From 9dc962a98c0a55a1131069d3e70292ad4642c057 Mon Sep 17 00:00:00 2001 From: Lyn Date: Tue, 29 Oct 2024 08:55:56 +0100 Subject: [PATCH] autoformatted files --- flake.nix | 65 +++++---- hosts/forgejo-ci/default.nix | 20 ++- hosts/forgenite/default.nix | 19 +-- hosts/supernova/default.nix | 56 ++++---- hosts/supernova/hardware-configuration.nix | 50 +++---- hosts/supernova/virtualization.nix | 5 +- hosts/wg-gateway/default.nix | 43 +++--- hosts/wg-gateway/hardware-configuration.nix | 50 +++---- meta/default.nix | 7 +- meta/mkLocalMods.nix | 145 +++++++++++++------- meta/modules-extracted.nix | 67 ++++----- modules/profiles/base.nix | 26 ++++ modules/profiles/hypervisor.nix | 10 +- modules/profiles/secureboot.nix | 9 +- modules/profiles/vm.nix | 9 +- modules/services/forgejo-ci.nix | 18 ++- modules/services/forgejo.nix | 25 ++-- modules/sops/default.nix | 26 ++-- modules/users/lyn/default.nix | 22 +-- modules/users/lyn/ssh.nix | 8 +- 20 files changed, 424 insertions(+), 256 deletions(-) diff --git a/flake.nix b/flake.nix index 142fa23..c50d7df 100644 --- a/flake.nix +++ b/flake.nix 
@@ -8,26 +8,43 @@ sops-nix.url = "github:Mic92/sops-nix"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; }; - outputs = {self, nixpkgs, nixpkgs-unstable, sops-nix, lanzaboote, microvm}@inputs: let - imports = { imports = [ - sops-nix.nixosModules.sops - passInputs mkLocalModsInput + outputs = { + self, + nixpkgs, + nixpkgs-unstable, + sops-nix, + lanzaboote, + microvm, + } @ inputs: let + imports = { + imports = [ + sops-nix.nixosModules.sops + passInputs + mkLocalModsInput lanzaboote.nixosModules.lanzaboote - inputs.microvm.nixosModules.host - ];}; - passInputs = ({lib,config,...}:{ - options.flakePath = lib.mkOption {type = lib.types.path;}; - config.flakePath = ./.; - options.inputs = lib.mkOption {type = lib.types.attrs;}; - config.inputs = inputs; - options.pkgsInstances = lib.mkOption {type = lib.types.attrs;}; - config.pkgsInstances = { - unstable = import inputs.nixpkgs-unstable {system = config.nixpkgs.system;}; + inputs.microvm.nixosModules.host + ]; + }; + passInputs = { + lib, + config, + ... + }: { + options.flakePath = lib.mkOption {type = lib.types.path;}; + config.flakePath = ./.; + options.inputs = lib.mkOption {type = lib.types.attrs;}; + config.inputs = inputs; + options.pkgsInstances = lib.mkOption {type = lib.types.attrs;}; + config.pkgsInstances = { + unstable = import inputs.nixpkgs-unstable {system = config.nixpkgs.system;}; + }; + }; + inherit (nixpkgs) lib; + mkLocalMods = import ./meta/mkLocalMods.nix {inherit lib;}; + mkLocalModsInput = mkLocalMods { + prefix = ["lyn"]; + dir = ./modules; }; - }); - inherit (nixpkgs) lib; - mkLocalMods = import ./meta/mkLocalMods.nix {inherit lib;}; - mkLocalModsInput = (mkLocalMods {prefix = ["lyn"]; dir = ./modules;}); in { nixosConfigurations = { "forgenite" = nixpkgs.lib.nixosSystem { 
@@ -35,28 +52,28 @@ modules = [ ./hosts/forgenite imports - ]; + ]; }; "forgejo-ci" = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; modules = [ ./hosts/forgejo-ci imports - ]; + ]; }; "supernova" = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; modules = [ ./hosts/supernova - imports - ]; + imports + ]; }; "wg-gateway" = nixpkgs.lib.nixosSystem { system = "aarch64-linux"; modules = [ ./hosts/wg-gateway - imports - ]; + imports + ]; }; }; }; diff --git a/hosts/forgejo-ci/default.nix b/hosts/forgejo-ci/default.nix index 25f046f..5978046 100644 --- a/hosts/forgejo-ci/default.nix +++ b/hosts/forgejo-ci/default.nix @@ -1,11 +1,17 @@ -{ config, pkgs, lib, inputs, ... }: with config.lyn.lib; { - imports = - [ - ./hardware-configuration.nix - ]; +{ + config, + pkgs, + lib, + inputs, + ... +}: +with config.lyn.lib; { + imports = [ + ./hardware-configuration.nix + ]; lyn.sops.secrets."hosts/forgejo-ci/forgejo_ci_token" = {}; lyn.users.lyn.enable = true; - lyn.kernel.latest.enable = true; + lyn.kernel.latest.enable = true; lyn.kernel.hardened.enable = true; lyn.profiles.base.enable = true; lyn.profiles.vm.enable = true; @@ -16,5 +22,5 @@ networking.hostName = "forgejo-ci"; # Define your hostname. - system.stateVersion = "23.05"; + system.stateVersion = "23.05"; } diff --git a/hosts/forgenite/default.nix b/hosts/forgenite/default.nix index 699cc53..27b0a01 100644 --- a/hosts/forgenite/default.nix +++ b/hosts/forgenite/default.nix @@ -1,12 +1,17 @@ -{ config, pkgs, lib, inputs, ... }: { - imports = - [ - ./hardware-configuration.nix - ]; +{ + config, + pkgs, + lib, + inputs, + ... +}: { + imports = [ + ./hardware-configuration.nix + ]; lyn.sops.secrets."hosts/forgenite/forgejo_db_password".owner = "forgejo"; lyn.users.lyn.enable = true; lyn.kernel.latest.enable = true; - lyn.kernel.hardened.enable =true; + lyn.kernel.hardened.enable = true; lyn.profiles.base.enable = true; lyn.profiles.vm.enable = true; 
@@ -24,6 +29,4 @@ # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). system.stateVersion = "24.05"; # Did you read the comment? - } - diff --git a/hosts/supernova/default.nix b/hosts/supernova/default.nix index b657295..ece818d 100644 --- a/hosts/supernova/default.nix +++ b/hosts/supernova/default.nix @@ -1,16 +1,22 @@ -{ config, pkgs, lib, inputs, ... }: with config.lyn.lib; { - imports = - [ - ./hardware-configuration.nix - ./virtualization.nix - ]; - lyn.kernel.latest.enable = true; +{ + config, + pkgs, + lib, + inputs, + ... +}: +with config.lyn.lib; { + imports = [ + ./hardware-configuration.nix + ./virtualization.nix + ]; + lyn.kernel.latest.enable = true; lyn.profiles.base.enable = true; lyn.profiles.headless.enable = true; lyn.users.lyn.enable = true; networking.hostName = "supernova"; boot.loader.efi.canTouchEfiVariables = true; - + # this is overridden by the secureboot profile, still here so the system retains a bootloader in case secure boot profile is disabled: boot.loader.systemd-boot.enable = true; 
@@ -23,33 +29,37 @@ # Kernel hardening lyn.kernel.hardened.enable = true; - ## Don't print any errors/logs to the console + ## Don't print any errors/logs to the console boot.consoleLogLevel = 0; - + # Secure boot lyn.profiles.secureboot.enable = true; # FDE + initrd stuff - boot.kernelParams = [ "ip=dhcp" ]; + boot.kernelParams = ["ip=dhcp"]; boot.loader.timeout = 2; boot.initrd = { - availableKernelModules = [ "r8169" ]; + availableKernelModules = ["r8169"]; systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent"; secrets = {"/root/initrd-ssh-key" = "/root/initrd-ssh-key";}; network = { - enable = true; - ssh = { enable = true; - port = 2222; - # WARNING: this key will be globally accessible through Nix store. Don't use the booted/decrypted systems host key here. - hostKeys = [ /root/initrd-ssh-key ]; - # this includes the ssh keys of all users in the wheel group, but you can just specify some keys manually - # authorizedKeys = [ "ssh-rsa ..." ]; - authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users); + ssh = { + enable = true; + port = 2222; + # WARNING: this key will be globally accessible through Nix store. Don't use the booted/decrypted systems host key here. + hostKeys = [/root/initrd-ssh-key]; + # this includes the ssh keys of all users in the wheel group, but you can just specify some keys manually + # authorizedKeys = [ "ssh-rsa ..." ]; + authorizedKeys = with lib; + concatLists (mapAttrsToList (name: user: + if elem "wheel" user.extraGroups + then user.openssh.authorizedKeys.keys + else []) + config.users.users); + }; }; }; - }; - - system.stateVersion = "24.05"; + system.stateVersion = "24.05"; } diff --git a/hosts/supernova/hardware-configuration.nix b/hosts/supernova/hardware-configuration.nix index bcbb211..a8096e4 100644 --- a/hosts/supernova/hardware-configuration.nix +++ b/hosts/supernova/hardware-configuration.nix 
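Review bot: `hostKeys = [/root/initrd-ssh-key];` is a Nix path literal, so the initrd SSH private key is copied into the world-readable Nix store, which the inline comment accepts; the `secrets = {...}` entry is the scripted-initrd `boot.initrd.secrets` mechanism, and since hardware-configuration.nix sets `boot.initrd.systemd.enable = true`, it is worth confirming which of the two actually places the key in the initrd (with systemd stage 1 the `hostKeys` entry is, as far as I can tell, embedded in the initrd on the unencrypted /boot regardless). Anyone who can read the store or /boot can therefore impersonate the initrd sshd and capture the LUKS passphrase typed into `systemd-tty-ask-password-agent`, so unlocking clients should pin this key explicitly (a dedicated `known_hosts` entry for `[supernova]:2222`, separate from the booted system's host key) rather than trust it on first use; a comment to that effect next to the existing WARNING would help the next operator. As collapsed here, `network.enable = true;` appears only on the removed side of the hunk; if it was dropped rather than moved, confirm the initrd still brings up networking for this unlock path. The enclosing module attribute set starts outside the hunk.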
@@ -1,41 +1,45 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ]; - boot.initrd.kernelModules = [ "dm-snapshot" ]; - boot.kernelModules = [ "kvm-amd" ]; - boot.extraModulePackages = [ ]; + boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod"]; + boot.initrd.kernelModules = ["dm-snapshot"]; + boot.kernelModules = ["kvm-amd"]; + boot.extraModulePackages = []; boot.initrd.systemd.enable = true; boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/db8a5cf9-c54b-4e6a-b3f9-e6323eb962a6"; # doubles SSD performance because r/w queue is unnecessary here boot.initrd.luks.devices."root".bypassWorkqueues = true; - fileSystems."/" = - { device = "/dev/mapper/vg-root"; - fsType = "btrfs"; - options = ["x-systemd.device-timeout=0"]; - }; + fileSystems."/" = { + device = "/dev/mapper/vg-root"; + fsType = "btrfs"; + options = ["x-systemd.device-timeout=0"]; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/0374-0967"; - fsType = "vfat"; - options = [ "fmask=0022" "dmask=0022" "umask=0077" "x-systemd.device-timeout=0"]; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/0374-0967"; + fsType = "vfat"; + options = ["fmask=0022" "dmask=0022" "umask=0077" "x-systemd.device-timeout=0"]; + }; - swapDevices = - [ { - device = "/dev/mapper/vg-swap"; + swapDevices = [ + { + device = "/dev/mapper/vg-swap"; options = ["x-systemd.device-timeout=0"]; } - ]; + ]; # Enables DHCP on each ethernet and wireless interface. 
In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's diff --git a/hosts/supernova/virtualization.nix b/hosts/supernova/virtualization.nix index ec6f167..be14fa6 100644 --- a/hosts/supernova/virtualization.nix +++ b/hosts/supernova/virtualization.nix @@ -1,4 +1,3 @@ -{ ... }:{ +{...}: { lyn.profiles.hypervisor.enable = true; - -} \ No newline at end of file +} diff --git a/hosts/wg-gateway/default.nix b/hosts/wg-gateway/default.nix index 67b7fa6..ed87bde 100644 --- a/hosts/wg-gateway/default.nix +++ b/hosts/wg-gateway/default.nix @@ -1,32 +1,35 @@ -{ config, lib, pkgs, ... }: - { - imports = - [ # Include the results of the hardware scan. - ./hardware-configuration.nix - ]; - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; + config, + lib, + pkgs, + ... +}: { + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; - lyn.kernel.latest.enable = true; - lyn.profiles.base.enable = true; - lyn.profiles.secureboot.enable = true; - lyn.users.lyn.enable = true; + lyn.kernel.latest.enable = true; + lyn.profiles.base.enable = true; + lyn.profiles.secureboot.enable = true; + lyn.users.lyn.enable = true; - # network - networking.useDHCP = false; - networking.hostName = "wg-gateway"; # Define your hostname. - systemd.network.enable = true; - systemd.network.networks."10-wan" = { + # network + networking.useDHCP = false; + networking.hostName = "wg-gateway"; # Define your hostname. + systemd.network.enable = true; + systemd.network.networks."10-wan" = { matchConfig.Name = "enp1s0"; networkConfig.DHCP = "ipv4"; address = [ "2a01:4f8:1c1b:d2db::/64" ]; routes = [ - { routeConfig.Gateway = "fe80::1"; } + {routeConfig.Gateway = "fe80::1";} ]; }; - system.stateVersion = "24.05"; -} \ No newline at end of file + system.stateVersion = "24.05"; +} 
diff --git a/hosts/wg-gateway/hardware-configuration.nix b/hosts/wg-gateway/hardware-configuration.nix index c601b11..87d8056 100644 --- a/hosts/wg-gateway/hardware-configuration.nix +++ b/hosts/wg-gateway/hardware-configuration.nix @@ -1,34 +1,38 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - { - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; - boot.initrd.kernelModules = [ "virtio_gpu" ]; - boot.kernelParams = [ "console=tty" ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_scsi" "sr_mod" ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + boot.initrd.kernelModules = ["virtio_gpu"]; + boot.kernelParams = ["console=tty"]; + boot.initrd.availableKernelModules = ["xhci_pci" "virtio_scsi" "sr_mod"]; + boot.kernelModules = []; + boot.extraModulePackages = []; - fileSystems."/" = - { device = "/dev/disk/by-uuid/7cb49846-af34-40ec-b144-decc9c284e94"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/7cb49846-af34-40ec-b144-decc9c284e94"; + fsType = "ext4"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/BEFA-C7BC"; - fsType = "vfat"; - options = [ "fmask=0077" "dmask=0077" ]; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/BEFA-C7BC"; + fsType = "vfat"; + options = ["fmask=0077" "dmask=0077"]; + }; - swapDevices = - [ { device = "/dev/disk/by-uuid/63e6e56c-9fbd-4bc2-a0e7-8be171565710"; } - ]; + swapDevices = [ + {device = "/dev/disk/by-uuid/63e6e56c-9fbd-4bc2-a0e7-8be171565710";} + ]; # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; -} \ No newline at end of file +} 
diff --git a/meta/default.nix b/meta/default.nix index 90405b7..32ffd79 100644 --- a/meta/default.nix +++ b/meta/default.nix @@ -1,6 +1,5 @@ { - imports = [ - ./mkLocalMods.nix - ]; + imports = [ + ./mkLocalMods.nix + ]; } - diff --git a/meta/mkLocalMods.nix b/meta/mkLocalMods.nix index 285624d..fdb63f0 100644 --- a/meta/mkLocalMods.nix +++ b/meta/mkLocalMods.nix 
@@ -1,54 +1,107 @@ -{lib, ...}: -let -inherit (import ./packagesFromDirectoryRecursive.nix {inherit lib;} ) packagesFromDirectoryRecursive; - mapAttrKVs = mapFn: attrs: builtins.foldl' (acc: cur: acc // {${cur.key} = cur.value;}) {} (builtins.attrValues (builtins.mapAttrs mapFn attrs)); - #kv = key: value: {inherit key value;}; - recurseNaive = curPath: fn: mapAttrKVs (k: v: let - match = builtins.match "(.*)[.]nix" k; - in if v == "regular" && match != null then {key = builtins.elemAt match 0; value = fn (curPath + ("/" + k));} - else if v == "directory" then {key = k; value = recurseNaive (curPath + ("/" + k)) fn;} - else {key = null; value = null;} - ) (builtins.readDir curPath); +{lib, ...}: let + inherit (import ./packagesFromDirectoryRecursive.nix {inherit lib;}) packagesFromDirectoryRecursive; + mapAttrKVs = mapFn: attrs: builtins.foldl' (acc: cur: acc // {${cur.key} = cur.value;}) {} (builtins.attrValues (builtins.mapAttrs mapFn attrs)); + #kv = key: value: {inherit key value;}; + recurseNaive = curPath: fn: + mapAttrKVs ( + k: v: let + match = builtins.match "(.*)[.]nix" k; + in + if v == "regular" && match != null + then { + key = builtins.elemAt match 0; + value = fn (curPath + ("/" + k)); + } + else if v == "directory" + then { + key = k; + value = recurseNaive (curPath + ("/" + k)) fn; + } + else { + key = null; + value = null; + } + ) (builtins.readDir curPath); - getAttrKVsRec = prefix: as: lib.flatten (lib.mapAttrsToList (k: v: - if lib.isAttrs v then getAttrKVsRec (prefix ++ [k]) v - else [{path = prefix ++ [k]; value = v;}] - ) as); + getAttrKVsRec = prefix: as: + lib.flatten (lib.mapAttrsToList ( + k: v: + if lib.isAttrs v + then getAttrKVsRec (prefix ++ [k]) v + else [ + { + path = prefix ++ [k]; + value = v; + } + ] + ) + as); - getPathKVsRec = prefix: dir: getAttrKVsRec prefix (packagesFromDirectoryRecursive { callPackage = path: x: path; directory = dir; }); + getPathKVsRec = prefix: dir: + getAttrKVsRec prefix (packagesFromDirectoryRecursive 
{ + callPackage = path: x: path; + directory = dir; + }); - unifyMod = (import ./modules-extracted.nix {lib = lib;}).unifyModuleSyntax; - transformLocalMod = {path, value}: let - modFn = if lib.isFunction (import value) then import value else (p: import value); - newMod = p: let - paramNew = p // { - cfg = lib.getAttrFromPath path p.config; - }; + unifyMod = (import ./modules-extracted.nix {lib = lib;}).unifyModuleSyntax; + transformLocalMod = { + path, + value, + }: let + modFn = + if lib.isFunction (import value) + then import value + else (p: import value); + newMod = p: let + paramNew = + p + // { + cfg = lib.getAttrFromPath path p.config; + }; - pathStr = builtins.concatStringsSep "." path; - modRaw = modFn paramNew; - modUni = unifyMod pathStr pathStr (builtins.removeAttrs modRaw ["opt" "mod"]); + pathStr = builtins.concatStringsSep "." path; + modRaw = modFn paramNew; + modUni = unifyMod pathStr pathStr (builtins.removeAttrs modRaw ["opt" "mod"]); - mod = modRaw.mod or {}; - fileCtx = str: "${modUni._file} (mkLocalMods ${str})"; - enablePath = path ++ ["enable"]; + mod = modRaw.mod or {}; + fileCtx = str: "${modUni._file} (mkLocalMods ${str})"; + enablePath = path ++ ["enable"]; - imports = [ { - _file = fileCtx "`opt` processor"; - key = fileCtx "`opt` processor"; - options = lib.setAttrByPath path (modRaw.opt or {}); - } { - _file = fileCtx "`enable` definition"; - key = fileCtx "`enable` definition"; - options = lib.setAttrByPath enablePath (lib.mkEnableOption (mod.desc or mod.description or mod.name or pathStr)); - } ({config, ...}: { - _file = fileCtx "config wrapper"; - key = fileCtx "config wrapper"; - config = lib.mkIf (lib.getAttrFromPath enablePath config) modUni.config; - })]; + imports = [ + { + _file = fileCtx "`opt` processor"; + key = fileCtx "`opt` processor"; + options = lib.setAttrByPath path (modRaw.opt or {}); + } + { + _file = fileCtx "`enable` definition"; + key = fileCtx "`enable` definition"; + options = lib.setAttrByPath enablePath 
(lib.mkEnableOption (mod.desc or mod.description or mod.name or pathStr)); + } + ({config, ...}: { + _file = fileCtx "config wrapper"; + key = fileCtx "config wrapper"; + config = lib.mkIf (lib.getAttrFromPath enablePath config) modUni.config; + }) + ]; - newMod = modUni // { imports = modUni.imports ++ imports; config = {}; }; - in newMod; in lib.mirrorFunctionArgs modFn newMod; + newMod = + modUni + // { + imports = modUni.imports ++ imports; + config = {}; + }; + in + newMod; + in + lib.mirrorFunctionArgs modFn newMod; - mkLocalMods = {prefix ? [], dir}: { _file = "mkLocalMods collector"; imports = builtins.map transformLocalMod (getPathKVsRec prefix dir); }; -in mkLocalMods + mkLocalMods = { + prefix ? [], + dir, + }: { + _file = "mkLocalMods collector"; + imports = builtins.map transformLocalMod (getPathKVsRec prefix dir); + }; +in + mkLocalMods diff --git a/meta/modules-extracted.nix b/meta/modules-extracted.nix index ea55c2e..f82ebf7 100644 --- a/meta/modules-extracted.nix +++ b/meta/modules-extracted.nix @@ -1,8 +1,8 @@ # https://github.com/NixOS/nixpkgs/blob/a5cfe012401cfebb4b2c28e74857b8ffe1402b4b/lib/modules.nix -{ lib }: -with lib.modules; -let - inherit (lib) +{lib}: +with lib.modules; let + inherit + (lib) addErrorContext all any @@ -36,7 +36,8 @@ let optionalAttrs optionalString recursiveUpdate - reverseList sort + reverseList + sort seq setAttrByPath substring @@ -50,7 +51,8 @@ let zipAttrs zipAttrsWith ; - inherit (lib.options) + inherit + (lib.options) isOption mkOption showDefs 
@@ -58,36 +60,41 @@ let showOption unknownModule ; - inherit (lib.strings) + inherit + (lib.strings) isConvertibleWithToString ; - unifyModuleSyntax = file: key: m: - let - addMeta = config: if m ? meta - then mkMerge [ config { meta = m.meta; } ] - else config; - addFreeformType = config: if m ? freeformType - then mkMerge [ config { _module.freeformType = m.freeformType; } ] - else config; + unifyModuleSyntax = file: key: m: let + addMeta = config: + if m ? meta + then mkMerge [config {meta = m.meta;}] + else config; + addFreeformType = config: + if m ? freeformType + then mkMerge [config {_module.freeformType = m.freeformType;}] + else config; + in + if m ? config || m ? options + then let + badAttrs = removeAttrs m ["_class" "_file" "key" "disabledModules" "imports" "options" "config" "meta" "freeformType"]; in - if m ? config || m ? options then - let badAttrs = removeAttrs m ["_class" "_file" "key" "disabledModules" "imports" "options" "config" "meta" "freeformType"]; in - if badAttrs != {} then - throw "Module `${key}' has an unsupported attribute `${head (attrNames badAttrs)}'. This is caused by introducing a top-level `config' or `options' attribute. Add configuration attributes immediately on the top level instead, or move all of them (namely: ${toString (attrNames badAttrs)}) into the explicit `config' attribute." - else - { _file = toString m._file or file; - _class = m._class or null; - key = toString m.key or key; - disabledModules = m.disabledModules or []; - imports = m.imports or []; - options = m.options or {}; - config = addFreeformType (addMeta (m.config or {})); - } + if badAttrs != {} + then throw "Module `${key}' has an unsupported attribute `${head (attrNames badAttrs)}'. This is caused by introducing a top-level `config' or `options' attribute. Add configuration attributes immediately on the top level instead, or move all of them (namely: ${toString (attrNames badAttrs)}) into the explicit `config' attribute." 
+ else { + _file = toString m._file or file; + _class = m._class or null; + key = toString m.key or key; + disabledModules = m.disabledModules or []; + imports = m.imports or []; + options = m.options or {}; + config = addFreeformType (addMeta (m.config or {})); + } else # shorthand syntax throwIfNot (isAttrs m) "module ${file} (${key}) does not look like a module." - { _file = toString m._file or file; + { + _file = toString m._file or file; _class = m._class or null; key = toString m.key or key; disabledModules = m.disabledModules or []; @@ -95,6 +102,4 @@ let options = {}; config = addFreeformType (removeAttrs m ["_class" "_file" "key" "disabledModules" "require" "imports" "freeformType"]); }; - - in {inherit unifyModuleSyntax;} diff --git a/modules/profiles/base.nix b/modules/profiles/base.nix index 2581a41..9e86589 100644 --- a/modules/profiles/base.nix +++ b/modules/profiles/base.nix @@ -36,6 +36,32 @@ htop ]; + # Use encrypted Quad9 DNS + nameservers = [ "127.0.0.1" "::1" ]; + services.dnscrypt-proxy2 = { + enable = true; + settings = { + ipv6_servers = true; + require_dnssec = true; + + sources.public-resolvers = { + urls = [ + "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md" + "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" + ]; + cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md"; + minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; + }; + + # You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md + server_names = [ 'quad9-dnscrypt-ip4-nofilter-pri', 'quad9-dnscrypt-ip6-nofilter-pri']; + }; + }; + + systemd.services.dnscrypt-proxy2.serviceConfig = { + StateDirectory = "dnscrypt-proxy"; + }; + nix.gc = { automatic = true; persistent = true; diff --git a/modules/profiles/hypervisor.nix b/modules/profiles/hypervisor.nix index 143c671..b9a7f08 100644 --- a/modules/profiles/hypervisor.nix 
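Review bot: The `server_names` line is not valid Nix — single-quoted strings and comma-separated list elements do not parse — so base.nix will fail evaluation (which would also explain why this hunk alone escaped the autoformatter); it should read `server_names = ["quad9-dnscrypt-ip4-nofilter-pri" "quad9-dnscrypt-ip6-nofilter-pri"];`. `nameservers` also appears to sit at the top level of the module, where the option is `networking.nameservers = ["127.0.0.1" "::1"];`. The signed resolver list is cached under `/var/lib/dnscrypt-proxy2/` while `StateDirectory = "dnscrypt-proxy"` provisions `/var/lib/dnscrypt-proxy`, so the cache write will presumably fail and the list be refetched on every start; `cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";` aligns the two. Finally, pointing resolution at 127.0.0.1 only protects DNS if DHCP-learned resolvers (supernova boots with `ip=dhcp`, wg-gateway uses networkd DHCP) cannot be appended to resolv.conf — worth checking on a deployed host and, if needed, disabling DHCP-provided DNS (e.g. `dhcpV4Config.UseDNS = false` in the networkd profile). The enclosing module starts and ends outside the hunk.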
+++ b/modules/profiles/hypervisor.nix @@ -1,4 +1,8 @@ -{inputs, lib, ...}: { - microvm.host.enable = true; - networking.useNetworkd = true; +{ + inputs, + lib, + ... +}: { + microvm.host.enable = true; + networking.useNetworkd = true; } diff --git a/modules/profiles/secureboot.nix b/modules/profiles/secureboot.nix index 3f821a8..bdcac93 100644 --- a/modules/profiles/secureboot.nix +++ b/modules/profiles/secureboot.nix @@ -1,5 +1,9 @@ -{ config, pkgs, lib, ... }: { + config, + pkgs, + lib, + ... +}: { environment.systemPackages = [ # For debugging and troubleshooting Secure Boot. pkgs.sbctl @@ -9,5 +13,4 @@ enable = true; pkiBundle = "/etc/secureboot"; }; - -} \ No newline at end of file +} diff --git a/modules/profiles/vm.nix b/modules/profiles/vm.nix index 890c250..5f4db4a 100644 --- a/modules/profiles/vm.nix +++ b/modules/profiles/vm.nix @@ -1,8 +1,13 @@ -{ config, pkgs, lib, modulesPath, ... }: { + config, + pkgs, + lib, + modulesPath, + ... +}: { imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; #enable qemu-guestagent services.qemuGuest.enable = true; -} \ No newline at end of file +} diff --git a/modules/services/forgejo-ci.nix b/modules/services/forgejo-ci.nix index 6b6305a..af10740 100644 --- a/modules/services/forgejo-ci.nix +++ b/modules/services/forgejo-ci.nix @@ -1,8 +1,14 @@ -{ config, pkgs, lib, inputs, cfg, ... }: { + config, + pkgs, + lib, + inputs, + cfg, + ... +}: { environment.systemPackages = with pkgs; [ docker -]; + ]; # Enable docker virtualisation.docker = { @@ -20,10 +26,10 @@ instances = { "${cfg.instancename}" = { enable = true; - url = "https://${cfg.domain}"; - name = cfg.instancename; - tokenFile = config.sops.secrets."hosts/forgejo-ci/forgejo_ci_token".path; - labels = []; + url = "https://${cfg.domain}"; + name = cfg.instancename; + tokenFile = config.sops.secrets."hosts/forgejo-ci/forgejo_ci_token".path; + labels = []; }; }; }; 
diff --git a/modules/services/forgejo.nix b/modules/services/forgejo.nix index 59143db..088fe2e 100644 --- a/modules/services/forgejo.nix +++ b/modules/services/forgejo.nix @@ -1,5 +1,12 @@ -{pkgs, lib, config, cfg, ...}: -with lib; with builtins; { +{ + pkgs, + lib, + config, + cfg, + ... +}: +with lib; +with builtins; { opt.domain = lib.mkOption {type = lib.types.str;}; services.forgejo = { enable = true; @@ -11,20 +18,20 @@ with lib; with builtins; { OFFLINE_MODE = true; # disable gravatar, CDN }; settings.actions = { - ENABLED = true; + ENABLED = true; }; settings."repository.upload" = { - FILE_MAX_SIZE = 4095; - MAX_FILES = 20; + FILE_MAX_SIZE = 4095; + MAX_FILES = 20; }; settings."attachment" = { - MAX_SIZE = 4095; - MAX_FILES = 20; + MAX_SIZE = 4095; + MAX_FILES = 20; }; settings.service = { - DISABLE_REGISTRATION = true; - DEFAULT_KEEP_EMAIL_PRIVATE = true; + DISABLE_REGISTRATION = true; + DEFAULT_KEEP_EMAIL_PRIVATE = true; }; database = { user = "forgejo"; diff --git a/modules/sops/default.nix b/modules/sops/default.nix index cc08255..a97db38 100644 --- a/modules/sops/default.nix +++ b/modules/sops/default.nix @@ -1,23 +1,27 @@ -{ pkgs, lib, config, ... }: -let - cfg = config.lyn.sops; -in { + pkgs, + lib, + config, + ... +}: let + cfg = config.lyn.sops; +in { options.lyn.sops = with lib; { secrets = mkOption { type = types.attrs; - default = { }; + default = {}; }; }; config = { - sops.secrets = lib.mapAttrs - (name: value: - let - name_split = lib.splitString "/" name; - in + sops.secrets = + lib.mapAttrs + (name: value: let + name_split = lib.splitString "/" name; + in { sopsFile = config.flakePath + /secrets/${builtins.elemAt name_split 0}/${builtins.elemAt name_split 1}.yaml; - } // value) + } + // value) cfg.secrets; }; } diff --git a/modules/users/lyn/default.nix b/modules/users/lyn/default.nix index ed52c1d..174cc9b 100644 --- a/modules/users/lyn/default.nix +++ b/modules/users/lyn/default.nix 
@@ -1,11 +1,17 @@ -{lib,pkgs, config, cfg, ...}:{ - imports = [ - ./ssh.nix - ]; - users.users.lyn = { +{ + lib, + pkgs, + config, + cfg, + ... +}: { + imports = [ + ./ssh.nix + ]; + users.users.lyn = { isNormalUser = true; - extraGroups = [ "wheel"]; - packages = with pkgs; [ + extraGroups = ["wheel"]; + packages = with pkgs; [ ]; - }; + }; } diff --git a/modules/users/lyn/ssh.nix b/modules/users/lyn/ssh.nix index 039fb5c..8f9e26f 100644 --- a/modules/users/lyn/ssh.nix +++ b/modules/users/lyn/ssh.nix @@ -1,3 +1,7 @@ -{lib, config, ...}: { - users.users.lyn.openssh.authorizedKeys.keys = ["ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC7NUaBJOYgMnT2uUUUSB7gKaqqbgxXDghBkRqSGuZrAZzZYHlHH7nM6Re7+yOYMSoJGLaB4iaUDLSBBnyA6pLI= nixos_gitea@secretive.MacBook-Pro-(2).local"]; +{ + lib, + config, + ... +}: { + users.users.lyn.openssh.authorizedKeys.keys = ["ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC7NUaBJOYgMnT2uUUUSB7gKaqqbgxXDghBkRqSGuZrAZzZYHlHH7nM6Re7+yOYMSoJGLaB4iaUDLSBBnyA6pLI= nixos_gitea@secretive.MacBook-Pro-(2).local"]; }