lorenzo/servers
1
0
Fork 0
Code Pull requests Packages Activity

Nixfmt Tree

Browse source
This commit is contained in:
Lorenzo Good 2026-02-24 00:00:35 -08:00
parent d6bcf1a468
commit f173b9d236
Signed by: lorenzo
GPG key ID: 7FCD64BD81180ED0
23 changed files with 381 additions and 224 deletions
Download patch file Download diff file Expand all files Collapse all files

13
common/backups/restic.nix
View file

@ -3,10 +3,17 @@
pkgs, pkgs,
lib, lib,
... ...
}: let }:
inherit (lib) mkIf mkEnableOption mkOption types; let
inherit (lib)
mkIf
mkEnableOption
mkOption
types
;
cfg = config.foehammer.backups.restic; cfg = config.foehammer.backups.restic;
in { in
{
options.foehammer.backups.restic = { options.foehammer.backups.restic = {
enable = mkEnableOption "Enable restic backups"; enable = mkEnableOption "Enable restic backups";

11
common/caddy.nix
View file

@ -2,10 +2,12 @@
config, config,
lib, lib,
... ...
}: let }:
let
inherit (lib) mkIf mkEnableOption; inherit (lib) mkIf mkEnableOption;
cfg = config.foehammer.caddy; cfg = config.foehammer.caddy;
in { in
{
options.foehammer.caddy.enable = mkEnableOption "Enable caddy with default configuration."; options.foehammer.caddy.enable = mkEnableOption "Enable caddy with default configuration.";
config = mkIf cfg.enable { config = mkIf cfg.enable {
services.caddy = { services.caddy = {
@ -13,6 +15,9 @@ in {
email = "foehammer127points+acme@gmail.com"; email = "foehammer127points+acme@gmail.com";
}; };
networking.firewall.allowedTCPPorts = [80 443]; networking.firewall.allowedTCPPorts = [
80
443
];
}; };
} }

18
common/nix.nix
View file

@ -1,4 +1,5 @@
{...}: { { ... }:
{
nix = { nix = {
extraOptions = '' extraOptions = ''
experimental-features = nix-command flakes experimental-features = nix-command flakes
@ -17,10 +18,19 @@
"nix-command" "nix-command"
]; ];
trusted-users = ["root" "@wheel"]; trusted-users = [
"root"
"@wheel"
];
substituters = ["https://cache.nixos.org" "https://cache.garnix.io"]; substituters = [
trusted-public-keys = ["cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="]; "https://cache.nixos.org"
"https://cache.garnix.io"
];
trusted-public-keys = [
"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
];
}; };
}; };
} }

16
common/nixos.nix
View file

@ -3,20 +3,28 @@
lib, lib,
pkgs, pkgs,
... ...
}: let }:
let
inherit (lib) mkIf; inherit (lib) mkIf;
in { in
{
config = { config = {
users.mutableUsers = false; users.mutableUsers = false;
environment.systemPackages = with pkgs; [neovim git]; environment.systemPackages = with pkgs; [
neovim
git
];
networking = { networking = {
firewall = { firewall = {
enable = true; enable = true;
}; };
nameservers = ["1.1.1.1" "8.8.8.8"]; nameservers = [
"1.1.1.1"
"8.8.8.8"
];
# If using dhcpcd: # If using dhcpcd:
dhcpcd.extraConfig = mkIf config.networking.dhcpcd.enable "nohook resolv.conf"; dhcpcd.extraConfig = mkIf config.networking.dhcpcd.enable "nohook resolv.conf";
# If using NetworkManager: # If using NetworkManager:

17
common/services/authelia.nix
View file

@ -2,11 +2,18 @@
config, config,
lib, lib,
... ...
}: let }:
inherit (lib) mkIf types mkOption mkEnableOption; let
inherit (lib)
mkIf
types
mkOption
mkEnableOption
;
cfg = config.foehammer.services.authelia; cfg = config.foehammer.services.authelia;
in { in
{
options.foehammer.services.authelia = { options.foehammer.services.authelia = {
enable = mkEnableOption "Enable authelia server component."; enable = mkEnableOption "Enable authelia server component.";
domain = mkOption { domain = mkOption {
@ -27,7 +34,6 @@ in {
type = types.path; type = types.path;
}; };
# https://www.authelia.com/integration/ldap/lldap/ # https://www.authelia.com/integration/ldap/lldap/
ldap = { ldap = {
addr = mkOption { addr = mkOption {
@ -190,8 +196,7 @@ in {
}; };
secrets = { secrets = {
inherit inherit (cfg)
(cfg)
jwtSecretFile jwtSecretFile
oidcIssuerPrivateKeyFile oidcIssuerPrivateKeyFile
oidcHmacSecretFile oidcHmacSecretFile

