From 9903866044816c5fd39e043ff0b30e87d763ad91 Mon Sep 17 00:00:00 2001 
From: arcnmx Date: Mon, 13 May 2024 15:13:58 -0700 Subject: [PATCH] chore: nf-fmt-nix --- ci/fmt.nix | 8 +- devShells.nix | 30 +- generate.nix | 63 +- lib.nix | 69 +- modules/extern/home/args.nix | 6 +- modules/extern/home/ssh.nix | 180 +++-- modules/extern/misc/ipa.nix | 2 +- modules/extern/misc/netgroups.nix | 2 +- modules/extern/misc/sssd.nix | 2 +- modules/extern/nixos/access.nix | 2 +- modules/extern/nixos/dns.nix | 62 +- modules/extern/nixos/krb5.nix | 217 +++--- modules/extern/nixos/kyuuto.nix | 64 +- modules/extern/nixos/nix.nix | 37 +- modules/extern/nixos/users.nix | 4 +- modules/nixos/access/cidr.nix | 6 +- modules/nixos/access/local.nix | 2 +- modules/nixos/access/peeps.nix | 29 +- modules/nixos/args.nix | 2 +- modules/nixos/barcodebuddy.nix | 77 +- modules/nixos/home-assistant.nix | 2 +- modules/nixos/ipa.nix | 116 +-- modules/nixos/keycloak.nix | 14 +- modules/nixos/krb5/genso.nix | 67 +- modules/nixos/minecraft-bedrock.nix | 529 +++++++------ modules/nixos/network/netgroups.nix | 30 +- modules/nixos/network/resolve.nix | 49 +- modules/nixos/nfs.nix | 39 +- modules/nixos/nftables.nix | 2 +- modules/nixos/nginx/enable.nix | 33 +- modules/nixos/nginx/fastcgi.nix | 51 +- modules/nixos/nginx/headers.nix | 58 +- modules/nixos/nginx/listen.nix | 104 ++- modules/nixos/nginx/local.nix | 116 +-- modules/nixos/nginx/lua.nix | 52 +- modules/nixos/nginx/name.nix | 11 +- modules/nixos/nginx/preread.nix | 126 ++-- modules/nixos/nginx/proxied.nix | 168 +++-- modules/nixos/nginx/proxy.nix | 189 +++-- modules/nixos/nginx/ssl.nix | 255 ++++--- modules/nixos/nginx/stream.nix | 10 +- modules/nixos/nginx/upstream.nix | 260 ++++--- modules/nixos/nginx/vouch.nix | 148 ++-- modules/nixos/nginx/xvars.nix | 96 ++- modules/nixos/postgres.nix | 8 +- modules/nixos/samba.nix | 172 +++-- modules/nixos/shared.nix | 80 +- modules/nixos/sssd/genso.nix | 143 ++-- modules/nixos/sssd/pam.nix | 6 +- modules/nixos/sssd/sssd.nix | 124 ++-- modules/nixos/steam/account-switch.nix | 88 ++- 
modules/nixos/steam/beatsaber.nix | 738 +++++++++++-------- modules/system/access.nix | 140 +++- modules/system/ci.nix | 8 +- modules/system/exports/cockpit.nix | 6 +- modules/system/exports/dnsmasq.nix | 8 +- modules/system/exports/exports.nix | 7 +- modules/system/exports/freeipa.nix | 6 +- modules/system/exports/freepbx.nix | 6 +- modules/system/exports/home-assistant.nix | 20 +- modules/system/exports/invidious.nix | 8 +- modules/system/exports/kerberos.nix | 8 +- modules/system/exports/keycloak.nix | 32 +- modules/system/exports/ldap.nix | 8 +- modules/system/exports/minecraft-bedrock.nix | 11 +- modules/system/exports/mosquitto.nix | 11 +- modules/system/exports/motion.nix | 8 +- modules/system/exports/nfs.nix | 34 +- modules/system/exports/nginx.nix | 11 +- modules/system/exports/openwebrx.nix | 24 +- modules/system/exports/plex.nix | 6 +- modules/system/exports/postgresql.nix | 11 +- modules/system/exports/prox.nix | 8 +- modules/system/exports/samba.nix | 6 +- modules/system/exports/services.nix | 25 +- modules/system/exports/sshd.nix | 11 +- modules/system/exports/unifi.nix | 8 +- modules/system/exports/vouch.nix | 8 +- modules/system/exports/zigbee2mqtt.nix | 8 +- modules/system/extern/files.nix | 62 +- modules/system/host.nix | 13 +- modules/system/network/networks.nix | 26 +- modules/system/proxmox/container.nix | 6 +- modules/system/proxmox/network.nix | 97 ++- modules/system/proxmox/node.nix | 7 +- modules/system/proxmox/vm.nix | 6 +- nixos/access/barcodebuddy.nix | 5 +- nixos/access/freeipa.nix | 54 +- nixos/access/freepbx.nix | 33 +- nixos/access/grocy.nix | 61 +- nixos/access/home-assistant.nix | 13 +- nixos/access/invidious.nix | 18 +- nixos/access/keycloak.nix | 2 +- nixos/access/kitchencam.nix | 22 +- nixos/access/ldap.nix | 7 +- nixos/access/mosquitto.nix | 7 +- nixos/access/nginx.nix | 6 +- nixos/access/openwebrx.nix | 2 +- nixos/access/plex.nix | 13 +- nixos/access/proxmox.nix | 2 +- nixos/access/unifi.nix | 2 +- nixos/access/vouch.nix | 16 
+- nixos/access/zigbee2mqtt.nix | 2 +- nixos/acme.nix | 2 +- nixos/barcodebuddy.nix | 22 +- nixos/base/locale.nix | 5 +- nixos/base/network.nix | 12 +- nixos/base/nix.nix | 18 +- nixos/cross/aarch64.nix | 23 +- nixos/dnsmasq.nix | 68 +- nixos/grocy.nix | 21 +- nixos/int.nix | 8 +- nixos/ipa.nix | 6 +- nixos/keycloak.nix | 28 +- nixos/krb5.nix | 47 +- nixos/kyuuto/nfs.nix | 33 +- nixos/ldap/permissions.nix | 81 +- nixos/ldap/samba.nix | 46 +- nixos/ldap/users.nix | 176 ++--- nixos/minecraft/bedrock.nix | 18 +- nixos/nfs.nix | 20 +- nixos/nginx.nix | 13 +- nixos/nixbld.nix | 2 +- nixos/openwebrx.nix | 15 +- nixos/reisen-ct/network.nix | 5 +- nixos/reisen-ct/proxmox.nix | 19 +- nixos/samba.nix | 110 +-- nixos/sops.nix | 5 +- nixos/sssd.nix | 33 +- nixos/systemd2mqtt.nix | 8 +- nixos/unifi.nix | 13 +- nixos/users/connie.nix | 12 +- nixos/wake-chen.nix | 22 +- nixos/zigbee2mqtt.nix | 13 +- overlays/barcodebuddy.nix | 2 +- overlays/default.nix | 5 +- overlays/krb5.nix | 42 +- overlays/minecraft.nix | 14 +- overlays/nfs.nix | 22 +- overlays/nginx.nix | 37 +- overlays/openwebrxplus.nix | 2 +- overlays/samba.nix | 20 +- packages/barcodebuddy.nix | 33 +- packages/default.nix | 10 +- packages/minecraft-bedrock/addons.nix | 115 +-- packages/minecraft-bedrock/libcrypto.nix | 48 +- packages/minecraft-bedrock/mcpack.nix | 9 +- packages/minecraft-bedrock/mkaddon.nix | 78 +- packages/minecraft-bedrock/patchdebug.nix | 29 +- packages/minecraft-bedrock/patchelf.nix | 3 +- packages/minecraft-bedrock/server.nix | 95 +-- packages/openwebrxplus.nix | 346 ++++----- systems/extern-test/default.nix | 24 +- systems/extern-test/nixos.nix | 7 +- systems/hakurei/default.nix | 2 +- systems/keycloak/nixos.nix | 30 +- systems/nue/default.nix | 12 +- systems/shanghai/default.nix | 15 +- systems/tei/cloudflared.nix | 2 +- systems/utsuho/nixos.nix | 6 +- 160 files changed, 4570 insertions(+), 3019 deletions(-) diff --git a/ci/fmt.nix b/ci/fmt.nix index 4d9591c1..5af7fe5a 100644 --- a/ci/fmt.nix 
+++ b/ci/fmt.nix @@ -3,19 +3,25 @@ whitelist = [ "overlays/default.nix" "ci/fmt.nix" + "docs/derivation.nix" "devShells.nix" "shell.nix" + "generate.nix" "lib.nix" "outputs.nix" "tree.nix" ]; whitelistDirs = [ "modules/extern" + "modules/nixos" "modules/system" + "nixos" + "overlays" + "packages" "systems" ]; blacklistDirs = [ - "overlays" + "modules/nixos/ldap" "ci" ]; }; diff --git a/devShells.nix b/devShells.nix index 7effd4fd..8004046c 100644 --- a/devShells.nix +++ b/devShells.nix @@ -151,19 +151,23 @@ LDAPSASL_NOCANON = "on"; }; arc = let - ldapdm = cmd: pkgs.writeShellScriptBin "dm-${cmd}" '' - ${cmd} -D 'cn=Directory Manager' -y <(bitw get -f password ldap-directory-manager) "$@" - ''; - in default.overrideAttrs (default: { - nativeBuildInputs = default.nativeBuildInputs ++ [ - (ldapdm "ldapwhoami") - (ldapdm "ldappasswd") - (ldapdm "ldapsearch") - (ldapdm "ldapadd") - (ldapdm "ldapmodify") - (ldapdm "ldapdelete") - ]; - }); + ldapdm = cmd: + pkgs.writeShellScriptBin "dm-${cmd}" '' + ${cmd} -D 'cn=Directory Manager' -y <(bitw get -f password ldap-directory-manager) "$@" + ''; + in + default.overrideAttrs (default: { + nativeBuildInputs = + default.nativeBuildInputs + ++ [ + (ldapdm "ldapwhoami") + (ldapdm "ldappasswd") + (ldapdm "ldapsearch") + (ldapdm "ldapadd") + (ldapdm "ldapmodify") + (ldapdm "ldapdelete") + ]; + }); in { inherit default arc; } diff --git a/generate.nix b/generate.nix index c2a53761..3e5050cd 100644 --- a/generate.nix +++ b/generate.nix 
@@ -19,23 +19,33 @@ }; nodeSystems = let matchesNode = nodeName: system: system.config.proxmox.enabled && system.config.proxmox.node.name == nodeName; - in nodeName: filterAttrs (_: matchesNode nodeName) systems; + in + nodeName: filterAttrs (_: matchesNode nodeName) systems; mkNodeSystem = system: { inherit (system.config.access) hostName; network = let inherit (system.config.network) networks; in { networks = { - int = if networks.int.enable or false then { - inherit (networks.int) macAddress address4 address6; - } else null; - local = if networks.local.enable or false then { - inherit (networks.local) macAddress address4 address6; - } else null; - tail = if networks.tail.enable or false then { - inherit (networks.tail) address4 address6; - macAddress = null; - } else null; + int = + if networks.int.enable or false + then { + inherit (networks.int) macAddress address4 address6; + } + else null; + local = + if networks.local.enable or false + then { + inherit (networks.local) macAddress address4 address6; + } + else null; + tail = + if networks.tail.enable or false + then { + inherit (networks.tail) address4 address6; + macAddress = null; + } + else null; }; }; }; @@ -43,10 +53,12 @@ mkExtern = system: let enabledFiles = filterAttrs (_: file: file.enable) system.extern.files; in { - files = mapAttrs' (_: file: nameValuePair file.path { - source = assert file.relativeSource != null; file.relativeSource; - inherit (file) owner group mode; - }) enabledFiles; + files = mapAttrs' (_: file: + nameValuePair file.path { + source = assert file.relativeSource != null; file.relativeSource; + inherit (file) owner group mode; + }) + enabledFiles; }; mkNode = system: { users = mkNodeUsers templateUsers; 
@@ -58,13 +70,17 @@ }; mkNetwork = system: { inherit (system.config.access) hostName; - networks = { - int = null; - local = null; - tail = null; - } // mapAttrs' (_: network: nameValuePair network.name { - inherit (network) macAddress address4 address6; - }) system.config.network.networks; + networks = + { + int = null; + local = null; + tail = null; + } + // mapAttrs' (_: network: + nameValuePair network.name { + inherit (network) macAddress address4 address6; + }) + system.config.network.networks; }; mkSystem = name: system: { network = mkNetwork system; @@ -72,6 +88,7 @@ in { nodes = let nodes = filterAttrs (_: node: node.config.proxmox.node.enable) systems; - in mapAttrs (_: mkNode) nodes; + in + mapAttrs (_: mkNode) nodes; systems = mapAttrs mkSystem systems; } diff --git a/lib.nix b/lib.nix index 86adfe37..f7a1bcf6 100644 --- a/lib.nix +++ b/lib.nix 
@@ -23,20 +23,27 @@ parts' = Regex.match ''^([^:]+)://(\[[0-9a-fA-F:]+]|[^/:\[]+)(|:[0-9]+)(|/.*)$'' url; parts = parts'.value; port' = List.index parts 2; - in assert Opt.isJust parts'; rec { - inherit url parts; - scheme = List.index parts 0; - host = List.index parts 1; - port = if port' != "" then UInt.Parse (Str.removePrefix ":" port') else null; - hostport = host + port'; - path = List.index parts 3; - }; + in + assert Opt.isJust parts'; rec { + inherit url parts; + scheme = List.index parts 0; + host = List.index parts 1; + port = + if port' != "" + then UInt.Parse (Str.removePrefix ":" port') + else null; + hostport = host + port'; + path = List.index parts 3; + }; userIs = group: user: builtins.elem group (user.extraGroups ++ [user.group]); mkWinPath = Str.replace ["/"] ["\\"]; mkBaseDn = domain: Str.concatMapSep "," (part: "dc=${part}") (Regex.splitOn "\\." domain); - mkAddress6 = addr: if Str.hasInfix ":" addr && ! Str.hasPrefix "[" addr then "[${addr}]" else addr; + mkAddress6 = addr: + if Str.hasInfix ":" addr && ! Str.hasPrefix "[" addr + then "[${addr}]" + else addr; coalesce = values: Opt.default null (List.find (v: v != null) values); mapListToAttrs = f: l: listToAttrs (map f l); 
@@ -85,13 +92,43 @@ in { Std = inputs.std-fl.lib; lib = { domain = "gensokyo.zone"; - inherit treeToModulesOutput userIs - eui64 parseUrl mkWinPath mkBaseDn mkAddress6 - mapListToAttrs coalesce - mkAlmostOptionDefault mkAlmostDefault mkAlmostForce mapOverride mapOptionDefaults mapAlmostOptionDefaults mapDefaults - overrideOptionDefault overrideAlmostOptionDefault overrideDefault overrideAlmostDefault overrideNone overrideAlmostForce overrideForce overrideVM - orderJustBefore orderBefore orderAlmostBefore orderNone orderAfter orderAlmostAfter orderJustAfter - mkJustBefore mkAlmostBefore mkAlmostAfter mkJustAfter; + inherit + treeToModulesOutput + userIs + eui64 + parseUrl + mkWinPath + mkBaseDn + mkAddress6 + mapListToAttrs + coalesce + mkAlmostOptionDefault + mkAlmostDefault + mkAlmostForce + mapOverride + mapOptionDefaults + mapAlmostOptionDefaults + mapDefaults + overrideOptionDefault + overrideAlmostOptionDefault + overrideDefault + overrideAlmostDefault + overrideNone + overrideAlmostForce + overrideForce + overrideVM + orderJustBefore + orderBefore + orderAlmostBefore + orderNone + orderAfter + orderAlmostAfter + orderJustAfter + mkJustBefore + mkAlmostBefore + mkAlmostAfter + mkJustAfter + ; inherit (inputs.arcexprs.lib) unmerged json; }; gensokyo-zone = { diff --git a/modules/extern/home/args.nix b/modules/extern/home/args.nix index 974d5129..1e3fa45c 100644 --- a/modules/extern/home/args.nix +++ b/modules/extern/home/args.nix @@ -1,4 +1,8 @@ -{inputs, ...}: {lib, osConfig, ...}: let +{inputs, ...}: { + lib, + osConfig, + ... +}: let inherit (inputs.self.lib) meta; inherit (lib.modules) mkIf; in { diff --git a/modules/extern/home/ssh.nix b/modules/extern/home/ssh.nix index 5773f3cc..6b16046c 100644 --- a/modules/extern/home/ssh.nix +++ b/modules/extern/home/ssh.nix 
@@ -19,18 +19,25 @@ let system = gensokyo-zone.systems.${config.systemName}.config; networks = let fallbackNetwork = - if system.network.networks.local.enable or false && access.local.enable then "local" - else if system.access.global.enable then null - else if system.network.networks.int.enable or false then "int" - else if system.network.networks.local.enable or false then "local" + if system.network.networks.local.enable or false && access.local.enable + then "local" + else if system.access.global.enable + then null + else if system.network.networks.int.enable or false + then "int" + else if system.network.networks.local.enable or false + then "local" else null; - networks = map (name: coalesce [ name fallbackNetwork ]) config.networks; - in unique networks; + networks = map (name: coalesce [name fallbackNetwork]) config.networks; + in + unique networks; in { options = with lib.types; { - enable = mkEnableOption "ssh client configuration" // { - default = true; - }; + enable = + mkEnableOption "ssh client configuration" + // { + default = true; + }; name = mkOption { type = str; default = name; 
@@ -66,38 +73,46 @@ let enabledNetworks = filterAttrs (_: net: net.enable) system.network.networks; networkNames = mapAttrsToList (_: net: net.name) enabledNetworks; networks = filter (name: name == null || elem name networkNames) cfg.networks; - in mkOptionDefault networks; + in + mkOptionDefault networks; set = { matchBlocksSettings = let - canonNetworkName' = intersectLists networks [ null "int" "local" ]; - canonNetworkName = if canonNetworkName' != [ ] then head canonNetworkName' else null; - in mapListToAttrs (network: let - name = config.name + optionalString (network != canonNetworkName) "-${network}"; - inherit (system.exports.services) sshd; - port = head ( - optional (network == null && sshd.ports.global.enable or false) sshd.ports.global.port - ++ optional (sshd.ports.public.enable or false) sshd.ports.public.port - ++ [ sshd.ports.standard.port ] - ); - needsProxy = network == "int" || (network == "local" && !access.local.enable); - in nameValuePair name { - hostname = mkDefault ( - if network == null then system.access.fqdn - else system.network.networks.${network}.fqdn - ); - user = mkIf (config.user != null) (mkDefault config.user); - port = mkIf (port != 22) (mkDefault port); - proxyJump = mkIf needsProxy (lib.warnIf (config.name == cfg.proxyJump) "proxyJump self-reference" (mkAlmostOptionDefault ( - cfg.proxyJump - ))); - identitiesOnly = mkIf (config.systemName == "u7pro") (mkAlmostOptionDefault true); - extraOptions = mkMerge [ - (unmerged.mergeAttrs config.extraOptions) - { - HostKeyAlias = mkIf (config.hostName != null && network != null) (mkOptionDefault system.access.fqdn); - } - ]; - }) networks; + canonNetworkName' = intersectLists networks [null "int" "local"]; + canonNetworkName = + if canonNetworkName' != [] + then head canonNetworkName' + else null; + in + mapListToAttrs (network: let + name = config.name + optionalString (network != canonNetworkName) "-${network}"; + inherit (system.exports.services) sshd; + port = head ( + optional 
(network == null && sshd.ports.global.enable or false) sshd.ports.global.port + ++ optional (sshd.ports.public.enable or false) sshd.ports.public.port + ++ [sshd.ports.standard.port] + ); + needsProxy = network == "int" || (network == "local" && !access.local.enable); + in + nameValuePair name { + hostname = mkDefault ( + if network == null + then system.access.fqdn + else system.network.networks.${network}.fqdn + ); + user = mkIf (config.user != null) (mkDefault config.user); + port = mkIf (port != 22) (mkDefault port); + proxyJump = mkIf needsProxy (lib.warnIf (config.name == cfg.proxyJump) "proxyJump self-reference" (mkAlmostOptionDefault ( + cfg.proxyJump + ))); + identitiesOnly = mkIf (config.systemName == "u7pro") (mkAlmostOptionDefault true); + extraOptions = mkMerge [ + (unmerged.mergeAttrs config.extraOptions) + { + HostKeyAlias = mkIf (config.hostName != null && network != null) (mkOptionDefault system.access.fqdn); + } + ]; + }) + networks; }; }; }; @@ -124,7 +139,7 @@ let }; hosts = mkOption { type = attrsOf (submoduleWith { - modules = [ sshHostModule ]; + modules = [sshHostModule]; specialArgs = { inherit gensokyo-zone osConfig homeConfig pkgs; }; @@ -132,7 +147,7 @@ let }; networks = mkOption { type = listOf (nullOr str); - default = [ null ]; + default = [null]; }; proxyJump = mkOption { type = str; @@ -150,7 +165,8 @@ let }; config = { proxyJump = mkOptionDefault ( - if config.hosts.hakurei.enable then config.hosts.hakurei.name + if config.hosts.hakurei.enable + then config.hosts.hakurei.name else gensokyo-zone.systems.hakurei.config.access.fqdn ); networks = mkOptionDefault [ 
@@ -159,51 +175,55 @@ let ]; hosts = mapAttrs (name: system: let enabled = system.config.access.online.enable && system.config.exports.services.sshd.enable; - in mkIf enabled { - systemName = mkOptionDefault name; - }) gensokyo-zone.systems; + in + mkIf enabled { + systemName = mkOptionDefault name; + }) + gensokyo-zone.systems; set = { matchBlocksSettings = let mkMatchBlocksHost = host: mkIf host.enable (unmerged.mergeAttrs host.set.matchBlocksSettings); - in mkMerge ( - mapAttrsToList (_: mkMatchBlocksHost) config.hosts - ); + in + mkMerge ( + mapAttrsToList (_: mkMatchBlocksHost) config.hosts + ); }; }; }; -in { - config, - osConfig, - lib, - gensokyo-zone, - pkgs, - ... -}: let - inherit (lib.options) mkOption; - inherit (lib.modules) mkIf; - inherit (gensokyo-zone.lib) unmerged; - cfg = config.gensokyo-zone.ssh; -in { - options.gensokyo-zone.ssh = mkOption { - type = lib.types.submoduleWith { - modules = [sshModule]; - specialArgs = { - inherit gensokyo-zone pkgs; - inherit osConfig; - homeConfig = config; +in + { + config, + osConfig, + lib, + gensokyo-zone, + pkgs, + ... + }: let + inherit (lib.options) mkOption; + inherit (lib.modules) mkIf; + inherit (gensokyo-zone.lib) unmerged; + cfg = config.gensokyo-zone.ssh; + in { + options.gensokyo-zone.ssh = mkOption { + type = lib.types.submoduleWith { + modules = [sshModule]; + specialArgs = { + inherit gensokyo-zone pkgs; + inherit osConfig; + homeConfig = config; + }; }; + default = {}; }; - default = { }; - }; - config = { - gensokyo-zone.ssh = { + config = { + gensokyo-zone.ssh = { + }; + programs.ssh = mkIf cfg.enable { + matchBlocks = unmerged.mergeAttrs cfg.set.matchBlocksSettings; + }; + lib.gensokyo-zone.ssh = { + inherit cfg sshModule sshHostModule; + }; }; - programs.ssh = mkIf cfg.enable { - matchBlocks = unmerged.mergeAttrs cfg.set.matchBlocksSettings; - }; - lib.gensokyo-zone.ssh = { - inherit cfg sshModule sshHostModule; - }; - }; -} + } 
diff --git a/modules/extern/misc/ipa.nix b/modules/extern/misc/ipa.nix index cc711e02..d9424d5f 100644 --- a/modules/extern/misc/ipa.nix +++ b/modules/extern/misc/ipa.nix @@ -1,4 +1,4 @@ -{ ... }: { +{...}: { imports = [ ../../nixos/ipa.nix ]; diff --git a/modules/extern/misc/netgroups.nix b/modules/extern/misc/netgroups.nix index a95c730d..8762ed32 100644 --- a/modules/extern/misc/netgroups.nix +++ b/modules/extern/misc/netgroups.nix @@ -1,4 +1,4 @@ -{ ... }: { +{...}: { imports = [ ../../nixos/network/netgroups.nix ]; diff --git a/modules/extern/misc/sssd.nix b/modules/extern/misc/sssd.nix index 26f5d349..e091ec62 100644 --- a/modules/extern/misc/sssd.nix +++ b/modules/extern/misc/sssd.nix @@ -1,4 +1,4 @@ -{ ... }: { +{...}: { imports = [ ../../nixos/sssd/sssd.nix ../../nixos/sssd/pam.nix diff --git a/modules/extern/nixos/access.nix b/modules/extern/nixos/access.nix index deecd327..4fabd945 100644 --- a/modules/extern/nixos/access.nix +++ b/modules/extern/nixos/access.nix @@ -35,7 +35,7 @@ in { nixosConfig = config; }; }; - default = { }; + default = {}; }; config = { diff --git a/modules/extern/nixos/dns.nix b/modules/extern/nixos/dns.nix index 1df0b417..f12bcfc7 100644 --- a/modules/extern/nixos/dns.nix +++ b/modules/extern/nixos/dns.nix @@ -42,7 +42,7 @@ type = listOf str; }; fallback = mkOption { - type = nullOr (enum [ "cloudflare" "google" ]); + type = nullOr (enum ["cloudflare" "google"]); default = "cloudflare"; }; fallbackNameservers = mkOption { 
@@ -67,32 +67,38 @@ ]; nameservers = let inherit (gensokyo-zone.systems) utsuho hakurei; - in mkMerge [ - (mkOptionDefault [ ]) - (mkIf access.local.enable [ - (mkIf enableIPv6 utsuho.config.access.address6ForNetwork.local) - utsuho.config.access.address4ForNetwork.local - ]) - # TODO: mirror or tunnel on hakurei or something .-. - (mkIf (access.tail.enabled && false) [ - (mkIf enableIPv6 hakurei.config.access.address6ForNetwork.tail) - hakurei.config.access.address4ForNetwork.tail - ]) - ]; - fallbackNameservers = mkOptionDefault { - cloudflare = [ - "1.1.1.1#cloudflare-dns.com" - "1.0.0.1#cloudflare-dns.com" + in + mkMerge [ + (mkOptionDefault []) + (mkIf access.local.enable [ + (mkIf enableIPv6 utsuho.config.access.address6ForNetwork.local) + utsuho.config.access.address4ForNetwork.local + ]) + # TODO: mirror or tunnel on hakurei or something .-. + (mkIf (access.tail.enabled && false) [ + (mkIf enableIPv6 hakurei.config.access.address6ForNetwork.tail) + hakurei.config.access.address4ForNetwork.tail + ]) ]; - google = optionals enableIPv6 [ - "[2001:4860:4860::8888]#dns.google" - "[2001:4860:4860::8844]#dns.google" - ] ++ [ - "8.8.8.8#dns.google" - "8.8.4.4#dns.google" - ]; - ${toString null} = [ ]; - }.${toString config.fallback}; + fallbackNameservers = + mkOptionDefault + { + cloudflare = [ + "1.1.1.1#cloudflare-dns.com" + "1.0.0.1#cloudflare-dns.com" + ]; + google = + optionals enableIPv6 [ + "[2001:4860:4860::8888]#dns.google" + "[2001:4860:4860::8844]#dns.google" + ] + ++ [ + "8.8.8.8#dns.google" + "8.8.4.4#dns.google" + ]; + ${toString null} = []; + } + .${toString config.fallback}; set = { nssSettings = { hosts = mkMerge [ @@ -123,11 +129,11 @@ in { nixosConfig = config; }; }; - default = { }; + default = {}; }; config = { - networking.nameservers = mkIf (cfg.enable && cfg.nameservers != [ ]) (mkMerge [ + networking.nameservers = mkIf (cfg.enable && cfg.nameservers != []) (mkMerge [ (mkBefore cfg.nameservers) cfg.fallbackNameservers ]); 
diff --git a/modules/extern/nixos/krb5.nix b/modules/extern/nixos/krb5.nix index 073f6bc2..62915d19 100644 --- a/modules/extern/nixos/krb5.nix +++ b/modules/extern/nixos/krb5.nix @@ -40,9 +40,11 @@ default = toUpper config.domain; }; ca = { - trust = mkEnableOption "trust CA" // { - default = true; - }; + trust = + mkEnableOption "trust CA" + // { + default = true; + }; pem = mkOption { type = path; }; @@ -59,7 +61,7 @@ }; urls = mkOption { type = listOf str; - default = [ "ldaps://${config.ldap.host}" ]; + default = ["ldaps://${config.ldap.host}"]; }; baseDn = mkOption { type = str; @@ -75,21 +77,21 @@ }; passwordFileKrb5 = mkOption { type = path; - example = lib.literalExpression "\${pkgs.writeText "ldap.kdb5" '' + example = lib.literalExpression "\${pkgs.writeText " ldap.kdb5 " '' ${config.bind.dn}#{HEX}616e6f6e796d6f7573 ''}"; }; passwordFileSssdEnv = mkOption { type = path; - example = lib.literalExpression "\${pkgs.writeText "ldap.kdb5" '' - ${"SSSD_AUTHTOK_" + replaceStrings [ "." ] [ "_" ] (toUpper config.domain)}=verysecretpassword + example = lib.literalExpression "\${pkgs.writeText " ldap.kdb5 " '' + ${"SSSD_AUTHTOK_" + replaceStrings ["."] ["_"] (toUpper config.domain)}=verysecretpassword ''}"; }; }; }; db = { backend = mkOption { - type = enum [ "kldap" "ipa" ]; + type = enum ["kldap" "ipa"]; default = "kldap"; }; }; @@ -99,7 +101,7 @@ }; authToLocalNames = mkOption { type = attrsOf str; - default = { }; + default = {}; example = { "arc@${config.realm}" = "arc"; }; 
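Review bot: The reformatted `example` for `passwordFileKrb5` in the `@@ -75,21 +77,21 @@` hunk is still not one string: the formatter now prints `"\${pkgs.writeText " ldap.kdb5 " ''` because the unescaped inner quotes close the outer string, so the value parses as the string `${pkgs.writeText ` applied to the bare name `ldap.kdb5` and a second string, which fails as soon as option documentation is evaluated (a string is not callable, and `ldap` is not bound there). Escaping the inner quotes makes it a single literal, e.g. `example = lib.literalExpression "pkgs.writeText \"ldap.kdb5\" ''\n  ${config.bind.dn}#{HEX}616e6f6e796d6f7573\n''";` (the leading `\${` in the original also looks unintended; confirm what the rendered docs should show). The `passwordFileSssdEnv` example two lines below has the same shape and needs the same fix. The `options` set these sit in starts before the hunk.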
@@ -108,26 +110,30 @@ enable = mkEnableOption "sssd"; pam.enable = mkEnableOption "PAM"; backend = mkOption { - type = enum [ "ipa" "ldap" ]; - default = { - ipa = "ipa"; - kldap = "ldap"; - }.${config.db.backend}; + type = enum ["ipa" "ldap"]; + default = + { + ipa = "ipa"; + kldap = "ldap"; + } + .${config.db.backend}; }; }; ntp = { - enable = mkEnableOption "ntp" // { - default = true; - }; + enable = + mkEnableOption "ntp" + // { + default = true; + }; servers = mkOption { type = listOf str; - example = [ config.ipa.host ]; - default = [ "2.fedora.pool.ntp.org" ]; + example = [config.ipa.host]; + default = ["2.fedora.pool.ntp.org"]; }; }; nfs = { enable = mkEnableOption "nfs"; - package = mkPackageOption pkgs "nfs-utils" { }; + package = mkPackageOption pkgs "nfs-utils" {}; idmapd = { localDomain = mkOption { type = bool; @@ -135,11 +141,11 @@ }; localRealms = mkOption { type = listOf str; - default = [ config.realm ]; + default = [config.realm]; }; methods = mkOption { type = listOf str; - default = [ "nsswitch" ]; + default = ["nsswitch"]; }; authToLocalNames = mkOption { type = attrsOf str; @@ -185,7 +191,8 @@ url = "https://${config.ipa.httpHost}/ipa/config/ca.crt"; sha256 = "sha256-PKjnjn1jIq9x4BX8+WGkZfj4HQtmnHqmFSALqggo91o="; }; - in mkOptionDefault caPem; + in + mkOptionDefault caPem; ldap = { urls = mkMerge [ (mkIf access.local.enable (mkOptionDefault (mkBefore [ 
@@ -200,22 +207,23 @@ ]; bind = let inherit (nixosConfig.sops) secrets; - in mkIf (nixosOptions ? sops.secrets && secrets ? gensokyo-zone-krb5-passwords) { - passwordFileKrb5 = mkOptionDefault nixosConfig.sops.secrets.gensokyo-zone-krb5-passwords.path; - passwordFile = mkOptionDefault nixosConfig.sops.secrets.gensokyo-zone-krb5-peep-password.path; - passwordFileSssdEnv = mkOptionDefault nixosConfig.sops.secrets.gensokyo-zone-sssd-passwords.path; - }; + in + mkIf (nixosOptions ? sops.secrets && secrets ? gensokyo-zone-krb5-passwords) { + passwordFileKrb5 = mkOptionDefault nixosConfig.sops.secrets.gensokyo-zone-krb5-passwords.path; + passwordFile = mkOptionDefault nixosConfig.sops.secrets.gensokyo-zone-krb5-peep-password.path; + passwordFileSssdEnv = mkOptionDefault nixosConfig.sops.secrets.gensokyo-zone-sssd-passwords.path; + }; }; db.backend = mkIf enabled.ipa (mkAlmostOptionDefault "ipa"); nfs = { package = mkIf (elem "umich_ldap" config.nfs.idmapd.methods) (mkAlmostOptionDefault pkgs.nfs-utils-ldap); idmapd = { methods = mkMerge [ - (mkIf (config.nfs.idmapd.authToLocalNames != { }) ( - mkOptionDefault (mkBefore [ "static" ]) + (mkIf (config.nfs.idmapd.authToLocalNames != {}) ( + mkOptionDefault (mkBefore ["static"]) )) (mkIf (!enabled.sssd) ( - mkOptionDefault [ "umich_ldap" ] + mkOptionDefault ["umich_ldap"] )) ]; }; 
@@ -243,55 +251,63 @@ }; }; sssdSettings = let - servers = optional access.local.enable "idp.local.${config.domain}" - ++ [ "_srv" ]; + servers = + optional access.local.enable "idp.local.${config.domain}" + ++ ["_srv"]; backups = mkMerge [ - (mkIf access.tail.enabled (mkAlmostOptionDefault [ "ipa.tail.${config.domain}" ])) - (mkIf access.local.enable (mkAlmostOptionDefault [ "ipa.local.${config.domain}" ])) + (mkIf access.tail.enabled (mkAlmostOptionDefault ["ipa.tail.${config.domain}"])) + (mkIf access.local.enable (mkAlmostOptionDefault ["ipa.local.${config.domain}"])) ]; - in mkIf config.sssd.enable { - enable = mkAlmostOptionDefault true; - gensokyo-zone = { - backend = mkAlmostOptionDefault config.sssd.backend; - krb5.servers = { - servers = servers ++ [ config.host ]; - inherit backups; + in + mkIf config.sssd.enable { + enable = mkAlmostOptionDefault true; + gensokyo-zone = { + backend = mkAlmostOptionDefault config.sssd.backend; + krb5.servers = { + servers = servers ++ [config.host]; + inherit backups; + }; + ipa.servers = { + servers = servers ++ [config.ipa.host]; + inherit backups; + }; + ldap = { + bind.passwordFile = mkAlmostOptionDefault config.ldap.bind.passwordFile; + uris.backups = mkIf access.tail.enabled (mkAlmostOptionDefault (mkAfter [ + "ldaps://ldap.tail.${config.domain}" + ])); + }; }; - ipa.servers = { - servers = servers ++ [ config.ipa.host ]; - inherit backups; - }; - ldap = { - bind.passwordFile = mkAlmostOptionDefault config.ldap.bind.passwordFile; - uris.backups = mkIf access.tail.enabled (mkAlmostOptionDefault (mkAfter [ - "ldaps://ldap.tail.${config.domain}" - ])); + environmentFile = mkIf (config.sssd.backend == "ldap") ( + mkAlmostOptionDefault + config.ldap.bind.passwordFileSssdEnv + ); + services = { + ifp.enable = mkAlmostOptionDefault true; + pam.enable = mkIf (!config.sssd.pam.enable) (mkDefault false); }; }; - environmentFile = mkIf (config.sssd.backend == "ldap") (mkAlmostOptionDefault - 
config.ldap.bind.passwordFileSssdEnv - ); - services = { - ifp.enable = mkAlmostOptionDefault true; - pam.enable = mkIf (!config.sssd.pam.enable) (mkDefault false); - }; - }; ipaSettings = mkIf config.ipa.enable (mapAlmostOptionDefaults { - enable = true; - certificate = config.ca.pem; - basedn = config.ldap.baseDn; - domain = config.domain; - realm = config.realm; - server = config.ipa.server; - # TODO: dyndns? - } // { - overrideConfigs = mapAlmostOptionDefaults { - sssd = false; - krb5 = false; - }; - }); + enable = true; + certificate = config.ca.pem; + basedn = config.ldap.baseDn; + domain = config.domain; + realm = config.realm; + server = config.ipa.server; + # TODO: dyndns? + } + // { + overrideConfigs = mapAlmostOptionDefaults { + sssd = false; + krb5 = false; + }; + }); nfsSettings = mkIf config.nfs.enable { - ${if nixosOptions ? services.nfs.settings then "settings" else null} = mkMerge [ + ${ + if nixosOptions ? services.nfs.settings + then "settings" + else null + } = mkMerge [ { gssd = mapOptionDefaults { #use-machine-creds = false; @@ -314,7 +330,11 @@ }; }) ]; - ${if nixosOptions ? services.nfs.settings then null else "extraConfig"} = mkMerge [ + ${ + if nixosOptions ? services.nfs.settings + then null + else "extraConfig" + } = mkMerge [ '' [gssd] #use-machine-creds = false @@ -344,10 +364,10 @@ Domain = mkForce config.domain; Local-Realms = concatStringsSep "," config.nfs.idmapd.localRealms; }; - Translation.Method = mkIf (config.nfs.idmapd.methods != [ "nsswitch" ]) (mkForce ( + Translation.Method = mkIf (config.nfs.idmapd.methods != ["nsswitch"]) (mkForce ( concatStringsSep "," config.nfs.idmapd.methods )); - Static = mkIf (config.nfs.idmapd.authToLocalNames != { }) config.nfs.idmapd.authToLocalNames; + Static = mkIf (config.nfs.idmapd.authToLocalNames != {}) config.nfs.idmapd.authToLocalNames; UMICH_SCHEMA = mkIf (elem "umich_ldap" config.nfs.idmapd.methods) (mapOptionDefaults { LDAP_server = config.ldap.host; LDAP_use_ssl = true; 
@@ -389,7 +409,7 @@ in { nixosOptions = options; }; }; - default = { }; + default = {}; }; config = { @@ -413,10 +433,11 @@ in { hosts = let inherit (gensokyo-zone.systems) freeipa; # TODO: consider hakurei instead... - in mkIf (cfg.enable && !config.gensokyo-zone.dns.enable or false && config.gensokyo-zone.access.local.enable) { - ${freeipa.config.access.address6ForNetwork.local} = mkIf config.networking.enableIPv6 (mkBefore [ cfg.host ]); - ${freeipa.config.access.address4ForNetwork.local} = mkBefore [ cfg.host ]; - }; + in + mkIf (cfg.enable && !config.gensokyo-zone.dns.enable or false && config.gensokyo-zone.access.local.enable) { + ${freeipa.config.access.address6ForNetwork.local} = mkIf config.networking.enableIPv6 (mkBefore [cfg.host]); + ${freeipa.config.access.address4ForNetwork.local} = mkBefore [cfg.host]; + }; }; environment.etc = { "request-key.conf" = mkIf (cfg.enable && cfg.nfs.enable && cfg.sssd.enable) { 
@@ -425,24 +446,30 @@ in { export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${config.system.nssModules.path}" exec ${cfg.nfs.package}/bin/nfsidmap "$@" ''; - in mkForce (pkgs.writeText "request-key.conf" '' - create id_resolver * * ${nfsidmap} -t 600 %k %d - ''); + in + mkForce (pkgs.writeText "request-key.conf" '' + create id_resolver * * ${nfsidmap} -t 600 %k %d + ''); }; }; - ${if options ? sops.secrets then "sops" else null}.secrets = let + ${ + if options ? sops.secrets + then "sops" + else null + }.secrets = let sopsFile = mkDefault ../secrets/krb5.yaml; - in mkIf cfg.enable { - gensokyo-zone-krb5-passwords = mkIf (cfg.db.backend == "kldap") { - inherit sopsFile; + in + mkIf cfg.enable { + gensokyo-zone-krb5-passwords = mkIf (cfg.db.backend == "kldap") { + inherit sopsFile; + }; + gensokyo-zone-krb5-peep-password = mkIf (cfg.sssd.backend == "ldap") { + inherit sopsFile; + }; + gensokyo-zone-sssd-passwords = mkIf (cfg.sssd.backend == "ldap") { + inherit sopsFile; + }; }; - gensokyo-zone-krb5-peep-password = mkIf (cfg.sssd.backend == "ldap") { - inherit sopsFile; - }; - gensokyo-zone-sssd-passwords = mkIf (cfg.sssd.backend == "ldap") { - inherit sopsFile; - }; - }; lib.gensokyo-zone.krb5 = { inherit cfg krb5Module; }; diff --git a/modules/extern/nixos/kyuuto.nix b/modules/extern/nixos/kyuuto.nix index acb4a596..cb653b83 100644 --- a/modules/extern/nixos/kyuuto.nix +++ b/modules/extern/nixos/kyuuto.nix 
@@ -33,20 +33,28 @@ options = with lib.types; { enable = mkEnableOption "kyuuto"; media = { - enable = mkEnableOption "/mnt/kyuuto-media" // { - default = true; - }; - krb5.enable = mkEnableOption "krb5" // { - default = enabled.krb5; - }; + enable = + mkEnableOption "/mnt/kyuuto-media" + // { + default = true; + }; + krb5.enable = + mkEnableOption "krb5" + // { + default = enabled.krb5; + }; }; transfer = { - enable = mkEnableOption "/mnt/kyuuto-transfer" // { - default = true; - }; - krb5.enable = mkEnableOption "krb5" // { - default = enabled.krb5; - }; + enable = + mkEnableOption "/mnt/kyuuto-transfer" + // { + default = true; + }; + krb5.enable = + mkEnableOption "krb5" + // { + default = enabled.krb5; + }; }; shared.enable = mkEnableOption "/mnt/kyuuto-shared"; domain = mkOption { @@ -135,12 +143,13 @@ (mkIf config.nfs.enable "nfs4") (mkIf config.smb.enable "smb3") ]; - options = mkMerge (setFilesystemOptions ++ [ - (mkIf config.media.krb5.enable [ - "sec=krb5" - (mkIf config.nfs.enable "nfsvers=4") - ]) - ]); + options = mkMerge (setFilesystemOptions + ++ [ + (mkIf config.media.krb5.enable [ + "sec=krb5" + (mkIf config.nfs.enable "nfsvers=4") + ]) + ]); }; "/mnt/kyuuto-transfer" = mkIf config.transfer.enable { device = mkMerge [ @@ -151,12 +160,17 @@ (mkIf config.nfs.enable "nfs4") (mkIf config.smb.enable "smb3") ]; - options = mkMerge (setFilesystemOptions ++ [ - (mkIf config.media.krb5.enable [ - (if access.local.enable || access.tail.enabled then "sec=sys:krb5" else "sec=krb5") - #(mkIf config.nfs.enable "nfsvers=3") - ]) - ]); + options = mkMerge (setFilesystemOptions + ++ [ + (mkIf config.media.krb5.enable [ + ( + if access.local.enable || access.tail.enabled + then "sec=sys:krb5" + else "sec=krb5" + ) + #(mkIf config.nfs.enable "nfsvers=3") + ]) + ]); }; "/mnt/kyuuto-shared" = mkIf (config.shared.enable && config.smb.enable) { device = mkIf (config.smb.user != null) ''\\smb.${config.domain}\shared''; 
@@ -204,7 +218,7 @@ in { nixosConfig = config; }; }; - default = { }; + default = {}; }; config = { diff --git a/modules/extern/nixos/nix.nix b/modules/extern/nixos/nix.nix index 78a0944f..2a355a51 100644 --- a/modules/extern/nixos/nix.nix +++ b/modules/extern/nixos/nix.nix @@ -46,9 +46,11 @@ default = "ssh"; }; ssh = { - commonKey = mkEnableOption "shared secret nixbld key" // { - default = true; - }; + commonKey = + mkEnableOption "shared secret nixbld key" + // { + default = true; + }; user = mkOption { type = str; default = "nixbld"; @@ -105,8 +107,8 @@ ]; builder = { systems = mkMerge [ - (mkIf config.builder.cross.aarch64 (mkOptionDefault [ "aarch64-linux" ])) - (mkIf config.builder.cross.armv7l (mkOptionDefault [ "armv7l-linux" ])) + (mkIf config.builder.cross.aarch64 (mkOptionDefault ["aarch64-linux"])) + (mkIf config.builder.cross.armv7l (mkOptionDefault ["armv7l-linux"])) ]; domain = mkMerge [ (mkIf access.tail.enabled (mkAlmostOptionDefault "nixbld.tail.${domain}")) @@ -114,9 +116,11 @@ ]; ssh.key = let inherit (nixosConfig.sops) secrets; - in mkIf (nixosOptions ? sops.secrets && secrets ? gensokyo-zone-nix-bld-key) (mkAlmostOptionDefault - nixosConfig.sops.secrets.gensokyo-zone-nix-bld-key.path - ); + in + mkIf (nixosOptions ? sops.secrets && secrets ? gensokyo-zone-nix-bld-key) ( + mkAlmostOptionDefault + nixosConfig.sops.secrets.gensokyo-zone-nix-bld-key.path + ); setBuildMachine = { hostName = config.builder.domain; protocol = config.builder.protocol; @@ -145,7 +149,7 @@ in { nixosOptions = options; }; }; - default = { }; + default = {}; }; config = { 
@@ -153,13 +157,18 @@ in { settings = unmerged.merge cfg.setNixSettings; buildMachines = unmerged.merge cfg.setNixBuildMachines; }; - ${if options ? sops.secrets then "sops" else null}.secrets = let + ${ + if options ? sops.secrets + then "sops" + else null + }.secrets = let sopsFile = mkDefault ../secrets/nix.yaml; - in mkIf cfg.enable { - gensokyo-zone-nix-bld-key = mkIf cfg.builder.ssh.commonKey { - inherit sopsFile; + in + mkIf cfg.enable { + gensokyo-zone-nix-bld-key = mkIf cfg.builder.ssh.commonKey { + inherit sopsFile; + }; }; - }; lib.gensokyo-zone.nix = { inherit cfg nixModule; }; diff --git a/modules/extern/nixos/users.nix b/modules/extern/nixos/users.nix index 008fd332..41acb32c 100644 --- a/modules/extern/nixos/users.nix +++ b/modules/extern/nixos/users.nix @@ -162,7 +162,7 @@ modules = [userModule]; inherit specialArgs; }); - default = { }; + default = {}; }; excludeUsers = mkOption { type = listOf str; @@ -172,7 +172,7 @@ modules = [groupModule]; inherit specialArgs; }); - default = { }; + default = {}; }; excludeGroups = mkOption { type = listOf str; diff --git a/modules/nixos/access/cidr.nix b/modules/nixos/access/cidr.nix index 5ce3c5fa..2bbaaf30 100644 --- a/modules/nixos/access/cidr.nix +++ b/modules/nixos/access/cidr.nix @@ -76,10 +76,12 @@ in { ]; }; allLan = { - v4 = cfg.cidrForNetwork.loopback.v4 + v4 = + cfg.cidrForNetwork.loopback.v4 ++ cfg.cidrForNetwork.local.v4 ++ cfg.cidrForNetwork.int.v4; - v6 = cfg.cidrForNetwork.loopback.v6 + v6 = + cfg.cidrForNetwork.loopback.v6 ++ cfg.cidrForNetwork.local.v6 ++ cfg.cidrForNetwork.int.v6; }; diff --git a/modules/nixos/access/local.nix b/modules/nixos/access/local.nix index 0790b161..642b14b7 100644 --- a/modules/nixos/access/local.nix +++ b/modules/nixos/access/local.nix 
@@ -55,7 +55,7 @@ in { nftables.ruleset = mkIf cfg.enable (mkBefore cfg.nftablesInclude); firewall = { interfaces.local = { - nftables.conditions = mkIf (cfg.enable && networking.enableIPv6) [ "ip6 saddr $localrange6" ]; + nftables.conditions = mkIf (cfg.enable && networking.enableIPv6) ["ip6 saddr $localrange6"]; }; }; }; diff --git a/modules/nixos/access/peeps.nix b/modules/nixos/access/peeps.nix index bd47921d..ab68fc90 100644 --- a/modules/nixos/access/peeps.nix +++ b/modules/nixos/access/peeps.nix @@ -15,33 +15,42 @@ hasSops = options ? sops.secrets; in { options.networking.access.peeps = with lib.types; { - enable = mkEnableOption "peeps" // { default = hasSops; }; + enable = mkEnableOption "peeps" // {default = hasSops;}; ranges = mkOption { type = attrsOf str; - default = { }; + default = {}; }; stateDir = mkOption { type = path; default = "/run/access/peeps"; }; }; - config.${if hasSops then "sops" else null}.secrets = let + config.${ + if hasSops + then "sops" + else null + }.secrets = let sopsFile = mkDefault ../../../nixos/secrets/access.yaml; - sopsSecrets = mapAttrs' (name: _: nameValuePair (mkSopsName name) { - inherit sopsFile; - path = mkDefault "${cfg.stateDir}/${name}.nft"; - }) cfg.ranges; - in mkIf cfg.enable sopsSecrets; + sopsSecrets = mapAttrs' (name: _: + nameValuePair (mkSopsName name) { + inherit sopsFile; + path = mkDefault "${cfg.stateDir}/${name}.nft"; + }) + cfg.ranges; + in + mkIf cfg.enable sopsSecrets; config.networking = let nftRanges = mapAttrsToList (name: range: let nft = "define ${mkNftName name} = ${range}"; - in mkBefore nft) cfg.ranges; + in + mkBefore nft) + cfg.ranges; condition = "ip6 saddr { ${concatStringsSep "," (mapAttrsToList (name: _: "$" + mkNftName name) cfg.ranges)} }"; in { nftables.ruleset = mkIf cfg.enable (mkMerge ( nftRanges - ++ [ (mkBefore ''include "${cfg.stateDir}/*.nft"'') ] + ++ [(mkBefore ''include "${cfg.stateDir}/*.nft"'')] )); firewall.interfaces.peeps = { nftables.enable = cfg.enable; 
diff --git a/modules/nixos/args.nix b/modules/nixos/args.nix index 02d86339..8bb5dccb 100644 --- a/modules/nixos/args.nix +++ b/modules/nixos/args.nix @@ -1,4 +1,4 @@ -{ gensokyo-zone, ... }: { +{gensokyo-zone, ...}: { config.lib = { inherit gensokyo-zone; }; diff --git a/modules/nixos/barcodebuddy.nix b/modules/nixos/barcodebuddy.nix index d7068f5a..05a62c55 100644 --- a/modules/nixos/barcodebuddy.nix +++ b/modules/nixos/barcodebuddy.nix @@ -1,4 +1,10 @@ -{ config, lib, gensokyo-zone, pkgs, ... }: let +{ + config, + lib, + gensokyo-zone, + pkgs, + ... +}: let inherit (gensokyo-zone.lib) mkAlmostOptionDefault mapOptionDefaults unmerged; inherit (lib.options) mkOption mkEnableOption mkPackageOption; inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault; @@ -8,17 +14,20 @@ cfg = config.services.barcodebuddy; toEnvName = key: "BBUDDY_" + key; toEnvValue = value: - if value == true then "true" - else if value == false then "false" - else if isList value then concatStringsSep ";" (imap0 (i: v: "${toString i}=${toEnvValue v}") value) + if value == true + then "true" + else if value == false + then "false" + else if isList value + then concatStringsSep ";" (imap0 (i: v: "${toString i}=${toEnvValue v}") value) else toString value; toEnvPair = key: value: nameValuePair (toEnvName key) (toEnvValue value); toPhpEnvPair = key: value: nameValuePair (toEnvName key) ''"${toEnvValue value}"''; in { options.services.barcodebuddy = with lib.types; { enable = mkEnableOption "Barcode Buddy"; - package = mkPackageOption pkgs "barcodebuddy" { }; - phpPackageUnwrapped = mkPackageOption pkgs "php83" { }; + package = mkPackageOption pkgs "barcodebuddy" {}; + phpPackageUnwrapped = mkPackageOption pkgs "php83" {}; hostName = mkOption { type = str; }; @@ -38,7 +47,7 @@ in { enable = mkEnableOption "reverse proxy"; trustedAddresses = mkOption { type = listOf str; - default = [ "127.0.0.1" "::1" ]; + default = ["127.0.0.1" "::1"]; }; }; screen = { 
@@ -65,13 +74,15 @@ in { type = nullOr str; default = null; }; - /* TODO: passwordFile = mkOption { + /* + TODO: passwordFile = mkOption { type = nullOr path; default = null; - };*/ + }; + */ }; settings = mkOption { - type = attrsOf (oneOf [ str bool int (listOf str) ]); + type = attrsOf (oneOf [str bool int (listOf str)]); description = "https://github.com/Forceu/barcodebuddy/blob/master/config-dist.php"; }; nginxConfig = mkOption { @@ -95,9 +106,19 @@ in { bbuddyConfig.services.barcodebuddy = { settings = let defaults = mapOptionDefaults { - ${if cfg.screen.enable then "PORT_WEBSOCKET_SERVER" else null} = cfg.screen.websocketPort; + ${ + if cfg.screen.enable + then "PORT_WEBSOCKET_SERVER" + else null + } = + cfg.screen.websocketPort; SEARCH_ENGINE = "https://google.com/search?q="; - ${if cfg.reverseProxy.enable then "TRUSTED_PROXIES" else null} = cfg.reverseProxy.trustedAddresses; + ${ + if cfg.reverseProxy.enable + then "TRUSTED_PROXIES" + else null + } = + cfg.reverseProxy.trustedAddresses; DISABLE_AUTHENTICATION = false; DATABASE_PATH = cfg.databasePath; AUTHDB_PATH = cfg.authDatabasePath; @@ -109,7 +130,8 @@ in { REDIS_PORT = cfg.redis.port; REDIS_PW = toString cfg.redis.password; }; - in mkMerge [ defaults (mkIf cfg.redis.enable redis) ]; + in + mkMerge [defaults (mkIf cfg.redis.enable redis)]; nginxConfig = '' index index.php index.html index.htm; ''; 
@@ -125,13 +147,18 @@ in { }; redis = let redis = config.services.redis.servers.${cfg.redis.server}; - in mkIf (cfg.redis.server != null) { - enable = mkAlmostOptionDefault redis.enable; - ip = mkOptionDefault (if redis.bind == null then "localhost" else redis.bind); - port = mkIf (redis.port != 0) (mkOptionDefault redis.port); - password = mkAlmostOptionDefault redis.requirePass; - # TODO: passwordFile = mkAlmostOptionDefault redis.requirePassFile; - }; + in + mkIf (cfg.redis.server != null) { + enable = mkAlmostOptionDefault redis.enable; + ip = mkOptionDefault ( + if redis.bind == null + then "localhost" + else redis.bind + ); + port = mkIf (redis.port != 0) (mkOptionDefault redis.port); + password = mkAlmostOptionDefault redis.requirePass; + # TODO: passwordFile = mkAlmostOptionDefault redis.requirePassFile; + }; }; conf.users.users.barcodebuddy = { isSystemUser = true; @@ -146,7 +173,10 @@ in { user = "barcodebuddy"; inherit (config.services.nginx) group; - phpPackage = cfg.phpPackageUnwrapped.withExtensions ({ enabled, all }: [ + phpPackage = cfg.phpPackageUnwrapped.withExtensions ({ + enabled, + all, + }: [ all.curl all.mbstring all.sqlite3 @@ -190,7 +220,7 @@ in { }; }; conf.systemd.services.bbuddy-websocket = mkIf cfg.screen.enable { - wantedBy = [ "multi-user.target" ]; + wantedBy = ["multi-user.target"]; environment = mapAttrs' toEnvPair cfg.settings; unitConfig = { Description = "Run websocket server for barcodebuddy screen feature"; @@ -202,5 +232,6 @@ in { User = "barcodebuddy"; }; }; - in mkMerge [ bbuddyConfig (mkIf cfg.enable conf) ]; + in + mkMerge [bbuddyConfig (mkIf cfg.enable conf)]; } diff --git a/modules/nixos/home-assistant.nix b/modules/nixos/home-assistant.nix index b0a4ac67..0c28062b 100644 --- a/modules/nixos/home-assistant.nix +++ b/modules/nixos/home-assistant.nix 
@@ -82,7 +82,7 @@ in { interfaces.local = { allowedTCPPorts = mkMerge [ (mkIf (!cfg.homekit.openFirewall) homekitTcp) - (mkIf (!cfg.openFirewall) [ cfg.config.http.server_port ]) + (mkIf (!cfg.openFirewall) [cfg.config.http.server_port]) ]; allowedUDPPortRanges = mkIf (!cfg.cast.openFirewall) castUdpRanges; }; diff --git a/modules/nixos/ipa.nix b/modules/nixos/ipa.nix index cb8206cc..abe8cdcc 100644 --- a/modules/nixos/ipa.nix +++ b/modules/nixos/ipa.nix @@ -14,7 +14,7 @@ cfg = config.security.ipa; in { options.security.ipa = with lib.types; { - package = mkPackageOption pkgs "freeipa" { }; + package = mkPackageOption pkgs "freeipa" {}; overrideConfigs = { krb5 = mkOption { type = bool; 
@@ -36,67 +36,70 @@ in { config.services.sssd = let inherit (config.services) sssd; ipaDebugLevel = 65510; - in mkIf cfg.enable { - debugLevel = mkAlmostOptionDefault ipaDebugLevel; - domains = { - ${cfg.domain} = { - ldap.extraAttrs.user = { - mail = "mail"; - sn = "sn"; - givenname = "givenname"; - telephoneNumber = "telephoneNumber"; - lock = "nsaccountlock"; - }; - settings = mapOptionDefaults { - id_provider = "ipa"; - auth_provider = "ipa"; - access_provider = "ipa"; - chpass_provider = "ipa"; - ipa_domain = cfg.domain; + in + mkIf cfg.enable { + debugLevel = mkAlmostOptionDefault ipaDebugLevel; + domains = { + ${cfg.domain} = { + ldap.extraAttrs.user = { + mail = "mail"; + sn = "sn"; + givenname = "givenname"; + telephoneNumber = "telephoneNumber"; + lock = "nsaccountlock"; + }; + settings = + mapOptionDefaults { + id_provider = "ipa"; + auth_provider = "ipa"; + access_provider = "ipa"; + chpass_provider = "ipa"; + ipa_domain = cfg.domain; - ipa_server = [ "_srv_" cfg.server ]; + ipa_server = ["_srv_" cfg.server]; - ipa_hostname = "${config.networking.hostName}.${cfg.domain}"; + ipa_hostname = "${config.networking.hostName}.${cfg.domain}"; - cache_credentials = cfg.cacheCredentials; + cache_credentials = cfg.cacheCredentials; - krb5_store_password_if_offline = cfg.offlinePasswords; + krb5_store_password_if_offline = cfg.offlinePasswords; - dyndns_update = cfg.dyndns.enable; + dyndns_update = cfg.dyndns.enable; - dyndns_iface = cfg.dyndns.interface; + dyndns_iface = cfg.dyndns.interface; - ldap_tls_cacert = "/etc/ipa/ca.crt"; - } // { - krb5_realm = mkIf (toLower cfg.domain != toLower cfg.realm) (mkOptionDefault cfg.realm); + ldap_tls_cacert = "/etc/ipa/ca.crt"; + } + // { + krb5_realm = mkIf (toLower cfg.domain != toLower cfg.realm) (mkOptionDefault cfg.realm); + }; }; }; + services = { + nss.settings = mapOptionDefaults { + homedir_substring = "/home"; + }; + pam.settings = mapOptionDefaults { + pam_pwd_expiration_warning = 3; + pam_verbosity = 3; + }; + 
sudo = { + enable = mkAlmostOptionDefault true; + settings = mapOptionDefaults { + debug_level = ipaDebugLevel; + }; + }; + ssh.enable = mkAlmostOptionDefault true; + ifp = { + enable = mkAlmostOptionDefault true; + settings = mapOptionDefaults { + allowed_uids = cfg.ifpAllowedUids; + }; + }; + }; + configText = mkIf (cfg.overrideConfigs.sssd) (mkAlmostOptionDefault null); + config = mkIf (sssd.configText != null) (mkAlmostForce sssd.configText); }; - services = { - nss.settings = mapOptionDefaults { - homedir_substring = "/home"; - }; - pam.settings = mapOptionDefaults { - pam_pwd_expiration_warning = 3; - pam_verbosity = 3; - }; - sudo = { - enable = mkAlmostOptionDefault true; - settings = mapOptionDefaults { - debug_level = ipaDebugLevel; - }; - }; - ssh.enable = mkAlmostOptionDefault true; - ifp = { - enable = mkAlmostOptionDefault true; - settings = mapOptionDefaults { - allowed_uids = cfg.ifpAllowedUids; - }; - }; - }; - configText = mkIf (cfg.overrideConfigs.sssd) (mkAlmostOptionDefault null); - config = mkIf (sssd.configText != null) (mkAlmostForce sssd.configText); - }; config.security.krb5 = mkIf cfg.enable { enable = mkAlmostForce false; package = mkAlmostOptionDefault pkgs.krb5Full; @@ -136,8 +139,9 @@ in { }; config.environment.etc."krb5.conf" = let inherit (config.security) krb5; - format = import (modulesPath + "/security/krb5/krb5-conf-format.nix") { inherit pkgs lib; } { }; - in mkIf (cfg.enable && !cfg.overrideConfigs.krb5) { - text = mkForce (format.generate "krb5.conf" krb5.settings).text; - }; + format = import (modulesPath + "/security/krb5/krb5-conf-format.nix") {inherit pkgs lib;} {}; + in + mkIf (cfg.enable && !cfg.overrideConfigs.krb5) { + text = mkForce (format.generate "krb5.conf" krb5.settings).text; + }; } diff --git a/modules/nixos/keycloak.nix b/modules/nixos/keycloak.nix index 3b15701e..e13ff183 100644 --- a/modules/nixos/keycloak.nix +++ b/modules/nixos/keycloak.nix 
@@ -1,11 +1,15 @@ -{config, lib, ...}: let +{ + config, + lib, + ... +}: let inherit (lib.options) mkOption; inherit (lib.modules) mkOptionDefault; cfg = config.services.keycloak; in { options.services.keycloak = with lib.types; { protocol = mkOption { - type = enum [ "http" "https" ]; + type = enum ["http" "https"]; readOnly = true; }; port = mkOption { @@ -14,7 +18,11 @@ in { }; }; config.services.keycloak = { - protocol = mkOptionDefault (if cfg.sslCertificate != null then "https" else "http"); + protocol = mkOptionDefault ( + if cfg.sslCertificate != null + then "https" + else "http" + ); port = mkOptionDefault cfg.settings."${cfg.protocol}-port"; }; } diff --git a/modules/nixos/krb5/genso.nix b/modules/nixos/krb5/genso.nix index d04cb8e5..8ed34ea6 100644 --- a/modules/nixos/krb5/genso.nix +++ b/modules/nixos/krb5/genso.nix @@ -1,4 +1,10 @@ -{ gensokyo-zone, pkgs, config, lib, ... }: let +{ + gensokyo-zone, + pkgs, + config, + lib, + ... +}: let inherit (gensokyo-zone.lib) mkBaseDn mapDefaults mkAlmostOptionDefault mapOptionDefaults domain; inherit (lib.options) mkOption mkEnableOption; inherit (lib.modules) mkIf mkDefault mkOptionDefault mkForce; @@ -50,12 +56,12 @@ in { }; }; db.backend = mkOption { - type = enum [ "kldap" "ipa" ]; + type = enum ["kldap" "ipa"]; default = "kldap"; }; authToLocalNames = mkOption { type = attrsOf str; - default = { }; + default = {}; }; }; config = { 
@@ -64,32 +70,36 @@ in { krb5-ldap = pkgs.krb5.override { withLdap = true; }; - in mkIf (cfg.enable && cfg.db.backend == "kldap") (mkDefault pkgs.krb5-ldap or krb5-ldap); + in + mkIf (cfg.enable && cfg.db.backend == "kldap") (mkDefault pkgs.krb5-ldap or krb5-ldap); settings = mkIf cfg.enable { dbmodules = { genso-kldap = mkIf (cfg.db.backend == "kldap") (mapDefaults { - db_library = "kldap"; - ldap_servers = concatStringsSep " " cfg.ldap.urls; - ldap_kdc_dn = cfg.ldap.bind.dn; - ldap_kerberos_container_dn = cfg.ldap.baseDn; - } // { - ldap_service_password_file = mkIf (cfg.ldap.bind.passwordFile != null) (mkDefault cfg.ldap.bind.passwordFile); - }); + db_library = "kldap"; + ldap_servers = concatStringsSep " " cfg.ldap.urls; + ldap_kdc_dn = cfg.ldap.bind.dn; + ldap_kerberos_container_dn = cfg.ldap.baseDn; + } + // { + ldap_service_password_file = mkIf (cfg.ldap.bind.passwordFile != null) (mkDefault cfg.ldap.bind.passwordFile); + }); genso-ipa = mkIf (cfg.db.backend == "ipa") (mapDefaults { db_library = "${ipa.package}/lib/krb5/plugins/kdb/ipadb.so"; }); - ${cfg.realm} = mkIf ipa.enable (mkForce { }); - }; - realms.${cfg.realm} = mapDefaults { - kdc = "${cfg.host}:88"; - master_kdc = "${cfg.host}:88"; - admin_server = "${cfg.host}:749"; - default_domain = cfg.domain; - pkinit_anchors = [ "FILE:${cfg.ca.cert}" ]; - } // { - database_module = mkOptionDefault "genso-${cfg.db.backend}"; - auth_to_local_names = mkIf (cfg.authToLocalNames != { }) (mkDefault (subsection cfg.authToLocalNames)); + ${cfg.realm} = mkIf ipa.enable (mkForce {}); }; + realms.${cfg.realm} = + mapDefaults { + kdc = "${cfg.host}:88"; + master_kdc = "${cfg.host}:88"; + admin_server = "${cfg.host}:749"; + default_domain = cfg.domain; + pkinit_anchors = ["FILE:${cfg.ca.cert}"]; + } + // { + database_module = mkOptionDefault "genso-${cfg.db.backend}"; + auth_to_local_names = mkIf (cfg.authToLocalNames != {}) (mkDefault (subsection cfg.authToLocalNames)); + }; domain_realm = mapOptionDefaults { 
${cfg.domain} = cfg.realm; ".${cfg.domain}" = cfg.realm; @@ -112,7 +122,8 @@ in { url = "https://ipa.${cfg.domain}/ipa/config/ca.crt"; sha256 = "sha256-PKjnjn1jIq9x4BX8+WGkZfj4HQtmnHqmFSALqggo91o="; }; - in mkOptionDefault caPem; + in + mkOptionDefault caPem; db.backend = mkIf ipa.enable (mkAlmostOptionDefault "ipa"); ldap.urls = mkOptionDefault [ "ldaps://ldap.${cfg.domain}" @@ -120,16 +131,18 @@ in { ]; }; }; - networking.timeServers = mkIf (cfg.enable && enabled) [ "2.fedora.pool.ntp.org" ]; + networking.timeServers = mkIf (cfg.enable && enabled) ["2.fedora.pool.ntp.org"]; security.ipa = mkIf cfg.enable { certificate = mkDefault cfg.ca.cert; basedn = mkDefault cfg.ldap.baseDn; domain = mkDefault cfg.domain; realm = mkDefault cfg.realm; server = mkDefault cfg.canonHost; - ifpAllowedUids = [ - "root" - ] ++ config.users.groups.wheel.members; + ifpAllowedUids = + [ + "root" + ] + ++ config.users.groups.wheel.members; dyndns.enable = mkDefault false; }; }; diff --git a/modules/nixos/minecraft-bedrock.nix b/modules/nixos/minecraft-bedrock.nix index 0c8f5c3d..532fb636 100644 --- a/modules/nixos/minecraft-bedrock.nix +++ b/modules/nixos/minecraft-bedrock.nix @@ -1,5 +1,11 @@ let - allowListModule = {config, name, gensokyo-zone, lib, ...}: let + allowListModule = { + config, + name, + gensokyo-zone, + lib, + ... + }: let inherit (gensokyo-zone.Std) UInt; inherit (lib.options) mkOption; inherit (lib.modules) mkOptionDefault; @@ -11,10 +17,10 @@ let default = name; }; xuid = mkOption { - type = oneOf [ int str ]; + type = oneOf [int str]; }; permission = mkOption { - type = enum [ "visitor" "member" "operator" ]; + type = enum ["visitor" "member" "operator"]; default = "member"; }; settings = mkOption { 
@@ -25,10 +31,12 @@ let }; }; config = let - xuid = { - string = toString (UInt.FromHex config.xuid); - int = toString config.xuid; - }.${typeOf config.xuid}; + xuid = + { + string = toString (UInt.FromHex config.xuid); + int = toString config.xuid; + } + .${typeOf config.xuid}; in { settings = { name = mkOptionDefault config.name; @@ -41,16 +49,22 @@ let }; }; }; - packModule = {config, lib, ...}: let + packModule = { + config, + lib, + ... + }: let inherit (lib.options) mkOption mkEnableOption; inherit (lib.modules) mkIf mkOptionDefault; inherit (lib.strings) splitString; inherit (builtins) typeOf; in { options = with lib.types; { - enable = mkEnableOption "pack" // { - default = true; - }; + enable = + mkEnableOption "pack" + // { + default = true; + }; package = mkOption { type = nullOr package; default = null; 
@@ -59,90 +73,194 @@ let type = str; }; packType = mkOption { - type = enum [ "resource_packs" "behavior_packs" ]; + type = enum ["resource_packs" "behavior_packs"]; }; packId = mkOption { type = str; }; version = mkOption { - type = oneOf [ str (listOf str) ]; + type = oneOf [str (listOf str)]; }; settings = mkOption { - type = attrsOf (oneOf [ str (listOf str) ]); + type = attrsOf (oneOf [str (listOf str)]); }; }; config = { - packId = mkIf (config.package != null && config.package ? minecraft-bedrock.pack.pack_id) (mkOptionDefault + packId = mkIf (config.package != null && config.package ? minecraft-bedrock.pack.pack_id) ( + mkOptionDefault config.package.minecraft-bedrock.pack.pack_id ); - packType = mkIf (config.package != null && config.package ? minecraft-bedrock.pack.type) (mkOptionDefault + packType = mkIf (config.package != null && config.package ? minecraft-bedrock.pack.type) ( + mkOptionDefault config.package.minecraft-bedrock.pack.type ); - version = mkIf (config.package != null && config.package ? minecraft-bedrock.pack.version) (mkOptionDefault + version = mkIf (config.package != null && config.package ? minecraft-bedrock.pack.version) ( + mkOptionDefault config.package.minecraft-bedrock.pack.version ); - packDir = mkIf (config.package != null && config.package ? minecraft-bedrock.pack.dir) (mkOptionDefault + packDir = mkIf (config.package != null && config.package ? minecraft-bedrock.pack.dir) ( + mkOptionDefault config.package.minecraft-bedrock.pack.dir ); settings = { pack_id = mkOptionDefault config.packId; - version = mkOptionDefault { - string = splitString "." config.version; - list = config.version; - }.${typeOf config.version}; + version = + mkOptionDefault + { + string = splitString "." config.version; + list = config.version; + } + .${typeOf config.version}; }; }; }; -in { config, gensokyo-zone, lib, pkgs, ... 
}: let - # see https://gist.github.com/datakurre/cfdf627fb23ed8ff62bb7b3520b92674 - inherit (gensokyo-zone.lib) mapOptionDefaults; - inherit (lib.options) mkOption mkPackageOption; - inherit (lib.modules) mkIf mkMerge mkOptionDefault; - inherit (lib.attrsets) filterAttrs mapAttrsToList; - inherit (lib.lists) optional; - inherit (lib.strings) concatStringsSep; - inherit (lib.trivial) boolToString; - inherit (lib.meta) getExe; - inherit (builtins) toJSON; - cfg = config.services.minecraft-bedrock-server; +in + { + config, + gensokyo-zone, + lib, + pkgs, + ... + }: let + # see https://gist.github.com/datakurre/cfdf627fb23ed8ff62bb7b3520b92674 + inherit (gensokyo-zone.lib) mapOptionDefaults; + inherit (lib.options) mkOption mkPackageOption; + inherit (lib.modules) mkIf mkMerge mkOptionDefault; + inherit (lib.attrsets) filterAttrs mapAttrsToList; + inherit (lib.lists) optional; + inherit (lib.strings) concatStringsSep; + inherit (lib.trivial) boolToString; + inherit (lib.meta) getExe; + inherit (builtins) toJSON; + cfg = config.services.minecraft-bedrock-server; - cfgToString = v: if builtins.isBool v then boolToString v else toString v; + cfgToString = v: + if builtins.isBool v + then boolToString v + else toString v; - serverPropertiesFile = pkgs.writeText "server.properties" ('' - # server.properties managed by NixOS configuration - '' + concatStringsSep "\n" (mapAttrsToList - (n: v: "${n}=${cfgToString v}") cfg.serverProperties)); -in { - options.services.minecraft-bedrock-server = with lib.types; { - enable = mkOption { - type = bool; - default = false; - description = '' - If enabled, start a Minecraft Bedrock Server. The server - data will be loaded from and saved to - . 
- ''; + serverPropertiesFile = pkgs.writeText "server.properties" ('' + # server.properties managed by NixOS configuration + '' + + concatStringsSep "\n" (mapAttrsToList + (n: v: "${n}=${cfgToString v}") + cfg.serverProperties)); + in { + options.services.minecraft-bedrock-server = with lib.types; { + enable = mkOption { + type = bool; + default = false; + description = '' + If enabled, start a Minecraft Bedrock Server. The server + data will be loaded from and saved to + . + ''; + }; + + dataDir = mkOption { + type = path; + default = "/var/lib/minecraft-bedrock"; + description = '' + Directory to store Minecraft Bedrock database and other state/data files. + ''; + }; + + serverProperties = mkOption { + type = attrsOf (oneOf [bool int str float]); + example = literalExample '' + { + server-name = "Dedicated Server"; + gamemode = "survival"; + difficulty = "easy"; + allow-cheats = false; + max-players = 10; + online-mode = false; + white-list = false; + server-port = 19132; + server-portv6 = 19133; + view-distance = 32; + tick-distance = 4; + player-idle-timeout = 30; + max-threads = 8; + level-name = "Bedrock level"; + level-seed = ""; + default-player-permission-level = "member"; + texturepack-required = false; + content-log-file-enabled = false; + compression-threshold = 1; + server-authoritative-movement = "server-auth"; + player-movement-score-threshold = 20; + player-movement-distance-threshold = 0.3; + player-movement-duration-threshold-in-ms = 500; + correct-player-movement = false; + } + ''; + description = '' + Minecraft Bedrock server properties for the server.properties file. 
+ ''; + }; + + package = + mkPackageOption pkgs "minecraft-bedrock-server" {} + // { + description = "Version of minecraft-bedrock-server to run."; + }; + + openFirewall = mkOption { + type = bool; + default = false; + }; + + user = mkOption { + type = str; + default = "minecraft-bedrock"; + }; + group = mkOption { + type = str; + default = cfg.user; + }; + + allowPlayers = mkOption { + type = nullOr (attrsOf (submoduleWith { + modules = [allowListModule]; + specialArgs = { + inherit gensokyo-zone; + nixosConfig = config; + }; + })); + default = null; + }; + + allowList = mkOption { + type = nullOr path; + }; + + permissions = mkOption { + type = nullOr path; + }; + + packs = mkOption { + type = attrsOf (submoduleWith { + modules = [packModule]; + specialArgs = { + inherit gensokyo-zone; + nixosConfig = config; + }; + }); + default = {}; + }; }; - dataDir = mkOption { - type = path; - default = "/var/lib/minecraft-bedrock"; - description = '' - Directory to store Minecraft Bedrock database and other state/data files. - ''; - }; - - serverProperties = mkOption { - type = attrsOf (oneOf [ bool int str float ]); - example = literalExample '' - { + config = let + confService.services.minecraft-bedrock-server = { + serverProperties = mapOptionDefaults { server-name = "Dedicated Server"; gamemode = "survival"; difficulty = "easy"; allow-cheats = false; max-players = 10; online-mode = false; - white-list = false; + allow-list = cfg.allowList != null; server-port = 19132; server-portv6 = 19133; view-distance = 32; 
@@ -160,191 +278,118 @@ in { player-movement-distance-threshold = 0.3; player-movement-duration-threshold-in-ms = 500; correct-player-movement = false; - } - ''; - description = '' - Minecraft Bedrock server properties for the server.properties file. - ''; - }; - - package = mkPackageOption pkgs "minecraft-bedrock-server" { }// { - description = "Version of minecraft-bedrock-server to run."; - }; - - openFirewall = mkOption { - type = bool; - default = false; - }; - - user = mkOption { - type = str; - default = "minecraft-bedrock"; - }; - group = mkOption { - type = str; - default = cfg.user; - }; - - allowPlayers = mkOption { - type = nullOr (attrsOf (submoduleWith { - modules = [ allowListModule ]; - specialArgs = { - inherit gensokyo-zone; - nixosConfig = config; }; - })); - default = null; - }; - - allowList = mkOption { - type = nullOr path; - }; - - permissions = mkOption { - type = nullOr path; - }; - - packs = mkOption { - type = attrsOf (submoduleWith { - modules = [ packModule ]; - specialArgs = { - inherit gensokyo-zone; - nixosConfig = config; - }; - }); - default = { }; - }; - }; - - config = let - confService.services.minecraft-bedrock-server = { - serverProperties = mapOptionDefaults { - server-name = "Dedicated Server"; - gamemode = "survival"; - difficulty = "easy"; - allow-cheats = false; - max-players = 10; - online-mode = false; - allow-list = cfg.allowList != null; - server-port = 19132; - server-portv6 = 19133; - view-distance = 32; - tick-distance = 4; - player-idle-timeout = 30; - max-threads = 8; - level-name = "Bedrock level"; - level-seed = ""; - default-player-permission-level = "member"; - texturepack-required = false; - content-log-file-enabled = false; - compression-threshold = 1; - server-authoritative-movement = "server-auth"; - player-movement-score-threshold = 20; - player-movement-distance-threshold = 0.3; - player-movement-duration-threshold-in-ms = 500; - correct-player-movement = false; + allowList = let + allowPlayers = 
mapAttrsToList (_: allow: allow.settings) cfg.allowPlayers; + allowListJson = pkgs.writeText "minecraft-bedrock-server-allowlist.json" ( + toJSON allowPlayers + ); + in + mkOptionDefault ( + if cfg.allowPlayers != null + then allowListJson + else null + ); + permissions = let + permissions = mapAttrsToList (_: allow: allow.permissionSettings) cfg.allowPlayers; + permissionsJson = pkgs.writeText "minecraft-bedrock-server-permissions.json" ( + toJSON permissions + ); + in + mkOptionDefault ( + if cfg.allowPlayers != null + then permissionsJson + else null + ); }; - allowList = let - allowPlayers = mapAttrsToList (_: allow: allow.settings) cfg.allowPlayers; - allowListJson = pkgs.writeText "minecraft-bedrock-server-allowlist.json" ( - toJSON allowPlayers - ); - in mkOptionDefault ( - if cfg.allowPlayers != null then allowListJson - else null - ); - permissions = let - permissions = mapAttrsToList (_: allow: allow.permissionSettings) cfg.allowPlayers; - permissionsJson = pkgs.writeText "minecraft-bedrock-server-permissions.json" ( - toJSON permissions - ); - in mkOptionDefault ( - if cfg.allowPlayers != null then permissionsJson - else null - ); - }; - conf.users.users.${cfg.user} = { - inherit (cfg) group; - description = "Minecraft server service user"; - home = cfg.dataDir; - createHome = true; - isSystemUser = true; - }; - conf.users.groups.${cfg.group} = {}; + conf.users.users.${cfg.user} = { + inherit (cfg) group; + description = "Minecraft server service user"; + home = cfg.dataDir; + createHome = true; + isSystemUser = true; + }; + conf.users.groups.${cfg.group} = {}; - conf.systemd.services.minecraft-bedrock-server = { - description = "Minecraft Bedrock Server Service"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; + conf.systemd.services.minecraft-bedrock-server = { + description = "Minecraft Bedrock Server Service"; + wantedBy = ["multi-user.target"]; + after = ["network.target"]; - serviceConfig = { - BindReadOnlyPaths = let - 
packageResources = map (subpath: "${cfg.package}/var/lib/minecraft-bedrock/${subpath}:${cfg.dataDir}/${subpath}") ([ - "definitions/attachables" - "definitions/biomes" - "definitions/feature_rules" - "definitions/features" - "definitions/persona" - "definitions/sdl_layouts" - "definitions/spawn_groups" - "resource_packs/vanilla" - "resource_packs/chemistry" - "config/default" - "bedrock_server_symbols.debug" - "env-vars" - ] ++ optional (cfg.permissions == null) "permissions.json"); - mkWorldPacks = type: let - enabledPacks = filterAttrs (_: pack: pack.enable && pack.packType == "${type}_packs") cfg.packs; - jsonName = "world_${type}_packs.json"; - packsJson = mapAttrsToList (_: pack: pack.settings) enabledPacks; - packsJsonPath = pkgs.writeText jsonName (toJSON packsJson); - in mkIf (enabledPacks != { }) [ - "${packsJsonPath}:${cfg.dataDir}/worlds/${cfg.serverProperties.level-name}/${jsonName}" + serviceConfig = { + BindReadOnlyPaths = let + packageResources = map (subpath: "${cfg.package}/var/lib/minecraft-bedrock/${subpath}:${cfg.dataDir}/${subpath}") ([ + "definitions/attachables" + "definitions/biomes" + "definitions/feature_rules" + "definitions/features" + "definitions/persona" + "definitions/sdl_layouts" + "definitions/spawn_groups" + "resource_packs/vanilla" + "resource_packs/chemistry" + "config/default" + "bedrock_server_symbols.debug" + "env-vars" + ] + ++ optional (cfg.permissions == null) "permissions.json"); + mkWorldPacks = type: let + enabledPacks = filterAttrs (_: pack: pack.enable && pack.packType == "${type}_packs") cfg.packs; + jsonName = "world_${type}_packs.json"; + packsJson = mapAttrsToList (_: pack: pack.settings) enabledPacks; + packsJsonPath = pkgs.writeText jsonName (toJSON packsJson); + in + mkIf (enabledPacks != {}) [ + "${packsJsonPath}:${cfg.dataDir}/worlds/${cfg.serverProperties.level-name}/${jsonName}" + ]; + mapWorldPacks = packs: let + enabledPacks = filterAttrs (_: pack: pack.enable && pack.package != null) packs; + mapPackPath 
= _: pack: let + subDir = "${pack.packType}/${pack.packDir}"; + in "${pack.package}/${cfg.package.dataDir}/${subDir}:${cfg.dataDir}/${subDir}"; + in + mapAttrsToList mapPackPath enabledPacks; + packsPaths = mkMerge [ + (mkWorldPacks "behavior") + (mkWorldPacks "resource") + (mapWorldPacks cfg.packs) + ]; + in + mkMerge [ + packageResources + (mkIf (cfg.allowList != null) ["${cfg.allowList}:${cfg.dataDir}/allowlist.json"]) + (mkIf (cfg.permissions != null) ["${cfg.permissions}:${cfg.dataDir}/permissions.json"]) + (mkIf (cfg.packs != {}) packsPaths) + ]; + ExecStart = [ + "${getExe cfg.package}" ]; - mapWorldPacks = packs: let - enabledPacks = filterAttrs (_: pack: pack.enable && pack.package != null) packs; - mapPackPath = _: pack: let - subDir = "${pack.packType}/${pack.packDir}"; - in "${pack.package}/${cfg.package.dataDir}/${subDir}:${cfg.dataDir}/${subDir}"; - in mapAttrsToList mapPackPath enabledPacks; - packsPaths = mkMerge [ - (mkWorldPacks "behavior") - (mkWorldPacks "resource") - (mapWorldPacks cfg.packs) + Restart = "always"; + User = cfg.user; + WorkingDirectory = cfg.dataDir; + LogFilterPatterns = [ + "~.*minecraft:trial_chambers/chamber/end" + "~Running AutoCompaction" ]; - in mkMerge [ - packageResources - (mkIf (cfg.allowList != null) [ "${cfg.allowList}:${cfg.dataDir}/allowlist.json" ]) - (mkIf (cfg.permissions != null) [ "${cfg.permissions}:${cfg.dataDir}/permissions.json" ]) - (mkIf (cfg.packs != { }) packsPaths) - ]; - ExecStart = [ - "${getExe cfg.package}" - ]; - Restart = "always"; - User = cfg.user; - WorkingDirectory = cfg.dataDir; - LogFilterPatterns = [ - "~.*minecraft:trial_chambers/chamber/end" - "~Running AutoCompaction" - ]; + }; + + preStart = '' + mkdir -p behavior_packs + ln -sf ${cfg.package}/var/lib/minecraft-bedrock/behavior_packs/* behavior_packs/ + cp -f ${serverPropertiesFile} server.properties + chmod +w server.properties + ''; }; - preStart = '' - mkdir -p behavior_packs - ln -sf 
${cfg.package}/var/lib/minecraft-bedrock/behavior_packs/* behavior_packs/ - cp -f ${serverPropertiesFile} server.properties - chmod +w server.properties - ''; - }; - - conf.networking.firewall = let - ports = [ cfg.serverProperties.server-port cfg.serverProperties.server-portv6 ]; - in mkIf cfg.openFirewall { - allowedUDPPorts = ports; - }; - in mkMerge [ - confService - (mkIf cfg.enable conf) - ]; -} + conf.networking.firewall = let + ports = [cfg.serverProperties.server-port cfg.serverProperties.server-portv6]; + in + mkIf cfg.openFirewall { + allowedUDPPorts = ports; + }; + in + mkMerge [ + confService + (mkIf cfg.enable conf) + ]; + } diff --git a/modules/nixos/network/netgroups.nix b/modules/nixos/network/netgroups.nix index 60d2fd77..2373234e 100644 --- a/modules/nixos/network/netgroups.nix +++ b/modules/nixos/network/netgroups.nix @@ -9,14 +9,18 @@ inherit (lib.strings) concatStringsSep; inherit (config.system) nssDatabases; inherit (config) networking; - netgroupMemberModule = { config, name, ... }: { + netgroupMemberModule = { + config, + name, + ... + }: { options = with lib.types; { hostname = mkOption { type = str; default = name; }; user = mkOption { - type = either (enum [ null "-" ]) str; + type = either (enum [null "-"]) str; default = "-"; }; domain = mkOption { @@ -32,7 +36,11 @@ triple = mkOptionDefault "(${config.hostname},${toString config.user},${config.domain})"; }; }; - netgroupModule = { config, name, ... }: { + netgroupModule = { + config, + name, + ... + }: { options = with lib.types; { name = mkOption { type = str; 
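Review bot: The unit's `serviceConfig` in this hunk confines the network-facing server only through `User = cfg.user`; since the firewall block at the end of the file opens its UDP ports on request, the unit would benefit from sandboxing next to `WorkingDirectory = cfg.dataDir`, e.g. `ProtectSystem = "strict"; ReadWritePaths = [cfg.dataDir]; NoNewPrivileges = true;`, after confirming the `BindReadOnlyPaths` mounts into `cfg.dataDir` still resolve under the stricter namespace. The `preStart` line `ln -sf ${cfg.package}/var/lib/minecraft-bedrock/behavior_packs/* behavior_packs/` also never clears links created by a previous `cfg.package`, so dangling entries accumulate across upgrades; removing stale links first (e.g. `find behavior_packs -maxdepth 1 -xtype l -delete`) would keep the directory consistent. Both are pre-existing behaviours that the reformat carries over unchanged.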
@@ -40,14 +48,14 @@ }; members = mkOption { type = attrsOf (submodule netgroupMemberModule); - default = { }; + default = {}; }; fileLine = mkOption { type = str; }; }; config = { - fileLine = mkOptionDefault (concatStringsSep " " ([ config.name ] ++ mapAttrsToList (_: member: member.triple) config.members)); + fileLine = mkOptionDefault (concatStringsSep " " ([config.name] ++ mapAttrsToList (_: member: member.triple) config.members)); }; }; in { @@ -60,7 +68,7 @@ in { networking = { netgroups = mkOption { type = attrsOf (submodule netgroupModule); - default = { }; + default = {}; }; extraNetgroups = mkOption { type = lines; @@ -71,17 +79,17 @@ in { config = { system.nssDatabases = { netgroup = mkMerge [ - (mkBefore [ "files" ]) - (mkAfter [ "nis" ]) + (mkBefore ["files"]) + (mkAfter ["nis"]) ]; }; - environment.etc."nsswitch.conf".text = mkIf (nssDatabases.netgroup != [ ]) (mkAfter '' + environment.etc."nsswitch.conf".text = mkIf (nssDatabases.netgroup != []) (mkAfter '' netgroup: ${concatStringsSep " " nssDatabases.netgroup} ''); - environment.etc."netgroup" = mkIf (networking.netgroups != { } || networking.extraNetgroups != "") { + environment.etc."netgroup" = mkIf (networking.netgroups != {} || networking.extraNetgroups != "") { text = mkMerge ( mapAttrsToList (_: ng: ng.fileLine) networking.netgroups - ++ [ networking.extraNetgroups ] + ++ [networking.extraNetgroups] ); }; }; diff --git a/modules/nixos/network/resolve.nix b/modules/nixos/network/resolve.nix index 6e122f02..7192959f 100644 --- a/modules/nixos/network/resolve.nix +++ b/modules/nixos/network/resolve.nix @@ -1,4 +1,8 @@ -{config, lib, ...}: let +{ + config, + lib, + ... +}: let inherit (lib.options) mkOption mkEnableOption; inherit (lib.modules) mkIf mkOptionDefault; inherit (lib.lists) filter optional; 
@@ -7,21 +11,32 @@ enabledNameservers = filter (ns: ns.enable) (config.networking.nameservers'); nameserverModule = {config, ...}: let dnsPort = 53; - mkResolvedValue = { address, port, interface ? null, host ? null }: let + mkResolvedValue = { + address, + port, + interface ? null, + host ? null, + }: let isIpv6 = hasInfix ":" address; isPlain = port == dnsPort && interface == null && host == null; - addr = if isIpv6 && !isPlain then "[${address}]" else address; - in concatStrings ( - [ addr ] - ++ optional (port != dnsPort) ":${toString port}" - ++ optional (interface != null) "%${interface}" - ++ optional (host != null) "#${host}" - ); + addr = + if isIpv6 && !isPlain + then "[${address}]" + else address; + in + concatStrings ( + [addr] + ++ optional (port != dnsPort) ":${toString port}" + ++ optional (interface != null) "%${interface}" + ++ optional (host != null) "#${host}" + ); in { options = with lib.types; { - enable = mkEnableOption "nameserver" // { - default = true; - }; + enable = + mkEnableOption "nameserver" + // { + default = true; + }; address = mkOption { type = str; }; @@ -59,12 +74,16 @@ in { options.networking = with lib.types; { nameservers' = mkOption { type = listOf (submodule nameserverModule); - default = { }; + default = {}; }; }; config = { - networking.nameservers = mkIf (config.networking.nameservers' != [ ]) ( - map (ns: if resolved.enable then ns.resolvedValue else ns.value) enabledNameservers + networking.nameservers = mkIf (config.networking.nameservers' != []) ( + map (ns: + if resolved.enable + then ns.resolvedValue + else ns.value) + enabledNameservers ); }; } diff --git a/modules/nixos/nfs.nix b/modules/nixos/nfs.nix index 8a845f67..22dd51ea 100644 --- a/modules/nixos/nfs.nix +++ b/modules/nixos/nfs.nix 
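Review bot: In the `@@ -59,12 +74,16 @@` hunk, `nameservers'` is declared with `type = listOf (submodule nameserverModule)` but keeps `default = {}`, an attribute set; as far as I can tell the module system merges the default as an ordinary definition and type-checks it, so a host that never defines the option should fail with a "not of type list" error as soon as `config.networking.nameservers' != []` is evaluated. The default should read `default = [];`, matching the comparison in the config block below it. The formatter preserved the value, so this predates the commit rather than being introduced by it.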
@@ -21,16 +21,20 @@ (mkIf (cfg.server.mountdPort != null) cfg.server.mountdPort) ]; concatFlags = concatStringsSep ","; - clientModule = { config, name, ... }: { + clientModule = { + config, + name, + ... + }: { options = with lib.types; { machine = mkOption { - type = oneOf [ str (listOf str) ]; + type = oneOf [str (listOf str)]; default = name; example = "*"; }; flags = mkOption { type = listOf str; - default = [ ]; + default = []; }; entry = mkOption { type = str; @@ -38,12 +42,17 @@ }; config = { entry = let - flags = optionalString (config.flags != [ ]) "(${concatFlags config.flags})"; + flags = optionalString (config.flags != []) "(${concatFlags config.flags})"; machines = toList config.machine; - in mkOptionDefault (concatMapStringsSep " " (machine: machine + flags) machines); + in + mkOptionDefault (concatMapStringsSep " " (machine: machine + flags) machines); }; }; - exportModule = { config, name, ... }: { + exportModule = { + config, + name, + ... + }: { options = with lib.types; { path = mkOption { type = path; @@ -60,12 +69,14 @@ }; }; config = { - flags = mkOptionDefault (cfg.export.flagSets.common or [ ]); + flags = mkOptionDefault (cfg.export.flagSets.common or []); fileLine = let - parts = [ config.path ] - ++ optional (config.flags != [ ]) "-${concatFlags config.flags}" + parts = + [config.path] + ++ optional (config.flags != []) "-${concatFlags config.flags}" ++ mapAttrsToList (_: client: client.entry) config.clients; - in mkOptionDefault (concatStringsSep " " parts); + in + mkOptionDefault (concatStringsSep " " parts); }; }; in { @@ -74,15 +85,15 @@ in { flagSets = mkOption { type = lazyAttrsOf (listOf str); default = { - common = [ "no_subtree_check" ]; + common = ["no_subtree_check"]; }; }; root = mkOption { type = nullOr (submodule [ exportModule - ({ ... }: { + ({...}: { flags = mkMerge [ - (cfg.export.flagSets.common or [ ]) + (cfg.export.flagSets.common or []) ]; }) ]); 
@@ -90,7 +101,7 @@ in { }; paths = mkOption { type = attrsOf (submodule exportModule); - default = { }; + default = {}; }; }; }; diff --git a/modules/nixos/nftables.nix b/modules/nixos/nftables.nix index 7c2958a0..54a8c685 100644 --- a/modules/nixos/nftables.nix +++ b/modules/nixos/nftables.nix @@ -111,7 +111,7 @@ }; conditions = mkOption { type = types.listOf types.str; - default = [ "iifname ${name}" ]; + default = ["iifname ${name}"]; }; }; }; diff --git a/modules/nixos/nginx/enable.nix b/modules/nixos/nginx/enable.nix index 611d8e6e..f2eacb47 100644 --- a/modules/nixos/nginx/enable.nix +++ b/modules/nixos/nginx/enable.nix @@ -1,28 +1,33 @@ -{ - lib, - ... -}: let +{lib, ...}: let inherit (lib.options) mkOption mkEnableOption; inherit (lib.modules) mkIf mkOverride; mkExtraForce = mkOverride 25; - locationModule = { config, virtualHost, ... }: { + locationModule = { + config, + virtualHost, + ... + }: { options = with lib.types; { - enable = mkEnableOption "enable location" // { - default = true; - }; + enable = + mkEnableOption "enable location" + // { + default = true; + }; }; config = mkIf (!virtualHost.enable || !config.enable) { extraConfig = mkExtraForce "deny all;"; }; }; - hostModule = { config, ... }: { + hostModule = {config, ...}: { options = with lib.types; { - enable = mkEnableOption "enable server" // { - default = true; - }; + enable = + mkEnableOption "enable server" + // { + default = true; + }; locations = mkOption { type = attrsOf (submoduleWith { - modules = [ locationModule ]; + modules = [locationModule]; shorthandOnlyDefinesConfig = true; }); }; @@ -39,7 +44,7 @@ in { options = with lib.types; { services.nginx.virtualHosts = mkOption { type = attrsOf (submoduleWith { - modules = [ hostModule ]; + modules = [hostModule]; shorthandOnlyDefinesConfig = true; }); }; diff --git a/modules/nixos/nginx/fastcgi.nix b/modules/nixos/nginx/fastcgi.nix index 313dc10d..21005172 100644 --- a/modules/nixos/nginx/fastcgi.nix 
+++ b/modules/nixos/nginx/fastcgi.nix @@ -30,7 +30,7 @@ let }; passHeaders = mkOption { type = attrsOf bool; - default = { }; + default = {}; description = "fastcgi_pass_header"; }; socket = mkOption { @@ -43,7 +43,8 @@ let config = { fastcgi = { - socket = mkIf (cfg.phpfpmPool != null) (mkAlmostOptionDefault + socket = mkIf (cfg.phpfpmPool != null) ( + mkAlmostOptionDefault nixosConfig.services.phpfpm.pools.${cfg.phpfpmPool}.socket ); params = mapOptionDefaults { @@ -60,18 +61,24 @@ let extraConfig = let passHeadersConfig = map (header: "fastcgi_pass_header ${xvars.escapeString header};") passHeaders; paramsConfig = mapAttrsToList (param: value: mkJustAfter "fastcgi_param ${param} ${xvars.escapeString value};") params; - in mkIf cfg.enable (mkMerge ([ - (mkIf cfg.includeDefaults (mkAlmostBefore '' - include ${nginx.package}/conf/fastcgi.conf; - '')) - (mkIf (cfg.socket != null) (mkJustAfter '' - fastcgi_pass unix:${cfg.socket}; - '')) - ] ++ passHeadersConfig - ++ paramsConfig)); + in + mkIf cfg.enable (mkMerge ([ + (mkIf cfg.includeDefaults (mkAlmostBefore '' + include ${nginx.package}/conf/fastcgi.conf; + '')) + (mkIf (cfg.socket != null) (mkJustAfter '' + fastcgi_pass unix:${cfg.socket}; + '')) + ] + ++ passHeadersConfig + ++ paramsConfig)); }; }; - hostModule = {config, lib, ...}: let + hostModule = { + config, + lib, + ... + }: let inherit (lib.options) mkOption; in { options = with lib.types; { @@ -80,15 +87,13 @@ let }; }; }; -in { - lib, - ... -}: let - inherit (lib.options) mkOption; -in { - options = with lib.types; { - services.nginx.virtualHosts = mkOption { - type = attrsOf (submodule [hostModule]); +in + {lib, ...}: let + inherit (lib.options) mkOption; + in { + options = with lib.types; { + services.nginx.virtualHosts = mkOption { + type = attrsOf (submodule [hostModule]); + }; }; - }; -} + } diff --git a/modules/nixos/nginx/headers.nix b/modules/nixos/nginx/headers.nix index 8723e2ef..b28687fb 100644 --- a/modules/nixos/nginx/headers.nix 
+++ b/modules/nixos/nginx/headers.nix @@ -1,5 +1,12 @@ let - locationModule = { config, virtualHost, xvars, gensokyo-zone, lib, ... }: let + locationModule = { + config, + virtualHost, + xvars, + gensokyo-zone, + lib, + ... + }: let inherit (gensokyo-zone.lib) mapOptionDefaults; inherit (lib.options) mkOption; inherit (lib.modules) mkIf mkMerge mkAfter mkOptionDefault; @@ -13,25 +20,32 @@ let default = true; }; set = mkOption { - type = attrsOf (nullOr (oneOf [ str (listOf str) ])); + type = attrsOf (nullOr (oneOf [str (listOf str)])); }; }; config = let mkHeader = name: value: - if isList value then mkMerge (map (mkHeader name) value) + if isList value + then mkMerge (map (mkHeader name) value) else mkAfter "add_header ${name} ${xvars.escapeString value};"; setHeaders = mapAttrsToList (name: value: mkIf (value != null) (mkHeader name value)) cfg.set; in { headers = { set = mkMerge [ - (mkOptionDefault { }) + (mkOptionDefault {}) (mkIf cfg.inheritServerDefaults (mapOptionDefaults virtualHost.headers.set)) ]; }; extraConfig = mkMerge setHeaders; }; }; - hostModule = { config, nixosConfig, gensokyo-zone, lib, ... }: let + hostModule = { + config, + nixosConfig, + gensokyo-zone, + lib, + ... + }: let inherit (gensokyo-zone.lib) mapOptionDefaults; inherit (lib.options) mkOption; inherit (nixosConfig.services) nginx; @@ -39,12 +53,12 @@ let options = with lib.types; { headers = { set = mkOption { - type = attrsOf (nullOr (oneOf [ str (listOf str) ])); + type = attrsOf (nullOr (oneOf [str (listOf str)])); }; }; locations = mkOption { type = attrsOf (submoduleWith { - modules = [ locationModule ]; + modules = [locationModule]; shorthandOnlyDefinesConfig = true; }); }; 
@@ -55,22 +69,20 @@ let }; }; }; -in { - lib, - ... -}: let - inherit (lib.options) mkOption; -in { - options.services.nginx = with lib.types; { - headers = { - set = mkOption { - type = attrsOf (nullOr (oneOf [ str (listOf str) ])); - default = { +in + {lib, ...}: let + inherit (lib.options) mkOption; + in { + options.services.nginx = with lib.types; { + headers = { + set = mkOption { + type = attrsOf (nullOr (oneOf [str (listOf str)])); + default = { + }; }; }; + virtualHosts = mkOption { + type = attrsOf (submodule [hostModule]); + }; }; - virtualHosts = mkOption { - type = attrsOf (submodule [hostModule]); - }; - }; -} + } diff --git a/modules/nixos/nginx/listen.nix b/modules/nixos/nginx/listen.nix index 6390efaf..d583e098 100644 --- a/modules/nixos/nginx/listen.nix +++ b/modules/nixos/nginx/listen.nix @@ -10,11 +10,18 @@ inherit (lib.attrsets) attrValues mapAttrs; inherit (lib.lists) optional filter concatMap; inherit (config.services) nginx; - listenModule = { config, virtualHost, listenKind, ... }: { + listenModule = { + config, + virtualHost, + listenKind, + ... + }: { options = with lib.types; { - enable = mkEnableOption "this port" // { - default = true; - }; + enable = + mkEnableOption "this port" + // { + default = true; + }; addr = mkOption { type = nullOr str; default = null; @@ -34,7 +41,7 @@ }; extraParameters = mkOption { type = listOf str; - default = [ ]; + default = []; }; proxyProtocol = mkOption { type = bool; 
@@ -59,11 +66,13 @@ (mkIf (listenKind == "streamServer" && !config.ssl && virtualHost.ssl.enable && virtualHost.ssl.force != false) (mkForce false)) ]; port = mkIf (listenKind == "virtualHost") (mkOptionDefault ( - if config.ssl then nginx.defaultSSLListenPort else nginx.defaultHTTPListenPort + if config.ssl + then nginx.defaultSSLListenPort + else nginx.defaultHTTPListenPort )); addresses = mkMerge [ (mkOptionDefault virtualHost.listenAddresses') - (mkIf (config.addr != null) (mkAlmostOptionDefault [ config.addr ])) + (mkIf (config.addr != null) (mkAlmostOptionDefault [config.addr])) ]; listenParameters = mkOptionDefault ( optional config.ssl "ssl" 
@@ -74,26 +83,44 @@ ); listenConfigs = let # TODO: handle quic listener..? - mkListenHost = { addr, port }: let + mkListenHost = { + addr, + port, + }: let host = - if addr != null then "${mkAddress6 addr}:${toString port}" + if addr != null + then "${mkAddress6 addr}:${toString port}" else toString port; - in assert port != null; host; + in + assert port != null; host; mkDirective = addr: let - host = mkListenHost { inherit addr; inherit (config) port; }; - in mkMerge ( - [ (mkBefore host) ] - ++ config.listenParameters - ); - in mkOptionDefault (map (mkDirective) config.addresses); + host = mkListenHost { + inherit addr; + inherit (config) port; + }; + in + mkMerge ( + [(mkBefore host)] + ++ config.listenParameters + ); + in + mkOptionDefault (map mkDirective config.addresses); listenDirectives = mkMerge (map (conf: mkOptionDefault "listen ${conf};") config.listenConfigs); }; }; - listenType = { specialArgs, modules ? [ ] }: lib.types.submoduleWith { - inherit specialArgs; - modules = [ listenModule ] ++ modules; - }; - hostModule = { nixosConfig, config, ... }: let + listenType = { + specialArgs, + modules ? [], + }: + lib.types.submoduleWith { + inherit specialArgs; + modules = [listenModule] ++ modules; + }; + hostModule = { + nixosConfig, + config, + ... + }: let cfg = attrValues config.listen'; enabledCfg = filter (port: port.enable) cfg; mkListen = listen: addr: let @@ -101,7 +128,8 @@ inherit addr; inherit (listen) port ssl extraParameters proxyProtocol; }; - in mapAttrs (_: mkAlmostOptionDefault) listenAttrs; + in + mapAttrs (_: mkAlmostOptionDefault) listenAttrs; mkListens = listen: map (mkListen listen) listen.addresses; in { options = with lib.types; { @@ -113,7 +141,7 @@ listenKind = "virtualHost"; }; }); - default = { }; + default = {}; }; listenAddresses' = mkOption { type = listOf str; 
@@ -122,16 +150,22 @@ }; config = { - enable = mkIf (cfg != [ ] && enabledCfg == [ ]) (mkForce false); + enable = mkIf (cfg != [] && enabledCfg == []) (mkForce false); listenAddresses' = mkOptionDefault ( - if config.listenAddresses != [ ] then config.listenAddresses else nginx.defaultListenAddresses + if config.listenAddresses != [] + then config.listenAddresses + else nginx.defaultListenAddresses ); - listen = mkIf (cfg != { }) (mkAlmostOptionDefault ( - concatMap (mkListens) enabledCfg + listen = mkIf (cfg != {}) (mkAlmostOptionDefault ( + concatMap mkListens enabledCfg )); }; }; - streamServerModule = { nixosConfig, config, ... }: let + streamServerModule = { + nixosConfig, + config, + ... + }: let enabledListen = filter (port: port.enable) (attrValues config.listen); in { options = with lib.types; { @@ -144,7 +178,7 @@ listenKind = "streamServer"; }; }); - default = { }; + default = {}; }; listenAddresses = mkOption { type = nullOr (listOf str); @@ -163,11 +197,13 @@ }; config = { - enable = mkIf (config.listen != { } && enabledListen == [ ]) (mkForce false); + enable = mkIf (config.listen != {} && enabledListen == []) (mkForce false); listenAddresses' = mkOptionDefault ( - if config.listenAddresses != null then config.listenAddresses else nginx.defaultListenAddresses + if config.listenAddresses != null + then config.listenAddresses + else nginx.defaultListenAddresses ); - streamConfig = mkIf (config.listen != { }) (mkMerge ( + streamConfig = mkIf (config.listen != {}) (mkMerge ( map (listen: mkBefore listen.listenDirectives) enabledListen )); }; @@ -176,13 +212,13 @@ in { options.services.nginx = with lib.types; { virtualHosts = mkOption { type = attrsOf (submoduleWith { - modules = [ hostModule ]; + modules = [hostModule]; shorthandOnlyDefinesConfig = true; }); }; stream.servers = mkOption { type = attrsOf (submoduleWith { - modules = [ streamServerModule ]; + modules = [streamServerModule]; shorthandOnlyDefinesConfig = false; }); }; 
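Review bot: In the `@@ -122,16 +150,22 @@` hunk, `listen = mkIf (cfg != {}) (mkAlmostOptionDefault (` compares a list (`cfg = attrValues config.listen'`) against an empty attribute set, so the condition is always true and the almost-default is applied even when no `listen'` entries exist, yielding `listen = []` at that priority on every virtual host. The sibling line just above it uses `cfg != []`, which is almost certainly what was meant here: `listen = mkIf (cfg != []) (mkAlmostOptionDefault (`. Whether an empty almost-default actually displaces nginx's own listen default depends on the priority `mkAlmostOptionDefault` assigns, which is defined outside this file.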
diff --git a/modules/nixos/nginx/local.nix b/modules/nixos/nginx/local.nix
index 19540252..ea0f0c74 100644
--- a/modules/nixos/nginx/local.nix
+++ b/modules/nixos/nginx/local.nix
@@ -8,55 +8,62 @@ inherit (lib.strings) concatMapStringsSep optionalString; inherit (config.services) tailscale; inherit (config.networking.access) cidrForNetwork localaddrs; - mkAddrVar = remoteAddr: varPrefix: '' - set ${varPrefix}tailscale 0; - '' + optionalString tailscale.enable '' - if (${remoteAddr} ~ "^fd7a:115c:a1e0:(:|ab12:)") { - set ${varPrefix}tailscale 1; - } - if (${remoteAddr} ~ "^100\.(6[4-9]|([7-9]|1[01])[0-9]|12[0-7])\.[0-9]+\.[0-9]+") { - set ${varPrefix}tailscale 1; - } - '' + '' - set ${varPrefix}lan 0; - if (${remoteAddr} ~ "^10\.1\.1\.[0-9]+") { - set ${varPrefix}lan 1; - } - if (${remoteAddr} ~ "^fd0a::") { - set ${varPrefix}lan 1; - } - if (${remoteAddr} ~ "^fe80::") { - set ${varPrefix}lan 1; - } - set ${varPrefix}int 0; - if (${remoteAddr} ~ "^10\.9\.1\.[0-9]+") { - set ${varPrefix}lan 1; - } - if (${remoteAddr} ~ "^fd0c::") { - set ${varPrefix}int 1; - } - set ${varPrefix}localhost 0; - if (${remoteAddr} = "::1") { - set ${varPrefix}localhost 1; - } - if (${remoteAddr} ~ "127\.0\.0\.[0-9]+") { - set ${varPrefix}localhost 1; - } - set ${varPrefix}client 0; - if (${varPrefix}tailscale) { - set ${varPrefix}client 1; - } - if (${varPrefix}lan) { - set ${varPrefix}client 1; - } - if (${varPrefix}int) { - set ${varPrefix}client 1; - } - if (${varPrefix}localhost) { - set ${varPrefix}client 1; - } - ''; - localModule = {config, xvars, ...}: let + mkAddrVar = remoteAddr: varPrefix: + '' + set ${varPrefix}tailscale 0; + '' + + optionalString tailscale.enable '' + if (${remoteAddr} ~ "^fd7a:115c:a1e0:(:|ab12:)") { + set ${varPrefix}tailscale 1; + } + if (${remoteAddr} ~ "^100\.(6[4-9]|([7-9]|1[01])[0-9]|12[0-7])\.[0-9]+\.[0-9]+") { + set ${varPrefix}tailscale 1; + } + '' + + '' + set ${varPrefix}lan 0; + if (${remoteAddr} ~ "^10\.1\.1\.[0-9]+") { + set ${varPrefix}lan 1; + } + if (${remoteAddr} ~ "^fd0a::") { + set ${varPrefix}lan 1; + } + if (${remoteAddr} ~ "^fe80::") { + set ${varPrefix}lan 1; + } + set ${varPrefix}int 0; + if (${remoteAddr} ~ 
"^10\.9\.1\.[0-9]+") { + set ${varPrefix}lan 1; + } + if (${remoteAddr} ~ "^fd0c::") { + set ${varPrefix}int 1; + } + set ${varPrefix}localhost 0; + if (${remoteAddr} = "::1") { + set ${varPrefix}localhost 1; + } + if (${remoteAddr} ~ "127\.0\.0\.[0-9]+") { + set ${varPrefix}localhost 1; + } + set ${varPrefix}client 0; + if (${varPrefix}tailscale) { + set ${varPrefix}client 1; + } + if (${varPrefix}lan) { + set ${varPrefix}client 1; + } + if (${varPrefix}int) { + set ${varPrefix}client 1; + } + if (${varPrefix}localhost) { + set ${varPrefix}client 1; + } + ''; + localModule = { + config, + xvars, + ... + }: let cfg = config.local; in { options.local = with lib.types; { @@ -97,11 +104,12 @@ ${allows} deny all; ''; - in mkMerge [ - (mkIf cfg.emitDenyGlobal (mkBefore allowDirectives)) - (mkIf cfg.emitVars (mkBefore (mkAddrVar "$remote_addr" "$local_"))) - (mkIf (cfg.emitVars && config.xvars.enable) (mkBefore (mkAddrVar (xvars.remote_addr.get) "$x_local_"))) - ]; + in + mkMerge [ + (mkIf cfg.emitDenyGlobal (mkBefore allowDirectives)) + (mkIf cfg.emitVars (mkBefore (mkAddrVar "$remote_addr" "$local_"))) + (mkIf (cfg.emitVars && config.xvars.enable) (mkBefore (mkAddrVar (xvars.remote_addr.get) "$x_local_"))) + ]; }; }; locationModule = { diff --git a/modules/nixos/nginx/lua.nix b/modules/nixos/nginx/lua.nix index 41a7334a..5a9a72fd 100644 --- a/modules/nixos/nginx/lua.nix +++ b/modules/nixos/nginx/lua.nix @@ -1,4 +1,9 @@ -{pkgs, config, lib, ...}: let +{ + pkgs, + config, + lib, + ... +}: let inherit (lib.options) mkOption mkEnableOption; inherit (lib.modules) mkIf mkMerge mkAfter mkOptionDefault; inherit (lib.strings) hasPrefix; @@ -10,7 +15,8 @@ luaModule = {config, ...}: let cfg = config.lua; mkSetBy = var: value: - if hasPrefix "/" "${value}" then "set_by_lua_file \$${var} ${value};" + if hasPrefix "/" "${value}" + then "set_by_lua_file \$${var} ${value};" else '' set_by_lua_block ''$${var} { ${value} 
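Review bot: In the `@@ -8,55 +8,62 @@` hunk, the `${varPrefix}int` section of `mkAddrVar` sets the wrong variable: `if (${remoteAddr} ~ "^10\.9\.1\.[0-9]+") { set ${varPrefix}lan 1; }` should set `${varPrefix}int 1`, so the IPv4 range never marks a client as internal (the `${varPrefix}client` aggregate still ends up 1, but any rule keyed on `int` alone misses it). The loopback check `if (${remoteAddr} ~ "127\.0\.0\.[0-9]+")` is also the only pattern without a `^` anchor, unlike its IPv4 neighbours; if that is deliberate (say, to also match IPv4-mapped IPv6 forms) a short comment would save the next reader the question, otherwise `"^127\.0\.0\.[0-9]+"` keeps the checks consistent. The same snippet is emitted a second time with `xvars.remote_addr.get` as the address, so that variant's classification is only as reliable as whatever sets that value, which lives outside this file. Both points predate the reformat.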
@@ -25,12 +31,12 @@ }; files = mkOption { type = listOf path; - default = [ ]; + default = []; }; }; set = mkOption { type = attrsOf (either path lines); - default = { }; + default = {}; }; }; config = { @@ -40,25 +46,27 @@ ${cfg.access.block} } '')) - (mkIf (cfg.access.files != [ ]) (assert lua.http.enable; mkMerge ( - map (file: "access_by_lua_file ${file};") cfg.access.files - ))) - (mkIf (cfg.set != { }) (assert lua.http.enable && lua.ndk.enable; mkMerge ( - mapAttrsToList mkSetBy cfg.set - ))) + (mkIf (cfg.access.files != []) (assert lua.http.enable; + mkMerge ( + map (file: "access_by_lua_file ${file};") cfg.access.files + ))) + (mkIf (cfg.set != {}) (assert lua.http.enable && lua.ndk.enable; + mkMerge ( + mapAttrsToList mkSetBy cfg.set + ))) ]; }; }; locationModule = {config, ...}: { - imports = [ luaModule ]; + imports = [luaModule]; }; hostModule = {config, ...}: { - imports = [ luaModule ]; + imports = [luaModule]; options = with lib.types; { locations = mkOption { type = attrsOf (submoduleWith { - modules = [ locationModule ]; + modules = [locationModule]; shorthandOnlyDefinesConfig = true; }); }; @@ -84,7 +92,7 @@ in { }; virtualHosts = mkOption { type = attrsOf (submoduleWith { - modules = [ hostModule ]; + modules = [hostModule]; shorthandOnlyDefinesConfig = true; }); }; 
@@ -92,18 +100,20 @@ in {
 config = {
 services.nginx = {
 lua = {
- modules = [
- cfg.luaPackage.pkgs.lua-resty-core
- ] ++ cfg.luaPackage.pkgs.lua-resty-core.propagatedBuildInputs;
+ modules =
+ [
+ cfg.luaPackage.pkgs.lua-resty-core
+ ]
+ ++ cfg.luaPackage.pkgs.lua-resty-core.propagatedBuildInputs;
 luaPath = mkMerge (
 map luaPkgPath cfg.modules
- ++ [ (mkAfter ";") ]
+ ++ [(mkAfter ";")]
 );
 };
 additionalModules = mkMerge [
- (mkIf cfg.ndk.enable [ pkgs.nginxModules.develkit ])
- (mkIf cfg.http.enable [ pkgs.nginxModules.lua ])
- (mkIf cfg.upstream.enable [ pkgs.nginxModules.lua-upstream ])
+ (mkIf cfg.ndk.enable [pkgs.nginxModules.develkit])
+ (mkIf cfg.http.enable [pkgs.nginxModules.lua])
+ (mkIf cfg.upstream.enable [pkgs.nginxModules.lua-upstream])
 ];
 };
 systemd.services.nginx = mkIf config.services.nginx.enable {
diff --git a/modules/nixos/nginx/name.nix b/modules/nixos/nginx/name.nix
index da342dca..07fd80ce 100644
--- a/modules/nixos/nginx/name.nix
+++ b/modules/nixos/nginx/name.nix
@@ -46,18 +46,21 @@
 config = {
 name = {
 qualifier = mkOptionDefault (
- if config.local.enable then "local"
+ if config.local.enable
+ then "local"
 else null
 );
 includeTailscale = mkOptionDefault (
 config.local.enable && tailscale.enable && cfg.qualifier != "tail"
 );
 localName = mkOptionDefault (
- if cfg.includeLocal then "${cfg.shortServer}.local.${networking.domain}"
+ if cfg.includeLocal
+ then "${cfg.shortServer}.local.${networking.domain}"
 else null
 );
 tailscaleName = mkOptionDefault (
- if cfg.includeTailscale then "${cfg.shortServer}.tail.${networking.domain}"
+ if cfg.includeTailscale
+ then "${cfg.shortServer}.tail.${networking.domain}"
 else null
 );
 };
@@ -71,7 +74,7 @@
 (mkIf (cfg.tailscaleName != null) cfg.tailscaleName)
 ]);
 allServerNames = mkOptionDefault (filter (name: ! hasPrefix "@" name) (
- [ config.serverName ] ++ config.serverAliases
+ [config.serverName] ++ config.serverAliases
 ));
 otherServerNames = mkOptionDefault (filter (name: ! hasPrefix "@" name) (
 config.serverAliases
diff --git a/modules/nixos/nginx/preread.nix b/modules/nixos/nginx/preread.nix
index e76f4d73..916f8454 100644
--- a/modules/nixos/nginx/preread.nix
+++ b/modules/nixos/nginx/preread.nix
@@ -1,5 +1,12 @@
 let
- serverModule = {config, nixosConfig, name, gensokyo-zone, lib, ...}: let
+ serverModule = {
+ config,
+ nixosConfig,
+ name,
+ gensokyo-zone,
+ lib,
+ ...
+ }: let
 inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
 inherit (lib.options) mkOption mkEnableOption;
 inherit (lib.modules) mkIf mkBefore mkOptionDefault;
@@ -13,7 +20,7 @@ let
 enable = mkEnableOption "ngx_stream_ssl_preread_module";
 upstream = mkOption {
 type = str;
- default = "$preread_" + replaceStrings [ "'" ] [ "_" ] name;
+ default = "$preread_" + replaceStrings ["'"] ["_"] name;
 };
 upstreams = mkOption {
 type = nullOr (attrsOf str);
@@ -25,9 +32,10 @@ let
 config = let
 inherit (nginx.stream) upstreams;
 mkUpstream = host: upstream: "${host} ${upstreams.${upstream}.name};";
- upstreams' = removeAttrs cfg.upstreams [ "default" ];
- upstreamLines = mapAttrsToList mkUpstream upstreams'
- ++ optional (cfg.upstreams ? default) (mkUpstream "default" cfg.upstreams.default);
+ upstreams' = removeAttrs cfg.upstreams ["default"];
+ upstreamLines =
+ mapAttrsToList mkUpstream upstreams'
+ ++ optional (cfg.upstreams ? default) (mkUpstream "default" cfg.upstreams.default);
 in {
 ssl.preread = {
 streamConfig = mkIf (cfg.upstreams != null) ''
@@ -46,59 +54,65 @@ let serverBlock = mkIf cfg.enable (mkOptionDefault (mkBefore cfg.streamConfig)); }; }; -in {config, gensokyo-zone, lib, ...}: let - inherit (gensokyo-zone.lib) mkAlmostOptionDefault; - inherit (lib.options) mkOption mkEnableOption; - inherit (lib.modules) mkIf mkDefault mkOptionDefault; - cfg = config.services.nginx.ssl.preread; -in { - options.services.nginx = with lib.types; { - ssl.preread = { - enable = mkEnableOption "ssl preread"; - listenPort = mkOption { - type = port; - default = 444; - }; - serverPort = mkOption { - type = port; - default = 443; - }; - serverName = mkOption { - type = str; - default = "preread'https"; - }; - upstreamName = mkOption { - type = str; - default = "preread'nginx"; - }; - }; - stream.servers = mkOption { - type = attrsOf (submoduleWith { - modules = [serverModule]; - shorthandOnlyDefinesConfig = false; - }); - }; - }; - config = { - services.nginx = { - defaultSSLListenPort = mkIf cfg.enable cfg.listenPort; - stream = { - upstreams.${cfg.upstreamName} = mkIf cfg.enable { - ssl.enable = true; - servers.access = { - addr = mkDefault "localhost"; - port = mkOptionDefault cfg.listenPort; - }; +in + { + config, + gensokyo-zone, + lib, + ... 
+ }: let + inherit (gensokyo-zone.lib) mkAlmostOptionDefault; + inherit (lib.options) mkOption mkEnableOption; + inherit (lib.modules) mkIf mkDefault mkOptionDefault; + cfg = config.services.nginx.ssl.preread; + in { + options.services.nginx = with lib.types; { + ssl.preread = { + enable = mkEnableOption "ssl preread"; + listenPort = mkOption { + type = port; + default = 444; }; - servers.${cfg.serverName} = { - enable = mkIf (!cfg.enable) (mkAlmostOptionDefault false); - listen.https.port = cfg.serverPort; - ssl.preread = { - enable = true; - upstreams.default = mkOptionDefault cfg.upstreamName; + serverPort = mkOption { + type = port; + default = 443; + }; + serverName = mkOption { + type = str; + default = "preread'https"; + }; + upstreamName = mkOption { + type = str; + default = "preread'nginx"; + }; + }; + stream.servers = mkOption { + type = attrsOf (submoduleWith { + modules = [serverModule]; + shorthandOnlyDefinesConfig = false; + }); + }; + }; + config = { + services.nginx = { + defaultSSLListenPort = mkIf cfg.enable cfg.listenPort; + stream = { + upstreams.${cfg.upstreamName} = mkIf cfg.enable { + ssl.enable = true; + servers.access = { + addr = mkDefault "localhost"; + port = mkOptionDefault cfg.listenPort; + }; + }; + servers.${cfg.serverName} = { + enable = mkIf (!cfg.enable) (mkAlmostOptionDefault false); + listen.https.port = cfg.serverPort; + ssl.preread = { + enable = true; + upstreams.default = mkOptionDefault cfg.upstreamName; + }; }; }; }; }; - }; -} + } diff --git a/modules/nixos/nginx/proxied.nix b/modules/nixos/nginx/proxied.nix index 5d0e9281..abb1740a 100644 --- a/modules/nixos/nginx/proxied.nix +++ b/modules/nixos/nginx/proxied.nix @@ -1,5 +1,5 @@ let - xHeadersProxied = { xvars }: '' + xHeadersProxied = {xvars}: '' ${xvars.init "forwarded_for" "$proxy_add_x_forwarded_for"} if ($http_x_forwarded_proto) { ${xvars.init "scheme" "$http_x_forwarded_proto"} 
@@ -18,7 +18,14 @@ let
 ${xvars.init "forwarded_server" "$http_x_forwarded_server"}
 }
 '';
- locationModule = { config, virtualHost, xvars, gensokyo-zone, lib, ... }: let
+ locationModule = {
+ config,
+ virtualHost,
+ xvars,
+ gensokyo-zone,
+ lib,
+ ...
+ }: let
 inherit (gensokyo-zone.lib) mkJustBefore mkAlmostOptionDefault;
 inherit (lib.options) mkOption;
 inherit (lib.modules) mkIf mkMerge mkOptionDefault;
@@ -27,7 +34,7 @@ let
 options = with lib.types; {
 proxied = {
 enable = mkOption {
- type = enum [ false true "cloudflared" ];
+ type = enum [false true "cloudflared"];
 default = false;
 };
 enabled = mkOption {
@@ -60,12 +67,19 @@ let
 xvars.enable = mkIf cfg.enabled true;
 extraConfig = mkMerge [
 (mkIf emitVars (
- mkJustBefore (xHeadersProxied { inherit xvars; })
+ mkJustBefore (xHeadersProxied {inherit xvars;})
 ))
 ];
 };
 };
- hostModule = { config, nixosConfig, xvars, gensokyo-zone, lib, ... }: let
+ hostModule = {
+ config,
+ nixosConfig,
+ xvars,
+ gensokyo-zone,
+ lib,
+ ...
+ }: let
 inherit (gensokyo-zone.lib) mkAlmostOptionDefault orderJustBefore unmerged;
 inherit (lib.options) mkOption;
 inherit (lib.modules) mkIf mkOrder mkDefault;
@@ -75,7 +89,7 @@ let
 options = with lib.types; {
 proxied = {
 enable = mkOption {
- type = enum [ false true "cloudflared" ];
+ type = enum [false true "cloudflared"];
 default = false;
 };
 enabled = mkOption {
@@ -93,7 +107,7 @@ let
 };
 locations = mkOption {
 type = attrsOf (submoduleWith {
- modules = [ locationModule ];
+ modules = [locationModule];
 shorthandOnlyDefinesConfig = true;
 });
 };
@@ -105,14 +119,23 @@ let
 proxied = {
 cloudflared = let
 listen = config.listen'.proxied;
- scheme = if listen.ssl then "https" else "http";
- in mkIf (cfg.enable == "cloudflared") {
- ingressSettings.${config.serverName} = {
- service = "${scheme}://localhost:${toString listen.port}";
- originRequest.${if scheme == "https" then "noTLSVerify" else null} = true;
+ scheme =
+ if listen.ssl
+ then "https"
+ else "http";
+ in
+ mkIf (cfg.enable == "cloudflared") {
+ ingressSettings.${config.serverName} = {
+ service = "${scheme}://localhost:${toString listen.port}";
+ originRequest.${
+ if scheme == "https"
+ then "noTLSVerify"
+ else null
+ } =
+ true;
+ };
+ getIngress = {}: unmerged.mergeAttrs cfg.cloudflared.ingressSettings;
 };
- getIngress = {}: unmerged.mergeAttrs cfg.cloudflared.ingressSettings;
- };
 };
 xvars.enable = mkIf cfg.enabled true;
 local.denyGlobal = mkIf listenProxied (mkDefault true);
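Review bot: `originRequest.noTLSVerify = true` is emitted for every `https` cloudflared ingress entry with no comment on why origin certificate verification is disabled; the only visible justification is that `service` always points at `localhost:${toString listen.port}`, so presumably the local listener's certificate is not issued for `localhost`. A one-line comment above `originRequest.${` would keep the setting from being copied to a non-local origin, e.g. `# origin is this host's own listener on localhost; its certificate will not match, so cloudflared skips verification`. The surrounding `hostModule` config block starts before this hunk.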
@@ -123,74 +146,75 @@ let }; }; extraConfig = mkIf (cfg.enabled && config.xvars.enable) ( - mkOrder (orderJustBefore + 25) (xHeadersProxied { inherit xvars; }) + mkOrder (orderJustBefore + 25) (xHeadersProxied {inherit xvars;}) ); }; }; -in { - config, - system, - gensokyo-zone, - lib, - ... -}: let - inherit (gensokyo-zone.lib) mkAlmostOptionDefault; - inherit (lib.options) mkOption mkEnableOption; - inherit (lib.modules) mkIf mkOptionDefault; - inherit (lib.attrsets) attrValues; - inherit (lib.lists) any; - inherit (config.services) nginx; - cfg = nginx.proxied; -in { - options.services.nginx = with lib.types; { - proxied = { - enable = mkEnableOption "proxy"; - listenAddr = mkOption { - type = str; - default = "[::]"; +in + { + config, + system, + gensokyo-zone, + lib, + ... + }: let + inherit (gensokyo-zone.lib) mkAlmostOptionDefault; + inherit (lib.options) mkOption mkEnableOption; + inherit (lib.modules) mkIf mkOptionDefault; + inherit (lib.attrsets) attrValues; + inherit (lib.lists) any; + inherit (config.services) nginx; + cfg = nginx.proxied; + in { + options.services.nginx = with lib.types; { + proxied = { + enable = mkEnableOption "proxy"; + listenAddr = mkOption { + type = str; + default = "[::]"; + }; + listenPort = mkOption { + type = port; + default = 9080; + }; }; - listenPort = mkOption { - type = port; - default = 9080; + virtualHosts = mkOption { + type = attrsOf (submodule [hostModule]); }; }; - virtualHosts = mkOption { - type = attrsOf (submodule [hostModule]); - }; - }; - config = { - services.nginx = let - warnEnable = lib.warnIf (cfg.enable != hasProxiedHosts) "services.nginx.proxied.enable expected to be set"; - hasProxiedHosts = any (virtualHost: virtualHost.enable && virtualHost.proxied.enabled) (attrValues nginx.virtualHosts); - in { - upstreams' = { - nginx'proxied = mkIf (warnEnable cfg.enable) { - servers.local = { - accessService = { - system = system.name; - name = "nginx"; - port = "proxied"; + config = { + services.nginx = let + 
warnEnable = lib.warnIf (cfg.enable != hasProxiedHosts) "services.nginx.proxied.enable expected to be set"; + hasProxiedHosts = any (virtualHost: virtualHost.enable && virtualHost.proxied.enabled) (attrValues nginx.virtualHosts); + in { + upstreams' = { + nginx'proxied = mkIf (warnEnable cfg.enable) { + servers.local = { + accessService = { + system = system.name; + name = "nginx"; + port = "proxied"; + }; }; }; }; - }; - virtualHosts = { - fallback'proxied = mkIf cfg.enable { - serverName = null; - reuseport = mkAlmostOptionDefault true; - default = mkAlmostOptionDefault true; - listen'.proxied = { - addr = mkAlmostOptionDefault cfg.listenAddr; - port = mkAlmostOptionDefault cfg.listenPort; + virtualHosts = { + fallback'proxied = mkIf cfg.enable { + serverName = null; + reuseport = mkAlmostOptionDefault true; + default = mkAlmostOptionDefault true; + listen'.proxied = { + addr = mkAlmostOptionDefault cfg.listenAddr; + port = mkAlmostOptionDefault cfg.listenPort; + }; + locations."/".extraConfig = mkAlmostOptionDefault '' + return 502; + ''; }; - locations."/".extraConfig = mkAlmostOptionDefault '' - return 502; - ''; }; }; + networking.firewall.interfaces.lan = mkIf nginx.enable { + allowedTCPPorts = mkIf cfg.enable [cfg.listenPort]; + }; }; - networking.firewall.interfaces.lan = mkIf nginx.enable { - allowedTCPPorts = mkIf cfg.enable [ cfg.listenPort ]; - }; - }; -} + } diff --git a/modules/nixos/nginx/proxy.nix b/modules/nixos/nginx/proxy.nix index c4741ed6..a46232a1 100644 --- a/modules/nixos/nginx/proxy.nix +++ b/modules/nixos/nginx/proxy.nix @@ -1,5 +1,12 @@ let - proxyModule = {config, name, options, gensokyo-zone, lib, ...}: let + proxyModule = { + config, + name, + options, + gensokyo-zone, + lib, + ... + }: let inherit (lib.options) mkOption mkEnableOption; inherit (lib.modules) mkIf mkMerge mkAfter mkOptionDefault; inherit (lib.strings) optionalString; 
@@ -32,21 +39,38 @@ let
 ]);
 };
 };
- serverModule = {config, name, options, gensokyo-zone, lib, ...}: let
+ serverModule = {
+ config,
+ name,
+ options,
+ gensokyo-zone,
+ lib,
+ ...
+ }: let
 inherit (lib.modules) mkIf mkAfter;
 cfg = config.proxy;
 in {
- imports = [ proxyModule ];
+ imports = [proxyModule];
 config = let
 warnProxy = lib.warnIf (!cfg.enable && options.proxy.url.isDefined) "nginx.stream.servers.${name}.proxy.url set without proxy.enable";
 in {
- streamConfig = warnProxy (mkIf cfg.enable (mkAfter
+ streamConfig = warnProxy (mkIf cfg.enable (
+ mkAfter
 "proxy_pass ${cfg.url};"
 ));
 };
 };
- locationModule = { config, nixosConfig, name, virtualHost, xvars, gensokyo-zone, lib, ... }: let
+ locationModule = {
+ config,
+ nixosConfig,
+ name,
+ virtualHost,
+ xvars,
+ gensokyo-zone,
+ lib,
+ ...
+ }: let
 inherit (gensokyo-zone.lib) mkJustBefore mkJustAfter mkAlmostOptionDefault mapOptionDefaults coalesce parseUrl;
 inherit (lib.options) mkOption mkEnableOption;
 inherit (lib.modules) mkIf mkMerge mkBefore mkOptionDefault;
@@ -57,7 +81,7 @@ let
 inherit (nixosConfig.services) nginx;
 cfg = config.proxy;
 in {
- imports = [ proxyModule ];
+ imports = [proxyModule];
 options = with lib.types; {
 proxy = {
@@ -75,9 +99,11 @@ let
 host = mkOption {
 type = nullOr str;
 };
- websocket.enable = mkEnableOption "websocket proxy" // {
- default = cfg.inheritServerDefaults && virtualHost.proxy.websocket.enable;
- };
+ websocket.enable =
+ mkEnableOption "websocket proxy"
+ // {
+ default = cfg.inheritServerDefaults && virtualHost.proxy.websocket.enable;
+ };
 parsed = {
 scheme = mkOption {
 type = nullOr str;
@@ -94,7 +120,7 @@ let
 };
 headers = {
 enableRecommended = mkOption {
- type = enum [ true false "nixpkgs" ];
+ type = enum [true false "nixpkgs"];
 };
 rewriteReferer.enable = mkEnableOption "rewrite referer host";
 set = mkOption {
@@ -102,7 +128,7 @@ let
 };
 hide = mkOption {
 type = attrsOf bool;
- default = { };
+ default = {};
 };
 };
 redirect = {
@@ -121,7 +147,7 @@ let
 };
 };
 config = let
- emitHeaders = setHeaders' != { };
+ emitHeaders = setHeaders' != {};
 url = parseUrl config.proxyPass;
 upstream = nginx.upstreams'.${cfg.upstream};
 upstreamServer = upstream.servers.${upstream.defaultServerName};
@@ -129,7 +155,10 @@ let
 hasUpstream = cfg.upstream != null && !dynamicUpstream;
 hasUpstreamServer = upstream.defaultServerName != null;
 recommendedHeaders = {
- Host = if cfg.host == null then xvars.get.proxy_hostport else cfg.host;
+ Host =
+ if cfg.host == null
+ then xvars.get.proxy_hostport
+ else cfg.host;
 Referer = xvars.get.referer;
 X-Real-IP = xvars.get.remote_addr;
 X-Forwarded-For = xvars.get.forwarded_for;
@@ -137,12 +166,15 @@ let
 X-Forwarded-Host = xvars.get.host;
 X-Forwarded-Server = xvars.get.forwarded_server;
 };
- schemePort = {
- http = 80;
- https = 443;
- }.${cfg.parsed.scheme} or (throw "unsupported proxy_scheme ${toString cfg.parsed.scheme}");
- upstreamHost = coalesce ([ upstream.host ] ++ optional hasUpstreamServer upstreamServer.addr);
- port = coalesce [ cfg.parsed.port schemePort ];
+ schemePort =
+ {
+ http = 80;
+ https = 443;
+ }
+ .${cfg.parsed.scheme}
+ or (throw "unsupported proxy_scheme ${toString cfg.parsed.scheme}");
+ upstreamHost = coalesce ([upstream.host] ++ optional hasUpstreamServer upstreamServer.addr);
+ port = coalesce [cfg.parsed.port schemePort];
 hostport = cfg.parsed.host + optionalString (port != schemePort) ":${toString port}";
 initProxyVars = let
 initScheme = xvars.init "proxy_scheme" config.xvars.defaults.proxy_scheme;
@@ -174,8 +206,12 @@ let
 ${xvars.init "proxy_hostport" xvars.get.proxy_host}
 }
 '';
- init = if cfg.upstream != null then initUpstream else initDynamic;
- in init;
+ init =
+ if cfg.upstream != null
+ then initUpstream
+ else initDynamic;
+ in
+ init;
 hostHeader = coalesce [
 cfg.headers.set.Host or null
 cfg.host
@@ -191,8 +227,9 @@ let
 '';
 setHeaders' = filterAttrs (_: header: header != null) cfg.headers.set;
 setHeaders = concatStringsSep "\n" (mapAttrsToList (
- name: value: "proxy_set_header ${name} ${xvars.escapeString value};"
- ) setHeaders');
+ name: value: "proxy_set_header ${name} ${xvars.escapeString value};"
+ )
+ setHeaders');
 hideHeaders = mapAttrsToList (header: hide: mkIf hide "proxy_hide_header ${xvars.escapeString header};") cfg.headers.hide;
 in {
 xvars = {
@@ -210,12 +247,16 @@ let
 url = mkIf (cfg.inheritServerDefaults && virtualHost.proxy.url != null) (mkOptionDefault virtualHost.proxy.url);
 headers = {
 enableRecommended = mkOptionDefault (
- if cfg.enable && (!cfg.inheritServerDefaults || virtualHost.proxy.headers.enableRecommended != false) then true
- else if cfg.inheritServerDefaults then virtualHost.proxy.headers.enableRecommended
- else if nginx.recommendedProxySettings then "nixpkgs" else false
+ if cfg.enable && (!cfg.inheritServerDefaults || virtualHost.proxy.headers.enableRecommended != false)
+ then true
+ else if cfg.inheritServerDefaults
+ then virtualHost.proxy.headers.enableRecommended
+ else if nginx.recommendedProxySettings
+ then "nixpkgs"
+ else false
 );
 set = mkMerge [
- (mkOptionDefault { })
+ (mkOptionDefault {})
 (mkIf (cfg.headers.enableRecommended == true) (mapOptionDefaults recommendedHeaders))
 (mkIf (cfg.host != null) {
 Host = mkIf (cfg.headers.enableRecommended != "nixpkgs") (mkAlmostOptionDefault cfg.host);
@@ -230,8 +271,10 @@ let
 ];
 };
 host = mkOptionDefault (
- if cfg.inheritServerDefaults && virtualHost.proxy.host != null then virtualHost.proxy.host
- else if cfg.headers.enableRecommended == false then null
+ if cfg.inheritServerDefaults && virtualHost.proxy.host != null
+ then virtualHost.proxy.host
+ else if cfg.headers.enableRecommended == false
+ then null
 else xvars.get.host
 );
 parsed = {
@@ -242,11 +285,13 @@ let
 mapNullable (_: url.path) config.proxyPass
 );
 host = mkOptionDefault (
- if hasUpstream then assert url.host == upstream.name; upstreamHost
+ if hasUpstream
+ then assert url.host == upstream.name; upstreamHost
 else mapNullable (_: url.host) config.proxyPass
 );
 port = mkOptionDefault (
- if hasUpstream && hasUpstreamServer && url.port == null then assert url.host == upstream.name; upstreamServer.port
+ if hasUpstream && hasUpstreamServer && url.port == null
+ then assert url.host == upstream.name; upstreamServer.port
 else mapNullable (_: url.port) config.proxyPass
 );
 };
@@ -254,15 +299,22 @@ let
 proxyPass = mkIf cfg.enable (mkAlmostOptionDefault (removeSuffix "/" cfg.url + cfg.path));
 recommendedProxySettings = mkAlmostOptionDefault (cfg.headers.enableRecommended == "nixpkgs");
 extraConfig = mkIf cfg.enabled (mkMerge ([
- (mkIf virtualHost.xvars.enable (mkJustBefore initProxyVars))
- (mkIf (cfg.headers.rewriteReferer.enable) (mkJustBefore rewriteReferer))
- (mkIf (cfg.redirect.enable) (mkBefore redirect))
- (mkIf (emitHeaders) (mkJustAfter setHeaders))
- (mkIf cfg.websocket.enable "proxy_cache_bypass $http_upgrade;")
- ] ++ hideHeaders));
+ (mkIf virtualHost.xvars.enable (mkJustBefore initProxyVars))
+ (mkIf (cfg.headers.rewriteReferer.enable) (mkJustBefore rewriteReferer))
+ (mkIf (cfg.redirect.enable) (mkBefore redirect))
+ (mkIf emitHeaders (mkJustAfter setHeaders))
+ (mkIf cfg.websocket.enable "proxy_cache_bypass $http_upgrade;")
+ ]
+ ++ hideHeaders));
 };
 };
- hostModule = { config, nixosConfig, gensokyo-zone, lib, ... }: let
+ hostModule = {
+ config,
+ nixosConfig,
+ gensokyo-zone,
+ lib,
+ ...
+ }: let
 inherit (gensokyo-zone.lib) mapOptionDefaults mapAlmostOptionDefaults;
 inherit (lib.options) mkOption mkEnableOption;
 inherit (lib.modules) mkIf mkOptionDefault;
@@ -288,13 +340,16 @@ let
 };
 websocket.enable = mkEnableOption "websocket proxy";
 headers.enableRecommended = mkOption {
- type = enum [ true false "nixpkgs" ];
- default = if nginx.recommendedProxySettings then "nixpkgs" else false;
+ type = enum [true false "nixpkgs"];
+ default =
+ if nginx.recommendedProxySettings
+ then "nixpkgs"
+ else false;
 };
 };
 locations = mkOption {
 type = attrsOf (submoduleWith {
- modules = [ locationModule ];
+ modules = [locationModule];
 shorthandOnlyDefinesConfig = true;
 });
 };
@@ -303,16 +358,18 @@ let
 needsReferer = loc: loc.proxy.enabled && loc.proxy.headers.rewriteReferer.enable;
 confCopy = let
 proxyHost = nginx.virtualHosts.${cfg.copyFromVhost};
- in mapAlmostOptionDefaults {
- inherit (proxyHost.proxy) host url upstream;
- } // {
- websocket = mapAlmostOptionDefaults {
- inherit (proxyHost.proxy.websocket) enable;
+ in
+ mapAlmostOptionDefaults {
+ inherit (proxyHost.proxy) host url upstream;
+ }
+ // {
+ websocket = mapAlmostOptionDefaults {
+ inherit (proxyHost.proxy.websocket) enable;
+ };
+ headers = mapAlmostOptionDefaults {
+ inherit (proxyHost.proxy.headers) enableRecommended;
+ };
 };
- headers = mapAlmostOptionDefaults {
- inherit (proxyHost.proxy.headers) enableRecommended;
- };
- };
 in {
 xvars = {
 parseReferer = mkIf (anyLocations needsReferer) true;
@@ -326,21 +383,19 @@ let
 proxy = mkIf (cfg.copyFromVhost != null) confCopy;
 };
 };
-in {
- lib,
- ...
-}: let
- inherit (lib.options) mkOption;
-in {
- options.services.nginx = with lib.types; {
- virtualHosts = mkOption {
- type = attrsOf (submodule [hostModule]);
+in
+ {lib, ...}: let
+ inherit (lib.options) mkOption;
+ in {
+ options.services.nginx = with lib.types; {
+ virtualHosts = mkOption {
+ type = attrsOf (submodule [hostModule]);
+ };
+ stream.servers = mkOption {
+ type = attrsOf (submoduleWith {
+ modules = [serverModule];
+ shorthandOnlyDefinesConfig = false;
+ });
+ };
 };
- stream.servers = mkOption {
- type = attrsOf (submoduleWith {
- modules = [serverModule];
- shorthandOnlyDefinesConfig = false;
- });
- };
- };
-}
+ }
diff --git a/modules/nixos/nginx/ssl.nix b/modules/nixos/nginx/ssl.nix
index 3f170dbf..12d3b951 100644
--- a/modules/nixos/nginx/ssl.nix
+++ b/modules/nixos/nginx/ssl.nix
@@ -1,5 +1,11 @@
 let
- sslModule = { config, nixosConfig, gensokyo-zone, lib, ... }: let
+ sslModule = {
+ config,
+ nixosConfig,
+ gensokyo-zone,
+ lib,
+ ...
+ }: let
 inherit (lib.options) mkOption;
 inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
 inherit (nixosConfig.services) nginx;
@@ -12,7 +18,7 @@ let
 };
 force = mkOption {
 # TODO: "force-nonlocal"? exceptions for tailscale?
- type = enum [ false true "only" "reject" ];
+ type = enum [false true "only" "reject"];
 default = false;
 };
 forced = mkOption {
@@ -60,14 +66,19 @@ let
 };
 copyCertVhost = mkCopyCert nginx.virtualHosts.${cfg.cert.copyFromVhost}.ssl.cert;
 copyCertStreamServer = mkCopyCert nginx.stream.servers.${cfg.cert.copyFromStreamServer}.ssl.cert;
- in mkMerge [
- (mkIf (cfg.cert.copyFromStreamServer != null) copyCertStreamServer)
- (mkIf (cfg.cert.copyFromVhost != null) copyCertVhost)
- ];
+ in
+ mkMerge [
+ (mkIf (cfg.cert.copyFromStreamServer != null) copyCertStreamServer)
+ (mkIf (cfg.cert.copyFromVhost != null) copyCertVhost)
+ ];
 };
 };
 };
- sslProxyModule = { config, lib, ... }: let
+ sslProxyModule = {
+ config,
+ lib,
+ ...
+ }: let
 inherit (lib.options) mkOption mkEnableOption;
 inherit (lib.modules) mkIf mkMerge mkAfter;
 inherit (config) proxy;
@@ -78,9 +89,11 @@ let
 type = bool;
 };
 verify = mkEnableOption "proxy_ssl_verify";
- sni = mkEnableOption "proxy_ssl_server_name" // {
- default = cfg.host != null;
- };
+ sni =
+ mkEnableOption "proxy_ssl_server_name"
+ // {
+ default = cfg.host != null;
+ };
 host = mkOption {
 type = nullOr str;
 default = null;
@@ -97,18 +110,26 @@ let
 ]);
 };
 };
- streamServerModule = { config, nixosConfig, gensokyo-zone, lib, ... }: let
+ streamServerModule = {
+ config,
+ nixosConfig,
+ gensokyo-zone,
+ lib,
+ ...
+ }: let
 inherit (gensokyo-zone.lib) mkAlmostDefault;
 inherit (lib.options) mkEnableOption;
 inherit (lib.modules) mkIf mkMerge mkOptionDefault;
 cfg = config.ssl;
 in {
- imports = [ sslModule sslProxyModule ];
+ imports = [sslModule sslProxyModule];
 options = with lib.types; {
 ssl = {
- kTLS = mkEnableOption "kTLS support" // {
- default = true;
- };
+ kTLS =
+ mkEnableOption "kTLS support"
+ // {
+ default = true;
+ };
 };
 };
 config = let
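Review bot: `verify = mkEnableOption "proxy_ssl_verify";` in the `@@ -78,9 +89,11 @@` hunk leaves upstream certificate verification off unless a user opts in, while the adjacent `sni` option gets a derived default from `cfg.host`, and nothing in the hunk states that a proxied `https://` upstream is therefore accepted unverified by default. A description would make that visible in the generated option docs, e.g. `verify = mkEnableOption "proxy_ssl_verify" // { description = "Whether nginx verifies the upstream TLS certificate (proxy_ssl_verify); disabled unless set."; };`. The option block of `sslProxyModule` continues past this hunk, so the directive that consumes `verify` is not visible here.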
@@ -126,104 +147,124 @@ let (mkIf cfg.kTLS "ssl_conf_command Options KTLS;") ]; confProxy.extraConfig = mkIf proxy.ssl.enable "proxy_ssl on;"; - in mkMerge [ - conf - (mkIf cfg.enable confSsl) - (mkIf proxy.enable confProxy) - ]; + in + mkMerge [ + conf + (mkIf cfg.enable confSsl) + (mkIf proxy.enable confProxy) + ]; }; -in { - config, - gensokyo-zone, - lib, - ... -}: let - inherit (gensokyo-zone.lib) mkAlmostOptionDefault; - inherit (lib.options) mkOption mkEnableOption; - inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault; - inherit (lib.attrsets) mapAttrsToList; - inherit (lib.trivial) warnIf; - inherit (lib.strings) hasPrefix; - inherit (config.services) nginx; - forceRedirectConfig = { virtualHost, xvars }: '' - if (${xvars.get.scheme} = http) { - return ${toString virtualHost.redirectCode} https://${xvars.get.host}$request_uri; - } - ''; - locationModule = { config, virtualHost, xvars, ... }: let - cfg = config.ssl; - emitForce = cfg.force && !virtualHost.ssl.forced; - in { - imports = [ sslProxyModule ]; - options.ssl = { - force = mkEnableOption "redirect to SSL"; +in + { + config, + gensokyo-zone, + lib, + ... + }: let + inherit (gensokyo-zone.lib) mkAlmostOptionDefault; + inherit (lib.options) mkOption mkEnableOption; + inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault; + inherit (lib.attrsets) mapAttrsToList; + inherit (lib.trivial) warnIf; + inherit (lib.strings) hasPrefix; + inherit (config.services) nginx; + forceRedirectConfig = { + virtualHost, + xvars, + }: '' + if (${xvars.get.scheme} = http) { + return ${toString virtualHost.redirectCode} https://${xvars.get.host}$request_uri; + } + ''; + locationModule = { + config, + virtualHost, + xvars, + ... 
+ }: let + cfg = config.ssl; + emitForce = cfg.force && !virtualHost.ssl.forced; + in { + imports = [sslProxyModule]; + options.ssl = { + force = mkEnableOption "redirect to SSL"; + }; + config = { + proxy.ssl.enable = mkOptionDefault (hasPrefix "https://" config.proxyPass); + xvars.enable = mkIf emitForce true; + extraConfig = mkIf emitForce (forceRedirectConfig {inherit xvars virtualHost;}); + }; }; - config = { - proxy.ssl.enable = mkOptionDefault (hasPrefix "https://" config.proxyPass); - xvars.enable = mkIf emitForce true; - extraConfig = mkIf emitForce (forceRedirectConfig { inherit xvars virtualHost; }); - }; - }; - hostModule = { config, xvars, ... }: let - cfg = config.ssl; - emitForce = cfg.forced && config.proxied.enabled; - in { - imports = [ sslModule ]; - options = with lib.types; { - ssl = { - cert = { - enable = mkEnableOption "ssl cert via name.shortServer"; + hostModule = { + config, + xvars, + ... + }: let + cfg = config.ssl; + emitForce = cfg.forced && config.proxied.enabled; + in { + imports = [sslModule]; + options = with lib.types; { + ssl = { + cert = { + enable = mkEnableOption "ssl cert via name.shortServer"; + }; + }; + locations = mkOption { + type = attrsOf (submoduleWith { + modules = [locationModule]; + shorthandOnlyDefinesConfig = true; + }); }; }; - locations = mkOption { - type = attrsOf (submoduleWith { - modules = [ locationModule ]; - shorthandOnlyDefinesConfig = true; + config = { + ssl = { + cert = let + certConfig.name = mkIf cfg.cert.enable (warnIf (config.name.shortServer == null) "ssl.cert.enable set but name.shortServer is null" ( + mkAlmostOptionDefault config.name.shortServer + )); + in + certConfig; + }; + addSSL = mkIf (cfg.enable && (cfg.force == false || emitForce)) (mkDefault true); + forceSSL = mkIf (cfg.enable && cfg.force == true && !emitForce) (mkDefault true); + onlySSL = mkIf (cfg.enable && cfg.force == "only" && !emitForce) (mkDefault true); + rejectSSL = mkIf (cfg.force == "reject") (mkDefault true); + 
useACMEHost = mkAlmostOptionDefault cfg.cert.name; + sslCertificate = mkIf (cfg.cert.path != null) (mkAlmostOptionDefault cfg.cert.path); + sslCertificateKey = mkIf (cfg.cert.keyPath != null) (mkAlmostOptionDefault cfg.cert.keyPath); + kTLS = mkAlmostOptionDefault true; + + xvars.enable = mkIf emitForce true; + extraConfig = mkIf emitForce (forceRedirectConfig { + virtualHost = config; + inherit xvars; }); }; }; - config = { - ssl = { - cert = let - certConfig.name = mkIf cfg.cert.enable (warnIf (config.name.shortServer == null) "ssl.cert.enable set but name.shortServer is null" ( - mkAlmostOptionDefault config.name.shortServer - )); - in certConfig; + in { + options.services.nginx = with lib.types; { + virtualHosts = mkOption { + type = attrsOf (submoduleWith { + modules = [hostModule]; + shorthandOnlyDefinesConfig = true; + }); + }; + stream.servers = mkOption { + type = attrsOf (submoduleWith { + modules = [streamServerModule]; + shorthandOnlyDefinesConfig = false; + }); }; - addSSL = mkIf (cfg.enable && (cfg.force == false || emitForce)) (mkDefault true); - forceSSL = mkIf (cfg.enable && cfg.force == true && !emitForce) (mkDefault true); - onlySSL = mkIf (cfg.enable && cfg.force == "only" && !emitForce) (mkDefault true); - rejectSSL = mkIf (cfg.force == "reject") (mkDefault true); - useACMEHost = mkAlmostOptionDefault cfg.cert.name; - sslCertificate = mkIf (cfg.cert.path != null) (mkAlmostOptionDefault cfg.cert.path); - sslCertificateKey = mkIf (cfg.cert.keyPath != null) (mkAlmostOptionDefault cfg.cert.keyPath); - kTLS = mkAlmostOptionDefault true; - - xvars.enable = mkIf emitForce true; - extraConfig = mkIf emitForce (forceRedirectConfig { virtualHost = config; inherit xvars; }); }; - }; -in { - options.services.nginx = with lib.types; { - virtualHosts = mkOption { - type = attrsOf (submoduleWith { - modules = [ hostModule ]; - shorthandOnlyDefinesConfig = true; - }); - }; - stream.servers = mkOption { - type = attrsOf (submoduleWith { - modules = [ 
streamServerModule ];
- shorthandOnlyDefinesConfig = false;
- });
- };
- };
- config.systemd.services.nginx = let
- mapStreamServer = server: mkIf (server.enable && server.ssl.enable && server.ssl.cert.name != null) {
- wants = [ "acme-finished-${server.ssl.cert.name}.target" ];
- after = [ "acme-selfsigned-${server.ssl.cert.name}.service" ];
- before = [ "acme-${server.ssl.cert.name}.service" ];
- };
- streamServerCerts = mapAttrsToList (_: mapStreamServer) nginx.stream.servers;
- in mkIf nginx.enable (mkMerge streamServerCerts);
-}
+ config.systemd.services.nginx = let
+ mapStreamServer = server:
+ mkIf (server.enable && server.ssl.enable && server.ssl.cert.name != null) {
+ wants = ["acme-finished-${server.ssl.cert.name}.target"];
+ after = ["acme-selfsigned-${server.ssl.cert.name}.service"];
+ before = ["acme-${server.ssl.cert.name}.service"];
+ };
+ streamServerCerts = mapAttrsToList (_: mapStreamServer) nginx.stream.servers;
+ in
+ mkIf nginx.enable (mkMerge streamServerCerts);
+ }
diff --git a/modules/nixos/nginx/stream.nix b/modules/nixos/nginx/stream.nix
index 94ac5394..67d82d65 100644
--- a/modules/nixos/nginx/stream.nix
+++ b/modules/nixos/nginx/stream.nix
@@ -10,9 +10,11 @@
 cfg = config.services.nginx.stream;
 serverModule = {config, ...}: {
 options = with lib.types; {
- enable = mkEnableOption "stream server block" // {
- default = true;
- };
+ enable =
+ mkEnableOption "stream server block"
+ // {
+ default = true;
+ };
 extraConfig = mkOption {
 type = lines;
 default = "";
@@ -49,7 +51,7 @@ in {
 nixosConfig = config;
 };
 });
- default = { };
+ default = {};
 };
 };
 config.services.nginx = {
diff --git a/modules/nixos/nginx/upstream.nix b/modules/nixos/nginx/upstream.nix
index 72d5926d..be6450e0 100644
--- a/modules/nixos/nginx/upstream.nix
+++ b/modules/nixos/nginx/upstream.nix
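Review bot: `forceRedirectConfig` builds the redirect target from `${xvars.get.host}`, and the hunk does not say where that value comes from; if it is derived from the request's Host or X-Forwarded-Host header rather than the vhost's configured names, the `Location` a client receives is client-influenced, which is the usual host-header-redirect concern. A comment above `if (${xvars.get.scheme} = http) {` stating the expectation would make the trust boundary explicit, for example `# redirect target uses the xvars host; it must already be bound to this vhost's server names, not a raw client header`. Both `locationModule` and `hostModule` in this hunk call the helper, so one comment at its definition covers both. The hunk begins inside `streamServerModule`, whose header is outside it.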
@@ -1,5 +1,13 @@ let - upstreamServerAccessModule = {config, nixosConfig, name, gensokyo-zone, lib, upstreamKind, ...}: let + upstreamServerAccessModule = { + config, + nixosConfig, + name, + gensokyo-zone, + lib, + upstreamKind, + ... + }: let inherit (lib.options) mkOption; inherit (lib.modules) mkIf mkMerge mkOptionDefault; inherit (gensokyo-zone.lib) mkAlmostOptionDefault; @@ -57,12 +65,20 @@ let port = mkOptionDefault port.port; ssl.enable = mkIf port.ssl (mkAlmostOptionDefault true); }; - in mkMerge [ - confAccess - (mkIf cfg.enable conf) - ]; + in + mkMerge [ + confAccess + (mkIf cfg.enable conf) + ]; }; - upstreamServerModule = {config, name, gensokyo-zone, lib, upstreamKind, ...}: let + upstreamServerModule = { + config, + name, + gensokyo-zone, + lib, + upstreamKind, + ... + }: let inherit (gensokyo-zone.lib) mkAddress6; inherit (lib.options) mkOption mkEnableOption; inherit (lib.modules) mkIf mkMerge mkBefore mkOptionDefault; @@ -72,9 +88,11 @@ let inherit (lib.trivial) isBool; in { options = with lib.types; { - enable = mkEnableOption "upstream server" // { - default = true; - }; + enable = + mkEnableOption "upstream server" + // { + default = true; + }; addr = mkOption { type = str; default = name; @@ -90,8 +108,8 @@ let example = "unix:/tmp/backend3"; }; settings = mkOption { - type = attrsOf (oneOf [ int str bool ]); - default = { }; + type = attrsOf (oneOf [int str bool]); + default = {}; }; extraConfig = mkOption { type = str; 
@@ -108,21 +126,30 @@ let }; config = let mapSetting = key: value: - if isBool value then mkIf value key + if isBool value + then mkIf value key else "${key}=${toString value}"; settings = mapAttrsToList mapSetting config.settings; port = optionalString (config.port != null) ":${toString config.port}"; in { server = mkOptionDefault "${mkAddress6 config.addr}${port}"; serverConfig = mkMerge ( - [ (mkBefore config.server) ] + [(mkBefore config.server)] ++ settings ++ optional (config.extraConfig != "") config.extraConfig ); serverDirective = mkOptionDefault "server ${config.serverConfig};"; }; }; - upstreamModule = {config, name, nixosConfig, gensokyo-zone, lib, upstreamKind, ...}: let + upstreamModule = { + config, + name, + nixosConfig, + gensokyo-zone, + lib, + upstreamKind, + ... + }: let inherit (gensokyo-zone.lib) mkAlmostOptionDefault unmerged; inherit (lib.options) mkOption mkEnableOption; inherit (lib.modules) mkIf mkMerge mkOptionDefault; @@ -132,19 +159,21 @@ let in { options = with lib.types; let upstreamServer = submoduleWith { - modules = [ upstreamServerModule upstreamServerAccessModule ]; + modules = [upstreamServerModule upstreamServerAccessModule]; specialArgs = { inherit nixosConfig gensokyo-zone upstreamKind; upstream = config; }; }; in { - enable = mkEnableOption "upstream block" // { - default = true; - }; + enable = + mkEnableOption "upstream block" + // { + default = true; + }; name = mkOption { type = str; - default = replaceStrings [ "'" ] [ "_" ] name; + default = replaceStrings ["'"] ["_"] name; }; servers = mkOption { type = attrsOf upstreamServer; 
@@ -183,13 +212,13 @@ let config = let enabledServers = filterAttrs (_: server: server.enable) config.servers; - assertServers = v: assert enabledServers != { }; v; + assertServers = v: assert enabledServers != {}; v; in { ssl.enable = mkIf (any (server: server.ssl.enable) (attrValues enabledServers)) (mkAlmostOptionDefault true); defaultServerName = findSingle (_: true) null null (attrNames enabledServers); upstreamConfig = mkMerge ( mapAttrsToList (_: server: mkIf server.enable server.serverDirective) config.servers - ++ [ config.extraConfig ] + ++ [config.extraConfig] ); upstreamBlock = mkOptionDefault '' upstream ${config.name} { @@ -199,16 +228,28 @@ let upstreamSettings = assertServers (mkOptionDefault { #extraConfig = config.upstreamConfig; extraConfig = config.extraConfig; - servers = mapAttrs' (name: server: nameValuePair (if server.enable then server.server else "disabled_${name}") (mkIf server.enable (mkMerge [ - server.settings - (mkIf (server.extraConfig != "") { - ${config.extraConfig} = true; - }) - ]))) config.servers; + servers = mapAttrs' (name: server: + nameValuePair ( + if server.enable + then server.server + else "disabled_${name}" + ) (mkIf server.enable (mkMerge [ + server.settings + (mkIf (server.extraConfig != "") { + ${config.extraConfig} = true; + }) + ]))) + config.servers; }); }; }; - serverModule = {config, nixosConfig, gensokyo-zone, lib, ...}: let + serverModule = { + config, + nixosConfig, + gensokyo-zone, + lib, + ... + }: let inherit (gensokyo-zone.lib) mkAlmostOptionDefault; inherit (lib.options) mkOption; inherit (lib.modules) mkIf; @@ -229,7 +270,8 @@ let dynamicUpstream = hasPrefix "$" config.proxy.upstream; hasUpstream = config.proxy.upstream != null && !dynamicUpstream; proxyPass = - if dynamicUpstream then config.proxy.upstream + if dynamicUpstream + then config.proxy.upstream else assert proxyUpstream.enable; proxyUpstream.name; in { proxy = { 
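Review bot: In the reflowed `servers` mapping of `upstreamSettings`, the per-server attribute guarded by `mkIf (server.extraConfig != "")` is keyed on the upstream-level `config.extraConfig` rather than the server's own `server.extraConfig`, so a server's extraConfig is never emitted and the upstream's string (presumably appended to each `server` line as a bare token by nixpkgs' upstream renderer) is attached to every server that happens to have one. That line should read `${server.extraConfig} = true;`. Since this path splices an unvalidated string directly into the generated `server` directive, it is worth a comment that extraConfig is operator-supplied only and never request- or user-derived. The enclosing `upstreamModule` config block starts in the previous hunk and its `assertServers` guard only checks that at least one server is enabled.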
@@ -242,7 +284,12 @@ let }; }; }; - proxyUpstreamModule = {config, nixosConfig, lib, ...}: let + proxyUpstreamModule = { + config, + nixosConfig, + lib, + ... + }: let inherit (lib.options) mkOption; in { options = with lib.types; { 
@@ -253,42 +300,63 @@ let }; }; }; - locationModule = {config, nixosConfig, virtualHost, gensokyo-zone, lib, ...}: let + locationModule = { + config, + nixosConfig, + virtualHost, + gensokyo-zone, + lib, + ... + }: let inherit (gensokyo-zone.lib) mkAlmostOptionDefault; inherit (lib.modules) mkIf mkOptionDefault; inherit (lib.strings) hasPrefix; inherit (nixosConfig.services) nginx; in { - imports = [ proxyUpstreamModule ]; + imports = [proxyUpstreamModule]; config = let proxyUpstream = nginx.upstreams'.${config.proxy.upstream}; - proxyScheme = if config.proxy.ssl.enable then "https" else "http"; + proxyScheme = + if config.proxy.ssl.enable + then "https" + else "http"; dynamicUpstream = hasPrefix "$" config.proxy.upstream; hasUpstream = config.proxy.upstream != null && !dynamicUpstream; proxyHost = - if dynamicUpstream then config.proxy.upstream + if dynamicUpstream + then config.proxy.upstream else assert proxyUpstream.enable; proxyUpstream.name; in { proxy = { upstream = mkOptionDefault virtualHost.proxy.upstream; enable = mkIf (config.proxy.upstream != null && virtualHost.proxy.upstream == null) true; - url = mkIf (config.proxy.upstream != null) (mkAlmostOptionDefault + url = mkIf (config.proxy.upstream != null) ( + mkAlmostOptionDefault "${proxyScheme}://${proxyHost}" ); ssl = { - enable = mkAlmostOptionDefault (if hasUpstream then proxyUpstream.ssl.enable else false); + enable = mkAlmostOptionDefault ( + if hasUpstream + then proxyUpstream.ssl.enable + else false + ); host = mkIf hasUpstream (mkAlmostOptionDefault proxyUpstream.ssl.host); }; host = mkIf (hasUpstream && proxyUpstream.host != null) (mkAlmostOptionDefault proxyUpstream.host); }; }; }; - hostModule = {config, nixosConfig, lib, ...}: let + hostModule = { + config, + nixosConfig, + lib, + ... + }: let inherit (lib.options) mkOption; inherit (lib.modules) mkOptionDefault; in { - imports = [ proxyUpstreamModule ]; + imports = [proxyUpstreamModule]; options = with lib.types; { locations = mkOption { 
@@ -302,68 +370,76 @@ let }; }; }; -in { - config, - lib, - gensokyo-zone, - ... -}: let - inherit (gensokyo-zone.lib) unmerged; - inherit (lib.options) mkOption; - inherit (lib.modules) mkIf mkMerge; - inherit (lib.attrsets) mapAttrsToList; - cfg = config.services.nginx; -in { - options.services.nginx = with lib.types; { - upstreams' = mkOption { - type = attrsOf (submoduleWith { - modules = [upstreamModule]; - shorthandOnlyDefinesConfig = false; - specialArgs = { - inherit gensokyo-zone; - nixosConfig = config; - upstreamKind = "virtualHost"; - }; - }); - default = { }; - }; - virtualHosts = mkOption { - type = attrsOf (submodule hostModule); - }; - stream = { - upstreams = mkOption { +in + { + config, + lib, + gensokyo-zone, + ... + }: let + inherit (gensokyo-zone.lib) unmerged; + inherit (lib.options) mkOption; + inherit (lib.modules) mkIf mkMerge; + inherit (lib.attrsets) mapAttrsToList; + cfg = config.services.nginx; + in { + options.services.nginx = with lib.types; { + upstreams' = mkOption { type = attrsOf (submoduleWith { modules = [upstreamModule]; shorthandOnlyDefinesConfig = false; specialArgs = { inherit gensokyo-zone; nixosConfig = config; - upstreamKind = "stream"; + upstreamKind = "virtualHost"; }; }); - default = { }; + default = {}; }; - servers = mkOption { - type = attrsOf (submoduleWith { - modules = [serverModule]; - shorthandOnlyDefinesConfig = false; - }); + virtualHosts = mkOption { + type = attrsOf (submodule hostModule); + }; + stream = { + upstreams = mkOption { + type = attrsOf (submoduleWith { + modules = [upstreamModule]; + shorthandOnlyDefinesConfig = false; + specialArgs = { + inherit gensokyo-zone; + nixosConfig = config; + upstreamKind = "stream"; + }; + }); + default = {}; + }; + servers = mkOption { + type = attrsOf (submoduleWith { + modules = [serverModule]; + shorthandOnlyDefinesConfig = false; + }); + }; }; }; - }; - config.services.nginx = let - confStream.streamConfig = mkMerge ( - mapAttrsToList (_: upstream: mkIf 
upstream.enable upstream.upstreamBlock) cfg.stream.upstreams - ); - useUpstreams = true; - confUpstreams.upstreams = mkMerge (mapAttrsToList (_: upstream: mkIf upstream.enable { - ${upstream.name} = unmerged.mergeAttrs upstream.upstreamSettings; - }) cfg.upstreams'); - confBlock.commonHttpConfig = mkMerge ( - mapAttrsToList (_: upstream: mkIf upstream.enable upstream.upstreamBlock) cfg.upstreams' - ); - in mkMerge [ - confStream - (if useUpstreams then confUpstreams else confBlock) - ]; -} + config.services.nginx = let + confStream.streamConfig = mkMerge ( + mapAttrsToList (_: upstream: mkIf upstream.enable upstream.upstreamBlock) cfg.stream.upstreams + ); + useUpstreams = true; + confUpstreams.upstreams = mkMerge (mapAttrsToList (_: upstream: + mkIf upstream.enable { + ${upstream.name} = unmerged.mergeAttrs upstream.upstreamSettings; + }) + cfg.upstreams'); + confBlock.commonHttpConfig = mkMerge ( + mapAttrsToList (_: upstream: mkIf upstream.enable upstream.upstreamBlock) cfg.upstreams' + ); + in + mkMerge [ + confStream + ( + if useUpstreams + then confUpstreams + else confBlock + ) + ]; + } diff --git a/modules/nixos/nginx/vouch.nix b/modules/nixos/nginx/vouch.nix index c989e63f..5490775d 100644 --- a/modules/nixos/nginx/vouch.nix +++ b/modules/nixos/nginx/vouch.nix @@ -13,7 +13,12 @@ inherit (config) networking; inherit (config.services) vouch-proxy nginx tailscale; inherit (nginx) vouch; - locationModule = {config, virtualHost, xvars, ...}: { + locationModule = { + config, + virtualHost, + xvars, + ... + }: { options.vouch = with lib.types; { requireAuth = mkEnableOption "require auth to access this location"; setProxyHeader = mkOption { 
@@ -26,29 +31,35 @@ enableVouchLocal = virtualHost.vouch.localSso.enable; enableVouchTail = enableVouchLocal && tailscale.enable && false; allowOrigin = url: "add_header Access-Control-Allow-Origin ${url};"; - in mkIf config.vouch.requireAuth { - lua = mkIf virtualHost.vouch.auth.lua.enable { - access.block = mkMerge [ - (mkBefore virtualHost.vouch.auth.lua.accessRequest) - (mkBefore virtualHost.vouch.auth.lua.accessVariables) - (mkBefore virtualHost.vouch.auth.lua.accessLogic) - ]; + in + mkIf config.vouch.requireAuth { + lua = mkIf virtualHost.vouch.auth.lua.enable { + access.block = mkMerge [ + (mkBefore virtualHost.vouch.auth.lua.accessRequest) + (mkBefore virtualHost.vouch.auth.lua.accessVariables) + (mkBefore virtualHost.vouch.auth.lua.accessLogic) + ]; + }; + xvars.enable = mkIf (enableVouchTail || virtualHost.vouch.auth.lua.enable) true; + proxy.headers.set.X-Vouch-User = mkOptionDefault "$auth_resp_x_vouch_user"; + extraConfig = assert virtualHost.vouch.enable; + mkMerge [ + (mkIf (!virtualHost.vouch.requireAuth) virtualHost.vouch.auth.requestDirective) + (allowOrigin vouch.url) + (allowOrigin vouch.authUrl) + (mkIf enableVouchLocal (allowOrigin vouch.localUrl)) + (mkIf enableVouchLocal (allowOrigin "sso.local.${networking.domain}")) + (mkIf enableVouchTail (allowOrigin "${xvars.get.scheme}://${vouch.tailDomain}")) + ]; }; - xvars.enable = mkIf (enableVouchTail || virtualHost.vouch.auth.lua.enable) true; - proxy.headers.set.X-Vouch-User = mkOptionDefault "$auth_resp_x_vouch_user"; - extraConfig = assert virtualHost.vouch.enable; mkMerge [ - (mkIf (!virtualHost.vouch.requireAuth) virtualHost.vouch.auth.requestDirective) - (allowOrigin vouch.url) - (allowOrigin vouch.authUrl) - (mkIf enableVouchLocal (allowOrigin vouch.localUrl)) - (mkIf enableVouchLocal (allowOrigin "sso.local.${networking.domain}")) - (mkIf enableVouchTail (allowOrigin "${xvars.get.scheme}://${vouch.tailDomain}")) - ]; - }; }; - hostModule = {config, xvars, ...}: let + hostModule = { + 
config, + xvars, + ... + }: let cfg = config.vouch; - mkHeaderVar = header: toLower (replaceStrings [ "-" ] [ "_" ] header); + mkHeaderVar = header: toLower (replaceStrings ["-"] ["_"] header); mkUpstreamVar = header: "\$upstream_http_${mkHeaderVar header}"; in { options = with lib.types; { @@ -57,12 +68,16 @@ }; vouch = { enable = mkEnableOption "vouch auth proxy"; - localSso.enable = mkEnableOption "lan-local vouch" // { - default = vouch.localSso.enable && config.local.enable; - }; - requireAuth = mkEnableOption "require auth to access this host" // { - default = true; - }; + localSso.enable = + mkEnableOption "lan-local vouch" + // { + default = vouch.localSso.enable && config.local.enable; + }; + requireAuth = + mkEnableOption "require auth to access this host" + // { + default = true; + }; auth = { lua = { enable = mkEnableOption "lua"; @@ -129,9 +144,12 @@ return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR) end ''); - accessVariables = mkMerge (mapAttrsToList (authVar: header: mkOptionDefault - ''ngx.var["${authVar}"] = ngx.ctx.auth_res.header["${header}"] or ""'' - ) cfg.auth.variables); + accessVariables = mkMerge (mapAttrsToList ( + authVar: header: + mkOptionDefault + ''ngx.var["${authVar}"] = ngx.ctx.auth_res.header["${header}"] or ""'' + ) + cfg.auth.variables); }; errorLocation = mkIf cfg.auth.lua.enable (mkAlmostOptionDefault null); requestDirective = mkIf cfg.auth.lua.enable (mkAlmostOptionDefault ""); 
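Review bot: The `extraConfig` merge in `locationModule` emits one `add_header Access-Control-Allow-Origin …;` per allowed origin (`vouch.url`, `vouch.authUrl`, and conditionally the local and tailscale URLs), so nginx sends several ACAO headers on a single response; browsers reject a multi-valued ACAO header, which likely makes the CORS allowance fail for all origins instead of permitting each. The `sso.local.${networking.domain}` entry is also a bare host without a scheme, which cannot match a request's `Origin` value. The usual fix is to select the single matching origin at request time (a `map $http_origin $cors_origin { … }` at http level and one `add_header Access-Control-Allow-Origin $cors_origin;`), or to drop these headers if the `auth_request` flow does not need them. Note too that an `add_header` in a location replaces any `add_header` set at server level rather than adding to it, so other security headers configured for the host may silently disappear on these locations. The locationModule config body continues outside this hunk.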
@@ -161,15 +179,19 @@ (mkIf cfg.localSso.enable localVouchUrl) (mkIf (cfg.localSso.enable && tailscale.enable) tailVouchUrl) ]; - in mkIf cfg.enable (mkMerge ( - [ - (mkIf (cfg.requireAuth) (mkBefore cfg.auth.requestDirective)) - (mkIf (cfg.auth.errorLocation != null) "error_page 401 = ${cfg.auth.errorLocation};") - ] ++ setVouchUrl - ++ mapAttrsToList (authVar: header: mkIf (!cfg.auth.lua.enable) ( - mkBefore "auth_request_set \$${authVar} ${mkUpstreamVar header};" - )) cfg.auth.variables - )); + in + mkIf cfg.enable (mkMerge ( + [ + (mkIf (cfg.requireAuth) (mkBefore cfg.auth.requestDirective)) + (mkIf (cfg.auth.errorLocation != null) "error_page 401 = ${cfg.auth.errorLocation};") + ] + ++ setVouchUrl + ++ mapAttrsToList (authVar: header: + mkIf (!cfg.auth.lua.enable) ( + mkBefore "auth_request_set \$${authVar} ${mkUpstreamVar header};" + )) + cfg.auth.variables + )); xvars.enable = mkIf cfg.enable true; locations = mkIf cfg.enable { "/" = mkIf cfg.requireAuth { 
@@ -181,18 +203,30 @@ return 302 $vouch_url/login?url=${xvars.get.scheme}://${xvars.get.host}$request_uri&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err; ''; }; - ${cfg.auth.requestLocation} = { config, xvars, ... }: { + ${cfg.auth.requestLocation} = { + config, + xvars, + ... + }: { proxy = { enable = true; inheritServerDefaults = false; upstream = mkDefault ( - if vouch.doubleProxy.enable then "vouch'proxy" - else if cfg.localSso.enable then "vouch'auth'local" + if vouch.doubleProxy.enable + then "vouch'proxy" + else if cfg.localSso.enable + then "vouch'auth'local" else "vouch'auth" ); # nginx-proxied vouch must use X-Forwarded-Host, but vanilla vouch requires Host - host = if config.proxy.upstream == "vouch'proxy" - then (if cfg.localSso.enable then vouch.doubleProxy.localServerName else vouch.doubleProxy.serverName) + host = + if config.proxy.upstream == "vouch'proxy" + then + ( + if cfg.localSso.enable + then vouch.doubleProxy.localServerName + else vouch.doubleProxy.serverName + ) else xvars.get.host; headers = { set.Content-Length = ""; @@ -212,9 +246,11 @@ in { vouch = { enable = mkEnableOption "vouch auth proxy"; localSso = { - enable = mkEnableOption "lan-local auth" // { - default = true; - }; + enable = + mkEnableOption "lan-local auth" + // { + default = true; + }; }; doubleProxy = { enable = mkOption { @@ -271,7 +307,7 @@ in { enable = vouch.enable; servers = { local = localVouch; - service = { upstream, ... }: { + service = {upstream, ...}: { enable = mkIf upstream.servers.local.enable false; accessService = { name = "vouch-proxy"; @@ -283,10 +319,12 @@ in { vouch'auth'local = { enable = vouch.enable && vouch.localSso.enable; servers = { - local = localVouch // { - enable = mkAlmostOptionDefault false; - }; - service = { upstream, ... }: { + local = + localVouch + // { + enable = mkAlmostOptionDefault false; + }; + service = {upstream, ...}: { enable = mkIf upstream.servers.local.enable false; accessService = { name = "vouch-proxy"; 
@@ -299,18 +337,18 @@ in { enable = vouch.enable && vouch.doubleProxy.enable; # TODO: need exported hosts options for this to detect the correct host/port/etc servers = { - lan = { upstream, ... }: { + lan = {upstream, ...}: { enable = mkAlmostOptionDefault (!upstream.servers.int.enable); addr = mkAlmostOptionDefault "login.local.${networking.domain}"; port = mkOptionDefault 9080; ssl.enable = mkAlmostOptionDefault true; }; - int = { upstream, ... }: { + int = {upstream, ...}: { enable = mkAlmostOptionDefault system.network.networks.int.enable or false; addr = mkAlmostOptionDefault "login.int.${networking.domain}"; port = mkOptionDefault 9080; }; - tail = { upstream, ... }: { + tail = {upstream, ...}: { enable = mkAlmostOptionDefault (tailscale.enable && !upstream.servers.lan.enable && !upstream.servers.int.enable); addr = mkAlmostOptionDefault "login.tail.${networking.domain}"; port = mkOptionDefault 9080; diff --git a/modules/nixos/nginx/xvars.nix b/modules/nixos/nginx/xvars.nix index 8cb20f6b..964efa88 100644 --- a/modules/nixos/nginx/xvars.nix +++ b/modules/nixos/nginx/xvars.nix @@ -1,5 +1,10 @@ let - locationModule = { config, virtualHost, lib, ... }: let + locationModule = { + config, + virtualHost, + lib, + ... + }: let inherit (lib.options) mkEnableOption mkOption; inherit (lib.attrsets) mapAttrs; cfg = config.xvars; @@ -8,7 +13,7 @@ let enable = mkEnableOption "$x_variables"; defaults = mkOption { type = attrsOf (nullOr str); - default = { }; + default = {}; }; lib = mkOption { type = attrs; 
@@ -18,15 +23,28 @@ let xvars = { lib = let xvars = virtualHost.xvars.lib; - get = mapAttrs (name: default: if virtualHost.xvars.enable then "$x_${name}" else assert default != null; default) cfg.defaults; - in xvars // { - get = xvars.get // get; - }; + get = mapAttrs (name: default: + if virtualHost.xvars.enable + then "$x_${name}" + else assert default != null; default) + cfg.defaults; + in + xvars + // { + get = xvars.get // get; + }; }; _module.args.xvars = config.xvars.lib; }; }; - hostModule = { config, nixosConfig, gensokyo-zone, xvars, lib, ... }: let + hostModule = { + config, + nixosConfig, + gensokyo-zone, + xvars, + lib, + ... + }: let inherit (gensokyo-zone.lib) mkJustBefore; inherit (lib.options) mkOption mkEnableOption; inherit (lib.modules) mkIf mkMerge mkOptionDefault; @@ -36,11 +54,16 @@ let inherit (lib.trivial) isInt; cfg = config.xvars; escapeString = value: - if value == "" then ''""'' - else if isInt value then toString value - else if hasPrefix ''"'' value || hasPrefix "'" value then value # already escaped, may include trailing arguments - else if hasInfix ''"'' value then "'${value}'" - else if hasInfix " " value || hasInfix ";" value || hasInfix "'" value then ''"${value}"'' + if value == "" + then ''""'' + else if isInt value + then toString value + else if hasPrefix ''"'' value || hasPrefix "'" value + then value # already escaped, may include trailing arguments + else if hasInfix ''"'' value + then "'${value}'" + else if hasInfix " " value || hasInfix ";" value || hasInfix "'" value + then ''"${value}"'' else value; anyLocations = f: any (loc: loc.enable && f loc) (attrValues config.locations); in { @@ -66,7 +89,7 @@ let }; locations = mkOption { type = attrsOf (submoduleWith { - modules = [ locationModule ]; + modules = [locationModule]; shorthandOnlyDefinesConfig = true; specialArgs = { inherit nixosConfig gensokyo-zone; 
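Review bot: `escapeString` mishandles a value containing both a double quote and a single quote: the `hasInfix ''"''` branch wraps it in single quotes without escaping the embedded `'`, so the generated `set $x_… …;` line is malformed and nginx fails to parse the config. A minimal fix is to stay in double quotes and escape the embedded ones, `else if hasInfix ''"'' value then ''"${replaceStrings [''"''] [''\"''] value}"''`, with `replaceStrings` inherited from `lib.strings` next to the existing `hasPrefix`/`hasInfix` inherits if it is not already in scope above the hunk. The quote-prefix pass-through is a deliberate raw-directive escape hatch (the comment notes it may carry trailing arguments), which is acceptable for operator-supplied values but should be stated as a contract, e.g. `# values are trusted configuration, never request-derived: a quote-prefixed value is emitted verbatim`. The hostModule `let` block containing these helpers starts before this hunk.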
@@ -99,7 +122,11 @@ let referer_path = null; }); lib = { - get = mapAttrs (name: default: if cfg.enable then "$x_${name}" else assert default != null; default) cfg.defaults; + get = mapAttrs (name: default: + if cfg.enable + then "$x_${name}" + else assert default != null; default) + cfg.defaults; init = name: value: assert cfg.enable && cfg.defaults ? ${name}; "set $x_${name} ${escapeString value};"; inherit escapeString; }; @@ -111,24 +138,25 @@ let _module.args.xvars = config.xvars.lib; }; }; -in { - config, - lib, - gensokyo-zone, - ... -}: let - inherit (lib.options) mkOption; -in { - options = with lib.types; { - services.nginx.virtualHosts = mkOption { - type = attrsOf (submoduleWith { - modules = [ hostModule ]; - shorthandOnlyDefinesConfig = true; - specialArgs = { - inherit gensokyo-zone; - nixosConfig = config; - }; - }); +in + { + config, + lib, + gensokyo-zone, + ... + }: let + inherit (lib.options) mkOption; + in { + options = with lib.types; { + services.nginx.virtualHosts = mkOption { + type = attrsOf (submoduleWith { + modules = [hostModule]; + shorthandOnlyDefinesConfig = true; + specialArgs = { + inherit gensokyo-zone; + nixosConfig = config; + }; + }); + }; }; - }; -} + } diff --git a/modules/nixos/postgres.nix b/modules/nixos/postgres.nix index 9a63262a..6bbc22fa 100644 --- a/modules/nixos/postgres.nix +++ b/modules/nixos/postgres.nix @@ -40,9 +40,11 @@ allow = mkEnableOption "tailscale TCP connections"; }; int = { - allow = mkEnableOption "internal TCP connections" // { - default = config.authentication.local.allow; - }; + allow = + mkEnableOption "internal TCP connections" + // { + default = config.authentication.local.allow; + }; }; local = { allow = mkEnableOption "local TCP connections"; diff --git a/modules/nixos/samba.nix b/modules/nixos/samba.nix index da45fa5d..3929574b 100644 --- a/modules/nixos/samba.nix +++ b/modules/nixos/samba.nix 
@@ -45,28 +45,32 @@ in { }; netbiosHostAddresses = mkOption { type = attrsOf (listOf str); - default = { }; + default = {}; }; lmhosts = mkOption { type = attrsOf str; - default = { }; + default = {}; }; }; ldap = { enable = mkEnableOption "LDAP"; passdb = { - enable = mkEnableOption "LDAP authentication" // { - default = true; - }; + enable = + mkEnableOption "LDAP authentication" + // { + default = true; + }; backend = mkOption { - type = enum [ "ldapsam" "ipasam" ]; + type = enum ["ldapsam" "ipasam"]; default = "ldapsam"; }; }; idmap = { - enable = mkEnableOption "LDAP users" // { - default = true; - }; + enable = + mkEnableOption "LDAP users" + // { + default = true; + }; domain = mkOption { type = str; default = "*"; @@ -98,12 +102,16 @@ in { }; }; tls = { - enable = mkEnableOption "tls" // { - default = cfg.tls.certPath != null; - }; - peer.enable = mkEnableOption "peer verification" // { - default = cfg.tls.caPath != null; - }; + enable = + mkEnableOption "tls" + // { + default = cfg.tls.certPath != null; + }; + peer.enable = + mkEnableOption "peer verification" + // { + default = cfg.tls.caPath != null; + }; useACMECert = mkOption { type = nullOr str; default = null; 
@@ -212,19 +220,30 @@ in { config = { services.samba = { package = mkIf cfg.ldap.enable (mkAlmostOptionDefault ( - if cfg.ldap.passdb.enable && cfg.ldap.passdb.backend == "ipasam" then pkgs.samba-ipa else pkgs.samba-ldap + if cfg.ldap.passdb.enable && cfg.ldap.passdb.backend == "ipasam" + then pkgs.samba-ipa + else pkgs.samba-ldap )); domain = { isWorkgroup = mkOptionDefault (cfg.securityType != "domain" && cfg.securityType != "ads"); netbiosName' = let - name = if cfg.domain.netbiosName != null then cfg.domain.netbiosName else config.networking.hostName; - in mkOptionDefault (if cfg.domain.isWorkgroup then toUpper name else name); + name = + if cfg.domain.netbiosName != null + then cfg.domain.netbiosName + else config.networking.hostName; + in + mkOptionDefault ( + if cfg.domain.isWorkgroup + then toUpper name + else name + ); netbiosHostAddresses = mkIf (cfg.domain.netbiosName != null) { - ${cfg.domain.netbiosName'} = [ "127.0.0.1" "::1" ]; + ${cfg.domain.netbiosName'} = ["127.0.0.1" "::1"]; }; lmhosts = let addrs = mapAttrsToList (name: map (flip nameValuePair name)) cfg.domain.netbiosHostAddresses; - in listToAttrs (concatLists addrs); + in + listToAttrs (concatLists addrs); }; ldap = { adminPasswordPath = mkIf (cfg.ldap.adminDn != null && hasPrefix "name=anonymous," cfg.ldap.adminDn) (mkAlmostOptionDefault ( 
@@ -251,58 +270,61 @@ in { }) ]; settings = mkMerge ([ - { - "use sendfile" = mkOptionDefault true; - "mdns name" = mkOptionDefault "mdns"; - "name resolve order" = mkOptionDefault [ "lmhosts" "host" "bcast" ]; - workgroup = mkIf (cfg.domain.name != null) (mkOptionDefault cfg.domain.name); - "netbios name" = mkIf (cfg.domain.netbiosName != null) (mkOptionDefault cfg.domain.netbiosName); - } - (mkIf (cfg.passdb.smbpasswd.path != null) { - "passdb backend" = mkOptionDefault "smbpasswd:${cfg.passdb.smbpasswd.path}"; - }) - (mkIf cfg.ldap.enable { - "ldap ssl" = mkIf (hasPrefix "ldaps://" cfg.ldap.url) (mkOptionDefault "off"); - "ldap admin dn" = mkIf (cfg.ldap.adminDn != null) (mkOptionDefault cfg.ldap.adminDn); - "ldap suffix" = mkOptionDefault cfg.ldap.baseDn; - }) - (mkIf cfg.kerberos.enable { - "realm" = mkOptionDefault cfg.kerberos.realm; - "kerberos method" = mkOptionDefault ( - if cfg.kerberos.keytabPath != null then "dedicated keytab" - else "system keytab" - ); - "dedicated keytab file" = mkIf (cfg.kerberos.keytabPath != null) (mkOptionDefault - "FILE:${cfg.kerberos.keytabPath}" - ); - "kerberos encryption types" = mkOptionDefault "strong"; - "create krb5 conf" = mkOptionDefault false; - }) - (mkIf cfg.enableWinbindd { - "winbind nss info" = mkOptionDefault "rfc2307"; - "winbind use default domain" = mkOptionDefault true; - }) - (mkIf cfg.tls.enable { - "tls enabled" = mkOptionDefault true; - "tls verify peer" = mkIf cfg.tls.peer.enable (mkOptionDefault "ca_and_name_if_available"); - "tls certfile" = mkIf (cfg.tls.certPath != null) (mkOptionDefault cfg.tls.certPath); - "tls keyfile" = mkIf (cfg.tls.keyPath != null) (mkOptionDefault cfg.tls.keyPath); - "tls cafile" = mkIf (cfg.tls.caPath != null) (mkOptionDefault cfg.tls.caPath); - "tls crlfile" = mkIf (cfg.tls.crlPath != null) (mkOptionDefault cfg.tls.crlPath); - }) - (mkIf cfg.usershare.enable { - "usershare allow guests" = mkOptionDefault true; - "usershare max shares" = mkOptionDefault 16; - "usershare 
owner only" = mkOptionDefault true; - "usershare template share" = mkOptionDefault cfg.usershare.templateShare; - "usershare path" = mkOptionDefault cfg.usershare.path; - "usershare prefix allow list" = mkOptionDefault [ cfg.usershare.path ]; - }) - (mkIf cfg.guest.enable { - "map to guest" = mkOptionDefault "Bad User"; - "guest account" = mkOptionDefault cfg.guest.user; - }) - ] ++ mapAttrsToList (_: idmap: mapAttrs' (key: value: nameValuePair "idmap config ${idmap.domain} : ${key}" (mkOptionDefault value)) idmap.settings) cfg.idmap.domains); + { + "use sendfile" = mkOptionDefault true; + "mdns name" = mkOptionDefault "mdns"; + "name resolve order" = mkOptionDefault ["lmhosts" "host" "bcast"]; + workgroup = mkIf (cfg.domain.name != null) (mkOptionDefault cfg.domain.name); + "netbios name" = mkIf (cfg.domain.netbiosName != null) (mkOptionDefault cfg.domain.netbiosName); + } + (mkIf (cfg.passdb.smbpasswd.path != null) { + "passdb backend" = mkOptionDefault "smbpasswd:${cfg.passdb.smbpasswd.path}"; + }) + (mkIf cfg.ldap.enable { + "ldap ssl" = mkIf (hasPrefix "ldaps://" cfg.ldap.url) (mkOptionDefault "off"); + "ldap admin dn" = mkIf (cfg.ldap.adminDn != null) (mkOptionDefault cfg.ldap.adminDn); + "ldap suffix" = mkOptionDefault cfg.ldap.baseDn; + }) + (mkIf cfg.kerberos.enable { + "realm" = mkOptionDefault cfg.kerberos.realm; + "kerberos method" = mkOptionDefault ( + if cfg.kerberos.keytabPath != null + then "dedicated keytab" + else "system keytab" + ); + "dedicated keytab file" = mkIf (cfg.kerberos.keytabPath != null) ( + mkOptionDefault + "FILE:${cfg.kerberos.keytabPath}" + ); + "kerberos encryption types" = mkOptionDefault "strong"; + "create krb5 conf" = mkOptionDefault false; + }) + (mkIf cfg.enableWinbindd { + "winbind nss info" = mkOptionDefault "rfc2307"; + "winbind use default domain" = mkOptionDefault true; + }) + (mkIf cfg.tls.enable { + "tls enabled" = mkOptionDefault true; + "tls verify peer" = mkIf cfg.tls.peer.enable (mkOptionDefault 
"ca_and_name_if_available"); + "tls certfile" = mkIf (cfg.tls.certPath != null) (mkOptionDefault cfg.tls.certPath); + "tls keyfile" = mkIf (cfg.tls.keyPath != null) (mkOptionDefault cfg.tls.keyPath); + "tls cafile" = mkIf (cfg.tls.caPath != null) (mkOptionDefault cfg.tls.caPath); + "tls crlfile" = mkIf (cfg.tls.crlPath != null) (mkOptionDefault cfg.tls.crlPath); + }) + (mkIf cfg.usershare.enable { + "usershare allow guests" = mkOptionDefault true; + "usershare max shares" = mkOptionDefault 16; + "usershare owner only" = mkOptionDefault true; + "usershare template share" = mkOptionDefault cfg.usershare.templateShare; + "usershare path" = mkOptionDefault cfg.usershare.path; + "usershare prefix allow list" = mkOptionDefault [cfg.usershare.path]; + }) + (mkIf cfg.guest.enable { + "map to guest" = mkOptionDefault "Bad User"; + "guest account" = mkOptionDefault cfg.guest.user; + }) + ] + ++ mapAttrsToList (_: idmap: mapAttrs' (key: value: nameValuePair "idmap config ${idmap.domain} : ${key}" (mkOptionDefault value)) idmap.settings) cfg.idmap.domains); extraConfig = mkMerge ( mapAttrsToList (key: value: ''${key} = ${settingValue value}'') cfg.settings ++ [ @@ -340,11 +362,11 @@ in { ]; networking.hosts = mkIf (cfg.enable && cfg.domain.netbiosName != null) { - "::1" = mkAfter [ cfg.domain.netbiosName' ]; + "::1" = mkAfter [cfg.domain.netbiosName']; # not a typo... - "127.0.0.2" = mkAfter [ cfg.domain.netbiosName' ]; + "127.0.0.2" = mkAfter [cfg.domain.netbiosName']; }; - environment.etc."samba/lmhosts" = mkIf (cfg.enable && cfg.domain.lmhosts != { }) { + environment.etc."samba/lmhosts" = mkIf (cfg.enable && cfg.domain.lmhosts != {}) { text = mkMerge ( mapAttrsToList (address: name: "${address} ${name}") cfg.domain.lmhosts ); diff --git a/modules/nixos/shared.nix b/modules/nixos/shared.nix index 9f822aa6..553c7035 100644 --- a/modules/nixos/shared.nix +++ b/modules/nixos/shared.nix 
@@ -1,11 +1,20 @@ -{ config, lib, utils, ... }: let +{ + config, + lib, + utils, + ... +}: let inherit (lib.options) mkOption; inherit (lib.modules) mkIf mkMerge mkOptionDefault; inherit (lib.attrsets) mapAttrsToList; inherit (lib.lists) head; inherit (lib.strings) splitString; inherit (utils) escapeSystemdPath; - mountModule = { config, name, ... }: { + mountModule = { + config, + name, + ... + }: { options = with lib.types; { source = mkOption { type = path; @@ -32,23 +41,38 @@ }; }; }; - mkMountType' = { rootDir, specialArgs, modules ? [ ] }: let - rootDirModule = { ... }: { + mkMountType' = { + rootDir, + specialArgs, + modules ? [], + }: let + rootDirModule = {...}: { config.rootDir = mkOptionDefault rootDir; }; - in lib.types.submoduleWith { - modules = [ mountModule rootDirModule ] ++ modules; - inherit specialArgs; - }; - mkMountType = args: with lib.types; coercedTo path (path: { path = mkOptionDefault path; }) (mkMountType' args); - serviceModule = { config, nixosConfig, ... }: let + in + lib.types.submoduleWith { + modules = [mountModule rootDirModule] ++ modules; + inherit specialArgs; + }; + mkMountType = args: with lib.types; coercedTo path (path: {path = mkOptionDefault path;}) (mkMountType' args); + serviceModule = { + config, + nixosConfig, + ... + }: let cfg = config.gensokyo-zone; - mapSharedMounts = f: mapAttrsToList (_: target: - f target - ) cfg.sharedMounts; - mapCacheMounts = f: mapAttrsToList (_: target: - f target - ) cfg.cacheMounts; + mapSharedMounts = f: + mapAttrsToList ( + _: target: + f target + ) + cfg.sharedMounts; + mapCacheMounts = f: + mapAttrsToList ( + _: target: + f target + ) + cfg.cacheMounts; mkRequire = mount: mount.mountUnit; mkBindPath = mount: "${mount.source}:${mount.path}"; specialArgs = { 
@@ -56,28 +80,34 @@
 inherit nixosConfig;
 };
 mountUnits = mkMerge [
- (mkIf (cfg.sharedMounts != { }) (mapSharedMounts mkRequire))
- (mkIf (cfg.cacheMounts != { }) (mapCacheMounts mkRequire))
+ (mkIf (cfg.sharedMounts != {}) (mapSharedMounts mkRequire))
+ (mkIf (cfg.cacheMounts != {}) (mapCacheMounts mkRequire))
 ];
 in {
 options.gensokyo-zone = with lib.types; {
 sharedMounts = mkOption {
- type = attrsOf (mkMountType { rootDir = "/mnt/shared"; inherit specialArgs; });
- default = { };
+ type = attrsOf (mkMountType {
+ rootDir = "/mnt/shared";
+ inherit specialArgs;
+ });
+ default = {};
 };
 cacheMounts = mkOption {
- type = attrsOf (mkMountType { rootDir = "/mnt/caches"; inherit specialArgs; });
- default = { };
+ type = attrsOf (mkMountType {
+ rootDir = "/mnt/caches";
+ inherit specialArgs;
+ });
+ default = {};
 };
 };
 config = {
 requires = mountUnits;
 after = mountUnits;
 serviceConfig = mkMerge [
- (mkIf (cfg.sharedMounts != { }) {
+ (mkIf (cfg.sharedMounts != {}) {
 BindPaths = mapSharedMounts mkBindPath;
 })
- (mkIf (cfg.cacheMounts != { }) {
+ (mkIf (cfg.cacheMounts != {}) {
 BindPaths = mapCacheMounts mkBindPath;
 })
 ];
@@ -87,7 +117,7 @@ in {
 options = with lib.types; {
 systemd.services = mkOption {
 type = attrsOf (submoduleWith {
- modules = [ serviceModule ];
+ modules = [serviceModule];
 shorthandOnlyDefinesConfig = true;
 specialArgs = {
 nixosConfig = config;
diff --git a/modules/nixos/sssd/genso.nix b/modules/nixos/sssd/genso.nix
index 6e5da5e3..4212a737 100644
--- a/modules/nixos/sssd/genso.nix
+++ b/modules/nixos/sssd/genso.nix
@@ -1,4 +1,10 @@
-{ gensokyo-zone, pkgs, config, lib, ... }: let
+{
+ gensokyo-zone,
+ pkgs,
+ config,
+ lib,
+ ...
+}: let
 inherit (gensokyo-zone.lib) mkAlmostOptionDefault mapOptionDefaults mapAlmostOptionDefaults mapDefaults;
 inherit (lib.options) mkOption mkEnableOption;
 inherit (lib.modules) mkIf mkMerge mkAfter mkDefault mkOptionDefault;
@@ -6,7 +12,7 @@
 inherit (config.services) sssd;
 genso = krb5.gensokyo-zone;
 cfg = sssd.gensokyo-zone;
- serverModule = { config, ... }: {
+ serverModule = {config, ...}: {
 options = with lib.types; {
 servers = mkOption {
 type = nullOr (listOf str);
@@ -14,14 +20,14 @@
 };
 backups = mkOption {
 type = listOf str;
- default = [ ];
+ default = [];
 };
 serverName = mkOption {
 type = str;
 internal = true;
 };
 serverKind = mkOption {
- type = enum [ "server" "uri" ];
+ type = enum ["server" "uri"];
 default = "server";
 internal = true;
 };
@@ -35,35 +41,42 @@
 in {
 settings = {
 ${key} = mkIf (config.servers != null) (mkOptionDefault config.servers);
- ${keyBackups} = mkIf (config.backups != [ ]) (mkOptionDefault config.backups);
+ ${keyBackups} = mkIf (config.backups != []) (mkOptionDefault config.backups);
 };
 };
 };
- mkServerType = { modules }: lib.types.submoduleWith {
- modules = [ serverModule ] ++ modules;
- specialArgs = {
- inherit gensokyo-zone pkgs;
- nixosConfig = config;
+ mkServerType = {modules}:
+ lib.types.submoduleWith {
+ modules = [serverModule] ++ modules;
+ specialArgs = {
+ inherit gensokyo-zone pkgs;
+ nixosConfig = config;
+ };
 };
- };
- mkServerOption = { name, kind ? "server" }: let
- serverInfoModule = { ... }: {
+ mkServerOption = {
+ name,
+ kind ? "server",
+ }: let
+ serverInfoModule = {...}: {
 config = {
 serverName = mkOptionDefault name;
 serverKind = mkAlmostOptionDefault kind;
 };
 };
- in mkOption {
- type = mkServerType {
- modules = [ serverInfoModule ];
+ in
+ mkOption {
+ type = mkServerType {
+ modules = [serverInfoModule];
+ };
+ default = {};
 };
- default = { };
- };
 in {
 options.services.sssd.gensokyo-zone = with lib.types; {
- enable = mkEnableOption "realm" // {
- default = genso.enable;
- };
+ enable =
+ mkEnableOption "realm"
+ // {
+ default = genso.enable;
+ };
 ldap = {
 bind = {
 passwordFile = mkOption {
@@ -71,24 +84,29 @@ in {
 default = null;
 };
 };
- uris = mkServerOption { name = "ldap"; kind = "uri"; };
+ uris = mkServerOption {
+ name = "ldap";
+ kind = "uri";
+ };
 };
 krb5 = {
- servers = mkServerOption { name = "krb5"; };
+ servers = mkServerOption {name = "krb5";};
 };
 ipa = {
- servers = mkServerOption { name = "ipa"; } // {
- default = {
- inherit (cfg.krb5.servers) servers backups;
+ servers =
+ mkServerOption {name = "ipa";}
+ // {
+ default = {
+ inherit (cfg.krb5.servers) servers backups;
+ };
 };
- };
 hostName = mkOption {
 type = str;
 default = config.networking.fqdn;
 };
 };
 backend = mkOption {
- type = enum [ "ldap" "ipa" ];
+ type = enum ["ldap" "ipa"];
 default = "ipa";
 };
 };
@@ -97,24 +115,26 @@ in {
 # or "ipaNTSecurityIdentifier" which isn't set for most groups, maybe check netgroups..?
 objectsid = "sambaSID";
 backendDomainSettings = {
- ldap = mapDefaults {
- id_provider = "ldap";
- auth_provider = "krb5";
- access_provider = "ldap";
- ldap_tls_cacert = "/etc/ssl/certs/ca-bundle.crt";
- } // mapOptionDefaults {
- ldap_access_order = [ "host" ];
- ldap_schema = "IPA";
- ldap_default_bind_dn = genso.ldap.bind.dn;
- ldap_search_base = genso.ldap.baseDn;
- ldap_user_search_base = "cn=users,cn=accounts,${genso.ldap.baseDn}";
- ldap_group_search_base = "cn=groups,cn=accounts,${genso.ldap.baseDn}";
- ldap_user_uuid = "ipaUniqueID";
- ldap_user_ssh_public_key = "ipaSshPubKey";
- ldap_user_objectsid = objectsid;
- ldap_group_uuid = "ipaUniqueID";
- ldap_group_objectsid = objectsid;
- };
+ ldap =
+ mapDefaults {
+ id_provider = "ldap";
+ auth_provider = "krb5";
+ access_provider = "ldap";
+ ldap_tls_cacert = "/etc/ssl/certs/ca-bundle.crt";
+ }
+ // mapOptionDefaults {
+ ldap_access_order = ["host"];
+ ldap_schema = "IPA";
+ ldap_default_bind_dn = genso.ldap.bind.dn;
+ ldap_search_base = genso.ldap.baseDn;
+ ldap_user_search_base = "cn=users,cn=accounts,${genso.ldap.baseDn}";
+ ldap_group_search_base = "cn=groups,cn=accounts,${genso.ldap.baseDn}";
+ ldap_user_uuid = "ipaUniqueID";
+ ldap_user_ssh_public_key = "ipaSshPubKey";
+ ldap_user_objectsid = objectsid;
+ ldap_group_uuid = "ipaUniqueID";
+ ldap_group_objectsid = objectsid;
+ };
 ipa = mapOptionDefaults {
 id_provider = "ipa";
 auth_provider = "ipa";
@@ -124,26 +144,28 @@ in {
 dyndns_iface = ipa.dyndns.interface;
 };
 };
- domainSettings = mapAlmostOptionDefaults {
- ipa_hostname = cfg.ipa.hostName;
- } // mapOptionDefaults {
- enumerate = true;
- ipa_domain = genso.domain;
- krb5_realm = genso.realm;
- cache_credentials = ipa.cacheCredentials;
- krb5_store_password_if_offline = ipa.offlinePasswords;
- #min_id = 8000;
- #max_id = 8999;
- };
+ domainSettings =
+ mapAlmostOptionDefaults {
+ ipa_hostname = cfg.ipa.hostName;
+ }
+ // mapOptionDefaults {
+ enumerate = true;
+ ipa_domain = genso.domain;
+ krb5_realm = genso.realm;
+ cache_credentials = ipa.cacheCredentials;
+ krb5_store_password_if_offline = ipa.offlinePasswords;
+ #min_id = 8000;
+ #max_id = 8999;
+ };
 in {
 gensokyo-zone = {
 krb5.servers.servers = mkMerge [
- [ genso.host ]
- (mkAfter [ "_srv" genso.canonHost ])
+ [genso.host]
+ (mkAfter ["_srv" genso.canonHost])
 ];
 ldap.uris = {
 servers = mkMerge [
- (mkAfter [ "_srv" ])
+ (mkAfter ["_srv"])
 genso.ldap.urls
 ];
 };
@@ -191,4 +213,3 @@ in {
 };
 };
 }
-
diff --git a/modules/nixos/sssd/pam.nix b/modules/nixos/sssd/pam.nix
index 94d77fa0..cda0df2a 100644
--- a/modules/nixos/sssd/pam.nix
+++ b/modules/nixos/sssd/pam.nix
@@ -9,8 +9,8 @@
 inherit (lib.modules) mkIf;
 inherit (lib.attrsets) genAttrs;
 cfg = config.services.sssd;
- pamRulesModule = { ... }: let
- rules = [ "account" "auth" "password" "session" ];
+ pamRulesModule = {...}: let
+ rules = ["account" "auth" "password" "session"];
 mkRuleConfig = ruleName: {
 sss = mkIf cfg.enable {
 enable = mkIf (!cfg.services.pam.enable) (mkAlmostForce false);
@@ -19,7 +19,7 @@
 in {
 config = genAttrs rules mkRuleConfig;
 };
- pamServiceModule = { ... }: {
+ pamServiceModule = {...}: {
 options = with lib.types; {
 rules = mkOption {
 type = submodule pamRulesModule;
diff --git a/modules/nixos/sssd/sssd.nix b/modules/nixos/sssd/sssd.nix
index 534d12ae..e8802be3 100644
--- a/modules/nixos/sssd/sssd.nix
+++ b/modules/nixos/sssd/sssd.nix
@@ -15,20 +15,23 @@
 inherit (lib) generators;
 cfg = config.services.sssd;
 mkValuePrimitive = value:
- if value == true then "True"
- else if value == false then "False"
+ if value == true
+ then "True"
+ else if value == false
+ then "False"
 else toString value;
 toINI = generators.toINI {
 mkKeyValue = generators.mkKeyValueDefault {
 mkValueString = value:
- if isList value then concatMapStringsSep ", " mkValuePrimitive value
+ if isList value
+ then concatMapStringsSep ", " mkValuePrimitive value
 else mkValuePrimitive value;
 } " = ";
 };
- primitiveType = with lib.types; oneOf [ str int bool ];
- valueType = with lib.types; oneOf [ primitiveType (listOf primitiveType) ];
+ primitiveType = with lib.types; oneOf [str int bool];
+ valueType = with lib.types; oneOf [primitiveType (listOf primitiveType)];
 settingsType = lib.types.attrsOf valueType;
- serviceModule = { name, ... }: {
+ serviceModule = {name, ...}: {
 options = with lib.types; {
 enable = mkEnableOption "${name} service";
 name = mkOption {
@@ -38,22 +41,24 @@
 };
 settings = mkOption {
 type = settingsType;
- default = { };
+ default = {};
 };
 };
 };
- nssModule = { nixosConfig, ... }: {
+ nssModule = {nixosConfig, ...}: {
 options = {
 # TODO: passwd.enable = mkEnableOption "passwd" // { default = true; };
- shadow.enable = mkEnableOption "shadow" // { default = nixosConfig.services.sssd.services.pam.enable; };
- netgroup.enable = mkEnableOption "netgroup" // { default = true; };
+ shadow.enable = mkEnableOption "shadow" // {default = nixosConfig.services.sssd.services.pam.enable;};
+ netgroup.enable = mkEnableOption "netgroup" // {default = true;};
 };
 };
- domainModule = { name, ... }: {
+ domainModule = {name, ...}: {
 options = with lib.types; {
- enable = mkEnableOption "domain" // {
- default = true;
- };
+ enable =
+ mkEnableOption "domain"
+ // {
+ default = true;
+ };
 domain = mkOption {
 type = str;
 default = name;
@@ -63,17 +68,17 @@
 };
 };
 };
- domainLdapModule = { config, ... }: let
+ domainLdapModule = {config, ...}: let
 cfg = config.ldap;
 in {
 options.ldap = with lib.types; {
 extraAttrs.user = mkOption {
 type = attrsOf str;
- default = { };
+ default = {};
 };
 authtok = {
 type = mkOption {
- type = enum [ "password" "obfuscated_password" ];
+ type = enum ["password" "obfuscated_password"];
 default = "password";
 };
 password = mkOption {
@@ -87,7 +92,7 @@
 passwordVar = mkOption {
 type = str;
 internal = true;
- default = "SSSD_AUTHTOK_" + replaceStrings [ "-" "." ] [ "_" "_" ] (toUpper config.domain);
+ default = "SSSD_AUTHTOK_" + replaceStrings ["-" "."] ["_" "_"] (toUpper config.domain);
 };
 };
 };
@@ -95,14 +100,16 @@
 authtokConfig = mkIf (cfg.authtok.password != null || cfg.authtok.passwordFile != null) {
 ldap_default_authtok_type = mkOptionDefault cfg.authtok.type;
 ldap_default_authtok = mkOptionDefault (
- if cfg.authtok.passwordFile != null then "\$${cfg.authtok.passwordVar}"
+ if cfg.authtok.passwordFile != null
+ then "\$${cfg.authtok.passwordVar}"
 else cfg.authtok.password
 );
 };
- extraAttrsConfig = mkIf (cfg.extraAttrs.user != { }) {
+ extraAttrsConfig = mkIf (cfg.extraAttrs.user != {}) {
 ldap_user_extra_attrs = let
 mkAttr = name: attr: "${name}:${attr}";
- in mapAttrsToList mkAttr cfg.extraAttrs.user;
+ in
+ mapAttrsToList mkAttr cfg.extraAttrs.user;
 };
 in {
 settings = mkMerge [
@@ -119,7 +126,7 @@ in {
 };
 domains = mkOption {
 type = attrsOf (submoduleWith {
- modules = [ domainModule domainLdapModule ];
+ modules = [domainModule domainLdapModule];
 specialArgs = {
 nixosConfig = config;
 };
@@ -135,25 +142,27 @@ in {
 };
 };
 services = let
- mkServiceOption = name: { modules ? [ ] }: mkOption {
- type = submoduleWith {
- modules = [ serviceModule ] ++ modules;
- specialArgs = {
- inherit name;
- nixosConfig = config;
+ mkServiceOption = name: {modules ? []}:
+ mkOption {
+ type = submoduleWith {
+ modules = [serviceModule] ++ modules;
+ specialArgs = {
+ inherit name;
+ nixosConfig = config;
+ };
 };
 };
- };
 services = {
- nss = { modules = [ nssModule ]; };
- pam = { };
- ifp = { };
- sudo = { };
- autofs = { };
- ssh = { };
- pac = { };
+ nss = {modules = [nssModule];};
+ pam = {};
+ ifp = {};
+ sudo = {};
+ autofs = {};
+ ssh = {};
+ pac = {};
 };
- in mapAttrs mkServiceOption services;
+ in
+ mapAttrs mkServiceOption services;
 settings = mkOption {
 type = attrsOf settingsType;
 };
@@ -175,11 +184,14 @@ in {
 domains = map (domain: domain.domain) enabledDomains;
 };
 };
- domainSettings = map (domain: {
- "domain/${domain.domain}" = mapAttrs (_: mkOptionDefault) domain.settings;
- }) enabledDomains;
- settings = [ defaultSettings serviceSettings ] ++ domainSettings;
- in mkMerge settings;
+ domainSettings =
+ map (domain: {
+ "domain/${domain.domain}" = mapAttrs (_: mkOptionDefault) domain.settings;
+ })
+ enabledDomains;
+ settings = [defaultSettings serviceSettings] ++ domainSettings;
+ in
+ mkMerge settings;
 services = {
 nss.enable = mkAlmostOptionDefault true;
 pam.enable = mkAlmostOptionDefault true;
@@ -187,24 +199,30 @@ in {
 extraUserAttrs = listToAttrs (concatMap (domain: map (flip nameValuePair {}) (attrNames domain.ldap.extraAttrs.user)) enabledDomains);
 mkExtraAttr = name: _: "+${name}";
 in {
- user_attributes = mkIf (extraUserAttrs != { }) (mkOptionDefault (
+ user_attributes = mkIf (extraUserAttrs != {}) (mkOptionDefault (
 mapAttrsToList mkExtraAttr extraUserAttrs
 ));
 };
- sudo = { };
- autofs = { };
- ssh = { };
- pac = { };
+ sudo = {};
+ autofs = {};
+ ssh = {};
+ pac = {};
 };
 configText = mkOptionDefault (toINI cfg.settings);
 config = mkIf (cfg.configText != null) (mkAlmostOptionDefault cfg.configText);
 };
 config.system.nssDatabases = let
 inherit (cfg.services) nss;
- in mkIf cfg.enable {
- ${if options ? system.nssDatabases.netgroup then "netgroup" else null} = mkIf (nss.enable && nss.netgroup.enable) [ "sss" ];
- shadow = mkIf (!nss.enable || !nss.shadow.enable) (
- mkForce [ "files" ]
- );
- };
+ in
+ mkIf cfg.enable {
+ ${
+ if options ? system.nssDatabases.netgroup
+ then "netgroup"
+ else null
+ } =
+ mkIf (nss.enable && nss.netgroup.enable) ["sss"];
+ shadow = mkIf (!nss.enable || !nss.shadow.enable) (
+ mkForce ["files"]
+ );
+ };
 }
diff --git a/modules/nixos/steam/account-switch.nix b/modules/nixos/steam/account-switch.nix
index 333844c1..6485d89c 100644
--- a/modules/nixos/steam/account-switch.nix
+++ b/modules/nixos/steam/account-switch.nix
@@ -12,7 +12,11 @@
 inherit (lib.lists) singleton;
 inherit (lib.strings) removePrefix;
 cfg = config.services.steam.accountSwitch;
- machineModule = { config, name, ... }: {
+ machineModule = {
+ config,
+ name,
+ ...
+ }: {
 options = with lib.types; {
 name = mkOption {
 type = str;
@@ -67,7 +71,7 @@ in { }; machines = mkOption { type = attrsOf (submodule machineModule); - default = { }; + default = {}; }; };
@@ -93,34 +97,40 @@ in {
 inherit owner;
 inherit (shared) group mode;
 };
- setupFiles = singleton {
- ${cfg.rootDir} = toplevel;
- ${cfg.binDir} = toplevel;
- ${cfg.binDir + "/users"} = shared;
- ${cfg.dataDir} = toplevel;
- ${cfg.sharedDataDir} = shared;
- ${cfg.workingDir} = toplevel;
- ${cfg.sharedWorkingDir} = shared;
- } ++ map (owner: {
- ${cfg.dataDir + "/${owner}"} = personal owner;
- ${cfg.workingDir + "/${owner}"} = personal owner;
- }) cfg.users
- ++ mapAttrsToList (_: machine: {
- ${cfg.dataDir + "/${machine.name}"} = personal machine.owner;
- ${cfg.workingDir + "/${machine.name}"} = personal machine.owner;
- }) cfg.machines;
- userBinFiles = listToAttrs (map (user: nameValuePair "${cfg.binDir}/users/${user}.bat" {
- inherit (toplevel) owner group;
- mode = "0755";
- type = "copy";
- src = pkgs.writeTextFile {
- name = "steam-${user}.bat";
- executable = true;
- text = ''
- setx GENSO_STEAM_USER ${user}
- '';
- };
- }) cfg.users);
+ setupFiles =
+ singleton {
+ ${cfg.rootDir} = toplevel;
+ ${cfg.binDir} = toplevel;
+ ${cfg.binDir + "/users"} = shared;
+ ${cfg.dataDir} = toplevel;
+ ${cfg.sharedDataDir} = shared;
+ ${cfg.workingDir} = toplevel;
+ ${cfg.sharedWorkingDir} = shared;
+ }
+ ++ map (owner: {
+ ${cfg.dataDir + "/${owner}"} = personal owner;
+ ${cfg.workingDir + "/${owner}"} = personal owner;
+ })
+ cfg.users
+ ++ mapAttrsToList (_: machine: {
+ ${cfg.dataDir + "/${machine.name}"} = personal machine.owner;
+ ${cfg.workingDir + "/${machine.name}"} = personal machine.owner;
+ })
+ cfg.machines;
+ userBinFiles = listToAttrs (map (user:
+ nameValuePair "${cfg.binDir}/users/${user}.bat" {
+ inherit (toplevel) owner group;
+ mode = "0755";
+ type = "copy";
+ src = pkgs.writeTextFile {
+ name = "steam-${user}.bat";
+ executable = true;
+ text = ''
+ setx GENSO_STEAM_USER ${user}
+ '';
+ };
+ })
+ cfg.users);
 in {
 enable = mkIf (cfg.enable || cfg.setup) true;
 files = mkMerge [
@@ -132,14 +142,16 @@ in {
 mkSharePathWith = {
 path,
 winRoot ? "%GENSO_SMB_SHARED_MOUNT%",
- }: mkWinPath (
- winRoot
- + "/${cfg.sharePath}"
- + "/${removePrefix (cfg.rootDir + "/") path}"
- );
- mkSharePath = path: config.lib.steam.mkSharePathWith {
- inherit path;
- };
+ }:
+ mkWinPath (
+ winRoot
+ + "/${cfg.sharePath}"
+ + "/${removePrefix (cfg.rootDir + "/") path}"
+ );
+ mkSharePath = path:
+ config.lib.steam.mkSharePathWith {
+ inherit path;
+ };
 };
 };
 }
diff --git a/modules/nixos/steam/beatsaber.nix b/modules/nixos/steam/beatsaber.nix
index 0f5e8fc9..633b5509 100644
--- a/modules/nixos/steam/beatsaber.nix
+++ b/modules/nixos/steam/beatsaber.nix
@@ -17,8 +17,15 @@
 sortedVersions = sort (a: b: versionOlder a.version b.version) (attrValues cfg.versions);
 prevVersionFor = version: let
 olderVersions = filter (v: versionOlder v.version version) sortedVersions;
- in if olderVersions != [] then last olderVersions else null;
- versionModule = { config, name, ... }: {
+ in
+ if olderVersions != []
+ then last olderVersions
+ else null;
+ versionModule = {
+ config,
+ name,
+ ...
+ }: {
 options = with lib.types; {
 version = mkOption {
 type = str;
@@ -40,14 +47,18 @@
 );
 };
 };
- fileModule = { config, name, ... }: {
+ fileModule = {
+ config,
+ name,
+ ...
+ }: {
 options = with lib.types; {
 relativePath = mkOption {
 type = str;
 default = name;
 };
 type = mkOption {
- type = enum [ "file" "directory" ];
+ type = enum ["file" "directory"];
 default = "file";
 };
 versioned = mkOption {
@@ -55,13 +66,16 @@
 default = false;
 };
 target = mkOption {
- type = enum [ "user" "shared" "game" ];
+ type = enum ["user" "shared" "game"];
 default = "user";
 };
 mode = {
 file = mkOption {
 type = str;
- default = if hasSuffix ".exe" config.relativePath || hasSuffix ".dll" config.relativePath then "775" else "664";
+ default =
+ if hasSuffix ".exe" config.relativePath || hasSuffix ".dll" config.relativePath
+ then "775"
+ else "664";
 };
 dir = mkOption {
 type = str;
@@ -75,7 +89,7 @@
 type = functionTo path;
 };
 srcStyle = mkOption {
- type = enum [ "empty" "copy" "symlink" "symlink-shallow" ];
+ type = enum ["empty" "copy" "symlink" "symlink-shallow"];
 default = "symlink";
 };
 workingPathFor = mkOption {
@@ -88,7 +102,7 @@
 type = functionTo (nullOr path);
 };
 initStyle = mkOption {
- type = enum [ "none" "copy" "symlink" "symlink-shallow" ];
+ type = enum ["none" "copy" "symlink" "symlink-shallow"];
 default = "copy";
 };
 setup = {
@@ -106,32 +120,56 @@ versionPathFor = version: optionalString config.versioned "/${version}"; in { init = mkOptionDefault ( - if config.target == "game" then null - else if config.type == "directory" then "${emptyDir}" - else if hasSuffix ".json" config.relativePath then "${emptyJson}" - else if hasSuffix ".dll" config.relativePath || hasSuffix ".exe" config.relativePath then "${emptyExecutable}" + if config.target == "game" + then null + else if config.type == "directory" + then "${emptyDir}" + else if hasSuffix ".json" config.relativePath + then "${emptyJson}" + else if hasSuffix ".dll" config.relativePath || hasSuffix ".exe" config.relativePath + then "${emptyExecutable}" else "${emptyFile}" ); initFor = mkOptionDefault ( - { user, version }: config.init - ); - ownerFor = mkOptionDefault (user: - if config.target == "user" then user else "admin" - ); - srcPathFor = mkOptionDefault ({ user, version }: { - shared = cfg.sharedDataDir + versionPathFor version; - user = cfg.dataDirFor user + versionPathFor version; - game = cfg.gameDirFor version; - }.${config.target} or (throw "unsupported target") - + "/${config.relativePath}" + user, + version, + }: + config.init ); - workingPathFor = mkOptionDefault ({ user, version }: - cfg.workingDirFor { inherit user version; } - + "/${config.relativePath}" + ownerFor = mkOptionDefault ( + user: + if config.target == "user" + then user + else "admin" + ); + srcPathFor = mkOptionDefault ( + { + user, + version, + }: + { + shared = cfg.sharedDataDir + versionPathFor version; + user = cfg.dataDirFor user + versionPathFor version; + game = cfg.gameDirFor version; + } + .${config.target} + or (throw "unsupported target") + + "/${config.relativePath}" + ); + workingPathFor = mkOptionDefault ( + { + user, + version, + }: + cfg.workingDirFor {inherit user version;} + + "/${config.relativePath}" ); # TODO: setup.shared and do inits seperately! 
- setup.script = { user, version }@args: let + setup.script = { + user, + version, + } @ args: let owner = config.ownerFor user; srcPath = config.srcPathFor args; workingPath = config.workingPathFor args; 
@@ -148,85 +186,120 @@ fi chown ${owner}:${cfg.group} ${escapeShellArg dest} ''; - mkStyle = { style, src }: if style != "none" && src == { - file = "${emptyFile}"; - directory = "${emptyDir}"; - }.${config.type} then "empty" else style; - doInit = { style, src, dest }: { - none = "true"; - copy = { - file = '' - if [[ -L ${escapeShellArg dest} ]]; then - rm -f ${escapeShellArg dest} - elif [[ -e ${escapeShellArg dest} ]]; then - echo ERR: something is in the way of copying ${escapeShellArg dest} >&2 + mkStyle = { + style, + src, + }: + if + style + != "none" + && src + == { + file = "${emptyFile}"; + directory = "${emptyDir}"; + } + .${config.type} + then "empty" + else style; + doInit = { + style, + src, + dest, + }: + { + none = "true"; + copy = + { + file = '' + if [[ -L ${escapeShellArg dest} ]]; then + rm -f ${escapeShellArg dest} + elif [[ -e ${escapeShellArg dest} ]]; then + echo ERR: something is in the way of copying ${escapeShellArg dest} >&2 + exit 1 + fi + cp -TP --no-preserve=all ${escapeShellArg src} ${escapeShellArg dest} + chmod ${config.mode.file} ${escapeShellArg dest} + chown ${owner}:${cfg.group} ${escapeShellArg dest} + ''; + directory = '' + ${mkdir dest} + cp -rTP --no-preserve=all ${escapeShellArg src} ${escapeShellArg dest} + chown -R ${owner}:${cfg.group} ${escapeShellArg dest} + find ${escapeShellArg dest} -type f -exec chmod -m${config.mode.file} "{}" \; + ''; + } + .${config.type}; + empty = + { + directory = '' + ${mkdir dest} + ''; + file = '' + touch ${escapeShellArg dest} + chmod ${config.mode.file} ${escapeShellArg dest} + chown ${owner}:${cfg.group} ${escapeShellArg dest} + ''; + } + .${config.type}; + symlink = '' + if [[ -e ${escapeShellArg dest} && ! 
-L ${escapeShellArg dest} ]]; then + echo ERR: something is in the way of linking ${escapeShellArg dest} >&2 exit 1 fi - cp -TP --no-preserve=all ${escapeShellArg src} ${escapeShellArg dest} - chmod ${config.mode.file} ${escapeShellArg dest} - chown ${owner}:${cfg.group} ${escapeShellArg dest} + ln -sfT ${escapeShellArg src} ${escapeShellArg dest} ''; - directory = '' - ${mkdir dest} - cp -rTP --no-preserve=all ${escapeShellArg src} ${escapeShellArg dest} - chown -R ${owner}:${cfg.group} ${escapeShellArg dest} - find ${escapeShellArg dest} -type f -exec chmod -m${config.mode.file} "{}" \; - ''; - }.${config.type}; - empty = { - directory = '' - ${mkdir dest} - ''; - file = '' - touch ${escapeShellArg dest} - chmod ${config.mode.file} ${escapeShellArg dest} - chown ${owner}:${cfg.group} ${escapeShellArg dest} - ''; - }.${config.type}; - symlink = '' - if [[ -e ${escapeShellArg dest} && ! -L ${escapeShellArg dest} ]]; then - echo ERR: something is in the way of linking ${escapeShellArg dest} >&2 - exit 1 - fi - ln -sfT ${escapeShellArg src} ${escapeShellArg dest} - ''; - symlink-shallow = { - directory = '' - ${mkdir dest} - ln -sf ${escapeShellArg src}/* ${escapeShellArg dest}/ - ''; - }.${config.type}; - }.${mkStyle { inherit style src; }}; - doSetup = { style, src, dest }: rec { - none = "true"; - copy = { - file = '' - ${empty} - ''; - directory = '' - ${empty} - if [[ ${escapeShellArg dest}/* != ${escapeShellArg dest}/\* ]]; then - chmod -m${config.mode.file} ${escapeShellArg dest}/* - fi - ''; - }.${config.type}; - empty = { - directory = '' - chmod ${config.mode.dir} ${escapeShellArg dest} - chown ${owner}:${cfg.group} ${escapeShellArg dest} - ''; - file = '' - chmod ${config.mode.file} ${escapeShellArg dest} - chown ${owner}:${cfg.group} ${escapeShellArg dest} - ''; - }.${config.type}; - symlink = "true"; - symlink-shallow = { - directory = '' - ${mkdir.directory} - ''; - }.${config.type}; - }.${mkStyle { inherit style src; }}; + symlink-shallow = + { + 
directory = '' + ${mkdir dest} + ln -sf ${escapeShellArg src}/* ${escapeShellArg dest}/ + ''; + } + .${config.type}; + } + .${mkStyle {inherit style src;}}; + doSetup = { + style, + src, + dest, + }: + rec { + none = "true"; + copy = + { + file = '' + ${empty} + ''; + directory = '' + ${empty} + if [[ ${escapeShellArg dest}/* != ${escapeShellArg dest}/\* ]]; then + chmod -m${config.mode.file} ${escapeShellArg dest}/* + fi + ''; + } + .${config.type}; + empty = + { + directory = '' + chmod ${config.mode.dir} ${escapeShellArg dest} + chown ${owner}:${cfg.group} ${escapeShellArg dest} + ''; + file = '' + chmod ${config.mode.file} ${escapeShellArg dest} + chown ${owner}:${cfg.group} ${escapeShellArg dest} + ''; + } + .${config.type}; + symlink = "true"; + symlink-shallow = + { + directory = '' + ${mkdir.directory} + ''; + } + .${config.type}; + } + .${mkStyle {inherit style src;}}; init = doInit { style = config.initStyle; src = initPath; 
@@ -242,37 +315,46 @@ src = srcPath; dest = workingPath; }; - checkFlag = { - file = { - none = "e"; - copy = "f"; - symlink = "L"; - }.${config.initStyle}; - directory = { - none = "e"; - copy = "d"; - symlink-shallow = "d"; - symlink = "L"; - }.${config.initStyle}; - }.${config.type}; + checkFlag = + { + file = + { + none = "e"; + copy = "f"; + symlink = "L"; + } + .${config.initStyle}; + directory = + { + none = "e"; + copy = "d"; + symlink-shallow = "d"; + symlink = "L"; + } + .${config.initStyle}; + } + .${config.type}; checkParent = '' if [[ ! -d ${escapeShellArg parentWorkingPath} ]]; then echo ERR: parent of ${escapeShellArg workingPath} does not exist >&2 exit 1 fi ''; - check = if initPath != null then '' - if [[ ! -${checkFlag} ${escapeShellArg srcPath} ]]; then - ${init} - else - ${setup} - fi - '' else '' - if [[ ! -${checkFlag} ${escapeShellArg srcPath} ]]; then - echo ERR: src ${escapeShellArg srcPath} for ${escapeShellArg workingPath} does not exist >&2 - exit 1 - fi - ''; + check = + if initPath != null + then '' + if [[ ! -${checkFlag} ${escapeShellArg srcPath} ]]; then + ${init} + else + ${setup} + fi + '' + else '' + if [[ ! -${checkFlag} ${escapeShellArg srcPath} ]]; then + echo ERR: src ${escapeShellArg srcPath} for ${escapeShellArg workingPath} does not exist >&2 + exit 1 + fi + ''; in '' ${checkParent} ${check} @@ -280,7 +362,11 @@ ''; }; }; - userModule = { config, name, ... }: { + userModule = { + config, + name, + ... + }: { options = with lib.types; { name = mkOption { type = str; @@ -294,7 +380,7 @@ }; emptyFile = pkgs.writeText "empty.txt" ""; emptyJson = pkgs.writeText "empty.json" "{}"; - emptyDir = pkgs.runCommand "empty" { } '' + emptyDir = pkgs.runCommand "empty" {} '' mkdir $out ''; emptyExecutable = pkgs.writeTextFile { 
@@ -347,9 +433,11 @@ rmdir "%STEAM_BS_LIBRARY%" mklink /D "%STEAM_BS_LIBRARY%" "%STEAM_BS_LAUNCH%" ''; - launch = '' - cd /d "%STEAM_BS_LIBRARY%" - '' + ''"%STEAM_BS_LIBRARY%\Beat Saber.exe"''; + launch = + '' + cd /d "%STEAM_BS_LIBRARY%" + '' + + ''"%STEAM_BS_LIBRARY%\Beat Saber.exe"''; setup = '' rmdir "%STEAM_BS_APPDATA%" rmdir "%STEAM_BS_LIBRARY%" @@ -404,7 +492,10 @@ ${launch} ${eof} ''; - beatsaber-user = { user, version }: '' + beatsaber-user = { + user, + version, + }: '' set GENSO_STEAM_USER=${user} set GENSO_STEAM_BS_VERSION=${version} ${vars} @@ -416,19 +507,25 @@ setx GENSO_STEAM_BS_VERSION Vanilla ''; - mksetupbeatsaber = { user, version }: let - setupFiles = mapAttrsToList (_: file: file.setup.script { inherit user version; }) cfg.files; - in pkgs.writeShellScript "setupbeatsaber-${user}-${version}" '' - set -eu - export PATH="$PATH:${makeBinPath [ pkgs.coreutils ]}" - ${concatStringsSep "\n" setupFiles} - ''; + mksetupbeatsaber = { + user, + version, + }: let + setupFiles = mapAttrsToList (_: file: file.setup.script {inherit user version;}) cfg.files; + in + pkgs.writeShellScript "setupbeatsaber-${user}-${version}" '' + set -eu + export PATH="$PATH:${makeBinPath [pkgs.coreutils]}" + ${concatStringsSep "\n" setupFiles} + ''; in { options.services.steam.beatsaber = with lib.types; { enable = mkEnableOption "beatsaber scripts"; - setup = mkEnableOption "beatsaber data" // { - default = accountSwitch.setup; - }; + setup = + mkEnableOption "beatsaber data" + // { + default = accountSwitch.setup; + }; group = mkOption { type = str; default = "beatsaber"; @@ -438,7 +535,7 @@ in { }; versions = mkOption { type = attrsOf (submodule versionModule); - default = { }; + default = {}; }; setupServiceNames = mkOption { type = listOf str; @@ -446,7 +543,7 @@ in { }; files = mkOption { type = attrsOf (submodule fileModule); - default = { }; + default = {}; }; users = mkOption { type = attrsOf (submodule userModule); 
@@ -489,7 +586,11 @@ in { }; workingDirFor = mkOption { type = functionTo path; - default = { user, version }: cfg.userWorkingDirFor user + "/${version}"; + default = { + user, + version, + }: + cfg.userWorkingDirFor user + "/${version}"; }; }; @@ -498,9 +599,9 @@ in { bsUsers = filterAttrs (_: userIs cfg.group) config.users.users; allVersions = mapAttrsToList (_: version: version.version) cfg.versions; gameFiles = { - "Beat Saber.exe" = { }; - "UnityCrashHandler64.exe" = { }; - "UnityPlayer.dll" = { }; + "Beat Saber.exe" = {}; + "UnityCrashHandler64.exe" = {}; + "UnityPlayer.dll" = {}; "MonoBleedingEdge".type = "directory"; }; sharedFiles = { @@ -526,7 +627,7 @@ in { }; "BeatSaberVersion.txt" = { versioned = true; - initFor = { version, ... }: pkgs.writeText "BeatSaberVersion-${version}.txt" version; + initFor = {version, ...}: pkgs.writeText "BeatSaberVersion-${version}.txt" version; }; "IPA.exe".versioned = true; "IPA.exe.config".versioned = true; @@ -538,19 +639,19 @@ in { #initStyle = "symlink-shallow"; #initFor = { version, ... }: cfg.gameDirFor version + "/${bsdata}"; initStyle = "none"; - srcPathFor = { version, ... }: cfg.gameDirFor version + "/${bsdata}"; + srcPathFor = {version, ...}: cfg.gameDirFor version + "/${bsdata}"; srcStyle = "symlink-shallow"; }; "${bsdata}/Managed" = { type = "directory"; versioned = true; - initFor = { version, ... }: cfg.gameDirFor version + "/${bsdata}/Managed"; + initFor = {version, ...}: cfg.gameDirFor version + "/${bsdata}/Managed"; }; # TODO: remove this to use multiple folders "${bsdata}/CustomLevels" = { type = "directory"; initStyle = "none"; - srcPathFor = { ... }: cfg.sharedDataDir + "/CustomLevels"; + srcPathFor = {...}: cfg.sharedDataDir + "/CustomLevels"; }; CustomAvatars = { type = "directory"; 
@@ -579,7 +680,7 @@ in {
 "UserData/ScoreSaber/Replays" = {
 type = "directory";
 initStyle = "none";
- srcPathFor = { ... }: cfg.sharedDataDir + "/Replays";
+ srcPathFor = {...}: cfg.sharedDataDir + "/Replays";
 };
 "UserData/Beat Saber IPA.json".versioned = true;
 "UserData/SongCore/" = {
@@ -619,8 +720,8 @@ in {
 };
 "UserData/Saber Factory/Cache".type = "directory";
 "UserData/Saber Factory/Textures".type = "directory";
- "UserData/BeatSaverDownloader.ini" = { };
- "UserData/BeatSaverUpdater.json" = { };
+ "UserData/BeatSaverDownloader.ini" = {};
+ "UserData/BeatSaverUpdater.json" = {};
 "UserData/SongDetailsCache.proto".versioned = true;
 "UserData/SongDetailsCache.proto.Direct.etag".versioned = true;
 };
@@ -636,7 +737,7 @@ in {
 srcStyle = "empty";
 };
 "UserData/Saber Factory/Presets".type = "directory";
- "UserData/Saber Factory/TrailConfig.json" = { };
+ "UserData/Saber Factory/TrailConfig.json" = {};
 "UserData/SongCore" = {
 type = "directory";
 versioned = true;
@@ -658,17 +759,23 @@ in {
 "UserData/JDFixer.json".versioned = true;
 };
 userDataFiles = [
- "modprefs.ini" "Disabled Mods.json"
+ "modprefs.ini"
+ "Disabled Mods.json"
 "AutoPauseStealth.json"
 "BeatSaberMarkupLanguage.json"
 "BeatSaviorData.ini"
 "BetterSongList.json"
 "BetterSongSearch.json"
- "bookmarkedSongs.json" "votedSongs.json"
+ "bookmarkedSongs.json"
+ "votedSongs.json"
 "Chroma.json"
 "Cinema.json"
 "CountersPlus.json"
- "CustomAvatars.CalibrationData.dat" "CustomAvatars.json" "CustomNotes.json" "Custom Platforms.json" "CustomWalls.json"
+ "CustomAvatars.CalibrationData.dat"
+ "CustomAvatars.json"
+ "CustomNotes.json"
+ "Custom Platforms.json"
+ "CustomWalls.json"
 "DrinkWater.json"
 "EasyOffset.json"
 "Enhancements.json"
@@ -702,20 +809,25 @@ in { "Tweaks55.json" "UITweaks.json" ]; - mapSharedFile = file: file // { - target = "shared"; - }; - mapGameFile = file: file // { - target = "game"; - }; - mapUserDataFile = file: nameValuePair "UserData/${file}" { - target = "user"; - }; + mapSharedFile = file: + file + // { + target = "shared"; + }; + mapGameFile = file: + file + // { + target = "game"; + }; + mapUserDataFile = file: + nameValuePair "UserData/${file}" { + target = "user"; + }; in { - defaultVersion = mkIf (allVersions != [ ]) (mkOptionDefault ( + defaultVersion = mkIf (allVersions != []) (mkOptionDefault ( head allVersions )); - users = mapAttrs (_: user: { name = mkDefault user.name; }) bsUsers; + users = mapAttrs (_: user: {name = mkDefault user.name;}) bsUsers; setupServiceNames = mkOptionDefault ( mapAttrsToList (_: user: "steam-setup-beatsaber-${user.name}.service") cfg.users ); @@ -736,11 +848,16 @@ in { serviceConfig = { Type = mkOptionDefault "oneshot"; RemainAfterExit = mkOptionDefault true; - ExecStart = mkMerge (mapAttrsToList (_: user: - (mapAttrsToList (_: version: - "${mksetupbeatsaber { user = user.name; inherit (version) version; }}" - ) cfg.versions) - ) cfg.users); + ExecStart = mkMerge (mapAttrsToList ( + _: user: (mapAttrsToList ( + _: version: "${mksetupbeatsaber { + user = user.name; + inherit (version) version; + }}" + ) + cfg.versions) + ) + cfg.users); }; }; services.tmpfiles = let 
@@ -774,132 +891,157 @@ in { "AppData" "UserData" ]; - setupFiles = [ + setupFiles = + [ + { + ${cfg.sharedDataDir} = toplevel; + ${cfg.binDir} = shared; + } + (listToAttrs ( + map ( + folder: + nameValuePair "${cfg.sharedDataDir}/${folder}" shared + ) + sharedFolders + )) + ] + ++ concatLists (mapAttrsToList ( + _: user: + singleton { + ${cfg.dataDirFor user.name} = personal user.name; + "${cfg.dataDirFor user.name}/AppData" = personal user.name; + "${cfg.dataDirFor user.name}/UserData" = personal user.name; + } + ++ mapAttrsToList (_: version: { + "${cfg.dataDirFor user.name}/${version.version}" = personal user.name; + ${cfg.userWorkingDirFor user.name} = personal user.name; + ${ + cfg.workingDirFor { + user = user.name; + inherit (version) version; + } + } = + personal user.name; + }) + cfg.versions + ) + cfg.users) + ++ mapAttrsToList (_: version: { + "${cfg.sharedDataDir}/${version.version}" = shared; + }) + cfg.versions; + versionBinFiles = + mapAttrs' ( + _: version: + nameValuePair + "${cfg.binDir}/${replaceStrings ["."] ["_"] version.version}.bat" + { + inherit (bin) owner group mode type; + src = pkgs.writeTextFile { + name = "beatsaber-${version.version}.bat"; + executable = true; + text = '' + setx GENSO_STEAM_BS_VERSION ${version.version} + ''; + }; + } + ) + cfg.versions; + userBinFiles = + mapAttrs' ( + _: user: + nameValuePair + "${cfg.binDir}/${user.name}.bat" + { + inherit (bin) owner group mode type; + src = pkgs.writeTextFile { + name = "beatsaber-${user.name}.bat"; + executable = true; + text = beatsaber-user { + user = user.name; + version = user.preferredVersion; + }; + }; + } + ) + cfg.users; + binFiles = { - ${cfg.sharedDataDir} = toplevel; - ${cfg.binDir} = shared; - } - (listToAttrs ( - map (folder: - nameValuePair "${cfg.sharedDataDir}/${folder}" shared - ) sharedFolders - )) - ] ++ concatLists (mapAttrsToList (_: user: - singleton { - ${cfg.dataDirFor user.name} = personal user.name; - "${cfg.dataDirFor user.name}/AppData" = personal 
user.name; - "${cfg.dataDirFor user.name}/UserData" = personal user.name; - } ++ mapAttrsToList (_: version: { - "${cfg.dataDirFor user.name}/${version.version}" = personal user.name; - ${cfg.userWorkingDirFor user.name} = personal user.name; - ${cfg.workingDirFor { user = user.name; inherit (version) version; }} = personal user.name; - }) cfg.versions - ) cfg.users) - ++ mapAttrsToList (_: version: { - "${cfg.sharedDataDir}/${version.version}" = shared; - }) cfg.versions; - versionBinFiles = mapAttrs' (_: version: nameValuePair - "${cfg.binDir}/${replaceStrings [ "." ] [ "_" ] version.version}.bat" - { - inherit (bin) owner group mode type; - src = pkgs.writeTextFile { - name = "beatsaber-${version.version}.bat"; - executable = true; - text = '' - setx GENSO_STEAM_BS_VERSION ${version.version} - ''; + "${cfg.binDir}/mount.bat" = { + inherit (bin) owner group mode type; + src = pkgs.writeTextFile { + name = "beatsaber-mount.bat"; + executable = true; + text = mountbeatsaber; + }; }; - } - ) cfg.versions; - userBinFiles = mapAttrs' (_: user: nameValuePair - "${cfg.binDir}/${user.name}.bat" - { - inherit (bin) owner group mode type; - src = pkgs.writeTextFile { - name = "beatsaber-${user.name}.bat"; - executable = true; - text = beatsaber-user { - user = user.name; - version = user.preferredVersion; + "${cfg.binDir}/launch.bat" = { + inherit (bin) owner group mode type; + src = pkgs.writeTextFile { + name = "beatsaber-launch.bat"; + executable = true; + text = launchbeatsaber; + }; + }; + "${cfg.binDir}/fpfc.bat" = { + inherit (bin) owner group mode type; + src = pkgs.writeTextFile { + name = "beatsaber-fpfc.bat"; + executable = true; + text = fpfcbeatsaber; + }; + }; + "${cfg.binDir}/setup.bat" = { + inherit (bin) owner group mode type; + src = pkgs.writeTextFile { + name = "beatsaber-setup.bat"; + executable = true; + text = setupbeatsaber; + }; + }; + "${cfg.binDir}/local-launch.bat" = { + inherit (bin) owner group mode type; + src = pkgs.writeTextFile { + name = 
"beatsaber-local-launch.bat"; + executable = true; + text = localbeatsaber-launch; + }; + }; + "${cfg.binDir}/local-mount.bat" = { + inherit (bin) owner group mode type; + src = pkgs.writeTextFile { + name = "beatsaber-local-mount.bat"; + executable = true; + text = localbeatsaber-mount; + }; + }; + "${cfg.binDir}/local-vanilla.bat" = { + inherit (bin) owner group mode type; + src = pkgs.writeTextFile { + name = "beatsaber-local-vanilla.bat"; + executable = true; + text = localbeatsaber-vanilla; + }; + }; + "${cfg.binDir}/vanilla.bat" = { + inherit (bin) owner group mode type; + src = pkgs.writeTextFile { + name = "beatsaber-version-vanilla.bat"; + executable = true; + text = vanilla; + }; + }; + "${cfg.binDir}/ModAssistant.exe" = { + inherit (bin) owner group mode type; + src = pkgs.fetchurl { + url = "https://github.com/Assistant/ModAssistant/releases/download/v1.1.32/ModAssistant.exe"; + hash = "sha256-ozu2gYFiz+2BjptqL80DmUopbahbyGKFO1IPd7BhVPM="; + executable = true; }; }; } - ) cfg.users; - binFiles = { - "${cfg.binDir}/mount.bat" = { - inherit (bin) owner group mode type; - src = pkgs.writeTextFile { - name = "beatsaber-mount.bat"; - executable = true; - text = mountbeatsaber; - }; - }; - "${cfg.binDir}/launch.bat" = { - inherit (bin) owner group mode type; - src = pkgs.writeTextFile { - name = "beatsaber-launch.bat"; - executable = true; - text = launchbeatsaber; - }; - }; - "${cfg.binDir}/fpfc.bat" = { - inherit (bin) owner group mode type; - src = pkgs.writeTextFile { - name = "beatsaber-fpfc.bat"; - executable = true; - text = fpfcbeatsaber; - }; - }; - "${cfg.binDir}/setup.bat" = { - inherit (bin) owner group mode type; - src = pkgs.writeTextFile { - name = "beatsaber-setup.bat"; - executable = true; - text = setupbeatsaber; - }; - }; - "${cfg.binDir}/local-launch.bat" = { - inherit (bin) owner group mode type; - src = pkgs.writeTextFile { - name = "beatsaber-local-launch.bat"; - executable = true; - text = localbeatsaber-launch; - }; - }; - 
"${cfg.binDir}/local-mount.bat" = { - inherit (bin) owner group mode type; - src = pkgs.writeTextFile { - name = "beatsaber-local-mount.bat"; - executable = true; - text = localbeatsaber-mount; - }; - }; - "${cfg.binDir}/local-vanilla.bat" = { - inherit (bin) owner group mode type; - src = pkgs.writeTextFile { - name = "beatsaber-local-vanilla.bat"; - executable = true; - text = localbeatsaber-vanilla; - }; - }; - "${cfg.binDir}/vanilla.bat" = { - inherit (bin) owner group mode type; - src = pkgs.writeTextFile { - name = "beatsaber-version-vanilla.bat"; - executable = true; - text = vanilla; - }; - }; - "${cfg.binDir}/ModAssistant.exe" = { - inherit (bin) owner group mode type; - src = pkgs.fetchurl { - url = "https://github.com/Assistant/ModAssistant/releases/download/v1.1.32/ModAssistant.exe"; - hash = "sha256-ozu2gYFiz+2BjptqL80DmUopbahbyGKFO1IPd7BhVPM="; - executable = true; - }; - }; - } // versionBinFiles - // userBinFiles; + // versionBinFiles + // userBinFiles; in { enable = mkIf cfg.setup true; files = mkIf cfg.setup (mkMerge ( diff --git a/modules/system/access.nix b/modules/system/access.nix index 9503ef38..a0a97359 100644 --- a/modules/system/access.nix +++ b/modules/system/access.nix @@ -24,7 +24,10 @@ ... }: let cfg = config.networking.access; - addressForAttr = if config.networking.enableIPv6 then "address6ForNetwork" else "address4ForNetwork"; + addressForAttr = + if config.networking.enableIPv6 + then "address6ForNetwork" + else "address4ForNetwork"; has'Int = system.network.networks.int.enable or false; has'Local = system.network.networks.local.enable or false; has'Tail' = system.network.networks.tail.enable or false; 
@@ -48,26 +51,53 @@ forSystem = access.systemFor hostName; forSystemHas = network: forSystem.access ? ${addressForAttr}.${network} || forSystem.access ? address4ForNetwork.${network}; err = throw "no interface found between ${config.networking.hostName} -> ${hostName}@${network}"; - fallback = if nameAllowed + fallback = + if nameAllowed then lib.warn "getAddressFor hostname fallback for ${config.networking.hostName} -> ${hostName}@${network}" (access.getHostnameFor hostName network) else err; local = forSystem.access.${addressForAttr}.local or forSystem.access.address4ForNetwork.local or fallback; int = forSystem.access.${addressForAttr}.int or forSystem.access.address4ForNetwork.int or fallback; tail = forSystem.access.${addressForAttr}.tail or fallback; - in { - lan = - if hostName == system.name then forSystem.access.${addressForAttr}.localhost - else if has'Int && forSystemHas "int" then int - else if has'Local && forSystemHas "local" then local - else fallback; - ${if has'Local then "local" else null} = local; - ${if has'Int then "int" else null} = int; - ${if has'Tail then "tail" else null} = tail; - }.${network} or fallback; + in + { + lan = + if hostName == system.name + then forSystem.access.${addressForAttr}.localhost + else if has'Int && forSystemHas "int" + then int + else if has'Local && forSystemHas "local" + then local + else fallback; + ${ + if has'Local + then "local" + else null + } = + local; + ${ + if has'Int + then "int" + else null + } = + int; + ${ + if has'Tail + then "tail" + else null + } = + tail; + } + .${network} + or fallback; in { - inherit (systemAccess) - hostnameForNetwork address4ForNetwork address6ForNetwork - systemForService systemForServiceId; + inherit + (systemAccess) + hostnameForNetwork + address4ForNetwork + address6ForNetwork + systemForService + systemForServiceId + ; addressForNetwork = systemAccess.${addressForAttr}; systemFor = hostName: if hostName == config.networking.hostName 
@@ -91,34 +121,63 @@ getHostnameFor = hostName: network: let forSystem = access.systemFor hostName; err = throw "no hostname found between ${config.networking.hostName} and ${hostName}@${network}"; - in { - lan = - if hostName == system.name then forSystem.access.hostnameForNetwork.localhost - else if has'Int && forSystem.access.hostnameForNetwork ? int then forSystem.access.hostnameForNetwork.int - else if has'Local && forSystem.access.hostnameForNetwork ? local then forSystem.access.hostnameForNetwork.local - else err; - ${if has'Local then "local" else null} = forSystem.access.hostnameForNetwork.local or err; - ${if has'Int then "int" else null} = forSystem.access.hostnameForNetwork.int or err; - ${if has'Tail then "tail" else null} = forSystem.access.hostnameForNetwork.tail or err; - }.${network} or err; + in + { + lan = + if hostName == system.name + then forSystem.access.hostnameForNetwork.localhost + else if has'Int && forSystem.access.hostnameForNetwork ? int + then forSystem.access.hostnameForNetwork.int + else if has'Local && forSystem.access.hostnameForNetwork ? local + then forSystem.access.hostnameForNetwork.local + else err; + ${ + if has'Local + then "local" + else null + } = + forSystem.access.hostnameForNetwork.local or err; + ${ + if has'Int + then "int" + else null + } = + forSystem.access.hostnameForNetwork.int or err; + ${ + if has'Tail + then "tail" + else null + } = + forSystem.access.hostnameForNetwork.tail or err; + } + .${network} + or err; proxyUrlFor = { - system ? if serviceId != null then access.systemForServiceId serviceId else access.systemForService serviceName, + system ? + if serviceId != null + then access.systemForServiceId serviceId + else access.systemForService serviceName, serviceName ? mapNullable (serviceId: (findSingle (s: s.id == serviceId) null null (attrValues system.exports.services)).name) serviceId, serviceId ? null, service ? system.exports.services.${serviceName}, portName ? "default", network ? "lan", scheme ? 
null, - getAddressFor ? "getAddressFor" + getAddressFor ? "getAddressFor", }: let port = service.ports.${portName}; - scheme' = if scheme == null then port.protocol else scheme; - port' = if !port.enable + scheme' = + if scheme == null + then port.protocol + else scheme; + port' = + if !port.enable then throw "${system.name}.exports.services.${service.name}.ports.${portName} isn't enabled" else ":${toString port.port}"; host = access.${getAddressFor} system.name network; url = "${scheme'}://${mkAddress6 host}${port'}"; - in assert service.enable; url; + in + assert service.enable; url; }; }; networking.tempAddresses = mkIf cfg.global.enable ( @@ -142,9 +201,11 @@ in { default = domain; }; global.enable = mkEnableOption "globally routeable"; - online.enable = mkEnableOption "a deployed machine" // { - default = true; - }; + online.enable = + mkEnableOption "a deployed machine" + // { + default = true; + }; hostnameForNetwork = mkOption { type = attrsOf str; default = {}; @@ -164,7 +225,12 @@ in { ]; access = let - noNetwork = { enable = false; address4 = null; address6 = null; fqdn = null; }; + noNetwork = { + enable = false; + address4 = null; + address6 = null; + fqdn = null; + }; local = config.network.networks.local or noNetwork; int = config.network.networks.int or noNetwork; mapNetwork' = mkDefault: attr: network: mkIf (network.enable && network.${attr} != null) (mkDefault network.${attr}); 
@@ -216,12 +282,14 @@ in { hasService = system: system.config.exports.services.${service}.enable; notFound = throw "no system found serving ${service}"; multiple = throw "multiple systems found serving ${service}"; - in (findSingle hasService notFound multiple (attrValues systems)).config; + in + (findSingle hasService notFound multiple (attrValues systems)).config; systemForServiceId = serviceId: let hasService = system: findSingle (service: service.id == serviceId && service.enable) null multiple (attrValues system.config.exports.services) != null; notFound = throw "no system found serving ${serviceId}"; multiple = throw "multiple systems found serving ${serviceId}"; - in (findSingle hasService notFound multiple (attrValues systems)).config; + in + (findSingle hasService notFound multiple (attrValues systems)).config; }; }; } diff --git a/modules/system/ci.nix b/modules/system/ci.nix index 17e0a074..4ac2b458 100644 --- a/modules/system/ci.nix +++ b/modules/system/ci.nix @@ -10,9 +10,11 @@ inherit (lib.modules) mkIf mkOptionDefault; in { options.ci = with lib.types; { - enable = mkEnableOption "build via CI" // { - default = config.type == "NixOS"; - }; + enable = + mkEnableOption "build via CI" + // { + default = config.type == "NixOS"; + }; allowFailure = mkOption { type = bool; default = false; diff --git a/modules/system/exports/cockpit.nix b/modules/system/exports/cockpit.nix index 575326aa..7455a343 100644 --- a/modules/system/exports/cockpit.nix +++ b/modules/system/exports/cockpit.nix @@ -1,4 +1,8 @@ -{lib, gensokyo-zone, ...}: let +{ + lib, + gensokyo-zone, + ... +}: let inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault; inherit (lib.attrsets) mapAttrs; in { diff --git a/modules/system/exports/dnsmasq.nix b/modules/system/exports/dnsmasq.nix index dd9dadec..c0554b13 100644 --- a/modules/system/exports/dnsmasq.nix +++ b/modules/system/exports/dnsmasq.nix 
@@ -1,8 +1,12 @@ -{lib, gensokyo-zone, ...}: let +{ + lib, + gensokyo-zone, + ... +}: let inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault; inherit (lib.attrsets) mapAttrs; in { - config.exports.services.dnsmasq = { config, ... }: { + config.exports.services.dnsmasq = {config, ...}: { id = mkAlmostOptionDefault "dns"; nixos = { serviceAttr = "dnsmasq"; diff --git a/modules/system/exports/exports.nix b/modules/system/exports/exports.nix index 72981787..8b8be7a5 100644 --- a/modules/system/exports/exports.nix +++ b/modules/system/exports/exports.nix @@ -24,7 +24,12 @@ }; id = mkOption { type = str; - default = cfg.services.${config.serviceName}.id/* or config.name*/; + default = + cfg.services.${config.serviceName}.id + /* + or config.name + */ + ; }; }; }; diff --git a/modules/system/exports/freeipa.nix b/modules/system/exports/freeipa.nix index 58efda01..0de9c818 100644 --- a/modules/system/exports/freeipa.nix +++ b/modules/system/exports/freeipa.nix @@ -1,4 +1,8 @@ -{lib, gensokyo-zone, ...}: let +{ + lib, + gensokyo-zone, + ... +}: let inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault; inherit (lib.attrsets) mapAttrs; in { diff --git a/modules/system/exports/freepbx.nix b/modules/system/exports/freepbx.nix index 39cf085e..423d94eb 100644 --- a/modules/system/exports/freepbx.nix +++ b/modules/system/exports/freepbx.nix @@ -1,4 +1,8 @@ -{lib, gensokyo-zone, ...}: let +{ + lib, + gensokyo-zone, + ... +}: let inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault; inherit (lib.attrsets) mapAttrs; in { diff --git a/modules/system/exports/home-assistant.nix b/modules/system/exports/home-assistant.nix index 3a8e3d6a..fd46454f 100644 --- a/modules/system/exports/home-assistant.nix +++ b/modules/system/exports/home-assistant.nix 
@@ -1,14 +1,19 @@ -{lib, gensokyo-zone, ...}: let +{ + lib, + gensokyo-zone, + ... +}: let inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault; inherit (lib.modules) mkIf; inherit (lib.attrsets) mapAttrs; inherit (lib.lists) all imap0; inherit (lib.trivial) id; in { - config.exports.services.home-assistant = { config, ... }: let + config.exports.services.home-assistant = {config, ...}: let mkAssertion = f: nixosConfig: let cfg = nixosConfig.services.home-assistant; - in f nixosConfig cfg; + in + f nixosConfig cfg; assertPort = nixosConfig: cfg: { assertion = config.ports.default.port == cfg.config.http.server_port; message = "port mismatch"; @@ -16,10 +21,11 @@ in { assertHomekitPort = let portName = i: "homekit${toString i}"; mkAssertPort = i: homekit: config.ports.${portName i}.port or null == homekit.port; - in nixosConfig: cfg: { - assertion = all id (imap0 mkAssertPort cfg.config.homekit); - message = "homekit port mismatch"; - }; + in + nixosConfig: cfg: { + assertion = all id (imap0 mkAssertPort cfg.config.homekit); + message = "homekit port mismatch"; + }; in { id = mkAlmostOptionDefault "home"; nixos = { diff --git a/modules/system/exports/invidious.nix b/modules/system/exports/invidious.nix index 147790e1..3e0c221c 100644 --- a/modules/system/exports/invidious.nix +++ b/modules/system/exports/invidious.nix @@ -1,8 +1,12 @@ -{lib, gensokyo-zone, ...}: let +{ + lib, + gensokyo-zone, + ... +}: let inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault; inherit (lib.modules) mkIf; in { - config.exports.services.invidious = { config, ... }: { + config.exports.services.invidious = {config, ...}: { id = mkAlmostOptionDefault "yt"; nixos = { serviceAttr = "invidious"; diff --git a/modules/system/exports/kerberos.nix b/modules/system/exports/kerberos.nix index f122ee1a..7ff90fd1 100644 --- a/modules/system/exports/kerberos.nix +++ b/modules/system/exports/kerberos.nix 
@@ -1,8 +1,12 @@ -{lib, gensokyo-zone, ...}: let +{ + lib, + gensokyo-zone, + ... +}: let inherit (gensokyo-zone.lib) mapAlmostOptionDefaults; inherit (lib.attrsets) mapAttrs; in { - config.exports.services.kerberos = { config, ... }: { + config.exports.services.kerberos = {config, ...}: { id = "krb5"; ports = mapAttrs (_: mapAlmostOptionDefaults) { default = { diff --git a/modules/system/exports/keycloak.nix b/modules/system/exports/keycloak.nix index 3dab812e..791e2d82 100644 --- a/modules/system/exports/keycloak.nix +++ b/modules/system/exports/keycloak.nix @@ -1,26 +1,32 @@ -{lib, gensokyo-zone, ...}: let +{ + lib, + gensokyo-zone, + ... +}: let inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault; inherit (lib.modules) mkIf; inherit (lib.attrsets) mapAttrs; in { - config.exports.services.keycloak = { config, ... }: { + config.exports.services.keycloak = {config, ...}: { id = mkAlmostOptionDefault "sso"; nixos = { serviceAttr = "keycloak"; assertions = let mkAssertion = f: nixosConfig: let cfg = nixosConfig.services.keycloak; - in f nixosConfig cfg; - in mkIf config.enable [ - (mkAssertion (nixosConfig: cfg: { - assertion = config.ports.${cfg.protocol}.port == cfg.port; - message = "port mismatch"; - })) - (mkAssertion (nixosConfig: cfg: { - assertion = config.ports.${cfg.protocol}.enable; - message = "port enable mismatch"; - })) - ]; + in + f nixosConfig cfg; + in + mkIf config.enable [ + (mkAssertion (nixosConfig: cfg: { + assertion = config.ports.${cfg.protocol}.port == cfg.port; + message = "port mismatch"; + })) + (mkAssertion (nixosConfig: cfg: { + assertion = config.ports.${cfg.protocol}.enable; + message = "port enable mismatch"; + })) + ]; }; ports = mapAttrs (_: mapAlmostOptionDefaults) { http = { diff --git a/modules/system/exports/ldap.nix b/modules/system/exports/ldap.nix index be3489b5..de1a760a 100644 --- a/modules/system/exports/ldap.nix +++ b/modules/system/exports/ldap.nix 
@@ -1,8 +1,12 @@ -{lib, gensokyo-zone, ...}: let +{ + lib, + gensokyo-zone, + ... +}: let inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault; inherit (lib.attrsets) mapAttrs; in { - config.exports.services.ldap = { config, ... }: { + config.exports.services.ldap = {config, ...}: { defaults.port.listen = mkAlmostOptionDefault "lan"; ports = mapAttrs (_: mapAlmostOptionDefaults) { default = { diff --git a/modules/system/exports/minecraft-bedrock.nix b/modules/system/exports/minecraft-bedrock.nix index 734b84fa..ab34cc11 100644 --- a/modules/system/exports/minecraft-bedrock.nix +++ b/modules/system/exports/minecraft-bedrock.nix @@ -1,12 +1,17 @@ -{lib, gensokyo-zone, ...}: let +{ + lib, + gensokyo-zone, + ... +}: let inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault; inherit (lib.modules) mkIf; inherit (lib.attrsets) mapAttrs; in { - config.exports.services.minecraft-bedrock-server = { config, ... }: let + config.exports.services.minecraft-bedrock-server = {config, ...}: let mkAssertion = f: nixosConfig: let cfg = nixosConfig.services.minecraft-bedrock-server; - in f nixosConfig cfg; + in + f nixosConfig cfg; in { nixos = { serviceAttr = "minecraft-bedrock-server"; diff --git a/modules/system/exports/mosquitto.nix b/modules/system/exports/mosquitto.nix index b180454d..3dc2e07f 100644 --- a/modules/system/exports/mosquitto.nix +++ b/modules/system/exports/mosquitto.nix @@ -1,11 +1,15 @@ -{lib, gensokyo-zone, ...}: let +{ + lib, + gensokyo-zone, + ... +}: let inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault; inherit (lib.modules) mkIf; inherit (lib.attrsets) mapAttrs; inherit (lib.lists) all imap0; inherit (lib.trivial) id; in { - config.exports.services.mosquitto = { config, ... }: { + config.exports.services.mosquitto = {config, ...}: { id = mkAlmostOptionDefault "mqtt"; nixos = { serviceAttr = "mosquitto"; 
@@ -13,7 +17,8 @@ in { (nixosConfig: let cfg = nixosConfig.services.mosquitto; portName = i: - if i == 0 then "default" + if i == 0 + then "default" else "listener${toString i}"; mkAssertPort = i: listener: config.ports.${portName i}.port or null == listener.port; in { diff --git a/modules/system/exports/motion.nix b/modules/system/exports/motion.nix index 4ba16e88..eaff7e97 100644 --- a/modules/system/exports/motion.nix +++ b/modules/system/exports/motion.nix @@ -1,8 +1,12 @@ -{lib, gensokyo-zone, ...}: let +{ + lib, + gensokyo-zone, + ... +}: let inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault; inherit (lib.attrsets) mapAttrs; in { - config.exports.services.motion = { config, ... }: { + config.exports.services.motion = {config, ...}: { defaults.port.listen = mkAlmostOptionDefault "lan"; ports = mapAttrs (_: mapAlmostOptionDefaults) { default = { diff --git a/modules/system/exports/nfs.nix b/modules/system/exports/nfs.nix index 2a52afde..42ec0342 100644 --- a/modules/system/exports/nfs.nix +++ b/modules/system/exports/nfs.nix 
@@ -1,24 +1,34 @@ -{lib, gensokyo-zone, ...}: let +{ + lib, + gensokyo-zone, + ... +}: let inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault; inherit (lib.modules) mkIf; inherit (lib.attrsets) mapAttrs; in { - config.exports.services.nfs = { config, ... }: let + config.exports.services.nfs = {config, ...}: let mkAssertion = f: nixosConfig: let cfg = nixosConfig.services.nfs; - in f nixosConfig cfg; - mkAssertionPort = portName: mkAssertion (nixosConfig: cfg: let - portAttr = "${portName}Port"; - in { - assertion = mkAssertPort config.ports.${portName} cfg.server.${portAttr}; - message = "${portAttr} mismatch"; - }); + in + f nixosConfig cfg; + mkAssertionPort = portName: + mkAssertion (nixosConfig: cfg: let + portAttr = "${portName}Port"; + in { + assertion = mkAssertPort config.ports.${portName} cfg.server.${portAttr}; + message = "${portAttr} mismatch"; + }); mkAssertPort = port: cfgPort: let - cmpPort = if port.enable then port.port else null; - in cfgPort == cmpPort; + cmpPort = + if port.enable + then port.port + else null; + in + cfgPort == cmpPort; in { nixos = { - serviceAttrPath = [ "services" "nfs" "server" ]; + serviceAttrPath = ["services" "nfs" "server"]; assertions = mkIf config.enable [ (mkAssertionPort "statd") (mkAssertionPort "lockd") diff --git a/modules/system/exports/nginx.nix b/modules/system/exports/nginx.nix index e3a668b3..71150cb2 100644 --- a/modules/system/exports/nginx.nix +++ b/modules/system/exports/nginx.nix 
@@ -1,12 +1,17 @@ -{lib, gensokyo-zone, ...}: let +{ + lib, + gensokyo-zone, + ... +}: let inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault; inherit (lib.modules) mkIf; inherit (lib.attrsets) mapAttrs; in { - config.exports.services.nginx = { config, ... }: let + config.exports.services.nginx = {config, ...}: let mkAssertion = f: nixosConfig: let cfg = nixosConfig.services.nginx; - in f nixosConfig cfg; + in + f nixosConfig cfg; assertPorts = nixosConfig: cfg: { assertion = config.ports.http.port == cfg.defaultHTTPListenPort && config.ports.https.port == cfg.defaultSSLListenPort; message = "ports mismatch"; diff --git a/modules/system/exports/openwebrx.nix b/modules/system/exports/openwebrx.nix index f7a564d2..2d9eb55b 100644 --- a/modules/system/exports/openwebrx.nix +++ b/modules/system/exports/openwebrx.nix @@ -1,22 +1,28 @@ -{lib, gensokyo-zone, ...}: let +{ + lib, + gensokyo-zone, + ... +}: let inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault; inherit (lib.modules) mkIf; inherit (lib.attrsets) mapAttrs; in { - config.exports.services.openwebrx = { config, ... }: { + config.exports.services.openwebrx = {config, ...}: { id = mkAlmostOptionDefault "webrx"; nixos = { serviceAttr = "openwebrx"; assertions = let mkAssertion = f: nixosConfig: let cfg = nixosConfig.services.openwebrx; - in f nixosConfig cfg; - in mkIf config.enable [ - (mkAssertion (nixosConfig: cfg: { - assertion = config.ports.default.port == cfg.port; - message = "port mismatch"; - })) - ]; + in + f nixosConfig cfg; + in + mkIf config.enable [ + (mkAssertion (nixosConfig: cfg: { + assertion = config.ports.default.port == cfg.port; + message = "port mismatch"; + })) + ]; }; defaults.port.listen = mkAlmostOptionDefault "lan"; ports = mapAttrs (_: mapAlmostOptionDefaults) { diff --git a/modules/system/exports/plex.nix b/modules/system/exports/plex.nix index 3b289fa6..f345bfa8 100644 --- a/modules/system/exports/plex.nix 
+++ b/modules/system/exports/plex.nix @@ -1,4 +1,8 @@ -{lib, gensokyo-zone, ...}: let +{ + lib, + gensokyo-zone, + ... +}: let inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault; inherit (lib.attrsets) mapAttrs; in { diff --git a/modules/system/exports/postgresql.nix b/modules/system/exports/postgresql.nix index e7ba5c6b..97fc0ce9 100644 --- a/modules/system/exports/postgresql.nix +++ b/modules/system/exports/postgresql.nix @@ -1,11 +1,16 @@ -{lib, gensokyo-zone, ...}: let +{ + lib, + gensokyo-zone, + ... +}: let inherit (gensokyo-zone.lib) mapAlmostOptionDefaults; inherit (lib.modules) mkIf; in { - config.exports.services.postgresql = { config, ... }: let + config.exports.services.postgresql = {config, ...}: let mkAssertion = f: nixosConfig: let cfg = nixosConfig.services.postgresql; - in f nixosConfig cfg; + in + f nixosConfig cfg; in { nixos = { serviceAttr = "postgresql"; diff --git a/modules/system/exports/prox.nix b/modules/system/exports/prox.nix index b82a0270..0c1bf9be 100644 --- a/modules/system/exports/prox.nix +++ b/modules/system/exports/prox.nix @@ -1,7 +1,11 @@ -{lib, gensokyo-zone, ...}: let +{ + lib, + gensokyo-zone, + ... +}: let inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault; in { - config.exports.services.proxmox = { config, ... }: { + config.exports.services.proxmox = {config, ...}: { id = mkAlmostOptionDefault "prox"; defaults.port.listen = mkAlmostOptionDefault "lan"; ports.default = mapAlmostOptionDefaults { diff --git a/modules/system/exports/samba.nix b/modules/system/exports/samba.nix index 7cf31484..fc46bc68 100644 --- a/modules/system/exports/samba.nix +++ b/modules/system/exports/samba.nix @@ -1,4 +1,8 @@ -{lib, gensokyo-zone, ...}: let +{ + lib, + gensokyo-zone, + ... +}: let inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault; inherit (lib.attrsets) mapAttrs; in { 
diff --git a/modules/system/exports/services.nix b/modules/system/exports/services.nix index acf97d9a..7d56bab1 100644 --- a/modules/system/exports/services.nix +++ b/modules/system/exports/services.nix @@ -12,7 +12,11 @@ inherit (lib.trivial) mapNullable; inherit (lib.strings) concatStringsSep; systemConfig = config; - portModule = {config, service, ...}: { + portModule = { + config, + service, + ... + }: { options = with lib.types; { enable = mkEnableOption "port" @@ -86,7 +90,7 @@ }; assertions = mkOption { type = listOf (functionTo attrs); - default = [ ]; + default = []; }; }; defaults = { @@ -107,7 +111,8 @@ serviceConfig = getAttrFromPath config.nixos.serviceAttrPath; mkAssertion = f: nixosConfig: let cfg = serviceConfig nixosConfig; - in f nixosConfig cfg; + in + f nixosConfig cfg; enableAssertion = nixosConfig: cfg: { assertion = (! cfg ? enable) || (config.enable == cfg.enable); message = "enable == nixosConfig.${concatStringsSep "." config.nixos.serviceAttrPath}.enable"; @@ -120,12 +125,18 @@ }; }; }; - nixosModule = {config, system, ...}: let + nixosModule = { + config, + system, + ... + }: let mapAssertion = service: a: let res = a config; - in res // { - message = "system.exports.${service.name}: " + res.message or "assertion failed"; - }; + in + res + // { + message = "system.exports.${service.name}: " + res.message or "assertion failed"; + }; assertions = mapAttrsToList (_: service: map (mapAssertion service) service.nixos.assertions) system.exports.services; in { config = { diff --git a/modules/system/exports/sshd.nix b/modules/system/exports/sshd.nix index 34bc219c..1cd22783 100644 --- a/modules/system/exports/sshd.nix +++ b/modules/system/exports/sshd.nix 
@@ -1,13 +1,18 @@
-{lib, gensokyo-zone, ...}: let
+{
+ lib,
+ gensokyo-zone,
+ ...
+}: let
 inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault;
 inherit (lib.modules) mkIf;
 inherit (lib.attrsets) mapAttrs filterAttrs mapAttrsToList;
 inherit (lib.lists) sort;
 in {
- config.exports.services.sshd = { config, ... }: let
+ config.exports.services.sshd = {config, ...}: let
 mkAssertion = f: nixosConfig: let
 cfg = nixosConfig.services.openssh;
- in f nixosConfig cfg;
+ in
+ f nixosConfig cfg;
 sorted = sort (a: b: a > b);
 assertPorts = nixosConfig: cfg: let
 nixosPorts = cfg.ports;
diff --git a/modules/system/exports/unifi.nix b/modules/system/exports/unifi.nix
index 59c75ba3..dd75b269 100644
--- a/modules/system/exports/unifi.nix
+++ b/modules/system/exports/unifi.nix
@@ -1,8 +1,12 @@
-{lib, gensokyo-zone, ...}: let
+{
+ lib,
+ gensokyo-zone,
+ ...
+}: let
 inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault;
 inherit (lib.attrsets) mapAttrs;
 in {
- config.exports.services.unifi = { config, ... }: {
+ config.exports.services.unifi = {config, ...}: {
 nixos.serviceAttr = "unifi";
 defaults.port.listen = mkAlmostOptionDefault "lan";
 ports = mapAttrs (_: mapAlmostOptionDefaults) {
diff --git a/modules/system/exports/vouch.nix b/modules/system/exports/vouch.nix
index b3324771..9b873728 100644
--- a/modules/system/exports/vouch.nix
+++ b/modules/system/exports/vouch.nix
@@ -1,8 +1,12 @@
-{lib, gensokyo-zone, ...}: let
+{
+ lib,
+ gensokyo-zone,
+ ...
+}: let
 inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault;
 inherit (lib.modules) mkIf;
 in {
- config.exports.services.vouch-proxy = { config, ... }: {
+ config.exports.services.vouch-proxy = {config, ...}: {
 id = mkAlmostOptionDefault "login";
 defaults.port.listen = mkAlmostOptionDefault "localhost";
 nixos = {
diff --git a/modules/system/exports/zigbee2mqtt.nix b/modules/system/exports/zigbee2mqtt.nix
index 00fcbbd2..2e3f181f 100644
--- a/modules/system/exports/zigbee2mqtt.nix
+++ b/modules/system/exports/zigbee2mqtt.nix
@@ -1,8 +1,12 @@
-{lib, gensokyo-zone, ...}: let
+{
+ lib,
+ gensokyo-zone,
+ ...
+}: let
 inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault;
 inherit (lib.modules) mkIf;
 in {
- config.exports.services.zigbee2mqtt = { config, ... }: {
+ config.exports.services.zigbee2mqtt = {config, ...}: {
 id = mkAlmostOptionDefault "z2m";
 nixos = {
 serviceAttr = "zigbee2mqtt";
diff --git a/modules/system/extern/files.nix b/modules/system/extern/files.nix
index 3fcb2533..216e5515 100644
--- a/modules/system/extern/files.nix
+++ b/modules/system/extern/files.nix
@@ -1,13 +1,21 @@
 let
- fileModule = {config, name, gensokyo-zone, lib, ...}: let
+ fileModule = {
+ config,
+ name,
+ gensokyo-zone,
+ lib,
+ ...
+ }: let
 inherit (lib.options) mkOption mkEnableOption;
 inherit (lib.modules) mkOptionDefault;
 inherit (lib.strings) hasPrefix removePrefix;
 in {
 options = with lib.types; {
- enable = mkEnableOption "external file" // {
- default = true;
- };
+ enable =
+ mkEnableOption "external file"
+ // {
+ default = true;
+ };
 path = mkOption {
 type = str;
 default = name;
@@ -35,25 +43,33 @@ let
 relativeSource = let
 flakeRoot = toString gensokyo-zone.self + "/";
 sourcePath = toString config.source;
- in mkOptionDefault (
- if hasPrefix flakeRoot sourcePath then removePrefix flakeRoot sourcePath
- else null
- );
+ in
+ mkOptionDefault (
+ if hasPrefix flakeRoot sourcePath
+ then removePrefix flakeRoot sourcePath
+ else null
+ );
 };
 };
-in {config, gensokyo-zone, lib, ...}: let
- inherit (lib.options) mkOption;
-in {
- options.extern = with lib.types; {
- files = mkOption {
- type = attrsOf (submoduleWith {
- modules = [ fileModule ];
- specialArgs = {
- inherit gensokyo-zone;
- system = config;
- };
- });
- default = { };
+in
+ {
+ config,
+ gensokyo-zone,
+ lib,
+ ...
+ }: let
+ inherit (lib.options) mkOption;
+ in {
+ options.extern = with lib.types; {
+ files = mkOption {
+ type = attrsOf (submoduleWith {
+ modules = [fileModule];
+ specialArgs = {
+ inherit gensokyo-zone;
+ system = config;
+ };
+ });
+ default = {};
+ };
 };
- };
-}
+ }
diff --git a/modules/system/host.nix b/modules/system/host.nix
index 074c61b4..80320035 100644
--- a/modules/system/host.nix
+++ b/modules/system/host.nix
@@ -41,7 +41,7 @@ in {
 };
 modules = mkOption {
 type = listOf unspecified;
- default = [ ];
+ default = [];
 };
 specialArgs = mkOption {
 type = attrs;
@@ -101,10 +101,13 @@ in {
 darwin = inputs.darwin.lib.darwinSystem;
 macos = inputs.darwin.lib.darwinSystem;
 }
- .${string.toLower config.type} or null;
- built = mkOptionDefault (mapNullable (builder: builder {
- inherit (config) system modules specialArgs;
- }) config.builder);
+ .${string.toLower config.type}
+ or null;
+ built = mkOptionDefault (mapNullable (builder:
+ builder {
+ inherit (config) system modules specialArgs;
+ })
+ config.builder);
 specialArgs = {
 inherit name inputs std Std meta;
 inherit (inputs.self.lib) gensokyo-zone;
diff --git a/modules/system/network/networks.nix b/modules/system/network/networks.nix
index 4878633b..374d624c 100644
--- a/modules/system/network/networks.nix
+++ b/modules/system/network/networks.nix
@@ -1,9 +1,19 @@
-{config, lib, inputs, ...}: let
+{
+ config,
+ lib,
+ inputs,
+ ...
+}: let
 inherit (inputs.self.lib.lib) eui64;
 inherit (lib.options) mkOption mkEnableOption;
 inherit (lib.modules) mkIf mkOptionDefault;
 inherit (lib.trivial) mapNullable;
- networkModule = { config, name, system, ... }: let
+ networkModule = {
+ config,
+ name,
+ system,
+ ...
+ }: let
 knownNetworks = {
 local.slaac = {
 enable = true;
@@ -13,9 +23,11 @@
 };
 in {
 options = with lib.types; {
- enable = mkEnableOption "network" // {
- default = true;
- };
+ enable =
+ mkEnableOption "network"
+ // {
+ default = true;
+ };
 slaac = {
 enable = mkOption {
 type = bool;
@@ -65,12 +77,12 @@ in {
 options.network = with lib.types; {
 networks = mkOption {
 type = attrsOf (submoduleWith {
- modules = [ networkModule ];
+ modules = [networkModule];
 specialArgs = {
 system = config;
 };
 });
- default = { };
+ default = {};
 };
 };
 }
diff --git a/modules/system/proxmox/container.nix b/modules/system/proxmox/container.nix
index 94f4984f..4a3a7889 100644
--- a/modules/system/proxmox/container.nix
+++ b/modules/system/proxmox/container.nix
@@ -1,4 +1,8 @@
-{config, lib, ...}: let
+{
+ config,
+ lib,
+ ...
+}: let
 inherit (lib.options) mkOption mkEnableOption;
 cfg = config.proxmox.container;
 in {
diff --git a/modules/system/proxmox/network.nix b/modules/system/proxmox/network.nix
index 391de1b2..f4057257 100644
--- a/modules/system/proxmox/network.nix
+++ b/modules/system/proxmox/network.nix
@@ -1,4 +1,10 @@
-{config, gensokyo-zone, lib, Std, ...}: let
+{
+ config,
+ gensokyo-zone,
+ lib,
+ Std,
+ ...
+}: let
 inherit (Std) UInt;
 inherit (gensokyo-zone.lib) unmerged eui64 mkAlmostOptionDefault mapAlmostOptionDefaults;
 inherit (lib.options) mkOption mkEnableOption;
@@ -9,11 +15,18 @@
 inherit (lib.trivial) mapNullable;
 cfg = config.proxmox.network;
 internalOffset = 32;
- networkInterfaceModule = { config, name, system, ... }: {
+ networkInterfaceModule = {
+ config,
+ name,
+ system,
+ ...
+ }: {
 options = with lib.types; {
- enable = mkEnableOption "network interface" // {
- default = true;
- };
+ enable =
+ mkEnableOption "network interface"
+ // {
+ default = true;
+ };
 bridge = mkOption {
 type = str;
 default = "vmbr0";
@@ -30,7 +43,7 @@
 default = null;
 };
 address4 = mkOption {
- type = nullOr (either (enum [ "dhcp" ]) str);
+ type = nullOr (either (enum ["dhcp"]) str);
 default = null;
 };
 gateway4 = mkOption {
@@ -38,7 +51,7 @@
 default = null;
 };
 address6 = mkOption {
- type = nullOr (either (enum [ "auto" "dhcp" ]) str);
+ type = nullOr (either (enum ["auto" "dhcp"]) str);
 default = null;
 };
 gateway6 = mkOption {
@@ -47,13 +60,15 @@
 };
 firewall.enable = mkEnableOption "firewall";
 vm.model = mkOption {
- type = enum [ "virtio" "e1000" "rtl8139" "vmxnet3" ];
+ type = enum ["virtio" "e1000" "rtl8139" "vmxnet3"];
 default = "virtio";
 };
 mdns = {
- enable = mkEnableOption "mDNS" // {
- default = config.local.enable && config.id == "net0";
- };
+ enable =
+ mkEnableOption "mDNS"
+ // {
+ default = config.local.enable && config.id == "net0";
+ };
 };
 slaac = {
 postfix = mkOption {
@@ -76,9 +91,11 @@
 };
 };
 networkd = {
- enable = mkEnableOption "systemd.network" // {
- default = true;
- };
+ enable =
+ mkEnableOption "systemd.network"
+ // {
+ default = true;
+ };
 name = mkOption {
 type = str;
 default = config.name;
@@ -90,14 +107,20 @@
 };
 };
 config = let
- hasAddr4 = ! elem config.address4 [ null "dhcp" ];
- hasAddr6 = ! elem config.address6 [ null "dhcp" "auto" ];
+ hasAddr4 = ! elem config.address4 [null "dhcp"];
+ hasAddr6 = ! elem config.address6 [null "dhcp" "auto"];
 conf = {
 local = mkIf config.local.enable {
- address4 = mkOptionDefault (if hasAddr4 then config.address4 else null);
+ address4 = mkOptionDefault (
+ if hasAddr4
+ then config.address4
+ else null
+ );
 address6 = mkOptionDefault (
- if config.address6 == "auto" && config.slaac.postfix != null then "fd0a::${config.slaac.postfix}"
- else if hasAddr6 then config.address6
+ if config.address6 == "auto" && config.slaac.postfix != null
+ then "fd0a::${config.slaac.postfix}"
+ else if hasAddr6
+ then config.address6
 else null
 );
 };
@@ -123,7 +146,7 @@
 Type = mkOptionDefault "ether";
 };
 linkConfig = mkMerge [
- (mkIf config.mdns.enable { Multicast = mkOptionDefault true; })
+ (mkIf config.mdns.enable {Multicast = mkOptionDefault true;})
 ];
 networkConfig = mkMerge [
 (mkIf (config.address6 == "auto") {
@@ -134,17 +157,20 @@
 })
 ];
 address = mkMerge [
- (mkIf (! elem config.address4 [ null "dhcp" ]) [ config.address4 ])
- (mkIf (! elem config.address6 [ null "auto" "dhcp" ]) [ config.address6 ])
+ (mkIf (! elem config.address4 [null "dhcp"]) [config.address4])
+ (mkIf (! elem config.address6 [null "auto" "dhcp"]) [config.address6])
 ];
 gateway = mkMerge [
- (mkIf (config.gateway4 != null) [ config.gateway4 ])
- (mkIf (config.gateway6 != null) [ config.gateway6 ])
+ (mkIf (config.gateway4 != null) [config.gateway4])
+ (mkIf (config.gateway6 != null) [config.gateway6])
 ];
 DHCP = mkAlmostOptionDefault (
- if config.address4 == "dhcp" && config.address6 == "dhcp" then "yes"
- else if config.address6 == "dhcp" then "ipv6"
- else if config.address4 == "dhcp" then "ipv4"
+ if config.address4 == "dhcp" && config.address6 == "dhcp"
+ then "yes"
+ else if config.address6 == "dhcp"
+ then "ipv6"
+ else if config.address4 == "dhcp"
+ then "ipv4"
 else "no"
 );
 };
@@ -157,11 +183,11 @@
 address4 = mkAlmostOptionDefault "10.9.1.${toString index}/24";
 address6 = mkAlmostOptionDefault "fd0c::${UInt.toHexLower index}/64";
 macAddress = mkIf (system.proxmox.network.interfaces.net0.macAddress or null != null && hasPrefix "BC:24:11:" system.proxmox.network.interfaces.net0.macAddress) (mkAlmostOptionDefault (
- replaceStrings [ "BC:24:11:" ] [ "BC:24:19:" ] system.proxmox.network.interfaces.net0.macAddress
+ replaceStrings ["BC:24:11:"] ["BC:24:19:"] system.proxmox.network.interfaces.net0.macAddress
 ));
 networkd.name = mkDefault "_00-int";
 networkd.networkSettings = {
- domains = mkDefault [ ]; # int.${domain}?
+ domains = mkDefault []; # int.${domain}?
 linkConfig.RequiredForOnline = false;
 ipv6AcceptRAConfig = {
 Token = mkOptionDefault "static:::${UInt.toHexLower index}";
@@ -172,21 +198,22 @@
 };
 };
 };
- in mkMerge [
- conf
- (mkIf config.internal.enable confInternal)
- ];
+ in
+ mkMerge [
+ conf
+ (mkIf config.internal.enable confInternal)
+ ];
 };
 in {
 options.proxmox.network = with lib.types; {
 interfaces = mkOption {
 type = attrsOf (submoduleWith {
- modules = [ networkInterfaceModule ];
+ modules = [networkInterfaceModule];
 specialArgs = {
 system = config;
 };
 });
- default = { };
+ default = {};
 };
 internal = {
 interface = mkOption {
diff --git a/modules/system/proxmox/node.nix b/modules/system/proxmox/node.nix
index 4cdc5add..408c0b91 100644
--- a/modules/system/proxmox/node.nix
+++ b/modules/system/proxmox/node.nix
@@ -1,4 +1,9 @@
-{config, lib, gensokyo-zone, ...}: let
+{
+ config,
+ lib,
+ gensokyo-zone,
+ ...
+}: let
 inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
 inherit (lib.options) mkOption mkEnableOption;
 inherit (lib.modules) mkIf;
diff --git a/modules/system/proxmox/vm.nix b/modules/system/proxmox/vm.nix
index 40da72a1..508107ad 100644
--- a/modules/system/proxmox/vm.nix
+++ b/modules/system/proxmox/vm.nix
@@ -1,4 +1,8 @@
-{config, lib, ...}: let
+{
+ config,
+ lib,
+ ...
+}: let
 inherit (lib.options) mkOption mkEnableOption;
 cfg = config.proxmox;
 in {
diff --git a/nixos/access/barcodebuddy.nix b/nixos/access/barcodebuddy.nix
index 36db7703..f1fbed4b 100644
--- a/nixos/access/barcodebuddy.nix
+++ b/nixos/access/barcodebuddy.nix
@@ -25,7 +25,8 @@ in {
 requireAuth = false;
 };
 proxy = {
- upstream = mkIf barcodebuddy.enable (mkDefault
+ upstream = mkIf barcodebuddy.enable (
+ mkDefault
 "nginx'proxied"
 );
 host = mkDefault serverName;
@@ -48,7 +49,7 @@ in {
 upstream = mkDefault nginx.virtualHosts.barcodebuddy.proxy.upstream;
 host = mkDefault nginx.virtualHosts.barcodebuddy.proxy.host;
 };
- locations."/" = { config, ... }: {
+ locations."/" = {config, ...}: {
 proxy = {
 headers.enableRecommended = true;
 redirect = {
diff --git a/nixos/access/freeipa.nix b/nixos/access/freeipa.nix
index 559a9550..6138faf9 100644
--- a/nixos/access/freeipa.nix
+++ b/nixos/access/freeipa.nix
@@ -5,8 +5,7 @@
 gensokyo-zone,
 lib,
 ...
-}:
-let
+}: let
 inherit (gensokyo-zone.lib) mapOptionDefaults;
 inherit (lib.options) mkOption mkEnableOption;
 inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
@@ -19,7 +18,11 @@ let
 ssl_verify_client optional_no_ca;
 '';
 locations = {
- "/" = { config, xvars, ... }: {
+ "/" = {
+ config,
+ xvars,
+ ...
+ }: {
 proxy = {
 enable = true;
 upstream = "freeipa";
@@ -67,9 +70,11 @@ in {
 };
 };
 kerberos = {
- enable = mkEnableOption "proxy kerberos" // {
- default = true;
- };
+ enable =
+ mkEnableOption "proxy kerberos"
+ // {
+ default = true;
+ };
 ports = {
 ticket = mkOption {
 type = port;
@@ -177,7 +182,7 @@ in {
 kticket4 = mkKrb5Upstream "ticket4";
 };
 servers = let
- mkKrb5Server = tcpPort: udpPort: { name, ... }: {
+ mkKrb5Server = tcpPort: udpPort: {name, ...}: {
 enable = mkDefault nginx.stream.upstreams.${name}.enable;
 listen = {
 tcp = mkIf (tcpPort != null) {
@@ -187,7 +192,7 @@ in {
 udp = mkIf (udpPort != null) {
 enable = mkDefault kerberos.ports.${udpPort}.enable;
 port = mkOptionDefault kerberos.ports.${udpPort}.port;
- extraParameters = [ "udp" ];
+ extraParameters = ["udp"];
 };
 };
 proxy.upstream = name;
@@ -208,11 +213,12 @@ in {
 ssl.cert.copyFromVhost = mkDefault "freeipa";
 };
 };
- in mkMerge [
- conf
- (mkIf nginx.ssl.preread.enable prereadConf)
- (mkIf cfg.kerberos.enable kerberosConf)
- ];
+ in
+ mkMerge [
+ conf
+ (mkIf nginx.ssl.preread.enable prereadConf)
+ (mkIf cfg.kerberos.enable kerberosConf)
+ ];
 virtualHosts = let
 name.shortServer = mkDefault "ipa";
 name'cockpit.shortServer = mkDefault "ipa-cock";
@@ -233,7 +239,11 @@ in {
 name.shortServer = mkDefault "idp-ca";
 locations."/" = mkMerge [
 locations."/"
- ({config, virtualHost, ...}: {
+ ({
+ config,
+ virtualHost,
+ ...
+ }: {
 proxy.ssl.host = virtualHost.serverName;
 proxy.host = config.proxy.ssl.host;
 })
@@ -276,7 +286,7 @@ in {
 };
 freeipa'ldap'local = {
 serverName = mkDefault ldap.localDomain;
- serverAliases = [ ldap.intDomain ];
+ serverAliases = [ldap.intDomain];
 ssl.cert.copyFromVhost = "freeipa'ldap";
 globalRedirect = virtualHosts.freeipa'web'local.serverName;
 local.enable = true;
@@ -295,16 +305,18 @@ in {
 inherit (nginx.stream.servers) krb5 kadmin kpasswd kticket4;
 in {
 allowedTCPPorts = mkMerge [
- (mkIf cfg.kerberos.enable (map (server:
- mkIf (server.enable && server.listen.tcp.enable) server.listen.tcp.port
- ) [ krb5 kticket4 kpasswd kadmin ]))
+ (mkIf cfg.kerberos.enable (map (
+ server:
+ mkIf (server.enable && server.listen.tcp.enable) server.listen.tcp.port
+ ) [krb5 kticket4 kpasswd kadmin]))
 (mkIf nginx.ssl.preread.enable [
 ldapsPort
 ])
 ];
- allowedUDPPorts = mkIf cfg.kerberos.enable (map (server:
- mkIf (server.enable && server.listen.udp.enable) server.listen.udp.port
- ) [ krb5 kticket4 kpasswd ]);
+ allowedUDPPorts = mkIf cfg.kerberos.enable (map (
+ server:
+ mkIf (server.enable && server.listen.udp.enable) server.listen.udp.port
+ ) [krb5 kticket4 kpasswd]);
 };
 };
 }
diff --git a/nixos/access/freepbx.nix b/nixos/access/freepbx.nix
index 76b1f012..9fce1be1 100644
--- a/nixos/access/freepbx.nix
+++ b/nixos/access/freepbx.nix
@@ -13,8 +13,15 @@ in {
 config.services.nginx = {
 virtualHosts = let
 proxyScheme = "https";
- url = access.proxyUrlFor { serviceName = "freepbx"; portName = proxyScheme; };
- ucpUrl = access.proxyUrlFor { serviceName = "freepbx"; portName = "ucp-ssl"; getAddressFor = "getAddress4For"; };
+ url = access.proxyUrlFor {
+ serviceName = "freepbx";
+ portName = proxyScheme;
+ };
+ ucpUrl = access.proxyUrlFor {
+ serviceName = "freepbx";
+ portName = "ucp-ssl";
+ getAddressFor = "getAddress4For";
+ };
 ucpPath = "/socket.io"; # TODO: ports.asterisk/asterisk-ssl?
 extraConfig = ''
@@ -23,7 +30,7 @@ in {
 proxy_busy_buffers_size 256k;
 '';
 locations = {
- "/" = { xvars, ... }: {
+ "/" = {xvars, ...}: {
 xvars.enable = true;
 proxy = {
 enable = true;
@@ -33,7 +40,11 @@ in {
 };
 };
 };
- ${ucpPath} = { xvars, virtualHost, ... }: {
+ ${ucpPath} = {
+ xvars,
+ virtualHost,
+ ...
+ }: {
 proxy = {
 enable = true;
 websocket.enable = true;
@@ -63,12 +74,12 @@ in {
 listen' = {
 ucp = {
 port = mkDefault freepbx.ports.ucp.port;
- extraParameters = [ "default_server" ];
+ extraParameters = ["default_server"];
 };
 ucpSsl = {
 port = mkDefault freepbx.ports.ucp-ssl.port;
 ssl = true;
- extraParameters = [ "default_server" ];
+ extraParameters = ["default_server"];
 };
 };
 proxy = {
@@ -84,7 +95,7 @@ in {
 };
 freepbx'local = {
 listen' = {
- http = { };
+ http = {};
 https.ssl = true;
 ucp = {
 port = mkDefault nginx.virtualHosts.freepbx'ucp.listen'.ucp.port;
@@ -103,9 +114,11 @@ in {
 };
 };
 config.networking.firewall = let
- websocketPorts = virtualHost: [
- virtualHost.listen'.ucp.port
- ] ++ optional virtualHost.listen'.ucpSsl.enable virtualHost.listen'.ucpSsl.port;
+ websocketPorts = virtualHost:
+ [
+ virtualHost.listen'.ucp.port
+ ]
+ ++ optional virtualHost.listen'.ucpSsl.enable virtualHost.listen'.ucpSsl.port;
 in {
 interfaces.local.allowedTCPPorts = websocketPorts nginx.virtualHosts.freepbx'local;
 allowedTCPPorts = mkIf (!nginx.virtualHosts.freepbx'ucp.local.denyGlobal) (websocketPorts nginx.virtualHosts.freepbx'ucp);
diff --git a/nixos/access/grocy.nix b/nixos/access/grocy.nix
index 0e3a05ef..964b5741 100644
--- a/nixos/access/grocy.nix
+++ b/nixos/access/grocy.nix
@@ -20,7 +20,11 @@
 headers.set.X-Grocy-User = mkOptionDefault "$grocy_user";
 };
 };
- luaAuthHost = { config, xvars, ... }: {
+ luaAuthHost = {
+ config,
+ xvars,
+ ...
+ }: {
 vouch.auth.lua = {
 enable = true;
 accessRequest = ''
@@ -56,16 +60,20 @@ in {
 proxied.enable = true;
 local.denyGlobal = true;
 };
- grocy = mkMerge [ luaAuthHost {
- inherit name extraConfig locations;
- vouch.enable = true;
- proxy = {
- upstream = mkIf grocy.enable (mkDefault
- "nginx'proxied"
- );
- host = mkDefault serverName;
- };
- } ];
+ grocy = mkMerge [
+ luaAuthHost
+ {
+ inherit name extraConfig locations;
+ vouch.enable = true;
+ proxy = {
+ upstream = mkIf grocy.enable (
+ mkDefault
+ "nginx'proxied"
+ );
+ host = mkDefault serverName;
+ };
+ }
+ ];
 grocy'local = {
 inherit name;
 local.enable = mkDefault true;
@@ -78,20 +86,23 @@ in {
 proxy.enable = true;
 };
 };
- grocy'local'int = mkMerge [ luaAuthHost {
- # internal proxy workaround for http2 lua compat issues
- serverName = serverName'local;
- inherit name extraConfig locations;
- proxy = {
- upstream = mkDefault nginx.virtualHosts.grocy.proxy.upstream;
- host = mkDefault nginx.virtualHosts.grocy.proxy.host;
- };
- proxied.enable = true;
- vouch = {
- enable = true;
- localSso.enable = true;
- };
- } ];
+ grocy'local'int = mkMerge [
+ luaAuthHost
+ {
+ # internal proxy workaround for http2 lua compat issues
+ serverName = serverName'local;
+ inherit name extraConfig locations;
+ proxy = {
+ upstream = mkDefault nginx.virtualHosts.grocy.proxy.upstream;
+ host = mkDefault nginx.virtualHosts.grocy.proxy.host;
+ };
+ proxied.enable = true;
+ vouch = {
+ enable = true;
+ localSso.enable = true;
+ };
+ }
+ ];
 };
 };
 }
diff --git a/nixos/access/home-assistant.nix b/nixos/access/home-assistant.nix
index 25cb3e5c..e9876a48 100644
--- a/nixos/access/home-assistant.nix
+++ b/nixos/access/home-assistant.nix
@@ -7,12 +7,12 @@
 inherit (config.services) nginx home-assistant;
 name.shortServer = mkDefault "home";
 listen' = {
- http = { };
+ http = {};
 https.ssl = true;
 hass = {
 enable = !home-assistant.enable;
 port = mkDefault home-assistant.config.http.server_port;
- extraParameters = [ "default_server" ];
+ extraParameters = ["default_server"];
 };
 };
 upstreamName = "home-assistant'access";
@@ -24,7 +24,7 @@ in {
 addr = mkDefault "localhost";
 port = mkIf home-assistant.enable (mkDefault home-assistant.config.http.server_port);
 };
- service = { upstream, ... }: {
+ service = {upstream, ...}: {
 enable = mkIf upstream.servers.local.enable (mkDefault false);
 accessService = {
 name = "home-assistant";
@@ -63,7 +63,8 @@ in {
 };
 config.networking.firewall.allowedTCPPorts = let
 inherit (nginx.virtualHosts.home-assistant'local) listen';
- in mkIf nginx.virtualHosts.home-assistant'local.enable [
- (mkIf listen'.hass.enable listen'.hass.port)
- ];
+ in
+ mkIf nginx.virtualHosts.home-assistant'local.enable [
+ (mkIf listen'.hass.enable listen'.hass.port)
+ ];
 }
diff --git a/nixos/access/invidious.nix b/nixos/access/invidious.nix
index 14037793..6a6fe7f4 100644
--- a/nixos/access/invidious.nix
+++ b/nixos/access/invidious.nix
@@ -19,7 +19,7 @@ in {
 addr = mkDefault "localhost";
 port = mkIf cfg.enable (mkDefault cfg.port);
 };
- service = { upstream, ... }: {
+ service = {upstream, ...}: {
 enable = mkIf upstream.servers.local.enable (mkDefault false);
 accessService = {
 name = "invidious";
@@ -40,7 +40,7 @@ in {
 proxy_redirect off;
 proxy_buffering off;
 '';
- location = { xvars, ... }: {
+ location = {xvars, ...}: {
 proxy = {
 enable = true;
 websocket.enable = true;
@@ -61,7 +61,11 @@ in {
 upstream = "nginx'proxied";
 host = mkDefault nginx.virtualHosts.invidious'int.serverName;
 };
- locations."/" = { xvars, virtualHost, ... }: {
+ locations."/" = {
+ xvars,
+ virtualHost,
+ ...
+ }: {
 proxy.enable = true;
 extraConfig = ''
 proxy_http_version 1.1;
@@ -72,7 +76,11 @@ in {
 '';
 };
 };
- invidious'int = { config, xvars, ... }: {
+ invidious'int = {
+ config,
+ xvars,
+ ...
+ }: {
 serverName = "@invidious_internal";
 proxied.enable = true;
 local.denyGlobal = true;
@@ -115,7 +123,7 @@ in {
 };
 inherit extraConfig;
 };
- invidious'local = { xvars, ... }: {
+ invidious'local = {xvars, ...}: {
 local.enable = true;
 ssl.cert.copyFromVhost = "invidious";
 proxy = {
diff --git a/nixos/access/keycloak.nix b/nixos/access/keycloak.nix
index 0f598c8b..87d914cf 100644
--- a/nixos/access/keycloak.nix
+++ b/nixos/access/keycloak.nix
@@ -18,7 +18,7 @@ in {
 port = mkDefault cfg.port;
 ssl.enable = mkIf (cfg.protocol == "https") true;
 };
- access = { upstream, ... }: {
+ access = {upstream, ...}: {
 enable = mkDefault (!upstream.servers.local.enable or false);
 accessService = {
 name = "keycloak";
diff --git a/nixos/access/kitchencam.nix b/nixos/access/kitchencam.nix
index 3f43a85a..6c7a516f 100644
--- a/nixos/access/kitchencam.nix
+++ b/nixos/access/kitchencam.nix
@@ -12,8 +12,15 @@ in {
 config.services.nginx = {
 virtualHosts = let
- url = access.proxyUrlFor { inherit system; service = motion; };
- streamUrl = access.proxyUrlFor { inherit system; service = motion; portName = "stream"; };
+ url = access.proxyUrlFor {
+ inherit system;
+ service = motion;
+ };
+ streamUrl = access.proxyUrlFor {
+ inherit system;
+ service = motion;
+ portName = "stream";
+ };
 extraConfig = ''
 proxy_redirect off;
 proxy_buffering off;
@@ -32,7 +39,7 @@ in {
 };
 };
 listen' = {
- http = { };
+ http = {};
 https.ssl = true;
 stream = {
 enable = mkDefault motion.ports.stream.enable;
@@ -49,9 +56,12 @@ in {
 inherit name listen';
 ssl.cert.copyFromVhost = "kitchencam";
 local.enable = true;
- locations = mapAttrs (name: location: location // {
- proxyPass = mkDefault nginx.virtualHosts.kitchencam.locations.${name}.proxyPass;
- }) locations;
+ locations = mapAttrs (name: location:
+ location
+ // {
+ proxyPass = mkDefault nginx.virtualHosts.kitchencam.locations.${name}.proxyPass;
+ })
+ locations;
 };
 };
 };
diff --git a/nixos/access/ldap.nix b/nixos/access/ldap.nix
index 1741a9b5..38630f6a 100644
--- a/nixos/access/ldap.nix
+++ b/nixos/access/ldap.nix
@@ -4,8 +4,7 @@
 gensokyo-zone,
 access,
 ...
-}:
-let
+}: let
 inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
 inherit (lib.options) mkOption;
 inherit (lib.modules) mkIf mkOptionDefault;
@@ -42,7 +41,7 @@ in {
 inherit (nginx.stream.upstreams.ldaps.servers.access.accessService) system name id port;
 };
 };
- ldap = { upstream, ... }: {
+ ldap = {upstream, ...}: {
 enable = mkIf upstream.servers.ldaps.enable false;
 accessService = {
 inherit (nginx.stream.upstreams.ldap.servers.access.accessService) system name id port;
@@ -54,7 +53,7 @@ in {
 name = "ldap";
 };
 };
- ldaps = { config, ... }: {
+ ldaps = {config, ...}: {
 enable = mkAlmostOptionDefault config.servers.access.enable;
 servers.access = {
 accessService = {
diff --git a/nixos/access/mosquitto.nix b/nixos/access/mosquitto.nix
index efb92519..fee9debc 100644
--- a/nixos/access/mosquitto.nix
+++ b/nixos/access/mosquitto.nix
@@ -4,8 +4,7 @@
 access,
 gensokyo-zone,
 ...
-}:
-let
+}: let
 inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
 inherit (lib.modules) mkIf mkOptionDefault;
 inherit (config.services) nginx;
@@ -42,7 +41,9 @@ in {
 };
 };
 proxy.upstream = mkAlmostOptionDefault (
- if nginx.stream.upstreams.mqtts.enable then "mqtts" else "mqtt"
+ if nginx.stream.upstreams.mqtts.enable
+ then "mqtts"
+ else "mqtt"
 );
 };
 };
diff --git a/nixos/access/nginx.nix b/nixos/access/nginx.nix
index 7b341098..26cd13e2 100644
--- a/nixos/access/nginx.nix
+++ b/nixos/access/nginx.nix
@@ -1,4 +1,8 @@
-{config, lib, ...}: let
+{
+ config,
+ lib,
+ ...
+}: let
 inherit (lib.modules) mkIf;
 cfg = config.services.nginx;
 in {
diff --git a/nixos/access/openwebrx.nix b/nixos/access/openwebrx.nix
index fa89f2cd..755f83c0 100644
--- a/nixos/access/openwebrx.nix
+++ b/nixos/access/openwebrx.nix
@@ -15,7 +15,7 @@ in {
 addr = mkDefault "localhost";
 port = mkIf openwebrx.enable (mkDefault openwebrx.port);
 };
- service = { upstream, ... }: {
+ service = {upstream, ...}: {
 enable = mkIf upstream.servers.local.enable (mkDefault false);
 accessService = {
 name = "openwebrx";
diff --git a/nixos/access/plex.nix b/nixos/access/plex.nix
index 4294f5b1..3ad8f2a2 100644
--- a/nixos/access/plex.nix
+++ b/nixos/access/plex.nix
@@ -16,7 +16,7 @@ in {
 addr = mkDefault "localhost";
 port = mkDefault cfg.port;
 };
- access = { upstream, ... }: {
+ access = {upstream, ...}: {
 enable = mkDefault (!upstream.servers.local.enable);
 accessService.name = "plex";
 };
@@ -65,12 +65,12 @@ in {
 inherit name locations extraConfig;
 proxy.upstream = mkDefault upstreamName;
 listen' = {
- http = { };
+ http = {};
 https.ssl = true;
 external = {
 enable = mkDefault false;
 port = mkDefault 32400;
- extraParameters = [ "default_server" ];
+ extraParameters = ["default_server"];
 };
 };
 };
@@ -88,7 +88,8 @@ in {
 };
 config.networking.firewall.allowedTCPPorts = let
 inherit (nginx.virtualHosts.plex) listen';
- in mkIf listen'.external.enable [
- listen'.external.port
- ];
+ in
+ mkIf listen'.external.enable [
+ listen'.external.port
+ ];
 }
diff --git a/nixos/access/proxmox.nix b/nixos/access/proxmox.nix
index 3fa4932c..97eff709 100644
--- a/nixos/access/proxmox.nix
+++ b/nixos/access/proxmox.nix
@@ -7,7 +7,7 @@
 inherit (lib.modules) mkDefault;
 inherit (lib.strings) escapeRegex;
 inherit (config.services) nginx tailscale;
- proxyPass = access.proxyUrlFor { serviceName = "proxmox"; } + "/";
+ proxyPass = access.proxyUrlFor {serviceName = "proxmox";} + "/";
 in {
 config.services.nginx.virtualHosts = let
 locations."/" = {
diff --git a/nixos/access/unifi.nix b/nixos/access/unifi.nix
index 636cfb18..91e1c9da 100644
--- a/nixos/access/unifi.nix
+++ b/nixos/access/unifi.nix
@@ -16,7 +16,7 @@ in {
 port = mkDefault 8443;
 ssl.enable = mkDefault true;
 };
- access = { upstream, ... }: {
+ access = {upstream, ...}: {
 enable = mkDefault (!upstream.servers.local.enable);
 accessService = {
 name = "unifi";
diff --git a/nixos/access/vouch.nix b/nixos/access/vouch.nix
index 0ad0a366..77b24e4b 100644
--- a/nixos/access/vouch.nix
+++ b/nixos/access/vouch.nix
@@ -28,7 +28,11 @@ in {
 proxy_redirect default;
 '';
 };
- "/validate" = {config, virtualHost, ...}: {
+ "/validate" = {
+ config,
+ virtualHost,
+ ...
+ }: {
 proxied.enable = true;
 proxy.enable = true;
 local.denyGlobal = true;
@@ -36,9 +40,9 @@ in {
 };
 name.shortServer = mkDefault "login";
 in {
- vouch = { xvars, ... }: {
+ vouch = {xvars, ...}: {
 inherit name locations;
- serverAliases = [ nginx.vouch.doubleProxy.serverName ];
+ serverAliases = [nginx.vouch.doubleProxy.serverName];
 proxied.enable = true;
 proxy = {
 upstream = mkDefault "vouch'access";
@@ -46,12 +50,12 @@ in {
 };
 local.denyGlobal = true;
 };
- vouch'local = { xvars, ... }: {
+ vouch'local = {xvars, ...}: {
 name = {
 inherit (name) shortServer;
 includeTailscale = mkDefault false;
 };
- serverAliases = mkIf cfg.enable [ nginx.vouch.doubleProxy.localServerName ];
+ serverAliases = mkIf cfg.enable [nginx.vouch.doubleProxy.localServerName];
 proxied.enable = true;
 proxy = {
 upstream = mkDefault "vouch'access'local";
@@ -64,7 +68,7 @@ in {
 };
 inherit locations;
 };
- vouch'tail = { xvars, ... }: {
+ vouch'tail = {xvars, ...}: {
 enable = mkDefault (tailscale.enable && !nginx.virtualHosts.vouch'local.name.includeTailscale);
 ssl.cert.copyFromVhost = "vouch'local";
 name = {
diff --git a/nixos/access/zigbee2mqtt.nix b/nixos/access/zigbee2mqtt.nix
index cbb261e9..f93af0de 100644
--- a/nixos/access/zigbee2mqtt.nix
+++ b/nixos/access/zigbee2mqtt.nix
@@ -15,7 +15,7 @@ in {
 addr = mkDefault "localhost";
 port = mkIf zigbee2mqtt.enable (mkDefault zigbee2mqtt.settings.frontend.port);
 };
- service = { upstream, ... }: {
+ service = {upstream, ...}: {
 enable = mkIf upstream.servers.local.enable (mkDefault false);
 accessService = {
 name = "zigbee2mqtt";
diff --git a/nixos/acme.nix b/nixos/acme.nix
index bf7aae0a..c7726ab2 100644
--- a/nixos/acme.nix
+++ b/nixos/acme.nix
@@ -64,7 +64,7 @@ in {
 acme_cloudflare_token = acmeSecret;
 };
 systemd.services = let
- after = [ "systemd-tmpfiles-resetup.service" ];
+ after = ["systemd-tmpfiles-resetup.service"];
 in {
 acme-fixperms = {
 inherit after;
diff --git a/nixos/barcodebuddy.nix b/nixos/barcodebuddy.nix
index 53d2a4fd..a1fadc5e 100644
--- a/nixos/barcodebuddy.nix
+++ b/nixos/barcodebuddy.nix
@@ -1,4 +1,9 @@
-{config, access, lib, ...}: let
+{
+ config,
+ access,
+ lib,
+ ...
+}: let
 inherit (lib.modules) mkIf mkDefault;
 inherit (config.services) nginx;
 cfg = config.services.barcodebuddy;
@@ -28,14 +33,15 @@ in {
 };
 config.systemd.services = let
 gensokyo-zone.sharedMounts.barcodebuddy.path = mkDefault cfg.dataDir;
- in mkIf cfg.enable {
- phpfpm-barcodebuddy = {
- inherit gensokyo-zone;
+ in
+ mkIf cfg.enable {
+ phpfpm-barcodebuddy = {
+ inherit gensokyo-zone;
+ };
+ bbuddy-websocket = mkIf cfg.screen.enable {
+ inherit gensokyo-zone;
+ };
 };
- bbuddy-websocket = mkIf cfg.screen.enable {
- inherit gensokyo-zone;
- };
- };
 config.sops.secrets.barcodebuddy-fastcgi-params = mkIf cfg.enable {
 sopsFile = mkDefault ./secrets/barcodebuddy.yaml;
 owner = mkDefault nginx.user;
diff --git a/nixos/base/locale.nix b/nixos/base/locale.nix
index 56ba022a..cb8441c0 100644
--- a/nixos/base/locale.nix
+++ b/nixos/base/locale.nix
@@ -1,7 +1,4 @@
-{
- pkgs,
- ...
-}: {
+{pkgs, ...}: {
 fonts.packages = [
 pkgs.tamzen
 ];
diff --git a/nixos/base/network.nix b/nixos/base/network.nix
index 8559d9e0..8cdc693f 100644
--- a/nixos/base/network.nix
+++ b/nixos/base/network.nix
@@ -14,13 +14,19 @@ in {
 hostName = mkOverride 25 name;
 nameservers' = [
 #{ address = "8.8.8.8"; host = "dns.google"; }
- { address = "1.1.1.1"; host = "cloudflare-dns.com"; }
- { address = "1.0.0.1"; host = "cloudflare-dns.com"; }
+ {
+ address = "1.1.1.1";
+ host = "cloudflare-dns.com";
+ }
+ {
+ address = "1.0.0.1";
+ host = "cloudflare-dns.com";
+ }
 ];
 };
 # work around https://github.com/NixOS/nixpkgs/issues/132646
 system.nssDatabases.hosts = mkIf config.services.resolved.enable (
- mkOrder 450 [ "files" ]
+ mkOrder 450 ["files"]
 );
 }
diff --git a/nixos/base/nix.nix b/nixos/base/nix.nix
index 072901de..a41b8451 100644
--- a/nixos/base/nix.nix
+++ b/nixos/base/nix.nix
@@ -23,12 +23,14 @@ in { lock = importJSON ../../flake.lock; mapFlake = name: let node = lock.nodes.${name}; - in { - inherit (node.original) type; - inherit (node.locked) lastModified rev narHash; - } // optionalAttrs (node.original.type == "github") { - inherit (node.original) repo owner; - }; + in + { + inherit (node.original) type; + inherit (node.locked) lastModified rev narHash; + } + // optionalAttrs (node.original.type == "github") { + inherit (node.original) repo owner; + }; in { nixpkgs.to = mapFlake "nixpkgs"; arc.to = mapFlake "arcexprs"; @@ -40,7 +42,7 @@ in { }; }; settings = { - allowed-users = [ "@nixbuilder" ]; + allowed-users = ["@nixbuilder"]; experimental-features = lib.optional (lib.versionAtLeast config.nix.package.version "2.4") "nix-command flakes"; substituters = [ "https://gensokyo-infrastructure.cachix.org" @@ -67,7 +69,7 @@ in { }; optimise = { automatic = mkAlmostDefault true; - dates = mkDefault [ "03:25" ]; + dates = mkDefault ["03:25"]; }; }; ${ diff --git a/nixos/cross/aarch64.nix b/nixos/cross/aarch64.nix index f8f18e10..45e03db0 100644 --- a/nixos/cross/aarch64.nix +++ b/nixos/cross/aarch64.nix @@ -1,21 +1,28 @@ -{ pkgs, config, lib, ... }: let +{ + pkgs, + config, + lib, + ... +}: let inherit (lib.options) mkEnableOption mkPackageOption; inherit (lib.modules) mkIf; cfg = config.boot.binfmt.cross.aarch64; in { options = { boot.binfmt.cross.aarch64 = { - enable = mkEnableOption "qemu-aarch64" // { - default = true; - }; - package = mkPackageOption pkgs "qemu" { }; + enable = + mkEnableOption "qemu-aarch64" + // { + default = true; + }; + package = mkPackageOption pkgs "qemu" {}; armv7l = mkEnableOption "arm.cachix.org"; }; }; config = { boot.binfmt = { - emulatedSystems = mkIf cfg.enable [ "aarch64-linux" ]; + emulatedSystems = mkIf cfg.enable ["aarch64-linux"]; registrations.aarch64-linux = mkIf cfg.enable { interpreter = "${cfg.package}/bin/qemu-aarch64"; wrapInterpreterInShell = false; 
@@ -23,8 +30,8 @@ in { }; nix.settings = mkIf cfg.armv7l { - substituters = [ "https://arm.cachix.org/" ]; - trusted-public-keys = [ "arm.cachix.org-1:5BZ2kjoL1q6nWhlnrbAl+G7ThY7+HaBRD9PZzqZkbnM=" ]; + substituters = ["https://arm.cachix.org/"]; + trusted-public-keys = ["arm.cachix.org-1:5BZ2kjoL1q6nWhlnrbAl+G7ThY7+HaBRD9PZzqZkbnM="]; }; }; } diff --git a/nixos/dnsmasq.nix b/nixos/dnsmasq.nix index f50d83e8..e36b2578 100644 --- a/nixos/dnsmasq.nix +++ b/nixos/dnsmasq.nix 
@@ -13,38 +13,49 @@ inherit (lib.trivial) mapNullable flip; cfg = config.services.dnsmasq; inherit (gensokyo-zone) systems; - localSystems = filterAttrs (_: system: - system.config.access.online.enable && system.config.network.networks.local.enable or false - ) systems; + localSystems = + filterAttrs ( + _: system: + system.config.access.online.enable && system.config.network.networks.local.enable or false + ) + systems; mkHostRecordPairs = _: system: [ (mkHostRecordPair "int" system) (mkHostRecordPair "local" system) (mkHostRecordPair "tail" system) ]; - mapDynamic4 = replaceStrings [ "10.1.1." ] [ "0.0.0." ]; - mapDynamic6 = replaceStrings [ "fd0a::" ] [ "2001::" ]; + mapDynamic4 = replaceStrings ["10.1.1."] ["0.0.0."]; + mapDynamic6 = replaceStrings ["fd0a::"] ["2001::"]; mkDynamicHostRecord = _: system: let address4 = system.config.network.networks.local.address4 or null; address6 = system.config.network.networks.local.address6 or null; - in concatStringsSep "," ([ - system.config.access.fqdn - ] ++ optional (address4 != null) - (toString (mapNullable mapDynamic4 address4)) - ++ optional (address6 != null) - (toString (mapNullable mapDynamic6 address6)) - ++ singleton - cfg.dynamic.interface - ); + in + concatStringsSep "," ( + [ + system.config.access.fqdn + ] + ++ optional (address4 != null) + (toString (mapNullable mapDynamic4 address4)) + ++ optional (address6 != null) + (toString (mapNullable mapDynamic6 address6)) + ++ singleton + cfg.dynamic.interface + ); mkHostRecordPair = network: system: let address4 = system.config.network.networks.${network}.address4 or null; address6 = system.config.network.networks.${network}.address6 or null; fqdn = system.config.network.networks.${network}.fqdn or null; - in nameValuePair - (if fqdn != null then fqdn else "${network}.${system.config.access.fqdn}") + in + nameValuePair + ( + if fqdn != null + then fqdn + else "${network}.${system.config.access.fqdn}" + ) (concatStringsSep "," ( - optional (address4 != null) + 
optional (address4 != null) (toString address4) - ++ optional (address6 != null) + ++ optional (address6 != null) (toString address6) )); systemHosts = filterAttrs (_: value: value != "") ( @@ -93,15 +104,16 @@ in { "mco.cubecraft.net" ]; bedrockRecords = map (flip mkHostRecord bedrockRecord) bedrockRecordNames; - in mkMerge [ - (mapAttrsToList mkHostRecord systemHosts) - (mkIf (cfg.bedrockConnect.address != null || cfg.bedrockConnect.address6 != null) bedrockRecords) - ]; + in + mkMerge [ + (mapAttrsToList mkHostRecord systemHosts) + (mkIf (cfg.bedrockConnect.address != null || cfg.bedrockConnect.address6 != null) bedrockRecords) + ]; dynamic-host = mapAttrsToList mkDynamicHostRecord localSystems; server = - if config.networking.nameservers' != [ ] then map (ns: ns.address) (filter filterns' config.networking.nameservers') - else filter filterns config.networking.nameservers - ; + if config.networking.nameservers' != [] + then map (ns: ns.address) (filter filterns' config.networking.nameservers') + else filter filterns config.networking.nameservers; max-cache-ttl = 60; }; bedrockConnect = let @@ -118,11 +130,11 @@ in { }; networking = mkIf cfg.enable { firewall = { - interfaces.local.allowedTCPPorts = [ 53 ]; - interfaces.local.allowedUDPPorts = [ 53 ]; + interfaces.local.allowedTCPPorts = [53]; + interfaces.local.allowedUDPPorts = [53]; }; nameservers' = mkIf cfg.resolveLocalQueries' (mkBefore [ - { address = "127.0.0.1"; } + {address = "127.0.0.1";} ]); }; }; diff --git a/nixos/grocy.nix b/nixos/grocy.nix index 278786bb..a3686a04 100644 --- a/nixos/grocy.nix +++ b/nixos/grocy.nix @@ -1,4 +1,8 @@ -{config, lib, ...}: let +{ + config, + lib, + ... +}: let inherit (lib.modules) mkIf mkMerge mkBefore mkDefault; cfg = config.services.grocy; in { 
@@ -72,13 +76,14 @@ in { }; systemd.services = let gensokyo-zone.sharedMounts.grocy.path = mkDefault cfg.dataDir; - in mkIf cfg.enable { - grocy-setup = { - inherit gensokyo-zone; + in + mkIf cfg.enable { + grocy-setup = { + inherit gensokyo-zone; + }; + phpfpm-grocy = { + inherit gensokyo-zone; + }; }; - phpfpm-grocy = { - inherit gensokyo-zone; - }; - }; }; } diff --git a/nixos/int.nix b/nixos/int.nix index 45dc5d03..4392c78f 100644 --- a/nixos/int.nix +++ b/nixos/int.nix @@ -1,4 +1,8 @@ -{lib, access, ...}: let +{ + lib, + access, + ... +}: let inherit (lib.modules) mkDefault; in { config = { @@ -9,7 +13,7 @@ in { ipv6SendRAConfig = { Managed = mkDefault false; EmitDNS = mkDefault true; - DNS = [ (access.systemForService "dnsmasq").access.address6ForNetwork.int ]; + DNS = [(access.systemForService "dnsmasq").access.address6ForNetwork.int]; # Domains = [ "int.${networking.domain}" ]; EmitDomains = mkDefault false; RouterPreference = mkDefault "low"; diff --git a/nixos/ipa.nix b/nixos/ipa.nix index 334a095a..266f2236 100644 --- a/nixos/ipa.nix +++ b/nixos/ipa.nix @@ -1,4 +1,8 @@ -{ config, lib, ... }: let +{ + config, + lib, + ... +}: let inherit (lib.modules) mkDefault; in { # NOTE: requires manual post-install setup... diff --git a/nixos/keycloak.nix b/nixos/keycloak.nix index c2b36d46..2d92685f 100644 --- a/nixos/keycloak.nix +++ b/nixos/keycloak.nix @@ -1,4 +1,11 @@ -{inputs, system, access, config, lib, ...}: let +{ + inputs, + system, + access, + config, + lib, + ... +}: let inherit (lib.modules) mkIf mkForce mkDefault; inherit (lib.lists) optional; cfg = config.services.keycloak; @@ -20,9 +27,10 @@ in { sopsFile = ./secrets/keycloak.yaml; owner = "keycloak"; }; - in mkIf cfg.enable { - keycloak_db_password = commonSecret; - }; + in + mkIf cfg.enable { + keycloak_db_password = commonSecret; + }; users = mkIf cfg.enable { users.keycloak = { isSystemUser = true; 
@@ -54,8 +62,16 @@ in { }; settings = { - hostname = mkDefault (if hostname-strict then hostname else null); - proxy = mkDefault (if cfg.protocol == "https" then "reencrypt" else "edge"); + hostname = mkDefault ( + if hostname-strict + then hostname + else null + ); + proxy = mkDefault ( + if cfg.protocol == "https" + then "reencrypt" + else "edge" + ); hostname-strict = mkDefault hostname-strict; hostname-strict-https = mkDefault hostname-strict; proxy-headers = mkDefault "xforwarded"; diff --git a/nixos/krb5.nix b/nixos/krb5.nix index e80b9745..9dc9222a 100644 --- a/nixos/krb5.nix +++ b/nixos/krb5.nix @@ -1,4 +1,11 @@ -{ inputs, pkgs, config, access, lib, ... }: let +{ + inputs, + pkgs, + config, + access, + lib, + ... +}: let inherit (inputs.self.lib.lib) mkAlmostOptionDefault mapAlmostOptionDefaults; inherit (lib.modules) mkIf mkMerge mkBefore mkDefault mkOptionDefault; inherit (lib.strings) replaceStrings; @@ -17,7 +24,7 @@ in { }; }; gensokyo-zone = let - toLdap = replaceStrings [ "idp." ] [ "ldap." ]; + toLdap = replaceStrings ["idp."] ["ldap."]; system = access.systemForService "kerberos"; lanName = access.getHostnameFor system.name "lan"; localName = access.getHostnameFor system.name "local"; @@ -28,8 +35,8 @@ in { host = mkAlmostOptionDefault lanName; ldap = { urls = mkMerge [ - (mkOptionDefault (mkBefore [ "ldaps://${ldapLan}" ])) - (mkIf (ldapLan != ldapLocal) (mkOptionDefault (mkBefore [ "ldaps://${ldapLan}" ]))) + (mkOptionDefault (mkBefore ["ldaps://${ldapLan}"])) + (mkIf (ldapLan != ldapLocal) (mkOptionDefault (mkBefore ["ldaps://${ldapLan}"]))) ]; bind.passwordFile = mkIf (cfg.gensokyo-zone.db.backend == "kldap") config.sops.secrets.gensokyo-zone-krb5-passwords.path; }; 
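Review bot: In the `ldap.urls` mkMerge of nixos/krb5.nix the second entry is guarded by `ldapLan != ldapLocal` but still interpolates `ldapLan`, so it only ever adds a duplicate of the first URL and the local LDAP endpoint is never listed; this looks like a copy-paste slip that the reformat carried over, and the intended line is presumably `(mkIf (ldapLan != ldapLocal) (mkOptionDefault (mkBefore ["ldaps://${ldapLocal}"])))`. Because these are the URLs the KDC's kldap backend binds to, the host silently falls back to the LAN name even on the local network, which is worth confirming against how `ldapLocal` is derived. The enclosing `let` that defines `ldapLan` and `ldapLocal` starts outside the hunk.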
@@ -52,7 +59,7 @@ in { sysAccountDnSuffix = mkDefault "cn=sysaccounts,cn=etc,"; domainDnSuffix = mkDefault "cn=ad,cn=etc,"; }; - networking.timeServers = [ "2.fedora.pool.ntp.org" ]; + networking.timeServers = ["2.fedora.pool.ntp.org"]; security.ipa = { chromiumSupport = mkDefault false; }; @@ -68,24 +75,26 @@ in { kinit -k host/${config.networking.fqdn} ''; - in mkIf enabled { - path = [ config.security.krb5.package ]; - serviceConfig = { - Type = mkOptionDefault "oneshot"; - ExecStart = [ "${krb5-host}" ]; + in + mkIf enabled { + path = [config.security.krb5.package]; + serviceConfig = { + Type = mkOptionDefault "oneshot"; + ExecStart = ["${krb5-host}"]; + }; }; - }; sops.secrets = let sopsFile = mkDefault ./secrets/krb5.yaml; - in mkIf enabled { - krb5-keytab = { - mode = "0400"; - path = "/etc/krb5.keytab"; + in + mkIf enabled { + krb5-keytab = { + mode = "0400"; + path = "/etc/krb5.keytab"; + }; + gensokyo-zone-krb5-passwords = mkIf (cfg.gensokyo-zone.db.backend == "kldap") { + inherit sopsFile; + }; }; - gensokyo-zone-krb5-passwords = mkIf (cfg.gensokyo-zone.db.backend == "kldap") { - inherit sopsFile; - }; - }; }; } diff --git a/nixos/kyuuto/nfs.nix b/nixos/kyuuto/nfs.nix index 91140c32..2ff3ed81 100644 --- a/nixos/kyuuto/nfs.nix +++ b/nixos/kyuuto/nfs.nix @@ -10,7 +10,7 @@ inherit (config) kyuuto; inherit (config.services.nfs.export) flagSets; nfsRoot = { - __toString = _: config.services.nfs.export.root.path; + __toString = _: config.services.nfs.export.root.path; transfer = "${nfsRoot}/kyuuto/transfer"; media = "${nfsRoot}/kyuuto/media"; }; 
@@ -19,16 +19,16 @@ in { export = { paths = { ${nfsRoot.media} = { - flags = flagSets.common ++ [ "fsid=128" ] ++ flagSets.secip ++ [ "rw" ] ++ flagSets.anon_ro; + flags = flagSets.common ++ ["fsid=128"] ++ flagSets.secip ++ ["rw"] ++ flagSets.anon_ro; clients = { local = { machine = flagSets.allClients; - flags = flagSets.seclocal ++ [ "rw" "no_all_squash" ]; + flags = flagSets.seclocal ++ ["rw" "no_all_squash"]; }; }; }; ${nfsRoot.transfer} = { - flags = flagSets.common ++ [ "fsid=129" ] ++ [ "rw" "async" ]; + flags = flagSets.common ++ ["fsid=129"] ++ ["rw" "async"]; clients = { local = { machine = flagSets.allClients; @@ -47,16 +47,17 @@ in { "nfs-mountd.service" ]; before = wantedBy; - in mkIf config.services.nfs.server.enable [ - { - inherit type options wantedBy before; - what = kyuuto.mountDir; - where = nfsRoot.media; - } - { - inherit type options wantedBy before; - what = kyuuto.transferDir; - where = nfsRoot.transfer; - } - ]; + in + mkIf config.services.nfs.server.enable [ + { + inherit type options wantedBy before; + what = kyuuto.mountDir; + where = nfsRoot.media; + } + { + inherit type options wantedBy before; + what = kyuuto.transferDir; + where = nfsRoot.transfer; + } + ]; } diff --git a/nixos/ldap/permissions.nix b/nixos/ldap/permissions.nix index 5c80715c..ea02adcb 100644 --- a/nixos/ldap/permissions.nix +++ b/nixos/ldap/permissions.nix @@ -1,4 +1,8 @@ -{config, lib, ...}: let +{ + config, + lib, + ... +}: let inherit (lib.modules) mkDefault; inherit (config.users) ldap; inherit (ldap.management) permissions; 
@@ -9,15 +13,33 @@ in { "Custom Anonymous User Read" = { bindType = "anonymous"; targetType = "user"; - attrs = [ "gidnumber" "homedirectory" "ipantsecurityidentifier" "loginshell" "manager" "objectclass" "title" "uid" "uidnumber" ]; + attrs = ["gidnumber" "homedirectory" "ipantsecurityidentifier" "loginshell" "manager" "objectclass" "title" "uid" "uidnumber"]; }; "Custom Permission Admin" = { location = ldap.permissionDnSuffix; target = "cn=*"; rights = "all"; attrs = [ - "member" "cn" "o" "ou" "owner" "description" "objectclass" "seealso" "businesscategory" - "ipapermtarget" "ipapermright" "ipapermincludedattr" "ipapermbindruletype" "ipapermexcludedattr" "ipapermtargetto" "ipapermissiontype" "ipapermlocation" "ipapermdefaultattr" "ipapermtargetfrom" "ipapermtargetfilter" + "member" + "cn" + "o" + "ou" + "owner" + "description" + "objectclass" + "seealso" + "businesscategory" + "ipapermtarget" + "ipapermright" + "ipapermincludedattr" + "ipapermbindruletype" + "ipapermexcludedattr" + "ipapermtargetto" + "ipapermissiontype" + "ipapermlocation" + "ipapermdefaultattr" + "ipapermtargetfrom" + "ipapermtargetfilter" ]; }; "Custom Privilege Admin" = { @@ -25,7 +47,16 @@ in { target = "cn=*"; rights = "all"; attrs = [ - "member" "memberof" "cn" "o" "ou" "owner" "description" "objectclass" "seealso" "businesscategory" + "member" + "memberof" + "cn" + "o" + "ou" + "owner" + "description" + "objectclass" + "seealso" + "businesscategory" ]; }; "Custom Role Admin" = { 
@@ -33,17 +64,26 @@ in { target = "cn=*"; rights = "all"; attrs = [ - "member" "memberof" "cn" "o" "ou" "owner" "description" "objectclass" "seealso" "businesscategory" + "member" + "memberof" + "cn" + "o" + "ou" + "owner" + "description" + "objectclass" + "seealso" + "businesscategory" ]; }; "Custom Role Modify" = { targetType = "role"; - rights = [ "write" "add" ]; + rights = ["write" "add"]; attrs = permissions."Custom Role Admin".attrs; }; "Custom Host Permission" = { targetType = "host"; - rights = [ "write" ]; + rights = ["write"]; attrs = [ "memberof" ]; @@ -52,21 +92,32 @@ in { targetType = "sysaccount"; rights = "all"; attrs = [ - "member" "memberof" "uid" "o" "ou" "description" "objectclass" "seealso" "businesscategory" - "passwordExpirationTime" "nsIdleTimeout" + "member" + "memberof" + "uid" + "o" + "ou" + "description" + "objectclass" + "seealso" + "businesscategory" + "passwordExpirationTime" + "nsIdleTimeout" ]; }; "Custom SysAccount Admin" = { location = ldap.sysAccountDnSuffix; target = "uid=*"; - rights = [ "add" "write" "delete" ]; - attrs = permissions."Custom SysAccount Permission".attrs ++ [ - "userPassword" - ]; + rights = ["add" "write" "delete"]; + attrs = + permissions."Custom SysAccount Permission".attrs + ++ [ + "userPassword" + ]; }; "Custom Service Permission" = { targetType = "service"; - rights = [ "write" ]; + rights = ["write"]; attrs = [ "memberof" ]; diff --git a/nixos/ldap/samba.nix b/nixos/ldap/samba.nix index 5bbd4312..71f804eb 100644 --- a/nixos/ldap/samba.nix +++ b/nixos/ldap/samba.nix 
@@ -1,68 +1,72 @@ -{config, lib, ...}: let +{ + config, + lib, + ... +}: let inherit (lib.modules) mkDefault; inherit (config.users) ldap; - smbAccountAttrs = [ "sambasid" "sambapwdlastset" "sambaacctflags" "sambapasswordhistory" "sambantpassword" ]; - smbGroupAttrs = [ "sambasid" "sambagrouptype" ]; - smbDomainAttrs = [ "sambasid" "sambaRefuseMachinePwdChange" "sambaMinPwdLength" "sambaAlgorithmicRidBase" "sambaPwdHistoryLength" "sambaDomainName" "sambaMinPwdAge" "sambaMaxPwdAge" "sambaLockoutThreshold" "sambaForceLogoff" "sambaLogonToChgPwd" "sambaLockoutObservationWindow" "sambaNextUserRid" "sambaLockoutDuration" ]; + smbAccountAttrs = ["sambasid" "sambapwdlastset" "sambaacctflags" "sambapasswordhistory" "sambantpassword"]; + smbGroupAttrs = ["sambasid" "sambagrouptype"]; + smbDomainAttrs = ["sambasid" "sambaRefuseMachinePwdChange" "sambaMinPwdLength" "sambaAlgorithmicRidBase" "sambaPwdHistoryLength" "sambaDomainName" "sambaMinPwdAge" "sambaMaxPwdAge" "sambaLockoutThreshold" "sambaForceLogoff" "sambaLogonToChgPwd" "sambaLockoutObservationWindow" "sambaNextUserRid" "sambaLockoutDuration"]; in { config.users.ldap.management = { enable = mkDefault true; permissions = { "Custom Samba User Read" = { targetType = "user"; - attrs = [ "ipanthash" "ipanthomedirectory" "ipanthomedirectorydrive" "ipantlogonscript" "ipantprofilepath" "ipantsecurityidentifier" ] ++ smbAccountAttrs; + attrs = ["ipanthash" "ipanthomedirectory" "ipanthomedirectorydrive" "ipantlogonscript" "ipantprofilepath" "ipantsecurityidentifier"] ++ smbAccountAttrs; }; "Custom Samba User Modify" = { targetType = "user"; - rights = [ "write" ]; + rights = ["write"]; attrs = smbAccountAttrs; }; "Custom Samba User Admin" = { targetType = "user"; - rights = [ "write" ]; - attrs = smbAccountAttrs ++ [ "objectclass" ]; + rights = ["write"]; + attrs = smbAccountAttrs ++ ["objectclass"]; }; "Custom Samba Group Read" = { targetType = "user-group"; - attrs = [ "ipantsecurityidentifier" "gidnumber" ] ++ smbGroupAttrs; 
+ attrs = ["ipantsecurityidentifier" "gidnumber"] ++ smbGroupAttrs; }; "Custom Samba Group Modify" = { targetType = "user-group"; - rights = [ "write" ]; + rights = ["write"]; attrs = smbGroupAttrs; }; "Custom Samba Group Admin" = { targetType = "user-group"; - rights = [ "write" ]; - attrs = smbGroupAttrs ++ [ "objectclass" ]; + rights = ["write"]; + attrs = smbGroupAttrs ++ ["objectclass"]; }; "Custom Samba Domain Read" = { targetType = "samba-domain"; - attrs = [ "objectClass" ] ++ smbDomainAttrs; + attrs = ["objectClass"] ++ smbDomainAttrs; }; "Custom Samba Domain Modify" = { targetType = "samba-domain"; - rights = [ "write" "add" ]; + rights = ["write" "add"]; attrs = smbDomainAttrs; }; "Custom Samba Domain Admin" = { targetType = "domain"; - rights = [ "write" ]; - attrs = smbDomainAttrs ++ [ "objectclass" ]; + rights = ["write"]; + attrs = smbDomainAttrs ++ ["objectclass"]; }; "Custom Samba Realm Read" = { targetType = "domain"; - attrs = [ "objectClass" "ipaNTSecurityIdentifier" "ipaNTFlatName" "ipaNTDomainGUID" "ipaNTFallbackPrimaryGroup" ] ++ smbDomainAttrs; + attrs = ["objectClass" "ipaNTSecurityIdentifier" "ipaNTFlatName" "ipaNTDomainGUID" "ipaNTFallbackPrimaryGroup"] ++ smbDomainAttrs; }; "Custom Samba Realm Modify" = { targetType = "domain"; - rights = [ "write" ]; + rights = ["write"]; attrs = smbDomainAttrs; }; "Custom Samba Realm Admin" = { targetType = "domain"; - rights = [ "write" ]; - attrs = smbDomainAttrs ++ [ "objectclass" ]; + rights = ["write"]; + attrs = smbDomainAttrs ++ ["objectclass"]; }; }; users = { @@ -173,7 +177,7 @@ in { }; objects = { "cn=${config.networking.domain},${ldap.domainDnSuffix}" = { - objectClasses = [ "sambaDomain" ]; + objectClasses = ["sambaDomain"]; settings = { sambaSID = ldap.samba.domainSID; sambaDomainName = "GENSOKYO"; diff --git a/nixos/ldap/users.nix b/nixos/ldap/users.nix index 5fe8c17c..e4aff6d3 100644 --- a/nixos/ldap/users.nix +++ b/nixos/ldap/users.nix 
@@ -1,99 +1,111 @@ -{config, lib, inputs, ...}: let +{ + config, + lib, + inputs, + ... +}: let inherit (inputs.self.lib.lib) userIs mkAlmostOptionDefault; inherit (lib.modules) mkMerge mkDefault; inherit (lib.attrsets) mapAttrs filterAttrs; ldapUsers = filterAttrs (_: userIs "peeps") config.users.users; ldapGroups = filterAttrs (_: group: group.gid != null && group.gid >= 8000 && group.gid < 8256) config.users.groups; management = { - users = mapAttrs (name: user: { - user.name = mkAlmostOptionDefault name; - samba = { - enable = mkDefault true; - sync.enable = mkDefault true; - accountFlags = { - noPasswordExpiry = mkDefault true; + users = + mapAttrs (name: user: { + user.name = mkAlmostOptionDefault name; + samba = { + enable = mkDefault true; + sync.enable = mkDefault true; + accountFlags = { + noPasswordExpiry = mkDefault true; + }; }; - }; - }) ldapUsers; - groups = mapAttrs (name: group: { - group.name = mkAlmostOptionDefault name; - samba.enable = mkDefault true; - }) ldapGroups; + }) + ldapUsers; + groups = + mapAttrs (name: group: { + group.name = mkAlmostOptionDefault name; + samba.enable = mkDefault true; + }) + ldapGroups; }; in { config.users.ldap = { - management = mkMerge [ management { - users = { - guest.user.enable = true; - admin = { - user.enable = true; - samba.enable = true; - }; - opl = { - user.enable = true; - samba = { - enable = true; - #sync.enable = true; - accountFlags = { - noPasswordExpiry = mkDefault true; - normalUser = true; + management = mkMerge [ + management + { + users = { + guest.user.enable = true; + admin = { + user.enable = true; + samba.enable = true; + }; + opl = { + user.enable = true; + samba = { + enable = true; + #sync.enable = true; + accountFlags = { + noPasswordExpiry = mkDefault true; + normalUser = true; + }; + }; + object.settings.settings = { + sambaNTPassword = "F7C2C5D78C24EACB73550B02BF5888E3"; + sambaLMPassword = "A5C96CDE7660B20BAAD3B435B51404EE"; }; }; - object.settings.settings = { - sambaNTPassword 
= "F7C2C5D78C24EACB73550B02BF5888E3"; - sambaLMPassword = "A5C96CDE7660B20BAAD3B435B51404EE"; + }; + groups = { + nogroup = { + group.enable = true; + samba.enable = true; + }; + guest = { + samba = { + enable = true; + groupType = 4; + sid = "S-1-5-32-546"; + }; + }; + admin = { + group.enable = true; + samba.enable = true; + }; + kyuuto-peeps = { + group.enable = true; + samba.enable = true; + }; + kyuuto = { + group.enable = true; + samba.enable = true; + }; + peeps = { + group.enable = true; + samba.enable = true; + }; + admins = { + samba = { + enable = true; + #sync.enable = true; + groupType = 4; + sid = "S-1-5-32-544"; + }; + }; + smb = { + name = "Default SMB Group"; + samba = { + enable = true; + #sync.enable = true; + groupType = 4; + sid = "S-1-5-32-545"; + }; }; }; - }; - groups = { - nogroup = { - group.enable = true; - samba.enable = true; + objects = { + # TODO: ipa hostname krb5 aliases should be populated here!!! }; - guest = { - samba = { - enable = true; - groupType = 4; - sid = "S-1-5-32-546"; - }; - }; - admin = { - group.enable = true; - samba.enable = true; - }; - kyuuto-peeps = { - group.enable = true; - samba.enable = true; - }; - kyuuto = { - group.enable = true; - samba.enable = true; - }; - peeps = { - group.enable = true; - samba.enable = true; - }; - admins = { - samba = { - enable = true; - #sync.enable = true; - groupType = 4; - sid = "S-1-5-32-544"; - }; - }; - smb = { - name = "Default SMB Group"; - samba = { - enable = true; - #sync.enable = true; - groupType = 4; - sid = "S-1-5-32-545"; - }; - }; - }; - objects = { - # TODO: ipa hostname krb5 aliases should be populated here!!! - }; - } ]; + } + ]; }; } diff --git a/nixos/minecraft/bedrock.nix b/nixos/minecraft/bedrock.nix index 66f6d571..022a3f3e 100644 --- a/nixos/minecraft/bedrock.nix +++ b/nixos/minecraft/bedrock.nix 
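Review bot: The `opl` user in nixos/ldap/users.nix carries `sambaNTPassword` and `sambaLMPassword` as literal strings in the module, and the reformat keeps them there; anything evaluated into the Nix store is world-readable on every host that builds this configuration and the values also persist in git history, and an NT hash is credential-equivalent for NTLM authentication rather than a one-way check. The LM hash's second half is the well-known empty-password constant, so the underlying password is also at most seven characters. The rest of the tree already routes Samba and LDAP credentials through sops (`config.sops.secrets.smbpasswd.path` in nixos/samba.nix, the `sops.secrets` blocks in nixos/krb5.nix and nixos/sssd.nix); moving these two attributes behind a secret and rotating the password afterwards would be consistent with that, and until then a comment such as `# FIXME: password-equivalent hashes committed in plaintext; move to sops and rotate` would at least flag it. `sync.enable` is commented out for this account, so the values are not overwritten by the IPA sync path, if I read the surrounding options correctly.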
@@ -1,4 +1,9 @@ -{config, lib, pkgs, ...}: let +{ + config, + lib, + pkgs, + ... +}: let inherit (lib.modules) mkIf mkDefault; cfg = config.services.minecraft-bedrock-server; in { @@ -47,9 +52,10 @@ in { groups.${cfg.group}.gid = config.users.users.${cfg.user}.uid; }; networking.firewall.interfaces = let - ports = [ cfg.serverProperties.server-port cfg.serverProperties.server-portv6 ]; - in mkIf cfg.enable { - local.allowedUDPPorts = ports; - peeps.allowedUDPPorts = ports; - }; + ports = [cfg.serverProperties.server-port cfg.serverProperties.server-portv6]; + in + mkIf cfg.enable { + local.allowedUDPPorts = ports; + peeps.allowedUDPPorts = ports; + }; } diff --git a/nixos/nfs.nix b/nixos/nfs.nix index f5228f0a..f5ee81e0 100644 --- a/nixos/nfs.nix +++ b/nixos/nfs.nix @@ -39,11 +39,13 @@ in { gssd = { preferred-realm = mkOptionDefault realm; }; - /*svcgssd = { + /* + svcgssd = { #principal = system #principal = nfs/idp.${domain}@${realm} #principal = nfs/${config.networking.fqdn}@${realm} - };*/ + }; + */ } ]; server = { @@ -60,16 +62,16 @@ in { "anongid=${toString config.users.groups.${config.users.users.guest.group}.gid}" ]; sec = [ - "sec=${concatStringsSep ":" [ "krb5i" "krb5" "krb5p" ]}" + "sec=${concatStringsSep ":" ["krb5i" "krb5" "krb5p"]}" ]; seclocal = [ - "sec=${concatStringsSep ":" [ "krb5" ]}" + "sec=${concatStringsSep ":" ["krb5"]}" ]; secip = [ - "sec=${concatStringsSep ":" [ "krb5i" "krb5p" ]}" + "sec=${concatStringsSep ":" ["krb5i" "krb5p"]}" ]; secanon = [ - "sec=${concatStringsSep ":" [ "krb5i" "krb5" "krb5p" "sys" ]}" + "sec=${concatStringsSep ":" ["krb5i" "krb5" "krb5p" "sys"]}" ]; anon_ro = [ "sec=sys" @@ -93,7 +95,7 @@ in { clients = { trusted = { machine = flagSets.trustedClients; - flags = flagSets.secip ++ [ "rw" ]; + flags = flagSets.secip ++ ["rw"]; }; }; }; 
@@ -107,9 +109,9 @@ in { ]; }; Translation.Method = mkForce (concatStringsSep "," ( - [ "static" ] + ["static"] ++ optional enableLdap "umich_ldap" - ++ [ "nsswitch" ] + ++ ["nsswitch"] )); Static = { }; diff --git a/nixos/nginx.nix b/nixos/nginx.nix index 7bef1dc8..a4d90dab 100644 --- a/nixos/nginx.nix +++ b/nixos/nginx.nix @@ -8,10 +8,15 @@ in { networking.firewall.interfaces.local.allowedTCPPorts = let inherit (cfg.ssl) preread; - in mkIf cfg.enable [ - (if preread.enable then preread.serverPort else cfg.defaultSSLListenPort) - cfg.defaultHTTPListenPort - ]; + in + mkIf cfg.enable [ + ( + if preread.enable + then preread.serverPort + else cfg.defaultSSLListenPort + ) + cfg.defaultHTTPListenPort + ]; services.nginx = { enable = true; diff --git a/nixos/nixbld.nix b/nixos/nixbld.nix index cc8be0bf..44de6a3a 100644 --- a/nixos/nixbld.nix +++ b/nixos/nixbld.nix @@ -1,4 +1,4 @@ -{ lib, ... }: let +{lib, ...}: let inherit (lib.modules) mkForce; in { config.users = { diff --git a/nixos/openwebrx.nix b/nixos/openwebrx.nix index 10d866f6..6664584a 100644 --- a/nixos/openwebrx.nix +++ b/nixos/openwebrx.nix @@ -31,14 +31,15 @@ in { sops.secrets = let sopsFile = mkDefault ./secrets/openwebrx.yaml; - in mkIf cfg.enable { - openwebrx-users = { - inherit sopsFile; - owner = cfg.user; - group = cfg.group; - path = "${cfg.dataDir}/users.json"; + in + mkIf cfg.enable { + openwebrx-users = { + inherit sopsFile; + owner = cfg.user; + group = cfg.group; + path = "${cfg.dataDir}/users.json"; + }; }; - }; networking.firewall = mkIf cfg.enable { interfaces.lan.allowedTCPPorts = mkIf cfg.enable [ diff --git a/nixos/reisen-ct/network.nix b/nixos/reisen-ct/network.nix index 9b581756..1f1f758a 100644 --- a/nixos/reisen-ct/network.nix +++ b/nixos/reisen-ct/network.nix 
@@ -29,12 +29,13 @@ in { networkConfig.MulticastDNS = true; }; networking.nameservers' = mkIf enableDns (mkBefore [ - { address = access.getAddressFor (access.systemForService "dnsmasq").name "lan"; } + {address = access.getAddressFor (access.systemForService "dnsmasq").name "lan";} ]); # prioritize our resolver over systemd-resolved! system.nssDatabases.hosts = let avahiResolverEnabled = config.services.avahi.enable && (config.services.avahi.nssmdns4 || config.services.avahi.nssmdns4); - in mkIf (enableDns && (config.services.resolved.enable || avahiResolverEnabled)) (mkOrder 475 ["dns"]); + in + mkIf (enableDns && (config.services.resolved.enable || avahiResolverEnabled)) (mkOrder 475 ["dns"]); services.resolved.extraConfig = mkIf enableDns '' DNSStubListener=no ''; diff --git a/nixos/reisen-ct/proxmox.nix b/nixos/reisen-ct/proxmox.nix index 1824a505..e8a66c1a 100644 --- a/nixos/reisen-ct/proxmox.nix +++ b/nixos/reisen-ct/proxmox.nix 
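Review bot: The `avahiResolverEnabled` binding in nixos/reisen-ct/network.nix tests `config.services.avahi.nssmdns4 || config.services.avahi.nssmdns4`, which is the same option twice and so reduces to just `nssmdns4`; given the name it was presumably meant to cover the IPv6 resolver too, i.e. `(config.services.avahi.nssmdns4 || config.services.avahi.nssmdns6)`. With the current expression an avahi-only-IPv6 setup would not get the `mkOrder 475 ["dns"]` ordering and the host would keep resolving through systemd-resolved before the local resolver, contrary to the comment on the preceding line. Worth confirming which avahi options are actually set on this host before changing it.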
@@ -26,19 +26,22 @@ in { proxmoxLXC.privileged = mkIf (proxmox.container.enable && proxmox.container.privileged) true; - systemd.network = mkIf proxmox.enabled (mkMerge (mapAttrsToList (_: interface: mkIf (interface.enable && interface.networkd.enable) { - networks.${interface.networkd.name} = unmerged.mergeAttrs interface.networkd.networkSettings; - }) proxmox.network.interfaces)); + systemd.network = mkIf proxmox.enabled (mkMerge (mapAttrsToList (_: interface: + mkIf (interface.enable && interface.networkd.enable) { + networks.${interface.networkd.name} = unmerged.mergeAttrs interface.networkd.networkSettings; + }) + proxmox.network.interfaces)); networking.firewall.interfaces.lan = let inherit (proxmox.network) internal local; conditions = coalesce [ - (mapNullable (interface: [ "iifname ${interface.name}" ]) internal.interface) + (mapNullable (interface: ["iifname ${interface.name}"]) internal.interface) (mapNullable (interface: config.networking.firewall.interfaces.local.nftables.conditions) local.interface) ]; - in mkIf (conditions != null) { - nftables = { - inherit conditions; + in + mkIf (conditions != null) { + nftables = { + inherit conditions; + }; }; - }; } diff --git a/nixos/samba.nix b/nixos/samba.nix index dab7606b..2842a515 100644 --- a/nixos/samba.nix +++ b/nixos/samba.nix 
@@ -61,59 +61,63 @@ in { passdb.smbpasswd.path = mkIf (!cfg.ldap.enable || !cfg.ldap.passdb.enable) ( mkDefault config.sops.secrets.smbpasswd.path ); - settings = mkMerge [ { - "local master" = true; - "preferred master" = true; - "winbind offline logon" = true; - "winbind scan trusted domains" = false; - "winbind use default domain" = true; - "domain master" = true; - "server role" = "classic primary domain controller"; - "domain logons" = true; - "remote announce" = [ - "10.1.1.255/${cfg.domain.name}" - ]; - "additional dns hostnames" = mkMerge [ - [ - config.networking.fqdn - "smb.${domain}" - ] - (mkIf system.network.networks.local.enable or false [ - "smb.local.${domain}" - access.hostnameForNetwork.local - ]) - (mkIf system.network.networks.int.enable or false [ - "smb.int.${domain}" - access.hostnameForNetwork.int - ]) - (mkIf config.services.tailscale.enable [ - "smb.tail.${domain}" - access.hostnameForNetwork.tail - ]) - ]; - } (mkIf cfg.ldap.enable { - "ldapsam:trusted" = true; - "ldapsam:editposix" = false; - "ldap user suffix" = removeSuffix "," ldap.userDnSuffix; - "ldap group suffix" = removeSuffix "," ldap.groupDnSuffix; - "ldap machine suffix" = removeSuffix "," ldap.hostDnSuffix; - "ldap idmap suffix" = removeSuffix "," ldap.idViewDnSuffix; - "ldap server require strong auth" = "allow_sasl_over_tls"; - # TODO: ldap delete dn? - # TODO: username map script? - }) (mkIf debugLogging { - "ldap debug level" = 1; - #"ldap debug threshold" = 3; # 4? 5? 
- logging = "systemd"; - "log level" = [ - "4" - #"passdb:8" - #"auth:8" - #"idmap:8" - #"winbind:6" - #"dns:8" - ]; - }) ]; + settings = mkMerge [ + { + "local master" = true; + "preferred master" = true; + "winbind offline logon" = true; + "winbind scan trusted domains" = false; + "winbind use default domain" = true; + "domain master" = true; + "server role" = "classic primary domain controller"; + "domain logons" = true; + "remote announce" = [ + "10.1.1.255/${cfg.domain.name}" + ]; + "additional dns hostnames" = mkMerge [ + [ + config.networking.fqdn + "smb.${domain}" + ] + (mkIf system.network.networks.local.enable or false [ + "smb.local.${domain}" + access.hostnameForNetwork.local + ]) + (mkIf system.network.networks.int.enable or false [ + "smb.int.${domain}" + access.hostnameForNetwork.int + ]) + (mkIf config.services.tailscale.enable [ + "smb.tail.${domain}" + access.hostnameForNetwork.tail + ]) + ]; + } + (mkIf cfg.ldap.enable { + "ldapsam:trusted" = true; + "ldapsam:editposix" = false; + "ldap user suffix" = removeSuffix "," ldap.userDnSuffix; + "ldap group suffix" = removeSuffix "," ldap.groupDnSuffix; + "ldap machine suffix" = removeSuffix "," ldap.hostDnSuffix; + "ldap idmap suffix" = removeSuffix "," ldap.idViewDnSuffix; + "ldap server require strong auth" = "allow_sasl_over_tls"; + # TODO: ldap delete dn? + # TODO: username map script? + }) + (mkIf debugLogging { + "ldap debug level" = 1; + #"ldap debug threshold" = 3; # 4? 5? + logging = "systemd"; + "log level" = [ + "4" + #"passdb:8" + #"auth:8" + #"idmap:8" + #"winbind:6" + #"dns:8" + ]; + }) + ]; idmap.domains = { nss = mkIf (!cfg.ldap.enable || !cfg.ldap.idmap.enable) { backend = "nss"; diff --git a/nixos/sops.nix b/nixos/sops.nix index dea7d58b..e651fae5 100644 --- a/nixos/sops.nix +++ b/nixos/sops.nix @@ -1,7 +1,4 @@ -{ - inputs, - ... -}: { +{inputs, ...}: { imports = [ inputs.sops-nix.nixosModules.sops ]; diff --git a/nixos/sssd.nix b/nixos/sssd.nix index 8f64d203..2323aed2 100644 
--- a/nixos/sssd.nix +++ b/nixos/sssd.nix @@ -1,4 +1,10 @@ -{ gensokyo-zone, access, config, lib, ... }: let +{ + gensokyo-zone, + access, + config, + lib, + ... +}: let inherit (gensokyo-zone.lib) mkAlmostOptionDefault; inherit (lib.modules) mkIf mkBefore mkAfter mkDefault; inherit (lib.lists) tail; @@ -11,12 +17,13 @@ in { config = { services.sssd = { - enable = (mkDefault true); + enable = mkDefault true; gensokyo-zone = let serviceFragment = service: service; toService = service: hostname: let segments = splitString "." hostname; - in concatStringsSep "." ([ (serviceFragment service) ] ++ tail segments); + in + concatStringsSep "." ([(serviceFragment service)] ++ tail segments); toFreeipa = toService "freeipa"; tailName = access.getHostnameFor "hakurei" "tail"; mkServers = serviceName: let 
@@ -46,21 +53,23 @@ in {
 bind.passwordFile = mkIf (cfg.gensokyo-zone.backend == "ldap") config.sops.secrets.gensokyo-zone-peep-passwords.path;
 };
 };
- environmentFile = mkIf (cfg.gensokyo-zone.enable && cfg.gensokyo-zone.backend == "ldap") (mkAlmostOptionDefault
+ environmentFile = mkIf (cfg.gensokyo-zone.enable && cfg.gensokyo-zone.backend == "ldap") (
+ mkAlmostOptionDefault
 config.sops.secrets.gensokyo-zone-sssd-passwords.path
 );
 };
 sops.secrets = let
 sopsFile = mkDefault ./secrets/krb5.yaml;
- in mkIf (cfg.enable && cfg.gensokyo-zone.enable) {
- gensokyo-zone-krb5-peep-password = mkIf (cfg.gensokyo-zone.enable && cfg.gensokyo-zone.backend == "ldap") {
- inherit sopsFile;
+ in
+ mkIf (cfg.enable && cfg.gensokyo-zone.enable) {
+ gensokyo-zone-krb5-peep-password = mkIf (cfg.gensokyo-zone.enable && cfg.gensokyo-zone.backend == "ldap") {
+ inherit sopsFile;
+ };
+ # TODO: this shouldn't be needed, module is incomplete :(
+ gensokyo-zone-sssd-passwords = mkIf (cfg.gensokyo-zone.enable && cfg.gensokyo-zone.backend == "ldap") {
+ inherit sopsFile;
+ };
+ };
 };
- # TODO: this shouldn't be needed, module is incomplete :(
- gensokyo-zone-sssd-passwords = mkIf (cfg.gensokyo-zone.enable && cfg.gensokyo-zone.backend == "ldap") {
- inherit sopsFile;
- };
- };
 };
 }
diff --git a/nixos/systemd2mqtt.nix b/nixos/systemd2mqtt.nix
index 9c62f81e..184b5183 100644
--- a/nixos/systemd2mqtt.nix
+++ b/nixos/systemd2mqtt.nix
@@ -8,7 +8,7 @@
 inherit (lib.modules) mkIf mkDefault;
 cfg = config.services.systemd2mqtt;
 in {
- imports = [ inputs.systemd2mqtt.nixosModules.default ];
+ imports = [inputs.systemd2mqtt.nixosModules.default];
 services.systemd2mqtt = {
 enable = mkDefault true;
@@ -17,7 +17,11 @@ in {
 url = mkDefault (
 if config.services.mosquitto.enable
 then "tcp://localhost:1883"
- else access.proxyUrlFor { serviceName = "mosquitto"; scheme = "tcp"; }
+ else
+ access.proxyUrlFor {
+ serviceName = "mosquitto";
+ scheme = "tcp";
+ }
 );
 username = mkDefault "systemd";
 };
diff --git a/nixos/unifi.nix b/nixos/unifi.nix
index 316be282..534ba2ac 100644
--- a/nixos/unifi.nix
+++ b/nixos/unifi.nix
@@ -20,13 +20,18 @@ in {
 rev = "r${version}";
 sha256 = "sha256-lVRTrEnwuyKETFL1C8bVqBfrDaYrbQIdmHN42CF8ZIw=";
 };
- sconsFlags = old.sconsFlags ++ [
- "MONGO_VERSION=${version}"
- ];
+ sconsFlags =
+ old.sconsFlags
+ ++ [
+ "MONGO_VERSION=${version}"
+ ];
 });
 isUpdated = lib.versionAtLeast pkgs.mongodb-5_0.version mongodb-5_0_26.version;
 message = "mongodb 5.0 updated in upstream nixpkgs, override no longer needed";
- in if !isUpdated then mongodb-5_0_26 else lib.warn message pkgs.mongodb-5_0;
+ in
+ if !isUpdated
+ then mongodb-5_0_26
+ else lib.warn message pkgs.mongodb-5_0;
 };
 networking.firewall = mkIf cfg.enable {
diff --git a/nixos/users/connie.nix b/nixos/users/connie.nix
index 1811f3c2..59c9aca5 100644
--- a/nixos/users/connie.nix
+++ b/nixos/users/connie.nix
@@ -1,4 +1,8 @@
-{config, options, ...}: {
+{
+ config,
+ options,
+ ...
+}: {
 config.users = {
 users.connieallure = {name, ...}: {
 uid = 8003;
@@ -15,7 +19,11 @@
 gid = config.users.users.${name}.uid;
 };
 };
- config.${if options ? networking.firewall then "networking" else null} = {
+ config.${
+ if options ? networking.firewall
+ then "networking"
+ else null
+ } = {
 access.peeps.ranges.connieallure = "2604:3d00::/28";
 };
 }
diff --git a/nixos/wake-chen.nix b/nixos/wake-chen.nix
index 4aa2bf17..1a949d7f 100644
--- a/nixos/wake-chen.nix
+++ b/nixos/wake-chen.nix
@@ -11,21 +11,23 @@
 service = "wake-chen";
 in {
 systemd.services.${service} = {
- path = [ pkgs.wol ];
+ path = [pkgs.wol];
 script = ''
 exec wol ${chen.network.networks.local.macAddress}
 '';
 environment = mapOptionDefaults {
 WOL_MAC_ADDRESS = chen.network.networks.local.macAddress;
 };
- serviceConfig = mapOptionDefaults {
- Type = "oneshot";
- RemainAfterExit = false;
- } // {
- ExecStart = [
- "${getExe pkgs.wol} $WOL_MAC_ADDRESS"
- ];
- };
+ serviceConfig =
+ mapOptionDefaults {
+ Type = "oneshot";
+ RemainAfterExit = false;
+ }
+ // {
+ ExecStart = [
+ "${getExe pkgs.wol} $WOL_MAC_ADDRESS"
+ ];
+ };
 };
- services.systemd2mqtt.units = [ "${service}.service" ];
+ services.systemd2mqtt.units = ["${service}.service"];
 }
diff --git a/nixos/zigbee2mqtt.nix b/nixos/zigbee2mqtt.nix
index 5b10aaa7..5793a00a 100644
--- a/nixos/zigbee2mqtt.nix
+++ b/nixos/zigbee2mqtt.nix
@@ -27,10 +27,15 @@ in {
 user = "z2m";
 password = "!secret z2m_pass";
 server = let
- url = access.proxyUrlFor { serviceName = "mosquitto"; scheme = "mqtt"; getAddressFor = "getAddress4For"; };
- in mkIf (!config.services.mosquitto.enable) (
- mkAlmostDefault url
- );
+ url = access.proxyUrlFor {
+ serviceName = "mosquitto";
+ scheme = "mqtt";
+ getAddressFor = "getAddress4For";
+ };
+ in
+ mkIf (!config.services.mosquitto.enable) (
+ mkAlmostDefault url
+ );
 };
 homeassistant = true;
 permit_join = false;
diff --git a/overlays/barcodebuddy.nix b/overlays/barcodebuddy.nix
index e3fa66b8..8a4fe9c5 100644
--- a/overlays/barcodebuddy.nix
+++ b/overlays/barcodebuddy.nix
@@ -1,4 +1,4 @@
 final: prev: let
 in {
- barcodebuddy = final.callPackage ../packages/barcodebuddy.nix { };
+ barcodebuddy = final.callPackage ../packages/barcodebuddy.nix {};
 }
diff --git a/overlays/default.nix b/overlays/default.nix
index 49ee2b2f..fd6bac54 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -1,7 +1,4 @@
-{
- inputs,
- ...
-}: let
+{inputs, ...}: let
 inherit (inputs.self.lib) nixlib;
 in rec {
 default = nixlib.composeManyExtensions [
diff --git a/overlays/krb5.nix b/overlays/krb5.nix
index bee778ee..4b000761 100644
--- a/overlays/krb5.nix
+++ b/overlays/krb5.nix
@@ -7,22 +7,30 @@ in {
 _389-ds-base = let
 inherit (prev) _389-ds-base;
 drv = _389-ds-base.overrideAttrs (old: {
- patches = old.patches or [ ] ++ [
- ../packages/389-ds-base-fix.patch
- (final.fetchpatch {
- name = "389-ds-base-5973-f_un.patch";
- url = "https://github.com/389ds/389-ds-base/pull/5974.patch";
- sha256 = "sha256-WtctQPZVZSAbPg2tjY7wD8ysI4SKkfyS5tQx0NPhSmY=";
- })
- (final.fetchpatch {
- name = "389-ds-base-5962-f_un.patch";
- url = "https://github.com/389ds/389-ds-base/pull/6089.patch";
- sha256 = "sha256-b0HSaDjuEUKERIXKg8np+lZDdZNmrCTAXybJzF+0hq0=";
- })
- ];
- meta = old.meta // {
- broken = false;
- };
+ patches =
+ old.patches
+ or []
+ ++ [
+ ../packages/389-ds-base-fix.patch
+ (final.fetchpatch {
+ name = "389-ds-base-5973-f_un.patch";
+ url = "https://github.com/389ds/389-ds-base/pull/5974.patch";
+ sha256 = "sha256-WtctQPZVZSAbPg2tjY7wD8ysI4SKkfyS5tQx0NPhSmY=";
+ })
+ (final.fetchpatch {
+ name = "389-ds-base-5962-f_un.patch";
+ url = "https://github.com/389ds/389-ds-base/pull/6089.patch";
+ sha256 = "sha256-b0HSaDjuEUKERIXKg8np+lZDdZNmrCTAXybJzF+0hq0=";
+ })
+ ];
+ meta =
+ old.meta
+ // {
+ broken = false;
+ };
 });
- in if _389-ds-base.meta.broken or false && _389-ds-base.version == "2.4.3" then drv else lib.warn "389-ds patch/overlay no longer needed" _389-ds-base;
+ in
+ if _389-ds-base.meta.broken or false && _389-ds-base.version == "2.4.3"
+ then drv
+ else lib.warn "389-ds patch/overlay no longer needed" _389-ds-base;
 }
diff --git a/overlays/minecraft.nix b/overlays/minecraft.nix
index c044e370..3d05a48f 100644
--- a/overlays/minecraft.nix
+++ b/overlays/minecraft.nix
@@ -1,12 +1,12 @@
 final: prev: let
 inherit (final) callPackage callPackages;
 in {
- minecraft-bedrock-server = callPackage ../packages/minecraft-bedrock/server.nix { };
- minecraft-bedrock-server-libCrypto = callPackage ../packages/minecraft-bedrock/libcrypto.nix { };
- minecraft-bedrock-server-patchdebug = callPackage ../packages/minecraft-bedrock/patchdebug.nix { };
- minecraft-bedrock-server-patchelf = callPackage ../packages/minecraft-bedrock/patchelf.nix { };
+ minecraft-bedrock-server = callPackage ../packages/minecraft-bedrock/server.nix {};
+ minecraft-bedrock-server-libCrypto = callPackage ../packages/minecraft-bedrock/libcrypto.nix {};
+ minecraft-bedrock-server-patchdebug = callPackage ../packages/minecraft-bedrock/patchdebug.nix {};
+ minecraft-bedrock-server-patchelf = callPackage ../packages/minecraft-bedrock/patchelf.nix {};
- minecraft-bedrock-addons = callPackages ../packages/minecraft-bedrock/addons.nix { };
- mkMinecraftBedrockServerAddon = final.callPackage ../packages/minecraft-bedrock/mkaddon.nix { };
- unzipMcpack = final.callPackage ../packages/minecraft-bedrock/mcpack.nix { };
+ minecraft-bedrock-addons = callPackages ../packages/minecraft-bedrock/addons.nix {};
+ mkMinecraftBedrockServerAddon = final.callPackage ../packages/minecraft-bedrock/mkaddon.nix {};
+ unzipMcpack = final.callPackage ../packages/minecraft-bedrock/mcpack.nix {};
 }
diff --git a/overlays/nfs.nix b/overlays/nfs.nix
index 8cac3cdd..ebd3fe6d 100644
--- a/overlays/nfs.nix
+++ b/overlays/nfs.nix
@@ -1,14 +1,18 @@
 final: prev: {
 # https://github.com/NixOS/nixpkgs/pull/286793
 nfs-utils-ldap = prev.nfs-utils.overrideAttrs (old: {
- buildInputs = old.buildInputs ++ [
- final.openldap
- (final.cyrus_sasl.override {
- openssl = final.openssl_legacy;
- })
- ];
- configureFlags = old.configureFlags ++ [
- "--enable-ldap"
- ];
+ buildInputs =
+ old.buildInputs
+ ++ [
+ final.openldap
+ (final.cyrus_sasl.override {
+ openssl = final.openssl_legacy;
+ })
+ ];
+ configureFlags =
+ old.configureFlags
+ ++ [
+ "--enable-ldap"
+ ];
 });
 }
diff --git a/overlays/nginx.nix b/overlays/nginx.nix
index d57369bc..5db2bf43 100644
--- a/overlays/nginx.nix
+++ b/overlays/nginx.nix
@@ -1,27 +1,36 @@
 final: prev: let
 inherit (final) lib;
 luaOverlay = luafinal: luaprev: let
- mkRestyCore = { nixpkgsVersion, version, sha256 }: luaprev.lua-resty-core.overrideAttrs (old: {
- version = lib.warnIf (old.version != nixpkgsVersion) "lua-resty-core updated upstream" version;
- src = old.src.override {
- rev = "v${version}";
- inherit sha256;
- };
- });
+ mkRestyCore = {
+ nixpkgsVersion,
+ version,
+ sha256,
+ }:
+ luaprev.lua-resty-core.overrideAttrs (old: {
+ version = lib.warnIf (old.version != nixpkgsVersion) "lua-resty-core updated upstream" version;
+ src = old.src.override {
+ rev = "v${version}";
+ inherit sha256;
+ };
+ });
 in {
 #lua-resty-core = mkRestyCore { nixpkgsVersion = "0.1.24"; version = "0.1.28"; sha256 = "sha256-RJ2wcHTu447wM0h1fa2qCBl4/p9XL6ZqX9pktRW64RI="; };
 };
 in {
- nginxModules = prev.nginxModules // {
- lua = let
- inherit (prev.nginxModules) lua;
- in lua // lib.warnIf (lua.version != "0.10.26") "nginxModules.lua updated upstream" {
- preConfigure = lib.replaceStrings [ "patch " ] [ "#patch " ] lua.preConfigure;
+ nginxModules =
+ prev.nginxModules
+ // {
+ lua = let
+ inherit (prev.nginxModules) lua;
+ in
+ lua
+ // lib.warnIf (lua.version != "0.10.26") "nginxModules.lua updated upstream" {
+ preConfigure = lib.replaceStrings ["patch "] ["#patch "] lua.preConfigure;
+ };
 };
- };
 luaInterpreters = prev.luaInterpreters.override (old: {
 callPackage = final.newScope {
- packageOverrides = lib.composeExtensions (final.packageOverrides or (_: _: { })) luaOverlay;
+ packageOverrides = lib.composeExtensions (final.packageOverrides or (_: _: {})) luaOverlay;
 };
 });
 }
diff --git a/overlays/openwebrxplus.nix b/overlays/openwebrxplus.nix
index 3cf6563c..640df71c 100644
--- a/overlays/openwebrxplus.nix
+++ b/overlays/openwebrxplus.nix
@@ -1,4 +1,4 @@
 final: prev: let
 in {
 openwebrxplus = final.python3Packages.callPackage ../packages/openwebrxplus.nix {};
-}
\ No newline at end of file
+}
diff --git a/overlays/samba.nix b/overlays/samba.nix
index 8c283f6b..613464a8 100644
--- a/overlays/samba.nix
+++ b/overlays/samba.nix
@@ -4,24 +4,30 @@ in {
 freeipa-ipasam = let
 attrs = old: {
 pname = "freeipa-ipasam";
- patches = old.patches or [ ] ++ [
- ../packages/freeipa-ipasam.patch
- ];
+ patches =
+ old.patches
+ or []
+ ++ [
+ ../packages/freeipa-ipasam.patch
+ ];
 configureFlags = lib.filter (f: f != "--disable-server") old.configureFlags;
 };
 overrides = {
 samba = final.samba-ldap;
 };
- in (final.freeipa.override overrides).overrideAttrs attrs;
+ in
+ (final.freeipa.override overrides).overrideAttrs attrs;
 samba-ldap = final.samba.override {
 enableLDAP = true;
 };
 samba-ipa = final.samba-ldap.overrideAttrs (old: {
- buildInputs = old.buildInputs ++ [
- final.freeipa-ipasam
- ];
+ buildInputs =
+ old.buildInputs
+ ++ [
+ final.freeipa-ipasam
+ ];
 postInstall = ''
 ${old.postInstall or ""}
 cp -a ${final.freeipa-ipasam}/lib/samba/pdb/ipasam.so $out/lib/samba/pdb/
diff --git a/packages/barcodebuddy.nix b/packages/barcodebuddy.nix
index ec9a889f..17afb22d 100644
--- a/packages/barcodebuddy.nix
+++ b/packages/barcodebuddy.nix
@@ -8,22 +8,23 @@
 inherit (lib.trivial) importJSON;
 lock = importJSON ../flake.lock;
 inherit (lock.nodes) barcodebuddy;
-in stdenvNoCC.mkDerivation {
- pname = "barcodebuddy";
- version = removePrefix "v" barcodebuddy.original.ref;
- src = fetchFromGitHub {
- inherit (barcodebuddy.locked) repo owner rev;
- sha256 = barcodebuddy.locked.narHash;
- };
- skipConfigure = true;
- skipBuild = true;
+in
+ stdenvNoCC.mkDerivation {
+ pname = "barcodebuddy";
+ version = removePrefix "v" barcodebuddy.original.ref;
+ src = fetchFromGitHub {
+ inherit (barcodebuddy.locked) repo owner rev;
+ sha256 = barcodebuddy.locked.narHash;
+ };
+ skipConfigure = true;
+ skipBuild = true;
- installPhase = ''
- runHook preInstall
+ installPhase = ''
+ runHook preInstall
- install -d $out
- cp -ar api/ incl/ locales/ menu/ plugins/ *.php $out/
+ install -d $out
+ cp -ar api/ incl/ locales/ menu/ plugins/ *.php $out/
- runHook postInstall
- '';
-}
+ runHook postInstall
+ '';
+ }
diff --git a/packages/default.nix b/packages/default.nix
index d8242850..762e7389 100644
--- a/packages/default.nix
+++ b/packages/default.nix
@@ -42,13 +42,17 @@
 ;
 inherit (inputs.deploy-rs.packages.${system}) deploy-rs;
- inherit (pkgs)
- freeipa-ipasam samba-ldap samba-ipa
+ inherit
+ (pkgs)
+ freeipa-ipasam
+ samba-ldap
+ samba-ipa
 krb5-ldap
 nfs-utils-ldap
 barcodebuddy
 openwebrxplus
- systemd2mqtt;
+ systemd2mqtt
+ ;
 nf-setup-node = let
 reisen = ../systems/reisen;
diff --git a/packages/minecraft-bedrock/addons.nix b/packages/minecraft-bedrock/addons.nix
index 8f8e814c..72cec871 100644
--- a/packages/minecraft-bedrock/addons.nix
+++ b/packages/minecraft-bedrock/addons.nix
@@ -1,4 +1,8 @@
-{ lib, mkMinecraftBedrockServerAddon, fetchurl }: let
+{
+ lib,
+ mkMinecraftBedrockServerAddon,
+ fetchurl,
+}: let
 inherit (lib.attrsets) mapAttrs;
 true-tree-capitator = {
 version = "1.2";
@@ -7,61 +11,72 @@
 sourceRoot = ".";
 meta.homepage = "https://www.curseforge.com/minecraft-bedrock/addons/tree-capitator";
 };
- true-tree-capitator-bp = true-tree-capitator // {
- pname = "true-tree-capitator-bp";
- mcpackId = "4d0f6078-f2f9-415f-9848-b36b008127b4";
- mcpackType = "behavior_packs";
- src = fetchurl {
- name = "Tree-capitator-BP-v1.2.mcpack";
- url = "https://mediafilez.forgecdn.net/files/5237/589/Tree%20capitator%20%5BBP%5D%20v1.2.mcpack";
- sha256 = "c4b702be4dd45707b66ef3cfda578695347caa6a43ead30c06dc17cd14a00040";
+ true-tree-capitator-bp =
+ true-tree-capitator
+ // {
+ pname = "true-tree-capitator-bp";
+ mcpackId = "4d0f6078-f2f9-415f-9848-b36b008127b4";
+ mcpackType = "behavior_packs";
+ src = fetchurl {
+ name = "Tree-capitator-BP-v1.2.mcpack";
+ url = "https://mediafilez.forgecdn.net/files/5237/589/Tree%20capitator%20%5BBP%5D%20v1.2.mcpack";
+ sha256 = "c4b702be4dd45707b66ef3cfda578695347caa6a43ead30c06dc17cd14a00040";
+ };
+ postPatch = ''
+ substituteInPlace manifest.json \
+ --replace "1.10.0-beta" "1.11.0-beta"
+ '';
 };
- postPatch = ''
- substituteInPlace manifest.json \
- --replace "1.10.0-beta" "1.11.0-beta"
- '';
- };
- true-tree-capitator-rp = true-tree-capitator // {
- pname = "true-tree-capitator-rp";
- mcpackId = "811af5f4-929b-4d77-aed4-119486b6c0a0";
- mcpackType = "resource_packs";
- src = fetchurl {
- name = "Tree-capitator-RP-v1.2.mcpack";
- url = "https://mediafilez.forgecdn.net/files/5237/590/Tree%20capitator%20%5BRP%5D%20v1.2.mcpack";
- sha256 = "66c850106c7fa1764b32f20c555c1bb5e7e6905f3cbea4b429ca076e7a4cc31f";
+ true-tree-capitator-rp =
+ true-tree-capitator
+ // {
+ pname = "true-tree-capitator-rp";
+ mcpackId = "811af5f4-929b-4d77-aed4-119486b6c0a0";
+ mcpackType = "resource_packs";
+ src = fetchurl {
+ name = "Tree-capitator-RP-v1.2.mcpack";
+ url = "https://mediafilez.forgecdn.net/files/5237/590/Tree%20capitator%20%5BRP%5D%20v1.2.mcpack";
+ sha256 =
"66c850106c7fa1764b32f20c555c1bb5e7e6905f3cbea4b429ca076e7a4cc31f";
+ };
 };
- };
 definitive-tree-capitator = {
 version = "1.0.0";
 mcpackVersion = "1.0.0";
 meta.homepage = "https://www.curseforge.com/minecraft-bedrock/addons/definitive-tree-capitator-addon";
 };
- definitive-tree-capitator-bh = definitive-tree-capitator // {
- pname = "definitive-tree-capitator-bh";
- mcpackId = "b3538a6c-3e42-400a-9ed0-5ec1670b796c";
- mcpackType = "behavior_packs";
- mcVersion = "1.20.20";
- src = fetchurl {
- url = "https://mediafilez.forgecdn.net/files/5214/136/Definitive%20Tree%20Capitator%20BH.mcpack";
- sha256 = "941564d65386fd2701dfe017408d8c1d5b6d6a90a017e60b7ef9f6ff6de7b51a";
+ definitive-tree-capitator-bh =
+ definitive-tree-capitator
+ // {
+ pname = "definitive-tree-capitator-bh";
+ mcpackId = "b3538a6c-3e42-400a-9ed0-5ec1670b796c";
+ mcpackType = "behavior_packs";
+ mcVersion = "1.20.20";
+ src = fetchurl {
+ url = "https://mediafilez.forgecdn.net/files/5214/136/Definitive%20Tree%20Capitator%20BH.mcpack";
+ sha256 = "941564d65386fd2701dfe017408d8c1d5b6d6a90a017e60b7ef9f6ff6de7b51a";
+ };
+ patches = [
+ ./definitive-tree-capitator-bh.patch
+ ];
 };
- patches = [
- ./definitive-tree-capitator-bh.patch
- ];
- };
- definitive-tree-capitator-rs = definitive-tree-capitator // {
- pname = "definitive-tree-capitator-rs";
- mcpackId = "e01dd561-a1d9-45d0-b6ad-cd3858b93fe7";
- mcpackType = "resource_packs";
- mcVersion = "1.13.0";
- src = fetchurl {
- url = "https://mediafilez.forgecdn.net/files/5214/134/Definitive%20Tree%20Capitator%20RS.mcpack";
- sha256 = "22c8ff1c85720052d9f2a0af1c205b5457a9bb806d65125cff3751fdbe22b864";
+ definitive-tree-capitator-rs =
+ definitive-tree-capitator
+ // {
+ pname = "definitive-tree-capitator-rs";
+ mcpackId = "e01dd561-a1d9-45d0-b6ad-cd3858b93fe7";
+ mcpackType = "resource_packs";
+ mcVersion = "1.13.0";
+ src = fetchurl {
+ url = "https://mediafilez.forgecdn.net/files/5214/134/Definitive%20Tree%20Capitator%20RS.mcpack";
+ sha256 =
"22c8ff1c85720052d9f2a0af1c205b5457a9bb806d65125cff3751fdbe22b864";
+ };
 };
- };
-in mapAttrs (_: mkMinecraftBedrockServerAddon) {
- inherit
- true-tree-capitator-bp true-tree-capitator-rp
- definitive-tree-capitator-bh definitive-tree-capitator-rs
- ;
-}
+in
+ mapAttrs (_: mkMinecraftBedrockServerAddon) {
+ inherit
+ true-tree-capitator-bp
+ true-tree-capitator-rp
+ definitive-tree-capitator-bh
+ definitive-tree-capitator-rs
+ ;
+ }
diff --git a/packages/minecraft-bedrock/libcrypto.nix b/packages/minecraft-bedrock/libcrypto.nix
index dc528c8b..55bfbc4d 100644
--- a/packages/minecraft-bedrock/libcrypto.nix
+++ b/packages/minecraft-bedrock/libcrypto.nix
@@ -1,20 +1,30 @@
-{ lib, minecraft-bedrock-server, stdenv, autoPatchelfHook, curl, gcc-unwrapped, unzip, openssl }: let
+{
+ lib,
+ minecraft-bedrock-server,
+ stdenv,
+ autoPatchelfHook,
+ curl,
+ gcc-unwrapped,
+ unzip,
+ openssl,
+}: let
 inherit (lib.strings) versionAtLeast;
-in stdenv.mkDerivation {
- pname = "${minecraft-bedrock-server.pname}-libcrypto";
- inherit (minecraft-bedrock-server) version src sourceRoot;
- nativeBuildInputs = [
- autoPatchelfHook
- curl
- gcc-unwrapped
- openssl
- unzip
- ];
- installPhase = ''
- install -m755 -D libCrypto.so $out/lib/libCrypto.so
- '';
- fixupPhase = ''
- autoPatchelf $out/lib/libCrypto.so
- '';
- meta.broken = versionAtLeast minecraft-bedrock-server.version "1.20";
-}
+in
+ stdenv.mkDerivation {
+ pname = "${minecraft-bedrock-server.pname}-libcrypto";
+ inherit (minecraft-bedrock-server) version src sourceRoot;
+ nativeBuildInputs = [
+ autoPatchelfHook
+ curl
+ gcc-unwrapped
+ openssl
+ unzip
+ ];
+ installPhase = ''
+ install -m755 -D libCrypto.so $out/lib/libCrypto.so
+ '';
+ fixupPhase = ''
+ autoPatchelf $out/lib/libCrypto.so
+ '';
+ meta.broken = versionAtLeast minecraft-bedrock-server.version "1.20";
+ }
diff --git a/packages/minecraft-bedrock/mcpack.nix b/packages/minecraft-bedrock/mcpack.nix
index 886e853f..aa313b35 100644
--- a/packages/minecraft-bedrock/mcpack.nix
+++ b/packages/minecraft-bedrock/mcpack.nix
@@ -1,6 +1,11 @@
-{ stdenvNoCC, unzip, writeText }: stdenvNoCC.mkDerivation {
+{
+ stdenvNoCC,
+ unzip,
+ writeText,
+}:
+stdenvNoCC.mkDerivation {
 name = "unzip-mcpack";
- propagatedBuildInputs = [ unzip ];
+ propagatedBuildInputs = [unzip];
 dontUnpack = true;
 setupHook = writeText "mcpack-setup-hook.sh" ''
 unpackCmdHooks+=(_tryUnzipMcpack)
diff --git a/packages/minecraft-bedrock/mkaddon.nix b/packages/minecraft-bedrock/mkaddon.nix
index 1bc34290..0603c05c 100644
--- a/packages/minecraft-bedrock/mkaddon.nix
+++ b/packages/minecraft-bedrock/mkaddon.nix
@@ -1,42 +1,62 @@
-{ stdenvNoCC, unzipMcpack, minecraft-bedrock-server, lib }:
 {
+ stdenvNoCC,
+ unzipMcpack,
+ minecraft-bedrock-server,
+ lib,
+}: {
 src,
 pname,
 version,
 mcpackVersion ? version,
 mcVersion ? null,
 mcpackId,
- mcpackModules ? [ ],
+ mcpackModules ? [],
 mcpackDir ? pname,
 mcpackType, # "behavior_packs" or "resource_packs" etc
 ...
-}@args: let
+} @ args: let
 inherit (lib.strings) optionalString splitString;
 inherit (minecraft-bedrock-server) dataDir;
- argNames = [ "mcpackModules" "mcpackVersion" "mcpackId" ];
-in stdenvNoCC.mkDerivation (removeAttrs args argNames // {
- inherit dataDir mcpackType mcpackDir;
- version = version + optionalString (mcVersion != null) "-${mcVersion}";
- nativeBuildInputs = args.nativeBuildInputs or [ ] ++ [
- unzipMcpack
- ];
- installPhase = args.installPhase or ''
- install -d "$out$dataDir/$mcpackType/$mcpackDir"
- cp -a ./* "$out$dataDir/$mcpackType/$mcpackDir/"
+ argNames = ["mcpackModules" "mcpackVersion" "mcpackId"];
+in
+ stdenvNoCC.mkDerivation (removeAttrs args argNames
+ // {
+ inherit dataDir mcpackType mcpackDir;
+ version = version + optionalString (mcVersion != null) "-${mcVersion}";
+ nativeBuildInputs =
+ args.nativeBuildInputs
+ or []
+ ++ [
+ unzipMcpack
+ ];
+ installPhase =
+ args.installPhase
+ or ''
+ install -d "$out$dataDir/$mcpackType/$mcpackDir"
+ cp -a ./* "$out$dataDir/$mcpackType/$mcpackDir/"
- install ./manifest.json $manifest
- '';
- outputs = [ "out" "manifest" ];
- passthru = args.passthru or { } // {
- minecraft-bedrock = args.passthru.minecraft-bedrock or { } // {
- pack = args.passthru.minecraft-bedrock.pack or { } // {
- pack_id = mcpackId;
- modules = mcpackModules;
- version = splitString "."
mcpackVersion;
- type = mcpackType;
- dir = mcpackDir;
- subPath = "${dataDir}/${mcpackType}/${mcpackDir}";
- };
- };
- };
-})
+ install ./manifest.json $manifest
+ '';
+ outputs = ["out" "manifest"];
+ passthru =
+ args.passthru
+ or {}
+ // {
+ minecraft-bedrock =
+ args.passthru.minecraft-bedrock
+ or {}
+ // {
+ pack =
+ args.passthru.minecraft-bedrock.pack
+ or {}
+ // {
+ pack_id = mcpackId;
+ modules = mcpackModules;
+ version = splitString "." mcpackVersion;
+ type = mcpackType;
+ dir = mcpackDir;
+ subPath = "${dataDir}/${mcpackType}/${mcpackDir}";
+ };
+ };
+ };
+ })
diff --git a/packages/minecraft-bedrock/patchdebug.nix b/packages/minecraft-bedrock/patchdebug.nix
index 92b36bd4..ee0d6e2f 100644
--- a/packages/minecraft-bedrock/patchdebug.nix
+++ b/packages/minecraft-bedrock/patchdebug.nix
@@ -1,7 +1,11 @@
-{ lib, python3, writeTextFile }: let
+{
+ lib,
+ python3,
+ writeTextFile,
+}: let
 # https://github.com/minecraft-linux/server-modloader/tree/master?tab=readme-ov-file#getting-mods-to-work-on-newer-versions-116
 inherit (lib.meta) getExe;
- python = python3.withPackages (p: [ p.lief ]);
+ python = python3.withPackages (p: [p.lief]);
 script = ''
 import lief
 import sys
@@ -12,13 +16,14 @@
 lib_symbols.write(sys.argv[2])
 '';
 name = "minecraft-bedrock-server-patchdebug";
-in writeTextFile {
- name = "${name}.py";
- destination = "/bin/${name}";
- executable = true;
- text = ''
- #!${getExe python}
- ${script}
- '';
- meta.mainProgram = name;
-}
+in
+ writeTextFile {
+ name = "${name}.py";
+ destination = "/bin/${name}";
+ executable = true;
+ text = ''
+ #!${getExe python}
+ ${script}
+ '';
+ meta.mainProgram = name;
+ }
diff --git a/packages/minecraft-bedrock/patchelf.nix b/packages/minecraft-bedrock/patchelf.nix
index da88a1af..fc5f13f1 100644
--- a/packages/minecraft-bedrock/patchelf.nix
+++ b/packages/minecraft-bedrock/patchelf.nix
@@ -1,4 +1,5 @@
-{ patchelf }: patchelf.overrideDerivation (old: {
+{patchelf}:
+patchelf.overrideDerivation (old: {
 postPatch = ''
 substituteInPlace src/patchelf.cc \
 --replace "32 * 1024 * 1024" "512 * 1024 * 1024"
diff --git a/packages/minecraft-bedrock/server.nix b/packages/minecraft-bedrock/server.nix
index 52c07b74..a38918e7 100644
--- a/packages/minecraft-bedrock/server.nix
+++ b/packages/minecraft-bedrock/server.nix
@@ -1,48 +1,53 @@
-{ stdenv
-, fetchurl
-, minecraft-bedrock-server-patchelf
-, minecraft-bedrock-server-patchdebug
-#, minecraft-bedrock-server-libCrypto
-, autoPatchelfHook
-, curl, gcc-unwrapped, openssl, unzip
-, lib
+{
+ stdenv,
+ fetchurl,
+ minecraft-bedrock-server-patchelf,
+ minecraft-bedrock-server-patchdebug,
+ #, minecraft-bedrock-server-libCrypto
+ autoPatchelfHook,
+ curl,
+ gcc-unwrapped,
+ openssl,
+ unzip,
+ lib,
 }: let
 inherit (lib) licenses;
-in stdenv.mkDerivation rec {
- pname = "minecraft-bedrock-server";
- version = "1.20.80.05";
- src = fetchurl {
- url = "https://minecraft.azureedge.net/bin-linux/bedrock-server-${version}.zip";
- sha256 = "sha256-6vZx29FOXRR7Rzx82Axo3a/Em+9cpK7Hj3cuDRnW9+8=";
- };
- sourceRoot = ".";
- nativeBuildInputs = [
- minecraft-bedrock-server-patchelf
- minecraft-bedrock-server-patchdebug
- autoPatchelfHook
- curl
- gcc-unwrapped
- #minecraft-bedrock-server-libCrypto
- openssl
- unzip
- ];
- buildPhase = ''
- minecraft-bedrock-server-patchdebug bedrock_server_symbols.debug bedrock_server_symbols_patched.debug
- '';
- dataDir = "/var/lib/minecraft-bedrock";
- installPhase = ''
- install -m755 -D bedrock_server $out/bin/bedrock_server
- install -d $out$dataDir
- cp -a definitions behavior_packs resource_packs config env-vars *.json *.debug *.properties $out$dataDir/
- '';
- fixupPhase = ''
- autoPatchelf $out/bin/bedrock_server
- '';
- dontStrip = true;
+in
+ stdenv.mkDerivation rec {
+ pname = "minecraft-bedrock-server";
+ version = "1.20.80.05";
+ src = fetchurl {
+ url = "https://minecraft.azureedge.net/bin-linux/bedrock-server-${version}.zip";
+ sha256 = "sha256-6vZx29FOXRR7Rzx82Axo3a/Em+9cpK7Hj3cuDRnW9+8=";
+ };
+ sourceRoot = ".";
+ nativeBuildInputs = [
+ minecraft-bedrock-server-patchelf
+ minecraft-bedrock-server-patchdebug
+ autoPatchelfHook
+ curl
+ gcc-unwrapped
+ #minecraft-bedrock-server-libCrypto
+ openssl
+ unzip
+ ];
+ buildPhase = ''
+ minecraft-bedrock-server-patchdebug bedrock_server_symbols.debug
bedrock_server_symbols_patched.debug
+ '';
+ dataDir = "/var/lib/minecraft-bedrock";
+ installPhase = ''
+ install -m755 -D bedrock_server $out/bin/bedrock_server
+ install -d $out$dataDir
+ cp -a definitions behavior_packs resource_packs config env-vars *.json *.debug *.properties $out$dataDir/
+ '';
+ fixupPhase = ''
+ autoPatchelf $out/bin/bedrock_server
+ '';
+ dontStrip = true;
- meta = {
- platforms = [ "x86_64-linux" ];
- license = licenses.unfree;
- mainProgram = "bedrock_server";
- };
-}
+ meta = {
+ platforms = ["x86_64-linux"];
+ license = licenses.unfree;
+ mainProgram = "bedrock_server";
+ };
+ }
diff --git a/packages/openwebrxplus.nix b/packages/openwebrxplus.nix
index 3fdac47f..33e4e693 100644
--- a/packages/openwebrxplus.nix
+++ b/packages/openwebrxplus.nix
@@ -1,11 +1,24 @@
-{ stdenv, lib, buildPythonPackage, buildPythonApplication, fetchFromGitHub
-, pkg-config, cmake, ninja, setuptools, python
-, libsamplerate, fftwFloat
-, rtl-sdr, soapysdr-with-plugins, pydigiham, direwolf, sox, wsjtx, codecserver
-}:
-
-let
-
+{
+ stdenv,
+ lib,
+ buildPythonPackage,
+ buildPythonApplication,
+ fetchFromGitHub,
+ pkg-config,
+ cmake,
+ ninja,
+ setuptools,
+ python,
+ libsamplerate,
+ fftwFloat,
+ rtl-sdr,
+ soapysdr-with-plugins,
+ pydigiham,
+ direwolf,
+ sox,
+ wsjtx,
+ codecserver,
+}: let
 js8py = buildPythonPackage rec {
 pname = "js8py";
 version = "0.1.1";
@@ -17,7 +30,7 @@ let
 sha256 = "1j80zclg1cl5clqd00qqa16prz7cyc32bvxqz2mh540cirygq24w";
 };
- pythonImportsCheck = [ "js8py" "test" ];
+ pythonImportsCheck = ["js8py" "test"];
 meta = with lib; {
 homepage = "https://github.com/jketterl/js8py";
@@ -27,144 +40,143 @@ let
 };
 };
-csdr-eti = stdenv.mkDerivation rec {
- pname = "csdr-eti";
- version = "0.0.11";
+ csdr-eti = stdenv.mkDerivation rec {
+ pname = "csdr-eti";
+ version = "0.0.11";
- src = fetchFromGitHub {
- owner = "luarvique";
- repo = pname;
- rev = version;
- hash = "sha256-jft4zi1mLU6zZ+2gsym/3Xu8zkKL0MeoztcyMPM0RYI=";
+ src = fetchFromGitHub {
+ owner = "luarvique";
+ repo = pname;
+ rev = version;
+ hash = "sha256-jft4zi1mLU6zZ+2gsym/3Xu8zkKL0MeoztcyMPM0RYI=";
+ };
+
+ nativeBuildInputs = [
+ cmake
+ ninja
+ pkg-config
+ ];
+
+ propagatedBuildInputs = [
+ fftwFloat
+ libsamplerate
+ ];
+ buildInputs = [
+ csdr
+ ];
+
+ hardeningDisable = lib.optional stdenv.isAarch64 "format";
+
+ meta = with lib; {
+ homepage = "https://github.com/jketterl/csdr";
+ description = "A simple DSP library and command-line tool for Software Defined Radio";
+ license = licenses.gpl3Only;
+ platforms = platforms.unix;
+ broken = stdenv.isDarwin;
+ maintainers = teams.c3d2.members;
+ };
 };
- nativeBuildInputs = [
- cmake
- ninja
- pkg-config
- ];
+ csdr = stdenv.mkDerivation rec {
+ pname = "csdr";
+ version = "0.18.23";
- propagatedBuildInputs = [
- fftwFloat
- libsamplerate
- ];
- buildInputs = [
- csdr
- ];
+ src = fetchFromGitHub {
+ owner = "luarvique";
+ repo = pname;
+ rev = version;
+ hash = "sha256-Q7g1OqfpAP6u78zyHjLP2ASGYKNKCAVv8cgGwytZ+cE=";
+ };
- hardeningDisable = lib.optional stdenv.isAarch64 "format";
+ nativeBuildInputs = [
+ cmake
+ ninja
+ pkg-config
+ ];
- meta = with lib; {
- homepage = "https://github.com/jketterl/csdr";
- description = "A simple DSP library and command-line tool for Software Defined Radio";
- license = licenses.gpl3Only;
- platforms = platforms.unix;
- broken = stdenv.isDarwin;
- maintainers = teams.c3d2.members;
- };
-};
+ propagatedBuildInputs = [
+ fftwFloat
+ libsamplerate
+ ];
-csdr = stdenv.mkDerivation rec {
- pname = "csdr";
- version = "0.18.23";
+ hardeningDisable = lib.optional stdenv.isAarch64 "format";
- src =
fetchFromGitHub {
- owner = "luarvique";
- repo = pname;
- rev = version;
- hash = "sha256-Q7g1OqfpAP6u78zyHjLP2ASGYKNKCAVv8cgGwytZ+cE=";
+ postFixup = ''
+ substituteInPlace "$out"/lib/pkgconfig/csdr.pc \
+ --replace '=''${prefix}//' '=/' \
+ --replace '=''${exec_prefix}//' '=/'
+ '';
+
+ meta = with lib; {
+ homepage = "https://github.com/jketterl/csdr";
+ description = "A simple DSP library and command-line tool for Software Defined Radio";
+ license = licenses.gpl3Only;
+ platforms = platforms.unix;
+ broken = stdenv.isDarwin;
+ maintainers = teams.c3d2.members;
+ };
 };
- nativeBuildInputs = [
- cmake
- ninja
- pkg-config
- ];
+ pycsdr-eti = buildPythonPackage rec {
+ pname = "pycsdr-eti";
+ version = "0.0.11";
+ format = "setuptools";
- propagatedBuildInputs = [
- fftwFloat
- libsamplerate
- ];
+ src = fetchFromGitHub {
+ owner = "luarvique";
+ repo = "pycsdr-eti";
+ rev = version;
+ hash = "sha256-pjY5sxHvuDTUDxpdhWk8U7ibwxHznyywEqj1btAyXBE=";
+ };
- hardeningDisable = lib.optional stdenv.isAarch64 "format";
+ postPatch = ''
+ substituteInPlace setup.py \
+ --replace ', "fftw3"' ""
+ '';
- postFixup = ''
- substituteInPlace "$out"/lib/pkgconfig/csdr.pc \
- --replace '=''${prefix}//' '=/' \
- --replace '=''${exec_prefix}//' '=/'
- '';
+ propagatedBuildInputs = [pycsdr];
+ buildInputs = [csdr-eti csdr];
+ NIX_CFLAGS_COMPILE = [
+ "-I${pycsdr}/include/${python.libPrefix}"
+ ];
- meta = with lib; {
- homepage = "https://github.com/jketterl/csdr";
- description = "A simple DSP library and command-line tool for Software Defined Radio";
- license = licenses.gpl3Only;
- platforms = platforms.unix;
- broken = stdenv.isDarwin;
- maintainers = teams.c3d2.members;
- };
-};
+ # has no tests
+ doCheck = false;
+ pythonImportsCheck = ["csdreti"];
-
-pycsdr-eti = buildPythonPackage rec {
- pname = "pycsdr-eti";
- version = "0.0.11";
- format = "setuptools";
-
- src = fetchFromGitHub {
- owner = "luarvique";
- repo = "pycsdr-eti";
- rev = version;
- hash =
"sha256-pjY5sxHvuDTUDxpdhWk8U7ibwxHznyywEqj1btAyXBE=";
+ meta = {
+ homepage = "https://github.com/jketterl/pycsdr";
+ description = "bindings for the csdr library";
+ license = lib.licenses.gpl3Only;
+ maintainers = lib.teams.c3d2.members;
+ };
 };
- postPatch = ''
- substituteInPlace setup.py \
- --replace ', "fftw3"' ""
- '';
+ pycsdr = buildPythonPackage rec {
+ pname = "pycsdr";
+ version = "0.18.23";
+ format = "setuptools";
- propagatedBuildInputs = [ pycsdr ];
- buildInputs = [ csdr-eti csdr ];
- NIX_CFLAGS_COMPILE = [
- "-I${pycsdr}/include/${python.libPrefix}"
- ];
+ src = fetchFromGitHub {
+ owner = "luarvique";
+ repo = "pycsdr";
+ rev = version;
+ hash = "sha256-NjRBC7bhq2bMlRI0Q8bcGcneD/HlAO6l/0As3/lk4e8=";
+ };
- # has no tests
- doCheck = false;
- pythonImportsCheck = [ "csdreti" ];
+ buildInputs = [csdr];
- meta = {
- homepage = "https://github.com/jketterl/pycsdr";
- description = "bindings for the csdr library";
- license = lib.licenses.gpl3Only;
- maintainers = lib.teams.c3d2.members;
+ # has no tests
+ doCheck = false;
+ pythonImportsCheck = ["pycsdr"];
+
+ meta = {
+ homepage = "https://github.com/jketterl/pycsdr";
+ description = "bindings for the csdr library";
+ license = lib.licenses.gpl3Only;
+ maintainers = lib.teams.c3d2.members;
+ };
 };
-};
-
-pycsdr = buildPythonPackage rec {
- pname = "pycsdr";
- version = "0.18.23";
- format = "setuptools";
-
- src = fetchFromGitHub {
- owner = "luarvique";
- repo = "pycsdr";
- rev = version;
- hash = "sha256-NjRBC7bhq2bMlRI0Q8bcGcneD/HlAO6l/0As3/lk4e8=";
- };
-
- buildInputs = [ csdr ];
-
- # has no tests
- doCheck = false;
- pythonImportsCheck = [ "pycsdr" ];
-
- meta = {
- homepage = "https://github.com/jketterl/pycsdr";
- description = "bindings for the csdr library";
- license = lib.licenses.gpl3Only;
- maintainers = lib.teams.c3d2.members;
- };
-};
 owrx_connector = stdenv.mkDerivation rec {
 pname = "owrx_connector";
@@ -184,7 +196,8 @@ pycsdr = buildPythonPackage rec {
];
buildInputs = [
- libsamplerate fftwFloat
+ libsamplerate
+ fftwFloat
csdr
rtl-sdr
soapysdr-with-plugins
@@ -198,51 +211,50 @@ pycsdr = buildPythonPackage rec {
maintainers = teams.c3d2.members;
};
};
-
in
-buildPythonApplication rec {
- pname = "openwebrxplus";
- version = "1.2.49";
+ buildPythonApplication rec {
+ pname = "openwebrxplus";
+ version = "1.2.49";
- src = fetchFromGitHub {
- owner = "luarvique";
- repo = "openwebrx";
- rev = version;
- sha256 = "sha256-QHgt0JGV4E8vOZpY3UwxbtBV38NZBXNrc2asYbHjEqo=";
- };
+ src = fetchFromGitHub {
+ owner = "luarvique";
+ repo = "openwebrx";
+ rev = version;
+ sha256 = "sha256-QHgt0JGV4E8vOZpY3UwxbtBV38NZBXNrc2asYbHjEqo=";
+ };
- nativeBuildInputs = [
- setuptools
- ];
+ nativeBuildInputs = [
+ setuptools
+ ];
- propagatedBuildInputs = [
- setuptools
- pycsdr
- pycsdr-eti
- pydigiham
- js8py
-owrx_connector
- soapysdr-with-plugins
- ];
+ propagatedBuildInputs = [
+ setuptools
+ pycsdr
+ pycsdr-eti
+ pydigiham
+ js8py
+ owrx_connector
+ soapysdr-with-plugins
+ ];
- buildInputs = [
- direwolf
- sox
- wsjtx
- codecserver
- ];
+ buildInputs = [
+ direwolf
+ sox
+ wsjtx
+ codecserver
+ ];
- pythonImportsCheck = [ "csdr" "owrx" "test" ];
+ pythonImportsCheck = ["csdr" "owrx" "test"];
- passthru = {
- inherit js8py owrx_connector pycsdr csdr;
- };
+ passthru = {
+ inherit js8py owrx_connector pycsdr csdr;
+ };
- meta = with lib; {
- homepage = "https://github.com/luarvique/openwebrx";
- description = "A simple DSP library and command-line tool for Software Defined Radio";
- mainProgram = "openwebrx";
- license = licenses.gpl3Only;
- maintainers = teams.c3d2.members;
- };
-}
\ No newline at end of file
+ meta = with lib; {
+ homepage = "https://github.com/luarvique/openwebrx";
+ description = "A simple DSP library and command-line tool for Software Defined Radio";
+ mainProgram = "openwebrx";
+ license = licenses.gpl3Only;
+ maintainers = teams.c3d2.members;
+ };
+ }
diff --git a/systems/extern-test/default.nix b/systems/extern-test/default.nix
index 0b15cd1c..8772ced1 100644
--- a/systems/extern-test/default.nix
+++ b/systems/extern-test/default.nix
@@ -1,4 +1,8 @@
-{ inputs, lib, ... }: let
+{
+ inputs,
+ lib,
+ ...
+}: let
inherit (lib.modules) mkForce;
in {
arch = "x86_64";
@@ -6,10 +10,16 @@ in {
modules = mkForce [
./nixos.nix
];
- builder = mkForce ({ modules, system, specialArgs, ... }: inputs.nixpkgs.lib.nixosSystem {
- inherit modules system;
- specialArgs = {
- extern'test'inputs = specialArgs.inputs;
- };
- });
+ builder = mkForce ({
+ modules,
+ system,
+ specialArgs,
+ ...
+ }:
+ inputs.nixpkgs.lib.nixosSystem {
+ inherit modules system;
+ specialArgs = {
+ extern'test'inputs = specialArgs.inputs;
+ };
+ });
}
diff --git a/systems/extern-test/nixos.nix b/systems/extern-test/nixos.nix
index c9187cd4..acbcdcba 100644
--- a/systems/extern-test/nixos.nix
+++ b/systems/extern-test/nixos.nix
@@ -1,7 +1,4 @@
-{
- extern'test'inputs,
- ...
-}: let
+{extern'test'inputs, ...}: let
inherit (extern'test'inputs.self) nixosModules homeModules;
in {
imports = [
@@ -53,7 +50,7 @@ in {
sharedModules = [
homeModules.default
];
- users.me = { config, ... }: {
+ users.me = {config, ...}: {
config = {
home.stateVersion = "23.11";
gensokyo-zone = {
diff --git a/systems/hakurei/default.nix b/systems/hakurei/default.nix
index 8a4f9da6..f474aecd 100644
--- a/systems/hakurei/default.nix
+++ b/systems/hakurei/default.nix
@@ -1,4 +1,4 @@
-{ lib, ... }: {
+{lib, ...}: {
imports = [
./proxmox.nix
];
diff --git a/systems/keycloak/nixos.nix b/systems/keycloak/nixos.nix
index 3ee0e070..bd171450 100644
--- a/systems/keycloak/nixos.nix
+++ b/systems/keycloak/nixos.nix
@@ -1,4 +1,9 @@
-{meta, config, access, ...}: {
+{
+ meta,
+ config,
+ access,
+ ...
+}: {
imports = let
inherit (meta) nixos;
in [
@@ -24,13 +29,28 @@ inherit (vouch'system.exports.services) vouch-proxy;
in {
"${keycloak.id}.${config.networking.domain}" = let
- portName = if keycloak.ports.https.enable then "https" else "http";
+ portName =
+ if keycloak.ports.https.enable
+ then "https"
+ else "http";
in {
- service = access.proxyUrlFor { system = keycloak'system; service = keycloak; inherit portName; };
- originRequest.${if keycloak.ports.${portName}.protocol == "https" then "noTLSVerify" else null} = true;
+ service = access.proxyUrlFor {
+ system = keycloak'system;
+ service = keycloak;
+ inherit portName;
+ };
+ originRequest.${
+ if keycloak.ports.${portName}.protocol == "https"
+ then "noTLSVerify"
+ else null
+ } =
+ true;
};
"${vouch-proxy.id}.${config.networking.domain}" = {
- service = access.proxyUrlFor { system = vouch'system; service = vouch-proxy; };
+ service = access.proxyUrlFor {
+ system = vouch'system;
+ service = vouch-proxy;
+ };
};
};
};
diff --git a/systems/nue/default.nix b/systems/nue/default.nix
index 35db1ca9..6aa04c98 100644
--- a/systems/nue/default.nix
+++ b/systems/nue/default.nix
@@ -1,21 +1,21 @@
{lib, ...}: let
inherit (lib.strings) concatStringsSep;
dot = concatStringsSep ".";
- cutie = dot [ "cutie" "moe" ];
- netname = { config, ... }: {
- domain = dot [ config.name cutie ];
+ cutie = dot ["cutie" "moe"];
+ netname = {config, ...}: {
+ domain = dot [config.name cutie];
};
in {
type = "Linux";
- access.domain = dot [ "gensokyo" cutie ];
+ access.domain = dot ["gensokyo" cutie];
network.networks = {
local = {
- imports = [ netname ];
+ imports = [netname];
address4 = "10.1.1.62";
address6 = "fd0a::daf8:83ff:fe36:81b6";
};
tail = {
- imports = [ netname ];
+ imports = [netname];
address4 = "100.86.77.54";
address6 = "fd7a:115c:a1e0:ab12:4843:cd96:6256:4d36";
};
diff --git a/systems/shanghai/default.nix b/systems/shanghai/default.nix
index fa19fe24..98ea5079 100644
--- a/systems/shanghai/default.nix
+++ b/systems/shanghai/default.nix
@@ -1,24 +1,25 @@
{lib, ...}: let
inherit (lib.strings) concatStringsSep;
dot = concatStringsSep ".";
- cutie = dot [ "cutie" "moe" ];
- netname = { config, ... }: {
- domain = dot [ config.name cutie ];
+ cutie = dot ["cutie" "moe"];
+ netname = {config, ...}: {
+ domain = dot [config.name cutie];
};
in {
type = "Linux";
- access.domain = dot [ "gensokyo" cutie ];
+ access.domain = dot ["gensokyo" cutie];
network.networks = {
local = {
- imports = [ netname ];
+ imports = [netname];
macAddress = let
#eth = "18:c0:4d:08:87:bd";
eth25 = "18:c0:4d:08:87:bc";
- in eth25;
+ in
+ eth25;
address4 = "10.1.1.32";
};
tail = {
- imports = [ netname ];
+ imports = [netname];
address4 = "100.104.155.122";
address6 = "fd7a:115c:a1e0:ab12:4843:cd96:6268:9b7a";
};
diff --git a/systems/tei/cloudflared.nix b/systems/tei/cloudflared.nix
index b6974f9e..7cf02a3f 100644
--- a/systems/tei/cloudflared.nix
+++ b/systems/tei/cloudflared.nix
@@ -21,7 +21,7 @@ in {
(nginx.virtualHosts.barcodebuddy.proxied.cloudflared.getIngress {})
{
${home-assistant.domain} = assert home-assistant.enable; {
- service = access.proxyUrlFor { serviceName = "home-assistant"; };
+ service = access.proxyUrlFor {serviceName = "home-assistant";};
};
}
];
diff --git a/systems/utsuho/nixos.nix b/systems/utsuho/nixos.nix
index 3cdd3d42..51e30567 100644
--- a/systems/utsuho/nixos.nix
+++ b/systems/utsuho/nixos.nix
@@ -1,4 +1,8 @@
-{meta, config, ...}: let
+{
+ meta,
+ config,
+ ...
+}: let
inherit (config.services) nginx;
in {
imports = let