From dadd33514c1fdc8ba4890e9334ab0fb89c31d02a Mon Sep 17 00:00:00 2001 From: seth Date: Sun, 11 Feb 2024 03:12:54 -0500 Subject: nixos/server: init (again) --- modules/nixos/archetypes/server.nix | 37 +++++--------------- modules/nixos/default.nix | 1 + modules/nixos/server/default.nix | 43 +++++++++++++++++++++++ modules/nixos/server/mixins/acme.nix | 46 +++++++++++++++++++++++++ modules/nixos/server/mixins/cloudflared.nix | 50 +++++++++++++++++++++++++++ modules/nixos/server/mixins/default.nix | 9 +++++ modules/nixos/server/mixins/hercules.nix | 53 +++++++++++++++++++++++++++++ modules/nixos/server/mixins/nginx.nix | 24 +++++++++++++ modules/nixos/server/mixins/promtail.nix | 49 ++++++++++++++++++++++++++ modules/nixos/traits/acme.nix | 46 ------------------------- modules/nixos/traits/cloudflared.nix | 50 --------------------------- modules/nixos/traits/default.nix | 5 --- modules/nixos/traits/hercules.nix | 53 ----------------------------- modules/nixos/traits/nginx.nix | 24 ------------- modules/nixos/traits/promtail.nix | 49 -------------------------- 15 files changed, 283 insertions(+), 256 deletions(-) create mode 100644 modules/nixos/server/default.nix create mode 100644 modules/nixos/server/mixins/acme.nix create mode 100644 modules/nixos/server/mixins/cloudflared.nix create mode 100644 modules/nixos/server/mixins/default.nix create mode 100644 modules/nixos/server/mixins/hercules.nix create mode 100644 modules/nixos/server/mixins/nginx.nix create mode 100644 modules/nixos/server/mixins/promtail.nix delete mode 100644 modules/nixos/traits/acme.nix delete mode 100644 modules/nixos/traits/cloudflared.nix delete mode 100644 modules/nixos/traits/hercules.nix delete mode 100644 modules/nixos/traits/nginx.nix delete mode 100644 modules/nixos/traits/promtail.nix diff --git a/modules/nixos/archetypes/server.nix b/modules/nixos/archetypes/server.nix index e42e3d4..3933b6f 100644 --- a/modules/nixos/archetypes/server.nix +++ b/modules/nixos/archetypes/server.nix 
@@ -1,8 +1,6 @@ { config, lib, - pkgs, - inputs, ... }: let cfg = config.archetypes.server; @@ -18,17 +16,22 @@ in { defaultPrograms.enable = false; }; + server = { + enable = true; + mixins = { + cloudflared.enable = true; + nginx.enable = true; + }; + }; + traits = { autoUpgrade.enable = true; - cloudflared.enable = true; locale = { en_US.enable = true; US-east.enable = true; }; - nginx.defaultConfiguration = true; - secrets.enable = true; tailscale = { @@ -43,29 +46,5 @@ in { zram.enable = true; }; - - _module.args.unstable = inputs.nixpkgs.legacyPackages.${pkgs.stdenv.hostPlatform.system}; - - boot.tmp.cleanOnBoot = lib.mkDefault true; - - documentation = { - enable = false; - man.enable = false; - }; - - environment = { - defaultPackages = lib.mkForce []; - etc."nix/inputs/nixpkgs".source = inputs.nixpkgs-stable.outPath; - }; - - nix = { - gc = { - dates = "*-*-1,5,9,13,17,21,25,29 00:00:00"; - options = "-d --delete-older-than 2d"; - }; - - registry.n.flake = inputs.nixpkgs-stable; - settings.allowed-users = [config.networking.hostName]; - }; }; } diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 3ef9339..b66e06d 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -2,5 +2,6 @@ archetypes = ./archetypes; base = ./base; desktop = ./desktop; + server = ./server; traits = ./traits; } diff --git a/modules/nixos/server/default.nix b/modules/nixos/server/default.nix new file mode 100644 index 0000000..83ec0a8 --- /dev/null +++ b/modules/nixos/server/default.nix 
@@ -0,0 +1,43 @@
+{
+ config,
+ lib,
+ pkgs,
+ inputs,
+ ...
+}: let
+ cfg = config.server;
+in {
+ options.server = {
+ enable = lib.mkEnableOption "server settings";
+ };
+
+ imports = [
+ ./mixins
+ ];
+
+ config = lib.mkIf cfg.enable {
+ _module.args.unstable = inputs.nixpkgs.legacyPackages.${pkgs.stdenv.hostPlatform.system};
+
+ boot.tmp.cleanOnBoot = lib.mkDefault true;
+
+ documentation = {
+ enable = false;
+ man.enable = false;
+ };
+
+ environment = {
+ defaultPackages = lib.mkForce [];
+ etc."nix/inputs/nixpkgs".source = inputs.nixpkgs-stable.outPath;
+ };
+
+ nix = {
+ gc = {
+ dates = "*-*-1,5,9,13,17,21,25,29 00:00:00";
+ options = "-d --delete-older-than 2d";
+ };
+
+ registry.n.flake = inputs.nixpkgs-stable;
+ settings.allowed-users = [config.networking.hostName];
+ };
+ };
+}
diff --git a/modules/nixos/server/mixins/acme.nix b/modules/nixos/server/mixins/acme.nix
new file mode 100644
index 0000000..60703e6
--- /dev/null
+++ b/modules/nixos/server/mixins/acme.nix
@@ -0,0 +1,46 @@
+{
+ config,
+ lib,
+ secretsDir,
+ ...
+}: let
+ cfg = config.server.mixins.acme;
+in {
+ options.server.mixins.acme = {
+ enable = lib.mkEnableOption "ACME mixin";
+
+ manageSecrets =
+ lib.mkEnableOption "automatic secrets management"
+ // {
+ default = config.traits.secrets.enable;
+ };
+
+ useDns = lib.mkEnableOption "the usage of Cloudflare to obtain certs" // {default = true;};
+ };
+
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ {
+ security.acme = {
+ acceptTerms = true;
+ defaults =
+ {
+ email = "getchoo@tuta.io";
+ }
+ // lib.optionalAttrs cfg.useDns {
+ dnsProvider = "cloudflare";
+ }
+ // lib.optionalAttrs cfg.manageSecrets {
+ credentialsFile = config.age.secrets.cloudflareApiKey.path;
+ };
+ };
+ }
+
+ (lib.mkIf cfg.manageSecrets {
+ age.secrets = {
+ cloudflareApiKey.file = secretsDir + "/cloudflareApiKey.age";
+ };
+ })
+ ]
+ );
+}
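Review bot: `settings.allowed-users = [config.networking.hostName];` near the end of the hunk carries no comment, and it silently assumes a local user named after the host exists; on a host without one, every account except root and `trusted-users` loses access to the Nix daemon. That matters for the hercules-ci mixin in this same commit, whose agent user has to reach the daemon — as far as I recall the upstream hercules-ci-agent module adds its user to `trusted-users`, which bypasses `allowed-users`, but that is worth confirming rather than relying on. I would put `# Only the host's namesake user (plus root and trusted-users) may use the daemon; the hercules-ci agent relies on its upstream module adding it to trusted-users.` above the line. Separately, in `options = "-d --delete-older-than 2d";` the `-d` appears redundant once `--delete-older-than` is given, since nix-collect-garbage applies the later age threshold; a short comment on the intended retention would save the next reader from wondering which one wins.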
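Review bot: With `useDns` left at its default of `true` but `manageSecrets = false`, the hunk sets `dnsProvider = "cloudflare"` without any `credentialsFile`, so the host must supply `security.acme.defaults.credentialsFile` itself or every issuance fails at run time with nothing in the module saying why; an assertion along the lines of `assertions = [{ assertion = cfg.useDns -> (cfg.manageSecrets || config.security.acme.defaults.credentialsFile != null); message = "server.mixins.acme.useDns needs Cloudflare credentials"; }];` or at least a note in the option description would surface that. The secret is called `cloudflareApiKey`, which suggests the account-wide Global API Key; if so, every host using this mixin holds full Cloudflare account access, and a token scoped to DNS edit on the relevant zones (lego reads it from `CLOUDFLARE_DNS_API_TOKEN`) is the safer thing to put in that file — I cannot see the secret's contents, so treat this as a question. Suggested description: `useDns = lib.mkEnableOption "obtaining certificates via the Cloudflare DNS-01 challenge (needs Cloudflare DNS credentials in security.acme.defaults.credentialsFile)" // {default = true;};`.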
diff --git a/modules/nixos/server/mixins/cloudflared.nix b/modules/nixos/server/mixins/cloudflared.nix
new file mode 100644
index 0000000..5f75a35
--- /dev/null
+++ b/modules/nixos/server/mixins/cloudflared.nix
@@ -0,0 +1,50 @@
+{
+ config,
+ lib,
+ secretsDir,
+ ...
+}: let
+ cfg = config.server.mixins.cloudflared;
+ inherit (config.services) nginx;
+in {
+ options.server.mixins.cloudflared = {
+ enable = lib.mkEnableOption "cloudflared mixin";
+ manageSecrets =
+ lib.mkEnableOption "automatic secrets management"
+ // {
+ default = config.traits.secrets.enable;
+ };
+ };
+
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ {
+ services.cloudflared = {
+ enable = true;
+ tunnels = {
+ "${config.networking.hostName}-nginx" =
+ {
+ default = "http_status:404";
+
+ ingress = lib.genAttrs (builtins.attrNames nginx.virtualHosts) (
+ _: {service = "http://localhost:${toString nginx.defaultHTTPListenPort}";}
+ );
+ }
+ // lib.optionalAttrs cfg.manageSecrets {
+ credentialsFile = config.age.secrets.cloudflaredCreds.path;
+ };
+ };
+ };
+ }
+
+ (lib.mkIf cfg.manageSecrets {
+ age.secrets.cloudflaredCreds = {
+ file = secretsDir + "/cloudflaredCreds.age";
+ mode = "400";
+ owner = "cloudflared";
+ group = "cloudflared";
+ };
+ })
+ ]
+ );
+}
diff --git a/modules/nixos/server/mixins/default.nix b/modules/nixos/server/mixins/default.nix
new file mode 100644
index 0000000..461cd34
--- /dev/null
+++ b/modules/nixos/server/mixins/default.nix
@@ -0,0 +1,9 @@
+{
+ imports = [
+ ./acme.nix
+ ./cloudflared.nix
+ ./hercules.nix
+ ./nginx.nix
+ ./promtail.nix
+ ];
+}
diff --git a/modules/nixos/server/mixins/hercules.nix b/modules/nixos/server/mixins/hercules.nix
new file mode 100644
index 0000000..103f58e
--- /dev/null
+++ b/modules/nixos/server/mixins/hercules.nix
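Review bot: The `ingress` rule built from `builtins.attrNames nginx.virtualHosts` sends every virtual host to `http://localhost:<defaultHTTPListenPort>`, so a vhost that sets `forceSSL` — the case the sibling acme mixin exists for — answers the tunnel with a redirect to https, and Cloudflare routes that request straight back into the same tunnel, a redirect loop (an `onlySSL` vhost is not on that port at all); I cannot see the vhost definitions, so this may be deliberate with TLS terminated at Cloudflare, but nothing says so. The same line also turns every vhost on the box, internal ones included, into a tunnel route the moment a Cloudflare DNS name is pointed at the tunnel, which is easy to do by accident. I would either add `# Every nginx vhost becomes a tunnel route over plain HTTP: Cloudflare terminates TLS, so vhosts served this way must not forceSSL/onlySSL.` above `ingress`, or narrow the source to hosts that can actually be served that way, e.g. `lib.filterAttrs (_: vh: !(vh.forceSSL || vh.onlySSL)) nginx.virtualHosts`, and document whichever is chosen.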
@@ -0,0 +1,53 @@
+{
+ config,
+ lib,
+ unstable,
+ secretsDir,
+ ...
+}: let
+ cfg = config.server.mixins.hercules-ci;
+in {
+ options.server.mixins.hercules-ci = {
+ enable = lib.mkEnableOption "hercules-ci mixin";
+ manageSecrets =
+ lib.mkEnableOption "automatic secrets management"
+ // {
+ default = config.traits.secrets.enable;
+ };
+ };
+
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ {
+ services.hercules-ci-agent = {
+ enable = true;
+ package = unstable.hercules-ci-agent;
+ };
+ }
+
+ (let
+ secretNames = [
+ "binaryCaches"
+ "clusterJoinToken"
+ "secretsJson"
+ ];
+ in
+ lib.mkIf cfg.manageSecrets {
+ age.secrets = lib.genAttrs secretNames (
+ file: {
+ file = "${secretsDir}/${file}.age";
+ mode = "400";
+ owner = "hercules-ci-agent";
+ group = "hercules-ci-agent";
+ }
+ );
+
+ services.hercules-ci-agent = {
+ settings = lib.mapAttrs' (name: lib.nameValuePair (name + "Path")) (
+ lib.genAttrs secretNames (name: config.age.secrets.${name}.path)
+ );
+ };
+ })
+ ]
+ );
+}
diff --git a/modules/nixos/server/mixins/nginx.nix b/modules/nixos/server/mixins/nginx.nix
new file mode 100644
index 0000000..ba18ecf
--- /dev/null
+++ b/modules/nixos/server/mixins/nginx.nix
@@ -0,0 +1,24 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.server.mixins.nginx;
+in {
+ options.server.mixins.nginx = {
+ enable = lib.mkEnableOption "nginx mixin";
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.nginx = {
+ enable = true;
+
+ recommendedBrotliSettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ recommendedZstdSettings = true;
+ };
+ };
+}
diff --git a/modules/nixos/server/mixins/promtail.nix b/modules/nixos/server/mixins/promtail.nix
new file mode 100644
index 0000000..1baaac6
--- /dev/null
+++ b/modules/nixos/server/mixins/promtail.nix
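Review bot: In the `age.secrets = lib.genAttrs secretNames (file: { file = "${secretsDir}/${file}.age"; ...` block the lambda parameter is named `file` while the attribute it fills is also `file`; Nix resolves it correctly, but the second `genAttrs` a few lines later uses `name`, and reading `file = .../${file}.age` next to `name: ... ${name}.path` costs a double-take. Renaming the parameter makes both closures read the same way: `age.secrets = lib.genAttrs secretNames (name: {` / `file = "${secretsDir}/${name}.age";`. A one-line comment above `secretNames` saying these three become the agent's `binaryCachesPath`/`clusterJoinTokenPath`/`secretsJsonPath` settings would also spare the reader the mapAttrs'/nameValuePair parse.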
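Review bot: Nothing in this `services.nginx` block recovers the client address, and the archetype in this commit pairs this mixin with the cloudflared mixin, whose tunnel delivers every request from loopback — so access logs, `allow`/`deny` rules and any `limit_req` zone keyed on `$remote_addr` will see 127.0.0.1 for every client. cloudflared forwards the origin address in `CF-Connecting-IP`; trusting that header only from loopback keeps it from being spoofed by anything arriving over other interfaces. I would add `commonHttpConfig = "set_real_ip_from 127.0.0.1; real_ip_header CF-Connecting-IP;";` with a comment that it exists for the cloudflared path (the `recommended*` flags do not cover it), or gate it on `config.server.mixins.cloudflared.enable` if this mixin is also used without the tunnel.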
@@ -0,0 +1,49 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.server.mixins.promtail;
+ inherit (lib) types;
+in {
+ options.server.mixins.promtail = {
+ enable = lib.mkEnableOption "Promtail mixin";
+
+ clients = lib.mkOption {
+ type = types.listOf types.attrs;
+ default = [{}];
+ description = "Clients for promtail";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.promtail = {
+ enable = true;
+ configuration = {
+ inherit (cfg) clients;
+ server.disable = true;
+
+ scrape_configs = [
+ {
+ job_name = "journal";
+
+ journal = {
+ max_age = "12h";
+ labels = {
+ job = "systemd-journal";
+ host = "${config.networking.hostName}";
+ };
+ };
+
+ relabel_configs = [
+ {
+ source_labels = ["__journal__systemd_unit"];
+ target_label = "unit";
+ }
+ ];
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/modules/nixos/traits/acme.nix b/modules/nixos/traits/acme.nix
deleted file mode 100644
index 0d42f6a..0000000
--- a/modules/nixos/traits/acme.nix
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- config,
- lib,
- secretsDir,
- ...
-}: let
- cfg = config.traits.acme;
-in {
- options.traits.acme = {
- enable = lib.mkEnableOption "ACME support";
-
- manageSecrets =
- lib.mkEnableOption "automatic secrets management"
- // {
- default = config.traits.secrets.enable;
- };
-
- useDns = lib.mkEnableOption "the usage of dns to get certs" // {default = true;};
- };
-
- config = lib.mkIf cfg.enable (
- lib.mkMerge [
- {
- security.acme = {
- acceptTerms = true;
- defaults =
- {
- email = "getchoo@tuta.io";
- }
- // lib.optionalAttrs cfg.useDns {
- dnsProvider = "cloudflare";
- }
- // lib.optionalAttrs cfg.manageSecrets {
- credentialsFile = config.age.secrets.cloudflareApiKey.path;
- };
- };
- }
-
- (lib.mkIf cfg.manageSecrets {
- age.secrets = {
- cloudflareApiKey.file = secretsDir + "/cloudflareApiKey.age";
- };
- })
- ]
- );
-}
diff --git a/modules/nixos/traits/cloudflared.nix b/modules/nixos/traits/cloudflared.nix
deleted file mode 100644
index 5bff263..0000000
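Review bot: `clients` is typed `types.listOf types.attrs` and described only as "Clients for promtail", yet it is spliced straight into `configuration`, which the NixOS promtail module renders into a world-readable file in the Nix store — so any `basic_auth.password` or bearer token a host puts in a client entry becomes readable by every local user and ships with every copy of the store. The option should say so and point at the file-based forms (`basic_auth.password_file` fed from a secret the promtail service can read; it runs as a dynamic user as far as I remember, so `LoadCredential` may be the practical route). The default of `[{}]` also looks like a footgun: a client entry with no `url` makes promtail fail at start-up rather than at evaluation, so an assertion that every entry defines `url` would fail earlier and more clearly — I have not checked the promtail version in use, so confirm the exact behaviour. Suggested description: `description = "Promtail client configs. Never put credentials inline (this lands in the Nix store); use basic_auth.password_file pointing at a secret readable by promtail.";`.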
--- a/modules/nixos/traits/cloudflared.nix
+++ /dev/null
@@ -1,50 +0,0 @@
-{
- config,
- lib,
- secretsDir,
- ...
-}: let
- cfg = config.traits.cloudflared;
- inherit (config.services) nginx;
-in {
- options.traits.cloudflared = {
- enable = lib.mkEnableOption "cloudflared";
- manageSecrets =
- lib.mkEnableOption "automatic secrets management"
- // {
- default = config.traits.secrets.enable;
- };
- };
-
- config = lib.mkIf cfg.enable (
- lib.mkMerge [
- {
- services.cloudflared = {
- enable = true;
- tunnels = {
- "${config.networking.hostName}-nginx" =
- {
- default = "http_status:404";
-
- ingress = lib.genAttrs (builtins.attrNames nginx.virtualHosts) (
- _: {service = "http://localhost:${toString nginx.defaultHTTPListenPort}";}
- );
- }
- // lib.optionalAttrs cfg.manageSecrets {
- credentialsFile = config.age.secrets.cloudflaredCreds.path;
- };
- };
- };
- }
-
- (lib.mkIf cfg.manageSecrets {
- age.secrets.cloudflaredCreds = {
- file = secretsDir + "/cloudflaredCreds.age";
- mode = "400";
- owner = "cloudflared";
- group = "cloudflared";
- };
- })
- ]
- );
-}
diff --git a/modules/nixos/traits/default.nix b/modules/nixos/traits/default.nix
index 7b1d6fa..090e23f 100644
--- a/modules/nixos/traits/default.nix
+++ b/modules/nixos/traits/default.nix
@@ -1,15 +1,10 @@
 {
 imports = [
- ./acme.nix
 ./auto-upgrade.nix
- ./cloudflared.nix
 ./containers.nix
- ./hercules.nix
 ./home-manager.nix
 ./locale.nix
- ./nginx.nix
 ./nvk
- ./promtail.nix
 ./secrets.nix
 ./tailscale.nix
 ./user-setup.nix
diff --git a/modules/nixos/traits/hercules.nix b/modules/nixos/traits/hercules.nix
deleted file mode 100644
index 14e8c12..0000000
--- a/modules/nixos/traits/hercules.nix
+++ /dev/null
@@ -1,53 +0,0 @@
-{
- config,
- lib,
- unstable,
- secretsDir,
- ...
-}: let
- cfg = config.traits.hercules-ci;
-in {
- options.traits.hercules-ci = {
- enable = lib.mkEnableOption "hercules-ci";
- manageSecrets =
- lib.mkEnableOption "automatic secrets management"
- // {
- default = config.traits.secrets.enable;
- };
- };
-
- config = lib.mkIf cfg.enable (
- lib.mkMerge [
- {
- services.hercules-ci-agent = {
- enable = true;
- package = unstable.hercules-ci-agent;
- };
- }
-
- (let
- secretNames = [
- "binaryCaches"
- "clusterJoinToken"
- "secretsJson"
- ];
- in
- lib.mkIf cfg.manageSecrets {
- age.secrets = lib.genAttrs secretNames (
- file: {
- file = "${secretsDir}/${file}.age";
- mode = "400";
- owner = "hercules-ci-agent";
- group = "hercules-ci-agent";
- }
- );
-
- services.hercules-ci-agent = {
- settings = lib.mapAttrs' (name: lib.nameValuePair (name + "Path")) (
- lib.genAttrs secretNames (name: config.age.secrets.${name}.path)
- );
- };
- })
- ]
- );
-}
diff --git a/modules/nixos/traits/nginx.nix b/modules/nixos/traits/nginx.nix
deleted file mode 100644
index 0693719..0000000
--- a/modules/nixos/traits/nginx.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{
- config,
- lib,
- ...
-}: let
- cfg = config.traits.nginx;
-in {
- options.traits.nginx = {
- defaultConfiguration = lib.mkEnableOption "default nginx configuration";
- };
-
- config = lib.mkIf cfg.defaultConfiguration {
- services.nginx = {
- enable = true;
-
- recommendedBrotliSettings = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedProxySettings = true;
- recommendedTlsSettings = true;
- recommendedZstdSettings = true;
- };
- };
-}
diff --git a/modules/nixos/traits/promtail.nix b/modules/nixos/traits/promtail.nix
deleted file mode 100644
index 5e08b25..0000000
--- a/modules/nixos/traits/promtail.nix
+++ /dev/null
@@ -1,49 +0,0 @@
-{
- config,
- lib,
- ...
-}: let
- cfg = config.traits.promtail;
- inherit (lib) types;
-in {
- options.traits.promtail = {
- enable = lib.mkEnableOption "Promtail";
-
- clients = lib.mkOption {
- type = types.listOf types.attrs;
- default = [{}];
- description = "clients for promtail";
- };
- };
-
- config = lib.mkIf cfg.enable {
- services.promtail = {
- enable = true;
- configuration = {
- inherit (cfg) clients;
- server.disable = true;
-
- scrape_configs = [
- {
- job_name = "journal";
-
- journal = {
- max_age = "12h";
- labels = {
- job = "systemd-journal";
- host = "${config.networking.hostName}";
- };
- };
-
- relabel_configs = [
- {
- source_labels = ["__journal__systemd_unit"];
- target_label = "unit";
- }
- ];
- }
- ];
- };
- };
- };
-}
--
cgit v1.2.3