lbailly/infrastructure
1
0
Fork 0
forked from DGNum/infrastructure
Code Pull requests Activity

chore: pre-commit hooks are supposed to be run....

Browse source
This commit is contained in:
sinavir 2024-03-10 01:03:30 +01:00
parent d946894d8f
commit 581fa6b560
21 changed files with 348 additions and 382 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

63
default.nix
View file

@ -1,36 +1,37 @@
/* Copyright :
- Maurice Debray <maurice.debray@dgnum.eu> 2023
- Tom Hubrecht <tom.hubrecht@dgnum.eu> 2023
/*
Copyright :
- Maurice Debray <maurice.debray@dgnum.eu> 2023
- Tom Hubrecht <tom.hubrecht@dgnum.eu> 2023
Ce logiciel est un programme informatique servant à déployer des
configurations de serveurs via NixOS.
Ce logiciel est un programme informatique servant à déployer des
configurations de serveurs via NixOS.
Ce logiciel est régi par la licence CeCILL soumise au droit français et
respectant les principes de diffusion des logiciels libres. Vous pouvez
utiliser, modifier et/ou redistribuer ce programme sous les conditions
de la licence CeCILL telle que diffusée par le CEA, le CNRS et l'INRIA
sur le site "http://www.cecill.info".
Ce logiciel est régi par la licence CeCILL soumise au droit français et
respectant les principes de diffusion des logiciels libres. Vous pouvez
utiliser, modifier et/ou redistribuer ce programme sous les conditions
de la licence CeCILL telle que diffusée par le CEA, le CNRS et l'INRIA
sur le site "http://www.cecill.info".
En contrepartie de l'accessibilité au code source et des droits de copie,
de modification et de redistribution accordés par cette licence, il n'est
offert aux utilisateurs qu'une garantie limitée. Pour les mêmes raisons,
seule une responsabilité restreinte pèse sur l'auteur du programme, le
titulaire des droits patrimoniaux et les concédants successifs.
En contrepartie de l'accessibilité au code source et des droits de copie,
de modification et de redistribution accordés par cette licence, il n'est
offert aux utilisateurs qu'une garantie limitée. Pour les mêmes raisons,
seule une responsabilité restreinte pèse sur l'auteur du programme, le
titulaire des droits patrimoniaux et les concédants successifs.
A cet égard l'attention de l'utilisateur est attirée sur les risques
associés au chargement, à l'utilisation, à la modification et/ou au
développement et à la reproduction du logiciel par l'utilisateur étant
donné sa spécificité de logiciel libre, qui peut le rendre complexe à
manipuler et qui le réserve donc à des développeurs et des professionnels
avertis possédant des connaissances informatiques approfondies. Les
utilisateurs sont donc invités à charger et tester l'adéquation du
logiciel à leurs besoins dans des conditions permettant d'assurer la
sécurité de leurs systèmes et ou de leurs données et, plus généralement,
à l'utiliser et l'exploiter dans les mêmes conditions de sécurité.
A cet égard l'attention de l'utilisateur est attirée sur les risques
associés au chargement, à l'utilisation, à la modification et/ou au
développement et à la reproduction du logiciel par l'utilisateur étant
donné sa spécificité de logiciel libre, qui peut le rendre complexe à
manipuler et qui le réserve donc à des développeurs et des professionnels
avertis possédant des connaissances informatiques approfondies. Les
utilisateurs sont donc invités à charger et tester l'adéquation du
logiciel à leurs besoins dans des conditions permettant d'assurer la
sécurité de leurs systèmes et ou de leurs données et, plus généralement,
à l'utiliser et l'exploiter dans les mêmes conditions de sécurité.
Le fait que vous puissiez accéder à cet en-tête signifie que vous avez
pris connaissance de la licence CeCILL, et que vous en avez accepté les
termes.
Le fait que vous puissiez accéder à cet en-tête signifie que vous avez
pris connaissance de la licence CeCILL, et que vous en avez accepté les
termes.
*/
let
@ -59,9 +60,9 @@ let
in
{
nodes = builtins.mapAttrs (host: { site, ... }: "${host}.${site}.infra.dgnum.eu") (
import ./meta/nodes.nix
);
nodes = builtins.mapAttrs (
host: { site, ... }: "${host}.${site}.infra.dgnum.eu"
) (import ./meta/nodes.nix);
dns = import ./meta/dns.nix;

