xin/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

treewide: apply the new rfc nixfmt

Browse source
This commit is contained in:
xinyangli 2024-08-25 17:45:58 +08:00
parent e702d503b9
commit 7a795e5ed9
Signed by: xin
SSH key fingerprint: SHA256:qZ/tzd8lYRtUFSrfBDBMcUqV4GHKxqeqRA3huItgvbk
53 changed files with 1371 additions and 888 deletions
Download patch file Download diff file Expand all files Collapse all files

11
modules/home-manager/cosmic-term.nix
View file

@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
let
inherit (lib) mkEnableOption mkIf;
@ -10,7 +15,5 @@ in
enable = mkEnableOption "cosmic-term";
};
config = mkIf cfg.enable {
home.packages = [ pkgs.cosmic-term ];
};
config = mkIf cfg.enable { home.packages = [ pkgs.cosmic-term ]; };
}

108
modules/home-manager/fish.nix
View file

@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
with lib;
@ -10,7 +15,12 @@ in
enable = mkEnableOption "fish";
plugins = mkOption {
type = types.listOf types.str;
default = [ "pisces" "done" "hydro" "grc" ];
default = [
"pisces"
"done"
"hydro"
"grc"
];
};
functions = {
enable = mkOption {
@ -30,41 +40,65 @@ in
home.packages = [ pkgs.grc ];
programs.fish = {
enable = true;
plugins = with pkgs; (filter (
e: hasAttr e.name (builtins.listToAttrs # { "xxx" = true; }
(map (p: { name = p; value = true; }) cfg.plugins) # { name = "xxx"; value = true; }
)) [
{ name = "pisces";
src = fishPlugins.pisces.src;
}
{ name = "done";
src = fishPlugins.done.src;
}
{ name = "hydro";
src = fishPlugins.hydro.src;
}
{ name = "grc";
src = fishPlugins.grc.src;
}
]);
interactiveShellInit = let
extraInit = if cfg.functions.enable then ''
${pkgs.nix-your-shell}/bin/nix-your-shell fish | source
function fish_right_prompt
if test -n "$IN_NIX_SHELL"
echo -n "<nix-shell>"
else if test $SHLVL -ge 3
echo -n "<🚀lv$SHLVL>"
end
end
function fish_command_not_found
${pkgs.comma}/bin/comma $argv
end
set -gx LS_COLORS (${lib.getExe pkgs.vivid} generate catppuccin-mocha)
'' else "";
in ''
fish_config prompt choose default
'' + extraInit;
plugins =
with pkgs;
(filter
(
e:
hasAttr e.name (
builtins.listToAttrs # { "xxx" = true; }
(
map (p: {
name = p;
value = true;
}) cfg.plugins
) # { name = "xxx"; value = true; }
)
)
[
{
name = "pisces";
src = fishPlugins.pisces.src;
}
{
name = "done";
src = fishPlugins.done.src;
}
{
name = "hydro";
src = fishPlugins.hydro.src;
}
{
name = "grc";
src = fishPlugins.grc.src;
}
]
);
interactiveShellInit =
let
extraInit =
if cfg.functions.enable then
''
${pkgs.nix-your-shell}/bin/nix-your-shell fish | source
function fish_right_prompt
if test -n "$IN_NIX_SHELL"
echo -n "<nix-shell>"
else if test $SHLVL -ge 3
echo -n "<🚀lv$SHLVL>"
end
end
function fish_command_not_found
${pkgs.comma}/bin/comma $argv
end
set -gx LS_COLORS (${lib.getExe pkgs.vivid} generate catppuccin-mocha)
''
else
"";
in
''
fish_config prompt choose default
''
+ extraInit;
functions = mkIf cfg.functions.enable {
gitignore = "curl -sL https://www.gitignore.io/api/$argv";
};

17
modules/home-manager/git.nix
View file

@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
with lib;
@ -32,16 +37,12 @@ in
d = "diff";
s = "status";
};
signing = mkIf cfg.signing.enable {
signing = mkIf cfg.signing.enable {
signByDefault = true;
key = cfg.signing.keyFile;
};
extraConfig.user = mkIf cfg.signing.enable {
signingkey = cfg.signing.keyFile;
};
extraConfig.gpg = mkIf cfg.signing.enable {
format = "ssh";
};
extraConfig.user = mkIf cfg.signing.enable { signingkey = cfg.signing.keyFile; };
extraConfig.gpg = mkIf cfg.signing.enable { format = "ssh"; };
};
};
}

2
modules/home-manager/tmux.nix
View file

@ -1 +1 @@
{}
{ }

12
modules/home-manager/vim.nix
View file

@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
let
inherit (lib) mkIf mkEnableOption getExe;
cfg = config.custom-hm.neovim;
@ -13,7 +18,10 @@ in
enable = mkEnableOption "neovim configurations";
};
config = mkIf cfg.enable {
home.packages = with pkgs; [ nixvim neovide ];
home.packages = with pkgs; [
nixvim
neovide
];
programs.neovim.enable = false;
home.file.".config/neovide/config.toml" = {
source = tomlFormat.generate "neovide-config" neovideConfig;

