qo.is/infrastructure
3
0
Fork 0
Code Issues 10 Pull requests Projects Activity Actions

Many small structural improvements (treefmt, no cyclic imports, git-pre-commit-hook, faster CI) #50

Merged
fabianhauser merged 16 commits from update-imports into main 2025-03-26 15:10:42 +01:00
Conversation 0 Commits 16 Files changed 106 +864 -780
106 changed files with 864 additions and 780 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

34
.github/workflows/ci.yml vendored
View file

@ -1,11 +1,12 @@
name: CI
on:
push:
defaults:
run:
shell: nix develop --command bash -c "{0}"
env:
ATTIC_AUTH_TOKEN: ${{ secrets.ATTIC_AUTH_TOKEN }}
CACHE_NAME: qois
CACHE_REPOSITORY: qois:qois-infrastructure
jobs:
build:
runs-on: nix
@ -15,25 +16,20 @@ jobs:
with:
token: ${{ secrets.CI_TOKEN }}
lfs: false
- name: Use attic cache
run: nix run .#cache use
- name: Build
- name: Setup Attic Cache
env:
SERVER: https://attic.qo.is/
ATTIC_AUTH_TOKEN: ${{ secrets.ATTIC_AUTH_TOKEN }}
run: |
nix build --max-jobs 12 --cores 12
nix run .#cache push
- name: Run Checks
run: nix flake check
attic login "$CACHE_NAME" "$SERVER" "$ATTIC_AUTH_TOKEN"
attic use "$CACHE_REPOSITORY"
- name: Run Builds and Checks
run: nix-fast-build --no-nom --max-jobs 6 --skip-cached --attic-cache "$CACHE_REPOSITORY"
- name: Deploy Docs
if: success() && github.ref == 'refs/heads/main'
run: |
mkdir ~/.ssh/
echo -e "Host lindberg-webapps.backplane.net.qo.is\n StrictHostKeyChecking no" >> ~/.ssh/config
(umask 0077 && printf "%s\n" "${{ secrets.SSH_DEPLOY_KEY }}" > ~/.ssh/id_ed25519)
# Remote build might be neccessary due to non-wheel nix users signing restrictions.
# However, the build should come from the cache anyway.
nix develop --command deploy --skip-checks --remote-build .#lindberg-webapps.\"docs-ops.qo.is\"
deploy --skip-checks --remote-build .#lindberg-webapps.\"docs-ops.qo.is\"
# Remote build is neccessary due to non-wheel nix users signing restrictions. However, the build should come from the cache anyway.

1
.gitignore vendored
View file

@ -6,3 +6,4 @@ result*
/book
/.sops.yaml
/.nixos-test-history
/.pre-commit-config.yaml

33
.nixd.json
View file

@ -1,18 +1,21 @@
{
"eval": {
"target": {
"args": ["-f", "default.nix"],
"installable": ""
}
},
"formatting": {
"command": "nixfmt"
},
"options": {
"enable": true,
"target": {
"args": [],
"installable": ""
}
"eval": {
"target": {
"args": [
"-f",
"default.nix"
],
"installable": ""
}
},
"formatting": {
"command": "nixfmt"
},
"options": {
"enable": true,
"target": {
"args": [],
"installable": ""
}
}
}

8
.vscode/extensions.json vendored
View file

@ -1,5 +1,5 @@
{
"recommendations": [
"jnoortheen.nix-ide"
]
}
"recommendations": [
"jnoortheen.nix-ide"
]
}

81
README.md
View file

@ -6,66 +6,65 @@ Check out the current [rendered documentation](https://docs-ops.qo.is).
## Structure
`nixos-configurations`: Main nixos configuration for every host.
`defaults`: Configuration defaults
`nixos-modules`: Custom modules (e.g. for vpn and routers)
`nixos-configurations`: Main nixos configuration for every host.\
`defaults`: Configuration defaults\
`nixos-modules`: Custom modules (e.g. for vpn and routers)\
`private`: Private configuration values (like users, sops-encrypted secrets and keys)
## Building
This repository requires [nix flakes](https://nixos.wiki/wiki/Flakes)
- `nix build`
Build all host configurations and docs
- `nix build .#nixosConfigurations.<hostname>.config.system.build.toplevel`
Build a single host configuration with
- `nix build .#docs`
Build the documentation website
## Development
- `nix develop`
This repository requires [nix flakes](https://nixos.wiki/wiki/Flakes)
- `nix flake check`\
Execute the project's checks, which includes building all configurations and packages. See [Tests](./checks/README.md).
- `nix build .#nixosConfigurations.<hostname>.config.system.build.toplevel`\
Build a single host configuration.
- `nix build .#docs`\
Build the documentation website.
- `nix develop`\
Development environment
- `nix flake check`
Execute the project's checks
- `nix fmt`
- `nix fmt`\
Autofix formatting
### Working with the private submodule
### Secrets and `private` Submodule
To clone with submodules (if you have access):
Secret management is done with [nix-sops](https://github.com/Mic92/sops-nix) and a git submodule in `private`.\
Make sure you have the submodule correctly available. To clone with submodules (if you have access):
```bash
git clone --recurse-submodules https://git.qo.is/qo.is/infrastructure.git
# See below for how to commit changes.
```
On changes:
```bash
git add private
nix flake lock --update-input private
```
## Deployment
`nix run .#deploy-qois`
See [Deployment](deploy/README.md) for details.
## Secrets
Secret management is done with [nix-sops](https://github.com/Mic92/sops-nix).
Secrets are stored in `private/passwords.sops.yaml` (sysadmin passwords),
`private/nixos-configurations/secrets.sops.yaml` (shared secrets for all hosts) and
`private/nixos-modules/shared-secrets/default.sops.yaml` (shared secrets for all hosts) and
`private/nixos-configurations/<hostname>/secrets.sops.yaml` (host specific secrets).
Usage:
To modify secrets:
```bash
sops $file # To edit a file
sops-rekey # To rekey all secrets, e.g. after a key rollover or new host
```
After changing secrets, don't forget to push the sub-repository and run
`nix flake update private` in the infrastructure repository to use the changes in builds.
After changing secrets:
```bash
# Commit changes in subrepo
pushd private
git commit
git push
nix flake prefetch . # Make subrepo available in nix store. Required until nix 2.27.
popd
git add private
nix flake lock --update-input private
```
## Deployment
See [Deployment](deploy/README.md) for details.

3
SUMMARY.md
View file

@ -4,7 +4,7 @@
- [Testing](checks/README.md)
- [Deployment](deploy/README.md)
---
______________________________________________________________________
- [Network Topology](defaults/meta/network.md)
- [Hardware (generic)](defaults/hardware/README.md)
@ -12,7 +12,6 @@
- [Updates](updates.md)
- [New Host Setup](nixos-configurations/setup.md)
# Services
- [E-mail](email.md)

12
checks/README.md
View file

@ -1,11 +1,19 @@
# Tests
# Tests
`nix flake check` currently:
- builds all nixos-configurations
- builds all packages
- runs all [nixos-module tests](#module-tests)
- checks all deployment configurations
- checks repository formatting.
## Module Tests
We test our nixos modules with [NixOS tests](https://nixos.org/manual/nixos/stable/index.html#sec-nixos-tests).
Running nixos tests requires QEMU virtualisation, so make sure you have KVM virtualisation support enabled.
Run all: `nix build .#checks.x86_64-linux.nixos-modules`
Run all: `nix build .#checks.x86_64-linux.nixos-modules`\
Run single test: `nix build .#checks.x86_64-linux.nixos-modules.entries.vm-test-run-testNameAsInDerivationName`
### Run Test Interactively

16
checks/default.nix
View file

@ -1,26 +1,22 @@
{
self,
flakeSelf,
system,
pkgs,
deployPkgs,
treefmtEval,
...
}:
}@inputs:
{
${system} = {
# Check project formatting
format = pkgs.runCommand "nixfmt-check" { } ''
set -euo pipefail
cd ${self}
${self.formatter.${system}}/bin/formatter . --check
mkdir $out
'';
formatting = treefmtEval.config.build.check flakeSelf;
nixos-modules = pkgs.callPackage ./nixos-modules {
defaultModule = self.nixosModules.default;
inherit (self.lib) getSubDirs isFolderWithFile;
};
#TODO(#29): Integration/System tests
nixos-configurations = import ./nixos-configurations inputs;
# Import deploy-rs tests
} // (deployPkgs.deploy-rs.lib.deployChecks self.deploy);

4
checks/nixos-configurations/default.nix Normal file
View file

@ -0,0 +1,4 @@
{ self, pkgs, ... }:
pkgs.linkFarmFromDrvs "all" (
pkgs.lib.mapAttrsToList (_n: v: v.config.system.build.toplevel) self.nixosConfigurations
)