6
iso/configuration.nix
View file

@ -33,7 +33,7 @@ in
openssh.enable = true;
};
users.users.root.openssh.authorizedKeys.keyFiles =
builtins.map (m: dgn-lib.mkRel ../keys "${m}.keys")
dgn-members;
users.users.root.openssh.authorizedKeys.keyFiles = builtins.map (
m: dgn-lib.mkRel ../keys "${m}.keys"
) dgn-members;
}

7
lib/default.nix
View file

@ -20,10 +20,9 @@ lib.extra
getNodeKeys =
node:
let
names =
builtins.foldl' (names: group: names ++ meta.organization.groups.${group})
(meta.nodes.${node}.admins ++ [ "/machines/${node}" ])
meta.nodes.${node}.adminGroups;
names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
meta.nodes.${node}.admins ++ [ "/machines/${node}" ]
) meta.nodes.${node}.adminGroups;
in
rootKeys ++ (getAllKeys names);

12
machines/compute01/arkheon.nix
View file

@ -10,13 +10,11 @@
(import sources.nixos-unstable {
overlays = [ (import (sources.arkheon.outPath + "/overlay.nix")) ];
}).python3.withPackages
(
ps: [
ps.arkheon
ps.daphne
ps.psycopg2
]
);
(ps: [
ps.arkheon
ps.daphne
ps.psycopg2
]);
domain = "arkheon.dgnum.eu";

36
machines/compute01/k-radius/module.nix
View file

@ -29,11 +29,9 @@ in
freeradius = mkOption {
type = types.package;
default = pkgs.freeradius.overrideAttrs (
old: {
buildInputs = (old.buildInputs or [ ]) ++ [ (pkgs.python3.withPackages (ps: [ ps.kanidm ])) ];
}
);
default = pkgs.freeradius.overrideAttrs (old: {
buildInputs = (old.buildInputs or [ ]) ++ [ (pkgs.python3.withPackages (ps: [ ps.kanidm ])) ];
});
};
configDir = mkOption {
@ -126,21 +124,19 @@ in
rm ${cfg.configDir}/clients.conf && touch ${cfg.configDir}/clients.conf
${builtins.concatStringsSep "\n" (
builtins.attrValues (
builtins.mapAttrs
(
name:
{ secret, ipaddr }:
''
cat <<EOF >> ${cfg.configDir}/clients.conf
client ${name} {
ipaddr = ${ipaddr}
secret = $(cat "${secret}")
proto = *
}
EOF
''
)
cfg.radiusClients
builtins.mapAttrs (
name:
{ secret, ipaddr }:
''
cat <<EOF >> ${cfg.configDir}/clients.conf
client ${name} {
ipaddr = ${ipaddr}
secret = $(cat "${secret}")
proto = *
}
EOF
''
) cfg.radiusClients
)
)}

4
machines/compute01/k-radius/packages/pykanidm.nix
View file

@ -31,7 +31,9 @@ python3.pkgs.buildPythonPackage {
aiohttp
pydantic
toml
(authlib.overridePythonAttrs (_: { doCheck = false; }))
(authlib.overridePythonAttrs (_: {
doCheck = false;
}))
];
doCheck = false;

10
machines/compute01/librenms/default.nix
View file

@ -12,12 +12,10 @@ in
package =
(pkgs.librenms.override { inherit (config.services.librenms) dataDir logDir; }).overrideAttrs
(
old: {
patches = (old.patches or [ ]) ++ [ ./kanidm.patch ];
vendorHash = "sha256-2RgtMXQp4fTE+WloO36rtfytO4Sh2q0plt8WkWxEGHI=";
}
);
(old: {
patches = (old.patches or [ ]) ++ [ ./kanidm.patch ];
vendorHash = "sha256-2RgtMXQp4fTE+WloO36rtfytO4Sh2q0plt8WkWxEGHI=";
});
hostname = host;

