diff --git a/flake.nix b/flake.nix
index e37d06d..8eb169b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -41,7 +41,7 @@
"https://cache.nixos.org/"
"https://helix.cachix.org"
"https://nix-community.cachix.org"
- "https://nix.h.lyte.dev"
+ # "https://nix.h.lyte.dev"
"https://hyprland.cachix.org"
];
@@ -221,6 +221,8 @@
final.helix = helix;
# TODO: would love to use a current wezterm build so I can make use of ssh/mux functionality without breakage
# source: https://github.com/wez/wezterm/issues/3771
+ # not-yet-merged (abandoned?): https://github.com/wez/wezterm/pull/4737
+ # I did try using the latest code via the flake, but alas it did not resolve my issues with mux'ing
wezterm = wezterm-input.outputs.packages.${prev.system}.default;
final.wezterm = wezterm;
};
@@ -250,21 +252,15 @@
modules = with nixosModules; [
home-manager-defaults
+ # TODO: disko?
hardware.nixosModules.common-cpu-intel
common
+ troubleshooting-tools
linux
fonts
./nixos/beefcake.nix
-
- {
- time = {
- timeZone = "America/Chicago";
- };
- services.smartd.enable = true;
- services.fwupd.enable = true;
- }
];
};
diff --git a/modules/home-manager/default.nix b/modules/home-manager/default.nix
index 3512334..63a2833 100644
--- a/modules/home-manager/default.nix
+++ b/modules/home-manager/default.nix
@@ -1249,7 +1249,7 @@
# docs: https://wezfurlong.org/wezterm/config/appearance.html#defining-your-own-colors
programs.wezterm = with colors.withHashPrefix; {
enable = true;
- package = pkgs.wezterm;
+ # package = pkgs.wezterm;
extraConfig = builtins.readFile ./wezterm/config.lua;
colorSchemes = {
catppuccin-mocha-sapphire = {
diff --git a/modules/home-manager/wezterm/config.lua b/modules/home-manager/wezterm/config.lua
index a642934..ba00a7e 100644
--- a/modules/home-manager/wezterm/config.lua
+++ b/modules/home-manager/wezterm/config.lua
@@ -22,6 +22,8 @@ config.window_background_opacity = 1.0
config.enable_kitty_keyboard = true
config.show_new_tab_button_in_tab_bar = true
+-- config.front_end = "WebGpu"
+
local function tab_title(tab_info)
local title = tab_info.tab_title
if title and #title > 0 then
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index f45e13e..c79f654 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -250,7 +250,7 @@
"https://cache.nixos.org/"
"https://helix.cachix.org"
"https://nix-community.cachix.org"
- "https://nix.h.lyte.dev"
+ # "https://nix.h.lyte.dev"
"https://hyprland.cachix.org"
];
trusted-public-keys = [
diff --git a/nixos/beefcake.nix b/nixos/beefcake.nix
index 35932a7..6fc2b38 100644
--- a/nixos/beefcake.nix
+++ b/nixos/beefcake.nix
@@ -23,33 +23,31 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
{
# hardware
boot = {
- initrd.availableKernelModules = ["ehci_pci" "megaraid_sas" "usbhid" "uas" "sd_mod"];
+ initrd.availableKernelModules = ["ehci_pci" "mpt3sas" "usbhid" "sd_mod"];
kernelModules = ["kvm-intel"];
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
};
fileSystems."/" = {
- device = "/dev/disk/by-uuid/0747dcba-f590-42e6-89c8-6cb2f9114d64";
+ device = "/dev/disk/by-uuid/992ce55c-7507-4d6b-938c-45b7e891f395";
fsType = "ext4";
- options = [
- "usrquota"
- ];
};
fileSystems."/boot" = {
- device = "/dev/disk/by-uuid/7E3C-9018";
+ device = "/dev/disk/by-uuid/B6C4-7CF4";
fsType = "vfat";
+ options = ["fmask=0022" "dmask=0022"];
};
- fileSystems."/storage" = {
- device = "/dev/disk/by-uuid/ea8258d7-54d1-430e-93b3-e15d33231063";
- fsType = "btrfs";
- options = [
- "compress=zstd:5"
- "space_cache=v2"
- ];
- };
+ # fileSystems."/storage" = {
+ # device = "/dev/disk/by-uuid/ea8258d7-54d1-430e-93b3-e15d33231063";
+ # fsType = "btrfs";
+ # options = [
+ # "compress=zstd:5"
+ # "space_cache=v2"
+ # ];
+ # };
}
{
# sops secrets stuff
@@ -83,36 +81,36 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
# subdirectory
# "myservice/my_subdir/my_secret" = { };
- "jland.env" = {
- path = "/var/lib/jland/jland.env";
- # TODO: would be cool to assert that it's correctly-formatted JSON? probably should be done in a pre-commit hook?
- mode = "0440";
- owner = config.users.users.daniel.name;
- group = config.users.groups.daniel.name;
- };
+ # "jland.env" = {
+ # path = "/var/lib/jland/jland.env";
+ # # TODO: would be cool to assert that it's correctly-formatted JSON? probably should be done in a pre-commit hook?
+ # mode = "0440";
+ # owner = config.users.users.daniel.name;
+ # group = config.users.groups.daniel.name;
+ # };
- "dawncraft.env" = {
- path = "/var/lib/dawncraft/dawncraft.env";
- # TODO: would be cool to assert that it's correctly-formatted JSON? probably should be done in a pre-commit hook?
- mode = "0440";
- owner = config.users.users.daniel.name;
- group = config.users.groups.daniel.name;
- };
+ # "dawncraft.env" = {
+ # path = "/var/lib/dawncraft/dawncraft.env";
+ # # TODO: would be cool to assert that it's correctly-formatted JSON? probably should be done in a pre-commit hook?
+ # mode = "0440";
+ # owner = config.users.users.daniel.name;
+ # group = config.users.groups.daniel.name;
+ # };
- plausible-admin-password = {
- # TODO: path = "${config.systemd.services.plausible.serviceConfig.WorkingDirectory}/plausible-admin-password.txt";
- path = "/var/lib/plausible/plausible-admin-password";
- mode = "0440";
- owner = config.systemd.services.plausible.serviceConfig.User;
- group = config.systemd.services.plausible.serviceConfig.Group;
- };
- plausible-secret-key-base = {
- path = "/var/lib/plausible/plausible-secret-key-base";
- mode = "0440";
- owner = config.systemd.services.plausible.serviceConfig.User;
- group = config.systemd.services.plausible.serviceConfig.Group;
- };
- nextcloud-admin-password.path = "/var/lib/nextcloud/admin-password";
+ # plausible-admin-password = {
+ # # TODO: path = "${config.systemd.services.plausible.serviceConfig.WorkingDirectory}/plausible-admin-password.txt";
+ # path = "/var/lib/plausible/plausible-admin-password";
+ # mode = "0440";
+ # owner = config.systemd.services.plausible.serviceConfig.User;
+ # group = config.systemd.services.plausible.serviceConfig.Group;
+ # };
+ # plausible-secret-key-base = {
+ # path = "/var/lib/plausible/plausible-secret-key-base";
+ # mode = "0440";
+ # owner = config.systemd.services.plausible.serviceConfig.User;
+ # group = config.systemd.services.plausible.serviceConfig.Group;
+ # };
+ # nextcloud-admin-password.path = "/var/lib/nextcloud/admin-password";
"forgejo-runner.env" = {mode = "0400";};
};
};
@@ -120,6 +118,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
}
{
# nix binary cache
+ # TODO: move /nix to a big drive?
services.nix-serve = {
enable = true;
secretKeyFile = "/var/cache-priv-key.pem";
@@ -136,79 +135,77 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
# regularly build this flake so we have stuff in the cache
# TODO: schedule this for nightly builds instead of intervals based on boot time
- systemd.timers."build-lytedev-flake" = {
- wantedBy = ["timers.target"];
- timerConfig = {
- OnBootSec = "30m"; # 30 minutes after booting
- OnUnitActiveSec = "1d"; # every day afterwards
- Unit = "build-lytedev-flake.service";
- };
- };
+ # systemd.timers."build-lytedev-flake" = {
+ # wantedBy = ["timers.target"];
+ # timerConfig = {
+ # OnBootSec = "30m"; # 30 minutes after booting
+ # OnUnitActiveSec = "1d"; # every day afterwards
+ # Unit = "build-lytedev-flake.service";
+ # };
+ # };
- systemd.services."build-lytedev-flake" = {
- script = ''
- # build self (main server) configuration
- nixos-rebuild build --flake git+https://git.lyte.dev/lytedev/nix.git --accept-flake-config
- # build desktop configuration
- nixos-rebuild build --flake git+https://git.lyte.dev/lytedev/nix.git#dragon --accept-flake-config
- # build main laptop configuration
- nixos-rebuild build --flake git+https://git.lyte.dev/lytedev/nix.git#foxtrot --accept-flake-config
- '';
- path = with pkgs; [openssh git nixos-rebuild];
- serviceConfig = {
- # TODO: mkdir -p...?
- WorkingDirectory = "/home/daniel/.home/nightly-flake-builds";
- Type = "oneshot";
- User = "daniel"; # might have to run as me for git ssh access to the repo
- };
- };
+ # systemd.services."build-lytedev-flake" = {
+ # script = ''
+ # # build self (main server) configuration
+ # nixos-rebuild build --flake git+https://git.lyte.dev/lytedev/nix.git --accept-flake-config
+ # # build desktop configuration
+ # nixos-rebuild build --flake git+https://git.lyte.dev/lytedev/nix.git#dragon --accept-flake-config
+ # # build main laptop configuration
+ # nixos-rebuild build --flake git+https://git.lyte.dev/lytedev/nix.git#foxtrot --accept-flake-config
+ # '';
+ # path = with pkgs; [openssh git nixos-rebuild];
+ # serviceConfig = {
+ # # TODO: mkdir -p...?
