aynish/helm
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Attempting to migrate off digga...

Browse Source
This commit is contained in:
Anish Lakhwara
2022-12-06 17:09:27 +10:00
parent 0051488eb1
commit f5a0ad9ba9
203 changed files with 575 additions and 7302 deletions
Download Patch File Download Diff File Expand all files Collapse all files
hosts/box/default.nix
+19 -6
View File
@@ -1,12 +1,25 @@
{ self, pkgs, profiles, suites, ... }:
{ self, pkgs, ... }:
{
imports = [
./configuration.nix
] ++ suites.mossnet;
home-manager.users.anish = { self, suites, ... }: {
imports = [ ] ++ suites.hmBase;
};
../users/anish
../profiles/core
../profiles/server
../profiles/taskd
../profiles/shaarli
../profiles/dns
../profiles/monitoring
../profiles/nfs
../profiles/gonic
../profiles/headphones
../profiles/radicale
../profiles/seafile
../profiles/syncthing
../profiles/dhyan
../profiles/calibre
../profiles/wallabag
../profiles/finance
];
# For some reason this doesn't work in the profile, but does over here??
# Something weird in the way I'm importing nixpkgs in the profile or something
hosts/cube/default.nix
+4 -5
View File
@@ -2,9 +2,8 @@
{
imports = [
./configuration.nix
] ++ suites.cube;
home-manager.users.anish = { self, suites, ... }: {
imports = [ ] ++ suites.hmBase;
};
../profiles/core
../profiles/server
../profiles/site
];
}
hosts/curve/curve.nix
-16
View File
@@ -1,16 +0,0 @@
{ profiles, suites, ... }:
{
imports = [
profiles.core
profiles.users.anish
profiles.hardware.curve # how else to deal with hardware?
];
bud.enable = true;
# Speed up boot by removing dependency on network
systemd = {
targets.network-online.wantedBy = pkgs.lib.mkForce [ ]; # Normally ["multi-user.target"]
services.NetworkManager-wait-online.wantedBy = pkgs.lib.mkForce [ ]; # Normally ["network-online.target"]
};
}
hosts/curve/default.nix
+18 -5
View File
@@ -1,12 +1,25 @@
{ self, pkgs, profiles, suites, ... }:
{ self, pkgs, ... }:
{
imports = [
./configuration.nix
profiles.mossnet-hosts
] ++ suites.curve;
../users/anish
../profiles/core
../profiles/bluetooth
../profiles/music
../profiles/sync/kitaab
../profiles/sync/website
../profiles/sync/cal
../profiles/wifi
../profiles/desktop
../profiles/mimetypes
../profiles/syncthing
../profiles/mossnet-hosts
];
home-manager.users.anish = { suites, ... }: {
imports = suites.gui;
# Speed up boot by removing dependency on network
systemd = {
targets.network-online.wantedBy = pkgs.lib.mkForce [ ]; # Normally ["multi-user.target"]
services.NetworkManager-wait-online.wantedBy = pkgs.lib.mkForce [ ]; # Normally ["network-online.target"]
};
programs.gnupg.agent.pinentryFlavor = "gnome3";
hosts/curve/hardware-configuration.nix
+9 -6
View File
@@ -5,7 +5,8 @@
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "rtsx_pci_sdmmc" ];
@@ -14,25 +15,27 @@
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/74ba39ee-35cd-4b87-9ee9-651384fa55bd";
{
device = "/dev/disk/by-uuid/74ba39ee-35cd-4b87-9ee9-651384fa55bd";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/74ba39ee-35cd-4b87-9ee9-651384fa55bd";
{
device = "/dev/disk/by-uuid/74ba39ee-35cd-4b87-9ee9-651384fa55bd";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/87DA-98E7";
{
device = "/dev/disk/by-uuid/87DA-98E7";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/c36e3ba9-8eee-4fbf-837c-7e1cfda33f09"; }
];
[{ device = "/dev/disk/by-uuid/c36e3ba9-8eee-4fbf-837c-7e1cfda33f09"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
hosts/helix/default.nix
+7 -5
View File
@@ -2,11 +2,13 @@
{
imports = [
./configuration.nix
] ++ suites.sealight;
home-manager.users.anish = { self, suites, ... }: {
imports = [ ] ++ suites.hmBase;
};
../profiles/core
../profiles/server
../profiles/metrics
../profiles/sealight-website
../profiles/matrix
../profiles/wireguard-server
];
# Capsul specific
users.users.cyberian = {
hosts/lituus/default.nix
+9 -5
View File
@@ -2,10 +2,14 @@
{
imports = [
./configuration.nix
] ++ suites.lituus;
home-manager.users.anish = { self, suites, ... }: {
imports = [ ] ++ suites.hmBase;
};
../users/anish
../profiles/core
../profiles/server
../profiles/metrics
../profiles/gitea
../profiles/rss-bridge
../profiles/mount-mossnet
../profiles/freshrss
];
}
hosts/profiles/backup/default.nix
+1
View File
@@ -0,0 +1 @@
{ }
hosts/profiles/bluetooth/default.nix
+12
View File
@@ -0,0 +1,12 @@
{ pkgs, ... }:
{
hardware.bluetooth.enable = true;
services.blueman.enable = true;
# A2DP protocol
hardware.bluetooth.settings = {
General = {
Enable = "Source,Sink,Media,Socket";
};
};
}
hosts/profiles/borg/default.nix
+34
View File
@@ -0,0 +1,34 @@
{
# Assumes the remote borg backup server has already been initialized
# borg init --encryption-key=repokey-blake2 -rsh 'ssh -i /run/keys/id_ed25519_borgbase' 20779@hk-s020.rsync.net:<borg-archive>
services.borgbackup.jobs = {
backupTaskwarriorRsync = {
paths = [ "/var/lib/taskserver" ];
doInit = true;
repo = "20779@hk-s020.rsync.net:taskwarrior";
encryption = {
mode = "repokey-blake2";
passCommand = "cat /run/keys/rsync";
};
environment = { BORG_RSH = "ssh -i /run/keys/id_ed25519_borgbase"; };
compression = "auto,lzma";
startAt = "weekly";
extraArgs = "--remote-path=borg1";
};
};
services.borgbackup.jobs = {
backupShaarliRsync = {
paths = [ "/var/www/shaarli-config/data/datastore.php" "/var/www/shaarli-config/config" "/var/www/shaarli-config/.json.config" ];
doInit = true;
repo = "20779@hk-s020.rsync.net:shaarli";
encryption = {
mode = "repokey-blake2";
passCommand = "cat /run/keys/rsync";
};
environment = { BORG_RSH = "ssh -i /run/keys/id_ed25519_borgbase"; };
compression = "auto,lzma";
startAt = "weekly";
extraArgs = "--remote-path=borg1";
};
};
}
hosts/profiles/cachix/default.nix
+11
View File
@@ -0,0 +1,11 @@
{ pkgs, lib, ... }:
let
folder = ./.;
toImport = name: value: folder + ("/" + name);
filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key && key != "default.nix";
imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder));
in
{
inherit imports;
nix.settings.substituters = [ "https://cache.nixos.org/" ];
}
hosts/profiles/cachix/nix-community.nix
+12
View File
@@ -0,0 +1,12 @@
{
nix = {
settings = {
substituters = [
"https://nix-community.cachix.org"
];
trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
};
};
}
hosts/profiles/cachix/nrdxp.nix
+12
View File
@@ -0,0 +1,12 @@
{
nix = {
settings = {
substituters = [
"https://nrdxp.cachix.org"
];
trusted-public-keys = [
"nrdxp.cachix.org-1:Fc5PSqY2Jm1TrWfm88l6cvGWwz3s93c6IOifQWnhNW4="
];
};
};
}
hosts/profiles/calibre/default.nix
+37
View File
@@ -0,0 +1,37 @@
{
# Unnecessary at this stage
#services.calibre-web = {
# enable = true;
# listen.port = 8083;
# openFirewall = true;
# # Bug in the module puts this in quotes in the systemd file
# # user = calibre;
# # group = calibre;
# options = {
# calibreLibrary = "/data/books";
# enableBookUploading = true;
# };
#};
services.calibre-server = {
enable = true;
libraries = [ "/data/books" ];
# Bug in the module puts this in quotes in the systemd file
# user = calibre;
# group = calibre;
};
services.nginx.virtualHosts."books.mossnet.lan" = {
enableACME = false;
forceSSL = false;
locations."/" = {
extraConfig = ''
proxy_pass http://localhost:8083/;
proxy_set_header X-Forwarded-Host $host;
'';
};
};
networking.firewall.allowedTCPPorts = [ 8080 ];
}
hosts/profiles/core/common.nix
+132
View File
@@ -0,0 +1,132 @@
{ config, pkgs, ... }:
{
# imports = [
# ./nvim.nix
# ./unstable.nix
# ];
environment.systemPackages = with pkgs; [
htop
iftop
wget
curl
exa
bat
fd
ag
viu
w3m
ranger
ripgrep
tcpdump
whois
mtr
file
lsof
atool
inotify-tools
strace
zip
unzip
rsync
tmux
pwgen
glow
gitAndTools.gitFull
dig
wpa_supplicant
#neovim defined in ./nvim.nix
#wofi
#firefox
#fractal
#pinentry_gnome
pass
gcc
less
mpv
zathura
#qmk_firmware
python3
gdb
#vcv-rack
#xdotool
#neofetch
#calibre
#openvpn
#gimp
xxd
#tilix
kitty
taskwarrior
gnupg
#openjdk
#glslviewer
#filezilla
#signal-desktop
#wire-desktop
#tdesktop
#feedreader
#newsflash
#syncthing
dijo
#kdeconnect
#ssb-patchwork
#gnome3.gnome-tweaks
#gnome3.pomodoro
#gnomeExtensions.gsconnect
#gnomeExtensions.taskwhisperer
#gnome3.networkmanager-openvpn
#python3Packages.youtube-dl
#appimage-run
#home-manager
libreoffice
fontconfig
#hugo
#processing
#nextcloud-client
#zsh-powerlevel10k
powerline-fonts
#supercollider
haskellPackages.tidal
pandoc
];
#programs.bash.enableCompletion = true;
environment.shellAliases = {
"cat": "bat";
"ls":"exa";
"grep": "rg";
};
# needed for vcv-rack
#nixpkgs.config.allowUnfree = true;
programs.gnupg.agent.enable = true;
programs.gnupg.agent.pinentryFlavor = "curses";
programs.gnupg.agent.enableSSHSupport = false;
#system.copySystemConfiguration = true;
#services.syncthing = {
# enable = true;
# openDefaultPorts = true;
# systemService = true;
# user = "anish";
# dataDir = "/home/anish/usr/syncthing";
#};
#zsh powerlevel10k
