chore: reformat

2025-06-03 20:04:44 +02:00 · 2025-06-03 20:04:44 +02:00 · 1402ee13cc
commit 1402ee13cc
parent b638c4125b
57 changed files with 845 additions and 466 deletions
--- a/nixos/modules/admin.nix
+++ b/nixos/modules/admin.nix
@ -1,11 +1,16 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+  config,
+  pkgs,
+  lib,
+  ...
 }:
-with lib; let
+with lib;
+let
  cfg = config.dadada.admin;
-  extraGroups = [ "wheel" "libvirtd" ];
+  extraGroups = [
+    "wheel"
+    "libvirtd"
+  ];

  shells = {
    "bash" = pkgs.bashInteractive;
@ -16,22 +21,32 @@ with lib; let
  shellNames = builtins.attrNames shells;

  adminOpts =
-    { name
-    , config
-    , ...
-    }: {
+    {
+      name,
+      config,
+      ...
+    }:
+    {
      options = {
        keys = mkOption {
          type = types.listOf types.str;
          default = [ ];
-          apply = x: assert (builtins.length x > 0 || abort "Please specify at least one key to be able to log in"); x;
+          apply =
+            x:
+            assert (builtins.length x > 0 || abort "Please specify at least one key to be able to log in");
+            x;
          description = ''
            The keys that should be able to access the account.
          '';
        };
        shell = mkOption {
          type = types.nullOr types.str;
-          apply = x: assert (builtins.elem x shellNames || abort "Please specify one of ${builtins.toString shellNames}"); x;
+          apply =
+            x:
+            assert (
+              builtins.elem x shellNames || abort "Please specify one of ${builtins.toString shellNames}"
+            );
+            x;
          default = "zsh";
          defaultText = literalExpression "zsh";
          example = literalExpression "bash";
@ -81,15 +96,12 @@ in
    security.sudo.wheelNeedsPassword = false;
    services.openssh.openFirewall = true;

-    users.users =
-      mapAttrs
-        (user: keys: {
-          shell = shells."${keys.shell}";
-          extraGroups = extraGroups;
-          isNormalUser = true;
-          openssh.authorizedKeys.keys = keys.keys;
-        })
-        cfg.users;
+    users.users = mapAttrs (user: keys: {
+      shell = shells."${keys.shell}";
+      extraGroups = extraGroups;
+      isNormalUser = true;
+      openssh.authorizedKeys.keys = keys.keys;
+    }) cfg.users;

    nix.settings.trusted-users = builtins.attrNames cfg.users;

