nix fmt

albinvass · Jun 8, 2024 · a5be4b2 · a5be4b2
1 parent fda3adc
commit a5be4b2
Show file tree

Hide file tree

Showing 8 changed files with 160 additions and 138 deletions.
diff --git a/devenv.nix b/devenv.nix
@@ -20,90 +20,93 @@
 
   scripts = {
     generate-ca-certificate = {
-      exec = /* bash */ ''
-        #!/usr/bin/env bash
-
-        set -euo pipefail
-        GIT_ROOT="$(git rev-parse --show-toplevel)"
-        CA_ROOT="$GIT_ROOT/certs/ca"
-        mkdir -p $CA_ROOT
-        cd $CA_ROOT
-
-        openssl req \
-          -newkey rsa:4096 \
-          -x509 \
-          -sha256 \
-          -nodes \
-          -subj "/CN=root" \
-          -keyout ca.key \
-          -out ca.crt \
-          -days 3650
-      '';
+      exec = # bash
+        ''
+          #!/usr/bin/env bash
+
+          set -euo pipefail
+          GIT_ROOT="$(git rev-parse --show-toplevel)"
+          CA_ROOT="$GIT_ROOT/certs/ca"
+          mkdir -p $CA_ROOT
+          cd $CA_ROOT
+
+          openssl req \
+            -newkey rsa:4096 \
+            -x509 \
+            -sha256 \
+            -nodes \
+            -subj "/CN=root" \
+            -keyout ca.key \
+            -out ca.crt \
+            -days 3650
+        '';
     };
 
     decrypt-ca-certificate = {
-      exec = /* bash */ ''
-        #!/usr/bin/env bash
-
-        set -euo pipefail
-        GIT_ROOT="$(git rev-parse --show-toplevel)"
-        cd "$GIT_ROOT"
-
-        CERTS_ROOT="$GIT_ROOT/certs"
-        CA_ROOT="$CERTS_ROOT/ca"
-
-        mkdir -p "$CA_ROOT"
-        sops \
-          --extract "['ca']['cert']" \
-          -d "$GIT_ROOT/secrets.yaml" > "$CA_ROOT/ca.crt"
-        sops \
-          --extract "['ca']['key']" \
-          -d "$GIT_ROOT/secrets.yaml" > "$CA_ROOT/ca.key"
-      '';
+      exec = # bash
+        ''
+          #!/usr/bin/env bash
+
+          set -euo pipefail
+          GIT_ROOT="$(git rev-parse --show-toplevel)"
+          cd "$GIT_ROOT"
+
+          CERTS_ROOT="$GIT_ROOT/certs"
+          CA_ROOT="$CERTS_ROOT/ca"
+
+          mkdir -p "$CA_ROOT"
+          sops \
+            --extract "['ca']['cert']" \
+            -d "$GIT_ROOT/secrets.yaml" > "$CA_ROOT/ca.crt"
+          sops \
+            --extract "['ca']['key']" \
+            -d "$GIT_ROOT/secrets.yaml" > "$CA_ROOT/ca.key"
+        '';
     };
 
