commit 1c8c31286b7611de5b6d78d9b41b23642975ae00
parent ddaf6d51f559e9f0e5f4ea36030adf40635b8eb0
Author: Katja (zaphyra) <git@ctu.cx>
Date: Sat, 7 Jun 2025 15:01:32 +0200
nix-fmt
15 files changed, 344 insertions(+), 355 deletions(-)
M
|
146
++++++++++++++++++++++++++++++++++++++++----------------------------------------
M
|
443
+++++++++++++++++++++++++++++++++++++------------------------------------------
diff --git a/config/home/zaphyra/impermanence.nix b/config/home/zaphyra/impermanence.nix
@@ -5,18 +5,23 @@ home.persistence."/nix/persist/home/zaphyra" = {
allowOther = true;
removePrefixDirectory = true;
- directories = let
- symlink = path: { method = "symlink"; directory = path; };
- in [
- (symlink "syncthing/Documents")
- (symlink "syncthing/Bahn-Richtlinien")
- (symlink "syncthing/Videos")
- (symlink "syncthing/Pictures")
- (symlink "syncthing/Music")
- (symlink "syncthing/Audiobooks")
- (symlink "data/Downloads")
- (symlink "data/proj")
- ];
+ directories =
+ let
+ symlink = path: {
+ method = "symlink";
+ directory = path;
+ };
+ in
+ [
+ (symlink "syncthing/Documents")
+ (symlink "syncthing/Bahn-Richtlinien")
+ (symlink "syncthing/Videos")
+ (symlink "syncthing/Pictures")
+ (symlink "syncthing/Music")
+ (symlink "syncthing/Audiobooks")
+ (symlink "data/Downloads")
+ (symlink "data/proj")
+ ];
};
-}
- \ No newline at end of file
+}
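Review bot: This hunk's `directories` list is now the only home persistence left for zaphyra, because the same commit deletes `home.persistence."/nix/persist/home/zaphyra".files = [ "ssh/.ssh/known_hosts" ];` from programs/ssh.nix, a behavioural change that a commit titled `nix-fmt` should not carry. Unless another module still persists it, `~/.ssh/known_hosts` starts empty after every reboot, so each server key is re-accepted on first use and the pinning that would flag a changed or spoofed host key is lost. Either restore it here as `files = [ "ssh/.ssh/known_hosts" ];` next to `directories`, or add a comment such as `# known_hosts is deliberately not persisted; handled in <module>` so the omission is visibly intentional.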
diff --git a/config/home/zaphyra/programs/ssh.nix b/config/home/zaphyra/programs/ssh.nix
@@ -2,7 +2,6 @@
{
- home.persistence."/nix/persist/home/zaphyra".files = [ "ssh/.ssh/known_hosts" ];
diff --git a/config/nixos/modules/filesystem/impermanence.nix b/config/nixos/modules/filesystem/impermanence.nix 
@@ -75,85 +75,85 @@ in }; config = lib.mkMerge [ - ( - lib.mkIf cfg.home.enable { - assertions = [ - { - assertion = config.modules.filesystem.rootDisk.type == "zfs"; - message = '' - Impermanence is currently only available for ZFS. - ''; - } - ]; + (lib.mkIf cfg.home.enable { + assertions = [ + { + assertion = config.modules.filesystem.rootDisk.type == "zfs"; + message = '' + Impermanence is currently only available for ZFS. + ''; + } + ]; - modules.filesystem.rootDisk.parts.home = true; - } - ) - ( - lib.mkIf cfg.system.enable { - assertions = [ - { - assertion = config.modules.filesystem.rootDisk.type == "zfs"; - message = '' - Impermanence is currently only available for ZFS. - ''; - } - ]; + modules.filesystem.rootDisk.parts.home = true; + }) + (lib.mkIf cfg.system.enable { + assertions = [ + { + assertion = config.modules.filesystem.rootDisk.type == "zfs"; + message = '' + Impermanence is currently only available for ZFS. + ''; + } + ]; - modules.filesystem.rootDisk.parts.system = true; - boot.initrd.systemd.services = { - defenestrate = { - description = "Defenestrate old root"; - wantedBy = [ "initrd.target" ]; - after = [ "zfs-import.target" ]; - before = [ "sysroot.mount" ]; - onFailure = [ "emergency.target" ]; - unitConfig.DefaultDependencies = "no"; - serviceConfig.Type = "oneshot"; - script = - let - prefix = "${hostConfig.hostName}/os/nixos/root-"; - in - '' - # We keep root from the previous last 3 boots - # Any command except create can fail in case the system has not - # booted that often yet - zfs destroy -r ${prefix}4 || true - zfs rename ${prefix}3 ${prefix}4 || true - zfs rename ${prefix}2 ${prefix}3 || true - zfs rename ${prefix}1 ${prefix}2 || true - zfs create -o devices=off -o exec=off -o mountpoint=legacy -o setuid=off ${prefix}1 - ''; - }; + modules.filesystem.rootDisk.parts.system = true; + boot.initrd.systemd.services = { + defenestrate = { + description = "Defenestrate old root"; + wantedBy = [ "initrd.target" ]; + after = [ 
"zfs-import.target" ]; + before = [ "sysroot.mount" ]; + onFailure = [ "emergency.target" ]; + unitConfig.DefaultDependencies = "no"; + serviceConfig.Type = "oneshot"; + script = + let + prefix = "${hostConfig.hostName}/os/nixos/root-"; + in + '' + # We keep root from the previous last 3 boots + # Any command except create can fail in case the system has not + # booted that often yet + zfs destroy -r ${prefix}4 || true + zfs rename ${prefix}3 ${prefix}4 || true + zfs rename ${prefix}2 ${prefix}3 || true + zfs rename ${prefix}1 ${prefix}2 || true + zfs create -o devices=off -o exec=off -o mountpoint=legacy -o setuid=off ${prefix}1 + ''; }; + }; - environment.persistence."/nix/persist/system" = { - enable = true; - hideMounts = true; - directories = [ - "/etc/zfs" - "/var/log" - "/var/lib/nixos" - "/var/lib/systemd/coredump" - ] ++ cfg.system.dirs; - files = [ - "/etc/machine-id" - ] ++ cfg.system.files; - }; + environment.persistence."/nix/persist/system" = { + enable = true; + hideMounts = true; + directories = [ + "/etc/zfs" + "/var/log" + "/var/lib/nixos" + "/var/lib/systemd/coredump" + ] ++ cfg.system.dirs; + files = [ + "/etc/machine-id" + ] ++ cfg.system.files; + }; - #zaphyra: hack to persist `/var/lib/private/<service>` (see https://github.com/nix-community/impermanence/issues/213) - system.activationScripts = { - "createPersistentStorageDirs".deps = [ "var-lib-private-permissions" "users" "groups" ]; - "var-lib-private-permissions" = { - deps = [ "specialfs" ]; - text = '' - mkdir -p /nix/persist/system/var/lib/private - chmod 0700 /nix/persist/system/var/lib/private - ''; - }; + #zaphyra: hack to persist `/var/lib/private/<service>` (see https://github.com/nix-community/impermanence/issues/213) + system.activationScripts = { + "createPersistentStorageDirs".deps = [ + "var-lib-private-permissions" + "users" + "groups" + ]; + "var-lib-private-permissions" = { + deps = [ "specialfs" ]; + text = '' + mkdir -p /nix/persist/system/var/lib/private + chmod 0700 
/nix/persist/system/var/lib/private + ''; }; - } - ) + }; + }) ]; }
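Review bot: The `defenestrate` script keeps `root-2` to `root-4` as complete, mountable copies of the previous three roots, so everything written to `/` outside the persistence list (for example `/root`, `/tmp`, or `/var/lib` state of services not in `cfg.system.dirs`) remains readable for three boots although the module presents the root as ephemeral; the existing comment says roots are kept but not that they retain data. I would extend it: `# NOTE: root-2..root-4 are full copies of earlier roots; anything written to / that was not persisted stays readable in them for three boots`. The failure mode of the `|| true` chain also deserves a line: if a rename was skipped (e.g. `root-2` still exists), the final `zfs create ${prefix}1` fails and the unit drops through `onFailure` to `emergency.target`, which may be the intended hard stop but is not obvious from the script. Persisting `/var/lib/systemd/coredump` likewise carries core dumps, which can hold process secrets, across reboots; if that is intended a short comment on the `directories` list would help.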
diff --git a/config/nixos/modules/filesystem/rootDisk.nix b/config/nixos/modules/filesystem/rootDisk.nix 
@@ -85,207 +85,189 @@ in config = lib.mkIf cfg.enable ( lib.mkMerge [ - ( - lib.mkIf (cfg.type == "zfs") { - assertions = [ - { - assertion = cfg.parts.homePerUser -> cfg.parts.home; - message = "Option ${cfg}.parts.homePerUser requires ${cfg}.parts.home to be true."; - } - ]; + (lib.mkIf (cfg.type == "zfs") { + assertions = [ + { + assertion = cfg.parts.homePerUser -> cfg.parts.home; + message = "Option ${cfg}.parts.homePerUser requires ${cfg}.parts.home to be true."; + } + ]; - services.zfs.autoScrub.enable = true; + services.zfs.autoScrub.enable = true; - boot = lib.mkMerge [ - ( - lib.mkIf cfg.encrypt { - initrd = { - luks.forceLuksSupportInInitrd = true; - supportedFilesystems = { - ext4 = true; - }; - systemd.services.decrypt-root = { - description = "Decrypt ZFS root pool"; - wantedBy = [ "initrd.target" ]; - after = [ "zfs-import.target" ]; - before = [ - "create-needed-for-boot-dirs.service" - "defenestrate.service" - "sysroot.mount" - ]; - onFailure = [ "emergency.target" ]; - unitConfig.DefaultDependencies = "no"; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = "yes"; - }; - script = '' - systemd-cryptsetup attach key /dev/zvol/${hostConfig.hostName}/key || exit 1 - mount /dev/mapper/key /key --mkdir || exit 1 - zfs load-key -a || exit 1 - umount /key || exit 1 - systemd-cryptsetup detach key || exit 1 - ''; - }; - }; - zfs.requestEncryptionCredentials = false; - } - ) - ( - lib.mkIf hostConfig.hardware.allowHibernation { - zfs = { - forceImportRoot = false; - allowHibernation = true; + boot = lib.mkMerge [ + (lib.mkIf cfg.encrypt { + initrd = { + luks.forceLuksSupportInInitrd = true; + supportedFilesystems = { + ext4 = true; + }; + systemd.services.decrypt-root = { + description = "Decrypt ZFS root pool"; + wantedBy = [ "initrd.target" ]; + after = [ "zfs-import.target" ]; + before = [ + "create-needed-for-boot-dirs.service" + "defenestrate.service" + "sysroot.mount" + ]; + onFailure = [ "emergency.target" ]; + unitConfig.DefaultDependencies 
= "no"; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = "yes"; }; - } - ) - ]; + script = '' + systemd-cryptsetup attach key /dev/zvol/${hostConfig.hostName}/key || exit 1 + mount /dev/mapper/key /key --mkdir || exit 1 + zfs load-key -a || exit 1 + umount /key || exit 1 + systemd-cryptsetup detach key || exit 1 + ''; + }; + }; + zfs.requestEncryptionCredentials = false; + }) + (lib.mkIf hostConfig.hardware.allowHibernation { + zfs = { + forceImportRoot = false; + allowHibernation = true; + }; + }) + ]; - fileSystems."/nix/persist" = lib.mkIf cfg.parts.system { - neededForBoot = true; - }; + fileSystems."/nix/persist" = lib.mkIf cfg.parts.system { + neededForBoot = true; + }; - disko.devices = { - zpool = { - "${hostConfig.hostName}" = { - type = "zpool"; - options.ashift = "12"; - rootFsOptions = lib.mkMerge [ - { - acltype = "posixacl"; - devices = "off"; - canmount = "off"; - compression = "zstd-6"; - exec = "off"; - mountpoint = "none"; - setuid = "off"; - xattr = "sa"; - } - ( - lib.mkIf cfg.encrypt { - encryption = "on"; - keyformat = "hex"; - keylocation = "file:///key/${hostConfig.hostName}.key"; - } - ) - ]; - datasets = lib.mkMerge [ - { - "reserved" = { - type = "zfs_volume"; - size = cfg.reservedSpace; - options.readonly = "on"; - }; - "os" = { - type = "zfs_fs"; - options.canmount = "off"; - }; - "os/nixos" = { - type = "zfs_fs"; - options.canmount = "off"; - }; - "os/nixos/root-1" = { - type = "zfs_fs"; - options.mountpoint = "legacy"; - mountpoint = "/"; + disko.devices = { + zpool = { + "${hostConfig.hostName}" = { + type = "zpool"; + options.ashift = "12"; + rootFsOptions = lib.mkMerge [ + { + acltype = "posixacl"; + devices = "off"; + canmount = "off"; + compression = "zstd-6"; + exec = "off"; + mountpoint = "none"; + setuid = "off"; + xattr = "sa"; + } + (lib.mkIf cfg.encrypt { + encryption = "on"; + keyformat = "hex"; + keylocation = "file:///key/${hostConfig.hostName}.key"; + }) + ]; + datasets = lib.mkMerge [ + { + "reserved" = { + 
type = "zfs_volume"; + size = cfg.reservedSpace; + options.readonly = "on"; + }; + "os" = { + type = "zfs_fs"; + options.canmount = "off"; + }; + "os/nixos" = { + type = "zfs_fs"; + options.canmount = "off"; + }; + "os/nixos/root-1" = { + type = "zfs_fs"; + options.mountpoint = "legacy"; + mountpoint = "/"; + }; + } + (lib.mkIf cfg.parts.nix { + nix = { + type = "zfs_fs"; + options = { + atime = "off"; + devices = "off"; + exec = "on"; + mountpoint = "legacy"; }; - } - ( - lib.mkIf cfg.parts.nix { - nix = { + mountpoint = "/nix"; + }; + }) + (lib.mkIf (cfg.parts.system || cfg.parts.home) { + data = { + type = "zfs_fs"; + options.canmount = "off"; + }; + }) + (lib.mkIf (cfg.parts.home && !cfg.parts.homePerUser) { + "data/home" = { + type = "zfs_fs"; + options.mountpoint = "legacy"; + mountpoint = "/home"; + mountOptions = [ + "nofail" + ]; + }; + }) + (lib.mkIf (cfg.parts.home && cfg.parts.homePerUser) { + "data/home" = { + type = "zfs_fs"; + options.canmount = "off"; + }; + }) + (lib.mkIf cfg.parts.homePerUser ( + lib.listToAttrs ( + lib.map (user: { + name = "data/home/${user}"; + value = { type = "zfs_fs"; options = { - atime = "off"; devices = "off"; - exec = "on"; mountpoint = "legacy"; + setuid = "off"; }; - mountpoint = "/nix"; - }; - } - ) - ( - lib.mkIf (cfg.parts.system || cfg.parts.home) { - data = { - type = "zfs_fs"; - options.canmount = "off"; - }; - } - ) - ( - lib.mkIf (cfg.parts.home && !cfg.parts.homePerUser) { - "data/home" = { - type = "zfs_fs"; - options.mountpoint = "legacy"; - mountpoint = "/home"; mountOptions = [ "nofail" ]; + mountpoint = + if config.modules.filesystem.impermanence.home.enable then + "/nix/persist/home/${user}" + else + "/home/${user}"; }; - } - ) - ( - lib.mkIf (cfg.parts.home && cfg.parts.homePerUser) { - "data/home" = { - type = "zfs_fs"; - options.canmount = "off"; - }; - } - ) - ( - lib.mkIf cfg.parts.homePerUser ( - lib.listToAttrs ( - lib.map (user: { - name = "data/home/${user}"; - value = { - type = "zfs_fs"; - 
options = { - devices = "off"; - mountpoint = "legacy"; - setuid = "off"; - }; - mountOptions = [ - "nofail" - ]; - mountpoint = if config.modules.filesystem.impermanence.home.enable then "/nix/persist/home/${user}" else "/home/${user}"; - }; - }) users - ) - ) - ) - ( - lib.mkIf cfg.parts.system { - "data/system" = { - type = "zfs_fs"; - options = { - devices = "off"; - mountpoint = "legacy"; - setuid = "off"; - }; - mountpoint = "/nix/persist"; - }; - } + }) users ) - ( - lib.mkIf cfg.encrypt { - key = { - type = "zfs_volume"; - size = "50M"; - options.encryption = "off"; - # TODO: luksFormat, add key and make readonly - # cryptsetup luksFormat /dev/zvol/<host>/key - # cryptsetup open /dev/zvol/<host>/key key - # mkfs.ext4 -O ^has_journal /dev/mapper/key - # mount /dev/mapper/key /key - }; - } - ) - ]; - }; + )) + (lib.mkIf cfg.parts.system { + "data/system" = { + type = "zfs_fs"; + options = { + devices = "off"; + mountpoint = "legacy"; + setuid = "off"; + }; + mountpoint = "/nix/persist"; + }; + }) + (lib.mkIf cfg.encrypt { + key = { + type = "zfs_volume"; + size = "50M"; + options.encryption = "off"; + # TODO: luksFormat, add key and make readonly + # cryptsetup luksFormat /dev/zvol/<host>/key + # cryptsetup open /dev/zvol/<host>/key key + # mkfs.ext4 -O ^has_journal /dev/mapper/key + # mount /dev/mapper/key /key + }; + }) + ]; }; }; - } - ) + }; + }) { disko.devices = { nodev = lib.mkIf cfg.parts.tmp { 
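Review bot: In `decrypt-root`, a failure of `zfs load-key -a` exits with `/key` still mounted and the LUKS mapping `key` still open, and because the unit has `onFailure = [ "emergency.target" ]`, a host that also sets `boot.initrd.systemd.emergencyAccess = true` (huntii does in this commit) then lands in an unauthenticated initrd root shell with the raw hex key file readable under `/key/`. The cleanup should run on every exit path, e.g. via a `trap`, so the key volume is unmounted and unmapped before the emergency target is reached. The disko `key` zvol block further down still carries the `TODO: luksFormat` comment, so the attach presumes manual provisioning that nothing here asserts; a one-line comment on the zvol stating that the script fails closed when it is not LUKS-formatted would make that explicit. The enclosing `config = lib.mkIf cfg.enable (lib.mkMerge [ ... ])` expression starts before this hunk.
```nix
script = ''
  cleanup() {
    umount /key 2>/dev/null || true
    systemd-cryptsetup detach key 2>/dev/null || true
  }
  # Always unmap the key volume, also when a later step fails and the
  # unit falls through onFailure into emergency.target.
  trap cleanup EXIT
  systemd-cryptsetup attach key /dev/zvol/${hostConfig.hostName}/key || exit 1
  mount /dev/mapper/key /key --mkdir || exit 1
  zfs load-key -a || exit 1
  umount /key || exit 1
  systemd-cryptsetup detach key || exit 1
'';
# … unchanged: zfs.requestEncryptionCredentials, hibernation block, disko pool/datasets …
```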
@@ -327,66 +309,61 @@ in
};
};
}
- (
- lib.mkIf (config.modules.boot.type == "uefi") {
- boot.type = "EF00";
- }
- )
+ (lib.mkIf (config.modules.boot.type == "uefi") {
+ boot.type = "EF00";
+ })
{
root.content = (
lib.mkMerge [
- (
- lib.mkIf (cfg.type == "ext4") (
- part "root" {
- type = "filesystem";
- format = "ext4";
- mountpoint = "/";
- }
- )
- )
- (
- lib.mkIf (cfg.type == "btrfs") (
- part "root" {
- type = "btrfs";
- subvolumes = {
- "/nixos/@" = {
- mountpoint = "/";
- };
- "/nixos/@home" = {
- mountOptions = [ "compress=zstd" ];
- mountpoint = "/home";
- };
- "/nixos/@nix" = {
- mountOptions = [
- "compress=zstd"
- "noatime"
- ];
- mountpoint = "/nix";
- };
+ (lib.mkIf (cfg.type == "ext4") (
+ part "root" {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ }
+ ))
+ (lib.mkIf (cfg.type == "btrfs") (
+ part "root" {
+ type = "btrfs";
+ subvolumes = {
+ "/nixos/@" = {
+ mountpoint = "/";
+ };
+ "/nixos/@home" = {
+ mountOptions = [ "compress=zstd" ];
+ mountpoint = "/home";
};
- }
- )
- )
- (
- lib.mkIf (cfg.type == "zfs") {
- type = "zfs";
- pool = hostConfig.hostName;
+ "/nixos/@nix" = {
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ mountpoint = "/nix";
+ };
+ };
}
- )
+ ))
+ (lib.mkIf (cfg.type == "zfs") {
+ type = "zfs";
+ pool = hostConfig.hostName;
+ })
]
);
}
(
- if cfg.swap.enable then {
- root.end = "-${cfg.swap.size}";
- swap = {
- size = "100%";
- content = part "swap" { type = "swap"; };
- };
- } else {
- root.size = "100%";
- }
+ if cfg.swap.enable then
+ {
+ root.end = "-${cfg.swap.size}";
+ swap = {
+ size = "100%";
+ content = part "swap" { type = "swap"; };
+ };
+ }
+ else
+ {
+ root.size = "100%";
+ }
)
];
};
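Review bot: The swap branch creates a plain `part "swap" { type = "swap"; }` partition next to a root that may be ZFS-encrypted via `cfg.encrypt`, and on hosts with `hostConfig.hardware.allowHibernation` the hibernation image, including the loaded ZFS keys and all of memory, would be written to it in cleartext; ordinary swapped pages leak the same way. `part` is defined outside this hunk, so if it already wraps swap content in LUKS this does not apply. Otherwise consider `content = part "swap" { type = "swap"; randomEncryption = true; };` for hosts that do not hibernate, and a keyfile-backed LUKS swap (or an assertion that `cfg.encrypt` and `cfg.swap.enable` are not combined without it) for hosts that do, with a comment on the swap block recording the decision.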
diff --git a/config/nixos/modules/presets/cccdaWifi.nix b/config/nixos/modules/presets/cccdaWifi.nix
@@ -54,4 +54,4 @@ in
};
};
-}
- \ No newline at end of file
+}
diff --git a/config/nixos/modules/presets/zaphyra/mailServer.nix b/config/nixos/modules/presets/zaphyra/mailServer.nix
@@ -139,7 +139,6 @@ in
};
}) cfg.extraDomains);
- systemd.services.dovecot.after = [ "sops-install-secrets.service" ];
sops.secrets = {
"mailPasswords/katja@zaphyra.eu" = { };
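Review bot: Removing `systemd.services.dovecot.after = [ "sops-install-secrets.service" ];` is a functional change in a commit titled `nix-fmt`, and it is inconsistent with `services/gotosocial.nix` in the same commit, which keeps `"sops-install-secrets.service"` in its `after` list. The `sops.secrets` entries directly below (`mailPasswords/...`) are presumably what dovecot reads, so without the ordering dovecot can start before the secret files exist and either fail or, depending on how the passwords are wired in, come up with an unusable passdb until restarted. If the dependency is now provided elsewhere (for example through `restartUnits` on the secrets or a different activation mechanism), a comment saying so next to `sops.secrets` would make the removal safe to read; otherwise the line should come back.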
diff --git a/config/nixos/modules/services/gotosocial.nix b/config/nixos/modules/services/gotosocial.nix
@@ -133,7 +133,10 @@ in
gotosocial = {
description = "GoToSocial ActivityPub Server";
wants = [ "network-online.target" ];
- after = [ "network-online.target" "sops-install-secrets.service" ];
+ after = [
+ "network-online.target"
+ "sops-install-secrets.service"
+ ];
wantedBy = [ "multi-user.target" ];
environment = {
GTS_WAZERO_COMPILATION_CACHE = "${cfg.stateDir}/.cache";
diff --git a/config/nixos/modules/services/mautrixBridge.nix b/config/nixos/modules/services/mautrixBridge.nix
@@ -9,10 +9,7 @@ let
inherit (lib) types;
cfg = lib.getAttrFromPath povSelf config;
forEachInstance =
- f:
- lib.flip lib.mapAttrs' cfg (
- name: cfg: lib.nameValuePair "mautrixBridge-${name}" (f name cfg)
- );
+ f: lib.flip lib.mapAttrs' cfg (name: cfg: lib.nameValuePair "mautrixBridge-${name}" (f name cfg));
in
{
@@ -48,8 +45,7 @@ in
config = {
modules.filesystem.impermanence.system.dirs = (
- (lib.attrNames cfg)
- |> lib.map (element: "/var/lib/private/mautrix-${element}")
+ (lib.attrNames cfg) |> lib.map (element: "/var/lib/private/mautrix-${element}")
);
systemd.services = forEachInstance (
diff --git a/config/nixos/modules/services/openssh.nix b/config/nixos/modules/services/openssh.nix
@@ -36,7 +36,6 @@ in
};
};
- # this is required because the secrets need to be decryped before the users get created
# but the impermanence bind-mounts get created _after_ the user creation...
sops.age.sshKeyPaths = [
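Review bot: Deleting only the first line of the two-line comment leaves `# but the impermanence bind-mounts get created _after_ the user creation...` dangling, so the reason `sops.age.sshKeyPaths` is set the way it is no longer stated. Restore the context as a single line, e.g. `# secrets must be decrypted before users are created, but the impermanence bind-mounts are created _after_ user creation...` (which also fixes the `decryped` typo of the removed line). The `sops.age.sshKeyPaths` list continues outside the hunk.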
diff --git a/config/nixos/modules/services/resticBackup.nix b/config/nixos/modules/services/resticBackup.nix
@@ -101,11 +101,13 @@ in
|> lib.map (
target: lib.nameValuePair "restic-backups-${element.name}-${target}" {
- serviceConfig.EnvironmentFile = [
- cfg.targets."${target}".environmentFile
- ] ++ (lib.optionals (element.value.environmentFile != null) [
- element.value.environmentFile
- ]);
+ serviceConfig.EnvironmentFile =
+ [
+ cfg.targets."${target}".environmentFile
+ ]
+ ++ (lib.optionals (element.value.environmentFile != null) [
+ element.value.environmentFile
+ ]);
}
)
)
diff --git a/config/nixos/modules/users/zaphyra.nix b/config/nixos/modules/users/zaphyra.nix @@ -25,7 +25,9 @@ in sopsFile = inputs.self.sopsSecrets.common; }; - programs.fuse.userAllowOther = lib.mkIf config.modules.filesystem.impermanence.home.enable (lib.mkDefault true); + programs.fuse.userAllowOther = lib.mkIf config.modules.filesystem.impermanence.home.enable ( + lib.mkDefault true + ); users.users.zaphyra = { uid = 1001; @@ -55,6 +57,7 @@ in inputs.impermanence.homeManagerModules.impermanence homeManagerModules.zaphyra.impermanence ]) + (lib.optionals config.modules.presets.graphical.enable ( with homeManagerModules.zaphyra; [ @@ -90,6 +93,7 @@ in programs.javascript ] )) + (lib.optionals (config.modules.presets.graphical.type == "gnomeMinimal") ( with homeManagerModules.zaphyra; [
diff --git a/config/nixos/modules/websites/git.zaphyra.eu.nix b/config/nixos/modules/websites/git.zaphyra.eu.nix
@@ -169,15 +169,14 @@ in
"ctu.cx".subdomains."cgit".CNAME = [ "${config.networking.fqdn}." ];
};
- modules.filesystem.impermanence.system.dirs = [
- {
- directory = "/var/lib/stagit";
- mode = "0755";
- user = "git";
- group = "git";
- }
- ];
-
+ modules.filesystem.impermanence.system.dirs = [
+ {
+ directory = "/var/lib/stagit";
+ mode = "0755";
+ user = "git";
+ group = "git";
+ }
+ ];
sops.secrets."resticPasswords/gitolite" = {
owner = "git";
diff --git a/config/nixos/modules/websites/gts.zaphyra.eu.nix b/config/nixos/modules/websites/gts.zaphyra.eu.nix
@@ -148,11 +148,13 @@ in
"/client/" = {
index = "index.html";
- alias = "${pkgs.phanpy.override {
- clientName = "zaphyra's fedi";
- website = "https://gts.zaphyra.eu/client/";
- defaultInstance = "gts.zaphyra.eu";
- }}/";
+ alias = "${
+ pkgs.phanpy.override {
+ clientName = "zaphyra's fedi";
+ website = "https://gts.zaphyra.eu/client/";
+ defaultInstance = "gts.zaphyra.eu";
+ }
+ }/";
};
"~ /.well-known/(webfinger|host-meta)$" = {
proxyPass = "http://${toString config.modules.services.gotosocial.settings.bind-address}:${toString config.modules.services.gotosocial.settings.port}";
diff --git a/hosts/huntii/default.nix b/hosts/huntii/default.nix
@@ -13,12 +13,17 @@
};
configuration =
- { config, pkgs, lib, ... }:
+ {
+ config,
+ pkgs,
+ lib,
+ ...
+ }:
{
boot.initrd.systemd.emergencyAccess = true;
- sops.secrets."environments/cccdaWifi" = {};
+ sops.secrets."environments/cccdaWifi" = { };
modules = {
filesystem = {
diff --git a/packages/phanpy.nix b/packages/phanpy.nix
@@ -7,7 +7,8 @@
defaultInstance ? "",
defaultInstanceRegistrationUrl ? "",
defaultLang ? "en",
- ... }:
+ ...
+}:
buildNpmPackage (finalAttrs: {
pname = "phanpy";