lynatic/flake
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

it finally worky now \o/

Browse source
This commit is contained in:
Lyn 2024-09-17 02:46:45 +02:00
parent 2746f3de5c
commit 51b7e7887d
23 changed files with 103 additions and 233 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
flake.nix
View file

@ -7,36 +7,37 @@
};
outputs = {self, nixpkgs, nixpkgs-unstable, sops-nix }@inputs: let
imports = [
./meta
];
passInputs = ({lib,config,...}:{
options.inputs = lib.mkOption{type = lib.types.attrs;};
options.flakePath = lib.mkOption {type = lib.types.path;};
config.flakePath = ./.;
options.inputs = lib.mkOption {type = lib.types.attrs;};
config.inputs = inputs;
options.pkgsInstances = lib.mkOption{type = lib.types.attrs;};
options.pkgsInstances = lib.mkOption {type = lib.types.attrs;};
config.pkgsInstances = {
unstable = import inputs.nixpkgs-unstable{system = config.nixpkgs.system;};
unstable = import inputs.nixpkgs-unstable {system = config.nixpkgs.system;};
};
});
inherit (nixpkgs) lib;
mkLocalMods = import ./meta/mkLocalMods.nix {inherit lib;};
in {
nixosConfigurations = {
"forgejo" = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
./meta
./hosts/forgenite
sops-nix.nixosModules.sops
passInputs
(mkLocalMods {prefix = ["lyn"]; dir = ./modules;})
];
};
"forgejo-ci" = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
./hosts/forgejo-ci
./meta
sops-nix.nixosModules.sops
passInputs
(mkLocalMods {prefix = ["lyn"]; dir = ./modules;})
];
};
};

12
hosts/forgejo-ci/default.nix
View file

@ -1,18 +1,20 @@
{ config, pkgs, lib, inputs, ... }: with config.lyn.lib; {
imports =
[
./../../services/forgejo-ci.nix
./hardware-configuration.nix
./../../users/lyn
./../../meta/profiles/base.nix
./../../meta/profiles/vm.nix
];
lyn.sops.secrets."hosts/forgejo-ci/forgejo_ci_token" = {};
#lyn.kernel = enable ["latest" "hardened"];
lyn.kernel.latest.enable = true;
lyn.profiles.base.enable = true;
lyn.profiles.vm.enable = true;
lyn.services.forgejo-ci.enable = true;
lyn.services.forgejo-ci.domain = "git.shibe.pro";
lyn.services.forgejo-ci.instancename = "shibepro-ci";
# Use UEFI
boot.loader.systemd-boot.enable = true;
networking.hostName = "forgenite"; # Define your hostname.
networking.hostName = "forgejo-ci"; # Define your hostname.
# Firewall stuff:
networking.firewall.enable = true;

5
hosts/forgenite/default.nix
View file

@ -1,7 +1,6 @@
{ config, pkgs, lib, inputs, ... }: {
imports =
[
./../../services/forgejo.nix
./../../users/lyn
./hardware-configuration.nix
./../../meta/profiles/base.nix
@ -10,7 +9,9 @@
lyn.sops.secrets."hosts/forgenite/forgejo_db_password".owner = "forgejo";
# Use UEFI
boot.loader.systemd-boot.enable = true;
# enable git
lyn.services.forgejo.enable = true;
lyn.services.forgejo.domain = "git.shibe.pro";
networking.hostName = "forgenite"; # Define your hostname.
# Firewall stuff:

3
kernel/latest.nix
View file

@ -1,3 +0,0 @@
{lib, config, pkgs, ...}: config.lyn.lib.mkLocalModule ./latest.nix "latest linux kernel" {
boot.kernelPackages = pkgs.linuxPackages_latest;
}

5
meta/default.nix
View file

@ -1,8 +1,7 @@
{
imports = [
./mkLocalModule.nix
./enable.nix
./lib.nix
./mkLocalMods.nix
# ./enable.nix
];
}

