chore: format everything

2024-11-26 13:34:55 +01:00 · 2024-11-26 13:34:55 +01:00 · 7ccd7856ee
commit 7ccd7856ee
parent deca311c68
162 changed files with 4750 additions and 3718 deletions
--- a/hosts/sentinel/acme.nix
+++ b/hosts/sentinel/acme.nix
@ -1,6 +1,8 @@
-{config, ...}: let
+{ config, ... }:
+let
  inherit (config.repo.secrets.local) acme;
-in {
+in
+{
  age.secrets.acme-cloudflare-dns-token = {
    rekeyFile = ./secrets/acme-cloudflare-dns-token.age;
    mode = "440";
@ -22,7 +24,7 @@ in {
      };
      dnsProvider = "cloudflare";
      dnsPropagationCheck = true;
-      reloadServices = ["nginx"];
+      reloadServices = [ "nginx" ];
    };
    inherit (acme) certs wildcardDomains;
  };
--- a/hosts/sentinel/blog.nix
+++ b/hosts/sentinel/blog.nix
@ -1,4 +1,5 @@
-{globals, ...}: {
+{ globals, ... }:
+{
  environment.persistence."/persist".directories = [
    {
      directory = "/var/lib/blog";
--- a/hosts/sentinel/coturn.nix
+++ b/hosts/sentinel/coturn.nix
@ -4,9 +4,9 @@
  lib,
  pkgs,
  ...
-}: let
-  inherit
-    (lib)
+}:
+let
+  inherit (lib)
    getExe
    mkAfter
    mkForce
@ -14,7 +14,8 @@

  hostDomain = globals.domains.me;
  coturnDomain = "coturn.${hostDomain}";
-in {
+in
+{
  age.secrets.coturn-password-netbird = {
    generator.script = "alnum";
    group = "turnserver";
@ -58,23 +59,25 @@ in {
    pkey = "@pkey@";
  };

-  systemd.services.coturn = let
-    certsDir = config.security.acme.certs.${hostDomain}.directory;
-  in {
-    preStart = mkAfter ''
-      ${getExe pkgs.replace-secret} @password@ ${config.age.secrets.coturn-password-netbird.path} /run/coturn/turnserver.cfg
-      ${getExe pkgs.replace-secret} @cert@ <(echo "$CREDENTIALS_DIRECTORY/cert.pem") /run/coturn/turnserver.cfg
-      ${getExe pkgs.replace-secret} @pkey@ <(echo "$CREDENTIALS_DIRECTORY/pkey.pem") /run/coturn/turnserver.cfg
-    '';
-    serviceConfig = {
-      LoadCredential = [
-        "cert.pem:${certsDir}/fullchain.pem"
-        "pkey.pem:${certsDir}/key.pem"
-      ];
-      Restart = mkForce "always";
-      RestartSec = "60"; # Retry every minute
+  systemd.services.coturn =
+    let
+      certsDir = config.security.acme.certs.${hostDomain}.directory;
+    in
+    {
+      preStart = mkAfter ''
+        ${getExe pkgs.replace-secret} @password@ ${config.age.secrets.coturn-password-netbird.path} /run/coturn/turnserver.cfg
+        ${getExe pkgs.replace-secret} @cert@ <(echo "$CREDENTIALS_DIRECTORY/cert.pem") /run/coturn/turnserver.cfg
+        ${getExe pkgs.replace-secret} @pkey@ <(echo "$CREDENTIALS_DIRECTORY/pkey.pem") /run/coturn/turnserver.cfg
+      '';
+      serviceConfig = {
+        LoadCredential = [
+          "cert.pem:${certsDir}/fullchain.pem"
+          "pkey.pem:${certsDir}/key.pem"
+        ];
+        Restart = mkForce "always";
+        RestartSec = "60"; # Retry every minute
+      };
    };
-  };

  security.acme.certs.${hostDomain}.postRun = ''
    systemctl restart coturn.service
--- a/hosts/sentinel/default.nix
+++ b/hosts/sentinel/default.nix
@ -2,7 +2,8 @@
  config,
  globals,
  ...
-}: {
+}:
+{
  imports = [
    ../../config
    ../../config/hardware/hetzner-cloud.nix
@ -21,9 +22,12 @@
  nixpkgs.hostPlatform = "x86_64-linux";
  boot.mode = "bios";

