lytedev/nix
1
0
Fork 1
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

chore: migrate beefcake and htpc, fix steam

Browse source
This commit is contained in:
Daniel Flanagan 2025-02-16 23:53:40 -06:00
parent b2147e90e5
commit 45119b3775
14 changed files with 597 additions and 591 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

160
lib/modules/home/default.nix
View file

@ -26,6 +26,7 @@ in
iex
cargo
desktop
gnome
/*
broot
@ -398,87 +399,94 @@ in
};
gnome =
{ pkgs, ... }:
{
dconf = {
enable = true;
settings = {
"org/gnome/settings-daemon/plugins/media-keys" = {
screensaver = [ "<Shift><Control><Super>l" ]; # lock screen
mic-mute = [ "<Shift><Super>v" ];
};
"org/gnome/desktop/peripherals/keyboard" = {
# gnome key repeat
repeat-interval = 7;
delay = 200;
};
"org/gnome/desktop/wm/preferences" = {
resize-with-right-button = true;
# mouse-button-modifier = '<Super>'; # default
};
"org/gnome/desktop/wm/keybindings" = {
minimize = [ "<Shift><Control><Super>h" ];
show-desktop = [ "<Super>d" ];
move-to-workspace-left = [ "<Super><Shift>h" ];
move-to-workspace-right = [ "<Super><Shift>l" ];
switch-to-workspace-left = [ "<Super><Control>h" ];
switch-to-workspace-right = [ "<Super><Control>l" ];
# mouse-button-modifier = '<Super>'; # default
};
"org/gnome/desktop/interface" = {
show-battery-percentage = true;
clock-show-weekday = true;
font-name = "IosevkaLyteTerm 12";
monospace-font-name = "IosevkaLyteTerm 12";
color-scheme = "prefer-dark";
# scaling-factor = 1.75;
};
"org/gnome/mutter" = {
experimental-features = [ "variable-refresh-rate" ];
};
"org/gnome/shell" = {
disable-user-extensions = false;
enabled-extensions = with pkgs.gnomeExtensions; [
tiling-shell.extensionUuid
appindicator.extensionUuid
blur-my-shell.extensionUuid
];
};
"org/gnome/shell/extensions/tilingshell" = {
inner-gaps = 8;
outer-gaps = 8;
window-border-width = 2;
window-border-color = "rgba(116,199,236,0.47)";
focus-window-right = [ "<Super>l" ];
focus-window-left = [ "<Super>h" ];
focus-window-up = [ "<Super>k" ];
focus-window-down = [ "<Super>j" ];
};
};
};
home = {
packages = with pkgs.gnomeExtensions; [
tiling-shell
blur-my-shell
appindicator
];
file.".face" = {
lib,
config,
pkgs,
...
}:
{
config = lib.mkIf config.lyte.desktop.enable {
dconf = {
enable = true;
source = builtins.fetchurl {
url = "https://lyte.dev/img/avatar3-square-512.png";
sha256 = "sha256:15zwbwisrc01m7ad684rsyq19wl4s33ry9xmgzmi88k1myxhs93x";
settings = {
"org/gnome/settings-daemon/plugins/media-keys" = {
screensaver = [ "<Shift><Control><Super>l" ]; # lock screen
mic-mute = [ "<Shift><Super>v" ];
};
"org/gnome/desktop/peripherals/keyboard" = {
# gnome key repeat
repeat-interval = 7;
delay = 200;
};
"org/gnome/desktop/wm/preferences" = {
resize-with-right-button = true;
# mouse-button-modifier = '<Super>'; # default
};
"org/gnome/desktop/wm/keybindings" = {
minimize = [ "<Shift><Control><Super>h" ];
show-desktop = [ "<Super>d" ];
move-to-workspace-left = [ "<Super><Shift>h" ];
move-to-workspace-right = [ "<Super><Shift>l" ];
switch-to-workspace-left = [ "<Super><Control>h" ];
switch-to-workspace-right = [ "<Super><Control>l" ];
# mouse-button-modifier = '<Super>'; # default
};
"org/gnome/desktop/interface" = {
show-battery-percentage = true;
clock-show-weekday = true;
font-name = "IosevkaLyteTerm 12";
monospace-font-name = "IosevkaLyteTerm 12";
color-scheme = "prefer-dark";
# scaling-factor = 1.75;
};
"org/gnome/mutter" = {
experimental-features = [ "variable-refresh-rate" ];
};
"org/gnome/shell" = {
disable-user-extensions = false;
enabled-extensions = with pkgs.gnomeExtensions; [
tiling-shell.extensionUuid
appindicator.extensionUuid
blur-my-shell.extensionUuid
];
};
"org/gnome/shell/extensions/tilingshell" = {
inner-gaps = 8;
outer-gaps = 8;
window-border-width = 2;
window-border-color = "rgba(116,199,236,0.47)";
focus-window-right = [ "<Super>l" ];
focus-window-left = [ "<Super>h" ];
focus-window-up = [ "<Super>k" ];
focus-window-down = [ "<Super>j" ];
};
};
};
};
programs.gnome-shell = {
enable = true;
extensions = [ { package = pkgs.gnomeExtensions.gsconnect; } ];
home = {
packages = with pkgs.gnomeExtensions; [
tiling-shell
blur-my-shell
appindicator
];
file.".face" = {
enable = true;
source = builtins.fetchurl {
url = "https://lyte.dev/img/avatar3-square-512.png";
sha256 = "sha256:15zwbwisrc01m7ad684rsyq19wl4s33ry9xmgzmi88k1myxhs93x";
};
};
};
programs.gnome-shell = {
enable = true;
extensions = [ { package = pkgs.gnomeExtensions.gsconnect; } ];
};
};
};

