diff --git a/ci/fmt.nix b/ci/fmt.nix
index 4d9591c1..5af7fe5a 100644
--- a/ci/fmt.nix
+++ b/ci/fmt.nix
@@ -3,19 +3,25 @@
whitelist = [
"overlays/default.nix"
"ci/fmt.nix"
+ "docs/derivation.nix"
"devShells.nix"
"shell.nix"
+ "generate.nix"
"lib.nix"
"outputs.nix"
"tree.nix"
];
whitelistDirs = [
"modules/extern"
+ "modules/nixos"
"modules/system"
+ "nixos"
+ "overlays"
+ "packages"
"systems"
];
blacklistDirs = [
- "overlays"
+ "modules/nixos/ldap"
"ci"
];
};
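Review bot: `modules/nixos` is added to `whitelistDirs` while `modules/nixos/ldap` is added to `blacklistDirs` in the same change, so how that subtree is treated depends on which list takes precedence for nested paths, and the code consuming these lists is outside this hunk. A short comment on the new blacklist entry, such as `# deliberately carved out of the modules/nixos whitelist above`, would record that the exclusion is intentional rather than an oversight. The enclosing attrset begins outside the hunk.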
diff --git a/devShells.nix b/devShells.nix
index 7effd4fd..8004046c 100644
--- a/devShells.nix
+++ b/devShells.nix
@@ -151,19 +151,23 @@
LDAPSASL_NOCANON = "on";
};
arc = let
- ldapdm = cmd: pkgs.writeShellScriptBin "dm-${cmd}" ''
- ${cmd} -D 'cn=Directory Manager' -y <(bitw get -f password ldap-directory-manager) "$@"
- '';
- in default.overrideAttrs (default: {
- nativeBuildInputs = default.nativeBuildInputs ++ [
- (ldapdm "ldapwhoami")
- (ldapdm "ldappasswd")
- (ldapdm "ldapsearch")
- (ldapdm "ldapadd")
- (ldapdm "ldapmodify")
- (ldapdm "ldapdelete")
- ];
- });
+ ldapdm = cmd:
+ pkgs.writeShellScriptBin "dm-${cmd}" ''
+ ${cmd} -D 'cn=Directory Manager' -y <(bitw get -f password ldap-directory-manager) "$@"
+ '';
+ in
+ default.overrideAttrs (default: {
+ nativeBuildInputs =
+ default.nativeBuildInputs
+ ++ [
+ (ldapdm "ldapwhoami")
+ (ldapdm "ldappasswd")
+ (ldapdm "ldapsearch")
+ (ldapdm "ldapadd")
+ (ldapdm "ldapmodify")
+ (ldapdm "ldapdelete")
+ ];
+ });
in {
inherit default arc;
}
diff --git a/generate.nix b/generate.nix
index c2a53761..3e5050cd 100644
--- a/generate.nix
+++ b/generate.nix
@@ -19,23 +19,33 @@
};
nodeSystems = let
matchesNode = nodeName: system: system.config.proxmox.enabled && system.config.proxmox.node.name == nodeName;
- in nodeName: filterAttrs (_: matchesNode nodeName) systems;
+ in
+ nodeName: filterAttrs (_: matchesNode nodeName) systems;
mkNodeSystem = system: {
inherit (system.config.access) hostName;
network = let
inherit (system.config.network) networks;
in {
networks = {
- int = if networks.int.enable or false then {
- inherit (networks.int) macAddress address4 address6;
- } else null;
- local = if networks.local.enable or false then {
- inherit (networks.local) macAddress address4 address6;
- } else null;
- tail = if networks.tail.enable or false then {
- inherit (networks.tail) address4 address6;
- macAddress = null;
- } else null;
+ int =
+ if networks.int.enable or false
+ then {
+ inherit (networks.int) macAddress address4 address6;
+ }
+ else null;
+ local =
+ if networks.local.enable or false
+ then {
+ inherit (networks.local) macAddress address4 address6;
+ }
+ else null;
+ tail =
+ if networks.tail.enable or false
+ then {
+ inherit (networks.tail) address4 address6;
+ macAddress = null;
+ }
+ else null;
};
};
};
@@ -43,10 +53,12 @@
mkExtern = system: let
enabledFiles = filterAttrs (_: file: file.enable) system.extern.files;
in {
- files = mapAttrs' (_: file: nameValuePair file.path {
- source = assert file.relativeSource != null; file.relativeSource;
- inherit (file) owner group mode;
- }) enabledFiles;
+ files = mapAttrs' (_: file:
+ nameValuePair file.path {
+ source = assert file.relativeSource != null; file.relativeSource;
+ inherit (file) owner group mode;
+ })
+ enabledFiles;
};
mkNode = system: {
users = mkNodeUsers templateUsers;
@@ -58,13 +70,17 @@
};
mkNetwork = system: {
inherit (system.config.access) hostName;
- networks = {
- int = null;
- local = null;
- tail = null;
- } // mapAttrs' (_: network: nameValuePair network.name {
- inherit (network) macAddress address4 address6;
- }) system.config.network.networks;
+ networks =
+ {
+ int = null;
+ local = null;
+ tail = null;
+ }
+ // mapAttrs' (_: network:
+ nameValuePair network.name {
+ inherit (network) macAddress address4 address6;
+ })
+ system.config.network.networks;
};
mkSystem = name: system: {
network = mkNetwork system;
@@ -72,6 +88,7 @@
in {
nodes = let
nodes = filterAttrs (_: node: node.config.proxmox.node.enable) systems;
- in mapAttrs (_: mkNode) nodes;
+ in
+ mapAttrs (_: mkNode) nodes;
systems = mapAttrs mkSystem systems;
}
diff --git a/lib.nix b/lib.nix
index 86adfe37..f7a1bcf6 100644
--- a/lib.nix
+++ b/lib.nix
@@ -23,20 +23,27 @@
parts' = Regex.match ''^([^:]+)://(\[[0-9a-fA-F:]+]|[^/:\[]+)(|:[0-9]+)(|/.*)$'' url;
parts = parts'.value;
port' = List.index parts 2;
- in assert Opt.isJust parts'; rec {
- inherit url parts;
- scheme = List.index parts 0;
- host = List.index parts 1;
- port = if port' != "" then UInt.Parse (Str.removePrefix ":" port') else null;
- hostport = host + port';
- path = List.index parts 3;
- };
+ in
+ assert Opt.isJust parts'; rec {
+ inherit url parts;
+ scheme = List.index parts 0;
+ host = List.index parts 1;
+ port =
+ if port' != ""
+ then UInt.Parse (Str.removePrefix ":" port')
+ else null;
+ hostport = host + port';
+ path = List.index parts 3;
+ };
userIs = group: user: builtins.elem group (user.extraGroups ++ [user.group]);
mkWinPath = Str.replace ["/"] ["\\"];
mkBaseDn = domain: Str.concatMapSep "," (part: "dc=${part}") (Regex.splitOn "\\." domain);
- mkAddress6 = addr: if Str.hasInfix ":" addr && ! Str.hasPrefix "[" addr then "[${addr}]" else addr;
+ mkAddress6 = addr:
+ if Str.hasInfix ":" addr && ! Str.hasPrefix "[" addr
+ then "[${addr}]"
+ else addr;
coalesce = values: Opt.default null (List.find (v: v != null) values);
mapListToAttrs = f: l: listToAttrs (map f l);
@@ -85,13 +92,43 @@ in {
Std = inputs.std-fl.lib;
lib = {
domain = "gensokyo.zone";
- inherit treeToModulesOutput userIs
- eui64 parseUrl mkWinPath mkBaseDn mkAddress6
- mapListToAttrs coalesce
- mkAlmostOptionDefault mkAlmostDefault mkAlmostForce mapOverride mapOptionDefaults mapAlmostOptionDefaults mapDefaults
- overrideOptionDefault overrideAlmostOptionDefault overrideDefault overrideAlmostDefault overrideNone overrideAlmostForce overrideForce overrideVM
- orderJustBefore orderBefore orderAlmostBefore orderNone orderAfter orderAlmostAfter orderJustAfter
- mkJustBefore mkAlmostBefore mkAlmostAfter mkJustAfter;
+ inherit
+ treeToModulesOutput
+ userIs
+ eui64
+ parseUrl
+ mkWinPath
+ mkBaseDn
+ mkAddress6
+ mapListToAttrs
+ coalesce
+ mkAlmostOptionDefault
+ mkAlmostDefault
+ mkAlmostForce
+ mapOverride
+ mapOptionDefaults
+ mapAlmostOptionDefaults
+ mapDefaults
+ overrideOptionDefault
+ overrideAlmostOptionDefault
+ overrideDefault
+ overrideAlmostDefault
+ overrideNone
+ overrideAlmostForce
+ overrideForce
+ overrideVM
+ orderJustBefore
+ orderBefore
+ orderAlmostBefore
+ orderNone
+ orderAfter
+ orderAlmostAfter
+ orderJustAfter
+ mkJustBefore
+ mkAlmostBefore
+ mkAlmostAfter
+ mkJustAfter
+ ;
inherit (inputs.arcexprs.lib) unmerged json;
};
gensokyo-zone = {
diff --git a/modules/extern/home/args.nix b/modules/extern/home/args.nix
index 974d5129..1e3fa45c 100644
--- a/modules/extern/home/args.nix
+++ b/modules/extern/home/args.nix
@@ -1,4 +1,8 @@
-{inputs, ...}: {lib, osConfig, ...}: let
+{inputs, ...}: {
+ lib,
+ osConfig,
+ ...
+}: let
inherit (inputs.self.lib) meta;
inherit (lib.modules) mkIf;
in {
diff --git a/modules/extern/home/ssh.nix b/modules/extern/home/ssh.nix
index 5773f3cc..6b16046c 100644
--- a/modules/extern/home/ssh.nix
+++ b/modules/extern/home/ssh.nix
@@ -19,18 +19,25 @@ let
system = gensokyo-zone.systems.${config.systemName}.config;
networks = let
fallbackNetwork =
- if system.network.networks.local.enable or false && access.local.enable then "local"
- else if system.access.global.enable then null
- else if system.network.networks.int.enable or false then "int"
- else if system.network.networks.local.enable or false then "local"
+ if system.network.networks.local.enable or false && access.local.enable
+ then "local"
+ else if system.access.global.enable
+ then null
+ else if system.network.networks.int.enable or false
+ then "int"
+ else if system.network.networks.local.enable or false
+ then "local"
else null;
- networks = map (name: coalesce [ name fallbackNetwork ]) config.networks;
- in unique networks;
+ networks = map (name: coalesce [name fallbackNetwork]) config.networks;
+ in
+ unique networks;
in {
options = with lib.types; {
- enable = mkEnableOption "ssh client configuration" // {
- default = true;
- };
+ enable =
+ mkEnableOption "ssh client configuration"
+ // {
+ default = true;
+ };
name = mkOption {
type = str;
default = name;
@@ -66,38 +73,46 @@ let
enabledNetworks = filterAttrs (_: net: net.enable) system.network.networks;
networkNames = mapAttrsToList (_: net: net.name) enabledNetworks;
networks = filter (name: name == null || elem name networkNames) cfg.networks;
- in mkOptionDefault networks;
+ in
+ mkOptionDefault networks;
set = {
matchBlocksSettings = let
- canonNetworkName' = intersectLists networks [ null "int" "local" ];
- canonNetworkName = if canonNetworkName' != [ ] then head canonNetworkName' else null;
- in mapListToAttrs (network: let
- name = config.name + optionalString (network != canonNetworkName) "-${network}";
- inherit (system.exports.services) sshd;
- port = head (
- optional (network == null && sshd.ports.global.enable or false) sshd.ports.global.port
- ++ optional (sshd.ports.public.enable or false) sshd.ports.public.port
- ++ [ sshd.ports.standard.port ]
- );
- needsProxy = network == "int" || (network == "local" && !access.local.enable);
- in nameValuePair name {
- hostname = mkDefault (
- if network == null then system.access.fqdn
- else system.network.networks.${network}.fqdn
- );
- user = mkIf (config.user != null) (mkDefault config.user);
- port = mkIf (port != 22) (mkDefault port);
- proxyJump = mkIf needsProxy (lib.warnIf (config.name == cfg.proxyJump) "proxyJump self-reference" (mkAlmostOptionDefault (
- cfg.proxyJump
- )));
- identitiesOnly = mkIf (config.systemName == "u7pro") (mkAlmostOptionDefault true);
- extraOptions = mkMerge [
- (unmerged.mergeAttrs config.extraOptions)
- {
- HostKeyAlias = mkIf (config.hostName != null && network != null) (mkOptionDefault system.access.fqdn);
- }
- ];
- }) networks;
+ canonNetworkName' = intersectLists networks [null "int" "local"];
+ canonNetworkName =
+ if canonNetworkName' != []
+ then head canonNetworkName'
+ else null;
+ in
+ mapListToAttrs (network: let
+ name = config.name + optionalString (network != canonNetworkName) "-${network}";
+ inherit (system.exports.services) sshd;
+ port = head (
+ optional (network == null && sshd.ports.global.enable or false) sshd.ports.global.port
+ ++ optional (sshd.ports.public.enable or false) sshd.ports.public.port
+ ++ [sshd.ports.standard.port]
+ );
+ needsProxy = network == "int" || (network == "local" && !access.local.enable);
+ in
+ nameValuePair name {
+ hostname = mkDefault (
+ if network == null
+ then system.access.fqdn
+ else system.network.networks.${network}.fqdn
+ );
+ user = mkIf (config.user != null) (mkDefault config.user);
+ port = mkIf (port != 22) (mkDefault port);
+ proxyJump = mkIf needsProxy (lib.warnIf (config.name == cfg.proxyJump) "proxyJump self-reference" (mkAlmostOptionDefault (
+ cfg.proxyJump
+ )));
+ identitiesOnly = mkIf (config.systemName == "u7pro") (mkAlmostOptionDefault true);
+ extraOptions = mkMerge [
+ (unmerged.mergeAttrs config.extraOptions)
+ {
+ HostKeyAlias = mkIf (config.hostName != null && network != null) (mkOptionDefault system.access.fqdn);
+ }
+ ];
+ })
+ networks;
};
};
};
@@ -124,7 +139,7 @@ let
};
hosts = mkOption {
type = attrsOf (submoduleWith {
- modules = [ sshHostModule ];
+ modules = [sshHostModule];
specialArgs = {
inherit gensokyo-zone osConfig homeConfig pkgs;
};
@@ -132,7 +147,7 @@ let
};
networks = mkOption {
type = listOf (nullOr str);
- default = [ null ];
+ default = [null];
};
proxyJump = mkOption {
type = str;
@@ -150,7 +165,8 @@ let
};
config = {
proxyJump = mkOptionDefault (
- if config.hosts.hakurei.enable then config.hosts.hakurei.name
+ if config.hosts.hakurei.enable
+ then config.hosts.hakurei.name
else gensokyo-zone.systems.hakurei.config.access.fqdn
);
networks = mkOptionDefault [
@@ -159,51 +175,55 @@ let
];
hosts = mapAttrs (name: system: let
enabled = system.config.access.online.enable && system.config.exports.services.sshd.enable;
- in mkIf enabled {
- systemName = mkOptionDefault name;
- }) gensokyo-zone.systems;
+ in
+ mkIf enabled {
+ systemName = mkOptionDefault name;
+ })
+ gensokyo-zone.systems;
set = {
matchBlocksSettings = let
mkMatchBlocksHost = host: mkIf host.enable (unmerged.mergeAttrs host.set.matchBlocksSettings);
- in mkMerge (
- mapAttrsToList (_: mkMatchBlocksHost) config.hosts
- );
+ in
+ mkMerge (
+ mapAttrsToList (_: mkMatchBlocksHost) config.hosts
+ );
};
};
};
-in {
- config,
- osConfig,
- lib,
- gensokyo-zone,
- pkgs,
- ...
-}: let
- inherit (lib.options) mkOption;
- inherit (lib.modules) mkIf;
- inherit (gensokyo-zone.lib) unmerged;
- cfg = config.gensokyo-zone.ssh;
-in {
- options.gensokyo-zone.ssh = mkOption {
- type = lib.types.submoduleWith {
- modules = [sshModule];
- specialArgs = {
- inherit gensokyo-zone pkgs;
- inherit osConfig;
- homeConfig = config;
+in
+ {
+ config,
+ osConfig,
+ lib,
+ gensokyo-zone,
+ pkgs,
+ ...
+ }: let
+ inherit (lib.options) mkOption;
+ inherit (lib.modules) mkIf;
+ inherit (gensokyo-zone.lib) unmerged;
+ cfg = config.gensokyo-zone.ssh;
+ in {
+ options.gensokyo-zone.ssh = mkOption {
+ type = lib.types.submoduleWith {
+ modules = [sshModule];
+ specialArgs = {
+ inherit gensokyo-zone pkgs;
+ inherit osConfig;
+ homeConfig = config;
+ };
};
+ default = {};
};
- default = { };
- };
- config = {
- gensokyo-zone.ssh = {
+ config = {
+ gensokyo-zone.ssh = {
+ };
+ programs.ssh = mkIf cfg.enable {
+ matchBlocks = unmerged.mergeAttrs cfg.set.matchBlocksSettings;
+ };
+ lib.gensokyo-zone.ssh = {
+ inherit cfg sshModule sshHostModule;
+ };
};
- programs.ssh = mkIf cfg.enable {
- matchBlocks = unmerged.mergeAttrs cfg.set.matchBlocksSettings;
- };
- lib.gensokyo-zone.ssh = {
- inherit cfg sshModule sshHostModule;
- };
- };
-}
+ }
diff --git a/modules/extern/misc/ipa.nix b/modules/extern/misc/ipa.nix
index cc711e02..d9424d5f 100644
--- a/modules/extern/misc/ipa.nix
+++ b/modules/extern/misc/ipa.nix
@@ -1,4 +1,4 @@
-{ ... }: {
+{...}: {
imports = [
../../nixos/ipa.nix
];
diff --git a/modules/extern/misc/netgroups.nix b/modules/extern/misc/netgroups.nix
index a95c730d..8762ed32 100644
--- a/modules/extern/misc/netgroups.nix
+++ b/modules/extern/misc/netgroups.nix
@@ -1,4 +1,4 @@
-{ ... }: {
+{...}: {
imports = [
../../nixos/network/netgroups.nix
];
diff --git a/modules/extern/misc/sssd.nix b/modules/extern/misc/sssd.nix
index 26f5d349..e091ec62 100644
--- a/modules/extern/misc/sssd.nix
+++ b/modules/extern/misc/sssd.nix
@@ -1,4 +1,4 @@
-{ ... }: {
+{...}: {
imports = [
../../nixos/sssd/sssd.nix
../../nixos/sssd/pam.nix
diff --git a/modules/extern/nixos/access.nix b/modules/extern/nixos/access.nix
index deecd327..4fabd945 100644
--- a/modules/extern/nixos/access.nix
+++ b/modules/extern/nixos/access.nix
@@ -35,7 +35,7 @@ in {
nixosConfig = config;
};
};
- default = { };
+ default = {};
};
config = {
diff --git a/modules/extern/nixos/dns.nix b/modules/extern/nixos/dns.nix
index 1df0b417..f12bcfc7 100644
--- a/modules/extern/nixos/dns.nix
+++ b/modules/extern/nixos/dns.nix
@@ -42,7 +42,7 @@
type = listOf str;
};
fallback = mkOption {
- type = nullOr (enum [ "cloudflare" "google" ]);
+ type = nullOr (enum ["cloudflare" "google"]);
default = "cloudflare";
};
fallbackNameservers = mkOption {
@@ -67,32 +67,38 @@
];
nameservers = let
inherit (gensokyo-zone.systems) utsuho hakurei;
- in mkMerge [
- (mkOptionDefault [ ])
- (mkIf access.local.enable [
- (mkIf enableIPv6 utsuho.config.access.address6ForNetwork.local)
- utsuho.config.access.address4ForNetwork.local
- ])
- # TODO: mirror or tunnel on hakurei or something .-.
- (mkIf (access.tail.enabled && false) [
- (mkIf enableIPv6 hakurei.config.access.address6ForNetwork.tail)
- hakurei.config.access.address4ForNetwork.tail
- ])
- ];
- fallbackNameservers = mkOptionDefault {
- cloudflare = [
- "1.1.1.1#cloudflare-dns.com"
- "1.0.0.1#cloudflare-dns.com"
+ in
+ mkMerge [
+ (mkOptionDefault [])
+ (mkIf access.local.enable [
+ (mkIf enableIPv6 utsuho.config.access.address6ForNetwork.local)
+ utsuho.config.access.address4ForNetwork.local
+ ])
+ # TODO: mirror or tunnel on hakurei or something .-.
+ (mkIf (access.tail.enabled && false) [
+ (mkIf enableIPv6 hakurei.config.access.address6ForNetwork.tail)
+ hakurei.config.access.address4ForNetwork.tail
+ ])
];
- google = optionals enableIPv6 [
- "[2001:4860:4860::8888]#dns.google"
- "[2001:4860:4860::8844]#dns.google"
- ] ++ [
- "8.8.8.8#dns.google"
- "8.8.4.4#dns.google"
- ];
- ${toString null} = [ ];
- }.${toString config.fallback};
+ fallbackNameservers =
+ mkOptionDefault
+ {
+ cloudflare = [
+ "1.1.1.1#cloudflare-dns.com"
+ "1.0.0.1#cloudflare-dns.com"
+ ];
+ google =
+ optionals enableIPv6 [
+ "[2001:4860:4860::8888]#dns.google"
+ "[2001:4860:4860::8844]#dns.google"
+ ]
+ ++ [
+ "8.8.8.8#dns.google"
+ "8.8.4.4#dns.google"
+ ];
+ ${toString null} = [];
+ }
+ .${toString config.fallback};
set = {
nssSettings = {
hosts = mkMerge [
@@ -123,11 +129,11 @@ in {
nixosConfig = config;
};
};
- default = { };
+ default = {};
};
config = {
- networking.nameservers = mkIf (cfg.enable && cfg.nameservers != [ ]) (mkMerge [
+ networking.nameservers = mkIf (cfg.enable && cfg.nameservers != []) (mkMerge [
(mkBefore cfg.nameservers)
cfg.fallbackNameservers
]);
diff --git a/modules/extern/nixos/krb5.nix b/modules/extern/nixos/krb5.nix
index 073f6bc2..62915d19 100644
--- a/modules/extern/nixos/krb5.nix
+++ b/modules/extern/nixos/krb5.nix
@@ -40,9 +40,11 @@
default = toUpper config.domain;
};
ca = {
- trust = mkEnableOption "trust CA" // {
- default = true;
- };
+ trust =
+ mkEnableOption "trust CA"
+ // {
+ default = true;
+ };
pem = mkOption {
type = path;
};
@@ -59,7 +61,7 @@
};
urls = mkOption {
type = listOf str;
- default = [ "ldaps://${config.ldap.host}" ];
+ default = ["ldaps://${config.ldap.host}"];
};
baseDn = mkOption {
type = str;
@@ -75,21 +77,21 @@
};
passwordFileKrb5 = mkOption {
type = path;
- example = lib.literalExpression "\${pkgs.writeText "ldap.kdb5" ''
+ example = lib.literalExpression "\${pkgs.writeText " ldap.kdb5 " ''
${config.bind.dn}#{HEX}616e6f6e796d6f7573
''}";
};
passwordFileSssdEnv = mkOption {
type = path;
- example = lib.literalExpression "\${pkgs.writeText "ldap.kdb5" ''
- ${"SSSD_AUTHTOK_" + replaceStrings [ "." ] [ "_" ] (toUpper config.domain)}=verysecretpassword
+ example = lib.literalExpression "\${pkgs.writeText " ldap.kdb5 " ''
+ ${"SSSD_AUTHTOK_" + replaceStrings ["."] ["_"] (toUpper config.domain)}=verysecretpassword
''}";
};
};
};
db = {
backend = mkOption {
- type = enum [ "kldap" "ipa" ];
+ type = enum ["kldap" "ipa"];
default = "kldap";
};
};
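Review bot: The `example` values for `passwordFileKrb5` and `passwordFileSssdEnv` are not a single string literal: the unescaped inner `"ldap.kdb5"` quotes terminate the outer `"\${pkgs.writeText "` string, and the formatter's new spacing, `"\${pkgs.writeText " ldap.kdb5 " ''`, shows that Nix parses this as that string applied to `ldap.kdb5` and then to a second string. Evaluating either example (for instance when option documentation is generated) should fail, since a string is not callable and `ldap` does not appear to be bound here. Escaping the inner quotes restores the intended text, `example = lib.literalExpression "\${pkgs.writeText \"ldap.kdb5\" ''`, with the following lines unchanged, for both examples. The formatter only made the pre-existing mis-quoting visible; the enclosing option set continues outside the hunk.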
@@ -99,7 +101,7 @@
};
authToLocalNames = mkOption {
type = attrsOf str;
- default = { };
+ default = {};
example = {
"arc@${config.realm}" = "arc";
};
@@ -108,26 +110,30 @@
enable = mkEnableOption "sssd";
pam.enable = mkEnableOption "PAM";
backend = mkOption {
- type = enum [ "ipa" "ldap" ];
- default = {
- ipa = "ipa";
- kldap = "ldap";
- }.${config.db.backend};
+ type = enum ["ipa" "ldap"];
+ default =
+ {
+ ipa = "ipa";
+ kldap = "ldap";
+ }
+ .${config.db.backend};
};
};
ntp = {
- enable = mkEnableOption "ntp" // {
- default = true;
- };
+ enable =
+ mkEnableOption "ntp"
+ // {
+ default = true;
+ };
servers = mkOption {
type = listOf str;
- example = [ config.ipa.host ];
- default = [ "2.fedora.pool.ntp.org" ];
+ example = [config.ipa.host];
+ default = ["2.fedora.pool.ntp.org"];
};
};
nfs = {
enable = mkEnableOption "nfs";
- package = mkPackageOption pkgs "nfs-utils" { };
+ package = mkPackageOption pkgs "nfs-utils" {};
idmapd = {
localDomain = mkOption {
type = bool;
@@ -135,11 +141,11 @@
};
localRealms = mkOption {
type = listOf str;
- default = [ config.realm ];
+ default = [config.realm];
};
methods = mkOption {
type = listOf str;
- default = [ "nsswitch" ];
+ default = ["nsswitch"];
};
authToLocalNames = mkOption {
type = attrsOf str;
@@ -185,7 +191,8 @@
url = "https://${config.ipa.httpHost}/ipa/config/ca.crt";
sha256 = "sha256-PKjnjn1jIq9x4BX8+WGkZfj4HQtmnHqmFSALqggo91o=";
};
- in mkOptionDefault caPem;
+ in
+ mkOptionDefault caPem;
ldap = {
urls = mkMerge [
(mkIf access.local.enable (mkOptionDefault (mkBefore [
@@ -200,22 +207,23 @@
];
bind = let
inherit (nixosConfig.sops) secrets;
- in mkIf (nixosOptions ? sops.secrets && secrets ? gensokyo-zone-krb5-passwords) {
- passwordFileKrb5 = mkOptionDefault nixosConfig.sops.secrets.gensokyo-zone-krb5-passwords.path;
- passwordFile = mkOptionDefault nixosConfig.sops.secrets.gensokyo-zone-krb5-peep-password.path;
- passwordFileSssdEnv = mkOptionDefault nixosConfig.sops.secrets.gensokyo-zone-sssd-passwords.path;
- };
+ in
+ mkIf (nixosOptions ? sops.secrets && secrets ? gensokyo-zone-krb5-passwords) {
+ passwordFileKrb5 = mkOptionDefault nixosConfig.sops.secrets.gensokyo-zone-krb5-passwords.path;
+ passwordFile = mkOptionDefault nixosConfig.sops.secrets.gensokyo-zone-krb5-peep-password.path;
+ passwordFileSssdEnv = mkOptionDefault nixosConfig.sops.secrets.gensokyo-zone-sssd-passwords.path;
+ };
};
db.backend = mkIf enabled.ipa (mkAlmostOptionDefault "ipa");
nfs = {
package = mkIf (elem "umich_ldap" config.nfs.idmapd.methods) (mkAlmostOptionDefault pkgs.nfs-utils-ldap);
idmapd = {
methods = mkMerge [
- (mkIf (config.nfs.idmapd.authToLocalNames != { }) (
- mkOptionDefault (mkBefore [ "static" ])
+ (mkIf (config.nfs.idmapd.authToLocalNames != {}) (
+ mkOptionDefault (mkBefore ["static"])
))
(mkIf (!enabled.sssd) (
- mkOptionDefault [ "umich_ldap" ]
+ mkOptionDefault ["umich_ldap"]
))
];
};
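Review bot: The `bind` block's guard tests only `secrets ? gensokyo-zone-krb5-passwords` but then reads the `.path` of three different secrets (`gensokyo-zone-krb5-passwords`, `gensokyo-zone-krb5-peep-password`, `gensokyo-zone-sssd-passwords`), and in the sops hunk further down this file those three are declared under different conditions (`cfg.db.backend == "kldap"` versus `cfg.sssd.backend == "ldap"`). Because `mkOptionDefault` values are lazy, the mismatch only surfaces if `passwordFile` or `passwordFileSssdEnv` is read in a configuration where the matching secret was never declared, which I cannot rule out from this diff. A per-secret guard would make the intent explicit, e.g. `passwordFile = mkIf (secrets ? gensokyo-zone-krb5-peep-password) (mkOptionDefault secrets.gensokyo-zone-krb5-peep-password.path);` and likewise for `passwordFileSssdEnv`. The enclosing `ldap` attrset starts outside the hunk.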
@@ -243,55 +251,63 @@
};
};
sssdSettings = let
- servers = optional access.local.enable "idp.local.${config.domain}"
- ++ [ "_srv" ];
+ servers =
+ optional access.local.enable "idp.local.${config.domain}"
+ ++ ["_srv"];
backups = mkMerge [
- (mkIf access.tail.enabled (mkAlmostOptionDefault [ "ipa.tail.${config.domain}" ]))
- (mkIf access.local.enable (mkAlmostOptionDefault [ "ipa.local.${config.domain}" ]))
+ (mkIf access.tail.enabled (mkAlmostOptionDefault ["ipa.tail.${config.domain}"]))
+ (mkIf access.local.enable (mkAlmostOptionDefault ["ipa.local.${config.domain}"]))
];
- in mkIf config.sssd.enable {
- enable = mkAlmostOptionDefault true;
- gensokyo-zone = {
- backend = mkAlmostOptionDefault config.sssd.backend;
- krb5.servers = {
- servers = servers ++ [ config.host ];
- inherit backups;
+ in
+ mkIf config.sssd.enable {
+ enable = mkAlmostOptionDefault true;
+ gensokyo-zone = {
+ backend = mkAlmostOptionDefault config.sssd.backend;
+ krb5.servers = {
+ servers = servers ++ [config.host];
+ inherit backups;
+ };
+ ipa.servers = {
+ servers = servers ++ [config.ipa.host];
+ inherit backups;
+ };
+ ldap = {
+ bind.passwordFile = mkAlmostOptionDefault config.ldap.bind.passwordFile;
+ uris.backups = mkIf access.tail.enabled (mkAlmostOptionDefault (mkAfter [
+ "ldaps://ldap.tail.${config.domain}"
+ ]));
+ };
};
- ipa.servers = {
- servers = servers ++ [ config.ipa.host ];
- inherit backups;
- };
- ldap = {
- bind.passwordFile = mkAlmostOptionDefault config.ldap.bind.passwordFile;
- uris.backups = mkIf access.tail.enabled (mkAlmostOptionDefault (mkAfter [
- "ldaps://ldap.tail.${config.domain}"
- ]));
+ environmentFile = mkIf (config.sssd.backend == "ldap") (
+ mkAlmostOptionDefault
+ config.ldap.bind.passwordFileSssdEnv
+ );
+ services = {
+ ifp.enable = mkAlmostOptionDefault true;
+ pam.enable = mkIf (!config.sssd.pam.enable) (mkDefault false);
};
};
- environmentFile = mkIf (config.sssd.backend == "ldap") (mkAlmostOptionDefault
- config.ldap.bind.passwordFileSssdEnv
- );
- services = {
- ifp.enable = mkAlmostOptionDefault true;
- pam.enable = mkIf (!config.sssd.pam.enable) (mkDefault false);
- };
- };
ipaSettings = mkIf config.ipa.enable (mapAlmostOptionDefaults {
- enable = true;
- certificate = config.ca.pem;
- basedn = config.ldap.baseDn;
- domain = config.domain;
- realm = config.realm;
- server = config.ipa.server;
- # TODO: dyndns?
- } // {
- overrideConfigs = mapAlmostOptionDefaults {
- sssd = false;
- krb5 = false;
- };
- });
+ enable = true;
+ certificate = config.ca.pem;
+ basedn = config.ldap.baseDn;
+ domain = config.domain;
+ realm = config.realm;
+ server = config.ipa.server;
+ # TODO: dyndns?
+ }
+ // {
+ overrideConfigs = mapAlmostOptionDefaults {
+ sssd = false;
+ krb5 = false;
+ };
+ });
nfsSettings = mkIf config.nfs.enable {
- ${if nixosOptions ? services.nfs.settings then "settings" else null} = mkMerge [
+ ${
+ if nixosOptions ? services.nfs.settings
+ then "settings"
+ else null
+ } = mkMerge [
{
gssd = mapOptionDefaults {
#use-machine-creds = false;
@@ -314,7 +330,11 @@
};
})
];
- ${if nixosOptions ? services.nfs.settings then null else "extraConfig"} = mkMerge [
+ ${
+ if nixosOptions ? services.nfs.settings
+ then null
+ else "extraConfig"
+ } = mkMerge [
''
[gssd]
#use-machine-creds = false
@@ -344,10 +364,10 @@
Domain = mkForce config.domain;
Local-Realms = concatStringsSep "," config.nfs.idmapd.localRealms;
};
- Translation.Method = mkIf (config.nfs.idmapd.methods != [ "nsswitch" ]) (mkForce (
+ Translation.Method = mkIf (config.nfs.idmapd.methods != ["nsswitch"]) (mkForce (
concatStringsSep "," config.nfs.idmapd.methods
));
- Static = mkIf (config.nfs.idmapd.authToLocalNames != { }) config.nfs.idmapd.authToLocalNames;
+ Static = mkIf (config.nfs.idmapd.authToLocalNames != {}) config.nfs.idmapd.authToLocalNames;
UMICH_SCHEMA = mkIf (elem "umich_ldap" config.nfs.idmapd.methods) (mapOptionDefaults {
LDAP_server = config.ldap.host;
LDAP_use_ssl = true;
@@ -389,7 +409,7 @@ in {
nixosOptions = options;
};
};
- default = { };
+ default = {};
};
config = {
@@ -413,10 +433,11 @@ in {
hosts = let
inherit (gensokyo-zone.systems) freeipa;
# TODO: consider hakurei instead...
- in mkIf (cfg.enable && !config.gensokyo-zone.dns.enable or false && config.gensokyo-zone.access.local.enable) {
- ${freeipa.config.access.address6ForNetwork.local} = mkIf config.networking.enableIPv6 (mkBefore [ cfg.host ]);
- ${freeipa.config.access.address4ForNetwork.local} = mkBefore [ cfg.host ];
- };
+ in
+ mkIf (cfg.enable && !config.gensokyo-zone.dns.enable or false && config.gensokyo-zone.access.local.enable) {
+ ${freeipa.config.access.address6ForNetwork.local} = mkIf config.networking.enableIPv6 (mkBefore [cfg.host]);
+ ${freeipa.config.access.address4ForNetwork.local} = mkBefore [cfg.host];
+ };
};
environment.etc = {
"request-key.conf" = mkIf (cfg.enable && cfg.nfs.enable && cfg.sssd.enable) {
@@ -425,24 +446,30 @@ in {
export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${config.system.nssModules.path}"
exec ${cfg.nfs.package}/bin/nfsidmap "$@"
'';
- in mkForce (pkgs.writeText "request-key.conf" ''
- create id_resolver * * ${nfsidmap} -t 600 %k %d
- '');
+ in
+ mkForce (pkgs.writeText "request-key.conf" ''
+ create id_resolver * * ${nfsidmap} -t 600 %k %d
+ '');
};
};
- ${if options ? sops.secrets then "sops" else null}.secrets = let
+ ${
+ if options ? sops.secrets
+ then "sops"
+ else null
+ }.secrets = let
sopsFile = mkDefault ../secrets/krb5.yaml;
- in mkIf cfg.enable {
- gensokyo-zone-krb5-passwords = mkIf (cfg.db.backend == "kldap") {
- inherit sopsFile;
+ in
+ mkIf cfg.enable {
+ gensokyo-zone-krb5-passwords = mkIf (cfg.db.backend == "kldap") {
+ inherit sopsFile;
+ };
+ gensokyo-zone-krb5-peep-password = mkIf (cfg.sssd.backend == "ldap") {
+ inherit sopsFile;
+ };
+ gensokyo-zone-sssd-passwords = mkIf (cfg.sssd.backend == "ldap") {
+ inherit sopsFile;
+ };
};
- gensokyo-zone-krb5-peep-password = mkIf (cfg.sssd.backend == "ldap") {
- inherit sopsFile;
- };
- gensokyo-zone-sssd-passwords = mkIf (cfg.sssd.backend == "ldap") {
- inherit sopsFile;
- };
- };
lib.gensokyo-zone.krb5 = {
inherit cfg krb5Module;
};
diff --git a/modules/extern/nixos/kyuuto.nix b/modules/extern/nixos/kyuuto.nix
index acb4a596..cb653b83 100644
--- a/modules/extern/nixos/kyuuto.nix
+++ b/modules/extern/nixos/kyuuto.nix
@@ -33,20 +33,28 @@
options = with lib.types; {
enable = mkEnableOption "kyuuto";
media = {
- enable = mkEnableOption "/mnt/kyuuto-media" // {
- default = true;
- };
- krb5.enable = mkEnableOption "krb5" // {
- default = enabled.krb5;
- };
+ enable =
+ mkEnableOption "/mnt/kyuuto-media"
+ // {
+ default = true;
+ };
+ krb5.enable =
+ mkEnableOption "krb5"
+ // {
+ default = enabled.krb5;
+ };
};
transfer = {
- enable = mkEnableOption "/mnt/kyuuto-transfer" // {
- default = true;
- };
- krb5.enable = mkEnableOption "krb5" // {
- default = enabled.krb5;
- };
+ enable =
+ mkEnableOption "/mnt/kyuuto-transfer"
+ // {
+ default = true;
+ };
+ krb5.enable =
+ mkEnableOption "krb5"
+ // {
+ default = enabled.krb5;
+ };
};
shared.enable = mkEnableOption "/mnt/kyuuto-shared";
domain = mkOption {
@@ -135,12 +143,13 @@
(mkIf config.nfs.enable "nfs4")
(mkIf config.smb.enable "smb3")
];
- options = mkMerge (setFilesystemOptions ++ [
- (mkIf config.media.krb5.enable [
- "sec=krb5"
- (mkIf config.nfs.enable "nfsvers=4")
- ])
- ]);
+ options = mkMerge (setFilesystemOptions
+ ++ [
+ (mkIf config.media.krb5.enable [
+ "sec=krb5"
+ (mkIf config.nfs.enable "nfsvers=4")
+ ])
+ ]);
};
"/mnt/kyuuto-transfer" = mkIf config.transfer.enable {
device = mkMerge [
@@ -151,12 +160,17 @@
(mkIf config.nfs.enable "nfs4")
(mkIf config.smb.enable "smb3")
];
- options = mkMerge (setFilesystemOptions ++ [
- (mkIf config.media.krb5.enable [
- (if access.local.enable || access.tail.enabled then "sec=sys:krb5" else "sec=krb5")
- #(mkIf config.nfs.enable "nfsvers=3")
- ])
- ]);
+ options = mkMerge (setFilesystemOptions
+ ++ [
+ (mkIf config.media.krb5.enable [
+ (
+ if access.local.enable || access.tail.enabled
+ then "sec=sys:krb5"
+ else "sec=krb5"
+ )
+ #(mkIf config.nfs.enable "nfsvers=3")
+ ])
+ ]);
};
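Review bot: The `/mnt/kyuuto-transfer` entry still gates its `sec=` mount option on `config.media.krb5.enable`, even though the transfer share declares its own `transfer.krb5.enable` option in the earlier hunk of this file; as written, toggling Kerberos for the transfer mount alone has no effect on whether `sec=sys:krb5`/`sec=krb5` is applied. Unless `transfer.krb5.enable` is consumed somewhere outside this diff, the guard should read `(mkIf config.transfer.krb5.enable [`. The `fileSystems` attrset this belongs to begins outside the hunk.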
"/mnt/kyuuto-shared" = mkIf (config.shared.enable && config.smb.enable) {
device = mkIf (config.smb.user != null) ''\\smb.${config.domain}\shared'';
@@ -204,7 +218,7 @@ in {
nixosConfig = config;
};
};
- default = { };
+ default = {};
};
config = {
diff --git a/modules/extern/nixos/nix.nix b/modules/extern/nixos/nix.nix
index 78a0944f..2a355a51 100644
--- a/modules/extern/nixos/nix.nix
+++ b/modules/extern/nixos/nix.nix
@@ -46,9 +46,11 @@
default = "ssh";
};
ssh = {
- commonKey = mkEnableOption "shared secret nixbld key" // {
- default = true;
- };
+ commonKey =
+ mkEnableOption "shared secret nixbld key"
+ // {
+ default = true;
+ };
user = mkOption {
type = str;
default = "nixbld";
@@ -105,8 +107,8 @@
];
builder = {
systems = mkMerge [
- (mkIf config.builder.cross.aarch64 (mkOptionDefault [ "aarch64-linux" ]))
- (mkIf config.builder.cross.armv7l (mkOptionDefault [ "armv7l-linux" ]))
+ (mkIf config.builder.cross.aarch64 (mkOptionDefault ["aarch64-linux"]))
+ (mkIf config.builder.cross.armv7l (mkOptionDefault ["armv7l-linux"]))
];
domain = mkMerge [
(mkIf access.tail.enabled (mkAlmostOptionDefault "nixbld.tail.${domain}"))
@@ -114,9 +116,11 @@
];
ssh.key = let
inherit (nixosConfig.sops) secrets;
- in mkIf (nixosOptions ? sops.secrets && secrets ? gensokyo-zone-nix-bld-key) (mkAlmostOptionDefault
- nixosConfig.sops.secrets.gensokyo-zone-nix-bld-key.path
- );
+ in
+ mkIf (nixosOptions ? sops.secrets && secrets ? gensokyo-zone-nix-bld-key) (
+ mkAlmostOptionDefault
+ nixosConfig.sops.secrets.gensokyo-zone-nix-bld-key.path
+ );
setBuildMachine = {
hostName = config.builder.domain;
protocol = config.builder.protocol;
@@ -145,7 +149,7 @@ in {
nixosOptions = options;
};
};
- default = { };
+ default = {};
};
config = {
@@ -153,13 +157,18 @@ in {
settings = unmerged.merge cfg.setNixSettings;
buildMachines = unmerged.merge cfg.setNixBuildMachines;
};
- ${if options ? sops.secrets then "sops" else null}.secrets = let
+ ${
+ if options ? sops.secrets
+ then "sops"
+ else null
+ }.secrets = let
sopsFile = mkDefault ../secrets/nix.yaml;
- in mkIf cfg.enable {
- gensokyo-zone-nix-bld-key = mkIf cfg.builder.ssh.commonKey {
- inherit sopsFile;
+ in
+ mkIf cfg.enable {
+ gensokyo-zone-nix-bld-key = mkIf cfg.builder.ssh.commonKey {
+ inherit sopsFile;
+ };
};
- };
lib.gensokyo-zone.nix = {
inherit cfg nixModule;
};
diff --git a/modules/extern/nixos/users.nix b/modules/extern/nixos/users.nix
index 008fd332..41acb32c 100644
--- a/modules/extern/nixos/users.nix
+++ b/modules/extern/nixos/users.nix
@@ -162,7 +162,7 @@
modules = [userModule];
inherit specialArgs;
});
- default = { };
+ default = {};
};
excludeUsers = mkOption {
type = listOf str;
@@ -172,7 +172,7 @@
modules = [groupModule];
inherit specialArgs;
});
- default = { };
+ default = {};
};
excludeGroups = mkOption {
type = listOf str;
diff --git a/modules/nixos/access/cidr.nix b/modules/nixos/access/cidr.nix
index 5ce3c5fa..2bbaaf30 100644
--- a/modules/nixos/access/cidr.nix
+++ b/modules/nixos/access/cidr.nix
@@ -76,10 +76,12 @@ in {
];
};
allLan = {
- v4 = cfg.cidrForNetwork.loopback.v4
+ v4 =
+ cfg.cidrForNetwork.loopback.v4
++ cfg.cidrForNetwork.local.v4
++ cfg.cidrForNetwork.int.v4;
- v6 = cfg.cidrForNetwork.loopback.v6
+ v6 =
+ cfg.cidrForNetwork.loopback.v6
++ cfg.cidrForNetwork.local.v6
++ cfg.cidrForNetwork.int.v6;
};
diff --git a/modules/nixos/access/local.nix b/modules/nixos/access/local.nix
index 0790b161..642b14b7 100644
--- a/modules/nixos/access/local.nix
+++ b/modules/nixos/access/local.nix
@@ -55,7 +55,7 @@ in {
nftables.ruleset = mkIf cfg.enable (mkBefore cfg.nftablesInclude);
firewall = {
interfaces.local = {
- nftables.conditions = mkIf (cfg.enable && networking.enableIPv6) [ "ip6 saddr $localrange6" ];
+ nftables.conditions = mkIf (cfg.enable && networking.enableIPv6) ["ip6 saddr $localrange6"];
};
};
};
diff --git a/modules/nixos/access/peeps.nix b/modules/nixos/access/peeps.nix
index bd47921d..ab68fc90 100644
--- a/modules/nixos/access/peeps.nix
+++ b/modules/nixos/access/peeps.nix
@@ -15,33 +15,42 @@
hasSops = options ? sops.secrets;
in {
options.networking.access.peeps = with lib.types; {
- enable = mkEnableOption "peeps" // { default = hasSops; };
+ enable = mkEnableOption "peeps" // {default = hasSops;};
ranges = mkOption {
type = attrsOf str;
- default = { };
+ default = {};
};
stateDir = mkOption {
type = path;
default = "/run/access/peeps";
};
};
- config.${if hasSops then "sops" else null}.secrets = let
+ config.${
+ if hasSops
+ then "sops"
+ else null
+ }.secrets = let
sopsFile = mkDefault ../../../nixos/secrets/access.yaml;
- sopsSecrets = mapAttrs' (name: _: nameValuePair (mkSopsName name) {
- inherit sopsFile;
- path = mkDefault "${cfg.stateDir}/${name}.nft";
- }) cfg.ranges;
- in mkIf cfg.enable sopsSecrets;
+ sopsSecrets = mapAttrs' (name: _:
+ nameValuePair (mkSopsName name) {
+ inherit sopsFile;
+ path = mkDefault "${cfg.stateDir}/${name}.nft";
+ })
+ cfg.ranges;
+ in
+ mkIf cfg.enable sopsSecrets;
config.networking = let
nftRanges = mapAttrsToList (name: range: let
nft = "define ${mkNftName name} = ${range}";
- in mkBefore nft) cfg.ranges;
+ in
+ mkBefore nft)
+ cfg.ranges;
condition = "ip6 saddr { ${concatStringsSep "," (mapAttrsToList (name: _: "$" + mkNftName name) cfg.ranges)} }";
in {
nftables.ruleset = mkIf cfg.enable (mkMerge (
nftRanges
- ++ [ (mkBefore ''include "${cfg.stateDir}/*.nft"'') ]
+ ++ [(mkBefore ''include "${cfg.stateDir}/*.nft"'')]
));
firewall.interfaces.peeps = {
nftables.enable = cfg.enable;
diff --git a/modules/nixos/args.nix b/modules/nixos/args.nix
index 02d86339..8bb5dccb 100644
--- a/modules/nixos/args.nix
+++ b/modules/nixos/args.nix
@@ -1,4 +1,4 @@
-{ gensokyo-zone, ... }: {
+{gensokyo-zone, ...}: {
config.lib = {
inherit gensokyo-zone;
};
diff --git a/modules/nixos/barcodebuddy.nix b/modules/nixos/barcodebuddy.nix
index d7068f5a..05a62c55 100644
--- a/modules/nixos/barcodebuddy.nix
+++ b/modules/nixos/barcodebuddy.nix
@@ -1,4 +1,10 @@
-{ config, lib, gensokyo-zone, pkgs, ... }: let
+{
+ config,
+ lib,
+ gensokyo-zone,
+ pkgs,
+ ...
+}: let
inherit (gensokyo-zone.lib) mkAlmostOptionDefault mapOptionDefaults unmerged;
inherit (lib.options) mkOption mkEnableOption mkPackageOption;
inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
@@ -8,17 +14,20 @@
cfg = config.services.barcodebuddy;
toEnvName = key: "BBUDDY_" + key;
toEnvValue = value:
- if value == true then "true"
- else if value == false then "false"
- else if isList value then concatStringsSep ";" (imap0 (i: v: "${toString i}=${toEnvValue v}") value)
+ if value == true
+ then "true"
+ else if value == false
+ then "false"
+ else if isList value
+ then concatStringsSep ";" (imap0 (i: v: "${toString i}=${toEnvValue v}") value)
else toString value;
toEnvPair = key: value: nameValuePair (toEnvName key) (toEnvValue value);
toPhpEnvPair = key: value: nameValuePair (toEnvName key) ''"${toEnvValue value}"'';
in {
options.services.barcodebuddy = with lib.types; {
enable = mkEnableOption "Barcode Buddy";
- package = mkPackageOption pkgs "barcodebuddy" { };
- phpPackageUnwrapped = mkPackageOption pkgs "php83" { };
+ package = mkPackageOption pkgs "barcodebuddy" {};
+ phpPackageUnwrapped = mkPackageOption pkgs "php83" {};
hostName = mkOption {
type = str;
};
@@ -38,7 +47,7 @@ in {
enable = mkEnableOption "reverse proxy";
trustedAddresses = mkOption {
type = listOf str;
- default = [ "127.0.0.1" "::1" ];
+ default = ["127.0.0.1" "::1"];
};
};
screen = {
@@ -65,13 +74,15 @@ in {
type = nullOr str;
default = null;
};
- /* TODO: passwordFile = mkOption {
+ /*
+ TODO: passwordFile = mkOption {
type = nullOr path;
default = null;
- };*/
+ };
+ */
};
settings = mkOption {
- type = attrsOf (oneOf [ str bool int (listOf str) ]);
+ type = attrsOf (oneOf [str bool int (listOf str)]);
description = "https://github.com/Forceu/barcodebuddy/blob/master/config-dist.php";
};
nginxConfig = mkOption {
@@ -95,9 +106,19 @@ in {
bbuddyConfig.services.barcodebuddy = {
settings = let
defaults = mapOptionDefaults {
- ${if cfg.screen.enable then "PORT_WEBSOCKET_SERVER" else null} = cfg.screen.websocketPort;
+ ${
+ if cfg.screen.enable
+ then "PORT_WEBSOCKET_SERVER"
+ else null
+ } =
+ cfg.screen.websocketPort;
SEARCH_ENGINE = "https://google.com/search?q=";
- ${if cfg.reverseProxy.enable then "TRUSTED_PROXIES" else null} = cfg.reverseProxy.trustedAddresses;
+ ${
+ if cfg.reverseProxy.enable
+ then "TRUSTED_PROXIES"
+ else null
+ } =
+ cfg.reverseProxy.trustedAddresses;
DISABLE_AUTHENTICATION = false;
DATABASE_PATH = cfg.databasePath;
AUTHDB_PATH = cfg.authDatabasePath;
@@ -109,7 +130,8 @@ in {
REDIS_PORT = cfg.redis.port;
REDIS_PW = toString cfg.redis.password;
};
- in mkMerge [ defaults (mkIf cfg.redis.enable redis) ];
+ in
+ mkMerge [defaults (mkIf cfg.redis.enable redis)];
nginxConfig = ''
index index.php index.html index.htm;
'';
@@ -125,13 +147,18 @@ in {
};
redis = let
redis = config.services.redis.servers.${cfg.redis.server};
- in mkIf (cfg.redis.server != null) {
- enable = mkAlmostOptionDefault redis.enable;
- ip = mkOptionDefault (if redis.bind == null then "localhost" else redis.bind);
- port = mkIf (redis.port != 0) (mkOptionDefault redis.port);
- password = mkAlmostOptionDefault redis.requirePass;
- # TODO: passwordFile = mkAlmostOptionDefault redis.requirePassFile;
- };
+ in
+ mkIf (cfg.redis.server != null) {
+ enable = mkAlmostOptionDefault redis.enable;
+ ip = mkOptionDefault (
+ if redis.bind == null
+ then "localhost"
+ else redis.bind
+ );
+ port = mkIf (redis.port != 0) (mkOptionDefault redis.port);
+ password = mkAlmostOptionDefault redis.requirePass;
+ # TODO: passwordFile = mkAlmostOptionDefault redis.requirePassFile;
+ };
};
conf.users.users.barcodebuddy = {
isSystemUser = true;
@@ -146,7 +173,10 @@ in {
user = "barcodebuddy";
inherit (config.services.nginx) group;
- phpPackage = cfg.phpPackageUnwrapped.withExtensions ({ enabled, all }: [
+ phpPackage = cfg.phpPackageUnwrapped.withExtensions ({
+ enabled,
+ all,
+ }: [
all.curl
all.mbstring
all.sqlite3
@@ -190,7 +220,7 @@ in {
};
};
conf.systemd.services.bbuddy-websocket = mkIf cfg.screen.enable {
- wantedBy = [ "multi-user.target" ];
+ wantedBy = ["multi-user.target"];
environment = mapAttrs' toEnvPair cfg.settings;
unitConfig = {
Description = "Run websocket server for barcodebuddy screen feature";
@@ -202,5 +232,6 @@ in {
User = "barcodebuddy";
};
};
- in mkMerge [ bbuddyConfig (mkIf cfg.enable conf) ];
+ in
+ mkMerge [bbuddyConfig (mkIf cfg.enable conf)];
}
diff --git a/modules/nixos/home-assistant.nix b/modules/nixos/home-assistant.nix
index b0a4ac67..0c28062b 100644
--- a/modules/nixos/home-assistant.nix
+++ b/modules/nixos/home-assistant.nix
@@ -82,7 +82,7 @@ in {
interfaces.local = {
allowedTCPPorts = mkMerge [
(mkIf (!cfg.homekit.openFirewall) homekitTcp)
- (mkIf (!cfg.openFirewall) [ cfg.config.http.server_port ])
+ (mkIf (!cfg.openFirewall) [cfg.config.http.server_port])
];
allowedUDPPortRanges = mkIf (!cfg.cast.openFirewall) castUdpRanges;
};
diff --git a/modules/nixos/ipa.nix b/modules/nixos/ipa.nix
index cb8206cc..abe8cdcc 100644
--- a/modules/nixos/ipa.nix
+++ b/modules/nixos/ipa.nix
@@ -14,7 +14,7 @@
cfg = config.security.ipa;
in {
options.security.ipa = with lib.types; {
- package = mkPackageOption pkgs "freeipa" { };
+ package = mkPackageOption pkgs "freeipa" {};
overrideConfigs = {
krb5 = mkOption {
type = bool;
@@ -36,67 +36,70 @@ in {
config.services.sssd = let
inherit (config.services) sssd;
ipaDebugLevel = 65510;
- in mkIf cfg.enable {
- debugLevel = mkAlmostOptionDefault ipaDebugLevel;
- domains = {
- ${cfg.domain} = {
- ldap.extraAttrs.user = {
- mail = "mail";
- sn = "sn";
- givenname = "givenname";
- telephoneNumber = "telephoneNumber";
- lock = "nsaccountlock";
- };
- settings = mapOptionDefaults {
- id_provider = "ipa";
- auth_provider = "ipa";
- access_provider = "ipa";
- chpass_provider = "ipa";
- ipa_domain = cfg.domain;
+ in
+ mkIf cfg.enable {
+ debugLevel = mkAlmostOptionDefault ipaDebugLevel;
+ domains = {
+ ${cfg.domain} = {
+ ldap.extraAttrs.user = {
+ mail = "mail";
+ sn = "sn";
+ givenname = "givenname";
+ telephoneNumber = "telephoneNumber";
+ lock = "nsaccountlock";
+ };
+ settings =
+ mapOptionDefaults {
+ id_provider = "ipa";
+ auth_provider = "ipa";
+ access_provider = "ipa";
+ chpass_provider = "ipa";
+ ipa_domain = cfg.domain;
- ipa_server = [ "_srv_" cfg.server ];
+ ipa_server = ["_srv_" cfg.server];
- ipa_hostname = "${config.networking.hostName}.${cfg.domain}";
+ ipa_hostname = "${config.networking.hostName}.${cfg.domain}";
- cache_credentials = cfg.cacheCredentials;
+ cache_credentials = cfg.cacheCredentials;
- krb5_store_password_if_offline = cfg.offlinePasswords;
+ krb5_store_password_if_offline = cfg.offlinePasswords;
- dyndns_update = cfg.dyndns.enable;
+ dyndns_update = cfg.dyndns.enable;
- dyndns_iface = cfg.dyndns.interface;
+ dyndns_iface = cfg.dyndns.interface;
- ldap_tls_cacert = "/etc/ipa/ca.crt";
- } // {
- krb5_realm = mkIf (toLower cfg.domain != toLower cfg.realm) (mkOptionDefault cfg.realm);
+ ldap_tls_cacert = "/etc/ipa/ca.crt";
+ }
+ // {
+ krb5_realm = mkIf (toLower cfg.domain != toLower cfg.realm) (mkOptionDefault cfg.realm);
+ };
};
};
+ services = {
+ nss.settings = mapOptionDefaults {
+ homedir_substring = "/home";
+ };
+ pam.settings = mapOptionDefaults {
+ pam_pwd_expiration_warning = 3;
+ pam_verbosity = 3;
+ };
+ sudo = {
+ enable = mkAlmostOptionDefault true;
+ settings = mapOptionDefaults {
+ debug_level = ipaDebugLevel;
+ };
+ };
+ ssh.enable = mkAlmostOptionDefault true;
+ ifp = {
+ enable = mkAlmostOptionDefault true;
+ settings = mapOptionDefaults {
+ allowed_uids = cfg.ifpAllowedUids;
+ };
+ };
+ };
+ configText = mkIf (cfg.overrideConfigs.sssd) (mkAlmostOptionDefault null);
+ config = mkIf (sssd.configText != null) (mkAlmostForce sssd.configText);
};
- services = {
- nss.settings = mapOptionDefaults {
- homedir_substring = "/home";
- };
- pam.settings = mapOptionDefaults {
- pam_pwd_expiration_warning = 3;
- pam_verbosity = 3;
- };
- sudo = {
- enable = mkAlmostOptionDefault true;
- settings = mapOptionDefaults {
- debug_level = ipaDebugLevel;
- };
- };
- ssh.enable = mkAlmostOptionDefault true;
- ifp = {
- enable = mkAlmostOptionDefault true;
- settings = mapOptionDefaults {
- allowed_uids = cfg.ifpAllowedUids;
- };
- };
- };
- configText = mkIf (cfg.overrideConfigs.sssd) (mkAlmostOptionDefault null);
- config = mkIf (sssd.configText != null) (mkAlmostForce sssd.configText);
- };
config.security.krb5 = mkIf cfg.enable {
enable = mkAlmostForce false;
package = mkAlmostOptionDefault pkgs.krb5Full;
@@ -136,8 +139,9 @@ in {
};
config.environment.etc."krb5.conf" = let
inherit (config.security) krb5;
- format = import (modulesPath + "/security/krb5/krb5-conf-format.nix") { inherit pkgs lib; } { };
- in mkIf (cfg.enable && !cfg.overrideConfigs.krb5) {
- text = mkForce (format.generate "krb5.conf" krb5.settings).text;
- };
+ format = import (modulesPath + "/security/krb5/krb5-conf-format.nix") {inherit pkgs lib;} {};
+ in
+ mkIf (cfg.enable && !cfg.overrideConfigs.krb5) {
+ text = mkForce (format.generate "krb5.conf" krb5.settings).text;
+ };
}
diff --git a/modules/nixos/keycloak.nix b/modules/nixos/keycloak.nix
index 3b15701e..e13ff183 100644
--- a/modules/nixos/keycloak.nix
+++ b/modules/nixos/keycloak.nix
@@ -1,11 +1,15 @@
-{config, lib, ...}: let
+{
+ config,
+ lib,
+ ...
+}: let
inherit (lib.options) mkOption;
inherit (lib.modules) mkOptionDefault;
cfg = config.services.keycloak;
in {
options.services.keycloak = with lib.types; {
protocol = mkOption {
- type = enum [ "http" "https" ];
+ type = enum ["http" "https"];
readOnly = true;
};
port = mkOption {
@@ -14,7 +18,11 @@ in {
};
};
config.services.keycloak = {
- protocol = mkOptionDefault (if cfg.sslCertificate != null then "https" else "http");
+ protocol = mkOptionDefault (
+ if cfg.sslCertificate != null
+ then "https"
+ else "http"
+ );
port = mkOptionDefault cfg.settings."${cfg.protocol}-port";
};
}
diff --git a/modules/nixos/krb5/genso.nix b/modules/nixos/krb5/genso.nix
index d04cb8e5..8ed34ea6 100644
--- a/modules/nixos/krb5/genso.nix
+++ b/modules/nixos/krb5/genso.nix
@@ -1,4 +1,10 @@
-{ gensokyo-zone, pkgs, config, lib, ... }: let
+{
+ gensokyo-zone,
+ pkgs,
+ config,
+ lib,
+ ...
+}: let
inherit (gensokyo-zone.lib) mkBaseDn mapDefaults mkAlmostOptionDefault mapOptionDefaults domain;
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkDefault mkOptionDefault mkForce;
@@ -50,12 +56,12 @@ in {
};
};
db.backend = mkOption {
- type = enum [ "kldap" "ipa" ];
+ type = enum ["kldap" "ipa"];
default = "kldap";
};
authToLocalNames = mkOption {
type = attrsOf str;
- default = { };
+ default = {};
};
};
config = {
@@ -64,32 +70,36 @@ in {
krb5-ldap = pkgs.krb5.override {
withLdap = true;
};
- in mkIf (cfg.enable && cfg.db.backend == "kldap") (mkDefault pkgs.krb5-ldap or krb5-ldap);
+ in
+ mkIf (cfg.enable && cfg.db.backend == "kldap") (mkDefault pkgs.krb5-ldap or krb5-ldap);
settings = mkIf cfg.enable {
dbmodules = {
genso-kldap = mkIf (cfg.db.backend == "kldap") (mapDefaults {
- db_library = "kldap";
- ldap_servers = concatStringsSep " " cfg.ldap.urls;
- ldap_kdc_dn = cfg.ldap.bind.dn;
- ldap_kerberos_container_dn = cfg.ldap.baseDn;
- } // {
- ldap_service_password_file = mkIf (cfg.ldap.bind.passwordFile != null) (mkDefault cfg.ldap.bind.passwordFile);
- });
+ db_library = "kldap";
+ ldap_servers = concatStringsSep " " cfg.ldap.urls;
+ ldap_kdc_dn = cfg.ldap.bind.dn;
+ ldap_kerberos_container_dn = cfg.ldap.baseDn;
+ }
+ // {
+ ldap_service_password_file = mkIf (cfg.ldap.bind.passwordFile != null) (mkDefault cfg.ldap.bind.passwordFile);
+ });
genso-ipa = mkIf (cfg.db.backend == "ipa") (mapDefaults {
db_library = "${ipa.package}/lib/krb5/plugins/kdb/ipadb.so";
});
- ${cfg.realm} = mkIf ipa.enable (mkForce { });
- };
- realms.${cfg.realm} = mapDefaults {
- kdc = "${cfg.host}:88";
- master_kdc = "${cfg.host}:88";
- admin_server = "${cfg.host}:749";
- default_domain = cfg.domain;
- pkinit_anchors = [ "FILE:${cfg.ca.cert}" ];
- } // {
- database_module = mkOptionDefault "genso-${cfg.db.backend}";
- auth_to_local_names = mkIf (cfg.authToLocalNames != { }) (mkDefault (subsection cfg.authToLocalNames));
+ ${cfg.realm} = mkIf ipa.enable (mkForce {});
};
+ realms.${cfg.realm} =
+ mapDefaults {
+ kdc = "${cfg.host}:88";
+ master_kdc = "${cfg.host}:88";
+ admin_server = "${cfg.host}:749";
+ default_domain = cfg.domain;
+ pkinit_anchors = ["FILE:${cfg.ca.cert}"];
+ }
+ // {
+ database_module = mkOptionDefault "genso-${cfg.db.backend}";
+ auth_to_local_names = mkIf (cfg.authToLocalNames != {}) (mkDefault (subsection cfg.authToLocalNames));
+ };
domain_realm = mapOptionDefaults {
${cfg.domain} = cfg.realm;
".${cfg.domain}" = cfg.realm;
@@ -112,7 +122,8 @@ in {
url = "https://ipa.${cfg.domain}/ipa/config/ca.crt";
sha256 = "sha256-PKjnjn1jIq9x4BX8+WGkZfj4HQtmnHqmFSALqggo91o=";
};
- in mkOptionDefault caPem;
+ in
+ mkOptionDefault caPem;
db.backend = mkIf ipa.enable (mkAlmostOptionDefault "ipa");
ldap.urls = mkOptionDefault [
"ldaps://ldap.${cfg.domain}"
@@ -120,16 +131,18 @@ in {
];
};
};
- networking.timeServers = mkIf (cfg.enable && enabled) [ "2.fedora.pool.ntp.org" ];
+ networking.timeServers = mkIf (cfg.enable && enabled) ["2.fedora.pool.ntp.org"];
security.ipa = mkIf cfg.enable {
certificate = mkDefault cfg.ca.cert;
basedn = mkDefault cfg.ldap.baseDn;
domain = mkDefault cfg.domain;
realm = mkDefault cfg.realm;
server = mkDefault cfg.canonHost;
- ifpAllowedUids = [
- "root"
- ] ++ config.users.groups.wheel.members;
+ ifpAllowedUids =
+ [
+ "root"
+ ]
+ ++ config.users.groups.wheel.members;
dyndns.enable = mkDefault false;
};
};
diff --git a/modules/nixos/minecraft-bedrock.nix b/modules/nixos/minecraft-bedrock.nix
index 0c8f5c3d..532fb636 100644
--- a/modules/nixos/minecraft-bedrock.nix
+++ b/modules/nixos/minecraft-bedrock.nix
@@ -1,5 +1,11 @@
let
- allowListModule = {config, name, gensokyo-zone, lib, ...}: let
+ allowListModule = {
+ config,
+ name,
+ gensokyo-zone,
+ lib,
+ ...
+ }: let
inherit (gensokyo-zone.Std) UInt;
inherit (lib.options) mkOption;
inherit (lib.modules) mkOptionDefault;
@@ -11,10 +17,10 @@ let
default = name;
};
xuid = mkOption {
- type = oneOf [ int str ];
+ type = oneOf [int str];
};
permission = mkOption {
- type = enum [ "visitor" "member" "operator" ];
+ type = enum ["visitor" "member" "operator"];
default = "member";
};
settings = mkOption {
@@ -25,10 +31,12 @@ let
};
};
config = let
- xuid = {
- string = toString (UInt.FromHex config.xuid);
- int = toString config.xuid;
- }.${typeOf config.xuid};
+ xuid =
+ {
+ string = toString (UInt.FromHex config.xuid);
+ int = toString config.xuid;
+ }
+ .${typeOf config.xuid};
in {
settings = {
name = mkOptionDefault config.name;
@@ -41,16 +49,22 @@ let
};
};
};
- packModule = {config, lib, ...}: let
+ packModule = {
+ config,
+ lib,
+ ...
+ }: let
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkOptionDefault;
inherit (lib.strings) splitString;
inherit (builtins) typeOf;
in {
options = with lib.types; {
- enable = mkEnableOption "pack" // {
- default = true;
- };
+ enable =
+ mkEnableOption "pack"
+ // {
+ default = true;
+ };
package = mkOption {
type = nullOr package;
default = null;
@@ -59,90 +73,194 @@ let
type = str;
};
packType = mkOption {
- type = enum [ "resource_packs" "behavior_packs" ];
+ type = enum ["resource_packs" "behavior_packs"];
};
packId = mkOption {
type = str;
};
version = mkOption {
- type = oneOf [ str (listOf str) ];
+ type = oneOf [str (listOf str)];
};
settings = mkOption {
- type = attrsOf (oneOf [ str (listOf str) ]);
+ type = attrsOf (oneOf [str (listOf str)]);
};
};
config = {
- packId = mkIf (config.package != null && config.package ? minecraft-bedrock.pack.pack_id) (mkOptionDefault
+ packId = mkIf (config.package != null && config.package ? minecraft-bedrock.pack.pack_id) (
+ mkOptionDefault
config.package.minecraft-bedrock.pack.pack_id
);
- packType = mkIf (config.package != null && config.package ? minecraft-bedrock.pack.type) (mkOptionDefault
+ packType = mkIf (config.package != null && config.package ? minecraft-bedrock.pack.type) (
+ mkOptionDefault
config.package.minecraft-bedrock.pack.type
);
- version = mkIf (config.package != null && config.package ? minecraft-bedrock.pack.version) (mkOptionDefault
+ version = mkIf (config.package != null && config.package ? minecraft-bedrock.pack.version) (
+ mkOptionDefault
config.package.minecraft-bedrock.pack.version
);
- packDir = mkIf (config.package != null && config.package ? minecraft-bedrock.pack.dir) (mkOptionDefault
+ packDir = mkIf (config.package != null && config.package ? minecraft-bedrock.pack.dir) (
+ mkOptionDefault
config.package.minecraft-bedrock.pack.dir
);
settings = {
pack_id = mkOptionDefault config.packId;
- version = mkOptionDefault {
- string = splitString "." config.version;
- list = config.version;
- }.${typeOf config.version};
+ version =
+ mkOptionDefault
+ {
+ string = splitString "." config.version;
+ list = config.version;
+ }
+ .${typeOf config.version};
};
};
};
-in { config, gensokyo-zone, lib, pkgs, ... }: let
- # see https://gist.github.com/datakurre/cfdf627fb23ed8ff62bb7b3520b92674
- inherit (gensokyo-zone.lib) mapOptionDefaults;
- inherit (lib.options) mkOption mkPackageOption;
- inherit (lib.modules) mkIf mkMerge mkOptionDefault;
- inherit (lib.attrsets) filterAttrs mapAttrsToList;
- inherit (lib.lists) optional;
- inherit (lib.strings) concatStringsSep;
- inherit (lib.trivial) boolToString;
- inherit (lib.meta) getExe;
- inherit (builtins) toJSON;
- cfg = config.services.minecraft-bedrock-server;
+in
+ {
+ config,
+ gensokyo-zone,
+ lib,
+ pkgs,
+ ...
+ }: let
+ # see https://gist.github.com/datakurre/cfdf627fb23ed8ff62bb7b3520b92674
+ inherit (gensokyo-zone.lib) mapOptionDefaults;
+ inherit (lib.options) mkOption mkPackageOption;
+ inherit (lib.modules) mkIf mkMerge mkOptionDefault;
+ inherit (lib.attrsets) filterAttrs mapAttrsToList;
+ inherit (lib.lists) optional;
+ inherit (lib.strings) concatStringsSep;
+ inherit (lib.trivial) boolToString;
+ inherit (lib.meta) getExe;
+ inherit (builtins) toJSON;
+ cfg = config.services.minecraft-bedrock-server;
- cfgToString = v: if builtins.isBool v then boolToString v else toString v;
+ cfgToString = v:
+ if builtins.isBool v
+ then boolToString v
+ else toString v;
- serverPropertiesFile = pkgs.writeText "server.properties" (''
- # server.properties managed by NixOS configuration
- '' + concatStringsSep "\n" (mapAttrsToList
- (n: v: "${n}=${cfgToString v}") cfg.serverProperties));
-in {
- options.services.minecraft-bedrock-server = with lib.types; {
- enable = mkOption {
- type = bool;
- default = false;
- description = ''
- If enabled, start a Minecraft Bedrock Server. The server
- data will be loaded from and saved to
- .
- '';
+ serverPropertiesFile = pkgs.writeText "server.properties" (''
+ # server.properties managed by NixOS configuration
+ ''
+ + concatStringsSep "\n" (mapAttrsToList
+ (n: v: "${n}=${cfgToString v}")
+ cfg.serverProperties));
+ in {
+ options.services.minecraft-bedrock-server = with lib.types; {
+ enable = mkOption {
+ type = bool;
+ default = false;
+ description = ''
+ If enabled, start a Minecraft Bedrock Server. The server
+ data will be loaded from and saved to
+ .
+ '';
+ };
+
+ dataDir = mkOption {
+ type = path;
+ default = "/var/lib/minecraft-bedrock";
+ description = ''
+ Directory to store Minecraft Bedrock database and other state/data files.
+ '';
+ };
+
+ serverProperties = mkOption {
+ type = attrsOf (oneOf [bool int str float]);
+ example = literalExample ''
+ {
+ server-name = "Dedicated Server";
+ gamemode = "survival";
+ difficulty = "easy";
+ allow-cheats = false;
+ max-players = 10;
+ online-mode = false;
+ white-list = false;
+ server-port = 19132;
+ server-portv6 = 19133;
+ view-distance = 32;
+ tick-distance = 4;
+ player-idle-timeout = 30;
+ max-threads = 8;
+ level-name = "Bedrock level";
+ level-seed = "";
+ default-player-permission-level = "member";
+ texturepack-required = false;
+ content-log-file-enabled = false;
+ compression-threshold = 1;
+ server-authoritative-movement = "server-auth";
+ player-movement-score-threshold = 20;
+ player-movement-distance-threshold = 0.3;
+ player-movement-duration-threshold-in-ms = 500;
+ correct-player-movement = false;
+ }
+ '';
+ description = ''
+ Minecraft Bedrock server properties for the server.properties file.
+ '';
+ };
+
+ package =
+ mkPackageOption pkgs "minecraft-bedrock-server" {}
+ // {
+ description = "Version of minecraft-bedrock-server to run.";
+ };
+
+ openFirewall = mkOption {
+ type = bool;
+ default = false;
+ };
+
+ user = mkOption {
+ type = str;
+ default = "minecraft-bedrock";
+ };
+ group = mkOption {
+ type = str;
+ default = cfg.user;
+ };
+
+ allowPlayers = mkOption {
+ type = nullOr (attrsOf (submoduleWith {
+ modules = [allowListModule];
+ specialArgs = {
+ inherit gensokyo-zone;
+ nixosConfig = config;
+ };
+ }));
+ default = null;
+ };
+
+ allowList = mkOption {
+ type = nullOr path;
+ };
+
+ permissions = mkOption {
+ type = nullOr path;
+ };
+
+ packs = mkOption {
+ type = attrsOf (submoduleWith {
+ modules = [packModule];
+ specialArgs = {
+ inherit gensokyo-zone;
+ nixosConfig = config;
+ };
+ });
+ default = {};
+ };
};
- dataDir = mkOption {
- type = path;
- default = "/var/lib/minecraft-bedrock";
- description = ''
- Directory to store Minecraft Bedrock database and other state/data files.
- '';
- };
-
- serverProperties = mkOption {
- type = attrsOf (oneOf [ bool int str float ]);
- example = literalExample ''
- {
+ config = let
+ confService.services.minecraft-bedrock-server = {
+ serverProperties = mapOptionDefaults {
server-name = "Dedicated Server";
gamemode = "survival";
difficulty = "easy";
allow-cheats = false;
max-players = 10;
online-mode = false;
- white-list = false;
+ allow-list = cfg.allowList != null;
server-port = 19132;
server-portv6 = 19133;
view-distance = 32;
@@ -160,191 +278,118 @@ in {
player-movement-distance-threshold = 0.3;
player-movement-duration-threshold-in-ms = 500;
correct-player-movement = false;
- }
- '';
- description = ''
- Minecraft Bedrock server properties for the server.properties file.
- '';
- };
-
- package = mkPackageOption pkgs "minecraft-bedrock-server" { }// {
- description = "Version of minecraft-bedrock-server to run.";
- };
-
- openFirewall = mkOption {
- type = bool;
- default = false;
- };
-
- user = mkOption {
- type = str;
- default = "minecraft-bedrock";
- };
- group = mkOption {
- type = str;
- default = cfg.user;
- };
-
- allowPlayers = mkOption {
- type = nullOr (attrsOf (submoduleWith {
- modules = [ allowListModule ];
- specialArgs = {
- inherit gensokyo-zone;
- nixosConfig = config;
};
- }));
- default = null;
- };
-
- allowList = mkOption {
- type = nullOr path;
- };
-
- permissions = mkOption {
- type = nullOr path;
- };
-
- packs = mkOption {
- type = attrsOf (submoduleWith {
- modules = [ packModule ];
- specialArgs = {
- inherit gensokyo-zone;
- nixosConfig = config;
- };
- });
- default = { };
- };
- };
-
- config = let
- confService.services.minecraft-bedrock-server = {
- serverProperties = mapOptionDefaults {
- server-name = "Dedicated Server";
- gamemode = "survival";
- difficulty = "easy";
- allow-cheats = false;
- max-players = 10;
- online-mode = false;
- allow-list = cfg.allowList != null;
- server-port = 19132;
- server-portv6 = 19133;
- view-distance = 32;
- tick-distance = 4;
- player-idle-timeout = 30;
- max-threads = 8;
- level-name = "Bedrock level";
- level-seed = "";
- default-player-permission-level = "member";
- texturepack-required = false;
- content-log-file-enabled = false;
- compression-threshold = 1;
- server-authoritative-movement = "server-auth";
- player-movement-score-threshold = 20;
- player-movement-distance-threshold = 0.3;
- player-movement-duration-threshold-in-ms = 500;
- correct-player-movement = false;
+ allowList = let
+ allowPlayers = mapAttrsToList (_: allow: allow.settings) cfg.allowPlayers;
+ allowListJson = pkgs.writeText "minecraft-bedrock-server-allowlist.json" (
+ toJSON allowPlayers
+ );
+ in
+ mkOptionDefault (
+ if cfg.allowPlayers != null
+ then allowListJson
+ else null
+ );
+ permissions = let
+ permissions = mapAttrsToList (_: allow: allow.permissionSettings) cfg.allowPlayers;
+ permissionsJson = pkgs.writeText "minecraft-bedrock-server-permissions.json" (
+ toJSON permissions
+ );
+ in
+ mkOptionDefault (
+ if cfg.allowPlayers != null
+ then permissionsJson
+ else null
+ );
};
- allowList = let
- allowPlayers = mapAttrsToList (_: allow: allow.settings) cfg.allowPlayers;
- allowListJson = pkgs.writeText "minecraft-bedrock-server-allowlist.json" (
- toJSON allowPlayers
- );
- in mkOptionDefault (
- if cfg.allowPlayers != null then allowListJson
- else null
- );
- permissions = let
- permissions = mapAttrsToList (_: allow: allow.permissionSettings) cfg.allowPlayers;
- permissionsJson = pkgs.writeText "minecraft-bedrock-server-permissions.json" (
- toJSON permissions
- );
- in mkOptionDefault (
- if cfg.allowPlayers != null then permissionsJson
- else null
- );
- };
- conf.users.users.${cfg.user} = {
- inherit (cfg) group;
- description = "Minecraft server service user";
- home = cfg.dataDir;
- createHome = true;
- isSystemUser = true;
- };
- conf.users.groups.${cfg.group} = {};
+ conf.users.users.${cfg.user} = {
+ inherit (cfg) group;
+ description = "Minecraft server service user";
+ home = cfg.dataDir;
+ createHome = true;
+ isSystemUser = true;
+ };
+ conf.users.groups.${cfg.group} = {};
- conf.systemd.services.minecraft-bedrock-server = {
- description = "Minecraft Bedrock Server Service";
- wantedBy = [ "multi-user.target" ];
- after = [ "network.target" ];
+ conf.systemd.services.minecraft-bedrock-server = {
+ description = "Minecraft Bedrock Server Service";
+ wantedBy = ["multi-user.target"];
+ after = ["network.target"];
- serviceConfig = {
- BindReadOnlyPaths = let
- packageResources = map (subpath: "${cfg.package}/var/lib/minecraft-bedrock/${subpath}:${cfg.dataDir}/${subpath}") ([
- "definitions/attachables"
- "definitions/biomes"
- "definitions/feature_rules"
- "definitions/features"
- "definitions/persona"
- "definitions/sdl_layouts"
- "definitions/spawn_groups"
- "resource_packs/vanilla"
- "resource_packs/chemistry"
- "config/default"
- "bedrock_server_symbols.debug"
- "env-vars"
- ] ++ optional (cfg.permissions == null) "permissions.json");
- mkWorldPacks = type: let
- enabledPacks = filterAttrs (_: pack: pack.enable && pack.packType == "${type}_packs") cfg.packs;
- jsonName = "world_${type}_packs.json";
- packsJson = mapAttrsToList (_: pack: pack.settings) enabledPacks;
- packsJsonPath = pkgs.writeText jsonName (toJSON packsJson);
- in mkIf (enabledPacks != { }) [
- "${packsJsonPath}:${cfg.dataDir}/worlds/${cfg.serverProperties.level-name}/${jsonName}"
+ serviceConfig = {
+ BindReadOnlyPaths = let
+ packageResources = map (subpath: "${cfg.package}/var/lib/minecraft-bedrock/${subpath}:${cfg.dataDir}/${subpath}") ([
+ "definitions/attachables"
+ "definitions/biomes"
+ "definitions/feature_rules"
+ "definitions/features"
+ "definitions/persona"
+ "definitions/sdl_layouts"
+ "definitions/spawn_groups"
+ "resource_packs/vanilla"
+ "resource_packs/chemistry"
+ "config/default"
+ "bedrock_server_symbols.debug"
+ "env-vars"
+ ]
+ ++ optional (cfg.permissions == null) "permissions.json");
+ mkWorldPacks = type: let
+ enabledPacks = filterAttrs (_: pack: pack.enable && pack.packType == "${type}_packs") cfg.packs;
+ jsonName = "world_${type}_packs.json";
+ packsJson = mapAttrsToList (_: pack: pack.settings) enabledPacks;
+ packsJsonPath = pkgs.writeText jsonName (toJSON packsJson);
+ in
+ mkIf (enabledPacks != {}) [
+ "${packsJsonPath}:${cfg.dataDir}/worlds/${cfg.serverProperties.level-name}/${jsonName}"
+ ];
+ mapWorldPacks = packs: let
+ enabledPacks = filterAttrs (_: pack: pack.enable && pack.package != null) packs;
+ mapPackPath = _: pack: let
+ subDir = "${pack.packType}/${pack.packDir}";
+ in "${pack.package}/${cfg.package.dataDir}/${subDir}:${cfg.dataDir}/${subDir}";
+ in
+ mapAttrsToList mapPackPath enabledPacks;
+ packsPaths = mkMerge [
+ (mkWorldPacks "behavior")
+ (mkWorldPacks "resource")
+ (mapWorldPacks cfg.packs)
+ ];
+ in
+ mkMerge [
+ packageResources
+ (mkIf (cfg.allowList != null) ["${cfg.allowList}:${cfg.dataDir}/allowlist.json"])
+ (mkIf (cfg.permissions != null) ["${cfg.permissions}:${cfg.dataDir}/permissions.json"])
+ (mkIf (cfg.packs != {}) packsPaths)
+ ];
+ ExecStart = [
+ "${getExe cfg.package}"
];
- mapWorldPacks = packs: let
- enabledPacks = filterAttrs (_: pack: pack.enable && pack.package != null) packs;
- mapPackPath = _: pack: let
- subDir = "${pack.packType}/${pack.packDir}";
- in "${pack.package}/${cfg.package.dataDir}/${subDir}:${cfg.dataDir}/${subDir}";
- in mapAttrsToList mapPackPath enabledPacks;
- packsPaths = mkMerge [
- (mkWorldPacks "behavior")
- (mkWorldPacks "resource")
- (mapWorldPacks cfg.packs)
+ Restart = "always";
+ User = cfg.user;
+ WorkingDirectory = cfg.dataDir;
+ LogFilterPatterns = [
+ "~.*minecraft:trial_chambers/chamber/end"
+ "~Running AutoCompaction"
];
- in mkMerge [
- packageResources
- (mkIf (cfg.allowList != null) [ "${cfg.allowList}:${cfg.dataDir}/allowlist.json" ])
- (mkIf (cfg.permissions != null) [ "${cfg.permissions}:${cfg.dataDir}/permissions.json" ])
- (mkIf (cfg.packs != { }) packsPaths)
- ];
- ExecStart = [
- "${getExe cfg.package}"
- ];
- Restart = "always";
- User = cfg.user;
- WorkingDirectory = cfg.dataDir;
- LogFilterPatterns = [
- "~.*minecraft:trial_chambers/chamber/end"
- "~Running AutoCompaction"
- ];
+ };
+
+ preStart = ''
+ mkdir -p behavior_packs
+ ln -sf ${cfg.package}/var/lib/minecraft-bedrock/behavior_packs/* behavior_packs/
+ cp -f ${serverPropertiesFile} server.properties
+ chmod +w server.properties
+ '';
};
- preStart = ''
- mkdir -p behavior_packs
- ln -sf ${cfg.package}/var/lib/minecraft-bedrock/behavior_packs/* behavior_packs/
- cp -f ${serverPropertiesFile} server.properties
- chmod +w server.properties
- '';
- };
-
- conf.networking.firewall = let
- ports = [ cfg.serverProperties.server-port cfg.serverProperties.server-portv6 ];
- in mkIf cfg.openFirewall {
- allowedUDPPorts = ports;
- };
- in mkMerge [
- confService
- (mkIf cfg.enable conf)
- ];
-}
+ conf.networking.firewall = let
+ ports = [cfg.serverProperties.server-port cfg.serverProperties.server-portv6];
+ in
+ mkIf cfg.openFirewall {
+ allowedUDPPorts = ports;
+ };
+ in
+ mkMerge [
+ confService
+ (mkIf cfg.enable conf)
+ ];
+ }
diff --git a/modules/nixos/network/netgroups.nix b/modules/nixos/network/netgroups.nix
index 60d2fd77..2373234e 100644
--- a/modules/nixos/network/netgroups.nix
+++ b/modules/nixos/network/netgroups.nix
@@ -9,14 +9,18 @@
inherit (lib.strings) concatStringsSep;
inherit (config.system) nssDatabases;
inherit (config) networking;
- netgroupMemberModule = { config, name, ... }: {
+ netgroupMemberModule = {
+ config,
+ name,
+ ...
+ }: {
options = with lib.types; {
hostname = mkOption {
type = str;
default = name;
};
user = mkOption {
- type = either (enum [ null "-" ]) str;
+ type = either (enum [null "-"]) str;
default = "-";
};
domain = mkOption {
@@ -32,7 +36,11 @@
triple = mkOptionDefault "(${config.hostname},${toString config.user},${config.domain})";
};
};
- netgroupModule = { config, name, ... }: {
+ netgroupModule = {
+ config,
+ name,
+ ...
+ }: {
options = with lib.types; {
name = mkOption {
type = str;
@@ -40,14 +48,14 @@
};
members = mkOption {
type = attrsOf (submodule netgroupMemberModule);
- default = { };
+ default = {};
};
fileLine = mkOption {
type = str;
};
};
config = {
- fileLine = mkOptionDefault (concatStringsSep " " ([ config.name ] ++ mapAttrsToList (_: member: member.triple) config.members));
+ fileLine = mkOptionDefault (concatStringsSep " " ([config.name] ++ mapAttrsToList (_: member: member.triple) config.members));
};
};
in {
@@ -60,7 +68,7 @@ in {
networking = {
netgroups = mkOption {
type = attrsOf (submodule netgroupModule);
- default = { };
+ default = {};
};
extraNetgroups = mkOption {
type = lines;
@@ -71,17 +79,17 @@ in {
config = {
system.nssDatabases = {
netgroup = mkMerge [
- (mkBefore [ "files" ])
- (mkAfter [ "nis" ])
+ (mkBefore ["files"])
+ (mkAfter ["nis"])
];
};
- environment.etc."nsswitch.conf".text = mkIf (nssDatabases.netgroup != [ ]) (mkAfter ''
+ environment.etc."nsswitch.conf".text = mkIf (nssDatabases.netgroup != []) (mkAfter ''
netgroup: ${concatStringsSep " " nssDatabases.netgroup}
'');
- environment.etc."netgroup" = mkIf (networking.netgroups != { } || networking.extraNetgroups != "") {
+ environment.etc."netgroup" = mkIf (networking.netgroups != {} || networking.extraNetgroups != "") {
text = mkMerge (
mapAttrsToList (_: ng: ng.fileLine) networking.netgroups
- ++ [ networking.extraNetgroups ]
+ ++ [networking.extraNetgroups]
);
};
};
diff --git a/modules/nixos/network/resolve.nix b/modules/nixos/network/resolve.nix
index 6e122f02..7192959f 100644
--- a/modules/nixos/network/resolve.nix
+++ b/modules/nixos/network/resolve.nix
@@ -1,4 +1,8 @@
-{config, lib, ...}: let
+{
+ config,
+ lib,
+ ...
+}: let
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkOptionDefault;
inherit (lib.lists) filter optional;
@@ -7,21 +11,32 @@
enabledNameservers = filter (ns: ns.enable) (config.networking.nameservers');
nameserverModule = {config, ...}: let
dnsPort = 53;
- mkResolvedValue = { address, port, interface ? null, host ? null }: let
+ mkResolvedValue = {
+ address,
+ port,
+ interface ? null,
+ host ? null,
+ }: let
isIpv6 = hasInfix ":" address;
isPlain = port == dnsPort && interface == null && host == null;
- addr = if isIpv6 && !isPlain then "[${address}]" else address;
- in concatStrings (
- [ addr ]
- ++ optional (port != dnsPort) ":${toString port}"
- ++ optional (interface != null) "%${interface}"
- ++ optional (host != null) "#${host}"
- );
+ addr =
+ if isIpv6 && !isPlain
+ then "[${address}]"
+ else address;
+ in
+ concatStrings (
+ [addr]
+ ++ optional (port != dnsPort) ":${toString port}"
+ ++ optional (interface != null) "%${interface}"
+ ++ optional (host != null) "#${host}"
+ );
in {
options = with lib.types; {
- enable = mkEnableOption "nameserver" // {
- default = true;
- };
+ enable =
+ mkEnableOption "nameserver"
+ // {
+ default = true;
+ };
address = mkOption {
type = str;
};
@@ -59,12 +74,16 @@ in {
options.networking = with lib.types; {
nameservers' = mkOption {
type = listOf (submodule nameserverModule);
- default = { };
+ default = {};
};
};
config = {
- networking.nameservers = mkIf (config.networking.nameservers' != [ ]) (
- map (ns: if resolved.enable then ns.resolvedValue else ns.value) enabledNameservers
+ networking.nameservers = mkIf (config.networking.nameservers' != []) (
+ map (ns:
+ if resolved.enable
+ then ns.resolvedValue
+ else ns.value)
+ enabledNameservers
);
};
}
diff --git a/modules/nixos/nfs.nix b/modules/nixos/nfs.nix
index 8a845f67..22dd51ea 100644
--- a/modules/nixos/nfs.nix
+++ b/modules/nixos/nfs.nix
@@ -21,16 +21,20 @@
(mkIf (cfg.server.mountdPort != null) cfg.server.mountdPort)
];
concatFlags = concatStringsSep ",";
- clientModule = { config, name, ... }: {
+ clientModule = {
+ config,
+ name,
+ ...
+ }: {
options = with lib.types; {
machine = mkOption {
- type = oneOf [ str (listOf str) ];
+ type = oneOf [str (listOf str)];
default = name;
example = "*";
};
flags = mkOption {
type = listOf str;
- default = [ ];
+ default = [];
};
entry = mkOption {
type = str;
@@ -38,12 +42,17 @@
};
config = {
entry = let
- flags = optionalString (config.flags != [ ]) "(${concatFlags config.flags})";
+ flags = optionalString (config.flags != []) "(${concatFlags config.flags})";
machines = toList config.machine;
- in mkOptionDefault (concatMapStringsSep " " (machine: machine + flags) machines);
+ in
+ mkOptionDefault (concatMapStringsSep " " (machine: machine + flags) machines);
};
};
- exportModule = { config, name, ... }: {
+ exportModule = {
+ config,
+ name,
+ ...
+ }: {
options = with lib.types; {
path = mkOption {
type = path;
@@ -60,12 +69,14 @@
};
};
config = {
- flags = mkOptionDefault (cfg.export.flagSets.common or [ ]);
+ flags = mkOptionDefault (cfg.export.flagSets.common or []);
fileLine = let
- parts = [ config.path ]
- ++ optional (config.flags != [ ]) "-${concatFlags config.flags}"
+ parts =
+ [config.path]
+ ++ optional (config.flags != []) "-${concatFlags config.flags}"
++ mapAttrsToList (_: client: client.entry) config.clients;
- in mkOptionDefault (concatStringsSep " " parts);
+ in
+ mkOptionDefault (concatStringsSep " " parts);
};
};
in {
@@ -74,15 +85,15 @@ in {
flagSets = mkOption {
type = lazyAttrsOf (listOf str);
default = {
- common = [ "no_subtree_check" ];
+ common = ["no_subtree_check"];
};
};
root = mkOption {
type = nullOr (submodule [
exportModule
- ({ ... }: {
+ ({...}: {
flags = mkMerge [
- (cfg.export.flagSets.common or [ ])
+ (cfg.export.flagSets.common or [])
];
})
]);
@@ -90,7 +101,7 @@ in {
};
paths = mkOption {
type = attrsOf (submodule exportModule);
- default = { };
+ default = {};
};
};
};
diff --git a/modules/nixos/nftables.nix b/modules/nixos/nftables.nix
index 7c2958a0..54a8c685 100644
--- a/modules/nixos/nftables.nix
+++ b/modules/nixos/nftables.nix
@@ -111,7 +111,7 @@
};
conditions = mkOption {
type = types.listOf types.str;
- default = [ "iifname ${name}" ];
+ default = ["iifname ${name}"];
};
};
};
diff --git a/modules/nixos/nginx/enable.nix b/modules/nixos/nginx/enable.nix
index 611d8e6e..f2eacb47 100644
--- a/modules/nixos/nginx/enable.nix
+++ b/modules/nixos/nginx/enable.nix
@@ -1,28 +1,33 @@
-{
- lib,
- ...
-}: let
+{lib, ...}: let
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkOverride;
mkExtraForce = mkOverride 25;
- locationModule = { config, virtualHost, ... }: {
+ locationModule = {
+ config,
+ virtualHost,
+ ...
+ }: {
options = with lib.types; {
- enable = mkEnableOption "enable location" // {
- default = true;
- };
+ enable =
+ mkEnableOption "enable location"
+ // {
+ default = true;
+ };
};
config = mkIf (!virtualHost.enable || !config.enable) {
extraConfig = mkExtraForce "deny all;";
};
};
- hostModule = { config, ... }: {
+ hostModule = {config, ...}: {
options = with lib.types; {
- enable = mkEnableOption "enable server" // {
- default = true;
- };
+ enable =
+ mkEnableOption "enable server"
+ // {
+ default = true;
+ };
locations = mkOption {
type = attrsOf (submoduleWith {
- modules = [ locationModule ];
+ modules = [locationModule];
shorthandOnlyDefinesConfig = true;
});
};
@@ -39,7 +44,7 @@ in {
options = with lib.types; {
services.nginx.virtualHosts = mkOption {
type = attrsOf (submoduleWith {
- modules = [ hostModule ];
+ modules = [hostModule];
shorthandOnlyDefinesConfig = true;
});
};
diff --git a/modules/nixos/nginx/fastcgi.nix b/modules/nixos/nginx/fastcgi.nix
index 313dc10d..21005172 100644
--- a/modules/nixos/nginx/fastcgi.nix
+++ b/modules/nixos/nginx/fastcgi.nix
@@ -30,7 +30,7 @@ let
};
passHeaders = mkOption {
type = attrsOf bool;
- default = { };
+ default = {};
description = "fastcgi_pass_header";
};
socket = mkOption {
@@ -43,7 +43,8 @@ let
config = {
fastcgi = {
- socket = mkIf (cfg.phpfpmPool != null) (mkAlmostOptionDefault
+ socket = mkIf (cfg.phpfpmPool != null) (
+ mkAlmostOptionDefault
nixosConfig.services.phpfpm.pools.${cfg.phpfpmPool}.socket
);
params = mapOptionDefaults {
@@ -60,18 +61,24 @@ let
extraConfig = let
passHeadersConfig = map (header: "fastcgi_pass_header ${xvars.escapeString header};") passHeaders;
paramsConfig = mapAttrsToList (param: value: mkJustAfter "fastcgi_param ${param} ${xvars.escapeString value};") params;
- in mkIf cfg.enable (mkMerge ([
- (mkIf cfg.includeDefaults (mkAlmostBefore ''
- include ${nginx.package}/conf/fastcgi.conf;
- ''))
- (mkIf (cfg.socket != null) (mkJustAfter ''
- fastcgi_pass unix:${cfg.socket};
- ''))
- ] ++ passHeadersConfig
- ++ paramsConfig));
+ in
+ mkIf cfg.enable (mkMerge ([
+ (mkIf cfg.includeDefaults (mkAlmostBefore ''
+ include ${nginx.package}/conf/fastcgi.conf;
+ ''))
+ (mkIf (cfg.socket != null) (mkJustAfter ''
+ fastcgi_pass unix:${cfg.socket};
+ ''))
+ ]
+ ++ passHeadersConfig
+ ++ paramsConfig));
};
};
- hostModule = {config, lib, ...}: let
+ hostModule = {
+ config,
+ lib,
+ ...
+ }: let
inherit (lib.options) mkOption;
in {
options = with lib.types; {
@@ -80,15 +87,13 @@ let
};
};
};
-in {
- lib,
- ...
-}: let
- inherit (lib.options) mkOption;
-in {
- options = with lib.types; {
- services.nginx.virtualHosts = mkOption {
- type = attrsOf (submodule [hostModule]);
+in
+ {lib, ...}: let
+ inherit (lib.options) mkOption;
+ in {
+ options = with lib.types; {
+ services.nginx.virtualHosts = mkOption {
+ type = attrsOf (submodule [hostModule]);
+ };
};
- };
-}
+ }
diff --git a/modules/nixos/nginx/headers.nix b/modules/nixos/nginx/headers.nix
index 8723e2ef..b28687fb 100644
--- a/modules/nixos/nginx/headers.nix
+++ b/modules/nixos/nginx/headers.nix
@@ -1,5 +1,12 @@
let
- locationModule = { config, virtualHost, xvars, gensokyo-zone, lib, ... }: let
+ locationModule = {
+ config,
+ virtualHost,
+ xvars,
+ gensokyo-zone,
+ lib,
+ ...
+ }: let
inherit (gensokyo-zone.lib) mapOptionDefaults;
inherit (lib.options) mkOption;
inherit (lib.modules) mkIf mkMerge mkAfter mkOptionDefault;
@@ -13,25 +20,32 @@ let
default = true;
};
set = mkOption {
- type = attrsOf (nullOr (oneOf [ str (listOf str) ]));
+ type = attrsOf (nullOr (oneOf [str (listOf str)]));
};
};
config = let
mkHeader = name: value:
- if isList value then mkMerge (map (mkHeader name) value)
+ if isList value
+ then mkMerge (map (mkHeader name) value)
else mkAfter "add_header ${name} ${xvars.escapeString value};";
setHeaders = mapAttrsToList (name: value: mkIf (value != null) (mkHeader name value)) cfg.set;
in {
headers = {
set = mkMerge [
- (mkOptionDefault { })
+ (mkOptionDefault {})
(mkIf cfg.inheritServerDefaults (mapOptionDefaults virtualHost.headers.set))
];
};
extraConfig = mkMerge setHeaders;
};
};
- hostModule = { config, nixosConfig, gensokyo-zone, lib, ... }: let
+ hostModule = {
+ config,
+ nixosConfig,
+ gensokyo-zone,
+ lib,
+ ...
+ }: let
inherit (gensokyo-zone.lib) mapOptionDefaults;
inherit (lib.options) mkOption;
inherit (nixosConfig.services) nginx;
@@ -39,12 +53,12 @@ let
options = with lib.types; {
headers = {
set = mkOption {
- type = attrsOf (nullOr (oneOf [ str (listOf str) ]));
+ type = attrsOf (nullOr (oneOf [str (listOf str)]));
};
};
locations = mkOption {
type = attrsOf (submoduleWith {
- modules = [ locationModule ];
+ modules = [locationModule];
shorthandOnlyDefinesConfig = true;
});
};
@@ -55,22 +69,20 @@ let
};
};
};
-in {
- lib,
- ...
-}: let
- inherit (lib.options) mkOption;
-in {
- options.services.nginx = with lib.types; {
- headers = {
- set = mkOption {
- type = attrsOf (nullOr (oneOf [ str (listOf str) ]));
- default = {
+in
+ {lib, ...}: let
+ inherit (lib.options) mkOption;
+ in {
+ options.services.nginx = with lib.types; {
+ headers = {
+ set = mkOption {
+ type = attrsOf (nullOr (oneOf [str (listOf str)]));
+ default = {
+ };
};
};
+ virtualHosts = mkOption {
+ type = attrsOf (submodule [hostModule]);
+ };
};
- virtualHosts = mkOption {
- type = attrsOf (submodule [hostModule]);
- };
- };
-}
+ }
diff --git a/modules/nixos/nginx/listen.nix b/modules/nixos/nginx/listen.nix
index 6390efaf..d583e098 100644
--- a/modules/nixos/nginx/listen.nix
+++ b/modules/nixos/nginx/listen.nix
@@ -10,11 +10,18 @@
inherit (lib.attrsets) attrValues mapAttrs;
inherit (lib.lists) optional filter concatMap;
inherit (config.services) nginx;
- listenModule = { config, virtualHost, listenKind, ... }: {
+ listenModule = {
+ config,
+ virtualHost,
+ listenKind,
+ ...
+ }: {
options = with lib.types; {
- enable = mkEnableOption "this port" // {
- default = true;
- };
+ enable =
+ mkEnableOption "this port"
+ // {
+ default = true;
+ };
addr = mkOption {
type = nullOr str;
default = null;
@@ -34,7 +41,7 @@
};
extraParameters = mkOption {
type = listOf str;
- default = [ ];
+ default = [];
};
proxyProtocol = mkOption {
type = bool;
@@ -59,11 +66,13 @@
(mkIf (listenKind == "streamServer" && !config.ssl && virtualHost.ssl.enable && virtualHost.ssl.force != false) (mkForce false))
];
port = mkIf (listenKind == "virtualHost") (mkOptionDefault (
- if config.ssl then nginx.defaultSSLListenPort else nginx.defaultHTTPListenPort
+ if config.ssl
+ then nginx.defaultSSLListenPort
+ else nginx.defaultHTTPListenPort
));
addresses = mkMerge [
(mkOptionDefault virtualHost.listenAddresses')
- (mkIf (config.addr != null) (mkAlmostOptionDefault [ config.addr ]))
+ (mkIf (config.addr != null) (mkAlmostOptionDefault [config.addr]))
];
listenParameters = mkOptionDefault (
optional config.ssl "ssl"
@@ -74,26 +83,44 @@
);
listenConfigs = let
# TODO: handle quic listener..?
- mkListenHost = { addr, port }: let
+ mkListenHost = {
+ addr,
+ port,
+ }: let
host =
- if addr != null then "${mkAddress6 addr}:${toString port}"
+ if addr != null
+ then "${mkAddress6 addr}:${toString port}"
else toString port;
- in assert port != null; host;
+ in
+ assert port != null; host;
mkDirective = addr: let
- host = mkListenHost { inherit addr; inherit (config) port; };
- in mkMerge (
- [ (mkBefore host) ]
- ++ config.listenParameters
- );
- in mkOptionDefault (map (mkDirective) config.addresses);
+ host = mkListenHost {
+ inherit addr;
+ inherit (config) port;
+ };
+ in
+ mkMerge (
+ [(mkBefore host)]
+ ++ config.listenParameters
+ );
+ in
+ mkOptionDefault (map mkDirective config.addresses);
listenDirectives = mkMerge (map (conf: mkOptionDefault "listen ${conf};") config.listenConfigs);
};
};
- listenType = { specialArgs, modules ? [ ] }: lib.types.submoduleWith {
- inherit specialArgs;
- modules = [ listenModule ] ++ modules;
- };
- hostModule = { nixosConfig, config, ... }: let
+ listenType = {
+ specialArgs,
+ modules ? [],
+ }:
+ lib.types.submoduleWith {
+ inherit specialArgs;
+ modules = [listenModule] ++ modules;
+ };
+ hostModule = {
+ nixosConfig,
+ config,
+ ...
+ }: let
cfg = attrValues config.listen';
enabledCfg = filter (port: port.enable) cfg;
mkListen = listen: addr: let
@@ -101,7 +128,8 @@
inherit addr;
inherit (listen) port ssl extraParameters proxyProtocol;
};
- in mapAttrs (_: mkAlmostOptionDefault) listenAttrs;
+ in
+ mapAttrs (_: mkAlmostOptionDefault) listenAttrs;
mkListens = listen: map (mkListen listen) listen.addresses;
in {
options = with lib.types; {
@@ -113,7 +141,7 @@
listenKind = "virtualHost";
};
});
- default = { };
+ default = {};
};
listenAddresses' = mkOption {
type = listOf str;
@@ -122,16 +150,22 @@
};
config = {
- enable = mkIf (cfg != [ ] && enabledCfg == [ ]) (mkForce false);
+ enable = mkIf (cfg != [] && enabledCfg == []) (mkForce false);
listenAddresses' = mkOptionDefault (
- if config.listenAddresses != [ ] then config.listenAddresses else nginx.defaultListenAddresses
+ if config.listenAddresses != []
+ then config.listenAddresses
+ else nginx.defaultListenAddresses
);
- listen = mkIf (cfg != { }) (mkAlmostOptionDefault (
- concatMap (mkListens) enabledCfg
+ listen = mkIf (cfg != {}) (mkAlmostOptionDefault (
+ concatMap mkListens enabledCfg
));
};
};
- streamServerModule = { nixosConfig, config, ... }: let
+ streamServerModule = {
+ nixosConfig,
+ config,
+ ...
+ }: let
enabledListen = filter (port: port.enable) (attrValues config.listen);
in {
options = with lib.types; {
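Review bot: `listen = mkIf (cfg != {}) (mkAlmostOptionDefault (` compares a list against an empty attrset: `cfg` is `attrValues config.listen'` (defined in the hunk above), so the guard is always true and the definition is applied even when there are no listen entries, whereas `enable = mkIf (cfg != [] && enabledCfg == []) ...` two lines earlier uses the list form. The effect is probably harmless (an empty list at almost-default priority), but the guard is dead code and the reformat carried it over unchanged. Suggest `listen = mkIf (cfg != []) (mkAlmostOptionDefault (`. The enclosing hostModule starts outside this hunk.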
@@ -144,7 +178,7 @@
listenKind = "streamServer";
};
});
- default = { };
+ default = {};
};
listenAddresses = mkOption {
type = nullOr (listOf str);
@@ -163,11 +197,13 @@
};
config = {
- enable = mkIf (config.listen != { } && enabledListen == [ ]) (mkForce false);
+ enable = mkIf (config.listen != {} && enabledListen == []) (mkForce false);
listenAddresses' = mkOptionDefault (
- if config.listenAddresses != null then config.listenAddresses else nginx.defaultListenAddresses
+ if config.listenAddresses != null
+ then config.listenAddresses
+ else nginx.defaultListenAddresses
);
- streamConfig = mkIf (config.listen != { }) (mkMerge (
+ streamConfig = mkIf (config.listen != {}) (mkMerge (
map (listen: mkBefore listen.listenDirectives) enabledListen
));
};
@@ -176,13 +212,13 @@ in {
options.services.nginx = with lib.types; {
virtualHosts = mkOption {
type = attrsOf (submoduleWith {
- modules = [ hostModule ];
+ modules = [hostModule];
shorthandOnlyDefinesConfig = true;
});
};
stream.servers = mkOption {
type = attrsOf (submoduleWith {
- modules = [ streamServerModule ];
+ modules = [streamServerModule];
shorthandOnlyDefinesConfig = false;
});
};
diff --git a/modules/nixos/nginx/local.nix b/modules/nixos/nginx/local.nix
index 19540252..ea0f0c74 100644
--- a/modules/nixos/nginx/local.nix
+++ b/modules/nixos/nginx/local.nix
@@ -8,55 +8,62 @@
inherit (lib.strings) concatMapStringsSep optionalString;
inherit (config.services) tailscale;
inherit (config.networking.access) cidrForNetwork localaddrs;
- mkAddrVar = remoteAddr: varPrefix: ''
- set ${varPrefix}tailscale 0;
- '' + optionalString tailscale.enable ''
- if (${remoteAddr} ~ "^fd7a:115c:a1e0:(:|ab12:)") {
- set ${varPrefix}tailscale 1;
- }
- if (${remoteAddr} ~ "^100\.(6[4-9]|([7-9]|1[01])[0-9]|12[0-7])\.[0-9]+\.[0-9]+") {
- set ${varPrefix}tailscale 1;
- }
- '' + ''
- set ${varPrefix}lan 0;
- if (${remoteAddr} ~ "^10\.1\.1\.[0-9]+") {
- set ${varPrefix}lan 1;
- }
- if (${remoteAddr} ~ "^fd0a::") {
- set ${varPrefix}lan 1;
- }
- if (${remoteAddr} ~ "^fe80::") {
- set ${varPrefix}lan 1;
- }
- set ${varPrefix}int 0;
- if (${remoteAddr} ~ "^10\.9\.1\.[0-9]+") {
- set ${varPrefix}lan 1;
- }
- if (${remoteAddr} ~ "^fd0c::") {
- set ${varPrefix}int 1;
- }
- set ${varPrefix}localhost 0;
- if (${remoteAddr} = "::1") {
- set ${varPrefix}localhost 1;
- }
- if (${remoteAddr} ~ "127\.0\.0\.[0-9]+") {
- set ${varPrefix}localhost 1;
- }
- set ${varPrefix}client 0;
- if (${varPrefix}tailscale) {
- set ${varPrefix}client 1;
- }
- if (${varPrefix}lan) {
- set ${varPrefix}client 1;
- }
- if (${varPrefix}int) {
- set ${varPrefix}client 1;
- }
- if (${varPrefix}localhost) {
- set ${varPrefix}client 1;
- }
- '';
- localModule = {config, xvars, ...}: let
+ mkAddrVar = remoteAddr: varPrefix:
+ ''
+ set ${varPrefix}tailscale 0;
+ ''
+ + optionalString tailscale.enable ''
+ if (${remoteAddr} ~ "^fd7a:115c:a1e0:(:|ab12:)") {
+ set ${varPrefix}tailscale 1;
+ }
+ if (${remoteAddr} ~ "^100\.(6[4-9]|([7-9]|1[01])[0-9]|12[0-7])\.[0-9]+\.[0-9]+") {
+ set ${varPrefix}tailscale 1;
+ }
+ ''
+ + ''
+ set ${varPrefix}lan 0;
+ if (${remoteAddr} ~ "^10\.1\.1\.[0-9]+") {
+ set ${varPrefix}lan 1;
+ }
+ if (${remoteAddr} ~ "^fd0a::") {
+ set ${varPrefix}lan 1;
+ }
+ if (${remoteAddr} ~ "^fe80::") {
+ set ${varPrefix}lan 1;
+ }
+ set ${varPrefix}int 0;
+ if (${remoteAddr} ~ "^10\.9\.1\.[0-9]+") {
+ set ${varPrefix}lan 1;
+ }
+ if (${remoteAddr} ~ "^fd0c::") {
+ set ${varPrefix}int 1;
+ }
+ set ${varPrefix}localhost 0;
+ if (${remoteAddr} = "::1") {
+ set ${varPrefix}localhost 1;
+ }
+ if (${remoteAddr} ~ "127\.0\.0\.[0-9]+") {
+ set ${varPrefix}localhost 1;
+ }
+ set ${varPrefix}client 0;
+ if (${varPrefix}tailscale) {
+ set ${varPrefix}client 1;
+ }
+ if (${varPrefix}lan) {
+ set ${varPrefix}client 1;
+ }
+ if (${varPrefix}int) {
+ set ${varPrefix}client 1;
+ }
+ if (${varPrefix}localhost) {
+ set ${varPrefix}client 1;
+ }
+ '';
+ localModule = {
+ config,
+ xvars,
+ ...
+ }: let
cfg = config.local;
in {
options.local = with lib.types; {
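Review bot: Under `set ${varPrefix}int 0;` the `10\.9\.1\.` match sets `${varPrefix}lan 1;` rather than `int`, which looks like a copy-paste slip carried through the reformat: every other block sets the variable it just initialised, and the sibling `fd0c::` match does set `int`. As written `$local_int` stays 0 for IPv4 internal clients (they still reach `client 1` via `lan`), so anything keyed on `$local_int` specifically misclassifies them; suggest `set ${varPrefix}int 1;`. The localhost pattern `"127\.0\.0\.[0-9]+"` is also the only one without a leading `^`; if that is deliberate (e.g. to match an IPv4-mapped form), a short comment saying so would stop the next reader "fixing" it. The `let` enclosing mkAddrVar starts outside this hunk.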
@@ -97,11 +104,12 @@
${allows}
deny all;
'';
- in mkMerge [
- (mkIf cfg.emitDenyGlobal (mkBefore allowDirectives))
- (mkIf cfg.emitVars (mkBefore (mkAddrVar "$remote_addr" "$local_")))
- (mkIf (cfg.emitVars && config.xvars.enable) (mkBefore (mkAddrVar (xvars.remote_addr.get) "$x_local_")))
- ];
+ in
+ mkMerge [
+ (mkIf cfg.emitDenyGlobal (mkBefore allowDirectives))
+ (mkIf cfg.emitVars (mkBefore (mkAddrVar "$remote_addr" "$local_")))
+ (mkIf (cfg.emitVars && config.xvars.enable) (mkBefore (mkAddrVar (xvars.remote_addr.get) "$x_local_")))
+ ];
};
};
locationModule = {
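Review bot: The `$x_local_*` variables are built from `xvars.remote_addr.get`, an address taken from forwarded request data rather than the TCP peer, so they are only as trustworthy as whatever populates `xvars.remote_addr`, which is not visible in this hunk. If any allow/deny logic keys off `$x_local_client`, it is worth documenting that assumption next to the `mkAddrVar (xvars.remote_addr.get) "$x_local_"` line, e.g. `# $x_local_* classifies the proxy-forwarded client address; meaningful only for requests that arrived via a trusted proxied listener`. The enclosing config block starts outside this hunk.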
diff --git a/modules/nixos/nginx/lua.nix b/modules/nixos/nginx/lua.nix
index 41a7334a..5a9a72fd 100644
--- a/modules/nixos/nginx/lua.nix
+++ b/modules/nixos/nginx/lua.nix
@@ -1,4 +1,9 @@
-{pkgs, config, lib, ...}: let
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}: let
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkMerge mkAfter mkOptionDefault;
inherit (lib.strings) hasPrefix;
@@ -10,7 +15,8 @@
luaModule = {config, ...}: let
cfg = config.lua;
mkSetBy = var: value:
- if hasPrefix "/" "${value}" then "set_by_lua_file \$${var} ${value};"
+ if hasPrefix "/" "${value}"
+ then "set_by_lua_file \$${var} ${value};"
else ''
set_by_lua_block ''$${var} {
${value}
@@ -25,12 +31,12 @@
};
files = mkOption {
type = listOf path;
- default = [ ];
+ default = [];
};
};
set = mkOption {
type = attrsOf (either path lines);
- default = { };
+ default = {};
};
};
config = {
@@ -40,25 +46,27 @@
${cfg.access.block}
}
''))
- (mkIf (cfg.access.files != [ ]) (assert lua.http.enable; mkMerge (
- map (file: "access_by_lua_file ${file};") cfg.access.files
- )))
- (mkIf (cfg.set != { }) (assert lua.http.enable && lua.ndk.enable; mkMerge (
- mapAttrsToList mkSetBy cfg.set
- )))
+ (mkIf (cfg.access.files != []) (assert lua.http.enable;
+ mkMerge (
+ map (file: "access_by_lua_file ${file};") cfg.access.files
+ )))
+ (mkIf (cfg.set != {}) (assert lua.http.enable && lua.ndk.enable;
+ mkMerge (
+ mapAttrsToList mkSetBy cfg.set
+ )))
];
};
};
locationModule = {config, ...}: {
- imports = [ luaModule ];
+ imports = [luaModule];
};
hostModule = {config, ...}: {
- imports = [ luaModule ];
+ imports = [luaModule];
options = with lib.types; {
locations = mkOption {
type = attrsOf (submoduleWith {
- modules = [ locationModule ];
+ modules = [locationModule];
shorthandOnlyDefinesConfig = true;
});
};
@@ -84,7 +92,7 @@ in {
};
virtualHosts = mkOption {
type = attrsOf (submoduleWith {
- modules = [ hostModule ];
+ modules = [hostModule];
shorthandOnlyDefinesConfig = true;
});
};
@@ -92,18 +100,20 @@ in {
config = {
services.nginx = {
lua = {
- modules = [
- cfg.luaPackage.pkgs.lua-resty-core
- ] ++ cfg.luaPackage.pkgs.lua-resty-core.propagatedBuildInputs;
+ modules =
+ [
+ cfg.luaPackage.pkgs.lua-resty-core
+ ]
+ ++ cfg.luaPackage.pkgs.lua-resty-core.propagatedBuildInputs;
luaPath = mkMerge (
map luaPkgPath cfg.modules
- ++ [ (mkAfter ";") ]
+ ++ [(mkAfter ";")]
);
};
additionalModules = mkMerge [
- (mkIf cfg.ndk.enable [ pkgs.nginxModules.develkit ])
- (mkIf cfg.http.enable [ pkgs.nginxModules.lua ])
- (mkIf cfg.upstream.enable [ pkgs.nginxModules.lua-upstream ])
+ (mkIf cfg.ndk.enable [pkgs.nginxModules.develkit])
+ (mkIf cfg.http.enable [pkgs.nginxModules.lua])
+ (mkIf cfg.upstream.enable [pkgs.nginxModules.lua-upstream])
];
};
systemd.services.nginx = mkIf config.services.nginx.enable {
diff --git a/modules/nixos/nginx/name.nix b/modules/nixos/nginx/name.nix
index da342dca..07fd80ce 100644
--- a/modules/nixos/nginx/name.nix
+++ b/modules/nixos/nginx/name.nix
@@ -46,18 +46,21 @@
config = {
name = {
qualifier = mkOptionDefault (
- if config.local.enable then "local"
+ if config.local.enable
+ then "local"
else null
);
includeTailscale = mkOptionDefault (
config.local.enable && tailscale.enable && cfg.qualifier != "tail"
);
localName = mkOptionDefault (
- if cfg.includeLocal then "${cfg.shortServer}.local.${networking.domain}"
+ if cfg.includeLocal
+ then "${cfg.shortServer}.local.${networking.domain}"
else null
);
tailscaleName = mkOptionDefault (
- if cfg.includeTailscale then "${cfg.shortServer}.tail.${networking.domain}"
+ if cfg.includeTailscale
+ then "${cfg.shortServer}.tail.${networking.domain}"
else null
);
};
@@ -71,7 +74,7 @@
(mkIf (cfg.tailscaleName != null) cfg.tailscaleName)
]);
allServerNames = mkOptionDefault (filter (name: ! hasPrefix "@" name) (
- [ config.serverName ] ++ config.serverAliases
+ [config.serverName] ++ config.serverAliases
));
otherServerNames = mkOptionDefault (filter (name: ! hasPrefix "@" name) (
config.serverAliases
diff --git a/modules/nixos/nginx/preread.nix b/modules/nixos/nginx/preread.nix
index e76f4d73..916f8454 100644
--- a/modules/nixos/nginx/preread.nix
+++ b/modules/nixos/nginx/preread.nix
@@ -1,5 +1,12 @@
let
- serverModule = {config, nixosConfig, name, gensokyo-zone, lib, ...}: let
+ serverModule = {
+ config,
+ nixosConfig,
+ name,
+ gensokyo-zone,
+ lib,
+ ...
+ }: let
inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkBefore mkOptionDefault;
@@ -13,7 +20,7 @@ let
enable = mkEnableOption "ngx_stream_ssl_preread_module";
upstream = mkOption {
type = str;
- default = "$preread_" + replaceStrings [ "'" ] [ "_" ] name;
+ default = "$preread_" + replaceStrings ["'"] ["_"] name;
};
upstreams = mkOption {
type = nullOr (attrsOf str);
@@ -25,9 +32,10 @@ let
config = let
inherit (nginx.stream) upstreams;
mkUpstream = host: upstream: "${host} ${upstreams.${upstream}.name};";
- upstreams' = removeAttrs cfg.upstreams [ "default" ];
- upstreamLines = mapAttrsToList mkUpstream upstreams'
- ++ optional (cfg.upstreams ? default) (mkUpstream "default" cfg.upstreams.default);
+ upstreams' = removeAttrs cfg.upstreams ["default"];
+ upstreamLines =
+ mapAttrsToList mkUpstream upstreams'
+ ++ optional (cfg.upstreams ? default) (mkUpstream "default" cfg.upstreams.default);
in {
ssl.preread = {
streamConfig = mkIf (cfg.upstreams != null) ''
@@ -46,59 +54,65 @@ let
serverBlock = mkIf cfg.enable (mkOptionDefault (mkBefore cfg.streamConfig));
};
};
-in {config, gensokyo-zone, lib, ...}: let
- inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
- inherit (lib.options) mkOption mkEnableOption;
- inherit (lib.modules) mkIf mkDefault mkOptionDefault;
- cfg = config.services.nginx.ssl.preread;
-in {
- options.services.nginx = with lib.types; {
- ssl.preread = {
- enable = mkEnableOption "ssl preread";
- listenPort = mkOption {
- type = port;
- default = 444;
- };
- serverPort = mkOption {
- type = port;
- default = 443;
- };
- serverName = mkOption {
- type = str;
- default = "preread'https";
- };
- upstreamName = mkOption {
- type = str;
- default = "preread'nginx";
- };
- };
- stream.servers = mkOption {
- type = attrsOf (submoduleWith {
- modules = [serverModule];
- shorthandOnlyDefinesConfig = false;
- });
- };
- };
- config = {
- services.nginx = {
- defaultSSLListenPort = mkIf cfg.enable cfg.listenPort;
- stream = {
- upstreams.${cfg.upstreamName} = mkIf cfg.enable {
- ssl.enable = true;
- servers.access = {
- addr = mkDefault "localhost";
- port = mkOptionDefault cfg.listenPort;
- };
+in
+ {
+ config,
+ gensokyo-zone,
+ lib,
+ ...
+ }: let
+ inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
+ inherit (lib.options) mkOption mkEnableOption;
+ inherit (lib.modules) mkIf mkDefault mkOptionDefault;
+ cfg = config.services.nginx.ssl.preread;
+ in {
+ options.services.nginx = with lib.types; {
+ ssl.preread = {
+ enable = mkEnableOption "ssl preread";
+ listenPort = mkOption {
+ type = port;
+ default = 444;
};
- servers.${cfg.serverName} = {
- enable = mkIf (!cfg.enable) (mkAlmostOptionDefault false);
- listen.https.port = cfg.serverPort;
- ssl.preread = {
- enable = true;
- upstreams.default = mkOptionDefault cfg.upstreamName;
+ serverPort = mkOption {
+ type = port;
+ default = 443;
+ };
+ serverName = mkOption {
+ type = str;
+ default = "preread'https";
+ };
+ upstreamName = mkOption {
+ type = str;
+ default = "preread'nginx";
+ };
+ };
+ stream.servers = mkOption {
+ type = attrsOf (submoduleWith {
+ modules = [serverModule];
+ shorthandOnlyDefinesConfig = false;
+ });
+ };
+ };
+ config = {
+ services.nginx = {
+ defaultSSLListenPort = mkIf cfg.enable cfg.listenPort;
+ stream = {
+ upstreams.${cfg.upstreamName} = mkIf cfg.enable {
+ ssl.enable = true;
+ servers.access = {
+ addr = mkDefault "localhost";
+ port = mkOptionDefault cfg.listenPort;
+ };
+ };
+ servers.${cfg.serverName} = {
+ enable = mkIf (!cfg.enable) (mkAlmostOptionDefault false);
+ listen.https.port = cfg.serverPort;
+ ssl.preread = {
+ enable = true;
+ upstreams.default = mkOptionDefault cfg.upstreamName;
+ };
};
};
};
};
- };
-}
+ }
diff --git a/modules/nixos/nginx/proxied.nix b/modules/nixos/nginx/proxied.nix
index 5d0e9281..abb1740a 100644
--- a/modules/nixos/nginx/proxied.nix
+++ b/modules/nixos/nginx/proxied.nix
@@ -1,5 +1,5 @@
let
- xHeadersProxied = { xvars }: ''
+ xHeadersProxied = {xvars}: ''
${xvars.init "forwarded_for" "$proxy_add_x_forwarded_for"}
if ($http_x_forwarded_proto) {
${xvars.init "scheme" "$http_x_forwarded_proto"}
@@ -18,7 +18,14 @@ let
${xvars.init "forwarded_server" "$http_x_forwarded_server"}
}
'';
- locationModule = { config, virtualHost, xvars, gensokyo-zone, lib, ... }: let
+ locationModule = {
+ config,
+ virtualHost,
+ xvars,
+ gensokyo-zone,
+ lib,
+ ...
+ }: let
inherit (gensokyo-zone.lib) mkJustBefore mkAlmostOptionDefault;
inherit (lib.options) mkOption;
inherit (lib.modules) mkIf mkMerge mkOptionDefault;
@@ -27,7 +34,7 @@ let
options = with lib.types; {
proxied = {
enable = mkOption {
- type = enum [ false true "cloudflared" ];
+ type = enum [false true "cloudflared"];
default = false;
};
enabled = mkOption {
@@ -60,12 +67,19 @@ let
xvars.enable = mkIf cfg.enabled true;
extraConfig = mkMerge [
(mkIf emitVars (
- mkJustBefore (xHeadersProxied { inherit xvars; })
+ mkJustBefore (xHeadersProxied {inherit xvars;})
))
];
};
};
- hostModule = { config, nixosConfig, xvars, gensokyo-zone, lib, ... }: let
+ hostModule = {
+ config,
+ nixosConfig,
+ xvars,
+ gensokyo-zone,
+ lib,
+ ...
+ }: let
inherit (gensokyo-zone.lib) mkAlmostOptionDefault orderJustBefore unmerged;
inherit (lib.options) mkOption;
inherit (lib.modules) mkIf mkOrder mkDefault;
@@ -75,7 +89,7 @@ let
options = with lib.types; {
proxied = {
enable = mkOption {
- type = enum [ false true "cloudflared" ];
+ type = enum [false true "cloudflared"];
default = false;
};
enabled = mkOption {
@@ -93,7 +107,7 @@ let
};
locations = mkOption {
type = attrsOf (submoduleWith {
- modules = [ locationModule ];
+ modules = [locationModule];
shorthandOnlyDefinesConfig = true;
});
};
@@ -105,14 +119,23 @@ let
proxied = {
cloudflared = let
listen = config.listen'.proxied;
- scheme = if listen.ssl then "https" else "http";
- in mkIf (cfg.enable == "cloudflared") {
- ingressSettings.${config.serverName} = {
- service = "${scheme}://localhost:${toString listen.port}";
- originRequest.${if scheme == "https" then "noTLSVerify" else null} = true;
+ scheme =
+ if listen.ssl
+ then "https"
+ else "http";
+ in
+ mkIf (cfg.enable == "cloudflared") {
+ ingressSettings.${config.serverName} = {
+ service = "${scheme}://localhost:${toString listen.port}";
+ originRequest.${
+ if scheme == "https"
+ then "noTLSVerify"
+ else null
+ } =
+ true;
+ };
+ getIngress = {}: unmerged.mergeAttrs cfg.cloudflared.ingressSettings;
};
- getIngress = {}: unmerged.mergeAttrs cfg.cloudflared.ingressSettings;
- };
};
xvars.enable = mkIf cfg.enabled true;
local.denyGlobal = mkIf listenProxied (mkDefault true);
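Review bot: The `originRequest.${ if scheme == "https" then "noTLSVerify" else null } = true;` definition disables TLS verification for the cloudflared origin whenever the proxied listener is SSL, with no comment on why that is acceptable; a why-comment would let the next reader judge the risk, e.g. `# origin is nginx on localhost over the proxied listener; presumably its certificate does not cover the public hostname — confirm`. The same comment could note that a `null` dynamic attribute name omits the attribute entirely, which is what makes the `else null` branch work. The enclosing hostModule config block starts outside this hunk.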
@@ -123,74 +146,75 @@ let
};
};
extraConfig = mkIf (cfg.enabled && config.xvars.enable) (
- mkOrder (orderJustBefore + 25) (xHeadersProxied { inherit xvars; })
+ mkOrder (orderJustBefore + 25) (xHeadersProxied {inherit xvars;})
);
};
};
-in {
- config,
- system,
- gensokyo-zone,
- lib,
- ...
-}: let
- inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
- inherit (lib.options) mkOption mkEnableOption;
- inherit (lib.modules) mkIf mkOptionDefault;
- inherit (lib.attrsets) attrValues;
- inherit (lib.lists) any;
- inherit (config.services) nginx;
- cfg = nginx.proxied;
-in {
- options.services.nginx = with lib.types; {
- proxied = {
- enable = mkEnableOption "proxy";
- listenAddr = mkOption {
- type = str;
- default = "[::]";
+in
+ {
+ config,
+ system,
+ gensokyo-zone,
+ lib,
+ ...
+ }: let
+ inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
+ inherit (lib.options) mkOption mkEnableOption;
+ inherit (lib.modules) mkIf mkOptionDefault;
+ inherit (lib.attrsets) attrValues;
+ inherit (lib.lists) any;
+ inherit (config.services) nginx;
+ cfg = nginx.proxied;
+ in {
+ options.services.nginx = with lib.types; {
+ proxied = {
+ enable = mkEnableOption "proxy";
+ listenAddr = mkOption {
+ type = str;
+ default = "[::]";
+ };
+ listenPort = mkOption {
+ type = port;
+ default = 9080;
+ };
};
- listenPort = mkOption {
- type = port;
- default = 9080;
+ virtualHosts = mkOption {
+ type = attrsOf (submodule [hostModule]);
};
};
- virtualHosts = mkOption {
- type = attrsOf (submodule [hostModule]);
- };
- };
- config = {
- services.nginx = let
- warnEnable = lib.warnIf (cfg.enable != hasProxiedHosts) "services.nginx.proxied.enable expected to be set";
- hasProxiedHosts = any (virtualHost: virtualHost.enable && virtualHost.proxied.enabled) (attrValues nginx.virtualHosts);
- in {
- upstreams' = {
- nginx'proxied = mkIf (warnEnable cfg.enable) {
- servers.local = {
- accessService = {
- system = system.name;
- name = "nginx";
- port = "proxied";
+ config = {
+ services.nginx = let
+ warnEnable = lib.warnIf (cfg.enable != hasProxiedHosts) "services.nginx.proxied.enable expected to be set";
+ hasProxiedHosts = any (virtualHost: virtualHost.enable && virtualHost.proxied.enabled) (attrValues nginx.virtualHosts);
+ in {
+ upstreams' = {
+ nginx'proxied = mkIf (warnEnable cfg.enable) {
+ servers.local = {
+ accessService = {
+ system = system.name;
+ name = "nginx";
+ port = "proxied";
+ };
};
};
};
- };
- virtualHosts = {
- fallback'proxied = mkIf cfg.enable {
- serverName = null;
- reuseport = mkAlmostOptionDefault true;
- default = mkAlmostOptionDefault true;
- listen'.proxied = {
- addr = mkAlmostOptionDefault cfg.listenAddr;
- port = mkAlmostOptionDefault cfg.listenPort;
+ virtualHosts = {
+ fallback'proxied = mkIf cfg.enable {
+ serverName = null;
+ reuseport = mkAlmostOptionDefault true;
+ default = mkAlmostOptionDefault true;
+ listen'.proxied = {
+ addr = mkAlmostOptionDefault cfg.listenAddr;
+ port = mkAlmostOptionDefault cfg.listenPort;
+ };
+ locations."/".extraConfig = mkAlmostOptionDefault ''
+ return 502;
+ '';
};
- locations."/".extraConfig = mkAlmostOptionDefault ''
- return 502;
- '';
};
};
+ networking.firewall.interfaces.lan = mkIf nginx.enable {
+ allowedTCPPorts = mkIf cfg.enable [cfg.listenPort];
+ };
};
- networking.firewall.interfaces.lan = mkIf nginx.enable {
- allowedTCPPorts = mkIf cfg.enable [ cfg.listenPort ];
- };
- };
-}
+ }
diff --git a/modules/nixos/nginx/proxy.nix b/modules/nixos/nginx/proxy.nix
index c4741ed6..a46232a1 100644
--- a/modules/nixos/nginx/proxy.nix
+++ b/modules/nixos/nginx/proxy.nix
@@ -1,5 +1,12 @@
let
- proxyModule = {config, name, options, gensokyo-zone, lib, ...}: let
+ proxyModule = {
+ config,
+ name,
+ options,
+ gensokyo-zone,
+ lib,
+ ...
+ }: let
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkMerge mkAfter mkOptionDefault;
inherit (lib.strings) optionalString;
@@ -32,21 +39,38 @@ let
]);
};
};
- serverModule = {config, name, options, gensokyo-zone, lib, ...}: let
+ serverModule = {
+ config,
+ name,
+ options,
+ gensokyo-zone,
+ lib,
+ ...
+ }: let
inherit (lib.modules) mkIf mkAfter;
cfg = config.proxy;
in {
- imports = [ proxyModule ];
+ imports = [proxyModule];
config = let
warnProxy = lib.warnIf (!cfg.enable && options.proxy.url.isDefined) "nginx.stream.servers.${name}.proxy.url set without proxy.enable";
in {
- streamConfig = warnProxy (mkIf cfg.enable (mkAfter
+ streamConfig = warnProxy (mkIf cfg.enable (
+ mkAfter
"proxy_pass ${cfg.url};"
));
};
};
- locationModule = { config, nixosConfig, name, virtualHost, xvars, gensokyo-zone, lib, ... }: let
+ locationModule = {
+ config,
+ nixosConfig,
+ name,
+ virtualHost,
+ xvars,
+ gensokyo-zone,
+ lib,
+ ...
+ }: let
inherit (gensokyo-zone.lib) mkJustBefore mkJustAfter mkAlmostOptionDefault mapOptionDefaults coalesce parseUrl;
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkMerge mkBefore mkOptionDefault;
@@ -57,7 +81,7 @@ let
inherit (nixosConfig.services) nginx;
cfg = config.proxy;
in {
- imports = [ proxyModule ];
+ imports = [proxyModule];
options = with lib.types; {
proxy = {
@@ -75,9 +99,11 @@ let
host = mkOption {
type = nullOr str;
};
- websocket.enable = mkEnableOption "websocket proxy" // {
- default = cfg.inheritServerDefaults && virtualHost.proxy.websocket.enable;
- };
+ websocket.enable =
+ mkEnableOption "websocket proxy"
+ // {
+ default = cfg.inheritServerDefaults && virtualHost.proxy.websocket.enable;
+ };
parsed = {
scheme = mkOption {
type = nullOr str;
@@ -94,7 +120,7 @@ let
};
headers = {
enableRecommended = mkOption {
- type = enum [ true false "nixpkgs" ];
+ type = enum [true false "nixpkgs"];
};
rewriteReferer.enable = mkEnableOption "rewrite referer host";
set = mkOption {
@@ -102,7 +128,7 @@ let
};
hide = mkOption {
type = attrsOf bool;
- default = { };
+ default = {};
};
};
redirect = {
@@ -121,7 +147,7 @@ let
};
};
config = let
- emitHeaders = setHeaders' != { };
+ emitHeaders = setHeaders' != {};
url = parseUrl config.proxyPass;
upstream = nginx.upstreams'.${cfg.upstream};
upstreamServer = upstream.servers.${upstream.defaultServerName};
@@ -129,7 +155,10 @@ let
hasUpstream = cfg.upstream != null && !dynamicUpstream;
hasUpstreamServer = upstream.defaultServerName != null;
recommendedHeaders = {
- Host = if cfg.host == null then xvars.get.proxy_hostport else cfg.host;
+ Host =
+ if cfg.host == null
+ then xvars.get.proxy_hostport
+ else cfg.host;
Referer = xvars.get.referer;
X-Real-IP = xvars.get.remote_addr;
X-Forwarded-For = xvars.get.forwarded_for;
@@ -137,12 +166,15 @@ let
X-Forwarded-Host = xvars.get.host;
X-Forwarded-Server = xvars.get.forwarded_server;
};
- schemePort = {
- http = 80;
- https = 443;
- }.${cfg.parsed.scheme} or (throw "unsupported proxy_scheme ${toString cfg.parsed.scheme}");
- upstreamHost = coalesce ([ upstream.host ] ++ optional hasUpstreamServer upstreamServer.addr);
- port = coalesce [ cfg.parsed.port schemePort ];
+ schemePort =
+ {
+ http = 80;
+ https = 443;
+ }
+ .${cfg.parsed.scheme}
+ or (throw "unsupported proxy_scheme ${toString cfg.parsed.scheme}");
+ upstreamHost = coalesce ([upstream.host] ++ optional hasUpstreamServer upstreamServer.addr);
+ port = coalesce [cfg.parsed.port schemePort];
hostport = cfg.parsed.host + optionalString (port != schemePort) ":${toString port}";
initProxyVars = let
initScheme = xvars.init "proxy_scheme" config.xvars.defaults.proxy_scheme;
@@ -174,8 +206,12 @@ let
${xvars.init "proxy_hostport" xvars.get.proxy_host}
}
'';
- init = if cfg.upstream != null then initUpstream else initDynamic;
- in init;
+ init =
+ if cfg.upstream != null
+ then initUpstream
+ else initDynamic;
+ in
+ init;
hostHeader = coalesce [
cfg.headers.set.Host or null
cfg.host
@@ -191,8 +227,9 @@ let
'';
setHeaders' = filterAttrs (_: header: header != null) cfg.headers.set;
setHeaders = concatStringsSep "\n" (mapAttrsToList (
- name: value: "proxy_set_header ${name} ${xvars.escapeString value};"
- ) setHeaders');
+ name: value: "proxy_set_header ${name} ${xvars.escapeString value};"
+ )
+ setHeaders');
hideHeaders = mapAttrsToList (header: hide: mkIf hide "proxy_hide_header ${xvars.escapeString header};") cfg.headers.hide;
in {
xvars = {
@@ -210,12 +247,16 @@ let
url = mkIf (cfg.inheritServerDefaults && virtualHost.proxy.url != null) (mkOptionDefault virtualHost.proxy.url);
headers = {
enableRecommended = mkOptionDefault (
- if cfg.enable && (!cfg.inheritServerDefaults || virtualHost.proxy.headers.enableRecommended != false) then true
- else if cfg.inheritServerDefaults then virtualHost.proxy.headers.enableRecommended
- else if nginx.recommendedProxySettings then "nixpkgs" else false
+ if cfg.enable && (!cfg.inheritServerDefaults || virtualHost.proxy.headers.enableRecommended != false)
+ then true
+ else if cfg.inheritServerDefaults
+ then virtualHost.proxy.headers.enableRecommended
+ else if nginx.recommendedProxySettings
+ then "nixpkgs"
+ else false
);
set = mkMerge [
- (mkOptionDefault { })
+ (mkOptionDefault {})
(mkIf (cfg.headers.enableRecommended == true) (mapOptionDefaults recommendedHeaders))
(mkIf (cfg.host != null) {
Host = mkIf (cfg.headers.enableRecommended != "nixpkgs") (mkAlmostOptionDefault cfg.host);
@@ -230,8 +271,10 @@ let
];
};
host = mkOptionDefault (
- if cfg.inheritServerDefaults && virtualHost.proxy.host != null then virtualHost.proxy.host
- else if cfg.headers.enableRecommended == false then null
+ if cfg.inheritServerDefaults && virtualHost.proxy.host != null
+ then virtualHost.proxy.host
+ else if cfg.headers.enableRecommended == false
+ then null
else xvars.get.host
);
parsed = {
@@ -242,11 +285,13 @@ let
mapNullable (_: url.path) config.proxyPass
);
host = mkOptionDefault (
- if hasUpstream then assert url.host == upstream.name; upstreamHost
+ if hasUpstream
+ then assert url.host == upstream.name; upstreamHost
else mapNullable (_: url.host) config.proxyPass
);
port = mkOptionDefault (
- if hasUpstream && hasUpstreamServer && url.port == null then assert url.host == upstream.name; upstreamServer.port
+ if hasUpstream && hasUpstreamServer && url.port == null
+ then assert url.host == upstream.name; upstreamServer.port
else mapNullable (_: url.port) config.proxyPass
);
};
@@ -254,15 +299,22 @@ let
proxyPass = mkIf cfg.enable (mkAlmostOptionDefault (removeSuffix "/" cfg.url + cfg.path));
recommendedProxySettings = mkAlmostOptionDefault (cfg.headers.enableRecommended == "nixpkgs");
extraConfig = mkIf cfg.enabled (mkMerge ([
- (mkIf virtualHost.xvars.enable (mkJustBefore initProxyVars))
- (mkIf (cfg.headers.rewriteReferer.enable) (mkJustBefore rewriteReferer))
- (mkIf (cfg.redirect.enable) (mkBefore redirect))
- (mkIf (emitHeaders) (mkJustAfter setHeaders))
- (mkIf cfg.websocket.enable "proxy_cache_bypass $http_upgrade;")
- ] ++ hideHeaders));
+ (mkIf virtualHost.xvars.enable (mkJustBefore initProxyVars))
+ (mkIf (cfg.headers.rewriteReferer.enable) (mkJustBefore rewriteReferer))
+ (mkIf (cfg.redirect.enable) (mkBefore redirect))
+ (mkIf emitHeaders (mkJustAfter setHeaders))
+ (mkIf cfg.websocket.enable "proxy_cache_bypass $http_upgrade;")
+ ]
+ ++ hideHeaders));
};
};
- hostModule = { config, nixosConfig, gensokyo-zone, lib, ... }: let
+ hostModule = {
+ config,
+ nixosConfig,
+ gensokyo-zone,
+ lib,
+ ...
+ }: let
inherit (gensokyo-zone.lib) mapOptionDefaults mapAlmostOptionDefaults;
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkOptionDefault;
@@ -288,13 +340,16 @@ let
};
websocket.enable = mkEnableOption "websocket proxy";
headers.enableRecommended = mkOption {
- type = enum [ true false "nixpkgs" ];
- default = if nginx.recommendedProxySettings then "nixpkgs" else false;
+ type = enum [true false "nixpkgs"];
+ default =
+ if nginx.recommendedProxySettings
+ then "nixpkgs"
+ else false;
};
};
locations = mkOption {
type = attrsOf (submoduleWith {
- modules = [ locationModule ];
+ modules = [locationModule];
shorthandOnlyDefinesConfig = true;
});
};
@@ -303,16 +358,18 @@ let
needsReferer = loc: loc.proxy.enabled && loc.proxy.headers.rewriteReferer.enable;
confCopy = let
proxyHost = nginx.virtualHosts.${cfg.copyFromVhost};
- in mapAlmostOptionDefaults {
- inherit (proxyHost.proxy) host url upstream;
- } // {
- websocket = mapAlmostOptionDefaults {
- inherit (proxyHost.proxy.websocket) enable;
+ in
+ mapAlmostOptionDefaults {
+ inherit (proxyHost.proxy) host url upstream;
+ }
+ // {
+ websocket = mapAlmostOptionDefaults {
+ inherit (proxyHost.proxy.websocket) enable;
+ };
+ headers = mapAlmostOptionDefaults {
+ inherit (proxyHost.proxy.headers) enableRecommended;
+ };
};
- headers = mapAlmostOptionDefaults {
- inherit (proxyHost.proxy.headers) enableRecommended;
- };
- };
in {
xvars = {
parseReferer = mkIf (anyLocations needsReferer) true;
@@ -326,21 +383,19 @@ let
proxy = mkIf (cfg.copyFromVhost != null) confCopy;
};
};
-in {
- lib,
- ...
-}: let
- inherit (lib.options) mkOption;
-in {
- options.services.nginx = with lib.types; {
- virtualHosts = mkOption {
- type = attrsOf (submodule [hostModule]);
+in
+ {lib, ...}: let
+ inherit (lib.options) mkOption;
+ in {
+ options.services.nginx = with lib.types; {
+ virtualHosts = mkOption {
+ type = attrsOf (submodule [hostModule]);
+ };
+ stream.servers = mkOption {
+ type = attrsOf (submoduleWith {
+ modules = [serverModule];
+ shorthandOnlyDefinesConfig = false;
+ });
+ };
};
- stream.servers = mkOption {
- type = attrsOf (submoduleWith {
- modules = [serverModule];
- shorthandOnlyDefinesConfig = false;
- });
- };
- };
-}
+ }
diff --git a/modules/nixos/nginx/ssl.nix b/modules/nixos/nginx/ssl.nix
index 3f170dbf..12d3b951 100644
--- a/modules/nixos/nginx/ssl.nix
+++ b/modules/nixos/nginx/ssl.nix
@@ -1,5 +1,11 @@
let
- sslModule = { config, nixosConfig, gensokyo-zone, lib, ... }: let
+ sslModule = {
+ config,
+ nixosConfig,
+ gensokyo-zone,
+ lib,
+ ...
+ }: let
inherit (lib.options) mkOption;
inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
inherit (nixosConfig.services) nginx;
@@ -12,7 +18,7 @@ let
};
force = mkOption {
# TODO: "force-nonlocal"? exceptions for tailscale?
- type = enum [ false true "only" "reject" ];
+ type = enum [false true "only" "reject"];
default = false;
};
forced = mkOption {
@@ -60,14 +66,19 @@ let
};
copyCertVhost = mkCopyCert nginx.virtualHosts.${cfg.cert.copyFromVhost}.ssl.cert;
copyCertStreamServer = mkCopyCert nginx.stream.servers.${cfg.cert.copyFromStreamServer}.ssl.cert;
- in mkMerge [
- (mkIf (cfg.cert.copyFromStreamServer != null) copyCertStreamServer)
- (mkIf (cfg.cert.copyFromVhost != null) copyCertVhost)
- ];
+ in
+ mkMerge [
+ (mkIf (cfg.cert.copyFromStreamServer != null) copyCertStreamServer)
+ (mkIf (cfg.cert.copyFromVhost != null) copyCertVhost)
+ ];
};
};
};
- sslProxyModule = { config, lib, ... }: let
+ sslProxyModule = {
+ config,
+ lib,
+ ...
+ }: let
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkMerge mkAfter;
inherit (config) proxy;
@@ -78,9 +89,11 @@ let
type = bool;
};
verify = mkEnableOption "proxy_ssl_verify";
- sni = mkEnableOption "proxy_ssl_server_name" // {
- default = cfg.host != null;
- };
+ sni =
+ mkEnableOption "proxy_ssl_server_name"
+ // {
+ default = cfg.host != null;
+ };
host = mkOption {
type = nullOr str;
default = null;
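Review bot: `verify` (L4175) defaults to off while `sni` defaults to on whenever `host` is set (L4179–L4183), so an HTTPS upstream that has a hostname configured still gets no certificate verification unless each caller opts in — and a known hostname is precisely the case where `proxy_ssl_verify` can work. If the upstreams are mostly self-signed that may be intentional, but then the option should say so; otherwise I would mirror the `sni` default: `verify = mkEnableOption "proxy_ssl_verify" // { default = cfg.host != null; };` together with a `proxy_ssl_trusted_certificate` option, since verification without a trust anchor fails. How these options are rendered into directives is outside this hunk (the `extraConfig` list starts before L4172).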
@@ -97,18 +110,26 @@ let
]);
};
};
- streamServerModule = { config, nixosConfig, gensokyo-zone, lib, ... }: let
+ streamServerModule = {
+ config,
+ nixosConfig,
+ gensokyo-zone,
+ lib,
+ ...
+ }: let
inherit (gensokyo-zone.lib) mkAlmostDefault;
inherit (lib.options) mkEnableOption;
inherit (lib.modules) mkIf mkMerge mkOptionDefault;
cfg = config.ssl;
in {
- imports = [ sslModule sslProxyModule ];
+ imports = [sslModule sslProxyModule];
options = with lib.types; {
ssl = {
- kTLS = mkEnableOption "kTLS support" // {
- default = true;
- };
+ kTLS =
+ mkEnableOption "kTLS support"
+ // {
+ default = true;
+ };
};
};
config = let
@@ -126,104 +147,124 @@ let
(mkIf cfg.kTLS "ssl_conf_command Options KTLS;")
];
confProxy.extraConfig = mkIf proxy.ssl.enable "proxy_ssl on;";
- in mkMerge [
- conf
- (mkIf cfg.enable confSsl)
- (mkIf proxy.enable confProxy)
- ];
+ in
+ mkMerge [
+ conf
+ (mkIf cfg.enable confSsl)
+ (mkIf proxy.enable confProxy)
+ ];
};
-in {
- config,
- gensokyo-zone,
- lib,
- ...
-}: let
- inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
- inherit (lib.options) mkOption mkEnableOption;
- inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
- inherit (lib.attrsets) mapAttrsToList;
- inherit (lib.trivial) warnIf;
- inherit (lib.strings) hasPrefix;
- inherit (config.services) nginx;
- forceRedirectConfig = { virtualHost, xvars }: ''
- if (${xvars.get.scheme} = http) {
- return ${toString virtualHost.redirectCode} https://${xvars.get.host}$request_uri;
- }
- '';
- locationModule = { config, virtualHost, xvars, ... }: let
- cfg = config.ssl;
- emitForce = cfg.force && !virtualHost.ssl.forced;
- in {
- imports = [ sslProxyModule ];
- options.ssl = {
- force = mkEnableOption "redirect to SSL";
+in
+ {
+ config,
+ gensokyo-zone,
+ lib,
+ ...
+ }: let
+ inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
+ inherit (lib.options) mkOption mkEnableOption;
+ inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
+ inherit (lib.attrsets) mapAttrsToList;
+ inherit (lib.trivial) warnIf;
+ inherit (lib.strings) hasPrefix;
+ inherit (config.services) nginx;
+ forceRedirectConfig = {
+ virtualHost,
+ xvars,
+ }: ''
+ if (${xvars.get.scheme} = http) {
+ return ${toString virtualHost.redirectCode} https://${xvars.get.host}$request_uri;
+ }
+ '';
+ locationModule = {
+ config,
+ virtualHost,
+ xvars,
+ ...
+ }: let
+ cfg = config.ssl;
+ emitForce = cfg.force && !virtualHost.ssl.forced;
+ in {
+ imports = [sslProxyModule];
+ options.ssl = {
+ force = mkEnableOption "redirect to SSL";
+ };
+ config = {
+ proxy.ssl.enable = mkOptionDefault (hasPrefix "https://" config.proxyPass);
+ xvars.enable = mkIf emitForce true;
+ extraConfig = mkIf emitForce (forceRedirectConfig {inherit xvars virtualHost;});
+ };
};
- config = {
- proxy.ssl.enable = mkOptionDefault (hasPrefix "https://" config.proxyPass);
- xvars.enable = mkIf emitForce true;
- extraConfig = mkIf emitForce (forceRedirectConfig { inherit xvars virtualHost; });
- };
- };
- hostModule = { config, xvars, ... }: let
- cfg = config.ssl;
- emitForce = cfg.forced && config.proxied.enabled;
- in {
- imports = [ sslModule ];
- options = with lib.types; {
- ssl = {
- cert = {
- enable = mkEnableOption "ssl cert via name.shortServer";
+ hostModule = {
+ config,
+ xvars,
+ ...
+ }: let
+ cfg = config.ssl;
+ emitForce = cfg.forced && config.proxied.enabled;
+ in {
+ imports = [sslModule];
+ options = with lib.types; {
+ ssl = {
+ cert = {
+ enable = mkEnableOption "ssl cert via name.shortServer";
+ };
+ };
+ locations = mkOption {
+ type = attrsOf (submoduleWith {
+ modules = [locationModule];
+ shorthandOnlyDefinesConfig = true;
+ });
};
};
- locations = mkOption {
- type = attrsOf (submoduleWith {
- modules = [ locationModule ];
- shorthandOnlyDefinesConfig = true;
+ config = {
+ ssl = {
+ cert = let
+ certConfig.name = mkIf cfg.cert.enable (warnIf (config.name.shortServer == null) "ssl.cert.enable set but name.shortServer is null" (
+ mkAlmostOptionDefault config.name.shortServer
+ ));
+ in
+ certConfig;
+ };
+ addSSL = mkIf (cfg.enable && (cfg.force == false || emitForce)) (mkDefault true);
+ forceSSL = mkIf (cfg.enable && cfg.force == true && !emitForce) (mkDefault true);
+ onlySSL = mkIf (cfg.enable && cfg.force == "only" && !emitForce) (mkDefault true);
+ rejectSSL = mkIf (cfg.force == "reject") (mkDefault true);
+ useACMEHost = mkAlmostOptionDefault cfg.cert.name;
+ sslCertificate = mkIf (cfg.cert.path != null) (mkAlmostOptionDefault cfg.cert.path);
+ sslCertificateKey = mkIf (cfg.cert.keyPath != null) (mkAlmostOptionDefault cfg.cert.keyPath);
+ kTLS = mkAlmostOptionDefault true;
+
+ xvars.enable = mkIf emitForce true;
+ extraConfig = mkIf emitForce (forceRedirectConfig {
+ virtualHost = config;
+ inherit xvars;
});
};
};
- config = {
- ssl = {
- cert = let
- certConfig.name = mkIf cfg.cert.enable (warnIf (config.name.shortServer == null) "ssl.cert.enable set but name.shortServer is null" (
- mkAlmostOptionDefault config.name.shortServer
- ));
- in certConfig;
+ in {
+ options.services.nginx = with lib.types; {
+ virtualHosts = mkOption {
+ type = attrsOf (submoduleWith {
+ modules = [hostModule];
+ shorthandOnlyDefinesConfig = true;
+ });
+ };
+ stream.servers = mkOption {
+ type = attrsOf (submoduleWith {
+ modules = [streamServerModule];
+ shorthandOnlyDefinesConfig = false;
+ });
};
- addSSL = mkIf (cfg.enable && (cfg.force == false || emitForce)) (mkDefault true);
- forceSSL = mkIf (cfg.enable && cfg.force == true && !emitForce) (mkDefault true);
- onlySSL = mkIf (cfg.enable && cfg.force == "only" && !emitForce) (mkDefault true);
- rejectSSL = mkIf (cfg.force == "reject") (mkDefault true);
- useACMEHost = mkAlmostOptionDefault cfg.cert.name;
- sslCertificate = mkIf (cfg.cert.path != null) (mkAlmostOptionDefault cfg.cert.path);
- sslCertificateKey = mkIf (cfg.cert.keyPath != null) (mkAlmostOptionDefault cfg.cert.keyPath);
- kTLS = mkAlmostOptionDefault true;
-
- xvars.enable = mkIf emitForce true;
- extraConfig = mkIf emitForce (forceRedirectConfig { virtualHost = config; inherit xvars; });
};
- };
-in {
- options.services.nginx = with lib.types; {
- virtualHosts = mkOption {
- type = attrsOf (submoduleWith {
- modules = [ hostModule ];
- shorthandOnlyDefinesConfig = true;
- });
- };
- stream.servers = mkOption {
- type = attrsOf (submoduleWith {
- modules = [ streamServerModule ];
- shorthandOnlyDefinesConfig = false;
- });
- };
- };
- config.systemd.services.nginx = let
- mapStreamServer = server: mkIf (server.enable && server.ssl.enable && server.ssl.cert.name != null) {
- wants = [ "acme-finished-${server.ssl.cert.name}.target" ];
- after = [ "acme-selfsigned-${server.ssl.cert.name}.service" ];
- before = [ "acme-${server.ssl.cert.name}.service" ];
- };
- streamServerCerts = mapAttrsToList (_: mapStreamServer) nginx.stream.servers;
- in mkIf nginx.enable (mkMerge streamServerCerts);
-}
+ config.systemd.services.nginx = let
+ mapStreamServer = server:
+ mkIf (server.enable && server.ssl.enable && server.ssl.cert.name != null) {
+ wants = ["acme-finished-${server.ssl.cert.name}.target"];
+ after = ["acme-selfsigned-${server.ssl.cert.name}.service"];
+ before = ["acme-${server.ssl.cert.name}.service"];
+ };
+ streamServerCerts = mapAttrsToList (_: mapStreamServer) nginx.stream.servers;
+ in
+ mkIf nginx.enable (mkMerge streamServerCerts);
+ }
diff --git a/modules/nixos/nginx/stream.nix b/modules/nixos/nginx/stream.nix
index 94ac5394..67d82d65 100644
--- a/modules/nixos/nginx/stream.nix
+++ b/modules/nixos/nginx/stream.nix
@@ -10,9 +10,11 @@
cfg = config.services.nginx.stream;
serverModule = {config, ...}: {
options = with lib.types; {
- enable = mkEnableOption "stream server block" // {
- default = true;
- };
+ enable =
+ mkEnableOption "stream server block"
+ // {
+ default = true;
+ };
extraConfig = mkOption {
type = lines;
default = "";
@@ -49,7 +51,7 @@ in {
nixosConfig = config;
};
});
- default = { };
+ default = {};
};
};
config.services.nginx = {
diff --git a/modules/nixos/nginx/upstream.nix b/modules/nixos/nginx/upstream.nix
index 72d5926d..be6450e0 100644
--- a/modules/nixos/nginx/upstream.nix
+++ b/modules/nixos/nginx/upstream.nix
@@ -1,5 +1,13 @@
let
- upstreamServerAccessModule = {config, nixosConfig, name, gensokyo-zone, lib, upstreamKind, ...}: let
+ upstreamServerAccessModule = {
+ config,
+ nixosConfig,
+ name,
+ gensokyo-zone,
+ lib,
+ upstreamKind,
+ ...
+ }: let
inherit (lib.options) mkOption;
inherit (lib.modules) mkIf mkMerge mkOptionDefault;
inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
@@ -57,12 +65,20 @@ let
port = mkOptionDefault port.port;
ssl.enable = mkIf port.ssl (mkAlmostOptionDefault true);
};
- in mkMerge [
- confAccess
- (mkIf cfg.enable conf)
- ];
+ in
+ mkMerge [
+ confAccess
+ (mkIf cfg.enable conf)
+ ];
};
- upstreamServerModule = {config, name, gensokyo-zone, lib, upstreamKind, ...}: let
+ upstreamServerModule = {
+ config,
+ name,
+ gensokyo-zone,
+ lib,
+ upstreamKind,
+ ...
+ }: let
inherit (gensokyo-zone.lib) mkAddress6;
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkMerge mkBefore mkOptionDefault;
@@ -72,9 +88,11 @@ let
inherit (lib.trivial) isBool;
in {
options = with lib.types; {
- enable = mkEnableOption "upstream server" // {
- default = true;
- };
+ enable =
+ mkEnableOption "upstream server"
+ // {
+ default = true;
+ };
addr = mkOption {
type = str;
default = name;
@@ -90,8 +108,8 @@ let
example = "unix:/tmp/backend3";
};
settings = mkOption {
- type = attrsOf (oneOf [ int str bool ]);
- default = { };
+ type = attrsOf (oneOf [int str bool]);
+ default = {};
};
extraConfig = mkOption {
type = str;
@@ -108,21 +126,30 @@ let
};
config = let
mapSetting = key: value:
- if isBool value then mkIf value key
+ if isBool value
+ then mkIf value key
else "${key}=${toString value}";
settings = mapAttrsToList mapSetting config.settings;
port = optionalString (config.port != null) ":${toString config.port}";
in {
server = mkOptionDefault "${mkAddress6 config.addr}${port}";
serverConfig = mkMerge (
- [ (mkBefore config.server) ]
+ [(mkBefore config.server)]
++ settings
++ optional (config.extraConfig != "") config.extraConfig
);
serverDirective = mkOptionDefault "server ${config.serverConfig};";
};
};
- upstreamModule = {config, name, nixosConfig, gensokyo-zone, lib, upstreamKind, ...}: let
+ upstreamModule = {
+ config,
+ name,
+ nixosConfig,
+ gensokyo-zone,
+ lib,
+ upstreamKind,
+ ...
+ }: let
inherit (gensokyo-zone.lib) mkAlmostOptionDefault unmerged;
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkMerge mkOptionDefault;
@@ -132,19 +159,21 @@ let
in {
options = with lib.types; let
upstreamServer = submoduleWith {
- modules = [ upstreamServerModule upstreamServerAccessModule ];
+ modules = [upstreamServerModule upstreamServerAccessModule];
specialArgs = {
inherit nixosConfig gensokyo-zone upstreamKind;
upstream = config;
};
};
in {
- enable = mkEnableOption "upstream block" // {
- default = true;
- };
+ enable =
+ mkEnableOption "upstream block"
+ // {
+ default = true;
+ };
name = mkOption {
type = str;
- default = replaceStrings [ "'" ] [ "_" ] name;
+ default = replaceStrings ["'"] ["_"] name;
};
servers = mkOption {
type = attrsOf upstreamServer;
@@ -183,13 +212,13 @@ let
config = let
enabledServers = filterAttrs (_: server: server.enable) config.servers;
- assertServers = v: assert enabledServers != { }; v;
+ assertServers = v: assert enabledServers != {}; v;
in {
ssl.enable = mkIf (any (server: server.ssl.enable) (attrValues enabledServers)) (mkAlmostOptionDefault true);
defaultServerName = findSingle (_: true) null null (attrNames enabledServers);
upstreamConfig = mkMerge (
mapAttrsToList (_: server: mkIf server.enable server.serverDirective) config.servers
- ++ [ config.extraConfig ]
+ ++ [config.extraConfig]
);
upstreamBlock = mkOptionDefault ''
upstream ${config.name} {
@@ -199,16 +228,28 @@ let
upstreamSettings = assertServers (mkOptionDefault {
#extraConfig = config.upstreamConfig;
extraConfig = config.extraConfig;
- servers = mapAttrs' (name: server: nameValuePair (if server.enable then server.server else "disabled_${name}") (mkIf server.enable (mkMerge [
- server.settings
- (mkIf (server.extraConfig != "") {
- ${config.extraConfig} = true;
- })
- ]))) config.servers;
+ servers = mapAttrs' (name: server:
+ nameValuePair (
+ if server.enable
+ then server.server
+ else "disabled_${name}"
+ ) (mkIf server.enable (mkMerge [
+ server.settings
+ (mkIf (server.extraConfig != "") {
+ ${config.extraConfig} = true;
+ })
+ ])))
+ config.servers;
});
};
};
- serverModule = {config, nixosConfig, gensokyo-zone, lib, ...}: let
+ serverModule = {
+ config,
+ nixosConfig,
+ gensokyo-zone,
+ lib,
+ ...
+ }: let
inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
inherit (lib.options) mkOption;
inherit (lib.modules) mkIf;
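Review bot: In `upstreamSettings.servers` the guard checks `server.extraConfig != ""` but the key it then writes is `${config.extraConfig} = true;` (L4628–L4630) — `config` here is the upstream module, so this emits the upstream's own `extraConfig` as a bare per-server flag (and an empty-string key when the upstream has none) while the server's `extraConfig` is silently dropped. This is pre-existing (the removed lines at L4617–L4619 have the same text) and not introduced by the reformat. The intended line is almost certainly `${server.extraConfig} = true;`, matching how `mapSetting` (L4538–L4542) emits boolean flags. `serverModule` (L4637) continues past the end of this hunk.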
@@ -229,7 +270,8 @@ let
dynamicUpstream = hasPrefix "$" config.proxy.upstream;
hasUpstream = config.proxy.upstream != null && !dynamicUpstream;
proxyPass =
- if dynamicUpstream then config.proxy.upstream
+ if dynamicUpstream
+ then config.proxy.upstream
else assert proxyUpstream.enable; proxyUpstream.name;
in {
proxy = {
@@ -242,7 +284,12 @@ let
};
};
};
- proxyUpstreamModule = {config, nixosConfig, lib, ...}: let
+ proxyUpstreamModule = {
+ config,
+ nixosConfig,
+ lib,
+ ...
+ }: let
inherit (lib.options) mkOption;
in {
options = with lib.types; {
@@ -253,42 +300,63 @@ let
};
};
};
- locationModule = {config, nixosConfig, virtualHost, gensokyo-zone, lib, ...}: let
+ locationModule = {
+ config,
+ nixosConfig,
+ virtualHost,
+ gensokyo-zone,
+ lib,
+ ...
+ }: let
inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
inherit (lib.modules) mkIf mkOptionDefault;
inherit (lib.strings) hasPrefix;
inherit (nixosConfig.services) nginx;
in {
- imports = [ proxyUpstreamModule ];
+ imports = [proxyUpstreamModule];
config = let
proxyUpstream = nginx.upstreams'.${config.proxy.upstream};
- proxyScheme = if config.proxy.ssl.enable then "https" else "http";
+ proxyScheme =
+ if config.proxy.ssl.enable
+ then "https"
+ else "http";
dynamicUpstream = hasPrefix "$" config.proxy.upstream;
hasUpstream = config.proxy.upstream != null && !dynamicUpstream;
proxyHost =
- if dynamicUpstream then config.proxy.upstream
+ if dynamicUpstream
+ then config.proxy.upstream
else assert proxyUpstream.enable; proxyUpstream.name;
in {
proxy = {
upstream = mkOptionDefault virtualHost.proxy.upstream;
enable = mkIf (config.proxy.upstream != null && virtualHost.proxy.upstream == null) true;
- url = mkIf (config.proxy.upstream != null) (mkAlmostOptionDefault
+ url = mkIf (config.proxy.upstream != null) (
+ mkAlmostOptionDefault
"${proxyScheme}://${proxyHost}"
);
ssl = {
- enable = mkAlmostOptionDefault (if hasUpstream then proxyUpstream.ssl.enable else false);
+ enable = mkAlmostOptionDefault (
+ if hasUpstream
+ then proxyUpstream.ssl.enable
+ else false
+ );
host = mkIf hasUpstream (mkAlmostOptionDefault proxyUpstream.ssl.host);
};
host = mkIf (hasUpstream && proxyUpstream.host != null) (mkAlmostOptionDefault proxyUpstream.host);
};
};
};
- hostModule = {config, nixosConfig, lib, ...}: let
+ hostModule = {
+ config,
+ nixosConfig,
+ lib,
+ ...
+ }: let
inherit (lib.options) mkOption;
inherit (lib.modules) mkOptionDefault;
in {
- imports = [ proxyUpstreamModule ];
+ imports = [proxyUpstreamModule];
options = with lib.types; {
locations = mkOption {
@@ -302,68 +370,76 @@ let
};
};
};
-in {
- config,
- lib,
- gensokyo-zone,
- ...
-}: let
- inherit (gensokyo-zone.lib) unmerged;
- inherit (lib.options) mkOption;
- inherit (lib.modules) mkIf mkMerge;
- inherit (lib.attrsets) mapAttrsToList;
- cfg = config.services.nginx;
-in {
- options.services.nginx = with lib.types; {
- upstreams' = mkOption {
- type = attrsOf (submoduleWith {
- modules = [upstreamModule];
- shorthandOnlyDefinesConfig = false;
- specialArgs = {
- inherit gensokyo-zone;
- nixosConfig = config;
- upstreamKind = "virtualHost";
- };
- });
- default = { };
- };
- virtualHosts = mkOption {
- type = attrsOf (submodule hostModule);
- };
- stream = {
- upstreams = mkOption {
+in
+ {
+ config,
+ lib,
+ gensokyo-zone,
+ ...
+ }: let
+ inherit (gensokyo-zone.lib) unmerged;
+ inherit (lib.options) mkOption;
+ inherit (lib.modules) mkIf mkMerge;
+ inherit (lib.attrsets) mapAttrsToList;
+ cfg = config.services.nginx;
+ in {
+ options.services.nginx = with lib.types; {
+ upstreams' = mkOption {
type = attrsOf (submoduleWith {
modules = [upstreamModule];
shorthandOnlyDefinesConfig = false;
specialArgs = {
inherit gensokyo-zone;
nixosConfig = config;
- upstreamKind = "stream";
+ upstreamKind = "virtualHost";
};
});
- default = { };
+ default = {};
};
- servers = mkOption {
- type = attrsOf (submoduleWith {
- modules = [serverModule];
- shorthandOnlyDefinesConfig = false;
- });
+ virtualHosts = mkOption {
+ type = attrsOf (submodule hostModule);
+ };
+ stream = {
+ upstreams = mkOption {
+ type = attrsOf (submoduleWith {
+ modules = [upstreamModule];
+ shorthandOnlyDefinesConfig = false;
+ specialArgs = {
+ inherit gensokyo-zone;
+ nixosConfig = config;
+ upstreamKind = "stream";
+ };
+ });
+ default = {};
+ };
+ servers = mkOption {
+ type = attrsOf (submoduleWith {
+ modules = [serverModule];
+ shorthandOnlyDefinesConfig = false;
+ });
+ };
};
};
- };
- config.services.nginx = let
- confStream.streamConfig = mkMerge (
- mapAttrsToList (_: upstream: mkIf upstream.enable upstream.upstreamBlock) cfg.stream.upstreams
- );
- useUpstreams = true;
- confUpstreams.upstreams = mkMerge (mapAttrsToList (_: upstream: mkIf upstream.enable {
- ${upstream.name} = unmerged.mergeAttrs upstream.upstreamSettings;
- }) cfg.upstreams');
- confBlock.commonHttpConfig = mkMerge (
- mapAttrsToList (_: upstream: mkIf upstream.enable upstream.upstreamBlock) cfg.upstreams'
- );
- in mkMerge [
- confStream
- (if useUpstreams then confUpstreams else confBlock)
- ];
-}
+ config.services.nginx = let
+ confStream.streamConfig = mkMerge (
+ mapAttrsToList (_: upstream: mkIf upstream.enable upstream.upstreamBlock) cfg.stream.upstreams
+ );
+ useUpstreams = true;
+ confUpstreams.upstreams = mkMerge (mapAttrsToList (_: upstream:
+ mkIf upstream.enable {
+ ${upstream.name} = unmerged.mergeAttrs upstream.upstreamSettings;
+ })
+ cfg.upstreams');
+ confBlock.commonHttpConfig = mkMerge (
+ mapAttrsToList (_: upstream: mkIf upstream.enable upstream.upstreamBlock) cfg.upstreams'
+ );
+ in
+ mkMerge [
+ confStream
+ (
+ if useUpstreams
+ then confUpstreams
+ else confBlock
+ )
+ ];
+ }
diff --git a/modules/nixos/nginx/vouch.nix b/modules/nixos/nginx/vouch.nix
index c989e63f..5490775d 100644
--- a/modules/nixos/nginx/vouch.nix
+++ b/modules/nixos/nginx/vouch.nix
@@ -13,7 +13,12 @@
inherit (config) networking;
inherit (config.services) vouch-proxy nginx tailscale;
inherit (nginx) vouch;
- locationModule = {config, virtualHost, xvars, ...}: {
+ locationModule = {
+ config,
+ virtualHost,
+ xvars,
+ ...
+ }: {
options.vouch = with lib.types; {
requireAuth = mkEnableOption "require auth to access this location";
setProxyHeader = mkOption {
@@ -26,29 +31,35 @@
enableVouchLocal = virtualHost.vouch.localSso.enable;
enableVouchTail = enableVouchLocal && tailscale.enable && false;
allowOrigin = url: "add_header Access-Control-Allow-Origin ${url};";
- in mkIf config.vouch.requireAuth {
- lua = mkIf virtualHost.vouch.auth.lua.enable {
- access.block = mkMerge [
- (mkBefore virtualHost.vouch.auth.lua.accessRequest)
- (mkBefore virtualHost.vouch.auth.lua.accessVariables)
- (mkBefore virtualHost.vouch.auth.lua.accessLogic)
- ];
+ in
+ mkIf config.vouch.requireAuth {
+ lua = mkIf virtualHost.vouch.auth.lua.enable {
+ access.block = mkMerge [
+ (mkBefore virtualHost.vouch.auth.lua.accessRequest)
+ (mkBefore virtualHost.vouch.auth.lua.accessVariables)
+ (mkBefore virtualHost.vouch.auth.lua.accessLogic)
+ ];
+ };
+ xvars.enable = mkIf (enableVouchTail || virtualHost.vouch.auth.lua.enable) true;
+ proxy.headers.set.X-Vouch-User = mkOptionDefault "$auth_resp_x_vouch_user";
+ extraConfig = assert virtualHost.vouch.enable;
+ mkMerge [
+ (mkIf (!virtualHost.vouch.requireAuth) virtualHost.vouch.auth.requestDirective)
+ (allowOrigin vouch.url)
+ (allowOrigin vouch.authUrl)
+ (mkIf enableVouchLocal (allowOrigin vouch.localUrl))
+ (mkIf enableVouchLocal (allowOrigin "sso.local.${networking.domain}"))
+ (mkIf enableVouchTail (allowOrigin "${xvars.get.scheme}://${vouch.tailDomain}"))
+ ];
};
- xvars.enable = mkIf (enableVouchTail || virtualHost.vouch.auth.lua.enable) true;
- proxy.headers.set.X-Vouch-User = mkOptionDefault "$auth_resp_x_vouch_user";
- extraConfig = assert virtualHost.vouch.enable; mkMerge [
- (mkIf (!virtualHost.vouch.requireAuth) virtualHost.vouch.auth.requestDirective)
- (allowOrigin vouch.url)
- (allowOrigin vouch.authUrl)
- (mkIf enableVouchLocal (allowOrigin vouch.localUrl))
- (mkIf enableVouchLocal (allowOrigin "sso.local.${networking.domain}"))
- (mkIf enableVouchTail (allowOrigin "${xvars.get.scheme}://${vouch.tailDomain}"))
- ];
- };
};
- hostModule = {config, xvars, ...}: let
+ hostModule = {
+ config,
+ xvars,
+ ...
+ }: let
cfg = config.vouch;
- mkHeaderVar = header: toLower (replaceStrings [ "-" ] [ "_" ] header);
+ mkHeaderVar = header: toLower (replaceStrings ["-"] ["_"] header);
mkUpstreamVar = header: "\$upstream_http_${mkHeaderVar header}";
in {
options = with lib.types; {
@@ -57,12 +68,16 @@
};
vouch = {
enable = mkEnableOption "vouch auth proxy";
- localSso.enable = mkEnableOption "lan-local vouch" // {
- default = vouch.localSso.enable && config.local.enable;
- };
- requireAuth = mkEnableOption "require auth to access this host" // {
- default = true;
- };
+ localSso.enable =
+ mkEnableOption "lan-local vouch"
+ // {
+ default = vouch.localSso.enable && config.local.enable;
+ };
+ requireAuth =
+ mkEnableOption "require auth to access this host"
+ // {
+ default = true;
+ };
auth = {
lua = {
enable = mkEnableOption "lua";
@@ -129,9 +144,12 @@
return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end
'');
- accessVariables = mkMerge (mapAttrsToList (authVar: header: mkOptionDefault
- ''ngx.var["${authVar}"] = ngx.ctx.auth_res.header["${header}"] or ""''
- ) cfg.auth.variables);
+ accessVariables = mkMerge (mapAttrsToList (
+ authVar: header:
+ mkOptionDefault
+ ''ngx.var["${authVar}"] = ngx.ctx.auth_res.header["${header}"] or ""''
+ )
+ cfg.auth.variables);
};
errorLocation = mkIf cfg.auth.lua.enable (mkAlmostOptionDefault null);
requestDirective = mkIf cfg.auth.lua.enable (mkAlmostOptionDefault "");
@@ -161,15 +179,19 @@
(mkIf cfg.localSso.enable localVouchUrl)
(mkIf (cfg.localSso.enable && tailscale.enable) tailVouchUrl)
];
- in mkIf cfg.enable (mkMerge (
- [
- (mkIf (cfg.requireAuth) (mkBefore cfg.auth.requestDirective))
- (mkIf (cfg.auth.errorLocation != null) "error_page 401 = ${cfg.auth.errorLocation};")
- ] ++ setVouchUrl
- ++ mapAttrsToList (authVar: header: mkIf (!cfg.auth.lua.enable) (
- mkBefore "auth_request_set \$${authVar} ${mkUpstreamVar header};"
- )) cfg.auth.variables
- ));
+ in
+ mkIf cfg.enable (mkMerge (
+ [
+ (mkIf (cfg.requireAuth) (mkBefore cfg.auth.requestDirective))
+ (mkIf (cfg.auth.errorLocation != null) "error_page 401 = ${cfg.auth.errorLocation};")
+ ]
+ ++ setVouchUrl
+ ++ mapAttrsToList (authVar: header:
+ mkIf (!cfg.auth.lua.enable) (
+ mkBefore "auth_request_set \$${authVar} ${mkUpstreamVar header};"
+ ))
+ cfg.auth.variables
+ ));
xvars.enable = mkIf cfg.enable true;
locations = mkIf cfg.enable {
"/" = mkIf cfg.requireAuth {
@@ -181,18 +203,30 @@
return 302 $vouch_url/login?url=${xvars.get.scheme}://${xvars.get.host}$request_uri&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
'';
};
- ${cfg.auth.requestLocation} = { config, xvars, ... }: {
+ ${cfg.auth.requestLocation} = {
+ config,
+ xvars,
+ ...
+ }: {
proxy = {
enable = true;
inheritServerDefaults = false;
upstream = mkDefault (
- if vouch.doubleProxy.enable then "vouch'proxy"
- else if cfg.localSso.enable then "vouch'auth'local"
+ if vouch.doubleProxy.enable
+ then "vouch'proxy"
+ else if cfg.localSso.enable
+ then "vouch'auth'local"
else "vouch'auth"
);
# nginx-proxied vouch must use X-Forwarded-Host, but vanilla vouch requires Host
- host = if config.proxy.upstream == "vouch'proxy"
- then (if cfg.localSso.enable then vouch.doubleProxy.localServerName else vouch.doubleProxy.serverName)
+ host =
+ if config.proxy.upstream == "vouch'proxy"
+ then
+ (
+ if cfg.localSso.enable
+ then vouch.doubleProxy.localServerName
+ else vouch.doubleProxy.serverName
+ )
else xvars.get.host;
headers = {
set.Content-Length = "";
@@ -212,9 +246,11 @@ in {
vouch = {
enable = mkEnableOption "vouch auth proxy";
localSso = {
- enable = mkEnableOption "lan-local auth" // {
- default = true;
- };
+ enable =
+ mkEnableOption "lan-local auth"
+ // {
+ default = true;
+ };
};
doubleProxy = {
enable = mkOption {
@@ -271,7 +307,7 @@ in {
enable = vouch.enable;
servers = {
local = localVouch;
- service = { upstream, ... }: {
+ service = {upstream, ...}: {
enable = mkIf upstream.servers.local.enable false;
accessService = {
name = "vouch-proxy";
@@ -283,10 +319,12 @@ in {
vouch'auth'local = {
enable = vouch.enable && vouch.localSso.enable;
servers = {
- local = localVouch // {
- enable = mkAlmostOptionDefault false;
- };
- service = { upstream, ... }: {
+ local =
+ localVouch
+ // {
+ enable = mkAlmostOptionDefault false;
+ };
+ service = {upstream, ...}: {
enable = mkIf upstream.servers.local.enable false;
accessService = {
name = "vouch-proxy";
@@ -299,18 +337,18 @@ in {
enable = vouch.enable && vouch.doubleProxy.enable;
# TODO: need exported hosts options for this to detect the correct host/port/etc
servers = {
- lan = { upstream, ... }: {
+ lan = {upstream, ...}: {
enable = mkAlmostOptionDefault (!upstream.servers.int.enable);
addr = mkAlmostOptionDefault "login.local.${networking.domain}";
port = mkOptionDefault 9080;
ssl.enable = mkAlmostOptionDefault true;
};
- int = { upstream, ... }: {
+ int = {upstream, ...}: {
enable = mkAlmostOptionDefault system.network.networks.int.enable or false;
addr = mkAlmostOptionDefault "login.int.${networking.domain}";
port = mkOptionDefault 9080;
};
- tail = { upstream, ... }: {
+ tail = {upstream, ...}: {
enable = mkAlmostOptionDefault (tailscale.enable && !upstream.servers.lan.enable && !upstream.servers.int.enable);
addr = mkAlmostOptionDefault "login.tail.${networking.domain}";
port = mkOptionDefault 9080;
diff --git a/modules/nixos/nginx/xvars.nix b/modules/nixos/nginx/xvars.nix
index 8cb20f6b..964efa88 100644
--- a/modules/nixos/nginx/xvars.nix
+++ b/modules/nixos/nginx/xvars.nix
@@ -1,5 +1,10 @@
let
- locationModule = { config, virtualHost, lib, ... }: let
+ locationModule = {
+ config,
+ virtualHost,
+ lib,
+ ...
+ }: let
inherit (lib.options) mkEnableOption mkOption;
inherit (lib.attrsets) mapAttrs;
cfg = config.xvars;
@@ -8,7 +13,7 @@ let
enable = mkEnableOption "$x_variables";
defaults = mkOption {
type = attrsOf (nullOr str);
- default = { };
+ default = {};
};
lib = mkOption {
type = attrs;
@@ -18,15 +23,28 @@ let
xvars = {
lib = let
xvars = virtualHost.xvars.lib;
- get = mapAttrs (name: default: if virtualHost.xvars.enable then "$x_${name}" else assert default != null; default) cfg.defaults;
- in xvars // {
- get = xvars.get // get;
- };
+ get = mapAttrs (name: default:
+ if virtualHost.xvars.enable
+ then "$x_${name}"
+ else assert default != null; default)
+ cfg.defaults;
+ in
+ xvars
+ // {
+ get = xvars.get // get;
+ };
};
_module.args.xvars = config.xvars.lib;
};
};
- hostModule = { config, nixosConfig, gensokyo-zone, xvars, lib, ... }: let
+ hostModule = {
+ config,
+ nixosConfig,
+ gensokyo-zone,
+ xvars,
+ lib,
+ ...
+ }: let
inherit (gensokyo-zone.lib) mkJustBefore;
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkMerge mkOptionDefault;
@@ -36,11 +54,16 @@ let
inherit (lib.trivial) isInt;
cfg = config.xvars;
escapeString = value:
- if value == "" then ''""''
- else if isInt value then toString value
- else if hasPrefix ''"'' value || hasPrefix "'" value then value # already escaped, may include trailing arguments
- else if hasInfix ''"'' value then "'${value}'"
- else if hasInfix " " value || hasInfix ";" value || hasInfix "'" value then ''"${value}"''
+ if value == ""
+ then ''""''
+ else if isInt value
+ then toString value
+ else if hasPrefix ''"'' value || hasPrefix "'" value
+ then value # already escaped, may include trailing arguments
+ else if hasInfix ''"'' value
+ then "'${value}'"
+ else if hasInfix " " value || hasInfix ";" value || hasInfix "'" value
+ then ''"${value}"''
else value;
anyLocations = f: any (loc: loc.enable && f loc) (attrValues config.locations);
in {
@@ -66,7 +89,7 @@ let
};
locations = mkOption {
type = attrsOf (submoduleWith {
- modules = [ locationModule ];
+ modules = [locationModule];
shorthandOnlyDefinesConfig = true;
specialArgs = {
inherit nixosConfig gensokyo-zone;
@@ -99,7 +122,11 @@ let
referer_path = null;
});
lib = {
- get = mapAttrs (name: default: if cfg.enable then "$x_${name}" else assert default != null; default) cfg.defaults;
+ get = mapAttrs (name: default:
+ if cfg.enable
+ then "$x_${name}"
+ else assert default != null; default)
+ cfg.defaults;
init = name: value: assert cfg.enable && cfg.defaults ? ${name}; "set $x_${name} ${escapeString value};";
inherit escapeString;
};
@@ -111,24 +138,25 @@ let
_module.args.xvars = config.xvars.lib;
};
};
-in {
- config,
- lib,
- gensokyo-zone,
- ...
-}: let
- inherit (lib.options) mkOption;
-in {
- options = with lib.types; {
- services.nginx.virtualHosts = mkOption {
- type = attrsOf (submoduleWith {
- modules = [ hostModule ];
- shorthandOnlyDefinesConfig = true;
- specialArgs = {
- inherit gensokyo-zone;
- nixosConfig = config;
- };
- });
+in
+ {
+ config,
+ lib,
+ gensokyo-zone,
+ ...
+ }: let
+ inherit (lib.options) mkOption;
+ in {
+ options = with lib.types; {
+ services.nginx.virtualHosts = mkOption {
+ type = attrsOf (submoduleWith {
+ modules = [hostModule];
+ shorthandOnlyDefinesConfig = true;
+ specialArgs = {
+ inherit gensokyo-zone;
+ nixosConfig = config;
+ };
+ });
+ };
};
- };
-}
+ }
diff --git a/modules/nixos/postgres.nix b/modules/nixos/postgres.nix
index 9a63262a..6bbc22fa 100644
--- a/modules/nixos/postgres.nix
+++ b/modules/nixos/postgres.nix
@@ -40,9 +40,11 @@
allow = mkEnableOption "tailscale TCP connections";
};
int = {
- allow = mkEnableOption "internal TCP connections" // {
- default = config.authentication.local.allow;
- };
+ allow =
+ mkEnableOption "internal TCP connections"
+ // {
+ default = config.authentication.local.allow;
+ };
};
local = {
allow = mkEnableOption "local TCP connections";
diff --git a/modules/nixos/samba.nix b/modules/nixos/samba.nix
index da45fa5d..3929574b 100644
--- a/modules/nixos/samba.nix
+++ b/modules/nixos/samba.nix
@@ -45,28 +45,32 @@ in {
};
netbiosHostAddresses = mkOption {
type = attrsOf (listOf str);
- default = { };
+ default = {};
};
lmhosts = mkOption {
type = attrsOf str;
- default = { };
+ default = {};
};
};
ldap = {
enable = mkEnableOption "LDAP";
passdb = {
- enable = mkEnableOption "LDAP authentication" // {
- default = true;
- };
+ enable =
+ mkEnableOption "LDAP authentication"
+ // {
+ default = true;
+ };
backend = mkOption {
- type = enum [ "ldapsam" "ipasam" ];
+ type = enum ["ldapsam" "ipasam"];
default = "ldapsam";
};
};
idmap = {
- enable = mkEnableOption "LDAP users" // {
- default = true;
- };
+ enable =
+ mkEnableOption "LDAP users"
+ // {
+ default = true;
+ };
domain = mkOption {
type = str;
default = "*";
@@ -98,12 +102,16 @@ in {
};
};
tls = {
- enable = mkEnableOption "tls" // {
- default = cfg.tls.certPath != null;
- };
- peer.enable = mkEnableOption "peer verification" // {
- default = cfg.tls.caPath != null;
- };
+ enable =
+ mkEnableOption "tls"
+ // {
+ default = cfg.tls.certPath != null;
+ };
+ peer.enable =
+ mkEnableOption "peer verification"
+ // {
+ default = cfg.tls.caPath != null;
+ };
useACMECert = mkOption {
type = nullOr str;
default = null;
@@ -212,19 +220,30 @@ in {
config = {
services.samba = {
package = mkIf cfg.ldap.enable (mkAlmostOptionDefault (
- if cfg.ldap.passdb.enable && cfg.ldap.passdb.backend == "ipasam" then pkgs.samba-ipa else pkgs.samba-ldap
+ if cfg.ldap.passdb.enable && cfg.ldap.passdb.backend == "ipasam"
+ then pkgs.samba-ipa
+ else pkgs.samba-ldap
));
domain = {
isWorkgroup = mkOptionDefault (cfg.securityType != "domain" && cfg.securityType != "ads");
netbiosName' = let
- name = if cfg.domain.netbiosName != null then cfg.domain.netbiosName else config.networking.hostName;
- in mkOptionDefault (if cfg.domain.isWorkgroup then toUpper name else name);
+ name =
+ if cfg.domain.netbiosName != null
+ then cfg.domain.netbiosName
+ else config.networking.hostName;
+ in
+ mkOptionDefault (
+ if cfg.domain.isWorkgroup
+ then toUpper name
+ else name
+ );
netbiosHostAddresses = mkIf (cfg.domain.netbiosName != null) {
- ${cfg.domain.netbiosName'} = [ "127.0.0.1" "::1" ];
+ ${cfg.domain.netbiosName'} = ["127.0.0.1" "::1"];
};
lmhosts = let
addrs = mapAttrsToList (name: map (flip nameValuePair name)) cfg.domain.netbiosHostAddresses;
- in listToAttrs (concatLists addrs);
+ in
+ listToAttrs (concatLists addrs);
};
ldap = {
adminPasswordPath = mkIf (cfg.ldap.adminDn != null && hasPrefix "name=anonymous," cfg.ldap.adminDn) (mkAlmostOptionDefault (
@@ -251,58 +270,61 @@ in {
})
];
settings = mkMerge ([
- {
- "use sendfile" = mkOptionDefault true;
- "mdns name" = mkOptionDefault "mdns";
- "name resolve order" = mkOptionDefault [ "lmhosts" "host" "bcast" ];
- workgroup = mkIf (cfg.domain.name != null) (mkOptionDefault cfg.domain.name);
- "netbios name" = mkIf (cfg.domain.netbiosName != null) (mkOptionDefault cfg.domain.netbiosName);
- }
- (mkIf (cfg.passdb.smbpasswd.path != null) {
- "passdb backend" = mkOptionDefault "smbpasswd:${cfg.passdb.smbpasswd.path}";
- })
- (mkIf cfg.ldap.enable {
- "ldap ssl" = mkIf (hasPrefix "ldaps://" cfg.ldap.url) (mkOptionDefault "off");
- "ldap admin dn" = mkIf (cfg.ldap.adminDn != null) (mkOptionDefault cfg.ldap.adminDn);
- "ldap suffix" = mkOptionDefault cfg.ldap.baseDn;
- })
- (mkIf cfg.kerberos.enable {
- "realm" = mkOptionDefault cfg.kerberos.realm;
- "kerberos method" = mkOptionDefault (
- if cfg.kerberos.keytabPath != null then "dedicated keytab"
- else "system keytab"
- );
- "dedicated keytab file" = mkIf (cfg.kerberos.keytabPath != null) (mkOptionDefault
- "FILE:${cfg.kerberos.keytabPath}"
- );
- "kerberos encryption types" = mkOptionDefault "strong";
- "create krb5 conf" = mkOptionDefault false;
- })
- (mkIf cfg.enableWinbindd {
- "winbind nss info" = mkOptionDefault "rfc2307";
- "winbind use default domain" = mkOptionDefault true;
- })
- (mkIf cfg.tls.enable {
- "tls enabled" = mkOptionDefault true;
- "tls verify peer" = mkIf cfg.tls.peer.enable (mkOptionDefault "ca_and_name_if_available");
- "tls certfile" = mkIf (cfg.tls.certPath != null) (mkOptionDefault cfg.tls.certPath);
- "tls keyfile" = mkIf (cfg.tls.keyPath != null) (mkOptionDefault cfg.tls.keyPath);
- "tls cafile" = mkIf (cfg.tls.caPath != null) (mkOptionDefault cfg.tls.caPath);
- "tls crlfile" = mkIf (cfg.tls.crlPath != null) (mkOptionDefault cfg.tls.crlPath);
- })
- (mkIf cfg.usershare.enable {
- "usershare allow guests" = mkOptionDefault true;
- "usershare max shares" = mkOptionDefault 16;
- "usershare owner only" = mkOptionDefault true;
- "usershare template share" = mkOptionDefault cfg.usershare.templateShare;
- "usershare path" = mkOptionDefault cfg.usershare.path;
- "usershare prefix allow list" = mkOptionDefault [ cfg.usershare.path ];
- })
- (mkIf cfg.guest.enable {
- "map to guest" = mkOptionDefault "Bad User";
- "guest account" = mkOptionDefault cfg.guest.user;
- })
- ] ++ mapAttrsToList (_: idmap: mapAttrs' (key: value: nameValuePair "idmap config ${idmap.domain} : ${key}" (mkOptionDefault value)) idmap.settings) cfg.idmap.domains);
+ {
+ "use sendfile" = mkOptionDefault true;
+ "mdns name" = mkOptionDefault "mdns";
+ "name resolve order" = mkOptionDefault ["lmhosts" "host" "bcast"];
+ workgroup = mkIf (cfg.domain.name != null) (mkOptionDefault cfg.domain.name);
+ "netbios name" = mkIf (cfg.domain.netbiosName != null) (mkOptionDefault cfg.domain.netbiosName);
+ }
+ (mkIf (cfg.passdb.smbpasswd.path != null) {
+ "passdb backend" = mkOptionDefault "smbpasswd:${cfg.passdb.smbpasswd.path}";
+ })
+ (mkIf cfg.ldap.enable {
+ "ldap ssl" = mkIf (hasPrefix "ldaps://" cfg.ldap.url) (mkOptionDefault "off");
+ "ldap admin dn" = mkIf (cfg.ldap.adminDn != null) (mkOptionDefault cfg.ldap.adminDn);
+ "ldap suffix" = mkOptionDefault cfg.ldap.baseDn;
+ })
+ (mkIf cfg.kerberos.enable {
+ "realm" = mkOptionDefault cfg.kerberos.realm;
+ "kerberos method" = mkOptionDefault (
+ if cfg.kerberos.keytabPath != null
+ then "dedicated keytab"
+ else "system keytab"
+ );
+ "dedicated keytab file" = mkIf (cfg.kerberos.keytabPath != null) (
+ mkOptionDefault
+ "FILE:${cfg.kerberos.keytabPath}"
+ );
+ "kerberos encryption types" = mkOptionDefault "strong";
+ "create krb5 conf" = mkOptionDefault false;
+ })
+ (mkIf cfg.enableWinbindd {
+ "winbind nss info" = mkOptionDefault "rfc2307";
+ "winbind use default domain" = mkOptionDefault true;
+ })
+ (mkIf cfg.tls.enable {
+ "tls enabled" = mkOptionDefault true;
+ "tls verify peer" = mkIf cfg.tls.peer.enable (mkOptionDefault "ca_and_name_if_available");
+ "tls certfile" = mkIf (cfg.tls.certPath != null) (mkOptionDefault cfg.tls.certPath);
+ "tls keyfile" = mkIf (cfg.tls.keyPath != null) (mkOptionDefault cfg.tls.keyPath);
+ "tls cafile" = mkIf (cfg.tls.caPath != null) (mkOptionDefault cfg.tls.caPath);
+ "tls crlfile" = mkIf (cfg.tls.crlPath != null) (mkOptionDefault cfg.tls.crlPath);
+ })
+ (mkIf cfg.usershare.enable {
+ "usershare allow guests" = mkOptionDefault true;
+ "usershare max shares" = mkOptionDefault 16;
+ "usershare owner only" = mkOptionDefault true;
+ "usershare template share" = mkOptionDefault cfg.usershare.templateShare;
+ "usershare path" = mkOptionDefault cfg.usershare.path;
+ "usershare prefix allow list" = mkOptionDefault [cfg.usershare.path];
+ })
+ (mkIf cfg.guest.enable {
+ "map to guest" = mkOptionDefault "Bad User";
+ "guest account" = mkOptionDefault cfg.guest.user;
+ })
+ ]
+ ++ mapAttrsToList (_: idmap: mapAttrs' (key: value: nameValuePair "idmap config ${idmap.domain} : ${key}" (mkOptionDefault value)) idmap.settings) cfg.idmap.domains);
extraConfig = mkMerge (
mapAttrsToList (key: value: ''${key} = ${settingValue value}'') cfg.settings
++ [
@@ -340,11 +362,11 @@ in {
];
networking.hosts = mkIf (cfg.enable && cfg.domain.netbiosName != null) {
- "::1" = mkAfter [ cfg.domain.netbiosName' ];
+ "::1" = mkAfter [cfg.domain.netbiosName'];
# not a typo...
- "127.0.0.2" = mkAfter [ cfg.domain.netbiosName' ];
+ "127.0.0.2" = mkAfter [cfg.domain.netbiosName'];
};
- environment.etc."samba/lmhosts" = mkIf (cfg.enable && cfg.domain.lmhosts != { }) {
+ environment.etc."samba/lmhosts" = mkIf (cfg.enable && cfg.domain.lmhosts != {}) {
text = mkMerge (
mapAttrsToList (address: name: "${address} ${name}") cfg.domain.lmhosts
);
diff --git a/modules/nixos/shared.nix b/modules/nixos/shared.nix
index 9f822aa6..553c7035 100644
--- a/modules/nixos/shared.nix
+++ b/modules/nixos/shared.nix
@@ -1,11 +1,20 @@
-{ config, lib, utils, ... }: let
+{
+ config,
+ lib,
+ utils,
+ ...
+}: let
inherit (lib.options) mkOption;
inherit (lib.modules) mkIf mkMerge mkOptionDefault;
inherit (lib.attrsets) mapAttrsToList;
inherit (lib.lists) head;
inherit (lib.strings) splitString;
inherit (utils) escapeSystemdPath;
- mountModule = { config, name, ... }: {
+ mountModule = {
+ config,
+ name,
+ ...
+ }: {
options = with lib.types; {
source = mkOption {
type = path;
@@ -32,23 +41,38 @@
};
};
};
- mkMountType' = { rootDir, specialArgs, modules ? [ ] }: let
- rootDirModule = { ... }: {
+ mkMountType' = {
+ rootDir,
+ specialArgs,
+ modules ? [],
+ }: let
+ rootDirModule = {...}: {
config.rootDir = mkOptionDefault rootDir;
};
- in lib.types.submoduleWith {
- modules = [ mountModule rootDirModule ] ++ modules;
- inherit specialArgs;
- };
- mkMountType = args: with lib.types; coercedTo path (path: { path = mkOptionDefault path; }) (mkMountType' args);
- serviceModule = { config, nixosConfig, ... }: let
+ in
+ lib.types.submoduleWith {
+ modules = [mountModule rootDirModule] ++ modules;
+ inherit specialArgs;
+ };
+ mkMountType = args: with lib.types; coercedTo path (path: {path = mkOptionDefault path;}) (mkMountType' args);
+ serviceModule = {
+ config,
+ nixosConfig,
+ ...
+ }: let
cfg = config.gensokyo-zone;
- mapSharedMounts = f: mapAttrsToList (_: target:
- f target
- ) cfg.sharedMounts;
- mapCacheMounts = f: mapAttrsToList (_: target:
- f target
- ) cfg.cacheMounts;
+ mapSharedMounts = f:
+ mapAttrsToList (
+ _: target:
+ f target
+ )
+ cfg.sharedMounts;
+ mapCacheMounts = f:
+ mapAttrsToList (
+ _: target:
+ f target
+ )
+ cfg.cacheMounts;
mkRequire = mount: mount.mountUnit;
mkBindPath = mount: "${mount.source}:${mount.path}";
specialArgs = {
@@ -56,28 +80,34 @@
inherit nixosConfig;
};
mountUnits = mkMerge [
- (mkIf (cfg.sharedMounts != { }) (mapSharedMounts mkRequire))
- (mkIf (cfg.cacheMounts != { }) (mapCacheMounts mkRequire))
+ (mkIf (cfg.sharedMounts != {}) (mapSharedMounts mkRequire))
+ (mkIf (cfg.cacheMounts != {}) (mapCacheMounts mkRequire))
];
in {
options.gensokyo-zone = with lib.types; {
sharedMounts = mkOption {
- type = attrsOf (mkMountType { rootDir = "/mnt/shared"; inherit specialArgs; });
- default = { };
+ type = attrsOf (mkMountType {
+ rootDir = "/mnt/shared";
+ inherit specialArgs;
+ });
+ default = {};
};
cacheMounts = mkOption {
- type = attrsOf (mkMountType { rootDir = "/mnt/caches"; inherit specialArgs; });
- default = { };
+ type = attrsOf (mkMountType {
+ rootDir = "/mnt/caches";
+ inherit specialArgs;
+ });
+ default = {};
};
};
config = {
requires = mountUnits;
after = mountUnits;
serviceConfig = mkMerge [
- (mkIf (cfg.sharedMounts != { }) {
+ (mkIf (cfg.sharedMounts != {}) {
BindPaths = mapSharedMounts mkBindPath;
})
- (mkIf (cfg.cacheMounts != { }) {
+ (mkIf (cfg.cacheMounts != {}) {
BindPaths = mapCacheMounts mkBindPath;
})
];
@@ -87,7 +117,7 @@ in {
options = with lib.types; {
systemd.services = mkOption {
type = attrsOf (submoduleWith {
- modules = [ serviceModule ];
+ modules = [serviceModule];
shorthandOnlyDefinesConfig = true;
specialArgs = {
nixosConfig = config;
diff --git a/modules/nixos/sssd/genso.nix b/modules/nixos/sssd/genso.nix
index 6e5da5e3..4212a737 100644
--- a/modules/nixos/sssd/genso.nix
+++ b/modules/nixos/sssd/genso.nix
@@ -1,4 +1,10 @@
-{ gensokyo-zone, pkgs, config, lib, ... }: let
+{
+ gensokyo-zone,
+ pkgs,
+ config,
+ lib,
+ ...
+}: let
inherit (gensokyo-zone.lib) mkAlmostOptionDefault mapOptionDefaults mapAlmostOptionDefaults mapDefaults;
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkMerge mkAfter mkDefault mkOptionDefault;
@@ -6,7 +12,7 @@
inherit (config.services) sssd;
genso = krb5.gensokyo-zone;
cfg = sssd.gensokyo-zone;
- serverModule = { config, ... }: {
+ serverModule = {config, ...}: {
options = with lib.types; {
servers = mkOption {
type = nullOr (listOf str);
@@ -14,14 +20,14 @@
};
backups = mkOption {
type = listOf str;
- default = [ ];
+ default = [];
};
serverName = mkOption {
type = str;
internal = true;
};
serverKind = mkOption {
- type = enum [ "server" "uri" ];
+ type = enum ["server" "uri"];
default = "server";
internal = true;
};
@@ -35,35 +41,42 @@
in {
settings = {
${key} = mkIf (config.servers != null) (mkOptionDefault config.servers);
- ${keyBackups} = mkIf (config.backups != [ ]) (mkOptionDefault config.backups);
+ ${keyBackups} = mkIf (config.backups != []) (mkOptionDefault config.backups);
};
};
};
- mkServerType = { modules }: lib.types.submoduleWith {
- modules = [ serverModule ] ++ modules;
- specialArgs = {
- inherit gensokyo-zone pkgs;
- nixosConfig = config;
+ mkServerType = {modules}:
+ lib.types.submoduleWith {
+ modules = [serverModule] ++ modules;
+ specialArgs = {
+ inherit gensokyo-zone pkgs;
+ nixosConfig = config;
+ };
};
- };
- mkServerOption = { name, kind ? "server" }: let
- serverInfoModule = { ... }: {
+ mkServerOption = {
+ name,
+ kind ? "server",
+ }: let
+ serverInfoModule = {...}: {
config = {
serverName = mkOptionDefault name;
serverKind = mkAlmostOptionDefault kind;
};
};
- in mkOption {
- type = mkServerType {
- modules = [ serverInfoModule ];
+ in
+ mkOption {
+ type = mkServerType {
+ modules = [serverInfoModule];
+ };
+ default = {};
};
- default = { };
- };
in {
options.services.sssd.gensokyo-zone = with lib.types; {
- enable = mkEnableOption "realm" // {
- default = genso.enable;
- };
+ enable =
+ mkEnableOption "realm"
+ // {
+ default = genso.enable;
+ };
ldap = {
bind = {
passwordFile = mkOption {
@@ -71,24 +84,29 @@ in {
default = null;
};
};
- uris = mkServerOption { name = "ldap"; kind = "uri"; };
+ uris = mkServerOption {
+ name = "ldap";
+ kind = "uri";
+ };
};
krb5 = {
- servers = mkServerOption { name = "krb5"; };
+ servers = mkServerOption {name = "krb5";};
};
ipa = {
- servers = mkServerOption { name = "ipa"; } // {
- default = {
- inherit (cfg.krb5.servers) servers backups;
+ servers =
+ mkServerOption {name = "ipa";}
+ // {
+ default = {
+ inherit (cfg.krb5.servers) servers backups;
+ };
};
- };
hostName = mkOption {
type = str;
default = config.networking.fqdn;
};
};
backend = mkOption {
- type = enum [ "ldap" "ipa" ];
+ type = enum ["ldap" "ipa"];
default = "ipa";
};
};
@@ -97,24 +115,26 @@ in {
# or "ipaNTSecurityIdentifier" which isn't set for most groups, maybe check netgroups..?
objectsid = "sambaSID";
backendDomainSettings = {
- ldap = mapDefaults {
- id_provider = "ldap";
- auth_provider = "krb5";
- access_provider = "ldap";
- ldap_tls_cacert = "/etc/ssl/certs/ca-bundle.crt";
- } // mapOptionDefaults {
- ldap_access_order = [ "host" ];
- ldap_schema = "IPA";
- ldap_default_bind_dn = genso.ldap.bind.dn;
- ldap_search_base = genso.ldap.baseDn;
- ldap_user_search_base = "cn=users,cn=accounts,${genso.ldap.baseDn}";
- ldap_group_search_base = "cn=groups,cn=accounts,${genso.ldap.baseDn}";
- ldap_user_uuid = "ipaUniqueID";
- ldap_user_ssh_public_key = "ipaSshPubKey";
- ldap_user_objectsid = objectsid;
- ldap_group_uuid = "ipaUniqueID";
- ldap_group_objectsid = objectsid;
- };
+ ldap =
+ mapDefaults {
+ id_provider = "ldap";
+ auth_provider = "krb5";
+ access_provider = "ldap";
+ ldap_tls_cacert = "/etc/ssl/certs/ca-bundle.crt";
+ }
+ // mapOptionDefaults {
+ ldap_access_order = ["host"];
+ ldap_schema = "IPA";
+ ldap_default_bind_dn = genso.ldap.bind.dn;
+ ldap_search_base = genso.ldap.baseDn;
+ ldap_user_search_base = "cn=users,cn=accounts,${genso.ldap.baseDn}";
+ ldap_group_search_base = "cn=groups,cn=accounts,${genso.ldap.baseDn}";
+ ldap_user_uuid = "ipaUniqueID";
+ ldap_user_ssh_public_key = "ipaSshPubKey";
+ ldap_user_objectsid = objectsid;
+ ldap_group_uuid = "ipaUniqueID";
+ ldap_group_objectsid = objectsid;
+ };
ipa = mapOptionDefaults {
id_provider = "ipa";
auth_provider = "ipa";
@@ -124,26 +144,28 @@ in {
dyndns_iface = ipa.dyndns.interface;
};
};
- domainSettings = mapAlmostOptionDefaults {
- ipa_hostname = cfg.ipa.hostName;
- } // mapOptionDefaults {
- enumerate = true;
- ipa_domain = genso.domain;
- krb5_realm = genso.realm;
- cache_credentials = ipa.cacheCredentials;
- krb5_store_password_if_offline = ipa.offlinePasswords;
- #min_id = 8000;
- #max_id = 8999;
- };
+ domainSettings =
+ mapAlmostOptionDefaults {
+ ipa_hostname = cfg.ipa.hostName;
+ }
+ // mapOptionDefaults {
+ enumerate = true;
+ ipa_domain = genso.domain;
+ krb5_realm = genso.realm;
+ cache_credentials = ipa.cacheCredentials;
+ krb5_store_password_if_offline = ipa.offlinePasswords;
+ #min_id = 8000;
+ #max_id = 8999;
+ };
in {
gensokyo-zone = {
krb5.servers.servers = mkMerge [
- [ genso.host ]
- (mkAfter [ "_srv" genso.canonHost ])
+ [genso.host]
+ (mkAfter ["_srv" genso.canonHost])
];
ldap.uris = {
servers = mkMerge [
- (mkAfter [ "_srv" ])
+ (mkAfter ["_srv"])
genso.ldap.urls
];
};
@@ -191,4 +213,3 @@ in {
};
};
}
-
diff --git a/modules/nixos/sssd/pam.nix b/modules/nixos/sssd/pam.nix
index 94d77fa0..cda0df2a 100644
--- a/modules/nixos/sssd/pam.nix
+++ b/modules/nixos/sssd/pam.nix
@@ -9,8 +9,8 @@
inherit (lib.modules) mkIf;
inherit (lib.attrsets) genAttrs;
cfg = config.services.sssd;
- pamRulesModule = { ... }: let
- rules = [ "account" "auth" "password" "session" ];
+ pamRulesModule = {...}: let
+ rules = ["account" "auth" "password" "session"];
mkRuleConfig = ruleName: {
sss = mkIf cfg.enable {
enable = mkIf (!cfg.services.pam.enable) (mkAlmostForce false);
@@ -19,7 +19,7 @@
in {
config = genAttrs rules mkRuleConfig;
};
- pamServiceModule = { ... }: {
+ pamServiceModule = {...}: {
options = with lib.types; {
rules = mkOption {
type = submodule pamRulesModule;
diff --git a/modules/nixos/sssd/sssd.nix b/modules/nixos/sssd/sssd.nix
index 534d12ae..e8802be3 100644
--- a/modules/nixos/sssd/sssd.nix
+++ b/modules/nixos/sssd/sssd.nix
@@ -15,20 +15,23 @@
inherit (lib) generators;
cfg = config.services.sssd;
mkValuePrimitive = value:
- if value == true then "True"
- else if value == false then "False"
+ if value == true
+ then "True"
+ else if value == false
+ then "False"
else toString value;
toINI = generators.toINI {
mkKeyValue = generators.mkKeyValueDefault {
mkValueString = value:
- if isList value then concatMapStringsSep ", " mkValuePrimitive value
+ if isList value
+ then concatMapStringsSep ", " mkValuePrimitive value
else mkValuePrimitive value;
} " = ";
};
- primitiveType = with lib.types; oneOf [ str int bool ];
- valueType = with lib.types; oneOf [ primitiveType (listOf primitiveType) ];
+ primitiveType = with lib.types; oneOf [str int bool];
+ valueType = with lib.types; oneOf [primitiveType (listOf primitiveType)];
settingsType = lib.types.attrsOf valueType;
- serviceModule = { name, ... }: {
+ serviceModule = {name, ...}: {
options = with lib.types; {
enable = mkEnableOption "${name} service";
name = mkOption {
@@ -38,22 +41,24 @@
};
settings = mkOption {
type = settingsType;
- default = { };
+ default = {};
};
};
};
- nssModule = { nixosConfig, ... }: {
+ nssModule = {nixosConfig, ...}: {
options = {
# TODO: passwd.enable = mkEnableOption "passwd" // { default = true; };
- shadow.enable = mkEnableOption "shadow" // { default = nixosConfig.services.sssd.services.pam.enable; };
- netgroup.enable = mkEnableOption "netgroup" // { default = true; };
+ shadow.enable = mkEnableOption "shadow" // {default = nixosConfig.services.sssd.services.pam.enable;};
+ netgroup.enable = mkEnableOption "netgroup" // {default = true;};
};
};
- domainModule = { name, ... }: {
+ domainModule = {name, ...}: {
options = with lib.types; {
- enable = mkEnableOption "domain" // {
- default = true;
- };
+ enable =
+ mkEnableOption "domain"
+ // {
+ default = true;
+ };
domain = mkOption {
type = str;
default = name;
@@ -63,17 +68,17 @@
};
};
};
- domainLdapModule = { config, ... }: let
+ domainLdapModule = {config, ...}: let
cfg = config.ldap;
in {
options.ldap = with lib.types; {
extraAttrs.user = mkOption {
type = attrsOf str;
- default = { };
+ default = {};
};
authtok = {
type = mkOption {
- type = enum [ "password" "obfuscated_password" ];
+ type = enum ["password" "obfuscated_password"];
default = "password";
};
password = mkOption {
@@ -87,7 +92,7 @@
passwordVar = mkOption {
type = str;
internal = true;
- default = "SSSD_AUTHTOK_" + replaceStrings [ "-" "." ] [ "_" "_" ] (toUpper config.domain);
+ default = "SSSD_AUTHTOK_" + replaceStrings ["-" "."] ["_" "_"] (toUpper config.domain);
};
};
};
@@ -95,14 +100,16 @@
authtokConfig = mkIf (cfg.authtok.password != null || cfg.authtok.passwordFile != null) {
ldap_default_authtok_type = mkOptionDefault cfg.authtok.type;
ldap_default_authtok = mkOptionDefault (
- if cfg.authtok.passwordFile != null then "\$${cfg.authtok.passwordVar}"
+ if cfg.authtok.passwordFile != null
+ then "\$${cfg.authtok.passwordVar}"
else cfg.authtok.password
);
};
- extraAttrsConfig = mkIf (cfg.extraAttrs.user != { }) {
+ extraAttrsConfig = mkIf (cfg.extraAttrs.user != {}) {
ldap_user_extra_attrs = let
mkAttr = name: attr: "${name}:${attr}";
- in mapAttrsToList mkAttr cfg.extraAttrs.user;
+ in
+ mapAttrsToList mkAttr cfg.extraAttrs.user;
};
in {
settings = mkMerge [
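Review bot: When `authtok.passwordFile` is unset, `ldap_default_authtok` is rendered with the literal `cfg.authtok.password`, so the secret is embedded in the generated sssd.conf text (it flows through `toINI cfg.settings` into `configText` later in this file); if that text ends up as a Nix store path it is world-readable, and the reformat leaves this unaddressed. The `passwordFile` branch already avoids it by emitting only the `$SSSD_AUTHTOK_<DOMAIN>` placeholder for runtime substitution, so the `password` option deserves a comment steering users away from it: `# NOTE: a literal password is written into the rendered sssd.conf; prefer passwordFile so only the $SSSD_AUTHTOK_* placeholder lands in the config.` The enclosing domainLdapModule let-block starts outside this hunk.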
@@ -119,7 +126,7 @@ in {
};
domains = mkOption {
type = attrsOf (submoduleWith {
- modules = [ domainModule domainLdapModule ];
+ modules = [domainModule domainLdapModule];
specialArgs = {
nixosConfig = config;
};
@@ -135,25 +142,27 @@ in {
};
};
services = let
- mkServiceOption = name: { modules ? [ ] }: mkOption {
- type = submoduleWith {
- modules = [ serviceModule ] ++ modules;
- specialArgs = {
- inherit name;
- nixosConfig = config;
+ mkServiceOption = name: {modules ? []}:
+ mkOption {
+ type = submoduleWith {
+ modules = [serviceModule] ++ modules;
+ specialArgs = {
+ inherit name;
+ nixosConfig = config;
+ };
};
};
- };
services = {
- nss = { modules = [ nssModule ]; };
- pam = { };
- ifp = { };
- sudo = { };
- autofs = { };
- ssh = { };
- pac = { };
+ nss = {modules = [nssModule];};
+ pam = {};
+ ifp = {};
+ sudo = {};
+ autofs = {};
+ ssh = {};
+ pac = {};
};
- in mapAttrs mkServiceOption services;
+ in
+ mapAttrs mkServiceOption services;
settings = mkOption {
type = attrsOf settingsType;
};
@@ -175,11 +184,14 @@ in {
domains = map (domain: domain.domain) enabledDomains;
};
};
- domainSettings = map (domain: {
- "domain/${domain.domain}" = mapAttrs (_: mkOptionDefault) domain.settings;
- }) enabledDomains;
- settings = [ defaultSettings serviceSettings ] ++ domainSettings;
- in mkMerge settings;
+ domainSettings =
+ map (domain: {
+ "domain/${domain.domain}" = mapAttrs (_: mkOptionDefault) domain.settings;
+ })
+ enabledDomains;
+ settings = [defaultSettings serviceSettings] ++ domainSettings;
+ in
+ mkMerge settings;
services = {
nss.enable = mkAlmostOptionDefault true;
pam.enable = mkAlmostOptionDefault true;
@@ -187,24 +199,30 @@ in {
extraUserAttrs = listToAttrs (concatMap (domain: map (flip nameValuePair {}) (attrNames domain.ldap.extraAttrs.user)) enabledDomains);
mkExtraAttr = name: _: "+${name}";
in {
- user_attributes = mkIf (extraUserAttrs != { }) (mkOptionDefault (
+ user_attributes = mkIf (extraUserAttrs != {}) (mkOptionDefault (
mapAttrsToList mkExtraAttr extraUserAttrs
));
};
- sudo = { };
- autofs = { };
- ssh = { };
- pac = { };
+ sudo = {};
+ autofs = {};
+ ssh = {};
+ pac = {};
};
configText = mkOptionDefault (toINI cfg.settings);
config = mkIf (cfg.configText != null) (mkAlmostOptionDefault cfg.configText);
};
config.system.nssDatabases = let
inherit (cfg.services) nss;
- in mkIf cfg.enable {
- ${if options ? system.nssDatabases.netgroup then "netgroup" else null} = mkIf (nss.enable && nss.netgroup.enable) [ "sss" ];
- shadow = mkIf (!nss.enable || !nss.shadow.enable) (
- mkForce [ "files" ]
- );
- };
+ in
+ mkIf cfg.enable {
+ ${
+ if options ? system.nssDatabases.netgroup
+ then "netgroup"
+ else null
+ } =
+ mkIf (nss.enable && nss.netgroup.enable) ["sss"];
+ shadow = mkIf (!nss.enable || !nss.shadow.enable) (
+ mkForce ["files"]
+ );
+ };
}
diff --git a/modules/nixos/steam/account-switch.nix b/modules/nixos/steam/account-switch.nix
index 333844c1..6485d89c 100644
--- a/modules/nixos/steam/account-switch.nix
+++ b/modules/nixos/steam/account-switch.nix
@@ -12,7 +12,11 @@
inherit (lib.lists) singleton;
inherit (lib.strings) removePrefix;
cfg = config.services.steam.accountSwitch;
- machineModule = { config, name, ... }: {
+ machineModule = {
+ config,
+ name,
+ ...
+ }: {
options = with lib.types; {
name = mkOption {
type = str;
@@ -67,7 +71,7 @@ in {
};
machines = mkOption {
type = attrsOf (submodule machineModule);
- default = { };
+ default = {};
};
};
@@ -93,34 +97,40 @@ in {
inherit owner;
inherit (shared) group mode;
};
- setupFiles = singleton {
- ${cfg.rootDir} = toplevel;
- ${cfg.binDir} = toplevel;
- ${cfg.binDir + "/users"} = shared;
- ${cfg.dataDir} = toplevel;
- ${cfg.sharedDataDir} = shared;
- ${cfg.workingDir} = toplevel;
- ${cfg.sharedWorkingDir} = shared;
- } ++ map (owner: {
- ${cfg.dataDir + "/${owner}"} = personal owner;
- ${cfg.workingDir + "/${owner}"} = personal owner;
- }) cfg.users
- ++ mapAttrsToList (_: machine: {
- ${cfg.dataDir + "/${machine.name}"} = personal machine.owner;
- ${cfg.workingDir + "/${machine.name}"} = personal machine.owner;
- }) cfg.machines;
- userBinFiles = listToAttrs (map (user: nameValuePair "${cfg.binDir}/users/${user}.bat" {
- inherit (toplevel) owner group;
- mode = "0755";
- type = "copy";
- src = pkgs.writeTextFile {
- name = "steam-${user}.bat";
- executable = true;
- text = ''
- setx GENSO_STEAM_USER ${user}
- '';
- };
- }) cfg.users);
+ setupFiles =
+ singleton {
+ ${cfg.rootDir} = toplevel;
+ ${cfg.binDir} = toplevel;
+ ${cfg.binDir + "/users"} = shared;
+ ${cfg.dataDir} = toplevel;
+ ${cfg.sharedDataDir} = shared;
+ ${cfg.workingDir} = toplevel;
+ ${cfg.sharedWorkingDir} = shared;
+ }
+ ++ map (owner: {
+ ${cfg.dataDir + "/${owner}"} = personal owner;
+ ${cfg.workingDir + "/${owner}"} = personal owner;
+ })
+ cfg.users
+ ++ mapAttrsToList (_: machine: {
+ ${cfg.dataDir + "/${machine.name}"} = personal machine.owner;
+ ${cfg.workingDir + "/${machine.name}"} = personal machine.owner;
+ })
+ cfg.machines;
+ userBinFiles = listToAttrs (map (user:
+ nameValuePair "${cfg.binDir}/users/${user}.bat" {
+ inherit (toplevel) owner group;
+ mode = "0755";
+ type = "copy";
+ src = pkgs.writeTextFile {
+ name = "steam-${user}.bat";
+ executable = true;
+ text = ''
+ setx GENSO_STEAM_USER ${user}
+ '';
+ };
+ })
+ cfg.users);
in {
enable = mkIf (cfg.enable || cfg.setup) true;
files = mkMerge [
@@ -132,14 +142,16 @@ in {
mkSharePathWith = {
path,
winRoot ? "%GENSO_SMB_SHARED_MOUNT%",
- }: mkWinPath (
- winRoot
- + "/${cfg.sharePath}"
- + "/${removePrefix (cfg.rootDir + "/") path}"
- );
- mkSharePath = path: config.lib.steam.mkSharePathWith {
- inherit path;
- };
+ }:
+ mkWinPath (
+ winRoot
+ + "/${cfg.sharePath}"
+ + "/${removePrefix (cfg.rootDir + "/") path}"
+ );
+ mkSharePath = path:
+ config.lib.steam.mkSharePathWith {
+ inherit path;
+ };
};
};
}
diff --git a/modules/nixos/steam/beatsaber.nix b/modules/nixos/steam/beatsaber.nix
index 0f5e8fc9..633b5509 100644
--- a/modules/nixos/steam/beatsaber.nix
+++ b/modules/nixos/steam/beatsaber.nix
@@ -17,8 +17,15 @@
sortedVersions = sort (a: b: versionOlder a.version b.version) (attrValues cfg.versions);
prevVersionFor = version: let
olderVersions = filter (v: versionOlder v.version version) sortedVersions;
- in if olderVersions != [] then last olderVersions else null;
- versionModule = { config, name, ... }: {
+ in
+ if olderVersions != []
+ then last olderVersions
+ else null;
+ versionModule = {
+ config,
+ name,
+ ...
+ }: {
options = with lib.types; {
version = mkOption {
type = str;
@@ -40,14 +47,18 @@
);
};
};
- fileModule = { config, name, ... }: {
+ fileModule = {
+ config,
+ name,
+ ...
+ }: {
options = with lib.types; {
relativePath = mkOption {
type = str;
default = name;
};
type = mkOption {
- type = enum [ "file" "directory" ];
+ type = enum ["file" "directory"];
default = "file";
};
versioned = mkOption {
@@ -55,13 +66,16 @@
default = false;
};
target = mkOption {
- type = enum [ "user" "shared" "game" ];
+ type = enum ["user" "shared" "game"];
default = "user";
};
mode = {
file = mkOption {
type = str;
- default = if hasSuffix ".exe" config.relativePath || hasSuffix ".dll" config.relativePath then "775" else "664";
+ default =
+ if hasSuffix ".exe" config.relativePath || hasSuffix ".dll" config.relativePath
+ then "775"
+ else "664";
};
dir = mkOption {
type = str;
@@ -75,7 +89,7 @@
type = functionTo path;
};
srcStyle = mkOption {
- type = enum [ "empty" "copy" "symlink" "symlink-shallow" ];
+ type = enum ["empty" "copy" "symlink" "symlink-shallow"];
default = "symlink";
};
workingPathFor = mkOption {
@@ -88,7 +102,7 @@
type = functionTo (nullOr path);
};
initStyle = mkOption {
- type = enum [ "none" "copy" "symlink" "symlink-shallow" ];
+ type = enum ["none" "copy" "symlink" "symlink-shallow"];
default = "copy";
};
setup = {
@@ -106,32 +120,56 @@
versionPathFor = version: optionalString config.versioned "/${version}";
in {
init = mkOptionDefault (
- if config.target == "game" then null
- else if config.type == "directory" then "${emptyDir}"
- else if hasSuffix ".json" config.relativePath then "${emptyJson}"
- else if hasSuffix ".dll" config.relativePath || hasSuffix ".exe" config.relativePath then "${emptyExecutable}"
+ if config.target == "game"
+ then null
+ else if config.type == "directory"
+ then "${emptyDir}"
+ else if hasSuffix ".json" config.relativePath
+ then "${emptyJson}"
+ else if hasSuffix ".dll" config.relativePath || hasSuffix ".exe" config.relativePath
+ then "${emptyExecutable}"
else "${emptyFile}"
);
initFor = mkOptionDefault (
- { user, version }: config.init
- );
- ownerFor = mkOptionDefault (user:
- if config.target == "user" then user else "admin"
- );
- srcPathFor = mkOptionDefault ({ user, version }:
{
- shared = cfg.sharedDataDir + versionPathFor version;
- user = cfg.dataDirFor user + versionPathFor version;
- game = cfg.gameDirFor version;
- }.${config.target} or (throw "unsupported target")
- + "/${config.relativePath}"
+ user,
+ version,
+ }:
+ config.init
);
- workingPathFor = mkOptionDefault ({ user, version }:
- cfg.workingDirFor { inherit user version; }
- + "/${config.relativePath}"
+ ownerFor = mkOptionDefault (
+ user:
+ if config.target == "user"
+ then user
+ else "admin"
+ );
+ srcPathFor = mkOptionDefault (
+ {
+ user,
+ version,
+ }:
+ {
+ shared = cfg.sharedDataDir + versionPathFor version;
+ user = cfg.dataDirFor user + versionPathFor version;
+ game = cfg.gameDirFor version;
+ }
+ .${config.target}
+ or (throw "unsupported target")
+ + "/${config.relativePath}"
+ );
+ workingPathFor = mkOptionDefault (
+ {
+ user,
+ version,
+ }:
+ cfg.workingDirFor {inherit user version;}
+ + "/${config.relativePath}"
);
# TODO: setup.shared and do inits seperately!
- setup.script = { user, version }@args: let
+ setup.script = {
+ user,
+ version,
+ } @ args: let
owner = config.ownerFor user;
srcPath = config.srcPathFor args;
workingPath = config.workingPathFor args;
@@ -148,85 +186,120 @@
fi
chown ${owner}:${cfg.group} ${escapeShellArg dest}
'';
- mkStyle = { style, src }: if style != "none" && src == {
- file = "${emptyFile}";
- directory = "${emptyDir}";
- }.${config.type} then "empty" else style;
- doInit = { style, src, dest }: {
- none = "true";
- copy = {
- file = ''
- if [[ -L ${escapeShellArg dest} ]]; then
- rm -f ${escapeShellArg dest}
- elif [[ -e ${escapeShellArg dest} ]]; then
- echo ERR: something is in the way of copying ${escapeShellArg dest} >&2
+ mkStyle = {
+ style,
+ src,
+ }:
+ if
+ style
+ != "none"
+ && src
+ == {
+ file = "${emptyFile}";
+ directory = "${emptyDir}";
+ }
+ .${config.type}
+ then "empty"
+ else style;
+ doInit = {
+ style,
+ src,
+ dest,
+ }:
+ {
+ none = "true";
+ copy =
+ {
+ file = ''
+ if [[ -L ${escapeShellArg dest} ]]; then
+ rm -f ${escapeShellArg dest}
+ elif [[ -e ${escapeShellArg dest} ]]; then
+ echo ERR: something is in the way of copying ${escapeShellArg dest} >&2
+ exit 1
+ fi
+ cp -TP --no-preserve=all ${escapeShellArg src} ${escapeShellArg dest}
+ chmod ${config.mode.file} ${escapeShellArg dest}
+ chown ${owner}:${cfg.group} ${escapeShellArg dest}
+ '';
+ directory = ''
+ ${mkdir dest}
+ cp -rTP --no-preserve=all ${escapeShellArg src} ${escapeShellArg dest}
+ chown -R ${owner}:${cfg.group} ${escapeShellArg dest}
+ find ${escapeShellArg dest} -type f -exec chmod -m${config.mode.file} "{}" \;
+ '';
+ }
+ .${config.type};
+ empty =
+ {
+ directory = ''
+ ${mkdir dest}
+ '';
+ file = ''
+ touch ${escapeShellArg dest}
+ chmod ${config.mode.file} ${escapeShellArg dest}
+ chown ${owner}:${cfg.group} ${escapeShellArg dest}
+ '';
+ }
+ .${config.type};
+ symlink = ''
+ if [[ -e ${escapeShellArg dest} && ! -L ${escapeShellArg dest} ]]; then
+ echo ERR: something is in the way of linking ${escapeShellArg dest} >&2
exit 1
fi
- cp -TP --no-preserve=all ${escapeShellArg src} ${escapeShellArg dest}
- chmod ${config.mode.file} ${escapeShellArg dest}
- chown ${owner}:${cfg.group} ${escapeShellArg dest}
+ ln -sfT ${escapeShellArg src} ${escapeShellArg dest}
'';
- directory = ''
- ${mkdir dest}
- cp -rTP --no-preserve=all ${escapeShellArg src} ${escapeShellArg dest}
- chown -R ${owner}:${cfg.group} ${escapeShellArg dest}
- find ${escapeShellArg dest} -type f -exec chmod -m${config.mode.file} "{}" \;
- '';
- }.${config.type};
- empty = {
- directory = ''
- ${mkdir dest}
- '';
- file = ''
- touch ${escapeShellArg dest}
- chmod ${config.mode.file} ${escapeShellArg dest}
- chown ${owner}:${cfg.group} ${escapeShellArg dest}
- '';
- }.${config.type};
- symlink = ''
- if [[ -e ${escapeShellArg dest} && ! -L ${escapeShellArg dest} ]]; then
- echo ERR: something is in the way of linking ${escapeShellArg dest} >&2
- exit 1
- fi
- ln -sfT ${escapeShellArg src} ${escapeShellArg dest}
- '';
- symlink-shallow = {
- directory = ''
- ${mkdir dest}
- ln -sf ${escapeShellArg src}/* ${escapeShellArg dest}/
- '';
- }.${config.type};
- }.${mkStyle { inherit style src; }};
- doSetup = { style, src, dest }: rec {
- none = "true";
- copy = {
- file = ''
- ${empty}
- '';
- directory = ''
- ${empty}
- if [[ ${escapeShellArg dest}/* != ${escapeShellArg dest}/\* ]]; then
- chmod -m${config.mode.file} ${escapeShellArg dest}/*
- fi
- '';
- }.${config.type};
- empty = {
- directory = ''
- chmod ${config.mode.dir} ${escapeShellArg dest}
- chown ${owner}:${cfg.group} ${escapeShellArg dest}
- '';
- file = ''
- chmod ${config.mode.file} ${escapeShellArg dest}
- chown ${owner}:${cfg.group} ${escapeShellArg dest}
- '';
- }.${config.type};
- symlink = "true";
- symlink-shallow = {
- directory = ''
- ${mkdir.directory}
- '';
- }.${config.type};
- }.${mkStyle { inherit style src; }};
+ symlink-shallow =
+ {
+ directory = ''
+ ${mkdir dest}
+ ln -sf ${escapeShellArg src}/* ${escapeShellArg dest}/
+ '';
+ }
+ .${config.type};
+ }
+ .${mkStyle {inherit style src;}};
+ doSetup = {
+ style,
+ src,
+ dest,
+ }:
+ rec {
+ none = "true";
+ copy =
+ {
+ file = ''
+ ${empty}
+ '';
+ directory = ''
+ ${empty}
+ if [[ ${escapeShellArg dest}/* != ${escapeShellArg dest}/\* ]]; then
+ chmod -m${config.mode.file} ${escapeShellArg dest}/*
+ fi
+ '';
+ }
+ .${config.type};
+ empty =
+ {
+ directory = ''
+ chmod ${config.mode.dir} ${escapeShellArg dest}
+ chown ${owner}:${cfg.group} ${escapeShellArg dest}
+ '';
+ file = ''
+ chmod ${config.mode.file} ${escapeShellArg dest}
+ chown ${owner}:${cfg.group} ${escapeShellArg dest}
+ '';
+ }
+ .${config.type};
+ symlink = "true";
+ symlink-shallow =
+ {
+ directory = ''
+ ${mkdir.directory}
+ '';
+ }
+ .${config.type};
+ }
+ .${mkStyle {inherit style src;}};
init = doInit {
style = config.initStyle;
src = initPath;
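Review bot: `chmod -m${config.mode.file}` on the `find … -exec` line of doInit's copy/directory branch, and again on the `chmod -m… ${dest}/*` line of doSetup's copy/directory branch, passes a flag GNU chmod does not accept, so those commands fail at runtime; the direct call aborts the setup script under its `set -eu`, while the `-exec` failure is only printed by find. The neighbouring file branches use the plain form, so the fix is presumably `chmod ${config.mode.file} …` at both sites. Separately, doSetup's symlink-shallow branch interpolates `${mkdir.directory}` although `mkdir` is applied as a function (`${mkdir dest}`) elsewhere in the hunk, so that branch appears to be an evaluation error when selected; hedged because mkdir's definition is outside the hunk, as is the start of the enclosing `setup.script` let-block.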
@@ -242,37 +315,46 @@
src = srcPath;
dest = workingPath;
};
- checkFlag = {
- file = {
- none = "e";
- copy = "f";
- symlink = "L";
- }.${config.initStyle};
- directory = {
- none = "e";
- copy = "d";
- symlink-shallow = "d";
- symlink = "L";
- }.${config.initStyle};
- }.${config.type};
+ checkFlag =
+ {
+ file =
+ {
+ none = "e";
+ copy = "f";
+ symlink = "L";
+ }
+ .${config.initStyle};
+ directory =
+ {
+ none = "e";
+ copy = "d";
+ symlink-shallow = "d";
+ symlink = "L";
+ }
+ .${config.initStyle};
+ }
+ .${config.type};
checkParent = ''
if [[ ! -d ${escapeShellArg parentWorkingPath} ]]; then
echo ERR: parent of ${escapeShellArg workingPath} does not exist >&2
exit 1
fi
'';
- check = if initPath != null then ''
- if [[ ! -${checkFlag} ${escapeShellArg srcPath} ]]; then
- ${init}
- else
- ${setup}
- fi
- '' else ''
- if [[ ! -${checkFlag} ${escapeShellArg srcPath} ]]; then
- echo ERR: src ${escapeShellArg srcPath} for ${escapeShellArg workingPath} does not exist >&2
- exit 1
- fi
- '';
+ check =
+ if initPath != null
+ then ''
+ if [[ ! -${checkFlag} ${escapeShellArg srcPath} ]]; then
+ ${init}
+ else
+ ${setup}
+ fi
+ ''
+ else ''
+ if [[ ! -${checkFlag} ${escapeShellArg srcPath} ]]; then
+ echo ERR: src ${escapeShellArg srcPath} for ${escapeShellArg workingPath} does not exist >&2
+ exit 1
+ fi
+ '';
in ''
${checkParent}
${check}
@@ -280,7 +362,11 @@
'';
};
};
- userModule = { config, name, ... }: {
+ userModule = {
+ config,
+ name,
+ ...
+ }: {
options = with lib.types; {
name = mkOption {
type = str;
@@ -294,7 +380,7 @@
};
emptyFile = pkgs.writeText "empty.txt" "";
emptyJson = pkgs.writeText "empty.json" "{}";
- emptyDir = pkgs.runCommand "empty" { } ''
+ emptyDir = pkgs.runCommand "empty" {} ''
mkdir $out
'';
emptyExecutable = pkgs.writeTextFile {
@@ -347,9 +433,11 @@
rmdir "%STEAM_BS_LIBRARY%"
mklink /D "%STEAM_BS_LIBRARY%" "%STEAM_BS_LAUNCH%"
'';
- launch = ''
- cd /d "%STEAM_BS_LIBRARY%"
- '' + ''"%STEAM_BS_LIBRARY%\Beat Saber.exe"'';
+ launch =
+ ''
+ cd /d "%STEAM_BS_LIBRARY%"
+ ''
+ + ''"%STEAM_BS_LIBRARY%\Beat Saber.exe"'';
setup = ''
rmdir "%STEAM_BS_APPDATA%"
rmdir "%STEAM_BS_LIBRARY%"
@@ -404,7 +492,10 @@
${launch}
${eof}
'';
- beatsaber-user = { user, version }: ''
+ beatsaber-user = {
+ user,
+ version,
+ }: ''
set GENSO_STEAM_USER=${user}
set GENSO_STEAM_BS_VERSION=${version}
${vars}
@@ -416,19 +507,25 @@
setx GENSO_STEAM_BS_VERSION Vanilla
'';
- mksetupbeatsaber = { user, version }: let
- setupFiles = mapAttrsToList (_: file: file.setup.script { inherit user version; }) cfg.files;
- in pkgs.writeShellScript "setupbeatsaber-${user}-${version}" ''
- set -eu
- export PATH="$PATH:${makeBinPath [ pkgs.coreutils ]}"
- ${concatStringsSep "\n" setupFiles}
- '';
+ mksetupbeatsaber = {
+ user,
+ version,
+ }: let
+ setupFiles = mapAttrsToList (_: file: file.setup.script {inherit user version;}) cfg.files;
+ in
+ pkgs.writeShellScript "setupbeatsaber-${user}-${version}" ''
+ set -eu
+ export PATH="$PATH:${makeBinPath [pkgs.coreutils]}"
+ ${concatStringsSep "\n" setupFiles}
+ '';
in {
options.services.steam.beatsaber = with lib.types; {
enable = mkEnableOption "beatsaber scripts";
- setup = mkEnableOption "beatsaber data" // {
- default = accountSwitch.setup;
- };
+ setup =
+ mkEnableOption "beatsaber data"
+ // {
+ default = accountSwitch.setup;
+ };
group = mkOption {
type = str;
default = "beatsaber";
@@ -438,7 +535,7 @@ in {
};
versions = mkOption {
type = attrsOf (submodule versionModule);
- default = { };
+ default = {};
};
setupServiceNames = mkOption {
type = listOf str;
@@ -446,7 +543,7 @@ in {
};
files = mkOption {
type = attrsOf (submodule fileModule);
- default = { };
+ default = {};
};
users = mkOption {
type = attrsOf (submodule userModule);
@@ -489,7 +586,11 @@ in {
};
workingDirFor = mkOption {
type = functionTo path;
- default = { user, version }: cfg.userWorkingDirFor user + "/${version}";
+ default = {
+ user,
+ version,
+ }:
+ cfg.userWorkingDirFor user + "/${version}";
};
};
@@ -498,9 +599,9 @@ in {
bsUsers = filterAttrs (_: userIs cfg.group) config.users.users;
allVersions = mapAttrsToList (_: version: version.version) cfg.versions;
gameFiles = {
- "Beat Saber.exe" = { };
- "UnityCrashHandler64.exe" = { };
- "UnityPlayer.dll" = { };
+ "Beat Saber.exe" = {};
+ "UnityCrashHandler64.exe" = {};
+ "UnityPlayer.dll" = {};
"MonoBleedingEdge".type = "directory";
};
sharedFiles = {
@@ -526,7 +627,7 @@ in {
};
"BeatSaberVersion.txt" = {
versioned = true;
- initFor = { version, ... }: pkgs.writeText "BeatSaberVersion-${version}.txt" version;
+ initFor = {version, ...}: pkgs.writeText "BeatSaberVersion-${version}.txt" version;
};
"IPA.exe".versioned = true;
"IPA.exe.config".versioned = true;
@@ -538,19 +639,19 @@ in {
#initStyle = "symlink-shallow";
#initFor = { version, ... }: cfg.gameDirFor version + "/${bsdata}";
initStyle = "none";
- srcPathFor = { version, ... }: cfg.gameDirFor version + "/${bsdata}";
+ srcPathFor = {version, ...}: cfg.gameDirFor version + "/${bsdata}";
srcStyle = "symlink-shallow";
};
"${bsdata}/Managed" = {
type = "directory";
versioned = true;
- initFor = { version, ... }: cfg.gameDirFor version + "/${bsdata}/Managed";
+ initFor = {version, ...}: cfg.gameDirFor version + "/${bsdata}/Managed";
};
# TODO: remove this to use multiple folders
"${bsdata}/CustomLevels" = {
type = "directory";
initStyle = "none";
- srcPathFor = { ... }: cfg.sharedDataDir + "/CustomLevels";
+ srcPathFor = {...}: cfg.sharedDataDir + "/CustomLevels";
};
CustomAvatars = {
type = "directory";
@@ -579,7 +680,7 @@ in {
"UserData/ScoreSaber/Replays" = {
type = "directory";
initStyle = "none";
- srcPathFor = { ... }: cfg.sharedDataDir + "/Replays";
+ srcPathFor = {...}: cfg.sharedDataDir + "/Replays";
};
"UserData/Beat Saber IPA.json".versioned = true;
"UserData/SongCore/" = {
@@ -619,8 +720,8 @@ in {
};
"UserData/Saber Factory/Cache".type = "directory";
"UserData/Saber Factory/Textures".type = "directory";
- "UserData/BeatSaverDownloader.ini" = { };
- "UserData/BeatSaverUpdater.json" = { };
+ "UserData/BeatSaverDownloader.ini" = {};
+ "UserData/BeatSaverUpdater.json" = {};
"UserData/SongDetailsCache.proto".versioned = true;
"UserData/SongDetailsCache.proto.Direct.etag".versioned = true;
};
@@ -636,7 +737,7 @@ in {
srcStyle = "empty";
};
"UserData/Saber Factory/Presets".type = "directory";
- "UserData/Saber Factory/TrailConfig.json" = { };
+ "UserData/Saber Factory/TrailConfig.json" = {};
"UserData/SongCore" = {
type = "directory";
versioned = true;
@@ -658,17 +759,23 @@ in {
"UserData/JDFixer.json".versioned = true;
};
userDataFiles = [
- "modprefs.ini" "Disabled Mods.json"
+ "modprefs.ini"
+ "Disabled Mods.json"
"AutoPauseStealth.json"
"BeatSaberMarkupLanguage.json"
"BeatSaviorData.ini"
"BetterSongList.json"
"BetterSongSearch.json"
- "bookmarkedSongs.json" "votedSongs.json"
+ "bookmarkedSongs.json"
+ "votedSongs.json"
"Chroma.json"
"Cinema.json"
"CountersPlus.json"
- "CustomAvatars.CalibrationData.dat" "CustomAvatars.json" "CustomNotes.json" "Custom Platforms.json" "CustomWalls.json"
+ "CustomAvatars.CalibrationData.dat"
+ "CustomAvatars.json"
+ "CustomNotes.json"
+ "Custom Platforms.json"
+ "CustomWalls.json"
"DrinkWater.json"
"EasyOffset.json"
"Enhancements.json"
@@ -702,20 +809,25 @@ in {
"Tweaks55.json"
"UITweaks.json"
];
- mapSharedFile = file: file // {
- target = "shared";
- };
- mapGameFile = file: file // {
- target = "game";
- };
- mapUserDataFile = file: nameValuePair "UserData/${file}" {
- target = "user";
- };
+ mapSharedFile = file:
+ file
+ // {
+ target = "shared";
+ };
+ mapGameFile = file:
+ file
+ // {
+ target = "game";
+ };
+ mapUserDataFile = file:
+ nameValuePair "UserData/${file}" {
+ target = "user";
+ };
in {
- defaultVersion = mkIf (allVersions != [ ]) (mkOptionDefault (
+ defaultVersion = mkIf (allVersions != []) (mkOptionDefault (
head allVersions
));
- users = mapAttrs (_: user: { name = mkDefault user.name; }) bsUsers;
+ users = mapAttrs (_: user: {name = mkDefault user.name;}) bsUsers;
setupServiceNames = mkOptionDefault (
mapAttrsToList (_: user: "steam-setup-beatsaber-${user.name}.service") cfg.users
);
@@ -736,11 +848,16 @@ in {
serviceConfig = {
Type = mkOptionDefault "oneshot";
RemainAfterExit = mkOptionDefault true;
- ExecStart = mkMerge (mapAttrsToList (_: user:
- (mapAttrsToList (_: version:
- "${mksetupbeatsaber { user = user.name; inherit (version) version; }}"
- ) cfg.versions)
- ) cfg.users);
+ ExecStart = mkMerge (mapAttrsToList (
+ _: user: (mapAttrsToList (
+ _: version: "${mksetupbeatsaber {
+ user = user.name;
+ inherit (version) version;
+ }}"
+ )
+ cfg.versions)
+ )
+ cfg.users);
};
};
services.tmpfiles = let
@@ -774,132 +891,157 @@ in {
"AppData"
"UserData"
];
- setupFiles = [
+ setupFiles =
+ [
+ {
+ ${cfg.sharedDataDir} = toplevel;
+ ${cfg.binDir} = shared;
+ }
+ (listToAttrs (
+ map (
+ folder:
+ nameValuePair "${cfg.sharedDataDir}/${folder}" shared
+ )
+ sharedFolders
+ ))
+ ]
+ ++ concatLists (mapAttrsToList (
+ _: user:
+ singleton {
+ ${cfg.dataDirFor user.name} = personal user.name;
+ "${cfg.dataDirFor user.name}/AppData" = personal user.name;
+ "${cfg.dataDirFor user.name}/UserData" = personal user.name;
+ }
+ ++ mapAttrsToList (_: version: {
+ "${cfg.dataDirFor user.name}/${version.version}" = personal user.name;
+ ${cfg.userWorkingDirFor user.name} = personal user.name;
+ ${
+ cfg.workingDirFor {
+ user = user.name;
+ inherit (version) version;
+ }
+ } =
+ personal user.name;
+ })
+ cfg.versions
+ )
+ cfg.users)
+ ++ mapAttrsToList (_: version: {
+ "${cfg.sharedDataDir}/${version.version}" = shared;
+ })
+ cfg.versions;
+ versionBinFiles =
+ mapAttrs' (
+ _: version:
+ nameValuePair
+ "${cfg.binDir}/${replaceStrings ["."] ["_"] version.version}.bat"
+ {
+ inherit (bin) owner group mode type;
+ src = pkgs.writeTextFile {
+ name = "beatsaber-${version.version}.bat";
+ executable = true;
+ text = ''
+ setx GENSO_STEAM_BS_VERSION ${version.version}
+ '';
+ };
+ }
+ )
+ cfg.versions;
+ userBinFiles =
+ mapAttrs' (
+ _: user:
+ nameValuePair
+ "${cfg.binDir}/${user.name}.bat"
+ {
+ inherit (bin) owner group mode type;
+ src = pkgs.writeTextFile {
+ name = "beatsaber-${user.name}.bat";
+ executable = true;
+ text = beatsaber-user {
+ user = user.name;
+ version = user.preferredVersion;
+ };
+ };
+ }
+ )
+ cfg.users;
+ binFiles =
{
- ${cfg.sharedDataDir} = toplevel;
- ${cfg.binDir} = shared;
- }
- (listToAttrs (
- map (folder:
- nameValuePair "${cfg.sharedDataDir}/${folder}" shared
- ) sharedFolders
- ))
- ] ++ concatLists (mapAttrsToList (_: user:
- singleton {
- ${cfg.dataDirFor user.name} = personal user.name;
- "${cfg.dataDirFor user.name}/AppData" = personal user.name;
- "${cfg.dataDirFor user.name}/UserData" = personal user.name;
- } ++ mapAttrsToList (_: version: {
- "${cfg.dataDirFor user.name}/${version.version}" = personal user.name;
- ${cfg.userWorkingDirFor user.name} = personal user.name;
- ${cfg.workingDirFor { user = user.name; inherit (version) version; }} = personal user.name;
- }) cfg.versions
- ) cfg.users)
- ++ mapAttrsToList (_: version: {
- "${cfg.sharedDataDir}/${version.version}" = shared;
- }) cfg.versions;
- versionBinFiles = mapAttrs' (_: version: nameValuePair
- "${cfg.binDir}/${replaceStrings [ "." ] [ "_" ] version.version}.bat"
- {
- inherit (bin) owner group mode type;
- src = pkgs.writeTextFile {
- name = "beatsaber-${version.version}.bat";
- executable = true;
- text = ''
- setx GENSO_STEAM_BS_VERSION ${version.version}
- '';
+ "${cfg.binDir}/mount.bat" = {
+ inherit (bin) owner group mode type;
+ src = pkgs.writeTextFile {
+ name = "beatsaber-mount.bat";
+ executable = true;
+ text = mountbeatsaber;
+ };
};
- }
- ) cfg.versions;
- userBinFiles = mapAttrs' (_: user: nameValuePair
- "${cfg.binDir}/${user.name}.bat"
- {
- inherit (bin) owner group mode type;
- src = pkgs.writeTextFile {
- name = "beatsaber-${user.name}.bat";
- executable = true;
- text = beatsaber-user {
- user = user.name;
- version = user.preferredVersion;
+ "${cfg.binDir}/launch.bat" = {
+ inherit (bin) owner group mode type;
+ src = pkgs.writeTextFile {
+ name = "beatsaber-launch.bat";
+ executable = true;
+ text = launchbeatsaber;
+ };
+ };
+ "${cfg.binDir}/fpfc.bat" = {
+ inherit (bin) owner group mode type;
+ src = pkgs.writeTextFile {
+ name = "beatsaber-fpfc.bat";
+ executable = true;
+ text = fpfcbeatsaber;
+ };
+ };
+ "${cfg.binDir}/setup.bat" = {
+ inherit (bin) owner group mode type;
+ src = pkgs.writeTextFile {
+ name = "beatsaber-setup.bat";
+ executable = true;
+ text = setupbeatsaber;
+ };
+ };
+ "${cfg.binDir}/local-launch.bat" = {
+ inherit (bin) owner group mode type;
+ src = pkgs.writeTextFile {
+ name = "beatsaber-local-launch.bat";
+ executable = true;
+ text = localbeatsaber-launch;
+ };
+ };
+ "${cfg.binDir}/local-mount.bat" = {
+ inherit (bin) owner group mode type;
+ src = pkgs.writeTextFile {
+ name = "beatsaber-local-mount.bat";
+ executable = true;
+ text = localbeatsaber-mount;
+ };
+ };
+ "${cfg.binDir}/local-vanilla.bat" = {
+ inherit (bin) owner group mode type;
+ src = pkgs.writeTextFile {
+ name = "beatsaber-local-vanilla.bat";
+ executable = true;
+ text = localbeatsaber-vanilla;
+ };
+ };
+ "${cfg.binDir}/vanilla.bat" = {
+ inherit (bin) owner group mode type;
+ src = pkgs.writeTextFile {
+ name = "beatsaber-version-vanilla.bat";
+ executable = true;
+ text = vanilla;
+ };
+ };
+ "${cfg.binDir}/ModAssistant.exe" = {
+ inherit (bin) owner group mode type;
+ src = pkgs.fetchurl {
+ url = "https://github.com/Assistant/ModAssistant/releases/download/v1.1.32/ModAssistant.exe";
+ hash = "sha256-ozu2gYFiz+2BjptqL80DmUopbahbyGKFO1IPd7BhVPM=";
+ executable = true;
};
};
}
- ) cfg.users;
- binFiles = {
- "${cfg.binDir}/mount.bat" = {
- inherit (bin) owner group mode type;
- src = pkgs.writeTextFile {
- name = "beatsaber-mount.bat";
- executable = true;
- text = mountbeatsaber;
- };
- };
- "${cfg.binDir}/launch.bat" = {
- inherit (bin) owner group mode type;
- src = pkgs.writeTextFile {
- name = "beatsaber-launch.bat";
- executable = true;
- text = launchbeatsaber;
- };
- };
- "${cfg.binDir}/fpfc.bat" = {
- inherit (bin) owner group mode type;
- src = pkgs.writeTextFile {
- name = "beatsaber-fpfc.bat";
- executable = true;
- text = fpfcbeatsaber;
- };
- };
- "${cfg.binDir}/setup.bat" = {
- inherit (bin) owner group mode type;
- src = pkgs.writeTextFile {
- name = "beatsaber-setup.bat";
- executable = true;
- text = setupbeatsaber;
- };
- };
- "${cfg.binDir}/local-launch.bat" = {
- inherit (bin) owner group mode type;
- src = pkgs.writeTextFile {
- name = "beatsaber-local-launch.bat";
- executable = true;
- text = localbeatsaber-launch;
- };
- };
- "${cfg.binDir}/local-mount.bat" = {
- inherit (bin) owner group mode type;
- src = pkgs.writeTextFile {
- name = "beatsaber-local-mount.bat";
- executable = true;
- text = localbeatsaber-mount;
- };
- };
- "${cfg.binDir}/local-vanilla.bat" = {
- inherit (bin) owner group mode type;
- src = pkgs.writeTextFile {
- name = "beatsaber-local-vanilla.bat";
- executable = true;
- text = localbeatsaber-vanilla;
- };
- };
- "${cfg.binDir}/vanilla.bat" = {
- inherit (bin) owner group mode type;
- src = pkgs.writeTextFile {
- name = "beatsaber-version-vanilla.bat";
- executable = true;
- text = vanilla;
- };
- };
- "${cfg.binDir}/ModAssistant.exe" = {
- inherit (bin) owner group mode type;
- src = pkgs.fetchurl {
- url = "https://github.com/Assistant/ModAssistant/releases/download/v1.1.32/ModAssistant.exe";
- hash = "sha256-ozu2gYFiz+2BjptqL80DmUopbahbyGKFO1IPd7BhVPM=";
- executable = true;
- };
- };
- } // versionBinFiles
- // userBinFiles;
+ // versionBinFiles
+ // userBinFiles;
in {
enable = mkIf cfg.setup true;
files = mkIf cfg.setup (mkMerge (
diff --git a/modules/system/access.nix b/modules/system/access.nix
index 9503ef38..a0a97359 100644
--- a/modules/system/access.nix
+++ b/modules/system/access.nix
@@ -24,7 +24,10 @@
...
}: let
cfg = config.networking.access;
- addressForAttr = if config.networking.enableIPv6 then "address6ForNetwork" else "address4ForNetwork";
+ addressForAttr =
+ if config.networking.enableIPv6
+ then "address6ForNetwork"
+ else "address4ForNetwork";
has'Int = system.network.networks.int.enable or false;
has'Local = system.network.networks.local.enable or false;
has'Tail' = system.network.networks.tail.enable or false;
@@ -48,26 +51,53 @@
forSystem = access.systemFor hostName;
forSystemHas = network: forSystem.access ? ${addressForAttr}.${network} || forSystem.access ? address4ForNetwork.${network};
err = throw "no interface found between ${config.networking.hostName} -> ${hostName}@${network}";
- fallback = if nameAllowed
+ fallback =
+ if nameAllowed
then lib.warn "getAddressFor hostname fallback for ${config.networking.hostName} -> ${hostName}@${network}" (access.getHostnameFor hostName network)
else err;
local = forSystem.access.${addressForAttr}.local or forSystem.access.address4ForNetwork.local or fallback;
int = forSystem.access.${addressForAttr}.int or forSystem.access.address4ForNetwork.int or fallback;
tail = forSystem.access.${addressForAttr}.tail or fallback;
- in {
- lan =
- if hostName == system.name then forSystem.access.${addressForAttr}.localhost
- else if has'Int && forSystemHas "int" then int
- else if has'Local && forSystemHas "local" then local
- else fallback;
- ${if has'Local then "local" else null} = local;
- ${if has'Int then "int" else null} = int;
- ${if has'Tail then "tail" else null} = tail;
- }.${network} or fallback;
+ in
+ {
+ lan =
+ if hostName == system.name
+ then forSystem.access.${addressForAttr}.localhost
+ else if has'Int && forSystemHas "int"
+ then int
+ else if has'Local && forSystemHas "local"
+ then local
+ else fallback;
+ ${
+ if has'Local
+ then "local"
+ else null
+ } =
+ local;
+ ${
+ if has'Int
+ then "int"
+ else null
+ } =
+ int;
+ ${
+ if has'Tail
+ then "tail"
+ else null
+ } =
+ tail;
+ }
+ .${network}
+ or fallback;
in {
- inherit (systemAccess)
- hostnameForNetwork address4ForNetwork address6ForNetwork
- systemForService systemForServiceId;
+ inherit
+ (systemAccess)
+ hostnameForNetwork
+ address4ForNetwork
+ address6ForNetwork
+ systemForService
+ systemForServiceId
+ ;
addressForNetwork = systemAccess.${addressForAttr};
systemFor = hostName:
if hostName == config.networking.hostName
@@ -91,34 +121,63 @@
getHostnameFor = hostName: network: let
forSystem = access.systemFor hostName;
err = throw "no hostname found between ${config.networking.hostName} and ${hostName}@${network}";
- in {
- lan =
- if hostName == system.name then forSystem.access.hostnameForNetwork.localhost
- else if has'Int && forSystem.access.hostnameForNetwork ? int then forSystem.access.hostnameForNetwork.int
- else if has'Local && forSystem.access.hostnameForNetwork ? local then forSystem.access.hostnameForNetwork.local
- else err;
- ${if has'Local then "local" else null} = forSystem.access.hostnameForNetwork.local or err;
- ${if has'Int then "int" else null} = forSystem.access.hostnameForNetwork.int or err;
- ${if has'Tail then "tail" else null} = forSystem.access.hostnameForNetwork.tail or err;
- }.${network} or err;
+ in
+ {
+ lan =
+ if hostName == system.name
+ then forSystem.access.hostnameForNetwork.localhost
+ else if has'Int && forSystem.access.hostnameForNetwork ? int
+ then forSystem.access.hostnameForNetwork.int
+ else if has'Local && forSystem.access.hostnameForNetwork ? local
+ then forSystem.access.hostnameForNetwork.local
+ else err;
+ ${
+ if has'Local
+ then "local"
+ else null
+ } =
+ forSystem.access.hostnameForNetwork.local or err;
+ ${
+ if has'Int
+ then "int"
+ else null
+ } =
+ forSystem.access.hostnameForNetwork.int or err;
+ ${
+ if has'Tail
+ then "tail"
+ else null
+ } =
+ forSystem.access.hostnameForNetwork.tail or err;
+ }
+ .${network}
+ or err;
proxyUrlFor = {
- system ? if serviceId != null then access.systemForServiceId serviceId else access.systemForService serviceName,
+ system ?
+ if serviceId != null
+ then access.systemForServiceId serviceId
+ else access.systemForService serviceName,
serviceName ? mapNullable (serviceId: (findSingle (s: s.id == serviceId) null null (attrValues system.exports.services)).name) serviceId,
serviceId ? null,
service ? system.exports.services.${serviceName},
portName ? "default",
network ? "lan",
scheme ? null,
- getAddressFor ? "getAddressFor"
+ getAddressFor ? "getAddressFor",
}: let
port = service.ports.${portName};
- scheme' = if scheme == null then port.protocol else scheme;
- port' = if !port.enable
+ scheme' =
+ if scheme == null
+ then port.protocol
+ else scheme;
+ port' =
+ if !port.enable
then throw "${system.name}.exports.services.${service.name}.ports.${portName} isn't enabled"
else ":${toString port.port}";
host = access.${getAddressFor} system.name network;
url = "${scheme'}://${mkAddress6 host}${port'}";
- in assert service.enable; url;
+ in
+ assert service.enable; url;
};
};
networking.tempAddresses = mkIf cfg.global.enable (
@@ -142,9 +201,11 @@ in {
default = domain;
};
global.enable = mkEnableOption "globally routeable";
- online.enable = mkEnableOption "a deployed machine" // {
- default = true;
- };
+ online.enable =
+ mkEnableOption "a deployed machine"
+ // {
+ default = true;
+ };
hostnameForNetwork = mkOption {
type = attrsOf str;
default = {};
@@ -164,7 +225,12 @@ in {
];
access = let
- noNetwork = { enable = false; address4 = null; address6 = null; fqdn = null; };
+ noNetwork = {
+ enable = false;
+ address4 = null;
+ address6 = null;
+ fqdn = null;
+ };
local = config.network.networks.local or noNetwork;
int = config.network.networks.int or noNetwork;
mapNetwork' = mkDefault: attr: network: mkIf (network.enable && network.${attr} != null) (mkDefault network.${attr});
@@ -216,12 +282,14 @@ in {
hasService = system: system.config.exports.services.${service}.enable;
notFound = throw "no system found serving ${service}";
multiple = throw "multiple systems found serving ${service}";
- in (findSingle hasService notFound multiple (attrValues systems)).config;
+ in
+ (findSingle hasService notFound multiple (attrValues systems)).config;
systemForServiceId = serviceId: let
hasService = system: findSingle (service: service.id == serviceId && service.enable) null multiple (attrValues system.config.exports.services) != null;
notFound = throw "no system found serving ${serviceId}";
multiple = throw "multiple systems found serving ${serviceId}";
- in (findSingle hasService notFound multiple (attrValues systems)).config;
+ in
+ (findSingle hasService notFound multiple (attrValues systems)).config;
};
};
}
diff --git a/modules/system/ci.nix b/modules/system/ci.nix
index 17e0a074..4ac2b458 100644
--- a/modules/system/ci.nix
+++ b/modules/system/ci.nix
@@ -10,9 +10,11 @@
inherit (lib.modules) mkIf mkOptionDefault;
in {
options.ci = with lib.types; {
- enable = mkEnableOption "build via CI" // {
- default = config.type == "NixOS";
- };
+ enable =
+ mkEnableOption "build via CI"
+ // {
+ default = config.type == "NixOS";
+ };
allowFailure = mkOption {
type = bool;
default = false;
diff --git a/modules/system/exports/cockpit.nix b/modules/system/exports/cockpit.nix
index 575326aa..7455a343 100644
--- a/modules/system/exports/cockpit.nix
+++ b/modules/system/exports/cockpit.nix
@@ -1,4 +1,8 @@
-{lib, gensokyo-zone, ...}: let
+{
+ lib,
+ gensokyo-zone,
+ ...
+}: let
inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault;
inherit (lib.attrsets) mapAttrs;
in {
diff --git a/modules/system/exports/dnsmasq.nix b/modules/system/exports/dnsmasq.nix
index dd9dadec..c0554b13 100644
--- a/modules/system/exports/dnsmasq.nix
+++ b/modules/system/exports/dnsmasq.nix
@@ -1,8 +1,12 @@
-{lib, gensokyo-zone, ...}: let
+{
+ lib,
+ gensokyo-zone,
+ ...
+}: let
inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault;
inherit (lib.attrsets) mapAttrs;
in {
- config.exports.services.dnsmasq = { config, ... }: {
+ config.exports.services.dnsmasq = {config, ...}: {
id = mkAlmostOptionDefault "dns";
nixos = {
serviceAttr = "dnsmasq";
diff --git a/modules/system/exports/exports.nix b/modules/system/exports/exports.nix
index 72981787..8b8be7a5 100644
--- a/modules/system/exports/exports.nix
+++ b/modules/system/exports/exports.nix
@@ -24,7 +24,12 @@
};
id = mkOption {
type = str;
- default = cfg.services.${config.serviceName}.id/* or config.name*/;
+ default =
+ cfg.services.${config.serviceName}.id
+ /*
+ or config.name
+ */
+ ;
};
};
};
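Review bot: The reformatted `default` for `id` now has the old inline `/* or config.name*/` remark wedged as a three-line block comment between the expression and its terminating `;`, which reads worse than the original and will keep being reflowed this way on every formatter run. If the commented-out alternative is still wanted, lift it out of the expression as a line comment above the attribute, `# commented-out alternative fallback: or config.name` followed by `default = cfg.services.${config.serviceName}.id;`, and if it is dead, drop it; either way the default becomes a single line again. The surrounding `mkOption` for `id` starts inside the hunk, but the enclosing submodule definition starts outside it.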
diff --git a/modules/system/exports/freeipa.nix b/modules/system/exports/freeipa.nix
index 58efda01..0de9c818 100644
--- a/modules/system/exports/freeipa.nix
+++ b/modules/system/exports/freeipa.nix
@@ -1,4 +1,8 @@
-{lib, gensokyo-zone, ...}: let
+{
+ lib,
+ gensokyo-zone,
+ ...
+}: let
inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault;
inherit (lib.attrsets) mapAttrs;
in {
diff --git a/modules/system/exports/freepbx.nix b/modules/system/exports/freepbx.nix
index 39cf085e..423d94eb 100644
--- a/modules/system/exports/freepbx.nix
+++ b/modules/system/exports/freepbx.nix
@@ -1,4 +1,8 @@
-{lib, gensokyo-zone, ...}: let
+{
+ lib,
+ gensokyo-zone,
+ ...
+}: let
inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault;
inherit (lib.attrsets) mapAttrs;
in {
diff --git a/modules/system/exports/home-assistant.nix b/modules/system/exports/home-assistant.nix
index 3a8e3d6a..fd46454f 100644
--- a/modules/system/exports/home-assistant.nix
+++ b/modules/system/exports/home-assistant.nix
@@ -1,14 +1,19 @@
-{lib, gensokyo-zone, ...}: let
+{
+ lib,
+ gensokyo-zone,
+ ...
+}: let
inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault;
inherit (lib.modules) mkIf;
inherit (lib.attrsets) mapAttrs;
inherit (lib.lists) all imap0;
inherit (lib.trivial) id;
in {
- config.exports.services.home-assistant = { config, ... }: let
+ config.exports.services.home-assistant = {config, ...}: let
mkAssertion = f: nixosConfig: let
cfg = nixosConfig.services.home-assistant;
- in f nixosConfig cfg;
+ in
+ f nixosConfig cfg;
assertPort = nixosConfig: cfg: {
assertion = config.ports.default.port == cfg.config.http.server_port;
message = "port mismatch";
@@ -16,10 +21,11 @@ in {
assertHomekitPort = let
portName = i: "homekit${toString i}";
mkAssertPort = i: homekit: config.ports.${portName i}.port or null == homekit.port;
- in nixosConfig: cfg: {
- assertion = all id (imap0 mkAssertPort cfg.config.homekit);
- message = "homekit port mismatch";
- };
+ in
+ nixosConfig: cfg: {
+ assertion = all id (imap0 mkAssertPort cfg.config.homekit);
+ message = "homekit port mismatch";
+ };
in {
id = mkAlmostOptionDefault "home";
nixos = {
diff --git a/modules/system/exports/invidious.nix b/modules/system/exports/invidious.nix
index 147790e1..3e0c221c 100644
--- a/modules/system/exports/invidious.nix
+++ b/modules/system/exports/invidious.nix
@@ -1,8 +1,12 @@
-{lib, gensokyo-zone, ...}: let
+{
+ lib,
+ gensokyo-zone,
+ ...
+}: let
inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault;
inherit (lib.modules) mkIf;
in {
- config.exports.services.invidious = { config, ... }: {
+ config.exports.services.invidious = {config, ...}: {
id = mkAlmostOptionDefault "yt";
nixos = {
serviceAttr = "invidious";
diff --git a/modules/system/exports/kerberos.nix b/modules/system/exports/kerberos.nix
index f122ee1a..7ff90fd1 100644
--- a/modules/system/exports/kerberos.nix
+++ b/modules/system/exports/kerberos.nix
@@ -1,8 +1,12 @@
-{lib, gensokyo-zone, ...}: let
+{
+ lib,
+ gensokyo-zone,
+ ...
+}: let
inherit (gensokyo-zone.lib) mapAlmostOptionDefaults;
inherit (lib.attrsets) mapAttrs;
in {
- config.exports.services.kerberos = { config, ... }: {
+ config.exports.services.kerberos = {config, ...}: {
id = "krb5";
ports = mapAttrs (_: mapAlmostOptionDefaults) {
default = {
diff --git a/modules/system/exports/keycloak.nix b/modules/system/exports/keycloak.nix
index 3dab812e..791e2d82 100644
--- a/modules/system/exports/keycloak.nix
+++ b/modules/system/exports/keycloak.nix
@@ -1,26 +1,32 @@
-{lib, gensokyo-zone, ...}: let
+{
+ lib,
+ gensokyo-zone,
+ ...
+}: let
inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault;
inherit (lib.modules) mkIf;
inherit (lib.attrsets) mapAttrs;
in {
- config.exports.services.keycloak = { config, ... }: {
+ config.exports.services.keycloak = {config, ...}: {
id = mkAlmostOptionDefault "sso";
nixos = {
serviceAttr = "keycloak";
assertions = let
mkAssertion = f: nixosConfig: let
cfg = nixosConfig.services.keycloak;
- in f nixosConfig cfg;
- in mkIf config.enable [
- (mkAssertion (nixosConfig: cfg: {
- assertion = config.ports.${cfg.protocol}.port == cfg.port;
- message = "port mismatch";
- }))
- (mkAssertion (nixosConfig: cfg: {
- assertion = config.ports.${cfg.protocol}.enable;
- message = "port enable mismatch";
- }))
- ];
+ in
+ f nixosConfig cfg;
+ in
+ mkIf config.enable [
+ (mkAssertion (nixosConfig: cfg: {
+ assertion = config.ports.${cfg.protocol}.port == cfg.port;
+ message = "port mismatch";
+ }))
+ (mkAssertion (nixosConfig: cfg: {
+ assertion = config.ports.${cfg.protocol}.enable;
+ message = "port enable mismatch";
+ }))
+ ];
};
ports = mapAttrs (_: mapAlmostOptionDefaults) {
http = {
diff --git a/modules/system/exports/ldap.nix b/modules/system/exports/ldap.nix
index be3489b5..de1a760a 100644
--- a/modules/system/exports/ldap.nix
+++ b/modules/system/exports/ldap.nix
@@ -1,8 +1,12 @@
-{lib, gensokyo-zone, ...}: let
+{
+ lib,
+ gensokyo-zone,
+ ...
+}: let
inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault;
inherit (lib.attrsets) mapAttrs;
in {
- config.exports.services.ldap = { config, ... }: {
+ config.exports.services.ldap = {config, ...}: {
defaults.port.listen = mkAlmostOptionDefault "lan";
ports = mapAttrs (_: mapAlmostOptionDefaults) {
default = {
diff --git a/modules/system/exports/minecraft-bedrock.nix b/modules/system/exports/minecraft-bedrock.nix
index 734b84fa..ab34cc11 100644
--- a/modules/system/exports/minecraft-bedrock.nix
+++ b/modules/system/exports/minecraft-bedrock.nix
@@ -1,12 +1,17 @@
-{lib, gensokyo-zone, ...}: let
+{
+ lib,
+ gensokyo-zone,
+ ...
+}: let
inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault;
inherit (lib.modules) mkIf;
inherit (lib.attrsets) mapAttrs;
in {
- config.exports.services.minecraft-bedrock-server = { config, ... }: let
+ config.exports.services.minecraft-bedrock-server = {config, ...}: let
mkAssertion = f: nixosConfig: let
cfg = nixosConfig.services.minecraft-bedrock-server;
- in f nixosConfig cfg;
+ in
+ f nixosConfig cfg;
in {
nixos = {
serviceAttr = "minecraft-bedrock-server";
diff --git a/modules/system/exports/mosquitto.nix b/modules/system/exports/mosquitto.nix
index b180454d..3dc2e07f 100644
--- a/modules/system/exports/mosquitto.nix
+++ b/modules/system/exports/mosquitto.nix
@@ -1,11 +1,15 @@
-{lib, gensokyo-zone, ...}: let
+{
+ lib,
+ gensokyo-zone,
+ ...
+}: let
inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault;
inherit (lib.modules) mkIf;
inherit (lib.attrsets) mapAttrs;
inherit (lib.lists) all imap0;
inherit (lib.trivial) id;
in {
- config.exports.services.mosquitto = { config, ... }: {
+ config.exports.services.mosquitto = {config, ...}: {
id = mkAlmostOptionDefault "mqtt";
nixos = {
serviceAttr = "mosquitto";
@@ -13,7 +17,8 @@ in {
(nixosConfig: let
cfg = nixosConfig.services.mosquitto;
portName = i:
- if i == 0 then "default"
+ if i == 0
+ then "default"
else "listener${toString i}";
mkAssertPort = i: listener: config.ports.${portName i}.port or null == listener.port;
in {
diff --git a/modules/system/exports/motion.nix b/modules/system/exports/motion.nix
index 4ba16e88..eaff7e97 100644
--- a/modules/system/exports/motion.nix
+++ b/modules/system/exports/motion.nix
@@ -1,8 +1,12 @@
-{lib, gensokyo-zone, ...}: let
+{
+ lib,
+ gensokyo-zone,
+ ...
+}: let
inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault;
inherit (lib.attrsets) mapAttrs;
in {
- config.exports.services.motion = { config, ... }: {
+ config.exports.services.motion = {config, ...}: {
defaults.port.listen = mkAlmostOptionDefault "lan";
ports = mapAttrs (_: mapAlmostOptionDefaults) {
default = {
diff --git a/modules/system/exports/nfs.nix b/modules/system/exports/nfs.nix
index 2a52afde..42ec0342 100644
--- a/modules/system/exports/nfs.nix
+++ b/modules/system/exports/nfs.nix
@@ -1,24 +1,34 @@
-{lib, gensokyo-zone, ...}: let
+{
+ lib,
+ gensokyo-zone,
+ ...
+}: let
inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault;
inherit (lib.modules) mkIf;
inherit (lib.attrsets) mapAttrs;
in {
- config.exports.services.nfs = { config, ... }: let
+ config.exports.services.nfs = {config, ...}: let
mkAssertion = f: nixosConfig: let
cfg = nixosConfig.services.nfs;
- in f nixosConfig cfg;
- mkAssertionPort = portName: mkAssertion (nixosConfig: cfg: let
- portAttr = "${portName}Port";
- in {
- assertion = mkAssertPort config.ports.${portName} cfg.server.${portAttr};
- message = "${portAttr} mismatch";
- });
+ in
+ f nixosConfig cfg;
+ mkAssertionPort = portName:
+ mkAssertion (nixosConfig: cfg: let
+ portAttr = "${portName}Port";
+ in {
+ assertion = mkAssertPort config.ports.${portName} cfg.server.${portAttr};
+ message = "${portAttr} mismatch";
+ });
mkAssertPort = port: cfgPort: let
- cmpPort = if port.enable then port.port else null;
- in cfgPort == cmpPort;
+ cmpPort =
+ if port.enable
+ then port.port
+ else null;
+ in
+ cfgPort == cmpPort;
in {
nixos = {
- serviceAttrPath = [ "services" "nfs" "server" ];
+ serviceAttrPath = ["services" "nfs" "server"];
assertions = mkIf config.enable [
(mkAssertionPort "statd")
(mkAssertionPort "lockd")
diff --git a/modules/system/exports/nginx.nix b/modules/system/exports/nginx.nix
index e3a668b3..71150cb2 100644
--- a/modules/system/exports/nginx.nix
+++ b/modules/system/exports/nginx.nix
@@ -1,12 +1,17 @@
-{lib, gensokyo-zone, ...}: let
+{
+ lib,
+ gensokyo-zone,
+ ...
+}: let
inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault;
inherit (lib.modules) mkIf;
inherit (lib.attrsets) mapAttrs;
in {
- config.exports.services.nginx = { config, ... }: let
+ config.exports.services.nginx = {config, ...}: let
mkAssertion = f: nixosConfig: let
cfg = nixosConfig.services.nginx;
- in f nixosConfig cfg;
+ in
+ f nixosConfig cfg;
assertPorts = nixosConfig: cfg: {
assertion = config.ports.http.port == cfg.defaultHTTPListenPort && config.ports.https.port == cfg.defaultSSLListenPort;
message = "ports mismatch";
diff --git a/modules/system/exports/openwebrx.nix b/modules/system/exports/openwebrx.nix
index f7a564d2..2d9eb55b 100644
--- a/modules/system/exports/openwebrx.nix
+++ b/modules/system/exports/openwebrx.nix
@@ -1,22 +1,28 @@
-{lib, gensokyo-zone, ...}: let
+{
+ lib,
+ gensokyo-zone,
+ ...
+}: let
inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault;
inherit (lib.modules) mkIf;
inherit (lib.attrsets) mapAttrs;
in {
- config.exports.services.openwebrx = { config, ... }: {
+ config.exports.services.openwebrx = {config, ...}: {
id = mkAlmostOptionDefault "webrx";
nixos = {
serviceAttr = "openwebrx";
assertions = let
mkAssertion = f: nixosConfig: let
cfg = nixosConfig.services.openwebrx;
- in f nixosConfig cfg;
- in mkIf config.enable [
- (mkAssertion (nixosConfig: cfg: {
- assertion = config.ports.default.port == cfg.port;
- message = "port mismatch";
- }))
- ];
+ in
+ f nixosConfig cfg;
+ in
+ mkIf config.enable [
+ (mkAssertion (nixosConfig: cfg: {
+ assertion = config.ports.default.port == cfg.port;
+ message = "port mismatch";
+ }))
+ ];
};
defaults.port.listen = mkAlmostOptionDefault "lan";
ports = mapAttrs (_: mapAlmostOptionDefaults) {
diff --git a/modules/system/exports/plex.nix b/modules/system/exports/plex.nix
index 3b289fa6..f345bfa8 100644
--- a/modules/system/exports/plex.nix
+++ b/modules/system/exports/plex.nix
@@ -1,4 +1,8 @@
-{lib, gensokyo-zone, ...}: let
+{
+ lib,
+ gensokyo-zone,
+ ...
+}: let
inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault;
inherit (lib.attrsets) mapAttrs;
in {
diff --git a/modules/system/exports/postgresql.nix b/modules/system/exports/postgresql.nix
index e7ba5c6b..97fc0ce9 100644
--- a/modules/system/exports/postgresql.nix
+++ b/modules/system/exports/postgresql.nix
@@ -1,11 +1,16 @@
-{lib, gensokyo-zone, ...}: let
+{
+ lib,
+ gensokyo-zone,
+ ...
+}: let
inherit (gensokyo-zone.lib) mapAlmostOptionDefaults;
inherit (lib.modules) mkIf;
in {
- config.exports.services.postgresql = { config, ... }: let
+ config.exports.services.postgresql = {config, ...}: let
mkAssertion = f: nixosConfig: let
cfg = nixosConfig.services.postgresql;
- in f nixosConfig cfg;
+ in
+ f nixosConfig cfg;
in {
nixos = {
serviceAttr = "postgresql";
diff --git a/modules/system/exports/prox.nix b/modules/system/exports/prox.nix
index b82a0270..0c1bf9be 100644
--- a/modules/system/exports/prox.nix
+++ b/modules/system/exports/prox.nix
@@ -1,7 +1,11 @@
-{lib, gensokyo-zone, ...}: let
+{
+ lib,
+ gensokyo-zone,
+ ...
+}: let
inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault;
in {
- config.exports.services.proxmox = { config, ... }: {
+ config.exports.services.proxmox = {config, ...}: {
id = mkAlmostOptionDefault "prox";
defaults.port.listen = mkAlmostOptionDefault "lan";
ports.default = mapAlmostOptionDefaults {
diff --git a/modules/system/exports/samba.nix b/modules/system/exports/samba.nix
index 7cf31484..fc46bc68 100644
--- a/modules/system/exports/samba.nix
+++ b/modules/system/exports/samba.nix
@@ -1,4 +1,8 @@
-{lib, gensokyo-zone, ...}: let
+{
+ lib,
+ gensokyo-zone,
+ ...
+}: let
inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault;
inherit (lib.attrsets) mapAttrs;
in {
diff --git a/modules/system/exports/services.nix b/modules/system/exports/services.nix
index acf97d9a..7d56bab1 100644
--- a/modules/system/exports/services.nix
+++ b/modules/system/exports/services.nix
@@ -12,7 +12,11 @@
inherit (lib.trivial) mapNullable;
inherit (lib.strings) concatStringsSep;
systemConfig = config;
- portModule = {config, service, ...}: {
+ portModule = {
+ config,
+ service,
+ ...
+ }: {
options = with lib.types; {
enable =
mkEnableOption "port"
@@ -86,7 +90,7 @@
};
assertions = mkOption {
type = listOf (functionTo attrs);
- default = [ ];
+ default = [];
};
};
defaults = {
@@ -107,7 +111,8 @@
serviceConfig = getAttrFromPath config.nixos.serviceAttrPath;
mkAssertion = f: nixosConfig: let
cfg = serviceConfig nixosConfig;
- in f nixosConfig cfg;
+ in
+ f nixosConfig cfg;
enableAssertion = nixosConfig: cfg: {
assertion = (! cfg ? enable) || (config.enable == cfg.enable);
message = "enable == nixosConfig.${concatStringsSep "." config.nixos.serviceAttrPath}.enable";
@@ -120,12 +125,18 @@
};
};
};
- nixosModule = {config, system, ...}: let
+ nixosModule = {
+ config,
+ system,
+ ...
+ }: let
mapAssertion = service: a: let
res = a config;
- in res // {
- message = "system.exports.${service.name}: " + res.message or "assertion failed";
- };
+ in
+ res
+ // {
+ message = "system.exports.${service.name}: " + res.message or "assertion failed";
+ };
assertions = mapAttrsToList (_: service: map (mapAssertion service) service.nixos.assertions) system.exports.services;
in {
config = {
diff --git a/modules/system/exports/sshd.nix b/modules/system/exports/sshd.nix
index 34bc219c..1cd22783 100644
--- a/modules/system/exports/sshd.nix
+++ b/modules/system/exports/sshd.nix
@@ -1,13 +1,18 @@
-{lib, gensokyo-zone, ...}: let
+{
+ lib,
+ gensokyo-zone,
+ ...
+}: let
inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault;
inherit (lib.modules) mkIf;
inherit (lib.attrsets) mapAttrs filterAttrs mapAttrsToList;
inherit (lib.lists) sort;
in {
- config.exports.services.sshd = { config, ... }: let
+ config.exports.services.sshd = {config, ...}: let
mkAssertion = f: nixosConfig: let
cfg = nixosConfig.services.openssh;
- in f nixosConfig cfg;
+ in
+ f nixosConfig cfg;
sorted = sort (a: b: a > b);
assertPorts = nixosConfig: cfg: let
nixosPorts = cfg.ports;
diff --git a/modules/system/exports/unifi.nix b/modules/system/exports/unifi.nix
index 59c75ba3..dd75b269 100644
--- a/modules/system/exports/unifi.nix
+++ b/modules/system/exports/unifi.nix
@@ -1,8 +1,12 @@
-{lib, gensokyo-zone, ...}: let
+{
+ lib,
+ gensokyo-zone,
+ ...
+}: let
inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault;
inherit (lib.attrsets) mapAttrs;
in {
- config.exports.services.unifi = { config, ... }: {
+ config.exports.services.unifi = {config, ...}: {
nixos.serviceAttr = "unifi";
defaults.port.listen = mkAlmostOptionDefault "lan";
ports = mapAttrs (_: mapAlmostOptionDefaults) {
diff --git a/modules/system/exports/vouch.nix b/modules/system/exports/vouch.nix
index b3324771..9b873728 100644
--- a/modules/system/exports/vouch.nix
+++ b/modules/system/exports/vouch.nix
@@ -1,8 +1,12 @@
-{lib, gensokyo-zone, ...}: let
+{
+ lib,
+ gensokyo-zone,
+ ...
+}: let
inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault;
inherit (lib.modules) mkIf;
in {
- config.exports.services.vouch-proxy = { config, ... }: {
+ config.exports.services.vouch-proxy = {config, ...}: {
id = mkAlmostOptionDefault "login";
defaults.port.listen = mkAlmostOptionDefault "localhost";
nixos = {
diff --git a/modules/system/exports/zigbee2mqtt.nix b/modules/system/exports/zigbee2mqtt.nix
index 00fcbbd2..2e3f181f 100644
--- a/modules/system/exports/zigbee2mqtt.nix
+++ b/modules/system/exports/zigbee2mqtt.nix
@@ -1,8 +1,12 @@
-{lib, gensokyo-zone, ...}: let
+{
+ lib,
+ gensokyo-zone,
+ ...
+}: let
inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault;
inherit (lib.modules) mkIf;
in {
- config.exports.services.zigbee2mqtt = { config, ... }: {
+ config.exports.services.zigbee2mqtt = {config, ...}: {
id = mkAlmostOptionDefault "z2m";
nixos = {
serviceAttr = "zigbee2mqtt";
diff --git a/modules/system/extern/files.nix b/modules/system/extern/files.nix
index 3fcb2533..216e5515 100644
--- a/modules/system/extern/files.nix
+++ b/modules/system/extern/files.nix
@@ -1,13 +1,21 @@
let
- fileModule = {config, name, gensokyo-zone, lib, ...}: let
+ fileModule = {
+ config,
+ name,
+ gensokyo-zone,
+ lib,
+ ...
+ }: let
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkOptionDefault;
inherit (lib.strings) hasPrefix removePrefix;
in {
options = with lib.types; {
- enable = mkEnableOption "external file" // {
- default = true;
- };
+ enable =
+ mkEnableOption "external file"
+ // {
+ default = true;
+ };
path = mkOption {
type = str;
default = name;
@@ -35,25 +43,33 @@ let
relativeSource = let
flakeRoot = toString gensokyo-zone.self + "/";
sourcePath = toString config.source;
- in mkOptionDefault (
- if hasPrefix flakeRoot sourcePath then removePrefix flakeRoot sourcePath
- else null
- );
+ in
+ mkOptionDefault (
+ if hasPrefix flakeRoot sourcePath
+ then removePrefix flakeRoot sourcePath
+ else null
+ );
};
};
-in {config, gensokyo-zone, lib, ...}: let
- inherit (lib.options) mkOption;
-in {
- options.extern = with lib.types; {
- files = mkOption {
- type = attrsOf (submoduleWith {
- modules = [ fileModule ];
- specialArgs = {
- inherit gensokyo-zone;
- system = config;
- };
- });
- default = { };
+in
+ {
+ config,
+ gensokyo-zone,
+ lib,
+ ...
+ }: let
+ inherit (lib.options) mkOption;
+ in {
+ options.extern = with lib.types; {
+ files = mkOption {
+ type = attrsOf (submoduleWith {
+ modules = [fileModule];
+ specialArgs = {
+ inherit gensokyo-zone;
+ system = config;
+ };
+ });
+ default = {};
+ };
};
- };
-}
+ }
diff --git a/modules/system/host.nix b/modules/system/host.nix
index 074c61b4..80320035 100644
--- a/modules/system/host.nix
+++ b/modules/system/host.nix
@@ -41,7 +41,7 @@ in {
};
modules = mkOption {
type = listOf unspecified;
- default = [ ];
+ default = [];
};
specialArgs = mkOption {
type = attrs;
@@ -101,10 +101,13 @@ in {
darwin = inputs.darwin.lib.darwinSystem;
macos = inputs.darwin.lib.darwinSystem;
}
- .${string.toLower config.type} or null;
- built = mkOptionDefault (mapNullable (builder: builder {
- inherit (config) system modules specialArgs;
- }) config.builder);
+ .${string.toLower config.type}
+ or null;
+ built = mkOptionDefault (mapNullable (builder:
+ builder {
+ inherit (config) system modules specialArgs;
+ })
+ config.builder);
specialArgs = {
inherit name inputs std Std meta;
inherit (inputs.self.lib) gensokyo-zone;
diff --git a/modules/system/network/networks.nix b/modules/system/network/networks.nix
index 4878633b..374d624c 100644
--- a/modules/system/network/networks.nix
+++ b/modules/system/network/networks.nix
@@ -1,9 +1,19 @@
-{config, lib, inputs, ...}: let
+{
+ config,
+ lib,
+ inputs,
+ ...
+}: let
inherit (inputs.self.lib.lib) eui64;
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkOptionDefault;
inherit (lib.trivial) mapNullable;
- networkModule = { config, name, system, ... }: let
+ networkModule = {
+ config,
+ name,
+ system,
+ ...
+ }: let
knownNetworks = {
local.slaac = {
enable = true;
@@ -13,9 +23,11 @@
};
in {
options = with lib.types; {
- enable = mkEnableOption "network" // {
- default = true;
- };
+ enable =
+ mkEnableOption "network"
+ // {
+ default = true;
+ };
slaac = {
enable = mkOption {
type = bool;
@@ -65,12 +77,12 @@ in {
options.network = with lib.types; {
networks = mkOption {
type = attrsOf (submoduleWith {
- modules = [ networkModule ];
+ modules = [networkModule];
specialArgs = {
system = config;
};
});
- default = { };
+ default = {};
};
};
}
diff --git a/modules/system/proxmox/container.nix b/modules/system/proxmox/container.nix
index 94f4984f..4a3a7889 100644
--- a/modules/system/proxmox/container.nix
+++ b/modules/system/proxmox/container.nix
@@ -1,4 +1,8 @@
-{config, lib, ...}: let
+{
+ config,
+ lib,
+ ...
+}: let
inherit (lib.options) mkOption mkEnableOption;
cfg = config.proxmox.container;
in {
diff --git a/modules/system/proxmox/network.nix b/modules/system/proxmox/network.nix
index 391de1b2..f4057257 100644
--- a/modules/system/proxmox/network.nix
+++ b/modules/system/proxmox/network.nix
@@ -1,4 +1,10 @@
-{config, gensokyo-zone, lib, Std, ...}: let
+{
+ config,
+ gensokyo-zone,
+ lib,
+ Std,
+ ...
+}: let
inherit (Std) UInt;
inherit (gensokyo-zone.lib) unmerged eui64 mkAlmostOptionDefault mapAlmostOptionDefaults;
inherit (lib.options) mkOption mkEnableOption;
@@ -9,11 +15,18 @@
inherit (lib.trivial) mapNullable;
cfg = config.proxmox.network;
internalOffset = 32;
- networkInterfaceModule = { config, name, system, ... }: {
+ networkInterfaceModule = {
+ config,
+ name,
+ system,
+ ...
+ }: {
options = with lib.types; {
- enable = mkEnableOption "network interface" // {
- default = true;
- };
+ enable =
+ mkEnableOption "network interface"
+ // {
+ default = true;
+ };
bridge = mkOption {
type = str;
default = "vmbr0";
@@ -30,7 +43,7 @@
default = null;
};
address4 = mkOption {
- type = nullOr (either (enum [ "dhcp" ]) str);
+ type = nullOr (either (enum ["dhcp"]) str);
default = null;
};
gateway4 = mkOption {
@@ -38,7 +51,7 @@
default = null;
};
address6 = mkOption {
- type = nullOr (either (enum [ "auto" "dhcp" ]) str);
+ type = nullOr (either (enum ["auto" "dhcp"]) str);
default = null;
};
gateway6 = mkOption {
@@ -47,13 +60,15 @@
};
firewall.enable = mkEnableOption "firewall";
vm.model = mkOption {
- type = enum [ "virtio" "e1000" "rtl8139" "vmxnet3" ];
+ type = enum ["virtio" "e1000" "rtl8139" "vmxnet3"];
default = "virtio";
};
mdns = {
- enable = mkEnableOption "mDNS" // {
- default = config.local.enable && config.id == "net0";
- };
+ enable =
+ mkEnableOption "mDNS"
+ // {
+ default = config.local.enable && config.id == "net0";
+ };
};
slaac = {
postfix = mkOption {
@@ -76,9 +91,11 @@
};
};
networkd = {
- enable = mkEnableOption "systemd.network" // {
- default = true;
- };
+ enable =
+ mkEnableOption "systemd.network"
+ // {
+ default = true;
+ };
name = mkOption {
type = str;
default = config.name;
@@ -90,14 +107,20 @@
};
};
config = let
- hasAddr4 = ! elem config.address4 [ null "dhcp" ];
- hasAddr6 = ! elem config.address6 [ null "dhcp" "auto" ];
+ hasAddr4 = ! elem config.address4 [null "dhcp"];
+ hasAddr6 = ! elem config.address6 [null "dhcp" "auto"];
conf = {
local = mkIf config.local.enable {
- address4 = mkOptionDefault (if hasAddr4 then config.address4 else null);
+ address4 = mkOptionDefault (
+ if hasAddr4
+ then config.address4
+ else null
+ );
address6 = mkOptionDefault (
- if config.address6 == "auto" && config.slaac.postfix != null then "fd0a::${config.slaac.postfix}"
- else if hasAddr6 then config.address6
+ if config.address6 == "auto" && config.slaac.postfix != null
+ then "fd0a::${config.slaac.postfix}"
+ else if hasAddr6
+ then config.address6
else null
);
};
@@ -123,7 +146,7 @@
Type = mkOptionDefault "ether";
};
linkConfig = mkMerge [
- (mkIf config.mdns.enable { Multicast = mkOptionDefault true; })
+ (mkIf config.mdns.enable {Multicast = mkOptionDefault true;})
];
networkConfig = mkMerge [
(mkIf (config.address6 == "auto") {
@@ -134,17 +157,20 @@
})
];
address = mkMerge [
- (mkIf (! elem config.address4 [ null "dhcp" ]) [ config.address4 ])
- (mkIf (! elem config.address6 [ null "auto" "dhcp" ]) [ config.address6 ])
+ (mkIf (! elem config.address4 [null "dhcp"]) [config.address4])
+ (mkIf (! elem config.address6 [null "auto" "dhcp"]) [config.address6])
];
gateway = mkMerge [
- (mkIf (config.gateway4 != null) [ config.gateway4 ])
- (mkIf (config.gateway6 != null) [ config.gateway6 ])
+ (mkIf (config.gateway4 != null) [config.gateway4])
+ (mkIf (config.gateway6 != null) [config.gateway6])
];
DHCP = mkAlmostOptionDefault (
- if config.address4 == "dhcp" && config.address6 == "dhcp" then "yes"
- else if config.address6 == "dhcp" then "ipv6"
- else if config.address4 == "dhcp" then "ipv4"
+ if config.address4 == "dhcp" && config.address6 == "dhcp"
+ then "yes"
+ else if config.address6 == "dhcp"
+ then "ipv6"
+ else if config.address4 == "dhcp"
+ then "ipv4"
else "no"
);
};
@@ -157,11 +183,11 @@
address4 = mkAlmostOptionDefault "10.9.1.${toString index}/24";
address6 = mkAlmostOptionDefault "fd0c::${UInt.toHexLower index}/64";
macAddress = mkIf (system.proxmox.network.interfaces.net0.macAddress or null != null && hasPrefix "BC:24:11:" system.proxmox.network.interfaces.net0.macAddress) (mkAlmostOptionDefault (
- replaceStrings [ "BC:24:11:" ] [ "BC:24:19:" ] system.proxmox.network.interfaces.net0.macAddress
+ replaceStrings ["BC:24:11:"] ["BC:24:19:"] system.proxmox.network.interfaces.net0.macAddress
));
networkd.name = mkDefault "_00-int";
networkd.networkSettings = {
- domains = mkDefault [ ]; # int.${domain}?
+ domains = mkDefault []; # int.${domain}?
linkConfig.RequiredForOnline = false;
ipv6AcceptRAConfig = {
Token = mkOptionDefault "static:::${UInt.toHexLower index}";
@@ -172,21 +198,22 @@
};
};
};
- in mkMerge [
- conf
- (mkIf config.internal.enable confInternal)
- ];
+ in
+ mkMerge [
+ conf
+ (mkIf config.internal.enable confInternal)
+ ];
};
in {
options.proxmox.network = with lib.types; {
interfaces = mkOption {
type = attrsOf (submoduleWith {
- modules = [ networkInterfaceModule ];
+ modules = [networkInterfaceModule];
specialArgs = {
system = config;
};
});
- default = { };
+ default = {};
};
internal = {
interface = mkOption {
diff --git a/modules/system/proxmox/node.nix b/modules/system/proxmox/node.nix
index 4cdc5add..408c0b91 100644
--- a/modules/system/proxmox/node.nix
+++ b/modules/system/proxmox/node.nix
@@ -1,4 +1,9 @@
-{config, lib, gensokyo-zone, ...}: let
+{
+ config,
+ lib,
+ gensokyo-zone,
+ ...
+}: let
inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf;
diff --git a/modules/system/proxmox/vm.nix b/modules/system/proxmox/vm.nix
index 40da72a1..508107ad 100644
--- a/modules/system/proxmox/vm.nix
+++ b/modules/system/proxmox/vm.nix
@@ -1,4 +1,8 @@
-{config, lib, ...}: let
+{
+ config,
+ lib,
+ ...
+}: let
inherit (lib.options) mkOption mkEnableOption;
cfg = config.proxmox;
in {
diff --git a/nixos/access/barcodebuddy.nix b/nixos/access/barcodebuddy.nix
index 36db7703..f1fbed4b 100644
--- a/nixos/access/barcodebuddy.nix
+++ b/nixos/access/barcodebuddy.nix
@@ -25,7 +25,8 @@ in {
requireAuth = false;
};
proxy = {
- upstream = mkIf barcodebuddy.enable (mkDefault
+ upstream = mkIf barcodebuddy.enable (
+ mkDefault
"nginx'proxied"
);
host = mkDefault serverName;
@@ -48,7 +49,7 @@ in {
upstream = mkDefault nginx.virtualHosts.barcodebuddy.proxy.upstream;
host = mkDefault nginx.virtualHosts.barcodebuddy.proxy.host;
};
- locations."/" = { config, ... }: {
+ locations."/" = {config, ...}: {
proxy = {
headers.enableRecommended = true;
redirect = {
diff --git a/nixos/access/freeipa.nix b/nixos/access/freeipa.nix
index 559a9550..6138faf9 100644
--- a/nixos/access/freeipa.nix
+++ b/nixos/access/freeipa.nix
@@ -5,8 +5,7 @@
gensokyo-zone,
lib,
...
-}:
-let
+}: let
inherit (gensokyo-zone.lib) mapOptionDefaults;
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
@@ -19,7 +18,11 @@ let
ssl_verify_client optional_no_ca;
'';
locations = {
- "/" = { config, xvars, ... }: {
+ "/" = {
+ config,
+ xvars,
+ ...
+ }: {
proxy = {
enable = true;
upstream = "freeipa";
@@ -67,9 +70,11 @@ in {
};
};
kerberos = {
- enable = mkEnableOption "proxy kerberos" // {
- default = true;
- };
+ enable =
+ mkEnableOption "proxy kerberos"
+ // {
+ default = true;
+ };
ports = {
ticket = mkOption {
type = port;
@@ -177,7 +182,7 @@ in {
kticket4 = mkKrb5Upstream "ticket4";
};
servers = let
- mkKrb5Server = tcpPort: udpPort: { name, ... }: {
+ mkKrb5Server = tcpPort: udpPort: {name, ...}: {
enable = mkDefault nginx.stream.upstreams.${name}.enable;
listen = {
tcp = mkIf (tcpPort != null) {
@@ -187,7 +192,7 @@ in {
udp = mkIf (udpPort != null) {
enable = mkDefault kerberos.ports.${udpPort}.enable;
port = mkOptionDefault kerberos.ports.${udpPort}.port;
- extraParameters = [ "udp" ];
+ extraParameters = ["udp"];
};
};
proxy.upstream = name;
@@ -208,11 +213,12 @@ in {
ssl.cert.copyFromVhost = mkDefault "freeipa";
};
};
- in mkMerge [
- conf
- (mkIf nginx.ssl.preread.enable prereadConf)
- (mkIf cfg.kerberos.enable kerberosConf)
- ];
+ in
+ mkMerge [
+ conf
+ (mkIf nginx.ssl.preread.enable prereadConf)
+ (mkIf cfg.kerberos.enable kerberosConf)
+ ];
virtualHosts = let
name.shortServer = mkDefault "ipa";
name'cockpit.shortServer = mkDefault "ipa-cock";
@@ -233,7 +239,11 @@ in {
name.shortServer = mkDefault "idp-ca";
locations."/" = mkMerge [
locations."/"
- ({config, virtualHost, ...}: {
+ ({
+ config,
+ virtualHost,
+ ...
+ }: {
proxy.ssl.host = virtualHost.serverName;
proxy.host = config.proxy.ssl.host;
})
@@ -276,7 +286,7 @@ in {
};
freeipa'ldap'local = {
serverName = mkDefault ldap.localDomain;
- serverAliases = [ ldap.intDomain ];
+ serverAliases = [ldap.intDomain];
ssl.cert.copyFromVhost = "freeipa'ldap";
globalRedirect = virtualHosts.freeipa'web'local.serverName;
local.enable = true;
@@ -295,16 +305,18 @@ in {
inherit (nginx.stream.servers) krb5 kadmin kpasswd kticket4;
in {
allowedTCPPorts = mkMerge [
- (mkIf cfg.kerberos.enable (map (server:
- mkIf (server.enable && server.listen.tcp.enable) server.listen.tcp.port
- ) [ krb5 kticket4 kpasswd kadmin ]))
+ (mkIf cfg.kerberos.enable (map (
+ server:
+ mkIf (server.enable && server.listen.tcp.enable) server.listen.tcp.port
+ ) [krb5 kticket4 kpasswd kadmin]))
(mkIf nginx.ssl.preread.enable [
ldapsPort
])
];
- allowedUDPPorts = mkIf cfg.kerberos.enable (map (server:
- mkIf (server.enable && server.listen.udp.enable) server.listen.udp.port
- ) [ krb5 kticket4 kpasswd ]);
+ allowedUDPPorts = mkIf cfg.kerberos.enable (map (
+ server:
+ mkIf (server.enable && server.listen.udp.enable) server.listen.udp.port
+ ) [krb5 kticket4 kpasswd]);
};
};
}
diff --git a/nixos/access/freepbx.nix b/nixos/access/freepbx.nix
index 76b1f012..9fce1be1 100644
--- a/nixos/access/freepbx.nix
+++ b/nixos/access/freepbx.nix
@@ -13,8 +13,15 @@ in {
config.services.nginx = {
virtualHosts = let
proxyScheme = "https";
- url = access.proxyUrlFor { serviceName = "freepbx"; portName = proxyScheme; };
- ucpUrl = access.proxyUrlFor { serviceName = "freepbx"; portName = "ucp-ssl"; getAddressFor = "getAddress4For"; };
+ url = access.proxyUrlFor {
+ serviceName = "freepbx";
+ portName = proxyScheme;
+ };
+ ucpUrl = access.proxyUrlFor {
+ serviceName = "freepbx";
+ portName = "ucp-ssl";
+ getAddressFor = "getAddress4For";
+ };
ucpPath = "/socket.io";
# TODO: ports.asterisk/asterisk-ssl?
extraConfig = ''
@@ -23,7 +30,7 @@ in {
proxy_busy_buffers_size 256k;
'';
locations = {
- "/" = { xvars, ... }: {
+ "/" = {xvars, ...}: {
xvars.enable = true;
proxy = {
enable = true;
@@ -33,7 +40,11 @@ in {
};
};
};
- ${ucpPath} = { xvars, virtualHost, ... }: {
+ ${ucpPath} = {
+ xvars,
+ virtualHost,
+ ...
+ }: {
proxy = {
enable = true;
websocket.enable = true;
@@ -63,12 +74,12 @@ in {
listen' = {
ucp = {
port = mkDefault freepbx.ports.ucp.port;
- extraParameters = [ "default_server" ];
+ extraParameters = ["default_server"];
};
ucpSsl = {
port = mkDefault freepbx.ports.ucp-ssl.port;
ssl = true;
- extraParameters = [ "default_server" ];
+ extraParameters = ["default_server"];
};
};
proxy = {
@@ -84,7 +95,7 @@ in {
};
freepbx'local = {
listen' = {
- http = { };
+ http = {};
https.ssl = true;
ucp = {
port = mkDefault nginx.virtualHosts.freepbx'ucp.listen'.ucp.port;
@@ -103,9 +114,11 @@ in {
};
};
config.networking.firewall = let
- websocketPorts = virtualHost: [
- virtualHost.listen'.ucp.port
- ] ++ optional virtualHost.listen'.ucpSsl.enable virtualHost.listen'.ucpSsl.port;
+ websocketPorts = virtualHost:
+ [
+ virtualHost.listen'.ucp.port
+ ]
+ ++ optional virtualHost.listen'.ucpSsl.enable virtualHost.listen'.ucpSsl.port;
in {
interfaces.local.allowedTCPPorts = websocketPorts nginx.virtualHosts.freepbx'local;
allowedTCPPorts = mkIf (!nginx.virtualHosts.freepbx'ucp.local.denyGlobal) (websocketPorts nginx.virtualHosts.freepbx'ucp);
diff --git a/nixos/access/grocy.nix b/nixos/access/grocy.nix
index 0e3a05ef..964b5741 100644
--- a/nixos/access/grocy.nix
+++ b/nixos/access/grocy.nix
@@ -20,7 +20,11 @@
headers.set.X-Grocy-User = mkOptionDefault "$grocy_user";
};
};
- luaAuthHost = { config, xvars, ... }: {
+ luaAuthHost = {
+ config,
+ xvars,
+ ...
+ }: {
vouch.auth.lua = {
enable = true;
accessRequest = ''
@@ -56,16 +60,20 @@ in {
proxied.enable = true;
local.denyGlobal = true;
};
- grocy = mkMerge [ luaAuthHost {
- inherit name extraConfig locations;
- vouch.enable = true;
- proxy = {
- upstream = mkIf grocy.enable (mkDefault
- "nginx'proxied"
- );
- host = mkDefault serverName;
- };
- } ];
+ grocy = mkMerge [
+ luaAuthHost
+ {
+ inherit name extraConfig locations;
+ vouch.enable = true;
+ proxy = {
+ upstream = mkIf grocy.enable (
+ mkDefault
+ "nginx'proxied"
+ );
+ host = mkDefault serverName;
+ };
+ }
+ ];
grocy'local = {
inherit name;
local.enable = mkDefault true;
@@ -78,20 +86,23 @@ in {
proxy.enable = true;
};
};
- grocy'local'int = mkMerge [ luaAuthHost {
- # internal proxy workaround for http2 lua compat issues
- serverName = serverName'local;
- inherit name extraConfig locations;
- proxy = {
- upstream = mkDefault nginx.virtualHosts.grocy.proxy.upstream;
- host = mkDefault nginx.virtualHosts.grocy.proxy.host;
- };
- proxied.enable = true;
- vouch = {
- enable = true;
- localSso.enable = true;
- };
- } ];
+ grocy'local'int = mkMerge [
+ luaAuthHost
+ {
+ # internal proxy workaround for http2 lua compat issues
+ serverName = serverName'local;
+ inherit name extraConfig locations;
+ proxy = {
+ upstream = mkDefault nginx.virtualHosts.grocy.proxy.upstream;
+ host = mkDefault nginx.virtualHosts.grocy.proxy.host;
+ };
+ proxied.enable = true;
+ vouch = {
+ enable = true;
+ localSso.enable = true;
+ };
+ }
+ ];
};
};
}
diff --git a/nixos/access/home-assistant.nix b/nixos/access/home-assistant.nix
index 25cb3e5c..e9876a48 100644
--- a/nixos/access/home-assistant.nix
+++ b/nixos/access/home-assistant.nix
@@ -7,12 +7,12 @@
inherit (config.services) nginx home-assistant;
name.shortServer = mkDefault "home";
listen' = {
- http = { };
+ http = {};
https.ssl = true;
hass = {
enable = !home-assistant.enable;
port = mkDefault home-assistant.config.http.server_port;
- extraParameters = [ "default_server" ];
+ extraParameters = ["default_server"];
};
};
upstreamName = "home-assistant'access";
@@ -24,7 +24,7 @@ in {
addr = mkDefault "localhost";
port = mkIf home-assistant.enable (mkDefault home-assistant.config.http.server_port);
};
- service = { upstream, ... }: {
+ service = {upstream, ...}: {
enable = mkIf upstream.servers.local.enable (mkDefault false);
accessService = {
name = "home-assistant";
@@ -63,7 +63,8 @@ in {
};
config.networking.firewall.allowedTCPPorts = let
inherit (nginx.virtualHosts.home-assistant'local) listen';
- in mkIf nginx.virtualHosts.home-assistant'local.enable [
- (mkIf listen'.hass.enable listen'.hass.port)
- ];
+ in
+ mkIf nginx.virtualHosts.home-assistant'local.enable [
+ (mkIf listen'.hass.enable listen'.hass.port)
+ ];
}
diff --git a/nixos/access/invidious.nix b/nixos/access/invidious.nix
index 14037793..6a6fe7f4 100644
--- a/nixos/access/invidious.nix
+++ b/nixos/access/invidious.nix
@@ -19,7 +19,7 @@ in {
addr = mkDefault "localhost";
port = mkIf cfg.enable (mkDefault cfg.port);
};
- service = { upstream, ... }: {
+ service = {upstream, ...}: {
enable = mkIf upstream.servers.local.enable (mkDefault false);
accessService = {
name = "invidious";
@@ -40,7 +40,7 @@ in {
proxy_redirect off;
proxy_buffering off;
'';
- location = { xvars, ... }: {
+ location = {xvars, ...}: {
proxy = {
enable = true;
websocket.enable = true;
@@ -61,7 +61,11 @@ in {
upstream = "nginx'proxied";
host = mkDefault nginx.virtualHosts.invidious'int.serverName;
};
- locations."/" = { xvars, virtualHost, ... }: {
+ locations."/" = {
+ xvars,
+ virtualHost,
+ ...
+ }: {
proxy.enable = true;
extraConfig = ''
proxy_http_version 1.1;
@@ -72,7 +76,11 @@ in {
'';
};
};
- invidious'int = { config, xvars, ... }: {
+ invidious'int = {
+ config,
+ xvars,
+ ...
+ }: {
serverName = "@invidious_internal";
proxied.enable = true;
local.denyGlobal = true;
@@ -115,7 +123,7 @@ in {
};
inherit extraConfig;
};
- invidious'local = { xvars, ... }: {
+ invidious'local = {xvars, ...}: {
local.enable = true;
ssl.cert.copyFromVhost = "invidious";
proxy = {
diff --git a/nixos/access/keycloak.nix b/nixos/access/keycloak.nix
index 0f598c8b..87d914cf 100644
--- a/nixos/access/keycloak.nix
+++ b/nixos/access/keycloak.nix
@@ -18,7 +18,7 @@ in {
port = mkDefault cfg.port;
ssl.enable = mkIf (cfg.protocol == "https") true;
};
- access = { upstream, ... }: {
+ access = {upstream, ...}: {
enable = mkDefault (!upstream.servers.local.enable or false);
accessService = {
name = "keycloak";
diff --git a/nixos/access/kitchencam.nix b/nixos/access/kitchencam.nix
index 3f43a85a..6c7a516f 100644
--- a/nixos/access/kitchencam.nix
+++ b/nixos/access/kitchencam.nix
@@ -12,8 +12,15 @@
in {
config.services.nginx = {
virtualHosts = let
- url = access.proxyUrlFor { inherit system; service = motion; };
- streamUrl = access.proxyUrlFor { inherit system; service = motion; portName = "stream"; };
+ url = access.proxyUrlFor {
+ inherit system;
+ service = motion;
+ };
+ streamUrl = access.proxyUrlFor {
+ inherit system;
+ service = motion;
+ portName = "stream";
+ };
extraConfig = ''
proxy_redirect off;
proxy_buffering off;
@@ -32,7 +39,7 @@ in {
};
};
listen' = {
- http = { };
+ http = {};
https.ssl = true;
stream = {
enable = mkDefault motion.ports.stream.enable;
@@ -49,9 +56,12 @@ in {
inherit name listen';
ssl.cert.copyFromVhost = "kitchencam";
local.enable = true;
- locations = mapAttrs (name: location: location // {
- proxyPass = mkDefault nginx.virtualHosts.kitchencam.locations.${name}.proxyPass;
- }) locations;
+ locations = mapAttrs (name: location:
+ location
+ // {
+ proxyPass = mkDefault nginx.virtualHosts.kitchencam.locations.${name}.proxyPass;
+ })
+ locations;
};
};
};
diff --git a/nixos/access/ldap.nix b/nixos/access/ldap.nix
index 1741a9b5..38630f6a 100644
--- a/nixos/access/ldap.nix
+++ b/nixos/access/ldap.nix
@@ -4,8 +4,7 @@
gensokyo-zone,
access,
...
-}:
-let
+}: let
inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
inherit (lib.options) mkOption;
inherit (lib.modules) mkIf mkOptionDefault;
@@ -42,7 +41,7 @@ in {
inherit (nginx.stream.upstreams.ldaps.servers.access.accessService) system name id port;
};
};
- ldap = { upstream, ... }: {
+ ldap = {upstream, ...}: {
enable = mkIf upstream.servers.ldaps.enable false;
accessService = {
inherit (nginx.stream.upstreams.ldap.servers.access.accessService) system name id port;
@@ -54,7 +53,7 @@ in {
name = "ldap";
};
};
- ldaps = { config, ... }: {
+ ldaps = {config, ...}: {
enable = mkAlmostOptionDefault config.servers.access.enable;
servers.access = {
accessService = {
diff --git a/nixos/access/mosquitto.nix b/nixos/access/mosquitto.nix
index efb92519..fee9debc 100644
--- a/nixos/access/mosquitto.nix
+++ b/nixos/access/mosquitto.nix
@@ -4,8 +4,7 @@
access,
gensokyo-zone,
...
-}:
-let
+}: let
inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
inherit (lib.modules) mkIf mkOptionDefault;
inherit (config.services) nginx;
@@ -42,7 +41,9 @@ in {
};
};
proxy.upstream = mkAlmostOptionDefault (
- if nginx.stream.upstreams.mqtts.enable then "mqtts" else "mqtt"
+ if nginx.stream.upstreams.mqtts.enable
+ then "mqtts"
+ else "mqtt"
);
};
};
diff --git a/nixos/access/nginx.nix b/nixos/access/nginx.nix
index 7b341098..26cd13e2 100644
--- a/nixos/access/nginx.nix
+++ b/nixos/access/nginx.nix
@@ -1,4 +1,8 @@
-{config, lib, ...}: let
+{
+ config,
+ lib,
+ ...
+}: let
inherit (lib.modules) mkIf;
cfg = config.services.nginx;
in {
diff --git a/nixos/access/openwebrx.nix b/nixos/access/openwebrx.nix
index fa89f2cd..755f83c0 100644
--- a/nixos/access/openwebrx.nix
+++ b/nixos/access/openwebrx.nix
@@ -15,7 +15,7 @@ in {
addr = mkDefault "localhost";
port = mkIf openwebrx.enable (mkDefault openwebrx.port);
};
- service = { upstream, ... }: {
+ service = {upstream, ...}: {
enable = mkIf upstream.servers.local.enable (mkDefault false);
accessService = {
name = "openwebrx";
diff --git a/nixos/access/plex.nix b/nixos/access/plex.nix
index 4294f5b1..3ad8f2a2 100644
--- a/nixos/access/plex.nix
+++ b/nixos/access/plex.nix
@@ -16,7 +16,7 @@ in {
addr = mkDefault "localhost";
port = mkDefault cfg.port;
};
- access = { upstream, ... }: {
+ access = {upstream, ...}: {
enable = mkDefault (!upstream.servers.local.enable);
accessService.name = "plex";
};
@@ -65,12 +65,12 @@ in {
inherit name locations extraConfig;
proxy.upstream = mkDefault upstreamName;
listen' = {
- http = { };
+ http = {};
https.ssl = true;
external = {
enable = mkDefault false;
port = mkDefault 32400;
- extraParameters = [ "default_server" ];
+ extraParameters = ["default_server"];
};
};
};
@@ -88,7 +88,8 @@ in {
};
config.networking.firewall.allowedTCPPorts = let
inherit (nginx.virtualHosts.plex) listen';
- in mkIf listen'.external.enable [
- listen'.external.port
- ];
+ in
+ mkIf listen'.external.enable [
+ listen'.external.port
+ ];
}
diff --git a/nixos/access/proxmox.nix b/nixos/access/proxmox.nix
index 3fa4932c..97eff709 100644
--- a/nixos/access/proxmox.nix
+++ b/nixos/access/proxmox.nix
@@ -7,7 +7,7 @@
inherit (lib.modules) mkDefault;
inherit (lib.strings) escapeRegex;
inherit (config.services) nginx tailscale;
- proxyPass = access.proxyUrlFor { serviceName = "proxmox"; } + "/";
+ proxyPass = access.proxyUrlFor {serviceName = "proxmox";} + "/";
in {
config.services.nginx.virtualHosts = let
locations."/" = {
diff --git a/nixos/access/unifi.nix b/nixos/access/unifi.nix
index 636cfb18..91e1c9da 100644
--- a/nixos/access/unifi.nix
+++ b/nixos/access/unifi.nix
@@ -16,7 +16,7 @@ in {
port = mkDefault 8443;
ssl.enable = mkDefault true;
};
- access = { upstream, ... }: {
+ access = {upstream, ...}: {
enable = mkDefault (!upstream.servers.local.enable);
accessService = {
name = "unifi";
diff --git a/nixos/access/vouch.nix b/nixos/access/vouch.nix
index 0ad0a366..77b24e4b 100644
--- a/nixos/access/vouch.nix
+++ b/nixos/access/vouch.nix
@@ -28,7 +28,11 @@ in {
proxy_redirect default;
'';
};
- "/validate" = {config, virtualHost, ...}: {
+ "/validate" = {
+ config,
+ virtualHost,
+ ...
+ }: {
proxied.enable = true;
proxy.enable = true;
local.denyGlobal = true;
@@ -36,9 +40,9 @@ in {
};
name.shortServer = mkDefault "login";
in {
- vouch = { xvars, ... }: {
+ vouch = {xvars, ...}: {
inherit name locations;
- serverAliases = [ nginx.vouch.doubleProxy.serverName ];
+ serverAliases = [nginx.vouch.doubleProxy.serverName];
proxied.enable = true;
proxy = {
upstream = mkDefault "vouch'access";
@@ -46,12 +50,12 @@ in {
};
local.denyGlobal = true;
};
- vouch'local = { xvars, ... }: {
+ vouch'local = {xvars, ...}: {
name = {
inherit (name) shortServer;
includeTailscale = mkDefault false;
};
- serverAliases = mkIf cfg.enable [ nginx.vouch.doubleProxy.localServerName ];
+ serverAliases = mkIf cfg.enable [nginx.vouch.doubleProxy.localServerName];
proxied.enable = true;
proxy = {
upstream = mkDefault "vouch'access'local";
@@ -64,7 +68,7 @@ in {
};
inherit locations;
};
- vouch'tail = { xvars, ... }: {
+ vouch'tail = {xvars, ...}: {
enable = mkDefault (tailscale.enable && !nginx.virtualHosts.vouch'local.name.includeTailscale);
ssl.cert.copyFromVhost = "vouch'local";
name = {
diff --git a/nixos/access/zigbee2mqtt.nix b/nixos/access/zigbee2mqtt.nix
index cbb261e9..f93af0de 100644
--- a/nixos/access/zigbee2mqtt.nix
+++ b/nixos/access/zigbee2mqtt.nix
@@ -15,7 +15,7 @@ in {
addr = mkDefault "localhost";
port = mkIf zigbee2mqtt.enable (mkDefault zigbee2mqtt.settings.frontend.port);
};
- service = { upstream, ... }: {
+ service = {upstream, ...}: {
enable = mkIf upstream.servers.local.enable (mkDefault false);
accessService = {
name = "zigbee2mqtt";
diff --git a/nixos/acme.nix b/nixos/acme.nix
index bf7aae0a..c7726ab2 100644
--- a/nixos/acme.nix
+++ b/nixos/acme.nix
@@ -64,7 +64,7 @@ in {
acme_cloudflare_token = acmeSecret;
};
systemd.services = let
- after = [ "systemd-tmpfiles-resetup.service" ];
+ after = ["systemd-tmpfiles-resetup.service"];
in {
acme-fixperms = {
inherit after;
diff --git a/nixos/barcodebuddy.nix b/nixos/barcodebuddy.nix
index 53d2a4fd..a1fadc5e 100644
--- a/nixos/barcodebuddy.nix
+++ b/nixos/barcodebuddy.nix
@@ -1,4 +1,9 @@
-{config, access, lib, ...}: let
+{
+ config,
+ access,
+ lib,
+ ...
+}: let
inherit (lib.modules) mkIf mkDefault;
inherit (config.services) nginx;
cfg = config.services.barcodebuddy;
@@ -28,14 +33,15 @@ in {
};
config.systemd.services = let
gensokyo-zone.sharedMounts.barcodebuddy.path = mkDefault cfg.dataDir;
- in mkIf cfg.enable {
- phpfpm-barcodebuddy = {
- inherit gensokyo-zone;
+ in
+ mkIf cfg.enable {
+ phpfpm-barcodebuddy = {
+ inherit gensokyo-zone;
+ };
+ bbuddy-websocket = mkIf cfg.screen.enable {
+ inherit gensokyo-zone;
+ };
};
- bbuddy-websocket = mkIf cfg.screen.enable {
- inherit gensokyo-zone;
- };
- };
config.sops.secrets.barcodebuddy-fastcgi-params = mkIf cfg.enable {
sopsFile = mkDefault ./secrets/barcodebuddy.yaml;
owner = mkDefault nginx.user;
diff --git a/nixos/base/locale.nix b/nixos/base/locale.nix
index 56ba022a..cb8441c0 100644
--- a/nixos/base/locale.nix
+++ b/nixos/base/locale.nix
@@ -1,7 +1,4 @@
-{
- pkgs,
- ...
-}: {
+{pkgs, ...}: {
fonts.packages = [
pkgs.tamzen
];
diff --git a/nixos/base/network.nix b/nixos/base/network.nix
index 8559d9e0..8cdc693f 100644
--- a/nixos/base/network.nix
+++ b/nixos/base/network.nix
@@ -14,13 +14,19 @@ in {
hostName = mkOverride 25 name;
nameservers' = [
#{ address = "8.8.8.8"; host = "dns.google"; }
- { address = "1.1.1.1"; host = "cloudflare-dns.com"; }
- { address = "1.0.0.1"; host = "cloudflare-dns.com"; }
+ {
+ address = "1.1.1.1";
+ host = "cloudflare-dns.com";
+ }
+ {
+ address = "1.0.0.1";
+ host = "cloudflare-dns.com";
+ }
];
};
# work around https://github.com/NixOS/nixpkgs/issues/132646
system.nssDatabases.hosts = mkIf config.services.resolved.enable (
- mkOrder 450 [ "files" ]
+ mkOrder 450 ["files"]
);
}
diff --git a/nixos/base/nix.nix b/nixos/base/nix.nix
index 072901de..a41b8451 100644
--- a/nixos/base/nix.nix
+++ b/nixos/base/nix.nix
@@ -23,12 +23,14 @@ in {
lock = importJSON ../../flake.lock;
mapFlake = name: let
node = lock.nodes.${name};
- in {
- inherit (node.original) type;
- inherit (node.locked) lastModified rev narHash;
- } // optionalAttrs (node.original.type == "github") {
- inherit (node.original) repo owner;
- };
+ in
+ {
+ inherit (node.original) type;
+ inherit (node.locked) lastModified rev narHash;
+ }
+ // optionalAttrs (node.original.type == "github") {
+ inherit (node.original) repo owner;
+ };
in {
nixpkgs.to = mapFlake "nixpkgs";
arc.to = mapFlake "arcexprs";
@@ -40,7 +42,7 @@ in {
};
};
settings = {
- allowed-users = [ "@nixbuilder" ];
+ allowed-users = ["@nixbuilder"];
experimental-features = lib.optional (lib.versionAtLeast config.nix.package.version "2.4") "nix-command flakes";
substituters = [
"https://gensokyo-infrastructure.cachix.org"
@@ -67,7 +69,7 @@ in {
};
optimise = {
automatic = mkAlmostDefault true;
- dates = mkDefault [ "03:25" ];
+ dates = mkDefault ["03:25"];
};
};
${
diff --git a/nixos/cross/aarch64.nix b/nixos/cross/aarch64.nix
index f8f18e10..45e03db0 100644
--- a/nixos/cross/aarch64.nix
+++ b/nixos/cross/aarch64.nix
@@ -1,21 +1,28 @@
-{ pkgs, config, lib, ... }: let
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}: let
inherit (lib.options) mkEnableOption mkPackageOption;
inherit (lib.modules) mkIf;
cfg = config.boot.binfmt.cross.aarch64;
in {
options = {
boot.binfmt.cross.aarch64 = {
- enable = mkEnableOption "qemu-aarch64" // {
- default = true;
- };
- package = mkPackageOption pkgs "qemu" { };
+ enable =
+ mkEnableOption "qemu-aarch64"
+ // {
+ default = true;
+ };
+ package = mkPackageOption pkgs "qemu" {};
armv7l = mkEnableOption "arm.cachix.org";
};
};
config = {
boot.binfmt = {
- emulatedSystems = mkIf cfg.enable [ "aarch64-linux" ];
+ emulatedSystems = mkIf cfg.enable ["aarch64-linux"];
registrations.aarch64-linux = mkIf cfg.enable {
interpreter = "${cfg.package}/bin/qemu-aarch64";
wrapInterpreterInShell = false;
@@ -23,8 +30,8 @@ in {
};
nix.settings = mkIf cfg.armv7l {
- substituters = [ "https://arm.cachix.org/" ];
- trusted-public-keys = [ "arm.cachix.org-1:5BZ2kjoL1q6nWhlnrbAl+G7ThY7+HaBRD9PZzqZkbnM=" ];
+ substituters = ["https://arm.cachix.org/"];
+ trusted-public-keys = ["arm.cachix.org-1:5BZ2kjoL1q6nWhlnrbAl+G7ThY7+HaBRD9PZzqZkbnM="];
};
};
}
diff --git a/nixos/dnsmasq.nix b/nixos/dnsmasq.nix
index f50d83e8..e36b2578 100644
--- a/nixos/dnsmasq.nix
+++ b/nixos/dnsmasq.nix
@@ -13,38 +13,49 @@
inherit (lib.trivial) mapNullable flip;
cfg = config.services.dnsmasq;
inherit (gensokyo-zone) systems;
- localSystems = filterAttrs (_: system:
- system.config.access.online.enable && system.config.network.networks.local.enable or false
- ) systems;
+ localSystems =
+ filterAttrs (
+ _: system:
+ system.config.access.online.enable && system.config.network.networks.local.enable or false
+ )
+ systems;
mkHostRecordPairs = _: system: [
(mkHostRecordPair "int" system)
(mkHostRecordPair "local" system)
(mkHostRecordPair "tail" system)
];
- mapDynamic4 = replaceStrings [ "10.1.1." ] [ "0.0.0." ];
- mapDynamic6 = replaceStrings [ "fd0a::" ] [ "2001::" ];
+ mapDynamic4 = replaceStrings ["10.1.1."] ["0.0.0."];
+ mapDynamic6 = replaceStrings ["fd0a::"] ["2001::"];
mkDynamicHostRecord = _: system: let
address4 = system.config.network.networks.local.address4 or null;
address6 = system.config.network.networks.local.address6 or null;
- in concatStringsSep "," ([
- system.config.access.fqdn
- ] ++ optional (address4 != null)
- (toString (mapNullable mapDynamic4 address4))
- ++ optional (address6 != null)
- (toString (mapNullable mapDynamic6 address6))
- ++ singleton
- cfg.dynamic.interface
- );
+ in
+ concatStringsSep "," (
+ [
+ system.config.access.fqdn
+ ]
+ ++ optional (address4 != null)
+ (toString (mapNullable mapDynamic4 address4))
+ ++ optional (address6 != null)
+ (toString (mapNullable mapDynamic6 address6))
+ ++ singleton
+ cfg.dynamic.interface
+ );
mkHostRecordPair = network: system: let
address4 = system.config.network.networks.${network}.address4 or null;
address6 = system.config.network.networks.${network}.address6 or null;
fqdn = system.config.network.networks.${network}.fqdn or null;
- in nameValuePair
- (if fqdn != null then fqdn else "${network}.${system.config.access.fqdn}")
+ in
+ nameValuePair
+ (
+ if fqdn != null
+ then fqdn
+ else "${network}.${system.config.access.fqdn}"
+ )
(concatStringsSep "," (
- optional (address4 != null)
+ optional (address4 != null)
(toString address4)
- ++ optional (address6 != null)
+ ++ optional (address6 != null)
(toString address6)
));
systemHosts = filterAttrs (_: value: value != "") (
@@ -93,15 +104,16 @@ in {
"mco.cubecraft.net"
];
bedrockRecords = map (flip mkHostRecord bedrockRecord) bedrockRecordNames;
- in mkMerge [
- (mapAttrsToList mkHostRecord systemHosts)
- (mkIf (cfg.bedrockConnect.address != null || cfg.bedrockConnect.address6 != null) bedrockRecords)
- ];
+ in
+ mkMerge [
+ (mapAttrsToList mkHostRecord systemHosts)
+ (mkIf (cfg.bedrockConnect.address != null || cfg.bedrockConnect.address6 != null) bedrockRecords)
+ ];
dynamic-host = mapAttrsToList mkDynamicHostRecord localSystems;
server =
- if config.networking.nameservers' != [ ] then map (ns: ns.address) (filter filterns' config.networking.nameservers')
- else filter filterns config.networking.nameservers
- ;
+ if config.networking.nameservers' != []
+ then map (ns: ns.address) (filter filterns' config.networking.nameservers')
+ else filter filterns config.networking.nameservers;
max-cache-ttl = 60;
};
bedrockConnect = let
@@ -118,11 +130,11 @@ in {
};
networking = mkIf cfg.enable {
firewall = {
- interfaces.local.allowedTCPPorts = [ 53 ];
- interfaces.local.allowedUDPPorts = [ 53 ];
+ interfaces.local.allowedTCPPorts = [53];
+ interfaces.local.allowedUDPPorts = [53];
};
nameservers' = mkIf cfg.resolveLocalQueries' (mkBefore [
- { address = "127.0.0.1"; }
+ {address = "127.0.0.1";}
]);
};
};
diff --git a/nixos/grocy.nix b/nixos/grocy.nix
index 278786bb..a3686a04 100644
--- a/nixos/grocy.nix
+++ b/nixos/grocy.nix
@@ -1,4 +1,8 @@
-{config, lib, ...}: let
+{
+ config,
+ lib,
+ ...
+}: let
inherit (lib.modules) mkIf mkMerge mkBefore mkDefault;
cfg = config.services.grocy;
in {
@@ -72,13 +76,14 @@ in {
};
systemd.services = let
gensokyo-zone.sharedMounts.grocy.path = mkDefault cfg.dataDir;
- in mkIf cfg.enable {
- grocy-setup = {
- inherit gensokyo-zone;
+ in
+ mkIf cfg.enable {
+ grocy-setup = {
+ inherit gensokyo-zone;
+ };
+ phpfpm-grocy = {
+ inherit gensokyo-zone;
+ };
};
- phpfpm-grocy = {
- inherit gensokyo-zone;
- };
- };
};
}
diff --git a/nixos/int.nix b/nixos/int.nix
index 45dc5d03..4392c78f 100644
--- a/nixos/int.nix
+++ b/nixos/int.nix
@@ -1,4 +1,8 @@
-{lib, access, ...}: let
+{
+ lib,
+ access,
+ ...
+}: let
inherit (lib.modules) mkDefault;
in {
config = {
@@ -9,7 +13,7 @@ in {
ipv6SendRAConfig = {
Managed = mkDefault false;
EmitDNS = mkDefault true;
- DNS = [ (access.systemForService "dnsmasq").access.address6ForNetwork.int ];
+ DNS = [(access.systemForService "dnsmasq").access.address6ForNetwork.int];
# Domains = [ "int.${networking.domain}" ];
EmitDomains = mkDefault false;
RouterPreference = mkDefault "low";
diff --git a/nixos/ipa.nix b/nixos/ipa.nix
index 334a095a..266f2236 100644
--- a/nixos/ipa.nix
+++ b/nixos/ipa.nix
@@ -1,4 +1,8 @@
-{ config, lib, ... }: let
+{
+ config,
+ lib,
+ ...
+}: let
inherit (lib.modules) mkDefault;
in {
# NOTE: requires manual post-install setup...
diff --git a/nixos/keycloak.nix b/nixos/keycloak.nix
index c2b36d46..2d92685f 100644
--- a/nixos/keycloak.nix
+++ b/nixos/keycloak.nix
@@ -1,4 +1,11 @@
-{inputs, system, access, config, lib, ...}: let
+{
+ inputs,
+ system,
+ access,
+ config,
+ lib,
+ ...
+}: let
inherit (lib.modules) mkIf mkForce mkDefault;
inherit (lib.lists) optional;
cfg = config.services.keycloak;
@@ -20,9 +27,10 @@ in {
sopsFile = ./secrets/keycloak.yaml;
owner = "keycloak";
};
- in mkIf cfg.enable {
- keycloak_db_password = commonSecret;
- };
+ in
+ mkIf cfg.enable {
+ keycloak_db_password = commonSecret;
+ };
users = mkIf cfg.enable {
users.keycloak = {
isSystemUser = true;
@@ -54,8 +62,16 @@ in {
};
settings = {
- hostname = mkDefault (if hostname-strict then hostname else null);
- proxy = mkDefault (if cfg.protocol == "https" then "reencrypt" else "edge");
+ hostname = mkDefault (
+ if hostname-strict
+ then hostname
+ else null
+ );
+ proxy = mkDefault (
+ if cfg.protocol == "https"
+ then "reencrypt"
+ else "edge"
+ );
hostname-strict = mkDefault hostname-strict;
hostname-strict-https = mkDefault hostname-strict;
proxy-headers = mkDefault "xforwarded";
diff --git a/nixos/krb5.nix b/nixos/krb5.nix
index e80b9745..9dc9222a 100644
--- a/nixos/krb5.nix
+++ b/nixos/krb5.nix
@@ -1,4 +1,11 @@
-{ inputs, pkgs, config, access, lib, ... }: let
+{
+ inputs,
+ pkgs,
+ config,
+ access,
+ lib,
+ ...
+}: let
inherit (inputs.self.lib.lib) mkAlmostOptionDefault mapAlmostOptionDefaults;
inherit (lib.modules) mkIf mkMerge mkBefore mkDefault mkOptionDefault;
inherit (lib.strings) replaceStrings;
@@ -17,7 +24,7 @@ in {
};
};
gensokyo-zone = let
- toLdap = replaceStrings [ "idp." ] [ "ldap." ];
+ toLdap = replaceStrings ["idp."] ["ldap."];
system = access.systemForService "kerberos";
lanName = access.getHostnameFor system.name "lan";
localName = access.getHostnameFor system.name "local";
@@ -28,8 +35,8 @@ in {
host = mkAlmostOptionDefault lanName;
ldap = {
urls = mkMerge [
- (mkOptionDefault (mkBefore [ "ldaps://${ldapLan}" ]))
- (mkIf (ldapLan != ldapLocal) (mkOptionDefault (mkBefore [ "ldaps://${ldapLan}" ])))
+ (mkOptionDefault (mkBefore ["ldaps://${ldapLan}"]))
+ (mkIf (ldapLan != ldapLocal) (mkOptionDefault (mkBefore ["ldaps://${ldapLan}"])))
];
bind.passwordFile = mkIf (cfg.gensokyo-zone.db.backend == "kldap") config.sops.secrets.gensokyo-zone-krb5-passwords.path;
};
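Review bot: The second `urls` entry is guarded by `ldapLan != ldapLocal` but still pushes `ldaps://${ldapLan}`, so the local LDAP URL is never added and the guard only produces a duplicate of the first entry; this looks like a copy-paste slip that the reformat carries over. Presumably the intended line is `(mkIf (ldapLan != ldapLocal) (mkOptionDefault (mkBefore ["ldaps://${ldapLocal}"])))`. The enclosing `gensokyo-zone = let … in` block starts in the previous hunk, so `ldapLocal` itself is defined outside this view.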
@@ -52,7 +59,7 @@ in {
sysAccountDnSuffix = mkDefault "cn=sysaccounts,cn=etc,";
domainDnSuffix = mkDefault "cn=ad,cn=etc,";
};
- networking.timeServers = [ "2.fedora.pool.ntp.org" ];
+ networking.timeServers = ["2.fedora.pool.ntp.org"];
security.ipa = {
chromiumSupport = mkDefault false;
};
@@ -68,24 +75,26 @@ in {
kinit -k host/${config.networking.fqdn}
'';
- in mkIf enabled {
- path = [ config.security.krb5.package ];
- serviceConfig = {
- Type = mkOptionDefault "oneshot";
- ExecStart = [ "${krb5-host}" ];
+ in
+ mkIf enabled {
+ path = [config.security.krb5.package];
+ serviceConfig = {
+ Type = mkOptionDefault "oneshot";
+ ExecStart = ["${krb5-host}"];
+ };
};
- };
sops.secrets = let
sopsFile = mkDefault ./secrets/krb5.yaml;
- in mkIf enabled {
- krb5-keytab = {
- mode = "0400";
- path = "/etc/krb5.keytab";
+ in
+ mkIf enabled {
+ krb5-keytab = {
+ mode = "0400";
+ path = "/etc/krb5.keytab";
+ };
+ gensokyo-zone-krb5-passwords = mkIf (cfg.gensokyo-zone.db.backend == "kldap") {
+ inherit sopsFile;
+ };
};
- gensokyo-zone-krb5-passwords = mkIf (cfg.gensokyo-zone.db.backend == "kldap") {
- inherit sopsFile;
- };
- };
};
}
diff --git a/nixos/kyuuto/nfs.nix b/nixos/kyuuto/nfs.nix
index 91140c32..2ff3ed81 100644
--- a/nixos/kyuuto/nfs.nix
+++ b/nixos/kyuuto/nfs.nix
@@ -10,7 +10,7 @@
inherit (config) kyuuto;
inherit (config.services.nfs.export) flagSets;
nfsRoot = {
- __toString = _: config.services.nfs.export.root.path;
+ __toString = _: config.services.nfs.export.root.path;
transfer = "${nfsRoot}/kyuuto/transfer";
media = "${nfsRoot}/kyuuto/media";
};
@@ -19,16 +19,16 @@ in {
export = {
paths = {
${nfsRoot.media} = {
- flags = flagSets.common ++ [ "fsid=128" ] ++ flagSets.secip ++ [ "rw" ] ++ flagSets.anon_ro;
+ flags = flagSets.common ++ ["fsid=128"] ++ flagSets.secip ++ ["rw"] ++ flagSets.anon_ro;
clients = {
local = {
machine = flagSets.allClients;
- flags = flagSets.seclocal ++ [ "rw" "no_all_squash" ];
+ flags = flagSets.seclocal ++ ["rw" "no_all_squash"];
};
};
};
${nfsRoot.transfer} = {
- flags = flagSets.common ++ [ "fsid=129" ] ++ [ "rw" "async" ];
+ flags = flagSets.common ++ ["fsid=129"] ++ ["rw" "async"];
clients = {
local = {
machine = flagSets.allClients;
@@ -47,16 +47,17 @@ in {
"nfs-mountd.service"
];
before = wantedBy;
- in mkIf config.services.nfs.server.enable [
- {
- inherit type options wantedBy before;
- what = kyuuto.mountDir;
- where = nfsRoot.media;
- }
- {
- inherit type options wantedBy before;
- what = kyuuto.transferDir;
- where = nfsRoot.transfer;
- }
- ];
+ in
+ mkIf config.services.nfs.server.enable [
+ {
+ inherit type options wantedBy before;
+ what = kyuuto.mountDir;
+ where = nfsRoot.media;
+ }
+ {
+ inherit type options wantedBy before;
+ what = kyuuto.transferDir;
+ where = nfsRoot.transfer;
+ }
+ ];
}
diff --git a/nixos/ldap/permissions.nix b/nixos/ldap/permissions.nix
index 5c80715c..ea02adcb 100644
--- a/nixos/ldap/permissions.nix
+++ b/nixos/ldap/permissions.nix
@@ -1,4 +1,8 @@
-{config, lib, ...}: let
+{
+ config,
+ lib,
+ ...
+}: let
inherit (lib.modules) mkDefault;
inherit (config.users) ldap;
inherit (ldap.management) permissions;
@@ -9,15 +13,33 @@ in {
"Custom Anonymous User Read" = {
bindType = "anonymous";
targetType = "user";
- attrs = [ "gidnumber" "homedirectory" "ipantsecurityidentifier" "loginshell" "manager" "objectclass" "title" "uid" "uidnumber" ];
+ attrs = ["gidnumber" "homedirectory" "ipantsecurityidentifier" "loginshell" "manager" "objectclass" "title" "uid" "uidnumber"];
};
"Custom Permission Admin" = {
location = ldap.permissionDnSuffix;
target = "cn=*";
rights = "all";
attrs = [
- "member" "cn" "o" "ou" "owner" "description" "objectclass" "seealso" "businesscategory"
- "ipapermtarget" "ipapermright" "ipapermincludedattr" "ipapermbindruletype" "ipapermexcludedattr" "ipapermtargetto" "ipapermissiontype" "ipapermlocation" "ipapermdefaultattr" "ipapermtargetfrom" "ipapermtargetfilter"
+ "member"
+ "cn"
+ "o"
+ "ou"
+ "owner"
+ "description"
+ "objectclass"
+ "seealso"
+ "businesscategory"
+ "ipapermtarget"
+ "ipapermright"
+ "ipapermincludedattr"
+ "ipapermbindruletype"
+ "ipapermexcludedattr"
+ "ipapermtargetto"
+ "ipapermissiontype"
+ "ipapermlocation"
+ "ipapermdefaultattr"
+ "ipapermtargetfrom"
+ "ipapermtargetfilter"
];
};
"Custom Privilege Admin" = {
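Review bot: "Custom Anonymous User Read" grants an unauthenticated bind read access to `homedirectory`, `loginshell`, `manager`, `title`, `uidnumber` and `ipantsecurityidentifier` for every user entry, and nothing in the file records which consumer needs that exposure, so a later reader cannot tell whether narrowing it would break something. A one-line comment above the entry would do, e.g. `# anonymous bind: unauthenticated clients can enumerate POSIX account attributes — required by <CONSUMER, confirm>`. If the only consumer is an authenticated service (sssd/samba bind accounts appear elsewhere in this diff), a non-anonymous `bindType` would remove the unauthenticated enumeration surface.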
@@ -25,7 +47,16 @@ in {
target = "cn=*";
rights = "all";
attrs = [
- "member" "memberof" "cn" "o" "ou" "owner" "description" "objectclass" "seealso" "businesscategory"
+ "member"
+ "memberof"
+ "cn"
+ "o"
+ "ou"
+ "owner"
+ "description"
+ "objectclass"
+ "seealso"
+ "businesscategory"
];
};
"Custom Role Admin" = {
@@ -33,17 +64,26 @@ in {
target = "cn=*";
rights = "all";
attrs = [
- "member" "memberof" "cn" "o" "ou" "owner" "description" "objectclass" "seealso" "businesscategory"
+ "member"
+ "memberof"
+ "cn"
+ "o"
+ "ou"
+ "owner"
+ "description"
+ "objectclass"
+ "seealso"
+ "businesscategory"
];
};
"Custom Role Modify" = {
targetType = "role";
- rights = [ "write" "add" ];
+ rights = ["write" "add"];
attrs = permissions."Custom Role Admin".attrs;
};
"Custom Host Permission" = {
targetType = "host";
- rights = [ "write" ];
+ rights = ["write"];
attrs = [
"memberof"
];
@@ -52,21 +92,32 @@ in {
targetType = "sysaccount";
rights = "all";
attrs = [
- "member" "memberof" "uid" "o" "ou" "description" "objectclass" "seealso" "businesscategory"
- "passwordExpirationTime" "nsIdleTimeout"
+ "member"
+ "memberof"
+ "uid"
+ "o"
+ "ou"
+ "description"
+ "objectclass"
+ "seealso"
+ "businesscategory"
+ "passwordExpirationTime"
+ "nsIdleTimeout"
];
};
"Custom SysAccount Admin" = {
location = ldap.sysAccountDnSuffix;
target = "uid=*";
- rights = [ "add" "write" "delete" ];
- attrs = permissions."Custom SysAccount Permission".attrs ++ [
- "userPassword"
- ];
+ rights = ["add" "write" "delete"];
+ attrs =
+ permissions."Custom SysAccount Permission".attrs
+ ++ [
+ "userPassword"
+ ];
};
"Custom Service Permission" = {
targetType = "service";
- rights = [ "write" ];
+ rights = ["write"];
attrs = [
"memberof"
];
diff --git a/nixos/ldap/samba.nix b/nixos/ldap/samba.nix
index 5bbd4312..71f804eb 100644
--- a/nixos/ldap/samba.nix
+++ b/nixos/ldap/samba.nix
@@ -1,68 +1,72 @@
-{config, lib, ...}: let
+{
+ config,
+ lib,
+ ...
+}: let
inherit (lib.modules) mkDefault;
inherit (config.users) ldap;
- smbAccountAttrs = [ "sambasid" "sambapwdlastset" "sambaacctflags" "sambapasswordhistory" "sambantpassword" ];
- smbGroupAttrs = [ "sambasid" "sambagrouptype" ];
- smbDomainAttrs = [ "sambasid" "sambaRefuseMachinePwdChange" "sambaMinPwdLength" "sambaAlgorithmicRidBase" "sambaPwdHistoryLength" "sambaDomainName" "sambaMinPwdAge" "sambaMaxPwdAge" "sambaLockoutThreshold" "sambaForceLogoff" "sambaLogonToChgPwd" "sambaLockoutObservationWindow" "sambaNextUserRid" "sambaLockoutDuration" ];
+ smbAccountAttrs = ["sambasid" "sambapwdlastset" "sambaacctflags" "sambapasswordhistory" "sambantpassword"];
+ smbGroupAttrs = ["sambasid" "sambagrouptype"];
+ smbDomainAttrs = ["sambasid" "sambaRefuseMachinePwdChange" "sambaMinPwdLength" "sambaAlgorithmicRidBase" "sambaPwdHistoryLength" "sambaDomainName" "sambaMinPwdAge" "sambaMaxPwdAge" "sambaLockoutThreshold" "sambaForceLogoff" "sambaLogonToChgPwd" "sambaLockoutObservationWindow" "sambaNextUserRid" "sambaLockoutDuration"];
in {
config.users.ldap.management = {
enable = mkDefault true;
permissions = {
"Custom Samba User Read" = {
targetType = "user";
- attrs = [ "ipanthash" "ipanthomedirectory" "ipanthomedirectorydrive" "ipantlogonscript" "ipantprofilepath" "ipantsecurityidentifier" ] ++ smbAccountAttrs;
+ attrs = ["ipanthash" "ipanthomedirectory" "ipanthomedirectorydrive" "ipantlogonscript" "ipantprofilepath" "ipantsecurityidentifier"] ++ smbAccountAttrs;
};
"Custom Samba User Modify" = {
targetType = "user";
- rights = [ "write" ];
+ rights = ["write"];
attrs = smbAccountAttrs;
};
"Custom Samba User Admin" = {
targetType = "user";
- rights = [ "write" ];
- attrs = smbAccountAttrs ++ [ "objectclass" ];
+ rights = ["write"];
+ attrs = smbAccountAttrs ++ ["objectclass"];
};
"Custom Samba Group Read" = {
targetType = "user-group";
- attrs = [ "ipantsecurityidentifier" "gidnumber" ] ++ smbGroupAttrs;
+ attrs = ["ipantsecurityidentifier" "gidnumber"] ++ smbGroupAttrs;
};
"Custom Samba Group Modify" = {
targetType = "user-group";
- rights = [ "write" ];
+ rights = ["write"];
attrs = smbGroupAttrs;
};
"Custom Samba Group Admin" = {
targetType = "user-group";
- rights = [ "write" ];
- attrs = smbGroupAttrs ++ [ "objectclass" ];
+ rights = ["write"];
+ attrs = smbGroupAttrs ++ ["objectclass"];
};
"Custom Samba Domain Read" = {
targetType = "samba-domain";
- attrs = [ "objectClass" ] ++ smbDomainAttrs;
+ attrs = ["objectClass"] ++ smbDomainAttrs;
};
"Custom Samba Domain Modify" = {
targetType = "samba-domain";
- rights = [ "write" "add" ];
+ rights = ["write" "add"];
attrs = smbDomainAttrs;
};
"Custom Samba Domain Admin" = {
targetType = "domain";
- rights = [ "write" ];
- attrs = smbDomainAttrs ++ [ "objectclass" ];
+ rights = ["write"];
+ attrs = smbDomainAttrs ++ ["objectclass"];
};
"Custom Samba Realm Read" = {
targetType = "domain";
- attrs = [ "objectClass" "ipaNTSecurityIdentifier" "ipaNTFlatName" "ipaNTDomainGUID" "ipaNTFallbackPrimaryGroup" ] ++ smbDomainAttrs;
+ attrs = ["objectClass" "ipaNTSecurityIdentifier" "ipaNTFlatName" "ipaNTDomainGUID" "ipaNTFallbackPrimaryGroup"] ++ smbDomainAttrs;
};
"Custom Samba Realm Modify" = {
targetType = "domain";
- rights = [ "write" ];
+ rights = ["write"];
attrs = smbDomainAttrs;
};
"Custom Samba Realm Admin" = {
targetType = "domain";
- rights = [ "write" ];
- attrs = smbDomainAttrs ++ [ "objectclass" ];
+ rights = ["write"];
+ attrs = smbDomainAttrs ++ ["objectclass"];
};
};
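Review bot: "Custom Samba Domain Admin" uses `targetType = "domain";` while its Read and Modify siblings use `"samba-domain"`, and the three "Custom Samba Realm …" entries already cover `"domain"`, so as written it duplicates "Custom Samba Realm Admin" and leaves no admin-level permission on the samba-domain target; this looks like a copy-paste mismatch rather than intent. The likely fix is `targetType = "samba-domain";` on that entry. The read permission "Custom Samba User Read" also exposes `ipanthash` and `sambantpassword`, which are password-equivalent for NTLM; since no `bindType` is set there, it is worth confirming what the module's default bind rule is for that permission.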
users = {
@@ -173,7 +177,7 @@ in {
};
objects = {
"cn=${config.networking.domain},${ldap.domainDnSuffix}" = {
- objectClasses = [ "sambaDomain" ];
+ objectClasses = ["sambaDomain"];
settings = {
sambaSID = ldap.samba.domainSID;
sambaDomainName = "GENSOKYO";
diff --git a/nixos/ldap/users.nix b/nixos/ldap/users.nix
index 5fe8c17c..e4aff6d3 100644
--- a/nixos/ldap/users.nix
+++ b/nixos/ldap/users.nix
@@ -1,99 +1,111 @@
-{config, lib, inputs, ...}: let
+{
+ config,
+ lib,
+ inputs,
+ ...
+}: let
inherit (inputs.self.lib.lib) userIs mkAlmostOptionDefault;
inherit (lib.modules) mkMerge mkDefault;
inherit (lib.attrsets) mapAttrs filterAttrs;
ldapUsers = filterAttrs (_: userIs "peeps") config.users.users;
ldapGroups = filterAttrs (_: group: group.gid != null && group.gid >= 8000 && group.gid < 8256) config.users.groups;
management = {
- users = mapAttrs (name: user: {
- user.name = mkAlmostOptionDefault name;
- samba = {
- enable = mkDefault true;
- sync.enable = mkDefault true;
- accountFlags = {
- noPasswordExpiry = mkDefault true;
+ users =
+ mapAttrs (name: user: {
+ user.name = mkAlmostOptionDefault name;
+ samba = {
+ enable = mkDefault true;
+ sync.enable = mkDefault true;
+ accountFlags = {
+ noPasswordExpiry = mkDefault true;
+ };
};
- };
- }) ldapUsers;
- groups = mapAttrs (name: group: {
- group.name = mkAlmostOptionDefault name;
- samba.enable = mkDefault true;
- }) ldapGroups;
+ })
+ ldapUsers;
+ groups =
+ mapAttrs (name: group: {
+ group.name = mkAlmostOptionDefault name;
+ samba.enable = mkDefault true;
+ })
+ ldapGroups;
};
in {
config.users.ldap = {
- management = mkMerge [ management {
- users = {
- guest.user.enable = true;
- admin = {
- user.enable = true;
- samba.enable = true;
- };
- opl = {
- user.enable = true;
- samba = {
- enable = true;
- #sync.enable = true;
- accountFlags = {
- noPasswordExpiry = mkDefault true;
- normalUser = true;
+ management = mkMerge [
+ management
+ {
+ users = {
+ guest.user.enable = true;
+ admin = {
+ user.enable = true;
+ samba.enable = true;
+ };
+ opl = {
+ user.enable = true;
+ samba = {
+ enable = true;
+ #sync.enable = true;
+ accountFlags = {
+ noPasswordExpiry = mkDefault true;
+ normalUser = true;
+ };
+ };
+ object.settings.settings = {
+ sambaNTPassword = "F7C2C5D78C24EACB73550B02BF5888E3";
+ sambaLMPassword = "A5C96CDE7660B20BAAD3B435B51404EE";
};
};
- object.settings.settings = {
- sambaNTPassword = "F7C2C5D78C24EACB73550B02BF5888E3";
- sambaLMPassword = "A5C96CDE7660B20BAAD3B435B51404EE";
+ };
+ groups = {
+ nogroup = {
+ group.enable = true;
+ samba.enable = true;
+ };
+ guest = {
+ samba = {
+ enable = true;
+ groupType = 4;
+ sid = "S-1-5-32-546";
+ };
+ };
+ admin = {
+ group.enable = true;
+ samba.enable = true;
+ };
+ kyuuto-peeps = {
+ group.enable = true;
+ samba.enable = true;
+ };
+ kyuuto = {
+ group.enable = true;
+ samba.enable = true;
+ };
+ peeps = {
+ group.enable = true;
+ samba.enable = true;
+ };
+ admins = {
+ samba = {
+ enable = true;
+ #sync.enable = true;
+ groupType = 4;
+ sid = "S-1-5-32-544";
+ };
+ };
+ smb = {
+ name = "Default SMB Group";
+ samba = {
+ enable = true;
+ #sync.enable = true;
+ groupType = 4;
+ sid = "S-1-5-32-545";
+ };
};
};
- };
- groups = {
- nogroup = {
- group.enable = true;
- samba.enable = true;
+ objects = {
+ # TODO: ipa hostname krb5 aliases should be populated here!!!
};
- guest = {
- samba = {
- enable = true;
- groupType = 4;
- sid = "S-1-5-32-546";
- };
- };
- admin = {
- group.enable = true;
- samba.enable = true;
- };
- kyuuto-peeps = {
- group.enable = true;
- samba.enable = true;
- };
- kyuuto = {
- group.enable = true;
- samba.enable = true;
- };
- peeps = {
- group.enable = true;
- samba.enable = true;
- };
- admins = {
- samba = {
- enable = true;
- #sync.enable = true;
- groupType = 4;
- sid = "S-1-5-32-544";
- };
- };
- smb = {
- name = "Default SMB Group";
- samba = {
- enable = true;
- #sync.enable = true;
- groupType = 4;
- sid = "S-1-5-32-545";
- };
- };
- };
- objects = {
- # TODO: ipa hostname krb5 aliases should be populated here!!!
- };
- } ];
+ }
+ ];
};
}
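Review bot: `object.settings.settings` for the `opl` user sets `sambaNTPassword` and `sambaLMPassword` to literal hash values in the repository; an NT hash is credential-equivalent for NTLM authentication and the LM format is weak, so committing them is effectively committing the password, and the reformat keeps them in place. Every other credential in this diff goes through `sops.secrets` (krb5.nix, sssd.nix, openwebrx.nix), so these belong in a sops-managed file as well, with the value read from the secret path rather than inlined. Because the values are already in git history, the account's password should also be rotated once the secret is moved.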
diff --git a/nixos/minecraft/bedrock.nix b/nixos/minecraft/bedrock.nix
index 66f6d571..022a3f3e 100644
--- a/nixos/minecraft/bedrock.nix
+++ b/nixos/minecraft/bedrock.nix
@@ -1,4 +1,9 @@
-{config, lib, pkgs, ...}: let
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
inherit (lib.modules) mkIf mkDefault;
cfg = config.services.minecraft-bedrock-server;
in {
@@ -47,9 +52,10 @@ in {
groups.${cfg.group}.gid = config.users.users.${cfg.user}.uid;
};
networking.firewall.interfaces = let
- ports = [ cfg.serverProperties.server-port cfg.serverProperties.server-portv6 ];
- in mkIf cfg.enable {
- local.allowedUDPPorts = ports;
- peeps.allowedUDPPorts = ports;
- };
+ ports = [cfg.serverProperties.server-port cfg.serverProperties.server-portv6];
+ in
+ mkIf cfg.enable {
+ local.allowedUDPPorts = ports;
+ peeps.allowedUDPPorts = ports;
+ };
}
diff --git a/nixos/nfs.nix b/nixos/nfs.nix
index f5228f0a..f5ee81e0 100644
--- a/nixos/nfs.nix
+++ b/nixos/nfs.nix
@@ -39,11 +39,13 @@ in {
gssd = {
preferred-realm = mkOptionDefault realm;
};
- /*svcgssd = {
+ /*
+ svcgssd = {
#principal = system
#principal = nfs/idp.${domain}@${realm}
#principal = nfs/${config.networking.fqdn}@${realm}
- };*/
+ };
+ */
}
];
server = {
@@ -60,16 +62,16 @@ in {
"anongid=${toString config.users.groups.${config.users.users.guest.group}.gid}"
];
sec = [
- "sec=${concatStringsSep ":" [ "krb5i" "krb5" "krb5p" ]}"
+ "sec=${concatStringsSep ":" ["krb5i" "krb5" "krb5p"]}"
];
seclocal = [
- "sec=${concatStringsSep ":" [ "krb5" ]}"
+ "sec=${concatStringsSep ":" ["krb5"]}"
];
secip = [
- "sec=${concatStringsSep ":" [ "krb5i" "krb5p" ]}"
+ "sec=${concatStringsSep ":" ["krb5i" "krb5p"]}"
];
secanon = [
- "sec=${concatStringsSep ":" [ "krb5i" "krb5" "krb5p" "sys" ]}"
+ "sec=${concatStringsSep ":" ["krb5i" "krb5" "krb5p" "sys"]}"
];
anon_ro = [
"sec=sys"
@@ -93,7 +95,7 @@ in {
clients = {
trusted = {
machine = flagSets.trustedClients;
- flags = flagSets.secip ++ [ "rw" ];
+ flags = flagSets.secip ++ ["rw"];
};
};
};
@@ -107,9 +109,9 @@ in {
];
};
Translation.Method = mkForce (concatStringsSep "," (
- [ "static" ]
+ ["static"]
++ optional enableLdap "umich_ldap"
- ++ [ "nsswitch" ]
+ ++ ["nsswitch"]
));
Static = {
};
diff --git a/nixos/nginx.nix b/nixos/nginx.nix
index 7bef1dc8..a4d90dab 100644
--- a/nixos/nginx.nix
+++ b/nixos/nginx.nix
@@ -8,10 +8,15 @@
in {
networking.firewall.interfaces.local.allowedTCPPorts = let
inherit (cfg.ssl) preread;
- in mkIf cfg.enable [
- (if preread.enable then preread.serverPort else cfg.defaultSSLListenPort)
- cfg.defaultHTTPListenPort
- ];
+ in
+ mkIf cfg.enable [
+ (
+ if preread.enable
+ then preread.serverPort
+ else cfg.defaultSSLListenPort
+ )
+ cfg.defaultHTTPListenPort
+ ];
services.nginx = {
enable = true;
diff --git a/nixos/nixbld.nix b/nixos/nixbld.nix
index cc8be0bf..44de6a3a 100644
--- a/nixos/nixbld.nix
+++ b/nixos/nixbld.nix
@@ -1,4 +1,4 @@
-{ lib, ... }: let
+{lib, ...}: let
inherit (lib.modules) mkForce;
in {
config.users = {
diff --git a/nixos/openwebrx.nix b/nixos/openwebrx.nix
index 10d866f6..6664584a 100644
--- a/nixos/openwebrx.nix
+++ b/nixos/openwebrx.nix
@@ -31,14 +31,15 @@ in {
sops.secrets = let
sopsFile = mkDefault ./secrets/openwebrx.yaml;
- in mkIf cfg.enable {
- openwebrx-users = {
- inherit sopsFile;
- owner = cfg.user;
- group = cfg.group;
- path = "${cfg.dataDir}/users.json";
+ in
+ mkIf cfg.enable {
+ openwebrx-users = {
+ inherit sopsFile;
+ owner = cfg.user;
+ group = cfg.group;
+ path = "${cfg.dataDir}/users.json";
+ };
};
- };
networking.firewall = mkIf cfg.enable {
interfaces.lan.allowedTCPPorts = mkIf cfg.enable [
diff --git a/nixos/reisen-ct/network.nix b/nixos/reisen-ct/network.nix
index 9b581756..1f1f758a 100644
--- a/nixos/reisen-ct/network.nix
+++ b/nixos/reisen-ct/network.nix
@@ -29,12 +29,13 @@ in {
networkConfig.MulticastDNS = true;
};
networking.nameservers' = mkIf enableDns (mkBefore [
- { address = access.getAddressFor (access.systemForService "dnsmasq").name "lan"; }
+ {address = access.getAddressFor (access.systemForService "dnsmasq").name "lan";}
]);
# prioritize our resolver over systemd-resolved!
system.nssDatabases.hosts = let
avahiResolverEnabled = config.services.avahi.enable && (config.services.avahi.nssmdns4 || config.services.avahi.nssmdns4);
- in mkIf (enableDns && (config.services.resolved.enable || avahiResolverEnabled)) (mkOrder 475 ["dns"]);
+ in
+ mkIf (enableDns && (config.services.resolved.enable || avahiResolverEnabled)) (mkOrder 475 ["dns"]);
services.resolved.extraConfig = mkIf enableDns ''
DNSStubListener=no
'';
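Review bot: `avahiResolverEnabled` tests `config.services.avahi.nssmdns4 || config.services.avahi.nssmdns4`, the same option twice, so the IPv6-only mDNS case never counts as an enabled resolver; this is an unchanged context line the reformat leaves as is. The second operand was presumably meant to be `config.services.avahi.nssmdns6`. Since the result decides whether `dns` is ordered before `mdns` in `nssDatabases.hosts`, a host with only `nssmdns6` would keep the default ordering.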
diff --git a/nixos/reisen-ct/proxmox.nix b/nixos/reisen-ct/proxmox.nix
index 1824a505..e8a66c1a 100644
--- a/nixos/reisen-ct/proxmox.nix
+++ b/nixos/reisen-ct/proxmox.nix
@@ -26,19 +26,22 @@ in {
proxmoxLXC.privileged = mkIf (proxmox.container.enable && proxmox.container.privileged) true;
- systemd.network = mkIf proxmox.enabled (mkMerge (mapAttrsToList (_: interface: mkIf (interface.enable && interface.networkd.enable) {
- networks.${interface.networkd.name} = unmerged.mergeAttrs interface.networkd.networkSettings;
- }) proxmox.network.interfaces));
+ systemd.network = mkIf proxmox.enabled (mkMerge (mapAttrsToList (_: interface:
+ mkIf (interface.enable && interface.networkd.enable) {
+ networks.${interface.networkd.name} = unmerged.mergeAttrs interface.networkd.networkSettings;
+ })
+ proxmox.network.interfaces));
networking.firewall.interfaces.lan = let
inherit (proxmox.network) internal local;
conditions = coalesce [
- (mapNullable (interface: [ "iifname ${interface.name}" ]) internal.interface)
+ (mapNullable (interface: ["iifname ${interface.name}"]) internal.interface)
(mapNullable (interface: config.networking.firewall.interfaces.local.nftables.conditions) local.interface)
];
- in mkIf (conditions != null) {
- nftables = {
- inherit conditions;
+ in
+ mkIf (conditions != null) {
+ nftables = {
+ inherit conditions;
+ };
};
- };
}
diff --git a/nixos/samba.nix b/nixos/samba.nix
index dab7606b..2842a515 100644
--- a/nixos/samba.nix
+++ b/nixos/samba.nix
@@ -61,59 +61,63 @@ in {
passdb.smbpasswd.path = mkIf (!cfg.ldap.enable || !cfg.ldap.passdb.enable) (
mkDefault config.sops.secrets.smbpasswd.path
);
- settings = mkMerge [ {
- "local master" = true;
- "preferred master" = true;
- "winbind offline logon" = true;
- "winbind scan trusted domains" = false;
- "winbind use default domain" = true;
- "domain master" = true;
- "server role" = "classic primary domain controller";
- "domain logons" = true;
- "remote announce" = [
- "10.1.1.255/${cfg.domain.name}"
- ];
- "additional dns hostnames" = mkMerge [
- [
- config.networking.fqdn
- "smb.${domain}"
- ]
- (mkIf system.network.networks.local.enable or false [
- "smb.local.${domain}"
- access.hostnameForNetwork.local
- ])
- (mkIf system.network.networks.int.enable or false [
- "smb.int.${domain}"
- access.hostnameForNetwork.int
- ])
- (mkIf config.services.tailscale.enable [
- "smb.tail.${domain}"
- access.hostnameForNetwork.tail
- ])
- ];
- } (mkIf cfg.ldap.enable {
- "ldapsam:trusted" = true;
- "ldapsam:editposix" = false;
- "ldap user suffix" = removeSuffix "," ldap.userDnSuffix;
- "ldap group suffix" = removeSuffix "," ldap.groupDnSuffix;
- "ldap machine suffix" = removeSuffix "," ldap.hostDnSuffix;
- "ldap idmap suffix" = removeSuffix "," ldap.idViewDnSuffix;
- "ldap server require strong auth" = "allow_sasl_over_tls";
- # TODO: ldap delete dn?
- # TODO: username map script?
- }) (mkIf debugLogging {
- "ldap debug level" = 1;
- #"ldap debug threshold" = 3; # 4? 5?
- logging = "systemd";
- "log level" = [
- "4"
- #"passdb:8"
- #"auth:8"
- #"idmap:8"
- #"winbind:6"
- #"dns:8"
- ];
- }) ];
+ settings = mkMerge [
+ {
+ "local master" = true;
+ "preferred master" = true;
+ "winbind offline logon" = true;
+ "winbind scan trusted domains" = false;
+ "winbind use default domain" = true;
+ "domain master" = true;
+ "server role" = "classic primary domain controller";
+ "domain logons" = true;
+ "remote announce" = [
+ "10.1.1.255/${cfg.domain.name}"
+ ];
+ "additional dns hostnames" = mkMerge [
+ [
+ config.networking.fqdn
+ "smb.${domain}"
+ ]
+ (mkIf system.network.networks.local.enable or false [
+ "smb.local.${domain}"
+ access.hostnameForNetwork.local
+ ])
+ (mkIf system.network.networks.int.enable or false [
+ "smb.int.${domain}"
+ access.hostnameForNetwork.int
+ ])
+ (mkIf config.services.tailscale.enable [
+ "smb.tail.${domain}"
+ access.hostnameForNetwork.tail
+ ])
+ ];
+ }
+ (mkIf cfg.ldap.enable {
+ "ldapsam:trusted" = true;
+ "ldapsam:editposix" = false;
+ "ldap user suffix" = removeSuffix "," ldap.userDnSuffix;
+ "ldap group suffix" = removeSuffix "," ldap.groupDnSuffix;
+ "ldap machine suffix" = removeSuffix "," ldap.hostDnSuffix;
+ "ldap idmap suffix" = removeSuffix "," ldap.idViewDnSuffix;
+ "ldap server require strong auth" = "allow_sasl_over_tls";
+ # TODO: ldap delete dn?
+ # TODO: username map script?
+ })
+ (mkIf debugLogging {
+ "ldap debug level" = 1;
+ #"ldap debug threshold" = 3; # 4? 5?
+ logging = "systemd";
+ "log level" = [
+ "4"
+ #"passdb:8"
+ #"auth:8"
+ #"idmap:8"
+ #"winbind:6"
+ #"dns:8"
+ ];
+ })
+ ];
idmap.domains = {
nss = mkIf (!cfg.ldap.enable || !cfg.ldap.idmap.enable) {
backend = "nss";
diff --git a/nixos/sops.nix b/nixos/sops.nix
index dea7d58b..e651fae5 100644
--- a/nixos/sops.nix
+++ b/nixos/sops.nix
@@ -1,7 +1,4 @@
-{
- inputs,
- ...
-}: {
+{inputs, ...}: {
imports = [
inputs.sops-nix.nixosModules.sops
];
diff --git a/nixos/sssd.nix b/nixos/sssd.nix
index 8f64d203..2323aed2 100644
--- a/nixos/sssd.nix
+++ b/nixos/sssd.nix
@@ -1,4 +1,10 @@
-{ gensokyo-zone, access, config, lib, ... }: let
+{
+ gensokyo-zone,
+ access,
+ config,
+ lib,
+ ...
+}: let
inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
inherit (lib.modules) mkIf mkBefore mkAfter mkDefault;
inherit (lib.lists) tail;
@@ -11,12 +17,13 @@ in {
config = {
services.sssd = {
- enable = (mkDefault true);
+ enable = mkDefault true;
gensokyo-zone = let
serviceFragment = service: service;
toService = service: hostname: let
segments = splitString "." hostname;
- in concatStringsSep "." ([ (serviceFragment service) ] ++ tail segments);
+ in
+ concatStringsSep "." ([(serviceFragment service)] ++ tail segments);
toFreeipa = toService "freeipa";
tailName = access.getHostnameFor "hakurei" "tail";
mkServers = serviceName: let
@@ -46,21 +53,23 @@ in {
bind.passwordFile = mkIf (cfg.gensokyo-zone.backend == "ldap") config.sops.secrets.gensokyo-zone-peep-passwords.path;
};
};
- environmentFile = mkIf (cfg.gensokyo-zone.enable && cfg.gensokyo-zone.backend == "ldap") (mkAlmostOptionDefault
+ environmentFile = mkIf (cfg.gensokyo-zone.enable && cfg.gensokyo-zone.backend == "ldap") (
+ mkAlmostOptionDefault
config.sops.secrets.gensokyo-zone-sssd-passwords.path
);
};
sops.secrets = let
sopsFile = mkDefault ./secrets/krb5.yaml;
- in mkIf (cfg.enable && cfg.gensokyo-zone.enable) {
- gensokyo-zone-krb5-peep-password = mkIf (cfg.gensokyo-zone.enable && cfg.gensokyo-zone.backend == "ldap") {
- inherit sopsFile;
+ in
+ mkIf (cfg.enable && cfg.gensokyo-zone.enable) {
+ gensokyo-zone-krb5-peep-password = mkIf (cfg.gensokyo-zone.enable && cfg.gensokyo-zone.backend == "ldap") {
+ inherit sopsFile;
+ };
+ # TODO: this shouldn't be needed, module is incomplete :(
+ gensokyo-zone-sssd-passwords = mkIf (cfg.gensokyo-zone.enable && cfg.gensokyo-zone.backend == "ldap") {
+ inherit sopsFile;
+ };
};
- # TODO: this shouldn't be needed, module is incomplete :(
- gensokyo-zone-sssd-passwords = mkIf (cfg.gensokyo-zone.enable && cfg.gensokyo-zone.backend == "ldap") {
- inherit sopsFile;
- };
- };
};
}
diff --git a/nixos/systemd2mqtt.nix b/nixos/systemd2mqtt.nix
index 9c62f81e..184b5183 100644
--- a/nixos/systemd2mqtt.nix
+++ b/nixos/systemd2mqtt.nix
@@ -8,7 +8,7 @@
inherit (lib.modules) mkIf mkDefault;
cfg = config.services.systemd2mqtt;
in {
- imports = [ inputs.systemd2mqtt.nixosModules.default ];
+ imports = [inputs.systemd2mqtt.nixosModules.default];
services.systemd2mqtt = {
enable = mkDefault true;
@@ -17,7 +17,11 @@ in {
url = mkDefault (
if config.services.mosquitto.enable
then "tcp://localhost:1883"
- else access.proxyUrlFor { serviceName = "mosquitto"; scheme = "tcp"; }
+ else
+ access.proxyUrlFor {
+ serviceName = "mosquitto";
+ scheme = "tcp";
+ }
);
username = mkDefault "systemd";
};
diff --git a/nixos/unifi.nix b/nixos/unifi.nix
index 316be282..534ba2ac 100644
--- a/nixos/unifi.nix
+++ b/nixos/unifi.nix
@@ -20,13 +20,18 @@ in {
rev = "r${version}";
sha256 = "sha256-lVRTrEnwuyKETFL1C8bVqBfrDaYrbQIdmHN42CF8ZIw=";
};
- sconsFlags = old.sconsFlags ++ [
- "MONGO_VERSION=${version}"
- ];
+ sconsFlags =
+ old.sconsFlags
+ ++ [
+ "MONGO_VERSION=${version}"
+ ];
});
isUpdated = lib.versionAtLeast pkgs.mongodb-5_0.version mongodb-5_0_26.version;
message = "mongodb 5.0 updated in upstream nixpkgs, override no longer needed";
- in if !isUpdated then mongodb-5_0_26 else lib.warn message pkgs.mongodb-5_0;
+ in
+ if !isUpdated
+ then mongodb-5_0_26
+ else lib.warn message pkgs.mongodb-5_0;
};
networking.firewall = mkIf cfg.enable {
diff --git a/nixos/users/connie.nix b/nixos/users/connie.nix
index 1811f3c2..59c9aca5 100644
--- a/nixos/users/connie.nix
+++ b/nixos/users/connie.nix
@@ -1,4 +1,8 @@
-{config, options, ...}: {
+{
+ config,
+ options,
+ ...
+}: {
config.users = {
users.connieallure = {name, ...}: {
uid = 8003;
@@ -15,7 +19,11 @@
gid = config.users.users.${name}.uid;
};
};
- config.${if options ? networking.firewall then "networking" else null} = {
+ config.${
+ if options ? networking.firewall
+ then "networking"
+ else null
+ } = {
access.peeps.ranges.connieallure = "2604:3d00::/28";
};
}
diff --git a/nixos/wake-chen.nix b/nixos/wake-chen.nix
index 4aa2bf17..1a949d7f 100644
--- a/nixos/wake-chen.nix
+++ b/nixos/wake-chen.nix
@@ -11,21 +11,23 @@
service = "wake-chen";
in {
systemd.services.${service} = {
- path = [ pkgs.wol ];
+ path = [pkgs.wol];
script = ''
exec wol ${chen.network.networks.local.macAddress}
'';
environment = mapOptionDefaults {
WOL_MAC_ADDRESS = chen.network.networks.local.macAddress;
};
- serviceConfig = mapOptionDefaults {
- Type = "oneshot";
- RemainAfterExit = false;
- } // {
- ExecStart = [
- "${getExe pkgs.wol} $WOL_MAC_ADDRESS"
- ];
- };
+ serviceConfig =
+ mapOptionDefaults {
+ Type = "oneshot";
+ RemainAfterExit = false;
+ }
+ // {
+ ExecStart = [
+ "${getExe pkgs.wol} $WOL_MAC_ADDRESS"
+ ];
+ };
};
- services.systemd2mqtt.units = [ "${service}.service" ];
+ services.systemd2mqtt.units = ["${service}.service"];
}
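Review bot: The unit defines both `script` (`exec wol …`) and an explicit `serviceConfig.ExecStart`; as far as I can tell NixOS also turns `script` into an `ExecStart` definition, and `serviceConfig` merges list and string definitions by concatenation, so the oneshot would run the wake-on-LAN packet twice rather than once. Keeping only one of the two forms removes the ambiguity; if the `$WOL_MAC_ADDRESS` environment form is the intended one, drop the `script` block. Worth confirming against the generated unit file before changing.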
diff --git a/nixos/zigbee2mqtt.nix b/nixos/zigbee2mqtt.nix
index 5b10aaa7..5793a00a 100644
--- a/nixos/zigbee2mqtt.nix
+++ b/nixos/zigbee2mqtt.nix
@@ -27,10 +27,15 @@ in {
user = "z2m";
password = "!secret z2m_pass";
server = let
- url = access.proxyUrlFor { serviceName = "mosquitto"; scheme = "mqtt"; getAddressFor = "getAddress4For"; };
- in mkIf (!config.services.mosquitto.enable) (
- mkAlmostDefault url
- );
+ url = access.proxyUrlFor {
+ serviceName = "mosquitto";
+ scheme = "mqtt";
+ getAddressFor = "getAddress4For";
+ };
+ in
+ mkIf (!config.services.mosquitto.enable) (
+ mkAlmostDefault url
+ );
};
homeassistant = true;
permit_join = false;
diff --git a/overlays/barcodebuddy.nix b/overlays/barcodebuddy.nix
index e3fa66b8..8a4fe9c5 100644
--- a/overlays/barcodebuddy.nix
+++ b/overlays/barcodebuddy.nix
@@ -1,4 +1,4 @@
final: prev: let
in {
- barcodebuddy = final.callPackage ../packages/barcodebuddy.nix { };
+ barcodebuddy = final.callPackage ../packages/barcodebuddy.nix {};
}
diff --git a/overlays/default.nix b/overlays/default.nix
index 49ee2b2f..fd6bac54 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -1,7 +1,4 @@
-{
- inputs,
- ...
-}: let
+{inputs, ...}: let
inherit (inputs.self.lib) nixlib;
in rec {
default = nixlib.composeManyExtensions [
diff --git a/overlays/krb5.nix b/overlays/krb5.nix
index bee778ee..4b000761 100644
--- a/overlays/krb5.nix
+++ b/overlays/krb5.nix
@@ -7,22 +7,30 @@ in {
_389-ds-base = let
inherit (prev) _389-ds-base;
drv = _389-ds-base.overrideAttrs (old: {
- patches = old.patches or [ ] ++ [
- ../packages/389-ds-base-fix.patch
- (final.fetchpatch {
- name = "389-ds-base-5973-f_un.patch";
- url = "https://github.com/389ds/389-ds-base/pull/5974.patch";
- sha256 = "sha256-WtctQPZVZSAbPg2tjY7wD8ysI4SKkfyS5tQx0NPhSmY=";
- })
- (final.fetchpatch {
- name = "389-ds-base-5962-f_un.patch";
- url = "https://github.com/389ds/389-ds-base/pull/6089.patch";
- sha256 = "sha256-b0HSaDjuEUKERIXKg8np+lZDdZNmrCTAXybJzF+0hq0=";
- })
- ];
- meta = old.meta // {
- broken = false;
- };
+ patches =
+ old.patches
+ or []
+ ++ [
+ ../packages/389-ds-base-fix.patch
+ (final.fetchpatch {
+ name = "389-ds-base-5973-f_un.patch";
+ url = "https://github.com/389ds/389-ds-base/pull/5974.patch";
+ sha256 = "sha256-WtctQPZVZSAbPg2tjY7wD8ysI4SKkfyS5tQx0NPhSmY=";
+ })
+ (final.fetchpatch {
+ name = "389-ds-base-5962-f_un.patch";
+ url = "https://github.com/389ds/389-ds-base/pull/6089.patch";
+ sha256 = "sha256-b0HSaDjuEUKERIXKg8np+lZDdZNmrCTAXybJzF+0hq0=";
+ })
+ ];
+ meta =
+ old.meta
+ // {
+ broken = false;
+ };
});
- in if _389-ds-base.meta.broken or false && _389-ds-base.version == "2.4.3" then drv else lib.warn "389-ds patch/overlay no longer needed" _389-ds-base;
+ in
+ if _389-ds-base.meta.broken or false && _389-ds-base.version == "2.4.3"
+ then drv
+ else lib.warn "389-ds patch/overlay no longer needed" _389-ds-base;
}
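Review bot: The new layout of `patches` puts `or []` on a line of its own between `old.patches` and `++`, which reads as if the default applied to the whole concatenation; in Nix `or` binds tighter than `++`, so the value is still `(old.patches or []) ++ [...]`, but the split invites misreading. Parenthesising it, `patches = (old.patches or []) ++ [`, makes the precedence explicit and stops the formatter from breaking it apart. The same pattern appears in overlays/samba.nix (`patches`) and packages/minecraft-bedrock/mkaddon.nix (`nativeBuildInputs`, `passthru`). The `fetchpatch` sources are GitHub pull-request `.patch` URLs, which can change when the PR branch is rewritten; the fixed hashes will catch that, but a comment recording which upstream PR state the hash was taken from would help whoever has to refresh them.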
diff --git a/overlays/minecraft.nix b/overlays/minecraft.nix
index c044e370..3d05a48f 100644
--- a/overlays/minecraft.nix
+++ b/overlays/minecraft.nix
@@ -1,12 +1,12 @@
final: prev: let
inherit (final) callPackage callPackages;
in {
- minecraft-bedrock-server = callPackage ../packages/minecraft-bedrock/server.nix { };
- minecraft-bedrock-server-libCrypto = callPackage ../packages/minecraft-bedrock/libcrypto.nix { };
- minecraft-bedrock-server-patchdebug = callPackage ../packages/minecraft-bedrock/patchdebug.nix { };
- minecraft-bedrock-server-patchelf = callPackage ../packages/minecraft-bedrock/patchelf.nix { };
+ minecraft-bedrock-server = callPackage ../packages/minecraft-bedrock/server.nix {};
+ minecraft-bedrock-server-libCrypto = callPackage ../packages/minecraft-bedrock/libcrypto.nix {};
+ minecraft-bedrock-server-patchdebug = callPackage ../packages/minecraft-bedrock/patchdebug.nix {};
+ minecraft-bedrock-server-patchelf = callPackage ../packages/minecraft-bedrock/patchelf.nix {};
- minecraft-bedrock-addons = callPackages ../packages/minecraft-bedrock/addons.nix { };
- mkMinecraftBedrockServerAddon = final.callPackage ../packages/minecraft-bedrock/mkaddon.nix { };
- unzipMcpack = final.callPackage ../packages/minecraft-bedrock/mcpack.nix { };
+ minecraft-bedrock-addons = callPackages ../packages/minecraft-bedrock/addons.nix {};
+ mkMinecraftBedrockServerAddon = final.callPackage ../packages/minecraft-bedrock/mkaddon.nix {};
+ unzipMcpack = final.callPackage ../packages/minecraft-bedrock/mcpack.nix {};
}
diff --git a/overlays/nfs.nix b/overlays/nfs.nix
index 8cac3cdd..ebd3fe6d 100644
--- a/overlays/nfs.nix
+++ b/overlays/nfs.nix
@@ -1,14 +1,18 @@
final: prev: {
# https://github.com/NixOS/nixpkgs/pull/286793
nfs-utils-ldap = prev.nfs-utils.overrideAttrs (old: {
- buildInputs = old.buildInputs ++ [
- final.openldap
- (final.cyrus_sasl.override {
- openssl = final.openssl_legacy;
- })
- ];
- configureFlags = old.configureFlags ++ [
- "--enable-ldap"
- ];
+ buildInputs =
+ old.buildInputs
+ ++ [
+ final.openldap
+ (final.cyrus_sasl.override {
+ openssl = final.openssl_legacy;
+ })
+ ];
+ configureFlags =
+ old.configureFlags
+ ++ [
+ "--enable-ldap"
+ ];
});
}
diff --git a/overlays/nginx.nix b/overlays/nginx.nix
index d57369bc..5db2bf43 100644
--- a/overlays/nginx.nix
+++ b/overlays/nginx.nix
@@ -1,27 +1,36 @@
final: prev: let
inherit (final) lib;
luaOverlay = luafinal: luaprev: let
- mkRestyCore = { nixpkgsVersion, version, sha256 }: luaprev.lua-resty-core.overrideAttrs (old: {
- version = lib.warnIf (old.version != nixpkgsVersion) "lua-resty-core updated upstream" version;
- src = old.src.override {
- rev = "v${version}";
- inherit sha256;
- };
- });
+ mkRestyCore = {
+ nixpkgsVersion,
+ version,
+ sha256,
+ }:
+ luaprev.lua-resty-core.overrideAttrs (old: {
+ version = lib.warnIf (old.version != nixpkgsVersion) "lua-resty-core updated upstream" version;
+ src = old.src.override {
+ rev = "v${version}";
+ inherit sha256;
+ };
+ });
in {
#lua-resty-core = mkRestyCore { nixpkgsVersion = "0.1.24"; version = "0.1.28"; sha256 = "sha256-RJ2wcHTu447wM0h1fa2qCBl4/p9XL6ZqX9pktRW64RI="; };
};
in {
- nginxModules = prev.nginxModules // {
- lua = let
- inherit (prev.nginxModules) lua;
- in lua // lib.warnIf (lua.version != "0.10.26") "nginxModules.lua updated upstream" {
- preConfigure = lib.replaceStrings [ "patch " ] [ "#patch " ] lua.preConfigure;
+ nginxModules =
+ prev.nginxModules
+ // {
+ lua = let
+ inherit (prev.nginxModules) lua;
+ in
+ lua
+ // lib.warnIf (lua.version != "0.10.26") "nginxModules.lua updated upstream" {
+ preConfigure = lib.replaceStrings ["patch "] ["#patch "] lua.preConfigure;
+ };
};
- };
luaInterpreters = prev.luaInterpreters.override (old: {
callPackage = final.newScope {
- packageOverrides = lib.composeExtensions (final.packageOverrides or (_: _: { })) luaOverlay;
+ packageOverrides = lib.composeExtensions (final.packageOverrides or (_: _: {})) luaOverlay;
};
});
}
diff --git a/overlays/openwebrxplus.nix b/overlays/openwebrxplus.nix
index 3cf6563c..640df71c 100644
--- a/overlays/openwebrxplus.nix
+++ b/overlays/openwebrxplus.nix
@@ -1,4 +1,4 @@
final: prev: let
in {
openwebrxplus = final.python3Packages.callPackage ../packages/openwebrxplus.nix {};
-}
\ No newline at end of file
+}
diff --git a/overlays/samba.nix b/overlays/samba.nix
index 8c283f6b..613464a8 100644
--- a/overlays/samba.nix
+++ b/overlays/samba.nix
@@ -4,24 +4,30 @@ in {
freeipa-ipasam = let
attrs = old: {
pname = "freeipa-ipasam";
- patches = old.patches or [ ] ++ [
- ../packages/freeipa-ipasam.patch
- ];
+ patches =
+ old.patches
+ or []
+ ++ [
+ ../packages/freeipa-ipasam.patch
+ ];
configureFlags = lib.filter (f: f != "--disable-server") old.configureFlags;
};
overrides = {
samba = final.samba-ldap;
};
- in (final.freeipa.override overrides).overrideAttrs attrs;
+ in
+ (final.freeipa.override overrides).overrideAttrs attrs;
samba-ldap = final.samba.override {
enableLDAP = true;
};
samba-ipa = final.samba-ldap.overrideAttrs (old: {
- buildInputs = old.buildInputs ++ [
- final.freeipa-ipasam
- ];
+ buildInputs =
+ old.buildInputs
+ ++ [
+ final.freeipa-ipasam
+ ];
postInstall = ''
${old.postInstall or ""}
cp -a ${final.freeipa-ipasam}/lib/samba/pdb/ipasam.so $out/lib/samba/pdb/
diff --git a/packages/barcodebuddy.nix b/packages/barcodebuddy.nix
index ec9a889f..17afb22d 100644
--- a/packages/barcodebuddy.nix
+++ b/packages/barcodebuddy.nix
@@ -8,22 +8,23 @@
inherit (lib.trivial) importJSON;
lock = importJSON ../flake.lock;
inherit (lock.nodes) barcodebuddy;
-in stdenvNoCC.mkDerivation {
- pname = "barcodebuddy";
- version = removePrefix "v" barcodebuddy.original.ref;
- src = fetchFromGitHub {
- inherit (barcodebuddy.locked) repo owner rev;
- sha256 = barcodebuddy.locked.narHash;
- };
- skipConfigure = true;
- skipBuild = true;
+in
+ stdenvNoCC.mkDerivation {
+ pname = "barcodebuddy";
+ version = removePrefix "v" barcodebuddy.original.ref;
+ src = fetchFromGitHub {
+ inherit (barcodebuddy.locked) repo owner rev;
+ sha256 = barcodebuddy.locked.narHash;
+ };
+ skipConfigure = true;
+ skipBuild = true;
- installPhase = ''
- runHook preInstall
+ installPhase = ''
+ runHook preInstall
- install -d $out
- cp -ar api/ incl/ locales/ menu/ plugins/ *.php $out/
+ install -d $out
+ cp -ar api/ incl/ locales/ menu/ plugins/ *.php $out/
- runHook postInstall
- '';
-}
+ runHook postInstall
+ '';
+ }
diff --git a/packages/default.nix b/packages/default.nix
index d8242850..762e7389 100644
--- a/packages/default.nix
+++ b/packages/default.nix
@@ -42,13 +42,17 @@
;
inherit (inputs.deploy-rs.packages.${system}) deploy-rs;
- inherit (pkgs)
- freeipa-ipasam samba-ldap samba-ipa
+ inherit
+ (pkgs)
+ freeipa-ipasam
+ samba-ldap
+ samba-ipa
krb5-ldap
nfs-utils-ldap
barcodebuddy
openwebrxplus
- systemd2mqtt;
+ systemd2mqtt
+ ;
nf-setup-node = let
reisen = ../systems/reisen;
diff --git a/packages/minecraft-bedrock/addons.nix b/packages/minecraft-bedrock/addons.nix
index 8f8e814c..72cec871 100644
--- a/packages/minecraft-bedrock/addons.nix
+++ b/packages/minecraft-bedrock/addons.nix
@@ -1,4 +1,8 @@
-{ lib, mkMinecraftBedrockServerAddon, fetchurl }: let
+{
+ lib,
+ mkMinecraftBedrockServerAddon,
+ fetchurl,
+}: let
inherit (lib.attrsets) mapAttrs;
true-tree-capitator = {
version = "1.2";
@@ -7,61 +11,72 @@
sourceRoot = ".";
meta.homepage = "https://www.curseforge.com/minecraft-bedrock/addons/tree-capitator";
};
- true-tree-capitator-bp = true-tree-capitator // {
- pname = "true-tree-capitator-bp";
- mcpackId = "4d0f6078-f2f9-415f-9848-b36b008127b4";
- mcpackType = "behavior_packs";
- src = fetchurl {
- name = "Tree-capitator-BP-v1.2.mcpack";
- url = "https://mediafilez.forgecdn.net/files/5237/589/Tree%20capitator%20%5BBP%5D%20v1.2.mcpack";
- sha256 = "c4b702be4dd45707b66ef3cfda578695347caa6a43ead30c06dc17cd14a00040";
+ true-tree-capitator-bp =
+ true-tree-capitator
+ // {
+ pname = "true-tree-capitator-bp";
+ mcpackId = "4d0f6078-f2f9-415f-9848-b36b008127b4";
+ mcpackType = "behavior_packs";
+ src = fetchurl {
+ name = "Tree-capitator-BP-v1.2.mcpack";
+ url = "https://mediafilez.forgecdn.net/files/5237/589/Tree%20capitator%20%5BBP%5D%20v1.2.mcpack";
+ sha256 = "c4b702be4dd45707b66ef3cfda578695347caa6a43ead30c06dc17cd14a00040";
+ };
+ postPatch = ''
+ substituteInPlace manifest.json \
+ --replace "1.10.0-beta" "1.11.0-beta"
+ '';
};
- postPatch = ''
- substituteInPlace manifest.json \
- --replace "1.10.0-beta" "1.11.0-beta"
- '';
- };
- true-tree-capitator-rp = true-tree-capitator // {
- pname = "true-tree-capitator-rp";
- mcpackId = "811af5f4-929b-4d77-aed4-119486b6c0a0";
- mcpackType = "resource_packs";
- src = fetchurl {
- name = "Tree-capitator-RP-v1.2.mcpack";
- url = "https://mediafilez.forgecdn.net/files/5237/590/Tree%20capitator%20%5BRP%5D%20v1.2.mcpack";
- sha256 = "66c850106c7fa1764b32f20c555c1bb5e7e6905f3cbea4b429ca076e7a4cc31f";
+ true-tree-capitator-rp =
+ true-tree-capitator
+ // {
+ pname = "true-tree-capitator-rp";
+ mcpackId = "811af5f4-929b-4d77-aed4-119486b6c0a0";
+ mcpackType = "resource_packs";
+ src = fetchurl {
+ name = "Tree-capitator-RP-v1.2.mcpack";
+ url = "https://mediafilez.forgecdn.net/files/5237/590/Tree%20capitator%20%5BRP%5D%20v1.2.mcpack";
+ sha256 = "66c850106c7fa1764b32f20c555c1bb5e7e6905f3cbea4b429ca076e7a4cc31f";
+ };
};
- };
definitive-tree-capitator = {
version = "1.0.0";
mcpackVersion = "1.0.0";
meta.homepage = "https://www.curseforge.com/minecraft-bedrock/addons/definitive-tree-capitator-addon";
};
- definitive-tree-capitator-bh = definitive-tree-capitator // {
- pname = "definitive-tree-capitator-bh";
- mcpackId = "b3538a6c-3e42-400a-9ed0-5ec1670b796c";
- mcpackType = "behavior_packs";
- mcVersion = "1.20.20";
- src = fetchurl {
- url = "https://mediafilez.forgecdn.net/files/5214/136/Definitive%20Tree%20Capitator%20BH.mcpack";
- sha256 = "941564d65386fd2701dfe017408d8c1d5b6d6a90a017e60b7ef9f6ff6de7b51a";
+ definitive-tree-capitator-bh =
+ definitive-tree-capitator
+ // {
+ pname = "definitive-tree-capitator-bh";
+ mcpackId = "b3538a6c-3e42-400a-9ed0-5ec1670b796c";
+ mcpackType = "behavior_packs";
+ mcVersion = "1.20.20";
+ src = fetchurl {
+ url = "https://mediafilez.forgecdn.net/files/5214/136/Definitive%20Tree%20Capitator%20BH.mcpack";
+ sha256 = "941564d65386fd2701dfe017408d8c1d5b6d6a90a017e60b7ef9f6ff6de7b51a";
+ };
+ patches = [
+ ./definitive-tree-capitator-bh.patch
+ ];
};
- patches = [
- ./definitive-tree-capitator-bh.patch
- ];
- };
- definitive-tree-capitator-rs = definitive-tree-capitator // {
- pname = "definitive-tree-capitator-rs";
- mcpackId = "e01dd561-a1d9-45d0-b6ad-cd3858b93fe7";
- mcpackType = "resource_packs";
- mcVersion = "1.13.0";
- src = fetchurl {
- url = "https://mediafilez.forgecdn.net/files/5214/134/Definitive%20Tree%20Capitator%20RS.mcpack";
- sha256 = "22c8ff1c85720052d9f2a0af1c205b5457a9bb806d65125cff3751fdbe22b864";
+ definitive-tree-capitator-rs =
+ definitive-tree-capitator
+ // {
+ pname = "definitive-tree-capitator-rs";
+ mcpackId = "e01dd561-a1d9-45d0-b6ad-cd3858b93fe7";
+ mcpackType = "resource_packs";
+ mcVersion = "1.13.0";
+ src = fetchurl {
+ url = "https://mediafilez.forgecdn.net/files/5214/134/Definitive%20Tree%20Capitator%20RS.mcpack";
+ sha256 = "22c8ff1c85720052d9f2a0af1c205b5457a9bb806d65125cff3751fdbe22b864";
+ };
};
- };
-in mapAttrs (_: mkMinecraftBedrockServerAddon) {
- inherit
- true-tree-capitator-bp true-tree-capitator-rp
- definitive-tree-capitator-bh definitive-tree-capitator-rs
- ;
-}
+in
+ mapAttrs (_: mkMinecraftBedrockServerAddon) {
+ inherit
+ true-tree-capitator-bp
+ true-tree-capitator-rp
+ definitive-tree-capitator-bh
+ definitive-tree-capitator-rs
+ ;
+ }
diff --git a/packages/minecraft-bedrock/libcrypto.nix b/packages/minecraft-bedrock/libcrypto.nix
index dc528c8b..55bfbc4d 100644
--- a/packages/minecraft-bedrock/libcrypto.nix
+++ b/packages/minecraft-bedrock/libcrypto.nix
@@ -1,20 +1,30 @@
-{ lib, minecraft-bedrock-server, stdenv, autoPatchelfHook, curl, gcc-unwrapped, unzip, openssl }: let
+{
+ lib,
+ minecraft-bedrock-server,
+ stdenv,
+ autoPatchelfHook,
+ curl,
+ gcc-unwrapped,
+ unzip,
+ openssl,
+}: let
inherit (lib.strings) versionAtLeast;
-in stdenv.mkDerivation {
- pname = "${minecraft-bedrock-server.pname}-libcrypto";
- inherit (minecraft-bedrock-server) version src sourceRoot;
- nativeBuildInputs = [
- autoPatchelfHook
- curl
- gcc-unwrapped
- openssl
- unzip
- ];
- installPhase = ''
- install -m755 -D libCrypto.so $out/lib/libCrypto.so
- '';
- fixupPhase = ''
- autoPatchelf $out/lib/libCrypto.so
- '';
- meta.broken = versionAtLeast minecraft-bedrock-server.version "1.20";
-}
+in
+ stdenv.mkDerivation {
+ pname = "${minecraft-bedrock-server.pname}-libcrypto";
+ inherit (minecraft-bedrock-server) version src sourceRoot;
+ nativeBuildInputs = [
+ autoPatchelfHook
+ curl
+ gcc-unwrapped
+ openssl
+ unzip
+ ];
+ installPhase = ''
+ install -m755 -D libCrypto.so $out/lib/libCrypto.so
+ '';
+ fixupPhase = ''
+ autoPatchelf $out/lib/libCrypto.so
+ '';
+ meta.broken = versionAtLeast minecraft-bedrock-server.version "1.20";
+ }
diff --git a/packages/minecraft-bedrock/mcpack.nix b/packages/minecraft-bedrock/mcpack.nix
index 886e853f..aa313b35 100644
--- a/packages/minecraft-bedrock/mcpack.nix
+++ b/packages/minecraft-bedrock/mcpack.nix
@@ -1,6 +1,11 @@
-{ stdenvNoCC, unzip, writeText }: stdenvNoCC.mkDerivation {
+{
+ stdenvNoCC,
+ unzip,
+ writeText,
+}:
+stdenvNoCC.mkDerivation {
name = "unzip-mcpack";
- propagatedBuildInputs = [ unzip ];
+ propagatedBuildInputs = [unzip];
dontUnpack = true;
setupHook = writeText "mcpack-setup-hook.sh" ''
unpackCmdHooks+=(_tryUnzipMcpack)
diff --git a/packages/minecraft-bedrock/mkaddon.nix b/packages/minecraft-bedrock/mkaddon.nix
index 1bc34290..0603c05c 100644
--- a/packages/minecraft-bedrock/mkaddon.nix
+++ b/packages/minecraft-bedrock/mkaddon.nix
@@ -1,42 +1,62 @@
-{ stdenvNoCC, unzipMcpack, minecraft-bedrock-server, lib }:
{
+ stdenvNoCC,
+ unzipMcpack,
+ minecraft-bedrock-server,
+ lib,
+}: {
src,
pname,
version,
mcpackVersion ? version,
mcVersion ? null,
mcpackId,
- mcpackModules ? [ ],
+ mcpackModules ? [],
mcpackDir ? pname,
mcpackType, # "behavior_packs" or "resource_packs" etc
...
-}@args: let
+} @ args: let
inherit (lib.strings) optionalString splitString;
inherit (minecraft-bedrock-server) dataDir;
- argNames = [ "mcpackModules" "mcpackVersion" "mcpackId" ];
-in stdenvNoCC.mkDerivation (removeAttrs args argNames // {
- inherit dataDir mcpackType mcpackDir;
- version = version + optionalString (mcVersion != null) "-${mcVersion}";
- nativeBuildInputs = args.nativeBuildInputs or [ ] ++ [
- unzipMcpack
- ];
- installPhase = args.installPhase or ''
- install -d "$out$dataDir/$mcpackType/$mcpackDir"
- cp -a ./* "$out$dataDir/$mcpackType/$mcpackDir/"
+ argNames = ["mcpackModules" "mcpackVersion" "mcpackId"];
+in
+ stdenvNoCC.mkDerivation (removeAttrs args argNames
+ // {
+ inherit dataDir mcpackType mcpackDir;
+ version = version + optionalString (mcVersion != null) "-${mcVersion}";
+ nativeBuildInputs =
+ args.nativeBuildInputs
+ or []
+ ++ [
+ unzipMcpack
+ ];
+ installPhase =
+ args.installPhase
+ or ''
+ install -d "$out$dataDir/$mcpackType/$mcpackDir"
+ cp -a ./* "$out$dataDir/$mcpackType/$mcpackDir/"
- install ./manifest.json $manifest
- '';
- outputs = [ "out" "manifest" ];
- passthru = args.passthru or { } // {
- minecraft-bedrock = args.passthru.minecraft-bedrock or { } // {
- pack = args.passthru.minecraft-bedrock.pack or { } // {
- pack_id = mcpackId;
- modules = mcpackModules;
- version = splitString "." mcpackVersion;
- type = mcpackType;
- dir = mcpackDir;
- subPath = "${dataDir}/${mcpackType}/${mcpackDir}";
- };
- };
- };
-})
+ install ./manifest.json $manifest
+ '';
+ outputs = ["out" "manifest"];
+ passthru =
+ args.passthru
+ or {}
+ // {
+ minecraft-bedrock =
+ args.passthru.minecraft-bedrock
+ or {}
+ // {
+ pack =
+ args.passthru.minecraft-bedrock.pack
+ or {}
+ // {
+ pack_id = mcpackId;
+ modules = mcpackModules;
+ version = splitString "." mcpackVersion;
+ type = mcpackType;
+ dir = mcpackDir;
+ subPath = "${dataDir}/${mcpackType}/${mcpackDir}";
+ };
+ };
+ };
+ })
diff --git a/packages/minecraft-bedrock/patchdebug.nix b/packages/minecraft-bedrock/patchdebug.nix
index 92b36bd4..ee0d6e2f 100644
--- a/packages/minecraft-bedrock/patchdebug.nix
+++ b/packages/minecraft-bedrock/patchdebug.nix
@@ -1,7 +1,11 @@
-{ lib, python3, writeTextFile }: let
+{
+ lib,
+ python3,
+ writeTextFile,
+}: let
# https://github.com/minecraft-linux/server-modloader/tree/master?tab=readme-ov-file#getting-mods-to-work-on-newer-versions-116
inherit (lib.meta) getExe;
- python = python3.withPackages (p: [ p.lief ]);
+ python = python3.withPackages (p: [p.lief]);
script = ''
import lief
import sys
@@ -12,13 +16,14 @@
lib_symbols.write(sys.argv[2])
'';
name = "minecraft-bedrock-server-patchdebug";
-in writeTextFile {
- name = "${name}.py";
- destination = "/bin/${name}";
- executable = true;
- text = ''
- #!${getExe python}
- ${script}
- '';
- meta.mainProgram = name;
-}
+in
+ writeTextFile {
+ name = "${name}.py";
+ destination = "/bin/${name}";
+ executable = true;
+ text = ''
+ #!${getExe python}
+ ${script}
+ '';
+ meta.mainProgram = name;
+ }
diff --git a/packages/minecraft-bedrock/patchelf.nix b/packages/minecraft-bedrock/patchelf.nix
index da88a1af..fc5f13f1 100644
--- a/packages/minecraft-bedrock/patchelf.nix
+++ b/packages/minecraft-bedrock/patchelf.nix
@@ -1,4 +1,5 @@
-{ patchelf }: patchelf.overrideDerivation (old: {
+{patchelf}:
+patchelf.overrideDerivation (old: {
postPatch = ''
substituteInPlace src/patchelf.cc \
--replace "32 * 1024 * 1024" "512 * 1024 * 1024"
diff --git a/packages/minecraft-bedrock/server.nix b/packages/minecraft-bedrock/server.nix
index 52c07b74..a38918e7 100644
--- a/packages/minecraft-bedrock/server.nix
+++ b/packages/minecraft-bedrock/server.nix
@@ -1,48 +1,53 @@
-{ stdenv
-, fetchurl
-, minecraft-bedrock-server-patchelf
-, minecraft-bedrock-server-patchdebug
-#, minecraft-bedrock-server-libCrypto
-, autoPatchelfHook
-, curl, gcc-unwrapped, openssl, unzip
-, lib
+{
+ stdenv,
+ fetchurl,
+ minecraft-bedrock-server-patchelf,
+ minecraft-bedrock-server-patchdebug,
+ #, minecraft-bedrock-server-libCrypto
+ autoPatchelfHook,
+ curl,
+ gcc-unwrapped,
+ openssl,
+ unzip,
+ lib,
}: let
inherit (lib) licenses;
-in stdenv.mkDerivation rec {
- pname = "minecraft-bedrock-server";
- version = "1.20.80.05";
- src = fetchurl {
- url = "https://minecraft.azureedge.net/bin-linux/bedrock-server-${version}.zip";
- sha256 = "sha256-6vZx29FOXRR7Rzx82Axo3a/Em+9cpK7Hj3cuDRnW9+8=";
- };
- sourceRoot = ".";
- nativeBuildInputs = [
- minecraft-bedrock-server-patchelf
- minecraft-bedrock-server-patchdebug
- autoPatchelfHook
- curl
- gcc-unwrapped
- #minecraft-bedrock-server-libCrypto
- openssl
- unzip
- ];
- buildPhase = ''
- minecraft-bedrock-server-patchdebug bedrock_server_symbols.debug bedrock_server_symbols_patched.debug
- '';
- dataDir = "/var/lib/minecraft-bedrock";
- installPhase = ''
- install -m755 -D bedrock_server $out/bin/bedrock_server
- install -d $out$dataDir
- cp -a definitions behavior_packs resource_packs config env-vars *.json *.debug *.properties $out$dataDir/
- '';
- fixupPhase = ''
- autoPatchelf $out/bin/bedrock_server
- '';
- dontStrip = true;
+in
+ stdenv.mkDerivation rec {
+ pname = "minecraft-bedrock-server";
+ version = "1.20.80.05";
+ src = fetchurl {
+ url = "https://minecraft.azureedge.net/bin-linux/bedrock-server-${version}.zip";
+ sha256 = "sha256-6vZx29FOXRR7Rzx82Axo3a/Em+9cpK7Hj3cuDRnW9+8=";
+ };
+ sourceRoot = ".";
+ nativeBuildInputs = [
+ minecraft-bedrock-server-patchelf
+ minecraft-bedrock-server-patchdebug
+ autoPatchelfHook
+ curl
+ gcc-unwrapped
+ #minecraft-bedrock-server-libCrypto
+ openssl
+ unzip
+ ];
+ buildPhase = ''
+ minecraft-bedrock-server-patchdebug bedrock_server_symbols.debug bedrock_server_symbols_patched.debug
+ '';
+ dataDir = "/var/lib/minecraft-bedrock";
+ installPhase = ''
+ install -m755 -D bedrock_server $out/bin/bedrock_server
+ install -d $out$dataDir
+ cp -a definitions behavior_packs resource_packs config env-vars *.json *.debug *.properties $out$dataDir/
+ '';
+ fixupPhase = ''
+ autoPatchelf $out/bin/bedrock_server
+ '';
+ dontStrip = true;
- meta = {
- platforms = [ "x86_64-linux" ];
- license = licenses.unfree;
- mainProgram = "bedrock_server";
- };
-}
+ meta = {
+ platforms = ["x86_64-linux"];
+ license = licenses.unfree;
+ mainProgram = "bedrock_server";
+ };
+ }
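Review bot: The disabled input in the argument set still carries the old leading-comma style, `#, minecraft-bedrock-server-libCrypto`, while every live entry now ends with a trailing comma, so uncommenting it in the new layout would produce a syntax error. Rewriting it as `# minecraft-bedrock-server-libCrypto,` matches the surrounding style; the corresponding `#minecraft-bedrock-server-libCrypto` entry in `nativeBuildInputs` is already fine. `dontStrip = true;` on a prebuilt unfree binary also deserves a why-comment, presumably to keep the shipped `.debug` symbol files consistent with the patched binary — confirm and record it.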
diff --git a/packages/openwebrxplus.nix b/packages/openwebrxplus.nix
index 3fdac47f..33e4e693 100644
--- a/packages/openwebrxplus.nix
+++ b/packages/openwebrxplus.nix
@@ -1,11 +1,24 @@
-{ stdenv, lib, buildPythonPackage, buildPythonApplication, fetchFromGitHub
-, pkg-config, cmake, ninja, setuptools, python
-, libsamplerate, fftwFloat
-, rtl-sdr, soapysdr-with-plugins, pydigiham, direwolf, sox, wsjtx, codecserver
-}:
-
-let
-
+{
+ stdenv,
+ lib,
+ buildPythonPackage,
+ buildPythonApplication,
+ fetchFromGitHub,
+ pkg-config,
+ cmake,
+ ninja,
+ setuptools,
+ python,
+ libsamplerate,
+ fftwFloat,
+ rtl-sdr,
+ soapysdr-with-plugins,
+ pydigiham,
+ direwolf,
+ sox,
+ wsjtx,
+ codecserver,
+}: let
js8py = buildPythonPackage rec {
pname = "js8py";
version = "0.1.1";
@@ -17,7 +30,7 @@ let
sha256 = "1j80zclg1cl5clqd00qqa16prz7cyc32bvxqz2mh540cirygq24w";
};
- pythonImportsCheck = [ "js8py" "test" ];
+ pythonImportsCheck = ["js8py" "test"];
meta = with lib; {
homepage = "https://github.com/jketterl/js8py";
@@ -27,144 +40,143 @@ let
};
};
-csdr-eti = stdenv.mkDerivation rec {
- pname = "csdr-eti";
- version = "0.0.11";
+ csdr-eti = stdenv.mkDerivation rec {
+ pname = "csdr-eti";
+ version = "0.0.11";
- src = fetchFromGitHub {
- owner = "luarvique";
- repo = pname;
- rev = version;
- hash = "sha256-jft4zi1mLU6zZ+2gsym/3Xu8zkKL0MeoztcyMPM0RYI=";
+ src = fetchFromGitHub {
+ owner = "luarvique";
+ repo = pname;
+ rev = version;
+ hash = "sha256-jft4zi1mLU6zZ+2gsym/3Xu8zkKL0MeoztcyMPM0RYI=";
+ };
+
+ nativeBuildInputs = [
+ cmake
+ ninja
+ pkg-config
+ ];
+
+ propagatedBuildInputs = [
+ fftwFloat
+ libsamplerate
+ ];
+ buildInputs = [
+ csdr
+ ];
+
+ hardeningDisable = lib.optional stdenv.isAarch64 "format";
+
+ meta = with lib; {
+ homepage = "https://github.com/jketterl/csdr";
+ description = "A simple DSP library and command-line tool for Software Defined Radio";
+ license = licenses.gpl3Only;
+ platforms = platforms.unix;
+ broken = stdenv.isDarwin;
+ maintainers = teams.c3d2.members;
+ };
};
- nativeBuildInputs = [
- cmake
- ninja
- pkg-config
- ];
+ csdr = stdenv.mkDerivation rec {
+ pname = "csdr";
+ version = "0.18.23";
- propagatedBuildInputs = [
- fftwFloat
- libsamplerate
- ];
- buildInputs = [
- csdr
- ];
+ src = fetchFromGitHub {
+ owner = "luarvique";
+ repo = pname;
+ rev = version;
+ hash = "sha256-Q7g1OqfpAP6u78zyHjLP2ASGYKNKCAVv8cgGwytZ+cE=";
+ };
- hardeningDisable = lib.optional stdenv.isAarch64 "format";
+ nativeBuildInputs = [
+ cmake
+ ninja
+ pkg-config
+ ];
- meta = with lib; {
- homepage = "https://github.com/jketterl/csdr";
- description = "A simple DSP library and command-line tool for Software Defined Radio";
- license = licenses.gpl3Only;
- platforms = platforms.unix;
- broken = stdenv.isDarwin;
- maintainers = teams.c3d2.members;
- };
-};
+ propagatedBuildInputs = [
+ fftwFloat
+ libsamplerate
+ ];
-csdr = stdenv.mkDerivation rec {
- pname = "csdr";
- version = "0.18.23";
+ hardeningDisable = lib.optional stdenv.isAarch64 "format";
- src = fetchFromGitHub {
- owner = "luarvique";
- repo = pname;
- rev = version;
- hash = "sha256-Q7g1OqfpAP6u78zyHjLP2ASGYKNKCAVv8cgGwytZ+cE=";
+ postFixup = ''
+ substituteInPlace "$out"/lib/pkgconfig/csdr.pc \
+ --replace '=''${prefix}//' '=/' \
+ --replace '=''${exec_prefix}//' '=/'
+ '';
+
+ meta = with lib; {
+ homepage = "https://github.com/jketterl/csdr";
+ description = "A simple DSP library and command-line tool for Software Defined Radio";
+ license = licenses.gpl3Only;
+ platforms = platforms.unix;
+ broken = stdenv.isDarwin;
+ maintainers = teams.c3d2.members;
+ };
};
- nativeBuildInputs = [
- cmake
- ninja
- pkg-config
- ];
+ pycsdr-eti = buildPythonPackage rec {
+ pname = "pycsdr-eti";
+ version = "0.0.11";
+ format = "setuptools";
- propagatedBuildInputs = [
- fftwFloat
- libsamplerate
- ];
+ src = fetchFromGitHub {
+ owner = "luarvique";
+ repo = "pycsdr-eti";
+ rev = version;
+ hash = "sha256-pjY5sxHvuDTUDxpdhWk8U7ibwxHznyywEqj1btAyXBE=";
+ };
- hardeningDisable = lib.optional stdenv.isAarch64 "format";
+ postPatch = ''
+ substituteInPlace setup.py \
+ --replace ', "fftw3"' ""
+ '';
- postFixup = ''
- substituteInPlace "$out"/lib/pkgconfig/csdr.pc \
- --replace '=''${prefix}//' '=/' \
- --replace '=''${exec_prefix}//' '=/'
- '';
+ propagatedBuildInputs = [pycsdr];
+ buildInputs = [csdr-eti csdr];
+ NIX_CFLAGS_COMPILE = [
+ "-I${pycsdr}/include/${python.libPrefix}"
+ ];
- meta = with lib; {
- homepage = "https://github.com/jketterl/csdr";
- description = "A simple DSP library and command-line tool for Software Defined Radio";
- license = licenses.gpl3Only;
- platforms = platforms.unix;
- broken = stdenv.isDarwin;
- maintainers = teams.c3d2.members;
- };
-};
+ # has no tests
+ doCheck = false;
+ pythonImportsCheck = ["csdreti"];
-
-pycsdr-eti = buildPythonPackage rec {
- pname = "pycsdr-eti";
- version = "0.0.11";
- format = "setuptools";
-
- src = fetchFromGitHub {
- owner = "luarvique";
- repo = "pycsdr-eti";
- rev = version;
- hash = "sha256-pjY5sxHvuDTUDxpdhWk8U7ibwxHznyywEqj1btAyXBE=";
+ meta = {
+ homepage = "https://github.com/jketterl/pycsdr";
+ description = "bindings for the csdr library";
+ license = lib.licenses.gpl3Only;
+ maintainers = lib.teams.c3d2.members;
+ };
};
- postPatch = ''
- substituteInPlace setup.py \
- --replace ', "fftw3"' ""
- '';
+ pycsdr = buildPythonPackage rec {
+ pname = "pycsdr";
+ version = "0.18.23";
+ format = "setuptools";
- propagatedBuildInputs = [ pycsdr ];
- buildInputs = [ csdr-eti csdr ];
- NIX_CFLAGS_COMPILE = [
- "-I${pycsdr}/include/${python.libPrefix}"
- ];
+ src = fetchFromGitHub {
+ owner = "luarvique";
+ repo = "pycsdr";
+ rev = version;
+ hash = "sha256-NjRBC7bhq2bMlRI0Q8bcGcneD/HlAO6l/0As3/lk4e8=";
+ };
- # has no tests
- doCheck = false;
- pythonImportsCheck = [ "csdreti" ];
+ buildInputs = [csdr];
- meta = {
- homepage = "https://github.com/jketterl/pycsdr";
- description = "bindings for the csdr library";
- license = lib.licenses.gpl3Only;
- maintainers = lib.teams.c3d2.members;
+ # has no tests
+ doCheck = false;
+ pythonImportsCheck = ["pycsdr"];
+
+ meta = {
+ homepage = "https://github.com/jketterl/pycsdr";
+ description = "bindings for the csdr library";
+ license = lib.licenses.gpl3Only;
+ maintainers = lib.teams.c3d2.members;
+ };
};
-};
-
-pycsdr = buildPythonPackage rec {
- pname = "pycsdr";
- version = "0.18.23";
- format = "setuptools";
-
- src = fetchFromGitHub {
- owner = "luarvique";
- repo = "pycsdr";
- rev = version;
- hash = "sha256-NjRBC7bhq2bMlRI0Q8bcGcneD/HlAO6l/0As3/lk4e8=";
- };
-
- buildInputs = [ csdr ];
-
- # has no tests
- doCheck = false;
- pythonImportsCheck = [ "pycsdr" ];
-
- meta = {
- homepage = "https://github.com/jketterl/pycsdr";
- description = "bindings for the csdr library";
- license = lib.licenses.gpl3Only;
- maintainers = lib.teams.c3d2.members;
- };
-};
owrx_connector = stdenv.mkDerivation rec {
pname = "owrx_connector";
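Review bot: `hardeningDisable = lib.optional stdenv.isAarch64 "format";` in both `csdr-eti` and `csdr` turns off format-string hardening on aarch64 without saying why, and the reformat is a good moment to record it. A comment such as `# format hardening disabled on aarch64 — presumably the build fails with format warnings promoted to errors; re-enable once upstream fixes them` (adjusted to the actual failure) lets a later maintainer restore the hardening instead of inheriting the opt-out. The `owrx_connector` definition continues outside this hunk.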
@@ -184,7 +196,8 @@ pycsdr = buildPythonPackage rec {
];
buildInputs = [
- libsamplerate fftwFloat
+ libsamplerate
+ fftwFloat
csdr
rtl-sdr
soapysdr-with-plugins
@@ -198,51 +211,50 @@ pycsdr = buildPythonPackage rec {
maintainers = teams.c3d2.members;
};
};
-
in
-buildPythonApplication rec {
- pname = "openwebrxplus";
- version = "1.2.49";
+ buildPythonApplication rec {
+ pname = "openwebrxplus";
+ version = "1.2.49";
- src = fetchFromGitHub {
- owner = "luarvique";
- repo = "openwebrx";
- rev = version;
- sha256 = "sha256-QHgt0JGV4E8vOZpY3UwxbtBV38NZBXNrc2asYbHjEqo=";
- };
+ src = fetchFromGitHub {
+ owner = "luarvique";
+ repo = "openwebrx";
+ rev = version;
+ sha256 = "sha256-QHgt0JGV4E8vOZpY3UwxbtBV38NZBXNrc2asYbHjEqo=";
+ };
- nativeBuildInputs = [
- setuptools
- ];
+ nativeBuildInputs = [
+ setuptools
+ ];
- propagatedBuildInputs = [
- setuptools
- pycsdr
- pycsdr-eti
- pydigiham
- js8py
-owrx_connector
- soapysdr-with-plugins
- ];
+ propagatedBuildInputs = [
+ setuptools
+ pycsdr
+ pycsdr-eti
+ pydigiham
+ js8py
+ owrx_connector
+ soapysdr-with-plugins
+ ];
- buildInputs = [
- direwolf
- sox
- wsjtx
- codecserver
- ];
+ buildInputs = [
+ direwolf
+ sox
+ wsjtx
+ codecserver
+ ];
- pythonImportsCheck = [ "csdr" "owrx" "test" ];
+ pythonImportsCheck = ["csdr" "owrx" "test"];
- passthru = {
- inherit js8py owrx_connector pycsdr csdr;
- };
+ passthru = {
+ inherit js8py owrx_connector pycsdr csdr;
+ };
- meta = with lib; {
- homepage = "https://github.com/luarvique/openwebrx";
- description = "A simple DSP library and command-line tool for Software Defined Radio";
- mainProgram = "openwebrx";
- license = licenses.gpl3Only;
- maintainers = teams.c3d2.members;
- };
-}
\ No newline at end of file
+ meta = with lib; {
+ homepage = "https://github.com/luarvique/openwebrx";
+ description = "A simple DSP library and command-line tool for Software Defined Radio";
+ mainProgram = "openwebrx";
+ license = licenses.gpl3Only;
+ maintainers = teams.c3d2.members;
+ };
+ }
diff --git a/systems/extern-test/default.nix b/systems/extern-test/default.nix
index 0b15cd1c..8772ced1 100644
--- a/systems/extern-test/default.nix
+++ b/systems/extern-test/default.nix
@@ -1,4 +1,8 @@
-{ inputs, lib, ... }: let
+{
+ inputs,
+ lib,
+ ...
+}: let
inherit (lib.modules) mkForce;
in {
arch = "x86_64";
@@ -6,10 +10,16 @@ in {
modules = mkForce [
./nixos.nix
];
- builder = mkForce ({ modules, system, specialArgs, ... }: inputs.nixpkgs.lib.nixosSystem {
- inherit modules system;
- specialArgs = {
- extern'test'inputs = specialArgs.inputs;
- };
- });
+ builder = mkForce ({
+ modules,
+ system,
+ specialArgs,
+ ...
+ }:
+ inputs.nixpkgs.lib.nixosSystem {
+ inherit modules system;
+ specialArgs = {
+ extern'test'inputs = specialArgs.inputs;
+ };
+ });
}
diff --git a/systems/extern-test/nixos.nix b/systems/extern-test/nixos.nix
index c9187cd4..acbcdcba 100644
--- a/systems/extern-test/nixos.nix
+++ b/systems/extern-test/nixos.nix
@@ -1,7 +1,4 @@
-{
- extern'test'inputs,
- ...
-}: let
+{extern'test'inputs, ...}: let
inherit (extern'test'inputs.self) nixosModules homeModules;
in {
imports = [
@@ -53,7 +50,7 @@ in {
sharedModules = [
homeModules.default
];
- users.me = { config, ... }: {
+ users.me = {config, ...}: {
config = {
home.stateVersion = "23.11";
gensokyo-zone = {
diff --git a/systems/hakurei/default.nix b/systems/hakurei/default.nix
index 8a4f9da6..f474aecd 100644
--- a/systems/hakurei/default.nix
+++ b/systems/hakurei/default.nix
@@ -1,4 +1,4 @@
-{ lib, ... }: {
+{lib, ...}: {
imports = [
./proxmox.nix
];
diff --git a/systems/keycloak/nixos.nix b/systems/keycloak/nixos.nix
index 3ee0e070..bd171450 100644
--- a/systems/keycloak/nixos.nix
+++ b/systems/keycloak/nixos.nix
@@ -1,4 +1,9 @@
-{meta, config, access, ...}: {
+{
+ meta,
+ config,
+ access,
+ ...
+}: {
imports = let
inherit (meta) nixos;
in [
@@ -24,13 +29,28 @@
inherit (vouch'system.exports.services) vouch-proxy;
in {
"${keycloak.id}.${config.networking.domain}" = let
- portName = if keycloak.ports.https.enable then "https" else "http";
+ portName =
+ if keycloak.ports.https.enable
+ then "https"
+ else "http";
in {
- service = access.proxyUrlFor { system = keycloak'system; service = keycloak; inherit portName; };
- originRequest.${if keycloak.ports.${portName}.protocol == "https" then "noTLSVerify" else null} = true;
+ service = access.proxyUrlFor {
+ system = keycloak'system;
+ service = keycloak;
+ inherit portName;
+ };
+ originRequest.${
+ if keycloak.ports.${portName}.protocol == "https"
+ then "noTLSVerify"
+ else null
+ } =
+ true;
};
"${vouch-proxy.id}.${config.networking.domain}" = {
- service = access.proxyUrlFor { system = vouch'system; service = vouch-proxy; };
+ service = access.proxyUrlFor {
+ system = vouch'system;
+ service = vouch-proxy;
+ };
};
};
};
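Review bot: The reformatted `originRequest.${ … }` attribute now spreads the noTLSVerify condition across six lines, but nothing explains why origin certificate verification is disabled for the keycloak upstream, or that the `else null` branch is intentional (Nix drops a dynamic attribute whose name evaluates to null, so the plain-http case sets nothing). A maintainer scanning this hunk could read `noTLSVerify = true` as a mistake rather than a deliberate trade-off, so add a short comment above the attribute, along the lines of `# https upstream: skip origin cert verification in cloudflared (presumably an internal/self-signed cert — confirm); null attr name is dropped, so http sets nothing`. If the upstream certificate could instead be trusted via a CA bundle, that should be noted here as the preferred fix. The enclosing `in { … }` attribute set begins before this hunk.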
diff --git a/systems/nue/default.nix b/systems/nue/default.nix
index 35db1ca9..6aa04c98 100644
--- a/systems/nue/default.nix
+++ b/systems/nue/default.nix
@@ -1,21 +1,21 @@
{lib, ...}: let
inherit (lib.strings) concatStringsSep;
dot = concatStringsSep ".";
- cutie = dot [ "cutie" "moe" ];
- netname = { config, ... }: {
- domain = dot [ config.name cutie ];
+ cutie = dot ["cutie" "moe"];
+ netname = {config, ...}: {
+ domain = dot [config.name cutie];
};
in {
type = "Linux";
- access.domain = dot [ "gensokyo" cutie ];
+ access.domain = dot ["gensokyo" cutie];
network.networks = {
local = {
- imports = [ netname ];
+ imports = [netname];
address4 = "10.1.1.62";
address6 = "fd0a::daf8:83ff:fe36:81b6";
};
tail = {
- imports = [ netname ];
+ imports = [netname];
address4 = "100.86.77.54";
address6 = "fd7a:115c:a1e0:ab12:4843:cd96:6256:4d36";
};
diff --git a/systems/shanghai/default.nix b/systems/shanghai/default.nix
index fa19fe24..98ea5079 100644
--- a/systems/shanghai/default.nix
+++ b/systems/shanghai/default.nix
@@ -1,24 +1,25 @@
{lib, ...}: let
inherit (lib.strings) concatStringsSep;
dot = concatStringsSep ".";
- cutie = dot [ "cutie" "moe" ];
- netname = { config, ... }: {
- domain = dot [ config.name cutie ];
+ cutie = dot ["cutie" "moe"];
+ netname = {config, ...}: {
+ domain = dot [config.name cutie];
};
in {
type = "Linux";
- access.domain = dot [ "gensokyo" cutie ];
+ access.domain = dot ["gensokyo" cutie];
network.networks = {
local = {
- imports = [ netname ];
+ imports = [netname];
macAddress = let
#eth = "18:c0:4d:08:87:bd";
eth25 = "18:c0:4d:08:87:bc";
- in eth25;
+ in
+ eth25;
address4 = "10.1.1.32";
};
tail = {
- imports = [ netname ];
+ imports = [netname];
address4 = "100.104.155.122";
address6 = "fd7a:115c:a1e0:ab12:4843:cd96:6268:9b7a";
};
diff --git a/systems/tei/cloudflared.nix b/systems/tei/cloudflared.nix
index b6974f9e..7cf02a3f 100644
--- a/systems/tei/cloudflared.nix
+++ b/systems/tei/cloudflared.nix
@@ -21,7 +21,7 @@ in {
(nginx.virtualHosts.barcodebuddy.proxied.cloudflared.getIngress {})
{
${home-assistant.domain} = assert home-assistant.enable; {
- service = access.proxyUrlFor { serviceName = "home-assistant"; };
+ service = access.proxyUrlFor {serviceName = "home-assistant";};
};
}
];
diff --git a/systems/utsuho/nixos.nix b/systems/utsuho/nixos.nix
index 3cdd3d42..51e30567 100644
--- a/systems/utsuho/nixos.nix
+++ b/systems/utsuho/nixos.nix
@@ -1,4 +1,8 @@
-{meta, config, ...}: let
+{
+ meta,
+ config,
+ ...
+}: let
inherit (config.services) nginx;
in {
imports = let