run nixfmt

Joakim Repomaa
2025-03-01 13:23:01 +02:00
parent a93d4afbcf
commit 8dfc9b5a6d
51 changed files with 1611 additions and 778 deletions


@@ -1,19 +1,48 @@
{ lib, config, ... }:
let
services = {
ssh = { tcp = [ 22 ]; };
dhcp = { udp = [ 67 68 ]; };
dns = { udp = [ 53 853 ]; tcp = [ 53 853 ]; };
web = { tcp = [ 80 443 ]; };
ssh = {
tcp = [ 22 ];
};
dhcp = {
udp = [
67
68
];
};
dns = {
udp = [
53
853
];
tcp = [
53
853
];
};
web = {
tcp = [
80
443
];
};
};
rulesForServices = enabledServices:
rulesForServices =
enabledServices:
lib.foldr
(service: { allowedUDPPorts, allowedTCPPorts }: {
allowedUDPPorts = allowedUDPPorts ++ services.${service}.udp or [ ];
allowedTCPPorts = allowedTCPPorts ++ services.${service}.tcp or [ ];
})
{ allowedUDPPorts = [ ]; allowedTCPPorts = [ ]; }
(
service:
{ allowedUDPPorts, allowedTCPPorts }:
{
allowedUDPPorts = allowedUDPPorts ++ services.${service}.udp or [ ];
allowedTCPPorts = allowedTCPPorts ++ services.${service}.tcp or [ ];
}
)
{
allowedUDPPorts = [ ];
allowedTCPPorts = [ ];
}
enabledServices;
cfg = config.modules.firewall;


@@ -1,4 +1,10 @@
{ lib, inputs, config, pkgs, ... }:
{
lib,
inputs,
config,
pkgs,
...
}:
let
cfg = config.services.dnote;
fqdn = "${cfg.subdomain}.${config.networking.domain}";
@@ -40,10 +46,8 @@ let
WebURL = "https://${fqdn}";
};
serializeEnvVar = value:
if (lib.isBool value)
then if value then "true" else "false"
else toString value;
serializeEnvVar =
value: if (lib.isBool value) then if value then "true" else "false" else toString value;
in
{
options.services.dnote = {
@@ -81,7 +85,9 @@ in
systemd.services.dnote = {
enable = true;
description = "Dnote server";
environment = lib.mapAttrs (_: value: serializeEnvVar value) (cfg.environment // immutableEnvironment);
environment = lib.mapAttrs (_: value: serializeEnvVar value) (
cfg.environment // immutableEnvironment
);
after = [ "postgresql.service" ];
requires = [ "postgresql.service" ];
serviceConfig = {
@@ -113,10 +119,12 @@ in
postgresql = {
enable = lib.mkDefault true;
ensureDatabases = [ cfg.environment.DBName ];
ensureUsers = [{
name = cfg.user;
ensureDBOwnership = true;
}];
ensureUsers = [
{
name = cfg.user;
ensureDBOwnership = true;
}
];
};
webserver = {


@@ -1,4 +1,9 @@
{ lib, pkgs, config, ... }:
{
lib,
pkgs,
config,
...
}:
let
types = {
jwtSettings = {
@@ -206,7 +211,7 @@ in
services.webserver = {
enable = lib.mkDefault true;
vHosts.${fqdn}.locations."/" .proxyPort = cfg.settings.server.port;
vHosts.${fqdn}.locations."/".proxyPort = cfg.settings.server.port;
};
};
}


@@ -38,11 +38,12 @@ in
value.extraConfig = ''
rewrite ^.*$ https://${fqdn}/.well-known/${path} permanent;
'';
}) [
"host-meta"
"webfinger"
"nodeinfo"
]
})
[
"host-meta"
"webfinger"
"nodeinfo"
]
);
"${fqdn}".locations."/".proxyPort = port;