190
modules/home-manager/vscode.nix
View file

@ -1,4 +1,10 @@
{ inputs, config, lib, pkgs, ... }:
{
inputs,
config,
lib,
pkgs,
...
}:
with lib;
let
@ -6,7 +12,10 @@ let
packages = {
nixPackages = {
systemPackages = with pkgs; [ nixd nixpkgs-fmt ];
systemPackages = with pkgs; [
nixd
nixpkgs-fmt
];
extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
jnoortheen.nix-ide
];
@ -17,10 +26,15 @@ let
};
};
cxxPackages = {
systemPackages = with pkgs; [ clang-tools cmake-format ];
systemPackages = with pkgs; [
clang-tools
cmake-format
];
extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
llvm-vs-code-extensions.vscode-clangd
(ms-vscode.cmake-tools.overrideAttrs (_: { sourceRoot = "extension"; }))
(ms-vscode.cmake-tools.overrideAttrs (_: {
sourceRoot = "extension";
}))
twxs.cmake
ms-vscode.cpptools
];
@ -43,7 +57,10 @@ let
settings = { };
};
scalaPackages = {
systemPackages = with pkgs; [ coursier metals ];
systemPackages = with pkgs; [
coursier
metals
];
extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
scala-lang.scala
scalameta.metals
@ -61,20 +78,56 @@ let
{
"name" = "xelatex";
"command" = "xelatex";
"args" = [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "%DOCFILE%" ];
"args" = [
"-synctex=1"
"-interaction=nonstopmode"
"-file-line-error"
"%DOCFILE%"
];
}
{
"name" = "pdflatex";
"command" = "pdflatex";
"args" = [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "%DOCFILE%" ];
"args" = [
"-synctex=1"
"-interaction=nonstopmode"
"-file-line-error"
"%DOCFILE%"
];
}
{
"name" = "bibtex";
"command" = "bibtex";
"args" = [ "%DOCFILE%" ];
}
{ "name" = "bibtex"; "command" = "bibtex"; "args" = [ "%DOCFILE%" ]; }
];
"latex-workshop.latex.recipes" = [
{ "name" = "xelatex"; "tools" = [ "xelatex" ]; }
{ "name" = "pdflatex"; "tools" = [ "pdflatex" ]; }
{ "name" = "xe->bib->xe->xe"; "tools" = [ "xelatex" "bibtex" "xelatex" "xelatex" ]; }
{ "name" = "pdf->bib->pdf->pdf"; "tools" = [ "pdflatex" "bibtex" "pdflatex" "pdflatex" ]; }
{
"name" = "xelatex";
"tools" = [ "xelatex" ];
}
{
"name" = "pdflatex";
"tools" = [ "pdflatex" ];
}
{
"name" = "xe->bib->xe->xe";
"tools" = [
"xelatex"
"bibtex"
"xelatex"
"xelatex"
];
}
{
"name" = "pdf->bib->pdf->pdf";
"tools" = [
"pdflatex"
"bibtex"
"pdflatex"
"pdflatex"
];
}
];
"[latex]" = {
"editor.formatOnPaste" = false;
@ -88,9 +141,15 @@ let
};
llmExtensions = [ pkgs.vscode-extensions.continue.continue ];
languages = [ "nix" "cxx" "python" "scala" "latex" ];
zipAttrsWithLanguageOption = (attr:
(map (l: (lib.mkIf cfg.languages.${l} packages."${l}Packages".${attr})) languages)
languages = [
"nix"
"cxx"
"python"
"scala"
"latex"
];
zipAttrsWithLanguageOption = (
attr: (map (l: (lib.mkIf cfg.languages.${l} packages."${l}Packages".${attr})) languages)
);
in
{
@ -111,64 +170,71 @@ in
config = mkIf cfg.enable {
nixpkgs.config.allowUnfree = true;
home.packages = lib.mkMerge ([
[ pkgs.clang-tools ]
(mkIf cfg.llm [ pkgs.ollama ])
] ++ zipAttrsWithLanguageOption "systemPackages");
home.packages = lib.mkMerge (
[
[ pkgs.clang-tools ]
(mkIf cfg.llm [ pkgs.ollama ])
]
++ zipAttrsWithLanguageOption "systemPackages"
);
programs.vscode = {
enable = true;
package = pkgs.vscode.override { commandLineArgs = "--enable-wayland-ime"; };
enableUpdateCheck = false;
enableExtensionUpdateCheck = false;
mutableExtensionsDir = false;
extensions = lib.mkMerge ([
(with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
mkhl.direnv
extensions = lib.mkMerge (
[
(with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
mkhl.direnv
ms-azuretools.vscode-docker
ms-vscode-remote.remote-ssh
vscodevim.vim
github.vscode-pull-request-github
gruntfuggly.todo-tree # todo highlight
ms-azuretools.vscode-docker
ms-vscode-remote.remote-ssh
vscodevim.vim
github.vscode-pull-request-github
gruntfuggly.todo-tree # todo highlight
# Markdown
davidanson.vscode-markdownlint
# Latex
# Scale / chisel
sterben.fpga-support
# Markdown
davidanson.vscode-markdownlint
# Latex
# Scale / chisel
sterben.fpga-support
ms-vscode-remote.remote-ssh-edit
mushan.vscode-paste-image
])
ms-vscode-remote.remote-ssh-edit
mushan.vscode-paste-image
])
(with pkgs.vscode-extensions; [
waderyan.gitblame
catppuccin.catppuccin-vsc
# Rust
rust-lang.rust-analyzer
])
(with pkgs.vscode-extensions; [
waderyan.gitblame
catppuccin.catppuccin-vsc
# Rust
rust-lang.rust-analyzer
])
(mkIf cfg.llm llmExtensions)
] ++ zipAttrsWithLanguageOption "extension");
userSettings = lib.mkMerge ([
{
"workbench.colorTheme" = "Catppuccin Macchiato";
"terminal.integrated.sendKeybindingsToShell" = true;
"extensions.ignoreRecommendations" = true;
"files.autoSave" = "afterDelay";
"editor.inlineSuggest.enabled" = true;
"editor.rulers" = [
80
];
"editor.mouseWheelZoom" = true;
"git.autofetch" = false;
"window.zoomLevel" = -1;
(mkIf cfg.llm llmExtensions)
]
++ zipAttrsWithLanguageOption "extension"
);
userSettings = lib.mkMerge (
[
{
"workbench.colorTheme" = "Catppuccin Macchiato";
"terminal.integrated.sendKeybindingsToShell" = true;
"extensions.ignoreRecommendations" = true;
"files.autoSave" = "afterDelay";
"editor.inlineSuggest.enabled" = true;
"editor.rulers" = [ 80 ];
"editor.mouseWheelZoom" = true;
"git.autofetch" = false;
"window.zoomLevel" = -1;
"extensions.experimental.affinity" = {
"vscodevim.vim" = 1;
};
}
] ++ zipAttrsWithLanguageOption "settings");
"extensions.experimental.affinity" = {
"vscodevim.vim" = 1;
};
}
]
++ zipAttrsWithLanguageOption "settings"
);
};
home.file.".continue/config.json".text = lib.generators.toJSON { } {
@ -180,7 +246,7 @@ in
}
];
tabAutocompleteModel = {
model ="deepseek-coder:6.7b-base";
model = "deepseek-coder:6.7b-base";
provider = "ollama";
title = "codegemma";
};

