From e9639581a3f3f5d276a646819c71057064d9e336 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Wed, 28 Sep 2022 21:10:09 +0200 Subject: [PATCH] Merge config/ into modules/ --- config/c3d2.nix | 282 ---------- flake.nix | 8 +- hosts/hydra/default.nix | 2 +- hosts/prometheus/configuration.nix | 3 +- .../default.nix => modules/audio-server.nix | 0 modules/c3d2.nix | 532 +++++++++++++----- {config => modules}/logging.nix | 0 {config => modules}/lxc-container.nix | 0 {config => modules}/mqtt.yaml | 0 {config => modules}/nncp-relays.nix | 0 {config => modules}/stats.nix | 0 11 files changed, 403 insertions(+), 424 deletions(-) delete mode 100644 config/c3d2.nix rename config/audio-server/default.nix => modules/audio-server.nix (100%) rename {config => modules}/logging.nix (100%) rename {config => modules}/lxc-container.nix (100%) rename {config => modules}/mqtt.yaml (100%) rename {config => modules}/nncp-relays.nix (100%) rename {config => modules}/stats.nix (100%) diff --git a/config/c3d2.nix b/config/c3d2.nix deleted file mode 100644 index d46123be..00000000 --- a/config/c3d2.nix +++ /dev/null @@ -1,282 +0,0 @@ -# This module sets configuration for all NixOS machines defined in this flake - -{ zentralwerk, hostRegistry, config, options, lib, pkgs, ... }: - -let - hqPrefix64 = lib.removeSuffix "::" (builtins.head ( - builtins.split "/" zentralwerk.lib.config.site.net.c3d2.subnets6.dn42 - )); - - # Generate a deterministic IPv6 address for a 64 bit prefix - # and seed string. Prefix must not contain trailing ':'. - toIpv6Address = prefix64: seed: - with builtins; - let - digest = builtins.hashString "sha256" seed; - hextets = map (i: substring (4 * i) 4 digest) [ 0 1 2 3 ]; - in concatStringsSep ":" ([ prefix64 ] ++ hextets); - - # Generate a deterministic public IPv6 addresses - # for the HQ networking using a seed string. - toHqPrivateAddress = toIpv6Address hqPrefix64; - -in { - imports = [ - ./stats.nix - ./audio-server - ./logging.nix - ]; - - - config = let - cfg = config.c3d2; - mkIfIsInHq = x: lib.mkIf cfg.isInHq (lib.mkDefault x); - in { - # Configuration specific to this machine - assertions = [ - { - assertion = cfg.isInHq -> (config.users.users.root.password == null); - message = "Root passwords not allowed in HQ"; - } - { - assertion = cfg.hq.enableBinaryCache -> cfg.mergeHostsFile; - message = "mergeHostsFile must be enabled for enableBinaryCache"; - } - { - assertion = cfg.hq.enableMpdProxy -> cfg.mergeHostsFile; - message = "mergeHostsFile must be enabled for enableMpdProxy"; - } - { - assertion = cfg.isInHq -> builtins.hasAttr config.networking.hostName cfg.hosts; - message = "${config.networking.hostName} is not registered in ${ - toString ../host-registry.nix - }"; - } - ( # Check for host registry address collisions - let - getAddrHosts = key: - builtins.foldl' (result: host: - if cfg.hosts.${host}.${key} != null - then let - addr = cfg.hosts."${host}"."${key}"; - in if result ? "${addr}" - then result // { - "${addr}" = result."${addr}" ++ [ host ]; - } - else result // { - "${addr}" = [ host ]; - } - else result - ) {} (builtins.attrNames cfg.hosts); - dupHosts = - builtins.concatMap (hosts: - if builtins.length hosts == 1 - then [] - else hosts - ) ( - builtins.attrValues ( - getAddrHosts "ip4" // getAddrHosts "ip6" - ) - ); - in { - assertion = dupHosts == []; - message = "Hosts have duplicate addresses: ${ - lib.concatStringsSep " " dupHosts - }"; - }) - ]; - - boot.cleanTmpDir = true; - - c3d2.allUsersCanSshRoot = lib.mkDefault true; - - i18n = { - defaultLocale = "en_US.UTF-8"; - supportedLocales = [ - "en_US.UTF-8/UTF-8" - "de_DE.UTF-8/UTF-8" - "C.UTF-8/UTF-8" - ]; - }; - - networking.defaultGateway = lib.mkIf (!config.networking.useNetworkd) ( - mkIfIsInHq "172.22.99.4" - ); - - networking.domain = mkIfIsInHq "hq.c3d2.de"; - - systemd.network.networks = - if cfg.hq.interface != null && config.networking.useNetworkd - then { - "40-eth0".routes = [ { - routeConfig = { - Gateway = "172.22.99.4"; - GatewayOnLink = true; - }; - } ]; - } else {}; - networking.interfaces = - /* (if cfg.hq.externalInterface == null then - { } - else { - "${cfg.hq.externalInterface}" = { - ipv6.addresses = [{ - address = toHqPublicAddress config.networking.hostName; - prefixLength = 64; - }]; - }; - }) // - */ - if cfg.hq.interface == null then - { } - else { - "${cfg.hq.interface}" = { - ipv6.addresses = [{ - address = toHqPrivateAddress config.networking.hostName; - prefixLength = 64; - }]; - }; - }; - - networking.nameservers = with hostRegistry.hosts.dnscache; [ - ip4 - ip6 - "9.9.9.9" - ]; - networking.useHostResolvConf = lib.mkIf (!config.services.resolved.enable) true; - environment.etc."resolv.conf" = lib.mkIf (!config.services.resolved.enable) { - text = lib.concatMapStrings (ns: '' - nameserver ${ns} - '') config.networking.nameservers; - }; - - nix = { - settings = { - auto-optimise-store = true; - trusted-public-keys = lib.mkIf (config.networking.hostName != "hydra") [ - (builtins.readFile ../hosts/hydra/cache-pub.key) - ]; - substituters = lib.mkIf (config.networking.hostName != "hydra") ( - lib.mkBefore [ "https://nix-serve.hq.c3d2.de" ] - ); - }; - gc = { - automatic = true; - dates = "06:00"; - options = "--delete-older-than 21d"; - randomizedDelaySec = "6h"; - }; - registry.c3d2 = { - from = { - id = "c3d2"; - type = "indirect"; - }; - to = { - type = "git"; - url = "https://gitea.c3d2.de/C3D2/nix-config.git"; - }; - }; - extraOptions = '' - experimental-features = nix-command flakes - builders-use-substitutes = true - ''; - }; - - services.openssh = { - # Required for deployment - enable = true; - permitRootLogin = "prohibit-password"; - }; - - sops.age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ]; - - environment = { - systemPackages = with pkgs; [ - # Network fetchers - curl wget git - # System monitors - htop iotop bmon - ripgrep - # Terminal managers - tmux screen - # Editors - vim - # Pipeview - pv - # Network debugging - tcpdump ethtool mtr - ]; - variables = { - TERM = "xterm-256color"; - }; - # breaks various package builds - noXlibs = lib.mkForce false; - }; - - programs = { - ssh.knownHosts = with builtins; - let - intersectKeys = intersectAttrs { - publicKey = null; - publicKeyFile = null; - }; - list = map (name: - let - host = getAttr name cfg.hosts; - sshAttrs = intersectKeys host; - in if sshAttrs == { } then - null - else { - inherit name; - value = let - ip6 = if host.ip6 != null then - host.ip6 - else - toHqPrivateAddress name; - in { - publicKey = null; - publicKeyFile = null; - hostNames = [ ip6 "${name}.hq.c3d2.de" "${name}.hq" name ]; - } // sshAttrs; - }) (builtins.attrNames cfg.hosts); - keyedHosts = filter (x: x.value.publicKey != null || x.value.publicKeyFile != null) list; - in listToAttrs keyedHosts; - - vim.defaultEditor = true; - }; - - services.nginx = lib.mkIf config.services.nginx.enable { - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - }; - - time.timeZone = lib.mkDefault "Europe/Berlin"; - - # Reboot on hang - systemd.watchdog = lib.mkIf (!config.boot.isContainer) { - runtimeTime = "15s"; - rebootTime = "15s"; - }; - - # Defaults for LetsEncrypt - security.acme = - if options.security.acme ? defaults - then { - acceptTerms = true; - # NixOS>=22.05 - defaults = { - email = cfg.acmeEmail; - # letsencrypt staging server with way higher rate limits - # server = "https://acme-staging-v02.api.letsencrypt.org/directory"; - }; - } - else { - acceptTerms = true; - # TODO: NixOS<=21.05 - email = cfg.acmeEmail; - }; - zramSwap.enable = true; - }; -} diff --git a/flake.nix b/flake.nix index c23b823c..8031ea01 100644 --- a/flake.nix +++ b/flake.nix @@ -520,9 +520,9 @@ }) self.nixosModules.c3d2 - ./config/audio-server - ./config/c3d2.nix - ./config/stats.nix + ./modules/audio-server.nix + ./modules/c3d2.nix + ./modules/stats.nix ./modules/pi-sensors.nix ] ++ modules; }; @@ -962,7 +962,7 @@ ]; c3d2.hosts = hostRegistry.hosts; c3d2.users = import ./users.nix; - c3d2.nncp.neigh = import ./config/nncp-relays.nix; + c3d2.nncp.neigh = import ./modules/nncp-relays.nix; }; cluster = ./modules/cluster; cluster-network = ./modules/cluster-network.nix; diff --git a/hosts/hydra/default.nix b/hosts/hydra/default.nix index dc3e74a5..cee4110d 100644 --- a/hosts/hydra/default.nix +++ b/hosts/hydra/default.nix @@ -7,7 +7,7 @@ ./hydra.nix ./updater.nix ./nomad-server.nix - ../../config/c3d2.nix + ../../modules/c3d2.nix ]; nixpkgs.config.allowUnfree = true; diff --git a/hosts/prometheus/configuration.nix b/hosts/prometheus/configuration.nix index 65192de5..caea2e29 100644 --- a/hosts/prometheus/configuration.nix +++ b/hosts/prometheus/configuration.nix @@ -2,8 +2,7 @@ { imports = [ - ../../../config - ../../../config/lxc-container.nix + ../../../modules/lxc-container.nix ]; networking = { diff --git a/config/audio-server/default.nix b/modules/audio-server.nix similarity index 100% rename from config/audio-server/default.nix rename to modules/audio-server.nix diff --git a/modules/c3d2.nix b/modules/c3d2.nix index ead2b8ba..8fc0c6fd 100644 --- a/modules/c3d2.nix +++ b/modules/c3d2.nix @@ -1,9 +1,12 @@ -# This module defines options for use by all C3D2 machines. - -{ options, config, lib, pkgs, ... }: +{ zentralwerk, hostRegistry, config, options, lib, pkgs, ... }: let cfg = config.c3d2; + + hqPrefix64 = lib.removeSuffix "::" (builtins.head ( + builtins.split "/" zentralwerk.lib.config.site.net.c3d2.subnets6.dn42 + )); + neighMod = with lib; types.submodule { options = { addrs = mkOption { @@ -18,145 +21,157 @@ let } // (with builtins; let value = mkOption { type = types.str; }; in listToAttrs (map (name: { inherit name value; }) [ "exchpub" "id" "noisepub" "signpub" ])); }; + + # Generate a deterministic IPv6 address for a 64 bit prefix + # and seed string. Prefix must not contain trailing ':'. + toIpv6Address = prefix64: seed: + with builtins; + let + digest = builtins.hashString "sha256" seed; + hextets = map (i: substring (4 * i) 4 digest) [ 0 1 2 3 ]; + in + concatStringsSep ":" ([ prefix64 ] ++ hextets); + + # Generate a deterministic public IPv6 addresses + # for the HQ networking using a seed string. + toHqPrivateAddress = toIpv6Address hqPrefix64; in { - options.c3d2 = with lib; - with lib.types; { + imports = [ + ./stats.nix + ./audio-server.nix + ./logging.nix + ]; - acmeEmail = mkOption { - type = str; - default = "mail@c3d2.de"; + options.c3d2 = with lib; { + acmeEmail = mkOption { + type = types.str; + default = "mail@c3d2.de"; + description = '' + Admin email address to use for Letsencrypt + ''; + }; + + allUsersCanSshRoot = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Let all people in c3d2.users + login as root for deployment via SSH. + ''; + }; + + isInHq = mkEnableOption "HQ presence (TODO: what is this? association to VLAN 5?)"; + + enableMotd = mkOption { + type = types.bool; + default = cfg.isInHq; + defaultText = literalExample "config.c3d2.isInHq"; + }; + + mergeHostsFile = mkOption { + type = types.bool; + default = cfg.isInHq; + description = '' + Whether to add c3d2.hosts to /etc/hosts. + ''; + }; + + mergeNncpSettings = mkEnableOption '' + Whether to merge c3d2.nncp.