+ # WorkingDirectory = "/home/daniel/.home/nightly-flake-builds";
+ # Type = "oneshot";
+ # User = "daniel"; # might have to run as me for git ssh access to the repo
+ # };
+ # };
networking = {
extraHosts = ''
::1 nix.h.lyte.dev
127.0.0.1 nix.h.lyte.dev
- ::1 idm.h.lyte.dev
- 127.0.0.1 idm.h.lyte.dev
'';
};
}
- {
- services.headscale = {
- enable = true;
- address = "127.0.0.1";
- port = 7777;
- settings = {
- server_url = "https://tailscale.vpn.h.lyte.dev";
- db_type = "sqlite3";
- db_path = "/var/lib/headscale/db.sqlite";
+ # {
+ # services.headscale = {
+ # enable = true;
+ # address = "127.0.0.1";
+ # port = 7777;
+ # settings = {
+ # server_url = "https://tailscale.vpn.h.lyte.dev";
+ # db_type = "sqlite3";
+ # db_path = "/var/lib/headscale/db.sqlite";
- derp.server = {
- enable = true;
- region_id = 999;
- stun_listen_addr = "0.0.0.0:3478";
- };
+ # derp.server = {
+ # enable = true;
+ # region_id = 999;
+ # stun_listen_addr = "0.0.0.0:3478";
+ # };
- dns_config = {
- magic_dns = true;
- base_domain = "vpn.h.lyte.dev";
- domains = [
- "ts.vpn.h.lyte.dev"
- ];
- nameservers = [
- "1.1.1.1"
- # "192.168.0.1"
- ];
- override_local_dns = true;
- };
- };
- };
- services.caddy.virtualHosts."tailscale.vpn.h.lyte.dev" = {
- extraConfig = ''
- reverse_proxy http://localhost:${toString config.services.headscale.port}
- '';
- };
- networking.firewall.allowedUDPPorts = [3478];
- }
+ # dns_config = {
+ # magic_dns = true;
+ # base_domain = "vpn.h.lyte.dev";
+ # domains = [
+ # "ts.vpn.h.lyte.dev"
+ # ];
+ # nameservers = [
+ # "1.1.1.1"
+ # # "192.168.0.1"
+ # ];
+ # override_local_dns = true;
+ # };
+ # };
+ # };
+ # services.caddy.virtualHosts."tailscale.vpn.h.lyte.dev" = {
+ # extraConfig = ''
+ # reverse_proxy http://localhost:${toString config.services.headscale.port}
+ # '';
+ # };
+ # networking.firewall.allowedUDPPorts = [3478];
+ # }
{
services.soju = {
enable = true;
@@ -218,117 +215,117 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
6667
];
}
- {
- # samba
- users.users.guest = {
- # used for anonymous samba access
- isSystemUser = true;
- group = "users";
- createHome = true;
- };
- users.users.scannerupload = {
- # used for scanner samba access
- isSystemUser = true;
- group = "users";
- createHome = true;
- };
- systemd.tmpfiles.rules = [
- "d /var/spool/samba 1777 root root -"
- ];
- services.samba-wsdd = {
- enable = true;
- };
- services.samba = {
- enable = true;
- openFirewall = true;
- securityType = "user";
+ # {
+ # # samba
+ # users.users.guest = {
+ # # used for anonymous samba access
+ # isSystemUser = true;
+ # group = "users";
+ # createHome = true;
+ # };
+ # users.users.scannerupload = {
+ # # used for scanner samba access
+ # isSystemUser = true;
+ # group = "users";
+ # createHome = true;
+ # };
+ # systemd.tmpfiles.rules = [
+ # "d /var/spool/samba 1777 root root -"
+ # ];
+ # services.samba-wsdd = {
+ # enable = true;
+ # };
+ # services.samba = {
+ # enable = true;
+ # openFirewall = true;
+ # securityType = "user";
- # not needed since I don't think I use printer sharing?
- # https://nixos.wiki/wiki/Samba#Printer_sharing
- # package = pkgs.sambaFull; # broken last I checked in nixpkgs?
+ # # not needed since I don't think I use printer sharing?
+ # # https://nixos.wiki/wiki/Samba#Printer_sharing
+ # # package = pkgs.sambaFull; # broken last I checked in nixpkgs?
- extraConfig = ''
- workgroup = WORKGROUP
- server string = beefcake
- netbios name = beefcake
- security = user
- #use sendfile = yes
- #max protocol = smb2
- # note: localhost is the ipv6 localhost ::1
- hosts allow = 100.64.0.0/10 192.168.0.0/16 127.0.0.1 localhost
- hosts deny = 0.0.0.0/0
- guest account = guest
- map to guest = never
- # load printers = yes
- # printing = cups
- # printcap name = cups
- '';
- shares = {
- libre = {
- path = "/storage/libre";
- browseable = "yes";
- "read only" = "no";
- "guest ok" = "yes";
- "create mask" = "0666";
- "directory mask" = "0777";
- # "force user" = "nobody";
- # "force group" = "users";
- };
- public = {
- path = "/storage/public";
- browseable = "yes";
- "read only" = "no";
- "guest ok" = "yes";
- "create mask" = "0664";
- "directory mask" = "0775";
- # "force user" = "nobody";
- # "force group" = "users";
- };
- family = {
- path = "/storage/family";
- browseable = "yes";
- "read only" = "no";
- "guest ok" = "no";
- "create mask" = "0660";
- "directory mask" = "0770";
- # "force user" = "nobody";
- # "force group" = "family";
- };
- scannerdocs = {
- path = "/storage/scannerdocs";
- browseable = "yes";
- "read only" = "no";
- "guest ok" = "no";
- "create mask" = "0600";
- "directory mask" = "0700";
- "valid users" = "scannerupload";
- "force user" = "scannerupload";
- "force group" = "users";
- };
- daniel = {
- path = "/storage/daniel";
- browseable = "yes";
- "read only" = "no";
- "guest ok" = "no";
- "create mask" = "0600";
- "directory mask" = "0700";
- # "force user" = "daniel";
- # "force group" = "users";
- };
- # printers = {
- # comment = "All Printers";
- # path = "/var/spool/samba";
- # public = "yes";
- # browseable = "yes";
- # # to allow user 'guest account' to print.
- # "guest ok" = "yes";
- # writable = "no";
- # printable = "yes";
- # "create mode" = 0700;
- # };
- };
- };
- }
+ # extraConfig = ''
+ # workgroup = WORKGROUP
+ # server string = beefcake
+ # netbios name = beefcake
+ # security = user
+ # #use sendfile = yes
+ # #max protocol = smb2
+ # # note: localhost is the ipv6 localhost ::1
+ # hosts allow = 100.64.0.0/10 192.168.0.0/16 127.0.0.1 localhost
+ # hosts deny = 0.0.0.0/0
+ # guest account = guest
+ # map to guest = never
+ # # load printers = yes
+ # # printing = cups
+ # # printcap name = cups
+ # '';
+ # shares = {
+ # libre = {
+ # path = "/storage/libre";
+ # browseable = "yes";
+ # "read only" = "no";
+ # "guest ok" = "yes";
+ # "create mask" = "0666";
+ # "directory mask" = "0777";
+ # # "force user" = "nobody";
+ # # "force group" = "users";
+ # };
+ # public = {
+ # path = "/storage/public";
+ # browseable = "yes";
+ # "read only" = "no";
+ # "guest ok" = "yes";
+ # "create mask" = "0664";
+ # "directory mask" = "0775";
+ # # "force user" = "nobody";
+ # # "force group" = "users";
+ # };
+ # family = {
+ # path = "/storage/family";
+ # browseable = "yes";
+ # "read only" = "no";
+ # "guest ok" = "no";
+ # "create mask" = "0660";
+ # "directory mask" = "0770";
+ # # "force user" = "nobody";
+ # # "force group" = "family";
+ # };
+ # scannerdocs = {
+ # path = "/storage/scannerdocs";
+ # browseable = "yes";
+ # "read only" = "no";
+ # "guest ok" = "no";
+ # "create mask" = "0600";
+ # "directory mask" = "0700";
+ # "valid users" = "scannerupload";
+ # "force user" = "scannerupload";
+ # "force group" = "users";
+ # };
+ # daniel = {
+ # path = "/storage/daniel";
+ # browseable = "yes";
+ # "read only" = "no";
+ # "guest ok" = "no";
+ # "create mask" = "0600";
+ # "directory mask" = "0700";
+ # # "force user" = "daniel";
+ # # "force group" = "users";
+ # };
+ # # printers = {
+ # # comment = "All Printers";
+ # # path = "/var/spool/samba";
+ # # public = "yes";
+ # # browseable = "yes";
+ # # # to allow user 'guest account' to print.
+ # # "guest ok" = "yes";
+ # # writable = "no";
+ # # printable = "yes";
+ # # "create mode" = 0700;
+ # # };
+ # };
+ # };
+ # }
{
# nextcloud
# users.users.nextcloud = {
@@ -337,988 +334,988 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
# group = "nextcloud";
# };
}
- {
- # plausible
- users.users.plausible = {
- isSystemUser = true;
- createHome = false;
- group = "plausible";
- };
- users.extraGroups = {
- "plausible" = {};
- };
- services.plausible = {
- # TODO: enable
- enable = true;
- database = {
- clickhouse.setup = true;
- postgres = {
- setup = false;
- dbname = "plausible";
- };
- };
- server = {
- baseUrl = "https://a.lyte.dev";
- disableRegistration = true;
- port = 8899;
- secretKeybaseFile = config.sops.secrets.plausible-secret-key-base.path;
- };
- adminUser = {
- activate = false;
- email = "daniel@lyte.dev";
- passwordFile = config.sops.secrets.plausible-admin-password.path;
- };
- };
- systemd.services.plausible = let
- cfg = config.services.plausible;
- in {
- serviceConfig.User = "plausible";
- serviceConfig.Group = "plausible";
- # since createdb is not gated behind postgres.setup, this breaks
- script = lib.mkForce ''
- # Elixir does not start up if `RELEASE_COOKIE` is not set,
- # even though we set `RELEASE_DISTRIBUTION=none` so the cookie should be unused.
- # Thus, make a random one, which should then be ignored.
- export RELEASE_COOKIE=$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 20)
- export ADMIN_USER_PWD="$(< $CREDENTIALS_DIRECTORY/ADMIN_USER_PWD )"
- export SECRET_KEY_BASE="$(< $CREDENTIALS_DIRECTORY/SECRET_KEY_BASE )"
+ # {
+ # # plausible
+ # users.users.plausible = {
+ # isSystemUser = true;
+ # createHome = false;
+ # group = "plausible";
+ # };
+ # users.extraGroups = {
+ # "plausible" = {};
+ # };
+ # services.plausible = {
+ # # TODO: enable
+ # enable = true;
+ # database = {
+ # clickhouse.setup = true;
+ # postgres = {
+ # setup = false;
+ # dbname = "plausible";
+ # };
+ # };
+ # server = {
+ # baseUrl = "https://a.lyte.dev";
+ # disableRegistration = true;
+ # port = 8899;
+ # secretKeybaseFile = config.sops.secrets.plausible-secret-key-base.path;
+ # };
+ # adminUser = {
+ # activate = false;
+ # email = "daniel@lyte.dev";
+ # passwordFile = config.sops.secrets.plausible-admin-password.path;
+ # };
+ # };
+ # systemd.services.plausible = let
+ # cfg = config.services.plausible;
+ # in {
+ # serviceConfig.User = "plausible";
+ # serviceConfig.Group = "plausible";
+ # # since createdb is not gated behind postgres.setup, this breaks
+ # script = lib.mkForce ''
+ # # Elixir does not start up if `RELEASE_COOKIE` is not set,
+ # # even though we set `RELEASE_DISTRIBUTION=none` so the cookie should be unused.
