commit 17333cf95859ed5eccfacd015b2e08efa1245069 · soopy.moe/gensokyo

+18 -17

.sops.nix

···

       19
        
           }

     

       20
        
         ];

     

       21
        
       

     

       22
       -
         mkHost = name: identities:

     

       23
       -
           assert builtins.typeOf identities == "list"; {

     

       0
        
       
     

       0
        
       
     

       24
        
             path_regex = "creds/sops/${name}/.*";

     

       25
        
             key_groups = [

     

       26
        
               {

     

       27
       -
                 age =

     

       28
       -
                   [

     

       29
       -
                     # admin

     

       30
       -
                     age.soopyc_pxl7ag

     

       31
       -
                     age.soopyc_mbp14

     

       32
       -
                   ]

     

       33
       -
                   ++ identities;

     

       34
        
               }

     

       35
        
             ];

     

       36
        
           };

     

       37
       -
       in {

     

       0
        
       
     

       38
        
         # remember to run `just utils update-sops-config` and `sops updatekeys` after editing.

     

       39
        
         creation_rules = [

     

       40
        
           {

     
···

       42
        
             key_groups = everything;

     

       43
        
           }

     

       44
        
       

     

       45
       -
           (mkHost "koumakan" [age.koumakan])

     

       46
       -
           (mkHost "satori" [age.satori])

     

       47
       -
           (mkHost "renko" [age.renko])

     

       48
        
       

     

       49
       -
           (mkHost "bocchi" [age.bocchi])

     

       50
       -
           (mkHost "kita" [age.kita])

     

       51
       -
           (mkHost "ryo" [age.ryo])

     

       52
       -
           (mkHost "nijika" [age.nijika])

     

       53
        
         ];

     

       54
        
       }

···

       19
        
           }

     

       20
        
         ];

     

       21
        
       

     

       22
       +
         mkHost =

     

       23
       +
           name: identities:

     

       24
       +
           assert builtins.typeOf identities == "list";

     

       25
       +
           {

     

       26
        
             path_regex = "creds/sops/${name}/.*";

     

       27
        
             key_groups = [

     

       28
        
               {

     

       29
       +
                 age = [

     

       30
       +
                   # admin

     

       31
       +
                   age.soopyc_pxl7ag

     

       32
       +
                   age.soopyc_mbp14

     

       33
       +
                 ] ++ identities;

     

       0
        
       
     

       0
        
       
     

       34
        
               }

     

       35
        
             ];

     

       36
        
           };

     

       37
       +
       in

     

       38
       +
       {

     

       39
        
         # remember to run `just utils update-sops-config` and `sops updatekeys` after editing.

     

       40
        
         creation_rules = [

     

       41
        
           {

     
···

       43
        
             key_groups = everything;

     

       44
        
           }

     

       45
        
       

     

       46
       +
           (mkHost "koumakan" [ age.koumakan ])

     

       47
       +
           (mkHost "satori" [ age.satori ])

     

       48
       +
           (mkHost "renko" [ age.renko ])

     

       49
        
       

     

       50
       +
           (mkHost "bocchi" [ age.bocchi ])

     

       51
       +
           (mkHost "kita" [ age.kita ])

     

       52
       +
           (mkHost "ryo" [ age.ryo ])

     

       53
       +
           (mkHost "nijika" [ age.nijika ])

     

       54
        
         ];

     

       55
        
       }

+47 -39

flake.nix

···

       67
        
           };

     

       68
        
         };

     

       69
        
       

     

       70
       -
         outputs = {

     

       71
       -
           self,

     

       72
       -
           nixpkgs,

     

       73
       -
           treefmt-nix,

     

       74
       -
           ...

     

       75
       -
         } @ inputs: let

     

       76
       -
           lib = nixpkgs.lib;

     

       0
        
       
     

       0
        
       
     

       77
        
       

     

       78
       -
           systems = [

     

       79
       -
             "x86_64-linux"

     

       80
       -
             "aarch64-linux"

     

       81
       -
             "x86_64-darwin"

     

       82
       -
             "aarch64-darwin"

     

       83
       -
           ];

     

       84
       -
           forAllSystems = fn: lib.genAttrs systems (system: fn nixpkgs.legacyPackages.${system});

     

       85
       -
           treefmt = forAllSystems (pkgs: treefmt-nix.lib.evalModule pkgs ./nix/treefmt.nix);

     

       86
       -
         in {

     

       87
       -
           lib.x86_64-linux = import ./global/utils.nix {

     

       88
       -
             inherit inputs;

     

       89
       -
             system = "x86_64-linux";

     

       90
       -
           };

     

       0
        
       
     

       91
        
       

     

       92
       -
           packages.x86_64-linux = let

     

       93
       -
             system = "x86_64-linux";

     

       94
       -
           in {

     

       95
       -
             brcmfmac = let

     

       96
       -
               pkgs = import nixpkgs {

     

       97
       -
                 inherit system;

     

       98
       -
                 config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) ["brcm-mac-firmware"];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       99
        
               };

     

       100
       -
             in

     

       101
       -
               pkgs.callPackage ./vendor/brcmfmac {};

     

       102
       -
           };

     

       103
        
       

     

       104
       -
           nixosConfigurations = import systems/default.nix {inherit inputs lib;};

     

       105
        
       

     

       106
       -
           devShells = forAllSystems (pkgs: import ./nix/devshell.nix {inherit pkgs inputs;});

     

       107
        
       

     

       108
       -
           checks = forAllSystems (pkgs:

     

       109
       -
             (import ./nix/checks.nix {inherit pkgs inputs;})

     

       110
       -
             // {

     

       111
       -
               formatting = treefmt.${pkgs.system}.config.build.check self;

     

       112
       -
             });

     

       0
        
       
     

       0
        
       
     

       113
        
       

     

       114
       -
           formatter = forAllSystems (pkgs: treefmt.${pkgs.system}.config.build.wrapper);

     

       115
       -
         };

     

       116
        
       }

···

       67
        
           };

     

       68
        
         };

     

       69
        
       

     

       70
       +
         outputs =

     

       71
       +
           {

     

       72
       +
             self,

     

       73
       +
             nixpkgs,

     

       74
       +
             treefmt-nix,

     

       75
       +
             ...

     

       76
       +
           }@inputs:

     

       77
       +
           let

     

       78
       +
             lib = nixpkgs.lib;

     

       79
        
       

     

       80
       +
             systems = [

     

       81
       +
               "x86_64-linux"

     

       82
       +
               "aarch64-linux"

     

       83
       +
               "x86_64-darwin"

     

       84
       +
               "aarch64-darwin"

     

       85
       +
             ];

     

       86
       +
             forAllSystems = fn: lib.genAttrs systems (system: fn nixpkgs.legacyPackages.${system});

     

       87
       +
             treefmt = forAllSystems (pkgs: treefmt-nix.lib.evalModule pkgs ./nix/treefmt.nix);

     

       88
       +
           in

     

       89
       +
           {

     

       90
       +
             lib.x86_64-linux = import ./global/utils.nix {

     

       91
       +
               inherit inputs;

     

       92
       +
               system = "x86_64-linux";

     

       93
       +
             };

     

       94
        
       

     

       95
       +
             packages.x86_64-linux =

     

       96
       +
               let

     

       97
       +
                 system = "x86_64-linux";

     

       98
       +
               in

     

       99
       +
               {

     

       100
       +
                 brcmfmac =

     

       101
       +
                   let

     

       102
       +
                     pkgs = import nixpkgs {

     

       103
       +
                       inherit system;

     

       104
       +
                       config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "brcm-mac-firmware" ];

     

       105
       +
                     };

     

       106
       +
                   in

     

       107
       +
                   pkgs.callPackage ./vendor/brcmfmac { };

     

       108
        
               };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       109
        
       

     

       110
       +
             nixosConfigurations = import systems/default.nix { inherit inputs lib; };

     

       111
        
       

     

       112
       +
             devShells = forAllSystems (pkgs: import ./nix/devshell.nix { inherit pkgs inputs; });

     

       113
        
       

     

       114
       +
             checks = forAllSystems (

     

       115
       +
               pkgs:

     

       116
       +
               (import ./nix/checks.nix { inherit pkgs inputs; })

     

       117
       +
               // {

     

       118
       +
                 formatting = treefmt.${pkgs.system}.config.build.check self;

     

       119
       +
               }

     

       120
       +
             );

     

       121
        
       

     

       122
       +
             formatter = forAllSystems (pkgs: treefmt.${pkgs.system}.config.build.wrapper);

     

       123
       +
           };

     

       124
        
       }

+2 -1

global/core.nix

···

       2
        
         pkgs,

     

       3
        
         inputs,

     

       4
        
         ...

     

       5
       -
       }: {

     

       0
        
       
     

       6
        
         imports = [

     

       7
        
           ./upgrade-diff.nix

     

       8
        
         ];

···

       2
        
         pkgs,

     

       3
        
         inputs,

     

       4
        
         ...

     

       5
       +
       }:

     

       6
       +
       {

     

       7
        
         imports = [

     

       8
        
           ./upgrade-diff.nix

     

       9
        
         ];

+2 -1

global/default.nix

···

       1
        
       # This is a NixOS module, you cannot use this as a standalone file.

     

       2
        
       # Other files may be though, but things that starts with {...}: most definitely aren't.

     

       3
       -
       {inputs, ...}: {

     

       0
        
       
     

       4
        
         imports = [

     

       5
        
           ./core.nix

     

       6
        
           ./gensokyo

···

       1
        
       # This is a NixOS module, you cannot use this as a standalone file.

     

       2
        
       # Other files may be though, but things that starts with {...}: most definitely aren't.

     

       3
       +
       { inputs, ... }:

     

       4
       +
       {

     

       5
        
         imports = [

     

       6
        
           ./core.nix

     

       7
        
           ./gensokyo

+2 -1

global/gensokyo/default.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./traits.nix

     

       4
        
           ./presets

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./traits.nix

     

       5
        
           ./presets

+25 -21

global/gensokyo/presets/certificates.nix

···

       3
        
         config,

     

       4
        
         lib,

     

       5
        
         ...

     

       6
       -
       }: let

     

       0
        
       
     

       7
        
         secrets = _utils.setupSecrets config {

     

       8
        
           namespace = "lego";

     

       9
       -
           secrets = ["cf_token"];

     

       10
        
         };

     

       11
       -
       in {

     

       12
       -
         config = lib.mkIf config.gensokyo.presets.certificates (lib.mkMerge [

     

       13
       -
           {

     

       14
       -
             security.acme = {

     

       15
       -
               acceptTerms = true;

     

       0
        
       
     

       0
        
       
     

       16
        
       

     

       17
       -
               defaults = {

     

       18
       -
                 # == lego Configuration ==

     

       19
       -
                 # In an ideal world we would have an ed/cv25519 algo here but oh well

     

       20
       -
                 keyType = "ec256"; # Ensure we use ec keys

     

       21
       -
                 credentialFiles.CLOUDFLARE_DNS_API_TOKEN_FILE = secrets.get "cf_token";

     

       22
       -
                 dnsProvider = "cloudflare";

     

       23
        
       

     

       24
       -
                 # == LE Configuration ==

     

       25
       -
                 email = "me@soopy.moe";

     

       26
       -
                 # server = "https://acme-staging-v02.api.letsencrypt.org/directory";

     

       27
       -
                 server = "https://acme-v02.api.letsencrypt.org/directory";

     

       0
        
       
     

       28
        
               };

     

       29
       -
             };

     

       30
       -
           }

     

       31
       -
           secrets.generate

     

       32
       -
         ]);

     

       33
        
       }

···

       3
        
         config,

     

       4
        
         lib,

     

       5
        
         ...

     

       6
       +
       }:

     

       7
       +
       let

     

       8
        
         secrets = _utils.setupSecrets config {

     

       9
        
           namespace = "lego";

     

       10
       +
           secrets = [ "cf_token" ];

     

       11
        
         };

     

       12
       +
       in

     

       13
       +
       {

     

       14
       +
         config = lib.mkIf config.gensokyo.presets.certificates (

     

       15
       +
           lib.mkMerge [

     

       16
       +
             {

     

       17
       +
               security.acme = {

     

       18
       +
                 acceptTerms = true;

     

       19
        
       

     

       20
       +
                 defaults = {

     

       21
       +
                   # == lego Configuration ==

     

       22
       +
                   # In an ideal world we would have an ed/cv25519 algo here but oh well

     

       23
       +
                   keyType = "ec256"; # Ensure we use ec keys

     

       24
       +
                   credentialFiles.CLOUDFLARE_DNS_API_TOKEN_FILE = secrets.get "cf_token";

     

       25
       +
                   dnsProvider = "cloudflare";

     

       26
        
       

     

       27
       +
                   # == LE Configuration ==

     

       28
       +
                   email = "me@soopy.moe";

     

       29
       +
                   # server = "https://acme-staging-v02.api.letsencrypt.org/directory";

     

       30
       +
                   server = "https://acme-v02.api.letsencrypt.org/directory";

     

       31
       +
                 };

     

       32
        
               };

     

       33
       +
             }

     

       34
       +
             secrets.generate

     

       35
       +
           ]

     

       36
       +
         );

     

       37
        
       }

+2 -1

global/gensokyo/presets/default.nix

···

       1
       -
       {lib, ...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./vmetrics.nix

     

       4
        
           ./nginx.nix

···

       1
       +
       { lib, ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./vmetrics.nix

     

       5
        
           ./nginx.nix

+9 -4

global/gensokyo/presets/nginx.nix

···

       3
        
         pkgs,

     

       4
        
         config,

     

       5
        
         ...

     

       6
       -
       }: let

     

       0
        
       
     

       7
        
         presetConf = config.gensokyo.presets;

     

       8
        
       in

     

       9
       -
         lib.mkIf presetConf.nginx (lib.mkMerge [

     

       0
        
       
     

       10
        
           {

     

       11
        
             services.nginx = {

     

       12
        
               enable = lib.mkDefault true;

     
···

       50
        
             services.vmagent.prometheusConfig.scrape_configs = [

     

       51
        
               {

     

       52
        
                 job_name = "nginx";

     

       53
       -
                 static_configs = [{targets = ["localhost:${builtins.toString config.services.prometheus.exporters.nginx.port}"];}];

     

       0
        
       
     

       0
        
       
     

       54
        
                 relabel_configs = [

     

       55
        
                   {

     

       56
        
                     target_label = "instance";

     
···

       60
        
               }

     

       61
        
             ];

     

       62
        
           })

     

       63
       -
         ])

     

       0

···

       3
        
         pkgs,

     

       4
        
         config,

     

       5
        
         ...

     

       6
       +
       }:

     

       7
       +
       let

     

       8
        
         presetConf = config.gensokyo.presets;

     

       9
        
       in

     

       10
       +
       lib.mkIf presetConf.nginx (

     

       11
       +
         lib.mkMerge [

     

       12
        
           {

     

       13
        
             services.nginx = {

     

       14
        
               enable = lib.mkDefault true;

     
···

       52
        
             services.vmagent.prometheusConfig.scrape_configs = [

     

       53
        
               {

     

       54
        
                 job_name = "nginx";

     

       55
       +
                 static_configs = [

     

       56
       +
                   { targets = [ "localhost:${builtins.toString config.services.prometheus.exporters.nginx.port}" ]; }

     

       57
       +
                 ];

     

       58
        
                 relabel_configs = [

     

       59
        
                   {

     

       60
        
                     target_label = "instance";

     
···

       64
        
               }

     

       65
        
             ];

     

       66
        
           })

     

       67
       +
         ]

     

       68
       +
       )

+9 -9

global/gensokyo/presets/secureboot.nix

···

       8
        
       let

     

       9
        
         cfg = config.gensokyo.presets;

     

       10
        
       in

     

       11
       -
         lib.mkIf cfg.secureboot {

     

       12
       -
           environment.systemPackages = [pkgs.sbctl];

     

       13
        
       

     

       14
       -
           # lanzaboote currently replaces systemd-boot, so disable that here.

     

       15
       -
           boot.loader.systemd-boot.enable = lib.mkForce false;

     

       16
       -
           boot.lanzaboote = {

     

       17
       -
             enable = true;

     

       18
       -
             pkiBundle = "/etc/secureboot";

     

       19
       -
           };

     

       20
       -
         }

···

       8
        
       let

     

       9
        
         cfg = config.gensokyo.presets;

     

       10
        
       in

     

       11
       +
       lib.mkIf cfg.secureboot {

     

       12
       +
         environment.systemPackages = [ pkgs.sbctl ];

     

       13
        
       

     

       14
       +
         # lanzaboote currently replaces systemd-boot, so disable that here.

     

       15
       +
         boot.loader.systemd-boot.enable = lib.mkForce false;

     

       16
       +
         boot.lanzaboote = {

     

       17
       +
           enable = true;

     

       18
       +
           pkiBundle = "/etc/secureboot";

     

       19
       +
         };

     

       20
       +
       }

+36 -30

global/gensokyo/presets/vmetrics.nix

···

       4
        
         config,

     

       5
        
         _utils,

     

       6
        
         ...

     

       7
       -
       }: let

     

       0
        
       
     

       8
        
         secrets = _utils.setupSecrets config {

     

       9
        
           namespace = "vmetrics";

     

       10
       -
           secrets = ["auth"];

     

       11
        
         };

     

       12
       -
       in {

     

       0
        
       
     

       13
        
         # inb4 this causes conflicts

     

       14
       -
         config = lib.mkIf config.gensokyo.presets.vmetrics (lib.mkMerge [

     

       15
       -
           {

     

       16
       -
             services.prometheus.exporters.node.enable = true;

     

       17
       -
             services.vmagent.enable = true;

     

       18
       -
             services.vmagent.remoteWrite.url = "https://panopticon.soopy.moe/api/v1/write";

     

       19
       -
             services.vmagent.extraArgs = ["-remoteWrite.bearerTokenFile=%d/auth_token"];

     

       20
       -
             services.vmagent.prometheusConfig = {

     

       21
       -
               global.scrape_interval = "30s";

     

       0
        
       
     

       22
        
       

     

       23
       -
               scrape_configs = [

     

       24
       -
                 {

     

       25
       -
                   job_name = "node";

     

       26
       -
                   static_configs = [{targets = ["localhost:${builtins.toString config.services.prometheus.exporters.node.port}"];}];

     

       27
       -
                   relabel_configs = [

     

       28
       -
                     {

     

       29
       -
                       target_label = "instance";

     

       30
       -
                       replacement = "${hostname}.d.soopy.moe";

     

       31
       -
                     }

     

       32
       -
                   ];

     

       33
       -
                 }

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       34
        
               ];

     

       35
       -
             };

     

       36
       -
       

     

       37
       -
             systemd.services.vmagent.serviceConfig.LoadCredential = [

     

       38
       -
               "auth_token:${secrets.get "auth"}"

     

       39
       -
             ];

     

       40
       -
           }

     

       41
        
       

     

       42
       -
           secrets.generate

     

       43
       -
         ]);

     

       0
        
       
     

       44
        
       }

···

       4
        
         config,

     

       5
        
         _utils,

     

       6
        
         ...