@ -103,7 +115,7 @@ in
    services.tor.relay.onionServices = {
      "rat" = mkIf cfg.rat.enable {
        name = "rat";
-        map = [{ port = 22; }];
+        map = [ { port = 22; } ];
      };
    };
  };
--- a/nixos/modules/backup.nix
+++ b/nixos/modules/backup.nix
@ -1,9 +1,11 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+  config,
+  pkgs,
+  lib,
+  ...
 }:
-with lib; let
+with lib;
+let
  backupExcludes = [
    "/backup"
    "/dev"
--- a/nixos/modules/borg-server.nix
+++ b/nixos/modules/borg-server.nix
@ -1,6 +1,11 @@
 { config, lib, ... }:
 let
-  inherit (lib) mkEnableOption mkIf mkOption types;
+  inherit (lib)
+    mkEnableOption
+    mkIf
+    mkOption
+    types
+    ;
  cfg = config.dadada.borgServer;
 in
 {
@ -20,31 +25,41 @@ in
    services.borgbackup.repos = {
      "metis" = {
        allowSubRepos = false;
-        authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDnc1gCi8lbhlLmPKvaExtCxVaAni8RrOuHUQO6wTbzR root@metis" ];
+        authorizedKeysAppendOnly = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDnc1gCi8lbhlLmPKvaExtCxVaAni8RrOuHUQO6wTbzR root@metis"
+        ];
        path = "${cfg.path}/metis";
        quota = "1T";
      };
      "gorgon" = {
        allowSubRepos = false;
-        authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6p9b2D7y2W+9BGee2yk2xsCRewNNaE6oS3CqlW61ti root@gorgon" ];
+        authorizedKeysAppendOnly = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6p9b2D7y2W+9BGee2yk2xsCRewNNaE6oS3CqlW61ti root@gorgon"
+        ];
        path = "${cfg.path}/gorgon";
        quota = "1T";
      };
      "surgat" = {
        allowSubRepos = false;
-        authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGhatanrNG+M6jAkU7Yi44mJmTreJkqyZ6Z+qiEgV7O root@surgat" ];
+        authorizedKeysAppendOnly = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGhatanrNG+M6jAkU7Yi44mJmTreJkqyZ6Z+qiEgV7O root@surgat"
+        ];
        path = "${cfg.path}/surgat";
        quota = "50G";
      };
      "pruflas" = {
        allowSubRepos = false;
-        authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBk7f9DSnXCOIUsxFsjCKG23vHShV4TSzzPJunPOwa1I root@pruflas" ];
+        authorizedKeysAppendOnly = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBk7f9DSnXCOIUsxFsjCKG23vHShV4TSzzPJunPOwa1I root@pruflas"
+        ];
        path = "${cfg.path}/pruflas";
        quota = "50G";
      };
      "wohnzimmerpi" = {
        allowSubRepos = false;
-        authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6uZ8mPQJWOL984gZKKPyxp7VLcxk42TpTh5iPP6N6k root@wohnzimmerpi" ];
+        authorizedKeysAppendOnly = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6uZ8mPQJWOL984gZKKPyxp7VLcxk42TpTh5iPP6N6k root@wohnzimmerpi"
+        ];
        path = "${cfg.path}/wohnzimmerpi";
        quota = "50G";
      };
--- a/nixos/modules/ddns.nix
+++ b/nixos/modules/ddns.nix
@ -1,52 +1,70 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+  config,
+  pkgs,
+  lib,
+  ...
 }:
-with lib; let
+with lib;
+let
  cfg = config.dadada.ddns;
-  ddnsConfig = { domains, credentialsPath, interface }: {
-    systemd.timers = listToAttrs (forEach domains (domain:
-      nameValuePair "ddns-${domain}"
-        {
-          wantedBy = [ "timers.target" ];
-          partOf = [ "ddns-${domain}.service" ];
-          timerConfig.OnCalendar = "hourly";
-        }));
+  ddnsConfig =
+    {
+      domains,
+      credentialsPath,
+      interface,
+    }:
+    {
+      systemd.timers = listToAttrs (
+        forEach domains (
+          domain:
+          nameValuePair "ddns-${domain}" {
+            wantedBy = [ "timers.target" ];
+            partOf = [ "ddns-${domain}.service" ];
+            timerConfig.OnCalendar = "hourly";
+          }
+        )
+      );

-    systemd.services = listToAttrs (forEach domains (domain:
-      nameValuePair "ddns-${domain}"
-        {
-          serviceConfig = {
-            Type = "oneshot";
-            PrivateTmp = true;
-            PrivateDevices = true;
-            PrivateUsers = true;
-            PrivateMounts = true;
-            PrivateIPC = true;
-            ProtectHome = true;
-            ProtectSystem = "strict";
-            ProtectKernelTunables = true;
-            BindReadOnlyPaths = [ credentialsPath ];
-            NoNewPrivileges = true;
-            CapabilitBoundingSet = [ ];
-          };
-          script = ''
-            function url() {
-              echo "https://svc.joker.com/nic/update?username=$1&password=$2&hostname=$3"
-            }
+      systemd.services = listToAttrs (
+        forEach domains (
+          domain:
+          nameValuePair "ddns-${domain}" {
+            serviceConfig = {
+              Type = "oneshot";
+              PrivateTmp = true;
+              PrivateDevices = true;
+              PrivateUsers = true;
+              PrivateMounts = true;
+              PrivateIPC = true;
+              ProtectHome = true;
+              ProtectSystem = "strict";
+              ProtectKernelTunables = true;
+              BindReadOnlyPaths = [ credentialsPath ];
+              NoNewPrivileges = true;
+              CapabilitBoundingSet = [ ];
+            };
+            script = ''
+              function url() {
+                echo "https://svc.joker.com/nic/update?username=$1&password=$2&hostname=$3"
+              }

