pre-commit #23

Merged
Gonne merged 3 commits from nerf/nixConfig:pre-commit into main 2023-11-09 15:20:45 +00:00
15 changed files with 352 additions and 204 deletions

2
.gitignore vendored
View file

@ -2,4 +2,4 @@
# Ignore build outputs from performing a nix-build or `nix build` command # Ignore build outputs from performing a nix-build or `nix build` command
result result
result-* result-*
.pre-commit-config.yaml

View file

@ -146,8 +146,7 @@ machine. The only technically required file in there is `configuration.nix`. So
A good skeleton is probably: A good skeleton is probably:
``` ```
flake-inputs: {config, pkgs, lib, flake-inputs, ... }: {
{config, pkgs, lib, ... }: {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
@ -170,6 +169,10 @@ In your hardware
configuration you should basically only write you filesystem layout and your hostPlatform. The bootloading stuff configuration you should basically only write you filesystem layout and your hostPlatform. The bootloading stuff
is already taken care of by `../../roles`. is already taken care of by `../../roles`.
The `flake-inputs` argument is optional, but you can use it if you need to get a hold of the flake inputs,
else this is a complete normal nixos system configuration module (with a lot of settings already imorted
from `../../roles`).
As of moment of writing `network.nix` should contain ip, nameserver and default gateway setup. As parts of As of moment of writing `network.nix` should contain ip, nameserver and default gateway setup. As parts of
this is constant across all systems and will undergo refactor soon. this is constant across all systems and will undergo refactor soon.
@ -278,3 +281,31 @@ something like this:
{lib, pkgs, config, ...} : {lib, pkgs, config, ...} :
<module code > <module code >
``` ```
# Contributing
Like with all FS projects, you are welcome to contribute. Work is done usually by the person that is most annoyed
by the circumstances or by the person that didn't run fast enough. So we are happy if we get help. That doesn't
mean that we don't need to have some level of quality, people after us needs to work with it. It is live infrastructure
and downtime hurts someone (and in the wrong moment even really bad (Matheball ticket sales for example)).
nerf marked this conversation as resolved Outdated
Outdated
Review

missing closing parenthesis

missing closing parenthesis
So here are some Guidelines.
## Coding style and linting.
If you run `nix flake check` there are automated checks in place, please make sure to pass them.
Gonne marked this conversation as resolved Outdated
Outdated
Review

If I run that, I get

$ nix check
error: 'check' is not a recognised command
Try 'nix --help' for more information.
If I run that, I get ``` $ nix check error: 'check' is not a recognised command Try 'nix --help' for more information. ```
Outdated
Review