6
common/services/gitea.nix
View file

@ -3,11 +3,13 @@
lib, lib,
pkgs, pkgs,
... ...
}: let }:
let
inherit (lib) mkEnableOption mkIf mkOption; inherit (lib) mkEnableOption mkIf mkOption;
cfg = config.foehammer.services.forgejo; cfg = config.foehammer.services.forgejo;
in { in
{
options.foehammer.services.forgejo = { options.foehammer.services.forgejo = {
enable = mkEnableOption "Enable Gitea Server"; enable = mkEnableOption "Enable Gitea Server";

6
common/services/goatcounter.nix
View file

@ -3,11 +3,13 @@
lib, lib,
pkgs, pkgs,
... ...
}: let }:
let
inherit (lib) mkEnableOption mkIf mkOption; inherit (lib) mkEnableOption mkIf mkOption;
cfg = config.foehammer.services.goatcounter; cfg = config.foehammer.services.goatcounter;
in { in
{
options.foehammer.services.goatcounter = { options.foehammer.services.goatcounter = {
enable = mkEnableOption "Enable goatcounter server"; enable = mkEnableOption "Enable goatcounter server";

13
common/services/lldap.nix
View file

@ -3,11 +3,18 @@
lib, lib,
pkgs, pkgs,
... ...
}: let }:
inherit (lib) mkEnableOption types mkIf mkOption; let
inherit (lib)
mkEnableOption
types
mkIf
mkOption
;
cfg = config.foehammer.services.lldap; cfg = config.foehammer.services.lldap;
in { in
{
options.foehammer.services.lldap = { options.foehammer.services.lldap = {
enable = mkEnableOption "Enable LLDAP Server"; enable = mkEnableOption "Enable LLDAP Server";

6
common/services/vaultwarden.nix
View file

@ -3,11 +3,13 @@
lib, lib,
pkgs, pkgs,
... ...
}: let }:
let
inherit (lib) mkEnableOption mkIf mkOption; inherit (lib) mkEnableOption mkIf mkOption;
cfg = config.foehammer.services.vaultwarden; cfg = config.foehammer.services.vaultwarden;
in { in
{
options.foehammer.services.vaultwarden = { options.foehammer.services.vaultwarden = {
enable = mkEnableOption "Enable Vaultwarden Server"; enable = mkEnableOption "Enable Vaultwarden Server";

3
common/sudo.nix
View file

@ -1,4 +1,5 @@
{...}: { { ... }:
{
security.sudo = { security.sudo = {
enable = true; enable = true;
execWheelOnly = true; execWheelOnly = true;

13
common/tailscale.nix
View file

@ -2,10 +2,17 @@
config, config,
lib, lib,
... ...
}: let }:
inherit (lib) mkEnableOption mkOption types mkIf; let
inherit (lib)
mkEnableOption
mkOption
types
mkIf
;
cfg = config.foehammer.tailscale; cfg = config.foehammer.tailscale;
in { in
{
options.foehammer.tailscale = { options.foehammer.tailscale = {
enable = mkEnableOption "Enable tailscale"; enable = mkEnableOption "Enable tailscale";
authKeyFile = mkOption { authKeyFile = mkOption {

14
common/users/admin.nix
View file

@ -3,10 +3,18 @@
lib, lib,
foelib, foelib,
... ...
}: let }:
inherit (lib) mkIf mkOption mkEnableOption optionals types; let
inherit (lib)
mkIf
mkOption
mkEnableOption
optionals
types
;
cfg = config.foehammer.users.admin; cfg = config.foehammer.users.admin;
in { in
{
options.foehammer.users.admin = { options.foehammer.users.admin = {
enable = mkEnableOption "Enable a wheel admin user."; enable = mkEnableOption "Enable a wheel admin user.";
hashedPasswordFile = mkOption { hashedPasswordFile = mkOption {

