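{
  description = "Flake for server muffin";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";

    lanzaboote = {
      url = "github:nix-community/lanzaboote";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    # Tracks an unversioned branch; the revision actually built is the one
    # recorded in flake.lock, so review what `nix flake update` pulls in.
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";

    nix-minecraft = {
      url = "github:Infinidoge/nix-minecraft";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    vpn-confinement.url = "github:Maroka-chan/VPN-Confinement";

    home-manager = {
      url = "github:nix-community/home-manager/release-25.11";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    disko = {
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    # Personal fork on a feature branch rather than upstream llama.cpp; the lock
    # file pins the revision, but bumps are effectively third-party code changes.
    llamacpp = {
      url = "github:TheTom/llama-cpp-turboquant/feature/turboquant-kv-cache";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    srvos = {
      url = "github:nix-community/srvos";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    deploy-rs = {
      url = "github:serokell/deploy-rs";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    impermanence = {
      url = "github:nix-community/impermanence";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    agenix = {
      url = "github:ryantm/agenix";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.home-manager.follows = "home-manager";
      # Not a Darwin host: drop agenix's nix-darwin input instead of fetching it.
      inputs.darwin.follows = "";
    };

    # Plain source trees (flake = false), consumed by the modules below.
    senior_project-website = {
      url = "github:Titaniumtown/senior-project-website";
      flake = false;
    };

    website = {
      url = "git+https://git.sigkill.computer/titaniumtown/website";
      flake = false;
    };

    trackerlist = {
      url = "github:ngosang/trackerslist";
      flake = false;
    };

    ytbn-graphing-software = {
      url = "git+https://git.sigkill.computer/titaniumtown/YTBN-Graphing-Software";
    };

    # Fetched over SSH: evaluating this flake (including in CI) needs a key
    # that can read this repository.
    arr-init = {
      url = "git+ssh://gitea@git.gardling.com/titaniumtown/arr-init";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    # A nixpkgs fork branch used only as a source tree; the p2pool service
    # module file is imported from it directly in the modules list below.
    nixpkgs-p2pool-module = {
      url = "github:JacoMalan1/nixpkgs/create-p2pool-service";
      flake = false;
    };

    qbittorrent-metrics-exporter = {
      url = "git+https://codeberg.org/anriha/qbittorrent-metrics-exporter";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs =
    {
      self,
      nixpkgs,
      nix-minecraft,
      nixos-hardware,
      vpn-confinement,
      home-manager,
      lanzaboote,
      disko,
      srvos,
      deploy-rs,
      impermanence,
      arr-init,
      nixpkgs-p2pool-module,
      ...
    }@inputs:
    let
      username = "primary";
      hostname = "muffin";
      eth_interface = "enp4s0";
      system = "x86_64-linux";

      # Shared service declarations; also the source of truth for the port
      # sanity checks in the modules list below.
      service_configs = import ./service-configs.nix;

      # Bootstrap pkgs used only to apply patches to nixpkgs source.
      bootstrapPkgs = import nixpkgs { inherit system; };

      # Patch nixpkgs to add PostgreSQL backend support for firefox-syncserver.
      patchedNixpkgsSrc = bootstrapPkgs.applyPatches {
        name = "nixpkgs-patched";
        src = nixpkgs;
        patches = [
          ./patches/nixpkgs/0001-firefox-syncserver-add-postgresql-backend-support.patch
        ];
      };

      pkgs = import patchedNixpkgsSrc {
        inherit system;
        # NOTE(review): nixpkgs' top-level is driven by localSystem/crossSystem;
        # whether these two attribute names have any effect is not obvious — confirm.
        targetPlatform = system;
        # NOTE(review): builtins.currentSystem is only defined in impure evaluation,
        # so this line forces `--impure` for `nix flake check` and deployments.
        # If the build host is always x86_64-linux, `system` would avoid that.
        buildPlatform = builtins.currentSystem;
      };

      lib = import ./modules/lib.nix { inherit inputs pkgs service_configs; };

      # Reads the evaluated host configuration back out of `self`; evaluated lazily.
      testSuite = import ./tests/tests.nix {
        inherit pkgs lib inputs;
        config = self.nixosConfigurations.${hostname}.config;
      };
    in
    {
      formatter.${system} = nixpkgs.legacyPackages.${system}.nixfmt-tree;

      nixosConfigurations.${hostname} = lib.nixosSystem {
        inherit system;
        specialArgs = {
          inherit
            username
            hostname
            eth_interface
            service_configs
            inputs
            ;
        };
        modules = [
          # SAFETY! port sanity checks: every "public" port must be opened in the
          # firewall, and no "private" port may be reachable through it, whether
          # it is listed explicitly or covered by an allowed port range.
          (
            { config, lib, ... }:
            let
              publicPorts = lib.attrValues service_configs.ports.public;
              privatePorts = lib.attrValues service_configs.ports.private;
              allPortNumbers = map (p: p.port) (publicPorts ++ privatePorts);
              uniquePortNumbers = lib.unique allPortNumbers;

              # Which public ports must be in each firewall list
              publicTcp = map (p: p.port) (lib.filter (p: p.proto == "tcp" || p.proto == "both") publicPorts);
              publicUdp = map (p: p.port) (lib.filter (p: p.proto == "udp" || p.proto == "both") publicPorts);

              privatePortNumbers = map (p: p.port) privatePorts;

              fw = config.networking.firewall;
              fwTcp = fw.allowedTCPPorts;
              fwUdp = fw.allowedUDPPorts;

              # A port is opened either by an explicit entry or by a range that
              # contains it; a range leaks a private port just as an entry does.
              inRanges = ranges: p: lib.any (r: p >= r.from && p <= r.to) ranges;
              openedTcp = p: builtins.elem p fwTcp || inRanges fw.allowedTCPPortRanges p;
              openedUdp = p: builtins.elem p fwUdp || inRanges fw.allowedUDPPortRanges p;

              # Public ports must be listed explicitly (a covering range is not enough).
              missingTcp = lib.filter (p: !(builtins.elem p fwTcp)) publicTcp;
              missingUdp = lib.filter (p: !(builtins.elem p fwUdp)) publicUdp;
              # Private ports are checked against both protocols regardless of their
              # own proto, so a private port never shows up in any allow-list.
              leakedTcp = lib.filter openedTcp privatePortNumbers;
              leakedUdp = lib.filter openedUdp privatePortNumbers;
            in
            {
              config.assertions = [
                {
                  assertion = (lib.length allPortNumbers) == (lib.length uniquePortNumbers);
                  message = "Duplicate port numbers detected in ports.public / ports.private";
                }
                {
                  assertion = missingTcp == [ ];
                  message = "Public ports missing from allowedTCPPorts: ${builtins.toString missingTcp}";
                }
                {
                  assertion = missingUdp == [ ];
                  message = "Public ports missing from allowedUDPPorts: ${builtins.toString missingUdp}";
                }
                {
                  assertion = leakedTcp == [ ] && leakedUdp == [ ];
                  message = "Private ports leaked into firewall allow-lists — TCP: ${builtins.toString leakedTcp}, UDP: ${builtins.toString leakedUdp}";
                }
              ];
            }
          )

          # sets up things like the watchdog
          srvos.nixosModules.server

          # diff terminal support
          srvos.nixosModules.mixins-terminfo

          ./disk-config.nix
          ./configuration.nix

          # Replace upstream firefox-syncserver module + package with patched
          # versions that add PostgreSQL backend support.
          {
            disabledModules = [ "services/networking/firefox-syncserver.nix" ];
            imports = [
              "${patchedNixpkgsSrc}/nixos/modules/services/networking/firefox-syncserver.nix"
            ];
            nixpkgs.overlays = [
              nix-minecraft.overlay
              (import ./modules/overlays.nix)
              (_final: prev: {
                syncstorage-rs =
                  prev.callPackage "${patchedNixpkgsSrc}/pkgs/by-name/sy/syncstorage-rs/package.nix"
                    { };
              })
            ];
            # Unfree packages stay denied except for the names listed here.
            nixpkgs.config.allowUnfreePredicate =
              pkg:
              builtins.elem (nixpkgs.lib.getName pkg) [
                "minecraft-server"
              ];
          }

          lanzaboote.nixosModules.lanzaboote

          arr-init.nixosModules.default

          (import "${nixpkgs-p2pool-module}/nixos/modules/services/networking/p2pool.nix")

          home-manager.nixosModules.home-manager
          (
            # The `home-manager` argument is not referenced; the body only defines
            # the `home-manager.users.<name>` option.
            {
              home-manager,
              ...
            }:
            {
              home-manager.users.${username} = import ./modules/home.nix;
            }
          )
        ]
        ++ (with nixos-hardware.nixosModules; [
          common-cpu-amd-pstate
          common-cpu-amd-zenpower
          common-pc-ssd
          common-gpu-intel
        ]);
      };

      deploy.nodes.${hostname} = {
        # SSH destination for deploy-rs (presumably an ssh_config alias, not the
        # NixOS hostname above).
        hostname = "server-public";
        profiles.system = {
          # NOTE(review): deploy-rs logs in directly as root here, so the host has to
          # permit root SSH login. Using an unprivileged sshUser and keeping
          # `user = "root"` lets deploy-rs escalate with sudo instead — confirm the
          # host's sudo setup before switching.
          sshUser = "root";
          user = "root";
          path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.${hostname};
        };
      };

      checks.${system} = testSuite;

      packages.${system} = {
        # One derivation linking every test, plus a `test-<name>` package per test.
        tests = pkgs.linkFarm "all-tests" (
          pkgs.lib.mapAttrsToList (name: test: {
            name = name;
            path = test;
          }) testSuite
        );
      }
      // (pkgs.lib.mapAttrs' (name: test: {
        name = "test-${name}";
        value = test;
      }) testSuite);
    };
}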