-  wireguard.proxy-sentinel.firewallRuleForAll.allowedTCPPorts = [80 443];
+  wireguard.proxy-sentinel.firewallRuleForAll.allowedTCPPorts = [
+    80
+    443
+  ];

-  users.groups.acme.members = ["nginx"];
+  users.groups.acme.members = [ "nginx" ];
  services.nginx.enable = true;
  services.nginx.recommendedSetup = true;

@ -33,7 +37,7 @@
  };

  # Connect safely via wireguard to skip authentication
-  networking.hosts.${config.wireguard.proxy-sentinel.ipv4} = [globals.services.influxdb.domain];
+  networking.hosts.${config.wireguard.proxy-sentinel.ipv4} = [ globals.services.influxdb.domain ];
  meta.telegraf = {
    enable = true;
    scrapeSensors = false;
@ -45,6 +49,6 @@
    };

    # This node shall monitor the infrastructure
-    availableMonitoringNetworks = ["internet"];
+    availableMonitoringNetworks = [ "internet" ];
  };
 }
--- a/hosts/sentinel/fs.nix
+++ b/hosts/sentinel/fs.nix
@ -2,9 +2,11 @@
  config,
  lib,
  ...
-}: let
+}:
+let
  inherit (config.repo.secrets.local) disks;
-in {
+in
+{
  disko.devices = {
    disk = {
      main = {
@ -21,9 +23,9 @@ in {
      };
    };
    zpool = {
-      rpool = lib.disko.zfs.mkZpool {datasets = lib.disko.zfs.impermanenceZfsDatasets;};
+      rpool = lib.disko.zfs.mkZpool { datasets = lib.disko.zfs.impermanenceZfsDatasets; };
    };
  };

-  boot.loader.grub.devices = ["/dev/disk/by-id/${disks.main}"];
+  boot.loader.grub.devices = [ "/dev/disk/by-id/${disks.main}" ];
 }
--- a/hosts/sentinel/net.nix
+++ b/hosts/sentinel/net.nix
@ -3,9 +3,11 @@
  globals,
  lib,
  ...
-}: let
+}:
+let
  icfg = config.repo.secrets.local.networking.interfaces.wan;
-in {
+in
+{
  networking.hostId = config.repo.secrets.local.networking.hostId;
  networking.domain = globals.domains.me;

@ -20,7 +22,9 @@ in {

  boot.initrd.systemd.network = {
    enable = true;
-    networks = {inherit (config.systemd.network.networks) "10-wan";};
+    networks = {
+      inherit (config.systemd.network.networks) "10-wan";
+    };
  };

  systemd.network.networks = {
@ -29,9 +33,9 @@ in {
        icfg.hostCidrv4
        icfg.hostCidrv6
      ];
-      gateway = ["fe80::1"];
+      gateway = [ "fe80::1" ];
      routes = [
-        {Destination = "172.31.1.1";}
+        { Destination = "172.31.1.1"; }
        {
          Gateway = "172.31.1.1";
          GatewayOnLink = true;
@ -43,16 +47,19 @@ in {
    };
  };

-  networking.nftables.firewall.zones.untrusted.interfaces = ["wan"];
+  networking.nftables.firewall.zones.untrusted.interfaces = [ "wan" ];
  networking.nftables.chains.forward.dnat = {
-    after = ["conntrack"];
-    rules = ["ct status dnat accept"];
+    after = [ "conntrack" ];
+    rules = [ "ct status dnat accept" ];
  };