30
flake.nix
View file

@ -5,18 +5,27 @@
flake-parts.url = "github:hercules-ci/flake-parts"; flake-parts.url = "github:hercules-ci/flake-parts";
}; };
outputs = inputs @ {self, ...}: outputs =
inputs.flake-parts.lib.mkFlake {inherit inputs;} (toplevel @ {withSystem, ...}: { inputs@{ self, ... }:
systems = ["aarch64-darwin" "aarch64-linux" "x86_64-linux"]; inputs.flake-parts.lib.mkFlake { inherit inputs; } (
toplevel@{ withSystem, ... }:
{
systems = [
"aarch64-darwin"
"aarch64-linux"
"x86_64-linux"
];
perSystem = { perSystem =
{
config, config,
self', self',
inputs', inputs',
pkgs, pkgs,
system, system,
... ...
}: { }:
{
_module.args.pkgs = import inputs.nixpkgs { _module.args.pkgs = import inputs.nixpkgs {
localSystem = system; localSystem = system;
config = { config = {
@ -26,6 +35,10 @@
# overlays = [self.overlays.default]; # overlays = [self.overlays.default];
}; };
devShells.default = pkgs.mkShell {
buildInputs = with pkgs; [ nixfmt-tree ];
};
# packages = import ./lib/packages.nix pkgs; # packages = import ./lib/packages.nix pkgs;
}; };
@ -34,9 +47,12 @@
# overlays.default = final: prev: (import ./lib/packages.nix prev); # overlays.default = final: prev: (import ./lib/packages.nix prev);
nixosModules.default = {...}: { nixosModules.default =
{ ... }:
{
imports = self.lib.utils.findNixFiles ./common; imports = self.lib.utils.findNixFiles ./common;
}; };
}; };
}); }
);
} }

3
lib/data.nix
View file

@ -1,5 +1,6 @@
rec { rec {
getSSHKeys = let getSSHKeys =
let
sshKeys = builtins.fromTOML (builtins.readFile ../data/ssh-keys.toml); sshKeys = builtins.fromTOML (builtins.readFile ../data/ssh-keys.toml);
in in
name: (builtins.mapAttrs (_: value: builtins.attrValues value) sshKeys)."${name}"; name: (builtins.mapAttrs (_: value: builtins.attrValues value) sshKeys)."${name}";

19
lib/nixos.nix
View file

@ -1,12 +1,14 @@
nixpkgs: withSystem: let nixpkgs: withSystem:
let
foelib = import ./default.nix nixpkgs withSystem; foelib = import ./default.nix nixpkgs withSystem;
in { in
mkSystem = hostname: host-platform: modules: {
withSystem host-platform mkSystem =
({pkgs, ...}: hostname: host-platform: modules:
withSystem host-platform (
{ pkgs, ... }:
nixpkgs.lib.nixosSystem { nixpkgs.lib.nixosSystem {
modules = modules = [
[
{ {
nix.registry = { nix.registry = {
nixpkgs.flake = nixpkgs; nixpkgs.flake = nixpkgs;
@ -21,5 +23,6 @@ in {
specialArgs = { specialArgs = {
inherit hostname foelib; inherit hostname foelib;
}; };
}); }
);
} }

29
lib/packages.nix
View file

@ -1,24 +1,21 @@
pkgs: let pkgs:
getPackages = dir: let let
getPackages =
dir:
let
entries = builtins.readDir dir; entries = builtins.readDir dir;
procEntry = name: type: let procEntry =
name: type:
let
path = dir + "/${name}"; path = dir + "/${name}";
in in
if type == "directory" if type == "directory" then
then (if builtins.pathExists (path + "/default.nix") then [ path ] else [ ])
( else
if builtins.pathExists (path + "/default.nix") [ ];
then [path]
else []
)
else [];
in in
builtins.concatLists ( builtins.concatLists (builtins.attrValues (builtins.mapAttrs procEntry entries));
builtins.attrValues (
builtins.mapAttrs procEntry entries
)
);
buildPackage = path: { buildPackage = path: {
name = builtins.baseNameOf (toString path); name = builtins.baseNameOf (toString path);

