palo/nixos-config
palo/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

systems folder get smaller

Browse source
This commit is contained in:
Ingolf Wagner 2024-03-03 10:52:46 +01:00
parent c4819c67cc
commit 5361e21b67
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
26 changed files with 74 additions and 367 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
nixos/components/network/nginx.nix
View file

@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ config, lib, pkgs, assets, ... }:
with lib;
{
options.components.network.nginx.enable = mkOption {
@ -8,6 +8,12 @@ with lib;
config = mkIf (config.components.network.nginx.enable) {
environment.systemPackages = [
pkgs.nginx-config-formatter
(pkgs.writers.writePython3Bin "nginx-show-config" { flakeIgnore = [ "E265" "E225" "W292" ]; }
(lib.fileContents "${assets}/nginx-show-config.py"))
];
security.acme.defaults.email = "contact@ingolf-wagner.de";
security.acme.acceptTerms = true;

3
nixos/machines/bobi/configuration.nix
View file

@ -3,7 +3,8 @@
imports = [
../../components
../../system/desktop
../../modules
./hardware-configuration.nix
./tinc.nix
./syncthing.nix

3
nixos/machines/cherry/configuration.nix
View file

@ -3,10 +3,7 @@
imports = [
# last system packages that need to be migrated to components
../../system/all/borg-jobs.nix
../../modules
../../components
./disko-config.nix

5
nixos/machines/chungus/configuration.nix
View file

@ -2,8 +2,11 @@
imports = [
../../system/server
# todo : remove
../../system/all
../../components
../../modules
./hardware-configuration

5
nixos/machines/cream/configuration.nix
View file

@ -3,11 +3,8 @@
imports = [
# last system packages that need to be migrated to components
../../system/all/borg-jobs.nix
../../modules
../../components
../../modules
./hardware-configuration.nix

55
nixos/machines/dummy/configuration.nix
View file

@ -1,55 +0,0 @@
{ lib, config, pkgs, ... }: {
imports = [
<modules>
<system/server/initssh.nix>
<system/all/sshd.nix>
./hardware-configuration.nix
];
# enable initrd ssh
configuration.init-ssh = {
enable = "enabled";
kernelModules = [ "virtio_pci" ];
hostECDSAKey = <secrets/init-ssh/host_ecdsa_key>;
};
networking.hostName = "dummy";
# allow un-free
# -------------
# todo : put this in flake
environment.variables.NIXPKGS_ALLOW_UNFREE = "1";
# some system stuff
# -----------------
time.timeZone = lib.mkDefault "Europe/Berlin";
#time.timeZone = lib.mkDefault "Pacific/Auckland";
#time.timeZone = lib.mkDefault "Asia/Singapore";
#time.timeZone = lib.mkDefault "Asia/Makassar";
i18n.defaultLocale = "en_US.UTF-8";
console.font = "Lat2-Terminus16";
console.keyMap = "us";
# swappiness
# ----------
# 0 = only when running out of RAM
# 100 = always swapp
boot.kernel.sysctl."vm.swappiness" = 0;
# rewire NIX_PATH
# ---------------
environment.variables.NIX_PATH = lib.mkForce "/var/src";
environment.systemPackages = [ pkgs.git ];
boot.initrd.network.postCommands = lib.mkAfter ''
echo "sleep engineering"
sleep 120
'';
}

9
nixos/machines/dummy/hardware-configuration.nix
View file

@ -1,9 +0,0 @@
{ ... }: {
imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ];
boot.loader.grub.device = "/dev/sda";
fileSystems."/" = {
device = "/dev/sda1";
fsType = "ext4";
};
}

3
nixos/machines/mobi/configuration.nix
View file

@ -3,7 +3,8 @@
imports = [
../../components
../../system/desktop
../../modules
./hardware-configuration.nix
./tinc.nix
./syncthing.nix

