treewide: avoid repetitive keys in attrSets

Felix Buehler 2023-11-12 23:36:30 +01:00
parent 2a3f606557
commit 4b21221569
19 changed files with 994 additions and 947 deletions


@ -65,13 +65,15 @@ let
# Uncomment this to disable compression and speed up image creation time
#isoImage.squashfsCompression = "gzip -Xcompression-level 1";
boot.kernelPackages = linuxPackages_latest;
boot = {
kernelPackages = linuxPackages_latest;
# Always copytoram so that, if the image is booted from, e.g., a
# USB stick, nothing is mistakenly written to persistent storage.
boot.kernelParams = [ "copytoram" ];
kernelParams = [ "copytoram" ];
# Secure defaults
boot.tmp.cleanOnBoot = true;
boot.kernel.sysctl = { "kernel.unprivileged_bpf_disabled" = 1; };
tmp.cleanOnBoot = true;
kernel.sysctl = { "kernel.unprivileged_bpf_disabled" = 1; };
};
services.pcscd.enable = true;
services.udev.packages = [ yubikey-personalization ];
@ -121,14 +123,16 @@ let
# Disable networking so the system is air-gapped
# Comment all of these lines out if you'll need internet access
boot.initrd.network.enable = false;
networking.dhcpcd.enable = false;
networking.dhcpcd.allowInterfaces = [ ];
networking.interfaces = { };
networking.firewall.enable = true;
networking.useDHCP = false;
networking.useNetworkd = false;
networking.wireless.enable = false;
networking.networkmanager.enable = lib.mkForce false;
networking = {
dhcpcd.enable = false;
dhcpcd.allowInterfaces = [ ];
interfaces = { };
firewall.enable = true;
useDHCP = false;
useNetworkd = false;
wireless.enable = false;
networkmanager.enable = lib.mkForce false;
};
# Unset history so it's never stored
# Set GNUPGHOME to an ephemeral location and configure GPG with the
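Review bot: The regrouping under `networking = {` still leaves the `dhcpcd.` prefix repeated on the two adjacent lines `dhcpcd.enable = false;` and `dhcpcd.allowInterfaces = [ ];`, which is exactly the pattern the commit title says it removes; `dhcpcd = { enable = false; allowInterfaces = [ ]; };` would finish the job. The same leftover appears in the steam hardware file, where `opengl.driSupport32Bit` and `opengl.extraPackages32` sit side by side under the new `hardware = {` block. Within a single attribute-set literal the nested and dotted forms should evaluate identically, so no behavioural change is expected from either grouping. The `let` binding these hunks edit opens before the first hunk and closes after the last.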


@ -4,29 +4,31 @@ let
inherit (config.sops) secrets;
in
{
sops.secrets."acme/inwx" = { };
sops.secrets."borgbackup/password" = { };
sops.secrets."borgbackup/ssh_key" = { };
sops.secrets."sso/auth-key" = { };
sops.secrets."sso/felix/password-hash" = { };
sops.secrets."sso/felix/totp-secret" = { };
sops.secrets."paperless/password" = { };
sops.secrets."nextcloud/password" = {
sops.secrets = {
"acme/inwx" = { };
"borgbackup/password" = { };
"borgbackup/ssh_key" = { };
"sso/auth-key" = { };
"sso/felix/password-hash" = { };
"sso/felix/totp-secret" = { };
"paperless/password" = { };
"nextcloud/password" = {
owner = config.users.users.nextcloud.name;
};
sops.secrets."nextcloud-exporter/password" = {
"nextcloud-exporter/password" = {
owner = config.users.users.nextcloud-exporter.name;
};
sops.secrets."freshrss/password" = {
"freshrss/password" = {
owner = config.users.users.freshrss.name;
};
sops.secrets."photoprism/password" = { };
sops.secrets."grafana/password" = {
"photoprism/password" = { };
"grafana/password" = {
owner = config.users.users.grafana.name;
};
sops.secrets."matrix-bot/password" = {
"matrix-bot/password" = {
owner = config.systemd.services.go-neb.serviceConfig.User;
};
};
# List services that you want to enable:
my.services = {


@ -4,16 +4,18 @@ let
inherit (config.sops) secrets;
in
{
sops.secrets."acme/inwx" = { };
sops.secrets."borgbackup/password" = { };
sops.secrets."borgbackup/ssh_key" = { };
sops.secrets."dyndns/password" = { };
sops.secrets."sso/auth-key" = { };
sops.secrets."sso/felix/password-hash" = { };
sops.secrets."sso/felix/totp-secret" = { };
sops.secrets."prowlarr/apikey" = { };
sops.secrets."radarr/apikey" = { };
sops.secrets."sonarr/apikey" = { };
sops.secrets = {
"acme/inwx" = { };
"borgbackup/password" = { };
"borgbackup/ssh_key" = { };
"dyndns/password" = { };
"sso/auth-key" = { };
"sso/felix/password-hash" = { };
"sso/felix/totp-secret" = { };
"prowlarr/apikey" = { };
"radarr/apikey" = { };
"sonarr/apikey" = { };
};
# List services that you want to enable:
my.services = {


@ -25,7 +25,8 @@ in
}
];
services.prometheus = {
services = {
prometheus = {
alertmanager = {
enable = true;
listenAddress = "127.0.0.1";
@ -58,7 +59,7 @@ in
];
};
services.grafana.provision = {
grafana.provision = {
datasources.settings.datasources = [
{
name = "Alertmanager";
@ -72,7 +73,7 @@ in
];
};
services.grafana.provision = {
grafana.provision = {
dashboards.settings.providers = [
{
name = "Alertmanager";
@ -83,9 +84,9 @@ in
};
# for mail delivery
services.postfix.enable = true;
postfix.enable = true;
services.go-neb.config.services = [
go-neb.config.services = [
{
ID = "alertmanager_service";
Type = "alertmanager";
@ -127,6 +128,7 @@ in
};
}
];
};
my.services.prometheus.rules = {
alerts_silences_changed = {


@ -42,13 +42,14 @@ in
};
config = lib.mkIf cfg.enable {
services.prometheus.exporters.blackbox = {
services = {
prometheus.exporters.blackbox = {
enable = true;
configFile = pkgs.writeText "blackbox-config.yml" (builtins.toJSON blackBoxConfig);
};
# relabels as in https://github.com/prometheus/blackbox_exporter#prometheus-configuration
services.prometheus = {
prometheus = {
scrapeConfigs = [
{
job_name = "blackbox";
@ -79,6 +80,14 @@ in
}
];
};
grafana.provision.dashboards.settings.providers = [
{
name = "Blackbox";
options.path = pkgs.grafana-dashboards.blackbox;
disableDeletion = true;
}
];
};
my.services.prometheus.rules = {
BlackboxProbeFailed = {
@ -143,12 +152,5 @@ in
};
};
};
services.grafana.provision.dashboards.settings.providers = [
{
name = "Blackbox";
options.path = pkgs.grafana-dashboards.blackbox;
disableDeletion = true;
}
];
};
}


@ -27,7 +27,8 @@ in
};
config = lib.mkIf cfg.enable {
services.blocky = {
services = {
blocky = {
enable = true;
settings = {
@ -46,7 +47,7 @@ in
} // cfg.settings;
};
services.prometheus.scrapeConfigs = [
prometheus.scrapeConfigs = [
{
job_name = "blocky";
static_configs = [
@ -61,7 +62,7 @@ in
];
# untested
services.grafana.provision.dashboards.settings.providers = [
grafana.provision.dashboards.settings.providers = [
{
name = "Blocky";
options.path = pkgs.grafana-dashboards.blocky;
@ -69,4 +70,5 @@ in
}
];
};
};
}


@ -16,7 +16,8 @@ in
};
config = lib.mkIf cfg.enable {
services.gitea = {
services = {
gitea = {
enable = true;
settings = {
server = {
@ -32,22 +33,7 @@ in
lfs.enable = true;
};
# Proxy to Gitea
my.services.nginx.virtualHosts = [
{
subdomain = "code";
inherit (cfg) port;
}
];
my.services.backup = {
paths = [
config.services.gitea.lfs.contentDir
config.services.gitea.repositoryRoot
];
};
services.prometheus = {
prometheus = {
scrapeConfigs = [
{
job_name = "gitea";
@ -62,7 +48,7 @@ in
}
];
};
services.grafana.provision = {
grafana.provision = {
dashboards.settings.providers = [
{
name = "Gitea";
@ -71,13 +57,31 @@ in
}
];
};
};
my.services.prometheus.rules = {
# Proxy to Gitea
my.services = {
nginx.virtualHosts = [
{
subdomain = "code";
inherit (cfg) port;
}
];
backup = {
paths = [
config.services.gitea.lfs.contentDir
config.services.gitea.repositoryRoot
];
};
prometheus.rules = {
gitea = {
condition = ''rate(promhttp_metric_handler_requests_total{job="gitea", code="500"}[5m]) > 3'';
description = "{{$labels.instance}}: gitea instances error rate went up: {{$value}} errors in 5 minutes";
};
};
};
webapps.apps.gitea = {
dashboard = {
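Review bot: The `# Proxy to Gitea` comment now sits above the whole `my.services = {` block, which also holds the backup paths and the prometheus error-rate rule, so it no longer describes what follows it; moving it to directly above `nginx.virtualHosts = [` keeps it attached to the proxy definition it was written for. The `config = lib.mkIf cfg.enable {` set that these hunks edit opens before the first hunk and closes after the last.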


@ -31,7 +31,8 @@ in
};
config = lib.mkIf cfg.enable {
services.hedgedoc = {
services = {
hedgedoc = {
enable = true;
settings = {
@ -46,11 +47,7 @@ in
} // cfg.settings;
};
# temporary fix for: https://github.com/NixOS/nixpkgs/issues/198250
#systemd.services.hedgedoc.serviceConfig.StateDirectory = lib.mkForce "/var/lib/hedgedoc";
systemd.services.hedgedoc.serviceConfig.StateDirectory = lib.mkForce "hedgedoc";
services.prometheus = {
prometheus = {
scrapeConfigs = [
{
job_name = "hedgedoc";
@ -66,13 +63,19 @@ in
];
};
services.grafana.provision.dashboards.settings.providers = [
grafana.provision.dashboards.settings.providers = [
{
name = "Hedgedoc";
options.path = pkgs.grafana-dashboards.hedgedoc;
disableDeletion = true;
}
];
};
# TODO remove for 23.11
# temporary fix for: https://github.com/NixOS/nixpkgs/issues/198250
#systemd.services.hedgedoc.serviceConfig.StateDirectory = lib.mkForce "/var/lib/hedgedoc";
systemd.services.hedgedoc.serviceConfig.StateDirectory = lib.mkForce "hedgedoc";
my.services.nginx.virtualHosts = [
{
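Review bot: The commented-out `#systemd.services.hedgedoc.serviceConfig.StateDirectory = lib.mkForce "/var/lib/hedgedoc";` line is moved along with the live override and the new `# TODO remove for 23.11`, so the block now carries a dead alternative plus a removal note for the same setting; dropping the commented-out line leaves the TODO and the issue link, which is all a reader needs. The same kind of carried-over dead config appears in the nextcloud file (the `#postgresql = {` block, which was even re-indented to fit the new nesting, and `#systemd.services."nextcloud-setup" = {`) and in the nginx file, where `# services.prometheus = lib.mkIf cfg.monitoring.enable {` now sits above `prometheus = {` inside `services = {` and no longer matches the key it comments on. If that nginx comment is meant to be reinstated one day, `# prometheus = lib.mkIf cfg.monitoring.enable {` is the form that fits the new nesting; otherwise it is safer to delete it than to let it drift further from the code.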


@ -37,7 +37,8 @@
type = lib.types.attrsOf
(lib.types.submodule {
options = {
dashboard.url = lib.mkOption {
dashboard = {
url = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = ''
Url to webapp
@ -45,7 +46,7 @@
example = "http://192.168.1.10:1234";
default = null;
};
dashboard.name = lib.mkOption {
name = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = ''
Application name.
@ -53,7 +54,7 @@
example = "App";
default = null;
};
dashboard.category = lib.mkOption {
category = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = ''
App category tag.
@ -61,7 +62,7 @@
example = "app";
default = null;
};
dashboard.icon = lib.mkOption {
icon = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = ''
Font Awesome application icon.
@ -69,7 +70,7 @@
example = "rss";
default = null;
};
dashboard.type = lib.mkOption {
type = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = ''
application type.
@ -77,7 +78,7 @@
example = "Ping";
default = "Ping";
};
dashboard.method = lib.mkOption {
method = lib.mkOption {
type = lib.types.enum [ "get" "head" ];
description = ''
method of request used
@ -86,6 +87,7 @@
default = "head";
};
};
};
});
description = ''
Defines a web application.
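Review bot: With the options nested under `dashboard = {`, the pair `type = lib.mkOption {` followed by `type = lib.types.nullOr lib.types.str;` reads as a Nix type declaration at first glance, although the outer `type` is the option's name; a one-line comment above it such as `# option named "type": the dashboard entry's kind (e.g. "Ping"), not a Nix type` would spare the next reader a double take. The option descriptions are also inconsistent in form (`Url to webapp`, `application type.` and `method of request used` next to `Application name.`), and since they are now all visible together in one `dashboard` set this is a good moment to align them. The submodule that holds these options starts before the first hunk.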


@ -62,7 +62,8 @@ in
};
config = lib.mkIf cfg.enable {
services.loki = {
services = {
loki = {
enable = true;
configuration = {
server = {
@ -120,7 +121,7 @@ in
};
};
services.grafana.provision = {
grafana.provision = {
datasources.settings.datasources = [
{
name = "Loki";
@ -138,14 +139,7 @@ in
];
};
my.services.loki.rules = {
loki_highLogRate = {
condition = ''sum by (host) (rate({unit="loki.service"}[1m])) > 60'';
description = "Loki has a high logging rate";
};
};
services.prometheus = {
prometheus = {
scrapeConfigs = [
{
job_name = "loki";
@ -161,4 +155,12 @@ in
];
};
};
my.services.loki.rules = {
loki_highLogRate = {
condition = ''sum by (host) (rate({unit="loki.service"}[1m])) > 60'';
description = "Loki has a high logging rate";
};
};
};
}


@ -39,7 +39,8 @@ in
};
config = lib.mkIf cfg.enable {
services.navidrome = {
services = {
navidrome = {
enable = true;
settings = cfg.settings // {
@ -51,14 +52,7 @@ in
};
};
my.services.nginx.virtualHosts = [
{
subdomain = "music";
inherit (cfg) port;
}
];
services.prometheus = {
prometheus = {
scrapeConfigs = [
{
job_name = "navidrome";
@ -73,7 +67,7 @@ in
}
];
};
services.grafana.provision = {
grafana.provision = {
dashboards.settings.providers = [
{
name = "Navidrome";
@ -82,6 +76,7 @@ in
}
];
};
};
my.services.prometheus.rules = {
navidrome_not_enough_albums = {
@ -90,6 +85,13 @@ in
};
};
my.services.nginx.virtualHosts = [
{
subdomain = "music";
inherit (cfg) port;
}
];
webapps.apps.navidrome = {
dashboard = {
name = "Music";


@ -51,7 +51,8 @@ in
};
config = lib.mkIf cfg.enable {
services.nextcloud = {
services = {
nextcloud = {
enable = true;
package = pkgs.nextcloud27;
hostName = "cloud.${domain}";
@ -88,7 +89,7 @@ in
};
};
#services.postgresql = {
#postgresql = {
# enable = true;
# ensureDatabases = [ "nextcloud" ];
# ensureUsers = [
@ -99,13 +100,8 @@ in
# ];
#};
#systemd.services."nextcloud-setup" = {
# requires = [ "postgresql.service" ];
# after = [ "postgresql.service" ];
#};
# The service above configures the domain, no need for my wrapper
services.nginx.virtualHosts."cloud.${domain}" = {
nginx.virtualHosts."cloud.${domain}" = {
forceSSL = true;
useACMEHost = domain;
@ -115,14 +111,7 @@ in
'';
};
my.services.backup = {
exclude = [
# image previews can take up a lot of space
"${config.services.nextcloud.home}/data/appdata_*/preview"
];
};
services.prometheus.exporters.nextcloud = {
prometheus.exporters.nextcloud = {
enable = true;
url = "https://cloud.${domain}";
username = cfg.admin;
@ -130,7 +119,7 @@ in
port = cfg.exporterPort;
};
services.prometheus.scrapeConfigs = [
prometheus.scrapeConfigs = [
{
job_name = "nextcloud";
static_configs = [
@ -143,7 +132,7 @@ in
];
}
];
services.grafana.provision = {
grafana.provision = {
dashboards.settings.providers = [
{
name = "Nextcloud";
@ -152,6 +141,19 @@ in
}
];
};
};
#systemd.services."nextcloud-setup" = {
# requires = [ "postgresql.service" ];
# after = [ "postgresql.service" ];
#};
my.services.backup = {
exclude = [
# image previews can take up a lot of space
"${config.services.nextcloud.home}/data/appdata_*/preview"
];
};
webapps.apps.nextcloud = {
dashboard = {
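Review bot: The metrics exporter under `prometheus.exporters.nextcloud = {` authenticates as `username = cfg.admin;`, so whatever credential it holds (the password setting falls in the gap between the hunks and is not visible here) grants full administrative access to the instance rather than just metrics; if Nextcloud's exporter works with a non-admin account in this setup, a dedicated read-only user would limit what a leaked exporter credential can do. If the admin account is genuinely required, a comment saying so, e.g. `# exporter needs admin: serverinfo endpoint is admin-only`, documents the decision for the next reader. The `services = {` set these hunks edit opens at the first hunk and closes at the `};` just before `#systemd.services."nextcloud-setup"`.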


@ -153,8 +153,7 @@ in
};
};
config = lib.mkIf cfg.enable {
assertions = [ ]
++ (lib.flip builtins.map cfg.virtualHosts ({ subdomain, ... } @ args:
assertions = lib.flip builtins.map cfg.virtualHosts ({ subdomain, ... } @ args:
let
conflicts = [ "port" "root" ];
optionsNotNull = builtins.map (v: args.${v} != null) conflicts;
@ -167,7 +166,7 @@ in
lib.concatStringsSep ", " (builtins.map (v: "'${v}'") conflicts)
} configured.
'';
}))
})
# ++ (
# let
# ports = lib.my.mapFilter
@ -201,7 +200,8 @@ in
# map mkAssertion nonUniques
# )
;
services.nginx = {
services = {
nginx = {
enable = true;
statusPage = true; # For monitoring scraping.
@ -277,10 +277,11 @@ in
extraConfig = (args.extraConfig.extraConfig or "") + ''
error_page 401 = @error401;
'';
locations."@error401".return = ''
locations = {
"@error401".return = ''
302 https://${cfg.sso.subdomain}.${config.networking.domain}/login?go=$scheme://$http_host$request_uri
'';
locations."/" = {
"/" = {
extraConfig =
(args.extraConfig.locations."/".extraConfig or "") + ''
# Use SSO
@ -293,7 +294,7 @@ in
add_header Set-Cookie $cookie;
'';
};
locations."/sso-auth" = {
"/sso-auth" = {
proxyPass = "http://localhost:${toString cfg.sso.port}/auth";
extraConfig = ''
# Do not allow requests from outside
@ -307,6 +308,7 @@ in
proxy_set_header X-Origin-URI $request_uri;
'';
};
};
})
])
;
@ -379,6 +381,38 @@ in
};
};
};
# services.prometheus = lib.mkIf cfg.monitoring.enable {
prometheus = {
exporters.nginx = {
enable = true;
listenAddress = "127.0.0.1";
};
scrapeConfigs = [
{
job_name = "nginx";
static_configs = [
{
targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.nginx.port}" ];
labels = {
instance = config.networking.hostName;
};
}
];
}
];
};
grafana.provision = {
dashboards.settings.providers = [
{
name = "Nginx";
options.path = pkgs.grafana-dashboards.nginx;
disableDeletion = true;
}
];
};
};
my.services.nginx.virtualHosts = [
{
subdomain = "login";
@ -407,35 +441,5 @@ in
};
};
};
# services.prometheus = lib.mkIf cfg.monitoring.enable {
services.prometheus = {
exporters.nginx = {
enable = true;
listenAddress = "127.0.0.1";
};
scrapeConfigs = [
{
job_name = "nginx";
static_configs = [
{
targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.nginx.port}" ];
labels = {
instance = config.networking.hostName;
};
}
];
}
];
};
services.grafana.provision = {
dashboards.settings.providers = [
{
name = "Nginx";
options.path = pkgs.grafana-dashboards.nginx;
disableDeletion = true;
}
];
};
};
}
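Review bot: In the new `locations = {` set, `"@error401".return` builds the login redirect as `…/login?go=$scheme://$http_host$request_uri`, and `$http_host` is the raw client-supplied Host header, so the post-login return target is taken verbatim from the request rather than from the virtual host being configured; `$host` (host name only, lower-cased and without port, and confined to what this server block matched) is the safer nginx variable here, and if the vhost's subdomain is in scope as `args.subdomain` the way it is in the assertions lambda, the fixed `${args.subdomain}.${config.networking.domain}` pins the `go=` value to the expected host entirely. The `"/sso-auth"` location's `# Do not allow requests from outside` comment is immediately followed by a hunk boundary, so the directive that enforces it is not visible in this view. The vhost lambda these locations belong to starts before the hunk and closes at `})` after it.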


@ -78,7 +78,8 @@ in
};
config = lib.mkIf cfg.enable {
services.prometheus = {
services = {
prometheus = {
enable = true;
webExternalUrl = "https://monitor.${domain}";
inherit (cfg) port;
@ -125,9 +126,7 @@ in
];
};
my.services.node-exporter.enable = true;
services.grafana.provision = {
grafana.provision = {
datasources.settings.datasources = [
{
name = "Prometheus";
@ -149,8 +148,12 @@ in
}
];
};
};
my.services.prometheus.rules = {
my.services = {
node-exporter.enable = true;
prometheus.rules = {
prometheus_too_many_restarts = {
condition = ''changes(process_start_time_seconds{job=~"prometheus|alertmanager"}[15m]) > 2'';
description = "Prometheus has restarted more than twice in the last 15 minutes. It might be crashlooping";
@ -178,12 +181,13 @@ in
};
};
my.services.nginx.virtualHosts = [
nginx.virtualHosts = [
{
subdomain = "monitor";
inherit (cfg) port;
}
];
};
webapps.apps = {
prometheus.dashboard = {


@ -19,9 +19,10 @@ in
autoPrune.enable = true;
};
services.cadvisor.enable = config.services.prometheus.enable;
services = {
cadvisor.enable = config.services.prometheus.enable;
services.prometheus = {
prometheus = {
scrapeConfigs = [
{
job_name = "docker";
@ -37,7 +38,7 @@ in
];
};
# dashboard untested
services.grafana.provision = {
grafana.provision = {
dashboards.settings.providers = [
{
name = "Docker";
@ -47,4 +48,5 @@ in
];
};
};
};
}


@ -24,8 +24,10 @@ in
programs.steam.enable = true;
hardware.opengl.driSupport32Bit = true;
hardware.opengl.extraPackages32 = with pkgs.pkgsi686Linux; [ libva ];
hardware.pulseaudio.support32Bit = true;
hardware = {
opengl.driSupport32Bit = true;
opengl.extraPackages32 = with pkgs.pkgsi686Linux; [ libva ];
pulseaudio.support32Bit = true;
};
};
}


@ -9,7 +9,6 @@ in
config = lib.mkIf cfg.enable {
programs.gnome-disks.enable = true;
services.udisks2.enable = true;
xdg.mime.enable = true;
@ -17,9 +16,12 @@ in
programs.dconf.enable = true;
# gnome services
services.dbus.packages = [ pkgs.dconf ];
services.udev.packages = [ pkgs.gnome.gnome-settings-daemon ];
services.gnome.gnome-keyring.enable = true;
services = {
udisks2.enable = true;
dbus.packages = [ pkgs.dconf ];
udev.packages = [ pkgs.gnome.gnome-settings-daemon ];
gnome.gnome-keyring.enable = true;
};
environment.systemPackages = with pkgs; [
glib


@ -14,18 +14,14 @@ in
# enable trash & network-mount
services.gvfs.enable = true;
environment.sessionVariables.NAUTILUS_4_EXTENSION_DIR = "${config.system.path}/lib/nautilus/extensions-4";
environment.pathsToLink = [
"/share/nautilus-python/extensions"
];
services.gnome.glib-networking.enable = true; # network-mount
# default-programs
xdg.mime.enable = true;
xdg.icons.enable = true;
environment.systemPackages = with pkgs; [
environment = {
systemPackages = with pkgs; [
gnome.nautilus
ffmpegthumbnailer # thumbnails
@ -33,5 +29,11 @@ in
gst_all_1.gst-libav # thumbnails
nautilus-open-any-terminal # terminal-context-entry
];
sessionVariables.NAUTILUS_4_EXTENSION_DIR = "${config.system.path}/lib/nautilus/extensions-4";
pathsToLink = [
"/share/nautilus-python/extensions"
];
};
};
}


@ -28,10 +28,11 @@ in
];
environment.pathsToLink = [ "/libexec" ];
programs.wshowkeys.enable = true;
programs.light.enable = true;
programs = {
wshowkeys.enable = true;
light.enable = true;
programs.sway = {
sway = {
enable = true;
wrapperFeatures = {
gtk = true;
@ -72,4 +73,5 @@ in
'';
};
};
};
}