1
lib/modules/home/firefox.nix
View file

@ -9,6 +9,7 @@
home = {
sessionVariables = {
MOZ_ENABLE_WAYLAND = "1";
BROWSER = "firefox";
};
};

2
lib/modules/home/fish/shellInit.fish
View file

@ -33,8 +33,6 @@ set --export --universal EXA_COLORS '*=0'
set --export --universal ERL_AFLAGS "-kernel shell_history enabled -kernel shell_history_file_bytes 1024000"
set --export --universal BROWSER (which firefox)
set --export --universal SOPS_AGE_KEY_FILE "$XDG_CONFIG_HOME/sops/age/keys.txt"
if has_command skim

279
lib/modules/nixos/conduwuit.nix
View file

@ -1,279 +0,0 @@
# https://github.com/NixOS/nixpkgs/blob/32aaedffae68f54312c4c7726f828be82f278a48/nixos/modules/services/matrix/conduwuit.nix{
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.conduwuit;
defaultUser = "conduwuit";
defaultGroup = "conduwuit";
format = pkgs.formats.toml { };
configFile = format.generate "conduwuit.toml" cfg.settings;
in
{
meta.maintainers = with lib.maintainers; [ niklaskorz ];
options.services.conduwuit = {
enable = lib.mkEnableOption "conduwuit";
user = lib.mkOption {
type = lib.types.nonEmptyStr;
description = ''
The user {command}`conduwuit` is run as.
'';
default = defaultUser;
};
group = lib.mkOption {
type = lib.types.nonEmptyStr;
description = ''
The group {command}`conduwuit` is run as.
'';
default = defaultGroup;
};
extraEnvironment = lib.mkOption {
type = lib.types.attrsOf lib.types.str;
description = "Extra Environment variables to pass to the conduwuit server.";
default = { };
example = {
RUST_BACKTRACE = "yes";
};
};
package = lib.mkPackageOption pkgs.unstable-packages "conduwuit" { };
settings = lib.mkOption {
type = lib.types.submodule {
freeformType = format.type;
options = {
global.server_name = lib.mkOption {
type = lib.types.nonEmptyStr;
example = "example.com";
description = "The server_name is the name of this server. It is used as a suffix for user and room ids.";
};
global.address = lib.mkOption {
type = lib.types.nullOr (lib.types.listOf lib.types.nonEmptyStr);
default = null;
example = [
"127.0.0.1"
"::1"
];
description = ''
Addresses (IPv4 or IPv6) to listen on for connections by the reverse proxy/tls terminator.
If set to `null`, conduwuit will listen on IPv4 and IPv6 localhost.
Must be `null` if `unix_socket_path` is set.
'';
};
global.port = lib.mkOption {
type = lib.types.listOf lib.types.port;
default = [ 6167 ];
description = ''
The port(s) conduwuit will be running on.
You need to set up a reverse proxy in your web server (e.g. apache or nginx),
so all requests to /_matrix on port 443 and 8448 will be forwarded to the conduwuit
instance running on this port.
'';
};
global.unix_socket_path = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
description = ''
Listen on a UNIX socket at the specified path. If listening on a UNIX socket,
listening on an address will be disabled. The `address` option must be set to
`null` (the default value). The option {option}`services.conduwuit.group` must
be set to a group your reverse proxy is part of.
This will automatically add a system user "conduwuit" to your system if
{option}`services.conduwuit.user` is left at the default, and a "conduwuit"
group if {option}`services.conduwuit.group` is left at the default.
'';
};
global.unix_socket_perms = lib.mkOption {
type = lib.types.ints.positive;
default = 660;
description = "The default permissions (in octal) to create the UNIX socket with.";
};
global.max_request_size = lib.mkOption {
type = lib.types.ints.positive;
default = 20000000;
description = "Max request size in bytes. Don't forget to also change it in the proxy.";
};
global.allow_registration = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether new users can register on this server.
Registration with token requires `registration_token` or `registration_token_file` to be set.
