chayleaf/dotfiles
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

nixserver->server; start working on phone config

Browse source
This commit is contained in:
chayleaf 2023-10-17 20:25:03 +07:00
parent 9a4d9a7330
commit 18d471c2ec
18 changed files with 146 additions and 126 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
extra-builtins.nix
View file

@ -2,22 +2,21 @@
secrets = exec [ "cat" "/etc/nixos/private/default.nix" ] { secrets = exec [ "cat" "/etc/nixos/private/default.nix" ] {
# compress and base64 the file to make it representable in nix, # compress and base64 the file to make it representable in nix,
# then decompress it back in a derivation (shouldn't there be a better way...) # then decompress it back in a derivation (shouldn't there be a better way...)
copyToStore = pkgs: path: copyToStore = pkgs: name: path:
let let
archive = exec [ archive = exec [
"/bin/sh" "-c" "/bin/sh" "-c"
"echo '\"' && (cd /etc/nixos/private && tar czv ${path} 2>/dev/null | base64 -w0) && echo '\"'" "echo '\"' && (cd /etc/nixos/private && tar -I ${pkgs.zstd}/bin/zstd -c -- ${pkgs.lib.escapeShellArg path} 2>/dev/null | base64 -w0) && echo '\"'"
]; ];
in "${pkgs.stdenvNoCC.mkDerivation { in "${pkgs.stdenvNoCC.mkDerivation {
name = "private"; inherit name;
unpackPhase = "true"; unpackPhase = "true";
buildPhase = "true"; buildPhase = "true";
installPhase = '' installPhase = ''
mkdir -p $out mkdir -p $out
cd $out cd $out
echo "${archive}" | base64 -d | tar xzv echo "${archive}" | base64 -d | tar -I ${pkgs.zstd}/bin/zstd -x
''; '';
url = builtins.toFile "private.tar.gz.base64" archive; }}/${toString path}";
}}/${path}";
}; };
} }

30
flake.lock
View file

@ -35,11 +35,11 @@
"flake-compat_2": { "flake-compat_2": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1673956053, "lastModified": 1696426674,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -143,11 +143,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1695274149, "lastModified": 1697331506,
"narHash": "sha256-TXMD7TkBA6BYR77465ej5jZcHYTdDC67H1C/Zpp0aiQ=", "narHash": "sha256-N6RD9EudU+i7SJO3z3S309XQRhp81iqaN9G9sxRtVts=",
"owner": "chayleaf", "owner": "chayleaf",
"repo": "maubot.nix", "repo": "maubot.nix",
"rev": "1b5d44af45a3fb7b2fa29a4b7590b5cb37d1fdf1", "rev": "cf32a2873523c80cebdd1ee409c45593040944b8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -156,6 +156,23 @@
"type": "github" "type": "github"
} }
}, },
"mobile-nixos": {
"flake": false,
"locked": {
"lastModified": 1697544701,
"narHash": "sha256-u/59b13bwEqxR1x2l9SeSya2ZXABmjpUCdTrXVMLrsA=",
"owner": "chayleaf",
"repo": "mobile-nixos",
"rev": "b3ec466c5abbda7de279dccb010ab10e74dd07ee",
"type": "github"
},
"original": {
"owner": "chayleaf",
"ref": "cleanup",
"repo": "mobile-nixos",
"type": "github"
}
},
"nix-gaming": { "nix-gaming": {
"inputs": { "inputs": {
"flake-parts": "flake-parts", "flake-parts": "flake-parts",
@ -352,6 +369,7 @@
"home-manager": "home-manager", "home-manager": "home-manager",
"impermanence": "impermanence", "impermanence": "impermanence",
"maubot": "maubot", "maubot": "maubot",
"mobile-nixos": "mobile-nixos",
"nix-gaming": "nix-gaming", "nix-gaming": "nix-gaming",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixos-mailserver": "nixos-mailserver", "nixos-mailserver": "nixos-mailserver",