#programs.zsh.enable = true;
#programs.zsh.promptInit = "source ${pkgs.zsh-powerlevel10k}/share/zsh-powerlevel10k/powerlevel10k.zsh-theme";
#users.users.anish.shell = pkgs.zsh;
#android
programs.adb.enable = true;
users.users.anish.extraGroups = ["adbusers"];
nix.extraOptions = ''
keep-outputs = true
keep-derivations = true
'';
}
hosts/profiles/core/default.nix
+51
View File
@@ -0,0 +1,51 @@
{ self, config, lib, pkgs, ... }:
let inherit (lib) fileContents;
in
{
imports = [ ../cachix ];
fonts = {
fonts = with pkgs; [ powerline-fonts dejavu_fonts ];
fontconfig.defaultFonts = {
monospace = [ "DejaVu Sans Mono for Powerline" ];
sansSerif = [ "DejaVu Sans" ];
};
};
nix = {
settings = {
sandbox = true;
trusted-users = [ "root" "@wheel" ];
allowed-users = [ "@wheel" ];
auto-optimise-store = true;
system-features = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
};
gc.automatic = true;
optimise.automatic = true;
extraOptions = ''
min-free = 536870912
keep-outputs = true
keep-derivations = true
fallback = true
'';
};
environment.systemPackages = with pkgs; [
pinentry_gnome
cached-nix-shell
];
services.devmon.enable = true;
# For rage encryption, all hosts need a ssh key pair
services.openssh = {
enable = true;
openFirewall = lib.mkDefault false;
};
programs.gnupg.agent.enable = true;
#programs.gnupg.agent.pinentryFlavor = "curses";
services.earlyoom.enable = true;
}
hosts/profiles/core/starship.toml
+92
View File
@@ -0,0 +1,92 @@
[aws]
symbol = " "
[character]
success_symbol = "[](bold purple)"
vicmd_symbol = "[](bold purple)"
[battery]
full_symbol = " "
charging_symbol = " "
discharging_symbol = " "
[conda]
symbol = " "
[directory]
style = "cyan"
read_only = " 🔒"
[docker_context]
symbol = " "
[elixir]
symbol = " "
[elm]
symbol = " "
[git_branch]
format = "[$symbol$branch]($style) "
symbol = " "
style = "bold dimmed white"
[git_status]
format = '([「$all_status$ahead_behind」]($style) )'
conflicted = "⚠️"
ahead = "⟫${count} "
behind = "⟪${count}"
diverged = "🔀 "
untracked = "📁 "
stashed = "↪ "
modified = "𝚫 "
staged = "✔ "
renamed = "⇆ "
deleted = "✘ "
style = "bold bright-white"
[golang]
symbol = " "
[hg_branch]
symbol = " "
[java]
symbol = " "
[julia]
symbol = " "
[memory_usage]
symbol = " "
disabled = false
[nim]
symbol = " "
[nix_shell]
format = '[$symbol$state]($style) '
symbol = " "
pure_msg = "λ"
impure_msg = "⎔"
[nodejs]
symbol = " "
[package]
symbol = " "
[php]
symbol = " "
[python]
symbol = " "
[ruby]
symbol = " "
[rust]
symbol = " "
[status]
disabled = false
hosts/profiles/desktop/battery-low-timer.nix
+42
View File
@@ -0,0 +1,42 @@
{ pkgs, ... }:
{
systemd.services.battery-low = {
serviceConfig.Type = "simple";
path = [
pkgs.acpi
pkgs.gawk # I was too lazy to find out where awk lives, it's not coreutils, hopefully it works the same
pkgs.libnotify
];
startAt = "*08:00:00";
script = ''
#!/usr/bin/env bash
if [ `acpi -b | grep "Battery 0" | gawk ' { print ($3)}'` == "Discharging," ] ; then
# Discharging
# Monitor for low battery
rm /tmp/battery-full
if [ `acpi -b | grep "Battery 0" | gawk ' { print ($4)-0}'` -le "15" ] ; then
notify-send -u critical "Battery Low";
fi
else
# Charging
if [ `acpi -b | grep "Battery 0" | gawk ' { print ($4)-0}'` -ge "94" ] ; then
# Fully charged
if [[ -f /tmp/battery-full ]]; then
touch /tmp/battery-full;
notify-send "Battery Full"
fi
fi
fi
'';
serviceConfig = {
User = "anish";
Environment = "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus";
};
};
systemd.timers.battery-low = {
wantedBy = [ "timers.target" ];
partOf = [ "battery-low.service" ];
timerConfig.OnCalendar = [ "*:0/5" ];
};
}
hosts/profiles/desktop/default.nix
+218
View File
@@ -0,0 +1,218 @@
{ config, pkgs, lib, ... }:
let
tex = (pkgs.texlive.combine {
inherit (pkgs.texlive) scheme-basic
dvisvgm dvipng# for preview and export as html
wrapfig amsmath ulem hyperref capt-of;
#(setq org-latex-compiler "lualatex")
#(setq org-preview-latex-default-process 'dvisvgm)
});
dracula-gtk = pkgs.fetchFromGitHub {
owner = "dracula";
repo = "gtk";
rev = "502f212d83bc67e8f0499574546b99ec6c8e16f9";
sha256 = "1wx9nzq7cqyvpaq4j60bs8g7gh4jk8qg4016yi4c331l4iw1ymsa";
};
in
{
# TODO modularize
imports = [ ./battery-low-timer.nix ];
services = {
gnome.gnome-keyring.enable = true;
upower.enable = true;
dbus = {
enable = true;
packages = [ pkgs.dconf ];
};
};
security.pam.services.Default.enableGnomeKeyring = true;
security.pam.services.Login.enableGnomeKeyring = true;
security.pam.services.sddm.enableGnomeKeyring = true;
environment.sessionVariables = rec {
XDG_CACHE_HOME = "\${HOME}/.cache";
XDG_CONFIG_HOME = "\${HOME}/.config";
XDG_BIN_HOME = "\${HOME}/.local/bin";
XDG_DATA_HOME = "\${HOME}/.local/share";
PATH = [
"\${XDG_BIN_HOME}"
];
};
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"ripcord"
"VCV-Rack"
"SunVox"
"renoise"
];
environment.systemPackages = with pkgs; [
signal-desktop # bridge to sealight?
scrot
ripcord
feh
sxiv
xkblayout-state
sublime-music
vcv-rack
zathura
calibre
nheko
fractal
mpv
newsflash
zeal
xclip
xdotool
rofi
rofimoji
rofi-calc
eww
obs-studio
lightdm
dunst
libnotify
(polybar.override {
pulseSupport = true;
nlSupport = true;
})
papirus-icon-theme
calendar-cli
wyrd
tootle
tex
];
location.provider = "geoclue2";
services = {
redshift = {
enable = true;
temperature = {
day = 5500;
night = 3700;
};
};
xserver = {
enable = true;
layout = "us,dvorak";
desktopManager.wallpaper.mode = "fill";
displayManager = {
defaultSession = "none+bspwm";
sessionCommands = ''
${pkgs.xorg.xrdb}/bin/xrdb -merge <<EOF
#define blk #1F2430
#define bblk #F28779
#define red #A6CC70
#define bred #FFCC66
#define grn #5CCFE6
#define bgrn #F29E74
#define ylw #77A8D9
#define bylw #5C6773
#define blu #707A8C
#define bblu #F27983
#define mag #BAE67E
#define bmag #FFD580
#define cyn #73D0FF
#define bcyn #FFA759
#define wht #95E6CB
#define bwht #CBCCC6
#define bg blk
#define fg wht
*.foreground: fg
*.background: bg
*.cursorColor: mag
*.color0: blk
*.color8: bblk
*.color1: red
*.color9: bred
*.color2: grn
*.color10: bgrn
*.color3: ylw
*.color11: bylw
*.color4: blu
*.color12: bblu
*.color5: mag
*.color13: bmag
*.color6: cyn
*.color14: bcyn
*.color7: wht
*.color15: bwht
! greys
*.color234: #1E2029
*.color235: #282a36
*.color236: #373844
*.color237: #44475a
*.color239: #565761
*.color240: #6272a4
*.color241: #b6b6b2
EOF
# hotplug
connect() {
xrandr --output HDMI-2 --same-as eDP-1
}
disconnect() {
xrandr --output HDMI-2 --off
}
xrandr | grep "HDMI-2 connected" &>>/dev/null && connect || disconnect
# keyboard on curve is busted
get_keyboard_id() {
xinput list | grep 'AT Translated Set' | cut -f2 | cut -d'=' -f2 | xinput float
}
disconnect_keyboard() {
id=$(get_keyboard_id)
xinput float $id
unset id
}
attach_keyboard() {
id=$(get_keyboard_id)
xinput reattach $id 3
}
disconnect_keyboard
'';
lightdm = {
enable = true;
background = "/etc/nixos/users/profiles/desktop/background.jpg";
greeters.mini = {
enable = true;
user = "anish";
extraConfig = ''
text-color = "#ff79c6"
password-background-color = "#1E2029"
window-color = "#181a23"
border-color = "#181a23"
'';
};
};
};
windowManager.bspwm.enable = true;
#windowManager.bspwm.configFile = "/home/anish/.bspwm/bspwmrc";
windowManager.bspwm.sxhkd.configFile = "/home/anish/.config/sxhkdrc";
};
};
fonts.fonts = with pkgs; [
fira-code
fira-code-symbols
hermit
#hack
siji
font-awesome
proggyfonts
(nerdfonts.override { fonts = [ "FiraCode" "DroidSansMono" "Iosevka" ]; })
];
}
hosts/profiles/dhyan/default.nix
+32
View File
@@ -0,0 +1,32 @@
{ pkgs, ... }:
{
# TODO
# scrappy script that requires dhyan be cloned to /home/anish/usr/dhyan
# dhyan needs secrets, and internet access to install dependencies, havent figured that out with nix yet
# dhyan also depends on jdk11, but that's only to install dependencies, run `bb -m dhyan.main` once before installing this script
# If you've updated dhyan, you'll want to cd to /home/anish/usr/dhyan and run git pull
systemd.services.dhyan = {
serviceConfig.Type = "oneshot";
path = [
pkgs.babashka
pkgs.git
pkgs.jdk11
pkgs.curl
];
startAt = "*08:00:00";
script = ''
cd /home/anish/usr/dhyan
source .envrc
bb -m dhyan.main
'';
serviceConfig = {
User = "anish";
};
};
systemd.timers.dhyan = {
wantedBy = [ "timers.target" ];
partOf = [ "kitaab-sync.service" ];
timerConfig.OnCalendar = [ "08:00:00" ];
};
}
hosts/profiles/dns/default.nix
+35
View File
@@ -0,0 +1,35 @@
{ config, pkgs, lib, ... }:
{
services.dnsmasq.enable = true;
services.dnsmasq.extraConfig = ''
domain-needed
no-resolv
local=/lan/
local=/moss/
cache-size=5000
addn-hosts=/etc/adblock.hosts
''; # TODO find a way to make adblock hosts reproducible and updateable
services.dnsmasq.servers = [ "45.90.30.49" "45.90.28.49" "1.1.1.1" "8.8.8.8" ];
# TODO use this list in mossnet-hosts
networking.hosts = {
"192.168.1.240" = [
"mossnet.lan"
"links.mossnet.lan"
"read.mossnet.lan"
"stats.mossnet.lan"
