simplify enable opts, and fix security.nix

default.nix

@@ -1,11 +1,15 @@
 { config, inputs, lib, pkgs, ... }:
 
 let
-  inherit (lib) filterAttrs _;
+  inherit (builtins) toString;
+  inherit (lib.modules) mkDefault;
+  inherit (lib.my) mapModulesRec';
 in {
   imports =
-    [ inputs.home-manager.nixosModules.home-manager ]
+    [ 
-    ++ _.mapModulesRec' ./modules import;
+      inputs.home-manager.nixosModules.home-manager
+    ]
+    ++ (mapModulesRec' (toString ./modules) import);
 
   nix = {
   	settings = {
@@ -25,14 +29,15 @@ in {
   environment.systemPackages = with pkgs; [
     unrar unzip
     curl wget
-    # hello! if you remove this, good luck
+    # nixos-rebuild w/ flakes does not work without git
-    # ever rebuilding your system using flakes!
+    # do not remove this
+    # nix is awesome
     git
   ];
 
-  time.timeZone = lib.mkDefault "America/Los_Angeles";
+  time.timeZone = mkDefault "America/Los_Angeles";
 
-  i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
+  i18n.defaultLocale = mkDefault "en_US.UTF-8";
 
-  system.stateVersion = lib.mkDefault "23.11";
+  system.stateVersion = mkDefault "23.11";
 }

flake.lock

@@ -2,7 +2,9 @@
   "nodes": {
     "home-manager": {
       "inputs": {
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": [
+          "nixpkgs"
+        ]
       },
       "locked": {
         "lastModified": 1705535278,
@@ -19,22 +21,6 @@
       }
     },
     "nixpkgs": {
-      "locked": {
-        "lastModified": 1705316053,
-        "narHash": "sha256-J2Ey5mPFT8gdfL2XC0JTZvKaBw/b2pnyudEXFvl+dQM=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "c3e128f3c0ecc1fb04aef9f72b3dcc2f6cecf370",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_2": {
       "locked": {
         "lastModified": 1705496572,
         "narHash": "sha256-rPIe9G5EBLXdBdn9ilGc0nq082lzQd0xGGe092R/5QE=",
@@ -53,7 +39,7 @@
     "root": {
       "inputs": {
         "home-manager": "home-manager",
-        "nixpkgs": "nixpkgs_2"
+        "nixpkgs": "nixpkgs"
       }
     }
   },

flake.nix

@@ -5,29 +5,44 @@
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
 
     home-manager.url = "github:nix-community/home-manager";
+    home-manager.inputs.nixpkgs.follows = "nixpkgs";
   };
 
   outputs = inputs @ { self, nixpkgs, ... }:
     let
+      inherit (lib.my) mapModules mapModulesRec mapHosts;
       system = "aarch64-linux";
 
-      lib = import ./lib { inherit pkgs inputs; lib = nixpkgs.lib; };
+      mkPkgs = pkgs: extraOverlays: 
-      inherit (lib._) mapModules mapModulesRec mkHost;
+        import pkgs {
-
-      mkPkgs = pkgs: overlays: import pkgs {
           inherit system;
           config.allowUnfree = true;
-        overlays = overlays ++ (lib.attrValues self.overlays);
+          config.allowAliases = false;
+          overlays = extraOverlays ++ (lib.attrValues self.overlays);
+        };
+      pkgs = mkPkgs nixpkgs [ self.overlays.default ];
+
+      lib = nixpkgs.lib.extend (final: prev: {
+        my = import ./lib {
+          inherit pkgs inputs;
+          lib = final;
+        };
+      });
+    in {
+      lib = lib.my;
+    
+      overlays = 
+        (mapModules ./overlays import)
+        // {
+          default = final: prev: {
+            my = self.packages.${system};
+          };
         };
       