+ # # Thus, make a random one, which should then be ignored.
+ # export RELEASE_COOKIE=$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 20)
+ # export ADMIN_USER_PWD="$(< $CREDENTIALS_DIRECTORY/ADMIN_USER_PWD )"
+ # export SECRET_KEY_BASE="$(< $CREDENTIALS_DIRECTORY/SECRET_KEY_BASE )"
- ${lib.optionalString (cfg.mail.smtp.passwordFile != null)
- ''export SMTP_USER_PWD="$(< $CREDENTIALS_DIRECTORY/SMTP_USER_PWD )"''}
+ # ${lib.optionalString (cfg.mail.smtp.passwordFile != null)
+ # ''export SMTP_USER_PWD="$(< $CREDENTIALS_DIRECTORY/SMTP_USER_PWD )"''}
- # setup
- ${
- if cfg.database.postgres.setup
- then "${cfg.package}/createdb.sh"
- else ""
- }
- ${cfg.package}/migrate.sh
- export IP_GEOLOCATION_DB=${pkgs.dbip-country-lite}/share/dbip/dbip-country-lite.mmdb
- ${cfg.package}/bin/plausible eval "(Plausible.Release.prepare() ; Plausible.Auth.create_user(\"$ADMIN_USER_NAME\", \"$ADMIN_USER_EMAIL\", \"$ADMIN_USER_PWD\"))"
- ${lib.optionalString cfg.adminUser.activate ''
- psql -d plausible <<< "UPDATE users SET email_verified=true where email = '$ADMIN_USER_EMAIL';"
- ''}
+ # # setup
+ # ${
+ # if cfg.database.postgres.setup
+ # then "${cfg.package}/createdb.sh"
+ # else ""
+ # }
+ # ${cfg.package}/migrate.sh
+ # export IP_GEOLOCATION_DB=${pkgs.dbip-country-lite}/share/dbip/dbip-country-lite.mmdb
+ # ${cfg.package}/bin/plausible eval "(Plausible.Release.prepare() ; Plausible.Auth.create_user(\"$ADMIN_USER_NAME\", \"$ADMIN_USER_EMAIL\", \"$ADMIN_USER_PWD\"))"
+ # ${lib.optionalString cfg.adminUser.activate ''
+ # psql -d plausible <<< "UPDATE users SET email_verified=true where email = '$ADMIN_USER_EMAIL';"
+ # ''}
- exec plausible start
- '';
- };
- services.caddy.virtualHosts."a.lyte.dev" = {
- extraConfig = ''
- reverse_proxy :${toString config.services.plausible.server.port}
- '';
- };
- }
- {
- # clickhouse
- environment.etc = {
- "clickhouse-server/users.d/disable-logging-query.xml" = {
- text = ''
-
-
-
- 0
- 0
-
-
-
- '';
- };
- "clickhouse-server/config.d/reduce-logging.xml" = {
- text = ''
-
-
- warning
- true
-
-
-
-
-
-
-
-
-
-
- '';
- };
- };
- }
+ # exec plausible start
+ # '';
+ # };
+ # services.caddy.virtualHosts."a.lyte.dev" = {
+ # extraConfig = ''
+ # reverse_proxy :${toString config.services.plausible.server.port}
+ # '';
+ # };
+ # }
+ # {
+ # # clickhouse
+ # environment.etc = {
+ # "clickhouse-server/users.d/disable-logging-query.xml" = {
+ # text = ''
+ #
+ #
+ #
+ # 0
+ # 0
+ #
+ #
+ #
+ # '';
+ # };
+ # "clickhouse-server/config.d/reduce-logging.xml" = {
+ # text = ''
+ #
+ #
+ # warning
+ # true
+ #
+ #
+ #
+ #
+ #
+ #
+ #
+ #
+ #
+ #
+ # '';
+ # };
+ # };
+ # }
{
# daniel augments
users.groups.daniel.members = ["daniel"];
users.groups.nixadmin.members = ["daniel"];
users.users.daniel = {
extraGroups = [
- "nixadmin" # write access to /etc/nixos/ files
+ # "nixadmin" # write access to /etc/nixos/ files
"wheel" # sudo access
- "caddy" # write access to /storage/files.lyte.dev
+ "caddy" # write access to public static files
"users" # general users group
- "jellyfin" # write access to /storage/jellyfin
- "audiobookshelf" # write access to /storage/audiobookshelf
- "flanilla"
+ "jellyfin" # write access to jellyfin files
+ "audiobookshelf" # write access to audiobookshelf files
+ "flanilla" # minecraft server manager
];
};
}
- {
- services.jellyfin = {
- enable = true;
- openFirewall = false;
- # uses port 8096 by default, configurable from admin UI
- };
- services.caddy.virtualHosts."video.lyte.dev" = {
- extraConfig = ''reverse_proxy :8096'';
- };
- # NOTE: this server's xeon chips DO NOT seem to support quicksync or graphics in general
- # but I can probably throw in a crappy GPU (or a big, cheap ebay GPU for ML
- # stuff, too?) and get good transcoding performance
+ # {
+ # services.jellyfin = {
+ # enable = true;
+ # openFirewall = false;
+ # # uses port 8096 by default, configurable from admin UI
+ # };
+ # services.caddy.virtualHosts."video.lyte.dev" = {
+ # extraConfig = ''reverse_proxy :8096'';
+ # };
+ # # NOTE: this server's xeon chips DO NOT seem to support quicksync or graphics in general
+ # # but I can probably throw in a crappy GPU (or a big, cheap ebay GPU for ML
+ # # stuff, too?) and get good transcoding performance
- # jellyfin hardware encoding
- # hardware.graphics = {
- # enable = true;
- # extraPackages = with pkgs; [
- # intel-media-driver
- # vaapiIntel
- # vaapiVdpau
- # libvdpau-va-gl
- # intel-compute-runtime
- # ];
- # };
- # nixpkgs.config.packageOverrides = pkgs: {
- # vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
- # };
- }
- {
- services.postgresql = {
- enable = true;
- ensureDatabases = [
- "daniel"
- "plausible"
- "nextcloud"
- # "atuin"
- ];
- ensureUsers = [
- {
- name = "daniel";
- ensureDBOwnership = true;
- }
- {
- name = "plausible";
- ensureDBOwnership = true;
- }
- {
- name = "nextcloud";
- ensureDBOwnership = true;
- }
- # {
- # name = "atuin";
- # ensureDBOwnership = true;
- # }
- ];
- dataDir = "/storage/postgres";
- enableTCPIP = true;
+ # # jellyfin hardware encoding
+ # # hardware.graphics = {
+ # # enable = true;
+ # # extraPackages = with pkgs; [
+ # # intel-media-driver
+ # # vaapiIntel
+ # # vaapiVdpau
+ # # libvdpau-va-gl
+ # # intel-compute-runtime
+ # # ];
+ # # };
+ # # nixpkgs.config.packageOverrides = pkgs: {
+ # # vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
+ # # };
+ # }
+ # {
+ # services.postgresql = {
+ # enable = true;
+ # ensureDatabases = [
+ # "daniel"
+ # "plausible"
+ # "nextcloud"
+ # # "atuin"
+ # ];
+ # ensureUsers = [
+ # {
+ # name = "daniel";
+ # ensureDBOwnership = true;
+ # }
+ # {
+ # name = "plausible";
+ # ensureDBOwnership = true;
+ # }
+ # {
+ # name = "nextcloud";
+ # ensureDBOwnership = true;
+ # }
+ # # {
+ # # name = "atuin";
+ # # ensureDBOwnership = true;
+ # # }
+ # ];
+ # dataDir = "/storage/postgres";
+ # enableTCPIP = true;
- package = pkgs.postgresql_15;
+ # package = pkgs.postgresql_15;
- # https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
- authentication = pkgs.lib.mkOverride 10 ''
- #type database user auth-method auth-options
- local all postgres peer map=superuser_map
- local all daniel peer map=superuser_map
- local sameuser all peer map=superuser_map
- # local plausible plausible peer
- # local nextcloud nextcloud peer
- # local atuin atuin peer
+ # # https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
+ # authentication = pkgs.lib.mkOverride 10 ''
+ # #type database user auth-method auth-options
+ # local all postgres peer map=superuser_map
+ # local all daniel peer map=superuser_map
+ # local sameuser all peer map=superuser_map
+ # # local plausible plausible peer
+ # # local nextcloud nextcloud peer
+ # # local atuin atuin peer
- # lan ipv4
- host all daniel 192.168.0.0/16 trust
- host all daniel 10.0.0.0/24 trust
+ # # lan ipv4
+ # host all daniel 192.168.0.0/16 trust
+ # host all daniel 10.0.0.0/24 trust
- # tailnet ipv4
- host all daniel 100.64.0.0/10 trust
- '';
+ # # tailnet ipv4
+ # host all daniel 100.64.0.0/10 trust
+ # '';
- identMap = ''
- # map system_user db_user
- superuser_map root postgres
- superuser_map postgres postgres
- superuser_map daniel postgres
+ # identMap = ''
+ # # map system_user db_user
+ # superuser_map root postgres
+ # superuser_map postgres postgres
+ # superuser_map daniel postgres
- # Let other names login as themselves
- superuser_map /^(.*)$ \1
- '';
- };
+ # # Let other names login as themselves
+ # superuser_map /^(.*)$ \1
+ # '';
+ # };
- services.postgresqlBackup = {
- enable = true;
- backupAll = true;
- compression = "none"; # hoping for deduplication here?
- location = "/storage/postgres-backups";
- startAt = "*-*-* 03:00:00";
- };
- }
- {
- # friends
- users.users.ben = {
- isNormalUser = true;
- packages = [pkgs.vim];
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUfLZ+IX85p9355Po2zP1H2tAxiE0rE6IYb8Sf+eF9T ben@benhany.com"
- ];
- };
+ # services.postgresqlBackup = {
+ # enable = true;
+ # backupAll = true;
+ # compression = "none"; # hoping for deduplication here?
