refactor(treewide): format with alejandra

ooks-io 2024-07-29 15:00:38 +12:00
parent 7fefb94400
commit 61cef505da
216 changed files with 5995 additions and 3969 deletions


@ -1,10 +1,6 @@
{ lib, ... }:
let
{lib, ...}: let
inherit (lib) types mkOption;
in
{
in {
imports = [
./systemd.nix
# ./grub


@ -1,11 +1,11 @@
{ lib, config, ... }:
let
{
lib,
config,
...
}: let
inherit (lib) mkIf;
bootloader = config.ooknet.boot.loader;
in
{
in {
config = mkIf (bootloader == "systemd") {
boot.loader = {
systemd-boot = {


@ -1,11 +1,12 @@
{ lib, config, pkgs, ... }:
let
{
lib,
config,
pkgs,
...
}: let
inherit (lib) mkIf mkEnableOption;
cfg = config.sys.boot.plymouth;
in
{
in {
options.sys.boot.plymouth.enable = mkEnableOption "";
config = mkIf cfg.enable {


@ -1,10 +1,13 @@
{ pkgs, lib, config, ... }:
let
{
pkgs,
lib,
config,
...
}: let
inherit (lib) mkIf;
tuigreet = "${pkgs.greetd.tuigreet}/bin/tuigreet";
host = config.ooknet.host;
in
{
in {
config = mkIf (host.type != "phone") {
services.greetd = {
enable = true;


@ -1,10 +1,6 @@
{ lib, ... }:
let
{lib, ...}: let
inherit (lib) mkDefault;
in
{
in {
i18n = {
defaultLocale = mkDefault "en_US.UTF-8";
supportedLocales = mkDefault [


@ -1,11 +1,11 @@
{ lib, config, ... }:
let
{
lib,
config,
...
}: let
inherit (lib) mkIf;
host = config.ooknet.host;
in
{
in {
imports = [
./firewall.nix
./tools.nix


@ -1,11 +1,11 @@
{ lib, config, ... }:
let
{
lib,
config,
...
}: let
inherit (lib) mkIf;
host = config.ooknet.host;
in
{
in {
config = mkIf (host.type != "phone") {
networking.firewall = {
enable = true;


@ -1,18 +1,18 @@
{ lib, config, ... }:
let
{
lib,
config,
...
}: let
inherit (lib) mkIf;
host = config.ooknet.host;
in
{
in {
config = mkIf (host.type != "phone") {
services.resolved = {
enable = true;
fallbackDns = ["9.9.9.9"];
# allow-downgrade is vulnerable to downgrade attacks
extraConfig = ''
DNSOverTLS=yes # or allow-downgrade
DNSOverTLS=yes # or allow-downgrade
'';
};
};


@ -1,11 +1,11 @@
{ lib, config, ... }:
let
{
lib,
config,
...
}: let
inherit (lib) mkIf mkDefault;
host = config.ooknet.host;
in
{
in {
config = mkIf (host.type != "phone") {
services.openssh = {
enable = true;


@ -1,12 +1,13 @@
{ lib, config, pkgs, ... }:
let
{
lib,
config,
pkgs,
...
}: let
cfg = config.ooknet.host.networking.tailscale;
inherit (config.services) tailscale;
inherit (lib) mkIf mkDefault mkBefore;
in
{
in {
config = mkIf cfg.enable {
services.tailscale = {
enable = true;
@ -29,7 +30,7 @@ in
};
systemd.network.wait-online.ignoredInterfaces = ["${tailscale.interfaceName}"];
environment.systemPackages = [ pkgs.tailscale ];
environment.systemPackages = [pkgs.tailscale];
# disable tailscale logging
systemd.services.tailscaled.serviceConfig.Environment = mkBefore ["TS_NO_LOGS_NO_SUPPORT"];


@ -1,11 +1,11 @@
{ lib, config, ... }:
let
{
lib,
config,
...
}: let
inherit (lib) mkIf;
host = config.ooknet.host;
in
{
in {
# nyx module
config = mkIf (host.type != "phone") {
boot = {


@ -1,6 +1,4 @@
{ pkgs, ... }:
{
{pkgs, ...}: {
environment.systemPackages = with pkgs; [
traceroute
mtr


@ -1,11 +1,13 @@
{ lib, config, pkgs, inputs, ... }:
let
{
lib,
config,
pkgs,
inputs,
...
}: let
inherit (lib) mkIf mapAttrs mapAttrsToList;
host = config.ooknet.host;
in
{
in {
imports = [
./nh.nix
./nixpkgs.nix
@ -31,7 +33,7 @@ in
nixPath = mapAttrsToList (key: value: "${key}=${value.to.path}") config.nix.registry;
optimise = {
automatic = true;
dates = [ "18:00" ];
dates = ["18:00"];
};
gc = {
automatic = true;
@ -40,9 +42,9 @@ in
};
settings = {
flake-registry = "/etc/nix/registry.json";
allowed-users = [ "root" "@wheel" ];
trusted-users = [ "root" "@wheel" ];
experimental-features = [ "nix-command" "flakes" ];
allowed-users = ["root" "@wheel"];
trusted-users = ["root" "@wheel"];
experimental-features = ["nix-command" "flakes"];
builders-use-substitutes = true;
};
};


@ -1,12 +1,13 @@
{ pkgs, lib, config, ... }:
let
{
pkgs,
lib,
config,
...
}: let
inherit (lib) mkIf;
host = config.ooknet.host;
admin = host.admin;
in
{
in {
config = mkIf (host.type != "phone") {
environment.variables.FLAKE = mkIf admin.homeManager "/home/${admin.name}/.config/ooknet/";


