-rw-r--r--.envrc1
-rw-r--r--.gitignore1
-rw-r--r--_sources/generated.json13
-rw-r--r--_sources/generated.nix5
-rw-r--r--accounts/gkleen@sif/default.nix1
-rw-r--r--flake.lock51
-rw-r--r--flake.nix20
-rw-r--r--hosts/sif/default.nix31
-rw-r--r--hosts/sif/hw.nix57
-rw-r--r--hosts/surtr/bifrost/default.nix10
-rw-r--r--hosts/surtr/default.nix1
-rw-r--r--hosts/surtr/vpn/default.nix30
-rw-r--r--hosts/vidhar/default.nix1
-rw-r--r--hosts/vidhar/network/bifrost/default.nix46
-rw-r--r--hosts/vidhar/network/default.nix31
-rw-r--r--installer/default.nix2
-rw-r--r--modules/borgcopy/default.nix9
-rw-r--r--modules/build-client.nix4
-rw-r--r--modules/certspotter.nix67
-rw-r--r--modules/coturn.nix60
-rw-r--r--modules/envfs.nix8
-rw-r--r--modules/etebase-server.nix228
-rw-r--r--modules/home-manager.nix3
-rw-r--r--modules/knot.nix1
-rw-r--r--modules/netns.nix7
-rw-r--r--modules/openssh.nix3
-rw-r--r--modules/pgbackrest.nix19
-rw-r--r--modules/postfix-mta-sts-resolver.nix4
-rw-r--r--modules/postfwd.nix1
-rw-r--r--modules/prometheus-lvm-exporter.nix4
-rw-r--r--modules/yggdrasil/default.nix50
-rw-r--r--modules/yggdrasil/hosts/sif/default.nix13
-rw-r--r--modules/yggdrasil/hosts/sif/private-keys.yaml31
-rw-r--r--modules/yggdrasil/hosts/ymir.nix19
-rw-r--r--overlays/postfix-mta-sts-resolver/default.nix1
-rw-r--r--overlays/preserve-dscp/default.nix3
-rw-r--r--system-profiles/core/default.nix175
-rw-r--r--system-profiles/initrd-ssh/module.nix12
-rw-r--r--system-profiles/nfsroot.nix172
-rw-r--r--user-profiles/yt-dlp.nix1
40 files changed, 431 insertions, 765 deletions
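--- /dev/null
+++ b/.envrc
@@ -0,0 +1 @@
+use flake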
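--- a/.gitignore
+++ b/.gitignore
@@ -3,6 +3,7 @@
 **/#*#
 **/.#*
 **/.gup
+.direnv
 
 **.csr
 hosts/*/prometheus/tls.cnf
\ No newline at end of file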
diff --git a/_sources/generated.json b/_sources/generated.json
index f1082af1..87d6c357 100644
--- a/_sources/generated.json
+++ b/_sources/generated.json
@@ -15,6 +15,7 @@
15 "repo": "afew", 15 "repo": "afew",
16 "rev": "8ef9a5b73e5d1063cf912c70027c655fb19d1109", 16 "rev": "8ef9a5b73e5d1063cf912c70027c655fb19d1109",
17 "sha256": "sha256-Wdvack+oAq88a9E6i+OcMlSNStv4dWsZstHgLao0c9g=", 17 "sha256": "sha256-Wdvack+oAq88a9E6i+OcMlSNStv4dWsZstHgLao0c9g=",
18 "sparseCheckout": [],
18 "type": "github" 19 "type": "github"
19 }, 20 },
20 "version": "8ef9a5b73e5d1063cf912c70027c655fb19d1109" 21 "version": "8ef9a5b73e5d1063cf912c70027c655fb19d1109"
@@ -49,6 +50,7 @@
49 "repo": "bpf-examples", 50 "repo": "bpf-examples",
50 "rev": "5343ed3377471c7b7ef2237526c8bdc0f00a0cef", 51 "rev": "5343ed3377471c7b7ef2237526c8bdc0f00a0cef",
51 "sha256": "sha256-vKVI8pQ17BNWLKm8wwpyNkLslnB9E2CAZTS6EP5lDT0=", 52 "sha256": "sha256-vKVI8pQ17BNWLKm8wwpyNkLslnB9E2CAZTS6EP5lDT0=",
53 "sparseCheckout": [],
52 "type": "github" 54 "type": "github"
53 }, 55 },
54 "version": "5343ed3377471c7b7ef2237526c8bdc0f00a0cef" 56 "version": "5343ed3377471c7b7ef2237526c8bdc0f00a0cef"
@@ -69,6 +71,7 @@
69 "repo": "scratch.el", 71 "repo": "scratch.el",
70 "rev": "0077334cc299aa7885f804d88f52cdb1b35caf71", 72 "rev": "0077334cc299aa7885f804d88f52cdb1b35caf71",
71 "sha256": "sha256-FUkKJ+1COGzgllzzv51yUIjMZI6slOFVExdwWl2ZEBA=", 73 "sha256": "sha256-FUkKJ+1COGzgllzzv51yUIjMZI6slOFVExdwWl2ZEBA=",
74 "sparseCheckout": [],
72 "type": "github" 75 "type": "github"
73 }, 76 },
74 "version": "0077334cc299aa7885f804d88f52cdb1b35caf71" 77 "version": "0077334cc299aa7885f804d88f52cdb1b35caf71"
@@ -101,6 +104,7 @@
101 "name": null, 104 "name": null,
102 "rev": "744c3ee61d2f0a8e9bb4e308dec6897215ae4704", 105 "rev": "744c3ee61d2f0a8e9bb4e308dec6897215ae4704",
103 "sha256": "sha256-yxA8wgzdS7SyKLoNTWN87ShsBfPKUflbOu4Y0jS2G3I=", 106 "sha256": "sha256-yxA8wgzdS7SyKLoNTWN87ShsBfPKUflbOu4Y0jS2G3I=",
107 "sparseCheckout": [],
104 "type": "git", 108 "type": "git",
105 "url": "https://gist.github.com/2f71a97fb85ed42146f6d9f522bc34ef.git" 109 "url": "https://gist.github.com/2f71a97fb85ed42146f6d9f522bc34ef.git"
106 }, 110 },
@@ -122,6 +126,7 @@
122 "repo": "chapterskip", 126 "repo": "chapterskip",
123 "rev": "b26825316e3329882206ae78dc903ebc4613f039", 127 "rev": "b26825316e3329882206ae78dc903ebc4613f039",
124 "sha256": "sha256-OTrLQE3rYvPQamEX23D6HttNjx3vafWdTMxTiWpDy90=", 128 "sha256": "sha256-OTrLQE3rYvPQamEX23D6HttNjx3vafWdTMxTiWpDy90=",
129 "sparseCheckout": [],
125 "type": "github" 130 "type": "github"
126 }, 131 },
127 "version": "b26825316e3329882206ae78dc903ebc4613f039" 132 "version": "b26825316e3329882206ae78dc903ebc4613f039"
@@ -142,6 +147,7 @@
142 "repo": "mpv-createchapter", 147 "repo": "mpv-createchapter",
143 "rev": "8dd33e2debbcb963a195ec1371e02c85b49e7faa", 148 "rev": "8dd33e2debbcb963a195ec1371e02c85b49e7faa",
144 "sha256": "sha256-rPtG7mgf7tOY8Ih4Bz1tpd4MwXOxJmngjY+s70zWX+g=", 149 "sha256": "sha256-rPtG7mgf7tOY8Ih4Bz1tpd4MwXOxJmngjY+s70zWX+g=",
150 "sparseCheckout": [],
145 "type": "github" 151 "type": "github"
146 }, 152 },
147 "version": "8dd33e2debbcb963a195ec1371e02c85b49e7faa" 153 "version": "8dd33e2debbcb963a195ec1371e02c85b49e7faa"
@@ -162,6 +168,7 @@
162 "repo": "mpv-mpris", 168 "repo": "mpv-mpris",
163 "rev": "1.1", 169 "rev": "1.1",
164 "sha256": "sha256-vZIO6ILatIWa9nJYOp4AMKwvaZLahqYWRLMDOizyBI0=", 170 "sha256": "sha256-vZIO6ILatIWa9nJYOp4AMKwvaZLahqYWRLMDOizyBI0=",
171 "sparseCheckout": [],
165 "type": "github" 172 "type": "github"
166 }, 173 },
167 "version": "1.1" 174 "version": "1.1"
@@ -182,6 +189,7 @@
182 "repo": "mpv-reload", 189 "repo": "mpv-reload",
183 "rev": "1a6a9383ba1774708fddbd976e7a9b72c3eec938", 190 "rev": "1a6a9383ba1774708fddbd976e7a9b72c3eec938",
184 "sha256": "sha256-BshxCjec/UNGyiC0/g1Rai2NvG2qOIHXDDEUYwwdij0=", 191 "sha256": "sha256-BshxCjec/UNGyiC0/g1Rai2NvG2qOIHXDDEUYwwdij0=",
192 "sparseCheckout": [],
185 "type": "github" 193 "type": "github"
186 }, 194 },
187 "version": "1a6a9383ba1774708fddbd976e7a9b72c3eec938" 195 "version": "1a6a9383ba1774708fddbd976e7a9b72c3eec938"
@@ -200,6 +208,7 @@
200 "name": null, 208 "name": null,
201 "rev": "a5864aa2ee849c372964809842c2b1db3d0c20ea", 209 "rev": "a5864aa2ee849c372964809842c2b1db3d0c20ea",
202 "sha256": "sha256-NKiQfx0WuDySXRR9I6FKcuzyIz3gVWXcaQgaEvyepT8=", 210 "sha256": "sha256-NKiQfx0WuDySXRR9I6FKcuzyIz3gVWXcaQgaEvyepT8=",
211 "sparseCheckout": [],
203 "type": "git", 212 "type": "git",
204 "url": "https://github.com/CogentRedTester/mpv-sub-select" 213 "url": "https://github.com/CogentRedTester/mpv-sub-select"
205 }, 214 },
@@ -219,6 +228,7 @@
219 "name": null, 228 "name": null,
220 "rev": "1f8c31457459ffc28cd1c3f3c2235a53efad7148", 229 "rev": "1f8c31457459ffc28cd1c3f3c2235a53efad7148",
221 "sha256": "sha256-voNP8tCwCv8QnAZOPC9gqHRV/7jgCAE63VKBd/1s5ic=", 230 "sha256": "sha256-voNP8tCwCv8QnAZOPC9gqHRV/7jgCAE63VKBd/1s5ic=",
231 "sparseCheckout": [],
222 "type": "git", 232 "type": "git",
223 "url": "https://github.com/jgreco/mpv-youtube-quality" 233 "url": "https://github.com/jgreco/mpv-youtube-quality"
224 }, 234 },
@@ -280,6 +290,7 @@
280 "name": null, 290 "name": null,
281 "rev": "330cb9da36651b701085ad53ae75ff296d02202a", 291 "rev": "330cb9da36651b701085ad53ae75ff296d02202a",
282 "sha256": "sha256-S0+sZ5vTywTU/HNRWt+MQhMO9uea+NvwwwdYJEdRmEw=", 292 "sha256": "sha256-S0+sZ5vTywTU/HNRWt+MQhMO9uea+NvwwwdYJEdRmEw=",
293 "sparseCheckout": [],
283 "type": "git", 294 "type": "git",
284 "url": "https://gitlab.com/depesz/Versioning" 295 "url": "https://gitlab.com/depesz/Versioning"
285 }, 296 },
@@ -329,6 +340,7 @@
329 "repo": "v4l2loopback", 340 "repo": "v4l2loopback",
330 "rev": "2d44c2f3a33844dfd9928dc536288283289bbc34", 341 "rev": "2d44c2f3a33844dfd9928dc536288283289bbc34",
331 "sha256": "sha256-6YWF1zM9glDTnJNVxlNWWqqkD0Z6sNscOoGTJsU6iCQ=", 342 "sha256": "sha256-6YWF1zM9glDTnJNVxlNWWqqkD0Z6sNscOoGTJsU6iCQ=",
343 "sparseCheckout": [],
332 "type": "github" 344 "type": "github"
333 }, 345 },
334 "version": "2d44c2f3a33844dfd9928dc536288283289bbc34" 346 "version": "2d44c2f3a33844dfd9928dc536288283289bbc34"
@@ -349,6 +361,7 @@
349 "repo": "xcompose", 361 "repo": "xcompose",
350 "rev": "cd8d3e622f547ec9f83d7f64f51d4a27ee812681", 362 "rev": "cd8d3e622f547ec9f83d7f64f51d4a27ee812681",
351 "sha256": "sha256-fkl2lDv/DdrqPjVsEUKSRD3BNGwTjTsA0ovI8akFI6U=", 363 "sha256": "sha256-fkl2lDv/DdrqPjVsEUKSRD3BNGwTjTsA0ovI8akFI6U=",
364 "sparseCheckout": [],
352 "type": "github" 365 "type": "github"
353 }, 366 },
354 "version": "cd8d3e622f547ec9f83d7f64f51d4a27ee812681" 367 "version": "cd8d3e622f547ec9f83d7f64f51d4a27ee812681"
diff --git a/_sources/generated.nix b/_sources/generated.nix
index 177fac06..cb6022ab 100644
--- a/_sources/generated.nix
+++ b/_sources/generated.nix
@@ -11,6 +11,7 @@
11 fetchSubmodules = false; 11 fetchSubmodules = false;
12 deepClone = false; 12 deepClone = false;
13 leaveDotGit = true; 13 leaveDotGit = true;
14 sparseCheckout = [ ];
14 sha256 = "sha256-Wdvack+oAq88a9E6i+OcMlSNStv4dWsZstHgLao0c9g="; 15 sha256 = "sha256-Wdvack+oAq88a9E6i+OcMlSNStv4dWsZstHgLao0c9g=";
15 }; 16 };
16 date = "2021-05-30"; 17 date = "2021-05-30";
@@ -64,6 +65,7 @@
64 fetchSubmodules = false; 65 fetchSubmodules = false;
65 deepClone = false; 66 deepClone = false;
66 leaveDotGit = false; 67 leaveDotGit = false;
68 sparseCheckout = [ ];
67 sha256 = "sha256-yxA8wgzdS7SyKLoNTWN87ShsBfPKUflbOu4Y0jS2G3I="; 69 sha256 = "sha256-yxA8wgzdS7SyKLoNTWN87ShsBfPKUflbOu4Y0jS2G3I=";
68 }; 70 };
69 date = "2020-10-22"; 71 date = "2020-10-22";
@@ -124,6 +126,7 @@
124 fetchSubmodules = false; 126 fetchSubmodules = false;
125 deepClone = false; 127 deepClone = false;
126 leaveDotGit = false; 128 leaveDotGit = false;
129 sparseCheckout = [ ];
127 sha256 = "sha256-NKiQfx0WuDySXRR9I6FKcuzyIz3gVWXcaQgaEvyepT8="; 130 sha256 = "sha256-NKiQfx0WuDySXRR9I6FKcuzyIz3gVWXcaQgaEvyepT8=";
128 }; 131 };
129 date = "2024-05-15"; 132 date = "2024-05-15";
@@ -137,6 +140,7 @@
137 fetchSubmodules = false; 140 fetchSubmodules = false;
138 deepClone = false; 141 deepClone = false;
139 leaveDotGit = false; 142 leaveDotGit = false;
143 sparseCheckout = [ ];
140 sha256 = "sha256-voNP8tCwCv8QnAZOPC9gqHRV/7jgCAE63VKBd/1s5ic="; 144 sha256 = "sha256-voNP8tCwCv8QnAZOPC9gqHRV/7jgCAE63VKBd/1s5ic=";
141 }; 145 };
142 date = "2020-02-10"; 146 date = "2020-02-10";
@@ -174,6 +178,7 @@
174 fetchSubmodules = false; 178 fetchSubmodules = false;
175 deepClone = false; 179 deepClone = false;
176 leaveDotGit = false; 180 leaveDotGit = false;
181 sparseCheckout = [ ];
177 sha256 = "sha256-S0+sZ5vTywTU/HNRWt+MQhMO9uea+NvwwwdYJEdRmEw="; 182 sha256 = "sha256-S0+sZ5vTywTU/HNRWt+MQhMO9uea+NvwwwdYJEdRmEw=";
178 }; 183 };
179 date = "2023-11-23"; 184 date = "2023-11-23";
diff --git a/accounts/gkleen@sif/default.nix b/accounts/gkleen@sif/default.nix
index 2ecaf0da..2e7a25c9 100644
--- a/accounts/gkleen@sif/default.nix
+++ b/accounts/gkleen@sif/default.nix
@@ -97,6 +97,7 @@ in {
97 home-manager.users.${userName} = { 97 home-manager.users.${userName} = {
98 imports = [ 98 imports = [
99 flakeInputs.nix-index-database.hmModules.nix-index 99 flakeInputs.nix-index-database.hmModules.nix-index
100 flakeInputs.impermanence.nixosModules.home-manager.impermanence
100 ]; 101 ];
101 102
102 home.stateVersion = "20.09"; 103 home.stateVersion = "20.09";
diff --git a/flake.lock b/flake.lock
index 5bfe9859..0c0a7ad1 100644
--- a/flake.lock
+++ b/flake.lock
@@ -12,16 +12,16 @@
12 "pre-commit-hooks-nix": "pre-commit-hooks-nix" 12 "pre-commit-hooks-nix": "pre-commit-hooks-nix"
13 }, 13 },
14 "locked": { 14 "locked": {
15 "lastModified": 1701974579, 15 "lastModified": 1723023987,
16 "narHash": "sha256-Drydx4onJnz5AqjG1clABRHUF4cPmy75zH70AXvs3eQ=", 16 "narHash": "sha256-3ffk/waTFYp0yrZ6PdFKSRJF+0z6O51c6XWirjhDXqM=",
17 "owner": "gkleen", 17 "owner": "gkleen",
18 "repo": "backup-utils", 18 "repo": "backup-utils",
19 "rev": "d094023745980f90828f0390441ff22b51107f3a", 19 "rev": "3b70e591eade840a32aea80264050ddc6a92c599",
20 "type": "gitlab" 20 "type": "gitlab"
21 }, 21 },
22 "original": { 22 "original": {
23 "owner": "gkleen", 23 "owner": "gkleen",
24 "ref": "v0.1.2", 24 "ref": "v0.1.3",
25 "repo": "backup-utils", 25 "repo": "backup-utils",
26 "type": "gitlab" 26 "type": "gitlab"
27 } 27 }
@@ -392,6 +392,22 @@
392 "type": "github" 392 "type": "github"
393 } 393 }
394 }, 394 },
395 "impermanence": {
396 "locked": {
397 "lastModified": 1719091691,
398 "narHash": "sha256-AxaLX5cBEcGtE02PeGsfscSb/fWMnyS7zMWBXQWDKbE=",
399 "owner": "nix-community",
400 "repo": "impermanence",
401 "rev": "23c1f06316b67cb5dabdfe2973da3785cfe9c34a",
402 "type": "github"
403 },
404 "original": {
405 "owner": "nix-community",
406 "ref": "master",
407 "repo": "impermanence",
408 "type": "github"
409 }
410 },
395 "nix-github-actions": { 411 "nix-github-actions": {
396 "inputs": { 412 "inputs": {
397 "nixpkgs": [ 413 "nixpkgs": [
@@ -420,11 +436,11 @@
420 ] 436 ]
421 }, 437 },
422 "locked": { 438 "locked": {
423 "lastModified": 1722136042, 439 "lastModified": 1722740924,
424 "narHash": "sha256-x3FmT4QSyK28itMiR5zfYhUrG5nY+2dv+AIcKfmSp5A=", 440 "narHash": "sha256-UQPgA5d8azLZuDHZMPmvDszhuKF1Ek89SrTRtqsQ4Ss=",
425 "owner": "Mic92", 441 "owner": "Mic92",
426 "repo": "nix-index-database", 442 "repo": "nix-index-database",
427 "rev": "c0ca47e8523b578464014961059999d8eddd4aae", 443 "rev": "97ca0a0fca0391de835f57e44f369a283e37890f",
428 "type": "github" 444 "type": "github"
429 }, 445 },
430 "original": { 446 "original": {
@@ -602,11 +618,11 @@
602 }, 618 },
603 "nixpkgs_2": { 619 "nixpkgs_2": {
604 "locked": { 620 "locked": {
605 "lastModified": 1722329972, 621 "lastModified": 1722813957,
606 "narHash": "sha256-Y1rUW6x+7hSwQxtJk9Xu3QDmcV/AOX3zl3g4N5Lh8nI=", 622 "narHash": "sha256-IAoYyYnED7P8zrBFMnmp7ydaJfwTnwcnqxUElC1I26Y=",
607 "owner": "nixos", 623 "owner": "NixOS",
608 "repo": "nixpkgs", 624 "repo": "nixpkgs",
609 "rev": "cdeee848778cb4e084ab0c50fc83fc3117a69766", 625 "rev": "cb9a96f23c491c081b38eab96d22fa958043c9fa",
610 "type": "github" 626 "type": "github"
611 }, 627 },
612 "original": { 628 "original": {
@@ -672,11 +688,11 @@
672 "treefmt-nix": "treefmt-nix" 688 "treefmt-nix": "treefmt-nix"
673 }, 689 },
674 "locked": { 690 "locked": {
675 "lastModified": 1722300206, 691 "lastModified": 1723013744,
676 "narHash": "sha256-lSF96eM7lJPYl2nd63t2zGWIvZEWSf1BOaP1Rf2q9mI=", 692 "narHash": "sha256-Ilcm+bME9nUDICcoS47/McfNmbU+xn3ZBUoMjPrwGrU=",
677 "owner": "nix-community", 693 "owner": "nix-community",
678 "repo": "poetry2nix", 694 "repo": "poetry2nix",
679 "rev": "1dcd9fdca06bf28bdd6eeab0a464f4bc5d643bca", 695 "rev": "551cd76c920b9eabed3fb095a4091af7676b31ba",
680 "type": "github" 696 "type": "github"
681 }, 697 },
682 "original": { 698 "original": {
@@ -794,6 +810,7 @@
794 "flake-utils": "flake-utils_3", 810 "flake-utils": "flake-utils_3",
795 "home-manager": "home-manager", 811 "home-manager": "home-manager",
796 "home-manager-eostre": "home-manager-eostre", 812 "home-manager-eostre": "home-manager-eostre",
813 "impermanence": "impermanence",
797 "nix-index-database": "nix-index-database", 814 "nix-index-database": "nix-index-database",
798 "nixos-hardware": "nixos-hardware", 815 "nixos-hardware": "nixos-hardware",
799 "nixpkgs": "nixpkgs_2", 816 "nixpkgs": "nixpkgs_2",
@@ -816,11 +833,11 @@
816 ] 833 ]
817 }, 834 },
818 "locked": { 835 "locked": {
819 "lastModified": 1722114803, 836 "lastModified": 1722897572,
820 "narHash": "sha256-s6YhI8UHwQvO4cIFLwl1wZ1eS5Cuuw7ld2VzUchdFP0=", 837 "narHash": "sha256-3m/iyyjCdRBF8xyehf59QlckIcmShyTesymSb+N4Ap4=",
821 "owner": "Mic92", 838 "owner": "Mic92",
822 "repo": "sops-nix", 839 "repo": "sops-nix",
823 "rev": "eb34eb588132d653e4c4925d862f1e5a227cc2ab", 840 "rev": "8ae477955dfd9cbf5fa4eb82a8db8ddbb94e79d9",
824 "type": "github" 841 "type": "github"
825 }, 842 },
826 "original": { 843 "original": {
diff --git a/flake.nix b/flake.nix
index c317f5c1..6f24a90c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -141,7 +141,7 @@
141 type = "gitlab"; 141 type = "gitlab";
142 owner = "gkleen"; 142 owner = "gkleen";
143 repo = "backup-utils"; 143 repo = "backup-utils";
144 ref = "v0.1.2"; 144 ref = "v0.1.3";
145 inputs = { 145 inputs = {
146 nixpkgs.follows = "nixpkgs"; 146 nixpkgs.follows = "nixpkgs";
147 poetry2nix.follows = "poetry2nix"; 147 poetry2nix.follows = "poetry2nix";
@@ -163,6 +163,12 @@
163 repo = "nixos-hardware"; 163 repo = "nixos-hardware";
164 ref = "master"; 164 ref = "master";
165 }; 165 };
166 impermanence = {
167 type = "github";
168 owner = "nix-community";
169 repo = "impermanence";
170 ref = "master";
171 };
166 }; 172 };
167 173
168 outputs = { self, nixpkgs, home-manager, sops-nix, deploy-rs, nvfetcher, ... }@inputs: 174 outputs = { self, nixpkgs, home-manager, sops-nix, deploy-rs, nvfetcher, ... }@inputs:
@@ -255,12 +261,12 @@
255 // outputs 261 // outputs
256 // { imports = [self.nixosModules.users.${userName} or ({...}: { imports = defaultUserProfiles userName; })] ++ (outputs.imports or []); }); 262 // { imports = [self.nixosModules.users.${userName} or ({...}: { imports = defaultUserProfiles userName; })] ++ (outputs.imports or []); });
257 263
258 # systemsSelector = "x86_64-linux"; 264 systemsSelector = "x86_64-linux";
259 # systems = filter (system: !(isNull (builtins.match systemsSelector system))) nixpkgs.lib.systems.flakeExposed; 265 systems = filter (system: !(isNull (builtins.match systemsSelector system))) nixpkgs.lib.systems.flakeExposed;
260 systems = 266 # systems =
261 let 267 # let
262 disallowedSystems = ["armv5tel-linux" "armv6l-linux"]; 268 # disallowedSystems = ["armv5tel-linux" "armv6l-linux"];
263 in filter (system: !(elem system disallowedSystems)) nixpkgs.lib.systems.flakeExposed; 269 # in filter (system: !(elem system disallowedSystems)) nixpkgs.lib.systems.flakeExposed;
264 nixpkgsPackages = localSystem: (makeOverridable (import (nixpkgs.outPath + "/pkgs/top-level"))) { inherit localSystem; }; 270 nixpkgsPackages = localSystem: (makeOverridable (import (nixpkgs.outPath + "/pkgs/top-level"))) { inherit localSystem; };
265 forAllSystems = f: mapAttrs f (genAttrs systems nixpkgsPackages); 271 forAllSystems = f: mapAttrs f (genAttrs systems nixpkgsPackages);
266 forAllUsers = genAttrs (unique (map accountUserName (attrNames self.nixosModules.accounts))); 272 forAllUsers = genAttrs (unique (map accountUserName (attrNames self.nixosModules.accounts)));
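Review bot: The previous `systems` definition is kept as four commented-out lines directly under the new `systemsSelector`-based one, so the file now carries two competing definitions and a reader has to work out which is live; dead code belongs in git history, so drop the commented block or, if the allow-list variant is meant to return, replace it with one line such as `# restricted to x86_64-linux for now; the disallowedSystems variant is in history`. The new `impermanence` input follows `ref = "master"` (the hunk shows `nixos-hardware` does the same), so nothing in flake.nix pins it and only flake.lock does; that is acceptable as long as `nix flake update` runs are reviewed, but a comment saying why a branch rather than a tag is tracked would help the next person who touches the inputs. `backup-utils` moving to `ref = "v0.1.3"` with its lock entry updated in the same commit is the pattern to prefer where a tag exists.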
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index 3525015d..5ed4e05e 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -16,6 +16,7 @@ in {
16 tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines 16 tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines
17 networkmanager 17 networkmanager
18 flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1 18 flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1
19 flakeInputs.impermanence.nixosModules.impermanence
19 ]; 20 ];
20 21
21 config = { 22 config = {
@@ -555,7 +556,10 @@ in {
555 # sound.enable = true; 556 # sound.enable = true;
556 557
557 nix = { 558 nix = {
558 settings.auto-optimise-store = true; 559 settings = {
560 auto-optimise-store = true;
561 max-jobs = 4;
562 };
559 daemonCPUSchedPolicy = "idle"; 563 daemonCPUSchedPolicy = "idle";
560 daemonIOSchedClass = "idle"; 564 daemonIOSchedClass = "idle";
561 565
@@ -569,6 +573,11 @@ in {
569 speedFactor = 4; 573 speedFactor = 4;
570 }; 574 };
571 }; 575 };
576 systemd.services."nix-daemon" = {
577 serviceConfig = {
578 CPUQuota = "400%";
579 };
580 };
572 581
573 environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf; 582 environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf;
574 583
@@ -661,6 +670,26 @@ in {
661 in [ gtk-portal ]; 670 in [ gtk-portal ];
662 }; 671 };
663 672
673 environment.persistence."/.bcachefs" = {
674 hideMounts = true;
675 directories = [
676 "/nix"
677 "/root"
678 "/var/log"
679 "/var/lib/sops-nix"
680 "/var/lib/nixos"
681 "/var/lib/systemd"
682 "/home"
683 "/var/lib/chrony"
684 "/var/lib/fprint"
685 "/var/lib/bluetooth"
686 "/etc/NetworkManager/system-connections"
687 ];
688 files = [
689 "/etc/localtime"
690 ];
691 };
692
664 system.stateVersion = "24.11"; 693 system.stateVersion = "24.11";
665 }; 694 };
666} 695}
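Review bot: The `/root` and `/var/lib/sops-nix` entries in the new `environment.persistence."/.bcachefs"` directories list carry no `mode` or `user`, so if either directory is missing on `/.bcachefs` impermanence creates it with its default directory mode, which as far as I recall is 0755; the hw.nix bind mounts this replaces inherited whatever mode the existing source directories had. Prefer the attribute-set form for the sensitive entries, e.g. `{ directory = "/root"; mode = "0700"; }` and `{ directory = "/var/lib/sops-nix"; mode = "0700"; }`, so the intended permissions are declared rather than inherited. The list has no `/etc/ssh` entry, so unless the `openssh` profile imported at the top of this file supplies host keys from elsewhere, a tmpfs root regenerates them on every boot and clients' known_hosts entries break; a one-line comment stating which is the case would settle it. `/var/lib/bluetooth` is new relative to the old hw.nix bind-mount set, and a comment noting that this addition is intentional would save the next reader a diff.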
diff --git a/hosts/sif/hw.nix b/hosts/sif/hw.nix
index 077d25a6..fc20ef7c 100644
--- a/hosts/sif/hw.nix
+++ b/hosts/sif/hw.nix
@@ -12,59 +12,11 @@
12 fsType = "bcachefs"; 12 fsType = "bcachefs";
13 neededForBoot = true; 13 neededForBoot = true;
14 }; 14 };
15 "/nix" = 15 "/var/lib/sops-nix".neededForBoot = true;
16 { device = "/.bcachefs/nix"; 16 "/var/lib/systemd".neededForBoot = true;
17 fsType = "none";
18 options = [ "bind" ]; # "x-systemd.after=bcachefs.service" "x-systemd.requires=bcachefs.service" "x-systemd.after=\\x2ebcachefs.mount" "x-systemd.requires=\\x2ebcachefs.mount" ];
19 };
20 "/root" =
21 { device = "/.bcachefs/root";
22 fsType = "none";
23 options = [ "bind" ]; # "x-systemd.after=\\x2ebcachefs.mount" "x-systemd.requires=\\x2ebcachefs.mount" ];
24 };
25 "/var/log" =
26 { device = "/.bcachefs/var/log";
27 fsType = "none";
28 options = [ "bind" ]; # "x-systemd.after=bcachefs.service" "x-systemd.requires=bcachefs.service" "x-systemd.after=\\x2ebcachefs.mount" "x-systemd.requires=\\x2ebcachefs.mount" ];
29 };
30 "/var/lib/sops-nix" =
31 { device = "/.bcachefs/var/lib/sops-nix";
32 fsType = "none";
33 options = [ "bind" ]; # "x-systemd.after=bcachefs.service" "x-systemd.requires=bcachefs.service" "x-systemd.after=\\x2ebcachefs.mount" "x-systemd.requires=\\x2ebcachefs.mount" ];
34 neededForBoot = true;
35 };
36 "/var/lib/nixos" =
37 { device = "/.bcachefs/var/lib/nixos";
38 fsType = "none";
39 options = [ "bind" ]; # "x-systemd.after=bcachefs.service" "x-systemd.requires=bcachefs.service" "x-systemd.after=\\x2ebcachefs.mount" "x-systemd.requires=\\x2ebcachefs.mount" ];
40 };
41 "/var/lib/chrony" =
42 { device = "/.bcachefs/var/lib/chrony";
43 fsType = "none";
44 options = [ "bind" ]; # "x-systemd.after=\\x2ebcachefs.mount" "x-systemd.requires=\\x2ebcachefs.mount" ];
45 };
46 "/var/lib/fprint" =
47 { device = "/.bcachefs/var/lib/fprint";
48 fsType = "none";
49 options = [ "bind" ]; # "x-systemd.after=\\x2ebcachefs.mount" "x-systemd.requires=\\x2ebcachefs.mount" ];
50 };
51 "/var/lib/systemd" =
52 { device = "/.bcachefs/var/lib/systemd";
53 fsType = "none";
54 options = [ "bind" ]; # "x-systemd.after=bcachefs.service" "x-systemd.requires=bcachefs.service" "x-systemd.after=\\x2ebcachefs.mount" "x-systemd.requires=\\x2ebcachefs.mount" ];
55 neededForBoot = true;
56 };
57 "/home" =
58 { device = "/.bcachefs/home";
59 fsType = "none";
60 options = [ "bind" ]; # "x-systemd.after=\\x2ebcachefs.mount" "x-systemd.requires=\\x2ebcachefs.mount" ];
61 };
62 "/etc/NetworkManager/system-connections" =
63 { device = "/.bcachefs/etc/NetworkManager/system-connections";
64 fsType = "none";
65 options = [ "bind" ]; # "x-systemd.after=\\x2ebcachefs.mount" "x-systemd.requires=\\x2ebcachefs.mount" ];
66 };
67 }; 17 };
18 system.etc.overlay.enable = false;
19 systemd.sysusers.enable = false;
68 20
69 # boot.initrd.supportedFilesystems.bcachefs = true; 21 # boot.initrd.supportedFilesystems.bcachefs = true;
70 # boot.initrd.systemd.units."dev-sif-nvm0:-dev-sif-nvm1.device".enable = false; 22 # boot.initrd.systemd.units."dev-sif-nvm0:-dev-sif-nvm1.device".enable = false;
@@ -91,7 +43,6 @@
91 # }; 43 # };
92 # }; 44 # };
93 45
94 nix.settings.max-jobs = 12;
95 # High-DPI console 46 # High-DPI console
96 console.font = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz"; 47 console.font = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
97 48
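Review bot: `system.etc.overlay.enable = false;` and `systemd.sysusers.enable = false;` are added with no comment, and the same `systemd.sysusers.enable = false;` line appears in hosts/surtr/default.nix and hosts/vidhar/default.nix; both options are off by default as far as I know, so a reader cannot tell whether this pins against an upcoming default change or works around a concrete breakage with the persisted `/var/lib/systemd` and `/var/lib/nixos` state. A one-line comment such as `# keep activation-script user/etc handling; the persisted state under /var/lib/nixos depends on it` (adjusted to the real reason) would settle that. Separately, `fileSystems."/var/lib/sops-nix".neededForBoot = true;` and the `/var/lib/systemd` line now mark mounts this file no longer defines; presumably impermanence generates them from the persistence list in hosts/sif/default.nix, so a comment pointing there would stop someone from removing an apparently orphaned entry. The enclosing module attribute set opens above the first hunk.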
diff --git a/hosts/surtr/bifrost/default.nix b/hosts/surtr/bifrost/default.nix
index 20cd5892..fbfde757 100644
--- a/hosts/surtr/bifrost/default.nix
+++ b/hosts/surtr/bifrost/default.nix
@@ -18,10 +18,8 @@ in {
18 ListenPort = 51822; 18 ListenPort = 51822;
19 }; 19 };
20 wireguardPeers = [ 20 wireguardPeers = [
21 { wireguardPeerConfig = { 21 { AllowedIPs = [ "2a03:4000:52:ada:4:1::/96" ];
22 AllowedIPs = [ "2a03:4000:52:ada:4:1::/96" ]; 22 PublicKey = trim (readFile ../../vidhar/network/bifrost/vidhar.pub);
23 PublicKey = trim (readFile ../../vidhar/network/bifrost/vidhar.pub);
24 };
25 } 23 }
26 ]; 24 ];
27 }; 25 };
@@ -34,9 +32,7 @@ in {
34 }; 32 };
35 address = ["2a03:4000:52:ada:4::/96"]; 33 address = ["2a03:4000:52:ada:4::/96"];
36 routes = [ 34 routes = [
37 { routeConfig = { 35 { Destination = "2a03:4000:52:ada:4::/80";
38 Destination = "2a03:4000:52:ada:4::/80";
39 };
40 } 36 }
41 ]; 37 ];
42 linkConfig = { 38 linkConfig = {
diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix
index e6ca0c64..ceb035cb 100644
--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -165,6 +165,7 @@ with lib;
165 algorithm = "zstd"; 165 algorithm = "zstd";
166 }; 166 };
167 167
168 systemd.sysusers.enable = false;
168 system.stateVersion = "20.09"; 169 system.stateVersion = "20.09";
169 }; 170 };
170} 171}
diff --git a/hosts/surtr/vpn/default.nix b/hosts/surtr/vpn/default.nix
index 74a9fb22..61a9d544 100644
--- a/hosts/surtr/vpn/default.nix
+++ b/hosts/surtr/vpn/default.nix
@@ -63,10 +63,8 @@ in {
63 ListenPort = 51820; 63 ListenPort = 51820;
64 }; 64 };
65 wireguardPeers = imap1 (i: { name, ip ? i }: { 65 wireguardPeers = imap1 (i: { name, ip ? i }: {
66 wireguardPeerConfig = { 66 AllowedIPs = ["${prefix6}:${toString ip}::/96" "${prefix4}.${toString ip}/32"];
67 AllowedIPs = ["${prefix6}:${toString ip}::/96" "${prefix4}.${toString ip}/32"]; 67 PublicKey = trim (readFile (./. + "/${name}.pub"));
68 PublicKey = trim (readFile (./. + "/${name}.pub"));
69 };
70 }) [ { name = "geri"; } { name = "sif"; } ]; 68 }) [ { name = "geri"; } { name = "sif"; } ];
71 }; 69 };
72 }; 70 };
@@ -86,19 +84,13 @@ in {
86 MulticastDNS = false; 84 MulticastDNS = false;
87 }; 85 };
88 routes = [ 86 routes = [
89 { routeConfig = { 87 { Destination = "202.61.240.1";
90 Destination = "202.61.240.1";
91 };
92 } 88 }
93 { routeConfig = { 89 { Destination = "0.0.0.0/0";
94 Destination = "0.0.0.0/0"; 90 Gateway = "202.61.240.1";
95 Gateway = "202.61.240.1";
96 };
97 } 91 }
98 { routeConfig = { 92 { Destination = "::/0";
99 Destination = "::/0"; 93 Gateway = "fe80::1";
100 Gateway = "fe80::1";
101 };
102 } 94 }
103 ]; 95 ];
104 extraConfig = '' 96 extraConfig = ''
@@ -114,13 +106,9 @@ in {
114 }; 106 };
115 address = ["${prefix6}::/96" "${prefix4}.0/32"]; 107 address = ["${prefix6}::/96" "${prefix4}.0/32"];
116 routes = [ 108 routes = [
117 { routeConfig = { 109 { Destination = "${prefix6}::/80";
118 Destination = "${prefix6}::/80";
119 };
120 } 110 }
121 { routeConfig = { 111 { Destination = "${prefix4}.0/24";
122 Destination = "${prefix4}.0/24";
123 };
124 } 112 }
125 ]; 113 ];
126 linkConfig = { 114 linkConfig = {
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index ea200f5c..440829bb 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -377,6 +377,7 @@ with lib;
377 377
378 environment.systemPackages = with pkgs; [iotop vmtouch]; 378 environment.systemPackages = with pkgs; [iotop vmtouch];
379 379
380 systemd.sysusers.enable = false;
380 system.stateVersion = "21.05"; 381 system.stateVersion = "21.05";
381 }; 382 };
382} 383}
diff --git a/hosts/vidhar/network/bifrost/default.nix b/hosts/vidhar/network/bifrost/default.nix
index ec354f81..59550481 100644
--- a/hosts/vidhar/network/bifrost/default.nix
+++ b/hosts/vidhar/network/bifrost/default.nix
@@ -18,12 +18,10 @@ in {
18 ListenPort = 51822; 18 ListenPort = 51822;
19 }; 19 };
20 wireguardPeers = [ 20 wireguardPeers = [
21 { wireguardPeerConfig = { 21 { AllowedIPs = [ "::/0" ];
22 AllowedIPs = [ "::/0" ]; 22 PublicKey = trim (readFile ../../../surtr/bifrost/surtr.pub);
23 PublicKey = trim (readFile ../../../surtr/bifrost/surtr.pub); 23 PersistentKeepalive = 5;
24 PersistentKeepalive = 5; 24 Endpoint = "2a03:4000:52:ada:::51822";
25 Endpoint = "2a03:4000:52:ada:::51822";
26 };
27 } 25 }
28 ]; 26 ];
29 }; 27 };
@@ -36,35 +34,25 @@ in {
36 }; 34 };
37 address = ["2a03:4000:52:ada:4:1::/96"]; 35 address = ["2a03:4000:52:ada:4:1::/96"];
38 routes = [ 36 routes = [
39 { routeConfig = { 37 { Destination = "2a03:4000:52:ada:4::/80";
40 Destination = "2a03:4000:52:ada:4::/80";
41 };
42 } 38 }
43 { routeConfig = { 39 { Gateway = "2a03:4000:52:ada:4::";
44 Gateway = "2a03:4000:52:ada:4::"; 40 GatewayOnLink = true;
45 GatewayOnLink = true; 41 Table = "bifrost";
46 Table = "bifrost";
47 };
48 } 42 }
49 { routeConfig = { 43 { Destination = "2a03:4000:52:ada:4::/80";
50 Destination = "2a03:4000:52:ada:4::/80"; 44 GatewayOnLink = true;
51 GatewayOnLink = true; 45 Table = "bifrost";
52 Table = "bifrost";
53 };
54 } 46 }
55 { routeConfig = { 47 { Destination = "2a03:4000:52:ada:4:1::/96";
56 Destination = "2a03:4000:52:ada:4:1::/96"; 48 GatewayOnLink = true;
57 GatewayOnLink = true; 49 Table = "bifrost";
58 Table = "bifrost";
59 };
60 } 50 }
61 ]; 51 ];
62 routingPolicyRules = [ 52 routingPolicyRules = [
63 { routingPolicyRuleConfig = { 53 { Table = "bifrost";
64 Table = "bifrost"; 54 From = "2a03:4000:52:ada:4:1::/96";
65 From = "2a03:4000:52:ada:4:1::/96"; 55 Priority = 1;
66 Priority = 1;
67 };
68 } 56 }
69 ]; 57 ];
70 linkConfig = { 58 linkConfig = {
diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
index e961c17e..4a792851 100644
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -89,22 +89,21 @@ with lib;
89 }; 89 };
90 }; 90 };
91 91
92 services.nfs.server = { 92 services.nfs = {
93 enable = true; 93 server = {
94 createMountPoints = true; 94 enable = true;
95 95 createMountPoints = true;
96 statdPort = 4000; 96
97 lockdPort = 4001; 97 statdPort = 4000;
98 mountdPort = 4002; 98 lockdPort = 4001;
99 99 mountdPort = 4002;
100 extraNfsdConfig = '' 100
101 vers3=off 101 exports = ''
102 ''; 102 /srv/nfs 10.141.0.0/24(ro,async,root_squash,fsid=0) 2a03:4000:52:ada:1::/80(ro,async,root_squash,fsid=0)
103 103 /srv/nfs/nix-store 10.141.0.0/24(ro,async,root_squash) 2a03:4000:52:ada:1::/80(ro,async,root_squash)
104 exports = '' 104 '';
105 /srv/nfs 10.141.0.0/24(ro,async,root_squash,fsid=0) 2a03:4000:52:ada:1::/80(ro,async,root_squash,fsid=0) 105 };
106 /srv/nfs/nix-store 10.141.0.0/24(ro,async,root_squash) 2a03:4000:52:ada:1::/80(ro,async,root_squash) 106 settings.nfsd.vers3 = false;
107 '';
108 }; 107 };
109 108
110 fileSystems = { 109 fileSystems = {
diff --git a/installer/default.nix b/installer/default.nix
index 4fa2c2ab..e9d9fa1a 100644
--- a/installer/default.nix
+++ b/installer/default.nix
@@ -55,6 +55,8 @@ with lib;
55 55
56 services.getty.autologinUser = lib.mkForce null; 56 services.getty.autologinUser = lib.mkForce null;
57 57
58 system.disableInstallerTools = false;
59
58 system.stateVersion = config.system.nixos.release; # No state in installer 60 system.stateVersion = config.system.nixos.release; # No state in installer
59 }; 61 };
60} 62}
diff --git a/modules/borgcopy/default.nix b/modules/borgcopy/default.nix
index afc6c37b..475edbd9 100644
--- a/modules/borgcopy/default.nix
+++ b/modules/borgcopy/default.nix
@@ -61,33 +61,40 @@ in {
61 options = { 61 options = {
62 from = mkOption { 62 from = mkOption {
63 type = types.str; 63 type = types.str;
64 description = "Copy from this repository";
64 }; 65 };
65 to = mkOption { 66 to = mkOption {
66 type = types.str; 67 type = types.str;
68 description = "Copy to this repository";
67 }; 69 };
68 70
69 verbosity = mkOption { 71 verbosity = mkOption {
70 type = types.int; 72 type = types.int;
71 default = 3; 73 default = 3;
74 description = "Set verbosity";
72 }; 75 };
73 76
74 sshConfig = mkOption { 77 sshConfig = mkOption {
75 type = with types; nullOr str; 78 type = with types; nullOr str;
76 default = null; 79 default = null;
80 description = "SSH client configuration";
77 }; 81 };
78 82
79 keyfile = mkOption { 83 keyfile = mkOption {
80 type = with types; nullOr str; 84 type = with types; nullOr str;
81 default = null; 85 default = null;
86 description = "Keyfile to pass to borg";
82 }; 87 };
83 88
84 unknownUnencryptedRepoAccessOk = mkOption { 89 unknownUnencryptedRepoAccessOk = mkOption {
85 type = types.bool; 90 type = types.bool;
86 default = false; 91 default = false;
92 description = "Set `BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK`?";
87 }; 93 };
88 hostnameIsUnique = mkOption { 94 hostnameIsUnique = mkOption {
89 type = types.bool; 95 type = types.bool;
90 default = true; 96 default = true;
97 description = "Set `BORG_HOSTNAME_IS_UNIQUE`?";
91 }; 98 };
92 99
93 timerOptions = mkOption { 100 timerOptions = mkOption {
@@ -96,10 +103,12 @@ in {
96 default = { 103 default = {
97 wantedBy = ["timers.target"]; 104 wantedBy = ["timers.target"];
98 }; 105 };
106 description = "Systemd timer options";
99 }; 107 };
100 }; 108 };
101 }); 109 });
102 default = {}; 110 default = {};
111 description = "Copy borg archives from one repository to another";
103 }; 112 };
104 }; 113 };
105 114
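Review bot: The description added for `unknownUnencryptedRepoAccessOk` only names the environment variable and does not say what setting it to `true` gives up: `BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK` makes borg accept a repository it has never seen before even though that repository is unencrypted, which is the safeguard against an encrypted repository being swapped for an unencrypted one on the remote side. Suggest `description = "Set BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK, i.e. let borg open a previously unknown repository that turns out to be unencrypted. This disables a borg safety check; only enable it for repositories that are known to be unencrypted.";`. The `hostnameIsUnique` description should likewise say that `true` lets borg remove stale locks created under this hostname, so it must be `false` when several hosts share a hostname against the same repository. The code that turns these options into environment variables is outside the hunk, so I cannot confirm how `keyfile` is passed; the description should name the variable once that is checked.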
diff --git a/modules/build-client.nix b/modules/build-client.nix
index 9924b751..6322e6c0 100644
--- a/modules/build-client.nix
+++ b/modules/build-client.nix
@@ -15,6 +15,7 @@ in {
15 options = { 15 options = {
16 address = mkOption { 16 address = mkOption {
17 type = types.str; 17 type = types.str;
18 description = "Address of buildserver";
18 }; 19 };
19 20
20 system = mkOption { 21 system = mkOption {
@@ -82,10 +83,11 @@ in {
82 }; 83 };
83 }); 84 });
84 default = {}; 85 default = {};
86 description = "Buildservers to use";
85 }; 87 };
86 }; 88 };
87 }; 89 };
88 90
89 config = mkIf (cfg != {}) { 91 config = mkIf (cfg != {}) {
90 programs.ssh.extraConfig = concatMapStringsSep "\n" ({ name, value }: '' 92 programs.ssh.extraConfig = concatMapStringsSep "\n" ({ name, value }: ''
91 Host ${buildHostName name} 93 Host ${buildHostName name}
diff --git a/modules/certspotter.nix b/modules/certspotter.nix
deleted file mode 100644
index ff7ff7c2..00000000
--- a/modules/certspotter.nix
+++ /dev/null
@@ -1,67 +0,0 @@
1{ config, pkgs, lib, ... }:
2
3with lib;
4
5let
6 cfg = config.services.certspotter;
7
8 script = pkgs.writeShellApplication {
9 name = "certspotter-script";
10 runtimeInputs = with pkgs; [ coreutils ];
11 text = ''
12 mkdir -p "''${LOGS_DIRECTORY}"
13 env > "$(mktemp -p "''${LOGS_DIRECTORY}" "$(date -Iseconds).''${PUBKEY_HASH:-na}.XXXXXXXXXX.env")"
14 '';
15 };
16
17 startOptions = cfg.extraOptions
18 ++ optionals (cfg.logs != null) ["-logs" cfg.logs]
19 ++ ["-watchlist" (pkgs.writeText "watchlist" (concatStringsSep "\n" cfg.watchList))
20 "-script" "${script}/bin/certspotter-script"
21 ];
22
23 startScript = pkgs.writeShellApplication {
24 name = "certspotter-start";
25 runtimeInputs = [ pkgs.coreutils cfg.package ];
26 text = ''
27 rm -f "''${STATE_DIRECTORY}/lock"
28 exec -- certspotter -state_dir "''${STATE_DIRECTORY}" ${escapeShellArgs startOptions}
29 '';
30 };
31in {
32 options = {
33 services.certspotter = {
34 watchList = mkOption {
35 type = types.listOf types.str;
36 default = [];
37 };
38
39 logs = mkOption {
40 type = types.nullOr types.str;
41 default = null;
42 };
43
44 extraOptions = mkOption {
45 type = types.listOf types.str;
46 default = [ "-verbose" ];
47 };
48
49 package = mkPackageOption pkgs "certspotter" {};
50 };
51 };
52
53 config = mkIf (cfg.watchList != []) {
54 systemd.services.certspotter = {
55 serviceConfig = {
56 Type = "oneshot";
57 ExecStart = "${startScript}/bin/certspotter-start";
58 StateDirectory = "certspotter";
59 LogsDirectory = "certspotter";
60 DynamicUser = true;
61
62 CPUSchedulingPolicy = "idle";
63 IOSchedulingClass = "idle";
64 };
65 };
66 };
67}
diff --git a/modules/coturn.nix b/modules/coturn.nix
index faa4b5a2..d73d1bba 100644
--- a/modules/coturn.nix
+++ b/modules/coturn.nix
@@ -42,11 +42,11 @@ in {
42 42
43 options = { 43 options = {
44 services.coturn = { 44 services.coturn = {
45 enable = mkEnableOption (lib.mdDoc "coturn TURN server"); 45 enable = mkEnableOption "coturn TURN server";
46 listening-port = mkOption { 46 listening-port = mkOption {
47 type = types.int; 47 type = types.int;
48 default = 3478; 48 default = 3478;
49 description = lib.mdDoc '' 49 description = ''
50 TURN listener port for UDP and TCP. 50 TURN listener port for UDP and TCP.
51 Note: actually, TLS and DTLS sessions can connect to the 51 Note: actually, TLS and DTLS sessions can connect to the
52 "plain" TCP and UDP port(s), too - if allowed by configuration. 52 "plain" TCP and UDP port(s), too - if allowed by configuration.
@@ -55,7 +55,7 @@ in {
55 tls-listening-port = mkOption { 55 tls-listening-port = mkOption {
56 type = types.int; 56 type = types.int;
57 default = 5349; 57 default = 5349;
58 description = lib.mdDoc '' 58 description = ''
59 TURN listener port for TLS. 59 TURN listener port for TLS.
60 Note: actually, "plain" TCP and UDP sessions can connect to the TLS and 60 Note: actually, "plain" TCP and UDP sessions can connect to the TLS and
61 DTLS port(s), too - if allowed by configuration. The TURN server 61 DTLS port(s), too - if allowed by configuration. The TURN server
@@ -71,7 +71,7 @@ in {
71 type = types.int; 71 type = types.int;
72 default = cfg.listening-port + 1; 72 default = cfg.listening-port + 1;
73 defaultText = literalExpression "listening-port + 1"; 73 defaultText = literalExpression "listening-port + 1";
74 description = lib.mdDoc '' 74 description = ''
75 Alternative listening port for UDP and TCP listeners; 75 Alternative listening port for UDP and TCP listeners;
76 default (or zero) value means "listening port plus one". 76 default (or zero) value means "listening port plus one".
77 This is needed for RFC 5780 support 77 This is needed for RFC 5780 support
@@ -86,7 +86,7 @@ in {
86 type = types.int; 86 type = types.int;
87 default = cfg.tls-listening-port + 1; 87 default = cfg.tls-listening-port + 1;
88 defaultText = literalExpression "tls-listening-port + 1"; 88 defaultText = literalExpression "tls-listening-port + 1";
89 description = lib.mdDoc '' 89 description = ''
90 Alternative listening port for TLS and DTLS protocols. 90 Alternative listening port for TLS and DTLS protocols.
91 ''; 91 '';
92 }; 92 };
@@ -94,7 +94,7 @@ in {
94 type = types.listOf types.str; 94 type = types.listOf types.str;
95 default = []; 95 default = [];
96 example = [ "203.0.113.42" "2001:DB8::42" ]; 96 example = [ "203.0.113.42" "2001:DB8::42" ];
97 description = lib.mdDoc '' 97 description = ''
98 Listener IP addresses of relay server. 98 Listener IP addresses of relay server.
99 If no IP(s) specified in the config file or in the command line options, 99 If no IP(s) specified in the config file or in the command line options,
100 then all IPv4 and IPv6 system IPs will be used for listening. 100 then all IPv4 and IPv6 system IPs will be used for listening.
@@ -104,7 +104,7 @@ in {
104 type = types.listOf types.str; 104 type = types.listOf types.str;
105 default = []; 105 default = [];
106 example = [ "203.0.113.42" "2001:DB8::42" ]; 106 example = [ "203.0.113.42" "2001:DB8::42" ];
107 description = lib.mdDoc '' 107 description = ''
108 Relay address (the local IP address that will be used to relay the 108 Relay address (the local IP address that will be used to relay the
109 packets to the peer). 109 packets to the peer).
110 Multiple relay addresses may be used. 110 Multiple relay addresses may be used.
@@ -120,28 +120,28 @@ in {
120 min-port = mkOption { 120 min-port = mkOption {
121 type = types.int; 121 type = types.int;
122 default = 49152; 122 default = 49152;
123 description = lib.mdDoc '' 123 description = ''
124 Lower bound of UDP relay endpoints 124 Lower bound of UDP relay endpoints
125 ''; 125 '';
126 }; 126 };
127 max-port = mkOption { 127 max-port = mkOption {
128 type = types.int; 128 type = types.int;
129 default = 65535; 129 default = 65535;
130 description = lib.mdDoc '' 130 description = ''
131 Upper bound of UDP relay endpoints 131 Upper bound of UDP relay endpoints
132 ''; 132 '';
133 }; 133 };
134 lt-cred-mech = mkOption { 134 lt-cred-mech = mkOption {
135 type = types.bool; 135 type = types.bool;
136 default = false; 136 default = false;
137 description = lib.mdDoc '' 137 description = ''
138 Use long-term credential mechanism. 138 Use long-term credential mechanism.
139 ''; 139 '';
140 }; 140 };
141 no-auth = mkOption { 141 no-auth = mkOption {
142 type = types.bool; 142 type = types.bool;
143 default = false; 143 default = false;
144 description = lib.mdDoc '' 144 description = ''
145 This option is opposite to lt-cred-mech. 145 This option is opposite to lt-cred-mech.
146 (TURN Server with no-auth option allows anonymous access). 146 (TURN Server with no-auth option allows anonymous access).
147 If neither option is defined, and no users are defined, 147 If neither option is defined, and no users are defined,
@@ -153,7 +153,7 @@ in {
153 use-auth-secret = mkOption { 153 use-auth-secret = mkOption {
154 type = types.bool; 154 type = types.bool;
155 default = false; 155 default = false;
156 description = lib.mdDoc '' 156 description = ''
157 TURN REST API flag. 157 TURN REST API flag.
158 Flag that sets a special authorization option that is based upon authentication secret. 158 Flag that sets a special authorization option that is based upon authentication secret.
159 This feature can be used with the long-term authentication mechanism, only. 159 This feature can be used with the long-term authentication mechanism, only.
@@ -177,7 +177,7 @@ in {
177 static-auth-secret = mkOption { 177 static-auth-secret = mkOption {
178 type = types.nullOr types.str; 178 type = types.nullOr types.str;
179 default = null; 179 default = null;
180 description = lib.mdDoc '' 180 description = ''
181 'Static' authentication secret value (a string) for TURN REST API only. 181 'Static' authentication secret value (a string) for TURN REST API only.
182 If not set, then the turn server 182 If not set, then the turn server
183 will try to use the 'dynamic' value in turn_secret table 183 will try to use the 'dynamic' value in turn_secret table
@@ -188,7 +188,7 @@ in {
188 static-auth-secret-file = mkOption { 188 static-auth-secret-file = mkOption {
189 type = types.nullOr types.str; 189 type = types.nullOr types.str;
190 default = null; 190 default = null;
191 description = lib.mdDoc '' 191 description = ''
192 Path to the file containing the static authentication secret. 192 Path to the file containing the static authentication secret.
193 ''; 193 '';
194 }; 194 };
@@ -197,7 +197,7 @@ in {
197 default = config.networking.hostName; 197 default = config.networking.hostName;
198 defaultText = literalExpression "config.networking.hostName"; 198 defaultText = literalExpression "config.networking.hostName";
199 example = "example.com"; 199 example = "example.com";
200 description = lib.mdDoc '' 200 description = ''
201 The default realm to be used for the users when no explicit 201 The default realm to be used for the users when no explicit
202 origin/realm relationship was found in the database, or if the TURN 202 origin/realm relationship was found in the database, or if the TURN
203 server is not using any database (just the commands-line settings 203 server is not using any database (just the commands-line settings
@@ -209,7 +209,7 @@ in {
209 type = types.nullOr types.str; 209 type = types.nullOr types.str;
210 default = null; 210 default = null;
211 example = "/var/lib/acme/example.com/fullchain.pem"; 211 example = "/var/lib/acme/example.com/fullchain.pem";
212 description = lib.mdDoc '' 212 description = ''
213 Certificate file in PEM format. 213 Certificate file in PEM format.
214 ''; 214 '';
215 }; 215 };
@@ -217,21 +217,21 @@ in {
217 type = types.nullOr types.str; 217 type = types.nullOr types.str;
218 default = null; 218 default = null;
219 example = "/var/lib/acme/example.com/key.pem"; 219 example = "/var/lib/acme/example.com/key.pem";
220 description = lib.mdDoc '' 220 description = ''
221 Private key file in PEM format. 221 Private key file in PEM format.
222 ''; 222 '';
223 }; 223 };
224 dh-file = mkOption { 224 dh-file = mkOption {
225 type = types.nullOr types.str; 225 type = types.nullOr types.str;
226 default = null; 226 default = null;
227 description = lib.mdDoc '' 227 description = ''
228 Use custom DH TLS key, stored in PEM format in the file. 228 Use custom DH TLS key, stored in PEM format in the file.
229 ''; 229 '';
230 }; 230 };
231 secure-stun = mkOption { 231 secure-stun = mkOption {
232 type = types.bool; 232 type = types.bool;
233 default = false; 233 default = false;
234 description = lib.mdDoc '' 234 description = ''
235 Require authentication of the STUN Binding request. 235 Require authentication of the STUN Binding request.
236 By default, the clients are allowed anonymous access to the STUN Binding functionality. 236 By default, the clients are allowed anonymous access to the STUN Binding functionality.
237 ''; 237 '';
@@ -239,28 +239,28 @@ in {
239 no-cli = mkOption { 239 no-cli = mkOption {
240 type = types.bool; 240 type = types.bool;
241 default = false; 241 default = false;
242 description = lib.mdDoc '' 242 description = ''
243 Turn OFF the CLI support. 243 Turn OFF the CLI support.
244 ''; 244 '';
245 }; 245 };
246 cli-ip = mkOption { 246 cli-ip = mkOption {
247 type = types.str; 247 type = types.str;
248 default = "127.0.0.1"; 248 default = "127.0.0.1";
249 description = lib.mdDoc '' 249 description = ''
250 Local system IP address to be used for CLI server endpoint. 250 Local system IP address to be used for CLI server endpoint.
251 ''; 251 '';
252 }; 252 };
253 cli-port = mkOption { 253 cli-port = mkOption {
254 type = types.int; 254 type = types.int;
255 default = 5766; 255 default = 5766;
256 description = lib.mdDoc '' 256 description = ''
257 CLI server port. 257 CLI server port.
258 ''; 258 '';
259 }; 259 };
260 cli-password = mkOption { 260 cli-password = mkOption {
261 type = types.nullOr types.str; 261 type = types.nullOr types.str;
262 default = null; 262 default = null;
263 description = lib.mdDoc '' 263 description = ''
264 CLI access password. 264 CLI access password.
265 For the security reasons, it is recommended to use the encrypted 265 For the security reasons, it is recommended to use the encrypted
266 for of the password (see the -P command in the turnadmin utility). 266 for of the password (see the -P command in the turnadmin utility).
@@ -269,37 +269,37 @@ in {
269 no-udp = mkOption { 269 no-udp = mkOption {
270 type = types.bool; 270 type = types.bool;
271 default = false; 271 default = false;
272 description = lib.mdDoc "Disable UDP client listener"; 272 description = "Disable UDP client listener";
273 }; 273 };
274 no-tcp = mkOption { 274 no-tcp = mkOption {
275 type = types.bool; 275 type = types.bool;
276 default = false; 276 default = false;
277 description = lib.mdDoc "Disable TCP client listener"; 277 description = "Disable TCP client listener";
278 }; 278 };
279 no-tls = mkOption { 279 no-tls = mkOption {
280 type = types.bool; 280 type = types.bool;
281 default = false; 281 default = false;
282 description = lib.mdDoc "Disable TLS client listener"; 282 description = "Disable TLS client listener";
283 }; 283 };
284 no-dtls = mkOption { 284 no-dtls = mkOption {
285 type = types.bool; 285 type = types.bool;
286 default = false; 286 default = false;
287 description = lib.mdDoc "Disable DTLS client listener"; 287 description = "Disable DTLS client listener";
288 }; 288 };
289 no-udp-relay = mkOption { 289 no-udp-relay = mkOption {
290 type = types.bool; 290 type = types.bool;
291 default = false; 291 default = false;
292 description = lib.mdDoc "Disable UDP relay endpoints"; 292 description = "Disable UDP relay endpoints";
293 }; 293 };
294 no-tcp-relay = mkOption { 294 no-tcp-relay = mkOption {
295 type = types.bool; 295 type = types.bool;
296 default = false; 296 default = false;
297 description = lib.mdDoc "Disable TCP relay endpoints"; 297 description = "Disable TCP relay endpoints";
298 }; 298 };
299 extraConfig = mkOption { 299 extraConfig = mkOption {
300 type = types.lines; 300 type = types.lines;
301 default = ""; 301 default = "";
302 description = lib.mdDoc "Additional configuration options"; 302 description = "Additional configuration options";
303 }; 303 };
304 }; 304 };
305 }; 305 };
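Review bot: The rewritten description of `static-auth-secret` should carry the caveat that a value given here is presumably rendered into the generated turnserver configuration and therefore lands in the world-readable Nix store, which is why `static-auth-secret-file` exists; the same applies to `cli-password`. Suggest appending to the `static-auth-secret` description `Prefer static-auth-secret-file: a value set here is written to the Nix store and readable by every local user.`. The config rendering is outside the hunk, so confirm that is where the option is substituted before wording it as fact. The `lib.mdDoc` removal itself looks mechanical and complete for the lines shown.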
diff --git a/modules/envfs.nix b/modules/envfs.nix
index ff992b61..b5b453a5 100644
--- a/modules/envfs.nix
+++ b/modules/envfs.nix
@@ -26,9 +26,9 @@ in {
26 26
27 options = { 27 options = {
28 services.envfs = { 28 services.envfs = {
29 enable = lib.mkEnableOption (lib.mdDoc "Envfs filesystem") // { 29 enable = lib.mkEnableOption "Envfs filesystem" // {
30 default = true; 30 default = true;
31 description = lib.mdDoc '' 31 description = ''
32 Fuse filesystem that returns symlinks to executables based on the PATH 32 Fuse filesystem that returns symlinks to executables based on the PATH
33 of the requesting process. This is useful to execute shebangs on NixOS 33 of the requesting process. This is useful to execute shebangs on NixOS
34 that assume hard coded locations in locations like /bin or /usr/bin 34 that assume hard coded locations in locations like /bin or /usr/bin
@@ -40,7 +40,7 @@ in {
40 type = lib.types.package; 40 type = lib.types.package;
41 default = pkgs.envfs; 41 default = pkgs.envfs;
42 defaultText = lib.literalExpression "pkgs.envfs"; 42 defaultText = lib.literalExpression "pkgs.envfs";
43 description = lib.mdDoc "Which package to use for the envfs."; 43 description = "Which package to use for the envfs.";
44 }; 44 };
45 45
46 paths = lib.mkOption { 46 paths = lib.mkOption {
@@ -60,7 +60,7 @@ in {
60 ''') 60 ''')
61 ] 61 ]
62 ''; 62 '';
63 description = lib.mdDoc "Extra packages to join into collection of fallback executables in case not other executable is found"; 63 description = "Extra packages to join into collection of fallback executables in case not other executable is found";
64 }; 64 };
65 }; 65 };
66 }; 66 };
diff --git a/modules/etebase-server.nix b/modules/etebase-server.nix
deleted file mode 100644
index 341e7fa0..00000000
--- a/modules/etebase-server.nix
+++ /dev/null
@@ -1,228 +0,0 @@
1{ config, pkgs, lib, ... }:
2
3with lib;
4
5let
6 cfg = config.services.etebase-server;
7
8 pythonEnv = pkgs.python3.withPackages (ps: with ps;
9 [ etebase-server daphne psycopg2 ]);
10
11 iniFmt = pkgs.formats.ini {};
12
13 configIni = iniFmt.generate "etebase-server.ini" cfg.settings;
14
15 defaultUser = "etebase-server";
16in
17{
18 disabledModules = [ "services/misc/etebase-server.nix" ];
19
20 imports = [
21 (mkRemovedOptionModule
22 [ "services" "etebase-server" "customIni" ]
23 "Set the option `services.etebase-server.settings' instead.")
24 (mkRemovedOptionModule
25 [ "services" "etebase-server" "database" ]
26 "Set the option `services.etebase-server.settings.database' instead.")
27 (mkRenamedOptionModule
28 [ "services" "etebase-server" "secretFile" ]
29 [ "services" "etebase-server" "settings" "secret_file" ])
30 (mkRenamedOptionModule
31 [ "services" "etebase-server" "host" ]
32 [ "services" "etebase-server" "settings" "allowed_hosts" "allowed_host1" ])
33 ];
34
35 options = {
36 services.etebase-server = {
37 enable = mkOption {
38 type = types.bool;
39 default = false;
40 example = true;
41 description = lib.mdDoc ''
42 Whether to enable the Etebase server.
43
44 Once enabled you need to create an admin user by invoking the
45 shell command `etebase-server createsuperuser` with
46 the user specified by the `user` option or a superuser.
47 Then you can login and create accounts on your-etebase-server.com/admin
48 '';
49 };
50
51 dataDir = mkOption {
52 type = types.str;
53 default = "/var/lib/etebase-server";
54 description = lib.mdDoc "Directory to store the Etebase server data.";
55 };
56
57 port = mkOption {
58 type = with types; nullOr port;
59 default = 8001;
60 description = lib.mdDoc "Port to listen on.";
61 };
62
63 openFirewall = mkOption {
64 type = types.bool;
65 default = false;
66 description = lib.mdDoc ''
67 Whether to open ports in the firewall for the server.
68 '';
69 };
70
71 unixSocket = mkOption {
72 type = with types; nullOr str;
73 default = null;
74 description = lib.mdDoc "The path to the socket to bind to.";
75 example = "/run/etebase-server/etebase-server.sock";
76 };
77
78 settings = mkOption {
79 type = lib.types.submodule {
80 freeformType = iniFmt.type;
81
82 options = {
83 global = {
84 debug = mkOption {
85 type = types.bool;
86 default = false;
87 description = lib.mdDoc ''
88 Whether to set django's DEBUG flag.
89 '';
90 };
91 secret_file = mkOption {
92 type = with types; nullOr str;
93 default = null;
94 description = lib.mdDoc ''
95 The path to a file containing the secret
96 used as django's SECRET_KEY.
97 '';
98 };
99 static_root = mkOption {
100 type = types.str;
101 default = "${cfg.dataDir}/static";
102 defaultText = literalExpression ''"''${config.services.etebase-server.dataDir}/static"'';
103 description = lib.mdDoc "The directory for static files.";
104 };
105 media_root = mkOption {
106 type = types.str;
107 default = "${cfg.dataDir}/media";
108 defaultText = literalExpression ''"''${config.services.etebase-server.dataDir}/media"'';
109 description = lib.mdDoc "The media directory.";
110 };
111 };
112 allowed_hosts = {
113 allowed_host1 = mkOption {
114 type = types.str;
115 default = "0.0.0.0";
116 example = "localhost";
117 description = lib.mdDoc ''
118 The main host that is allowed access.
119 '';
120 };
121 };
122 database = {
123 engine = mkOption {
124 type = types.enum [ "django.db.backends.sqlite3" "django.db.backends.postgresql" ];
125 default = "django.db.backends.sqlite3";
126 description = lib.mdDoc "The database engine to use.";
127 };
128 name = mkOption {
129 type = types.str;
130 default = "${cfg.dataDir}/db.sqlite3";
131 defaultText = literalExpression ''"''${config.services.etebase-server.dataDir}/db.sqlite3"'';
132 description = lib.mdDoc "The database name.";
133 };
134 };
135 };
136 };
137 default = {};
138 description = lib.mdDoc ''
139 Configuration for `etebase-server`. Refer to
140 <https://github.com/etesync/server/blob/master/etebase-server.ini.example>
141 and <https://github.com/etesync/server/wiki>
142 for details on supported values.
143 '';
144 example = {
145 global = {
146 debug = true;
147 media_root = "/path/to/media";
148 };
149 allowed_hosts = {
150 allowed_host2 = "localhost";
151 };
152 };
153 };
154
155 user = mkOption {
156 type = types.str;
157 default = defaultUser;
158 description = lib.mdDoc "User under which Etebase server runs.";
159 };
160 };
161 };
162
163 config = mkIf cfg.enable {
164
165 environment.systemPackages = with pkgs; [
166 (runCommand "etebase-server" {
167 nativeBuildInputs = [ makeWrapper ];
168 } ''
169 makeWrapper ${pythonEnv}/bin/etebase-server \
170 $out/bin/etebase-server \
171 --chdir ${escapeShellArg cfg.dataDir} \
172 --prefix ETEBASE_EASY_CONFIG_PATH : "${configIni}"
173 '')
174 ];
175
176 systemd.tmpfiles.rules = [
177 "d '${cfg.dataDir}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -"
178 ];
179
180 systemd.services.etebase-server = {
181 description = "An Etebase (EteSync 2.0) server";
182 after = [ "network.target" "systemd-tmpfiles-setup.service" ];
183 wantedBy = [ "multi-user.target" ];
184 path = [ pythonEnv ];
185 serviceConfig = {
186 User = cfg.user;
187 Restart = "always";
188 WorkingDirectory = cfg.dataDir;
189 };
190 environment = {
191 ETEBASE_EASY_CONFIG_PATH = configIni;
192 };
193 preStart = ''
194 # Auto-migrate on first run or if the package has changed
195 versionFile="${cfg.dataDir}/src-version"
196 if [[ $(cat "$versionFile" 2>/dev/null) != ${pkgs.etebase-server} ]]; then
197 etebase-server migrate --no-input
198 etebase-server collectstatic --no-input --clear
199 echo ${pkgs.etebase-server} > "$versionFile"
200 fi
201 '';
202 script =
203 let
204 networking = if cfg.unixSocket != null
205 then "-u ${cfg.unixSocket}"
206 else "-b 0.0.0.0 -p ${toString cfg.port}";
207 in ''
208 cd "${pythonEnv}/lib/etebase-server";
209 daphne ${networking} \
210 etebase_server.asgi:application
211 '';
212 };
213
214 users = optionalAttrs (cfg.user == defaultUser) {
215 users.${defaultUser} = {
216 isSystemUser = true;
217 group = defaultUser;
218 home = cfg.dataDir;
219 };
220
221 groups.${defaultUser} = {};
222 };
223
224 networking.firewall = mkIf cfg.openFirewall {
225 allowedTCPPorts = [ cfg.port ];
226 };
227 };
228}
diff --git a/modules/home-manager.nix b/modules/home-manager.nix
index ebe3e153..c485dd99 100644
--- a/modules/home-manager.nix
+++ b/modules/home-manager.nix
@@ -8,6 +8,9 @@ with lib;
8 type = types.bool; 8 type = types.bool;
9 default = true; 9 default = true;
10 example = true; 10 example = true;
11 description = ''
12 Are we using home-manager version that starts late as systemd user service?
13 '';
11 }; 14 };
12 }; 15 };
13} 16}
diff --git a/modules/knot.nix b/modules/knot.nix
index a4691324..f7165029 100644
--- a/modules/knot.nix
+++ b/modules/knot.nix
@@ -81,6 +81,7 @@ in {
81 81
82 cliWrappers = mkOption { 82 cliWrappers = mkOption {
83 readOnly = true; 83 readOnly = true;
84 internal = true;
84 type = types.package; 85 type = types.package;
85 default = knot-cli-wrappers; 86 default = knot-cli-wrappers;
86 defaultText = "knot-cli-wrappers"; 87 defaultText = "knot-cli-wrappers";
diff --git a/modules/netns.nix b/modules/netns.nix
index dca3c0db..79dc123b 100644
--- a/modules/netns.nix
+++ b/modules/netns.nix
@@ -125,6 +125,13 @@ in {
125 containers = mkOption { 125 containers = mkOption {
126 default = {}; 126 default = {};
127 type = types.attrsOf (types.submodule containerOpts); 127 type = types.attrsOf (types.submodule containerOpts);
128 description = ''
129 A set of NixOS system configurations to be run as lightweight
130 containers. Each container appears as a service
131 `container-«name»`
132 on the host system, allowing it to be started and stopped via
133 {command}`systemctl`.
134 '';
128 }; 135 };
129 }; 136 };
130 }; 137 };
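Review bot: The description added to `containers` reads like the upstream NixOS `containers` option text (`container-«name»`, "NixOS system configurations to be run as lightweight containers"), and it is not clear that it describes what this netns module actually generates; `containerOpts` and the unit definitions are outside the hunk, so I cannot check the unit name. If the units this module creates are named differently, the `{command}`systemctl`` hint points users at a non-existent service. Suggest replacing the borrowed text with one sentence naming the unit this module really produces, e.g. `Network namespaces to set up; each entry becomes a systemd unit named after the attribute.`, adjusted to the real naming.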
diff --git a/modules/openssh.nix b/modules/openssh.nix
index 78749869..8bdc3df6 100644
--- a/modules/openssh.nix
+++ b/modules/openssh.nix
@@ -30,6 +30,7 @@ with lib;
30 "rsa-sha2-512" 30 "rsa-sha2-512"
31 "rsa-sha2-512-cert-v01@openssh.com" 31 "rsa-sha2-512-cert-v01@openssh.com"
32 ]; 32 ];
33 description = "HostKeyAlgorithms";
33 }; 34 };
34 settings.CASignatureAlgorithms = mkOption { 35 settings.CASignatureAlgorithms = mkOption {
35 type = types.str; 36 type = types.str;
@@ -43,6 +44,7 @@ with lib;
43 "rsa-sha2-512" 44 "rsa-sha2-512"
44 "rsa-sha2-256" 45 "rsa-sha2-256"
45 ]; 46 ];
47 description = "CASignatureAlgorithms";
46 }; 48 };
47 settings.PubkeyAcceptedAlgorithms = mkOption { 49 settings.PubkeyAcceptedAlgorithms = mkOption {
48 type = types.str; 50 type = types.str;
@@ -69,6 +71,7 @@ with lib;
69 "rsa-sha2-512" 71 "rsa-sha2-512"
70 "rsa-sha2-512-cert-v01@openssh.com" 72 "rsa-sha2-512-cert-v01@openssh.com"
71 ]; 73 ];
74 description = "PubkeyAcceptedAlgorithms";
72 }; 75 };
73 }; 76 };
74 }; 77 };
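Review bot: The added descriptions only repeat the option names (`description = "HostKeyAlgorithms";`), which tells a reader nothing about the effect of the explicit algorithm allow-lists these options install. Suggest one sentence per option, e.g. for the first: `Explicit HostKeyAlgorithms list written to sshd_config; algorithms not listed here are not offered, so a host key of an unlisted type is unusable.`, and for `CASignatureAlgorithms`: `Signature algorithms accepted on certificates signed by a trusted CA.`. The option declarations start above the hunk, so only the tails of the default lists are visible and the exact option path is inferred.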
diff --git a/modules/pgbackrest.nix b/modules/pgbackrest.nix
index e02849f5..886840b9 100644
--- a/modules/pgbackrest.nix
+++ b/modules/pgbackrest.nix
@@ -50,8 +50,8 @@ in {
50 package = mkPackageOption pkgs "pgbackrest" {}; 50 package = mkPackageOption pkgs "pgbackrest" {};
51 dscpPackage = mkPackageOption pkgs "libdscp" { nullable = true; default = null; }; 51 dscpPackage = mkPackageOption pkgs "libdscp" { nullable = true; default = null; };
52 52
53 dscp.archive-push = mkDSCPOption { default = 24; }; 53 dscp.archive-push = mkDSCPOption { default = 24; description = "DSCP during archive push"; };
54 dscp.backup = mkDSCPOption { default = 8; }; 54 dscp.backup = mkDSCPOption { default = 8; description = "DSCP during backup"; };
55 55
56 configurePostgresql = { 56 configurePostgresql = {
57 enable = mkEnableOption "configuring PostgreSQL for sending WAL to pgBackRest" // { 57 enable = mkEnableOption "configuring PostgreSQL for sending WAL to pgBackRest" // {
@@ -63,6 +63,7 @@ in {
63 type = types.str; 63 type = types.str;
64 default = config.networking.hostName; 64 default = config.networking.hostName;
65 defaultText = literalExpression "config.networking.hostName"; 65 defaultText = literalExpression "config.networking.hostName";
66 description = "Stanza";
66 }; 67 };
67 }; 68 };
68 69
@@ -74,23 +75,28 @@ in {
74 global.log-level-console = mkOption { 75 global.log-level-console = mkOption {
75 type = loglevelType; 76 type = loglevelType;
76 default = "detail"; 77 default = "detail";
78 description = "Log level to console";
77 }; 79 };
78 global.log-level-file = mkOption { 80 global.log-level-file = mkOption {
79 type = loglevelType; 81 type = loglevelType;
80 default = "off"; 82 default = "off";
83 description = "Log level to logfile";
81 }; 84 };
82 global.log-level-stderr = mkOption { 85 global.log-level-stderr = mkOption {
83 type = loglevelType; 86 type = loglevelType;
84 default = "warn"; 87 default = "warn";
88 description = "Log level to stderr";
85 }; 89 };
86 90
87 global.log-subprocess = mkOption { 91 global.log-subprocess = mkOption {
88 type = types.bool; 92 type = types.bool;
89 default = true; 93 default = true;
94 description = "Log subprocesses?";
90 }; 95 };
91 global.log-timestamp = mkOption { 96 global.log-timestamp = mkOption {
92 type = types.bool; 97 type = types.bool;
93 default = false; 98 default = false;
99 description = "Log timestamps?";
94 }; 100 };
95 }; 101 };
96 }; 102 };
@@ -106,10 +112,12 @@ in {
106 user = mkOption { 112 user = mkOption {
107 type = types.str; 113 type = types.str;
108 default = "postgres"; 114 default = "postgres";
115 description = "User";
109 }; 116 };
110 group = mkOption { 117 group = mkOption {
111 type = types.str; 118 type = types.str;
112 default = "postgres"; 119 default = "postgres";
120 description = "Group";
113 }; 121 };
114 }; 122 };
115 123
@@ -119,32 +127,39 @@ in {
119 type = mkOption { 127 type = mkOption {
120 type = types.enum ["full" "incr" "diff"]; 128 type = types.enum ["full" "incr" "diff"];
121 default = "full"; 129 default = "full";
130 description = "Type";
122 }; 131 };
123 132
124 stanza = mkOption { 133 stanza = mkOption {
125 type = types.str; 134 type = types.str;
126 default = cfg.configurePostgresql.stanza; 135 default = cfg.configurePostgresql.stanza;
127 defaultText = literalExpression "config.services.pgbackrest.configurePostgresql.stanza"; 136 defaultText = literalExpression "config.services.pgbackrest.configurePostgresql.stanza";
137 description = "Stanza";
128 }; 138 };
129 repo = mkOption { 139 repo = mkOption {
130 type = types.nullOr (types.strMatching "^[0-9]+$"); 140 type = types.nullOr (types.strMatching "^[0-9]+$");
141 description = "Repository number";
131 }; 142 };
132 143
133 user = mkOption { 144 user = mkOption {
134 type = types.str; 145 type = types.str;
135 default = "postgres"; 146 default = "postgres";
147 description = "User";
136 }; 148 };
137 group = mkOption { 149 group = mkOption {
138 type = types.str; 150 type = types.str;
139 default = "postgres"; 151 default = "postgres";
152 description = "Group";
140 }; 153 };
141 154
142 timerConfig = mkOption { 155 timerConfig = mkOption {
143 type = types.attrsOf unitOption; 156 type = types.attrsOf unitOption;
157 description = "Systemd timer options";
144 }; 158 };
145 }; 159 };
146 })); 160 }));
147 default = {}; 161 default = {};
162 description = "Configure backups";
148 }; 163 };
149 }; 164 };
150 }; 165 };
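Review bot: Descriptions such as `"User"`, `"Group"`, `"Type"` and `"Stanza"` satisfy the requirement that every option have a description without conveying anything; a reader still has to guess which user the backup timer runs as or what `repo` selects. Suggest e.g. `description = "Backup type passed to pgbackrest backup (full, incremental or differential)";` for `type`, `"User the backup service runs as; must be able to read the PostgreSQL data directory"` for `user`, and `"pgBackRest repository number (repoN) to back up to; null uses the default repository"` for `repo`. The `repo` option also has no default, so it is required on every backup entry; if that is intended, saying so in the description avoids an evaluation error as the only hint.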
diff --git a/modules/postfix-mta-sts-resolver.nix b/modules/postfix-mta-sts-resolver.nix
index fcbd9390..193c54fb 100644
--- a/modules/postfix-mta-sts-resolver.nix
+++ b/modules/postfix-mta-sts-resolver.nix
@@ -8,7 +8,7 @@ in {
8 options = { 8 options = {
9 services.postfix-mta-sts-resolver = { 9 services.postfix-mta-sts-resolver = {
10 enable = mkEnableOption "mta-sts-daemon"; 10 enable = mkEnableOption "mta-sts-daemon";
11 package = mkPackageOption pkgs "postfix-mta-sts-resolver"; 11 package = mkPackageOption pkgs "postfix-mta-sts-resolver" {};
12 12
13 redis = mkEnableOption "redis cache" // { default = true; example = false; }; 13 redis = mkEnableOption "redis cache" // { default = true; example = false; };
14 proactive-policy-fetching = mkEnableOption "proactive policy fetching" // { default = true; example = false; }; 14 proactive-policy-fetching = mkEnableOption "proactive policy fetching" // { default = true; example = false; };
@@ -16,10 +16,12 @@ in {
16 loglevel = mkOption { 16 loglevel = mkOption {
17 type = types.enum ["debug" "info" "warn" "error" "fatal"]; 17 type = types.enum ["debug" "info" "warn" "error" "fatal"];
18 default = "info"; 18 default = "info";
19 description = "Loglevel";
19 }; 20 };
20 21
21 settings = mkOption { 22 settings = mkOption {
22 type = types.attrs; 23 type = types.attrs;
24 description = "Settings";
23 }; 25 };
24 }; 26 };
25 }; 27 };
diff --git a/modules/postfwd.nix b/modules/postfwd.nix
index e10c04a7..3edff44d 100644
--- a/modules/postfwd.nix
+++ b/modules/postfwd.nix
@@ -12,6 +12,7 @@ in {
12 rules = mkOption { 12 rules = mkOption {
13 type = lines; 13 type = lines;
14 default = ""; 14 default = "";
15 description = "Rules";
15 }; 16 };
16 }; 17 };
17 }; 18 };
diff --git a/modules/prometheus-lvm-exporter.nix b/modules/prometheus-lvm-exporter.nix
index 7ef082c3..ad46f835 100644
--- a/modules/prometheus-lvm-exporter.nix
+++ b/modules/prometheus-lvm-exporter.nix
@@ -21,7 +21,7 @@ in {
21 openFirewall = mkOption { 21 openFirewall = mkOption {
22 type = types.bool; 22 type = types.bool;
23 default = false; 23 default = false;
24 description = lib.mdDoc '' 24 description = ''
25 Open port in firewall for incoming connections. 25 Open port in firewall for incoming connections.
26 ''; 26 '';
27 }; 27 };
@@ -31,7 +31,7 @@ in {
31 example = literalExpression '' 31 example = literalExpression ''
32 "-i eth0 -p tcp -m tcp --dport ${toString cfg.port}" 32 "-i eth0 -p tcp -m tcp --dport ${toString cfg.port}"
33 ''; 33 '';
34 description = lib.mdDoc '' 34 description = ''
35 Specify a filter for iptables to use when 35 Specify a filter for iptables to use when
36 {option}`services.prometheus.exporters.lvm.openFirewall` 36 {option}`services.prometheus.exporters.lvm.openFirewall`
37 is true. It is used as `ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept`. 37 is true. It is used as `ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept`.
diff --git a/modules/yggdrasil/default.nix b/modules/yggdrasil/default.nix
deleted file mode 100644
index f4100e73..00000000
--- a/modules/yggdrasil/default.nix
+++ /dev/null
@@ -1,50 +0,0 @@
1{ config, lib, customUtils, ... }:
2let
3 cfg = config.services.tinc.yggdrasil;
4in {
5 options = {
6 services.tinc.yggdrasil = lib.mkOption {
7 default = {};
8 type = lib.types.submodule {
9 options = {
10 enable = lib.mkEnableOption "Yggdrasil tinc network";
11
12 connect = lib.mkOption {
13 default = true;
14 type = lib.types.bool;
15 description = ''
16 Connect to central server
17 '';
18 };
19 };
20 };
21 };
22 };
23
24 config = lib.mkIf cfg.enable {
25 services.tinc.networks.yggdrasil = {
26 name = config.networking.hostName;
27 hostSettings = customUtils.nixImport { dir = ./hosts; };
28 debugLevel = 2;
29 interfaceType = "tap";
30 settings = {
31 Mode = "switch";
32 PingTimeout = 30;
33 ConnectTo = lib.mkIf cfg.connect "ymir";
34 };
35 };
36
37 sops.secrets = {
38 tinc-yggdrasil-rsa = {
39 key = "rsa";
40 path = "/etc/tinc/yggdrasil/rsa_key.priv";
41 sopsFile = ./hosts + "/${config.services.tinc.networks.yggdrasil.name}/private-keys.yaml";
42 };
43 tinc-yggdrasil-ed25519 = {
44 key = "ed25519";
45 path = "/etc/tinc/yggdrasil/rsa_key.priv";
46 sopsFile = ./hosts + "/${config.services.tinc.networks.yggdrasil.name}/private-keys.yaml";
47 };
48 };
49 };
50}
diff --git a/modules/yggdrasil/hosts/sif/default.nix b/modules/yggdrasil/hosts/sif/default.nix
deleted file mode 100644
index 32b844de..00000000
--- a/modules/yggdrasil/hosts/sif/default.nix
+++ /dev/null
@@ -1,13 +0,0 @@
1{
2 settings.Ed25519PublicKey = "qJqty+wiTNcYaHQCvQNiMqXYz30C9M3+LI/qjmU/9hK";
3 rsaPublicKey = ''
4 -----BEGIN RSA PUBLIC KEY-----
5 MIIBCgKCAQEA0ACaacg9EN0hBQct8ZwQ/i6EsXKP4DIwKwabM2rp8azValTHU2uI
6 WW6JRY+Eii6zRx9B5kJ96C4rJJeAGV6lZPAogaC2LbM7lcsZ7oRDWZGaQKcZFNGi
7 laEcDg2dRuDx1W4at0rb03SDLNPt8sXSV6BcK9n/7m7+s9cwM/+PB8FHDMnWvwbC
8 usbP23020s+CVr/PU1z/7J0y3Eat+Acut6x5X8DNewpqV96wQpqdAggbhtYERMFH
9 +i0sa1WUDQtJ6HGChbENRTMlsPJ6lnzXY+J0pzatzzvetLsOljES9uJ8dtk6qBC7
10 KRZo5lvdUwR6j9XiHMQeRerUt23b9ATFXQIDAQAB
11 -----END RSA PUBLIC KEY-----
12 '';
13}
diff --git a/modules/yggdrasil/hosts/sif/private-keys.yaml b/modules/yggdrasil/hosts/sif/private-keys.yaml
deleted file mode 100644
index 0c4274d1..00000000
--- a/modules/yggdrasil/hosts/sif/private-keys.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
1ed25519: ENC[AES256_GCM,data:1CqB4y6CIm5JUsznpXPqqLJqCKmmoAJOZQTWb7+Jbn0oZMX27qSMK4CchHF7Bmo24EK8rk5EyW5aQLnoxp/2NA62p8SXdaoI8Qgz3EgsQ5QrlJrt1jvERpNs4vttT9V6+aK3Yojr9IuQSvJ4jyKSLrzrTnLzF9pXlaOf1Ru5SxySRWtVzynzurRpdUVS6goE+lb+Irg6x2geV719iQ9bu1C2smeQDREdS+dlfoxp02/pU6kTFA7KAm5vA91HKEfMqfSEzuBgUB0=,iv:n6Yh0zZ9AbT+83P42QNO2rCCISJV5nbO9wYcwaRYD2E=,tag:dJpXV9ZzLSO1B+LsyV3vAg==,type:str]
2rsa: ENC[AES256_GCM,data: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,iv:ZUAqvOpcVCXQD2PFzUh0e2m20t6gVT3mYb7S50iV/m8=,tag:AssxMqjVUEwQ4R6Y7eG9Tg==,type:str]
3sops:
4 kms: []
5 gcp_kms: []
6 azure_kv: []
7 hc_vault: []
8 age:
9 - recipient: age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866
10 enc: |
11 -----BEGIN AGE ENCRYPTED FILE-----
12 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiTjludkxXUm5OREx4Zndk
13 czI0VmMxUE5kOHVKQ1lTL1RvQXlIQ3FhWFRVCmVXbmFqNTBDNy94RDJtakQra0lh
14 a2JrZlBxWFNVVFh6WFU3bjBwaFVIa1kKLS0tIFNObGZvVmpuQlU4SFBjZk45dlJM
15 d3VHVVZsVGlBd2craGNVbHdoeUpyVFEK/Tj9QVqAOWmAJv/PESvIOnnIbZkKof6E
16 HHaEYANQTp5kLyWaz4rfJiiQOP2bL5hDr1XV61mf6y9W8m9w4IynHg==
17 -----END AGE ENCRYPTED FILE-----
18 - recipient: age1fj65apkhfkrwyv5tx6zcs9nkjg8267fy733qph30sc7zfn7vapjqkd5kne
19 enc: |
20 -----BEGIN AGE ENCRYPTED FILE-----
21 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6L2lSdUUvSE1iUTEvdkxm
22 Nm4vV3MySWlTdldMZEw2dEhtSlZCb0wvL0VBCnJxY2dNUlJhcktQNVVOdHhPemJF
23 ZUJ3NUR0ZTRZdFkwMmExR2gwOHFlMTQKLS0tIHhLbkZQalBuNm5mRHBVQ1NNbGM4
24 YUNsNE8vbnk0RnpRbHB5azM2NmdmKzAKwUVFQHvBvGjc/mGI9lhkW86ovUVvUxok
25 O6QelapJHGP2gQ3aZBk8eFJJs7Ve+q1yiQUbO34BFFdIfRyiObmbKw==
26 -----END AGE ENCRYPTED FILE-----
27 lastmodified: "2021-01-02T14:46:16Z"
28 mac: ENC[AES256_GCM,data:Phng7z7UlE6nO3FFIQPOHgKCqDm2uOGL57ryJbokjipSSdoWPinpz0zIJv9Z67b9uOf3CQoGtV4YwcudNkzDBKOyD8uA6RYwCKpbYcZIdiy8DLL46+VT/wq9toTkeDXM6jKupzzOARZhHT8DCOLqW7u8Q3S645cbTJmw0+LMIGk=,iv:y4KEh0+bKhtnSobKVdfaPuRsueNC1lcrEbUGfEAn+Bg=,tag:3Oi4e/hSgPVsoFQpnVQj+g==,type:str]
29 pgp: []
30 unencrypted_suffix: _unencrypted
31 version: 3.6.1
diff --git a/modules/yggdrasil/hosts/ymir.nix b/modules/yggdrasil/hosts/ymir.nix
deleted file mode 100644
index b77a9216..00000000
--- a/modules/yggdrasil/hosts/ymir.nix
+++ /dev/null
@@ -1,19 +0,0 @@
1{
2 addresses = [{ address = "ymir.yggdrasil.li"; }];
3 settings.Ed25519PublicKey = "b/SobnMqByzHOQeO+iU7OZ1liD8a++knbi5ebNawnaC";
4 rsaPublicKey = ''
5 -----BEGIN RSA PUBLIC KEY-----
6 MIICCgKCAgEAuInSfQf5euFXEVkLLzf9TumQJ+3WRsxX4uKdOXBqrIC7yjSBP8j9
7 ql5rNWPzgXxFF5ERmwW+E3cyzJLU9Htu7r3muqM6nhSZizhCskifPRFc3e5ssSke
8 XhHICHfe90+qvab/hWx/NjkW59bBYIzDuJfq+ijDFMVNgOxaiM2f3/2prUUhP7bN
9 r3wVI8KCkOaknc0SOOmOhLzfJaD5wosqLOjgaNhlro2eMgMjQlxbyW8dVVgjwseR
10 Cl/mpu7r1pSMhS66RFH68wDoC3X81f7Zs9ZGDLTD8KXWhx0qgUMUAH4n6YGY0RM6
11 BZ3qR/3KFRU64QPVAERpb0JdsU9ggCVydHkjrWW23ptHOPAOO5+yQj7tSDCKTRy9
12 dHMQnbtPrgAb6iMhO1XTxA8Hdta1sCHsewsQekarwsA1bmk3hTgi/k8vwoGDUWtk
13 jgiDEPuutfmH4C6qxq9s+6lRboNKH8wgkVGpHiaq7mmePFdhzFdrj4+fYAMZTbil
14 2iygsJ+yFOjA7U+iT6QDK33/MLsrQg0Ue6RPiG1qnDyax7gBAjz52iWkiuSkUXk0
15 E5ImdP4XMILgGcWk8iPq5iRS03edE0pCpxGX3ZZwFE5+CoXgO6wR1ToL1vZEEHMQ
16 SHJPufKjkavPKbejPps/mLaJQVw3W10PAJssB9nxW2aHX3n0ugGaIvMCAwEAAQ==
17 -----END RSA PUBLIC KEY-----
18 '';
19}
diff --git a/overlays/postfix-mta-sts-resolver/default.nix b/overlays/postfix-mta-sts-resolver/default.nix
index 49fbb7c9..d930cefb 100644
--- a/overlays/postfix-mta-sts-resolver/default.nix
+++ b/overlays/postfix-mta-sts-resolver/default.nix
@@ -3,6 +3,7 @@
3 postfix-mta-sts-resolver = 3 postfix-mta-sts-resolver =
4 with prev.poetry2nix; 4 with prev.poetry2nix;
5 mkPoetryApplication { 5 mkPoetryApplication {
6 python = prev.python311;
6 inherit (sources.postfix-mta-sts-resolver) pname version; 7 inherit (sources.postfix-mta-sts-resolver) pname version;
7 projectDir = cleanPythonSources { 8 projectDir = cleanPythonSources {
8 src = prev.runCommand "sources" {} '' 9 src = prev.runCommand "sources" {} ''
diff --git a/overlays/preserve-dscp/default.nix b/overlays/preserve-dscp/default.nix
index 73721083..a1064591 100644
--- a/overlays/preserve-dscp/default.nix
+++ b/overlays/preserve-dscp/default.nix
@@ -10,7 +10,8 @@
10 buildFlags = [ "preserve-dscp" ]; 10 buildFlags = [ "preserve-dscp" ];
11 11
12 CPATH = prev.lib.makeSearchPathOutput "dev" "include" (buildInputs ++ nativeBuildInputs); 12 CPATH = prev.lib.makeSearchPathOutput "dev" "include" (buildInputs ++ nativeBuildInputs);
13 BPF_CFLAGS = "-Wno-unused-command-line-argument -fno-stack-protector"; 13 BPF_CFLAGS = "-Wno-unused-command-line-argument";
14 hardeningDisable = [ "stackprotector" "zerocallusedregs" ];
14 15
15 outputs = [ "out" "lib" ]; 16 outputs = [ "out" "lib" ];
16 17
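Review bot: `hardeningDisable = [ "stackprotector" "zerocallusedregs" ]` on new line 14 switches those hardening flags off for every object the derivation compiles, whereas the removed `-fno-stack-protector` in `BPF_CFLAGS` only reached the BPF program, so the userspace side of preserve-dscp is now also built without stack protector and zero-call-used-regs. If the flags only break the BPF object (presumably the reason they were in `BPF_CFLAGS` before), keeping the corresponding `-fno-stack-protector -fzero-call-used-regs=skip` in `BPF_CFLAGS` would preserve the hardening on the host binary; if the package-wide disable is intentional, a short comment such as `# BPF objects cannot be built with these hardening flags; note this also disables them for the userspace binary` would document the trade-off. The enclosing derivation starts before the hunk.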
diff --git a/system-profiles/core/default.nix b/system-profiles/core/default.nix
index 6aee221f..c2c821b7 100644
--- a/system-profiles/core/default.nix
+++ b/system-profiles/core/default.nix
@@ -74,7 +74,7 @@ in {
74 }; 74 };
75 in foldr (def: mergeConfig def.value) {}; 75 in foldr (def: mergeConfig def.value) {};
76 }; 76 };
77 description = mdDoc '' 77 description = ''
78 The configuration of the Nix Packages collection. (For 78 The configuration of the Nix Packages collection. (For
79 details, see the Nixpkgs documentation.) It allows you to set 79 details, see the Nixpkgs documentation.) It allows you to set
80 package configuration options. 80 package configuration options.
@@ -91,96 +91,113 @@ in {
91 }; 91 };
92 }; 92 };
93 93
94 config = { 94 config = foldr recursiveUpdate {} ([
95 networking.hostName = hostName; 95 {
96 system.configurationRevision = mkIf (flake ? rev) flake.rev; 96 networking.hostName = hostName;
97 system.configurationRevision = mkIf (flake ? rev) flake.rev;
97 98
98 nixpkgs.pkgs = import (flakeInputs.${config.nixpkgs.flakeInput}.outPath + "/pkgs/top-level") { 99 nixpkgs.pkgs = import (flakeInputs.${config.nixpkgs.flakeInput}.outPath + "/pkgs/top-level") {
99 overlays = attrValues flake.overlays; 100 overlays = attrValues flake.overlays;
100 config = config.nixpkgs.externalConfig; 101 config = config.nixpkgs.externalConfig;
101 localSystem = config.nixpkgs.system; 102 localSystem = config.nixpkgs.system;
102 }; 103 };
103 104
104 nix = { 105 nix = {
105 package = if builtins.hasAttr "latest" pkgs.nixVersions then pkgs.nixVersions.latest else pkgs.nixUnstable; 106 package = if builtins.hasAttr "latest" pkgs.nixVersions then pkgs.nixVersions.latest else pkgs.nixUnstable;
106 settings = { 107 settings = {
107 sandbox = true; 108 sandbox = true;
108 allowed-users = [ "*" ]; 109 allowed-users = [ "*" ];
109 trusted-users = [ "root" "@wheel" ]; 110 trusted-users = [ "root" "@wheel" ];
110 111
111 experimental-features = ["nix-command" "flakes" "auto-allocate-uids" "cgroups"]; 112 experimental-features = ["nix-command" "flakes" "auto-allocate-uids" "cgroups"];
112 auto-allocate-uids = true; 113 auto-allocate-uids = true;
113 use-cgroups = true; 114 use-cgroups = true;
114 use-xdg-base-directories = true; 115 use-xdg-base-directories = true;
115 116
116 flake-registry = "${flakeInputs.flake-registry}/flake-registry.json"; 117 flake-registry = "${flakeInputs.flake-registry}/flake-registry.json";
118 };
119 nixPath = [
120 "nixpkgs=${pkgs.runCommand "nixpkgs" {} ''
121 mkdir $out
122 ln -s ${./nixpkgs.nix} $out/default.nix
123 ln -s /run/nixpkgs/lib $out/lib
124 ''}"
125 ];
126 registry =
127 let override = { self = "nixos"; };
128 in mapAttrs' (inpName: inpFlake: nameValuePair
129 (override.${inpName} or inpName)
130 { flake = inpFlake; } ) flakeInputs;
117 }; 131 };
118 nixPath = [ 132
119 "nixpkgs=${pkgs.runCommand "nixpkgs" {} '' 133 systemd.tmpfiles.rules = [
120 mkdir $out 134 "L+ /run/nixpkgs - - - - ${flakeInputs.nixpkgs.outPath}"
121 ln -s ${./nixpkgs.nix} $out/default.nix 135 "L+ /run/nixpkgs-overlays.nix - - - - ${pkgs.writeText "overlays.nix" ''
122 ln -s /run/nixpkgs/lib $out/lib 136 with builtins;
137
138 attrValues (import
139 (
140 let lock = fromJSON (readFile ${flake + "/flake.lock"}); in
141 fetchTarball {
142 url = "https://github.com/edolstra/flake-compat/archive/''${lock.nodes.flake-compat.locked.rev}.tar.gz";
143 sha256 = lock.nodes.flake-compat.locked.narHash;
144 }
145 )
146 { src = ${flake}; }
147 ).defaultNix.overlays
123 ''}" 148 ''}"
149 "L+ /etc/nixos - - - - ${flake}"
124 ]; 150 ];
125 registry =
126 let override = { self = "nixos"; };
127 in mapAttrs' (inpName: inpFlake: nameValuePair
128 (override.${inpName} or inpName)
129 { flake = inpFlake; } ) flakeInputs;
130 };
131
132 systemd.tmpfiles.rules = [
133 "L+ /run/nixpkgs - - - - ${flakeInputs.nixpkgs.outPath}"
134 "L+ /run/nixpkgs-overlays.nix - - - - ${pkgs.writeText "overlays.nix" ''
135 with builtins;
136
137 attrValues (import
138 (
139 let lock = fromJSON (readFile ${flake + "/flake.lock"}); in
140 fetchTarball {
141 url = "https://github.com/edolstra/flake-compat/archive/''${lock.nodes.flake-compat.locked.rev}.tar.gz";
142 sha256 = lock.nodes.flake-compat.locked.narHash;
143 }
144 )
145 { src = ${flake}; }
146 ).defaultNix.overlays
147 ''}"
148 ];
149
150 users.mutableUsers = false;
151 151
152 # documentation.nixos.includeAllModules = true; # incompatible with home-manager (build fails) 152 users.mutableUsers = false;
153 153
154 home-manager = { 154 documentation.nixos = {
155 useGlobalPkgs = true; # Otherwise home-manager would only work impurely 155 includeAllModules = true;
156 useUserPackages = false; 156 options.warningsAreErrors = false;
157 backupFileExtension = "bak"; 157 };
158 };
159 158
160 sops = mkIf hasSops { 159 home-manager = {
161 age = { 160 useGlobalPkgs = true; # Otherwise home-manager would only work impurely
162 keyFile = "/var/lib/sops-nix/key.txt"; 161 useUserPackages = false;
163 generateKey = false; 162 backupFileExtension = "bak";
164 sshKeyPaths = [];
165 }; 163 };
166 gnupg = { 164
167 home = null; 165 sops = mkIf hasSops {
168 sshKeyPaths = []; 166 age = {
167 keyFile = "/var/lib/sops-nix/key.txt";
168 generateKey = false;
169 sshKeyPaths = [];
170 };
171 gnupg = {
172 home = null;
173 sshKeyPaths = [];
174 };
169 }; 175 };
170 };
171 176
172 programs.git = { 177 programs.git = {
173 enable = true; 178 enable = true;
174 lfs.enable = true; 179 lfs.enable = true;
180 };
181 environment.systemPackages = with pkgs; [ git-annex scutiger ];
182 }
183 ] ++ (optional (options ? system.switch.enableNg) {
184 system.switch = lib.mkDefault {
185 enable = false;
186 enableNg = true;
175 }; 187 };
176 environment.systemPackages = with pkgs; [ git-annex scutiger ]; 188 })
177 189 ++ (optional (options ? system.etc) {
178 system.activationScripts.symlink-flake = '' 190 boot.initrd.systemd.enable = lib.mkDefault true;
179 if test -L /etc/nixos; then 191 system.etc.overlay.enable = lib.mkDefault true;
180 ln -nsf ${flake} /etc/nixos 192 systemd.sysusers.enable = lib.mkDefault true;
181 elif test -d /etc/nixos && rmdir --ignore-fail-on-non-empty /etc/nixos; then 193
182 ln -s ${flake} /etc/nixos 194 # Random perl remnants
183 fi 195 system.disableInstallerTools = lib.mkDefault true;
184 ''; 196 programs.less.lessopen = lib.mkDefault null;
185 }; 197 programs.command-not-found.enable = lib.mkDefault false;
198 boot.enableContainers = lib.mkDefault false;
199 boot.loader.grub.enable = lib.mkDefault false;
200 environment.defaultPackages = lib.mkDefault [ ];
201 documentation.info.enable = lib.mkDefault false;
202 }));
186} 203}
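Review bot: `config = foldr recursiveUpdate {} ([ ... ])` on new line 94 merges the configuration fragments with a plain attrset function rather than the module system's `mkMerge`, so if two fragments ever define the same leaf, a later fragment's value silently replaces the earlier one instead of lists being merged or a conflict being reported; the first and third fragments already share the `systemd`, `programs`, `environment` and `documentation` subtrees, so this is one added line away from happening. `config = mkMerge ([ { ... } ] ++ (optional (options ? system.switch.enableNg) { ... }) ++ (optional (options ? system.etc) { ... }));` keeps the same conditional structure, and the `optional` guards and `lib.mkDefault` priorities work unchanged. The same pattern is introduced in system-profiles/nfsroot.nix below. Separately, `documentation.nixos.includeAllModules = true` replaces a comment saying it was incompatible with home-manager; a one-line note on why `options.warningsAreErrors = false` makes it build now would save the next reader from re-discovering that.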
diff --git a/system-profiles/initrd-ssh/module.nix b/system-profiles/initrd-ssh/module.nix
index 2e75a8c4..db973b72 100644
--- a/system-profiles/initrd-ssh/module.nix
+++ b/system-profiles/initrd-ssh/module.nix
@@ -15,7 +15,7 @@ in
15 enable = mkOption { 15 enable = mkOption {
16 type = types.bool; 16 type = types.bool;
17 default = false; 17 default = false;
18 description = lib.mdDoc '' 18 description = ''
19 Start SSH service during initrd boot. It can be used to debug failing 19 Start SSH service during initrd boot. It can be used to debug failing
20 boot on a remote server, enter pasphrase for an encrypted partition etc. 20 boot on a remote server, enter pasphrase for an encrypted partition etc.
21 Service is killed when stage-1 boot is finished. 21 Service is killed when stage-1 boot is finished.
@@ -28,7 +28,7 @@ in
28 port = mkOption { 28 port = mkOption {
29 type = types.port; 29 type = types.port;
30 default = 22; 30 default = 22;
31 description = lib.mdDoc '' 31 description = ''
32 Port on which SSH initrd service should listen. 32 Port on which SSH initrd service should listen.
33 ''; 33 '';
34 }; 34 };
@@ -36,7 +36,7 @@ in
36 shell = mkOption { 36 shell = mkOption {
37 type = types.str; 37 type = types.str;
38 default = "/bin/ash"; 38 default = "/bin/ash";
39 description = lib.mdDoc '' 39 description = ''
40 Login shell of the remote user. Can be used to limit actions user can do. 40 Login shell of the remote user. Can be used to limit actions user can do.
41 ''; 41 '';
42 }; 42 };
@@ -48,7 +48,7 @@ in
48 "/etc/secrets/initrd/ssh_host_rsa_key" 48 "/etc/secrets/initrd/ssh_host_rsa_key"
49 "/etc/secrets/initrd/ssh_host_ed25519_key" 49 "/etc/secrets/initrd/ssh_host_ed25519_key"
50 ]; 50 ];
51 description = lib.mdDoc '' 51 description = ''
52 Specify SSH host keys to import into the initrd. 52 Specify SSH host keys to import into the initrd.
53 53
54 To generate keys, use 54 To generate keys, use
@@ -80,7 +80,7 @@ in
80 type = types.listOf types.str; 80 type = types.listOf types.str;
81 default = config.users.users.root.openssh.authorizedKeys.keys; 81 default = config.users.users.root.openssh.authorizedKeys.keys;
82 defaultText = literalExpression "config.users.users.root.openssh.authorizedKeys.keys"; 82 defaultText = literalExpression "config.users.users.root.openssh.authorizedKeys.keys";
83 description = lib.mdDoc '' 83 description = ''
84 Authorized keys for the root user on initrd. 84 Authorized keys for the root user on initrd.
85 ''; 85 '';
86 }; 86 };
@@ -88,7 +88,7 @@ in
88 extraConfig = mkOption { 88 extraConfig = mkOption {
89 type = types.lines; 89 type = types.lines;
90 default = ""; 90 default = "";
91 description = lib.mdDoc "Verbatim contents of {file}`sshd_config`."; 91 description = "Verbatim contents of {file}`sshd_config`.";
92 }; 92 };
93 }; 93 };
94 94
diff --git a/system-profiles/nfsroot.nix b/system-profiles/nfsroot.nix
index 4323765b..1cd930d9 100644
--- a/system-profiles/nfsroot.nix
+++ b/system-profiles/nfsroot.nix
@@ -1,4 +1,4 @@
1{ config, pkgs, lib, flake, flakeInputs, ... }: 1{ config, options, pkgs, lib, flake, flakeInputs, ... }:
2 2
3with lib; 3with lib;
4 4
@@ -14,99 +14,111 @@ in {
14 storeDevice = mkOption { 14 storeDevice = mkOption {
15 type = types.str; 15 type = types.str;
16 default = "nfsroot:nix-store"; 16 default = "nfsroot:nix-store";
17 description = "Nix store device";
17 }; 18 };
18 19
19 registrationUrl = mkOption { 20 registrationUrl = mkOption {
20 type = types.str; 21 type = types.str;
21 default = "http://nfsroot/nix-registration"; 22 default = "http://nfsroot/nix-registration";
23 description = "Url of nix store registrations";
22 }; 24 };
23 }; 25 };
24 26
25 system.build = { 27 system.build = {
26 storeContents = mkOption {}; 28 storeContents = mkOption {
29 description = "Contents of nix store";
30 };
27 }; 31 };
28 }; 32 };
29 33
30 config = { 34 config = foldr recursiveUpdate {} ([
31 # Don't build the GRUB menu builder script, since we don't need it 35 {
32 # here and it causes a cyclic dependency. 36 # Don't build the GRUB menu builder script, since we don't need it
33 boot.loader.grub.enable = false; 37 # here and it causes a cyclic dependency.
34 38 boot.loader.grub.enable = false;
35 # !!! Hack - attributes expected by other modules. 39
36 environment.systemPackages = [ pkgs.grub2_efi ] 40 # !!! Hack - attributes expected by other modules.
37 ++ (if pkgs.stdenv.hostPlatform.system == "aarch64-linux" 41 environment.systemPackages = [ pkgs.grub2_efi ]
38 then [] 42 ++ (if pkgs.stdenv.hostPlatform.system == "aarch64-linux"
39 else [ pkgs.grub2 pkgs.syslinux ]); 43 then []
40 44 else [ pkgs.grub2 pkgs.syslinux ]);
41 # In stage 1, mount a tmpfs on top of /nix/store (the squashfs 45
42 # image) to make this a live CD. 46 # In stage 1, mount a tmpfs on top of /nix/store (the squashfs
43 fileSystems."/nix/.ro-store" = mkImageMediaOverride 47 # image) to make this a live CD.
44 { fsType = "nfs4"; 48 fileSystems."/nix/.ro-store" = mkImageMediaOverride
45 device = cfg.storeDevice; 49 { fsType = "nfs4";
46 options = [ "ro" ]; 50 device = cfg.storeDevice;
47 neededForBoot = true; 51 options = [ "ro" ];
48 }; 52 neededForBoot = true;
53 };
54
55 fileSystems."/nix/.rw-store" = mkImageMediaOverride
56 { fsType = "tmpfs";
57 options = [ "mode=0755" ];
58 neededForBoot = true;
59 };
60
61 fileSystems."/nix/store" = mkImageMediaOverride
62 { fsType = "overlay";
63 device = "overlay";
64 options = [
65 "lowerdir=/nix/.ro-store"
66 "upperdir=/nix/.rw-store/store"
67 "workdir=/nix/.rw-store/work"
68 ];
69
70 depends = [
71 "/nix/.ro-store"
72 "/nix/.rw-store/store"
73 "/nix/.rw-store/work"
74 ];
75 };
76
77 nix.settings.use-sqlite-wal = false;
78
79 boot.initrd.availableKernelModules = [ "nfs" "nfsv4" "overlay" ];
80 boot.initrd.supportedFilesystems = [ "nfs" "nfsv4" "overlay" ];
81 services.rpcbind.enable = mkImageMediaOverride false;
82
83 boot.initrd.network.enable = true;
84 boot.initrd.network.flushBeforeStage2 = false; # otherwise nfs doesn't work
85 boot.initrd.postMountCommands = ''
86 mkdir -p /mnt-root/etc/
87 cp /etc/resolv.conf /mnt-root/etc/resolv.conf
88 '';
89 networking.useDHCP = true;
90 networking.resolvconf.enable = false;
91 networking.dhcpcd.persistent = true;
49 92
50 fileSystems."/nix/.rw-store" = mkImageMediaOverride
51 { fsType = "tmpfs";
52 options = [ "mode=0755" ];
53 neededForBoot = true;
54 };
55 93
56 fileSystems."/nix/store" = mkImageMediaOverride 94 system.build.storeContents = [config.system.build.toplevel];
57 { fsType = "overlay";
58 device = "overlay";
59 options = [
60 "lowerdir=/nix/.ro-store"
61 "upperdir=/nix/.rw-store/store"
62 "workdir=/nix/.rw-store/work"
63 ];
64
65 depends = [
66 "/nix/.ro-store"
67 "/nix/.rw-store/store"
68 "/nix/.rw-store/work"
69 ];
70 };
71 95
72 nix.settings.use-sqlite-wal = false; 96 system.build.netbootIpxeScript = pkgs.writeTextDir "netboot.ipxe" ''
73 97 #!ipxe
74 boot.initrd.availableKernelModules = [ "nfs" "nfsv4" "overlay" ]; 98 # Use the cmdline variable to allow the user to specify custom kernel params
75 boot.initrd.supportedFilesystems = [ "nfs" "nfsv4" "overlay" ]; 99 # when chainloading this script from other iPXE scripts like netboot.xyz
76 services.rpcbind.enable = mkImageMediaOverride false; 100 kernel ${pkgs.stdenv.hostPlatform.linux-kernel.target} init=${config.system.build.toplevel}/init initrd=initrd ${toString config.boot.kernelParams} ''${cmdline}
77 101 initrd initrd
78 boot.initrd.network.enable = true; 102 boot
79 boot.initrd.network.flushBeforeStage2 = false; # otherwise nfs doesn't work
80 boot.initrd.postMountCommands = ''
81 mkdir -p /mnt-root/etc/
82 cp /etc/resolv.conf /mnt-root/etc/resolv.conf
83 '';
84 networking.useDHCP = true;
85 networking.resolvconf.enable = false;
86 networking.dhcpcd.persistent = true;
87
88
89 system.build.storeContents = [config.system.build.toplevel];
90
91 system.build.netbootIpxeScript = pkgs.writeTextDir "netboot.ipxe" ''
92 #!ipxe
93 # Use the cmdline variable to allow the user to specify custom kernel params
94 # when chainloading this script from other iPXE scripts like netboot.xyz
95 kernel ${pkgs.stdenv.hostPlatform.linux-kernel.target} init=${config.system.build.toplevel}/init initrd=initrd ${toString config.boot.kernelParams} ''${cmdline}
96 initrd initrd
97 boot
98 '';
99
100 boot.postBootCommands =
101 ''
102 # After booting, register the contents of the Nix store on NFS
103 # in the Nix database in the tmpfs.
104 ${pkgs.curl}/bin/curl ${escapeShellArg cfg.registrationUrl} | ${config.nix.package.out}/bin/nix-store --load-db
105
106 # nixos-rebuild also requires a "system" profile and an
107 # /etc/NIXOS tag.
108 touch /etc/NIXOS
109 ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
110 ''; 103 '';
111 }; 104
105 boot.postBootCommands =
106 ''
107 # After booting, register the contents of the Nix store on NFS
108 # in the Nix database in the tmpfs.
109 ${pkgs.curl}/bin/curl ${escapeShellArg cfg.registrationUrl} | ${config.nix.package.out}/bin/nix-store --load-db
110
111 # nixos-rebuild also requires a "system" profile and an
112 # /etc/NIXOS tag.
113 touch /etc/NIXOS
114 ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
115 '';
116
117 boot.initrd.systemd.enable = false;
118 }
119 ] ++ (optional (options ? system.etc) {
120 system.etc.overlay.enable = false;
121 }) ++ (optional (options ? system.sysusers) {
122 systemd.sysusers.enable = false;
123 }));
112} 124}
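Review bot: The `curl ${escapeShellArg cfg.registrationUrl} | nix-store --load-db` pipeline at new line 109, carried into the new fragment, has no `--fail`, so an HTTP error body from the registration server is piped straight into the Nix database instead of aborting; `${pkgs.curl}/bin/curl --fail --silent --show-error ${escapeShellArg cfg.registrationUrl} | ${config.nix.package.out}/bin/nix-store --load-db` makes such failures visible (it does not authenticate the content, which the plain-http default URL leaves to the network). Also, `boot.initrd.systemd.enable = false` at new line 117 sits in the unconditional fragment while the sibling `system.etc.overlay.enable` and `systemd.sysusers.enable` disables are guarded with `options ? ...`; if that asymmetry is deliberate a comment such as `# scripted initrd required: the postMountCommands/flushBeforeStage2 settings above presumably only apply there` would record it, with the reason confirmed rather than inferred.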
diff --git a/user-profiles/yt-dlp.nix b/user-profiles/yt-dlp.nix
index 550d6a78..fda29111 100644
--- a/user-profiles/yt-dlp.nix
+++ b/user-profiles/yt-dlp.nix
@@ -28,6 +28,7 @@
28 # "youtube:formats=dashy" 28 # "youtube:formats=dashy"
29 # ]; 29 # ];
30 remux-video = "mp4>mkv"; 30 remux-video = "mp4>mkv";
31 hwdec = "auto-safe";
31 }; 32 };
32 }; 33 };
33 }; 34 };