-      pkgs = mkPkgs nixpkgs [ self.overlay ];
-    in {
       packages."${system}" = mapModules ./packages (p: pkgs.callPackage p {});
-      overlay = final: prev: {
+      
-        _ = self.packages."${system}";
+      nixosModules = mapModulesRec ./modules import;
-      };
+      
-      overlays = mapModules ./overlays import;
+      nixosConfigurations = mapHosts ./hosts {};
-      nixosModules = (mapModulesRec ./modules import);
-      nixosConfigurations = mapModules ./hosts (host: mkHost host { inherit system; });
     };
 }

hosts/server/authorizedKeys.nix

@@ -1,10 +0,0 @@
-[
-  # reidlab
-  { hostname = "reidlab@rei-pc";
-    ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICmwWuwS+a1GzYFSNOkgk/zF5bolXqat1RP5FXJv+vto reidlab@rei-pc";
-  }
-  {
-    hostname = "reidlab@rei-phone";
-    ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKC12NkyZAFNDHfq1ECh4uAgM4mpKfsQnL3XF/ZzSyCJ reidlab@rei-phone";
-  }
-]

hosts/server/default.nix

@@ -1,9 +1,7 @@
 { config, lib, pkgs, ... }:
 
 let
-  keys = import ./authorizedKeys.nix;
+
-  fetchSSH = (host: lib._.getSSH host keys);
-  fetchSSHKeys = map fetchSSH;
 in {
   imports = [
     ./hardware-configuration.nix
@@ -17,9 +15,9 @@ in {
       conf = {
         packages = with pkgs; [ bat tree micro duf ];
         extraGroups = [ "wheel" "dotfiles" ];
-        openssh.authorizedKeys.keys = fetchSSHKeys [
+        openssh.authorizedKeys.keys = [
-          "reidlab@rei-pc"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICmwWuwS+a1GzYFSNOkgk/zF5bolXqat1RP5FXJv+vto reidlab@rei-pc"
-          "reidlab@rei-phone"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKC12NkyZAFNDHfq1ECh4uAgM4mpKfsQnL3XF/ZzSyCJ reidlab@rei-phone"
         ];
       };
 
@@ -53,8 +51,6 @@ in {
     security.useDoas = true;
   };
 
-  time.timeZone = "America/Los_Angeles";
-
   networking = {
     hostName = "nixos-server-reid";
     networkmanager.enable = true;

hosts/server/webapps/default.nix

@@ -13,7 +13,7 @@ in {
         };
 
         metrics = {
-          enable = true;
+          enable = false;
           domain = "metrics.reidlab.online";
           port = 2342;
         };

lib/attrs.nix

@@ -0,0 +1,25 @@
+{lib, ...}: let
+  inherit (lib.lists) any count;
+  inherit (lib.attrsets) filterAttrs listToAttrs mapAttrs' mapAttrsToList;
+in rec {
+  # attrsToList
+  attrsToList = attrs:
+    mapAttrsToList (name: value: {inherit name value;}) attrs;
+
+  # mapFilterAttrs ::
+  #   (name -> value -> bool)
+  #   (name -> value -> { name = any; value = any; })
+  #   attrs
+  mapFilterAttrs = pred: f: attrs: filterAttrs pred (mapAttrs' f attrs);
+
+  # Generate an attribute set by mapping a function over a list of values.
+  genAttrs' = values: f: listToAttrs (map f values);
+
+  # anyAttrs :: (name -> value -> bool) attrs
+  anyAttrs = pred: attrs:
+    any (attr: pred attr.name attr.value) (attrsToList attrs);
+
+  # countAttrs :: (name -> value -> bool) attrs
+  countAttrs = pred: attrs:
+    count (attr: pred attr.name attr.value) (attrsToList attrs);
+}

lib/default.nix

@@ -1,17 +1,20 @@
 { inputs, lib, pkgs, ... }:
 
-lib.extend (self: super:
   let
-    inherit (lib) attrValues foldr;
+    inherit (lib.attrsets) attrValues;
+    inherit (lib.fixedPoints) makeExtensible;
+    inherit (lib.lists) foldr;
     inherit (modules) mapModules;
-    inherit (helpers) getSSH;
 