2
modules/home-manager/zellij.nix
View file

@ -1,4 +1,4 @@
{ config, lib, ... }:
{ config, lib, ... }:
with lib;

15
modules/nixos/common-settings/auth.nix
View file

@ -1,7 +1,17 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) mkIf mkEnableOption mkOption types;
inherit (lib)
mkIf
mkEnableOption
mkOption
types
;
cfg = config.commonSettings.auth;
in
@ -38,4 +48,3 @@ in
};
};
}

24
modules/nixos/common-settings/nix-conf.nix
View file

@ -1,7 +1,17 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) mkIf mkEnableOption mkOption types;
inherit (lib)
mkIf
mkEnableOption
mkOption
types
;
cfg = config.commonSettings.nix;
in
@ -33,7 +43,10 @@ in
nix.optimise.automatic = true;
nix.settings = {
experimental-features = [ "nix-command" "flakes" ];
experimental-features = [
"nix-command"
"flakes"
];
auto-optimise-store = true;
trusted-users = [ "root" ];
@ -52,10 +65,7 @@ in
"xin-1:8/ul1IhdWLswERF/8RfeAw8VZqjwHrJ1x55y1yjxQ+Y="
];
secret-key-files = mkIf cfg.signing.enable [
cfg.signing.keyFile
];
secret-key-files = mkIf cfg.signing.enable [ cfg.signing.keyFile ];
};
};
}

11
modules/nixos/forgejo-actions-runner.nix
View file

@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
let
cfg = config.custom.forgejo-actions-runner;
in
@ -6,9 +11,7 @@ in
options = {
custom.forgejo-actions-runner = {
enable = lib.mkEnableOption "TPM supported ssh agent in go";
tokenFile = lib.mkOption {
type = lib.types.path;
};
tokenFile = lib.mkOption { type = lib.types.path; };
};
};
config = lib.mkIf cfg.enable {

