chore: format with alejandra

steveej 2023-02-07 18:24:28 +01:00
parent 05f0cbdfb4
commit 89f5f65f2d
181 changed files with 2720 additions and 2560 deletions


@ -1,9 +1,19 @@
{ hostAddress, localAddress, containerBackupCfg
, sshPort ? containerBackupCfg.portInt, autoStart ? false }: {
config = { config, pkgs, lib, ... }: {
{
hostAddress,
localAddress,
containerBackupCfg,
sshPort ? containerBackupCfg.portInt,
autoStart ? false,
}: {
config = {
config,
pkgs,
lib,
...
}: {
system.stateVersion = "22.05"; # Did you read the comment?
imports = [ ../profiles/containers/configuration.nix ];
imports = [../profiles/containers/configuration.nix];
networking.firewall.enable = false;
@ -23,30 +33,32 @@
"ssh-rsa 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 bkp"
];
packages = with pkgs; [ btrfs-progs ];
packages = with pkgs; [btrfs-progs];
isSystemUser = true;
};
security.sudo = {
enable = true;
extraRules = [{
users = [ "bkp" ];
commands = [
{
command = "/etc/profiles/per-user/bkp/bin/btrfs";
options = [ "NOPASSWD" ];
}
{
command = "/run/current-system/sw/bin/readlink";
options = [ "NOPASSWD" ];
}
{
command = "/run/current-system/sw/bin/test";
options = [ "NOPASSWD" ];
}
];
}];
extraRules = [
{
users = ["bkp"];
commands = [
{
command = "/etc/profiles/per-user/bkp/bin/btrfs";
options = ["NOPASSWD"];
}
{
command = "/run/current-system/sw/bin/readlink";
options = ["NOPASSWD"];
}
{
command = "/run/current-system/sw/bin/test";
options = ["NOPASSWD"];
}
];
}
];
};
};
@ -59,15 +71,17 @@
};
};
extraFlags = [ "--resolv-conf=bind-host" ];
extraFlags = ["--resolv-conf=bind-host"];
privateNetwork = true;
forwardPorts = [{
# ssh
containerPort = 22;
hostPort = sshPort;
protocol = "tcp";
}];
forwardPorts = [
{
# ssh
containerPort = 22;
hostPort = sshPort;
protocol = "tcp";
}
];
inherit hostAddress localAddress;
}


@ -1,17 +1,20 @@
{ config, hostAddress, localAddress, subvolumes, targetPathSuffix ? ""
, autoStart ? false }:
let
{
config,
hostAddress,
localAddress,
subvolumes,
targetPathSuffix ? "",
autoStart ? false,
}: let
passwords = import ../../variables/passwords.crypt.nix;
subvolumeParentDir = "/var/lib/container-volumes";
in {
config = { pkgs, ... }: {
config = {pkgs, ...}: {
system.stateVersion = "20.03"; # Did you read the comment?
imports = [ ../profiles/containers/configuration.nix ];
imports = [../profiles/containers/configuration.nix];
environment.systemPackages = with pkgs; [ btrfs-progs btrbk ];
environment.systemPackages = with pkgs; [btrfs-progs btrbk];
networking.firewall.enable = true;
@ -19,13 +22,13 @@ in {
enable = true;
description = "bkp-sync service";
serviceConfig = { Type = "oneshot"; };
serviceConfig = {Type = "oneshot";};
after = [ "bkp-run.service" ];
after = ["bkp-run.service"];
requires = [ "bkp-run.service" ];
requires = ["bkp-run.service"];
path = with pkgs; [ utillinux ];
path = with pkgs; [utillinux];
script = ''
set -x
true
@ -36,11 +39,11 @@ in {
enable = true;
description = "bkp-run";
serviceConfig = { Type = "oneshot"; };
serviceConfig = {Type = "oneshot";};
partOf = [ "bkp-sync.service" ];
partOf = ["bkp-sync.service"];
path = with pkgs; [ btrfs-progs btrbk coreutils ];
path = with pkgs; [btrfs-progs btrbk coreutils];
script = let
btrbkConf = pkgs.writeText "cfg" ''
@ -60,7 +63,7 @@ in {
volume ${subvolumeParentDir}
target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix}
${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") ""
subvolumes}
subvolumes}
'';
in ''
#! ${pkgs.bash}/bin/bash
@ -73,7 +76,7 @@ in {
systemd.timers."bkp" = {
description = "Timer to trigger bkp periodically";
enable = true;
wantedBy = [ "timer.target" "multi-user.target" ];
wantedBy = ["timer.target" "multi-user.target"];
timerConfig = {
# Obtained using `systemd-analyze calendar "Wed 23:00"`
# OnCalendar = "Wed *-*-* 23:00:00";
@ -104,15 +107,17 @@ in {
};
};
allowedDevices = [{
node = "/dev/fuse";
modifier = "rw";
}];
allowedDevices = [
{
node = "/dev/fuse";
modifier = "rw";
}
];
extraFlags = [ "--resolv-conf=bind-host" ];
extraFlags = ["--resolv-conf=bind-host"];
privateNetwork = true;
forwardPorts = [ ];
forwardPorts = [];
inherit hostAddress localAddress;
}