16
meta/lib.nix
View file

@ -1,16 +0,0 @@
{lib, config, ...}: {
options.lyn = {
lib = lib.mkOption {
type = lib.types.attrs;
default = {};
};
prelude = lib.mkOption {
type = lib.types.attrs;
default = {};
};
};
config = {
lyn.prelude.llib = config.lyn.lib;
};
}

53
meta/mkLocalMods.nix Normal file
View file

@ -0,0 +1,53 @@
{lib, ...}:
let
mapAttrKVs = mapFn: attrs: builtins.foldl' (acc: cur: acc // {${cur.key} = cur.value;}) {} (builtins.attrValues (builtins.mapAttrs mapFn attrs));
#kv = key: value: {inherit key value;};
recurseNaive = curPath: fn: mapAttrKVs (k: v: let
match = builtins.match "(.*)[.]nix" k;
in if v == "regular" && match != null then {key = builtins.elemAt match 0; value = fn (curPath + ("/" + k));}
else if v == "directory" then {key = k; value = recurseNaive (curPath + ("/" + k)) fn;}
else {key = null; value = null;}
) (builtins.readDir curPath);
getAttrKVsRec = prefix: as: lib.flatten (lib.mapAttrsToList (k: v:
if lib.isAttrs v then getAttrKVsRec (prefix ++ [k]) v
else [{path = prefix ++ [k]; value = v;}]
) as);
getPathKVsRec = prefix: dir: getAttrKVsRec prefix (lib.packagesFromDirectoryRecursive { callPackage = path: x: path; directory = dir; });
unifyMod = (import ./modules-extracted.nix {lib = lib;}).unifyModuleSyntax;
transformLocalMod = {path, value}: let
modFn = if lib.isFunction (import value) then import value else (p: import value);
newMod = p: let
paramNew = p // {
cfg = lib.getAttrFromPath path p.config;
};
pathStr = builtins.concatStringsSep "." path;
modRaw = modFn paramNew;
modUni = unifyMod pathStr pathStr (builtins.removeAttrs modRaw ["opt" "mod"]);
mod = modRaw.mod or {};
fileCtx = str: "${modUni._file} (mkLocalMods ${str})";
enablePath = path ++ ["enable"];
imports = [ {
_file = fileCtx "`opt` processor";
key = fileCtx "`opt` processor";
options = lib.setAttrByPath path (modRaw.opt or {});
} {
_file = fileCtx "`enable` definition";
key = fileCtx "`enable` definition";
options = lib.setAttrByPath enablePath (lib.mkEnableOption (mod.desc or mod.description or mod.name or pathStr));
} ({config, ...}: {
_file = fileCtx "config wrapper";
key = fileCtx "config wrapper";
config = lib.mkIf (lib.getAttrFromPath enablePath config) modUni.config;
})];
newMod = modUni // { imports = modUni.imports ++ imports; config = {}; };
in newMod; in lib.mirrorFunctionArgs modFn newMod;
mkLocalMods = {prefix ? [], dir}: { _file = "mkLocalMods collector"; imports = builtins.map transformLocalMod (getPathKVsRec prefix dir); };
in mkLocalMods

