stuebinm ea230c34b0 remove nix-hexchen from flake inputs
fun fact: this commit deletes more lines (in flake.lock) than were
removed during the previous commits (to vendor nix-hexchen's modules
into our repo)
2024-02-18 13:47:54 +01:00
stuebinm 62917423e3 render nftables's ruleset
This does the same as the last commit did for the nftnat module, but for
the more general nftables module. Note the weird whitespace again.
2024-02-18 13:39:54 +01:00
stuebinm 0f678c5e80 render nftnat's extraConfig
this removes usage of the nftnat module by rendering it into a static
nftables config. It's a no-op (modulo /etc/haccfiles) as far as nix is
concerned, hence the slightly off-putting whitespace of the multi-line
string.

This seems to me to be a better approach than just bundling the module,
since we only use it for two things (giving the containers network
access & forwarding port 22 to forgejo), which to me doesn't press for
using a custom module we can't really maintain on our own.
2024-02-17 00:04:51 +00:00
stuebinm 0140b7a9fb bundle encboot
this does nothing but move the module & rename the hexchen.* options to hacc.*
2024-02-17 00:04:51 +00:00
stuebinm 39531f1c48 bundle hexchen's nopersist & bindmount moduls
the bind mount module has been tweaked in a couple ways:
 - rename hexchen.* to hacc.*
 - rename bindmount to bindMount to make it consistent with usage in
   the nixpkgs container module
 - add a hacc.bindToPersist option as shorthand for prepending /persist
   to a path via bind mount

the nopersist module has been shortened a little by moving
service-specific things which are used once out into the individual
service files, and removing those which we don't need at all (this also
means we get to loose a mkForce or two in case of mismatches between
hexchen's and our current config).
2024-02-17 00:04:51 +00:00
15 changed files with 244 additions and 573 deletions


@ -4,7 +4,6 @@
imports = [
../modules
./users.nix
modules.network.nftables
];
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages;


@ -1,73 +1,5 @@
{
"nodes": {
"apple-silicon": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": [
"nix-hexchen",
"nixpkgs"
],
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1705557527,
"narHash": "sha256-DuxxHTQ/W5KToFLWG4FUF8hLldNo9eXlbt7JgvhrMnY=",
"owner": "tpwrules",
"repo": "nixos-apple-silicon",
"rev": "6e324ab06cb27a19409ebc1dc2664bf1e585490a",
"type": "github"
},
"original": {
"owner": "tpwrules",
"repo": "nixos-apple-silicon",
"type": "github"
}
},
"authentik-nix": {
"inputs": {
"authentik-src": "authentik-src",
"flake-compat": "flake-compat_2",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils",
"napalm": "napalm",
"nixpkgs": [
"nix-hexchen",
"nixpkgs"
],
"nixpkgs-23-05": "nixpkgs-23-05",
"poetry2nix": "poetry2nix"
},
"locked": {
"lastModified": 1706549563,
"narHash": "sha256-yNPk+UP10OU4F1yBAF0w8ubwJER48mrK+tzsLT3Jnlw=",
"owner": "nix-community",
"repo": "authentik-nix",
"rev": "5fa451e05537408bd3d6f109f6740c58c0fd0aff",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "authentik-nix",
"type": "github"
}
},
"authentik-src": {
"flake": false,
"locked": {
"lastModified": 1706546688,
"narHash": "sha256-+1IdXRt28UZ2KTa0zsmjneNUOcutP99UUwqcYyVyqTI=",
"owner": "goauthentik",
"repo": "authentik",
"rev": "e095e9f694d2a427940bc8616bc4025fef502a8b",
"type": "github"
},
"original": {
"owner": "goauthentik",
"ref": "version/2023.10.7",
"repo": "authentik",
"type": "github"
}
},
"blobs": {
"flake": false,
"locked": {
@ -84,38 +16,9 @@
"type": "gitlab"
}
},
"colmena": {
"inputs": {
"flake-compat": "flake-compat_3",
"flake-utils": "flake-utils_2",
"nixpkgs": [
"nix-hexchen",
"nixpkgs"
],
"stable": "stable"
},
"locked": {
"lastModified": 1699171528,
"narHash": "sha256-ZsN6y+tgN5w84oAqRQpMhIvQM39ZNSZoZvn2AK0QYr4=",
"owner": "zhaofengli",
"repo": "colmena",
"rev": "665603956a1c3040d756987bc7a810ffe86a3b15",
"type": "github"
},
"original": {
"owner": "zhaofengli",
"ref": "main",
"repo": "colmena",
"type": "github"
}
},
"deploy-rs": {
"inputs": {
"flake-compat": [
"nix-hexchen",
"apple-silicon",
"flake-compat"
],
"flake-compat": "flake-compat",
"nixpkgs": [
"nixpkgs"
],
@ -136,21 +39,6 @@
}
},
"flake-compat": {
"locked": {
"lastModified": 1688025799,
"narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=",
"owner": "nix-community",
"repo": "flake-compat",
"rev": "8bf105319d44f6b9f0d764efa4fdef9f1cc9ba1c",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
@ -166,94 +54,6 @@
"type": "github"
}
},
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1650374568,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1704982712,
"narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "07f6395285469419cf9d078f59b5b49993198c00",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1705309234,
"narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"locked": {
"lastModified": 1659877975,
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"nix-hexchen",
"nixpkgs"
]
},
"locked": {
"lastModified": 1706134977,
"narHash": "sha256-KwNb1Li3K6vuVwZ77tFjZ89AWBo7AiCs9t0Cens4BsM=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "6359d40f6ec0b72a38e02b333f343c3d4929ec10",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"mattermost-server": {
"flake": false,
"locked": {
@ -284,135 +84,6 @@
"url": "https://releases.mattermost.com/8.1.10/mattermost-8.1.10-linux-amd64.tar.gz"
}
},
"napalm": {
"inputs": {
"flake-utils": [
"nix-hexchen",
"authentik-nix",
"flake-utils"
],
"nixpkgs": [
"nix-hexchen",
"authentik-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703102458,
"narHash": "sha256-3pOV731qi34Q2G8e2SqjUXqnftuFrbcq+NdagEZXISo=",
"owner": "nix-community",
"repo": "napalm",
"rev": "edcb26c266ca37c9521f6a97f33234633cbec186",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "napalm",
"type": "github"
}
},
"nix-darwin": {
"inputs": {
"nixpkgs": [
"nix-hexchen",
"nixpkgs"
]
},
"locked": {
"lastModified": 1705915768,
"narHash": "sha256-+Jlz8OAqkOwJlioac9wtpsCnjgGYUhvLpgJR/5tP9po=",
"owner": "LnL7",
"repo": "nix-darwin",
"rev": "1e706ef323de76236eb183d7784f3bd57255ec0b",
"type": "github"
},
"original": {
"owner": "LnL7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"nix-hexchen",
"authentik-nix",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1698974481,
"narHash": "sha256-yPncV9Ohdz1zPZxYHQf47S8S0VrnhV7nNhCawY46hDA=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "4bb5e752616262457bc7ca5882192a564c0472d2",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nix-hexchen": {
"inputs": {
"apple-silicon": "apple-silicon",
"authentik-nix": "authentik-nix",
"colmena": "colmena",
"flake-compat": [
"nix-hexchen",
"apple-silicon",
"flake-compat"
],
"flake-utils": [
"deploy-rs",
"utils"
],
"home-manager": "home-manager",
"nix-darwin": "nix-darwin",
"nixos-hardware": "nixos-hardware",
"nixos-mailserver": [
"nixos-mailserver"
],
"nixpkgs": "nixpkgs",
"pnpm2nix": "pnpm2nix",
"sops-nix": [
"sops-nix"
],
"waybar-iceportal": "waybar-iceportal"
},
"locked": {
"lastModified": 1707171428,
"narHash": "sha256-Q/DQjwbdPU2RcU+hEHPCmbdUj48EoWaqXwQx7sCUI7o=",
"owner": "hexchen",
"repo": "nixfiles",
"rev": "698d7dbd56720d59bca196aa19e3263490336515",
"type": "gitlab"
},
"original": {
"owner": "hexchen",
"repo": "nixfiles",
"type": "gitlab"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1706182238,
"narHash": "sha256-Ti7CerGydU7xyrP/ow85lHsOpf+XMx98kQnPoQCSi1g=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "f84eaffc35d1a655e84749228cde19922fcf55f1",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "master",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixos-mailserver": {
"inputs": {
"blobs": "blobs",
@ -420,7 +91,7 @@
"deploy-rs",
"flake-compat"
],
"nixpkgs": "nixpkgs_2",
"nixpkgs": "nixpkgs",
"nixpkgs-23_05": [
"nixpkgs"
],
@ -447,35 +118,19 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1706150372,
"narHash": "sha256-L0ioe5hifmkzltYr8Eo+72QvdDYPKHhDp9oWm3yqHkw=",
"lastModified": 1705856552,
"narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "854f4671883250e456dc1553c783ac9741a0e9a4",
"rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-unstable-small",
"ref": "nixos-unstable",
"type": "indirect"
}
},
"nixpkgs-23-05": {
"locked": {
"lastModified": 1704290814,
"narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-23_11": {
"locked": {
"lastModified": 1706098335,
@ -491,24 +146,6 @@
"type": "indirect"
}
},
"nixpkgs-lib": {
"locked": {
"dir": "lib",
"lastModified": 1703961334,
"narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9",
"type": "github"
},
"original": {
"dir": "lib",
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-oldstable": {
"locked": {
"lastModified": 1678761643,
@ -526,21 +163,6 @@
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1705856552,
"narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-unstable",
"type": "indirect"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1707091808,
"narHash": "sha256-LahKBAfGbY836gtpVNnWwBTIzN7yf/uYM/S0g393r0Y=",
@ -555,7 +177,7 @@
"type": "indirect"
}
},
"nixpkgs_4": {
"nixpkgs_3": {
"locked": {
"lastModified": 1706925685,
"narHash": "sha256-hVInjWMmgH4yZgA4ZtbgJM1qEAel72SYhP5nOWX4UIM=",
@ -571,84 +193,21 @@
"type": "github"
}
},
"pnpm2nix": {
"flake": false,
"locked": {
"lastModified": 1703106649,
"narHash": "sha256-YhWzfuqNCZmKMbcoDoAT52KodjpuNj/7MklwKD0ojrg=",
"owner": "TSRBerry",
"repo": "pnpm2nix",
"rev": "8df6e2a8bd0174f4e9fa858d37c08ff3e91019bc",
"type": "github"
},
"original": {
"owner": "TSRBerry",
"repo": "pnpm2nix",
"type": "github"
}
},
"poetry2nix": {
"inputs": {
"flake-utils": [
"nix-hexchen",
"authentik-nix",
"flake-utils"
],
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"nix-hexchen",
"authentik-nix",
"nixpkgs"
],
"systems": "systems_3",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1705060653,
"narHash": "sha256-puYyylgrBS4AFAHeyVRTjTUVD8DZdecJfymWJe7H438=",
"owner": "nix-community",
"repo": "poetry2nix",
"rev": "e0b44e9e2d3aa855d1dd77b06f067cd0e0c3860d",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "poetry2nix",
"type": "github"
}
},
"root": {
"inputs": {
"deploy-rs": "deploy-rs",
"mattermost-server": "mattermost-server",
"mattermost-webapp": "mattermost-webapp",
"nix-hexchen": "nix-hexchen",
"nixos-mailserver": "nixos-mailserver",
"nixpkgs": "nixpkgs_3",
"nixpkgs": "nixpkgs_2",
"nixpkgs-oldstable": "nixpkgs-oldstable",
"sops-nix": "sops-nix",
"tracktrain": "tracktrain"
}
},
"rust-overlay": {
"flake": false,
"locked": {
"lastModified": 1686795910,
"narHash": "sha256-jDa40qRZ0GRQtP9EMZdf+uCbvzuLnJglTUI2JoHfWDc=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "5c2b97c0a9bc5217fc3dfb1555aae0fb756d99f9",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": "nixpkgs_4",
"nixpkgs": "nixpkgs_3",
"nixpkgs-stable": [
"nixpkgs"
]
@ -667,22 +226,6 @@
"type": "github"
}
},
"stable": {
"locked": {
"lastModified": 1696039360,
"narHash": "sha256-g7nIUV4uq1TOVeVIDEZLb005suTWCUjSY0zYOlSBsyE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "32dcb45f66c0487e92db8303a798ebc548cadedc",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
@ -698,35 +241,6 @@
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"id": "systems",
"type": "indirect"
}
},
"tracktrain": {
"flake": false,
"locked": {
@ -744,29 +258,6 @@
"url": "https://stuebinm.eu/git/tracktrain"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"nix-hexchen",
"authentik-nix",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1699786194,
"narHash": "sha256-3h3EH1FXQkIeAuzaWB+nK0XK54uSD46pp+dMD3gAcB4=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "e82f32aa7f06bbbd56d7b12186d555223dc399d1",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"utils": {
"inputs": {
"systems": "systems"
@ -784,27 +275,6 @@
"repo": "flake-utils",
"type": "github"
}
},
"waybar-iceportal": {
"inputs": {
"nixpkgs": [
"nix-hexchen",
"nixpkgs"
]
},
"locked": {
"lastModified": 1661258114,
"narHash": "sha256-wdm35mfyjz/eFrtd9fMeAJwfUk6XskbyM115wYI1kVA=",
"owner": "e1mo",
"repo": "waybar-iceportal",
"rev": "13b297c2cc0b4b56d4caccd626a16b455d8d49e5",
"type": "github"
},
"original": {
"owner": "e1mo",
"repo": "waybar-iceportal",
"type": "github"
}
}
},
"root": "root",


@ -9,7 +9,6 @@
nixpkgs.url = "nixpkgs/nixos-23.11";
nixpkgs-oldstable.url = "github:/NixOS/nixpkgs?rev=c4aec3c021620d98861639946123214207e98344";
nix-hexchen.url = "gitlab:hexchen/nixfiles";
nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11";
tracktrain.url = "git+https://stuebinm.eu/git/tracktrain?ref=main";
@ -17,18 +16,11 @@
deploy-rs.url = "github:serokell/deploy-rs";
deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
deploy-rs.inputs.flake-compat.follows = "nix-hexchen/apple-silicon/flake-compat";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs";
# these exist mostly to make the flake.lock somewhat more human-friendly
# note that in theory doing this might break things, but it seems fairly unlikely
nix-hexchen.inputs = {
nixos-mailserver.follows = "nixos-mailserver";
flake-utils.follows = "/deploy-rs/utils";
flake-compat.follows = "nix-hexchen/apple-silicon/flake-compat";
sops-nix.follows = "sops-nix";
};
nixos-mailserver.inputs = {
"nixpkgs-23_05".follows = "nixpkgs";
utils.follows = "/deploy-rs/utils";
@ -36,9 +28,13 @@
};
};
outputs = { self, nixpkgs, nix-hexchen, deploy-rs, sops-nix, ... }@inputs:
let modules = nix-hexchen.nixosModules;
profiles = nix-hexchen.nixosModules.profiles // {
outputs = { self, nixpkgs, deploy-rs, sops-nix, ... }@inputs:
let modules = {
bindMounts = import ./modules/bindmounts.nix;
nopersist = import ./modules/nopersist.nix;
encboot = import ./modules/encboot.nix;
};
profiles = {
container = import ./modules/container-profile.nix;
};
pkgs = import ./pkgs {
@ -50,21 +46,18 @@
system = "x86_64-linux";
modules = [
config
nix-hexchen.nixosModules.network.nftables
{
nixpkgs.pkgs = pkgs.lib.mkForce pkgs;
imports = [ profiles.container profiles.nopersist ];
imports = [ modules.nopersist profiles.container ];
}
];
specialArgs = {
# modules still needed because a profile in nix-hexchen uses it
# some of our modules import each other, and evalConfig is used for containers
inherit modules evalConfig;
sources = inputs;
};
}).config.system.build.toplevel;
in {
# do this by hand instead of via nix-hexchen/lib/hosts.nix, since that one
# apparently can't support pkgs depending on flake inputs
nixosConfigurations.parsons = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
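Review bot: The comment kept on L796-L797, `# do this by hand instead of via nix-hexchen/lib/hosts.nix, since that one apparently can't support pkgs depending on flake inputs`, now points at an input this very hunk removes from the flake, so it reads as a dangling reference to anyone who did not see this commit. Reword it to what is still true, e.g. `# hosts are evaluated by hand with nixosSystem so that pkgs can depend on flake inputs`. Dropping the `nix-hexchen.inputs` follows block also means deploy-rs's `flake-compat` is no longer forced onto another input's copy and resolves to deploy-rs's own pin; that is the expected trade-off, but the regenerated flake.lock is worth one look for any origin that is new to this repository. The `nixosConfigurations.parsons` definition continues past the end of the hunk.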

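--- a/modules/bindmounts.nix
+++ b/modules/bindmounts.nix
@@ -0,0 +1,28 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let cfg = config.hacc;
+in {
+options.hacc.bindMounts = mkOption {
+type = types.attrsOf types.str;
+default = { };
+example = { "/etc/asdf" = "/persist/asdf"; };
+};
+options.hacc.bindToPersist = mkOption {
+type = types.listOf types.str;
+default = [];
+example = [ "postgres" ];
+};
+config.fileSystems = mapAttrs (_: device: {
+inherit device;
+options = [ "bind" ];
+}) cfg.bindMounts;
+config.hacc.bindMounts = listToAttrs
+(map (name: { inherit name; value = "/persist${name}"; })
+cfg.bindToPersist);
+}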
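Review bot: `hacc.bindToPersist` only works for absolute paths: L826 builds the device as `/persist${name}` and reuses `name` unchanged as the mount point, so the documented example `[ "postgres" ]` on L819 would produce a bind mount named `postgres` sourced from `/persistpostgres`. Every real caller in this change passes paths like `/var/lib/acme`, so the example should say that and an assertion should reject anything else; both options also lack a `description`, which the module documentation would otherwise show empty. Proposed option block and check:
```nix
  options.hacc.bindMounts = mkOption {
    type = types.attrsOf types.str;
    default = { };
    example = { "/etc/asdf" = "/persist/asdf"; };
    description = "Bind mounts to create: mount point -> source path.";
  };
  options.hacc.bindToPersist = mkOption {
    type = types.listOf types.str;
    default = [];
    example = [ "/var/lib/postgresql" ];
    description = "Absolute paths to bind-mount from the same path under /persist.";
  };
  config.assertions = map (name: {
    assertion = hasPrefix "/" name;
    message = "hacc.bindToPersist: ${name} must be an absolute path";
  }) cfg.bindToPersist;
  # … unchanged: config.fileSystems / config.hacc.bindMounts …
```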

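--- a/modules/encboot.nix
+++ b/modules/encboot.nix
@@ -0,0 +1,45 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let cfg = config.hacc.encboot;
+in {
+options = {
+hacc.encboot = {
+enable = mkOption {
+type = types.bool;
+default = false;
+};
+networkDrivers = mkOption { type = with types; listOf str; };
+dataset = mkOption {
+type = types.str;
+default = "zroot";
+};
+};
+};
+config = mkIf cfg.enable {
+boot.initrd.kernelModules = cfg.networkDrivers;
+boot.initrd.network = {
+enable = true;
+ssh = {
+enable = true;
+port = 2222;
+authorizedKeys = with lib;
+concatLists (mapAttrsToList (name: user:
+if elem "wheel" user.extraGroups then
+user.openssh.authorizedKeys.keys
+else
+[ ]) config.users.users);
+hostKeys = [ /etc/ssh/encboot_host ];
+};
+postCommands = ''
+zpool import ${cfg.dataset}
+echo "zfs load-key -a; killall zfs && exit" >> /root/.profile
+'';
+};
+};
+}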
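Review bot: The initrd host key is set here as the path literal `/etc/ssh/encboot_host` (L865) and is then overridden with `mkForce` by nopersist.nix on any ZFS root, which is exactly the cross-module forcing the commit message says it wanted to get rid of. Make the location an option of this module, `hostKeyPath = mkOption { type = types.str; default = "/etc/ssh/encboot_host"; };` and `hostKeys = [ cfg.hostKeyPath ];`, so nopersist.nix can set `hacc.encboot.hostKeyPath = "/persist/ssh/encboot_host";` without `mkForce`; using a string rather than a Nix path literal also makes it unambiguous that the private key is read when the initrd is assembled and never interned into the world-readable Nix store (the NixOS option accepts both, and I believe its secrets appender already avoids the copy, but a string needs no such reasoning). Two security properties of this module should be stated in a header comment because nothing does: every SSH key of every `wheel` user (L859-L864) can unlock the disks, and `cfg.dataset` is spliced verbatim into `zpool import` (L868), so a value like parsons' `-a` imports every pool the initrd can see rather than one named pool. None of the three options carries a `description`.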

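--- a/modules/nopersist.nix
+++ b/modules/nopersist.nix
@@ -0,0 +1,52 @@
+{ config, lib, pkgs, modules, ... }:
+with lib;
+{
+imports = [ modules.bindMounts ];
+users.mutableUsers = false;
+boot.initrd = mkIf (config.fileSystems."/".fsType == "zfs") {
+network.ssh.hostKeys = mkIf config.hacc.encboot.enable
+(mkForce [ /persist/ssh/encboot_host ]);
+postDeviceCommands = mkIf (!config.boot.initrd.systemd.enable)
+(mkAfter ''
+zfs rollback -r ${config.fileSystems."/".device}@blank
+'');
+systemd = mkIf config.boot.initrd.systemd.enable {
+storePaths = [ pkgs.zfs ];
+services.rollback = {
+description = "Rollback ZFS datasets to a pristine state";
+wantedBy = [ "initrd.target" ];
+after = [ "zfs-import-${head (splitString "/" config.fileSystems."/".device)}.service" ];
+before = [ "sysroot.mount" ];
+path = [ pkgs.zfs ];
+unitConfig.DefaultDependencies = "no";
+serviceConfig.Type = "oneshot";
+script = ''
+zfs rollback -r ${config.fileSystems."/".device}@blank && echo "rollback complete"
+'';
+};
+};
+};
+services.openssh = {
+hostKeys = [
+{
+path = "/persist/ssh/ssh_host_ed25519_key";
+type = "ed25519";
+}
+{
+path = "/persist/ssh/ssh_host_rsa_key";
+type = "rsa";
+bits = 4096;
+}
+];
+};
+services.postgresql.dataDir =
+"/persist/postgresql/${config.services.postgresql.package.psqlSchema}";
+}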
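Review bot: The two root-rollback paths fail differently: the scripted one (L888-L891) runs `zfs rollback -r …@blank` as a bare statement, so if the `blank` snapshot is missing or the command fails, stage 1 carries on and boots the previous root with no indication that the "nothing persists" guarantee was skipped, whereas the systemd unit (L892-L906) fails and holds the boot. Make the scripted variant at least loud, `zfs rollback -r ${config.fileSystems."/".device}@blank || echo "WARNING: rollback to @blank failed, root is NOT pristine"`, or call stage 1's `fail` helper if you would rather stop the boot (I believe the non-systemd stage-1 script defines it; confirm). The snapshot name `blank` is hard-coded in both places and would be cleaner as a single option this file documents. A one-line header comment saying what the module guarantees (ephemeral ZFS root, immutable users, host keys and postgres data under /persist) would help, since the file name alone does not.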


@ -5,9 +5,8 @@
../common
./hardware.nix
modules.encboot
modules.network.nftables
modules.nftnat
sources.nix-hexchen.nixosModules.profiles.nopersist
modules.nopersist
./nftables.nix
./nextcloud.nix
./mattermost.nix
./murmur.nix
@ -22,9 +21,9 @@
./lxc.nix
];
hexchen.bindmounts."/var/lib/acme" = "/persist/var/lib/acme";
hacc.bindToPersist = [ "/var/lib/acme" ];
hexchen.encboot = {
hacc.encboot = {
enable = true;
dataset = "-a";
networkDrivers = [ "igb" ];
@ -40,9 +39,6 @@
networking.hostId = "b2867696";
networking.useDHCP = true;
networking.nftables.enable = true;
hexchen.nftables.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "enp35s0";
networking.hostName = "parsons";
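Review bot: `dataset = "-a"` on L947 is not a dataset name; encboot.nix splices the value verbatim into `zpool import ${cfg.dataset}`, so the initrd imports every pool it can find on any attached disk, not just the root pool. If "all pools" is really the intent, rename the option to say so (e.g. `importArgs`) and document it; otherwise pass the root pool's name so the unlock shell only touches the pool you meant. `networking.nftables.enable = true` on L952 is now also set in `./nftables.nix`, so one of the two can go. The `hacc.encboot` attribute set continues past the end of the hunk.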


@ -17,7 +17,7 @@
environment.systemPackages = [ pkgs.forgejo ];
hexchen.bindmounts."/var/lib/forgejo" = "/persist/forgejo";
hacc.bindMounts."/var/lib/forgejo" = "/persist/forgejo";
services.forgejo = {
enable = true;
@ -96,9 +96,4 @@
proxyPass = "http://${config.containers.gitea.localAddress}:3000";
};
};
hexchen.nftables.nat.forwardPorts = [{
ports = [ 22 ];
destination = "${config.containers.gitea.localAddress}:22";
proto = "tcp";
}];
}
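Review bot: With the `forwardPorts` entry gone, nothing in this file says any more that host tcp/22 is DNATed to `config.containers.gitea.localAddress`; the rule now lives in `parsons/nftables.nix`, where it still interpolates the container address, so it follows renumbering and turns removal of the container into an evaluation error rather than a stale rule. Add a pointer next to the container definition, `# host tcp/22 is DNATed to this container by parsons/nftables.nix`, so the next reader knows the container's sshd is internet-facing. The enclosing attribute set starts before the hunk.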


@ -76,6 +76,7 @@
startAt = "*-*-* 23:45:00";
location = "/persist/backups/postgres";
};
hacc.bindToPersist = [ "/var/lib/hedgedoc" ];
});
};
services.nginx.virtualHosts."pad.hacc.earth" = {


@ -55,6 +55,7 @@
startAt = "*-*-* 23:45:00";
location = "/persist/backups/postgres";
};
hacc.bindToPersist = [ "/var/lib/hedgedoc" ];
});
};


@ -202,4 +202,14 @@
forceSSL = true;
locations."/".proxyPass = "http://[::1]:1323";
};
hacc.bindToPersist = [
"/var/lib/rspamd"
"/var/lib/opendkim"
"/var/lib/postfix"
"/var/lib/dovecot"
"/var/sieve"
"/var/lib/redis-rspamd"
"/var/dkim"
];
}


@ -193,7 +193,7 @@
ensurePermissions = { "mattermost.*" = "ALL PRIVILEGES"; };
} ];
package = pkgs.mysql80;
dataDir = lib.mkForce "/persist/mysql";
dataDir = "/persist/mysql";
};
services.postgresql = {


@ -1,8 +1,6 @@
{ config, lib, pkgs, ... }:
{
hexchen.bindmounts."/var/lib/murmur" = "/persist/var/lib/murmur";
services.murmur = {
enable = true;
logDays = -1;
@ -27,4 +25,6 @@
};
users.users.nginx.extraGroups = [ "mumblecert" ];
users.users.murmur.extraGroups = [ "mumblecert" ];
hacc.bindToPersist = [ "/var/lib/murmur" ];
}

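--- a/parsons/nftables.nix
+++ b/parsons/nftables.nix
@@ -0,0 +1,80 @@
+{ config, lib, pkgs, ... }:
+{
+networking.firewall.enable = false;
+networking.nat.enable = false;
+boot = {
+kernelModules = [ "nf_nat_ftp" ];
+kernel.sysctl = {
+"net.ipv4.conf.all.forwarding" = true;
+"net.ipv4.conf.default.forwarding" = true;
+};
+};
+networking.nftables = {
+enable = true;
+ruleset = ''
+table inet filter {
+chain input {
+type filter hook input priority filter
+policy drop
+icmpv6 type { echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, packet-too-big } accept
+icmp type echo-request accept
+ct state invalid drop
+ct state established,related accept
+iifname { lo } accept
+tcp dport { 25, 80, 443, 465, 587, 993, 4190, 62954, 64738 } accept
+udp dport { 60000-61000, 64738 } accept
+# DHCPv6
+ip6 daddr fe80::/64 udp dport 546 accept
+counter
+}
+chain output {
+type filter hook output priority filter
+policy accept
+counter
+}
+chain forward {
+type filter hook forward priority filter
+policy accept
+counter
+}
+}
+table ip nat {
+chain prerouting {
+type nat hook prerouting priority -100
+iifname enp35s0 tcp dport { 22 } dnat ${config.containers.gitea.localAddress}:22
+}
+chain postrouting {
+type nat hook postrouting priority 100
+iifname lxcbr0 oifname enp35s0 masquerade
+iifname ve-* oifname enp35s0 masquerade
+}
+}
+'';
+};
+}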
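Review bot: The `forward` chain (L1081-L1085) is `policy accept` with no state or interface matching, so once IPv4 forwarding is switched on (L1054-L1055) the host routes anything between any pair of interfaces; only the fact that container addresses are private keeps enp35s0→container traffic out, and traffic between containers, or from a container to anything the host can reach, is forwarded unconditionally. Since the input chain already takes the default-deny stance, give the forward chain the same and allow exactly what the nat table implies, the two masquerade paths out and DNATed connections in; if containers talk to each other through the host, that needs an explicit rule as well, so test that before deploying. Separately, the tcp port list on L1070 deserves a comment per port (25/465/587 mail, 80/443 web, 993 imaps, 4190 managesieve, 64738 mumble; 62954 is presumably the host sshd, but I cannot tell from here), and `enp35s0` appears four times, so a `let ext = "enp35s0";` at the top would keep the filter rules and the DNAT in step.
```nix
      chain forward {
        type filter hook forward priority filter
        policy drop
        ct state invalid drop
        ct state established,related accept
        # containers out to the world, mirroring the masquerade rules below
        iifname lxcbr0 oifname enp35s0 accept
        iifname ve-* oifname enp35s0 accept
        # inbound only for connections the nat prerouting chain DNATed (tcp/22 -> forgejo)
        iifname enp35s0 ct status dnat accept
        counter
      }
```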


@ -149,6 +149,7 @@ in
systemd.services.grafana.serviceConfig.EnvironmentFile =
"/secrets/env";
hacc.bindToPersist = [ "/var/lib/grafana" ];
});
};