From 4e182bec1de024b32985bd8cd427434570605723 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Thu, 6 Jun 2024 17:52:20 +0200 Subject: [PATCH] reformat with nixfmt --- devShells/flake-module.nix | 37 +- flake.nix | 86 +- modules/admins.nix | 5 +- modules/flake-module.nix | 3 +- modules/initrd-networking.nix | 27 +- modules/web01/borgbackup.nix | 7 +- modules/web01/clan-merge.nix | 12 +- modules/web01/default.nix | 3 +- modules/web01/gitea/actions-runner.nix | 379 ++++---- modules/web01/gitea/default.nix | 22 +- modules/web01/gitea/postgresql.nix | 3 +- modules/web01/goaccess.nix | 14 +- modules/web01/harmonia.nix | 11 +- modules/web01/homepage.nix | 18 +- modules/web01/jobs.nix | 20 +- modules/zfs-crypto-raid.nix | 11 +- pkgs/action-create-pr/default.nix | 27 +- pkgs/action-ensure-tea-login/default.nix | 21 +- pkgs/action-flake-update-pr-clan/default.nix | 41 +- pkgs/action-flake-update/default.nix | 24 +- pkgs/clan-merge/clan_merge/__init__.py | 4 +- pkgs/clan-merge/default.nix | 24 +- pkgs/clan-merge/flake-module.nix | 3 +- pkgs/clan-merge/shell.nix | 15 +- pkgs/clan-merge/tests/test_cli.py | 4 +- pkgs/flake-module.nix | 63 +- pkgs/job-flake-updates/default.nix | 16 +- pkgs/renovate/composition.nix | 25 +- pkgs/renovate/default.nix | 7 +- pkgs/renovate/node-env.nix | 495 ++++++---- pkgs/renovate/node-packages.nix | 925 +++++++++---------- pkgs/writers.nix | 30 +- targets/flake-module.nix | 8 +- 33 files changed, 1269 insertions(+), 1121 deletions(-) diff --git a/devShells/flake-module.nix b/devShells/flake-module.nix index c77c9a3..044b75e 100644 --- a/devShells/flake-module.nix +++ b/devShells/flake-module.nix 
@@ -1,14 +1,14 @@ { perSystem = - { inputs' - , pkgs - , lib - , ... - }: + { inputs', pkgs, ... }: let - convert2Tofu = provider: provider.override (prev: { - homepage = builtins.replaceStrings [ "registry.terraform.io/providers" ] [ "registry.opentofu.org" ] prev.homepage; - }); + convert2Tofu = + provider: + provider.override (prev: { + homepage = builtins.replaceStrings [ "registry.terraform.io/providers" ] [ + "registry.opentofu.org" + ] prev.homepage; + }); in { devShells.default = pkgs.mkShellNoCC { @@ -18,17 +18,18 @@ inputs'.clan-core.packages.clan-cli - (pkgs.opentofu.withPlugins (p: builtins.map convert2Tofu [ - p.hetznerdns - p.hcloud - p.null - p.external - p.local - ])) - ]; - inputsFrom = [ - inputs'.clan-core.devShells.default + (pkgs.opentofu.withPlugins ( + p: + builtins.map convert2Tofu [ + p.hetznerdns + p.hcloud + p.null + p.external + p.local + ] + )) ]; + inputsFrom = [ inputs'.clan-core.devShells.default ]; }; }; } diff --git a/flake.nix b/flake.nix index fa72c4e..71db00b 100644 --- a/flake.nix +++ b/flake.nix 
@@ -37,39 +37,55 @@ buildbot-nix.inputs.treefmt-nix.follows = "treefmt-nix"; }; - outputs = inputs@{ flake-parts, ... }: - flake-parts.lib.mkFlake { inherit inputs; } ({ self, ... }: { - systems = [ - "x86_64-linux" - "aarch64-linux" - ]; - imports = [ - inputs.treefmt-nix.flakeModule - ./devShells/flake-module.nix - ./targets/flake-module.nix - ./modules/flake-module.nix - ./pkgs/flake-module.nix - ]; - perSystem = ({ lib, self', system, ... }: { - treefmt = { - projectRootFile = ".git/config"; - programs.hclfmt.enable = true; - programs.nixpkgs-fmt.enable = true; - settings.formatter.nixpkgs-fmt.excludes = [ - # generated files - "node-env.nix" - "node-packages.nix" - "composition.nix" - ]; - }; - checks = - let - nixosMachines = lib.mapAttrs' (name: config: lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel) ((lib.filterAttrs (_: config: config.pkgs.system == system)) self.nixosConfigurations); - packages = lib.mapAttrs' (n: lib.nameValuePair "package-${n}") self'.packages; - devShells = lib.mapAttrs' (n: lib.nameValuePair "devShell-${n}") self'.devShells; - homeConfigurations = lib.mapAttrs' (name: config: lib.nameValuePair "home-manager-${name}" config.activation-script) (self'.legacyPackages.homeConfigurations or { }); - in - nixosMachines // packages // devShells // homeConfigurations; - }); - }); + outputs = + inputs@{ flake-parts, ... }: + flake-parts.lib.mkFlake { inherit inputs; } ( + { self, ... }: + { + systems = [ + "x86_64-linux" + "aarch64-linux" + ]; + imports = [ + inputs.treefmt-nix.flakeModule + ./devShells/flake-module.nix + ./targets/flake-module.nix + ./modules/flake-module.nix + ./pkgs/flake-module.nix + ]; + perSystem = ( + { + lib, + self', + system, + ... 
+ }: + { + treefmt = { + projectRootFile = ".git/config"; + programs.hclfmt.enable = true; + programs.nixfmt-rfc-style.enable = true; + settings.formatter.nixfmt-rfc-style.excludes = [ + # generated files + "node-env.nix" + "node-packages.nix" + "composition.nix" + ]; + }; + checks = + let + nixosMachines = lib.mapAttrs' ( + name: config: lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel + ) ((lib.filterAttrs (_: config: config.pkgs.system == system)) self.nixosConfigurations); + packages = lib.mapAttrs' (n: lib.nameValuePair "package-${n}") self'.packages; + devShells = lib.mapAttrs' (n: lib.nameValuePair "devShell-${n}") self'.devShells; + homeConfigurations = lib.mapAttrs' ( + name: config: lib.nameValuePair "home-manager-${name}" config.activation-script + ) (self'.legacyPackages.homeConfigurations or { }); + in + nixosMachines // packages // devShells // homeConfigurations; + } + ); + } + ); } diff --git a/modules/admins.nix b/modules/admins.nix index df3bb04..e35e312 100644 --- a/modules/admins.nix +++ b/modules/admins.nix @@ -41,7 +41,10 @@ in extraGroups = [ "wheel" ]; shell = "/run/current-system/sw/bin/zsh"; uid = 1004; - openssh.authorizedKeys.keys = [ admins.kenji admins.kenji-remote ]; + openssh.authorizedKeys.keys = [ + admins.kenji + admins.kenji-remote + ]; }; johannes = { isNormalUser = true; diff --git a/modules/flake-module.nix b/modules/flake-module.nix index 9c57836..2310522 100644 --- a/modules/flake-module.nix +++ b/modules/flake-module.nix @@ -1,4 +1,5 @@ -{ self, inputs, ... }: { +{ self, inputs, ... }: +{ flake.nixosModules = { server.imports = [ inputs.srvos.nixosModules.server diff --git a/modules/initrd-networking.nix b/modules/initrd-networking.nix index 2c4d05f..3c5a8d3 100644 --- a/modules/initrd-networking.nix +++ b/modules/initrd-networking.nix 
@@ -1,31 +1,22 @@ -{ config -, lib -, ... -}: -with lib; let +{ config, lib, ... }: +let cfg = config.clan.networking; in { options = { - clan.networking.ipv4.address = mkOption { - type = types.str; - }; + clan.networking.ipv4.address = lib.mkOption { type = lib.types.str; }; - clan.networking.ipv4.cidr = mkOption { - type = types.str; + clan.networking.ipv4.cidr = lib.mkOption { + type = lib.types.str; default = "26"; }; - clan.networking.ipv4.gateway = mkOption { - type = types.str; - }; + clan.networking.ipv4.gateway = lib.mkOption { type = lib.types.str; }; - clan.networking.ipv6.address = mkOption { - type = types.str; - }; + clan.networking.ipv6.address = lib.mkOption { type = lib.types.str; }; - clan.networking.ipv6.cidr = mkOption { - type = types.str; + clan.networking.ipv6.cidr = lib.mkOption { + type = lib.types.str; default = "64"; }; }; diff --git a/modules/web01/borgbackup.nix b/modules/web01/borgbackup.nix index 150ae13..856a597 100644 --- a/modules/web01/borgbackup.nix +++ b/modules/web01/borgbackup.nix @@ -1,9 +1,8 @@ -{ config, ... }: { +{ config, ... }: +{ # 100GB storagebox is under the nix-community hetzner account - systemd.services.borgbackup-job-clan-lol.serviceConfig.ReadWritePaths = [ - "/var/log/telegraf" - ]; + systemd.services.borgbackup-job-clan-lol.serviceConfig.ReadWritePaths = [ "/var/log/telegraf" ]; # Run this from the hetzner network: # ssh-keyscan -p 23 u359378.your-storagebox.de diff --git a/modules/web01/clan-merge.nix b/modules/web01/clan-merge.nix index 9efe37b..3b3000b 100644 --- a/modules/web01/clan-merge.nix +++ b/modules/web01/clan-merge.nix 
@@ -1,10 +1,18 @@ -{ config, self, pkgs, ... }: { +{ + config, + self, + pkgs, + ... +}: +{ # service to for automatic merge bot systemd.services.clan-merge = { description = "Merge clan.lol PRs automatically"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; - environment = { GITEA_TOKEN_FILE = "%d/GITEA_TOKEN_FILE"; }; + environment = { + GITEA_TOKEN_FILE = "%d/GITEA_TOKEN_FILE"; + }; serviceConfig = { LoadCredential = [ "GITEA_TOKEN_FILE:${config.sops.secrets.merge-bot-gitea-token.path}" ]; Restart = "on-failure"; diff --git a/modules/web01/default.nix b/modules/web01/default.nix index d1d7b3a..5bdf337 100644 --- a/modules/web01/default.nix +++ b/modules/web01/default.nix @@ -1,4 +1,5 @@ -{ self, ... }: { +{ self, ... }: +{ imports = [ ./borgbackup.nix ./clan-merge.nix diff --git a/modules/web01/gitea/actions-runner.nix b/modules/web01/gitea/actions-runner.nix index cf7d5b3..a85d032 100644 --- a/modules/web01/gitea/actions-runner.nix +++ b/modules/web01/gitea/actions-runner.nix @@ -1,8 +1,26 @@ -{ config, self, pkgs, lib, ... }: +{ + config, + self, + pkgs, + lib, + ... +}: let storeDeps = pkgs.runCommand "store-deps" { } '' mkdir -p $out/bin - for dir in ${toString [ pkgs.coreutils pkgs.findutils pkgs.gnugrep pkgs.gawk pkgs.git pkgs.nix pkgs.bash pkgs.jq pkgs.nodejs ]}; do + for dir in ${ + toString [ + pkgs.coreutils + pkgs.findutils + pkgs.gnugrep + pkgs.gawk + pkgs.git + pkgs.nix + pkgs.bash + pkgs.jq + pkgs.nodejs + ] + }; do for bin in "$dir"/bin/*; do ln -s "$bin" "$out/bin/$(basename "$bin")" done 
@@ -14,87 +32,95 @@ let ''; numInstances = 2; in -lib.mkMerge [{ - # everything here has no dependencies on the store - systemd.services.gitea-runner-nix-image = { - wantedBy = [ "multi-user.target" ]; - after = [ "podman.service" ]; - requires = [ "podman.service" ]; - path = [ config.virtualisation.podman.package pkgs.gnutar pkgs.shadow pkgs.getent ]; - # we also include etc here because the cleanup job also wants the nixuser to be present - script = '' - set -eux -o pipefail - mkdir -p etc/nix - - # Create an unpriveleged user that we can use also without the run-as-user.sh script - touch etc/passwd etc/group - groupid=$(cut -d: -f3 < <(getent group nixuser)) - userid=$(cut -d: -f3 < <(getent passwd nixuser)) - groupadd --prefix $(pwd) --gid "$groupid" nixuser - emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.' - useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixuser - - cat < etc/nix/nix.conf - accept-flake-config = true - experimental-features = nix-command flakes - NIX_CONFIG - - cat < etc/nsswitch.conf - passwd: files mymachines systemd - group: files mymachines systemd - shadow: files - - hosts: files mymachines dns myhostname - networks: files - - ethers: files - services: files - protocols: files - rpc: files - NSSWITCH - - # list the content as it will be imported into the container - tar -cv . | tar -tvf - - tar -cv . 
| podman import - gitea-runner-nix - ''; - serviceConfig = { - RuntimeDirectory = "gitea-runner-nix-image"; - WorkingDirectory = "/run/gitea-runner-nix-image"; - Type = "oneshot"; - RemainAfterExit = true; - }; - }; - - users.users.nixuser = { - group = "nixuser"; - description = "Used for running nix ci jobs"; - home = "/var/empty"; - isSystemUser = true; - }; - users.groups.nixuser = { }; -} +lib.mkMerge [ { - systemd.services = lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}-token") numInstances) (name: { + # everything here has no dependencies on the store + systemd.services.gitea-runner-nix-image = { wantedBy = [ "multi-user.target" ]; - after = [ "gitea.service" ]; - environment = { - GITEA_CUSTOM = "/var/lib/gitea/custom"; - GITEA_WORK_DIR = "/var/lib/gitea"; - }; + after = [ "podman.service" ]; + requires = [ "podman.service" ]; + path = [ + config.virtualisation.podman.package + pkgs.gnutar + pkgs.shadow + pkgs.getent + ]; + # we also include etc here because the cleanup job also wants the nixuser to be present script = '' - set -euo pipefail - token=$(${lib.getExe self.packages.${pkgs.hostPlatform.system}.gitea} actions generate-runner-token) - echo "TOKEN=$token" > /var/lib/gitea-registration/${name} + set -eux -o pipefail + mkdir -p etc/nix + + # Create an unpriveleged user that we can use also without the run-as-user.sh script + touch etc/passwd etc/group + groupid=$(cut -d: -f3 < <(getent group nixuser)) + userid=$(cut -d: -f3 < <(getent passwd nixuser)) + groupadd --prefix $(pwd) --gid "$groupid" nixuser + emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.' 
+ useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixuser + + cat < etc/nix/nix.conf + accept-flake-config = true + experimental-features = nix-command flakes + NIX_CONFIG + + cat < etc/nsswitch.conf + passwd: files mymachines systemd + group: files mymachines systemd + shadow: files + + hosts: files mymachines dns myhostname + networks: files + + ethers: files + services: files + protocols: files + rpc: files + NSSWITCH + + # list the content as it will be imported into the container + tar -cv . | tar -tvf - + tar -cv . | podman import - gitea-runner-nix ''; - unitConfig.ConditionPathExists = [ "!/var/lib/gitea-registration/${name}" ]; serviceConfig = { - User = "gitea"; - Group = "gitea"; - StateDirectory = "gitea-registration"; + RuntimeDirectory = "gitea-runner-nix-image"; + WorkingDirectory = "/run/gitea-runner-nix-image"; Type = "oneshot"; RemainAfterExit = true; }; - }); + }; + + users.users.nixuser = { + group = "nixuser"; + description = "Used for running nix ci jobs"; + home = "/var/empty"; + isSystemUser = true; + }; + users.groups.nixuser = { }; + } + { + systemd.services = + lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}-token") numInstances) + (name: { + wantedBy = [ "multi-user.target" ]; + after = [ "gitea.service" ]; + environment = { + GITEA_CUSTOM = "/var/lib/gitea/custom"; + GITEA_WORK_DIR = "/var/lib/gitea"; + }; + script = '' + set -euo pipefail + token=$(${lib.getExe self.packages.${pkgs.hostPlatform.system}.gitea} actions generate-runner-token) + echo "TOKEN=$token" > /var/lib/gitea-registration/${name} + ''; + unitConfig.ConditionPathExists = [ "!/var/lib/gitea-registration/${name}" ]; + serviceConfig = { + User = "gitea"; + Group = "gitea"; + StateDirectory = "gitea-registration"; + Type = "oneshot"; + RemainAfterExit = true; + }; + }); # Format of the token file: virtualisation = { 
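Review bot: The token service writes the runner registration token with a plain redirect (`echo "TOKEN=$token" > /var/lib/gitea-registration/${name}`) and neither the unit nor the script sets a umask, so the file in the gitea-owned StateDirectory is most likely created 0644 and readable by every local account, including the `nixuser` that CI jobs run as. Adding `UMask = "0077";` to that unit's serviceConfig (or writing the file via `install -m 0600`) would close this; if the runner module consumes `tokenFile` through `EnvironmentFile=`, systemd reads it before dropping privileges, so a 0600 file should still work, but that is worth confirming against the module. Separately, the image's nix.conf sets `accept-flake-config = true`, which means `nixConfig` from any flake a job evaluates, including PR-supplied ones, is applied without a prompt; a comment stating that this is intentional for untrusted PRs, or dropping the setting, would help the next reader. The enclosing `lib.mkMerge` list continues past the end of this hunk.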
@@ -111,106 +137,119 @@ lib.mkMerge [{ virtualisation.containers.containersConf.settings = { # podman seems to not work with systemd-resolved - containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ]; + containers.dns_servers = [ + "8.8.8.8" + "8.8.4.4" + ]; }; } { - systemd.services = lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}") numInstances) (name: { - after = [ - "${name}-token.service" - "gitea-runner-nix-image.service" - ]; - requires = [ - "${name}-token.service" - "gitea-runner-nix-image.service" - ]; + systemd.services = + lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}") numInstances) + (name: { + after = [ + "${name}-token.service" + "gitea-runner-nix-image.service" + ]; + requires = [ + "${name}-token.service" + "gitea-runner-nix-image.service" + ]; - # TODO: systemd confinment - serviceConfig = { - # Hardening (may overlap with DynamicUser=) - # The following options are only for optimizing output of systemd-analyze - AmbientCapabilities = ""; - CapabilityBoundingSet = ""; - # ProtectClock= adds DeviceAllow=char-rtc r - DeviceAllow = ""; - NoNewPrivileges = true; - PrivateDevices = true; - PrivateMounts = true; - PrivateTmp = true; - PrivateUsers = true; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectSystem = "strict"; - RemoveIPC = true; - RestrictNamespaces = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - UMask = "0066"; - ProtectProc = "invisible"; - SystemCallFilter = [ - "~@clock" - "~@cpu-emulation" - "~@module" - "~@mount" - "~@obsolete" - "~@raw-io" - "~@reboot" - "~@swap" - # needed by go? 
- #"~@resources" - "~@privileged" - "~capset" - "~setdomainname" - "~sethostname" - ]; - RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ]; + # TODO: systemd confinment + serviceConfig = { + # Hardening (may overlap with DynamicUser=) + # The following options are only for optimizing output of systemd-analyze + AmbientCapabilities = ""; + CapabilityBoundingSet = ""; + # ProtectClock= adds DeviceAllow=char-rtc r + DeviceAllow = ""; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "strict"; + RemoveIPC = true; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + UMask = "0066"; + ProtectProc = "invisible"; + SystemCallFilter = [ + "~@clock" + "~@cpu-emulation" + "~@module" + "~@mount" + "~@obsolete" + "~@raw-io" + "~@reboot" + "~@swap" + # needed by go? 
+ #"~@resources" + "~@privileged" + "~capset" + "~setdomainname" + "~sethostname" + ]; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_UNIX" + "AF_NETLINK" + ]; - # Needs network access - PrivateNetwork = false; - # Cannot be true due to Node - MemoryDenyWriteExecute = false; + # Needs network access + PrivateNetwork = false; + # Cannot be true due to Node + MemoryDenyWriteExecute = false; - # The more restrictive "pid" option makes `nix` commands in CI emit - # "GC Warning: Couldn't read /proc/stat" - # You may want to set this to "pid" if not using `nix` commands - ProcSubset = "all"; - # Coverage programs for compiled code such as `cargo-tarpaulin` disable - # ASLR (address space layout randomization) which requires the - # `personality` syscall - # You may want to set this to `true` if not using coverage tooling on - # compiled code - LockPersonality = false; + # The more restrictive "pid" option makes `nix` commands in CI emit + # "GC Warning: Couldn't read /proc/stat" + # You may want to set this to "pid" if not using `nix` commands + ProcSubset = "all"; + # Coverage programs for compiled code such as `cargo-tarpaulin` disable + # ASLR (address space layout randomization) which requires the + # `personality` syscall + # You may want to set this to `true` if not using coverage tooling on + # compiled code + LockPersonality = false; - # Note that this has some interactions with the User setting; so you may - # want to consult the systemd docs if using both. - DynamicUser = true; - }; - }); + # Note that this has some interactions with the User setting; so you may + # want to consult the systemd docs if using both. 
+ DynamicUser = true; + }; + }); - services.gitea-actions-runner.instances = lib.genAttrs (builtins.genList (n: "nix${builtins.toString n}") numInstances) (name: { - enable = true; - name = "nix-runner"; - # take the git root url from the gitea config - # only possible if you've also configured your gitea though the same nix config - # otherwise you need to set it manually - url = config.services.gitea.settings.server.ROOT_URL; - # use your favourite nix secret manager to get a path for this - tokenFile = "/var/lib/gitea-registration/gitea-runner-${name}-token"; - labels = [ "nix:docker://gitea-runner-nix" ]; - settings = { - container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm"; - # the default network that also respects our dns server settings - container.network = "host"; - container.valid_volumes = [ - "/nix" - "${storeDeps}/bin" - "${storeDeps}/etc/ssl" - ]; - }; - }); - }] + services.gitea-actions-runner.instances = + lib.genAttrs (builtins.genList (n: "nix${builtins.toString n}") numInstances) + (name: { + enable = true; + name = "nix-runner"; + # take the git root url from the gitea config + # only possible if you've also configured your gitea though the same nix config + # otherwise you need to set it manually + url = config.services.gitea.settings.server.ROOT_URL; + # use your favourite nix secret manager to get a path for this + tokenFile = "/var/lib/gitea-registration/gitea-runner-${name}-token"; + labels = [ "nix:docker://gitea-runner-nix" ]; + settings = { + container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm"; + # the default network that also respects our dns server 
settings + container.network = "host"; + container.valid_volumes = [ + "/nix" + "${storeDeps}/bin" + "${storeDeps}/etc/ssl" + ]; + }; + }); + } +] diff --git a/modules/web01/gitea/default.nix b/modules/web01/gitea/default.nix index cd41223..080745c 100644 --- a/modules/web01/gitea/default.nix +++ b/modules/web01/gitea/default.nix @@ -1,12 +1,22 @@ -{ config, pkgs, lib, self, ... }: +{ + pkgs, + lib, + self, + config, + ... +}: let # make the logs for this host "public" so that they show up in e.g. metrics - publog = vhost: lib.attrsets.unionOfDisjoint vhost { - extraConfig = (vhost.extraConfig or "") + '' - access_log /var/log/nginx/public.log vcombined; - ''; - }; + publog = + vhost: + lib.attrsets.unionOfDisjoint vhost { + extraConfig = + (vhost.extraConfig or "") + + '' + access_log /var/log/nginx/public.log vcombined; + ''; + }; in { diff --git a/modules/web01/gitea/postgresql.nix b/modules/web01/gitea/postgresql.nix index 67a7486..c5dde57 100644 --- a/modules/web01/gitea/postgresql.nix +++ b/modules/web01/gitea/postgresql.nix @@ -1,4 +1,5 @@ -{ pkgs, ... }: { +{ pkgs, ... }: +{ services.postgresql.enable = true; services.postgresql.package = pkgs.postgresql_14; services.postgresql.settings = { diff --git a/modules/web01/goaccess.nix b/modules/web01/goaccess.nix index e243df5..231921f 100644 --- a/modules/web01/goaccess.nix +++ b/modules/web01/goaccess.nix @@ -1,4 +1,4 @@ -{ stdenv, lib, pkgs, ... }: +{ pkgs, ... }: let domain = "metrics.clan.lol"; @@ -38,14 +38,13 @@ in "d ${pub_goaccess} 0755 goaccess nginx -" ]; - # --browsers-file=/etc/goaccess/browsers.list # https://raw.githubusercontent.com/allinurl/goaccess/master/config/browsers.list systemd.services.goaccess = { description = "GoAccess server monitoring"; preStart = '' - rm -f ${pub_goaccess}/index.html - ''; + rm -f ${pub_goaccess}/index.html + ''; serviceConfig = { User = "goaccess"; Group = "nginx"; 
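Review bot: `container.options` passes the KVM device twice, once as `--device /dev/kvm` and again as `--device=/dev/kvm`, so one of the two should be dropped. More importantly, the same line bind-mounts `/nix` read-write and `container.network = "host"` puts jobs on the host network stack, so a workflow from a PR that gets the `nix` label can presumably reach loopback-only services on web01 (postgresql is enabled in this same tree) and the host nix daemon socket under /nix/var; whether that is acceptable depends on who may trigger runs, which the config does not show. A comment above `container.network` recording that trust assumption, e.g. `# host networking: CI jobs can reach loopback services — only hand out the nix label to trusted repos`, would make the boundary explicit. The enclosing `lib.mkMerge` list opens before this hunk.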
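Review bot: `publog` appends `access_log /var/log/nginx/public.log vcombined;` to a vhost, and the combined format records the full request line including the query string, so anything a client sends in `?token=`-style parameters lands in a log the comment says is meant to be public (clan_merge in this same repo does pass its Gitea token that way). Consider a dedicated `log_format` that logs `$uri` instead of `$request`, or at least a comment on `publog` warning that vhosts wrapped with it must never receive secrets in URLs. The `publog` helper is complete within this hunk.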
@@ -83,7 +82,11 @@ in ProtectSystem = "strict"; SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @reboot @resources @setuid @swap @raw-io"; ReadOnlyPaths = "/"; - ReadWritePaths = [ "/proc/self" "${pub_goaccess}" "${priv_goaccess}" ]; + ReadWritePaths = [ + "/proc/self" + "${pub_goaccess}" + "${priv_goaccess}" + ]; PrivateDevices = "yes"; ProtectKernelModules = "yes"; ProtectKernelTunables = "yes"; @@ -92,7 +95,6 @@ in wantedBy = [ "multi-user.target" ]; }; - services.nginx.virtualHosts."${domain}" = { addSSL = true; enableACME = true; diff --git a/modules/web01/harmonia.nix b/modules/web01/harmonia.nix index 7eda587..d5ca8d8 100644 --- a/modules/web01/harmonia.nix +++ b/modules/web01/harmonia.nix @@ -1,17 +1,18 @@ -{ config, pkgs, ... }: { +{ config, pkgs, ... }: +{ services.harmonia.enable = true; # $ nix-store --generate-binary-cache-key cache.yourdomain.tld-1 harmonia.secret harmonia.pub services.harmonia.signKeyPath = config.sops.secrets.harmonia-secret.path; services.nginx = { - package = pkgs.nginxStable.override { - modules = [ pkgs.nginxModules.zstd ]; - }; + package = pkgs.nginxStable.override { modules = [ pkgs.nginxModules.zstd ]; }; }; # trust our own cache nix.settings.trusted-substituters = [ "https://cache.clan.lol" ]; - nix.settings.trusted-public-keys = [ "cache.clan.lol-1:3KztgSAB5R1M+Dz7vzkBGzXdodizbgLXGXKXlcQLA28=" ]; + nix.settings.trusted-public-keys = [ + "cache.clan.lol-1:3KztgSAB5R1M+Dz7vzkBGzXdodizbgLXGXKXlcQLA28=" + ]; services.nginx.virtualHosts."cache.clan.lol" = { forceSSL = true; diff --git a/modules/web01/homepage.nix b/modules/web01/homepage.nix index 56623b2..32601d6 100644 --- a/modules/web01/homepage.nix +++ b/modules/web01/homepage.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, self, ... }: +{ config, ... }: { security.acme.defaults.email = "admins@clan.lol"; 
@@ -6,13 +6,11 @@ # www user to push website artifacts via ssh users.users.www = { - openssh.authorizedKeys.keys = - config.users.users.root.openssh.authorizedKeys.keys - ++ [ - # ssh-homepage-key - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxZ3Av30M6Sh6NU1mnCskB16bYtNP8vskc/+ud0AU1C ssh-homepage-key" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBuYyfSuETSrwqCsWHeeClqjcsFlMEmiJN6Rr8/DwrU0 gitea-ci" - ]; + openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys ++ [ + # ssh-homepage-key + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxZ3Av30M6Sh6NU1mnCskB16bYtNP8vskc/+ud0AU1C ssh-homepage-key" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBuYyfSuETSrwqCsWHeeClqjcsFlMEmiJN6Rr8/DwrU0 gitea-ci" + ]; isSystemUser = true; shell = "/run/current-system/sw/bin/bash"; group = "www"; @@ -20,9 +18,7 @@ users.groups.www = { }; # ensure /var/www can be accessed by nginx and www user - systemd.tmpfiles.rules = [ - "d /var/www 0755 www nginx" - ]; + systemd.tmpfiles.rules = [ "d /var/www 0755 www nginx" ]; services.nginx = { diff --git a/modules/web01/jobs.nix b/modules/web01/jobs.nix index 9925787..f0c98a8 100644 --- a/modules/web01/jobs.nix +++ b/modules/web01/jobs.nix @@ -1,4 +1,10 @@ -{ config, self, pkgs, lib, ... }: +{ + config, + self, + pkgs, + lib, + ... +}: let configForJob = name: { systemd.timers.${name} = { @@ -46,9 +52,11 @@ let }; in { - config = lib.mkMerge (map configForJob [ - "job-flake-update-clan-core" - "job-flake-update-clan-homepage" - "job-flake-update-clan-infra" - ]); + config = lib.mkMerge ( + map configForJob [ + "job-flake-update-clan-core" + "job-flake-update-clan-homepage" + "job-flake-update-clan-infra" + ] + ); } diff --git a/modules/zfs-crypto-raid.nix b/modules/zfs-crypto-raid.nix index 7a3bd3c..0497350 100644 --- a/modules/zfs-crypto-raid.nix +++ b/modules/zfs-crypto-raid.nix @@ -1,4 +1,3 @@ -{ self, ... }: let mirrorBoot = idx: { type = "disk"; 
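Review bot: The `www` account exists only so artifacts can be pushed over ssh, yet its `gitea-ci` and `ssh-homepage-key` entries carry no key options and the account keeps a full `bash` shell, so any holder of the CI key (presumably stored on the runner side) gets an unrestricted interactive login on web01. Prefixing the deploy keys with `restrict,command="..."` pointing at the single upload command the push script needs (or at minimum `restrict`) limits what a leaked key can do; whether the current push tooling tolerates a forced command is not visible here. Inheriting `config.users.users.root.openssh.authorizedKeys.keys` may well be intentional, but a one-line comment saying so would help, since it widens the set of keys that can write to /var/www.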
@@ -41,8 +40,14 @@ in efiSupport = true; efiInstallAsRemovable = true; mirroredBoots = [ - { path = "/boot0"; devices = [ "nodev" ]; } - { path = "/boot1"; devices = [ "nodev" ]; } + { + path = "/boot0"; + devices = [ "nodev" ]; + } + { + path = "/boot1"; + devices = [ "nodev" ]; + } ]; }; diff --git a/pkgs/action-create-pr/default.nix b/pkgs/action-create-pr/default.nix index 05e4f40..9040bc6 100644 --- a/pkgs/action-create-pr/default.nix +++ b/pkgs/action-create-pr/default.nix @@ -1,10 +1,19 @@ -{ bash -, coreutils -, git -, tea -, openssh -, writePureShellScriptBin +{ + bash, + coreutils, + git, + tea, + openssh, + writePureShellScriptBin, }: -writePureShellScriptBin "action-create-pr" [ bash coreutils git tea openssh ] '' - bash ${./script.sh} "$@" -'' +writePureShellScriptBin "action-create-pr" + [ + bash + coreutils + git + tea + openssh + ] + '' + bash ${./script.sh} "$@" + '' diff --git a/pkgs/action-ensure-tea-login/default.nix b/pkgs/action-ensure-tea-login/default.nix index 0857ef1..5542896 100644 --- a/pkgs/action-ensure-tea-login/default.nix +++ b/pkgs/action-ensure-tea-login/default.nix @@ -1,8 +1,15 @@ -{ bash -, coreutils -, tea -, writePureShellScriptBin +{ + bash, + coreutils, + tea, + writePureShellScriptBin, }: -writePureShellScriptBin "action-ensure-tea-login" [ bash coreutils tea ] '' - bash ${./script.sh} -'' +writePureShellScriptBin "action-ensure-tea-login" + [ + bash + coreutils + tea + ] + '' + bash ${./script.sh} + '' diff --git a/pkgs/action-flake-update-pr-clan/default.nix b/pkgs/action-flake-update-pr-clan/default.nix index 34b1c0b..25b30de 100644 --- a/pkgs/action-flake-update-pr-clan/default.nix +++ b/pkgs/action-flake-update-pr-clan/default.nix 
@@ -1,20 +1,23 @@
-{ bash
-, coreutils
-, git
-, openssh
-, action-ensure-tea-login
-, action-create-pr
-, action-flake-update
-, writePureShellScriptBin
+{
+ bash,
+ coreutils,
+ git,
+ openssh,
+ action-ensure-tea-login,
+ action-create-pr,
+ action-flake-update,
+ writePureShellScriptBin,
 }:
-writePureShellScriptBin "action-flake-update-pr-clan" [
- bash
- coreutils
- git
- openssh
- action-ensure-tea-login
- action-create-pr
- action-flake-update
-] ''
- bash ${./script.sh}
-''
+writePureShellScriptBin "action-flake-update-pr-clan"
+ [
+ bash
+ coreutils
+ git
+ openssh
+ action-ensure-tea-login
+ action-create-pr
+ action-flake-update
+ ]
+ ''
+ bash ${./script.sh}
+ ''
diff --git a/pkgs/action-flake-update/default.nix b/pkgs/action-flake-update/default.nix
index 7d2560f..2bf0889 100644
--- a/pkgs/action-flake-update/default.nix
+++ b/pkgs/action-flake-update/default.nix
@@ -1,9 +1,17 @@
-{ bash
-, coreutils
-, git
-, nix
-, writePureShellScriptBin
+{
+ bash,
+ coreutils,
+ git,
+ nix,
+ writePureShellScriptBin,
 }:
-writePureShellScriptBin "action-flake-update" [ bash coreutils git nix ] ''
- bash ${./script.sh}
-''
+writePureShellScriptBin "action-flake-update"
+ [
+ bash
+ coreutils
+ git
+ nix
+ ]
+ ''
+ bash ${./script.sh}
+ ''
diff --git a/pkgs/clan-merge/clan_merge/__init__.py b/pkgs/clan-merge/clan_merge/__init__.py
index 6f765aa..cf9077b 100644
--- a/pkgs/clan-merge/clan_merge/__init__.py
+++ b/pkgs/clan-merge/clan_merge/__init__.py
@@ -1,7 +1,7 @@
 import argparse
 import json
-import urllib.request
 import urllib.error
+import urllib.request
 from os import environ
 from typing import Optional
@@ -38,6 +38,7 @@ def is_ci_green(pr: dict) -> bool:
 return False
 return True
+
 def is_org_member(user: str, token: str) -> bool:
 url = "https://git.clan.lol/api/v1/orgs/clan/members/" + user + f"?token={token}"
 try:
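Review bot: `is_org_member` sends the Gitea API token as a query parameter (`f"?token={token}"`), which puts the secret into nginx access logs and any proxy in between, and it concatenates `user` into the path without encoding. Build the request with the token in a header and the login percent-encoded: `url = "https://git.clan.lol/api/v1/orgs/clan/members/" + urllib.parse.quote(user, safe="")` followed by `req = urllib.request.Request(url, headers={"Authorization": f"token {token}"})`, then hand `req` to the `urlopen` call, which sits below the end of this hunk; `import urllib.parse` would join the imports reordered in the first hunk of this file. The function body continues past the hunk.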
@@ -50,7 +51,6 @@ def is_org_member(user: str, token: str) -> bool: raise - def merge_allowed(pr: dict, bot_name: str, token: str) -> bool: assignees = pr["assignees"] if pr["assignees"] else [] if ( diff --git a/pkgs/clan-merge/default.nix b/pkgs/clan-merge/default.nix index a9ae5f7..11107fb 100644 --- a/pkgs/clan-merge/default.nix +++ b/pkgs/clan-merge/default.nix @@ -1,9 +1,9 @@ -{ pkgs ? import { } -, lib ? pkgs.lib -, python3 ? pkgs.python3 -, ruff ? pkgs.ruff -, runCommand ? pkgs.runCommand -, +{ + pkgs ? import { }, + lib ? pkgs.lib, + python3 ? pkgs.python3, + ruff ? pkgs.ruff, + runCommand ? pkgs.runCommand, }: let pyproject = builtins.fromTOML (builtins.readFile ./pyproject.toml); @@ -32,13 +32,11 @@ let package = python3.pkgs.buildPythonPackage { inherit name src; format = "pyproject"; - nativeBuildInputs = [ - python3.pkgs.setuptools - ]; - propagatedBuildInputs = - dependencies - ++ [ ]; - passthru.tests = { inherit check; }; + nativeBuildInputs = [ python3.pkgs.setuptools ]; + propagatedBuildInputs = dependencies ++ [ ]; + passthru.tests = { + inherit check; + }; passthru.devDependencies = devDependencies; }; diff --git a/pkgs/clan-merge/flake-module.nix b/pkgs/clan-merge/flake-module.nix index 8623e16..a104914 100644 --- a/pkgs/clan-merge/flake-module.nix +++ b/pkgs/clan-merge/flake-module.nix @@ -1,5 +1,6 @@ { - perSystem = { pkgs, ... }: + perSystem = + { pkgs, ... }: let package = pkgs.callPackage ./default.nix { inherit pkgs; }; in diff --git a/pkgs/clan-merge/shell.nix b/pkgs/clan-merge/shell.nix index e506aaf..eb097bc 100644 --- a/pkgs/clan-merge/shell.nix +++ b/pkgs/clan-merge/shell.nix 
@@ -1,16 +1,11 @@
-{ pkgs ? import { } }:
+{
+ pkgs ? import { },
+}:
 let
 inherit (pkgs) lib python3;
- package = import ./default.nix {
- inherit lib pkgs python3;
- };
+ package = import ./default.nix { inherit lib pkgs python3; };
 pythonWithDeps = python3.withPackages (
- ps:
- package.propagatedBuildInputs
- ++ package.devDependencies
- ++ [
- ps.pip
- ]
+ ps: package.propagatedBuildInputs ++ package.devDependencies ++ [ ps.pip ]
 );
 checkScript = pkgs.writeScriptBin "check" ''
 nix build -f . tests -L "$@"
diff --git a/pkgs/clan-merge/tests/test_cli.py b/pkgs/clan-merge/tests/test_cli.py
index 74e3ab9..26f02c4 100644
--- a/pkgs/clan-merge/tests/test_cli.py
+++ b/pkgs/clan-merge/tests/test_cli.py
@@ -112,4 +112,6 @@ def test_list_prs_to_merge(monkeypatch: pytest.MonkeyPatch) -> None:
 assignees=[dict(login=bot_name)],
 ),
 ]
- assert clan_merge.list_prs_to_merge(prs, bot_name=bot_name, gitea_token="test") == [prs[0]]
+ assert clan_merge.list_prs_to_merge(prs, bot_name=bot_name, gitea_token="test") == [
+ prs[0]
+ ]
diff --git a/pkgs/flake-module.nix b/pkgs/flake-module.nix
index 9329022..d58fac3 100644
--- a/pkgs/flake-module.nix
+++ b/pkgs/flake-module.nix
@@ -1,33 +1,38 @@
 {
- imports = [
- ./clan-merge/flake-module.nix
- ];
- perSystem = { pkgs, config, ... }: {
- packages =
- let
- writers = pkgs.callPackage ./writers.nix { };
- in
- {
- inherit (pkgs.callPackage ./renovate { }) renovate;
- gitea = pkgs.callPackage ./gitea { };
+ imports = [ ./clan-merge/flake-module.nix ];
+ perSystem =
+ { pkgs, config, ... }:
+ {
+ packages =
+ let
+ writers = pkgs.callPackage ./writers.nix { };
+ in
+ {
+ inherit (pkgs.callPackage ./renovate { }) renovate;
+ gitea = pkgs.callPackage ./gitea { };
- action-create-pr = pkgs.callPackage ./action-create-pr {
- inherit (writers) writePureShellScriptBin;
+ action-create-pr = pkgs.callPackage ./action-create-pr {
+ inherit (writers) writePureShellScriptBin;
+ };
+ action-ensure-tea-login = pkgs.callPackage ./action-ensure-tea-login {
+ inherit (writers) writePureShellScriptBin;
+ };
+ action-flake-update = pkgs.callPackage ./action-flake-update {
+ inherit (writers) writePureShellScriptBin;
+ };
+ action-flake-update-pr-clan = pkgs.callPackage ./action-flake-update-pr-clan {
+ inherit (writers) writePureShellScriptBin;
+ inherit (config.packages) action-ensure-tea-login action-create-pr action-flake-update;
+ };
+ inherit
+ (pkgs.callPackages ./job-flake-updates {
+ inherit (writers) writePureShellScriptBin;
+ inherit (config.packages) action-flake-update-pr-clan;
+ })
+ job-flake-update-clan-core
+ job-flake-update-clan-homepage
+ job-flake-update-clan-infra
+ ;
 };
- action-ensure-tea-login = pkgs.callPackage ./action-ensure-tea-login {
- inherit (writers) writePureShellScriptBin;
- };
- action-flake-update = pkgs.callPackage ./action-flake-update {
- inherit (writers) writePureShellScriptBin;
- };
- action-flake-update-pr-clan = pkgs.callPackage ./action-flake-update-pr-clan {
- inherit (writers) writePureShellScriptBin;
- inherit (config.packages) action-ensure-tea-login action-create-pr action-flake-update;
- };
- inherit (pkgs.callPackages ./job-flake-updates {
- inherit (writers) writePureShellScriptBin;
- inherit (config.packages) action-flake-update-pr-clan;
- }) job-flake-update-clan-core job-flake-update-clan-homepage job-flake-update-clan-infra;
- };
- };
+ };
 }
diff --git a/pkgs/job-flake-updates/default.nix b/pkgs/job-flake-updates/default.nix
index cc5fcb7..4e0afdd 100644
--- a/pkgs/job-flake-updates/default.nix
+++ b/pkgs/job-flake-updates/default.nix
@@ -1,13 +1,13 @@
-{ action-flake-update-pr-clan
-, writePureShellScriptBin
-}:
+{ action-flake-update-pr-clan, writePureShellScriptBin }:
 let
- job-flake-update = repo: writePureShellScriptBin "job-flake-update-${repo}" [ action-flake-update-pr-clan ] ''
- export REPO="gitea@git.clan.lol:clan/${repo}.git"
- export KEEP_VARS="REPO''${KEEP_VARS:+ $KEEP_VARS}"
+ job-flake-update =
+ repo:
+ writePureShellScriptBin "job-flake-update-${repo}" [ action-flake-update-pr-clan ] ''
+ export REPO="gitea@git.clan.lol:clan/${repo}.git"
+ export KEEP_VARS="REPO''${KEEP_VARS:+ $KEEP_VARS}"
- action-flake-update-pr-clan
- '';
+ action-flake-update-pr-clan
+ '';
 in
 {
 job-flake-update-clan-core = job-flake-update "clan-core";
diff --git a/pkgs/renovate/composition.nix b/pkgs/renovate/composition.nix
index d9c0dae..c4d6395 100644
--- a/pkgs/renovate/composition.nix
+++ b/pkgs/renovate/composition.nix
@@ -1,17 +1,32 @@ # This file has been generated by node2nix 1.11.1. Do not edit! -{pkgs ? import { - inherit system; - }, system ? builtins.currentSystem, nodejs ? pkgs."nodejs_18"}: +{ + pkgs ? import { inherit system; }, + system ? builtins.currentSystem, + nodejs ? pkgs."nodejs_18", +}: let nodeEnv = import ./node-env.nix { - inherit (pkgs) stdenv lib python2 runCommand writeTextFile writeShellScript; + inherit (pkgs) + stdenv + lib + python2 + runCommand + writeTextFile + writeShellScript + ; inherit pkgs nodejs; libtool = if pkgs.stdenv.isDarwin then pkgs.darwin.cctools else null; }; in import ./node-packages.nix { - inherit (pkgs) fetchurl nix-gitignore stdenv lib fetchgit; + inherit (pkgs) + fetchurl + nix-gitignore + stdenv + lib + fetchgit + ; inherit nodeEnv; } diff --git a/pkgs/renovate/default.nix b/pkgs/renovate/default.nix index bc18db9..c3f442b 100644 --- a/pkgs/renovate/default.nix +++ b/pkgs/renovate/default.nix @@ -1,4 +1,9 @@ -{ pkgs, system, nodejs-18_x, makeWrapper }: +{ + pkgs, + system, + nodejs-18_x, + makeWrapper, +}: let nodePackages = import ./composition.nix { inherit pkgs system; diff --git a/pkgs/renovate/node-env.nix b/pkgs/renovate/node-env.nix index bc1e366..68f8c82 100644 --- a/pkgs/renovate/node-env.nix +++ b/pkgs/renovate/node-env.nix @@ -1,6 +1,16 @@ # This file originates from node2nix -{lib, stdenv, nodejs, python2, pkgs, libtool, runCommand, writeTextFile, writeShellScript}: +{ + lib, + stdenv, + nodejs, + python2, + pkgs, + libtool, + runCommand, + writeTextFile, + writeShellScript, +}: let # Workaround to cope with utillinux in Nixpkgs 20.09 and util-linux in Nixpkgs master @@ -9,7 +19,7 @@ let python = if nodejs ? python then nodejs.python else python2; # Create a tar wrapper that filters all the 'Ignoring unknown extended header keyword' noise - tarWrapper = runCommand "tarWrapper" {} '' + tarWrapper = runCommand "tarWrapper" { } '' mkdir -p $out/bin cat > $out/bin/tar < $out/bin/shell < $out/bin/shell <