From 6bcaca4bed4def9b00aae40b5f30c71fe6380d77 Mon Sep 17 00:00:00 2001
From: Dennis Frieberg
Date: Tue, 7 Nov 2023 09:12:43 +0100
Subject: [PATCH] Code Linting and hooks to do so automatically
---
 .gitignore | 2 +-
 flake-module.nix | 58 ++++++---
 flake.lock | 56 ++++++++
 flake.nix | 13 +-
 nixos/flake-module.nix | 24 +++-
 nixos/machines/ghatanothoa/configuration.nix | 18 ++-
 .../ghatanothoa/hardware-configuration.nix | 13 +-
 nixos/machines/ghatanothoa/network.nix | 15 ++-
 nixos/modules/impermanence.nix | 72 +++++------
 nixos/modules/jitsi.nix | 29 +++--
 nixos/roles/admins.nix | 35 +++--
 nixos/roles/default.nix | 122 ++++++++++--------
 nixos/roles/nix_keys.nix | 2 +-
 nixos/roles/prometheusNodeExporter.nix | 21 ++-
 14 files changed, 292 insertions(+), 188 deletions(-)
diff --git a/.gitignore b/.gitignore
index a806510..84e7193 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,4 +2,4 @@
 # Ignore build outputs from performing a nix-build or `nix build` command
 result
 result-*
-
+.pre-commit-config.yaml
diff --git a/flake-module.nix b/flake-module.nix
index 2220d58..e435985 100644
--- a/flake-module.nix
+++ b/flake-module.nix
@@ -1,28 +1,48 @@ -{inputs, ...}: -{ +{inputs, ...}: { # debug = true; # We only define machines config in this flake yet, so we only include # the module that builds these. This file might get fuller, if we need to # build our own packages, that are not flakes. - imports = [ ./nixos/flake-module.nix - # To import a flake module - # 1. Add foo to inputs - # 2. Add foo as a parameter to the outputs function - # 3. Add here: foo.flakeModule - + imports = [ + ./nixos/flake-module.nix + inputs.pre-commit-hooks.flakeModule + # To import a flake module + # 1. Add foo to inputs + # 2. Add foo as a parameter to the outputs function + # 3. Add here: foo.flakeModule ]; - systems = [ "x86_64-linux"]; -# perSystem = { config, self', inputs', pkgs, system, ... }: { - # Per-system attributes can be defined here. The self' and inputs' - # module parameters provide easy access to attributes of the same - # system. + systems = ["x86_64-linux"]; + perSystem = { + config, + inputs', + pkgs, + ... + }: { + devShells.default = pkgs.mkShell { + shellHook = config.pre-commit.installationScript; + }; + + pre-commit = { + check.enable = true; + pkgs = inputs'.nixpkgs.legacyPackages; + settings.hooks = { + nil.enable = true; + statix.enable = true; + deadnix.enable = true; + alejandra.enable = true; + }; + }; + + # Per-system attributes can be defined here. The self' and inputs' + # module parameters provide easy access to attributes of the same + # system. + }; # Equivalent to inputs'.nixpkgs.legacyPackages.hello; -# }; -# flake = { - # The usual flake attributes can be defined here, including system- - # agnostic ones like nixosModule and system-enumerating ones, although - # those are more easily expressed in perSystem. + # flake = { + # The usual flake attributes can be defined here, including system- + # agnostic ones like nixosModule and system-enumerating ones, although + # those are more easily expressed in perSystem. -# }; + # }; } 
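Review bot: `pkgs = inputs'.nixpkgs.legacyPackages;` in the `pre-commit` block is load-bearing but uncommented: the flake.nix hunk in this commit sets `nixpkgs.follows = "";` (and the same for flake-compat, gitignore and nixpkgs-stable) on the pre-commit-hooks input, which drops those inputs, so the hook tools can only come from this flake's own nixpkgs. A one-line comment above it, `# pre-commit-hooks' own nixpkgs input is disabled in flake.nix, so supply ours`, and a matching `# an empty follows drops the input; see pre-commit.pkgs in flake-module.nix` on the `follows = ""` lines in flake.nix would keep the two files from drifting apart. It would also help to note next to `check.enable = true;` that this presumably registers the nil/statix/deadnix/alejandra hooks as a flake check, so `nix flake check` fails on lint findings as well as on build errors.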
diff --git a/flake.lock b/flake.lock
index 614154a..f6b3be5 100644
--- a/flake.lock
+++ b/flake.lock
@@ -33,6 +33,24 @@
 "type": "indirect"
 }
 },
+ "flake-utils": {
+ "inputs": {
+ "systems": "systems"
+ },
+ "locked": {
+ "lastModified": 1685518550,
+ "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
 "impermanence": {
 "locked": {
 "lastModified": 1697303681,
@@ -151,12 +169,35 @@
 "type": "github"
 }
 },
+ "pre-commit-hooks": {
+ "inputs": {
+ "flake-compat": [],
+ "flake-utils": "flake-utils",
+ "gitignore": [],
+ "nixpkgs": [],
+ "nixpkgs-stable": []
+ },
+ "locked": {
+ "lastModified": 1699271226,
+ "narHash": "sha256-8Jt1KW3xTjolD6c6OjJm9USx/jmL+VVmbooADCkdDfU=",
+ "owner": "cachix",
+ "repo": "pre-commit-hooks.nix",
+ "rev": "ea758da1a6dcde6dc36db348ed690d09b9864128",
+ "type": "github"
+ },
+ "original": {
+ "owner": "cachix",
+ "repo": "pre-commit-hooks.nix",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
 "flake-parts": "flake-parts",
 "impermanence": "impermanence",
 "nixos-mailserver": "nixos-mailserver",
 "nixpkgs": "nixpkgs",
+ "pre-commit-hooks": "pre-commit-hooks",
 "sops-nix": "sops-nix"
 }
 },
@@ -181,6 +222,21 @@
 "type": "github"
 }
 },
+ "systems": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ },
 "utils": {
 "locked": {
 "lastModified": 1605370193,
diff --git a/flake.nix b/flake.nix
index 0c61327..b4b5593 100644
--- a/flake.nix
+++ b/flake.nix
@@ -17,8 +17,17 @@ impermanence = { url = "github:nix-community/impermanence"; }; + pre-commit-hooks = { + url = "github:cachix/pre-commit-hooks.nix"; + inputs = { + flake-compat.follows = ""; + gitignore.follows = ""; + nixpkgs-stable.follows = ""; + nixpkgs.follows = ""; + }; + }; }; - outputs = inputs@{ flake-parts, ... }: - flake-parts.lib.mkFlake { inherit inputs; } (import ./flake-module.nix); + outputs = inputs @ {flake-parts, ...}: + flake-parts.lib.mkFlake {inherit inputs;} (import ./flake-module.nix); } diff --git a/nixos/flake-module.nix b/nixos/flake-module.nix index 8c44964..3005780 100644 --- a/nixos/flake-module.nix +++ b/nixos/flake-module.nix @@ -1,20 +1,30 @@ # copied and adopted from maralorns config - # This automatically searches for nixos configs in ./machines/${name}/configuration.nix # and exposes them as outputs.nixosConfigurations.${name} -{ withSystem, lib, inputs, ... }: { +{ + withSystem, + lib, + inputs, + ... +}: { flake = { - nixosConfigurations = withSystem "x86_64-linux" ({ pkgs, ... }: - let + nixosConfigurations = withSystem "x86_64-linux" ({pkgs, ...}: let machines = builtins.attrNames (builtins.readDir ./machines); - makeSystem = name: + makeSystem = name: let + importedModule = import (./. + "/machines/${name}/configuration.nix"); + configModule = + if lib.isFunction importedModule + then importedModule inputs + else importedModule; + in pkgs.nixos { imports = [ - (import (./. + "/machines/${name}/configuration.nix") inputs) + configModule inputs.sops-nix.nixosModules.sops inputs.impermanence.nixosModules.impermanence ]; }; - in lib.genAttrs machines makeSystem); + in + lib.genAttrs machines makeSystem); }; } diff --git a/nixos/machines/ghatanothoa/configuration.nix b/nixos/machines/ghatanothoa/configuration.nix index 4e60e1b..3b4faa5 100644 --- a/nixos/machines/ghatanothoa/configuration.nix +++ b/nixos/machines/ghatanothoa/configuration.nix 
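Review bot: The `lib.isFunction importedModule` test in makeSystem cannot tell a flake-inputs wrapper (`flake-inputs: {config, ...}: {...}`) apart from an ordinary NixOS module written as a function of module arguments (`{config, pkgs, ...}: {...}`); the latter is also a function, so it would be applied to `inputs` and fail with a missing `config`/`pkgs` argument, or with a `...`-only pattern silently receive the flake inputs as its module arguments. It works today only because the same commit turns ghatanothoa's configuration.nix into a plain attribute set, so the next machine written in the usual module shape breaks. Handing the inputs to the module system as a module argument removes the guess and lets machine configs keep their normal form; a rewrite of makeSystem is below, the argument name being whatever the machine modules are expected to declare. The `in lib.genAttrs machines makeSystem` tail and the surrounding `withSystem` call are unchanged.
```nix
      makeSystem = name:
        pkgs.nixos {
          imports = [
            (./. + "/machines/${name}/configuration.nix")
            inputs.sops-nix.nixosModules.sops
            inputs.impermanence.nixosModules.impermanence
          ];
          # Expose the flake inputs to every machine module as a module argument
          # instead of inferring from the file's shape whether it wants them.
          _module.args.inputs = inputs;
        };
      # … unchanged: in lib.genAttrs machines makeSystem …
```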
@@ -1,19 +1,17 @@ -flake-inputs: -{config, pkgs, lib, ... }: { - -imports = [ - ./hardware-configuration.nix - ../../modules/jitsi.nix - ../../roles - ./network.nix -]; +{ + imports = [ + ./hardware-configuration.nix + ../../modules/jitsi.nix + ../../roles + ./network.nix + ]; services.mathebau-jitsi = { enable = true; hostName = "meet.mathebau.de"; }; -# System configuration here + # System configuration here networking.hostName = "ghatanothoa"; system.stateVersion = "23.11"; } diff --git a/nixos/machines/ghatanothoa/hardware-configuration.nix b/nixos/machines/ghatanothoa/hardware-configuration.nix index ad588c9..05a48b2 100644 --- a/nixos/machines/ghatanothoa/hardware-configuration.nix +++ b/nixos/machines/ghatanothoa/hardware-configuration.nix @@ -1,15 +1,15 @@ -{config, lib, pkgs, modulesPath, ...}: { - imports = [ ]; +{lib, ...}: { + imports = []; fileSystems."/" = { device = "gha-root"; fsType = "tmpfs"; - options = [ "size=1G" "mode=755" ]; + options = ["size=1G" "mode=755"]; }; fileSystems."/persist" = { device = "/dev/disk/by-uuid/e0a160ef-7d46-4705-9152-a6b602898136"; fsType = "btrfs"; - options = [ "subvol=persist" ]; + options = ["subvol=persist"]; neededForBoot = true; }; fileSystems."/boot" = { @@ -19,11 +19,10 @@ fileSystems."/nix" = { device = "/dev/disk/by-uuid/e0a160ef-7d46-4705-9152-a6b602898136"; fsType = "btrfs"; - options = [ "subvol=nix" ]; + options = ["subvol=nix"]; }; - swapDevices = - [{ device = "/dev/disk/by-uuid/e6e3ba6b-c9f5-4960-b56d-f49760d76a4a"; }]; + swapDevices = [{device = "/dev/disk/by-uuid/e6e3ba6b-c9f5-4960-b56d-f49760d76a4a";}]; nix.settings.max-jobs = lib.mkDefault 4; diff --git a/nixos/machines/ghatanothoa/network.nix b/nixos/machines/ghatanothoa/network.nix index 7e26f79..2a1f4ae 100644 --- a/nixos/machines/ghatanothoa/network.nix +++ b/nixos/machines/ghatanothoa/network.nix 
@@ -1,15 +1,16 @@
 # We sohuld put that config somewhere in roles and give it a parameter or something,
 # everyone gets the same nameserver and the same prefixLength and address vs defaultGateway alsways
-# depend on the same thing
+# depend on the same thing
 {
- imports = [ ];
+ imports = [];
 networking = {
- interfaces.enX0.ipv4.addresses = [ {
- address = "192.168.0.25";
- prefixLength = 16;
- } ];
+ interfaces.enX0.ipv4.addresses = [
+ {
+ address = "192.168.0.25";
+ prefixLength = 16;
+ }
+ ];
 defaultGateway = "192.168.0.152";
 nameservers = ["130.83.2.22" "130.83.56.60" "130.83.22.60" "130.82.22.63"];
 };
 }
-
diff --git a/nixos/modules/impermanence.nix b/nixos/modules/impermanence.nix
index 267c9d1..f5df277 100644
--- a/nixos/modules/impermanence.nix
+++ b/nixos/modules/impermanence.nix
@@ -1,47 +1,47 @@ -{lib, config, ...} : - -let - inherit (lib) +{ + lib, + config, + ... +}: let + inherit + (lib) mkEnableOption mkIf mkOption types ; cfg = config.impermanence; -in +in { + imports = []; -{ -imports = [ ]; - -options.impermanence = { - enable = mkEnableOption "impermanence"; - storagePath = mkOption { - type = types.path; - default = "/persist"; - description = "The path where persistent data is stored"; + options.impermanence = { + enable = mkEnableOption "impermanence"; + storagePath = mkOption { + type = types.path; + default = "/persist"; + description = "The path where persistent data is stored"; + }; + name = mkOption { + type = types.str; + default = "persist"; + description = "the name of the persistent data store"; + }; }; - name = mkOption { - type = types.str; - default = "persist"; - description = "the name of the persistent data store"; - }; -}; -config = mkIf cfg.enable { - environment.persistence.${cfg.name} = { - persistentStoragePath = cfg.storagePath; - directories = [ - "/var/log" - "/var/lib/nixos" - ]; - files = [ - "/etc/ssh/ssh_host_ed25519_key" - "/etc/ssh/ssh_host_ed25519_key.pub" - "/etc/ssh/ssh_host_rsa_key" - "/etc/ssh/ssh_host_rsa_key.pub" - ]; + config = mkIf cfg.enable { + environment.persistence.${cfg.name} = { + persistentStoragePath = cfg.storagePath; + directories = [ + "/var/log" + "/var/lib/nixos" + ]; + files = [ + "/etc/ssh/ssh_host_ed25519_key" + "/etc/ssh/ssh_host_ed25519_key.pub" + "/etc/ssh/ssh_host_rsa_key" + "/etc/ssh/ssh_host_rsa_key.pub" + ]; + }; + environment.etc.machine-id.source = "${cfg.storagePath}/machine-id"; }; - environment.etc.machine-id.source = "${cfg.storagePath}/machine-id"; -}; - } diff --git a/nixos/modules/jitsi.nix b/nixos/modules/jitsi.nix index ca2a8a7..601e30f 100644 --- a/nixos/modules/jitsi.nix +++ b/nixos/modules/jitsi.nix 
@@ -1,16 +1,21 @@ -{pkgs, config, lib, modulesPath, ...}: -let - inherit (lib) +{ + config, + lib, + modulesPath, + ... +}: let + inherit + (lib) mkIf mkEnableOption mkOption - head; + head + ; inherit (lib.types) str; cfg = config.services.mathebau-jitsi; -in -{ +in { imports = [(modulesPath + "/services/web-apps/jitsi-meet.nix")]; - + options.services.mathebau-jitsi = { enable = mkEnableOption "mathebau jitsi service"; hostName = mkOption { @@ -25,16 +30,16 @@ in config = mkIf cfg.enable { services.jitsi-meet = { enable = true; - hostName = cfg.hostName; config = { defaultLang = "de"; }; + inherit (cfg) hostName; }; services.jitsi-videobridge = { openFirewall = true; nat = { publicAddress = "130.83.2.184"; - localAddress = cfg.localAddress; + inherit (cfg) localAddress; }; }; environment.persistence.${config.impermanence.name} = { @@ -43,13 +48,13 @@ in "/var/lib/prosody" ]; }; - #We are behind a reverse proxy that handles TLS + #We are behind a reverse proxy that handles TLS services.nginx.virtualHosts."${cfg.hostName}" = { enableACME = false; forceSSL = false; }; - #The network ports for HTTP(S) are not opened automatically - networking.firewall.allowedTCPPorts = [ 80 443 ]; + #The network ports for HTTP(S) are not opened automatically + networking.firewall.allowedTCPPorts = [80 443]; }; } diff --git a/nixos/roles/admins.nix b/nixos/roles/admins.nix index 32478bf..3215ccc 100644 --- a/nixos/roles/admins.nix +++ b/nixos/roles/admins.nix 
@@ -1,37 +1,34 @@ -{lib, ...} : -with lib; - -let +{lib, ...}: +with lib; let admins = { nerf = { - hashedPassword = - "$y$j9T$SJcjUIcs3JYuM5oyxfEQa/$tUBQT07FK4cb9xm.A6ZKVnFIPNOYMOKC6Dt6hadCuJ7"; - keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEdA4LpEGUUmN8esFyrNZXFb2GiBID9/S6zzhcnofQuP nerf@nerflap2" - ]; + hashedPassword = "$y$j9T$SJcjUIcs3JYuM5oyxfEQa/$tUBQT07FK4cb9xm.A6ZKVnFIPNOYMOKC6Dt6hadCuJ7"; + keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEdA4LpEGUUmN8esFyrNZXFb2GiBID9/S6zzhcnofQuP nerf@nerflap2" + ]; }; gonne = { - hashedPassword = - "$6$EtGpHEcFkOi0yUWp$slXf0CvIUrhdqaoCrQ5YwtYu2IVuE1RGGst4fnDPRLWVm.lYx0ruvSAF2/vw/sLbW37ORJjlb0NHQ.kSG7cVY/"; - keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFopCUadohY3wg9AoEup9TDRDMyEPSLsQoCnN4lsKCrr gonne@mathebau.de NixOS" - ]; + hashedPassword = "$6$EtGpHEcFkOi0yUWp$slXf0CvIUrhdqaoCrQ5YwtYu2IVuE1RGGst4fnDPRLWVm.lYx0ruvSAF2/vw/sLbW37ORJjlb0NHQ.kSG7cVY/"; + keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFopCUadohY3wg9AoEup9TDRDMyEPSLsQoCnN4lsKCrr gonne@mathebau.de NixOS" + ]; }; }; - mkAdmin = name : - {hashedPassword, keys}: { + mkAdmin = name: { + hashedPassword, + keys, + }: { "${name}" = { isNormalUser = true; createHome = true; - extraGroups = [ "wheel" ]; + extraGroups = ["wheel"]; group = "users"; home = "/home/${name}"; - openssh.authorizedKeys = { inherit keys; }; + openssh.authorizedKeys = {inherit keys;}; inherit hashedPassword; }; }; - in { users.users = mkMerge (mapAttrsToList mkAdmin admins); } diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix index d92b970..60284a7 100644 --- a/nixos/roles/default.nix +++ b/nixos/roles/default.nix 
@@ -1,62 +1,72 @@ -{pkgs, config, lib, modulesPath, ...} : { - -imports = [ - ./admins.nix - ./nix_keys.nix - ./prometheusNodeExporter.nix - (modulesPath + "/virtualisation/xen-domU.nix") - ../modules/impermanence.nix +{ + pkgs, + lib, + modulesPath, + ... +}: { + imports = [ + ./admins.nix + ./nix_keys.nix + ./prometheusNodeExporter.nix + (modulesPath + "/virtualisation/xen-domU.nix") + ../modules/impermanence.nix ]; -nix = { - extraOptions = '' - experimental-features = nix-command flakes - builders-use-substitutes = true - ''; -}; - -networking = { - firewall = { # these shoud be default, but better make sure! - enable = true; - allowPing = true; - }; - nftables.enable = true; - useDHCP = false; # We don't speak DHCP and even if we would, we should enable it per interface - # hosts = # TODO write something to autogenerate ip adresses! -}; - -users = { - mutableUsers = false; - users.root.hashedPassword = "!"; -}; - -impermanence.enable = true; - -sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - -environment = { - systemPackages = builtins.attrValues { - inherit (pkgs) - htop lsof tmux btop; - }; -}; - -services = { - journald.extraConfig = "SystemMaxUse=5G"; - - nginx = { - recommendedOptimisation = true; - recommendedGzipSettings = true; - recommendedTlsSettings = true; + nix = { + extraOptions = '' + experimental-features = nix-command flakes + builders-use-substitutes = true + ''; }; - openssh = { - enable = true; - settings = { - PermitRootLogin = "no"; - PasswordAuthentication = false; + networking = { + firewall = { + # these shoud be default, but better make sure! + enable = true; + allowPing = true; + }; + nftables.enable = true; + useDHCP = false; # We don't speak DHCP and even if we would, we should enable it per interface + # hosts = # TODO write something to autogenerate ip adresses! 
+ }; + + users = { + mutableUsers = false; + users.root.hashedPassword = "!"; + }; + + impermanence.enable = true; + + sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; + + environment = { + systemPackages = builtins.attrValues { + inherit + (pkgs) + htop + lsof + tmux + btop + ; }; }; -#Prevent clock drift due to interaction problem with xen hardware clock - timesyncd.enable = lib.mkForce true; -}; + + services = { + journald.extraConfig = "SystemMaxUse=5G"; + + nginx = { + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedTlsSettings = true; + }; + + openssh = { + enable = true; + settings = { + PermitRootLogin = "no"; + PasswordAuthentication = false; + }; + }; + #Prevent clock drift due to interaction problem with xen hardware clock + timesyncd.enable = lib.mkForce true; + }; } diff --git a/nixos/roles/nix_keys.nix b/nixos/roles/nix_keys.nix index 14f0b56..97e5dc5 100644 --- a/nixos/roles/nix_keys.nix +++ b/nixos/roles/nix_keys.nix @@ -1,5 +1,5 @@ { - imports = [ ]; + imports = []; nix.settings.trusted-public-keys = [ "nerflap2-1:pDZCg0oo9PxNQxwVSQSvycw7WXTl53PGvVeZWvxuqJc=" "gonne.mathebau.de-1:FsXFyFiBFE/JxC9MCkt/WuiXjx5dkRI9RXj0FxOQrV0=" diff --git a/nixos/roles/prometheusNodeExporter.nix b/nixos/roles/prometheusNodeExporter.nix index 9587b2f..37cdbc2 100644 --- a/nixos/roles/prometheusNodeExporter.nix +++ b/nixos/roles/prometheusNodeExporter.nix 
@@ -1,15 +1,14 @@
-{config, ...}:
-{
- imports = [ ];
+{config, ...}: {
+ imports = [];
 services.prometheus.exporters.node = {
 enable = true;
 port = 9100;
- # Aligned with https://git.rwth-aachen.de/fsdmath/server/prometheus/-/blob/main/node_exporter/etc/default/prometheus-node-exporter
- # It was compiled along the following steps:
- # 1. Does the current Debian release supports the collector?
- # 2. Is the collector depracated in the latest release?
- # 3. Could you probably use the collected metrics for monitoring or are they useless because they make no sense in our context
- # (e.g. power adapter inside a VM, use fibre port connection)?
+ # Aligned with https://git.rwth-aachen.de/fsdmath/server/prometheus/-/blob/main/node_exporter/etc/default/prometheus-node-exporter
+ # It was compiled along the following steps:
+ # 1. Does the current Debian release supports the collector?
+ # 2. Is the collector depracated in the latest release?
+ # 3. Could you probably use the collected metrics for monitoring or are they useless because they make no sense in our context
+ # (e.g. power adapter inside a VM, use fibre port connection)?
 disabledCollectors = [
 "arp"
 "bcache"
@@ -35,6 +34,6 @@
 "processes"
 ];
 };
- networking.firewall.allowedTCPPorts = [ 9100 ];
- environment.persistence.${config.impermanence.name}.directories = [ "/var/lib/${config.services.prometheus.stateDir}" ];
+ networking.firewall.allowedTCPPorts = [9100];
+ environment.persistence.${config.impermanence.name}.directories = ["/var/lib/${config.services.prometheus.stateDir}"];
 }