Add editconfig, fix mixed indentation

.editorconfig

@@ -0,0 +1,5 @@
+root = true
+
+[*]
+indent_style = tab
+indent_size = 2

config/.editorconfig

@@ -0,0 +1,4 @@
+root = true
+[*]
+indent_style = tab
+indent_size = 2

config/common/services/nginx.nix

@@ -1,43 +1,43 @@
 { ... }:
 {
-    services.nginx = {
-    enable = true;
+	services.nginx = {
+		enable = true;
 
-    # Use recommended settings
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
+		# Use recommended settings
+		recommendedGzipSettings = true;
+		recommendedOptimisation = true;
+		recommendedProxySettings = true;
+		recommendedTlsSettings = true;
 
-    # Only allow PFS-enabled ciphers with AES256
-    sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+		# Only allow PFS-enabled ciphers with AES256
+		sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
 
-    commonHttpConfig = ''
-      # Add HSTS header with preloading to HTTPS requests.
-      # Adding this header to HTTP requests is discouraged
-      map $scheme $hsts_header {
-          https   "max-age=31536000; includeSubdomains; preload";
-      }
-      add_header Strict-Transport-Security $hsts_header;
+		commonHttpConfig = ''
+			# Add HSTS header with preloading to HTTPS requests.
+			# Adding this header to HTTP requests is discouraged
+			map $scheme $hsts_header {
+				https   "max-age=31536000; includeSubdomains; preload";
+			}
+			add_header Strict-Transport-Security $hsts_header;
 
-      # Enable CSP for your services.
-      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+			# Enable CSP for your services.
+			#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 
-      # Minimize information leaked to other domains
-      add_header 'Referrer-Policy' 'same-origin';
+			# Minimize information leaked to other domains
+			add_header 'Referrer-Policy' 'same-origin';
 
-      # Disable embedding as a frame
-      add_header X-Frame-Options DENY;
+			# Disable embedding as a frame
+			add_header X-Frame-Options DENY;
 
-      # Prevent injection of code in other mime types (XSS Attacks)
-      add_header X-Content-Type-Options nosniff;
+			# Prevent injection of code in other mime types (XSS Attacks)
+			add_header X-Content-Type-Options nosniff;
 
-      # Enable XSS protection of the browser.
-      # May be unnecessary when CSP is configured properly (see above)
-      add_header X-XSS-Protection "1; mode=block";
+			# Enable XSS protection of the browser.
+			# May be unnecessary when CSP is configured properly (see above)
+			add_header X-XSS-Protection "1; mode=block";
 
-      # This might create errors
-      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
-    '';
-  };
+			# This might create errors
+			proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+		'';
+	};
 }

config/common/services/ssh.nix

@@ -1,28 +1,28 @@
 { ... }:
 {
-  services.openssh = {
-    enable = true;
-    permitRootLogin = "no";
-    passwordAuthentication = false;
-    challengeResponseAuthentication = false;
-    kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
+	services.openssh = {
+		enable = true;
+		permitRootLogin = "no";
+		passwordAuthentication = false;
+		challengeResponseAuthentication = false;
+		kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
 	ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes128-gcm@openssh.com" "aes256-ctr" "aes192-ctr" "aes128-ctr" ];
-    macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" ];
+		macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" ];
 	extraConfig = "
 		HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
 		";
-  };
+	};
 
-  programs.ssh.knownHosts = {
-    despondos = {
-      hostNames = [ "despondos.nao.sh" ];
-      publicKeyFile = ../data/pubkeys/despondos_host_ed25519_key.pub;
-    };
-  };
+	programs.ssh.knownHosts = {
+		despondos = {
+			hostNames = [ "despondos.nao.sh" ];
+			publicKeyFile = ../data/pubkeys/despondos_host_ed25519_key.pub;
+		};
+	};
 
-  #services.sshguard = {
-  #  enable = true;
-  #  blocktime = 300;
-  #};
+	#services.sshguard = {
+	#	enable = true;
+	#	blocktime = 300;
+	#};
 }
 

config/hosts/capetillo/configuration.nix

@@ -1,70 +1,70 @@
 { config, pkgs, lib, ... }:
 
 {
-  imports =
-    [ 
-	  ./hardware-configuration.nix
-	  ../../common/services/ssh.nix
-	  ../../common/services/acme.nix
-	  ./services/nginx.nix
-	  ./services/mail.nix
-	  ./data/secrets/secrets.nix
+	imports =
+		[ 
+		./hardware-configuration.nix
+		../../common/services/ssh.nix
+		../../common/services/acme.nix
+		./services/nginx.nix
+		./services/mail.nix
+		./data/secrets/secrets.nix
 	];
 
