chore: migrate beefcake and htpc, fix steam
This commit is contained in:
parent
b2147e90e5
commit
45119b3775
14 changed files with 597 additions and 591 deletions
@ -26,6 +26,7 @@ in
|
|||
iex
|
||||
cargo
|
||||
desktop
|
||||
gnome
|
||||
|
||||
/*
|
||||
broot
|
||||
|
@ -398,8 +399,14 @@ in
|
|||
};
|
||||
|
||||
gnome =
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
lib,
|
||||
config,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
config = lib.mkIf config.lyte.desktop.enable {
|
||||
dconf = {
|
||||
enable = true;
|
||||
settings = {
|
||||
|
@ -481,6 +488,7 @@ in
|
|||
extensions = [ { package = pkgs.gnomeExtensions.gsconnect; } ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
helix = import ./helix.nix inputs;
|
||||
|
||||
@ -9,6 +9,7 @@
|
|||
home = {
|
||||
sessionVariables = {
|
||||
MOZ_ENABLE_WAYLAND = "1";
|
||||
BROWSER = "firefox";
|
||||
};
|
||||
};
|
||||
|
||||
@ -33,8 +33,6 @@ set --export --universal EXA_COLORS '*=0'
|
|||
|
||||
set --export --universal ERL_AFLAGS "-kernel shell_history enabled -kernel shell_history_file_bytes 1024000"
|
||||
|
||||
set --export --universal BROWSER (which firefox)
|
||||
|
||||
set --export --universal SOPS_AGE_KEY_FILE "$XDG_CONFIG_HOME/sops/age/keys.txt"
|
||||
|
||||
if has_command skim
|
||||
@ -1,279 +0,0 @@
|
|||
# https://github.com/NixOS/nixpkgs/blob/32aaedffae68f54312c4c7726f828be82f278a48/nixos/modules/services/matrix/conduwuit.nix{
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
cfg = config.services.conduwuit;
|
||||
defaultUser = "conduwuit";
|
||||
defaultGroup = "conduwuit";
|
||||
format = pkgs.formats.toml { };
|
||||
configFile = format.generate "conduwuit.toml" cfg.settings;
|
||||
in
|
||||
{
|
||||
meta.maintainers = with lib.maintainers; [ niklaskorz ];
|
||||
options.services.conduwuit = {
|
||||
enable = lib.mkEnableOption "conduwuit";
|
||||
|
||||
user = lib.mkOption {
|
||||
type = lib.types.nonEmptyStr;
|
||||
description = ''
|
||||
The user {command}`conduwuit` is run as.
|
||||
'';
|
||||
default = defaultUser;
|
||||
};
|
||||
|
||||
group = lib.mkOption {
|
||||
type = lib.types.nonEmptyStr;
|
||||
description = ''
|
||||
The group {command}`conduwuit` is run as.
|
||||
'';
|
||||
default = defaultGroup;
|
||||
};
|
||||
|
||||
extraEnvironment = lib.mkOption {
|
||||
type = lib.types.attrsOf lib.types.str;
|
||||
description = "Extra Environment variables to pass to the conduwuit server.";
|
||||
default = { };
|
||||
example = {
|
||||
RUST_BACKTRACE = "yes";
|
||||
};
|
||||
};
|
||||
|
||||
package = lib.mkPackageOption pkgs.unstable-packages "conduwuit" { };
|
||||
|
||||
settings = lib.mkOption {
|
||||
type = lib.types.submodule {
|
||||
freeformType = format.type;
|
||||
options = {
|
||||
global.server_name = lib.mkOption {
|
||||
type = lib.types.nonEmptyStr;
|
||||
example = "example.com";
|
||||
description = "The server_name is the name of this server. It is used as a suffix for user and room ids.";
|
||||
};
|
||||
global.address = lib.mkOption {
|
||||
type = lib.types.nullOr (lib.types.listOf lib.types.nonEmptyStr);
|
||||
default = null;
|
||||
example = [
|
||||
"127.0.0.1"
|
||||
"::1"
|
||||
];
|
||||
description = ''
|
||||
Addresses (IPv4 or IPv6) to listen on for connections by the reverse proxy/tls terminator.
|
||||
If set to `null`, conduwuit will listen on IPv4 and IPv6 localhost.
|
||||
Must be `null` if `unix_socket_path` is set.
|
||||
'';
|
||||
};
|
||||
global.port = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.port;
|
||||
default = [ 6167 ];
|
||||
description = ''
|
||||
The port(s) conduwuit will be running on.
|
||||
You need to set up a reverse proxy in your web server (e.g. apache or nginx),
|
||||
so all requests to /_matrix on port 443 and 8448 will be forwarded to the conduwuit
|
||||
instance running on this port.
|
||||
'';
|
||||
};
|
||||
global.unix_socket_path = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.path;
|
||||
default = null;
|
||||
description = ''
|
||||
Listen on a UNIX socket at the specified path. If listening on a UNIX socket,
|
||||
listening on an address will be disabled. The `address` option must be set to
|
||||
`null` (the default value). The option {option}`services.conduwuit.group` must
|
||||
be set to a group your reverse proxy is part of.
|
||||
|
||||
This will automatically add a system user "conduwuit" to your system if
|
||||
{option}`services.conduwuit.user` is left at the default, and a "conduwuit"
|
||||
group if {option}`services.conduwuit.group` is left at the default.
|
||||
'';
|
||||
};
|
||||
global.unix_socket_perms = lib.mkOption {
|
||||
type = lib.types.ints.positive;
|
||||
default = 660;
|
||||
description = "The default permissions (in octal) to create the UNIX socket with.";
|
||||
};
|
||||
global.max_request_size = lib.mkOption {
|
||||
type = lib.types.ints.positive;
|
||||
default = 20000000;
|
||||
description = "Max request size in bytes. Don't forget to also change it in the proxy.";
|
||||
};
|
||||
global.allow_registration = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether new users can register on this server.
|
||||
|
||||
Registration with token requires `registration_token` or `registration_token_file` to be set.
|
||||
|
||||
If set to true without a token configured, and
|
||||
`yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`
|
||||
is set to true, users can freely register.
|
||||
'';
|
||||
};
|
||||
global.allow_encryption = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
description = "Whether new encrypted rooms can be created. Note: existing rooms will continue to work.";
|
||||
};
|
||||
global.allow_federation = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
Whether this server federates with other servers.
|
||||
'';
|
||||
};
|
||||
global.trusted_servers = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.nonEmptyStr;
|
||||
default = [ "matrix.org" ];
|
||||
description = ''
|
||||
Servers listed here will be used to gather public keys of other servers
|
||||
(notary trusted key servers).
|
||||
|
||||
Currently, conduwuit doesn't support inbound batched key requests, so
|
||||
this list should only contain other Synapse servers.
|
||||
|
||||
Example: `[ "matrix.org" "constellatory.net" "tchncs.de" ]`
|
||||
'';
|
||||
};
|
||||
global.database_path = lib.mkOption {
|
||||
readOnly = true;
|
||||
type = lib.types.path;
|
||||
default = "/var/lib/conduwuit/";
|
||||
description = ''
|
||||
Path to the conduwuit database, the directory where conduwuit will save its data.
|
||||
Note that database_path cannot be edited because of the service's reliance on systemd StateDir.
|
||||
'';
|
||||
};
|
||||
global.allow_check_for_updates = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
If enabled, conduwuit will send a simple GET request periodically to
|
||||
<https://pupbrain.dev/check-for-updates/stable> for any new announcements made.
|
||||
Despite the name, this is not an update check endpoint, it is simply an announcement check endpoint.
|
||||
|
||||
Disabled by default.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
default = { };
|
||||
# TOML does not allow null values, so we use null to omit those fields
|
||||
apply = lib.filterAttrsRecursive (_: v: v != null);
|
||||
description = ''
|
||||
Generates the conduwuit.toml configuration file. Refer to
|
||||
<https://conduwuit.puppyirl.gay/configuration.html>
|
||||
for details on supported values.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
assertions = [
|
||||
{
|
||||
assertion = !(cfg.settings ? global.unix_socket_path) || !(cfg.settings ? global.address);
|
||||
message = ''
|
||||
In `services.conduwuit.settings.global`, `unix_socket_path` and `address` cannot be set at the
|
||||
same time.
|
||||
Leave one of the two options unset or explicitly set them to `null`.
|
||||
'';
|
||||
}
|
||||
{
|
||||
assertion = cfg.user != defaultUser -> config ? users.users.${cfg.user};
|
||||
message = "If `services.conduwuit.user` is changed, the configured user must already exist.";
|
||||
}
|
||||
{
|
||||
assertion = cfg.group != defaultGroup -> config ? users.groups.${cfg.group};
|
||||
message = "If `services.conduwuit.group` is changed, the configured group must already exist.";
|
||||
}
|
||||
];
|
||||
|
||||
users.users = lib.mkIf (cfg.user == defaultUser) {
|
||||
${defaultUser} = {
|
||||
group = cfg.group;
|
||||
home = cfg.settings.global.database_path;
|
||||
isSystemUser = true;
|
||||
};
|
||||
};
|
||||
|
||||
users.groups = lib.mkIf (cfg.group == defaultGroup) {
|
||||
${defaultGroup} = { };
|
||||
};
|
||||
|
||||
systemd.services.conduwuit = {
|
||||
description = "Conduwuit Matrix Server";
|
||||
documentation = [ "https://conduwuit.puppyirl.gay/" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
wants = [ "network-online.target" ];
|
||||
after = [ "network-online.target" ];
|
||||
environment = lib.mkMerge [
|
||||
{ CONDUWUIT_CONFIG = configFile; }
|
||||
cfg.extraEnvironment
|
||||
];
|
||||
startLimitBurst = 5;
|
||||
startLimitIntervalSec = 60;
|
||||
serviceConfig = {
|
||||
DynamicUser = true;
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
|
||||
DevicePolicy = "closed";
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
NoNewPrivileges = true;
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
PrivateDevices = true;
|
||||
PrivateMounts = true;
|
||||
PrivateTmp = true;
|
||||
PrivateUsers = true;
|
||||
PrivateIPC = true;
|
||||
RemoveIPC = true;
|
||||
RestrictAddressFamilies = [
|
||||
"AF_INET"
|
||||
"AF_INET6"
|
||||
"AF_UNIX"
|
||||
];
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = [
|
||||
"@system-service"
|
||||
"@resources"
|
||||
"~@clock"
|
||||
"@debug"
|
||||
"@module"
|
||||
"@mount"
|
||||
"@reboot"
|
||||
"@swap"
|
||||
"@cpu-emulation"
|
||||
"@obsolete"
|
||||
"@timer"
|
||||
"@chown"
|
||||
"@setuid"
|
||||
"@privileged"
|
||||
"@keyring"
|
||||
"@ipc"
|
||||
];
|
||||
SystemCallErrorNumber = "EPERM";
|
||||
|
||||
StateDirectory = "conduwuit";
|
||||
StateDirectoryMode = "0700";
|
||||
RuntimeDirectory = "conduwuit";
|
||||
RuntimeDirectoryMode = "0750";
|
||||
|
||||
ExecStart = lib.getExe cfg.package;
|
||||
Restart = "on-failure";
|
||||
RestartSec = 10;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
@ -30,6 +30,7 @@
|
|||
virtual-machines
|
||||
postgres
|
||||
gaming
|
||||
restic
|
||||
];
|
||||
|
||||
config = {
|
||||
@ -19,6 +19,7 @@ inputs: {
|
|||
desktop = import ./desktop.nix;
|
||||
printing = import ./printing.nix;
|
||||
wifi = import ./wifi.nix;
|
||||
restic = import ./restic.nix;
|
||||
|
||||
remote-disk-key-entry-on-boot =
|
||||
{
|
||||
@ -33,7 +33,8 @@ in
|
|||
};
|
||||
ipv6 = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
# TODO: router doesn't support ipv6 yet
|
||||
default = false;
|
||||
};
|
||||
requestTimeout = mkOption {
|
||||
type = types.int;
|
||||
@ -1,9 +1,12 @@
|
|||
{
|
||||
lib,
|
||||
config,
|
||||
options,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
config = lib.mkIf config.programs.steam.enable {
|
||||
programs.gamescope.enable = true;
|
||||
|
||||
services.pipewire = {
|
||||
|
@ -65,5 +68,5 @@
|
|||
networking.firewall.allowedUDPPortRanges = [ { from = 27031; to = 27036; } ];
|
||||
networking.firewall.allowedTCPPortRanges = [ { from = 27036; to = 27037; } ];
|
||||
*/
|
||||
|
||||
};
|
||||
}
|
||||
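Review bot: The hand-written firewall ranges just above `*/` at `@ -65,5 +68,5` (`allowedUDPPortRanges` 27031-27036 and `allowedTCPPortRanges` 27036-27037) sit inside a block comment, so the module now gates on `programs.steam.enable` but opens nothing; a reader skimming the file may assume those ports are open. If the block is meant to come back, the upstream options `programs.steam.remotePlay.openFirewall` and `programs.steam.localNetworkGameTransfers.openFirewall` cover the Remote Play and LAN-transfer ranges and only open them while the feature is enabled; otherwise delete the dead comment. The `/*` that opens the comment and most of the module body are outside this hunk.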
@ -5,7 +5,7 @@
|
|||
...
|
||||
}:
|
||||
{
|
||||
config = lib.mkIf config.virtualisation.podman.enable {
|
||||
config = lib.mkIf (config.virtualisation.oci-containers.backend == "podman") {
|
||||
environment = {
|
||||
systemPackages = with pkgs; [
|
||||
podman-compose
|
||||
|
@ -14,13 +14,13 @@
|
|||
|
||||
virtualisation = {
|
||||
podman = {
|
||||
dockerCompat = config.virtualisation.podman.enable;
|
||||
dockerCompat = true;
|
||||
dockerSocket.enable = true;
|
||||
defaultNetwork.settings.dns_enabled = true;
|
||||
};
|
||||
|
||||
oci-containers = {
|
||||
backend = "podman";
|
||||
# backend = "podman";
|
||||
};
|
||||
};
|
||||
|
||||
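Review bot: If the second `config =` line at `@ -5,7 +5,7` is the new one, the module is now gated on `virtualisation.oci-containers.backend == "podman"` instead of `virtualisation.podman.enable`, and if I remember the nixpkgs default correctly that backend is already `"podman"` for `system.stateVersion` ≥ 22.05, so with the 24.05/24.11 hosts in this commit the block is effectively unconditional. That matters because it carries `dockerSocket.enable = true;`, which publishes a Docker-compatible API socket that every member of the `podman` group can drive and that is root-equivalent on the host. Prefer an explicit opt-in gate such as `config = lib.mkIf config.virtualisation.podman.enable {` with hosts setting `virtualisation.podman.enable = true;`, or at minimum record the intent with `# dockerSocket: members of the podman group get root-equivalent API access` next to that line. The enclosing module body continues outside both hunks.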
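--- a/lib/modules/nixos/restic.nix
+++ b/lib/modules/nixos/restic.nix
@@ -0,0 +1,25 @@
+{
+lib,
+# options,
+# config,
+...
+}:
+let
+inherit (lib) mkOption types;
+in
+{
+options.services.restic.commonPaths = mkOption {
+type = types.nullOr (types.listOf types.str);
+default = [ ];
+description = ''
+Which paths to backup, in addition to ones specified via
+`dynamicFilesFrom`. If null or an empty array and
+`dynamicFilesFrom` is also null, no backup command will be run.
+This can be used to create a prune-only job.
+'';
+example = [
+"/var/lib/postgresql"
+"/home/user/backup"
+];
+};
+}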
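Review bot: The description of `services.restic.commonPaths` promises behaviour — `no backup command will be run` when it and `dynamicFilesFrom` are empty — that nothing in this file implements; the module only declares the option, so the consumer that honours it must live elsewhere (presumably the host config that sets `services.restic.commonPaths = [ "/storage/daniel" ]`). A one-line pointer above the declaration, e.g. `# Declaration only; the restic backup jobs that read this option live in the host configurations.`, would save the next reader a search. The commented-out `# options,` and `# config,` arguments are unused and can be dropped.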
@ -15,17 +15,13 @@
|
|||
lib,
|
||||
config,
|
||||
pkgs,
|
||||
hardware,
|
||||
...
|
||||
}:
|
||||
{
|
||||
system.stateVersion = "24.05";
|
||||
# home-manager.users.daniel.home.stateVersion = "24.05";
|
||||
networking.hostName = "beefcake";
|
||||
|
||||
imports = [
|
||||
{
|
||||
# hardware and boot module
|
||||
networking.hostId = "541ede55";
|
||||
boot = {
|
||||
zfs = {
|
||||
extraPools = [ "zstorage" ];
|
||||
|
@ -49,12 +45,12 @@
|
|||
loader.efi.canTouchEfiVariables = true;
|
||||
};
|
||||
|
||||
fileSystems."/" = {
|
||||
fileSystems = {
|
||||
"/" = {
|
||||
device = "/dev/disk/by-uuid/992ce55c-7507-4d6b-938c-45b7e891f395";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
fileSystems."/boot" = {
|
||||
"/boot" = {
|
||||
device = "/dev/disk/by-uuid/B6C4-7CF4";
|
||||
fsType = "vfat";
|
||||
options = [
|
||||
|
@ -62,82 +58,58 @@
|
|||
"dmask=0022"
|
||||
];
|
||||
};
|
||||
|
||||
/*
|
||||
# should be mounted by auto-import; see boot.zfs.extraPools
|
||||
fileSystems."/storage" = {
|
||||
device = "zstorage/storage";
|
||||
fsType = "zfs";
|
||||
};
|
||||
*/
|
||||
|
||||
fileSystems."/nix" = {
|
||||
"/nix" = {
|
||||
device = "zstorage/nix";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
services.zfs.autoScrub.enable = true;
|
||||
services.zfs.autoSnapshot.enable = true;
|
||||
|
||||
# TODO: nfs with zfs?
|
||||
# services.nfs.server.enable = true;
|
||||
}
|
||||
(
|
||||
{
|
||||
options,
|
||||
config,
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (lib) mkOption types;
|
||||
in
|
||||
{
|
||||
options.services.restic.commonPaths = mkOption {
|
||||
type = types.nullOr (types.listOf types.str);
|
||||
default = [ ];
|
||||
description = ''
|
||||
Which paths to backup, in addition to ones specified via
|
||||
`dynamicFilesFrom`. If null or an empty array and
|
||||
`dynamicFilesFrom` is also null, no backup command will be run.
|
||||
This can be used to create a prune-only job.
|
||||
'';
|
||||
example = [
|
||||
"/var/lib/postgresql"
|
||||
"/home/user/backup"
|
||||
];
|
||||
};
|
||||
}
|
||||
)
|
||||
{
|
||||
# sops secrets config
|
||||
|
||||
networking = {
|
||||
hostId = "541ede55";
|
||||
};
|
||||
|
||||
services = {
|
||||
zfs = {
|
||||
autoScrub.enable = true;
|
||||
autoSnapshot.enable = true;
|
||||
};
|
||||
tailscale.useRoutingFeatures = "server";
|
||||
|
||||
};
|
||||
|
||||
sops = {
|
||||
defaultSopsFile = ../secrets/beefcake/secrets.yml;
|
||||
age = {
|
||||
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
keyFile = "/var/lib/sops-nix/key.txt";
|
||||
generateKey = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
{
|
||||
sops.secrets = {
|
||||
netlify-ddns-password = {
|
||||
mode = "0400";
|
||||
defaultSopsFile = ../../secrets/beefcake/secrets.yml;
|
||||
secrets = {
|
||||
netlify-ddns-password.mode = "0400";
|
||||
nix-cache-priv-key.mode = "0400";
|
||||
};
|
||||
};
|
||||
|
||||
virtualisation.oci-containers.backend = "podman";
|
||||
|
||||
services.deno-netlify-ddns-client = {
|
||||
enable = true;
|
||||
passwordFile = config.sops.secrets.netlify-ddns-password.path;
|
||||
username = "beefcake.h";
|
||||
};
|
||||
}
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
aria2
|
||||
restic
|
||||
btrfs-progs
|
||||
zfs
|
||||
smartmontools
|
||||
htop
|
||||
bottom
|
||||
curl
|
||||
xh
|
||||
];
|
||||
|
||||
imports = [
|
||||
hardware.common-cpu-intel
|
||||
{
|
||||
# nix binary cache
|
||||
sops.secrets = {
|
||||
nix-cache-priv-key = {
|
||||
mode = "0400";
|
||||
};
|
||||
};
|
||||
services.nix-serve = {
|
||||
enable = true; # TODO: true
|
||||
enable = true;
|
||||
secretKeyFile = config.sops.secrets.nix-cache-priv-key.path;
|
||||
};
|
||||
services.caddy.virtualHosts."nix.h.lyte.dev" = {
|
||||
|
@ -145,10 +117,6 @@
|
|||
reverse_proxy :${toString config.services.nix-serve.port}
|
||||
'';
|
||||
};
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
80
|
||||
443
|
||||
];
|
||||
|
||||
# regularly build this flake so we have stuff in the cache
|
||||
# TODO: schedule this for nightly builds instead of intervals based on boot time
|
||||
|
@ -247,11 +215,8 @@
|
|||
];
|
||||
services.soju = {
|
||||
enable = true;
|
||||
listen = [ "irc+insecure://:6667" ];
|
||||
listen = [ "irc+insecure://:6667" ]; # tailscale only
|
||||
};
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
6667
|
||||
];
|
||||
}
|
||||
{
|
||||
# nextcloud
|
||||
|
@ -464,6 +429,7 @@
|
|||
}
|
||||
{
|
||||
# clickhouse
|
||||
time.timeZone = lib.mkForce "America/Chicago";
|
||||
environment.etc = {
|
||||
"clickhouse-server/users.d/disable-logging-query.xml" = {
|
||||
text = ''
|
||||
|
@ -549,10 +515,8 @@
|
|||
};
|
||||
};
|
||||
users.groups.daniel.members = [ "daniel" ];
|
||||
users.groups.nixadmin.members = [ "daniel" ];
|
||||
users.users.daniel = {
|
||||
extraGroups = [
|
||||
# "nixadmin" # write access to /etc/nixos/ files
|
||||
"wheel" # sudo access
|
||||
"caddy" # write access to public static files
|
||||
"users" # general users group
|
||||
|
@ -565,7 +529,6 @@
|
|||
services.restic.commonPaths = [
|
||||
"/storage/daniel"
|
||||
];
|
||||
|
||||
services.postgresql = {
|
||||
ensureDatabases = [ "daniel" ];
|
||||
ensureUsers = [
|
||||
|
@ -663,7 +626,7 @@
|
|||
dataDir = "/storage/postgres";
|
||||
enableTCPIP = true;
|
||||
|
||||
package = pkgs.postgresql_15;
|
||||
package = lib.mkForce pkgs.postgresql_15;
|
||||
|
||||
# https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
|
||||
# TODO: give the "daniel" user access to all databases
|
||||
|
@ -713,7 +676,7 @@
|
|||
isNormalUser = true;
|
||||
packages = [ pkgs.vim ];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUfLZ+IX85p9355Po2zP1H2tAxiE0rE6IYb8Sf+eF9T ben@benhany.com"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUfLZ+IX85p9355Po2zP1H2tAxiE0rE6IYb8Sf+eF9T"
|
||||
];
|
||||
};
|
||||
|
||||
|
@ -842,6 +805,10 @@
|
|||
};
|
||||
# acmeCA = "https://acme-staging-v02.api.letsencrypt.org/directory";
|
||||
};
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
80
|
||||
443
|
||||
];
|
||||
}
|
||||
(
|
||||
{ ... }:
|
||||
|
@ -1378,7 +1345,7 @@
|
|||
group = user;
|
||||
};
|
||||
virtualisation.oci-containers.containers.minecraft-flanilla-creative = {
|
||||
autoStart = true;
|
||||
autoStart = false;
|
||||
image = "docker.io/itzg/minecraft-server";
|
||||
# user = "${toString uid}:${toString gid}";
|
||||
extraOptions = [
|
||||
|
@ -1499,6 +1466,7 @@
|
|||
};
|
||||
|
||||
services.kanidm = {
|
||||
package = pkgs.unstable-packages.kanidm;
|
||||
enableServer = true;
|
||||
serverSettings = {
|
||||
inherit domain;
|
||||
|
@ -1825,7 +1793,7 @@
|
|||
}
|
||||
{
|
||||
services.factorio = {
|
||||
enable = true;
|
||||
enable = false;
|
||||
package = pkgs.factorio-headless.override {
|
||||
versionsJson = ./factorio-versions.json;
|
||||
};
|
||||
|
@ -1848,6 +1816,286 @@
|
|||
};
|
||||
};
|
||||
}
|
||||
(
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
cfg = config.services.conduwuit;
|
||||
defaultUser = "conduwuit";
|
||||
defaultGroup = "conduwuit";
|
||||
format = pkgs.formats.toml { };
|
||||
configFile = format.generate "conduwuit.toml" cfg.settings;
|
||||
in
|
||||
{
|
||||
meta.maintainers = with lib.maintainers; [ niklaskorz ];
|
||||
options.services.conduwuit = {
|
||||
enable = lib.mkEnableOption "conduwuit";
|
||||
|
||||
user = lib.mkOption {
|
||||
type = lib.types.nonEmptyStr;
|
||||
description = ''
|
||||
The user {command}`conduwuit` is run as.
|
||||
'';
|
||||
default = defaultUser;
|
||||
};
|
||||
|
||||
group = lib.mkOption {
|
||||
type = lib.types.nonEmptyStr;
|
||||
description = ''
|
||||
The group {command}`conduwuit` is run as.
|
||||
'';
|
||||
default = defaultGroup;
|
||||
};
|
||||
|
||||
extraEnvironment = lib.mkOption {
|
||||
type = lib.types.attrsOf lib.types.str;
|
||||
description = "Extra Environment variables to pass to the conduwuit server.";
|
||||
default = { };
|
||||
example = {
|
||||
RUST_BACKTRACE = "yes";
|
||||
};
|
||||
};
|
||||
|
||||
package = lib.mkPackageOption pkgs.unstable-packages "conduwuit" { };
|
||||
|
||||
settings = lib.mkOption {
|
||||
type = lib.types.submodule {
|
||||
freeformType = format.type;
|
||||
options = {
|
||||
global.server_name = lib.mkOption {
|
||||
type = lib.types.nonEmptyStr;
|
||||
example = "example.com";
|
||||
description = "The server_name is the name of this server. It is used as a suffix for user and room ids.";
|
||||
};
|
||||
global.address = lib.mkOption {
|
||||
type = lib.types.nullOr (lib.types.listOf lib.types.nonEmptyStr);
|
||||
default = null;
|
||||
example = [
|
||||
"127.0.0.1"
|
||||
"::1"
|
||||
];
|
||||
description = ''
|
||||
Addresses (IPv4 or IPv6) to listen on for connections by the reverse proxy/tls terminator.
|
||||
If set to `null`, conduwuit will listen on IPv4 and IPv6 localhost.
|
||||
Must be `null` if `unix_socket_path` is set.
|
||||
'';
|
||||
};
|
||||
global.port = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.port;
|
||||
default = [ 6167 ];
|
||||
description = ''
|
||||
The port(s) conduwuit will be running on.
|
||||
You need to set up a reverse proxy in your web server (e.g. apache or nginx),
|
||||
so all requests to /_matrix on port 443 and 8448 will be forwarded to the conduwuit
|
||||
instance running on this port.
|
||||
'';
|
||||
};
|
||||
global.unix_socket_path = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.path;
|
||||
default = null;
|
||||
description = ''
|
||||
Listen on a UNIX socket at the specified path. If listening on a UNIX socket,
|
||||
listening on an address will be disabled. The `address` option must be set to
|
||||
`null` (the default value). The option {option}`services.conduwuit.group` must
|
||||
be set to a group your reverse proxy is part of.
|
||||
|
||||
This will automatically add a system user "conduwuit" to your system if
|
||||
{option}`services.conduwuit.user` is left at the default, and a "conduwuit"
|
||||
group if {option}`services.conduwuit.group` is left at the default.
|
||||
'';
|
||||
};
|
||||
global.unix_socket_perms = lib.mkOption {
|
||||
type = lib.types.ints.positive;
|
||||
default = 660;
|
||||
description = "The default permissions (in octal) to create the UNIX socket with.";
|
||||
};
|
||||
global.max_request_size = lib.mkOption {
|
||||
type = lib.types.ints.positive;
|
||||
default = 20000000;
|
||||
description = "Max request size in bytes. Don't forget to also change it in the proxy.";
|
||||
};
|
||||
global.allow_registration = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether new users can register on this server.
|
||||
|
||||
Registration with token requires `registration_token` or `registration_token_file` to be set.
|
||||
|
||||
If set to true without a token configured, and
|
||||
`yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`
|
||||
is set to true, users can freely register.
|
||||
'';
|
||||
};
|
||||
global.allow_encryption = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
description = "Whether new encrypted rooms can be created. Note: existing rooms will continue to work.";
|
||||
};
|
||||
global.allow_federation = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
Whether this server federates with other servers.
|
||||
'';
|
||||
};
|
||||
global.trusted_servers = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.nonEmptyStr;
|
||||
default = [ "matrix.org" ];
|
||||
description = ''
|
||||
Servers listed here will be used to gather public keys of other servers
|
||||
(notary trusted key servers).
|
||||
|
||||
Currently, conduwuit doesn't support inbound batched key requests, so
|
||||
this list should only contain other Synapse servers.
|
||||
|
||||
Example: `[ "matrix.org" "constellatory.net" "tchncs.de" ]`
|
||||
'';
|
||||
};
|
||||
global.database_path = lib.mkOption {
|
||||
readOnly = true;
|
||||
type = lib.types.path;
|
||||
default = "/var/lib/conduwuit/";
|
||||
description = ''
|
||||
Path to the conduwuit database, the directory where conduwuit will save its data.
|
||||
Note that database_path cannot be edited because of the service's reliance on systemd StateDir.
|
||||
'';
|
||||
};
|
||||
global.allow_check_for_updates = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
If enabled, conduwuit will send a simple GET request periodically to
|
||||
<https://pupbrain.dev/check-for-updates/stable> for any new announcements made.
|
||||
Despite the name, this is not an update check endpoint, it is simply an announcement check endpoint.
|
||||
|
||||
Disabled by default.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
default = { };
|
||||
# TOML does not allow null values, so we use null to omit those fields
|
||||
apply = lib.filterAttrsRecursive (_: v: v != null);
|
||||
description = ''
|
||||
Generates the conduwuit.toml configuration file. Refer to
|
||||
<https://conduwuit.puppyirl.gay/configuration.html>
|
||||
for details on supported values.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
assertions = [
|
||||
{
|
||||
assertion = !(cfg.settings ? global.unix_socket_path) || !(cfg.settings ? global.address);
|
||||
message = ''
|
||||
In `services.conduwuit.settings.global`, `unix_socket_path` and `address` cannot be set at the
|
||||
same time.
|
||||
Leave one of the two options unset or explicitly set them to `null`.
|
||||
'';
|
||||
}
|
||||
{
|
||||
assertion = cfg.user != defaultUser -> config ? users.users.${cfg.user};
|
||||
message = "If `services.conduwuit.user` is changed, the configured user must already exist.";
|
||||
}
|
||||
{
|
||||
assertion = cfg.group != defaultGroup -> config ? users.groups.${cfg.group};
|
||||
message = "If `services.conduwuit.group` is changed, the configured group must already exist.";
|
||||
}
|
||||
];
|
||||
|
||||
users.users = lib.mkIf (cfg.user == defaultUser) {
|
||||
${defaultUser} = {
|
||||
group = cfg.group;
|
||||
home = cfg.settings.global.database_path;
|
||||
isSystemUser = true;
|
||||
};
|
||||
};
|
||||
|
||||
users.groups = lib.mkIf (cfg.group == defaultGroup) {
|
||||
${defaultGroup} = { };
|
||||
};
|
||||
|
||||
systemd.services.conduwuit = {
|
||||
description = "Conduwuit Matrix Server";
|
||||
documentation = [ "https://conduwuit.puppyirl.gay/" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
wants = [ "network-online.target" ];
|
||||
after = [ "network-online.target" ];
|
||||
environment = lib.mkMerge [
|
||||
{ CONDUWUIT_CONFIG = configFile; }
|
||||
cfg.extraEnvironment
|
||||
];
|
||||
startLimitBurst = 5;
|
||||
startLimitIntervalSec = 60;
|
||||
serviceConfig = {
|
||||
DynamicUser = true;
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
|
||||
DevicePolicy = "closed";
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
NoNewPrivileges = true;
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
PrivateDevices = true;
|
||||
PrivateMounts = true;
|
||||
PrivateTmp = true;
|
||||
PrivateUsers = true;
|
||||
PrivateIPC = true;
|
||||
RemoveIPC = true;
|
||||
RestrictAddressFamilies = [
|
||||
"AF_INET"
|
||||
"AF_INET6"
|
||||
"AF_UNIX"
|
||||
];
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = [
|
||||
"@system-service"
|
||||
"@resources"
|
||||
"~@clock"
|
||||
"@debug"
|
||||
"@module"
|
||||
"@mount"
|
||||
"@reboot"
|
||||
"@swap"
|
||||
"@cpu-emulation"
|
||||
"@obsolete"
|
||||
"@timer"
|
||||
"@chown"
|
||||
"@setuid"
|
||||
"@privileged"
|
||||
"@keyring"
|
||||
"@ipc"
|
||||
];
|
||||
SystemCallErrorNumber = "EPERM";
|
||||
|
||||
StateDirectory = "conduwuit";
|
||||
StateDirectoryMode = "0700";
|
||||
RuntimeDirectory = "conduwuit";
|
||||
RuntimeDirectoryMode = "0750";
|
||||
|
||||
ExecStart = lib.getExe cfg.package;
|
||||
Restart = "on-failure";
|
||||
RestartSec = 10;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
)
|
||||
(
|
||||
{
|
||||
pkgs,
|
||||
|
@ -1897,20 +2145,6 @@
|
|||
TODO: declarative directory quotas? for storage/$USER and /home/$USER
|
||||
*/
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
aria2
|
||||
restic
|
||||
btrfs-progs
|
||||
zfs
|
||||
smartmontools
|
||||
htop
|
||||
bottom
|
||||
curl
|
||||
xh
|
||||
];
|
||||
|
||||
services.tailscale.useRoutingFeatures = "server";
|
||||
|
||||
/*
|
||||
# https://github.com/NixOS/nixpkgs/blob/04af42f3b31dba0ef742d254456dc4c14eedac86/nixos/modules/services/misc/lidarr.nix#L72
|
||||
services.lidarr = {
|
||||
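Review bot: In the conduwuit module inlined at `@ -1848,6 +1816,286`, `SystemCallFilter` lists the deny-listed groups as separate elements (`"~@clock"`, `"@debug"`, `"@module"`, … `"@privileged"`, `"@keyring"`, `"@ipc"`); NixOS serialises each list element as its own `SystemCallFilter=` line, and systemd applies the `~` only to the assignment it prefixes, so every group after `~@clock` is added to the allow list rather than removed — the unit ends up permitting `@mount`, `@module`, `@setuid`, `@privileged` and the rest. Collapse the deny list into one element so the prefix covers all of it: `"~@clock @debug @module @mount @reboot @swap @cpu-emulation @obsolete @timer @chown @setuid @privileged @keyring @ipc"`, and confirm the result with `systemctl show conduwuit.service -p SystemCallFilter` after switching. The same list was in the deleted standalone `conduwuit.nix`, so the move carries the issue over rather than introducing it. The `imports` list that holds this inline module starts and ends outside the hunk.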
@ -38,13 +38,12 @@
|
|||
secrets.ddns-pass.mode = "0400";
|
||||
};
|
||||
services.deno-netlify-ddns-client = {
|
||||
passwordFile = config.sops.secrets.ddns-pass.path;
|
||||
enable = true;
|
||||
passwordFile = config.sops.secrets.ddns-pass.path;
|
||||
username = "dragon.h";
|
||||
# TODO: router doesn't even do ipv6 yet...
|
||||
ipv6 = false;
|
||||
};
|
||||
|
||||
programs.steam.enable = true;
|
||||
networking.wifi.enable = true;
|
||||
lyte.desktop.enable = true;
|
||||
|
||||
@ -65,6 +65,7 @@
|
|||
};
|
||||
};
|
||||
|
||||
programs.steam.enable = true;
|
||||
networking.wifi.enable = true;
|
||||
lyte.desktop.enable = true;
|
||||
|
||||
@ -1,46 +1,55 @@
|
|||
{
|
||||
pkgs,
|
||||
hardware,
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
{
|
||||
system.stateVersion = "24.11";
|
||||
networking.hostName = "htpc";
|
||||
|
||||
networking.networkmanager.enable = true;
|
||||
boot = {
|
||||
loader = {
|
||||
grub = {
|
||||
enable = true;
|
||||
device = "/dev/sda";
|
||||
useOSProber = true;
|
||||
};
|
||||
};
|
||||
|
||||
boot.loader.grub.enable = true;
|
||||
boot.loader.grub.device = "/dev/sda";
|
||||
boot.loader.grub.useOSProber = true;
|
||||
|
||||
boot.initrd.availableKernelModules = [
|
||||
initrd = {
|
||||
availableKernelModules = [
|
||||
"xhci_pci"
|
||||
"ahci"
|
||||
"usbhid"
|
||||
"usb_storage"
|
||||
"sd_mod"
|
||||
];
|
||||
boot.initrd.kernelModules = [
|
||||
kernelModules = [
|
||||
"8821au"
|
||||
"8812au"
|
||||
];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [
|
||||
};
|
||||
|
||||
kernelModules = [ "kvm-intel" ];
|
||||
extraModulePackages = [
|
||||
# pkgs.rtl8811au
|
||||
config.boot.kernelPackages.rtl8812au
|
||||
config.boot.kernelPackages.rtl8821au
|
||||
];
|
||||
};
|
||||
|
||||
fileSystems."/" = {
|
||||
device = "/dev/disk/by-uuid/86d8ded0-1c6f-4a79-901c-2d59c11b5ca8";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
imports = with hardware; [
|
||||
common-cpu-intel
|
||||
common-pc-ssd
|
||||
];
|
||||
|
||||
hardware.bluetooth = {
|
||||
enable = true;
|
||||
# package = pkgs.bluez;
|
||||
settings = {
|
||||
General = {
|
||||
AutoConnect = true;
|
||||
|
@ -49,6 +58,10 @@
|
|||
};
|
||||
};
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
networking.wifi.enable = true;
|
||||
lyte.desktop.enable = true;
|
||||
home-manager.users.daniel = {
|
||||
lyte.shell.enable = true;
|
||||
lyte.desktop.enable = true;
|
||||
};
|
||||
}
|
||||