+ # location = "/storage/postgres-backups";
+ # startAt = "*-*-* 03:00:00";
+ # };
+ # }
+ # {
+ # # friends
+ # users.users.ben = {
+ # isNormalUser = true;
+ # packages = [pkgs.vim];
+ # openssh.authorizedKeys.keys = [
+ # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUfLZ+IX85p9355Po2zP1H2tAxiE0rE6IYb8Sf+eF9T ben@benhany.com"
+ # ];
+ # };
- users.users.alan = {
- isNormalUser = true;
- packages = [pkgs.vim];
- openssh.authorizedKeys.keys = [
- ""
- ];
- };
+ # users.users.alan = {
+ # isNormalUser = true;
+ # packages = [pkgs.vim];
+ # openssh.authorizedKeys.keys = [
+ # ""
+ # ];
+ # };
- networking.firewall.allowedTCPPorts = [
- 64022
- ];
- networking.firewall.allowedUDPPorts = [
- 64020
- ];
- }
- {
- # flanilla family minecraft server
- users.groups.flanilla = {};
- users.users.flanilla = {
- isSystemUser = true;
- createHome = false;
- group = "flanilla";
- };
- }
- {
- # restic backups
- users.users.restic = {
- # used for other machines to backup to
- isNormalUser = true;
- openssh.authorizedKeys.keys =
- [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJbPqzKB09U+i4Kqu136yOjflLZ/J7pYsNulTAd4x903 root@chromebox.h.lyte.dev"
- ]
- ++ config.users.users.daniel.openssh.authorizedKeys.keys;
- };
- # TODO: move previous backups over and put here
- # clickhouse and plausible analytics once they're up and running?
- services.restic.backups = let
- defaults = {
- passwordFile = "/root/restic-remotebackup-password";
- paths = [
- "/storage/files.lyte.dev"
- "/storage/daniel"
- "/storage/forgejo" # TODO: should maybe use configuration.nix's services.forgejo.dump ?
- "/storage/postgres-backups"
+ # networking.firewall.allowedTCPPorts = [
+ # 64022
+ # ];
+ # networking.firewall.allowedUDPPorts = [
+ # 64020
+ # ];
+ # }
+ # {
+ # # flanilla family minecraft server
+ # users.groups.flanilla = {};
+ # users.users.flanilla = {
+ # isSystemUser = true;
+ # createHome = false;
+ # group = "flanilla";
+ # };
+ # }
+ # {
+ # # restic backups
+ # users.users.restic = {
+ # # used for other machines to backup to
+ # isNormalUser = true;
+ # openssh.authorizedKeys.keys =
+ # [
+ # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJbPqzKB09U+i4Kqu136yOjflLZ/J7pYsNulTAd4x903 root@chromebox.h.lyte.dev"
+ # ]
+ # ++ config.users.users.daniel.openssh.authorizedKeys.keys;
+ # };
+ # # TODO: move previous backups over and put here
+ # # clickhouse and plausible analytics once they're up and running?
+ # services.restic.backups = let
+ # defaults = {
+ # passwordFile = "/root/restic-remotebackup-password";
+ # paths = [
+ # "/storage/files.lyte.dev"
+ # "/storage/daniel"
+ # "/storage/forgejo" # TODO: should maybe use configuration.nix's services.forgejo.dump ?
+ # "/storage/postgres-backups"
- # https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault
- # specifically, https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault#sqlite-database-files
- "/var/lib/bitwarden_rs" # does this need any sqlite preprocessing?
+ # # https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault
+ # # specifically, https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault#sqlite-database-files
+ # "/var/lib/bitwarden_rs" # does this need any sqlite preprocessing?
- # TODO: backup *arr configs?
- ];
- initialize = true;
- exclude = [];
- timerConfig = {
- OnCalendar = ["04:45" "17:45"];
- };
- };
- in {
- local =
- defaults
- // {
- passwordFile = "/root/restic-localbackup-password";
- repository = "/storage/backups/local";
- };
- rascal =
- defaults
- // {
- extraOptions = [
- "sftp.command='ssh beefcake@rascal -i /root/.ssh/id_ed25519 -s sftp'"
- ];
- repository = "sftp://beefcake@rascal://storage/backups/beefcake";
- };
- # TODO: add ruby?
- benland =
- defaults
- // {
- extraOptions = [
- "sftp.command='ssh daniel@n.benhaney.com -p 10022 -i /root/.ssh/id_ed25519 -s sftp'"
- ];
- repository = "sftp://daniel@n.benhaney.com://storage/backups/beefcake";
- };
- };
- }
- {
- services.caddy = {
- # TODO: 502 and other error pages
- enable = true;
- email = "daniel@lyte.dev";
- adapter = "caddyfile";
- virtualHosts = {
- "dev.h.lyte.dev" = {
- extraConfig = ''
- reverse_proxy :8000
- '';
- };
- "files.lyte.dev" = {
- # TODO: customize the files.lyte.dev template?
- extraConfig = ''
- # @options {
- # method OPTIONS
- # }
- # @corsOrigin {
- # header_regexp Origin ^https?://([a-zA-Z0-9-]+\.)*lyte\.dev$
- # }
- header {
- Access-Control-Allow-Origin "{http.request.header.Origin}"
- Access-Control-Allow-Credentials true
- Access-Control-Allow-Methods *
- Access-Control-Allow-Headers *
- Vary Origin
- defer
- }
- # reverse_proxy shuwashuwa:8848 {
- # header_down -Access-Control-Allow-Origin
- # }
- file_server browse {
- # browse template
- # hide .*
- root /storage/files.lyte.dev
- }
- '';
- };
- };
- # acmeCA = "https://acme-staging-v02.api.letsencrypt.org/directory";
- };
- networking.firewall.allowedTCPPorts = [
- 8000 # random development stuff
- ];
- }
- {
- services.forgejo = {
- enable = true;
- stateDir = "/storage/forgejo";
- settings = {
- DEFAULT = {
- APP_NAME = "git.lyte.dev";
- };
- server = {
- ROOT_URL = "https://git.lyte.dev";
- HTTP_ADDR = "127.0.0.1";
- HTTP_PORT = 3088;
- DOMAIN = "git.lyte.dev";
- };
- actions = {
- ENABLED = true;
- };
- service = {
- DISABLE_REGISTRATION = true;
- };
- session = {
- COOKIE_SECURE = true;
- };
- log = {
- # TODO: raise the log level
- # LEVEL = "Debug";
- };
- ui = {
- THEMES = "forgejo-auto,forgejo-light,forgejo-dark,catppuccin-mocha-sapphire";
- DEFAULT_THEME = "forgejo-auto";
- };
- indexer = {
- REPO_INDEXER_ENABLED = "true";
- REPO_INDEXER_PATH = "indexers/repos.bleve";
- MAX_FILE_SIZE = "1048576";
- # REPO_INDEXER_INCLUDE =
- REPO_INDEXER_EXCLUDE = "resources/bin/**";
- };
- };
- lfs = {
- enable = true;
- };
- dump = {
- enable = true;
- };
- database = {
- # TODO: move to postgres?
- type = "sqlite3";
- };
- };
- services.gitea-actions-runner = {
- # TODO: simple git-based automation would be dope? maybe especially for
- # mirroring to github super easy?
- # enable = true;
- package = pkgs.forgejo-runner;
- instances."beefcake" = {
- enable = true;
- name = "beefcake";
- url = "https://git.lyte.dev";
- settings = {
- container = {
- # use the shared network which is bridged by default
- # this lets us hit git.lyte.dev just fine
- network = "podman";
- };
- };
- labels = [
- # type ":host" does not depend on docker/podman/lxc
- "podman"
- "nix:docker://git.lyte.dev/lytedev/nix:latest"
- "beefcake:host"
- "nixos-host:host"
- ];
- tokenFile = config.sops.secrets."forgejo-runner.env".path;
- hostPackages = with pkgs; [
- nix
- bash
- coreutils
- curl
- gawk
- gitMinimal
- gnused
- nodejs
- gnutar # needed for cache action
- wget
- ];
- };
- };
- # environment.systemPackages = with pkgs; [nodejs];
- services.caddy.virtualHosts."git.lyte.dev" = {
- extraConfig = ''
- reverse_proxy :${toString config.services.forgejo.settings.server.HTTP_PORT}
- '';
- };
- services.caddy.virtualHosts."http://git.beefcake.lan" = {
- extraConfig = ''
- reverse_proxy :${toString config.services.forgejo.settings.server.HTTP_PORT}
- '';
- };
- }
- {
- services.vaultwarden = {
- enable = true;
- config = {
- DOMAIN = "https://bw.lyte.dev";
- SIGNUPS_ALLOWED = "false";
- ROCKET_ADDRESS = "127.0.0.1";
- ROCKET_PORT = 8222;
- };
- };
- services.caddy.virtualHosts."bw.lyte.dev" = {
- extraConfig = ''reverse_proxy :${toString config.services.vaultwarden.config.ROCKET_PORT}'';
- };
- }
- {
- # TODO: make the client declarative? right now I think it's manually git
- # clone'd to /root
- systemd.services.deno-netlify-ddns-client = {
- serviceConfig.Type = "oneshot";
- path = with pkgs; [curl bash];
- environment = {
- NETLIFY_DDNS_RC_FILE = "/root/deno-netlify-ddns-client/.env";
- };
- script = ''
- bash /root/deno-netlify-ddns-client/netlify-ddns-client.sh
- '';
- };
- systemd.timers.deno-netlify-ddns-client = {
- wantedBy = ["timers.target"];
- partOf = ["deno-netlify-ddns-client.service"];
- timerConfig = {
- OnBootSec = "10sec";
- OnUnitActiveSec = "5min";
- Unit = "deno-netlify-ddns-client.service";
- };
- };
- }
- {
- services.atuin = {
- enable = true;
- database = {
- createLocally = true;
- # uri = "postgresql://atuin@localhost:5432/atuin";
- };
- openRegistration = false;
- };
- services.caddy.virtualHosts."atuin.h.lyte.dev" = {
- extraConfig = ''reverse_proxy :${toString config.services.atuin.port}'';
- };
- }
- {
- # jland minecraft server
- users.groups.jland = {
- gid = 982;
- };
- users.users.jland = {
- uid = 986;
- isSystemUser = true;
- createHome = false;
- group = "jland";
- };
- virtualisation.oci-containers.containers.minecraft-jland = {
- autoStart = false;
+ # # TODO: backup *arr configs?