10
checks/nixos-modules/default.nix
View file

@ -4,12 +4,14 @@
getSubDirs,
lib,
testers,
defaultModule,
}:
let
inherit (lib)
filter
path
mkDefault
mkForce
readFile
attrNames
concatStringsSep
@ -23,6 +25,7 @@ let
in
testers.runNixOSTest {
inherit name;
imports = [
(import (getFilePath "test.nix") {
inherit name;
@ -30,7 +33,12 @@ let
})
];
defaults.imports = [ (getFilePath "default.nix") ];
defaults = {
imports = [ defaultModule ];
qois.outgoing-server-mail.enable = mkForce false;
qois.backup-client.enable = mkForce false;
};
# Calls a `test(...)` python function in the test's python file with the list of nodes and helper functions.
# Helper symbols may be added as function args when needed and can be found in:

5
checks/packages/default.nix Normal file
View file

@ -0,0 +1,5 @@
{ self, pkgs, ... }:
let
inherit (pkgs.lib) attrValues;
in
pkgs.linkFarmFromDrvs "all" (attrValues self.packages)

3
defaults/hardware/README.md
View file

@ -1,4 +1,3 @@
# APU
## Setup
@ -7,5 +6,5 @@ To boot the nixos installer with the console port, add `console=ttyS0,115200n8`
# ASROCK Mainboards
`F2`: Boot into BIOS
`F2`: Boot into BIOS\
`F11`: Select boot device

2
defaults/hardware/apu.nix
View file

@ -2,9 +2,7 @@
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:

2
defaults/hardware/apu1.nix
View file

@ -2,9 +2,7 @@
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:

2
defaults/hardware/asrock-z790m.nix
View file

@ -2,9 +2,7 @@
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:

2
defaults/hardware/asrock.nix
View file

@ -1,7 +1,5 @@
{
config,
lib,
pkgs,
modulesPath,
...
}:

3
defaults/meta/default.nix
View file

@ -1,7 +1,4 @@
{
config,
lib,
pkgs,
...
}:
{

3
defaults/meta/network-physical.nix
View file

@ -1,7 +1,4 @@
{
config,
lib,
pkgs,
...
}:
{

2
defaults/meta/network-virtual.nix
View file

@ -1,7 +1,5 @@
{
config,
lib,
pkgs,
...
}:
{

1
defaults/meta/network.md
View file

@ -74,7 +74,6 @@ All Services are published under the *qo.is* domain name. Following services are
## Contacts
### Init7
- [Status Netzwerkdienste](https://www.init7.net/status/)

1
deploy/README.md
View file

@ -4,7 +4,6 @@ Note that you have to be connected to the `vpn.qo.is`
(or execute the deployment from a host that is in the `backplane.net.qo.is` overlay network)
and that you need to have SSH root access to the target machines.
## Deploy to selected target hosts
```bash

1
deploy/default.nix
View file

@ -1,5 +1,4 @@
{
deployPkgs,
pkgs,
self,
...

1
deploy/docs-ops/default.nix
View file

@ -1,6 +1,5 @@
{
deployPkgs,
pkgs,
self,
system,
...

27
dev-shells/default.nix
View file

@ -1,9 +1,21 @@
{
pkgs,
git-hooks-nix,
treefmtEval,
system,
self,
...
}:
let
pre-commit-check = git-hooks-nix.lib.${system}.run {
src = ../.;
hooks.treefmt = {
enable = true;
package = treefmtEval.config.build.wrapper;
always_run = true;
};
};
in
{
${system}.default = pkgs.mkShellNoCC {
name = "qois-infrastructure-shell";
@ -14,9 +26,9 @@
vscode = pkgs.vscodium;
};
in
[ vscodium-with-extensions ]
pre-commit-check.enabledPackages
++ [ vscodium-with-extensions ]
++ (with self.packages.${system}; [
cache
deploy-qois
sops
sops-rekey
@ -24,14 +36,15 @@
++ (with pkgs; [
attic-client
deploy-rs
jq
nix-fast-build
nixVersions.git
nixd
nixfmt-rfc-style
nixos-anywhere
ssh-to-age
pssh
ssh-to-age
yq
jq
]);
LANG = "C.UTF-8";
LC_ALL = "C.UTF-8";
@ -47,11 +60,7 @@
done
export XDG_DATA_DIRS
# Make sure we support the pure case as well as non nixos cases
# where dynamic bash completions were not sourced.
#if ! type _completion_loader > /dev/null; then
# . ${pkgs.bash-completion}/etc/profile.d/bash_completion.sh
#fi
${pre-commit-check.shellHook}
'';
};
}

1
email.md
View file

@ -9,7 +9,6 @@ E-Mail accounts should be created in a `first.lastname@qo.is` fashion.
Alias/forwarding Domains may be added on an best effort basis.
Bills for these domains should go directly to the respective owner (i.e. should be registered with own accounts).
## System E-mails
For groups, systems, services that require e-mail access, other accounts may be created.

110
flake.lock generated
View file

@ -56,18 +56,77 @@
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"git-hooks-nix": {
"inputs": {
"flake-compat": "flake-compat_2",
"gitignore": "gitignore",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1742649964,
"narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"git-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1702272962,
"narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=",
"lastModified": 1742669843,
"narHash": "sha256-G5n+FOXLXcRx+3hCJ6Rt6ZQyF1zqQ0DL0sWAMn2Nk0w=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d",
"rev": "1e5b653dff12029333a6546c11e108ede13052eb",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
@ -88,7 +147,7 @@
"type": "github"
}
},
"nixpkgs-nixos-unstable": {
"nixpkgs_2": {
"locked": {
"lastModified": 1742669843,
"narHash": "sha256-G5n+FOXLXcRx+3hCJ6Rt6ZQyF1zqQ0DL0sWAMn2Nk0w=",
@ -106,15 +165,16 @@
},
"private": {
"inputs": {
"nixpkgs-nixos-unstable": [
"nixpkgs-nixos-unstable"
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1737552783,
"narHash": "sha256-pJ2lp36L3++a5HtdN7ULcVpdB4j7yo90TDayWuAO+T8=",
"rev": "33cf80043c64ddd6882268430454e3cbe98b692b",
"revCount": 11,
"lastModified": 1742912717,
"narHash": "sha256-jKDVM4hLzNwYpg1/at53B2LZIEEvey1UUIi5cR8wNVQ=",
"ref": "refs/heads/main",
"rev": "80b04cd406adc46357888614ecc3f467b85ab8fa",
"revCount": 15,
"type": "git",
"url": "file:./private"
},
@ -127,16 +187,18 @@
"inputs": {
"deploy-rs": "deploy-rs",
"disko": "disko",
"git-hooks-nix": "git-hooks-nix",
"nixpkgs": "nixpkgs_2",
"nixpkgs-nixos-stable": "nixpkgs-nixos-stable",
"nixpkgs-nixos-unstable": "nixpkgs-nixos-unstable",
"private": "private",
"sops-nix": "sops-nix"
"sops-nix": "sops-nix",
"treefmt-nix": "treefmt-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs-nixos-unstable"
"nixpkgs"
]
},
"locked": {
@ -168,6 +230,26 @@
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1742370146,
"narHash": "sha256-XRE8hL4vKIQyVMDXykFh4ceo3KSpuJF3ts8GKwh5bIU=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "adc195eef5da3606891cedf80c0d9ce2d3190808",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"utils": {
"inputs": {
"systems": "systems"

132
flake.nix
View file

@ -5,34 +5,48 @@
extra-trusted-public-keys = "qois-infrastructure:lh35ymN7Aoxm5Hz0S6JusxE+cYzMU+x9OMKjDVIpfuE=";
};
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
nixpkgs-nixos-stable.url = "github:NixOS/nixpkgs/nixos-24.11";
treefmt-nix = {
url = "github:numtide/treefmt-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
git-hooks-nix = {
url = "github:cachix/git-hooks.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
deploy-rs.url = "github:serokell/deploy-rs";
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs-nixos-stable";
};
nixpkgs-nixos-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
nixpkgs-nixos-stable.url = "github:NixOS/nixpkgs/nixos-24.11";
sops-nix = {
url = "github:Mic92/sops-nix";
inputs = {
nixpkgs.follows = "nixpkgs-nixos-unstable";
};
};
private.url = "git+file:./private";
private.inputs.nixpkgs-nixos-unstable.follows = "nixpkgs-nixos-unstable";
private.inputs.nixpkgs.follows = "nixpkgs";
};
outputs =
{ nixpkgs-nixos-unstable, deploy-rs, ... }@inputs:
{
self,
nixpkgs,
deploy-rs,
treefmt-nix,
...
}@inputs:
let
system = "x86_64-linux";
# Packages for development and build process
pkgs = import nixpkgs-nixos-unstable { inherit system; };
deployPkgs = import nixpkgs-nixos-unstable {
pkgs = import nixpkgs { inherit system; };
deployPkgs = import nixpkgs {
inherit system;
overlays = [
deploy-rs.overlay
(self: super: {
(_self: super: {
deploy-rs = {
inherit (pkgs) deploy-rs;
lib = super.deploy-rs.lib;
@ -40,22 +54,86 @@
})
];
};
importParams = inputs // {
inherit pkgs;
inherit deployPkgs;
inherit system;
treefmtEval = treefmt-nix.lib.evalModule pkgs ./treefmt.nix;
importParams = {
inherit (inputs)
deploy-rs
disko
nixpkgs-nixos-stable
sops-nix
private
git-hooks-nix
;
inherit
deployPkgs
pkgs
system
treefmtEval
;
flakeSelf = self;
};
in
{
checks = import ./checks/default.nix importParams;
deploy = import ./deploy/default.nix importParams;
devShells = import ./dev-shells/default.nix importParams;
formatter.${system} = pkgs.writeShellScriptBin "formatter" ''
${pkgs.findutils}/bin/find $1 -type f -name '*.nix' -exec ${pkgs.nixfmt-rfc-style}/bin/nixfmt ''${@:2} {} +
'';
nixosConfigurations = import ./nixos-configurations/default.nix importParams;
nixosModules = import ./nixos-modules/default.nix importParams;
packages = import ./packages/default.nix importParams;
lib = import ./lib/default.nix importParams;
checks = import ./checks/default.nix (
importParams
// {
self = {
inherit (self)
lib
packages
nixosModules
nixosConfigurations
deploy
;
};
}
);
deploy = import ./deploy/default.nix (
importParams
// {
self = {
inherit (self)
lib
packages
nixosModules
nixosConfigurations
;
};
}
);
devShells = import ./dev-shells/default.nix (
importParams
// {
self = {
inherit (self) lib packages;
};
}
);
formatter.${system} = treefmtEval.config.build.wrapper;
nixosConfigurations = import ./nixos-configurations/default.nix (
importParams
// {
self = {
inherit (self) lib packages nixosModules;
};
}
);
nixosModules = import ./nixos-modules/default.nix (
importParams
// {
self = {
inherit (self) lib packages;
};
}
);
packages = import ./packages/default.nix (
importParams
// {
self = {
inherit (self) lib packages;
};
}
);
lib = import ./lib/default.nix { inherit pkgs; };
};
}

2
lib/default.nix
View file

@ -8,7 +8,7 @@ let
path
;
# Get a list of all subdirectories of a directory.
getSubDirs = base: attrNames (filterAttrs (n: t: t == "directory") (builtins.readDir base));
getSubDirs = base: attrNames (filterAttrs (_n: t: t == "directory") (builtins.readDir base));
# Check if a folder with a base path and folder name contains a file with a specific name
isFolderWithFile =
fileName: basePath: folderName:

4
nixos-configurations/calanda/default.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ ... }:
{
imports = [
@ -6,8 +6,6 @@
./filesystems.nix
../../defaults/hardware/apu.nix
../../defaults/meta
];
qois.system.physical.enable = true;

2
nixos-configurations/calanda/filesystems.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ ... }:
{
fileSystems."/" = {

2
nixos-configurations/calanda/networking.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ config, ... }:
let
meta = config.qois.meta;

7
nixos-configurations/cyprianspitz/README.md
View file

@ -1,17 +1,16 @@
# Host: Cyprianspitz
## Operations {#_operations}
## Operations {#\_operations}
Reboot requires passphrase.
``` bash
```bash
# Get HDD Password:
sops decrypt --extract '["system"]["hdd"]' private/nixos-configurations/cyprianspitz/secrets.sops.yaml
ssh -p 8223 root@calanda.plessur-ext.net.qo.is
```
Direct remote ssh access:
```
@ -24,8 +23,6 @@ TODO
- [Mainboard Manual](docs/z790m-itx-wifi.pdf)
### Top Overview
![](docs/top-view.jpg)

2
nixos-configurations/cyprianspitz/applications/backup.nix
View file

@ -1,4 +1,4 @@
{ pkgs, config, ... }:
{ config, ... }:
{
qois.backup-server = {

2
nixos-configurations/cyprianspitz/applications/default.nix
View file

@ -1,6 +1,4 @@
{
config,
pkgs,
lib,
...
}:

2
nixos-configurations/cyprianspitz/applications/vpn.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ ... }:
{
qois.vpn-server.enable = true;
}

4
nixos-configurations/cyprianspitz/default.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ ... }:
{
imports = [
@ -10,8 +10,6 @@
./virtualisation.nix
../../defaults/hardware/asrock-z790m.nix
../../defaults/meta
];
qois.system.physical.enable = true;

2
nixos-configurations/cyprianspitz/networking.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ config, ... }:
let
meta = config.qois.meta;

2
nixos-configurations/cyprianspitz/virtualisation.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ pkgs, ... }:
{
virtualisation.libvirtd = {
enable = true;

17
nixos-configurations/default.nix
View file

@ -2,16 +2,16 @@
self,
pkgs,
nixpkgs-nixos-stable,
disko,
sops-nix,
...
}@inputs:
let
inherit (pkgs.lib) genAttrs;
inherit (nixpkgs-nixos-stable.lib) nixosSystem;
configs = self.lib.foldersWithNix ./.;
in
pkgs.lib.genAttrs configs (
genAttrs configs (
config:
nixpkgs-nixos-stable.lib.nixosSystem {
nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit inputs;
@ -19,15 +19,6 @@ pkgs.lib.genAttrs configs (
modules = [
self.nixosModules.default
./${config}/default.nix
disko.nixosModules.disko
sops-nix.nixosModules.sops
(
{ ... }:
{
system.extraSystemBuilderCmds = "ln -s ${self} $out/nixos-configuration";
imports = [ ./secrets.nix ];
}
)
];
}
)

1
nixos-configurations/lindberg-build/applications/default.nix
View file

@ -1,5 +1,4 @@
{
config,
pkgs,
lib,
...

3
nixos-configurations/lindberg-build/applications/nixpkgs-cache.nix
View file

@ -1,8 +1,7 @@
{ config, pkgs, ... }:
{ config, ... }:
{
qois.nixpkgs-cache = {
enable = true;
hostname = "nixpkgs-cache.qo.is";
dnsResolvers = [ config.qois.meta.network.virtual.lindberg-vms-nat.hosts.lindberg.v4.ip ];
};
}

3
nixos-configurations/lindberg-build/default.nix
View file

@ -1,8 +1,7 @@
{ config, pkgs, ... }:
{ ... }:
{
imports = [
../../defaults/meta
./applications
./disko-config.nix

2
nixos-configurations/lindberg-build/networking.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ config, ... }:
{

2
nixos-configurations/lindberg-nextcloud/backup.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ ... }:
{

3
nixos-configurations/lindberg-nextcloud/default.nix
View file

@ -1,8 +1,7 @@
{ config, pkgs, ... }:
{ config, ... }:
{
imports = [
../../defaults/meta
./applications
./backup.nix
./secrets.nix

1
nixos-configurations/lindberg-webapps/applications/README.md
View file

@ -2,7 +2,6 @@
## Setting up new static sites
Generate ssh key for deployment:
```bash