ahh of course that should be nix flake check

ahh of course that should be `nix flake check`
There is also a code autoformatter (`alejandra`) incorporated into those. If you want to run
it you can do so over the development shell or by running `nix fmt`.
You can also install
Gonne marked this conversation as resolved Outdated
Outdated
Review
$ nix develop
error: flake 'git+file:///home/…/nixConfig' does not provide attribute 'devShells.x86_64-linux.devShell.x86_64-linux', 'packages.x86_64-linux.devShell.x86_64-linux', 'legacyPackages.x86_64-linux.devShell.x86_64-linux', 'devShell.x86_64-linux' or 'defaultPackage.x86_64-linux'
``` $ nix develop error: flake 'git+file:///home/…/nixConfig' does not provide attribute 'devShells.x86_64-linux.devShell.x86_64-linux', 'packages.x86_64-linux.devShell.x86_64-linux', 'legacyPackages.x86_64-linux.devShell.x86_64-linux', 'devShell.x86_64-linux' or 'defaultPackage.x86_64-linux' ```
Outdated
Review

More info for reference:

$ nix flake show
git+file:///home/…/nixConfig?ref=pre-commit&rev=04469765541ab58d9777d5fd74b7e43ba6fe0e97
├───apps
│   └───x86_64-linux
├───checks
│   └───x86_64-linux
│       └───pre-commit: derivation 'pre-commit-run'
├───devShells
│   └───x86_64-linux
│       └───default: development environment 'nix-shell'
├───formatter: unknown
├───legacyPackages
warning: │   └───x86_64-linux: omitted (use '--legacy' to show)
├───nixosConfigurations
│   └───ghatanothoa: NixOS configuration
├───nixosModules
├───overlays
└───packages
    └───x86_64-linux

More info for reference: ``` $ nix flake show git+file:///home/…/nixConfig?ref=pre-commit&rev=04469765541ab58d9777d5fd74b7e43ba6fe0e97 ├───apps │ └───x86_64-linux ├───checks │ └───x86_64-linux │ └───pre-commit: derivation 'pre-commit-run' ├───devShells │ └───x86_64-linux │ └───default: development environment 'nix-shell' ├───formatter: unknown ├───legacyPackages warning: │ └───x86_64-linux: omitted (use '--legacy' to show) ├───nixosConfigurations │ └───ghatanothoa: NixOS configuration ├───nixosModules ├───overlays └───packages └───x86_64-linux ```
Outdated
Review

That is weird. To cite the nix reference

Flake output attributes

If no flake output attribute is given, nix develop tries the following flake output attributes:

  • devShells.<system>.default
  • packages.<system>.default

If a flake output name is given, nix develop tries the following flake output attributes:

  • devShells.<system>.<name>
  • packages.<system>.<name>
  • legacyPackages.<system>.<name>

That matches the paths from your nix flake show but not from the error message of your nix develop. So I think that is a problem on your side. What is your nix version?

There are two old related issues error message bug and change output names

You might try nix develop .#default to set the default explicitly

That is weird. To cite the [nix reference](https://nixos.org/manual/nix/unstable/command-ref/new-cli/nix3-develop) > # Flake output attributes >If no flake output attribute is given, `nix develop` tries the following flake output attributes: > - devShells.\<system>.default > - packages.\<system>.default > > If a flake output name is given, `nix develop` tries the following flake output attributes: > - devShells.\<system>.\<name> > - packages.\<system>.\<name> > - legacyPackages.\<system>.\<name> That matches the paths from your `nix flake show` but not from the error message of your `nix develop`. So I think that is a problem on your side. What is your nix version? There are two old related issues [error message bug](https://github.com/NixOS/nix/issues/5880) and [change output names](https://github.com/NixOS/nix/issues/5532) You might try `nix develop .#default` to set the default explicitly
Outdated
Review
$ nix --version
nix (Nix) 2.6.0

The first link suggests that this has been resolved in version 2.7.0.

``` $ nix --version nix (Nix) 2.6.0 ``` The first link suggests that this has been resolved in version `2.7.0`.
Outdated
Review

2.18.0 is the current version, I think you should upgrade, did the nix develop .#default work?

`2.18.0` is the current version, I think you should upgrade, did the `nix develop .#default` work?
them into your local git repository as pre-commit hooks, and setting up a shell that has
even more tooling by running `nix develop`. That will give you a bash in which you can run
all the checks manually `pre-commit run -a`. This will also run the autoformatter.
## Process for submitting changes
1. If it is something bigger, please open an issue first describing what and why you want to do something.
If it is just something small, skip this step.
2. Fork the repo and implement your changes in a branch on your fork. Afterwards open a pull request (possibly mentioning the issue).
Against the main branch.
- Your branch should be based on an up to date version of main, if it is not consider rebasing.
3. You will need to find someone with the proper rights to approve of your changes, but most of the time there will be request
for changes first.