If set to true without a token configured, and
`yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`
is set to true, users can freely register.
'';
};
global.allow_encryption = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Whether new encrypted rooms can be created. Note: existing rooms will continue to work.";
};
global.allow_federation = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Whether this server federates with other servers.
'';
};
global.trusted_servers = lib.mkOption {
type = lib.types.listOf lib.types.nonEmptyStr;
default = [ "matrix.org" ];
description = ''
Servers listed here will be used to gather public keys of other servers
(notary trusted key servers).
Currently, conduwuit doesn't support inbound batched key requests, so
this list should only contain other Synapse servers.
Example: `[ "matrix.org" "constellatory.net" "tchncs.de" ]`
'';
};
global.database_path = lib.mkOption {
readOnly = true;
type = lib.types.path;
default = "/var/lib/conduwuit/";
description = ''
Path to the conduwuit database, the directory where conduwuit will save its data.
Note that database_path cannot be edited because of the service's reliance on systemd StateDir.
'';
};
global.allow_check_for_updates = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
If enabled, conduwuit will send a simple GET request periodically to
<https://pupbrain.dev/check-for-updates/stable> for any new announcements made.
Despite the name, this is not an update check endpoint, it is simply an announcement check endpoint.
Disabled by default.
'';
};
};
};
default = { };
# TOML does not allow null values, so we use null to omit those fields
apply = lib.filterAttrsRecursive (_: v: v != null);
description = ''
Generates the conduwuit.toml configuration file. Refer to
<https://conduwuit.puppyirl.gay/configuration.html>
for details on supported values.
'';
};
};
config = lib.mkIf cfg.enable {
assertions = [
{
assertion = !(cfg.settings ? global.unix_socket_path) || !(cfg.settings ? global.address);
message = ''
In `services.conduwuit.settings.global`, `unix_socket_path` and `address` cannot be set at the
same time.
Leave one of the two options unset or explicitly set them to `null`.
'';
}
{
assertion = cfg.user != defaultUser -> config ? users.users.${cfg.user};
message = "If `services.conduwuit.user` is changed, the configured user must already exist.";
}
{
assertion = cfg.group != defaultGroup -> config ? users.groups.${cfg.group};
message = "If `services.conduwuit.group` is changed, the configured group must already exist.";
}
];
users.users = lib.mkIf (cfg.user == defaultUser) {
${defaultUser} = {
group = cfg.group;
home = cfg.settings.global.database_path;
isSystemUser = true;
};
};
users.groups = lib.mkIf (cfg.group == defaultGroup) {
${defaultGroup} = { };
};
systemd.services.conduwuit = {
description = "Conduwuit Matrix Server";
documentation = [ "https://conduwuit.puppyirl.gay/" ];
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
environment = lib.mkMerge [
{ CONDUWUIT_CONFIG = configFile; }
cfg.extraEnvironment
];
startLimitBurst = 5;
startLimitIntervalSec = 60;
serviceConfig = {
DynamicUser = true;
User = cfg.user;
Group = cfg.group;
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
PrivateIPC = true;
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"@resources"
"~@clock"
"@debug"
"@module"
"@mount"
"@reboot"
"@swap"
"@cpu-emulation"
"@obsolete"
"@timer"
"@chown"
"@setuid"
"@privileged"
"@keyring"
"@ipc"
];
SystemCallErrorNumber = "EPERM";
StateDirectory = "conduwuit";
StateDirectoryMode = "0700";
RuntimeDirectory = "conduwuit";
RuntimeDirectoryMode = "0750";
ExecStart = lib.getExe cfg.package;
Restart = "on-failure";
RestartSec = 10;
};
};
};
}

