systems folder get smaller

2024-03-03 10:52:46 +01:00 · 2024-03-03 10:52:46 +01:00 · 5361e21b67
commit 5361e21b67
parent c4819c67cc
26 changed files with 74 additions and 367 deletions
--- a/nixos/components/network/nginx.nix
+++ b/nixos/components/network/nginx.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, assets, ... }:
 with lib;
 {
  options.components.network.nginx.enable = mkOption {
@ -8,6 +8,12 @@ with lib;
  config = mkIf (config.components.network.nginx.enable) {
    environment.systemPackages = [
      pkgs.nginx-config-formatter
      (pkgs.writers.writePython3Bin "nginx-show-config" { flakeIgnore = [ "E265" "E225" "W292" ]; }
        (lib.fileContents "${assets}/nginx-show-config.py"))
    ];
    security.acme.defaults.email = "contact@ingolf-wagner.de";
    security.acme.acceptTerms = true;
--- a/nixos/machines/bobi/configuration.nix
+++ b/nixos/machines/bobi/configuration.nix
@ -3,7 +3,8 @@
  imports = [
    ../../components
-    ../../system/desktop
+    ../../modules
    ./hardware-configuration.nix
    ./tinc.nix
    ./syncthing.nix
--- a/nixos/machines/cherry/configuration.nix
+++ b/nixos/machines/cherry/configuration.nix
@ -3,10 +3,7 @@
  imports = [
    # last system packages that need to be migrated to components
    ../../system/all/borg-jobs.nix
    ../../modules
    ../../components
    ./disko-config.nix
--- a/nixos/machines/chungus/configuration.nix
+++ b/nixos/machines/chungus/configuration.nix
@ -2,8 +2,11 @@
  imports = [
-    ../../system/server
+    # todo : remove
    ../../system/all
    ../../components
    ../../modules
    ./hardware-configuration
--- a/nixos/machines/cream/configuration.nix
+++ b/nixos/machines/cream/configuration.nix
@ -3,11 +3,8 @@
  imports = [
    # last system packages that need to be migrated to components
    ../../system/all/borg-jobs.nix
    ../../modules
    ../../components
    ../../modules
    ./hardware-configuration.nix
--- a/nixos/machines/dummy/configuration.nix
+++ b/nixos/machines/dummy/configuration.nix
@ -1,55 +0,0 @@
 { lib, config, pkgs, ... }: {
  imports = [
    <modules>
    <system/server/initssh.nix>
    <system/all/sshd.nix>
    ./hardware-configuration.nix
  ];
  # enable initrd ssh
  configuration.init-ssh = {
    enable = "enabled";
    kernelModules = [ "virtio_pci" ];
    hostECDSAKey = <secrets/init-ssh/host_ecdsa_key>;
  };
  networking.hostName = "dummy";
  # allow un-free
  # -------------
  # todo : put this in flake
  environment.variables.NIXPKGS_ALLOW_UNFREE = "1";
  # some system stuff
  # -----------------
  time.timeZone = lib.mkDefault "Europe/Berlin";
  #time.timeZone = lib.mkDefault "Pacific/Auckland";
  #time.timeZone = lib.mkDefault "Asia/Singapore";
  #time.timeZone = lib.mkDefault "Asia/Makassar";
  i18n.defaultLocale = "en_US.UTF-8";
  console.font = "Lat2-Terminus16";
  console.keyMap = "us";
  # swappiness
  # ----------
  # 0 = only when running out of RAM
  # 100 = always swapp
  boot.kernel.sysctl."vm.swappiness" = 0;
  # rewire NIX_PATH
  # ---------------
  environment.variables.NIX_PATH = lib.mkForce "/var/src";
  environment.systemPackages = [ pkgs.git ];
  boot.initrd.network.postCommands = lib.mkAfter ''
    echo "sleep engineering"
    sleep 120
  '';
 }
--- a/nixos/machines/dummy/hardware-configuration.nix
+++ b/nixos/machines/dummy/hardware-configuration.nix
@ -1,9 +0,0 @@
 { ... }: {
  imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ];
  boot.loader.grub.device = "/dev/sda";
  fileSystems."/" = {
    device = "/dev/sda1";
    fsType = "ext4";
  };
 }
--- a/nixos/machines/mobi/configuration.nix
+++ b/nixos/machines/mobi/configuration.nix
@ -3,7 +3,8 @@
  imports = [
    ../../components
-    ../../system/desktop
+    ../../modules
    ./hardware-configuration.nix
    ./tinc.nix
    ./syncthing.nix