View file

@ -1,28 +1,60 @@
{inputs, ...}: {inputs, ...}: {
{
# debug = true; # debug = true;
# We only define machines config in this flake yet, so we only include # We only define machines config in this flake yet, so we only include
# the module that builds these. This file might get fuller, if we need to # the module that builds these. This file might get fuller, if we need to
# build our own packages, that are not flakes. # build our own packages, that are not flakes.
imports = [ ./nixos/flake-module.nix imports = [
# To import a flake module ./nixos/flake-module.nix
# 1. Add foo to inputs inputs.pre-commit-hooks.flakeModule
# 2. Add foo as a parameter to the outputs function # To import a flake module
# 3. Add here: foo.flakeModule # 1. Add foo to inputs
# 2. Add foo as a parameter to the outputs function
# 3. Add here: foo.flakeModule
]; ];
systems = [ "x86_64-linux"]; systems = ["x86_64-linux"];
# perSystem = { config, self', inputs', pkgs, system, ... }: { perSystem = {
# Per-system attributes can be defined here. The self' and inputs' config,
# module parameters provide easy access to attributes of the same pkgs,
# system. ...
}: {
devShells.default = config.pre-commit.devShell;
pre-commit = let
generatedFiles = [
"hardware-configuration\\.nix"
];
in {
check.enable = true;
settings = {
# for some reason statix takes it config differently than all the other hooks.
settings.statix = {
format = "stderr";
ignore = generatedFiles;
};
hooks = {
nil.enable = true;
statix.enable = true;
deadnix = {
enable = true;
excludes = generatedFiles;
};
alejandra.enable = true;
};
};
};
formatter = pkgs.alejandra;
# Per-system attributes can be defined here. The self' and inputs'
# module parameters provide easy access to attributes of the same
# system.
};
# Equivalent to inputs'.nixpkgs.legacyPackages.hello; # Equivalent to inputs'.nixpkgs.legacyPackages.hello;
# }; # flake = {
# flake = { # The usual flake attributes can be defined here, including system-
# The usual flake attributes can be defined here, including system- # agnostic ones like nixosModule and system-enumerating ones, although
# agnostic ones like nixosModule and system-enumerating ones, although # those are more easily expressed in perSystem.
# those are more easily expressed in perSystem.
# }; # };
} }

View file

@ -33,6 +33,24 @@
"type": "indirect" "type": "indirect"
} }
}, },
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1685518550,
"narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"impermanence": { "impermanence": {
"locked": { "locked": {
"lastModified": 1697303681, "lastModified": 1697303681,
@ -151,12 +169,35 @@
"type": "github" "type": "github"
} }
}, },
"pre-commit-hooks": {
"inputs": {
"flake-compat": [],
"flake-utils": "flake-utils",
"gitignore": [],
"nixpkgs": [],
"nixpkgs-stable": []
},
"locked": {
"lastModified": 1699271226,
"narHash": "sha256-8Jt1KW3xTjolD6c6OjJm9USx/jmL+VVmbooADCkdDfU=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "ea758da1a6dcde6dc36db348ed690d09b9864128",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"flake-parts": "flake-parts", "flake-parts": "flake-parts",
"impermanence": "impermanence", "impermanence": "impermanence",
"nixos-mailserver": "nixos-mailserver", "nixos-mailserver": "nixos-mailserver",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"pre-commit-hooks": "pre-commit-hooks",
"sops-nix": "sops-nix" "sops-nix": "sops-nix"
} }
}, },
@ -181,6 +222,21 @@
"type": "github" "type": "github"
} }
}, },
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"utils": { "utils": {
"locked": { "locked": {
"lastModified": 1605370193, "lastModified": 1605370193,

View file

@ -17,8 +17,17 @@
impermanence = { impermanence = {
url = "github:nix-community/impermanence"; url = "github:nix-community/impermanence";
}; };
pre-commit-hooks = {
url = "github:cachix/pre-commit-hooks.nix";
inputs = {
flake-compat.follows = "";
gitignore.follows = "";
nixpkgs-stable.follows = "";
nixpkgs.follows = "";
};
};
}; };
outputs = inputs@{ flake-parts, ... }: outputs = inputs @ {flake-parts, ...}:
flake-parts.lib.mkFlake { inherit inputs; } (import ./flake-module.nix); flake-parts.lib.mkFlake {inherit inputs;} (import ./flake-module.nix);
} }