     

       7
       +
       }:

     

       8
       +
       let

     

       9
        
         secrets = _utils.setupSecrets config {

     

       10
        
           namespace = "vmetrics";

     

       11
       +
           secrets = [ "auth" ];

     

       12
        
         };

     

       13
       +
       in

     

       14
       +
       {

     

       15
        
         # inb4 this causes conflicts

     

       16
       +
         config = lib.mkIf config.gensokyo.presets.vmetrics (

     

       17
       +
           lib.mkMerge [

     

       18
       +
             {

     

       19
       +
               services.prometheus.exporters.node.enable = true;

     

       20
       +
               services.vmagent.enable = true;

     

       21
       +
               services.vmagent.remoteWrite.url = "https://panopticon.soopy.moe/api/v1/write";

     

       22
       +
               services.vmagent.extraArgs = [ "-remoteWrite.bearerTokenFile=%d/auth_token" ];

     

       23
       +
               services.vmagent.prometheusConfig = {

     

       24
       +
                 global.scrape_interval = "30s";

     

       25
        
       

     

       26
       +
                 scrape_configs = [

     

       27
       +
                   {

     

       28
       +
                     job_name = "node";

     

       29
       +
                     static_configs = [

     

       30
       +
                       { targets = [ "localhost:${builtins.toString config.services.prometheus.exporters.node.port}" ]; }

     

       31
       +
                     ];

     

       32
       +
                     relabel_configs = [

     

       33
       +
                       {

     

       34
       +
                         target_label = "instance";

     

       35
       +
                         replacement = "${hostname}.d.soopy.moe";

     

       36
       +
                       }

     

       37
       +
                     ];

     

       38
       +
                   }

     

       39
       +
                 ];

     

       40
       +
               };

     

       41
       +
       

     

       42
       +
               systemd.services.vmagent.serviceConfig.LoadCredential = [

     

       43
       +
                 "auth_token:${secrets.get "auth"}"

     

       44
        
               ];

     

       45
       +
             }

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       46
        
       

     

       47
       +
             secrets.generate

     

       48
       +
           ]

     

       49
       +
         );

     

       50
        
       }

+2 -1

global/gensokyo/traits.nix

···

       1
       -
       {lib, ...}: {

     

       0
        
       
     

       2
        
         options.gensokyo.traits = {

     

       3
        
           sensitive = lib.mkEnableOption "or selectively disable options specific to security-sensitive systems";

     

       4
        
           gui = lib.mkEnableOption "graphical programs, related packages and modules";

···

       1
       +
       { lib, ... }:

     

       2
       +
       {

     

       3
        
         options.gensokyo.traits = {

     

       4
        
           sensitive = lib.mkEnableOption "or selectively disable options specific to security-sensitive systems";

     

       5
        
           gui = lib.mkEnableOption "graphical programs, related packages and modules";

+2 -1

global/gui/default.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./power.nix

     

       4
        
           ./hardware.nix

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./power.nix

     

       5
        
           ./hardware.nix

+1 -1

global/gui/locale.nix

···

       4
        
         ...

     

       5
        
       }:

     

       6
        
       lib.mkIf config.gensokyo.traits.gui {

     

       7
       -
         i18n.supportedLocales = ["all"];

     

       8
        
       }

···

       4
        
         ...

     

       5
        
       }:

     

       6
        
       lib.mkIf config.gensokyo.traits.gui {

     

       7
       +
         i18n.supportedLocales = [ "all" ];

     

       8
        
       }

+11 -6

global/gui/power.nix

···

       13
        
           killUserProcesses = false;

     

       14
        
         };

     

       15
        
       

     

       16
       -
         systemd.targets = lib.genAttrs [

     

       17
       -
           "sleep"

     

       18
       -
           "suspend"

     

       19
       -
           "hibernate"

     

       20
       -
           "hybrid-sleep"

     

       21
       -
         ] (_: {enable = false;});

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       22
        
       }

···

       13
        
           killUserProcesses = false;

     

       14
        
         };

     

       15
        
       

     

       16
       +
         systemd.targets =

     

       17
       +
           lib.genAttrs

     

       18
       +
             [

     

       19
       +
               "sleep"

     

       20
       +
               "suspend"

     

       21
       +
               "hibernate"

     

       22
       +
               "hybrid-sleep"

     

       23
       +
             ]

     

       24
       +
             (_: {

     

       25
       +
               enable = false;

     

       26
       +
             });

     

       27
        
       }

+2 -1

global/home.nix

···

       2
        
         config,

     

       3
        
         inputs,

     

       4
        
         ...

     

       5
       -
       }: {

     

       0
        
       
     

       6
        
         home-manager = {

     

       7
        
           useGlobalPkgs = true;

     

       8
        
           useUserPackages = true;

···

       2
        
         config,

     

       3
        
         inputs,

     

       4
        
         ...

     

       5
       +
       }:

     

       6
       +
       {

     

       7
        
         home-manager = {

     

       8
        
           useGlobalPkgs = true;

     

       9
        
           useUserPackages = true;

+2 -1

global/programs/compat.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         programs.nix-ld.enable = true;

     

       3
        
       }

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         programs.nix-ld.enable = true;

     

       4
        
       }

+2 -1

global/programs/default.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./nix

     

       4

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./nix

     

       5

+2 -1

global/programs/editors.nix

···

       1
       -
       {pkgs, ...}: {

     

       0
        
       
     

       2
        
         programs.neovim = {

     

       3
        
           enable = true;

     

       4
        
           defaultEditor = false;

···

       1
       +
       { pkgs, ... }:

     

       2
       +
       {

     

       3
        
         programs.neovim = {

     

       4
        
           enable = true;

     

       5
        
           defaultEditor = false;

+2 -1

global/programs/misc.nix

···

       1
       -
       {pkgs, ...}: {

     

       0
        
       
     

       2
        
         # Miscellaneous packages that do not have an option.

     

       3
        
         # It is recommended to use packages.<package>.enable when possible.

     

       4

···

       1
       +
       { pkgs, ... }:

     

       2
       +
       {

     

       3
        
         # Miscellaneous packages that do not have an option.

     

       4
        
         # It is recommended to use packages.<package>.enable when possible.

     

       5

+2 -1

global/programs/multiplexers.nix

···

       1
       -
       {pkgs, ...}: {

     

       0
        
       
     

       2
        
         programs.tmux = {

     

       3
        
           enable = true;

     

       4
        
           newSession = true;

···

       1
       +
       { pkgs, ... }:

     

       2
       +
       {

     

       3
        
         programs.tmux = {

     

       4
        
           enable = true;

     

       5
        
           newSession = true;

+1 -1

global/programs/networking.nix

···

       41
        
       

     

       42
        
         {

     

       43
        
           networking.hosts = {

     

       44
       -
             "62.176.231.184" = ["codeberg.org"];

     

       45
        
           };

     

       46
        
         }

     

       47
        
       ]

···

       41
        
       

     

       42
        
         {

     

       43
        
           networking.hosts = {

     

       44
       +
             "62.176.231.184" = [ "codeberg.org" ];

     

       45
        
           };

     

       46
        
         }

     

       47
        
       ]

+3 -2

global/programs/nix/config.nix

···

       51
        
             {

     

       52
        
               n.flake = inputs.nixpkgs;

     

       53
        
             }

     

       54
       -
             // (builtins.mapAttrs (_: flake: {inherit flake;})

     

       55
       -
               (lib.filterAttrs (n: _: n != "nixpkgs") inputs));

     

       0
        
       
     

       56
        
       

     

       57
        
           # nix-index[-database]

     

       58
        
           programs.nix-index.enable = true;

···

       51
        
             {

     

       52
        
               n.flake = inputs.nixpkgs;

     

       53
        
             }

     

       54
       +
             // (builtins.mapAttrs (_: flake: { inherit flake; }) (

     

       55
       +
               lib.filterAttrs (n: _: n != "nixpkgs") inputs

     

       56
       +
             ));

     

       57
        
       

     

       58
        
           # nix-index[-database]

     

       59
        
           programs.nix-index.enable = true;

+2 -1

global/programs/nix/default.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./config.nix

     

       4
        
           ./dist-builds.nix

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./config.nix

     

       5
        
           ./dist-builds.nix

+22 -11

global/programs/nix/dist-builds.nix

···

       5
        
         config,

     

       6
        
         hostname,

     

       7
        
         ...

     

       8
       -
       }: let

     

       0
        
       
     

       9
        
         baselineFeatures = [

     

       10
        
           "big-parallel"

     

       11
        
           "ca-derivations"

     

       12
        
         ];

     

       13
        
       

     

       14
       -
         mkBuildMachines = attr: let

     

       15
       -
           cleanAttr = builtins.removeAttrs attr [hostname];

     

       16
       -
         in

     

       17
       -
           lib.mapAttrsToList (name: value:

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       18
        
             {

     

       19
        
               hostName = name + ".mist-nessie.ts.net";

     

       20
        
       

     
···

       26
        
               maxJobs = 2;

     

       27
        
               supportedFeatures = baselineFeatures;

     

       28
        
       

     

       29
       -
               systems = ["i686-linux" "x86_64-linux"];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       30
        
             }

     

       31
       -
             // value)

     

       32
       -
           cleanAttr;

     

       33
       -
       in {

     

       0
        
       
     

       34
        
         sops.secrets.builder_key = {

     

       35
        
           sopsFile = inputs.self + "/creds/sops/global/id_builder";

     

       36
        
           format = "binary";

     
···

       40
        
         nix.settings.builders-use-substitutes = true;

     

       41
        
         nix.buildMachines = mkBuildMachines {

     

       42
        
           renko = {

     

       43
       -
             supportedFeatures = baselineFeatures ++ ["kvm" "nixos-test"];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       44
        
             speedFactor = 5;

     

       45
        
             publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUoreGNleXA4YnRVNnd0dThpRUFKMkZ4cm5rZlBsS1M3TWFJL2xLT0ZuUDEgcm9vdEByZW5rbwo=";

     

       46
        
           };

     

       47
        
           nijika = {

     

       48
       -
             systems = ["aarch64-linux"];

     

       49
        
             publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSVBsWGZ5MnMxejRIQ05oem92Rk55UzBhcCtyMEF2ZzAzNDlKeFFjMW0xaFEK";

     

       50
        
           };

     

       51
        
         };

···

       5
        
         config,

     

       6
        
         hostname,

     

       7
        
         ...

     

       8
       +
       }:

     

       9
       +
       let

     

       10
        
         baselineFeatures = [

     

       11
        
           "big-parallel"

     

       12
        
           "ca-derivations"

     

       13
        
         ];

     

       14
        
       

     

       15
       +
         mkBuildMachines =

     

       16
       +
           attr:

     

       17
       +
           let

     

       18
       +
             cleanAttr = builtins.removeAttrs attr [ hostname ];

     

       19
       +
           in

     

       20
       +
           lib.mapAttrsToList (

     

       21
       +
             name: value:

     

       22
        
             {

     

       23
        
               hostName = name + ".mist-nessie.ts.net";

     

       24
        
       

     
···

       30
        
               maxJobs = 2;

     

       31
        
               supportedFeatures = baselineFeatures;

     

       32
        
       

     

       33
       +
               systems = [

     

       34
       +
                 "i686-linux"

     

       35
       +
                 "x86_64-linux"

     

       36
       +
               ];

     

       37
        
             }

     

       38
       +
             // value

     

       39
       +
           ) cleanAttr;

     

       40
       +
       in

     

       41
       +
       {

     

       42
        
         sops.secrets.builder_key = {

     

       43
        
           sopsFile = inputs.self + "/creds/sops/global/id_builder";

     

       44
        
           format = "binary";

     
···

       48
        
         nix.settings.builders-use-substitutes = true;

     

       49
        
         nix.buildMachines = mkBuildMachines {

     

       50
        
           renko = {

     

       51
       +
             supportedFeatures = baselineFeatures ++ [

     

       52
       +
               "kvm"

     

       53
       +
               "nixos-test"

     

       54
       +
             ];

     

       55
        
             speedFactor = 5;

     

       56
        
             publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUoreGNleXA4YnRVNnd0dThpRUFKMkZ4cm5rZlBsS1M3TWFJL2xLT0ZuUDEgcm9vdEByZW5rbwo=";

     

       57
        
           };

     

       58
        
           nijika = {

     

       59
       +
             systems = [ "aarch64-linux" ];

     

       60
        
             publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSVBsWGZ5MnMxejRIQ05oem92Rk55UzBhcCtyMEF2ZzAzNDlKeFFjMW0xaFEK";

     

       61
        
           };

     

       62
        
         };

+2 -1

global/programs/scm.nix

···

       1
       -
       {pkgs, ...}: {

     

       0
        
       
     

       2
        
         programs.git = {

     

       3
        
           enable = true;

     

       4
        
           config = {

···

       1
       +
       { pkgs, ... }:

     

       2
       +
       {

     

       3
        
         programs.git = {

     

       4
        
           enable = true;

     

       5
        
           config = {

+2 -1

global/programs/security/crypto.nix

···

       1
        
       # crypto stands for cryptography, not cryptocurrency

     

       2
       -
       {pkgs, ...}: {

     

       0
        
       
     

       3
        
         environment.systemPackages = with pkgs; [

     

       4
        
           gnupg

     

       5
        
           pinentry

···

       1
        
       # crypto stands for cryptography, not cryptocurrency

     

       2
       +
       { pkgs, ... }:

     

       3
       +
       {

     

       4
        
         environment.systemPackages = with pkgs; [

     

       5
        
           gnupg

     

       6
        
           pinentry

+2 -1

global/programs/security/default.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./crypto.nix

     

       4
        
           ./sudo.nix

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./crypto.nix

     

       5
        
           ./sudo.nix

+2 -1

global/programs/security/firewall.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./ip-bans.nix

     

       4
        
         ];

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./ip-bans.nix

     

       5
        
         ];

+12 -4

global/programs/security/ip-bans.nix

···

       1
       -
       {lib, ...}: let

     

       0
        
       
     

       2
        
         banned = {

     

       3
        
           ip = [

     

       4
        
             "156.229.232.142" # added 2025-04-10: minecraft server scanner with 30m intervals

     

       5
        
           ];

     

       6
       -
           ip6 = [];

     

       7
        
         };

     

       8
       -
       in {

     

       9
       -
         networking.firewall.extraCommands = builtins.concatStringsSep "\n" (lib.flatten (lib.mapAttrsToList (family: ips: builtins.map (ip: "${family}tables -w -I INPUT -s ${ip} -j DROP") ips) banned));

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       10
        
       }

···

       1
       +
       { lib, ... }:

     

       2
       +
       let

     

       3
        
         banned = {

     

       4
        
           ip = [

     

       5
        
             "156.229.232.142" # added 2025-04-10: minecraft server scanner with 30m intervals

     

       6
        
           ];

     

       7
       +
           ip6 = [ ];

     

       8
        
         };

     

       9
       +
       in

     

       10
       +
       {

     

       11
       +
         networking.firewall.extraCommands = builtins.concatStringsSep "\n" (

     

       12
       +
           lib.flatten (

     

       13
       +
             lib.mapAttrsToList (

     

       14
       +
               family: ips: builtins.map (ip: "${family}tables -w -I INPUT -s ${ip} -j DROP") ips

     

       15
       +
             ) banned

     

       16
       +
           )

     

       17
       +
         );

     

       18
        
       }

+3 -2

global/programs/security/sudo.nix

···

       1
       -
       {pkgs, ...}: {

     

       0
        
       
     

       2
        
         security.sudo.extraConfig = ''

     

       3
        
           Defaults insults

     

       4
        
         '';

     

       5
       -
         security.sudo.package = pkgs.sudo.override {withInsults = true;};

     

       6
        
       }

···

       1
       +
       { pkgs, ... }:

     

       2
       +
       {

     

       3
        
         security.sudo.extraConfig = ''

     

       4
        
           Defaults insults

     

       5
        
         '';

     

       6
       +
         security.sudo.package = pkgs.sudo.override { withInsults = true; };

     

       7
        
       }

+2 -1

global/programs/shells.nix

···

       1
       -
       {pkgs, ...}: {

     

       0
        
       
     

       2
        
         users.defaultUserShell = pkgs.zsh;

     

       3
        
         programs.zsh = {

     

       4
        
           enable = true;

···

       1
       +
       { pkgs, ... }:

     

       2
       +
       {

     

       3
        
         users.defaultUserShell = pkgs.zsh;

     

       4
        
         programs.zsh = {

     

       5
        
           enable = true;

+8 -3

global/programs/ssh.nix

···

       1
       -
       {config, ...}: let

     

       0
        
       
     

       2
        
         nixos = config.system.nixos;

     

       3
       -
       in {

     

       0
        
       
     

       4
        
         # Enable the OpenSSH daemon.

     

       5
        
         services.openssh = {

     

       6
        
           enable = true;

     
···

       30
        
       

     

       31
        
         programs.ssh = {

     

       32
        
           startAgent = true;

     

       33
       -
           pubkeyAcceptedKeyTypes = ["ssh-ed25519" "sk-ssh-ed25519@openssh.com"];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       34
        
           # enableAskPassword = true;

     

       35
        
       

     

       36
        
           extraConfig = ''

···

       1
       +
       { config, ... }:

     

       2
       +
       let

     

       3
        
         nixos = config.system.nixos;

     

       4
       +
       in

     

       5
       +
       {

     

       6
        
         # Enable the OpenSSH daemon.

     

       7
        
         services.openssh = {

     

       8
        
           enable = true;

     
···

       32
        
       

     

       33
        
         programs.ssh = {

     

       34
        
           startAgent = true;

     

       35
       +
           pubkeyAcceptedKeyTypes = [

     

       36
       +
             "ssh-ed25519"

     

       37
       +
             "sk-ssh-ed25519@openssh.com"

     

       38
       +
           ];

     

       39
        
           # enableAskPassword = true;

     

       40
        
       

     

       41
        
           extraConfig = ''

+5 -3

global/programs/system-manager/default.nix

···

       3
        
         config,

     

       4
        
         lib,

     

       5
        
         ...

     

       6
       -
       }: let

     

       0
        
       
     

       7
        
         types = lib.types;

     

       8
        
         cfg = config.gensokyo.system-manager;

     

       9
       -
       in {

     

       0
        
       
     

       10
        
         options.gensokyo.system-manager = {

     

       11
        
           enable = lib.mkEnableOption "a shortcut to manage the system no matter where you are (in the system)";

     

       12
        
           flakeLocation = lib.mkOption {

     
···

       17
        
       

     

       18
        
         config = lib.mkIf cfg.enable {

     

       19
        
           environment.systemPackages = [

     

       20
       -
             (pkgs.callPackage ./package.nix {inherit (cfg) flakeLocation;})

     

       21
        
           ];

     

       22
        
         };

     

       23
        
       }

···

       3
        
         config,

     

       4
        
         lib,

     

       5
        
         ...