+ # ];
+ # initialize = true;
+ # exclude = [];
+ # timerConfig = {
+ # OnCalendar = ["04:45" "17:45"];
+ # };
+ # };
+ # in {
+ # local =
+ # defaults
+ # // {
+ # passwordFile = "/root/restic-localbackup-password";
+ # repository = "/storage/backups/local";
+ # };
+ # rascal =
+ # defaults
+ # // {
+ # extraOptions = [
+ # "sftp.command='ssh beefcake@rascal -i /root/.ssh/id_ed25519 -s sftp'"
+ # ];
+ # repository = "sftp://beefcake@rascal://storage/backups/beefcake";
+ # };
+ # # TODO: add ruby?
+ # benland =
+ # defaults
+ # // {
+ # extraOptions = [
+ # "sftp.command='ssh daniel@n.benhaney.com -p 10022 -i /root/.ssh/id_ed25519 -s sftp'"
+ # ];
+ # repository = "sftp://daniel@n.benhaney.com://storage/backups/beefcake";
+ # };
+ # };
+ # }
+ # {
+ # services.caddy = {
+ # # TODO: 502 and other error pages
+ # enable = true;
+ # email = "daniel@lyte.dev";
+ # adapter = "caddyfile";
+ # virtualHosts = {
+ # "dev.h.lyte.dev" = {
+ # extraConfig = ''
+ # reverse_proxy :8000
+ # '';
+ # };
+ # "files.lyte.dev" = {
+ # # TODO: customize the files.lyte.dev template?
+ # extraConfig = ''
+ # # @options {
+ # # method OPTIONS
+ # # }
+ # # @corsOrigin {
+ # # header_regexp Origin ^https?://([a-zA-Z0-9-]+\.)*lyte\.dev$
+ # # }
+ # header {
+ # Access-Control-Allow-Origin "{http.request.header.Origin}"
+ # Access-Control-Allow-Credentials true
+ # Access-Control-Allow-Methods *
+ # Access-Control-Allow-Headers *
+ # Vary Origin
+ # defer
+ # }
+ # # reverse_proxy shuwashuwa:8848 {
+ # # header_down -Access-Control-Allow-Origin
+ # # }
+ # file_server browse {
+ # # browse template
+ # # hide .*
+ # root /storage/files.lyte.dev
+ # }
+ # '';
+ # };
+ # };
+ # # acmeCA = "https://acme-staging-v02.api.letsencrypt.org/directory";
+ # };
+ # networking.firewall.allowedTCPPorts = [
+ # 8000 # random development stuff
+ # ];
+ # }
+ # {
+ # services.forgejo = {
+ # enable = true;
+ # stateDir = "/storage/forgejo";
+ # settings = {
+ # DEFAULT = {
+ # APP_NAME = "git.lyte.dev";
+ # };
+ # server = {
+ # ROOT_URL = "https://git.lyte.dev";
+ # HTTP_ADDR = "127.0.0.1";
+ # HTTP_PORT = 3088;
+ # DOMAIN = "git.lyte.dev";
+ # };
+ # actions = {
+ # ENABLED = true;
+ # };
+ # service = {
+ # DISABLE_REGISTRATION = true;
+ # };
+ # session = {
+ # COOKIE_SECURE = true;
+ # };
+ # log = {
+ # # TODO: raise the log level
+ # # LEVEL = "Debug";
+ # };
+ # ui = {
+ # THEMES = "forgejo-auto,forgejo-light,forgejo-dark,catppuccin-mocha-sapphire";
+ # DEFAULT_THEME = "forgejo-auto";
+ # };
+ # indexer = {
+ # REPO_INDEXER_ENABLED = "true";
+ # REPO_INDEXER_PATH = "indexers/repos.bleve";
+ # MAX_FILE_SIZE = "1048576";
+ # # REPO_INDEXER_INCLUDE =
+ # REPO_INDEXER_EXCLUDE = "resources/bin/**";
+ # };
+ # };
+ # lfs = {
+ # enable = true;
+ # };
+ # dump = {
+ # enable = true;
+ # };
+ # database = {
+ # # TODO: move to postgres?
+ # type = "sqlite3";
+ # };
+ # };
+ # services.gitea-actions-runner = {
+ # # TODO: simple git-based automation would be dope? maybe especially for
+ # # mirroring to github super easy?
+ # # enable = true;
+ # package = pkgs.forgejo-runner;
+ # instances."beefcake" = {
+ # enable = true;
+ # name = "beefcake";
+ # url = "https://git.lyte.dev";
+ # settings = {
+ # container = {
+ # # use the shared network which is bridged by default
+ # # this lets us hit git.lyte.dev just fine
+ # network = "podman";
+ # };
+ # };
+ # labels = [
+ # # type ":host" does not depend on docker/podman/lxc
+ # "podman"
+ # "nix:docker://git.lyte.dev/lytedev/nix:latest"
+ # "beefcake:host"
+ # "nixos-host:host"
+ # ];
+ # tokenFile = config.sops.secrets."forgejo-runner.env".path;
+ # hostPackages = with pkgs; [
+ # nix
+ # bash
+ # coreutils
+ # curl
+ # gawk
+ # gitMinimal
+ # gnused
+ # nodejs
+ # gnutar # needed for cache action
+ # wget
+ # ];
+ # };
+ # };
+ # # environment.systemPackages = with pkgs; [nodejs];
+ # services.caddy.virtualHosts."git.lyte.dev" = {
+ # extraConfig = ''
+ # reverse_proxy :${toString config.services.forgejo.settings.server.HTTP_PORT}
+ # '';
+ # };
+ # services.caddy.virtualHosts."http://git.beefcake.lan" = {
+ # extraConfig = ''
+ # reverse_proxy :${toString config.services.forgejo.settings.server.HTTP_PORT}
+ # '';
+ # };
+ # }
+ # {
+ # services.vaultwarden = {
+ # enable = true;
+ # config = {
+ # DOMAIN = "https://bw.lyte.dev";
+ # SIGNUPS_ALLOWED = "false";
+ # ROCKET_ADDRESS = "127.0.0.1";
+ # ROCKET_PORT = 8222;
+ # };
+ # };
+ # services.caddy.virtualHosts."bw.lyte.dev" = {
+ # extraConfig = ''reverse_proxy :${toString config.services.vaultwarden.config.ROCKET_PORT}'';
+ # };
+ # }
+ # {
+ # # TODO: make the client declarative? right now I think it's manually git
+ # # clone'd to /root
+ # systemd.services.deno-netlify-ddns-client = {
+ # serviceConfig.Type = "oneshot";
+ # path = with pkgs; [curl bash];
+ # environment = {
+ # NETLIFY_DDNS_RC_FILE = "/root/deno-netlify-ddns-client/.env";
+ # };
+ # script = ''
+ # bash /root/deno-netlify-ddns-client/netlify-ddns-client.sh
+ # '';
+ # };
+ # systemd.timers.deno-netlify-ddns-client = {
+ # wantedBy = ["timers.target"];
+ # partOf = ["deno-netlify-ddns-client.service"];
+ # timerConfig = {
+ # OnBootSec = "10sec";
+ # OnUnitActiveSec = "5min";
+ # Unit = "deno-netlify-ddns-client.service";
+ # };
+ # };
+ # }
+ # {
+ # services.atuin = {
+ # enable = true;
+ # database = {
+ # createLocally = true;
+ # # uri = "postgresql://atuin@localhost:5432/atuin";
+ # };
+ # openRegistration = false;
+ # };
+ # services.caddy.virtualHosts."atuin.h.lyte.dev" = {
+ # extraConfig = ''reverse_proxy :${toString config.services.atuin.port}'';
+ # };
+ # }
+ # {
+ # # jland minecraft server
+ # users.groups.jland = {
+ # gid = 982;
+ # };
+ # users.users.jland = {
+ # uid = 986;
+ # isSystemUser = true;
+ # createHome = false;
+ # group = "jland";
+ # };
+ # virtualisation.oci-containers.containers.minecraft-jland = {
+ # autoStart = false;
- # sending commands: https://docker-minecraft-server.readthedocs.io/en/latest/commands/
- image = "docker.io/itzg/minecraft-server";
- # user = "${toString config.users.users.jland.uid}:${toString config.users.groups.jland.gid}";
- extraOptions = [
- "--tty"
- "--interactive"
- ];
- environment = {
- EULA = "true";
- # UID = toString config.users.users.jland.uid;
- # GID = toString config.users.groups.jland.gid;
- STOP_SERVER_ANNOUNCE_DELAY = "20";
- TZ = "America/Chicago";
- VERSION = "1.20.1";
- MEMORY = "8G";
- MAX_MEMORY = "16G";
- TYPE = "FORGE";
- FORGE_VERSION = "47.1.3";
- ALLOW_FLIGHT = "true";
- ENABLE_QUERY = "true";
+ # # sending commands: https://docker-minecraft-server.readthedocs.io/en/latest/commands/
+ # image = "docker.io/itzg/minecraft-server";
+ # # user = "${toString config.users.users.jland.uid}:${toString config.users.groups.jland.gid}";
+ # extraOptions = [
+ # "--tty"
+ # "--interactive"
+ # ];
+ # environment = {
+ # EULA = "true";
+ # # UID = toString config.users.users.jland.uid;
+ # # GID = toString config.users.groups.jland.gid;
+ # STOP_SERVER_ANNOUNCE_DELAY = "20";
+ # TZ = "America/Chicago";
+ # VERSION = "1.20.1";
+ # MEMORY = "8G";
+ # MAX_MEMORY = "16G";
+ # TYPE = "FORGE";
+ # FORGE_VERSION = "47.1.3";
+ # ALLOW_FLIGHT = "true";
+ # ENABLE_QUERY = "true";
- MODPACK = "/data/origination-files/Server-Files-0.2.14.zip";
+ # MODPACK = "/data/origination-files/Server-Files-0.2.14.zip";
- # TYPE = "AUTO_CURSEFORGE";
- # CF_SLUG = "monumental-experience";
- # CF_FILE_ID = "4826863"; # 2.2.53
+ # # TYPE = "AUTO_CURSEFORGE";
+ # # CF_SLUG = "monumental-experience";
+ # # CF_FILE_ID = "4826863"; # 2.2.53
- # due to
- # Nov 02 13:45:22 beefcake minecraft-jland[2738672]: me.itzg.helpers.errors.GenericException: The modpack authors have indicated this file is not allowed for project distribution. Please download the client zip file from https://www.curseforge.com/minecraft/modpacks/monumental-experience and pass via CF_MODPACK_ZIP environment variable or place indownloads repo directory.
