| author | seth <[email protected]> | 2024-10-27 20:12:19 -0400 |
|---|---|---|
| committer | GitHub <[email protected]> | 2024-10-28 00:12:19 +0000 |
| commit | 5ec7ee21e036f7bc1cbdec714271c619cb3fdb3d (patch) | |
| tree | 3277d8ba68ca466e68c58a8373063010db392d2e /modules/nixos/server | |
| parent | 75ec48c5f7dd7877f2294b86764b1fdadc6b7e88 (diff) | |
modules: restructure (#487)
* seth: remove unused pkgs
* modules: restructure
from archetypes back to profiles
make fewer actual modules for everything
use lib.mkDefault like it's supposed to
move mixins out of server
* nixos/resolved: use modern options
Diffstat (limited to 'modules/nixos/server')
| -rw-r--r-- | modules/nixos/server/default.nix | 45 | ||||
| -rw-r--r-- | modules/nixos/server/github-mirror/default.nix | 101 | ||||
| -rwxr-xr-x | modules/nixos/server/github-mirror/update-mirror.sh | 78 | ||||
| -rw-r--r-- | modules/nixos/server/host-user.nix | 44 | ||||
| -rw-r--r-- | modules/nixos/server/mixins/acme.nix | 52 | ||||
| -rw-r--r-- | modules/nixos/server/mixins/cloudflared.nix | 60 | ||||
| -rw-r--r-- | modules/nixos/server/mixins/default.nix | 9 | ||||
| -rw-r--r-- | modules/nixos/server/mixins/hercules.nix | 55 | ||||
| -rw-r--r-- | modules/nixos/server/mixins/nginx.nix | 22 | ||||
| -rw-r--r-- | modules/nixos/server/mixins/promtail.nix | 48 |
10 files changed, 0 insertions, 514 deletions
diff --git a/modules/nixos/server/default.nix b/modules/nixos/server/default.nix
deleted file mode 100644
index 3cc60fb..0000000
--- a/modules/nixos/server/default.nix
+++ /dev/null
@@ -1,45 +0,0 @@
-{
- config,
- lib,
- pkgs,
- inputs,
- ...
-}:
-let
- cfg = config.server;
-in
-{
- options.server = {
- enable = lib.mkEnableOption "basic server settings";
- };
-
- imports = [
- ./github-mirror
- ./host-user.nix
- ./mixins
- ];
-
- config = lib.mkIf cfg.enable {
- # all servers are most likely on stable, so we may want to pull some newer packages from time to time
- _module.args.unstable = inputs.nixpkgs.legacyPackages.${pkgs.stdenv.hostPlatform.system};
-
- boot.tmp.cleanOnBoot = lib.mkDefault true;
-
- # we don't need it here
- documentation.enable = false;
-
- environment.defaultPackages = lib.mkForce [ ];
-
- nix = {
- gc = {
- # ~every 2 days
- dates = "Mon,Wed,Fri *-*-* 00:00:00";
- options = "-d --delete-older-than 2d";
- };
-
- # hardening access to `nix` on servers as no other users
- # *should* ever really touch it
- settings.allowed-users = [ config.networking.hostName ];
- };
- };
-}
diff --git a/modules/nixos/server/github-mirror/default.nix b/modules/nixos/server/github-mirror/default.nix
deleted file mode 100644
index 9d0d870..0000000
--- a/modules/nixos/server/github-mirror/default.nix
+++ /dev/null
@@ -1,101 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}:
-let
- cfg = config.services.github-mirror;
- cgitInstance = config.services.cgit.${cfg.hostname};
-
- update-mirror =
- pkgs.runCommand "update-mirror"
- {
- nativeBuildInputs = [ pkgs.patsh ];
-
- buildInputs = [
- config.programs.git.package
- pkgs.curl
- pkgs.jq
- ];
- }
- ''
- patsh -s ${builtins.storeDir} ${./update-mirror.sh} $out
- chmod 755 $out
- patchShebangs $out
- '';
-in
-{
- options.services.github-mirror = {
- enable = lib.mkEnableOption "the github-mirror service";
-
- hostname = lib.mkOption {
- type = lib.types.str;