24
machines/compute01/librenms/module.nix
View file

@ -198,13 +198,11 @@ in
poolConfig = mkOption {
type =
with types;
attrsOf (
oneOf [
str
int
bool
]
);
attrsOf (oneOf [
str
int
bool
]);
default = {
"pm" = "dynamic";
"pm.max_children" = 32;
@ -221,9 +219,9 @@ in
nginx = mkOption {
type = types.submodule (
recursiveUpdate
(import "${modulesPath}/services/web-servers/nginx/vhost-options.nix" { inherit config lib; })
{ }
recursiveUpdate (import "${modulesPath}/services/web-servers/nginx/vhost-options.nix" {
inherit config lib;
}) { }
);
default = { };
example = literalExpression ''
@ -392,9 +390,9 @@ in
}
// (lib.optionalAttrs cfg.distributedPoller.enable {
"distributed_poller" = true;
"distributed_poller_name" =
lib.mkIf (cfg.distributedPoller.name != null)
cfg.distributedPoller.name;
"distributed_poller_name" = lib.mkIf (
cfg.distributedPoller.name != null
) cfg.distributedPoller.name;
"distributed_poller_group" = cfg.distributedPoller.group;
"distributed_billing" = cfg.distributedPoller.distributedBilling;
"distributed_poller_memcached_host" = cfg.distributedPoller.memcachedHost;

10
machines/compute01/satosa/module.nix
View file

@ -23,12 +23,10 @@ let
mkYamlFiles =
files: builtins.attrValues (builtins.mapAttrs (name: yamlFormat.generate "${name}.yaml") files);
pyEnv = cfg.package.python.withPackages (
ps: [
cfg.package
ps.gunicorn
]
);
pyEnv = cfg.package.python.withPackages (ps: [
cfg.package
ps.gunicorn
]);
in
{
options.services.satosa = {

33
machines/storage01/netbird/module.nix
View file

@ -30,9 +30,9 @@ let
managementFormat = pkgs.formats.json { };
settingsFile = settingsFormat.generate "setup.env" (
builtins.mapAttrs
(_: val: if builtins.isList val then ''"${builtins.concatStringsSep " " val}"'' else val)
settings
builtins.mapAttrs (
_: val: if builtins.isList val then ''"${builtins.concatStringsSep " " val}"'' else val
) settings
);
managementFile = managementFormat.generate "config.json" cfg.managementConfig;
@ -106,9 +106,9 @@ let
NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT = "";
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS = [ "53000" ];
NETBIRD_AUTH_PKCE_REDIRECT_URLS =
builtins.map (p: "http://localhost:${p}")
cfg.settings.NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS or NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS;
NETBIRD_AUTH_PKCE_REDIRECT_URLS = builtins.map (
p: "http://localhost:${p}"
) cfg.settings.NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS or NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS;
}
// (optionalAttrs cfg.setupAutoOidc {
NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT = "$NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT";
@ -138,15 +138,13 @@ in
type =
with types;
attrsOf (
nullOr (
oneOf [
(listOf str)
bool
int
float
str
]
)
nullOr (oneOf [
(listOf str)
bool
int
float
str
])
);
defaultText = lib.literalExpression ''
{
@ -493,8 +491,9 @@ in
export AUTH_AUTHORITY="$NETBIRD_AUTH_AUTHORITY"
export AUTH_CLIENT_ID="$NETBIRD_AUTH_CLIENT_ID"
${optionalString (cfg.secretFiles.AUTH_CLIENT_SECRET == null)
''export AUTH_CLIENT_SECRET="$NETBIRD_AUTH_CLIENT_SECRET"''}
${optionalString (
cfg.secretFiles.AUTH_CLIENT_SECRET == null
) ''export AUTH_CLIENT_SECRET="$NETBIRD_AUTH_CLIENT_SECRET"''}
export AUTH_AUDIENCE="$NETBIRD_AUTH_AUDIENCE"
export AUTH_REDIRECT_URI="$NETBIRD_AUTH_REDIRECT_URI"
export AUTH_SILENT_REDIRECT_URI="$NETBIRD_AUTH_SILENT_REDIRECT_URI"

