winston/infra
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: winston:ee4671761833be2c2f46bb77666dc2c51ceeae41
Branches Tags
winston:main
..
compare: winston:334a41619afa54de3c210378b2e5747bba1b3807
Branches Tags
winston:main

No commits in common. "ee4671761833be2c2f46bb77666dc2c51ceeae41" and "334a41619afa54de3c210378b2e5747bba1b3807" have entirely different histories.
ee46717618 ... 334a41619a

27 changed files with 209 additions and 288 deletions
Show stats Expand all files Collapse all files

3
config/acme.nix
View file

@ -1,5 +1,4 @@
{ config, ... }:
{
{config, ...}: {
security.acme = {
acceptTerms = true;
defaults.email = "hey@winston.sh";

3
config/default.nix
View file

@ -1,5 +1,4 @@
{ pkgs, ... }:
{
{pkgs, ...}: {
imports = [
./games
./secrets

6
config/games/valheim.nix
View file

@ -1,7 +1,5 @@
{ lib, ... }:
{
nixpkgs.config.allowUnfreePredicate =
pkg:
{lib, ...}: {
nixpkgs.config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) [
"valheim-server"
"steamworks-sdk-redist"

14
config/nix.nix
View file

@ -1,16 +1,12 @@
{
nix = {
gc.automatic = true;
settings = (import ../flake.nix).nixConfig // {
settings =
(import ../flake.nix).nixConfig
// {
auto-optimise-store = true;
experimental-features = [
"nix-command"
"flakes"
];
trusted-users = [
"@wheel"
"winston"
];
experimental-features = ["nix-command" "flakes"];
trusted-users = ["@wheel" "winston"];
};
};
}

16
config/secrets/default.nix
View file

@ -1,13 +1,7 @@
{ lib, ... }:
{
age.secrets =
with builtins;
listToAttrs (
map (k: {
{lib, ...}: {
age.secrets = with builtins;
listToAttrs (map (k: {
name = lib.removeSuffix ".age" k;
value = {
file = ./. + "/${k}";
};
}) (attrNames (import ./secrets.nix))
);
value = {file = ./. + "/${k}";};
}) (attrNames (import ./secrets.nix)));
}

8
config/secrets/secrets.nix
View file

@ -2,12 +2,8 @@ let
users.winston = "age1yubikey1qfkn095xth4ukxjye98ew4ul6xdkyz7sek0hd67yfjs5z6tv7q9jgnfchls";
systems.main-node = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFcY5fuyxK8rs3eocLuLnvSPDL6qcvq7oUdYrE+wLj0y";
default = [
users.winston
systems.main-node
];
in
{
default = [users.winston systems.main-node];
in {
"containers/faerber.env.age".publicKeys = default;
"containers/ghcr-token.age".publicKeys = default;

3
config/services/attic.nix
View file

@ -1,5 +1,4 @@
{ config, ... }:
{
{config, ...}: {
services.atticd = {
enable = true;
credentialsFile = config.age.secrets."services/attic/atticd.env".path;

5
config/services/atuin.nix
View file

@ -1,5 +1,8 @@
{ config, pkgs, ... }:
{
config,
pkgs,
...
}: {
services.atuin = {
enable = true;
package = pkgs.unstable.atuin;

22
config/services/forgejo.nix
View file

@ -3,17 +3,14 @@
inputs,
pkgs,
...
}:
let
modules = [
"services/misc/forgejo.nix"
"services/continuous-integration/gitea-actions-runner.nix"
];
in
{
}: let
modules = ["services/misc/forgejo.nix" "services/continuous-integration/gitea-actions-runner.nix"];
in {
# swap out stable for unstable modules
disabledModules = modules;
imports = builtins.map (v: "${inputs.nixpkgs-unstable}/nixos/modules/${v}") modules;
imports =
builtins.map (v: "${inputs.nixpkgs-unstable}/nixos/modules/${v}")
modules;
age.secrets = {
"services/forgejo/minio-secretkey".owner = config.services.forgejo.user;
@ -47,13 +44,10 @@ in
settings = {
DEFAULT.APP_NAME = "winston's forgejo";
indexer =
with config.services.elasticsearch;
let
indexer = with config.services.elasticsearch; let
indexer = "elasticsearch";
conn = "http://${listenAddress}:${toString port}";
in
{
in {
REPO_INDEXER_ENABLED = true;
REPO_INDEXER_CONN_STR = conn;
REPO_INDEXER_TYPE = indexer;

3
config/services/freshrss.nix
View file

@ -1,5 +1,4 @@
{ config, ... }:
{
{config, ...}: {
services.freshrss = rec {
enable = true;

