

No commits in common. "ea230c34b07951ec9c50998f2d5d4457baa87a56" and "461cb0112662316acad041b2859f6b21fb69ba00" have entirely different histories.

15 changed files with 573 additions and 244 deletions


@ -4,6 +4,7 @@
imports = [ imports = [
../modules ../modules
./users.nix ./users.nix
modules.network.nftables
]; ];
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages; boot.kernelPackages = lib.mkDefault pkgs.linuxPackages;


@ -1,5 +1,73 @@
{ {
"nodes": { "nodes": {
"apple-silicon": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": [
"nix-hexchen",
"nixpkgs"
],
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1705557527,
"narHash": "sha256-DuxxHTQ/W5KToFLWG4FUF8hLldNo9eXlbt7JgvhrMnY=",
"owner": "tpwrules",
"repo": "nixos-apple-silicon",
"rev": "6e324ab06cb27a19409ebc1dc2664bf1e585490a",
"type": "github"
},
"original": {
"owner": "tpwrules",
"repo": "nixos-apple-silicon",
"type": "github"
}
},
"authentik-nix": {
"inputs": {
"authentik-src": "authentik-src",
"flake-compat": "flake-compat_2",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils",
"napalm": "napalm",
"nixpkgs": [
"nix-hexchen",
"nixpkgs"
],
"nixpkgs-23-05": "nixpkgs-23-05",
"poetry2nix": "poetry2nix"
},
"locked": {
"lastModified": 1706549563,
"narHash": "sha256-yNPk+UP10OU4F1yBAF0w8ubwJER48mrK+tzsLT3Jnlw=",
"owner": "nix-community",
"repo": "authentik-nix",
"rev": "5fa451e05537408bd3d6f109f6740c58c0fd0aff",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "authentik-nix",
"type": "github"
}
},
"authentik-src": {
"flake": false,
"locked": {
"lastModified": 1706546688,
"narHash": "sha256-+1IdXRt28UZ2KTa0zsmjneNUOcutP99UUwqcYyVyqTI=",
"owner": "goauthentik",
"repo": "authentik",
"rev": "e095e9f694d2a427940bc8616bc4025fef502a8b",
"type": "github"
},
"original": {
"owner": "goauthentik",
"ref": "version/2023.10.7",
"repo": "authentik",
"type": "github"
}
},
"blobs": { "blobs": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -16,9 +84,38 @@
"type": "gitlab" "type": "gitlab"
} }
}, },
"colmena": {
"inputs": {
"flake-compat": "flake-compat_3",
"flake-utils": "flake-utils_2",
"nixpkgs": [
"nix-hexchen",
"nixpkgs"
],
"stable": "stable"
},
"locked": {
"lastModified": 1699171528,
"narHash": "sha256-ZsN6y+tgN5w84oAqRQpMhIvQM39ZNSZoZvn2AK0QYr4=",
"owner": "zhaofengli",
"repo": "colmena",
"rev": "665603956a1c3040d756987bc7a810ffe86a3b15",
"type": "github"
},
"original": {
"owner": "zhaofengli",
"ref": "main",
"repo": "colmena",
"type": "github"
}
},
"deploy-rs": { "deploy-rs": {
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": [
"nix-hexchen",
"apple-silicon",
"flake-compat"
],
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
@ -39,6 +136,21 @@
} }
}, },
"flake-compat": { "flake-compat": {
"locked": {
"lastModified": 1688025799,
"narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=",
"owner": "nix-community",
"repo": "flake-compat",
"rev": "8bf105319d44f6b9f0d764efa4fdef9f1cc9ba1c",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1696426674, "lastModified": 1696426674,
@ -54,6 +166,94 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1650374568,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1704982712,
"narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "07f6395285469419cf9d078f59b5b49993198c00",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1705309234,
"narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"locked": {
"lastModified": 1659877975,
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"nix-hexchen",
"nixpkgs"
]
},
"locked": {
"lastModified": 1706134977,
"narHash": "sha256-KwNb1Li3K6vuVwZ77tFjZ89AWBo7AiCs9t0Cens4BsM=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "6359d40f6ec0b72a38e02b333f343c3d4929ec10",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"mattermost-server": { "mattermost-server": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -84,6 +284,135 @@
"url": "https://releases.mattermost.com/8.1.10/mattermost-8.1.10-linux-amd64.tar.gz" "url": "https://releases.mattermost.com/8.1.10/mattermost-8.1.10-linux-amd64.tar.gz"
} }
}, },
"napalm": {
"inputs": {
"flake-utils": [
"nix-hexchen",
"authentik-nix",
"flake-utils"
],
"nixpkgs": [
"nix-hexchen",
"authentik-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703102458,
"narHash": "sha256-3pOV731qi34Q2G8e2SqjUXqnftuFrbcq+NdagEZXISo=",
"owner": "nix-community",
"repo": "napalm",
"rev": "edcb26c266ca37c9521f6a97f33234633cbec186",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "napalm",
"type": "github"
}
},
"nix-darwin": {
"inputs": {
"nixpkgs": [
"nix-hexchen",
"nixpkgs"
]
},
"locked": {
"lastModified": 1705915768,
"narHash": "sha256-+Jlz8OAqkOwJlioac9wtpsCnjgGYUhvLpgJR/5tP9po=",
"owner": "LnL7",
"repo": "nix-darwin",
"rev": "1e706ef323de76236eb183d7784f3bd57255ec0b",
"type": "github"
},
"original": {
"owner": "LnL7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"nix-hexchen",
"authentik-nix",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1698974481,
"narHash": "sha256-yPncV9Ohdz1zPZxYHQf47S8S0VrnhV7nNhCawY46hDA=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "4bb5e752616262457bc7ca5882192a564c0472d2",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nix-hexchen": {
"inputs": {
"apple-silicon": "apple-silicon",
"authentik-nix": "authentik-nix",
"colmena": "colmena",
"flake-compat": [
"nix-hexchen",
"apple-silicon",
"flake-compat"
],
"flake-utils": [
"deploy-rs",
"utils"
],
"home-manager": "home-manager",
"nix-darwin": "nix-darwin",
"nixos-hardware": "nixos-hardware",
"nixos-mailserver": [
"nixos-mailserver"
],
"nixpkgs": "nixpkgs",
"pnpm2nix": "pnpm2nix",
"sops-nix": [
"sops-nix"
],
"waybar-iceportal": "waybar-iceportal"
},
"locked": {
"lastModified": 1707171428,
"narHash": "sha256-Q/DQjwbdPU2RcU+hEHPCmbdUj48EoWaqXwQx7sCUI7o=",
"owner": "hexchen",
"repo": "nixfiles",
"rev": "698d7dbd56720d59bca196aa19e3263490336515",
"type": "gitlab"
},
"original": {
"owner": "hexchen",
"repo": "nixfiles",
"type": "gitlab"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1706182238,
"narHash": "sha256-Ti7CerGydU7xyrP/ow85lHsOpf+XMx98kQnPoQCSi1g=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "f84eaffc35d1a655e84749228cde19922fcf55f1",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "master",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixos-mailserver": { "nixos-mailserver": {
"inputs": { "inputs": {
"blobs": "blobs", "blobs": "blobs",
@ -91,7 +420,7 @@
"deploy-rs", "deploy-rs",
"flake-compat" "flake-compat"
], ],
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs_2",
"nixpkgs-23_05": [ "nixpkgs-23_05": [
"nixpkgs" "nixpkgs"
], ],
@ -118,19 +447,35 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1705856552, "lastModified": 1706150372,
"narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=", "narHash": "sha256-L0ioe5hifmkzltYr8Eo+72QvdDYPKHhDp9oWm3yqHkw=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d", "rev": "854f4671883250e456dc1553c783ac9741a0e9a4",
"type": "github" "type": "github"
}, },
"original": { "original": {
"id": "nixpkgs", "id": "nixpkgs",
"ref": "nixos-unstable", "ref": "nixos-unstable-small",
"type": "indirect" "type": "indirect"
} }
}, },
"nixpkgs-23-05": {
"locked": {
"lastModified": 1704290814,
"narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-23_11": { "nixpkgs-23_11": {
"locked": { "locked": {
"lastModified": 1706098335, "lastModified": 1706098335,
@ -146,6 +491,24 @@
"type": "indirect" "type": "indirect"
} }
}, },
"nixpkgs-lib": {
"locked": {
"dir": "lib",
"lastModified": 1703961334,
"narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9",
"type": "github"
},
"original": {
"dir": "lib",
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-oldstable": { "nixpkgs-oldstable": {
"locked": { "locked": {
"lastModified": 1678761643, "lastModified": 1678761643,
@ -163,6 +526,21 @@
} }
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": {
"lastModified": 1705856552,
"narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-unstable",
"type": "indirect"
}
},
"nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1707091808, "lastModified": 1707091808,
"narHash": "sha256-LahKBAfGbY836gtpVNnWwBTIzN7yf/uYM/S0g393r0Y=", "narHash": "sha256-LahKBAfGbY836gtpVNnWwBTIzN7yf/uYM/S0g393r0Y=",
@ -177,7 +555,7 @@
"type": "indirect" "type": "indirect"
} }
}, },
"nixpkgs_3": { "nixpkgs_4": {
"locked": { "locked": {
"lastModified": 1706925685, "lastModified": 1706925685,
"narHash": "sha256-hVInjWMmgH4yZgA4ZtbgJM1qEAel72SYhP5nOWX4UIM=", "narHash": "sha256-hVInjWMmgH4yZgA4ZtbgJM1qEAel72SYhP5nOWX4UIM=",
@ -193,21 +571,84 @@
"type": "github" "type": "github"
} }
}, },
"pnpm2nix": {
"flake": false,
"locked": {
"lastModified": 1703106649,
"narHash": "sha256-YhWzfuqNCZmKMbcoDoAT52KodjpuNj/7MklwKD0ojrg=",
"owner": "TSRBerry",
"repo": "pnpm2nix",
"rev": "8df6e2a8bd0174f4e9fa858d37c08ff3e91019bc",
"type": "github"
},
"original": {
"owner": "TSRBerry",
"repo": "pnpm2nix",
"type": "github"
}
},
"poetry2nix": {
"inputs": {
"flake-utils": [
"nix-hexchen",
"authentik-nix",
"flake-utils"
],
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"nix-hexchen",
"authentik-nix",
"nixpkgs"
],
"systems": "systems_3",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1705060653,
"narHash": "sha256-puYyylgrBS4AFAHeyVRTjTUVD8DZdecJfymWJe7H438=",
"owner": "nix-community",
"repo": "poetry2nix",
"rev": "e0b44e9e2d3aa855d1dd77b06f067cd0e0c3860d",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "poetry2nix",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"deploy-rs": "deploy-rs", "deploy-rs": "deploy-rs",
"mattermost-server": "mattermost-server", "mattermost-server": "mattermost-server",
"mattermost-webapp": "mattermost-webapp", "mattermost-webapp": "mattermost-webapp",
"nix-hexchen": "nix-hexchen",
"nixos-mailserver": "nixos-mailserver", "nixos-mailserver": "nixos-mailserver",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs_3",
"nixpkgs-oldstable": "nixpkgs-oldstable", "nixpkgs-oldstable": "nixpkgs-oldstable",
"sops-nix": "sops-nix", "sops-nix": "sops-nix",
"tracktrain": "tracktrain" "tracktrain": "tracktrain"
} }
}, },
"rust-overlay": {
"flake": false,
"locked": {
"lastModified": 1686795910,
"narHash": "sha256-jDa40qRZ0GRQtP9EMZdf+uCbvzuLnJglTUI2JoHfWDc=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "5c2b97c0a9bc5217fc3dfb1555aae0fb756d99f9",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"sops-nix": { "sops-nix": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs_3", "nixpkgs": "nixpkgs_4",
"nixpkgs-stable": [ "nixpkgs-stable": [
"nixpkgs" "nixpkgs"
] ]
@ -226,6 +667,22 @@
"type": "github" "type": "github"
} }
}, },
"stable": {
"locked": {
"lastModified": 1696039360,
"narHash": "sha256-g7nIUV4uq1TOVeVIDEZLb005suTWCUjSY0zYOlSBsyE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "32dcb45f66c0487e92db8303a798ebc548cadedc",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"systems": { "systems": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1681028828,
@ -241,6 +698,35 @@
"type": "github" "type": "github"
} }
}, },
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"id": "systems",
"type": "indirect"
}
},
"tracktrain": { "tracktrain": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -258,6 +744,29 @@
"url": "https://stuebinm.eu/git/tracktrain" "url": "https://stuebinm.eu/git/tracktrain"
} }
}, },
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"nix-hexchen",
"authentik-nix",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1699786194,
"narHash": "sha256-3h3EH1FXQkIeAuzaWB+nK0XK54uSD46pp+dMD3gAcB4=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "e82f32aa7f06bbbd56d7b12186d555223dc399d1",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"utils": { "utils": {
"inputs": { "inputs": {
"systems": "systems" "systems": "systems"
@ -275,6 +784,27 @@
"repo": "flake-utils", "repo": "flake-utils",
"type": "github" "type": "github"
} }
},
"waybar-iceportal": {
"inputs": {
"nixpkgs": [
"nix-hexchen",
"nixpkgs"
]
},
"locked": {
"lastModified": 1661258114,
"narHash": "sha256-wdm35mfyjz/eFrtd9fMeAJwfUk6XskbyM115wYI1kVA=",
"owner": "e1mo",
"repo": "waybar-iceportal",
"rev": "13b297c2cc0b4b56d4caccd626a16b455d8d49e5",
"type": "github"
},
"original": {
"owner": "e1mo",
"repo": "waybar-iceportal",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",


@ -9,6 +9,7 @@
nixpkgs.url = "nixpkgs/nixos-23.11"; nixpkgs.url = "nixpkgs/nixos-23.11";
nixpkgs-oldstable.url = "github:/NixOS/nixpkgs?rev=c4aec3c021620d98861639946123214207e98344"; nixpkgs-oldstable.url = "github:/NixOS/nixpkgs?rev=c4aec3c021620d98861639946123214207e98344";
nix-hexchen.url = "gitlab:hexchen/nixfiles";
nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11"; nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11";
tracktrain.url = "git+https://stuebinm.eu/git/tracktrain?ref=main"; tracktrain.url = "git+https://stuebinm.eu/git/tracktrain?ref=main";
@ -16,11 +17,18 @@
deploy-rs.url = "github:serokell/deploy-rs"; deploy-rs.url = "github:serokell/deploy-rs";
deploy-rs.inputs.nixpkgs.follows = "nixpkgs"; deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
deploy-rs.inputs.flake-compat.follows = "nix-hexchen/apple-silicon/flake-compat";
sops-nix.url = "github:Mic92/sops-nix"; sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs"; sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs";
# these exist mostly to make the flake.lock somewhat more human-friendly # these exist mostly to make the flake.lock somewhat more human-friendly
# note that in theory doing this might break things, but it seems fairly unlikely # note that in theory doing this might break things, but it seems fairly unlikely
nix-hexchen.inputs = {
nixos-mailserver.follows = "nixos-mailserver";
flake-utils.follows = "/deploy-rs/utils";
flake-compat.follows = "nix-hexchen/apple-silicon/flake-compat";
sops-nix.follows = "sops-nix";
};
nixos-mailserver.inputs = { nixos-mailserver.inputs = {
"nixpkgs-23_05".follows = "nixpkgs"; "nixpkgs-23_05".follows = "nixpkgs";
utils.follows = "/deploy-rs/utils"; utils.follows = "/deploy-rs/utils";
@ -28,13 +36,9 @@
}; };
}; };
outputs = { self, nixpkgs, deploy-rs, sops-nix, ... }@inputs: outputs = { self, nixpkgs, nix-hexchen, deploy-rs, sops-nix, ... }@inputs:
let modules = { let modules = nix-hexchen.nixosModules;
bindMounts = import ./modules/bindmounts.nix; profiles = nix-hexchen.nixosModules.profiles // {
nopersist = import ./modules/nopersist.nix;
encboot = import ./modules/encboot.nix;
};
profiles = {
container = import ./modules/container-profile.nix; container = import ./modules/container-profile.nix;
}; };
pkgs = import ./pkgs { pkgs = import ./pkgs {
@ -46,18 +50,21 @@
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
config config
nix-hexchen.nixosModules.network.nftables
{ {
nixpkgs.pkgs = pkgs.lib.mkForce pkgs; nixpkgs.pkgs = pkgs.lib.mkForce pkgs;
imports = [ modules.nopersist profiles.container ]; imports = [ profiles.container profiles.nopersist ];
} }
]; ];
specialArgs = { specialArgs = {
# some of our modules import each other, and evalConfig is used for containers # modules still needed because a profile in nix-hexchen uses it
inherit modules evalConfig; inherit modules evalConfig;
sources = inputs; sources = inputs;
}; };
}).config.system.build.toplevel; }).config.system.build.toplevel;
in { in {
# do this by hand instead of via nix-hexchen/lib/hosts.nix, since that one
# apparently can't support pkgs depending on flake inputs
nixosConfigurations.parsons = nixpkgs.lib.nixosSystem { nixosConfigurations.parsons = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
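Review bot: `nix-hexchen.url = "gitlab:hexchen/nixfiles"` tracks that repository's default branch with no `ref` or `rev`, and the new `outputs` now take every NixOS module (`modules = nix-hexchen.nixosModules`, the `profiles` set, the nftables module on the `parsons` module list) from it, so the host's firewall, persistence and encrypted-boot policy are defined by a third-party flake. The lock pins a specific rev today, but any `nix flake update` silently moves all of that to whatever the branch then contains; pinning a tag or `?rev=` in the URL, or at least a comment such as `# nix-hexchen supplies the firewall, nopersist and encboot modules — review its diff on every update`, would make that risk visible. `deploy-rs.inputs.flake-compat.follows = "nix-hexchen/apple-silicon/flake-compat"` additionally binds deploy-rs to a transitive input of that flake, which breaks if `apple-silicon` is ever dropped upstream; a comment naming that assumption next to the `follows` line would help.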


@ -1,28 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let cfg = config.hacc;
in {
options.hacc.bindMounts = mkOption {
type = types.attrsOf types.str;
default = { };
example = { "/etc/asdf" = "/persist/asdf"; };
};
options.hacc.bindToPersist = mkOption {
type = types.listOf types.str;
default = [];
example = [ "postgres" ];
};
config.fileSystems = mapAttrs (_: device: {
inherit device;
options = [ "bind" ];
}) cfg.bindMounts;
config.hacc.bindMounts = listToAttrs
(map (name: { inherit name; value = "/persist${name}"; })
cfg.bindToPersist);
}


@ -1,45 +0,0 @@
{ config, pkgs, lib, ... }:
with lib;
let cfg = config.hacc.encboot;
in {
options = {
hacc.encboot = {
enable = mkOption {
type = types.bool;
default = false;
};
networkDrivers = mkOption { type = with types; listOf str; };
dataset = mkOption {
type = types.str;
default = "zroot";
};
};
};
config = mkIf cfg.enable {
boot.initrd.kernelModules = cfg.networkDrivers;
boot.initrd.network = {
enable = true;
ssh = {
enable = true;
port = 2222;
authorizedKeys = with lib;
concatLists (mapAttrsToList (name: user:
if elem "wheel" user.extraGroups then
user.openssh.authorizedKeys.keys
else
[ ]) config.users.users);
hostKeys = [ /etc/ssh/encboot_host ];
};
postCommands = ''
zpool import ${cfg.dataset}
echo "zfs load-key -a; killall zfs && exit" >> /root/.profile
'';
};
};
}


@ -1,52 +0,0 @@
{ config, lib, pkgs, modules, ... }:
with lib;
{
imports = [ modules.bindMounts ];
users.mutableUsers = false;
boot.initrd = mkIf (config.fileSystems."/".fsType == "zfs") {
network.ssh.hostKeys = mkIf config.hacc.encboot.enable
(mkForce [ /persist/ssh/encboot_host ]);
postDeviceCommands = mkIf (!config.boot.initrd.systemd.enable)
(mkAfter ''
zfs rollback -r ${config.fileSystems."/".device}@blank
'');
systemd = mkIf config.boot.initrd.systemd.enable {
storePaths = [ pkgs.zfs ];
services.rollback = {
description = "Rollback ZFS datasets to a pristine state";
wantedBy = [ "initrd.target" ];
after = [ "zfs-import-${head (splitString "/" config.fileSystems."/".device)}.service" ];
before = [ "sysroot.mount" ];
path = [ pkgs.zfs ];
unitConfig.DefaultDependencies = "no";
serviceConfig.Type = "oneshot";
script = ''
zfs rollback -r ${config.fileSystems."/".device}@blank && echo "rollback complete"
'';
};
};
};
services.openssh = {
hostKeys = [
{
path = "/persist/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
{
path = "/persist/ssh/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}
];
};
services.postgresql.dataDir =
"/persist/postgresql/${config.services.postgresql.package.psqlSchema}";
}


@ -5,8 +5,9 @@
../common ../common
./hardware.nix ./hardware.nix
modules.encboot modules.encboot
modules.nopersist modules.network.nftables
./nftables.nix modules.nftnat
sources.nix-hexchen.nixosModules.profiles.nopersist
./nextcloud.nix ./nextcloud.nix
./mattermost.nix ./mattermost.nix
./murmur.nix ./murmur.nix
@ -21,9 +22,9 @@
./lxc.nix ./lxc.nix
]; ];
hacc.bindToPersist = [ "/var/lib/acme" ]; hexchen.bindmounts."/var/lib/acme" = "/persist/var/lib/acme";
hacc.encboot = { hexchen.encboot = {
enable = true; enable = true;
dataset = "-a"; dataset = "-a";
networkDrivers = [ "igb" ]; networkDrivers = [ "igb" ];
@ -39,6 +40,9 @@
networking.hostId = "b2867696"; networking.hostId = "b2867696";
networking.useDHCP = true; networking.useDHCP = true;
networking.nftables.enable = true; networking.nftables.enable = true;
hexchen.nftables.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "enp35s0";
networking.hostName = "parsons"; networking.hostName = "parsons";
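Review bot: The deleted `./nftables.nix` ruleset (input chain `policy drop` with an explicit allowlist of tcp 25, 80, 443, 465, 587, 993, 4190, 62954, 64738 and udp 60000-61000, 64738, the `lxcbr0` masquerade, the forwarding sysctls and the `nf_nat_ftp` module) has no visible replacement in this diff; the new lines only switch on `hexchen.nftables.nat` and name `ve-+` as the internal interface. If `modules.network.nftables` builds its input policy from `networking.firewall.*` options, those ports have to be declared somewhere not shown here, and traffic from `lxcbr0` (this host still imports `./lxc.nix`) is no longer masqueraded unless it is added to `networking.nat.internalInterfaces`. A comment next to `hexchen.nftables.nat.enable = true;` stating where the inbound allowlist now lives, e.g. `# inbound allowlist: <TODO: file/option> (replaces ./nftables.nix)`, plus a check of `nft list ruleset` on the deployed host against the old list, would make this change reviewable.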


@ -17,7 +17,7 @@
environment.systemPackages = [ pkgs.forgejo ]; environment.systemPackages = [ pkgs.forgejo ];
hacc.bindMounts."/var/lib/forgejo" = "/persist/forgejo"; hexchen.bindmounts."/var/lib/forgejo" = "/persist/forgejo";
services.forgejo = { services.forgejo = {
enable = true; enable = true;
@ -96,4 +96,9 @@
proxyPass = "http://${config.containers.gitea.localAddress}:3000"; proxyPass = "http://${config.containers.gitea.localAddress}:3000";
}; };
}; };
hexchen.nftables.nat.forwardPorts = [{
ports = [ 22 ];
destination = "${config.containers.gitea.localAddress}:22";
proto = "tcp";
}];
} }
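Review bot: The new `hexchen.nftables.nat.forwardPorts` entry redirects tcp/22 into the gitea container but carries no interface qualifier, whereas the rule it replaces in `./nftables.nix` was `iifname enp35s0 tcp dport { 22 } dnat …`. Whether the module scopes the DNAT to `networking.nat.externalInterface` is not visible here; if it applies on every interface, port 22 on the host's internal and container-facing addresses is redirected too. Worth confirming in the generated ruleset and recording in a comment, e.g. `# external port 22 is the gitea container's sshd, not the host's`.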


@ -76,7 +76,6 @@
startAt = "*-*-* 23:45:00"; startAt = "*-*-* 23:45:00";
location = "/persist/backups/postgres"; location = "/persist/backups/postgres";
}; };
hacc.bindToPersist = [ "/var/lib/hedgedoc" ];
}); });
}; };
services.nginx.virtualHosts."pad.hacc.earth" = { services.nginx.virtualHosts."pad.hacc.earth" = {
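Review bot: `hacc.bindToPersist = [ "/var/lib/hedgedoc" ]` is removed here without a `hexchen.bindmounts` replacement, unlike the forgejo and murmur changes in this commit which map their state directories to `/persist/...`. The same gap appears in the second hedgedoc container section, in the mail section's list (`/var/lib/rspamd`, `/var/lib/opendkim`, `/var/lib/postfix`, `/var/lib/dovecot`, `/var/sieve`, `/var/lib/redis-rspamd`, `/var/dkim`) and in the grafana section (`/var/lib/grafana`). Containers are now evaluated with nix-hexchen's `profiles.nopersist` (flake.nix), so unless that profile persists these paths on its own, mailboxes, DKIM signing keys, sieve scripts and dashboards would not survive a reboot. If the profile does cover them, a one-line comment where each list was removed would spare the next reader this question; otherwise the matching `hexchen.bindmounts."/var/dkim" = "/persist/var/dkim";`-style entries should be added.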


@ -55,7 +55,6 @@
startAt = "*-*-* 23:45:00"; startAt = "*-*-* 23:45:00";
location = "/persist/backups/postgres"; location = "/persist/backups/postgres";
}; };
hacc.bindToPersist = [ "/var/lib/hedgedoc" ];
}); });
}; };


@ -202,14 +202,4 @@
forceSSL = true; forceSSL = true;
locations."/".proxyPass = "http://[::1]:1323"; locations."/".proxyPass = "http://[::1]:1323";
}; };
hacc.bindToPersist = [
"/var/lib/rspamd"
"/var/lib/opendkim"
"/var/lib/postfix"
"/var/lib/dovecot"
"/var/sieve"
"/var/lib/redis-rspamd"
"/var/dkim"
];
} }


@ -193,7 +193,7 @@
ensurePermissions = { "mattermost.*" = "ALL PRIVILEGES"; }; ensurePermissions = { "mattermost.*" = "ALL PRIVILEGES"; };
} ]; } ];
package = pkgs.mysql80; package = pkgs.mysql80;
dataDir = "/persist/mysql"; dataDir = lib.mkForce "/persist/mysql";
}; };
services.postgresql = { services.postgresql = {
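Review bot: `dataDir = lib.mkForce "/persist/mysql"` now overrides a value set elsewhere, presumably by the nix-hexchen nopersist profile that replaces the deleted `./modules/nopersist.nix` (which only set `services.postgresql.dataDir`). A short comment stating what is being overridden and why, e.g. `# the nopersist profile sets its own mysql dataDir; keep the existing location`, would make the `mkForce` reviewable and removable later.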


@ -1,6 +1,8 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
{ {
hexchen.bindmounts."/var/lib/murmur" = "/persist/var/lib/murmur";
services.murmur = { services.murmur = {
enable = true; enable = true;
logDays = -1; logDays = -1;
@ -25,6 +27,4 @@
}; };
users.users.nginx.extraGroups = [ "mumblecert" ]; users.users.nginx.extraGroups = [ "mumblecert" ];
users.users.murmur.extraGroups = [ "mumblecert" ]; users.users.murmur.extraGroups = [ "mumblecert" ];
hacc.bindToPersist = [ "/var/lib/murmur" ];
} }


@ -1,80 +0,0 @@
{ config, lib, pkgs, ... }:
{
networking.firewall.enable = false;
networking.nat.enable = false;
boot = {
kernelModules = [ "nf_nat_ftp" ];
kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = true;
"net.ipv4.conf.default.forwarding" = true;
};
};
networking.nftables = {
enable = true;
ruleset = ''
table inet filter {
chain input {
type filter hook input priority filter
policy drop
icmpv6 type { echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, packet-too-big } accept
icmp type echo-request accept
ct state invalid drop
ct state established,related accept
iifname { lo } accept
tcp dport { 25, 80, 443, 465, 587, 993, 4190, 62954, 64738 } accept
udp dport { 60000-61000, 64738 } accept
# DHCPv6
ip6 daddr fe80::/64 udp dport 546 accept
counter
}
chain output {
type filter hook output priority filter
policy accept
counter
}
chain forward {
type filter hook forward priority filter
policy accept
counter
}
}
table ip nat {
chain prerouting {
type nat hook prerouting priority -100
iifname enp35s0 tcp dport { 22 } dnat ${config.containers.gitea.localAddress}:22
}
chain postrouting {
type nat hook postrouting priority 100
iifname lxcbr0 oifname enp35s0 masquerade
iifname ve-* oifname enp35s0 masquerade
}
}
'';
};
}


@ -149,7 +149,6 @@ in
systemd.services.grafana.serviceConfig.EnvironmentFile = systemd.services.grafana.serviceConfig.EnvironmentFile =
"/secrets/env"; "/secrets/env";
hacc.bindToPersist = [ "/var/lib/grafana" ];
}); });
}; };