--- a/nixos/machines/orbi/configuration.nix
+++ b/nixos/machines/orbi/configuration.nix
@ -1,17 +1,14 @@
 { lib, config, pkgs, ... }: {
  imports = [
-    #../../system/all/nginx.nix
+    ./hardware-configuration
-    ../../system/all/borg-jobs.nix
+
    ../../system/all/defaults.nix
-    ../../system/server/packages.nix
+
    ../../components
    ../../modules
    #./disko-config.nix
    #./hetzner.nix
    ./hardware-configuration
    # services
    #./borg.nix
--- a/nixos/machines/robi/configuration.nix
+++ b/nixos/machines/robi/configuration.nix
@ -2,12 +2,9 @@
  imports = [
    # ../../system/all/nginx.nix
    ../../system/all/borg-jobs.nix
    ../../system/all/defaults.nix
    ../../system/server/packages.nix
    ../../components
    ../../modules
    ./hetzner.nix
--- a/nixos/machines/sternchen/configuration.nix
+++ b/nixos/machines/sternchen/configuration.nix
@ -3,7 +3,8 @@
  imports = [
    ../../components
-    ../../system/desktop
+    ../../modules
    ./hardware-configuration.nix
    ./packages.nix
--- a/nixos/machines/sterni/configuration.nix
+++ b/nixos/machines/sterni/configuration.nix
@ -3,7 +3,7 @@
  imports = [
    ../../components
-    ../../system/desktop
+    ../../modules
    ./hardware-configuration.nix
    ./packages.nix
--- a/nixos/system/all/borg-jobs.nix
+++ b/nixos/system/all/borg-jobs.nix
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@ -1,11 +1,13 @@
 {
  imports = [
    ./borg-jobs.nix
    ./browser.nix
    ./castget.nix
    ./init-ssh.nix
    ./rbackup.nix
    ./samba-share.nix
    ./taskwarrior-pushover.nix
    ./taskwarrior-autotag.nix
-    ./browser.nix
+    ./taskwarrior-pushover.nix
  ];
 }
--- a/nixos/system/server/initssh.nix
+++ b/nixos/system/server/initssh.nix
@ -1,14 +1,11 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.configuration.init-ssh;
 in
 {
  # todo : this is kinda deprecated. It should be replaced some day with something more simple, and put in a module.
  options.configuration.init-ssh = {
    enable = mkOption {
@ -16,11 +13,6 @@ in
      type = with types; enum [ "disable" "prepare" "enabled" ];
    };
    #mode = mkOption {
    #  default = "ssh";
    #  type = with types; enum [ "ssh" "ssh+tor" ];
    #};
    kernelModules = mkOption {
      type = with types; listOf str;
      description =
--- a/nixos/pkgs/nginx-show-config/default.nix
+++ b/nixos/pkgs/nginx-show-config/default.nix
@ -0,0 +1,7 @@
 { writers, fileContents, ... }:
 pkgs.writers.writePython3Bin "nginx-show-config"
 {
  flakeIgnore = [ "E265" "E225" "W292" ];
  libraries = [ nginx-config-formatter ];
 }
  (lib.fileContents ./nginx-show-config.py)
--- a/nixos/pkgs/nginx-show-config/nginx-show-config.py
+++ b/nixos/pkgs/nginx-show-config/nginx-show-config.py
@ -0,0 +1,40 @@
 #!/usr/bin/env nix-shell
 #!nix-shell -p nginx-config-formatter python3 -i python3
 import os
 import re
 import shutil
 import subprocess
 import sys
 from tempfile import TemporaryDirectory
 def nginx_config() -> str:
    reload_config = "/etc/nginx/nginx.conf"
    if os.path.exists(reload_config):
        return reload_config
    out = subprocess.check_output(["systemctl", "cat", "nginx"])
    match = re.search(r"-c '(\S+-nginx\.conf)", out.decode("utf-8"))
    if not match:
        print("Could not find nginx.conf in nginx.service", file=sys.stderr)
        sys.exit(1)
    return match.group(1)
 def main():
    config_path = nginx_config()
    with TemporaryDirectory() as temp_dir:
        temp_path = os.path.join(temp_dir, "nginx.conf")
        with open(temp_path, "wb+") as temp_file, open(
            config_path, "rb"
        ) as config_file:
            shutil.copyfileobj(config_file, temp_file)
            temp_file.flush()
            subprocess.check_call(["nginxfmt", temp_file.name])
            editor = os.environ.get("EDITOR", "cat")
