Diffstat (limited to 'os')
50 files changed, 1068 insertions, 819 deletions
diff --git a/os/cez/configuration.nix b/os/cez/configuration.nix index af2d144..a069f21 100644 --- a/os/cez/configuration.nix +++ b/os/cez/configuration.nix @@ -1,4 +1,5 @@ -{ ... }: { +{ ... }: +{ imports = [ ../pc/configuration.nix ./hardware-configuration.nix diff --git a/os/cez/hardware-configuration.nix b/os/cez/hardware-configuration.nix index f1d5f32..3877852 100644 --- a/os/cez/hardware-configuration.nix +++ b/os/cez/hardware-configuration.nix @@ -1,4 +1,11 @@ -{ modulesPath, nixos-hardware, config, pkgs, lib, ... }: +{ + modulesPath, + nixos-hardware, + config, + pkgs, + lib, + ... +}: { imports = [ @@ -13,10 +20,12 @@ }; services.xserver.videoDrivers = [ "modesetting" ]; - swapDevices = [{ - device = "/swapfile"; - size = 14 * 1024; # 14GB - }]; + swapDevices = [ + { + device = "/swapfile"; + size = 14 * 1024; # 14GB + } + ]; boot = { kernelPackages = lib.mkForce pkgs.linuxPackages; @@ -24,8 +33,7 @@ blacklistedKernelModules = [ "k10temp" ]; extraModulePackages = with config.boot.kernelPackages; [ zenpower ]; - initrd.luks.devices."crypt".device = - "/dev/disk/by-uuid/84acd784-caad-41a1-a2e4-39468d01fefd"; + initrd.luks.devices."crypt".device = "/dev/disk/by-uuid/84acd784-caad-41a1-a2e4-39468d01fefd"; }; fileSystems = { diff --git a/os/cez/modules/specialisation.nix b/os/cez/modules/specialisation.nix index abc08e8..e401e1b 100644 --- a/os/cez/modules/specialisation.nix +++ b/os/cez/modules/specialisation.nix @@ -1,4 +1,5 @@ -{ lib, ... }: { +{ lib, ... }: +{ specialisation.nvidia.configuration = { boot = { kernelParams = [ "transparent_hugepage=always" ]; diff --git a/os/cez/modules/tlp.nix b/os/cez/modules/tlp.nix index 1ccd539..887dcec 100644 --- a/os/cez/modules/tlp.nix +++ b/os/cez/modules/tlp.nix @@ -1,4 +1,5 @@ -{ ... }: { +{ ... }: +{ services.tlp = { enable = true; diff --git a/os/cez/modules/wireguard.nix b/os/cez/modules/wireguard.nix index c52087a..47b857a 100644 --- a/os/cez/modules/wireguard.nix +++ b/os/cez/modules/wireguard.nix 
@@ -1,4 +1,5 @@ -{ config, pkgs, ... }: let +{ config, pkgs, ... }: +let domain = config.global.userdata.domain; wgIface = "kay"; @@ -21,8 +22,9 @@ fi ''; }; -in { - sops.secrets."misc/wireguard" = {}; +in +{ + sops.secrets."misc/wireguard" = { }; networking.wg-quick.interfaces.${wgIface} = { autostart = false; @@ -31,16 +33,18 @@ in { mtu = 1412; privateKeyFile = config.sops.secrets."misc/wireguard".path; - peers = [{ - publicKey = "wJMyQDXmZO4MjYRk6NK4+J6ZKWLTTZygAH+OwbPjOiw="; - allowedIPs = [ - "10.0.1.0/24" - "104.16.0.0/12" - "172.64.0.0/13" - ]; - endpoint = "${domain}:51820"; - persistentKeepalive = 25; - }]; + peers = [ + { + publicKey = "wJMyQDXmZO4MjYRk6NK4+J6ZKWLTTZygAH+OwbPjOiw="; + allowedIPs = [ + "10.0.1.0/24" + "104.16.0.0/12" + "172.64.0.0/13" + ]; + endpoint = "${domain}:51820"; + persistentKeepalive = 25; + } + ]; }; environment.systemPackages = [ helper ]; diff --git a/os/cez/modules/www.nix b/os/cez/modules/www.nix deleted file mode 100644 index 9ec20da..0000000 --- a/os/cez/modules/www.nix +++ /dev/null @@ -1,46 +0,0 @@ -{ config, pkgs, lib, ... }: - -let - domain = config.global.userdata.domain; -in -{ - services.nginx = { - enable = true; - - recommendedTlsSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - recommendedProxySettings = true; - recommendedBrotliSettings = true; - - virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; - useACMEHost = domain; - locations."= /" = { - extraConfig = "add_header Content-Type text/html;"; - return = ''200 - '<!DOCTYPE html> - <html lang="en"> - <head> - <meta charset="UTF-8"> - <title>Nix Cache</title> - </head> - <body> - <center> - <h1 style="font-size: 8em"> - ❄️ Nix Cache - </h1> - <p style="font-weight: bold"> - Public Key: nixbin.sinanmohd.com:dXV3KDPVrm+cGJ2M1ZmTeQJqFGaEapqiVoWHgYDh03k= - </p> - </center> - </body> - </html>' - ''; - }; - }; - - }; - }; -} 
diff --git a/os/common/configuration.nix b/os/common/configuration.nix index 17b8f2a..b1dd263 100644 --- a/os/common/configuration.nix +++ b/os/common/configuration.nix @@ -1,6 +1,13 @@ -{ config, pkgs, lib, ... }: let +{ + config, + pkgs, + lib, + ... +}: +let host = config.networking.hostName; -in { +in +{ disabledModules = [ "services/networking/pppd.nix" ]; @@ -15,16 +22,20 @@ in { time.timeZone = "Asia/Kolkata"; networking.useDHCP = false; - swapDevices = lib.mkDefault [{ - device = "/swapfile"; - size = 2048; # 2GB - }]; + swapDevices = lib.mkDefault [ + { + device = "/swapfile"; + size = 2048; # 2GB + } + ]; - services.udev.extraRules = let - cmd = "${pkgs.systemd}/bin/systemctl hibernate"; - in '' - SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{capacity}=="[0-5]", RUN+="${cmd}" - ''; + services.udev.extraRules = + let + cmd = "${pkgs.systemd}/bin/systemctl hibernate"; + in + '' + SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{capacity}=="[0-5]", RUN+="${cmd}" + ''; sops = { defaultSopsFile = ../${host}/secrets.yaml; @@ -47,5 +58,10 @@ in { ''; nixpkgs.config.allowUnfreePredicate = - pkg: builtins.elem (lib.getName pkg) [ "nvidia-x11" "slack" "spotify" ]; + pkg: + builtins.elem (lib.getName pkg) [ + "nvidia-x11" + "slack" + "spotify" + ]; } diff --git a/os/common/modules/environment.nix b/os/common/modules/environment.nix index 38446f2..576d756 100644 --- a/os/common/modules/environment.nix +++ b/os/common/modules/environment.nix @@ -1,4 +1,5 @@ -{ pkgs, lib, ... }: { +{ pkgs, lib, ... }: +{ environment = { binsh = lib.getExe pkgs.dash; systemPackages = with pkgs; [ diff --git a/os/common/modules/nix.nix b/os/common/modules/nix.nix index f850e24..b733c9c 100644 --- a/os/common/modules/nix.nix +++ b/os/common/modules/nix.nix 
@@ -1,8 +1,12 @@ -{ ... }: { +{ ... }: +{ nix.settings = { auto-optimise-store = true; use-xdg-base-directories = true; - experimental-features = [ "flakes" "nix-command" ]; + experimental-features = [ + "flakes" + "nix-command" + ]; substituters = [ "https://nixbin.sinanmohd.com" diff --git a/os/common/modules/pppd.nix b/os/common/modules/pppd.nix index 772cb29..69c37b8 100644 --- a/os/common/modules/pppd.nix +++ b/os/common/modules/pppd.nix @@ -1,10 +1,20 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: with lib; let cfg = config.services.pppd; - shTypes = [ "ip-up" "ip-down" "ipv6-up" "ipv6-down" ]; + shTypes = [ + "ip-up" + "ip-down" + "ipv6-up" + "ipv6-down" + ]; in { meta = { 
@@ -46,232 +56,249 @@ in }; script = mkOption { - default = {}; + default = { }; description = lib.mdoc '' script which is executed when the link is available for sending and receiving IP packets or when the link is no longer available for sending and receiving IP packets, see pppd(8) for more details ''; - type = types.attrsOf (types.submodule ( - { name, ... }: - { - options = { - name = mkOption { - type = types.str; - default = name; - example = "01-ddns.sh"; - description = lib.mdDoc "Name of the script."; - }; - type = mkOption { - default = "ip-up"; - type = types.enum shTypes; - description = lib.mdDoc "Type of the script."; - }; - text = mkOption { - type = types.lines; - default = ""; - description = lib.mdDoc "Shell commands to be executed."; - }; - runtimeInputs = mkOption { - type = types.listOf types.package; - default = []; - description = lib.mdDoc "dependencies of the shell script"; + type = types.attrsOf ( + types.submodule ( + { name, ... }: + { + options = { + name = mkOption { + type = types.str; + default = name; + example = "01-ddns.sh"; + description = lib.mdDoc "Name of the script."; + }; + type = mkOption { + default = "ip-up"; + type = types.enum shTypes; + description = lib.mdDoc "Type of the script."; + }; + text = mkOption { + type = types.lines; + default = ""; + description = lib.mdDoc "Shell commands to be executed."; + }; + runtimeInputs = mkOption { + type = types.listOf types.package; + default = [ ]; + description = lib.mdDoc "dependencies of the shell script"; + }; }; - }; - } - )); + } + ) + ); }; peers = mkOption { - default = {}; + default = { }; description = lib.mdDoc "pppd peers."; - type = types.attrsOf (types.submodule ( - { name, ... }: - { - options = { - name = mkOption { - type = types.str; - default = name; - example = "dialup"; - description = lib.mdDoc "Name of the PPP peer."; - }; + type = types.attrsOf ( + types.submodule ( + { name, ... 
}: + { + options = { + name = mkOption { + type = types.str; + default = name; + example = "dialup"; + description = lib.mdDoc "Name of the PPP peer."; + }; - enable = mkOption { - type = types.bool; - default = true; - example = false; - description = lib.mdDoc "Whether to enable this PPP peer."; - }; + enable = mkOption { + type = types.bool; + default = true; + example = false; + description = lib.mdDoc "Whether to enable this PPP peer."; + }; - autostart = mkOption { - type = types.bool; - default = true; - example = false; - description = lib.mdDoc "Whether the PPP session is automatically started at boot time."; - }; + autostart = mkOption { + type = types.bool; + default = true; + example = false; + description = lib.mdDoc "Whether the PPP session is automatically started at boot time."; + }; - config = mkOption { - type = types.lines; - default = ""; - description = lib.mdDoc "pppd configuration for this peer, see the pppd(8) man page."; - }; + config = mkOption { + type = types.lines; + default = ""; + description = lib.mdDoc "pppd configuration for this peer, see the pppd(8) man page."; + }; - configFile = mkOption { - type = types.nullOr types.path; - default = null; - example = literalExpression "/run/secrets/ppp/peer/options"; - description = lib.mdDoc "pppd configuration file for this peer, see the pppd(8) man page."; + configFile = mkOption { + type = types.nullOr types.path; + default = null; + example = literalExpression "/run/secrets/ppp/peer/options"; + description = lib.mdDoc "pppd configuration file for this peer, see the pppd(8) man page."; + }; }; - }; - } - )); + } + ) + ); }; }; - config = let - enabledConfigs = filter (f: f.enable) (attrValues cfg.peers); + config = + let + enabledConfigs = filter (f: f.enable) (attrValues cfg.peers); - defaultCfg = if (cfg.config != "") then { - "ppp/options".text = cfg.config; - } else {}; + defaultCfg = + if (cfg.config != "") then + { + "ppp/options".text = cfg.config; + } + else + { }; - mkPeers = 
peerCfg: with peerCfg; let - key = if (configFile == null) then "text" else "source"; - val = if (configFile == null) then peerCfg.config else configFile; - in - { - name = "ppp/peers/${name}"; - value.${key} = val; - }; - - enabledSh = filter (s: s.text != "") (attrValues cfg.script); - mkMsh = name : { - name = "ppp/${name}"; - value.mode = "0755"; - value.text = '' - #!/bin/sh + mkPeers = + peerCfg: + with peerCfg; + let + key = if (configFile == null) then "text" else "source"; + val = if (configFile == null) then peerCfg.config else configFile; + in + { + name = "ppp/peers/${name}"; + value.${key} = val; + }; - # see the pppd(8) man page - for s in /etc/ppp/${name}.d/*.sh; do - [ -x "$s" ] && "$s" "$@" - done - ''; - }; - mkUsh = shCfg : { - name = "ppp/${shCfg.type}.d/${shCfg.name}.sh"; - value.mode = "0755"; - value.text = '' - #!/bin/sh - export PATH="${makeBinPath shCfg.runtimeInputs}:$PATH" + enabledSh = filter (s: s.text != "") (attrValues cfg.script); + mkMsh = name: { + name = "ppp/${name}"; + value.mode = "0755"; + value.text = '' + #!/bin/sh - ${shCfg.text} - ''; - }; + # see the pppd(8) man page + for s in /etc/ppp/${name}.d/*.sh; do + [ -x "$s" ] && "$s" "$@" + done + ''; + }; + mkUsh = shCfg: { + name = "ppp/${shCfg.type}.d/${shCfg.name}.sh"; + value.mode = "0755"; + value.text = '' + #!/bin/sh + export PATH="${makeBinPath shCfg.runtimeInputs}:$PATH" - enabledSec = let - l = attrNames cfg.secret; - f = (s: cfg.secret.${s} != null); - in filter f l; - mkSec = sec : { - name = "ppp/${sec}-secrets"; - value.source = cfg.secret.${sec}; - }; + ${shCfg.text} + ''; + }; - mkSystemd = peerCfg: { - name = "pppd-${peerCfg.name}"; - value = { - restartTriggers = [ config.environment.etc."ppp/peers/${peerCfg.name}".source ]; - before = [ "network.target" ]; - wants = [ "network.target" ]; - after = [ "network-pre.target" ]; - environment = { - # pppd likes to write directly into /var/run. 
This is rude - # on a modern system, so we use libredirect to transparently - # move those files into /run/pppd. - LD_PRELOAD = "${pkgs.libredirect}/lib/libredirect.so"; - NIX_REDIRECTS = "/var/run=/run/pppd"; - }; - serviceConfig = let - capabilities = [ - "CAP_BPF" - "CAP_SYS_TTY_CONFIG" - "CAP_NET_ADMIN" - "CAP_NET_RAW" - ]; + enabledSec = + let + l = attrNames cfg.secret; + f = (s: cfg.secret.${s} != null); in - { - ExecStart = "${getBin cfg.package}/sbin/pppd call ${peerCfg.name} nodetach nolog"; - Restart = "always"; - RestartSec = 5; + filter f l; + mkSec = sec: { + name = "ppp/${sec}-secrets"; + value.source = cfg.secret.${sec}; + }; + + mkSystemd = peerCfg: { + name = "pppd-${peerCfg.name}"; + value = { + restartTriggers = [ config.environment.etc."ppp/peers/${peerCfg.name}".source ]; + before = [ "network.target" ]; + wants = [ "network.target" ]; + after = [ "network-pre.target" ]; + environment = { + # pppd likes to write directly into /var/run. This is rude + # on a modern system, so we use libredirect to transparently + # move those files into /run/pppd. + LD_PRELOAD = "${pkgs.libredirect}/lib/libredirect.so"; + NIX_REDIRECTS = "/var/run=/run/pppd"; + }; + serviceConfig = + let + capabilities = [ + "CAP_BPF" + "CAP_SYS_TTY_CONFIG" + "CAP_NET_ADMIN" + "CAP_NET_RAW" + ]; + in + { + ExecStart = "${getBin cfg.package}/sbin/pppd call ${peerCfg.name} nodetach nolog"; + Restart = "always"; + RestartSec = 5; - AmbientCapabilities = capabilities; - CapabilityBoundingSet = capabilities; - KeyringMode = "private"; - LockPersonality = true; - MemoryDenyWriteExecute = true; - NoNewPrivileges = true; - PrivateMounts = true; - PrivateTmp = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelModules = true; - # pppd can be configured to tweak kernel settings. 
- ProtectKernelTunables = false; - ProtectSystem = "strict"; - RemoveIPC = true; - RestrictAddressFamilies = [ - "AF_ATMPVC" - "AF_ATMSVC" - "AF_INET" - "AF_INET6" - "AF_IPX" - "AF_NETLINK" - "AF_PACKET" - "AF_PPPOX" - "AF_UNIX" - ]; - RestrictNamespaces = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - SecureBits = "no-setuid-fixup-locked noroot-locked"; - SystemCallFilter = "@system-service"; - SystemCallArchitectures = "native"; + AmbientCapabilities = capabilities; + CapabilityBoundingSet = capabilities; + KeyringMode = "private"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateMounts = true; + PrivateTmp = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelModules = true; + # pppd can be configured to tweak kernel settings. + ProtectKernelTunables = false; + ProtectSystem = "strict"; + RemoveIPC = true; + RestrictAddressFamilies = [ + "AF_ATMPVC" + "AF_ATMSVC" + "AF_INET" + "AF_INET6" + "AF_IPX" + "AF_NETLINK" + "AF_PACKET" + "AF_PPPOX" + "AF_UNIX" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SecureBits = "no-setuid-fixup-locked noroot-locked"; + SystemCallFilter = "@system-service"; + SystemCallArchitectures = "native"; - # All pppd instances on a system must share a runtime - # directory in order for PPP multilink to work correctly. So - # we give all instances the same /run/pppd directory to store - # things in. - # - # For the same reason, we can't set PrivateUsers=true, because - # all instances need to run as the same user to access the - # multilink database. - RuntimeDirectory = "pppd"; - RuntimeDirectoryPreserve = true; + # All pppd instances on a system must share a runtime + # directory in order for PPP multilink to work correctly. So + # we give all instances the same /run/pppd directory to store + # things in. 
+ # + # For the same reason, we can't set PrivateUsers=true, because + # all instances need to run as the same user to access the + # multilink database. + RuntimeDirectory = "pppd"; + RuntimeDirectoryPreserve = true; + }; + wantedBy = mkIf peerCfg.autostart [ "multi-user.target" ]; }; - wantedBy = mkIf peerCfg.autostart [ "multi-user.target" ]; }; - }; - etcFiles = listToAttrs (map mkPeers enabledConfigs) // - listToAttrs (map mkMsh shTypes) // - listToAttrs (map mkUsh enabledSh) // - listToAttrs (map mkSec enabledSec) // - defaultCfg; + etcFiles = + listToAttrs (map mkPeers enabledConfigs) + // listToAttrs (map mkMsh shTypes) + // listToAttrs (map mkUsh enabledSh) + // listToAttrs (map mkSec enabledSec) + // defaultCfg; - systemdConfigs = listToAttrs (map mkSystemd enabledConfigs); + systemdConfigs = listToAttrs (map mkSystemd enabledConfigs); - in mkIf cfg.enable { - assertions = map (peerCfg: { - assertion = (peerCfg.configFile == null || peerCfg.config == ""); - message = '' - Please specify either - 'services.pppd.${peerCfg.name}.config' or - 'services.pppd.${peerCfg.name}.configFile'. - ''; - }) enabledConfigs; + in + mkIf cfg.enable { + assertions = map (peerCfg: { + assertion = (peerCfg.configFile == null || peerCfg.config == ""); + message = '' + Please specify either + 'services.pppd.${peerCfg.name}.config' or + 'services.pppd.${peerCfg.name}.configFile'. + ''; + }) enabledConfigs; - environment.etc = etcFiles; - systemd.services = systemdConfigs; - }; + environment.etc = etcFiles; + systemd.services = systemdConfigs; + }; } diff --git a/os/common/modules/user.nix b/os/common/modules/user.nix index bdf258e..fa4e1c9 100644 --- a/os/common/modules/user.nix +++ b/os/common/modules/user.nix @@ -1,7 +1,9 @@ -{ config, ... }: let +{ config, ... }: +let user = config.global.userdata.name; email = config.global.userdata.email; -in { +in +{ users.users.${user} = { uid = 1000; isNormalUser = true; 
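Review bot: `description = lib.mdoc ''` on the `script` option near the top of this hunk looks like a typo for `lib.mdDoc`, which every other description in the hunk uses; since option descriptions are only evaluated when the manual is generated, I believe a plain rebuild will not surface the missing attribute, so it should read `description = lib.mdDoc ''`. A smaller point in `mkMsh`: the per-type master script ends its loop with `[ -x "$s" ] && "$s" "$@"`, so the script's exit status is 1 whenever the last matching file is not executable; `if [ -x "$s" ]; then "$s" "$@"; fi` keeps the status tied to the hooks that actually ran. The hunk starts inside the module's `options` block and ends at the module's closing brace, so the declarations of `enable`, `config`, `package` and `secret` referenced through `cfg` here are outside this view.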
diff --git a/os/fscusat/configuration.nix b/os/fscusat/configuration.nix index 896e858..598ae8c 100644 --- a/os/fscusat/configuration.nix +++ b/os/fscusat/configuration.nix @@ -10,5 +10,8 @@ ./modules/mirror ]; - services.openssh.ports = [ 22 465 ]; + services.openssh.ports = [ + 22 + 465 + ]; } diff --git a/os/fscusat/modules/mirror/debian/default.nix b/os/fscusat/modules/mirror/debian/default.nix index c0a35cd..b80c6b8 100644 --- a/os/fscusat/modules/mirror/debian/default.nix +++ b/os/fscusat/modules/mirror/debian/default.nix @@ -1,7 +1,9 @@ -{ config, ... }: let +{ config, ... }: +let name = config.global.userdata.name; email = config.global.userdata.email; -in { +in +{ imports = [ ./ftpsync.nix ]; services.ftpsync = { diff --git a/os/fscusat/modules/mirror/debian/ftpsync.nix b/os/fscusat/modules/mirror/debian/ftpsync.nix index 29fb55b..d2394de 100644 --- a/os/fscusat/modules/mirror/debian/ftpsync.nix +++ b/os/fscusat/modules/mirror/debian/ftpsync.nix @@ -1,10 +1,15 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let cfg = config.services.ftpsync; - archvsync = pkgs.callPackage ../../../pkgs/archvsync {}; + archvsync = pkgs.callPackage ../../../pkgs/archvsync { }; - formatKeyValue = k: v: '' ${k}="${v}" ''; + formatKeyValue = k: v: ''${k}="${v}" ''; configFormat = pkgs.formats.keyValue { mkKeyValue = formatKeyValue; }; configFile = configFormat.generate "ftpsync.conf" cfg.settings; in @@ -16,7 +21,7 @@ in settings = lib.mkOption { inherit (configFormat) type; - default = {}; + default = { }; description = lib.mdDoc '' Configuration options for ftpsync. See ftpsync.conf(5) man page for available options. 
@@ -33,33 +38,35 @@ in LOGDIR = lib.mkDefault "$LOGS_DIRECTORY"; }; - systemd = let - name = "ftpsync"; - meta = { - description = "Mirror Debian repositories of packages"; - documentation = [ "man:ftpsync(1)" ]; - }; - in { - timers.${name} = meta // { - wantedBy = [ "timers.target" ]; + systemd = + let + name = "ftpsync"; + meta = { + description = "Mirror Debian repositories of packages"; + documentation = [ "man:ftpsync(1)" ]; + }; + in + { + timers.${name} = meta // { + wantedBy = [ "timers.target" ]; - timerConfig = { - OnCalendar = "*-*-* 00,06,12,18:00:00"; - Unit="%i.service"; - Persistent = true; - FixedRandomDelay = true; - RandomizedDelaySec = "6h"; + timerConfig = { + OnCalendar = "*-*-* 00,06,12,18:00:00"; + Unit = "%i.service"; + Persistent = true; + FixedRandomDelay = true; + RandomizedDelaySec = "6h"; + }; }; - }; - services.${name} = meta // { - serviceConfig = { - LogsDirectory = name; - StateDirectory = name; + services.${name} = meta // { + serviceConfig = { + LogsDirectory = name; + StateDirectory = name; - ExecStart = "${archvsync}/bin/ftpsync sync:all"; + ExecStart = "${archvsync}/bin/ftpsync sync:all"; + }; }; }; - }; }; } diff --git a/os/fscusat/modules/mirror/default.nix b/os/fscusat/modules/mirror/default.nix index c5fd462..1648204 100644 --- a/os/fscusat/modules/mirror/default.nix +++ b/os/fscusat/modules/mirror/default.nix @@ -1,4 +1,5 @@ -{ ... }: { +{ ... }: +{ imports = [ ./debian ./www.nix diff --git a/os/fscusat/modules/network.nix b/os/fscusat/modules/network.nix index 53367f8..fefcd14 100644 --- a/os/fscusat/modules/network.nix +++ b/os/fscusat/modules/network.nix 
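Review bot: `Unit = "%i.service";` in the timerConfig expands to `.service`, because `%i` is the instance name and is empty for the non-templated `ftpsync.timer`; I believe systemd rejects that value and falls back to the service of the same name, which is why the timer still fires. Making the target explicit removes the dependence on that fallback: `Unit = "${name}.service";`, or simply drop the line, since a timer defaults to the service sharing its name. Both the `timers` and `services` attribute sets are inside the `let name = "ftpsync"` binding that this hunk already introduces.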
@@ -5,14 +5,19 @@ let in { networking = { - interfaces.${wan}.ipv4.addresses = [{ - address = "10.0.8.101"; - prefixLength = 16; - }]; + interfaces.${wan}.ipv4.addresses = [ + { + address = "10.0.8.101"; + prefixLength = 16; + } + ]; defaultGateway = { address = "10.0.0.1"; interface = wan; }; - nameservers = [ "10.0.0.2" "10.0.0.3" ]; + nameservers = [ + "10.0.0.2" + "10.0.0.3" + ]; }; } diff --git a/os/fscusat/modules/www.nix b/os/fscusat/modules/www.nix index 24398da..8392190 100644 --- a/os/fscusat/modules/www.nix +++ b/os/fscusat/modules/www.nix @@ -4,19 +4,24 @@ let domain = "foss.fscusat.ac.in"; in { - networking.firewall.allowedTCPPorts = [ 80 443 ]; + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; - sops.secrets = let - opts = { - owner = config.services.nginx.user; - group = config.services.nginx.group; + sops.secrets = + let + opts = { + owner = config.services.nginx.user; + group = config.services.nginx.group; + }; + in + { + "cusat.ac.in/key" = opts; + "cusat.ac.in/crt" = opts; }; - in{ - "cusat.ac.in/key" = opts; - "cusat.ac.in/crt" = opts; - }; - services.nginx = { + services.nginx = { enable = true; recommendedTlsSettings = true; recommendedZstdSettings = true; diff --git a/os/fscusat/pkgs/archvsync/default.nix b/os/fscusat/pkgs/archvsync/default.nix index bd3560e..7c31b1e 100644 --- a/os/fscusat/pkgs/archvsync/default.nix +++ b/os/fscusat/pkgs/archvsync/default.nix @@ -1,4 +1,5 @@ -{ lib, +{ + lib, stdenvNoCC, fetchFromGitLab, makeWrapper, 
@@ -22,15 +23,29 @@ stdenvNoCC.mkDerivation { }; strictDeps = true; - nativeBuildInputs = [ makeWrapper pandoc ]; - outputs = [ "out" "man" "doc" ]; + nativeBuildInputs = [ + makeWrapper + pandoc + ]; + outputs = [ + "out" + "man" + "doc" + ]; - patches = [ ./Makefile.patch ./common.patch ]; + patches = [ + ./Makefile.patch + ./common.patch + ]; postInstall = '' for s in $out/bin/*; do - wrapProgram $s --prefix PATH : ${lib.makeBinPath - [ rsync bash hostname ] + wrapProgram $s --prefix PATH : ${ + lib.makeBinPath [ + rsync + bash + hostname + ] } done ''; diff --git a/os/kay/modules/acme.nix b/os/kay/modules/acme.nix index 00819e7..60e40a8 100644 --- a/os/kay/modules/acme.nix +++ b/os/kay/modules/acme.nix @@ -1,10 +1,11 @@ -{ config, pkgs, ... }: let +{ config, pkgs, ... }: +let email = config.global.userdata.email; domain = config.global.userdata.domain; - environmentFile = - pkgs.writeText "acme-dns" "RFC2136_NAMESERVER='[2001:470:ee65::1]:53'"; -in { + environmentFile = pkgs.writeText "acme-dns" "RFC2136_NAMESERVER='[2001:470:ee65::1]:53'"; +in +{ security.acme = { acceptTerms = true; defaults.email = email; diff --git a/os/kay/modules/alina.nix b/os/kay/modules/alina.nix index ef6331b..6f8fac4 100644 --- a/os/kay/modules/alina.nix +++ b/os/kay/modules/alina.nix @@ -1,14 +1,18 @@ -{ config, pkgs, ... }: let +{ config, pkgs, ... }: +let domain = "alinafs.com"; -in { - sops.secrets."misc/alina" = {}; +in +{ + sops.secrets."misc/alina" = { }; services.postgresql = { ensureDatabases = [ "alina" ]; - ensureUsers = [{ - name = "alina"; - ensureDBOwnership = true; - }]; + ensureUsers = [ + { + name = "alina"; + ensureDBOwnership = true; + } + ]; }; services.alina = { @@ -17,7 +21,7 @@ in { environmentFile = config.sops.secrets."misc/alina".path; settings.server = { data = "/hdd/alina"; - file_size_limit = 1024 * 1024 * 1024; /* 1GB */ + file_size_limit = 1024 * 1024 * 1024; # 1GB public_url = "https://${domain}"; }; }; 
diff --git a/os/kay/modules/dns/default.nix b/os/kay/modules/dns/default.nix index 357cddd..6179527 100644 --- a/os/kay/modules/dns/default.nix +++ b/os/kay/modules/dns/default.nix @@ -1,5 +1,6 @@ -{ config, pkgs, ... }: let - listen_addr = [ +{ config, pkgs, ... }: +let + listen_addr = [ "137.59.84.126" "2001:470:ee65::1" ]; @@ -16,7 +17,8 @@ IN NS ns1.sinanmohd.com. ''; -in { +in +{ imports = [ ./ddns.nix ]; networking.firewall = { @@ -39,39 +41,55 @@ in { remote = [ { id = "ns1.he.net"; - address = [ "2001:470:100::2" "216.218.130.2" ]; + address = [ + "2001:470:100::2" + "216.218.130.2" + ]; via = "2001:470:ee65::1"; } { id = "m.gtld-servers.net"; - address = [ "2001:501:b1f9::30" "192.55.83.30" ]; + address = [ + "2001:501:b1f9::30" + "192.55.83.30" + ]; } ]; - submission = [{ - id = "gtld-servers.net"; - parent = "m.gtld-servers.net"; - }]; + submission = [ + { + id = "gtld-servers.net"; + parent = "m.gtld-servers.net"; + } + ]; - policy = [{ - id = "gtld-servers.net"; - algorithm = "ecdsap384sha384"; - ksk-lifetime = "365d"; - ksk-submission = "gtld-servers.net"; - }]; + policy = [ + { + id = "gtld-servers.net"; + algorithm = "ecdsap384sha384"; + ksk-lifetime = "365d"; + ksk-submission = "gtld-servers.net"; + } + ]; # generate TSIG key with keymgr -t name acl = [ { id = "ns1.he.net"; key = "ns1.he.net"; - address = [ "2001:470:600::2" "216.218.133.2" ]; + address = [ + "2001:470:600::2" + "216.218.133.2" + ]; action = "transfer"; } { id = "ddns"; address = listen_addr; - update-type = [ "A" "AAAA" ]; + update-type = [ + "A" + "AAAA" + ]; action = "update"; } { @@ -82,11 +100,13 @@ in { } ]; - mod-rrl = [{ - id = "default"; - rate-limit = 200; - slip = 2; - }]; + mod-rrl = [ + { + id = "default"; + rate-limit = 200; + slip = 2; + } + ]; template = [ { 
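Review bot: The `ddns` ACL grants `update` for A/AAAA records to anything arriving from `listen_addr` (the server's own addresses) without a `key`, so dynamic updates are authorized by source address alone. If the updater in ./ddns.nix runs on this host that is presumably the intent, but a TSIG key — the comment above the acl already points at `keymgr -t name`, and the `ns1.he.net` entry in the same list shows `key` and `address` combined — would tie the permission to the updater rather than to an address: add `key = "ddns";` to the rule and reference the same key from the updater. The `acl`, `remote`, `submission` and `policy` lists are fully within this hunk; the `listen_addr` binding is in the file's first hunk.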
@@ -102,7 +122,10 @@ in { dnssec-policy = "gtld-servers.net"; notify = [ "ns1.he.net" ]; - acl = [ "ns1.he.net" "ddns" ]; + acl = [ + "ns1.he.net" + "ddns" + ]; zonefile-sync = "-1"; zonefile-load = "difference"; diff --git a/os/kay/modules/home-assistant.nix b/os/kay/modules/home-assistant.nix index 2376997..65807f7 100644 --- a/os/kay/modules/home-assistant.nix +++ b/os/kay/modules/home-assistant.nix @@ -1,21 +1,26 @@ -{ pkgs, ... }: { +{ pkgs, ... }: +{ services.postgresql = { enable = true; ensureDatabases = [ "hass" ]; - ensureUsers = [{ - name = "hass"; - ensureDBOwnership = true; - }]; + ensureUsers = [ + { + name = "hass"; + ensureDBOwnership = true; + } + ]; }; services.home-assistant = { enable = true; - package = (pkgs.home-assistant.override { - extraPackages = py: with py; [ psycopg2 ]; - }).overrideAttrs (oldAttrs: { - doInstallCheck = false; - }); + package = + (pkgs.home-assistant.override { + extraPackages = py: with py; [ psycopg2 ]; + }).overrideAttrs + (oldAttrs: { + doInstallCheck = false; + }); extraComponents = [ "analytics" @@ -29,7 +34,7 @@ ]; config = { - default_config = {}; + default_config = { }; recorder.db_url = "postgresql://@/hass"; http = { diff --git a/os/kay/modules/hurricane.nix b/os/kay/modules/hurricane.nix index 511b213..e815136 100644 --- a/os/kay/modules/hurricane.nix +++ b/os/kay/modules/hurricane.nix @@ -1,4 +1,9 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: let iface = "hurricane"; @@ -10,12 +15,15 @@ let prefix64 = "2001:470:36:72a::/64"; prefix48 = "2001:470:ee65::/48"; - makeAddr = prefix: host: let - split = lib.strings.splitString "/" prefix; - in { - address = "${lib.head split}${host}"; - prefixLength = lib.toInt (lib.last split); - }; + makeAddr = + prefix: host: + let + split = lib.strings.splitString "/" prefix; + in + { + address = "${lib.head split}${host}"; + prefixLength = lib.toInt (lib.last split); + }; in { networking = { 
@@ -43,17 +51,15 @@ in }; firewall = { - extraCommands = - "iptables -A INPUT --proto 41 --source ${remote} --jump ACCEPT"; - extraStopCommands = - "iptables -D INPUT --proto 41 --source ${remote} --jump ACCEPT"; + extraCommands = "iptables -A INPUT --proto 41 --source ${remote} --jump ACCEPT"; + extraStopCommands = "iptables -D INPUT --proto 41 --source ${remote} --jump ACCEPT"; }; }; sops.secrets = { - "hurricane/username" = {}; - "hurricane/update_key" = {}; - "hurricane/tunnel_id" = {}; + "hurricane/username" = { }; + "hurricane/update_key" = { }; + "hurricane/tunnel_id" = { }; }; systemd.services."network-route-${iface}" = { @@ -64,7 +70,10 @@ in ]; before = [ "network-setup.service" ]; bindsTo = [ "network-addresses-hurricane.service" ]; - after = [ "network-pre.target" "network-addresses-hurricane.service" ]; + after = [ + "network-pre.target" + "network-addresses-hurricane.service" + ]; # restart rather than stop+start this unit to prevent the # network from dying during switch-to-configuration. stopIfChanged = false; @@ -95,9 +104,13 @@ in ''; }; - services.pppd.script."01-${iface}" = { - runtimeInputs = with pkgs; [ curl coreutils iproute2 iputils ]; + runtimeInputs = with pkgs; [ + curl + coreutils + iproute2 + iputils + ]; text = '' wan_ip="$4" username="$(cat ${config.sops.secrets."hurricane/username".path})" diff --git a/os/kay/modules/mail.nix b/os/kay/modules/mail.nix index a418a86..57912ac 100644 --- a/os/kay/modules/mail.nix +++ b/os/kay/modules/mail.nix @@ -1,4 +1,5 @@ -{ config, pkgs, ... }: let +{ config, pkgs, ... }: +let ipv6 = "2001:470:ee65::1337"; domain = config.global.userdata.domain; username = config.global.userdata.name; 
@@ -15,12 +16,13 @@ ]; credentials_directory = "/run/credentials/stalwart-mail.service"; -in { +in +{ security.acme.certs.${domain}.postRun = "systemctl restart stalwart-mail.service"; sops.secrets = { - "mail.${domain}/dkim_rsa" = {}; - "mail.${domain}/dkim_ed25519" = {}; - "mail.${domain}/password" = {}; + "mail.${domain}/dkim_rsa" = { }; + "mail.${domain}/dkim_ed25519" = { }; + "mail.${domain}/password" = { }; }; systemd.services.stalwart-mail.serviceConfig.LoadCredential = [ @@ -35,10 +37,12 @@ in { services.postgresql = { ensureDatabases = [ "stalwart" ]; - ensureUsers = [{ - name = "stalwart"; - ensureDBOwnership = true; - }]; + ensureUsers = [ + { + name = "stalwart"; + ensureDBOwnership = true; + } + ]; }; services.stalwart-mail = { @@ -70,7 +74,10 @@ in { server.listener = { smtp = { - bind = [ "[${ipv6}]:25" "0.0.0.0:25" ]; + bind = [ + "[${ipv6}]:25" + "0.0.0.0:25" + ]; protocol = "smtp"; }; submission = { @@ -98,7 +105,13 @@ in { private-key = "%{file:${credentials_directory}/dkim_rsa}%"; inherit domain; selector = "rsa"; - headers = ["From" "To" "Date" "Subject" "Message-ID"]; + headers = [ + "From" + "To" + "Date" + "Subject" + "Message-ID" + ]; algorithm = "rsa-sha-256"; canonicalization = "simple/simple"; @@ -110,7 +123,13 @@ in { private-key = "%{file:${credentials_directory}/dkim_ed25519}%"; inherit domain; selector = "ed25519"; - headers = ["From" "To" "Date" "Subject" "Message-ID"]; + headers = [ + "From" + "To" + "Date" + "Subject" + "Message-ID" + ]; algorithm = "ed25519-sha256"; canonicalization = "simple/simple"; @@ -152,7 +171,8 @@ in { secret = "%{file:${credentials_directory}/password}%"; inherit email; } - { # for mta-sts & dmarc reports + { + # for mta-sts & dmarc reports class = "individual"; name = "reports"; secret = "%{file:${credentials_directory}/password}%"; diff --git a/os/kay/modules/matrix/default.nix b/os/kay/modules/matrix/default.nix index f81d0d9..1b9564d 100644 --- a/os/kay/modules/matrix/default.nix 
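Review bot: Both DKIM signature blocks in this file (the rsa one in `@@ -98,7 +105,13 @@` and the ed25519 one in `@@ -110,7 +123,13 @@`) still sign only `From`, `To`, `Date`, `Subject` and `Message-ID`, so headers such as `Reply-To`, `Content-Type`, `MIME-Version` and `In-Reply-To` can be added or rewritten in transit without invalidating the signature. RFC 6376 §5.4 recommends covering those too; consider extending both `headers` lists, e.g. adding `"Reply-To" "MIME-Version" "Content-Type" "In-Reply-To" "References"`, and defining the list once in the file's `let` block so the two signatures cannot drift apart. The enclosing `services.stalwart-mail` attribute set starts and ends outside these hunks.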
+++ b/os/kay/modules/matrix/default.nix @@ -1,12 +1,14 @@ -{ config, ... }: let +{ config, ... }: +let domain = config.global.userdata.domain; -in { +in +{ imports = [ ./dendrite.nix ./matrix-sliding-sync.nix ]; - sops.secrets."matrix-${domain}/sliding_sync" = {}; + sops.secrets."matrix-${domain}/sliding_sync" = { }; services.matrix-sliding-sync-dirty = { enable = true; diff --git a/os/kay/modules/matrix/dendrite.nix b/os/kay/modules/matrix/dendrite.nix index 3f4a879..e66c5a5 100644 --- a/os/kay/modules/matrix/dendrite.nix +++ b/os/kay/modules/matrix/dendrite.nix @@ -10,16 +10,18 @@ let }; in { - sops.secrets."matrix-${domain}/key" = {}; + sops.secrets."matrix-${domain}/key" = { }; systemd.services.dendrite.after = [ "postgresql.service" ]; services = { postgresql = { ensureDatabases = [ "dendrite" ]; - ensureUsers = [{ - name = "dendrite"; - ensureDBOwnership = true; - }]; + ensureUsers = [ + { + name = "dendrite"; + ensureDBOwnership = true; + } + ]; }; dendrite = { @@ -43,10 +45,12 @@ in ]; inherit database; }; - logging = [{ - type = "std"; - level = "warn"; - }]; + logging = [ + { + type = "std"; + level = "warn"; + } + ]; mscs = { inherit database; mscs = [ "msc2836" ]; @@ -63,19 +67,21 @@ in federation_api = { inherit database; send_max_retries = 8; - key_perspectives = [{ - server_name = "matrix.org"; - keys = [ - { - key_id = "ed25519:auto"; - public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"; - } - { - key_id = "ed25519:a_RXGa"; - public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ"; - } - ]; - }]; + key_perspectives = [ + { + server_name = "matrix.org"; + keys = [ + { + key_id = "ed25519:auto"; + public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"; + } + { + key_id = "ed25519:a_RXGa"; + public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ"; + } + ]; + } + ]; }; app_service_api = { diff --git a/os/kay/modules/matrix/matrix-sliding-sync.nix b/os/kay/modules/matrix/matrix-sliding-sync.nix index f4c1426..63d95ad 100644 
--- a/os/kay/modules/matrix/matrix-sliding-sync.nix +++ b/os/kay/modules/matrix/matrix-sliding-sync.nix @@ -1,12 +1,20 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let cfg = config.services.matrix-sliding-sync-dirty; - matrix-sliding-sync = pkgs.callPackage ../../pkgs/matrix-sliding-sync.nix {}; + matrix-sliding-sync = pkgs.callPackage ../../pkgs/matrix-sliding-sync.nix { }; in { imports = [ - (lib.mkRenamedOptionModule [ "services" "matrix-synapse" "sliding-sync" ] [ "services" "matrix-sliding-sync" ]) + (lib.mkRenamedOptionModule + [ "services" "matrix-synapse" "sliding-sync" ] + [ "services" "matrix-sliding-sync" ] + ) ]; options.services.matrix-sliding-sync-dirty = { @@ -40,7 +48,14 @@ in }; SYNCV3_LOG_LEVEL = lib.mkOption { - type = lib.types.enum [ "trace" "debug" "info" "warn" "error" "fatal" ]; + type = lib.types.enum [ + "trace" + "debug" + "info" + "warn" + "error" + "fatal" + ]; default = "info"; description = "The level of verbosity for messages logged."; }; @@ -77,10 +92,12 @@ in services.postgresql = lib.optionalAttrs cfg.createDatabase { enable = true; ensureDatabases = [ "matrix-sliding-sync" ]; - ensureUsers = [ { - name = "matrix-sliding-sync"; - ensureDBOwnership = true; - } ]; + ensureUsers = [ + { + name = "matrix-sliding-sync"; + ensureDBOwnership = true; + } + ]; }; systemd.services.matrix-sliding-sync = rec { diff --git a/os/kay/modules/network.nix b/os/kay/modules/network.nix index 22d132b..1315289 100644 --- a/os/kay/modules/network.nix +++ b/os/kay/modules/network.nix @@ -3,7 +3,10 @@ let inetVlan = 1003; wanInterface = "enp3s0"; - nameServer = [ "1.0.0.1" "1.1.1.1" ]; + nameServer = [ + "1.0.0.1" + "1.1.1.1" + ]; in { imports = [ @@ -12,9 +15,9 @@ in ]; sops.secrets = { - "ppp/chap-secrets" = {}; - "ppp/pap-secrets" = {}; - "ppp/username" = {}; + "ppp/chap-secrets" = { }; + "ppp/pap-secrets" = { }; + "ppp/username" = { }; }; networking = { 
diff --git a/os/kay/modules/observability/prometheus.nix b/os/kay/modules/observability/prometheus.nix
index d9b6071..1810f9e 100644
--- a/os/kay/modules/observability/prometheus.nix
+++ b/os/kay/modules/observability/prometheus.nix
@@ -4,36 +4,38 @@ enable = true; port = 9001; - scrapeConfigs = [{ - job_name = "kay"; - scrape_interval = "1s"; - static_configs = [ - { - targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; - } - { - targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.wireguard.port}" ]; - } - { - targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.dnsmasq.port}" ]; - } - { - targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.nginx.port}" ]; - } - { - targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.nginxlog.port}" ]; - } - { - targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.postgres.port}" ]; - } - { - targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.snmp.port}" ]; - } - { - targets = [ "127.0.0.1:${toString config.services.dendrite.httpPort}" ]; - } - ]; - }]; + scrapeConfigs = [ + { + job_name = "kay"; + scrape_interval = "1s"; + static_configs = [ + { + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; + } + { + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.wireguard.port}" ]; + } + { + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.dnsmasq.port}" ]; + } + { + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.nginx.port}" ]; + } + { + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.nginxlog.port}" ]; + } + { + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.postgres.port}" ]; + } + { + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.snmp.port}" ]; + } + { + targets = [ "127.0.0.1:${toString config.services.dendrite.httpPort}" ]; + } + ]; + } + ]; exporters = { node = { diff --git a/os/kay/modules/postgresql.nix b/os/kay/modules/postgresql.nix index 79d0b12..6ba5398 100644 --- a/os/kay/modules/postgresql.nix +++ b/os/kay/modules/postgresql.nix 
@@ -1,15 +1,21 @@ -{ config, lib, pkgs, ... }: { +{ + config, + lib, + pkgs, + ... +}: +{ services.postgresql = { enable = true; package = with pkgs; postgresql_15; authentication = lib.mkForce '' - #type database DBuser origin-address auth-method - # unix socket - local all all trust - # ipv4 - host all all 127.0.0.1/32 trust - # ipv6 - host all all ::1/128 trust + #type database DBuser origin-address auth-method + # unix socket + local all all trust + # ipv4 + host all all 127.0.0.1/32 trust + # ipv6 + host all all ::1/128 trust ''; settings.log_timezone = config.time.timeZone; diff --git a/os/kay/modules/router.nix b/os/kay/modules/router.nix index bb8cd3b..7280401 100644 --- a/os/kay/modules/router.nix +++ b/os/kay/modules/router.nix @@ -1,4 +1,5 @@ -{ ... }: let +{ ... }: +let wanInterface = "ppp0"; gponInterface = "enp3s0"; @@ -15,7 +16,8 @@ wapMac = "40:86:cb:d7:40:49"; wapIp = "192.168.43.2"; -in { +in +{ imports = [ ./wireguard.nix ./iperf3.nix @@ -30,17 +32,24 @@ in { internalInterfaces = [ bridgeInterface ]; }; interfaces = { - ${bridgeInterface}.ipv4.addresses = [{ + ${bridgeInterface}.ipv4.addresses = [ + { address = host; - prefixLength = prefix; - }]; - ${gponInterface}.ipv4.addresses = [{ + prefixLength = prefix; + } + ]; + ${gponInterface}.ipv4.addresses = [ + { address = gponHost; - prefixLength = gponPrefix; - }]; + prefixLength = gponPrefix; + } + ]; }; firewall = { - allowedUDPPorts = [ 53 67 ]; + allowedUDPPorts = [ + 53 + 67 + ]; allowedTCPPorts = [ 53 ]; extraCommands = '' iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \ @@ -57,7 +66,7 @@ in { services.dnsmasq.settings = { dhcp-range = [ "${leaseRangeStart},${leaseRangeEnd}" ]; - dhcp-host= "${wapMac},${wapIp}"; + dhcp-host = "${wapMac},${wapIp}"; interface = [ bridgeInterface ]; }; diff --git a/os/kay/modules/sftp.nix b/os/kay/modules/sftp.nix index 45ed151..b740fd6 100644 --- a/os/kay/modules/sftp.nix +++ b/os/kay/modules/sftp.nix 
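Review bot: The reindented `authentication` block keeps `trust` on the TCP loopback lines (`host all all 127.0.0.1/32 trust` and `host all all ::1/128 trust`), so any local process can open a TCP connection as any role, including the superuser, with no credentials. The consumers elsewhere in this diff (home-assistant, stalwart, dendrite, matrix-sliding-sync) are system services created through `ensureUsers`/`ensureDBOwnership` and can authenticate over the unix socket, so `local all all peer` plus dropping the two `host` lines (or switching them to `scram-sha-256`) would be the least-privilege form; if something genuinely needs password-less TCP access, scope that line to its database and role instead of `all all`. Whether any service actually connects over TCP is not visible here (home-assistant's `postgresql://@/hass` looks socket-based), so check each `db_url` before tightening.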
@@ -7,7 +7,7 @@ let in { users = { - groups."sftp".members = []; + groups."sftp".members = [ ]; users."sftp" = { group = "sftp"; @@ -42,7 +42,7 @@ in }; # sandboxing - extraConfig = '' + extraConfig = '' Match Group sftp # chroot dir should be owned by root # and sub dirs by %u diff --git a/os/kay/modules/sshfwd.nix b/os/kay/modules/sshfwd.nix index d70b893..fcafd17 100644 --- a/os/kay/modules/sshfwd.nix +++ b/os/kay/modules/sshfwd.nix @@ -1,21 +1,24 @@ -{ ... }: let +{ ... }: +let group = "sshfwd"; -in { +in +{ networking.firewall.allowedTCPPorts = [ 2222 ]; users = { - groups.${group}.members = []; + groups.${group}.members = [ ]; users."lia" = { inherit group; isSystemUser = true; - openssh.authorizedKeys.keys - = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAe7fJlh9L+9JSq0+hK7jNZjszmZqNXwzqcZ+zx0yJyU lia" ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAe7fJlh9L+9JSq0+hK7jNZjszmZqNXwzqcZ+zx0yJyU lia" + ]; }; }; - services.openssh.extraConfig = '' + services.openssh.extraConfig = '' Match Group ${group} ForceCommand echo 'this account is only usable for remote forwarding' PermitTunnel no diff --git a/os/kay/modules/wireguard.nix b/os/kay/modules/wireguard.nix index 21cec06..ae42930 100644 --- a/os/kay/modules/wireguard.nix +++ b/os/kay/modules/wireguard.nix @@ -1,4 +1,10 @@ -{ config, pkgs, lib, ... }: let +{ + config, + pkgs, + lib, + ... +}: +let wgInterface = "wg"; wanInterface = "ppp0"; subnet = "10.0.1.0"; 
@@ -10,13 +16,17 @@ Address = 10.0.1.1/24 MTU = 1412 ListenPort = 51820 - PostUp = ${lib.getExe (pkgs.writeShellApplication { - name = "wg_set_key"; - runtimeInputs = with pkgs; [ wireguard-tools ]; - text = '' - wg set ${wgInterface} private-key <(cat ${config.sops.secrets."misc/wireguard".path}) - ''; - })} + PostUp = ${ + lib.getExe ( + pkgs.writeShellApplication { + name = "wg_set_key"; + runtimeInputs = with pkgs; [ wireguard-tools ]; + text = '' + wg set ${wgInterface} private-key <(cat ${config.sops.secrets."misc/wireguard".path}) + ''; + } + ) + } [Peer] # friendly_name = cez @@ -43,8 +53,9 @@ PublicKey = U6+PzFuM6lKVx0TnDWuWJMsP6Tj8o1a9zjRcD7gV53o= AllowedIPs = 10.0.1.6/32 ''; -in { - sops.secrets."misc/wireguard" = {}; +in +{ + sops.secrets."misc/wireguard" = { }; networking = { nat = { @@ -59,7 +70,7 @@ in { services.dnsmasq.settings = { no-dhcp-interface = wgInterface; - interface = [ wgInterface ]; + interface = [ wgInterface ]; }; services.prometheus.exporters.wireguard = { diff --git a/os/kay/modules/www.nix b/os/kay/modules/www.nix index 54ff8d2..4f894c5 100644 --- a/os/kay/modules/www.nix +++ b/os/kay/modules/www.nix @@ -1,4 +1,9 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: let domain = config.global.userdata.domain; @@ -12,7 +17,10 @@ in security.acme.certs.${domain}.postRun = "systemctl reload nginx.service"; networking.firewall = { - allowedTCPPorts = [ 80 443 ]; + allowedTCPPorts = [ + 80 + 443 + ]; allowedUDPPorts = [ 443 ]; }; @@ -27,7 +35,7 @@ in }; }; - services.nginx = { + services.nginx = { enable = true; statusPage = true; package = pkgs.nginxQuic; 
@@ -48,218 +56,216 @@ in add_header Alt-Svc 'h3=":443"; ma=2592000; persist=1'; ''; - virtualHosts = let - defaultOpts = { - # reuseport = true; - quic = true; - http3 = true; - forceSSL = true; - useACMEHost = domain; - }; - in { - "${domain}" = defaultOpts // { - default = true; - globalRedirect = "www.${domain}"; + virtualHosts = + let + defaultOpts = { + # reuseport = true; + quic = true; + http3 = true; + forceSSL = true; + useACMEHost = domain; + }; + in + { + "${domain}" = defaultOpts // { + default = true; + globalRedirect = "www.${domain}"; + + extraConfig = '' + proxy_buffering off; + proxy_request_buffering off; + client_max_body_size 0; + ''; - extraConfig = '' - proxy_buffering off; - proxy_request_buffering off; - client_max_body_size 0; - ''; + locations = { + "/.well-known/matrix/server".return = '' + 200 '{ "m.server": "${domain}:443" }' + ''; - locations = { - "/.well-known/matrix/server".return = '' - 200 '{ "m.server": "${domain}:443" }' - ''; + "/.well-known/matrix/client".return = '' + 200 '${ + builtins.toJSON { + "m.homeserver".base_url = "https://${domain}"; + "org.matrix.msc3575.proxy".url = "https://sliding.${domain}"; + "m.identity_server".base_url = "https://vector.im"; + } + }' + ''; + + "~ ^(\\/_matrix|\\/_synapse\\/client)".proxyPass = + "http://127.0.0.1:${toString config.services.dendrite.httpPort}"; + }; + }; - "/.well-known/matrix/client".return = '' - 200 '${builtins.toJSON { - "m.homeserver".base_url = "https://${domain}"; - "org.matrix.msc3575.proxy".url = "https://sliding.${domain}"; - "m.identity_server".base_url = "https://vector.im"; - }}' + "sliding.${domain}" = defaultOpts // { + extraConfig = '' + proxy_buffering off; + proxy_request_buffering off; + client_max_body_size 0; ''; - "~ ^(\\/_matrix|\\/_synapse\\/client)".proxyPass = "http://127.0.0.1:${toString - config.services.dendrite.httpPort - }"; + locations."/" = { + proxyWebsockets = true; + proxyPass = 
"http://${config.services.matrix-sliding-sync-dirty.settings.SYNCV3_BINDADDR}"; + }; }; - }; - "sliding.${domain}" = defaultOpts // { - extraConfig = '' - proxy_buffering off; - proxy_request_buffering off; - client_max_body_size 0; - ''; + "${config.services.grafana.settings.server.domain}" = defaultOpts // { + extraConfig = '' + proxy_buffering off; + proxy_request_buffering off; + client_max_body_size 0; + ''; - locations."/" = { - proxyWebsockets = true; - proxyPass = - "http://${config.services.matrix-sliding-sync-dirty.settings.SYNCV3_BINDADDR}"; + locations."/" = { + proxyWebsockets = true; + proxyPass = "http://${config.services.grafana.settings.server.http_addr}:${builtins.toString config.services.grafana.settings.server.http_port}"; + }; }; - }; - "${config.services.grafana.settings.server.domain}" = defaultOpts // { - extraConfig = '' - proxy_buffering off; - proxy_request_buffering off; - client_max_body_size 0; - ''; + "www.${domain}" = defaultOpts // { + extraConfig = '' + ssl_early_data on; + ''; - locations."/" = { - proxyWebsockets = true; - proxyPass = - "http://${config.services.grafana.settings.server.http_addr}:${builtins.toString config.services.grafana.settings.server.http_port}"; + root = "/var/www/${domain}"; }; - }; - - "www.${domain}" = defaultOpts // { - extraConfig = '' - ssl_early_data on; - ''; - root = "/var/www/${domain}"; - }; + "git.${domain}" = defaultOpts // { + extraConfig = '' + ssl_early_data on; + ''; + }; - "git.${domain}" = defaultOpts // { - extraConfig = '' - ssl_early_data on; - ''; - }; + "bin.${domain}" = defaultOpts // { + extraConfig = '' + ssl_early_data on; + ''; + root = "${storage}/bin"; + locations."= /".return = "307 https://www.${domain}"; + }; - "bin.${domain}" = defaultOpts // { - extraConfig = '' - ssl_early_data on; - ''; - root = "${storage}/bin"; - locations."= /".return = "307 https://www.${domain}"; - }; + "static.${domain}" = defaultOpts // { + extraConfig = '' + ssl_early_data on; + ''; + root = 
"${storage}/static"; + locations."= /".return = "301 https://www.${domain}"; + }; - "static.${domain}" = defaultOpts // { - extraConfig = '' - ssl_early_data on; - ''; - root = "${storage}/static"; - locations."= /".return = "301 https://www.${domain}"; - }; + "home.${domain}" = defaultOpts // { + locations."/" = { + proxyWebsockets = true; + proxyPass = "http://127.0.0.1:${builtins.toString config.services.home-assistant.config.http.server_port}"; + }; + }; - "home.${domain}" = defaultOpts // { - locations."/" = { - proxyWebsockets = true; - proxyPass = "http://127.0.0.1:${ - builtins.toString config.services.home-assistant.config.http.server_port - }"; + "mail.${domain}" = defaultOpts // { + locations."/" = { + proxyWebsockets = true; + proxyPass = "http://127.0.0.1:8085"; + }; }; - }; - "mail.${domain}" = defaultOpts // { - locations."/" = { - proxyWebsockets = true; - proxyPass = "http://127.0.0.1:8085"; + "mta-sts.${domain}" = defaultOpts // { + extraConfig = '' + ssl_early_data on; + ''; + locations."= /.well-known/mta-sts.txt".return = ''200 "${ + lib.strings.concatStringsSep "\\n" [ + "version: STSv1" + "mode: enforce" + "mx: mail.${domain}" + "max_age: 86400" + ] + }"''; }; - }; - "mta-sts.${domain}" = defaultOpts // { - extraConfig = '' - ssl_early_data on; - ''; - locations."= /.well-known/mta-sts.txt".return = ''200 "${ - lib.strings.concatStringsSep "\\n" [ - "version: STSv1" - "mode: enforce" - "mx: mail.${domain}" - "max_age: 86400" - ] - }"''; - }; + "immich.${domain}" = defaultOpts // { + locations."/" = { + proxyWebsockets = true; + proxyPass = "http://${config.services.immich.host}:${builtins.toString config.services.immich.port}"; + }; - "immich.${domain}" = defaultOpts // { - locations."/" = { - proxyWebsockets = true; - proxyPass = "http://${config.services.immich.host}:${builtins.toString config.services.immich.port}"; + extraConfig = '' + proxy_buffering off; + proxy_request_buffering off; + client_max_body_size 0; + ''; }; - extraConfig = 
'' - proxy_buffering off; - proxy_request_buffering off; - client_max_body_size 0; - ''; - }; - - "nixbin.${domain}" = defaultOpts // { - extraConfig = '' - proxy_buffering off; - proxy_request_buffering off; - client_max_body_size 0; - ''; + "nixbin.${domain}" = defaultOpts // { + extraConfig = '' + proxy_buffering off; + proxy_request_buffering off; + client_max_body_size 0; + ''; - locations = { - "= /files".return = "301 https://nixbin.${domain}/files/"; - "/files/" = { + locations = { + "= /files".return = "301 https://nixbin.${domain}/files/"; + "/files/" = { alias = "/nix/store/"; extraConfig = "autoindex on;"; + }; + + "= /" = { + extraConfig = '' + add_header Content-Type text/html; + add_header Alt-Svc 'h3=":443"; ma=2592000; persist=1'; + ''; + return = '' + 200 + '<!DOCTYPE html> + <html lang="en"> + <head> + <meta charset="UTF-8"> + <title>Nix Cache</title> + </head> + <body> + <center> + <h1 style="font-size: 8em"> + ❄️ Nix Cache + </h1> + <p style="font-weight: bold"> + Public Key: nixbin.sinanmohd.com:dXV3KDPVrm+cGJ2M1ZmTeQJqFGaEapqiVoWHgYDh03k= + </p> + </center> + </body> + </html>' + ''; + }; + + "/".proxyPass = + "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}"; }; - - "= /" = { - extraConfig = '' - add_header Content-Type text/html; - add_header Alt-Svc 'h3=":443"; ma=2592000; persist=1'; - ''; - return = ''200 - '<!DOCTYPE html> - <html lang="en"> - <head> - <meta charset="UTF-8"> - <title>Nix Cache</title> - </head> - <body> - <center> - <h1 style="font-size: 8em"> - ❄️ Nix Cache - </h1> - <p style="font-weight: bold"> - Public Key: nixbin.sinanmohd.com:dXV3KDPVrm+cGJ2M1ZmTeQJqFGaEapqiVoWHgYDh03k= - </p> - </center> - </body> - </html>' - ''; - }; - - "/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${ - toString config.services.nix-serve.port - }"; }; - }; - - - "www.alinafs.com" = defaultOpts // { - useACMEHost = null; - enableACME = true; - globalRedirect = "alinafs.com/home"; - 
extraConfig = '' - ssl_early_data on; - ''; - }; - "alinafs.com" = defaultOpts // { - useACMEHost = null; - enableACME = true; - locations = { - "/metrics".return = "307 /home/"; - "/" = { - proxyWebsockets = true; - proxyPass = "http://127.0.0.1:${builtins.toString config.services.alina.port}"; - }; + "www.alinafs.com" = defaultOpts // { + useACMEHost = null; + enableACME = true; + globalRedirect = "alinafs.com/home"; + extraConfig = '' + ssl_early_data on; + ''; }; + "alinafs.com" = defaultOpts // { + useACMEHost = null; + enableACME = true; + + locations = { + "/metrics".return = "307 /home/"; + "/" = { + proxyWebsockets = true; + proxyPass = "http://127.0.0.1:${builtins.toString config.services.alina.port}"; + }; + }; - extraConfig = '' - proxy_buffering off; - proxy_request_buffering off; - client_max_body_size 0; - ''; + extraConfig = '' + proxy_buffering off; + proxy_request_buffering off; + client_max_body_size 0; + ''; + }; }; - }; }; } diff --git a/os/kay/pkgs/matrix-sliding-sync.nix b/os/kay/pkgs/matrix-sliding-sync.nix index 17051dc..2095817 100644 --- a/os/kay/pkgs/matrix-sliding-sync.nix +++ b/os/kay/pkgs/matrix-sliding-sync.nix @@ -1,6 +1,7 @@ -{ lib -, buildGoModule -, fetchFromGitHub +{ + lib, + buildGoModule, + fetchFromGitHub, }: buildGoModule rec { diff --git a/os/lia/configuration.nix b/os/lia/configuration.nix index e720cb0..6e5323e 100644 --- a/os/lia/configuration.nix +++ b/os/lia/configuration.nix @@ -11,4 +11,3 @@ ./modules/sshfwd.nix ]; } - diff --git a/os/lia/modules/lxc.nix b/os/lia/modules/lxc.nix index 259c316..012695d 100644 --- a/os/lia/modules/lxc.nix +++ b/os/lia/modules/lxc.nix @@ -1,4 +1,5 @@ -{ pkgs, ... }: let +{ pkgs, ... }: +let container = { name = "ubu"; distro = "ubuntu"; @@ -6,7 +7,8 @@ }; bridge = "lan"; -in { +in +{ virtualisation.lxc.enable = true; environment.systemPackages = with pkgs; [ wget ]; 
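Review bot: The `"/.well-known/matrix/client"` location (and `"/.well-known/matrix/server"` above it) answers with a bare `return`, so the JSON body goes out with the server's `default_type` and without an `Access-Control-Allow-Origin` header; server-side fetchers usually tolerate that, but browser-based Matrix clients doing discovery against `https://${domain}/.well-known/matrix/client` need CORS, and the spec asks for `application/json`. Turning the location into an attribute set whose `extraConfig` sets `default_type application/json;` and the CORS header fixes this; because `add_header` inside a location discards the headers inherited from the server level, re-add `Alt-Svc` there the same way the nixbin `"= /"` location already does. The `virtualHosts` `let` block is fully inside the hunk, but the enclosing `services.nginx` set begins before it.
```nix
"/.well-known/matrix/client" = {
  extraConfig = ''
    default_type application/json;
    add_header Access-Control-Allow-Origin *;
    add_header Alt-Svc 'h3=":443"; ma=2592000; persist=1';
  '';
  return = ''
    200 '${
      builtins.toJSON {
        "m.homeserver".base_url = "https://${domain}";
        "org.matrix.msc3575.proxy".url = "https://sliding.${domain}";
        "m.identity_server".base_url = "https://vector.im";
      }
    }'
  '';
};
# … unchanged: "~ ^(\\/_matrix|\\/_synapse\\/client)" proxyPass …
```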
@@ -22,7 +24,14 @@ in { RemainAfterExit = true; }; - path = with pkgs; [ wget lxc util-linux gnutar xz gawk ]; + path = with pkgs; [ + wget + lxc + util-linux + gnutar + xz + gawk + ]; script = '' if ! lxc-ls | grep -q ${container.name}; then lxc-create -n ${container.name} -t download -- \ diff --git a/os/lia/modules/network/default.nix b/os/lia/modules/network/default.nix index c8d9059..3d58636 100644 --- a/os/lia/modules/network/default.nix +++ b/os/lia/modules/network/default.nix @@ -1,4 +1,5 @@ -{ ... }: let +{ ... }: +let wan = "enp9s0"; in { @@ -7,10 +8,12 @@ in ]; networking = { - interfaces.${wan}.ipv4.addresses = [{ - address = "172.16.148.20"; - prefixLength = 22; - }]; + interfaces.${wan}.ipv4.addresses = [ + { + address = "172.16.148.20"; + prefixLength = 22; + } + ]; defaultGateway = { address = "172.16.148.1"; interface = wan; diff --git a/os/lia/modules/network/router.nix b/os/lia/modules/network/router.nix index b8cac8c..4f22e31 100644 --- a/os/lia/modules/network/router.nix +++ b/os/lia/modules/network/router.nix @@ -1,6 +1,10 @@ -{ ... }: let +{ ... }: +let wanInterface = "enp9s0"; - lanInterfaces = [ "enp1s0f0" "enp1s0f1" ]; + lanInterfaces = [ + "enp1s0f0" + "enp1s0f1" + ]; prefix = 24; subnet = "192.168.1.0"; @@ -8,7 +12,10 @@ leaseRangeStart = "192.168.1.100"; leaseRangeEnd = "192.168.1.254"; - nameServer = [ "10.0.0.2" "10.0.0.3" ]; + nameServer = [ + "10.0.0.2" + "10.0.0.3" + ]; in { networking = { @@ -21,17 +28,21 @@ in }; interfaces.lan = { - ipv4.addresses = [{ - address = host; - prefixLength = prefix; - }]; + ipv4.addresses = [ + { + address = host; + prefixLength = prefix; + } + ]; }; firewall = { - allowedUDPPorts = [ 53 67 ]; + allowedUDPPorts = [ + 53 + 67 + ]; allowedTCPPorts = [ 53 ]; - extraCommands = - "iptables -t nat -I POSTROUTING 1 -s ${subnet}/${toString prefix} -o ${wanInterface} -j MASQUERADE"; + extraCommands = "iptables -t nat -I POSTROUTING 1 -s ${subnet}/${toString prefix} -o ${wanInterface} -j MASQUERADE"; }; }; 
diff --git a/os/lia/modules/sshfwd.nix b/os/lia/modules/sshfwd.nix
index 3c7c006..b7e8d17 100644
--- a/os/lia/modules/sshfwd.nix
+++ b/os/lia/modules/sshfwd.nix
@@ -1,53 +1,57 @@ -{ pkgs, config, ... }: let - mkFwdSrv = { - local_port, - remote_port, - remote_user, - remote ? "sinanmohd.com", - ssh_port ? 22, - key ? config.sops.secrets."sshfwd/${remote}".path, - }: { - "sshfwd-${toString local_port}-${remote}:${toString remote_port}" = { - description = "Forwarding port ${toString local_port} to ${remote}"; +{ pkgs, config, ... }: +let + mkFwdSrv = + { + local_port, + remote_port, + remote_user, + remote ? "sinanmohd.com", + ssh_port ? 22, + key ? config.sops.secrets."sshfwd/${remote}".path, + }: + { + "sshfwd-${toString local_port}-${remote}:${toString remote_port}" = { + description = "Forwarding port ${toString local_port} to ${remote}"; - wantedBy = [ "multi-user.target" ]; - after = [ "network-online.target" ]; - wants = [ "network-online.target" ]; - # restart rather than stop+start this unit to prevent - # the ssh from dying during switch-to-configuration. - stopIfChanged = false; + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; + # restart rather than stop+start this unit to prevent + # the ssh from dying during switch-to-configuration. 
+ stopIfChanged = false; - serviceConfig = { - ExecStart = '' - ${pkgs.openssh}/bin/ssh -N ${remote_user}@${remote} -p ${toString ssh_port} \ - -R '[::]:${toString remote_port}:127.0.0.1:${toString local_port}' \ - -o ServerAliveInterval=15 \ - -o ExitOnForwardFailure=yes \ - -i ${key} - ''; + serviceConfig = { + ExecStart = '' + ${pkgs.openssh}/bin/ssh -N ${remote_user}@${remote} -p ${toString ssh_port} \ + -R '[::]:${toString remote_port}:127.0.0.1:${toString local_port}' \ + -o ServerAliveInterval=15 \ + -o ExitOnForwardFailure=yes \ + -i ${key} + ''; - RestartSec = 3; - Restart = "always"; - }; + RestartSec = 3; + Restart = "always"; + }; + }; }; - }; -in { - sops.secrets."sshfwd/sinanmohd.com" = {}; - sops.secrets."sshfwd/lia.sinanmohd.com" = {}; +in +{ + sops.secrets."sshfwd/sinanmohd.com" = { }; + sops.secrets."sshfwd/lia.sinanmohd.com" = { }; environment.systemPackages = with pkgs; [ openssh ]; - systemd.services - = (mkFwdSrv { - local_port = 22; - remote_user = "lia"; - remote_port = 2222; - }) // - (mkFwdSrv { - local_port = 22; - remote_port = 22; - ssh_port = 23; - remote_user = "root"; - remote = "lia.sinanmohd.com"; - }); + systemd.services = + (mkFwdSrv { + local_port = 22; + remote_user = "lia"; + remote_port = 2222; + }) + // (mkFwdSrv { + local_port = 22; + remote_port = 22; + ssh_port = 23; + remote_user = "root"; + remote = "lia.sinanmohd.com"; + }); } diff --git a/os/lia/modules/users.nix b/os/lia/modules/users.nix index 26f5dc8..3a44104 100644 --- a/os/lia/modules/users.nix +++ b/os/lia/modules/users.nix 
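Review bot: The `ExecStart` built by `mkFwdSrv` passes no `StrictHostKeyChecking`/`UserKnownHostsFile` option, so the authenticity of `sinanmohd.com` and `lia.sinanmohd.com` rests on whatever root's known_hosts happens to contain; unless `programs.ssh.knownHosts` pins both hosts somewhere outside this diff, a fresh install cannot answer the host-key prompt (`-N` runs without a tty) and the unit simply loops under `Restart = "always"`. Pinning the keys declaratively and adding `-o StrictHostKeyChecking=yes \` next to the other `-o` flags makes that dependency explicit instead of host-state dependent. A one-line comment on `-i ${key}` noting that the default path comes from the `sshfwd/${remote}` sops secret would also help the next reader, since the `key ? …` default is several lines above its use.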
@@ -1,18 +1,24 @@ -{ pkgs, ... }: { +{ pkgs, ... }: +{ users.users = { "rohit" = { isNormalUser = true; extraGroups = [ "wheel" ]; - packages = with pkgs; [ git htop ]; - openssh.authorizedKeys.keys = - [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOZcWF1zVyxsCdZ/j+h+RlHZlyhgY2Bky03847bxFNSH rohit@victus" ]; + packages = with pkgs; [ + git + htop + ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOZcWF1zVyxsCdZ/j+h+RlHZlyhgY2Bky03847bxFNSH rohit@victus" + ]; }; "sharu" = { isNormalUser = true; - openssh.authorizedKeys.keys = - [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMAAaAUTiM3YY7E/7lq44aX+2U0IYhp2Qntu7hINcTjF sharu@lappie" ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMAAaAUTiM3YY7E/7lq44aX+2U0IYhp2Qntu7hINcTjF sharu@lappie" + ]; }; }; } diff --git a/os/pc/configuration.nix b/os/pc/configuration.nix index 7e7218a..33f38cd 100644 --- a/os/pc/configuration.nix +++ b/os/pc/configuration.nix @@ -1,6 +1,8 @@ -{ config, pkgs, ... }: let +{ config, pkgs, ... }: +let user = config.global.userdata.name; -in { +in +{ imports = [ ../common/configuration.nix @@ -19,8 +21,8 @@ in { }; services.pipewire = { - enable = true; - pulse.enable = true; + enable = true; + pulse.enable = true; }; documentation.dev.enable = true; diff --git a/os/pc/modules/firejail.nix b/os/pc/modules/firejail.nix index 920607e..f915d07 100644 --- a/os/pc/modules/firejail.nix +++ b/os/pc/modules/firejail.nix @@ -1,4 +1,5 @@ -{ pkgs, lib, ... }: { +{ pkgs, lib, ... }: +{ programs.firejail = { enable = true; diff --git a/os/pc/modules/getty.nix b/os/pc/modules/getty.nix index 8c7f57e..c0d5d1c 100644 --- a/os/pc/modules/getty.nix +++ b/os/pc/modules/getty.nix @@ -1,6 +1,8 @@ -{ config, ... }: let +{ config, ... }: +let user = config.global.userdata.name; -in { +in +{ systemd.services."getty@".serviceConfig.TTYVTDisallocate = "no"; services.getty = { diff --git a/os/pc/modules/network.nix b/os/pc/modules/network.nix index 6e07963..029822f 100644 
--- a/os/pc/modules/network.nix +++ b/os/pc/modules/network.nix @@ -1,5 +1,6 @@ -{ ... }: { - networking.wireless.iwd = { +{ ... }: +{ + networking.wireless.iwd = { enable = true; settings = { diff --git a/os/pc/modules/nocodb.nix b/os/pc/modules/nocodb.nix index 6b26bf2..9bd1d75 100644 --- a/os/pc/modules/nocodb.nix +++ b/os/pc/modules/nocodb.nix @@ -1,6 +1,13 @@ -{ config, pkgs, lib, ... }: let +{ + config, + pkgs, + lib, + ... +}: +let user = config.global.userdata.name; -in { +in +{ programs.firejail.wrappedBinaries.slack = { executable = lib.getExe pkgs.slack; profile = "${pkgs.firejail}/etc/firejail/slack.profile"; diff --git a/os/pc/modules/nopolkit.nix b/os/pc/modules/nopolkit.nix index 0c45f41..f7148aa 100644 --- a/os/pc/modules/nopolkit.nix +++ b/os/pc/modules/nopolkit.nix @@ -1,26 +1,33 @@ -{ config, pkgs, ... }: let +{ config, pkgs, ... }: +let user = config.global.userdata.name; -in { +in +{ security.sudo = { enable = true; - extraRules = [{ - commands = [ - { - command = "${pkgs.systemd}/bin/systemctl suspend-then-hibernate"; - options = [ "SETENV" "NOPASSWD" ]; - } - { - command = "${pkgs.systemd}/bin/reboot"; - options = [ "NOPASSWD" ]; - } - { - command = "${pkgs.systemd}/bin/poweroff"; - options = [ "NOPASSWD" ]; - } - ]; + extraRules = [ + { + commands = [ + { + command = "${pkgs.systemd}/bin/systemctl suspend-then-hibernate"; + options = [ + "SETENV" + "NOPASSWD" + ]; + } + { + command = "${pkgs.systemd}/bin/reboot"; + options = [ "NOPASSWD" ]; + } + { + command = "${pkgs.systemd}/bin/poweroff"; + options = [ "NOPASSWD" ]; + } + ]; - users = [ user ]; - }]; + users = [ user ]; + } + ]; }; } diff --git a/os/pc/modules/sshfs.nix b/os/pc/modules/sshfs.nix index 2dbccce..b173d7c 100644 --- a/os/pc/modules/sshfs.nix +++ b/os/pc/modules/sshfs.nix 
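Review bot: The first `extraRules` entry in nopolkit.nix pairs `NOPASSWD` with `SETENV` on `systemctl suspend-then-hibernate`; `SETENV` lets the invoking user supply environment variables for that root-run command that sudo's `env_reset` would otherwise strip, which turns a narrowly scoped passwordless rule into a much broader one, and nothing in the file says which variable it was added for. If one specific variable is needed, keeping only it via a per-command `Defaults!` entry with `env_keep += "<VAR_NAME>"` (placeholder) in `security.sudo.extraConfig` is the narrower form; otherwise `options = [ "NOPASSWD" ];` matches the `reboot` and `poweroff` entries below it. Either way a short comment on the rule stating why `SETENV` is present would be worth adding.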
@@ -1,9 +1,11 @@ -{ config, pkgs, ... }: let +{ config, pkgs, ... }: +let domain = config.global.userdata.domain; user = config.global.userdata.name; uid = config.users.users.${user}.uid; gid = config.users.groups.users.gid; -in { +in +{ sops.secrets."misc/sftp".sopsFile = ../secrets.yaml; system.fsPackages = with pkgs; [ sshfs ]; @@ -12,12 +14,12 @@ in { fsType = "sshfs"; options = [ - "allow_other" # for non-root access + "allow_other" # for non-root access "uid=${toString uid}" "gid=${toString gid}" - "_netdev" # this is a network fs + "_netdev" # this is a network fs "x-systemd.automount" # mount on demand - "reconnect" # handle connection drops + "reconnect" # handle connection drops "ServerAliveInterval=15" # keep connections alive "IdentityFile=${config.sops.secrets."misc/sftp".path}" ]; diff --git a/os/pc/modules/wayland.nix b/os/pc/modules/wayland.nix index 33f25c8..6787e9a 100644 --- a/os/pc/modules/wayland.nix +++ b/os/pc/modules/wayland.nix @@ -1,11 +1,12 @@ -{ config, pkgs, ... }: let +{ config, pkgs, ... }: +let user = config.global.userdata.name; fontSans = config.global.font.sans.name; fontMonospace = config.global.font.monospace.name; - fontPackages = config.global.font.monospace.packages - ++ config.global.font.sans.packages; -in { + fontPackages = config.global.font.monospace.packages ++ config.global.font.sans.packages; +in +{ fonts = { packages = fontPackages; enableDefaultPackages = true; @@ -32,7 +33,10 @@ in { }; systemd.services.swaynag_battery = { - path = [ pkgs.sway pkgs.systemd ]; + path = [ + pkgs.sway + pkgs.systemd + ]; environment = { # TODO: don't hardcode them WAYLAND_DISPLAY = "wayland-1"; 
@@ -46,19 +50,21 @@ in { systemctl hibernate ''; }; - services.udev.extraRules = let - start = "${pkgs.systemd}/bin/systemctl start swaynag_battery"; - stop = "${pkgs.systemd}/bin/systemctl stop swaynag_battery"; - in '' - SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{capacity}=="[0-9]", RUN+="${start}" - SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${stop}" - SUBSYSTEM=="power_supply", ATTR{status}=="Charging", RUN+="${stop}" - ''; + services.udev.extraRules = + let + start = "${pkgs.systemd}/bin/systemctl start swaynag_battery"; + stop = "${pkgs.systemd}/bin/systemctl stop swaynag_battery"; + in + '' + SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{capacity}=="[0-9]", RUN+="${start}" + SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${stop}" + SUBSYSTEM=="power_supply", ATTR{status}=="Charging", RUN+="${stop}" + ''; hardware.graphics = { enable = true; enable32Bit = true; }; - security.pam.services.swaylock = {}; + security.pam.services.swaylock = { }; } |