71
meta/mkLocalModule.nix
View file

@ -1,71 +0,0 @@
{lib, ...}: { config.lyn.lib = rec {
/**
Split a string, and return all elements after a marker.
# Example
```
splitAfterMarker "/" "modules" /home/user/flake/modules/abc/def
== ["abc" "def"]
```
*/
splitAfterMarker = splitter: marker: input: builtins.foldl' (acc: new:
if acc == false then # marker not found yet
if new == marker then [] /* marker found */ else false
else acc ++ [new] # marker already found, add to output list
) false (lib.splitString splitter input);
/**
Make a Nix module, with its attrpath being the local path
relative to a marker directory. Accepts a prefix, and removes `.nix` file endings.
# Example
```
mkLocalModuleMarker "modules" ["myModules" "abc"] ./current-file.nix "enable something" {}
{ myModules.abc.current.file.path.current-file.enable = true; }
```
*/
mkLocalModuleMarker = marker: prefix: currentPath: optDesc: moduleConfig: let
normalizedPath = lib.strings.removeSuffix ".nix" (builtins.toString currentPath);
attrPath = prefix ++ (splitAfterMarker "/" marker normalizedPath);
mod = {config, ...}: {
options = lib.setAttrsByPath attrPath (lib.mkEnableOption optDesc);
config = lib.mkIf (lib.getAttrByPath attrPath config) moduleConfig;
};
in mod;
/**
Find a folder or a parent folder containing a file.
# Example
```
findFolderWithFile "flake.nix" ./.
== /home/user/flake/
```
*/
findFolderWithFile = file: arg:
if builtins.pathExists (arg + "/" + file) then arg
else if arg == /. then throw "could not find folder containing ${file}"
else findFolderWithFile file (arg + "/..");
/**
Shorthand for mkLocalModuleMarker, setting marker to your flake and prefix to l.
*/
mkLocalModule = path: mkLocalModuleMarker (findFolderWithFile "flake.nix" path) ["lyn"] path;
};}
# foldl' op nul [x0 x1 x2 ...] = op (op (op nul x0) x1) x2) .... For example, foldl' (x: y: x + y) 0 [1 2 3]
# input = /home/alina/flake/desktop/common
# options.desktop.common
# input' = /nix/store/aaa-flake/desktop/common
# foldl' (split "/" input)
# marker = flake
# foldl' ([home alina flake modules audio.nix ])
# acc = false false [] [modules] [modules audio.nix]
# | ^ marker found
# | marker not found yet
# $ echo "abc\ndef" > readme
# readPathsFromFile "readme" == [./abc ./def]

0
modules-extracted.nix → meta/modules-extracted.nix
View file

20
kernel/hardened.nix → modules/kernel/hardened.nix
View file

@ -1,14 +1,14 @@
{lib, pkgs, config, ...}: let
ifApparmor = config.l.kernel.lsm.apparmor.enable;
in config.l.lib.mkLocalModule ./hardened.nix "custom hardened linux kernel" {
ifApparmor = config.lyn.kernel.hardened.apparmor.enable;
in{
boot.kernelPackages = let
kernel = pkgs.linux-libre;
llvm = pkgs.llvmPackages_latest;
version = pkgs.kernelPatches.hardened${kernel.meta.branch}.version;
version = pkgs.kernelPatches."hardened${kernel.meta.branch}".version;
major = lib.versions.major version;
sha256 = pkgs.kernelPatches.hardened.${kernel.meta.branch}.sha256;
sha256 = pkgs.kernelPatches.hardened."${kernel.meta.branch}:".sha256;
modDirVer = lib.replaceStrings
[ kernel.version ]
[ version ]
@ -17,10 +17,10 @@ in config.l.lib.mkLocalModule ./hardened.nix "custom hardened linux kernel" {
stdenv = llvm.stdenv;
extraMakeFlags = [ "LLVM=${llvm.bintools-unwrapped}/bin/" ];
kernelPatches = kernel.kernelPatches
++ [ pkgs.kernelPatches.hardened.${kernel.meta.branch} ];
++ [ pkgs.kernelPatches.hardened."${kernel.meta.branch}" ];
modDirVersionArg =
modDirVer +
(pkgs.kernelPatches.hardened.${kernel.meta.branch}).extra;
(pkgs.kernelPatches.hardened."${kernel.meta.branch}").extra;
isHardened = true;
argsOverride = {
inherit version;
@ -93,7 +93,6 @@ in config.l.lib.mkLocalModule ./hardened.nix "custom hardened linux kernel" {
# randomize allocator freelists, harden metadata
SLAB_FREELIST_RANDOM = yes;
SLAB_FREELIST_HARDENED = yes;
SHUFFLE_PAGE_ALLOCATOR = yes;
RANDOM_KMALLOC_CACHES = yes;
# sanity check userspace page table mappings
@ -189,7 +188,7 @@ in config.l.lib.mkLocalModule ./hardened.nix "custom hardened linux kernel" {
SECURITY_SAFESETID = yes;
DEFAULT_SECURITY_APPARMOR = lib.mkIf ifApparmor yes;
DEFAULT_SECURITY = lib.mkIf ifApparmor (freeform "apparmor");
SECURITY_APPARMOR_BOOTPARAM_VALUE = lib.mkIf ifApparmor (freeform "1";)
SECURITY_APPARMOR_BOOTPARAM_VALUE = lib.mkIf ifApparmor (freeform "1");
# mark LSM hooks read-only after init
SECURITY_WRITABLE_HOOKS = no;
@ -230,7 +229,7 @@ in config.l.lib.mkLocalModule ./hardened.nix "custom hardened linux kernel" {
# disable IO delay
IO_DELAY_NONE = yes;
};
}))
}));
boot.kernelParams = [
# set apparmor as the default security module
(lib.mkIf ifApparmor "security=apparmor")
@ -278,9 +277,6 @@ in config.l.lib.mkLocalModule ./hardened.nix "custom hardened linux kernel" {
# restrict ptrace()
"kernel.yama.ptrace_scope" = 1;
# hide kernel memory addresses
"kernel.kptr_restrict" = 2;
# enable hardened eBPF JIT
"net.core.bpf_jit_enable" = 1;
"net.core.bpf_jit_harden" = 1;

