swarsel/.dotfiles
1
0
Fork 0
mirror of https://github.com/Swarsel/.dotfiles.git synced 2025-12-06 09:07:21 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

chore: code cleanup

Browse source
This commit is contained in:
Swarsel 2024-07-18 23:12:04 +02:00
parent bb59145f85
commit 3eecea6503
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
42 changed files with 4232 additions and 4479 deletions
Download patch file Download diff file Expand all files Collapse all files

4
profiles/TEMPLATE/home.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, lib, fetchFromGitHub, ... }:
{ config, pkgs, ... }:
{
@ -118,7 +118,7 @@
};
keybindings = let
modifier = config.wayland.windowManager.sway.config.modifier;
inherit (config.wayland.windowManager.sway.config) modifier;
in {
# TEMPLATE
"${modifier}+w" = "exec \"bash ~/.dotfiles/scripts/checkschildi.sh\"";

4
profiles/TEMPLATE/nixos.nix
View file

@ -1,4 +1,4 @@
{ config, lib, pkgs, inputs, ... }:
{ pkgs, ... }:
{
@ -67,7 +67,7 @@
};
monospace = {
package = (pkgs.nerdfonts.override { fonts = [ "FiraCode"]; });
package = pkgs.nerdfonts.override { fonts = [ "FiraCode"]; };
name = "FiraCode Nerd Font Mono";
};