- # we must upload manually
- # CF_MODPACK_ZIP = "/data/origination-files/Monumental+Experience-2.2.53.zip";
+ # # due to
+ # # Nov 02 13:45:22 beefcake minecraft-jland[2738672]: me.itzg.helpers.errors.GenericException: The modpack authors have indicated this file is not allowed for project distribution. Please download the client zip file from https://www.curseforge.com/minecraft/modpacks/monumental-experience and pass via CF_MODPACK_ZIP environment variable or place indownloads repo directory.
+ # # we must upload manually
+ # # CF_MODPACK_ZIP = "/data/origination-files/Monumental+Experience-2.2.53.zip";
- # ENABLE_AUTOPAUSE = "true"; # TODO: must increate or disable max-tick-time
- # May also have mod/loader incompatibilities?
- # https://docker-minecraft-server.readthedocs.io/en/latest/misc/autopause-autostop/autopause/
- };
- environmentFiles = [
- # config.sops.secrets."jland.env".path
- ];
- ports = ["26965:25565"];
- volumes = [
- "/storage/jland/data:/data"
- "/storage/jland/worlds:/worlds"
- ];
- };
- networking.firewall.allowedTCPPorts = [
- 26965
- ];
- }
- {
- # dawncraft minecraft server
- systemd.tmpfiles.rules = [
- "d /storage/dawncraft/ 0770 1000 1000 -"
- "d /storage/dawncraft/data/ 0770 1000 1000 -"
- "d /storage/dawncraft/worlds/ 0770 1000 1000 -"
- "d /storage/dawncraft/downloads/ 0770 1000 1000 -"
- ];
- virtualisation.oci-containers.containers.minecraft-dawncraft = {
- autoStart = false;
+ # # ENABLE_AUTOPAUSE = "true"; # TODO: must increate or disable max-tick-time
+ # # May also have mod/loader incompatibilities?
+ # # https://docker-minecraft-server.readthedocs.io/en/latest/misc/autopause-autostop/autopause/
+ # };
+ # environmentFiles = [
+ # # config.sops.secrets."jland.env".path
+ # ];
+ # ports = ["26965:25565"];
+ # volumes = [
+ # "/storage/jland/data:/data"
+ # "/storage/jland/worlds:/worlds"
+ # ];
+ # };
+ # networking.firewall.allowedTCPPorts = [
+ # 26965
+ # ];
+ # }
+ # {
+ # # dawncraft minecraft server
+ # systemd.tmpfiles.rules = [
+ # "d /storage/dawncraft/ 0770 1000 1000 -"
+ # "d /storage/dawncraft/data/ 0770 1000 1000 -"
+ # "d /storage/dawncraft/worlds/ 0770 1000 1000 -"
+ # "d /storage/dawncraft/downloads/ 0770 1000 1000 -"
+ # ];
+ # virtualisation.oci-containers.containers.minecraft-dawncraft = {
+ # autoStart = false;
- # sending commands: https://docker-minecraft-server.readthedocs.io/en/latest/commands/
- image = "docker.io/itzg/minecraft-server";
- extraOptions = [
- "--tty"
- "--interactive"
- ];
- environment = {
- EULA = "true";
+ # # sending commands: https://docker-minecraft-server.readthedocs.io/en/latest/commands/
+ # image = "docker.io/itzg/minecraft-server";
+ # extraOptions = [
+ # "--tty"
+ # "--interactive"
+ # ];
+ # environment = {
+ # EULA = "true";
- STOP_SERVER_ANNOUNCE_DELAY = "20";
- TZ = "America/Chicago";
- VERSION = "1.18.2";
- MEMORY = "8G";
- MAX_MEMORY = "32G";
+ # STOP_SERVER_ANNOUNCE_DELAY = "20";
+ # TZ = "America/Chicago";
+ # VERSION = "1.18.2";
+ # MEMORY = "8G";
+ # MAX_MEMORY = "32G";
- ALLOW_FLIGHT = "true";
- ENABLE_QUERY = "true";
- SERVER_PORT = "26968";
- QUERY_PORT = "26968";
+ # ALLOW_FLIGHT = "true";
+ # ENABLE_QUERY = "true";
+ # SERVER_PORT = "26968";
+ # QUERY_PORT = "26968";
- TYPE = "AUTO_CURSEFORGE";
- CF_SLUG = "dawn-craft";
+ # TYPE = "AUTO_CURSEFORGE";
+ # CF_SLUG = "dawn-craft";
- CF_EXCLUDE_MODS = "368398";
- CF_FORCE_SYNCHRONIZE = "true";
- # CF_FILE_ID = "5247696"; # 2.0.7 server
- };
- environmentFiles = [
- config.sops.secrets."dawncraft.env".path
- ];
- ports = ["26968:26968/tcp" "26968:26968/udp"];
- volumes = [
- "/storage/dawncraft/data:/data"
- "/storage/dawncraft/worlds:/worlds"
- "/storage/dawncraft/downloads:/downloads"
- ];
- };
- networking.firewall.allowedTCPPorts = [
- 26968
- ];
- }
- {
- virtualisation.oci-containers.containers.minecraft-flanilla = {
- autoStart = true;
+ # CF_EXCLUDE_MODS = "368398";
+ # CF_FORCE_SYNCHRONIZE = "true";
+ # # CF_FILE_ID = "5247696"; # 2.0.7 server
+ # };
+ # environmentFiles = [
+ # config.sops.secrets."dawncraft.env".path
+ # ];
+ # ports = ["26968:26968/tcp" "26968:26968/udp"];
+ # volumes = [
+ # "/storage/dawncraft/data:/data"
+ # "/storage/dawncraft/worlds:/worlds"
+ # "/storage/dawncraft/downloads:/downloads"
+ # ];
+ # };
+ # networking.firewall.allowedTCPPorts = [
+ # 26968
+ # ];
+ # }
+ # {
+ # virtualisation.oci-containers.containers.minecraft-flanilla = {
+ # autoStart = true;
- image = "docker.io/itzg/minecraft-server";
- user = "${toString config.users.users.flanilla.uid}:${toString config.users.groups.flanilla.gid}";
- extraOptions = ["--tty" "--interactive"];
- environment = {
- EULA = "true";
- UID = toString config.users.users.flanilla.uid;
- GID = toString config.users.groups.flanilla.gid;
- STOP_SERVER_ANNOUNCE_DELAY = "20";
- TZ = "America/Chicago";
- VERSION = "1.20.4";
- OPS = "lytedev";
- MODE = "creative";
- DIFFICULTY = "peaceful";
- ONLINE_MODE = "false";
- MEMORY = "8G";
- MAX_MEMORY = "16G";
- ALLOW_FLIGHT = "true";
- ENABLE_QUERY = "true";
- ENABLE_COMMAND_BLOCK = "true";
- };
+ # image = "docker.io/itzg/minecraft-server";
+ # user = "${toString config.users.users.flanilla.uid}:${toString config.users.groups.flanilla.gid}";
+ # extraOptions = ["--tty" "--interactive"];
+ # environment = {
+ # EULA = "true";
+ # UID = toString config.users.users.flanilla.uid;
+ # GID = toString config.users.groups.flanilla.gid;
+ # STOP_SERVER_ANNOUNCE_DELAY = "20";
+ # TZ = "America/Chicago";
+ # VERSION = "1.20.4";
+ # OPS = "lytedev";
+ # MODE = "creative";
+ # DIFFICULTY = "peaceful";
+ # ONLINE_MODE = "false";
+ # MEMORY = "8G";
+ # MAX_MEMORY = "16G";
+ # ALLOW_FLIGHT = "true";
+ # ENABLE_QUERY = "true";
+ # ENABLE_COMMAND_BLOCK = "true";
+ # };
- environmentFiles = [
- # config.sops.secrets."flanilla.env".path
- ];
+ # environmentFiles = [
+ # # config.sops.secrets."flanilla.env".path
+ # ];
- ports = ["26966:25565"];
+ # ports = ["26966:25565"];
- volumes = [
- "/storage/flanilla/data:/data"
- "/storage/flanilla/worlds:/worlds"
- ];
- };
- networking.firewall.allowedTCPPorts = [
- 26966
- ];
- }
- ({options, ...}: let
- toml = pkgs.formats.toml {};
- package = pkgs.kanidm;
- domain = "idm.h.lyte.dev";
- name = "kanidm";
- storage = "/storage/${name}";
- cert = "${storage}/certs/idm.h.lyte.dev.crt";
- key = "${storage}/certs/idm.h.lyte.dev.key";
+ # volumes = [
+ # "/storage/flanilla/data:/data"
+ # "/storage/flanilla/worlds:/worlds"
+ # ];
+ # };
+ # networking.firewall.allowedTCPPorts = [
+ # 26966
+ # ];
+ # }
+ # ({options, ...}: let
+ # toml = pkgs.formats.toml {};
+ # package = pkgs.kanidm;
+ # domain = "idm.h.lyte.dev";
+ # name = "kanidm";
+ # storage = "/storage/${name}";
+ # cert = "${storage}/certs/idm.h.lyte.dev.crt";
+ # key = "${storage}/certs/idm.h.lyte.dev.key";
- serverSettings = {
- inherit domain;
- bindaddress = "127.0.0.1:8443";
- # ldapbindaddress
- tls_chain = cert;
- tls_key = key;
- origin = "https://${domain}";
- db_path = "${storage}/data/kanidm.db";
- log_level = "info";
- online_backup = {
- path = "${storage}/backups/";
- schedule = "00 22 * * *";
- # versions = 7;
- };
- };
+ # serverSettings = {
+ # inherit domain;
+ # bindaddress = "127.0.0.1:8443";
+ # # ldapbindaddress
+ # tls_chain = cert;
+ # tls_key = key;
+ # origin = "https://${domain}";
+ # db_path = "${storage}/data/kanidm.db";
+ # log_level = "info";
+ # online_backup = {
+ # path = "${storage}/backups/";
+ # schedule = "00 22 * * *";
+ # # versions = 7;
+ # };
+ # };
- unixdSettings = {
- hsm_pin_path = "/var/cache/${name}-unixd/hsm-pin";
- pam_allowed_login_groups = [];
- };
+ # unixdSettings = {
+ # hsm_pin_path = "/var/cache/${name}-unixd/hsm-pin";
+ # pam_allowed_login_groups = [];
+ # };
- clientSettings = {
- uri = "https://idm.h.lyte.dev";
- };
+ # clientSettings = {
+ # uri = "https://idm.h.lyte.dev";
+ # };
- user = name;
- group = name;
- serverConfigFile = toml.generate "server.toml" serverSettings;
- unixdConfigFile = toml.generate "kanidm-unixd.toml" unixdSettings;
- clientConfigFile = toml.generate "kanidm-config.toml" clientSettings;
+ # user = name;
+ # group = name;
+ # serverConfigFile = toml.generate "server.toml" serverSettings;