"music.mossnet.lan"
"rss.mossnet.lan"
"tasks.mossnet.lan"
"file.mossnet.lan"
"books.mossnet.lan"
"fin.mossnet.lan"
"paper.mossnet.lan"
"cal.mossnet.lan"
];
"192.168.1.226" = [
"df-web.lan"
];
};
networking.firewall.allowedTCPPorts = [ 53 ];
networking.firewall.allowedUDPPorts = [ 53 ];
}
hosts/profiles/finance/default.nix
+40
View File
@@ -0,0 +1,40 @@
{ pkgs, config, lib, ... }:
{
services.paperless = {
enable = true;
consumptionDirIsPublic = true;
extraConfig.PAPERLESS_AUTO_LOGIN_USERNAME = "admin";
};
environment.systemPackages = [
pkgs.beancount
];
# TODO
# This one doesn't have a start condition, so I'm manually triggering it
# I'm not sure what the proper start condition is for it
systemd.services.fava = {
path = [
pkgs.fava
];
before = [ "nginx.service" ];
serviceConfig = {
User = "anish";
ExecStart = ''
${pkgs.fava}/bin/fava -p 29492 /home/anish/usr/finance/ledger.beancount
'';
Restart = "on-failure";
};
};
services.nginx = {
enable = true;
virtualHosts."fin.mossnet.lan".locations."/" = {
proxyPass = "http://localhost:29492";
};
virtualHosts."paper.mossnet.lan".locations."/" = {
proxyPass = "http://localhost:28981";
};
};
}
hosts/profiles/freshrss/default.nix
+36
View File
@@ -0,0 +1,36 @@
{ config, lib, pkgs, ... }:
{
age.secrets.freshrss-dbpass.file = "${self}/secrets/freshrss-dbpass.age";
age.secrets.freshrss-dbpass.owner = "freshrss";
services.freshrss = {
enable = true;
virtualHost = "rss.sealight.xyz";
baseUrl = "https://rss.sealight.xyz/";
database = {
type = "pgsql";
passFile = "/run/agenix/freshrss-dbpass";
};
};
services.postgresql = {
enable = true; # Ensure postgresql is enabled
package = pkgs.postgresql_11;
authentication = ''
local freshrss all ident map=freshrss-users
'';
identMap = # Map the gitea user to postgresql
''
freshrss-users freshrss freshrss
'';
# TODO with password
# ensureDatabases = [ "freshrss" ];
ensureUsers = [
{ name = "freshrss"; ensurePermissions."DATABASE freshrss" = "ALL PRIVILEGES"; }
];
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme.defaults.email = "anish+acme@lakhwara.com";
security.acme.acceptTerms = true;
}
hosts/profiles/ftp/default.nix
+20
View File
@@ -0,0 +1,20 @@
{ pkgs, lib, ... }:
{
networking.firewall.allowedTCPPorts = [ 20 21 ];
networking.firewall.allowedTCPPortRanges = [{ from = 51000; to = 51999; }];
services.vsftpd = {
enable = true;
writeEnable = true;
anonymousUser = true;
anonymousUserNoPassword = true;
anonymousUploadEnable = true;
anonymousMkdirEnable = true;
anonymousUserHome = "/home/ftp";
extraConfig = ''
pasv_enable=Yes
pasv_min_port=51000
pasv_max_port=51999
'';
};
}
hosts/profiles/gitea/default.nix
+67
View File
@@ -0,0 +1,67 @@
{ config, lib, pkgs, ... }:
{
services.gitea = {
enable = true;
appName = "Sealight Git Forge";
domain = "git.sealight.xyz";
rootUrl = "https://git.sealight.xyz";
httpPort = 3001;
extraConfig = ''
[markup.restructuredtext]
ENABLED = true
FILE_EXTENSIONS = .rst
RENDER_COMMAND = "timeout 30s pandoc +RTS -M512M -RTS -f rst"
IS_INPUT_FILE = false
'';
database = {
type = "postgres";
# passwordFile = "/run/secrets/gitea-dbpass"; # TODO supplied by agenix
password = "somethingunknowablesorry";
};
settings = {
metrics = {
ENABLED = true;
};
repository = {
DEFAULT_BRANCH = "main";
};
};
};
environment.systemPackages = [ pkgs.pandoc ];
services.postgresql = {
enable = true; # Ensure postgresql is enabled
authentication = ''
local gitea all ident map=gitea-users
'';
identMap = # Map the gitea user to postgresql
''
gitea-users gitea gitea
'';
# ensureDatabases = [ "gitea" ];
ensureUsers = [
{ name = "gitea"; ensurePermissions."DATABASE gitea" = "ALL PRIVILEGES"; }
];
# TODO
# initialScript # set password for gitea user
};
services.nginx = {
enable = true; # Enable Nginx
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts."git.sealight.xyz" = {
# Gitea hostname
enableACME = true; # Use ACME certs
forceSSL = true; # Force SSL
locations."/".proxyPass = "http://localhost:3001/"; # Proxy Gitea
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme.defaults.email = "anish+acme@lakhwara.com";
security.acme.acceptTerms = true;
}
hosts/profiles/gonic/default.nix
+12
View File
@@ -0,0 +1,12 @@
{ config, lib, pkgs, ... }:
{
services.gonic.enable = true;
services.gonic.settings = ''
music-path /mnt/two/music/
podcast-path /data/podcasts
cache-path /data/cache
'';
services.gonic.group = "audio";
services.gonic.user = "headphones";
networking.firewall.allowedTCPPorts = [ 4747 ];
}
hosts/profiles/gonic/module-gonic.nix
+110
View File
@@ -0,0 +1,110 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.gonic;
configFile = "/etc/gonic/config";
dataFolder = "/var/lib/gonic";
in
{
options = {
services.gonic = {
enable = mkEnableOption "Gonic music server and streamer";
settings = lib.mkOption {
type = types.str;
default = { };
example = literalExample ''
music-path <path to your music dir>
podcast-path <path to your podcasts dir>
cache-path <path to cache dir>
'';
description = ''
Configuration for Gonic, see <link xlink:href="https://github.com/sentriz/gonic"/> for supported values.
'';
};
user = mkOption {
type = types.str;
default = "gonic";
description = "User account under which gonic runs.";
};
group = mkOption {
type = types.str;
default = "gonic";
description = "Group account under which gonic runs.";
};
};
};
config = mkIf cfg.enable {
environment.etc."gonic/config".text = cfg.settings;
systemd.services.gonic = {
description = "gonic Music Server and Streamer compatible with Subsonic/Airsonic";
after = [ "remote-fs.target" "network.target" ];
wantedBy = [ "multi-user.target" ];
environment = {
#GONIC_MUSIC_PATH
#GONIC_PODCAST_PATH
#GONIC_CACHE_PATH
#GONIC_DB_PATH
GONIC_SCAN_INTERVAL = "800";
#...
};
serviceConfig = {
ExecStart = "${pkgs.gonic}/bin/gonic -config-path /etc/gonic/config";
WorkingDirectory = dataFolder;
TimeoutStopSec = "20";
KillMode = "process";
Restart = "on-failure";
RestartSec = "10";
User = cfg.user;
Group = cfg.group;
DevicePolicy = "closed";
NoNewPrivileges = " yes";
PrivateTmp = "yes";
PrivateUsers = "yes";
ProtectControlGroups = "yes";
ProtectKernelModules = "yes";
ProtectKernelTunables = "yes";
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
RestrictNamespaces = "yes";
RestrictRealtime = "yes";
SystemCallFilter = "~@clock @debug @module @mount @obsolete @privileged @reboot @setuid @swap";
ReadWritePaths = dataFolder;
StateDirectory = baseNameOf dataFolder;
};
};
users.users = optionalAttrs (cfg.user == "gonic") ({
gonic = {
description = "gonic service user";
name = cfg.user;
group = cfg.group;
isSystemUser = true;
};
});
users.groups = optionalAttrs (cfg.group == "gonic") ({
gonic = { };
});
services.nginx.virtualHosts."music.mossnet.lan" = {
enableACME = false;
forceSSL = false;
locations."/" = {
extraConfig = ''
proxy_pass http://localhost:4747/;
proxy_set_header X-Forwarded-Host $host;
'';
};
};
};
}
hosts/profiles/grasp/default.nix
+6
View File
@@ -0,0 +1,6 @@
{ ... }:
{
services."grasp".enable = true;
services."grasp".path = "/home/anish/kitaab/grasp";
services."grasp".user = "anish";
}
hosts/profiles/headphones/default.nix
+12
View File
@@ -0,0 +1,12 @@
{ config, lib, pkgs, ... }:
{
services.headphones = {
enable = true;
host = "192.168.1.240";
port = 8181;
user = "headphones";
group = "audio";
dataDir = "/data/music";
};
networking.firewall.allowedTCPPorts = [ 8181 ];
}
hosts/profiles/matrix/compress-state-service.nix
+21
View File
@@ -0,0 +1,21 @@
{ pkgs, ... }:
{
environment.systemPackages = [ pkgs.matrix-synapse-tools.rust-synapse-compress-state ];
systemd.services.compress-matrix-state = {
serviceConfig.Type = "oneshot";
path = [
pkgs.matrix-synapse-tools.rust-synapse-compress-state
];
script = ''
synapse_auto_compressor -p "host=/run/postgresql port=5432 user=matrix-synapse dbname=matrix-synapse" -n 2000000 -c 10000
'';
serviceConfig = {
User = "matrix-synapse";
};
};
systemd.timers.compress-matrix-state = {
wantedBy = [ "timers.target" ];
partOf = [ "compress-matrix-state.service" ];
timerConfig.OnCalendar = [ "weekly" ];
};
}
hosts/profiles/matrix/default.nix
+237
View File
@@ -0,0 +1,237 @@
{ self, config, lib, pkgs, ... }:
{
imports = [
./mautrix-telegram.nix
./mjolnir.nix
./heisenbridge.nix
./compress-state-service.nix
];
age.secrets.synapse-database-password.file = "${self}/secrets/synapse-database-password.age";
age.secrets.synapse-database-password.owner = "matrix-synapse";
age.secrets.synapse-config.file = "${self}/secrets/synapse-config.age";
age.secrets.synapse-config.owner = "matrix-synapse";
services.matrix-synapse = {
enable = true;
settings = {
server_name = "sealight.xyz";
listeners = [
{
port = 8448;
tls = false;
resources = [{
compress = true;
names = [ "client" "federation" ];
}];
}
{
port = 9090;
type = "metrics";
bind_addresses = [ "0.0.0.0" ];
resources = [{
compress = false;
names = [ ];
}];
tls = false;
}
];