-            IFS=':'
-            read -r user password < ${credentialsPath}
-            unset IFS
+              IFS=':'
+              read -r user password < ${credentialsPath}
+              unset IFS

-            curl_url=$(url "$user" "$password" ${domain})
+              curl_url=$(url "$user" "$password" ${domain})

-            ${pkgs.curl}/bin/curl --ipv4 "$curl_url" ${if interface == null then "" else "--interface ${interface}"} || true
-            ${pkgs.curl}/bin/curl --ipv6 "$curl_url" ${if interface == null then "" else "--interface ${interface}"}
-          '';
-        }));
-  };
+              ${pkgs.curl}/bin/curl --ipv4 "$curl_url" ${
+                if interface == null then "" else "--interface ${interface}"
+              } || true
+              ${pkgs.curl}/bin/curl --ipv6 "$curl_url" ${
+                if interface == null then "" else "--interface ${interface}"
+              }
+            '';
+          }
+        )
+      );
+    };
 in
 {
  options = {
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@ -1,8 +1,16 @@
 { lib, ... }:
-with lib; let
-  modules' = dir: filterAttrs (name: type: (name != "default.nix" && name != "profiles" && ((hasSuffix ".nix" name) || (type == "directory"))))
-    (builtins.readDir dir);
-  modules = dir: mapAttrs' (name: _: nameValuePair (removeSuffix ".nix" name) (import (dir + "/${name}")))
-    (modules' dir);
+with lib;
+let
+  modules' =
+    dir:
+    filterAttrs (
+      name: type:
+      (name != "default.nix" && name != "profiles" && ((hasSuffix ".nix" name) || (type == "directory")))
+    ) (builtins.readDir dir);
+  modules =
+    dir:
+    mapAttrs' (name: _: nameValuePair (removeSuffix ".nix" name) (import (dir + "/${name}"))) (
+      modules' dir
+    );
 in
 (modules ./.)
--- a/nixos/modules/element.nix
+++ b/nixos/modules/element.nix
@ -1,7 +1,8 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+  config,
+  pkgs,
+  lib,
+  ...
 }:
 let
  cfg = config.dadada.element;
--- a/nixos/modules/fileShare.nix
+++ b/nixos/modules/fileShare.nix
@ -1,8 +1,10 @@
-{ config
-, lib
-, ...
+{
+  config,
+  lib,
+  ...
 }:
-with lib; let
+with lib;
+let
  cfg = config.dadada.fileShare;
  sharePath = "/mnt/storage/share";
  ipv6 = "fd42:dead:beef::/48";
--- a/nixos/modules/gitea.nix
+++ b/nixos/modules/gitea.nix
@ -1,7 +1,8 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+  config,
+  pkgs,
+  lib,
+  ...
 }:
 let
  cfg = config.dadada.forgejo;
--- a/nixos/modules/headphones.nix
+++ b/nixos/modules/headphones.nix
@ -1,9 +1,11 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+  config,
+  pkgs,
+  lib,
+  ...
 }:
-with lib; let
+with lib;
+let
  cfg = config.dadada.headphones;
 in
 {
--- a/nixos/modules/homepage.nix
+++ b/nixos/modules/homepage.nix
@ -1,11 +1,13 @@
-{ config
-, lib
-, ...
+{
+  config,
+  lib,
+  ...
 }:
 let
  cfg = config.dadada.homepage;
 in
-with lib; {
+with lib;
+{
  options.dadada.homepage = {
    enable = mkEnableOption "Enable home page";
    package = mkOption {
--- a/nixos/modules/inputs.nix
+++ b/nixos/modules/inputs.nix
@ -1,7 +1,8 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+  config,
+  pkgs,
+  lib,
+  ...
 }:
 let
  cfg = config.dadada.inputs;
--- a/nixos/modules/profiles/backup.nix
+++ b/nixos/modules/profiles/backup.nix
@ -21,6 +21,8 @@ in
    sshIdentityFile = config.age.secrets."${config.networking.hostName}-backup-ssh-key".path;
  };