1
lib/modules/nixos/default-module.nix
View file

@ -30,6 +30,7 @@
virtual-machines
postgres
gaming
restic
];
config = {

1
lib/modules/nixos/default.nix
View file

@ -19,6 +19,7 @@ inputs: {
desktop = import ./desktop.nix;
printing = import ./printing.nix;
wifi = import ./wifi.nix;
restic = import ./restic.nix;
remote-disk-key-entry-on-boot =
{

3
lib/modules/nixos/deno-netlify-ddns-client.nix
View file

@ -33,7 +33,8 @@ in
};
ipv6 = mkOption {
type = types.bool;
default = true;
# TODO: router doesn't support ipv6 yet
default = false;
};
requestTimeout = mkOption {
type = types.int;

117
lib/modules/nixos/gaming.nix
View file

@ -1,69 +1,72 @@
{
lib,
config,
options,
pkgs,
...
}:
{
programs.gamescope.enable = true;
config = lib.mkIf config.programs.steam.enable {
programs.gamescope.enable = true;
services.pipewire = {
alsa.support32Bit = true;
};
programs.steam = {
extest.enable = true;
gamescopeSession.enable = true;
extraPackages = with pkgs; [
gamescope
];
extraCompatPackages = with pkgs; [
proton-ge-bin
];
localNetworkGameTransfers.openFirewall = true;
remotePlay.openFirewall = true;
};
hardware =
(
if builtins.hasAttr "graphics" options.hardware then
{
graphics = {
enable = true;
enable32Bit = true;
};
}
else
{
opengl = {
enable = true;
driSupport32Bit = true;
};
}
)
// {
steam-hardware.enable = true;
services.pipewire = {
alsa.support32Bit = true;
};
services.udev.packages = with pkgs; [ steam ];
programs.steam = {
extest.enable = true;
gamescopeSession.enable = true;
environment = {
systemPackages = with pkgs; [
dualsensectl # for interfacing with dualsense controllers programmatically
wineWowPackages.waylandFull
lutris
winetricks
ludusavi
# ludusavi uses rclone
rclone
];
extraPackages = with pkgs; [
gamescope
];
extraCompatPackages = with pkgs; [
proton-ge-bin
];
localNetworkGameTransfers.openFirewall = true;
remotePlay.openFirewall = true;
};
hardware =
(
if builtins.hasAttr "graphics" options.hardware then
{
graphics = {
enable = true;
enable32Bit = true;
};
}
else
{
opengl = {
enable = true;
driSupport32Bit = true;
};
}
)
// {
steam-hardware.enable = true;
};
services.udev.packages = with pkgs; [ steam ];
environment = {
systemPackages = with pkgs; [
dualsensectl # for interfacing with dualsense controllers programmatically
wineWowPackages.waylandFull
lutris
winetricks
ludusavi
# ludusavi uses rclone
rclone
];
};
# remote play ports - should be unnecessary due to programs.steam.remotePlay.openFirewall = true;
/*
networking.firewall.allowedUDPPortRanges = [ { from = 27031; to = 27036; } ];
networking.firewall.allowedTCPPortRanges = [ { from = 27036; to = 27037; } ];
*/
};
# remote play ports - should be unnecessary due to programs.steam.remotePlay.openFirewall = true;
/*
networking.firewall.allowedUDPPortRanges = [ { from = 27031; to = 27036; } ];
networking.firewall.allowedTCPPortRanges = [ { from = 27036; to = 27037; } ];
*/
}

6
lib/modules/nixos/podman.nix
View file

@ -5,7 +5,7 @@
...
}:
{
config = lib.mkIf config.virtualisation.podman.enable {
config = lib.mkIf (config.virtualisation.oci-containers.backend == "podman") {
environment = {
systemPackages = with pkgs; [
podman-compose
@ -14,13 +14,13 @@
virtualisation = {
podman = {
dockerCompat = config.virtualisation.podman.enable;
dockerCompat = true;
dockerSocket.enable = true;
defaultNetwork.settings.dns_enabled = true;
};
oci-containers = {
backend = "podman";
# backend = "podman";
};
};

