From a5be4b25eaf1e1b785660e506d2b7781e2d78241 Mon Sep 17 00:00:00 2001
From: Albin Vass
Date: Sat, 8 Jun 2024 15:31:03 +0200
Subject: [PATCH] nix fmt
---
 devenv.nix | 159 +++++++++---------
 flake.nix | 32 ++--
 nixos/hosts/nixpi/frp.nix | 31 ++--
 nixos/hosts/reverse-proxy/crowdsec.nix | 49 +++---
 .../reverse-proxy/disk-config/default.nix | 3 +-
 nixos/hosts/reverse-proxy/frp.nix | 13 +-
 nixos/hosts/reverse-proxy/nginx.nix | 8 +-
 nixos/modules/disk-config/default.nix | 3 +-
 8 files changed, 160 insertions(+), 138 deletions(-)
diff --git a/devenv.nix b/devenv.nix
index c58c0f5..c72cbae 100644
--- a/devenv.nix
+++ b/devenv.nix
@@ -20,90 +20,93 @@ scripts = { generate-ca-certificate = { - exec = /* bash */ '' - #!/usr/bin/env bash - - set -euo pipefail - GIT_ROOT="$(git rev-parse --show-toplevel)" - CA_ROOT="$GIT_ROOT/certs/ca" - mkdir -p $CA_ROOT - cd $CA_ROOT - - openssl req \ - -newkey rsa:4096 \ - -x509 \ - -sha256 \ - -nodes \ - -subj "/CN=root" \ - -keyout ca.key \ - -out ca.crt \ - -days 3650 - ''; + exec = # bash + '' + #!/usr/bin/env bash + + set -euo pipefail + GIT_ROOT="$(git rev-parse --show-toplevel)" + CA_ROOT="$GIT_ROOT/certs/ca" + mkdir -p $CA_ROOT + cd $CA_ROOT + + openssl req \ + -newkey rsa:4096 \ + -x509 \ + -sha256 \ + -nodes \ + -subj "/CN=root" \ + -keyout ca.key \ + -out ca.crt \ + -days 3650 + ''; }; decrypt-ca-certificate = { - exec = /* bash */ '' - #!/usr/bin/env bash - - set -euo pipefail - GIT_ROOT="$(git rev-parse --show-toplevel)" - cd "$GIT_ROOT" - - CERTS_ROOT="$GIT_ROOT/certs" - CA_ROOT="$CERTS_ROOT/ca" - - mkdir -p "$CA_ROOT" - sops \ - --extract "['ca']['cert']" \ - -d "$GIT_ROOT/secrets.yaml" > "$CA_ROOT/ca.crt" - sops \ - --extract "['ca']['key']" \ - -d "$GIT_ROOT/secrets.yaml" > "$CA_ROOT/ca.key" - ''; + exec = # bash + '' + #!/usr/bin/env bash + + set -euo pipefail + GIT_ROOT="$(git rev-parse --show-toplevel)" + cd "$GIT_ROOT" + + CERTS_ROOT="$GIT_ROOT/certs" + CA_ROOT="$CERTS_ROOT/ca" + + mkdir -p "$CA_ROOT" + sops \ + --extract "['ca']['cert']" \ + -d "$GIT_ROOT/secrets.yaml" > "$CA_ROOT/ca.crt" + sops \ + --extract "['ca']['key']" \ + -d "$GIT_ROOT/secrets.yaml" > "$CA_ROOT/ca.key" + ''; }; generate-host-certificate = { - exec = /* bash */ '' - #!/usr/bin/env bash - - set -euo pipefail - GIT_ROOT="$(git rev-parse --show-toplevel)" - cd "$GIT_ROOT" - - decrypt-ca-certificate - - CERTS_ROOT="$GIT_ROOT/certs" - CA_ROOT="$CERTS_ROOT/ca" - mkdir -p $CERTS_ROOT - cd $CERTS_ROOT - - host="$1"; shift - HOST_DIR="$CERTS_ROOT/$host" - mkdir -p "$HOST_DIR" - - # -addext "certificatePolicies = 1.2.3.4" \ - echo "Creating private key and signing request" - 
openssl req \ - -new \ - -newkey rsa:4096 \ - -subj "/C=SE/CN=$host" \ - -addext "subjectAltName = DNS:$host" \ - -keyout "$HOST_DIR/host.key" \ - -nodes \ - -out "$HOST_DIR/host.csr" - - echo "Creating certificate" - openssl x509 \ - -req \ - -CA "$CA_ROOT/ca.crt" \ - -CAkey "$CA_ROOT/ca.key" \ - -copy_extensions copy \ - -set_serial "0x$(openssl rand -hex 8)" \ - -in "$HOST_DIR/host.csr" \ - -out "$HOST_DIR/host.crt" \ - -days 367 \ - -sha256 - ''; + exec = # bash + '' + #!/usr/bin/env bash + + set -euo pipefail + GIT_ROOT="$(git rev-parse --show-toplevel)" + cd "$GIT_ROOT" + + decrypt-ca-certificate + + CERTS_ROOT="$GIT_ROOT/certs" + CA_ROOT="$CERTS_ROOT/ca" + mkdir -p $CERTS_ROOT + cd $CERTS_ROOT + + host="$1"; shift + HOST_DIR="$CERTS_ROOT/$host" + mkdir -p "$HOST_DIR" + + # -addext "certificatePolicies = 1.2.3.4" \ + echo "Creating private key and signing request" + openssl req \ + -new \ + -newkey rsa:4096 \ + -subj "/C=SE/CN=$host" \ + -addext "subjectAltName = DNS:$host" \ + -keyout "$HOST_DIR/host.key" \ + -nodes \ + -out "$HOST_DIR/host.csr" + + echo "Creating certificate" + openssl x509 \ + -req \ + -CA "$CA_ROOT/ca.crt" \ + -CAkey "$CA_ROOT/ca.key" \ + -copy_extensions copy \ + -set_serial "0x$(openssl rand -hex 8)" \ + -in "$HOST_DIR/host.csr" \ + -out "$HOST_DIR/host.crt" \ + -days 367 \ + -sha256 + ''; }; colmena-expression = { exec = # bash diff --git a/flake.nix b/flake.nix index 0370fd1..c92c986 100644 --- a/flake.nix +++ b/flake.nix @@ -79,15 +79,16 @@ targetUser = "root"; tags = [ "enabled" - ''pulumi:{ - "Server": { - "Enabled": true, - "ServerType": "cpx21" - }, - "Volume": { - "Size": 20 - } - }'' + '' + pulumi:{ + "Server": { + "Enabled": true, + "ServerType": "cpx21" + }, + "Volume": { + "Size": 20 + } + }'' ]; keys = { "ssh_host_ed25519_key" = { 
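Review bot: In decrypt-ca-certificate on the new side, the CA private key is written by plain shell redirection (`-d "$GIT_ROOT/secrets.yaml" > "$CA_ROOT/ca.key"`), so the decrypted key file is created under the caller's default umask, typically 0644, and is then readable by every local user of the machine. Adding `umask 077` directly after `set -euo pipefail` in that script (and in the two openssl-based scripts, which also write unencrypted `-nodes` keys into `certs/`) would keep the key material private without changing anything else. The same hunk still carries the unquoted `mkdir -p $CA_ROOT` / `cd $CA_ROOT` and `mkdir -p $CERTS_ROOT` / `cd $CERTS_ROOT`, inconsistent with the quoted form used a few lines later in the same scripts and subject to word-splitting if the checkout path contains spaces. `-copy_extensions copy` in generate-host-certificate is acceptable only because the CSR is produced two lines earlier with a single SAN; a comment such as `# CSR is generated locally above, so copying its extensions is safe` would record that assumption for anyone who later feeds in an external CSR. The scripts attribute set continues past the end of the hunk.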
@@ -131,12 +132,13 @@ targetUser = "root"; tags = [ "enabled" - ''pulumi:{ - "Server": { - "Enabled": true, - "ServerType": "cax11" - } - }'' + '' + pulumi:{ + "Server": { + "Enabled": true, + "ServerType": "cax11" + } + }'' ]; keys = { "ssh_host_ed25519_key" = { diff --git a/nixos/hosts/nixpi/frp.nix b/nixos/hosts/nixpi/frp.nix index 59c8ca0..42e21d9 100644 --- a/nixos/hosts/nixpi/frp.nix +++ b/nixos/hosts/nixpi/frp.nix @@ -1,21 +1,18 @@ -{ - config, - ... -}: +{ config, ... }: { sops.secrets = { - "frp/tls/certFile" = {}; - "frp/tls/keyFile" = {}; - "frp/tls/trustedCaFile" = {}; + "frp/tls/certFile" = { }; + "frp/tls/keyFile" = { }; + "frp/tls/trustedCaFile" = { }; }; systemd.services.frp.serviceConfig = { - LoadCredential=[ + LoadCredential = [ "certFile:${config.sops.secrets."frp/tls/certFile".path}" "keyFile:${config.sops.secrets."frp/tls/keyFile".path}" "trustedCaFile:${config.sops.secrets."frp/tls/trustedCaFile".path}" - ]; + ]; }; services.frp = { enable = true; @@ -30,13 +27,15 @@ trustedCaFile = "{{ .Envs.CREDENTIALS_DIRECTORY }}/trustedCaFile"; }; }; - proxies = [{ - name = "http"; - type = "tcp"; - remotePort = 8082; - localIP = "127.0.0.1"; - localPort = 8080; - }]; + proxies = [ + { + name = "http"; + type = "tcp"; + remotePort = 8082; + localIP = "127.0.0.1"; + localPort = 8080; + } + ]; }; }; } diff --git a/nixos/hosts/reverse-proxy/crowdsec.nix b/nixos/hosts/reverse-proxy/crowdsec.nix index 28bb47d..22a7d7d 100644 --- a/nixos/hosts/reverse-proxy/crowdsec.nix +++ b/nixos/hosts/reverse-proxy/crowdsec.nix @@ -1,10 +1,16 @@ -{ config, pkgs, inputs, ... }: { +{ + config, + pkgs, + inputs, + ... +}: +{ imports = [ inputs.crowdsec.nixosModules.crowdsec - inputs.crowdsec.nixosModules.crowdsec-firewall-bouncer + inputs.crowdsec.nixosModules.crowdsec-firewall-bouncer ]; - nixpkgs.overlays = [inputs.crowdsec.overlays.default]; + nixpkgs.overlays = [ inputs.crowdsec.overlays.default ]; sops.secrets = { "crowdsec/enrollKeyFile" = { 
@@ -13,24 +19,29 @@ }; }; - services.crowdsec = let - yaml = (pkgs.formats.yaml {}).generate; - acquisitions_file = yaml "acquisitions.yaml" { - source = "journalctl"; - journalctl_filter = ["_SYSTEMD_UNIT=sshd.service" "_SYSTEMD_UNIT=nginx.service"]; - labels.type = "syslog"; - }; - in { - enable = true; - enrollKeyFile = config.sops.secrets."crowdsec/enrollKeyFile".path; - allowLocalJournalAccess = true; - settings = { - crowdsec_service.acquisition_path = acquisitions_file; - api.server = { - listen_uri = "127.0.0.1:8080"; + services.crowdsec = + let + yaml = (pkgs.formats.yaml { }).generate; + acquisitions_file = yaml "acquisitions.yaml" { + source = "journalctl"; + journalctl_filter = [ + "_SYSTEMD_UNIT=sshd.service" + "_SYSTEMD_UNIT=nginx.service" + ]; + labels.type = "syslog"; + }; + in + { + enable = true; + enrollKeyFile = config.sops.secrets."crowdsec/enrollKeyFile".path; + allowLocalJournalAccess = true; + settings = { + crowdsec_service.acquisition_path = acquisitions_file; + api.server = { + listen_uri = "127.0.0.1:8080"; + }; }; }; - }; services.crowdsec-firewall-bouncer = { enable = true; diff --git a/nixos/hosts/reverse-proxy/disk-config/default.nix b/nixos/hosts/reverse-proxy/disk-config/default.nix index 4276c9c..6d04622 100644 --- a/nixos/hosts/reverse-proxy/disk-config/default.nix +++ b/nixos/hosts/reverse-proxy/disk-config/default.nix @@ -1,4 +1,5 @@ -{ ... }: { +{ ... }: +{ disko.devices = { disk = { disk1 = { diff --git a/nixos/hosts/reverse-proxy/frp.nix b/nixos/hosts/reverse-proxy/frp.nix index 491e1d8..49d2881 100644 --- a/nixos/hosts/reverse-proxy/frp.nix +++ b/nixos/hosts/reverse-proxy/frp.nix 
@@ -1,20 +1,21 @@ { config, ... }: let frpPort = 7000; -in { +in +{ sops.secrets = { - "frp/tls/certFile" = {}; - "frp/tls/keyFile" = {}; - "frp/tls/trustedCaFile" = {}; + "frp/tls/certFile" = { }; + "frp/tls/keyFile" = { }; + "frp/tls/trustedCaFile" = { }; }; networking.firewall.allowedTCPPorts = [ frpPort ]; systemd.services.frp.serviceConfig = { - LoadCredential=[ + LoadCredential = [ "certFile:${config.sops.secrets."frp/tls/certFile".path}" "keyFile:${config.sops.secrets."frp/tls/keyFile".path}" "trustedCaFile:${config.sops.secrets."frp/tls/trustedCaFile".path}" - ]; + ]; }; services.frp = { enable = true; diff --git a/nixos/hosts/reverse-proxy/nginx.nix b/nixos/hosts/reverse-proxy/nginx.nix index 7eb0c2a..dd56598 100644 --- a/nixos/hosts/reverse-proxy/nginx.nix +++ b/nixos/hosts/reverse-proxy/nginx.nix @@ -1,5 +1,9 @@ -{ ... }: { - networking.firewall.allowedTCPPorts = [ 443 80 ]; +{ ... }: +{ + networking.firewall.allowedTCPPorts = [ + 443 + 80 + ]; security.acme = { acceptTerms = true; diff --git a/nixos/modules/disk-config/default.nix b/nixos/modules/disk-config/default.nix index 7e96917..f7d5566 100644 --- a/nixos/modules/disk-config/default.nix +++ b/nixos/modules/disk-config/default.nix @@ -1,4 +1,5 @@ -{ ... }: { +{ ... }: +{ disko.devices = { disk = { disk1 = {