Diffstat (limited to 'modules')
-rw-r--r--modules/by-name/ba/back/module.nix2
-rw-r--r--modules/by-name/co/constants/module.nix43
-rw-r--r--modules/by-name/co/coredump/module.nix18
-rw-r--r--modules/by-name/dh/dhcpcd/module.nix18
-rw-r--r--modules/by-name/fa/fail2ban/module.nix5
-rw-r--r--modules/by-name/gi/git-server/module.nix14
-rw-r--r--modules/by-name/im/impermanence/module.nix5
-rw-r--r--modules/by-name/ng/nginx/module.nix39
-rw-r--r--modules/by-name/ng/nginx/redirects.nix6
-rw-r--r--modules/by-name/ni/nix-sync/internal_module.nix4
-rw-r--r--modules/by-name/ns/nscd/module.nix25
-rw-r--r--modules/by-name/oo/oomd/module.nix19
-rw-r--r--modules/by-name/op/openssh/module.nix5
-rw-r--r--modules/by-name/re/resolvconf/module.nix16
-rw-r--r--modules/by-name/ru/rust-motd/module.nix20
-rw-r--r--modules/by-name/us/users/module.nix6
16 files changed, 204 insertions, 41 deletions
diff --git a/modules/by-name/ba/back/module.nix b/modules/by-name/ba/back/module.nix
index f732f02..2bc5159 100644
--- a/modules/by-name/ba/back/module.nix
+++ b/modules/by-name/ba/back/module.nix
@@ -63,7 +63,7 @@
 
   services =
     lib.mapAttrs' (gitPath: config: {
-      name = builtins.replaceStrings ["/"] ["_"] "back-${gitPath}-${config.domain}";
+      name = builtins.replaceStrings ["/"] ["_"] "back-${config.domain}";
       value = mkUnit gitPath config.port;
     })
     cfg.repositories;
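Review bot: Dropping `gitPath` from the unit name means two entries of `cfg.repositories` that share a `domain` now map to the same service name, and `lib.mapAttrs'` resolves that silently (one entry wins, the other is never started) instead of failing. If "one repository per domain" is the intended invariant, state it with an assertion such as `assertions = [{ assertion = lib.length (lib.unique (lib.mapAttrsToList (_: c: c.domain) cfg.repositories)) == lib.length (lib.attrNames cfg.repositories); message = "vhack.back: repositories must have distinct domains"; }];`. The `replaceStrings ["/"] ["_"]` now only acts on the domain, which presumably contains no slashes, so it can likely go. The enclosing `config` block continues outside the hunk.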
diff --git a/modules/by-name/co/constants/module.nix b/modules/by-name/co/constants/module.nix
new file mode 100644
index 0000000..a28ea0c
--- /dev/null
+++ b/modules/by-name/co/constants/module.nix
@@ -0,0 +1,43 @@
+# This file is inspired by the `nixos/modules/misc/ids.nix`
+# file in nixpkgs.
+{lib, ...}: {
+  options.vhack.constants = {
+    ids.uids = lib.mkOption {
+      internal = true;
+      description = ''
+        The user IDs used in the vhack.eu nixos config.
+      '';
+      type = lib.types.attrsOf lib.types.int;
+    };
+    ids.gids = lib.mkOption {
+      internal = true;
+      description = ''
+        The group IDs used in the vhack.eu nixos config.
+      '';
+      type = lib.types.attrsOf lib.types.int;
+    };
+  };
+
+  config.vhack.constants = {
+    ids.uids = {
+      acme = 328;
+      dhcpcd = 329;
+      nscd = 330;
+      sshd = 331;
+      systemd-oom = 332;
+
+      # As per the NixOS file, the uids should not be greater or equal to 400;
+    };
+    ids.gids = {
+      acme = 328;
+      dhcpcd = 329;
+      nscd = 330;
+      sshd = 331;
+      systemd-oom = 332;
+      resolvconf = 333; # This group is not matched to an user?
+      systemd-coredump = 151; # matches systemd-coredump user
+
+      # The gid should match the uid. Thus should not be >= 400;
+    };
+  };
+}
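Review bot: The two comments (ids must stay below 400, gid must match uid) and the implicit uniqueness of the values are not enforced anywhere in this module, so a later edit that breaks them is caught only if NixOS' own uid/gid checks happen to notice. These values also sit in the same 0–399 range that nixpkgs' `ids.nix` allocates from; I have not verified that 328–333 and 151 are free there, and a collision would surface as a conflicting-definition error at evaluation time. Encoding the invariants as assertions keeps the comments honest; this needs `config` added to the module arguments on the `{lib, ...}:` line.
```nix
  config.assertions = let
    ids = config.vhack.constants.ids;
    uids = lib.attrValues ids.uids;
    gids = lib.attrValues ids.gids;
  in [
    {
      assertion = lib.all (id: id < 400) (uids ++ gids);
      message = "vhack.constants.ids: static uids/gids must stay below 400";
    }
    {
      assertion = lib.length (lib.unique uids) == lib.length uids
        && lib.length (lib.unique gids) == lib.length gids;
      message = "vhack.constants.ids: duplicate uid or gid";
    }
    {
      assertion = lib.all (name: ids.gids.${name} == ids.uids.${name}) (lib.attrNames ids.uids);
      message = "vhack.constants.ids: every uid must have a matching gid";
    }
  ];
```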
diff --git a/modules/by-name/co/coredump/module.nix b/modules/by-name/co/coredump/module.nix
new file mode 100644
index 0000000..ce28ed9
--- /dev/null
+++ b/modules/by-name/co/coredump/module.nix
@@ -0,0 +1,18 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.vhack.systemd.coredump;
+in {
+  options.vhack.systemd.coredump = {
+    # NOTE(@bpeetz): Enabled by default, because that is what NixOS also does. <2024-12-25>
+    enable = (lib.mkEnableOption "oomd") // {default = true;};
+  };
+
+  config = lib.mkIf cfg.enable {
+    users = {
+      groups.systemd-coredump.gid = config.vhack.constants.ids.gids.systemd-coredump;
+    };
+  };
+}
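Review bot: `lib.mkEnableOption "oomd"` on the `enable` line is a copy-paste slip: this option is `vhack.systemd.coredump.enable`, so its generated description will read "Whether to enable oomd". Hard-coding `default = true` also lets the pinned gid drift from the upstream switch, unlike the dhcpcd module in this same commit which follows `config.networking.dhcpcd.enable`. Suggest `enable = (lib.mkEnableOption "systemd-coredump") // {default = config.systemd.coredump.enable;};` so the group pin tracks whether coredump is actually on.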
diff --git a/modules/by-name/dh/dhcpcd/module.nix b/modules/by-name/dh/dhcpcd/module.nix
new file mode 100644
index 0000000..0e35af3
--- /dev/null
+++ b/modules/by-name/dh/dhcpcd/module.nix
@@ -0,0 +1,18 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.vhack.dhcpcd;
+in {
+  options.vhack.dhcpcd = {
+    enable = (lib.mkEnableOption "dhcpcd") // {default = config.networking.dhcpcd.enable;};
+  };
+
+  config = lib.mkIf cfg.enable {
+    users = {
+      users.dhcpcd.uid = config.vhack.constants.ids.uids.dhcpcd;
+      groups.dhcpcd.gid = config.vhack.constants.ids.gids.dhcpcd;
+    };
+  };
+}
diff --git a/modules/by-name/fa/fail2ban/module.nix b/modules/by-name/fa/fail2ban/module.nix
index a95e267..c619ef9 100644
--- a/modules/by-name/fa/fail2ban/module.nix
+++ b/modules/by-name/fa/fail2ban/module.nix
@@ -13,8 +13,9 @@ in {
     vhack.persist.directories = [
       {
         directory = "/var/lib/fail2ban";
-        user = "fail2ban";
-        group = "fail2ban";
+        # TODO: Fail2ban should probably run under a dedicated `fail2ban` user. <2024-12-25>
+        user = "root";
+        group = "root";
         mode = "0700";
       }
     ];
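Review bot: The TODO on the `user` line reads as if root ownership were a regression, but as far as I know the NixOS fail2ban service runs as root and creates no `fail2ban` account, so the previous `fail2ban`/`fail2ban` values referred to a user that does not exist on the host. The comment should state that reason rather than a wish that this repository cannot act on, e.g. `# The NixOS fail2ban unit runs as root and does not create a dedicated user, so the state dir must be root-owned.` The `0700` mode is appropriate for a root-owned state directory.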
diff --git a/modules/by-name/gi/git-server/module.nix b/modules/by-name/gi/git-server/module.nix
index a374f4c..db35897 100644
--- a/modules/by-name/gi/git-server/module.nix
+++ b/modules/by-name/gi/git-server/module.nix
@@ -48,13 +48,23 @@ in {
     };
 
     # Needed for the nginx proxy and the virtual host
-    vhack.nginx.enable = true;
+    vhack = {
+      nginx.enable = true;
+      persist.directories = [
+        {
+          directory = "/var/lib/gitolite";
+          user = "git";
+          group = "git";
+          mode = "0755";
+        }
+      ];
+    };
 
     services = {
       gitolite = {
         inherit (cfg.gitolite) adminPubkey;
         enable = true;
-        dataDir = "/srv/gitolite";
+        dataDir = "/var/lib/gitolite";
         user = "git";
         group = "git";
         extraGitoliteRc = ''
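Review bot: `mode = "0755"` on the new `/var/lib/gitolite` persist entry makes the gitolite home traversable by every local account, which exposes repository directory names (and any repository whose own mode is permissive) to other users on the host; `mode = "0750"` is the usual choice for a service home and still satisfies sshd's requirement that the directory not be group- or world-writable. Separately, the `git` user is not among the ids pinned in the constants module of this commit, and with `/var/lib/nixos` no longer persisted its uid may be reallocated across boots, leaving the persisted tree owned by a stale id — I cannot tell from this hunk whether `git` gets a fixed uid elsewhere. The `services.gitolite` block continues past the end of the hunk.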
diff --git a/modules/by-name/im/impermanence/module.nix b/modules/by-name/im/impermanence/module.nix
index d645bcb..1c916e2 100644
--- a/modules/by-name/im/impermanence/module.nix
+++ b/modules/by-name/im/impermanence/module.nix
@@ -20,11 +20,6 @@ in {
       directories =
         [
           "/etc/nixos"
-          "/var/log"
-
-          # TODO(@bpeetz): Instead of persisting that, encode each uid/gid directly in the
-          # config. <2024-12-24>
-          "/var/lib/nixos"
         ]
         ++ cfg.directories;
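Review bot: Removing `/var/lib/nixos` from the persisted directories drops the uid-map/gid-map that NixOS uses to keep dynamically allocated system ids stable across reboots, but this commit pins ids only for acme, dhcpcd, nscd, sshd, systemd-oom, resolvconf and systemd-coredump. Every other system user on these hosts (nginx, git, the nix-sync or fail2ban accounts, whichever exist) can receive a different uid on each boot, so files they own under persisted paths end up owned by a stale id that a later allocation may hand to an unrelated service — a quiet way to leak data between services. Either keep `"/var/lib/nixos"` in the list until every system user has a static id, or add an assertion that all `users.users` entries with `isSystemUser` set have a non-null `uid`. Dropping `/var/log` at the same time means journal and auth history vanish on reboot, which weakens any later incident investigation; if that is intended, a comment saying so would help. The `directories` list is inside a `config` block whose start is outside the hunk.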
       files = [
diff --git a/modules/by-name/ng/nginx/module.nix b/modules/by-name/ng/nginx/module.nix
index 30406fe..39919c9 100644
--- a/modules/by-name/ng/nginx/module.nix
+++ b/modules/by-name/ng/nginx/module.nix
@@ -3,20 +3,13 @@
   config,
   ...
 }: let
-  importedRedirects = import ./redirects.nix {};
-  mkRedirect = {
-    key,
-    value,
-  }: {
-    name = key;
-    value = {
-      forceSSL = true;
-      enableACME = true;
-      locations."/".return = "301 ${value}";
-    };
+  mkRedirect = _: value: {
+    forceSSL = true;
+    enableACME = true;
+    locations."/".return = "301 ${value}";
   };
 
-  redirects = builtins.listToAttrs (builtins.map mkRedirect importedRedirects);
+  redirects = builtins.mapAttrs mkRedirect cfg.redirects;
 
   cfg = config.vhack.nginx;
 in {
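Review bot: `mkRedirect` splices `value` verbatim into the generated nginx config on the `locations."/".return` line; now that the redirect targets come from a module option rather than a file in this directory, a value containing `;` or a newline would terminate the directive and inject further configuration. A comment on `mkRedirect` should record that the value must be a plain URL, and the option's type is the right place to enforce it. Note also that `301 ${value}` discards the request path; if the intent is to forward deep links, `301 ${value}$request_uri` is the usual form, otherwise say in the comment that paths are intentionally dropped.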
@@ -33,12 +26,28 @@ in {
         really be useful for tests.
       '';
     };
+
+    redirects = lib.mkOption {
+      type = lib.types.attrsOf lib.types.str;
+      default = {};
+      description = ''
+        An attrset of redirects to add.
+        The keys are the domain that should than be redirected to the url specified as
+        value.
+      '';
+    };
   };
 
   config = lib.mkIf cfg.enable {
     vhack.persist.directories = [
       "/var/lib/acme"
     ];
+
+    users = {
+      users.acme.uid = config.vhack.constants.ids.uids.acme;
+      groups.acme.gid = config.vhack.constants.ids.gids.acme;
+    };
+
     security.acme = {
       acceptTerms = true;
       defaults = {
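Review bot: The new `redirects` option accepts any `str`, although each value is interpolated unescaped into an nginx `return` directive, so tightening the type is cheap protection: `type = lib.types.attrsOf (lib.types.strMatching "https?://[^;[:space:]]+");`. The description also has a typo ("should than be redirected") and should tell the reader what the value is: `The keys are the domains that should be redirected; each value is the absolute URL to redirect to, inserted verbatim into the nginx config.` The `security.acme` block continues outside the hunk.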
@@ -56,8 +65,9 @@ in {
     };
     services.nginx = {
       enable = true;
-      # The merge here is fine, as no domain should be specified twice
-      #virtualHosts =
+      virtualHosts = redirects;
+
+      # FIXME(@bpeetz): Migrate to a host. <2024-12-25>
       #  {
       #    "gallery.s-schoeffel.de" = {
       #      forceSSL = true;
@@ -65,7 +75,6 @@ in {
       #      root = "/srv/gallery.s-schoeffel.de";
       #    };
       #  }
-      #  // redirects;
     };
   };
 }
diff --git a/modules/by-name/ng/nginx/redirects.nix b/modules/by-name/ng/nginx/redirects.nix
deleted file mode 100644
index a021e72..0000000
--- a/modules/by-name/ng/nginx/redirects.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{...}: [
-  {
-    key = "source.vhack.eu";
-    value = "https://codeberg.org/vhack.eu/nixos-server";
-  }
-]
diff --git a/modules/by-name/ni/nix-sync/internal_module.nix b/modules/by-name/ni/nix-sync/internal_module.nix
index e3b55c9..4e28586 100644
--- a/modules/by-name/ni/nix-sync/internal_module.nix
+++ b/modules/by-name/ni/nix-sync/internal_module.nix
@@ -55,7 +55,7 @@
 
         out_paths=$(mktemp);
         nix build . --print-out-paths --experimental-features 'nix-command flakes' > "$out_paths";
-        [ "$(wc -l < "$out_paths")" -gt 1 ] && {echo "To many out-paths"; exit 1;}
+        [ "$(wc -l < "$out_paths")" -gt 1 ] && { echo "To many out-paths"; exit 1; }
         out_path="$(cat "$out_paths")";
         rm ${esa repoPath};
         ln -s "$out_path" ${esa repoPath};
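Review bot: The guard on the `wc -l` line only rejects more than one out-path; when `nix build` fails or prints nothing, `$out_path` is empty and the following `rm ${esa repoPath}; ln -s "$out_path" ...` removes the live symlink and replaces it with a dangling one. Add `[ -s "$out_paths" ] || { echo "No out-path produced"; exit 1; }` before reading `$out_path`, unless the script runs under `set -e` and `nix build` reliably fails non-zero — the script's beginning is outside the hunk so I cannot confirm that. The message on the same line should read `Too many out-paths`.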
@@ -71,7 +71,7 @@
 
           out_paths=$(mktemp);
           nix build ${esa repoCachePath} --print-out-paths --experimental-features 'nix-command flakes' > "$out_paths";
-          [ "$(wc -l < "$out_paths")" -gt 1 ] && {echo "To many out-paths"; exit 1;}
+          [ "$(wc -l < "$out_paths")" -gt 1 ] && { echo "To many out-paths"; exit 1; }
           out_path="$(cat "$out_paths")";
           ln -s "$out_path" ${esa repoPath};
           rm "$out_paths";
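Review bot: On the error path of the `wc -l` check the script exits before the `rm "$out_paths"` at the end of the hunk, so the `mktemp` file is left behind on every failed run. A `trap 'rm -f "$out_paths"' EXIT` right after the `mktemp` line covers both the success and failure paths and lets the explicit `rm` go. The same empty-output case as in the previous hunk applies here: an empty `$out_paths` leads to `ln -s "" ...`.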
diff --git a/modules/by-name/ns/nscd/module.nix b/modules/by-name/ns/nscd/module.nix
new file mode 100644
index 0000000..428ae3b
--- /dev/null
+++ b/modules/by-name/ns/nscd/module.nix
@@ -0,0 +1,25 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.vhack.nscd;
+in {
+  options.vhack.nscd = {
+    # NOTE(@bpeetz): This is enabled by default in NixOS.
+    # Because of this reason:
+    # > Whether to enable the Name Service Cache Daemon. Disabling this is
+    # > strongly discouraged, as this effectively disables NSS Lookups from
+    # > all non-glibc NSS modules, including the ones provided by systemd.
+    #
+    # As such we should also always enable it. <2024-12-25>
+    enable = (lib.mkEnableOption "nscd") // {default = true;};
+  };
+
+  config = lib.mkIf cfg.enable {
+    users = {
+      users.nscd.uid = config.vhack.constants.ids.uids.nscd;
+      groups.nscd.gid = config.vhack.constants.ids.gids.nscd;
+    };
+  };
+}
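Review bot: `vhack.nscd.enable` reads like a switch for nscd but the `config` block only pins the uid/gid, so with `default = true` the ids are declared even when `services.nscd.enable` is false, and disabling this option leaves a running nscd with a dynamic uid. Tying the default to the upstream option, as the dhcpcd module in this commit does, keeps the two in step: `enable = (lib.mkEnableOption "nscd") // {default = config.services.nscd.enable;};`. The option description could then say that it only fixes the ids of the account nscd runs under.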
diff --git a/modules/by-name/oo/oomd/module.nix b/modules/by-name/oo/oomd/module.nix
new file mode 100644
index 0000000..3b39236
--- /dev/null
+++ b/modules/by-name/oo/oomd/module.nix
@@ -0,0 +1,19 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.vhack.systemd.oomd;
+in {
+  options.vhack.systemd.oomd = {
+    # NOTE(@bpeetz): Enabled by default, because that is what NixOS also does. <2024-12-25>
+    enable = (lib.mkEnableOption "oomd") // {default = true;};
+  };
+
+  config = lib.mkIf cfg.enable {
+    users = {
+      users.systemd-oom.uid = config.vhack.constants.ids.uids.systemd-oom;
+      groups.systemd-oom.gid = config.vhack.constants.ids.gids.systemd-oom;
+    };
+  };
+}
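Review bot: As with the nscd module, `default = true` on the `enable` line is independent of `systemd.oomd.enable`, so the `systemd-oom` uid/gid pins and the actual service can be switched separately and silently disagree. Suggest `enable = (lib.mkEnableOption "oomd") // {default = config.systemd.oomd.enable;};`, mirroring the dhcpcd module added in this commit.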
diff --git a/modules/by-name/op/openssh/module.nix b/modules/by-name/op/openssh/module.nix
index 49290b9..83aeadf 100644
--- a/modules/by-name/op/openssh/module.nix
+++ b/modules/by-name/op/openssh/module.nix
@@ -37,6 +37,11 @@ in {
     ];
     */
 
+    users = {
+      users.sshd.uid = config.vhack.constants.ids.uids.sshd;
+      groups.sshd.gid = config.vhack.constants.ids.gids.sshd;
+    };
+
     services.openssh = {
       enable = true;
       settings.PasswordAuthentication = false;
diff --git a/modules/by-name/re/resolvconf/module.nix b/modules/by-name/re/resolvconf/module.nix
new file mode 100644
index 0000000..ff99696
--- /dev/null
+++ b/modules/by-name/re/resolvconf/module.nix
@@ -0,0 +1,16 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.vhack.resolvconf;
+in {
+  options.vhack.resolvconf = {
+    # NOTE(@bpeetz): This condition is taken directly from NixOS. <2024-12-25>
+    enable = lib.mkEnableOption "resolvconf" // {default = !(config.environment.etc ? "resolv.conf");};
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.groups.resolvconf.gid = config.vhack.constants.ids.gids.resolvconf;
+  };
+}
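Review bot: The default on the `enable` line re-implements the default of `networking.resolvconf.enable` rather than reading it, so a host that sets that option explicitly will have the resolvconf group pinned (or not) based on a stale copy of the upstream expression. Using the upstream option directly removes the duplication and the comment: `enable = lib.mkEnableOption "resolvconf" // {default = config.networking.resolvconf.enable;};`.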
diff --git a/modules/by-name/ru/rust-motd/module.nix b/modules/by-name/ru/rust-motd/module.nix
index ee88762..a6998f4 100644
--- a/modules/by-name/ru/rust-motd/module.nix
+++ b/modules/by-name/ru/rust-motd/module.nix
@@ -5,6 +5,20 @@
   ...
 }: let
   cfg = config.vhack.rust-motd;
+
+  # List all users that can login
+  pred = n: v: (
+    false # <- just here for neat formatting
+    || v.initialHashedPassword != null
+    || v.initialPassword != null
+    || v.hashedPassword != null
+    || v.hashedPasswordFile != null
+    || v.password != null
+    || v.passwordFile != null
+    || v.openssh.authorizedKeys.keys != []
+    || v.openssh.authorizedKeys.keyFiles != []
+  );
+  userList = builtins.mapAttrs (n: v: 2) (lib.filterAttrs pred config.users.users);
 in {
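Review bot: The comment above `pred` says it lists users that can log in, but the `hashedPassword` test only checks for non-null, so an account locked with `hashedPassword = "!"` or `"*"` is counted as login-capable, while `hashedPassword = null` on root is correctly excluded. Narrow that clause to `|| (v.hashedPassword != null && v.hashedPassword != "*" && !(lib.hasPrefix "!" v.hashedPassword))`, and note in the comment that other login paths (system users, PAM modules) are deliberately ignored. In `userList`, the unused `n` should be `_` and the bare `2` deserves a named binding (it is presumably the number of last logins rust-motd shows per user; I cannot confirm that from here).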
   options.vhack.rust-motd = {
     enable = lib.mkEnableOption "rust-motd";
@@ -69,11 +83,7 @@ in {
           jails = ["sshd"]; #, "anotherjail"]
         };
 
-        last_login = {
-          sils = 2;
-          soispha = 2;
-          nightingale = 2;
-        };
+        last_login = userList;
 
         last_run = {};
       };
diff --git a/modules/by-name/us/users/module.nix b/modules/by-name/us/users/module.nix
index bdffbdc..a197b13 100644
--- a/modules/by-name/us/users/module.nix
+++ b/modules/by-name/us/users/module.nix
@@ -17,7 +17,7 @@
       inherit name uid;
       isNormalUser = true;
       home = "/home/${name}";
-      initialHashedPassword = password;
+      hashedPassword = password;
       extraGroups = [
         "wheel"
       ];
@@ -54,8 +54,8 @@ in {
       users =
         {
           root = {
-            initialHashedPassword = null; # to lock root
-            openssh.authorizedKeys.keys = [];
+            hashedPassword = lib.mkForce null; # to lock root
+            openssh.authorizedKeys.keys = lib.mkForce [];
           };
         }
         // extraUsers;
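Review bot: The `# to lock root` comment on the `hashedPassword = lib.mkForce null` line holds only when `users.mutableUsers` is false; with mutable users a null hash leaves whatever password root already has in `/etc/shadow` untouched, and I cannot see `mutableUsers` in this hunk. Either set it explicitly next to this block or add `assertions = [{ assertion = !config.users.mutableUsers; message = "root is only locked when users.mutableUsers = false"; }];`. The `// extraUsers` merge also means an `extraUsers` entry named `root` replaces this whole attribute, `mkForce` included, so the lock is not as forced as the comment suggests. The `users` attribute set continues outside the hunk.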