9
config/services/geoipupdate.nix
View file

@ -1,15 +1,10 @@
{ config, ... }:
{
{config, ...}: {
services.geoipupdate = {
enable = true;
settings = {
AccountID = 1062126;
LicenseKey = config.age.secrets."services/geoipupdate/license".path;
EditionIDs = [
"GeoLite2-ASN"
"GeoLite2-City"
"GeoLite2-Country"
];
EditionIDs = ["GeoLite2-ASN" "GeoLite2-City" "GeoLite2-Country"];
};
};
}

3
config/services/minio.nix
View file

@ -1,5 +1,4 @@
{ config, ... }:
{
{config, ...}: {
services.minio = {
enable = true;
browser = true;

39
config/services/monitoring.nix
View file

@ -3,8 +3,7 @@
lib,
pkgs,
...
}:
let
}: let
geoipDir = config.services.geoipupdate.settings.DatabaseDirectory;
log_params = [
@ -26,8 +25,7 @@ let
];
log_format = lib.concatStringsSep " " (map (p: "${p}=\"\$${p}\"") log_params);
log_file = "/var/log/nginx/access.log";
in
{
in {
services.grafana = {
enable = true;
settings = {
@ -84,12 +82,10 @@ in
globalConfig.scrape_interval = "10s";
scrapeConfigs =
(builtins.map
(config: {
(builtins.map (config: {
inherit (config) job_name;
static_configs = [{targets = ["localhost:${toString config.port}"];}];
})
[
}) [
{
job_name = "fail2ban";
port = 9191;
@ -110,8 +106,7 @@ in
job_name = "postgres";
port = config.services.prometheus.exporters.postgres.port;
}
]
)
])
++ [
{
job_name = "minio";
@ -121,9 +116,7 @@ in
}
{
job_name = "forgejo";
static_configs = with config.services.forgejo.settings.server; [
{ targets = [ "${HTTP_ADDR}:${toString HTTP_PORT}" ]; }
];
static_configs = with config.services.forgejo.settings.server; [{targets = ["${HTTP_ADDR}:${toString HTTP_PORT}"];}];
}
];
@ -172,24 +165,8 @@ in
};
node = {
enable = true;
enabledCollectors = [
"logind"
"processes"
"systemd"
];
disabledCollectors = [
"bonding"
"fibrechannel"
"infiniband"
"ipvs"
"mdadm"
"nfs"
"nfsd"
"nvme"
"tapestats"
"watchdog"
"zfs"
];
enabledCollectors = ["logind" "processes" "systemd"];
disabledCollectors = ["bonding" "fibrechannel" "infiniband" "ipvs" "mdadm" "nfs" "nfsd" "nvme" "tapestats" "watchdog" "zfs"];
};
postgres = {
enable = true;

8
config/services/nextcloud.nix
View file

@ -1,5 +1,8 @@
{ config, pkgs, ... }:
{
config,
pkgs,
...
}: {
age.secrets = {
"services/nextcloud/admin-password".owner = "nextcloud";
"services/nextcloud/s3-secret".owner = "nextcloud";
@ -17,7 +20,8 @@
};
extraApps = {
inherit (config.services.nextcloud.package.packages.apps)
inherit
(config.services.nextcloud.package.packages.apps)
end_to_end_encryption
previewgenerator
twofactor_webauthn

15
config/services/nginx.nix
View file

@ -1,11 +1,13 @@
{ config, pkgs, ... }:
let
{
config,
pkgs,
...
}: let
snakeoilCert = pkgs.runCommand "nginx-snakeoil-cert" {buildInputs = [pkgs.openssl];} ''
mkdir "$out"
openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 -subj '/CN=Snakeoil CA' -nodes -out "$out/cert.pem" -keyout "$out/cert.key"
'';
in
{
in {
services.nginx = {
enable = true;
package = pkgs.nginxMainline;
@ -45,10 +47,7 @@ in
params.nginx = {};
};
networking.firewall.allowedTCPPorts = [
80
443
];
networking.firewall.allowedTCPPorts = [80 443];
# allow nginx to access Acme secrets
users.users.nginx.extraGroups = ["acme"];

3
config/services/postgres.nix
View file

@ -1,5 +1,4 @@
{ pkgs, ... }:
{
{pkgs, ...}: {
services.postgresql = {
enable = true;
package = pkgs.postgresql_14;

3
config/services/renovate.nix
View file

@ -3,8 +3,7 @@
inputs,
pkgs,
...
}:
{
}: {
imports = ["${inputs.nixpkgs-unstable}/nixos/modules/services/misc/renovate.nix"];
services.renovate = {

5
config/services/wakapi.nix
View file

@ -1,5 +1,8 @@
{ config, pkgs, ... }:
{
config,
pkgs,
...
}: {
services.wakapi = {
enable = true;
package = pkgs.unstable.wakapi;