-    modules = import ./modules.nix { inherit lib; };
+    modules = import ./modules.nix {
-    helpers = import ./helpers.nix { inherit lib; };
+      inherit lib;
-  in {
+      self.attrs = import ./attrs.nix {
-    _ = foldr (a: b: a // b) {} (attrValues (mapModules ./. (file: import file {
+      	inherit lib;
-      inherit pkgs inputs;
+      	self = {};
-      lib = self;
+      };
-    })));
+    };
-  }
+    mylib =
-)
+      makeExtensible (self:
+        mapModules ./. (file: import file {inherit self lib pkgs inputs;}));
+  in 
+    mylib.extend (self: super: foldr (a: b: a // b) {} (attrValues super))

lib/helpers.nix

@@ -1,18 +0,0 @@
-{ lib, ... }:
-
-with lib;
-rec {
-  indexFrom = origin: name: item: list: foldr
-  (h: t:
-    if h.${origin} == name && hasAttr item h
-    then h.${item}
-    else t)
-  (error ''
-    No item at the origin point ${origin} with element ${name} found.
-    Please make sure that the item with that origin exists, and,
-    failing that, that it also has the requested item defined.
-  '')
-  list;
-
-  getSSH = name: keys: indexFrom "hostname" name "ssh" keys;
-}

lib/modules.nix

@@ -1,27 +1,43 @@
-{ lib, ... }:
+{
-
+  lib,
-let
+  self,
-  inherit (builtins) attrValues readDir pathExists;
+  ...
-  inherit (lib) id filterAttrs hasPrefix hasSuffix nameValuePair removeSuffix mapAttrs' trace fix fold isAttrs;
+}: let
+  inherit (builtins) attrValues readDir pathExists concatLists;
+  inherit (lib.attrsets) mapAttrsToList filterAttrs nameValuePair;
+  inherit (lib.strings) hasPrefix hasSuffix removeSuffix;
+  inherit (lib.trivial) id;
+  inherit (self.attrs) mapFilterAttrs;
 in rec {
-  mapModules' = dir: fn: dirfn:
+  mapModules = dir: fn:
-    filterAttrs
+    mapFilterAttrs (n: v: v != null && !(hasPrefix "_" n)) (n: v: let
-      (name: type: type != null && !(hasPrefix "_" name))
+      path = "${toString dir}/${n}";
-      (mapAttrs'
+    in
-        (name: type:
+      if v == "directory" && pathExists "${path}/default.nix"
-          let path = "${toString dir}/${name}"; in
+      then nameValuePair n (fn path)
-          if type == "directory"
+      else if v == "regular" && n != "default.nix" && hasSuffix ".nix" n
-          then nameValuePair name (dirfn path)
+      then nameValuePair (removeSuffix ".nix" n) (fn path)
-          else if
+      else nameValuePair "" null) (readDir dir);
-            type == "regular" &&
-            name != "default.nix" &&
-            hasSuffix ".nix" name
-          then nameValuePair (removeSuffix ".nix" name) (fn path)
-          else nameValuePair "" null
-        )
-        (readDir dir));
 
