Diffstat (limited to 'ops/machines/whitby/default.nix')
-rw-r--r--ops/machines/whitby/default.nix141
1 files changed, 77 insertions, 64 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index a6a5a763177a..0aa61fda80cf 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -4,7 +4,8 @@
 let
   inherit (builtins) listToAttrs;
   inherit (lib) range;
-in {
+in
+{
   imports = [
     "${depot.path}/ops/modules/atward.nix"
     "${depot.path}/ops/modules/clbot.nix"
@@ -55,7 +56,13 @@ in {
 
     initrd = {
       availableKernelModules = [
-        "igb" "xhci_pci" "nvme" "ahci" "usbhid" "usb_storage" "sr_mod"
+        "igb"
+        "xhci_pci"
+        "nvme"
+        "ahci"
+        "usbhid"
+        "usb_storage"
+        "sr_mod"
       ];
 
       # Enable SSH in the initrd so that we can enter disk encryption
@@ -189,7 +196,7 @@ in {
         ++ lukegb.keys.all
         ++ [ grfn.keys.whitby ]
         ++ sterni.keys.all
-        ;
+      ;
     };
   };
 
@@ -205,7 +212,8 @@ in {
   age.secrets =
     let
       secretFile = name: depot.ops.secrets."${name}.age";
-    in {
+    in
+    {
       clbot.file = secretFile "clbot";
       gerrit-queue.file = secretFile "gerrit-queue";
       grafana.file = secretFile "grafana";
@@ -509,15 +517,16 @@ in {
       job_name = "node";
       scrape_interval = "5s";
       static_configs = [{
-        targets = ["localhost:${toString config.services.prometheus.exporters.node.port}"];
+        targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
       }];
-    } {
-      job_name = "nginx";
-      scrape_interval = "5s";
-      static_configs = [{
-        targets = ["localhost:${toString config.services.prometheus.exporters.nginx.port}"];
+    }
+      {
+        job_name = "nginx";
+        scrape_interval = "5s";
+        static_configs = [{
+          targets = [ "localhost:${toString config.services.prometheus.exporters.nginx.port}" ];
+        }];
       }];
-    }];
   };
 
   services.grafana = {
@@ -526,58 +535,62 @@ in {
     domain = "status.tvl.su";
     rootUrl = "https://status.tvl.su";
     analytics.reporting.enable = false;
-    extraOptions = let
-      options = {
-        auth = {
-          generic_oauth = {
-            enabled = true;
-            client_id = "grafana";
-            scopes = "openid profile email";
-            name = "TVL";
-            email_attribute_path = "mail";
-            login_attribute_path = "sub";
-            name_attribute_path = "displayName";
-            auth_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/auth";
-            token_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/token";
-            api_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/userinfo";
-
-            # Give lukegb, grfn, tazjin "Admin" rights.
-            role_attribute_path = "((sub == 'lukegb' || sub == 'grfn' || sub == 'tazjin') && 'Admin') || 'Editor'";
-
-            # Allow creating new Grafana accounts from OAuth accounts.
-            allow_sign_up = true;
-          };
-
-          anonymous = {
-            enabled = true;
-            org_name = "The Virus Lounge";
-            org_role = "Viewer";
+    extraOptions =
+      let
+        options = {
+          auth = {
+            generic_oauth = {
+              enabled = true;
+              client_id = "grafana";
+              scopes = "openid profile email";
+              name = "TVL";
+              email_attribute_path = "mail";
+              login_attribute_path = "sub";
+              name_attribute_path = "displayName";
+              auth_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/auth";
+              token_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/token";
+              api_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/userinfo";
+
+              # Give lukegb, grfn, tazjin "Admin" rights.
+              role_attribute_path = "((sub == 'lukegb' || sub == 'grfn' || sub == 'tazjin') && 'Admin') || 'Editor'";
+
+              # Allow creating new Grafana accounts from OAuth accounts.
+              allow_sign_up = true;
+            };
+
+            anonymous = {
+              enabled = true;
+              org_name = "The Virus Lounge";
+              org_role = "Viewer";
+            };
+
+            basic.enabled = false;
+            oauth_auto_login = true;
+            disable_login_form = true;
           };
-
-          basic.enabled = false;
-          oauth_auto_login = true;
-          disable_login_form = true;
         };
-      };
-      inherit (builtins) typeOf replaceStrings listToAttrs concatLists;
-      inherit (lib) toUpper mapAttrsToList nameValuePair concatStringsSep;
-
-      # Take ["auth" "generic_oauth" "enabled"] and turn it into OPTIONS_GENERIC_OAUTH_ENABLED.
-      encodeName = raw: replaceStrings ["."] ["_"] (toUpper (concatStringsSep "_" raw));
-
-      # Turn an option value into a string, but we want bools to be sensible strings and not "1" or "".
-      optionToString = value:
-        if (typeOf value) == "bool" then
-          if value then "true" else "false"
-        else builtins.toString value;
-
-      # Turn an nested options attrset into a flat listToAttrs-compatible list.
-      encodeOptions = prefix: inp: concatLists (mapAttrsToList (name: value:
-        if (typeOf value) == "set"
-          then encodeOptions (prefix ++ [name]) value
-          else [ (nameValuePair (encodeName (prefix ++ [name])) (optionToString value)) ]
-        ) inp);
-    in listToAttrs (encodeOptions [] options);
+        inherit (builtins) typeOf replaceStrings listToAttrs concatLists;
+        inherit (lib) toUpper mapAttrsToList nameValuePair concatStringsSep;
+
+        # Take ["auth" "generic_oauth" "enabled"] and turn it into OPTIONS_GENERIC_OAUTH_ENABLED.
+        encodeName = raw: replaceStrings [ "." ] [ "_" ] (toUpper (concatStringsSep "_" raw));
+
+        # Turn an option value into a string, but we want bools to be sensible strings and not "1" or "".
+        optionToString = value:
+          if (typeOf value) == "bool" then
+            if value then "true" else "false"
+          else builtins.toString value;
+
+        # Turn an nested options attrset into a flat listToAttrs-compatible list.
+        encodeOptions = prefix: inp: concatLists (mapAttrsToList
+          (name: value:
+            if (typeOf value) == "set"
+            then encodeOptions (prefix ++ [ name ]) value
+            else [ (nameValuePair (encodeName (prefix ++ [ name ])) (optionToString value)) ]
+          )
+          inp);
+      in
+      listToAttrs (encodeOptions [ ] options);
 
     provision = {
       enable = true;
@@ -623,8 +636,8 @@ in {
 
   security.sudo.extraRules = [
     {
-      groups = ["wheel"];
-      commands = [{ command = "ALL"; options = ["NOPASSWD"]; }];
+      groups = [ "wheel" ];
+      commands = [{ command = "ALL"; options = [ "NOPASSWD" ]; }];
     }
   ];
 
@@ -705,7 +718,7 @@ in {
     };
 
     # Set up a user & group for git shenanigans
-    groups.git = {};
+    groups.git = { };
     users.git = {
       group = "git";
       isSystemUser = true;