diff options
Diffstat (limited to 'modules')
24 files changed, 209 insertions, 117 deletions
diff --git a/modules/containers/freshrss/default.nix b/modules/containers/freshrss/default.nix index 5f352a7..7cbe944 100644 --- a/modules/containers/freshrss/default.nix +++ b/modules/containers/freshrss/default.nix @@ -1,16 +1,15 @@ -{ lib, ... }: +{ ... }: let - inherit (lib.lists) singleton; directory = "/opt/freshrss"; port = "8888"; in { - systemd.tmpfiles.rules = builtins.map (x: "d ${x} 0755 share share - -") (singleton directory); + systemd.tmpfiles.rules = builtins.map (x: "d ${x} 0755 share share - -") [ directory ]; virtualisation.oci-containers.containers.freshrss = { image = "freshrss/freshrss:latest"; autoStart = true; - ports = singleton "${port}:80"; + ports = [ "${port}:80" ]; volumes = [ "${directory}/data:/var/www/FreshRSS/data" "${directory}/extensions:/var/www/FreshRSS/extensions" diff --git a/modules/containers/jellyfin/default.nix b/modules/containers/jellyfin/default.nix index d4923ae..a7b9557 100644 --- a/modules/containers/jellyfin/default.nix +++ b/modules/containers/jellyfin/default.nix @@ -1,16 +1,15 @@ -{ lib, ... }: +{ ... }: let - inherit (lib.lists) singleton; directory = "/opt/jellyfin"; in { - systemd.tmpfiles.rules = builtins.map (x: "d ${x} 0755 share share - -") (singleton directory); + systemd.tmpfiles.rules = builtins.map (x: "d ${x} 0755 share share - -") [ directory ]; virtualisation.oci-containers.containers.jellyfin = { image = "jellyfin/jellyfin:latest"; autoStart = true; user = "994:994"; - ports = singleton "8096:8096/tcp"; + ports = [ "8096:8096/tcp" ]; volumes = [ "${directory}/config:/config" "${directory}/cache:/cache" diff --git a/modules/containers/lubelogger/default.nix b/modules/containers/lubelogger/default.nix index 37155dc..6ff2b0d 100644 --- a/modules/containers/lubelogger/default.nix +++ b/modules/containers/lubelogger/default.nix @@ -1,16 +1,15 @@ -{ lib, ... }: +{ ... }: let - inherit (lib.lists) singleton; directory = "/opt/lubelogger"; port = "8889"; in { - systemd.tmpfiles.rules = builtins.map (x: "d ${x} 0755 share share - -") (singleton directory); + systemd.tmpfiles.rules = builtins.map (x: "d ${x} 0755 share share - -") [ directory ]; virtualisation.oci-containers.containers.lubelogger = { image = "ghcr.io/hargata/lubelogger:latest"; autoStart = true; - ports = singleton "${port}:8080"; + ports = [ "${port}:8080" ]; volumes = [ "${directory}/config:/App/config" "${directory}/data:/App/data" diff --git a/modules/containers/pinchflat/default.nix b/modules/containers/pinchflat/default.nix index 996476d..6f9c825 100644 --- a/modules/containers/pinchflat/default.nix +++ b/modules/containers/pinchflat/default.nix @@ -1,15 +1,14 @@ -{ lib, ... }: +{ ... }: let - inherit (lib.lists) singleton; directory = "/opt/pinchflat"; in { - systemd.tmpfiles.rules = builtins.map (x: "d ${x} 0755 share share - -") (singleton directory); + systemd.tmpfiles.rules = builtins.map (x: "d ${x} 0755 share share - -") [ directory ]; virtualisation.oci-containers.containers.pinchflat = { image = "keglin/pinchflat:latest"; autoStart = true; - ports = singleton "8945:8945"; + ports = [ "8945:8945" ]; volumes = [ "${directory}:/config" "/tank/media/yt:/downloads" diff --git a/modules/containers/vaultwarden/default.nix b/modules/containers/vaultwarden/default.nix index 9211c63..7fb4ae0 100644 --- a/modules/containers/vaultwarden/default.nix +++ b/modules/containers/vaultwarden/default.nix @@ -1,18 +1,17 @@ -{ lib, ... }: +{ ... }: let - inherit (lib.lists) singleton; directory = "/opt/vaultwarden"; domain = "steel-mountain.brownbread.net"; port = "11001"; in { - systemd.tmpfiles.rules = builtins.map (x: "d ${x} 0755 share share - -") (singleton directory); + systemd.tmpfiles.rules = builtins.map (x: "d ${x} 0755 share share - -") [ directory ]; virtualisation.oci-containers.containers.vaultwarden = { image = "vaultwarden/server:latest"; autoStart = true; - ports = singleton "${port}:80"; - volumes = singleton "${directory}/data:/data"; + ports = [ "${port}:80" ]; + volumes = [ "${directory}/data:/data" ]; environment = { DOMAIN = domain; WEBSOCKET_ENABLED = "true"; diff --git a/modules/customs/cgit/default.nix b/modules/customs/cgit/default.nix index dfbfb96..2d493a7 100644 --- a/modules/customs/cgit/default.nix +++ b/modules/customs/cgit/default.nix @@ -1,27 +1,35 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: with lib; let cfg = config.services.cgit; - mkCgitrc = cfg: - pkgs.writeText "cgitrc" (let - cgitConfig = { - css = "/cgit.css"; - logo = "/cgit.png"; - favicon = "/favicon.ico"; - about-filter = "${cfg.package}/lib/cgit/filters/about-formatting.sh"; - source-filter = "${cfg.package}/lib/cgit/filters/syntax-highlighting.py"; - enable-git-config = 1; - enable-http-clone = 1; - remove-suffix = 1; - clone-url = "https://${cfg.virtualHost}/$CGIT_REPO_URL"; - scan-path = cfg.scanPath; - }; - in + mkCgitrc = + cfg: + pkgs.writeText "cgitrc" ( + let + cgitConfig = { + css = "/cgit.css"; + logo = "/cgit.png"; + favicon = "/favicon.ico"; + about-filter = "${cfg.package}/lib/cgit/filters/about-formatting.sh"; + source-filter = "${cfg.package}/lib/cgit/filters/syntax-highlighting.py"; + enable-git-config = 1; + enable-http-clone = 1; + remove-suffix = 1; + clone-url = "https://${cfg.virtualHost}/$CGIT_REPO_URL"; + scan-path = cfg.scanPath; + }; + in generators.toKeyValue { } (cfg.settings // cgitConfig) ); - mkCgitAssets = pkg: files: + mkCgitAssets = + pkg: files: strings.concatStringsSep "\n" ( builtins.map (f: '' handle_path /${f} { @@ -30,7 +38,8 @@ let } '') files ); -in { +in +{ disabledModules = [ "services/networking/cgit.nix" ]; options = { @@ -64,7 +73,15 @@ in { }; settings = mkOption { default = { }; - type = with types; let settingType = oneOf [ bool int str ]; in + type = + with types; + let + settingType = oneOf [ + bool + int + str + ]; + in attrsOf (oneOf [ settingType (listOf settingType) @@ -89,7 +106,7 @@ in { openssh.authorizedKeys.keys = cfg.authorizedKeys; }; - users.groups.${cfg.group} = {}; + users.groups.${cfg.group} = { }; # Harden git user to prevent SSH port forwarding to other servers. services.openssh = { @@ -112,21 +129,26 @@ in { socket = { inherit (config.services.caddy) user group; }; }; - services.caddy.virtualHosts.${cfg.virtualHost}.extraConfig = let - socket = config.services.fcgiwrap.instances.cgit.socket.address; - in '' - encode zstd gzip + services.caddy.virtualHosts.${cfg.virtualHost}.extraConfig = + let + socket = config.services.fcgiwrap.instances.cgit.socket.address; + in + '' + encode zstd gzip - reverse_proxy unix/${socket} { - transport fastcgi { - env SCRIPT_FILENAME ${cfg.package}/cgit/cgit.cgi - env CGIT_CONFIG ${mkCgitrc cfg} + reverse_proxy unix/${socket} { + transport fastcgi { + env SCRIPT_FILENAME ${cfg.package}/cgit/cgit.cgi + env CGIT_CONFIG ${mkCgitrc cfg} + } } - } - ${mkCgitAssets cfg.package [ - "cgit.css" "cgit.png" "favicon.ico" "robots.txt" - ]} - ''; + ${mkCgitAssets cfg.package [ + "cgit.css" + "cgit.png" + "favicon.ico" + "robots.txt" + ]} + ''; }; } diff --git a/modules/customs/soft-serve/default.nix b/modules/customs/soft-serve/default.nix index 05156fd..102ee1c 100644 --- a/modules/customs/soft-serve/default.nix +++ b/modules/customs/soft-serve/default.nix @@ -1,4 +1,9 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: with lib; let cfg = config.services.soft-serve; @@ -39,10 +44,10 @@ in systemd.services.soft-serve = { description = "Soft Serve git server"; - documentation = lists.singleton docUrl; - requires = lists.singleton "network-online.target"; - after = lists.singleton "network-online.target"; - wantedBy = lists.singleton "multi-user.target"; + documentation = [ docUrl ]; + requires = [ "network-online.target" ]; + after = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; environment.SOFT_SERVE_DATA_PATH = dataDir; serviceConfig = { Type = "simple"; diff --git a/modules/default.nix b/modules/default.nix index bfa1760..a8ac000 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -1,10 +1,9 @@ { inputs }: let - genModules = { type, modules }: - builtins.map (module: "${inputs.self}/modules/${type}/${module}") modules; + genModules = + { type, modules }: builtins.map (module: "${inputs.self}/modules/${type}/${module}") modules; - mkModules = moduleAttrList: - builtins.concatMap (moduleAttr: genModules moduleAttr) moduleAttrList; + mkModules = moduleAttrList: builtins.concatMap (moduleAttr: genModules moduleAttr) moduleAttrList; in { mkSystem = hostname: nixpkgsVersion: modules: { diff --git a/modules/profiles/common/default.nix b/modules/profiles/common/default.nix index 67d228a..da7df0f 100644 --- a/modules/profiles/common/default.nix +++ b/modules/profiles/common/default.nix @@ -1,9 +1,20 @@ -{ inputs, lib, pkgs, ... }: +{ + inputs, + lib, + pkgs, + ... +}: { nix = { settings = { - trusted-users = [ "@wheel" "root" ]; - experimental-features = lib.mkDefault [ "nix-command" "flakes" ]; + trusted-users = [ + "@wheel" + "root" + ]; + experimental-features = lib.mkDefault [ + "nix-command" + "flakes" + ]; auto-optimise-store = true; }; gc = { @@ -19,7 +30,7 @@ allowUnfreePredicate = (_: true); }; overlays = [ - (final: prev: { + (final: _prev: { unstable = import inputs.nixpkgs-unstable { system = final.system; config.allowUnfree = true; diff --git a/modules/profiles/libvirtd/default.nix b/modules/profiles/libvirtd/default.nix index 222fdab..f10a5ce 100644 --- a/modules/profiles/libvirtd/default.nix +++ b/modules/profiles/libvirtd/default.nix @@ -14,6 +14,9 @@ # Add any users in the 'wheel' group to the 'libvirtd' group. users.groups.libvirtd.members = - with builtins; let users = config.users.users; in - filter (u: elem "wheel" users.${u}.extraGroups) (attrNames users); + with builtins; + let + users = config.users.users; + in + filter (u: elem "wheel" users.${u}.extraGroups) (attrNames users); } diff --git a/modules/profiles/upgrade/default.nix b/modules/profiles/upgrade/default.nix index 32c49a8..80fd3e3 100644 --- a/modules/profiles/upgrade/default.nix +++ b/modules/profiles/upgrade/default.nix @@ -17,7 +17,8 @@ let hostname = config.networking.hostName; dependencies = [ "network-online.target" ]; - in { + in + { wantedBy = [ "multi-user.target" ]; wants = dependencies; after = dependencies; diff --git a/modules/profiles/wireshark/default.nix b/modules/profiles/wireshark/default.nix index ab741ff..6b3dd3d 100644 --- a/modules/profiles/wireshark/default.nix +++ b/modules/profiles/wireshark/default.nix @@ -7,6 +7,9 @@ # Add any users in the 'wheel' group to the 'wireshark' group. users.groups.wireshark.members = - with builtins; let users = config.users.users; in - filter (u: elem "wheel" users.${u}.extraGroups) (attrNames users); + with builtins; + let + users = config.users.users; + in + filter (u: elem "wheel" users.${u}.extraGroups) (attrNames users); } diff --git a/modules/retired/blocky/default.nix b/modules/retired/blocky/default.nix index ca58f4f..302ef8e 100644 --- a/modules/retired/blocky/default.nix +++ b/modules/retired/blocky/default.