autoformatted files

This commit is contained in:
Lyn 2024-10-29 08:55:56 +01:00
parent f7609d5cf2
commit 9dc962a98c
20 changed files with 424 additions and 256 deletions


@ -8,14 +8,28 @@
sops-nix.url = "github:Mic92/sops-nix";
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
};
outputs = {self, nixpkgs, nixpkgs-unstable, sops-nix, lanzaboote, microvm}@inputs: let
imports = { imports = [
outputs = {
self,
nixpkgs,
nixpkgs-unstable,
sops-nix,
lanzaboote,
microvm,
} @ inputs: let
imports = {
imports = [
sops-nix.nixosModules.sops
passInputs mkLocalModsInput
passInputs
mkLocalModsInput
lanzaboote.nixosModules.lanzaboote
inputs.microvm.nixosModules.host
];};
passInputs = ({lib,config,...}:{
];
};
passInputs = {
lib,
config,
...
}: {
options.flakePath = lib.mkOption {type = lib.types.path;};
config.flakePath = ./.;
options.inputs = lib.mkOption {type = lib.types.attrs;};
@ -24,10 +38,13 @@
config.pkgsInstances = {
unstable = import inputs.nixpkgs-unstable {system = config.nixpkgs.system;};
};
});
};
inherit (nixpkgs) lib;
mkLocalMods = import ./meta/mkLocalMods.nix {inherit lib;};
mkLocalModsInput = (mkLocalMods {prefix = ["lyn"]; dir = ./modules;});
mkLocalModsInput = mkLocalMods {
prefix = ["lyn"];
dir = ./modules;
};
in {
nixosConfigurations = {
"forgenite" = nixpkgs.lib.nixosSystem {


@ -1,6 +1,12 @@
{ config, pkgs, lib, inputs, ... }: with config.lyn.lib; {
imports =
[
{
config,
pkgs,
lib,
inputs,
...
}:
with config.lyn.lib; {
imports = [
./hardware-configuration.nix
];
lyn.sops.secrets."hosts/forgejo-ci/forgejo_ci_token" = {};


@ -1,6 +1,11 @@
{ config, pkgs, lib, inputs, ... }: {
imports =
[
{
config,
pkgs,
lib,
inputs,
...
}: {
imports = [
./hardware-configuration.nix
];
lyn.sops.secrets."hosts/forgenite/forgejo_db_password".owner = "forgejo";
@ -24,6 +29,4 @@
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "24.05"; # Did you read the comment?
}


@ -1,6 +1,12 @@
{ config, pkgs, lib, inputs, ... }: with config.lyn.lib; {
imports =
[
{
config,
pkgs,
lib,
inputs,
...
}:
with config.lyn.lib; {
imports = [
./hardware-configuration.nix
./virtualization.nix
];
@ -45,11 +51,15 @@
hostKeys = [/root/initrd-ssh-key];
# this includes the ssh keys of all users in the wheel group, but you can just specify some keys manually
# authorizedKeys = [ "ssh-rsa ..." ];
authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users);
authorizedKeys = with lib;
concatLists (mapAttrsToList (name: user:
if elem "wheel" user.extraGroups
then user.openssh.authorizedKeys.keys
else [])
config.users.users);
};
};
};
system.stateVersion = "24.05";
}


@ -1,11 +1,15 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod"];
@ -18,20 +22,20 @@
# doubles SSD performance because r/w queue is unnecessary here
boot.initrd.luks.devices."root".bypassWorkqueues = true;
fileSystems."/" =
{ device = "/dev/mapper/vg-root";
fileSystems."/" = {
device = "/dev/mapper/vg-root";
fsType = "btrfs";
options = ["x-systemd.device-timeout=0"];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/0374-0967";
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/0374-0967";
fsType = "vfat";
options = ["fmask=0022" "dmask=0022" "umask=0077" "x-systemd.device-timeout=0"];
};
swapDevices =
[ {
swapDevices = [
{
device = "/dev/mapper/vg-swap";
options = ["x-systemd.device-timeout=0"];
}


@ -1,4 +1,3 @@
{...}: {
lyn.profiles.hypervisor.enable = true;
}


@ -1,8 +1,11 @@
{ config, lib, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
config,
lib,
pkgs,
...
}: {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
];
boot.loader.systemd-boot.enable = true;


@ -1,11 +1,15 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.kernelModules = ["virtio_gpu"];
boot.kernelParams = ["console=tty"];
@ -13,19 +17,19 @@
boot.kernelModules = [];
boot.extraModulePackages = [];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/7cb49846-af34-40ec-b144-decc9c284e94";
fileSystems."/" = {
device = "/dev/disk/by-uuid/7cb49846-af34-40ec-b144-decc9c284e94";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/BEFA-C7BC";
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/BEFA-C7BC";
fsType = "vfat";
options = ["fmask=0077" "dmask=0077"];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/63e6e56c-9fbd-4bc2-a0e7-8be171565710"; }
swapDevices = [
{device = "/dev/disk/by-uuid/63e6e56c-9fbd-4bc2-a0e7-8be171565710";}
];
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;


@ -3,4 +3,3 @@
./mkLocalMods.nix
];
}


@ -1,27 +1,61 @@
{lib, ...}:
let
{lib, ...}: let
inherit (import ./packagesFromDirectoryRecursive.nix {inherit lib;}) packagesFromDirectoryRecursive;
mapAttrKVs = mapFn: attrs: builtins.foldl' (acc: cur: acc // {${cur.key} = cur.value;}) {} (builtins.attrValues (builtins.mapAttrs mapFn attrs));
#kv = key: value: {inherit key value;};
recurseNaive = curPath: fn: mapAttrKVs (k: v: let
recurseNaive = curPath: fn:
mapAttrKVs (
k: v: let
match = builtins.match "(.*)[.]nix" k;
in if v == "regular" && match != null then {key = builtins.elemAt match 0; value = fn (curPath + ("/" + k));}
else if v == "directory" then {key = k; value = recurseNaive (curPath + ("/" + k)) fn;}
else {key = null; value = null;}
in
if v == "regular" && match != null
then {
key = builtins.elemAt match 0;
value = fn (curPath + ("/" + k));
}
else if v == "directory"
then {
key = k;
value = recurseNaive (curPath + ("/" + k)) fn;
}
else {
key = null;
value = null;
}
) (builtins.readDir curPath);
getAttrKVsRec = prefix: as: lib.flatten (lib.mapAttrsToList (k: v:
if lib.isAttrs v then getAttrKVsRec (prefix ++ [k]) v
else [{path = prefix ++ [k]; value = v;}]
) as);
getAttrKVsRec = prefix: as:
lib.flatten (lib.mapAttrsToList (
k: v:
if lib.isAttrs v
then getAttrKVsRec (prefix ++ [k]) v
else [
{
path = prefix ++ [k];
value = v;
}
]
)
as);
getPathKVsRec = prefix: dir: getAttrKVsRec prefix (packagesFromDirectoryRecursive { callPackage = path: x: path; directory = dir; });
getPathKVsRec = prefix: dir:
getAttrKVsRec prefix (packagesFromDirectoryRecursive {
callPackage = path: x: path;
directory = dir;
});
unifyMod = (import ./modules-extracted.nix {lib = lib;}).unifyModuleSyntax;
transformLocalMod = {path, value}: let
modFn = if lib.isFunction (import value) then import value else (p: import value);
transformLocalMod = {
path,
value,
}: let
modFn =
if lib.isFunction (import value)
then import value
else (p: import value);
newMod = p: let
paramNew = p // {
paramNew =
p
// {
cfg = lib.getAttrFromPath path p.config;
};
@ -33,22 +67,41 @@ inherit (import ./packagesFromDirectoryRecursive.nix {inherit lib;} ) packagesFr
fileCtx = str: "${modUni._file} (mkLocalMods ${str})";
enablePath = path ++ ["enable"];
imports = [ {
imports = [
{
_file = fileCtx "`opt` processor";
key = fileCtx "`opt` processor";
options = lib.setAttrByPath path (modRaw.opt or {});
} {
}
{
_file = fileCtx "`enable` definition";
key = fileCtx "`enable` definition";
options = lib.setAttrByPath enablePath (lib.mkEnableOption (mod.desc or mod.description or mod.name or pathStr));
} ({config, ...}: {
}
({config, ...}: {
_file = fileCtx "config wrapper";
key = fileCtx "config wrapper";
config = lib.mkIf (lib.getAttrFromPath enablePath config) modUni.config;
})];
})
];
newMod = modUni // { imports = modUni.imports ++ imports; config = {}; };
in newMod; in lib.mirrorFunctionArgs modFn newMod;
newMod =
modUni
// {
imports = modUni.imports ++ imports;
config = {};
};
in
newMod;
in
lib.mirrorFunctionArgs modFn newMod;
mkLocalMods = {prefix ? [], dir}: { _file = "mkLocalMods collector"; imports = builtins.map transformLocalMod (getPathKVsRec prefix dir); };
in mkLocalMods
mkLocalMods = {
prefix ? [],
dir,
}: {
_file = "mkLocalMods collector";
imports = builtins.map transformLocalMod (getPathKVsRec prefix dir);
};
in
mkLocalMods


@ -1,8 +1,8 @@
# https://github.com/NixOS/nixpkgs/blob/a5cfe012401cfebb4b2c28e74857b8ffe1402b4b/lib/modules.nix
{lib}:
with lib.modules;
let
inherit (lib)
with lib.modules; let
inherit
(lib)
addErrorContext
all
any
@ -36,7 +36,8 @@ let
optionalAttrs
optionalString
recursiveUpdate
reverseList sort
reverseList
sort
seq
setAttrByPath
substring
@ -50,7 +51,8 @@ let
zipAttrs
zipAttrsWith
;
inherit (lib.options)
inherit
(lib.options)
isOption
mkOption
showDefs
@ -58,25 +60,29 @@ let
showOption
unknownModule
;
inherit (lib.strings)
inherit
(lib.strings)
isConvertibleWithToString
;
unifyModuleSyntax = file: key: m:
let
addMeta = config: if m ? meta
unifyModuleSyntax = file: key: m: let
addMeta = config:
if m ? meta
then mkMerge [config {meta = m.meta;}]
else config;
addFreeformType = config: if m ? freeformType
addFreeformType = config:
if m ? freeformType
then mkMerge [config {_module.freeformType = m.freeformType;}]
else config;
in
if m ? config || m ? options then
let badAttrs = removeAttrs m ["_class" "_file" "key" "disabledModules" "imports" "options" "config" "meta" "freeformType"]; in
if badAttrs != {} then
throw "Module `${key}' has an unsupported attribute `${head (attrNames badAttrs)}'. This is caused by introducing a top-level `config' or `options' attribute. Add configuration attributes immediately on the top level instead, or move all of them (namely: ${toString (attrNames badAttrs)}) into the explicit `config' attribute."
else
{ _file = toString m._file or file;
if m ? config || m ? options
then let
badAttrs = removeAttrs m ["_class" "_file" "key" "disabledModules" "imports" "options" "config" "meta" "freeformType"];
in
if badAttrs != {}
then throw "Module `${key}' has an unsupported attribute `${head (attrNames badAttrs)}'. This is caused by introducing a top-level `config' or `options' attribute. Add configuration attributes immediately on the top level instead, or move all of them (namely: ${toString (attrNames badAttrs)}) into the explicit `config' attribute."
else {
_file = toString m._file or file;
_class = m._class or null;
key = toString m.key or key;
disabledModules = m.disabledModules or [];
@ -87,7 +93,8 @@ let
else
# shorthand syntax
throwIfNot (isAttrs m) "module ${file} (${key}) does not look like a module."
{ _file = toString m._file or file;
{
_file = toString m._file or file;
_class = m._class or null;
key = toString m.key or key;
disabledModules = m.disabledModules or [];
@ -95,6 +102,4 @@ let
options = {};
config = addFreeformType (removeAttrs m ["_class" "_file" "key" "disabledModules" "require" "imports" "freeformType"]);
};
in {inherit unifyModuleSyntax;}


@ -36,6 +36,32 @@
htop
];
# Use encrypted Quad9 DNS
nameservers = [ "127.0.0.1" "::1" ];
services.dnscrypt-proxy2 = {
enable = true;
settings = {
ipv6_servers = true;
require_dnssec = true;
sources.public-resolvers = {
urls = [
"https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
"https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
];
cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
};
# You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
server_names = [ 'quad9-dnscrypt-ip4-nofilter-pri', 'quad9-dnscrypt-ip6-nofilter-pri'];
};
};
systemd.services.dnscrypt-proxy2.serviceConfig = {
StateDirectory = "dnscrypt-proxy";
};
nix.gc = {
automatic = true;
persistent = true;
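Review bot: The `server_names` line near the end of the `settings` block is not valid Nix — the language has no single-quoted strings and list elements are separated by whitespace rather than commas — so this file fails to evaluate; it should read `server_names = ["quad9-dnscrypt-ip4-nofilter-pri" "quad9-dnscrypt-ip6-nofilter-pri"];`. The `nameservers = [ "127.0.0.1" "::1" ];` line directly after the `# Use encrypted Quad9 DNS` comment sits at the same level as `services.dnscrypt-proxy2`, where NixOS has no such option; unless the enclosing attribute set, whose start is outside the hunk, is `networking = { … }`, it needs to be `networking.nameservers = ["127.0.0.1" "::1"];`, otherwise the system keeps using its previous resolvers and the whole encrypted-DNS intent is silently lost. The `cache_file` path `/var/lib/dnscrypt-proxy2/public-resolvers.md` also lies outside the `StateDirectory = "dnscrypt-proxy"` granted to the unit below it, so the minisign-verified resolver list may not be writable for the service unless that directory is provided elsewhere; pointing `cache_file` into the state directory, e.g. `cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";`, removes that dependency.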


@ -1,4 +1,8 @@
{inputs, lib, ...}: {
{
inputs,
lib,
...
}: {
microvm.host.enable = true;
networking.useNetworkd = true;
}


@ -1,5 +1,9 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}: {
environment.systemPackages = [
# For debugging and troubleshooting Secure Boot.
pkgs.sbctl
@ -9,5 +13,4 @@
enable = true;
pkiBundle = "/etc/secureboot";
};
}


@ -1,5 +1,10 @@
{ config, pkgs, lib, modulesPath, ... }:
{
config,
pkgs,
lib,
modulesPath,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];


@ -1,5 +1,11 @@
{ config, pkgs, lib, inputs, cfg, ... }:
{
config,
pkgs,
lib,
inputs,
cfg,
...
}: {
environment.systemPackages = with pkgs; [
docker
];


@ -1,5 +1,12 @@
{pkgs, lib, config, cfg, ...}:
with lib; with builtins; {
{
pkgs,
lib,
config,
cfg,
...
}:
with lib;
with builtins; {
opt.domain = lib.mkOption {type = lib.types.str;};
services.forgejo = {
enable = true;


@ -1,8 +1,11 @@
{ pkgs, lib, config, ... }:
let
cfg = config.lyn.sops;
in
{
pkgs,
lib,
config,
...
}: let
cfg = config.lyn.sops;
in {
options.lyn.sops = with lib; {
secrets = mkOption {
type = types.attrs;
@ -10,14 +13,15 @@ in
};
};
config = {
sops.secrets = lib.mapAttrs
(name: value:
let
sops.secrets =
lib.mapAttrs
(name: value: let
name_split = lib.splitString "/" name;
in
{
sopsFile = config.flakePath + /secrets/${builtins.elemAt name_split 0}/${builtins.elemAt name_split 1}.yaml;
} // value)
}
// value)
cfg.secrets;
};
}


@ -1,4 +1,10 @@
{lib,pkgs, config, cfg, ...}:{
{
lib,
pkgs,
config,
cfg,
...
}: {
imports = [
./ssh.nix
];


@ -1,3 +1,7 @@
{lib, config, ...}: {
{
lib,
config,
...
}: {
users.users.lyn.openssh.authorizedKeys.keys = ["ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC7NUaBJOYgMnT2uUUUSB7gKaqqbgxXDghBkRqSGuZrAZzZYHlHH7nM6Re7+yOYMSoJGLaB4iaUDLSBBnyA6pLI= nixos_gitea@secretive.MacBook-Pro-(2).local"];
}