2
nixos-configurations/lindberg-webapps/applications/default.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ pkgs, ... }:
{
imports = [ ];

4
nixos-configurations/lindberg-webapps/default.nix
View file

@ -1,9 +1,7 @@
{ config, pkgs, ... }:
{ ... }:
{
imports = [
../../defaults/meta
./applications
./disko-config.nix
./networking.nix

2
nixos-configurations/lindberg-webapps/networking.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ config, ... }:
{

5
nixos-configurations/lindberg/README.md
View file

@ -1,10 +1,10 @@
# Host: Lindberg
## Operations {#_operations}
## Operations {#\_operations}
Reboot requires passphrase (see pass `host/lindberg/hdd_luks`)
``` bash
```bash
ssh -p 2222 root@lindberg.riedbach-ext.net.qo.is
```
@ -12,7 +12,6 @@ ssh -p 2222 root@lindberg.riedbach-ext.net.qo.is
- [Mainboard Manual](docs/X570Pro4-mainboard-manual.pdf)
### Front / Back
#### Front Overview

2
nixos-configurations/lindberg/applications/default.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ ... }:
{
imports = [ ./loadbalancer.nix ];

3
nixos-configurations/lindberg/applications/loadbalancer.nix
View file

@ -1,7 +1,4 @@
{
config,
pkgs,
lib,
...
}:

2
nixos-configurations/lindberg/backup.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ ... }:
{
qois.backup-client.includePaths = [ "/mnt/data" ];

4
nixos-configurations/lindberg/default.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ ... }:
{
imports = [
@ -11,8 +11,6 @@
./virtualisation.nix
../../defaults/hardware/asrock.nix
../../defaults/meta
];
qois.system.physical.enable = true;

2
nixos-configurations/lindberg/networking.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ config, ... }:
let
meta = config.qois.meta;

2
nixos-configurations/lindberg/virtualisation.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ pkgs, ... }:
{
virtualisation.libvirtd = {
enable = true;

11
nixos-configurations/secrets.nix
View file

@ -1,11 +0,0 @@
{ inputs, ... }:
{
sops.secrets =
let
allHostsSecretsFile = "${inputs.private}/nixos-configurations/secrets.sops.yaml";
in
{
"msmtp/password".sopsFile = allHostsSecretsFile;
"wgautomesh/gossip-secret".sopsFile = allHostsSecretsFile;
};
}

10
nixos-configurations/setup.md
View file

@ -3,8 +3,8 @@
## Prepare Remote Machine
1. Boot nixos installer image
2. Set a root password: `sudo passwd root`
3. Get host ip to connect to ssh with `ip a`
1. Set a root password: `sudo passwd root`
1. Get host ip to connect to ssh with `ip a`
## Verify configuration
@ -12,7 +12,7 @@
## Installation
```bash
````bash
nix develop
# Set according to what we want
@ -60,11 +60,11 @@ sops exec-file --no-fifo --filename secret.key private/nixos-configurations/$REM
--disk-encryption-keys /run/secrets/system/hdd.key <(yq --raw-output '.system.hdd' {}) \
--disk-encryption-keys /run/secrets/system/initrd-ssh-key <(yq --raw-output '.system.\"initrd-ssh-key\"' {})
"
```
````
## Post-Setup
* Add backplane-vpn pubkey to `network-virtual.nix` configuration with
- Add backplane-vpn pubkey to `network-virtual.nix` configuration with
```bash
wg pubkey < /secrets/wireguard/private/backplane
```

4
nixos-configurations/stompert/README.md
View file

@ -1,7 +1,7 @@
# Operations {#_operations}
# Operations {#\_operations}
Reboot requires passphrase (see pass `host/stompert/hdd_luks`)
``` bash
```bash
ssh -p 2222 root@stompert.eem-ext.net.qo.is
```