@@ -50,10 +50,12 @@ in
postgresql = {
enable = lib.mkDefault true;
ensureDatabases = [ "grafana" ];
ensureUsers = [{
name = "grafana";
ensureDBOwnership = true;
}];
ensureUsers = [
{
name = "grafana";
ensureDBOwnership = true;
}
];
};
};
};


@@ -1,4 +1,9 @@
{ lib, config, inputs, ... }:
{
lib,
config,
inputs,
...
}:
let
cfg = config.services.gtrackmap;
fqdn = "${cfg.subdomain}.${config.networking.domain}";


@@ -1,4 +1,9 @@
{ lib, config, inputs, ... }:
{
lib,
config,
inputs,
...
}:
let
cfg = config.services.hastebin;
secrets = config.age.secrets;


@@ -25,10 +25,12 @@ in
postgresql = {
enable = lib.mkDefault true;
ensureDatabases = [ "mealie" ];
ensureUsers = [{
name = "mealie";
ensureDBOwnership = true;
}];
ensureUsers = [
{
name = "mealie";
ensureDBOwnership = true;
}
];
};
};
};


@@ -1,4 +1,9 @@
{ pkgs, lib, config, ... }:
{
pkgs,
lib,
config,
...
}:
let
cfg = config.services.octodns;
secrets = config.age.secrets;
@@ -125,37 +130,46 @@ let
yamlFormat = pkgs.formats.yaml { };
zoneFile = yamlFormat.generate "octodns-zone"
(
lib.filterAttrs (_: records: (lib.length records) > 0)
(lib.mapAttrs
(_: types:
lib.filter
({ values ? [ ], value ? null, ... }: (lib.length values) > 0 || !(builtins.isNull value))
(lib.mapAttrsToList
(type: { ttl, ... }@options:
if (type == "CNAME")
then
let
inherit (options) target toRoot;
value = if toRoot then "${config.networking.domain}." else target;
in
{ inherit type ttl value; }
else
{ inherit type ttl; inherit (options) values; }
)
types
)
zoneFile = yamlFormat.generate "octodns-zone" (
lib.filterAttrs (_: records: (lib.length records) > 0) (
lib.mapAttrs (
_: types:
lib.filter
(
{
values ? [ ],
value ? null,
...
}:
(lib.length values) > 0 || !(builtins.isNull value)
)
cfg.records
)
);
(
lib.mapAttrsToList (
type:
{ ttl, ... }@options:
if (type == "CNAME") then
let
inherit (options) target toRoot;
value = if toRoot then "${config.networking.domain}." else target;
in
{
inherit type ttl value;
}
else
{
inherit type ttl;
inherit (options) values;
}
) types
)
) cfg.records
)
);
zonesDir = pkgs.linkFarm "octodns-zones" {
"${config.networking.domain}.yaml" = zoneFile;
};
configFile = yamlFormat.generate "octodns-config.yaml" {
providers = {
config = {


@@ -1,4 +1,10 @@
{ lib, inputs, config, pkgs, ... }:
{
lib,
inputs,
config,
pkgs,
...
}:
let
cfg = config.services.readeck;
secrets = config.age.secrets;
@@ -40,10 +46,12 @@ in
postgresql = {
enable = lib.mkDefault true;
ensureDatabases = [ "readeck" ];
ensureUsers = [{
name = "readeck";
ensureDBOwnership = true;
}];
ensureUsers = [
{
name = "readeck";
ensureDBOwnership = true;
}
];
};
};
};


@@ -36,10 +36,12 @@ in
postgresql = {
enable = lib.mkDefault true;
ensureDatabases = [ "vaultwarden" ];
ensureUsers = [{
name = "vaultwarden";
ensureDBOwnership = true;
}];
ensureUsers = [
{
name = "vaultwarden";
ensureDBOwnership = true;
}
];
};
};
};