app_service_config_files = [
# The registration file is automatically generated after starting the appservice for the first time.
# cp /var/lib/matrix-appservice-discord/discord-registration.yaml /var/lib/matrix-synapse/
# chown matrix-synapse:matrix-synapse /var/lib/matrix-synapse/discord-registration.yaml
"/var/lib/matrix-synapse/telegram-registration.yaml"
# "/var/lib/matrix-synapse/slack-registration.yaml"
# "/var/lib/matrix-synapse/discord-registration.yaml"
# "/var/lib/matrix-synapse/whatsapp-registration.yaml"
];
turn_uris = [
"turn:turn.sealight.xyz:3478?transport=udp"
"turn:turn.sealight.xyz:3478?transport=tcp"
];
# turn_shared_secret = config.services.coturn.static-auth-secret;
# Example config (saved as secret??)
# ''
# max_upload_size: "50M"
# use_presence: false
# registration_shared_secret: "hD9HQGTTDxp0mQsQ5JDsfudWMDiubmZENOgPchIvfBvUlPxlvQSvjoO4wn2L1seU";
# enable_registration_without_verification: true
# '';
enable_metrics = true;
enable_registration = false;
database = {
name = "psycopg2";
args.passfile = "/run/agenix/synapse-database-password";
};
};
extraConfigFiles = [ "/run/agenix/synapse-config" ];
## coturn based TURN server integration (TURN server setup mentioned later),
## shared secret generated while configuring coturn
## and reused here (power of Nix being a real programming language)
};
# services.coturn = {
# enable = true;
# use-auth-secret = true;
# static-auth-secret = "jXW1ohIq6wM3NB00xeME3uBihY85xjpkhGoyzBIdwhOpj7gjyxXZu1fwp1lUiYwJ"; # TODO agenix
# realm = "turn.sealight.xyz";
# min-port = 49111;
# max-port = 51111;
# no-cli = true;
# no-tcp-relay = true;
# no-tls = true;
# cert = "${config.security.acme.certs."turn.sealight.xyz".directory}/full.pem";
# pkey = "${config.security.acme.certs."turn.sealight.xyz".directory}/key.pem";
# extraConfig = ''
# verbose
# user-quota=12
# total-quota=1200
# denied-peer-ip=10.0.0.0-10.255.255.255
# denied-peer-ip=192.168.0.0-192.168.255.255
# denied-peer-ip=172.16.0.0-172.31.255.255
# denied-peer-ip=0.0.0.0-0.255.255.255
# denied-peer-ip=100.64.0.0-100.127.255.255
# denied-peer-ip=127.0.0.0-127.255.255.255
# denied-peer-ip=169.254.0.0-169.254.255.255
# denied-peer-ip=192.0.0.0-192.0.0.255
# denied-peer-ip=192.0.2.0-192.0.2.255
# denied-peer-ip=192.88.99.0-192.88.99.255
# denied-peer-ip=198.18.0.0-198.19.255.255
# denied-peer-ip=198.51.100.0-198.51.100.255
# denied-peer-ip=203.0.113.0-203.0.113.255
# denied-peer-ip=240.0.0.0-255.255.255.255
# '';
# };
# security.acme.certs.${config.services.coturn.realm} = {
# /* insert here the right configuration to obtain a certificate */
# webroot = "/var/lib/acme/acme-challenge/";
# email = "anish+acme@lakhwara.com";
# postRun = "systemctl restart coturn.service";
# group = "turnserver";
# };
# TODO fix up jitsi bridge stuff
## services.jitsi-meet = {
## enable = true;
## hostName = "jitsi.sealight.xyz";
## };
## services.jitsi-videobridge.enable = true;
services.postgresql = {
enable = true;
package = pkgs.postgresql_14;
## postgresql user and db name remains in the
## service.matrix-synapse.database_args setting which
## by default is matrix-synapse
# TODO agenix
initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD "s0m3s3cur3p455w0rdth4tisch4ng3d";
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
authentication = ''
local matrix-synapse all ident map=matrix-synapse-users
'';
identMap = # Map the matrix-synapse user to postgresql
''
matrix-synapse-users matrix-synapse matrix-synapse
'';
};
networking.firewall =
let
range = with config.services.coturn; [{
from = min-port;
to = max-port;
}];
in
{
enable = true;
allowedUDPPortRanges = range; # coturn
allowedTCPPortRanges = range;
allowedTCPPorts = [
22 # SSH
8448 # Matrix federation
8008
80
443
3478 # Coturn service
5349 # Coturn service
9090 # Synapse Metrics
];
allowedUDPPorts = [
3478
5349 # Coturn service
];
};
nixpkgs.overlays = [
(self: super: {
element-web = super.element-web.override {
conf = {
default_server_config = {
"m.homeserver" = {
"base_url" = "https://chat.sealight.xyz";
"server_name" = "sealight.xyz";
};
"m.identity_server" = {
"base_url" = "https://vector.im";
};
};
## jitsi will be setup later,
## but we need to add to Riot configuration
jitsi.preferredDomain = "jitsi.sealight.xyz";
};
};
})
];
services.nginx = {
enable = true;
virtualHosts = {
"sealight.xyz" = {
forceSSL = true;
enableACME = true;
locations."/" = {
root = "/var/www/sealight.xyz";
};
locations."/_matrix" = {
proxyPass = "http://localhost:8448";
};
# locations."/slackbridge" = {
# proxyPass = "http://localhost:9899";
# };
};
## virtual host for Synapse
"chat.sealight.xyz" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:8448";
};
};
## virtual host for Riot/Web
"element.sealight.xyz" = {
forceSSL = true;
enableACME = true;
## root points to the element-web package content, also configured via Nix
locations."/" = {
root = pkgs.element-web;
};
};
# ${config.services.jitsi-meet.hostName} = {
# enableACME = true; # TODO
# forceSSL = true; # TODO
# };
};
## other nginx specific best practices
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
};
}
hosts/profiles/matrix/heisenbridge.nix
+10
View File
@@ -0,0 +1,10 @@
{ pkgs, lib, config, ... }:
{
services.sealight.heisenbridge = {
enable = true;
homeserver = "https://sealight.xyz";
listenPort = 14456;
appServiceToken = "wyujLh8kjpmk2bfKeEE3sZ2gWOEUBKK5";
homeserverToken = "yEHs7lthD2ZHUibJOAv1APaFhEjxN5PT";
};
}
hosts/profiles/matrix/matrix-slack.nix
+154
View File
@@ -0,0 +1,154 @@
{ config, pkgs, lib, ... }:
with lib;
let
dataDir = "/var/lib/matrix-appservice-slack";
registrationFile = "${dataDir}/slack-registration.yaml";
#appDir = "${pkgs.matrix-appservice-slack}/${pkgs.matrix-appservice-slack.passthru.nodeAppDir}";
cfg = config.services.matrix-appservice-slack;
# TODO: switch to configGen.json once RFC42 is implemented
settingsFile = pkgs.writeText "matrix-appservice-slack-settings.json" (builtins.toJSON cfg.settings);
in
{
options = {
services.matrix-appservice-slack = {
enable = mkEnableOption "a bridge between Matrix and Slack";
settings = mkOption rec {
# TODO: switch to types.config.json as prescribed by RFC42 once it's implemented
type = types.attrs;
apply = recursiveUpdate default;
default = {
# empty values necessary for registration file generation
# actual values defined in environmentFile
auth = {
clientID = "";
botToken = "";
};
};
example = literalExample ''
{
bridge = {
domain = "public-domain.tld";
homeserverUrl = "http://public-domain.tld:8008";
};
}
'';
description = ''
<filename>config.yaml</filename> configuration as a Nix attribute set.
</para>
<para>
Configuration options should match those described in
<link xlink:href="https://github.com/Half-Shot/matrix-appservice-discord/blob/master/config/config.sample.yaml">
config.sample.yaml</link>.
</para>
<para>
<option>config.bridge.domain</option> and <option>config.bridge.homeserverUrl</option>
should be set to match the public host name of the Matrix homeserver for webhooks and avatars to work.
</para>
<para>
Secret tokens should be specified using <option>environmentFile</option>
instead of this world-readable attribute set.
'';
};
environmentFile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
File containing environment variables to be passed to the matrix-appservice-discord service,
in which secret tokens can be specified securely by defining values for
<literal>APPSERVICE_SLACK_AUTH_CLIENT_I_D</literal> and
<literal>APPSERVICE_SLACK_AUTH_BOT_TOKEN</literal>.
'';
};
url = mkOption {
type = types.str;
default = "http://localhost:${toString cfg.port}";
description = ''
The URL where the application service is listening for HS requests.
'';
};
port = mkOption {
type = types.port;
default = 9898; # from https://github.com/matrix-org/matrix-appservice-slack/blob/develop/config/config.sample.yaml#L70
description = ''
Port number on which the bridge should listen for internal communication with the Matrix homeserver.
'';
};
localpart = mkOption {
type = with types; nullOr str;
default = null;
description = ''
The user_id localpart to assign to the AS.
'';
};
serviceDependencies = mkOption {
type = with types; listOf str;
default = optional config.services.matrix-synapse.enable "matrix-synapse.service";
description = ''
List of Systemd services to require and wait for when starting the application service,
such as the Matrix homeserver if it's running on the same host.
'';
};
};
};
config = mkIf cfg.enable {
systemd.services.matrix-appservice-slack = {
description = "A bridge between Matrix and Slack.";
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ] ++ cfg.serviceDependencies;
after = [ "network-online.target" ] ++ cfg.serviceDependencies;
preStart = ''
if [ ! -f '${registrationFile}' ]; then
${pkgs.matrix-appservice-slack}/bin/matrix-appservice-slack \
--generate-registration \
--url=${escapeShellArg cfg.url} \
${optionalString (cfg.localpart != null) "--localpart=${escapeShellArg cfg.localpart}"} \
--config='${settingsFile}' \
--file='${registrationFile}'
fi
'';
serviceConfig = {
Type = "simple";
Restart = "always";
ProtectSystem = "strict";
ProtectHome = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
DynamicUser = true;
PrivateTmp = true;
#WorkingDirectory = appDir;
StateDirectory = baseNameOf dataDir;
UMask = 0027;
EnvironmentFile = cfg.environmentFile;
ExecStart = ''
${pkgs.matrix-appservice-slack}/bin/matrix-appservice-slack \
--file='${registrationFile}' \
--config='${settingsFile}' \
--port='${toString cfg.port}'
'';
};
};
};
meta.maintainers = with maintainers; [ chickensoupandrice ];
}
hosts/profiles/matrix/mautrix-telegram.nix
+37
View File
@@ -0,0 +1,37 @@
{ self, config, lib, pkgs, ... }:
{
age.secrets.telegram-matrix-env.file = "${self}/secrets/telegram-matrix-env.age";
#age.secrets.telegram-matrix-env.owner = "mautrix-telegram";
services.mautrix-telegram = {
enable = true;
environmentFile = "/run/agenix/telegram-matrix-env";
# TODO use pgsql
# The appservice is pre-configured to use SQLite by default. It's also possible to use PostgreSQL.
settings = {
homeserver = {
address = "https://sealight.xyz";
domain = "sealight.xyz";
};
appservice = {
provisioning.enabled = false;
id = "telegram";
bot_username = "telegrambridge";
public = {
enabled = false;
prefix = "/public";
external = "https://chat.sealight.xyz/public";
};
address = "http://localhost:18787";
port = 18787;
# The service uses SQLite by default, but it's also possible to use PostgreSQL instead:
#database = "postgresql:///mautrix-telegram?host=/run/postgresql";
};
bridge = {
relaybot.authless_portals = false;
permissions = {
"@aynish:sealight.xyz" = "admin";
};
};
};
};
}
hosts/profiles/matrix/mautrix-whatsapp.nix
+97
View File
@@ -0,0 +1,97 @@
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.services.mautrix-whatsapp;
configFile = pkgs.runCommand "mautrix-whatsapp"
{
buildInputs = [ pkgs.mautrix-whatsapp pkgs.remarshal ];
preferLocalBuild = true;
} ''
mkdir -p $out
${pkgs.remarshal}/bin/json2yaml -i ${pkgs.writeText "config.json" (builtins.toJSON cfg.configOptions)} \
-o $out/config.yaml
${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp -c $out/config.yaml -g -r $out/registration.yaml
'';
in
{
options.services.mautrix-whatsapp = {
enable = mkEnableOption "Mautrix-whatsapp, a puppeting bridge between Matrix and WhatsApp.";
configOptions = mkOption {
type = types.attrs;
description = ''
This options will be transform in YAML configuration file for the bridge
Look <link xlink:href="https://github.com/tulir/mautrix-whatsapp/wiki/Bridge-setup">here</link> for documentation.
