Compare commits
No commits in common. "ee4671761833be2c2f46bb77666dc2c51ceeae41" and "334a41619afa54de3c210378b2e5747bba1b3807" have entirely different histories.
ee46717618
...
334a41619a
27 changed files with 209 additions and 288 deletions
|
@ -1,10 +1,9 @@
|
||||||
{ config, ... }:
|
{config, ...}: {
|
||||||
{
|
|
||||||
security.acme = {
|
security.acme = {
|
||||||
acceptTerms = true;
|
acceptTerms = true;
|
||||||
defaults.email = "hey@winston.sh";
|
defaults.email = "hey@winston.sh";
|
||||||
certs."winston.sh" = {
|
certs."winston.sh" = {
|
||||||
extraDomainNames = [ "*.winston.sh" ];
|
extraDomainNames = ["*.winston.sh"];
|
||||||
dnsProvider = "porkbun";
|
dnsProvider = "porkbun";
|
||||||
credentialsFile = config.age.secrets."lego/porkbun-credentials".path;
|
credentialsFile = config.age.secrets."lego/porkbun-credentials".path;
|
||||||
};
|
};
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
{ pkgs, ... }:
|
{pkgs, ...}: {
|
||||||
{
|
|
||||||
imports = [
|
imports = [
|
||||||
./games
|
./games
|
||||||
./secrets
|
./secrets
|
||||||
|
@ -10,6 +9,6 @@
|
||||||
./users.nix
|
./users.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [ wezterm.terminfo ];
|
environment.systemPackages = with pkgs; [wezterm.terminfo];
|
||||||
programs.git.enable = true;
|
programs.git.enable = true;
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,7 +1,5 @@
|
||||||
{ lib, ... }:
|
{lib, ...}: {
|
||||||
{
|
nixpkgs.config.allowUnfreePredicate = pkg:
|
||||||
nixpkgs.config.allowUnfreePredicate =
|
|
||||||
pkg:
|
|
||||||
builtins.elem (lib.getName pkg) [
|
builtins.elem (lib.getName pkg) [
|
||||||
"valheim-server"
|
"valheim-server"
|
||||||
"steamworks-sdk-redist"
|
"steamworks-sdk-redist"
|
||||||
|
|
|
@ -8,7 +8,7 @@
|
||||||
};
|
};
|
||||||
openssh = {
|
openssh = {
|
||||||
enable = true;
|
enable = true;
|
||||||
ports = [ 22 ];
|
ports = [22];
|
||||||
settings = {
|
settings = {
|
||||||
KexAlgorithms = [
|
KexAlgorithms = [
|
||||||
"curve25519-sha256"
|
"curve25519-sha256"
|
||||||
|
|
|
@ -1,16 +1,12 @@
|
||||||
{
|
{
|
||||||
nix = {
|
nix = {
|
||||||
gc.automatic = true;
|
gc.automatic = true;
|
||||||
settings = (import ../flake.nix).nixConfig // {
|
settings =
|
||||||
|
(import ../flake.nix).nixConfig
|
||||||
|
// {
|
||||||
auto-optimise-store = true;
|
auto-optimise-store = true;
|
||||||
experimental-features = [
|
experimental-features = ["nix-command" "flakes"];
|
||||||
"nix-command"
|
trusted-users = ["@wheel" "winston"];
|
||||||
"flakes"
|
|
||||||
];
|
|
||||||
trusted-users = [
|
|
||||||
"@wheel"
|
|
||||||
"winston"
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,13 +1,7 @@
|
||||||
{ lib, ... }:
|
{lib, ...}: {
|
||||||
{
|
age.secrets = with builtins;
|
||||||
age.secrets =
|
listToAttrs (map (k: {
|
||||||
with builtins;
|
|
||||||
listToAttrs (
|
|
||||||
map (k: {
|
|
||||||
name = lib.removeSuffix ".age" k;
|
name = lib.removeSuffix ".age" k;
|
||||||
value = {
|
value = {file = ./. + "/${k}";};
|
||||||
file = ./. + "/${k}";
|
}) (attrNames (import ./secrets.nix)));
|
||||||
};
|
|
||||||
}) (attrNames (import ./secrets.nix))
|
|
||||||
);
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -2,12 +2,8 @@ let
|
||||||
users.winston = "age1yubikey1qfkn095xth4ukxjye98ew4ul6xdkyz7sek0hd67yfjs5z6tv7q9jgnfchls";
|
users.winston = "age1yubikey1qfkn095xth4ukxjye98ew4ul6xdkyz7sek0hd67yfjs5z6tv7q9jgnfchls";
|
||||||
systems.main-node = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFcY5fuyxK8rs3eocLuLnvSPDL6qcvq7oUdYrE+wLj0y";
|
systems.main-node = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFcY5fuyxK8rs3eocLuLnvSPDL6qcvq7oUdYrE+wLj0y";
|
||||||
|
|
||||||
default = [
|
default = [users.winston systems.main-node];
|
||||||
users.winston
|
in {
|
||||||
systems.main-node
|
|
||||||
];
|
|
||||||
in
|
|
||||||
{
|
|
||||||
"containers/faerber.env.age".publicKeys = default;
|
"containers/faerber.env.age".publicKeys = default;
|
||||||
"containers/ghcr-token.age".publicKeys = default;
|
"containers/ghcr-token.age".publicKeys = default;
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
{ config, ... }:
|
{config, ...}: {
|
||||||
{
|
|
||||||
services.atticd = {
|
services.atticd = {
|
||||||
enable = true;
|
enable = true;
|
||||||
credentialsFile = config.age.secrets."services/attic/atticd.env".path;
|
credentialsFile = config.age.secrets."services/attic/atticd.env".path;
|
||||||
|
|
|
@ -1,5 +1,8 @@
|
||||||
{ config, pkgs, ... }:
|
|
||||||
{
|
{
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
services.atuin = {
|
services.atuin = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.unstable.atuin;
|
package = pkgs.unstable.atuin;
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
{ }
|
{}
|
||||||
|
|
|
@ -3,17 +3,14 @@
|
||||||
inputs,
|
inputs,
|
||||||
pkgs,
|
pkgs,
|
||||||
...
|
...
|
||||||
}:
|
}: let
|
||||||
let
|
modules = ["services/misc/forgejo.nix" "services/continuous-integration/gitea-actions-runner.nix"];
|
||||||
modules = [
|
in {
|
||||||
"services/misc/forgejo.nix"
|
|
||||||
"services/continuous-integration/gitea-actions-runner.nix"
|
|
||||||
];
|
|
||||||
in
|
|
||||||
{
|
|
||||||
# swap out stable for unstable modules
|
# swap out stable for unstable modules
|
||||||
disabledModules = modules;
|
disabledModules = modules;
|
||||||
imports = builtins.map (v: "${inputs.nixpkgs-unstable}/nixos/modules/${v}") modules;
|
imports =
|
||||||
|
builtins.map (v: "${inputs.nixpkgs-unstable}/nixos/modules/${v}")
|
||||||
|
modules;
|
||||||
|
|
||||||
age.secrets = {
|
age.secrets = {
|
||||||
"services/forgejo/minio-secretkey".owner = config.services.forgejo.user;
|
"services/forgejo/minio-secretkey".owner = config.services.forgejo.user;
|
||||||
|
@ -21,7 +18,7 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
# forgejo ssh
|
# forgejo ssh
|
||||||
networking.firewall.allowedTCPPorts = [ 22 ];
|
networking.firewall.allowedTCPPorts = [22];
|
||||||
|
|
||||||
# indexer
|
# indexer
|
||||||
services.elasticsearch.enable = true;
|
services.elasticsearch.enable = true;
|
||||||
|
@ -47,13 +44,10 @@ in
|
||||||
settings = {
|
settings = {
|
||||||
DEFAULT.APP_NAME = "winston's forgejo";
|
DEFAULT.APP_NAME = "winston's forgejo";
|
||||||
|
|
||||||
indexer =
|
indexer = with config.services.elasticsearch; let
|
||||||
with config.services.elasticsearch;
|
|
||||||
let
|
|
||||||
indexer = "elasticsearch";
|
indexer = "elasticsearch";
|
||||||
conn = "http://${listenAddress}:${toString port}";
|
conn = "http://${listenAddress}:${toString port}";
|
||||||
in
|
in {
|
||||||
{
|
|
||||||
REPO_INDEXER_ENABLED = true;
|
REPO_INDEXER_ENABLED = true;
|
||||||
REPO_INDEXER_CONN_STR = conn;
|
REPO_INDEXER_CONN_STR = conn;
|
||||||
REPO_INDEXER_TYPE = indexer;
|
REPO_INDEXER_TYPE = indexer;
|
||||||
|
@ -127,7 +121,7 @@ in
|
||||||
name = "main";
|
name = "main";
|
||||||
url = config.services.forgejo.settings.server.ROOT_URL;
|
url = config.services.forgejo.settings.server.ROOT_URL;
|
||||||
tokenFile = config.age.secrets."services/forgejo/runner-token".path;
|
tokenFile = config.age.secrets."services/forgejo/runner-token".path;
|
||||||
labels = [ "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest" ];
|
labels = ["ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest"];
|
||||||
settings.container = {
|
settings.container = {
|
||||||
network = "host";
|
network = "host";
|
||||||
options = "--add-host=forgejo.winston.sh:host-gateway";
|
options = "--add-host=forgejo.winston.sh:host-gateway";
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
{ config, ... }:
|
{config, ...}: {
|
||||||
{
|
|
||||||
services.freshrss = rec {
|
services.freshrss = rec {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
|
|
|
@ -1,15 +1,10 @@
|
||||||
{ config, ... }:
|
{config, ...}: {
|
||||||
{
|
|
||||||
services.geoipupdate = {
|
services.geoipupdate = {
|
||||||
enable = true;
|
enable = true;
|
||||||
settings = {
|
settings = {
|
||||||
AccountID = 1062126;
|
AccountID = 1062126;
|
||||||
LicenseKey = config.age.secrets."services/geoipupdate/license".path;
|
LicenseKey = config.age.secrets."services/geoipupdate/license".path;
|
||||||
EditionIDs = [
|
EditionIDs = ["GeoLite2-ASN" "GeoLite2-City" "GeoLite2-Country"];
|
||||||
"GeoLite2-ASN"
|
|
||||||
"GeoLite2-City"
|
|
||||||
"GeoLite2-Country"
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
{ config, ... }:
|
{config, ...}: {
|
||||||
{
|
|
||||||
services.minio = {
|
services.minio = {
|
||||||
enable = true;
|
enable = true;
|
||||||
browser = true;
|
browser = true;
|
||||||
|
|
|
@ -3,8 +3,7 @@
|
||||||
lib,
|
lib,
|
||||||
pkgs,
|
pkgs,
|
||||||
...
|
...
|
||||||
}:
|
}: let
|
||||||
let
|
|
||||||
geoipDir = config.services.geoipupdate.settings.DatabaseDirectory;
|
geoipDir = config.services.geoipupdate.settings.DatabaseDirectory;
|
||||||
|
|
||||||
log_params = [
|
log_params = [
|
||||||
|
@ -26,8 +25,7 @@ let
|
||||||
];
|
];
|
||||||
log_format = lib.concatStringsSep " " (map (p: "${p}=\"\$${p}\"") log_params);
|
log_format = lib.concatStringsSep " " (map (p: "${p}=\"\$${p}\"") log_params);
|
||||||
log_file = "/var/log/nginx/access.log";
|
log_file = "/var/log/nginx/access.log";
|
||||||
in
|
in {
|
||||||
{
|
|
||||||
services.grafana = {
|
services.grafana = {
|
||||||
enable = true;
|
enable = true;
|
||||||
settings = {
|
settings = {
|
||||||
|
@ -52,7 +50,7 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
additionalModules = [ pkgs.nginxModules.geoip2 ];
|
additionalModules = [pkgs.nginxModules.geoip2];
|
||||||
commonHttpConfig =
|
commonHttpConfig =
|
||||||
# nginx
|
# nginx
|
||||||
''
|
''
|
||||||
|
@ -84,12 +82,10 @@ in
|
||||||
|
|
||||||
globalConfig.scrape_interval = "10s";
|
globalConfig.scrape_interval = "10s";
|
||||||
scrapeConfigs =
|
scrapeConfigs =
|
||||||
(builtins.map
|
(builtins.map (config: {
|
||||||
(config: {
|
|
||||||
inherit (config) job_name;
|
inherit (config) job_name;
|
||||||
static_configs = [ { targets = [ "localhost:${toString config.port}" ]; } ];
|
static_configs = [{targets = ["localhost:${toString config.port}"];}];
|
||||||
})
|
}) [
|
||||||
[
|
|
||||||
{
|
{
|
||||||
job_name = "fail2ban";
|
job_name = "fail2ban";
|
||||||
port = 9191;
|
port = 9191;
|
||||||
|
@ -110,20 +106,17 @@ in
|
||||||
job_name = "postgres";
|
job_name = "postgres";
|
||||||
port = config.services.prometheus.exporters.postgres.port;
|
port = config.services.prometheus.exporters.postgres.port;
|
||||||
}
|
}
|
||||||
]
|
])
|
||||||
)
|
|
||||||
++ [
|
++ [
|
||||||
{
|
{
|
||||||
job_name = "minio";
|
job_name = "minio";
|
||||||
bearer_token_file = config.age.secrets."services/prometheus/minio-bearer-token".path;
|
bearer_token_file = config.age.secrets."services/prometheus/minio-bearer-token".path;
|
||||||
metrics_path = "/minio/v2/metrics/cluster";
|
metrics_path = "/minio/v2/metrics/cluster";
|
||||||
static_configs = [ { targets = [ config.services.minio.listenAddress ]; } ];
|
static_configs = [{targets = [config.services.minio.listenAddress];}];
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
job_name = "forgejo";
|
job_name = "forgejo";
|
||||||
static_configs = with config.services.forgejo.settings.server; [
|
static_configs = with config.services.forgejo.settings.server; [{targets = ["${HTTP_ADDR}:${toString HTTP_PORT}"];}];
|
||||||
{ targets = [ "${HTTP_ADDR}:${toString HTTP_PORT}" ]; }
|
|
||||||
];
|
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
|
@ -166,30 +159,14 @@ in
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
source.files = [ log_file ];
|
source.files = [log_file];
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
node = {
|
node = {
|
||||||
enable = true;
|
enable = true;
|
||||||
enabledCollectors = [
|
enabledCollectors = ["logind" "processes" "systemd"];
|
||||||
"logind"
|
disabledCollectors = ["bonding" "fibrechannel" "infiniband" "ipvs" "mdadm" "nfs" "nfsd" "nvme" "tapestats" "watchdog" "zfs"];
|
||||||
"processes"
|
|
||||||
"systemd"
|
|
||||||
];
|
|
||||||
disabledCollectors = [
|
|
||||||
"bonding"
|
|
||||||
"fibrechannel"
|
|
||||||
"infiniband"
|
|
||||||
"ipvs"
|
|
||||||
"mdadm"
|
|
||||||
"nfs"
|
|
||||||
"nfsd"
|
|
||||||
"nvme"
|
|
||||||
"tapestats"
|
|
||||||
"watchdog"
|
|
||||||
"zfs"
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
postgres = {
|
postgres = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -200,11 +177,11 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.prometheus-fail2ban-exporter = {
|
systemd.services.prometheus-fail2ban-exporter = {
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = ["multi-user.target"];
|
||||||
after = [ "network.target" ];
|
after = ["network.target"];
|
||||||
requires = [ "network-online.target" ];
|
requires = ["network-online.target"];
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
ExecStart = [ (lib.getExe pkgs.prometheus-fail2ban-exporter) ];
|
ExecStart = [(lib.getExe pkgs.prometheus-fail2ban-exporter)];
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
NoNewPrivileges = true;
|
NoNewPrivileges = true;
|
||||||
User = "root";
|
User = "root";
|
||||||
|
|
|
@ -1,5 +1,8 @@
|
||||||
{ config, pkgs, ... }:
|
|
||||||
{
|
{
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
age.secrets = {
|
age.secrets = {
|
||||||
"services/nextcloud/admin-password".owner = "nextcloud";
|
"services/nextcloud/admin-password".owner = "nextcloud";
|
||||||
"services/nextcloud/s3-secret".owner = "nextcloud";
|
"services/nextcloud/s3-secret".owner = "nextcloud";
|
||||||
|
@ -17,7 +20,8 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
extraApps = {
|
extraApps = {
|
||||||
inherit (config.services.nextcloud.package.packages.apps)
|
inherit
|
||||||
|
(config.services.nextcloud.package.packages.apps)
|
||||||
end_to_end_encryption
|
end_to_end_encryption
|
||||||
previewgenerator
|
previewgenerator
|
||||||
twofactor_webauthn
|
twofactor_webauthn
|
||||||
|
|
|
@ -1,11 +1,13 @@
|
||||||
{ config, pkgs, ... }:
|
{
|
||||||
let
|
config,
|
||||||
snakeoilCert = pkgs.runCommand "nginx-snakeoil-cert" { buildInputs = [ pkgs.openssl ]; } ''
|
pkgs,
|
||||||
|
...
|
||||||
|
}: let
|
||||||
|
snakeoilCert = pkgs.runCommand "nginx-snakeoil-cert" {buildInputs = [pkgs.openssl];} ''
|
||||||
mkdir "$out"
|
mkdir "$out"
|
||||||
openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 -subj '/CN=Snakeoil CA' -nodes -out "$out/cert.pem" -keyout "$out/cert.key"
|
openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 -subj '/CN=Snakeoil CA' -nodes -out "$out/cert.pem" -keyout "$out/cert.key"
|
||||||
'';
|
'';
|
||||||
in
|
in {
|
||||||
{
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.nginxMainline;
|
package = pkgs.nginxMainline;
|
||||||
|
@ -42,14 +44,11 @@ in
|
||||||
|
|
||||||
security.dhparams = {
|
security.dhparams = {
|
||||||
enable = true;
|
enable = true;
|
||||||
params.nginx = { };
|
params.nginx = {};
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [
|
networking.firewall.allowedTCPPorts = [80 443];
|
||||||
80
|
|
||||||
443
|
|
||||||
];
|
|
||||||
|
|
||||||
# allow nginx to access Acme secrets
|
# allow nginx to access Acme secrets
|
||||||
users.users.nginx.extraGroups = [ "acme" ];
|
users.users.nginx.extraGroups = ["acme"];
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
{ pkgs, ... }:
|
{pkgs, ...}: {
|
||||||
{
|
|
||||||
services.postgresql = {
|
services.postgresql = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.postgresql_14;
|
package = pkgs.postgresql_14;
|
||||||
|
|
|
@ -3,9 +3,8 @@
|
||||||
inputs,
|
inputs,
|
||||||
pkgs,
|
pkgs,
|
||||||
...
|
...
|
||||||
}:
|
}: {
|
||||||
{
|
imports = ["${inputs.nixpkgs-unstable}/nixos/modules/services/misc/renovate.nix"];
|
||||||
imports = [ "${inputs.nixpkgs-unstable}/nixos/modules/services/misc/renovate.nix" ];
|
|
||||||
|
|
||||||
services.renovate = {
|
services.renovate = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -24,7 +23,7 @@
|
||||||
platform = "gitea";
|
platform = "gitea";
|
||||||
gitAuthor = "renovate[bot] <renovate@winston.sh>";
|
gitAuthor = "renovate[bot] <renovate@winston.sh>";
|
||||||
autodiscover = true;
|
autodiscover = true;
|
||||||
autodiscoverTopics = [ "managed-by-renovate" ];
|
autodiscoverTopics = ["managed-by-renovate"];
|
||||||
|
|
||||||
# performance
|
# performance
|
||||||
cachePrivatePackages = true;
|
cachePrivatePackages = true;
|
||||||
|
|
|
@ -1,5 +1,8 @@
|
||||||
{ config, pkgs, ... }:
|
|
||||||
{
|
{
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
services.wakapi = {
|
services.wakapi = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.unstable.wakapi;
|
package = pkgs.unstable.wakapi;
|
||||||
|
@ -27,7 +30,7 @@
|
||||||
# for agenix owner permissions
|
# for agenix owner permissions
|
||||||
age.secrets."services/wakapi/password-salt.env".owner = "wakapi";
|
age.secrets."services/wakapi/password-salt.env".owner = "wakapi";
|
||||||
users = {
|
users = {
|
||||||
groups.wakapi = { };
|
groups.wakapi = {};
|
||||||
users.wakapi = {
|
users.wakapi = {
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
group = "wakapi";
|
group = "wakapi";
|
||||||
|
|
|
@ -3,35 +3,29 @@
|
||||||
lib,
|
lib,
|
||||||
pkgs,
|
pkgs,
|
||||||
...
|
...
|
||||||
}:
|
}: let
|
||||||
let
|
|
||||||
nu_scripts = "${pkgs.nu_scripts}/share/nu_scripts";
|
nu_scripts = "${pkgs.nu_scripts}/share/nu_scripts";
|
||||||
mkCompletions =
|
mkCompletions = completions:
|
||||||
completions:
|
|
||||||
lib.concatStringsSep "\n" (
|
lib.concatStringsSep "\n" (
|
||||||
builtins.map (
|
builtins.map (
|
||||||
el: "source ${nu_scripts}/custom-completions/${el.name or el}/${el.filename or el}-completions.nu"
|
el: "source ${nu_scripts}/custom-completions/${el.name or el}/${el.filename or el}-completions.nu"
|
||||||
) completions
|
)
|
||||||
|
completions
|
||||||
);
|
);
|
||||||
in
|
in {
|
||||||
{
|
|
||||||
i18n.defaultLocale = "en_US.UTF-8";
|
i18n.defaultLocale = "en_US.UTF-8";
|
||||||
|
|
||||||
users = {
|
users = {
|
||||||
mutableUsers = false;
|
mutableUsers = false;
|
||||||
users.root = {
|
users.root = {
|
||||||
hashedPasswordFile = config.age.secrets."system/password-root".path;
|
hashedPasswordFile = config.age.secrets."system/password-root".path;
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ/mwLoiuaQ6KH+1IOvYO541gq37S43pYtMetilMG3v5"] ++ config.users.users.winston.openssh.authorizedKeys.keys;
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgFwSZPS1B3wndghjmgmamdM5LZ7hqv4fZsbcmYBQWT"
|
|
||||||
] ++ config.users.users.winston.openssh.authorizedKeys.keys;
|
|
||||||
};
|
};
|
||||||
users.winston = {
|
users.winston = {
|
||||||
extraGroups = [ "wheel" ];
|
extraGroups = ["wheel"];
|
||||||
hashedPasswordFile = config.age.secrets."system/password-winston".path;
|
hashedPasswordFile = config.age.secrets."system/password-winston".path;
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILm0O46zW/XfVOSwz0okRWYeOAg+wCVkCtCAoVTpZsOh"];
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILm0O46zW/XfVOSwz0okRWYeOAg+wCVkCtCAoVTpZsOh"
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -108,12 +102,7 @@ in
|
||||||
}
|
}
|
||||||
|
|
||||||
source ${nu_scripts}/aliases/git/git-aliases.nu
|
source ${nu_scripts}/aliases/git/git-aliases.nu
|
||||||
${mkCompletions [
|
${mkCompletions ["git" "man" "rg" "tar"]}
|
||||||
"git"
|
|
||||||
"man"
|
|
||||||
"rg"
|
|
||||||
"tar"
|
|
||||||
]}
|
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
starship.enable = true;
|
starship.enable = true;
|
||||||
|
|
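Review bot: The root account's `openssh.authorizedKeys.keys` entry changes to a different ed25519 key (old `...ICgFwSZPS1B3wnd...`, new `...IJ/mwLoiuaQ6KH+1...`) on the same line that the formatter collapsed, so a credential change on root is hidden inside what the rest of the diff presents as a pure nixfmt-rfc-style to alejandra migration. A key swap for root should land as its own commit with a message saying which key was retired and why, otherwise nobody auditing `git log -p` for authorized-key changes will find it among 27 reformatted files. At minimum, a label on the literal would make the intent reviewable, e.g. `# root: <device/owner of this key — placeholder>` above the list. Note that root also inherits winston's keys through the `++ config.users.users.winston.openssh.authorizedKeys.keys` suffix, so the effective set of keys that can log in as root is two entries, not one; presumably the old key is no longer trusted anywhere else, which is worth confirming. The enclosing `let ... in {` module starts outside the hunk, as does the function header.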
40
flake.nix
40
flake.nix
|
@ -1,21 +1,19 @@
|
||||||
{
|
{
|
||||||
outputs =
|
outputs = {
|
||||||
{
|
|
||||||
flake-parts,
|
flake-parts,
|
||||||
nixpkgs,
|
nixpkgs,
|
||||||
nixpkgs-unstable,
|
nixpkgs-unstable,
|
||||||
self,
|
self,
|
||||||
...
|
...
|
||||||
}@inputs:
|
} @ inputs: let
|
||||||
let
|
|
||||||
overlays = [
|
overlays = [
|
||||||
(final: _: {
|
(final: _: {
|
||||||
unstable = nixpkgs-unstable.legacyPackages.${final.system};
|
unstable = nixpkgs-unstable.legacyPackages.${final.system};
|
||||||
prometheus-fail2ban-exporter = final.callPackage ./pkgs/prometheus-fail2ban-exporter { };
|
prometheus-fail2ban-exporter = final.callPackage ./pkgs/prometheus-fail2ban-exporter {};
|
||||||
})
|
})
|
||||||
];
|
];
|
||||||
in
|
in
|
||||||
flake-parts.lib.mkFlake { inherit inputs; } {
|
flake-parts.lib.mkFlake {inherit inputs;} {
|
||||||
flake = {
|
flake = {
|
||||||
nixosConfigurations.main-node = nixpkgs.lib.nixosSystem {
|
nixosConfigurations.main-node = nixpkgs.lib.nixosSystem {
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
|
@ -35,9 +33,7 @@
|
||||||
inputs.satisfactory-server.nixosModules.default
|
inputs.satisfactory-server.nixosModules.default
|
||||||
inputs.valheim-server.nixosModules.default
|
inputs.valheim-server.nixosModules.default
|
||||||
];
|
];
|
||||||
specialArgs = {
|
specialArgs = {inherit inputs;};
|
||||||
inherit inputs;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
checks = builtins.mapAttrs (_: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
|
checks = builtins.mapAttrs (_: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
|
||||||
|
@ -51,17 +47,17 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
perSystem =
|
perSystem = {
|
||||||
{
|
|
||||||
config,
|
config,
|
||||||
inputs',
|
inputs',
|
||||||
pkgs,
|
pkgs,
|
||||||
self',
|
self',
|
||||||
system,
|
system,
|
||||||
...
|
...
|
||||||
}:
|
}: {
|
||||||
{
|
_module.args.pkgs = import nixpkgs {
|
||||||
_module.args.pkgs = import nixpkgs { inherit overlays system; };
|
inherit overlays system;
|
||||||
|
};
|
||||||
|
|
||||||
devShells.default = pkgs.mkShell {
|
devShells.default = pkgs.mkShell {
|
||||||
inherit (config.pre-commit.devShell) shellHook;
|
inherit (config.pre-commit.devShell) shellHook;
|
||||||
|
@ -75,28 +71,24 @@
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
formatter = pkgs.nixfmt-rfc-style;
|
formatter = pkgs.alejandra;
|
||||||
|
|
||||||
pre-commit = {
|
pre-commit = {
|
||||||
check.enable = true;
|
check.enable = true;
|
||||||
settings.excludes = [ "_sources/" ];
|
settings.excludes = ["_sources/"];
|
||||||
settings.hooks = {
|
settings.hooks = {
|
||||||
|
alejandra.enable = true;
|
||||||
commitizen.enable = true;
|
commitizen.enable = true;
|
||||||
|
deadnix.enable = true;
|
||||||
editorconfig-checker.enable = true;
|
editorconfig-checker.enable = true;
|
||||||
nil.enable = true;
|
nil.enable = true;
|
||||||
nixfmt-rfc-style.enable = true;
|
|
||||||
shellcheck.enable = true;
|
shellcheck.enable = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
imports = [ inputs.pre-commit-hooks.flakeModule ];
|
imports = [inputs.pre-commit-hooks.flakeModule];
|
||||||
systems = [
|
systems = ["x86_64-linux" "aarch64-linux" "aarch64-darwin" "x86_64-darwin"];
|
||||||
"x86_64-linux"
|
|
||||||
"aarch64-linux"
|
|
||||||
"aarch64-darwin"
|
|
||||||
"x86_64-darwin"
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
inputs = {
|
inputs = {
|
||||||
|
|
|
@ -1,6 +1,5 @@
|
||||||
{ pkgs, ... }:
|
{pkgs, ...}: {
|
||||||
{
|
imports = [./hardware-configuration.nix];
|
||||||
imports = [ ./hardware-configuration.nix ];
|
|
||||||
|
|
||||||
boot = {
|
boot = {
|
||||||
loader = {
|
loader = {
|
||||||
|
|
|
@ -3,41 +3,35 @@
|
||||||
lib,
|
lib,
|
||||||
modulesPath,
|
modulesPath,
|
||||||
...
|
...
|
||||||
}:
|
}: {
|
||||||
{
|
imports = [
|
||||||
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
|
(modulesPath + "/profiles/qemu-guest.nix")
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = [
|
|
||||||
"ata_piix"
|
|
||||||
"uhci_hcd"
|
|
||||||
"virtio_pci"
|
|
||||||
"virtio_scsi"
|
|
||||||
"sd_mod"
|
|
||||||
"sr_mod"
|
|
||||||
];
|
];
|
||||||
boot.initrd.kernelModules = [ ];
|
|
||||||
boot.kernelModules = [ ];
|
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
|
||||||
boot.extraModulePackages = [ ];
|
boot.initrd.kernelModules = [];
|
||||||
|
boot.kernelModules = [];
|
||||||
|
boot.extraModulePackages = [];
|
||||||
|
|
||||||
fileSystems."/" = {
|
fileSystems."/" = {
|
||||||
device = "/dev/disk/by-uuid/8e282da8-0e52-4515-8647-fff793b8ead8";
|
device = "/dev/disk/by-uuid/8e282da8-0e52-4515-8647-fff793b8ead8";
|
||||||
fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
options = [ "subvol=root" ];
|
options = ["subvol=root"];
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/home" = {
|
fileSystems."/home" = {
|
||||||
device = "/dev/disk/by-uuid/8e282da8-0e52-4515-8647-fff793b8ead8";
|
device = "/dev/disk/by-uuid/8e282da8-0e52-4515-8647-fff793b8ead8";
|
||||||
fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
options = [ "subvol=home" ];
|
options = ["subvol=home"];
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/nix" = {
|
fileSystems."/nix" = {
|
||||||
device = "/dev/disk/by-uuid/8e282da8-0e52-4515-8647-fff793b8ead8";
|
device = "/dev/disk/by-uuid/8e282da8-0e52-4515-8647-fff793b8ead8";
|
||||||
fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
options = [ "subvol=nix" ];
|
options = ["subvol=nix"];
|
||||||
};
|
};
|
||||||
|
|
||||||
swapDevices = [ ];
|
swapDevices = [];
|
||||||
|
|
||||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||||
|
|
|
@ -1 +1,5 @@
|
||||||
{ imports = [ ./wakapi.nix ]; }
|
{
|
||||||
|
imports = [
|
||||||
|
./wakapi.nix
|
||||||
|
];
|
||||||
|
}
|
||||||
|
|
|
@ -3,10 +3,9 @@
|
||||||
lib,
|
lib,
|
||||||
pkgs,
|
pkgs,
|
||||||
...
|
...
|
||||||
}:
|
}: let
|
||||||
let
|
|
||||||
cfg = config.services.wakapi;
|
cfg = config.services.wakapi;
|
||||||
settingsFormat = pkgs.formats.yaml { };
|
settingsFormat = pkgs.formats.yaml {};
|
||||||
inherit (lib) types;
|
inherit (lib) types;
|
||||||
|
|
||||||
settingsFile = settingsFormat.generate "wakapi-settings" cfg.settings;
|
settingsFile = settingsFormat.generate "wakapi-settings" cfg.settings;
|
||||||
|
@ -14,9 +13,9 @@ let
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
systemd.services.wakapi = {
|
systemd.services.wakapi = {
|
||||||
description = "Wakapi (self-hosted WakaTime-compatible backend)";
|
description = "Wakapi (self-hosted WakaTime-compatible backend)";
|
||||||
wants = [ "network-online.target" ];
|
wants = ["network-online.target"];
|
||||||
after = [ "network-online.target" ];
|
after = ["network-online.target"];
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = ["multi-user.target"];
|
||||||
|
|
||||||
script = ''
|
script = ''
|
||||||
exec ${pkgs.wakapi}/bin/wakapi -config ${settingsFile}
|
exec ${pkgs.wakapi}/bin/wakapi -config ${settingsFile}
|
||||||
|
@ -37,11 +36,7 @@ let
|
||||||
ProtectKernelTunables = true;
|
ProtectKernelTunables = true;
|
||||||
ProtectProc = "invisible";
|
ProtectProc = "invisible";
|
||||||
ProtectSystem = "strict";
|
ProtectSystem = "strict";
|
||||||
RestrictAddressFamilies = [
|
RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"];
|
||||||
"AF_INET"
|
|
||||||
"AF_INET6"
|
|
||||||
"AF_UNIX"
|
|
||||||
];
|
|
||||||
RestrictNamespaces = true;
|
RestrictNamespaces = true;
|
||||||
RestrictRealtime = true;
|
RestrictRealtime = true;
|
||||||
RestrictSUIDSGID = true;
|
RestrictSUIDSGID = true;
|
||||||
|
@ -82,8 +77,8 @@ let
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.wakapi = {
|
systemd.services.wakapi = {
|
||||||
requires = [ "postgresql.service" ];
|
requires = ["postgresql.service"];
|
||||||
after = [ "postgresql.service" ];
|
after = ["postgresql.service"];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -102,11 +97,10 @@ let
|
||||||
public_url = lib.mkDefault cfg.domain;
|
public_url = lib.mkDefault cfg.domain;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
in
|
in {
|
||||||
{
|
|
||||||
options.services.wakapi = {
|
options.services.wakapi = {
|
||||||
enable = lib.mkEnableOption "Wakapi";
|
enable = lib.mkEnableOption "Wakapi";
|
||||||
package = lib.mkPackageOption pkgs "wakapi" { };
|
package = lib.mkPackageOption pkgs "wakapi" {};
|
||||||
|
|
||||||
port = lib.mkOption {
|
port = lib.mkOption {
|
||||||
type = types.int;
|
type = types.int;
|
||||||
|
@ -182,7 +176,7 @@ in
|
||||||
|
|
||||||
settings = lib.mkOption {
|
settings = lib.mkOption {
|
||||||
type = settingsFormat.type;
|
type = settingsFormat.type;
|
||||||
default = { };
|
default = {};
|
||||||
description = lib.mkDoc ''
|
description = lib.mkDoc ''
|
||||||
Settings for Wakapi.
|
Settings for Wakapi.
|
||||||
|
|
||||||
|
@ -191,11 +185,9 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkIf cfg.enable (
|
config = lib.mkIf cfg.enable (lib.mkMerge [
|
||||||
lib.mkMerge [
|
|
||||||
databaseConfig
|
databaseConfig
|
||||||
nginxConfig
|
nginxConfig
|
||||||
serviceConfig
|
serviceConfig
|
||||||
]
|
]);
|
||||||
);
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -2,11 +2,10 @@
|
||||||
buildGoModule,
|
buildGoModule,
|
||||||
fetchFromGitLab,
|
fetchFromGitLab,
|
||||||
lib,
|
lib,
|
||||||
}:
|
}: let
|
||||||
let
|
|
||||||
version = "0.10.1";
|
version = "0.10.1";
|
||||||
in
|
in
|
||||||
buildGoModule {
|
buildGoModule {
|
||||||
pname = "prometheus-fail2ban-exporter";
|
pname = "prometheus-fail2ban-exporter";
|
||||||
inherit version;
|
inherit version;
|
||||||
|
|
||||||
|
@ -25,4 +24,4 @@ buildGoModule {
|
||||||
homepage = "https://gitlab.com/hectorjsmith/fail2ban-prometheus-exporter";
|
homepage = "https://gitlab.com/hectorjsmith/fail2ban-prometheus-exporter";
|
||||||
license = licenses.mit;
|
license = licenses.mit;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|