From 9a5427e3a0c0ccf2a82dc503149a26b23fbd6004 Mon Sep 17 00:00:00 2001 From: Azat Bahawi Date: Sun, 31 Mar 2024 21:29:27 +0300 Subject: 2024-03-31 --- lib/default.nix | 63 ++++--- lib/dns.nix | 42 ++++- lib/my.nix | 526 ++++++++++++++++++++++++++++---------------------------- 3 files changed, 341 insertions(+), 290 deletions(-) (limited to 'lib') diff --git a/lib/default.nix b/lib/default.nix index 7fbaeec..ab4ca0d 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -3,44 +3,57 @@ lib: _: rec { dns = import ./dns.nix; - isEven = number: + isEven = + number: assert (builtins.isInt number) || (builtins.isFloat number); - builtins.div number 2 == 0; + builtins.div number 2 == 0; isOdd = !isEven; - pow = base: exponent: + pow = + base: exponent: assert (builtins.isInt base) && (builtins.isInt exponent); assert exponent > 0; - builtins.foldl' (x: _: x * base) 1 (builtins.genList (_: _) exponent); + builtins.foldl' (x: _: x * base) 1 (builtins.genList (_: _) exponent); - mapListToAttrs = f: attrs: - builtins.listToAttrs (map (name: { - name = - if builtins.isList name - then builtins.elemAt name (builtins.length name - 1) - else name; + mapListToAttrs = + f: attrs: + builtins.listToAttrs ( + map (name: { + name = if builtins.isList name then builtins.elemAt name (builtins.length name - 1) else name; value = f name; - }) - attrs); + }) attrs + ); - mkTcpMem = min: ini: max: + mkTcpMem = + min: ini: max: assert min <= ini && ini <= max; - lib.concatMapStrings (x: toString x + " ") (map (pow 2) [min ini max]); + lib.concatMapStrings (x: toString x + " ") ( + map (pow 2) [ + min + ini + max + ] + ); moduleFromRef = module: ref: sha256: { - disabledModules = [module]; + disabledModules = [ module ]; imports = [ - (let - src = builtins.fetchTarball { - url = let - cons = lib.splitString ":" ref; - owner = lib.head cons; - branch = lib.last cons; - in "https://github.com/${owner}/nixpkgs/archive/refs/heads/${branch}.tar.gz"; - inherit sha256; - }; - in "${src}/nixos/modules/${module}") + ( + let + src = builtins.fetchTarball { + url = + let + cons = lib.splitString ":" ref; + owner = lib.head cons; + branch = lib.last cons; + in + "https://github.com/${owner}/nixpkgs/archive/refs/heads/${branch}.tar.gz"; + inherit sha256; + }; + in + "${src}/nixos/modules/${module}" + ) ]; }; } diff --git a/lib/dns.nix b/lib/dns.nix index 5e1d767..e1f6b7a 100644 --- a/lib/dns.nix +++ b/lib/dns.nix @@ -1,14 +1,44 @@ { const = { quad9 = { - default = ["9.9.9.9" "149.112.112.112" "2620:fe::fe" "2620:fe::9"]; - unsecured = ["9.9.9.10" "149.112.112.10" "2620:fe::10" "2620:fe::fe:10"]; - ecs = ["9.9.9.11" "149.112.112.11" "2620:fe::11" "2620:fe::fe:11"]; + default = [ + "9.9.9.9" + "149.112.112.112" + "2620:fe::fe" + "2620:fe::9" + ]; + unsecured = [ + "9.9.9.10" + "149.112.112.10" + "2620:fe::10" + "2620:fe::fe:10" + ]; + ecs = [ + "9.9.9.11" + "149.112.112.11" + "2620:fe::11" + "2620:fe::fe:11" + ]; }; cloudflare = { - default = ["1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001"]; - blocking = ["1.1.1.2" "1.0.0.2" "2606:4700:4700::1112" "2606:4700:4700::1002"]; - blockingPlus = ["1.1.1.3" "1.0.0.3" "2606:4700:4700::1113" "2606:4700:4700::1003"]; + default = [ + "1.1.1.1" + "1.0.0.1" + "2606:4700:4700::1111" + "2606:4700:4700::1001" + ]; + blocking = [ + "1.1.1.2" + "1.0.0.2" + "2606:4700:4700::1112" + "2606:4700:4700::1002" + ]; + blockingPlus = [ + "1.1.1.3" + "1.0.0.3" + "2606:4700:4700::1113" + "2606:4700:4700::1003" + ]; }; }; } diff --git a/lib/my.nix b/lib/my.nix index 1044211..391d0ee 100644 --- a/lib/my.nix +++ b/lib/my.nix @@ -1,289 +1,297 @@ lib: with lib; - (evalModules { - modules = [ - { - options.configurations = mkOption { - description = "My configurations."; - type = with types; - attrsOf (submodule ({name, ...