View file

@ -1,20 +1,30 @@
# copied and adopted from maralorns config # copied and adopted from maralorns config
# This automatically searches for nixos configs in ./machines/${name}/configuration.nix # This automatically searches for nixos configs in ./machines/${name}/configuration.nix
# and exposes them as outputs.nixosConfigurations.${name} # and exposes them as outputs.nixosConfigurations.${name}
{ withSystem, lib, inputs, ... }: { {
withSystem,
lib,
inputs,
...
}: {
flake = { flake = {
nixosConfigurations = withSystem "x86_64-linux" ({ pkgs, ... }: nixosConfigurations = withSystem "x86_64-linux" ({pkgs, ...}: let
let
machines = builtins.attrNames (builtins.readDir ./machines); machines = builtins.attrNames (builtins.readDir ./machines);
makeSystem = name: makeSystem = name: let
importedConfig = import (./. + "/machines/${name}/configuration.nix");
systemConfig =
if lib.isFunction importedConfig
then x: importedConfig (x // {flake-inputs = inputs;})
else importedConfig;
in
pkgs.nixos { pkgs.nixos {
imports = [ imports = [
(import (./. + "/machines/${name}/configuration.nix") inputs) systemConfig
inputs.sops-nix.nixosModules.sops inputs.sops-nix.nixosModules.sops
inputs.impermanence.nixosModules.impermanence inputs.impermanence.nixosModules.impermanence
]; ];
}; };
in lib.genAttrs machines makeSystem); in
lib.genAttrs machines makeSystem);
}; };
} }

View file

@ -1,19 +1,17 @@
flake-inputs: {
{config, pkgs, lib, ... }: { imports = [
./hardware-configuration.nix
imports = [ ../../modules/jitsi.nix
./hardware-configuration.nix ../../roles
../../modules/jitsi.nix ./network.nix
../../roles ];
./network.nix
];
services.mathebau-jitsi = { services.mathebau-jitsi = {
enable = true; enable = true;
hostName = "meet.mathebau.de"; hostName = "meet.mathebau.de";
}; };
# System configuration here # System configuration here
networking.hostName = "ghatanothoa"; networking.hostName = "ghatanothoa";
system.stateVersion = "23.11"; system.stateVersion = "23.11";
} }

View file

@ -1,15 +1,15 @@
{config, lib, pkgs, modulesPath, ...}: { {lib, ...}: {
imports = [ ]; imports = [];
fileSystems."/" = { fileSystems."/" = {
device = "gha-root"; device = "gha-root";
fsType = "tmpfs"; fsType = "tmpfs";
options = [ "size=1G" "mode=755" ]; options = ["size=1G" "mode=755"];
}; };
fileSystems."/persist" = { fileSystems."/persist" = {
device = "/dev/disk/by-uuid/e0a160ef-7d46-4705-9152-a6b602898136"; device = "/dev/disk/by-uuid/e0a160ef-7d46-4705-9152-a6b602898136";
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=persist" ]; options = ["subvol=persist"];
neededForBoot = true; neededForBoot = true;
}; };
fileSystems."/boot" = { fileSystems."/boot" = {
@ -19,11 +19,10 @@
fileSystems."/nix" = { fileSystems."/nix" = {
device = "/dev/disk/by-uuid/e0a160ef-7d46-4705-9152-a6b602898136"; device = "/dev/disk/by-uuid/e0a160ef-7d46-4705-9152-a6b602898136";
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=nix" ]; options = ["subvol=nix"];
}; };
swapDevices = swapDevices = [{device = "/dev/disk/by-uuid/e6e3ba6b-c9f5-4960-b56d-f49760d76a4a";}];
[{ device = "/dev/disk/by-uuid/e6e3ba6b-c9f5-4960-b56d-f49760d76a4a"; }];
nix.settings.max-jobs = lib.mkDefault 4; nix.settings.max-jobs = lib.mkDefault 4;