27
modules/nixos/hedgedoc.nix
View file

@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
with lib;
@ -26,22 +31,12 @@ in
};
oidc = {
enable = mkEnableOption "OIDC support for HedgeDoc";
baseURL = mkOption {
type = types.str;
};
authorizationURL = mkOption {
type = types.str;
};
tokenURL = mkOption {
type = types.str;
};
userProfileURL = mkOption {
type = types.str;
};
};
environmentFile = mkOption {
type = types.path;
baseURL = mkOption { type = types.str; };
authorizationURL = mkOption { type = types.str; };
tokenURL = mkOption { type = types.str; };
userProfileURL = mkOption { type = types.str; };
};
environmentFile = mkOption { type = types.path; };
};
};
config = mkIf cfg.enable {

86
modules/nixos/inbounds.nix
View file

@ -1,19 +1,16 @@
{ config
, lib
, ... }:
{ config, lib, ... }:
let
cfg = config.custom.sing-box-server;
secretFileType = lib.types.submodule {
_secret = lib.types.path;
};
secretFileType = lib.types.submodule { _secret = lib.types.path; };
singTls = {
enabled = true;
server_name = config.deployment.targetHost;
key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem";
certificate_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem";
certificate_path =
config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem";
};
in
in
{
options = {
enable = lib.mkEnableOption "sing-box proxy server";
@ -22,17 +19,11 @@ in
type = lib.types.str;
default = "proxy";
};
password = lib.mkOption {
type = secretFileType;
};
uuid = lib.mkOption {
type = secretFileType;
};
password = lib.mkOption { type = secretFileType; };
uuid = lib.mkOption { type = secretFileType; };
};
wgOut = {
privKeyFile = lib.mkOption {
type = lib.types.path;
};
privKeyFile = lib.mkOption { type = lib.types.path; };
pubkey = lib.mkOption {
type = lib.types.str;
default = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";
@ -73,17 +64,19 @@ in
}
];
};
inbounds = [
# TODO: Trojan and tuic enable
{
tag = "trojan-in";
type = "trojan";
listen = "::";
listen_port = 8080;
users = map (u: removeAttrs u [ "uuid" ]) cfg.users;
tls = singTls;
}
] ++ lib.forEach (cfg.tuic.ports ++ cfg.tuic.directPorts) (port: {
inbounds =
[
# TODO: Trojan and tuic enable
{
tag = "trojan-in";
type = "trojan";
listen = "::";
listen_port = 8080;
users = map (u: removeAttrs u [ "uuid" ]) cfg.users;
tls = singTls;
}
]
++ lib.forEach (cfg.tuic.ports ++ cfg.tuic.directPorts) (port: {
tag = "tuic-in" + toString port;
type = "tuic";
listen = "::";
@ -102,25 +95,40 @@ in
"2606:4700:110:82ed:a443:3c62:6cbc:b59b/128"
];
peers = [
{ public_key= cfg.wgOut.pubkey;
allowed_ips = [ "0.0.0.0/0" "::/0" ];
{
public_key = cfg.wgOut.pubkey;
allowed_ips = [
"0.0.0.0/0"
"::/0"
];
server = "162.159.192.1";
server_port = 500;
}
];
}
{ type = "direct"; tag = "direct-out"; }
{ type = "dns"; tag = "dns-out"; }
{
type = "direct";
tag = "direct-out";
}
{
type = "dns";
tag = "dns-out";
}
];
route = {
rules = [
{ outbound = "dns-out"; protocol = "dns"; }
] ++ lib.forEach cfg.tuic.directPorts (port: {
inbound = "tuic-in" + toString port;
outbound = "direct-out";
});
rules =
[
{
outbound = "dns-out";
protocol = "dns";
}
]
++ lib.forEach cfg.tuic.directPorts (port: {
inbound = "tuic-in" + toString port;
outbound = "direct-out";
});
};
};
};
};
}
}

49
modules/nixos/kanidm-client.nix
View file

@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
with lib;
let
@ -27,31 +32,29 @@ in
type = types.listOf types.str;
default = [ ];
};
uri = mkOption {
type = types.str;
};
uri = mkOption { type = types.str; };
};
};
config = mkIf cfg.enable {
services.kanidm = mkMerge
[ (mkIf cfg.enable {
enableClient = true;
clientSettings = {
uri = cfg.uri;
};
})
(mkIf cfg.asSSHAuth.enable {
enablePam = true;
unixSettings = {
pam_allowed_login_groups = cfg.asSSHAuth.allowedGroups;
default_shell = "/bin/sh";
};
})
];
services.kanidm = mkMerge [
(mkIf cfg.enable {
enableClient = true;
clientSettings = {
uri = cfg.uri;
};
})
(mkIf cfg.asSSHAuth.enable {
enablePam = true;
unixSettings = {
pam_allowed_login_groups = cfg.asSSHAuth.allowedGroups;
default_shell = "/bin/sh";
};
})
];
services.openssh = mkIf cfg.asSSHAuth.enable {
enable = true;
authorizedKeysCommand = "/etc/ssh/auth %u";
authorizedKeysCommandUser = "kanidm-ssh-runner";
authorizedKeysCommandUser = "kanidm-ssh-runner";
settings = mkIf cfg.asSSHAuth.enable {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
@ -70,8 +73,10 @@ in
};
users.groups.wheel.members = cfg.sudoers;
users.groups.kanidm-ssh-runner = { };
users.users.kanidm-ssh-runner = { isSystemUser = true; group = "kanidm-ssh-runner"; };
users.users.kanidm-ssh-runner = {
isSystemUser = true;
group = "kanidm-ssh-runner";
};
};
}