     

       6
       +
       }:

     

       7
       +
       let

     

       8
        
         types = lib.types;

     

       9
        
         cfg = config.gensokyo.system-manager;

     

       10
       +
       in

     

       11
       +
       {

     

       12
        
         options.gensokyo.system-manager = {

     

       13
        
           enable = lib.mkEnableOption "a shortcut to manage the system no matter where you are (in the system)";

     

       14
        
           flakeLocation = lib.mkOption {

     
···

       19
        
       

     

       20
        
         config = lib.mkIf cfg.enable {

     

       21
        
           environment.systemPackages = [

     

       22
       +
             (pkgs.callPackage ./package.nix { inherit (cfg) flakeLocation; })

     

       23
        
           ];

     

       24
        
         };

     

       25
        
       }

+1 -1

global/programs/system-manager/package.nix

···

       8
        
         meta = {

     

       9
        
           description = "A shortcut to run `just` in the local system flake directory.";

     

       10
        
           license = lib.licenses.cc0;

     

       11
       -
           maintainers = with lib.maintainers; [soopyc];

     

       12
        
         };

     

       13
        
       

     

       14
        
         # we could make this more robust by not using `just` and (hardcode?) commands in, but this is by far the easiest

···

       8
        
         meta = {

     

       9
        
           description = "A shortcut to run `just` in the local system flake directory.";

     

       10
        
           license = lib.licenses.cc0;

     

       11
       +
           maintainers = with lib.maintainers; [ soopyc ];

     

       12
        
         };

     

       13
        
       

     

       14
        
         # we could make this more robust by not using `just` and (hardcode?) commands in, but this is by far the easiest

+3 -2

global/sops.nix

···

       2
        
         hostname,

     

       3
        
         inputs,

     

       4
        
         ...

     

       5
       -
       }: {

     

       6
       -
         sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];

     

       0
        
       
     

       7
        
         sops.defaultSopsFile = "${inputs.self}/creds/sops/${hostname}/default.yaml";

     

       8
        
       }

···

       2
        
         hostname,

     

       3
        
         inputs,

     

       4
        
         ...

     

       5
       +
       }:

     

       6
       +
       {

     

       7
       +
         sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

     

       8
        
         sops.defaultSopsFile = "${inputs.self}/creds/sops/${hostname}/default.yaml";

     

       9
        
       }

+2 -1

global/upgrade-diff.nix

···

       3
        
         lib,

     

       4
        
         pkgs,

     

       5
        
         ...

     

       6
       -
       }: {

     

       0
        
       
     

       7
        
         system.activationScripts.diff = {

     

       8
        
           supportsDryActivation = true;

     

       9
        
           text = ''

···

       3
        
         lib,

     

       4
        
         pkgs,

     

       5
        
         ...

     

       6
       +
       }:

     

       7
       +
       {

     

       8
        
         system.activationScripts.diff = {

     

       9
        
           supportsDryActivation = true;

     

       10
        
           text = ''

+81 -55

global/utils.nix

···

       7
        
         inputs,

     

       8
        
         system,

     

       9
        
         ...

     

       10
       -
       }: let

     

       0
        
       
     

       11
        
         pkgs = inputs.nixpkgs.legacyPackages.${system};

     

       12
        
         lib = pkgs.lib;

     

       13
       -
       in rec {

     

       14
       -
         mkVhost = opts:

     

       0
        
       
     

       0
        
       
     

       15
        
           lib.mkMerge [

     

       16
        
             {

     

       17
        
               forceSSL = lib.mkDefault true;

     
···

       44
        
             opts

     

       45
        
           ];

     

       46
        
       

     

       47
       -
         mkSimpleProxy = {

     

       48
       -
           protocol ? "http",

     

       49
       -
           host ? "localhost",

     

       50
       -
           port ? null,

     

       51
       -
           socketPath ? null,

     

       52
       -
           location ? "/",

     

       53
       -
           websockets ? false,

     

       54
       -
           extraConfig ? {},

     

       55
       -
         }:

     

       56
       -
           assert lib.assertMsg (port != null || socketPath != null) "one of port or socketPath must be specified";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       57
        
           # i dislike logic gates

     

       58
       -
           assert lib.assertMsg (!(port != null && socketPath != null)) "only one of port or socketPath may be specified at the same time";

     

       59
       -
           assert lib.assertMsg (socketPath != null -> host == "localhost") "setting host has no effect when socketPath is set";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       60
        
           assert lib.assertMsg (port != null -> builtins.isInt port) "port must be an integer if specified";

     

       61
       -
             mkVhost (lib.mkMerge [

     

       0
        
       
     

       62
        
               extraConfig

     

       63
        
               {

     

       64
        
                 locations."${location}" = {

     

       65
        
                   proxyPass =

     

       66
        
                     "${protocol}://"

     

       67
       -
                     + (

     

       68
       -
                       if (socketPath == null)

     

       69
       -
                       then "${host}:${builtins.toString port}"

     

       70
       -
                       else "unix:${socketPath}"

     

       71
       -
                     );

     

       72
        
                   proxyWebsockets = websockets;

     

       73
        
                 };

     

       74
        
               }

     

       75
       -
             ]);

     

       0
        
       
     

       76
        
       

     

       77
       -
         setupSecrets = _config: {

     

       78
       -
           namespace ? (lib.warn "secret namespace left as default, which is empty. it is encouraged to set a namespace for easier secret management. to override, explicitly set this to an empty value." ""),

     

       79
       -
           secrets,

     

       80
       -
           config ? {},

     

       81
       -
         }: let

     

       82
       -
           _r_ns = namespace + lib.optionalString (lib.stringLength namespace != 0) "/";

     

       83
       -
           check = path:

     

       84
       -
             assert lib.assertMsg (lib.elem path secrets)

     

       85
       -
             "secret path `${path}` is not defined in namespace `${namespace}`. (resolved to: ${_r_ns namespace}/${path})"; path;

     

       86
       -
           getRealPath = path: _r_ns + check path;

     

       87
       -
         in

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       88
        
           builtins.addErrorContext "while setting up secrets with namespace ${namespace}" {

     

       89
       -
             generate = {sops.secrets = genSecrets namespace secrets config;}; # i love trolling

     

       0
        
       
     

       0
        
       
     

       90
        
             get = path: _config.sops.secrets.${getRealPath path}.path;

     

       91
        
       

     

       92
        
             placeholder = path: _config.sops.placeholder.${getRealPath path};

     

       93
        
             getTemplate = file: _config.sops.templates.${file}.path;

     

       94
       -
             mkTemplate = file: content:

     

       0
        
       
     

       95
        
               builtins.addErrorContext "while generating sops template ${file}" {

     

       96
       -
                 sops.templates.${file} =

     

       97
       -
                   {inherit content;} // (builtins.removeAttrs config ["content"]);

     

       0
        
       
     

       98
        
                 # // (lib.optionalAttrs (builtins.hasAttr "owner" config) {inherit (config) owner;})

     

       99
        
                 # // (lib.optionalAttrs (builtins.hasAttr "group" config) {inherit (config) group;});

     

       100
        
               };

     

       101
        
           };

     

       102
        
       

     

       103
       -
         genSecrets = namespace: files: value:

     

       104
       -
           lib.genAttrs (

     

       105
       -
             map (x: namespace + lib.optionalString (lib.stringLength namespace != 0) "/" + x) files

     

       106
       -
           ) (_: value);

     

       0
        
       
     

       107
        
       

     

       108
       -
         mkNginxFile = {

     

       109
       -
           filename ? "index.html",

     

       110
       -
           content,

     

       111
       -
         }:

     

       0
        
       
     

       112
        
           builtins.addErrorContext "while creating a static nginx file ${filename}" (

     

       113
        
             let

     

       114
       -
               contentDir = assert lib.assertMsg (builtins.typeOf content == "string")

     

       115
       -
               "content must be a string, got `${builtins.typeOf content}`";

     

       0
        
       
     

       0
        
       
     

       116
        
                 builtins.toString (pkgs.writeTextDir filename content) + "/";

     

       117
       -
             in {

     

       0
        
       
     

       118
        
               alias = contentDir;

     

       119
        
               tryFiles = "${filename} =500"; # if it can't find the file something has gone wrong.

     

       120
        
             }

     

       121
        
           );

     

       122
        
       

     

       123
       -
         mkNginxJSON = filename: attrset:

     

       0
        
       
     

       124
        
           builtins.addErrorContext "while creating a static nginx JSON file ${filename}" (

     

       125
       -
             assert lib.assertMsg (builtins.typeOf attrset == "set")

     

       126
       -
             "expected argument type `set`, got `${builtins.typeOf attrset}` instead.";

     

       127
       -
               mkNginxFile {

     

       128
       -
                 inherit filename;

     

       129
       -
                 content = builtins.toJSON attrset;

     

       130
       -
               }

     

       0
        
       
     

       131
        
           );

     

       132
        
       }

···

       7
        
         inputs,

     

       8
        
         system,

     

       9
        
         ...

     

       10
       +
       }:

     

       11
       +
       let

     

       12
        
         pkgs = inputs.nixpkgs.legacyPackages.${system};

     

       13
        
         lib = pkgs.lib;

     

       14
       +
       in

     

       15
       +
       rec {

     

       16
       +
         mkVhost =

     

       17
       +
           opts:

     

       18
        
           lib.mkMerge [

     

       19
        
             {

     

       20
        
               forceSSL = lib.mkDefault true;

     
···

       47
        
             opts

     

       48
        
           ];

     

       49
        
       

     

       50
       +
         mkSimpleProxy =

     

       51
       +
           {

     

       52
       +
             protocol ? "http",

     

       53
       +
             host ? "localhost",

     

       54
       +
             port ? null,

     

       55
       +
             socketPath ? null,

     

       56
       +
             location ? "/",

     

       57
       +
             websockets ? false,

     

       58
       +
             extraConfig ? { },

     

       59
       +
           }:

     

       60
       +
           assert lib.assertMsg (

     

       61
       +
             port != null || socketPath != null

     

       62
       +
           ) "one of port or socketPath must be specified";

     

       63
        
           # i dislike logic gates

     

       64
       +
           assert lib.assertMsg (

     

       65
       +
             !(port != null && socketPath != null)

     

       66
       +
           ) "only one of port or socketPath may be specified at the same time";

     

       67
       +
           assert lib.assertMsg (

     

       68
       +
             socketPath != null -> host == "localhost"

     

       69
       +
           ) "setting host has no effect when socketPath is set";

     

       70
        
           assert lib.assertMsg (port != null -> builtins.isInt port) "port must be an integer if specified";

     

       71
       +
           mkVhost (

     

       72
       +
             lib.mkMerge [

     

       73
        
               extraConfig

     

       74
        
               {

     

       75
        
                 locations."${location}" = {

     

       76
        
                   proxyPass =

     

       77
        
                     "${protocol}://"

     

       78
       +
                     + (if (socketPath == null) then "${host}:${builtins.toString port}" else "unix:${socketPath}");

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       79
        
                   proxyWebsockets = websockets;

     

       80
        
                 };

     

       81
        
               }

     

       82
       +
             ]

     

       83
       +
           );

     

       84
        
       

     

       85
       +
         setupSecrets =

     

       86
       +
           _config:

     

       87
       +
           {

     

       88
       +
             namespace ? (

     

       89
       +
               lib.warn "secret namespace left as default, which is empty. it is encouraged to set a namespace for easier secret management. to override, explicitly set this to an empty value." ""

     

       90
       +
             ),

     

       91
       +
             secrets,

     

       92
       +
             config ? { },

     

       93
       +
           }:

     

       94
       +
           let

     

       95
       +
             _r_ns = namespace + lib.optionalString (lib.stringLength namespace != 0) "/";

     

       96
       +
             check =

     

       97
       +
               path:

     

       98
       +
               assert lib.assertMsg (lib.elem path secrets)

     

       99
       +
                 "secret path `${path}` is not defined in namespace `${namespace}`. (resolved to: ${_r_ns namespace}/${path})";

     

       100
       +
               path;

     

       101
       +
             getRealPath = path: _r_ns + check path;

     

       102
       +
           in

     

       103
        
           builtins.addErrorContext "while setting up secrets with namespace ${namespace}" {

     

       104
       +
             generate = {

     

       105
       +
               sops.secrets = genSecrets namespace secrets config;

     

       106
       +
             }; # i love trolling

     

       107
        
             get = path: _config.sops.secrets.${getRealPath path}.path;

     

       108
        
       

     

       109
        
             placeholder = path: _config.sops.placeholder.${getRealPath path};

     

       110
        
             getTemplate = file: _config.sops.templates.${file}.path;

     

       111
       +
             mkTemplate =

     

       112
       +
               file: content:

     

       113
        
               builtins.addErrorContext "while generating sops template ${file}" {

     

       114
       +
                 sops.templates.${file} = {

     

       115
       +
                   inherit content;

     

       116
       +
                 } // (builtins.removeAttrs config [ "content" ]);

     

       117
        
                 # // (lib.optionalAttrs (builtins.hasAttr "owner" config) {inherit (config) owner;})

     

       118
        
                 # // (lib.optionalAttrs (builtins.hasAttr "group" config) {inherit (config) group;});

     

       119
        
               };

     

       120
        
           };

     

       121
        
       

     

       122
       +
         genSecrets =

     

       123
       +
           namespace: files: value:

     

       124
       +
           lib.genAttrs (map (

     

       125
       +
             x: namespace + lib.optionalString (lib.stringLength namespace != 0) "/" + x

     

       126
       +
           ) files) (_: value);

     

       127
        
       

     

       128
       +
         mkNginxFile =

     

       129
       +
           {

     

       130
       +
             filename ? "index.html",

     

       131
       +
             content,

     

       132
       +
           }:

     

       133
        
           builtins.addErrorContext "while creating a static nginx file ${filename}" (

     

       134
        
             let

     

       135
       +
               contentDir =

     

       136
       +
                 assert lib.assertMsg (

     

       137
       +
                   builtins.typeOf content == "string"

     

       138
       +
                 ) "content must be a string, got `${builtins.typeOf content}`";

     

       139
        
                 builtins.toString (pkgs.writeTextDir filename content) + "/";

     

       140
       +
             in

     

       141
       +
             {

     

       142
        
               alias = contentDir;

     

       143
        
               tryFiles = "${filename} =500"; # if it can't find the file something has gone wrong.

     

       144
        
             }

     

       145
        
           );

     

       146
        
       

     

       147
       +
         mkNginxJSON =

     

       148
       +
           filename: attrset:

     

       149
        
           builtins.addErrorContext "while creating a static nginx JSON file ${filename}" (

     

       150
       +
             assert lib.assertMsg (

     

       151
       +
               builtins.typeOf attrset == "set"

     

       152
       +
             ) "expected argument type `set`, got `${builtins.typeOf attrset}` instead.";

     

       153
       +
             mkNginxFile {

     

       154
       +
               inherit filename;

     

       155
       +
               content = builtins.toJSON attrset;

     

       156
       +
             }

     

       157
        
           );

     

       158
        
       }

+3 -2

nix/checks.nix

···

       1
        
       {

     

       2
        
         inputs,

     

       3
        
         pkgs,

     

       4
       -
       }: {

     

       0
        
       
     

       5
        
         deadcode = pkgs.stdenvNoCC.mkDerivation {

     

       6
        
           name = "deadcode_check";

     

       7
        
           src = inputs.self;

     

       8
        
           dontPatch = true;

     

       9
        
           dontConfigure = true;

     

       10
        
       

     

       11
       -
           buildInputs = with pkgs; [deadnix];

     

       12
        
           buildPhase = ''

     

       13
        
             set -euo pipefail

     

       14

···

       1
        
       {

     

       2
        
         inputs,

     

       3
        
         pkgs,

     

       4
       +
       }:

     

       5
       +
       {

     

       6
        
         deadcode = pkgs.stdenvNoCC.mkDerivation {

     

       7
        
           name = "deadcode_check";

     

       8
        
           src = inputs.self;

     

       9
        
           dontPatch = true;

     

       10
        
           dontConfigure = true;

     

       11
        
       

     

       12
       +
           buildInputs = with pkgs; [ deadnix ];

     

       13
        
           buildPhase = ''

     

       14
        
             set -euo pipefail

     

       15

+2 -1

nix/devshell.nix

···

       1
       -
       {pkgs, ...}: {

     

       0
        
       
     

       2
        
         default = pkgs.mkShellNoCC {

     

       3
        
           packages = [

     

       4
        
             pkgs.nixos-rebuild

···

       1
       +
       { pkgs, ... }:

     

       2
       +
       {

     

       3
        
         default = pkgs.mkShellNoCC {

     

       4
        
           packages = [

     

       5
        
             pkgs.nixos-rebuild

+3 -2

nix/treefmt.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         projectRootFile = "flake.nix";

     

       3
       -
         programs.alejandra.enable = true;

     

       4
        
       }

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         projectRootFile = "flake.nix";

     

       4
       +
         programs.nixfmt.enable = true;

     

       5
        
       }

+8 -5

systems/default.nix

···

       2
        
         lib,

     

       3
        
         inputs,

     

       4
        
         ...

     

       5
       -
       }: let

     

       0
        
       
     

       6
        
         utils = import ../global/utils.nix;

     

       7
        
       

     

       8
       -
         mkSystem = hostname: system:

     

       0
        
       
     

       9
        
           lib.nixosSystem {

     

       10
        
             specialArgs = {

     

       11
        
               inherit inputs;

     

       12
        
       

     

       13
        
               hostname = hostname;

     

       14
       -
               _utils = utils {inherit inputs system;};

     

       15
        
             };

     

       16
        
       

     

       17
        
             modules = [

     
···

       20
        
               ./${hostname}/hardware-configuration.nix

     

       21
        
       

     

       22
        
               {

     

       23
       -
                 home-manager.extraSpecialArgs = {inherit inputs;};

     

       24
        
                 networking.hostName = hostname;

     

       25
        
                 nixpkgs.hostPlatform = lib.mkDefault system; # ensure we detect conflicts

     

       26
        
               }

     

       27
        
             ];

     

       28
        
           };

     

       29
       -
       in {

     

       0
        
       
     

       30
        
         koumakan = mkSystem "koumakan" "x86_64-linux";

     

       31
        
         satori = mkSystem "satori" "x86_64-linux";

     

       32
        
         renko = mkSystem "renko" "x86_64-linux";

···

       2
        
         lib,

     

       3
        
         inputs,

     

       4
        
         ...