9
nixos/machines/orbi/configuration.nix
View file

@ -1,17 +1,14 @@
{ lib, config, pkgs, ... }: {
imports = [
#../../system/all/nginx.nix
../../system/all/borg-jobs.nix
./hardware-configuration
../../system/all/defaults.nix
../../system/server/packages.nix
../../components
../../modules
#./disko-config.nix
#./hetzner.nix
./hardware-configuration
# services
#./borg.nix

3
nixos/machines/robi/configuration.nix
View file

@ -2,12 +2,9 @@
imports = [
# ../../system/all/nginx.nix
../../system/all/borg-jobs.nix
../../system/all/defaults.nix
../../system/server/packages.nix
../../components
../../modules
./hetzner.nix

3
nixos/machines/sternchen/configuration.nix
View file

@ -3,7 +3,8 @@
imports = [
../../components
../../system/desktop
../../modules
./hardware-configuration.nix
./packages.nix

2
nixos/machines/sterni/configuration.nix
View file

@ -3,7 +3,7 @@
imports = [
../../components
../../system/desktop
../../modules
./hardware-configuration.nix
./packages.nix

0
nixos/system/all/borg-jobs.nix → nixos/modules/borg-jobs.nix
View file

6
nixos/modules/default.nix
View file

@ -1,11 +1,13 @@
{
imports = [
./borg-jobs.nix
./browser.nix
./castget.nix
./init-ssh.nix
./rbackup.nix
./samba-share.nix
./taskwarrior-pushover.nix
./taskwarrior-autotag.nix
./browser.nix
./taskwarrior-pushover.nix
];
}

10
nixos/system/server/initssh.nix → nixos/modules/init-ssh.nix
View file

@ -1,14 +1,11 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.configuration.init-ssh;
in
{
# todo : this is kinda deprecated. It should be replaced some day with something more simple, and put in a module.
options.configuration.init-ssh = {
enable = mkOption {
@ -16,11 +13,6 @@ in
type = with types; enum [ "disable" "prepare" "enabled" ];
};
#mode = mkOption {
# default = "ssh";
# type = with types; enum [ "ssh" "ssh+tor" ];
#};
kernelModules = mkOption {
type = with types; listOf str;
description =

7
nixos/pkgs/nginx-show-config/default.nix Normal file
View file

@ -0,0 +1,7 @@
{ writers, fileContents, ... }:
pkgs.writers.writePython3Bin "nginx-show-config"
{
flakeIgnore = [ "E265" "E225" "W292" ];
libraries = [ nginx-config-formatter ];
}
(lib.fileContents ./nginx-show-config.py)

40
nixos/pkgs/nginx-show-config/nginx-show-config.py Normal file
View file

@ -0,0 +1,40 @@
#!/usr/bin/env nix-shell
#!nix-shell -p nginx-config-formatter python3 -i python3
import os
import re
import shutil
import subprocess
import sys
from tempfile import TemporaryDirectory
def nginx_config() -> str:
reload_config = "/etc/nginx/nginx.conf"
if os.path.exists(reload_config):
return reload_config
out = subprocess.check_output(["systemctl", "cat", "nginx"])
match = re.search(r"-c '(\S+-nginx\.conf)", out.decode("utf-8"))
if not match:
print("Could not find nginx.conf in nginx.service", file=sys.stderr)
sys.exit(1)
return match.group(1)
def main():
config_path = nginx_config()
with TemporaryDirectory() as temp_dir:
temp_path = os.path.join(temp_dir, "nginx.conf")
with open(temp_path, "wb+") as temp_file, open(
config_path, "rb"
) as config_file:
shutil.copyfileobj(config_file, temp_file)
temp_file.flush()
subprocess.check_call(["nginxfmt", temp_file.name])
editor = os.environ.get("EDITOR", "cat")
subprocess.check_call([editor, temp_file.name] + sys.argv[1:])
if __name__ == "__main__":
main()

