fix lints

Vivian 2023-12-24 12:27:59 +01:00
parent 23fd3adfa3
commit 30de216118
14 changed files with 201 additions and 247 deletions


@ -54,7 +54,6 @@
, nixos-generators , nixos-generators
, nur , nur
, attic , attic
, microvm
, ... , ...
}@inputs: }@inputs:
let let


@ -34,6 +34,8 @@
enableUserServices = true; enableUserServices = true;
}; };
security.polkit.enable = lib.mkDefault true;
# Nix Settings # Nix Settings
nix = { nix = {
registry.nixpkgs.flake = inputs.nixpkgs; registry.nixpkgs.flake = inputs.nixpkgs;
@ -74,9 +76,6 @@
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
nixpkgs.config.permittedInsecurePackages =
[ "nodejs-16.20.2" "nodejs-14.21.3" "openssl-1.1.1w" ];
# Limit the systemd journal to 100 MB of disk or the # Limit the systemd journal to 100 MB of disk or the
# last 7 days of logs, whichever happens first. # last 7 days of logs, whichever happens first.
services.journald.extraConfig = '' services.journald.extraConfig = ''
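Review bot: `security.polkit.enable = lib.mkDefault true;` switches polkit on for every host that imports this module, but nothing says which service needs it; a why-comment on that line (presumably the user services enabled just above — confirm) would keep the next reader from treating it as removable. The deletion of `nixpkgs.config.permittedInsecurePackages` with its nodejs-16 / nodejs-14 / openssl-1.1.1w entries is a behavioural change rather than a lint fix: any host still depending on one of those end-of-life packages now fails to evaluate instead of silently shipping it, which is the right failure mode but deserves more than "fix lints" as its record. The enclosing attribute set starts and ends outside this hunk.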


@ -1,32 +1,37 @@
{ config, pkgs, lib, ... }: { { config, pkgs, lib, ... }: {
imports = [ ./laura.nix ./vivian.nix ./jonathan.nix ]; imports = [ ./laura.nix ./vivian.nix ./jonathan.nix ];
programs = {
# Setup ZSH to use grml config # Setup ZSH to use grml config
programs.zsh = { zsh = {
enable = true; enable = true;
enableCompletion = true; enableCompletion = true;
syntaxHighlighting.enable = true; syntaxHighlighting.enable = true;
interactiveShellInit = '' autosuggestions.enable = true;
source "${pkgs.grml-zsh-config}/etc/zsh/zshrc" interactiveShellInit = ''
export FZF_DEFAULT_COMMAND="${pkgs.ripgrep}/bin/rg --files --follow" source "${pkgs.grml-zsh-config}/etc/zsh/zshrc"
source "${pkgs.fzf}/share/fzf/key-bindings.zsh" export FZF_DEFAULT_COMMAND="${pkgs.ripgrep}/bin/rg --files --follow"
source "${pkgs.fzf}/share/fzf/completion.zsh" source "${pkgs.fzf}/share/fzf/key-bindings.zsh"
eval "$(${pkgs.zoxide}/bin/zoxide init zsh)" source "${pkgs.fzf}/share/fzf/completion.zsh"
''; eval "$(${pkgs.zoxide}/bin/zoxide init zsh)"
# otherwise it'll override the grml prompt '';
promptInit = ""; # otherwise it'll override the grml prompt
promptInit = "";
};
# Install Neovim and set it as alias for vi(m)
neovim = {
enable = true;
viAlias = true;
vimAlias = true;
defaultEditor = true;
};
tmux.enable = true;
}; };
environment.pathsToLink = [ "/share/zsh" ]; environment.pathsToLink = [ "/share/zsh" ];
# Install Neovim and set it as alias for vi(m)
programs.neovim = {
enable = true;
viAlias = true;
vimAlias = true;
defaultEditor = true;
};
# Disable sudo prompt for `wheel` users. # Disable sudo prompt for `wheel` users.
security.sudo.wheelNeedsPassword = lib.mkDefault false; security.sudo.wheelNeedsPassword = lib.mkDefault false;
@ -41,15 +46,15 @@
# Setup packages available everywhere # Setup packages available everywhere
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
file
fzf fzf
git git
htop htop
ncdu ncdu
psmisc psmisc
helix
ripgrep ripgrep
rsync rsync
tmux
zoxide zoxide
tmux
]; ];
} }
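Review bot: `tmux.enable = true;` in the new `programs` block and the `tmux` entry kept in `environment.systemPackages` both install the same package; `programs.tmux.enable` already puts tmux on the system path, so the systemPackages entry is now redundant and the lint pass could drop it. The `autosuggestions.enable = true;` and `file`/`helix` additions are new behaviour hidden in what reads as a reformat, so a mention in the commit message would help anyone bisecting later.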


@ -26,10 +26,7 @@ in {
ensureDatabases = [ "atticd" ]; ensureDatabases = [ "atticd" ];
ensureUsers = [{ ensureUsers = [{
name = "atticd"; name = "atticd";
ensurePermissions = { ensureDBOwnership = true;
"DATABASE atticd" = "ALL PRIVILEGES";
"schema public" = "ALL";
};
}]; }];
}; };


@ -5,16 +5,7 @@
programs.mosh.enable = true; programs.mosh.enable = true;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
cachix
clang
direnv
git-crypt
nix-update
pinentry-curses
ripgrep
rsync
rustup rustup
tmux
vault vault
]; ];


@ -7,8 +7,7 @@ let
# https://github.com/immich-app/immich/releases # https://github.com/immich-app/immich/releases
# version = "1.55.1"; # version = "1.55.1";
dataDir = "/var/lib/immich"; dataDir = "/var/lib/immich";
in in {
{
imports = [ ]; imports = [ ];
# This value determines the NixOS release from which the default # This value determines the NixOS release from which the default
@ -22,31 +21,32 @@ in
# Additional packages # Additional packages
environment.systemPackages = with pkgs; [ ]; environment.systemPackages = with pkgs; [ ];
# TODO: https://github.com/suderman/nixos/tree/main/modules/nixos/immich # TODO: https://github.com/suderman/nixos/tree/main/modules/nixos/immich
fileSystems."/mnt/storage" = { fileSystems."/mnt/storage" = {
device = "storage:/mnt/storage"; device = "storage:/mnt/storage";
fsType = "nfs"; fsType = "nfs";
}; };
ids = {
# Unused uid/gid snagged from this list: # Unused uid/gid snagged from this list:
# https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix
ids.uids.immich = 911; uids.immich = 911;
ids.gids.immich = 911; gids.immich = 911;
users.groups.photos = {};
users.users.immich = {
isSystemUser = true;
group = "photos";
description = "Immich daemon user";
home = dataDir;
uid = config.ids.uids.immich;
}; };
users = {
groups = {
photos = { };
immich = { gid = config.ids.gids.immich; };
};
users.groups.immich = { gid = config.ids.gids.immich; }; users.immich = {
isSystemUser = true;
group = "photos";
description = "Immich daemon user";
home = dataDir;
uid = config.ids.uids.immich;
};
};
# Postgres database configuration # Postgres database configuration
services.postgresql = { services.postgresql = {
@ -56,7 +56,7 @@ in
ensureUsers = [{ ensureUsers = [{
name = "immich"; name = "immich";
ensurePermissions = { "DATABASE immich" = "ALL PRIVILEGES"; }; ensureDBOwnership = true;
}]; }];
ensureDatabases = [ "immich" ]; ensureDatabases = [ "immich" ];
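Review bot: `immich = { gid = config.ids.gids.immich; };` in the regrouped `users.groups` pins a gid for a group that nothing visible in the hunk uses — the immich user's primary group is `photos` and it declares no `extraGroups` — so the group looks orphaned after the move. If the gid matters for file ownership on the NFS mount at `/mnt/storage` (a guess from the surrounding config — confirm), a comment such as `# gid must match the owner of the photo files on the storage export` would record that; otherwise the group can go. The `ensureDBOwnership = true;` swap is consistent here because role and database are both named `immich`.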


@ -49,17 +49,21 @@ in {
allowedTCPPorts = [ 25565 ]; allowedTCPPorts = [ 25565 ];
}; };
users.extraUsers.laura.extraGroups = [ "wheel" ]; users = {
users.groups.mc = { }; groups.mc = { };
extraUsers = {
laura.extraGroups = [ "wheel" ];
users.extraUsers.julia = { julia = {
isNormalUser = true; isNormalUser = true;
shell = pkgs.zsh; shell = pkgs.zsh;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKTvqk+CJG4VwN8wg3H1ZdbUVj1JuX7RYKH1ewRKfCPv julia@juliadijkstraarch" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKTvqk+CJG4VwN8wg3H1ZdbUVj1JuX7RYKH1ewRKfCPv julia@juliadijkstraarch"
]; ];
extraGroups = [ "mc" "wheel" ]; extraGroups = [ "mc" "wheel" ];
};
};
}; };
} }
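Review bot: `extraUsers = {` is the legacy alias of `users.users`; since this is a lint pass and the other hosts in the same commit write `users.users`, the regrouped block would be more consistent as `users = { groups.mc = { }; users = { laura.extraGroups = [ "wheel" ]; julia = { ... }; }; };`. Worth noting for the record that `julia` is given `wheel` with key-only SSH login while the shared module elsewhere in this commit defaults `security.sudo.wheelNeedsPassword` to false, so that key is effectively a passwordless root credential — pre-existing for `laura`, but the move makes it easy to miss.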


@ -2,19 +2,94 @@
let let
vs = config.vault-secrets.secrets; vs = config.vault-secrets.secrets;
cfg = config.services.mastodon; cfg = config.services.mastodon;
in in {
{
system.stateVersion = "21.05"; system.stateVersion = "21.05";
# Use DHCP with static leases # Use DHCP with static leases
networking.interfaces.eth0.useDHCP = true; networking.interfaces.eth0.useDHCP = true;
# Better cache hits # Better cache hits
environment.noXlibs = lib.mkForce false; environment.noXlibs = lib.mkForce false;
services = {
elasticsearch = {
enable = true;
cluster_name = "mastodon-es";
package = pkgs.elasticsearch7;
};
services.elasticsearch = { postgresql = {
enable = true; enable = true;
cluster_name = "mastodon-es"; package = pkgs.postgresql_16;
package = pkgs.elasticsearch7; settings = {
shared_preload_libraries = "pg_stat_statements";
"pg_stat_statements.track" = "all";
"pg_stat_statements.max" = 10000;
track_activity_query_size = 2048;
};
# The rest of the database setup is handled by mastodon
};
mastodon = {
enable = true;
package = pkgs.v.glitch-soc;
streamingProcesses = 3;
webPort = 55001;
enableUnixSocket = false;
localDomain = "xirion.net";
trustedProxy = "192.168.0.122";
mediaAutoRemove = {
enable = true;
olderThanDays = 30;
startAt = "daily";
};
configureNginx = false;
redis.createLocally = true;
elasticsearch = {
host = "127.0.0.1";
inherit (config.services.elasticsearch) port;
};
database.createLocally = true;
smtp = {
createLocally = false;
fromAddress = "mastodon@xirion.net";
host = "mail.0x76.dev";
user = "mastodon@xirion.net";
authenticate = true;
port = 587;
passwordFile = "${vs.mastodon}/smtp-password";
};
extraConfig = {
BIND = "0.0.0.0";
SINGLE_USER_MODE = "false";
EMAIL_DOMAIN_ALLOWLIST = "xirion.net";
DEFAULT_LOCALE = "en";
WEB_DOMAIN = "fedi.xirion.net";
ALTERNATE_DOMAINS = "meowy.tech";
SMTP_AUTH_METHOD = "plain";
SMTP_OPENSSL_VERIFY_MODE = "none";
RAILS_SERVE_STATIC_FILES = "false";
AUTHORIZED_FETCH = "true";
# https://github.com/cybrespace/cybrespace-meta/blob/master/s3.md;
# https://shivering-isles.com/Mastodon-and-Amazon-S3
S3_ENABLED = "true";
S3_REGION = "hades";
S3_BUCKET = "mastodon";
S3_ENDPOINT = "http://garage.hades:3900";
S3_ALIAS_HOST = "fedi-media.xirion.net";
DEEPL_PLAN = "free";
};
};
}; };
vault-secrets.secrets.mastodon = { vault-secrets.secrets.mastodon = {
@ -31,82 +106,6 @@ in
EOF EOF
''; '';
services.postgresql = { networking.firewall = let cfg = config.services.mastodon;
enable = true; in { allowedTCPPorts = [ cfg.webPort ]; };
package = pkgs.postgresql_16;
settings = {
shared_preload_libraries = "pg_stat_statements";
"pg_stat_statements.track" = "all";
"pg_stat_statements.max" = 10000;
track_activity_query_size = 2048;
};
# The rest of the database setup is handled by mastodon
};
services.mastodon = {
enable = true;
package = pkgs.v.glitch-soc;
streamingProcesses = 3;
webPort = 55001;
enableUnixSocket = false;
localDomain = "xirion.net";
trustedProxy = "192.168.0.122";
mediaAutoRemove = {
enable = true;
olderThanDays = 30;
startAt = "daily";
};
configureNginx = false;
redis.createLocally = true;
elasticsearch = {
host = "127.0.0.1";
inherit (config.services.elasticsearch) port;
};
database.createLocally = true;
smtp = {
createLocally = false;
fromAddress = "mastodon@xirion.net";
host = "mail.0x76.dev";
user = "mastodon@xirion.net";
authenticate = true;
port = 587;
passwordFile = "${vs.mastodon}/smtp-password";
};
extraConfig = {
BIND = "0.0.0.0";
SINGLE_USER_MODE = "false";
EMAIL_DOMAIN_ALLOWLIST = "xirion.net";
DEFAULT_LOCALE = "en";
WEB_DOMAIN = "fedi.xirion.net";
ALTERNATE_DOMAINS = "meowy.tech";
SMTP_AUTH_METHOD = "plain";
SMTP_OPENSSL_VERIFY_MODE = "none";
RAILS_SERVE_STATIC_FILES = "false";
AUTHORIZED_FETCH = "true";
# https://github.com/cybrespace/cybrespace-meta/blob/master/s3.md;
# https://shivering-isles.com/Mastodon-and-Amazon-S3
S3_ENABLED = "true";
S3_REGION = "hades";
S3_BUCKET = "mastodon";
S3_ENDPOINT = "http://garage.hades:3900";
S3_ALIAS_HOST = "fedi-media.xirion.net";
DEEPL_PLAN = "free";
};
};
networking.firewall =
let cfg = config.services.mastodon;
in { allowedTCPPorts = [ cfg.webPort ]; };
} }
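Review bot: `SMTP_OPENSSL_VERIFY_MODE = "none";` in the relocated `extraConfig` disables certificate verification for the STARTTLS session to `mail.0x76.dev` on port 587 while `authenticate = true` sends the vault-managed password over that same session, so a host able to answer for the mail server could capture the credential; unless that server genuinely lacks a valid certificate, `SMTP_OPENSSL_VERIFY_MODE = "peer";` is the safer value, and if "none" is deliberate a comment stating why belongs next to it. The commit only moves this line, but it is now inside the re-indented block under review. Separately, `networking.firewall = let cfg = config.services.mastodon; in { allowedTCPPorts = [ cfg.webPort ]; };` re-binds a `cfg` that the top-level `let` already defines with the same value, so it can shrink to `networking.firewall.allowedTCPPorts = [ cfg.webPort ];`.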


@ -12,8 +12,7 @@ let
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
in in {
{
imports = [ ]; imports = [ ];
# This value determines the NixOS release from which the default # This value determines the NixOS release from which the default
@ -46,22 +45,25 @@ in
"xirion.net" = { "xirion.net" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/".extraConfig = '' locations = {
add_header Content-Type 'text/html; charset=UTF-8'; "/".extraConfig = ''
return 200 'Hello, World!'; add_header Content-Type 'text/html; charset=UTF-8';
''; return 200 'Hello, World!';
'';
# Mastodon federation # Mastodon federation
locations."= /.well-known/host-meta".extraConfig = '' "= /.well-known/host-meta".extraConfig = ''
return 301 https://fedi.xirion.net$request_uri; return 301 https://fedi.xirion.net$request_uri;
''; '';
locations."/.well-known/webfinger".extraConfig = '' "/.well-known/webfinger".extraConfig = ''
add_header Access-Control-Allow-Origin '*'; add_header Access-Control-Allow-Origin '*';
return 301 https://fedi.xirion.net$request_uri; return 301 https://fedi.xirion.net$request_uri;
''; '';
};
}; };
"peepeepoopoo.xirion.net" = proxy "http://tautulli.hades:8080"; # Deprecated but Ricardo has it bookmarked already! "peepeepoopoo.xirion.net" = proxy
"http://tautulli.hades:8080"; # Deprecated but Ricardo has it bookmarked already!
"plex.xirion.net" = { "plex.xirion.net" = {
# Since we want a secure connection, we force SSL # Since we want a secure connection, we force SSL


@ -2,13 +2,40 @@
let vs = config.vault-secrets.secrets; let vs = config.vault-secrets.secrets;
in { in {
imports = [ ./rtorrent.nix ]; imports = [ ./rtorrent.nix ];
networking = {
interfaces.eth0.useDHCP = true;
firewall = {
allowedTCPPorts = [ config.services.rtorrent.port ];
allowedUDPPorts = [ config.services.rtorrent.port ];
};
networking.interfaces.eth0.useDHCP = true; wg-quick.interfaces = let
postUpScript = pkgs.writeScriptBin "post_up" ''
#!${pkgs.stdenv.shell}
${pkgs.iproute2}/bin/ip route add 10.42.42.0/23 via 192.168.0.1
${pkgs.iproute2}/bin/ip route add 10.100.0.0/24 via 192.168.0.1
'';
in {
wg0 = {
address =
[ "10.129.112.89/32, fd7d:76ee:e68f:a993:edd1:668b:49f7:b7c3/128" ];
mtu = 1320;
dns = [ "10.128.0.1" "fd7d:76ee:e68f:a993::1" ];
privateKeyFile = "${vs.rtorrent}/wireguardKey";
postUp = "${postUpScript}/bin/post_up || true";
peers = [{
publicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
allowedIPs = [ "0.0.0.0/0" "::/0" ];
endpoint = "europe3.vpn.airdns.org:1637";
presharedKeyFile = "${vs.rtorrent}/presharedKey";
persistentKeepalive = 15;
}];
};
};
};
system.stateVersion = "22.05"; system.stateVersion = "22.05";
networking.firewall.allowedTCPPorts = [ config.services.rtorrent.port ];
networking.firewall.allowedUDPPorts = [ config.services.rtorrent.port ];
fileSystems."/mnt/storage" = { fileSystems."/mnt/storage" = {
device = "storage:/mnt/storage"; device = "storage:/mnt/storage";
fsType = "nfs"; fsType = "nfs";
@ -22,32 +49,4 @@ in {
}; };
vault-secrets.secrets.rtorrent = { services = [ "wg-quick-wg0" ]; }; vault-secrets.secrets.rtorrent = { services = [ "wg-quick-wg0" ]; };
networking.wg-quick.interfaces =
let
postUpScript = pkgs.writeScriptBin "post_up" ''
#!${pkgs.stdenv.shell}
${pkgs.iproute2}/bin/ip route add 10.42.42.0/23 via 192.168.0.1
${pkgs.iproute2}/bin/ip route add 10.100.0.0/24 via 192.168.0.1
'';
in
{
wg0 = {
address = [ "10.129.112.89/32, fd7d:76ee:e68f:a993:edd1:668b:49f7:b7c3/128" ];
mtu = 1320;
dns = [ "10.128.0.1" "fd7d:76ee:e68f:a993::1" ];
privateKeyFile = "${vs.rtorrent}/wireguardKey";
postUp = "${postUpScript}/bin/post_up || true";
peers = [
{
publicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
allowedIPs = [ "0.0.0.0/0" "::/0" ];
endpoint = "europe3.vpn.airdns.org:1637";
presharedKeyFile = "${vs.rtorrent}/presharedKey";
persistentKeepalive = 15;
}
];
};
};
} }
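Review bot: `address = [ "10.129.112.89/32, fd7d:76ee:e68f:a993:edd1:668b:49f7:b7c3/128" ];` packs two addresses into a single list element; the option is a list, so `address = [ "10.129.112.89/32" "fd7d:76ee:e68f:a993:edd1:668b:49f7:b7c3/128" ];` is the intended form and does not depend on how the module happens to join entries. `postUp = "${postUpScript}/bin/post_up || true";` also swallows any failure of the two `ip route add` lines, and because `allowedIPs = [ "0.0.0.0/0" "::/0" ]` sends everything through the tunnel, a missing LAN route would fail silently rather than at interface bring-up; if best-effort is deliberate, a comment saying so (and why) should accompany the `|| true`, otherwise drop it so wg-quick reports the error.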


@ -2,36 +2,13 @@
# your system. Help is available in the configuration.nix(5) man page # your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help). # and in the NixOS manual (accessible by running nixos-help).
{ pkgs, ... }: { pkgs, ... }: {
let
fix-vscode = pkgs.writeScriptBin "fix-vscode" ''
#!${pkgs.stdenv.shell}
# Check if vscode-server dir exists
if [[ -d "$HOME/.vscode-server/bin" ]]; then
# For every bin folder within
for versiondir in "$HOME"/.vscode-server/bin/*; do
# Remove bundled node (dynamic links are borked for nix)
rm "$versiondir/node"
# symlink node form the nixpkg
ln -s "${pkgs.nodejs-16_x}/bin/node" "$versiondir/node"
done
fi
'';
in
{
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
# This _should_ fix vscode errors as well
programs.nix-ld.enable = true; programs.nix-ld.enable = true;
# environment.variables = {
# NIX_LD_LIBRARY_PATH = lib.makeLibraryPath [
# pkgs.stdenv.cc.cc
# ];
# # NIX_LD = lib.fileContents "${pkgs.stdenv.cc}/nix-support/dynamic-linker";
# };
# Use the GRUB 2 boot loader. # Use the GRUB 2 boot loader.
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
@ -48,22 +25,7 @@ in
virtualisation.podman.enable = true; virtualisation.podman.enable = true;
# Additional packages # Additional packages
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [ vault ];
binutils
fix-vscode
fluxcd
k9s
kubectl
kubectx
nix-prefetch-git
nixpkgs-fmt
nixpkgs-review
ripgrep
rsync
tmux
vault
vim
];
programs.gnupg.agent = { programs.gnupg.agent = {
enable = true; enable = true;


@ -33,10 +33,7 @@ in {
ensureDatabases = [ db_name ]; ensureDatabases = [ db_name ];
ensureUsers = [{ ensureUsers = [{
name = db_user; name = db_user;
ensurePermissions = { ensureDBOwnership = true;
"DATABASE ${db_name}" = "ALL PRIVILEGES";
"schema public" = "ALL";
};
}]; }];
}; };
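Review bot: `ensureDBOwnership = true;` is only accepted by the NixOS postgresql module when the role name appears in `ensureDatabases`, and here both sides come from the bindings `db_user` and `db_name`, which are defined outside this hunk; unless those two evaluate to the same string the configuration fails the module assertion at evaluation time. The same applies to the next file section (lines 532-538), which uses the same pair of bindings. The dropped `"schema public" = "ALL"` grant is covered by ownership on PostgreSQL 15 and later, where the public schema belongs to `pg_database_owner`; on an older server the owner still has that privilege through the default PUBLIC grant, so no regression is expected — confirm the server version in use.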


@ -32,7 +32,7 @@ in
ensureDatabases = [ db_name ]; ensureDatabases = [ db_name ];
ensureUsers = [{ ensureUsers = [{
name = db_user; name = db_user;
ensurePermissions = { "DATABASE ${db_name}" = "ALL PRIVILEGES"; }; ensureDBOwnership = true;
}]; }];
}; };


@ -11,7 +11,7 @@ in
rev = "v${version}"; rev = "v${version}";
hash = "sha256-fZH3zPEU5jnYFhLx8OKDNrvsSVT46Peu92L84Fg5YpQ="; hash = "sha256-fZH3zPEU5jnYFhLx8OKDNrvsSVT46Peu92L84Fg5YpQ=";
}; };
patches = patches ++ []; inherit patches;
}) // { }) // {
inherit version; inherit version;
yarnHash = "sha256-P7KswzsCusyiS4MxUFnC1HYMTQ6fLpIwd97AglCukIk="; yarnHash = "sha256-P7KswzsCusyiS4MxUFnC1HYMTQ6fLpIwd97AglCukIk=";