chore: nixfmt *

steveej 2022-10-31 11:04:38 +01:00
parent dc761a5271
commit d039179898
161 changed files with 2688 additions and 3024 deletions


@ -1,20 +1,15 @@
{ hostAddress
, localAddress
, containerBackupCfg
, sshPort ? containerBackupCfg.portInt
}: {
{ hostAddress, localAddress, containerBackupCfg
, sshPort ? containerBackupCfg.portInt }: {
config = { config, pkgs, lib, ... }: {
system.stateVersion = "21.11"; # Did you read the comment?
imports = [
../profiles/containers/configuration.nix
];
imports = [ ../profiles/containers/configuration.nix ];
networking.firewall.enable = false;
services.ddclientovh = {
enable = true;
domain = containerBackupCfg.addr;
enable = true;
domain = containerBackupCfg.addr;
};
services.openssh.enable = true;
@ -35,16 +30,23 @@
security.sudo = {
enable = true;
extraRules = [
{
users = [ "bkp" ];
commands = [
{ command = "/etc/profiles/per-user/bkp/bin/btrfs"; options = [ "NOPASSWD" ]; }
{ command = "/run/current-system/sw/bin/readlink"; options = [ "NOPASSWD" ]; }
{ command = "/run/current-system/sw/bin/test"; options = [ "NOPASSWD" ]; }
];
}
];
extraRules = [{
users = [ "bkp" ];
commands = [
{
command = "/etc/profiles/per-user/bkp/bin/btrfs";
options = [ "NOPASSWD" ];
}
{
command = "/run/current-system/sw/bin/readlink";
options = [ "NOPASSWD" ];
}
{
command = "/run/current-system/sw/bin/test";
options = [ "NOPASSWD" ];
}
];
}];
};
};
@ -58,14 +60,12 @@
};
privateNetwork = true;
forwardPorts = [
{
# ssh
containerPort = 22;
hostPort = sshPort;
protocol = "tcp";
}
];
forwardPorts = [{
# ssh
containerPort = 22;
hostPort = sshPort;
protocol = "tcp";
}];
inherit hostAddress localAddress;
}


@ -1,9 +1,4 @@
{ config
, hostAddress
, localAddress
, subvolumes
, targetPathSuffix ? ""
}:
{ config, hostAddress, localAddress, subvolumes, targetPathSuffix ? "" }:
let
passwords = import ../../variables/passwords.crypt.nix;
@ -13,14 +8,9 @@ in {
config = { pkgs, ... }: {
system.stateVersion = "20.03"; # Did you read the comment?
imports = [
../profiles/containers/configuration.nix
];
imports = [ ../profiles/containers/configuration.nix ];
environment.systemPackages = with pkgs; [
btrfs-progs
btrbk
];
environment.systemPackages = with pkgs; [ btrfs-progs btrbk ];
networking.firewall.enable = true;
@ -28,17 +18,11 @@ in {
enable = true;
description = "bkp-sync service";
serviceConfig = {
Type = "oneshot";
};
serviceConfig = { Type = "oneshot"; };
after = [
"bkp-run.service"
];
after = [ "bkp-run.service" ];
requires = [
"bkp-run.service"
];
requires = [ "bkp-run.service" ];
path = with pkgs; [ utillinux ];
script = ''
@ -51,17 +35,13 @@ in {
enable = true;
description = "bkp-run";
serviceConfig = {
Type = "oneshot";
};
serviceConfig = { Type = "oneshot"; };
partOf = [
"bkp-sync.service"
];
partOf = [ "bkp-sync.service" ];
path = with pkgs; [ btrfs-progs btrbk coreutils ];
script = let
script = let
btrbkConf = pkgs.writeText "cfg" ''
timestamp_format long
ssh_identity ${passwords.storage.backupTarget.keyPath}
@ -78,7 +58,8 @@ in {
volume ${subvolumeParentDir}
target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix}
${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") "" subvolumes}
${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") ""
subvolumes}
'';
in ''
#! ${pkgs.bash}/bin/bash
@ -95,10 +76,10 @@ in {
timerConfig = {
# Obtained using `systemd-analyze calendar "Wed 23:00"`
# OnCalendar = "Wed *-*-* 23:00:00";
OnStartupSec="1m";
OnStartupSec = "1m";
Unit = "bkp-sync.service";
OnUnitInactiveSec="2h";
Persistent="true";
OnUnitInactiveSec = "2h";
Persistent = "true";
};
};
};
@ -122,13 +103,13 @@ in {
};
};
allowedDevices = [
{ node = "/dev/fuse"; modifier = "rw"; }
];
allowedDevices = [{
node = "/dev/fuse";
modifier = "rw";
}];
privateNetwork = true;
forwardPorts = [
];
forwardPorts = [ ];
inherit hostAddress localAddress;
}


@ -1,28 +1,20 @@
{ hostAddress
, localAddress
, imapsPort ? 993
, sievePort ? 4190
}:
{ hostAddress, localAddress, imapsPort ? 993, sievePort ? 4190 }:
let
passwords = import ../../variables/passwords.crypt.nix;
let passwords = import ../../variables/passwords.crypt.nix;
in
{
in {
config = { pkgs, ... }: {
system.stateVersion = "21.11"; # Did you read the comment?
imports = [
../profiles/containers/configuration.nix
../profiles/common/user.nix
];
imports =
[ ../profiles/containers/configuration.nix ../profiles/common/user.nix ];
networking.firewall.enable = false;
services.ddclientovh = {
enable = true;
domain = "mailserver.svc.stefanjunker.de";
enable = true;
domain = "mailserver.svc.stefanjunker.de";
};
services.dovecot2 = {
@ -43,7 +35,7 @@ in
extraConfig = ''
auth_mechanisms = cram-md5 digest-md5
auth_verbose = yes
passdb {
driver = passwd-file
args = scheme=CRYPT username_format=%u /etc/dovecot/users
@ -75,26 +67,26 @@ in
description = "Getmail service";
path = [ pkgs.getmail6 ];
script = let
rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" ''
[options]
verbose = 1
read_all = 0
delete_after = 30
rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" ''
[options]
verbose = 1
read_all = 0
delete_after = 30
[retriever]
type = SimpleIMAPSSLRetriever
server = ssl0.ovh.net
port = 993
username = mail@stefanjunker.de
password = ${passwords.email.mailStefanjunkerDe}
mailboxes = ('INBOX',)
[retriever]
type = SimpleIMAPSSLRetriever
server = ssl0.ovh.net
port = 993
username = mail@stefanjunker.de
password = ${passwords.email.mailStefanjunkerDe}
mailboxes = ('INBOX',)
[destination]
type = MDA_external
path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda
'';
in ''
getmail --rcfile=${rc} --idle=INBOX
[destination]
type = MDA_external
path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda
'';
in ''
getmail --rcfile=${rc} --idle=INBOX
'';
};
@ -108,45 +100,45 @@ in
serviceConfig.RestartSec = 1000;
serviceConfig.Restart = "always";
script = let
rc = pkgs.writeText "schtifATweb.de.getmail.rc" ''
[options]
verbose = 1
read_all = 0
delete_after = 30
rc = pkgs.writeText "schtifATweb.de.getmail.rc" ''
[options]
verbose = 1
read_all = 0
delete_after = 30
[retriever]
type = SimpleIMAPSSLRetriever
server = imap.web.de
port = 993
username = schtif
password = ${passwords.email.schtifATwebDe}
mailboxes = ('INBOX',)
[retriever]
type = SimpleIMAPSSLRetriever
server = imap.web.de
port = 993
username = schtif
password = ${passwords.email.schtifATwebDe}
mailboxes = ('INBOX',)
[destination]
type = Maildir
path = ~/.maildir/
'';
in ''
getmail --rcfile=${rc}
[destination]
type = Maildir
path = ~/.maildir/
'';
in ''
getmail --rcfile=${rc}
'';
};
};
};
autoStart = true;
bindMounts = {
"/etc/secrets/" = {
"/etc/secrets/" = {
hostPath = "/var/lib/container-volumes/mailserver/etc-secrets";
isReadOnly = false;
};
"/home" = {
"/home" = {
hostPath = "/var/lib/container-volumes/mailserver/home";
isReadOnly = false;
};
};
privateNetwork = true ;
privateNetwork = true;
forwardPorts = [
{
# imaps
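Review bot: Both getmail rc files are built with `pkgs.writeText` and interpolate `${passwords.email.mailStefanjunkerDe}` and `${passwords.email.schtifATwebDe}`, so the two IMAP passwords are rendered in clear text into the Nix store, which every local user can read and which travels with the system closure. The reformatting leaves this as it was, and whatever protection `passwords.crypt.nix` has in the repository (presumably encryption at rest) does not extend to the generated rc file. The container already bind-mounts `/etc/secrets/`, so each `[retriever]` section could fetch the secret at run time instead, for example `password_command = ("${pkgs.coreutils}/bin/cat", "/etc/secrets/<PLACEHOLDER-password-file>")`, with that file readable only by the service user. The two service definitions start outside the visible hunks, so the user they run as is not shown here.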


@ -1,17 +1,12 @@
{ hostAddress
, localAddress
, syncthingPort ? 22000
, syncthingLocalAnnouncePort ? 21027
}:
{ hostAddress, localAddress, syncthingPort ? 22000
, syncthingLocalAnnouncePort ? 21027 }:
{
config = { config, pkgs, ... }: {
system.stateVersion = "20.05"; # Did you read the comment?
imports = [
../profiles/containers/configuration.nix
];
imports = [ ../profiles/containers/configuration.nix ];
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [


@ -1,25 +1,17 @@
{ hostAddress
, localAddress
, httpPort ? 80
, httpsPort ? 443
}:
{ hostAddress, localAddress, httpPort ? 80, httpsPort ? 443 }:
let
passwords = import ../../variables/passwords.crypt.nix;
in
{
let passwords = import ../../variables/passwords.crypt.nix;
in {
config = { config, pkgs, lib, ... }: {
system.stateVersion = "22.05"; # Did you read the comment?
imports = [
../profiles/containers/configuration.nix
];
imports = [ ../profiles/containers/configuration.nix ];
networking.firewall.enable = false;
services.ddclientovh = {
enable = true;
domain = "www.stefanjunker.de";
enable = true;
domain = "www.stefanjunker.de";
};
security.acme = {
@ -58,20 +50,16 @@ in
# sslCertificate = "/etc/secrets/stefanjunker.de/nginx/nginx.crt";
# sslCertificateKey = "/etc/secrets/stefanjunker.de/nginx/nginx.key";
locations."/fi" = {
index = "index.php";
};
locations."/fi" = { index = "index.php"; };
locations."~ ^(.+\.php)(.*)$".extraConfig = ''
locations."~ ^(.+.php)(.*)$".extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_pass unix:${config.services.phpfpm.pools.mypool.socket};
fastcgi_index index.php;
'';
locations."/hedgedoc/" = {
proxyPass = "http://127.0.0.1:3000/";
};
locations."/hedgedoc/" = { proxyPass = "http://127.0.0.1:3000/"; };
locations."/hedgedoc/socket.io/" = {
proxyPass = "http://127.0.0.1:3000/socket.io/";
@ -92,15 +80,14 @@ in
"pm.max_spare_servers" = 3;
"pm.max_requests" = 500;
"php_admin_value[error_reporting]" = "E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED";
"php_admin_value[error_reporting]" =
"E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED";
};
};
# the custom php5 we're using here has no fpm-systemd, so the default `Type = "notify"` won't work
systemd.services."phpfpm-mypool" = {
serviceConfig = {
Type = lib.mkForce "simple";
};
serviceConfig = { Type = lib.mkForce "simple"; };
};
services.mysql = {