62
modules/nixos/miniflux.nix
View file

@ -1,6 +1,19 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
let
inherit (lib) mkEnableOption mkPackageOption mkOption types literalExpression mkIf mkDefault;
inherit (lib)
mkEnableOption
mkPackageOption
mkOption
types
literalExpression
mkIf
mkDefault
;
cfg = config.custom.miniflux;
defaultAddress = "localhost:8080";
@ -18,12 +31,15 @@ in
package = mkPackageOption pkgs "miniflux" { };
oauth2SecretFile = mkOption {
type = types.path;
};
oauth2SecretFile = mkOption { type = types.path; };
environment = mkOption {
type = with types; attrsOf (oneOf [ int str ]);
type =
with types;
attrsOf (oneOf [
int
str
]);
};
createDatabaseLocally = mkOption {
@ -50,17 +66,22 @@ in
services.postgresql = lib.mkIf cfg.createDatabaseLocally {
enable = true;
ensureUsers = [{
name = "miniflux";
ensureDBOwnership = true;
}];
ensureUsers = [
{
name = "miniflux";
ensureDBOwnership = true;
}
];
ensureDatabases = [ "miniflux" ];
};
systemd.services.miniflux-dbsetup = lib.mkIf cfg.createDatabaseLocally {
description = "Miniflux database setup";
requires = [ "postgresql.service" ];
after = [ "network.target" "postgresql.service" ];
after = [
"network.target"
"postgresql.service"
];
serviceConfig = {
Type = "oneshot";
User = config.services.postgresql.superUser;
@ -72,8 +93,12 @@ in
description = "Miniflux service";
wantedBy = [ "multi-user.target" ];
requires = lib.optional cfg.createDatabaseLocally "miniflux-dbsetup.service";
after = [ "network.target" ]
++ lib.optionals cfg.createDatabaseLocally [ "postgresql.service" "miniflux-dbsetup.service" ];
after =
[ "network.target" ]
++ lib.optionals cfg.createDatabaseLocally [
"postgresql.service"
"miniflux-dbsetup.service"
];
serviceConfig = {
Type = "notify";
@ -104,12 +129,19 @@ in
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@privileged" ];
SystemCallFilter = [
"@system-service"
"~@privileged"
];
UMask = "0077";
};

18
modules/nixos/oidc-agent.nix
View file

@ -1,10 +1,20 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) mkIf mkEnableOption mkOption types;
inherit (lib)
mkIf
mkEnableOption
mkOption
types
;
cfg = config.programs.oidc-agent;
providerFormat = pkgs.formats.json {};
providerFormat = pkgs.formats.json { };
in
{
options.programs.oidc-agent = {
@ -18,7 +28,7 @@ in
};
providers = mkOption {
type = providerFormat.type;
default = {};
default = { };
description = ''
Configuration of providers which contains a json array of json objects
each describing an issuer, see https://indigo-dc.gitbook.io/oidc-agent/configuration/issuers

20
modules/nixos/prometheus/blackbox.nix
View file

@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
cfg = config.custom.prometheus;
in
@ -8,7 +13,7 @@ in
enable = true;
listenAddress = "127.0.0.1";
configFile = pkgs.writeText "blackbox.config.yaml" (
lib.generators.toYAML {} {
lib.generators.toYAML { } {
modules = {
tcp4_connect = {
prober = "tcp";
@ -25,7 +30,7 @@ in
};
services.prometheus.scrapeConfigs = [
{
{
job_name = "blackbox";
scrape_interval = "1m";
metrics_path = "/probe";
@ -73,8 +78,13 @@ in
alert = "HighProbeLatency";
expr = "probe_duration_seconds > 0.5";
for = "2m";
labels = { severity = "warning"; };
annotations = { summary = "High request latency on {{ $labels.instance }}"; description = "95th percentile of request latency is above 0.5 seconds for the last 2 minutes."; };
labels = {
severity = "warning";
};
annotations = {
summary = "High request latency on {{ $labels.instance }}";
description = "95th percentile of request latency is above 0.5 seconds for the last 2 minutes.";
};
}
];
}

12
modules/nixos/prometheus/caddy.nix
View file

@ -13,9 +13,7 @@ in
services.prometheus.scrapeConfigs = [
{
job_name = "caddy";
static_configs = [
{ targets = [ "127.0.0.1:2019" ]; }
];
static_configs = [ { targets = [ "127.0.0.1:2019" ]; } ];
}
];
@ -27,8 +25,12 @@ in
alert = "UpstreamHealthy";
expr = "caddy_reverse_proxy_upstreams_healthy != 1";
for = "5m";
labels = { severity = "critical"; };
annotations = { summary = "Upstream {{ $labels.unstream }} not healthy"; };
labels = {
severity = "critical";
};
annotations = {
summary = "Upstream {{ $labels.unstream }} not healthy";
};
}
];
}