25
lib/modules/nixos/restic.nix Normal file
View file

@ -0,0 +1,25 @@
{
lib,
# options,
# config,
...
}:
let
inherit (lib) mkOption types;
in
{
options.services.restic.commonPaths = mkOption {
type = types.nullOr (types.listOf types.str);
default = [ ];
description = ''
Which paths to backup, in addition to ones specified via
`dynamicFilesFrom`. If null or an empty array and
`dynamicFilesFrom` is also null, no backup command will be run.
This can be used to create a prune-only job.
'';
example = [
"/var/lib/postgresql"
"/home/user/backup"
];
};
}

520
packages/hosts/beefcake.nix
View file

@ -15,129 +15,101 @@
lib,
config,
pkgs,
hardware,
...
}:
{
system.stateVersion = "24.05";
# home-manager.users.daniel.home.stateVersion = "24.05";
networking.hostName = "beefcake";
boot = {
zfs = {
extraPools = [ "zstorage" ];
};
supportedFilesystems = {
zfs = true;
};
initrd.supportedFilesystems = {
zfs = true;
};
# kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
initrd.availableKernelModules = [
"ehci_pci"
"mpt3sas"
"usbhid"
"sd_mod"
];
kernelModules = [ "kvm-intel" ];
kernelParams = [ "nohibernate" ];
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/992ce55c-7507-4d6b-938c-45b7e891f395";
fsType = "ext4";
};
"/boot" = {
device = "/dev/disk/by-uuid/B6C4-7CF4";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
"/nix" = {
device = "zstorage/nix";
fsType = "zfs";
};
};
networking = {
hostId = "541ede55";
};
services = {
zfs = {
autoScrub.enable = true;
autoSnapshot.enable = true;
};
tailscale.useRoutingFeatures = "server";
};
sops = {
defaultSopsFile = ../../secrets/beefcake/secrets.yml;
secrets = {
netlify-ddns-password.mode = "0400";
nix-cache-priv-key.mode = "0400";
};
};
virtualisation.oci-containers.backend = "podman";
services.deno-netlify-ddns-client = {
enable = true;
passwordFile = config.sops.secrets.netlify-ddns-password.path;
username = "beefcake.h";
};
environment.systemPackages = with pkgs; [
aria2
restic
btrfs-progs
zfs
smartmontools
htop
bottom
curl
xh
];
imports = [
hardware.common-cpu-intel
{
# hardware and boot module
networking.hostId = "541ede55";
boot = {
zfs = {
extraPools = [ "zstorage" ];
};
supportedFilesystems = {
zfs = true;
};
initrd.supportedFilesystems = {
zfs = true;
};
# kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
initrd.availableKernelModules = [
"ehci_pci"
"mpt3sas"
"usbhid"
"sd_mod"
];
kernelModules = [ "kvm-intel" ];
kernelParams = [ "nohibernate" ];
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/992ce55c-7507-4d6b-938c-45b7e891f395";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/B6C4-7CF4";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
/*
# should be mounted by auto-import; see boot.zfs.extraPools
fileSystems."/storage" = {
device = "zstorage/storage";
fsType = "zfs";
};
*/
fileSystems."/nix" = {
device = "zstorage/nix";
fsType = "zfs";
};
services.zfs.autoScrub.enable = true;
services.zfs.autoSnapshot.enable = true;
# TODO: nfs with zfs?
# services.nfs.server.enable = true;
}
(
{
options,
config,
...
}:
let
inherit (lib) mkOption types;
in
{
options.services.restic.commonPaths = mkOption {
type = types.nullOr (types.listOf types.str);
default = [ ];
description = ''
Which paths to backup, in addition to ones specified via
`dynamicFilesFrom`. If null or an empty array and
`dynamicFilesFrom` is also null, no backup command will be run.
This can be used to create a prune-only job.
'';
example = [
"/var/lib/postgresql"
"/home/user/backup"
];
};
}
)
{
# sops secrets config
sops = {
defaultSopsFile = ../secrets/beefcake/secrets.yml;
age = {
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true;
};
};
}
{
sops.secrets = {
netlify-ddns-password = {
mode = "0400";
};
};
services.deno-netlify-ddns-client = {
passwordFile = config.sops.secrets.netlify-ddns-password.path;
};
}
{
# nix binary cache
sops.secrets = {
nix-cache-priv-key = {
mode = "0400";
};
};
services.nix-serve = {
enable = true; # TODO: true
enable = true;
secretKeyFile = config.sops.secrets.nix-cache-priv-key.path;
};
services.caddy.virtualHosts."nix.h.lyte.dev" = {
@ -145,10 +117,6 @@
reverse_proxy :${toString config.services.nix-serve.port}
'';
};
networking.firewall.allowedTCPPorts = [
80
443
];
# regularly build this flake so we have stuff in the cache
# TODO: schedule this for nightly builds instead of intervals based on boot time
@ -247,11 +215,8 @@
];
services.soju = {
enable = true;
listen = [ "irc+insecure://:6667" ];
listen = [ "irc+insecure://:6667" ]; # tailscale only
};
networking.firewall.allowedTCPPorts = [
6667
];
}
{
# nextcloud
@ -464,6 +429,7 @@