166
machines/web01/crabfit/packages/crabfit-frontend/default.nix
View file

@ -11,105 +11,103 @@
frontend_url ? "crab.fit",
}:
stdenv.mkDerivation (
finalAttrs: {
pname = "crabfit-frontend";
version = "unstable-2023-08-02";
stdenv.mkDerivation (finalAttrs: {
pname = "crabfit-frontend";
version = "unstable-2023-08-02";
src = fetchFromGitHub {
owner = "GRA0007";
repo = "crab.fit";
rev = "628f9eefc300bf1ed3d6cc3323332c2ed9b8a350";
hash = "sha256-jy8BrJSHukRenPbZHw4nPx3cSi7E2GSg//WOXDh90mY=";
};
src = fetchFromGitHub {
owner = "GRA0007";
repo = "crab.fit";
rev = "628f9eefc300bf1ed3d6cc3323332c2ed9b8a350";
hash = "sha256-jy8BrJSHukRenPbZHw4nPx3cSi7E2GSg//WOXDh90mY=";
};
sourceRoot = "source/frontend";
sourceRoot = "source/frontend";
patches = [
./01-privacy.patch
./02-karla.patch
./03-standalone.patch
./04-frontend_url.patch
./05-dgnum.patch
./06-download.patch
./07-colormap.patch
];
patches = [
./01-privacy.patch
./02-karla.patch
./03-standalone.patch
./04-frontend_url.patch
./05-dgnum.patch
./06-download.patch
./07-colormap.patch
];
offlineCache = fetchYarnDeps {
yarnLock = "${finalAttrs.src}/frontend/yarn.lock";
hash = "sha256-jkyQygwHdLlEZ1tlSQOh72nANp2F29rZbTXvKQStvGc=";
};
offlineCache = fetchYarnDeps {
yarnLock = "${finalAttrs.src}/frontend/yarn.lock";
hash = "sha256-jkyQygwHdLlEZ1tlSQOh72nANp2F29rZbTXvKQStvGc=";
};
nativeBuildInputs = [
nodejs
yarn
fixup_yarn_lock
];
nativeBuildInputs = [
nodejs
yarn
fixup_yarn_lock
];
postPatch = ''
substituteInPlace \
public/robots.txt \
public/sitemap.xml \
src/app/\[id\]/page.tsx \
src/app/layout.tsx \
src/components/CreateForm/components/EventInfo/EventInfo.tsx \
src/i18n/locales/de/help.json \
src/i18n/locales/en-GB/help.json \
src/i18n/locales/en/help.json \
src/i18n/locales/es/help.json \
src/i18n/locales/fr/help.json \
src/i18n/locales/hi/help.json \
src/i18n/locales/id/help.json \
src/i18n/locales/it/help.json \
src/i18n/locales/ko/help.json \
src/i18n/locales/pt-BR/help.json \
src/i18n/locales/pt-PT/help.json \
src/i18n/locales/ru/help.json \
--replace "@FRONTEND_URL@" "${frontend_url}"
'';
postPatch = ''
substituteInPlace \
public/robots.txt \
public/sitemap.xml \
src/app/\[id\]/page.tsx \
src/app/layout.tsx \
src/components/CreateForm/components/EventInfo/EventInfo.tsx \
src/i18n/locales/de/help.json \
src/i18n/locales/en-GB/help.json \
src/i18n/locales/en/help.json \
src/i18n/locales/es/help.json \
src/i18n/locales/fr/help.json \
src/i18n/locales/hi/help.json \
src/i18n/locales/id/help.json \
src/i18n/locales/it/help.json \
src/i18n/locales/ko/help.json \
src/i18n/locales/pt-BR/help.json \
src/i18n/locales/pt-PT/help.json \
src/i18n/locales/ru/help.json \
--replace "@FRONTEND_URL@" "${frontend_url}"
'';
configurePhase = ''
runHook preConfigure
configurePhase = ''
runHook preConfigure
export HOME="$PWD"
export HOME="$PWD"
echo 'NEXT_PUBLIC_API_URL="${api_url}"' > .env.local
echo 'NEXT_PUBLIC_API_URL="${api_url}"' > .env.local
fixup_yarn_lock yarn.lock
yarn config --offline set yarn-offline-mirror ${finalAttrs.offlineCache}
yarn install --offline --frozen-lockfile --ignore-platform --ignore-scripts --no-progress --non-interactive
patchShebangs node_modules
fixup_yarn_lock yarn.lock
yarn config --offline set yarn-offline-mirror ${finalAttrs.offlineCache}
yarn install --offline --frozen-lockfile --ignore-platform --ignore-scripts --no-progress --non-interactive
patchShebangs node_modules
mkdir -p src/app/fonts
cp "${
google-fonts.override { fonts = [ "Karla" ]; }
}/share/fonts/truetype/Karla[wght].ttf" src/app/fonts/karla.ttf
mkdir -p src/app/fonts
cp "${
google-fonts.override { fonts = [ "Karla" ]; }
}/share/fonts/truetype/Karla[wght].ttf" src/app/fonts/karla.ttf
runHook postConfigure
'';
runHook postConfigure
'';
buildPhase = ''
runHook preBuild
buildPhase = ''
runHook preBuild
NODE_ENV=production yarn build
NODE_ENV=production yarn build
runHook postBuild
'';
runHook postBuild
'';
installPhase = ''
mkdir $out
cp -R .next/* $out
cp -R public $out/standalone/
cp -R .next/static $out/standalone/.next
installPhase = ''
mkdir $out
cp -R .next/* $out
cp -R public $out/standalone/
cp -R .next/static $out/standalone/.next
ln -s /var/cache/crabfit $out/standalone/.next/cache
'';
ln -s /var/cache/crabfit $out/standalone/.next/cache
'';
meta = with lib; {
description = "Enter your availability to find a time that works for everyone";
homepage = "https://github.com/GRA0007/crab.fit";
license = licenses.gpl3;
maintainers = with maintainers; [ thubrecht ];
};
}
)
meta = with lib; {
description = "Enter your availability to find a time that works for everyone";
homepage = "https://github.com/GRA0007/crab.fit";
license = licenses.gpl3;
maintainers = with maintainers; [ thubrecht ];
};
})

