From d7ac88762db111a7962c4e14b5f4e37ab85ccac7 Mon Sep 17 00:00:00 2001
From: Alejandro Soto
Date: Sun, 24 Aug 2025 18:55:06 -0600
Subject: tree-wide: reformat using alejandra after enabling trivionomicon

---
 sys/nspawn/dmz.nix | 129 ++++++++++++++++++++++++++++-------------------------
 1 file changed, 67 insertions(+), 62 deletions(-)
(limited to 'sys/nspawn')

diff --git a/sys/nspawn/dmz.nix b/sys/nspawn/dmz.nix
index fb3acea..805ca72 100644
--- a/sys/nspawn/dmz.nix
+++ b/sys/nspawn/dmz.nix
@@ -1,4 +1,10 @@
-{ lib, config, flakes, pkgs, ... }:
+{
+  lib,
+  config,
+  flakes,
+  pkgs,
+  ...
+}:
 with lib; let
   cfg = config.local.nspawn.dmz;
   inherit (config.local) mailHost;
@@ -7,8 +13,7 @@ with lib; let
 
   hassPort = config.services.home-assistant.config.http.server_port;
   hassEnable = config.local.home-assistant.enable;
-in
-{
+in {
   options.local.nspawn.dmz = {
     enable = mkEnableOption "DMZ services in a container";
 
@@ -60,71 +65,70 @@ in
       nspawn.dmz = {
         hostAddr6 = dmzNet.hosts.gateway.v6.address;
 
-        system =
-          let
-            containerModule = { ... }: {
-              #TODO: urgente: bloquear puertos de dovecot a non-postfix con iptables
-              config = {
-                local = {
-                  preset.dmz = {
-                    enable = true;
-                    container = true;
-                  };
+        system = let
+          containerModule = {...}: {
+            #TODO: urgente: bloquear puertos de dovecot a non-postfix con iptables
+            config = {
+              local = {
+                preset.dmz = {
+                  enable = true;
+                  container = true;
+                };
 
-                  mta = {
-                    mdaAddr = "[${mailHost.mdaListen}]";
-                    inherit (mailHost) saslPort lmtpPort;
-                  };
+                mta = {
+                  mdaAddr = "[${mailHost.mdaListen}]";
+                  inherit (mailHost) saslPort lmtpPort;
+                };
 
-                  web.sites = {
-                    home = {
-                      enable = hassEnable;
-                      proxyUrl = "http://[${cfg.hostAddr6}]:${toString hassPort}";
-                    };
+                web.sites = {
+                  home = {
+                    enable = hassEnable;
+                    proxyUrl = "http://[${cfg.hostAddr6}]:${toString hassPort}";
                   };
                 };
+              };
 
-                nixpkgs = {
-                  pkgs = mkDefault pkgs;
-                  localSystem = mkDefault pkgs.stdenv.hostPlatform;
-                };
+              nixpkgs = {
+                pkgs = mkDefault pkgs;
+                localSystem = mkDefault pkgs.stdenv.hostPlatform;
+              };
 
-                services.nginx.virtualHosts = {
-                  "${config.local.domains.imap.main}".locations."^~ /.well-known/acme-challenge/" = {
-                    root = "/var/lib/acme/acme-challenge";
+              services.nginx.virtualHosts = {
+                "${config.local.domains.imap.main}".locations."^~ /.well-known/acme-challenge/" = {
+                  root = "/var/lib/acme/acme-challenge";
 
-                    extraConfig = ''
-                      auth_basic off;
-                      auth_request off;
-                    '';
-                  };
+                  extraConfig = ''
+                    auth_basic off;
+                    auth_request off;
+                  '';
                 };
+              };
 
-                systemd.network.networks."40-host0" = {
-                  name = "host0";
+              systemd.network.networks."40-host0" = {
+                name = "host0";
 
-                  networkConfig = {
-                    DNS = [ cfg.dns64 ];
+                networkConfig = {
+                  DNS = [cfg.dns64];
 
-                    DHCP = "no";
-                    IPv6AcceptRA = "yes";
-                    LinkLocalAddressing = "ipv6";
-                  };
+                  DHCP = "no";
+                  IPv6AcceptRA = "yes";
+                  LinkLocalAddressing = "ipv6";
+                };
 
-                  ipv6AcceptRAConfig = {
-                    Token = [
-                      "static:::${dmzNet.hosts.dmz.v6.suffix}"
-                      "eui64"
-                      "static:::${dmzNet.hosts.mta.v6.suffix}"
-                      "static:::${dmzNet.hosts.web.v6.suffix}"
-                    ];
+                ipv6AcceptRAConfig = {
+                  Token = [
+                    "static:::${dmzNet.hosts.dmz.v6.suffix}"
+                    "eui64"
+                    "static:::${dmzNet.hosts.mta.v6.suffix}"
+                    "static:::${dmzNet.hosts.web.v6.suffix}"
+                  ];
 
-                    UseDNS = false;
-                  };
+                  UseDNS = false;
                 };
               };
             };
-          in
+          };
+        in
           # Tomado de la definición de pkgs.nixos junto con definición de nixpkgs.{pkgs,localSystem} arriba
           import "${flakes.nixpkgs}/nixos/lib/eval-config.nix" {
             modules = [
@@ -133,15 +137,15 @@ in
             ];
 
             system = null;
-            specialArgs = { inherit flakes; };
+            specialArgs = {inherit flakes;};
           };
       };
     };
 
     services = {
       home-assistant.config.http = mkIf hassEnable {
-        server_host = [ cfg.hostAddr6 ];
-        trusted_proxies = [ dmzNet.hosts.web.v6.address ];
+        server_host = [cfg.hostAddr6];
+        trusted_proxies = [dmzNet.hosts.web.v6.address];
         use_x_forwarded_for = true;
       };
     };
@@ -199,26 +203,27 @@ in
     };
 
     services = {
-      dovecot2.after = [ "systemd-nspawn@dmz.service" ];
+      dovecot2.after = ["systemd-nspawn@dmz.service"];
 
       "systemd-nspawn@dmz" = {
         overrideStrategy = "asDropin";
 
-        after = [ "network-online.target" ];
-        wants = [ "network-online.target" ];
-        wantedBy = [ "machines.target" ];
+        after = ["network-online.target"];
+        wants = ["network-online.target"];
+        wantedBy = ["machines.target"];
       };
     };
   };
 
   networking.firewall = {
-    allowedTCPPorts = [ 25 80 443 ];
+    allowedTCPPorts = [25 80 443];
 
     interfaces.ve-dmz = {
-      allowedTCPPorts = [ mailHost.saslPort mailHost.lmtpPort ]
+      allowedTCPPorts =
+        [mailHost.saslPort mailHost.lmtpPort]
         ++ optional hassEnable hassPort;
 
-      allowedUDPPorts = [ 67 ]; # DHCP
+      allowedUDPPorts = [67]; # DHCP
     };
   };
 };
-- 
cgit v1.2.3