3
modules/kernel/latest.nix Normal file
View file

@ -0,0 +1,3 @@
{lib, config, pkgs, ...}: {
boot.kernelPackages = pkgs.linuxPackages_latest;
}

0
packages/archivetools.nix → modules/packages/archivetools.nix
View file

0
packages/crypto.nix → modules/packages/crypto.nix
View file

0
packages/network.nix → modules/packages/network.nix
View file

0
packages/security.nix → modules/packages/security.nix
View file

9
meta/profiles/base.nix → modules/profiles/base.nix
View file

@ -1,11 +1,9 @@
{lib, config, pkgs, ...}: {
imports = [
../modules/sops
];
lyn.sops.default.enable = true;
nix.settings.experimental-features = [ "nix-command" "flakes" ];
nixpkgs.config.allowUnfree = true;
nix.package = config.pkgsInstances.unstable.lix;
environment.variables.EDITOR = "vim";
environment.variables.EDITOR = "nvim";
time.timeZone = "Europe/Berlin";
@ -23,7 +21,8 @@
environment.systemPackages = with pkgs; [
git
vim
vim
neovim
wget
curl
htop

0
meta/profiles/vm.nix → modules/profiles/vm.nix
View file

10
services/forgejo-ci.nix → modules/services/forgejo-ci.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, lib, inputs, ... }:
{ config, pkgs, lib, inputs, cfg, ... }:
{
environment.systemPackages = with pkgs; [
docker
@ -12,14 +12,16 @@
ipv6 = true;
};
};
opt.domain = lib.mkOption {type = lib.types.str;};
opt.instancename = lib.mkOption {type = lib.types.str;};
# Forgejo actions runner
services.gitea-actions-runner = {
package = config.pkgsInstances.unstable.forgejo-runner;
instances = {
"shibepro-ci" = {
"${cfg.instancename}" = {
enable = true;
url = "https://git.shibe.pro";
name = "shibepro-ci";
url = "https://${cfg.domain}";
name = cfg.instancename;
tokenFile = config.sops.secrets."hosts/forgejo-ci/forgejo_ci_token".path;
labels = [];
};

7
services/forgejo.nix → modules/services/forgejo.nix
View file

@ -1,11 +1,12 @@
{pkgs, lib, config, ...}:
{pkgs, lib, config, cfg, ...}:
with lib; with builtins; {
opt.domain = lib.mkOption {type = lib.types.string;};
services.forgejo = {
enable = true;
package = config.pkgsInstances.unstable.forgejo;
settings.server = {
ROOT_URL = "https://git.shibe.pro";
DOMAIN = "git.shibe.pro";
ROOT_URL = "https://${cfg.domain}";
DOMAIN = cfg.domain;
HTTP_PORT = 48540;
OFFLINE_MODE = true; # disable gravatar, CDN
};