View file

@ -1,15 +1,16 @@
# We sohuld put that config somewhere in roles and give it a parameter or something, # We sohuld put that config somewhere in roles and give it a parameter or something,
# everyone gets the same nameserver and the same prefixLength and address vs defaultGateway alsways # everyone gets the same nameserver and the same prefixLength and address vs defaultGateway alsways
# depend on the same thing # depend on the same thing
{ {
imports = [ ]; imports = [];
networking = { networking = {
interfaces.enX0.ipv4.addresses = [ { interfaces.enX0.ipv4.addresses = [
address = "192.168.0.25"; {
prefixLength = 16; address = "192.168.0.25";
} ]; prefixLength = 16;
}
];
defaultGateway = "192.168.0.152"; defaultGateway = "192.168.0.152";
nameservers = ["130.83.2.22" "130.83.56.60" "130.83.22.60" "130.82.22.63"]; nameservers = ["130.83.2.22" "130.83.56.60" "130.83.22.60" "130.82.22.63"];
}; };
} }

View file

@ -1,47 +1,47 @@
{lib, config, ...} : {
lib,
let config,
inherit (lib) ...
}: let
inherit
(lib)
mkEnableOption mkEnableOption
mkIf mkIf
mkOption mkOption
types types
; ;
cfg = config.impermanence; cfg = config.impermanence;
in in {
imports = [];
{ options.impermanence = {
imports = [ ]; enable = mkEnableOption "impermanence";
storagePath = mkOption {
options.impermanence = { type = types.path;
enable = mkEnableOption "impermanence"; default = "/persist";
storagePath = mkOption { description = "The path where persistent data is stored";
type = types.path; };
default = "/persist"; name = mkOption {
description = "The path where persistent data is stored"; type = types.str;
default = "persist";
description = "the name of the persistent data store";
};
}; };
name = mkOption {
type = types.str;
default = "persist";
description = "the name of the persistent data store";
};
};
config = mkIf cfg.enable { config = mkIf cfg.enable {
environment.persistence.${cfg.name} = { environment.persistence.${cfg.name} = {
persistentStoragePath = cfg.storagePath; persistentStoragePath = cfg.storagePath;
directories = [ directories = [
"/var/log" "/var/log"
"/var/lib/nixos" "/var/lib/nixos"
]; ];
files = [ files = [
"/etc/ssh/ssh_host_ed25519_key" "/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub" "/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key" "/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub" "/etc/ssh/ssh_host_rsa_key.pub"
]; ];
};
environment.etc.machine-id.source = "${cfg.storagePath}/machine-id";
}; };
environment.etc.machine-id.source = "${cfg.storagePath}/machine-id";
};
} }

View file

@ -1,16 +1,21 @@
{pkgs, config, lib, modulesPath, ...}: {
let config,
inherit (lib) lib,
modulesPath,
...
}: let
inherit
(lib)
mkIf mkIf
mkEnableOption mkEnableOption
mkOption mkOption
head; head
;
inherit (lib.types) str; inherit (lib.types) str;
cfg = config.services.mathebau-jitsi; cfg = config.services.mathebau-jitsi;
in in {
{
imports = [(modulesPath + "/services/web-apps/jitsi-meet.nix")]; imports = [(modulesPath + "/services/web-apps/jitsi-meet.nix")];
options.services.mathebau-jitsi = { options.services.mathebau-jitsi = {
enable = mkEnableOption "mathebau jitsi service"; enable = mkEnableOption "mathebau jitsi service";
hostName = mkOption { hostName = mkOption {
@ -23,18 +28,25 @@ in
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
services.jitsi-meet = { services = {
enable = true; jitsi-meet = {
hostName = cfg.hostName; enable = true;
config = { config = {
defaultLang = "de"; defaultLang = "de";
};
inherit (cfg) hostName;
}; };
}; jitsi-videobridge = {
services.jitsi-videobridge = { openFirewall = true;
openFirewall = true; nat = {
nat = { publicAddress = "130.83.2.184";
publicAddress = "130.83.2.184"; inherit (cfg) localAddress;
localAddress = cfg.localAddress; };
};
#We are behind a reverse proxy that handles TLS
nginx.virtualHosts."${cfg.hostName}" = {
enableACME = false;
forceSSL = false;
}; };
}; };
environment.persistence.${config.impermanence.name} = { environment.persistence.${config.impermanence.name} = {
@ -43,13 +55,7 @@ in
"/var/lib/prosody" "/var/lib/prosody"
]; ];
}; };
#We are behind a reverse proxy that handles TLS #The network ports for HTTP(S) are not opened automatically
services.nginx.virtualHosts."${cfg.hostName}" = { networking.firewall.allowedTCPPorts = [80 443];
enableACME = false;
forceSSL = false;
};
#The network ports for HTTP(S) are not opened automatically
networking.firewall.allowedTCPPorts = [ 80 443 ];
}; };
} }