<…>.nncp + into programs.nncp.settings. + ''; + + k-ot.enable = mkEnableOption '' + Add k-ot user to this machine. Anyone with an SSH key listed in + c3d2.users can log in as this user. + ''; + + hq = { + interface = mkOption { + type = with types; nullOr str; + default = null; + example = "eth0"; description = '' - Admin email address to use for Letsencrypt + Configure the given interface name with an internal IP address. ''; }; - allUsersCanSshRoot = lib.mkOption { - type = lib.types.bool; - default = false; - description = '' - Let all people in c3d2.users - login as root for deployment via SSH. - ''; - }; - - isInHq = mkEnableOption "HQ presence (TODO: what is this? association to VLAN 5?)"; - - enableMotd = mkOption { - type = bool; + enableBinaryCache = mkOption { + type = types.bool; default = cfg.isInHq; defaultText = literalExample "config.c3d2.isInHq"; + description = "Whether to enable the local Nix binary cache"; }; - mergeHostsFile = mkOption { - type = bool; - default = cfg.isInHq; + enableMpdProxy = mkOption { + type = types.bool; + default = false; + description = "Whether to proxy the local MPD database"; + }; + + journalToMqtt = mkOption { + type = types.bool; + default = true; + }; + }; + + hosts = + mkOption { + type = types.attrsOf (types.submodule { + options = { + ether = mkOption { + type = with types; nullOr str; + default = null; + }; + ip4 = mkOption { + type = with types; nullOr str; + default = null; + }; + ip6 = mkOption { + type = with types; nullOr str; + default = null; + }; + publicKey = mkOption { + type = with types; nullOr str; + default = null; + }; + wol = mkOption { + type = types.bool; + default = false; + }; + serial = mkOption { + type = with types; nullOr str; + default = null; + description = '' + Hardware serial number to help identification when netbooting. + ''; + }; + }; + }); + }; + + nncp = { + neigh = mkOption { + type = with types; attrsOf neighMod; + default = { }; description = '' - Whether to add c3d2.hosts to /etc/hosts. + Attrset of NNCP neighbours for relaying packets. + User endpoints go in c3d2.users. ''; }; - - mergeNncpSettings = mkEnableOption '' - Whether to merge c3d2.nncp.<…>.nncp - into programs.nncp.settings. - ''; - - k-ot.enable = mkEnableOption '' - Add k-ot user to this machine. Anyone with an SSH key listed in - c3d2.users can log in as this user. - ''; - - hq = { - interface = mkOption { - type = nullOr str; - default = null; - example = "eth0"; - description = '' - Configure the given interface name with an internal IP address. - ''; - }; - - enableBinaryCache = mkOption { - type = bool; - default = cfg.isInHq; - defaultText = literalExample "config.c3d2.isInHq"; - description = "Whether to enable the local Nix binary cache"; - }; - - enableMpdProxy = mkOption { - type = bool; - default = false; - description = "Whether to proxy the local MPD database"; - }; - - journalToMqtt = mkOption { - type = bool; - default = true; - }; - - }; - - hosts = - mkOption { - type = attrsOf (submodule { - options = { - ether = mkOption { - type = with types; nullOr str; - default = null; - }; - ip4 = mkOption { - type = with types; nullOr str; - default = null; - }; - ip6 = mkOption { - type = with types; nullOr str; - default = null; - }; - publicKey = mkOption { - type = with types; nullOr str; - default = null; - }; - wol = mkOption { - type = types.bool; - default = false; - }; - serial = mkOption { - type = with types; nullOr str; - default = null; - description = '' - Hardware serial number to help identification when netbooting. - ''; - }; - }; - }); - }; - - nncp = { - neigh = mkOption { - type = with types; attrsOf neighMod; - default = { }; - description = '' - Attrset of NNCP neighbours for relaying packets. - User endpoints go in c3d2.users. - ''; - }; - }; - - users = - mkOption { - type = attrsOf - (submodule { - options = { - sshKeys = mkOption { - type = with types; - listOf str; - default = [ ]; - }; - }; - }); - }; - }; + + users = mkOption { + type = types.attrsOf (types.submodule { + options.sshKeys = mkOption { + type = with types; listOf str; + default = [ ]; + }; + }); + }; + }; + config = let adminKeys = (with builtins; lib.lists.flatten ( @@ -164,6 +179,7 @@ in (getAttr "sshKeys") (attrValues cfg.users) )); + mkIfIsInHq = x: lib.mkIf cfg.isInHq (lib.mkDefault x); in { networking.hosts = lib.mkIf cfg.mergeHostsFile @@ -175,16 +191,13 @@ in (lib.attrsets.filterAttrs (n: v: v.ip6 != null) cfg.hosts) )); - programs = lib.optionalAttrs (options.programs ? nncp) { - nncp.settings = lib.optionalAttrs cfg.mergeNncpSettings cfg.nncp; - }; + programs.nncp.settings = lib.optionalAttrs cfg.mergeNncpSettings cfg.nncp; users.motd = lib.mkIf cfg.enableMotd (builtins.readFile ./motd); users = { users = { k-ot = lib.mkIf cfg.k-ot.enable { - packages = with pkgs; [ screen tmux ]; createHome = true; isNormalUser = true; uid = 1000; @@ -210,7 +223,7 @@ in current_boot_only = true; }; sinks.mqtt = { - inputs = ["journal"]; + inputs = [ "journal" ]; type = "mqtt"; host = "broker.serv.zentralwerk.org"; # port = 8883; @@ -239,7 +252,8 @@ in done echo '}' ''; - in { + in + { type = "exec"; command = [ catSecrets @@ -251,13 +265,261 @@ in }; sops.secrets = lib.mkIf config.c3d2.hq.journalToMqtt { "mqtt/user" = { - sopsFile = ../config/mqtt.yaml; + sopsFile = ../modules/mqtt.yaml; owner = config.systemd.services.vector.serviceConfig.User; }; "mqtt/password" = { - sopsFile = ../config/mqtt.yaml; + sopsFile = ../modules/mqtt.yaml; owner = config.systemd.services.vector.serviceConfig.User; }; }; + + assertions = [ + { + assertion = cfg.isInHq -> (config.users.users.root.password == null); + message = "Root passwords not allowed in HQ"; + } + { + assertion = cfg.hq.enableBinaryCache -> cfg.mergeHostsFile; + message = "mergeHostsFile must be enabled for enableBinaryCache"; + } + { + assertion = cfg.hq.enableMpdProxy -> cfg.mergeHostsFile; + message = "mergeHostsFile must be enabled for enableMpdProxy"; + } + { + assertion = cfg.isInHq -> builtins.hasAttr config.networking.hostName cfg.hosts; + message = "${config.networking.hostName} is not registered in ${toString ../host-registry.nix}"; + } + ( + # Check for host registry address collisions + let + getAddrHosts = key: + builtins.foldl' + (result: host: + if cfg.hosts.${host}.${key} != null + then + let + addr = cfg.hosts."${host}"."${key}"; + in + if result ? "${addr}" + then result // { + "${addr}" = result."${addr}" ++ [ host ]; + } + else result // { + "${addr}" = [ host ]; + } + else result + ) + { } + (builtins.attrNames cfg.hosts); + dupHosts = + builtins.concatMap + (hosts: + if builtins.length hosts == 1 + then [ ] + else hosts + ) + ( + builtins.attrValues ( + getAddrHosts "ip4" // getAddrHosts "ip6" + ) + ); + in + { + assertion = dupHosts == [ ]; + message = "Hosts have duplicate addresses: ${lib.concatStringsSep " " dupHosts}"; + } + ) + ]; + + boot.cleanTmpDir = true; + + c3d2.allUsersCanSshRoot = lib.mkDefault true; + + i18n = { + defaultLocale = "en_US.UTF-8"; + supportedLocales = [ + "en_US.UTF-8" + "de_DE.UTF-8" + ]; + }; + + systemd.network.networks = lib.mkIf (cfg.hq.interface != null && config.networking.useNetworkd) { + "40-eth0".routes = [{ + routeConfig = { + Gateway = "172.22.99.4"; + GatewayOnLink = true; + }; + }]; + }; + + networking = { + defaultGateway = lib.mkIf (!config.networking.useNetworkd) ( + mkIfIsInHq "172.22.99.4" + ); + + domain = mkIfIsInHq "hq.c3d2.de"; + + interfaces = lib.mkIf (cfg.hq.interface != null) { + "${cfg.hq.interface}".ipv6.addresses = [{ + address = toHqPrivateAddress config.networking.hostName; + prefixLength = 64; + }]; + }; + + nameservers = with