diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ef07fd9..c40fdf4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,11 +1,12 @@
 name: CI
-
 on:
 push:
-
+defaults:
+ run:
+ shell: nix develop --command bash -c "{0}"
 env:
- ATTIC_AUTH_TOKEN: ${{ secrets.ATTIC_AUTH_TOKEN }}
-
+ CACHE_NAME: qois
+ CACHE_REPOSITORY: qois:qois-infrastructure
 jobs:
 build:
 runs-on: nix
@@ -15,25 +16,20 @@ jobs:
 with:
 token: ${{ secrets.CI_TOKEN }}
 lfs: false
-
- - name: Use attic cache
- run: nix run .#cache use
-
- - name: Build
+ - name: Setup Attic Cache
+ env:
+ SERVER: https://attic.qo.is/
+ ATTIC_AUTH_TOKEN: ${{ secrets.ATTIC_AUTH_TOKEN }}
 run: |
- nix build --max-jobs 12 --cores 12
- nix run .#cache push
-
- - name: Run Checks
- run: nix flake check
-
+ attic login "$CACHE_NAME" "$SERVER" "$ATTIC_AUTH_TOKEN"
+ attic use "$CACHE_REPOSITORY"
+ - name: Run Builds and Checks
+ run: nix-fast-build --no-nom --max-jobs 6 --skip-cached --attic-cache "$CACHE_REPOSITORY"
 - name: Deploy Docs
 if: success() && github.ref == 'refs/heads/main'
 run: |
 mkdir ~/.ssh/
 echo -e "Host lindberg-webapps.backplane.net.qo.is\n StrictHostKeyChecking no" >> ~/.ssh/config
 (umask 0077 && printf "%s\n" "${{ secrets.SSH_DEPLOY_KEY }}" > ~/.ssh/id_ed25519)
- # Remote build might be neccessary due to non-wheel nix users signing restrictions.
- # However, the build should come from the cache anyway.
- nix develop --command deploy --skip-checks --remote-build .#lindberg-webapps.\"docs-ops.qo.is\"
-
+ deploy --skip-checks --remote-build .#lindberg-webapps.\"docs-ops.qo.is\"
+ # Remote build is neccessary due to non-wheel nix users signing restrictions. However, the build should come from the cache anyway.
diff --git a/.gitignore b/.gitignore
index 900f5b8..6454c83 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,4 @@ result*
 /book
 /.sops.yaml
 /.nixos-test-history
+/.pre-commit-config.yaml
diff --git a/.nixd.json b/.nixd.json
index b1e6c19..1e4b0db 100644
--- a/.nixd.json
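Review bot: The new `defaults.run.shell: nix develop --command bash -c "{0}"` drops the fail-fast that the runner's built-in `bash` shell applies (`bash -e {0}` on GitHub-compatible runners), so in the multi-line steps of this workflow a failing `attic login` or a failed write of the deploy key is masked by whatever the step's last command returns. If `{0}` is substituted with the generated script's path as on GitHub, `bash -c` also executes that path as a command rather than reading the file, which only works when the runner marks it executable; I cannot tell from here whether this runner does. Prefer `shell: nix develop --command bash -eo pipefail {0}` so each step stops at the first failing command.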
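Review bot: The Deploy Docs step still disables host authentication for the target (`StrictHostKeyChecking no` in the context lines) before the now-unwrapped `deploy --skip-checks --remote-build` pushes the closure over SSH with the deploy key, so a spoofed `lindberg-webapps.backplane.net.qo.is` on the backplane would be accepted without any error; pin the host key instead by writing the host's public key line from a repository variable into `~/.ssh/known_hosts` and dropping the config override. In the new Setup Attic Cache step the token is passed as a command-line argument (`attic login "$CACHE_NAME" "$SERVER" "$ATTIC_AUTH_TOKEN"`), which exposes it in the process list of a shared runner; if the attic client reads `ATTIC_AUTH_TOKEN` from the environment, which this diff does not confirm, the argument can simply be omitted since the variable is already set in the step's `env:`. The `${{ secrets.SSH_DEPLOY_KEY }}` expression is also still expanded directly into the script body; passing it through the step's `env:` block, as the attic token now is, would make the two steps consistent and keep the secret out of the rendered script.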
+++ b/.nixd.json @@ -1,18 +1,21 @@ { - "eval": { - "target": { - "args": ["-f", "default.nix"], - "installable": "" - } - }, - "formatting": { - "command": "nixfmt" - }, - "options": { - "enable": true, - "target": { - "args": [], - "installable": "" - } + "eval": { + "target": { + "args": [ + "-f", + "default.nix" + ], + "installable": "" } + }, + "formatting": { + "command": "nixfmt" + }, + "options": { + "enable": true, + "target": { + "args": [], + "installable": "" + } + } } diff --git a/.vscode/extensions.json b/.vscode/extensions.json index fce5ab4..76d746c 100644 --- a/.vscode/extensions.json +++ b/.vscode/extensions.json @@ -1,5 +1,5 @@ { - "recommendations": [ - "jnoortheen.nix-ide" - ] -} \ No newline at end of file + "recommendations": [ + "jnoortheen.nix-ide" + ] +} diff --git a/README.md b/README.md index 4899007..5c75a76 100644 --- a/README.md +++ b/README.md 
@@ -6,66 +6,65 @@ Check out the current [rendered documentation](https://docs-ops.qo.is). ## Structure -`nixos-configurations`: Main nixos configuration for every host. -`defaults`: Configuration defaults -`nixos-modules`: Custom modules (e.g. for vpn and routers) +`nixos-configurations`: Main nixos configuration for every host.\ +`defaults`: Configuration defaults\ +`nixos-modules`: Custom modules (e.g. for vpn and routers)\ `private`: Private configuration values (like users, sops-encrypted secrets and keys) -## Building - -This repository requires [nix flakes](https://nixos.wiki/wiki/Flakes) - -- `nix build` - Build all host configurations and docs -- `nix build .#nixosConfigurations..config.system.build.toplevel` - Build a single host configuration with -- `nix build .#docs` - Build the documentation website - ## Development -- `nix develop` +This repository requires [nix flakes](https://nixos.wiki/wiki/Flakes) + +- `nix flake check`\ + Execute the project's checks, which includes building all configurations and packages. See [Tests](./checks/README.md). + +- `nix build .#nixosConfigurations..config.system.build.toplevel`\ + Build a single host configuration. + +- `nix build .#docs`\ + Build the documentation website. + +- `nix develop`\ Development environment -- `nix flake check` - Execute the project's checks -- `nix fmt` + +- `nix fmt`\ Autofix formatting -### Working with the private submodule +### Secrets and `private` Submodule -To clone with submodules (if you have access): +Secret management is done with [nix-sops](https://github.com/Mic92/sops-nix) and a git submodule in `private`.\ +Make sure you have the submodule correctly available. To clone with submodules (if you have access): ```bash git clone --recurse-submodules https://git.qo.is/qo.is/infrastructure.git +# See below for how to commit changes. 
``` -On changes: - -```bash -git add private -nix flake lock --update-input private -``` - -## Deployment - -`nix run .#deploy-qois` - -See [Deployment](deploy/README.md) for details. - -## Secrets - -Secret management is done with [nix-sops](https://github.com/Mic92/sops-nix). - Secrets are stored in `private/passwords.sops.yaml` (sysadmin passwords), -`private/nixos-configurations/secrets.sops.yaml` (shared secrets for all hosts) and +`private/nixos-modules/shared-secrets/default.sops.yaml` (shared secrets for all hosts) and `private/nixos-configurations//secrets.sops.yaml` (host specific secrets). -Usage: +To modify secrets: ```bash sops $file # To edit a file sops-rekey # To rekey all secrets, e.g. after a key rollover or new host ``` -After changing secrets, don't forget to push the sub-repository and run -`nix flake update private` in the infrastructure repository to use the changes in builds. +After changing secrets: + +```bash +# Commit changes in subrepo +pushd private + git commit + git push + nix flake prefetch . # Make subrepo available in nix store. Required until nix 2.27. +popd + +git add private +nix flake lock --update-input private +``` + +## Deployment + +See [Deployment](deploy/README.md) for details. diff --git a/SUMMARY.md b/SUMMARY.md index fdbf4d1..d562822 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -4,7 +4,7 @@ - [Testing](checks/README.md) - [Deployment](deploy/README.md) ---- +______________________________________________________________________ - [Network Topology](defaults/meta/network.md) - [Hardware (generic)](defaults/hardware/README.md) @@ -12,7 +12,6 @@ - [Updates](updates.md) - [New Host Setup](nixos-configurations/setup.md) - # Services - [E-mail](email.md) diff --git a/checks/README.md b/checks/README.md index c5f73f5..d8f6db8 100644 --- a/checks/README.md +++ b/checks/README.md 
@@ -1,11 +1,19 @@ -# Tests +# Tests + +`nix flake check` currently: + +- builds all nixos-configurations +- builds all packages +- runs all [nixos-module tests](#module-tests) +- checks all deployment configurations +- checks repository formatting. ## Module Tests We test our nixos modules with [NixOS tests](https://nixos.org/manual/nixos/stable/index.html#sec-nixos-tests). Running nixos tests requires QEMU virtualisation, so make sure you have KVM virtualisation support enabled. -Run all: `nix build .#checks.x86_64-linux.nixos-modules` +Run all: `nix build .#checks.x86_64-linux.nixos-modules`\ Run single test: `nix build .#checks.x86_64-linux.nixos-modules.entries.vm-test-run-testNameAsInDerivationName` ### Run Test Interactively diff --git a/checks/default.nix b/checks/default.nix index 66d5b0b..19ee99a 100644 --- a/checks/default.nix +++ b/checks/default.nix @@ -1,26 +1,22 @@ { self, + flakeSelf, system, pkgs, deployPkgs, + treefmtEval, ... -}: +}@inputs: { ${system} = { - - # Check project formatting - format = pkgs.runCommand "nixfmt-check" { } '' - set -euo pipefail - cd ${self} - ${self.formatter.${system}}/bin/formatter . --check - mkdir $out - ''; + formatting = treefmtEval.config.build.check flakeSelf; nixos-modules = pkgs.callPackage ./nixos-modules { + defaultModule = self.nixosModules.default; inherit (self.lib) getSubDirs isFolderWithFile; }; - #TODO(#29): Integration/System tests + nixos-configurations = import ./nixos-configurations inputs; # Import deploy-rs tests } // (deployPkgs.deploy-rs.lib.deployChecks self.deploy); diff --git a/checks/nixos-configurations/default.nix b/checks/nixos-configurations/default.nix new file mode 100644 index 0000000..689078b --- /dev/null +++ b/checks/nixos-configurations/default.nix @@ -0,0 +1,4 @@ +{ self, pkgs, ... }: +pkgs.linkFarmFromDrvs "all" ( + pkgs.lib.mapAttrsToList (_n: v: v.config.system.build.toplevel) self.nixosConfigurations +) 
diff --git a/checks/nixos-modules/default.nix b/checks/nixos-modules/default.nix index 74e8a25..4773359 100644 --- a/checks/nixos-modules/default.nix +++ b/checks/nixos-modules/default.nix @@ -4,12 +4,14 @@ getSubDirs, lib, testers, + defaultModule, }: let inherit (lib) filter path mkDefault + mkForce readFile attrNames concatStringsSep @@ -23,6 +25,7 @@ let in testers.runNixOSTest { inherit name; + imports = [ (import (getFilePath "test.nix") { inherit name; @@ -30,7 +33,12 @@ let }) ]; - defaults.imports = [ (getFilePath "default.nix") ]; + defaults = { + imports = [ defaultModule ]; + + qois.outgoing-server-mail.enable = mkForce false; + qois.backup-client.enable = mkForce false; + }; # Calls a `test(...)` python function in the test's python file with the list of nodes and helper functions. # Helper symbols may be added as function args when needed and can be found in: diff --git a/checks/packages/default.nix b/checks/packages/default.nix new file mode 100644 index 0000000..dbd8049 --- /dev/null +++ b/checks/packages/default.nix @@ -0,0 +1,5 @@ +{ self, pkgs, ... }: +let + inherit (pkgs.lib) attrValues; +in +pkgs.linkFarmFromDrvs "all" (attrValues self.packages) diff --git a/defaults/hardware/README.md b/defaults/hardware/README.md index f59f745..fbf1f50 100644 --- a/defaults/hardware/README.md +++ b/defaults/hardware/README.md @@ -1,4 +1,3 @@ - # APU ## Setup @@ -7,5 +6,5 @@ To boot the nixos installer with the console port, add `console=ttyS0,115200n8` # ASROCK Mainboards -`F2`: Boot into BIOS +`F2`: Boot into BIOS\ `F11`: Select boot device diff --git a/defaults/hardware/apu.nix b/defaults/hardware/apu.nix index e4256dc..5cdb6dc 100644 --- a/defaults/hardware/apu.nix +++ b/defaults/hardware/apu.nix @@ -2,9 +2,7 @@ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. { - config, lib, - pkgs, modulesPath, ... }: 
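Review bot: The new `defaults` block force-disables `qois.outgoing-server-mail` and `qois.backup-client` on every test node without saying why, and because it uses `mkForce` no module test can re-enable them, which silently excludes those two modules from this test harness. A short comment would capture both facts, e.g. `# nixosModules.default enables mail relay and backup client; force them off so test VMs need no secrets or network. mkForce wins over test-local settings, so these two modules are not exercised here.` I am inferring the reason from `defaultModule` now being imported instead of the module under test's own `default.nix`; confirm against nixos-modules/default.nix, which is outside this diff.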
diff --git a/defaults/hardware/apu1.nix b/defaults/hardware/apu1.nix index 9c6e00a..b5084d0 100644 --- a/defaults/hardware/apu1.nix +++ b/defaults/hardware/apu1.nix @@ -2,9 +2,7 @@ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. { - config, lib, - pkgs, modulesPath, ... }: diff --git a/defaults/hardware/asrock-z790m.nix b/defaults/hardware/asrock-z790m.nix index c90c220..db198d1 100644 --- a/defaults/hardware/asrock-z790m.nix +++ b/defaults/hardware/asrock-z790m.nix @@ -2,9 +2,7 @@ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. { - config, lib, - pkgs, modulesPath, ... }: diff --git a/defaults/hardware/asrock.nix b/defaults/hardware/asrock.nix index 44b3f10..0b4baef 100644 --- a/defaults/hardware/asrock.nix +++ b/defaults/hardware/asrock.nix @@ -1,7 +1,5 @@ { - config, lib, - pkgs, modulesPath, ... }: diff --git a/defaults/meta/default.nix b/defaults/meta/default.nix index 19bb5b6..bf4f5bd 100644 --- a/defaults/meta/default.nix +++ b/defaults/meta/default.nix @@ -1,7 +1,4 @@ { - config, - lib, - pkgs, ... }: { diff --git a/defaults/meta/network-physical.nix b/defaults/meta/network-physical.nix index f3e7806..a83fe09 100644 --- a/defaults/meta/network-physical.nix +++ b/defaults/meta/network-physical.nix @@ -1,7 +1,4 @@ { - config, - lib, - pkgs, ... }: { diff --git a/defaults/meta/network-virtual.nix b/defaults/meta/network-virtual.nix index f8ed2e3..1c323c1 100644 --- a/defaults/meta/network-virtual.nix +++ b/defaults/meta/network-virtual.nix @@ -1,7 +1,5 @@ { config, - lib, - pkgs, ... }: { diff --git a/defaults/meta/network.md b/defaults/meta/network.md index 72e13ba..f119bf9 100644 --- a/defaults/meta/network.md +++ b/defaults/meta/network.md @@ -74,7 +74,6 @@ All Services are published under the *qo.is* domain name. Following services are ## Contacts - ### Init7 - [Status Netzwerkdienste](https://www.init7.net/status/) 
diff --git a/deploy/README.md b/deploy/README.md index 0a5b7ab..8c95d8a 100644 --- a/deploy/README.md +++ b/deploy/README.md @@ -4,7 +4,6 @@ Note that you have to be connected to the `vpn.qo.is` (or execute the deployment from a host that is in the `backplane.net.qo.is` overlay network) and that you need to have SSH root access to the target machines. - ## Deploy to selected target hosts ```bash diff --git a/deploy/default.nix b/deploy/default.nix index 5fb1a86..990140e 100644 --- a/deploy/default.nix +++ b/deploy/default.nix @@ -1,5 +1,4 @@ { - deployPkgs, pkgs, self, ... diff --git a/deploy/docs-ops/default.nix b/deploy/docs-ops/default.nix index 01c25d1..7fcf9ae 100644 --- a/deploy/docs-ops/default.nix +++ b/deploy/docs-ops/default.nix @@ -1,6 +1,5 @@ { deployPkgs, - pkgs, self, system, ... diff --git a/dev-shells/default.nix b/dev-shells/default.nix index 0b238d5..fc8bc5a 100644 --- a/dev-shells/default.nix +++ b/dev-shells/default.nix @@ -1,9 +1,21 @@ { pkgs, + git-hooks-nix, + treefmtEval, system, self, ... }: +let + pre-commit-check = git-hooks-nix.lib.${system}.run { + src = ../.; + hooks.treefmt = { + enable = true; + package = treefmtEval.config.build.wrapper; + always_run = true; + }; + }; +in { ${system}.default = pkgs.mkShellNoCC { name = "qois-infrastructure-shell"; @@ -14,9 +26,9 @@ vscode = pkgs.vscodium; }; in - [ vscodium-with-extensions ] + pre-commit-check.enabledPackages + ++ [ vscodium-with-extensions ] ++ (with self.packages.${system}; [ - cache deploy-qois sops sops-rekey @@ -24,14 +36,15 @@ ++ (with pkgs; [ attic-client deploy-rs + jq + nix-fast-build nixVersions.git nixd nixfmt-rfc-style nixos-anywhere - ssh-to-age pssh + ssh-to-age yq - jq ]); LANG = "C.UTF-8"; LC_ALL = "C.UTF-8"; 
@@ -47,11 +60,7 @@ done export XDG_DATA_DIRS - # Make sure we support the pure case as well as non nixos cases - # where dynamic bash completions were not sourced. - #if ! type _completion_loader > /dev/null; then - # . ${pkgs.bash-completion}/etc/profile.d/bash_completion.sh - #fi + ${pre-commit-check.shellHook} ''; }; } diff --git a/email.md b/email.md index 902badc..bba9063 100644 --- a/email.md +++ b/email.md @@ -9,7 +9,6 @@ E-Mail accounts should be created in a `first.lastname@qo.is` fashion. Alias/forwarding Domains may be added on an best effort basis. Bills for these domains should go directly to the respective owner (i.e. should be registered with own accounts). - ## System E-mails For groups, systems, services that require e-mail access, other accounts may be created. diff --git a/flake.lock b/flake.lock index 18386cf..d817032 100644 --- a/flake.lock +++ b/flake.lock 
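Review bot: `${pre-commit-check.shellHook}` now runs on every entry into the dev shell, and since ci.yml wraps each run step in `nix develop --command`, it will execute at the start of every CI step; if it behaves like git-hooks.nix's standard hook it installs pre-commit hooks into `.git/hooks` of the checkout, which is repeated work per step and a write into the repository that CI does not need. Consider guarding it, e.g. `if [ -z "''${CI:-}" ]; then ${pre-commit-check.shellHook} fi`, or keep the hook out of the shell CI uses. What the hook actually does is not visible in this diff, so this is inferred from the package's usual behaviour.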
@@ -56,18 +56,77 @@ "type": "github" } }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "git-hooks-nix": { + "inputs": { + "flake-compat": "flake-compat_2", + "gitignore": "gitignore", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1742649964, + "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "git-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "nixpkgs": { "locked": { - "lastModified": 1702272962, - "narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=", + "lastModified": 1742669843, + "narHash": "sha256-G5n+FOXLXcRx+3hCJ6Rt6ZQyF1zqQ0DL0sWAMn2Nk0w=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d", + "rev": "1e5b653dff12029333a6546c11e108ede13052eb", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixpkgs-unstable", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } 
@@ -88,7 +147,7 @@ "type": "github" } }, - "nixpkgs-nixos-unstable": { + "nixpkgs_2": { "locked": { "lastModified": 1742669843, "narHash": "sha256-G5n+FOXLXcRx+3hCJ6Rt6ZQyF1zqQ0DL0sWAMn2Nk0w=", @@ -106,15 +165,16 @@ }, "private": { "inputs": { - "nixpkgs-nixos-unstable": [ - "nixpkgs-nixos-unstable" + "nixpkgs": [ + "nixpkgs" ] }, "locked": { - "lastModified": 1737552783, - "narHash": "sha256-pJ2lp36L3++a5HtdN7ULcVpdB4j7yo90TDayWuAO+T8=", - "rev": "33cf80043c64ddd6882268430454e3cbe98b692b", - "revCount": 11, + "lastModified": 1742912717, + "narHash": "sha256-jKDVM4hLzNwYpg1/at53B2LZIEEvey1UUIi5cR8wNVQ=", + "ref": "refs/heads/main", + "rev": "80b04cd406adc46357888614ecc3f467b85ab8fa", + "revCount": 15, "type": "git", "url": "file:./private" }, @@ -127,16 +187,18 @@ "inputs": { "deploy-rs": "deploy-rs", "disko": "disko", + "git-hooks-nix": "git-hooks-nix", + "nixpkgs": "nixpkgs_2", "nixpkgs-nixos-stable": "nixpkgs-nixos-stable", - "nixpkgs-nixos-unstable": "nixpkgs-nixos-unstable", "private": "private", - "sops-nix": "sops-nix" + "sops-nix": "sops-nix", + "treefmt-nix": "treefmt-nix" } }, "sops-nix": { "inputs": { "nixpkgs": [ - "nixpkgs-nixos-unstable" + "nixpkgs" ] }, "locked": { @@ -168,6 +230,26 @@ "type": "github" } }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1742370146, + "narHash": "sha256-XRE8hL4vKIQyVMDXykFh4ceo3KSpuJF3ts8GKwh5bIU=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "adc195eef5da3606891cedf80c0d9ce2d3190808", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, "utils": { "inputs": { "systems": "systems" diff --git a/flake.nix b/flake.nix index d9dae25..8668199 100644 --- a/flake.nix +++ b/flake.nix 
@@ -5,34 +5,48 @@ extra-trusted-public-keys = "qois-infrastructure:lh35ymN7Aoxm5Hz0S6JusxE+cYzMU+x9OMKjDVIpfuE="; }; inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + nixpkgs-nixos-stable.url = "github:NixOS/nixpkgs/nixos-24.11"; + + treefmt-nix = { + url = "github:numtide/treefmt-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + git-hooks-nix = { + url = "github:cachix/git-hooks.nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + deploy-rs.url = "github:serokell/deploy-rs"; disko = { url = "github:nix-community/disko"; inputs.nixpkgs.follows = "nixpkgs-nixos-stable"; }; - nixpkgs-nixos-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; - nixpkgs-nixos-stable.url = "github:NixOS/nixpkgs/nixos-24.11"; - sops-nix = { - url = "github:Mic92/sops-nix"; - inputs = { - nixpkgs.follows = "nixpkgs-nixos-unstable"; - }; - }; private.url = "git+file:./private"; - private.inputs.nixpkgs-nixos-unstable.follows = "nixpkgs-nixos-unstable"; + private.inputs.nixpkgs.follows = "nixpkgs"; }; outputs = - { nixpkgs-nixos-unstable, deploy-rs, ... }@inputs: + { + self, + nixpkgs, + deploy-rs, + treefmt-nix, + ... + }@inputs: let system = "x86_64-linux"; # Packages for development and build process - pkgs = import nixpkgs-nixos-unstable { inherit system; }; - deployPkgs = import nixpkgs-nixos-unstable { + pkgs = import nixpkgs { inherit system; }; + deployPkgs = import nixpkgs { inherit system; overlays = [ deploy-rs.overlay - (self: super: { + (_self: super: { deploy-rs = { inherit (pkgs) deploy-rs; lib = super.deploy-rs.lib; 
@@ -40,22 +54,86 @@ }) ]; }; - importParams = inputs // { - inherit pkgs; - inherit deployPkgs; - inherit system; + treefmtEval = treefmt-nix.lib.evalModule pkgs ./treefmt.nix; + importParams = { + inherit (inputs) + deploy-rs + disko + nixpkgs-nixos-stable + sops-nix + private + git-hooks-nix + ; + inherit + deployPkgs + pkgs + system + treefmtEval + ; + flakeSelf = self; }; in { - checks = import ./checks/default.nix importParams; - deploy = import ./deploy/default.nix importParams; - devShells = import ./dev-shells/default.nix importParams; - formatter.${system} = pkgs.writeShellScriptBin "formatter" '' - ${pkgs.findutils}/bin/find $1 -type f -name '*.nix' -exec ${pkgs.nixfmt-rfc-style}/bin/nixfmt ''${@:2} {} + - ''; - nixosConfigurations = import ./nixos-configurations/default.nix importParams; - nixosModules = import ./nixos-modules/default.nix importParams; - packages = import ./packages/default.nix importParams; - lib = import ./lib/default.nix importParams; + checks = import ./checks/default.nix ( + importParams + // { + self = { + inherit (self) + lib + packages + nixosModules + nixosConfigurations + deploy + ; + }; + } + ); + deploy = import ./deploy/default.nix ( + importParams + // { + self = { + inherit (self) + lib + packages + nixosModules + nixosConfigurations + ; + }; + } + ); + devShells = import ./dev-shells/default.nix ( + importParams + // { + self = { + inherit (self) lib packages; + }; + } + ); + formatter.${system} = treefmtEval.config.build.wrapper; + nixosConfigurations = import ./nixos-configurations/default.nix ( + importParams + // { + self = { + inherit (self) lib packages nixosModules; + }; + } + ); + nixosModules = import ./nixos-modules/default.nix ( + importParams + // { + self = { + inherit (self) lib packages; + }; + } + ); + packages = import ./packages/default.nix ( + importParams + // { + self = { + inherit (self) lib packages; + }; + } + ); + lib = import ./lib/default.nix { inherit pkgs; }; }; } 
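Review bot: Each output now receives a hand-picked subset of `self` instead of the whole flake, but nothing states the intent, and the next maintainer will be tempted to pass `self` back in when an output needs one more attribute; a comment above `importParams` such as `# Each output gets only the flake outputs it reads (never the full self) so dependencies between outputs stay explicit and cannot recurse through outputs evaluated later. flakeSelf carries the source path for checks that need it.` would capture it. I am inferring the motivation from the structure; confirm it matches what you had in mind.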
diff --git a/lib/default.nix b/lib/default.nix index e4cd3ee..3d70a2c 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -8,7 +8,7 @@ let path ; # Get a list of all subdirectories of a directory. - getSubDirs = base: attrNames (filterAttrs (n: t: t == "directory") (builtins.readDir base)); + getSubDirs = base: attrNames (filterAttrs (_n: t: t == "directory") (builtins.readDir base)); # Check if a folder with a base path and folder name contains a file with a specific name isFolderWithFile = fileName: basePath: folderName: diff --git a/nixos-configurations/calanda/default.nix b/nixos-configurations/calanda/default.nix index 18bd0e2..a397319 100644 --- a/nixos-configurations/calanda/default.nix +++ b/nixos-configurations/calanda/default.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ ... }: { imports = [ @@ -6,8 +6,6 @@ ./filesystems.nix ../../defaults/hardware/apu.nix - - ../../defaults/meta ]; qois.system.physical.enable = true; diff --git a/nixos-configurations/calanda/filesystems.nix b/nixos-configurations/calanda/filesystems.nix index ecb21b4..f240ed6 100644 --- a/nixos-configurations/calanda/filesystems.nix +++ b/nixos-configurations/calanda/filesystems.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ ... }: { fileSystems."/" = { diff --git a/nixos-configurations/calanda/networking.nix b/nixos-configurations/calanda/networking.nix index 46ac9cd..9ad8dbe 100644 --- a/nixos-configurations/calanda/networking.nix +++ b/nixos-configurations/calanda/networking.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, ... }: let meta = config.qois.meta; diff --git a/nixos-configurations/cyprianspitz/README.md b/nixos-configurations/cyprianspitz/README.md index d6369f9..b01d9bc 100644 --- a/nixos-configurations/cyprianspitz/README.md +++ b/nixos-configurations/cyprianspitz/README.md 
@@ -1,17 +1,16 @@ # Host: Cyprianspitz -## Operations {#_operations} +## Operations {#\_operations} Reboot requires passphrase. -``` bash +```bash # Get HDD Password: sops decrypt --extract '["system"]["hdd"]' private/nixos-configurations/cyprianspitz/secrets.sops.yaml ssh -p 8223 root@calanda.plessur-ext.net.qo.is ``` - Direct remote ssh access: ``` @@ -24,8 +23,6 @@ TODO - [Mainboard Manual](docs/z790m-itx-wifi.pdf) - - ### Top Overview ![](docs/top-view.jpg) diff --git a/nixos-configurations/cyprianspitz/applications/backup.nix b/nixos-configurations/cyprianspitz/applications/backup.nix index 241fba8..c364132 100644 --- a/nixos-configurations/cyprianspitz/applications/backup.nix +++ b/nixos-configurations/cyprianspitz/applications/backup.nix @@ -1,4 +1,4 @@ -{ pkgs, config, ... }: +{ config, ... }: { qois.backup-server = { diff --git a/nixos-configurations/cyprianspitz/applications/default.nix b/nixos-configurations/cyprianspitz/applications/default.nix index 18cd6ea..0a2aceb 100644 --- a/nixos-configurations/cyprianspitz/applications/default.nix +++ b/nixos-configurations/cyprianspitz/applications/default.nix @@ -1,6 +1,4 @@ { - config, - pkgs, lib, ... }: diff --git a/nixos-configurations/cyprianspitz/applications/vpn.nix b/nixos-configurations/cyprianspitz/applications/vpn.nix index 2fafbd0..ea7c158 100644 --- a/nixos-configurations/cyprianspitz/applications/vpn.nix +++ b/nixos-configurations/cyprianspitz/applications/vpn.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ ... }: { qois.vpn-server.enable = true; } diff --git a/nixos-configurations/cyprianspitz/default.nix b/nixos-configurations/cyprianspitz/default.nix index a306350..fd20520 100644 --- a/nixos-configurations/cyprianspitz/default.nix +++ b/nixos-configurations/cyprianspitz/default.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ ... }: { imports = [ @@ -10,8 +10,6 @@ ./virtualisation.nix ../../defaults/hardware/asrock-z790m.nix - - ../../defaults/meta ]; qois.system.physical.enable = true; 
diff --git a/nixos-configurations/cyprianspitz/networking.nix b/nixos-configurations/cyprianspitz/networking.nix index 0d55ee9..3423220 100644 --- a/nixos-configurations/cyprianspitz/networking.nix +++ b/nixos-configurations/cyprianspitz/networking.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, ... }: let meta = config.qois.meta; diff --git a/nixos-configurations/cyprianspitz/virtualisation.nix b/nixos-configurations/cyprianspitz/virtualisation.nix index 5905bdf..6e7a883 100644 --- a/nixos-configurations/cyprianspitz/virtualisation.nix +++ b/nixos-configurations/cyprianspitz/virtualisation.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ pkgs, ... }: { virtualisation.libvirtd = { enable = true; diff --git a/nixos-configurations/default.nix b/nixos-configurations/default.nix index 00253e0..475d6d5 100644 --- a/nixos-configurations/default.nix +++ b/nixos-configurations/default.nix @@ -2,16 +2,16 @@ self, pkgs, nixpkgs-nixos-stable, - disko, - sops-nix, ... }@inputs: let + inherit (pkgs.lib) genAttrs; + inherit (nixpkgs-nixos-stable.lib) nixosSystem; configs = self.lib.foldersWithNix ./.; in -pkgs.lib.genAttrs configs ( +genAttrs configs ( config: - nixpkgs-nixos-stable.lib.nixosSystem { + nixosSystem { system = "x86_64-linux"; specialArgs = { inherit inputs; @@ -19,15 +19,6 @@ pkgs.lib.genAttrs configs ( modules = [ self.nixosModules.default ./${config}/default.nix - disko.nixosModules.disko - sops-nix.nixosModules.sops - ( - { ... }: - { - system.extraSystemBuilderCmds = "ln -s ${self} $out/nixos-configuration"; - imports = [ ./secrets.nix ]; - } - ) ]; } ) diff --git a/nixos-configurations/lindberg-build/applications/default.nix b/nixos-configurations/lindberg-build/applications/default.nix index 35d4632..b965c04 100644 --- a/nixos-configurations/lindberg-build/applications/default.nix +++ b/nixos-configurations/lindberg-build/applications/default.nix @@ -1,5 +1,4 @@ { - config, pkgs, lib, ... 
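Review bot: The second hunk of nixos-configurations/default.nix drops `sops-nix.nixosModules.sops`, `disko.nixosModules.disko`, `./secrets.nix` and the `ln -s ${self} $out/nixos-configuration` builder command from every host's module list, leaving only `self.nixosModules.default`; if that default module does not now import sops-nix and declare the shared `msmtp/password` and `wgautomesh/gossip-secret` secrets, every host silently loses them at activation, and nothing in this diff shows where they went (the README hunk mentions `private/nixos-modules/shared-secrets`, which suggests they were moved). The dropped symlink was also the only on-host record of which flake revision produced a generation, which matters when reconstructing what was running during an incident; if it was not moved into the default module, restore it here as `system.extraSystemBuilderCmds = "ln -s ${flakeSelf} $out/nixos-configuration";`, using `flakeSelf` because `self` in this file is now the narrowed output set rather than the source path. A comment on the module list, `# disko, sops-nix and the shared secrets are pulled in by nixosModules.default`, would make the dependency explicit.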
diff --git a/nixos-configurations/lindberg-build/applications/nixpkgs-cache.nix b/nixos-configurations/lindberg-build/applications/nixpkgs-cache.nix index f097544..66807ed 100644 --- a/nixos-configurations/lindberg-build/applications/nixpkgs-cache.nix +++ b/nixos-configurations/lindberg-build/applications/nixpkgs-cache.nix @@ -1,8 +1,7 @@ -{ config, pkgs, ... }: +{ config, ... }: { qois.nixpkgs-cache = { enable = true; - hostname = "nixpkgs-cache.qo.is"; dnsResolvers = [ config.qois.meta.network.virtual.lindberg-vms-nat.hosts.lindberg.v4.ip ]; }; } diff --git a/nixos-configurations/lindberg-build/default.nix b/nixos-configurations/lindberg-build/default.nix index b0f1911..dc3a626 100644 --- a/nixos-configurations/lindberg-build/default.nix +++ b/nixos-configurations/lindberg-build/default.nix @@ -1,8 +1,7 @@ -{ config, pkgs, ... }: +{ ... }: { imports = [ - ../../defaults/meta ./applications ./disko-config.nix diff --git a/nixos-configurations/lindberg-build/networking.nix b/nixos-configurations/lindberg-build/networking.nix index 0e8f881..0564355 100644 --- a/nixos-configurations/lindberg-build/networking.nix +++ b/nixos-configurations/lindberg-build/networking.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, ... }: { diff --git a/nixos-configurations/lindberg-nextcloud/backup.nix b/nixos-configurations/lindberg-nextcloud/backup.nix index 3b5da39..561f4b1 100644 --- a/nixos-configurations/lindberg-nextcloud/backup.nix +++ b/nixos-configurations/lindberg-nextcloud/backup.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ ... }: { diff --git a/nixos-configurations/lindberg-nextcloud/default.nix b/nixos-configurations/lindberg-nextcloud/default.nix index d9ccc62..3bfc14a 100644 --- a/nixos-configurations/lindberg-nextcloud/default.nix +++ b/nixos-configurations/lindberg-nextcloud/default.nix @@ -1,8 +1,7 @@ -{ config, pkgs, ... }: +{ config, ... }: { imports = [ - ../../defaults/meta ./applications ./backup.nix ./secrets.nix 
diff --git a/nixos-configurations/lindberg-webapps/applications/README.md b/nixos-configurations/lindberg-webapps/applications/README.md index c9ce161..7a0a199 100644 --- a/nixos-configurations/lindberg-webapps/applications/README.md +++ b/nixos-configurations/lindberg-webapps/applications/README.md @@ -2,7 +2,6 @@ ## Setting up new static sites - Generate ssh key for deployment: ```bash diff --git a/nixos-configurations/lindberg-webapps/applications/default.nix b/nixos-configurations/lindberg-webapps/applications/default.nix index 9efef42..672e080 100644 --- a/nixos-configurations/lindberg-webapps/applications/default.nix +++ b/nixos-configurations/lindberg-webapps/applications/default.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ pkgs, ... }: { imports = [ ]; diff --git a/nixos-configurations/lindberg-webapps/default.nix b/nixos-configurations/lindberg-webapps/default.nix index f875d44..00b64a7 100644 --- a/nixos-configurations/lindberg-webapps/default.nix +++ b/nixos-configurations/lindberg-webapps/default.nix @@ -1,9 +1,7 @@ -{ config, pkgs, ... }: +{ ... }: { imports = [ - ../../defaults/meta - ./applications ./disko-config.nix ./networking.nix diff --git a/nixos-configurations/lindberg-webapps/networking.nix b/nixos-configurations/lindberg-webapps/networking.nix index 07f42ff..6a5c63d 100644 --- a/nixos-configurations/lindberg-webapps/networking.nix +++ b/nixos-configurations/lindberg-webapps/networking.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, ... }: { diff --git a/nixos-configurations/lindberg/README.md b/nixos-configurations/lindberg/README.md index c6957d9..7ac97ea 100644 --- a/nixos-configurations/lindberg/README.md +++ b/nixos-configurations/lindberg/README.md @@ -1,10 +1,10 @@ # Host: Lindberg -## Operations {#_operations} +## Operations {#\_operations} Reboot requires passphrase (see pass `host/lindberg/hdd_luks`) -``` bash +```bash ssh -p 2222 root@lindberg.riedbach-ext.net.qo.is ``` 
@@ -12,7 +12,6 @@ ssh -p 2222 root@lindberg.riedbach-ext.net.qo.is - [Mainboard Manual](docs/X570Pro4-mainboard-manual.pdf) - ### Front / Back #### Front Overview diff --git a/nixos-configurations/lindberg/applications/default.nix b/nixos-configurations/lindberg/applications/default.nix index e0d34f0..bf4ab0c 100644 --- a/nixos-configurations/lindberg/applications/default.nix +++ b/nixos-configurations/lindberg/applications/default.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ ... }: { imports = [ ./loadbalancer.nix ]; diff --git a/nixos-configurations/lindberg/applications/loadbalancer.nix b/nixos-configurations/lindberg/applications/loadbalancer.nix index 97427d2..2594617 100644 --- a/nixos-configurations/lindberg/applications/loadbalancer.nix +++ b/nixos-configurations/lindberg/applications/loadbalancer.nix @@ -1,7 +1,4 @@ { - config, - pkgs, - lib, ... }: diff --git a/nixos-configurations/lindberg/backup.nix b/nixos-configurations/lindberg/backup.nix index bb9bb11..7421be3 100644 --- a/nixos-configurations/lindberg/backup.nix +++ b/nixos-configurations/lindberg/backup.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ ... }: { qois.backup-client.includePaths = [ "/mnt/data" ]; diff --git a/nixos-configurations/lindberg/default.nix b/nixos-configurations/lindberg/default.nix index 6c26cca..2bf286c 100644 --- a/nixos-configurations/lindberg/default.nix +++ b/nixos-configurations/lindberg/default.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ ... }: { imports = [ @@ -11,8 +11,6 @@ ./virtualisation.nix ../../defaults/hardware/asrock.nix - - ../../defaults/meta ]; qois.system.physical.enable = true; diff --git a/nixos-configurations/lindberg/networking.nix b/nixos-configurations/lindberg/networking.nix index fb06bc6..aab51c3 100644 --- a/nixos-configurations/lindberg/networking.nix +++ b/nixos-configurations/lindberg/networking.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, ... }: let meta = config.qois.meta; 
diff --git a/nixos-configurations/lindberg/virtualisation.nix b/nixos-configurations/lindberg/virtualisation.nix index 5905bdf..6e7a883 100644 --- a/nixos-configurations/lindberg/virtualisation.nix +++ b/nixos-configurations/lindberg/virtualisation.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ pkgs, ... }: { virtualisation.libvirtd = { enable = true; diff --git a/nixos-configurations/secrets.nix b/nixos-configurations/secrets.nix deleted file mode 100644 index 0757d74..0000000 --- a/nixos-configurations/secrets.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ inputs, ... }: -{ - sops.secrets = - let - allHostsSecretsFile = "${inputs.private}/nixos-configurations/secrets.sops.yaml"; - in - { - "msmtp/password".sopsFile = allHostsSecretsFile; - "wgautomesh/gossip-secret".sopsFile = allHostsSecretsFile; - }; -} diff --git a/nixos-configurations/setup.md b/nixos-configurations/setup.md index 542eb18..11fdcf8 100644 --- a/nixos-configurations/setup.md +++ b/nixos-configurations/setup.md @@ -3,8 +3,8 @@ ## Prepare Remote Machine 1. Boot nixos installer image -2. Set a root password: `sudo passwd root` -3. Get host ip to connect to ssh with `ip a` +1. Set a root password: `sudo passwd root` +1. Get host ip to connect to ssh with `ip a` ## Verify configuration @@ -12,7 +12,7 @@ ## Installation -```bash +````bash nix develop # Set according to what we want @@ -60,11 +60,11 @@ sops exec-file --no-fifo --filename secret.key private/nixos-configurations/$REM --disk-encryption-keys /run/secrets/system/hdd.key <(yq --raw-output '.system.hdd' {}) \ --disk-encryption-keys /run/secrets/system/initrd-ssh-key <(yq --raw-output '.system.\"initrd-ssh-key\"' {}) " -``` +```` ## Post-Setup -* Add backplane-vpn pubkey to `network-virtual.nix` configuration with +- Add backplane-vpn pubkey to `network-virtual.nix` configuration with ```bash wg pubkey < /secrets/wireguard/private/backplane ``` 
diff --git a/nixos-configurations/stompert/README.md b/nixos-configurations/stompert/README.md index 8a46e06..84ceeb2 100644 --- a/nixos-configurations/stompert/README.md +++ b/nixos-configurations/stompert/README.md @@ -1,7 +1,7 @@ -# Operations {#_operations} +# Operations {#\_operations} Reboot requires passphrase (see pass `host/stompert/hdd_luks`) -``` bash +```bash ssh -p 2222 root@stompert.eem-ext.net.qo.is ``` diff --git a/nixos-configurations/stompert/default.nix b/nixos-configurations/stompert/default.nix index 7419b91..688aa31 100644 --- a/nixos-configurations/stompert/default.nix +++ b/nixos-configurations/stompert/default.nix @@ -2,13 +2,11 @@ # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ config, pkgs, ... }: +{ ... }: { imports = [ ../../defaults/hardware/apu.nix - - ../../defaults/meta ]; qois.system.physical.enable = true; diff --git a/nixos-modules/attic/default.nix b/nixos-modules/attic/default.nix index e5ff733..5ab774f 100644 --- a/nixos-modules/attic/default.nix +++ b/nixos-modules/attic/default.nix @@ -1,6 +1,5 @@ { config, - pkgs, lib, ... }: diff --git a/nixos-modules/backplane-net.hosts/default.nix b/nixos-modules/backplane-net.hosts/default.nix index b249dac..ea58c18 100644 --- a/nixos-modules/backplane-net.hosts/default.nix +++ b/nixos-modules/backplane-net.hosts/default.nix @@ -1,6 +1,5 @@ { config, - pkgs, lib, ... }: @@ -35,7 +34,7 @@ in networking.hosts = pipe cfg.loadbalancers [ (map (hostname: config.qois.meta.network.virtual.backplane.hosts.${hostname}.v4.ip)) - (flip genAttrs (lb: cfg.domains)) + (flip genAttrs (_lb: cfg.domains)) ]; }; diff --git a/nixos-modules/backplane-net/default.nix b/nixos-modules/backplane-net/default.nix index 08fb31e..b5c2c4d 100644 --- a/nixos-modules/backplane-net/default.nix +++ b/nixos-modules/backplane-net/default.nix 
@@ -1,19 +1,12 @@ { config, lib, - pkgs, ... }: with lib; let cfg = config.qois.backplane-net; - hostName = config.networking.hostName; - netConfig = config.qois.meta.network.virtual.${cfg.netName}; - hostNetConfig = netConfig.hosts.${hostName}; - interface = "wg-${cfg.netName}"; - wgService = [ "wireguard-${interface}.service" ]; in - { options.qois.backplane-net = { enable = mkEnableOption "Enable backplane server services"; @@ -22,11 +15,6 @@ in type = types.str; default = "backplane"; }; - domain = mkOption { - description = "Domain"; - type = types.str; - default = hostNetConfig; - }; port = mkOption { description = "Wireguard Default Port"; type = types.number; 
@@ -34,50 +22,59 @@ in }; }; - config = { - sops.secrets."wgautomesh/gossip-secret".restartUnits = [ "wgautomesh.service" ]; + config = lib.mkIf cfg.enable ( + let + hostName = config.networking.hostName; + netConfig = config.qois.meta.network.virtual.${cfg.netName}; + hostNetConfig = netConfig.hosts.${hostName}; + interface = "wg-${cfg.netName}"; + wgService = [ "wireguard-${interface}.service" ]; + in + { + sops.secrets."wgautomesh/gossip-secret".restartUnits = [ "wgautomesh.service" ]; - networking.wireguard.enable = true; - networking.wireguard.interfaces."wg-${cfg.netName}" = { - ips = [ "${hostNetConfig.v4.ip}/${toString netConfig.v4.prefixLength}" ]; - listenPort = if hostNetConfig.endpoint != null then hostNetConfig.endpoint.port else cfg.port; - privateKeyFile = "/secrets/wireguard/private/${cfg.netName}"; - generatePrivateKeyFile = true; - }; - - systemd.network.wait-online.ignoredInterfaces = [ interface ]; - - networking.firewall.allowedUDPPorts = - if hostNetConfig.endpoint != null then [ hostNetConfig.endpoint.port ] else [ cfg.port ]; - - # Configure wgautomesh to setup peers. 
Make sure that the name is not used in the VPN module - services.wgautomesh = { - enable = true; - gossipSecretFile = config.sops.secrets."wgautomesh/gossip-secret".path; - openFirewall = true; - settings = { - inherit interface; - - # Map meta network configuration to the format of wgautomesh and filter out peers with endpoints - peers = pipe netConfig.hosts [ - (filterAttrs (peerHostName: _: peerHostName != hostName)) # Not this host - (mapAttrsToList ( - _: peerConfig: { - address = peerConfig.v4.ip; - endpoint = - if (peerConfig.endpoint != null) then - with peerConfig.endpoint; "${fqdn}:${toString port}" - else - null; - pubkey = peerConfig.publicKey; - } - )) - ]; + networking.wireguard.enable = true; + networking.wireguard.interfaces."wg-${cfg.netName}" = { + ips = [ "${hostNetConfig.v4.ip}/${toString netConfig.v4.prefixLength}" ]; + listenPort = if hostNetConfig.endpoint != null then hostNetConfig.endpoint.port else cfg.port; + privateKeyFile = "/secrets/wireguard/private/${cfg.netName}"; + generatePrivateKeyFile = true; }; - }; - systemd.services.wgautomesh = { - requires = wgService; - after = wgService; - }; - }; + + systemd.network.wait-online.ignoredInterfaces = [ interface ]; + + networking.firewall.allowedUDPPorts = + if hostNetConfig.endpoint != null then [ hostNetConfig.endpoint.port ] else [ cfg.port ]; + + # Configure wgautomesh to setup peers. 
Make sure that the name is not used in the VPN module + services.wgautomesh = { + enable = true; + gossipSecretFile = config.sops.secrets."wgautomesh/gossip-secret".path; + openFirewall = true; + settings = { + inherit interface; + + # Map meta network configuration to the format of wgautomesh and filter out peers with endpoints + peers = pipe netConfig.hosts [ + (filterAttrs (peerHostName: _: peerHostName != hostName)) # Not this host + (mapAttrsToList ( + _: peerConfig: { + address = peerConfig.v4.ip; + endpoint = + if (peerConfig.endpoint != null) then + with peerConfig.endpoint; "${fqdn}:${toString port}" + else + null; + pubkey = peerConfig.publicKey; + } + )) + ]; + }; + }; + systemd.services.wgautomesh = { + requires = wgService; + after = wgService; + }; + } + ); } diff --git a/nixos-modules/backup-client/default.nix b/nixos-modules/backup-client/default.nix index 5e45d82..df872f0 100644 --- a/nixos-modules/backup-client/default.nix +++ b/nixos-modules/backup-client/default.nix @@ -2,8 +2,6 @@ config, lib, options, - pkgs, - self, ... }: diff --git a/nixos-modules/backup-server/default.nix b/nixos-modules/backup-server/default.nix index fe3c79f..15df544 100644 --- a/nixos-modules/backup-server/default.nix +++ b/nixos-modules/backup-server/default.nix @@ -2,8 +2,6 @@ config, lib, options, - pkgs, - self, ... }: diff --git a/nixos-modules/cloud/README.md b/nixos-modules/cloud/README.md index 0e135ad..c9b0898 100644 --- a/nixos-modules/cloud/README.md +++ b/nixos-modules/cloud/README.md 
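Review bot: `sops.secrets."wgautomesh/gossip-secret"` is still referenced twice in this block (`restartUnits` and `gossipSecretFile`), while the same commit deletes nixos-configurations/secrets.nix, the only place in this diff that declared that secret's `sopsFile`; unless `private.nixosModules.default` (now imported from nixos-modules/default.nix) declares it, every host with `qois.backplane-net.enable = true` fails to evaluate. A one-line pointer above the `sops.secrets` line would save the next reader the search, e.g. `# "wgautomesh/gossip-secret" is declared by the private module — TODO confirm`. Moving the `let` bindings inside `lib.mkIf cfg.enable` is the right fix for hosts that do not appear in `netConfig.hosts`, since `hostNetConfig` is no longer forced on them; say so in a short comment above the `let`, because the reason for the nesting is not obvious from the code.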
@@ -11,7 +11,7 @@ For user documentation, refer to the [upstream Nextcloud docs](https://docs.next ## Backup / Restore 1. Stop all related services: nextcloud, php-fpm, redis etc. -2. (mabe dump redis data?) -3. Import Database Backup -4. Restore `/var/lib/nextcloud`, which is currently a bind mount on `lindberg`'s `/mnt/data` volume -5. Resync nextcloud files and database, see [nextcloud docs](https://docs.nextcloud.com/server/latest/admin_manual/maintenance/restore.html) +1. (mabe dump redis data?) +1. Import Database Backup +1. Restore `/var/lib/nextcloud`, which is currently a bind mount on `lindberg`'s `/mnt/data` volume +1. Resync nextcloud files and database, see [nextcloud docs](https://docs.nextcloud.com/server/latest/admin_manual/maintenance/restore.html) diff --git a/nixos-modules/default.nix b/nixos-modules/default.nix index 0afd3b1..4e50c08 100644 --- a/nixos-modules/default.nix +++ b/nixos-modules/default.nix @@ -1,8 +1,20 @@ -inputs: { +{ + private, + self, + disko, + sops-nix, + ... +}: +{ default = - { config, pkgs, ... }: + { ... }: { - imports = (inputs.self.lib.loadSubmodulesFrom ./.) ++ [ inputs.private.nixosModules.default ]; + imports = (self.lib.loadSubmodulesFrom ./.) ++ [ + ../defaults/meta + disko.nixosModules.disko + sops-nix.nixosModules.sops + private.nixosModules.default + ]; }; } diff --git a/nixos-modules/git-ci-runner/README.md b/nixos-modules/git-ci-runner/README.md index 694ad88..2bfc937 100644 --- a/nixos-modules/git-ci-runner/README.md +++ b/nixos-modules/git-ci-runner/README.md @@ -2,7 +2,6 @@ Runner for the [Forgejo git instance](../git/README.md). - ## Default docker/ubuntu Runner Registers a default runner with ubuntu OS or executes user's OCI container with podman. 
@@ -19,3 +18,14 @@ Consequentially, don't use to build nix things that should stay secret (which is ## Create Secret Token To create a new token for registration, follow the steps outlined in the [Forgejo documentation](https://forgejo.org/docs/latest/user/actions/#forgejo-runner). + +## Clear Runner Caches + +Under some circumstances, runner caches need to be cleared. This can be done with: + +```bash +cd /var/lib/private/gitea-runner/ +systemctl stop --all gitea-runner-* +rm -r */.cache/ +systemctl start --all gitea-runner-* +``` diff --git a/nixos-modules/git-ci-runner/default.nix b/nixos-modules/git-ci-runner/default.nix index ac53334..7f6e9b6 100644 --- a/nixos-modules/git-ci-runner/default.nix +++ b/nixos-modules/git-ci-runner/default.nix @@ -25,6 +25,35 @@ with lib; default = 10; description = "How many nix runner instances to start"; }; + + trustedSubstituters = mkOption { + type = types.listOf types.str; + default = [ + # General substitutors (also elsewhere defined defaults, but without priority params) + "https://cache.nixos.org" + "https://${config.qois.nixpkgs-cache.hostname}" + "https://cache.garnix.io" + + # Project builds + "https://attic.qo.is/qois-infrastructure" # https://git.qo.is/qo.is/infrastructure + "https://attic.qo.is/dotfiles" # https://git.qo.is/fabianhauser/dotfiles + ]; + description = "Substitutors that are trusted by the host."; + }; + + trustedPublicKeys = mkOption { + type = types.listOf types.str; + default = [ + # General subsitutors + "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" + "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" + + # Project builds + "qois-infrastructure:lh35ymN7Aoxm5Hz0S6JusxE+cYzMU+x9OMKjDVIpfuE=" # https://git.qo.is/qo.is/infrastructure + "dotfiles:KpLi0qe5O5rb8E8N8vntZWBDqFwG3Ksx4AFGizYCLoU=" # https://git.qo.is/fabianhauser/dotfiles + ]; + description = "Substitutor public keys that are trusted by the host."; + }; }; config = mkIf cfg.enable (mkMerge [ 
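Review bot: `trustedSubstituters` lists `https://${config.qois.nixpkgs-cache.hostname}` but `trustedPublicKeys` carries no key for it, so paths from that cache are only accepted when they are signed by one of the other listed keys — presumably because it mirrors cache.nixos.org and serves paths with the `cache.nixos.org-1` signature; record that next to the entry, e.g. `# nixpkgs-cache proxies cache.nixos.org; its paths carry the cache.nixos.org-1 signature`. The two comments and both descriptions spell the Nix term as `substitutors`/`subsitutors`; the nix.conf options are `substituters` and `trusted-substituters`, so use that spelling throughout. Because these defaults are written into `nix.settings` in the next hunk, the option description should make the scope explicit, e.g. `description = "Substituter public keys trusted by this host's nix daemon; a signature from any one of them is sufficient to import a store path."`. The third-party `cache.garnix.io` key in that default therefore deserves its own comment stating why it is trusted site-wide.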
@@ -34,6 +63,12 @@ with lib; "gitea-runner-${defaultInstanceName}.service" ] ++ (genList (n: "gitea-runner-nix${builtins.toString n}.service") cfg.nixInstances); + nix.settings = { + trusted-substituters = cfg.trustedSubstituters; + trusted-public-keys = cfg.trustedPublicKeys; + + }; + virtualisation.podman = { enable = true; dockerCompat = true; @@ -146,7 +181,7 @@ with lib; { systemd.services = genAttrs (genList (n: "gitea-runner-nix${builtins.toString n}") cfg.nixInstances) - (name: { + (_name: { after = [ "gitea-runner-nix-image.service" ]; @@ -237,7 +272,9 @@ with lib; pkgs.findutils pkgs.gawk pkgs.git + pkgs.git-lfs pkgs.gnugrep + pkgs.gnused pkgs.jq pkgs.nix pkgs.nodejs diff --git a/nixos-modules/git/README.md b/nixos-modules/git/README.md index 6b822bc..c76741a 100644 --- a/nixos-modules/git/README.md +++ b/nixos-modules/git/README.md @@ -38,7 +38,6 @@ sudo -u forgejo 'nix run nixpkgs#forgejo -- admin user create --config ~custom/c ## Backup / Restore 1. `systemctl stop forgejo.service` -2. Import Postgresql Database Backup -3. Restore `/var/lib/forgejo` -4. `systemctl start forgejo.service` - +1. Import Postgresql Database Backup +1. Restore `/var/lib/forgejo` +1. `systemctl start forgejo.service` diff --git a/nixos-modules/loadbalancer/default.nix b/nixos-modules/loadbalancer/default.nix index 3d8b4d7..e0a113a 100644 --- a/nixos-modules/loadbalancer/default.nix +++ b/nixos-modules/loadbalancer/default.nix @@ -9,7 +9,7 @@ with lib; let # We assume that all static pages are hosted on lindberg-webapps staticPages = pipe config.qois.static-page.pages [ - (mapAttrsToList (name: { domain, domainAliases, ... }: [ domain ] ++ domainAliases)) + (mapAttrsToList (_name: { domain, domainAliases, ... }: [ domain ] ++ domainAliases)) flatten (map (name: { inherit name; diff --git a/nixos-modules/luks-ssh/default.nix b/nixos-modules/luks-ssh/default.nix index 4b15363..5f0950a 100644 --- a/nixos-modules/luks-ssh/default.nix +++ b/nixos-modules/luks-ssh/default.nix 
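Review bot: `nix.settings.trusted-substituters` and `trusted-public-keys` set here apply to the whole host's nix daemon, not only to the `gitea-runner-*` services, so enabling `qois.git-ci-runner` widens which caches any local user may substitute from and which signatures the daemon accepts, including the third-party `cache.garnix.io` key from the option default. If that is intended, a comment above the block should say so, e.g. `# Host-wide: the daemon applies these to every build on this machine, not just runner jobs`. The empty line before the closing `};` of the `nix.settings` attrset is a leftover and should be dropped. The enclosing `config = mkIf cfg.enable (mkMerge [ ... ])` starts before this hunk.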
@@ -1,7 +1,6 @@ { config, lib, - pkgs, ... }: @@ -83,7 +82,7 @@ in with lib; concatLists ( mapAttrsToList ( - name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else [ ] + _name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else [ ] ) config.users.users ); hostKeys = [ cfg.sshHostKey ]; diff --git a/nixos-modules/meta/default.nix b/nixos-modules/meta/default.nix index f7d9775..ad18f47 100644 --- a/nixos-modules/meta/default.nix +++ b/nixos-modules/meta/default.nix @@ -1,8 +1,4 @@ { - config, - lib, - pkgs, - options, ... }: { diff --git a/nixos-modules/meta/hosts.nix b/nixos-modules/meta/hosts.nix index 27526d0..af9497c 100644 --- a/nixos-modules/meta/hosts.nix +++ b/nixos-modules/meta/hosts.nix @@ -1,7 +1,6 @@ { config, lib, - pkgs, options, ... }: @@ -43,10 +42,10 @@ in }; config = let - hostsWithSshKey = lib.filterAttrs (name: hostCfg: hostCfg.sshKey != null) cfg; + hostsWithSshKey = lib.filterAttrs (_name: hostCfg: hostCfg.sshKey != null) cfg; in { - programs.ssh.knownHosts = lib.mapAttrs (name: hostCfg: { + programs.ssh.knownHosts = lib.mapAttrs (_name: hostCfg: { publicKey = hostCfg.sshKey; }) hostsWithSshKey; }; diff --git a/nixos-modules/meta/network.nix b/nixos-modules/meta/network.nix index 3caa3d7..e30a26f 100644 --- a/nixos-modules/meta/network.nix +++ b/nixos-modules/meta/network.nix @@ -1,7 +1,6 @@ { config, lib, - pkgs, options, ... }: @@ -17,13 +16,6 @@ let type = str; inherit description; }); - mkOptStr = - description: - (mkOption { - type = nullOr str; - default = null; - inherit description; - }); mkNetworkIdOpts = v: 
@@ -225,10 +217,10 @@ in (getHostNamesForNetworks hostname cfg.virtual) ++ (getHostNamesForNetworks hostname cfg.physical); hostsWithPublicKey = lib.filterAttrs ( - hostName: hostConfig: hostConfig.sshKey != null + _hostName: hostConfig: hostConfig.sshKey != null ) config.qois.meta.hosts; in - mapAttrs (name: hostCfg: { extraHostNames = getHostNames name; }) hostsWithPublicKey; + mapAttrs (name: _hostCfg: { extraHostNames = getHostNames name; }) hostsWithPublicKey; }; } diff --git a/nixos-modules/nixpkgs-cache/default.nix b/nixos-modules/nixpkgs-cache/default.nix index 12c55ef..3823bb7 100644 --- a/nixos-modules/nixpkgs-cache/default.nix +++ b/nixos-modules/nixpkgs-cache/default.nix @@ -1,6 +1,5 @@ { config, - pkgs, lib, ... }: @@ -16,6 +15,7 @@ with lib; hostname = mkOption { type = types.str; example = "mycache.myhost.org"; + default = "nixpkgs-cache.qo.is"; description = "Hostname, under which the cache is served"; }; diff --git a/nixos-modules/router-dhcp/default.nix b/nixos-modules/router-dhcp/default.nix index fed5e6b..c59db06 100644 --- a/nixos-modules/router-dhcp/default.nix +++ b/nixos-modules/router-dhcp/default.nix @@ -1,7 +1,6 @@ { config, lib, - pkgs, ... }: diff --git a/nixos-modules/router-dns/default.nix b/nixos-modules/router-dns/default.nix index ed8cbf2..1d0d462 100644 --- a/nixos-modules/router-dns/default.nix +++ b/nixos-modules/router-dns/default.nix @@ -1,7 +1,6 @@ { config, lib, - pkgs, ... }: diff --git a/nixos-modules/router-wireless-ap/default.nix b/nixos-modules/router-wireless-ap/default.nix index f18739d..da40979 100644 --- a/nixos-modules/router-wireless-ap/default.nix +++ b/nixos-modules/router-wireless-ap/default.nix @@ -1,14 +1,12 @@ { config, lib, - pkgs, ... }: with lib; let - routerCfg = config.qois.router; cfg = config.qois.router.wireless; in { diff --git a/nixos-modules/router/README.md b/nixos-modules/router/README.md index b4a000f..5944b45 100644 --- a/nixos-modules/router/README.md +++ b/nixos-modules/router/README.md 
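Review bot: The new site-specific `default = "nixpkgs-cache.qo.is"` now sits next to the generic `example = "mycache.myhost.org"`, and the option is read by `nixos-modules/system/default.nix` on every host as the substituter URL (`https://${config.qois.nixpkgs-cache.hostname}?priority=30`), including hosts where `qois.nixpkgs-cache.enable` is false. The description should state that second role so nobody changes the default for a single host without realising it changes what all hosts fetch from, e.g. `description = "Hostname under which the cache is served; other hosts use it as their substituter URL, so the value must resolve site-wide."`. Either drop the `example` or make it match the default's shape.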
@@ -1,4 +1,4 @@ -# Router Role {#_router_role} +# Router Role {#\_router_role} The `router` role set is applied on hosts which serve the rule of a SOHO router. diff --git a/nixos-modules/router/default.nix b/nixos-modules/router/default.nix index c368bc8..f77f8b0 100644 --- a/nixos-modules/router/default.nix +++ b/nixos-modules/router/default.nix @@ -1,7 +1,6 @@ { config, lib, - pkgs, ... }: diff --git a/nixos-modules/static-page/README.md b/nixos-modules/static-page/README.md index 3c3252b..19fce35 100644 --- a/nixos-modules/static-page/README.md +++ b/nixos-modules/static-page/README.md @@ -3,4 +3,3 @@ This module enables static nginx sites, with data served from "/var/lib/nginx/$domain/root". To deploy the site, a user `nginx-$domain` is added, of which a `root` profile in the home folder can be deployed, e.g. with deploy-rs. - diff --git a/nixos-modules/static-page/default.nix b/nixos-modules/static-page/default.nix index 25859b1..6fb12ef 100644 --- a/nixos-modules/static-page/default.nix +++ b/nixos-modules/static-page/default.nix @@ -53,7 +53,7 @@ with lib; config = mkIf cfg.enable ( let pageConfigs = concatMapAttrs ( - name: page: + _name: page: let home = "/var/lib/nginx-${page.domain}"; in @@ -76,7 +76,7 @@ with lib; users = { groups = concatMapAttrs ( - name: + _name: { user, ... }: { "${user}" = { }; @@ -84,10 +84,10 @@ with lib; ) pageConfigs; users = { - ${config.services.nginx.user}.extraGroups = mapAttrsToList (domain: getAttr "user") pageConfigs; + ${config.services.nginx.user}.extraGroups = mapAttrsToList (_domain: getAttr "user") pageConfigs; } // (concatMapAttrs ( - name: + _name: { user, home, @@ -134,10 +134,10 @@ with lib; globalRedirect = domain; }; }); - aliasVhosts = concatMapAttrs (name: mkAliasVhost) pageConfigs; + aliasVhosts = concatMapAttrs (_name: mkAliasVhost) pageConfigs; in - aliasVhosts // (mapAttrs (name: mkVhost) pageConfigs); + aliasVhosts // (mapAttrs (_name: mkVhost) pageConfigs); }; } ); 
diff --git a/nixos-modules/static-page/test.nix b/nixos-modules/static-page/test.nix index 9d82a01..6c2f223 100644 --- a/nixos-modules/static-page/test.nix +++ b/nixos-modules/static-page/test.nix @@ -10,14 +10,14 @@ inherit (lib) mkForce genAttrs const; in { - # Setup simple localhost page with an example.com redirect + # Setup simple docs.example.com page with an example.com redirect qois.static-page = { enable = true; - pages."localhost".domainAliases = [ "example.com" ]; + pages."docs.example.com".domainAliases = [ "example.com" ]; }; # Disable TLS services - services.nginx.virtualHosts = genAttrs [ "localhost" "example.com" ] (const { + services.nginx.virtualHosts = genAttrs [ "docs.example.com" "example.com" ] (const { forceSSL = mkForce false; enableACME = mkForce false; }); diff --git a/nixos-modules/static-page/test.py b/nixos-modules/static-page/test.py index 16e2b28..295635f 100644 --- a/nixos-modules/static-page/test.py +++ b/nixos-modules/static-page/test.py @@ -3,18 +3,20 @@ def test(subtest, webserver): webserver.wait_for_open_port(80) # Preparations - webserverRoot = "/var/lib/nginx-localhost/root" + webserverRoot = "/var/lib/nginx-docs.example.com/root" indexContent = "It works!" webserver.succeed(f"mkdir {webserverRoot}") webserver.succeed(f"echo '{indexContent}' > {webserverRoot}/index.html") - webserver.succeed(f"chown -R nginx-localhost\: {webserverRoot}") + webserver.succeed(f"chown -R nginx-docs.example.com\: {webserverRoot}") # Helpers def curl_variable_test(node, variable, expected, url): value = node.succeed( - f"curl -s --no-location -o /dev/null -w '%{{{variable}}}' '{url}'") - assert value == expected, \ + f"curl -s --no-location -o /dev/null -w '%{{{variable}}}' '{url}'" + ) + assert value == expected, ( f"expected {variable} to be '{expected}' but got '{value}'" + ) def expect_http_code(node, code, url): curl_variable_test(node, "http_code", code, url) 
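Review bot: `f"chown -R nginx-docs.example.com\: {webserverRoot}"` contains the invalid escape `\:`, and the `grep -e '[^\.]example.com'` line added in the next hunk of this file contains the invalid escape `\.`; CPython reports these as DeprecationWarning, SyntaxWarning from 3.12, and they are slated to become errors. Make both raw strings: `webserver.succeed(rf"chown -R nginx-docs.example.com\: {webserverRoot}")` and `webserver.succeed(r"grep -e '[^.]example\.com' /etc/hosts")`. Inside a POSIX bracket expression the backslash is literal, so `[^\.]` also excludes a backslash character; `[^.]` is the intended class, and escaping the dot in `example\.com` makes the hosts-file check stricter than matching any character. The enclosing `test` function continues past this hunk.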
@@ -24,23 +26,24 @@ def test(subtest, webserver): def expect_http_content(node, expectedContent, url): content = node.succeed(f"curl --no-location --silent '{url}'") - assert content.strip() == expectedContent.strip(), f''' + assert content.strip() == expectedContent.strip(), f""" expected content: {expectedContent} at {url} but got following content: {content} - ''' + """ # Tests - with subtest("website is successfully served on localhost"): - expect_http_code(webserver, "200", "http://localhost/index.html") - expect_http_content(webserver, indexContent, - "http://localhost/index.html") + with subtest("website is successfully served on docs.example.com"): + webserver.succeed("grep docs.example.com /etc/hosts") + expect_http_code(webserver, "200", "http://docs.example.com/index.html") + expect_http_content( + webserver, indexContent, "http://docs.example.com/index.html" + ) - with subtest("example.com is in hosts file and a redirect to localhost"): - webserver.succeed("grep example.com /etc/hosts") + with subtest("example.com is a redirect to docs.example.com"): + webserver.succeed("grep -e '[^\.]example.com' /etc/hosts") url = "http://example.com/index.html" expect_http_code(webserver, "301", url) - expect_http_location( - webserver, "http://localhost/index.html", url) + expect_http_location(webserver, "http://docs.example.com/index.html", url) diff --git a/nixos-modules/system/applications.nix b/nixos-modules/system/applications.nix index ed63b6a..b3bf422 100644 --- a/nixos-modules/system/applications.nix +++ b/nixos-modules/system/applications.nix @@ -1,6 +1,4 @@ { - config, - lib, pkgs, ... }: diff --git a/nixos-modules/system/default.nix b/nixos-modules/system/default.nix index ed0dfb5..53fe41e 100644 --- a/nixos-modules/system/default.nix +++ b/nixos-modules/system/default.nix @@ -2,7 +2,6 @@ config, lib, pkgs, - inputs, ... }: { @@ -11,7 +10,6 @@ ./overlays.nix ./physical.nix ./security.nix - ./unfree.nix ./virtual-machine.nix ]; 
@@ -57,9 +55,9 @@ settings = let substituters = [ - "https://${inputs.self.nixosConfigurations.lindberg-build.config.qois.nixpkgs-cache.hostname}?priority=39" + "https://${config.qois.nixpkgs-cache.hostname}?priority=30" + "https://attic.qo.is/qois-infrastructure?priority=32" "https://cache.nixos.org?priority=40" - "https://attic.qo.is/qois-infrastructure" ]; in { @@ -71,7 +69,7 @@ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" "qois-infrastructure:lh35ymN7Aoxm5Hz0S6JusxE+cYzMU+x9OMKjDVIpfuE=" ]; - trusted-substituters = substituters; # For hosts that limit the subst list + trusted-substituters = substituters; inherit substituters; }; gc = { @@ -113,12 +111,6 @@ defaultEditor = true; }; - sops.defaultSopsFile = - let - defaultSopsPath = "${inputs.private}/nixos-configurations/${config.networking.hostName}/secrets.sops.yaml"; - in - lib.mkIf (builtins.pathExists defaultSopsPath) defaultSopsPath; - services.fstrim.enable = true; qois.outgoing-server-mail.enable = true; diff --git a/nixos-modules/system/overlays.nix b/nixos-modules/system/overlays.nix index f89be8f..bb6ec19 100644 --- a/nixos-modules/system/overlays.nix +++ b/nixos-modules/system/overlays.nix @@ -1,12 +1,8 @@ { - config, - lib, - pkgs, options, ... }: { - nixpkgs.overlays = [ (import ../../overlays) ]; nix.nixPath = options.nix.nixPath.default; } diff --git a/nixos-modules/system/security.nix b/nixos-modules/system/security.nix index a8a8801..a7ceb31 100644 --- a/nixos-modules/system/security.nix +++ b/nixos-modules/system/security.nix @@ -1,7 +1,5 @@ { - config, lib, - pkgs, ... }: with lib; diff --git a/nixos-modules/system/unfree.nix b/nixos-modules/system/unfree.nix deleted file mode 100644 index 4e751ae..0000000 --- a/nixos-modules/system/unfree.nix +++ /dev/null 
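Review bot: `sops.defaultSopsFile` is removed in the third hunk of this file with no replacement anywhere in the diff, so any `sops.secrets.<name>` declaration that relied on the default rather than an explicit `sopsFile` now fails to evaluate unless the default is set again in the private module that nixos-modules/default.nix imports; if that is where it moved, leave a pointer, e.g. `# sops.defaultSopsFile is set by private.nixosModules.default — TODO confirm`. In the first hunk the comment `# For hosts that limit the subst list` was the only explanation of why `trusted-substituters` mirrors `substituters`; keep the reason, e.g. `trusted-substituters = substituters; # lets unprivileged users pass these via --substituters`. The reorder puts `attic.qo.is/qois-infrastructure` (priority 32) ahead of `cache.nixos.org` (priority 40), so every miss costs an extra round-trip to the project cache before falling through; presumably intended, but worth one word in a comment.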
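Review bot: In nixos-modules/system/overlays.nix the line `nixpkgs.overlays = [ (import ../../overlays) ];` is dropped and nothing else in this diff applies the `overlays` directory, so packages patched there silently fall back to upstream nixpkgs unless the overlays are now applied when the flake instantiates nixpkgs. If that is the case, a comment in this file should say where, e.g. `# overlays are applied on the nixpkgs instance in the flake — TODO confirm`; otherwise the removal needs to be reverted.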
@@ -1,22 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: - -{ - nixpkgs.config.allowUnfreePredicate = - pkg: - builtins.elem (lib.getName pkg) [ - "corefonts" - "camingo-code" - "helvetica-neue-lt-std" - #"kochi-substitute-naga10" - "ttf-envy-code-r" - "vista-fonts" - "vista-fonts-chs" - "xkcd-font-unstable" - "ricty" - ]; -} diff --git a/nixos-modules/vault/README.md b/nixos-modules/vault/README.md index 337b152..80a04f2 100644 --- a/nixos-modules/vault/README.md +++ b/nixos-modules/vault/README.md @@ -3,7 +3,7 @@ To use our Vaultwarden instance, you can use the regular [Bitwarden apps](https://bitwarden.com/download/) with our custom server when logging in: -Username: `first.lastname@qo.is` +Username: `first.lastname@qo.is`\ Server Name: `https://vault.qo.is` ## Create Accounts @@ -17,7 +17,6 @@ Please instruct users to: - the password cannot be reset without loosing all the passwords. Use of [Emergency Contacts](https://bitwarden.com/help/emergency-access/) or Organizations may be advisable. - ## Administration An admin panel is available under [vault.qo.is/admin](https://vault.qo.is/admin). @@ -26,12 +25,10 @@ The password is saved in the pass database under `vaultwarden-admin`. In the administration panel, users and organizations may be managed. Instance settings should be changed with the nixos module in the infrastructure repository only. - ## Backup / Restore 1. `systemctl stop vaultwarden.service` -2. Import Postgresql Database Backup -3. Restore `/var/lib/bitwarden_rs` -4. `systemctl start vaultwarden.service` -5. Click `Force clients to resync` in the [Administration interface under _Users_](https://vault.qo.is/admin/users/overview) - +1. Import Postgresql Database Backup +1. Restore `/var/lib/bitwarden_rs` +1. `systemctl start vaultwarden.service` +1. Click `Force clients to resync` in the [Administration interface under _Users_](https://vault.qo.is/admin/users/overview) 
diff --git a/nixos-modules/vpn-exit-node/default.nix b/nixos-modules/vpn-exit-node/default.nix index aff1a84..75e6c03 100644 --- a/nixos-modules/vpn-exit-node/default.nix +++ b/nixos-modules/vpn-exit-node/default.nix @@ -1,6 +1,5 @@ { config, - pkgs, lib, ... }: diff --git a/nixos-modules/vpn-server/README.md b/nixos-modules/vpn-server/README.md index 364a91e..d45c005 100644 --- a/nixos-modules/vpn-server/README.md +++ b/nixos-modules/vpn-server/README.md @@ -29,14 +29,13 @@ These nodes allow access to the internet for clients connected to the VPN: > ⚠️ Currently, name resolution for these do not work reliably on first starts, hence the IP must be used. This hould be fixed in the future. - ### Add exit nodes: 1. Create a preauth secret on the `vpn.qo.is` host: ```bash headscale preauthkeys create --user srv --reusable - ``` -2. Configure the new exit-node host with the `qois.vpn-exit-node` module. + ``` +1. Configure the new exit-node host with the `qois.vpn-exit-node` module. When using the `srv` user, exit nodes and routes are automatically accepted as trusted. @@ -50,11 +49,9 @@ To use the service, you can use a normal Tailscale client with following additio | `exit-node` | `100.64.0.5` (lindberg) or `100.64.0.6` (cypriaspitz) | Use host as [exit node](#exit-nodes) | | `login-server` | `https://vpn.qo.is` | Use our own VPN service. | - > ⚠️ Currently, if the client is in an IPv6 network, the transport is broken. > Disable IPv6 connectivity to use the VPN. -> See [#4](https://git.qo.is/qo.is/infrastructure/issues/4) for details. - +> See [#4](https://git.qo.is/qo.is/infrastructure/issues/4) for details. ### NixOS 
@@ -90,15 +87,15 @@ See [this Headscale documentation for more](https://headscale.net/stable/usage/c ### Server 1. `systemctl stop headscale` -2. Replace `/var/lib/headscale` -3. `systemctl start headscale` -4. Monitor logs for errors +1. Replace `/var/lib/headscale` +1. `systemctl start headscale` +1. Monitor logs for errors Note: `/var/lib/headscale` contains a sqlite database. ### Clients 1. `systemctl stop tailscaled` -2. Replace `/var/lib/tailscale` -3. `systemctl start tailscaled` -4. Monitor logs for errors +1. Replace `/var/lib/tailscale` +1. `systemctl start tailscaled` +1. Monitor logs for errors diff --git a/nixos-modules/vpn-server/default.nix b/nixos-modules/vpn-server/default.nix index d813532..39361a9 100644 --- a/nixos-modules/vpn-server/default.nix +++ b/nixos-modules/vpn-server/default.nix @@ -10,7 +10,7 @@ let cfgLoadbalancer = config.qois.loadbalancer; defaultDnsRecords = (mapAttrs ( - name: value: mkIf (cfgLoadbalancer.hostmap ? ${value}) cfgLoadbalancer.hostmap.${value} + _name: value: mkIf (cfgLoadbalancer.hostmap ? ${value}) cfgLoadbalancer.hostmap.${value} ) cfgLoadbalancer.domains) // { "vpn.qo.is" = config.services.headscale.address; diff --git a/nixos-modules/wwan/README.md b/nixos-modules/wwan/README.md index 655a021..8e486bb 100644 --- a/nixos-modules/wwan/README.md +++ b/nixos-modules/wwan/README.md @@ -1,8 +1,8 @@ -# WWAN Module {#_wwan_module} +# WWAN Module {#\_wwan_module} This module configures WWAN adapters that support MBIM -## Current limitations {#_current_limitations} +## Current limitations {#\_current_limitations} - IPv4 tested only - Currently, it is not simple to get network failures or address diff --git a/nixos-modules/wwan/mbim-ip.bash b/nixos-modules/wwan/mbim-ip.bash index fafc841..1189b46 100644 --- a/nixos-modules/wwan/mbim-ip.bash +++ b/nixos-modules/wwan/mbim-ip.bash 
@@ -6,11 +6,11 @@ MODE=$1 DEV=$2 if [ "$DEBUG" == "" ]; then - DEBUG="false" + DEBUG="false" fi if [ "$MBIM_INTERFACE" == "" ]; then - MBIM_INTERFACE="/dev/cdc-wdm0" + MBIM_INTERFACE="/dev/cdc-wdm0" fi ############################################################################### 
@@ -29,274 +29,273 @@ ipv6_dns=() ipv6_mtu="" export previous_state state skip_line \ - ipv4_addresses ipv4_gateway ipv4_dns ipv4_mtu \ - ipv6_addresses ipv6_gateway ipv6_dns ipv6_mtu + ipv4_addresses ipv4_gateway ipv4_dns ipv4_mtu \ + ipv6_addresses ipv6_gateway ipv6_dns ipv6_mtu ############################################################################### # Function ############################################################################### function print_debug { - if [ "$DEBUG" != "false" ]; then - echo "[State: $state] $1" >&2 - fi + if [ "$DEBUG" != "false" ]; then + echo "[State: $state] $1" >&2 + fi } function print_full_configuration { - if [[ "${#ipv4_addresses[@]}" > 0 ]]; then - printf "IPv4: " - printf '%s, ' "${ipv4_addresses[@]}" - printf "\n" + if [[ ${#ipv4_addresses[@]} > 0 ]]; then + printf "IPv4: " + printf '%s, ' "${ipv4_addresses[@]}" + printf "\n" - printf "GW: $ipv4_gateway\n" + printf "GW: $ipv4_gateway\n" - printf "DNS: " - printf '%s, ' "${ipv4_dns[@]}" - printf "\n" + printf "DNS: " + printf '%s, ' "${ipv4_dns[@]}" + printf "\n" - printf "MTU: $ipv4_mtu\n" - fi + printf "MTU: $ipv4_mtu\n" + fi - if [[ "${#ipv6_addresses[@]}" > 0 ]]; then - echo - printf "IPv6: " - printf '%s, ' "${ipv6_addresses[@]}" - printf "\n" + if [[ ${#ipv6_addresses[@]} > 0 ]]; then + echo + printf "IPv6: " + printf '%s, ' "${ipv6_addresses[@]}" + printf "\n" - printf "GW: $ipv6_gateway\n" + printf "GW: $ipv6_gateway\n" - printf "DNS: " - printf '%s, ' "${ipv6_dns[@]}" - printf "\n" + printf "DNS: " + printf '%s, ' "${ipv6_dns[@]}" + printf "\n" - printf "MTU: $ipv6_mtu\n" - fi + printf "MTU: $ipv6_mtu\n" + fi } function next_state { - previous_state="$state" - state="$1" + previous_state="$state" + state="$1" } function parse_ip { - # IP [0]: '10.134.203.177/30' - local line_re="IP \[([0-9]+)\]: '(.+)'" - local input=$1 - if [[ $input =~ $line_re ]]; then - local ip_cnt=${BASH_REMATCH[1]} - local ip=${BASH_REMATCH[2]} - fi - echo "$ip" + # IP [0]: 
'10.134.203.177/30' + local line_re="IP \[([0-9]+)\]: '(.+)'" + local input=$1 + if [[ $input =~ $line_re ]]; then + local ip_cnt=${BASH_REMATCH[1]} + local ip=${BASH_REMATCH[2]} + fi + echo "$ip" } function parse_dns { - # IP [0]: '10.134.203.177/30' - local line_re="DNS \[([0-9]+)\]: '(.+)'" - local input=$1 - if [[ $input =~ $line_re ]]; then - local dns_cnt=${BASH_REMATCH[1]} - local dns=${BASH_REMATCH[2]} - fi - echo "$dns" + # IP [0]: '10.134.203.177/30' + local line_re="DNS \[([0-9]+)\]: '(.+)'" + local input=$1 + if [[ $input =~ $line_re ]]; then + local dns_cnt=${BASH_REMATCH[1]} + local dns=${BASH_REMATCH[2]} + fi + echo "$dns" } function parse_gateway { - # Gateway: '10.134.203.178' - local line_re="Gateway: '(.+)'" - local input=$1 - if [[ $input =~ $line_re ]]; then - local gw=${BASH_REMATCH[1]} - fi - echo "$gw" + # Gateway: '10.134.203.178' + local line_re="Gateway: '(.+)'" + local input=$1 + if [[ $input =~ $line_re ]]; then + local gw=${BASH_REMATCH[1]} + fi + echo "$gw" } function parse_mtu { - # MTU: '1500' - local line_re="MTU: '([0-9]+)'" - local input=$1 - if [[ $input =~ $line_re ]]; then - local mtu=${BASH_REMATCH[1]} - fi - echo "$mtu" + # MTU: '1500' + local line_re="MTU: '([0-9]+)'" + local input=$1 + if [[ $input =~ $line_re ]]; then + local mtu=${BASH_REMATCH[1]} + fi + echo "$mtu" } function parse_input_state_machine { - state="start" - while true; do - if [[ "$skip_line" == 0 ]]; then - read line || break # TODO: Clean up - else - skip_line=0 - fi - case "$state" in - "start") - read line || break # first line is empty, read a new one #TODO: This is not very clean... 
- case "$line" in - *"configuration available: 'none'"*) - # Skip none state - # TODO: This is a workaround of the original parser's shortcomming - continue - ;; - *"IPv4 configuration available"*) - next_state "ipv4_ip" - continue - ;; - *"IPv6 configuration available"*) - next_state "ipv6_ip" - continue - ;; - *) - next_state "exit" - continue - ;; - esac - ;; - "error") - echo "Error in pattern matchin of state $previous_state. Exiting." >&2 - exit 2 - ;; - "exit") - break - ;; - "ipv4_ip") - ipv4=$(parse_ip "$line") - if [ -z "$ipv4" ]; then - if [[ "${#ipv4_addresses[@]}" < 1 ]]; then - next_state "error" - continue - else - next_state "ipv4_gateway" - skip_line=1 - continue - fi - fi - print_debug "$ipv4" - ipv4_addresses+=("$ipv4") - ;; - "ipv4_gateway") - gw=$(parse_gateway "$line") - if [ -z "$gw" ]; then - next_state "error" - continue - fi - print_debug "$gw" - ipv4_gateway="$gw" - next_state "ipv4_dns" - ;; - "ipv4_dns") - ipv4=$(parse_dns "$line") - if [ -z "$ipv4" ]; then - if [[ "${#ipv4_dns[@]}" < 1 ]]; then - next_state "error" - continue - else - next_state "ipv4_mtu" - skip_line=1 - continue - fi - fi - print_debug "$ipv4" - ipv4_dns+=("$ipv4") - ;; - "ipv4_mtu") - mtu=$(parse_mtu "$line") - if [ -z "$mtu" ]; then - next_state "error" - continue - fi - print_debug "$mtu" - ipv4_mtu="$mtu" - next_state "start" - ;; - "ipv6_ip") - ipv6=$(parse_ip "$line") - if [ -z "$ipv6" ]; then - if [[ "${#ipv6_addresses[@]}" < 1 ]]; then - next_state "error" - continue - else - next_state "ipv6_gateway" - skip_line=1 - continue - fi - fi - print_debug "$ipv6" - ipv6_addresses+=("$ipv6") - ;; - "ipv6_gateway") - gw=$(parse_gateway "$line") - if [ -z "$gw" ]; then - next_state "error" - continue - fi - print_debug "$gw" - ipv6_gateway="$gw" - next_state "ipv6_dns" - ;; - "ipv6_dns") - ipv6=$(parse_dns "$line") - if [ -z "$ipv6" ]; then - if [[ "${#ipv6_dns[@]}" < 1 ]]; then - next_state "error" - continue - else - next_state "ipv6_mtu" - skip_line=1 - continue - 
fi - fi - print_debug "$ipv6" - ipv6_dns+=("$ipv6") - ;; - "ipv6_mtu") - mtu=$(parse_mtu "$line") - if [ -z "$mtu" ]; then - next_state "error" - continue - fi - print_debug "$mtu" - ipv6_mtu="$mtu" - next_state "start" - ;; - *) - print_debug "Invalid state (came from $previous_state). Exiting." - exit 0 - ;; - esac - done + state="start" + while true; do + if [[ $skip_line == 0 ]]; then + read line || break # TODO: Clean up + else + skip_line=0 + fi + case "$state" in + "start") + read line || break # first line is empty, read a new one #TODO: This is not very clean... + case "$line" in + *"configuration available: 'none'"*) + # Skip none state + # TODO: This is a workaround of the original parser's shortcomming + continue + ;; + *"IPv4 configuration available"*) + next_state "ipv4_ip" + continue + ;; + *"IPv6 configuration available"*) + next_state "ipv6_ip" + continue + ;; + *) + next_state "exit" + continue + ;; + esac + ;; + "error") + echo "Error in pattern matchin of state $previous_state. Exiting." 
>&2 + exit 2 + ;; + "exit") + break + ;; + "ipv4_ip") + ipv4=$(parse_ip "$line") + if [ -z "$ipv4" ]; then + if [[ ${#ipv4_addresses[@]} < 1 ]]; then + next_state "error" + continue + else + next_state "ipv4_gateway" + skip_line=1 + continue + fi + fi + print_debug "$ipv4" + ipv4_addresses+=("$ipv4") + ;; + "ipv4_gateway") + gw=$(parse_gateway "$line") + if [ -z "$gw" ]; then + next_state "error" + continue + fi + print_debug "$gw" + ipv4_gateway="$gw" + next_state "ipv4_dns" + ;; + "ipv4_dns") + ipv4=$(parse_dns "$line") + if [ -z "$ipv4" ]; then + if [[ ${#ipv4_dns[@]} < 1 ]]; then + next_state "error" + continue + else + next_state "ipv4_mtu" + skip_line=1 + continue + fi + fi + print_debug "$ipv4" + ipv4_dns+=("$ipv4") + ;; + "ipv4_mtu") + mtu=$(parse_mtu "$line") + if [ -z "$mtu" ]; then + next_state "error" + continue + fi + print_debug "$mtu" + ipv4_mtu="$mtu" + next_state "start" + ;; + "ipv6_ip") + ipv6=$(parse_ip "$line") + if [ -z "$ipv6" ]; then + if [[ ${#ipv6_addresses[@]} < 1 ]]; then + next_state "error" + continue + else + next_state "ipv6_gateway" + skip_line=1 + continue + fi + fi + print_debug "$ipv6" + ipv6_addresses+=("$ipv6") + ;; + "ipv6_gateway") + gw=$(parse_gateway "$line") + if [ -z "$gw" ]; then + next_state "error" + continue + fi + print_debug "$gw" + ipv6_gateway="$gw" + next_state "ipv6_dns" + ;; + "ipv6_dns") + ipv6=$(parse_dns "$line") + if [ -z "$ipv6" ]; then + if [[ ${#ipv6_dns[@]} < 1 ]]; then + next_state "error" + continue + else + next_state "ipv6_mtu" + skip_line=1 + continue + fi + fi + print_debug "$ipv6" + ipv6_dns+=("$ipv6") + ;; + "ipv6_mtu") + mtu=$(parse_mtu "$line") + if [ -z "$mtu" ]; then + next_state "error" + continue + fi + print_debug "$mtu" + ipv6_mtu="$mtu" + next_state "start" + ;; + *) + print_debug "Invalid state (came from $previous_state). Exiting." 
+ exit 0 + ;; + esac + done } +interface_stop() { + ip addr flush dev $DEV + ip route flush dev $DEV -interface_stop(){ - ip addr flush dev $DEV - ip route flush dev $DEV + ip -6 addr flush dev $DEV + ip -6 route flush dev $DEV - ip -6 addr flush dev $DEV - ip -6 route flush dev $DEV - - #TODO: Nameserver? + #TODO: Nameserver? } interface_start() { - ip link set $DEV up + ip link set $DEV up - if [[ "${#ipv4_addresses[@]}" > 0 ]]; then - ip addr add ${ipv4_addresses[@]} dev $DEV broadcast + #TODO: Works for multiple addresses? - ip link set $DEV mtu $ipv4_mtu - ip route add default via $ipv4_gateway dev $DEV - #TODO: nameserver ${ipv4_dns[@]} - else - echo "No IPv4 address, skipping v4 configuration..." - fi + if [[ ${#ipv4_addresses[@]} > 0 ]]; then + ip addr add ${ipv4_addresses[@]} dev $DEV broadcast + #TODO: Works for multiple addresses? + ip link set $DEV mtu $ipv4_mtu + ip route add default via $ipv4_gateway dev $DEV + #TODO: nameserver ${ipv4_dns[@]} + else + echo "No IPv4 address, skipping v4 configuration..." + fi - if [[ "${#ipv6_addresses[@]}" > 0 ]]; then - ip -6 addr add ${ipv6_addresses[@]} dev $DEV #TODO: Works for multiple addresses? - ip -6 route add default via $ipv6_gateway dev $DEV - ip -6 link set $DEV mtu $ipv6_mtu - #TODO: nameserver ${ipv6_dns[@]}" - else - echo "No IPv6 address, skipping v6 configuration..." - fi + if [[ ${#ipv6_addresses[@]} > 0 ]]; then + ip -6 addr add ${ipv6_addresses[@]} dev $DEV #TODO: Works for multiple addresses? + ip -6 route add default via $ipv6_gateway dev $DEV + ip -6 link set $DEV mtu $ipv6_mtu + #TODO: nameserver ${ipv6_dns[@]}" + else + echo "No IPv6 address, skipping v6 configuration..." + fi } ############################################################################### 
@@ -307,23 +306,23 @@ set -e echo "NOTE: This script does not yet support nameserver configuration." case "$MODE" in - "start") - mbim-network $MBIM_INTERFACE start - sleep 1 - mbimcli -d $MBIM_INTERFACE -p --query-ip-configuration=0 | { - parse_input_state_machine - print_full_configuration - interface_stop - interface_start - } - ;; - "stop") - mbim-network $MBIM_INTERFACE stop - interface_stop - ;; - *) - echo "USAGE: $0 start|stop INTERFACE" >&2 - echo "You can set an env variable DEBUG to gather debugging output." >&2 - exit 1 - ;; +"start") + mbim-network $MBIM_INTERFACE start + sleep 1 + mbimcli -d $MBIM_INTERFACE -p --query-ip-configuration=0 | { + parse_input_state_machine + print_full_configuration + interface_stop + interface_start + } + ;; +"stop") + mbim-network $MBIM_INTERFACE stop + interface_stop + ;; +*) + echo "USAGE: $0 start|stop INTERFACE" >&2 + echo "You can set an env variable DEBUG to gather debugging output." >&2 + exit 1 + ;; esac diff --git a/overlays/default.nix b/overlays/default.nix deleted file mode 100644 index 430b766..0000000 --- a/overlays/default.nix +++ /dev/null @@ -1,5 +0,0 @@ -self: super: { - lib = (super.lib or { }) // { - qois = import ../lib { lib = self.lib; }; - }; -} diff --git a/packages/cache/default.nix b/packages/cache/default.nix deleted file mode 100644 index 5a7c983..0000000 --- a/packages/cache/default.nix +++ /dev/null 
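Review bot: In the `"start"` branch the `set -e` named in the hunk header does not catch a failing `mbimcli`, because only the group on the right of the pipe decides the pipeline's status; when the query fails, parse_input_state_machine reads EOF at once, print_full_configuration prints nothing, and interface_stop still flushes `$DEV` before interface_start reports "No IPv4 address". Capturing the output first lets `set -e` abort on a failed query before the interface is touched, and since the parser then runs in the current shell instead of a pipeline subshell, the parsed variables presumably also stay available after the call. `$MBIM_INTERFACE` should be quoted in the same change.
```shell
"start")
  mbim-network "$MBIM_INTERFACE" start
  sleep 1
  # Capture first: a failing query now aborts under `set -e` instead of
  # feeding EOF to the parser, and the parser runs in this shell.
  ip_config=$(mbimcli -d "$MBIM_INTERFACE" -p --query-ip-configuration=0)
  parse_input_state_machine <<<"$ip_config"
  print_full_configuration
  interface_stop
  interface_start
  ;;
# … unchanged: "stop" and usage branches …
```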
@@ -1,42 +0,0 @@ -{ - attic-client, - findutils, - gnugrep, - writeShellApplication, - ... -}: -writeShellApplication { - name = "cache"; - meta.description = "Access the infrastructure's attic cache. Mostly used in CI."; - runtimeInputs = [ - attic-client - findutils - gnugrep - ]; - text = '' - SERVER="https://attic.qo.is/" - CACHE_NAME="qois" - CACHE_REPO="$CACHE_NAME:qois-infrastructure" - if [ -z "$ATTIC_AUTH_TOKEN" ]; then - echo "Please set the \$ATTIC_AUTH_TOKEN environment variable to access the cache." - exit 3 - fi - attic login "$CACHE_NAME" "$SERVER" "$ATTIC_AUTH_TOKEN" - - case "$1" in - use) - attic use "$CACHE_REPO" - ;; - watch) - attic watch-store "$CACHE_REPO" - ;; - push) - RESULT_PATH="./result" - # Add build dependencies as well - nix-store -qR --include-outputs "$(nix-store -qd $RESULT_PATH)" | grep -v '\.drv$' \ - | xargs attic push "$CACHE_REPO" "$RESULT_PATH" - ;; - - esac - ''; -} diff --git a/packages/default.nix b/packages/default.nix index c4dc1bf..1e991b9 100644 --- a/packages/default.nix +++ b/packages/default.nix @@ -1,37 +1,28 @@ { self, + flakeSelf, system, + private, pkgs, ... }: -with pkgs.lib; +let + inherit (self.lib) foldersWithNix; + inherit (pkgs.lib) + path + genAttrs + ; +in { - ${system} = - let - packages = pipe (self.lib.foldersWithNix ./.) [ - (map (name: { - inherit name; - path = path.append ./. "./${name}/default.nix"; - })) - (map ( - { name, path }: - { - inherit name; - value = pkgs.callPackage path { - inherit self; - inherit system; - }; - } - )) - listToAttrs - ]; - in - packages - // { - default = - let - nixosConfigs = mapAttrsToList (n: v: v.config.system.build.toplevel) self.nixosConfigurations; - in - pkgs.linkFarmFromDrvs "all" (nixosConfigs ++ (attrValues packages)); - }; + ${system} = genAttrs (foldersWithNix ./.) ( + name: + pkgs.callPackage (path.append ./. "./${name}/default.nix") { + inherit + self + flakeSelf + system + private + ; + } + ); } 
diff --git a/packages/deploy-qois/default.nix b/packages/deploy-qois/default.nix index ee3f0ac..ed647ef 100644 --- a/packages/deploy-qois/default.nix +++ b/packages/deploy-qois/default.nix @@ -1,6 +1,6 @@ { deploy-rs, - self, + flakeSelf, writeShellApplication, ... }: @@ -9,6 +9,6 @@ writeShellApplication { meta.description = "Deploy configuration to specificed targets."; runtimeInputs = [ deploy-rs ]; text = '' - deploy --interactive --targets "''${@:-${self}}" + deploy --interactive --targets "''${@:-${flakeSelf}}" ''; } diff --git a/packages/docs/default.nix b/packages/docs/default.nix index f16736d..66f7dd9 100644 --- a/packages/docs/default.nix +++ b/packages/docs/default.nix @@ -3,12 +3,12 @@ mdbook-plantuml, mdbook, plantuml, - self, + flakeSelf, stdenv, ... }: let - version = self.rev or self.dirtyRev; + version = flakeSelf.rev or flakeSelf.dirtyRev; in stdenv.mkDerivation { inherit version; @@ -19,6 +19,6 @@ stdenv.mkDerivation { mdbook-plantuml plantuml ]; - src = self; + src = flakeSelf; buildPhase = "mdbook build --dest-dir $out"; } diff --git a/packages/sops-config/default.nix b/packages/sops-config/default.nix index 1daf54a..9655950 100644 --- a/packages/sops-config/default.nix +++ b/packages/sops-config/default.nix @@ -3,7 +3,7 @@ gnupg, lib, runCommand, - self, + private, ssh-to-age, writeText, ... @@ -13,7 +13,7 @@ let metaHostConfigs = import ../../defaults/meta/hosts.nix { }; userPgpKeys = let - keysFolder = "${self.inputs.private}/sops_keys"; + keysFolder = "${private}/sops_keys"; gpgFingerprintsFile = runCommand "userPgpKeys" { @@ -41,9 +41,9 @@ let userAgeKeys = [ ]; serverAgeKeys = let - getHostsWithSshKeys = filterAttrs (name: cfg: cfg ? sshKey); + getHostsWithSshKeys = filterAttrs (_name: cfg: cfg ? sshKey); mapHostToAgeKey = mapAttrs ( - name: cfg: + _name: cfg: readFile ( runCommand "sshToAgeKey" { diff --git a/private b/private index 33cf800..80b04cd 160000 --- a/private +++ b/private 
@@ -1 +1 @@ -Subproject commit 33cf80043c64ddd6882268430454e3cbe98b692b +Subproject commit 80b04cd406adc46357888614ecc3f467b85ab8fa diff --git a/renovate.json b/renovate.json index 9df5a17..f710e2d 100644 --- a/renovate.json +++ b/renovate.json @@ -1,13 +1,16 @@ { "$schema": "https://docs.renovatebot.com/renovate-schema.json", - "extends": [ "config:recommended" ], + "extends": [ + "config:recommended" + ], "lockFileMaintenance": { "enabled": true, - "extends": [ "schedule:weekly" ] + "extends": [ + "schedule:weekly" + ] }, "cloneSubmodules": true, "nix": { "enabled": true } } - diff --git a/treefmt.nix b/treefmt.nix new file mode 100644 index 0000000..5e44926 --- /dev/null +++ b/treefmt.nix @@ -0,0 +1,30 @@ +{ ... }: +{ + projectRootFile = "flake.nix"; + programs = { + nixfmt.enable = true; + deadnix.enable = true; + jsonfmt.enable = true; + yamlfmt.enable = true; + mdformat.enable = true; + ruff-check.enable = true; + ruff-format.enable = true; + shfmt.enable = true; + }; + settings = { + global.excludes = + [ + "*.jpg" + "*.pdf" + "*.toml" + ] + ++ [ + ".envrc" + "robots.txt" + ".vscode/*" + "nixos-modules/system/etc/*" + "private/*" + ]; + formatter.jsonfmt.excludes = [ ".vscode/*.json" ]; + }; +} diff --git a/updates.md b/updates.md index 09373c1..949cac7 100644 --- a/updates.md +++ b/updates.md @@ -16,7 +16,7 @@ git commit git push ``` -Deploy updates: +Deploy updates: ```bash nix develop 
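Review bot: Enabling `mdformat` here is what rewrote `{#_wwan_module}` and `{#_current_limitations}` to `{#\_wwan_module}` and `{#\_current_limitations}` in nixos-modules/wwan/README.md in this same commit; those `{#id}` suffixes are mdbook heading-id attributes rather than Markdown, and mdformat escaped the underscore as if it were emphasis. Whether mdbook strips the backslash before deriving the anchor should be confirmed on the built docs; if it does not, either drop the explicit ids or add the file to `global.excludes` in this treefmt.nix so existing links to those anchors keep working. The same pass renumbered every ordered list to `1.`, which is cosmetic but explains most of the README churn in this diff.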
@@ -47,11 +47,10 @@ pssh -l root -H lindberg-nextcloud.backplane.net.qo.is -H lindberg-build.backpla ## Application Updates -Some applications have pinned versions to prevent problems due to accidental upgrades. +Some applications have pinned versions to prevent problems due to accidental upgrades.\ The version switch has to be done manually by switching the package used. This includes the modules for: - `nextcloud` -- `postgresql`, [→ Nixpkgs manual page](https://nixos.org/manual/nixos/stable/#module-services-postgres-upgrading) - +- `postgresql`, [→ Nixpkgs manual page](https://nixos.org/manual/nixos/stable/#module-services-postgres-upgrading)