-  mapModules = dir: fn: mapModules' dir fn (path: if pathExists "${path}/default.nix" then fn path else null);
+  mapModules' = dir: fn: attrValues (mapModules dir fn);
-  mapModulesRec = dir: fn: mapModules' dir fn (path: mapModulesRec path fn);
+
-  mapModulesRec' = dir: fn: fix (f: attrs: fold (x: xs: (if isAttrs x then f x else [x]) ++ xs) [] (attrValues attrs)) (mapModulesRec dir fn);
+  mapModulesRec = dir: fn:
+    mapFilterAttrs (n: v: v != null && !(hasPrefix "_" n)) (n: v: let
+      path = "${toString dir}/${n}";
+    in
+      if v == "directory"
+      then nameValuePair n (mapModulesRec path fn)
+      else if v == "regular" && n != "default.nix" && hasSuffix ".nix" n
+      then nameValuePair (removeSuffix ".nix" n) (fn path)
+      else nameValuePair "" null) (readDir dir);
+
+  mapModulesRec' = dir: fn: let
+    dirs =
+      mapAttrsToList (k: _: "${dir}/${k}")
+      (filterAttrs (n: v: v == "directory" && !(hasPrefix "_" n))
+        (readDir dir));
+    files = attrValues (mapModules dir id);
+    paths = files ++ concatLists (map (d: mapModulesRec' d id) dirs);
+  in
+    map fn paths;
 }

lib/nixos.nix

@@ -1,21 +1,35 @@
-{ inputs, lib, pkgs, ... }:
-
-with lib;
 {
-  mkHost = path: attrs@{ system, ... }:
+  inputs,
+  lib,
+  pkgs,
+  self,
+  ...
+}: let
+  inherit (inputs.nixpkgs.lib) nixosSystem;
+  inherit (builtins) baseNameOf elem;
+  inherit (lib.attrsets) filterAttrs;
+  inherit (lib.modules) mkDefault;
+  inherit (lib.strings) removeSuffix;
+  inherit (self.modules) mapModules;
+in rec {
+  mkHost = path: attrs @ {system ? "aarch64-linux", ...}:
     nixosSystem {
       inherit system;
-      specialArgs = { inherit lib inputs system; };
+
+      specialArgs = {inherit lib inputs system;};
+
       modules = [
         {
           nixpkgs.pkgs = pkgs;
-          networking.hostName = mkDefault (removeSuffix ".nix" (baseNameOf path));
+          networking.hostName =
+            mkDefault (removeSuffix ".nix" (baseNameOf path));
         }
-        (filterAttrs (n: v: !elem n [ "system" ]) attrs)
+        (filterAttrs (n: v: !elem n ["system"]) attrs)
-
+        ../. # /default.nix
-        ../.
-
         (import path)
       ];
     };
+
+  mapHosts = dir: attrs @ {system ? system, ...}:
+    mapModules dir (hostPath: mkHost hostPath attrs);
 }

modules/security.nix

@@ -14,24 +14,38 @@ in {
 		tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
 		
     	kernel.sysctl = {
+    	  # magic sysrq key, allows low-level commands through keyboard input
       	  "kernel.sysrq" = 0;
 
-          "net.ipv4.conf.all.accept_source_code" = 0;
+          ## TCP hardening
-          "net.ipv6.conf.all.accept_source_code" = 0;
+          # prevent bogus ICMP errors from filling up logs
-          "net.ipv4.conf.default.send_redirects" = 0;
+          "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+          # do not accept IP source packets (we are not a router)
+          "net.ipv4.conf.all.accept_source_route" = 0;
+          "net.ipv6.conf.all.accept_source_route" = 0;
+          # Don't send ICMP redirects (again, we're not a router)
           "net.ipv4.conf.all.send_redirects" = 0;
-          "net.ipv4.conf.default.accept_redirects" = 0;
+          "net.ipv4.conf.default.send_redirects" = 0;
+          # refuse ICMP redirects (MITM mitigations)
           "net.ipv4.conf.all.accept_redirects" = 0;
-          "net.ipv6.conf.default.accept_redirects" = 0;
+          "net.ipv4.conf.default.accept_redirects" = 0;
-          "net.ipv6.conf.all.accept_redirects" = 0;
-          "net.ipv4.conf.default.secure_redirects" = 0;
           "net.ipv4.conf.all.secure_redirects" = 0;
+          "net.ipv4.conf.default.secure_redirects" = 0;
+          "net.ipv6.conf.all.accept_redirects" = 0;
+          "net.ipv6.conf.default.accept_redirects" = 0;
+          # protects against SYN flood attacks
           "net.ipv4.tcp_syncookies" = 1;
+          # incomplete protection against TIME-WAIT assassination
           "net.ipv4.tcp_rfc1337" = 1;
+
+          ## TCP optimization
+          # TCP fastopen
           "net.ipv4.tcp_fastopen" = 3;
+          # bufferbloat mitigations + improvement in throughput and latency
           "net.ipv4.tcp_conjestion_control" = "bbr";
           "net.core.default_qdisc" = "cake";
         };
+        kernelModules = [ "tcp_bbr" ];
       };
 