     

       5
       +
       }:

     

       6
       +
       let

     

       7
        
         utils = import ../global/utils.nix;

     

       8
        
       

     

       9
       +
         mkSystem =

     

       10
       +
           hostname: system:

     

       11
        
           lib.nixosSystem {

     

       12
        
             specialArgs = {

     

       13
        
               inherit inputs;

     

       14
        
       

     

       15
        
               hostname = hostname;

     

       16
       +
               _utils = utils { inherit inputs system; };

     

       17
        
             };

     

       18
        
       

     

       19
        
             modules = [

     
···

       22
        
               ./${hostname}/hardware-configuration.nix

     

       23
        
       

     

       24
        
               {

     

       25
       +
                 home-manager.extraSpecialArgs = { inherit inputs; };

     

       26
        
                 networking.hostName = hostname;

     

       27
        
                 nixpkgs.hostPlatform = lib.mkDefault system; # ensure we detect conflicts

     

       28
        
               }

     

       29
        
             ];

     

       30
        
           };

     

       31
       +
       in

     

       32
       +
       {

     

       33
        
         koumakan = mkSystem "koumakan" "x86_64-linux";

     

       34
        
         satori = mkSystem "satori" "x86_64-linux";

     

       35
        
         renko = mkSystem "renko" "x86_64-linux";

+2 -1

systems/kita/certificates/default.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./mail.nix

     

       4
        
           ./web.nix

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./mail.nix

     

       5
        
           ./web.nix

+2 -1

systems/kita/certificates/mail.nix

···

       1
       -
       {config, ...}: {

     

       0
        
       
     

       2
        
         security.acme.certs."kita.c.soopy.moe" = {

     

       3
        
           group = config.services.maddy.group;

     

       4
        
           extraLegoRenewFlags = [

···

       1
       +
       { config, ... }:

     

       2
       +
       {

     

       3
        
         security.acme.certs."kita.c.soopy.moe" = {

     

       4
        
           group = config.services.maddy.group;

     

       5
        
           extraLegoRenewFlags = [

+2 -1

systems/kita/certificates/web.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         security.acme.certs."kita-web.c.soopy.moe" = {

     

       3
        
           group = "nginx";

     

       4
        
           extraDomainNames = [

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         security.acme.certs."kita-web.c.soopy.moe" = {

     

       4
        
           group = "nginx";

     

       5
        
           extraDomainNames = [

+2 -1

systems/kita/configuration.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./certificates

     

       4
        
           ./services

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./certificates

     

       5
        
           ./services

+10 -4

systems/kita/hardware-configuration.nix

···

       1
       -
       {modulesPath, ...}: {

     

       2
       -
         imports = [(modulesPath + "/profiles/qemu-guest.nix")];

     

       0
        
       
     

       3
        
         boot.loader.grub.device = "/dev/sda";

     

       4
       -
         boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"];

     

       5
       -
         boot.initrd.kernelModules = ["nvme"];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       6
        
         fileSystems."/" = {

     

       7
        
           device = "/dev/sda1";

     

       8
        
           fsType = "ext4";

···

       1
       +
       { modulesPath, ... }:

     

       2
       +
       {

     

       3
       +
         imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];

     

       4
        
         boot.loader.grub.device = "/dev/sda";

     

       5
       +
         boot.initrd.availableKernelModules = [

     

       6
       +
           "ata_piix"

     

       7
       +
           "uhci_hcd"

     

       8
       +
           "xen_blkfront"

     

       9
       +
           "vmw_pvscsi"

     

       10
       +
         ];

     

       11
       +
         boot.initrd.kernelModules = [ "nvme" ];

     

       12
        
         fileSystems."/" = {

     

       13
        
           device = "/dev/sda1";

     

       14
        
           fsType = "ext4";

+2 -1

systems/kita/networking.nix

···

       1
       -
       {lib, ...}: {

     

       0
        
       
     

       2
        
         # This file was populated at runtime with the networking

     

       3
        
         # details gathered from the active system.

     

       4
        
         networking = {

···

       1
       +
       { lib, ... }:

     

       2
       +
       {

     

       3
        
         # This file was populated at runtime with the networking

     

       4
        
         # details gathered from the active system.

     

       5
        
         networking = {

+2 -1

systems/kita/services/default.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./fallback_page

     

       4
        
           ./mail

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./fallback_page

     

       5
        
           ./mail

+2 -1

systems/kita/services/dns.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         services.pdns-recursor = {

     

       3
        
           enable = true;

     

       4

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         services.pdns-recursor = {

     

       4
        
           enable = true;

     

       5

+3 -2

systems/kita/services/fallback_page/default.nix

···

       2
        
         pkgs,

     

       3
        
         _utils,

     

       4
        
         ...

     

       5
       -
       }: {

     

       0
        
       
     

       6
        
         services.nginx.virtualHosts."_" = _utils.mkVhost {

     

       7
        
           useACMEHost = "kita-web.c.soopy.moe";

     

       8
        
           default = true;

     

       9
        
       

     

       10
        
           locations."/" = {

     

       11
       -
             root = pkgs.callPackage ./package.nix {};

     

       12
        
             tryFiles = "$uri $uri/index.html $uri.html =404";

     

       13
        
           };

     

       14
        
         };

···

       2
        
         pkgs,

     

       3
        
         _utils,

     

       4
        
         ...

     

       5
       +
       }:

     

       6
       +
       {

     

       7
        
         services.nginx.virtualHosts."_" = _utils.mkVhost {

     

       8
        
           useACMEHost = "kita-web.c.soopy.moe";

     

       9
        
           default = true;

     

       10
        
       

     

       11
        
           locations."/" = {

     

       12
       +
             root = pkgs.callPackage ./package.nix { };

     

       13
        
             tryFiles = "$uri $uri/index.html $uri.html =404";

     

       14
        
           };

     

       15
        
         };

+1 -1

systems/kita/services/fallback_page/package.nix

···

       1
       -
       {stdenvNoCC}:

     

       2
        
       stdenvNoCC.mkDerivation (final: {

     

       3
        
         name = "kita-landing";

     

       4
        
         src = ./.;

···

       1
       +
       { stdenvNoCC }:

     

       2
        
       stdenvNoCC.mkDerivation (final: {

     

       3
        
         name = "kita-landing";

     

       4
        
         src = ./.;

+5 -3

systems/kita/services/gatus.nix

···

       2
        
         _utils,

     

       3
        
         config,

     

       4
        
         ...

     

       5
       -
       }: let

     

       0
        
       
     

       6
        
         mkHttpEndpoint = name: group: url: {

     

       7
        
           inherit name url group;

     

       8
        
           enabled = true;

     
···

       12
        
             "[CONNECTED] == true"

     

       13
        
           ];

     

       14
        
         };

     

       15
       -
       in {

     

       0
        
       
     

       16
        
         services.gatus = {

     

       17
        
           enable = true;

     

       18
        
           settings = {

     
···

       34
        
             endpoints = [

     

       35
        
               (mkHttpEndpoint "Main Site" "core" "https://soopy.moe")

     

       36
        
       

     

       37
       -
               (mkHttpEndpoint "Gateway (Kanidm)" "koumakan" "https://gateway.soopy.moe" // {enabled = false;}) # TODO

     

       38
        
               (mkHttpEndpoint "Patchy (Forgejo)" "koumakan" "https://patchy.soopy.moe")

     

       39
        
               (mkHttpEndpoint "Suika (Grafana)" "koumakan" "https://suika.soopy.moe/login")

     

       40
        
               (mkHttpEndpoint "Nue (Synapse)" "koumakan" "https://nue.soopy.moe/health")

···

       2
        
         _utils,

     

       3
        
         config,

     

       4
        
         ...

     

       5
       +
       }:

     

       6
       +
       let

     

       7
        
         mkHttpEndpoint = name: group: url: {

     

       8
        
           inherit name url group;

     

       9
        
           enabled = true;

     
···

       13
        
             "[CONNECTED] == true"

     

       14
        
           ];

     

       15
        
         };

     

       16
       +
       in

     

       17
       +
       {

     

       18
        
         services.gatus = {

     

       19
        
           enable = true;

     

       20
        
           settings = {

     
···

       36
        
             endpoints = [

     

       37
        
               (mkHttpEndpoint "Main Site" "core" "https://soopy.moe")

     

       38
        
       

     

       39
       +
               (mkHttpEndpoint "Gateway (Kanidm)" "koumakan" "https://gateway.soopy.moe" // { enabled = false; }) # TODO

     

       40
        
               (mkHttpEndpoint "Patchy (Forgejo)" "koumakan" "https://patchy.soopy.moe")

     

       41
        
               (mkHttpEndpoint "Suika (Grafana)" "koumakan" "https://suika.soopy.moe/login")

     

       42
        
               (mkHttpEndpoint "Nue (Synapse)" "koumakan" "https://nue.soopy.moe/health")

+2 -1

systems/kita/services/mail/default.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./roundcube.nix

     

       4

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./roundcube.nix

     

       5

+2 -1

systems/kita/services/mail/maddy.nix

···

       1
       -
       {config, ...}: {

     

       0
        
       
     

       2
        
         services.maddy = {

     

       3
        
           enable = true;

     

       4
        
           hostname = "mx2.soopy.moe";

···

       1
       +
       { config, ... }:

     

       2
       +
       {

     

       3
        
         services.maddy = {

     

       4
        
           enable = true;

     

       5
        
           hostname = "mx2.soopy.moe";

+2 -1

systems/kita/services/mail/mta-sts.nix

···

       1
        
       # mail-transfer-agent strict transport security policy

     

       2
       -
       {_utils, ...}: {

     

       0
        
       
     

       3
        
         services.nginx.virtualHosts."mta-sts.soopy.moe" = _utils.mkVhost {

     

       4
        
           useACMEHost = "kita-web.c.soopy.moe";

     

       5

···

       1
        
       # mail-transfer-agent strict transport security policy

     

       2
       +
       { _utils, ... }:

     

       3
       +
       {

     

       4
        
         services.nginx.virtualHosts."mta-sts.soopy.moe" = _utils.mkVhost {

     

       5
        
           useACMEHost = "kita-web.c.soopy.moe";

     

       6

+9 -3

systems/kita/services/mail/roundcube.nix

···

       2
        
         pkgs,

     

       3
        
         _utils,

     

       4
        
         ...

     

       5
       -
       }: {

     

       0
        
       
     

       6
        
         services.roundcube = {

     

       7
        
           enable = true;

     

       8
       -
           package = pkgs.roundcube.withPlugins (plugins: with plugins; [carddav contextmenu]);

     

       9
       -
           dicts = with pkgs.aspellDicts; [en];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       10
        
           hostName = "webmail.soopy.moe";

     

       11
        
       

     

       12
        
           extraConfig = ''

···

       2
        
         pkgs,

     

       3
        
         _utils,

     

       4
        
         ...

     

       5
       +
       }:

     

       6
       +
       {

     

       7
        
         services.roundcube = {

     

       8
        
           enable = true;

     

       9
       +
           package = pkgs.roundcube.withPlugins (

     

       10
       +
             plugins: with plugins; [

     

       11
       +
               carddav

     

       12
       +
               contextmenu

     

       13
       +
             ]

     

       14
       +
           );

     

       15
       +
           dicts = with pkgs.aspellDicts; [ en ];

     

       16
        
           hostName = "webmail.soopy.moe";

     

       17
        
       

     

       18
        
           extraConfig = ''

+9 -9

systems/kita/services/mail/rspamd.nix

···

       2
        
         config,

     

       3
        
         _utils,

     

       4
        
         ...

     

       5
       -
       }: let

     

       0
        
       
     

       6
        
         secrets = _utils.setupSecrets config {

     

       7
        
           namespace = "rspamd";

     

       8
       -
           secrets = ["controller_passwd"];

     

       9
        
           config.owner = config.users.users.rspamd.name;

     

       10
        
         };

     

       11
       -
       in {

     

       0
        
       
     

       12
        
         imports = [

     

       13
        
           secrets.generate

     

       14
       -
           (

     

       15
       -
             secrets.mkTemplate "rspamd-controller-pwd.inc" ''

     

       16
       -
               password = "${secrets.placeholder "controller_passwd"}";

     

       17
       -
             ''

     

       18
       -
           )

     

       19
        
         ];

     

       20
        
         services.rspamd = {

     

       21
        
           enable = true;

     
···

       39
        
             .include(try=false; priority=10) "${secrets.getTemplate "rspamd-controller-pwd.inc"}"

     

       40
        
           '';

     

       41
        
       

     

       42
       -
           workers."normal".bindSockets = ["127.0.0.1:11333"];

     

       43
        
         };

     

       44
        
       

     

       45
        
         services.redis.servers.rspamd.enable = true;

···

       2
        
         config,

     

       3
        
         _utils,

     

       4
        
         ...

     

       5
       +
       }:

     

       6
       +
       let

     

       7
        
         secrets = _utils.setupSecrets config {

     

       8
        
           namespace = "rspamd";

     

       9
       +
           secrets = [ "controller_passwd" ];

     

       10
        
           config.owner = config.users.users.rspamd.name;

     

       11
        
         };

     

       12
       +
       in

     

       13
       +
       {

     

       14
        
         imports = [

     

       15
        
           secrets.generate

     

       16
       +
           (secrets.mkTemplate "rspamd-controller-pwd.inc" ''

     

       17
       +
             password = "${secrets.placeholder "controller_passwd"}";

     

       18
       +
           '')

     

       0
        
       
     

       0
        
       
     

       19
        
         ];

     

       20
        
         services.rspamd = {

     

       21
        
           enable = true;

     
···

       39
        
             .include(try=false; priority=10) "${secrets.getTemplate "rspamd-controller-pwd.inc"}"

     

       40
        
           '';

     

       41
        
       

     

       42
       +
           workers."normal".bindSockets = [ "127.0.0.1:11333" ];

     

       43
        
         };

     

       44
        
       

     

       45
        
         services.redis.servers.rspamd.enable = true;

+3 -2

systems/kita/services/postgresql.nix

···

       1
       -
       {pkgs, ...}: {

     

       0
        
       
     

       2
        
         services.postgresql = {

     

       3
        
           enable = true;

     

       4
        
           package = pkgs.postgresql_16; # we like to specify a package so we know what we're using.

     
···

       8
        
               ensureDBOwnership = true;

     

       9
        
             }

     

       10
        
           ];

     

       11
       -
           ensureDatabases = ["maildb"];

     

       12
        
         };

     

       13
        
       }

···

       1
       +
       { pkgs, ... }:

     

       2
       +
       {

     

       3
        
         services.postgresql = {

     

       4
        
           enable = true;

     

       5
        
           package = pkgs.postgresql_16; # we like to specify a package so we know what we're using.

     
···

       9
        
               ensureDBOwnership = true;

     

       10
        
             }

     

       11
        
           ];

     

       12
       +
           ensureDatabases = [ "maildb" ];

     

       13
        
         };

     

       14
        
       }

+2 -1

systems/kita/services/radicale.nix

···

       1
       -
       {_utils, ...}: {

     

       0
        
       
     

       2
        
         services.radicale = {

     

       3
        
           enable = true;

     

       4
        
           settings = {

···

       1
       +
       { _utils, ... }:

     

       2
       +
       {

     

       3
        
         services.radicale = {

     

       4
        
           enable = true;

     

       5
        
           settings = {

+2 -1

systems/koumakan/administration/default.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./telemetry.nix

     

       4
        
         ];

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./telemetry.nix

     

       5
        
         ];

+2 -1

systems/koumakan/administration/telemetry.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         services.prometheus.exporters = {

     

       3
        
           node = {

     

       4
        
             enable = true;

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         services.prometheus.exporters = {

     

       4
        
           node = {

     

       5
        
             enable = true;

+2 -1

systems/koumakan/certificates/breezewiki.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         # Certificate for breezewiki

     

       3
        
         security.acme.certs."bw.c.soopy.moe" = {

     

       4
        
           group = "nginx";

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         # Certificate for breezewiki

     

       4
        
         security.acme.certs."bw.c.soopy.moe" = {

     

       5
        
           group = "nginx";

+2 -1

systems/koumakan/certificates/bsky-pds.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         # Certificate for fedi services

     

       3
        
         security.acme.certs."bsky.c.soopy.moe" = {

     

       4
        
           group = "nginx";

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         # Certificate for fedi services

     

       4
        
         security.acme.certs."bsky.c.soopy.moe" = {

     

       5
        
           group = "nginx";

+2 -1

systems/koumakan/certificates/default.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./global.nix

     

       4
        
           ./postgresql.nix

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./global.nix

     

       5
        
           ./postgresql.nix

+2 -1

systems/koumakan/certificates/fediverse.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         # Certificate for fedi services

     

       3
        
         security.acme.certs."fedi.c.soopy.moe" = {

     

       4
        
           group = "nginx";

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         # Certificate for fedi services

     

       4
        
         security.acme.certs."fedi.c.soopy.moe" = {

     

       5
        
           group = "nginx";

+2 -1

systems/koumakan/certificates/global.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         # Global certificate

     

       3
        
         security.acme.certs."global.c.soopy.moe" = {

     

       4
        
           group = "nginx";

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         # Global certificate

     

       4
        
         security.acme.certs."global.c.soopy.moe" = {

     

       5
        
           group = "nginx";

+11 -8

systems/koumakan/certificates/postgresql.nix

···

       1
       -
       {config, ...}: {

     

       0
        
       
     

       2
        
         # PostgreSQL only certificate

     

       3
        
         security.acme.certs."phant.soopy.moe" = {

     

       4
        
           group = "postgres";

     
···

       9
        
       

     

       10
        
         # https://nixos.org/manual/nixos/stable/#module-security-acme-root-owned

     

       11
        
         systemd.services.postgresql = {

     

       12
       -
           requires = ["acme-finished-phant.soopy.moe.target"];

     

       13
       -
           serviceConfig.LoadCredential = let

     

       14
       -
             certDir = config.security.acme.certs."phant.soopy.moe".directory;

     

       15
       -
           in [

     

       16
       -
             "cert.pem:${certDir}/cert.pem"

     

       17
       -
             "key.pem:${certDir}/key.pem"

     

       18
       -
           ];

     

       0
        
       
     

       0
        
       
     

       19
        
         };

     

       20
        
       }

···

       1
       +
       { config, ... }:

     

       2
       +
       {

     

       3
        
         # PostgreSQL only certificate

     

       4
        
         security.acme.certs."phant.soopy.moe" = {

     

       5
        
           group = "postgres";

     
···

       10
        
       

     

       11
        
         # https://nixos.org/manual/nixos/stable/#module-security-acme-root-owned

     

       12
        
         systemd.services.postgresql = {

     

       13
       +
           requires = [ "acme-finished-phant.soopy.moe.target" ];

     

       14
       +
           serviceConfig.LoadCredential =

     

       15
       +
             let

     

       16
       +
               certDir = config.security.acme.certs."phant.soopy.moe".directory;

     

       17
       +
             in

     

       18
       +
             [

     

       19
       +
               "cert.pem:${certDir}/cert.pem"

     

       20
       +
               "key.pem:${certDir}/key.pem"

     

       21
       +
             ];

     

       22
        
         };

     

       23
        
       }

+2 -1

systems/koumakan/configuration.nix

···

       1
       -
       {inputs, ...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           inputs.mystia.nixosModules.fixups

     

       4
        
           inputs.mystia.nixosModules.vmauth

···

       1
       +
       { inputs, ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           inputs.mystia.nixosModules.fixups

     

       5
        
           inputs.mystia.nixosModules.vmauth

+19 -7

systems/koumakan/hardware-configuration.nix

···

       6
        
         lib,

     

       7
        
         modulesPath,

     

       8
        
         ...

     

       9
       -
       }: {

     

       0
        
       
     

       10
        
         imports = [

     

       11
        
           (modulesPath + "/installer/scan/not-detected.nix")

     

       12
        
         ];

     

       13
        
       

     

       14
       -
         boot.initrd.availableKernelModules = ["xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod"];

     

       15
       -
         boot.initrd.kernelModules = [];

     

       16
       -
         boot.kernelModules = ["kvm-intel"];

     

       17
       -
         boot.extraModulePackages = [];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       18
        
       

     

       19
        
         fileSystems."/" = {

     

       20
        
           device = "/dev/disk/by-uuid/738969fe-b2a0-4fa1-9ac5-69f2a25536e7";

     
···

       24
        
         fileSystems."/boot" = {

     

       25
        
           device = "/dev/disk/by-uuid/62FD-C60A";

     

       26
        
           fsType = "vfat";

     

       27
       -
           options = ["fmask=0022" "dmask=0022"];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       28
        
         };

     

       29
        
       

     

       30
        
         swapDevices = [

     

       31
       -
           {device = "/dev/disk/by-uuid/902b902d-3486-49de-9a58-7a079c9a090d";}

     

       32
        
         ];

     

       33
        
       

     

       34
        
         # Enables DHCP on each ethernet and wireless interface. In case of scripted networking

···

       6
        
         lib,

     

       7
        
         modulesPath,

     

       8
        
         ...