44
flake.nix
View file

@ -7,6 +7,11 @@
nixpkgs2.url = "github:nixos/nixpkgs/master"; nixpkgs2.url = "github:nixos/nixpkgs/master";
# nixpkgs.url = "github:chayleaf/nixpkgs/ccache2"; # nixpkgs.url = "github:chayleaf/nixpkgs/ccache2";
nixos-hardware.url = "github:NixOS/nixos-hardware"; nixos-hardware.url = "github:NixOS/nixos-hardware";
mobile-nixos = {
# url = "github:NixOS/mobile-nixos";
url = "github:chayleaf/mobile-nixos/cleanup";
flake = false;
};
impermanence.url = "github:nix-community/impermanence"; impermanence.url = "github:nix-community/impermanence";
nur.url = "github:nix-community/NUR"; nur.url = "github:nix-community/NUR";
rust-overlay = { rust-overlay = {
@ -51,7 +56,22 @@
}; };
}; };
outputs = inputs@{ self, nixpkgs, nixpkgs2, nixos-hardware, impermanence, home-manager, nur, nix-gaming, notlua, notnft, nixos-mailserver, nixos-router, maubot, ... }: outputs = inputs@
{ self
, nixpkgs
, nixpkgs2
, nixos-hardware
, mobile-nixos
, impermanence
, home-manager
, nur
, nix-gaming
, notlua
, notnft
, nixos-mailserver
, nixos-router
, maubot
, ... }:
let let
# --impure required for developing # --impure required for developing
# it takes the paths for modules from filesystem as opposed to flake inputs # it takes the paths for modules from filesystem as opposed to flake inputs
@ -104,7 +124,7 @@
system = "aarch64-linux"; system = "aarch64-linux";
modules = [ modules = [
{ {
_module.args.server-config = nixosConfigurations.nixserver.config; _module.args.server-config = nixosConfigurations.server.config;
_module.args.notnft = if devNft then (import /${devPath}/notnft { inherit (nixpkgs) lib; }).config.notnft else notnft.lib.${system}; _module.args.notnft = if devNft then (import /${devPath}/notnft { inherit (nixpkgs) lib; }).config.notnft else notnft.lib.${system};
} }
(if devNixRt then import /${devPath}/nixos-router else nixos-router.nixosModules.default) (if devNixRt then import /${devPath}/nixos-router else nixos-router.nixosModules.default)
@ -128,7 +148,7 @@
router-sd = mkBpiR3 "sd" routerConfig; router-sd = mkBpiR3 "sd" routerConfig;
router-emmc-cross = crossConfig router-emmc; router-emmc-cross = crossConfig router-emmc;
router-sd-cross = crossConfig router-emmc; router-sd-cross = crossConfig router-emmc;
nixserver = { server = {
system = "aarch64-linux"; system = "aarch64-linux";
modules = [ modules = [
{ _module.args.router-config = nixosConfigurations.router-emmc.config; } { _module.args.router-config = nixosConfigurations.router-emmc.config; }
@ -138,7 +158,7 @@
./system/modules/scanservjs.nix ./system/modules/scanservjs.nix
]; ];
}; };
nixserver-cross = crossConfig nixserver; server-cross = crossConfig server;
nixmsi = rec { nixmsi = rec {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
@ -156,6 +176,16 @@
]; ];
}; };
nixmsi-cross = crossConfig nixmsi; nixmsi-cross = crossConfig nixmsi;
phone = {
system = "aarch64-linux";
modules = [
(import "${mobile-nixos}/lib/configuration.nix" {
device = "oneplus-enchilada";
})
./system/hosts/phone/default.nix
];
};
phone-cross = crossConfig phone;
}; };
# this is the system config processing part # this is the system config processing part
@ -274,7 +304,7 @@
"x86_64-linux" "x86_64-linux"
"aarch64-linux" "aarch64-linux"
] (system: let self = overlay ((mkPkgs { inherit system; }) // self) (import nixpkgs { inherit system; }); in self); ] (system: let self = overlay ((mkPkgs { inherit system; }) // self) (import nixpkgs { inherit system; }); in self);
nixosImages.router = let pkgs = mkPkgs { system = "aarch64-linux"; }; in { nixosImages.router = let pkgs = mkPkgs { inherit (config.router-emmc) system; }; in {
emmcImage = pkgs.callPackage ./system/hardware/bpi-r3/image.nix { emmcImage = pkgs.callPackage ./system/hardware/bpi-r3/image.nix {
inherit (nixosConfigurations.router-emmc) config; inherit (nixosConfigurations.router-emmc) config;
rootfsImage = nixosConfigurations.router-emmc.config.system.build.rootfsImage; rootfsImage = nixosConfigurations.router-emmc.config.system.build.rootfsImage;
@ -286,6 +316,8 @@
bpiR3Stuff = pkgs.bpiR3StuffSd; bpiR3Stuff = pkgs.bpiR3StuffSd;
}; };
}; };
nixosImages.phone = nixosConfigurations.phone.config.mobile.outputs.disk-image;
nixosImages.phone-fastboot = nixosConfigurations.phone.config.mobile.outputs.android.android-fastboot-image;
hydraJobs = let hydraJobs = let
addMeta = x: x // { addMeta = x: x // {
@ -295,7 +327,7 @@
}; };
}; };
in { in {
server.${config.nixserver.system} = addMeta nixosConfigurations.nixserver.config.system.build.toplevel; server.${config.server.system} = addMeta nixosConfigurations.server.config.system.build.toplevel;
workstation.${config.nixmsi.system} = addMeta nixosConfigurations.nixmsi.config.system.build.toplevel; workstation.${config.nixmsi.system} = addMeta nixosConfigurations.nixmsi.config.system.build.toplevel;
router.${config.router-emmc.system} = addMeta nixosConfigurations.router-emmc-cross.config.system.build.toplevel; router.${config.router-emmc.system} = addMeta nixosConfigurations.router-emmc-cross.config.system.build.toplevel;
workstation-home.${config.nixmsi.system} = addMeta homeConfigurations."user@nixmsi".activation-script; workstation-home.${config.nixmsi.system} = addMeta homeConfigurations."user@nixmsi".activation-script;