@ -1,11 +1,12 @@
{ lib, config, inputs, ... }:
let
{
lib,
config,
inputs,
...
}: let
inherit (lib) mkIf;
host = config.ooknet.host;
in
{
in {
config = mkIf (host.type != "phone") {
nixpkgs = {
config = {


@ -1,11 +1,11 @@
{ lib, config, ... }:
let
{
lib,
config,
...
}: let
inherit (lib) mkIf;
host = config.ooknet.host;
in
{
in {
config = mkIf (host.type != "phone") {
nix.settings = {
substituters = [


@ -1,14 +1,15 @@
{ config, lib, self, ... }:
let
{
config,
lib,
self,
...
}: let
inherit (lib) mkIf;
host = config.ooknet.host;
admin = host.admin;
tailscale = host.networking.tailscale;
in
{
in {
age.identityPaths = [
"/home/${admin.name}/.ssh/id_ed25519"
];


@ -1,18 +1,18 @@
{ lib, config, ... }:
let
{
lib,
config,
...
}: let
inherit (lib) optionals mkForce concatLists;
inherit (builtins) elem;
features = config.ooknet.host.hardware.features;
in
{
in {
security = {
# Protects the kernel from being tampered with at runtime. prevents the ability to hibernate.
protectKernelImage = true;
protectKernelImage = true;
# page table isolation (PTI) is a kernel option designed to protect against
# side-channel attacks, including Meltdown & Spectre vunerabilities.
# side-channel attacks, including Meltdown & Spectre vunerabilities.
forcePageTableIsolation = true;
# locking kernel modules during runtime breaks certain services by stopping them from being
@ -41,7 +41,7 @@ in
# limits the exposer of the kernel memory address via dmesg
"kernel.dmesg_restrict" = 1;
# we are not a kernel developer so we disable this to prevent potential information leaks & attacks
"kernel.ftrace_enabled" = false;
@ -100,7 +100,7 @@ in
# disables a common interface that contains sensitive info on the kernel
"debugfs=off"
# prevent kernel from blanking plymouth out of the frame buffer console
# prevent kernel from blanking plymouth out of the frame buffer console
"fbcon=nodefer"
# enables auditing of integrity measurement events
@ -112,11 +112,10 @@ in
# disables the legacy vyscall mechanism, reducing attack surface.
"vsyscall=none"
# reduce exposure to heap attacks by preventing different slab caches from being merged.
"slab_nomerge"
"rootflags=noatime"
"lsm=landlock,lockdown,yama,integrity,apparmor,bpf,tomoyo,selinux"
];


@ -1,11 +1,10 @@
{ lib, config, ... }:
let
inherit (lib) mkDefault mkIf;
in
{
lib,
config,
...
}: let
inherit (lib) mkDefault mkIf;
in {
security.polkit = {
enable = true;
debug = mkDefault true;


@ -1,10 +1,6 @@
{ lib, ... }:
let
{lib, ...}: let
inherit (lib) mkDefault mkForce;
in
{
in {
# nyx module
security = {
sudo-rs.enable = mkForce false; # we don't want the rust sudo fork
@ -12,12 +8,16 @@ in
enable = true;
wheelNeedsPassword = mkDefault false; # only use false here if the extraRules below are enabled
execWheelOnly = mkForce true; # only allow wheel to execute sudo
extraConfig = /* shell */ ''
Defaults lecture = never # disable sudo lecture
Defaults pwfeedback # password feedback
Defaults env_keep += "EDITOR PATH DISPLAY" # variables to be passes to root
Defaults timestamp_timeout = 300 # asks for sudo password ever 300s
'';
extraConfig =
/*
shell
*/
''
Defaults lecture = never # disable sudo lecture
Defaults pwfeedback # password feedback
Defaults env_keep += "EDITOR PATH DISPLAY" # variables to be passes to root
Defaults timestamp_timeout = 300 # asks for sudo password ever 300s
'';
extraRules = [
{
# allow wheel group to run nixos-rebuild without password


@ -1,16 +1,15 @@
{ lib, config, ... }:
let
{
lib,
config,
...
}: let
inherit (lib) mkIf;
adminShell = config.ooknet.host.admin.shell;
in
{
config = mkIf (adminShell == "bash" ) {
in {
config = mkIf (adminShell == "bash") {
programs.bash = {
enable = true;
};
environment.pathsToLink = ["/share/bash-completion"];
};
}


@ -1,12 +1,12 @@
{ lib, config, ... }:
let
{
lib,
config,
...
}: let
inherit (lib) mkIf mkEnableOption;
adminShell = config.ooknet.host.admin.shell;
cfg = config.ooknet.shell.fish;
in
{
in {
options.ooknet.shell.fish.enable = mkEnableOption "Enable fish module";
config = mkIf (adminShell == "fish" || cfg.enable) {


@ -1,14 +1,14 @@
{ lib, config, ... }:
let
{
lib,
config,
...
}: let
inherit (lib) mkIf;
adminShell = config.ooknet.host.admin.shell;
in
{
in {
config = mkIf (adminShell == "zsh") {
# enable nixpkgs module if zsh is the main users login shell
# configure with home-manager module
# enable nixpkgs module if zsh is the main users login shell
# configure with home-manager module
programs.zsh = {
enable = true;