+ # unixdConfigFile = toml.generate "kanidm-unixd.toml" unixdSettings;
+ # clientConfigFile = toml.generate "kanidm-config.toml" clientSettings;
- defaultServiceConfig = {
- BindReadOnlyPaths = [
- "/nix/store"
- "-/etc/resolv.conf"
- "-/etc/nsswitch.conf"
- "-/etc/hosts"
- "-/etc/localtime"
- ];
- CapabilityBoundingSet = [];
- # ProtectClock= adds DeviceAllow=char-rtc r
- DeviceAllow = "";
- # Implies ProtectSystem=strict, which re-mounts all paths
- # DynamicUser = true;
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- NoNewPrivileges = true;
- PrivateDevices = true;
- PrivateMounts = true;
- PrivateNetwork = true;
- PrivateTmp = true;
- PrivateUsers = true;
- ProcSubset = "pid";
- ProtectClock = true;
- ProtectHome = true;
- ProtectHostname = true;
- # Would re-mount paths ignored by temporary root
- #ProtectSystem = "strict";
- ProtectControlGroups = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- ProtectProc = "invisible";
- RestrictAddressFamilies = [];
- RestrictNamespaces = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- SystemCallArchitectures = "native";
- SystemCallFilter = ["@system-service" "~@privileged @resources @setuid @keyring"];
- # Does not work well with the temporary root
- #UMask = "0066";
- };
- in {
- # kanidm
+ # defaultServiceConfig = {
+ # BindReadOnlyPaths = [
+ # "/nix/store"
+ # "-/etc/resolv.conf"
+ # "-/etc/nsswitch.conf"
+ # "-/etc/hosts"
+ # "-/etc/localtime"
+ # ];
+ # CapabilityBoundingSet = [];
+ # # ProtectClock= adds DeviceAllow=char-rtc r
+ # DeviceAllow = "";
+ # # Implies ProtectSystem=strict, which re-mounts all paths
+ # # DynamicUser = true;
+ # LockPersonality = true;
+ # MemoryDenyWriteExecute = true;
+ # NoNewPrivileges = true;
+ # PrivateDevices = true;
+ # PrivateMounts = true;
+ # PrivateNetwork = true;
+ # PrivateTmp = true;
+ # PrivateUsers = true;
+ # ProcSubset = "pid";
+ # ProtectClock = true;
+ # ProtectHome = true;
+ # ProtectHostname = true;
+ # # Would re-mount paths ignored by temporary root
+ # #ProtectSystem = "strict";
+ # ProtectControlGroups = true;
+ # ProtectKernelLogs = true;
+ # ProtectKernelModules = true;
+ # ProtectKernelTunables = true;
+ # ProtectProc = "invisible";
+ # RestrictAddressFamilies = [];
+ # RestrictNamespaces = true;
+ # RestrictRealtime = true;
+ # RestrictSUIDSGID = true;
+ # SystemCallArchitectures = "native";
+ # SystemCallFilter = ["@system-service" "~@privileged @resources @setuid @keyring"];
+ # # Does not work well with the temporary root
+ # #UMask = "0066";
+ # };
+ # in {
+ # # kanidm
- config = {
- # we need a mechanism to get the certificates that caddy provisions for us
- systemd.timers."copy-kanidm-certificates-from-caddy" = {
- wantedBy = ["timers.target"];
- timerConfig = {
- OnBootSec = "10m"; # 10 minutes after booting
- OnUnitActiveSec = "5m"; # every 5 minutes afterwards
- Unit = "copy-kanidm-certificates-from-caddy.service";
- };
- };
+ # config = {
+ # # we need a mechanism to get the certificates that caddy provisions for us
+ # systemd.timers."copy-kanidm-certificates-from-caddy" = {
+ # wantedBy = ["timers.target"];
+ # timerConfig = {
+ # OnBootSec = "10m"; # 10 minutes after booting
+ # OnUnitActiveSec = "5m"; # every 5 minutes afterwards
+ # Unit = "copy-kanidm-certificates-from-caddy.service";
+ # };
+ # };
- systemd.services."copy-kanidm-certificates-from-caddy" = {
- script = ''
- umask 077
- install -d -m 0700 -o "${user}" -g "${group}" "${storage}/data" "${storage}/certs"
- cd /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/idm.h.lyte.dev
- install -m 0700 -o "${user}" -g "${group}" idm.h.lyte.dev.key idm.h.lyte.dev.crt "${storage}/certs"
- '';
- path = with pkgs; [rsync];
- serviceConfig = {
- Type = "oneshot";
- User = "root";
- };
- };
+ # systemd.services."copy-kanidm-certificates-from-caddy" = {
+ # script = ''
+ # umask 077
+ # install -d -m 0700 -o "${user}" -g "${group}" "${storage}/data" "${storage}/certs"
+ # cd /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/idm.h.lyte.dev
+ # install -m 0700 -o "${user}" -g "${group}" idm.h.lyte.dev.key idm.h.lyte.dev.crt "${storage}/certs"
+ # '';
+ # path = with pkgs; [rsync];
+ # serviceConfig = {
+ # Type = "oneshot";
+ # User = "root";
+ # };
+ # };
- environment.systemPackages = [package];
+ # environment.systemPackages = [package];
- # TODO: should I use this for /storage/kanidm/certs etc.?
- systemd.tmpfiles.settings."10-kanidm" = {
- "${serverSettings.online_backup.path}".d = {
- inherit user group;
- mode = "0700";
- };
- # "${builtins.dirOf unixdSettings.hsm_pin_path}".d = {
- # user = "${user}-unixd";
- # group = "${group}-unixd";
- # mode = "0700";
- # };
- "${storage}/data".d = {
- inherit user group;
- mode = "0700";
- };
- "${storage}/certs".d = {
- inherit user group;
- mode = "0700";
- };
- };
+ # # TODO: should I use this for /storage/kanidm/certs etc.?
+ # systemd.tmpfiles.settings."10-kanidm" = {
+ # "${serverSettings.online_backup.path}".d = {
+ # inherit user group;
+ # mode = "0700";
+ # };
+ # # "${builtins.dirOf unixdSettings.hsm_pin_path}".d = {
+ # # user = "${user}-unixd";
+ # # group = "${group}-unixd";
+ # # mode = "0700";
+ # # };
+ # "${storage}/data".d = {
+ # inherit user group;
+ # mode = "0700";
+ # };
+ # "${storage}/certs".d = {
+ # inherit user group;
+ # mode = "0700";
+ # };
+ # };
- users.groups = {
- ${group} = {};
- "${group}-unixd" = {};
- };
+ # users.groups = {
+ # ${group} = {};
+ # "${group}-unixd" = {};
+ # };
- users.users.${user} = {
- inherit group;
- description = "kanidm server";
- isSystemUser = true;
- packages = [package];
- };
- users.users."${user}-unixd" = {
- group = "${group}-unixd";
- description = lib.mkForce "kanidm PAM daemon";
- isSystemUser = true;
- };
+ # users.users.${user} = {
+ # inherit group;
+ # description = "kanidm server";
+ # isSystemUser = true;
+ # packages = [package];
+ # };
+ # users.users."${user}-unixd" = {
+ # group = "${group}-unixd";
+ # description = lib.mkForce "kanidm PAM daemon";
+ # isSystemUser = true;
+ # };
- # the kanidm module in nixpkgs was not working for me, so I rolled my own
- # loosely based off it
- systemd.services.kanidm = {
- enable = true;
- path = with pkgs; [openssl] ++ [package];
- description = "kanidm identity management daemon";
- wantedBy = ["multi-user.target"];
- after = ["network.target"];
- requires = ["copy-kanidm-certificates-from-caddy.service"];
- script = ''
- pwd
- ls -la
- ls -laR /storage/kanidm
- ${package}/bin/kanidmd server -c ${serverConfigFile}
- '';
- # environment.RUST_LOG = serverSettings.log_level;
- serviceConfig = lib.mkMerge [
- defaultServiceConfig
- {
- StateDirectory = name;
- StateDirectoryMode = "0700";
- RuntimeDirectory = "${name}d";
- User = user;
- Group = group;
+ # # the kanidm module in nixpkgs was not working for me, so I rolled my own
+ # # loosely based off it
+ # systemd.services.kanidm = {
+ # enable = true;
+ # path = with pkgs; [openssl] ++ [package];
+ # description = "kanidm identity management daemon";
+ # wantedBy = ["multi-user.target"];
+ # after = ["network.target"];
+ # requires = ["copy-kanidm-certificates-from-caddy.service"];
+ # script = ''
+ # pwd
+ # ls -la
+ # ls -laR /storage/kanidm
+ # ${package}/bin/kanidmd server -c ${serverConfigFile}
+ # '';
+ # # environment.RUST_LOG = serverSettings.log_level;
+ # serviceConfig = lib.mkMerge [
+ # defaultServiceConfig
+ # {
+ # StateDirectory = name;
+ # StateDirectoryMode = "0700";
+ # RuntimeDirectory = "${name}d";
+ # User = user;
+ # Group = group;
- AmbientCapabilities = ["CAP_NET_BIND_SERVICE"];
- CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE"];
- PrivateUsers = lib.mkForce false;
- PrivateNetwork = lib.mkForce false;
- RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"];
- # TemporaryFileSystem = "/:ro";
- BindReadOnlyPaths = [
- "${storage}/certs"
- ];
- BindPaths = [
- "${storage}/data"
+ # AmbientCapabilities = ["CAP_NET_BIND_SERVICE"];
+ # CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE"];
+ # PrivateUsers = lib.mkForce false;
+ # PrivateNetwork = lib.mkForce false;
+ # RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"];
+ # # TemporaryFileSystem = "/:ro";
+ # BindReadOnlyPaths = [