@@ -69,8 +69,10 @@ in
virtualHosts = tailscaleAuthVhosts;
};
virtualHosts = lib.mapAttrs
(_: { proxyBuffering, locations, ... }: {
virtualHosts = lib.mapAttrs (
_:
{ proxyBuffering, locations, ... }:
{
forceSSL = true;
enableACME = true;
http2 = true;
@@ -79,26 +81,33 @@ in
(lib.optionalString (!proxyBuffering) "proxy_buffering off;")
"charset utf-8;"
];
locations = lib.mapAttrs
(_: { proxyPort, extraConfig }: lib.mergeAttrsList [
locations = lib.mapAttrs (
_:
{ proxyPort, extraConfig }:
lib.mergeAttrsList [
{ inherit extraConfig; }
(if (lib.isInt proxyPort) then {
proxyWebsockets = true;
proxyPass = "http://localhost:${toString proxyPort}";
} else { })
])
locations;
})
cfg.vHosts;
(
if (lib.isInt proxyPort) then
{
proxyWebsockets = true;
proxyPass = "http://localhost:${toString proxyPort}";
}
else
{ }
)
]
) locations;
}
) cfg.vHosts;
};
octodns.records = lib.filterAttrs (name: _: name != config.networking.domain) (
lib.mapAttrs'
(fqdn: _: {
name = lib.removeSuffix ".${config.networking.domain}" fqdn;
value = { CNAME.toRoot = true; };
})
cfg.vHosts
lib.mapAttrs' (fqdn: _: {
name = lib.removeSuffix ".${config.networking.domain}" fqdn;
value = {
CNAME.toRoot = true;
};
}) cfg.vHosts
);
};


@@ -1,4 +1,10 @@
{ pkgs, inputs, config, lib, ... }:
{
pkgs,
inputs,
config,
lib,
...
}:
let
cfg = config.services.workout-sync;
fqdn = "${cfg.subdomain}.${config.networking.domain}";


@@ -1,4 +1,10 @@
{ pkgs, config, lib, inputs, ... }:
{
pkgs,
config,
lib,
inputs,
...
}:
let
cfg = config.services.workout-tracker;
fqdn = "${cfg.subdomain}.${config.networking.domain}";


@@ -1,4 +1,9 @@
{ lib, config, pkgs, ... }:
{
lib,
config,
pkgs,
...
}:
let
types = {
mount = lib.types.submodule {
@@ -25,17 +30,17 @@ let
cfg = config.modules.storageBoxMounts;
secrets = config.age.secrets;
mountOptions = { uid, gid, ... }: [
"x-systemd.automount"
"auto"
"x-systemd.device-timeout=5s"
"x-systemd.mount-timeout=5s"
"credentials=${secrets.storage-box-credentials.path}"
] ++ (
if (uid != null) then [ "uid=${toString uid}" ] else [ ]
) ++ (
if (gid != null) then [ "gid=${toString gid}" ] else [ ]
);
mountOptions =
{ uid, gid, ... }:
[
"x-systemd.automount"
"auto"
"x-systemd.device-timeout=5s"
"x-systemd.mount-timeout=5s"
"credentials=${secrets.storage-box-credentials.path}"
]
++ (if (uid != null) then [ "uid=${toString uid}" ] else [ ])
++ (if (gid != null) then [ "gid=${toString gid}" ] else [ ]);
in
{
options.modules.storageBoxMounts = lib.mkOption {
@@ -44,13 +49,15 @@ in
};
config = {
fileSystems = lib.mapAttrs
(_: { path, user, ... }@options: {
fileSystems = lib.mapAttrs (
_:
{ path, user, ... }@options:
{
device = "//${user}.your-storagebox.de${path}";
fsType = "cifs";
options = mountOptions options;
})
cfg;
}
) cfg;
environment.systemPackages = lib.mkIf ((lib.length (lib.attrNames cfg)) > 0) [ pkgs.cifs-utils ];
};


