From eae84263f5bd820176f91c9c0c97de0c64632aeb Mon Sep 17 00:00:00 2001 From: stuebinm Date: Wed, 27 Sep 2023 23:24:23 +0200 Subject: [PATCH] less verbose container definitions move some options (the nopersist & container profiles + allowUnfree packages) into the evalConfig used for containers, so we don't have to repeat ourselves as much. also removed some no-longer-needed specialArgs. also made thelounge work with nopersist, which for some reason it didn't use before. --- flake.nix | 13 ++++++++----- pkgs/default.nix | 4 ++-- services/gitea.nix | 6 ++---- services/hedgedoc-hacc.nix | 7 ++----- services/hedgedoc-i4f.nix | 7 ++----- services/mattermost.nix | 16 +++------------- services/murmur.nix | 2 +- services/nextcloud.nix | 7 +------ services/thelounge.nix | 26 +++++++++----------------- services/tracktrain.nix | 6 ++---- services/uffd.nix | 18 ++++++------------ 11 files changed, 38 insertions(+), 74 deletions(-) diff --git a/flake.nix b/flake.nix index cefe3f3..c385bb5 100644 --- a/flake.nix +++ b/flake.nix @@ -52,10 +52,15 @@ modules = [ config nix-hexchen.nixosModules.network.nftables - { nixpkgs.pkgs = pkgs; } + { + nixpkgs.pkgs = pkgs.lib.mkForce pkgs; + nixpkgs.config.allowUnfree = true; + imports = [ profiles.container profiles.nopersist ]; + } ]; specialArgs = { - inherit modules profiles evalConfig; + # modules still needed because a profile in nix-hexchen uses it + inherit modules evalConfig; sources = inputs; }; }).config.system.build.toplevel; @@ -71,10 +76,8 @@ { environment.etc."haccfiles".source = self.outPath; } ]; specialArgs = { - # with a few exceptions, the flake inputs can be used the same - # as the niv-style (import nix/sources.nix {}) sources = inputs; - inherit modules profiles evalConfig; + inherit modules evalConfig; }; }; diff --git a/pkgs/default.nix b/pkgs/default.nix index 92a5ffd..a083909 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix 
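Review bot: The `nixpkgs.config.allowUnfree = true;` added right next to `nixpkgs.pkgs = pkgs.lib.mkForce pkgs;` in the first flake.nix hunk is a no-op: the NixOS `nixpkgs.config` option is documented as ignored whenever `nixpkgs.pkgs` is set, so whether an unfree package evaluates inside a container is decided by the config of the externally built `pkgs`, not by this line (the same was already true of the per-container `allowUnfree` lines this commit deletes, since those containers received `{ nixpkgs.pkgs = pkgs; }` from the same list). Either drop the line, or put the allowance where `pkgs` is constructed, and prefer an explicit `allowUnfreePredicate` naming the unfree packages the containers actually need over a blanket `allowUnfree`, so that a new unfree dependency becomes a visible review item rather than slipping in silently. A short comment such as `# nixpkgs.config is ignored when nixpkgs.pkgs is set; unfree policy lives in pkgs/default.nix` would stop the next reader from trusting this line. The `evalConfig` definition this sits in starts before the hunk.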
@@ -1,4 +1,4 @@ -{ sources, system ? builtins.currentSystem, ... }@args: +{ sources, ... }@args: let pkgs = import sources.nixpkgs args; @@ -17,7 +17,7 @@ let # a version of the lounge with some extra css that # hides things the hacc-voc doesn't need - thelounge-hacked = pkgs.stdenv.mkDerivation { + thelounge = pkgs.stdenv.mkDerivation { name = "thelounge-hacked"; src = pkgs.thelounge; diff --git a/services/gitea.nix b/services/gitea.nix index ccabfe4..3ab5f31 100644 --- a/services/gitea.nix +++ b/services/gitea.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }: +{ config, lib, pkgs, evalConfig, ... }: { containers.gitea = { @@ -12,11 +12,9 @@ isReadOnly = false; }; }; - path = evalConfig ({ config, lib, pkgs, profiles, ... }: { + path = evalConfig ({ config, lib, pkgs, ... }: { system.stateVersion = "21.11"; - imports = [ profiles.nopersist profiles.container ]; - environment.systemPackages = [ pkgs.gitea ]; hexchen.bindmounts."/var/lib/gitea" = "/persist/gitea"; diff --git a/services/hedgedoc-hacc.nix b/services/hedgedoc-hacc.nix index bb09cd0..354b83e 100644 --- a/services/hedgedoc-hacc.nix +++ b/services/hedgedoc-hacc.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }: +{ config, lib, pkgs, evalConfig, ... }: { @@ -18,10 +18,7 @@ }; "/secrets".hostPath = "/run/secrets/hedgedoc-hacc"; }; - path = evalConfig ({ config, lib, pkgs, profiles, ... }: { - imports = [ profiles.nopersist profiles.container ]; - nixpkgs.config.allowUnfree = true; - + path = evalConfig ({ config, lib, ... }: { services.hedgedoc = { enable = true; settings = { diff --git a/services/hedgedoc-i4f.nix b/services/hedgedoc-i4f.nix index bb2e376..a37431f 100644 --- a/services/hedgedoc-i4f.nix +++ b/services/hedgedoc-i4f.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, modules, evalConfig, sources, ... }: +{ config, lib, pkgs, evalConfig, ... }: { containers.pad-i4f = { 
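Review bot: Renaming the attribute from `thelounge-hacked` to `thelounge` in the second pkgs/default.nix hunk shadows the upstream package name, so every consumer of `pkgs.thelounge` in this set — presumably including the NixOS module's default `services.thelounge.package`, if this set is what the containers now receive via `nixpkgs.pkgs` — silently gets the patched build, while `name = "thelounge-hacked"` still reads as if it were a separate attribute. Make the override explicit with a comment on the binding, e.g. `# shadows nixpkgs' thelounge: every pkgs.thelounge consumer (incl. the NixOS module default) gets this patched build; src below is the unpatched upstream`. Any remaining reference to `pkgs.thelounge-hacked` outside this diff would now fail to evaluate, which is worth a grep before merging. The enclosing `let` starts before the hunk and runs past it.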
@@ -12,10 +12,7 @@ isReadOnly = false; }; }; - path = evalConfig ({ config, lib, pkgs, profiles, ... }: { - imports = [ profiles.nopersist profiles.container ]; - nixpkgs.config.allowUnfree = true; - + path = evalConfig ({ config, lib, ... }: { services.hedgedoc = { enable = true; settings = { diff --git a/services/mattermost.nix b/services/mattermost.nix index e21a3a1..1c135de 100644 --- a/services/mattermost.nix +++ b/services/mattermost.nix @@ -1,9 +1,6 @@ -{config, pkgs, lib, profiles, modules, evalConfig, sources, ...}: - -let - mattermost = pkgs.mattermost; -in { +{ config, pkgs, lib, evalConfig, ...}: +{ sops.secrets = { "mattermost/env" = {}; }; @@ -22,17 +19,10 @@ in { "/secrets".hostPath = "/run/secrets/mattermost"; }; - path = evalConfig ({ config, lib, pkgs, profiles, ... }: { - imports = [ profiles.nopersist profiles.container ]; - nixpkgs.overlays = [ (self: super: { inherit mattermost; }) ]; - - nixpkgs.config.allowUnfree = true; - + path = evalConfig ({ config, lib, pkgs, ... }: { systemd.services.mattermost.serviceConfig.EnvironmentFile = lib.mkForce "/secrets/env"; - # couldn't figure out how to actually overwrite modules, so now - # there's two mattermost modules ... services.mattermost = { enable = true; siteUrl = "https://mattermost.infra4future.de"; diff --git a/services/murmur.nix b/services/murmur.nix index c38750e..66fff44 100644 --- a/services/murmur.nix +++ b/services/murmur.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, sources, ... }: +{ config, lib, pkgs, ... }: { hexchen.bindmounts."/var/lib/murmur" = "/persist/var/lib/murmur"; diff --git a/services/nextcloud.nix b/services/nextcloud.nix index 6f82d74..0727f93 100644 --- a/services/nextcloud.nix +++ b/services/nextcloud.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, profiles, modules, evalConfig, ... }: +{ config, lib, pkgs, evalConfig, ... }: { containers.nextcloud = { 
@@ -14,17 +14,12 @@ }; path = evalConfig ({ config, lib, pkgs, profiles, sources, ... }: { imports = [ - profiles.nopersist - profiles.container (import "${sources.nixpkgs-unstable}/nixos/modules/services/web-apps/nextcloud.nix") ]; disabledModules = [ "services/web-apps/nextcloud.nix" ]; - - nixpkgs.config.allowUnfree = true; - environment.systemPackages = [ pkgs.htop ]; services.nextcloud = { diff --git a/services/thelounge.nix b/services/thelounge.nix index f8d1517..be7b556 100644 --- a/services/thelounge.nix +++ b/services/thelounge.nix @@ -1,30 +1,26 @@ { config, lib, pkgs, evalConfig, ... }: -let - # necessary since overlays won't propagate into the - # container's config - thelounge = pkgs.thelounge-hacked; -in { containers.thelounge = { autoStart = true; privateNetwork = true; hostAddress = "192.168.100.1"; localAddress = "192.168.100.4"; + bindMounts = { + "/var/lib/thelounge" = { + hostPath = "/persist/containers/thelounge"; + isReadOnly = false; + }; + }; - path = evalConfig ({ config, lib, pkgs, profiles, modules, sources, ... }: { - # for some inexplicable reason this does not import nopersist. - # i'm too lazy rn to deal with possible breakages if I add it. - # if you have spoons & nothing else to do, consider this a suggestion! - imports = [ profiles.container ]; - - nixpkgs.config.allowUnfree = true; - + path = evalConfig ({ config, lib, ... }: { services.thelounge = { enable = true; extraConfig = { public = true; + package = pkgs.thelounge; + # respect X-Forwarded-For reverseProxy = true; defaults = { @@ -57,10 +53,6 @@ in leaveMessage = "happy haccing"; }; }; - - # override the package we use - systemd.services.thelounge.serviceConfig.ExecStart = - pkgs.lib.mkForce "${thelounge}/bin/thelounge start"; }); }; diff --git a/services/tracktrain.nix b/services/tracktrain.nix index 100461c..0431031 100644 --- a/services/tracktrain.nix +++ b/services/tracktrain.nix 
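Review bot: In the first services/thelounge.nix hunk, `package = pkgs.thelounge;` is placed inside `extraConfig = { ... }` directly after `public = true;`, so it is serialized into the lounge's config file as a `package` key holding a store-path string instead of setting the NixOS option `services.thelounge.package`; together with the removal of the `ExecStart` override further down, nothing in this file selects the patched build any more unless the container's `pkgs` already carries the renamed override from pkgs/default.nix. Move it one level up, `services.thelounge = { enable = true; package = pkgs.thelounge; extraConfig = { ... }; };` (assuming the module version in use has the `package` option, which recent nixpkgs does), or delete it if the container package set is known to shadow `thelounge`. Note also that `pkgs` is no longer destructured in the new `evalConfig ({ config, lib, ... }: ...)` lambda, so it lexically resolves to the host module's `pkgs`, which is presumably the same set only because flake.nix now forces `nixpkgs.pkgs` for containers — a one-line comment stating that would help.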
@@ -1,4 +1,4 @@ -{ config, lib, pkgs, inputs, evalConfig, ... }: +{ config, lib, pkgs, evalConfig, ... }: let tracktrain-config = '' @@ -53,11 +53,9 @@ in "/secrets".hostPath = "/run/secrets/tracktrain"; }; - path = evalConfig ({ config, lib, pkgs, profiles, ... }: { + path = evalConfig ({ config, lib, pkgs, ... }: { system.stateVersion = "21.11"; - imports = [ profiles.nopersist profiles.container ]; - users.users.tracktrain = { group = "tracktrain"; isSystemUser = true; diff --git a/services/uffd.nix b/services/uffd.nix index 02fe132..04f1abe 100644 --- a/services/uffd.nix +++ b/services/uffd.nix @@ -1,8 +1,6 @@ -{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }: +{ config, lib, pkgs, evalConfig, ... }: -let - uffd = pkgs.uffd; -in { +{ containers.uffd = { privateNetwork = true; hostAddress = "192.168.100.1"; @@ -14,24 +12,20 @@ in { isReadOnly = false; }; }; - path = evalConfig ({ config, lib, pkgs, profiles, ... }: { - imports = [ profiles.nopersist profiles.container ]; - - nixpkgs.config.allowUnfree = true; - + path = evalConfig ({ config, lib, pkgs, ... }: { services.uwsgi = { enable = true; plugins = [ "python3" ]; instance = { type = "normal"; - pythonPackages = self: with self; [ uffd ]; + pythonPackages = _: [ pkgs.uffd ]; module = "uffd:create_app()"; # socket = "${config.services.uwsgi.runDir}/uwsgi.sock"; http = ":8080"; env = [ "CONFIG_PATH=/persist/uffd/uffd.conf" ]; - hook-pre-app = "exec:FLASK_APP=${uffd}/lib/python3.10/site-packages/uffd flask db upgrade"; + hook-pre-app = "exec:FLASK_APP=${pkgs.uffd}/lib/python3.10/site-packages/uffd flask db upgrade"; }; }; }); 
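Review bot: The rewritten `hook-pre-app = "exec:FLASK_APP=${pkgs.uffd}/lib/python3.10/site-packages/uffd flask db upgrade";` in the last services/uffd.nix hunk hard-codes the interpreter version in the path, so the next Python bump in nixpkgs points the pre-app migration hook at a directory that does not exist and the `flask db upgrade` step breaks without any build-time signal. Derive the directory from the package instead, e.g. `hook-pre-app = "exec:FLASK_APP=${pkgs.uffd}/${pkgs.uffd.pythonModule.sitePackages}/uffd flask db upgrade";` (this assumes `pkgs.uffd` is a `buildPythonPackage` derivation exposing `pythonModule`; otherwise `pkgs.python3.sitePackages` is the fallback). Likewise `pythonPackages = _: [ pkgs.uffd ];` now discards the uwsgi plugin's own Python package set, so `pkgs.uffd` is only importable if it was built against the same interpreter as the `python3` plugin; a comment such as `# must be built with the same python as the uwsgi python3 plugin` records that assumption.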
@@ -41,7 +35,7 @@ in { forceSSL = true; locations = { "/".proxyPass = "http://${config.containers.uffd.localAddress}:8080"; - "/static".root = "${uffd}/lib/python3.10/site-packages/uffd"; + "/static".root = "${pkgs.uffd}/lib/python3.10/site-packages/uffd"; "/static/hacc.png".return = "302 https://infra4future.de/assets/img/logo_vernetzung.png"; "/static/infra4future.svg".return = "302 https://infra4future.de/assets/img/infra4future.svg"; "/static/hedgedoc.svg".return = "302 https://infra4future.de/assets/img/icons/hedgedoc.svg";
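Review bot: `"/static".root = "${pkgs.uffd}/lib/python3.10/site-packages/uffd";` carries the same hard-coded `python3.10` segment as the uwsgi hook earlier in the file, and here a stale path degrades to nginx returning 404 for every asset rather than failing at evaluation time. Use `"/static".root = "${pkgs.uffd}/${pkgs.uffd.pythonModule.sitePackages}/uffd";` (or `pkgs.python3.sitePackages` if uffd is not a `buildPythonPackage`) so the nginx root and the uwsgi hook follow the interpreter together. The enclosing virtual-host block starts before this hunk.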