first pass using statix linter

chaos 2024-03-10 17:26:18 +00:00
parent 0e271b08c4
commit 94eb79d5c6
46 changed files with 81 additions and 85 deletions


@ -5,7 +5,7 @@
writeShellApplication, writeShellApplication,
}: let }: let
encryptedUSBData = import ../data/drives/encryptedUSB.nix; encryptedUSBData = import ../data/drives/encryptedUSB.nix;
in (writeShellApplication { in writeShellApplication {
name = "mk-enc-usb"; name = "mk-enc-usb";
runtimeInputs = [ runtimeInputs = [
parted parted
@ -48,4 +48,4 @@ in (writeShellApplication {
echo "Naming Partitions" echo "Naming Partitions"
parted "$USB_DEVICE" -- name 1 ${encryptedUSBData.encryptedPartLabel} parted "$USB_DEVICE" -- name 1 ${encryptedUSBData.encryptedPartLabel}
''; '';
}) }


@ -6,7 +6,7 @@
writeShellApplication, writeShellApplication,
}: let }: let
driveData = import ../data/drives/encryptedDrive.nix; driveData = import ../data/drives/encryptedDrive.nix;
in (writeShellApplication { in writeShellApplication {
name = "mk-encrypted-drive"; name = "mk-encrypted-drive";
runtimeInputs = [ runtimeInputs = [
parted parted
@ -82,4 +82,4 @@ in (writeShellApplication {
echo "mount /dev/mapper/mk_encrypted_drive to install" echo "mount /dev/mapper/mk_encrypted_drive to install"
''; '';
}) }


@ -5,7 +5,7 @@
writeShellApplication, writeShellApplication,
}: let }: let
externalDriveData = import ../data/drives/raspberryExternalDrive.nix; externalDriveData = import ../data/drives/raspberryExternalDrive.nix;
in (writeShellApplication { in writeShellApplication {
name = "mk-raspberry-ext-drive"; name = "mk-raspberry-ext-drive";
runtimeInputs = [ runtimeInputs = [
util-linux util-linux
@ -64,4 +64,4 @@ in (writeShellApplication {
echo "Closing mapper device" echo "Closing mapper device"
cryptsetup close "mk-raspberry-ext-drive" cryptsetup close "mk-raspberry-ext-drive"
''; '';
}) }


@ -42,5 +42,5 @@
food-site.inputs.flake-compat.follows = "flake-compat"; food-site.inputs.flake-compat.follows = "flake-compat";
}; };
outputs = {...} @ inputs: import ./outputs.nix inputs; outputs = inputs: import ./outputs.nix inputs;
} }
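Review bot: Replacing `{...} @ inputs:` with a bare `inputs:` on the `outputs` line loosens the argument from "any attribute set" to "any value", and the same rewrite appears in the outputs.nix hunk (`{...} @ inputs: {` → `inputs: {`), yet the statix.toml added by this commit disables exactly that `empty_pattern` lint. As committed the config and the code disagree, so a later `statix fix` run will neither restore nor flag these two spots and the intent is unclear to the next reader. Either keep the `{...} @ inputs` form in both files and leave the lint disabled, or drop the `"empty_pattern"` entry from `disabled` so the config matches what was applied. If the disable is kept on purpose, a one-line comment above it in statix.toml saying why would make that explicit.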


@ -5,7 +5,7 @@
... ...
}: let }: let
# Requires secrets.{restic_music_env} # Requires secrets.{restic_music_env}
secrets = nixosConfig.services.secrets.secrets; inherit (nixosConfig.services.secrets) secrets;
in { in {
imports = with tree; [ imports = with tree; [
home.apps.rclone home.apps.rclone


@ -1,5 +1,5 @@
{pkgs, ...}: { {pkgs, ...}: {
home.packages = with pkgs; [alejandra deadnix]; home.packages = with pkgs; [alejandra deadnix statix];
programs.vscode-mod.extensions = with pkgs; [ programs.vscode-mod.extensions = with pkgs; [
vscode-extensions.bbenoist.nix vscode-extensions.bbenoist.nix


@ -1,3 +1,3 @@
{...} @ inputs: { inputs: {
nixosConfigurations = import ./nixos.nix inputs; nixosConfigurations = import ./nixos.nix inputs;
} }


@ -1,5 +1,5 @@
{config, ...}: let {config, ...}: let
secrets = config.services.secrets.secrets; inherit (config.services.secrets) secrets;
in { in {
services.radicale = { services.radicale = {
enable = true; enable = true;


@ -5,7 +5,7 @@
... ...
}: let }: let
backupSchedules = import "${self}/data/backupSchedules.nix"; backupSchedules = import "${self}/data/backupSchedules.nix";
secrets = config.services.secrets.secrets; inherit (config.services.secrets) secrets;
in { in {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
restic restic


@ -5,7 +5,7 @@
... ...
}: let }: let
backupSchedules = import "${self}/data/backupSchedules.nix"; backupSchedules = import "${self}/data/backupSchedules.nix";
secrets = config.services.secrets.secrets; inherit (config.services.secrets) secrets;
in { in {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
restic restic


@ -4,7 +4,7 @@
config, config,
... ...
}: let }: let
secrets = config.services.secrets.secrets; inherit (config.services.secrets) secrets;
backupSchedules = import "${self}/data/backupSchedules.nix"; backupSchedules = import "${self}/data/backupSchedules.nix";
in { in {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [


@ -3,7 +3,7 @@
pkgs, pkgs,
... ...
}: let }: let
secrets = config.services.secrets.secrets; inherit (config.services.secrets) secrets;
rcloneMedia = pkgs.writeShellScriptBin "rclone-media" '' rcloneMedia = pkgs.writeShellScriptBin "rclone-media" ''
${pkgs.rclone}/bin/rclone --config ${secrets.rclone_config.path} "$@" ${pkgs.rclone}/bin/rclone --config ${secrets.rclone_config.path} "$@"
''; '';


@ -4,7 +4,7 @@
config, config,
... ...
}: let }: let
secrets = config.services.secrets.secrets; inherit (config.services.secrets) secrets;
backupSchedules = import "${self}/data/backupSchedules.nix"; backupSchedules = import "${self}/data/backupSchedules.nix";
in { in {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [


@ -36,7 +36,7 @@
EOF EOF
''; '';
in { in {
config = mkIf (mailConfig.enable) { config = mkIf mailConfig.enable {
services.dovecot2 = { services.dovecot2 = {
enable = true; enable = true;
enableImap = true; enableImap = true;


@ -19,7 +19,7 @@
keyDir = mailConfig.dkim.directory; keyDir = mailConfig.dkim.directory;
selector = "mail"; selector = "mail";
domains = mailConfig.domains; inherit (mailConfig) domains;
createDomainDkimCert = dom: let createDomainDkimCert = dom: let
dkimKey = "${keyDir}/${dom}.${selector}.key"; dkimKey = "${keyDir}/${dom}.${selector}.key";
@ -51,7 +51,7 @@ in {
config = mkIf (mailConfig.enable && mailConfig.dkim.enable) { config = mkIf (mailConfig.enable && mailConfig.dkim.enable) {
services.opendkim = { services.opendkim = {
enable = true; enable = true;
selector = selector; inherit selector;
keyPath = keyDir; keyPath = keyDir;
domains = "csl:${concatStringsSep "," domains}"; domains = "csl:${concatStringsSep "," domains}";
configFile = toFile "opendkim.conf" ('' configFile = toFile "opendkim.conf" (''


@ -34,7 +34,7 @@
extraAliasesCombinedFilePath = "/run/postfix_sending_receiving_aliases"; extraAliasesCombinedFilePath = "/run/postfix_sending_receiving_aliases";
in { in {
config = mkIf (mailConfig.enable) { config = mkIf mailConfig.enable {
systemd.tmpfiles.rules = mkIf (mailConfig.extraAliasesFile != null) [ systemd.tmpfiles.rules = mkIf (mailConfig.extraAliasesFile != null) [
"f ${extraAliasesCombinedFilePath} 660 root root" "f ${extraAliasesCombinedFilePath} 660 root root"
]; ];
@ -111,7 +111,7 @@ in {
"reject_unauth_destination" "reject_unauth_destination"
]; ];
policy-spf_time_limit = mkIf (mailConfig.spf.enable) "3600s"; policy-spf_time_limit = mkIf mailConfig.spf.enable "3600s";
smtpd_recipient_restrictions = flatten [ smtpd_recipient_restrictions = flatten [
(optional mailConfig.spf.enable "check_policy_service unix:private/policy-spf") (optional mailConfig.spf.enable "check_policy_service unix:private/policy-spf")
@ -158,7 +158,7 @@ in {
milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}"; milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}";
}; };
submissionOptions = submissionOptions; inherit submissionOptions;
submissionsOptions = submissionOptions; submissionsOptions = submissionOptions;
masterConfig = { masterConfig = {
@ -167,7 +167,7 @@ in {
# D => Delivered-To, O => X-Original-To, R => Return-Path # D => Delivered-To, O => X-Original-To, R => Return-Path
args = ["flags=O"]; args = ["flags=O"];
}; };
"policy-spf" = mkIf (mailConfig.spf.enable) { "policy-spf" = mkIf mailConfig.spf.enable {
type = "unix"; type = "unix";
privileged = true; privileged = true;
chroot = false; chroot = false;


@ -16,7 +16,7 @@ in {
serverAliases = mailConfig.domains; serverAliases = mailConfig.domains;
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
acmeRoot = acmeRoot; inherit acmeRoot;
}; };
}; };


@ -10,11 +10,11 @@
mailConfig = config.services.mailserver; mailConfig = config.services.mailserver;
vmail = mailConfig.vmail; inherit (mailConfig) vmail;
vmailUser = vmail.user; vmailUser = vmail.user;
vmailGroup = vmail.group; vmailGroup = vmail.group;
sieveDirectory = mailConfig.sieveDirectory; inherit (mailConfig) sieveDirectory;
scriptForUser = name: config: scriptForUser = name: config:
if builtins.isString config.sieveScript if builtins.isString config.sieveScript
@ -39,7 +39,7 @@
${concatStringsSep "\n" (mapAttrsToList (name: config: scriptForUser name config) mailConfig.accounts)} ${concatStringsSep "\n" (mapAttrsToList (name: config: scriptForUser name config) mailConfig.accounts)}
''; '';
in { in {
config = mkIf (mailConfig.enable) { config = mkIf mailConfig.enable {
users.users."${vmailUser}" = { users.users."${vmailUser}" = {
isSystemUser = true; isSystemUser = true;


@ -1,5 +1,5 @@
{config, ...}: let {config, ...}: let
secrets = config.services.secrets.secrets; inherit (config.services.secrets) secrets;
in { in {
services.mailserver = { services.mailserver = {
enable = true; enable = true;


@ -5,7 +5,7 @@
... ...
}: let }: let
backupSchedules = import "${self}/data/backupSchedules.nix"; backupSchedules = import "${self}/data/backupSchedules.nix";
secrets = config.services.secrets.secrets; inherit (config.services.secrets) secrets;
mailConfig = config.services.mailserver; mailConfig = config.services.mailserver;
in { in {


@ -34,7 +34,7 @@ with lib; let
${optionalString (cfg.network.listenAddress != "any") ''bind_to_address "${cfg.network.listenAddress}"''} ${optionalString (cfg.network.listenAddress != "any") ''bind_to_address "${cfg.network.listenAddress}"''}
${optionalString (cfg.network.port != 6600) ''port "${toString cfg.network.port}"''} ${optionalString (cfg.network.port != 6600) ''port "${toString cfg.network.port}"''}
${optionalString (cfg.fluidsynth) '' ${optionalString cfg.fluidsynth ''
decoder { decoder {
plugin "fluidsynth" plugin "fluidsynth"
soundfont "${pkgs.soundfont-fluid}/share/soundfonts/FluidR3_GM2-2.sf2" soundfont "${pkgs.soundfont-fluid}/share/soundfonts/FluidR3_GM2-2.sf2"
@ -245,8 +245,7 @@ in {
ExecStart = ["" "${cfg.package}/bin/mpd --systemd /run/mpd/mpd.conf"]; ExecStart = ["" "${cfg.package}/bin/mpd --systemd /run/mpd/mpd.conf"];
RuntimeDirectory = "mpd"; RuntimeDirectory = "mpd";
StateDirectory = StateDirectory =
[] optionals (cfg.dataDir == "/var/lib/${name}") [name]
++ optionals (cfg.dataDir == "/var/lib/${name}") [name]
++ optionals (cfg.playlistDirectory == "/var/lib/${name}/playlists") [name "${name}/playlists"] ++ optionals (cfg.playlistDirectory == "/var/lib/${name}/playlists") [name "${name}/playlists"]
++ optionals (cfg.musicDirectory == "/var/lib/${name}/music") [name "${name}/music"]; ++ optionals (cfg.musicDirectory == "/var/lib/${name}/music") [name "${name}/music"];
}; };
@ -255,7 +254,7 @@ in {
users.users = optionalAttrs (cfg.user == name) { users.users = optionalAttrs (cfg.user == name) {
"${name}" = { "${name}" = {
inherit uid; inherit uid;
group = cfg.group; inherit (cfg) group;
extraGroups = ["audio"]; extraGroups = ["audio"];
description = "Music Player Daemon user"; description = "Music Player Daemon user";
home = "${cfg.dataDir}"; home = "${cfg.dataDir}";


@ -8,7 +8,7 @@
inherit (lib.lists) forEach; inherit (lib.lists) forEach;
ports = import ../data/ports.nix; ports = import ../data/ports.nix;
secrets = config.services.secrets.secrets; inherit (config.services.secrets) secrets;
in { in {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
mpc_cli mpc_cli


@ -4,7 +4,7 @@
... ...
}: let }: let
ports = import ../data/ports.nix; ports = import ../data/ports.nix;
secrets = config.services.secrets.secrets; inherit (config.services.secrets) secrets;
inherit (lib.modules) mkForce; inherit (lib.modules) mkForce;
in { in {


@ -5,7 +5,7 @@
... ...
}: let }: let
backupSchedules = import "${self}/data/backupSchedules.nix"; backupSchedules = import "${self}/data/backupSchedules.nix";
secrets = config.services.secrets.secrets; inherit (config.services.secrets) secrets;
in { in {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
restic restic


@ -4,7 +4,7 @@
config, config,
... ...
}: let }: let
secrets = config.services.secrets.secrets; inherit (config.services.secrets) secrets;
backupSchedules = import "${self}/data/backupSchedules.nix"; backupSchedules = import "${self}/data/backupSchedules.nix";
backupPrepareCommand = "${ backupPrepareCommand = "${


@ -5,7 +5,7 @@
... ...
}: let }: let
backupSchedules = import "${self}/data/backupSchedules.nix"; backupSchedules = import "${self}/data/backupSchedules.nix";
secrets = config.services.secrets.secrets; inherit (config.services.secrets) secrets;
in { in {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
restic restic


@ -7,7 +7,7 @@
hostIP = containerAddresses.host; hostIP = containerAddresses.host;
containerIP = containerAddresses.containers.social; containerIP = containerAddresses.containers.social;
secrets = config.services.secrets.secrets; inherit (config.services.secrets) secrets;
in { in {
services.gotosocial = { services.gotosocial = {
enable = true; enable = true;


@ -4,7 +4,7 @@
config, config,
... ...
}: let }: let
secrets = config.services.secrets.secrets; inherit (config.services.secrets) secrets;
backupSchedules = import "${self}/data/backupSchedules.nix"; backupSchedules = import "${self}/data/backupSchedules.nix";
# Because gotosocial-admin isn't a seporate package we need to generate a seperate config # Because gotosocial-admin isn't a seporate package we need to generate a seperate config


@ -1,5 +1,5 @@
{config, ...}: let {config, ...}: let
secrets = config.services.secrets.secrets; inherit (config.services.secrets) secrets;
in { in {
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d /root/.config - root root" "d /root/.config - root root"


@ -1,5 +1,5 @@
{config, ...}: let {config, ...}: let
secrets = config.services.secrets.secrets; inherit (config.services.secrets) secrets;
ports = import ../data/ports.nix; ports = import ../data/ports.nix;
in { in {
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [


@ -8,7 +8,7 @@
inherit (lib.lists) forEach; inherit (lib.lists) forEach;
ports = import ../data/ports.nix; ports = import ../data/ports.nix;
secrets = config.services.secrets.secrets; inherit (config.services.secrets) secrets;
in { in {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
mpc_cli mpc_cli


@ -4,7 +4,7 @@
... ...
}: let }: let
ports = import ../data/ports.nix; ports = import ../data/ports.nix;
secrets = config.services.secrets.secrets; inherit (config.services.secrets) secrets;
inherit (lib.modules) mkForce; inherit (lib.modules) mkForce;
in { in {


@ -1,5 +1,5 @@
{config, ...}: let {config, ...}: let
secrets = config.services.secrets.secrets; inherit (config.services.secrets) secrets;
in { in {
services.restic.backups.lappy-t495 = { services.restic.backups.lappy-t495 = {
user = "root"; user = "root";


@ -3,7 +3,7 @@
config, config,
... ...
}: let }: let
secrets = config.services.secrets.secrets; inherit (config.services.secrets) secrets;
in { in {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
step-cli step-cli


@ -4,7 +4,7 @@
config, config,
... ...
}: let }: let
secrets = config.services.secrets.secrets; inherit (config.services.secrets) secrets;
backupSchedules = import "${self}/data/backupSchedules.nix"; backupSchedules = import "${self}/data/backupSchedules.nix";
in { in {
services.restic.backups.vault = { services.restic.backups.vault = {


@ -76,7 +76,7 @@ in {
}; };
userSettings = mkOption { userSettings = mkOption {
type = jsonFormat.type; inherit (jsonFormat) type;
default = {}; default = {};
example = literalExpression '' example = literalExpression ''
{ {
@ -91,7 +91,7 @@ in {
}; };
userTasks = mkOption { userTasks = mkOption {
type = jsonFormat.type; inherit (jsonFormat) type;
default = {}; default = {};
example = literalExpression '' example = literalExpression ''
{ {
@ -127,7 +127,7 @@ in {
}; };
when = mkOption { when = mkOption {
type = types.nullOr (types.str); type = types.nullOr types.str;
default = null; default = null;
example = "textInputFocus"; example = "textInputFocus";
description = "Optional context filter."; description = "Optional context filter.";
@ -135,7 +135,7 @@ in {
# https://code.visualstudio.com/docs/getstarted/keybindings#_command-arguments # https://code.visualstudio.com/docs/getstarted/keybindings#_command-arguments
args = mkOption { args = mkOption {
type = types.nullOr (jsonFormat.type); type = types.nullOr jsonFormat.type;
default = null; default = null;
example = {direction = "up";}; example = {direction = "up";};
description = "Optional arguments for a command."; description = "Optional arguments for a command.";


@ -93,7 +93,7 @@ in {
"d '${cfg.location}' 0700 ${cfg.backupUser} - - -" "d '${cfg.location}' 0700 ${cfg.backupUser} - - -"
]; ];
}) })
(mkIf (cfg.enable) { (mkIf cfg.enable {
systemd.services = listToAttrs (map (db: { systemd.services = listToAttrs (map (db: {
name = "remotePostgreSQLBackup-${db}"; name = "remotePostgreSQLBackup-${db}";
value = let value = let
@ -118,7 +118,7 @@ in {
description = "Backup of ${db} database(s)"; description = "Backup of ${db} database(s)";
requires = mkIf (config.services.postgresql.enable) [ requires = mkIf config.services.postgresql.enable [
"postgresql.service" "postgresql.service"
]; ];
@ -137,7 +137,7 @@ in {
umask 0077 # ensure backup is only readable by backup user umask 0077 # ensure backup is only readable by backup user
${optionalString (cfg.keepPrev) '' ${optionalString cfg.keepPrev ''
if [ -e ${curFile} ]; then if [ -e ${curFile} ]; then
rm -f ${toString prevFiles} rm -f ${toString prevFiles}
mv ${curFile} ${prevFile} mv ${curFile} ${prevFile}
@ -156,7 +156,7 @@ in {
User = cfg.backupUser; User = cfg.backupUser;
}; };
startAt = cfg.startAt; inherit (cfg) startAt;
}; };
}) })
cfg.databases); cfg.databases);


@ -120,7 +120,7 @@ in {
value = { value = {
wantedBy = ["timers.target"]; wantedBy = ["timers.target"];
partOf = ["${name}.service"]; partOf = ["${name}.service"];
timerConfig = job.timerConfig; inherit (job) timerConfig;
}; };
}) })
cfg.syncJobs); cfg.syncJobs);


@ -69,7 +69,7 @@ in {
autoSecrets = { autoSecrets = {
enable = mkEnableOption "autoSecrets"; enable = mkEnableOption "autoSecrets";
affectedSystemdServices = mkOption { affectedSystemdServices = mkOption {
type = types.listOf (types.either (types.str) (types.submodule { type = types.listOf (types.either types.str (types.submodule {
options = { options = {
name = mkOption { name = mkOption {
type = types.str; type = types.str;
@ -251,7 +251,7 @@ in {
]; ];
} }
// (mkMerge [ // (mkMerge [
(mkIf (cfg.enable) { (mkIf cfg.enable {
environment.systemPackages = [ environment.systemPackages = [
(secretsLib.mkSecretsInitScript cfg) (secretsLib.mkSecretsInitScript cfg)
(secretsLib.mkSecretsCheckScript cfg) (secretsLib.mkSecretsCheckScript cfg)
@ -284,7 +284,7 @@ in {
in { in {
services = services =
(listToAttrs (map (unitConfig: { (listToAttrs (map (unitConfig: {
name = unitConfig.name; inherit (unitConfig) name;
value = { value = {
after = ["auto-secrets.service"]; after = ["auto-secrets.service"];
wants = ["auto-secrets.service"]; wants = ["auto-secrets.service"];


@ -300,37 +300,32 @@ in rec {
}; };
mkSecretsInitScript = cfg: mkSecretsInitScriptWithName cfg null; mkSecretsInitScript = cfg: mkSecretsInitScriptWithName cfg null;
mkSecretsInitScriptWithName = ( mkSecretsInitScriptWithName = cfg: name: let
cfg: name: let
scriptName = scriptName =
if name == null if name == null
then "secrets-init" then "secrets-init"
else "secrets-init-${name}"; else "secrets-init-${name}";
scripts = genScripts cfg; scripts = genScripts cfg;
in (writeShellApplication { in writeShellApplication {
name = scriptName; name = scriptName;
runtimeInputs = defaultPackages ++ cfg.packages; runtimeInputs = defaultPackages ++ cfg.packages;
text = scripts.initScript; text = scripts.initScript;
}) };
);
mkSecretsCheckScript = cfg: mkSecretsCheckScriptWithName cfg null; mkSecretsCheckScript = cfg: mkSecretsCheckScriptWithName cfg null;
mkSecretsCheckScriptWithName = ( mkSecretsCheckScriptWithName = cfg: name: let
cfg: name: let
scriptName = scriptName =
if name == null if name == null
then "secrets-check" then "secrets-check"
else "secrets-check-${name}"; else "secrets-check-${name}";
scripts = genScripts cfg; scripts = genScripts cfg;
in (writeShellApplication { in writeShellApplication {
name = scriptName; name = scriptName;
runtimeInputs = defaultPackages ++ cfg.checkPackages; runtimeInputs = defaultPackages ++ cfg.checkPackages;
text = scripts.checkScript; text = scripts.checkScript;
}) };
);
genVaultPolicy = ( genVaultPolicy = cfg: name: let
cfg: name: let
inherit (cfg) requiredVaultPaths; inherit (cfg) requiredVaultPaths;
policies = forEach requiredVaultPaths (policyConfig: let policies = forEach requiredVaultPaths (policyConfig: let
@ -349,8 +344,7 @@ in rec {
capabilities = [${concatStringsSep "," (forEach capabilities escapeString)}] capabilities = [${concatStringsSep "," (forEach capabilities escapeString)}]
} }
''); '');
in (toFile "vault-policy-${name}.hcl" '' in toFile "vault-policy-${name}.hcl" ''
${concatStringsSep "\n" policies} ${concatStringsSep "\n" policies}
'') '';
);
} }


@ -1,6 +1,6 @@
{self, ...} @ inputs: let {self, ...} @ inputs: let
nixpkgs = inputs.nixpkgs-unstable; nixpkgs = inputs.nixpkgs-unstable;
lib = nixpkgs.lib; inherit (nixpkgs) lib;
inherit (lib.attrsets) mergeAttrsList recursiveUpdate; inherit (lib.attrsets) mergeAttrsList recursiveUpdate;
inherit (lib.lists) foldl' forEach filter; inherit (lib.lists) foldl' forEach filter;
@ -8,7 +8,7 @@
hosts = import ./hosts inputs; hosts = import ./hosts inputs;
in in
{ {
nixosConfigurations = hosts.nixosConfigurations; inherit (hosts) nixosConfigurations;
extras = { extras = {
wsl-tarball-builder = hosts.nixosConfigurations.wsl.config.system.build.tarballBuilderExt; wsl-tarball-builder = hosts.nixosConfigurations.wsl.config.system.build.tarballBuilderExt;
@ -161,7 +161,7 @@ in
}; };
machinesWithHostSecrets = filter ( machinesWithHostSecrets = filter (
machine: (machines.${machine}.hasHostSecrets) machine: machines.${machine}.hasHostSecrets
) (builtins.attrNames machines); ) (builtins.attrNames machines);
machinesWithContainers = filter ( machinesWithContainers = filter (
@ -201,11 +201,11 @@ in
(mergeAttrsList (forEach machinesWithContainers (machineName: let (mergeAttrsList (forEach machinesWithContainers (machineName: let
machine = machines.${machineName}; machine = machines.${machineName};
containers = machine.containers; inherit (machine) containers;
in (mergeAttrsList (forEach containers (containerName: { in mergeAttrsList (forEach containers (containerName: {
"secrets-init-${machineName}-container-${containerName}" = secretsInitScriptForContainer machineName containerName; "secrets-init-${machineName}-container-${containerName}" = secretsInitScriptForContainer machineName containerName;
"vault-policy-${machineName}-container-${containerName}" = vaultPolicyForContainer machineName containerName; "vault-policy-${machineName}-container-${containerName}" = vaultPolicyForContainer machineName containerName;
})))))) })))))
]; ];
}) })
] ]


@ -9,7 +9,7 @@
inherit (lib.modules) mkForce; inherit (lib.modules) mkForce;
inherit (lib.lists) optionals; inherit (lib.lists) optionals;
system = pkgs.system; inherit (pkgs) system;
driveData = import "${self}/data/drives/encryptedDrive.nix"; driveData = import "${self}/data/drives/encryptedDrive.nix";
in { in {


@ -9,11 +9,11 @@
inherit (lib.lists) optionals; inherit (lib.lists) optionals;
inherit (lib.modules) mkForce; inherit (lib.modules) mkForce;
system = pkgs.system; inherit (pkgs) system;
serverIPs = import "${self}/data/serverIPs.nix"; serverIPs = import "${self}/data/serverIPs.nix";
hostName = config.networking.hostName; inherit (config.networking) hostName;
hostServerIPs = serverIPs.${hostName}; hostServerIPs = serverIPs.${hostName};
gateway = "172.31.1.1"; gateway = "172.31.1.1";


@ -9,7 +9,7 @@
inherit (builtins) hasAttr attrNames; inherit (builtins) hasAttr attrNames;
# Assume this to be set # Assume this to be set
secrets = config.services.secrets.secrets; inherit (config.services.secrets) secrets;
wireguardData = import "${self}/data/wireguard/chaosInternalWireGuard.nix"; wireguardData = import "${self}/data/wireguard/chaosInternalWireGuard.nix";
wireguardHosts = wireguardData.hosts; wireguardHosts = wireguardData.hosts;


@ -14,7 +14,7 @@ in {
sudo.fprintAuth = true; sudo.fprintAuth = true;
login.fprintAuth = true; login.fprintAuth = true;
gdm-fingerprint = mkIf (config.services.xserver.displayManager.gdm.enable) { gdm-fingerprint = mkIf config.services.xserver.displayManager.gdm.enable {
text = '' text = ''
auth required pam_shells.so auth required pam_shells.so
auth requisite pam_nologin.so auth requisite pam_nologin.so

statix.toml Normal file

@ -0,0 +1,3 @@
disabled = [
"empty_pattern"
]