     generate-host-certificate = {
-      exec = /* bash */ ''
-        #!/usr/bin/env bash
-
-        set -euo pipefail
-        GIT_ROOT="$(git rev-parse --show-toplevel)"
-        cd "$GIT_ROOT"
-
-        decrypt-ca-certificate
-
-        CERTS_ROOT="$GIT_ROOT/certs"
-        CA_ROOT="$CERTS_ROOT/ca"
-        mkdir -p $CERTS_ROOT
-        cd $CERTS_ROOT
-
-        host="$1"; shift
-        HOST_DIR="$CERTS_ROOT/$host"
-        mkdir -p "$HOST_DIR"
-
-                #  -addext "certificatePolicies = 1.2.3.4" \
-        echo "Creating private key and signing request"
-        openssl req \
-          -new \
-          -newkey rsa:4096 \
-          -subj "/C=SE/CN=$host" \
-          -addext "subjectAltName = DNS:$host" \
-          -keyout "$HOST_DIR/host.key" \
-          -nodes \
-          -out "$HOST_DIR/host.csr"
-
-        echo "Creating certificate"
-        openssl x509 \
-          -req \
-          -CA "$CA_ROOT/ca.crt" \
-          -CAkey "$CA_ROOT/ca.key" \
-          -copy_extensions copy \
-          -set_serial "0x$(openssl rand -hex 8)" \
-          -in "$HOST_DIR/host.csr" \
-          -out "$HOST_DIR/host.crt" \
-          -days 367 \
-          -sha256
-      '';
+      exec = # bash
+        ''
+          #!/usr/bin/env bash
+
+          set -euo pipefail
+          GIT_ROOT="$(git rev-parse --show-toplevel)"
+          cd "$GIT_ROOT"
+
+          decrypt-ca-certificate
+
+          CERTS_ROOT="$GIT_ROOT/certs"
+          CA_ROOT="$CERTS_ROOT/ca"
+          mkdir -p $CERTS_ROOT
+          cd $CERTS_ROOT
+
+          host="$1"; shift
+          HOST_DIR="$CERTS_ROOT/$host"
+          mkdir -p "$HOST_DIR"
+
+                  #  -addext "certificatePolicies = 1.2.3.4" \
+          echo "Creating private key and signing request"
+          openssl req \
+            -new \
+            -newkey rsa:4096 \
+            -subj "/C=SE/CN=$host" \
+            -addext "subjectAltName = DNS:$host" \
+            -keyout "$HOST_DIR/host.key" \
+            -nodes \
+            -out "$HOST_DIR/host.csr"
+
+          echo "Creating certificate"
+          openssl x509 \
+            -req \
+            -CA "$CA_ROOT/ca.crt" \
+            -CAkey "$CA_ROOT/ca.key" \
+            -copy_extensions copy \
+            -set_serial "0x$(openssl rand -hex 8)" \
+            -in "$HOST_DIR/host.csr" \
+            -out "$HOST_DIR/host.crt" \
+            -days 367 \
+            -sha256
+        '';
     };
     colmena-expression = {
       exec = # bash

diff --git a/flake.nix b/flake.nix
@@ -79,15 +79,16 @@
               targetUser = "root";
               tags = [
                 "enabled"
-                ''pulumi:{
-                  "Server": {
-                    "Enabled": true,
-                    "ServerType": "cpx21"
-                  },
-                  "Volume": {
-                    "Size": 20
-                  }
-                }''
+                ''
+                  pulumi:{
+                                    "Server": {
+                                      "Enabled": true,
+                                      "ServerType": "cpx21"
+                                    },
+                                    "Volume": {
+                                      "Size": 20
+                                    }
+                                  }''
               ];
               keys = {
                 "ssh_host_ed25519_key" = {
@@ -131,12 +132,13 @@
               targetUser = "root";
               tags = [
                 "enabled"
-                ''pulumi:{
-                  "Server": {
-                    "Enabled": true,
-                    "ServerType": "cax11"
-                  }
-                }''
+                ''
+                  pulumi:{
+                                    "Server": {
+                                      "Enabled": true,
+                                      "ServerType": "cax11"
+                                    }
+                                  }''
               ];
               keys = {
                 "ssh_host_ed25519_key" = {

diff --git a/nixos/hosts/nixpi/frp.nix b/nixos/hosts/nixpi/frp.nix
@@ -1,21 +1,18 @@
-{
-  config,
-  ...
-}:
+{ config, ... }:
 
 {
   sops.secrets = {
-    "frp/tls/certFile" = {};
-    "frp/tls/keyFile" = {};
-    "frp/tls/trustedCaFile" = {};
+    "frp/tls/certFile" = { };
+    "frp/tls/keyFile" = { };
+    "frp/tls/trustedCaFile" = { };
   };
 
   systemd.services.frp.serviceConfig = {
-    LoadCredential=[
+    LoadCredential = [
       "certFile:${config.sops.secrets."frp/tls/certFile".path}"
       "keyFile:${config.sops.secrets."frp/tls/keyFile".path}"
       "trustedCaFile:${config.sops.secrets."frp/tls/trustedCaFile".path}"
-      ];
+    ];
   };
   services.frp = {
     enable = true;
@@ -30,13 +27,15 @@
           trustedCaFile = "{{ .Envs.CREDENTIALS_DIRECTORY }}/trustedCaFile";
         };
       };
-      proxies = [{
-        name = "http";
-        type = "tcp";
-        remotePort = 8082;
-        localIP = "127.0.0.1";
-        localPort = 8080;
-      }];
+      proxies = [
+        {
+          name = "http";
+          type = "tcp";
+          remotePort = 8082;
+          localIP = "127.0.0.1";
+          localPort = 8080;
+        }
+      ];
     };
   };
 }
diff --git a/nixos/hosts/reverse-proxy/crowdsec.nix b/nixos/hosts/reverse-proxy/crowdsec.nix
@@ -1,10 +1,16 @@
-{ config, pkgs, inputs, ... }: {
+{
+  config,
+  pkgs,
+  inputs,
+  ...
+}:
+{
   imports = [
     inputs.crowdsec.nixosModules.crowdsec
-      inputs.crowdsec.nixosModules.crowdsec-firewall-bouncer
+    inputs.crowdsec.nixosModules.crowdsec-firewall-bouncer
   ];
 