4
nixos-configurations/stompert/default.nix
View file

@ -2,13 +2,11 @@
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{ ... }:
{
imports = [
../../defaults/hardware/apu.nix
../../defaults/meta
];
qois.system.physical.enable = true;

1
nixos-modules/attic/default.nix
View file

@ -1,6 +1,5 @@
{
config,
pkgs,
lib,
...
}:

3
nixos-modules/backplane-net.hosts/default.nix
View file

@ -1,6 +1,5 @@
{
config,
pkgs,
lib,
...
}:
@ -35,7 +34,7 @@ in
networking.hosts = pipe cfg.loadbalancers [
(map (hostname: config.qois.meta.network.virtual.backplane.hosts.${hostname}.v4.ip))
(flip genAttrs (lb: cfg.domains))
(flip genAttrs (_lb: cfg.domains))
];
};

109
nixos-modules/backplane-net/default.nix
View file

@ -1,19 +1,12 @@
{
config,
lib,
pkgs,
...
}:
with lib;
let
cfg = config.qois.backplane-net;
hostName = config.networking.hostName;
netConfig = config.qois.meta.network.virtual.${cfg.netName};
hostNetConfig = netConfig.hosts.${hostName};
interface = "wg-${cfg.netName}";
wgService = [ "wireguard-${interface}.service" ];
in
{
options.qois.backplane-net = {
enable = mkEnableOption "Enable backplane server services";
@ -22,11 +15,6 @@ in
type = types.str;
default = "backplane";
};
domain = mkOption {
description = "Domain";
type = types.str;
default = hostNetConfig;
};
port = mkOption {
description = "Wireguard Default Port";
type = types.number;
@ -34,50 +22,59 @@ in
};
};
config = {
sops.secrets."wgautomesh/gossip-secret".restartUnits = [ "wgautomesh.service" ];
config = lib.mkIf cfg.enable (
let
hostName = config.networking.hostName;
netConfig = config.qois.meta.network.virtual.${cfg.netName};
hostNetConfig = netConfig.hosts.${hostName};
interface = "wg-${cfg.netName}";
wgService = [ "wireguard-${interface}.service" ];
in
{
sops.secrets."wgautomesh/gossip-secret".restartUnits = [ "wgautomesh.service" ];
networking.wireguard.enable = true;
networking.wireguard.interfaces."wg-${cfg.netName}" = {
ips = [ "${hostNetConfig.v4.ip}/${toString netConfig.v4.prefixLength}" ];
listenPort = if hostNetConfig.endpoint != null then hostNetConfig.endpoint.port else cfg.port;
privateKeyFile = "/secrets/wireguard/private/${cfg.netName}";
generatePrivateKeyFile = true;
};
systemd.network.wait-online.ignoredInterfaces = [ interface ];
networking.firewall.allowedUDPPorts =
if hostNetConfig.endpoint != null then [ hostNetConfig.endpoint.port ] else [ cfg.port ];
# Configure wgautomesh to setup peers. Make sure that the name is not used in the VPN module
services.wgautomesh = {
enable = true;
gossipSecretFile = config.sops.secrets."wgautomesh/gossip-secret".path;
openFirewall = true;
settings = {
inherit interface;
# Map meta network configuration to the format of wgautomesh and filter out peers with endpoints
peers = pipe netConfig.hosts [
(filterAttrs (peerHostName: _: peerHostName != hostName)) # Not this host
(mapAttrsToList (
_: peerConfig: {
address = peerConfig.v4.ip;
endpoint =
if (peerConfig.endpoint != null) then
with peerConfig.endpoint; "${fqdn}:${toString port}"
else
null;
pubkey = peerConfig.publicKey;
}
))
];
networking.wireguard.enable = true;
networking.wireguard.interfaces."wg-${cfg.netName}" = {
ips = [ "${hostNetConfig.v4.ip}/${toString netConfig.v4.prefixLength}" ];
listenPort = if hostNetConfig.endpoint != null then hostNetConfig.endpoint.port else cfg.port;
privateKeyFile = "/secrets/wireguard/private/${cfg.netName}";
generatePrivateKeyFile = true;
};
};
systemd.services.wgautomesh = {
requires = wgService;
after = wgService;
};
};
systemd.network.wait-online.ignoredInterfaces = [ interface ];
networking.firewall.allowedUDPPorts =
if hostNetConfig.endpoint != null then [ hostNetConfig.endpoint.port ] else [ cfg.port ];
# Configure wgautomesh to setup peers. Make sure that the name is not used in the VPN module
services.wgautomesh = {
enable = true;
gossipSecretFile = config.sops.secrets."wgautomesh/gossip-secret".path;
openFirewall = true;
settings = {
inherit interface;
# Map meta network configuration to the format of wgautomesh and filter out peers with endpoints
peers = pipe netConfig.hosts [
(filterAttrs (peerHostName: _: peerHostName != hostName)) # Not this host
(mapAttrsToList (
_: peerConfig: {
address = peerConfig.v4.ip;
endpoint =
if (peerConfig.endpoint != null) then
with peerConfig.endpoint; "${fqdn}:${toString port}"
else
null;
pubkey = peerConfig.publicKey;
}
))
];
};
};
systemd.services.wgautomesh = {
requires = wgService;
after = wgService;
};
}
);
}

2
nixos-modules/backup-client/default.nix
View file

@ -2,8 +2,6 @@
config,
lib,
options,
pkgs,
self,
...
}:

2
nixos-modules/backup-server/default.nix
View file

@ -2,8 +2,6 @@
config,
lib,
options,
pkgs,
self,
...
}:

8
nixos-modules/cloud/README.md
View file

@ -11,7 +11,7 @@ For user documentation, refer to the [upstream Nextcloud docs](https://docs.next
## Backup / Restore
1. Stop all related services: nextcloud, php-fpm, redis etc.
2. (mabe dump redis data?)
3. Import Database Backup
4. Restore `/var/lib/nextcloud`, which is currently a bind mount on `lindberg`'s `/mnt/data` volume
5. Resync nextcloud files and database, see [nextcloud docs](https://docs.nextcloud.com/server/latest/admin_manual/maintenance/restore.html)
1. (mabe dump redis data?)
1. Import Database Backup
1. Restore `/var/lib/nextcloud`, which is currently a bind mount on `lindberg`'s `/mnt/data` volume
1. Resync nextcloud files and database, see [nextcloud docs](https://docs.nextcloud.com/server/latest/admin_manual/maintenance/restore.html)

18
nixos-modules/default.nix
View file

@ -1,8 +1,20 @@
inputs: {
{
private,
self,
disko,
sops-nix,
...
}:
{
default =
{ config, pkgs, ... }:
{ ... }:
{
imports = (inputs.self.lib.loadSubmodulesFrom ./.) ++ [ inputs.private.nixosModules.default ];
imports = (self.lib.loadSubmodulesFrom ./.) ++ [
../defaults/meta
disko.nixosModules.disko
sops-nix.nixosModules.sops
private.nixosModules.default
];
};
}

12
nixos-modules/git-ci-runner/README.md
View file

@ -2,7 +2,6 @@
Runner for the [Forgejo git instance](../git/README.md).
## Default docker/ubuntu Runner
Registers a default runner with ubuntu OS or executes user's OCI container with podman.
@ -19,3 +18,14 @@ Consequentially, don't use to build nix things that should stay secret (which is
## Create Secret Token
To create a new token for registration, follow the steps outlined in the [Forgejo documentation](https://forgejo.org/docs/latest/user/actions/#forgejo-runner).
## Clear Runner Caches
Under some circumstances, runner caches need to be cleared. This can be done with:
```bash
cd /var/lib/private/gitea-runner/
systemctl stop --all gitea-runner-*
rm -r */.cache/
systemctl start --all gitea-runner-*
```

