diff --git a/lib/modules/home/default.nix b/lib/modules/home/default.nix index c793ec9..49ad657 100644 --- a/lib/modules/home/default.nix +++ b/lib/modules/home/default.nix @@ -26,6 +26,7 @@ in iex cargo desktop + gnome /* broot 
@@ -398,87 +399,94 @@ in }; gnome = - { pkgs, ... }: { - dconf = { - enable = true; - settings = { - "org/gnome/settings-daemon/plugins/media-keys" = { - screensaver = [ "l" ]; # lock screen - mic-mute = [ "v" ]; - }; - - "org/gnome/desktop/peripherals/keyboard" = { - # gnome key repeat - repeat-interval = 7; - delay = 200; - }; - "org/gnome/desktop/wm/preferences" = { - resize-with-right-button = true; - # mouse-button-modifier = ''; # default - }; - "org/gnome/desktop/wm/keybindings" = { - minimize = [ "h" ]; - show-desktop = [ "d" ]; - move-to-workspace-left = [ "h" ]; - move-to-workspace-right = [ "l" ]; - switch-to-workspace-left = [ "h" ]; - switch-to-workspace-right = [ "l" ]; - # mouse-button-modifier = ''; # default - }; - "org/gnome/desktop/interface" = { - show-battery-percentage = true; - clock-show-weekday = true; - font-name = "IosevkaLyteTerm 12"; - monospace-font-name = "IosevkaLyteTerm 12"; - color-scheme = "prefer-dark"; - # scaling-factor = 1.75; - }; - "org/gnome/mutter" = { - experimental-features = [ "variable-refresh-rate" ]; - }; - - "org/gnome/shell" = { - disable-user-extensions = false; - enabled-extensions = with pkgs.gnomeExtensions; [ - tiling-shell.extensionUuid - appindicator.extensionUuid - blur-my-shell.extensionUuid - ]; - }; - - "org/gnome/shell/extensions/tilingshell" = { - inner-gaps = 8; - outer-gaps = 8; - window-border-width = 2; - window-border-color = "rgba(116,199,236,0.47)"; - focus-window-right = [ "l" ]; - focus-window-left = [ "h" ]; - focus-window-up = [ "k" ]; - focus-window-down = [ "j" ]; - }; - }; - }; - - home = { - packages = with pkgs.gnomeExtensions; [ - tiling-shell - blur-my-shell - appindicator - ]; - - file.".face" = { + lib, + config, + pkgs, + ... 
+ }: + { + config = lib.mkIf config.lyte.desktop.enable { + dconf = { enable = true; - source = builtins.fetchurl { - url = "https://lyte.dev/img/avatar3-square-512.png"; - sha256 = "sha256:15zwbwisrc01m7ad684rsyq19wl4s33ry9xmgzmi88k1myxhs93x"; + settings = { + "org/gnome/settings-daemon/plugins/media-keys" = { + screensaver = [ "l" ]; # lock screen + mic-mute = [ "v" ]; + }; + + "org/gnome/desktop/peripherals/keyboard" = { + # gnome key repeat + repeat-interval = 7; + delay = 200; + }; + "org/gnome/desktop/wm/preferences" = { + resize-with-right-button = true; + # mouse-button-modifier = ''; # default + }; + "org/gnome/desktop/wm/keybindings" = { + minimize = [ "h" ]; + show-desktop = [ "d" ]; + move-to-workspace-left = [ "h" ]; + move-to-workspace-right = [ "l" ]; + switch-to-workspace-left = [ "h" ]; + switch-to-workspace-right = [ "l" ]; + # mouse-button-modifier = ''; # default + }; + "org/gnome/desktop/interface" = { + show-battery-percentage = true; + clock-show-weekday = true; + font-name = "IosevkaLyteTerm 12"; + monospace-font-name = "IosevkaLyteTerm 12"; + color-scheme = "prefer-dark"; + # scaling-factor = 1.75; + }; + "org/gnome/mutter" = { + experimental-features = [ "variable-refresh-rate" ]; + }; + + "org/gnome/shell" = { + disable-user-extensions = false; + enabled-extensions = with pkgs.gnomeExtensions; [ + tiling-shell.extensionUuid + appindicator.extensionUuid + blur-my-shell.extensionUuid + ]; + }; + + "org/gnome/shell/extensions/tilingshell" = { + inner-gaps = 8; + outer-gaps = 8; + window-border-width = 2; + window-border-color = "rgba(116,199,236,0.47)"; + focus-window-right = [ "l" ]; + focus-window-left = [ "h" ]; + focus-window-up = [ "k" ]; + focus-window-down = [ "j" ]; + }; }; }; - }; - programs.gnome-shell = { - enable = true; - extensions = [ { package = pkgs.gnomeExtensions.gsconnect; } ]; + home = { + packages = with pkgs.gnomeExtensions; [ + tiling-shell + blur-my-shell + appindicator + ]; + + file.".face" = { + enable = true; + 
source = builtins.fetchurl { + url = "https://lyte.dev/img/avatar3-square-512.png"; + sha256 = "sha256:15zwbwisrc01m7ad684rsyq19wl4s33ry9xmgzmi88k1myxhs93x"; + }; + }; + }; + + programs.gnome-shell = { + enable = true; + extensions = [ { package = pkgs.gnomeExtensions.gsconnect; } ]; + }; }; }; diff --git a/lib/modules/home/firefox.nix b/lib/modules/home/firefox.nix index fa316d9..91ea8ce 100644 --- a/lib/modules/home/firefox.nix +++ b/lib/modules/home/firefox.nix @@ -9,6 +9,7 @@ home = { sessionVariables = { MOZ_ENABLE_WAYLAND = "1"; + BROWSER = "firefox"; }; }; diff --git a/lib/modules/home/fish/shellInit.fish b/lib/modules/home/fish/shellInit.fish index 02e15b9..bb5dd73 100644 --- a/lib/modules/home/fish/shellInit.fish +++ b/lib/modules/home/fish/shellInit.fish @@ -33,8 +33,6 @@ set --export --universal EXA_COLORS '*=0' set --export --universal ERL_AFLAGS "-kernel shell_history enabled -kernel shell_history_file_bytes 1024000" -set --export --universal BROWSER (which firefox) - set --export --universal SOPS_AGE_KEY_FILE "$XDG_CONFIG_HOME/sops/age/keys.txt" if has_command skim diff --git a/lib/modules/nixos/conduwuit.nix b/lib/modules/nixos/conduwuit.nix deleted file mode 100644 index f82b147..0000000 --- a/lib/modules/nixos/conduwuit.nix +++ /dev/null 
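Review bot: The whole gnome module body is now wrapped in `config = lib.mkIf config.lyte.desktop.enable { … }`, but nothing in the module says so, and a reader of default.nix has to trace `lyte.desktop.enable` to wherever it is declared; a header comment such as `# Entire module is a no-op unless lyte.desktop.enable is set for this user` would make the gate visible. The `.face` avatar is fetched at evaluation time with `builtins.fetchurl` and a pinned sha256, which is the right shape, but a one-line comment noting that the hash has to be bumped whenever the image behind that URL changes would save the next failed evaluation. The closing of the enclosing `in { … }` attribute set lies outside the hunk.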
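Review bot: Removing `set --export --universal BROWSER (which firefox)` from shellInit.fish does not undo what it already did on existing machines: fish universal variables are persisted on disk and survive configuration changes, so the old store-path value of `BROWSER` will keep winning over the new `BROWSER = "firefox"` session variable added here in firefox.nix until it is erased. Consider a one-time `set --erase --universal BROWSER` (or a comment in shellInit.fish telling the user to run it) so the two definitions do not diverge on machines that ran the old init. The shellInit.fish hunk is covered by this note.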
@@ -1,279 +0,0 @@ -# https://github.com/NixOS/nixpkgs/blob/32aaedffae68f54312c4c7726f828be82f278a48/nixos/modules/services/matrix/conduwuit.nix{ -{ - config, - lib, - pkgs, - ... -}: -let - cfg = config.services.conduwuit; - defaultUser = "conduwuit"; - defaultGroup = "conduwuit"; - format = pkgs.formats.toml { }; - configFile = format.generate "conduwuit.toml" cfg.settings; -in -{ - meta.maintainers = with lib.maintainers; [ niklaskorz ]; - options.services.conduwuit = { - enable = lib.mkEnableOption "conduwuit"; - - user = lib.mkOption { - type = lib.types.nonEmptyStr; - description = '' - The user {command}`conduwuit` is run as. - ''; - default = defaultUser; - }; - - group = lib.mkOption { - type = lib.types.nonEmptyStr; - description = '' - The group {command}`conduwuit` is run as. - ''; - default = defaultGroup; - }; - - extraEnvironment = lib.mkOption { - type = lib.types.attrsOf lib.types.str; - description = "Extra Environment variables to pass to the conduwuit server."; - default = { }; - example = { - RUST_BACKTRACE = "yes"; - }; - }; - - package = lib.mkPackageOption pkgs.unstable-packages "conduwuit" { }; - - settings = lib.mkOption { - type = lib.types.submodule { - freeformType = format.type; - options = { - global.server_name = lib.mkOption { - type = lib.types.nonEmptyStr; - example = "example.com"; - description = "The server_name is the name of this server. It is used as a suffix for user and room ids."; - }; - global.address = lib.mkOption { - type = lib.types.nullOr (lib.types.listOf lib.types.nonEmptyStr); - default = null; - example = [ - "127.0.0.1" - "::1" - ]; - description = '' - Addresses (IPv4 or IPv6) to listen on for connections by the reverse proxy/tls terminator. - If set to `null`, conduwuit will listen on IPv4 and IPv6 localhost. - Must be `null` if `unix_socket_path` is set. 
- ''; - }; - global.port = lib.mkOption { - type = lib.types.listOf lib.types.port; - default = [ 6167 ]; - description = '' - The port(s) conduwuit will be running on. - You need to set up a reverse proxy in your web server (e.g. apache or nginx), - so all requests to /_matrix on port 443 and 8448 will be forwarded to the conduwuit - instance running on this port. - ''; - }; - global.unix_socket_path = lib.mkOption { - type = lib.types.nullOr lib.types.path; - default = null; - description = '' - Listen on a UNIX socket at the specified path. If listening on a UNIX socket, - listening on an address will be disabled. The `address` option must be set to - `null` (the default value). The option {option}`services.conduwuit.group` must - be set to a group your reverse proxy is part of. - - This will automatically add a system user "conduwuit" to your system if - {option}`services.conduwuit.user` is left at the default, and a "conduwuit" - group if {option}`services.conduwuit.group` is left at the default. - ''; - }; - global.unix_socket_perms = lib.mkOption { - type = lib.types.ints.positive; - default = 660; - description = "The default permissions (in octal) to create the UNIX socket with."; - }; - global.max_request_size = lib.mkOption { - type = lib.types.ints.positive; - default = 20000000; - description = "Max request size in bytes. Don't forget to also change it in the proxy."; - }; - global.allow_registration = lib.mkOption { - type = lib.types.bool; - default = false; - description = '' - Whether new users can register on this server. - - Registration with token requires `registration_token` or `registration_token_file` to be set. - - If set to true without a token configured, and - `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` - is set to true, users can freely register. - ''; - }; - global.allow_encryption = lib.mkOption { - type = lib.types.bool; - default = true; - description = "Whether new encrypted rooms can be created. 
Note: existing rooms will continue to work."; - }; - global.allow_federation = lib.mkOption { - type = lib.types.bool; - default = true; - description = '' - Whether this server federates with other servers. - ''; - }; - global.trusted_servers = lib.mkOption { - type = lib.types.listOf lib.types.nonEmptyStr; - default = [ "matrix.org" ]; - description = '' - Servers listed here will be used to gather public keys of other servers - (notary trusted key servers). - - Currently, conduwuit doesn't support inbound batched key requests, so - this list should only contain other Synapse servers. - - Example: `[ "matrix.org" "constellatory.net" "tchncs.de" ]` - ''; - }; - global.database_path = lib.mkOption { - readOnly = true; - type = lib.types.path; - default = "/var/lib/conduwuit/"; - description = '' - Path to the conduwuit database, the directory where conduwuit will save its data. - Note that database_path cannot be edited because of the service's reliance on systemd StateDir. - ''; - }; - global.allow_check_for_updates = lib.mkOption { - type = lib.types.bool; - default = false; - description = '' - If enabled, conduwuit will send a simple GET request periodically to - for any new announcements made. - Despite the name, this is not an update check endpoint, it is simply an announcement check endpoint. - - Disabled by default. - ''; - }; - }; - }; - default = { }; - # TOML does not allow null values, so we use null to omit those fields - apply = lib.filterAttrsRecursive (_: v: v != null); - description = '' - Generates the conduwuit.toml configuration file. Refer to - - for details on supported values. - ''; - }; - }; - - config = lib.mkIf cfg.enable { - assertions = [ - { - assertion = !(cfg.settings ? global.unix_socket_path) || !(cfg.settings ? global.address); - message = '' - In `services.conduwuit.settings.global`, `unix_socket_path` and `address` cannot be set at the - same time. - Leave one of the two options unset or explicitly set them to `null`. 
- ''; - } - { - assertion = cfg.user != defaultUser -> config ? users.users.${cfg.user}; - message = "If `services.conduwuit.user` is changed, the configured user must already exist."; - } - { - assertion = cfg.group != defaultGroup -> config ? users.groups.${cfg.group}; - message = "If `services.conduwuit.group` is changed, the configured group must already exist."; - } - ]; - - users.users = lib.mkIf (cfg.user == defaultUser) { - ${defaultUser} = { - group = cfg.group; - home = cfg.settings.global.database_path; - isSystemUser = true; - }; - }; - - users.groups = lib.mkIf (cfg.group == defaultGroup) { - ${defaultGroup} = { }; - }; - - systemd.services.conduwuit = { - description = "Conduwuit Matrix Server"; - documentation = [ "https://conduwuit.puppyirl.gay/" ]; - wantedBy = [ "multi-user.target" ]; - wants = [ "network-online.target" ]; - after = [ "network-online.target" ]; - environment = lib.mkMerge [ - { CONDUWUIT_CONFIG = configFile; } - cfg.extraEnvironment - ]; - startLimitBurst = 5; - startLimitIntervalSec = 60; - serviceConfig = { - DynamicUser = true; - User = cfg.user; - Group = cfg.group; - - DevicePolicy = "closed"; - LockPersonality = true; - MemoryDenyWriteExecute = true; - NoNewPrivileges = true; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - PrivateDevices = true; - PrivateMounts = true; - PrivateTmp = true; - PrivateUsers = true; - PrivateIPC = true; - RemoveIPC = true; - RestrictAddressFamilies = [ - "AF_INET" - "AF_INET6" - "AF_UNIX" - ]; - RestrictNamespaces = true; - RestrictRealtime = true; - SystemCallArchitectures = "native"; - SystemCallFilter = [ - "@system-service" - "@resources" - "~@clock" - "@debug" - "@module" - "@mount" - "@reboot" - "@swap" - "@cpu-emulation" - "@obsolete" - "@timer" - "@chown" - "@setuid" - "@privileged" - "@keyring" - "@ipc" - ]; - SystemCallErrorNumber = "EPERM"; 
- - StateDirectory = "conduwuit"; - StateDirectoryMode = "0700"; - RuntimeDirectory = "conduwuit"; - RuntimeDirectoryMode = "0750"; - - ExecStart = lib.getExe cfg.package; - Restart = "on-failure"; - RestartSec = 10; - }; - }; - }; -} diff --git a/lib/modules/nixos/default-module.nix b/lib/modules/nixos/default-module.nix index 3810f0d..14ee79b 100644 --- a/lib/modules/nixos/default-module.nix +++ b/lib/modules/nixos/default-module.nix @@ -30,6 +30,7 @@ virtual-machines postgres gaming + restic ]; config = { diff --git a/lib/modules/nixos/default.nix b/lib/modules/nixos/default.nix index 2a16c75..b859eec 100644 --- a/lib/modules/nixos/default.nix +++ b/lib/modules/nixos/default.nix @@ -19,6 +19,7 @@ inputs: { desktop = import ./desktop.nix; printing = import ./printing.nix; wifi = import ./wifi.nix; + restic = import ./restic.nix; remote-disk-key-entry-on-boot = { diff --git a/lib/modules/nixos/deno-netlify-ddns-client.nix b/lib/modules/nixos/deno-netlify-ddns-client.nix index 8a8f8d9..dd1c0cd 100644 --- a/lib/modules/nixos/deno-netlify-ddns-client.nix +++ b/lib/modules/nixos/deno-netlify-ddns-client.nix @@ -33,7 +33,8 @@ in }; ipv6 = mkOption { type = types.bool; - default = true; + # TODO: router doesn't support ipv6 yet + default = false; }; requestTimeout = mkOption { type = types.int; diff --git a/lib/modules/nixos/gaming.nix b/lib/modules/nixos/gaming.nix index 756fece..af2b759 100644 --- a/lib/modules/nixos/gaming.nix +++ b/lib/modules/nixos/gaming.nix 
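Review bot: The new module default `ipv6 = false` is justified by a host-specific comment (`# TODO: router doesn't support ipv6 yet`), which changes behaviour for every consumer of deno-netlify-ddns-client rather than just the host behind that router; dragon.nix drops its own `ipv6 = false` in the same commit, so the override has moved from the host layer into the shared module. If the default must stay, the option should at least carry a `description` so the choice is visible from the option docs, e.g. `description = "Whether to also publish the host's IPv6 address; off by default, opt in per host.";`. The enclosing `options` set begins outside the hunk.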
@@ -1,69 +1,72 @@ { + lib, + config, options, pkgs, ... }: { - programs.gamescope.enable = true; + config = lib.mkIf config.programs.steam.enable { + programs.gamescope.enable = true; - services.pipewire = { - alsa.support32Bit = true; - }; - - programs.steam = { - extest.enable = true; - gamescopeSession.enable = true; - - extraPackages = with pkgs; [ - gamescope - ]; - - extraCompatPackages = with pkgs; [ - proton-ge-bin - ]; - - localNetworkGameTransfers.openFirewall = true; - remotePlay.openFirewall = true; - }; - - hardware = - ( - if builtins.hasAttr "graphics" options.hardware then - { - graphics = { - enable = true; - enable32Bit = true; - }; - } - else - { - opengl = { - enable = true; - driSupport32Bit = true; - }; - } - ) - // { - steam-hardware.enable = true; + services.pipewire = { + alsa.support32Bit = true; }; - services.udev.packages = with pkgs; [ steam ]; + programs.steam = { + extest.enable = true; + gamescopeSession.enable = true; - environment = { - systemPackages = with pkgs; [ - dualsensectl # for interfacing with dualsense controllers programmatically - wineWowPackages.waylandFull - lutris - winetricks - ludusavi - # ludusavi uses rclone - rclone - ]; + extraPackages = with pkgs; [ + gamescope + ]; + + extraCompatPackages = with pkgs; [ + proton-ge-bin + ]; + + localNetworkGameTransfers.openFirewall = true; + remotePlay.openFirewall = true; + }; + + hardware = + ( + if builtins.hasAttr "graphics" options.hardware then + { + graphics = { + enable = true; + enable32Bit = true; + }; + } + else + { + opengl = { + enable = true; + driSupport32Bit = true; + }; + } + ) + // { + steam-hardware.enable = true; + }; + + services.udev.packages = with pkgs; [ steam ]; + + environment = { + systemPackages = with pkgs; [ + dualsensectl # for interfacing with dualsense controllers programmatically + wineWowPackages.waylandFull + lutris + winetricks + ludusavi + # ludusavi uses rclone + rclone + ]; + }; + # remote play ports - should be unnecessary due to 
programs.steam.remotePlay.openFirewall = true; + /* + networking.firewall.allowedUDPPortRanges = [ { from = 27031; to = 27036; } ]; + networking.firewall.allowedTCPPortRanges = [ { from = 27036; to = 27037; } ]; + */ }; - # remote play ports - should be unnecessary due to programs.steam.remotePlay.openFirewall = true; - /* - networking.firewall.allowedUDPPortRanges = [ { from = 27031; to = 27036; } ]; - networking.firewall.allowedTCPPortRanges = [ { from = 27036; to = 27037; } ]; - */ - } diff --git a/lib/modules/nixos/podman.nix b/lib/modules/nixos/podman.nix index ddab23c..2c82844 100644 --- a/lib/modules/nixos/podman.nix +++ b/lib/modules/nixos/podman.nix @@ -5,7 +5,7 @@ ... }: { - config = lib.mkIf config.virtualisation.podman.enable { + config = lib.mkIf (config.virtualisation.oci-containers.backend == "podman") { environment = { systemPackages = with pkgs; [ podman-compose @@ -14,13 +14,13 @@ virtualisation = { podman = { - dockerCompat = config.virtualisation.podman.enable; + dockerCompat = true; dockerSocket.enable = true; defaultNetwork.settings.dns_enabled = true; }; oci-containers = { - backend = "podman"; + # backend = "podman"; }; }; diff --git a/lib/modules/nixos/restic.nix b/lib/modules/nixos/restic.nix new file mode 100644 index 0000000..18aeffc --- /dev/null +++ b/lib/modules/nixos/restic.nix @@ -0,0 +1,25 @@ +{ + lib, + # options, + # config, + ... +}: +let + inherit (lib) mkOption types; +in +{ + options.services.restic.commonPaths = mkOption { + type = types.nullOr (types.listOf types.str); + default = [ ]; + description = '' + Which paths to backup, in addition to ones specified via + `dynamicFilesFrom`. If null or an empty array and + `dynamicFilesFrom` is also null, no backup command will be run. + This can be used to create a prune-only job. + ''; + example = [ + "/var/lib/postgresql" + "/home/user/backup" + ]; + }; +} diff --git a/packages/hosts/beefcake.nix b/packages/hosts/beefcake.nix index 02503e8..a74acc7 100644 
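Review bot: Gating the whole module on `config.programs.steam.enable` ties `localNetworkGameTransfers.openFirewall = true` and `remotePlay.openFirewall = true` to the same switch, so any host that turns on Steam (foxtrot and dragon do so in this commit, both alongside `networking.wifi.enable = true`) also opens those ports on every interface, including untrusted wireless networks. Either document the trade-off next to the two lines, e.g. `# opens the Steam remote play / LAN transfer ports on all interfaces whenever Steam is enabled`, or expose a separate option so a laptop can enable Steam without opening the firewall. The `hardware` and `environment` blocks are otherwise unchanged apart from re-indentation.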
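Review bot: The gate is now `config.virtualisation.oci-containers.backend == "podman"` and `backend = "podman"` itself is commented out, but nothing in the hunk sets `virtualisation.podman.enable`, so `dockerCompat = true` and `dockerSocket.enable = true` only take effect if something else turns podman on. Presumably the upstream oci-containers module enables podman when that backend is selected, but that path is worth confirming — if it only does so when at least one container is declared, a host that sets the backend without declaring containers gets neither the podman daemon nor the docker socket; adding an explicit `enable = true;` next to `dockerCompat = true;` removes the dependency. The commented-out `# backend = "podman";` should be deleted rather than left as dead config.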
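Review bot: restic.nix only declares `services.restic.commonPaths`; the description promises that a null or empty value with `dynamicFilesFrom` null results in no backup command, but no `config` block here implements that, so whoever reads the option (beefcake.nix still sets `services.restic.commonPaths = [ "/storage/daniel" ]`) now lives in a file the reader has to find. Say so in the description, e.g. `Aggregation point for paths to back up; this module declares the option only, the backup job that reads it is defined in the host configuration.` (location to be confirmed), so nobody looks for the logic here. The commented-out `# options,` and `# config,` parameters should be removed rather than kept as placeholders.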
--- a/packages/hosts/beefcake.nix
+++ b/packages/hosts/beefcake.nix
@@ -15,129 +15,101 @@ lib, config, pkgs, + hardware, ... }: { system.stateVersion = "24.05"; - # home-manager.users.daniel.home.stateVersion = "24.05"; networking.hostName = "beefcake"; + boot = { + zfs = { + extraPools = [ "zstorage" ]; + }; + supportedFilesystems = { + zfs = true; + }; + initrd.supportedFilesystems = { + zfs = true; + }; + # kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; + initrd.availableKernelModules = [ + "ehci_pci" + "mpt3sas" + "usbhid" + "sd_mod" + ]; + kernelModules = [ "kvm-intel" ]; + kernelParams = [ "nohibernate" ]; + loader.systemd-boot.enable = true; + loader.efi.canTouchEfiVariables = true; + }; + + fileSystems = { + "/" = { + device = "/dev/disk/by-uuid/992ce55c-7507-4d6b-938c-45b7e891f395"; + fsType = "ext4"; + }; + "/boot" = { + device = "/dev/disk/by-uuid/B6C4-7CF4"; + fsType = "vfat"; + options = [ + "fmask=0022" + "dmask=0022" + ]; + }; + "/nix" = { + device = "zstorage/nix"; + fsType = "zfs"; + }; + }; + + networking = { + hostId = "541ede55"; + }; + + services = { + zfs = { + autoScrub.enable = true; + autoSnapshot.enable = true; + }; + tailscale.useRoutingFeatures = "server"; + + }; + + sops = { + defaultSopsFile = ../../secrets/beefcake/secrets.yml; + secrets = { + netlify-ddns-password.mode = "0400"; + nix-cache-priv-key.mode = "0400"; + }; + }; + + virtualisation.oci-containers.backend = "podman"; + + services.deno-netlify-ddns-client = { + enable = true; + passwordFile = config.sops.secrets.netlify-ddns-password.path; + username = "beefcake.h"; + }; + + environment.systemPackages = with pkgs; [ + aria2 + restic + btrfs-progs + zfs + smartmontools + htop + bottom + curl + xh + ]; + imports = [ + hardware.common-cpu-intel { - # hardware and boot module - networking.hostId = "541ede55"; - boot = { - zfs = { - extraPools = [ "zstorage" ]; - }; - supportedFilesystems = { - zfs = true; - }; - initrd.supportedFilesystems = { - zfs = true; - }; - # kernelPackages = 
config.boot.zfs.package.latestCompatibleLinuxPackages; - initrd.availableKernelModules = [ - "ehci_pci" - "mpt3sas" - "usbhid" - "sd_mod" - ]; - kernelModules = [ "kvm-intel" ]; - kernelParams = [ "nohibernate" ]; - loader.systemd-boot.enable = true; - loader.efi.canTouchEfiVariables = true; - }; - - fileSystems."/" = { - device = "/dev/disk/by-uuid/992ce55c-7507-4d6b-938c-45b7e891f395"; - fsType = "ext4"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/B6C4-7CF4"; - fsType = "vfat"; - options = [ - "fmask=0022" - "dmask=0022" - ]; - }; - - /* - # should be mounted by auto-import; see boot.zfs.extraPools - fileSystems."/storage" = { - device = "zstorage/storage"; - fsType = "zfs"; - }; - */ - - fileSystems."/nix" = { - device = "zstorage/nix"; - fsType = "zfs"; - }; - - services.zfs.autoScrub.enable = true; - services.zfs.autoSnapshot.enable = true; - - # TODO: nfs with zfs? - # services.nfs.server.enable = true; - } - ( - { - options, - config, - ... - }: - let - inherit (lib) mkOption types; - in - { - options.services.restic.commonPaths = mkOption { - type = types.nullOr (types.listOf types.str); - default = [ ]; - description = '' - Which paths to backup, in addition to ones specified via - `dynamicFilesFrom`. If null or an empty array and - `dynamicFilesFrom` is also null, no backup command will be run. - This can be used to create a prune-only job. 
- ''; - example = [ - "/var/lib/postgresql" - "/home/user/backup" - ]; - }; - } - ) - { - # sops secrets config - sops = { - defaultSopsFile = ../secrets/beefcake/secrets.yml; - age = { - sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - keyFile = "/var/lib/sops-nix/key.txt"; - generateKey = true; - }; - }; - } - { - sops.secrets = { - netlify-ddns-password = { - mode = "0400"; - }; - }; - services.deno-netlify-ddns-client = { - passwordFile = config.sops.secrets.netlify-ddns-password.path; - }; - } - { - # nix binary cache - sops.secrets = { - nix-cache-priv-key = { - mode = "0400"; - }; - }; services.nix-serve = { - enable = true; # TODO: true + enable = true; secretKeyFile = config.sops.secrets.nix-cache-priv-key.path; }; services.caddy.virtualHosts."nix.h.lyte.dev" = { @@ -145,10 +117,6 @@ reverse_proxy :${toString config.services.nix-serve.port} ''; }; - networking.firewall.allowedTCPPorts = [ - 80 - 443 - ]; # regularly build this flake so we have stuff in the cache # TODO: schedule this for nightly builds instead of intervals based on boot time @@ -247,11 +215,8 @@ ]; services.soju = { enable = true; - listen = [ "irc+insecure://:6667" ]; + listen = [ "irc+insecure://:6667" ]; # tailscale only }; - networking.firewall.allowedTCPPorts = [ - 6667 - ]; } { # nextcloud @@ -464,6 +429,7 @@ } { # clickhouse + time.timeZone = lib.mkForce "America/Chicago"; environment.etc = { "clickhouse-server/users.d/disable-logging-query.xml" = { text = '' @@ -549,10 +515,8 @@ }; }; users.groups.daniel.members = [ "daniel" ]; - users.groups.nixadmin.members = [ "daniel" ]; users.users.daniel = { extraGroups = [ - # "nixadmin" # write access to /etc/nixos/ files "wheel" # sudo access "caddy" # write access to public static files "users" # general users group @@ -565,7 +529,6 @@ services.restic.commonPaths = [ "/storage/daniel" ]; - services.postgresql = { ensureDatabases = [ "daniel" ]; ensureUsers = [ 
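Review bot: The rewritten top-level config drops the `sops.age` block (`sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]`, `keyFile = "/var/lib/sops-nix/key.txt"`, `generateKey = true`) without re-adding it in the new `sops = { defaultSopsFile = …; secrets = …; }`, so unless a shared module now supplies the age key source, sops-nix has nothing to decrypt `netlify-ddns-password` and `nix-cache-priv-key` with at activation. In the same block `defaultSopsFile` changes from `../secrets/beefcake/secrets.yml` to `../../secrets/beefcake/secrets.yml` while the file stays at packages/hosts/beefcake.nix, so one of the two paths is wrong relative to this file; worth a check that the new one resolves. `networking.firewall.allowedTCPPorts = [ 80 443 ]` is removed here and re-added in the later caddy hunk, which is fine, but the two hunks have to be read together to see that nothing was closed.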
@@ -663,7 +626,7 @@ dataDir = "/storage/postgres"; enableTCPIP = true; - package = pkgs.postgresql_15; + package = lib.mkForce pkgs.postgresql_15; # https://www.postgresql.org/docs/current/auth-pg-hba-conf.html # TODO: give the "daniel" user access to all databases @@ -713,7 +676,7 @@ isNormalUser = true; packages = [ pkgs.vim ]; openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUfLZ+IX85p9355Po2zP1H2tAxiE0rE6IYb8Sf+eF9T ben@benhany.com" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUfLZ+IX85p9355Po2zP1H2tAxiE0rE6IYb8Sf+eF9T" ]; }; @@ -842,6 +805,10 @@ }; # acmeCA = "https://acme-staging-v02.api.letsencrypt.org/directory"; }; + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; } ( { ... }: @@ -1378,7 +1345,7 @@ group = user; }; virtualisation.oci-containers.containers.minecraft-flanilla-creative = { - autoStart = true; + autoStart = false; image = "docker.io/itzg/minecraft-server"; # user = "${toString uid}:${toString gid}"; extraOptions = [ @@ -1499,6 +1466,7 @@ }; services.kanidm = { + package = pkgs.unstable-packages.kanidm; enableServer = true; serverSettings = { inherit domain; @@ -1825,7 +1793,7 @@ } { services.factorio = { - enable = true; + enable = false; package = pkgs.factorio-headless.override { versionsJson = ./factorio-versions.json; }; 
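Review bot: `package = lib.mkForce pkgs.postgresql_15;` silences whatever other definition of `services.postgresql.package` was conflicting instead of resolving it, and nothing says where that other value comes from; forcing a database package is exactly the line that bites during a later upgrade, because the other definition (presumably the stateVersion-driven default or another module's choice) is overridden without warning. Add the reason inline, e.g. `# mkForce: <other definition> also sets this; the data dir is a PG15 cluster and must not be switched implicitly`, or remove the competing definition and drop the `mkForce`. The enclosing `services.postgresql` block starts outside the hunk.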
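Review bot: `package = pkgs.unstable-packages.kanidm;` moves the kanidm server to a different package set than the rest of this host, and kanidm documents limited client/server version compatibility, so a `kanidm` CLI or unixd client built from the stable set may refuse to talk to the newer server; worth confirming that the clients on this host and on the hosts that authenticate against it come from the same set. A short comment stating why unstable is needed would help the next reader, e.g. `# unstable: server needs the newer release; keep kanidm clients on the same package set`. The enclosing `services.kanidm` block continues outside the hunk.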
@@ -1848,6 +1816,286 @@ }; }; } + ( + { + config, + lib, + pkgs, + ... + }: + let + cfg = config.services.conduwuit; + defaultUser = "conduwuit"; + defaultGroup = "conduwuit"; + format = pkgs.formats.toml { }; + configFile = format.generate "conduwuit.toml" cfg.settings; + in + { + meta.maintainers = with lib.maintainers; [ niklaskorz ]; + options.services.conduwuit = { + enable = lib.mkEnableOption "conduwuit"; + + user = lib.mkOption { + type = lib.types.nonEmptyStr; + description = '' + The user {command}`conduwuit` is run as. + ''; + default = defaultUser; + }; + + group = lib.mkOption { + type = lib.types.nonEmptyStr; + description = '' + The group {command}`conduwuit` is run as. + ''; + default = defaultGroup; + }; + + extraEnvironment = lib.mkOption { + type = lib.types.attrsOf lib.types.str; + description = "Extra Environment variables to pass to the conduwuit server."; + default = { }; + example = { + RUST_BACKTRACE = "yes"; + }; + }; + + package = lib.mkPackageOption pkgs.unstable-packages "conduwuit" { }; + + settings = lib.mkOption { + type = lib.types.submodule { + freeformType = format.type; + options = { + global.server_name = lib.mkOption { + type = lib.types.nonEmptyStr; + example = "example.com"; + description = "The server_name is the name of this server. It is used as a suffix for user and room ids."; + }; + global.address = lib.mkOption { + type = lib.types.nullOr (lib.types.listOf lib.types.nonEmptyStr); + default = null; + example = [ + "127.0.0.1" + "::1" + ]; + description = '' + Addresses (IPv4 or IPv6) to listen on for connections by the reverse proxy/tls terminator. + If set to `null`, conduwuit will listen on IPv4 and IPv6 localhost. + Must be `null` if `unix_socket_path` is set. + ''; + }; + global.port = lib.mkOption { + type = lib.types.listOf lib.types.port; + default = [ 6167 ]; + description = '' + The port(s) conduwuit will be running on. + You need to set up a reverse proxy in your web server (e.g. 
apache or nginx), + so all requests to /_matrix on port 443 and 8448 will be forwarded to the conduwuit + instance running on this port. + ''; + }; + global.unix_socket_path = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + description = '' + Listen on a UNIX socket at the specified path. If listening on a UNIX socket, + listening on an address will be disabled. The `address` option must be set to + `null` (the default value). The option {option}`services.conduwuit.group` must + be set to a group your reverse proxy is part of. + + This will automatically add a system user "conduwuit" to your system if + {option}`services.conduwuit.user` is left at the default, and a "conduwuit" + group if {option}`services.conduwuit.group` is left at the default. + ''; + }; + global.unix_socket_perms = lib.mkOption { + type = lib.types.ints.positive; + default = 660; + description = "The default permissions (in octal) to create the UNIX socket with."; + }; + global.max_request_size = lib.mkOption { + type = lib.types.ints.positive; + default = 20000000; + description = "Max request size in bytes. Don't forget to also change it in the proxy."; + }; + global.allow_registration = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Whether new users can register on this server. + + Registration with token requires `registration_token` or `registration_token_file` to be set. + + If set to true without a token configured, and + `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` + is set to true, users can freely register. + ''; + }; + global.allow_encryption = lib.mkOption { + type = lib.types.bool; + default = true; + description = "Whether new encrypted rooms can be created. Note: existing rooms will continue to work."; + }; + global.allow_federation = lib.mkOption { + type = lib.types.bool; + default = true; + description = '' + Whether this server federates with other servers. 
+ ''; + }; + global.trusted_servers = lib.mkOption { + type = lib.types.listOf lib.types.nonEmptyStr; + default = [ "matrix.org" ]; + description = '' + Servers listed here will be used to gather public keys of other servers + (notary trusted key servers). + + Currently, conduwuit doesn't support inbound batched key requests, so + this list should only contain other Synapse servers. + + Example: `[ "matrix.org" "constellatory.net" "tchncs.de" ]` + ''; + }; + global.database_path = lib.mkOption { + readOnly = true; + type = lib.types.path; + default = "/var/lib/conduwuit/"; + description = '' + Path to the conduwuit database, the directory where conduwuit will save its data. + Note that database_path cannot be edited because of the service's reliance on systemd StateDir. + ''; + }; + global.allow_check_for_updates = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + If enabled, conduwuit will send a simple GET request periodically to + for any new announcements made. + Despite the name, this is not an update check endpoint, it is simply an announcement check endpoint. + + Disabled by default. + ''; + }; + }; + }; + default = { }; + # TOML does not allow null values, so we use null to omit those fields + apply = lib.filterAttrsRecursive (_: v: v != null); + description = '' + Generates the conduwuit.toml configuration file. Refer to + + for details on supported values. + ''; + }; + }; + + config = lib.mkIf cfg.enable { + assertions = [ + { + assertion = !(cfg.settings ? global.unix_socket_path) || !(cfg.settings ? global.address); + message = '' + In `services.conduwuit.settings.global`, `unix_socket_path` and `address` cannot be set at the + same time. + Leave one of the two options unset or explicitly set them to `null`. + ''; + } + { + assertion = cfg.user != defaultUser -> config ? 
users.users.${cfg.user}; + message = "If `services.conduwuit.user` is changed, the configured user must already exist."; + } + { + assertion = cfg.group != defaultGroup -> config ? users.groups.${cfg.group}; + message = "If `services.conduwuit.group` is changed, the configured group must already exist."; + } + ]; + + users.users = lib.mkIf (cfg.user == defaultUser) { + ${defaultUser} = { + group = cfg.group; + home = cfg.settings.global.database_path; + isSystemUser = true; + }; + }; + + users.groups = lib.mkIf (cfg.group == defaultGroup) { + ${defaultGroup} = { }; + }; + + systemd.services.conduwuit = { + description = "Conduwuit Matrix Server"; + documentation = [ "https://conduwuit.puppyirl.gay/" ]; + wantedBy = [ "multi-user.target" ]; + wants = [ "network-online.target" ]; + after = [ "network-online.target" ]; + environment = lib.mkMerge [ + { CONDUWUIT_CONFIG = configFile; } + cfg.extraEnvironment + ]; + startLimitBurst = 5; + startLimitIntervalSec = 60; + serviceConfig = { + DynamicUser = true; + User = cfg.user; + Group = cfg.group; + + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateTmp = true; + PrivateUsers = true; + PrivateIPC = true; + RemoveIPC = true; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_UNIX" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "@resources" + "~@clock" + "@debug" + "@module" + "@mount" + "@reboot" + "@swap" + "@cpu-emulation" + "@obsolete" + "@timer" + "@chown" + "@setuid" + "@privileged" + "@keyring" + "@ipc" + ]; + SystemCallErrorNumber = "EPERM"; + + StateDirectory = "conduwuit"; + StateDirectoryMode = 
"0700"; + RuntimeDirectory = "conduwuit"; + RuntimeDirectoryMode = "0750"; + + ExecStart = lib.getExe cfg.package; + Restart = "on-failure"; + RestartSec = 10; + }; + }; + }; + } + ) ( { pkgs, @@ -1897,20 +2145,6 @@ TODO: declarative directory quotas? for storage/$USER and /home/$USER */ - environment.systemPackages = with pkgs; [ - aria2 - restic - btrfs-progs - zfs - smartmontools - htop - bottom - curl - xh - ]; - - services.tailscale.useRoutingFeatures = "server"; - /* # https://github.com/NixOS/nixpkgs/blob/04af42f3b31dba0ef742d254456dc4c14eedac86/nixos/modules/services/misc/lidarr.nix#L72 services.lidarr = { diff --git a/packages/hosts/dragon.nix b/packages/hosts/dragon.nix index 979bded..8d97980 100644 --- a/packages/hosts/dragon.nix +++ b/packages/hosts/dragon.nix @@ -38,13 +38,12 @@ secrets.ddns-pass.mode = "0400"; }; services.deno-netlify-ddns-client = { - passwordFile = config.sops.secrets.ddns-pass.path; enable = true; + passwordFile = config.sops.secrets.ddns-pass.path; username = "dragon.h"; - # TODO: router doesn't even do ipv6 yet... - ipv6 = false; }; + programs.steam.enable = true; networking.wifi.enable = true; lyte.desktop.enable = true; diff --git a/packages/hosts/foxtrot.nix b/packages/hosts/foxtrot.nix index a0407e7..13e9b77 100644 --- a/packages/hosts/foxtrot.nix +++ b/packages/hosts/foxtrot.nix @@ -65,6 +65,7 @@ }; }; + programs.steam.enable = true; networking.wifi.enable = true; lyte.desktop.enable = true; diff --git a/packages/hosts/htpc.nix b/packages/hosts/htpc.nix index 2e6321d..15c0e9e 100644 --- a/packages/hosts/htpc.nix +++ b/packages/hosts/htpc.nix 
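Review bot: In the `SystemCallFilter` list only `"~@clock"` carries the deny prefix; the entries after it (`"@debug"`, `"@module"`, `"@mount"`, `"@reboot"`, `"@swap"`, `"@cpu-emulation"`, `"@obsolete"`, `"@timer"`, `"@chown"`, `"@setuid"`, `"@privileged"`, `"@keyring"`, `"@ipc"`) are written without `~`, and as I read systemd.exec(5) a bare group appended after an allow-list entry is added to the allow list rather than removed from it. If the intent is to deny those groups — the shape of the list strongly suggests so — each entry needs its own `~` (`"~@debug"`, `"~@module"`, …), or the deny groups should be folded into one `"~@clock @debug @module …"` string whose leading `~` inverts the whole assignment. This block is a verbatim copy of the deleted lib/modules/nixos/conduwuit.nix, so the same filter was already in effect; the note applies to the new location.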
@@ -1,46 +1,55 @@ { - pkgs, + hardware, config, - lib, ... }: { + system.stateVersion = "24.11"; networking.hostName = "htpc"; - networking.networkmanager.enable = true; + boot = { + loader = { + grub = { + enable = true; + device = "/dev/sda"; + useOSProber = true; + }; + }; - boot.loader.grub.enable = true; - boot.loader.grub.device = "/dev/sda"; - boot.loader.grub.useOSProber = true; + initrd = { + availableKernelModules = [ + "xhci_pci" + "ahci" + "usbhid" + "usb_storage" + "sd_mod" + ]; + kernelModules = [ + "8821au" + "8812au" + ]; + }; - boot.initrd.availableKernelModules = [ - "xhci_pci" - "ahci" - "usbhid" - "usb_storage" - "sd_mod" - ]; - boot.initrd.kernelModules = [ - "8821au" - "8812au" - ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ - # pkgs.rtl8811au - config.boot.kernelPackages.rtl8812au - config.boot.kernelPackages.rtl8821au - ]; + kernelModules = [ "kvm-intel" ]; + extraModulePackages = [ + # pkgs.rtl8811au + config.boot.kernelPackages.rtl8812au + config.boot.kernelPackages.rtl8821au + ]; + }; fileSystems."/" = { device = "/dev/disk/by-uuid/86d8ded0-1c6f-4a79-901c-2d59c11b5ca8"; fsType = "ext4"; }; - swapDevices = [ ]; + imports = with hardware; [ + common-cpu-intel + common-pc-ssd + ]; hardware.bluetooth = { enable = true; - # package = pkgs.bluez; settings = { General = { AutoConnect = true; @@ -49,6 +58,10 @@ }; }; - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + networking.wifi.enable = true; + lyte.desktop.enable = true; + home-manager.users.daniel = { + lyte.shell.enable = true; + lyte.desktop.enable = true; + }; }
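Review bot: The hunk removes `nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"` and `hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware` together with the `lib` and `pkgs` parameters, relying on `hardware.common-cpu-intel` and the flake for the same effect; presumably the imported profile restores the microcode setting, but nothing here restores `hostPlatform`, so confirm the flake sets the system for this host or evaluation will fail. `networking.networkmanager.enable = true` is likewise replaced by the repo's own `networking.wifi.enable = true`, and a comment such as `# networking.wifi.enable brings in the network manager; see lib/modules/nixos/wifi.nix` would tie the two together, if that is indeed what the option does. The removed `swapDevices = [ ]` only restated the default, so no change there.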