312
modules/nixos/prometheus/default.nix
View file

@ -1,26 +1,31 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
with lib;
let
cfg = config.custom.prometheus;
mkExporterOption = enableOption: (mkOption {
type = types.bool;
default = enableOption;
description = "Enable this exporter";
});
mkExporterOption =
enableOption:
(mkOption {
type = types.bool;
default = enableOption;
description = "Enable this exporter";
});
mkRulesOption = mkOption {
type = types.listOf (types.submodule {
options = {
name = mkOption {
type = lib.types.str;
type = types.listOf (
types.submodule {
options = {
name = mkOption { type = lib.types.str; };
rules = mkOption { type = lib.types.listOf lib.types.attrs; };
};
rules = mkOption {
type = lib.types.listOf lib.types.attrs;
};
};
});
}
);
};
in
{
@ -54,153 +59,172 @@ in
};
grafana = {
enable = mkEnableOption "Grafana Cloud";
password_file = mkOption {
type = types.path;
};
password_file = mkOption { type = types.path; };
};
ruleModules = mkRulesOption;
};
};
config = mkIf cfg.enable
{
services.tailscale = {
enable = true;
permitCertUid = config.services.caddy.user;
openFirewall = true;
};
config = mkIf cfg.enable {
services.tailscale = {
enable = true;
permitCertUid = config.services.caddy.user;
openFirewall = true;
};
services.caddy = {
enable = true;
virtualHosts."${config.networking.hostName}.coho-tet.ts.net".extraConfig = ''
reverse_proxy 127.0.0.1:${toString config.services.prometheus.port}
'';
};
services.caddy = {
enable = true;
virtualHosts."${config.networking.hostName}.coho-tet.ts.net".extraConfig = ''
reverse_proxy 127.0.0.1:${toString config.services.prometheus.port}
'';
};
services.prometheus = mkIf cfg.enable
services.prometheus = mkIf cfg.enable {
enable = true;
port = 9091;
globalConfig.external_labels = {
hostname = config.networking.hostName;
};
remoteWrite = mkIf cfg.grafana.enable [
{
name = "grafana";
url = "https://prometheus-prod-24-prod-eu-west-2.grafana.net/api/prom/push";
basic_auth = {
username = "1340065";
password_file = cfg.grafana.password_file;
};
}
];
exporters = {
node = {
enable = true;
port = 9091;
globalConfig.external_labels = { hostname = config.networking.hostName; };
remoteWrite = mkIf cfg.grafana.enable [
{
name = "grafana";
url = "https://prometheus-prod-24-prod-eu-west-2.grafana.net/api/prom/push";
basic_auth = {
username = "1340065";
password_file = cfg.grafana.password_file;
};
}
enabledCollectors = [
"loadavg"
"time"
"systemd"
];
exporters = {
node = {
enable = true;
enabledCollectors = [
"loadavg"
"time"
"systemd"
];
listenAddress = "127.0.0.1";
port = 9100;
};
};
scrapeConfigs = [
{
job_name = "prometheus";
static_configs = [
{ targets = [ "localhost:${toString config.services.prometheus.port}" ]; }
];
}
{
job_name = "node";
static_configs = [
{ targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; }
];
}
];
alertmanager = {
enable = true;
listenAddress = "127.0.0.1";
logLevel = "debug";
configuration = {
route = {
receiver = "ntfy";
};
receivers = [
{
name = "ntfy";
webhook_configs = [
{
url = "https://ntfy.xinyang.life/prometheus-alerts?tpl=yes&m=${lib.escapeURL ''
Alert {{.status}}
{{range .alerts}}-----{{range $k,$v := .labels}}
{{$k}}={{$v}}{{end}}
{{end}}
''}";
send_resolved = true;
}
];
}
];
};
};
alertmanagers = [
{
scheme = "http";
static_configs = [
{
targets = [
"${config.services.prometheus.alertmanager.listenAddress}:${toString config.services.prometheus.alertmanager.port}"
];
}
];
}
];
rules = [ (lib.generators.toYAML { } { groups = cfg.ruleModules; }) ];
listenAddress = "127.0.0.1";
port = 9100;
};
custom.prometheus.ruleModules = [
};
scrapeConfigs = [
{
name = "system_alerts";
rules = [
job_name = "prometheus";
static_configs = [ { targets = [ "localhost:${toString config.services.prometheus.port}" ]; } ];
}
{
job_name = "node";
static_configs = [
{ targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; }
];
}
];
alertmanager = {