72
machines/web01/linkal/module.nix
View file

@ -28,7 +28,9 @@ in
package = mkOption {
type = types.package;
default = package.overrideAttrs (_: { buildInputs = [ ]; });
default = package.overrideAttrs (_: {
buildInputs = [ ];
});
};
domain = mkOption { type = types.str; };
@ -38,36 +40,31 @@ in
let
inherit (types) attrsOf port submodule;
in
attrsOf (
submodule {
options = {
port = mkOption { type = port; };
calendars = mkOption { inherit (jsonFormat) type; };
};
}
);
attrsOf (submodule {
options = {
port = mkOption { type = port; };
calendars = mkOption { inherit (jsonFormat) type; };
};
});
default = { };
};
};
config = mkIf cfg.enable {
systemd.services =
mapAttrs'
(
name:
{ port, calendars }:
nameValuePair "linkal-${name}" {
description = "Linkal - ${name}";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
ExecStart = "${cfg.package}/bin/linkal --port ${builtins.toString port} --calendar-file ${
jsonFormat.generate "linkal-${name}.json" { inherit calendars; }
}";
};
}
)
cfg.calendarGroups;
systemd.services = mapAttrs' (
name:
{ port, calendars }:
nameValuePair "linkal-${name}" {
description = "Linkal - ${name}";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
ExecStart = "${cfg.package}/bin/linkal --port ${builtins.toString port} --calendar-file ${
jsonFormat.generate "linkal-${name}.json" { inherit calendars; }
}";
};
}
) cfg.calendarGroups;
# Configure bind for DNS certificate validation on *.cal.dgnum.eu.
# services.bind = {
@ -107,20 +104,17 @@ in
services.nginx = {
enable = true;
virtualHosts =
mapAttrs'
(
name:
{ port, ... }:
nameValuePair "${name}.${cfg.domain}" {
enableACME = true;
# acmeRoot = null; # Use DNS-01 validation
forceSSL = true;
virtualHosts = mapAttrs' (
name:
{ port, ... }:
nameValuePair "${name}.${cfg.domain}" {
enableACME = true;
# acmeRoot = null; # Use DNS-01 validation
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString port}/";
}
)
cfg.calendarGroups;
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString port}/";
}
) cfg.calendarGroups;
};
};
}