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ lib, pkgs, ... }: { services.blocky = { enable = true; @@ -11,10 +11,10 @@ "149.112.112.112" ]; }; - bootstrapDns = [{ + bootstrapDns = lib.singleton { upstream = "https://dns.quad9.net/dns-query"; ips = [ "9.9.9.9" ]; - }]; + }; ports = { dns = 53; tls = 853; @@ -87,7 +87,11 @@ }; networking.firewall = { - allowedTCPPorts = [ 53 443 853 ]; + allowedTCPPorts = [ + 53 + 443 + 853 + ]; allowedUDPPorts = [ 53 ]; }; } diff --git a/modules/retired/forgejo/default.nix b/modules/retired/forgejo/default.nix index 9db55b2..cf4e101 100644 --- a/modules/retired/forgejo/default.nix +++ b/modules/retired/forgejo/default.nix @@ -1,4 +1,10 @@ -{ inputs, config, lib, pkgs, ... }: +{ + inputs, + config, + lib, + pkgs, + ... +}: let domain = "git.tdback.net"; port = 3000; @@ -37,7 +43,8 @@ in password = config.age.secrets.forgejoAdminPass.path; user = "tdback"; email = "tyler@tdback.net"; - in '' + in + '' ${adminCmd} create --admin --email ${email} --username ${user} --password "$(tr -d '\n' < ${password})" || true ''; diff --git a/modules/retired/mumble/default.nix b/modules/retired/mumble/default.nix index 29e3339..fa08d64 100644 --- a/modules/retired/mumble/default.nix +++ b/modules/retired/mumble/default.nix @@ -5,7 +5,7 @@ package = pkgs.murmur; port = 64738; openFirewall = true; - environmentFile = "/var/lib/murmur/murmurd.env"; + environmentFile = "/var/lib/murmur/murmurd.env"; password = "$MURMURD_PASSWORD"; }; } diff --git a/modules/retired/navidrome/default.nix b/modules/retired/navidrome/default.nix index 30a6b3f..aeb8f18 100644 --- a/modules/retired/navidrome/default.nix +++ b/modules/retired/navidrome/default.nix @@ -1,10 +1,9 @@ -{ lib, ... }: +{ ... }: let directory = "/opt/navidrome"; in { - systemd.tmpfiles.rules = - map (x: "d ${x} 0755 share share - -") (lib.lists.singleton directory); + systemd.tmpfiles.rules = builtins.map (x: "d ${x} 0755 share share - -") [ directory ]; virtualisation.oci-containers.containers.navidrome = { image = "deluan/navidrome:latest"; diff --git a/modules/retired/pihole/default.nix b/modules/retired/pihole/default.nix index 034c91b..3a95f8a 100644 --- a/modules/retired/pihole/default.nix +++ b/modules/retired/pihole/default.nix @@ -1,15 +1,15 @@ -{ inputs, config, lib, ... }: +{ + inputs, + config, + ... +}: let - # TODO: Think about changing this to config.networking.interface... - # Will have to pull the first value in the list, which might be messy but it - # will definitely make it more producible across machines. ip = "10.0.0.203"; interface = "eno1"; directory = "/opt/pihole"; in { - systemd.tmpfiles.rules = - map (x: "d ${x} 0755 share share - -") (lib.lists.singleton directory); + systemd.tmpfiles.rules = builtins.map (x: "d ${x} 0755 share share - -") [ directory ]; virtualisation.oci-containers.containers.pihole = { image = "pihole/pihole:latest"; @@ -41,12 +41,16 @@ in systemd.services.podman-pihole.postStart = let password = config.age.secrets.piholeAdminPass.path; - in '' + in + '' podman exec -it pihole pihole -a -p "$(tr -d '\n' < ${password})" ''; networking.firewall = { - allowedTCPPorts = [ 53 80 ]; + allowedTCPPorts = [ + 53 + 80 + ]; allowedUDPPorts = [ 53 ]; }; } diff --git a/modules/scripts/motd/default.nix b/modules/scripts/motd/default.nix index c4b0c6b..6d95119 100644 --- a/modules/scripts/motd/default.nix +++ b/modules/scripts/motd/default.nix @@ -1,4 +1,9 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: with lib; let cfg = config.programs.motd; @@ -35,9 +40,12 @@ let printf "\n" printf "''${BOLD}Good $TIME $(whoami), welcome to $(hostname)!$ENDCOLOR\n" printf "\n" - ${strings.concatStrings (lists.forEach cfg.networkInterfaces ( - int: "printf \"$BOLD * %-20s$ENDCOLOR %s\\n\" \"IPv4 ${int}\" \"$(ip -4 addr show ${int} | grep -oP '(?<=inet\\s)\\d+(\\.\\d+){3}')\"\n" - ))} + ${strings.concatStrings ( + lists.forEach cfg.networkInterfaces ( + int: + "printf \"$BOLD * %-20s$ENDCOLOR %s\\n\" \"IPv4 ${int}\" \"$(ip -4 addr show ${int} | grep -oP '(?<=inet\\s)\\d+(\\.