author | Gregor Kleen <gkleen@yggdrasil.li> | 2024-08-08 10:45:09 +0200 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2024-08-08 10:45:09 +0200 |
commit | 63adb41f1a060c21a68143eb9e86c2790ef66f36 (patch) | |
tree | 3902b85e7659fd396ded1d2e42ea318153d08a13 /modules | |
parent | 73b08cbd76d4471c9a6fddd05265d7d7fc4c45ff (diff) | |
...
Diffstat (limited to 'modules')
-rw-r--r-- | modules/borgcopy/default.nix | 9 | ||||
-rw-r--r-- | modules/build-client.nix | 4 | ||||
-rw-r--r-- | modules/certspotter.nix | 67 | ||||
-rw-r--r-- | modules/coturn.nix | 60 | ||||
-rw-r--r-- | modules/envfs.nix | 8 | ||||
-rw-r--r-- | modules/etebase-server.nix | 228 | ||||
-rw-r--r-- | modules/home-manager.nix | 3 | ||||
-rw-r--r-- | modules/knot.nix | 1 | ||||
-rw-r--r-- | modules/netns.nix | 7 | ||||
-rw-r--r-- | modules/openssh.nix | 3 | ||||
-rw-r--r-- | modules/pgbackrest.nix | 19 | ||||
-rw-r--r-- | modules/postfix-mta-sts-resolver.nix | 4 | ||||
-rw-r--r-- | modules/postfwd.nix | 1 | ||||
-rw-r--r-- | modules/prometheus-lvm-exporter.nix | 4 | ||||
-rw-r--r-- | modules/yggdrasil/default.nix | 50 | ||||
-rw-r--r-- | modules/yggdrasil/hosts/sif/default.nix | 13 | ||||
-rw-r--r-- | modules/yggdrasil/hosts/sif/private-keys.yaml | 31 | ||||
-rw-r--r-- | modules/yggdrasil/hosts/ymir.nix | 19 |
18 files changed, 83 insertions, 448 deletions
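diff --git a/modules/borgcopy/default.nix b/modules/borgcopy/default.nix
index afc6c37b..475edbd9 100644
--- a/modules/borgcopy/default.nix
+++ b/modules/borgcopy/default.nix
@@ -61,33 +61,40 @@ in {
 options = {
 from = mkOption {
 type = types.str;
+description = "Copy from this repository";
 };
 to = mkOption {
 type = types.str;
+description = "Copy to this repository";
 };
 
 verbosity = mkOption {
 type = types.int;
 default = 3;
+description = "Set verbosity";
 };
 
 sshConfig = mkOption {
 type = with types; nullOr str;
 default = null;
+description = "SSH client configuration";
 };
 
 keyfile = mkOption {
 type = with types; nullOr str;
 default = null;
+description = "Keyfile to pass to borg";
 };
 
 unknownUnencryptedRepoAccessOk = mkOption {
 type = types.bool;
 default = false;
+description = "Set `BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK`?";
 };
 hostnameIsUnique = mkOption {
 type = types.bool;
 default = true;
+description = "Set `BORG_HOSTNAME_IS_UNIQUE`?";
 };
 
 timerOptions = mkOption {
@@ -96,10 +103,12 @@ in {
 default = {
 wantedBy = ["timers.target"];
 };
+description = "Systemd timer options";
 };
 };
 });
 default = {};
+description = "Copy borg archives from one repository to another";
 };
 };
 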
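Review bot: The description added for `unknownUnencryptedRepoAccessOk` only names the environment variable; it should state the risk, since `BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK` makes borg proceed without complaint when a repository it has not seen before turns out to be unencrypted, so a destination swapped for a plaintext repository would be written to silently. Suggested wording: `description = "Set BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK; borg then no longer refuses a previously unknown unencrypted repository. Leave false unless the repositories are intentionally unencrypted.";`. The `hostnameIsUnique` description deserves the matching caveat that, per borg's documentation of `BORG_HOSTNAME_IS_UNIQUE`, the default `true` lets borg remove locks it considers stale for this hostname, which is unsafe when several machines share a hostname. The `keyfile` text should also say whether it is a path to a borg key file; how it reaches borg is decided outside this hunk, as are the submodule's start and the `config` section.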
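diff --git a/modules/build-client.nix b/modules/build-client.nix
index 9924b751..6322e6c0 100644
--- a/modules/build-client.nix
+++ b/modules/build-client.nix
@@ -15,6 +15,7 @@ in {
 options = {
 address = mkOption {
 type = types.str;
+description = "Address of buildserver";
 };
 
 system = mkOption {
@@ -82,10 +83,11 @@ in {
 };
 });
 default = {};
+description = "Buildservers to use";
 };
 };
 };
 
 config = mkIf (cfg != {}) {
 programs.ssh.extraConfig = concatMapStringsSep "\n" ({ name, value }: ''
 Host ${buildHostName name}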
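diff --git a/modules/certspotter.nix b/modules/certspotter.nix
deleted file mode 100644
index ff7ff7c2..00000000
--- a/modules/certspotter.nix
+++ /dev/null
@@ -1,67 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-with lib;
-
-let
-cfg = config.services.certspotter;
-
-script = pkgs.writeShellApplication {
-name = "certspotter-script";
-runtimeInputs = with pkgs; [ coreutils ];
-text = ''
-mkdir -p "''${LOGS_DIRECTORY}"
-env > "$(mktemp -p "''${LOGS_DIRECTORY}" "$(date -Iseconds).''${PUBKEY_HASH:-na}.XXXXXXXXXX.env")"
-'';
-};
-
-startOptions = cfg.extraOptions
-++ optionals (cfg.logs != null) ["-logs" cfg.logs]
-++ ["-watchlist" (pkgs.writeText "watchlist" (concatStringsSep "\n" cfg.watchList))
-"-script" "${script}/bin/certspotter-script"
-];
-
-startScript = pkgs.writeShellApplication {
-name = "certspotter-start";
-runtimeInputs = [ pkgs.coreutils cfg.package ];
-text = ''
-rm -f "''${STATE_DIRECTORY}/lock"
-exec -- certspotter -state_dir "''${STATE_DIRECTORY}" ${escapeShellArgs startOptions}
-'';
-};
-in {
-options = {
-services.certspotter = {
-watchList = mkOption {
-type = types.listOf types.str;
-default = [];
-};
-
-logs = mkOption {
-type = types.nullOr types.str;
-default = null;
-};
-
-extraOptions = mkOption {
-type = types.listOf types.str;
-default = [ "-verbose" ];
-};
-
-package = mkPackageOption pkgs "certspotter" {};
-};
-};
-
-config = mkIf (cfg.watchList != []) {
-systemd.services.certspotter = {
-serviceConfig = {
-Type = "oneshot";
-ExecStart = "${startScript}/bin/certspotter-start";
-StateDirectory = "certspotter";
-LogsDirectory = "certspotter";
-DynamicUser = true;
-
-CPUSchedulingPolicy = "idle";
-IOSchedulingClass = "idle";
-};
-};
-};
-}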
diff --git a/modules/coturn.nix b/modules/coturn.nix index faa4b5a2..d73d1bba 100644 --- a/modules/coturn.nix +++ b/modules/coturn.nix | |||
@@ -42,11 +42,11 @@ in { | |||
42 | 42 | ||
43 | options = { | 43 | options = { |
44 | services.coturn = { | 44 | services.coturn = { |
45 | enable = mkEnableOption (lib.mdDoc "coturn TURN server"); | 45 | enable = mkEnableOption "coturn TURN server"; |
46 | listening-port = mkOption { | 46 | listening-port = mkOption { |
47 | type = types.int; | 47 | type = types.int; |
48 | default = 3478; | 48 | default = 3478; |
49 | description = lib.mdDoc '' | 49 | description = '' |
50 | TURN listener port for UDP and TCP. | 50 | TURN listener port for UDP and TCP. |
51 | Note: actually, TLS and DTLS sessions can connect to the | 51 | Note: actually, TLS and DTLS sessions can connect to the |
52 | "plain" TCP and UDP port(s), too - if allowed by configuration. | 52 | "plain" TCP and UDP port(s), too - if allowed by configuration. |
@@ -55,7 +55,7 @@ in { | |||
55 | tls-listening-port = mkOption { | 55 | tls-listening-port = mkOption { |
56 | type = types.int; | 56 | type = types.int; |
57 | default = 5349; | 57 | default = 5349; |
58 | description = lib.mdDoc '' | 58 | description = '' |
59 | TURN listener port for TLS. | 59 | TURN listener port for TLS. |
60 | Note: actually, "plain" TCP and UDP sessions can connect to the TLS and | 60 | Note: actually, "plain" TCP and UDP sessions can connect to the TLS and |
61 | DTLS port(s), too - if allowed by configuration. The TURN server | 61 | DTLS port(s), too - if allowed by configuration. The TURN server |
@@ -71,7 +71,7 @@ in { | |||
71 | type = types.int; | 71 | type = types.int; |
72 | default = cfg.listening-port + 1; | 72 | default = cfg.listening-port + 1; |
73 | defaultText = literalExpression "listening-port + 1"; | 73 | defaultText = literalExpression "listening-port + 1"; |
74 | description = lib.mdDoc '' | 74 | description = '' |
75 | Alternative listening port for UDP and TCP listeners; | 75 | Alternative listening port for UDP and TCP listeners; |
76 | default (or zero) value means "listening port plus one". | 76 | default (or zero) value means "listening port plus one". |
77 | This is needed for RFC 5780 support | 77 | This is needed for RFC 5780 support |
@@ -86,7 +86,7 @@ in { | |||
86 | type = types.int; | 86 | type = types.int; |
87 | default = cfg.tls-listening-port + 1; | 87 | default = cfg.tls-listening-port + 1; |
88 | defaultText = literalExpression "tls-listening-port + 1"; | 88 | defaultText = literalExpression "tls-listening-port + 1"; |
89 | description = lib.mdDoc '' | 89 | description = '' |
90 | Alternative listening port for TLS and DTLS protocols. | 90 | Alternative listening port for TLS and DTLS protocols. |
91 | ''; | 91 | ''; |
92 | }; | 92 | }; |
@@ -94,7 +94,7 @@ in { | |||
94 | type = types.listOf types.str; | 94 | type = types.listOf types.str; |
95 | default = []; | 95 | default = []; |
96 | example = [ "203.0.113.42" "2001:DB8::42" ]; | 96 | example = [ "203.0.113.42" "2001:DB8::42" ]; |
97 | description = lib.mdDoc '' | 97 | description = '' |
98 | Listener IP addresses of relay server. | 98 | Listener IP addresses of relay server. |
99 | If no IP(s) specified in the config file or in the command line options, | 99 | If no IP(s) specified in the config file or in the command line options, |
100 | then all IPv4 and IPv6 system IPs will be used for listening. | 100 | then all IPv4 and IPv6 system IPs will be used for listening. |
@@ -104,7 +104,7 @@ in { | |||
104 | type = types.listOf types.str; | 104 | type = types.listOf types.str; |
105 | default = []; | 105 | default = []; |
106 | example = [ "203.0.113.42" "2001:DB8::42" ]; | 106 | example = [ "203.0.113.42" "2001:DB8::42" ]; |
107 | description = lib.mdDoc '' | 107 | description = '' |
108 | Relay address (the local IP address that will be used to relay the | 108 | Relay address (the local IP address that will be used to relay the |
109 | packets to the peer). | 109 | packets to the peer). |
110 | Multiple relay addresses may be used. | 110 | Multiple relay addresses may be used. |
@@ -120,28 +120,28 @@ in { | |||
120 | min-port = mkOption { | 120 | min-port = mkOption { |
121 | type = types.int; | 121 | type = types.int; |
122 | default = 49152; | 122 | default = 49152; |
123 | description = lib.mdDoc '' | 123 | description = '' |
124 | Lower bound of UDP relay endpoints | 124 | Lower bound of UDP relay endpoints |
125 | ''; | 125 | ''; |
126 | }; | 126 | }; |
127 | max-port = mkOption { | 127 | max-port = mkOption { |
128 | type = types.int; | 128 | type = types.int; |
129 | default = 65535; | 129 | default = 65535; |
130 | description = lib.mdDoc '' | 130 | description = '' |
131 | Upper bound of UDP relay endpoints | 131 | Upper bound of UDP relay endpoints |
132 | ''; | 132 | ''; |
133 | }; | 133 | }; |
134 | lt-cred-mech = mkOption { | 134 | lt-cred-mech = mkOption { |
135 | type = types.bool; | 135 | type = types.bool; |
136 | default = false; | 136 | default = false; |
137 | description = lib.mdDoc '' | 137 | description = '' |
138 | Use long-term credential mechanism. | 138 | Use long-term credential mechanism. |
139 | ''; | 139 | ''; |
140 | }; | 140 | }; |
141 | no-auth = mkOption { | 141 | no-auth = mkOption { |
142 | type = types.bool; | 142 | type = types.bool; |
143 | default = false; | 143 | default = false; |
144 | description = lib.mdDoc '' | 144 | description = '' |
145 | This option is opposite to lt-cred-mech. | 145 | This option is opposite to lt-cred-mech. |
146 | (TURN Server with no-auth option allows anonymous access). | 146 | (TURN Server with no-auth option allows anonymous access). |
147 | If neither option is defined, and no users are defined, | 147 | If neither option is defined, and no users are defined, |
@@ -153,7 +153,7 @@ in { | |||
153 | use-auth-secret = mkOption { | 153 | use-auth-secret = mkOption { |
154 | type = types.bool; | 154 | type = types.bool; |
155 | default = false; | 155 | default = false; |
156 | description = lib.mdDoc '' | 156 | description = '' |
157 | TURN REST API flag. | 157 | TURN REST API flag. |
158 | Flag that sets a special authorization option that is based upon authentication secret. | 158 | Flag that sets a special authorization option that is based upon authentication secret. |
159 | This feature can be used with the long-term authentication mechanism, only. | 159 | This feature can be used with the long-term authentication mechanism, only. |
@@ -177,7 +177,7 @@ in { | |||
177 | static-auth-secret = mkOption { | 177 | static-auth-secret = mkOption { |
178 | type = types.nullOr types.str; | 178 | type = types.nullOr types.str; |
179 | default = null; | 179 | default = null; |
180 | description = lib.mdDoc '' | 180 | description = '' |
181 | 'Static' authentication secret value (a string) for TURN REST API only. | 181 | 'Static' authentication secret value (a string) for TURN REST API only. |
182 | If not set, then the turn server | 182 | If not set, then the turn server |
183 | will try to use the 'dynamic' value in turn_secret table | 183 | will try to use the 'dynamic' value in turn_secret table |
@@ -188,7 +188,7 @@ in { | |||
188 | static-auth-secret-file = mkOption { | 188 | static-auth-secret-file = mkOption { |
189 | type = types.nullOr types.str; | 189 | type = types.nullOr types.str; |
190 | default = null; | 190 | default = null; |
191 | description = lib.mdDoc '' | 191 | description = '' |
192 | Path to the file containing the static authentication secret. | 192 | Path to the file containing the static authentication secret. |
193 | ''; | 193 | ''; |
194 | }; | 194 | }; |
@@ -197,7 +197,7 @@ in { | |||
197 | default = config.networking.hostName; | 197 | default = config.networking.hostName; |
198 | defaultText = literalExpression "config.networking.hostName"; | 198 | defaultText = literalExpression "config.networking.hostName"; |
199 | example = "example.com"; | 199 | example = "example.com"; |
200 | description = lib.mdDoc '' | 200 | description = '' |
201 | The default realm to be used for the users when no explicit | 201 | The default realm to be used for the users when no explicit |
202 | origin/realm relationship was found in the database, or if the TURN | 202 | origin/realm relationship was found in the database, or if the TURN |
203 | server is not using any database (just the commands-line settings | 203 | server is not using any database (just the commands-line settings |
@@ -209,7 +209,7 @@ in { | |||
209 | type = types.nullOr types.str; | 209 | type = types.nullOr types.str; |
210 | default = null; | 210 | default = null; |
211 | example = "/var/lib/acme/example.com/fullchain.pem"; | 211 | example = "/var/lib/acme/example.com/fullchain.pem"; |
212 | description = lib.mdDoc '' | 212 | description = '' |
213 | Certificate file in PEM format. | 213 | Certificate file in PEM format. |
214 | ''; | 214 | ''; |
215 | }; | 215 | }; |
@@ -217,21 +217,21 @@ in { | |||
217 | type = types.nullOr types.str; | 217 | type = types.nullOr types.str; |
218 | default = null; | 218 | default = null; |
219 | example = "/var/lib/acme/example.com/key.pem"; | 219 | example = "/var/lib/acme/example.com/key.pem"; |
220 | description = lib.mdDoc '' | 220 | description = '' |
221 | Private key file in PEM format. | 221 | Private key file in PEM format. |
222 | ''; | 222 | ''; |
223 | }; | 223 | }; |
224 | dh-file = mkOption { | 224 | dh-file = mkOption { |
225 | type = types.nullOr types.str; | 225 | type = types.nullOr types.str; |
226 | default = null; | 226 | default = null; |
227 | description = lib.mdDoc '' | 227 | description = '' |
228 | Use custom DH TLS key, stored in PEM format in the file. | 228 | Use custom DH TLS key, stored in PEM format in the file. |
229 | ''; | 229 | ''; |
230 | }; | 230 | }; |
231 | secure-stun = mkOption { | 231 | secure-stun = mkOption { |
232 | type = types.bool; | 232 | type = types.bool; |
233 | default = false; | 233 | default = false; |
234 | description = lib.mdDoc '' | 234 | description = '' |
235 | Require authentication of the STUN Binding request. | 235 | Require authentication of the STUN Binding request. |
236 | By default, the clients are allowed anonymous access to the STUN Binding functionality. | 236 | By default, the clients are allowed anonymous access to the STUN Binding functionality. |
237 | ''; | 237 | ''; |
@@ -239,28 +239,28 @@ in { | |||
239 | no-cli = mkOption { | 239 | no-cli = mkOption { |
240 | type = types.bool; | 240 | type = types.bool; |
241 | default = false; | 241 | default = false; |
242 | description = lib.mdDoc '' | 242 | description = '' |
243 | Turn OFF the CLI support. | 243 | Turn OFF the CLI support. |
244 | ''; | 244 | ''; |
245 | }; | 245 | }; |
246 | cli-ip = mkOption { | 246 | cli-ip = mkOption { |
247 | type = types.str; | 247 | type = types.str; |
248 | default = "127.0.0.1"; | 248 | default = "127.0.0.1"; |
249 | description = lib.mdDoc '' | 249 | description = '' |
250 | Local system IP address to be used for CLI server endpoint. | 250 | Local system IP address to be used for CLI server endpoint. |
251 | ''; | 251 | ''; |
252 | }; | 252 | }; |
253 | cli-port = mkOption { | 253 | cli-port = mkOption { |
254 | type = types.int; | 254 | type = types.int; |
255 | default = 5766; | 255 | default = 5766; |
256 | description = lib.mdDoc '' | 256 | description = '' |
257 | CLI server port. | 257 | CLI server port. |
258 | ''; | 258 | ''; |
259 | }; | 259 | }; |
260 | cli-password = mkOption { | 260 | cli-password = mkOption { |
261 | type = types.nullOr types.str; | 261 | type = types.nullOr types.str; |
262 | default = null; | 262 | default = null; |
263 | description = lib.mdDoc '' | 263 | description = '' |
264 | CLI access password. | 264 | CLI access password. |
265 | For the security reasons, it is recommended to use the encrypted | 265 | For the security reasons, it is recommended to use the encrypted |
266 | for of the password (see the -P command in the turnadmin utility). | 266 | for of the password (see the -P command in the turnadmin utility). |
@@ -269,37 +269,37 @@ in { | |||
269 | no-udp = mkOption { | 269 | no-udp = mkOption { |
270 | type = types.bool; | 270 | type = types.bool; |
271 | default = false; | 271 | default = false; |
272 | description = lib.mdDoc "Disable UDP client listener"; | 272 | description = "Disable UDP client listener"; |
273 | }; | 273 | }; |
274 | no-tcp = mkOption { | 274 | no-tcp = mkOption { |
275 | type = types.bool; | 275 | type = types.bool; |
276 | default = false; | 276 | default = false; |
277 | description = lib.mdDoc "Disable TCP client listener"; | 277 | description = "Disable TCP client listener"; |
278 | }; | 278 | }; |
279 | no-tls = mkOption { | 279 | no-tls = mkOption { |
280 | type = types.bool; | 280 | type = types.bool; |
281 | default = false; | 281 | default = false; |
282 | description = lib.mdDoc "Disable TLS client listener"; | 282 | description = "Disable TLS client listener"; |
283 | }; | 283 | }; |
284 | no-dtls = mkOption { | 284 | no-dtls = mkOption { |
285 | type = types.bool; | 285 | type = types.bool; |
286 | default = false; | 286 | default = false; |
287 | description = lib.mdDoc "Disable DTLS client listener"; | 287 | description = "Disable DTLS client listener"; |
288 | }; | 288 | }; |
289 | no-udp-relay = mkOption { | 289 | no-udp-relay = mkOption { |
290 | type = types.bool; | 290 | type = types.bool; |
291 | default = false; | 291 | default = false; |
292 | description = lib.mdDoc "Disable UDP relay endpoints"; | 292 | description = "Disable UDP relay endpoints"; |
293 | }; | 293 | }; |
294 | no-tcp-relay = mkOption { | 294 | no-tcp-relay = mkOption { |
295 | type = types.bool; | 295 | type = types.bool; |
296 | default = false; | 296 | default = false; |
297 | description = lib.mdDoc "Disable TCP relay endpoints"; | 297 | description = "Disable TCP relay endpoints"; |
298 | }; | 298 | }; |
299 | extraConfig = mkOption { | 299 | extraConfig = mkOption { |
300 | type = types.lines; | 300 | type = types.lines; |
301 | default = ""; | 301 | default = ""; |
302 | description = lib.mdDoc "Additional configuration options"; | 302 | description = "Additional configuration options"; |
303 | }; | 303 | }; |
304 | }; | 304 | }; |
305 | }; | 305 | }; |
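Review bot: The `static-auth-secret` and `cli-password` options still take the secret itself as a plain `types.str`, and their descriptions, touched in these hunks only to drop `lib.mdDoc`, do not warn that such a value ends up in the generated configuration in the world-readable Nix store; where that file is rendered is outside the hunks, so treat this as presumed. I would append to the `static-auth-secret` description `This value will be stored in the world-readable Nix store; prefer static-auth-secret-file.` and the same caveat to `cli-password`, for which no file-based counterpart is visible in these hunks. The `cli-password` text also carries a typo, `encrypted for of the password` should read `encrypted form of the password`. The enclosing `options` attribute set starts and ends outside the hunks.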
diff --git a/modules/envfs.nix b/modules/envfs.nix index ff992b61..b5b453a5 100644 --- a/modules/envfs.nix +++ b/modules/envfs.nix | |||
@@ -26,9 +26,9 @@ in { | |||
26 | 26 | ||
27 | options = { | 27 | options = { |
28 | services.envfs = { | 28 | services.envfs = { |
29 | enable = lib.mkEnableOption (lib.mdDoc "Envfs filesystem") // { | 29 | enable = lib.mkEnableOption "Envfs filesystem" // { |
30 | default = true; | 30 | default = true; |
31 | description = lib.mdDoc '' | 31 | description = '' |
32 | Fuse filesystem that returns symlinks to executables based on the PATH | 32 | Fuse filesystem that returns symlinks to executables based on the PATH |
33 | of the requesting process. This is useful to execute shebangs on NixOS | 33 | of the requesting process. This is useful to execute shebangs on NixOS |
34 | that assume hard coded locations in locations like /bin or /usr/bin | 34 | that assume hard coded locations in locations like /bin or /usr/bin |
@@ -40,7 +40,7 @@ in { | |||
40 | type = lib.types.package; | 40 | type = lib.types.package; |
41 | default = pkgs.envfs; | 41 | default = pkgs.envfs; |
42 | defaultText = lib.literalExpression "pkgs.envfs"; | 42 | defaultText = lib.literalExpression "pkgs.envfs"; |
43 | description = lib.mdDoc "Which package to use for the envfs."; | 43 | description = "Which package to use for the envfs."; |
44 | }; | 44 | }; |
45 | 45 | ||
46 | paths = lib.mkOption { | 46 | paths = lib.mkOption { |
@@ -60,7 +60,7 @@ in { | |||
60 | ''') | 60 | ''') |
61 | ] | 61 | ] |
62 | ''; | 62 | ''; |
63 | description = lib.mdDoc "Extra packages to join into collection of fallback executables in case not other executable is found"; | 63 | description = "Extra packages to join into collection of fallback executables in case not other executable is found"; |
64 | }; | 64 | }; |
65 | }; | 65 | }; |
66 | }; | 66 | }; |
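Review bot: The `enable` description does not mention that this module overrides the default to `true` (visible in the first hunk), nor the trust consequence of the behaviour it describes: if `/bin/foo` and `/usr/bin/foo` are resolved from the PATH of the requesting process, a script that hard-codes `/bin/foo` now runs whatever the caller's PATH puts first, which is the opposite of what a fixed path is usually relied on for. I would add after the existing text `Enabled by default on every host; note that /bin and /usr/bin lookups then follow the calling process's PATH, so a hard-coded path no longer pins a particular binary.`. The `paths` description has a typo as well, `in case not other executable is found` should read `in case no other executable is found`. The enclosing option set starts and ends outside the hunks.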
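diff --git a/modules/etebase-server.nix b/modules/etebase-server.nix
deleted file mode 100644
index 341e7fa0..00000000
--- a/modules/etebase-server.nix
+++ /dev/null
@@ -1,228 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-with lib;
-
-let
-cfg = config.services.etebase-server;
-
-pythonEnv = pkgs.python3.withPackages (ps: with ps;
-[ etebase-server daphne psycopg2 ]);
-
-iniFmt = pkgs.formats.ini {};
-
-configIni = iniFmt.generate "etebase-server.ini" cfg.settings;
-
-defaultUser = "etebase-server";
-in
-{
-disabledModules = [ "services/misc/etebase-server.nix" ];
-
-imports = [
-(mkRemovedOptionModule
-[ "services" "etebase-server" "customIni" ]
-"Set the option `services.etebase-server.settings' instead.")
-(mkRemovedOptionModule
-[ "services" "etebase-server" "database" ]
-"Set the option `services.etebase-server.settings.database' instead.")
-(mkRenamedOptionModule
-[ "services" "etebase-server" "secretFile" ]
-[ "services" "etebase-server" "settings" "secret_file" ])
-(mkRenamedOptionModule
-[ "services" "etebase-server" "host" ]
-[ "services" "etebase-server" "settings" "allowed_hosts" "allowed_host1" ])
-];
-
-options = {
-services.etebase-server = {
-enable = mkOption {
-type = types.bool;
-default = false;
-example = true;
-description = lib.mdDoc ''
-Whether to enable the Etebase server.
-
-Once enabled you need to create an admin user by invoking the
-shell command `etebase-server createsuperuser` with
-the user specified by the `user` option or a superuser.
-Then you can login and create accounts on your-etebase-server.com/admin
-'';
-};
-
-dataDir = mkOption {
-type = types.str;
-default = "/var/lib/etebase-server";
-description = lib.mdDoc "Directory to store the Etebase server data.";
-};
-
-port = mkOption {
-type = with types; nullOr port;
-default = 8001;
-description = lib.mdDoc "Port to listen on.";
-};
-
-openFirewall = mkOption {
-type = types.bool;
-default = false;
-description = lib.mdDoc ''
-Whether to open ports in the firewall for the server.
-'';
-};
-
-unixSocket = mkOption {
-type = with types; nullOr str;
-default = null;
-description = lib.mdDoc "The path to the socket to bind to.";
-example = "/run/etebase-server/etebase-server.sock";
-};
-
-settings = mkOption {
-type = lib.types.submodule {
-freeformType = iniFmt.type;
-
-options = {
-global = {
-debug = mkOption {
-type = types.bool;
-default = false;
-description = lib.mdDoc ''
-Whether to set django's DEBUG flag.
-'';
-};
-secret_file = mkOption {
-type = with types; nullOr str;
-default = null;
-description = lib.mdDoc ''
-The path to a file containing the secret
-used as django's SECRET_KEY.
-'';
-};
-static_root = mkOption {
-type = types.str;
-default = "${cfg.dataDir}/static";
-defaultText = literalExpression ''"''${config.services.etebase-server.dataDir}/static"'';
-description = lib.mdDoc "The directory for static files.";
-};
-media_root = mkOption {
-type = types.str;
-default = "${cfg.dataDir}/media";
-defaultText = literalExpression ''"''${config.services.etebase-server.dataDir}/media"'';
-description = lib.mdDoc "The media directory.";
-};
-};
-allowed_hosts = {
-allowed_host1 = mkOption {
-type = types.str;
-default = "0.0.0.0";
-example = "localhost";
-description = lib.mdDoc ''
-The main host that is allowed access.
-'';
-};
-};
-database = {
-engine = mkOption {
-type = types.enum [ "django.db.backends.sqlite3" "django.db.backends.postgresql" ];
-default = "django.db.backends.sqlite3";
-description = lib.mdDoc "The database engine to use.";
-};
-name = mkOption {
-type = types.str;
-default = "${cfg.dataDir}/db.sqlite3";
-defaultText = literalExpression ''"''${config.services.etebase-server.dataDir}/db.sqlite3"'';
-description = lib.mdDoc "The database name.";
-};
-};
-};
-};
-default = {};
-description = lib.mdDoc ''
-Configuration for `etebase-server`. Refer to
-<https://github.com/etesync/server/blob/master/etebase-server.ini.example>
-and <https://github.com/etesync/server/wiki>
-for details on supported values.
-'';
-example = {
-global = {
-debug = true;
-media_root = "/path/to/media";
-};
-allowed_hosts = {
-allowed_host2 = "localhost";
-};
-};
-};
-
-user = mkOption {
-type = types.str;
-default = defaultUser;
-description = lib.mdDoc "User under which Etebase server runs.";
-};
-};
-};
-
-config = mkIf cfg.enable {
-
-environment.systemPackages = with pkgs; [
-(runCommand "etebase-server" {
-nativeBuildInputs = [ makeWrapper ];
-} ''
-makeWrapper ${pythonEnv}/bin/etebase-server \
-$out/bin/etebase-server \
---chdir ${escapeShellArg cfg.dataDir} \
---prefix ETEBASE_EASY_CONFIG_PATH : "${configIni}"
-'')
-];
-
-systemd.tmpfiles.rules = [
-"d '${cfg.dataDir}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -"
-];
-
-systemd.services.etebase-server = {
-description = "An Etebase (EteSync 2.0) server";
-after = [ "network.target" "systemd-tmpfiles-setup.service" ];
-wantedBy = [ "multi-user.target" ];
-path = [ pythonEnv ];
-serviceConfig = {
-User = cfg.user;
-Restart = "always";
-WorkingDirectory = cfg.dataDir;
-};
-environment = {
-ETEBASE_EASY_CONFIG_PATH = configIni;
-};
-preStart = ''
-# Auto-migrate on first run or if the package has changed
-versionFile="${cfg.dataDir}/src-version"
-if [[ $(cat "$versionFile" 2>/dev/null) != ${pkgs.etebase-server} ]]; then
-etebase-server migrate --no-input
-etebase-server collectstatic --no-input --clear
-echo ${pkgs.etebase-server} > "$versionFile"
-fi
-'';
-script =
-let
-networking = if cfg.unixSocket != null
-then "-u ${cfg.unixSocket}"
-else "-b 0.0.0.0 -p ${toString cfg.port}";
-in ''
-cd "${pythonEnv}/lib/etebase-server";
-daphne ${networking} \
-etebase_server.asgi:application
-'';
-};
-
-users = optionalAttrs (cfg.user == defaultUser) {
-users.${defaultUser} = {
-isSystemUser = true;
-group = defaultUser;
-home = cfg.dataDir;
-};
-
-groups.${defaultUser} = {};
-};
-
-networking.firewall = mkIf cfg.openFirewall {
-allowedTCPPorts = [ cfg.port ];
-};
-};
-}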
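diff --git a/modules/home-manager.nix b/modules/home-manager.nix
index ebe3e153..c485dd99 100644
--- a/modules/home-manager.nix
+++ b/modules/home-manager.nix
@@ -8,6 +8,9 @@ with lib;
 type = types.bool;
 default = true;
 example = true;
+description = ''
+Are we using home-manager version that starts late as systemd user service?
+'';
 };
 };
 }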
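Review bot: The added description is phrased as a question and does not say what setting the option changes, so a reader cannot tell when to flip it; an option description should state the effect. Something like `Whether the installed home-manager activates late, as a systemd user service, rather than during system activation; set to false for older home-manager versions.` would do, but what the flag actually gates is defined outside this hunk, so confirm the wording against that code. The option's name and its `mkOption` line are above the hunk.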
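diff --git a/modules/knot.nix b/modules/knot.nix
index a4691324..f7165029 100644
--- a/modules/knot.nix
+++ b/modules/knot.nix
@@ -81,6 +81,7 @@ in {
 
 cliWrappers = mkOption {
 readOnly = true;
+internal = true;
 type = types.package;
 default = knot-cli-wrappers;
 defaultText = "knot-cli-wrappers";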
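--- a/modules/netns.nix
+++ b/modules/netns.nix
@@ -125,6 +125,13 @@ in {
 containers = mkOption {
 default = {};
 type = types.attrsOf (types.submodule containerOpts);
+description = ''
+A set of NixOS system configurations to be run as lightweight
+containers. Each container appears as a service
+`container-«name»`
+on the host system, allowing it to be started and stopped via
+{command}`systemctl`.
+'';
 };
 };
 };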
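--- a/modules/openssh.nix
+++ b/modules/openssh.nix
@@ -30,6 +30,7 @@ with lib;
 "rsa-sha2-512"
 "rsa-sha2-512-cert-v01@openssh.com"
 ];
+description = "HostKeyAlgorithms";
 };
 settings.CASignatureAlgorithms = mkOption {
 type = types.str;
@@ -43,6 +44,7 @@ with lib;
 "rsa-sha2-512"
 "rsa-sha2-256"
 ];
+description = "CASignatureAlgorithms";
 };
 settings.PubkeyAcceptedAlgorithms = mkOption {
 type = types.str;
@@ -69,6 +71,7 @@ with lib;
 "rsa-sha2-512"
 "rsa-sha2-512-cert-v01@openssh.com"
 ];
+description = "PubkeyAcceptedAlgorithms";
 };
 };
 };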
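--- a/modules/pgbackrest.nix
+++ b/modules/pgbackrest.nix
@@ -50,8 +50,8 @@ in {
 package = mkPackageOption pkgs "pgbackrest" {};
 dscpPackage = mkPackageOption pkgs "libdscp" { nullable = true; default = null; };
 
-dscp.archive-push = mkDSCPOption { default = 24; };
-dscp.backup = mkDSCPOption { default = 8; };
+dscp.archive-push = mkDSCPOption { default = 24; description = "DSCP during archive push"; };
+dscp.backup = mkDSCPOption { default = 8; description = "DSCP during backup"; };
 
 configurePostgresql = {
 enable = mkEnableOption "configuring PostgreSQL for sending WAL to pgBackRest" // {
@@ -63,6 +63,7 @@ in {
 type = types.str;
 default = config.networking.hostName;
 defaultText = literalExpression "config.networking.hostName";
+description = "Stanza";
 };
 };
 
@@ -74,23 +75,28 @@ in {
 global.log-level-console = mkOption {
 type = loglevelType;
 default = "detail";
+description = "Log level to console";
 };
 global.log-level-file = mkOption {
 type = loglevelType;
 default = "off";
+description = "Log level to logfile";
 };
 global.log-level-stderr = mkOption {
 type = loglevelType;
 default = "warn";
+description = "Log level to stderr";
 };
 
 global.log-subprocess = mkOption {
 type = types.bool;
 default = true;
+description = "Log subprocesses?";
 };
 global.log-timestamp = mkOption {
 type = types.bool;
 default = false;
+description = "Log timestamps?";
 };
 };
 };
@@ -106,10 +112,12 @@ in {
 user = mkOption {
 type = types.str;
 default = "postgres";
+description = "User";
 };
 group = mkOption {
 type = types.str;
 default = "postgres";
+description = "Group";
 };
 };
 
@@ -119,32 +127,39 @@ in {
 type = mkOption {
 type = types.enum ["full" "incr" "diff"];
 default = "full";
+description = "Type";
 };
 
 stanza = mkOption {
 type = types.str;
 default = cfg.configurePostgresql.stanza;
 defaultText = literalExpression "config.services.pgbackrest.configurePostgresql.stanza";
+description = "Stanza";
 };
 repo = mkOption {
 type = types.nullOr (types.strMatching "^[0-9]+$");
+description = "Repository number";
 };
 
 user = mkOption {
 type = types.str;
 default = "postgres";
+description = "User";
 };
 group = mkOption {
 type = types.str;
 default = "postgres";
+description = "Group";
 };
 
 timerConfig = mkOption {
 type = types.attrsOf unitOption;
+description = "Systemd timer options";
 };
 };
 }));
 default = {};
+description = "Configure backups";
 };
 };
 };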
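Review bot: Most descriptions added in the `@@ -119,32 +127,39 @@` hunk (and likewise in the `@@ -106,10 +112,12 @@` and `@@ -63,6 +63,7 @@` hunks, and the `Loglevel`/`Settings`/`Rules` lines in the postfix-mta-sts-resolver and postfwd sections) merely repeat the option name — `"User"`, `"Group"`, `"Type"`, `"Stanza"` — which satisfies the missing-description check without telling a reader of `nixos-option` or the rendered manual anything. Where the visible code fixes the meaning, spell it out: for `type`, `description = "Kind of pgBackRest backup to run: full, incr (incremental) or diff (differential)";`, and for `user`/`group`, which user and group the backup job runs as, if that is what they control. In the same hunk `repo` is `types.nullOr` but carries no `default = null;`, so a backup entry that omits it will fail evaluation with an "option is used but not defined" error as soon as the implementation reads it; if the option is meant to be optional, add `default = null;` beside the new description and state what `null` selects. How `repo` is consumed lies outside this hunk, so confirm before changing it.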
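--- a/modules/postfix-mta-sts-resolver.nix
+++ b/modules/postfix-mta-sts-resolver.nix
@@ -8,7 +8,7 @@ in {
 options = {
 services.postfix-mta-sts-resolver = {
 enable = mkEnableOption "mta-sts-daemon";
-package = mkPackageOption pkgs "postfix-mta-sts-resolver";
+package = mkPackageOption pkgs "postfix-mta-sts-resolver" {};
 
 redis = mkEnableOption "redis cache" // { default = true; example = false; };
 proactive-policy-fetching = mkEnableOption "proactive policy fetching" // { default = true; example = false; };
@@ -16,10 +16,12 @@ in {
 loglevel = mkOption {
 type = types.enum ["debug" "info" "warn" "error" "fatal"];
 default = "info";
+description = "Loglevel";
 };
 
 settings = mkOption {
 type = types.attrs;
+description = "Settings";
 };
 };
 };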
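Review bot: The new `description = "Settings";` in the `@@ -16,10 +16,12 @@` hunk sits on an option typed `types.attrs`, which only shallow-merges definitions from different modules (a nested key set in two places is overwritten rather than combined) and performs no checking of the values handed to the daemon. Since the description is being written now, it should say what the attribute set becomes — the mta-sts-daemon configuration, presumably serialised to its config file — and the type is the natural place to encode that, e.g. a settings-format type such as `(pkgs.formats.yaml {}).type` if the daemon's file is YAML. How `settings` is rendered is outside this hunk, so verify the format before changing the type.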
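--- a/modules/postfwd.nix
+++ b/modules/postfwd.nix
@@ -12,6 +12,7 @@ in {
 rules = mkOption {
 type = lines;
 default = "";
+description = "Rules";
 };
 };
 };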
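--- a/modules/prometheus-lvm-exporter.nix
+++ b/modules/prometheus-lvm-exporter.nix
@@ -21,7 +21,7 @@ in {
 openFirewall = mkOption {
 type = types.bool;
 default = false;
-description = lib.mdDoc ''
+description = ''
 Open port in firewall for incoming connections.
 '';
 };
@@ -31,7 +31,7 @@ in {
 example = literalExpression ''
 "-i eth0 -p tcp -m tcp --dport ${toString cfg.port}"
 '';
-description = lib.mdDoc ''
+description = ''
 Specify a filter for iptables to use when
 {option}`services.prometheus.exporters.lvm.openFirewall`
 is true. It is used as `ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept`.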
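--- a/modules/yggdrasil/default.nix
+++ /dev/null
@@ -1,50 +0,0 @@
-{ config, lib, customUtils, ... }:
-let
-cfg = config.services.tinc.yggdrasil;
-in {
-options = {
-services.tinc.yggdrasil = lib.mkOption {
-default = {};
-type = lib.types.submodule {
-options = {
-enable = lib.mkEnableOption "Yggdrasil tinc network";
-
-connect = lib.mkOption {
-default = true;
-type = lib.types.bool;
-description = ''
-Connect to central server
-'';
-};
-};
-};
-};
-};
-
-config = lib.mkIf cfg.enable {
-services.tinc.networks.yggdrasil = {
-name = config.networking.hostName;
-hostSettings = customUtils.nixImport { dir = ./hosts; };
-debugLevel = 2;
-interfaceType = "tap";
-settings = {
-Mode = "switch";
-PingTimeout = 30;
-ConnectTo = lib.mkIf cfg.connect "ymir";
-};
-};
-
-sops.secrets = {
-tinc-yggdrasil-rsa = {
-key = "rsa";
-path = "/etc/tinc/yggdrasil/rsa_key.priv";
-sopsFile = ./hosts + "/${config.services.tinc.networks.yggdrasil.name}/private-keys.yaml";
-};
-tinc-yggdrasil-ed25519 = {
-key = "ed25519";
-path = "/etc/tinc/yggdrasil/rsa_key.priv";
-sopsFile = ./hosts + "/${config.services.tinc.networks.yggdrasil.name}/private-keys.yaml";
-};
-};
-};
-}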
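--- a/modules/yggdrasil/hosts/sif/default.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{
-settings.Ed25519PublicKey = "qJqty+wiTNcYaHQCvQNiMqXYz30C9M3+LI/qjmU/9hK";
-rsaPublicKey = ''
------BEGIN RSA PUBLIC KEY-----
-MIIBCgKCAQEA0ACaacg9EN0hBQct8ZwQ/i6EsXKP4DIwKwabM2rp8azValTHU2uI
-WW6JRY+Eii6zRx9B5kJ96C4rJJeAGV6lZPAogaC2LbM7lcsZ7oRDWZGaQKcZFNGi
-laEcDg2dRuDx1W4at0rb03SDLNPt8sXSV6BcK9n/7m7+s9cwM/+PB8FHDMnWvwbC
-usbP23020s+CVr/PU1z/7J0y3Eat+Acut6x5X8DNewpqV96wQpqdAggbhtYERMFH
-+i0sa1WUDQtJ6HGChbENRTMlsPJ6lnzXY+J0pzatzzvetLsOljES9uJ8dtk6qBC7
-KRZo5lvdUwR6j9XiHMQeRerUt23b9ATFXQIDAQAB
------END RSA PUBLIC KEY-----
-'';
-}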
diff --git a/modules/yggdrasil/hosts/sif/private-keys.yaml b/modules/yggdrasil/hosts/sif/private-keys.yaml deleted file mode 100644 index 0c4274d1..00000000 --- a/modules/yggdrasil/hosts/sif/private-keys.yaml +++ /dev/null | |||
@@ -1,31 +0,0 @@ | |||
1 | ed25519: ENC[AES256_GCM,data:1CqB4y6CIm5JUsznpXPqqLJqCKmmoAJOZQTWb7+Jbn0oZMX27qSMK4CchHF7Bmo24EK8rk5EyW5aQLnoxp/2NA62p8SXdaoI8Qgz3EgsQ5QrlJrt1jvERpNs4vttT9V6+aK3Yojr9IuQSvJ4jyKSLrzrTnLzF9pXlaOf1Ru5SxySRWtVzynzurRpdUVS6goE+lb+Irg6x2geV719iQ9bu1C2smeQDREdS+dlfoxp02/pU6kTFA7KAm5vA91HKEfMqfSEzuBgUB0=,iv:n6Yh0zZ9AbT+83P42QNO2rCCISJV5nbO9wYcwaRYD2E=,tag:dJpXV9ZzLSO1B+LsyV3vAg==,type:str] | ||
2 | rsa: ENC[AES256_GCM,data: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,iv:ZUAqvOpcVCXQD2PFzUh0e2m20t6gVT3mYb7S50iV/m8=,tag:AssxMqjVUEwQ4R6Y7eG9Tg==,type:str] | ||
3 | sops: | ||
4 | kms: [] | ||
5 | gcp_kms: [] | ||
6 | azure_kv: [] | ||
7 | hc_vault: [] | ||
8 | age: | ||
9 | - recipient: age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866 | ||
10 | enc: | | ||
11 | -----BEGIN AGE ENCRYPTED FILE----- | ||
12 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiTjludkxXUm5OREx4Zndk | ||
13 | czI0VmMxUE5kOHVKQ1lTL1RvQXlIQ3FhWFRVCmVXbmFqNTBDNy94RDJtakQra0lh | ||
14 | a2JrZlBxWFNVVFh6WFU3bjBwaFVIa1kKLS0tIFNObGZvVmpuQlU4SFBjZk45dlJM | ||
15 | d3VHVVZsVGlBd2craGNVbHdoeUpyVFEK/Tj9QVqAOWmAJv/PESvIOnnIbZkKof6E | ||
16 | HHaEYANQTp5kLyWaz4rfJiiQOP2bL5hDr1XV61mf6y9W8m9w4IynHg== | ||
17 | -----END AGE ENCRYPTED FILE----- | ||
18 | - recipient: age1fj65apkhfkrwyv5tx6zcs9nkjg8267fy733qph30sc7zfn7vapjqkd5kne | ||
19 | enc: | | ||
20 | -----BEGIN AGE ENCRYPTED FILE----- | ||
21 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6L2lSdUUvSE1iUTEvdkxm | ||
22 | Nm4vV3MySWlTdldMZEw2dEhtSlZCb0wvL0VBCnJxY2dNUlJhcktQNVVOdHhPemJF | ||
23 | ZUJ3NUR0ZTRZdFkwMmExR2gwOHFlMTQKLS0tIHhLbkZQalBuNm5mRHBVQ1NNbGM4 | ||
24 | YUNsNE8vbnk0RnpRbHB5azM2NmdmKzAKwUVFQHvBvGjc/mGI9lhkW86ovUVvUxok | ||
25 | O6QelapJHGP2gQ3aZBk8eFJJs7Ve+q1yiQUbO34BFFdIfRyiObmbKw== | ||
26 | -----END AGE ENCRYPTED FILE----- | ||
27 | lastmodified: "2021-01-02T14:46:16Z" | ||
28 | mac: ENC[AES256_GCM,data:Phng7z7UlE6nO3FFIQPOHgKCqDm2uOGL57ryJbokjipSSdoWPinpz0zIJv9Z67b9uOf3CQoGtV4YwcudNkzDBKOyD8uA6RYwCKpbYcZIdiy8DLL46+VT/wq9toTkeDXM6jKupzzOARZhHT8DCOLqW7u8Q3S645cbTJmw0+LMIGk=,iv:y4KEh0+bKhtnSobKVdfaPuRsueNC1lcrEbUGfEAn+Bg=,tag:3Oi4e/hSgPVsoFQpnVQj+g==,type:str] | ||
29 | pgp: [] | ||
30 | unencrypted_suffix: _unencrypted | ||
31 | version: 3.6.1 | ||
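--- a/modules/yggdrasil/hosts/ymir.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-{
-addresses = [{ address = "ymir.yggdrasil.li"; }];
-settings.Ed25519PublicKey = "b/SobnMqByzHOQeO+iU7OZ1liD8a++knbi5ebNawnaC";
-rsaPublicKey = ''
------BEGIN RSA PUBLIC KEY-----
-MIICCgKCAgEAuInSfQf5euFXEVkLLzf9TumQJ+3WRsxX4uKdOXBqrIC7yjSBP8j9
-ql5rNWPzgXxFF5ERmwW+E3cyzJLU9Htu7r3muqM6nhSZizhCskifPRFc3e5ssSke
-XhHICHfe90+qvab/hWx/NjkW59bBYIzDuJfq+ijDFMVNgOxaiM2f3/2prUUhP7bN
-r3wVI8KCkOaknc0SOOmOhLzfJaD5wosqLOjgaNhlro2eMgMjQlxbyW8dVVgjwseR
-Cl/mpu7r1pSMhS66RFH68wDoC3X81f7Zs9ZGDLTD8KXWhx0qgUMUAH4n6YGY0RM6
-BZ3qR/3KFRU64QPVAERpb0JdsU9ggCVydHkjrWW23ptHOPAOO5+yQj7tSDCKTRy9
-dHMQnbtPrgAb6iMhO1XTxA8Hdta1sCHsewsQekarwsA1bmk3hTgi/k8vwoGDUWtk
-jgiDEPuutfmH4C6qxq9s+6lRboNKH8wgkVGpHiaq7mmePFdhzFdrj4+fYAMZTbil
-2iygsJ+yFOjA7U+iT6QDK33/MLsrQg0Ue6RPiG1qnDyax7gBAjz52iWkiuSkUXk0
-E5ImdP4XMILgGcWk8iPq5iRS03edE0pCpxGX3ZZwFE5+CoXgO6wR1ToL1vZEEHMQ
-SHJPufKjkavPKbejPps/mLaJQVw3W10PAJssB9nxW2aHX3n0ugGaIvMCAwEAAQ==
------END RSA PUBLIC KEY-----
-'';
-}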