View file

@ -1,37 +1,34 @@
{lib, ...} : {lib, ...}:
with lib; with lib; let
let
admins = { admins = {
nerf = { nerf = {
hashedPassword = hashedPassword = "$y$j9T$SJcjUIcs3JYuM5oyxfEQa/$tUBQT07FK4cb9xm.A6ZKVnFIPNOYMOKC6Dt6hadCuJ7";
"$y$j9T$SJcjUIcs3JYuM5oyxfEQa/$tUBQT07FK4cb9xm.A6ZKVnFIPNOYMOKC6Dt6hadCuJ7"; keys = [
keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEdA4LpEGUUmN8esFyrNZXFb2GiBID9/S6zzhcnofQuP nerf@nerflap2"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEdA4LpEGUUmN8esFyrNZXFb2GiBID9/S6zzhcnofQuP nerf@nerflap2" ];
];
}; };
gonne = { gonne = {
hashedPassword = hashedPassword = "$6$EtGpHEcFkOi0yUWp$slXf0CvIUrhdqaoCrQ5YwtYu2IVuE1RGGst4fnDPRLWVm.lYx0ruvSAF2/vw/sLbW37ORJjlb0NHQ.kSG7cVY/";
"$6$EtGpHEcFkOi0yUWp$slXf0CvIUrhdqaoCrQ5YwtYu2IVuE1RGGst4fnDPRLWVm.lYx0ruvSAF2/vw/sLbW37ORJjlb0NHQ.kSG7cVY/"; keys = [
keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFopCUadohY3wg9AoEup9TDRDMyEPSLsQoCnN4lsKCrr gonne@mathebau.de NixOS"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFopCUadohY3wg9AoEup9TDRDMyEPSLsQoCnN4lsKCrr gonne@mathebau.de NixOS" ];
];
}; };
}; };
mkAdmin = name : mkAdmin = name: {
{hashedPassword, keys}: { hashedPassword,
keys,
}: {
"${name}" = { "${name}" = {
isNormalUser = true; isNormalUser = true;
createHome = true; createHome = true;
extraGroups = [ "wheel" ]; extraGroups = ["wheel"];
group = "users"; group = "users";
home = "/home/${name}"; home = "/home/${name}";
openssh.authorizedKeys = { inherit keys; }; openssh.authorizedKeys = {inherit keys;};
inherit hashedPassword; inherit hashedPassword;
}; };
}; };
in { in {
users.users = mkMerge (mapAttrsToList mkAdmin admins); users.users = mkMerge (mapAttrsToList mkAdmin admins);
} }