2
home/common/firefox.nix
View file

@ -32,7 +32,7 @@
inherit (pkgs.librewolf-unwrapped) extraPrefsFiles extraPoliciesFiles; inherit (pkgs.librewolf-unwrapped) extraPrefsFiles extraPoliciesFiles;
wmClass = "LibreWolf"; wmClass = "LibreWolf";
libName = "librewolf"; libName = "librewolf";
# TODO: keepass in extraNativeMessagingHosts? enableKeePassXC = true;
}; };
profiles = { profiles = {
chayleaf = { chayleaf = {

4
private.nix.sample
View file

@ -1,6 +1,6 @@
# copy a path to store (needed because I don't copy the secrets to store by default) # copy a path to store (needed because I don't copy the secrets to store by default)
# arg must be a string because of how nix handles relative paths as absolute # arg must be a string because of how nix handles relative paths as absolute
{ copyToStore ? (pkgs: x: ./. + x) { copyToStore ? (pkgs: name: x: ./. + x)
, ... }: { , ... }: {
nixmsi = { nixmsi = {
system = { pkgs, ... }: { system = { pkgs, ... }: {
@ -13,7 +13,7 @@
# insert private user config for username here # insert private user config for username here
}; };
}; };
nixserver.system = { ... }: { server.system = { ... }: {
server.localIpV4 = ...; server.localIpV4 = ...;
server.lanCidrV4 = ...; server.lanCidrV4 = ...;
server.localIpV6 = ...; server.localIpV6 = ...;