enable = true;
listenAddress = "127.0.0.1";
logLevel = "debug";
configuration = {
route = {
receiver = "ntfy";
};
receivers = [
{
alert = "SystemdFailedUnits";
expr = "node_systemd_unit_state{state=\"failed\"} > 0";
for = "5m";
labels = { severity = "critical"; };
annotations = { summary = "Systemd has failed units on {{ $labels.instance }}"; description = "There are {{ $value }} failed units on {{ $labels.instance }}. Immediate attention required!"; };
name = "ntfy";
webhook_configs = [
{
url = "https://ntfy.xinyang.life/prometheus-alerts?tpl=yes&m=${lib.escapeURL ''
Alert {{.status}}
{{range .alerts}}-----{{range $k,$v := .labels}}
{{$k}}={{$v}}{{end}}
{{end}}
''}";
send_resolved = true;
}
];
}
];
};
};
alertmanagers = [
{
scheme = "http";
static_configs = [
{
alert = "HighLoadAverage";
expr = "node_load1 > 0.8 * count without (cpu) (node_cpu_seconds_total{mode=\"idle\"})";
for = "1m";
labels = { severity = "warning"; };
annotations = { summary = "High load average detected on {{ $labels.instance }}"; description = "The 1-minute load average ({{ $value }}) exceeds 80% the number of CPUs."; };
}
{
alert = "HighTransmitTraffic";
expr = "rate(node_network_transmit_bytes_total{device!=\"lo\"}[5m]) > 100000000";
for = "1m";
labels = { severity = "warning"; };
annotations = { summary = "High network transmit traffic on {{ $labels.instance }} ({{ $labels.device }})"; description = "The network interface {{ $labels.device }} on {{ $labels.instance }} is transmitting data at a rate exceeding 100 MB/s for the last 1 minute."; };
}
{
alert = "NetworkTrafficExceedLimit";
expr = ''increase(node_network_transmit_bytes_total{device!="lo",device!~"tailscale.*",device!~"wg.*",device!~"br.*"}[30d]) > 322122547200'';
for = "0m";
labels = { severity = "critical"; };
annotations = { summary = "Outbound network traffic exceed 300GB for last 30 day"; };
}
{
alert = "JobDown";
expr = "up == 0";
for = "1m";
labels = { severity = "critical"; };
annotations = { summary = "Job {{ $labels.job }} down for 1m."; };
targets = [
"${config.services.prometheus.alertmanager.listenAddress}:${toString config.services.prometheus.alertmanager.port}"
];
}
];
}
];
rules = [ (lib.generators.toYAML { } { groups = cfg.ruleModules; }) ];
};
custom.prometheus.ruleModules = [
{
name = "system_alerts";
rules = [
{
alert = "SystemdFailedUnits";
expr = "node_systemd_unit_state{state=\"failed\"} > 0";
for = "5m";
labels = {
severity = "critical";
};
annotations = {
summary = "Systemd has failed units on {{ $labels.instance }}";
description = "There are {{ $value }} failed units on {{ $labels.instance }}. Immediate attention required!";
};
}
{
alert = "HighLoadAverage";
expr = "node_load1 > 0.8 * count without (cpu) (node_cpu_seconds_total{mode=\"idle\"})";
for = "1m";
labels = {
severity = "warning";
};
annotations = {
summary = "High load average detected on {{ $labels.instance }}";
description = "The 1-minute load average ({{ $value }}) exceeds 80% the number of CPUs.";
};
}
{
alert = "HighTransmitTraffic";
expr = "rate(node_network_transmit_bytes_total{device!=\"lo\"}[5m]) > 100000000";
for = "1m";
labels = {
severity = "warning";
};
annotations = {
summary = "High network transmit traffic on {{ $labels.instance }} ({{ $labels.device }})";
description = "The network interface {{ $labels.device }} on {{ $labels.instance }} is transmitting data at a rate exceeding 100 MB/s for the last 1 minute.";
};
}
{
alert = "NetworkTrafficExceedLimit";
expr = ''increase(node_network_transmit_bytes_total{device!="lo",device!~"tailscale.*",device!~"wg.*",device!~"br.*"}[30d]) > 322122547200'';
for = "0m";
labels = {
severity = "critical";
};
annotations = {
summary = "Outbound network traffic exceed 300GB for last 30 day";
};
}
{
alert = "JobDown";
expr = "up == 0";
for = "1m";
labels = {
severity = "critical";
};
annotations = {
summary = "Job {{ $labels.job }} down for 1m.";
};
}
];
}
];
};
}

