diff --git a/default.nix b/default.nix
index b42b9a8..c6e0ae6 100755
--- a/default.nix
+++ b/default.nix
@@ -1,15 +1,11 @@
 { config, inputs, lib, pkgs, ... }:
 let
- inherit (builtins) toString;
- inherit (lib.modules) mkDefault;
- inherit (lib.my) mapModulesRec';
+ inherit (lib) filterAttrs _;
 in {
 imports =
- [
- inputs.home-manager.nixosModules.home-manager
- ]
- ++ (mapModulesRec' (toString ./modules) import);
+ [ inputs.home-manager.nixosModules.home-manager ]
+ ++ _.mapModulesRec' ./modules import;
 nix = {
 settings = {
@@ -29,15 +25,14 @@ in {
 environment.systemPackages = with pkgs; [
 unrar unzip curl wget
- # nixos-rebuild w/ flakes does not work without git
- # do not remove this
- # nix is awesome
+ # hello! if you remove this, good luck
+ # ever rebuilding your system using flakes!
 git
 ];
- time.timeZone = mkDefault "America/Los_Angeles";
+ time.timeZone = lib.mkDefault "America/Los_Angeles";
- i18n.defaultLocale = mkDefault "en_US.UTF-8";
+ i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
- system.stateVersion = mkDefault "23.11";
+ system.stateVersion = lib.mkDefault "23.11";
 }
diff --git a/flake.lock b/flake.lock
index 88e4268..d8114d2 100755
--- a/flake.lock
+++ b/flake.lock
@@ -2,9 +2,7 @@
 "nodes": {
 "home-manager": {
 "inputs": {
- "nixpkgs": [
- "nixpkgs"
- ]
+ "nixpkgs": "nixpkgs"
 },
 "locked": {
 "lastModified": 1705535278,
@@ -21,6 +19,22 @@
 }
 },
 "nixpkgs": {
+ "locked": {
+ "lastModified": 1705316053,
+ "narHash": "sha256-J2Ey5mPFT8gdfL2XC0JTZvKaBw/b2pnyudEXFvl+dQM=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "c3e128f3c0ecc1fb04aef9f72b3dcc2f6cecf370",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
 "locked": {
 "lastModified": 1705496572,
 "narHash": "sha256-rPIe9G5EBLXdBdn9ilGc0nq082lzQd0xGGe092R/5QE=",
@@ -39,7 +53,7 @@
 "root": {
 "inputs": {
 "home-manager": "home-manager",
- "nixpkgs": "nixpkgs"
+ "nixpkgs": "nixpkgs_2"
 }
 }
 },
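Review bot: `inherit (lib) filterAttrs _;` brings `filterAttrs` into scope but nothing in this hunk uses it; unless the part of the file below `nix.settings` (not shown) does, trim it to `inherit (lib) _;` so the lib surface this module depends on stays explicit. `_.mapModulesRec' ./modules import` now wires in every `.nix` file under `./modules` unconditionally (only `_`-prefixed names are skipped, per lib/modules.nix in this same commit), which deserves a one-line comment at the import site such as `# every module under ./modules is imported; each gates its own behaviour behind an enable option`. The enclosing attribute set continues past the hunk.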
diff --git a/flake.nix b/flake.nix
index 3d96afd..a4e0cb3 100755
--- a/flake.nix
+++ b/flake.nix
@@ -5,44 +5,29 @@
 nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
 home-manager.url = "github:nix-community/home-manager";
- home-manager.inputs.nixpkgs.follows = "nixpkgs";
 };
 outputs = inputs @ { self, nixpkgs, ... }: let
- inherit (lib.my) mapModules mapModulesRec mapHosts;
 system = "aarch64-linux";
- mkPkgs = pkgs: extraOverlays:
- import pkgs {
- inherit system;
- config.allowUnfree = true;
- config.allowAliases = false;
- overlays = extraOverlays ++ (lib.attrValues self.overlays);
- };
- pkgs = mkPkgs nixpkgs [ self.overlays.default ];
+ lib = import ./lib { inherit pkgs inputs; lib = nixpkgs.lib; };
+ inherit (lib._) mapModules mapModulesRec mkHost;
- lib = nixpkgs.lib.extend (final: prev: {
- my = import ./lib {
- inherit pkgs inputs;
- lib = final;
- };
- });
+ mkPkgs = pkgs: overlays: import pkgs {
+ inherit system;
+ config.allowUnfree = true;
+ overlays = overlays ++ (lib.attrValues self.overlays);
+ };
+
+ pkgs = mkPkgs nixpkgs [ self.overlay ];
 in {
- lib = lib.my;
-
- overlays =
- (mapModules ./overlays import)
- // {
- default = final: prev: {
- my = self.packages.${system};
- };
- };
- packages."${system}" = mapModules ./packages (p: pkgs.callPackage p {});
-
- nixosModules = mapModulesRec ./modules import;
-
- nixosConfigurations = mapHosts ./hosts {};
+ overlay = final: prev: {
+ _ = self.packages."${system}";
+ };
+ overlays = mapModules ./overlays import;
+ nixosModules = (mapModulesRec ./modules import);
+ nixosConfigurations = mapModules ./hosts (host: mkHost host { inherit system; });
 };
 }
diff --git a/hosts/server/authorizedKeys.nix b/hosts/server/authorizedKeys.nix
new file mode 100755
index 0000000..3c1f840
--- /dev/null
+++ b/hosts/server/authorizedKeys.nix
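Review bot: Dropping `home-manager.inputs.nixpkgs.follows = "nixpkgs"` lets home-manager resolve its own nixpkgs, and the flake.lock hunk in this same commit shows the result: the system now uses `nixpkgs_2` at one revision while home-manager pins `nixpkgs` at an older one (c3e128f), so the closure is built from two nixpkgs trees and a security fix in nixpkgs has to reach both before the host is actually patched. Unless the split pin is deliberate, keep `home-manager.inputs.nixpkgs.follows = "nixpkgs";` in `inputs` so a single `nix flake update` moves everything together. The rewritten `mkPkgs` also silently drops `config.allowAliases = false`, re-enabling deprecated package aliases without a note, and `overlay` (singular) is the legacy flake output name that newer Nix warns is deprecated in favour of `overlays.default`.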
@@ -0,0 +1,10 @@
+[
+ # reidlab
+ { hostname = "reidlab@rei-pc";
+ ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICmwWuwS+a1GzYFSNOkgk/zF5bolXqat1RP5FXJv+vto reidlab@rei-pc";
+ }
+ {
+ hostname = "reidlab@rei-phone";
+ ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKC12NkyZAFNDHfq1ECh4uAgM4mpKfsQnL3XF/ZzSyCJ reidlab@rei-phone";
+ }
+]
diff --git a/hosts/server/default.nix b/hosts/server/default.nix
index cf0c096..431ca38 100755
--- a/hosts/server/default.nix
+++ b/hosts/server/default.nix
@@ -1,7 +1,9 @@
 { config, lib, pkgs, ... }:
 let
-
+ keys = import ./authorizedKeys.nix;
+ fetchSSH = (host: lib._.getSSH host keys);
+ fetchSSHKeys = map fetchSSH;
 in {
 imports = [
 ./hardware-configuration.nix
@@ -15,9 +17,9 @@ in {
 conf = {
 packages = with pkgs; [ bat tree micro duf ];
 extraGroups = [ "wheel" "dotfiles" ];
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICmwWuwS+a1GzYFSNOkgk/zF5bolXqat1RP5FXJv+vto reidlab@rei-pc"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKC12NkyZAFNDHfq1ECh4uAgM4mpKfsQnL3XF/ZzSyCJ reidlab@rei-phone"
+ openssh.authorizedKeys.keys = fetchSSHKeys [
+ "reidlab@rei-pc"
+ "reidlab@rei-phone"
 ];
 };
@@ -51,6 +53,8 @@ in {
 security.useDoas = true;
 };
+ time.timeZone = "America/Los_Angeles";
+
 networking = {
 hostName = "nixos-server-reid";
 networkmanager.enable = true;
diff --git a/hosts/server/webapps/default.nix b/hosts/server/webapps/default.nix
index cdacaeb..d3e8abd 100755
--- a/hosts/server/webapps/default.nix
+++ b/hosts/server/webapps/default.nix
@@ -13,7 +13,7 @@ in {
 };
 metrics = {
- enable = false;
+ enable = true;
 domain = "metrics.reidlab.online";
 port = 2342;
 };
diff --git a/lib/attrs.nix b/lib/attrs.nix
deleted file mode 100644
index e5890b4..0000000
--- a/lib/attrs.nix
+++ /dev/null
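Review bot: The list is keyed by the free-form `hostname` string, and the lookup added in lib/helpers.nix returns the first entry whose `hostname` matches, so a second entry that reuses a `hostname` would be silently ignored rather than reported; a header comment would save the next person who adds a key from that trap, e.g. `# SSH public keys only (safe to commit); hostname is the lookup key used by lib._.getSSH and must be unique`. Committing only the public halves here is correct; nothing in this file should ever hold a private key or a password hash.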
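Review bot: `fetchSSH` is a purely local lookup into `./authorizedKeys.nix`, so the `fetch` prefix reads as if key material were retrieved from somewhere at evaluation time; naming it `lookupSSHKey`/`lookupSSHKeys`, or adding `# resolves a hostname label to its public key from ./authorizedKeys.nix; an unknown label aborts evaluation` above the binding, makes it clear that no remote data reaches the authorized_keys list. The parentheses in `(host: lib._.getSSH host keys)` are redundant in a let binding. The `in {` block continues past the hunk.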
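Review bot: Flipping `metrics.enable` to `true` publishes Grafana at `metrics.reidlab.online` behind port 2342, and nothing in this hunk shows how that endpoint is authenticated; before this lands, confirm the metrics module (only its option block is visible in this commit, and its old description says it also brings up Loki, Prometheus and Promtail) sets the admin password from a secret, disables anonymous access and sign-up, and keeps the Loki/Prometheus listeners on localhost rather than exposed next to it. A comment on this line pointing at where that hardening lives, e.g. `# public Grafana; auth and upstream bindings are configured in modules/services/metrics.nix`, keeps the exposure deliberate.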
@@ -1,25 +0,0 @@
-{lib, ...}: let
- inherit (lib.lists) any count;
- inherit (lib.attrsets) filterAttrs listToAttrs mapAttrs' mapAttrsToList;
-in rec {
- # attrsToList
- attrsToList = attrs:
- mapAttrsToList (name: value: {inherit name value;}) attrs;
-
- # mapFilterAttrs ::
- # (name -> value -> bool)
- # (name -> value -> { name = any; value = any; })
- # attrs
- mapFilterAttrs = pred: f: attrs: filterAttrs pred (mapAttrs' f attrs);
-
- # Generate an attribute set by mapping a function over a list of values.
- genAttrs' = values: f: listToAttrs (map f values);
-
- # anyAttrs :: (name -> value -> bool) attrs
- anyAttrs = pred: attrs:
- any (attr: pred attr.name attr.value) (attrsToList attrs);
-
- # countAttrs :: (name -> value -> bool) attrs
- countAttrs = pred: attrs:
- count (attr: pred attr.name attr.value) (attrsToList attrs);
-}
diff --git a/lib/default.nix b/lib/default.nix
index 1bb3d04..bb1cb9e 100755
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -1,20 +1,17 @@
 { inputs, lib, pkgs, ... }:
+lib.extend (self: super:
 let
- inherit (lib.attrsets) attrValues;
- inherit (lib.fixedPoints) makeExtensible;
- inherit (lib.lists) foldr;
+ inherit (lib) attrValues foldr;
 inherit (modules) mapModules;
+ inherit (helpers) getSSH;
- modules = import ./modules.nix {
- inherit lib;
- self.attrs = import ./attrs.nix {
- inherit lib;
- self = {};
- };
- };
- mylib =
- makeExtensible (self:
- mapModules ./. (file: import file {inherit self lib pkgs inputs;}));
- in
- mylib.extend (self: super: foldr (a: b: a // b) {} (attrValues super))
+ modules = import ./modules.nix { inherit lib; };
+ helpers = import ./helpers.nix { inherit lib; };
+ in {
+ _ = foldr (a: b: a // b) {} (attrValues (mapModules ./. (file: import file {
+ inherit pkgs inputs;
+ lib = self;
+ })));
+ }
+)
diff --git a/lib/helpers.nix b/lib/helpers.nix
new file mode 100755
index 0000000..158ba75
--- /dev/null
+++ b/lib/helpers.nix
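Review bot: `_` is built by folding `a // b` over `attrValues` of every file in `./lib`, so two files that define the same name are merged silently with the file sorted later by name winning and no error raised, which makes it easy to shadow a helper such as `getSSH` without noticing; state the rule in a comment, `# on a name clash the file that sorts later in ./lib wins`, or build `_` with an assertion that rejects duplicate attribute names. `inherit (helpers) getSSH;` is not referenced anywhere in the new body (only `mapModules` is) and can be dropped, which also removes the second, redundant import of helpers.nix alongside the one `mapModules ./.` already performs.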
@@ -0,0 +1,18 @@
+{ lib, ... }:
+
+with lib;
+rec {
+ indexFrom = origin: name: item: list: foldr
+ (h: t:
+ if h.${origin} == name && hasAttr item h
+ then h.${item}
+ else t)
+ (error ''
+ No item at the origin point ${origin} with element ${name} found.
+ Please make sure that the item with that origin exists, and,
+ failing that, that it also has the requested item defined.
+ '')
+ list;
+
+ getSSH = name: keys: indexFrom "hostname" name "ssh" keys;
+}
diff --git a/lib/modules.nix b/lib/modules.nix
index bb30ed5..287c1f6 100755
--- a/lib/modules.nix
+++ b/lib/modules.nix
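Review bot: `error` is not a Nix builtin and, as far as the visible code shows, nothing defines it (`with lib;` would only help if nixpkgs' lib exported such a name, and it does not), so the fallback, which `foldr` forces only when no entry matches, fails with an undefined-variable error rather than the message written here; `throw ''...''` is the builtin that produces the intended failure. Either way the behaviour is fail-closed, a mistyped hostname aborts evaluation instead of yielding an empty key list, which is the right property for SSH authorized keys and worth stating on `getSSH`: `# aborts evaluation when name has no entry; never returns an empty or partial result`. `indexFrom` returns the first match in list order, so duplicate `hostname` entries are silently shadowed.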
@@ -1,43 +1,27 @@
-{
- lib,
- self,
- ...
-}: let
- inherit (builtins) attrValues readDir pathExists concatLists;
- inherit (lib.attrsets) mapAttrsToList filterAttrs nameValuePair;
- inherit (lib.strings) hasPrefix hasSuffix removeSuffix;
- inherit (lib.trivial) id;
- inherit (self.attrs) mapFilterAttrs;
+{ lib, ... }:
+
+let
+ inherit (builtins) attrValues readDir pathExists;
+ inherit (lib) id filterAttrs hasPrefix hasSuffix nameValuePair removeSuffix mapAttrs' trace fix fold isAttrs;
 in rec {
- mapModules = dir: fn:
- mapFilterAttrs (n: v: v != null && !(hasPrefix "_" n)) (n: v: let
- path = "${toString dir}/${n}";
- in
- if v == "directory" && pathExists "${path}/default.nix"
- then nameValuePair n (fn path)
- else if v == "regular" && n != "default.nix" && hasSuffix ".nix" n
- then nameValuePair (removeSuffix ".nix" n) (fn path)
- else nameValuePair "" null) (readDir dir);
-
- mapModules' = dir: fn: attrValues (mapModules dir fn);
-
- mapModulesRec = dir: fn:
- mapFilterAttrs (n: v: v != null && !(hasPrefix "_" n)) (n: v: let
- path = "${toString dir}/${n}";
- in
- if v == "directory"
- then nameValuePair n (mapModulesRec path fn)
- else if v == "regular" && n != "default.nix" && hasSuffix ".nix" n
- then nameValuePair (removeSuffix ".nix" n) (fn path)
- else nameValuePair "" null) (readDir dir);
-
- mapModulesRec' = dir: fn: let
- dirs =
- mapAttrsToList (k: _: "${dir}/${k}")
- (filterAttrs (n: v: v == "directory" && !(hasPrefix "_" n))
+ mapModules' = dir: fn: dirfn:
+ filterAttrs
+ (name: type: type != null && !(hasPrefix "_" name))
+ (mapAttrs'
+ (name: type:
+ let path = "${toString dir}/${name}"; in
+ if type == "directory"
+ then nameValuePair name (dirfn path)
+ else if
+ type == "regular" &&
+ name != "default.nix" &&
+ hasSuffix ".nix" name
+ then nameValuePair (removeSuffix ".nix" name) (fn path)
+ else nameValuePair "" null
+ )
 (readDir dir));
- files = attrValues (mapModules dir id);
- paths = files ++ concatLists (map (d: mapModulesRec' d id)
dirs);
- in
- map fn paths;
+
+ mapModules = dir: fn: mapModules' dir fn (path: if pathExists "${path}/default.nix" then fn path else null);
+ mapModulesRec = dir: fn: mapModules' dir fn (path: mapModulesRec path fn);
+ mapModulesRec' = dir: fn: fix (f: attrs: fold (x: xs: (if isAttrs x then f x else [x]) ++ xs) [] (attrValues attrs)) (mapModulesRec dir fn);
 }
diff --git a/lib/nixos.nix b/lib/nixos.nix
index e39e809..464bf91 100755
--- a/lib/nixos.nix
+++ b/lib/nixos.nix
@@ -1,35 +1,21 @@
+{ inputs, lib, pkgs, ... }:
+
+with lib;
 {
- inputs,
- lib,
- pkgs,
- self,
- ...
-}: let
- inherit (inputs.nixpkgs.lib) nixosSystem;
- inherit (builtins) baseNameOf elem;
- inherit (lib.attrsets) filterAttrs;
- inherit (lib.modules) mkDefault;
- inherit (lib.strings) removeSuffix;
- inherit (self.modules) mapModules;
-in rec {
- mkHost = path: attrs @ {system ? "aarch64-linux", ...}:
+ mkHost = path: attrs@{ system, ... }:
 nixosSystem {
 inherit system;
-
- specialArgs = {inherit lib inputs system;};
-
+ specialArgs = { inherit lib inputs system; };
 modules = [
 {
 nixpkgs.pkgs = pkgs;
- networking.hostName =
- mkDefault (removeSuffix ".nix" (baseNameOf path));
+ networking.hostName = mkDefault (removeSuffix ".nix" (baseNameOf path));
 }
- (filterAttrs (n: v: !elem n ["system"]) attrs)
- ../. # /default.nix
+ (filterAttrs (n: v: !elem n [ "system" ]) attrs)
+
+ ../.
+ (import path)
 ];
 };
-
- mapHosts = dir: attrs @ {system ? system, ...}:
- mapModules dir (hostPath: mkHost hostPath attrs);
 }
diff --git a/modules/security.nix b/modules/security.nix
index 474b50c..7f56006 100755
--- a/modules/security.nix
+++ b/modules/security.nix
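Review bot: In `mapModules'` the predicate handed to `filterAttrs` is written `(name: type: type != null && ...)`, but by then `mapAttrs'` has already replaced the `readDir` type strings with the mapped values (`fn path`, `dirfn path` or `null`), so `type` is really the module value and the name invites a reader to think the filter still inspects directory-entry types; `(name: value: value != null && ...)` says what it does. Every non-module entry (`default.nix`, non-`.nix` files, symlinks) collapses onto the one `nameValuePair "" null` before filtering, which works but is easy to misread, so a comment such as `# non-module entries map to "" = null and are dropped by the filter above` is warranted. `fold` is the historical alias of `foldr` in nixpkgs lib; `foldr` names the intent directly. The hunk starts on the previous line.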
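Review bot: `mkHost` now takes `system` as a required argument and forwards it to `nixosSystem`, but the module it prepends pins `nixpkgs.pkgs = pkgs`, and `pkgs` is the single aarch64-linux package set built in flake.nix, so a host evaluated with any other `system` would still be handed aarch64 packages. Either derive `pkgs` from the `system` argument inside `mkHost` or document the constraint, `# pkgs is fixed to the flake-level system; per-host system selection is not supported yet`; the readme hunk in this commit removes the "per-host architecture selection" todo while this limitation still stands. `removeSuffix ".nix" (baseNameOf path)` handles both the `hosts/<name>/` directories and `<name>.nix` files that `mapModules` can produce, so the hostname default is fine.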
@@ -14,38 +14,24 @@ in {
 tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
 kernel.sysctl = {
- # magic sysrq key, allows low-level commands through keyboard input
 "kernel.sysrq" = 0;
- ## TCP hardening
- # prevent bogus ICMP errors from filling up logs
- "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
- # do not accept IP source packets (we are not a router)
- "net.ipv4.conf.all.accept_source_route" = 0;
- "net.ipv6.conf.all.accept_source_route" = 0;
- # Don't send ICMP redirects (again, we're not a router)
- "net.ipv4.conf.all.send_redirects" = 0;
+ "net.ipv4.conf.all.accept_source_code" = 0;
+ "net.ipv6.conf.all.accept_source_code" = 0;
 "net.ipv4.conf.default.send_redirects" = 0;
- # refuse ICMP redirects (MITM mitigations)
- "net.ipv4.conf.all.accept_redirects" = 0;
+ "net.ipv4.conf.all.send_redirects" = 0;
 "net.ipv4.conf.default.accept_redirects" = 0;
- "net.ipv4.conf.all.secure_redirects" = 0;
- "net.ipv4.conf.default.secure_redirects" = 0;
- "net.ipv6.conf.all.accept_redirects" = 0;
+ "net.ipv4.conf.all.accept_redirects" = 0;
 "net.ipv6.conf.default.accept_redirects" = 0;
- # protects against SYN flood attacks
+ "net.ipv6.conf.all.accept_redirects" = 0;
+ "net.ipv4.conf.default.secure_redirects" = 0;
+ "net.ipv4.conf.all.secure_redirects" = 0;
 "net.ipv4.tcp_syncookies" = 1;
- # incomplete protection against TIME-WAIT assassination
 "net.ipv4.tcp_rfc1337" = 1;
-
- ## TCP optimization
- # TCP fastopen
 "net.ipv4.tcp_fastopen" = 3;
- # bufferbloat mitigations + improvement in throughput and latency
 "net.ipv4.tcp_conjestion_control" = "bbr";
 "net.core.default_qdisc" = "cake";
 };
- kernelModules = [ "tcp_bbr" ];
 };
 security = {
diff --git a/modules/services/forgejo.nix b/modules/services/forgejo.nix
index 4743b4c..babc2bd 100755
--- a/modules/services/forgejo.nix
+++ b/modules/services/forgejo.nix
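Review bot: The added lines `"net.ipv4.conf.all.accept_source_code" = 0;` and `"net.ipv6.conf.all.accept_source_code" = 0;` replace the real keys `accept_source_route`; no sysctl of that name exists, so systemd-sysctl will log an error for them at apply time and source-routed packets are left at the kernel default instead of being refused, which undoes the hardening the removed comments described. The hunk also keeps `"net.ipv4.tcp_conjestion_control" = "bbr";` (the key is `tcp_congestion_control`) while deleting `kernelModules = [ "tcp_bbr" ];`, so BBR is neither requested under its correct name nor guaranteed to be loadable, and it drops `net.ipv4.icmp_ignore_bogus_error_responses` together with every explanatory comment without saying why; if those removals are intended, the commit message should say so. The excerpt below restores the correct keys and the module load; the redirect, syncookie, rfc1337 and fastopen lines are unchanged.

```nix
      kernel.sysctl = {
        "kernel.sysrq" = 0;
        # do not accept source-routed packets (this host is not a router)
        "net.ipv4.conf.all.accept_source_route" = 0;
        "net.ipv6.conf.all.accept_source_route" = 0;
        # … unchanged: send_redirects / accept_redirects / secure_redirects / tcp_syncookies / tcp_rfc1337 / tcp_fastopen …
        # bufferbloat mitigation; key name must match the kernel's exactly or it is ignored
        "net.ipv4.tcp_congestion_control" = "bbr";
        "net.core.default_qdisc" = "cake";
      };
      # bbr is a loadable module on most kernels; load it so the sysctl above can take effect
      kernelModules = [ "tcp_bbr" ];
```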
@@ -11,7 +11,10 @@ let
 };
 in {
 options.modules.services.forgejo = {
- enable = mkEnableOption "enable forgejo, a lightweight git server";
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ };
 domain = mkOption {
 type = types.str;
 default = "git.reidlab.online";
diff --git a/modules/services/metrics.nix b/modules/services/metrics.nix
index 1cbd26b..270f71c 100644
--- a/modules/services/metrics.nix
+++ b/modules/services/metrics.nix
@@ -5,7 +5,10 @@ let
 cfg = config.modules.services.metrics;
 in {
 options.modules.services.metrics = {
- enable = mkEnableOption "enable grafana with loki, prometheus, and promtail";
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ };
 domain = mkOption {
 type = types.str;
 default = "grafana.reidlab.online";
diff --git a/modules/services/mosh.nix b/modules/services/mosh.nix
index 2860c6f..da344a3 100755
--- a/modules/services/mosh.nix
+++ b/modules/services/mosh.nix
@@ -5,7 +5,10 @@ let
 cfg = config.modules.services.mosh;
 in {
 options.modules.services.mosh = {
- enable = mkEnableOption "enable mosh, the mobile SSH shell";
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ };
 };
 config = mkIf cfg.enable {
diff --git a/modules/services/nginx-conf.nix b/modules/services/nginx-conf.nix
index f446f57..f3dc6a8 100755
--- a/modules/services/nginx-conf.nix
+++ b/modules/services/nginx-conf.nix
@@ -5,7 +5,10 @@ let
 cfg = config.modules.services.nginx-config;
 in {
 options.modules.services.nginx-config = {
- enable = mkEnableOption "enable nginx, a high performance web server along with default configurations";
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ };
 package = mkOption {
 type = types.package;
diff --git a/modules/services/postgres.nix b/modules/services/postgres.nix
index 5074c6c..abde301 100755
--- a/modules/services/postgres.nix
+++ b/modules/services/postgres.nix
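Review bot: Replacing `mkEnableOption "enable forgejo, a lightweight git server"` with a bare `mkOption { type = types.bool; default = false; }` drops the option's description entirely, so `modules.services.forgejo.enable` now appears undocumented in any generated option listing; if the motivation was the doubled "enable enable" wording, `mkEnableOption "forgejo, a lightweight git server"` fixes that while keeping the generated "Whether to enable …" text, otherwise add `description = "Whether to enable forgejo, a lightweight git server.";` inside the new mkOption. The same applies to the metrics, mosh and nginx-conf hunks on this line and to postgres and redis below; only ssh.nix keeps a description, which leaves the module set inconsistent.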
@@ -5,7 +5,10 @@ let
 cfg = config.modules.services.postgres;
 in {
 options.modules.services.postgres = {
- enable = mkEnableOption "enable postgres, the database industry standard";
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ };
 };
 config = mkIf cfg.enable {
diff --git a/modules/services/redis.nix b/modules/services/redis.nix
index 30f1888..cc8ae4b 100755
--- a/modules/services/redis.nix
+++ b/modules/services/redis.nix
@@ -5,7 +5,10 @@ let
 cfg = config.modules.services.redis;
 in {
 options.modules.services.redis = {
- enable = mkEnableOption "enable redis, a speedy cache database";
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ };
 };
 config = mkIf cfg.enable {
diff --git a/modules/services/ssh.nix b/modules/services/ssh.nix
index 59fc01c..e8dba7c 100755
--- a/modules/services/ssh.nix
+++ b/modules/services/ssh.nix
@@ -5,7 +5,11 @@ let
 cfg = config.modules.services.ssh;
 in {
 options.modules.services.ssh = {
- enable = mkEnableOption "enable openssh, a server for remote shell access";
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Provide system SSH support though OpenSSH.";
+ };
 requirePassword = mkOption {
 type = types.bool;
diff --git a/readme.md b/readme.md
index 955a65a..a0fc4d7 100755
--- a/readme.md
+++ b/readme.md
@@ -18,7 +18,8 @@ before committing, please run `nix flake check` and make sure everything is ok
 ## todo
-- remove the lua static stuff from nginx + the cf ip
-- per-host architecture selection, atm it is hardcoded to `aarch64`
-- some weird perl error abt locales when building??? it only happened after the big lib update. help me
-- leverage nixos-hardware
+- analytics using matomo
+- php support in staticsites
+- no more luapackagepath. please stop.
+- not sure if this is cloudflare doing this or our acme config, but accessing invalid subdomains returns a dumb ssl error
+- this is not related to the flake but it is to the site. transfer from namecheap to porkbun plz
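Review bot: The new `description = "Provide system SSH support though OpenSSH.";` has a typo, `though` for `through`, and this string is what ends up in generated option documentation; `description = "Whether to enable OpenSSH for remote shell access.";` fixes it and matches the "Whether to enable" phrasing the other `enable` options got from `mkEnableOption`. The `requirePassword` option that follows starts inside the hunk but its body runs past it.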