@ -1,9 +1,18 @@
{ hostAddress, localAddress, httpPort ? 80, httpsPort ? 443 }:
let passwords = import ../../variables/passwords.crypt.nix;
{
hostAddress,
localAddress,
httpPort ? 80,
httpsPort ? 443,
}: let
passwords = import ../../variables/passwords.crypt.nix;
in {
config = { config, pkgs, lib, ... }: {
imports = [ ../profiles/containers/configuration.nix ];
config = {
config,
pkgs,
lib,
...
}: {
imports = [../profiles/containers/configuration.nix];
networking.firewall.enable = false;
@ -48,7 +57,7 @@ in {
# sslCertificate = "/etc/secrets/stefanjunker.de/nginx/nginx.crt";
# sslCertificateKey = "/etc/secrets/stefanjunker.de/nginx/nginx.key";
locations."/fi" = { index = "index.php"; };
locations."/fi" = {index = "index.php";};
locations."~ ^(.+.php)(.*)$".extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(.*)$;
@ -57,13 +66,12 @@ in {
fastcgi_index index.php;
'';
locations."/hedgedoc/" = { proxyPass = "http://127.0.0.1:3000/"; };
locations."/hedgedoc/" = {proxyPass = "http://127.0.0.1:3000/";};
locations."/hedgedoc/socket.io/" = {
proxyPass = "http://127.0.0.1:3000/socket.io/";
proxyWebsockets = true;
};
};
services.phpfpm.pools.mypool = {
@ -78,14 +86,13 @@ in {
"pm.max_spare_servers" = 3;
"pm.max_requests" = 500;
"php_admin_value[error_reporting]" =
"E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED";
"php_admin_value[error_reporting]" = "E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED";
};
};
# the custom php5 we're using here has no fpm-systemd, so the default `Type = "notify"` won't work
systemd.services."phpfpm-mypool" = {
serviceConfig = { Type = lib.mkForce "simple"; };
serviceConfig = {Type = lib.mkForce "simple";};
};
services.mysql = {


@ -1,15 +1,16 @@
{ hostAddress, localAddress, imapsPort ? 993, sievePort ? 4190
, autoStart ? false }:
let passwords = import ../../variables/passwords.crypt.nix;
{
hostAddress,
localAddress,
imapsPort ? 993,
sievePort ? 4190,
autoStart ? false,
}: let
passwords = import ../../variables/passwords.crypt.nix;
in {
config = { pkgs, ... }: {
config = {pkgs, ...}: {
system.stateVersion = "21.11"; # Did you read the comment?
imports =
[ ../profiles/containers/configuration.nix ../profiles/common/user.nix ];
imports = [../profiles/containers/configuration.nix ../profiles/common/user.nix];
networking.firewall.enable = false;
@ -21,8 +22,8 @@ in {
services.dovecot2 = {
enable = true;
modules = [ pkgs.dovecot_pigeonhole ];
protocols = [ "sieve" ];
modules = [pkgs.dovecot_pigeonhole];
protocols = ["sieve"];
enableImap = true;
enableLmtp = true;
@ -51,7 +52,6 @@ in {
mail_max_userip_connections = 64
}
'';
};
environment.etc."dovecot/users".text = ''
@ -60,13 +60,13 @@ in {
systemd.services.steveej-getmail-stefanjunker = {
enable = true;
wantedBy = [ "multi-user.target" ];
wantedBy = ["multi-user.target"];
serviceConfig.User = "steveej";
serviceConfig.Group = "dovecot2";
serviceConfig.RestartSec = 600;
serviceConfig.Restart = "always";
description = "Getmail service";
path = [ pkgs.getmail6 ];
path = [pkgs.getmail6];
script = let
rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" ''
[options]
@ -93,11 +93,11 @@ in {
systemd.services.steveej-getmail-webde = {
enable = true;
wantedBy = [ "multi-user.target" ];
wantedBy = ["multi-user.target"];
serviceConfig.User = "steveej";
serviceConfig.Group = "dovecot2";
description = "Getmail service";
path = [ pkgs.getmail6 ];
path = [pkgs.getmail6];
serviceConfig.RestartSec = 1000;
serviceConfig.Restart = "always";
script = let
@ -139,7 +139,7 @@ in {
};
};
extraFlags = [ "--resolv-conf=bind-host" ];
extraFlags = ["--resolv-conf=bind-host"];
privateNetwork = true;
forwardPorts = [


