pre-commit #23
2
.gitignore
vendored
|
@ -2,4 +2,4 @@
|
||||||
# Ignore build outputs from performing a nix-build or `nix build` command
|
# Ignore build outputs from performing a nix-build or `nix build` command
|
||||||
result
|
result
|
||||||
result-*
|
result-*
|
||||||
|
.pre-commit-config.yaml
|
||||||
|
|
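Review bot: the single added line is right, since `.pre-commit-config.yaml` is written into the working tree by the devShell hook (flake-module.nix wires `devShells.default = config.pre-commit.devShell;`) rather than committed, but a short comment above it, like the one this file already has for `result`, would tell the next reader that it is generated and must not be hand-edited.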
35
README.md
|
@ -146,8 +146,7 @@ machine. The only technically required file in there is `configuration.nix`. So
|
||||||
|
|
||||||
A good skeleton is probably:
|
A good skeleton is probably:
|
||||||
```
|
```
|
||||||
flake-inputs:
|
{config, pkgs, lib, flake-inputs, ... }: {
|
||||||
{config, pkgs, lib, ... }: {
|
|
||||||
|
|
||||||
imports = [
|
imports = [
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
|
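Review bot: the fence around the skeleton is untagged (```); tagging it ```nix gives syntax highlighting on GitHub. Content-wise, the new argument form `{config, pkgs, lib, flake-inputs, ... }:` only receives `flake-inputs` because of the `systemConfig` wrapper in nixos/flake-module.nix, so a one-line pointer to that file here would keep the README and the wrapper in sync.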
@ -170,6 +169,10 @@ In your hardware
|
||||||
configuration you should basically only write you filesystem layout and your hostPlatform. The bootloading stuff
|
configuration you should basically only write you filesystem layout and your hostPlatform. The bootloading stuff
|
||||||
is already taken care of by `../../roles`.
|
is already taken care of by `../../roles`.
|
||||||
|
|
||||||
|
The `flake-inputs` argument is optional, but you can use it if you need to get a hold of the flake inputs,
|
||||||
|
else this is a complete normal nixos system configuration module (with a lot of settings already imorted
|
||||||
|
from `../../roles`).
|
||||||
|
|
||||||
As of moment of writing `network.nix` should contain ip, nameserver and default gateway setup. As parts of
|
As of moment of writing `network.nix` should contain ip, nameserver and default gateway setup. As parts of
|
||||||
this is constant across all systems and will undergo refactor soon.
|
this is constant across all systems and will undergo refactor soon.
|
||||||
|
|
||||||
|
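Review bot: typos in the added paragraph: `imorted` should be `imported`, and `a complete normal nixos system configuration module` should read `a completely normal NixOS system configuration module`. The unchanged context line above it has `write you filesystem layout` (should be `your`), which could be fixed while this section is being touched.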
@ -278,3 +281,31 @@ something like this:
|
||||||
{lib, pkgs, config, ...} :
|
{lib, pkgs, config, ...} :
|
||||||
<module code >
|
<module code >
|
||||||
```
|
```
|
||||||
|
|
||||||
|
# Contributing
|
||||||
|
|
||||||
|
Like with all FS projects, you are welcome to contribute. Work is done usually by the person that is most annoyed
|
||||||
|
by the circumstances or by the person that didn't run fast enough. So we are happy if we get help. That doesn't
|
||||||
|
mean that we don't need to have some level of quality, people after us needs to work with it. It is live infrastructure
|
||||||
|
and downtime hurts someone (and in the wrong moment even really bad (Matheball ticket sales for example)).
|
||||||
|
|||||||
|
|
||||||
|
So here are some Guidelines.
|
||||||
|
|
||||||
|
## Coding style and linting.
|
||||||
|
If you run `nix flake check` there are automated checks in place, please make sure to pass them.
|
||||||
Gonne
commented
If I run that, I get
```
$ nix check
error: 'check' is not a recognised command
Try 'nix --help' for more information.
```
nerf
commented
ahh of course that should be `nix flake check`
|
|||||||
|
There is also a code autoformatter (`alejandra`) incorporated into those. If you want to run
|
||||||
|
it you can do so over the development shell or by running `nix fmt`.
|
||||||
|
You can also install
|
||||||
Gonne
commented
```
$ nix develop
error: flake 'git+file:///home/…/nixConfig' does not provide attribute 'devShells.x86_64-linux.devShell.x86_64-linux', 'packages.x86_64-linux.devShell.x86_64-linux', 'legacyPackages.x86_64-linux.devShell.x86_64-linux', 'devShell.x86_64-linux' or 'defaultPackage.x86_64-linux'
```
Gonne
commented
More info for reference:
```
$ nix flake show
git+file:///home/…/nixConfig?ref=pre-commit&rev=04469765541ab58d9777d5fd74b7e43ba6fe0e97
├───apps
│ └───x86_64-linux
├───checks
│ └───x86_64-linux
│ └───pre-commit: derivation 'pre-commit-run'
├───devShells
│ └───x86_64-linux
│ └───default: development environment 'nix-shell'
├───formatter: unknown
├───legacyPackages
warning: │ └───x86_64-linux: omitted (use '--legacy' to show)
├───nixosConfigurations
│ └───ghatanothoa: NixOS configuration
├───nixosModules
├───overlays
└───packages
└───x86_64-linux
```
nerf
commented
That is weird. To cite the [nix reference](https://nixos.org/manual/nix/unstable/command-ref/new-cli/nix3-develop)
> # Flake output attributes
>If no flake output attribute is given, `nix develop` tries the following flake output attributes:
> - devShells.\<system>.default
> - packages.\<system>.default
>
> If a flake output name is given, `nix develop` tries the following flake output attributes:
> - devShells.\<system>.\<name>
> - packages.\<system>.\<name>
> - legacyPackages.\<system>.\<name>
That matches the paths from your `nix flake show` but not from the error message of your `nix develop`. So I think that is a problem on your side. What is your nix version?
There are two old related issues [error message bug](https://github.com/NixOS/nix/issues/5880) and [change output names](https://github.com/NixOS/nix/issues/5532)
You might try `nix develop .#default` to set the default explicitly
Gonne
commented
```
$ nix --version
nix (Nix) 2.6.0
```
The first link suggests that this has been resolved in version `2.7.0`.
nerf
commented
`2.18.0` is the current version, I think you should upgrade, did the `nix develop .#default` work?
|
|||||||
|
them into your local git repository as pre-commit hooks, and setting up a shell that has
|
||||||
|
even more tooling by running `nix develop`. That will give you a bash in which you can run
|
||||||
|
all the checks manually `pre-commit run -a`. This will also run the autoformatter.
|
||||||
|
|
||||||
|
## Process for submitting changes
|
||||||
|
|
||||||
|
1. If it is something bigger, please open an issue first describing what and why you want to do something.
|
||||||
|
If it is just something small, skip this step.
|
||||||
|
2. Fork the repo and implement your changes in a branch on your fork. Afterwards open a pull request (possibly mentioning the issue).
|
||||||
|
Against the main branch.
|
||||||
|
- Your branch should be based on an up to date version of main, if it is not consider rebasing.
|
||||||
|
3. You will need to find someone with the proper rights to approve of your changes, but most of the time there will be request
|
||||||
|
for changes first.
|
||||||
|
|
|
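Review bot: a few wording fixes in the added Contributing text: `people after us needs to work with it` should be `need`; `So here are some Guidelines` should be lower-case `guidelines`; in step 2 the fragment `Against the main branch.` belongs in the previous sentence (`open a pull request against the main branch, possibly mentioning the issue`); and `if it is not consider rebasing` needs a comma after `not`. The thread above already caught `nix check` versus `nix flake check`; the hunk text reads `nix flake check`, so that is settled. It would also help to state that `nix flake check` evaluates the same pre-commit derivation that `nix flake show` lists as `checks.x86_64-linux.pre-commit`, so readers know both paths run the same hooks.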
@ -1,28 +1,60 @@
|
||||||
{inputs, ...}:
|
{inputs, ...}: {
|
||||||
{
|
|
||||||
# debug = true;
|
# debug = true;
|
||||||
# We only define machines config in this flake yet, so we only include
|
# We only define machines config in this flake yet, so we only include
|
||||||
# the module that builds these. This file might get fuller, if we need to
|
# the module that builds these. This file might get fuller, if we need to
|
||||||
# build our own packages, that are not flakes.
|
# build our own packages, that are not flakes.
|
||||||
imports = [ ./nixos/flake-module.nix
|
imports = [
|
||||||
# To import a flake module
|
./nixos/flake-module.nix
|
||||||
# 1. Add foo to inputs
|
inputs.pre-commit-hooks.flakeModule
|
||||||
# 2. Add foo as a parameter to the outputs function
|
# To import a flake module
|
||||||
# 3. Add here: foo.flakeModule
|
# 1. Add foo to inputs
|
||||||
|
# 2. Add foo as a parameter to the outputs function
|
||||||
|
# 3. Add here: foo.flakeModule
|
||||||
];
|
];
|
||||||
systems = [ "x86_64-linux"];
|
systems = ["x86_64-linux"];
|
||||||
# perSystem = { config, self', inputs', pkgs, system, ... }: {
|
perSystem = {
|
||||||
# Per-system attributes can be defined here. The self' and inputs'
|
config,
|
||||||
# module parameters provide easy access to attributes of the same
|
pkgs,
|
||||||
# system.
|
...
|
||||||
|
}: {
|
||||||
|
devShells.default = config.pre-commit.devShell;
|
||||||
|
|
||||||
|
pre-commit = let
|
||||||
|
generatedFiles = [
|
||||||
|
"hardware-configuration\\.nix"
|
||||||
|
];
|
||||||
|
in {
|
||||||
|
check.enable = true;
|
||||||
|
settings = {
|
||||||
|
# for some reason statix takes it config differently than all the other hooks.
|
||||||
|
settings.statix = {
|
||||||
|
format = "stderr";
|
||||||
|
ignore = generatedFiles;
|
||||||
|
};
|
||||||
|
hooks = {
|
||||||
|
nil.enable = true;
|
||||||
|
statix.enable = true;
|
||||||
|
deadnix = {
|
||||||
|
enable = true;
|
||||||
|
excludes = generatedFiles;
|
||||||
|
};
|
||||||
|
alejandra.enable = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
formatter = pkgs.alejandra;
|
||||||
|
|
||||||
|
# Per-system attributes can be defined here. The self' and inputs'
|
||||||
|
# module parameters provide easy access to attributes of the same
|
||||||
|
# system.
|
||||||
|
};
|
||||||
|
|
||||||
# Equivalent to inputs'.nixpkgs.legacyPackages.hello;
|
# Equivalent to inputs'.nixpkgs.legacyPackages.hello;
|
||||||
# };
|
# flake = {
|
||||||
# flake = {
|
# The usual flake attributes can be defined here, including system-
|
||||||
# The usual flake attributes can be defined here, including system-
|
# agnostic ones like nixosModule and system-enumerating ones, although
|
||||||
# agnostic ones like nixosModule and system-enumerating ones, although
|
# those are more easily expressed in perSystem.
|
||||||
# those are more easily expressed in perSystem.
|
|
||||||
|
|
||||||
# };
|
# };
|
||||||
}
|
}
|
||||||
|
|
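Review bot: `generatedFiles` is one list fed to two settings of different types: `deadnix.excludes` is a list of regular expressions (hence the `\\.`), while `settings.statix.ignore` is handed to statix, which matches ignore entries as glob patterns. Both happen to accept `hardware-configuration\.nix`, but by different rules, so either keep two lists or add a comment saying the entry is written to satisfy both. Secondary: the `# Per-system attributes can be defined here...` and `# Equivalent to inputs'.nixpkgs.legacyPackages.hello;` lines are flake-parts template leftovers and can go now that `perSystem` has real content.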
56
flake.lock
|
@ -33,6 +33,24 @@
|
||||||
"type": "indirect"
|
"type": "indirect"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"flake-utils": {
|
||||||
|
"inputs": {
|
||||||
|
"systems": "systems"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1685518550,
|
||||||
|
"narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=",
|
||||||
|
"owner": "numtide",
|
||||||
|
"repo": "flake-utils",
|
||||||
|
"rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "numtide",
|
||||||
|
"repo": "flake-utils",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"impermanence": {
|
"impermanence": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1697303681,
|
"lastModified": 1697303681,
|
||||||
|
@ -151,12 +169,35 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"pre-commit-hooks": {
|
||||||
|
"inputs": {
|
||||||
|
"flake-compat": [],
|
||||||
|
"flake-utils": "flake-utils",
|
||||||
|
"gitignore": [],
|
||||||
|
"nixpkgs": [],
|
||||||
|
"nixpkgs-stable": []
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1699271226,
|
||||||
|
"narHash": "sha256-8Jt1KW3xTjolD6c6OjJm9USx/jmL+VVmbooADCkdDfU=",
|
||||||
|
"owner": "cachix",
|
||||||
|
"repo": "pre-commit-hooks.nix",
|
||||||
|
"rev": "ea758da1a6dcde6dc36db348ed690d09b9864128",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "cachix",
|
||||||
|
"repo": "pre-commit-hooks.nix",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"root": {
|
"root": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"flake-parts": "flake-parts",
|
"flake-parts": "flake-parts",
|
||||||
"impermanence": "impermanence",
|
"impermanence": "impermanence",
|
||||||
"nixos-mailserver": "nixos-mailserver",
|
"nixos-mailserver": "nixos-mailserver",
|
||||||
"nixpkgs": "nixpkgs",
|
"nixpkgs": "nixpkgs",
|
||||||
|
"pre-commit-hooks": "pre-commit-hooks",
|
||||||
"sops-nix": "sops-nix"
|
"sops-nix": "sops-nix"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
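Review bot: the pin is complete (owner, repo, rev and narHash), so the hook code is content-addressed and reproducible; since these hooks execute on every developer commit and inside `nix flake check`, future bumps of `pre-commit-hooks` deserve the same review of the upstream diff as any other dependency upgrade. The `[]` entries for `flake-compat`, `gitignore`, `nixpkgs` and `nixpkgs-stable` confirm that the `follows = ""` overrides in flake.nix took effect; `flake-utils` and `systems` remain as the only new transitive pins.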
@ -181,6 +222,21 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"systems": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1681028828,
|
||||||
|
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||||
|
"owner": "nix-systems",
|
||||||
|
"repo": "default",
|
||||||
|
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nix-systems",
|
||||||
|
"repo": "default",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"utils": {
|
"utils": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1605370193,
|
"lastModified": 1605370193,
|
||||||
|
|
13
flake.nix
|
@ -17,8 +17,17 @@
|
||||||
impermanence = {
|
impermanence = {
|
||||||
url = "github:nix-community/impermanence";
|
url = "github:nix-community/impermanence";
|
||||||
};
|
};
|
||||||
|
pre-commit-hooks = {
|
||||||
|
url = "github:cachix/pre-commit-hooks.nix";
|
||||||
|
inputs = {
|
||||||
|
flake-compat.follows = "";
|
||||||
|
gitignore.follows = "";
|
||||||
|
nixpkgs-stable.follows = "";
|
||||||
|
nixpkgs.follows = "";
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = inputs@{ flake-parts, ... }:
|
outputs = inputs @ {flake-parts, ...}:
|
||||||
flake-parts.lib.mkFlake { inherit inputs; } (import ./flake-module.nix);
|
flake-parts.lib.mkFlake {inherit inputs;} (import ./flake-module.nix);
|
||||||
}
|
}
|
||||||
|
|
|
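Review bot: `nixpkgs.follows = "";` drops the input entirely rather than sharing ours. That works here because the flakeModule takes `pkgs` from `perSystem`, but any output of pre-commit-hooks.nix that evaluates its own nixpkgs becomes unavailable, and the lock ends up with `"nixpkgs": []` for it. `nixpkgs.follows = "nixpkgs";` is the conventional choice, keeps a single nixpkgs pin, and avoids surprises if a hook package is ever taken from the input's own package set.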
@ -1,20 +1,30 @@
|
||||||
# copied and adopted from maralorns config
|
# copied and adopted from maralorns config
|
||||||
|
|
||||||
# This automatically searches for nixos configs in ./machines/${name}/configuration.nix
|
# This automatically searches for nixos configs in ./machines/${name}/configuration.nix
|
||||||
# and exposes them as outputs.nixosConfigurations.${name}
|
# and exposes them as outputs.nixosConfigurations.${name}
|
||||||
{ withSystem, lib, inputs, ... }: {
|
{
|
||||||
|
withSystem,
|
||||||
|
lib,
|
||||||
|
inputs,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
flake = {
|
flake = {
|
||||||
nixosConfigurations = withSystem "x86_64-linux" ({ pkgs, ... }:
|
nixosConfigurations = withSystem "x86_64-linux" ({pkgs, ...}: let
|
||||||
let
|
|
||||||
machines = builtins.attrNames (builtins.readDir ./machines);
|
machines = builtins.attrNames (builtins.readDir ./machines);
|
||||||
makeSystem = name:
|
makeSystem = name: let
|
||||||
|
importedConfig = import (./. + "/machines/${name}/configuration.nix");
|
||||||
|
systemConfig =
|
||||||
|
if lib.isFunction importedConfig
|
||||||
|
then x: importedConfig (x // {flake-inputs = inputs;})
|
||||||
|
else importedConfig;
|
||||||
|
in
|
||||||
pkgs.nixos {
|
pkgs.nixos {
|
||||||
imports = [
|
imports = [
|
||||||
(import (./. + "/machines/${name}/configuration.nix") inputs)
|
systemConfig
|
||||||
inputs.sops-nix.nixosModules.sops
|
inputs.sops-nix.nixosModules.sops
|
||||||
inputs.impermanence.nixosModules.impermanence
|
inputs.impermanence.nixosModules.impermanence
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
in lib.genAttrs machines makeSystem);
|
in
|
||||||
|
lib.genAttrs machines makeSystem);
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
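Review bot: the `systemConfig` wrapper `x: importedConfig (x // {flake-inputs = inputs;})` hides the module's argument list: `lib.functionArgs` of a plain `x:` lambda is `{}`, so the module system adds nothing from `config._module.args` and the wrapped function only receives `config`, `options`, `lib` and the specialArgs. A machine written like the README skeleton (`{config, pkgs, lib, flake-inputs, ...}: ...`) then fails with a missing `pkgs` argument. It works for ghatanothoa only because its configuration.nix is now a plain attribute set. A simpler and robust fix is to keep importing configuration.nix directly and add a tiny module to `imports`, `{_module.args.flake-inputs = inputs;}`, which makes `flake-inputs` available to every module including `../../roles`; if the wrapper is kept, preserve the argument set with `lib.setFunctionArgs` minus `flake-inputs`.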
@ -1,19 +1,17 @@
|
||||||
flake-inputs:
|
{
|
||||||
{config, pkgs, lib, ... }: {
|
imports = [
|
||||||
|
./hardware-configuration.nix
|
||||||
imports = [
|
../../modules/jitsi.nix
|
||||||
./hardware-configuration.nix
|
../../roles
|
||||||
../../modules/jitsi.nix
|
./network.nix
|
||||||
../../roles
|
];
|
||||||
./network.nix
|
|
||||||
];
|
|
||||||
|
|
||||||
services.mathebau-jitsi = {
|
services.mathebau-jitsi = {
|
||||||
enable = true;
|
enable = true;
|
||||||
hostName = "meet.mathebau.de";
|
hostName = "meet.mathebau.de";
|
||||||
};
|
};
|
||||||
|
|
||||||
# System configuration here
|
# System configuration here
|
||||||
networking.hostName = "ghatanothoa";
|
networking.hostName = "ghatanothoa";
|
||||||
system.stateVersion = "23.11";
|
system.stateVersion = "23.11";
|
||||||
}
|
}
|
||||||
|
|
|
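Review bot: this file is now a plain attribute set, so it no longer matches the README skeleton, which shows the function form with `flake-inputs`. Both are accepted by the module system, but either say so in the README (a plain set is fine when no module arguments are needed) or keep the function form here for consistency with the documented skeleton.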
@ -1,15 +1,15 @@
|
||||||
{config, lib, pkgs, modulesPath, ...}: {
|
{lib, ...}: {
|
||||||
imports = [ ];
|
imports = [];
|
||||||
|
|
||||||
fileSystems."/" = {
|
fileSystems."/" = {
|
||||||
device = "gha-root";
|
device = "gha-root";
|
||||||
fsType = "tmpfs";
|
fsType = "tmpfs";
|
||||||
options = [ "size=1G" "mode=755" ];
|
options = ["size=1G" "mode=755"];
|
||||||
};
|
};
|
||||||
fileSystems."/persist" = {
|
fileSystems."/persist" = {
|
||||||
device = "/dev/disk/by-uuid/e0a160ef-7d46-4705-9152-a6b602898136";
|
device = "/dev/disk/by-uuid/e0a160ef-7d46-4705-9152-a6b602898136";
|
||||||
fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
options = [ "subvol=persist" ];
|
options = ["subvol=persist"];
|
||||||
neededForBoot = true;
|
neededForBoot = true;
|
||||||
};
|
};
|
||||||
fileSystems."/boot" = {
|
fileSystems."/boot" = {
|
||||||
|
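Review bot: trimming `{config, lib, pkgs, modulesPath, ...}` to `{lib, ...}` is what deadnix would demand, yet this file is listed in `generatedFiles` and so excluded from deadnix and statix, while alejandra still formats it. Re-running `nixos-generate-config` restores the full argument list and the spaced brackets, so the next `nix fmt` will churn this file again; a comment at the top saying it is hand-maintained after generation avoids that surprise.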
@ -19,11 +19,10 @@
|
||||||
fileSystems."/nix" = {
|
fileSystems."/nix" = {
|
||||||
device = "/dev/disk/by-uuid/e0a160ef-7d46-4705-9152-a6b602898136";
|
device = "/dev/disk/by-uuid/e0a160ef-7d46-4705-9152-a6b602898136";
|
||||||
fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
options = [ "subvol=nix" ];
|
options = ["subvol=nix"];
|
||||||
};
|
};
|
||||||
|
|
||||||
swapDevices =
|
swapDevices = [{device = "/dev/disk/by-uuid/e6e3ba6b-c9f5-4960-b56d-f49760d76a4a";}];
|
||||||
[{ device = "/dev/disk/by-uuid/e6e3ba6b-c9f5-4960-b56d-f49760d76a4a"; }];
|
|
||||||
|
|
||||||
nix.settings.max-jobs = lib.mkDefault 4;
|
nix.settings.max-jobs = lib.mkDefault 4;
|
||||||
|
|
||||||
|
|
|
@ -1,15 +1,16 @@
|
||||||
# We sohuld put that config somewhere in roles and give it a parameter or something,
|
# We sohuld put that config somewhere in roles and give it a parameter or something,
|
||||||
# everyone gets the same nameserver and the same prefixLength and address vs defaultGateway alsways
|
# everyone gets the same nameserver and the same prefixLength and address vs defaultGateway alsways
|
||||||
# depend on the same thing
|
# depend on the same thing
|
||||||
{
|
{
|
||||||
imports = [ ];
|
imports = [];
|
||||||
networking = {
|
networking = {
|
||||||
interfaces.enX0.ipv4.addresses = [ {
|
interfaces.enX0.ipv4.addresses = [
|
||||||
address = "192.168.0.25";
|
{
|
||||||
prefixLength = 16;
|
address = "192.168.0.25";
|
||||||
} ];
|
prefixLength = 16;
|
||||||
|
}
|
||||||
|
];
|
||||||
defaultGateway = "192.168.0.152";
|
defaultGateway = "192.168.0.152";
|
||||||
nameservers = ["130.83.2.22" "130.83.56.60" "130.83.22.60" "130.82.22.63"];
|
nameservers = ["130.83.2.22" "130.83.56.60" "130.83.22.60" "130.82.22.63"];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
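Review bot: the two comment lines carry `sohuld` and `alsways`; since alejandra is rewriting this file anyway, fix them in this pass. The refactor the comment promises (shared nameservers and prefixLength in roles) is the same one the README hunk announces as "will undergo refactor soon", so one TODO marker in either place is enough.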
@ -1,47 +1,47 @@
|
||||||
{lib, config, ...} :
|
{
|
||||||
|
lib,
|
||||||
let
|
config,
|
||||||
inherit (lib)
|
...
|
||||||
|
}: let
|
||||||
|
inherit
|
||||||
|
(lib)
|
||||||
mkEnableOption
|
mkEnableOption
|
||||||
mkIf
|
mkIf
|
||||||
mkOption
|
mkOption
|
||||||
types
|
types
|
||||||
;
|
;
|
||||||
cfg = config.impermanence;
|
cfg = config.impermanence;
|
||||||
in
|
in {
|
||||||
|
imports = [];
|
||||||
|
|
||||||
{
|
options.impermanence = {
|
||||||
imports = [ ];
|
enable = mkEnableOption "impermanence";
|
||||||
|
storagePath = mkOption {
|
||||||
options.impermanence = {
|
type = types.path;
|
||||||
enable = mkEnableOption "impermanence";
|
default = "/persist";
|
||||||
storagePath = mkOption {
|
description = "The path where persistent data is stored";
|
||||||
type = types.path;
|
};
|
||||||
default = "/persist";
|
name = mkOption {
|
||||||
description = "The path where persistent data is stored";
|
type = types.str;
|
||||||
|
default = "persist";
|
||||||
|
description = "the name of the persistent data store";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
name = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
default = "persist";
|
|
||||||
description = "the name of the persistent data store";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
environment.persistence.${cfg.name} = {
|
environment.persistence.${cfg.name} = {
|
||||||
persistentStoragePath = cfg.storagePath;
|
persistentStoragePath = cfg.storagePath;
|
||||||
directories = [
|
directories = [
|
||||||
"/var/log"
|
"/var/log"
|
||||||
"/var/lib/nixos"
|
"/var/lib/nixos"
|
||||||
];
|
];
|
||||||
files = [
|
files = [
|
||||||
"/etc/ssh/ssh_host_ed25519_key"
|
"/etc/ssh/ssh_host_ed25519_key"
|
||||||
"/etc/ssh/ssh_host_ed25519_key.pub"
|
"/etc/ssh/ssh_host_ed25519_key.pub"
|
||||||
"/etc/ssh/ssh_host_rsa_key"
|
"/etc/ssh/ssh_host_rsa_key"
|
||||||
"/etc/ssh/ssh_host_rsa_key.pub"
|
"/etc/ssh/ssh_host_rsa_key.pub"
|
||||||
];
|
];
|
||||||
|
};
|
||||||
|
environment.etc.machine-id.source = "${cfg.storagePath}/machine-id";
|
||||||
};
|
};
|
||||||
environment.etc.machine-id.source = "${cfg.storagePath}/machine-id";
|
|
||||||
};
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
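Review bot: formatting only, but the `files` list deserves a comment: `/etc/ssh/ssh_host_ed25519_key` must stay persisted not just for host identity, because `sops.age.sshKeyPaths` in roles/default.nix derives the age decryption key from it; dropping it from persistence would break secret decryption after the next reboot, not merely trigger a host-key warning.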
@ -1,16 +1,21 @@
|
||||||
{pkgs, config, lib, modulesPath, ...}:
|
{
|
||||||
let
|
config,
|
||||||
inherit (lib)
|
lib,
|
||||||
|
modulesPath,
|
||||||
|
...
|
||||||
|
}: let
|
||||||
|
inherit
|
||||||
|
(lib)
|
||||||
mkIf
|
mkIf
|
||||||
mkEnableOption
|
mkEnableOption
|
||||||
mkOption
|
mkOption
|
||||||
head;
|
head
|
||||||
|
;
|
||||||
inherit (lib.types) str;
|
inherit (lib.types) str;
|
||||||
cfg = config.services.mathebau-jitsi;
|
cfg = config.services.mathebau-jitsi;
|
||||||
in
|
in {
|
||||||
{
|
|
||||||
imports = [(modulesPath + "/services/web-apps/jitsi-meet.nix")];
|
imports = [(modulesPath + "/services/web-apps/jitsi-meet.nix")];
|
||||||
|
|
||||||
options.services.mathebau-jitsi = {
|
options.services.mathebau-jitsi = {
|
||||||
enable = mkEnableOption "mathebau jitsi service";
|
enable = mkEnableOption "mathebau jitsi service";
|
||||||
hostName = mkOption {
|
hostName = mkOption {
|
||||||
|
@ -23,18 +28,25 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
services.jitsi-meet = {
|
services = {
|
||||||
enable = true;
|
jitsi-meet = {
|
||||||
hostName = cfg.hostName;
|
enable = true;
|
||||||
config = {
|
config = {
|
||||||
defaultLang = "de";
|
defaultLang = "de";
|
||||||
|
};
|
||||||
|
inherit (cfg) hostName;
|
||||||
};
|
};
|
||||||
};
|
jitsi-videobridge = {
|
||||||
services.jitsi-videobridge = {
|
openFirewall = true;
|
||||||
openFirewall = true;
|
nat = {
|
||||||
nat = {
|
publicAddress = "130.83.2.184";
|
||||||
publicAddress = "130.83.2.184";
|
inherit (cfg) localAddress;
|
||||||
localAddress = cfg.localAddress;
|
};
|
||||||
|
};
|
||||||
|
#We are behind a reverse proxy that handles TLS
|
||||||
|
nginx.virtualHosts."${cfg.hostName}" = {
|
||||||
|
enableACME = false;
|
||||||
|
forceSSL = false;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
environment.persistence.${config.impermanence.name} = {
|
environment.persistence.${config.impermanence.name} = {
|
||||||
|
@ -43,13 +55,7 @@ in
|
||||||
"/var/lib/prosody"
|
"/var/lib/prosody"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
#We are behind a reverse proxy that handles TLS
|
#The network ports for HTTP(S) are not opened automatically
|
||||||
services.nginx.virtualHosts."${cfg.hostName}" = {
|
networking.firewall.allowedTCPPorts = [80 443];
|
||||||
enableACME = false;
|
|
||||||
forceSSL = false;
|
|
||||||
};
|
|
||||||
|
|
||||||
#The network ports for HTTP(S) are not opened automatically
|
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
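Review bot: moving the nginx vhost and the firewall line is formatting-only, but it is the right moment to ask why `[80 443]` is opened when the vhost has `forceSSL = false` and `enableACME = false` and the comment says TLS terminates on the reverse proxy: nginx is not serving TLS on this host, so 443 is opened for nothing, and 80 serves the plaintext Jitsi frontend to everything on the 192.168.0.0/16 segment (see network.nix) rather than only to the proxy. Dropping 443 and restricting 80 to the proxy's source address would match the comment.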
@ -1,37 +1,34 @@
|
||||||
{lib, ...} :
|
{lib, ...}:
|
||||||
with lib;
|
with lib; let
|
||||||
|
|
||||||
let
|
|
||||||
admins = {
|
admins = {
|
||||||
nerf = {
|
nerf = {
|
||||||
hashedPassword =
|
hashedPassword = "$y$j9T$SJcjUIcs3JYuM5oyxfEQa/$tUBQT07FK4cb9xm.A6ZKVnFIPNOYMOKC6Dt6hadCuJ7";
|
||||||
"$y$j9T$SJcjUIcs3JYuM5oyxfEQa/$tUBQT07FK4cb9xm.A6ZKVnFIPNOYMOKC6Dt6hadCuJ7";
|
keys = [
|
||||||
keys = [
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEdA4LpEGUUmN8esFyrNZXFb2GiBID9/S6zzhcnofQuP nerf@nerflap2"
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEdA4LpEGUUmN8esFyrNZXFb2GiBID9/S6zzhcnofQuP nerf@nerflap2"
|
];
|
||||||
];
|
|
||||||
};
|
};
|
||||||
gonne = {
|
gonne = {
|
||||||
hashedPassword =
|
hashedPassword = "$6$EtGpHEcFkOi0yUWp$slXf0CvIUrhdqaoCrQ5YwtYu2IVuE1RGGst4fnDPRLWVm.lYx0ruvSAF2/vw/sLbW37ORJjlb0NHQ.kSG7cVY/";
|
||||||
"$6$EtGpHEcFkOi0yUWp$slXf0CvIUrhdqaoCrQ5YwtYu2IVuE1RGGst4fnDPRLWVm.lYx0ruvSAF2/vw/sLbW37ORJjlb0NHQ.kSG7cVY/";
|
keys = [
|
||||||
keys = [
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFopCUadohY3wg9AoEup9TDRDMyEPSLsQoCnN4lsKCrr gonne@mathebau.de NixOS"
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFopCUadohY3wg9AoEup9TDRDMyEPSLsQoCnN4lsKCrr gonne@mathebau.de NixOS"
|
];
|
||||||
];
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
mkAdmin = name :
|
mkAdmin = name: {
|
||||||
{hashedPassword, keys}: {
|
hashedPassword,
|
||||||
|
keys,
|
||||||
|
}: {
|
||||||
"${name}" = {
|
"${name}" = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
createHome = true;
|
createHome = true;
|
||||||
extraGroups = [ "wheel" ];
|
extraGroups = ["wheel"];
|
||||||
group = "users";
|
group = "users";
|
||||||
home = "/home/${name}";
|
home = "/home/${name}";
|
||||||
openssh.authorizedKeys = { inherit keys; };
|
openssh.authorizedKeys = {inherit keys;};
|
||||||
inherit hashedPassword;
|
inherit hashedPassword;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
in {
|
in {
|
||||||
users.users = mkMerge (mapAttrsToList mkAdmin admins);
|
users.users = mkMerge (mapAttrsToList mkAdmin admins);
|
||||||
}
|
}
|
||||||
|
|
|
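Review bot: formatting only, but two observations on the visible lines: both password hashes are committed in the clear, and `gonne`'s is `$6$` (sha512-crypt) whereas `nerf`'s is `$y$` (yescrypt). With `PasswordAuthentication = false` in roles/default.nix these hashes only gate sudo and console logins, but anyone with repository access can still crack them offline, and sha512-crypt resists that far less than yescrypt. Consider regenerating the `$6$` hash as yescrypt (`mkpasswd -m yescrypt`) and, since `mutableUsers = false` supports it, moving the hashes into sops secrets referenced via `hashedPasswordFile`.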
@ -1,62 +1,72 @@
|
||||||
{pkgs, config, lib, modulesPath, ...} : {
|
{
|
||||||
|
pkgs,
|
||||||
imports = [
|
lib,
|
||||||
./admins.nix
|
modulesPath,
|
||||||
./nix_keys.nix
|
...
|
||||||
./prometheusNodeExporter.nix
|
}: {
|
||||||
(modulesPath + "/virtualisation/xen-domU.nix")
|
imports = [
|
||||||
../modules/impermanence.nix
|
./admins.nix
|
||||||
|
./nix_keys.nix
|
||||||
|
./prometheusNodeExporter.nix
|
||||||
|
(modulesPath + "/virtualisation/xen-domU.nix")
|
||||||
|
../modules/impermanence.nix
|
||||||
];
|
];
|
||||||
nix = {
|
nix = {
|
||||||
extraOptions = ''
|
extraOptions = ''
|
||||||
experimental-features = nix-command flakes
|
experimental-features = nix-command flakes
|
||||||
builders-use-substitutes = true
|
builders-use-substitutes = true
|
||||||
'';
|
'';
|
||||||
};
|
|
||||||
|
|
||||||
networking = {
|
|
||||||
firewall = { # these shoud be default, but better make sure!
|
|
||||||
enable = true;
|
|
||||||
allowPing = true;
|
|
||||||
};
|
|
||||||
nftables.enable = true;
|
|
||||||
useDHCP = false; # We don't speak DHCP and even if we would, we should enable it per interface
|
|
||||||
# hosts = # TODO write something to autogenerate ip adresses!
|
|
||||||
};
|
|
||||||
|
|
||||||
users = {
|
|
||||||
mutableUsers = false;
|
|
||||||
users.root.hashedPassword = "!";
|
|
||||||
};
|
|
||||||
|
|
||||||
impermanence.enable = true;
|
|
||||||
|
|
||||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
|
||||||
|
|
||||||
environment = {
|
|
||||||
systemPackages = builtins.attrValues {
|
|
||||||
inherit (pkgs)
|
|
||||||
htop lsof tmux btop;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services = {
|
|
||||||
journald.extraConfig = "SystemMaxUse=5G";
|
|
||||||
|
|
||||||
nginx = {
|
|
||||||
recommendedOptimisation = true;
|
|
||||||
recommendedGzipSettings = true;
|
|
||||||
recommendedTlsSettings = true;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
openssh = {
|
networking = {
|
||||||
enable = true;
|
firewall = {
|
||||||
settings = {
|
# these shoud be default, but better make sure!
|
||||||
PermitRootLogin = "no";
|
enable = true;
|
||||||
PasswordAuthentication = false;
|
allowPing = true;
|
||||||
|
};
|
||||||
|
nftables.enable = true;
|
||||||
|
useDHCP = false; # We don't speak DHCP and even if we would, we should enable it per interface
|
||||||
|
# hosts = # TODO write something to autogenerate ip adresses!
|
||||||
|
};
|
||||||
|
|
||||||
|
users = {
|
||||||
|
mutableUsers = false;
|
||||||
|
users.root.hashedPassword = "!";
|
||||||
|
};
|
||||||
|
|
||||||
|
impermanence.enable = true;
|
||||||
|
|
||||||
|
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
|
||||||
|
|
||||||
|
environment = {
|
||||||
|
systemPackages = builtins.attrValues {
|
||||||
|
inherit
|
||||||
|
(pkgs)
|
||||||
|
htop
|
||||||
|
lsof
|
||||||
|
tmux
|
||||||
|
btop
|
||||||
|
;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
#Prevent clock drift due to interaction problem with xen hardware clock
|
|
||||||
timesyncd.enable = lib.mkForce true;
|
services = {
|
||||||
};
|
journald.extraConfig = "SystemMaxUse=5G";
|
||||||
|
|
||||||
|
nginx = {
|
||||||
|
recommendedOptimisation = true;
|
||||||
|
recommendedGzipSettings = true;
|
||||||
|
recommendedTlsSettings = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
openssh = {
|
||||||
|
enable = true;
|
||||||
|
settings = {
|
||||||
|
PermitRootLogin = "no";
|
||||||
|
PasswordAuthentication = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
#Prevent clock drift due to interaction problem with xen hardware clock
|
||||||
|
timesyncd.enable = lib.mkForce true;
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
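Review bot: pure reordering and formatting. While here: `PasswordAuthentication = false` alone does not disable password logins over SSH on NixOS, because `services.openssh.settings.KbdInteractiveAuthentication` defaults to `true` and sshd then still offers PAM password prompts via keyboard-interactive; add `KbdInteractiveAuthentication = false;` next to it. Also `shoud` in the firewall comment should be `should`.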
@ -1,5 +1,5 @@
|
||||||
{
|
{
|
||||||
imports = [ ];
|
imports = [];
|
||||||
nix.settings.trusted-public-keys = [
|
nix.settings.trusted-public-keys = [
|
||||||
"nerflap2-1:pDZCg0oo9PxNQxwVSQSvycw7WXTl53PGvVeZWvxuqJc="
|
"nerflap2-1:pDZCg0oo9PxNQxwVSQSvycw7WXTl53PGvVeZWvxuqJc="
|
||||||
"gonne.mathebau.de-1:FsXFyFiBFE/JxC9MCkt/WuiXjx5dkRI9RXj0FxOQrV0="
|
"gonne.mathebau.de-1:FsXFyFiBFE/JxC9MCkt/WuiXjx5dkRI9RXj0FxOQrV0="
|
||||||
|
|
|
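Review bot: formatting only; the trusted keys belong to individual developer machines (`nerflap2-1`, `gonne.mathebau.de-1`), so a compromise of either laptop lets attacker-signed store paths be accepted by every host. A comment explaining why that is accepted (remote deployment from those machines) would stop future readers from treating the list as a binary-cache key list and adding to it casually.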
@ -1,15 +1,14 @@
|
||||||
{config, ...}:
|
{config, ...}: {
|
||||||
{
|
imports = [];
|
||||||
imports = [ ];
|
|
||||||
services.prometheus.exporters.node = {
|
services.prometheus.exporters.node = {
|
||||||
enable = true;
|
enable = true;
|
||||||
port = 9100;
|
port = 9100;
|
||||||
# Aligned with https://git.rwth-aachen.de/fsdmath/server/prometheus/-/blob/main/node_exporter/etc/default/prometheus-node-exporter
|
# Aligned with https://git.rwth-aachen.de/fsdmath/server/prometheus/-/blob/main/node_exporter/etc/default/prometheus-node-exporter
|
||||||
# It was compiled along the following steps:
|
# It was compiled along the following steps:
|
||||||
# 1. Does the current Debian release supports the collector?
|
# 1. Does the current Debian release supports the collector?
|
||||||
# 2. Is the collector depracated in the latest release?
|
# 2. Is the collector depracated in the latest release?
|
||||||
# 3. Could you probably use the collected metrics for monitoring or are they useless because they make no sense in our context
|
# 3. Could you probably use the collected metrics for monitoring or are they useless because they make no sense in our context
|
||||||
# (e.g. power adapter inside a VM, use fibre port connection)?
|
# (e.g. power adapter inside a VM, use fibre port connection)?
|
||||||
disabledCollectors = [
|
disabledCollectors = [
|
||||||
"arp"
|
"arp"
|
||||||
"bcache"
|
"bcache"
|
||||||
|
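Review bot: the comment lines have `Does the current Debian release supports the collector?` (should be `support`) and `depracated` (should be `deprecated`); both are pre-existing but cheap to fix in a formatting pass.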
@ -35,6 +34,6 @@
|
||||||
"processes"
|
"processes"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
networking.firewall.allowedTCPPorts = [ 9100 ];
|
networking.firewall.allowedTCPPorts = [9100];
|
||||||
environment.persistence.${config.impermanence.name}.directories = [ "/var/lib/${config.services.prometheus.stateDir}" ];
|
environment.persistence.${config.impermanence.name}.directories = ["/var/lib/${config.services.prometheus.stateDir}"];
|
||||||
}
|
}
|
||||||
|
|
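Review bot: the persistence line looks mistaken: `services.prometheus.stateDir` is the Prometheus server's state directory (default `prometheus2`), not the node exporter's, and node_exporter keeps no state at all, so this persists `/var/lib/prometheus2`, a directory nothing on this host writes. It can probably be dropped, or replaced by a comment if it is intentional. Separately, `allowedTCPPorts = [9100]` exposes the exporter without authentication to the whole segment; restricting it to the Prometheus server's source address would be the tighter default.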
missing closing parenthesis