}: { - freeformType = attrs; - options = let - mkConfigurationTypeOption = type: - mkOption { - description = "Whether the machine's functional type is a ${type} one."; - type = bool; - default = false; - }; - in { - hostname = mkOption { - description = "The machine's hostname."; - type = str; - default = name; - readOnly = true; - }; +(evalModules { + modules = [ + { + options.configurations = mkOption { + description = "My configurations."; + type = + with types; + attrsOf ( + submodule ( + { name, ... }: + { + freeformType = attrs; + options = + let + mkConfigurationTypeOption = + type: + mkOption { + description = "Whether the machine's functional type is a ${type} one."; + type = bool; + default = false; + }; + in + { + hostname = mkOption { + description = "The machine's hostname."; + type = str; + default = name; + readOnly = true; + }; - system = mkOption { - description = "The machine's system."; - type = nullOr (enum platforms.all); - default = null; - }; + system = mkOption { + description = "The machine's system."; + type = nullOr (enum platforms.all); + default = null; + }; - isHeadless = mkConfigurationTypeOption "headless"; - isHeadful = mkConfigurationTypeOption "headful"; - isOther = mkConfigurationTypeOption "other"; + isHeadless = mkConfigurationTypeOption "headless"; + isHeadful = mkConfigurationTypeOption "headful"; + isOther = mkConfigurationTypeOption "other"; - ipv4 = { - address = mkOption { - description = "The machine's public IPv4 address."; - type = nullOr str; - default = null; - }; - prefixLength = mkOption { - description = "The machine's public IPv4 prefix length."; - type = nullOr int; - default = null; - }; - gatewayAddress = mkOption { - description = "The machine's public IPv4 gateway address."; - type = nullOr str; - default = null; - }; - }; - ipv6 = { - address = mkOption { - description = "The machine's public IPv6 address."; - type = nullOr str; - default = null; - }; - prefixLength = mkOption { - description = "The machine's public IPv6 prefix length."; - type = nullOr int; - default = null; - }; - gatewayAddress = mkOption { - description = "The machine's public IPv6 gateway address."; - type = nullOr str; - default = null; - }; - }; + ipv4 = { + address = mkOption { + description = "The machine's public IPv4 address."; + type = nullOr str; + default = null; + }; + prefixLength = mkOption { + description = "The machine's public IPv4 prefix length."; + type = nullOr int; + default = null; + }; + gatewayAddress = mkOption { + description = "The machine's public IPv4 gateway address."; + type = nullOr str; + default = null; + }; + }; + ipv6 = { + address = mkOption { + description = "The machine's public IPv6 address."; + type = nullOr str; + default = null; + }; + prefixLength = mkOption { + description = "The machine's public IPv6 prefix length."; + type = nullOr int; + default = null; + }; + gatewayAddress = mkOption { + description = "The machine's public IPv6 gateway address."; + type = nullOr str; + default = null; + }; + }; - wireguard = { - ipv4.address = mkOption { - description = "The machine's internal IPv4 addresses."; - type = nullOr str; - default = null; - }; - ipv6.address = mkOption { - description = "The machine's internal IPv6 addresses."; - type = nullOr str; - default = null; - }; - publicKey = mkOption { - description = "The machine's public key."; - type = nullOr str; - default = null; + wireguard = { + ipv4.address = mkOption { + description = "The machine's internal IPv4 addresses."; + type = nullOr str; + default = null; + }; + ipv6.address = mkOption { + description = "The machine's internal IPv6 addresses."; + type = nullOr str; + default = null; + }; + publicKey = mkOption { + description = "The machine's public key."; + type = nullOr str; + default = null; + }; + }; + + # TODO Automate filling of this from the NSD service module. + # Right now I need to copy domain definitions from there to here + # manually. + # + # Something like taking `config.services.nsd.zones[$domain]` and + # filtering for actual subdomains. We can remove this option + # altogether then. + domains = mkOption { + description = "External domains that resolve to this address."; + type = listOf str; + default = [ ]; + }; + + syncthing.id = mkOption { + description = "Syncthing ID."; + type = nullOr str; + default = null; + }; }; - }; + } + ) + ); - # TODO Automate filling of this from the NSD service module. - # Right now I need to copy domain definitions from there to here - # manually. - # - # Something like taking `config.services.nsd.zones[$domain]` and - # filtering for actual subdomains. We can remove this option - # altogether then. - domains = mkOption { - description = "External domains that resolve to this address."; - type = listOf str; - default = []; - }; + default = { }; + }; - syncthing.id = mkOption { - description = "Syncthing ID."; - type = nullOr str; - default = null; - }; - }; - })); + config = { + _module.freeformType = types.attrs; - default = {}; + fullname = "Azat Bahawi"; + username = "azahi"; + domain = { + azahi = "azahi.cc"; + rohan = "rohan.net"; + gondor = "gondor.net"; + shire = "shire.net"; }; + email = "frodo@${my.domain.gondor}"; + pgp = { + key = "@PGP_KEY@"; + fingerprint = "@PGP_FINGERPRINT@"; + grip = "@PGP_GRIP@"; + }; + ssh = rec { + type = "ed25519"; + id = my.email; + key = "ssh-${type} @PUBLIC_KEY@ ${id}"; + }; + hashedPassword = "@HASHED_PASSWORD@"; - config = { - _module.freeformType = types.attrs; - - fullname = "Azat Bahawi"; - username = "azahi"; - domain = { - azahi = "azahi.cc"; - rohan = "rohan.net"; - gondor = "gondor.net"; - shire = "shire.net"; - }; - email = "frodo@${my.domain.gondor}"; - pgp = { - key = "@PGP_KEY@"; - fingerprint = "@PGP_FINGERPRINT@"; - grip = "@PGP_GRIP@"; - }; - ssh = rec { - type = "ed25519"; - id = my.email; - key = "ssh-${type} @PUBLIC_KEY@ ${id}"; + configurations = { + # VPS in Germany. + manwe = { + system = "x86_64-linux"; + isHeadless = true; + ipv4 = { + gatewayAddress = "@IPV4_ADDRESS@"; + address = "@IPV4_ADDRESS@"; + prefixLength = 22; + }; + ipv6 = { + gatewayAddress = "@IPV6_ADDRESS@"; + address = "@IPV6_ADDRESS@]"; + prefixLength = 64; + }; + wireguard = { + ipv4.address = "10.69.0.1"; + ipv6.address = "fd69::0:1"; + publicKey = "@PUBLIC_KEY@"; + }; + domains = with my.domain; [ + "alertmanager.${shire}" + "frodo.${rohan}" + "frodo.${gondor}" + "bitwarden.${shire}" + "git.${azahi}" + "git.${shire}" + "grafana.${shire}" + "loki.${shire}" + "ntfy.${shire}" + "plausible.${shire}" + "prometheus.${shire}" + "radicale.${shire}" + "rss-bridge.${shire}" + "start.local" + "vaultwarden.${shire}" + azahi + rohan + gondor + shire + ]; }; - hashedPassword = "@HASHED_PASSWORD@"; - configurations = { - # VPS in Germany. - manwe = { - system = "x86_64-linux"; - isHeadless = true; - ipv4 = { - gatewayAddress = "@IPV4_ADDRESS@"; - address = "@IPV4_ADDRESS@"; - prefixLength = 22; - }; - ipv6 = { - gatewayAddress = "@IPV6_ADDRESS@"; - address = "@IPV6_ADDRESS@]"; - prefixLength = 64; - }; - wireguard = { - ipv4.address = "10.69.0.1"; - ipv6.address = "fd69::0:1"; - publicKey = "@PUBLIC_KEY@"; - }; - domains = with my.domain; [ - "alertmanager.${shire}" - "frodo.${rohan}" - "frodo.${gondor}" - "bitwarden.${shire}" - "git.${azahi}" - "git.${shire}" - "grafana.${shire}" - "loki.${shire}" - "ntfy.${shire}" - "plausible.${shire}" - "prometheus.${shire}" - "radicale.${shire}" - "rss-bridge.${shire}" - "start.local" - "vaultwarden.