jan-leila/nix-config
1
0
Fork 1
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: jan-leila:539af51473126cf2a715803d80d21b5a7bfdcd13
Branches Tags
jan-leila:main
..
compare: jan-leila:e8f7331b6c8e3e33bc927459e2720c0a7e954f55
Branches Tags
jan-leila:main

No commits in common. "539af51473126cf2a715803d80d21b5a7bfdcd13" and "e8f7331b6c8e3e33bc927459e2720c0a7e954f55" have entirely different histories.
539af51473 ... e8f7331b6c

7 changed files with 27 additions and 109 deletions
Download patch file Download diff file Expand all files Collapse all files

10
.hooks/post-commit
View file

@ -3,12 +3,4 @@
echo "restoring stashed changes" echo "restoring stashed changes"
# Find the most recent pre-commit stash and restore it git stash pop -q
recent_stash=$(git stash list | grep "pre-commit-stash-" | head -n 1 | cut -d: -f1)
if [ -n "$recent_stash" ]; then
echo "Found recent pre-commit stash: $recent_stash"
git stash pop -q "$recent_stash"
else
echo "No pre-commit stash found to restore"
fi

26
.hooks/post-merge
View file

@ -4,28 +4,14 @@
# Get current branch name # Get current branch name
current_branch=$(git branch --show-current) current_branch=$(git branch --show-current)
# Only perform actions if we're on main branch and a merge just completed # Only restore stash if we're on main branch and a merge just completed
if [ "$current_branch" = "main" ]; then if [ "$current_branch" = "main" ]; then
echo "Post-merge on main branch - running nix flake check" # Check if there are any stashes to restore
if git stash list | grep -q "stash@"; then
# Run nix flake check after merge into main echo "Post-merge: restoring stashed changes on main branch"
nix flake check git stash pop -q
if [ ! $? -eq 0 ]; then
echo "Warning: nix flake check failed after merge into main"
echo "Please fix the issues as soon as possible"
else else
echo "nix flake check passed after merge" echo "Post-merge: no stash to restore on main branch"
fi
# Check if there are any pre-commit stashes to restore
recent_stash=$(git stash list | grep "pre-commit-stash-" | head -n 1 | cut -d: -f1)
if [ -n "$recent_stash" ]; then
echo "Post-merge: restoring pre-commit stash on main branch"
git stash pop -q "$recent_stash"
else
echo "Post-merge: no pre-commit stash to restore on main branch"
fi fi
else else
echo "Post-merge: no action needed on branch '$current_branch'" echo "Post-merge: no action needed on branch '$current_branch'"

24
.hooks/pre-commit
View file

@ -1,24 +1,14 @@
#!/usr/bin/env nix-shell #!/usr/bin/env nix-shell
#! nix-shell -i bash ../shell.nix #! nix-shell -i bash ../shell.nix
# Get current branch name echo "stashing all uncommitted changes"
current_branch=$(git branch --show-current) git stash -q --keep-index
echo "stashing all uncommitted changes with named stash (excluding hooks)" echo "checking flakes all compile"
git stash push -q --keep-index -m "pre-commit-stash-$(date +%s)" -- ':!.hooks/' nix flake check
# Only run nix flake check if we're on main branch if [ ! $? -eq 0 ]; then
if [ "$current_branch" = "main" ]; then exit 1
echo "On main branch - checking flakes all compile"
nix flake check
if [ ! $? -eq 0 ]; then
echo "Error: nix flake check failed on main branch"
exit 1
fi
echo "nix flake check passed"
else
echo "Not on main branch - skipping nix flake check"
fi fi
echo "running linter" echo "running linter"
@ -29,4 +19,4 @@ RESULT=$?
echo "adding lint changes to commit" echo "adding lint changes to commit"
git add -u git add -u
exit $RESULT exit $RESULT

4
.hooks/pre-merge-commit
View file

@ -17,8 +17,8 @@ fi
if [ "$target_branch" = "main" ]; then if [ "$target_branch" = "main" ]; then
echo "Merging into main branch - running nix flake check..." echo "Merging into main branch - running nix flake check..."
echo "stashing all uncommitted changes with named stash (excluding hooks)" echo "stashing all uncommitted changes"
git stash push -q --keep-index -m "pre-merge-stash-$(date +%s)" -- ':!.hooks/' git stash -q --keep-index
echo "checking flakes all compile" echo "checking flakes all compile"
nix flake check nix flake check

5
configurations/nixos/defiant/configuration.nix
View file

@ -343,18 +343,17 @@
}; };
crab-hole = { crab-hole = {
enable = false; enable = true;
port = 8085; port = 8085;
openFirewall = true; openFirewall = true;
show_doc = true; show_doc = true;
downstreams = { downstreams = {
host = { loopback = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
}; };
}; };
upstreams.cloudFlare.enable = true; upstreams.cloudFlare.enable = true;
blocklists.ad_malware.enable = true;
}; };
qbittorrent = { qbittorrent = {

