From 63adb41f1a060c21a68143eb9e86c2790ef66f36 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Thu, 8 Aug 2024 10:45:09 +0200 Subject: ... --- .envrc | 1 + .gitignore | 1 + _sources/generated.json | 13 ++ _sources/generated.nix | 5 + accounts/gkleen@sif/default.nix | 1 + flake.lock | 51 ++++-- flake.nix | 20 ++- hosts/sif/default.nix | 31 +++- hosts/sif/hw.nix | 57 +------ hosts/surtr/bifrost/default.nix | 10 +- hosts/surtr/default.nix | 1 + hosts/surtr/vpn/default.nix | 30 +--- hosts/vidhar/default.nix | 1 + hosts/vidhar/network/bifrost/default.nix | 46 ++---- hosts/vidhar/network/default.nix | 31 ++-- installer/default.nix | 2 + modules/borgcopy/default.nix | 9 + modules/build-client.nix | 4 +- modules/certspotter.nix | 67 -------- modules/coturn.nix | 60 +++---- modules/envfs.nix | 8 +- modules/etebase-server.nix | 228 -------------------------- modules/home-manager.nix | 3 + modules/knot.nix | 1 + modules/netns.nix | 7 + modules/openssh.nix | 3 + modules/pgbackrest.nix | 19 ++- modules/postfix-mta-sts-resolver.nix | 4 +- modules/postfwd.nix | 1 + modules/prometheus-lvm-exporter.nix | 4 +- modules/yggdrasil/default.nix | 50 ------ modules/yggdrasil/hosts/sif/default.nix | 13 -- modules/yggdrasil/hosts/sif/private-keys.yaml | 31 ---- modules/yggdrasil/hosts/ymir.nix | 19 --- overlays/postfix-mta-sts-resolver/default.nix | 1 + overlays/preserve-dscp/default.nix | 3 +- system-profiles/core/default.nix | 175 +++++++++++--------- system-profiles/initrd-ssh/module.nix | 12 +- system-profiles/nfsroot.nix | 172 ++++++++++--------- user-profiles/yt-dlp.nix | 1 + 40 files changed, 431 insertions(+), 765 deletions(-) create mode 100644 .envrc delete mode 100644 modules/certspotter.nix delete mode 100644 modules/etebase-server.nix delete mode 100644 modules/yggdrasil/default.nix delete mode 100644 modules/yggdrasil/hosts/sif/default.nix delete mode 100644 modules/yggdrasil/hosts/sif/private-keys.yaml delete mode 100644 modules/yggdrasil/hosts/ymir.nix 
diff --git a/.envrc b/.envrc new file mode 100644 index 00000000..3550a30f --- /dev/null +++ b/.envrc @@ -0,0 +1 @@ +use flake diff --git a/.gitignore b/.gitignore index 2a9ba5f0..f30fe710 100644 --- a/.gitignore +++ b/.gitignore @@ -3,6 +3,7 @@ **/#*# **/.#* **/.gup +.direnv **.csr hosts/*/prometheus/tls.cnf \ No newline at end of file diff --git a/_sources/generated.json b/_sources/generated.json index f1082af1..87d6c357 100644 --- a/_sources/generated.json +++ b/_sources/generated.json @@ -15,6 +15,7 @@ "repo": "afew", "rev": "8ef9a5b73e5d1063cf912c70027c655fb19d1109", "sha256": "sha256-Wdvack+oAq88a9E6i+OcMlSNStv4dWsZstHgLao0c9g=", + "sparseCheckout": [], "type": "github" }, "version": "8ef9a5b73e5d1063cf912c70027c655fb19d1109" @@ -49,6 +50,7 @@ "repo": "bpf-examples", "rev": "5343ed3377471c7b7ef2237526c8bdc0f00a0cef", "sha256": "sha256-vKVI8pQ17BNWLKm8wwpyNkLslnB9E2CAZTS6EP5lDT0=", + "sparseCheckout": [], "type": "github" }, "version": "5343ed3377471c7b7ef2237526c8bdc0f00a0cef" @@ -69,6 +71,7 @@ "repo": "scratch.el", "rev": "0077334cc299aa7885f804d88f52cdb1b35caf71", "sha256": "sha256-FUkKJ+1COGzgllzzv51yUIjMZI6slOFVExdwWl2ZEBA=", + "sparseCheckout": [], "type": "github" }, "version": "0077334cc299aa7885f804d88f52cdb1b35caf71" @@ -101,6 +104,7 @@ "name": null, "rev": "744c3ee61d2f0a8e9bb4e308dec6897215ae4704", "sha256": "sha256-yxA8wgzdS7SyKLoNTWN87ShsBfPKUflbOu4Y0jS2G3I=", + "sparseCheckout": [], "type": "git", "url": "https://gist.github.com/2f71a97fb85ed42146f6d9f522bc34ef.git" }, @@ -122,6 +126,7 @@ "repo": "chapterskip", "rev": "b26825316e3329882206ae78dc903ebc4613f039", "sha256": "sha256-OTrLQE3rYvPQamEX23D6HttNjx3vafWdTMxTiWpDy90=", + "sparseCheckout": [], "type": "github" }, "version": "b26825316e3329882206ae78dc903ebc4613f039" 
@@ -142,6 +147,7 @@ "repo": "mpv-createchapter", "rev": "8dd33e2debbcb963a195ec1371e02c85b49e7faa", "sha256": "sha256-rPtG7mgf7tOY8Ih4Bz1tpd4MwXOxJmngjY+s70zWX+g=", + "sparseCheckout": [], "type": "github" }, "version": "8dd33e2debbcb963a195ec1371e02c85b49e7faa" @@ -162,6 +168,7 @@ "repo": "mpv-mpris", "rev": "1.1", "sha256": "sha256-vZIO6ILatIWa9nJYOp4AMKwvaZLahqYWRLMDOizyBI0=", + "sparseCheckout": [], "type": "github" }, "version": "1.1" @@ -182,6 +189,7 @@ "repo": "mpv-reload", "rev": "1a6a9383ba1774708fddbd976e7a9b72c3eec938", "sha256": "sha256-BshxCjec/UNGyiC0/g1Rai2NvG2qOIHXDDEUYwwdij0=", + "sparseCheckout": [], "type": "github" }, "version": "1a6a9383ba1774708fddbd976e7a9b72c3eec938" @@ -200,6 +208,7 @@ "name": null, "rev": "a5864aa2ee849c372964809842c2b1db3d0c20ea", "sha256": "sha256-NKiQfx0WuDySXRR9I6FKcuzyIz3gVWXcaQgaEvyepT8=", + "sparseCheckout": [], "type": "git", "url": "https://github.com/CogentRedTester/mpv-sub-select" }, @@ -219,6 +228,7 @@ "name": null, "rev": "1f8c31457459ffc28cd1c3f3c2235a53efad7148", "sha256": "sha256-voNP8tCwCv8QnAZOPC9gqHRV/7jgCAE63VKBd/1s5ic=", + "sparseCheckout": [], "type": "git", "url": "https://github.com/jgreco/mpv-youtube-quality" }, @@ -280,6 +290,7 @@ "name": null, "rev": "330cb9da36651b701085ad53ae75ff296d02202a", "sha256": "sha256-S0+sZ5vTywTU/HNRWt+MQhMO9uea+NvwwwdYJEdRmEw=", + "sparseCheckout": [], "type": "git", "url": "https://gitlab.com/depesz/Versioning" }, @@ -329,6 +340,7 @@ "repo": "v4l2loopback", "rev": "2d44c2f3a33844dfd9928dc536288283289bbc34", "sha256": "sha256-6YWF1zM9glDTnJNVxlNWWqqkD0Z6sNscOoGTJsU6iCQ=", + "sparseCheckout": [], "type": "github" }, "version": "2d44c2f3a33844dfd9928dc536288283289bbc34" @@ -349,6 +361,7 @@ "repo": "xcompose", "rev": "cd8d3e622f547ec9f83d7f64f51d4a27ee812681", "sha256": "sha256-fkl2lDv/DdrqPjVsEUKSRD3BNGwTjTsA0ovI8akFI6U=", + "sparseCheckout": [], "type": "github" }, "version": "cd8d3e622f547ec9f83d7f64f51d4a27ee812681" 
diff --git a/_sources/generated.nix b/_sources/generated.nix index 177fac06..cb6022ab 100644 --- a/_sources/generated.nix +++ b/_sources/generated.nix @@ -11,6 +11,7 @@ fetchSubmodules = false; deepClone = false; leaveDotGit = true; + sparseCheckout = [ ]; sha256 = "sha256-Wdvack+oAq88a9E6i+OcMlSNStv4dWsZstHgLao0c9g="; }; date = "2021-05-30"; @@ -64,6 +65,7 @@ fetchSubmodules = false; deepClone = false; leaveDotGit = false; + sparseCheckout = [ ]; sha256 = "sha256-yxA8wgzdS7SyKLoNTWN87ShsBfPKUflbOu4Y0jS2G3I="; }; date = "2020-10-22"; @@ -124,6 +126,7 @@ fetchSubmodules = false; deepClone = false; leaveDotGit = false; + sparseCheckout = [ ]; sha256 = "sha256-NKiQfx0WuDySXRR9I6FKcuzyIz3gVWXcaQgaEvyepT8="; }; date = "2024-05-15"; @@ -137,6 +140,7 @@ fetchSubmodules = false; deepClone = false; leaveDotGit = false; + sparseCheckout = [ ]; sha256 = "sha256-voNP8tCwCv8QnAZOPC9gqHRV/7jgCAE63VKBd/1s5ic="; }; date = "2020-02-10"; @@ -174,6 +178,7 @@ fetchSubmodules = false; deepClone = false; leaveDotGit = false; + sparseCheckout = [ ]; sha256 = "sha256-S0+sZ5vTywTU/HNRWt+MQhMO9uea+NvwwwdYJEdRmEw="; }; date = "2023-11-23"; diff --git a/accounts/gkleen@sif/default.nix b/accounts/gkleen@sif/default.nix index 2ecaf0da..2e7a25c9 100644 --- a/accounts/gkleen@sif/default.nix +++ b/accounts/gkleen@sif/default.nix @@ -97,6 +97,7 @@ in { home-manager.users.${userName} = { imports = [ flakeInputs.nix-index-database.hmModules.nix-index + flakeInputs.impermanence.nixosModules.home-manager.impermanence ]; home.stateVersion = "20.09"; diff --git a/flake.lock b/flake.lock index 5bfe9859..0c0a7ad1 100644 --- a/flake.lock +++ b/flake.lock 
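Review bot: The added `flakeInputs.impermanence.nixosModules.home-manager.impermanence` import in `accounts/gkleen@sif/default.nix` is inert on its own — as far as I can tell the home-manager module only acts once some `home.persistence.<path>` is set, and no such option appears anywhere in this commit. If the intent is already covered by the host-level persistence of `/home` in `hosts/sif/default.nix`, a one-line comment above the import saying so would keep the account file self-explanatory, e.g. `# home.persistence.* not configured yet; /home is persisted wholesale at the host level`, otherwise drop the import until it is used. The `home-manager.users.${userName}` set continues outside the hunk.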
@@ -12,16 +12,16 @@ "pre-commit-hooks-nix": "pre-commit-hooks-nix" }, "locked": { - "lastModified": 1701974579, - "narHash": "sha256-Drydx4onJnz5AqjG1clABRHUF4cPmy75zH70AXvs3eQ=", + "lastModified": 1723023987, + "narHash": "sha256-3ffk/waTFYp0yrZ6PdFKSRJF+0z6O51c6XWirjhDXqM=", "owner": "gkleen", "repo": "backup-utils", - "rev": "d094023745980f90828f0390441ff22b51107f3a", + "rev": "3b70e591eade840a32aea80264050ddc6a92c599", "type": "gitlab" }, "original": { "owner": "gkleen", - "ref": "v0.1.2", + "ref": "v0.1.3", "repo": "backup-utils", "type": "gitlab" } @@ -392,6 +392,22 @@ "type": "github" } }, + "impermanence": { + "locked": { + "lastModified": 1719091691, + "narHash": "sha256-AxaLX5cBEcGtE02PeGsfscSb/fWMnyS7zMWBXQWDKbE=", + "owner": "nix-community", + "repo": "impermanence", + "rev": "23c1f06316b67cb5dabdfe2973da3785cfe9c34a", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "master", + "repo": "impermanence", + "type": "github" + } + }, "nix-github-actions": { "inputs": { "nixpkgs": [ @@ -420,11 +436,11 @@ ] }, "locked": { - "lastModified": 1722136042, - "narHash": "sha256-x3FmT4QSyK28itMiR5zfYhUrG5nY+2dv+AIcKfmSp5A=", + "lastModified": 1722740924, + "narHash": "sha256-UQPgA5d8azLZuDHZMPmvDszhuKF1Ek89SrTRtqsQ4Ss=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "c0ca47e8523b578464014961059999d8eddd4aae", + "rev": "97ca0a0fca0391de835f57e44f369a283e37890f", "type": "github" }, "original": { @@ -602,11 +618,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1722329972, - "narHash": "sha256-Y1rUW6x+7hSwQxtJk9Xu3QDmcV/AOX3zl3g4N5Lh8nI=", - "owner": "nixos", + "lastModified": 1722813957, + "narHash": "sha256-IAoYyYnED7P8zrBFMnmp7ydaJfwTnwcnqxUElC1I26Y=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "cdeee848778cb4e084ab0c50fc83fc3117a69766", + "rev": "cb9a96f23c491c081b38eab96d22fa958043c9fa", "type": "github" }, "original": { 
@@ -672,11 +688,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1722300206, - "narHash": "sha256-lSF96eM7lJPYl2nd63t2zGWIvZEWSf1BOaP1Rf2q9mI=", + "lastModified": 1723013744, + "narHash": "sha256-Ilcm+bME9nUDICcoS47/McfNmbU+xn3ZBUoMjPrwGrU=", "owner": "nix-community", "repo": "poetry2nix", - "rev": "1dcd9fdca06bf28bdd6eeab0a464f4bc5d643bca", + "rev": "551cd76c920b9eabed3fb095a4091af7676b31ba", "type": "github" }, "original": { @@ -794,6 +810,7 @@ "flake-utils": "flake-utils_3", "home-manager": "home-manager", "home-manager-eostre": "home-manager-eostre", + "impermanence": "impermanence", "nix-index-database": "nix-index-database", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs_2", @@ -816,11 +833,11 @@ ] }, "locked": { - "lastModified": 1722114803, - "narHash": "sha256-s6YhI8UHwQvO4cIFLwl1wZ1eS5Cuuw7ld2VzUchdFP0=", + "lastModified": 1722897572, + "narHash": "sha256-3m/iyyjCdRBF8xyehf59QlckIcmShyTesymSb+N4Ap4=", "owner": "Mic92", "repo": "sops-nix", - "rev": "eb34eb588132d653e4c4925d862f1e5a227cc2ab", + "rev": "8ae477955dfd9cbf5fa4eb82a8db8ddbb94e79d9", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index c317f5c1..6f24a90c 100644 --- a/flake.nix +++ b/flake.nix @@ -141,7 +141,7 @@ type = "gitlab"; owner = "gkleen"; repo = "backup-utils"; - ref = "v0.1.2"; + ref = "v0.1.3"; inputs = { nixpkgs.follows = "nixpkgs"; poetry2nix.follows = "poetry2nix"; @@ -163,6 +163,12 @@ repo = "nixos-hardware"; ref = "master"; }; + impermanence = { + type = "github"; + owner = "nix-community"; + repo = "impermanence"; + ref = "master"; + }; }; outputs = { self, nixpkgs, home-manager, sops-nix, deploy-rs, nvfetcher, ... }@inputs: 
@@ -255,12 +261,12 @@ // outputs // { imports = [self.nixosModules.users.${userName} or ({...}: { imports = defaultUserProfiles userName; })] ++ (outputs.imports or []); }); - # systemsSelector = "x86_64-linux"; - # systems = filter (system: !(isNull (builtins.match systemsSelector system))) nixpkgs.lib.systems.flakeExposed; - systems = - let - disallowedSystems = ["armv5tel-linux" "armv6l-linux"]; - in filter (system: !(elem system disallowedSystems)) nixpkgs.lib.systems.flakeExposed; + systemsSelector = "x86_64-linux"; + systems = filter (system: !(isNull (builtins.match systemsSelector system))) nixpkgs.lib.systems.flakeExposed; + # systems = + # let + # disallowedSystems = ["armv5tel-linux" "armv6l-linux"]; + # in filter (system: !(elem system disallowedSystems)) nixpkgs.lib.systems.flakeExposed; nixpkgsPackages = localSystem: (makeOverridable (import (nixpkgs.outPath + "/pkgs/top-level"))) { inherit localSystem; }; forAllSystems = f: mapAttrs f (genAttrs systems nixpkgsPackages); forAllUsers = genAttrs (unique (map accountUserName (attrNames self.nixosModules.accounts))); diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix index 3525015d..5ed4e05e 100644 --- a/hosts/sif/default.nix +++ b/hosts/sif/default.nix @@ -16,6 +16,7 @@ in { tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines networkmanager flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1 + flakeInputs.impermanence.nixosModules.impermanence ]; config = { @@ -555,7 +556,10 @@ in { # sound.enable = true; nix = { - settings.auto-optimise-store = true; + settings = { + auto-optimise-store = true; + max-jobs = 4; + }; daemonCPUSchedPolicy = "idle"; daemonIOSchedClass = "idle"; @@ -569,6 +573,11 @@ in { speedFactor = 4; }; }; + systemd.services."nix-daemon" = { + serviceConfig = { + CPUQuota = "400%"; + }; + }; environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf; 
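Review bot: `isNull` in the new `systems` filter is a deprecated builtin; `systems = filter (system: builtins.match systemsSelector system != null) nixpkgs.lib.systems.flakeExposed;` reads the same and avoids the deprecation warning. The previous `disallowedSystems` variant is kept as commented-out code directly below the live definition, so the file now toggles between two implementations by comment; dropping the dead one (git keeps the history) or expressing the choice as a named boolean would make the intended behaviour explicit. Also worth a comment: `builtins.match` anchors the whole string, so `systemsSelector` is an exact-match regex rather than a glob, which matters as soon as a second system is added.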
@@ -661,6 +670,26 @@ in { in [ gtk-portal ]; }; + environment.persistence."/.bcachefs" = { + hideMounts = true; + directories = [ + "/nix" + "/root" + "/var/log" + "/var/lib/sops-nix" + "/var/lib/nixos" + "/var/lib/systemd" + "/home" + "/var/lib/chrony" + "/var/lib/fprint" + "/var/lib/bluetooth" + "/etc/NetworkManager/system-connections" + ]; + files = [ + "/etc/localtime" + ]; + }; + system.stateVersion = "24.11"; }; } diff --git a/hosts/sif/hw.nix b/hosts/sif/hw.nix index 077d25a6..fc20ef7c 100644 --- a/hosts/sif/hw.nix +++ b/hosts/sif/hw.nix 
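Review bot: The new `environment.persistence."/.bcachefs"` lists neither `/etc/machine-id` nor `/etc/ssh`, so on this tmpfs root both are regenerated on every boot: a persistent journal under the persisted `/var/log` is keyed by machine-id and will start a fresh directory each time, and unless the `openssh` profile imported above sources its host keys from sops-nix, every client will see a changed host key after a reboot. Suggested: `files = [ "/etc/localtime" "/etc/machine-id" ];` plus `"/etc/ssh"` in `directories` (confirm the host-key source first). `/etc/NetworkManager/system-connections` and `/var/lib/bluetooth` hold credentials; the ownership and mode of their bind sources on `/.bcachefs` should be checked once, since impermanence as far as I recall applies the `{ directory = …; mode = …; }` settings only when it creates a directory, not to one that already exists.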
@@ -12,59 +12,11 @@ fsType = "bcachefs"; neededForBoot = true; }; - "/nix" = - { device = "/.bcachefs/nix"; - fsType = "none"; - options = [ "bind" ]; # "x-systemd.after=bcachefs.service" "x-systemd.requires=bcachefs.service" "x-systemd.after=\\x2ebcachefs.mount" "x-systemd.requires=\\x2ebcachefs.mount" ]; - }; - "/root" = - { device = "/.bcachefs/root"; - fsType = "none"; - options = [ "bind" ]; # "x-systemd.after=\\x2ebcachefs.mount" "x-systemd.requires=\\x2ebcachefs.mount" ]; - }; - "/var/log" = - { device = "/.bcachefs/var/log"; - fsType = "none"; - options = [ "bind" ]; # "x-systemd.after=bcachefs.service" "x-systemd.requires=bcachefs.service" "x-systemd.after=\\x2ebcachefs.mount" "x-systemd.requires=\\x2ebcachefs.mount" ]; - }; - "/var/lib/sops-nix" = - { device = "/.bcachefs/var/lib/sops-nix"; - fsType = "none"; - options = [ "bind" ]; # "x-systemd.after=bcachefs.service" "x-systemd.requires=bcachefs.service" "x-systemd.after=\\x2ebcachefs.mount" "x-systemd.requires=\\x2ebcachefs.mount" ]; - neededForBoot = true; - }; - "/var/lib/nixos" = - { device = "/.bcachefs/var/lib/nixos"; - fsType = "none"; - options = [ "bind" ]; # "x-systemd.after=bcachefs.service" "x-systemd.requires=bcachefs.service" "x-systemd.after=\\x2ebcachefs.mount" "x-systemd.requires=\\x2ebcachefs.mount" ]; - }; - "/var/lib/chrony" = - { device = "/.bcachefs/var/lib/chrony"; - fsType = "none"; - options = [ "bind" ]; # "x-systemd.after=\\x2ebcachefs.mount" "x-systemd.requires=\\x2ebcachefs.mount" ]; - }; - "/var/lib/fprint" = - { device = "/.bcachefs/var/lib/fprint"; - fsType = "none"; - options = [ "bind" ]; # "x-systemd.after=\\x2ebcachefs.mount" "x-systemd.requires=\\x2ebcachefs.mount" ]; - }; - "/var/lib/systemd" = - { device = "/.bcachefs/var/lib/systemd"; - fsType = "none"; - options = [ "bind" ]; # "x-systemd.after=bcachefs.service" "x-systemd.requires=bcachefs.service" "x-systemd.after=\\x2ebcachefs.mount" "x-systemd.requires=\\x2ebcachefs.mount" ]; - neededForBoot = true; - }; - 
"/home" = - { device = "/.bcachefs/home"; - fsType = "none"; - options = [ "bind" ]; # "x-systemd.after=\\x2ebcachefs.mount" "x-systemd.requires=\\x2ebcachefs.mount" ]; - }; - "/etc/NetworkManager/system-connections" = - { device = "/.bcachefs/etc/NetworkManager/system-connections"; - fsType = "none"; - options = [ "bind" ]; # "x-systemd.after=\\x2ebcachefs.mount" "x-systemd.requires=\\x2ebcachefs.mount" ]; - }; + "/var/lib/sops-nix".neededForBoot = true; + "/var/lib/systemd".neededForBoot = true; }; + system.etc.overlay.enable = false; + systemd.sysusers.enable = false; # boot.initrd.supportedFilesystems.bcachefs = true; # boot.initrd.systemd.units."dev-sif-nvm0:-dev-sif-nvm1.device".enable = false; @@ -91,7 +43,6 @@ # }; # }; - nix.settings.max-jobs = 12; # High-DPI console console.font = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz"; diff --git a/hosts/surtr/bifrost/default.nix b/hosts/surtr/bifrost/default.nix index 20cd5892..fbfde757 100644 --- a/hosts/surtr/bifrost/default.nix +++ b/hosts/surtr/bifrost/default.nix @@ -18,10 +18,8 @@ in { ListenPort = 51822; }; wireguardPeers = [ - { wireguardPeerConfig = { - AllowedIPs = [ "2a03:4000:52:ada:4:1::/96" ]; - PublicKey = trim (readFile ../../vidhar/network/bifrost/vidhar.pub); - }; + { AllowedIPs = [ "2a03:4000:52:ada:4:1::/96" ]; + PublicKey = trim (readFile ../../vidhar/network/bifrost/vidhar.pub); } ]; }; @@ -34,9 +32,7 @@ in { }; address = ["2a03:4000:52:ada:4::/96"]; routes = [ - { routeConfig = { - Destination = "2a03:4000:52:ada:4::/80"; - }; + { Destination = "2a03:4000:52:ada:4::/80"; } ]; linkConfig = { diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix index e6ca0c64..ceb035cb 100644 --- a/hosts/surtr/default.nix +++ b/hosts/surtr/default.nix @@ -165,6 +165,7 @@ with lib; algorithm = "zstd"; }; + systemd.sysusers.enable = false; system.stateVersion = "20.09"; }; } diff --git a/hosts/surtr/vpn/default.nix b/hosts/surtr/vpn/default.nix index 74a9fb22..61a9d544 100644 
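Review bot: `system.etc.overlay.enable = false;` and `systemd.sysusers.enable = false;` are added to `hosts/sif/hw.nix` without a comment, and the `systemd.sysusers.enable = false` pin is repeated in `hosts/surtr/default.nix` (same line here) and `hosts/vidhar/default.nix`; as far as I know both are still the NixOS defaults, so a reader cannot tell whether this is a deliberate pin against a future default change or a workaround for something observed. A short why-comment next to each, e.g. `systemd.sysusers.enable = false; # explicit pin: keep activation-script user management (reason: …)`, or stating the pin once in the shared core profile, would settle that. The `"/var/lib/sops-nix".neededForBoot = true;` and `"/var/lib/systemd".neededForBoot = true;` lines only merge into `fileSystems` entries that impermanence generates from `environment.persistence`; if either path is ever removed from that list these become bare mount entries with no device, which deserves a comment as well. The `fileSystems` set starts outside the hunk.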
--- a/hosts/surtr/vpn/default.nix +++ b/hosts/surtr/vpn/default.nix @@ -63,10 +63,8 @@ in { ListenPort = 51820; }; wireguardPeers = imap1 (i: { name, ip ? i }: { - wireguardPeerConfig = { - AllowedIPs = ["${prefix6}:${toString ip}::/96" "${prefix4}.${toString ip}/32"]; - PublicKey = trim (readFile (./. + "/${name}.pub")); - }; + AllowedIPs = ["${prefix6}:${toString ip}::/96" "${prefix4}.${toString ip}/32"]; + PublicKey = trim (readFile (./. + "/${name}.pub")); }) [ { name = "geri"; } { name = "sif"; } ]; }; }; @@ -86,19 +84,13 @@ in { MulticastDNS = false; }; routes = [ - { routeConfig = { - Destination = "202.61.240.1"; - }; + { Destination = "202.61.240.1"; } - { routeConfig = { - Destination = "0.0.0.0/0"; - Gateway = "202.61.240.1"; - }; + { Destination = "0.0.0.0/0"; + Gateway = "202.61.240.1"; } - { routeConfig = { - Destination = "::/0"; - Gateway = "fe80::1"; - }; + { Destination = "::/0"; + Gateway = "fe80::1"; } ]; extraConfig = '' @@ -114,13 +106,9 @@ in { }; address = ["${prefix6}::/96" "${prefix4}.0/32"]; routes = [ - { routeConfig = { - Destination = "${prefix6}::/80"; - }; + { Destination = "${prefix6}::/80"; } - { routeConfig = { - Destination = "${prefix4}.0/24"; - }; + { Destination = "${prefix4}.0/24"; } ]; linkConfig = { diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix index ea200f5c..440829bb 100644 --- a/hosts/vidhar/default.nix +++ b/hosts/vidhar/default.nix @@ -377,6 +377,7 @@ with lib; environment.systemPackages = with pkgs; [iotop vmtouch]; + systemd.sysusers.enable = false; system.stateVersion = "21.05"; }; } diff --git a/hosts/vidhar/network/bifrost/default.nix b/hosts/vidhar/network/bifrost/default.nix index ec354f81..59550481 100644 --- a/hosts/vidhar/network/bifrost/default.nix +++ b/hosts/vidhar/network/bifrost/default.nix 
@@ -18,12 +18,10 @@ in { ListenPort = 51822; }; wireguardPeers = [ - { wireguardPeerConfig = { - AllowedIPs = [ "::/0" ]; - PublicKey = trim (readFile ../../../surtr/bifrost/surtr.pub); - PersistentKeepalive = 5; - Endpoint = "2a03:4000:52:ada:::51822"; - }; + { AllowedIPs = [ "::/0" ]; + PublicKey = trim (readFile ../../../surtr/bifrost/surtr.pub); + PersistentKeepalive = 5; + Endpoint = "2a03:4000:52:ada:::51822"; } ]; }; @@ -36,35 +34,25 @@ in { }; address = ["2a03:4000:52:ada:4:1::/96"]; routes = [ - { routeConfig = { - Destination = "2a03:4000:52:ada:4::/80"; - }; + { Destination = "2a03:4000:52:ada:4::/80"; } - { routeConfig = { - Gateway = "2a03:4000:52:ada:4::"; - GatewayOnLink = true; - Table = "bifrost"; - }; + { Gateway = "2a03:4000:52:ada:4::"; + GatewayOnLink = true; + Table = "bifrost"; } - { routeConfig = { - Destination = "2a03:4000:52:ada:4::/80"; - GatewayOnLink = true; - Table = "bifrost"; - }; + { Destination = "2a03:4000:52:ada:4::/80"; + GatewayOnLink = true; + Table = "bifrost"; } - { routeConfig = { - Destination = "2a03:4000:52:ada:4:1::/96"; - GatewayOnLink = true; - Table = "bifrost"; - }; + { Destination = "2a03:4000:52:ada:4:1::/96"; + GatewayOnLink = true; + Table = "bifrost"; } ]; routingPolicyRules = [ - { routingPolicyRuleConfig = { - Table = "bifrost"; - From = "2a03:4000:52:ada:4:1::/96"; - Priority = 1; - }; + { Table = "bifrost"; + From = "2a03:4000:52:ada:4:1::/96"; + Priority = 1; } ]; linkConfig = { diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix index e961c17e..4a792851 100644 --- a/hosts/vidhar/network/default.nix +++ b/hosts/vidhar/network/default.nix 
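Review bot: `Endpoint = "2a03:4000:52:ada:::51822";` on the new side spells an IPv6 endpoint without brackets; systemd.netdev(5) documents the IPv6 form as `[addr]:port`, and the unbracketed spelling appears to work only because networkd splits at the last colon. `Endpoint = "[2a03:4000:52:ada::]:51822";` is the documented form and does not depend on that parser detail. The same `wireguardPeerConfig`/`routeConfig`/`routingPolicyRuleConfig` flattening is applied in `hosts/surtr/bifrost/default.nix` and `hosts/surtr/vpn/default.nix`, where no endpoint is written. The enclosing netdev and network definitions continue outside the hunk.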
@@ -89,22 +89,21 @@ with lib; }; }; - services.nfs.server = { - enable = true; - createMountPoints = true; - - statdPort = 4000; - lockdPort = 4001; - mountdPort = 4002; - - extraNfsdConfig = '' - vers3=off - ''; - - exports = '' - /srv/nfs 10.141.0.0/24(ro,async,root_squash,fsid=0) 2a03:4000:52:ada:1::/80(ro,async,root_squash,fsid=0) - /srv/nfs/nix-store 10.141.0.0/24(ro,async,root_squash) 2a03:4000:52:ada:1::/80(ro,async,root_squash) - ''; + services.nfs = { + server = { + enable = true; + createMountPoints = true; + + statdPort = 4000; + lockdPort = 4001; + mountdPort = 4002; + + exports = '' + /srv/nfs 10.141.0.0/24(ro,async,root_squash,fsid=0) 2a03:4000:52:ada:1::/80(ro,async,root_squash,fsid=0) + /srv/nfs/nix-store 10.141.0.0/24(ro,async,root_squash) 2a03:4000:52:ada:1::/80(ro,async,root_squash) + ''; + }; + settings.nfsd.vers3 = false; }; fileSystems = { diff --git a/installer/default.nix b/installer/default.nix index 4fa2c2ab..e9d9fa1a 100644 --- a/installer/default.nix +++ b/installer/default.nix @@ -55,6 +55,8 @@ with lib; services.getty.autologinUser = lib.mkForce null; + system.disableInstallerTools = false; + system.stateVersion = config.system.nixos.release; # No state in installer }; } diff --git a/modules/borgcopy/default.nix b/modules/borgcopy/default.nix index afc6c37b..475edbd9 100644 --- a/modules/borgcopy/default.nix +++ b/modules/borgcopy/default.nix 
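Review bot: With `settings.nfsd.vers3 = false` the server is NFSv4-only, yet the `statdPort`/`lockdPort` pins kept just above it configure daemons that v4 clients never contact; if firewall rules elsewhere open 4000–4001 for them, those openings are now unnecessary and can go together with the pins (mountd is still used locally for export handling). The `false` value relies on nfs.conf boolean parsing, which in nfs-utils accepts `true/false` alongside `on/off`, so it should be equivalent to the old `vers3=off`; a comment such as `# NFSv3 disabled: lockd/statd are not needed by v4 clients` next to it would tie the two together. The enclosing configuration set continues outside the hunk.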
@@ -61,33 +61,40 @@ in { options = { from = mkOption { type = types.str; + description = "Copy from this repository"; }; to = mkOption { type = types.str; + description = "Copy to this repository"; }; verbosity = mkOption { type = types.int; default = 3; + description = "Set verbosity"; }; sshConfig = mkOption { type = with types; nullOr str; default = null; + description = "SSH client configuration"; }; keyfile = mkOption { type = with types; nullOr str; default = null; + description = "Keyfile to pass to borg"; }; unknownUnencryptedRepoAccessOk = mkOption { type = types.bool; default = false; + description = "Set `BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK`?"; }; hostnameIsUnique = mkOption { type = types.bool; default = true; + description = "Set `BORG_HOSTNAME_IS_UNIQUE`?"; }; timerOptions = mkOption { @@ -96,10 +103,12 @@ in { default = { wantedBy = ["timers.target"]; }; + description = "Systemd timer options"; }; }; }); default = {}; + description = "Copy borg archives from one repository to another"; }; }; diff --git a/modules/build-client.nix b/modules/build-client.nix index 9924b751..6322e6c0 100644 --- a/modules/build-client.nix +++ b/modules/build-client.nix @@ -15,6 +15,7 @@ in { options = { address = mkOption { type = types.str; + description = "Address of buildserver"; }; system = mkOption { @@ -82,10 +83,11 @@ in { }; }); default = {}; + description = "Buildservers to use"; }; }; }; - + config = mkIf (cfg != {}) { programs.ssh.extraConfig = concatMapStringsSep "\n" ({ name, value }: '' Host ${buildHostName name} diff --git a/modules/certspotter.nix b/modules/certspotter.nix deleted file mode 100644 index ff7ff7c2..00000000 --- a/modules/certspotter.nix +++ /dev/null 
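Review bot: The new descriptions for `keyfile` and `sshConfig` leave the important question open: is the value a path on the target host or the content itself? Both options are `types.str`, so a Nix path literal would be interpolated and copied into the world-readable store — for a borg key or an SSH config carrying an `IdentityFile`, that is the mistake the description should head off. Suggested: `description = "Path on the target host to the borg key file to use; must not be a Nix path, so the key stays out of the store";` and for `sshConfig` state explicitly whether it is inline client-config text or a path. The `verbosity` description (`Set verbosity`) could also say what the integer maps to. The enclosing submodule and the `timerOptions` option start and end outside the hunk.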
@@ -1,67 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -let - cfg = config.services.certspotter; - - script = pkgs.writeShellApplication { - name = "certspotter-script"; - runtimeInputs = with pkgs; [ coreutils ]; - text = '' - mkdir -p "''${LOGS_DIRECTORY}" - env > "$(mktemp -p "''${LOGS_DIRECTORY}" "$(date -Iseconds).''${PUBKEY_HASH:-na}.XXXXXXXXXX.env")" - ''; - }; - - startOptions = cfg.extraOptions - ++ optionals (cfg.logs != null) ["-logs" cfg.logs] - ++ ["-watchlist" (pkgs.writeText "watchlist" (concatStringsSep "\n" cfg.watchList)) - "-script" "${script}/bin/certspotter-script" - ]; - - startScript = pkgs.writeShellApplication { - name = "certspotter-start"; - runtimeInputs = [ pkgs.coreutils cfg.package ]; - text = '' - rm -f "''${STATE_DIRECTORY}/lock" - exec -- certspotter -state_dir "''${STATE_DIRECTORY}" ${escapeShellArgs startOptions} - ''; - }; -in { - options = { - services.certspotter = { - watchList = mkOption { - type = types.listOf types.str; - default = []; - }; - - logs = mkOption { - type = types.nullOr types.str; - default = null; - }; - - extraOptions = mkOption { - type = types.listOf types.str; - default = [ "-verbose" ]; - }; - - package = mkPackageOption pkgs "certspotter" {}; - }; - }; - - config = mkIf (cfg.watchList != []) { - systemd.services.certspotter = { - serviceConfig = { - Type = "oneshot"; - ExecStart = "${startScript}/bin/certspotter-start"; - StateDirectory = "certspotter"; - LogsDirectory = "certspotter"; - DynamicUser = true; - - CPUSchedulingPolicy = "idle"; - IOSchedulingClass = "idle"; - }; - }; - }; -} diff --git a/modules/coturn.nix b/modules/coturn.nix index faa4b5a2..d73d1bba 100644 --- a/modules/coturn.nix +++ b/modules/coturn.nix 
@@ -42,11 +42,11 @@ in { options = { services.coturn = { - enable = mkEnableOption (lib.mdDoc "coturn TURN server"); + enable = mkEnableOption "coturn TURN server"; listening-port = mkOption { type = types.int; default = 3478; - description = lib.mdDoc '' + description = '' TURN listener port for UDP and TCP. Note: actually, TLS and DTLS sessions can connect to the "plain" TCP and UDP port(s), too - if allowed by configuration. @@ -55,7 +55,7 @@ in { tls-listening-port = mkOption { type = types.int; default = 5349; - description = lib.mdDoc '' + description = '' TURN listener port for TLS. Note: actually, "plain" TCP and UDP sessions can connect to the TLS and DTLS port(s), too - if allowed by configuration. The TURN server @@ -71,7 +71,7 @@ in { type = types.int; default = cfg.listening-port + 1; defaultText = literalExpression "listening-port + 1"; - description = lib.mdDoc '' + description = '' Alternative listening port for UDP and TCP listeners; default (or zero) value means "listening port plus one". This is needed for RFC 5780 support @@ -86,7 +86,7 @@ in { type = types.int; default = cfg.tls-listening-port + 1; defaultText = literalExpression "tls-listening-port + 1"; - description = lib.mdDoc '' + description = '' Alternative listening port for TLS and DTLS protocols. ''; }; @@ -94,7 +94,7 @@ in { type = types.listOf types.str; default = []; example = [ "203.0.113.42" "2001:DB8::42" ]; - description = lib.mdDoc '' + description = '' Listener IP addresses of relay server. If no IP(s) specified in the config file or in the command line options, then all IPv4 and IPv6 system IPs will be used for listening. @@ -104,7 +104,7 @@ in { type = types.listOf types.str; default = []; example = [ "203.0.113.42" "2001:DB8::42" ]; - description = lib.mdDoc '' + description = '' Relay address (the local IP address that will be used to relay the packets to the peer). Multiple relay addresses may be used. 
@@ -120,28 +120,28 @@ in { min-port = mkOption { type = types.int; default = 49152; - description = lib.mdDoc '' + description = '' Lower bound of UDP relay endpoints ''; }; max-port = mkOption { type = types.int; default = 65535; - description = lib.mdDoc '' + description = '' Upper bound of UDP relay endpoints ''; }; lt-cred-mech = mkOption { type = types.bool; default = false; - description = lib.mdDoc '' + description = '' Use long-term credential mechanism. ''; }; no-auth = mkOption { type = types.bool; default = false; - description = lib.mdDoc '' + description = '' This option is opposite to lt-cred-mech. (TURN Server with no-auth option allows anonymous access). If neither option is defined, and no users are defined, @@ -153,7 +153,7 @@ in { use-auth-secret = mkOption { type = types.bool; default = false; - description = lib.mdDoc '' + description = '' TURN REST API flag. Flag that sets a special authorization option that is based upon authentication secret. This feature can be used with the long-term authentication mechanism, only. @@ -177,7 +177,7 @@ in { static-auth-secret = mkOption { type = types.nullOr types.str; default = null; - description = lib.mdDoc '' + description = '' 'Static' authentication secret value (a string) for TURN REST API only. If not set, then the turn server will try to use the 'dynamic' value in turn_secret table @@ -188,7 +188,7 @@ in { static-auth-secret-file = mkOption { type = types.nullOr types.str; default = null; - description = lib.mdDoc '' + description = '' Path to the file containing the static authentication secret. ''; }; @@ -197,7 +197,7 @@ in { default = config.networking.hostName; defaultText = literalExpression "config.networking.hostName"; example = "example.com"; - description = lib.mdDoc '' + description = '' The default realm to be used for the users when no explicit origin/realm relationship was found in the database, or if the TURN server is not using any database (just the commands-line settings 
@@ -209,7 +209,7 @@ in { type = types.nullOr types.str; default = null; example = "/var/lib/acme/example.com/fullchain.pem"; - description = lib.mdDoc '' + description = '' Certificate file in PEM format. ''; }; @@ -217,21 +217,21 @@ in { type = types.nullOr types.str; default = null; example = "/var/lib/acme/example.com/key.pem"; - description = lib.mdDoc '' + description = '' Private key file in PEM format. ''; }; dh-file = mkOption { type = types.nullOr types.str; default = null; - description = lib.mdDoc '' + description = '' Use custom DH TLS key, stored in PEM format in the file. ''; }; secure-stun = mkOption { type = types.bool; default = false; - description = lib.mdDoc '' + description = '' Require authentication of the STUN Binding request. By default, the clients are allowed anonymous access to the STUN Binding functionality. ''; @@ -239,28 +239,28 @@ in { no-cli = mkOption { type = types.bool; default = false; - description = lib.mdDoc '' + description = '' Turn OFF the CLI support. ''; }; cli-ip = mkOption { type = types.str; default = "127.0.0.1"; - description = lib.mdDoc '' + description = '' Local system IP address to be used for CLI server endpoint. ''; }; cli-port = mkOption { type = types.int; default = 5766; - description = lib.mdDoc '' + description = '' CLI server port. ''; }; cli-password = mkOption { type = types.nullOr types.str; default = null; - description = lib.mdDoc '' + description = '' CLI access password. For the security reasons, it is recommended to use the encrypted for of the password (see the -P command in the turnadmin utility). 
@@ -269,37 +269,37 @@ in { no-udp = mkOption { type = types.bool; default = false; - description = lib.mdDoc "Disable UDP client listener"; + description = "Disable UDP client listener"; }; no-tcp = mkOption { type = types.bool; default = false; - description = lib.mdDoc "Disable TCP client listener"; + description = "Disable TCP client listener"; }; no-tls = mkOption { type = types.bool; default = false; - description = lib.mdDoc "Disable TLS client listener"; + description = "Disable TLS client listener"; }; no-dtls = mkOption { type = types.bool; default = false; - description = lib.mdDoc "Disable DTLS client listener"; + description = "Disable DTLS client listener"; }; no-udp-relay = mkOption { type = types.bool; default = false; - description = lib.mdDoc "Disable UDP relay endpoints"; + description = "Disable UDP relay endpoints"; }; no-tcp-relay = mkOption { type = types.bool; default = false; - description = lib.mdDoc "Disable TCP relay endpoints"; + description = "Disable TCP relay endpoints"; }; extraConfig = mkOption { type = types.lines; default = ""; - description = lib.mdDoc "Additional configuration options"; + description = "Additional configuration options"; }; }; }; diff --git a/modules/envfs.nix b/modules/envfs.nix index ff992b61..b5b453a5 100644 --- a/modules/envfs.nix +++ b/modules/envfs.nix @@ -26,9 +26,9 @@ in { options = { services.envfs = { - enable = lib.mkEnableOption (lib.mdDoc "Envfs filesystem") // { + enable = lib.mkEnableOption "Envfs filesystem" // { default = true; - description = lib.mdDoc '' + description = '' Fuse filesystem that returns symlinks to executables based on the PATH of the requesting process. This is useful to execute shebangs on NixOS that assume hard coded locations in locations like /bin or /usr/bin 
@@ -40,7 +40,7 @@ in { type = lib.types.package; default = pkgs.envfs; defaultText = lib.literalExpression "pkgs.envfs"; - description = lib.mdDoc "Which package to use for the envfs."; + description = "Which package to use for the envfs."; }; paths = lib.mkOption { @@ -60,7 +60,7 @@ in { ''') ] ''; - description = lib.mdDoc "Extra packages to join into collection of fallback executables in case not other executable is found"; + description = "Extra packages to join into collection of fallback executables in case not other executable is found"; }; }; }; diff --git a/modules/etebase-server.nix b/modules/etebase-server.nix deleted file mode 100644 index 341e7fa0..00000000 --- a/modules/etebase-server.nix +++ /dev/null 
@@ -1,228 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -let - cfg = config.services.etebase-server; - - pythonEnv = pkgs.python3.withPackages (ps: with ps; - [ etebase-server daphne psycopg2 ]); - - iniFmt = pkgs.formats.ini {}; - - configIni = iniFmt.generate "etebase-server.ini" cfg.settings; - - defaultUser = "etebase-server"; -in -{ - disabledModules = [ "services/misc/etebase-server.nix" ]; - - imports = [ - (mkRemovedOptionModule - [ "services" "etebase-server" "customIni" ] - "Set the option `services.etebase-server.settings' instead.") - (mkRemovedOptionModule - [ "services" "etebase-server" "database" ] - "Set the option `services.etebase-server.settings.database' instead.") - (mkRenamedOptionModule - [ "services" "etebase-server" "secretFile" ] - [ "services" "etebase-server" "settings" "secret_file" ]) - (mkRenamedOptionModule - [ "services" "etebase-server" "host" ] - [ "services" "etebase-server" "settings" "allowed_hosts" "allowed_host1" ]) - ]; - - options = { - services.etebase-server = { - enable = mkOption { - type = types.bool; - default = false; - example = true; - description = lib.mdDoc '' - Whether to enable the Etebase server. - - Once enabled you need to create an admin user by invoking the - shell command `etebase-server createsuperuser` with - the user specified by the `user` option or a superuser. - Then you can login and create accounts on your-etebase-server.com/admin - ''; - }; - - dataDir = mkOption { - type = types.str; - default = "/var/lib/etebase-server"; - description = lib.mdDoc "Directory to store the Etebase server data."; - }; - - port = mkOption { - type = with types; nullOr port; - default = 8001; - description = lib.mdDoc "Port to listen on."; - }; - - openFirewall = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc '' - Whether to open ports in the firewall for the server. 
- ''; - }; - - unixSocket = mkOption { - type = with types; nullOr str; - default = null; - description = lib.mdDoc "The path to the socket to bind to."; - example = "/run/etebase-server/etebase-server.sock"; - }; - - settings = mkOption { - type = lib.types.submodule { - freeformType = iniFmt.type; - - options = { - global = { - debug = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc '' - Whether to set django's DEBUG flag. - ''; - }; - secret_file = mkOption { - type = with types; nullOr str; - default = null; - description = lib.mdDoc '' - The path to a file containing the secret - used as django's SECRET_KEY. - ''; - }; - static_root = mkOption { - type = types.str; - default = "${cfg.dataDir}/static"; - defaultText = literalExpression ''"''${config.services.etebase-server.dataDir}/static"''; - description = lib.mdDoc "The directory for static files."; - }; - media_root = mkOption { - type = types.str; - default = "${cfg.dataDir}/media"; - defaultText = literalExpression ''"''${config.services.etebase-server.dataDir}/media"''; - description = lib.mdDoc "The media directory."; - }; - }; - allowed_hosts = { - allowed_host1 = mkOption { - type = types.str; - default = "0.0.0.0"; - example = "localhost"; - description = lib.mdDoc '' - The main host that is allowed access. - ''; - }; - }; - database = { - engine = mkOption { - type = types.enum [ "django.db.backends.sqlite3" "django.db.backends.postgresql" ]; - default = "django.db.backends.sqlite3"; - description = lib.mdDoc "The database engine to use."; - }; - name = mkOption { - type = types.str; - default = "${cfg.dataDir}/db.sqlite3"; - defaultText = literalExpression ''"''${config.services.etebase-server.dataDir}/db.sqlite3"''; - description = lib.mdDoc "The database name."; - }; - }; - }; - }; - default = {}; - description = lib.mdDoc '' - Configuration for `etebase-server`. Refer to - - and - for details on supported values. 
- ''; - example = { - global = { - debug = true; - media_root = "/path/to/media"; - }; - allowed_hosts = { - allowed_host2 = "localhost"; - }; - }; - }; - - user = mkOption { - type = types.str; - default = defaultUser; - description = lib.mdDoc "User under which Etebase server runs."; - }; - }; - }; - - config = mkIf cfg.enable { - - environment.systemPackages = with pkgs; [ - (runCommand "etebase-server" { - nativeBuildInputs = [ makeWrapper ]; - } '' - makeWrapper ${pythonEnv}/bin/etebase-server \ - $out/bin/etebase-server \ - --chdir ${escapeShellArg cfg.dataDir} \ - --prefix ETEBASE_EASY_CONFIG_PATH : "${configIni}" - '') - ]; - - systemd.tmpfiles.rules = [ - "d '${cfg.dataDir}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -" - ]; - - systemd.services.etebase-server = { - description = "An Etebase (EteSync 2.0) server"; - after = [ "network.target" "systemd-tmpfiles-setup.service" ]; - wantedBy = [ "multi-user.target" ]; - path = [ pythonEnv ]; - serviceConfig = { - User = cfg.user; - Restart = "always"; - WorkingDirectory = cfg.dataDir; - }; - environment = { - ETEBASE_EASY_CONFIG_PATH = configIni; - }; - preStart = '' - # Auto-migrate on first run or if the package has changed - versionFile="${cfg.dataDir}/src-version" - if [[ $(cat "$versionFile" 2>/dev/null) != ${pkgs.etebase-server} ]]; then - etebase-server migrate --no-input - etebase-server collectstatic --no-input --clear - echo ${pkgs.etebase-server} > "$versionFile" - fi - ''; - script = - let - networking = if cfg.unixSocket != null - then "-u ${cfg.unixSocket}" - else "-b 0.0.0.0 -p ${toString cfg.port}"; - in '' - cd "${pythonEnv}/lib/etebase-server"; - daphne ${networking} \ - etebase_server.asgi:application - ''; - }; - - users = optionalAttrs (cfg.user == defaultUser) { - users.${defaultUser} = { - isSystemUser = true; - group = defaultUser; - home = cfg.dataDir; - }; - - groups.${defaultUser} = {}; - }; - - networking.firewall = mkIf cfg.openFirewall { - allowedTCPPorts = [ 
cfg.port ]; - }; - }; -} diff --git a/modules/home-manager.nix b/modules/home-manager.nix index ebe3e153..c485dd99 100644 --- a/modules/home-manager.nix +++ b/modules/home-manager.nix @@ -8,6 +8,9 @@ with lib; type = types.bool; default = true; example = true; + description = '' + Are we using home-manager version that starts late as systemd user service? + ''; }; }; } diff --git a/modules/knot.nix b/modules/knot.nix index a4691324..f7165029 100644 --- a/modules/knot.nix +++ b/modules/knot.nix @@ -81,6 +81,7 @@ in { cliWrappers = mkOption { readOnly = true; + internal = true; type = types.package; default = knot-cli-wrappers; defaultText = "knot-cli-wrappers"; diff --git a/modules/netns.nix b/modules/netns.nix index dca3c0db..79dc123b 100644 --- a/modules/netns.nix +++ b/modules/netns.nix @@ -125,6 +125,13 @@ in { containers = mkOption { default = {}; type = types.attrsOf (types.submodule containerOpts); + description = '' + A set of NixOS system configurations to be run as lightweight + containers. Each container appears as a service + `container-«name»` + on the host system, allowing it to be started and stopped via + {command}`systemctl`. + ''; }; }; }; diff --git a/modules/openssh.nix b/modules/openssh.nix index 78749869..8bdc3df6 100644 --- a/modules/openssh.nix +++ b/modules/openssh.nix @@ -30,6 +30,7 @@ with lib; "rsa-sha2-512" "rsa-sha2-512-cert-v01@openssh.com" ]; + description = "HostKeyAlgorithms"; }; settings.CASignatureAlgorithms = mkOption { type = types.str; @@ -43,6 +44,7 @@ with lib; "rsa-sha2-512" "rsa-sha2-256" ]; + description = "CASignatureAlgorithms"; }; settings.PubkeyAcceptedAlgorithms = mkOption { type = types.str; @@ -69,6 +71,7 @@ with lib; "rsa-sha2-512" "rsa-sha2-512-cert-v01@openssh.com" ]; + description = "PubkeyAcceptedAlgorithms"; }; }; }; diff --git a/modules/pgbackrest.nix b/modules/pgbackrest.nix index e02849f5..886840b9 100644 --- a/modules/pgbackrest.nix +++ b/modules/pgbackrest.nix 
@@ -50,8 +50,8 @@ in { package = mkPackageOption pkgs "pgbackrest" {}; dscpPackage = mkPackageOption pkgs "libdscp" { nullable = true; default = null; }; - dscp.archive-push = mkDSCPOption { default = 24; }; - dscp.backup = mkDSCPOption { default = 8; }; + dscp.archive-push = mkDSCPOption { default = 24; description = "DSCP during archive push"; }; + dscp.backup = mkDSCPOption { default = 8; description = "DSCP during backup"; }; configurePostgresql = { enable = mkEnableOption "configuring PostgreSQL for sending WAL to pgBackRest" // { @@ -63,6 +63,7 @@ in { type = types.str; default = config.networking.hostName; defaultText = literalExpression "config.networking.hostName"; + description = "Stanza"; }; }; @@ -74,23 +75,28 @@ in { global.log-level-console = mkOption { type = loglevelType; default = "detail"; + description = "Log level to console"; }; global.log-level-file = mkOption { type = loglevelType; default = "off"; + description = "Log level to logfile"; }; global.log-level-stderr = mkOption { type = loglevelType; default = "warn"; + description = "Log level to stderr"; }; global.log-subprocess = mkOption { type = types.bool; default = true; + description = "Log subprocesses?"; }; global.log-timestamp = mkOption { type = types.bool; default = false; + description = "Log timestamps?"; }; }; }; @@ -106,10 +112,12 @@ in { user = mkOption { type = types.str; default = "postgres"; + description = "User"; }; group = mkOption { type = types.str; default = "postgres"; + description = "Group"; }; }; 
@@ -119,32 +127,39 @@ in { type = mkOption { type = types.enum ["full" "incr" "diff"]; default = "full"; + description = "Type"; }; stanza = mkOption { type = types.str; default = cfg.configurePostgresql.stanza; defaultText = literalExpression "config.services.pgbackrest.configurePostgresql.stanza"; + description = "Stanza"; }; repo = mkOption { type = types.nullOr (types.strMatching "^[0-9]+$"); + description = "Repository number"; }; user = mkOption { type = types.str; default = "postgres"; + description = "User"; }; group = mkOption { type = types.str; default = "postgres"; + description = "Group"; }; timerConfig = mkOption { type = types.attrsOf unitOption; + description = "Systemd timer options"; }; }; })); default = {}; + description = "Configure backups"; }; }; }; diff --git a/modules/postfix-mta-sts-resolver.nix b/modules/postfix-mta-sts-resolver.nix index fcbd9390..193c54fb 100644 --- a/modules/postfix-mta-sts-resolver.nix +++ b/modules/postfix-mta-sts-resolver.nix @@ -8,7 +8,7 @@ in { options = { services.postfix-mta-sts-resolver = { enable = mkEnableOption "mta-sts-daemon"; - package = mkPackageOption pkgs "postfix-mta-sts-resolver"; + package = mkPackageOption pkgs "postfix-mta-sts-resolver" {}; redis = mkEnableOption "redis cache" // { default = true; example = false; }; proactive-policy-fetching = mkEnableOption "proactive policy fetching" // { default = true; example = false; }; @@ -16,10 +16,12 @@ in { loglevel = mkOption { type = types.enum ["debug" "info" "warn" "error" "fatal"]; default = "info"; + description = "Loglevel"; }; settings = mkOption { type = types.attrs; + description = "Settings"; }; }; }; diff --git a/modules/postfwd.nix b/modules/postfwd.nix index e10c04a7..3edff44d 100644 --- a/modules/postfwd.nix +++ b/modules/postfwd.nix @@ -12,6 +12,7 @@ in { rules = mkOption { type = lines; default = ""; + description = "Rules"; }; }; }; 
diff --git a/modules/prometheus-lvm-exporter.nix b/modules/prometheus-lvm-exporter.nix index 7ef082c3..ad46f835 100644 --- a/modules/prometheus-lvm-exporter.nix +++ b/modules/prometheus-lvm-exporter.nix @@ -21,7 +21,7 @@ in { openFirewall = mkOption { type = types.bool; default = false; - description = lib.mdDoc '' + description = '' Open port in firewall for incoming connections. ''; }; @@ -31,7 +31,7 @@ in { example = literalExpression '' "-i eth0 -p tcp -m tcp --dport ${toString cfg.port}" ''; - description = lib.mdDoc '' + description = '' Specify a filter for iptables to use when {option}`services.prometheus.exporters.lvm.openFirewall` is true. It is used as `ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept`. diff --git a/modules/yggdrasil/default.nix b/modules/yggdrasil/default.nix deleted file mode 100644 index f4100e73..00000000 --- a/modules/yggdrasil/default.nix +++ /dev/null 
@@ -1,50 +0,0 @@ -{ config, lib, customUtils, ... }: -let - cfg = config.services.tinc.yggdrasil; -in { - options = { - services.tinc.yggdrasil = lib.mkOption { - default = {}; - type = lib.types.submodule { - options = { - enable = lib.mkEnableOption "Yggdrasil tinc network"; - - connect = lib.mkOption { - default = true; - type = lib.types.bool; - description = '' - Connect to central server - ''; - }; - }; - }; - }; - }; - - config = lib.mkIf cfg.enable { - services.tinc.networks.yggdrasil = { - name = config.networking.hostName; - hostSettings = customUtils.nixImport { dir = ./hosts; }; - debugLevel = 2; - interfaceType = "tap"; - settings = { - Mode = "switch"; - PingTimeout = 30; - ConnectTo = lib.mkIf cfg.connect "ymir"; - }; - }; - - sops.secrets = { - tinc-yggdrasil-rsa = { - key = "rsa"; - path = "/etc/tinc/yggdrasil/rsa_key.priv"; - sopsFile = ./hosts + "/${config.services.tinc.networks.yggdrasil.name}/private-keys.yaml"; - }; - tinc-yggdrasil-ed25519 = { - key = "ed25519"; - path = "/etc/tinc/yggdrasil/rsa_key.priv"; - sopsFile = ./hosts + "/${config.services.tinc.networks.yggdrasil.name}/private-keys.yaml"; - }; - }; - }; -} diff --git a/modules/yggdrasil/hosts/sif/default.nix b/modules/yggdrasil/hosts/sif/default.nix deleted file mode 100644 index 32b844de..00000000 --- a/modules/yggdrasil/hosts/sif/default.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ - settings.Ed25519PublicKey = "qJqty+wiTNcYaHQCvQNiMqXYz30C9M3+LI/qjmU/9hK"; - rsaPublicKey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEA0ACaacg9EN0hBQct8ZwQ/i6EsXKP4DIwKwabM2rp8azValTHU2uI - WW6JRY+Eii6zRx9B5kJ96C4rJJeAGV6lZPAogaC2LbM7lcsZ7oRDWZGaQKcZFNGi - laEcDg2dRuDx1W4at0rb03SDLNPt8sXSV6BcK9n/7m7+s9cwM/+PB8FHDMnWvwbC - usbP23020s+CVr/PU1z/7J0y3Eat+Acut6x5X8DNewpqV96wQpqdAggbhtYERMFH - +i0sa1WUDQtJ6HGChbENRTMlsPJ6lnzXY+J0pzatzzvetLsOljES9uJ8dtk6qBC7 - KRZo5lvdUwR6j9XiHMQeRerUt23b9ATFXQIDAQAB - -----END RSA PUBLIC KEY----- - ''; -} 
diff --git a/modules/yggdrasil/hosts/sif/private-keys.yaml b/modules/yggdrasil/hosts/sif/private-keys.yaml deleted file mode 100644 index 0c4274d1..00000000 --- a/modules/yggdrasil/hosts/sif/private-keys.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -ed25519: ENC[AES256_GCM,data:1CqB4y6CIm5JUsznpXPqqLJqCKmmoAJOZQTWb7+Jbn0oZMX27qSMK4CchHF7Bmo24EK8rk5EyW5aQLnoxp/2NA62p8SXdaoI8Qgz3EgsQ5QrlJrt1jvERpNs4vttT9V6+aK3Yojr9IuQSvJ4jyKSLrzrTnLzF9pXlaOf1Ru5SxySRWtVzynzurRpdUVS6goE+lb+Irg6x2geV719iQ9bu1C2smeQDREdS+dlfoxp02/pU6kTFA7KAm5vA91HKEfMqfSEzuBgUB0=,iv:n6Yh0zZ9AbT+83P42QNO2rCCISJV5nbO9wYcwaRYD2E=,tag:dJpXV9ZzLSO1B+LsyV3vAg==,type:str] -rsa: ENC[AES256_GCM,data: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,iv:ZUAqvOpcVCXQD2PFzUh0e2m20t6gVT3mYb7S50iV/m8=,tag:AssxMqjVUEwQ4R6Y7eG9Tg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiTjludkxXUm5OREx4Zndk - czI0VmMxUE5kOHVKQ1lTL1RvQXlIQ3FhWFRVCmVXbmFqNTBDNy94RDJtakQra0lh - a2JrZlBxWFNVVFh6WFU3bjBwaFVIa1kKLS0tIFNObGZvVmpuQlU4SFBjZk45dlJM - d3VHVVZsVGlBd2craGNVbHdoeUpyVFEK/Tj9QVqAOWmAJv/PESvIOnnIbZkKof6E - HHaEYANQTp5kLyWaz4rfJiiQOP2bL5hDr1XV61mf6y9W8m9w4IynHg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1fj65apkhfkrwyv5tx6zcs9nkjg8267fy733qph30sc7zfn7vapjqkd5kne - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6L2lSdUUvSE1iUTEvdkxm - Nm4vV3MySWlTdldMZEw2dEhtSlZCb0wvL0VBCnJxY2dNUlJhcktQNVVOdHhPemJF - ZUJ3NUR0ZTRZdFkwMmExR2gwOHFlMTQKLS0tIHhLbkZQalBuNm5mRHBVQ1NNbGM4 - YUNsNE8vbnk0RnpRbHB5azM2NmdmKzAKwUVFQHvBvGjc/mGI9lhkW86ovUVvUxok - O6QelapJHGP2gQ3aZBk8eFJJs7Ve+q1yiQUbO34BFFdIfRyiObmbKw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2021-01-02T14:46:16Z" - mac: ENC[AES256_GCM,data:Phng7z7UlE6nO3FFIQPOHgKCqDm2uOGL57ryJbokjipSSdoWPinpz0zIJv9Z67b9uOf3CQoGtV4YwcudNkzDBKOyD8uA6RYwCKpbYcZIdiy8DLL46+VT/wq9toTkeDXM6jKupzzOARZhHT8DCOLqW7u8Q3S645cbTJmw0+LMIGk=,iv:y4KEh0+bKhtnSobKVdfaPuRsueNC1lcrEbUGfEAn+Bg=,tag:3Oi4e/hSgPVsoFQpnVQj+g==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.6.1 
diff --git a/modules/yggdrasil/hosts/ymir.nix b/modules/yggdrasil/hosts/ymir.nix deleted file mode 100644 index b77a9216..00000000 --- a/modules/yggdrasil/hosts/ymir.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ - addresses = [{ address = "ymir.yggdrasil.li"; }]; - settings.Ed25519PublicKey = "b/SobnMqByzHOQeO+iU7OZ1liD8a++knbi5ebNawnaC"; - rsaPublicKey = '' - -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEAuInSfQf5euFXEVkLLzf9TumQJ+3WRsxX4uKdOXBqrIC7yjSBP8j9 - ql5rNWPzgXxFF5ERmwW+E3cyzJLU9Htu7r3muqM6nhSZizhCskifPRFc3e5ssSke - XhHICHfe90+qvab/hWx/NjkW59bBYIzDuJfq+ijDFMVNgOxaiM2f3/2prUUhP7bN - r3wVI8KCkOaknc0SOOmOhLzfJaD5wosqLOjgaNhlro2eMgMjQlxbyW8dVVgjwseR - Cl/mpu7r1pSMhS66RFH68wDoC3X81f7Zs9ZGDLTD8KXWhx0qgUMUAH4n6YGY0RM6 - BZ3qR/3KFRU64QPVAERpb0JdsU9ggCVydHkjrWW23ptHOPAOO5+yQj7tSDCKTRy9 - dHMQnbtPrgAb6iMhO1XTxA8Hdta1sCHsewsQekarwsA1bmk3hTgi/k8vwoGDUWtk - jgiDEPuutfmH4C6qxq9s+6lRboNKH8wgkVGpHiaq7mmePFdhzFdrj4+fYAMZTbil - 2iygsJ+yFOjA7U+iT6QDK33/MLsrQg0Ue6RPiG1qnDyax7gBAjz52iWkiuSkUXk0 - E5ImdP4XMILgGcWk8iPq5iRS03edE0pCpxGX3ZZwFE5+CoXgO6wR1ToL1vZEEHMQ - SHJPufKjkavPKbejPps/mLaJQVw3W10PAJssB9nxW2aHX3n0ugGaIvMCAwEAAQ== - -----END RSA PUBLIC KEY----- - ''; -} diff --git a/overlays/postfix-mta-sts-resolver/default.nix b/overlays/postfix-mta-sts-resolver/default.nix index 49fbb7c9..d930cefb 100644 --- a/overlays/postfix-mta-sts-resolver/default.nix +++ b/overlays/postfix-mta-sts-resolver/default.nix @@ -3,6 +3,7 @@ postfix-mta-sts-resolver = with prev.poetry2nix; mkPoetryApplication { + python = prev.python311; inherit (sources.postfix-mta-sts-resolver) pname version; projectDir = cleanPythonSources { src = prev.runCommand "sources" {} '' diff --git a/overlays/preserve-dscp/default.nix b/overlays/preserve-dscp/default.nix index 73721083..a1064591 100644 --- a/overlays/preserve-dscp/default.nix +++ b/overlays/preserve-dscp/default.nix 
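Review bot: The new line `python = prev.python311;` in overlays/postfix-mta-sts-resolver/default.nix pins the interpreter without saying why, so nobody will know when the pin can be dropped or that it must be bumped once python311 leaves nixpkgs. Recording the reason next to it, e.g. `# pinned to python311: <reason — TODO confirm>`, would keep that knowledge with the code. The `mkPoetryApplication` call continues outside the hunk.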
@@ -10,7 +10,8 @@ buildFlags = [ "preserve-dscp" ]; CPATH = prev.lib.makeSearchPathOutput "dev" "include" (buildInputs ++ nativeBuildInputs); - BPF_CFLAGS = "-Wno-unused-command-line-argument -fno-stack-protector"; + BPF_CFLAGS = "-Wno-unused-command-line-argument"; + hardeningDisable = [ "stackprotector" "zerocallusedregs" ]; outputs = [ "out" "lib" ]; diff --git a/system-profiles/core/default.nix b/system-profiles/core/default.nix index 6aee221f..c2c821b7 100644 --- a/system-profiles/core/default.nix +++ b/system-profiles/core/default.nix @@ -74,7 +74,7 @@ in { }; in foldr (def: mergeConfig def.value) {}; }; - description = mdDoc '' + description = '' The configuration of the Nix Packages collection. (For details, see the Nixpkgs documentation.) It allows you to set package configuration options. 
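Review bot: `hardeningDisable = [ "stackprotector" "zerocallusedregs" ];` switches those hardening flags off for every compilation in the derivation, whereas the dropped `-fno-stack-protector` in `BPF_CFLAGS` presumably reached only the BPF objects; if this derivation also builds a userspace loader, that loader now loses stack-protector and zero-call-used-regs as well. The motivation seems to be that the cc-wrapper's default hardening flags are not accepted when targeting BPF, but the hunk does not say so, and a comment would help, e.g. `# cc-wrapper hardening flags are rejected for the bpf target; disabled derivation-wide`. If only the BPF objects need the exemption, the narrower alternative to try is keeping the negations in `BPF_CFLAGS` (`-fno-stack-protector -fzero-call-used-regs=skip`) and leaving the derivation's hardening on. The enclosing derivation starts and ends outside the hunk.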
@@ -91,96 +91,113 @@ in { }; }; - config = { - networking.hostName = hostName; - system.configurationRevision = mkIf (flake ? rev) flake.rev; + config = foldr recursiveUpdate {} ([ + { + networking.hostName = hostName; + system.configurationRevision = mkIf (flake ? rev) flake.rev; - nixpkgs.pkgs = import (flakeInputs.${config.nixpkgs.flakeInput}.outPath + "/pkgs/top-level") { - overlays = attrValues flake.overlays; - config = config.nixpkgs.externalConfig; - localSystem = config.nixpkgs.system; - }; + nixpkgs.pkgs = import (flakeInputs.${config.nixpkgs.flakeInput}.outPath + "/pkgs/top-level") { + overlays = attrValues flake.overlays; + config = config.nixpkgs.externalConfig; + localSystem = config.nixpkgs.system; + }; - nix = { - package = if builtins.hasAttr "latest" pkgs.nixVersions then pkgs.nixVersions.latest else pkgs.nixUnstable; - settings = { - sandbox = true; - allowed-users = [ "*" ]; - trusted-users = [ "root" "@wheel" ]; + nix = { + package = if builtins.hasAttr "latest" pkgs.nixVersions then pkgs.nixVersions.latest else pkgs.nixUnstable; + settings = { + sandbox = true; + allowed-users = [ "*" ]; + trusted-users = [ "root" "@wheel" ]; - experimental-features = ["nix-command" "flakes" "auto-allocate-uids" "cgroups"]; - auto-allocate-uids = true; - use-cgroups = true; - use-xdg-base-directories = true; + experimental-features = ["nix-command" "flakes" "auto-allocate-uids" "cgroups"]; + auto-allocate-uids = true; + use-cgroups = true; + use-xdg-base-directories = true; - flake-registry = "${flakeInputs.flake-registry}/flake-registry.json"; + flake-registry = "${flakeInputs.flake-registry}/flake-registry.json"; + }; + nixPath = [ + "nixpkgs=${pkgs.runCommand "nixpkgs" {} '' + mkdir $out + ln -s ${./nixpkgs.nix} $out/default.nix + ln -s /run/nixpkgs/lib $out/lib + ''}" + ]; + registry = + let override = { self = "nixos"; }; + in mapAttrs' (inpName: inpFlake: nameValuePair + (override.${inpName} or inpName) + { flake = inpFlake; } ) flakeInputs; }; - nixPath 
= [ - "nixpkgs=${pkgs.runCommand "nixpkgs" {} '' - mkdir $out - ln -s ${./nixpkgs.nix} $out/default.nix - ln -s /run/nixpkgs/lib $out/lib + + systemd.tmpfiles.rules = [ + "L+ /run/nixpkgs - - - - ${flakeInputs.nixpkgs.outPath}" + "L+ /run/nixpkgs-overlays.nix - - - - ${pkgs.writeText "overlays.nix" '' + with builtins; + + attrValues (import + ( + let lock = fromJSON (readFile ${flake + "/flake.lock"}); in + fetchTarball { + url = "https://github.com/edolstra/flake-compat/archive/''${lock.nodes.flake-compat.locked.rev}.tar.gz"; + sha256 = lock.nodes.flake-compat.locked.narHash; + } + ) + { src = ${flake}; } + ).defaultNix.overlays ''}" + "L+ /etc/nixos - - - - ${flake}" ]; - registry = - let override = { self = "nixos"; }; - in mapAttrs' (inpName: inpFlake: nameValuePair - (override.${inpName} or inpName) - { flake = inpFlake; } ) flakeInputs; - }; - - systemd.tmpfiles.rules = [ - "L+ /run/nixpkgs - - - - ${flakeInputs.nixpkgs.outPath}" - "L+ /run/nixpkgs-overlays.nix - - - - ${pkgs.writeText "overlays.nix" '' - with builtins; - - attrValues (import - ( - let lock = fromJSON (readFile ${flake + "/flake.lock"}); in - fetchTarball { - url = "https://github.com/edolstra/flake-compat/archive/''${lock.nodes.flake-compat.locked.rev}.tar.gz"; - sha256 = lock.nodes.flake-compat.locked.narHash; - } - ) - { src = ${flake}; } - ).defaultNix.overlays - ''}" - ]; - - users.mutableUsers = false; - # documentation.nixos.includeAllModules = true; # incompatible with home-manager (build fails) + users.mutableUsers = false; - home-manager = { - useGlobalPkgs = true; # Otherwise home-manager would only work impurely - useUserPackages = false; - backupFileExtension = "bak"; - }; + documentation.nixos = { + includeAllModules = true; + options.warningsAreErrors = false; + }; - sops = mkIf hasSops { - age = { - keyFile = "/var/lib/sops-nix/key.txt"; - generateKey = false; - sshKeyPaths = []; + home-manager = { + useGlobalPkgs = true; # Otherwise home-manager would only work impurely + 
useUserPackages = false; + backupFileExtension = "bak"; }; - gnupg = { - home = null; - sshKeyPaths = []; + + sops = mkIf hasSops { + age = { + keyFile = "/var/lib/sops-nix/key.txt"; + generateKey = false; + sshKeyPaths = []; + }; + gnupg = { + home = null; + sshKeyPaths = []; + }; }; - }; - programs.git = { - enable = true; - lfs.enable = true; + programs.git = { + enable = true; + lfs.enable = true; + }; + environment.systemPackages = with pkgs; [ git-annex scutiger ]; + } + ] ++ (optional (options ? system.switch.enableNg) { + system.switch = lib.mkDefault { + enable = false; + enableNg = true; }; - environment.systemPackages = with pkgs; [ git-annex scutiger ]; - - system.activationScripts.symlink-flake = '' - if test -L /etc/nixos; then - ln -nsf ${flake} /etc/nixos - elif test -d /etc/nixos && rmdir --ignore-fail-on-non-empty /etc/nixos; then - ln -s ${flake} /etc/nixos - fi - ''; - }; + }) + ++ (optional (options ? system.etc) { + boot.initrd.systemd.enable = lib.mkDefault true; + system.etc.overlay.enable = lib.mkDefault true; + systemd.sysusers.enable = lib.mkDefault true; + + # Random perl remnants + system.disableInstallerTools = lib.mkDefault true; + programs.less.lessopen = lib.mkDefault null; + programs.command-not-found.enable = lib.mkDefault false; + boot.enableContainers = lib.mkDefault false; + boot.loader.grub.enable = lib.mkDefault false; + environment.defaultPackages = lib.mkDefault [ ]; + documentation.info.enable = lib.mkDefault false; + })); } diff --git a/system-profiles/initrd-ssh/module.nix b/system-profiles/initrd-ssh/module.nix index 2e75a8c4..db973b72 100644 --- a/system-profiles/initrd-ssh/module.nix +++ b/system-profiles/initrd-ssh/module.nix 
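Review bot: The new tmpfiles rule `"L+ /etc/nixos - - - - ${flake}"` replaces the deleted `symlink-flake` activation script but drops its guard: the script only relinked when `/etc/nixos` was already a symlink or an empty directory, while `L+`, as I read tmpfiles.d(5), removes whatever exists at the path, a non-empty checked-out directory included, before creating the link. If that is not intended, keep the guard (the old activation script, or an `L` rule without `+` plus a separate fix-up for stale links). Separately, `config = foldr recursiveUpdate {} ([ ... ])` merges the fragments outside the module system: `recursiveUpdate` overwrites rather than concatenates list-valued options and treats `mkDefault`/`mkIf` results as ordinary attrsets, so any future key overlap between the fragments silently drops a definition, whereas `config = mkMerge ([ ... ] ++ optional ... ++ optional ...)` with the same `options ? …` guards gives the same conditionality with proper merging. The guard `options ? system.etc` also tests a broader path than the option it enables; `options ? system.etc.overlay.enable` would be the precise check. The `@@ -14,99 +14,111 @@` hunk of system-profiles/nfsroot.nix uses the same `foldr recursiveUpdate` construct.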
@@ -15,7 +15,7 @@ in enable = mkOption { type = types.bool; default = false; - description = lib.mdDoc '' + description = '' Start SSH service during initrd boot. It can be used to debug failing boot on a remote server, enter pasphrase for an encrypted partition etc. Service is killed when stage-1 boot is finished. @@ -28,7 +28,7 @@ in port = mkOption { type = types.port; default = 22; - description = lib.mdDoc '' + description = '' Port on which SSH initrd service should listen. ''; }; @@ -36,7 +36,7 @@ in shell = mkOption { type = types.str; default = "/bin/ash"; - description = lib.mdDoc '' + description = '' Login shell of the remote user. Can be used to limit actions user can do. ''; }; @@ -48,7 +48,7 @@ in "/etc/secrets/initrd/ssh_host_rsa_key" "/etc/secrets/initrd/ssh_host_ed25519_key" ]; - description = lib.mdDoc '' + description = '' Specify SSH host keys to import into the initrd. To generate keys, use @@ -80,7 +80,7 @@ in type = types.listOf types.str; default = config.users.users.root.openssh.authorizedKeys.keys; defaultText = literalExpression "config.users.users.root.openssh.authorizedKeys.keys"; - description = lib.mdDoc '' + description = '' Authorized keys for the root user on initrd. ''; }; @@ -88,7 +88,7 @@ in extraConfig = mkOption { type = types.lines; default = ""; - description = lib.mdDoc "Verbatim contents of {file}`sshd_config`."; + description = "Verbatim contents of {file}`sshd_config`."; }; }; diff --git a/system-profiles/nfsroot.nix b/system-profiles/nfsroot.nix index 4323765b..1cd930d9 100644 --- a/system-profiles/nfsroot.nix +++ b/system-profiles/nfsroot.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, flake, flakeInputs, ... }: +{ config, options, pkgs, lib, flake, flakeInputs, ... }: with lib; 
@@ -14,99 +14,111 @@ in { storeDevice = mkOption { type = types.str; default = "nfsroot:nix-store"; + description = "Nix store device"; }; registrationUrl = mkOption { type = types.str; default = "http://nfsroot/nix-registration"; + description = "Url of nix store registrations"; }; }; system.build = { - storeContents = mkOption {}; + storeContents = mkOption { + description = "Contents of nix store"; + }; }; }; - config = { - # Don't build the GRUB menu builder script, since we don't need it - # here and it causes a cyclic dependency. - boot.loader.grub.enable = false; - - # !!! Hack - attributes expected by other modules. - environment.systemPackages = [ pkgs.grub2_efi ] - ++ (if pkgs.stdenv.hostPlatform.system == "aarch64-linux" - then [] - else [ pkgs.grub2 pkgs.syslinux ]); - - # In stage 1, mount a tmpfs on top of /nix/store (the squashfs - # image) to make this a live CD. - fileSystems."/nix/.ro-store" = mkImageMediaOverride - { fsType = "nfs4"; - device = cfg.storeDevice; - options = [ "ro" ]; - neededForBoot = true; - }; + config = foldr recursiveUpdate {} ([ + { + # Don't build the GRUB menu builder script, since we don't need it + # here and it causes a cyclic dependency. + boot.loader.grub.enable = false; + + # !!! Hack - attributes expected by other modules. + environment.systemPackages = [ pkgs.grub2_efi ] + ++ (if pkgs.stdenv.hostPlatform.system == "aarch64-linux" + then [] + else [ pkgs.grub2 pkgs.syslinux ]); + + # In stage 1, mount a tmpfs on top of /nix/store (the squashfs + # image) to make this a live CD. 
+ fileSystems."/nix/.ro-store" = mkImageMediaOverride + { fsType = "nfs4"; + device = cfg.storeDevice; + options = [ "ro" ]; + neededForBoot = true; + }; + + fileSystems."/nix/.rw-store" = mkImageMediaOverride + { fsType = "tmpfs"; + options = [ "mode=0755" ]; + neededForBoot = true; + }; + + fileSystems."/nix/store" = mkImageMediaOverride + { fsType = "overlay"; + device = "overlay"; + options = [ + "lowerdir=/nix/.ro-store" + "upperdir=/nix/.rw-store/store" + "workdir=/nix/.rw-store/work" + ]; + + depends = [ + "/nix/.ro-store" + "/nix/.rw-store/store" + "/nix/.rw-store/work" + ]; + }; + + nix.settings.use-sqlite-wal = false; + + boot.initrd.availableKernelModules = [ "nfs" "nfsv4" "overlay" ]; + boot.initrd.supportedFilesystems = [ "nfs" "nfsv4" "overlay" ]; + services.rpcbind.enable = mkImageMediaOverride false; + + boot.initrd.network.enable = true; + boot.initrd.network.flushBeforeStage2 = false; # otherwise nfs doesn't work + boot.initrd.postMountCommands = '' + mkdir -p /mnt-root/etc/ + cp /etc/resolv.conf /mnt-root/etc/resolv.conf + ''; + networking.useDHCP = true; + networking.resolvconf.enable = false; + networking.dhcpcd.persistent = true; - fileSystems."/nix/.rw-store" = mkImageMediaOverride - { fsType = "tmpfs"; - options = [ "mode=0755" ]; - neededForBoot = true; - }; - fileSystems."/nix/store" = mkImageMediaOverride - { fsType = "overlay"; - device = "overlay"; - options = [ - "lowerdir=/nix/.ro-store" - "upperdir=/nix/.rw-store/store" - "workdir=/nix/.rw-store/work" - ]; - - depends = [ - "/nix/.ro-store" - "/nix/.rw-store/store" - "/nix/.rw-store/work" - ]; - }; + system.build.storeContents = [config.system.build.toplevel]; - nix.settings.use-sqlite-wal = false; - - boot.initrd.availableKernelModules = [ "nfs" "nfsv4" "overlay" ]; - boot.initrd.supportedFilesystems = [ "nfs" "nfsv4" "overlay" ]; - services.rpcbind.enable = mkImageMediaOverride false; - - boot.initrd.network.enable = true; - boot.initrd.network.flushBeforeStage2 = false; # 
otherwise nfs doesn't work - boot.initrd.postMountCommands = '' - mkdir -p /mnt-root/etc/ - cp /etc/resolv.conf /mnt-root/etc/resolv.conf - ''; - networking.useDHCP = true; - networking.resolvconf.enable = false; - networking.dhcpcd.persistent = true; - - - system.build.storeContents = [config.system.build.toplevel]; - - system.build.netbootIpxeScript = pkgs.writeTextDir "netboot.ipxe" '' - #!ipxe - # Use the cmdline variable to allow the user to specify custom kernel params - # when chainloading this script from other iPXE scripts like netboot.xyz - kernel ${pkgs.stdenv.hostPlatform.linux-kernel.target} init=${config.system.build.toplevel}/init initrd=initrd ${toString config.boot.kernelParams} ''${cmdline} - initrd initrd - boot - ''; - - boot.postBootCommands = - '' - # After booting, register the contents of the Nix store on NFS - # in the Nix database in the tmpfs. - ${pkgs.curl}/bin/curl ${escapeShellArg cfg.registrationUrl} | ${config.nix.package.out}/bin/nix-store --load-db - - # nixos-rebuild also requires a "system" profile and an - # /etc/NIXOS tag. - touch /etc/NIXOS - ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system + system.build.netbootIpxeScript = pkgs.writeTextDir "netboot.ipxe" '' + #!ipxe + # Use the cmdline variable to allow the user to specify custom kernel params + # when chainloading this script from other iPXE scripts like netboot.xyz + kernel ${pkgs.stdenv.hostPlatform.linux-kernel.target} init=${config.system.build.toplevel}/init initrd=initrd ${toString config.boot.kernelParams} ''${cmdline} + initrd initrd + boot ''; - }; + + boot.postBootCommands = + '' + # After booting, register the contents of the Nix store on NFS + # in the Nix database in the tmpfs. + ${pkgs.curl}/bin/curl ${escapeShellArg cfg.registrationUrl} | ${config.nix.package.out}/bin/nix-store --load-db + + # nixos-rebuild also requires a "system" profile and an + # /etc/NIXOS tag. 
+ touch /etc/NIXOS + ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system + ''; + + boot.initrd.systemd.enable = false; + } + ] ++ (optional (options ? system.etc) { + system.etc.overlay.enable = false; + }) ++ (optional (options ? system.sysusers) { + systemd.sysusers.enable = false; + })); } diff --git a/user-profiles/yt-dlp.nix b/user-profiles/yt-dlp.nix index 550d6a78..fda29111 100644 --- a/user-profiles/yt-dlp.nix +++ b/user-profiles/yt-dlp.nix @@ -28,6 +28,7 @@ # "youtube:formats=dashy" # ]; remux-video = "mp4>mkv"; + hwdec = "auto-safe"; }; }; }; -- cgit v1.2.3
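Review bot: `boot.postBootCommands` still pipes an unauthenticated plain-HTTP fetch of `cfg.registrationUrl` (default `http://nfsroot/nix-registration`) straight into `nix-store --load-db`, and `curl` runs without `--fail`, so an HTTP error body — or whatever a host that can answer for `nfsroot` on a DHCP-configured network returns — is loaded as the Nix database. At minimum change the line to `${pkgs.curl}/bin/curl --fail --silent --show-error ${escapeShellArg cfg.registrationUrl} | ${config.nix.package.out}/bin/nix-store --load-db` so a failed fetch aborts instead of registering garbage; serving the registration over TLS or checking a signature is the stronger fix the commit does not make. The same trust boundary applies to the `nfs4` `/nix/.ro-store` mount, whose options are only `[ "ro" ]` with no `sec=`, so the store contents are integrity-unprotected on the wire; a comment on that `fileSystems` entry such as `# NOTE: store and registration come unauthenticated from the netboot segment; the network is assumed trusted` would make the assumption explicit. The hunk otherwise only restructures the existing options into `foldr recursiveUpdate`, so this is a pre-existing gap rather than a regression.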