5
nixos/system/all/default.nix
View file

@ -4,14 +4,9 @@
../../modules
../../components/network
./defaults.nix
./grub.nix
#./nginx-landingpage.nix
#./nginx.nix
./packages.nix
./borg-jobs.nix
./borg-scripts.nix
];

2
nixos/system/all/packages.nix
View file

@ -41,8 +41,6 @@ let
in
{
#imports = [ ./packages/llvm-config-dummy.nix ];
programs.tmux = {
enable = true;
clock24 = true;

43
nixos/system/all/packages/llvm-config-dummy.nix
View file

@ -1,43 +0,0 @@
{ pkgs, config, lib, ... }:
with pkgs.lib; {
environment.systemPackages =
let
llvm = pkgs.llvm;
llvm-config = pkgs.writers.writeBashBin "llvm-config" ''
while [[ $# -gt 0 ]]; do
arg="$1"
case $arg in
--assertion-mode)
echo "OFF"
;;
--bindir)
echo "${getBin llvm}/bin"
;;
--libdir)
echo "${getLib llvm}/lib"
;;
--includedir)
echo "${getDev llvm}/include"
;;
--prefix)
echo "${llvm.out}"
;;
--src-root)
echo "/build/llvm";
;;
--obj-root)
echo "/build/llvm/build";
;;
--cmakedir)
echo "${getDev llvm}/lib/cmake/llvm"
;;
*)
echo "Unhandled argument '$arg' passed to dummy llvm-config!"
exit 1
esac
shift
done
'';
in
[ llvm-config ];
}

18
nixos/system/desktop/default.nix
View file

@ -1,18 +0,0 @@
{ config, pkgs, lib, ... }: {
imports = [
../all
];
backup.dirs = [
"${config.users.users.mainUser.home}/.config/noti"
"${config.users.users.mainUser.home}/.password-store"
"${config.users.users.mainUser.home}/.task"
"${config.users.users.mainUser.home}/.vit"
];
services.urxvtd.enable = true;
}

12
nixos/system/proxy/default.nix
View file

@ -1,12 +0,0 @@
{ config, lib, pkgs, ... }: {
imports = [
../../system/all
../../system/server/graylog-exporter.nix
../../system/server/prometheus-exporters.nix
];
services.sshguard.enable = true;
}

23
nixos/system/server/default.nix
View file

@ -1,23 +0,0 @@
{ config, lib, pkgs, ... }: {
imports = [
../../system/all
#./netdata.nix
./initssh.nix
#./graylog-exporter.nix
./prometheus-exporters.nix
./packages.nix
];
# make sure laptops stay awake when closing the montior
services.logind.lidSwitch = "ignore";
powerManagement.enable = false;
#powerManagement.scsiLinkPolicy = "min_power";
services.locate.enable = true;
services.locate.locate = pkgs.mlocate;
services.locate.localuser = null;
}

