autoformatted files
parent
f7609d5cf2
commit
9dc962a98c
20 changed files with 424 additions and 256 deletions
65
flake.nix
65
flake.nix
|
@ -8,26 +8,43 @@
|
|||
sops-nix.url = "github:Mic92/sops-nix";
|
||||
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
|
||||
};
|
||||
outputs = {self, nixpkgs, nixpkgs-unstable, sops-nix, lanzaboote, microvm}@inputs: let
|
||||
imports = { imports = [
|
||||
sops-nix.nixosModules.sops
|
||||
passInputs mkLocalModsInput
|
||||
outputs = {
|
||||
self,
|
||||
nixpkgs,
|
||||
nixpkgs-unstable,
|
||||
sops-nix,
|
||||
lanzaboote,
|
||||
microvm,
|
||||
} @ inputs: let
|
||||
imports = {
|
||||
imports = [
|
||||
sops-nix.nixosModules.sops
|
||||
passInputs
|
||||
mkLocalModsInput
|
||||
lanzaboote.nixosModules.lanzaboote
|
||||
inputs.microvm.nixosModules.host
|
||||
];};
|
||||
passInputs = ({lib,config,...}:{
|
||||
options.flakePath = lib.mkOption {type = lib.types.path;};
|
||||
config.flakePath = ./.;
|
||||
options.inputs = lib.mkOption {type = lib.types.attrs;};
|
||||
config.inputs = inputs;
|
||||
options.pkgsInstances = lib.mkOption {type = lib.types.attrs;};
|
||||
config.pkgsInstances = {
|
||||
unstable = import inputs.nixpkgs-unstable {system = config.nixpkgs.system;};
|
||||
inputs.microvm.nixosModules.host
|
||||
];
|
||||
};
|
||||
passInputs = {
|
||||
lib,
|
||||
config,
|
||||
...
|
||||
}: {
|
||||
options.flakePath = lib.mkOption {type = lib.types.path;};
|
||||
config.flakePath = ./.;
|
||||
options.inputs = lib.mkOption {type = lib.types.attrs;};
|
||||
config.inputs = inputs;
|
||||
options.pkgsInstances = lib.mkOption {type = lib.types.attrs;};
|
||||
config.pkgsInstances = {
|
||||
unstable = import inputs.nixpkgs-unstable {system = config.nixpkgs.system;};
|
||||
};
|
||||
};
|
||||
inherit (nixpkgs) lib;
|
||||
mkLocalMods = import ./meta/mkLocalMods.nix {inherit lib;};
|
||||
mkLocalModsInput = mkLocalMods {
|
||||
prefix = ["lyn"];
|
||||
dir = ./modules;
|
||||
};
|
||||
});
|
||||
inherit (nixpkgs) lib;
|
||||
mkLocalMods = import ./meta/mkLocalMods.nix {inherit lib;};
|
||||
mkLocalModsInput = (mkLocalMods {prefix = ["lyn"]; dir = ./modules;});
|
||||
in {
|
||||
nixosConfigurations = {
|
||||
"forgenite" = nixpkgs.lib.nixosSystem {
|
||||
|
@ -35,28 +52,28 @@
|
|||
modules = [
|
||||
./hosts/forgenite
|
||||
imports
|
||||
];
|
||||
];
|
||||
};
|
||||
"forgejo-ci" = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
./hosts/forgejo-ci
|
||||
imports
|
||||
];
|
||||
];
|
||||
};
|
||||
"supernova" = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
./hosts/supernova
|
||||
imports
|
||||
];
|
||||
imports
|
||||
];
|
||||
};
|
||||
"wg-gateway" = nixpkgs.lib.nixosSystem {
|
||||
system = "aarch64-linux";
|
||||
modules = [
|
||||
./hosts/wg-gateway
|
||||
imports
|
||||
];
|
||||
imports
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
@ -1,11 +1,17 @@
|
|||
{ config, pkgs, lib, inputs, ... }: with config.lyn.lib; {
|
||||
imports =
|
||||
[
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
inputs,
|
||||
...
|
||||
}:
|
||||
with config.lyn.lib; {
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
lyn.sops.secrets."hosts/forgejo-ci/forgejo_ci_token" = {};
|
||||
lyn.users.lyn.enable = true;
|
||||
lyn.kernel.latest.enable = true;
|
||||
lyn.kernel.latest.enable = true;
|
||||
lyn.kernel.hardened.enable = true;
|
||||
lyn.profiles.base.enable = true;
|
||||
lyn.profiles.vm.enable = true;
|
||||
|
@ -16,5 +22,5 @@
|
|||
|
||||
networking.hostName = "forgejo-ci"; # Define your hostname.
|
||||
|
||||
system.stateVersion = "23.05";
|
||||
system.stateVersion = "23.05";
|
||||
}
|
||||
|
|
|
@ -1,12 +1,17 @@
|
|||
{ config, pkgs, lib, inputs, ... }: {
|
||||
imports =
|
||||
[
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
inputs,
|
||||
...
|
||||
}: {
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
lyn.sops.secrets."hosts/forgenite/forgejo_db_password".owner = "forgejo";
|
||||
lyn.users.lyn.enable = true;
|
||||
lyn.kernel.latest.enable = true;
|
||||
lyn.kernel.hardened.enable =true;
|
||||
lyn.kernel.hardened.enable = true;
|
||||
lyn.profiles.base.enable = true;
|
||||
lyn.profiles.vm.enable = true;
|
||||
|
||||
|
@ -24,6 +29,4 @@
|
|||
# Before changing this value read the documentation for this option
|
||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||
system.stateVersion = "24.05"; # Did you read the comment?
|
||||
|
||||
}
|
||||
|
||||
|
|
|
@ -1,16 +1,22 @@
|
|||
{ config, pkgs, lib, inputs, ... }: with config.lyn.lib; {
|
||||
imports =
|
||||
[
|
||||
./hardware-configuration.nix
|
||||
./virtualization.nix
|
||||
];
|
||||
lyn.kernel.latest.enable = true;
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
inputs,
|
||||
...
|
||||
}:
|
||||
with config.lyn.lib; {
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
./virtualization.nix
|
||||
];
|
||||
lyn.kernel.latest.enable = true;
|
||||
lyn.profiles.base.enable = true;
|
||||
lyn.profiles.headless.enable = true;
|
||||
lyn.users.lyn.enable = true;
|
||||
networking.hostName = "supernova";
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
|
||||
# this is overridden by the secureboot profile, still here so the system retains a bootloader in case secure boot profile is disabled:
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
|
||||
|
@ -23,33 +29,37 @@
|
|||
|
||||
# Kernel hardening
|
||||
lyn.kernel.hardened.enable = true;
|
||||
## Don't print any errors/logs to the console
|
||||
## Don't print any errors/logs to the console
|
||||
boot.consoleLogLevel = 0;
|
||||
|
||||
|
||||
# Secure boot
|
||||
lyn.profiles.secureboot.enable = true;
|
||||
|
||||
# FDE + initrd stuff
|
||||
boot.kernelParams = [ "ip=dhcp" ];
|
||||
boot.kernelParams = ["ip=dhcp"];
|
||||
boot.loader.timeout = 2;
|
||||
boot.initrd = {
|
||||
availableKernelModules = [ "r8169" ];
|
||||
availableKernelModules = ["r8169"];
|
||||
systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent";
|
||||
secrets = {"/root/initrd-ssh-key" = "/root/initrd-ssh-key";};
|
||||
network = {
|
||||
enable = true;
|
||||
ssh = {
|
||||
enable = true;
|
||||
port = 2222;
|
||||
# WARNING: this key will be globally accessible through Nix store. Don't use the booted/decrypted systems host key here.
|
||||
hostKeys = [ /root/initrd-ssh-key ];
|
||||
# this includes the ssh keys of all users in the wheel group, but you can just specify some keys manually
|
||||
# authorizedKeys = [ "ssh-rsa ..." ];
|
||||
authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users);
|
||||
ssh = {
|
||||
enable = true;
|
||||
port = 2222;
|
||||
# WARNING: this key will be globally accessible through Nix store. Don't use the booted/decrypted systems host key here.
|
||||
hostKeys = [/root/initrd-ssh-key];
|
||||
# this includes the ssh keys of all users in the wheel group, but you can just specify some keys manually
|
||||
# authorizedKeys = [ "ssh-rsa ..." ];
|
||||
authorizedKeys = with lib;
|
||||
concatLists (mapAttrsToList (name: user:
|
||||
if elem "wheel" user.extraGroups
|
||||
then user.openssh.authorizedKeys.keys
|
||||
else [])
|
||||
config.users.users);
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
system.stateVersion = "24.05";
|
||||
system.stateVersion = "24.05";
|
||||
}
|
||||
|
|
|
@ -1,41 +1,45 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ (modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
modulesPath,
|
||||
...
|
||||
}: {
|
||||
imports = [
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
|
||||
boot.initrd.kernelModules = [ "dm-snapshot" ];
|
||||
boot.kernelModules = [ "kvm-amd" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod"];
|
||||
boot.initrd.kernelModules = ["dm-snapshot"];
|
||||
boot.kernelModules = ["kvm-amd"];
|
||||
boot.extraModulePackages = [];
|
||||
|
||||
boot.initrd.systemd.enable = true;
|
||||
boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/db8a5cf9-c54b-4e6a-b3f9-e6323eb962a6";
|
||||
# doubles SSD performance because r/w queue is unnecessary here
|
||||
boot.initrd.luks.devices."root".bypassWorkqueues = true;
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/mapper/vg-root";
|
||||
fsType = "btrfs";
|
||||
options = ["x-systemd.device-timeout=0"];
|
||||
};
|
||||
fileSystems."/" = {
|
||||
device = "/dev/mapper/vg-root";
|
||||
fsType = "btrfs";
|
||||
options = ["x-systemd.device-timeout=0"];
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{ device = "/dev/disk/by-uuid/0374-0967";
|
||||
fsType = "vfat";
|
||||
options = [ "fmask=0022" "dmask=0022" "umask=0077" "x-systemd.device-timeout=0"];
|
||||
};
|
||||
fileSystems."/boot" = {
|
||||
device = "/dev/disk/by-uuid/0374-0967";
|
||||
fsType = "vfat";
|
||||
options = ["fmask=0022" "dmask=0022" "umask=0077" "x-systemd.device-timeout=0"];
|
||||
};
|
||||
|
||||
swapDevices =
|
||||
[ {
|
||||
device = "/dev/mapper/vg-swap";
|
||||
swapDevices = [
|
||||
{
|
||||
device = "/dev/mapper/vg-swap";
|
||||
options = ["x-systemd.device-timeout=0"];
|
||||
}
|
||||
];
|
||||
];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
{ ... }:{
|
||||
{...}: {
|
||||
lyn.profiles.hypervisor.enable = true;
|
||||
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,32 +1,35 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ # Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}: {
|
||||
imports = [
|
||||
# Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
lyn.kernel.latest.enable = true;
|
||||
lyn.profiles.base.enable = true;
|
||||
lyn.profiles.secureboot.enable = true;
|
||||
lyn.users.lyn.enable = true;
|
||||
lyn.kernel.latest.enable = true;
|
||||
lyn.profiles.base.enable = true;
|
||||
lyn.profiles.secureboot.enable = true;
|
||||
lyn.users.lyn.enable = true;
|
||||
|
||||
# network
|
||||
networking.useDHCP = false;
|
||||
networking.hostName = "wg-gateway"; # Define your hostname.
|
||||
systemd.network.enable = true;
|
||||
systemd.network.networks."10-wan" = {
|
||||
# network
|
||||
networking.useDHCP = false;
|
||||
networking.hostName = "wg-gateway"; # Define your hostname.
|
||||
systemd.network.enable = true;
|
||||
systemd.network.networks."10-wan" = {
|
||||
matchConfig.Name = "enp1s0";
|
||||
networkConfig.DHCP = "ipv4";
|
||||
address = [
|
||||
"2a01:4f8:1c1b:d2db::/64"
|
||||
];
|
||||
routes = [
|
||||
{ routeConfig.Gateway = "fe80::1"; }
|
||||
{routeConfig.Gateway = "fe80::1";}
|
||||
];
|
||||
};
|
||||
|
||||
system.stateVersion = "24.05";
|
||||
}
|
||||
system.stateVersion = "24.05";
|
||||
}
|
||||
|
|
|
@ -1,34 +1,38 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ (modulesPath + "/profiles/qemu-guest.nix")
|
||||
];
|
||||
boot.initrd.kernelModules = [ "virtio_gpu" ];
|
||||
boot.kernelParams = [ "console=tty" ];
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_scsi" "sr_mod" ];
|
||||
boot.kernelModules = [ ];
|
||||
boot.extraModulePackages = [ ];
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
modulesPath,
|
||||
...
|
||||
}: {
|
||||
imports = [
|
||||
(modulesPath + "/profiles/qemu-guest.nix")
|
||||
];
|
||||
boot.initrd.kernelModules = ["virtio_gpu"];
|
||||
boot.kernelParams = ["console=tty"];
|
||||
boot.initrd.availableKernelModules = ["xhci_pci" "virtio_scsi" "sr_mod"];
|
||||
boot.kernelModules = [];
|
||||
boot.extraModulePackages = [];
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/disk/by-uuid/7cb49846-af34-40ec-b144-decc9c284e94";
|
||||
fsType = "ext4";
|
||||
};
|
||||
fileSystems."/" = {
|
||||
device = "/dev/disk/by-uuid/7cb49846-af34-40ec-b144-decc9c284e94";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{ device = "/dev/disk/by-uuid/BEFA-C7BC";
|
||||
fsType = "vfat";
|
||||
options = [ "fmask=0077" "dmask=0077" ];
|
||||
};
|
||||
fileSystems."/boot" = {
|
||||
device = "/dev/disk/by-uuid/BEFA-C7BC";
|
||||
fsType = "vfat";
|
||||
options = ["fmask=0077" "dmask=0077"];
|
||||
};
|
||||
|
||||
swapDevices =
|
||||
[ { device = "/dev/disk/by-uuid/63e6e56c-9fbd-4bc2-a0e7-8be171565710"; }
|
||||
];
|
||||
swapDevices = [
|
||||
{device = "/dev/disk/by-uuid/63e6e56c-9fbd-4bc2-a0e7-8be171565710";}
|
||||
];
|
||||
|
||||
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
{
|
||||
imports = [
|
||||
./mkLocalMods.nix
|
||||
];
|
||||
imports = [
|
||||
./mkLocalMods.nix
|
||||
];
|
||||
}
|
||||
|
||||
|
|
|
@ -1,54 +1,107 @@
|
|||
{lib, ...}:
|
||||
let
|
||||
inherit (import ./packagesFromDirectoryRecursive.nix {inherit lib;} ) packagesFromDirectoryRecursive;
|
||||
mapAttrKVs = mapFn: attrs: builtins.foldl' (acc: cur: acc // {${cur.key} = cur.value;}) {} (builtins.attrValues (builtins.mapAttrs mapFn attrs));
|
||||
#kv = key: value: {inherit key value;};
|
||||
recurseNaive = curPath: fn: mapAttrKVs (k: v: let
|
||||
match = builtins.match "(.*)[.]nix" k;
|
||||
in if v == "regular" && match != null then {key = builtins.elemAt match 0; value = fn (curPath + ("/" + k));}
|
||||
else if v == "directory" then {key = k; value = recurseNaive (curPath + ("/" + k)) fn;}
|
||||
else {key = null; value = null;}
|
||||
) (builtins.readDir curPath);
|
||||
{lib, ...}: let
|
||||
inherit (import ./packagesFromDirectoryRecursive.nix {inherit lib;}) packagesFromDirectoryRecursive;
|
||||
mapAttrKVs = mapFn: attrs: builtins.foldl' (acc: cur: acc // {${cur.key} = cur.value;}) {} (builtins.attrValues (builtins.mapAttrs mapFn attrs));
|
||||
#kv = key: value: {inherit key value;};
|
||||
recurseNaive = curPath: fn:
|
||||
mapAttrKVs (
|
||||
k: v: let
|
||||
match = builtins.match "(.*)[.]nix" k;
|
||||
in
|
||||
if v == "regular" && match != null
|
||||
then {
|
||||
key = builtins.elemAt match 0;
|
||||
value = fn (curPath + ("/" + k));
|
||||
}
|
||||
else if v == "directory"
|
||||
then {
|
||||
key = k;
|
||||
value = recurseNaive (curPath + ("/" + k)) fn;
|
||||
}
|
||||
else {
|
||||
key = null;
|
||||
value = null;
|
||||
}
|
||||
) (builtins.readDir curPath);
|
||||
|
||||
getAttrKVsRec = prefix: as: lib.flatten (lib.mapAttrsToList (k: v:
|
||||
if lib.isAttrs v then getAttrKVsRec (prefix ++ [k]) v
|
||||
else [{path = prefix ++ [k]; value = v;}]
|
||||
) as);
|
||||
getAttrKVsRec = prefix: as:
|
||||
lib.flatten (lib.mapAttrsToList (
|
||||
k: v:
|
||||
if lib.isAttrs v
|
||||
then getAttrKVsRec (prefix ++ [k]) v
|
||||
else [
|
||||
{
|
||||
path = prefix ++ [k];
|
||||
value = v;
|
||||
}
|
||||
]
|
||||
)
|
||||
as);
|
||||
|
||||
getPathKVsRec = prefix: dir: getAttrKVsRec prefix (packagesFromDirectoryRecursive { callPackage = path: x: path; directory = dir; });
|
||||
getPathKVsRec = prefix: dir:
|
||||
getAttrKVsRec prefix (packagesFromDirectoryRecursive {
|
||||
callPackage = path: x: path;
|
||||
directory = dir;
|
||||
});
|
||||
|
||||
unifyMod = (import ./modules-extracted.nix {lib = lib;}).unifyModuleSyntax;
|
||||
transformLocalMod = {path, value}: let
|
||||
modFn = if lib.isFunction (import value) then import value else (p: import value);
|
||||
newMod = p: let
|
||||
paramNew = p // {
|
||||
cfg = lib.getAttrFromPath path p.config;
|
||||
};
|
||||
unifyMod = (import ./modules-extracted.nix {lib = lib;}).unifyModuleSyntax;
|
||||
transformLocalMod = {
|
||||
path,
|
||||
value,
|
||||
}: let
|
||||
modFn =
|
||||
if lib.isFunction (import value)
|
||||
then import value
|
||||
else (p: import value);
|
||||
newMod = p: let
|
||||
paramNew =
|
||||
p
|
||||
// {
|
||||
cfg = lib.getAttrFromPath path p.config;
|
||||
};
|
||||
|
||||
pathStr = builtins.concatStringsSep "." path;
|
||||
modRaw = modFn paramNew;
|
||||
modUni = unifyMod pathStr pathStr (builtins.removeAttrs modRaw ["opt" "mod"]);
|
||||
pathStr = builtins.concatStringsSep "." path;
|
||||
modRaw = modFn paramNew;
|
||||
modUni = unifyMod pathStr pathStr (builtins.removeAttrs modRaw ["opt" "mod"]);
|
||||
|
||||
mod = modRaw.mod or {};
|
||||
fileCtx = str: "${modUni._file} (mkLocalMods ${str})";
|
||||
enablePath = path ++ ["enable"];
|
||||
mod = modRaw.mod or {};
|
||||
fileCtx = str: "${modUni._file} (mkLocalMods ${str})";
|
||||
enablePath = path ++ ["enable"];
|
||||
|
||||
imports = [ {
|
||||
_file = fileCtx "`opt` processor";
|
||||
key = fileCtx "`opt` processor";
|
||||
options = lib.setAttrByPath path (modRaw.opt or {});
|
||||
} {
|
||||
_file = fileCtx "`enable` definition";
|
||||
key = fileCtx "`enable` definition";
|
||||
options = lib.setAttrByPath enablePath (lib.mkEnableOption (mod.desc or mod.description or mod.name or pathStr));
|
||||
} ({config, ...}: {
|
||||
_file = fileCtx "config wrapper";
|
||||
key = fileCtx "config wrapper";
|
||||
config = lib.mkIf (lib.getAttrFromPath enablePath config) modUni.config;
|
||||
})];
|
||||
imports = [
|
||||
{
|
||||
_file = fileCtx "`opt` processor";
|
||||
key = fileCtx "`opt` processor";
|
||||
options = lib.setAttrByPath path (modRaw.opt or {});
|
||||
}
|
||||
{
|
||||
_file = fileCtx "`enable` definition";
|
||||
key = fileCtx "`enable` definition";
|
||||
options = lib.setAttrByPath enablePath (lib.mkEnableOption (mod.desc or mod.description or mod.name or pathStr));
|
||||
}
|
||||
({config, ...}: {
|
||||
_file = fileCtx "config wrapper";
|
||||
key = fileCtx "config wrapper";
|
||||
config = lib.mkIf (lib.getAttrFromPath enablePath config) modUni.config;
|
||||
})
|
||||
];
|
||||
|
||||
newMod = modUni // { imports = modUni.imports ++ imports; config = {}; };
|
||||
in newMod; in lib.mirrorFunctionArgs modFn newMod;
|
||||
newMod =
|
||||
modUni
|
||||
// {
|
||||
imports = modUni.imports ++ imports;
|
||||
config = {};
|
||||
};
|
||||
in
|
||||
newMod;
|
||||
in
|
||||
lib.mirrorFunctionArgs modFn newMod;
|
||||
|
||||
mkLocalMods = {prefix ? [], dir}: { _file = "mkLocalMods collector"; imports = builtins.map transformLocalMod (getPathKVsRec prefix dir); };
|
||||
in mkLocalMods
|
||||
mkLocalMods = {
|
||||
prefix ? [],
|
||||
dir,
|
||||
}: {
|
||||
_file = "mkLocalMods collector";
|
||||
imports = builtins.map transformLocalMod (getPathKVsRec prefix dir);
|
||||
};
|
||||
in
|
||||
mkLocalMods
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
# https://github.com/NixOS/nixpkgs/blob/a5cfe012401cfebb4b2c28e74857b8ffe1402b4b/lib/modules.nix
|
||||
{ lib }:
|
||||
with lib.modules;
|
||||
let
|
||||
inherit (lib)
|
||||
{lib}:
|
||||
with lib.modules; let
|
||||
inherit
|
||||
(lib)
|
||||
addErrorContext
|
||||
all
|
||||
any
|
||||
|
@ -36,7 +36,8 @@ let
|
|||
optionalAttrs
|
||||
optionalString
|
||||
recursiveUpdate
|
||||
reverseList sort
|
||||
reverseList
|
||||
sort
|
||||
seq
|
||||
setAttrByPath
|
||||
substring
|
||||
|
@ -50,7 +51,8 @@ let
|
|||
zipAttrs
|
||||
zipAttrsWith
|
||||
;
|
||||
inherit (lib.options)
|
||||
inherit
|
||||
(lib.options)
|
||||
isOption
|
||||
mkOption
|
||||
showDefs
|
||||
|
@ -58,36 +60,41 @@ let
|
|||
showOption
|
||||
unknownModule
|
||||
;
|
||||
inherit (lib.strings)
|
||||
inherit
|
||||
(lib.strings)
|
||||
isConvertibleWithToString
|
||||
;
|
||||
|
||||
unifyModuleSyntax = file: key: m:
|
||||
let
|
||||
addMeta = config: if m ? meta
|
||||
then mkMerge [ config { meta = m.meta; } ]
|
||||
else config;
|
||||
addFreeformType = config: if m ? freeformType
|
||||
then mkMerge [ config { _module.freeformType = m.freeformType; } ]
|
||||
else config;
|
||||
unifyModuleSyntax = file: key: m: let
|
||||
addMeta = config:
|
||||
if m ? meta
|
||||
then mkMerge [config {meta = m.meta;}]
|
||||
else config;
|
||||
addFreeformType = config:
|
||||
if m ? freeformType
|
||||
then mkMerge [config {_module.freeformType = m.freeformType;}]
|
||||
else config;
|
||||
in
|
||||
if m ? config || m ? options
|
||||
then let
|
||||
badAttrs = removeAttrs m ["_class" "_file" "key" "disabledModules" "imports" "options" "config" "meta" "freeformType"];
|
||||
in
|
||||
if m ? config || m ? options then
|
||||
let badAttrs = removeAttrs m ["_class" "_file" "key" "disabledModules" "imports" "options" "config" "meta" "freeformType"]; in
|
||||
if badAttrs != {} then
|
||||
throw "Module `${key}' has an unsupported attribute `${head (attrNames badAttrs)}'. This is caused by introducing a top-level `config' or `options' attribute. Add configuration attributes immediately on the top level instead, or move all of them (namely: ${toString (attrNames badAttrs)}) into the explicit `config' attribute."
|
||||
else
|
||||
{ _file = toString m._file or file;
|
||||
_class = m._class or null;
|
||||
key = toString m.key or key;
|
||||
disabledModules = m.disabledModules or [];
|
||||
imports = m.imports or [];
|
||||
options = m.options or {};
|
||||
config = addFreeformType (addMeta (m.config or {}));
|
||||
}
|
||||
if badAttrs != {}
|
||||
then throw "Module `${key}' has an unsupported attribute `${head (attrNames badAttrs)}'. This is caused by introducing a top-level `config' or `options' attribute. Add configuration attributes immediately on the top level instead, or move all of them (namely: ${toString (attrNames badAttrs)}) into the explicit `config' attribute."
|
||||
else {
|
||||
_file = toString m._file or file;
|
||||
_class = m._class or null;
|
||||
key = toString m.key or key;
|
||||
disabledModules = m.disabledModules or [];
|
||||
imports = m.imports or [];
|
||||
options = m.options or {};
|
||||
config = addFreeformType (addMeta (m.config or {}));
|
||||
}
|
||||
else
|
||||
# shorthand syntax
|
||||
throwIfNot (isAttrs m) "module ${file} (${key}) does not look like a module."
|
||||
{ _file = toString m._file or file;
|
||||
{
|
||||
_file = toString m._file or file;
|
||||
_class = m._class or null;
|
||||
key = toString m.key or key;
|
||||
disabledModules = m.disabledModules or [];
|
||||
|
@ -95,6 +102,4 @@ let
|
|||
options = {};
|
||||
config = addFreeformType (removeAttrs m ["_class" "_file" "key" "disabledModules" "require" "imports" "freeformType"]);
|
||||
};
|
||||
|
||||
|
||||
in {inherit unifyModuleSyntax;}
|
||||
|
|
|
@ -36,6 +36,32 @@
|
|||
htop
|
||||
];
|
||||
|
||||
# Use encrypted Quad9 DNS
|
||||
nameservers = [ "127.0.0.1" "::1" ];
|
||||
services.dnscrypt-proxy2 = {
|
||||
enable = true;
|
||||
settings = {
|
||||
ipv6_servers = true;
|
||||
require_dnssec = true;
|
||||
|
||||
sources.public-resolvers = {
|
||||
urls = [
|
||||
"https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
|
||||
"https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
|
||||
];
|
||||
cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
|
||||
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
|
||||
};
|
||||
|
||||
# You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
|
||||
server_names = [ 'quad9-dnscrypt-ip4-nofilter-pri', 'quad9-dnscrypt-ip6-nofilter-pri'];
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.dnscrypt-proxy2.serviceConfig = {
|
||||
StateDirectory = "dnscrypt-proxy";
|
||||
};
|
||||
|
||||
nix.gc = {
|
||||
automatic = true;
|
||||
persistent = true;
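Review bot: `server_names = [ 'quad9-dnscrypt-ip4-nofilter-pri', 'quad9-dnscrypt-ip6-nofilter-pri'];` is not valid Nix — single quotes do not delimit strings and list elements are separated by whitespace, not commas — so this file will fail to parse even though the commit is labelled as autoformatting only; it should read `server_names = ["quad9-dnscrypt-ip4-nofilter-pri" "quad9-dnscrypt-ip6-nofilter-pri"];`. The line `nameservers = [ "127.0.0.1" "::1" ];` is a bare attribute as far as this hunk shows; unless the enclosing attribute set, which starts before the hunk, is `networking = { ... }`, it needs the `networking.` prefix, and without it the host would not actually resolve through the local dnscrypt-proxy2 listener that the rest of the block sets up. The `cache_file` path sits under `/var/lib/dnscrypt-proxy2` while the added `StateDirectory = "dnscrypt-proxy"` provisions `/var/lib/dnscrypt-proxy`; please confirm the service can write the resolver-list cache at the configured path, since the two names look mismatched. A short comment above `minisign_key` stating where the key was obtained would let a later reader verify it instead of trusting it on sight.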
|
||||
|
|
|
@ -1,4 +1,8 @@
|
|||
{inputs, lib, ...}: {
|
||||
microvm.host.enable = true;
|
||||
networking.useNetworkd = true;
|
||||
{
|
||||
inputs,
|
||||
lib,
|
||||
...
|
||||
}: {
|
||||
microvm.host.enable = true;
|
||||
networking.useNetworkd = true;
|
||||
}
|
||||
|
|
|
@ -1,5 +1,9 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}: {
|
||||
environment.systemPackages = [
|
||||
# For debugging and troubleshooting Secure Boot.
|
||||
pkgs.sbctl
|
||||
|
@ -9,5 +13,4 @@
|
|||
enable = true;
|
||||
pkiBundle = "/etc/secureboot";
|
||||
};
|
||||
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,8 +1,13 @@
|
|||
{ config, pkgs, lib, modulesPath, ... }:
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
modulesPath,
|
||||
...
|
||||
}: {
|
||||
imports = [
|
||||
(modulesPath + "/profiles/qemu-guest.nix")
|
||||
];
|
||||
#enable qemu-guestagent
|
||||
services.qemuGuest.enable = true;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,8 +1,14 @@
|
|||
{ config, pkgs, lib, inputs, cfg, ... }:
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
inputs,
|
||||
cfg,
|
||||
...
|
||||
}: {
|
||||
environment.systemPackages = with pkgs; [
|
||||
docker
|
||||
];
|
||||
];
|
||||
|
||||
# Enable docker
|
||||
virtualisation.docker = {
|
||||
|
@ -20,10 +26,10 @@
|
|||
instances = {
|
||||
"${cfg.instancename}" = {
|
||||
enable = true;
|
||||
url = "https://${cfg.domain}";
|
||||
name = cfg.instancename;
|
||||
tokenFile = config.sops.secrets."hosts/forgejo-ci/forgejo_ci_token".path;
|
||||
labels = [];
|
||||
url = "https://${cfg.domain}";
|
||||
name = cfg.instancename;
|
||||
tokenFile = config.sops.secrets."hosts/forgejo-ci/forgejo_ci_token".path;
|
||||
labels = [];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
@ -1,5 +1,12 @@
|
|||
{pkgs, lib, config, cfg, ...}:
|
||||
with lib; with builtins; {
|
||||
{
|
||||
pkgs,
|
||||
lib,
|
||||
config,
|
||||
cfg,
|
||||
...
|
||||
}:
|
||||
with lib;
|
||||
with builtins; {
|
||||
opt.domain = lib.mkOption {type = lib.types.str;};
|
||||
services.forgejo = {
|
||||
enable = true;
|
||||
|
@ -11,20 +18,20 @@ with lib; with builtins; {
|
|||
OFFLINE_MODE = true; # disable gravatar, CDN
|
||||
};
|
||||
settings.actions = {
|
||||
ENABLED = true;
|
||||
ENABLED = true;
|
||||
};
|
||||
settings."repository.upload" = {
|
||||
FILE_MAX_SIZE = 4095;
|
||||
MAX_FILES = 20;
|
||||
FILE_MAX_SIZE = 4095;
|
||||
MAX_FILES = 20;
|
||||
};
|
||||
settings."attachment" = {
|
||||
MAX_SIZE = 4095;
|
||||
MAX_FILES = 20;
|
||||
MAX_SIZE = 4095;
|
||||
MAX_FILES = 20;
|
||||
};
|
||||
|
||||
settings.service = {
|
||||
DISABLE_REGISTRATION = true;
|
||||
DEFAULT_KEEP_EMAIL_PRIVATE = true;
|
||||
DISABLE_REGISTRATION = true;
|
||||
DEFAULT_KEEP_EMAIL_PRIVATE = true;
|
||||
};
|
||||
database = {
|
||||
user = "forgejo";
|
||||
|
|
|
@ -1,23 +1,27 @@
|
|||
{ pkgs, lib, config, ... }:
|
||||
let
|
||||
cfg = config.lyn.sops;
|
||||
in
|
||||
{
|
||||
pkgs,
|
||||
lib,
|
||||
config,
|
||||
...
|
||||
}: let
|
||||
cfg = config.lyn.sops;
|
||||
in {
|
||||
options.lyn.sops = with lib; {
|
||||
secrets = mkOption {
|
||||
type = types.attrs;
|
||||
default = { };
|
||||
default = {};
|
||||
};
|
||||
};
|
||||
config = {
|
||||
sops.secrets = lib.mapAttrs
|
||||
(name: value:
|
||||
let
|
||||
name_split = lib.splitString "/" name;
|
||||
in
|
||||
sops.secrets =
|
||||
lib.mapAttrs
|
||||
(name: value: let
|
||||
name_split = lib.splitString "/" name;
|
||||
in
|
||||
{
|
||||
sopsFile = config.flakePath + /secrets/${builtins.elemAt name_split 0}/${builtins.elemAt name_split 1}.yaml;
|
||||
} // value)
|
||||
}
|
||||
// value)
|
||||
cfg.secrets;
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,11 +1,17 @@
|
|||
{lib,pkgs, config, cfg, ...}:{
|
||||
imports = [
|
||||
./ssh.nix
|
||||
];
|
||||
users.users.lyn = {
|
||||
{
|
||||
lib,
|
||||
pkgs,
|
||||
config,
|
||||
cfg,
|
||||
...
|
||||
}: {
|
||||
imports = [
|
||||
./ssh.nix
|
||||
];
|
||||
users.users.lyn = {
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel"];
|
||||
packages = with pkgs; [
|
||||
extraGroups = ["wheel"];
|
||||
packages = with pkgs; [
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,3 +1,7 @@
|
|||
{lib, config, ...}: {
|
||||
users.users.lyn.openssh.authorizedKeys.keys = ["ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC7NUaBJOYgMnT2uUUUSB7gKaqqbgxXDghBkRqSGuZrAZzZYHlHH7nM6Re7+yOYMSoJGLaB4iaUDLSBBnyA6pLI= nixos_gitea@secretive.MacBook-Pro-(2).local"];
|
||||
{
|
||||
lib,
|
||||
config,
|
||||
...
|
||||
}: {
|
||||
users.users.lyn.openssh.authorizedKeys.keys = ["ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC7NUaBJOYgMnT2uUUUSB7gKaqqbgxXDghBkRqSGuZrAZzZYHlHH7nM6Re7+yOYMSoJGLaB4iaUDLSBBnyA6pLI= nixos_gitea@secretive.MacBook-Pro-(2).local"];
|
||||
}
|
||||
|
|