}
{
# clickhouse
time.timeZone = lib.mkForce "America/Chicago";
environment.etc = {
"clickhouse-server/users.d/disable-logging-query.xml" = {
text = ''
@ -549,10 +515,8 @@
};
};
users.groups.daniel.members = [ "daniel" ];
users.groups.nixadmin.members = [ "daniel" ];
users.users.daniel = {
extraGroups = [
# "nixadmin" # write access to /etc/nixos/ files
"wheel" # sudo access
"caddy" # write access to public static files
"users" # general users group
@ -565,7 +529,6 @@
services.restic.commonPaths = [
"/storage/daniel"
];
services.postgresql = {
ensureDatabases = [ "daniel" ];
ensureUsers = [
@ -663,7 +626,7 @@
dataDir = "/storage/postgres";
enableTCPIP = true;
package = pkgs.postgresql_15;
package = lib.mkForce pkgs.postgresql_15;
# https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
# TODO: give the "daniel" user access to all databases
@ -713,7 +676,7 @@
isNormalUser = true;
packages = [ pkgs.vim ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUfLZ+IX85p9355Po2zP1H2tAxiE0rE6IYb8Sf+eF9T ben@benhany.com"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUfLZ+IX85p9355Po2zP1H2tAxiE0rE6IYb8Sf+eF9T"
];
};
@ -842,6 +805,10 @@
};
# acmeCA = "https://acme-staging-v02.api.letsencrypt.org/directory";
};
networking.firewall.allowedTCPPorts = [
80
443
];
}
(
{ ... }:
@ -1378,7 +1345,7 @@
group = user;
};
virtualisation.oci-containers.containers.minecraft-flanilla-creative = {
autoStart = true;
autoStart = false;
image = "docker.io/itzg/minecraft-server";
# user = "${toString uid}:${toString gid}";
extraOptions = [
@ -1499,6 +1466,7 @@
};
services.kanidm = {
package = pkgs.unstable-packages.kanidm;
enableServer = true;
serverSettings = {
inherit domain;
@ -1825,7 +1793,7 @@
}
{
services.factorio = {
enable = true;
enable = false;
package = pkgs.factorio-headless.override {
versionsJson = ./factorio-versions.json;
};
@ -1848,6 +1816,286 @@
};
};
}
(
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.conduwuit;
defaultUser = "conduwuit";
defaultGroup = "conduwuit";
format = pkgs.formats.toml { };
configFile = format.generate "conduwuit.toml" cfg.settings;
in
{
meta.maintainers = with lib.maintainers; [ niklaskorz ];
options.services.conduwuit = {
enable = lib.mkEnableOption "conduwuit";
user = lib.mkOption {
type = lib.types.nonEmptyStr;
description = ''
The user {command}`conduwuit` is run as.
'';
default = defaultUser;
};
group = lib.mkOption {
type = lib.types.nonEmptyStr;
description = ''
The group {command}`conduwuit` is run as.
'';
default = defaultGroup;
};
extraEnvironment = lib.mkOption {
type = lib.types.attrsOf lib.types.str;
description = "Extra Environment variables to pass to the conduwuit server.";
default = { };
example = {
RUST_BACKTRACE = "yes";
};
};
package = lib.mkPackageOption pkgs.unstable-packages "conduwuit" { };
settings = lib.mkOption {
type = lib.types.submodule {
freeformType = format.type;
options = {
global.server_name = lib.mkOption {
type = lib.types.nonEmptyStr;
example = "example.com";
description = "The server_name is the name of this server. It is used as a suffix for user and room ids.";
};
global.address = lib.mkOption {
type = lib.types.nullOr (lib.types.listOf lib.types.nonEmptyStr);
default = null;
example = [
"127.0.0.1"
"::1"
];
description = ''
Addresses (IPv4 or IPv6) to listen on for connections by the reverse proxy/tls terminator.
If set to `null`, conduwuit will listen on IPv4 and IPv6 localhost.
Must be `null` if `unix_socket_path` is set.
'';
};
global.port = lib.mkOption {
type = lib.types.listOf lib.types.port;
default = [ 6167 ];
description = ''
The port(s) conduwuit will be running on.
You need to set up a reverse proxy in your web server (e.g. apache or nginx),
so all requests to /_matrix on port 443 and 8448 will be forwarded to the conduwuit
instance running on this port.
'';
};
global.unix_socket_path = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
description = ''
Listen on a UNIX socket at the specified path. If listening on a UNIX socket,
listening on an address will be disabled. The `address` option must be set to
`null` (the default value). The option {option}`services.conduwuit.group` must
be set to a group your reverse proxy is part of.
This will automatically add a system user "conduwuit" to your system if
{option}`services.conduwuit.user` is left at the default, and a "conduwuit"
group if {option}`services.conduwuit.group` is left at the default.
'';
};
global.unix_socket_perms = lib.mkOption {
type = lib.types.ints.positive;
default = 660;
description = "The default permissions (in octal) to create the UNIX socket with.";