-  age.secrets."${config.networking.hostName}-backup-passphrase".file = "${secretsPath}/${config.networking.hostName}-backup-passphrase.age";
-  age.secrets."${config.networking.hostName}-backup-ssh-key".file = "${secretsPath}/${config.networking.hostName}-backup-ssh-key.age";
+  age.secrets."${config.networking.hostName}-backup-passphrase".file =
+    "${secretsPath}/${config.networking.hostName}-backup-passphrase.age";
+  age.secrets."${config.networking.hostName}-backup-ssh-key".file =
+    "${secretsPath}/${config.networking.hostName}-backup-ssh-key.age";
 }
--- a/nixos/modules/profiles/base.nix
+++ b/nixos/modules/profiles/base.nix
@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 let
  mkDefault = lib.mkDefault;
  inputs = config.dadada.inputs;
@ -27,7 +32,7 @@ in

  nix.package = pkgs.lix;

-  nix.settings.substituters = [ https://cache.nixos.org/ ];
+  nix.settings.substituters = [ "https://cache.nixos.org/" ];

  nix.settings.trusted-public-keys = [
    "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
@ -56,7 +61,10 @@ in

  services.resolved = {
    enable = mkDefault true;
-    fallbackDns = [ "9.9.9.9#dns.quad9.net" "2620:fe::fe:11#dns11.quad9.net" ];
+    fallbackDns = [
+      "9.9.9.9#dns.quad9.net"
+      "2620:fe::fe:11#dns11.quad9.net"
+    ];
  };

  programs.zsh.enable = mkDefault true;
@ -64,4 +72,3 @@ in
  # Avoid some bots
  services.openssh.ports = [ 2222 ];
 }
-
--- a/nixos/modules/profiles/cloud.nix
+++ b/nixos/modules/profiles/cloud.nix
@ -21,14 +21,13 @@ in
      hostKeys = [
        config.age.secrets."${initrdHostKey}".path
      ];
-      authorizedKeys = with lib;
-        concatLists (mapAttrsToList
-          (name: user:
-            if elem "wheel" user.extraGroups then
-              user.openssh.authorizedKeys.keys
-            else
-              [ ])
-          config.users.users);
+      authorizedKeys =
+        with lib;
+        concatLists (
+          mapAttrsToList (
+            name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else [ ]
+          ) config.users.users
+        );
    };
    postCommands = ''
      echo 'cryptsetup-askpass' >> /root/.profile
@ -36,7 +35,9 @@ in
  };

  assertions = lib.singleton {
-    assertion = (config.boot.initrd.network.ssh.hostKeys != [ ]) -> config.boot.loader.supportsInitrdSecrets == true;
+    assertion =
+      (config.boot.initrd.network.ssh.hostKeys != [ ])
+      -> config.boot.loader.supportsInitrdSecrets == true;
    message = "Refusing to store private keys in store";
  };

--- a/nixos/modules/profiles/laptop.nix
+++ b/nixos/modules/profiles/laptop.nix
@ -1,12 +1,14 @@
-{ config
-, lib
-, ...
+{
+  config,
+  lib,
+  ...
 }:
 let
  inputs = config.dadada.inputs;
  secretsPath = config.dadada.secrets.path;
 in
-with lib; {
+with lib;
+{
  imports = [
    ./backup.nix
    ./base.nix
@ -53,5 +55,6 @@ with lib; {
    passphrasePath = config.age.secrets."${config.networking.hostName}-backup-passphrase-gs".path;
  };