55
system/devices/hp-probook-g0-server.nix
View file

@ -1,55 +0,0 @@
{ config, ... }:
let
efiPart = "/dev/disk/by-uuid/3E2A-A5CB";
rootUuid = "6aace237-9b48-4294-8e96-196759a5305b";
rootPart = "/dev/disk/by-uuid/${rootUuid}";
root2Uuid = "e7e5ca5e-294e-42be-a58c-cb4d54a583e8";
root2Part = "/dev/disk/by-uuid/${root2Uuid}";
in {
imports = [
../hardware/hp-probook-g0.nix
../hosts/nixserver
];
boot.loader = {
grub = {
enable = true;
device = "nodev";
efiSupport = true;
efiInstallAsRemovable = true;
};
efi.efiSysMountPoint = "/boot/efi";
};
fileSystems = {
"/" = { device = "none"; fsType = "tmpfs"; neededForBoot = true;
options = [ "defaults" "size=2G" "mode=755" ]; };
"/persist" =
{ device = root2Part; fsType = "bcachefs"; neededForBoot = true; };
"/boot" =
{ device = rootPart; fsType = "btrfs"; neededForBoot = true;
options = [ "compress=zstd:15" "subvol=boot" ]; };
"/boot/efi" =
{ device = efiPart; fsType = "vfat"; };
};
services.beesd = {
filesystems.root = {
spec = "UUID=${rootUuid}";
hashTableSizeMB = 128;
extraOptions = [ "--loadavg-target" "8.0" ];
};
};
zramSwap.enable = true;
swapDevices = [ ];
impermanence = {
enable = true;
path = /persist;
directories = [
{ directory = /home/${config.common.mainUsername}; user = config.common.mainUsername; group = "users"; mode = "0700"; }
{ directory = /root; }
{ directory = /nix; }
];
};
}

2
system/devices/radxa-rock5a-server.nix
View file

@ -16,7 +16,7 @@ in
{ {
imports = [ imports = [
../hardware/radxa-rock5a ../hardware/radxa-rock5a
../hosts/nixserver ../hosts/server
hardware.common-pc-ssd hardware.common-pc-ssd
]; ];

40
system/hosts/phone/default.nix Normal file
View file

@ -0,0 +1,40 @@
# WIP (I don't even have the phone yet)
{ pkgs
, config
, ... }:
{
system.stateVersion = "23.11";
# kde connect
networking.firewall.allowedTCPPortRanges = [
{ from = 1714; to = 1764; }
];
networking.firewall.allowedUDPPortRanges = [
{ from = 1714; to = 1764; }
];
networking.wireless.iwd.enable = true;
common.minimal = false;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
};
security.polkit.enable = true;
security.rtkit.enable = true;
xdg.portal = {
enable = true;
extraPortals = with pkgs; [ xdg-desktop-portal-gtk xdg-desktop-portal-wlr ];
};
services.sshd.enable = true;
users.users.${config.common.mainUsername}.extraGroups = [ "video" "feedbackd" "dialout" ];
mobile.generatedFilesystems.rootfs = {
filesystem = "btrfs";
btrfs.partitionID = "44444444-4444-4444-8888-888888888888";
};
}

54
system/hosts/nixserver/default.nix → system/hosts/server/default.nix
View file