  wireguard.proxy-sentinel.server = {
    host = config.networking.fqdn;
    port = 51443;
-    reservedAddresses = ["10.43.0.0/24" "fd00:43::/120"];
+    reservedAddresses = [
+      "10.43.0.0/24"
+      "fd00:43::/120"
+    ];
    openFirewall = true;
  };
 }
--- a/hosts/sentinel/oauth2.nix
+++ b/hosts/sentinel/oauth2.nix
@ -3,7 +3,8 @@
  globals,
  nodes,
  ...
-}: {
+}:
+{
  meta.oauth2-proxy = {
    enable = true;
    cookieDomain = globals.domains.me;
@ -23,36 +24,40 @@
    generator.dependencies = [
      nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-web-sentinel
    ];
-    generator.script = {
-      lib,
-      decrypt,
-      deps,
-      ...
-    }: ''
-      echo -n "OAUTH2_PROXY_CLIENT_SECRET="
-      ${decrypt} ${lib.escapeShellArg (lib.head deps).file}
-    '';
+    generator.script =
+      {
+        lib,
+        decrypt,
+        deps,
+        ...
+      }:
+      ''
+        echo -n "OAUTH2_PROXY_CLIENT_SECRET="
+        ${decrypt} ${lib.escapeShellArg (lib.head deps).file}
+      '';
    mode = "440";
    group = "oauth2-proxy";
  };

-  services.oauth2-proxy = let
-    clientId = "web-sentinel";
-  in {
-    provider = "oidc";
-    scope = "openid email";
-    loginURL = "https://${globals.services.kanidm.domain}/ui/oauth2";
-    redeemURL = "https://${globals.services.kanidm.domain}/oauth2/token";
-    validateURL = "https://${globals.services.kanidm.domain}/oauth2/openid/${clientId}/userinfo";
-    clientID = clientId;
-    email.domains = ["*"];
+  services.oauth2-proxy =
+    let
+      clientId = "web-sentinel";
+    in
+    {
+      provider = "oidc";
+      scope = "openid email";
+      loginURL = "https://${globals.services.kanidm.domain}/ui/oauth2";
+      redeemURL = "https://${globals.services.kanidm.domain}/oauth2/token";
+      validateURL = "https://${globals.services.kanidm.domain}/oauth2/openid/${clientId}/userinfo";
+      clientID = clientId;
+      email.domains = [ "*" ];

-    extraConfig = {
-      oidc-issuer-url = "https://${globals.services.kanidm.domain}/oauth2/openid/${clientId}";
-      provider-display-name = "Kanidm";
-      #skip-provider-button = true;
+      extraConfig = {
+        oidc-issuer-url = "https://${globals.services.kanidm.domain}/oauth2/openid/${clientId}";
+        provider-display-name = "Kanidm";
+        #skip-provider-button = true;
+      };
    };
-  };

  systemd.services.oauth2-proxy.serviceConfig.EnvironmentFile = [
    config.age.secrets.oauth2-cookie-secret.path
--- a/hosts/sentinel/plausible.nix
+++ b/hosts/sentinel/plausible.nix
@ -3,9 +3,11 @@
  lib,
  globals,
  ...
-}: let
+}:
+let
  plausibleDomain = "analytics.${globals.domains.me}";
-in {
+in
+{
  age.secrets.plausible-secret = {
    generator.script = args: "${args.pkgs.openssl}/bin/openssl rand -base64 64";
    mode = "440";
@ -61,7 +63,7 @@ in {

  services.nginx = {
    upstreams.plausible = {
-      servers."127.0.0.1:${toString config.services.plausible.server.port}" = {};
+      servers."127.0.0.1:${toString config.services.plausible.server.port}" = { };
      extraConfig = ''
        zone plausible 64k;
        keepalive 2;
@ -75,7 +77,7 @@ in {
      forceSSL = true;
      useACMEWildcardHost = true;
      oauth2.enable = true;
-      oauth2.allowedGroups = ["access_analytics"];
+      oauth2.allowedGroups = [ "access_analytics" ];
      locations."/".proxyPass = "http://plausible";
      locations."= /js/script.js" = {
        proxyPass = "http://plausible";
@ -111,7 +113,7 @@ in {
    };
  };

-  users.groups.plausible = {};
+  users.groups.plausible = { };
  users.users.plausible = {
    group = "plausible";
    isSystemUser = true;
--- a/hosts/sentinel/postgresql.nix
+++ b/hosts/sentinel/postgresql.nix
@ -1,4 +1,5 @@
-{pkgs, ...}: {
+{ pkgs, ... }:
+{
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_16_jit;