-  boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
-  boot.loader.grub.device = "/dev/sda";
-  boot.supportedFilesystems = ["zfs"];
-  services.zfs.autoSnapshot.enable = true;
-  services.zfs.autoScrub.enable = true;
+	boot.loader.grub.enable = true;
+	boot.loader.grub.version = 2;
+	boot.loader.grub.device = "/dev/sda";
+	boot.supportedFilesystems = ["zfs"];
+	services.zfs.autoSnapshot.enable = true;
+	services.zfs.autoScrub.enable = true;
 
-  networking.hostName = "capetillo"; # Define your hostname.
-  networking.hostId = "17a9ec46";
-  time.timeZone = "Europe/Copenhagen";
-  networking.useDHCP = false;
-  networking.interfaces.ens3.useDHCP = true;
-  networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f9:c011:50e2::1"; prefixLength = 64; } ];
-  networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
+	networking.hostName = "capetillo"; # Define your hostname.
+	networking.hostId = "17a9ec46";
+	time.timeZone = "Europe/Copenhagen";
+	networking.useDHCP = false;
+	networking.interfaces.ens3.useDHCP = true;
+	networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f9:c011:50e2::1"; prefixLength = 64; } ];
+	networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
 
-  users.users.emelie = {
-    isNormalUser = true;
-    extraGroups = [ "wheel" ];
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
-    ];
-  };
+	users.users.emelie = {
+		isNormalUser = true;
+		extraGroups = [ "wheel" ];
+		openssh.authorizedKeys.keys = [
+			"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
+		];
+	};
 
-  users.users.deploy = {
-  	isNormalUser = true;
+	users.users.deploy = {
+		isNormalUser = true;
 	extraGroups = [ "wheel" ];
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
-    ];
-  };
+		openssh.authorizedKeys.keys = [
+			"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
+		];
+	};
 
-  users.groups.backup.members = [ "virtualMail" ];
+	users.groups.backup.members = [ "virtualMail" ];
 
-  security.sudo.wheelNeedsPassword = false;
+	security.sudo.wheelNeedsPassword = false;
 
-  environment.systemPackages = with pkgs; [
-    vim
-    htop
+	environment.systemPackages = with pkgs; [
+		vim
+		htop
 	iotop
 	dig
-  ];
+	];
 
-  nix.trustedUsers = [
-    "root"
+	nix.trustedUsers = [
+		"root"
 	"deploy"
-    "@wheel"
-  ];
+		"@wheel"
+	];
 
-  services.openssh.enable = true;
+	services.openssh.enable = true;
 
-  networking.firewall.allowedTCPPorts = [ 22 80 193 443 465 587 993 ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
+	networking.firewall.allowedTCPPorts = [ 22 80 193 443 465 587 993 ];
+	# networking.firewall.allowedUDPPorts = [ ... ];
 
 
-  system.stateVersion = "21.05";
+	system.stateVersion = "21.05";
 
 }

config/hosts/capetillo/hardware-configuration.nix

@@ -1,42 +1,42 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
+# Do not modify this file!	It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.	Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 
 {
-  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
-      (modulesPath + "/profiles/minimal.nix")
-    ];
+	imports =
+		[ (modulesPath + "/profiles/qemu-guest.nix")
+			(modulesPath + "/profiles/minimal.nix")
+		];
 
-  boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
+	boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
+	boot.initrd.kernelModules = [ ];
+	boot.kernelModules = [ ];
+	boot.extraModulePackages = [ ];
 
-  fileSystems."/" =
-    { device = "rpool/safe/root";
-      fsType = "zfs";
-    };
+	fileSystems."/" =
+		{ device = "rpool/safe/root";
+			fsType = "zfs";
+		};
 
-  fileSystems."/home" =
-    { device = "rpool/safe/home";
-      fsType = "zfs";
-    };
+	fileSystems."/home" =
+		{ device = "rpool/safe/home";
+			fsType = "zfs";
+		};
 
-  fileSystems."/var/www" =
-    { device = "rpool/safe/webroot";
-      fsType = "zfs";
-    };
-  fileSystems."/var/vmail" =
-    { device = "rpool/safe/mail";
-      fsType = "zfs";
-    };
-  fileSystems."/nix" =
-    { device = "rpool/local/nix";
-      fsType = "zfs";
-    };
+	fileSystems."/var/www" =
+		{ device = "rpool/safe/webroot";
+			fsType = "zfs";
+		};
+	fileSystems."/var/vmail" =
+		{ device = "rpool/safe/mail";
+			fsType = "zfs";
+		};
+	fileSystems."/nix" =
+		{ device = "rpool/local/nix";
+			fsType = "zfs";
+		};
 