            subprocess.check_call([editor, temp_file.name] + sys.argv[1:])
 if __name__ == "__main__":
    main()
--- a/nixos/system/all/default.nix
+++ b/nixos/system/all/default.nix
@ -4,14 +4,9 @@
    ../../modules
    ../../components/network
    ./defaults.nix
    ./grub.nix
    #./nginx-landingpage.nix
    #./nginx.nix
    ./packages.nix
    ./borg-jobs.nix
    ./borg-scripts.nix
  ];
--- a/nixos/system/all/packages.nix
+++ b/nixos/system/all/packages.nix
@ -41,8 +41,6 @@ let
 in
 {
  #imports = [ ./packages/llvm-config-dummy.nix ];
  programs.tmux = {
    enable = true;
    clock24 = true;
--- a/nixos/system/all/packages/llvm-config-dummy.nix
+++ b/nixos/system/all/packages/llvm-config-dummy.nix
@ -1,43 +0,0 @@
 { pkgs, config, lib, ... }:
 with pkgs.lib; {
  environment.systemPackages =
    let
      llvm = pkgs.llvm;
      llvm-config = pkgs.writers.writeBashBin "llvm-config" ''
        while [[ $# -gt 0 ]]; do
          arg="$1"
          case $arg in
            --assertion-mode)
              echo "OFF"
              ;;
            --bindir)
              echo "${getBin llvm}/bin"
              ;;
            --libdir)
              echo "${getLib llvm}/lib"
              ;;
            --includedir)
              echo "${getDev llvm}/include"
              ;;
            --prefix)
              echo "${llvm.out}"
              ;;
            --src-root)
              echo "/build/llvm";
              ;;
            --obj-root)
              echo "/build/llvm/build";
              ;;
            --cmakedir)
              echo "${getDev llvm}/lib/cmake/llvm"
              ;;
            *)
              echo "Unhandled argument '$arg' passed to dummy llvm-config!"
              exit 1
          esac
          shift
        done
      '';
    in
    [ llvm-config ];
 }
--- a/nixos/system/desktop/default.nix
+++ b/nixos/system/desktop/default.nix
@ -1,18 +0,0 @@
 { config, pkgs, lib, ... }: {
  imports = [
    ../all
  ];
  backup.dirs = [
    "${config.users.users.mainUser.home}/.config/noti"
    "${config.users.users.mainUser.home}/.password-store"
    "${config.users.users.mainUser.home}/.task"
    "${config.users.users.mainUser.home}/.vit"
  ];
  services.urxvtd.enable = true;
 }
--- a/nixos/system/proxy/default.nix
+++ b/nixos/system/proxy/default.nix
@ -1,12 +0,0 @@
 { config, lib, pkgs, ... }: {
  imports = [
    ../../system/all
    ../../system/server/graylog-exporter.nix
    ../../system/server/prometheus-exporters.nix
  ];
  services.sshguard.enable = true;
 }
--- a/nixos/system/server/default.nix
+++ b/nixos/system/server/default.nix
@ -1,23 +0,0 @@
 { config, lib, pkgs, ... }: {
  imports = [
    ../../system/all
    #./netdata.nix
    ./initssh.nix
    #./graylog-exporter.nix
    ./prometheus-exporters.nix
    ./packages.nix
  ];
  # make sure laptops stay awake when closing the montior
  services.logind.lidSwitch = "ignore";
  powerManagement.enable = false;
  #powerManagement.scsiLinkPolicy = "min_power";
  services.locate.enable = true;
  services.locate.locate = pkgs.mlocate;
  services.locate.localuser = null;
 }
--- a/nixos/system/server/graylog-exporter.nix
+++ b/nixos/system/server/graylog-exporter.nix
@ -1,139 +0,0 @@
 { lib, ... }: {
  # send data to graylog
  services.SystemdJournal2Gelf.enable = lib.mkDefault false;
  services.SystemdJournal2Gelf.graylogServer = "workhorse.private:11201";
  services.journalbeat = {
    enable = true;
    # https://docs.graylog.org/en/4.0/pages/sending/journald.html
    extraConfig = ''
      journalbeat.inputs:
        # Paths that should be crawled and fetched. Possible values files and directories.
        # When setting a directory, all journals under it are merged.
        # When empty starts to read from local journal.
      - paths: []