${shire}" - azahi - rohan - gondor - shire - ]; + # VPS in Germany. + varda = { + system = "x86_64-linux"; + isHeadless = true; + ipv4 = { + gatewayAddress = "@IPV4_ADDRESS@"; + address = "@IPV4_ADDRESS@"; + prefixLength = 22; }; - - # VPS in Germany. - varda = { - system = "x86_64-linux"; - isHeadless = true; - ipv4 = { - gatewayAddress = "@IPV4_ADDRESS@"; - address = "@IPV4_ADDRESS@"; - prefixLength = 22; - }; - ipv6 = { - gatewayAddress = "@IPV6_ADDRESS@"; - address = "@IPV6_ADDRESS@"; - prefixLength = 64; - }; - wireguard = { - ipv4.address = "10.69.1.1"; - ipv6.address = "fd69::1:1"; - publicKey = "@PUBLIC_KEY@"; - }; + ipv6 = { + gatewayAddress = "@IPV6_ADDRESS@"; + address = "@IPV6_ADDRESS@"; + prefixLength = 64; + }; + wireguard = { + ipv4.address = "10.69.1.1"; + ipv6.address = "fd69::1:1"; + publicKey = "@PUBLIC_KEY@"; }; + }; - # VPS in France. - yavanna = { - system = "x86_64-linux"; - isHeadless = true; - ipv4 = { - gatewayAddress = "@IPV4_ADDRESS@"; - address = "@IPV4_ADDRESS@"; - prefixLength = 24; - }; - ipv6 = { - gatewayAddress = "@IPV6_ADDRESS@"; - address = "@IPV6_ADDRESS@"; - prefixLength = 128; - }; - wireguard = { - ipv4.address = "10.69.1.2"; - ipv6.address = "fd69::1:2"; - publicKey = "@PUBLIC_KEY@"; - }; - domains = with my.domain; [ - "flood.${shire}" - "jackett.${shire}" - "lidarr.${shire}" - ]; - syncthing.id = "@SYNCTHING_ID@"; + # VPS in France. + yavanna = { + system = "x86_64-linux"; + isHeadless = true; + ipv4 = { + gatewayAddress = "@IPV4_ADDRESS@"; + address = "@IPV4_ADDRESS@"; + prefixLength = 24; }; + ipv6 = { + gatewayAddress = "@IPV6_ADDRESS@"; + address = "@IPV6_ADDRESS@"; + prefixLength = 128; + }; + wireguard = { + ipv4.address = "10.69.1.2"; + ipv6.address = "fd69::1:2"; + publicKey = "@PUBLIC_KEY@"; + }; + domains = with my.domain; [ + "flood.${shire}" + "jackett.${shire}" + "lidarr.${shire}" + ]; + syncthing.id = "@SYNCTHING_ID@"; + }; - # A beefy desktop: 7950x/rx6750xt/128GB. - eonwe = { - system = "x86_64-linux"; - isHeadful = true; - wireguard = { - ipv4.address = "10.69.3.1"; - ipv6.address = "fd69::3:1"; - publicKey = "@PUBLIC_KEY@"; - }; - syncthing.id = "@SYNCTHING_ID@"; + # A beefy desktop: 7950x/rx6750xt/128GB. + eonwe = { + system = "x86_64-linux"; + isHeadful = true; + wireguard = { + ipv4.address = "10.69.3.1"; + ipv6.address = "fd69::3:1"; + publicKey = "@PUBLIC_KEY@"; }; + syncthing.id = "@SYNCTHING_ID@"; + }; - # ThinkPad T480. - melian = { - system = "x86_64-linux"; - isHeadful = true; - wireguard = { - ipv4.address = "10.69.4.1"; - ipv6.address = "fd69::4:1"; - publicKey = "@PUBLIC_KEY@"; - }; - syncthing.id = "@SYNCTHING_ID@"; + # ThinkPad T480. + melian = { + system = "x86_64-linux"; + isHeadful = true; + wireguard = { + ipv4.address = "10.69.4.1"; + ipv6.address = "fd69::4:1"; + publicKey = "@PUBLIC_KEY@"; }; + syncthing.id = "@SYNCTHING_ID@"; + }; - # Macbook Air M1. - mairon = { - system = "aarch64-darwin"; - isHeadful = true; - wireguard = { - ipv4.address = "10.69.4.2"; - ipv6.address = "fd69::4:2"; - publicKey = "@PUBLIC_KEY@"; - }; + # Macbook Air M1. + mairon = { + system = "aarch64-darwin"; + isHeadful = true; + wireguard = { + ipv4.address = "10.69.4.2"; + ipv6.address = "fd69::4:2"; + publicKey = "@PUBLIC_KEY@"; }; + }; - # Google Pixel 4a w/ GrapheneOS. - gothmog = { - isOther = true; - wireguard = { - ipv4.address = "10.69.5.1"; - ipv6.address = "fd69::5:1"; - publicKey = "@PUBLIC_KEY@"; - }; - syncthing.id = "@SYNCTHING_ID@"; + # Google Pixel 4a w/ GrapheneOS. + gothmog = { + isOther = true; + wireguard = { + ipv4.address = "10.69.5.1"; + ipv6.address = "fd69::5:1"; + publicKey = "@PUBLIC_KEY@"; }; + syncthing.id = "@SYNCTHING_ID@"; + }; - # Google Pixel 7a w/ GrapheneOS. - lungorthin = { - isOther = true; - wireguard = { - ipv4.address = "10.69.5.2"; - ipv6.address = "fd69::5:2"; - publicKey = "@PUBLIC_KEY@"; - }; - syncthing.id = "@SYNCTHING_ID@"; + # Google Pixel 7a w/ GrapheneOS. + lungorthin = { + isOther = true; + wireguard = { + ipv4.address = "10.69.5.2"; + ipv6.address = "fd69::5:2"; + publicKey = "@PUBLIC_KEY@"; }; + syncthing.id = "@SYNCTHING_ID@"; }; }; - } - ]; - }) - .config + }; + } + ]; +}).config -- cgit v1.2.3