+ # "${storage}/certs"
+ # ];
+ # BindPaths = [
+ # "${storage}/data"
- # socket
- "/run/${name}d:/run/${name}d"
+ # # socket
+ # "/run/${name}d:/run/${name}d"
- # backups
- serverSettings.online_backup.path
- ];
- }
- ];
- };
+ # # backups
+ # serverSettings.online_backup.path
+ # ];
+ # }
+ # ];
+ # };
- systemd.services.kanidm-unixd = {
- description = "Kanidm PAM daemon";
- wantedBy = ["multi-user.target"];
- after = ["network.target"];
- restartTriggers = [unixdConfigFile clientConfigFile];
- serviceConfig = lib.mkMerge [
- defaultServiceConfig
- {
- CacheDirectory = "${name}-unixd";
- CacheDirectoryMode = "0700";
- RuntimeDirectory = "${name}-unixd";
- ExecStart = "${package}/bin/kanidm_unixd";
- User = "${user}-unixd";
- Group = "${group}-unixd";
+ # systemd.services.kanidm-unixd = {
+ # description = "Kanidm PAM daemon";
+ # wantedBy = ["multi-user.target"];
+ # after = ["network.target"];
+ # restartTriggers = [unixdConfigFile clientConfigFile];
+ # serviceConfig = lib.mkMerge [
+ # defaultServiceConfig
+ # {
+ # CacheDirectory = "${name}-unixd";
+ # CacheDirectoryMode = "0700";
+ # RuntimeDirectory = "${name}-unixd";
+ # ExecStart = "${package}/bin/kanidm_unixd";
+ # User = "${user}-unixd";
+ # Group = "${group}-unixd";
- BindReadOnlyPaths = [
- "-/etc/kanidm"
- "-/etc/static/kanidm"
- "-/etc/ssl"
- "-/etc/static/ssl"
- "-/etc/passwd"
- "-/etc/group"
- ];
+ # BindReadOnlyPaths = [
+ # "-/etc/kanidm"
+ # "-/etc/static/kanidm"
+ # "-/etc/ssl"
+ # "-/etc/static/ssl"
+ # "-/etc/passwd"
+ # "-/etc/group"
+ # ];
- BindPaths = [
- # socket
- "/run/kanidm-unixd:/var/run/kanidm-unixd"
- ];
+ # BindPaths = [
+ # # socket
+ # "/run/kanidm-unixd:/var/run/kanidm-unixd"
+ # ];
- # Needs to connect to kanidmd
- PrivateNetwork = lib.mkForce false;
- RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"];
- TemporaryFileSystem = "/:ro";
- }
- ];
- environment.RUST_LOG = serverSettings.log_level;
- };
+ # # Needs to connect to kanidmd
+ # PrivateNetwork = lib.mkForce false;
+ # RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"];
+ # TemporaryFileSystem = "/:ro";
+ # }
+ # ];
+ # environment.RUST_LOG = serverSettings.log_level;
+ # };
- systemd.services.kanidm-unixd-tasks = {
- description = "Kanidm PAM home management daemon";
- wantedBy = ["multi-user.target"];
- after = ["network.target" "kanidm-unixd.service"];
- partOf = ["kanidm-unixd.service"];
- restartTriggers = [unixdConfigFile clientConfigFile];
- serviceConfig = {
- ExecStart = "${package}/bin/kanidm_unixd_tasks";
+ # systemd.services.kanidm-unixd-tasks = {
+ # description = "Kanidm PAM home management daemon";
+ # wantedBy = ["multi-user.target"];
+ # after = ["network.target" "kanidm-unixd.service"];
+ # partOf = ["kanidm-unixd.service"];
+ # restartTriggers = [unixdConfigFile clientConfigFile];
+ # serviceConfig = {
+ # ExecStart = "${package}/bin/kanidm_unixd_tasks";
- BindReadOnlyPaths = [
- "/nix/store"
- "-/etc/resolv.conf"
- "-/etc/nsswitch.conf"
- "-/etc/hosts"
- "-/etc/localtime"
- "-/etc/kanidm"
- "-/etc/static/kanidm"
- ];
- BindPaths = [
- # To manage home directories
- "/home"
+ # BindReadOnlyPaths = [
+ # "/nix/store"
+ # "-/etc/resolv.conf"
+ # "-/etc/nsswitch.conf"
+ # "-/etc/hosts"
+ # "-/etc/localtime"
+ # "-/etc/kanidm"
+ # "-/etc/static/kanidm"
+ # ];
+ # BindPaths = [
+ # # To manage home directories
+ # "/home"
- # To connect to kanidm-unixd
- "/run/kanidm-unixd:/var/run/kanidm-unixd"
- ];
- # CAP_DAC_OVERRIDE is needed to ignore ownership of unixd socket
- CapabilityBoundingSet = ["CAP_CHOWN" "CAP_FOWNER" "CAP_DAC_OVERRIDE" "CAP_DAC_READ_SEARCH"];
- IPAddressDeny = "any";
- # Need access to users
- PrivateUsers = false;
- # Need access to home directories
- ProtectHome = false;
- RestrictAddressFamilies = ["AF_UNIX"];
- TemporaryFileSystem = "/:ro";
- Restart = "on-failure";
- };
- environment.RUST_LOG = serverSettings.log_level;
- };
+ # # To connect to kanidm-unixd
+ # "/run/kanidm-unixd:/var/run/kanidm-unixd"
+ # ];
+ # # CAP_DAC_OVERRIDE is needed to ignore ownership of unixd socket
+ # CapabilityBoundingSet = ["CAP_CHOWN" "CAP_FOWNER" "CAP_DAC_OVERRIDE" "CAP_DAC_READ_SEARCH"];
+ # IPAddressDeny = "any";
+ # # Need access to users
+ # PrivateUsers = false;
+ # # Need access to home directories
+ # ProtectHome = false;
+ # RestrictAddressFamilies = ["AF_UNIX"];
+ # TemporaryFileSystem = "/:ro";
+ # Restart = "on-failure";
+ # };
+ # environment.RUST_LOG = serverSettings.log_level;
+ # };
- environment.etc = {
- "kanidm/server.toml".source = serverConfigFile;
- "kanidm/config".source = clientConfigFile;
- "kanidm/unixd".source = unixdConfigFile;
- };
+ # environment.etc = {
+ # "kanidm/server.toml".source = serverConfigFile;
+ # "kanidm/config".source = clientConfigFile;
+ # "kanidm/unixd".source = unixdConfigFile;
+ # };
- system.nssModules = [package];
+ # system.nssModules = [package];
- system.nssDatabases.group = [name];
- system.nssDatabases.passwd = [name];
+ # system.nssDatabases.group = [name];
+ # system.nssDatabases.passwd = [name];
- # environment.etc."kanidm/server.toml" = {
- # mode = "0600";
- # group = "kanidm";
- # user = "kanidm";
- # };
+ # # environment.etc."kanidm/server.toml" = {
+ # # mode = "0600";
+ # # group = "kanidm";
+ # # user = "kanidm";
+ # # };
- # environment.etc."kanidm/config" = {
- # mode = "0600";
- # group = "kanidm";
- # user = "kanidm";
- # };
+ # # environment.etc."kanidm/config" = {
+ # # mode = "0600";
+ # # group = "kanidm";
+ # # user = "kanidm";
+ # # };
- services.caddy.virtualHosts."idm.h.lyte.dev" = {
- extraConfig = ''reverse_proxy https://idm.h.lyte.dev:8443'';
- };
+ # services.caddy.virtualHosts."idm.h.lyte.dev" = {
+ # extraConfig = ''reverse_proxy https://idm.h.lyte.dev:8443'';
+ # };
- networking = {
- extraHosts = ''
- ::1 idm.h.lyte.dev
- 127.0.0.1 idm.h.lyte.dev
- '';
- };
- };
- })
- {
- services.audiobookshelf = {
- enable = true;
- # dataDir = "/storage/audiobookshelf";
- port = 8523;
- };
- services.caddy.virtualHosts."audio.lyte.dev" = {
- extraConfig = ''reverse_proxy :8523'';
- };
- }
+ # networking = {
+ # extraHosts = ''
+ # ::1 idm.h.lyte.dev
+ # 127.0.0.1 idm.h.lyte.dev
+ # '';
+ # };
+ # };
+ # })
+ # {
+ # services.audiobookshelf = {
+ # enable = true;
+ # # dataDir = "/storage/audiobookshelf";
+ # port = 8523;
+ # };
+ # services.caddy.virtualHosts."audio.lyte.dev" = {
+ # extraConfig = ''reverse_proxy :8523'';
+ # };
+ # }
];
# TODO: non-root processes and services that access secrets need to be part of
@@ -1348,25 +1345,13 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
# };
};
environment.systemPackages = with pkgs; [
- linuxquota
htop
bottom
curl
xh
];
+
services.tailscale.useRoutingFeatures = "server";
- services.openssh = {
- listenAddresses = [
- {
- addr = "0.0.0.0";
- port = 64022;
- }
- {
- addr = "0.0.0.0";
- port = 22;
- }
- ];
- };
# https://github.com/NixOS/nixpkgs/blob/04af42f3b31dba0ef742d254456dc4c14eedac86/nixos/modules/services/misc/lidarr.nix#L72
# services.lidarr = {
@@ -1389,12 +1374,12 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
# listenPort = 6767;
# };
- networking.firewall.allowedTCPPorts = [9876 9877];
- networking.firewall.allowedUDPPorts = [9876 9877];
- networking.firewall.allowedUDPPortRanges = [
- {
- from = 27000;
- to = 27100;
- }
- ];
+ # networking.firewall.allowedTCPPorts = [9876 9877];
+ # networking.firewall.allowedUDPPorts = [9876 9877];
+ # networking.firewall.allowedUDPPortRanges = [
+ # {
+ # from = 27000;
+ # to = 27100;
+ # }
+ # ];
}
diff --git a/nixos/router.nix b/nixos/router.nix
index 2263075..fdd730e 100644
--- a/nixos/router.nix
+++ b/nixos/router.nix
@@ -337,7 +337,7 @@ in {
ConfigureWithoutCarrier = true;
# IPv6AcceptRA = false;
IPv6SendRA = true;
- DHCPPrefixDelegation = true;
+ DHCPv6PrefixDelegation = true;
};
};
@@ -406,7 +406,10 @@ in {
cache-size = "10000";
- dhcp-range = with dhcp_lease_space; ["${interfaces.lan.name},${min},${max},${netmask},24h"];
+ dhcp-range = with dhcp_lease_space; [
+ "${interfaces.lan.name},${min},${max},${netmask},24h"
+ "::,constructor:${interfaces.lan.name},ra-stateless,ra-names,4h"
+ ];
except-interface = interfaces.wan.name;
interface = interfaces.lan.name;
dhcp-host =