25
machines/web01/metis/default.nix
View file

@ -16,20 +16,17 @@ in
forceSSL = true;
root = metis.production;
locations =
lib.mapAttrs'
(
name: value:
lib.nameValuePair "/cal/${name}/" {
extraConfig = ''
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass ${value};
'';
}
)
providers;
locations = lib.mapAttrs' (
name: value:
lib.nameValuePair "/cal/${name}/" {
extraConfig = ''
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass ${value};
'';
}
) providers;
extraConfig = ''
rewrite ^/calendrier(.*)$ $1 permanent;

18
machines/web01/redirections.nix
View file

@ -6,16 +6,14 @@ let
mkRetired =
hosts:
builtins.listToAttrs (
builtins.map
(name: {
inherit name;
value = {
enableACME = true;
forceSSL = true;
locations."/".return = "301 https://${retired_host}/${name}";
};
})
hosts
builtins.map (name: {
inherit name;
value = {
enableACME = true;
forceSSL = true;
locations."/".return = "301 https://${retired_host}/${name}";
};
}) hosts
);
mkSub = domain: builtins.map (s: "${s}.${domain}");

25
meta/dns.nix
View file

@ -150,20 +150,17 @@ in
DMARC = [ { p = "none"; } ];
DKIM = kurisuDKIM;
subdomains =
mapAttrs'
(
host:
{ site, ... }:
nameValuePair "${host}.${site}" (
with meta.network.${host}.addresses;
{
A = ipv4;
AAAA = ipv6;
}
)
)
meta.nodes;
subdomains = mapAttrs' (
host:
{ site, ... }:
nameValuePair "${host}.${site}" (
with meta.network.${host}.addresses;
{
A = ipv4;
AAAA = ipv6;
}
)
) meta.nodes;
};
};
}

11
meta/nodes.nix
View file

@ -10,11 +10,12 @@
# nixpkgs = "unstable" or "22.11"; # nixpkgs version
# }
/* Liste des différents sites :
- dmi01 -> VM du NPSPI
- par01 -> Salle serveur sous le pavillon Pasteur
- par02 -> Local DGNum Jourdan
- par03 -> VM de Luj
/*
Liste des différents sites :
- dmi01 -> VM du NPSPI
- par01 -> Salle serveur sous le pavillon Pasteur
- par02 -> Local DGNum Jourdan
- par03 -> VM de Luj
*/
{

34
meta/options.nix
View file

@ -38,25 +38,23 @@ in
options = {
organization = {
members = mkOption {
type = attrsOf (
submodule {
options = {
name = mkOption {
type = str;
description = ''
Name of the member.
'';
};
email = mkOption {
type = str;
description = ''
Main e-mail address of the member.
'';
};
type = attrsOf (submodule {
options = {
name = mkOption {
type = str;
description = ''
Name of the member.
'';
};
}
);
email = mkOption {
type = str;
description = ''
Main e-mail address of the member.
'';
};
};
});
description = ''
Members of the DGNum organization.