-  age.secrets."${config.networking.hostName}-backup-passphrase-gs".file = "${secretsPath}/${config.networking.hostName}-backup-passphrase-gs.age";
+  age.secrets."${config.networking.hostName}-backup-passphrase-gs".file =
+    "${secretsPath}/${config.networking.hostName}-backup-passphrase-gs.age";
 }
--- a/nixos/modules/profiles/server.nix
+++ b/nixos/modules/profiles/server.nix
@ -1,9 +1,11 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+  config,
+  pkgs,
+  lib,
+  ...
 }:
-with lib; {
+with lib;
+{
  imports = [
    ./backup.nix
    ./base.nix
@ -16,7 +18,9 @@ with lib; {
  documentation.enable = mkDefault false;
  documentation.nixos.enable = mkDefault false;

-  services.btrfs.autoScrub.enable = mkDefault ((filterAttrs (name: fs: fs.fsType == "btrfs") config.fileSystems) != { });
+  services.btrfs.autoScrub.enable = mkDefault (
+    (filterAttrs (name: fs: fs.fsType == "btrfs") config.fileSystems) != { }
+  );

  services.journald.extraConfig = ''
    SystemKeepFree = 2G
--- a/nixos/modules/profiles/upgrade-pg-cluster.nix
+++ b/nixos/modules/profiles/upgrade-pg-cluster.nix
@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 {
  environment.systemPackages = lib.mkIf config.services.postgresql.enable [
    (
--- a/nixos/modules/share.nix
+++ b/nixos/modules/share.nix
@ -1,9 +1,11 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+  config,
+  pkgs,
+  lib,
+  ...
 }:
-with lib; let
+with lib;
+let
  cfg = config.dadada.share;
 in
 {
--- a/nixos/modules/steam.nix
+++ b/nixos/modules/steam.nix
@ -1,9 +1,11 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+  config,
+  pkgs,
+  lib,
+  ...
 }:
-with lib; let
+with lib;
+let
  cfg = config.dadada.steam;
 in
 {
--- a/nixos/modules/vpnServer.nix
+++ b/nixos/modules/vpnServer.nix
@ -1,28 +1,32 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+  config,
+  pkgs,
+  lib,
+  ...
 }:
-with lib; let
+with lib;
+let
  cfg = config.dadada.vpnServer;
-  wgPeer = { name, ... }: {
-    options = {
-      name = mkOption {
-        internal = true;
-        default = name;
-      };
-      id = mkOption {
-        description = "VPN client id";
-        default = 0;
-        type = types.str;
-      };
-      key = mkOption {
-        description = "VPN client public key";
-        default = "";
-        type = types.str;
+  wgPeer =
+    { name, ... }:
+    {
+      options = {
+        name = mkOption {
+          internal = true;
+          default = name;
+        };
+        id = mkOption {
+          description = "VPN client id";
+          default = 0;
+          type = types.str;
+        };
+        key = mkOption {
+          description = "VPN client public key";
+          default = "";
+          type = types.str;
+        };
      };
    };
-  };
 in
 {
  options.dadada.vpnServer = {
@ -41,13 +45,10 @@ in
        privateKeyFile = "/var/lib/wireguard/wg0-key";
        ips = [ "fd42:9c3b:f96d:0201::0/64" ];
        listenPort = 51234;
-        peers =
-          map
-            (peer: {
-              allowedIPs = [ "fd42:9c3b:f96d:0201::${peer.id}/128" ];
-              publicKey = peer.key;
-            })
-            (attrValues cfg.peers);
+        peers = map (peer: {
+          allowedIPs = [ "fd42:9c3b:f96d:0201::${peer.id}/128" ];
+          publicKey = peer.key;
+        }) (attrValues cfg.peers);
        postSetup = ''
          wg set wg0 fwmark 51234
          ip -6 route add table 2468 fd42:9c3b:f96d::/48 dev ens3
--- a/nixos/modules/weechat.nix
+++ b/nixos/modules/weechat.nix
@ -1,9 +1,11 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+  config,
+  pkgs,
+  lib,
+  ...
 }:
-with lib; let
+with lib;
+let
  cfg = config.dadada.weechat;
 in
 {
--- a/nixos/modules/yubikey.nix
+++ b/nixos/modules/yubikey.nix
@ -1,9 +1,11 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+  config,
+  pkgs,
+  lib,
+  ...
 }:
-with lib; let
+with lib;
+let
  yubikey = config.dadada.yubikey;
 in
 {