     

       9
       +
       }:

     

       10
       +
       {

     

       11
        
         imports = [

     

       12
        
           (modulesPath + "/installer/scan/not-detected.nix")

     

       13
        
         ];

     

       14
        
       

     

       15
       +
         boot.initrd.availableKernelModules = [

     

       16
       +
           "xhci_pci"

     

       17
       +
           "ehci_pci"

     

       18
       +
           "ahci"

     

       19
       +
           "usbhid"

     

       20
       +
           "usb_storage"

     

       21
       +
           "sd_mod"

     

       22
       +
           "sr_mod"

     

       23
       +
         ];

     

       24
       +
         boot.initrd.kernelModules = [ ];

     

       25
       +
         boot.kernelModules = [ "kvm-intel" ];

     

       26
       +
         boot.extraModulePackages = [ ];

     

       27
        
       

     

       28
        
         fileSystems."/" = {

     

       29
        
           device = "/dev/disk/by-uuid/738969fe-b2a0-4fa1-9ac5-69f2a25536e7";

     
···

       33
        
         fileSystems."/boot" = {

     

       34
        
           device = "/dev/disk/by-uuid/62FD-C60A";

     

       35
        
           fsType = "vfat";

     

       36
       +
           options = [

     

       37
       +
             "fmask=0022"

     

       38
       +
             "dmask=0022"

     

       39
       +
           ];

     

       40
        
         };

     

       41
        
       

     

       42
        
         swapDevices = [

     

       43
       +
           { device = "/dev/disk/by-uuid/902b902d-3486-49de-9a58-7a079c9a090d"; }

     

       44
        
         ];

     

       45
        
       

     

       46
        
         # Enables DHCP on each ethernet and wireless interface. In case of scripted networking

+2 -1

systems/koumakan/networking/cjdns.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         services.cjdns = {

     

       3
        
           enable = true;

     

       4

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         services.cjdns = {

     

       4
        
           enable = true;

     

       5

+2 -1

systems/koumakan/networking/default.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./firewall.nix

     

       4
        
           ./interface.nix

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./firewall.nix

     

       5
        
           ./interface.nix

+2 -1

systems/koumakan/networking/firewall.nix

···

       1
       -
       {lib, ...}: {

     

       0
        
       
     

       2
        
         networking.firewall = {

     

       3
        
           enable = true;

     

       4
        
           allowedTCPPorts = [

···

       1
       +
       { lib, ... }:

     

       2
       +
       {

     

       3
        
         networking.firewall = {

     

       4
        
           enable = true;

     

       5
        
           allowedTCPPorts = [

+2 -1

systems/koumakan/networking/interface.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         networking.networkmanager.ethernet.macAddress = "stable";

     

       3
        
       }

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         networking.networkmanager.ethernet.macAddress = "stable";

     

       4
        
       }

+2 -1

systems/koumakan/security/default.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./pam.nix

     

       4
        
         ];

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./pam.nix

     

       5
        
         ];

+2 -1

systems/koumakan/security/pam.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         security.pam.yubico = {

     

       3
        
           enable = true;

     

       4
        
           id = "91582";

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         security.pam.yubico = {

     

       4
        
           enable = true;

     

       5
        
           id = "91582";

+8 -8

systems/koumakan/services/anubis.nix

···

       2
        
         lib,

     

       3
        
         config,

     

       4
        
         ...

     

       5
       -
       }: {

     

       6
       -
         assertions =

     

       7
       -
           lib.mapAttrsToList (k: v: {

     

       8
       -
             # assertion = v.settings.METRICS_BIND_NETWORK == "tcp" -> !builtins.isNull (builtins.match "127.0.0.1:.*" v.settings.METRICS_BIND);

     

       9
       -
             assertion = !builtins.isNull (builtins.match "^127.0.0.1:17[[:digit:]]\{3\}$" v.settings.METRICS_BIND); # stricter

     

       10
       -
             message = "koumakan-internal(anubis `${k}`): settings.METRICS_BIND must be in the form `127.0.0.1:17xxx`";

     

       11
       -
           })

     

       12
       -
           config.services.anubis.instances;

     

       13
        
       

     

       14
        
         # neither VM nor Prom supports scraping unix domain sockets and i currently cba writing a custom scraper for it

     

       15
        
         # prom: https://github.com/prometheus/prometheus/issues/12024

···

       2
        
         lib,

     

       3
        
         config,

     

       4
        
         ...

     

       5
       +
       }:

     

       6
       +
       {

     

       7
       +
         assertions = lib.mapAttrsToList (k: v: {

     

       8
       +
           # assertion = v.settings.METRICS_BIND_NETWORK == "tcp" -> !builtins.isNull (builtins.match "127.0.0.1:.*" v.settings.METRICS_BIND);

     

       9
       +
           assertion =

     

       10
       +
             !builtins.isNull (builtins.match "^127.0.0.1:17[[:digit:]]\{3\}$" v.settings.METRICS_BIND); # stricter

     

       11
       +
           message = "koumakan-internal(anubis `${k}`): settings.METRICS_BIND must be in the form `127.0.0.1:17xxx`";

     

       12
       +
         }) config.services.anubis.instances;

     

       13
        
       

     

       14
        
         # neither VM nor Prom supports scraping unix domain sockets and i currently cba writing a custom scraper for it

     

       15
        
         # prom: https://github.com/prometheus/prometheus/issues/12024

+3 -2

systems/koumakan/services/arion/breezewiki.nix

···

       1
       -
       {_utils, ...}: {

     

       0
        
       
     

       2
        
         virtualisation.arion.projects.breezewiki.settings = {

     

       3
        
           services.breezewiki = {

     

       4
        
             service = {

     

       5
        
               image = "quay.io/pussthecatorg/breezewiki";

     

       6
       -
               ports = ["127.0.0.1:35612:10416"];

     

       7
        
               environment = {

     

       8
        
                 bw_canonical_origin = "https://bw.soopy.moe";

     

       9
        
                 bw_log_outgoing = "false";

···

       1
       +
       { _utils, ... }:

     

       2
       +
       {

     

       3
        
         virtualisation.arion.projects.breezewiki.settings = {

     

       4
        
           services.breezewiki = {

     

       5
        
             service = {

     

       6
        
               image = "quay.io/pussthecatorg/breezewiki";

     

       7
       +
               ports = [ "127.0.0.1:35612:10416" ];

     

       8
        
               environment = {

     

       9
        
                 bw_canonical_origin = "https://bw.soopy.moe";

     

       10
        
                 bw_log_outgoing = "false";

+2 -1

systems/koumakan/services/arion/default.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./breezewiki.nix

     

       4
        
           ./pixivfe.nix

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./breezewiki.nix

     

       5
        
           ./pixivfe.nix

+5 -3

systems/koumakan/services/arion/pixivfe.nix

···

       3
        
         config,

     

       4
        
         lib,

     

       5
        
         ...

     

       6
       -
       }: let

     

       0
        
       
     

       7
        
         secrets = _utils.setupSecrets config {

     

       8
        
           namespace = "pixivfe";

     

       9
       -
           secrets = ["token"];

     

       10
        
         };

     

       11
       -
       in {

     

       0
        
       
     

       12
        
         imports = [

     

       13
        
           secrets.generate

     

       14
        
           (secrets.mkTemplate "pixivfe.env" ''

···

       3
        
         config,

     

       4
        
         lib,

     

       5
        
         ...

     

       6
       +
       }:

     

       7
       +
       let

     

       8
        
         secrets = _utils.setupSecrets config {

     

       9
        
           namespace = "pixivfe";

     

       10
       +
           secrets = [ "token" ];

     

       11
        
         };

     

       12
       +
       in

     

       13
       +
       {

     

       14
        
         imports = [

     

       15
        
           secrets.generate

     

       16
        
           (secrets.mkTemplate "pixivfe.env" ''

+2 -1

systems/koumakan/services/ci/default.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./hydra

     

       4
        
         ];

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./hydra

     

       5
        
         ];

+5 -3

systems/koumakan/services/ci/hydra/default.nix

···

       5
        
         config,

     

       6
        
         lib,

     

       7
        
         ...

     

       8
       -
       }: let

     

       0
        
       
     

       9
        
         secrets = _utils.setupSecrets config {

     

       10
        
           namespace = "hydra";

     

       11
        
           secrets = [

     
···

       22
        
       

     

       23
        
         webhookScript = pkgs.writeShellApplication {

     

       24
        
           name = "hydra-webhook";

     

       25
       -
           runtimeInputs = with pkgs; [xh];

     

       26
        
           text = ''

     

       27
        
             xh :8000 @"$1"

     

       28
        
           '';

     

       29
        
         };

     

       30
       -
       in {

     

       0
        
       
     

       31
        
         imports = [

     

       32
        
           secrets.generate

     

       33
        
           (secrets.mkTemplate "hydra-s3-creds" ''

···

       5
        
         config,

     

       6
        
         lib,

     

       7
        
         ...

     

       8
       +
       }:

     

       9
       +
       let

     

       10
        
         secrets = _utils.setupSecrets config {

     

       11
        
           namespace = "hydra";

     

       12
        
           secrets = [

     
···

       23
        
       

     

       24
        
         webhookScript = pkgs.writeShellApplication {

     

       25
        
           name = "hydra-webhook";

     

       26
       +
           runtimeInputs = with pkgs; [ xh ];

     

       27
        
           text = ''

     

       28
        
             xh :8000 @"$1"

     

       29
        
           '';

     

       30
        
         };

     

       31
       +
       in

     

       32
       +
       {

     

       33
        
         imports = [

     

       34
        
           secrets.generate

     

       35
        
           (secrets.mkTemplate "hydra-s3-creds" ''

+2 -1

systems/koumakan/services/databases/default.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./postgresql.nix

     

       4
        
           ./redis.nix

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./postgresql.nix

     

       5
        
           ./redis.nix

+22 -19

systems/koumakan/services/databases/postgresql.nix

···

       2
        
         pkgs,

     

       3
        
         lib,

     

       4
        
         ...

     

       5
       -
       }: {

     

       0
        
       
     

       6
        
         services.postgresql = {

     

       7
        
           enable = true;

     

       8
        
       

     
···

       18
        
             host    all             all             ::1/128                 scram-sha-256

     

       19
        
           '';

     

       20
        
       

     

       21
       -
           settings = let

     

       22
       -
             credsDir = "/run/credentials/postgresql.service";

     

       23
       -
           in {

     

       24
       -
             listen_addresses = pkgs.lib.mkForce "*";

     

       25
       -
             max_connections = 200;

     

       26
       -
             password_encryption = "scram-sha-256";

     

       0
        
       
     

       0
        
       
     

       27
        
       

     

       28
       -
             log_line_prefix = "%m [%p] %h ";

     

       29
       -
             ssl = "on";

     

       30
       -
             ssl_cert_file = "${credsDir}/cert.pem";

     

       31
       -
             ssl_key_file = "${credsDir}/key.pem";

     

       32
        
       

     

       33
       -
             log_hostname = true;

     

       34
       -
             datestyle = "iso, dmy";

     

       35
       -
             log_timezone = "Asia/Hong_Kong";

     

       36
       -
             timezone = "Asia/Hong_Kong";

     

       37
       -
             default_text_search_config = "pg_catalog.english";

     

       38
        
       

     

       39
       -
             max_wal_size = "2GB";

     

       40
       -
             min_wal_size = "80MB";

     

       41
       -
           };

     

       42
        
         };

     

       43
        
       

     

       44
        
         users.users.postgres.useDefaultShell = lib.mkForce false;

···

       2
        
         pkgs,

     

       3
        
         lib,

     

       4
        
         ...

     

       5
       +
       }:

     

       6
       +
       {

     

       7
        
         services.postgresql = {

     

       8
        
           enable = true;

     

       9
        
       

     
···

       19
        
             host    all             all             ::1/128                 scram-sha-256

     

       20
        
           '';

     

       21
        
       

     

       22
       +
           settings =

     

       23
       +
             let

     

       24
       +
               credsDir = "/run/credentials/postgresql.service";

     

       25
       +
             in

     

       26
       +
             {

     

       27
       +
               listen_addresses = pkgs.lib.mkForce "*";

     

       28
       +
               max_connections = 200;

     

       29
       +
               password_encryption = "scram-sha-256";

     

       30
        
       

     

       31
       +
               log_line_prefix = "%m [%p] %h ";

     

       32
       +
               ssl = "on";

     

       33
       +
               ssl_cert_file = "${credsDir}/cert.pem";

     

       34
       +
               ssl_key_file = "${credsDir}/key.pem";

     

       35
        
       

     

       36
       +
               log_hostname = true;

     

       37
       +
               datestyle = "iso, dmy";

     

       38
       +
               log_timezone = "Asia/Hong_Kong";

     

       39
       +
               timezone = "Asia/Hong_Kong";

     

       40
       +
               default_text_search_config = "pg_catalog.english";

     

       41
        
       

     

       42
       +
               max_wal_size = "2GB";

     

       43
       +
               min_wal_size = "80MB";

     

       44
       +
             };

     

       45
        
         };

     

       46
        
       

     

       47
        
         users.users.postgres.useDefaultShell = lib.mkForce false;

+2 -1

systems/koumakan/services/databases/redis.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         services.redis.servers."" = {

     

       3
        
           enable = true;

     

       4
        
         };

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         services.redis.servers."" = {

     

       4
        
           enable = true;

     

       5
        
         };

+2 -1

systems/koumakan/services/default.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./nginx.nix

     

       4

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./nginx.nix

     

       5

+5 -3

systems/koumakan/services/fediverse/bsky-pds.nix

···

       4
        
         config,

     

       5
        
         _utils,

     

       6
        
         ...

     

       7
       -
       }: let

     

       0
        
       
     

       8
        
         secrets = _utils.setupSecrets config {

     

       9
        
           namespace = "pds";

     

       10
        
           secrets = [

     
···

       13
        
           ];

     

       14
        
           config.owner = config.services.bsky-pds.user;

     

       15
        
         };

     

       16
       -
       in {

     

       17
       -
         imports = [secrets.generate];

     

       0
        
       
     

       18
        
         services.bsky-pds = {

     

       19
        
           enable = true;

     

       20
        
           package = inputs.mystia.packages.${pkgs.system}.bsky-pds;

···

       4
        
         config,

     

       5
        
         _utils,

     

       6
        
         ...

     

       7
       +
       }:

     

       8
       +
       let

     

       9
        
         secrets = _utils.setupSecrets config {

     

       10
        
           namespace = "pds";

     

       11
        
           secrets = [

     
···

       14
        
           ];

     

       15
        
           config.owner = config.services.bsky-pds.user;

     

       16
        
         };

     

       17
       +
       in

     

       18
       +
       {

     

       19
       +
         imports = [ secrets.generate ];

     

       20
        
         services.bsky-pds = {

     

       21
        
           enable = true;

     

       22
        
           package = inputs.mystia.packages.${pkgs.system}.bsky-pds;

+2 -1

systems/koumakan/services/fediverse/default.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./writefreely.nix

     

       4
        
           ./bsky-pds.nix

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./writefreely.nix

     

       5
        
           ./bsky-pds.nix

+2 -1

systems/koumakan/services/fediverse/writefreely.nix

···

       5
        
         # inputs,

     

       6
        
         # pkgs,

     

       7
        
         ...

     

       8
       -
       }: {

     

       0
        
       
     

       9
        
         services.writefreely = {

     

       10
        
           enable = true;

     

       11
        
           # package = inputs.nixpkgs-wf.legacyPackages.${pkgs.system}.writefreely;

···

       5
        
         # inputs,

     

       6
        
         # pkgs,

     

       7
        
         ...

     

       8
       +
       }:

     

       9
       +
       {

     

       10
        
         services.writefreely = {

     

       11
        
           enable = true;

     

       12
        
           # package = inputs.nixpkgs-wf.legacyPackages.${pkgs.system}.writefreely;

+2 -1

systems/koumakan/services/feeds/default.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./miniflux.nix

     

       4
        
         ];

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./miniflux.nix

     

       5
        
         ];

+2 -1

systems/koumakan/services/feeds/miniflux.nix

···

       1
       -
       {_utils, ...}: {

     

       0
        
       
     

       2
        
         services.miniflux = {

     

       3
        
           enable = true;

     

       4
        
           config = {

···

       1
       +
       { _utils, ... }:

     

       2
       +
       {

     

       3
        
         services.miniflux = {

     

       4
        
           enable = true;

     

       5
        
           config = {

+5 -4

systems/koumakan/services/ftp.nix

···

       3
        
         config,

     

       4
        
         inputs,

     

       5
        
         ...

     

       6
       -
       }: {

     

       0
        
       
     

       7
        
         sops.secrets = {

     

       8
        
           "vsftpdUsers.db" = {

     

       9
        
             sopsFile = inputs.self + "/creds/sops/koumakan/vsftpdUsers.db";

     
···

       51
        
           group = "vsftpd";

     

       52
        
           enable = true;

     

       53
        
           settings = {

     

       54
       -
             server.listen = ["100.100.16.16:38563"];

     

       55
        
             accounts.auth-type = "htpasswd.default";

     

       56
        
       

     

       57
        
             htpasswd.default.htpasswd = config.sops.secrets."webdav.scan.htpasswd".path;

     
···

       59
        
       

     

       60
        
             location = [

     

       61
        
               {

     

       62
       -
                 route = ["/*path"];

     

       63
        
                 auth = "true";

     

       64
        
                 handler = "filesystem";

     

       65
       -
                 methods = ["webdav-rw"];

     

       66
        
       

     

       67
        
                 directory = "/var/www/ftp";

     

       68
        
               }

···

       3
        
         config,

     

       4
        
         inputs,

     

       5
        
         ...

     

       6
       +
       }:

     

       7
       +
       {

     

       8
        
         sops.secrets = {

     

       9
        
           "vsftpdUsers.db" = {

     

       10
        
             sopsFile = inputs.self + "/creds/sops/koumakan/vsftpdUsers.db";

     
···

       52
        
           group = "vsftpd";

     

       53
        
           enable = true;

     

       54
        
           settings = {

     

       55
       +
             server.listen = [ "100.100.16.16:38563" ];

     

       56
        
             accounts.auth-type = "htpasswd.default";

     

       57
        
       

     

       58
        
             htpasswd.default.htpasswd = config.sops.secrets."webdav.scan.htpasswd".path;

     
···

       60
        
       

     

       61
        
             location = [

     

       62
        
               {

     

       63
       +
                 route = [ "/*path" ];

     

       64
        
                 auth = "true";

     

       65
        
                 handler = "filesystem";

     

       66
       +
                 methods = [ "webdav-rw" ];

     

       67
        
       

     

       68
        
                 directory = "/var/www/ftp";

     

       69
        
               }

+2 -1

systems/koumakan/services/matrix/default.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./synapse.nix

     

       4
        
         ];

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./synapse.nix

     

       5
        
         ];

+8 -6

systems/koumakan/services/matrix/synapse.nix

···

       4
        
         lib,

     

       5
        
         config,

     

       6
        
         ...