5
meta/organization.nix
View file

@ -1,5 +1,6 @@
/* To add a new member add an attribute to `members`
Then add the key to the required groups.
/*
To add a new member add an attribute to `members`
Then add the key to the required groups.
*/
{

6
modules/dgn-access-control.nix
View file

@ -83,8 +83,8 @@ in
# Admins have root access to the node
dgn-access-control.users.root = mkDefault admins;
users.users =
builtins.mapAttrs (_: members: { openssh.authorizedKeys.keys = lib.extra.getAllKeys members; })
cfg.users;
users.users = builtins.mapAttrs (_: members: {
openssh.authorizedKeys.keys = lib.extra.getAllKeys members;
}) cfg.users;
};
}

67
modules/dgn-backups/default.nix
View file

@ -37,9 +37,9 @@ let
{
startAt = starts.${name};
key = config.age.secrets."bupstash-put_key".path;
repositoryCommands =
lib.extra.mapSingleFuse (host: "ssh -i /etc/ssh/ssh_host_ed25519_key bupstash-repo@${host}.dgnum")
to;
repositoryCommands = lib.extra.mapSingleFuse (
host: "ssh -i /etc/ssh/ssh_host_ed25519_key bupstash-repo@${host}.dgnum"
) to;
}
// settings
);
@ -58,46 +58,41 @@ in
};
jobs = mkOption {
type = attrsOf (
submodule {
options = {
to = mkOption {
type = listOf str;
default = remove name [
"compute01"
"geo01"
"geo02"
"storage01"
];
description = "Hosts to send the backups to.";
};
settings = mkOption {
type = attrs;
default = { };
description = "Base bupstash job config.";
};
type = attrsOf (submodule {
options = {
to = mkOption {
type = listOf str;
default = remove name [
"compute01"
"geo01"
"geo02"
"storage01"
];
description = "Hosts to send the backups to.";
};
}
);
settings = mkOption {
type = attrs;
default = { };
description = "Base bupstash job config.";
};
};
});
default = { };
description = "List of bupstash jobs.";
};
};
config = {
dgn-backups.jobs =
lib.extra.mapFuse
(db: {
"${db}-db".settings = {
user = "postgres";
command = [
"${lib.getExe' config.services.postgresql.package "pg_dump"}"
db
];
};
})
cfg.postgresDatabases;
dgn-backups.jobs = lib.extra.mapFuse (db: {
"${db}-db".settings = {
user = "postgres";
command = [
"${lib.getExe' config.services.postgresql.package "pg_dump"}"
db
];
};
}) cfg.postgresDatabases;
services.bupstash = {
repositories = {

96
modules/dgn-hardware.nix
View file

@ -41,56 +41,54 @@ in
};
};
config = mkIf cfg.enable (
mkMerge [
{
hardware.enableRedistributableFirmware = true;
hardware.cpu.intel.updateMicrocode = true;
config = mkIf cfg.enable (mkMerge [
{
hardware.enableRedistributableFirmware = true;
hardware.cpu.intel.updateMicrocode = true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
boot = {
initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"ehci_pci"
"virtio_pci"
"ahci"
"virtio_blk"
];
kernelModules = [ "kvm-intel" ];
kernelParams = [
"cgroup_enable=cpu"
"cgroup_enable=cpuset"
"cgroup_enable=memory"
"cgroup_memory=1"
];
boot = {
initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"ehci_pci"
"virtio_pci"
"ahci"
"virtio_blk"
];
kernelModules = [ "kvm-intel" ];
kernelParams = [
"cgroup_enable=cpu"
"cgroup_enable=cpuset"
"cgroup_enable=memory"
"cgroup_memory=1"
];
};
}
(mkIf cfg.useSystemd {
boot.loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
})
(mkIf cfg.useBcachefs {
boot.supportedFilesystems = [ "bcachefs" ];
boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_7;
})
(mkIf cfg.useZfs {
boot = {
supportedFilesystems = [ "zfs" ];
zfs = {
forceImportRoot = false;
extraPools = cfg.zfsPools;
package = pkgs.zfs_2_1;
};
}
(mkIf cfg.useSystemd {
boot.loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
})
(mkIf cfg.useBcachefs {
boot.supportedFilesystems = [ "bcachefs" ];
boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_7;
})
(mkIf cfg.useZfs {
boot = {
supportedFilesystems = [ "zfs" ];
zfs = {
forceImportRoot = false;
extraPools = cfg.zfsPools;
package = pkgs.zfs_2_1;
};
};
})
]
);
};
})
]);
}