From 781ce2d5e939da7cab8b4ae20ea9467fc68e16ec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9o=20Barnouin?= Date: Thu, 23 Jan 2025 14:13:19 +0100 Subject: [PATCH] Format using alejandra --- flake.nix | 387 +++++++++--------- hosts/nixmox-curiosity/configuration.nix | 19 +- .../hardware-configuration.nix | 17 +- hosts/nixmox-curiosity/home.nix | 26 +- hosts/nixmox-perseverance/configuration.nix | 19 +- .../hardware-configuration.nix | 16 +- hosts/nixmox-perseverance/home.nix | 26 +- secrets.nix | 24 +- services/authentik/default.nix | 14 +- services/default.nix | 3 +- services/gitea/default.nix | 13 +- services/grafana/default.nix | 209 ++++++---- services/jellyfin/default.nix | 13 +- services/minimalConfig/default.nix | 53 +-- services/minimalConfig/lxc.nix | 11 +- services/minimalConfig/vm.nix | 11 +- services/nextcloud/default.nix | 19 +- services/nginx/default.nix | 13 +- services/onlyoffice/default.nix | 17 +- services/postgresql/default.nix | 13 +- services/redis/default.nix | 15 +- systems/minimalLXCConfig.nix | 53 +-- systems/minimalMicrovmConfig.nix | 71 ++-- systems/minimalVMConfig.nix | 53 +-- 24 files changed, 610 insertions(+), 505 deletions(-) diff --git a/flake.nix b/flake.nix index 095c125..4dbb568 100644 --- a/flake.nix +++ b/flake.nix 
@@ -13,200 +13,205 @@ agenix.url = "github:yaxitech/ragenix"; }; - outputs = inputs@{ self, nixpkgs, home-manager, microvm, agenix, ... }: - let - system = "x86_64-linux"; - username = "tbarnouin"; - proxy_host = "192.168.1.40"; - pgsql_host = "192.168.1.13"; - in - { - nixosConfigurations = { - nixmox-curiosity = nixpkgs.lib.nixosSystem { - inherit system; - modules = [ - agenix.nixosModules.default - ./hosts/nixmox-curiosity/configuration.nix - { - networking.hostName = "nixmox-curiosity"; - } - home-manager.nixosModules.home-manager - { - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; - home-manager.users.${username} = import ./hosts/nixmox-curiosity/home.nix; - } - microvm.nixosModules.host - { - microvm = { - autostart = []; - vms = {}; - }; - } - ]; + outputs = inputs @ { + self, + nixpkgs, + home-manager, + microvm, + agenix, + ... + }: let + system = "x86_64-linux"; + username = "tbarnouin"; + proxy_host = "192.168.1.40"; + pgsql_host = "192.168.1.13"; + in { + nixosConfigurations = { + nixmox-curiosity = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + agenix.nixosModules.default + ./hosts/nixmox-curiosity/configuration.nix + { + networking.hostName = "nixmox-curiosity"; + } + home-manager.nixosModules.home-manager + { + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + home-manager.users.${username} = import ./hosts/nixmox-curiosity/home.nix; + } + microvm.nixosModules.host + { + microvm = { + autostart = []; + vms = {}; + }; + } + ]; - specialArgs = { - inherit inputs; - inherit username; - inherit proxy_host; - inherit pgsql_host; - inherit system; - }; - }; - nginx = nixpkgs.lib.nixosSystem { + specialArgs = { + inherit inputs; + inherit username; + inherit proxy_host; + inherit pgsql_host; inherit system; - modules = [ - agenix.nixosModules.default - "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" - "${inputs.self}/systems/minimalLXCConfig.nix" - "${inputs.self}/services" 
- { - networking.hostName = "nginx"; - services.vm_nginx = { - enable = true; - }; - } - ]; - }; - onlyoffice = nixpkgs.lib.nixosSystem { - inherit system; - modules = [ - agenix.nixosModules.default - "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" - "${inputs.self}/systems/minimalLXCConfig.nix" - "${inputs.self}/services" - { - networking.hostName = "onlyoffice"; - services.vm_onlyoffice = { - enable = true; - pgsql_ip = pgsql_host; - }; - } - ]; - }; -# template = nixpkgs.lib.nixosSystem { -# inherit system; -# modules = [ -# agenix.nixosModules.default -# "${inputs.self}/systems/minimalVMConfig.nix" -# { -# networking.hostName = "nixos"; -# } -# ]; -# }; - jellyfin = nixpkgs.lib.nixosSystem { - inherit system; - modules = [ - agenix.nixosModules.default - microvm.nixosModules.microvm - "${inputs.self}/systems/minimalVMConfig.nix" - "${inputs.self}/services" - { - services.vm_jellyfin = { - enable = true; - }; - } - ]; - }; - redis = nixpkgs.lib.nixosSystem { - inherit system; - modules = [ - agenix.nixosModules.default - "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" - "${inputs.self}/systems/minimalLXCConfig.nix" - "${inputs.self}/services" - { - networking.hostName = "redis"; - services.vm_redis = { - enable = true; - }; - } - ]; - }; - grafana-lxc = nixpkgs.lib.nixosSystem { - inherit system; - modules = [ - agenix.nixosModules.default - "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" - "${inputs.self}/systems/minimalLXCConfig.nix" - "${inputs.self}/services" - { - services.vm_grafana = { - enable = true; - vm_ip = "192.168.1.27"; - proxy_ip = proxy_host; - pgsql_ip = pgsql_host; - }; - } - ]; - }; - grafana = nixpkgs.lib.nixosSystem { - inherit system; - modules = [ - agenix.nixosModules.default - microvm.nixosModules.microvm - "${inputs.self}/systems/minimalMicrovmConfig.nix" - "${inputs.self}/services" - { - services.vm_grafana = { - enable = true; - vm_ip = "192.168.1.27"; - proxy_ip = proxy_host; - 
pgsql_ip = pgsql_host; - }; - services.micro_vm = { - enable = true; - hostname = "grafana"; - vm_ip = "192.168.1.20"; - vm_cpu = 1; - vm_mem = 512; - macAddr = "02:00:00:00:00:20"; - }; - } - ]; - }; - authentik = nixpkgs.lib.nixosSystem { - inherit system; - modules = [ - agenix.nixosModules.default - inputs.authentik-nix.nixosModules.default - { - services.authentik = { - enable = true; - environmentFile = "/run/secrets/authentik/authentik-env"; - settings = { - disable_startup_analytics = true; - avatars = "initials"; - }; - }; - services.vm_authentik = { - enable = true; - }; - } - microvm.nixosModules.microvm - "${inputs.self}/systems/minimalMicrovmConfig.nix" - "${inputs.self}/services" - { - microvm = { - volumes = [ - { - mountPoint = "/media"; - image = "/var/lib/microvms/authentik/media.img"; - size = 2048; - } - ]; - }; - services.micro_vm = { - enable = true; - hostname = "authentik"; - vm_ip = "192.168.1.25"; - vm_cpu = 2; - vm_mem = 2048; - macAddr = "02:00:00:00:00:25"; - }; - } - ]; }; }; + nginx = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + agenix.nixosModules.default + "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" + "${inputs.self}/systems/minimalLXCConfig.nix" + "${inputs.self}/services" + { + networking.hostName = "nginx"; + services.vm_nginx = { + enable = true; + }; + } + ]; + }; + onlyoffice = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + agenix.nixosModules.default + "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" + "${inputs.self}/systems/minimalLXCConfig.nix" + "${inputs.self}/services" + { + networking.hostName = "onlyoffice"; + services.vm_onlyoffice = { + enable = true; + pgsql_ip = pgsql_host; + }; + } + ]; + }; + # template = nixpkgs.lib.nixosSystem { + # inherit system; + # modules = [ + # agenix.nixosModules.default + # "${inputs.self}/systems/minimalVMConfig.nix" + # { + # networking.hostName = "nixos"; + # } + # ]; + # }; + jellyfin = nixpkgs.lib.nixosSystem { + 
inherit system; + modules = [ + agenix.nixosModules.default + microvm.nixosModules.microvm + "${inputs.self}/systems/minimalVMConfig.nix" + "${inputs.self}/services" + { + services.vm_jellyfin = { + enable = true; + }; + } + ]; + }; + redis = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + agenix.nixosModules.default + "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" + "${inputs.self}/systems/minimalLXCConfig.nix" + "${inputs.self}/services" + { + networking.hostName = "redis"; + services.vm_redis = { + enable = true; + }; + } + ]; + }; + grafana-lxc = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + agenix.nixosModules.default + "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" + "${inputs.self}/systems/minimalLXCConfig.nix" + "${inputs.self}/services" + { + services.vm_grafana = { + enable = true; + vm_ip = "192.168.1.27"; + proxy_ip = proxy_host; + pgsql_ip = pgsql_host; + }; + } + ]; + }; + grafana = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + agenix.nixosModules.default + microvm.nixosModules.microvm + "${inputs.self}/systems/minimalMicrovmConfig.nix" + "${inputs.self}/services" + { + services.vm_grafana = { + enable = true; + vm_ip = "192.168.1.27"; + proxy_ip = proxy_host; + pgsql_ip = pgsql_host; + }; + services.micro_vm = { + enable = true; + hostname = "grafana"; + vm_ip = "192.168.1.20"; + vm_cpu = 1; + vm_mem = 512; + macAddr = "02:00:00:00:00:20"; + }; + } + ]; + }; + authentik = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + agenix.nixosModules.default + inputs.authentik-nix.nixosModules.default + { + services.authentik = { + enable = true; + environmentFile = "/run/secrets/authentik/authentik-env"; + settings = { + disable_startup_analytics = true; + avatars = "initials"; + }; + }; + services.vm_authentik = { + enable = true; + }; + } + microvm.nixosModules.microvm + "${inputs.self}/systems/minimalMicrovmConfig.nix" + "${inputs.self}/services" + { + microvm = { + 
volumes = [ + { + mountPoint = "/media"; + image = "/var/lib/microvms/authentik/media.img"; + size = 2048; + } + ]; + }; + services.micro_vm = { + enable = true; + hostname = "authentik"; + vm_ip = "192.168.1.25"; + vm_cpu = 2; + vm_mem = 2048; + macAddr = "02:00:00:00:00:25"; + }; + } + ]; + }; }; + }; } diff --git a/hosts/nixmox-curiosity/configuration.nix b/hosts/nixmox-curiosity/configuration.nix index b3d58ff..a71b9c4 100644 --- a/hosts/nixmox-curiosity/configuration.nix +++ b/hosts/nixmox-curiosity/configuration.nix @@ -1,11 +1,15 @@ -{ config, lib, pkgs, ... }: - -{ imports = [ ./hardware-configuration.nix ]; +{ + config, + lib, + pkgs, + ... +}: { + imports = [./hardware-configuration.nix]; nix = { settings = { - experimental-features = [ "nix-command" "flakes" ]; - trusted-users = [ "@wheel" ]; + experimental-features = ["nix-command" "flakes"]; + trusted-users = ["@wheel"]; auto-optimise-store = true; }; gc = { @@ -17,9 +21,9 @@ security.sudo.wheelNeedsPassword = false; - networking= { + networking = { useNetworkd = true; - firewall.allowedTCPPorts = [ 22 ]; + firewall.allowedTCPPorts = [22]; }; systemd.network = { @@ -104,5 +108,4 @@ }; system.stateVersion = "24.11"; # Did you read the comment? - } diff --git a/hosts/nixmox-curiosity/hardware-configuration.nix b/hosts/nixmox-curiosity/hardware-configuration.nix index f1d478b..ca9f744 100644 --- a/hosts/nixmox-curiosity/hardware-configuration.nix +++ b/hosts/nixmox-curiosity/hardware-configuration.nix @@ -1,13 +1,15 @@ -{ lib, system, ... }: - { + lib, + system, + ... +}: { boot = { # use latest kernel # kernelPackages = pkgs.linuxPackages_latest; - supportedFilesystems = [ "ext4" "btrfs" "xfs" "fat" "vfat" "cifs" "nfs" ]; + supportedFilesystems = ["ext4" "btrfs" "xfs" "fat" "vfat" "cifs" "nfs"]; growPartition = true; - kernelModules = [ "kvm-intel" ]; - kernelParams = lib.mkForce [ ]; + kernelModules = ["kvm-intel"]; + kernelParams = lib.mkForce []; loader = { grub = { 
@@ -20,8 +22,8 @@ }; initrd = { - availableKernelModules = [ "9p" "9pnet_virtio" "ata_piix" "uhci_hcd" "virtio_blk" "virtio_mmio" "virtio_net" "virtio_pci" "virtio_scsi" ]; - kernelModules = [ "virtio_balloon" "virtio_console" "virtio_rng" ]; + availableKernelModules = ["9p" "9pnet_virtio" "ata_piix" "uhci_hcd" "virtio_blk" "virtio_mmio" "virtio_net" "virtio_pci" "virtio_scsi"]; + kernelModules = ["virtio_balloon" "virtio_console" "virtio_rng"]; }; tmp.cleanOnBoot = true; @@ -45,7 +47,6 @@ }; }; - services.fstrim = { enable = true; interval = "weekly"; diff --git a/hosts/nixmox-curiosity/home.nix b/hosts/nixmox-curiosity/home.nix index 5173e23..07adba1 100644 --- a/hosts/nixmox-curiosity/home.nix +++ b/hosts/nixmox-curiosity/home.nix @@ -1,5 +1,8 @@ -{ config, pkgs, ... }: { + config, + pkgs, + ... +}: { home = { username = "tbarnouin"; stateVersion = "24.11"; @@ -75,17 +78,16 @@ }; oh-my-zsh = { enable = true; - plugins = - [ - "git" - "terraform" - "sudo" - "docker" - "pip" - "python" - "pyenv" - "pipenv" - ]; + plugins = [ + "git" + "terraform" + "sudo" + "docker" + "pip" + "python" + "pyenv" + "pipenv" + ]; theme = "bira"; }; }; diff --git a/hosts/nixmox-perseverance/configuration.nix b/hosts/nixmox-perseverance/configuration.nix index ed6c2c2..2bc1ce2 100644 --- a/hosts/nixmox-perseverance/configuration.nix +++ b/hosts/nixmox-perseverance/configuration.nix @@ -1,11 +1,15 @@ -{ config, lib, pkgs, ... }: - -{ imports = [ ./hardware-configuration.nix ]; +{ + config, + lib, + pkgs, + ... +}: { + imports = [./hardware-configuration.nix]; nix = { settings = { - experimental-features = [ "nix-command" "flakes" ]; - trusted-users = [ "@wheel" ]; + experimental-features = ["nix-command" "flakes"]; + trusted-users = ["@wheel"]; auto-optimise-store = true; }; gc = { @@ -17,9 +21,9 @@ security.sudo.wheelNeedsPassword = false; - networking= { + networking = { useNetworkd = true; - firewall.allowedTCPPorts = [ 22 ]; + firewall.allowedTCPPorts = [22]; }; systemd.network = { 
@@ -104,5 +108,4 @@ }; system.stateVersion = "24.11"; # Did you read the comment? - } diff --git a/hosts/nixmox-perseverance/hardware-configuration.nix b/hosts/nixmox-perseverance/hardware-configuration.nix index 08aa2b7..ca9f744 100644 --- a/hosts/nixmox-perseverance/hardware-configuration.nix +++ b/hosts/nixmox-perseverance/hardware-configuration.nix @@ -1,13 +1,15 @@ -{ lib, system, ... }: - { + lib, + system, + ... +}: { boot = { # use latest kernel # kernelPackages = pkgs.linuxPackages_latest; - supportedFilesystems = [ "ext4" "btrfs" "xfs" "fat" "vfat" "cifs" "nfs" ]; + supportedFilesystems = ["ext4" "btrfs" "xfs" "fat" "vfat" "cifs" "nfs"]; growPartition = true; - kernelModules = [ "kvm-intel" ]; - kernelParams = lib.mkForce [ ]; + kernelModules = ["kvm-intel"]; + kernelParams = lib.mkForce []; loader = { grub = { @@ -20,8 +22,8 @@ }; initrd = { - availableKernelModules = [ "9p" "9pnet_virtio" "ata_piix" "uhci_hcd" "virtio_blk" "virtio_mmio" "virtio_net" "virtio_pci" "virtio_scsi" ]; - kernelModules = [ "virtio_balloon" "virtio_console" "virtio_rng" ]; + availableKernelModules = ["9p" "9pnet_virtio" "ata_piix" "uhci_hcd" "virtio_blk" "virtio_mmio" "virtio_net" "virtio_pci" "virtio_scsi"]; + kernelModules = ["virtio_balloon" "virtio_console" "virtio_rng"]; }; tmp.cleanOnBoot = true; diff --git a/hosts/nixmox-perseverance/home.nix b/hosts/nixmox-perseverance/home.nix index 5173e23..07adba1 100644 --- a/hosts/nixmox-perseverance/home.nix +++ b/hosts/nixmox-perseverance/home.nix @@ -1,5 +1,8 @@ -{ config, pkgs, ... }: { + config, + pkgs, + ... +}: { home = { username = "tbarnouin"; stateVersion = "24.11"; @@ -75,17 +78,16 @@ }; oh-my-zsh = { enable = true; - plugins = - [ - "git" - "terraform" - "sudo" - "docker" - "pip" - "python" - "pyenv" - "pipenv" - ]; + plugins = [ + "git" + "terraform" + "sudo" + "docker" + "pip" + "python" + "pyenv" + "pipenv" + ]; theme = "bira"; }; }; diff --git a/secrets.nix b/secrets.nix index 26b78f3..b8b0abd 100644 
--- a/secrets.nix
+++ b/secrets.nix
@@ -1,19 +1,17 @@
 let
- tbarnouin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos";
- users = [ tbarnouin ];
+ tbarnouin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos";
+ users = [tbarnouin];
- forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2NAam+nseSCzJV/1UTyO2LgMjx0xT7/vTOOi5EG9HV root@forgejo-runner";
- grafana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQxvO9vdd2f9aV4F3LEQrrTJaLwLvSLbLtjB9qNxc4z root@grafana";
+ forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2NAam+nseSCzJV/1UTyO2LgMjx0xT7/vTOOi5EG9HV root@forgejo-runner";
+ grafana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQxvO9vdd2f9aV4F3LEQrrTJaLwLvSLbLtjB9qNxc4z root@grafana";
 onlyoffice = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbnzv2/Or4XdQXLDjIbr7oIDTQEvgSMTX4aiNCQk4tC root@onlyoffice";
- systems = [ forgejo grafana ];
-in
-{
+ systems = [forgejo grafana];
+in {
 "secrets/initialPassword.age".publicKeys = users ++ systems;
- "services/grafana/secrets/grafana-db.age".publicKeys = [ tbarnouin grafana ];
- "services/grafana/secrets/grafana-oauth_secret.age".publicKeys = [ tbarnouin grafana ];
- "services/grafana/secrets/kuma-token.age".publicKeys = [ tbarnouin grafana ];
- "services/onlyoffice/secrets/office-dbpass.age".publicKeys = [ tbarnouin onlyoffice ];
- "services/onlyoffice/secrets/office-jwtpass.age".publicKeys = [ tbarnouin onlyoffice ];
+ "services/grafana/secrets/grafana-db.age".publicKeys = [tbarnouin grafana];
+ "services/grafana/secrets/grafana-oauth_secret.age".publicKeys = [tbarnouin grafana];
+ "services/grafana/secrets/kuma-token.age".publicKeys = [tbarnouin grafana];
+ "services/onlyoffice/secrets/office-dbpass.age".publicKeys = [tbarnouin onlyoffice];
+ "services/onlyoffice/secrets/office-jwtpass.age".publicKeys = [tbarnouin onlyoffice];
 }
-
diff --git a/services/authentik/default.nix b/services/authentik/default.nix
index 40ec81f..5e92ecd 100644
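Review bot: `onlyoffice` is declared but missing from `systems = [forgejo grafana];`, so `secrets/initialPassword.age` is not encrypted to the onlyoffice host key even though both onlyoffice-specific secrets below are; if that container is meant to receive the shared initial password, change it to `systems = [forgejo grafana onlyoffice];` and re-key the file. A comment above `users` saying that every recipient here is a host root SSH key, and that adding a host means re-keying every secret it appears in, would save the next person a decryption failure at activation. The per-secret recipient lists are already least-privilege (grafana-only secrets to grafana, onlyoffice-only to onlyoffice), which is the right shape to keep.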
--- a/services/authentik/default.nix +++ b/services/authentik/default.nix @@ -1,14 +1,18 @@ -{ inputs, config, lib, authentik-nix, ... }: -let - cfg = config.services.vm_authentik; -in { + inputs, + config, + lib, + authentik-nix, + ... +}: let + cfg = config.services.vm_authentik; +in { options.services.vm_authentik = { enable = lib.mkEnableOption "Enable minimal config"; }; config = lib.mkIf cfg.enable { networking = { - firewall.allowedTCPPorts = [ 9000 9300 9443 ]; + firewall.allowedTCPPorts = [9000 9300 9443]; }; }; } diff --git a/services/default.nix b/services/default.nix index 0b1e474..42fe9eb 100644 --- a/services/default.nix +++ b/services/default.nix @@ -1,5 +1,4 @@ -{ inputs, ... }: -{ +{inputs, ...}: { imports = [ ./nginx ./gitea diff --git a/services/gitea/default.nix b/services/gitea/default.nix index 61add6f..eeb68c7 100644 --- a/services/gitea/default.nix +++ b/services/gitea/default.nix @@ -1,8 +1,11 @@ -{ config, pkgs, lib, ... }: -let - cfg = config.services.vm_gitea; -in { + config, + pkgs, + lib, + ... +}: let + cfg = config.services.vm_gitea; +in { options.services.vm_gitea = { enable = lib.mkEnableOption "Enable minimal config"; db_ip = lib.mkOption { @@ -27,6 +30,6 @@ in passwordFile = "/run/secrets/gitea/gitea-dbpass"; }; }; - networking.firewall.allowedTCPPorts = [ 3000 ]; + networking.firewall.allowedTCPPorts = [3000]; }; } diff --git a/services/grafana/default.nix b/services/grafana/default.nix index 4afd0f1..5ce3ef1 100644 --- a/services/grafana/default.nix +++ b/services/grafana/default.nix @@ -1,8 +1,11 @@ -{ lib, config, pkgs, ... }: -let - cfg = config.services.vm_grafana; -in { + lib, + config, + pkgs, + ... +}: let + cfg = config.services.vm_grafana; +in { options.services.vm_grafana = { enable = lib.mkEnableOption "Enable minimal config"; vm_ip = lib.mkOption { 
@@ -19,16 +22,16 @@ in }; }; config = lib.mkIf cfg.enable { - age.secrets ={ + age.secrets = { grafana-db = { - file = ./secrets/grafana-db.age; + file = ./secrets/grafana-db.age; owner = "grafana"; }; grafana-oauth_secret = { - file = ./secrets/grafana-oauth_secret.age; + file = ./secrets/grafana-oauth_secret.age; owner = "grafana"; }; - kuma-token.file = ./secrets/kuma-token.age; + kuma-token.file = ./secrets/kuma-token.age; }; services.rsyslogd = { enable = true; @@ -59,22 +62,22 @@ in serve_from_sub_path = false; }; database = { - type = "postgres"; - host = "${cfg.pgsql_ip}:5432"; - name = "grafana"; - user = "grafana"; + type = "postgres"; + host = "${cfg.pgsql_ip}:5432"; + name = "grafana"; + user = "grafana"; password = "\$__file{${config.age.secrets.grafana-db.path}}"; }; "auth.generic_oauth" = { - enabled = "true"; - name = "authentik"; + enabled = "true"; + name = "authentik"; allow_sign_up = "true"; - client_id = "9HV82G8F92Jcbw4nP8eppMcPpLcAw5uYpejfReLy"; + client_id = "9HV82G8F92Jcbw4nP8eppMcPpLcAw5uYpejfReLy"; client_secret = "\$__file{${config.age.secrets.grafana-oauth_secret.path}}"; - scopes = "openid email profile"; - auth_url = "https://authentik.le43.eu/application/o/authorize/"; - token_url = "https://authentik.le43.eu/application/o/token/"; - api_url = "https://authentik.le43.eu/application/o/userinfo/"; + scopes = "openid email profile"; + auth_url = "https://authentik.le43.eu/application/o/authorize/"; + token_url = "https://authentik.le43.eu/application/o/token/"; + api_url = "https://authentik.le43.eu/application/o/userinfo/"; role_attribute_path = "contains(groups, 'admin') && 'Admin' || contains(groups, 'admin') && 'Editor' || 'Viewer';role_attribute_strict = false"; allow_assign_grafana_admin = "true"; }; 
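Review bot: The `role_attribute_path` string ends with `;role_attribute_strict = false`, which makes the whole value a malformed JMESPath expression rather than a second Grafana setting, and its second branch repeats `contains(groups, 'admin')` where a different group (presumably `editor`) was meant, so as written everyone who does not fail the mapping lands on the `'Viewer'` fallback. Split it into `role_attribute_path = "contains(groups, 'admin') && 'Admin' || contains(groups, 'editor') && 'Editor' || 'Viewer'";` and a separate `role_attribute_strict = "true";` so users with no mapped role are rejected instead of silently admitted. With `allow_sign_up = "true"` and `allow_assign_grafana_admin = "true"` in the same block, membership in the Authentik `admin` group is equivalent to Grafana server admin, which deserves a one-line comment saying so. The `client_id` literal is not a secret, and the client secret correctly comes from agenix; the grafana settings block continues outside the hunk.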
@@ -88,95 +91,125 @@ in job_name = "kuma"; scrape_interval = "30s"; scheme = "http"; - static_configs = [{ - targets = [ "192.168.1.90:3001" ]; - }]; + static_configs = [ + { + targets = ["192.168.1.90:3001"]; + } + ]; basic_auth.username = "tbarnouin"; basic_auth.password_file = config.age.secrets.kuma-token.path; } { job_name = "grafana"; - static_configs = [{ - targets = [ "127.0.0.1:9002" ]; - }]; + static_configs = [ + { + targets = ["127.0.0.1:9002"]; + } + ]; } { job_name = "openmediavault_cadvisor"; - static_configs = [{ - targets = [ "192.168.1.125:8080" ]; - }]; + static_configs = [ + { + targets = ["192.168.1.125:8080"]; + } + ]; } { job_name = "opportunity"; - static_configs = [{ - targets = [ "192.168.1.125:9100" ]; - }]; + static_configs = [ + { + targets = ["192.168.1.125:9100"]; + } + ]; } { job_name = "nginx"; - static_configs = [{ - targets = [ "${cfg.proxy_ip}:9002" ]; - }]; + static_configs = [ + { + targets = ["${cfg.proxy_ip}:9002"]; + } + ]; } { job_name = "redis"; - static_configs = [{ - targets = [ "192.168.1.16:9002" ]; - }]; + static_configs = [ + { + targets = ["192.168.1.16:9002"]; + } + ]; } { job_name = "ingenuity"; - static_configs = [{ - targets = [ "192.168.1.90:9100" ]; - }]; + static_configs = [ + { + targets = ["192.168.1.90:9100"]; + } + ]; } { job_name = "gitea"; - static_configs = [{ - targets = [ "192.168.1.14:9100" ]; - }]; + static_configs = [ + { + targets = ["192.168.1.14:9100"]; + } + ]; } { job_name = "postgresql"; - static_configs = [{ - targets = [ "192.168.1.13:9100" ]; - }]; + static_configs = [ + { + targets = ["192.168.1.13:9100"]; + } + ]; } { job_name = "nextcloud"; - static_configs = [{ - targets = [ "192.168.1.44:9100" ]; - }]; + static_configs = [ + { + targets = ["192.168.1.44:9100"]; + } + ]; } { job_name = "deluge"; - static_configs = [{ - targets = [ "192.168.1.18:9100" ]; - }]; + static_configs = [ + { + targets = ["192.168.1.18:9100"]; + } + ]; } { job_name = "netbox"; - static_configs = [{ - targets = 
[ "192.168.1.45:9100" ]; - }]; + static_configs = [ + { + targets = ["192.168.1.45:9100"]; + } + ]; } { job_name = "jellyfin"; - static_configs = [{ - targets = [ "192.168.1.42:9100" ]; - }]; + static_configs = [ + { + targets = ["192.168.1.42:9100"]; + } + ]; } { job_name = "authentik-ldap"; - static_configs = [{ - targets = [ "192.168.1.41:9100" ]; - }]; + static_configs = [ + { + targets = ["192.168.1.41:9100"]; + } + ]; } { job_name = "authentik"; - static_configs = [{ - targets = [ "192.168.1.25:9002" ]; - }]; + static_configs = [ + { + targets = ["192.168.1.25:9002"]; + } + ]; } ]; }; @@ -202,16 +235,18 @@ in chunk_retain_period = "30s"; }; schema_config = { - configs = [{ - from = "2022-06-06"; - store = "boltdb-shipper"; - object_store = "filesystem"; - schema = "v13"; - index = { - prefix = "index_"; - period = "24h"; - }; - }]; + configs = [ + { + from = "2022-06-06"; + store = "boltdb-shipper"; + object_store = "filesystem"; + schema = "v13"; + index = { + prefix = "index_"; + period = "24h"; + }; + } + ]; }; storage_config = { boltdb_shipper = { @@ -255,14 +290,16 @@ in positions = { filename = "/tmp/positions.yaml"; }; - clients = [{ - url = "http://127.0.0.1:3100/loki/api/v1/push"; - }]; + clients = [ + { + url = "http://127.0.0.1:3100/loki/api/v1/push"; + } + ]; scrape_configs = [ { job_name = "syslog"; syslog = { - listen_address = "0.0.0.0:1514"; + listen_address = "0.0.0.0:1514"; listen_protocol = "tcp"; idle_timeout = "60s"; labels = { 
@@ -271,27 +308,27 @@ in }; relabel_configs = [ { - source_labels = [ "__syslog_message_hostname" ]; + source_labels = ["__syslog_message_hostname"]; target_label = "host"; } { - source_labels = [ "__syslog_message_hostname" ]; + source_labels = ["__syslog_message_hostname"]; target_label = "hostname"; } { - source_labels = [ "__syslog_message_severity" ]; + source_labels = ["__syslog_message_severity"]; target_label = "level"; } { - source_labels = [ "__syslog_message_app_name" ]; + source_labels = ["__syslog_message_app_name"]; target_label = "application"; } { - source_labels = [ "__syslog_message_facility" ]; + source_labels = ["__syslog_message_facility"]; target_label = "facility"; } { - source_labels = [ "__syslog_connection_hostname" ]; + source_labels = ["__syslog_connection_hostname"]; target_label = "connection_hostname"; } ]; @@ -301,7 +338,7 @@ in }; # Open ports in the firewall. - networking.firewall.allowedTCPPorts = [ 3000 3100 3101 8086 9001 1514 514 ]; - networking.firewall.allowedUDPPorts = [ 514 ]; + networking.firewall.allowedTCPPorts = [3000 3100 3101 8086 9001 1514 514]; + networking.firewall.allowedUDPPorts = [514]; }; } diff --git a/services/jellyfin/default.nix b/services/jellyfin/default.nix index 8bf8012..1cbd172 100644 --- a/services/jellyfin/default.nix +++ b/services/jellyfin/default.nix @@ -1,13 +1,16 @@ -{ lib, config, pkgs, ... }: -let - cfg = config.services.vm_jellyfin; -in { + lib, + config, + pkgs, + ... +}: let + cfg = config.services.vm_jellyfin; +in { options.services.vm_jellyfin = { enable = lib.mkEnableOption "Enable minimal config"; }; config = lib.mkIf cfg.enable { - environment.systemPackages = [ pkgs.cifs-utils ]; + environment.systemPackages = [pkgs.cifs-utils]; services.jellyfin = { enable = true; user = "tbarnouin"; diff --git a/services/minimalConfig/default.nix b/services/minimalConfig/default.nix index 2d15b80..3993631 100644 --- a/services/minimalConfig/default.nix +++ b/services/minimalConfig/default.nix 
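Review bot: `networking.firewall.allowedTCPPorts = [3000 3100 3101 8086 9001 1514 514]` opens Loki's push/query API (3100) and promtail's syslog receiver (`listen_address = "0.0.0.0:1514"`) to the whole LAN, and nothing visible in the hunk enables Loki authentication or TLS, so any host on the subnet can inject or read logs. Unless remote hosts push to Loki directly, drop 3100 and 3101 from the list (promtail's client already targets `http://127.0.0.1:3100` and Grafana runs on the same host) and keep only 1514/514 for syslog; if 3100 must stay open, front it with the nginx proxy and auth. 8086 and 9001 are not explained by anything in the hunk and deserve a comment naming the service behind each, e.g. `# 8086: <service>, 9001: <service>` above the list. The enclosing config block starts outside the hunk.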
@@ -1,20 +1,25 @@ -{ config, pkgs, lib, inputs, modulesPath, ... }: { - + config, + pkgs, + lib, + inputs, + modulesPath, + ... +}: { imports = [ ./lxc.nix ./vm.nix ]; nix = { - settings.experimental-features = [ "nix-command" "flakes" ]; - settings.trusted-users = [ "root" "@wheel" ]; + settings.experimental-features = ["nix-command" "flakes"]; + settings.trusted-users = ["root" "@wheel"]; }; networking = { firewall = { enable = true; - allowedTCPPorts = [ 22 9002 ]; + allowedTCPPorts = [22 9002]; }; }; @@ -22,7 +27,7 @@ console.keyMap = "fr"; i18n.defaultLocale = "fr_FR.UTF-8"; environment.sessionVariables = rec { - TERM = "xterm-256color"; + TERM = "xterm-256color"; }; nix.gc = { @@ -35,7 +40,7 @@ users = { users.tbarnouin = { isNormalUser = true; - extraGroups = [ "wheel" ]; + extraGroups = ["wheel"]; shell = pkgs.zsh; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos" @@ -58,7 +63,7 @@ }; ohMyZsh = { enable = true; - plugins = [ "git" ]; + plugins = ["git"]; theme = "bira"; }; }; @@ -70,21 +75,21 @@ nixpkgs.config.allowUnfree = true; environment = { localBinInPath = true; - systemPackages = with pkgs; [ - vim - bash - wget - curl - git - htop - tree - dig - ncdu - nmap - iperf3 - netcat-openbsd - ]; - }; + systemPackages = with pkgs; [ + vim + bash + wget + curl + git + htop + tree + dig + ncdu + nmap + iperf3 + netcat-openbsd + ]; + }; services = { openssh = { @@ -110,7 +115,7 @@ exporters = { node = { enable = true; - enabledCollectors = [ "systemd" ]; + enabledCollectors = ["systemd"]; port = 9002; }; }; diff --git a/services/minimalConfig/lxc.nix b/services/minimalConfig/lxc.nix index acafe8d..fe92334 100644 --- a/services/minimalConfig/lxc.nix +++ b/services/minimalConfig/lxc.nix 
@@ -1,8 +1,11 @@ -{lib, config, modulesPath, ...}: -let - cfg = config.services.lxc; -in { + lib, + config, + modulesPath, + ... +}: let + cfg = config.services.lxc; +in { options.services.lxc = { enable = lib.mkEnableOption "Enable LXC container config"; }; diff --git a/services/minimalConfig/vm.nix b/services/minimalConfig/vm.nix index 96c3ff3..b504132 100644 --- a/services/minimalConfig/vm.nix +++ b/services/minimalConfig/vm.nix @@ -1,8 +1,11 @@ -{lib, config, modulesPath, ...}: -let - cfg = config.services.vm; -in { + lib, + config, + modulesPath, + ... +}: let + cfg = config.services.vm; +in { options.services.vm = { enable = lib.mkEnableOption "Enable LXC container config"; }; diff --git a/services/nextcloud/default.nix b/services/nextcloud/default.nix index c478702..9a653e9 100644 --- a/services/nextcloud/default.nix +++ b/services/nextcloud/default.nix @@ -1,8 +1,11 @@ -{ lib, config, pkgs, ... }: -let - cfg = config.services.vm_nextcloud; -in { + lib, + config, + pkgs, + ... +}: let + cfg = config.services.vm_nextcloud; +in { options.services.vm_nextcloud = { enable = lib.mkEnableOption "Enable minimal config"; proxy_ip = lib.mkOption { @@ -53,8 +56,8 @@ in "opcache.memory_consumption" = "512"; }; settings = { - trusted_proxies = [ "${cfg.proxy_ip}" ]; - trusted_domains = [ "${cfg.proxy_ip}" ]; + trusted_proxies = ["${cfg.proxy_ip}"]; + trusted_domains = ["${cfg.proxy_ip}"]; overwriteprotocol = "http"; overwrite.cli.url = "http://${cfg.proxy_ip}/cloud/"; "overwritehost" = "${cfg.proxy_ip}"; @@ -68,11 +71,11 @@ in dbuser = "nextcloud"; dbtype = "pgsql"; dbpassFile = "/run/secrets/nextcloud/nextcloud-dbpass"; - adminuser = "tbarnouin"; + adminuser = "tbarnouin"; adminpassFile = "/run/secrets/nextcloud/nextcloud-adminpass"; }; }; }; - networking.firewall.allowedTCPPorts = [ 80 ]; + networking.firewall.allowedTCPPorts = [80]; }; } diff --git a/services/nginx/default.nix b/services/nginx/default.nix index 93ef4b5..7942c13 100644 --- a/services/nginx/default.nix 
+++ b/services/nginx/default.nix
@@ -1,8 +1,11 @@
-{ config, pkgs, lib, ... }:
-let
- cfg = config.services.vm_nginx;
-in
 {
+ config,
+ pkgs,
+ lib,
+ ...
+}: let
+ cfg = config.services.vm_nginx;
+in {
 options.services.vm_nginx = {
 enable = lib.mkEnableOption "Enable minimal config";
 };
@@ -158,6 +161,6 @@ in
 };
 };
 };
- networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.allowedTCPPorts = [80 443];
 };
 }
diff --git a/services/onlyoffice/default.nix b/services/onlyoffice/default.nix
index 5540e48..ba91dd4 100644
--- a/services/onlyoffice/default.nix
+++ b/services/onlyoffice/default.nix
@@ -1,8 +1,11 @@
-{ config, pkgs, lib, ... }:
-let
- cfg = config.services.vm_onlyoffice;
-in
 {
+ config,
+ pkgs,
+ lib,
+ ...
+}: let
+ cfg = config.services.vm_onlyoffice;
+in {
 options.services.vm_onlyoffice = {
 enable = lib.mkEnableOption "Enable OnlyOffice service";
 pgsql_ip = lib.mkOption {
@@ -13,11 +16,11 @@ in
 config = lib.mkIf cfg.enable {
 age.secrets = {
 office-dbpass = {
- file = ./secrets/office-dbpass.age;
+ file = ./secrets/office-dbpass.age;
 owner = "onlyoffice";
 };
 office-jwtpass = {
- file = ./secrets/office-jwtpass.age;
+ file = ./secrets/office-jwtpass.age;
 owner = "onlyoffice";
 };
 };
@@ -33,6 +36,6 @@ in
 jwtSecretFile = config.age.secrets.office-jwtpass.path;
 };
 };
- networking.firewall.allowedTCPPorts = [ 80 4369 5432 5672 6379 8000 8080 ];
+ networking.firewall.allowedTCPPorts = [80 4369 5432 5672 6379 8000 8080];
 };
 }
diff --git a/services/postgresql/default.nix b/services/postgresql/default.nix
index 4b4a9dc..5823ec3 100644
--- a/services/postgresql/default.nix
+++ b/services/postgresql/default.nix
@@ -1,8 +1,11 @@
-{ lib, config, pkgs, ... }:
-let
- cfg = config.services.vm_postgresql;
-in
 {
+ lib,
+ config,
+ pkgs,
+ ...
+}: let
+ cfg = config.services.vm_postgresql;
+in {
 options.services.vm_postgresql = {
 enable = lib.mkEnableOption "Enable minimal config";
 };
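Review bot: `networking.firewall.allowedTCPPorts = [80 4369 5432 5672 6379 8000 8080]` in the onlyoffice module exposes the document server's backing services — PostgreSQL (5432), Redis (6379), RabbitMQ (5672) and epmd (4369) — to the LAN, although nothing in the hunk shows another host needing them and they are normally consumed over loopback; epmd in particular advertises Erlang distribution ports that give code execution to anyone holding the node cookie. Unless an external consumer exists, reduce this to `networking.firewall.allowedTCPPorts = [80];` (plus 8000/8080 only if something outside the container really connects to them) and leave the dependencies bound to localhost. Add a comment above the line naming the consumer of each port that stays open. The `services.onlyoffice` block that sets `jwtSecretFile` starts outside the hunk.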
@@ -44,6 +47,6 @@ in alter user nextcloud with password 'password'; ''; }; - networking.firewall.allowedTCPPorts = [ 5432 ]; + networking.firewall.allowedTCPPorts = [5432]; }; } diff --git a/services/redis/default.nix b/services/redis/default.nix index 5dc54b4..db56381 100644 --- a/services/redis/default.nix +++ b/services/redis/default.nix @@ -1,8 +1,11 @@ -{ config, pkgs, lib, ... }: -let - cfg = config.services.vm_redis; -in { + config, + pkgs, + lib, + ... +}: let + cfg = config.services.vm_redis; +in { options.services.vm_redis = { enable = lib.mkEnableOption "Enable minimal config"; }; @@ -16,8 +19,8 @@ in settings = { protected-mode = "no"; }; - }; + }; }; - networking.firewall.allowedTCPPorts = [ 6379 ]; + networking.firewall.allowedTCPPorts = [6379]; }; } diff --git a/systems/minimalLXCConfig.nix b/systems/minimalLXCConfig.nix index 32cbcb3..a2e426c 100644 --- a/systems/minimalLXCConfig.nix +++ b/systems/minimalLXCConfig.nix @@ -1,15 +1,20 @@ -{ config, pkgs, lib, inputs, modulesPath, ... }: { - + config, + pkgs, + lib, + inputs, + modulesPath, + ... +}: { nix = { - settings.experimental-features = [ "nix-command" "flakes" ]; - settings.trusted-users = [ "root" "@wheel" ]; + settings.experimental-features = ["nix-command" "flakes"]; + settings.trusted-users = ["root" "@wheel"]; }; networking = { firewall = { enable = true; - allowedTCPPorts = [ 22 9002 ]; + allowedTCPPorts = [22 9002]; }; }; @@ -30,7 +35,7 @@ console.keyMap = "fr"; i18n.defaultLocale = "fr_FR.UTF-8"; environment.sessionVariables = rec { - TERM = "xterm-256color"; + TERM = "xterm-256color"; }; nix.gc = { @@ -43,7 +48,7 @@ users = { users.tbarnouin = { isNormalUser = true; - extraGroups = [ "wheel" ]; + extraGroups = ["wheel"]; shell = pkgs.zsh; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos" @@ -66,7 +71,7 @@ }; ohMyZsh = { enable = true; - plugins = [ "git" ]; + plugins = ["git"]; theme = "bira"; }; }; 
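Review bot: In the services/postgresql/default.nix hunk at `@@ -44,6 +47,6 @@`, the new side keeps `alter user nextcloud with password 'password';` inside `initialScript`, and the same hunk opens 5432 to every interface; a multi-line string assigned to that option becomes a world-readable store path, so the database credential is both trivially guessable and readable by any local user or anyone with the closure, and the nextcloud module's `dbpassFile` must carry the same literal. The fix is to stop baking the password into the store: declare an agenix secret for it in this module (for example `age.secrets.nextcloud-dbpass` with `owner = "postgres"`, mirroring the `office-dbpass` pattern in onlyoffice), drop the ALTER USER line from `initialScript`, and set the role password at activation time with a one-shot unit that runs psql as the postgres user, passing the value as a psql variable so quoting in the secret cannot break the statement. This module already receives `config`, so `config.age.secrets.<name>.path` is in scope once the secret is declared. While there, 5432 should be limited to the Nextcloud/OnlyOffice hosts by source address rather than opened globally. The enclosing `config = lib.mkIf cfg.enable {` block starts outside the hunk.

```nix
# … unchanged: services.postgresql enable / ensureDatabases / initialScript (minus the literal ALTER USER) …
# Set the nextcloud role password from an agenix secret at activation time
# instead of baking it into a store path. Secret name is a proposal; it must be
# declared with owner = "postgres" so the unit can read it.
systemd.services.postgresql-set-nextcloud-password = {
  after = ["postgresql.service"];
  requires = ["postgresql.service"];
  wantedBy = ["multi-user.target"];
  serviceConfig = {
    Type = "oneshot";
    User = "postgres";
  };
  script = ''
    ${config.services.postgresql.package}/bin/psql -v ON_ERROR_STOP=1 \
      -v pw="$(cat ${config.age.secrets.nextcloud-dbpass.path})" \
      -c "ALTER USER nextcloud WITH PASSWORD :'pw'"
  '';
};
```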
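Review bot: In the services/redis/default.nix hunk at `@@ -16,8 +19,8 @@`, the new side combines `protected-mode = "no"` with `networking.firewall.allowedTCPPorts = [6379];`, which leaves an unauthenticated Redis reachable from anything that can route to this host; an unauthenticated Redis accepts `CONFIG SET`, `SLAVEOF` and module loading, so this is effectively remote code execution on the box for any LAN peer. Keep Redis's protected mode (remove the `protected-mode = "no"` override) and either bind to the interface the clients use or require a password via the module's `requirePassFile` pointing at an agenix secret, mirroring how onlyoffice handles `office-jwtpass`; if the only consumers are Nextcloud/OnlyOffice, also restrict 6379 by source address instead of opening it globally. Whether `bind` is set is not visible here, as the enclosing `services.redis.servers.<name>` block starts outside the hunk.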
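Review bot: In the systems/minimalLXCConfig.nix hunk at `@@ -1,15 +1,20 @@`, `settings.trusted-users = ["root" "@wheel"];` makes every wheel member a Nix trusted user, which the Nix manual treats as root-equivalent (trusted users may set arbitrary substituters and sandbox options and import unsigned store paths); since `tbarnouin` is already in wheel per the `@@ -43,7 +48,7 @@` hunk the practical step is small, but it is worth being deliberate rather than inherited from a template. Unless non-root remote deployment (`nixos-rebuild --target-host` as that user) actually depends on it, prefer `settings.trusted-users = ["root"];`, and note the same line is repeated in systems/minimalMicrovmConfig.nix and systems/minimalVMConfig.nix. In the same hunk `allowedTCPPorts = [22 9002]` also exposes the node exporter (port 9002 in the `@@ -118,7 +123,7 @@` hunk) on every interface, so host and process metrics are readable by any LAN peer; a per-interface rule such as `networking.firewall.interfaces.<lan>.allowedTCPPorts = [9002];` or a source restriction to the Prometheus/Grafana host would be tighter. The `services.openssh` settings that would confirm key-only login are outside the hunk.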
@@ -78,21 +83,21 @@ nixpkgs.config.allowUnfree = true; environment = { localBinInPath = true; - systemPackages = with pkgs; [ - vim - bash - wget - curl - git - htop - tree - dig - ncdu - nmap - iperf3 - netcat-openbsd - ]; - }; + systemPackages = with pkgs; [ + vim + bash + wget + curl + git + htop + tree + dig + ncdu + nmap + iperf3 + netcat-openbsd + ]; + }; services = { openssh = { @@ -118,7 +123,7 @@ exporters = { node = { enable = true; - enabledCollectors = [ "systemd" ]; + enabledCollectors = ["systemd"]; port = 9002; }; }; diff --git a/systems/minimalMicrovmConfig.nix b/systems/minimalMicrovmConfig.nix index cd46ddc..0284417 100644 --- a/systems/minimalMicrovmConfig.nix +++ b/systems/minimalMicrovmConfig.nix @@ -1,8 +1,14 @@ -{ config, pkgs, lib, inputs, modulesPath, microvm, ... }: -let - cfg = config.services.micro_vm; -in { + config, + pkgs, + lib, + inputs, + modulesPath, + microvm, + ... +}: let + cfg = config.services.micro_vm; +in { options.services.micro_vm = { enable = lib.mkEnableOption "Enable NixOS microvm config"; hostname = lib.mkOption { @@ -53,11 +59,13 @@ in mountPoint = "/run/secrets/${cfg.hostname}"; } ]; - interfaces = [ { - type = "tap"; - id = "vm-${cfg.hostname}"; - mac = "${cfg.macAddr}"; - } ]; + interfaces = [ + { + type = "tap"; + id = "vm-${cfg.hostname}"; + mac = "${cfg.macAddr}"; + } + ]; hypervisor = "qemu"; socket = "control.socket"; @@ -76,14 +84,14 @@ in }; nix = { - settings.experimental-features = [ "nix-command" "flakes" ]; - settings.trusted-users = [ "root" "@wheel" ]; + settings.experimental-features = ["nix-command" "flakes"]; + settings.trusted-users = ["root" "@wheel"]; }; networking = { firewall = { enable = true; - allowedTCPPorts = [ 22 9002 ]; + allowedTCPPorts = [22 9002]; }; }; @@ -91,7 +99,7 @@ in console.keyMap = "fr"; i18n.defaultLocale = "fr_FR.UTF-8"; environment.sessionVariables = rec { - TERM = "xterm-256color"; + TERM = "xterm-256color"; }; nix.gc = { 
@@ -104,7 +112,7 @@ in users = { users.tbarnouin = { isNormalUser = true; - extraGroups = [ "wheel" ]; + extraGroups = ["wheel"]; shell = pkgs.zsh; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos" @@ -127,7 +135,7 @@ in }; ohMyZsh = { enable = true; - plugins = [ "git" ]; + plugins = ["git"]; theme = "bira"; }; }; @@ -139,21 +147,21 @@ in nixpkgs.config.allowUnfree = true; environment = { localBinInPath = true; - systemPackages = with pkgs; [ - vim - bash - wget - curl - git - htop - tree - dig - ncdu - nmap - iperf3 - netcat-openbsd - ]; - }; + systemPackages = with pkgs; [ + vim + bash + wget + curl + git + htop + tree + dig + ncdu + nmap + iperf3 + netcat-openbsd + ]; + }; services = { openssh = { @@ -179,7 +187,7 @@ in exporters = { node = { enable = true; - enabledCollectors = [ "systemd" ]; + enabledCollectors = ["systemd"]; port = 9002; }; }; @@ -192,4 +200,3 @@ in }; }; } - diff --git a/systems/minimalVMConfig.nix b/systems/minimalVMConfig.nix index 1431860..7cbc576 100644 --- a/systems/minimalVMConfig.nix +++ b/systems/minimalVMConfig.nix @@ -1,15 +1,20 @@ -{ config, pkgs, lib, inputs, modulesPath, ... }: { - + config, + pkgs, + lib, + inputs, + modulesPath, + ... +}: { nix = { - settings.experimental-features = [ "nix-command" "flakes" ]; - settings.trusted-users = [ "root" "@wheel" ]; + settings.experimental-features = ["nix-command" "flakes"]; + settings.trusted-users = ["root" "@wheel"]; }; networking = { firewall = { enable = true; - allowedTCPPorts = [ 22 9002 ]; + allowedTCPPorts = [22 9002]; }; }; @@ -17,7 +22,7 @@ console.keyMap = "fr"; i18n.defaultLocale = "fr_FR.UTF-8"; environment.sessionVariables = rec { - TERM = "xterm-256color"; + TERM = "xterm-256color"; }; nix.gc = { 
@@ -30,7 +35,7 @@ users = { users.tbarnouin = { isNormalUser = true; - extraGroups = [ "wheel" ]; + extraGroups = ["wheel"]; shell = pkgs.zsh; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos" @@ -53,7 +58,7 @@ }; ohMyZsh = { enable = true; - plugins = [ "git" ]; + plugins = ["git"]; theme = "bira"; }; }; @@ -65,21 +70,21 @@ nixpkgs.config.allowUnfree = true; environment = { localBinInPath = true; - systemPackages = with pkgs; [ - vim - bash - wget - curl - git - htop - tree - dig - ncdu - nmap - iperf3 - netcat-openbsd - ]; - }; + systemPackages = with pkgs; [ + vim + bash + wget + curl + git + htop + tree + dig + ncdu + nmap + iperf3 + netcat-openbsd + ]; + }; services = { cloud-init.network.enable = true; @@ -106,7 +111,7 @@ exporters = { node = { enable = true; - enabledCollectors = [ "systemd" ]; + enabledCollectors = ["systemd"]; port = 9002; }; };