hostRegistry.hosts.dnscache; [ + ip4 + ip6 + "9.9.9.9" + ]; + useHostResolvConf = lib.mkIf (!config.services.resolved.enable) true; + }; + + environment.etc."resolv.conf" = lib.mkIf (!config.services.resolved.enable) { + text = lib.concatMapStrings + (ns: '' + nameserver ${ns} + '') + config.networking.nameservers; + }; + + nix = { + settings = { + auto-optimise-store = true; + trusted-public-keys = lib.mkIf (config.networking.hostName != "hydra") [ + (builtins.readFile ../hosts/hydra/cache-pub.key) + ]; + substituters = lib.mkIf (config.networking.hostName != "hydra") ( + lib.mkBefore [ "https://nix-serve.hq.c3d2.de" ] + ); + }; + gc = { + automatic = true; + dates = "06:00"; + options = "--delete-older-than 21d"; + randomizedDelaySec = "6h"; + }; + registry.c3d2 = { + from = { + id = "c3d2"; + type = "indirect"; + }; + to = { + type = "git"; + url = "https://gitea.c3d2.de/C3D2/nix-config.git"; + }; + }; + extraOptions = '' + experimental-features = nix-command flakes + builders-use-substitutes = true + ''; + }; + + services.openssh = { + # Required for deployment + enable = true; + permitRootLogin = "prohibit-password"; + }; + + sops.age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ]; + + environment = { + systemPackages = with pkgs; [ + # Network fetchers + curl + wget + git + # System monitors + htop + iotop + bmon + ripgrep + # Terminal managers + tmux + screen + # Editors + vim + # Pipeview + pv + # Network debugging + tcpdump + ethtool + mtr + ]; + variables = { + # TERM = "xterm-256color"; + }; + # breaks various package builds + noXlibs = lib.mkForce false; + }; + + programs = { + ssh.knownHosts = with builtins; + let + intersectKeys = intersectAttrs { + publicKey = null; + publicKeyFile = null; + }; + list = map + (name: + let + host = getAttr name cfg.hosts; + sshAttrs = intersectKeys host; + in + if sshAttrs == { } then + null + else { + inherit name; + value = + let ip6 = if host.ip6 != null then host.ip6 else toHqPrivateAddress name; + in + { + publicKey = null; + publicKeyFile = null; + hostNames = [ ip6 "${name}.hq.c3d2.de" "${name}.hq" name ]; + } // sshAttrs; + }) + (builtins.attrNames cfg.hosts); + keyedHosts = filter (x: x.value.publicKey != null || x.value.publicKeyFile != null) list; + in + listToAttrs keyedHosts; + + vim.defaultEditor = true; + }; + + services.nginx = lib.mkIf config.services.nginx.enable { + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + }; + + time.timeZone = lib.mkDefault "Europe/Berlin"; + + # Reboot on hang + systemd.watchdog = lib.mkIf (!config.boot.isContainer) { + runtimeTime = "15s"; + rebootTime = "15s"; + }; + + # Defaults for LetsEncrypt + security.acme = + if options.security.acme ? defaults + then { + acceptTerms = true; + # NixOS>=22.05 + defaults = { + email = cfg.acmeEmail; + # letsencrypt staging server with way higher rate limits + # server = "https://acme-staging-v02.api.letsencrypt.org/directory"; + }; + } + else { + acceptTerms = true; + # TODO: NixOS<=21.05 + email = cfg.acmeEmail; + }; + zramSwap.enable = true; }; } diff --git a/config/logging.nix b/modules/logging.nix similarity index 100% rename from config/logging.nix rename to modules/logging.nix diff --git a/config/lxc-container.nix b/modules/lxc-container.nix similarity index 100% rename from config/lxc-container.nix rename to modules/lxc-container.nix diff --git a/config/mqtt.yaml b/modules/mqtt.yaml similarity index 100% rename from config/mqtt.yaml rename to modules/mqtt.yaml diff --git a/config/nncp-relays.nix b/modules/nncp-relays.nix similarity index 100% rename from config/nncp-relays.nix rename to modules/nncp-relays.nix diff --git a/config/stats.nix b/modules/stats.nix similarity index 100% rename from config/stats.nix rename to modules/stats.nix