'';
example = {
configOptions = {
homeserver = {
address = https://matrix.org;
domain = "matrix.org";
};
appservice = {
address = http://localhost:8080;
hostname = "0.0.0.0";
port = 8080;
database = {
type = "sqlite3";
uri = "/var/lib/mautrix-whatsapp/mautrix-whatsapp.db";
};
state_store_path = "/var/lib/mautrix-whatsapp/mx-state.json";
id = "whatsapp";
bot = {
username = "whatsappbot";
displayname = "WhatsApp bridge bot";
avatar = "mxc://maunium.net/NeXNQarUbrlYBiPCpprYsRqr";
};
as_token = "";
hs_token = "";
};
bridge = {
username_template = "whatsapp_{{.}}";
displayname_template = "{{if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}} (WA)";
command_prefix = "!wa";
permissions = {
"@example:matrix.org" = 100;
};
};
logging = {
directory = "/var/lib/mautrix-whatsapp/logs";
file_name_format = "{{.Date}}-{{.Index}}.log";
file_date_format = "\"2006-01-02\"";
file_mode = 384;
timestamp_format = "Jan _2, 2006 15:04:05";
print_level = "debug";
};
};
};
};
};
config = mkIf cfg.enable {
systemd.services.mautrix-whatsapp = {
description = "Mautrix-WhatsApp Service - A WhatsApp bridge for Matrix";
after = [ "network.target" "matrix-synapse.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
DynamicUser = true;
StateDirectory = "mautrix-whatsapp";
LoggingDir = "mautrix-whatsapp";
ExecStart = ''
${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp -c "${configFile}/config.yaml"
'';
Restart = "on-failure";
};
};
#services.matrix-synapse.app_service_config_files = [ "${configFile}/registration.yaml" ];
};
}
hosts/profiles/matrix/mjolnir.nix
+22
View File
@@ -0,0 +1,22 @@
{ self, pkgs, lib, config, ... }:
{
age.secrets.sealight-mod-password.file = "${self}/secrets/sealight-mod-password.age";
age.secrets.sealight-mod-password.owner = "mjolnir";
services.mjolnir = {
enable = true;
protectedRooms = [
"https://matrix.to/#/#public:sealight.xyz"
"https://matrix.to/#/#theFeed:sealight.xyz"
"https://matrix.to/#/#control:sealight.xyz"
];
managementRoom = "#control:sealight.xyz";
homeserverUrl = "https://sealight.xyz";
pantalaimon = {
enable = true;
username = "mod";
passwordFile = "/run/agenix/sealight-mod-password";
options.homeserver = config.services.mjolnir.homeserverUrl;
};
};
}
hosts/profiles/matrix/mod-mx-puppet-slack.nix
+125
View File
@@ -0,0 +1,125 @@
{ config, pkgs, lib, ... }:
with lib;
let
dataDir = "/var/lib/mx-puppet-slack";
registrationFile = "${dataDir}/slack-registration.yaml";
cfg = config.services.mx-puppet-slack;
settingsFormat = pkgs.formats.json { };
settingsFile = settingsFormat.generate "mx-puppet-slack-config.json" cfg.settings;
mx-puppet-slack = pkgs.callPackage ./pkg-mx-puppet-slack.nix { };
in
{
options = {
services.mx-puppet-slack = {
enable = mkEnableOption ''
mx-puppet-slack is a slack puppeting bridge for matrix.
It handles bridging private and group DMs, as well as Guilds (servers)
'';
settings = mkOption rec {
apply = recursiveUpdate default;
inherit (settingsFormat) type;
default = {
bridge.port = 8434;
presence = {
enabled = true;
interval = 500;
};
provisioning.whitelist = [ ];
relay.whitelist = [ ];
# variables are preceded by a colon.
namePatterns = {
user = ":name";
userOverride = ":displayname";
room = ":name";
group = ":name";
};
#defaults to sqlite but can be configured to use postgresql with
#connstring
database.filename = "${dataDir}/database.db";
logging = {
console = "info";
lineDateFormat = "MMM-D HH:mm:ss.SSS";
};
};
example = literalExpression ''
{
bridge = {
bindAddress = "localhost";
domain = "example.com";
homeserverUrl = "https://example.com";
};
provisioning.whitelist = [ "@admin:example.com" ];
relay.whitelist = [ "@.*:example.com" ];
}
'';
description = ''
<filename>config.yaml</filename> configuration as a Nix attribute set.
Configuration options should match those described in
<link xlink:href="https://github.com/matrix-slack/mx-puppet-slack/blob/master/sample.config.yaml">
sample.config.yaml</link>.
'';
};
serviceDependencies = mkOption {
type = with types; listOf str;
default = optional config.services.matrix-synapse.enable "matrix-synapse.service";
description = ''
List of Systemd services to require and wait for when starting the application service.
'';
};
};
};
config = mkIf cfg.enable {
systemd.services.mx-puppet-slack = {
description = ''
mx-puppet-slack is a slack puppeting bridge for matrix.
It handles bridging private and group DMs, as well as Guilds (servers).
'';
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ] ++ cfg.serviceDependencies;
after = [ "network-online.target" ] ++ cfg.serviceDependencies;
preStart = ''
# generate the appservice's registration file if absent
if [ ! -f '${registrationFile}' ]; then
${mx-puppet-slack}/bin/mx-puppet-slack -r -c ${settingsFile} \
-f ${registrationFile}
fi
'';
serviceConfig = {
Type = "simple";
Restart = "always";
ProtectSystem = "strict";
ProtectHome = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
DynamicUser = true;
PrivateTmp = true;
WorkingDirectory = mx-puppet-slack;
StateDirectory = baseNameOf dataDir;
UMask = 0027;
ExecStart = ''
${mx-puppet-slack}/bin/mx-puppet-slack \
-c ${settingsFile} \
-f ${registrationFile}
'';
};
};
};
meta.maintainers = with maintainers; [ chickensoupwithrice ];
}
hosts/profiles/metrics/default.nix
+159
View File
@@ -0,0 +1,159 @@
{ config, pkgs, ... }: {
# grafana configuration
#services.grafana = {
# enable = true;
# domain = "grafana.mossnet.lan";
# port = 2342;
# addr = "127.0.0.1";
#};
#
## nginx reverse proxy
#services.nginx.virtualHosts.${config.services.grafana.domain} = {
# locations."/" = {
# proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
# proxyWebsockets = true;
# };
#};
services.prometheus = {
enable = true;
port = 9001;
exporters = {
node = {
enable = true;
enabledCollectors = [ "systemd" ];
port = 9002;
};
};
rules = [
''
groups:
- name: synapse
rules:
- record: "synapse_federation_transaction_queue_pendingEdus:total"
expr: "sum(synapse_federation_transaction_queue_pendingEdus or absent(synapse_federation_transaction_queue_pendingEdus)*0)"
- record: "synapse_federation_transaction_queue_pendingPdus:total"
expr: "sum(synapse_federation_transaction_queue_pendingPdus or absent(synapse_federation_transaction_queue_pendingPdus)*0)"
- record: 'synapse_http_server_request_count:method'
labels:
servlet: ""
expr: "sum(synapse_http_server_request_count) by (method)"
- record: 'synapse_http_server_request_count:servlet'
labels:
method: ""
expr: 'sum(synapse_http_server_request_count) by (servlet)'
- record: 'synapse_http_server_request_count:total'
labels:
servlet: ""
expr: 'sum(synapse_http_server_request_count:by_method) by (servlet)'
- record: 'synapse_cache:hit_ratio_5m'
expr: 'rate(synapse_util_caches_cache:hits[5m]) / rate(synapse_util_caches_cache:total[5m])'
- record: 'synapse_cache:hit_ratio_30s'
expr: 'rate(synapse_util_caches_cache:hits[30s]) / rate(synapse_util_caches_cache:total[30s])'
- record: 'synapse_federation_client_sent'
labels:
type: "EDU"
expr: 'synapse_federation_client_sent_edus + 0'
- record: 'synapse_federation_client_sent'
labels:
type: "PDU"
expr: 'synapse_federation_client_sent_pdu_destinations:count + 0'
- record: 'synapse_federation_client_sent'
labels:
type: "Query"
expr: 'sum(synapse_federation_client_sent_queries) by (job)'
- record: 'synapse_federation_server_received'
labels:
type: "EDU"
expr: 'synapse_federation_server_received_edus + 0'
- record: 'synapse_federation_server_received'
labels:
type: "PDU"
expr: 'synapse_federation_server_received_pdus + 0'
- record: 'synapse_federation_server_received'
labels:
type: "Query"
expr: 'sum(synapse_federation_server_received_queries) by (job)'
- record: 'synapse_federation_transaction_queue_pending'
labels:
type: "EDU"
expr: 'synapse_federation_transaction_queue_pending_edus + 0'
- record: 'synapse_federation_transaction_queue_pending'
labels:
type: "PDU"
expr: 'synapse_federation_transaction_queue_pending_pdus + 0'
- record: synapse_storage_events_persisted_by_source_type
expr: sum without(type, origin_type, origin_entity) (synapse_storage_events_persisted_events_sep{origin_type="remote"})
labels:
type: remote
- record: synapse_storage_events_persisted_by_source_type
expr: sum without(type, origin_type, origin_entity) (synapse_storage_events_persisted_events_sep{origin_entity="*client*",origin_type="local"})
labels:
type: local
- record: synapse_storage_events_persisted_by_source_type
expr: sum without(type, origin_type, origin_entity) (synapse_storage_events_persisted_events_sep{origin_entity!="*client*",origin_type="local"})
labels:
type: bridges
- record: synapse_storage_events_persisted_by_event_type