27
config/users.nix
View file

@ -3,35 +3,29 @@
lib,
pkgs,
...
}:
let
}: let
nu_scripts = "${pkgs.nu_scripts}/share/nu_scripts";
mkCompletions =
completions:
mkCompletions = completions:
lib.concatStringsSep "\n" (
builtins.map (
el: "source ${nu_scripts}/custom-completions/${el.name or el}/${el.filename or el}-completions.nu"
) completions
)
completions
);
in
{
in {
i18n.defaultLocale = "en_US.UTF-8";
users = {
mutableUsers = false;
users.root = {
hashedPasswordFile = config.age.secrets."system/password-root".path;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgFwSZPS1B3wndghjmgmamdM5LZ7hqv4fZsbcmYBQWT"
] ++ config.users.users.winston.openssh.authorizedKeys.keys;
openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ/mwLoiuaQ6KH+1IOvYO541gq37S43pYtMetilMG3v5"] ++ config.users.users.winston.openssh.authorizedKeys.keys;
};
users.winston = {
extraGroups = ["wheel"];
hashedPasswordFile = config.age.secrets."system/password-winston".path;
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILm0O46zW/XfVOSwz0okRWYeOAg+wCVkCtCAoVTpZsOh"
];
openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILm0O46zW/XfVOSwz0okRWYeOAg+wCVkCtCAoVTpZsOh"];
};
};
@ -108,12 +102,7 @@ in
}
source ${nu_scripts}/aliases/git/git-aliases.nu
${mkCompletions [
"git"
"man"
"rg"
"tar"
]}
${mkCompletions ["git" "man" "rg" "tar"]}
'';
};
starship.enable = true;

32
flake.nix
View file

@ -1,13 +1,11 @@
{
outputs =
{
outputs = {
flake-parts,
nixpkgs,
nixpkgs-unstable,
self,
...
}@inputs:
let
} @ inputs: let
overlays = [
(final: _: {
unstable = nixpkgs-unstable.legacyPackages.${final.system};
@ -35,9 +33,7 @@
inputs.satisfactory-server.nixosModules.default
inputs.valheim-server.nixosModules.default
];
specialArgs = {
inherit inputs;
};
specialArgs = {inherit inputs;};
};
checks = builtins.mapAttrs (_: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
@ -51,17 +47,17 @@
};
};
perSystem =
{
perSystem = {
config,
inputs',
pkgs,
self',
system,
...
}:
{
_module.args.pkgs = import nixpkgs { inherit overlays system; };
}: {
_module.args.pkgs = import nixpkgs {
inherit overlays system;
};
devShells.default = pkgs.mkShell {
inherit (config.pre-commit.devShell) shellHook;
@ -75,28 +71,24 @@
];
};
formatter = pkgs.nixfmt-rfc-style;
formatter = pkgs.alejandra;
pre-commit = {
check.enable = true;
settings.excludes = ["_sources/"];
settings.hooks = {
alejandra.enable = true;
commitizen.enable = true;
deadnix.enable = true;
editorconfig-checker.enable = true;
nil.enable = true;
nixfmt-rfc-style.enable = true;
shellcheck.enable = true;
};
};
};
imports = [inputs.pre-commit-hooks.flakeModule];
systems = [
"x86_64-linux"
"aarch64-linux"
"aarch64-darwin"
"x86_64-darwin"
];
systems = ["x86_64-linux" "aarch64-linux" "aarch64-darwin" "x86_64-darwin"];
};
inputs = {

3
hosts/main-node/default.nix
View file

@ -1,5 +1,4 @@
{ pkgs, ... }:
{
{pkgs, ...}: {
imports = [./hardware-configuration.nix];
boot = {

16
hosts/main-node/hardware-configuration.nix
View file

@ -3,18 +3,12 @@
lib,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];

6
modules/default.nix
View file

@ -1 +1,5 @@
{ imports = [ ./wakapi.nix ]; }
{
imports = [
./wakapi.nix
];
}

18
modules/wakapi.nix
View file

@ -3,8 +3,7 @@
lib,
pkgs,
...
}:
let
}: let
cfg = config.services.wakapi;
settingsFormat = pkgs.formats.yaml {};
inherit (lib) types;
@ -37,11 +36,7 @@ let
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
@ -102,8 +97,7 @@ let
public_url = lib.mkDefault cfg.domain;
};
};
in
{
in {
options.services.wakapi = {
enable = lib.mkEnableOption "Wakapi";
package = lib.mkPackageOption pkgs "wakapi" {};
@ -191,11 +185,9 @@ in
};
};
config = lib.mkIf cfg.enable (
lib.mkMerge [
config = lib.mkIf cfg.enable (lib.mkMerge [
databaseConfig
nginxConfig
serviceConfig
]
);
]);
}

3
pkgs/prometheus-fail2ban-exporter/default.nix
View file

@ -2,8 +2,7 @@
buildGoModule,
fetchFromGitLab,
lib,
}:
let
}: let
version = "0.10.1";
in
buildGoModule {