-  nixpkgs.overlays = [inputs.crowdsec.overlays.default];
+  nixpkgs.overlays = [ inputs.crowdsec.overlays.default ];
 
   sops.secrets = {
     "crowdsec/enrollKeyFile" = {
@@ -13,24 +19,29 @@
     };
   };
 
-  services.crowdsec = let
-    yaml = (pkgs.formats.yaml {}).generate;
-    acquisitions_file = yaml "acquisitions.yaml" {
-      source = "journalctl";
-      journalctl_filter = ["_SYSTEMD_UNIT=sshd.service" "_SYSTEMD_UNIT=nginx.service"];
-      labels.type = "syslog";
-    };
-  in {
-    enable = true;
-    enrollKeyFile = config.sops.secrets."crowdsec/enrollKeyFile".path;
-    allowLocalJournalAccess = true;
-    settings = {
-      crowdsec_service.acquisition_path = acquisitions_file;
-      api.server = {
-        listen_uri = "127.0.0.1:8080";
+  services.crowdsec =
+    let
+      yaml = (pkgs.formats.yaml { }).generate;
+      acquisitions_file = yaml "acquisitions.yaml" {
+        source = "journalctl";
+        journalctl_filter = [
+          "_SYSTEMD_UNIT=sshd.service"
+          "_SYSTEMD_UNIT=nginx.service"
+        ];
+        labels.type = "syslog";
+      };
+    in
+    {
+      enable = true;
+      enrollKeyFile = config.sops.secrets."crowdsec/enrollKeyFile".path;
+      allowLocalJournalAccess = true;
+      settings = {
+        crowdsec_service.acquisition_path = acquisitions_file;
+        api.server = {
+          listen_uri = "127.0.0.1:8080";
+        };
       };
     };
-  };
 
   services.crowdsec-firewall-bouncer = {
     enable = true;

diff --git a/nixos/hosts/reverse-proxy/disk-config/default.nix b/nixos/hosts/reverse-proxy/disk-config/default.nix
@@ -1,4 +1,5 @@
-{ ... }: {
+{ ... }:
+{
   disko.devices = {
     disk = {
       disk1 = {

diff --git a/nixos/hosts/reverse-proxy/frp.nix b/nixos/hosts/reverse-proxy/frp.nix
@@ -1,20 +1,21 @@
 { config, ... }:
 let
   frpPort = 7000;
-in {
+in
+{
   sops.secrets = {
-    "frp/tls/certFile" = {};
-    "frp/tls/keyFile" = {};
-    "frp/tls/trustedCaFile" = {};
+    "frp/tls/certFile" = { };
+    "frp/tls/keyFile" = { };
+    "frp/tls/trustedCaFile" = { };
   };
 
   networking.firewall.allowedTCPPorts = [ frpPort ];
   systemd.services.frp.serviceConfig = {
-    LoadCredential=[
+    LoadCredential = [
       "certFile:${config.sops.secrets."frp/tls/certFile".path}"
       "keyFile:${config.sops.secrets."frp/tls/keyFile".path}"
       "trustedCaFile:${config.sops.secrets."frp/tls/trustedCaFile".path}"
-      ];
+    ];
   };
   services.frp = {
     enable = true;

diff --git a/nixos/hosts/reverse-proxy/nginx.nix b/nixos/hosts/reverse-proxy/nginx.nix
@@ -1,5 +1,9 @@
-{ ... }: {
-  networking.firewall.allowedTCPPorts = [ 443 80 ];
+{ ... }:
+{
+  networking.firewall.allowedTCPPorts = [
+    443
+    80
+  ];
 
   security.acme = {
     acceptTerms = true;

diff --git a/nixos/modules/disk-config/default.nix b/nixos/modules/disk-config/default.nix
@@ -1,4 +1,5 @@
-{ ... }: {
+{ ... }:
+{
   disko.devices = {
     disk = {
       disk1 = {