
System and user configuration, managed by nix and home-manager

reformat all nix code

Alan Pearce
commit

0741f0290ee5e7082ff421921583ff9ad8ec6f1e

parent

83d9e0536997ccea2dde49e63d0f0f458f56ee61

1 file changed, 249 insertions(+), 183 deletions(-)

changed files
M system/linde.nixsystem/linde.nix
@@ -2,7 +2,12 @@ # Edit this configuration file to define what should be installed on
 # your system. Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running `nixos-help`).
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
 with lib;
 let
@@ -20,14 +25,13 @@ email = "alan@alanpearce.eu";
 ts-domain = "fin-marlin.ts.net";
 in
 {
- imports =
- [
- # Include the results of the hardware scan.
- ./linde-hardware.nix
+ imports = [
+ # Include the results of the hardware scan.
+ ./linde-hardware.nix
- ./settings/configuration/nix-linux.nix
- ./settings/services/git-server.nix
- ];
+ ./settings/configuration/nix-linux.nix
+ ./settings/services/git-server.nix
+ ];
 age.secrets = {
 paperless = let
@@ -47,14 +51,18 @@ redis-website.file = ../secrets/redis-website.age;
 cifs-paperless.file = ../secrets/cifs-paperless.age;
 cifs-transmission.file = ../secrets/cifs-transmission.age;
 forgejo-actions-runner.file = ../secrets/forgejo-actions-runner.age;
- golink = let golink = config.services.golink; in {
- # hope this doesn't collide...
- path = "${golink.dataDir}/.config/tsnet-golink/auth.key";
- owner = golink.user;
- mode = "400";
- symlink = false;
- file = ../secrets/golink.age;
- };
+ golink =
+ let
+ golink = config.services.golink;
+ in
+ {
+ # hope this doesn't collide...
+ path = "${golink.dataDir}/.config/tsnet-golink/auth.key";
+ owner = golink.user;
+ mode = "400";
+ symlink = false;
+ file = ../secrets/golink.age;
+ };
 rauthy.file = ../secrets/rauthy.age;
 };
@@ -104,7 +112,10 @@
 nix = {
 settings = {
 max-jobs = 2;
- trusted-users = [ "root" "nixremote" ];
+ trusted-users = [
+ "root"
+ "nixremote"
+ ];
 };
 gc = {
 dates = "08:15";
@@ -147,8 +158,16 @@ "1.1.1.1"
 "1.0.0.1"
 ];
 hosts = lib.mkForce {
- ${net-ip4} = [ "${hostname}.${domain}" hostname "redis" ];
- ${net-ip6} = [ "${hostname}.${domain}" hostname "redis" ];
+ ${net-ip4} = [
+ "${hostname}.${domain}"
+ hostname
+ "redis"
+ ];
+ ${net-ip6} = [
+ "${hostname}.${domain}"
+ hostname
+ "redis"
+ ];
 };
 defaultGateway = {
 address = net-gw;
@@ -161,15 +180,24 @@ };
 interfaces.${netif} = {
 ipv4 = {
 addresses = [
- { address = net-ip4; prefixLength = net-mask4; }
+ {
+ address = net-ip4;
+ prefixLength = net-mask4;
+ }
 ];
 routes = [
- { address = net-gw; prefixLength = 32; }
+ {
+ address = net-gw;
+ prefixLength = 32;
+ }
 ];
 };
 ipv6 = {
 addresses = [
- { address = net-ip6; prefixLength = net-mask6; }
+ {
+ address = net-ip6;
+ prefixLength = net-mask6;
+ }
 ];
 };
 };
@@ -197,7 +225,10 @@ 6885 # DHT
 6922
 config.services.transmission.settings.peer-port
 ];
- trustedInterfaces = [ "tailscale0" "podman0" ];
+ trustedInterfaces = [
+ "tailscale0"
+ "podman0"
+ ];
 };
 resolvconf = {
 enable = false;
@@ -216,7 +247,10 @@ services.tailscale = {
 enable = true;
 openFirewall = true;
 extraUpFlags = [ "--accept-routes" ];
- extraSetFlags = [ "--advertise-exit-node" "--ssh" ];
+ extraSetFlags = [
+ "--advertise-exit-node"
+ "--ssh"
+ ];
 useRoutingFeatures = "both";
 };
 services.golink = {
@@ -298,7 +332,14 @@ ];
 };
 users.users.alan = {
 shell = "/run/current-system/sw/bin/fish";
- extraGroups = [ "wheel" "caddy" "docker" "podman" "laminar" "transmission" ];
+ extraGroups = [
+ "wheel"
+ "caddy"
+ "docker"
+ "podman"
+ "laminar"
+ "transmission"
+ ];
 isNormalUser = true;
 home = "/home/alan";
 createHome = true;
@@ -496,6 +537,7 @@ acl sniff_https req.ssl_hello_type 1
 acl sniff_ssh req.payload(0,7) -m str "SSH-2.0"
 tcp-request content accept if sniff_https
 use_backend ssh if sniff_ssh
+ use_backend ssh if { req_ssl_sni -i ssh.alin.ovh }
 default_backend caddy
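Review bot: The added `use_backend ssh if { req_ssl_sni -i ssh.alin.ovh }` is a routing change, not a reformat: a TLS ClientHello whose SNI is ssh.alin.ovh is now handed to the ssh backend instead of falling through to `default_backend caddy`, which the commit title "reformat all nix code" does not disclose and a reader skimming the diff for whitespace will miss. It deserves its own commit, and an inline comment such as `# SNI ssh.alin.ovh: SSH carried inside TLS, send it to the ssh backend instead of caddy` so the intent (presumably SSH-over-TLS on the HTTPS port) is recorded next to the rule. Rule order is fine as written, since `sniff_ssh` (a raw "SSH-2.0" banner) and an SNI match cannot both hold for one connection, but it is worth confirming that the frontend's inspect delay (outside this hunk) is long enough for the ClientHello to be buffered, otherwise `req_ssl_sni` is empty and the connection lands on caddy. The enclosing haproxy frontend block starts and ends outside the hunk.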
@@ -533,7 +575,7 @@ "${hostname}.${domain}" = {
 serverAliases = [ "https://" ];
 extraConfig = ''
 respond * 204
- ${security-headers {}}
+ ${security-headers { }}
 '';
 };
 "pdns.${domain}" = {
@@ -553,7 +595,7 @@ };
 "files.${domain}" = {
 extraConfig = ''
 encode zstd gzip
- ${security-headers {}}
+ ${security-headers { }}
 root * /srv/http/files
 file_server browse
 '';
@@ -642,7 +684,7 @@ };
 "go.${domain}" = {
 extraConfig = ''
 encode zstd gzip
- ${security-headers {}}
+ ${security-headers { }}
 root * /srv/http/go.alin.ovh
 file_server
 '';
@@ -650,7 +692,7 @@ };
 "go.${oldDomain}" = {
 extraConfig = ''
 encode zstd gzip
- ${security-headers {}}
+ ${security-headers { }}
 root * /srv/http/go
 file_server
 '';
@@ -662,7 +704,7 @@ in
 {
 extraConfig = ''
 encode zstd gzip
- ${security-headers{}}
+ ${security-headers { }}
 reverse_proxy ${srv.listenAddress}:${toString srv.port}
 '';
 };
@@ -690,7 +732,10 @@ group = "paperless";
 uid = config.ids.uids.paperless;
 home = "/srv/paperless";
 };
- users.groups.paperless.members = [ "alan" "syncthing" ];
+ users.groups.paperless.members = [
+ "alan"
+ "syncthing"
+ ];
 fileSystems."/srv/paperless" = {
 device = "//u439959-sub3.your-storagebox.de/u439959-sub3";
@@ -706,7 +751,8 @@ "x-systemd.mount-timeout=5s"
 ];
 uid = config.ids.uids.paperless;
 in
- automount_opts ++ [
+ automount_opts
+ ++ [
 "credentials=${config.age.secrets.cifs-paperless.path}"
 "seal"
 "multichannel"
@@ -732,9 +778,11 @@ enableTun = true;
 privateNetwork = true;
 hostAddress6 = "fc00::1";
 inherit localAddress6;
- forwardPorts = [{
- hostPort = tsPort;
- }];
+ forwardPorts = [
+ {
+ hostPort = tsPort;
+ }
+ ];
 bindMounts = {
 ${config.services.paperless.dataDir} = {
 hostPath = hostConfig.services.paperless.dataDir;
@@ -745,105 +793,115 @@ hostPath = externalDir;
isReadOnly = false; }; }; - config = { config, pkgs, ... }: { - environment.systemPackages = with pkgs; [ - lsof - ]; - networking = { - useHostResolvConf = false; - resolvconf.enable = false; - firewall.trustedInterfaces = [ "tailscale0" ]; - firewall.rejectPackets = true; - nameservers = hostConfig.networking.nameservers; - }; - services.resolved = { - enable = true; - llmnr = "false"; - }; - services.tailscale = { - enable = true; - openFirewall = true; - permitCertUid = "caddy"; - port = tsPort; - }; - services.tailscaleAuth = { - enable = true; - group = "caddy"; - }; - services.caddy = { - enable = true; - email = "caddy@alanpearce.eu"; - virtualHosts = { - "http://" = { - # avoid logging to an awkward file name based on the attribute name i.e. http:// - hostName = "papers"; - extraConfig = '' - redir ${tsHostname}{uri} - ''; - }; - ${tsHostname} = { - extraConfig = '' - encode zstd gzip - tls { - get_certificate tailscale - } - handle_path /static/* { - root * ${config.services.paperless.package}/lib/paperless-ngx/static - file_server - } - forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock { - uri /auth - header_up Expected-Tailnet "${ts-domain}." - header_up Remote-Addr {remote_host} - header_up Remote-Port {remote_port} - header_up Original-URI {uri} - copy_headers { - Tailscale-User>X-Webauth-User - Tailscale-Name>X-Webauth-Name - Tailscale-Login>X-Webauth-Login - Tailscale-Tailnet>X-Webauth-Tailnet - Tailscale-Profile-Picture>X-Webauth-Profile-Picture + config = + { config, pkgs, ... 
}: + { + environment.systemPackages = with pkgs; [ + lsof + ]; + networking = { + useHostResolvConf = false; + resolvconf.enable = false; + firewall.trustedInterfaces = [ "tailscale0" ]; + firewall.rejectPackets = true; + nameservers = hostConfig.networking.nameservers; + }; + services.resolved = { + enable = true; + llmnr = "false"; + }; + services.tailscale = { + enable = true; + openFirewall = true; + permitCertUid = "caddy"; + port = tsPort; + }; + services.tailscaleAuth = { + enable = true; + group = "caddy"; + }; + services.caddy = { + enable = true; + email = "caddy@alanpearce.eu"; + virtualHosts = { + "http://" = { + # avoid logging to an awkward file name based on the attribute name i.e. http:// + hostName = "papers"; + extraConfig = '' + redir ${tsHostname}{uri} + ''; + }; + ${tsHostname} = { + extraConfig = '' + encode zstd gzip + tls { + get_certificate tailscale } - } - reverse_proxy [::1]:${toString config.services.paperless.port} - ''; + handle_path /static/* { + root * ${config.services.paperless.package}/lib/paperless-ngx/static + file_server + } + forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock { + uri /auth + header_up Expected-Tailnet "${ts-domain}." 
+ header_up Remote-Addr {remote_host} + header_up Remote-Port {remote_port} + header_up Original-URI {uri} + copy_headers { + Tailscale-User>X-Webauth-User + Tailscale-Name>X-Webauth-Name + Tailscale-Login>X-Webauth-Login + Tailscale-Tailnet>X-Webauth-Tailnet + Tailscale-Profile-Picture>X-Webauth-Profile-Picture + } + } + reverse_proxy [::1]:${toString config.services.paperless.port} + ''; + }; }; }; - }; - services.paperless = { - enable = true; - address = "::1"; - mediaDir = "${externalDir}/media"; - settings = { - PAPERLESS_DBENGINE = "sqlite"; - PAPERLESS_TIME_ZONE = "Europe/Berlin"; + services.paperless = { + enable = true; + address = "::1"; + mediaDir = "${externalDir}/media"; + settings = { + PAPERLESS_DBENGINE = "sqlite"; + PAPERLESS_TIME_ZONE = "Europe/Berlin"; - PAPERLESS_URL = "https://${tsHostname}"; - PAPERLESS_TRUSTED_PROXIES = "::1"; - PAPERLESS_USE_X_FORWARD_HOST = true; - PAPERLESS_USE_X_FORWARD_PORT = true; - PAPERLESS_PROXY_SSL_HEADER = [ "HTTP_X_FORWARDED_PROTO" "https" ]; - PAPERLESS_ENABLE_COMPRESSION = false; # let caddy do it + PAPERLESS_URL = "https://${tsHostname}"; + PAPERLESS_TRUSTED_PROXIES = "::1"; + PAPERLESS_USE_X_FORWARD_HOST = true; + PAPERLESS_USE_X_FORWARD_PORT = true; + PAPERLESS_PROXY_SSL_HEADER = [ + "HTTP_X_FORWARDED_PROTO" + "https" + ]; + PAPERLESS_ENABLE_COMPRESSION = false; # let caddy do it - PAPERLESS_ENABLE_HTTP_REMOTE_USER = true; - PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME = "HTTP_X_WEBAUTH_LOGIN"; + PAPERLESS_ENABLE_HTTP_REMOTE_USER = true; + PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME = "HTTP_X_WEBAUTH_LOGIN"; - PAPERLESS_OCR_SKIP_ARCHIVE_FILE = "with_text"; - PAPERLESS_OCR_LANGUAGE = "deu+eng"; - PAPERLESS_IGNORE_DATES = "09.08.90"; + PAPERLESS_OCR_SKIP_ARCHIVE_FILE = "with_text"; + PAPERLESS_OCR_LANGUAGE = "deu+eng"; + PAPERLESS_IGNORE_DATES = "09.08.90"; - PAPERLESS_TASK_WORKERS = 2; - PAPERLESS_THREADS_PER_WORKER = 1; - PAPERLESS_NUMBER_OF_SUGGESTED_DATES = 4; + PAPERLESS_TASK_WORKERS = 2; + 
PAPERLESS_THREADS_PER_WORKER = 1; + PAPERLESS_NUMBER_OF_SUGGESTED_DATES = 4; - PAPERLESS_CONSUMER_IGNORE_PATTERN = [ ".DS_STORE/*" "desktop.ini" ".stfolder/*" ".stversions/*" ]; + PAPERLESS_CONSUMER_IGNORE_PATTERN = [ + ".DS_STORE/*" + "desktop.ini" + ".stfolder/*" + ".stversions/*" + ]; - PAPERLESS_FILENAME_FORMAT = "{correspondent}/{created} {title} {asn}"; - PAPERLESS_FILENAME_FORMAT_REMOVE_NONE = true; + PAPERLESS_FILENAME_FORMAT = "{correspondent}/{created} {title} {asn}"; + PAPERLESS_FILENAME_FORMAT_REMOVE_NONE = true; + }; }; + system.stateVersion = "24.11"; }; - system.stateVersion = "24.11"; - }; }; users.groups.rauthy = { };
@@ -1105,7 +1163,7 @@
 virtualisation.containers = {
 enable = true;
 policy = {
- default = [{ type = "insecureAcceptAnything"; }];
+ default = [ { type = "insecureAcceptAnything"; } ];
 };
 };
 virtualisation.podman = {
@@ -1127,7 +1185,8 @@ "x-systemd.idle-timeout=1h"
 "x-systemd.mount-timeout=5s"
 ];
 in
- automount_opts ++ [
+ automount_opts
+ ++ [
 "credentials=${config.age.secrets.cifs-transmission.path}"
 "seal"
 "multichannel"
@@ -1168,68 +1227,75 @@ hostPath = externalDir;
isReadOnly = false; }; }; - config = { config, lib, pkgs, ... }: { - system.stateVersion = "24.11"; - networking = { - useHostResolvConf = false; - resolvconf.enable = false; - firewall.trustedInterfaces = [ "tailscale0" ]; - firewall.rejectPackets = true; - nameservers = hostConfig.networking.nameservers; - }; - services.resolved = { - enable = true; - llmnr = "false"; - }; - services.tailscale = { - enable = true; - openFirewall = true; - permitCertUid = "caddy"; - port = tsPort; - }; - services.caddy = { - enable = true; - email = "caddy@alanpearce.eu"; - virtualHosts = { - "http://" = { - hostName = "bt"; - extraConfig = '' - redir ${tsHostname}{uri} - ''; - }; - ${tsHostname} = { - extraConfig = '' - encode zstd gzip - tls { - get_certificate tailscale - } - reverse_proxy localhost:${toString config.services.transmission.settings.rpc-port} - ''; + config = + { + config, + lib, + pkgs, + ... + }: + { + system.stateVersion = "24.11"; + networking = { + useHostResolvConf = false; + resolvconf.enable = false; + firewall.trustedInterfaces = [ "tailscale0" ]; + firewall.rejectPackets = true; + nameservers = hostConfig.networking.nameservers; + }; + services.resolved = { + enable = true; + llmnr = "false"; + }; + services.tailscale = { + enable = true; + openFirewall = true; + permitCertUid = "caddy"; + port = tsPort; + }; + services.caddy = { + enable = true; + email = "caddy@alanpearce.eu"; + virtualHosts = { + "http://" = { + hostName = "bt"; + extraConfig = '' + redir ${tsHostname}{uri} + ''; + }; + ${tsHostname} = { + extraConfig = '' + encode zstd gzip + tls { + get_certificate tailscale + } + reverse_proxy localhost:${toString config.services.transmission.settings.rpc-port} + ''; + }; }; }; - }; - services.transmission = { - enable = true; - openFirewall = true; - webHome = pkgs.flood-for-transmission; - settings = { - utp-enabled = true; - incomplete-dir-enabled = true; - incomplete-dir = "/srv/transmission/leeching"; - download-dir = 
"/srv/transmission/seeding"; - watch-dir = "/srv/transmission/watch"; - watch-dir-enabled = true; - rpc-bind-address = "::1"; - rpc-whitelist-enabled = false; - rpc-host-whitelist = tsHostname; - rpc-host-whitelist-enabled = true; + services.transmission = { + enable = true; + openFirewall = true; + webHome = pkgs.flood-for-transmission; + settings = { + utp-enabled = true; + incomplete-dir-enabled = true; + incomplete-dir = "/srv/transmission/leeching"; + download-dir = "/srv/transmission/seeding"; + watch-dir = "/srv/transmission/watch"; + watch-dir-enabled = true; + rpc-bind-address = "::1"; + rpc-whitelist-enabled = false; + rpc-host-whitelist = tsHostname; + rpc-host-whitelist-enabled = true; + }; }; - }; - systemd.services.transmission = { - serviceConfig = { - RootDirectory = lib.mkForce ""; + systemd.services.transmission = { + serviceConfig = { + RootDirectory = lib.mkForce ""; + }; }; }; - }; }; }