-  swapDevices = [ ];
+	swapDevices = [ ];
 
 }

config/hosts/capetillo/services/mail.nix

@@ -1,32 +1,32 @@
 { config, ... }:
 
 {
-  imports = [
-    (builtins.fetchTarball {
-      # Pick a commit from the branch you are interested in
-      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/5675b122a947b40e551438df6a623efad19fd2e7/nixos-mailserver-5675b122a947b40e551438df6a623efad19fd2e7.tar.gz";
-      # And set its hash
-      sha256 = "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi";
-    })
-  ];
+	imports = [
+		(builtins.fetchTarball {
+			# Pick a commit from the branch you are interested in
+			url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/5675b122a947b40e551438df6a623efad19fd2e7/nixos-mailserver-5675b122a947b40e551438df6a623efad19fd2e7.tar.gz";
+			# And set its hash
+			sha256 = "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi";
+		})
+	];
 
-  mailserver = {
-    enable = true;
-    fqdn = "nixaalb.org";
-    domains = [ "nixaalb.org" ];
+	mailserver = {
+		enable = true;
+		fqdn = "nixaalb.org";
+		domains = [ "nixaalb.org" ];
 
-    loginAccounts = {
-	  "emelie@nixaalb.org" = {
-	  	hashedPasswordFile = config.secrets.files.mail_emelie_nixaalb_org.file;
+		loginAccounts = {
+		"emelie@nixaalb.org" = {
+			hashedPasswordFile = config.secrets.files.mail_emelie_nixaalb_org.file;
 		aliases = [ "admin@nixaalb.org" ];
-	  };
-	  "sebastian@nixaalb.org" = {
-	  	hashedPasswordFile = config.secrets.files.mail_sebastian_nixaalb_org.file;
-	  };
-	  "noreply@anarkafem.dev" = {
-	  	hashedPasswordFile = config.secrets.files.mail_noreply_anarkafem_dev.file;
-	  };
-    };
-    certificateScheme = 3;
-  };
+		};
+		"sebastian@nixaalb.org" = {
+			hashedPasswordFile = config.secrets.files.mail_sebastian_nixaalb_org.file;
+		};
+		"noreply@anarkafem.dev" = {
+			hashedPasswordFile = config.secrets.files.mail_noreply_anarkafem_dev.file;
+		};
+		};
+		certificateScheme = 3;
+	};
 }

config/hosts/capetillo/services/restic.nix

@@ -2,16 +2,16 @@
 
 {
 
-  services.restic.backups = {
-    "mail" = {
-      paths = [ "/var/vmail" ];
-      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/nixaalborg/capetillo/mail";
-      initialize = true;
-      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
-      timerConfig = { "OnCalendar" = "02:15"; };
-      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
-      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
-      user = "virtualMail";
-    };
-  };
+	services.restic.backups = {
+		"mail" = {
+			paths = [ "/var/vmail" ];
+			repository = "sftp:restic@despondos.nao.sh:/etheria/backup/nixaalborg/capetillo/mail";
+			initialize = true;
+			pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+			timerConfig = { "OnCalendar" = "02:15"; };
+			extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+			passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+			user = "virtualMail";
+		};
+	};
 }

deploy/default.nix

@@ -1,23 +1,23 @@
 let
-  sources = import ../config/sources;
+	sources = import ../config/sources;
 in import "${sources.nixus}" {} ({ config, ... }: {
 
-  defaults = { name, ... }: {
-    configuration = { lib, ... }: {
-      networking.hostName = lib.mkDefault name;
-    };
+	defaults = { name, ... }: {
+		configuration = { lib, ... }: {
+			networking.hostName = lib.mkDefault name;
+		};
 
-    # use our nixpkgs from niv
-    nixpkgs = sources.nixpkgs;
-  };
+		# use our nixpkgs from niv
+		nixpkgs = sources.nixpkgs;
+	};
 
-  nodes = {
-    capetillo = { lib, config, ... }: {
-      host = "deploy@nixaalb.org";
-      configuration = ../config/hosts/capetillo/configuration.nix;
-      switchTimeout = 300;
-      successTimeout = 300;
-      #ignoreFailingSystemdUnits = true;
-    };
-  };
+	nodes = {
+		mail = { lib, config, ... }: {
+			host = "deploy@nixaalb.org";
+			configuration = ../config/hosts/capetillo/configuration.nix;
+			switchTimeout = 300;
+			successTimeout = 300;
+			#ignoreFailingSystemdUnits = true;
+		};
+	};
 })