expr: sum without(origin_entity, origin_type) (synapse_storage_events_persisted_events_sep)
- record: synapse_storage_events_persisted_by_origin
expr: sum without(type) (synapse_storage_events_persisted_events_sep)
''
];
scrapeConfigs = [
{
job_name = "helix";
static_configs = [{
targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ];
}];
}
{
job_name = "synapse";
metrics_path = "/_synapse/metrics";
static_configs = [{
targets = [ "localhost:9090" ];
}];
}
{
job_name = "gitea";
static_configs = [{
targets = [ "localhost:3001" ];
}];
}
];
};
networking.firewall = {
enable = true;
allowedTCPPorts = [ 9001 ];
};
services.nginx.virtualHosts."sealight.xyz" = {
locations."/metrics" = {
#basicAuth = { anish = "password"; };
proxyPass = "http://localhost:9001";
};
};
services.loki = {
enable = false; # TODO
#configFile = /var/loki-config.yaml;
};
# systemd.services.promtail = {
# description = "Promtail service for Loki";
# wantedBy = [ "multi-user.target" ];
# serviceConfig = {
# ExecStart = ''
# ${pkgs.grafana-loki}/bin/promtail --config.file ${/var/promtail.yaml}
# '';
# };
# };
}
hosts/profiles/mimetypes/default.nix
+19
View File
@@ -0,0 +1,19 @@
{ pkgs, lib, ... }:
{
xdg.mime.defaultApplications = {
"application/pdf" = "firefox.desktop";
"image/png" = [
"sxiv.desktop"
"feh.desktop"
];
"image/jpg" = [
"sxiv.desktop"
"feh.desktop"
];
"image/jpeg" = [
"sxiv.desktop"
"feh.desktop"
];
};
}
hosts/profiles/monitoring/default.nix
+60
View File
@@ -0,0 +1,60 @@
{ config, pkgs, ... }: {
# grafana configuration
services.grafana = {
enable = true;
domain = "stats.mossnet.lan";
port = 2342;
addr = "127.0.0.1";
};
# nginx reverse proxy
services.nginx.recommendedProxySettings = true; # Needed for new grafana versions
services.nginx.virtualHosts.${config.services.grafana.domain} = {
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
proxyWebsockets = true;
};
};
services.prometheus = {
enable = true;
port = 9001;
exporters = {
node = {
enable = true;
enabledCollectors = [ "systemd" ];
port = 9002;
};
dnsmasq = {
enable = true;
port = 9153;
};
};
scrapeConfigs = [
{
job_name = "box";
static_configs = [{ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; }];
}
{
job_name = "dns";
static_configs = [{ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.dnsmasq.port}" ]; }];
}
];
};
services.loki = {
#enable = true;
#configFile = /var/loki-config.yaml;
};
#systemd.services.promtail = {
# description = "Promtail service for Loki";
# wantedBy = [ "multi-user.target" ];
# serviceConfig = {
# ExecStart = ''
# ${pkgs.grafana-loki}/bin/promtail --config.file ${/var/promtail.yaml}
# '';
# };
#};
}
hosts/profiles/mossnet-hosts/default.nix
+18
View File
@@ -0,0 +1,18 @@
{
# TODO use the list from DNS
networking.extraHosts = ''
192.168.1.240 mossnet.lan
192.168.1.240 links.mossnet.lan
192.168.1.240 read.mossnet.lan
192.168.1.240 music.mossnet.lan
192.168.1.240 stats.mossnet.lan
192.168.1.240 file.mossnet.lan
192.168.1.240 task.mossnet.lan
192.168.1.240 fin.mossnet.lan
192.168.1.240 paper.mossnet.lan
'';
# 10.0.69.4 mossnet.lan
# 10.0.69.4 links.mossnet.lan
# 10.0.69.4 read.mossnet.lan
# 10.0.69.4 stats.mossnet.lan
}
hosts/profiles/mount-mossnet/default.nix
+9
View File
@@ -0,0 +1,9 @@
{ pkgs, lib, ... }:
{
fileSystems."/mnt/mossnet" = {
device = "10.0.69.4:/mnt/two";
fsType = "nfs";
options = [ "noatime" ];
};
}
hosts/profiles/muneem/default.nix
+35
View File
@@ -0,0 +1,35 @@
{ pkgs, ... }:
{
# TODO
# scrappy script that requires muneem be cloned to /home/anish/usr/muneem
# you also gotta setup .envrc and add all the secrets there lol
# muneem needs secrets, and internet access to install dependencies, havent figured that out with nix yet
# muneem also depends on jdk11, but that's only to install dependencies, run `bb -m muneem.main` once before installing this script
# If you've updated muneem, you'll want to cd to /home/anish/usr/muneem and run git pull
systemd.services.muneem = {
serviceConfig.Type = "oneshot";
path = with pkgs; [
babashka
git
jdk11
curl
chromedriver
chromium
];
startAt = "Thu 03:00:00";
script = ''
cd /home/anish/usr/muneem
source .envrc
bb -m muneem.main
'';
serviceConfig = {
User = "anish";
};
};
systemd.timers.muneem = {
wantedBy = [ "timers.target" ];
partOf = [ "muneem.service" ];
timerConfig.OnCalendar = [ "Thu 03:00:00" ];
};
}
hosts/profiles/music/default.nix
+62
View File
@@ -0,0 +1,62 @@
{ pkgs, lib, ... }:
{
environment.systemPackages = with pkgs; [
qjackctl
libjack2 # needed for overtone with pipewire
jack2 # needed for overtone with pipewire
# GUI
carla
# Plugins
helm
# surge
distrho
orca-c
supercollider
dirt
sunvox
vcv-rack
lmms
bespokesynth
lsp-plugins
helio-workstation
projectm # milkdrop visualizer
# DAWs
# ardour
# reaper
renoise
];
hardware.pulseaudio.enable = lib.mkForce false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
config = {
pipewire."context.properties"."default.clock.rate" = "48000";
pipewire-pulse."stream.properties"."resample.quality" = 15;
client."stream.properties"."resample.quality" = 15;
client-rt."stream.properties"."resample.quality" = 15;
#jack."context.modules" = [];
};
#media-session.config.bluez-monitor.properties = {
# "bluez5.headset-roles" = [ "hsp_hs" "hsp_ag" ];
# "bluez5.codecs" = [ "aac" "ldac" "aptx_hd" ];
#};
};
#systemd.services.bluethoot.serviceConfig.ExecStart = [
# ""
# "${config.hardware.bluetooth.package}/libexec/bluetooth/bluetoothd --noplugin=sap"
#];
boot.kernelModules = [ "snd-seq" "snd-rawmidi" ]; # midi sequence kernel mods
hardware.pulseaudio.package = pkgs.pulseaudio.override { jackaudioSupport = true; };
}
hosts/profiles/nextcloud/default.nix
+60
View File
@@ -0,0 +1,60 @@
{ pkgs, config, ... }:
{
#age.secrets.nextcloud-db.file = "/etc/nixos/secrets/nextcloud-db.age";
#age.secrets.nextcloud-db.owner = "nextcloud";
#age.secrets.nextcloud-admin.file = "/etc/nixos/secrets/nextcloud-admin.age";
#age.secrets.nextcloud-admin.owner = "nextcloud";
services.nextcloud = {
enable = true;
hostName = "mossnet.lan";
home = "/data/nextcloud2";
package = pkgs.nextcloud22;
# Use HTTPS for links
https = false;
# Auto-update Nextcloud Apps
autoUpdateApps.enable = true;
# Set what time makes sense for you
autoUpdateApps.startAt = "05:00:00";
config = {
# Further forces Nextcloud to use HTTPS
# overwriteProtocol = "https";
# Nextcloud PostegreSQL database configuration, recommended over using SQLite
dbtype = "pgsql";
dbuser = "nextcloud2";
dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
dbname = "nextcloud2";
dbpassFile = "/var/nextcloud-db-pass";
adminpassFile = "/var/nextcloud-admin-pass";
adminuser = "admin";
};
};
# Enable PostgreSQL
services.postgresql = {
enable = true;
# Ensure the database, user, and permissions always exist
ensureDatabases = [ "nextcloud" ];
ensureUsers = [
{
name = "nextcloud";
ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
}
];
};
# Ensure that postgres is running before running the setup
systemd.services."nextcloud-setup" = {
requires = [ "postgresql.service" ];
after = [ "postgresql.service" ];
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
#nixpkgs.config.permittedInsecurePackages = [ "nextcloud-19.0.6"];
}
hosts/profiles/nfs/default.nix
+35
View File
@@ -0,0 +1,35 @@
{
#fileSystems."/export/" = {
# device = "/mnt/mafuyu";
# options = [ "bind" ];
#};
services.nfs.server = {
enable = true;
# fixed rpc.statd port; for firewall
lockdPort = 4001;
mountdPort = 4002;
statdPort = 4000;
extraNfsdConfig = '''';
exports = ''
/home/ftp 192.168.1.0/24(rw)
/mnt/one 192.168.1.0/24(rw)
/mnt/two 192.168.1.0/24(rw,no_subtree_check) 10.0.69.0/24(rw,no_subtree_check)
/mnt/three 192.168.1.0/24(rw)
'';
};
networking.firewall = {
allowedTCPPorts = [ 111 2049 4000 4001 4002 20048 ];
allowedUDPPorts = [ 111 2049 4000 4001 4002 20048 ];
};
#systemd.services.create-mount-dir = {
# serviceConfig = {
# ExecStart = "mkdir /export";
# };
# wantedBy = [ "multi-user.target" ];
# after = [ "remote-fs.target" ];
# description = "Create a directory we can mount on fs";
#};
}
hosts/profiles/postgres_upgrade_script/default.nix
+31
View File
@@ -0,0 +1,31 @@
{ config, pkgs, ... }:
{
environment.systemPackages = [
(pkgs.writeScriptBin "upgrade-pg-cluster" ''
set -eux
# TODO it's perhaps advisable to stop all services that depend on postgresql
systemctl stop postgresql
# TODO replace `<new version>` with the psqlSchema here
# The schema can be found by running:
# nix-instantiate '<nixpkgs>' --eval -A postgresql_14.psqlSchema
export NEWDATA="/var/lib/postgresql/<new version>"
# TODO specify the postgresql package you'd like to upgrade to
export NEWBIN="${pkgs.postgresql_14}/bin"
export OLDDATA="${config.services.postgresql.dataDir}"
export OLDBIN="${config.services.postgresql.package}/bin"
