From e63304937da67346471ed0b6575b9d8a876c10ba Mon Sep 17 00:00:00 2001 
From: Kat Inskip Date: Wed, 13 Mar 2024 15:08:42 -0700 Subject: [PATCH] style: alejandra $(fd -e nix) --- .gitignore | 1 + ci/flake-cron.nix | 4 +- docs/derivation.nix | 44 ++--- generate.nix | 9 +- modules/nixos/access.nix | 38 +++-- modules/nixos/cloudflared.nix | 103 +++++++----- modules/nixos/github-runner.nix | 12 +- modules/nixos/home-assistant.nix | 177 +++++++++++--------- modules/nixos/jackett.nix | 5 +- modules/nixos/kanidm.nix | 5 +- modules/nixos/lidarr.nix | 5 +- modules/nixos/mediatomb.nix | 27 ++- modules/nixos/mosquitto.nix | 11 +- modules/nixos/network/namespace.nix | 156 +++++++++++------- modules/nixos/network/networks.nix | 18 +- modules/nixos/nftables.nix | 65 +++++--- modules/nixos/nginx/local.nix | 31 ++-- modules/nixos/nginx/vouch.nix | 49 +++--- modules/nixos/nginx/websocket.nix | 11 +- modules/nixos/plex.nix | 5 +- modules/nixos/policyrouting.nix | 38 +++-- modules/nixos/postgres.nix | 45 +++-- modules/nixos/prowlarr.nix | 5 +- modules/nixos/radarr.nix | 5 +- modules/nixos/readarr.nix | 5 +- modules/nixos/samba.nix | 90 +++++----- modules/nixos/sonarr.nix | 5 +- modules/nixos/steam/account-switch.nix | 53 +++--- modules/nixos/steam/beatsaber.nix | 219 ++++++++++++++----------- modules/nixos/tmpfiles.nix | 58 ++++--- modules/nixos/users.nix | 29 ++-- modules/nixos/vouch.nix | 109 ++++++------ nixos/access/freeipa.nix | 37 +++-- nixos/access/freepbx.nix | 78 +++++---- nixos/access/global.nix | 5 +- nixos/access/invidious.nix | 18 +- nixos/access/kanidm.nix | 3 +- nixos/access/kitchencam.nix | 70 ++++---- nixos/access/ldap.nix | 56 ++++--- nixos/access/plex.nix | 10 +- nixos/access/proxmox.nix | 47 +++--- nixos/access/unifi.nix | 26 +-- nixos/access/vouch.nix | 29 ++-- nixos/access/zigbee2mqtt.nix | 5 +- nixos/acme.nix | 43 +++-- nixos/avahi.nix | 35 ++-- nixos/base/access.nix | 13 +- nixos/base/documentation.nix | 2 +- nixos/base/kitty.nix | 8 +- nixos/base/nix.nix | 19 ++- nixos/base/nixpkgs.nix | 5 +- nixos/base/packages.nix | 23 ++- 
nixos/base/shell.nix | 4 +- nixos/base/ssh.nix | 2 +- nixos/base/time.nix | 2 +- nixos/base/urxvt.nix | 4 +- nixos/bazarr.nix | 7 +- nixos/ddclient.nix | 24 +-- nixos/deluge.nix | 34 ++-- nixos/github-runner/zone.nix | 37 +++-- nixos/home-assistant.nix | 24 +-- nixos/invidious.nix | 11 +- nixos/kyuuto/mount.nix | 61 ++++--- nixos/kyuuto/nfs.nix | 1 - nixos/kyuuto/opl.nix | 41 +++-- nixos/kyuuto/samba.nix | 31 ++-- nixos/lidarr.nix | 2 +- nixos/mediatomb.nix | 2 +- nixos/nfs.nix | 4 +- nixos/ombi.nix | 5 +- nixos/plex.nix | 14 +- nixos/postgres.nix | 7 +- nixos/radarr.nix | 2 +- nixos/readarr.nix | 2 +- nixos/reisen-ct/filesystem.nix | 5 +- nixos/samba.nix | 4 +- nixos/secrets/postgres.yaml | 6 +- nixos/sonarr.nix | 2 +- nixos/sops.nix | 9 +- nixos/steam/account-switch.nix | 5 +- nixos/steam/beatsaber.nix | 9 +- nixos/syncthing-kat/syncthing.nix | 2 +- nixos/systemd2mqtt.nix | 3 +- nixos/tautulli.nix | 6 +- nixos/users/arc.nix | 14 +- nixos/users/connie.nix | 11 +- nixos/users/kaosu.nix | 14 +- nixos/users/kat.nix | 16 +- overlays/default.nix | 26 +-- packages/default.nix | 53 +++--- packages/snakeoil.nix | 49 +++--- 91 files changed, 1422 insertions(+), 1102 deletions(-) diff --git a/.gitignore b/.gitignore index 0643002d..5464dce4 100644 --- a/.gitignore +++ b/.gitignore @@ -6,3 +6,4 @@ .terraform .DS_Store .envrc.conf +.idea diff --git a/ci/flake-cron.nix b/ci/flake-cron.nix index cd667dd2..bf040802 100644 --- a/ci/flake-cron.nix +++ b/ci/flake-cron.nix @@ -45,7 +45,7 @@ in { cron = "0 0 * * *"; } ]; - workflow_dispatch = { }; + workflow_dispatch = {}; }; }; 
@@ -65,7 +65,7 @@ in { displayName = "flake update build"; environment = ["CACHIX_SIGNING_KEY" "GITHUB_REF"]; command = let - filteredHosts = [ "hakurei" "reimu" "aya" "tei" "litterbox" "mediabox" ]; + filteredHosts = ["hakurei" "reimu" "aya" "tei" "litterbox" "mediabox"]; gcBetweenHosts = false; nodeBuildString = concatMapStringsSep " && " (node: "nix build --show-trace -Lf . nixosConfigurations.${node}.config.system.build.toplevel -o result-${node}" + optionalString gcBetweenHosts " && nix-collect-garbage -d") filteredHosts; hostPath = builtins.getEnv "PATH"; diff --git a/docs/derivation.nix b/docs/derivation.nix index 228bb6c6..b4e5d7ae 100644 --- a/docs/derivation.nix +++ b/docs/derivation.nix @@ -12,26 +12,28 @@ (hasSuffix ".adoc" path || baseNameOf path == "docinfo.html") || type == "directory"; }; -in stdenvNoCC.mkDerivation { - pname = "genso-docs"; - version = "dev"; - inherit src; +in + stdenvNoCC.mkDerivation { + pname = "genso-docs"; + version = "dev"; + inherit src; - ASCIIDOCTOR_OPTS = [ - "-a" "docinfo=shared" - ]; + ASCIIDOCTOR_OPTS = [ + "-a" + "docinfo=shared" + ]; - nativeBuildInputs = [ asciidoctor ]; - passAsFile = [ "buildCommand" ]; - buildCommand = '' - install -d "$out" - ASCIIDOCTOR_SRCS=( - $(find "$src" -type f -name '*.adoc' -not -path "$src/inc/*") - ) - asciidoctor \ - $ASCIIDOCTOR_OPTS \ - -a docinfodir="$src/" \ - -a inc="$src/_inc/" \ - -b html -R "$src" -D "$out" "''${ASCIIDOCTOR_SRCS[@]}" - ''; -} + nativeBuildInputs = [asciidoctor]; + passAsFile = ["buildCommand"]; + buildCommand = '' + install -d "$out" + ASCIIDOCTOR_SRCS=( + $(find "$src" -type f -name '*.adoc' -not -path "$src/inc/*") + ) + asciidoctor \ + $ASCIIDOCTOR_OPTS \ + -a docinfodir="$src/" \ + -a inc="$src/_inc/" \ + -b html -R "$src" -D "$out" "''${ASCIIDOCTOR_SRCS[@]}" + ''; + } diff --git a/generate.nix b/generate.nix index 0a49151b..d77c0139 100644 --- a/generate.nix +++ b/generate.nix 
@@ -10,16 +10,15 @@ templateUsers = filterAttrs (_: userIs "peeps") templateSystem.config.users.users; mkNodeUsers = users: let nodeUsers = mapAttrsToList (_: mkNodeUser) templateUsers; - in sortOn (user: user.uid) nodeUsers; + in + sortOn (user: user.uid) nodeUsers; mkNodeUser = user: { inherit (user) name uid; authorizedKeys = user.openssh.authorizedKeys.keys; }; - mkNode = { - name, - }: { + mkNode = {name}: { users = mkNodeUsers templateUsers; }; in { - reisen = mkNode { name = "reisen"; }; + reisen = mkNode {name = "reisen";}; } diff --git a/modules/nixos/access.nix b/modules/nixos/access.nix index c107080d..94580951 100644 --- a/modules/nixos/access.nix +++ b/modules/nixos/access.nix @@ -11,7 +11,7 @@ inherit (config.services) tailscale; inherit (config) networking; cfg = config.networking.access; - cidrModule = { config, ... }: { + cidrModule = {config, ...}: { options = with lib.types; { all = mkOption { type = listOf str; @@ -19,11 +19,11 @@ }; v4 = mkOption { type = listOf str; - default = [ ]; + default = []; }; v6 = mkOption { type = listOf str; - default = [ ]; + default = []; }; }; config.all = mkOptionDefault ( @@ -35,12 +35,14 @@ in { options.networking.access = with lib.types; { cidrForNetwork = mkOption { type = attrsOf (submodule cidrModule); - default = { }; + default = {}; }; localaddrs = { - enable = mkEnableOption "localaddrs" // { - default = networking.firewall.interfaces.local.nftables.enable; - }; + enable = + mkEnableOption "localaddrs" + // { + default = networking.firewall.interfaces.local.nftables.enable; + }; stateDir = mkOption { type = path; default = "/var/lib/localaddrs"; 
@@ -87,10 +89,11 @@ in { }; localaddrs = { nftablesInclude = mkBefore ('' - define localrange6 = 2001:568::/29 - '' + optionalString cfg.localaddrs.enable '' - include "${cfg.localaddrs.stateDir}/*.nft" - ''); + define localrange6 = 2001:568::/29 + '' + + optionalString cfg.localaddrs.enable '' + include "${cfg.localaddrs.stateDir}/*.nft" + ''); reloadScript = let localaddrs-reload = pkgs.writeShellScript "localaddrs-reload" '' ${config.systemd.package}/bin/systemctl reload localaddrs 2>/dev/null || @@ -101,7 +104,7 @@ in { }; moduleArgAttrs = { inherit (cfg) cidrForNetwork localaddrs; - mkSnakeOil = pkgs.callPackage ../../packages/snakeoil.nix { }; + mkSnakeOil = pkgs.callPackage ../../packages/snakeoil.nix {}; }; }; @@ -111,7 +114,8 @@ in { interfaces.local = { nftables.conditions = [ "ip saddr { ${concatStringsSep ", " cfg.cidrForNetwork.local.v4} }" - (mkIf networking.enableIPv6 + ( + mkIf networking.enableIPv6 "ip6 saddr { $localrange6, ${concatStringsSep ", " cfg.cidrForNetwork.local.v6} }" ) ]; @@ -169,12 +173,12 @@ in { in { localaddrs = mkIf cfg.localaddrs.enable { unitConfig = { - After = [ "network-online.target" ]; + After = ["network-online.target"]; }; serviceConfig = rec { StateDirectory = "localaddrs"; ExecStart = mkMerge [ - [ "${localaddrs}" ] + ["${localaddrs}"] (mkIf networking.nftables.enable (mkAfter [ "${localaddrs-nftables}" ])) @@ -188,7 +192,7 @@ in { }; }; nftables = mkIf (networking.nftables.enable && cfg.localaddrs.enable) rec { - wants = [ "localaddrs.service" ]; + wants = ["localaddrs.service"]; serviceConfig = { ExecReload = mkBefore [ "+${cfg.localaddrs.reloadScript}" @@ -196,7 +200,7 @@ in { }; }; nginx = mkIf (config.services.nginx.enable && cfg.localaddrs.enable) rec { - wants = [ "localaddrs.service" ]; + wants = ["localaddrs.service"]; after = wants; serviceConfig = { ExecReload = mkBefore [ diff --git a/modules/nixos/cloudflared.nix b/modules/nixos/cloudflared.nix index ca5cefab..350676a0 100644 
--- a/modules/nixos/cloudflared.nix
+++ b/modules/nixos/cloudflared.nix
@@ -1,64 +1,79 @@ -{ pkgs, config, utils, lib, ... }: let +{ + pkgs, + config, + utils, + lib, + ... +}: let inherit (lib.attrsets) mapAttrsToList mapAttrs' nameValuePair filterAttrsRecursive; inherit (lib.lists) singleton; inherit (lib.modules) mkIf mkMerge mkForce; inherit (lib.options) mkOption mkEnableOption; cfg = config.services.cloudflared; - settingsFormat = pkgs.formats.json { }; + settingsFormat = pkgs.formats.json {}; in { options.services.cloudflared = with lib.types; { tunnels = let - tunnelModule = { config, ... }: { + tunnelModule = {config, ...}: { options = { extraTunnel = { - enable = mkEnableOption "extra tunnels" // { - default = config.extraTunnel.ingress != { }; - }; + enable = + mkEnableOption "extra tunnels" + // { + default = config.extraTunnel.ingress != {}; + }; ingress = mkOption { inherit (settingsFormat) type; - default = { }; + default = {}; }; }; }; }; - in mkOption { - type = attrsOf (submodule tunnelModule); - }; + in + mkOption { + type = attrsOf (submodule tunnelModule); + }; }; config.systemd.services = let - filterConfig = filterAttrsRecursive (_: v: ! builtins.elem v [ null [ ] { } ]); - mapIngress = hostname: ingress: { - inherit hostname; - } // filterConfig (filterConfig ingress); - in mkIf cfg.enable (mapAttrs' (uuid: tunnel: let - RuntimeDirectory = "cloudflared-tunnel-${uuid}"; - configPath = "/run/${RuntimeDirectory}/config.yml"; - settings = { - tunnel = uuid; - credentials-file = tunnel.credentialsFile; - ingress = mapAttrsToList mapIngress tunnel.ingress - ++ mapAttrsToList mapIngress tunnel.extraTunnel.ingress - ++ singleton { service = tunnel.default; }; - }; - in nameValuePair "cloudflared-tunnel-${uuid}" (mkMerge [ - { - after = mkIf config.services.tailscale.enable [ "tailscale-autoconnect.service" ]; - serviceConfig = { - RestartSec = 10; + filterConfig = filterAttrsRecursive (_: v: ! 
builtins.elem v [null [] {}]); + mapIngress = hostname: ingress: + { + inherit hostname; + } + // filterConfig (filterConfig ingress); + in + mkIf cfg.enable (mapAttrs' (uuid: tunnel: let + RuntimeDirectory = "cloudflared-tunnel-${uuid}"; + configPath = "/run/${RuntimeDirectory}/config.yml"; + settings = { + tunnel = uuid; + credentials-file = tunnel.credentialsFile; + ingress = + mapAttrsToList mapIngress tunnel.ingress + ++ mapAttrsToList mapIngress tunnel.extraTunnel.ingress + ++ singleton {service = tunnel.default;}; }; - } - (mkIf tunnel.extraTunnel.enable { - serviceConfig = { - inherit RuntimeDirectory; - ExecStart = mkForce [ - "${cfg.package}/bin/cloudflared tunnel --config=${configPath} --no-autoupdate run" - ]; - ExecStartPre = [ - (pkgs.writeShellScript "cloudflared-tunnel-${uuid}-prepare" '' - ${utils.genJqSecretsReplacementSnippet settings configPath} - '') - ]; - }; - }) - ])) cfg.tunnels); + in + nameValuePair "cloudflared-tunnel-${uuid}" (mkMerge [ + { + after = mkIf config.services.tailscale.enable ["tailscale-autoconnect.service"]; + serviceConfig = { + RestartSec = 10; + }; + } + (mkIf tunnel.extraTunnel.enable { + serviceConfig = { + inherit RuntimeDirectory; + ExecStart = mkForce [ + "${cfg.package}/bin/cloudflared tunnel --config=${configPath} --no-autoupdate run" + ]; + ExecStartPre = [ + (pkgs.writeShellScript "cloudflared-tunnel-${uuid}-prepare" '' + ${utils.genJqSecretsReplacementSnippet settings configPath} + '') + ]; + }; + }) + ])) + cfg.tunnels); } diff --git a/modules/nixos/github-runner.nix b/modules/nixos/github-runner.nix index 7f466026..6b17ce17 100644 --- a/modules/nixos/github-runner.nix +++ b/modules/nixos/github-runner.nix @@ -11,7 +11,7 @@ cfg = config.services.github-runners; nixosConfig = config; enabledRunners = filterAttrs (_: runner: runner.enable) cfg; - runnerModule = { config, ... }: { + runnerModule = {config, ...}: { options = with lib.types; { networkNamespace.name = mkOption { type = nullOr str; 
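Review bot: The rendered tunnel config is written into the service's RuntimeDirectory with no mode restriction, and `utils.genJqSecretsReplacementSnippet` exists precisely to splice `_secret` file contents into that rendering; if any `ingress` or `extraTunnel.ingress` entry uses that form, the secret ends up in `config.yml` under the systemd default `RuntimeDirectoryMode` of 0755 and whatever umask the service runs with. Next to `inherit RuntimeDirectory;` add `RuntimeDirectoryMode = "0700";` (and `UMask = "0077";` if the file itself must not be group/world readable) so only the service user can read the rendered file. Whether any current tunnel actually carries a `_secret` entry is not visible from this hunk, so treat this as a hardening default rather than a confirmed leak.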
@@ -19,7 +19,7 @@ }; serviceSettings = mkOption { type = unmerged.type; - default = { }; + default = {}; }; }; config = { @@ -58,8 +58,10 @@ in { }; }; config = { - systemd.services = mapAttrs' (name: runner: nameValuePair "github-runner-${name}" ( - unmerged.merge runner.serviceSettings - )) enabledRunners; + systemd.services = mapAttrs' (name: runner: + nameValuePair "github-runner-${name}" ( + unmerged.merge runner.serviceSettings + )) + enabledRunners; }; } diff --git a/modules/nixos/home-assistant.nix b/modules/nixos/home-assistant.nix index 8c959441..9d9c47ba 100644 --- a/modules/nixos/home-assistant.nix +++ b/modules/nixos/home-assistant.nix 
@@ -17,29 +17,43 @@ in { default = config.networking.domain; }; homekit = { - enable = mkEnableOption "homekit" // { - default = cfg.config.homekit or [ ] != [ ]; + enable = + mkEnableOption "homekit" + // { + default = cfg.config.homekit or [] != []; + }; + openFirewall = + mkEnableOption "homekit ports" + // { + default = cfg.openFirewall; + }; + }; + googleAssistant.enable = + mkEnableOption "Google Assistant" + // { + default = cfg.config.google_assistant or {} != {}; }; - openFirewall = mkEnableOption "homekit ports" // { - default = cfg.openFirewall; + androidTv.enable = + mkEnableOption "Android TV" + // { + default = elem "androidtv" cfg.extraComponents; + }; + brother.enable = + mkEnableOption "brother" + // { + default = elem "brother" cfg.extraComponents; }; - }; - googleAssistant.enable = mkEnableOption "Google Assistant" // { - default = cfg.config.google_assistant or { } != { }; - }; - androidTv.enable = mkEnableOption "Android TV" // { - default = elem "androidtv" cfg.extraComponents; - }; - brother.enable = mkEnableOption "brother" // { - default = elem "brother" cfg.extraComponents; - }; cast = { - enable = mkEnableOption "Chromecast" // { - default = elem "cast" cfg.extraComponents; - }; - openFirewall = mkEnableOption "Chromecast ports" // { - default = cfg.openFirewall; - }; + enable = + mkEnableOption "Chromecast" + // { + default = elem "cast" cfg.extraComponents; + }; + openFirewall = + mkEnableOption "Chromecast ports" + // { + default = cfg.openFirewall; + }; }; finalPackage = mkOption { type = types.path; @@ -50,7 +64,7 @@ in { config = { networking.firewall = let homekitTcp = mkIf cfg.homekit.enable ( - map ({ port, ... }: port) cfg.config.homekit or [ ] + map ({port, ...}: port) cfg.config.homekit or [] ); castUdpRanges = mkIf cfg.cast.enable [ 
@@ -59,21 +73,23 @@ in { to = 60999; } ]; - in mkIf cfg.enable { - interfaces.local = { - allowedTCPPorts = mkIf (!cfg.homekit.openFirewall) homekitTcp; - allowedUDPPortRanges = mkIf (!cfg.cast.openFirewall) castUdpRanges; + in + mkIf cfg.enable { + interfaces.local = { + allowedTCPPorts = mkIf (!cfg.homekit.openFirewall) homekitTcp; + allowedUDPPortRanges = mkIf (!cfg.cast.openFirewall) castUdpRanges; + }; + allowedTCPPorts = mkIf cfg.homekit.openFirewall homekitTcp; + allowedUDPPortRanges = mkIf cfg.cast.openFirewall castUdpRanges; }; - allowedTCPPorts = mkIf cfg.homekit.openFirewall homekitTcp; - allowedUDPPortRanges = mkIf cfg.cast.openFirewall castUdpRanges; - }; # MDNS services.avahi = mkIf (cfg.enable && cfg.homekit.enable) { enable = mkDefault true; publish.enable = let - homekitNames = map (homekit: toLower homekit.name) cfg.config.homekit or [ ]; - in mkIf (elem config.networking.hostName homekitNames) false; + homekitNames = map (homekit: toLower homekit.name) cfg.config.homekit or []; + in + mkIf (elem config.networking.hostName homekitNames) false; }; systemd.services.home-assistant = mkIf (cfg.enable && cfg.mutableUiConfig) { @@ -101,12 +117,13 @@ in { use_x_forwarded_for = "true"; trusted_proxies = let inherit (config.networking.access) cidrForNetwork; - in cidrForNetwork.loopback.all - ++ cidrForNetwork.local.all - ++ optionals config.services.tailscale.enable cidrForNetwork.tail.all - ++ [ - "200::/7" - ]; + in + cidrForNetwork.loopback.all + ++ cidrForNetwork.local.all + ++ optionals config.services.tailscale.enable cidrForNetwork.tail.all + ++ [ + "200::/7" + ]; }; recorder = { db_url = mkIf config.services.postgresql.enable (mkDefault "postgresql://@/hass"); 
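Review bot: The literal `"200::/7"` appended to `trusted_proxies` in the @@ -101 hunk is the only entry not derived from `cidrForNetwork`, and it carries no comment saying which network it stands for; with `use_x_forwarded_for = "true"` a few lines up, every address in that prefix may assert the client IP that Home Assistant's login protection and logs see, so the intent deserves to be written down. A comment such as `# <NETWORK-NAME placeholder>: hosts in this range may set X-Forwarded-For` would do, or better, register the range as its own `cidrForNetwork.<name>` entry and append `cidrForNetwork.<name>.all` like the other three so the proxy list has a single source of truth. If the prefix belongs to an overlay network the host joins, gating it behind that service's enable flag, as is done for `tailscale`, would keep it from being trusted on hosts that never reach it.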
@@ -157,61 +174,75 @@ in { package = let inherit (cfg.package) python; # https://github.com/pysnmp/pysnmp/issues/51 - needsPyasn1pin = if lib.versionOlder python.pkgs.pysnmplib.version "6.0" + needsPyasn1pin = + if lib.versionOlder python.pkgs.pysnmplib.version "6.0" then true else lib.warn "pyasn1 pin likely no longer needed" false; pyasn1prefix = "${python.pkgs.pysnmp-pyasn1}/${python.sitePackages}"; home-assistant = pkgs.home-assistant.override { packageOverrides = self: super: { brother = super.brother.overridePythonAttrs (old: { - dontCheckRuntimeDeps = if old.dontCheckRuntimeDeps or false + dontCheckRuntimeDeps = + if old.dontCheckRuntimeDeps or false then lib.warn "brother override no longer needed" true else true; }); mpd2 = super.mpd2.overridePythonAttrs (old: { - patches = old.patches or [ ] ++ [ - ../../packages/mpd2-skip-flaky-test.patch - ]; - disabledTests = unique (old.disabledTests or [ ] ++ [ - "test_idle_timeout" - ]); + patches = + old.patches + or [] + ++ [ + ../../packages/mpd2-skip-flaky-test.patch + ]; + disabledTests = unique (old.disabledTests + or [] + ++ [ + "test_idle_timeout" + ]); }); }; }; - in home-assistant.overrideAttrs (old: { - makeWrapperArgs = old.makeWrapperArgs ++ optional (cfg.brother.enable && needsPyasn1pin) "--prefix PYTHONPATH : ${pyasn1prefix}"; - disabledTests = unique (old.disabledTests or [ ] ++ [ - "test_check_config" - ]); - }); + in + home-assistant.overrideAttrs (old: { + makeWrapperArgs = old.makeWrapperArgs ++ optional (cfg.brother.enable && needsPyasn1pin) "--prefix PYTHONPATH : ${pyasn1prefix}"; + disabledTests = unique (old.disabledTests + or [] + ++ [ + "test_check_config" + ]); + }); finalPackage = let inherit (lib.strings) hasSuffix removeSuffix splitString; inherit (lib.lists) head; inherit (lib.attrsets) attrNames filterAttrs; inherit (config.systemd.services.home-assistant.serviceConfig) ExecStart; - isHassDrv = drv: context: hasSuffix "-${cfg.package.name}.drv" drv && context.outputs or [ ] == [ "out" 
]; + isHassDrv = drv: context: hasSuffix "-${cfg.package.name}.drv" drv && context.outputs or [] == ["out"]; drvs = filterAttrs isHassDrv (builtins.getContext ExecStart); isImpure = builtins ? currentSystem; - in mkIf cfg.enable (mkOptionDefault ( - if isImpure then import (head (attrNames drvs)) - else removeSuffix "/bin/hass" (head (splitString " " ExecStart)) - )); - extraPackages = python3Packages: with python3Packages; mkMerge [ - [ - psycopg2 - securetar - getmac # for upnp integration - python-otbr-api - (aiogithubapi.overrideAttrs (_: {doInstallCheck = false;})) - ] - (mkIf cfg.homekit.enable [ - aiohomekit - ]) - (mkIf cfg.androidTv.enable [ - adb-shell - androidtvremote2 - ]) - ]; + in + mkIf cfg.enable (mkOptionDefault ( + if isImpure + then import (head (attrNames drvs)) + else removeSuffix "/bin/hass" (head (splitString " " ExecStart)) + )); + extraPackages = python3Packages: + with python3Packages; + mkMerge [ + [ + psycopg2 + securetar + getmac # for upnp integration + python-otbr-api + (aiogithubapi.overrideAttrs (_: {doInstallCheck = false;})) + ] + (mkIf cfg.homekit.enable [ + aiohomekit + ]) + (mkIf cfg.androidTv.enable [ + adb-shell + androidtvremote2 + ]) + ]; extraComponents = mkMerge [ [ "automation" @@ -232,8 +263,8 @@ in { "google_assistant" "google_cloud" ]) - (map ({ platform, ... }: platform) cfg.config.media_player or [ ]) - (map ({ platform, ... }: platform) cfg.config.tts or [ ]) + (map ({platform, ...}: platform) cfg.config.media_player or []) + (map ({platform, ...}: platform) cfg.config.tts or []) ]; }; } diff --git a/modules/nixos/jackett.nix b/modules/nixos/jackett.nix index c9bad731..ffa891b8 100644 --- a/modules/nixos/jackett.nix +++ b/modules/nixos/jackett.nix @@ -1,7 +1,4 @@ -{ - lib, - ... -}: let +{lib, ...}: let inherit (lib.options) mkOption; in { options.services.jackett = with lib.types; { diff --git a/modules/nixos/kanidm.nix b/modules/nixos/kanidm.nix index c86506f8..e379f715 100644 --- a/modules/nixos/kanidm.nix 
+++ b/modules/nixos/kanidm.nix @@ -60,13 +60,14 @@ in { services.kanidm = { server.unencrypted = { - domain = mkBefore [ cfg.server.frontend.domain ]; + domain = mkBefore [cfg.server.frontend.domain]; package = let cert = mkSnakeOil { name = "kanidm-cert"; inherit (cfg.server.unencrypted) domain; }; - in mkOptionDefault cert; + in + mkOptionDefault cert; }; clientSettings = mkIf cfg.enableServer { uri = mkDefault cfg.serverSettings.origin; diff --git a/modules/nixos/lidarr.nix b/modules/nixos/lidarr.nix index 3ad8f5ec..8e758cab 100644 --- a/modules/nixos/lidarr.nix +++ b/modules/nixos/lidarr.nix @@ -1,7 +1,4 @@ -{ - lib, - ... -}: let +{lib, ...}: let inherit (lib.options) mkOption; in { options.services.lidarr = with lib.types; { diff --git a/modules/nixos/mediatomb.nix b/modules/nixos/mediatomb.nix index 0e562cff..3e66f973 100644 --- a/modules/nixos/mediatomb.nix +++ b/modules/nixos/mediatomb.nix @@ -8,7 +8,7 @@ inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault; inherit (lib.lists) singleton; cfg = config.services.mediatomb; - mediaDirModule = { config, ... }: { + mediaDirModule = {config, ...}: { options = with lib.types; { mountPoint = mkOption { type = nullOr str; @@ -26,16 +26,23 @@ paths = let paths = map (path: "${config.path}/${path}") config.subdirectories; path = singleton config.path; - in mkOptionDefault (if config.subdirectories != null then paths else path); + in + mkOptionDefault ( + if config.subdirectories != null + then paths + else path + ); recursive = mkDefault true; hidden-files = mkDefault false; }; }; in { options.services.mediatomb = with lib.types; { - confine = mkEnableOption "containment" // { - default = true; - }; + confine = + mkEnableOption "containment" + // { + default = true; + }; mediaDirectories = mkOption { type = listOf (submodule mediaDirModule); }; 
@@ -47,9 +54,13 @@ in { }; config.systemd.services.mediatomb = mkIf cfg.enable { confinement.enable = mkIf cfg.confine (mkDefault true); - bindsTo = map (dir: mkIf (dir.mountPoint != null) - "${utils.escapeSystemdPath dir.mountPoint}.mount" - ) cfg.mediaDirectories; + bindsTo = + map ( + dir: + mkIf (dir.mountPoint != null) + "${utils.escapeSystemdPath dir.mountPoint}.mount" + ) + cfg.mediaDirectories; unitConfig.RequiresMountsFor = mkMerge ( map (dir: dir.paths) cfg.mediaDirectories ); diff --git a/modules/nixos/mosquitto.nix b/modules/nixos/mosquitto.nix index ccc86cc3..167cf10e 100644 --- a/modules/nixos/mosquitto.nix +++ b/modules/nixos/mosquitto.nix @@ -8,18 +8,19 @@ in { options.services.mosquitto = with lib.types; { listeners = let - listenerModule = { ... }: { + listenerModule = {...}: { options = { openFirewall = mkEnableOption "firewall"; }; }; - in mkOption { - type = listOf (submodule listenerModule); - }; + in + mkOption { + type = listOf (submodule listenerModule); + }; }; config = { networking.firewall.allowedTCPPorts = mkIf cfg.enable (mkMerge ( - map (listener: mkIf listener.openFirewall [ listener.port ]) cfg.listeners + map (listener: mkIf listener.openFirewall [listener.port]) cfg.listeners )); }; } diff --git a/modules/nixos/network/namespace.nix b/modules/nixos/network/namespace.nix index 35d245d8..e446158c 100644 --- a/modules/nixos/network/namespace.nix +++ b/modules/nixos/network/namespace.nix @@ -19,7 +19,12 @@ enabledNamespaces = filter (ns: ns.enable) (attrValues networking.namespaces); ip = "${pkgs.iproute2}/bin/ip"; ip-n = namespace: "${ip} -n ${escapeShellArg namespace.name}"; - namespaceInterfaceModule = { config, namespace, name, ... }: { + namespaceInterfaceModule = { + config, + namespace, + name, + ... + }: { options = with lib.types; { name = mkOption { type = str; 
@@ -41,8 +46,8 @@ }; config = { serviceSettings = rec { - bindsTo = [ "${namespace.unitName}.service" ]; - partOf = [ "${namespace.unitName}.target" ]; + bindsTo = ["${namespace.unitName}.service"]; + partOf = ["${namespace.unitName}.target"]; after = bindsTo; stopIfChanged = false; restartIfChanged = false; @@ -63,7 +68,11 @@ }; }; }; - groupModule = { config, namespace, ... }: { + groupModule = { + config, + namespace, + ... + }: { options = with lib.types; { id = mkOption { type = int; @@ -78,8 +87,8 @@ }; config = { serviceSettings = rec { - bindsTo = [ "${namespace.unitName}.service" ]; - partOf = [ "${namespace.unitName}.target" ]; + bindsTo = ["${namespace.unitName}.service"]; + partOf = ["${namespace.unitName}.target"]; after = bindsTo; stopIfChanged = false; restartIfChanged = false; @@ -100,17 +109,23 @@ }; }; }; - namespaceModule = { config, name, ... }: let + namespaceModule = { + config, + name, + ... + }: let linkGroupServices = optional (config.linkGroup != null) "${config.linkGroup.serviceName}.service"; interfaceServices = mapAttrsToList (_: interface: "${interface.serviceName}.service") config.interfaces; - submoduleArgs = { ... }: { + submoduleArgs = {...}: { config._module.args.namespace = config; }; in { options = with lib.types; { - enable = mkEnableOption "network namespace" // { - default = true; - }; + enable = + mkEnableOption "network namespace" + // { + default = true; + }; resolvConf = mkOption { type = lines; default = '' @@ -186,8 +201,9 @@ groupModule submoduleArgs ]; - idOrModule = coercedTo int (id: { inherit id; }) module; - in nullOr idOrModule; + idOrModule = coercedTo int (id: {inherit id;}) module; + in + nullOr idOrModule; default = null; }; interfaces = mkOption { @@ -195,7 +211,7 @@ namespaceInterfaceModule submoduleArgs ]); - default = { }; + default = {}; }; path = mkOption { type = path; 
@@ -226,8 +242,8 @@ }; config = { serviceSettings = { - wants = [ "network.target" ]; - after = [ "network.target" ]; + wants = ["network.target"]; + after = ["network.target"]; stopIfChanged = false; restartIfChanged = false; serviceConfig = { @@ -245,12 +261,12 @@ }; }; targetSettings = { - wantedBy = [ "multi-user.target" ]; - bindsTo = [ "${config.unitName}.service" ]; + wantedBy = ["multi-user.target"]; + bindsTo = ["${config.unitName}.service"]; requires = linkGroupServices ++ interfaceServices; wants = mkMerge [ - (mkIf config.dhcpcd.enable [ "${config.dhcpcd.serviceName}.service" ]) - (mkIf config.nftables.enable [ "${config.nftables.serviceName}.service" ]) + (mkIf config.dhcpcd.enable ["${config.dhcpcd.serviceName}.service"]) + (mkIf config.nftables.enable ["${config.nftables.serviceName}.service"]) ]; }; configFiles = { 
@@ -312,21 +328,22 @@ addrs6 = access.cidrForNetwork.local.v6 ++ optionals tailscale.enable access.cidrForNetwork.tail.v6; daddr4 = ''{ ${concatStringsSep ", " addrs4} }''; daddr6 = ''{ ${concatStringsSep ", " addrs6} }''; - in mkIf config.nftables.rejectLocaladdrs (mkMerge [ - ''ct state { established, related } accept'' - '' - ip daddr ${daddr4} ip protocol tcp reject with tcp reset - ip daddr ${daddr4} drop - '' - (mkIf networking.enableIPv6 '' - ip6 daddr ${daddr6} ip6 nexthdr tcp reject with tcp reset - ip6 daddr ${daddr6} drop - '') - ]); + in + mkIf config.nftables.rejectLocaladdrs (mkMerge [ + ''ct state { established, related } accept'' + '' + ip daddr ${daddr4} ip protocol tcp reject with tcp reset + ip daddr ${daddr4} drop + '' + (mkIf networking.enableIPv6 '' + ip6 daddr ${daddr6} ip6 nexthdr tcp reject with tcp reset + ip6 daddr ${daddr6} drop + '') + ]); serviceSettings = rec { - bindsTo = [ "${config.unitName}.service" ]; - partOf = [ "${config.unitName}.target" ]; - wants = mkIf config.nftables.rejectLocaladdrs [ "localaddrs.service" ]; + bindsTo = ["${config.unitName}.service"]; + partOf = ["${config.unitName}.target"]; + wants = mkIf config.nftables.rejectLocaladdrs ["localaddrs.service"]; after = mkMerge [ bindsTo wants @@ -346,7 +363,7 @@ "${pkgs.nftables}/bin/nft -f ${config.configPath}/rules.nft" ]; ExecReload = mkMerge [ - (mkIf config.nftables.rejectLocaladdrs [ "+${access.localaddrs.reloadScript}" ]) + (mkIf config.nftables.rejectLocaladdrs ["+${access.localaddrs.reloadScript}"]) [ "${pkgs.nftables}/bin/nft flush ruleset" "${pkgs.nftables}/bin/nft -f ${config.configPath}/rules.nft" 
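Review bot: `ExecReload` in the @@ -346 hunk lists `nft flush ruleset` and `nft -f .../rules.nft` as two separate commands, so between them the namespace briefly has no ruleset at all, and if the second command fails (for example on a rules.nft syntax error) the namespace is left open rather than keeping the previous rules. Unless rules.nft itself begins with `flush ruleset` — not visible from here — move the flush into the rules file and keep only `"${pkgs.nftables}/bin/nft -f ${config.configPath}/rules.nft"` in ExecReload, so the replacement is one atomic transaction that nft rejects as a whole on error. The enclosing `nftables` attribute set starts outside this hunk.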
@@ -360,12 +377,15 @@ }; dhcpcd = { serviceSettings = rec { - bindsTo = [ "${config.unitName}.service" ]; - partOf = [ "${config.unitName}.target" ]; + bindsTo = ["${config.unitName}.service"]; + partOf = ["${config.unitName}.target"]; wants = linkGroupServices ++ interfaceServices; - after = bindsTo ++ wants ++ [ - (mkIf config.nftables.enable "${config.nftables.serviceName}.service") - ]; + after = + bindsTo + ++ wants + ++ [ + (mkIf config.nftables.enable "${config.nftables.serviceName}.service") + ]; stopIfChanged = false; unitConfig.ConditionCapability = "CAP_NET_ADMIN"; serviceConfig = { @@ -407,15 +427,21 @@ }; }; }; - serviceModule = { config, name, ... }: let + serviceModule = { + config, + name, + ... + }: let cfg = config.networkNamespace; hasNs = cfg.name != null; ns = networking.namespaces.${cfg.name}; in { options.networkNamespace = with lib.types; { - enable = mkEnableOption "netns" // { - default = cfg.name != null; - }; + enable = + mkEnableOption "netns" + // { + default = cfg.name != null; + }; bindResolvConf = mkOption { type = nullOr path; }; @@ -446,15 +472,13 @@ path = mkDefault ( ns.path ); - bindResolvConf = mkDefault ( - "${ns.configPath}/resolv.conf" - ); + bindResolvConf = mkDefault "${ns.configPath}/resolv.conf"; }) ]; } (mkIf cfg.enable rec { - wants = mkIf hasNs [ "${ns.unitName}.target" ]; - bindsTo = mkIf hasNs [ "${ns.unitName}.service" ]; + wants = mkIf hasNs ["${ns.unitName}.target"]; + bindsTo = mkIf hasNs ["${ns.unitName}.service"]; after = mkMerge [ bindsTo (mkIf (hasNs && cfg.afterOnline) [ @@ -475,7 +499,7 @@ in { options = with lib.types; { networking.namespaces = mkOption { type = attrsOf (submodule namespaceModule); - default = { }; + default = {}; }; systemd.services = mkOption { type = attrsOf (submodule serviceModule); 
@@ -483,19 +507,25 @@ in {
 };
 config = {
 systemd = {
- services = listToAttrs (concatMap (ns:
- singleton (nameValuePair ns.unitName (unmerged.merge ns.serviceSettings))
- ++ optional (ns.linkGroup != null) (nameValuePair ns.linkGroup.serviceName (unmerged.merge ns.linkGroup.serviceSettings))
- ++ mapAttrsToList (_: interface: nameValuePair interface.serviceName (unmerged.merge interface.serviceSettings)) ns.interfaces
- ++ optional ns.dhcpcd.enable (nameValuePair ns.dhcpcd.serviceName (unmerged.merge ns.dhcpcd.serviceSettings))
- ++ optional ns.nftables.enable (nameValuePair ns.nftables.serviceName (unmerged.merge ns.nftables.serviceSettings))
- ) enabledNamespaces);
- targets = listToAttrs (map (ns: nameValuePair ns.unitName (
- unmerged.merge ns.targetSettings
- )) enabledNamespaces);
+ services = listToAttrs (concatMap (
+ ns:
+ singleton (nameValuePair ns.unitName (unmerged.merge ns.serviceSettings))
+ ++ optional (ns.linkGroup != null) (nameValuePair ns.linkGroup.serviceName (unmerged.merge ns.linkGroup.serviceSettings))
+ ++ mapAttrsToList (_: interface: nameValuePair interface.serviceName (unmerged.merge interface.serviceSettings)) ns.interfaces
+ ++ optional ns.dhcpcd.enable (nameValuePair ns.dhcpcd.serviceName (unmerged.merge ns.dhcpcd.serviceSettings))
+ ++ optional ns.nftables.enable (nameValuePair ns.nftables.serviceName (unmerged.merge ns.nftables.serviceSettings))
+ )
+ enabledNamespaces);
+ targets = listToAttrs (map (ns:
+ nameValuePair ns.unitName (
+ unmerged.merge ns.targetSettings
+ ))
+ enabledNamespaces);
 };
- environment.etc = mkMerge (map (ns:
- mapAttrs' (name: file: nameValuePair "${ns.configDir}/${name}" (unmerged.merge file)) ns.configFiles
- ) enabledNamespaces);
+ environment.etc = mkMerge (map (
+ ns:
+ mapAttrs' (name: file: nameValuePair "${ns.configDir}/${name}" (unmerged.merge file)) ns.configFiles
+ )
+ enabledNamespaces);
 };
 }
diff --git a/modules/nixos/network/networks.nix b/modules/nixos/network/networks.nix
index 5975b95f..8ef65ceb 100644
--- a/modules/nixos/network/networks.nix
+++ b/modules/nixos/network/networks.nix
@@ -8,17 +8,21 @@
 inherit (lib.modules) mkIf mkMerge mkOptionDefault;
 inherit (inputs.self.lib.lib) eui64;
 inherit (config) networking services;
- networkModule = { config, ... }: {
+ networkModule = {config, ...}: {
 options = with lib.types; {
 mdns = {
- enable = mkEnableOption "SLAAC" // {
- default = config.matchConfig.Type or null == "ether" && services.resolved.enable;
- };
+ enable =
+ mkEnableOption "SLAAC"
+ // {
+ default = config.matchConfig.Type or null == "ether" && services.resolved.enable;
+ };
 };
 slaac = {
- enable = mkEnableOption "SLAAC" // {
- default = config.matchConfig.Type or null == "ether" && networking.enableIPv6;
- };
+ enable =
+ mkEnableOption "SLAAC"
+ // {
+ default = config.matchConfig.Type or null == "ether" && networking.enableIPv6;
+ };
 postfix = mkOption {
 type = str;
 };
diff --git a/modules/nixos/nftables.nix b/modules/nixos/nftables.nix
index 4e652681..e3660534 100644
--- a/modules/nixos/nftables.nix
+++ b/modules/nixos/nftables.nix
@@ -1,6 +1,8 @@
-{ lib, config, ... }:
-
-let
+{
+ lib,
+ config,
+ ...
+}: let
 inherit (lib) types;
 inherit (lib.options) mkOption mkEnableOption;
 inherit (lib.modules) mkIf;
@@ -13,11 +15,13 @@ let
 doDocker = config.virtualisation.docker.enable && cfg.generateDockerRules;
 mkPorts = cond: ports: ranges: action: let
- portStrings = (map (range: "${toString range.from}-${toString range.to}") ranges)
- ++ (map toString ports);
- in optionalString (portStrings != []) ''
- ${cond} dport { ${concatStringsSep "," portStrings} } ${action}
- '';
+ portStrings =
+ (map (range: "${toString range.from}-${toString range.to}") ranges)
+ ++ (map toString ports);
+ in
+ optionalString (portStrings != []) ''
+ ${cond} dport { ${concatStringsSep "," portStrings} } ${action}
+ '';
 ruleset = ''
 table inet filter {
@@ -32,18 +36,21 @@ let
 ct state established,related accept
 iifname { ${
- concatStringsSep "," (["lo"] ++ fwcfg.trustedInterfaces)
- } } accept
+ concatStringsSep "," (["lo"] ++ fwcfg.trustedInterfaces)
+ } } accept
 ${mkPorts "tcp" fwcfg.allowedTCPPorts fwcfg.allowedTCPPortRanges "accept"}
 ${mkPorts "udp" fwcfg.allowedUDPPorts fwcfg.allowedUDPPortRanges "accept"}
 ${
- concatStringsSep "\n" (mapAttrsToList (name: ifcfg: concatMapStringsSep "\n" (cond:
- mkPorts "${cond} tcp" ifcfg.allowedTCPPorts ifcfg.allowedTCPPortRanges "accept"
+ concatStringsSep "\n" (mapAttrsToList (name: ifcfg:
+ concatMapStringsSep "\n" (
+ cond:
+ mkPorts "${cond} tcp" ifcfg.allowedTCPPorts ifcfg.allowedTCPPortRanges "accept"
 + mkPorts "${cond} udp" ifcfg.allowedUDPPorts ifcfg.allowedUDPPortRanges "accept"
- ) (optionals ifcfg.nftables.enable ifcfg.nftables.conditions)) fwcfg.interfaces)
- }
+ ) (optionals ifcfg.nftables.enable ifcfg.nftables.conditions))
+ fwcfg.interfaces)
+ }
 # DHCPv6
 ip6 daddr fe80::/64 udp dport 546 accept
@@ -65,10 +72,10 @@ let
 policy ${cfg.forwardPolicy}
 ${optionalString doDocker ''
- oifname docker0 ct state invalid drop
- oifname docker0 ct state established,related accept
- iifname docker0 accept
- ''}
+ oifname docker0 ct state invalid drop
+ oifname docker0 ct state established,related accept
+ iifname docker0 accept
+ ''}
 ${cfg.extraForward}
@@ -85,14 +92,23 @@ let
 ''}
 ${cfg.extraConfig}
 '';
- interfaceModule = { config, name, ... }: {
+ interfaceModule = {
+ config,
+ name,
+ ...
+ }: {
 options = {
 nftables = {
- enable = mkEnableOption "nftables firewall" // {
- default =
- config.allowedTCPPorts != [ ] || config.allowedTCPPortRanges != [ ]
- || config.allowedUDPPorts != [ ] || config.allowedUDPPortRanges != [ ];
- };
+ enable =
+ mkEnableOption "nftables firewall"
+ // {
+ default =
+ config.allowedTCPPorts
+ != []
+ || config.allowedTCPPortRanges != []
+ || config.allowedUDPPorts != []
+ || config.allowedUDPPortRanges != [];
+ };
 conditions = mkOption {
 type = types.listOf types.str;
 default = "iifname ${name}";
@@ -100,7 +116,6 @@ let
 };
 };
 };
-
 in {
 options = {
 networking.nftables = {
diff --git a/modules/nixos/nginx/local.nix b/modules/nixos/nginx/local.nix
index b035e02a..75f672f1 100644
--- a/modules/nixos/nginx/local.nix
+++ b/modules/nixos/nginx/local.nix
@@ -9,7 +9,7 @@
 inherit (lib.lists) optionals;
 inherit (config.services) tailscale;
 inherit (config.networking.access) cidrForNetwork localaddrs;
- localModule = { config, ... }: {
+ localModule = {config, ...}: {
 options.local = with lib.types; {
 enable = mkOption {
 type = bool;
@@ -37,16 +37,23 @@
 cidrForNetwork.loopback.all
 ++ cidrForNetwork.local.all
 ++ optionals tailscale.enable cidrForNetwork.tail.all;
- allows = concatMapStringsSep "\n" mkAllow allowAddresses + optionalString localaddrs.enable ''
- include ${localaddrs.stateDir}/*.nginx.conf;
+ allows =
+ concatMapStringsSep "\n" mkAllow allowAddresses
+ + optionalString localaddrs.enable ''
+ include ${localaddrs.stateDir}/*.nginx.conf;
+ '';
+ in
+ mkBefore ''
+ ${allows}
+ deny all;
 '';
- in mkBefore ''
- ${allows}
- deny all;
- '';
 };
 };
- locationModule = { config, virtualHost, ... }: {
+ locationModule = {
+ config,
+ virtualHost,
+ ...
+ }: {
 imports = [
 localModule
 ];
@@ -58,13 +65,13 @@
 emitDenyGlobal = virtualHost.local.emitDenyGlobal;
 };
 };
- hostModule = { config, ... }: {
- imports = [ localModule ];
+ hostModule = {config, ...}: {
+ imports = [localModule];
 options = with lib.types; {
 locations = mkOption {
 type = attrsOf (submoduleWith {
- modules = [ locationModule ];
+ modules = [locationModule];
 shorthandOnlyDefinesConfig = true;
 specialArgs = {
 virtualHost = config;
@@ -83,7 +90,7 @@ in {
 options = with lib.types; {
 services.nginx.virtualHosts = mkOption {
 type = attrsOf (submoduleWith {
- modules = [ hostModule ];
+ modules = [hostModule];
 shorthandOnlyDefinesConfig = true;
 specialArgs = {
 nixosConfig = config;
diff --git a/modules/nixos/nginx/vouch.nix b/modules/nixos/nginx/vouch.nix
index e6c17713..e20dfba8 100644
--- a/modules/nixos/nginx/vouch.nix
+++ b/modules/nixos/nginx/vouch.nix
@@ -2,13 +2,12 @@
 config,
 lib,
 ...
-}:
-let
+}: let
 inherit (lib.options) mkOption mkEnableOption;
 inherit (lib.modules) mkIf mkMerge mkBefore mkDefault;
 inherit (config) networking;
 inherit (config.services) vouch-proxy tailscale;
- vouchModule = { config, ... }: {
+ vouchModule = {config, ...}: {
 options = with lib.types; {
 vouch = {
 enable = mkEnableOption "vouch auth proxy";
@@ -49,15 +48,20 @@ let
 vouch = mkIf vouch-proxy.enable {
 proxyOrigin = let
 inherit (vouch-proxy.settings.vouch) listen port;
- host = if listen == "0.0.0.0" || listen == "[::]" then "localhost" else listen;
- in mkDefault "http://${host}:${toString port}";
+ host =
+ if listen == "0.0.0.0" || listen == "[::]"
+ then "localhost"
+ else listen;
+ in
+ mkDefault "http://${host}:${toString port}";
 authUrl = mkDefault vouch-proxy.authUrl;
 url = mkDefault vouch-proxy.url;
 doubleProxy = mkDefault false;
 };
 }
 {
- vouch.proxyOrigin = mkIf (tailscale.enable && !vouch-proxy.enable) (mkDefault
+ vouch.proxyOrigin = mkIf (tailscale.enable && !vouch-proxy.enable) (
+ mkDefault
 "http://login.tail.${networking.domain}"
 );
 }
@@ -96,22 +100,23 @@ let
 set $vouch_url $vouch_scheme://${config.vouch.tailDomain};
 }
 '';
- in mkMerge [
- (mkBefore ''
- set $vouch_url ${config.vouch.url};
- set $vouch_scheme $scheme;
- '')
- (mkIf config.local.trusted (mkBefore ''
- if ($http_x_forwarded_proto) {
- set $vouch_scheme $http_x_forwarded_proto;
- }
- ''))
- (mkIf (config.local.enable or false) localVouchUrl)
- (mkIf (config.local.enable or false && tailscale.enable) tailVouchUrl)
- ''
- return 302 $vouch_url/login?url=$vouch_scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
- ''
- ];
+ in
+ mkMerge [
+ (mkBefore ''
+ set $vouch_url ${config.vouch.url};
+ set $vouch_scheme $scheme;
+ '')
+ (mkIf config.local.trusted (mkBefore ''
+ if ($http_x_forwarded_proto) {
+ set $vouch_scheme $http_x_forwarded_proto;
+ }
+ ''))
+ (mkIf (config.local.enable or false) localVouchUrl)
+ (mkIf (config.local.enable or false && tailscale.enable) tailVouchUrl)
+ ''
+ return 302 $vouch_url/login?url=$vouch_scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
+ ''
+ ];
 };
 "/validate" = {
 recommendedProxySettings = false;
diff --git a/modules/nixos/nginx/websocket.nix b/modules/nixos/nginx/websocket.nix
index 5e99af60..bad992cf 100644
--- a/modules/nixos/nginx/websocket.nix
+++ b/modules/nixos/nginx/websocket.nix
@@ -1,10 +1,7 @@
-{
- lib,
- ...
-}: let
+{lib, ...}: let
 inherit (lib.modules) mkIf;
 inherit (lib.options) mkOption mkEnableOption;
- wsModule = { config, ... }: {
+ wsModule = {config, ...}: {
 options = with lib.types; {
 proxy.websocket.enable = mkEnableOption "websocket proxy";
 };
@@ -16,8 +13,8 @@
 '';
 };
 };
- hostModule = { config, ... }: {
- imports = [ wsModule ];
+ hostModule = {config, ...}: {
+ imports = [wsModule];
 options = with lib.types; {
 locations = mkOption {
diff --git a/modules/nixos/plex.nix b/modules/nixos/plex.nix
index b4866a62..5b08a167 100644
--- a/modules/nixos/plex.nix
+++ b/modules/nixos/plex.nix
@@ -1,7 +1,4 @@
-{
- lib,
- ...
-}: let
+{lib, ...}: let
 inherit (lib.options) mkOption;
 in {
 options.services.plex = with lib.types; {
diff --git a/modules/nixos/policyrouting.nix b/modules/nixos/policyrouting.nix
index 60c999d8..65ea6e08 100644
--- a/modules/nixos/policyrouting.nix
+++ b/modules/nixos/policyrouting.nix
@@ -1,11 +1,12 @@
-{ config, lib, ... }:
-
-with lib;
-
-let
+{
+ config,
+ lib,
+ ...
+}:
+with lib; let
 cfg = config.networking.policyrouting;
- ruleOpts = { ... }: {
+ ruleOpts = {...}: {
 options = {
 prio = mkOption {
 type = types.int;
@@ -15,37 +16,44 @@ let
 };
 };
 };
-
-in
-{
+in {
 options = {
 networking.policyrouting = {
 enable = mkEnableOption "Declarative Policy-Routing";
 rules = mkOption {
 type = with types; listOf (submodule ruleOpts);
- default = [ ];
+ default = [];
 };
 rules6 = mkOption {
 type = with types; listOf (submodule ruleOpts);
- default = [ ];
+ default = [];
 };
 rules4 = mkOption {
 type = with types; listOf (submodule ruleOpts);
- default = [ ];
+ default = [];
 };
 };
 };
 config = mkIf cfg.enable {
 networking.policyrouting.rules = [
- { rule = "lookup main"; prio = 32000; }
+ {
+ rule = "lookup main";
+ prio = 32000;
+ }
 ];
 networking.localCommands = ''
 set -x
 ip -6 rule flush
 ip -4 rule flush
- ${concatMapStringsSep "\n" ({ prio, rule }: "ip -6 rule add ${rule} prio ${toString prio}") (cfg.rules ++ cfg.rules6)}
- ${concatMapStringsSep "\n" ({ prio, rule }: "ip -4 rule add ${rule} prio ${toString prio}") (cfg.rules ++ cfg.rules4)}
+ ${concatMapStringsSep "\n" ({
+ prio,
+ rule,
+ }: "ip -6 rule add ${rule} prio ${toString prio}") (cfg.rules ++ cfg.rules6)}
+ ${concatMapStringsSep "\n" ({
+ prio,
+ rule,
+ }: "ip -4 rule add ${rule} prio ${toString prio}") (cfg.rules ++ cfg.rules4)}
 '';
 };
 }
diff --git a/modules/nixos/postgres.nix b/modules/nixos/postgres.nix
index 7e809f8b..7ece0c3e 100644
--- a/modules/nixos/postgres.nix
+++ b/modules/nixos/postgres.nix
@@ -10,19 +10,24 @@
 inherit (config) networking;
 cfg = config.services.postgresql;
 formatHost = host:
- if hasInfix "/" host then host
- else if hasInfix ":" host then "${host}/128"
- else if hasInfix "." host then "${host}/32"
+ if hasInfix "/" host
+ then host
+ else if hasInfix ":" host
+ then "${host}/128"
+ else if hasInfix "." host
+ then "${host}/32"
 else throw "unsupported IP address ${host}";
- ensureUserModule = { config, ... }: {
+ ensureUserModule = {config, ...}: {
 options = with lib.types; {
 authentication = {
- enable = mkEnableOption "TCP connections" // {
- default = config.authentication.hosts != [ ];
- };
+ enable =
+ mkEnableOption "TCP connections"
+ // {
+ default = config.authentication.hosts != [];
+ };
 hosts = mkOption {
 type = listOf str;
- default = [ ];
+ default = [];
 };
 method = mkOption {
 type = str;
@@ -47,13 +52,15 @@
 authentication = {
 hosts = let
 inherit (networking.access) cidrForNetwork;
- in mkMerge [
- (mkIf config.authentication.tailscale.allow cidrForNetwork.tail.all)
- (mkIf config.authentication.local.allow (cidrForNetwork.loopback.all ++ cidrForNetwork.local.all))
- ];
+ in
+ mkMerge [
+ (mkIf config.authentication.tailscale.allow cidrForNetwork.tail.all)
+ (mkIf config.authentication.local.allow (cidrForNetwork.loopback.all ++ cidrForNetwork.local.all))
+ ];
 authentication = mkMerge (map (host: ''
- host ${config.authentication.database} ${config.name} ${formatHost host} ${config.authentication.method}
- '') config.authentication.hosts);
+ host ${config.authentication.database} ${config.name} ${formatHost host} ${config.authentication.method}
+ '')
+ config.authentication.hosts);
 };
 authentication.database = mkIf config.ensureDBOwnership (
 mkOptionDefault config.name
@@ -70,11 +77,13 @@ in {
 enableTCPIP = mkIf (any (user: user.authentication.enable) cfg.ensureUsers) (
 mkDefault true
 );
- authentication = mkMerge (map (user:
- mkIf user.authentication.enable user.authentication.authentication
- ) cfg.ensureUsers);
+ authentication = mkMerge (map (
+ user:
+ mkIf user.authentication.enable user.authentication.authentication
+ )
+ cfg.ensureUsers);
 };
 config.networking.firewall.interfaces.local = mkIf cfg.enable {
- allowedTCPPorts = mkIf (any (user: user.authentication.local.allow) cfg.ensureUsers) [ cfg.port ];
+ allowedTCPPorts = mkIf (any (user: user.authentication.local.allow) cfg.ensureUsers) [cfg.port];
 };
 }
diff --git a/modules/nixos/prowlarr.nix b/modules/nixos/prowlarr.nix
index 7ee25ce5..b6a777f4 100644
--- a/modules/nixos/prowlarr.nix
+++ b/modules/nixos/prowlarr.nix
@@ -1,7 +1,4 @@
-{
- lib,
- ...
-}: let
+{lib, ...}: let
 inherit (lib.options) mkOption;
 in {
 options.services.prowlarr = with lib.types; {
diff --git a/modules/nixos/radarr.nix b/modules/nixos/radarr.nix
index 3bb13553..3b51e2e9 100644
--- a/modules/nixos/radarr.nix
+++ b/modules/nixos/radarr.nix
@@ -1,7 +1,4 @@
-{
- lib,
- ...
-}: let
+{lib, ...}: let
 inherit (lib.options) mkOption;
 in {
 options.services.radarr = with lib.types; {
diff --git a/modules/nixos/readarr.nix b/modules/nixos/readarr.nix
index f75f7791..5d360697 100644
--- a/modules/nixos/readarr.nix
+++ b/modules/nixos/readarr.nix
@@ -1,7 +1,4 @@
-{
- lib,
- ...
-}: let
+{lib, ...}: let
 inherit (lib.options) mkOption;
 in {
 options.services.readarr = with lib.types; {
diff --git a/modules/nixos/samba.nix b/modules/nixos/samba.nix
index 56ed625b..74927496 100644
--- a/modules/nixos/samba.nix
+++ b/modules/nixos/samba.nix
@@ -11,14 +11,17 @@
 inherit (config.services) samba-wsdd;
 cfg = config.services.samba;
 settingValue = value:
- if builtins.isList value then concatMapStringsSep ", " settingValue value
- else if value == true then "yes"
- else if value == false then "no"
+ if builtins.isList value
+ then concatMapStringsSep ", " settingValue value
+ else if value == true
+ then "yes"
+ else if value == false
+ then "no"
 else toString value;
 in {
 options.services.samba = with lib.types; let
- settingPrimitive = oneOf [ str int bool ];
- settingType = oneOf [ settingPrimitive (listOf settingPrimitive) ];
+ settingPrimitive = oneOf [str int bool];
+ settingType = oneOf [settingPrimitive (listOf settingPrimitive)];
 in {
 ldap = {
 enable = mkEnableOption "LDAP";
@@ -64,7 +67,11 @@ in {
 };
 };
 idmap = let
- idmapModule = { config, name, ... }: {
+ idmapModule = {
+ config,
+ name,
+ ...
+ }: {
 options = {
 backend = mkOption {
 type = str;
@@ -89,7 +96,7 @@ in {
 };
 settings = mkOption {
 type = attrsOf settingType;
- default = { };
+ default = {};
 };
 };
 config = {
@@ -117,7 +124,7 @@ in {
 };
 settings = mkOption {
 type = attrsOf settingType;
- default = { };
+ default = {};
 };
 };
@@ -139,35 +146,36 @@ in {
 })
 ];
 settings = mkMerge ([
- {
- "use sendfile" = mkOptionDefault true;
- }
- (mkIf (cfg.passdb.smbpasswd.path != null) {
- "passdb backend" = mkOptionDefault "smbpasswd:${cfg.passdb.smbpasswd.path}";
- })
- (mkIf cfg.ldap.enable {
- "passdb backend" = mkOptionDefault ''ldapsam:"${cfg.ldap.url}"'';
- "ldap ssl" = mkIf (hasPrefix "ldaps://" cfg.ldap.url) (mkOptionDefault "off");
- "ldap admin dn" = mkOptionDefault "name=anonymous,${cfg.ldap.baseDn}";
- "ldap suffix" = mkOptionDefault cfg.ldap.baseDn;
- })
- (mkIf (cfg.ldap.enable && true) {
- "ntlm auth" = mkOptionDefault "disabled";
- "encrypt passwords" = mkOptionDefault false;
- })
- (mkIf cfg.usershare.enable {
- "usershare allow guests" = mkOptionDefault true;
- "usershare max shares" = mkOptionDefault 16;
- "usershare owner only" = mkOptionDefault true;
- "usershare template share" = mkOptionDefault cfg.usershare.templateShare;
- "usershare path" = mkOptionDefault cfg.usershare.path;
- "usershare prefix allow list" = mkOptionDefault [ cfg.usershare.path ];
- })
- (mkIf cfg.guest.enable {
- "map to guest" = mkOptionDefault "Bad User";
- "guest account" = mkOptionDefault cfg.guest.user;
- })
- ] ++ mapAttrsToList (_: idmap: mapAttrs' (key: value: nameValuePair "idmap config ${idmap.domain} : ${key}" (mkOptionDefault value)) idmap.settings) cfg.idmap.domains);
+ {
+ "use sendfile" = mkOptionDefault true;
+ }
+ (mkIf (cfg.passdb.smbpasswd.path != null) {
+ "passdb backend" = mkOptionDefault "smbpasswd:${cfg.passdb.smbpasswd.path}";
+ })
+ (mkIf cfg.ldap.enable {
+ "passdb backend" = mkOptionDefault ''ldapsam:"${cfg.ldap.url}"'';
+ "ldap ssl" = mkIf (hasPrefix "ldaps://" cfg.ldap.url) (mkOptionDefault "off");
+ "ldap admin dn" = mkOptionDefault "name=anonymous,${cfg.ldap.baseDn}";
+ "ldap suffix" = mkOptionDefault cfg.ldap.baseDn;
+ })
+ (mkIf (cfg.ldap.enable && true) {
+ "ntlm auth" = mkOptionDefault "disabled";
+ "encrypt passwords" = mkOptionDefault false;
+ })
+ (mkIf cfg.usershare.enable {
+ "usershare allow guests" = mkOptionDefault true;
+ "usershare max shares" = mkOptionDefault 16;
+ "usershare owner only" = mkOptionDefault true;
+ "usershare template share" = mkOptionDefault cfg.usershare.templateShare;
+ "usershare path" = mkOptionDefault cfg.usershare.path;
+ "usershare prefix allow list" = mkOptionDefault [cfg.usershare.path];
+ })
+ (mkIf cfg.guest.enable {
+ "map to guest" = mkOptionDefault "Bad User";
+ "guest account" = mkOptionDefault cfg.guest.user;
+ })
+ ]
+ ++ mapAttrsToList (_: idmap: mapAttrs' (key: value: nameValuePair "idmap config ${idmap.domain} : ${key}" (mkOptionDefault value)) idmap.settings) cfg.idmap.domains);
 extraConfig = mkMerge (mapAttrsToList (key: value: ''${key} = ${settingValue value}'') cfg.settings);
 shares.${cfg.usershare.templateShare} = mkIf cfg.usershare.enable {
 "-valid" = false;
@@ -194,12 +202,12 @@ in {
 networking.firewall.interfaces.local = {
 allowedTCPPorts = mkMerge [
- (mkIf (cfg.enable && !cfg.openFirewall) [ 139 445 ])
- (mkIf (samba-wsdd.enable && !samba-wsdd.openFirewall) [ 5357 ])
+ (mkIf (cfg.enable && !cfg.openFirewall) [139 445])
+ (mkIf (samba-wsdd.enable && !samba-wsdd.openFirewall) [5357])
 ];
 allowedUDPPorts = mkMerge [
- (mkIf (cfg.enable && !cfg.openFirewall) [ 137 138 ])
- (mkIf (samba-wsdd.enable && !samba-wsdd.openFirewall) [ 3702 ])
+ (mkIf (cfg.enable && !cfg.openFirewall) [137 138])
+ (mkIf (samba-wsdd.enable && !samba-wsdd.openFirewall) [3702])
 ];
 };
 };
diff --git a/modules/nixos/sonarr.nix b/modules/nixos/sonarr.nix
index b4d88a78..43276d5e 100644
--- a/modules/nixos/sonarr.nix
+++ b/modules/nixos/sonarr.nix
@@ -1,7 +1,4 @@
-{
- lib,
- ...
-}: let
+{lib, ...}: let
 inherit (lib.options) mkOption;
 in {
 options.services.sonarr = with lib.types; {
diff --git a/modules/nixos/steam/account-switch.nix b/modules/nixos/steam/account-switch.nix
index 4367748f..9b41bbba 100644
--- a/modules/nixos/steam/account-switch.nix
+++ b/modules/nixos/steam/account-switch.nix
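Review bot: `(mkIf (cfg.ldap.enable && true) {` carries a redundant `&& true`, so the guard reads as an unfinished condition; either reduce it to `mkIf cfg.ldap.enable` or name the second condition that was meant to go there. That block is the one that sets `"ntlm auth"` and `"encrypt passwords"`, both authentication-relevant Samba settings, so a one-line comment stating why an ldapsam passdb needs these two values would help the next reader judge the guard. The enclosing `settings = mkMerge ([ … ])` lies fully inside this hunk.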
@@ -76,30 +76,35 @@ in {
 inherit owner;
 inherit (shared) group mode;
 };
- setupFiles = singleton {
- ${cfg.rootDir} = toplevel;
- ${cfg.binDir} = toplevel;
- ${cfg.binDir + "/users"} = shared;
- ${cfg.dataDir} = toplevel;
- ${cfg.sharedDataDir} = shared;
- ${cfg.workingDir} = toplevel;
- ${cfg.sharedWorkingDir} = shared;
- } ++ map (owner: {
- ${cfg.dataDir + "/${owner}"} = personal owner;
- ${cfg.workingDir + "/${owner}"} = personal owner;
- }) cfg.users;
- userBinFiles = listToAttrs (map (user: nameValuePair "${cfg.binDir}/users/${user}.bat" {
- inherit (toplevel) owner group;
- mode = "0755";
- type = "copy";
- src = pkgs.writeTextFile {
- name = "steam-${user}.bat";
- executable = true;
- text = ''
- setx GENSO_STEAM_USER ${user}
- '';
- };
- }) cfg.users);
+ setupFiles =
+ singleton {
+ ${cfg.rootDir} = toplevel;
+ ${cfg.binDir} = toplevel;
+ ${cfg.binDir + "/users"} = shared;
+ ${cfg.dataDir} = toplevel;
+ ${cfg.sharedDataDir} = shared;
+ ${cfg.workingDir} = toplevel;
+ ${cfg.sharedWorkingDir} = shared;
+ }
+ ++ map (owner: {
+ ${cfg.dataDir + "/${owner}"} = personal owner;
+ ${cfg.workingDir + "/${owner}"} = personal owner;
+ })
+ cfg.users;
+ userBinFiles = listToAttrs (map (user:
+ nameValuePair "${cfg.binDir}/users/${user}.bat" {
+ inherit (toplevel) owner group;
+ mode = "0755";
+ type = "copy";
+ src = pkgs.writeTextFile {
+ name = "steam-${user}.bat";
+ executable = true;
+ text = ''
+ setx GENSO_STEAM_USER ${user}
+ '';
+ };
+ })
+ cfg.users);
 in {
 enable = mkIf (cfg.enable || cfg.setup) true;
 files = mkMerge [
diff --git a/modules/nixos/steam/beatsaber.nix b/modules/nixos/steam/beatsaber.nix
index 9665e25c..295a96d4 100644
--- a/modules/nixos/steam/beatsaber.nix
+++ b/modules/nixos/steam/beatsaber.nix
@@ -14,7 +14,11 @@
 inherit (lib.meta) getExe;
 inherit (config.services.steam) accountSwitch;
 cfg = config.services.steam.beatsaber;
- versionModule = { config, name, ... }: {
+ versionModule = {
+ config,
+ name,
+ ...
+ }: {
 options = with lib.types; {
 version = mkOption {
 type = str;
@@ -23,11 +27,12 @@
 };
 };
- mkSharePath = path: mkWinPath (
- "%GENSO_SMB_SHARED_MOUNT%"
- + "/${accountSwitch.sharePath}"
- + "/${removePrefix (accountSwitch.rootDir + "/") path}"
- );
+ mkSharePath = path:
+ mkWinPath (
+ "%GENSO_SMB_SHARED_MOUNT%"
+ + "/${accountSwitch.sharePath}"
+ + "/${removePrefix (accountSwitch.rootDir + "/") path}"
+ );
 vars = ''
 if "%GENSO_STEAM_INSTALL%" == "" set "GENSO_STEAM_INSTALL=C:\Program Files (x86)\Steam"
 if "%GENSO_STEAM_LIBRARY_BS%" == "" set "GENSO_STEAM_LIBRARY_BS=%GENSO_STEAM_INSTALL%"
@@ -102,9 +107,11 @@ in {
 options.services.steam.beatsaber = with lib.types; {
 enable = mkEnableOption "beatsaber scripts";
- setup = mkEnableOption "beatsaber data" // {
- default = accountSwitch.setup;
- };
+ setup =
+ mkEnableOption "beatsaber data"
+ // {
+ default = accountSwitch.setup;
+ };
 group = mkOption {
 type = str;
 default = "beatsaber";
@@ -114,7 +121,7 @@ in {
 };
 versions = mkOption {
 type = attrsOf (submodule versionModule);
- default = { };
+ default = {};
 };
 users = mkOption {
 type = listOf str;
@@ -127,7 +134,7 @@ in {
 bsUsers = filterAttrs (_: userIs cfg.group) config.users.users;
 allVersions = mapAttrsToList (_: version: version.version) cfg.versions;
 in {
- defaultVersion = mkIf (allVersions != [ ]) (mkOptionDefault (
+ defaultVersion = mkIf (allVersions != []) (mkOptionDefault (
 head allVersions
 ));
 users = mkOptionDefault (
@@ -140,24 +147,27 @@ in {
 mkbeatsabersh
 ];
 };
- systemd.services = mkIf cfg.setup (listToAttrs (map (user: nameValuePair "steam-setup-beatsaber-${user}" {
- script = mkMerge (mapAttrsToList (_: version: ''
- ${getExe mkbeatsaber} ${version.version} ${user}
- '') cfg.versions);
- path = [
- pkgs.coreutils
- ];
- wantedBy = [
- "multi-user.target"
- ];
- after = [
- "tmpfiles.service"
- ];
- serviceConfig = {
- RemainAfterExit = mkOptionDefault true;
- User = mkOptionDefault user;
- };
- }) cfg.users));
+ systemd.services = mkIf cfg.setup (listToAttrs (map (user:
+ nameValuePair "steam-setup-beatsaber-${user}" {
+ script = mkMerge (mapAttrsToList (_: version: ''
+ ${getExe mkbeatsaber} ${version.version} ${user}
+ '')
+ cfg.versions);
+ path = [
+ pkgs.coreutils
+ ];
+ wantedBy = [
+ "multi-user.target"
+ ];
+ after = [
+ "tmpfiles.service"
+ ];
+ serviceConfig = {
+ RemainAfterExit = mkOptionDefault true;
+ User = mkOptionDef  user;
+ };
+ })
+ cfg.users));
 services.tmpfiles = let
 toplevel = {
 owner = mkDefault "admin";
@@ -187,77 +197,92 @@ in {
 "AppData"
 "UserData"
 ];
- setupFiles = [
+ setupFiles =
+ [
+ {
+ "${accountSwitch.sharedDataDir}/BeatSaber" = toplevel;
+ "${accountSwitch.binDir}/beatsaber" = shared;
+ }
+ (listToAttrs (
+ map (
+ folder:
+ nameValuePair "${accountSwitch.sharedDataDir}/BeatSaber/${folder}" shared
+ )
+ sharedFolders
+ ))
+ ]
+ ++ concatMap (
+ owner:
+ singleton {
+ "${accountSwitch.dataDir}/${owner}/BeatSaber" = personal owner;
+ "${accountSwitch.dataDir}/${owner}/BeatSaber/AppData" = personal owner;
+ "${accountSwitch.dataDir}/${owner}/BeatSaber/UserData" = personal owner;
+ }
+ ++ mapAttrsToList (_: version: {
+ "${accountSwitch.dataDir}/${owner}/BeatSaber/${version.version}" = personal owner;
+ })
+ cfg.versions
+ )
+ accountSwitch.users
+ ++ mapAttrsToList (_: version: {
+ "${accountSwitch.sharedDataDir}/BeatSaber/${version.version}" = shared;
+ })
+ cfg.versions;
+ versionBinFiles =
+ mapAttrs' (
+ _: version:
+ nameValuePair
+ "${accountSwitch.binDir}/beatsaber/${replaceStrings ["."] ["_"] version.version}.bat"
+ {
+ inherit (bin) owner group mode type;
+ src = pkgs.writeTextFile {
+ name = "beatsaber-${version.version}.bat";
+ executable = true;
+ text = ''
+ setx GENSO_STEAM_BS_VERSION ${version.version}
+ '';
+ };
+ }
+ )
+ cfg.versions;
+ binFiles =
 {
- "${accountSwitch.sharedDataDir}/BeatSaber" = toplevel;
- "${accountSwitch.binDir}/beatsaber" = shared;
- }
- (listToAttrs (
- map (folder:
- nameValuePair "${accountSwitch.sharedDataDir}/BeatSaber/${folder}" shared
- ) sharedFolders
- ))
- ] ++ concatMap (owner:
- singleton {
- "${accountSwitch.dataDir}/${owner}/BeatSaber" = personal owner;
- "${accountSwitch.dataDir}/${owner}/BeatSaber/AppData" = personal owner;
- "${accountSwitch.dataDir}/${owner}/BeatSaber/UserData" = personal owner;
- } ++ mapAttrsToList (_: version: {
- "${accountSwitch.dataDir}/${owner}/BeatSaber/${version.version}" = personal owner;
- }) cfg.versions
- ) accountSwitch.users
- ++ mapAttrsToList (_: version: {
- "${accountSwitch.sharedDataDir}/BeatSaber/${version.version}" = shared;
- }) cfg.versions;
- versionBinFiles = mapAttrs' (_: version: nameValuePair
- "${accountSwitch.binDir}/beatsaber/${replaceStrings [ "." ] [ "_" ] version.version}.bat"
- {
- inherit (bin) owner group mode type;
- src = pkgs.writeTextFile {
- name = "beatsaber-${version.version}.bat";
- executable = true;
- text = ''
- setx GENSO_STEAM_BS_VERSION ${version.version}
- '';
+ "${accountSwitch.binDir}/beatsaber/mount.bat" = {
+ inherit (bin) owner group mode type;
+ src = pkgs.writeTextFile {
+ name = "beatsaber-mount.bat";
+ executable = true;
+ text = mountbeatsaber;
+ };
+ };
+ "${accountSwitch.binDir}/beatsaber/launch.bat" = {
+ inherit (bin) owner group mode type;
+ src = pkgs.writeTextFile {
+ name = "beatsaber-launch.bat";
+ executable = true;
+ text = launchbeatsaber;
+ };
+ };
+ "${accountSwitch.binDir}/beatsaber/fpfc.bat" = {
+ inherit (bin) owner group mode type;
+ src = pkgs.writeTextFile {
+ name = "beatsaber-fpfc.bat";
+ executable = true;
+ text = fpfcbeatsaber;
+ };
+ };
+ "${accountSwitch.binDir}/beatsaber/ModAssistant.exe" = {
+ inherit (toplevel) owner group;
+ mode = "0755";
+ type = "copy";
+ src = pkgs.fetchurl {
+ url = "https://github.com/Assistant/ModAssistant/releases/download/v1.1.32/ModAssistant.exe";
+ hash = "sha256-ozu2gYFiz+2BjptqL80DmUopbahbyGKFO1IPd7BhVPM=";
+ executable = true;
+ };
 };
 }
- ) cfg.versions;
- binFiles = {
- "${accountSwitch.binDir}/beatsaber/mount.bat" = {
- inherit (bin) owner group mode type;
- src = pkgs.writeTextFile {
- name = "beatsaber-mount.bat";
- executable = true;
- text = mountbeatsaber;
- };
- };
- "${accountSwitch.binDir}/beatsaber/launch.bat" = {
- inherit (bin) owner group mode type;
- src = pkgs.writeTextFile {
- name = "beatsaber-launch.bat";
- executable = true;
- text = launchbeatsaber;
- };
- };
- "${accountSwitch.binDir}/beatsaber/fpfc.bat" = {
- inherit (bin) owner group mode type;
- src = pkgs.writeTextFile {
- name = "beatsaber-fpfc.bat";
- executable = true;
- text = fpfcbeatsaber;
- };
- };
- "${accountSwitch.binDir}/beatsaber/ModAssistant.exe" = {
- inherit (toplevel) owner group;
- mode = "0755";
- type = "copy";
- src = pkgs.fetchurl {
- url = "https://github.com/Assistant/ModAssistant/releases/download/v1.1.32/ModAssistant.exe";
- hash = "sha256-ozu2gYFiz+2BjptqL80DmUopbahbyGKFO1IPd7BhVPM=";
- executable = true;
- };
- };
- } // versionBinFiles;
+ // versionBinFiles;
 in {
 enable = mkIf (cfg.enable || cfg.setup) true;
 files = mkMerge [
diff --git a/modules/nixos/tmpfiles.nix b/modules/nixos/tmpfiles.nix
index 7806dbcf..89fbec1e 100644
--- a/modules/nixos/tmpfiles.nix
+++ b/modules/nixos/tmpfiles.nix
@@ -18,11 +18,17 @@
 systemdFiles = filter (file: file.systemd.enable) files;
 setupFiles = filter (file: !file.systemd.enable) files;
 bindFiles = filter (file: file.type == "bind") files;
- fileModule = { config, name, ... }: {
+ fileModule = {
+ config,
+ name,
+ ...
+ }: {
 options = with lib.types; {
- enable = mkEnableOption "file" // {
- default = true;
- };
+ enable =
+ mkEnableOption "file"
+ // {
+ default = true;
+ };
 mkdirParent = mkEnableOption "mkdir";
 bindReadOnly = mkEnableOption "mount -oro";
 relativeSymlink = mkEnableOption "ln -sr";
@@ -32,8 +38,11 @@
 default = name;
 };
 type = mkOption {
- type = enum [ "directory" "symlink" "link" "copy" "bind" ];
- default = if config.src != null then "symlink" else "directory";
+ type = enum ["directory" "symlink" "link" "copy" "bind"];
+ default =
+ if config.src != null
+ then "symlink"
+ else "directory";
 };
 mode = mkOption {
 type = str;
@@ -71,7 +80,7 @@
 };
 config = let
 acls = concatStringsSep "," config.acls;
- enableAcls = config.type == "directory" && config.acls != [ ];
+ enableAcls = config.type == "directory" && config.acls != [];
 systemdAclRule = "a+ ${config.path} - - - - ${acls}";
 systemdRule = {
 directory = [
@@ -168,7 +177,7 @@ systemd = { rules = mkMerge [ systemdRule.${config.type} - (mkIf enableAcls [ systemdAclRule ]) + (mkIf enableAcls [systemdAclRule]) ]; mountSettings = mkIf (config.type == "bind") { enable = mkDefault config.enable; @@ -191,16 +200,21 @@ }; in { options.services.tmpfiles = with lib.types; { - enable = mkEnableOption "extended tmpfiles" // { - default = cfg.files != { }; - }; + enable = + mkEnableOption "extended tmpfiles" + // { + default = cfg.files != {}; + }; user = mkOption { type = str; - default = if config.proxmoxLXC.privileged or true then "root" else "admin"; + default = + if config.proxmoxLXC.privileged or true + then "root" + else "admin"; }; files = mkOption { type = attrsOf (submodule fileModule); - default = { }; + default = {}; }; }; config = { @@ -209,15 +223,19 @@ in { map (file: file.systemd.rules) systemdFiles ); services.tmpfiles = { - path = [ pkgs.coreutils pkgs.acl ]; + path = [pkgs.coreutils pkgs.acl]; script = mkMerge ( - [ '' - EXITCODE=0 - '' ] + [ + '' + EXITCODE=0 + '' + ] ++ map (file: file.setup.script) setupFiles - ++ [ '' - exit $EXITCODE - '' ] + ++ [ + '' + exit $EXITCODE + '' + ] ); wantedBy = [ "sysinit.target" diff --git a/modules/nixos/users.nix b/modules/nixos/users.nix index 17385b39..b56f210e 100644 --- a/modules/nixos/users.nix +++ b/modules/nixos/users.nix 
@@ -13,28 +13,33 @@ userMatchBlock = user: let inherit (user.openssh) matchBlock; criteria = mapAttrsToList toSshdCriteria matchBlock.criteria; - in mkAfter '' - Match ${concatStringsSep " " criteria} - ${matchBlock.settingsConfig} - ''; - userModule = { config, ... }: let + in + mkAfter '' + Match ${concatStringsSep " " criteria} + ${matchBlock.settingsConfig} + ''; + userModule = {config, ...}: let toSshdValue = value: - if value == true then "yes" - else if value == false then "no" + if value == true + then "yes" + else if value == false + then "no" else toString value; toSshdConf = key: value: "${key} ${toSshdValue value}"; in { options = with lib.types; { openssh.matchBlock = { - enable = mkEnableOption "match block" // { - default = config.openssh.matchBlock.settings != { }; - }; + enable = + mkEnableOption "match block" + // { + default = config.openssh.matchBlock.settings != {}; + }; criteria = mkOption { type = attrsOf str; }; settings = mkOption { - type = attrsOf (oneOf [ str path bool int ]); - default = { }; + type = attrsOf (oneOf [str path bool int]); + default = {}; }; settingsConfig = mkOption { type = lines; diff --git a/modules/nixos/vouch.nix b/modules/nixos/vouch.nix index d4c78424..b204133c 100644 --- a/modules/nixos/vouch.nix +++ b/modules/nixos/vouch.nix @@ -5,11 +5,20 @@ lib, ... }: let - inherit (lib) mkIf mkMerge mkDefault mkOptionDefault mkOption mkEnableOption types - getExe; + inherit + (lib) + mkIf + mkMerge + mkDefault + mkOptionDefault + mkOption + mkEnableOption + types + getExe + ; nixosConfig = config; cfg = config.services.vouch-proxy; - settingsFormat = pkgs.formats.json { }; + settingsFormat = pkgs.formats.json {}; in { options.services.vouch-proxy = with types; { enable = mkEnableOption "vouch"; @@ -35,7 +44,7 @@ in { }; enableSettingsSecrets = mkEnableOption "genJqSecretsReplacementSnippet"; settings = let - settingsModule = { ... }: { + settingsModule = {...}: { freeformType = settingsFormat.type; options = { vouch = { 
@@ -98,13 +107,14 @@ in { }; }; }; - in mkOption { - type = submodule settingsModule; - default = { }; - }; + in + mkOption { + type = submodule settingsModule; + default = {}; + }; extraSettings = mkOption { inherit (settingsFormat) type; - default = { }; + default = {}; }; settingsPath = mkOption { type = path; 
@@ -116,48 +126,51 @@ in { cfg.settings cfg.extraSettings ]; - settingsPath = if cfg.enableSettingsSecrets + settingsPath = + if cfg.enableSettingsSecrets then "/run/vouch-proxy/vouch-config.json" else settingsFormat.generate "vouch-config.json" settings; - in mkMerge [ - { - services.vouch-proxy = { - settingsPath = mkOptionDefault settingsPath; - }; - } - (mkIf cfg.enable { - systemd.services.vouch-proxy = { - description = "Vouch-proxy"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - ExecStartPre = let - preprocess = pkgs.writeShellScript "vouch-proxy-prestart" ( - utils.genJqSecretsReplacementSnippet settings cfg.settingsPath - ); - in mkIf cfg.enableSettingsSecrets [ - "${preprocess}" - ]; - ExecStart = [ - "${getExe pkgs.vouch-proxy} -config ${cfg.settingsPath}" - ]; - Restart = "on-failure"; - RestartSec = mkDefault 5; - WorkingDirectory = "/var/lib/vouch-proxy"; - StateDirectory = "vouch-proxy"; - RuntimeDirectory = "vouch-proxy"; - User = cfg.user; - Group = cfg.group; - StartLimitBurst = mkDefault 3; + in + mkMerge [ + { + services.vouch-proxy = { + settingsPath = mkOptionDefault settingsPath; + }; + } + (mkIf cfg.enable { + systemd.services.vouch-proxy = { + description = "Vouch-proxy"; + after = ["network.target"]; + wantedBy = ["multi-user.target"]; + serviceConfig = { + ExecStartPre = let + preprocess = pkgs.writeShellScript "vouch-proxy-prestart" ( + utils.genJqSecretsReplacementSnippet settings cfg.settingsPath + ); + in + mkIf cfg.enableSettingsSecrets [ + "${preprocess}" + ]; + ExecStart = [ + "${getExe pkgs.vouch-proxy} -config ${cfg.settingsPath}" + ]; + Restart = "on-failure"; + RestartSec = mkDefault 5; + WorkingDirectory = "/var/lib/vouch-proxy"; + StateDirectory = "vouch-proxy"; + RuntimeDirectory = "vouch-proxy"; + User = cfg.user; + Group = cfg.group; + StartLimitBurst = mkDefault 3; + }; }; - }; - users.users.${cfg.user} = { - inherit (cfg) group; - isSystemUser = true; - }; + 
users.users.${cfg.user} = { + inherit (cfg) group; + isSystemUser = true; + }; - users.groups.${cfg.group} = {}; - }) - ]; + users.groups.${cfg.group} = {}; + }) + ]; } diff --git a/nixos/access/freeipa.nix b/nixos/access/freeipa.nix index 64a5dc35..27a686e0 100644 --- a/nixos/access/freeipa.nix +++ b/nixos/access/freeipa.nix @@ -3,8 +3,7 @@ meta, lib, ... -}: -let +}: let inherit (lib.options) mkOption mkEnableOption; inherit (lib.modules) mkIf mkMerge mkBefore mkDefault; inherit (lib.strings) optionalString concatStringsSep; @@ -56,18 +55,22 @@ in { type = str; }; preread = { - enable = mkEnableOption "ssl preread" // { - default = true; - }; + enable = + mkEnableOption "ssl preread" + // { + default = true; + }; port = mkOption { type = port; default = 444; }; }; kerberos = { - enable = mkEnableOption "proxy kerberos" // { - default = true; - }; + enable = + mkEnableOption "proxy kerberos" + // { + default = true; + }; ports = { ticket = mkOption { type = port; @@ -86,7 +89,10 @@ in { proxyPass = mkOption { type = str; default = let - scheme = if access.port == 443 then "https" else "http"; + scheme = + if access.port == 443 + then "https" + else "http"; in "${scheme}://${access.host}:${toString access.port}"; }; domain = mkOption { @@ -130,7 +136,7 @@ in { port = mkDefault access.ldapPort; useACMEHost = mkDefault access.useACMEHost; }; - resolver.addresses = mkIf access.preread.enable [ "[::1]" "127.0.0.1:5353" ]; + resolver.addresses = mkIf access.preread.enable ["[::1]" "127.0.0.1:5353"]; defaultSSLListenPort = mkIf access.preread.enable access.preread.port; streamConfig = let preread = '' @@ -174,10 +180,11 @@ in { proxy_pass ${access.host}:${toString access.kerberos.ports.kpasswd}; } ''; - in mkMerge [ - (mkIf access.preread.enable preread) - (mkIf access.kerberos.enable kerberos) - ]; + in + mkMerge [ + (mkIf access.preread.enable preread) + (mkIf access.kerberos.enable kerberos) + ]; virtualHosts = { ${access.domain} = { inherit locations extraConfig; 
@@ -207,7 +214,7 @@ in { local.enable = true; inherit locations; }; - ${ldap.domain} = { config, ... }: { + ${ldap.domain} = {config, ...}: { useACMEHost = mkDefault virtualHosts.${access.domain}.useACMEHost; addSSL = mkDefault (config.useACMEHost != null); globalRedirect = access.domain; diff --git a/nixos/access/freepbx.nix b/nixos/access/freepbx.nix index 692ce09a..0a842c69 100644 --- a/nixos/access/freepbx.nix +++ b/nixos/access/freepbx.nix @@ -12,9 +12,11 @@ freepbx = config.lib.access.systemFor "freepbx"; in { options.services.nginx.access.freepbx = with lib.types; { - global.enable = mkEnableOption "global access" // { - default = access.useACMEHost != null; - }; + global.enable = + mkEnableOption "global access" + // { + default = access.useACMEHost != null; + }; host = mkOption { type = str; default = freepbx.access.hostnameForNetwork.local; @@ -94,17 +96,19 @@ in { }; "${access.domain}@ucp" = { serverName = access.domain; - listen = concatMap (addr: [ - { - inherit addr; - port = access.ucpPort; - } - (mkIf (access.useACMEHost != null) { - inherit addr; - port = access.ucpSslPort; - ssl = true; - }) - ]) nginx.defaultListenAddresses; + listen = + concatMap (addr: [ + { + inherit addr; + port = access.ucpPort; + } + (mkIf (access.useACMEHost != null) { + inherit addr; + port = access.ucpSslPort; + ssl = true; + }) + ]) + nginx.defaultListenAddresses; proxy.websocket.enable = true; local.enable = mkDefault (!access.global.enable); addSSL = mkDefault (access.useACMEHost != null); 
@@ -116,27 +120,29 @@ in { inherit extraConfig; }; ${access.localDomain} = { - listen = concatMap (addr: [ - { - inherit addr; - port = nginx.defaultHTTPListenPort; - } - { - inherit addr; - port = access.ucpPort; - } - (mkIf (access.useACMEHost != null) { - inherit addr; - port = nginx.defaultSSLListenPort; - ssl = true; - }) - (mkIf (access.useACMEHost != null) { - inherit addr; - port = access.ucpSslPort; - ssl = true; - }) - ]) nginx.defaultListenAddresses; - serverAliases = mkIf tailscale.enable [ access.tailDomain ]; + listen = + concatMap (addr: [ + { + inherit addr; + port = nginx.defaultHTTPListenPort; + } + { + inherit addr; + port = access.ucpPort; + } + (mkIf (access.useACMEHost != null) { + inherit addr; + port = nginx.defaultSSLListenPort; + ssl = true; + }) + (mkIf (access.useACMEHost != null) { + inherit addr; + port = access.ucpSslPort; + ssl = true; + }) + ]) + nginx.defaultListenAddresses; + serverAliases = mkIf tailscale.enable [access.tailDomain]; useACMEHost = mkDefault access.useACMEHost; addSSL = mkDefault (access.useACMEHost != null); kTLS = mkDefault true; @@ -146,7 +152,7 @@ in { }; }; config.networking.firewall = let - websocketPorts = [ access.ucpPort ] ++ optional (access.useACMEHost != null) access.ucpSslPort; + websocketPorts = [access.ucpPort] ++ optional (access.useACMEHost != null) access.ucpSslPort; in { interfaces.local.allowedTCPPorts = websocketPorts; allowedTCPPorts = mkIf access.global.enable websocketPorts; diff --git a/nixos/access/global.nix b/nixos/access/global.nix index 4c46d415..d3c58962 100644 --- a/nixos/access/global.nix +++ b/nixos/access/global.nix @@ -1,7 +1,4 @@ -{ - lib, - ... -}: let +{lib, ...}: let inherit (lib.modules) mkDefault; in { networking = { diff --git a/nixos/access/invidious.nix b/nixos/access/invidious.nix index 73e0e5aa..11915b13 100644 --- a/nixos/access/invidious.nix +++ b/nixos/access/invidious.nix 
@@ -34,12 +34,14 @@ in { url = mkOptionDefault "http://localhost:${toString cfg.port}"; }; virtualHosts = let - invidiousDomains = [ - access.domain - access.localDomain - ] ++ optional tailscale.enable access.tailDomain; + invidiousDomains = + [ + access.domain + access.localDomain + ] + ++ optional tailscale.enable access.tailDomain; contentSecurityPolicy' = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self'; manifest-src 'self'; media-src 'self' blob: https://*.googlevideo.com:443 https://*.youtube.com:443; child-src 'self' blob:; frame-src 'self'; frame-ancestors 'none'"; - contentSecurityPolicy = replaceStrings [ "'self'" ] [ "'self' ${concatStringsSep " " invidiousDomains}" ] contentSecurityPolicy'; + contentSecurityPolicy = replaceStrings ["'self'"] ["'self' ${concatStringsSep " " invidiousDomains}"] contentSecurityPolicy'; extraConfig = '' # Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause send_timeout 100m; @@ -56,14 +58,14 @@ in { ''; }; in { - ${access.domain} = { config, ... }: { + ${access.domain} = {config, ...}: { vouch.enable = true; locations."/" = location; kTLS = mkDefault true; inherit extraConfig; }; - ${access.localDomain} = { config, ... }: { - serverAliases = mkIf tailscale.enable [ access.tailDomain ]; + ${access.localDomain} = {config, ...}: { + serverAliases = mkIf tailscale.enable [access.tailDomain]; local.enable = true; locations."/" = mkMerge [ location diff --git a/nixos/access/kanidm.nix b/nixos/access/kanidm.nix index 43c2919d..e3bcc6f8 100644 --- a/nixos/access/kanidm.nix +++ b/nixos/access/kanidm.nix @@ -3,8 +3,7 @@ meta, lib, ... -}: -let +}: let inherit (lib.options) mkOption; inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault; inherit (config) networking; diff --git a/nixos/access/kitchencam.nix b/nixos/access/kitchencam.nix index 5360f9a3..206cfb95 100644 
--- a/nixos/access/kitchencam.nix +++ b/nixos/access/kitchencam.nix @@ -64,39 +64,47 @@ in { inherit extraConfig; }; }; - streamListen = { config, ... }: { - listen = concatMap (addr: [ - (mkIf config.addSSL { - inherit addr; - port = nginx.defaultSSLListenPort; - ssl = true; - }) - { - inherit addr; - port = nginx.defaultHTTPListenPort; - } - { - inherit addr; - port = access.streamPort; - } - ]) nginx.defaultListenAddresses; + streamListen = {config, ...}: { + listen = + concatMap (addr: [ + (mkIf config.addSSL { + inherit addr; + port = nginx.defaultSSLListenPort; + ssl = true; + }) + { + inherit addr; + port = nginx.defaultHTTPListenPort; + } + { + inherit addr; + port = access.streamPort; + } + ]) + nginx.defaultListenAddresses; }; in { - ${access.domain} = mkMerge [ { - vouch.enable = true; - kTLS = mkDefault true; - inherit (access) useACMEHost; - addSSL = mkDefault (access.useACMEHost != null); - inherit locations; - } streamListen ]; - ${access.localDomain} = mkMerge [ { - serverAliases = mkIf config.services.tailscale.enable [ access.tailDomain ]; - inherit (virtualHosts.${access.domain}) useACMEHost; - addSSL = mkDefault addSSL; - kTLS = mkDefault true; - local.enable = true; - inherit locations; - } streamListen ]; + ${access.domain} = mkMerge [ + { + vouch.enable = true; + kTLS = mkDefault true; + inherit (access) useACMEHost; + addSSL = mkDefault (access.useACMEHost != null); + inherit locations; + } + streamListen + ]; + ${access.localDomain} = mkMerge [ + { + serverAliases = mkIf config.services.tailscale.enable [access.tailDomain]; + inherit (virtualHosts.${access.domain}) useACMEHost; + addSSL = mkDefault addSSL; + kTLS = mkDefault true; + local.enable = true; + inherit locations; + } + streamListen + ]; }; }; config.networking.firewall.allowedTCPPorts = [ diff --git a/nixos/access/ldap.nix b/nixos/access/ldap.nix index f6f746b3..71ddf8bc 100644 --- a/nixos/access/ldap.nix +++ b/nixos/access/ldap.nix 
@@ -2,8 +2,7 @@ config, lib, ... -}: -let +}: let inherit (lib.options) mkOption mkEnableOption; inherit (lib.modules) mkIf mkMerge; inherit (lib.strings) concatMapStringsSep optionalString; @@ -18,9 +17,11 @@ let cidrForNetwork.loopback.all ++ cidrForNetwork.local.all ++ optionals tailscale.enable cidrForNetwork.tail.all; - allows = concatMapStringsSep "\n" mkAllow allowAddresses + optionalString localaddrs.enable '' - include ${localaddrs.stateDir}/*.nginx.conf; - ''; + allows = + concatMapStringsSep "\n" mkAllow allowAddresses + + optionalString localaddrs.enable '' + include ${localaddrs.stateDir}/*.nginx.conf; + ''; in '' ${allows} deny all; @@ -61,28 +62,29 @@ in { proxy_ssl on; proxy_ssl_verify off; ''; - in mkIf access.enable (mkMerge [ - '' - server { - listen 0.0.0.0:389; - listen [::]:389; - ${allows} - proxy_pass ${proxyPass}; - ${proxySsl} - } - '' - (mkIf (access.useACMEHost != null) '' - server { - listen 0.0.0.0:636 ssl; - listen [::]:636 ssl; - ssl_certificate ${cert.directory}/fullchain.pem; - ssl_certificate_key ${cert.directory}/key.pem; - ssl_trusted_certificate ${cert.directory}/chain.pem; - proxy_pass ${proxyPass}; - ${proxySsl} - } - '') - ]); + in + mkIf access.enable (mkMerge [ + '' + server { + listen 0.0.0.0:389; + listen [::]:389; + ${allows} + proxy_pass ${proxyPass}; + ${proxySsl} + } + '' + (mkIf (access.useACMEHost != null) '' + server { + listen 0.0.0.0:636 ssl; + listen [::]:636 ssl; + ssl_certificate ${cert.directory}/fullchain.pem; + ssl_certificate_key ${cert.directory}/key.pem; + ssl_trusted_certificate ${cert.directory}/chain.pem; + proxy_pass ${proxyPass}; + ${proxySsl} + } + '') + ]); }; networking.firewall = { diff --git a/nixos/access/plex.nix b/nixos/access/plex.nix index 11241278..dc0d9788 100644 --- a/nixos/access/plex.nix +++ b/nixos/access/plex.nix 
@@ -70,10 +70,12 @@ in { plex-external = mkIf (access.externalPort != null) { serverName = mkDefault access.domain; default = mkDefault true; - listen = map (addr: { - inherit addr; - port = access.externalPort; - }) nginx.defaultListenAddresses; + listen = + map (addr: { + inherit addr; + port = access.externalPort; + }) + nginx.defaultListenAddresses; locations."/" = location; inherit extraConfig; }; diff --git a/nixos/access/proxmox.nix b/nixos/access/proxmox.nix index 889d83e4..4f2a92cb 100644 --- a/nixos/access/proxmox.nix +++ b/nixos/access/proxmox.nix @@ -14,10 +14,11 @@ proxyPass = "https://reisen.local.${config.networking.domain}:8006/"; unencrypted = mkSnakeOil { name = "prox-local-cert"; - domain = singleton "prox.local.${config.networking.domain}" + domain = + singleton "prox.local.${config.networking.domain}" ++ optional tailscale.enable "prox.tail.${config.networking.domain}"; }; - sslHost = { config, ... }: { + sslHost = {config, ...}: { sslCertificate = mkIf (!config.enableACME && config.useACMEHost == null) unencrypted.fullchain; sslCertificateKey = mkIf (!config.enableACME && config.useACMEHost == null) unencrypted.key; }; 
@@ -91,24 +92,30 @@ in { ${access.domain} = { inherit locations extraConfig; }; - ${access.localDomain} = mkMerge [ { - inherit (virtualHosts.${access.domain}) useACMEHost; - local.enable = mkDefault true; - forceSSL = mkDefault true; - locations."/" = { - proxy.websocket.enable = true; - inherit proxyPass extraConfig; - }; - } sslHost ]; - ${access.tailDomain} = mkIf tailscale.enable (mkMerge [ { - inherit (virtualHosts.${access.domain}) useACMEHost; - addSSL = mkDefault true; - local.enable = mkDefault true; - locations."/" = { - proxy.websocket.enable = true; - inherit proxyPass extraConfig; - }; - } sslHost ]); + ${access.localDomain} = mkMerge [ + { + inherit (virtualHosts.${access.domain}) useACMEHost; + local.enable = mkDefault true; + forceSSL = mkDefault true; + locations."/" = { + proxy.websocket.enable = true; + inherit proxyPass extraConfig; + }; + } + sslHost + ]; + ${access.tailDomain} = mkIf tailscale.enable (mkMerge [ + { + inherit (virtualHosts.${access.domain}) useACMEHost; + addSSL = mkDefault true; + local.enable = mkDefault true; + locations."/" = { + proxy.websocket.enable = true; + inherit proxyPass extraConfig; + }; + } + sslHost + ]); }; config.sops.secrets.access-proxmox = { diff --git a/nixos/access/unifi.nix b/nixos/access/unifi.nix index 04db617e..3af5778d 100644 --- a/nixos/access/unifi.nix +++ b/nixos/access/unifi.nix @@ -10,9 +10,11 @@ in { options.services.nginx.access.unifi = with lib.types; { global = { - enable = mkEnableOption "global access" // { - default = access.useACMEHost != null; - }; + enable = + mkEnableOption "global access" + // { + default = access.useACMEHost != null; + }; management = mkEnableOption "global management port access"; }; host = mkOption { 
@@ -59,11 +61,13 @@ in { }; in { "${access.domain}@management" = mkIf access.global.management { - listen = map (addr: { - inherit addr; - port = access.managementPort; - ssl = true; - }) nginx.defaultListenAddresses; + listen = + map (addr: { + inherit addr; + port = access.managementPort; + ssl = true; + }) + nginx.defaultListenAddresses; serverName = access.domain; default = mkDefault true; forceSSL = mkDefault true; @@ -81,7 +85,7 @@ in { inherit locations extraConfig; }; ${access.localDomain} = { - serverAliases = mkIf tailscale.enable [ access.tailDomain ]; + serverAliases = mkIf tailscale.enable [access.tailDomain]; useACMEHost = mkDefault access.useACMEHost; addSSL = mkDefault (access.useACMEHost != null); kTLS = mkDefault true; @@ -91,7 +95,7 @@ in { }; }; config.networking.firewall = { - interfaces.local.allowedTCPPorts = [ access.managementPort ]; - allowedTCPPorts = mkIf access.global.management [ access.managementPort ]; + interfaces.local.allowedTCPPorts = [access.managementPort]; + allowedTCPPorts = mkIf access.global.management [access.managementPort]; }; } diff --git a/nixos/access/vouch.nix b/nixos/access/vouch.nix index 690b622a..59059d55 100644 --- a/nixos/access/vouch.nix +++ b/nixos/access/vouch.nix @@ -35,8 +35,12 @@ in { access.vouch = mkIf cfg.enable { url = let inherit (cfg.settings.vouch) listen; - host = if listen == "0.0.0.0" || listen == "[::]" then "localhost" else listen; - in mkOptionDefault "http://${host}:${toString cfg.port}"; + host = + if listen == "0.0.0.0" || listen == "[::]" + then "localhost" + else listen; + in + mkOptionDefault "http://${host}:${toString cfg.port}"; }; virtualHosts = let locations = { 
@@ -46,17 +50,20 @@ in { proxy_redirect default; ''; }; - "/validate" = { config, ... }: { + "/validate" = {config, ...}: { proxyPass = mkDefault (access.url + "/validate"); recommendedProxySettings = mkDefault false; - extraConfig = if config.local.trusted then '' - if ($http_x_host = ''') { - set $http_x_host $host; - } - proxy_set_header Host $http_x_host; - '' else '' - proxy_set_header Host $host; - ''; + extraConfig = + if config.local.trusted + then '' + if ($http_x_host = ''') { + set $http_x_host $host; + } + proxy_set_header Host $http_x_host; + '' + else '' + proxy_set_header Host $host; + ''; }; }; localLocations = kanidmDomain: { diff --git a/nixos/access/zigbee2mqtt.nix b/nixos/access/zigbee2mqtt.nix index e0a53128..305bb75a 100644 --- a/nixos/access/zigbee2mqtt.nix +++ b/nixos/access/zigbee2mqtt.nix @@ -2,8 +2,7 @@ config, lib, ... -}: -let +}: let inherit (lib.options) mkOption; inherit (lib.modules) mkIf mkDefault mkOptionDefault; cfg = config.services.zigbee2mqtt; @@ -46,7 +45,7 @@ in { locations."/" = location; }; ${access.localDomain} = { - serverAliases = mkIf config.services.tailscale.enable [ access.tailDomain ]; + serverAliases = mkIf config.services.tailscale.enable [access.tailDomain]; local.enable = true; locations."/" = location; }; diff --git a/nixos/acme.nix b/nixos/acme.nix index 1600f085..831b33f0 100644 --- a/nixos/acme.nix +++ b/nixos/acme.nix 
@@ -8,18 +8,30 @@ inherit (lib.lists) head optional; cfg = config.security.acme; mkHash = with builtins; val: substring 0 20 (hashString "sha256" val); - mkAccountHash = { server ? null, keyType, email }: mkHash "${toString server} ${keyType} ${email}"; + mkAccountHash = { + server ? null, + keyType, + email, + }: + mkHash "${toString server} ${keyType} ${email}"; mkHost = server: head (splitString "/" (removePrefix "https://" server)); - mkAccountDir = { server ? null, email, keyType }: concatStringsSep "/" ([ - accountDirRoot - (mkAccountHash { inherit server email keyType; }) - ] ++ optional (server != null) ( - mkHost server - ) ++ [ - cfg.defaults.email - ]); + mkAccountDir = { + server ? null, + email, + keyType, + }: + concatStringsSep "/" ([ + accountDirRoot + (mkAccountHash {inherit server email keyType;}) + ] + ++ optional (server != null) ( + mkHost server + ) + ++ [ + cfg.defaults.email + ]); accountDirRoot = "/var/lib/acme/.lego/accounts"; - addr = concatStringsSep "@" [ "gensokyo" "arcn.mx" ]; + addr = concatStringsSep "@" ["gensokyo" "arcn.mx"]; in { security.acme = { acceptTerms = true; @@ -35,16 +47,19 @@ in { }; }; sops.secrets = let - accountDir = mkAccountDir { inherit (cfg.defaults) server email keyType; }; + accountDir = mkAccountDir {inherit (cfg.defaults) server email keyType;}; acmeSecret = { sopsFile = mkDefault ./secrets/acme.yaml; owner = "acme"; group = "nginx"; }; in { - acme_account_key = mkMerge [ acmeSecret { - path = accountDir + "/keys/${cfg.defaults.email}.key"; - } ]; + acme_account_key = mkMerge [ + acmeSecret + { + path = accountDir + "/keys/${cfg.defaults.email}.key"; + } + ]; acme_cloudflare_email = acmeSecret; acme_cloudflare_token = acmeSecret; }; diff --git a/nixos/avahi.nix b/nixos/avahi.nix index fe00fcf2..4f7633d4 100644 --- a/nixos/avahi.nix +++ b/nixos/avahi.nix 
@@ -26,7 +26,7 @@ in { daemon = "avahi-daemon.service"; avahi-daemon-watchdog = pkgs.writeShellScript "avahi-daemon-watchdog" '' set -eu - export PATH="$PATH:${makeBinPath [ config.systemd.package pkgs.coreutils pkgs.gnugrep ]}" + export PATH="$PATH:${makeBinPath [config.systemd.package pkgs.coreutils pkgs.gnugrep]}" while read -r line; do if [[ $line = *"Host name conflict"* ]]; then if systemctl is-active ${daemon} > /dev/null; then @@ -38,22 +38,23 @@ in { fi done < <(journalctl -o cat -feu ${daemon} | grep -F 'Host name conflict, retrying with ') ''; - in mkIf (cfg.enable && cfg.publish.enable) { - avahi-daemon = { - serviceConfig = { - inherit RestartSec; + in + mkIf (cfg.enable && cfg.publish.enable) { + avahi-daemon = { + serviceConfig = { + inherit RestartSec; + }; + }; + avahi-daemon-watchdog = { + wantedBy = [daemon]; + serviceConfig = { + Type = mkOptionDefault "exec"; + ExecStart = [ + "${avahi-daemon-watchdog}" + ]; + Restart = mkOptionDefault "on-failure"; + RestartSec = mkOptionDefault RestartSec; + }; }; }; - avahi-daemon-watchdog = { - wantedBy = [ daemon ]; - serviceConfig = { - Type = mkOptionDefault "exec"; - ExecStart = [ - "${avahi-daemon-watchdog}" - ]; - Restart = mkOptionDefault "on-failure"; - RestartSec = mkOptionDefault RestartSec; - }; - }; - }; } diff --git a/nixos/base/access.nix b/nixos/base/access.nix index c840a387..8ff72afd 100644 --- a/nixos/base/access.nix +++ b/nixos/base/access.nix 
@@ -28,12 +28,11 @@ users.users.root = { hashedPassword = "$6$i28yOXoo$/WokLdKds5ZHtJHcuyGrH2WaDQQk/2Pj0xRGLgS8UcmY2oMv3fw2j/85PRpsJJwCB2GBRYRK5LlvdTleHd3mB."; - openssh.authorizedKeys.keys = with pkgs.lib; - (concatLists (mapAttrsToList - (name: user: - if elem "wheel" user.extraGroups - then user.openssh.authorizedKeys.keys - else []) - config.users.users)); + openssh.authorizedKeys.keys = with pkgs.lib; (concatLists (mapAttrsToList + (name: user: + if elem "wheel" user.extraGroups + then user.openssh.authorizedKeys.keys + else []) + config.users.users)); }; } diff --git a/nixos/base/documentation.nix b/nixos/base/documentation.nix index dcb12386..0b43a4b1 100644 --- a/nixos/base/documentation.nix +++ b/nixos/base/documentation.nix @@ -1,3 +1,3 @@ -{ config, ... }: { +{config, ...}: { documentation.nixos.enable = false; } diff --git a/nixos/base/kitty.nix b/nixos/base/kitty.nix index 1050fbeb..ee2de700 100644 --- a/nixos/base/kitty.nix +++ b/nixos/base/kitty.nix @@ -1,5 +1,7 @@ -{ config, pkgs, ... }: - { - environment.systemPackages = [ pkgs.buildPackages.buildPackages.kitty.terminfo ]; + config, + pkgs, + ... +}: { + environment.systemPackages = [pkgs.buildPackages.buildPackages.kitty.terminfo]; } diff --git a/nixos/base/nix.nix b/nixos/base/nix.nix index 63e245b5..c8d59715 100644 --- a/nixos/base/nix.nix +++ b/nixos/base/nix.nix @@ -1,4 +1,10 @@ -{ config, options, lib, inputs, ... }: let +{ + config, + options, + lib, + inputs, + ... +}: let inherit (lib.modules) mkIf mkDefault; hasSops = options ? sops; in { @@ -25,7 +31,8 @@ in { experimental-features = lib.optional (lib.versionAtLeast config.nix.package.version "2.4") "nix-command flakes"; substituters = [ "https://gensokyo-infrastructure.cachix.org" - "https://arc.cachix.org" "https://kittywitch.cachix.org" + "https://arc.cachix.org" + "https://kittywitch.cachix.org" "https://nix-community.cachix.org" ]; trusted-public-keys = [ 
@@ -36,7 +43,7 @@ in { "ryantrinkle.com-1:JJiAKaRv9mWgpVAz8dwewnZe0AzzEAzPkagE9SP5NWI=" ]; auto-optimise-store = true; - trusted-users = [ "root" "@wheel" ]; + trusted-users = ["root" "@wheel"]; }; extraOptions = mkIf hasSops '' !include ${config.sops.secrets.github-access-token-public.path} @@ -47,7 +54,11 @@ in { options = mkDefault "--delete-older-than 7d"; }; }; - ${if hasSops then "sops" else null}.secrets.github-access-token-public = { + ${ + if hasSops + then "sops" + else null + }.secrets.github-access-token-public = { sopsFile = mkDefault ../secrets/nix.yaml; group = mkDefault "users"; mode = mkDefault "0644"; diff --git a/nixos/base/nixpkgs.nix b/nixos/base/nixpkgs.nix index eab9b4bb..92288607 100644 --- a/nixos/base/nixpkgs.nix +++ b/nixos/base/nixpkgs.nix @@ -1,7 +1,4 @@ -{ - inputs, - ... -}: { +{inputs, ...}: { nixpkgs = { overlays = [ inputs.arcexprs.overlays.default diff --git a/nixos/base/packages.nix b/nixos/base/packages.nix index f76f9351..e2945790 100644 --- a/nixos/base/packages.nix +++ b/nixos/base/packages.nix @@ -1,11 +1,16 @@ -{ config, lib, pkgs, ... }: - { - environment.systemPackages = with pkgs; [ - neofetch - smartmontools - hddtemp - lm_sensors - gnupg - ] ++ (lib.optional config.programs.gnupg.agent.enable pinentry-curses); + config, + lib, + pkgs, + ... +}: { + environment.systemPackages = with pkgs; + [ + neofetch + smartmontools + hddtemp + lm_sensors + gnupg + ] + ++ (lib.optional config.programs.gnupg.agent.enable pinentry-curses); } diff --git a/nixos/base/shell.nix b/nixos/base/shell.nix index de044488..eab29847 100644 --- a/nixos/base/shell.nix +++ b/nixos/base/shell.nix @@ -1,6 +1,4 @@ -{ config, ... }: - -{ +{config, ...}: { programs.zsh = { enable = true; enableCompletion = true; diff --git a/nixos/base/ssh.nix b/nixos/base/ssh.nix index f2a587dc..14b6f6a9 100644 --- a/nixos/base/ssh.nix +++ b/nixos/base/ssh.nix 
@@ -29,7 +29,7 @@ in { }; networking.firewall = { allowedTCPPorts = [publicPort]; - interfaces.local.allowedTCPPorts = [ 22 ]; + interfaces.local.allowedTCPPorts = [22]; }; programs.mosh.enable = true; diff --git a/nixos/base/time.nix b/nixos/base/time.nix index ac892dbf..cb2c6125 100644 --- a/nixos/base/time.nix +++ b/nixos/base/time.nix @@ -1,3 +1,3 @@ -{ config, ... }: { +{config, ...}: { services.tzupdate.enable = true; } diff --git a/nixos/base/urxvt.nix b/nixos/base/urxvt.nix index ec208f50..89d3dafa 100644 --- a/nixos/base/urxvt.nix +++ b/nixos/base/urxvt.nix @@ -1,6 +1,4 @@ -{ pkgs, ... }: - -{ +{pkgs, ...}: { environment.systemPackages = [ pkgs.buildPackages.rxvt-unicode-unwrapped.terminfo ]; diff --git a/nixos/bazarr.nix b/nixos/bazarr.nix index a2dada88..c9409e84 100644 --- a/nixos/bazarr.nix +++ b/nixos/bazarr.nix @@ -1,12 +1,9 @@ -{ - lib, - ... -}: let +{lib, ...}: let inherit (lib.modules) mkDefault; in { services.bazarr = { enable = mkDefault true; listenPort = mkDefault 6767; }; - users.users.bazarr.extraGroups = [ "kyuuto" ]; + users.users.bazarr.extraGroups = ["kyuuto"]; } diff --git a/nixos/ddclient.nix b/nixos/ddclient.nix index 54931519..8b31a101 100644 --- a/nixos/ddclient.nix +++ b/nixos/ddclient.nix 
@@ -14,26 +14,30 @@ in { protocol = mkDefault "cloudflare"; zone = mkDefault config.networking.domain; use = "no"; - domains = [ ]; - extraConfig = mkMerge [ (mkIf config.networking.enableIPv6 '' - usev6=webv6, webv6=https://ipv6.nsupdate.info/myip - '') '' - usev4=webv4, webv4=https://ipv4.nsupdate.info/myip - max-interval=1d - '' ]; + domains = []; + extraConfig = mkMerge [ + (mkIf config.networking.enableIPv6 '' + usev6=webv6, webv6=https://ipv6.nsupdate.info/myip + '') + '' + usev4=webv4, webv4=https://ipv4.nsupdate.info/myip + max-interval=1d + '' + ]; passwordFile = config.sops.secrets.dyndns_cloudflare_token.path; }; systemd.services.ddclient = mkIf cfg.enable rec { - wants = [ "network-online.target" ]; + wants = ["network-online.target"]; after = wants; - wantedBy = mkForce [ ]; + wantedBy = mkForce []; serviceConfig = { ExecStartPre = let inherit (config.systemd.services.ddclient.serviceConfig) RuntimeDirectory; prestart-domains = pkgs.writeShellScript "ddclient-prestart-domains" '' cat ${config.sops.secrets.dyndns_ddclient_domains.path} >> /run/${RuntimeDirectory}/ddclient.conf ''; - in mkAfter [ "!${prestart-domains}" ]; + in + mkAfter ["!${prestart-domains}"]; TimeoutStartSec = 90; LogFilterPatterns = [ "~WARNING" diff --git a/nixos/deluge.nix b/nixos/deluge.nix index 0081486f..21b32ddc 100644 --- a/nixos/deluge.nix +++ b/nixos/deluge.nix 
@@ -42,28 +42,32 @@ in { parent = builtins.dirOf downloadDir; hasCompletedSubdir = completedDir != null && hasPrefix parent completedDir; completedSubdir = removePrefix parent completedDir; - download = if hasCompletedSubdir then { - path = parent; - subdirectories = [ - (builtins.baseNameOf downloadDir) - completedSubdir - ]; - } else { - path = downloadDir; - }; + download = + if hasCompletedSubdir + then { + path = parent; + subdirectories = [ + (builtins.baseNameOf downloadDir) + completedSubdir + ]; + } + else { + path = downloadDir; + }; completed = { path = cfg.config.move_completed_path; }; - in mkIf cfg.enable (mkAfter [ - download - (mkIf (completedDir != null && !hasCompletedSubdir) completed) - ]); + in + mkIf cfg.enable (mkAfter [ + download + (mkIf (completedDir != null && !hasCompletedSubdir) completed) + ]); users.users = mkIf cfg.enable (mkMerge [ { - deluge.extraGroups = [ "kyuuto" ]; + deluge.extraGroups = ["kyuuto"]; } (mkIf mediatomb.enable { - ${mediatomb.user}.extraGroups = [ cfg.group ]; + ${mediatomb.user}.extraGroups = [cfg.group]; }) ]); } diff --git a/nixos/github-runner/zone.nix b/nixos/github-runner/zone.nix index 3db4bb89..475ecf4e 100644 --- a/nixos/github-runner/zone.nix +++ b/nixos/github-runner/zone.nix @@ -14,9 +14,11 @@ genZoneAttrs = prefix: f: listToAttrs (genZone (i: nameValuePair "${prefix}${toString i}" (f i))); in { options.services.github-runner-zone = with lib.types; { - enable = mkEnableOption "github-runners.zone" // { - default = true; - }; + enable = + mkEnableOption "github-runners.zone" + // { + default = true; + }; targetName = mkOption { type = str; default = "github-runner-zone"; 
@@ -64,7 +66,7 @@ in { enable = mkDefault true; ephemeral = mkDefault cfg.ephemeral; replace = mkDefault true; - extraLabels = [ "ubuntu-latest" ]; + extraLabels = ["ubuntu-latest"]; tokenFile = mkDefault config.sops.secrets.github-runner-gensokyo-zone-token.path; url = mkDefault "https://github.com/gensokyo-zone"; group = mkDefault cfg.group; @@ -73,9 +75,9 @@ in { }; networkNamespace.name = mkIf (cfg.networkNamespace.name != null) (mkDefault cfg.networkNamespace.name); serviceSettings = { - wantedBy = [ "${cfg.targetName}.target" ]; + wantedBy = ["${cfg.targetName}.target"]; unitConfig = { - StopPropagatedFrom = [ "${cfg.targetName}.target" ]; + StopPropagatedFrom = ["${cfg.targetName}.target"]; }; }; serviceOverrides = mkIf (!cfg.dynamicUser) { @@ -88,15 +90,16 @@ in { }; }; - services.github-runners = genZoneAttrs cfg.keyPrefix (i: mkMerge [ - (unmerged.merge cfg.runnerSettings) - { - name = mkDefault "${cfg.namePrefix}${toString i}"; - user = mkIf (cfg.userPrefix != null) ( - mkDefault "${cfg.userPrefix}${toString i}" - ); - } - ]); + services.github-runners = genZoneAttrs cfg.keyPrefix (i: + mkMerge [ + (unmerged.merge cfg.runnerSettings) + { + name = mkDefault "${cfg.namePrefix}${toString i}"; + user = mkIf (cfg.userPrefix != null) ( + mkDefault "${cfg.userPrefix}${toString i}" + ); + } + ]); systemd = mkIf cfg.enable { services.nix-daemon = mkIf cfg.enable { @@ -106,13 +109,13 @@ in { }; }; targets.${cfg.targetName} = { - wantedBy = [ "multi-user.target" ]; + wantedBy = ["multi-user.target"]; }; }; users = mkIf cfg.enable { groups = mkIf (cfg.group != null) { - ${toString cfg.group} = { }; + ${toString cfg.group} = {}; }; users = mkMerge [ (mkIf (!cfg.dynamicUser) (genZoneAttrs cfg.userPrefix (i: { diff --git a/nixos/home-assistant.nix b/nixos/home-assistant.nix index cdf7cb43..80e4988b 100644 --- a/nixos/home-assistant.nix +++ b/nixos/home-assistant.nix 
@@ -85,17 +85,19 @@ in { ]; entity_config = {}; }; - homekit = [ { - name = "Tewi"; - port = 21063; - filter = let - inherit (cfg.config) google_assistant; - in { - include_domains = google_assistant.exposed_domains; - include_entities = "!include homekit_include_entities.yaml"; - }; - entity_config = "!include homekit_entity_config.yaml"; - } ]; + homekit = [ + { + name = "Tewi"; + port = 21063; + filter = let + inherit (cfg.config) google_assistant; + in { + include_domains = google_assistant.exposed_domains; + include_entities = "!include homekit_include_entities.yaml"; + }; + entity_config = "!include homekit_entity_config.yaml"; + } + ]; tts = [ { platform = "google_translate"; diff --git a/nixos/invidious.nix b/nixos/invidious.nix index f31e6475..28a02b2f 100644 --- a/nixos/invidious.nix +++ b/nixos/invidious.nix @@ -1,4 +1,8 @@ -{ config, lib, ... }: let +{ + config, + lib, + ... +}: let inherit (lib.modules) mkIf mkDefault mkForce; cfg = config.services.invidious; in { @@ -6,12 +10,13 @@ in { commonSecret = { sopsFile = ./secrets/invidious.yaml; owner = "invidious"; - }; in { + }; + in { invidious_db_password = commonSecret; invidious_hmac_key = commonSecret; }; - networking.firewall.interfaces.local.allowedTCPPorts = [ cfg.port ]; + networking.firewall.interfaces.local.allowedTCPPorts = [cfg.port]; users.groups.invidious = {}; users.users.invidious = { isSystemUser = true; diff --git a/nixos/kyuuto/mount.nix b/nixos/kyuuto/mount.nix index 69e42510..4cee3dc5 100644 --- a/nixos/kyuuto/mount.nix +++ b/nixos/kyuuto/mount.nix @@ -34,7 +34,7 @@ in { }; gameLibraries = mkOption { type = listOf str; - default = [ "PC" ]; + default = ["PC"]; }; }; @@ -42,10 +42,19 @@ in { kyuuto = { gameLibraries = [ "PC" - "Wii" "Gamecube" "N64" "SNES" "NES" - "NDS" "GBA" "GBC" - "PS3" "PS2" "PS1" - "PSVita" "PSP" + "Wii" + "Gamecube" + "N64" + "SNES" + "NES" + "NDS" + "GBA" + "GBC" + "PS3" + "PS2" + "PS1" + "PSVita" + "PSP" "Genesis" ]; }; 
@@ -74,7 +83,7 @@ in { { ${cfg.shareDir} = mkMerge [ shared - { group = "peeps"; } + {group = "peeps";} ]; ${cfg.transferDir} = shared; ${cfg.libraryDir} = shared; @@ -108,28 +117,34 @@ in { }; users = let - mapId = id: if config.proxmoxLXC.privileged or true then 100000 + id else id; + mapId = id: + if config.proxmoxLXC.privileged or true + then 100000 + id + else id; mkDummyUsers = { name, group ? name, - enable ? !config.services.${serviceName}.enable, serviceName ? name, + enable ? !config.services.${serviceName}.enable, + serviceName ? name, uid ? config.ids.uids.${name}, gid ? config.ids.gids.${group}, - }: mkIf enable { - users.${name} = { - group = mkIf (group != null) group; - uid = mapId uid; - isSystemUser = true; + }: + mkIf enable { + users.${name} = { + group = mkIf (group != null) group; + uid = mapId uid; + isSystemUser = true; + }; + groups.${group} = { + gid = mapId gid; + }; }; - groups.${group} = { - gid = mapId gid; - }; - }; - in mkMerge [ - (mkDummyUsers { name = "deluge"; }) - (mkDummyUsers { name = "radarr"; }) - (mkDummyUsers { name = "sonarr"; }) - (mkDummyUsers { name = "lidarr"; }) - ]; + in + mkMerge [ + (mkDummyUsers {name = "deluge";}) + (mkDummyUsers {name = "radarr";}) + (mkDummyUsers {name = "sonarr";}) + (mkDummyUsers {name = "lidarr";}) + ]; }; } diff --git a/nixos/kyuuto/nfs.nix b/nixos/kyuuto/nfs.nix index f501607f..28a3547e 100644 --- a/nixos/kyuuto/nfs.nix +++ b/nixos/kyuuto/nfs.nix @@ -1,4 +1,3 @@ - { config, lib, diff --git a/nixos/kyuuto/opl.nix b/nixos/kyuuto/opl.nix index 895c870f..34c797b8 100644 --- a/nixos/kyuuto/opl.nix +++ b/nixos/kyuuto/opl.nix @@ -10,9 +10,11 @@ cfg = kyuuto.opl; in { options.kyuuto.opl = with lib.types; { - enable = mkEnableOption "hosting" // { - default = config.services.samba.enable; - }; + enable = + mkEnableOption "hosting" + // { + default = config.services.samba.enable; + }; user = mkOption { type = str; default = "opl"; 
@@ -39,22 +41,25 @@ in { }; shares.opl = let inherit (config.networking.access) cidrForNetwork; - localAddrs = cidrForNetwork.loopback.all ++ cidrForNetwork.local.all + localAddrs = + cidrForNetwork.loopback.all + ++ cidrForNetwork.local.all ++ lib.optionals config.services.tailscale.enable cidrForNetwork.tail.all; - in mkIf cfg.enable { - comment = "Kyuuto Media OPL"; - path = cfg.rootDir; - writeable = true; - browseable = true; - public = false; - "valid users" = [ - cfg.user - "@kyuuto-peeps" - ]; - "strict sync" = false; - "keepalive" = 0; - "hosts allow" = localAddrs; - }; + in + mkIf cfg.enable { + comment = "Kyuuto Media OPL"; + path = cfg.rootDir; + writeable = true; + browseable = true; + public = false; + "valid users" = [ + cfg.user + "@kyuuto-peeps" + ]; + "strict sync" = false; + "keepalive" = 0; + "hosts allow" = localAddrs; + }; }; services.tmpfiles = let setupFiles = { diff --git a/nixos/kyuuto/samba.nix b/nixos/kyuuto/samba.nix index 2b67d257..bd3018d7 100644 --- a/nixos/kyuuto/samba.nix +++ b/nixos/kyuuto/samba.nix @@ -1,4 +1,3 @@ - { config, lib, @@ -9,17 +8,21 @@ inherit (config.networking.access) cidrForNetwork; inherit (config) kyuuto; cfg = config.services.samba; - localAddrs = cidrForNetwork.loopback.all ++ cidrForNetwork.local.all + localAddrs = + cidrForNetwork.loopback.all + ++ cidrForNetwork.local.all ++ optionals config.services.tailscale.enable cidrForNetwork.tail.all; - guestUsers = mkIf cfg.guest.enable [ cfg.guest.user ]; + guestUsers = mkIf cfg.guest.enable [cfg.guest.user]; kyuuto-media = { "create mask" = "0664"; "force directory mode" = "3000"; "directory mask" = "7775"; }; - kyuuto-library = kyuuto-media // { - "acl group control" = true; - }; + kyuuto-library = + kyuuto-media + // { + "acl group control" = true; + }; in { services.samba = { usershare = { @@ -35,7 +38,7 @@ in { public = true; "valid users" = mkMerge [ guestUsers - [ "@peeps" ] + ["@peeps"] ]; #"guest only" = true; "hosts allow" = localAddrs; 
@@ -54,10 +57,10 @@ in { public = true; "valid users" = mkMerge [ guestUsers - [ "@kyuuto-peeps" ] + ["@kyuuto-peeps"] ]; "read list" = guestUsers; - "write list" = [ "@kyuuto-peeps" ]; + "write list" = ["@kyuuto-peeps"]; "hosts allow" = localAddrs; } ]; @@ -69,7 +72,7 @@ in { writeable = true; public = false; browseable = false; - "valid users" = [ "@kyuuto-peeps" ]; + "valid users" = ["@kyuuto-peeps"]; } ]; kyuuto-media = mkMerge [ @@ -80,7 +83,7 @@ in { writeable = true; public = false; browseable = false; - "valid users" = [ "@kyuuto-peeps" ]; + "valid users" = ["@kyuuto-peeps"]; } ]; shared = { @@ -89,7 +92,7 @@ in { writeable = true; public = false; browseable = false; - "valid users" = [ "@peeps" ]; + "valid users" = ["@peeps"]; "create mask" = "0775"; "force create mode" = "0010"; "force directory mode" = "2000"; @@ -99,7 +102,7 @@ in { writeable = true; browseable = true; public = false; - "valid users" = [ "@peeps" ]; + "valid users" = ["@peeps"]; "create mask" = "0664"; "force directory mode" = "5000"; "directory mask" = "7775"; @@ -108,5 +111,5 @@ in { }; # give guest users proper access to the transfer share - users.users.guest.extraGroups = [ "kyuuto" ]; + users.users.guest.extraGroups = ["kyuuto"]; } diff --git a/nixos/lidarr.nix b/nixos/lidarr.nix index df05bd67..3bf4ec9b 100644 --- a/nixos/lidarr.nix +++ b/nixos/lidarr.nix @@ -2,5 +2,5 @@ _: { services.lidarr = { enable = true; }; - users.users.lidarr.extraGroups = [ "kyuuto" ]; + users.users.lidarr.extraGroups = ["kyuuto"]; } diff --git a/nixos/mediatomb.nix b/nixos/mediatomb.nix index 634f0c9e..2816cb19 100644 --- a/nixos/mediatomb.nix +++ b/nixos/mediatomb.nix @@ -12,6 +12,6 @@ in { uuid = mkDefault "082fd344-bf69-5b72-a68f-a5a4d88e76b2"; }; config.users.users = mkIf cfg.enable { - ${cfg.user}.extraGroups = [ "kyuuto" ]; + ${cfg.user}.extraGroups = ["kyuuto"]; }; } diff --git a/nixos/nfs.nix b/nixos/nfs.nix index 4d4c9694..f1d6a0b3 100644 --- a/nixos/nfs.nix +++ b/nixos/nfs.nix 
@@ -29,9 +29,9 @@ in { idmapd.settings = { General.Domain = mkDefault config.networking.domain; Translation.GSS-Methods = concatStringsSep "," ( - [ "static" ] + ["static"] ++ optional enableLdap "umich_ldap" - ++ [ "nsswitch" ] + ++ ["nsswitch"] ); Static = { }; diff --git a/nixos/ombi.nix b/nixos/ombi.nix index 8b0956c3..7e2149b8 100644 --- a/nixos/ombi.nix +++ b/nixos/ombi.nix @@ -1,7 +1,4 @@ -{ - lib, - ... -}: let +{lib, ...}: let inherit (lib.modules) mkDefault; in { services.ombi = { diff --git a/nixos/plex.nix b/nixos/plex.nix index 553620fd..e14be9bd 100644 --- a/nixos/plex.nix +++ b/nixos/plex.nix @@ -1,4 +1,9 @@ -{config, lib, pkgs, ...}: let +{ + config, + lib, + pkgs, + ... +}: let inherit (lib.modules) mkIf mkForce mkDefault; inherit (lib.strings) escapeShellArg; cfg = config.services.plex; @@ -21,9 +26,10 @@ in { fi ${pkgs.coreutils}/bin/ln -sfT ../Cache "$PLEX_DATADIR/Plex Media Server/Cache" ''; - in mkForce [ - ''!${preStartScript}'' - ]; + in + mkForce [ + ''!${preStartScript}'' + ]; # KillMode = "mixed" doesn't behave as expected... TimeoutStopSec = 5; }; diff --git a/nixos/postgres.nix b/nixos/postgres.nix index 64f41f43..508ced09 100644 --- a/nixos/postgres.nix +++ b/nixos/postgres.nix @@ -8,7 +8,7 @@ in { services.postgresql = { enable = mkDefault true; - ensureDatabases = ["hass" "invidious" "dex"]; + ensureDatabases = ["hass" "invidious" "dex" "keycloak"]; ensureUsers = [ { name = "hass"; @@ -25,6 +25,11 @@ in { ensureDBOwnership = true; authentication.local.allow = true; } + { + name = "keycloak"; + ensureDBOwnership = true; + authentication.local.allow = true; + } ]; }; diff --git a/nixos/radarr.nix b/nixos/radarr.nix index 271b4158..ca396d7e 100644 --- a/nixos/radarr.nix +++ b/nixos/radarr.nix @@ -3,5 +3,5 @@ _: { enable = true; }; - users.users.radarr.extraGroups = [ "kyuuto" ]; + users.users.radarr.extraGroups = ["kyuuto"]; } diff --git a/nixos/readarr.nix b/nixos/readarr.nix index 2e744eed..9d60a947 100644 --- a/nixos/readarr.nix 
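Review bot: The `keycloak` entry added to `ensureDatabases` and `ensureUsers` in nixos/postgres.nix (with `ensureDBOwnership = true; authentication.local.allow = true;`) is a functional change to database access control, yet it is buried in a commit described as a pure alejandra formatting pass, where a reviewer scanning for whitespace-only changes will miss it. The re-encrypted `postgresql-init` secret in nixos/secrets/postgres.yaml appears to belong to the same change, and its new contents are not reviewable from the diff. `authentication.local.allow` does not look like a stock nixpkgs `ensureUsers` option, so presumably it is handled by a local module; what the role is granted by it is worth a comment next to the entry, e.g. `# keycloak: owns its database; local (socket) auth only`. Splitting the keycloak grant and the secret rotation into their own commit with a one-line rationale would keep both reviewable.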
+++ b/nixos/readarr.nix
@@ -2,5 +2,5 @@ _: {
 services.readarr = {
 enable = true;
 };
- users.users.readarr.extraGroups = [ "kyuuto" ];
+ users.users.readarr.extraGroups = ["kyuuto"];
 }
diff --git a/nixos/reisen-ct/filesystem.nix b/nixos/reisen-ct/filesystem.nix
index fb7c7e8d..33b3997a 100644
--- a/nixos/reisen-ct/filesystem.nix
+++ b/nixos/reisen-ct/filesystem.nix
@@ -1,7 +1,4 @@
-{
- lib,
- ...
-}: let
+{lib, ...}: let
 inherit (lib) mkDefault;
 in {
 services.kanidm.serverSettings.db_fs_type = mkDefault "zfs";
diff --git a/nixos/samba.nix b/nixos/samba.nix
index f8c4a45c..ffa9b61d 100644
--- a/nixos/samba.nix
+++ b/nixos/samba.nix
@@ -6,8 +6,8 @@
 inherit (lib.modules) mkIf mkDefault;
 inherit (lib.lists) any;
 inherit (lib.strings) hasInfix concatMapStringsSep splitString;
- cfg = config.services.samba;
- hasIpv4 = any (hasInfix ".") config.systemd.network.networks.eth0.address or [ ];
+ cfg = config.services.samba;
+ hasIpv4 = any (hasInfix ".") config.systemd.network.networks.eth0.address or [];
 in {
 services.samba = {
 enable = mkDefault true;
diff --git a/nixos/secrets/postgres.yaml b/nixos/secrets/postgres.yaml
index dd5bd7fe..60c27c43 100644
--- a/nixos/secrets/postgres.yaml
+++ b/nixos/secrets/postgres.yaml
@@ -1,4 +1,4 @@
-postgresql-init: ENC[AES256_GCM,data:fW9g0WKVHTO9blqlEXLJejyQUqC3na/Xh6Il2GNfuX6c2LfRjfFSeour4qt2envtPO+WanGl+ueE1AMck5t02TjqrN4a6DsQpAIGFVE7L4ajp/13Gp308pY4Xu7OKHjkGpzVBATKgLDZkoU8yAkqKZCBEU3d4xegp8pgnsLSpb/LndKiITjhTe2IJOSkIJd9twSsra8JQWRYCW8WjZZ9YOe5nqtU+56b/zb0CxVhhln0jU/3e5s7pfblfou2TnvnFezswjNTIGftNU1wOaxSCA==,iv:hjKNZ4EbPpl5YIcaWJYLKJzxuOmMjL4AtfUeL4vm5QA=,tag:mYcu4cRUnZeLgeISfaxXPQ==,type:str]
+postgresql-init: ENC[AES256_GCM,data:lbkeMv6PZgB7tEl4VbIYX9VUAgJ6Kcj0jLNyyqxJJcVJPjo1lF2d/i5bFnU1/6aJ2T7ftMW4hefYgrnIMdKXxPPfrHftaEMhl9bfJIsuX2I1CXAasZOhpsmg9Wf2cvXuVYIlqTVssg+3EKW0ejCMdX6OfGdAXvBlio1DQs7YrUc+BjDiEuAUAaaYbz67EYY3dpYQixQGl/8G2w7S897uCXpc1oOh6vbGY4Nl+GGQ7B5xrrbYcdATwfGyYlZYSlIv8feDsLv7Rt+w3o4tTAxcz+8qZ7KZ6sIsu/nUoYeqoT9MJ8uRpWccXKcBVAFSEooUIHUEBA/QsGizAXBgzCnyLDvuv3DOquo2xeMg0kWM8zsF1f9YRyUKqQ==,iv:RKIvggRZlPocygabF0iKNBThBRFG5rlzrIvGjjt7s0o=,tag:U/XUDJs5J8lHB9BJ5/0fFA==,type:str]
 sops:
 shamir_threshold: 1
 kms: []
@@ -33,8 +33,8 @@ sops:
 a3l3bUx5NzdqUGd1TEpGY3UvQWt4TU0KB4MAjvI43FaOiGhWTkwPpeMMiAnX4v3L
 rLZDdc/vegF10FKTNJdxdq1E7ccMaV1KwjQkJoOJnWe6teKLjGOFkA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-02-19T03:46:45Z"
- mac: ENC[AES256_GCM,data:FMzWnFllHDpgIoDJIKS7aWpUSVNH0+ij0+AIzl3qtjeuzmUUluDtEes6yAR8g/Daq+nxiMRnsse0HfUqZeT0rVVEpqvQB4Wsoq+G9qj8mmEUrHJzjU5rSDWV8uf5F1BsZbvF13VBulh/RWsmWjps+z6vyJ7uM1QjS3hSF2k3hSM=,iv:tpH8XjoTtNzPOOIosObpsvOAzZO7ywK9xjow3xTOJqY=,tag:BTzezbH9zZDZBzy1x+AJ1w==,type:str]
+ lastmodified: "2024-03-13T21:46:56Z"
+ mac: ENC[AES256_GCM,data:rEtRHX3PH1B+uoR82lDH3ACKHPbhxy+y7B9YgR6TzPSU4yIaTSqSK51eLJZoUtW6UTl6QDcTrsKDA8lGu9M/Ohfx8ayp6rkX63H/hkl0h6YaQmWDAQoNAAEWqfJ9r8O8tKKpE6qF/rw4c4KpuA5ONufOl9qj1KSgFzz0WHaKtWk=,iv:TUBAe62dmF6FAjZOPaxwzQjWL21TdWQG0YyuXJGgtk8=,tag:dewWivfnZO30Np2gajwLIw==,type:str]
 pgp:
 - created_at: "2024-01-19T19:08:55Z"
 enc: |-
diff --git a/nixos/sonarr.nix b/nixos/sonarr.nix
index 7ebbc5bc..7f45c835 100644
--- a/nixos/sonarr.nix
+++ b/nixos/sonarr.nix
@@ -2,5 +2,5 @@ _: {
 services.sonarr = {
 enable = true;
 };
- users.users.sonarr.extraGroups = [ "kyuuto" ];
+ users.users.sonarr.extraGroups = ["kyuuto"];
 }
diff --git a/nixos/sops.nix b/nixos/sops.nix
index 1ed54dc6..a7b5fea8 100644
--- a/nixos/sops.nix
+++ b/nixos/sops.nix
@@ -1,8 +1,13 @@
-{ lib, inputs, ... }: with lib; {
+{
+ lib,
+ inputs,
+ ...
+}:
+with lib; {
 imports = [
 inputs.sops-nix.nixosModules.sops
 ];
 sops = {
- age.sshKeyPaths = mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
+ age.sshKeyPaths = mkDefault ["/etc/ssh/ssh_host_ed25519_key"];
 };
 }
diff --git a/nixos/steam/account-switch.nix b/nixos/steam/account-switch.nix
index 4760fe19..0394641d 100644
--- a/nixos/steam/account-switch.nix
+++ b/nixos/steam/account-switch.nix
@@ -1,7 +1,4 @@
-{
- lib,
- ...
-}: let
+{lib, ...}: let
 inherit (lib.modules) mkDefault;
 in {
 services.steam.accountSwitch = {
diff --git a/nixos/steam/beatsaber.nix b/nixos/steam/beatsaber.nix
index c44a0c24..9dee6e2e 100644
--- a/nixos/steam/beatsaber.nix
+++ b/nixos/steam/beatsaber.nix
@@ -1,15 +1,12 @@
-{
- lib,
- ...
-}: let
+{lib, ...}: let
 inherit (lib.modules) mkDefault;
 in {
 services.steam.beatsaber = {
 enable = mkDefault true;
 defaultVersion = mkDefault "1.29.0";
 versions = {
- "1.29.0" = { };
- "1.34.2" = { };
+ "1.29.0" = {};
+ "1.34.2" = {};
 };
 };
 }
diff --git a/nixos/syncthing-kat/syncthing.nix b/nixos/syncthing-kat/syncthing.nix
index 83eda231..b163cddb 100644
--- a/nixos/syncthing-kat/syncthing.nix
+++ b/nixos/syncthing-kat/syncthing.nix
@@ -1,4 +1,4 @@
-{ config, ... }: {
+{config, ...}: {
 services.syncthing = {
 enable = true;
 relay.enable = true;
diff --git a/nixos/systemd2mqtt.nix b/nixos/systemd2mqtt.nix
index acef25f7..e53e3f79 100644
--- a/nixos/systemd2mqtt.nix
+++ b/nixos/systemd2mqtt.nix
@@ -10,7 +10,8 @@ in {
 enable = mkDefault true;
 user = mkDefault "root";
 mqtt = {
- url = mkDefault (if config.services.mosquitto.enable
+ url = mkDefault (
+ if config.services.mosquitto.enable
 then "tcp://localhost:1883"
 else "tcp://mqtt.local.${config.networking.domain}:1883"
 );
diff --git a/nixos/tautulli.nix b/nixos/tautulli.nix
index 9ccd62df..ad275d80 100644
--- a/nixos/tautulli.nix
+++ b/nixos/tautulli.nix
@@ -1,4 +1,8 @@
-{config, lib, ...}: let
+{
+ config,
+ lib,
+ ...
+}: let
 inherit (lib.modules) mkIf mkDefault;
 cfg = config.services.tautulli;
 in {
diff --git a/nixos/users/arc.nix b/nixos/users/arc.nix
index 5ca4f683..abb7c28e 100644
--- a/nixos/users/arc.nix
+++ b/nixos/users/arc.nix
@@ -1,22 +1,22 @@
-{ config, ... }:
-
-{
- users.users.arc = { name, ... }: {
+{config, ...}: {
+ users.users.arc = {name, ...}: {
 uid = 8001;
 isNormalUser = true;
 autoSubUidGidRange = false;
 group = name;
 extraGroups = [
- "users" "peeps"
+ "users"
+ "peeps"
 "kyuuto"
- "steamaccount" "beatsaber"
+ "steamaccount"
+ "beatsaber"
 "wheel"
 ];
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ8Z6briIboxIdedPGObEWB6QEQkvxKvnMW/UVU9t/ac mew-pgp"
 ];
 };
- users.groups.arc = { name, ... }: {
+ users.groups.arc = {name, ...}: {
 gid = config.users.users.${name}.uid;
 };
 }
diff --git a/nixos/users/connie.nix b/nixos/users/connie.nix
index 8fe160eb..4cfdef8f 100644
--- a/nixos/users/connie.nix
+++ b/nixos/users/connie.nix
@@ -1,17 +1,16 @@
-{ config, ... }:
-
-{
- users.users.connieallure = { name, ... }: {
+{config, ...}: {
+ users.users.connieallure = {name, ...}: {
 uid = 8003;
 isNormalUser = true;
 autoSubUidGidRange = false;
 group = name;
 extraGroups = [
- "users" "peeps"
+ "users"
+ "peeps"
 "kyuuto"
 ];
 };
- users.groups.connieallure = { name, ... }: {
+ users.groups.connieallure = {name, ...}: {
 gid = config.users.users.${name}.uid;
 };
 }
diff --git a/nixos/users/kaosu.nix b/nixos/users/kaosu.nix
index 98891a20..70b2aade 100644
--- a/nixos/users/kaosu.nix
+++ b/nixos/users/kaosu.nix
@@ -1,18 +1,18 @@
-{ config, ... }:
-
-{
- users.users.kaosubaloo = { name, ... }: {
+{config, ...}: {
+ users.users.kaosubaloo = {name, ...}: {
 uid = 8002;
 isNormalUser = true;
 autoSubUidGidRange = false;
 group = name;
 extraGroups = [
- "users" "peeps"
+ "users"
+ "peeps"
 "kyuuto"
- "steamaccount" "beatsaber"
+ "steamaccount"
+ "beatsaber"
 ];
 };
- users.groups.kaosubaloo = { name, ... }: {
+ users.groups.kaosubaloo = {name, ...}: {
 gid = config.users.users.${name}.uid;
 };
 }
diff --git a/nixos/users/kat.nix b/nixos/users/kat.nix
index 084bdfd9..b8c54288 100644
--- a/nixos/users/kat.nix
+++ b/nixos/users/kat.nix
@@ -1,25 +1,25 @@
-{ config, ... }:
-
-{
- users.users.kat = { name, ... }: {
+{config, ...}: {
+ users.users.kat = {name, ...}: {
 uid = 8000;
 isNormalUser = true;
 autoSubUidGidRange = false;
 group = name;
 extraGroups = [
- "users" "peeps"
+ "users"
+ "peeps"
 "kyuuto"
- "steamaccount" "beatsaber"
+ "steamaccount"
+ "beatsaber"
 "wheel"
 ];
 openssh.authorizedKeys.keys = [
 "ssh-rsa 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 yubikey5"
-"ssh-rsa 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 cardno:12 078 454"
+ "ssh-rsa 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 cardno:12 078 454"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII74JrgGsDQ6r7tD7+k3ykxXV7DpeeFRscPMxrBsDPhz kat@goliath"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDkeBFF4xxZgeURLzNHcvUFxImmkQ3pxXtpj3mtSyHXB kat@koishi"
 ];
 };
- users.groups.kat = { name, ... }: {
+ users.groups.kat = {name, ...}: {
 gid = config.users.users.${name}.uid;
 };
 }
diff --git a/overlays/default.nix b/overlays/default.nix
index 81f7925e..fbbc701f 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -1,17 +1,19 @@
-{inputs, system}: {
+{
+ inputs,
+ system,
+}: {
 pkgs = import inputs.nixpkgs {
 inherit system;
- overlays =
- [
- inputs.deploy-rs.overlay
- inputs.arcexprs.overlays.default
- (final: prev: {
- jemalloc =
- if final.hostPlatform != "aarch64-darwin"
- then prev.jemalloc
- else null;
- })
- ];
+ overlays = [
+ inputs.deploy-rs.overlay
+ inputs.arcexprs.overlays.default
+ (final: prev: {
+ jemalloc =
+ if final.hostPlatform != "aarch64-darwin"
+ then prev.jemalloc
+ else null;
+ })
+ ];
 config = {
 allowUnfree = true;
 allowBroken = true;
diff --git a/packages/default.nix b/packages/default.nix
index 0add4931..7a99c06c 100644
--- a/packages/default.nix
+++ b/packages/default.nix
@@ -12,7 +12,7 @@
 export NF_CONFIG_ROOT=''${NF_CONFIG_ROOT-${toString ../.}}
 '';
 exportsSsh = ''
- export PATH="${makeBinPath [ packages.nf-hostname packages.nf-sshopts ]}:$PATH"
+ export PATH="${makeBinPath [packages.nf-hostname packages.nf-sshopts]}:$PATH"
 '';
 exportsFmtNix = ''
 NF_NIX_BLACKLIST_DIRS=(${string.concatMapSep " " string.escapeShellArg fmt.nix.blacklistDirs})
@@ -20,11 +20,16 @@
 NF_NIX_WHITELIST_FILES=(${string.concatMapSep " " string.escapeShellArg fmt.nix.whitelist})
 '';
 output = {
- inherit (pkgs.buildPackages)
- terraform tflint
- alejandra deadnix statix
- ssh-to-age jq
- ;
+ inherit
+ (pkgs.buildPackages)
+ terraform
+ tflint
+ alejandra
+ deadnix
+ statix
+ ssh-to-age
+ jq
+ ;
 inherit (inputs.deploy-rs.packages.${system}) deploy-rs;
 nf-deploy = pkgs.writeShellScriptBin "nf-deploy" ''
 ${exports}
@@ -52,26 +57,27 @@
 INPUT_INFRA_CT_CONFIG = reisen + "/bin/ct-config.sh";
 };
 inputVars = set.mapToValues (key: path: ''${key}="$(base64 -w0 < ${path})"'') inputAttrs;
- in pkgs.writeShellScriptBin "nf-setup-node" ''
- ${exports}
- NF_SETUP_INPUTS=(
- ${string.intercalate "\n" inputVars}
- )
- source ${../ci/setup.sh}
- '';
+ in
+ pkgs.writeShellScriptBin "nf-setup-node" ''
+ ${exports}
+ NF_SETUP_INPUTS=(
+ ${string.intercalate "\n" inputVars}
+ )
+ source ${../ci/setup.sh}
+ '';
 nf-hostname = pkgs.writeShellScriptBin "nf-hostname" ''
 ${exports}
 source ${../ci/hostname.sh}
 '';
 nf-sshopts = pkgs.writeShellScriptBin "nf-sshopts" ''
 ${exports}
- export PATH="$PATH:${makeBinPath [ pkgs.jq ]}"
+ export PATH="$PATH:${makeBinPath [pkgs.jq]}"
 source ${../ci/sshopts.sh}
 '';
 nf-sops-keyscan = pkgs.writeShellScriptBin "nf-sops-keyscan" ''
 ${exports}
 ${exportsSsh}
- export PATH="$PATH:${makeBinPath [ pkgs.ssh-to-age ]}"
+ export PATH="$PATH:${makeBinPath [pkgs.ssh-to-age]}"
 source ${../ci/sops-keyscan.sh}
 '';
 nf-ssh = pkgs.writeShellScriptBin "nf-ssh" ''
@@ -94,39 +100,39 @@
 '';
 nf-generate = pkgs.writeShellScriptBin "nf-generate" ''
 ${exports}
- export PATH="$PATH:${makeBinPath [ pkgs.jq ]}"
+ export PATH="$PATH:${makeBinPath [pkgs.jq]}"
 source ${../ci/generate.sh}
 '';
 nf-statix = pkgs.writeShellScriptBin "nf-statix" ''
 ${exports}
- export PATH="${makeBinPath [ packages.statix ]}:$PATH"
+ export PATH="${makeBinPath [packages.statix]}:$PATH"
 source ${../ci/statix.sh}
 '';
 nf-deadnix = pkgs.writeShellScriptBin "nf-deadnix" ''
 ${exports}
 ${exportsFmtNix}
- export PATH="${makeBinPath [ packages.deadnix pkgs.findutils ]}:$PATH"
+ export PATH="${makeBinPath [packages.deadnix pkgs.findutils]}:$PATH"
 source ${../ci/deadnix.sh}
 '';
 nf-alejandra = pkgs.writeShellScriptBin "nf-alejandra" ''
 ${exports}
 ${exportsFmtNix}
- export PATH="${makeBinPath [ packages.alejandra ]}:$PATH"
+ export PATH="${makeBinPath [packages.alejandra]}:$PATH"
 source ${../ci/alejandra.sh}
 '';
 nf-lint-tf = pkgs.writeShellScriptBin "nf-lint-tf" ''
 ${exports}
- export PATH="$PATH:${makeBinPath [ packages.tflint ]}"
+ export PATH="$PATH:${makeBinPath [packages.tflint]}"
 source ${../ci/lint-tf.sh}
 '';
 nf-lint-nix = pkgs.writeShellScriptBin "nf-lint-nix" ''
 ${exports}
- export PATH="${makeBinPath [ packages.nf-statix packages.nf-deadnix ]}:$PATH"
+ export PATH="${makeBinPath [packages.nf-statix packages.nf-deadnix]}:$PATH"
 source ${../ci/lint-nix.sh}
 '';
 nf-fmt-tf = pkgs.writeShellScriptBin "nf-fmt-tf" ''
 ${exports}
- export PATH="${makeBinPath [ packages.terraform ]}:$PATH"
+ export PATH="${makeBinPath [packages.terraform]}:$PATH"
 source ${../ci/fmt-tf.sh}
 '';
 nf-fmt-nix = pkgs.writeShellScriptBin "nf-fmt-nix" ''
@@ -144,4 +150,5 @@
 inherit (inputs) self;
 };
 };
-in output
+in
+ output
diff --git a/packages/snakeoil.nix b/packages/snakeoil.nix
index ddf47394..9f47f4d1 100644
--- a/packages/snakeoil.nix
+++ b/packages/snakeoil.nix
@@ -5,26 +5,31 @@
 }: let
 inherit (lib.strings) concatStringsSep;
 inherit (lib.lists) toList head;
-in { domain, name }: runCommand name {
- domains = concatStringsSep "," (toList domain);
- domain = head (toList domain);
- nativeBuildInputs = [ buildPackages.minica ];
- outputs = [ "out" "key" "cakey" "ca" "cert" "fullchain" ];
-} ''
- install -d $out
- minica \
- --ca-key ca.key.pem \
- --ca-cert ca.pem \
- --domains "$domains"
- mv ca.pem $ca
- mv ca.key.pem $cakey
- mv $domain/cert.pem $cert
- mv $domain/key.pem $key
- cat $cert $ca > $fullchain
+in
+ {
+ domain,
+ name,
+ }:
+ runCommand name {
+ domains = concatStringsSep "," (toList domain);
+ domain = head (toList domain);
+ nativeBuildInputs = [buildPackages.minica];
+ outputs = ["out" "key" "cakey" "ca" "cert" "fullchain"];
+ } ''
+ install -d $out
+ minica \
+ --ca-key ca.key.pem \
+ --ca-cert ca.pem \
+ --domains "$domains"
+ mv ca.pem $ca
+ mv ca.key.pem $cakey
+ mv $domain/cert.pem $cert
+ mv $domain/key.pem $key
+ cat $cert $ca > $fullchain
 
- ln -s $fullchain $out/fullchain.pem
- ln -s $key $out/key.pem
- ln -s $cakey $out/ca.key.pem
- ln -s $cert $out/cert.pem
- ln -s $ca $out/ca.pem
-''
+ ln -s $fullchain $out/fullchain.pem
+ ln -s $key $out/key.pem
+ ln -s $cakey $out/ca.key.pem
+ ln -s $cert $out/cert.pem
+ ln -s $ca $out/ca.pem
+ ''