@ -152,40 +152,34 @@ in {
services.nginx.package = pkgs.nginxQuic; services.nginx.package = pkgs.nginxQuic;
/* DNS over TLS /* DNS over TLS
services.nginx.streamConfig = services.nginx.streamConfig =
let let
inherit (config.security.acme.certs."${cfg.domainName}") directory; inherit (config.security.acme.certs."${cfg.domainName}") directory;
in '' in ''
upstream dns { upstream dns {
zone dns 64k; zone dns 64k;
server 127.0.0.1:53; server 127.0.0.1:53;
} }
server { server {
listen 853 ssl; listen 853 ssl;
ssl_certificate ${directory}/fullchain.pem; ssl_certificate ${directory}/fullchain.pem;
ssl_certificate_key ${directory}/key.pem; ssl_certificate_key ${directory}/key.pem;
ssl_trusted_certificate ${directory}/chain.pem; ssl_trusted_certificate ${directory}/chain.pem;
proxy_pass dns; proxy_pass dns;
} }
'';*/ '';*/
services.nginx.commonHttpConfig = services.nginx.commonHttpConfig = ''
let log_format postdata '{\"ip\":\"$remote_addr\",\"time\":\"$time_iso8601\",\"referer\":\"$http_referer\",\"body\":\"$request_body\",\"ua\":\"$http_user_agent\"}';
realIpsFromList = lib.strings.concatMapStringsSep "\n" (x: "set_real_ip_from ${x};");
fileToList = x: lib.strings.splitString "\n" (builtins.readFile x); ${lib.concatMapStringsSep "\n" (x: "set_real_ip_from ${x};") (lib.splitString "\n" ''
cfipv4 = fileToList (pkgs.fetchurl { ${builtins.readFile (builtins.fetchurl {
url = "https://www.cloudflare.com/ips-v4"; url = "https://www.cloudflare.com/ips-v4";
sha256 = "0ywy9sg7spafi3gm9q5wb59lbiq0swvf0q3iazl0maq1pj1nsb7h"; sha256 = "0ywy9sg7spafi3gm9q5wb59lbiq0swvf0q3iazl0maq1pj1nsb7h";
}); })}
cfipv6 = fileToList (pkgs.fetchurl { ${builtins.readFile (builtins.fetchurl {
url = "https://www.cloudflare.com/ips-v6"; url = "https://www.cloudflare.com/ips-v6";
sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy"; sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy";
}); })}'')}
in real_ip_header CF-Connecting-IP;
''
log_format postdata '{\"ip\":\"$remote_addr\",\"time\":\"$time_iso8601\",\"referer\":\"$http_referer\",\"body\":\"$request_body\",\"ua\":\"$http_user_agent\"}';
${realIpsFromList cfipv4}
${realIpsFromList cfipv6}
real_ip_header CF-Connecting-IP;
''; '';
# brotli and zstd requires recompilation so I don't enable it # brotli and zstd requires recompilation so I don't enable it
# services.nginx.recommendedBrotliSettings = true; # services.nginx.recommendedBrotliSettings = true;

0
system/hosts/nixserver/fdroid.nix → system/hosts/server/fdroid.nix
View file

24
system/hosts/nixserver/home.nix → system/hosts/server/home.nix
View file

@ -84,22 +84,17 @@ in {
}; };
users.users.nginx.extraGroups = [ "grafana" ]; users.users.nginx.extraGroups = [ "grafana" ];
/*services.nix-serve = {
enable = true;
package = pkgs.nix-serve-ng;
bindAddress = "127.0.0.1";
secretKeyFile = "/secrets/cache-priv-key.pem";
};*/
services.harmonia = { services.harmonia = {
enable = true; enable = true;
signKeyPath = "/secrets/cache-priv-key.pem"; signKeyPath = "/secrets/cache-priv-key.pem";
settings.bind = "[::1]:5000"; settings.bind = "[::1]:5000";
}; };
nix.settings.allowed-users = [ "nix-serve" "harmonia" "hydra" "hydra-www" ]; nix.settings.allowed-users = [ "nix-serve" "harmonia" "hydra" "hydra-www" ];
# only hydra has access to this file anyway # make sure only hydra has access to this file
nix.settings.extra-builtins-file = "/etc/nixos/private/extra-builtins.nix"; # so normal nix evals don't have access to builtins
nix.settings.extra-builtins-file = "/etc/nixos/extra-builtins.nix";
impermanence.directories = [ impermanence.directories = [
{ directory = /etc/nixos/private; user = "hydra"; group = "hydra"; mode = "0700"; } { directory = /etc/nixos; user = "hydra"; group = "hydra"; mode = "0700"; }
]; ];
nix.settings.allowed-uris = [ nix.settings.allowed-uris = [
# required for home-manager # required for home-manager
@ -114,12 +109,6 @@ in {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
basicAuthFile = "/secrets/home_password"; basicAuthFile = "/secrets/home_password";
/*locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
extraConfig = ''
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_send_timeout 300;
'';*/
locations."/".proxyPass = "http://${config.services.harmonia.settings.bind or "[::1]:5000"}"; locations."/".proxyPass = "http://${config.services.harmonia.settings.bind or "[::1]:5000"}";
locations."/".extraConfig = '' locations."/".extraConfig = ''
proxy_set_header Host $host; proxy_set_header Host $host;
@ -144,10 +133,7 @@ in {
# smtpHost = "mail.${cfg.domainName}"; # smtpHost = "mail.${cfg.domainName}";
useSubstitutes = true; useSubstitutes = true;
}; };
boot.binfmt.emulatedSystems = { boot.binfmt.emulatedSystems = builtins.filter (x: x != pkgs.system) [ "aarch64-linux" "x86_64-linux" ];
"x86_64-linux" = [ "aarch64-linux" ];
"aarch64-linux" = [ "x86_64-linux" ];
}.${pkgs.system};
nix.buildMachines = [ nix.buildMachines = [
{ {
# there were some bugs related to not specifying the machine # there were some bugs related to not specifying the machine