install -d -m 0700 -o postgres -g postgres "$NEWDATA"
cd "$NEWDATA"
sudo -u postgres $NEWBIN/initdb -D "$NEWDATA"
sudo -u postgres $NEWBIN/pg_upgrade \
--old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \
--old-bindir $OLDBIN --new-bindir $NEWBIN \
"$@"
'')
];
}
hosts/profiles/radicale/default.nix
+24
View File
@@ -0,0 +1,24 @@
{ config, lib, pkgs, ... }:
{
services.radicale = {
enable = true;
package = pkgs.radicale;
settings = {
server.hosts = [ "0.0.0.0:5252" ];
};
};
networking.firewall.allowedTCPPorts = [ 5252 ];
services.nginx.virtualHosts."cal.mossnet.lan" = {
enableACME = false;
forceSSL = false;
locations."/" = {
extraConfig = ''
proxy_pass http://localhost:5252/;
proxy_set_header X-Forwarded-Host $host;
'';
};
};
}
hosts/profiles/rss-bridge/default.nix
+11
View File
@@ -0,0 +1,11 @@
{ pkgs, lib, config, ... }:
{
services.rss-bridge = {
enable = true;
virtualHost = "bridge.sealight.xyz";
whitelist = [ "Facebook" "Bandcamp" "Twitter" "Telegram" "Instagram" "Reddit" ];
};
services.nginx.virtualHosts."bridge.sealight.xyz".forceSSL = true;
services.nginx.virtualHosts."bridge.sealight.xyz".enableACME = true;
}
hosts/profiles/seafile/default.nix
+54
View File
@@ -0,0 +1,54 @@
{ pkgs, ... }:
{
services.seafile = {
enable = true;
seafileSettings = {
fileserver.host = "0.0.0.0";
fileserver.port = 8082;
};
ccnetSettings.General.SERVICE_URL = "http://file.mossnet.lan";
adminEmail = "anish@lakhwara.com";
initialAdminPassword = "arandompasswordsecure!";
};
services.nginx = {
enable = true;
};
services.nginx.upstreams."gunicorn_seafile" = {
servers."unix:/run/seahub/gunicorn.sock" = { };
};
services.nginx.upstreams."seafhttp" = {
servers."127.0.0.1:8082" = { };
};
services.nginx.virtualHosts."file.mossnet.lan" = {
serverName = "file.mossnet.lan";
locations."/" = {
proxyPass = "http://gunicorn_seafile"; # without a trailing /
extraConfig = ''
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $server_name;
#proxy_set_header Host $host;
proxy_read_timeout 1200s;
client_max_body_size 0; # disable max upload size
'';
};
locations."/seafhttp" = {
proxyPass = "http://seafhttp"; # without a trailing /
extraConfig = ''
rewrite ^/seafhttp(.*)$ $1 break;
client_max_body_size 0;
proxy_connect_timeout 36000s;
proxy_read_timeout 36000s;
proxy_send_timeout 36000s;
proxy_request_buffering off;
send_timeout 36000s;
'';
};
};
}
hosts/profiles/sealight-website/default.nix
+15
View File
@@ -0,0 +1,15 @@
{
# TODO add file/site to be deployed
# services.nginx = {
# enable = true;
# virtualHosts = {
# "sealight.xyz" = {
# forceSSL = true;
# enableACME = true;
# locations."/" = {
# root = "/var/www/sealight.xyz";
# };
# };
# };
# };
}
hosts/profiles/secrets/default.nix
+9
View File
@@ -0,0 +1,9 @@
{ self, pkgs, config, lib, ... }:
{
# Secrets used by home-manager modules
age.secrets.fastmail.file = "${self}/secrets/fastmail.age";
age.secrets.fastmail.owner = "anish";
age.secrets.mossnet.file = "${self}/secrets/mossnet.age";
age.secrets.mossnet.owner = "anish";
}
hosts/profiles/server/default.nix
+22
View File
@@ -0,0 +1,22 @@
{ config, ... }:
{
services.openssh = {
enable = true;
passwordAuthentication = false;
permitRootLogin = "no";
};
networking.firewall.allowedTCPPorts = [ 80 443 22 ]; # ssh and website
security.sudo.wheelNeedsPassword = false; # needed for deploy-rs
security.acme.defaults.email = "anish+acme@lakhwara.com";
security.acme.acceptTerms = true;
services.fail2ban = {
enable = true;
maxretry = 5;
ignoreIP = [
"127.0.0.0/8"
"10.0.0.0/8"
];
};
}
hosts/profiles/shaarli/default.nix
+114
View File
@@ -0,0 +1,114 @@
{ pkgs, config, ... }:
let
dataDir = "/var/www/shaarli-config";
name = "shaarli";
in
{
services.nginx = {
enable = true;
virtualHosts = {
"links.mossnet.lan" = {
forceSSL = false;
enableACME = false;
root = "${dataDir}";
extraConfig = ''
index index.php;
'';
locations = {
"/".extraConfig = ''
index index.php;
try_files _ /index.php$is_args$args;
'';
"~ (index)\\.php$".extraConfig = ''
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:${config.services.phpfpm.pools."${name}".socket};
fastcgi_index index.php;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
'';
"~ \\.php$".extraConfig = ''
deny all;
'';
"^~ /tpl/".extraConfig = "alias ${pkgs.shaarli}/tpl/;";
"^~ /plugins/".extraConfig = "alias ${pkgs.shaarli}/plugins/;";
"~* \\.(?:ico|css|js|gif|jpe?g|png)$".extraConfig = ''
expires max;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
'';
};
};
};
};
services.phpfpm = {
pools = {
"${name}" = {
user = "nginx";
group = "nginx";
#listen = "/run/phpfpm/php.sock";
settings = {
"listen.owner" = "nginx";
"listen.group" = "nginx";
"user" = "nginx";
"pm" = "dynamic";
"pm.max_children" = "4";
"pm.min_spare_servers" = "1";
"pm.max_spare_servers" = "4";
"pm.max_requests" = "32";
"catch_workers_output" = "1";
"php_admin_value[error_log]" = "/var/log/nginx/${name}-phpfpm-error.log";
};
};
};
};
users.extraUsers."${name}" = { group = "${name}"; };
users.extraGroups."${name}" = { };
users.users.shaarli.isSystemUser = true;
systemd.services.shaarli-install = {
serviceConfig.Type = "oneshot";
wantedBy = [ "multi-user.target" ];
script = ''
if [ ! -d "${dataDir}" ]; then
#cp -R ${pkgs.shaarli}/data.orig/.htaccess ${dataDir}/cache/
#cp -R ${pkgs.shaarli}/data.orig/.htaccess ${dataDir}/data/
#cp -R ${pkgs.shaarli}/data.orig/.htaccess ${dataDir}/pagecache/
#cp -R ${pkgs.shaarli}/data.orig/.htaccess ${dataDir}/tmp/
mkdir -p ${dataDir}/{cache,data,pagecache,tmp}
ln -s ${pkgs.shaarli}/* ${dataDir}
fi
chown -Rc nginx:nginx ${dataDir}
find ${dataDir} -type d ! -perm 0700 -exec chmod 0700 {} \; -exec chmod g-s {} \;
find ${dataDir} -type f ! -perm 0600 -exec chmod 0600 {} \;
'';
};
#networking.firewall.allowedTCPPorts = [ 80 ];
}
hosts/profiles/site/default.nix
+5
View File
@@ -0,0 +1,5 @@
{ self, pkgs, ... }:
{
services."anish.lakhwara.com".enable = true;
services."anish.lakhwara.com".enableSSL = true;
}
hosts/profiles/sync/cal/default.nix
+21
View File
@@ -0,0 +1,21 @@
{ pkgs, ... }:
{
systemd.services.vdir-sync = {
serviceConfig.Type = "oneshot";
path = [
pkgs.vdirsyncer
];
script = ''
vdirsyncer sync
'';
serviceConfig = {
User = "anish";
};
};
systemd.timers.vdir-sync = {
wantedBy = [ "timers.target" ];
partOf = [ "vdir-sync.service" ];
timerConfig.OnCalendar = [ "hourly" ];
};
}
hosts/profiles/sync/kitaab/default.nix
+26
View File
@@ -0,0 +1,26 @@
{ pkgs, ... }:
{
systemd.services.kitaab-sync = {
serviceConfig.Type = "oneshot";
path = [
pkgs.git
pkgs.coreutils
];
script = ''
cd /home/anish/kitaab
git add -A
git diff-index --quiet HEAD || git commit -m 'syncing kitaab' # if nothing, don't exit 1
git push
exit 0
'';
serviceConfig = {
User = "anish";
};
};
systemd.timers.kitaab-sync = {
wantedBy = [ "timers.target" ];
partOf = [ "kitaab-sync.service" ];
timerConfig.OnCalendar = [ "hourly" ];
};
}
hosts/profiles/sync/music/default.nix
+20
View File
@@ -0,0 +1,20 @@
{ pkgs, lib, ... }:
{
systemd.services.get-music-sync = {
serviceConfig.Type = "oneshot";
path = [
pkgs.coreutils
pkgs.rsync
];
script = builtins.readFile ./get-music.sh;
serviceConfig = {
User = "anish";
};
};
systemd.timers.get-music-timer = {
wantedBy = [ "timers.target" ];
partOf = [ "get-music-sync.service" ];
timerConfig.OnCalendar = [ "daily" ];
};
}
hosts/profiles/sync/music/get-music.sh
Executable
+9
View File
@@ -0,0 +1,9 @@
#!/usr/bin/env bash
rsync -r --ignore-existing --log-file=/data/incoming/download-log hypercube@talos.feralhosting.com:private/transmission/data/* /data/incoming
# you need to set defaults for beets
# if already imported -> Skip
# Auto accept changes
# also install it lmao
#beet import /data/incoming
hosts/profiles/sync/website/default.nix
+35
View File
@@ -0,0 +1,35 @@
{ pkgs, inputs, ... }:
{
systemd.services.website-deploy = {
serviceConfig.Type = "oneshot";
path = [
pkgs.git
pkgs.coreutils
pkgs.nixUnstable
pkgs.openssh
inputs.deploy.packages.${pkgs.system}.deploy-rs
];
script = ''
cd /etc/nixos/ # TODO make variable
nix flake lock --update-input poonam
nix flake lock --update-input basant
# TODO
# git add flake.lock
# git commit -m "update website"
# git push
deploy .#cube --hostname lakhwara.com
exit 0
'';
serviceConfig = {
User = "anish";
};
};
systemd.timers.website-deploy = {
after = [ "kitaab-sync.timer" ];
wantedBy = [ "timers.target" ];
partOf = [ "website-deploy.service" ];
timerConfig.OnCalendar = [ "daily" ];
timerConfig.persistent = "true";
};
}
hosts/profiles/syncthing/default.nix
+16
View File
@@ -0,0 +1,16 @@
{ pkgs, ... }:
{
services.syncthing = {
enable = true;
user = "anish";
group = "users";
dataDir = "/home/anish/";
configDir = "/home/anish/.config/syncthing";
};