        # The number of seconds to wait before trying to read again from journals.
        #backoff: 1s
        # The maximum number of seconds to wait before attempting to read again from journals.
        #max_backoff: 20s
        # Position to start reading from journal. Valid values: head, tail, cursor
        seek: tail
        # Fallback position if no cursor data is available.
        #cursor_seek_fallback: tail
        # Exact matching for field values of events.
        # Matching for nginx entries: "systemd.unit=nginx"
        #include_matches: []
      output.logstash:
        # Boolean flag to enable or disable the output module.
        enabled: true
        # Graylog host and the beats input
        hosts: ["workhorse.private:5044"]
        # Number of workers per Graylog host.
        #worker: 1
        # Set gzip compression level.
        #compression_level: 3
        # Configure escaping HTML symbols in strings.
        #escape_html: false
        # Optional maximum time to live for a connection to Graylog, after which the
        # connection will be re-established.  A value of `0s` (the default) will
        # disable this feature.
        #
        # Not yet supported for async connections (i.e. with the "pipelining" option set)
        ttl: 30s
        # Optionally load-balance events between Graylog hosts. Default is false.
        #loadbalance: false
        # If enabled only a subset of events in a batch of events is transferred per
        # transaction.  The number of events to be sent increases up to `bulk_max_size`
        # if no error is encountered.
        slow_start: true
        # The number of seconds to wait before trying to reconnect to Graylog
        # after a network error. After waiting backoff.init seconds, the Beat
        # tries to reconnect. If the attempt fails, the backoff timer is increased
        # exponentially up to backoff.max. After a successful connection, the backoff
        # timer is reset. The default is 1s.
        backoff.init: 1s
        # The maximum number of seconds to wait before attempting to connect to
        # Graylog after a network error. The default is 60s.
        backoff.max: 60s
        # SOCKS5 proxy server URL
        #proxy_url: socks5://user:password@socks5-server:2233
        # Resolve names locally when using a proxy server. Defaults to false.
        #proxy_use_local_resolver: false
        # Enable SSL support. SSL is automatically enabled if any SSL setting is set.
        #ssl.enabled: true
        # Configure SSL verification mode. If `none` is configured, all server hosts
        # and certificates will be accepted. In this mode, SSL based connections are
        # susceptible to man-in-the-middle attacks. Use only for testing. Default is
        # `full`.
        #ssl.verification_mode: full
        # List of supported/valid TLS versions. By default all TLS versions from 1.1
        # up to 1.3 are enabled.
        #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
        # Optional SSL configuration options. SSL is off by default.
        # List of root certificates for HTTPS server verifications
        #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
        # Certificate for SSL client authentication
        #ssl.certificate: "/etc/pki/client/cert.pem"
        # Client certificate key
        #ssl.key: "/etc/pki/client/cert.key"
        # Optional passphrase for decrypting the Certificate Key.
        #ssl.key_passphrase: 
        # Configure cipher suites to be used for SSL connections
        #ssl.cipher_suites: []
        # Configure curve types for ECDHE-based cipher suites
        #ssl.curve_types: []
        # Configure what types of renegotiation are supported. Valid options are
        # never, once, and freely. Default is never.
        #ssl.renegotiation: never
        # Configure a pin that can be used to do extra validation of the verified certificate chain,
        # this allow you to ensure that a specific certificate is used to validate the chain of trust.
        #
        # The pin is a base64 encoded string of the SHA-256 fingerprint.
        #ssl.ca_sha256: ""
        # The number of times to retry publishing an event after a publishing failure.
        # After the specified number of retries, the events are typically dropped.
        # Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting
        # and retry until all events are published.  Set max_retries to a value less
        # than 0 to retry until all events are published. The default is 3.
        #max_retries: 3
        # The maximum number of events to bulk in a single Graylog request. The
        # default is 2048.
        bulk_max_size: 2048
        # The number of seconds to wait for responses from the Graylog server before
        # timing out. The default is 30s.
        #timeout: 30s
    '';
  };
 }
--- a/nixos/system/server/packages.nix
+++ b/nixos/system/server/packages.nix
@ -1,20 +0,0 @@
 { pkgs, config, lib, ... }: {
  # no need to to start a service
  environment.systemPackages =
    let
      nginxShowConfig = pkgs.writers.writePython3Bin "nginx-show-config"
        {
          flakeIgnore = [ "E265" "E225" "W292" ];
        }
        (lib.fileContents ../../assets/nginx-show-config.py);
    in
    [
      pkgs.mosh
      # nginxfmt
      pkgs.nginx-config-formatter
      nginxShowConfig
    ];
 }
--- a/nixos/system/server/prometheus-exporters.nix
+++ b/nixos/system/server/prometheus-exporters.nix
@ -1,8 +0,0 @@
 { config, lib, ... }: {
  config = lib.mkMerge [
    (lib.mkIf config.services.nginx.enable {
      services.prometheus.exporters.nginx.enable = true;
      services.nginx.statusPage = true;
    })
  ];
 }