     

       7
       -
       }: let

     

       0
        
       
     

       8
        
         getSocket = file: "/run/matrix-synapse/${file}.sock";

     

       9
       -
       in {

     

       0
        
       
     

       10
        
         sops.secrets."synapse.yaml" = {

     

       11
        
           mode = "0400";

     

       12
        
           owner = config.users.users.matrix-synapse.name;

     
···

       35
        
           ];

     

       36
        
       

     

       37
        
           workers = {

     

       38
       -
             federation-sender-0 = {};

     

       39
       -
             pusher-0 = {};

     

       40
        
           };

     

       41
        
       

     

       42
        
           settings = {

     
···

       111
        
         };

     

       112
        
       

     

       113
        
         services.postgresql = {

     

       114
       -
           ensureDatabases = ["synapse"];

     

       115
        
           ensureUsers = [

     

       116
        
             {

     

       117
        
               name = "synapse";

     
···

       120
        
           ];

     

       121
        
         };

     

       122
        
       

     

       123
       -
         users.users.nginx.extraGroups = ["matrix-synapse"];

     

       124
        
         services.nginx.virtualHosts."nue.soopy.moe" = _utils.mkVhost {

     

       125
        
           extraConfig = ''

     

       126
        
             access_log off;

···

       4
        
         lib,

     

       5
        
         config,

     

       6
        
         ...

     

       7
       +
       }:

     

       8
       +
       let

     

       9
        
         getSocket = file: "/run/matrix-synapse/${file}.sock";

     

       10
       +
       in

     

       11
       +
       {

     

       12
        
         sops.secrets."synapse.yaml" = {

     

       13
        
           mode = "0400";

     

       14
        
           owner = config.users.users.matrix-synapse.name;

     
···

       37
        
           ];

     

       38
        
       

     

       39
        
           workers = {

     

       40
       +
             federation-sender-0 = { };

     

       41
       +
             pusher-0 = { };

     

       42
        
           };

     

       43
        
       

     

       44
        
           settings = {

     
···

       113
        
         };

     

       114
        
       

     

       115
        
         services.postgresql = {

     

       116
       +
           ensureDatabases = [ "synapse" ];

     

       117
        
           ensureUsers = [

     

       118
        
             {

     

       119
        
               name = "synapse";

     
···

       122
        
           ];

     

       123
        
         };

     

       124
        
       

     

       125
       +
         users.users.nginx.extraGroups = [ "matrix-synapse" ];

     

       126
        
         services.nginx.virtualHosts."nue.soopy.moe" = _utils.mkVhost {

     

       127
        
           extraConfig = ''

     

       128
        
             access_log off;

+3 -2

systems/koumakan/services/nginx.nix

···

       1
       -
       {pkgs, ...}: {

     

       0
        
       
     

       2
        
         gensokyo.presets.nginx = true;

     

       3
        
       

     

       4
       -
         users.users.nginx.extraGroups = ["anubis"];

     

       5
        
         services.nginx = {

     

       6
        
           enable = true;

     

       7
        
           clientMaxBodySize = "50m";

···

       1
       +
       { pkgs, ... }:

     

       2
       +
       {

     

       3
        
         gensokyo.presets.nginx = true;

     

       4
        
       

     

       5
       +
         users.users.nginx.extraGroups = [ "anubis" ];

     

       6
        
         services.nginx = {

     

       7
        
           enable = true;

     

       8
        
           clientMaxBodySize = "50m";

+2 -1

systems/koumakan/services/proxies/default.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./nitter.nix

     

       4
        
           ./searxng.nix

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./nitter.nix

     

       5
        
           ./searxng.nix

+2 -1

systems/koumakan/services/proxies/minio.nix

···

       2
        
         _utils,

     

       3
        
         inputs,

     

       4
        
         ...

     

       5
       -
       }: {

     

       0
        
       
     

       6
        
         services.nginx.virtualHosts = {

     

       7
        
           "s3.soopy.moe" = _utils.mkSimpleProxy {

     

       8
        
             host = "renko.mist-nessie.ts.net";

···

       2
        
         _utils,

     

       3
        
         inputs,

     

       4
        
         ...

     

       5
       +
       }:

     

       6
       +
       {

     

       7
        
         services.nginx.virtualHosts = {

     

       8
        
           "s3.soopy.moe" = _utils.mkSimpleProxy {

     

       9
        
             host = "renko.mist-nessie.ts.net";

+2 -1

systems/koumakan/services/proxies/nitter.nix

···

       1
       -
       {_utils, ...}: {

     

       0
        
       
     

       2
        
         services.nginx.virtualHosts."nitter.soopy.moe" = _utils.mkVhost {

     

       3
        
           locations."/".return = "301 https://twiiit.com$request_uri";

     

       4
        
         };

···

       1
       +
       { _utils, ... }:

     

       2
       +
       {

     

       3
        
         services.nginx.virtualHosts."nitter.soopy.moe" = _utils.mkVhost {

     

       4
        
           locations."/".return = "301 https://twiiit.com$request_uri";

     

       5
        
         };

+10 -5

systems/koumakan/services/proxies/searxng.nix

···

       3
        
         config,

     

       4
        
         lib,

     

       5
        
         ...

     

       6
       -
       }: let

     

       0
        
       
     

       7
        
         secrets = _utils.setupSecrets config {

     

       8
        
           namespace = "searxng";

     

       9
       -
           secrets = ["secret"];

     

       10
        
         };

     

       11
       -
       in {

     

       0
        
       
     

       12
        
         imports = [

     

       13
        
           secrets.generate

     

       14
        
           (secrets.mkTemplate "searxng.env" ''

     
···

       16
        
           '')

     

       17
        
         ];

     

       18
        
       

     

       19
       -
         users.users.nginx.extraGroups = [config.users.groups.searx.name];

     

       20
        
       

     

       21
        
         services.searx = {

     

       22
        
           enable = true;

     
···

       100
        
                 engine = "discourse";

     

       101
        
                 shortcut = "dno";

     

       102
        
                 base_url = "https://discourse.nixos.org";

     

       103
       -
                 categories = ["it" "q&a"];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       104
        
               }

     

       105
        
             ];

     

       106
        
           };

···

       3
        
         config,

     

       4
        
         lib,

     

       5
        
         ...

     

       6
       +
       }:

     

       7
       +
       let

     

       8
        
         secrets = _utils.setupSecrets config {

     

       9
        
           namespace = "searxng";

     

       10
       +
           secrets = [ "secret" ];

     

       11
        
         };

     

       12
       +
       in

     

       13
       +
       {

     

       14
        
         imports = [

     

       15
        
           secrets.generate

     

       16
        
           (secrets.mkTemplate "searxng.env" ''

     
···

       18
        
           '')

     

       19
        
         ];

     

       20
        
       

     

       21
       +
         users.users.nginx.extraGroups = [ config.users.groups.searx.name ];

     

       22
        
       

     

       23
        
         services.searx = {

     

       24
        
           enable = true;

     
···

       102
        
                 engine = "discourse";

     

       103
        
                 shortcut = "dno";

     

       104
        
                 base_url = "https://discourse.nixos.org";

     

       105
       +
                 categories = [

     

       106
       +
                   "it"

     

       107
       +
                   "q&a"

     

       108
       +
                 ];

     

       109
        
               }

     

       110
        
             ];

     

       111
        
           };

+2 -1

systems/koumakan/services/scm/default.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./forgejo.nix

     

       4
        
           ./tangled-knot.nix

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./forgejo.nix

     

       5
        
           ./tangled-knot.nix

+4 -3

systems/koumakan/services/scm/forgejo.nix

···

       4
        
         config,

     

       5
        
         pkgs,

     

       6
        
         ...

     

       7
       -
       }: let

     

       0
        
       
     

       8
        
         secrets = [

     

       9
        
           "database/pass"

     

       10
        
           "turnstile/secret"

     
···

       23
        
         #   else "/run/secrets/${ns}";

     

       24
        
       

     

       25
        
         runConfig = config.services.forgejo.customDir + "/conf/app.ini";

     

       26
       -
       in {

     

       0
        
       
     

       27
        
         sops.secrets = _utils.genSecrets ns secrets {

     

       28
        
           owner = config.services.forgejo.user;

     

       29
        
         };

     
···

       242
        
         # }}}

     

       243
        
       }

     

       244
        
       # vim:foldmethod=marker

     

       245
       -

···

       4
        
         config,

     

       5
        
         pkgs,

     

       6
        
         ...

     

       7
       +
       }:

     

       8
       +
       let

     

       9
        
         secrets = [

     

       10
        
           "database/pass"

     

       11
        
           "turnstile/secret"

     
···

       24
        
         #   else "/run/secrets/${ns}";

     

       25
        
       

     

       26
        
         runConfig = config.services.forgejo.customDir + "/conf/app.ini";

     

       27
       +
       in

     

       28
       +
       {

     

       29
        
         sops.secrets = _utils.genSecrets ns secrets {

     

       30
        
           owner = config.services.forgejo.user;

     

       31
        
         };

     
···

       244
        
         # }}}

     

       245
        
       }

     

       246
        
       # vim:foldmethod=marker

     

       0

+5 -3

systems/koumakan/services/scm/tangled-knot.nix

···

       2
        
         _utils,

     

       3
        
         config,

     

       4
        
         ...

     

       5
       -
       }: let

     

       0
        
       
     

       6
        
         secrets = _utils.setupSecrets config {

     

       7
        
           namespace = "tangled";

     

       8
       -
           secrets = ["knot/key"];

     

       9
        
         };

     

       10
       -
       in {

     

       0
        
       
     

       11
        
         imports = [

     

       12
        
           secrets.generate

     

       13

···

       2
        
         _utils,

     

       3
        
         config,

     

       4
        
         ...

     

       5
       +
       }:

     

       6
       +
       let

     

       7
        
         secrets = _utils.setupSecrets config {

     

       8
        
           namespace = "tangled";

     

       9
       +
           secrets = [ "knot/key" ];

     

       10
        
         };

     

       11
       +
       in

     

       12
       +
       {

     

       13
        
         imports = [

     

       14
        
           secrets.generate

     

       15

+2 -1

systems/koumakan/services/security/default.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./vaultwarden.nix

     

       4
        
         ];

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./vaultwarden.nix

     

       5
        
         ];

+24 -20

systems/koumakan/services/security/vaultwarden.nix

···

       3
        
         config,

     

       4
        
         # lib,

     

       5
        
         ...

     

       6
       -
       }: let

     

       0
        
       
     

       7
        
         # mkSecrets = file:

     

       8
        
         #   if !lib.elem file secrets

     

       9
        
         #   then throw "Provided secret file ${file} is not in the list of defined secrets."

     
···

       23
        
           "push/installation_id"

     

       24
        
           "push/installation_key"

     

       25
        
         ];

     

       26
       -
       in {

     

       27
       -
         sops.secrets = _utils.genSecrets "vaultwarden" secrets {};

     

       28
       -
         sops.templates."vaultwarden.env".content = let

     

       29
       -
           ph = p: config.sops.placeholder."vaultwarden/${p}";

     

       30
       -
         in ''

     

       31
       -
           DATABASE_URL=postgresql://${ph "database/username"}:${ph "database/password"}@localhost/vaultwarden

     

       32
       -
           ADMIN_TOKEN=${ph "admin_token"}

     

       33
       -
           YUBICO_CLIENT_ID=${ph "yubico/id"}

     

       34
       -
           YUBICO_SECRET_KEY=${ph "yubico/secret"}

     

       35
       -
           SMTP_USERNAME=${ph "smtp/username"}

     

       36
       -
           SMTP_FROM=${ph "smtp/username"}

     

       37
       -
           SMTP_PASSWORD=${ph "smtp/password"}

     

       38
       -
           SMTP_HOST=${ph "smtp/host"}

     

       39
       -
           SMTP_SECURITY=${ph "smtp/security"}

     

       40
       -
           SMTP_PORT=${ph "smtp/port"}

     

       41
       -
           PUSH_INSTALLATION_ID=${ph "push/installation_id"}

     

       42
       -
           PUSH_INSTALLATION_KEY=${ph "push/installation_key"}

     

       43
       -
         '';

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       44
        
       

     

       45
        
         services.vaultwarden = {

     

       46
        
           enable = true;

     
···

       106
        
           upstreams = {

     

       107
        
             vault-default = {

     

       108
        
               servers = {

     

       109
       -
                 "[::1]:38480" = {};

     

       110
        
               };

     

       111
        
               extraConfig = ''

     

       112
        
                 zone vaultwarden 128k;  # XXX: are there any security implications if we reuse the same zone for both webvault and the ws server?

···

       3
        
         config,

     

       4
        
         # lib,

     

       5
        
         ...

     

       6
       +
       }:

     

       7
       +
       let

     

       8
        
         # mkSecrets = file:

     

       9
        
         #   if !lib.elem file secrets

     

       10
        
         #   then throw "Provided secret file ${file} is not in the list of defined secrets."

     
···

       24
        
           "push/installation_id"

     

       25
        
           "push/installation_key"

     

       26
        
         ];

     

       27
       +
       in

     

       28
       +
       {

     

       29
       +
         sops.secrets = _utils.genSecrets "vaultwarden" secrets { };

     

       30
       +
         sops.templates."vaultwarden.env".content =

     

       31
       +
           let

     

       32
       +
             ph = p: config.sops.placeholder."vaultwarden/${p}";

     

       33
       +
           in

     

       34
       +
           ''

     

       35
       +
             DATABASE_URL=postgresql://${ph "database/username"}:${ph "database/password"}@localhost/vaultwarden

     

       36
       +
             ADMIN_TOKEN=${ph "admin_token"}

     

       37
       +
             YUBICO_CLIENT_ID=${ph "yubico/id"}

     

       38
       +
             YUBICO_SECRET_KEY=${ph "yubico/secret"}

     

       39
       +
             SMTP_USERNAME=${ph "smtp/username"}

     

       40
       +
             SMTP_FROM=${ph "smtp/username"}

     

       41
       +
             SMTP_PASSWORD=${ph "smtp/password"}

     

       42
       +
             SMTP_HOST=${ph "smtp/host"}

     

       43
       +
             SMTP_SECURITY=${ph "smtp/security"}

     

       44
       +
             SMTP_PORT=${ph "smtp/port"}

     

       45
       +
             PUSH_INSTALLATION_ID=${ph "push/installation_id"}

     

       46
       +
             PUSH_INSTALLATION_KEY=${ph "push/installation_key"}

     

       47
       +
           '';

     

       48
        
       

     

       49
        
         services.vaultwarden = {

     

       50
        
           enable = true;

     
···

       110
        
           upstreams = {

     

       111
        
             vault-default = {

     

       112
        
               servers = {

     

       113
       +
                 "[::1]:38480" = { };

     

       114
        
               };

     

       115
        
               extraConfig = ''

     

       116
        
                 zone vaultwarden 128k;  # XXX: are there any security implications if we reuse the same zone for both webvault and the ws server?

+2 -1

systems/koumakan/services/static-sites/assets.nix

···

       1
       -
       {_utils, ...}: {

     

       0
        
       
     

       2
        
         services.nginx.virtualHosts."assets.soopy.moe" = _utils.mkVhost {

     

       3
        
           root = "/opt/public-assets";

     

       4
        
           locations = {

···

       1
       +
       { _utils, ... }:

     

       2
       +
       {

     

       3
        
         services.nginx.virtualHosts."assets.soopy.moe" = _utils.mkVhost {

     

       4
        
           root = "/opt/public-assets";

     

       5
        
           locations = {

+2 -1

systems/koumakan/services/static-sites/default.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./assets.nix

     

       4
        
           ./nonbunary.nix

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./assets.nix

     

       5
        
           ./nonbunary.nix

+2 -1

systems/koumakan/services/static-sites/nonbunary.nix

···

       1
       -
       {_utils, ...}: {

     

       0
        
       
     

       2
        
         services.nginx.virtualHosts."nonbunary.soopy.moe" = _utils.mkVhost {

     

       3
        
           locations."/".return = "404";

     

       4
        
           locations."= /" = _utils.mkNginxFile {

···

       1
       +
       { _utils, ... }:

     

       2
       +
       {

     

       3
        
         services.nginx.virtualHosts."nonbunary.soopy.moe" = _utils.mkVhost {

     

       4
        
           locations."/".return = "404";

     

       5
        
           locations."= /" = _utils.mkNginxFile {

+11 -7

systems/koumakan/services/static-sites/photography.nix

···

       4
        
         lib,

     

       5
        
         _utils,

     

       6
        
         ...

     

       7
       -
       }: {

     

       0
        
       
     

       8
        
         # TODO: we can make this better by just automating everything needed to make a h5ai site.

     

       9
        
         services.phpfpm.pools."photography" = {

     

       10
        
           user = "photography";

     
···

       22
        
             "php_admin_flag[log_errors]" = true;

     

       23
        
             "catch_workers_output" = true;

     

       24
        
           };

     

       25
       -
           phpEnv."PATH" = lib.makeBinPath (with pkgs; [

     

       26
       -
             zip

     

       27
       -
           ]);

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       28
        
         };

     

       29
        
       

     

       30
        
         services.nginx.virtualHosts."photography.soopy.moe" = _utils.mkVhost {

     
···

       54
        
           group = "photography";

     

       55
        
           createHome = false;

     

       56
        
         };

     

       57
       -
         users.groups.photography = {};

     

       58
        
       

     

       59
       -
         users.users.nginx.extraGroups = ["photography"];

     

       60
       -
         users.users.cassie.extraGroups = ["photography"];

     

       61
        
       }

···

       4
        
         lib,

     

       5
        
         _utils,

     

       6
        
         ...

     

       7
       +
       }:

     

       8
       +
       {

     

       9
        
         # TODO: we can make this better by just automating everything needed to make a h5ai site.

     

       10
        
         services.phpfpm.pools."photography" = {

     

       11
        
           user = "photography";

     
···

       23
        
             "php_admin_flag[log_errors]" = true;

     

       24
        
             "catch_workers_output" = true;

     

       25
        
           };

     

       26
       +
           phpEnv."PATH" = lib.makeBinPath (

     

       27
       +
             with pkgs;

     

       28
       +
             [

     

       29
       +
               zip

     

       30
       +
             ]

     

       31
       +
           );

     

       32
        
         };

     

       33
        
       

     

       34
        
         services.nginx.virtualHosts."photography.soopy.moe" = _utils.mkVhost {

     
···

       58
        
           group = "photography";

     

       59
        
           createHome = false;

     

       60
        
         };

     

       61
       +
         users.groups.photography = { };

     

       62
        
       

     

       63
       +
         users.users.nginx.extraGroups = [ "photography" ];

     

       64
       +
         users.users.cassie.extraGroups = [ "photography" ];

     

       65
        
       }

+2 -1

systems/koumakan/services/storage/atuin.nix

···

       1
       -
       {_utils, ...}: {

     

       0
        
       
     

       2
        
         services.atuin = {

     

       3
        
           enable = true;

     

       4
        
           database.createLocally = true;

···

       1
       +
       { _utils, ... }:

     

       2
       +
       {

     

       3
        
         services.atuin = {

     

       4
        
           enable = true;

     

       5
        
           database.createLocally = true;

+5 -3

systems/koumakan/services/storage/wastebin.nix

···

       2
        
         _utils,

     

       3
        
         config,

     

       4
        
         ...