4
modules/nixos/prometheus/gotosocial.nix
View file

@ -10,9 +10,7 @@ in
services.prometheus.scrapeConfigs = [
{
job_name = "gotosocial";
static_configs = [
{ targets = [ "localhost:8080" ]; }
];
static_configs = [ { targets = [ "localhost:8080" ]; } ];
}
];
};

11
modules/nixos/prometheus/immich.nix
View file

@ -3,9 +3,10 @@ let
cfg = config.custom.prometheus;
immichEnv = config.services.immich.environment;
metricPort =
if builtins.hasAttr "IMMICH_API_METRICS_PORT" immichEnv
then immichEnv.IMMICH_API_METRICS_PORT
else 8081;
if builtins.hasAttr "IMMICH_API_METRICS_PORT" immichEnv then
immichEnv.IMMICH_API_METRICS_PORT
else
8081;
in
{
config = lib.mkIf (cfg.enable && cfg.exporters.immich.enable) {
@ -16,9 +17,7 @@ in
services.prometheus.scrapeConfigs = [
{
job_name = "immich";
static_configs = [
{ targets = [ "127.0.0.1:${toString metricPort}" ]; }
];
static_configs = [ { targets = [ "127.0.0.1:${toString metricPort}" ]; } ];
}
];
};

4
modules/nixos/prometheus/miniflux.nix
View file

@ -8,9 +8,7 @@ in
services.prometheus.scrapeConfigs = [
{
job_name = "miniflux";
static_configs = [
{ targets = [ config.systemd.services.miniflux.environment.LISTEN_ADDR ]; }
];
static_configs = [ { targets = [ config.systemd.services.miniflux.environment.LISTEN_ADDR ]; } ];
}
];
};

4
modules/nixos/prometheus/ntfy-sh.nix
View file

@ -8,9 +8,7 @@ in
services.prometheus.scrapeConfigs = [
{
job_name = "ntfy-sh";
static_configs = [
{ targets = [ "ntfy.xinyang.life" ]; }
];
static_configs = [ { targets = [ "ntfy.xinyang.life" ]; } ];
}
];
};

22
modules/nixos/prometheus/restic.nix
View file

@ -9,9 +9,7 @@ in
services.prometheus.scrapeConfigs = [
(lib.mkIf cfg.exporters.restic.enable {
job_name = "restic";
static_configs = [
{ targets = [ config.services.restic.server.listenAddress ]; }
];
static_configs = [ { targets = [ config.services.restic.server.listenAddress ]; } ];
})
];
@ -23,15 +21,25 @@ in
alert = "ResticCheckFailed";
expr = "restic_check_success == 0";
for = "5m";
labels = { severity = "critical"; };
annotations = { summary = "Restic check failed (instance {{ $labels.instance }})"; description = "Restic check failed\\n VALUE = {{ $value }}\\n LABELS = {{ $labels }}"; };
labels = {
severity = "critical";
};
annotations = {
summary = "Restic check failed (instance {{ $labels.instance }})";
description = "Restic check failed\\n VALUE = {{ $value }}\\n LABELS = {{ $labels }}";
};
}
{
alert = "ResticOutdatedBackup";
expr = "time() - restic_backup_timestamp > 518400";
for = "0m";
labels = { severity = "critical"; };
annotations = { summary = "Restic {{ $labels.client_hostname }} / {{ $labels.client_username }} backup is outdated"; description = "Restic backup is outdated\\n VALUE = {{ $value }}\\n LABELS = {{ $labels }}"; };
labels = {
severity = "critical";
};
annotations = {
summary = "Restic {{ $labels.client_hostname }} / {{ $labels.client_username }} backup is outdated";
description = "Restic backup is outdated\\n VALUE = {{ $value }}\\n LABELS = {{ $labels }}";
};
}
];
}

8
modules/nixos/restic.nix
View file

@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
let
cfg = config.custom.restic;
in
@ -45,4 +50,3 @@ in
};
};
}

21
modules/nixos/sing-box.nix
View file

@ -1,4 +1,10 @@
{ config, pkgs, lib, utils, ... }:
{
config,
pkgs,
lib,
utils,
...
}:
let
cfg = config.custom.sing-box;
settingsFormat = pkgs.formats.json { };
@ -16,9 +22,7 @@ in
};
configFile = {
urlFile = lib.mkOption {
type = lib.types.path;
};
urlFile = lib.mkOption { type = lib.types.path; };
name = lib.mkOption {
type = lib.types.str;
default = "config.json";
@ -62,10 +66,10 @@ in
systemd.packages = [ cfg.package ];
systemd.services.sing-box =
let
configFile = cfg.stateDir + "/${cfg.configFile.name}";
in
systemd.services.sing-box =
let
configFile = cfg.stateDir + "/${cfg.configFile.name}";
in
{
preStart = ''
umask 0077
@ -81,4 +85,3 @@ in
};
};
}

7
modules/nixos/ssh-tpm-agent.nix
View file

@ -1,5 +1,10 @@
# Temporary workaround
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
let
cfg = config.services.ssh-tpm-agent;
in

10
modules/nixos/vaultwarden.nix
View file

@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
with lib;
@ -23,7 +28,7 @@ in
};
};
config = mkIf cfg.enable {
services.vaultwarden = {
services.vaultwarden = {
enable = true;
dbBackend = "sqlite";
config = {
@ -44,4 +49,3 @@ in
};
};
}