Updates over time

niten 2022-07-10 20:46:30 -07:00
parent df53c13bb7
commit 070a5e1831
4 changed files with 339 additions and 325 deletions


@ -80,11 +80,7 @@ in {
}; };
}; };
groups = { groups = { "${cfg.user}" = { members = [ cfg.user ]; }; };
"${cfg.user}" = {
members = [ cfg.user ];
};
};
}; };
systemd = { systemd = {
@ -104,7 +100,7 @@ in {
services.backplane-dns-client-pw-file = { services.backplane-dns-client-pw-file = {
enable = true; enable = true;
requiredBy = [ "backplane-dns-client.services" ]; requiredBy = [ "backplane-dns-client.service" ];
reloadIfChanged = true; reloadIfChanged = true;
serviceConfig = { Type = "oneshot"; }; serviceConfig = { Type = "oneshot"; };
script = '' script = ''
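Review bot: `requiredBy = [ "backplane-dns-client.service" ];` on the pw-file unit only adds a Requires dependency and carries no ordering, so systemd may start the client in parallel with this oneshot and the client can come up before its password file has been written. Adding `before = [ "backplane-dns-client.service" ];` beside it makes the ordering explicit and closes that race. The unit's `script` body and the rest of the module lie outside the hunk, so I cannot tell whether the client unit already declares `after` for this service; if it does, this is redundant but harmless.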


@ -8,6 +8,13 @@ in {
options.fudo.metrics.prometheus = with types; { options.fudo.metrics.prometheus = with types; {
enable = mkEnableOption "Fudo Prometheus Data-Gathering Server"; enable = mkEnableOption "Fudo Prometheus Data-Gathering Server";
package = mkOption {
type = package;
default = pkgs.prometheus;
defaultText = literalExpression "pkgs.prometheus";
description = "The prometheus package that should be used.";
};
service-discovery-dns = mkOption { service-discovery-dns = mkOption {
type = attrsOf (listOf str); type = attrsOf (listOf str);
description = '' description = ''
@ -119,9 +126,10 @@ in {
services.prometheus = { services.prometheus = {
enable = true; enable = true;
webExternalUrl = "https://${cfg.hostname}"; webExternalUrl = "https://${cfg.hostname}";
package = cfg.package;
listenAddress = "127.0.0.1"; listenAddress = "127.0.0.1";
port = 9090; port = 9090;
@ -131,14 +139,14 @@ in {
honor_labels = false; honor_labels = false;
scheme = if cfg.private-network then "http" else "https"; scheme = if cfg.private-network then "http" else "https";
metrics_path = "/metrics/${type}"; metrics_path = "/metrics/${type}";
dns_sd_configs = if (hasAttr type cfg.service-discovery-dns) then [{
names = cfg.service-discovery-dns.${type};
}] else
[ ];
static_configs = if (hasAttr type cfg.static-targets) then [{ static_configs = if (hasAttr type cfg.static-targets) then [{
targets = cfg.static-targets.${type}; targets = cfg.static-targets.${type};
}] else }] else
[ ]; [ ];
dns_sd_configs = if (hasAttr type cfg.service-discovery-dns) then [{
names = cfg.service-discovery-dns.${type};
}] else
[ ];
}; };
in map make-job [ "docker" "node" "dovecot" "postfix" "rspamd" ]; in map make-job [ "docker" "node" "dovecot" "postfix" "rspamd" ];
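Review bot: The new `package` option spells out type, default, defaultText and description by hand; if the nixpkgs in use provides `lib.mkPackageOption`, `package = mkPackageOption pkgs "prometheus" { };` expresses the same option in one line and keeps `defaultText` in sync with the default (its generated description reads "The prometheus package to use." rather than the wording here). The option body also relies on `pkgs` and `literalExpression` being in scope for this module, which the visible lines do not show; presumably the module takes `pkgs` as an argument and opens `with lib;`, but that is worth confirming.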


@ -431,11 +431,11 @@ in {
SecureBits = mkIf ((length opts.requiredCapabilities) > 0) "keep-caps"; SecureBits = mkIf ((length opts.requiredCapabilities) > 0) "keep-caps";
DynamicUser = mkIf (opts.user == null) opts.dynamicUser; DynamicUser = mkIf (opts.user == null) opts.dynamicUser;
Restart = opts.restartWhen; Restart = opts.restartWhen;
WorkingDirectory = WorkingDirectory =
mkIf (opts.workingDirectory != null) opts.workingDirectory; mkIf (opts.workingDirectory != null) opts.workingDirectory;
RestrictAddressFamilies = RestrictAddressFamilies = optionals (opts.addressFamilies != null)
optionals (opts.addressFamilies != null)
(restrict-address-families opts.addressFamilies); (restrict-address-families opts.addressFamilies);
RestrictNamespaces = opts.restrictNamespaces; RestrictNamespaces = opts.restrictNamespaces;
User = mkIf (opts.user != null) opts.user; User = mkIf (opts.user != null) opts.user;


@ -1,11 +1,11 @@
{ lib, ... }: { lib, ... }:
with lib; with lib;
let let passwd = import ../passwd.nix { inherit lib; };
passwd = import ../passwd.nix { inherit lib; };
in rec { in rec {
encryptedFSOpts = { ... }: let encryptedFSOpts = { ... }:
let
mountpoint = { mp, ... }: { mountpoint = { mp, ... }: {
options = with types; { options = with types; {
mountpoint = mkOption { mountpoint = mkOption {
@ -16,7 +16,8 @@ in rec {
options = mkOption { options = mkOption {
type = listOf str; type = listOf str;
description = "List of filesystem options specific to this mountpoint (eg: subvol)."; description =
"List of filesystem options specific to this mountpoint (eg: subvol).";
}; };
group = mkOption { group = mkOption {
@ -70,8 +71,9 @@ in rec {
mountpoints = mkOption { mountpoints = mkOption {
type = attrsOf (submodule mountpoint); type = attrsOf (submodule mountpoint);
description = "A map of mountpoints for this filesystem to fs options. Multiple to support btrfs."; description =
default = {}; "A map of mountpoints for this filesystem to fs options. Multiple to support btrfs.";
default = { };
}; };
}; };
}; };
@ -80,23 +82,26 @@ in rec {
options = with types; { options = with types; {
key-path = mkOption { key-path = mkOption {
type = str; type = str;
description = "Path of the host master key file, used to decrypt secrets."; description =
"Path of the host master key file, used to decrypt secrets.";
}; };
public-key = mkOption { public-key = mkOption {
type = str; type = str;
description = "Public key used during deployment to decrypt secrets for the host."; description =
"Public key used during deployment to decrypt secrets for the host.";
}; };
}; };
}; };
hostOpts = { name, ... }: let hostOpts = { name, ... }:
hostname = name; let hostname = name;
in { in {
options = with types; { options = with types; {
master-key = mkOption { master-key = mkOption {
type = nullOr (submodule masterKeyOpts); type = nullOr (submodule masterKeyOpts);
description = "Public key for the host master key, used by the host to decrypt secrets."; description =
"Public key for the host master key, used by the host to decrypt secrets.";
}; };
domain = mkOption { domain = mkOption {
@ -133,7 +138,7 @@ in rec {
}; };
profile = mkOption { profile = mkOption {
type = listOf (enum ["desktop" "server" "laptop"]); type = listOf (enum [ "desktop" "server" "laptop" ]);
description = description =
"The profile to be applied to the host, determining what software is included."; "The profile to be applied to the host, determining what software is included.";
}; };
@ -204,9 +209,8 @@ in rec {
ssh-pubkeys = mkOption { ssh-pubkeys = mkOption {
type = listOf path; type = listOf path;
description = description = "SSH key files of the host.";
"SSH key files of the host."; default = [ ];
default = [];
}; };
build-pubkeys = mkOption { build-pubkeys = mkOption {
@ -254,7 +258,8 @@ in rec {
encrypted-filesystems = mkOption { encrypted-filesystems = mkOption {
type = attrsOf (submodule encryptedFSOpts); type = attrsOf (submodule encryptedFSOpts);
description = "List of encrypted filesystems to mount on the local host when the key is available."; description =
"List of encrypted filesystems to mount on the local host when the key is available.";
default = { }; default = { };
}; };
@ -269,7 +274,8 @@ in rec {
options = { options = {
ip = mkOption { ip = mkOption {
type = nullOr str; type = nullOr str;
description = "IP address assigned to this host in the WireGuard network."; description =
"IP address assigned to this host in the WireGuard network.";
}; };
bound = mkOption { bound = mkOption {
@ -322,7 +328,8 @@ in rec {
options = { options = {
ip = mkOption { ip = mkOption {
type = str; type = str;
description = "IP to assign to the initrd image, allowing access to host during bootup."; description =
"IP to assign to the initrd image, allowing access to host during bootup.";
}; };
keypair = mkOption { keypair = mkOption {
type = (submodule keypair-type); type = (submodule keypair-type);
@ -330,20 +337,23 @@ in rec {
}; };
interface = mkOption { interface = mkOption {
type = str; type = str;
description = "Name of interface on which to listen for connections."; description =
"Name of interface on which to listen for connections.";
}; };
}; };
}; };
in mkOption { in mkOption {
type = nullOr (submodule initrd-network-config); type = nullOr (submodule initrd-network-config);
description = "Configuration parameters to set up initrd SSH network."; description =
"Configuration parameters to set up initrd SSH network.";
default = null; default = null;
}; };
backplane-password-file = mkOption { backplane-password-file = mkOption {
options = path; type = path;
description = "File containing the password used by this host to connect to the backplane."; description =
"File containing the password used by this host to connect to the backplane.";
}; };
}; };
}; };
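Review bot: The corrected `type = path;` for `backplane-password-file` is right for the option machinery, but a secret assigned as a Nix path literal (`./backplane.pw`) is copied into the world-readable Nix store when it is turned into a string, which silently defeats the purpose of keeping the password in a file. The description should say so: `"Absolute path (as a string, not a path literal) to the file containing the password used by this host to connect to the backplane; a path literal would be copied into the Nix store."` If callers are only ever expected to pass runtime paths, `type = str;` makes that contract explicit at evaluation time, matching `master-key.key-path` earlier in this file. Whether any caller currently passes a literal cannot be determined from this page.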