39
nixos-modules/git-ci-runner/default.nix
View file

@ -25,6 +25,35 @@ with lib;
default = 10;
description = "How many nix runner instances to start";
};
trustedSubstituters = mkOption {
type = types.listOf types.str;
default = [
# General substitutors (also elsewhere defined defaults, but without priority params)
"https://cache.nixos.org"
"https://${config.qois.nixpkgs-cache.hostname}"
"https://cache.garnix.io"
# Project builds
"https://attic.qo.is/qois-infrastructure" # https://git.qo.is/qo.is/infrastructure
"https://attic.qo.is/dotfiles" # https://git.qo.is/fabianhauser/dotfiles
];
description = "Substitutors that are trusted by the host.";
};
trustedPublicKeys = mkOption {
type = types.listOf types.str;
default = [
# General subsitutors
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
# Project builds
"qois-infrastructure:lh35ymN7Aoxm5Hz0S6JusxE+cYzMU+x9OMKjDVIpfuE=" # https://git.qo.is/qo.is/infrastructure
"dotfiles:KpLi0qe5O5rb8E8N8vntZWBDqFwG3Ksx4AFGizYCLoU=" # https://git.qo.is/fabianhauser/dotfiles
];
description = "Substitutor public keys that are trusted by the host.";
};
};
config = mkIf cfg.enable (mkMerge [
@ -34,6 +63,12 @@ with lib;
"gitea-runner-${defaultInstanceName}.service"
] ++ (genList (n: "gitea-runner-nix${builtins.toString n}.service") cfg.nixInstances);
nix.settings = {
trusted-substituters = cfg.trustedSubstituters;
trusted-public-keys = cfg.trustedPublicKeys;
};
virtualisation.podman = {
enable = true;
dockerCompat = true;
@ -146,7 +181,7 @@ with lib;
{
systemd.services =
genAttrs (genList (n: "gitea-runner-nix${builtins.toString n}") cfg.nixInstances)
(name: {
(_name: {
after = [
"gitea-runner-nix-image.service"
];
@ -237,7 +272,9 @@ with lib;
pkgs.findutils
pkgs.gawk
pkgs.git
pkgs.git-lfs
pkgs.gnugrep
pkgs.gnused
pkgs.jq
pkgs.nix
pkgs.nodejs

7
nixos-modules/git/README.md
View file

@ -38,7 +38,6 @@ sudo -u forgejo 'nix run nixpkgs#forgejo -- admin user create --config ~custom/c
## Backup / Restore
1. `systemctl stop forgejo.service`
2. Import Postgresql Database Backup
3. Restore `/var/lib/forgejo`
4. `systemctl start forgejo.service`
1. Import Postgresql Database Backup
1. Restore `/var/lib/forgejo`
1. `systemctl start forgejo.service`

2
nixos-modules/loadbalancer/default.nix
View file

@ -9,7 +9,7 @@ with lib;
let
# We assume that all static pages are hosted on lindberg-webapps
staticPages = pipe config.qois.static-page.pages [
(mapAttrsToList (name: { domain, domainAliases, ... }: [ domain ] ++ domainAliases))
(mapAttrsToList (_name: { domain, domainAliases, ... }: [ domain ] ++ domainAliases))
flatten
(map (name: {
inherit name;

3
nixos-modules/luks-ssh/default.nix
View file

@ -1,7 +1,6 @@
{
config,
lib,
pkgs,
...
}:
@ -83,7 +82,7 @@ in
with lib;
concatLists (
mapAttrsToList (
name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else [ ]
_name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else [ ]
) config.users.users
);
hostKeys = [ cfg.sshHostKey ];

4
nixos-modules/meta/default.nix
View file

@ -1,8 +1,4 @@
{
config,
lib,
pkgs,
options,
...
}:
{

5
nixos-modules/meta/hosts.nix
View file

@ -1,7 +1,6 @@
{
config,
lib,
pkgs,
options,
...
}:
@ -43,10 +42,10 @@ in
};
config =
let
hostsWithSshKey = lib.filterAttrs (name: hostCfg: hostCfg.sshKey != null) cfg;
hostsWithSshKey = lib.filterAttrs (_name: hostCfg: hostCfg.sshKey != null) cfg;
in
{
programs.ssh.knownHosts = lib.mapAttrs (name: hostCfg: {
programs.ssh.knownHosts = lib.mapAttrs (_name: hostCfg: {
publicKey = hostCfg.sshKey;
}) hostsWithSshKey;
};

12
nixos-modules/meta/network.nix
View file

@ -1,7 +1,6 @@
{
config,
lib,
pkgs,
options,
...
}:
@ -17,13 +16,6 @@ let
type = str;
inherit description;
});
mkOptStr =
description:
(mkOption {
type = nullOr str;
default = null;
inherit description;
});
mkNetworkIdOpts =
v:
@ -225,10 +217,10 @@ in
(getHostNamesForNetworks hostname cfg.virtual) ++ (getHostNamesForNetworks hostname cfg.physical);
hostsWithPublicKey = lib.filterAttrs (
hostName: hostConfig: hostConfig.sshKey != null
_hostName: hostConfig: hostConfig.sshKey != null
) config.qois.meta.hosts;
in
mapAttrs (name: hostCfg: { extraHostNames = getHostNames name; }) hostsWithPublicKey;
mapAttrs (name: _hostCfg: { extraHostNames = getHostNames name; }) hostsWithPublicKey;
};
}

2
nixos-modules/nixpkgs-cache/default.nix
View file

@ -1,6 +1,5 @@
{
config,
pkgs,
lib,
...
}:
@ -16,6 +15,7 @@ with lib;
hostname = mkOption {
type = types.str;
example = "mycache.myhost.org";
default = "nixpkgs-cache.qo.is";
description = "Hostname, under which the cache is served";
};

1
nixos-modules/router-dhcp/default.nix
View file

@ -1,7 +1,6 @@
{
config,
lib,
pkgs,
...
}:

1
nixos-modules/router-dns/default.nix
View file

@ -1,7 +1,6 @@
{
config,
lib,
pkgs,
...
}:

2
nixos-modules/router-wireless-ap/default.nix
View file

@ -1,14 +1,12 @@
{
config,
lib,
pkgs,
...
}:
with lib;
let
routerCfg = config.qois.router;
cfg = config.qois.router.wireless;
in
{

2
nixos-modules/router/README.md
View file

@ -1,4 +1,4 @@
# Router Role {#_router_role}
# Router Role {#\_router_role}
The `router` role set is applied on hosts which serve the rule of a SOHO
router.

1
nixos-modules/router/default.nix
View file

@ -1,7 +1,6 @@
{
config,
lib,
pkgs,
...
}:

1
nixos-modules/static-page/README.md
View file

@ -3,4 +3,3 @@
This module enables static nginx sites, with data served from "/var/lib/nginx/$domain/root".
To deploy the site, a user `nginx-$domain` is added, of which a `root` profile in the home folder can be deployed, e.g. with deploy-rs.

12
nixos-modules/static-page/default.nix
View file

@ -53,7 +53,7 @@ with lib;
config = mkIf cfg.enable (
let
pageConfigs = concatMapAttrs (
name: page:
_name: page:
let
home = "/var/lib/nginx-${page.domain}";
in
@ -76,7 +76,7 @@ with lib;
users = {
groups = concatMapAttrs (
name:
_name:
{ user, ... }:
{
"${user}" = { };
@ -84,10 +84,10 @@ with lib;
) pageConfigs;
users =
{
${config.services.nginx.user}.extraGroups = mapAttrsToList (domain: getAttr "user") pageConfigs;
${config.services.nginx.user}.extraGroups = mapAttrsToList (_domain: getAttr "user") pageConfigs;
}
// (concatMapAttrs (
name:
_name:
{
user,
home,
@ -134,10 +134,10 @@ with lib;
globalRedirect = domain;
};
});
aliasVhosts = concatMapAttrs (name: mkAliasVhost) pageConfigs;
aliasVhosts = concatMapAttrs (_name: mkAliasVhost) pageConfigs;
in
aliasVhosts // (mapAttrs (name: mkVhost) pageConfigs);
aliasVhosts // (mapAttrs (_name: mkVhost) pageConfigs);
};
}
);

6
nixos-modules/static-page/test.nix
View file

@ -10,14 +10,14 @@
inherit (lib) mkForce genAttrs const;
in
{
# Setup simple localhost page with an example.com redirect
# Setup simple docs.example.com page with an example.com redirect
qois.static-page = {
enable = true;
pages."localhost".domainAliases = [ "example.com" ];
pages."docs.example.com".domainAliases = [ "example.com" ];
};
# Disable TLS services
services.nginx.virtualHosts = genAttrs [ "localhost" "example.com" ] (const {
services.nginx.virtualHosts = genAttrs [ "docs.example.com" "example.com" ] (const {
forceSSL = mkForce false;
enableACME = mkForce false;
});