- description = "Hostname of the cgit service to create";
- example = lib.literalExpression "git.example.com";
- };
-
- mirroredUsers = lib.mkOption {
- type = lib.types.listOf lib.types.str;
- description = "List of GitHub users to mirror repositories for";
- example = lib.literalExpression ''[ "edolstra" ]'';
- };
- };
-
- config = lib.mkIf cfg.enable {
- assertions = [
- {
- assertion = cfg.mirroredUsers != [ ];
- message = "`services.git-mirror.mirroredUsers` must have at least one user";
- }
- ];
-
- services.cgit.${cfg.hostname} = {
- enable = true;
-
- scanPath = "/var/lib/cgit/${cfg.hostname}";
- settings = {
- robots = "none"; # noindex, nofollow
- };
-
- user = "cgit";
- group = "cgit";
- };
-
- systemd = {
- services.github-mirror = {
- description = "Mirror a GitHub repository";
-
- after = [ "network-online.target" ];
- wants = [ "network-online.target" ];
-
- script = toString (
- [
- "exec"
- (toString update-mirror)
- "--directory"
- cgitInstance.scanPath
- ]
- ++ cfg.mirroredUsers
- );
-
- serviceConfig = {
- Type = "oneshot";
- User = cgitInstance.user;
- Group = cgitInstance.group;
- };
- };
-
- timers.github-mirror = {
- description = "Hourly timer for %N";
- timerConfig.OnCalendar = "hourly";
- };
-
- tmpfiles.settings."10-github-mirror" = {
- ${cgitInstance.scanPath}.d = {
- inherit (cgitInstance) user group;
- };
- };
- };
- };
-}
diff --git a/modules/nixos/server/github-mirror/update-mirror.sh b/modules/nixos/server/github-mirror/update-mirror.sh
deleted file mode 100755
index c1e392d..0000000
--- a/modules/nixos/server/github-mirror/update-mirror.sh
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-help() {
- echo "Mirror a GitHub user's repositories
-
-Usage: $(basename "$0") [options] <user>...
-
-Options:
- -h --help Show this screen
- -d --directory DIRECTORY Where to clone repositories (defaults to ./git)"
-}
-
-create_if_not_exists() {
- if [ ! -d "$1" ]; then
- mkdir -p "$1"
- fi
-}
-
-repo_endpoint() {
- echo "https://api.github.com/users/$1/repos"
-}
-
-users=()
-output_directory="git"
-
-while [ "$#" -gt 0 ]; do
- case $1 in
- -h | --help)
- help
- exit 0
- ;;
- -d | --directory)
- output_directory="$2"
- shift
- shift
- ;;
- -*)
- echo "error: unknown option $1"
- help
- exit 1
- ;;
- *)
- users+=("$1")
- shift
- ;;
- esac
-done
-
-if [ "${#users[@]}" -lt 1 ]; then
- echo "error: at least one user must be specified"
- help
- exit 1
-fi
-
-create_if_not_exists "$output_directory"
-cd "$output_directory"
-
-for user in "${users[@]}"; do
- create_if_not_exists "$user"
-
- url="$(repo_endpoint "$user")"
- curl --fail --location --show-error --silent "$url" | jq --raw-output '.[].name' | while read -r repo; do
- repo_path="$user"/"$repo"
-
- if [ -d "$repo_path"/.git ]; then
- pushd "$repo_path" &>/dev/null
- echo "Pulling $repo_path..."
- if ! git remote update --prune &>/dev/null; then
- echo "Unable to pull $repo_path! Continuing..."
- fi
- popd &>/dev/null
- else
- echo "Cloning $repo_path..."
- git clone --bare --mirror https://github.com/"$repo_path".git "$repo_path" &>/dev/null
- fi
- done
-done
diff --git a/modules/nixos/server/host-user.nix b/modules/nixos/server/host-user.nix
deleted file mode 100644
index c60bfe3..0000000
--- a/modules/nixos/server/host-user.nix
+++ /dev/null
@@ -1,44 +0,0 @@
-{
- config,
- lib,
- secretsDir,
- ...
