Harald Hoyer
cd99b128d4
Introduce a preStart hook to the nixos-upgrade systemd service to ensure the local repository is updated before upgrades by fetching and resetting to the origin's HEAD. This enhances the reliability and consistency of the upgrade process. Also, maintain the commented out old flake path for backward traceability.
157 lines
3.3 KiB
Nix
157 lines
3.3 KiB
Nix
{ pkgs, lib, ... }:
|
|
{
|
|
imports = [
|
|
# ./goaccess.nix
|
|
./acme.nix
|
|
./backup.nix
|
|
./coturn.nix
|
|
./forgejo.nix
|
|
./hardware-configuration.nix
|
|
./kicker.nix
|
|
./mailserver.nix
|
|
./network.nix
|
|
./nextcloud.nix
|
|
./nginx.nix
|
|
./postgresql.nix
|
|
./rspamd.nix
|
|
./users.nix
|
|
];
|
|
|
|
metacfg = {
|
|
base.enable = true;
|
|
nix.enable = true;
|
|
podman.enable = true;
|
|
secureboot.enable = false;
|
|
tools = {
|
|
direnv.enable = true;
|
|
};
|
|
};
|
|
|
|
security = {
|
|
tpm2.enable = lib.mkDefault true;
|
|
tpm2.abrmd.enable = lib.mkDefault true;
|
|
};
|
|
|
|
system.autoUpgrade = {
|
|
enable = true;
|
|
dates = "04:00";
|
|
operation = "switch";
|
|
allowReboot = true;
|
|
# flake = lib.mkForce "git+file:///var/lib/gitea/repositories/harald/nixcfg.git#mx";
|
|
flake = lib.mkForce "/root/nixcfg/.#mx";
|
|
};
|
|
|
|
systemd.services.nixos-upgrade = {
|
|
preStart = ''
|
|
cd /root
|
|
git fetch origin
|
|
git reset --hard origin/HEAD
|
|
'';
|
|
};
|
|
|
|
nix.gc = {
|
|
dates = "daily";
|
|
options = "--delete-older-than 7d";
|
|
};
|
|
|
|
programs.git.config = {
|
|
safe.directory = "/var/lib/gitea/repositories/harald/nixcfg.git";
|
|
};
|
|
|
|
environment.systemPackages = with pkgs; [
|
|
age
|
|
apacheHttpd # for mkpasswd
|
|
efibootmgr
|
|
fgallery
|
|
git
|
|
htop
|
|
mdadm
|
|
rrsync
|
|
tpm2-pkcs11
|
|
tpm2-pkcs11.out
|
|
tpm2-tools
|
|
zola
|
|
];
|
|
|
|
sops.age.sshKeyPaths = [ "/var/lib/secrets/ssh_host_ed25519_key" ];
|
|
|
|
services.openssh = {
|
|
enable = true;
|
|
hostKeys = [
|
|
{
|
|
path = "/var/lib/secrets/ssh_host_ed25519_key";
|
|
type = "ed25519";
|
|
}
|
|
{
|
|
path = "/var/lib/secrets/ssh_host_rsa_key";
|
|
type = "rsa";
|
|
bits = 4096;
|
|
}
|
|
];
|
|
};
|
|
|
|
systemd.services = {
|
|
check_boot = {
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
Environment = "PATH=/run/current-system/sw/bin";
|
|
ExecStart = toString (
|
|
pkgs.writeShellScript "check_boot.sh" ''
|
|
CURRENT=$(df /boot | grep /boot | awk '{ print $5}' | sed 's/%//g')
|
|
THRESHOLD=85
|
|
|
|
if [ "$CURRENT" -gt "$THRESHOLD" ] ; then
|
|
${pkgs.mailutils}/bin/mail -s '/boot Disk Space Alert' harald << EOF
|
|
Your /boot partition remaining free space is critically low. Used: $CURRENT%
|
|
EOF
|
|
fi
|
|
''
|
|
);
|
|
};
|
|
wantedBy = [ "default.target" ];
|
|
};
|
|
};
|
|
|
|
systemd.timers = {
|
|
check_boot = {
|
|
timerConfig = {
|
|
OnCalendar = "daily";
|
|
};
|
|
wantedBy = [ "timers.target" ];
|
|
};
|
|
};
|
|
|
|
systemd.services = {
|
|
check_root = {
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
Environment = "PATH=/run/current-system/sw/bin";
|
|
ExecStart = toString (
|
|
pkgs.writeShellScript "check_root.sh" ''
|
|
CURRENT=$(df / | grep / | awk '{ print $5}' | sed 's/%//g')
|
|
THRESHOLD=85
|
|
|
|
if [ "$CURRENT" -gt "$THRESHOLD" ] ; then
|
|
${pkgs.mailutils}/bin/mail -s '/boot Disk Space Alert' harald << EOF
|
|
Your root partition remaining free space is critically low. Used: $CURRENT%
|
|
EOF
|
|
fi
|
|
''
|
|
);
|
|
};
|
|
wantedBy = [ "default.target" ];
|
|
};
|
|
};
|
|
|
|
systemd.timers = {
|
|
check_root = {
|
|
timerConfig = {
|
|
OnCalendar = "daily";
|
|
};
|
|
wantedBy = [ "timers.target" ];
|
|
};
|
|
};
|
|
|
|
system.stateVersion = "23.05";
|
|
}
|