# TODO reproducible shares?
networking.firewall.allowedTCPPorts = [ 8384 22000 ];
networking.firewall.allowedUDPPorts = [ 22000 21027 ];
}
hosts/profiles/taskd/default.nix
+10
View File
@@ -0,0 +1,10 @@
{ config, pkgs, ... }:
{
services.taskserver.enable = true;
services.taskserver.fqdn = "task.moss";
services.taskserver.listenHost = "0.0.0.0";
services.taskserver.listenPort = 53589;
services.taskserver.organisations.mossnet.users = [ "anish" ];
networking.firewall.allowedTCPPorts = [ 53589 ];
}
hosts/profiles/wallabag/default.nix
+100
View File
@@ -0,0 +1,100 @@
{ pkgs, config, lib, ... }:
{
services.postgresql = {
enable = true;
package = pkgs.postgresql_11;
# Ensure the database, user, and permissions always exist
ensureDatabases = [ "wallabag" ];
ensureUsers = [
{
name = "wallabag";
ensurePermissions."DATABASE wallabag" = "ALL PRIVILEGES";
}
];
};
services.wallabag = {
enable = true;
hostName = "read.mossnet.lan";
package = pkgs.wallabag;
conf = ''
# This file is a "template" of what your parameters.yml file should look like
parameters:
# Uncomment these settings or manually update your parameters.yml
# to use docker-compose
#
# database_driver: %env.database_driver%
# database_host: %env.database_host%
# database_port: %env.database_port%
# database_name: %env.database_name%
# database_user: %env.database_user%
# database_password: %env.database_password%
database_driver: pdo_pgsql
database_host: localhost
database_port: ~
database_name: wallabag
database_user: wallabag
database_password: wallabag
# For SQLite, database_path should be "%kernel.project_dir%/data/db/wallabag.sqlite"
database_path: ~
database_table_prefix: wallabag_
database_socket: null
# with PostgreSQL and SQLite, you must set "utf8"
database_charset: utf8
domain_name: http://read.mossnet.lan
server_name: "mossnet wallabag instance"
mailer_transport: smtp
mailer_user: ~
mailer_password: ~
mailer_host: 127.0.0.1
mailer_port: false
mailer_encryption: ~
mailer_auth_mode: ~
locale: en
# A secret key that's used to generate certain security-related tokens
secret: SAFGOECRIlfal89oe6u0(*^dsaaih961
# two factor stuff
twofactor_auth: true
twofactor_sender: no-reply@wallabag.org
# fosuser stuff
fosuser_registration: true
fosuser_confirmation: true
# how long the access token should live in seconds for the API
fos_oauth_server_access_token_lifetime: 3600
# how long the refresh token should life in seconds for the API
fos_oauth_server_refresh_token_lifetime: 1209600
from_email: no-reply@wallabag.org
rss_limit: 50
# RabbitMQ processing
rabbitmq_host: localhost
rabbitmq_port: 5672
rabbitmq_user: guest
rabbitmq_password: guest
rabbitmq_prefetch_count: 10
# Redis processing
redis_scheme: tcp
redis_host: localhost
redis_port: 6379
redis_path: null
redis_password: null
# sentry logging
sentry_dsn: ~
'';
};
# networking.firewall.allowedTCPPorts = [ 8080 ];
}
hosts/profiles/wifi/default.nix
+42
View File
@@ -0,0 +1,42 @@
{ config, pkgs, ... }:
{
networking.dhcpcd.wait = "background";
networking.dhcpcd.extraConfig = "noarp";
networking.wireless.userControlled.enable = true;
networking.wireless.networks = {
"Chester 11403" = {
pskRaw = "43fcb0bea43633899a9885865c53ea79d268b9bdfb8c3f4013718e43e6672e5e";
};
"HSBNEWiFi" = {
pskRaw = "0820d84980eeb47630f13f04804fc9add684a8feebb64ba914cafc48f569d801";
};
"TP-LINK_1D79" = {
pskRaw = "6d960910c33a59e94b151281cc3982863b4b112d8a4efd1b165e4f8e52e7dae8";
};
"nadir" = {
pskRaw = "92e0c1f0b3a1bada333964f0ee4ac04e0d9ba941aa3f29216cc3782595a41e5f";
};
"WiFi-399631" = {
pskRaw = "2e312c9721e470847f751d8b844d264dc5e2612361a579fc0bdebd2135b5a8ea";
};
"line" = {
pskRaw = "ec36a5a116224c12e305c90b7f3c5a0b7417abfaacf15828748f6a1e1e316c03";
};
"MEHRA" = {
pskRaw = "e1573bc9e30fd68ac8a805b7c5f9871322ffcdac909746831555905c2e156abb";
};
"Sandeep1" = {
pskRaw = "035972401640bf4dc2d8651c0b9df515a69f6bc2bffa07cc936183128a6ccf0a";
};
"chadpad" = {
pskRaw = "2594b3880a60817950bd60b2770c9793fd4cb784ed183f685a52502a9df2c7b1";
};
# "updog" = {
# pskRaw = "be28d9e50e4d9a065f1afccad52675d0d4fabe85526c0245648671721db606b1";
# };
"Vodafone-07F38" = {
pskRaw = "4ffd87de73ed31ef1aee1d0d178857490afbda3f0bb8453a0baaee7b2576f302";
};
};
}
hosts/profiles/wireguard-server/default.nix
+41
View File
@@ -0,0 +1,41 @@
{ config, pkgs, lib, ... }:
{
environment.systemPackages = [ pkgs.wireguard-tools pkgs.mosh ];
networking.nat = {
enable = true;
externalInterface = "ens3";
internalInterfaces = [ "wg0" ];
};
networking.firewall = {
allowedUDPPorts = [ 60990 ];
};
networking.wireguard.interfaces.wg0 = {
ips = [ "10.0.69.1/24" ];
listenPort = 60990;
privateKeyFile = "/var/lib/wireguard/priv";
generatePrivateKeyFile = true; # TODO agenix secret
peers = [
{
# box
publicKey = "Ra78mOc110K7URN5uB3m9d78iBKgeRHzT+3HkiFp9BU=";
allowedIPs = [ "10.0.69.4/32" ];
}
{
# line
publicKey = "fsb1FuGmYi89p4CVXytKw2FYamONKtoanxrgs/dJjC8=";
allowedIPs = [ "10.0.69.3/32" ];
}
{
# curve
publicKey = "kzw+51vVYkitGmSMJPAj1jdhzmxhvmSrrIQ4Ar8wzlI=";
allowedIPs = [ "10.0.69.2/32" ];
}
{
# helix
publicKey = "gcdq86hhEUlqF2chqYB/F8pALyAMNFvwLycxBoHuoDs=";
allowedIPs = [ "10.0.69.5/32" ];
}
];
};
}
hosts/profiles/wireguard/default.nix
+30
View File
@@ -0,0 +1,30 @@
{ config, pkgs, lib, ... }:
{
# services.tailscale.enable = true;
networking.firewall.allowedUDPPorts = [ 60990 ];
age.secrets.curve-wg.file = "/etc/nixos/secrets/curve-wg.age";
age.secrets.curve-wg.owner = "anish";
networking.wireguard.interfaces = {
# TODO need some kind of module here to configure curve & box from hosts or something
wg0 = {
ips = [ "10.0.69.2/24" ];
listenPort = 60990; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
privateKeyFile = "/run/agenix/curve-wg";
peers = [
# For a client configuration, one peer entry for the server will suffice.
{
publicKey = "c1J4p63rD3IlszugMZiki7UBV3YmDdqa3DU4UejXzAI=";
allowedIPs = [ "10.0.69.0/24" ];
# Set this to the server IP and port.
endpoint = "69.61.38.225:60990"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
];
};
};
}
hosts/users/anish/default.nix
+31
View File
@@ -0,0 +1,31 @@
{ hmUsers, pkgs, ... }:
{
#home-manager.users = { inherit (hmUsers) anish; };
users.users.anish = {
description = "Personal user for Anish";
hashedPassword = "$y$j9T$y3DPt/dWaPE.gRazQqw1w0$1RMH5sl/Nu8kW3ZMywYCPRniHD/jF5qRh0VKrdJ.bV2";
shell = pkgs.zsh;
isNormalUser = true;
extraGroups = [ "wheel" "audio" ];
openssh.authorizedKeys.keys = [
# Curve
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDM0Zvei46x/yZl/IeBCq6+IYQQ0avulzVyBysF9cPigZMCybWRV7IEU+E3k9t6JrbdbdGfJkcZIWmsWDdKS8W8mBnZpVoT0ffLynu8JQ/TKdGm4Qv6bgUeKNrGsNv0ZPs2CDaGSLj0oJfRF7Ko10tcLP0vW+yujrh+y6TH/vVzJioaV4TGvtCUpn+wEQah9ROwPQLUUofsSWdnRsDJ/gp37zXWs4l5wyjSKtP3O9RZUP7kBekbSqEgSXiTk0oUQSVqIWl9NDiP6onk/gSOjXsR/JPqsSN/XI/c/yj6gyY0f51Ru2D7iBxuMJIJcWV+rU6coIj+ULcQWLzt/7TI8jq5AOOzI/ll4zbL24Eo84Rz+TP9tvMMhDZ0VaMN22AJ8qQEjc5P09tWKsX7Jg39XelyV1jHXncE4yvIE9F4RSCHzWCeKeXakizQNuzSaxTxIExRFYHjNW5bR6+3MTGwVrEIXU+qML+0yFTR86MT+tdY5AreAJQLwbog79O1NupeXJE= anish@curve"
# Line
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDtU2GMYjXj6RGO1+mwM4TDGOo0qrKLTL4Di8+QgDX0p5vUEsnE1PS9wnuqCmSu75U8g0XIAMtvtdYyGk1N+Bx01erAZpT8DLYtIXFCyaiN28PVu5T1D0T+TQ7xgIH1qenXZR2DOQdf6kpvKEfm7+7bWhCo0N/KFMpmReubyzHDQcq/1qQasxTL+YALQFOjwKqsOTBXbHwZ103AEAcQX4ftBFEOfVli4/1aKIK4dNSZYB7J9Htq707YnsEqo9RLAMh0aOTTYgTx9AoSUDeqGuh/AGkcB7NcS7EEtI6d5YUGylwZh/gF6hqE0jl8kn2m5jMKXL3CRohZvjifue8x/GIjpu5WRabUuhBEbrfTQQaC7taHnt5rvYCGzKZx09TexUzhuz2CL480DRoxSG+P+lCNm1dIg/EZrnGEzXCSr36PlOqS5t5gm8tPkzCmZf2wU15A3ZIYUPmnYLqsn4WmIV7rKmdqt2ctWELUXow3PPiZXBucP9P3xpsYEfF1SB2SGNc= u0_a139@localhost"
];
};
home-manager.users.anish.home.stateVersion = "22.05";
# home-manager.users.anish.programs.git = {
# userName = "Anish Lakhwara";
# userEmail = "anish+git@lakhwara.com";
# delta.enable = true;
# };
#home-manager.users.anish = { suites, ... }: {
# imports = suites.gui;
#};
}