139
nixos/system/server/graylog-exporter.nix
View file

@ -1,139 +0,0 @@
{ lib, ... }: {
# send data to graylog
services.SystemdJournal2Gelf.enable = lib.mkDefault false;
services.SystemdJournal2Gelf.graylogServer = "workhorse.private:11201";
services.journalbeat = {
enable = true;
# https://docs.graylog.org/en/4.0/pages/sending/journald.html
extraConfig = ''
journalbeat.inputs:
# Paths that should be crawled and fetched. Possible values files and directories.
# When setting a directory, all journals under it are merged.
# When empty starts to read from local journal.
- paths: []
# The number of seconds to wait before trying to read again from journals.
#backoff: 1s
# The maximum number of seconds to wait before attempting to read again from journals.
#max_backoff: 20s
# Position to start reading from journal. Valid values: head, tail, cursor
seek: tail
# Fallback position if no cursor data is available.
#cursor_seek_fallback: tail
# Exact matching for field values of events.
# Matching for nginx entries: "systemd.unit=nginx"
#include_matches: []
output.logstash:
# Boolean flag to enable or disable the output module.
enabled: true
# Graylog host and the beats input
hosts: ["workhorse.private:5044"]
# Number of workers per Graylog host.
#worker: 1
# Set gzip compression level.
#compression_level: 3
# Configure escaping HTML symbols in strings.
#escape_html: false
# Optional maximum time to live for a connection to Graylog, after which the
# connection will be re-established. A value of `0s` (the default) will
# disable this feature.
#
# Not yet supported for async connections (i.e. with the "pipelining" option set)
ttl: 30s
# Optionally load-balance events between Graylog hosts. Default is false.
#loadbalance: false
# If enabled only a subset of events in a batch of events is transferred per
# transaction. The number of events to be sent increases up to `bulk_max_size`
# if no error is encountered.
slow_start: true
# The number of seconds to wait before trying to reconnect to Graylog
# after a network error. After waiting backoff.init seconds, the Beat
# tries to reconnect. If the attempt fails, the backoff timer is increased
# exponentially up to backoff.max. After a successful connection, the backoff
# timer is reset. The default is 1s.
backoff.init: 1s
# The maximum number of seconds to wait before attempting to connect to
# Graylog after a network error. The default is 60s.
backoff.max: 60s
# SOCKS5 proxy server URL
#proxy_url: socks5://user:password@socks5-server:2233
# Resolve names locally when using a proxy server. Defaults to false.
#proxy_use_local_resolver: false
# Enable SSL support. SSL is automatically enabled if any SSL setting is set.
#ssl.enabled: true
# Configure SSL verification mode. If `none` is configured, all server hosts
# and certificates will be accepted. In this mode, SSL based connections are
# susceptible to man-in-the-middle attacks. Use only for testing. Default is
# `full`.
#ssl.verification_mode: full
# List of supported/valid TLS versions. By default all TLS versions from 1.1
# up to 1.3 are enabled.
#ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
# Optional SSL configuration options. SSL is off by default.
# List of root certificates for HTTPS server verifications
#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
# Certificate for SSL client authentication
#ssl.certificate: "/etc/pki/client/cert.pem"
# Client certificate key
#ssl.key: "/etc/pki/client/cert.key"
# Optional passphrase for decrypting the Certificate Key.
#ssl.key_passphrase:
# Configure cipher suites to be used for SSL connections
#ssl.cipher_suites: []
# Configure curve types for ECDHE-based cipher suites
#ssl.curve_types: []
# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never
# Configure a pin that can be used to do extra validation of the verified certificate chain,
# this allow you to ensure that a specific certificate is used to validate the chain of trust.
#
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""
# The number of times to retry publishing an event after a publishing failure.
# After the specified number of retries, the events are typically dropped.
# Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting
# and retry until all events are published. Set max_retries to a value less
# than 0 to retry until all events are published. The default is 3.
#max_retries: 3
# The maximum number of events to bulk in a single Graylog request. The
# default is 2048.
bulk_max_size: 2048
# The number of seconds to wait for responses from the Graylog server before
# timing out. The default is 30s.
#timeout: 30s
'';
};
}

20
nixos/system/server/packages.nix
View file

@ -1,20 +0,0 @@
{ pkgs, config, lib, ... }: {
# no need to to start a service
environment.systemPackages =
let
nginxShowConfig = pkgs.writers.writePython3Bin "nginx-show-config"
{
flakeIgnore = [ "E265" "E225" "W292" ];
}
(lib.fileContents ../../assets/nginx-show-config.py);
in
[
pkgs.mosh
# nginxfmt
pkgs.nginx-config-formatter
nginxShowConfig
];
}

8
nixos/system/server/prometheus-exporters.nix
View file

@ -1,8 +0,0 @@
{ config, lib, ... }: {
config = lib.mkMerge [
(lib.mkIf config.services.nginx.enable {
services.prometheus.exporters.nginx.enable = true;
services.nginx.statusPage = true;
})
];
}