4
system/hosts/nixserver/keycloak.nix → system/hosts/server/keycloak.nix
View file

@ -29,12 +29,15 @@ in {
ENABLE_OPENID_SIGNIN = true; ENABLE_OPENID_SIGNIN = true;
ENABLE_OPENID_SIGNUP = true; ENABLE_OPENID_SIGNUP = true;
}; };
systemd.services.gitea.after = [ "keycloak.service" ];
services.nextcloud.extraOptions.allow_local_remote_servers = true; services.nextcloud.extraOptions.allow_local_remote_servers = true;
systemd.services.nextcloud.after = [ "keycloak.service" ];
# a crude way to make some python packages available for synapse # a crude way to make some python packages available for synapse
services.matrix-synapse.plugins = with pkgs.python3.pkgs; [ authlib ]; services.matrix-synapse.plugins = with pkgs.python3.pkgs; [ authlib ];
services.matrix-synapse.settings.password_config.enabled = false; services.matrix-synapse.settings.password_config.enabled = false;
systemd.services.matrix-synapse.after = [ "keycloak.service" ];
# See also https://meta.akkoma.dev/t/390 # See also https://meta.akkoma.dev/t/390
# https://<pleroma>/oauth/keycloak?scope=openid+profile # https://<pleroma>/oauth/keycloak?scope=openid+profile
@ -100,6 +103,7 @@ in {
OAUTH_CONSUMER_STRATEGIES = "keycloak:ueberauth_keycloak_strategy"; OAUTH_CONSUMER_STRATEGIES = "keycloak:ueberauth_keycloak_strategy";
}); });
systemd.services.akkoma = { systemd.services.akkoma = {
after = [ "keycloak.service" ];
environment.OAUTH_CONSUMER_STRATEGIES = "keycloak:ueberauth_keycloak_strategy"; environment.OAUTH_CONSUMER_STRATEGIES = "keycloak:ueberauth_keycloak_strategy";
serviceConfig.EnvironmentFile = "/secrets/akkoma/envrc"; serviceConfig.EnvironmentFile = "/secrets/akkoma/envrc";
};*/ };*/

0
system/hosts/nixserver/mailserver.nix → system/hosts/server/mailserver.nix
View file

0
system/hosts/nixserver/matrix.nix → system/hosts/server/matrix.nix
View file

0
system/hosts/nixserver/maubot.nix → system/hosts/server/maubot.nix
View file

0
system/hosts/nixserver/mumble.nix → system/hosts/server/mumble.nix
View file

0
system/hosts/nixserver/options.nix → system/hosts/server/options.nix
View file

2
system/modules/impermanence.nix
View file

@ -125,6 +125,8 @@ in {
{ directory = /var/db/sudo/lectured; user = "root"; group = "root"; mode = "0700"; } { directory = /var/db/sudo/lectured; user = "root"; group = "root"; mode = "0700"; }
] ++ lib.optionals config.services.openldap.enable [ ] ++ lib.optionals config.services.openldap.enable [
{ directory = /var/lib/openldap; inherit (config.services.openldap) user group; mode = "0755"; } { directory = /var/lib/openldap; inherit (config.services.openldap) user group; mode = "0755"; }
] ++ lib.optionals (config.services.scanservjs.enable or false) [
{ directory = /var/lib/scanservjs; user = "scanservjs"; group = "scanservjs"; mode = "0750"; }
] ++ cfg.directories); ] ++ cfg.directories);
files = map (x: files = map (x:
if builtins.isPath x then toString x if builtins.isPath x then toString x