-}:
-let
- cfg = config.server.hostUser;
- inherit (config.networking) hostName;
-in
-{
- options.server.hostUser = {
- enable = lib.mkEnableOption "a default interactive user" // {
- default = config.server.enable;
- defaultText = lib.literalExpression "config.server.enable";
- };
-
- manageSecrets = lib.mkEnableOption "automatic management of secrets" // {
- default = config.traits.secrets.enable;
- defaultText = lib.literalExpression "config.traits.secrets.enable";
- };
- };
-
- config = lib.mkIf cfg.enable (
- lib.mkMerge [
- {
- users.users.${hostName} = {
- isNormalUser = true;
- extraGroups = [ "wheel" ];
- };
- }
-
- (lib.mkIf cfg.manageSecrets {
- age.secrets = {
- userPassword.file = secretsDir + "/userPassword.age";
- };
-
- users.users.${hostName} = {
- hashedPasswordFile = config.age.secrets.userPassword.path;
- };
- })
- ]
- );
-}
diff --git a/modules/nixos/server/mixins/acme.nix b/modules/nixos/server/mixins/acme.nix
deleted file mode 100644
index 39166f2..0000000
--- a/modules/nixos/server/mixins/acme.nix
+++ /dev/null
@@ -1,52 +0,0 @@
-{
- config,
- lib,
- secretsDir,
- ...
-}:
-let
- cfg = config.server.mixins.acme;
-in
-{
- options.server.mixins.acme = {
- enable = lib.mkEnableOption "ACME mixin";
-
- manageSecrets = lib.mkEnableOption "automatic management of secrets" // {
- default = config.traits.secrets.enable;
- defaultText = lib.literalExpression "config.traits.secrets.enable";
- };
-
- useDns = lib.mkEnableOption "the use of Cloudflare to obtain certs" // {
- default = true;
- };
- };
-
- config = lib.mkIf cfg.enable (
- lib.mkMerge [
- {
- security.acme = {
- acceptTerms = true;
- defaults = {
- email = "[email protected]";
- };
- };
- }
-
- (lib.mkIf cfg.useDns {
- security.acme.defaults = {
- dnsProvider = "cloudflare";
- };
- })
-
- (lib.mkIf cfg.manageSecrets {
- age.secrets = {
- cloudflareApiKey.file = secretsDir + "/cloudflareApiKey.age";
- };
-
- security.acme.defaults = {
- credentialsFile = config.age.secrets.cloudflareApiKey.path;
- };
- })
- ]
- );
-}
diff --git a/modules/nixos/server/mixins/cloudflared.nix b/modules/nixos/server/mixins/cloudflared.nix
deleted file mode 100644
index 9a56aaa..0000000
--- a/modules/nixos/server/mixins/cloudflared.nix
+++ /dev/null
@@ -1,60 +0,0 @@
-{
- config,
- lib,
- secretsDir,
- ...
-}:
-let
- cfg = config.server.mixins.cloudflared;
- inherit (config.services) nginx;
-in
-{
- options.server.mixins.cloudflared = {
- enable = lib.mkEnableOption "cloudflared mixin";
- tunnelName = lib.mkOption {
- description = ''
- Name of the default tunnel being created
- '';
- type = lib.types.str;
- default = "${config.networking.hostName}-nginx";
- defaultText = lib.literalExpression "\${config.networking.hostName}-nginx";
- example = "my-tunnel";
- };
-
- manageSecrets = lib.mkEnableOption "automatic management of secrets" // {
- default = config.traits.secrets.enable;
- defaultText = lib.literalExpression "config.traits.secrets.enable";
- };
- };
-
- config = lib.mkIf cfg.enable (
- lib.mkMerge [
- {
- services.cloudflared = {
- enable = true;
- tunnels.${cfg.tunnelName} = {
- default = "http_status:404";
-
- # map our virtualHosts from nginx to ingress rules
- ingress = lib.mapAttrs (_: _: {
- service = "http://localhost:${toString nginx.defaultHTTPListenPort}";
- }) nginx.virtualHosts;
- };
- };
- }
-
- (lib.mkIf cfg.manageSecrets {
- age.secrets.cloudflaredCreds = {
- file = secretsDir + "/cloudflaredCreds.age";
- mode = "400";
- owner = "cloudflared";
- group = "cloudflared";
- };
-
- services.cloudflared.tunnels.${cfg.tunnelName} = {
- credentialsFile = config.age.secrets.cloudflaredCreds.path;
- };
- })
- ]
- );
-}
diff --git a/modules/nixos/server/mixins/default.nix b/modules/nixos/server/mixins/default.nix
deleted file mode 100644
index 461cd34..0000000
--- a/modules/nixos/server/mixins/default.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- imports = [
- ./acme.nix
- ./cloudflared.nix
- ./hercules.nix
- ./nginx.nix
- ./promtail.nix
- ];
-}
diff --git a/modules/nixos/server/mixins/hercules.nix b/modules/nixos/server/mixins/hercules.nix
deleted file mode 100644
index a04f9b1..0000000
--- a/modules/nixos/server/mixins/hercules.nix
+++ /dev/null
@@ -1,55 +0,0 @@
-{
- config,
- lib,
- unstable,
- secretsDir,
- ...