47
lib/utils.nix
View file

@ -1,6 +1,13 @@
rec { rec {
findNixFiles = dir: let findNixFiles =
inherit (builtins) attrNames readDir pathExists concatMap; dir:
let
inherit (builtins)
attrNames
readDir
pathExists
concatMap
;
# Helper function to build full paths # Helper function to build full paths
fullPath = name: dir + "/${name}"; fullPath = name: dir + "/${name}";
@ -12,36 +19,36 @@ rec {
names = attrNames contents; names = attrNames contents;
# Filter and process each item # Filter and process each item
processItem = name: let processItem =
name:
let
path = fullPath name; path = fullPath name;
type = contents.${name}; type = contents.${name};
in in
if type == "regular" && hasSuffix "nix" name if type == "regular" && hasSuffix "nix" name then
then [path] [ path ]
else if type == "directory" && pathExists path else if type == "directory" && pathExists path then
then findNixFiles path findNixFiles path
else []; else
[ ];
in in
concatMap processItem names; concatMap processItem names;
getName = filename: let getName =
filename:
let
parts = builtins.split "\\." filename; parts = builtins.split "\\." filename;
base = builtins.head (builtins.split "\\." filename); base = builtins.head (builtins.split "\\." filename);
in in
if builtins.length parts == 1 if builtins.length parts == 1 then filename else base;
then filename
else base;
getSuffix = filename: let getSuffix =
filename:
let
parts = builtins.split "\\." filename; parts = builtins.split "\\." filename;
end = builtins.tail (builtins.split "\\." filename); end = builtins.tail (builtins.split "\\." filename);
in in
if builtins.length parts == 1 if builtins.length parts == 1 then filename else builtins.elemAt end (builtins.length end - 1);
then filename
else builtins.elemAt end (builtins.length end - 1);
hasSuffix = suffix: filename: hasSuffix = suffix: filename: if (getSuffix filename) == suffix then true else false;
if (getSuffix filename) == suffix
then true
else false;
} }

9
machines/lebesgue/config/configuration.nix
View file

@ -3,7 +3,8 @@
lib, lib,
pkgs, pkgs,
... ...
}: { }:
{
foehammer = { foehammer = {
users.admin = { users.admin = {
enable = true; enable = true;
@ -62,7 +63,11 @@
environmentFile = config.sops.secrets.restic-env.path; environmentFile = config.sops.secrets.restic-env.path;
passwordFile = config.sops.secrets.restic-password.path; passwordFile = config.sops.secrets.restic-password.path;
paths = ["/var/lib/vaultwarden" "/var/lib/authelia" "/var/lib/forgejo"]; paths = [
"/var/lib/vaultwarden"
"/var/lib/authelia"
"/var/lib/forgejo"
];
}; };
tailscale = { tailscale = {

43
machines/lebesgue/config/hardware-configuration.nix
View file

@ -4,14 +4,21 @@
pkgs, pkgs,
modulesPath, modulesPath,
... ...
}: { }:
{
imports = [ imports = [
(modulesPath + "/profiles/qemu-guest.nix") (modulesPath + "/profiles/qemu-guest.nix")
]; ];
services.qemuGuest.enable = true; services.qemuGuest.enable = true;
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"]; boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"sr_mod"
"virtio_blk"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
@ -45,27 +52,51 @@
fileSystems."/" = { fileSystems."/" = {
device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = ["subvol=root" "defaults" "noatime" "compress=zstd:1" "discard=async" "nodatacow"]; options = [
"subvol=root"
"defaults"
"noatime"
"compress=zstd:1"
"discard=async"
"nodatacow"
];
}; };
fileSystems."/nix" = { fileSystems."/nix" = {
device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
neededForBoot = true; neededForBoot = true;
options = ["subvol=nix" "defaults" "noatime" "compress=zstd:3" "discard=async" "nodatacow"]; options = [
"subvol=nix"
"defaults"
"noatime"
"compress=zstd:3"
"discard=async"
"nodatacow"
];
}; };
fileSystems."/persist" = { fileSystems."/persist" = {
device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
neededForBoot = true; neededForBoot = true;
options = ["subvol=persist" "defaults" "noatime" "compress=zstd:1" "discard=async" "nodatacow"]; options = [
"subvol=persist"
"defaults"
"noatime"
"compress=zstd:1"
"discard=async"
"nodatacow"
];
}; };
fileSystems."/boot" = { fileSystems."/boot" = {
device = "/dev/disk/by-label/NIXBOOT"; device = "/dev/disk/by-label/NIXBOOT";
fsType = "vfat"; fsType = "vfat";
options = ["fmask=0077" "dmask=0077"]; options = [
"fmask=0077"
"dmask=0077"
];
}; };
swapDevices = [ ]; swapDevices = [ ];