     

       5
       -
       }: let

     

       0
        
       
     

       6
        
         secrets = _utils.setupSecrets config {

     

       7
        
           namespace = "wastebasket";

     

       8
       -
           secrets = ["key"];

     

       9
        
         };

     

       10
       -
       in {

     

       0
        
       
     

       11
        
         # figure out a way to disable encryption, i don't trust the impl.

     

       12
        
         imports = [

     

       13
        
           secrets.generate

···

       2
        
         _utils,

     

       3
        
         config,

     

       4
        
         ...

     

       5
       +
       }:

     

       6
       +
       let

     

       7
        
         secrets = _utils.setupSecrets config {

     

       8
        
           namespace = "wastebasket";

     

       9
       +
           secrets = [ "key" ];

     

       10
        
         };

     

       11
       +
       in

     

       12
       +
       {

     

       13
        
         # figure out a way to disable encryption, i don't trust the impl.

     

       14
        
         imports = [

     

       15
        
           secrets.generate

+4 -2

systems/koumakan/services/storage/zipline.nix

···

       3
        
         lib,

     

       4
        
         config,

     

       5
        
         ...

     

       6
       -
       }: let

     

       0
        
       
     

       7
        
         secrets = _utils.setupSecrets config {

     

       8
        
           namespace = "zipline";

     

       9
        
           secrets = [

     
···

       12
        
             "s3/access_secret"

     

       13
        
           ];

     

       14
        
         };

     

       15
       -
       in {

     

       0
        
       
     

       16
        
         imports = [

     

       17
        
           secrets.generate

     

       18
        
           (secrets.mkTemplate "zipline.env" ''

···

       3
        
         lib,

     

       4
        
         config,

     

       5
        
         ...

     

       6
       +
       }:

     

       7
       +
       let

     

       8
        
         secrets = _utils.setupSecrets config {

     

       9
        
           namespace = "zipline";

     

       10
        
           secrets = [

     
···

       13
        
             "s3/access_secret"

     

       14
        
           ];

     

       15
        
         };

     

       16
       +
       in

     

       17
       +
       {

     

       18
        
         imports = [

     

       19
        
           secrets.generate

     

       20
        
           (secrets.mkTemplate "zipline.env" ''

+2 -1

systems/koumakan/services/telemetry/default.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./victoriametrics.nix

     

       4
        
           ./grafana

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./victoriametrics.nix

     

       5
        
           ./grafana

+4 -2

systems/koumakan/services/telemetry/grafana/default.nix

···

       2
        
         _utils,

     

       3
        
         config,

     

       4
        
         ...

     

       5
       -
       }: let

     

       0
        
       
     

       6
        
         secrets = _utils.setupSecrets config {

     

       7
        
           namespace = "grafana";

     

       8
        
           secrets = [

     
···

       16
        
           };

     

       17
        
         };

     

       18
        
         fromSecret = path: "$__file{${secrets.get path}}";

     

       19
       -
       in {

     

       0
        
       
     

       20
        
         imports = [

     

       21
        
           secrets.generate

     

       22
        
           ./provisioning.nix

···

       2
        
         _utils,

     

       3
        
         config,

     

       4
        
         ...

     

       5
       +
       }:

     

       6
       +
       let

     

       7
        
         secrets = _utils.setupSecrets config {

     

       8
        
           namespace = "grafana";

     

       9
        
           secrets = [

     
···

       17
        
           };

     

       18
        
         };

     

       19
        
         fromSecret = path: "$__file{${secrets.get path}}";

     

       20
       +
       in

     

       21
       +
       {

     

       22
        
         imports = [

     

       23
        
           secrets.generate

     

       24
        
           ./provisioning.nix

+5 -2

systems/koumakan/services/telemetry/grafana/provisioning.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         services.grafana.provision = {

     

       3
        
           datasources.settings = {

     

       4
        
             apiVersion = 1; # i am stupid. keep this as 1.

     
···

       11
        
                 uid = "gs_panopticon";

     

       12
        
                 url = "http://localhost:20090";

     

       13
        
                 isDefault = true;

     

       14
       -
                 jsonData = {prometheusVersion = "2.44.0";};

     

       0
        
       
     

       0
        
       
     

       15
        
               }

     

       16
        
             ];

     

       17
        
           };

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         services.grafana.provision = {

     

       4
        
           datasources.settings = {

     

       5
        
             apiVersion = 1; # i am stupid. keep this as 1.

     
···

       12
        
                 uid = "gs_panopticon";

     

       13
        
                 url = "http://localhost:20090";

     

       14
        
                 isDefault = true;

     

       15
       +
                 jsonData = {

     

       16
       +
                   prometheusVersion = "2.44.0";

     

       17
       +
                 };

     

       18
        
               }

     

       19
        
             ];

     

       20
        
           };

+24 -24

systems/koumakan/services/telemetry/victoriametrics.nix

···

       3
        
         lib,

     

       4
        
         _utils,

     

       5
        
         ...

     

       6
       -
       }: let

     

       0
        
       
     

       7
        
         monitoredHosts = [

     

       8
        
           "mail"

     

       9
        
           "satori"

     
···

       14
        
         ];

     

       15
        
         secrets = _utils.setupSecrets config {

     

       16
        
           namespace = "vmetrics";

     

       17
       -
           secrets = ["agent/akkoma"] ++ builtins.map (f: "auth/hosts/" + f) monitoredHosts;

     

       18
        
         };

     

       19
       -
       in {

     

       0
        
       
     

       20
        
         imports = [

     

       21
        
           secrets.generate

     

       22
        
       

     
···

       24
        
             VMA_AKKOMA_CRED=${secrets.placeholder "agent/akkoma"}

     

       25
        
           '')

     

       26
        
           (secrets.mkTemplate "vmauth.env" (

     

       27
       -
             lib.concatLines (builtins.map (

     

       0
        
       
     

       28
        
                 host: "AUTH_${lib.toUpper host}_TOKEN=${secrets.placeholder "auth/hosts/${host}"}"

     

       29
       -
               )

     

       30
       -
               monitoredHosts)

     

       31
        
           ))

     

       32
        
         ];

     

       33
        
       

     
···

       63
        
                 static_configs = lib.singleton {

     

       64
        
                   targets = lib.singleton "localhost:${builtins.toString config.services.prometheus.exporters.node.port}";

     

       65
        
                 };

     

       66
       -
                 relabel_configs =

     

       67
       -
                   lib.singleton

     

       68
       -
                   {

     

       69
       -
                     target_label = "instance";

     

       70
       -
                     replacement = "koumakan";

     

       71
       -
                   };

     

       72
        
               }

     

       73
        
       

     

       74
        
               # external nodes uses remote write

     
···

       77
        
               # other services' metrics

     

       78
        
               {

     

       79
        
                 job_name = "nginx";

     

       80
       -
                 static_configs = lib.singleton {targets = lib.singleton "localhost:${builtins.toString config.services.prometheus.exporters.nginx.port}";};

     

       81
       -
                 relabel_configs =

     

       82
       -
                   lib.singleton

     

       83
       -
                   {

     

       84
       -
                     target_label = "instance";

     

       85
       -
                     replacement = "koumakan";

     

       86
       -
                   };

     

       87
        
               }

     

       88
        
             ];

     

       89
        
           };

     
···

       101
        
           authConfig = {

     

       102
        
             users = builtins.concatMap (

     

       103
        
               token:

     

       104
       -
                 lib.singleton

     

       105
       -
                 {

     

       106
       -
                   bearer_token = token;

     

       107
       -
                   url_prefix = "http://${config.services.victoriametrics.listenAddress}"; # send directly to vm

     

       108
       -
                 }

     

       109
        
             ) (builtins.map (host: "%{AUTH_${lib.toUpper host}_TOKEN}") monitoredHosts);

     

       110
        
           };

     

       111
        
           environmentFile = secrets.getTemplate "vmauth.env";

···

       3
        
         lib,

     

       4
        
         _utils,

     

       5
        
         ...

     

       6
       +
       }:

     

       7
       +
       let

     

       8
        
         monitoredHosts = [

     

       9
        
           "mail"

     

       10
        
           "satori"

     
···

       15
        
         ];

     

       16
        
         secrets = _utils.setupSecrets config {

     

       17
        
           namespace = "vmetrics";

     

       18
       +
           secrets = [ "agent/akkoma" ] ++ builtins.map (f: "auth/hosts/" + f) monitoredHosts;

     

       19
        
         };

     

       20
       +
       in

     

       21
       +
       {

     

       22
        
         imports = [

     

       23
        
           secrets.generate

     

       24
        
       

     
···

       26
        
             VMA_AKKOMA_CRED=${secrets.placeholder "agent/akkoma"}

     

       27
        
           '')

     

       28
        
           (secrets.mkTemplate "vmauth.env" (

     

       29
       +
             lib.concatLines (

     

       30
       +
               builtins.map (

     

       31
        
                 host: "AUTH_${lib.toUpper host}_TOKEN=${secrets.placeholder "auth/hosts/${host}"}"

     

       32
       +
               ) monitoredHosts

     

       33
       +
             )

     

       34
        
           ))

     

       35
        
         ];

     

       36
        
       

     
···

       66
        
                 static_configs = lib.singleton {

     

       67
        
                   targets = lib.singleton "localhost:${builtins.toString config.services.prometheus.exporters.node.port}";

     

       68
        
                 };

     

       69
       +
                 relabel_configs = lib.singleton {

     

       70
       +
                   target_label = "instance";

     

       71
       +
                   replacement = "koumakan";

     

       72
       +
                 };

     

       0
        
       
     

       0
        
       
     

       73
        
               }

     

       74
        
       

     

       75
        
               # external nodes uses remote write

     
···

       78
        
               # other services' metrics

     

       79
        
               {

     

       80
        
                 job_name = "nginx";

     

       81
       +
                 static_configs = lib.singleton {

     

       82
       +
                   targets = lib.singleton "localhost:${builtins.toString config.services.prometheus.exporters.nginx.port}";

     

       83
       +
                 };

     

       84
       +
                 relabel_configs = lib.singleton {

     

       85
       +
                   target_label = "instance";

     

       86
       +
                   replacement = "koumakan";

     

       87
       +
                 };

     

       88
        
               }

     

       89
        
             ];

     

       90
        
           };

     
···

       102
        
           authConfig = {

     

       103
        
             users = builtins.concatMap (

     

       104
        
               token:

     

       105
       +
               lib.singleton {

     

       106
       +
                 bearer_token = token;

     

       107
       +
                 url_prefix = "http://${config.services.victoriametrics.listenAddress}"; # send directly to vm

     

       108
       +
               }

     

       0
        
       
     

       109
        
             ) (builtins.map (host: "%{AUTH_${lib.toUpper host}_TOKEN}") monitoredHosts);

     

       110
        
           };

     

       111
        
           environmentFile = secrets.getTemplate "vmauth.env";

+2 -1

systems/nijika/configuration.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./services

     

       4
        
           ./networking.nix # generated at runtime by nixos-infect

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./services

     

       5
        
           ./networking.nix # generated at runtime by nixos-infect

+9 -4

systems/nijika/hardware-configuration.nix

···

       1
       -
       {modulesPath, ...}: {

     

       2
       -
         imports = [(modulesPath + "/profiles/qemu-guest.nix")];

     

       0
        
       
     

       3
        
         boot.loader.grub = {

     

       4
        
           efiSupport = true;

     

       5
        
           efiInstallAsRemovable = true;

     
···

       9
        
           device = "/dev/disk/by-uuid/5E93-6B15";

     

       10
        
           fsType = "vfat";

     

       11
        
         };

     

       12
       -
         boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront"];

     

       13
       -
         boot.initrd.kernelModules = ["nvme"];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       14
        
         fileSystems."/" = {

     

       15
        
           device = "/dev/sda1";

     

       16
        
           fsType = "ext4";

···

       1
       +
       { modulesPath, ... }:

     

       2
       +
       {

     

       3
       +
         imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];

     

       4
        
         boot.loader.grub = {

     

       5
        
           efiSupport = true;

     

       6
        
           efiInstallAsRemovable = true;

     
···

       10
        
           device = "/dev/disk/by-uuid/5E93-6B15";

     

       11
        
           fsType = "vfat";

     

       12
        
         };

     

       13
       +
         boot.initrd.availableKernelModules = [

     

       14
       +
           "ata_piix"

     

       15
       +
           "uhci_hcd"

     

       16
       +
           "xen_blkfront"

     

       17
       +
         ];

     

       18
       +
         boot.initrd.kernelModules = [ "nvme" ];

     

       19
        
         fileSystems."/" = {

     

       20
        
           device = "/dev/sda1";

     

       21
        
           fsType = "ext4";

+2 -1

systems/nijika/networking.nix

···

       1
       -
       {lib, ...}: {

     

       0
        
       
     

       2
        
         # This file was populated at runtime with the networking

     

       3
        
         # details gathered from the active system.

     

       4
        
         networking = {

···

       1
       +
       { lib, ... }:

     

       2
       +
       {

     

       3
        
         # This file was populated at runtime with the networking

     

       4
        
         # details gathered from the active system.

     

       5
        
         networking = {

+2 -1

systems/nijika/services/default.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./fallback_page

     

       4
        
         ];

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./fallback_page

     

       5
        
         ];

+3 -2

systems/nijika/services/fallback_page/default.nix

···

       2
        
         pkgs,

     

       3
        
         _utils,

     

       4
        
         ...

     

       5
       -
       }: {

     

       0
        
       
     

       6
        
         services.nginx.virtualHosts."nijika.soopy.moe" = _utils.mkVhost {

     

       7
        
           useACMEHost = null;

     

       8
        
           enableACME = true;

     

       9
        
           default = true;

     

       10
        
       

     

       11
        
           locations."/" = {

     

       12
       -
             root = pkgs.callPackage ./package.nix {};

     

       13
        
             tryFiles = "$uri $uri/index.html $uri.html =404";

     

       14
        
           };

     

       15
        
         };

···

       2
        
         pkgs,

     

       3
        
         _utils,

     

       4
        
         ...

     

       5
       +
       }:

     

       6
       +
       {

     

       7
        
         services.nginx.virtualHosts."nijika.soopy.moe" = _utils.mkVhost {

     

       8
        
           useACMEHost = null;

     

       9
        
           enableACME = true;

     

       10
        
           default = true;

     

       11
        
       

     

       12
        
           locations."/" = {

     

       13
       +
             root = pkgs.callPackage ./package.nix { };

     

       14
        
             tryFiles = "$uri $uri/index.html $uri.html =404";

     

       15
        
           };

     

       16
        
         };

+1 -1

systems/nijika/services/fallback_page/package.nix

···

       1
       -
       {stdenvNoCC}:

     

       2
        
       stdenvNoCC.mkDerivation (final: {

     

       3
        
         name = "nijika-landing";

     

       4
        
         src = ./.;

···

       1
       +
       { stdenvNoCC }:

     

       2
        
       stdenvNoCC.mkDerivation (final: {

     

       3
        
         name = "nijika-landing";

     

       4
        
         src = ./.;

+2 -1

systems/renko/configuration.nix

···

       2
        
         inputs,

     

       3
        
         pkgs,

     

       4
        
         ...

     

       5
       -
       }: {

     

       0
        
       
     

       6
        
         imports = [

     

       7
        
           ./gui

     

       8
        
           ./development

···

       2
        
         inputs,

     

       3
        
         pkgs,

     

       4
        
         ...

     

       5
       +
       }:

     

       6
       +
       {

     

       7
        
         imports = [

     

       8
        
           ./gui

     

       9
        
           ./development

+2 -1

systems/renko/development/default.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./docker.nix

     

       4
        
           ./postgresql.nix

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./docker.nix

     

       5
        
           ./postgresql.nix

+2 -1

systems/renko/development/docker.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         virtualisation.docker = {

     

       3
        
           enable = true;

     

       4
        
           storageDriver = "btrfs";

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         virtualisation.docker = {

     

       4
        
           enable = true;

     

       5
        
           storageDriver = "btrfs";

+2 -1

systems/renko/development/postgresql.nix

···

       1
       -
       {lib, ...}: {

     

       0
        
       
     

       2
        
         services.postgresql = {

     

       3
        
           enable = true;

     

       4
        
           enableTCPIP = true;

···

       1
       +
       { lib, ... }:

     

       2
       +
       {

     

       3
        
         services.postgresql = {

     

       4
        
           enable = true;

     

       5
        
           enableTCPIP = true;

+2 -1

systems/renko/gui/default.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./virt.nix

     

       4
        
           ./finance.nix

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./virt.nix

     

       5
        
           ./finance.nix

+2 -1

systems/renko/gui/finance.nix

···

       1
       -
       {pkgs, ...}: {

     

       0
        
       
     

       2
        
         environment.systemPackages = [

     

       3
        
           pkgs.kmymoney

     

       4
        
         ];

···

       1
       +
       { pkgs, ... }:

     

       2
       +
       {

     

       3
        
         environment.systemPackages = [

     

       4
        
           pkgs.kmymoney

     

       5
        
         ];

+2 -1

systems/renko/gui/games/default.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./osu.nix

     

       4
        
           ./steam.nix

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./osu.nix

     

       5
        
           ./steam.nix

+2 -1

systems/renko/gui/graphics.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         # enforce settings

     

       3
        
         hardware.opengl = {

     

       4
        
           enable = true;

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         # enforce settings

     

       4
        
         hardware.opengl = {

     

       5
        
           enable = true;

+2 -1

systems/renko/gui/virt.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         programs.virt-manager.enable = true;

     

       3
        
         virtualisation.libvirtd = {

     

       4
        
           enable = true;

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         programs.virt-manager.enable = true;

     

       4
        
         virtualisation.libvirtd = {

     

       5
        
           enable = true;

+17 -7

systems/renko/hardware-configuration.nix

···

       6
        
         lib,

     

       7
        
         modulesPath,

     

       8
        
         ...

     

       9
       -
       }: {

     

       0
        
       
     

       10
        
         imports = [

     

       11
        
           (modulesPath + "/installer/scan/not-detected.nix")

     

       12
        
         ];

     

       13
        
       

     

       14
       -
         boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usbhid"];

     

       15
       -
         boot.initrd.kernelModules = [];

     

       16
       -
         boot.kernelModules = ["kvm-amd"];

     

       17
       -
         boot.extraModulePackages = [];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       18
        
       

     

       19
        
         fileSystems."/" = {

     

       20
        
           device = "/dev/disk/by-uuid/e6637f8a-12fc-4aa4-8335-3fad10d8f63a";

     
···

       31
        
         fileSystems."/efi" = {

     

       32
        
           device = "/dev/disk/by-uuid/77E6-011C";

     

       33
        
           fsType = "vfat";

     

       34
       -
           options = ["fmask=0022" "dmask=0022" "umask=0077"];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       35
        
         };

     

       36
        
       

     

       37
        
         swapDevices = [

     

       38
       -
           {device = "/dev/disk/by-uuid/40a77774-ab28-45db-8f8a-845814eacba9";}

     

       39
        
         ];

     

       40
        
       

     

       41
        
         # Enables DHCP on each ethernet and wireless interface. In case of scripted networking

···

       6
        
         lib,

     

       7
        
         modulesPath,

     

       8
        
         ...