-}:
-let
- cfg = config.server.mixins.hercules-ci;
-in
-{
- options.server.mixins.hercules-ci = {
- enable = lib.mkEnableOption "Hercules CI mixin";
- manageSecrets = lib.mkEnableOption "automatic management of secrets" // {
- default = config.traits.secrets.enable;
- defaultText = lib.literalExpression "config.traits.secrets.enable";
- };
- };
-
- config = lib.mkIf cfg.enable (
- lib.mkMerge [
- {
- services.hercules-ci-agent = {
- enable = true;
- # we want newer features
- package = unstable.hercules-ci-agent;
- };
- }
-
- (
- let
- secretNames = [
- "binaryCaches"
- "clusterJoinToken"
- "secretsJson"
- ];
- in
- lib.mkIf cfg.manageSecrets {
- age.secrets = lib.genAttrs secretNames (file: {
- file = "${secretsDir}/${file}.age";
- mode = "400";
- owner = "hercules-ci-agent";
- group = "hercules-ci-agent";
- });
-
- services.hercules-ci-agent = {
- settings = lib.mapAttrs' (name: lib.nameValuePair (name + "Path")) (
- lib.genAttrs secretNames (name: config.age.secrets.${name}.path)
- );
- };
- }
- )
- ]
- );
-}
diff --git a/modules/nixos/server/mixins/nginx.nix b/modules/nixos/server/mixins/nginx.nix
deleted file mode 100644
index e3cc47a..0000000
--- a/modules/nixos/server/mixins/nginx.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ config, lib, ... }:
-let
- cfg = config.server.mixins.nginx;
-in
-{
- options.server.mixins.nginx = {
- enable = lib.mkEnableOption "NGINX mixin";
- };
-
- config = lib.mkIf cfg.enable {
- services.nginx = {
- enable = true;
-
- recommendedBrotliSettings = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedProxySettings = true;
- recommendedTlsSettings = true;
- recommendedZstdSettings = true;
- };
- };
-}
diff --git a/modules/nixos/server/mixins/promtail.nix b/modules/nixos/server/mixins/promtail.nix
deleted file mode 100644
index 173a85b..0000000
--- a/modules/nixos/server/mixins/promtail.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-{ config, lib, ... }:
-let
- cfg = config.server.mixins.promtail;
- inherit (lib) types;
-in
-{
- options.server.mixins.promtail = {
- enable = lib.mkEnableOption "Promtail mixin";
-
- clients = lib.mkOption {
- type = types.listOf types.attrs;
- default = [ { } ];
- defaultText = lib.literalExpression "[ { } ]";
- description = "Clients for promtail";
- };
- };
-
- config = lib.mkIf cfg.enable {
- services.promtail = {
- enable = true;
- configuration = {
- inherit (cfg) clients;
- server.disable = true;
-
- scrape_configs = [
- {
- job_name = "journal";
-
- journal = {
- max_age = "12h";
- labels = {
- job = "systemd-journal";
- host = "${config.networking.hostName}";
- };
- };
-
- relabel_configs = [
- {
- source_labels = [ "__journal__systemd_unit" ];
- target_label = "unit";
- }
- ];
- }
- ];
- };
- };
- };
-}