2
meta/modules/sops/default.nix → modules/sops/default.nix
View file

@ -16,7 +16,7 @@ in
name_split = lib.splitString "/" name;
in
{
sopsFile = ../../../secrets/${builtins.elemAt name_split 0}/${builtins.elemAt name_split 1}.yaml;
sopsFile = config.flakePath + /secrets/${builtins.elemAt name_split 0}/${builtins.elemAt name_split 1}.yaml;
} // value)
cfg.secrets;
};

6
modules/test/example.nix
View file

@ -1,6 +0,0 @@
{config, cfg, lib, ...}: {
#mod.desc = "an example";
options.networking.hostName = lib.mkOption { default = "nixos"; };
opt.name = lib.mkOption { default = "foo"; };
config.networking.hostName = cfg.name;
}

6
secrets/hosts/forgejo-ci.yaml
View file

@ -1,6 +1,6 @@
hosts:
forgejo-ci:
forgejo_ci_token: ENC[AES256_GCM,data:zZQPn/YxMKly1hcT2m3cGoIILh4wG7GiCXwiKRwNLrrPfwJlfAUn9g==,iv:xKVR09JhCIM5plxifcHeAEcsp1UyuXaqXaQCqIPywtU=,tag:zF032vUnTr8Mj79ZLCWcfg==,type:str]
forgejo_ci_token: ENC[AES256_GCM,data:mUGfczGcttcKQ8kXmESnRjpOxF1WNHZn7PSuek5dsbuZyaErCqQxtIUjvV90sQ==,iv:CjTrx56WChzFq5PSGj23dirl6iWF6Nqx93yCLHJQPRo=,tag:FrkOjdAiTq0kAYaUAQKfBQ==,type:str]
sops:
kms: []
gcp_kms: []
@ -25,8 +25,8 @@ sops:
SVdvMjEyVi81Nnh1UndKMGdXRkIwQjgK+uRsg09wkhyYMW/31mCrRK1AE/Zrvcy8
Vc7oHU0jscuhBNl/nMRsdquUgIZ67wAf6xJHjAXkUmQ2zi3PVXELvw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-06T03:55:48Z"
mac: ENC[AES256_GCM,data:H9RZy7w/quqfjMedaQe1NHAasC0FspxcXPyAXoy5uZaAoevNdXQNIe5yqBW+BRrw/5uIKKtLuS7YS5B3evpor2WRV0EeoPmy4dI/oFYZWg2kNzLVTumxQp4Q1vOOcrBrMUmm7OeoItr85p42Cx/08I9TnwRieGMnG5Mn0J6o+Zo=,iv:XbWd6j2LhhOld7NXN2m58f1cUJpLcdb3Ywf0bNkQYdA=,tag:T5gTjfRCCLfGFtIzXE7OfA==,type:str]
lastmodified: "2024-09-17T00:30:12Z"
mac: ENC[AES256_GCM,data:bppWgKwMHPDHwHdegjcseFJefUZ2bThMWvk9s8l3IG/jRJaP5bTtdJppKeC0EGE0W1FjQtFP+aYscZRLsFYdpVqJMvo5XJp5VcW+vE1IZ09Qs5GCMpHHDEmuU5tx6h8fTIk5KLskGfxbtBvSABS+QZgF6QRa6FRq2DxVaf07P2I=,iv:NVrqJZOfpTwkTlmycR1Zg0XdHJwRkDaiR5uud7IML3g=,tag:I++gzcdhJR2eiIMJHUZ9Ag==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0