31
nixos-modules/static-page/test.py
View file

@ -3,18 +3,20 @@ def test(subtest, webserver):
webserver.wait_for_open_port(80)
# Preparations
webserverRoot = "/var/lib/nginx-localhost/root"
webserverRoot = "/var/lib/nginx-docs.example.com/root"
indexContent = "It works!"
webserver.succeed(f"mkdir {webserverRoot}")
webserver.succeed(f"echo '{indexContent}' > {webserverRoot}/index.html")
webserver.succeed(f"chown -R nginx-localhost\: {webserverRoot}")
webserver.succeed(f"chown -R nginx-docs.example.com\: {webserverRoot}")
# Helpers
def curl_variable_test(node, variable, expected, url):
value = node.succeed(
f"curl -s --no-location -o /dev/null -w '%{{{variable}}}' '{url}'")
assert value == expected, \
f"curl -s --no-location -o /dev/null -w '%{{{variable}}}' '{url}'"
)
assert value == expected, (
f"expected {variable} to be '{expected}' but got '{value}'"
)
def expect_http_code(node, code, url):
curl_variable_test(node, "http_code", code, url)
@ -24,23 +26,24 @@ def test(subtest, webserver):
def expect_http_content(node, expectedContent, url):
content = node.succeed(f"curl --no-location --silent '{url}'")
assert content.strip() == expectedContent.strip(), f'''
assert content.strip() == expectedContent.strip(), f"""
expected content:
{expectedContent}
at {url} but got following content:
{content}
'''
"""
# Tests
with subtest("website is successfully served on localhost"):
expect_http_code(webserver, "200", "http://localhost/index.html")
expect_http_content(webserver, indexContent,
"http://localhost/index.html")
with subtest("website is successfully served on docs.example.com"):
webserver.succeed("grep docs.example.com /etc/hosts")
expect_http_code(webserver, "200", "http://docs.example.com/index.html")
expect_http_content(
webserver, indexContent, "http://docs.example.com/index.html"
)
with subtest("example.com is in hosts file and a redirect to localhost"):
webserver.succeed("grep example.com /etc/hosts")
with subtest("example.com is a redirect to docs.example.com"):
webserver.succeed("grep -e '[^\.]example.com' /etc/hosts")
url = "http://example.com/index.html"
expect_http_code(webserver, "301", url)
expect_http_location(
webserver, "http://localhost/index.html", url)
expect_http_location(webserver, "http://docs.example.com/index.html", url)

2
nixos-modules/system/applications.nix
View file

@ -1,6 +1,4 @@
{
config,
lib,
pkgs,
...
}:

14
nixos-modules/system/default.nix
View file

@ -2,7 +2,6 @@
config,
lib,
pkgs,
inputs,
...
}:
{
@ -11,7 +10,6 @@
./overlays.nix
./physical.nix
./security.nix
./unfree.nix
./virtual-machine.nix
];
@ -57,9 +55,9 @@
settings =
let
substituters = [
"https://${inputs.self.nixosConfigurations.lindberg-build.config.qois.nixpkgs-cache.hostname}?priority=39"
"https://${config.qois.nixpkgs-cache.hostname}?priority=30"
"https://attic.qo.is/qois-infrastructure?priority=32"
"https://cache.nixos.org?priority=40"
"https://attic.qo.is/qois-infrastructure"
];
in
{
@ -71,7 +69,7 @@
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"qois-infrastructure:lh35ymN7Aoxm5Hz0S6JusxE+cYzMU+x9OMKjDVIpfuE="
];
trusted-substituters = substituters; # For hosts that limit the subst list
trusted-substituters = substituters;
inherit substituters;
};
gc = {
@ -113,12 +111,6 @@
defaultEditor = true;
};
sops.defaultSopsFile =
let
defaultSopsPath = "${inputs.private}/nixos-configurations/${config.networking.hostName}/secrets.sops.yaml";
in
lib.mkIf (builtins.pathExists defaultSopsPath) defaultSopsPath;
services.fstrim.enable = true;
qois.outgoing-server-mail.enable = true;

4
nixos-modules/system/overlays.nix
View file

@ -1,12 +1,8 @@
{
config,
lib,
pkgs,
options,
...
}:
{
nixpkgs.overlays = [ (import ../../overlays) ];
nix.nixPath = options.nix.nixPath.default;
}

2
nixos-modules/system/security.nix
View file

@ -1,7 +1,5 @@
{
config,
lib,
pkgs,
...
}:
with lib;

22
nixos-modules/system/unfree.nix
View file

@ -1,22 +0,0 @@
{
config,
lib,
pkgs,
...
}:
{
nixpkgs.config.allowUnfreePredicate =
pkg:
builtins.elem (lib.getName pkg) [
"corefonts"
"camingo-code"
"helvetica-neue-lt-std"
#"kochi-substitute-naga10"
"ttf-envy-code-r"
"vista-fonts"
"vista-fonts-chs"
"xkcd-font-unstable"
"ricty"
];
}

13
nixos-modules/vault/README.md
View file

@ -3,7 +3,7 @@
To use our Vaultwarden instance, you can use the regular
[Bitwarden apps](https://bitwarden.com/download/) with our custom server when logging in:
Username: `first.lastname@qo.is`
Username: `first.lastname@qo.is`\
Server Name: `https://vault.qo.is`
## Create Accounts
@ -17,7 +17,6 @@ Please instruct users to:
- the password cannot be reset without loosing all the passwords.
Use of [Emergency Contacts](https://bitwarden.com/help/emergency-access/) or Organizations may be advisable.
## Administration
An admin panel is available under [vault.qo.is/admin](https://vault.qo.is/admin).
@ -26,12 +25,10 @@ The password is saved in the pass database under `vaultwarden-admin`.
In the administration panel, users and organizations may be managed.
Instance settings should be changed with the nixos module in the infrastructure repository only.
## Backup / Restore
1. `systemctl stop vaultwarden.service`
2. Import Postgresql Database Backup
3. Restore `/var/lib/bitwarden_rs`
4. `systemctl start vaultwarden.service`
5. Click `Force clients to resync` in the [Administration interface under _Users_](https://vault.qo.is/admin/users/overview)
1. Import Postgresql Database Backup
1. Restore `/var/lib/bitwarden_rs`
1. `systemctl start vaultwarden.service`
1. Click `Force clients to resync` in the [Administration interface under _Users_](https://vault.qo.is/admin/users/overview)

1
nixos-modules/vpn-exit-node/default.nix
View file

@ -1,6 +1,5 @@
{
config,
pkgs,
lib,
...
}:

21
nixos-modules/vpn-server/README.md
View file

@ -29,14 +29,13 @@ These nodes allow access to the internet for clients connected to the VPN:
> ⚠️ Currently, name resolution for these do not work reliably on first starts, hence the IP must be used. This hould be fixed in the future.
### Add exit nodes:
1. Create a preauth secret on the `vpn.qo.is` host:
```bash
headscale preauthkeys create --user srv --reusable
```
2. Configure the new exit-node host with the `qois.vpn-exit-node` module.
```
1. Configure the new exit-node host with the `qois.vpn-exit-node` module.
When using the `srv` user, exit nodes and routes are automatically accepted as trusted.
@ -50,11 +49,9 @@ To use the service, you can use a normal Tailscale client with following additio
| `exit-node` | `100.64.0.5` (lindberg) or `100.64.0.6` (cypriaspitz) | Use host as [exit node](#exit-nodes) |
| `login-server` | `https://vpn.qo.is` | Use our own VPN service. |
> ⚠️ Currently, if the client is in an IPv6 network, the transport is broken.
> Disable IPv6 connectivity to use the VPN.
> See [#4](https://git.qo.is/qo.is/infrastructure/issues/4) for details.
> See [#4](https://git.qo.is/qo.is/infrastructure/issues/4) for details.
### NixOS
@ -90,15 +87,15 @@ See [this Headscale documentation for more](https://headscale.net/stable/usage/c
### Server
1. `systemctl stop headscale`
2. Replace `/var/lib/headscale`
3. `systemctl start headscale`
4. Monitor logs for errors
1. Replace `/var/lib/headscale`
1. `systemctl start headscale`
1. Monitor logs for errors
Note: `/var/lib/headscale` contains a sqlite database.
### Clients
1. `systemctl stop tailscaled`
2. Replace `/var/lib/tailscale`
3. `systemctl start tailscaled`
4. Monitor logs for errors
1. Replace `/var/lib/tailscale`
1. `systemctl start tailscaled`
1. Monitor logs for errors

2
nixos-modules/vpn-server/default.nix
View file

@ -10,7 +10,7 @@ let
cfgLoadbalancer = config.qois.loadbalancer;
defaultDnsRecords =
(mapAttrs (
name: value: mkIf (cfgLoadbalancer.hostmap ? ${value}) cfgLoadbalancer.hostmap.${value}
_name: value: mkIf (cfgLoadbalancer.hostmap ? ${value}) cfgLoadbalancer.hostmap.${value}
) cfgLoadbalancer.domains)
// {
"vpn.qo.is" = config.services.headscale.address;

4
nixos-modules/wwan/README.md
View file

@ -1,8 +1,8 @@
# WWAN Module {#_wwan_module}
# WWAN Module {#\_wwan_module}
This module configures WWAN adapters that support MBIM
## Current limitations {#_current_limitations}
## Current limitations {#\_current_limitations}
- IPv4 tested only
- Currently, it is not simple to get network failures or address

491
nixos-modules/wwan/mbim-ip.bash
View file

@ -6,11 +6,11 @@ MODE=$1
DEV=$2
if [ "$DEBUG" == "" ]; then
DEBUG="false"
DEBUG="false"
fi
if [ "$MBIM_INTERFACE" == "" ]; then
MBIM_INTERFACE="/dev/cdc-wdm0"
MBIM_INTERFACE="/dev/cdc-wdm0"
fi
###############################################################################
@ -29,274 +29,273 @@ ipv6_dns=()
ipv6_mtu=""
export previous_state state skip_line \
ipv4_addresses ipv4_gateway ipv4_dns ipv4_mtu \
ipv6_addresses ipv6_gateway ipv6_dns ipv6_mtu
ipv4_addresses ipv4_gateway ipv4_dns ipv4_mtu \
ipv6_addresses ipv6_gateway ipv6_dns ipv6_mtu
###############################################################################
# Function
###############################################################################
function print_debug {
if [ "$DEBUG" != "false" ]; then
echo "[State: $state] $1" >&2
fi
if [ "$DEBUG" != "false" ]; then
echo "[State: $state] $1" >&2
fi
}
function print_full_configuration {
if [[ "${#ipv4_addresses[@]}" > 0 ]]; then
printf "IPv4: "
printf '%s, ' "${ipv4_addresses[@]}"
printf "\n"
if [[ ${#ipv4_addresses[@]} > 0 ]]; then
printf "IPv4: "
printf '%s, ' "${ipv4_addresses[@]}"
printf "\n"
printf "GW: $ipv4_gateway\n"
printf "GW: $ipv4_gateway\n"
printf "DNS: "
printf '%s, ' "${ipv4_dns[@]}"
printf "\n"
printf "DNS: "
printf '%s, ' "${ipv4_dns[@]}"
printf "\n"
printf "MTU: $ipv4_mtu\n"
fi
printf "MTU: $ipv4_mtu\n"
fi
if [[ "${#ipv6_addresses[@]}" > 0 ]]; then
echo
printf "IPv6: "
printf '%s, ' "${ipv6_addresses[@]}"
printf "\n"
if [[ ${#ipv6_addresses[@]} > 0 ]]; then
echo
printf "IPv6: "
printf '%s, ' "${ipv6_addresses[@]}"
printf "\n"
printf "GW: $ipv6_gateway\n"
printf "GW: $ipv6_gateway\n"
printf "DNS: "
printf '%s, ' "${ipv6_dns[@]}"
printf "\n"
printf "DNS: "
printf '%s, ' "${ipv6_dns[@]}"
printf "\n"
printf "MTU: $ipv6_mtu\n"
fi
printf "MTU: $ipv6_mtu\n"
fi
}
function next_state {
previous_state="$state"
state="$1"
previous_state="$state"
state="$1"
}
function parse_ip {
# IP [0]: '10.134.203.177/30'
local line_re="IP \[([0-9]+)\]: '(.+)'"
local input=$1
if [[ $input =~ $line_re ]]; then
local ip_cnt=${BASH_REMATCH[1]}
local ip=${BASH_REMATCH[2]}
fi
echo "$ip"
# IP [0]: '10.134.203.177/30'
local line_re="IP \[([0-9]+)\]: '(.+)'"
local input=$1
if [[ $input =~ $line_re ]]; then
local ip_cnt=${BASH_REMATCH[1]}
local ip=${BASH_REMATCH[2]}
fi
echo "$ip"
}
function parse_dns {
# IP [0]: '10.134.203.177/30'
local line_re="DNS \[([0-9]+)\]: '(.+)'"
local input=$1
if [[ $input =~ $line_re ]]; then
local dns_cnt=${BASH_REMATCH[1]}
local dns=${BASH_REMATCH[2]}
fi
echo "$dns"
# IP [0]: '10.134.203.177/30'
local line_re="DNS \[([0-9]+)\]: '(.+)'"
local input=$1
if [[ $input =~ $line_re ]]; then
local dns_cnt=${BASH_REMATCH[1]}
local dns=${BASH_REMATCH[2]}
fi
echo "$dns"
}
function parse_gateway {
# Gateway: '10.134.203.178'
local line_re="Gateway: '(.+)'"
local input=$1
if [[ $input =~ $line_re ]]; then
local gw=${BASH_REMATCH[1]}
fi
echo "$gw"
# Gateway: '10.134.203.178'
local line_re="Gateway: '(.+)'"
local input=$1
if [[ $input =~ $line_re ]]; then
local gw=${BASH_REMATCH[1]}
fi
echo "$gw"
}
function parse_mtu {
# MTU: '1500'
local line_re="MTU: '([0-9]+)'"
local input=$1
if [[ $input =~ $line_re ]]; then
local mtu=${BASH_REMATCH[1]}
fi
echo "$mtu"
# MTU: '1500'
local line_re="MTU: '([0-9]+)'"
local input=$1
if [[ $input =~ $line_re ]]; then
local mtu=${BASH_REMATCH[1]}
fi
echo "$mtu"
}
function parse_input_state_machine {
state="start"
while true; do
if [[ "$skip_line" == 0 ]]; then
read line || break # TODO: Clean up
else
skip_line=0
fi
case "$state" in
"start")
read line || break # first line is empty, read a new one #TODO: This is not very clean...
case "$line" in
*"configuration available: 'none'"*)
# Skip none state
# TODO: This is a workaround of the original parser's shortcomming
continue
;;
*"IPv4 configuration available"*)
next_state "ipv4_ip"
continue
;;
*"IPv6 configuration available"*)
next_state "ipv6_ip"
continue
;;
*)
next_state "exit"
continue
;;
esac
;;
"error")
echo "Error in pattern matchin of state $previous_state. Exiting." >&2
exit 2
;;
"exit")
break
;;
"ipv4_ip")
ipv4=$(parse_ip "$line")
if [ -z "$ipv4" ]; then
if [[ "${#ipv4_addresses[@]}" < 1 ]]; then
next_state "error"
continue
else
next_state "ipv4_gateway"
skip_line=1
continue
fi
fi
print_debug "$ipv4"
ipv4_addresses+=("$ipv4")
;;
"ipv4_gateway")
gw=$(parse_gateway "$line")
if [ -z "$gw" ]; then
next_state "error"
continue
fi
print_debug "$gw"
ipv4_gateway="$gw"
next_state "ipv4_dns"
;;
"ipv4_dns")
ipv4=$(parse_dns "$line")
if [ -z "$ipv4" ]; then
if [[ "${#ipv4_dns[@]}" < 1 ]]; then
next_state "error"
continue
else
next_state "ipv4_mtu"
skip_line=1
continue
fi
fi
print_debug "$ipv4"
ipv4_dns+=("$ipv4")
;;
"ipv4_mtu")
mtu=$(parse_mtu "$line")
if [ -z "$mtu" ]; then
next_state "error"
continue
fi
print_debug "$mtu"
ipv4_mtu="$mtu"
next_state "start"
;;
"ipv6_ip")
ipv6=$(parse_ip "$line")
if [ -z "$ipv6" ]; then
if [[ "${#ipv6_addresses[@]}" < 1 ]]; then
next_state "error"
continue
else
next_state "ipv6_gateway"
skip_line=1
continue
fi
fi
print_debug "$ipv6"
ipv6_addresses+=("$ipv6")
;;
"ipv6_gateway")
gw=$(parse_gateway "$line")
