From 63adb41f1a060c21a68143eb9e86c2790ef66f36 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Thu, 8 Aug 2024 10:45:09 +0200
Subject: ...

---
 modules/borgcopy/default.nix | 9 +
 modules/build-client.nix | 4 +-
 modules/certspotter.nix | 67 --------
 modules/coturn.nix | 60 +++----
 modules/envfs.nix | 8 +-
 modules/etebase-server.nix | 228 --------------------------
 modules/home-manager.nix | 3 +
 modules/knot.nix | 1 +
 modules/netns.nix | 7 +
 modules/openssh.nix | 3 +
 modules/pgbackrest.nix | 19 ++-
 modules/postfix-mta-sts-resolver.nix | 4 +-
 modules/postfwd.nix | 1 +
 modules/prometheus-lvm-exporter.nix | 4 +-
 modules/yggdrasil/default.nix | 50 ------
 modules/yggdrasil/hosts/sif/default.nix | 13 --
 modules/yggdrasil/hosts/sif/private-keys.yaml | 31 ----
 modules/yggdrasil/hosts/ymir.nix | 19 ---
 18 files changed, 83 insertions(+), 448 deletions(-)
 delete mode 100644 modules/certspotter.nix
 delete mode 100644 modules/etebase-server.nix
 delete mode 100644 modules/yggdrasil/default.nix
 delete mode 100644 modules/yggdrasil/hosts/sif/default.nix
 delete mode 100644 modules/yggdrasil/hosts/sif/private-keys.yaml
 delete mode 100644 modules/yggdrasil/hosts/ymir.nix
(limited to 'modules')

diff --git a/modules/borgcopy/default.nix b/modules/borgcopy/default.nix
index afc6c37b..475edbd9 100644
--- a/modules/borgcopy/default.nix
+++ b/modules/borgcopy/default.nix
@@ -61,33 +61,40 @@ in { options = { from = mkOption { type = types.str; + description = "Copy from this repository"; }; to = mkOption { type = types.str; + description = "Copy to this repository"; }; verbosity = mkOption { type = types.int; default = 3; + description = "Set verbosity"; }; sshConfig = mkOption { type = with types; nullOr str; default = null; + description = "SSH client configuration"; }; keyfile = mkOption { type = with types; nullOr str; default = null; + description = "Keyfile to pass to borg"; }; unknownUnencryptedRepoAccessOk = mkOption { type = types.bool; default = false; + description = "Set `BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK`?"; }; hostnameIsUnique = mkOption { type = types.bool; default = true; + description = "Set `BORG_HOSTNAME_IS_UNIQUE`?"; }; timerOptions = mkOption { @@ -96,10 +103,12 @@ in { default = { wantedBy = ["timers.target"]; }; + description = "Systemd timer options"; }; }; }); default = {}; + description = "Copy borg archives from one repository to another"; }; }; diff --git a/modules/build-client.nix b/modules/build-client.nix index 9924b751..6322e6c0 100644 --- a/modules/build-client.nix +++ b/modules/build-client.nix @@ -15,6 +15,7 @@ in { options = { address = mkOption { type = types.str; + description = "Address of buildserver"; }; system = mkOption { @@ -82,10 +83,11 @@ in { }; }); default = {}; + description = "Buildservers to use"; }; }; }; - + config = mkIf (cfg != {}) { programs.ssh.extraConfig = concatMapStringsSep "\n" ({ name, value }: '' Host ${buildHostName name} diff --git a/modules/certspotter.nix b/modules/certspotter.nix deleted file mode 100644 index ff7ff7c2..00000000 --- a/modules/certspotter.nix +++ /dev/null 
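Review bot: The description added for `unknownUnencryptedRepoAccessOk` only names the environment variable, but `BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes` is the switch that makes borg silently accept an unencrypted repository it has never seen before, which is exactly the guard against a substituted or tampered repository; the text should state that so nobody flips it casually. Suggest `description = "Set BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK, i.e. let borg access an unencrypted repository it has not seen before without asking. Only enable for repositories you fully control.";`. The `hostnameIsUnique` description would likewise benefit from saying what the flag buys (presumably letting borg treat stale locks carrying this hostname as its own and break them — confirm against the borg docs for the pinned version). The enclosing `options = { … }` submodule starts above the first hunk, so the option's surrounding documentation is not visible here.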
@@ -1,67 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -let - cfg = config.services.certspotter; - - script = pkgs.writeShellApplication { - name = "certspotter-script"; - runtimeInputs = with pkgs; [ coreutils ]; - text = '' - mkdir -p "''${LOGS_DIRECTORY}" - env > "$(mktemp -p "''${LOGS_DIRECTORY}" "$(date -Iseconds).''${PUBKEY_HASH:-na}.XXXXXXXXXX.env")" - ''; - }; - - startOptions = cfg.extraOptions - ++ optionals (cfg.logs != null) ["-logs" cfg.logs] - ++ ["-watchlist" (pkgs.writeText "watchlist" (concatStringsSep "\n" cfg.watchList)) - "-script" "${script}/bin/certspotter-script" - ]; - - startScript = pkgs.writeShellApplication { - name = "certspotter-start"; - runtimeInputs = [ pkgs.coreutils cfg.package ]; - text = '' - rm -f "''${STATE_DIRECTORY}/lock" - exec -- certspotter -state_dir "''${STATE_DIRECTORY}" ${escapeShellArgs startOptions} - ''; - }; -in { - options = { - services.certspotter = { - watchList = mkOption { - type = types.listOf types.str; - default = []; - }; - - logs = mkOption { - type = types.nullOr types.str; - default = null; - }; - - extraOptions = mkOption { - type = types.listOf types.str; - default = [ "-verbose" ]; - }; - - package = mkPackageOption pkgs "certspotter" {}; - }; - }; - - config = mkIf (cfg.watchList != []) { - systemd.services.certspotter = { - serviceConfig = { - Type = "oneshot"; - ExecStart = "${startScript}/bin/certspotter-start"; - StateDirectory = "certspotter"; - LogsDirectory = "certspotter"; - DynamicUser = true; - - CPUSchedulingPolicy = "idle"; - IOSchedulingClass = "idle"; - }; - }; - }; -} diff --git a/modules/coturn.nix b/modules/coturn.nix index faa4b5a2..d73d1bba 100644 --- a/modules/coturn.nix +++ b/modules/coturn.nix 
@@ -42,11 +42,11 @@ in { options = { services.coturn = { - enable = mkEnableOption (lib.mdDoc "coturn TURN server"); + enable = mkEnableOption "coturn TURN server"; listening-port = mkOption { type = types.int; default = 3478; - description = lib.mdDoc '' + description = '' TURN listener port for UDP and TCP. Note: actually, TLS and DTLS sessions can connect to the "plain" TCP and UDP port(s), too - if allowed by configuration. @@ -55,7 +55,7 @@ in { tls-listening-port = mkOption { type = types.int; default = 5349; - description = lib.mdDoc '' + description = '' TURN listener port for TLS. Note: actually, "plain" TCP and UDP sessions can connect to the TLS and DTLS port(s), too - if allowed by configuration. The TURN server @@ -71,7 +71,7 @@ in { type = types.int; default = cfg.listening-port + 1; defaultText = literalExpression "listening-port + 1"; - description = lib.mdDoc '' + description = '' Alternative listening port for UDP and TCP listeners; default (or zero) value means "listening port plus one". This is needed for RFC 5780 support @@ -86,7 +86,7 @@ in { type = types.int; default = cfg.tls-listening-port + 1; defaultText = literalExpression "tls-listening-port + 1"; - description = lib.mdDoc '' + description = '' Alternative listening port for TLS and DTLS protocols. ''; }; @@ -94,7 +94,7 @@ in { type = types.listOf types.str; default = []; example = [ "203.0.113.42" "2001:DB8::42" ]; - description = lib.mdDoc '' + description = '' Listener IP addresses of relay server. If no IP(s) specified in the config file or in the command line options, then all IPv4 and IPv6 system IPs will be used for listening. @@ -104,7 +104,7 @@ in { type = types.listOf types.str; default = []; example = [ "203.0.113.42" "2001:DB8::42" ]; - description = lib.mdDoc '' + description = '' Relay address (the local IP address that will be used to relay the packets to the peer). Multiple relay addresses may be used. 
@@ -120,28 +120,28 @@ in { min-port = mkOption { type = types.int; default = 49152; - description = lib.mdDoc '' + description = '' Lower bound of UDP relay endpoints ''; }; max-port = mkOption { type = types.int; default = 65535; - description = lib.mdDoc '' + description = '' Upper bound of UDP relay endpoints ''; }; lt-cred-mech = mkOption { type = types.bool; default = false; - description = lib.mdDoc '' + description = '' Use long-term credential mechanism. ''; }; no-auth = mkOption { type = types.bool; default = false; - description = lib.mdDoc '' + description = '' This option is opposite to lt-cred-mech. (TURN Server with no-auth option allows anonymous access). If neither option is defined, and no users are defined, @@ -153,7 +153,7 @@ in { use-auth-secret = mkOption { type = types.bool; default = false; - description = lib.mdDoc '' + description = '' TURN REST API flag. Flag that sets a special authorization option that is based upon authentication secret. This feature can be used with the long-term authentication mechanism, only. @@ -177,7 +177,7 @@ in { static-auth-secret = mkOption { type = types.nullOr types.str; default = null; - description = lib.mdDoc '' + description = '' 'Static' authentication secret value (a string) for TURN REST API only. If not set, then the turn server will try to use the 'dynamic' value in turn_secret table @@ -188,7 +188,7 @@ in { static-auth-secret-file = mkOption { type = types.nullOr types.str; default = null; - description = lib.mdDoc '' + description = '' Path to the file containing the static authentication secret. ''; }; @@ -197,7 +197,7 @@ in { default = config.networking.hostName; defaultText = literalExpression "config.networking.hostName"; example = "example.com"; - description = lib.mdDoc '' + description = '' The default realm to be used for the users when no explicit origin/realm relationship was found in the database, or if the TURN server is not using any database (just the commands-line settings 
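Review bot: `static-auth-secret` stays a plain `types.nullOr types.str`, so a value given there is presumably rendered into the generated turnserver configuration and thus lands in the world-readable Nix store; since this hunk rewrites its description anyway, it should say so and steer users to `static-auth-secret-file`. Suggest appending `Note: a value set here ends up in the Nix store; prefer static-auth-secret-file for real deployments.` to the description. The config generation that consumes these options is outside the diff, so confirm how the value is passed before wording that as a guarantee.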
@@ -209,7 +209,7 @@ in { type = types.nullOr types.str; default = null; example = "/var/lib/acme/example.com/fullchain.pem"; - description = lib.mdDoc '' + description = '' Certificate file in PEM format. ''; }; @@ -217,21 +217,21 @@ in { type = types.nullOr types.str; default = null; example = "/var/lib/acme/example.com/key.pem"; - description = lib.mdDoc '' + description = '' Private key file in PEM format. ''; }; dh-file = mkOption { type = types.nullOr types.str; default = null; - description = lib.mdDoc '' + description = '' Use custom DH TLS key, stored in PEM format in the file. ''; }; secure-stun = mkOption { type = types.bool; default = false; - description = lib.mdDoc '' + description = '' Require authentication of the STUN Binding request. By default, the clients are allowed anonymous access to the STUN Binding functionality. ''; @@ -239,28 +239,28 @@ in { no-cli = mkOption { type = types.bool; default = false; - description = lib.mdDoc '' + description = '' Turn OFF the CLI support. ''; }; cli-ip = mkOption { type = types.str; default = "127.0.0.1"; - description = lib.mdDoc '' + description = '' Local system IP address to be used for CLI server endpoint. ''; }; cli-port = mkOption { type = types.int; default = 5766; - description = lib.mdDoc '' + description = '' CLI server port. ''; }; cli-password = mkOption { type = types.nullOr types.str; default = null; - description = lib.mdDoc '' + description = '' CLI access password. For the security reasons, it is recommended to use the encrypted for of the password (see the -P command in the turnadmin utility). 
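Review bot: With `no-cli` defaulting to false and `cli-password` defaulting to null, the management CLI is enabled on `cli-ip`:`cli-port` out of the box, and the rewritten `cli-password` description only recommends the hashed form rather than saying what a null value means. Suggest adding to the description: `If left null, the CLI listener is still started; set no-cli = true when the CLI is not needed, and never expose cli-ip beyond localhost without a password.` Whether coturn accepts a passwordless CLI session depends on the coturn version, so verify against the packaged release before asserting that in the text.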
@@ -269,37 +269,37 @@ in { no-udp = mkOption { type = types.bool; default = false; - description = lib.mdDoc "Disable UDP client listener"; + description = "Disable UDP client listener"; }; no-tcp = mkOption { type = types.bool; default = false; - description = lib.mdDoc "Disable TCP client listener"; + description = "Disable TCP client listener"; }; no-tls = mkOption { type = types.bool; default = false; - description = lib.mdDoc "Disable TLS client listener"; + description = "Disable TLS client listener"; }; no-dtls = mkOption { type = types.bool; default = false; - description = lib.mdDoc "Disable DTLS client listener"; + description = "Disable DTLS client listener"; }; no-udp-relay = mkOption { type = types.bool; default = false; - description = lib.mdDoc "Disable UDP relay endpoints"; + description = "Disable UDP relay endpoints"; }; no-tcp-relay = mkOption { type = types.bool; default = false; - description = lib.mdDoc "Disable TCP relay endpoints"; + description = "Disable TCP relay endpoints"; }; extraConfig = mkOption { type = types.lines; default = ""; - description = lib.mdDoc "Additional configuration options"; + description = "Additional configuration options"; }; }; }; diff --git a/modules/envfs.nix b/modules/envfs.nix index ff992b61..b5b453a5 100644 --- a/modules/envfs.nix +++ b/modules/envfs.nix @@ -26,9 +26,9 @@ in { options = { services.envfs = { - enable = lib.mkEnableOption (lib.mdDoc "Envfs filesystem") // { + enable = lib.mkEnableOption "Envfs filesystem" // { default = true; - description = lib.mdDoc '' + description = '' Fuse filesystem that returns symlinks to executables based on the PATH of the requesting process. This is useful to execute shebangs on NixOS that assume hard coded locations in locations like /bin or /usr/bin 
@@ -40,7 +40,7 @@ in { type = lib.types.package; default = pkgs.envfs; defaultText = lib.literalExpression "pkgs.envfs"; - description = lib.mdDoc "Which package to use for the envfs."; + description = "Which package to use for the envfs."; }; paths = lib.mkOption { @@ -60,7 +60,7 @@ in { ''') ] ''; - description = lib.mdDoc "Extra packages to join into collection of fallback executables in case not other executable is found"; + description = "Extra packages to join into collection of fallback executables in case not other executable is found"; }; }; }; diff --git a/modules/etebase-server.nix b/modules/etebase-server.nix deleted file mode 100644 index 341e7fa0..00000000 --- a/modules/etebase-server.nix +++ /dev/null 
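Review bot: The rewritten `paths` description carries a typo ("in case not other executable is found") and is hard to parse; since the hunk already replaces that line, fix the wording too: `description = "Extra packages to add to the collection of fallback executables used when no other executable is found";`. The option's type and default sit above the hunk and are not visible here.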
@@ -1,228 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -let - cfg = config.services.etebase-server; - - pythonEnv = pkgs.python3.withPackages (ps: with ps; - [ etebase-server daphne psycopg2 ]); - - iniFmt = pkgs.formats.ini {}; - - configIni = iniFmt.generate "etebase-server.ini" cfg.settings; - - defaultUser = "etebase-server"; -in -{ - disabledModules = [ "services/misc/etebase-server.nix" ]; - - imports = [ - (mkRemovedOptionModule - [ "services" "etebase-server" "customIni" ] - "Set the option `services.etebase-server.settings' instead.") - (mkRemovedOptionModule - [ "services" "etebase-server" "database" ] - "Set the option `services.etebase-server.settings.database' instead.") - (mkRenamedOptionModule - [ "services" "etebase-server" "secretFile" ] - [ "services" "etebase-server" "settings" "secret_file" ]) - (mkRenamedOptionModule - [ "services" "etebase-server" "host" ] - [ "services" "etebase-server" "settings" "allowed_hosts" "allowed_host1" ]) - ]; - - options = { - services.etebase-server = { - enable = mkOption { - type = types.bool; - default = false; - example = true; - description = lib.mdDoc '' - Whether to enable the Etebase server. - - Once enabled you need to create an admin user by invoking the - shell command `etebase-server createsuperuser` with - the user specified by the `user` option or a superuser. - Then you can login and create accounts on your-etebase-server.com/admin - ''; - }; - - dataDir = mkOption { - type = types.str; - default = "/var/lib/etebase-server"; - description = lib.mdDoc "Directory to store the Etebase server data."; - }; - - port = mkOption { - type = with types; nullOr port; - default = 8001; - description = lib.mdDoc "Port to listen on."; - }; - - openFirewall = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc '' - Whether to open ports in the firewall for the server. 
- ''; - }; - - unixSocket = mkOption { - type = with types; nullOr str; - default = null; - description = lib.mdDoc "The path to the socket to bind to."; - example = "/run/etebase-server/etebase-server.sock"; - }; - - settings = mkOption { - type = lib.types.submodule { - freeformType = iniFmt.type; - - options = { - global = { - debug = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc '' - Whether to set django's DEBUG flag. - ''; - }; - secret_file = mkOption { - type = with types; nullOr str; - default = null; - description = lib.mdDoc '' - The path to a file containing the secret - used as django's SECRET_KEY. - ''; - }; - static_root = mkOption { - type = types.str; - default = "${cfg.dataDir}/static"; - defaultText = literalExpression ''"''${config.services.etebase-server.dataDir}/static"''; - description = lib.mdDoc "The directory for static files."; - }; - media_root = mkOption { - type = types.str; - default = "${cfg.dataDir}/media"; - defaultText = literalExpression ''"''${config.services.etebase-server.dataDir}/media"''; - description = lib.mdDoc "The media directory."; - }; - }; - allowed_hosts = { - allowed_host1 = mkOption { - type = types.str; - default = "0.0.0.0"; - example = "localhost"; - description = lib.mdDoc '' - The main host that is allowed access. - ''; - }; - }; - database = { - engine = mkOption { - type = types.enum [ "django.db.backends.sqlite3" "django.db.backends.postgresql" ]; - default = "django.db.backends.sqlite3"; - description = lib.mdDoc "The database engine to use."; - }; - name = mkOption { - type = types.str; - default = "${cfg.dataDir}/db.sqlite3"; - defaultText = literalExpression ''"''${config.services.etebase-server.dataDir}/db.sqlite3"''; - description = lib.mdDoc "The database name."; - }; - }; - }; - }; - default = {}; - description = lib.mdDoc '' - Configuration for `etebase-server`. Refer to - - and - for details on supported values. 
- ''; - example = { - global = { - debug = true; - media_root = "/path/to/media"; - }; - allowed_hosts = { - allowed_host2 = "localhost"; - }; - }; - }; - - user = mkOption { - type = types.str; - default = defaultUser; - description = lib.mdDoc "User under which Etebase server runs."; - }; - }; - }; - - config = mkIf cfg.enable { - - environment.systemPackages = with pkgs; [ - (runCommand "etebase-server" { - nativeBuildInputs = [ makeWrapper ]; - } '' - makeWrapper ${pythonEnv}/bin/etebase-server \ - $out/bin/etebase-server \ - --chdir ${escapeShellArg cfg.dataDir} \ - --prefix ETEBASE_EASY_CONFIG_PATH : "${configIni}" - '') - ]; - - systemd.tmpfiles.rules = [ - "d '${cfg.dataDir}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -" - ]; - - systemd.services.etebase-server = { - description = "An Etebase (EteSync 2.0) server"; - after = [ "network.target" "systemd-tmpfiles-setup.service" ]; - wantedBy = [ "multi-user.target" ]; - path = [ pythonEnv ]; - serviceConfig = { - User = cfg.user; - Restart = "always"; - WorkingDirectory = cfg.dataDir; - }; - environment = { - ETEBASE_EASY_CONFIG_PATH = configIni; - }; - preStart = '' - # Auto-migrate on first run or if the package has changed - versionFile="${cfg.dataDir}/src-version" - if [[ $(cat "$versionFile" 2>/dev/null) != ${pkgs.etebase-server} ]]; then - etebase-server migrate --no-input - etebase-server collectstatic --no-input --clear - echo ${pkgs.etebase-server} > "$versionFile" - fi - ''; - script = - let - networking = if cfg.unixSocket != null - then "-u ${cfg.unixSocket}" - else "-b 0.0.0.0 -p ${toString cfg.port}"; - in '' - cd "${pythonEnv}/lib/etebase-server"; - daphne ${networking} \ - etebase_server.asgi:application - ''; - }; - - users = optionalAttrs (cfg.user == defaultUser) { - users.${defaultUser} = { - isSystemUser = true; - group = defaultUser; - home = cfg.dataDir; - }; - - groups.${defaultUser} = {}; - }; - - networking.firewall = mkIf cfg.openFirewall { - allowedTCPPorts = [ 
cfg.port ]; - }; - }; -} diff --git a/modules/home-manager.nix b/modules/home-manager.nix index ebe3e153..c485dd99 100644 --- a/modules/home-manager.nix +++ b/modules/home-manager.nix @@ -8,6 +8,9 @@ with lib; type = types.bool; default = true; example = true; + description = '' + Are we using home-manager version that starts late as systemd user service? + ''; }; }; } diff --git a/modules/knot.nix b/modules/knot.nix index a4691324..f7165029 100644 --- a/modules/knot.nix +++ b/modules/knot.nix @@ -81,6 +81,7 @@ in { cliWrappers = mkOption { readOnly = true; + internal = true; type = types.package; default = knot-cli-wrappers; defaultText = "knot-cli-wrappers"; diff --git a/modules/netns.nix b/modules/netns.nix index dca3c0db..79dc123b 100644 --- a/modules/netns.nix +++ b/modules/netns.nix @@ -125,6 +125,13 @@ in { containers = mkOption { default = {}; type = types.attrsOf (types.submodule containerOpts); + description = '' + A set of NixOS system configurations to be run as lightweight + containers. Each container appears as a service + `container-«name»` + on the host system, allowing it to be started and stopped via + {command}`systemctl`. + ''; }; }; }; diff --git a/modules/openssh.nix b/modules/openssh.nix index 78749869..8bdc3df6 100644 --- a/modules/openssh.nix +++ b/modules/openssh.nix @@ -30,6 +30,7 @@ with lib; "rsa-sha2-512" "rsa-sha2-512-cert-v01@openssh.com" ]; + description = "HostKeyAlgorithms"; }; settings.CASignatureAlgorithms = mkOption { type = types.str; @@ -43,6 +44,7 @@ with lib; "rsa-sha2-512" "rsa-sha2-256" ]; + description = "CASignatureAlgorithms"; }; settings.PubkeyAcceptedAlgorithms = mkOption { type = types.str; @@ -69,6 +71,7 @@ with lib; "rsa-sha2-512" "rsa-sha2-512-cert-v01@openssh.com" ]; + description = "PubkeyAcceptedAlgorithms"; }; }; }; diff --git a/modules/pgbackrest.nix b/modules/pgbackrest.nix index e02849f5..886840b9 100644 --- a/modules/pgbackrest.nix +++ b/modules/pgbackrest.nix 
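Review bot: The descriptions added to `settings.HostKeyAlgorithms`, `settings.CASignatureAlgorithms` and `settings.PubkeyAcceptedAlgorithms` merely repeat the option names and do not explain that each default is a deliberate allow-list (the visible tails list only rsa-sha2 and `-cert-v01` variants, i.e. legacy `ssh-rsa`/SHA-1 signatures are intentionally excluded). A description such as `"Comma-separated HostKeyAlgorithms; the default is a curated allow-list that omits ssh-rsa (SHA-1) so it is never negotiated"` would tell a maintainer why the list must not simply be widened. Whether these feed sshd_config or ssh_config is not visible in the hunk, so word it accordingly.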
@@ -50,8 +50,8 @@ in { package = mkPackageOption pkgs "pgbackrest" {}; dscpPackage = mkPackageOption pkgs "libdscp" { nullable = true; default = null; }; - dscp.archive-push = mkDSCPOption { default = 24; }; - dscp.backup = mkDSCPOption { default = 8; }; + dscp.archive-push = mkDSCPOption { default = 24; description = "DSCP during archive push"; }; + dscp.backup = mkDSCPOption { default = 8; description = "DSCP during backup"; }; configurePostgresql = { enable = mkEnableOption "configuring PostgreSQL for sending WAL to pgBackRest" // { @@ -63,6 +63,7 @@ in { type = types.str; default = config.networking.hostName; defaultText = literalExpression "config.networking.hostName"; + description = "Stanza"; }; }; @@ -74,23 +75,28 @@ in { global.log-level-console = mkOption { type = loglevelType; default = "detail"; + description = "Log level to console"; }; global.log-level-file = mkOption { type = loglevelType; default = "off"; + description = "Log level to logfile"; }; global.log-level-stderr = mkOption { type = loglevelType; default = "warn"; + description = "Log level to stderr"; }; global.log-subprocess = mkOption { type = types.bool; default = true; + description = "Log subprocesses?"; }; global.log-timestamp = mkOption { type = types.bool; default = false; + description = "Log timestamps?"; }; }; }; @@ -106,10 +112,12 @@ in { user = mkOption { type = types.str; default = "postgres"; + description = "User"; }; group = mkOption { type = types.str; default = "postgres"; + description = "Group"; }; }; 
@@ -119,32 +127,39 @@ in { type = mkOption { type = types.enum ["full" "incr" "diff"]; default = "full"; + description = "Type"; }; stanza = mkOption { type = types.str; default = cfg.configurePostgresql.stanza; defaultText = literalExpression "config.services.pgbackrest.configurePostgresql.stanza"; + description = "Stanza"; }; repo = mkOption { type = types.nullOr (types.strMatching "^[0-9]+$"); + description = "Repository number"; }; user = mkOption { type = types.str; default = "postgres"; + description = "User"; }; group = mkOption { type = types.str; default = "postgres"; + description = "Group"; }; timerConfig = mkOption { type = types.attrsOf unitOption; + description = "Systemd timer options"; }; }; })); default = {}; + description = "Configure backups"; }; }; }; diff --git a/modules/postfix-mta-sts-resolver.nix b/modules/postfix-mta-sts-resolver.nix index fcbd9390..193c54fb 100644 --- a/modules/postfix-mta-sts-resolver.nix +++ b/modules/postfix-mta-sts-resolver.nix @@ -8,7 +8,7 @@ in { options = { services.postfix-mta-sts-resolver = { enable = mkEnableOption "mta-sts-daemon"; - package = mkPackageOption pkgs "postfix-mta-sts-resolver"; + package = mkPackageOption pkgs "postfix-mta-sts-resolver" {}; redis = mkEnableOption "redis cache" // { default = true; example = false; }; proactive-policy-fetching = mkEnableOption "proactive policy fetching" // { default = true; example = false; }; @@ -16,10 +16,12 @@ in { loglevel = mkOption { type = types.enum ["debug" "info" "warn" "error" "fatal"]; default = "info"; + description = "Loglevel"; }; settings = mkOption { type = types.attrs; + description = "Settings"; }; }; }; diff --git a/modules/postfwd.nix b/modules/postfwd.nix index e10c04a7..3edff44d 100644 --- a/modules/postfwd.nix +++ b/modules/postfwd.nix @@ -12,6 +12,7 @@ in { rules = mkOption { type = lines; default = ""; + description = "Rules"; }; }; }; 
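Review bot: `repo` is declared `types.nullOr (types.strMatching "^[0-9]+$")` but gets no `default`, so the module system treats it as mandatory while still accepting null — either add `default = null;` and say in the description what null selects, or drop the `nullOr`. The one-word descriptions (`"Type"`, `"User"`, `"Group"`) do not help a reader; e.g. `description = "Backup type to run: full, incr (incremental) or diff (differential)";` and `description = "Unix user the backup unit runs as";`. The unit that consumes `user`/`group` is outside the diff, so confirm that wording before adopting it.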
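Review bot: `settings` is typed `types.attrs`, which neither merges across module definitions nor validates anything, so two modules setting different keys would clobber each other; declaring it as `(pkgs.formats.yaml {}).type` (or at least `types.attrsOf types.anything`) fixes the merge semantics and documents the expected shape. The description `"Settings"` should also say what is being configured, e.g. `description = "Contents of the mta-sts-daemon configuration file passed to postfix-mta-sts-resolver";`. How `settings` is serialised is not visible in this hunk, so confirm the daemon's config format before switching the type.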
diff --git a/modules/prometheus-lvm-exporter.nix b/modules/prometheus-lvm-exporter.nix index 7ef082c3..ad46f835 100644 --- a/modules/prometheus-lvm-exporter.nix +++ b/modules/prometheus-lvm-exporter.nix @@ -21,7 +21,7 @@ in { openFirewall = mkOption { type = types.bool; default = false; - description = lib.mdDoc '' + description = '' Open port in firewall for incoming connections. ''; }; @@ -31,7 +31,7 @@ in { example = literalExpression '' "-i eth0 -p tcp -m tcp --dport ${toString cfg.port}" ''; - description = lib.mdDoc '' + description = '' Specify a filter for iptables to use when {option}`services.prometheus.exporters.lvm.openFirewall` is true. It is used as `ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept`. diff --git a/modules/yggdrasil/default.nix b/modules/yggdrasil/default.nix deleted file mode 100644 index f4100e73..00000000 --- a/modules/yggdrasil/default.nix +++ /dev/null 
@@ -1,50 +0,0 @@ -{ config, lib, customUtils, ... }: -let - cfg = config.services.tinc.yggdrasil; -in { - options = { - services.tinc.yggdrasil = lib.mkOption { - default = {}; - type = lib.types.submodule { - options = { - enable = lib.mkEnableOption "Yggdrasil tinc network"; - - connect = lib.mkOption { - default = true; - type = lib.types.bool; - description = '' - Connect to central server - ''; - }; - }; - }; - }; - }; - - config = lib.mkIf cfg.enable { - services.tinc.networks.yggdrasil = { - name = config.networking.hostName; - hostSettings = customUtils.nixImport { dir = ./hosts; }; - debugLevel = 2; - interfaceType = "tap"; - settings = { - Mode = "switch"; - PingTimeout = 30; - ConnectTo = lib.mkIf cfg.connect "ymir"; - }; - }; - - sops.secrets = { - tinc-yggdrasil-rsa = { - key = "rsa"; - path = "/etc/tinc/yggdrasil/rsa_key.priv"; - sopsFile = ./hosts + "/${config.services.tinc.networks.yggdrasil.name}/private-keys.yaml"; - }; - tinc-yggdrasil-ed25519 = { - key = "ed25519"; - path = "/etc/tinc/yggdrasil/rsa_key.priv"; - sopsFile = ./hosts + "/${config.services.tinc.networks.yggdrasil.name}/private-keys.yaml"; - }; - }; - }; -} diff --git a/modules/yggdrasil/hosts/sif/default.nix b/modules/yggdrasil/hosts/sif/default.nix deleted file mode 100644 index 32b844de..00000000 --- a/modules/yggdrasil/hosts/sif/default.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ - settings.Ed25519PublicKey = "qJqty+wiTNcYaHQCvQNiMqXYz30C9M3+LI/qjmU/9hK"; - rsaPublicKey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEA0ACaacg9EN0hBQct8ZwQ/i6EsXKP4DIwKwabM2rp8azValTHU2uI - WW6JRY+Eii6zRx9B5kJ96C4rJJeAGV6lZPAogaC2LbM7lcsZ7oRDWZGaQKcZFNGi - laEcDg2dRuDx1W4at0rb03SDLNPt8sXSV6BcK9n/7m7+s9cwM/+PB8FHDMnWvwbC - usbP23020s+CVr/PU1z/7J0y3Eat+Acut6x5X8DNewpqV96wQpqdAggbhtYERMFH - +i0sa1WUDQtJ6HGChbENRTMlsPJ6lnzXY+J0pzatzzvetLsOljES9uJ8dtk6qBC7 - KRZo5lvdUwR6j9XiHMQeRerUt23b9ATFXQIDAQAB - -----END RSA PUBLIC KEY----- - ''; -} 
diff --git a/modules/yggdrasil/hosts/sif/private-keys.yaml b/modules/yggdrasil/hosts/sif/private-keys.yaml deleted file mode 100644 index 0c4274d1..00000000 --- a/modules/yggdrasil/hosts/sif/private-keys.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -ed25519: ENC[AES256_GCM,data:1CqB4y6CIm5JUsznpXPqqLJqCKmmoAJOZQTWb7+Jbn0oZMX27qSMK4CchHF7Bmo24EK8rk5EyW5aQLnoxp/2NA62p8SXdaoI8Qgz3EgsQ5QrlJrt1jvERpNs4vttT9V6+aK3Yojr9IuQSvJ4jyKSLrzrTnLzF9pXlaOf1Ru5SxySRWtVzynzurRpdUVS6goE+lb+Irg6x2geV719iQ9bu1C2smeQDREdS+dlfoxp02/pU6kTFA7KAm5vA91HKEfMqfSEzuBgUB0=,iv:n6Yh0zZ9AbT+83P42QNO2rCCISJV5nbO9wYcwaRYD2E=,tag:dJpXV9ZzLSO1B+LsyV3vAg==,type:str] -rsa: ENC[AES256_GCM,data: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,iv:ZUAqvOpcVCXQD2PFzUh0e2m20t6gVT3mYb7S50iV/m8=,tag:AssxMqjVUEwQ4R6Y7eG9Tg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiTjludkxXUm5OREx4Zndk - czI0VmMxUE5kOHVKQ1lTL1RvQXlIQ3FhWFRVCmVXbmFqNTBDNy94RDJtakQra0lh - a2JrZlBxWFNVVFh6WFU3bjBwaFVIa1kKLS0tIFNObGZvVmpuQlU4SFBjZk45dlJM - d3VHVVZsVGlBd2craGNVbHdoeUpyVFEK/Tj9QVqAOWmAJv/PESvIOnnIbZkKof6E - HHaEYANQTp5kLyWaz4rfJiiQOP2bL5hDr1XV61mf6y9W8m9w4IynHg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1fj65apkhfkrwyv5tx6zcs9nkjg8267fy733qph30sc7zfn7vapjqkd5kne - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6L2lSdUUvSE1iUTEvdkxm - Nm4vV3MySWlTdldMZEw2dEhtSlZCb0wvL0VBCnJxY2dNUlJhcktQNVVOdHhPemJF - ZUJ3NUR0ZTRZdFkwMmExR2gwOHFlMTQKLS0tIHhLbkZQalBuNm5mRHBVQ1NNbGM4 - YUNsNE8vbnk0RnpRbHB5azM2NmdmKzAKwUVFQHvBvGjc/mGI9lhkW86ovUVvUxok - O6QelapJHGP2gQ3aZBk8eFJJs7Ve+q1yiQUbO34BFFdIfRyiObmbKw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2021-01-02T14:46:16Z" - mac: ENC[AES256_GCM,data:Phng7z7UlE6nO3FFIQPOHgKCqDm2uOGL57ryJbokjipSSdoWPinpz0zIJv9Z67b9uOf3CQoGtV4YwcudNkzDBKOyD8uA6RYwCKpbYcZIdiy8DLL46+VT/wq9toTkeDXM6jKupzzOARZhHT8DCOLqW7u8Q3S645cbTJmw0+LMIGk=,iv:y4KEh0+bKhtnSobKVdfaPuRsueNC1lcrEbUGfEAn+Bg=,tag:3Oi4e/hSgPVsoFQpnVQj+g==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.6.1 
diff --git a/modules/yggdrasil/hosts/ymir.nix b/modules/yggdrasil/hosts/ymir.nix deleted file mode 100644 index b77a9216..00000000 --- a/modules/yggdrasil/hosts/ymir.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ - addresses = [{ address = "ymir.yggdrasil.li"; }]; - settings.Ed25519PublicKey = "b/SobnMqByzHOQeO+iU7OZ1liD8a++knbi5ebNawnaC"; - rsaPublicKey = '' - -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEAuInSfQf5euFXEVkLLzf9TumQJ+3WRsxX4uKdOXBqrIC7yjSBP8j9 - ql5rNWPzgXxFF5ERmwW+E3cyzJLU9Htu7r3muqM6nhSZizhCskifPRFc3e5ssSke - XhHICHfe90+qvab/hWx/NjkW59bBYIzDuJfq+ijDFMVNgOxaiM2f3/2prUUhP7bN - r3wVI8KCkOaknc0SOOmOhLzfJaD5wosqLOjgaNhlro2eMgMjQlxbyW8dVVgjwseR - Cl/mpu7r1pSMhS66RFH68wDoC3X81f7Zs9ZGDLTD8KXWhx0qgUMUAH4n6YGY0RM6 - BZ3qR/3KFRU64QPVAERpb0JdsU9ggCVydHkjrWW23ptHOPAOO5+yQj7tSDCKTRy9 - dHMQnbtPrgAb6iMhO1XTxA8Hdta1sCHsewsQekarwsA1bmk3hTgi/k8vwoGDUWtk - jgiDEPuutfmH4C6qxq9s+6lRboNKH8wgkVGpHiaq7mmePFdhzFdrj4+fYAMZTbil - 2iygsJ+yFOjA7U+iT6QDK33/MLsrQg0Ue6RPiG1qnDyax7gBAjz52iWkiuSkUXk0 - E5ImdP4XMILgGcWk8iPq5iRS03edE0pCpxGX3ZZwFE5+CoXgO6wR1ToL1vZEEHMQ - SHJPufKjkavPKbejPps/mLaJQVw3W10PAJssB9nxW2aHX3n0ugGaIvMCAwEAAQ== - -----END RSA PUBLIC KEY----- - ''; -} -- cgit v1.2.3