chore: nf-fmt-nix

This commit is contained in:
arcnmx 2024-05-13 15:13:58 -07:00
parent 7486517713
commit 9903866044
160 changed files with 4570 additions and 3019 deletions


@ -25,7 +25,8 @@ in {
requireAuth = false;
};
proxy = {
upstream = mkIf barcodebuddy.enable (mkDefault
upstream = mkIf barcodebuddy.enable (
mkDefault
"nginx'proxied"
);
host = mkDefault serverName;
@ -48,7 +49,7 @@ in {
upstream = mkDefault nginx.virtualHosts.barcodebuddy.proxy.upstream;
host = mkDefault nginx.virtualHosts.barcodebuddy.proxy.host;
};
locations."/" = { config, ... }: {
locations."/" = {config, ...}: {
proxy = {
headers.enableRecommended = true;
redirect = {


@ -5,8 +5,7 @@
gensokyo-zone,
lib,
...
}:
let
}: let
inherit (gensokyo-zone.lib) mapOptionDefaults;
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
@ -19,7 +18,11 @@ let
ssl_verify_client optional_no_ca;
'';
locations = {
"/" = { config, xvars, ... }: {
"/" = {
config,
xvars,
...
}: {
proxy = {
enable = true;
upstream = "freeipa";
@ -67,9 +70,11 @@ in {
};
};
kerberos = {
enable = mkEnableOption "proxy kerberos" // {
default = true;
};
enable =
mkEnableOption "proxy kerberos"
// {
default = true;
};
ports = {
ticket = mkOption {
type = port;
@ -177,7 +182,7 @@ in {
kticket4 = mkKrb5Upstream "ticket4";
};
servers = let
mkKrb5Server = tcpPort: udpPort: { name, ... }: {
mkKrb5Server = tcpPort: udpPort: {name, ...}: {
enable = mkDefault nginx.stream.upstreams.${name}.enable;
listen = {
tcp = mkIf (tcpPort != null) {
@ -187,7 +192,7 @@ in {
udp = mkIf (udpPort != null) {
enable = mkDefault kerberos.ports.${udpPort}.enable;
port = mkOptionDefault kerberos.ports.${udpPort}.port;
extraParameters = [ "udp" ];
extraParameters = ["udp"];
};
};
proxy.upstream = name;
@ -208,11 +213,12 @@ in {
ssl.cert.copyFromVhost = mkDefault "freeipa";
};
};
in mkMerge [
conf
(mkIf nginx.ssl.preread.enable prereadConf)
(mkIf cfg.kerberos.enable kerberosConf)
];
in
mkMerge [
conf
(mkIf nginx.ssl.preread.enable prereadConf)
(mkIf cfg.kerberos.enable kerberosConf)
];
virtualHosts = let
name.shortServer = mkDefault "ipa";
name'cockpit.shortServer = mkDefault "ipa-cock";
@ -233,7 +239,11 @@ in {
name.shortServer = mkDefault "idp-ca";
locations."/" = mkMerge [
locations."/"
({config, virtualHost, ...}: {
({
config,
virtualHost,
...
}: {
proxy.ssl.host = virtualHost.serverName;
proxy.host = config.proxy.ssl.host;
})
@ -276,7 +286,7 @@ in {
};
freeipa'ldap'local = {
serverName = mkDefault ldap.localDomain;
serverAliases = [ ldap.intDomain ];
serverAliases = [ldap.intDomain];
ssl.cert.copyFromVhost = "freeipa'ldap";
globalRedirect = virtualHosts.freeipa'web'local.serverName;
local.enable = true;
@ -295,16 +305,18 @@ in {
inherit (nginx.stream.servers) krb5 kadmin kpasswd kticket4;
in {
allowedTCPPorts = mkMerge [
(mkIf cfg.kerberos.enable (map (server:
mkIf (server.enable && server.listen.tcp.enable) server.listen.tcp.port
) [ krb5 kticket4 kpasswd kadmin ]))
(mkIf cfg.kerberos.enable (map (
server:
mkIf (server.enable && server.listen.tcp.enable) server.listen.tcp.port
) [krb5 kticket4 kpasswd kadmin]))
(mkIf nginx.ssl.preread.enable [
ldapsPort
])
];
allowedUDPPorts = mkIf cfg.kerberos.enable (map (server:
mkIf (server.enable && server.listen.udp.enable) server.listen.udp.port
) [ krb5 kticket4 kpasswd ]);
allowedUDPPorts = mkIf cfg.kerberos.enable (map (
server:
mkIf (server.enable && server.listen.udp.enable) server.listen.udp.port
) [krb5 kticket4 kpasswd]);
};
};
}


@ -13,8 +13,15 @@ in {
config.services.nginx = {
virtualHosts = let
proxyScheme = "https";
url = access.proxyUrlFor { serviceName = "freepbx"; portName = proxyScheme; };
ucpUrl = access.proxyUrlFor { serviceName = "freepbx"; portName = "ucp-ssl"; getAddressFor = "getAddress4For"; };
url = access.proxyUrlFor {
serviceName = "freepbx";
portName = proxyScheme;
};
ucpUrl = access.proxyUrlFor {
serviceName = "freepbx";
portName = "ucp-ssl";
getAddressFor = "getAddress4For";
};
ucpPath = "/socket.io";
# TODO: ports.asterisk/asterisk-ssl?
extraConfig = ''
@ -23,7 +30,7 @@ in {
proxy_busy_buffers_size 256k;
'';
locations = {
"/" = { xvars, ... }: {
"/" = {xvars, ...}: {
xvars.enable = true;
proxy = {
enable = true;
@ -33,7 +40,11 @@ in {
};
};
};
${ucpPath} = { xvars, virtualHost, ... }: {
${ucpPath} = {
xvars,
virtualHost,
...
}: {
proxy = {
enable = true;
websocket.enable = true;
@ -63,12 +74,12 @@ in {
listen' = {
ucp = {
port = mkDefault freepbx.ports.ucp.port;
extraParameters = [ "default_server" ];
extraParameters = ["default_server"];
};
ucpSsl = {
port = mkDefault freepbx.ports.ucp-ssl.port;
ssl = true;
extraParameters = [ "default_server" ];
extraParameters = ["default_server"];
};
};
proxy = {
@ -84,7 +95,7 @@ in {
};
freepbx'local = {
listen' = {
http = { };
http = {};
https.ssl = true;
ucp = {
port = mkDefault nginx.virtualHosts.freepbx'ucp.listen'.ucp.port;
@ -103,9 +114,11 @@ in {
};
};
config.networking.firewall = let
websocketPorts = virtualHost: [
virtualHost.listen'.ucp.port
] ++ optional virtualHost.listen'.ucpSsl.enable virtualHost.listen'.ucpSsl.port;
websocketPorts = virtualHost:
[
virtualHost.listen'.ucp.port
]
++ optional virtualHost.listen'.ucpSsl.enable virtualHost.listen'.ucpSsl.port;
in {
interfaces.local.allowedTCPPorts = websocketPorts nginx.virtualHosts.freepbx'local;
allowedTCPPorts = mkIf (!nginx.virtualHosts.freepbx'ucp.local.denyGlobal) (websocketPorts nginx.virtualHosts.freepbx'ucp);


@ -20,7 +20,11 @@
headers.set.X-Grocy-User = mkOptionDefault "$grocy_user";
};
};
luaAuthHost = { config, xvars, ... }: {
luaAuthHost = {
config,
xvars,
...
}: {
vouch.auth.lua = {
enable = true;
accessRequest = ''
@ -56,16 +60,20 @@ in {
proxied.enable = true;
local.denyGlobal = true;
};
grocy = mkMerge [ luaAuthHost {
inherit name extraConfig locations;
vouch.enable = true;
proxy = {
upstream = mkIf grocy.enable (mkDefault
"nginx'proxied"
);
host = mkDefault serverName;
};
} ];
grocy = mkMerge [
luaAuthHost
{
inherit name extraConfig locations;
vouch.enable = true;
proxy = {
upstream = mkIf grocy.enable (
mkDefault
"nginx'proxied"
);
host = mkDefault serverName;
};
}
];
grocy'local = {
inherit name;
local.enable = mkDefault true;
@ -78,20 +86,23 @@ in {
proxy.enable = true;
};
};
grocy'local'int = mkMerge [ luaAuthHost {
# internal proxy workaround for http2 lua compat issues
serverName = serverName'local;
inherit name extraConfig locations;
proxy = {
upstream = mkDefault nginx.virtualHosts.grocy.proxy.upstream;
host = mkDefault nginx.virtualHosts.grocy.proxy.host;
};
proxied.enable = true;
vouch = {
enable = true;
localSso.enable = true;
};
} ];
grocy'local'int = mkMerge [
luaAuthHost
{
# internal proxy workaround for http2 lua compat issues
serverName = serverName'local;
inherit name extraConfig locations;
proxy = {
upstream = mkDefault nginx.virtualHosts.grocy.proxy.upstream;
host = mkDefault nginx.virtualHosts.grocy.proxy.host;
};
proxied.enable = true;
vouch = {
enable = true;
localSso.enable = true;
};
}
];
};
};
}


@ -7,12 +7,12 @@
inherit (config.services) nginx home-assistant;
name.shortServer = mkDefault "home";
listen' = {
http = { };
http = {};
https.ssl = true;
hass = {
enable = !home-assistant.enable;
port = mkDefault home-assistant.config.http.server_port;
extraParameters = [ "default_server" ];
extraParameters = ["default_server"];
};
};
upstreamName = "home-assistant'access";
@ -24,7 +24,7 @@ in {
addr = mkDefault "localhost";
port = mkIf home-assistant.enable (mkDefault home-assistant.config.http.server_port);
};
service = { upstream, ... }: {
service = {upstream, ...}: {
enable = mkIf upstream.servers.local.enable (mkDefault false);
accessService = {
name = "home-assistant";
@ -63,7 +63,8 @@ in {
};
config.networking.firewall.allowedTCPPorts = let
inherit (nginx.virtualHosts.home-assistant'local) listen';
in mkIf nginx.virtualHosts.home-assistant'local.enable [
(mkIf listen'.hass.enable listen'.hass.port)
];
in
mkIf nginx.virtualHosts.home-assistant'local.enable [
(mkIf listen'.hass.enable listen'.hass.port)
];
}


@ -19,7 +19,7 @@ in {
addr = mkDefault "localhost";
port = mkIf cfg.enable (mkDefault cfg.port);
};
service = { upstream, ... }: {
service = {upstream, ...}: {
enable = mkIf upstream.servers.local.enable (mkDefault false);
accessService = {
name = "invidious";
@ -40,7 +40,7 @@ in {
proxy_redirect off;
proxy_buffering off;
'';
location = { xvars, ... }: {
location = {xvars, ...}: {
proxy = {
enable = true;
websocket.enable = true;
@ -61,7 +61,11 @@ in {
upstream = "nginx'proxied";
host = mkDefault nginx.virtualHosts.invidious'int.serverName;
};
locations."/" = { xvars, virtualHost, ... }: {
locations."/" = {
xvars,
virtualHost,
...
}: {
proxy.enable = true;
extraConfig = ''
proxy_http_version 1.1;
@ -72,7 +76,11 @@ in {
'';
};
};
invidious'int = { config, xvars, ... }: {
invidious'int = {
config,
xvars,
...
}: {
serverName = "@invidious_internal";
proxied.enable = true;
local.denyGlobal = true;
@ -115,7 +123,7 @@ in {
};
inherit extraConfig;
};
invidious'local = { xvars, ... }: {
invidious'local = {xvars, ...}: {
local.enable = true;
ssl.cert.copyFromVhost = "invidious";
proxy = {


@ -18,7 +18,7 @@ in {
port = mkDefault cfg.port;
ssl.enable = mkIf (cfg.protocol == "https") true;
};
access = { upstream, ... }: {
access = {upstream, ...}: {
enable = mkDefault (!upstream.servers.local.enable or false);
accessService = {
name = "keycloak";


@ -12,8 +12,15 @@
in {
config.services.nginx = {
virtualHosts = let
url = access.proxyUrlFor { inherit system; service = motion; };
streamUrl = access.proxyUrlFor { inherit system; service = motion; portName = "stream"; };
url = access.proxyUrlFor {
inherit system;
service = motion;
};
streamUrl = access.proxyUrlFor {
inherit system;
service = motion;
portName = "stream";
};
extraConfig = ''
proxy_redirect off;
proxy_buffering off;
@ -32,7 +39,7 @@ in {
};
};
listen' = {
http = { };
http = {};
https.ssl = true;
stream = {
enable = mkDefault motion.ports.stream.enable;
@ -49,9 +56,12 @@ in {
inherit name listen';
ssl.cert.copyFromVhost = "kitchencam";
local.enable = true;
locations = mapAttrs (name: location: location // {
proxyPass = mkDefault nginx.virtualHosts.kitchencam.locations.${name}.proxyPass;
}) locations;
locations = mapAttrs (name: location:
location
// {
proxyPass = mkDefault nginx.virtualHosts.kitchencam.locations.${name}.proxyPass;
})
locations;
};
};
};


@ -4,8 +4,7 @@
gensokyo-zone,
access,
...
}:
let
}: let
inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
inherit (lib.options) mkOption;
inherit (lib.modules) mkIf mkOptionDefault;
@ -42,7 +41,7 @@ in {
inherit (nginx.stream.upstreams.ldaps.servers.access.accessService) system name id port;
};
};
ldap = { upstream, ... }: {
ldap = {upstream, ...}: {
enable = mkIf upstream.servers.ldaps.enable false;
accessService = {
inherit (nginx.stream.upstreams.ldap.servers.access.accessService) system name id port;
@ -54,7 +53,7 @@ in {
name = "ldap";
};
};
ldaps = { config, ... }: {
ldaps = {config, ...}: {
enable = mkAlmostOptionDefault config.servers.access.enable;
servers.access = {
accessService = {


@ -4,8 +4,7 @@
access,
gensokyo-zone,
...
}:
let
}: let
inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
inherit (lib.modules) mkIf mkOptionDefault;
inherit (config.services) nginx;
@ -42,7 +41,9 @@ in {
};
};
proxy.upstream = mkAlmostOptionDefault (
if nginx.stream.upstreams.mqtts.enable then "mqtts" else "mqtt"
if nginx.stream.upstreams.mqtts.enable
then "mqtts"
else "mqtt"
);
};
};


@ -1,4 +1,8 @@
{config, lib, ...}: let
{
config,
lib,
...
}: let
inherit (lib.modules) mkIf;
cfg = config.services.nginx;
in {


@ -15,7 +15,7 @@ in {
addr = mkDefault "localhost";
port = mkIf openwebrx.enable (mkDefault openwebrx.port);
};
service = { upstream, ... }: {
service = {upstream, ...}: {
enable = mkIf upstream.servers.local.enable (mkDefault false);
accessService = {
name = "openwebrx";


@ -16,7 +16,7 @@ in {
addr = mkDefault "localhost";
port = mkDefault cfg.port;
};
access = { upstream, ... }: {
access = {upstream, ...}: {
enable = mkDefault (!upstream.servers.local.enable);
accessService.name = "plex";
};
@ -65,12 +65,12 @@ in {
inherit name locations extraConfig;
proxy.upstream = mkDefault upstreamName;
listen' = {
http = { };
http = {};
https.ssl = true;
external = {
enable = mkDefault false;
port = mkDefault 32400;
extraParameters = [ "default_server" ];
extraParameters = ["default_server"];
};
};
};
@ -88,7 +88,8 @@ in {
};
config.networking.firewall.allowedTCPPorts = let
inherit (nginx.virtualHosts.plex) listen';
in mkIf listen'.external.enable [
listen'.external.port
];
in
mkIf listen'.external.enable [
listen'.external.port
];
}


@ -7,7 +7,7 @@
inherit (lib.modules) mkDefault;
inherit (lib.strings) escapeRegex;
inherit (config.services) nginx tailscale;
proxyPass = access.proxyUrlFor { serviceName = "proxmox"; } + "/";
proxyPass = access.proxyUrlFor {serviceName = "proxmox";} + "/";
in {
config.services.nginx.virtualHosts = let
locations."/" = {


@ -16,7 +16,7 @@ in {
port = mkDefault 8443;
ssl.enable = mkDefault true;
};
access = { upstream, ... }: {
access = {upstream, ...}: {
enable = mkDefault (!upstream.servers.local.enable);
accessService = {
name = "unifi";


@ -28,7 +28,11 @@ in {
proxy_redirect default;
'';
};
"/validate" = {config, virtualHost, ...}: {
"/validate" = {
config,
virtualHost,
...
}: {
proxied.enable = true;
proxy.enable = true;
local.denyGlobal = true;
@ -36,9 +40,9 @@ in {
};
name.shortServer = mkDefault "login";
in {
vouch = { xvars, ... }: {
vouch = {xvars, ...}: {
inherit name locations;
serverAliases = [ nginx.vouch.doubleProxy.serverName ];
serverAliases = [nginx.vouch.doubleProxy.serverName];
proxied.enable = true;
proxy = {
upstream = mkDefault "vouch'access";
@ -46,12 +50,12 @@ in {
};
local.denyGlobal = true;
};
vouch'local = { xvars, ... }: {
vouch'local = {xvars, ...}: {
name = {
inherit (name) shortServer;
includeTailscale = mkDefault false;
};
serverAliases = mkIf cfg.enable [ nginx.vouch.doubleProxy.localServerName ];
serverAliases = mkIf cfg.enable [nginx.vouch.doubleProxy.localServerName];
proxied.enable = true;
proxy = {
upstream = mkDefault "vouch'access'local";
@ -64,7 +68,7 @@ in {
};
inherit locations;
};
vouch'tail = { xvars, ... }: {
vouch'tail = {xvars, ...}: {
enable = mkDefault (tailscale.enable && !nginx.virtualHosts.vouch'local.name.includeTailscale);
ssl.cert.copyFromVhost = "vouch'local";
name = {


@ -15,7 +15,7 @@ in {
addr = mkDefault "localhost";
port = mkIf zigbee2mqtt.enable (mkDefault zigbee2mqtt.settings.frontend.port);
};
service = { upstream, ... }: {
service = {upstream, ...}: {
enable = mkIf upstream.servers.local.enable (mkDefault false);
accessService = {
name = "zigbee2mqtt";


@ -64,7 +64,7 @@ in {
acme_cloudflare_token = acmeSecret;
};
systemd.services = let
after = [ "systemd-tmpfiles-resetup.service" ];
after = ["systemd-tmpfiles-resetup.service"];
in {
acme-fixperms = {
inherit after;


@ -1,4 +1,9 @@
{config, access, lib, ...}: let
{
config,
access,
lib,
...
}: let
inherit (lib.modules) mkIf mkDefault;
inherit (config.services) nginx;
cfg = config.services.barcodebuddy;
@ -28,14 +33,15 @@ in {
};
config.systemd.services = let
gensokyo-zone.sharedMounts.barcodebuddy.path = mkDefault cfg.dataDir;
in mkIf cfg.enable {
phpfpm-barcodebuddy = {
inherit gensokyo-zone;
in
mkIf cfg.enable {
phpfpm-barcodebuddy = {
inherit gensokyo-zone;
};
bbuddy-websocket = mkIf cfg.screen.enable {
inherit gensokyo-zone;
};
};
bbuddy-websocket = mkIf cfg.screen.enable {
inherit gensokyo-zone;
};
};
config.sops.secrets.barcodebuddy-fastcgi-params = mkIf cfg.enable {
sopsFile = mkDefault ./secrets/barcodebuddy.yaml;
owner = mkDefault nginx.user;


@ -1,7 +1,4 @@
{
pkgs,
...
}: {
{pkgs, ...}: {
fonts.packages = [
pkgs.tamzen
];


@ -14,13 +14,19 @@ in {
hostName = mkOverride 25 name;
nameservers' = [
#{ address = "8.8.8.8"; host = "dns.google"; }
{ address = "1.1.1.1"; host = "cloudflare-dns.com"; }
{ address = "1.0.0.1"; host = "cloudflare-dns.com"; }
{
address = "1.1.1.1";
host = "cloudflare-dns.com";
}
{
address = "1.0.0.1";
host = "cloudflare-dns.com";
}
];
};
# work around https://github.com/NixOS/nixpkgs/issues/132646
system.nssDatabases.hosts = mkIf config.services.resolved.enable (
mkOrder 450 [ "files" ]
mkOrder 450 ["files"]
);
}


@ -23,12 +23,14 @@ in {
lock = importJSON ../../flake.lock;
mapFlake = name: let
node = lock.nodes.${name};
in {
inherit (node.original) type;
inherit (node.locked) lastModified rev narHash;
} // optionalAttrs (node.original.type == "github") {
inherit (node.original) repo owner;
};
in
{
inherit (node.original) type;
inherit (node.locked) lastModified rev narHash;
}
// optionalAttrs (node.original.type == "github") {
inherit (node.original) repo owner;
};
in {
nixpkgs.to = mapFlake "nixpkgs";
arc.to = mapFlake "arcexprs";
@ -40,7 +42,7 @@ in {
};
};
settings = {
allowed-users = [ "@nixbuilder" ];
allowed-users = ["@nixbuilder"];
experimental-features = lib.optional (lib.versionAtLeast config.nix.package.version "2.4") "nix-command flakes";
substituters = [
"https://gensokyo-infrastructure.cachix.org"
@ -67,7 +69,7 @@ in {
};
optimise = {
automatic = mkAlmostDefault true;
dates = mkDefault [ "03:25" ];
dates = mkDefault ["03:25"];
};
};
${


@ -1,21 +1,28 @@
{ pkgs, config, lib, ... }: let
{
pkgs,
config,
lib,
...
}: let
inherit (lib.options) mkEnableOption mkPackageOption;
inherit (lib.modules) mkIf;
cfg = config.boot.binfmt.cross.aarch64;
in {
options = {
boot.binfmt.cross.aarch64 = {
enable = mkEnableOption "qemu-aarch64" // {
default = true;
};
package = mkPackageOption pkgs "qemu" { };
enable =
mkEnableOption "qemu-aarch64"
// {
default = true;
};
package = mkPackageOption pkgs "qemu" {};
armv7l = mkEnableOption "arm.cachix.org";
};
};
config = {
boot.binfmt = {
emulatedSystems = mkIf cfg.enable [ "aarch64-linux" ];
emulatedSystems = mkIf cfg.enable ["aarch64-linux"];
registrations.aarch64-linux = mkIf cfg.enable {
interpreter = "${cfg.package}/bin/qemu-aarch64";
wrapInterpreterInShell = false;
@ -23,8 +30,8 @@ in {
};
nix.settings = mkIf cfg.armv7l {
substituters = [ "https://arm.cachix.org/" ];
trusted-public-keys = [ "arm.cachix.org-1:5BZ2kjoL1q6nWhlnrbAl+G7ThY7+HaBRD9PZzqZkbnM=" ];
substituters = ["https://arm.cachix.org/"];
trusted-public-keys = ["arm.cachix.org-1:5BZ2kjoL1q6nWhlnrbAl+G7ThY7+HaBRD9PZzqZkbnM="];
};
};
}


@ -13,38 +13,49 @@
inherit (lib.trivial) mapNullable flip;
cfg = config.services.dnsmasq;
inherit (gensokyo-zone) systems;
localSystems = filterAttrs (_: system:
system.config.access.online.enable && system.config.network.networks.local.enable or false
) systems;
localSystems =
filterAttrs (
_: system:
system.config.access.online.enable && system.config.network.networks.local.enable or false
)
systems;
mkHostRecordPairs = _: system: [
(mkHostRecordPair "int" system)
(mkHostRecordPair "local" system)
(mkHostRecordPair "tail" system)
];
mapDynamic4 = replaceStrings [ "10.1.1." ] [ "0.0.0." ];
mapDynamic6 = replaceStrings [ "fd0a::" ] [ "2001::" ];
mapDynamic4 = replaceStrings ["10.1.1."] ["0.0.0."];
mapDynamic6 = replaceStrings ["fd0a::"] ["2001::"];
mkDynamicHostRecord = _: system: let
address4 = system.config.network.networks.local.address4 or null;
address6 = system.config.network.networks.local.address6 or null;
in concatStringsSep "," ([
system.config.access.fqdn
] ++ optional (address4 != null)
(toString (mapNullable mapDynamic4 address4))
++ optional (address6 != null)
(toString (mapNullable mapDynamic6 address6))
++ singleton
cfg.dynamic.interface
);
in
concatStringsSep "," (
[
system.config.access.fqdn
]
++ optional (address4 != null)
(toString (mapNullable mapDynamic4 address4))
++ optional (address6 != null)
(toString (mapNullable mapDynamic6 address6))
++ singleton
cfg.dynamic.interface
);
mkHostRecordPair = network: system: let
address4 = system.config.network.networks.${network}.address4 or null;
address6 = system.config.network.networks.${network}.address6 or null;
fqdn = system.config.network.networks.${network}.fqdn or null;
in nameValuePair
(if fqdn != null then fqdn else "${network}.${system.config.access.fqdn}")
in
nameValuePair
(
if fqdn != null
then fqdn
else "${network}.${system.config.access.fqdn}"
)
(concatStringsSep "," (
optional (address4 != null)
optional (address4 != null)
(toString address4)
++ optional (address6 != null)
++ optional (address6 != null)
(toString address6)
));
systemHosts = filterAttrs (_: value: value != "") (
@ -93,15 +104,16 @@ in {
"mco.cubecraft.net"
];
bedrockRecords = map (flip mkHostRecord bedrockRecord) bedrockRecordNames;
in mkMerge [
(mapAttrsToList mkHostRecord systemHosts)
(mkIf (cfg.bedrockConnect.address != null || cfg.bedrockConnect.address6 != null) bedrockRecords)
];
in
mkMerge [
(mapAttrsToList mkHostRecord systemHosts)
(mkIf (cfg.bedrockConnect.address != null || cfg.bedrockConnect.address6 != null) bedrockRecords)
];
dynamic-host = mapAttrsToList mkDynamicHostRecord localSystems;
server =
if config.networking.nameservers' != [ ] then map (ns: ns.address) (filter filterns' config.networking.nameservers')
else filter filterns config.networking.nameservers
;
if config.networking.nameservers' != []
then map (ns: ns.address) (filter filterns' config.networking.nameservers')
else filter filterns config.networking.nameservers;
max-cache-ttl = 60;
};
bedrockConnect = let
@ -118,11 +130,11 @@ in {
};
networking = mkIf cfg.enable {
firewall = {
interfaces.local.allowedTCPPorts = [ 53 ];
interfaces.local.allowedUDPPorts = [ 53 ];
interfaces.local.allowedTCPPorts = [53];
interfaces.local.allowedUDPPorts = [53];
};
nameservers' = mkIf cfg.resolveLocalQueries' (mkBefore [
{ address = "127.0.0.1"; }
{address = "127.0.0.1";}
]);
};
};


@ -1,4 +1,8 @@
{config, lib, ...}: let
{
config,
lib,
...
}: let
inherit (lib.modules) mkIf mkMerge mkBefore mkDefault;
cfg = config.services.grocy;
in {
@ -72,13 +76,14 @@ in {
};
systemd.services = let
gensokyo-zone.sharedMounts.grocy.path = mkDefault cfg.dataDir;
in mkIf cfg.enable {
grocy-setup = {
inherit gensokyo-zone;
in
mkIf cfg.enable {
grocy-setup = {
inherit gensokyo-zone;
};
phpfpm-grocy = {
inherit gensokyo-zone;
};
};
phpfpm-grocy = {
inherit gensokyo-zone;
};
};
};
}


@ -1,4 +1,8 @@
{lib, access, ...}: let
{
lib,
access,
...
}: let
inherit (lib.modules) mkDefault;
in {
config = {
@ -9,7 +13,7 @@ in {
ipv6SendRAConfig = {
Managed = mkDefault false;
EmitDNS = mkDefault true;
DNS = [ (access.systemForService "dnsmasq").access.address6ForNetwork.int ];
DNS = [(access.systemForService "dnsmasq").access.address6ForNetwork.int];
# Domains = [ "int.${networking.domain}" ];
EmitDomains = mkDefault false;
RouterPreference = mkDefault "low";


@ -1,4 +1,8 @@
{ config, lib, ... }: let
{
config,
lib,
...
}: let
inherit (lib.modules) mkDefault;
in {
# NOTE: requires manual post-install setup...


@ -1,4 +1,11 @@
{inputs, system, access, config, lib, ...}: let
{
inputs,
system,
access,
config,
lib,
...
}: let
inherit (lib.modules) mkIf mkForce mkDefault;
inherit (lib.lists) optional;
cfg = config.services.keycloak;
@ -20,9 +27,10 @@ in {
sopsFile = ./secrets/keycloak.yaml;
owner = "keycloak";
};
in mkIf cfg.enable {
keycloak_db_password = commonSecret;
};
in
mkIf cfg.enable {
keycloak_db_password = commonSecret;
};
users = mkIf cfg.enable {
users.keycloak = {
isSystemUser = true;
@ -54,8 +62,16 @@ in {
};
settings = {
hostname = mkDefault (if hostname-strict then hostname else null);
proxy = mkDefault (if cfg.protocol == "https" then "reencrypt" else "edge");
hostname = mkDefault (
if hostname-strict
then hostname
else null
);
proxy = mkDefault (
if cfg.protocol == "https"
then "reencrypt"
else "edge"
);
hostname-strict = mkDefault hostname-strict;
hostname-strict-https = mkDefault hostname-strict;
proxy-headers = mkDefault "xforwarded";


@ -1,4 +1,11 @@
{ inputs, pkgs, config, access, lib, ... }: let
{
inputs,
pkgs,
config,
access,
lib,
...
}: let
inherit (inputs.self.lib.lib) mkAlmostOptionDefault mapAlmostOptionDefaults;
inherit (lib.modules) mkIf mkMerge mkBefore mkDefault mkOptionDefault;
inherit (lib.strings) replaceStrings;
@ -17,7 +24,7 @@ in {
};
};
gensokyo-zone = let
toLdap = replaceStrings [ "idp." ] [ "ldap." ];
toLdap = replaceStrings ["idp."] ["ldap."];
system = access.systemForService "kerberos";
lanName = access.getHostnameFor system.name "lan";
localName = access.getHostnameFor system.name "local";
@ -28,8 +35,8 @@ in {
host = mkAlmostOptionDefault lanName;
ldap = {
urls = mkMerge [
(mkOptionDefault (mkBefore [ "ldaps://${ldapLan}" ]))
(mkIf (ldapLan != ldapLocal) (mkOptionDefault (mkBefore [ "ldaps://${ldapLan}" ])))
(mkOptionDefault (mkBefore ["ldaps://${ldapLan}"]))
(mkIf (ldapLan != ldapLocal) (mkOptionDefault (mkBefore ["ldaps://${ldapLan}"])))
];
bind.passwordFile = mkIf (cfg.gensokyo-zone.db.backend == "kldap") config.sops.secrets.gensokyo-zone-krb5-passwords.path;
};
@ -52,7 +59,7 @@ in {
sysAccountDnSuffix = mkDefault "cn=sysaccounts,cn=etc,";
domainDnSuffix = mkDefault "cn=ad,cn=etc,";
};
networking.timeServers = [ "2.fedora.pool.ntp.org" ];
networking.timeServers = ["2.fedora.pool.ntp.org"];
security.ipa = {
chromiumSupport = mkDefault false;
};
@ -68,24 +75,26 @@ in {
kinit -k host/${config.networking.fqdn}
'';
in mkIf enabled {
path = [ config.security.krb5.package ];
serviceConfig = {
Type = mkOptionDefault "oneshot";
ExecStart = [ "${krb5-host}" ];
in
mkIf enabled {
path = [config.security.krb5.package];
serviceConfig = {
Type = mkOptionDefault "oneshot";
ExecStart = ["${krb5-host}"];
};
};
};
sops.secrets = let
sopsFile = mkDefault ./secrets/krb5.yaml;
in mkIf enabled {
krb5-keytab = {
mode = "0400";
path = "/etc/krb5.keytab";
in
mkIf enabled {
krb5-keytab = {
mode = "0400";
path = "/etc/krb5.keytab";
};
gensokyo-zone-krb5-passwords = mkIf (cfg.gensokyo-zone.db.backend == "kldap") {
inherit sopsFile;
};
};
gensokyo-zone-krb5-passwords = mkIf (cfg.gensokyo-zone.db.backend == "kldap") {
inherit sopsFile;
};
};
};
}


@ -10,7 +10,7 @@
inherit (config) kyuuto;
inherit (config.services.nfs.export) flagSets;
nfsRoot = {
__toString = _: config.services.nfs.export.root.path;
__toString = _: config.services.nfs.export.root.path;
transfer = "${nfsRoot}/kyuuto/transfer";
media = "${nfsRoot}/kyuuto/media";
};
@ -19,16 +19,16 @@ in {
export = {
paths = {
${nfsRoot.media} = {
flags = flagSets.common ++ [ "fsid=128" ] ++ flagSets.secip ++ [ "rw" ] ++ flagSets.anon_ro;
flags = flagSets.common ++ ["fsid=128"] ++ flagSets.secip ++ ["rw"] ++ flagSets.anon_ro;
clients = {
local = {
machine = flagSets.allClients;
flags = flagSets.seclocal ++ [ "rw" "no_all_squash" ];
flags = flagSets.seclocal ++ ["rw" "no_all_squash"];
};
};
};
${nfsRoot.transfer} = {
flags = flagSets.common ++ [ "fsid=129" ] ++ [ "rw" "async" ];
flags = flagSets.common ++ ["fsid=129"] ++ ["rw" "async"];
clients = {
local = {
machine = flagSets.allClients;
@ -47,16 +47,17 @@ in {
"nfs-mountd.service"
];
before = wantedBy;
in mkIf config.services.nfs.server.enable [
{
inherit type options wantedBy before;
what = kyuuto.mountDir;
where = nfsRoot.media;
}
{
inherit type options wantedBy before;
what = kyuuto.transferDir;
where = nfsRoot.transfer;
}
];
in
mkIf config.services.nfs.server.enable [
{
inherit type options wantedBy before;
what = kyuuto.mountDir;
where = nfsRoot.media;
}
{
inherit type options wantedBy before;
what = kyuuto.transferDir;
where = nfsRoot.transfer;
}
];
}


@ -1,4 +1,8 @@
{config, lib, ...}: let
{
config,
lib,
...
}: let
inherit (lib.modules) mkDefault;
inherit (config.users) ldap;
inherit (ldap.management) permissions;
@ -9,15 +13,33 @@ in {
"Custom Anonymous User Read" = {
bindType = "anonymous";
targetType = "user";
attrs = [ "gidnumber" "homedirectory" "ipantsecurityidentifier" "loginshell" "manager" "objectclass" "title" "uid" "uidnumber" ];
attrs = ["gidnumber" "homedirectory" "ipantsecurityidentifier" "loginshell" "manager" "objectclass" "title" "uid" "uidnumber"];
};
"Custom Permission Admin" = {
location = ldap.permissionDnSuffix;
target = "cn=*";
rights = "all";
attrs = [
"member" "cn" "o" "ou" "owner" "description" "objectclass" "seealso" "businesscategory"
"ipapermtarget" "ipapermright" "ipapermincludedattr" "ipapermbindruletype" "ipapermexcludedattr" "ipapermtargetto" "ipapermissiontype" "ipapermlocation" "ipapermdefaultattr" "ipapermtargetfrom" "ipapermtargetfilter"
"member"
"cn"
"o"
"ou"
"owner"
"description"
"objectclass"
"seealso"
"businesscategory"
"ipapermtarget"
"ipapermright"
"ipapermincludedattr"
"ipapermbindruletype"
"ipapermexcludedattr"
"ipapermtargetto"
"ipapermissiontype"
"ipapermlocation"
"ipapermdefaultattr"
"ipapermtargetfrom"
"ipapermtargetfilter"
];
};
"Custom Privilege Admin" = {
@ -25,7 +47,16 @@ in {
target = "cn=*";
rights = "all";
attrs = [
"member" "memberof" "cn" "o" "ou" "owner" "description" "objectclass" "seealso" "businesscategory"
"member"
"memberof"
"cn"
"o"
"ou"
"owner"
"description"
"objectclass"
"seealso"
"businesscategory"
];
};
"Custom Role Admin" = {
@ -33,17 +64,26 @@ in {
target = "cn=*";
rights = "all";
attrs = [
"member" "memberof" "cn" "o" "ou" "owner" "description" "objectclass" "seealso" "businesscategory"
"member"
"memberof"
"cn"
"o"
"ou"
"owner"
"description"
"objectclass"
"seealso"
"businesscategory"
];
};
"Custom Role Modify" = {
targetType = "role";
rights = [ "write" "add" ];
rights = ["write" "add"];
attrs = permissions."Custom Role Admin".attrs;
};
"Custom Host Permission" = {
targetType = "host";
rights = [ "write" ];
rights = ["write"];
attrs = [
"memberof"
];
@ -52,21 +92,32 @@ in {
targetType = "sysaccount";
rights = "all";
attrs = [
"member" "memberof" "uid" "o" "ou" "description" "objectclass" "seealso" "businesscategory"
"passwordExpirationTime" "nsIdleTimeout"
"member"
"memberof"
"uid"
"o"
"ou"
"description"
"objectclass"
"seealso"
"businesscategory"
"passwordExpirationTime"
"nsIdleTimeout"
];
};
"Custom SysAccount Admin" = {
location = ldap.sysAccountDnSuffix;
target = "uid=*";
rights = [ "add" "write" "delete" ];
attrs = permissions."Custom SysAccount Permission".attrs ++ [
"userPassword"
];
rights = ["add" "write" "delete"];
attrs =
permissions."Custom SysAccount Permission".attrs
++ [
"userPassword"
];
};
"Custom Service Permission" = {
targetType = "service";
rights = [ "write" ];
rights = ["write"];
attrs = [
"memberof"
];


@ -1,68 +1,72 @@
{config, lib, ...}: let
{
config,
lib,
...
}: let
inherit (lib.modules) mkDefault;
inherit (config.users) ldap;
smbAccountAttrs = [ "sambasid" "sambapwdlastset" "sambaacctflags" "sambapasswordhistory" "sambantpassword" ];
smbGroupAttrs = [ "sambasid" "sambagrouptype" ];
smbDomainAttrs = [ "sambasid" "sambaRefuseMachinePwdChange" "sambaMinPwdLength" "sambaAlgorithmicRidBase" "sambaPwdHistoryLength" "sambaDomainName" "sambaMinPwdAge" "sambaMaxPwdAge" "sambaLockoutThreshold" "sambaForceLogoff" "sambaLogonToChgPwd" "sambaLockoutObservationWindow" "sambaNextUserRid" "sambaLockoutDuration" ];
smbAccountAttrs = ["sambasid" "sambapwdlastset" "sambaacctflags" "sambapasswordhistory" "sambantpassword"];
smbGroupAttrs = ["sambasid" "sambagrouptype"];
smbDomainAttrs = ["sambasid" "sambaRefuseMachinePwdChange" "sambaMinPwdLength" "sambaAlgorithmicRidBase" "sambaPwdHistoryLength" "sambaDomainName" "sambaMinPwdAge" "sambaMaxPwdAge" "sambaLockoutThreshold" "sambaForceLogoff" "sambaLogonToChgPwd" "sambaLockoutObservationWindow" "sambaNextUserRid" "sambaLockoutDuration"];
in {
config.users.ldap.management = {
enable = mkDefault true;
permissions = {
"Custom Samba User Read" = {
targetType = "user";
attrs = [ "ipanthash" "ipanthomedirectory" "ipanthomedirectorydrive" "ipantlogonscript" "ipantprofilepath" "ipantsecurityidentifier" ] ++ smbAccountAttrs;
attrs = ["ipanthash" "ipanthomedirectory" "ipanthomedirectorydrive" "ipantlogonscript" "ipantprofilepath" "ipantsecurityidentifier"] ++ smbAccountAttrs;
};
"Custom Samba User Modify" = {
targetType = "user";
rights = [ "write" ];
rights = ["write"];
attrs = smbAccountAttrs;
};
"Custom Samba User Admin" = {
targetType = "user";
rights = [ "write" ];
attrs = smbAccountAttrs ++ [ "objectclass" ];
rights = ["write"];
attrs = smbAccountAttrs ++ ["objectclass"];
};
"Custom Samba Group Read" = {
targetType = "user-group";
attrs = [ "ipantsecurityidentifier" "gidnumber" ] ++ smbGroupAttrs;
attrs = ["ipantsecurityidentifier" "gidnumber"] ++ smbGroupAttrs;
};
"Custom Samba Group Modify" = {
targetType = "user-group";
rights = [ "write" ];
rights = ["write"];
attrs = smbGroupAttrs;
};
"Custom Samba Group Admin" = {
targetType = "user-group";
rights = [ "write" ];
attrs = smbGroupAttrs ++ [ "objectclass" ];
rights = ["write"];
attrs = smbGroupAttrs ++ ["objectclass"];
};
"Custom Samba Domain Read" = {
targetType = "samba-domain";
attrs = [ "objectClass" ] ++ smbDomainAttrs;
attrs = ["objectClass"] ++ smbDomainAttrs;
};
"Custom Samba Domain Modify" = {
targetType = "samba-domain";
rights = [ "write" "add" ];
rights = ["write" "add"];
attrs = smbDomainAttrs;
};
"Custom Samba Domain Admin" = {
targetType = "domain";
rights = [ "write" ];
attrs = smbDomainAttrs ++ [ "objectclass" ];
rights = ["write"];
attrs = smbDomainAttrs ++ ["objectclass"];
};
"Custom Samba Realm Read" = {
targetType = "domain";
attrs = [ "objectClass" "ipaNTSecurityIdentifier" "ipaNTFlatName" "ipaNTDomainGUID" "ipaNTFallbackPrimaryGroup" ] ++ smbDomainAttrs;
attrs = ["objectClass" "ipaNTSecurityIdentifier" "ipaNTFlatName" "ipaNTDomainGUID" "ipaNTFallbackPrimaryGroup"] ++ smbDomainAttrs;
};
"Custom Samba Realm Modify" = {
targetType = "domain";
rights = [ "write" ];
rights = ["write"];
attrs = smbDomainAttrs;
};
"Custom Samba Realm Admin" = {
targetType = "domain";
rights = [ "write" ];
attrs = smbDomainAttrs ++ [ "objectclass" ];
rights = ["write"];
attrs = smbDomainAttrs ++ ["objectclass"];
};
};
users = {
@ -173,7 +177,7 @@ in {
};
objects = {
"cn=${config.networking.domain},${ldap.domainDnSuffix}" = {
objectClasses = [ "sambaDomain" ];
objectClasses = ["sambaDomain"];
settings = {
sambaSID = ldap.samba.domainSID;
sambaDomainName = "GENSOKYO";


@ -1,99 +1,111 @@
{config, lib, inputs, ...}: let
{
config,
lib,
inputs,
...
}: let
inherit (inputs.self.lib.lib) userIs mkAlmostOptionDefault;
inherit (lib.modules) mkMerge mkDefault;
inherit (lib.attrsets) mapAttrs filterAttrs;
ldapUsers = filterAttrs (_: userIs "peeps") config.users.users;
ldapGroups = filterAttrs (_: group: group.gid != null && group.gid >= 8000 && group.gid < 8256) config.users.groups;
management = {
users = mapAttrs (name: user: {
user.name = mkAlmostOptionDefault name;
samba = {
enable = mkDefault true;
sync.enable = mkDefault true;
accountFlags = {
noPasswordExpiry = mkDefault true;
users =
mapAttrs (name: user: {
user.name = mkAlmostOptionDefault name;
samba = {
enable = mkDefault true;
sync.enable = mkDefault true;
accountFlags = {
noPasswordExpiry = mkDefault true;
};
};
};
}) ldapUsers;
groups = mapAttrs (name: group: {
group.name = mkAlmostOptionDefault name;
samba.enable = mkDefault true;
}) ldapGroups;
})
ldapUsers;
groups =
mapAttrs (name: group: {
group.name = mkAlmostOptionDefault name;
samba.enable = mkDefault true;
})
ldapGroups;
};
in {
config.users.ldap = {
management = mkMerge [ management {
users = {
guest.user.enable = true;
admin = {
user.enable = true;
samba.enable = true;
};
opl = {
user.enable = true;
samba = {
enable = true;
#sync.enable = true;
accountFlags = {
noPasswordExpiry = mkDefault true;
normalUser = true;
management = mkMerge [
management
{
users = {
guest.user.enable = true;
admin = {
user.enable = true;
samba.enable = true;
};
opl = {
user.enable = true;
samba = {
enable = true;
#sync.enable = true;
accountFlags = {
noPasswordExpiry = mkDefault true;
normalUser = true;
};
};
object.settings.settings = {
sambaNTPassword = "F7C2C5D78C24EACB73550B02BF5888E3";
sambaLMPassword = "A5C96CDE7660B20BAAD3B435B51404EE";
};
};
object.settings.settings = {
sambaNTPassword = "F7C2C5D78C24EACB73550B02BF5888E3";
sambaLMPassword = "A5C96CDE7660B20BAAD3B435B51404EE";
};
groups = {
nogroup = {
group.enable = true;
samba.enable = true;
};
guest = {
samba = {
enable = true;
groupType = 4;
sid = "S-1-5-32-546";
};
};
admin = {
group.enable = true;
samba.enable = true;
};
kyuuto-peeps = {
group.enable = true;
samba.enable = true;
};
kyuuto = {
group.enable = true;
samba.enable = true;
};
peeps = {
group.enable = true;
samba.enable = true;
};
admins = {
samba = {
enable = true;
#sync.enable = true;
groupType = 4;
sid = "S-1-5-32-544";
};
};
smb = {
name = "Default SMB Group";
samba = {
enable = true;
#sync.enable = true;
groupType = 4;
sid = "S-1-5-32-545";
};
};
};
};
groups = {
nogroup = {
group.enable = true;
samba.enable = true;
objects = {
# TODO: ipa hostname krb5 aliases should be populated here!!!
};
guest = {
samba = {
enable = true;
groupType = 4;
sid = "S-1-5-32-546";
};
};
admin = {
group.enable = true;
samba.enable = true;
};
kyuuto-peeps = {
group.enable = true;
samba.enable = true;
};
kyuuto = {
group.enable = true;
samba.enable = true;
};
peeps = {
group.enable = true;
samba.enable = true;
};
admins = {
samba = {
enable = true;
#sync.enable = true;
groupType = 4;
sid = "S-1-5-32-544";
};
};
smb = {
name = "Default SMB Group";
samba = {
enable = true;
#sync.enable = true;
groupType = 4;
sid = "S-1-5-32-545";
};
};
};
objects = {
# TODO: ipa hostname krb5 aliases should be populated here!!!
};
} ];
}
];
};
}
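Review bot: The `opl` account's `sambaNTPassword` and `sambaLMPassword` values in the `object.settings.settings` block of this hunk are committed as literal strings in the module, and an NT hash is password-equivalent for NTLM/SMB authentication while an LM hash is a legacy format from which the password can be recovered cheaply, so anyone with read access to the repository or its history effectively holds that account's credential. Elsewhere in this same commit samba credentials are sourced through sops (`config.sops.secrets.smbpasswd.path`), so the same approach fits here: move both values into a sops-managed secret and rotate the password, since the hashes stay in git history regardless of this change. If this account is a deliberate test fixture or throwaway, a comment next to the block saying so would save the next reader the question.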

View file

@ -1,4 +1,9 @@
{config, lib, pkgs, ...}: let
{
config,
lib,
pkgs,
...
}: let
inherit (lib.modules) mkIf mkDefault;
cfg = config.services.minecraft-bedrock-server;
in {
@ -47,9 +52,10 @@ in {
groups.${cfg.group}.gid = config.users.users.${cfg.user}.uid;
};
networking.firewall.interfaces = let
ports = [ cfg.serverProperties.server-port cfg.serverProperties.server-portv6 ];
in mkIf cfg.enable {
local.allowedUDPPorts = ports;
peeps.allowedUDPPorts = ports;
};
ports = [cfg.serverProperties.server-port cfg.serverProperties.server-portv6];
in
mkIf cfg.enable {
local.allowedUDPPorts = ports;
peeps.allowedUDPPorts = ports;
};
}


@ -39,11 +39,13 @@ in {
gssd = {
preferred-realm = mkOptionDefault realm;
};
/*svcgssd = {
/*
svcgssd = {
#principal = system
#principal = nfs/idp.${domain}@${realm}
#principal = nfs/${config.networking.fqdn}@${realm}
};*/
};
*/
}
];
server = {
@ -60,16 +62,16 @@ in {
"anongid=${toString config.users.groups.${config.users.users.guest.group}.gid}"
];
sec = [
"sec=${concatStringsSep ":" [ "krb5i" "krb5" "krb5p" ]}"
"sec=${concatStringsSep ":" ["krb5i" "krb5" "krb5p"]}"
];
seclocal = [
"sec=${concatStringsSep ":" [ "krb5" ]}"
"sec=${concatStringsSep ":" ["krb5"]}"
];
secip = [
"sec=${concatStringsSep ":" [ "krb5i" "krb5p" ]}"
"sec=${concatStringsSep ":" ["krb5i" "krb5p"]}"
];
secanon = [
"sec=${concatStringsSep ":" [ "krb5i" "krb5" "krb5p" "sys" ]}"
"sec=${concatStringsSep ":" ["krb5i" "krb5" "krb5p" "sys"]}"
];
anon_ro = [
"sec=sys"
@ -93,7 +95,7 @@ in {
clients = {
trusted = {
machine = flagSets.trustedClients;
flags = flagSets.secip ++ [ "rw" ];
flags = flagSets.secip ++ ["rw"];
};
};
};
@ -107,9 +109,9 @@ in {
];
};
Translation.Method = mkForce (concatStringsSep "," (
[ "static" ]
["static"]
++ optional enableLdap "umich_ldap"
++ [ "nsswitch" ]
++ ["nsswitch"]
));
Static = {
};


@ -8,10 +8,15 @@
in {
networking.firewall.interfaces.local.allowedTCPPorts = let
inherit (cfg.ssl) preread;
in mkIf cfg.enable [
(if preread.enable then preread.serverPort else cfg.defaultSSLListenPort)
cfg.defaultHTTPListenPort
];
in
mkIf cfg.enable [
(
if preread.enable
then preread.serverPort
else cfg.defaultSSLListenPort
)
cfg.defaultHTTPListenPort
];
services.nginx = {
enable = true;


@ -1,4 +1,4 @@
{ lib, ... }: let
{lib, ...}: let
inherit (lib.modules) mkForce;
in {
config.users = {


@ -31,14 +31,15 @@ in {
sops.secrets = let
sopsFile = mkDefault ./secrets/openwebrx.yaml;
in mkIf cfg.enable {
openwebrx-users = {
inherit sopsFile;
owner = cfg.user;
group = cfg.group;
path = "${cfg.dataDir}/users.json";
in
mkIf cfg.enable {
openwebrx-users = {
inherit sopsFile;
owner = cfg.user;
group = cfg.group;
path = "${cfg.dataDir}/users.json";
};
};
};
networking.firewall = mkIf cfg.enable {
interfaces.lan.allowedTCPPorts = mkIf cfg.enable [


@ -29,12 +29,13 @@ in {
networkConfig.MulticastDNS = true;
};
networking.nameservers' = mkIf enableDns (mkBefore [
{ address = access.getAddressFor (access.systemForService "dnsmasq").name "lan"; }
{address = access.getAddressFor (access.systemForService "dnsmasq").name "lan";}
]);
# prioritize our resolver over systemd-resolved!
system.nssDatabases.hosts = let
avahiResolverEnabled = config.services.avahi.enable && (config.services.avahi.nssmdns4 || config.services.avahi.nssmdns4);
in mkIf (enableDns && (config.services.resolved.enable || avahiResolverEnabled)) (mkOrder 475 ["dns"]);
in
mkIf (enableDns && (config.services.resolved.enable || avahiResolverEnabled)) (mkOrder 475 ["dns"]);
services.resolved.extraConfig = mkIf enableDns ''
DNSStubListener=no
'';


@ -26,19 +26,22 @@ in {
proxmoxLXC.privileged = mkIf (proxmox.container.enable && proxmox.container.privileged) true;
systemd.network = mkIf proxmox.enabled (mkMerge (mapAttrsToList (_: interface: mkIf (interface.enable && interface.networkd.enable) {
networks.${interface.networkd.name} = unmerged.mergeAttrs interface.networkd.networkSettings;
}) proxmox.network.interfaces));
systemd.network = mkIf proxmox.enabled (mkMerge (mapAttrsToList (_: interface:
mkIf (interface.enable && interface.networkd.enable) {
networks.${interface.networkd.name} = unmerged.mergeAttrs interface.networkd.networkSettings;
})
proxmox.network.interfaces));
networking.firewall.interfaces.lan = let
inherit (proxmox.network) internal local;
conditions = coalesce [
(mapNullable (interface: [ "iifname ${interface.name}" ]) internal.interface)
(mapNullable (interface: ["iifname ${interface.name}"]) internal.interface)
(mapNullable (interface: config.networking.firewall.interfaces.local.nftables.conditions) local.interface)
];
in mkIf (conditions != null) {
nftables = {
inherit conditions;
in
mkIf (conditions != null) {
nftables = {
inherit conditions;
};
};
};
}


@ -61,59 +61,63 @@ in {
passdb.smbpasswd.path = mkIf (!cfg.ldap.enable || !cfg.ldap.passdb.enable) (
mkDefault config.sops.secrets.smbpasswd.path
);
settings = mkMerge [ {
"local master" = true;
"preferred master" = true;
"winbind offline logon" = true;
"winbind scan trusted domains" = false;
"winbind use default domain" = true;
"domain master" = true;
"server role" = "classic primary domain controller";
"domain logons" = true;
"remote announce" = [
"10.1.1.255/${cfg.domain.name}"
];
"additional dns hostnames" = mkMerge [
[
config.networking.fqdn
"smb.${domain}"
]
(mkIf system.network.networks.local.enable or false [
"smb.local.${domain}"
access.hostnameForNetwork.local
])
(mkIf system.network.networks.int.enable or false [
"smb.int.${domain}"
access.hostnameForNetwork.int
])
(mkIf config.services.tailscale.enable [
"smb.tail.${domain}"
access.hostnameForNetwork.tail
])
];
} (mkIf cfg.ldap.enable {
"ldapsam:trusted" = true;
"ldapsam:editposix" = false;
"ldap user suffix" = removeSuffix "," ldap.userDnSuffix;
"ldap group suffix" = removeSuffix "," ldap.groupDnSuffix;
"ldap machine suffix" = removeSuffix "," ldap.hostDnSuffix;
"ldap idmap suffix" = removeSuffix "," ldap.idViewDnSuffix;
"ldap server require strong auth" = "allow_sasl_over_tls";
# TODO: ldap delete dn?
# TODO: username map script?
}) (mkIf debugLogging {
"ldap debug level" = 1;
#"ldap debug threshold" = 3; # 4? 5?
logging = "systemd";
"log level" = [
"4"
#"passdb:8"
#"auth:8"
#"idmap:8"
#"winbind:6"
#"dns:8"
];
}) ];
settings = mkMerge [
{
"local master" = true;
"preferred master" = true;
"winbind offline logon" = true;
"winbind scan trusted domains" = false;
"winbind use default domain" = true;
"domain master" = true;
"server role" = "classic primary domain controller";
"domain logons" = true;
"remote announce" = [
"10.1.1.255/${cfg.domain.name}"
];
"additional dns hostnames" = mkMerge [
[
config.networking.fqdn
"smb.${domain}"
]
(mkIf system.network.networks.local.enable or false [
"smb.local.${domain}"
access.hostnameForNetwork.local
])
(mkIf system.network.networks.int.enable or false [
"smb.int.${domain}"
access.hostnameForNetwork.int
])
(mkIf config.services.tailscale.enable [
"smb.tail.${domain}"
access.hostnameForNetwork.tail
])
];
}
(mkIf cfg.ldap.enable {
"ldapsam:trusted" = true;
"ldapsam:editposix" = false;
"ldap user suffix" = removeSuffix "," ldap.userDnSuffix;
"ldap group suffix" = removeSuffix "," ldap.groupDnSuffix;
"ldap machine suffix" = removeSuffix "," ldap.hostDnSuffix;
"ldap idmap suffix" = removeSuffix "," ldap.idViewDnSuffix;
"ldap server require strong auth" = "allow_sasl_over_tls";
# TODO: ldap delete dn?
# TODO: username map script?
})
(mkIf debugLogging {
"ldap debug level" = 1;
#"ldap debug threshold" = 3; # 4? 5?
logging = "systemd";
"log level" = [
"4"
#"passdb:8"
#"auth:8"
#"idmap:8"
#"winbind:6"
#"dns:8"
];
})
];
idmap.domains = {
nss = mkIf (!cfg.ldap.enable || !cfg.ldap.idmap.enable) {
backend = "nss";


@ -1,7 +1,4 @@
{
inputs,
...
}: {
{inputs, ...}: {
imports = [
inputs.sops-nix.nixosModules.sops
];


@ -1,4 +1,10 @@
{ gensokyo-zone, access, config, lib, ... }: let
{
gensokyo-zone,
access,
config,
lib,
...
}: let
inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
inherit (lib.modules) mkIf mkBefore mkAfter mkDefault;
inherit (lib.lists) tail;
@ -11,12 +17,13 @@ in {
config = {
services.sssd = {
enable = (mkDefault true);
enable = mkDefault true;
gensokyo-zone = let
serviceFragment = service: service;
toService = service: hostname: let
segments = splitString "." hostname;
in concatStringsSep "." ([ (serviceFragment service) ] ++ tail segments);
in
concatStringsSep "." ([(serviceFragment service)] ++ tail segments);
toFreeipa = toService "freeipa";
tailName = access.getHostnameFor "hakurei" "tail";
mkServers = serviceName: let
@ -46,21 +53,23 @@ in {
bind.passwordFile = mkIf (cfg.gensokyo-zone.backend == "ldap") config.sops.secrets.gensokyo-zone-peep-passwords.path;
};
};
environmentFile = mkIf (cfg.gensokyo-zone.enable && cfg.gensokyo-zone.backend == "ldap") (mkAlmostOptionDefault
environmentFile = mkIf (cfg.gensokyo-zone.enable && cfg.gensokyo-zone.backend == "ldap") (
mkAlmostOptionDefault
config.sops.secrets.gensokyo-zone-sssd-passwords.path
);
};
sops.secrets = let
sopsFile = mkDefault ./secrets/krb5.yaml;
in mkIf (cfg.enable && cfg.gensokyo-zone.enable) {
gensokyo-zone-krb5-peep-password = mkIf (cfg.gensokyo-zone.enable && cfg.gensokyo-zone.backend == "ldap") {
inherit sopsFile;
in
mkIf (cfg.enable && cfg.gensokyo-zone.enable) {
gensokyo-zone-krb5-peep-password = mkIf (cfg.gensokyo-zone.enable && cfg.gensokyo-zone.backend == "ldap") {
inherit sopsFile;
};
# TODO: this shouldn't be needed, module is incomplete :(
gensokyo-zone-sssd-passwords = mkIf (cfg.gensokyo-zone.enable && cfg.gensokyo-zone.backend == "ldap") {
inherit sopsFile;
};
};
# TODO: this shouldn't be needed, module is incomplete :(
gensokyo-zone-sssd-passwords = mkIf (cfg.gensokyo-zone.enable && cfg.gensokyo-zone.backend == "ldap") {
inherit sopsFile;
};
};
};
}


@ -8,7 +8,7 @@
inherit (lib.modules) mkIf mkDefault;
cfg = config.services.systemd2mqtt;
in {
imports = [ inputs.systemd2mqtt.nixosModules.default ];
imports = [inputs.systemd2mqtt.nixosModules.default];
services.systemd2mqtt = {
enable = mkDefault true;
@ -17,7 +17,11 @@ in {
url = mkDefault (
if config.services.mosquitto.enable
then "tcp://localhost:1883"
else access.proxyUrlFor { serviceName = "mosquitto"; scheme = "tcp"; }
else
access.proxyUrlFor {
serviceName = "mosquitto";
scheme = "tcp";
}
);
username = mkDefault "systemd";
};


@ -20,13 +20,18 @@ in {
rev = "r${version}";
sha256 = "sha256-lVRTrEnwuyKETFL1C8bVqBfrDaYrbQIdmHN42CF8ZIw=";
};
sconsFlags = old.sconsFlags ++ [
"MONGO_VERSION=${version}"
];
sconsFlags =
old.sconsFlags
++ [
"MONGO_VERSION=${version}"
];
});
isUpdated = lib.versionAtLeast pkgs.mongodb-5_0.version mongodb-5_0_26.version;
message = "mongodb 5.0 updated in upstream nixpkgs, override no longer needed";
in if !isUpdated then mongodb-5_0_26 else lib.warn message pkgs.mongodb-5_0;
in
if !isUpdated
then mongodb-5_0_26
else lib.warn message pkgs.mongodb-5_0;
};
networking.firewall = mkIf cfg.enable {


@ -1,4 +1,8 @@
{config, options, ...}: {
{
config,
options,
...
}: {
config.users = {
users.connieallure = {name, ...}: {
uid = 8003;
@ -15,7 +19,11 @@
gid = config.users.users.${name}.uid;
};
};
config.${if options ? networking.firewall then "networking" else null} = {
config.${
if options ? networking.firewall
then "networking"
else null
} = {
access.peeps.ranges.connieallure = "2604:3d00::/28";
};
}


@ -11,21 +11,23 @@
service = "wake-chen";
in {
systemd.services.${service} = {
path = [ pkgs.wol ];
path = [pkgs.wol];
script = ''
exec wol ${chen.network.networks.local.macAddress}
'';
environment = mapOptionDefaults {
WOL_MAC_ADDRESS = chen.network.networks.local.macAddress;
};
serviceConfig = mapOptionDefaults {
Type = "oneshot";
RemainAfterExit = false;
} // {
ExecStart = [
"${getExe pkgs.wol} $WOL_MAC_ADDRESS"
];
};
serviceConfig =
mapOptionDefaults {
Type = "oneshot";
RemainAfterExit = false;
}
// {
ExecStart = [
"${getExe pkgs.wol} $WOL_MAC_ADDRESS"
];
};
};
services.systemd2mqtt.units = [ "${service}.service" ];
services.systemd2mqtt.units = ["${service}.service"];
}


@ -27,10 +27,15 @@ in {
user = "z2m";
password = "!secret z2m_pass";
server = let
url = access.proxyUrlFor { serviceName = "mosquitto"; scheme = "mqtt"; getAddressFor = "getAddress4For"; };
in mkIf (!config.services.mosquitto.enable) (
mkAlmostDefault url
);
url = access.proxyUrlFor {
serviceName = "mosquitto";
scheme = "mqtt";
getAddressFor = "getAddress4For";
};
in
mkIf (!config.services.mosquitto.enable) (
mkAlmostDefault url
);
};
homeassistant = true;
permit_join = false;