if [ -z "$gw" ]; then
next_state "error"
continue
fi
print_debug "$gw"
ipv6_gateway="$gw"
next_state "ipv6_dns"
;;
"ipv6_dns")
ipv6=$(parse_dns "$line")
if [ -z "$ipv6" ]; then
if [[ "${#ipv6_dns[@]}" < 1 ]]; then
next_state "error"
continue
else
next_state "ipv6_mtu"
skip_line=1
continue
fi
fi
print_debug "$ipv6"
ipv6_dns+=("$ipv6")
;;
"ipv6_mtu")
mtu=$(parse_mtu "$line")
if [ -z "$mtu" ]; then
next_state "error"
continue
fi
print_debug "$mtu"
ipv6_mtu="$mtu"
next_state "start"
;;
*)
print_debug "Invalid state (came from $previous_state). Exiting."
exit 0
;;
esac
done
state="start"
while true; do
if [[ $skip_line == 0 ]]; then
read line || break # TODO: Clean up
else
skip_line=0
fi
case "$state" in
"start")
read line || break # first line is empty, read a new one #TODO: This is not very clean...
case "$line" in
*"configuration available: 'none'"*)
# Skip none state
# TODO: This is a workaround of the original parser's shortcomming
continue
;;
*"IPv4 configuration available"*)
next_state "ipv4_ip"
continue
;;
*"IPv6 configuration available"*)
next_state "ipv6_ip"
continue
;;
*)
next_state "exit"
continue
;;
esac
;;
"error")
echo "Error in pattern matchin of state $previous_state. Exiting." >&2
exit 2
;;
"exit")
break
;;
"ipv4_ip")
ipv4=$(parse_ip "$line")
if [ -z "$ipv4" ]; then
if [[ ${#ipv4_addresses[@]} < 1 ]]; then
next_state "error"
continue
else
next_state "ipv4_gateway"
skip_line=1
continue
fi
fi
print_debug "$ipv4"
ipv4_addresses+=("$ipv4")
;;
"ipv4_gateway")
gw=$(parse_gateway "$line")
if [ -z "$gw" ]; then
next_state "error"
continue
fi
print_debug "$gw"
ipv4_gateway="$gw"
next_state "ipv4_dns"
;;
"ipv4_dns")
ipv4=$(parse_dns "$line")
if [ -z "$ipv4" ]; then
if [[ ${#ipv4_dns[@]} < 1 ]]; then
next_state "error"
continue
else
next_state "ipv4_mtu"
skip_line=1
continue
fi
fi
print_debug "$ipv4"
ipv4_dns+=("$ipv4")
;;
"ipv4_mtu")
mtu=$(parse_mtu "$line")
if [ -z "$mtu" ]; then
next_state "error"
continue
fi
print_debug "$mtu"
ipv4_mtu="$mtu"
next_state "start"
;;
"ipv6_ip")
ipv6=$(parse_ip "$line")
if [ -z "$ipv6" ]; then
if [[ ${#ipv6_addresses[@]} < 1 ]]; then
next_state "error"
continue
else
next_state "ipv6_gateway"
skip_line=1
continue
fi
fi
print_debug "$ipv6"
ipv6_addresses+=("$ipv6")
;;
"ipv6_gateway")
gw=$(parse_gateway "$line")
if [ -z "$gw" ]; then
next_state "error"
continue
fi
print_debug "$gw"
ipv6_gateway="$gw"
next_state "ipv6_dns"
;;
"ipv6_dns")
ipv6=$(parse_dns "$line")
if [ -z "$ipv6" ]; then
if [[ ${#ipv6_dns[@]} < 1 ]]; then
next_state "error"
continue
else
next_state "ipv6_mtu"
skip_line=1
continue
fi
fi
print_debug "$ipv6"
ipv6_dns+=("$ipv6")
;;
"ipv6_mtu")
mtu=$(parse_mtu "$line")
if [ -z "$mtu" ]; then
next_state "error"
continue
fi
print_debug "$mtu"
ipv6_mtu="$mtu"
next_state "start"
;;
*)
print_debug "Invalid state (came from $previous_state). Exiting."
exit 0
;;
esac
done
}
interface_stop() {
ip addr flush dev $DEV
ip route flush dev $DEV
interface_stop(){
ip addr flush dev $DEV
ip route flush dev $DEV
ip -6 addr flush dev $DEV
ip -6 route flush dev $DEV
ip -6 addr flush dev $DEV
ip -6 route flush dev $DEV
#TODO: Nameserver?
#TODO: Nameserver?
}
interface_start() {
ip link set $DEV up
ip link set $DEV up
if [[ "${#ipv4_addresses[@]}" > 0 ]]; then
ip addr add ${ipv4_addresses[@]} dev $DEV broadcast + #TODO: Works for multiple addresses?
ip link set $DEV mtu $ipv4_mtu
ip route add default via $ipv4_gateway dev $DEV
#TODO: nameserver ${ipv4_dns[@]}
else
echo "No IPv4 address, skipping v4 configuration..."
fi
if [[ ${#ipv4_addresses[@]} > 0 ]]; then
ip addr add ${ipv4_addresses[@]} dev $DEV broadcast + #TODO: Works for multiple addresses?
ip link set $DEV mtu $ipv4_mtu
ip route add default via $ipv4_gateway dev $DEV
#TODO: nameserver ${ipv4_dns[@]}
else
echo "No IPv4 address, skipping v4 configuration..."
fi
if [[ "${#ipv6_addresses[@]}" > 0 ]]; then
ip -6 addr add ${ipv6_addresses[@]} dev $DEV #TODO: Works for multiple addresses?
ip -6 route add default via $ipv6_gateway dev $DEV
ip -6 link set $DEV mtu $ipv6_mtu
#TODO: nameserver ${ipv6_dns[@]}"
else
echo "No IPv6 address, skipping v6 configuration..."
fi
if [[ ${#ipv6_addresses[@]} > 0 ]]; then
ip -6 addr add ${ipv6_addresses[@]} dev $DEV #TODO: Works for multiple addresses?
ip -6 route add default via $ipv6_gateway dev $DEV
ip -6 link set $DEV mtu $ipv6_mtu
#TODO: nameserver ${ipv6_dns[@]}"
else
echo "No IPv6 address, skipping v6 configuration..."
fi
}
###############################################################################
@ -307,23 +306,23 @@ set -e
echo "NOTE: This script does not yet support nameserver configuration."
case "$MODE" in
"start")
mbim-network $MBIM_INTERFACE start
sleep 1
mbimcli -d $MBIM_INTERFACE -p --query-ip-configuration=0 | {
parse_input_state_machine
print_full_configuration
interface_stop
interface_start
}
;;
"stop")
mbim-network $MBIM_INTERFACE stop
interface_stop
;;
*)
echo "USAGE: $0 start|stop INTERFACE" >&2
echo "You can set an env variable DEBUG to gather debugging output." >&2
exit 1
;;
"start")
mbim-network $MBIM_INTERFACE start
sleep 1
mbimcli -d $MBIM_INTERFACE -p --query-ip-configuration=0 | {
parse_input_state_machine
print_full_configuration
interface_stop
interface_start
}
;;
"stop")
mbim-network $MBIM_INTERFACE stop
interface_stop
;;
*)
echo "USAGE: $0 start|stop INTERFACE" >&2
echo "You can set an env variable DEBUG to gather debugging output." >&2
exit 1
;;
esac

5
overlays/default.nix
View file

@ -1,5 +0,0 @@
self: super: {
lib = (super.lib or { }) // {
qois = import ../lib { lib = self.lib; };
};
}

42
packages/cache/default.nix vendored
View file

@ -1,42 +0,0 @@
{
attic-client,
findutils,
gnugrep,
writeShellApplication,
...
}:
writeShellApplication {
name = "cache";
meta.description = "Access the infrastructure's attic cache. Mostly used in CI.";
runtimeInputs = [
attic-client
findutils
gnugrep
];
text = ''
SERVER="https://attic.qo.is/"
CACHE_NAME="qois"
CACHE_REPO="$CACHE_NAME:qois-infrastructure"
if [ -z "$ATTIC_AUTH_TOKEN" ]; then
echo "Please set the \$ATTIC_AUTH_TOKEN environment variable to access the cache."
exit 3
fi
attic login "$CACHE_NAME" "$SERVER" "$ATTIC_AUTH_TOKEN"
case "$1" in
use)
attic use "$CACHE_REPO"
;;
watch)
attic watch-store "$CACHE_REPO"
;;
push)
RESULT_PATH="./result"
# Add build dependencies as well
nix-store -qR --include-outputs "$(nix-store -qd $RESULT_PATH)" | grep -v '\.drv$' \
| xargs attic push "$CACHE_REPO" "$RESULT_PATH"
;;
esac
'';
}

49
packages/default.nix
View file

@ -1,37 +1,28 @@
{
self,
flakeSelf,
system,
private,
pkgs,
...
}:
with pkgs.lib;
let
inherit (self.lib) foldersWithNix;
inherit (pkgs.lib)
path
genAttrs
;
in
{
${system} =
let
packages = pipe (self.lib.foldersWithNix ./.) [
(map (name: {
inherit name;
path = path.append ./. "./${name}/default.nix";
}))
(map (
{ name, path }:
{
inherit name;
value = pkgs.callPackage path {
inherit self;
inherit system;
};
}
))
listToAttrs
];
in
packages
// {
default =
let
nixosConfigs = mapAttrsToList (n: v: v.config.system.build.toplevel) self.nixosConfigurations;
in
pkgs.linkFarmFromDrvs "all" (nixosConfigs ++ (attrValues packages));
};
${system} = genAttrs (foldersWithNix ./.) (
name:
pkgs.callPackage (path.append ./. "./${name}/default.nix") {
inherit
self
flakeSelf
system
private
;
}
);
}

4
packages/deploy-qois/default.nix
View file

@ -1,6 +1,6 @@
{
deploy-rs,
self,
flakeSelf,
writeShellApplication,
...
}:
@ -9,6 +9,6 @@ writeShellApplication {
meta.description = "Deploy configuration to specificed targets.";
runtimeInputs = [ deploy-rs ];
text = ''
deploy --interactive --targets "''${@:-${self}}"
deploy --interactive --targets "''${@:-${flakeSelf}}"
'';
}

Some files were not shown because too many files have changed in this diff Show more