View file

@ -1,62 +1,72 @@
{pkgs, config, lib, modulesPath, ...} : { {
pkgs,
imports = [ lib,
./admins.nix modulesPath,
./nix_keys.nix ...
./prometheusNodeExporter.nix }: {
(modulesPath + "/virtualisation/xen-domU.nix") imports = [
../modules/impermanence.nix ./admins.nix
./nix_keys.nix
./prometheusNodeExporter.nix
(modulesPath + "/virtualisation/xen-domU.nix")
../modules/impermanence.nix
]; ];
nix = { nix = {
extraOptions = '' extraOptions = ''
experimental-features = nix-command flakes experimental-features = nix-command flakes
builders-use-substitutes = true builders-use-substitutes = true
''; '';
};
networking = {
firewall = { # these shoud be default, but better make sure!
enable = true;
allowPing = true;
};
nftables.enable = true;
useDHCP = false; # We don't speak DHCP and even if we would, we should enable it per interface
# hosts = # TODO write something to autogenerate ip adresses!
};
users = {
mutableUsers = false;
users.root.hashedPassword = "!";
};
impermanence.enable = true;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
environment = {
systemPackages = builtins.attrValues {
inherit (pkgs)
htop lsof tmux btop;
};
};
services = {
journald.extraConfig = "SystemMaxUse=5G";
nginx = {
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedTlsSettings = true;
}; };
openssh = { networking = {
enable = true; firewall = {
settings = { # these shoud be default, but better make sure!
PermitRootLogin = "no"; enable = true;
PasswordAuthentication = false; allowPing = true;
};
nftables.enable = true;
useDHCP = false; # We don't speak DHCP and even if we would, we should enable it per interface
# hosts = # TODO write something to autogenerate ip adresses!
};
users = {
mutableUsers = false;
users.root.hashedPassword = "!";
};
impermanence.enable = true;
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
environment = {
systemPackages = builtins.attrValues {
inherit
(pkgs)
htop
lsof
tmux
btop
;
}; };
}; };
#Prevent clock drift due to interaction problem with xen hardware clock
timesyncd.enable = lib.mkForce true; services = {
}; journald.extraConfig = "SystemMaxUse=5G";
nginx = {
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedTlsSettings = true;
};
openssh = {
enable = true;
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
};
};
#Prevent clock drift due to interaction problem with xen hardware clock
timesyncd.enable = lib.mkForce true;
};
} }

View file

@ -1,5 +1,5 @@
{ {
imports = [ ]; imports = [];
nix.settings.trusted-public-keys = [ nix.settings.trusted-public-keys = [
"nerflap2-1:pDZCg0oo9PxNQxwVSQSvycw7WXTl53PGvVeZWvxuqJc=" "nerflap2-1:pDZCg0oo9PxNQxwVSQSvycw7WXTl53PGvVeZWvxuqJc="
"gonne.mathebau.de-1:FsXFyFiBFE/JxC9MCkt/WuiXjx5dkRI9RXj0FxOQrV0=" "gonne.mathebau.de-1:FsXFyFiBFE/JxC9MCkt/WuiXjx5dkRI9RXj0FxOQrV0="

View file

@ -1,15 +1,14 @@
{config, ...}: {config, ...}: {
{ imports = [];
imports = [ ];
services.prometheus.exporters.node = { services.prometheus.exporters.node = {
enable = true; enable = true;
port = 9100; port = 9100;
# Aligned with https://git.rwth-aachen.de/fsdmath/server/prometheus/-/blob/main/node_exporter/etc/default/prometheus-node-exporter # Aligned with https://git.rwth-aachen.de/fsdmath/server/prometheus/-/blob/main/node_exporter/etc/default/prometheus-node-exporter
# It was compiled along the following steps: # It was compiled along the following steps:
# 1. Does the current Debian release supports the collector? # 1. Does the current Debian release supports the collector?
# 2. Is the collector depracated in the latest release? # 2. Is the collector depracated in the latest release?
# 3. Could you probably use the collected metrics for monitoring or are they useless because they make no sense in our context # 3. Could you probably use the collected metrics for monitoring or are they useless because they make no sense in our context
# (e.g. power adapter inside a VM, use fibre port connection)? # (e.g. power adapter inside a VM, use fibre port connection)?
disabledCollectors = [ disabledCollectors = [
"arp" "arp"
"bcache" "bcache"
@ -35,6 +34,6 @@
"processes" "processes"
]; ];
}; };
networking.firewall.allowedTCPPorts = [ 9100 ]; networking.firewall.allowedTCPPorts = [9100];
environment.persistence.${config.impermanence.name}.directories = [ "/var/lib/${config.services.prometheus.stateDir}" ]; environment.persistence.${config.impermanence.name}.directories = ["/var/lib/${config.services.prometheus.stateDir}"];
} }