       security = {

modules/services/forgejo.nix

@@ -11,10 +11,7 @@ let
   };
 in {
   options.modules.services.forgejo = {
-    enable = mkOption {
+    enable = mkEnableOption "enable forgejo, a lightweight git server";
-      type = types.bool;
-      default = false;
-    };
     domain = mkOption {
       type = types.str;
       default = "git.reidlab.online";

modules/services/metrics.nix

@@ -5,10 +5,7 @@ let
   cfg = config.modules.services.metrics;
 in {
   options.modules.services.metrics = {
-    enable = mkOption {
+    enable = mkEnableOption "enable grafana with loki, prometheus, and promtail";
-      type = types.bool;
-      default = false;
-    };
     domain = mkOption {
       type = types.str;
       default = "grafana.reidlab.online";

modules/services/mosh.nix

@@ -5,10 +5,7 @@ let
   cfg = config.modules.services.mosh;
 in {
   options.modules.services.mosh = {
-    enable = mkOption {
+    enable = mkEnableOption "enable mosh, the mobile SSH shell";
-      type = types.bool;
-      default = false;
-    };
   };
 
   config = mkIf cfg.enable {

modules/services/nginx-conf.nix

@@ -5,10 +5,7 @@ let
   cfg = config.modules.services.nginx-config;
 in {
   options.modules.services.nginx-config = {
-    enable = mkOption {
+	enable = mkEnableOption "enable nginx, a high performance web server along with default configurations";
-      type = types.bool;
-      default = false;
-    };
 
     package = mkOption {
       type = types.package;

modules/services/postgres.nix

@@ -5,10 +5,7 @@ let
   cfg = config.modules.services.postgres;
 in {
   options.modules.services.postgres = {
-    enable = mkOption {
+    enable = mkEnableOption "enable postgres, the database industry standard";
-      type = types.bool;
-      default = false;
-    };
   };
 
   config = mkIf cfg.enable {

modules/services/redis.nix

@@ -5,10 +5,7 @@ let
   cfg = config.modules.services.redis;
 in {
   options.modules.services.redis = {
-    enable = mkOption {
+    enable = mkEnableOption "enable redis, a speedy cache database";
-      type = types.bool;
-      default = false;
-    };
   };
 
   config = mkIf cfg.enable {

modules/services/ssh.nix

@@ -5,11 +5,7 @@ let
   cfg = config.modules.services.ssh;
 in {
   options.modules.services.ssh = {
-    enable = mkOption {
+    enable = mkEnableOption "enable openssh, a server for remote shell access";
-      type = types.bool;
-      default = false;
-      description = "Provide system SSH support though OpenSSH.";
-    };
 
     requirePassword = mkOption {
       type = types.bool;

readme.md

@@ -18,8 +18,7 @@ before committing, please run `nix flake check` and make sure everything is ok
 
 ## todo
 
-- analytics using matomo
+- remove the lua static stuff from nginx + the cf ip
-- php support in staticsites
+- per-host architecture selection, atm it is hardcoded to `aarch64`
-- no more luapackagepath. please stop.
+- some weird perl error abt locales when building??? it only happened after the big lib update. help me
-- not sure if this is cloudflare doing this or our acme config, but accessing invalid subdomains returns a dumb ssl error
+- leverage nixos-hardware
-- this is not related to the flake but it is to the site. transfer from namecheap to porkbun plz