diff --git a/.gitignore b/.gitignore index a806510..84e7193 100644 --- a/.gitignore +++ b/.gitignore @@ -2,4 +2,4 @@ # Ignore build outputs from performing a nix-build or `nix build` command result result-* - +.pre-commit-config.yaml diff --git a/README.md b/README.md index 2c6a796..c9d9672 100644 --- a/README.md +++ b/README.md @@ -146,8 +146,7 @@ machine. The only technically required file in there is `configuration.nix`. So A good skeleton is probably: ``` -flake-inputs: -{config, pkgs, lib, ... }: { +{config, pkgs, lib, flake-inputs, ... }: { imports = [ ./hardware-configuration.nix 
@@ -278,3 +277,29 @@ something like this: {lib, pkgs, config, ...} : ``` + +# Contributing + +Like with all FS projects, you are welcome to contribute. Work is done usually by the person that is most annoyed +by the circumstances or by the person that didn't run fast enough. So we are happy if we get help. That doesn't +mean that we don't need to have some level of quality, people after us needs to work with it. It is live infrastructure +and downtime hurts someone (and in the wrong moment even really bad (Matheball ticket sales for example). + +So here are some Guidelines. + +## Coding style and linting. +If you run `nix check` there are automated checks in place, please make sure to pass them. +There is also a code autoformatter (`alejandra`) incorporated into those. You can also install +them into your local git repository as pre-commit hooks, and setting up a shell that has +even more tooling by running `nix develop`. That will give you a bash in which you can run +all the checks manually `pre-commit run -a`. This will also run the autoformatter. + +## Process for submitting changes + +1. If it is something bigger, please open an issue first describing what and why you want to do something. + If it is just something small, skip this step. +2. Fork the repo and implement your changes in a branch on your fork. Afterwards open a pull request (possibly mentioning the issue). + Against the main branch. + - Your branch should be based on an up to date version of main, if it is not consider rebasing. +3. You will need to find someone with the proper rights to approve of your changes, but most of the time there will be request + for changes first. diff --git a/flake-module.nix b/flake-module.nix index 2220d58..8584c3d 100644 --- a/flake-module.nix +++ b/flake-module.nix 
@@ -1,28 +1,60 @@ -{inputs, ...}: -{ +{inputs, ...}: { # debug = true; # We only define machines config in this flake yet, so we only include # the module that builds these. This file might get fuller, if we need to # build our own packages, that are not flakes. - imports = [ ./nixos/flake-module.nix - # To import a flake module - # 1. Add foo to inputs - # 2. Add foo as a parameter to the outputs function - # 3. Add here: foo.flakeModule - + imports = [ + ./nixos/flake-module.nix + inputs.pre-commit-hooks.flakeModule + # To import a flake module + # 1. Add foo to inputs + # 2. Add foo as a parameter to the outputs function + # 3. Add here: foo.flakeModule ]; - systems = [ "x86_64-linux"]; -# perSystem = { config, self', inputs', pkgs, system, ... }: { - # Per-system attributes can be defined here. The self' and inputs' - # module parameters provide easy access to attributes of the same - # system. + systems = ["x86_64-linux"]; + perSystem = { + config, + inputs', + pkgs, + ... + }: { + devShells.default = config.pre-commit.devShell; + + pre-commit = let + generatedFiles = [ + "hardware-configuration\\.nix" + ]; + in { + check.enable = true; + pkgs = inputs'.nixpkgs.legacyPackages; + settings = { + # for some reason statix takes it config differently than all the other hooks. + settings.statix = { + format = "stderr"; + ignore = generatedFiles; + }; + hooks = { + nil.enable = true; + statix.enable = true; + deadnix = { + enable = true; + excludes = generatedFiles; + }; + alejandra.enable = true; + }; + }; + }; + + # Per-system attributes can be defined here. The self' and inputs' + # module parameters provide easy access to attributes of the same + # system. + }; # Equivalent to inputs'.nixpkgs.legacyPackages.hello; -# }; -# flake = { - # The usual flake attributes can be defined here, including system- - # agnostic ones like nixosModule and system-enumerating ones, although - # those are more easily expressed in perSystem. 
+ # flake = { + # The usual flake attributes can be defined here, including system- + # agnostic ones like nixosModule and system-enumerating ones, although + # those are more easily expressed in perSystem. -# }; + # }; } diff --git a/flake.nix b/flake.nix index 0c61327..b4b5593 100644 --- a/flake.nix +++ b/flake.nix @@ -17,8 +17,17 @@ impermanence = { url = "github:nix-community/impermanence"; }; + pre-commit-hooks = { + url = "github:cachix/pre-commit-hooks.nix"; + inputs = { + flake-compat.follows = ""; + gitignore.follows = ""; + nixpkgs-stable.follows = ""; + nixpkgs.follows = ""; + }; + }; }; - outputs = inputs@{ flake-parts, ... }: - flake-parts.lib.mkFlake { inherit inputs; } (import ./flake-module.nix); + outputs = inputs @ {flake-parts, ...}: + flake-parts.lib.mkFlake {inherit inputs;} (import ./flake-module.nix); } diff --git a/nixos/flake-module.nix b/nixos/flake-module.nix index 8c44964..bc1769b 100644 --- a/nixos/flake-module.nix +++ b/nixos/flake-module.nix 
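Review bot: The `pkgs` parameter in the new `perSystem = {config, inputs', pkgs, ...}:` pattern appears to be unused — the only `pkgs` inside the block is the attribute `pkgs = inputs'.nixpkgs.legacyPackages;`, not the variable — so the deadnix hook this same hunk enables is likely to flag it on the next `nix flake check`; `perSystem = {config, inputs', ...}:` avoids that. The template comments also landed in odd places: `# Per-system attributes can be defined here …` now closes the perSystem block instead of introducing it, and `# Equivalent to inputs'.nixpkgs.legacyPackages.hello;` is orphaned at top level between `perSystem` and the commented-out `flake`; either move them back to the head of perSystem or delete them. Small wording fix in the statix comment: `# for some reason statix takes its config differently than all the other hooks.`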
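Review bot: The new `pre-commit-hooks` input is declared as `github:cachix/pre-commit-hooks.nix` with no ref or rev, and this diff contains no `flake.lock` hunk, so the pin that actually fixes what `nix flake check` and the dev shell fetch is not visible here; please make sure the updated `flake.lock` lands in the same commit, otherwise the first evaluation resolves whatever the branch head is at that moment. The four `follows = ""` entries, if I read the idiom right, unset the input's own nixpkgs, nixpkgs-stable, gitignore and flake-compat rather than sharing them, which is consistent with flake-module.nix passing `pkgs = inputs'.nixpkgs.legacyPackages;` explicitly — but it is unusual enough to deserve a comment next to them, e.g. `# not needed: pkgs is handed to the hooks explicitly in flake-module.nix; keeps flake.lock small`.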
@@ -1,20 +1,30 @@ # copied and adopted from maralorns config - # This automatically searches for nixos configs in ./machines/${name}/configuration.nix # and exposes them as outputs.nixosConfigurations.${name} -{ withSystem, lib, inputs, ... }: { +{ + withSystem, + lib, + inputs, + ... +}: { flake = { - nixosConfigurations = withSystem "x86_64-linux" ({ pkgs, ... }: - let + nixosConfigurations = withSystem "x86_64-linux" ({pkgs, ...}: let machines = builtins.attrNames (builtins.readDir ./machines); - makeSystem = name: + makeSystem = name: let + importedConfig = import (./. + "/machines/${name}/configuration.nix"); + systemConfig = + if lib.isFunction importedConfig + then x: importedConfig (x // {flake-inputs = inputs;}) + else importedConfig; + in pkgs.nixos { imports = [ - (import (./. + "/machines/${name}/configuration.nix") inputs) + systemConfig inputs.sops-nix.nixosModules.sops inputs.impermanence.nixosModules.impermanence ]; }; - in lib.genAttrs machines makeSystem); + in + lib.genAttrs machines makeSystem); }; } diff --git a/nixos/machines/ghatanothoa/configuration.nix b/nixos/machines/ghatanothoa/configuration.nix index 4e60e1b..3b4faa5 100644 --- a/nixos/machines/ghatanothoa/configuration.nix +++ b/nixos/machines/ghatanothoa/configuration.nix @@ -1,19 +1,17 @@ -flake-inputs: -{config, pkgs, lib, ... }: { - -imports = [ - ./hardware-configuration.nix - ../../modules/jitsi.nix - ../../roles - ./network.nix -]; +{ + imports = [ + ./hardware-configuration.nix + ../../modules/jitsi.nix + ../../roles + ./network.nix + ]; services.mathebau-jitsi = { enable = true; hostName = "meet.mathebau.de"; }; -# System configuration here + # System configuration here networking.hostName = "ghatanothoa"; system.stateVersion = "23.11"; } diff --git a/nixos/machines/ghatanothoa/hardware-configuration.nix b/nixos/machines/ghatanothoa/hardware-configuration.nix index ad588c9..05a48b2 100644 --- a/nixos/machines/ghatanothoa/hardware-configuration.nix 
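Review bot: Wrapping a function module as `x: importedConfig (x // {flake-inputs = inputs;})` probably breaks the `{config, pkgs, lib, flake-inputs, ...}:` skeleton the README now advertises: as far as I can tell the module system resolves extra arguments such as `pkgs` through `lib.functionArgs`, which is empty for a plain `x:` lambda, so the inner pattern would fail with a missing `pkgs` argument — the attrset branch used by ghatanothoa is unaffected, so the current machine does not exercise this. The idiomatic fix needs no wrapper: keep `importedConfig` in `imports` and add the module `{_module.args.flake-inputs = inputs;}` next to it, after which `systemConfig` and the `lib.isFunction` test can go; if the wrapper is kept, restore its argument set with `lib.setFunctionArgs (x: importedConfig (x // {flake-inputs = inputs;})) (removeAttrs (lib.functionArgs importedConfig) ["flake-inputs"])`. Either way the `let` deserves a one-line comment stating why function and attrset configurations are treated differently.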
+++ b/nixos/machines/ghatanothoa/hardware-configuration.nix @@ -1,15 +1,15 @@ -{config, lib, pkgs, modulesPath, ...}: { - imports = [ ]; +{lib, ...}: { + imports = []; fileSystems."/" = { device = "gha-root"; fsType = "tmpfs"; - options = [ "size=1G" "mode=755" ]; + options = ["size=1G" "mode=755"]; }; fileSystems."/persist" = { device = "/dev/disk/by-uuid/e0a160ef-7d46-4705-9152-a6b602898136"; fsType = "btrfs"; - options = [ "subvol=persist" ]; + options = ["subvol=persist"]; neededForBoot = true; }; fileSystems."/boot" = { @@ -19,11 +19,10 @@ fileSystems."/nix" = { device = "/dev/disk/by-uuid/e0a160ef-7d46-4705-9152-a6b602898136"; fsType = "btrfs"; - options = [ "subvol=nix" ]; + options = ["subvol=nix"]; }; - swapDevices = - [{ device = "/dev/disk/by-uuid/e6e3ba6b-c9f5-4960-b56d-f49760d76a4a"; }]; + swapDevices = [{device = "/dev/disk/by-uuid/e6e3ba6b-c9f5-4960-b56d-f49760d76a4a";}]; nix.settings.max-jobs = lib.mkDefault 4; diff --git a/nixos/machines/ghatanothoa/network.nix b/nixos/machines/ghatanothoa/network.nix index 7e26f79..2a1f4ae 100644 --- a/nixos/machines/ghatanothoa/network.nix +++ b/nixos/machines/ghatanothoa/network.nix @@ -1,15 +1,16 @@ # We sohuld put that config somewhere in roles and give it a parameter or something, # everyone gets the same nameserver and the same prefixLength and address vs defaultGateway alsways -# depend on the same thing +# depend on the same thing { - imports = [ ]; + imports = []; networking = { - interfaces.enX0.ipv4.addresses = [ { - address = "192.168.0.25"; - prefixLength = 16; - } ]; + interfaces.enX0.ipv4.addresses = [ + { + address = "192.168.0.25"; + prefixLength = 16; + } + ]; defaultGateway = "192.168.0.152"; nameservers = ["130.83.2.22" "130.83.56.60" "130.83.22.60" "130.82.22.63"]; }; } - diff --git a/nixos/modules/impermanence.nix b/nixos/modules/impermanence.nix index 267c9d1..f5df277 100644 --- a/nixos/modules/impermanence.nix +++ b/nixos/modules/impermanence.nix 
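Review bot: This hunk hand-edits `hardware-configuration.nix` (the pattern shrinks to `{lib, ...}:` and the lists are reformatted) while flake-module.nix in the same commit lists `"hardware-configuration\\.nix"` as a generated file that statix and deadnix skip, and those two decisions are at odds. If the file is meant to be regenerated with `nixos-generate-config`, it is better left untouched so a regeneration does not produce a spurious diff; if it is hand-maintained, as this hunk suggests, drop it from `generatedFiles` so the lints cover it too. A one-line comment at the top of the file saying which of the two it is would settle this for the next person.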
@@ -1,47 +1,47 @@ -{lib, config, ...} : - -let - inherit (lib) +{ + lib, + config, + ... +}: let + inherit + (lib) mkEnableOption mkIf mkOption types ; cfg = config.impermanence; -in +in { + imports = []; -{ -imports = [ ]; - -options.impermanence = { - enable = mkEnableOption "impermanence"; - storagePath = mkOption { - type = types.path; - default = "/persist"; - description = "The path where persistent data is stored"; + options.impermanence = { + enable = mkEnableOption "impermanence"; + storagePath = mkOption { + type = types.path; + default = "/persist"; + description = "The path where persistent data is stored"; + }; + name = mkOption { + type = types.str; + default = "persist"; + description = "the name of the persistent data store"; + }; }; - name = mkOption { - type = types.str; - default = "persist"; - description = "the name of the persistent data store"; - }; -}; -config = mkIf cfg.enable { - environment.persistence.${cfg.name} = { - persistentStoragePath = cfg.storagePath; - directories = [ - "/var/log" - "/var/lib/nixos" - ]; - files = [ - "/etc/ssh/ssh_host_ed25519_key" - "/etc/ssh/ssh_host_ed25519_key.pub" - "/etc/ssh/ssh_host_rsa_key" - "/etc/ssh/ssh_host_rsa_key.pub" - ]; + config = mkIf cfg.enable { + environment.persistence.${cfg.name} = { + persistentStoragePath = cfg.storagePath; + directories = [ + "/var/log" + "/var/lib/nixos" + ]; + files = [ + "/etc/ssh/ssh_host_ed25519_key" + "/etc/ssh/ssh_host_ed25519_key.pub" + "/etc/ssh/ssh_host_rsa_key" + "/etc/ssh/ssh_host_rsa_key.pub" + ]; + }; + environment.etc.machine-id.source = "${cfg.storagePath}/machine-id"; }; - environment.etc.machine-id.source = "${cfg.storagePath}/machine-id"; -}; - } diff --git a/nixos/modules/jitsi.nix b/nixos/modules/jitsi.nix index ca2a8a7..7af6662 100644 --- a/nixos/modules/jitsi.nix +++ b/nixos/modules/jitsi.nix 
@@ -1,16 +1,21 @@ -{pkgs, config, lib, modulesPath, ...}: -let - inherit (lib) +{ + config, + lib, + modulesPath, + ... +}: let + inherit + (lib) mkIf mkEnableOption mkOption - head; + head + ; inherit (lib.types) str; cfg = config.services.mathebau-jitsi; -in -{ +in { imports = [(modulesPath + "/services/web-apps/jitsi-meet.nix")]; - + options.services.mathebau-jitsi = { enable = mkEnableOption "mathebau jitsi service"; hostName = mkOption { @@ -23,18 +28,25 @@ in }; config = mkIf cfg.enable { - services.jitsi-meet = { - enable = true; - hostName = cfg.hostName; - config = { - defaultLang = "de"; + services = { + jitsi-meet = { + enable = true; + config = { + defaultLang = "de"; + }; + inherit (cfg) hostName; }; - }; - services.jitsi-videobridge = { - openFirewall = true; - nat = { - publicAddress = "130.83.2.184"; - localAddress = cfg.localAddress; + jitsi-videobridge = { + openFirewall = true; + nat = { + publicAddress = "130.83.2.184"; + inherit (cfg) localAddress; + }; + }; + #We are behind a reverse proxy that handles TLS + nginx.virtualHosts."${cfg.hostName}" = { + enableACME = false; + forceSSL = false; }; }; environment.persistence.${config.impermanence.name} = { @@ -43,13 +55,7 @@ in "/var/lib/prosody" ]; }; - #We are behind a reverse proxy that handles TLS - services.nginx.virtualHosts."${cfg.hostName}" = { - enableACME = false; - forceSSL = false; - }; - - #The network ports for HTTP(S) are not opened automatically - networking.firewall.allowedTCPPorts = [ 80 443 ]; + #The network ports for HTTP(S) are not opened automatically + networking.firewall.allowedTCPPorts = [80 443]; }; } diff --git a/nixos/roles/admins.nix b/nixos/roles/admins.nix index 32478bf..3215ccc 100644 --- a/nixos/roles/admins.nix +++ b/nixos/roles/admins.nix 
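Review bot: The second hunk keeps `networking.firewall.allowedTCPPorts = [80 443];` next to the vhost that now sets `enableACME = false; forceSSL = false;` — with none of `forceSSL`, `addSSL`, `onlySSL` or `rejectSSL` set, the NixOS nginx module listens on port 80 only, so as far as I can tell nothing in this module answers on 443 and the exception is one port wider than needed (`jitsi-videobridge.openFirewall = true` covers the bridge's own ports). Unless another listener on this host uses 443, `networking.firewall.allowedTCPPorts = [80];` is the tighter setting; if 443 is intentional, the comment `#The network ports for HTTP(S) are not opened automatically` should say what actually listens there. The enclosing `config = mkIf cfg.enable { … }` starts before this hunk.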
@@ -1,37 +1,34 @@ -{lib, ...} : -with lib; - -let +{lib, ...}: +with lib; let admins = { nerf = { - hashedPassword = - "$y$j9T$SJcjUIcs3JYuM5oyxfEQa/$tUBQT07FK4cb9xm.A6ZKVnFIPNOYMOKC6Dt6hadCuJ7"; - keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEdA4LpEGUUmN8esFyrNZXFb2GiBID9/S6zzhcnofQuP nerf@nerflap2" - ]; + hashedPassword = "$y$j9T$SJcjUIcs3JYuM5oyxfEQa/$tUBQT07FK4cb9xm.A6ZKVnFIPNOYMOKC6Dt6hadCuJ7"; + keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEdA4LpEGUUmN8esFyrNZXFb2GiBID9/S6zzhcnofQuP nerf@nerflap2" + ]; }; gonne = { - hashedPassword = - "$6$EtGpHEcFkOi0yUWp$slXf0CvIUrhdqaoCrQ5YwtYu2IVuE1RGGst4fnDPRLWVm.lYx0ruvSAF2/vw/sLbW37ORJjlb0NHQ.kSG7cVY/"; - keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFopCUadohY3wg9AoEup9TDRDMyEPSLsQoCnN4lsKCrr gonne@mathebau.de NixOS" - ]; + hashedPassword = "$6$EtGpHEcFkOi0yUWp$slXf0CvIUrhdqaoCrQ5YwtYu2IVuE1RGGst4fnDPRLWVm.lYx0ruvSAF2/vw/sLbW37ORJjlb0NHQ.kSG7cVY/"; + keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFopCUadohY3wg9AoEup9TDRDMyEPSLsQoCnN4lsKCrr gonne@mathebau.de NixOS" + ]; }; }; - mkAdmin = name : - {hashedPassword, keys}: { + mkAdmin = name: { + hashedPassword, + keys, + }: { "${name}" = { isNormalUser = true; createHome = true; - extraGroups = [ "wheel" ]; + extraGroups = ["wheel"]; group = "users"; home = "/home/${name}"; - openssh.authorizedKeys = { inherit keys; }; + openssh.authorizedKeys = {inherit keys;}; inherit hashedPassword; }; }; - in { users.users = mkMerge (mapAttrsToList mkAdmin admins); } diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix index d92b970..60284a7 100644 --- a/nixos/roles/default.nix +++ b/nixos/roles/default.nix 
@@ -1,62 +1,72 @@ -{pkgs, config, lib, modulesPath, ...} : { - -imports = [ - ./admins.nix - ./nix_keys.nix - ./prometheusNodeExporter.nix - (modulesPath + "/virtualisation/xen-domU.nix") - ../modules/impermanence.nix +{ + pkgs, + lib, + modulesPath, + ... +}: { + imports = [ + ./admins.nix + ./nix_keys.nix + ./prometheusNodeExporter.nix + (modulesPath + "/virtualisation/xen-domU.nix") + ../modules/impermanence.nix ]; -nix = { - extraOptions = '' - experimental-features = nix-command flakes - builders-use-substitutes = true - ''; -}; - -networking = { - firewall = { # these shoud be default, but better make sure! - enable = true; - allowPing = true; - }; - nftables.enable = true; - useDHCP = false; # We don't speak DHCP and even if we would, we should enable it per interface - # hosts = # TODO write something to autogenerate ip adresses! -}; - -users = { - mutableUsers = false; - users.root.hashedPassword = "!"; -}; - -impermanence.enable = true; - -sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - -environment = { - systemPackages = builtins.attrValues { - inherit (pkgs) - htop lsof tmux btop; - }; -}; - -services = { - journald.extraConfig = "SystemMaxUse=5G"; - - nginx = { - recommendedOptimisation = true; - recommendedGzipSettings = true; - recommendedTlsSettings = true; + nix = { + extraOptions = '' + experimental-features = nix-command flakes + builders-use-substitutes = true + ''; }; - openssh = { - enable = true; - settings = { - PermitRootLogin = "no"; - PasswordAuthentication = false; + networking = { + firewall = { + # these shoud be default, but better make sure! + enable = true; + allowPing = true; + }; + nftables.enable = true; + useDHCP = false; # We don't speak DHCP and even if we would, we should enable it per interface + # hosts = # TODO write something to autogenerate ip adresses! 
+ }; + + users = { + mutableUsers = false; + users.root.hashedPassword = "!"; + }; + + impermanence.enable = true; + + sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; + + environment = { + systemPackages = builtins.attrValues { + inherit + (pkgs) + htop + lsof + tmux + btop + ; }; }; -#Prevent clock drift due to interaction problem with xen hardware clock - timesyncd.enable = lib.mkForce true; -}; + + services = { + journald.extraConfig = "SystemMaxUse=5G"; + + nginx = { + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedTlsSettings = true; + }; + + openssh = { + enable = true; + settings = { + PermitRootLogin = "no"; + PasswordAuthentication = false; + }; + }; + #Prevent clock drift due to interaction problem with xen hardware clock + timesyncd.enable = lib.mkForce true; + }; } diff --git a/nixos/roles/nix_keys.nix b/nixos/roles/nix_keys.nix index 14f0b56..97e5dc5 100644 --- a/nixos/roles/nix_keys.nix +++ b/nixos/roles/nix_keys.nix @@ -1,5 +1,5 @@ { - imports = [ ]; + imports = []; nix.settings.trusted-public-keys = [ "nerflap2-1:pDZCg0oo9PxNQxwVSQSvycw7WXTl53PGvVeZWvxuqJc=" "gonne.mathebau.de-1:FsXFyFiBFE/JxC9MCkt/WuiXjx5dkRI9RXj0FxOQrV0=" diff --git a/nixos/roles/prometheusNodeExporter.nix b/nixos/roles/prometheusNodeExporter.nix index 9587b2f..37cdbc2 100644 --- a/nixos/roles/prometheusNodeExporter.nix +++ b/nixos/roles/prometheusNodeExporter.nix 
@@ -1,15 +1,14 @@ -{config, ...}: -{ - imports = [ ]; +{config, ...}: { + imports = []; services.prometheus.exporters.node = { enable = true; port = 9100; - # Aligned with https://git.rwth-aachen.de/fsdmath/server/prometheus/-/blob/main/node_exporter/etc/default/prometheus-node-exporter - # It was compiled along the following steps: - # 1. Does the current Debian release supports the collector? - # 2. Is the collector depracated in the latest release? - # 3. Could you probably use the collected metrics for monitoring or are they useless because they make no sense in our context - # (e.g. power adapter inside a VM, use fibre port connection)? + # Aligned with https://git.rwth-aachen.de/fsdmath/server/prometheus/-/blob/main/node_exporter/etc/default/prometheus-node-exporter + # It was compiled along the following steps: + # 1. Does the current Debian release supports the collector? + # 2. Is the collector depracated in the latest release? + # 3. Could you probably use the collected metrics for monitoring or are they useless because they make no sense in our context + # (e.g. power adapter inside a VM, use fibre port connection)? disabledCollectors = [ "arp" "bcache" @@ -35,6 +34,6 @@ "processes" ]; }; - networking.firewall.allowedTCPPorts = [ 9100 ]; - environment.persistence.${config.impermanence.name}.directories = [ "/var/lib/${config.services.prometheus.stateDir}" ]; + networking.firewall.allowedTCPPorts = [9100]; + environment.persistence.${config.impermanence.name}.directories = ["/var/lib/${config.services.prometheus.stateDir}"]; }