     

       9
       +
       }:

     

       10
       +
       {

     

       11
        
         imports = [

     

       12
        
           (modulesPath + "/installer/scan/not-detected.nix")

     

       13
        
         ];

     

       14
        
       

     

       15
       +
         boot.initrd.availableKernelModules = [

     

       16
       +
           "nvme"

     

       17
       +
           "xhci_pci"

     

       18
       +
           "ahci"

     

       19
       +
           "usbhid"

     

       20
       +
         ];

     

       21
       +
         boot.initrd.kernelModules = [ ];

     

       22
       +
         boot.kernelModules = [ "kvm-amd" ];

     

       23
       +
         boot.extraModulePackages = [ ];

     

       24
        
       

     

       25
        
         fileSystems."/" = {

     

       26
        
           device = "/dev/disk/by-uuid/e6637f8a-12fc-4aa4-8335-3fad10d8f63a";

     
···

       37
        
         fileSystems."/efi" = {

     

       38
        
           device = "/dev/disk/by-uuid/77E6-011C";

     

       39
        
           fsType = "vfat";

     

       40
       +
           options = [

     

       41
       +
             "fmask=0022"

     

       42
       +
             "dmask=0022"

     

       43
       +
             "umask=0077"

     

       44
       +
           ];

     

       45
        
         };

     

       46
        
       

     

       47
        
         swapDevices = [

     

       48
       +
           { device = "/dev/disk/by-uuid/40a77774-ab28-45db-8f8a-845814eacba9"; }

     

       49
        
         ];

     

       50
        
       

     

       51
        
         # Enables DHCP on each ethernet and wireless interface. In case of scripted networking

+2 -1

systems/renko/services/default.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./vmagent.nix

     

       4
        
           ./minio.nix

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./vmagent.nix

     

       5
        
           ./minio.nix

+4 -2

systems/renko/services/minio.nix

···

       2
        
         _utils,

     

       3
        
         config,

     

       4
        
         ...

     

       5
       -
       }: let

     

       0
        
       
     

       6
        
         secrets = _utils.setupSecrets config {

     

       7
        
           namespace = "minio";

     

       8
        
           secrets = [

     
···

       10
        
             "root_pass"

     

       11
        
           ];

     

       12
        
         };

     

       13
       -
       in {

     

       0
        
       
     

       14
        
         imports = [

     

       15
        
           secrets.generate

     

       16
        
           (secrets.mkTemplate "minio.env" ''

···

       2
        
         _utils,

     

       3
        
         config,

     

       4
        
         ...

     

       5
       +
       }:

     

       6
       +
       let

     

       7
        
         secrets = _utils.setupSecrets config {

     

       8
        
           namespace = "minio";

     

       9
        
           secrets = [

     
···

       11
        
             "root_pass"

     

       12
        
           ];

     

       13
        
         };

     

       14
       +
       in

     

       15
       +
       {

     

       16
        
         imports = [

     

       17
        
           secrets.generate

     

       18
        
           (secrets.mkTemplate "minio.env" ''

+6 -4

systems/renko/services/vmagent.nix

···

       3
        
         config,

     

       4
        
         lib,

     

       5
        
         ...

     

       6
       -
       }: let

     

       0
        
       
     

       7
        
         secrets = _utils.setupSecrets config {

     

       8
        
           namespace = "vmetrics";

     

       9
       -
           secrets = ["minio_token"];

     

       10
        
         };

     

       11
       -
       in {

     

       0
        
       
     

       12
        
         imports = lib.singleton secrets.generate;

     

       13
        
         systemd.services.vmagent.serviceConfig.LoadCredential = [

     

       14
        
           "minio_token:${secrets.get "minio_token"}"

     
···

       18
        
           job_name = "minio-job";

     

       19
        
           metrics_path = "/minio/v2/metrics/cluster";

     

       20
        
           scheme = "http";

     

       21
       -
           static_configs = lib.singleton {targets = lib.singleton "localhost:26531";};

     

       22
        
           relabel_configs = lib.singleton {

     

       23
        
             target_label = "instance";

     

       24
        
             replacement = config.networking.fqdnOrHostName;

···

       3
        
         config,

     

       4
        
         lib,

     

       5
        
         ...

     

       6
       +
       }:

     

       7
       +
       let

     

       8
        
         secrets = _utils.setupSecrets config {

     

       9
        
           namespace = "vmetrics";

     

       10
       +
           secrets = [ "minio_token" ];

     

       11
        
         };

     

       12
       +
       in

     

       13
       +
       {

     

       14
        
         imports = lib.singleton secrets.generate;

     

       15
        
         systemd.services.vmagent.serviceConfig.LoadCredential = [

     

       16
        
           "minio_token:${secrets.get "minio_token"}"

     
···

       20
        
           job_name = "minio-job";

     

       21
        
           metrics_path = "/minio/v2/metrics/cluster";

     

       22
        
           scheme = "http";

     

       23
       +
           static_configs = lib.singleton { targets = lib.singleton "localhost:26531"; };

     

       24
        
           relabel_configs = lib.singleton {

     

       25
        
             target_label = "instance";

     

       26
        
             replacement = config.networking.fqdnOrHostName;

+2 -1

systems/ryo/configuration.nix

···

       1
        
       # ryo because empty-headed. also btr naming scheme.

     

       2
        
       # DO NOT copy anything done on this host, it's insecure by design.

     

       3
       -
       {...}: {

     

       0
        
       
     

       4
        
         imports = [

     

       5
        
           ./services

     

       6
        
         ];

···

       1
        
       # ryo because empty-headed. also btr naming scheme.

     

       2
        
       # DO NOT copy anything done on this host, it's insecure by design.

     

       3
       +
       { ... }:

     

       4
       +
       {

     

       5
        
         imports = [

     

       6
        
           ./services

     

       7
        
         ];

+13 -4

systems/ryo/hardware-configuration.nix

···

       2
        
         modulesPath,

     

       3
        
         lib,

     

       4
        
         ...

     

       5
       -
       }: {

     

       6
       -
         imports = [(modulesPath + "/profiles/qemu-guest.nix")];

     

       0
        
       
     

       7
        
       

     

       8
       -
         boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "xen_blkfront" "vmw_pvscsi"];

     

       9
       -
         boot.initrd.kernelModules = ["nvme"];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       10
        
         boot.loader.grub = {

     

       11
        
           efiSupport = true;

     

       12
        
           efiInstallAsRemovable = true;

···

       2
        
         modulesPath,

     

       3
        
         lib,

     

       4
        
         ...

     

       5
       +
       }:

     

       6
       +
       {

     

       7
       +
         imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];

     

       8
        
       

     

       9
       +
         boot.initrd.availableKernelModules = [

     

       10
       +
           "ata_piix"

     

       11
       +
           "uhci_hcd"

     

       12
       +
           "virtio_pci"

     

       13
       +
           "virtio_scsi"

     

       14
       +
           "sd_mod"

     

       15
       +
           "xen_blkfront"

     

       16
       +
           "vmw_pvscsi"

     

       17
       +
         ];

     

       18
       +
         boot.initrd.kernelModules = [ "nvme" ];

     

       19
        
         boot.loader.grub = {

     

       20
        
           efiSupport = true;

     

       21
        
           efiInstallAsRemovable = true;

+2 -1

systems/ryo/services/default.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         imports = [

     

       3
        
           ./novnc.nix

     

       4
        
           ./thefunny.nix

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         imports = [

     

       4
        
           ./novnc.nix

     

       5
        
           ./thefunny.nix

+4 -3

systems/ryo/services/novnc.nix

···

       3
        
         pkgs,

     

       4
        
         lib,

     

       5
        
         ...

     

       6
       -
       }: {

     

       0
        
       
     

       7
        
         services.nginx.virtualHosts."ryo.soopy.moe" = _utils.mkSimpleProxy {

     

       8
        
           port = 6080;

     

       9
        
           websockets = true;

     
···

       16
        
       

     

       17
        
         systemd.services."novnc" = {

     

       18
        
           enable = true;

     

       19
       -
           wantedBy = ["multi-user.target"];

     

       20
       -
           path = with pkgs; [procps];

     

       21
        
           serviceConfig = {

     

       22
        
             DynamicUser = true;

     

       23
        
             ExecStart = "${lib.getExe pkgs.novnc} --file-only";

···

       3
        
         pkgs,

     

       4
        
         lib,

     

       5
        
         ...

     

       6
       +
       }:

     

       7
       +
       {

     

       8
        
         services.nginx.virtualHosts."ryo.soopy.moe" = _utils.mkSimpleProxy {

     

       9
        
           port = 6080;

     

       10
        
           websockets = true;

     
···

       17
        
       

     

       18
        
         systemd.services."novnc" = {

     

       19
        
           enable = true;

     

       20
       +
           wantedBy = [ "multi-user.target" ];

     

       21
       +
           path = with pkgs; [ procps ];

     

       22
        
           serviceConfig = {

     

       23
        
             DynamicUser = true;

     

       24
        
             ExecStart = "${lib.getExe pkgs.novnc} --file-only";

+26 -25

systems/ryo/services/thefunny.nix

···

       2
        
         pkgs,

     

       3
        
         lib,

     

       4
        
         ...

     

       5
       -
       }: let

     

       0
        
       
     

       6
        
         serviceHardening = {

     

       7
        
           PrivateUsers = true;

     

       8
        
           LockPersonality = true;

     
···

       27
        
             # "~@privileged" # cage/wlroots needs setgid for some reason?

     

       28
        
           ];

     

       29
        
         };

     

       30
       -
       in {

     

       0
        
       
     

       31
        
         users.users.funny = {

     

       32
        
           isSystemUser = true;

     

       33
        
           group = "funny";

     

       34
        
         };

     

       35
       -
         users.groups.funny = {};

     

       36
        
       

     

       37
        
         systemd.services = {

     

       38
        
           cage-feh = {

     

       39
       -
             wantedBy = ["multi-user.target"];

     

       40
       -
             serviceConfig =

     

       41
       -
               {

     

       42
       -
                 User = "funny";

     

       43
       -
                 RuntimeDirectory = "funny";

     

       44
       -
                 Restart = "on-failure";

     

       45
       -
                 RestartSec = "1";

     

       46
       -
               }

     

       47
       -
               // serviceHardening;

     

       48
       -
             path = with pkgs; [cage feh];

     

       0
        
       
     

       49
        
             script = ''

     

       50
        
               set -e

     

       51
        
               cage -d feh -- -.dz -D10 --draw-tinted /srv/funny

     
···

       58
        
           };

     

       59
        
       

     

       60
        
           wayvnc-feh = {

     

       61
       -
             wantedBy = ["multi-user.target"];

     

       62
       -
             requires = ["cage-feh.service"];

     

       63
       -
             after = ["cage-feh.service"];

     

       64
       -
             serviceConfig =

     

       65
       -
               {

     

       66
       -
                 User = "funny";

     

       67
       -
                 RuntimeDirectory = "funny";

     

       68
       -
                 ExecStart = "${lib.getExe pkgs.wayvnc} -d 0.0.0.0";

     

       69
       -
                 Restart = "on-failure";

     

       70
       -
                 RestartSec = "1";

     

       71
       -
               }

     

       72
       -
               // serviceHardening;

     

       73
        
             environment = {

     

       74
        
               WAYLAND_DISPLAY = "wayland-0";

     

       75
        
               XDG_RUNTIME_DIR = "%t/funny";

···

       2
        
         pkgs,

     

       3
        
         lib,

     

       4
        
         ...

     

       5
       +
       }:

     

       6
       +
       let

     

       7
        
         serviceHardening = {

     

       8
        
           PrivateUsers = true;

     

       9
        
           LockPersonality = true;

     
···

       28
        
             # "~@privileged" # cage/wlroots needs setgid for some reason?

     

       29
        
           ];

     

       30
        
         };

     

       31
       +
       in

     

       32
       +
       {

     

       33
        
         users.users.funny = {

     

       34
        
           isSystemUser = true;

     

       35
        
           group = "funny";

     

       36
        
         };

     

       37
       +
         users.groups.funny = { };

     

       38
        
       

     

       39
        
         systemd.services = {

     

       40
        
           cage-feh = {

     

       41
       +
             wantedBy = [ "multi-user.target" ];

     

       42
       +
             serviceConfig = {

     

       43
       +
               User = "funny";

     

       44
       +
               RuntimeDirectory = "funny";

     

       45
       +
               Restart = "on-failure";

     

       46
       +
               RestartSec = "1";

     

       47
       +
             } // serviceHardening;

     

       48
       +
             path = with pkgs; [

     

       49
       +
               cage

     

       50
       +
               feh

     

       51
       +
             ];

     

       52
        
             script = ''

     

       53
        
               set -e

     

       54
        
               cage -d feh -- -.dz -D10 --draw-tinted /srv/funny

     
···

       61
        
           };

     

       62
        
       

     

       63
        
           wayvnc-feh = {

     

       64
       +
             wantedBy = [ "multi-user.target" ];

     

       65
       +
             requires = [ "cage-feh.service" ];

     

       66
       +
             after = [ "cage-feh.service" ];

     

       67
       +
             serviceConfig = {

     

       68
       +
               User = "funny";

     

       69
       +
               RuntimeDirectory = "funny";

     

       70
       +
               ExecStart = "${lib.getExe pkgs.wayvnc} -d 0.0.0.0";

     

       71
       +
               Restart = "on-failure";

     

       72
       +
               RestartSec = "1";

     

       73
       +
             } // serviceHardening;

     

       0
        
       
     

       0
        
       
     

       74
        
             environment = {

     

       75
        
               WAYLAND_DISPLAY = "wayland-0";

     

       76
        
               XDG_RUNTIME_DIR = "%t/funny";

+2 -1

systems/satori/configuration.nix

···

       3
        
         pkgs,

     

       4
        
         lib,

     

       5
        
         ...

     

       6
       -
       }: {

     

       0
        
       
     

       7
        
         imports = [

     

       8
        
           ./steam.nix

     

       9
        
           inputs.nixos-hardware.nixosModules.apple-t2

···

       3
        
         pkgs,

     

       4
        
         lib,

     

       5
        
         ...

     

       6
       +
       }:

     

       7
       +
       {

     

       8
        
         imports = [

     

       9
        
           ./steam.nix

     

       10
        
           inputs.nixos-hardware.nixosModules.apple-t2

+18 -7

systems/satori/hardware-configuration.nix

···

       6
        
         lib,

     

       7
        
         modulesPath,

     

       8
        
         ...

     

       9
       -
       }: {

     

       0
        
       
     

       10
        
         imports = [

     

       11
        
           (modulesPath + "/installer/scan/not-detected.nix")

     

       12
        
         ];

     

       13
        
       

     

       14
       -
         boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod"];

     

       15
       -
         boot.initrd.kernelModules = [];

     

       16
       -
         boot.kernelModules = ["kvm-intel"];

     

       17
       -
         boot.extraModulePackages = [];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       18
        
       

     

       19
        
         fileSystems."/" = {

     

       20
        
           device = "/dev/disk/by-uuid/f4bb41e2-b477-49e7-ae96-61fd80a63b2e";

     
···

       24
        
         fileSystems."/boot" = {

     

       25
        
           device = "/dev/disk/by-uuid/3231-A446";

     

       26
        
           fsType = "vfat";

     

       27
       -
           options = ["fmask=0022" "dmask=0022" "umask=0077"];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       28
        
         };

     

       29
        
       

     

       30
       -
         swapDevices = [];

     

       31
        
       

     

       32
        
         # Enables DHCP on each ethernet and wireless interface. In case of scripted networking

     

       33
        
         # (the default) this is the recommended approach. When using systemd-networkd it's

···

       6
        
         lib,

     

       7
        
         modulesPath,

     

       8
        
         ...

     

       9
       +
       }:

     

       10
       +
       {

     

       11
        
         imports = [

     

       12
        
           (modulesPath + "/installer/scan/not-detected.nix")

     

       13
        
         ];

     

       14
        
       

     

       15
       +
         boot.initrd.availableKernelModules = [

     

       16
       +
           "xhci_pci"

     

       17
       +
           "nvme"

     

       18
       +
           "usbhid"

     

       19
       +
           "usb_storage"

     

       20
       +
           "sd_mod"

     

       21
       +
         ];

     

       22
       +
         boot.initrd.kernelModules = [ ];

     

       23
       +
         boot.kernelModules = [ "kvm-intel" ];

     

       24
       +
         boot.extraModulePackages = [ ];

     

       25
        
       

     

       26
        
         fileSystems."/" = {

     

       27
        
           device = "/dev/disk/by-uuid/f4bb41e2-b477-49e7-ae96-61fd80a63b2e";

     
···

       31
        
         fileSystems."/boot" = {

     

       32
        
           device = "/dev/disk/by-uuid/3231-A446";

     

       33
        
           fsType = "vfat";

     

       34
       +
           options = [

     

       35
       +
             "fmask=0022"

     

       36
       +
             "dmask=0022"

     

       37
       +
             "umask=0077"

     

       38
       +
           ];

     

       39
        
         };

     

       40
        
       

     

       41
       +
         swapDevices = [ ];

     

       42
        
       

     

       43
        
         # Enables DHCP on each ethernet and wireless interface. In case of scripted networking

     

       44
        
         # (the default) this is the recommended approach. When using systemd-networkd it's

+2 -1

systems/satori/steam.nix

···

       1
       -
       {pkgs, ...}: {

     

       0
        
       
     

       2
        
         programs.steam = {

     

       3
        
           enable = true;

     

       4

···

       1
       +
       { pkgs, ... }:

     

       2
       +
       {

     

       3
        
         programs.steam = {

     

       4
        
           enable = true;

     

       5

+3 -2

users/_tester.nix

···

       1
       -
       {...}: {

     

       0
        
       
     

       2
        
         virtualisation.vmVariant.users.users._tester = builtins.warn "[vm] building tester user..." {

     

       3
        
           password = "explode";

     

       4
        
           isNormalUser = true;

     

       5
       -
           extraGroups = ["wheel"];

     

       6
        
         };

     

       7
        
       }

···

       1
       +
       { ... }:

     

       2
       +
       {

     

       3
        
         virtualisation.vmVariant.users.users._tester = builtins.warn "[vm] building tester user..." {

     

       4
        
           password = "explode";

     

       5
        
           isNormalUser = true;

     

       6
       +
           extraGroups = [ "wheel" ];

     

       7
        
         };

     

       8
        
       }

+1 -1

users/builder.nix

···

       24
        
           shell = pkgs.zsh;

     

       25
        
         };

     

       26
        
       

     

       27
       -
         users.groups.remote-builder = {};

     

       28
        
       }

···

       24
        
           shell = pkgs.zsh;

     

       25
        
         };

     

       26
        
       

     

       27
       +
         users.groups.remote-builder = { };

     

       28
        
       }