@@ -50,20 +50,39 @@ let
};
cfg = config.modules.vlans;
vlans = lib.mapAttrsToList (attrName: { name ? attrName, ... }@vlan: ({ inherit name; } // vlan)) cfg.networks;
vlanAttrs = lib.listToAttrs (lib.map ({ name, ... }@value: { inherit name value; }) vlans);
vlans = lib.mapAttrsToList (
attrName:
{
name ? attrName,
...
}@vlan:
({ inherit name; } // vlan)
) cfg.networks;
vlanAttrs = lib.listToAttrs (
lib.map (
{ name, ... }@value:
{
inherit name value;
}
) vlans
);
buildNetdev = name: { id, ... }: {
name = "20-${name}";
value = {
netdevConfig = {
Name = name;
Kind = "vlan";
MACAddress = "00:0d:b9:49:d2:${toString id}";
buildNetdev =
name:
{ id, ... }:
{
name = "20-${name}";
value = {
netdevConfig = {
Name = name;
Kind = "vlan";
MACAddress = "00:0d:b9:49:d2:${toString id}";
};
vlanConfig = {
Id = id;
};
};
vlanConfig = { Id = id; };
};
};
buildStaticLease = macAddress: address: ''
[DHCPServerStaticLease]
@@ -71,27 +90,35 @@ let
Address=${address}
'';
buildNetwork = name: { id, ipv6, staticLeases, ... }: {
name = "30-${name}";
value = {
matchConfig = {
Name = name;
buildNetwork =
name:
{
id,
ipv6,
staticLeases,
...
}:
{
name = "30-${name}";
value = {
matchConfig = {
Name = name;
};
networkConfig = {
Address = "10.${toString id}.0.1/23";
IPMasquerade = "ipv4";
DHCPServer = true;
IPv6AcceptRA = false;
IPv6SendRA = ipv6;
DHCPPrefixDelegation = ipv6;
};
dhcpServerConfig = {
PoolOffset = 255;
DNS = "10.${toString id}.0.1";
};
extraConfig = lib.concatLines (lib.mapAttrsToList buildStaticLease staticLeases);
};
networkConfig = {
Address = "10.${toString id}.0.1/23";
IPMasquerade = "ipv4";
DHCPServer = true;
IPv6AcceptRA = false;
IPv6SendRA = ipv6;
DHCPPrefixDelegation = ipv6;
};
dhcpServerConfig = {
PoolOffset = 255;
DNS = "10.${toString id}.0.1";
};
extraConfig = lib.concatLines (lib.mapAttrsToList buildStaticLease staticLeases);
};
};
vlanIds = lib.mapAttrsToList (_: { id, ... }: id) vlanAttrs;
@@ -108,25 +135,39 @@ let
'';
bridgeNetDev =
if (cfg.bridge.enable) then {
"${cfg.bridge.netdev}".bridgeConfig = {
VLANFiltering = true;
DefaultPVID = cfg.bridge.pvid;
};
} else { };
if (cfg.bridge.enable) then
{
"${cfg.bridge.netdev}".bridgeConfig = {
VLANFiltering = true;
DefaultPVID = cfg.bridge.pvid;
};
}
else
{ };
bridgeBindNetwork =
if (cfg.bridge.enable) then {
${cfg.bridge.bindNetwork}.extraConfig = bridgeVLANConfig;
} else { };
if (cfg.bridge.enable) then
{
${cfg.bridge.bindNetwork}.extraConfig = bridgeVLANConfig;
}
else
{ };
bridgeNetwork =
if (cfg.bridge.enable) then {
"${cfg.bridge.network}" = {
vlan = lib.map ({ name, ... }: name) vlans;
bridgeVLANs = lib.map ({ id, ... }: { VLAN = id; }) vlans;
};
} else { };
if (cfg.bridge.enable) then
{
"${cfg.bridge.network}" = {
vlan = lib.map ({ name, ... }: name) vlans;
bridgeVLANs = lib.map (
{ id, ... }:
{
VLAN = id;
}
) vlans;
};
}
else
{ };
netdevs = lib.mergeAttrsList [
(lib.mapAttrs' buildNetdev vlanAttrs)