\\d+){3}')\"\n" + ) + )} printf "$BOLD * %-20s$ENDCOLOR %s\n" "Release" "$(awk -F= '/PRETTY_NAME/ { print $2 }' /etc/os-release | tr -d '"')" printf "$BOLD * %-20s$ENDCOLOR %s\n" "Kernel" "$(uname -rs)" printf "\n" @@ -68,7 +76,8 @@ let done <<< "$SERVICES" printf "\n" ''; -in { +in +{ options = { programs.motd = { enable = mkEnableOption "motd"; diff --git a/modules/scripts/pushover/default.nix b/modules/scripts/pushover/default.nix index a5644e4..979e96b 100644 --- a/modules/scripts/pushover/default.nix +++ b/modules/scripts/pushover/default.nix @@ -1,4 +1,9 @@ -{ inputs, config, pkgs, ... }: +{ + inputs, + config, + pkgs, + ... +}: let pushover = pkgs.writeShellScriptBin "pushover" '' set -e @@ -35,7 +40,8 @@ let --form-string "message=$MESSAGE" \ https://api.pushover.net/1/messages.json ''; -in { +in +{ age.secrets = { pushoverAppToken.file = "${inputs.self}/secrets/pushoverAppToken.age"; pushoverUserToken.file = "${inputs.self}/secrets/pushoverUserToken.age"; diff --git a/modules/scripts/zquota/default.nix b/modules/scripts/zquota/default.nix index 5741e0e..bd35546 100644 --- a/modules/scripts/zquota/default.nix +++ b/modules/scripts/zquota/default.nix @@ -1,13 +1,19 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: with lib; let cfg = config.services.zquota; - zquota = let - bc = getExe pkgs.bc; - zfs = getExe pkgs.zfs; - hostname = config.networking.hostName; - in + zquota = + let + bc = getExe pkgs.bc; + zfs = getExe pkgs.zfs; + hostname = config.networking.hostName; + in pkgs.writeShellScriptBin "zquota" '' set -e @@ -38,7 +44,8 @@ let "dataset $DATASET on ${hostname} has exceeded quota by ''${DIFF}GB" fi ''; -in { +in +{ options = { services.zquota = { enable = mkEnableOption "zquota"; @@ -66,12 +73,11 @@ in { systemd.services."zquota" = { description = "Perform and report scheduled quota checks on ZFS datasets."; serviceConfig.Type = "oneshot"; - script = - strings.concatStringsSep "\n" ( - mapAttrsToList (dataset: quota: - "/run/current-system/sw/bin/zquota ${dataset} ${builtins.toString quota}" - ) cfg.quotas - ); + script = strings.concatStringsSep "\n" ( + mapAttrsToList ( + dataset: quota: "/run/current-system/sw/bin/zquota ${dataset} ${builtins.toString quota}" + ) cfg.quotas + ); }; systemd.timers."zquota" = { wantedBy = [ "timers.target" ]; diff --git a/modules/services/cgit/default.nix b/modules/services/cgit/default.nix index 5309e6f..7e2955a 100644 --- a/modules/services/cgit/default.nix +++ b/modules/services/cgit/default.nix @@ -1,10 +1,14 @@ -{ inputs, lib, pkgs, ... }: +{ + inputs, + pkgs, + ... +}: let scanPath = "/tank/git"; domain = "git.tdback.net"; in { - imports = lib.lists.singleton "${inputs.self}/modules/customs/cgit"; + imports = [ "${inputs.self}/modules/customs/cgit" ]; services.cgit = { enable = true; diff --git a/modules/services/proxy/default.nix b/modules/services/proxy/default.nix index e11beab..c70bb54 100644 --- a/modules/services/proxy/default.nix +++ b/modules/services/proxy/default.nix @@ -5,5 +5,8 @@ package = pkgs.caddy; }; - networking.firewall.allowedTCPPorts = [ 80 443 ]; + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; } diff --git a/modules/services/sftpgo/default.nix b/modules/services/sftpgo/default.nix index 27318b2..de8b5b1 100644 --- a/modules/services/sftpgo/default.nix +++ b/modules/services/sftpgo/default.nix @@ -1,15 +1,20 @@ -{ config, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: { services.sftpgo = { enable = true; package = pkgs.sftpgo; settings = { - httpd.bindings = [{ + httpd.bindings = lib.singleton { port = 8080; address = "0.0.0.0"; enable_web_client = true; enable_web_admin = true; - }]; + }; }; }; diff --git a/modules/users/default.nix b/modules/users/default.nix index 027ca0f..219f577 100644 --- a/modules/users/default.nix +++ b/modules/users/default.nix @@ -6,7 +6,13 @@ uid = 1000; home = "/home/tdback"; group = "tdback"; - extraGroups = [ "wheel" "users" "networkmanager" "video" "audio" ]; + extraGroups = [ + "wheel" + "users" + "networkmanager" + "video" + "audio" + ]; shell = pkgs.bash; ignoreShellProgramCheck = true; }; |