From 4c62d9a41845632afd11603fb4c10b0b3fd7a7af Mon Sep 17 00:00:00 2001 From: tanneberger Date: Sun, 9 Jun 2024 17:55:24 +0200 Subject: [PATCH] formatting and updating to 24.05 --- flake.lock | 38 ++++++++++----------- flake.nix | 40 +++++++++++------------ hosts/notice-me-senpai/grafana.nix | 2 +- hosts/tram-borzoi/postgres.nix | 5 +-- modules/TLMS/base.nix | 1 + modules/TLMS/wg.nix | 3 +- modules/data-hoarder/kindergarten.nix | 9 ++--- modules/data-hoarder/nginx.nix | 3 +- modules/data-hoarder/postgres.nix | 31 +++++++++--------- modules/data-hoarder/secrets.nix | 3 +- modules/data-hoarder/website.nix | 12 +++---- modules/traffic-stop-box/radio-config.nix | 22 +++++++------ 12 files changed, 87 insertions(+), 82 deletions(-) diff --git a/flake.lock b/flake.lock index f759826..89d57d5 100644 --- a/flake.lock +++ b/flake.lock @@ -350,11 +350,11 @@ "pnpm2nix": "pnpm2nix" }, "locked": { - "lastModified": 1715280755, - "narHash": "sha256-zVkHdgFmpJ1NCmp1AQ18oT5QsbEewyqkH67wZP0uzRo=", + "lastModified": 1716148172, + "narHash": "sha256-+rKHw/bkFXiqPtVRtY/A5ER0DDdgp4aFn/6iGoE4y8s=", "owner": "tlm-solutions", "repo": "kindergarten", - "rev": "3df46c35ba76ed22e25161c7cea0ae3cedf22631", + "rev": "7f9f8d229528ee4542a4734423af26d2eb6c6b24", "type": "github" }, "original": { @@ -399,11 +399,11 @@ "spectrum": "spectrum" }, "locked": { - "lastModified": 1714764302, - "narHash": "sha256-MmIZR67wOP3Nr9b3XpsvHSZSTDcTmd9cQn2Z8pW1/Hw=", + "lastModified": 1717441449, + "narHash": "sha256-juxjgmLnFbl+/hhIO2cVtIa6caCO4pLKlZWUMwAOznM=", "owner": "astro", "repo": "microvm.nix", - "rev": "e9977efbe34b554c3e393dc9a18509905a4080e5", + "rev": "e3a4dd5b381fb580804105594cc9c71dc45abdb5", "type": "github" }, "original": { 
@@ -482,11 +482,11 @@ ] }, "locked": { - "lastModified": 1713520724, - "narHash": "sha256-CO8MmVDmqZX2FovL75pu5BvwhW+Vugc7Q6ze7Hj8heI=", + "lastModified": 1717067539, + "narHash": "sha256-oIs5EF+6VpHJRvvpVWuqCYJMMVW/6h59aYUv9lABLtY=", "owner": "nix-community", "repo": "naersk", - "rev": "c5037590290c6c7dae2e42e7da1e247e54ed2d49", + "rev": "fa19d8c135e776dc97f4dcca08656a0eeb28d5c0", "type": "github" }, "original": { @@ -513,11 +513,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1714858427, - "narHash": "sha256-tCxeDP4C1pWe2rYY3IIhdA40Ujz32Ufd4tcrHPSKx2M=", + "lastModified": 1717880976, + "narHash": "sha256-BRvSCsKtDUr83NEtbGfHLUOdDK0Cgbezj2PtcHnz+sQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b980b91038fc4b09067ef97bbe5ad07eecca1e76", + "rev": "4913a7c3d8b8d00cb9476a6bd730ff57777f740c", "type": "github" }, "original": { @@ -593,16 +593,16 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1715106579, - "narHash": "sha256-gZMgKEGiK6YrwGBiccZ1gemiUwjsZ1Zv49KYOgmX2fY=", + "lastModified": 1717696253, + "narHash": "sha256-1+ua0ggXlYYPLTmMl3YeYYsBXDSCqT+Gw3u6l4gvMhA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8be0d8a1ed4f96d99b09aa616e2afd47acc3da89", + "rev": "9b5328b7f761a7bbdc0e332ac4cf076a3eedb89b", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-23.11", + "ref": "nixos-24.05", "repo": "nixpkgs", "type": "github" } @@ -823,11 +823,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1715244550, - "narHash": "sha256-ffOZL3eaZz5Y1nQ9muC36wBCWwS1hSRLhUzlA9hV2oI=", + "lastModified": 1717902109, + "narHash": "sha256-OQTjaEZcByyVmHwJlKp/8SE9ikC4w+mFd3X0jJs6wiA=", "owner": "Mic92", "repo": "sops-nix", - "rev": "0dc50257c00ee3c65fef3a255f6564cfbfe6eb7f", + "rev": "f0922ad001829b400f0160ba85b47d252fa3d925", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 24c65f8..0feac3f 100644 --- a/flake.nix +++ b/flake.nix 
@@ -5,7 +5,7 @@ }; inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05"; # naersk and flake utils are not used by this flake directly, but needed # for the follows in all the other ones. @@ -177,27 +177,27 @@ # function that generates a system with the given number generate_system = (id: - let - myRegistry = registry.traffic-stop-box."${toString id}"; - in + let + myRegistry = registry.traffic-stop-box."${toString id}"; + in { "${myRegistry.hostName}" = { - system = myRegistry.arch; - specialArgs = { inherit self inputs; registry = myRegistry; }; - modules = - [ - # box-specific config - ./hosts/traffic-stop-box/${toString id} - - # default modules - sops-nix.nixosModules.sops - ./modules/traffic-stop-box - ./modules/TLMS - { - deployment-TLMS.monitoring.enable = myRegistry.monitoring; - } - ] ++ stop-box-modules; - }; + system = myRegistry.arch; + specialArgs = { inherit self inputs; registry = myRegistry; }; + modules = + [ + # box-specific config + ./hosts/traffic-stop-box/${toString id} + + # default modules + sops-nix.nixosModules.sops + ./modules/traffic-stop-box + ./modules/TLMS + { + deployment-TLMS.monitoring.enable = myRegistry.monitoring; + } + ] ++ stop-box-modules; + }; } ); diff --git a/hosts/notice-me-senpai/grafana.nix b/hosts/notice-me-senpai/grafana.nix index de4b3cd..637de63 100644 --- a/hosts/notice-me-senpai/grafana.nix +++ b/hosts/notice-me-senpai/grafana.nix @@ -59,7 +59,7 @@ in } // ( if exporter == "r09-receiver" then { scrape_interval = "10s"; - } else {} + } else { } ); # generate scraper config diff --git a/hosts/tram-borzoi/postgres.nix b/hosts/tram-borzoi/postgres.nix index a584455..dd64321 100644 --- a/hosts/tram-borzoi/postgres.nix +++ b/hosts/tram-borzoi/postgres.nix @@ -33,10 +33,7 @@ } { name = "borzoi"; - ensurePermissions = { - "DATABASE borzoi" = "ALL PRIVILEGES"; - "ALL TABLES IN SCHEMA public" = "ALL"; - }; + ensureDBOwnership = true; } ]; }; 
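Review bot: `ensureDBOwnership = true;` only evaluates if a database named `borzoi` is listed in `services.postgresql.ensureDatabases`, which lies outside this hunk; the NixOS module asserts on that pairing, so it is worth confirming before deploying. The replaced `ensurePermissions` grants gave the role `ALL` on every existing table in `public` regardless of who owned it, whereas database ownership does not reassign tables already owned by another role, so on a host with pre-existing data the `borzoi` role may lose access to tables it did not create until ownership is transferred once by hand. The same substitution is made for the `tlms` user in modules/data-hoarder/postgres.nix; there `ensureDatabases = [ "tlms" ]` is visible, so only the table-ownership caveat applies.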
diff --git a/modules/TLMS/base.nix b/modules/TLMS/base.nix index 208711d..cf573f7 100644 --- a/modules/TLMS/base.nix +++ b/modules/TLMS/base.nix @@ -88,6 +88,7 @@ in users.motd = if config.networking.hostName == "data-hoarder" then prodMotd else regMotd; + programs.screen.enable = true; programs.screen.screenrc = '' defscrollback 10000 diff --git a/modules/TLMS/wg.nix b/modules/TLMS/wg.nix index f3f7501..0acc0e9 100644 --- a/modules/TLMS/wg.nix +++ b/modules/TLMS/wg.nix @@ -45,7 +45,8 @@ in endpointRegistries = let ep = (lib.filter - (x: x.wgAddr4 != registry.wgAddr4 && (!isNull x.publicWireguardEndpoint)) registries); + (x: x.wgAddr4 != registry.wgAddr4 && (!isNull x.publicWireguardEndpoint)) + registries); in assert lib.assertMsg (lib.length ep == 1) "there should be exactly one endpoint"; ep; diff --git a/modules/data-hoarder/kindergarten.nix b/modules/data-hoarder/kindergarten.nix index d1b3585..71fdc4b 100644 --- a/modules/data-hoarder/kindergarten.nix +++ b/modules/data-hoarder/kindergarten.nix @@ -16,10 +16,11 @@ enableACME = true; forceSSL = true; locations."~ ^/(de|en)" = { - root = if (config.deployment-TLMS.domain == "tlm.solutions") then - "${pkgs.kindergarten}" - else - "${pkgs.kindergarten-staging}"; + root = + if (config.deployment-TLMS.domain == "tlm.solutions") then + "${pkgs.kindergarten}" + else + "${pkgs.kindergarten-staging}"; # index = "index.html"; tryFiles = "$uri /$1/index.html =404"; extraConfig = '' diff --git a/modules/data-hoarder/nginx.nix b/modules/data-hoarder/nginx.nix index bc9ec0f..45f194d 100644 --- a/modules/data-hoarder/nginx.nix +++ b/modules/data-hoarder/nginx.nix @@ -20,7 +20,8 @@ let # STS add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; ''; -in { +in +{ networking.firewall.allowedTCPPorts = [ 80 443 ]; security.acme.acceptTerms = true; diff --git a/modules/data-hoarder/postgres.nix b/modules/data-hoarder/postgres.nix index 0e774f8..09525c9 100644 --- a/modules/data-hoarder/postgres.nix 
+++ b/modules/data-hoarder/postgres.nix @@ -1,28 +1,29 @@ { lib, pkgs, config, inputs, self, registry, ... }: { services.postgresql = { - inherit (registry.postgres) port; + settings.port = registry.port; enable = true; enableTCPIP = true; - authentication = let - senpai-ip = - self.unevaluatedNixosConfigurations.notice-me-senpai.specialArgs.registry.wgAddr4; - in pkgs.lib.mkOverride 10 '' - local all all trust - host all all 127.0.0.1/32 trust - host all all ::1/128 trust - host tlms grafana ${senpai-ip}/32 scram-sha-256 - ''; + authentication = + let + senpai-ip = + self.unevaluatedNixosConfigurations.notice-me-senpai.specialArgs.registry.wgAddr4; + in + pkgs.lib.mkOverride 10 '' + local all all trust + host all all 127.0.0.1/32 trust + host all all ::1/128 trust + host tlms grafana ${senpai-ip}/32 scram-sha-256 + ''; package = pkgs.postgresql_14; ensureDatabases = [ "tlms" ]; ensureUsers = [ - { name = "grafana"; } { name = "tlms"; - ensurePermissions = { - "DATABASE tlms" = "ALL PRIVILEGES"; - "ALL TABLES IN SCHEMA public" = "ALL"; - }; + ensureDBOwnership = true; + } + { + name = "grafana"; } ]; }; diff --git a/modules/data-hoarder/secrets.nix b/modules/data-hoarder/secrets.nix index e5cc2fd..aa2fb11 100644 --- a/modules/data-hoarder/secrets.nix +++ b/modules/data-hoarder/secrets.nix @@ -4,7 +4,8 @@ let data-accumulator-user = config.TLMS.dataAccumulator.user; trekkie-user = config.TLMS.trekkie.user; chemo-user = config.TLMS.chemo.user; -in { +in +{ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; users.groups = { diff --git a/modules/data-hoarder/website.nix b/modules/data-hoarder/website.nix index 964007f..64bf79a 100644 --- a/modules/data-hoarder/website.nix +++ b/modules/data-hoarder/website.nix 
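Review bot: `settings.port = registry.port;` reads a different registry attribute than the line it replaces, which inherited `port` from `registry.postgres`; unless the registry layout was flattened elsewhere in this series, this either fails evaluation with a missing attribute or binds PostgreSQL to a different port than before. The intended line is presumably `settings.port = registry.postgres.port;`. The reindented authentication block keeps `local all all trust` and the loopback `trust` rules while `enableTCPIP = true` remains set, so any local process can connect as any role, including the superuser, without a credential; tightening these to `peer` and `scram-sha-256` (the method the grafana rule already uses) would be a worthwhile follow-up.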
@@ -4,12 +4,12 @@ virtualHosts = { "${(builtins.replaceStrings [ "tlm.solutions" ] [ "dvb.solutions" ] config.deployment-TLMS.domain)}" = { - enableACME = true; - forceSSL = true; - extraConfig = '' - rewrite ^ https://kid.${config.deployment-TLMS.domain}/ permanent; - ''; - }; + enableACME = true; + forceSSL = true; + extraConfig = '' + rewrite ^ https://kid.${config.deployment-TLMS.domain}/ permanent; + ''; + }; "${config.deployment-TLMS.domain}" = { enableACME = true; forceSSL = true; diff --git a/modules/traffic-stop-box/radio-config.nix b/modules/traffic-stop-box/radio-config.nix index 98b49c8..e528202 100644 --- a/modules/traffic-stop-box/radio-config.nix +++ b/modules/traffic-stop-box/radio-config.nix @@ -8,14 +8,16 @@ } // registry.r09-receiver; # find all the servers with data-accumulator configured - TLMS.telegramDecoder = let - registries = builtins.attrValues (builtins.mapAttrs (name: value: value.specialArgs.registry) self.unevaluatedNixosConfigurations); - filteredDataHoarders = builtins.filter (other: other ? port-data_accumulator) registries; - urlFromRegistry = other: "http://${other.wgAddr4}:${toString other.port-data_accumulator.port}"; - in { - enable = true; - server = builtins.map urlFromRegistry filteredDataHoarders; - configFile = registry.telegramDecoderConfig; - authTokenFile = config.sops.secrets.telegram-decoder-token.path; - }; + TLMS.telegramDecoder = + let + registries = builtins.attrValues (builtins.mapAttrs (name: value: value.specialArgs.registry) self.unevaluatedNixosConfigurations); + filteredDataHoarders = builtins.filter (other: other ? port-data_accumulator) registries; + urlFromRegistry = other: "http://${other.wgAddr4}:${toString other.port-data_accumulator.port}"; + in + { + enable = true; + server = builtins.map urlFromRegistry filteredDataHoarders; + configFile = registry.telegramDecoderConfig; + authTokenFile = config.sops.secrets.telegram-decoder-token.path; + }; }