@ -1,12 +1,18 @@
{ hostAddress, localAddress, syncthingPort ? 22000
, syncthingLocalAnnouncePort ? 21027, autoStart ? false }:
{
config = { config, pkgs, ... }: {
hostAddress,
localAddress,
syncthingPort ? 22000,
syncthingLocalAnnouncePort ? 21027,
autoStart ? false,
}: {
config = {
config,
pkgs,
...
}: {
system.stateVersion = "20.05"; # Did you read the comment?
imports = [ ../profiles/containers/configuration.nix ];
imports = [../profiles/containers/configuration.nix];
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [
@ -30,7 +36,7 @@
};
};
extraFlags = [ "--resolv-conf=bind-host" ];
extraFlags = ["--resolv-conf=bind-host"];
privateNetwork = true;
forwardPorts = [


@ -1,12 +1,21 @@
{ hostAddress, localAddress, httpPort ? 80, httpsPort ? 443, autoStart ? false
}:
let passwords = import ../../variables/passwords.crypt.nix;
{
hostAddress,
localAddress,
httpPort ? 80,
httpsPort ? 443,
autoStart ? false,
}: let
passwords = import ../../variables/passwords.crypt.nix;
in {
config = { config, pkgs, lib, ... }: {
config = {
config,
pkgs,
lib,
...
}: {
system.stateVersion = "22.05"; # Did you read the comment?
imports = [ ../profiles/containers/configuration.nix ];
imports = [../profiles/containers/configuration.nix];
networking.firewall.enable = false;
@ -51,7 +60,7 @@ in {
# sslCertificate = "/etc/secrets/stefanjunker.de/nginx/nginx.crt";
# sslCertificateKey = "/etc/secrets/stefanjunker.de/nginx/nginx.key";
locations."/fi" = { index = "index.php"; };
locations."/fi" = {index = "index.php";};
locations."~ ^(.+.php)(.*)$".extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(.*)$;
@ -60,13 +69,12 @@ in {
fastcgi_index index.php;
'';
locations."/hedgedoc/" = { proxyPass = "http://127.0.0.1:3000/"; };
locations."/hedgedoc/" = {proxyPass = "http://127.0.0.1:3000/";};
locations."/hedgedoc/socket.io/" = {
proxyPass = "http://127.0.0.1:3000/socket.io/";
proxyWebsockets = true;
};
};
services.phpfpm.pools.mypool = {
@ -81,14 +89,13 @@ in {
"pm.max_spare_servers" = 3;
"pm.max_requests" = 500;
"php_admin_value[error_reporting]" =
"E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED";
"php_admin_value[error_reporting]" = "E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED";
};
};
# the custom php5 we're using here has no fpm-systemd, so the default `Type = "notify"` won't work
systemd.services."phpfpm-mypool" = {
serviceConfig = { Type = lib.mkForce "simple"; };
serviceConfig = {Type = lib.mkForce "simple";};
};
services.mysql = {
@ -146,7 +153,7 @@ in {
};
};
extraFlags = [ "--resolv-conf=bind-host" ];
extraFlags = ["--resolv-conf=bind-host"];
privateNetwork = true;
forwardPorts = [