};
global.max_request_size = lib.mkOption {
type = lib.types.ints.positive;
default = 20000000;
description = "Max request size in bytes. Don't forget to also change it in the proxy.";
};
global.allow_registration = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether new users can register on this server.
Registration with token requires `registration_token` or `registration_token_file` to be set.
If set to true without a token configured, and
`yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`
is set to true, users can freely register.
'';
};
global.allow_encryption = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Whether new encrypted rooms can be created. Note: existing rooms will continue to work.";
};
global.allow_federation = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Whether this server federates with other servers.
'';
};
global.trusted_servers = lib.mkOption {
type = lib.types.listOf lib.types.nonEmptyStr;
default = [ "matrix.org" ];
description = ''
Servers listed here will be used to gather public keys of other servers
(notary trusted key servers).
Currently, conduwuit doesn't support inbound batched key requests, so
this list should only contain other Synapse servers.
Example: `[ "matrix.org" "constellatory.net" "tchncs.de" ]`
'';
};
global.database_path = lib.mkOption {
readOnly = true;
type = lib.types.path;
default = "/var/lib/conduwuit/";
description = ''
Path to the conduwuit database, the directory where conduwuit will save its data.
Note that database_path cannot be edited because of the service's reliance on systemd StateDir.
'';
};
global.allow_check_for_updates = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
If enabled, conduwuit will send a simple GET request periodically to
<https://pupbrain.dev/check-for-updates/stable> for any new announcements made.
Despite the name, this is not an update check endpoint, it is simply an announcement check endpoint.
Disabled by default.
'';
};
};
};
default = { };
# TOML does not allow null values, so we use null to omit those fields
apply = lib.filterAttrsRecursive (_: v: v != null);
description = ''
Generates the conduwuit.toml configuration file. Refer to
<https://conduwuit.puppyirl.gay/configuration.html>
for details on supported values.
'';
};
};
config = lib.mkIf cfg.enable {
assertions = [
{
assertion = !(cfg.settings ? global.unix_socket_path) || !(cfg.settings ? global.address);
message = ''
In `services.conduwuit.settings.global`, `unix_socket_path` and `address` cannot be set at the
same time.
Leave one of the two options unset or explicitly set them to `null`.
'';
}
{
assertion = cfg.user != defaultUser -> config ? users.users.${cfg.user};
message = "If `services.conduwuit.user` is changed, the configured user must already exist.";
}
{
assertion = cfg.group != defaultGroup -> config ? users.groups.${cfg.group};
message = "If `services.conduwuit.group` is changed, the configured group must already exist.";
}
];
users.users = lib.mkIf (cfg.user == defaultUser) {
${defaultUser} = {
group = cfg.group;
home = cfg.settings.global.database_path;
isSystemUser = true;
};
};
users.groups = lib.mkIf (cfg.group == defaultGroup) {
${defaultGroup} = { };
};
systemd.services.conduwuit = {
description = "Conduwuit Matrix Server";
documentation = [ "https://conduwuit.puppyirl.gay/" ];
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
environment = lib.mkMerge [
{ CONDUWUIT_CONFIG = configFile; }
cfg.extraEnvironment
];
startLimitBurst = 5;
startLimitIntervalSec = 60;
serviceConfig = {
DynamicUser = true;
User = cfg.user;
Group = cfg.group;
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
PrivateIPC = true;
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"@resources"
"~@clock"
"@debug"
"@module"
"@mount"
"@reboot"
"@swap"
"@cpu-emulation"
"@obsolete"
"@timer"
"@chown"
"@setuid"
"@privileged"
"@keyring"
"@ipc"
];
SystemCallErrorNumber = "EPERM";
StateDirectory = "conduwuit";
StateDirectoryMode = "0700";
RuntimeDirectory = "conduwuit";
RuntimeDirectoryMode = "0750";
ExecStart = lib.getExe cfg.package;
Restart = "on-failure";
RestartSec = 10;
};
};
};
}
)
(
{
pkgs,
@ -1897,20 +2145,6 @@
TODO: declarative directory quotas? for storage/$USER and /home/$USER
*/
environment.systemPackages = with pkgs; [
aria2
restic
btrfs-progs
zfs
smartmontools
htop
bottom
curl
xh
];
services.tailscale.useRoutingFeatures = "server";
/*
# https://github.com/NixOS/nixpkgs/blob/04af42f3b31dba0ef742d254456dc4c14eedac86/nixos/modules/services/misc/lidarr.nix#L72
services.lidarr = {