65
modules/nixos-modules/server/crab-hole/crab-hole.nix
View file

@ -27,19 +27,9 @@ in {
show_doc = lib.mkEnableOption "OpenAPI documentation (loads content from third party websites)"; show_doc = lib.mkEnableOption "OpenAPI documentation (loads content from third party websites)";
downstreams = { downstreams = {
host = { loopback = {
enable = lib.mkEnableOption "host downstream DNS server accessible from network on all interfaces"; enable = lib.mkEnableOption "loopback downstream DNS server on localhost:53";
port = lib.mkOption { openFirewall = lib.mkEnableOption "automatic port forwarding for the loopback downstream";
type = lib.types.port;
default = 53;
description = "Port for the host downstream DNS server to listen on.";
};
openFirewall = lib.mkEnableOption "automatic port forwarding for the host downstream";
disableSystemdResolved = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Whether to automatically disable systemd-resolved when using port 53. Set to false if you want to handle the conflict manually.";
};
}; };
}; };
@ -89,44 +79,9 @@ in {
default = []; default = [];
description = "List of additional upstream DNS server configurations."; description = "List of additional upstream DNS server configurations.";
}; };
blocklists = {
ad_malware = {
enable = lib.mkEnableOption "Host file for blocking ads and malware";
url = lib.mkOption {
type = lib.types.str;
default = "http://sbc.io/hosts/hosts";
description = "URL of the ad and malware blocklist host file";
};
};
};
extraBlocklists = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [];
description = "Additional blocklist URLs to be added to the configuration";
};
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
# Assertions for proper configuration
assertions = [
{
assertion = !(cfg.downstreams.host.enable && cfg.downstreams.host.port == 53 && config.services.resolved.enable && cfg.downstreams.host.disableSystemdResolved);
message = "crab-hole host downstream cannot use port 53 while systemd-resolved is enabled. Either disable systemd-resolved or use a different port.";
}
{
assertion = !(cfg.downstreams.host.enable && cfg.downstreams.host.port == 53 && !cfg.downstreams.host.disableSystemdResolved && config.services.resolved.enable);
message = "crab-hole host downstream is configured to use port 53 but systemd-resolved is still enabled and disableSystemdResolved is false. Set disableSystemdResolved = true or manually disable systemd-resolved.";
}
];
# Automatically disable systemd-resolved if using port 53
services.resolved.enable = lib.mkIf (cfg.downstreams.host.enable && cfg.downstreams.host.port == 53 && cfg.downstreams.host.disableSystemdResolved) (lib.mkForce false);
# Configure DNS nameservers when disabling systemd-resolved
networking.nameservers = lib.mkIf (cfg.downstreams.host.enable && cfg.downstreams.host.port == 53 && cfg.downstreams.host.disableSystemdResolved) (lib.mkDefault ["127.0.0.1" "1.1.1.1" "8.8.8.8"]);
services.crab-hole.settings = lib.mkMerge [ services.crab-hole.settings = lib.mkMerge [
{ {
api = { api = {
@ -136,17 +91,13 @@ in {
}; };
downstream = cfg.extraDownstreams; downstream = cfg.extraDownstreams;
upstream.name_servers = cfg.extraUpstreams; upstream.name_servers = cfg.extraUpstreams;
blocklist.lists = cfg.extraBlocklists;
} }
(lib.mkIf cfg.blocklists.ad_malware.enable { (lib.mkIf cfg.downstreams.loopback.enable {
blocklist.lists = [cfg.blocklists.ad_malware.url];
})
(lib.mkIf cfg.downstreams.host.enable {
downstream = [ downstream = [
{ {
protocol = "udp"; protocol = "udp";
listen = "0.0.0.0"; listen = "localhost";
port = cfg.downstreams.host.port; port = 53;
} }
]; ];
}) })
@ -185,8 +136,8 @@ in {
(lib.mkIf cfg.openFirewall { (lib.mkIf cfg.openFirewall {
allowedTCPPorts = [cfg.port]; allowedTCPPorts = [cfg.port];
}) })
(lib.mkIf (cfg.downstreams.host.enable && cfg.downstreams.host.openFirewall) { (lib.mkIf (cfg.downstreams.loopback.enable && cfg.downstreams.loopback.openFirewall) {
allowedUDPPorts = [cfg.downstreams.host.port]; allowedUDPPorts = [53];
}) })
]; ];
}; };

2
modules/nixos-modules/server/crab-hole/impermanence.nix
View file

@ -5,7 +5,7 @@
}: let }: let
workingDirectory = "/var/lib/private/crab-hole"; workingDirectory = "/var/lib/private/crab-hole";
in { in {
config = lib.mkIf (config.services.crab-hole.enable && config.host.impermanence.enable) { config = lib.mkIf (config.services.immich.enable && config.host.impermanence.enable) {
assertions = [ assertions = [
{ {
assertion = assertion =