91
test.nix
View file

@ -1,91 +0,0 @@
let
flake = builtins.getFlake "/home/lyn/flake";
pkgs = import flake.inputs.nixpkgs {};
lib = pkgs.lib;
mapAttrKVs = mapFn: attrs: builtins.foldl' (acc: cur: acc // {${cur.key} = cur.value;}) {} (builtins.attrValues (builtins.mapAttrs mapFn attrs));
#kv = key: value: {inherit key value;};
recurseNaive = curPath: fn: mapAttrKVs (k: v: let
match = builtins.match "(.*)[.]nix" k;
in if v == "regular" && match != null then {key = builtins.elemAt match 0; value = fn (curPath + ("/" + k));}
else if v == "directory" then {key = k; value = recurseNaive (curPath + ("/" + k)) fn;}
else {key = null; value = null;}
) (builtins.readDir curPath);
getAttrKVsRec = prefix: as: pkgs.lib.flatten (pkgs.lib.mapAttrsToList (k: v:
if pkgs.lib.isAttrs v then getAttrKVsRec (prefix ++ [k]) v
else [{path = prefix ++ [k]; value = v;}]
) as);
getPathKVsRec = prefix: dir: getAttrKVsRec prefix (lib.packagesFromDirectoryRecursive { callPackage = path: x: path; directory = dir; });
unifyMod = (import ./modules-extracted.nix {lib = lib;}).unifyModuleSyntax;
transformLocalMod = {path, value}: p: let
param = p // {
cfg = lib.getAttrFromPath path p.config;
};
pathStr = builtins.concatStringsSep "." path;
modFn = p: let i = import value; in if lib.isFunction i then i p else i;
modUni = unifyMod pathStr pathStr (builtins.removeAttrs modRaw ["opt" "mod"]);
meta = modRaw.mod or {};
fileCtx = str: "${modUni._file} (mkLocalMods ${str})";
enablePath = path ++ ["enable"];
merge = cur: upd:
runExts = exts: let
nul = x: rec {
# First pass
args = p; # Args to call the module with. This immediately changes the params of `raw`, `mod` etc. through Nix magic
deletedKeys = ["opt" "mod"]; # Keys to delete before calling unifyModuleSyntax
# Second pass
imports = {}; # Put any modules to import as *attributes* here (for other extensions to modify them)
raw = modFn x.args; # The raw module result, called with `args`
mod = unifyMod pathStr pathStr (builtins.removeAttrs raw x.deletedKeys); # The unified module, e.g. the result of `unifyModuleSyntax .. .. raw`, and has the default module attrs
meta = raw.mod or {}; # Equivalent to raw.mod, contains metadata of the module
};
firstPass = builtins.foldl' (acc: ext:
builtins.foldl' (acc: ext: let
acc' = acc // (let acc2 = (ext acc) // acc; in rec {
raw = modFn acc2.args;
mod = unifyMod pathStr pathStr (builtins.removeAttrs raw acc2.deletedKeys);
meta = raw.mod or {};
});
res = lib.recursiveUpdate acc' (ext acc');
in res) exts
addMod = c: ctx: newMod: { mod.imports = c.mod.imports ++ [ (newMod // {_file = fileCtx ctx;}) ]; };
defaultExtensions = [
(c: { imports.opt = {
name = "`opt` processor";
options = lib.setAttrByPath c.path raw.opt;
};})
(c: { imports.enable = {
name "`enable` definition";
opt.enable = lib.mkEnableOption (c.meta.desc or c.meta.description or c.meta.name or pathStr);
};})
(c: {
})
]
imports = [ {
_file = fileCtx "`opt` processor";
options = lib.setAttrByPath path modRaw.opt;
} {
_file = fileCtx "`enable` definition";
options = lib.setAttrByPath enablePath (lib.mkEnableOption (mod.desc or mod.description or mod.name or pathStr));
} ({config, ...}: {
_file = fileCtx "config wrapper";
config = lib.mkIf (lib.getAttrFromPath enablePath config) modUni.config;
}) ];
newMod = modUni // { imports = modUni.imports ++ imports; config = {}; };
in newMod;
mkLocalMods = {prefix ? [], dir}: { _file = "mkLocalMods collector"; imports = builtins.map transformLocalMod (getPathKVsRec prefix dir); };
in cfg: (pkgs.lib.evalModules { modules = [ (mkLocalMods {prefix = ["lyn"]; dir = ./modules;}) cfg ]; })