5
packages/hosts/dragon.nix
View file

@ -38,13 +38,12 @@
secrets.ddns-pass.mode = "0400";
};
services.deno-netlify-ddns-client = {
passwordFile = config.sops.secrets.ddns-pass.path;
enable = true;
passwordFile = config.sops.secrets.ddns-pass.path;
username = "dragon.h";
# TODO: router doesn't even do ipv6 yet...
ipv6 = false;
};
programs.steam.enable = true;
networking.wifi.enable = true;
lyte.desktop.enable = true;

1
packages/hosts/foxtrot.nix
View file

@ -65,6 +65,7 @@
};
};
programs.steam.enable = true;
networking.wifi.enable = true;
lyte.desktop.enable = true;

67
packages/hosts/htpc.nix
View file

@ -1,46 +1,55 @@
{
pkgs,
hardware,
config,
lib,
...
}:
{
system.stateVersion = "24.11";
networking.hostName = "htpc";
networking.networkmanager.enable = true;
boot = {
loader = {
grub = {
enable = true;
device = "/dev/sda";
useOSProber = true;
};
};
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
boot.loader.grub.useOSProber = true;
initrd = {
availableKernelModules = [
"xhci_pci"
"ahci"
"usbhid"
"usb_storage"
"sd_mod"
];
kernelModules = [
"8821au"
"8812au"
];
};
boot.initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"usbhid"
"usb_storage"
"sd_mod"
];
boot.initrd.kernelModules = [
"8821au"
"8812au"
];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [
# pkgs.rtl8811au
config.boot.kernelPackages.rtl8812au
config.boot.kernelPackages.rtl8821au
];
kernelModules = [ "kvm-intel" ];
extraModulePackages = [
# pkgs.rtl8811au
config.boot.kernelPackages.rtl8812au
config.boot.kernelPackages.rtl8821au
];
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/86d8ded0-1c6f-4a79-901c-2d59c11b5ca8";
fsType = "ext4";
};
swapDevices = [ ];
imports = with hardware; [
common-cpu-intel
common-pc-ssd
];
hardware.bluetooth = {
enable = true;
# package = pkgs.bluez;
settings = {
General = {
AutoConnect = true;
@ -49,6 +58,10 @@
};
};
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
networking.wifi.enable = true;
lyte.desktop.enable = true;
home-manager.users.daniel = {
lyte.shell.enable = true;
lyte.desktop.enable = true;
};
}