3
machines/lebesgue/config/routing.nix
View file

@ -1,4 +1,5 @@
{config, ...}: { { config, ... }:
{
foehammer.caddy.enable = true; foehammer.caddy.enable = true;
services.caddy = { services.caddy = {

21
machines/lebesgue/config/secrets.nix
View file

@ -1,22 +1,31 @@
{...}: { { ... }:
{
sops = { sops = {
defaultSopsFile = ../secrets/main.yaml; defaultSopsFile = ../secrets/main.yaml;
secrets = let secrets =
let
autheliaSecret = { autheliaSecret = {
owner = "authelia-main"; owner = "authelia-main";
sopsFile = ../secrets/authelia/secrets.yaml; sopsFile = ../secrets/authelia/secrets.yaml;
}; };
in { in
{
admin-password.neededForUsers = true; admin-password.neededForUsers = true;
tskey = { }; tskey = { };
vaultwarden-env = { }; vaultwarden-env = { };
restic-env = {owner = "restic";}; restic-env = {
restic-password = {owner = "restic";}; owner = "restic";
restic-repository = {owner = "restic";}; };
restic-password = {
owner = "restic";
};
restic-repository = {
owner = "restic";
};
lldap-admin-password.owner = "lldap"; lldap-admin-password.owner = "lldap";

10
machines/lebesgue/config/state.nix
View file

@ -1,4 +1,5 @@
{config, ...}: { { config, ... }:
{
sops.age.sshKeyPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ]; sops.age.sshKeyPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ];
environment.persistence."/persist" = { environment.persistence."/persist" = {
@ -14,7 +15,12 @@
"/var/lib/caddy/.local/share/caddy" "/var/lib/caddy/.local/share/caddy"
"/var/lib/vaultwarden" "/var/lib/vaultwarden"
{ directory = "/var/lib/lldap"; user = "lldap"; group = "lldap"; mode = "0700"; } {
directory = "/var/lib/lldap";
user = "lldap";
group = "lldap";
mode = "0700";
}
]; ];
files = [ files = [

37
machines/lebesgue/flake.nix
View file

@ -12,16 +12,26 @@
url = "github:nix-community/impermanence"; url = "github:nix-community/impermanence";
}; };
}; };
outputs = inputs @ {common, ...}: let outputs =
supportedSystems = ["x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin"]; inputs@{ common, ... }:
let
supportedSystems = [
"x86_64-linux"
"aarch64-linux"
"x86_64-darwin"
"aarch64-darwin"
];
forAllSystems = inputs.nixpkgs.lib.genAttrs supportedSystems; forAllSystems = inputs.nixpkgs.lib.genAttrs supportedSystems;
buildNixpkgs = system: buildNixpkgs =
system:
import inputs.nixpkgs { import inputs.nixpkgs {
inherit system; inherit system;
overlays = [ ]; overlays = [ ];
}; };
in { in
nixosConfigurations.default = let {
nixosConfigurations.default =
let
config = common.lib.utils.findNixFiles ./config; config = common.lib.utils.findNixFiles ./config;
modules = [ modules = [
inputs.sops-nix.nixosModules.sops inputs.sops-nix.nixosModules.sops
@ -31,12 +41,19 @@
in in
common.lib.mkSystem "lebesgue" "x86_64-linux" (config ++ modules); common.lib.mkSystem "lebesgue" "x86_64-linux" (config ++ modules);
devShells = forAllSystems (system: let devShells = forAllSystems (
system:
let
pkgs = buildNixpkgs system; pkgs = buildNixpkgs system;
in { in
{
default = pkgs.mkShell { default = pkgs.mkShell {
buildInputs = with pkgs; [sops nixos-rebuild]; buildInputs = with pkgs; [
}; sops
}); nixos-rebuild
];
};
}
);
}; };
} }