207
profiles/common/home.nix
View file

@ -155,15 +155,15 @@
noto-fonts-cjk-sans
# cura
(let cura5 = appimageTools.wrapType2 rec {
name = "cura5";
version = "5.4.0";
src = fetchurl {
url = "https://github.com/Ultimaker/Cura/releases/download/${version}/UltiMaker-Cura-${version}-linux-modern.AppImage";
hash = "sha256-QVv7Wkfo082PH6n6rpsB79st2xK2+Np9ivBg/PYZd74=";
};
extraPkgs = pkgs: with pkgs; [ ];
}; in writeScriptBin "cura" ''
(let cura5 = appimageTools.wrapType2 rec {
name = "cura5";
version = "5.4.0";
src = fetchurl {
url = "https://github.com/Ultimaker/Cura/releases/download/${version}/UltiMaker-Cura-${version}-linux-modern.AppImage";
hash = "sha256-QVv7Wkfo082PH6n6rpsB79st2xK2+Np9ivBg/PYZd74=";
};
extraPkgs = pkgs: with pkgs; [ ];
}; in writeScriptBin "cura" ''
#! ${pkgs.bash}/bin/bash
# AppImage version of Cura loses current working directory and treats all paths relateive to $HOME.
# So we convert each of the files passed as argument to an absolute path.
@ -178,15 +178,15 @@
exec "${cura5}/bin/cura5" "''${args[@]}"
'')
#E: hides scratchpad depending on state, calls emacsclient for edit and then restores the scratchpad state
(pkgs.writeShellScriptBin "e" ''
#E: hides scratchpad depending on state, calls emacsclient for edit and then restores the scratchpad state
(pkgs.writeShellScriptBin "e" ''
bash ~/.dotfiles/scripts/editor_nowait.sh "$@"
'')
(pkgs.writeShellScriptBin "timer" ''
(pkgs.writeShellScriptBin "timer" ''
sleep "$1"; while true; do spd-say "$2"; sleep 0.5; done;
'')
(pkgs.writeScriptBin "project" ''
(pkgs.writeScriptBin "project" ''
#! ${pkgs.bash}/bin/bash
if [ "$1" == "rust" ]; then
cp ~/.dotfiles/templates/rust_flake.nix ./flake.nix
@ -214,10 +214,10 @@
direnv allow
'')
(pkgs.writeShellApplication {
name = "pass-fuzzel";
runtimeInputs = [ pkgs.pass pkgs.fuzzel ];
text = ''
(pkgs.writeShellApplication {
name = "pass-fuzzel";
runtimeInputs = [ pkgs.pass pkgs.fuzzel ];
text = ''
shopt -s nullglob globstar
typeit=0
@ -243,12 +243,12 @@
fi
notify-send -u critical -a pass -t 1000 "Copied/Typed Password"
'';
})
})
(pkgs.writeShellApplication {
name = "pass-fuzzel-otp";
runtimeInputs = [ pkgs.fuzzel (pkgs.pass.withExtensions (exts: [exts.pass-otp]))];
text = ''
(pkgs.writeShellApplication {
name = "pass-fuzzel-otp";
runtimeInputs = [ pkgs.fuzzel (pkgs.pass.withExtensions (exts: [exts.pass-otp]))];
text = ''
shopt -s nullglob globstar
typeit=0
@ -274,42 +274,44 @@
fi
notify-send -u critical -a pass -t 1000 "Copied/Typed OTPassword"
'';
})
})
(pkgs.writeShellApplication {
name = "cdw";
runtimeInputs = [ pkgs.fzf ];
text = ''
(pkgs.writeShellApplication {
name = "cdw";
runtimeInputs = [ pkgs.fzf ];
text = ''
cd "$(git worktree list | fzf | awk '{print $1}')"
'';
})
})
(pkgs.writeShellApplication {
name = "cdb";
runtimeInputs = [ pkgs.fzf ];
text = ''
(pkgs.writeShellApplication {
name = "cdb";
runtimeInputs = [ pkgs.fzf ];
text = ''
git checkout "$(git branch --list | grep -v "^\*" | fzf | awk '{print $1}')"
'';
})
})
(pkgs.writeShellApplication {
name = "bak";
text = ''
(pkgs.writeShellApplication {
name = "bak";
text = ''
cp "$1"{,.bak}
'';
})
})
];
sops.defaultSopsFile = "${config.home.homeDirectory}/.dotfiles/secrets/general/secrets.yaml";
sops.validateSopsFiles = false;
# since we are using the home-manager implementation, we need to specify the runtime path for each secret
sops.secrets.mrswarsel = {path = "/run/user/1000/secrets/mrswarsel";};
sops.secrets.nautilus = {path = "/run/user/1000/secrets/nautilus";};
sops.secrets.leon = {path = "/run/user/1000/secrets/leon";};
sops.secrets.swarselmail = {path = "/run/user/1000/secrets/swarselmail";};
sops.secrets.caldav = {path = "${config.home.homeDirectory}/.emacs.d/.caldav";};
sops = {
defaultSopsFile = "${config.home.homeDirectory}/.dotfiles/secrets/general/secrets.yaml";
validateSopsFiles = false;
secrets = {
mrswarsel = {path = "/run/user/1000/secrets/mrswarsel";};
nautilus = {path = "/run/user/1000/secrets/nautilus";};
leon = {path = "/run/user/1000/secrets/leon";};
swarselmail = {path = "/run/user/1000/secrets/swarselmail";};
caldav = {path = "${config.home.homeDirectory}/.emacs.d/.caldav";};
};
};
programs.ssh= {
enable = true;
@ -512,28 +514,29 @@ home.file = {
xdg.configFile = {
"tridactyl/tridactylrc".source = ../../programs/firefox/tridactyl/tridactylrc;
"tridactyl/themes/base16-codeschool.css".source = ../../programs/firefox/tridactyl/themes/base16-codeschool.css;
};
};
home.sessionVariables = {
EDITOR = "bash ~/.dotfiles/scripts/editor.sh";
};
# zsh Integration is enabled by default for these
programs.bottom.enable = true;
programs.imv.enable = true;
programs.sioyek.enable = true;
programs.bat.enable = true;
programs.carapace.enable = true;
programs.wlogout.enable = true;
programs.swayr.enable = true;
programs.yt-dlp.enable = true;
programs.mpv.enable = true;
programs.jq.enable = true;
programs.nix-index.enable = true;
programs.ripgrep.enable = true;
programs.pandoc.enable = true;
programs.fzf.enable = true;
programs.zoxide.enable = true;
programs = {
bottom.enable = true;
imv.enable = true;
sioyek.enable = true;
bat.enable = true;
carapace.enable = true;
wlogout.enable = true;
swayr.enable = true;
yt-dlp.enable = true;
mpv.enable = true;
jq.enable = true;
nix-index.enable = true;
ripgrep.enable = true;
pandoc.enable = true;
fzf.enable = true;
zoxide.enable = true;
};
programs.password-store = {
enable = true;
@ -543,7 +546,7 @@ programs.password-store = {
programs.direnv = {
enable = true;
nix-direnv.enable = true;
};
};
programs.eza = {
enable = true;
@ -836,7 +839,7 @@ accounts.email = {
};
mbsync = {
enable = false;
};
};
};
accounts.nautilus = {
@ -913,7 +916,7 @@ programs.emacs = {
# build the rest of the packages myself
# org-calfw is severely outdated on MELPA and throws many warnings on emacs startup
# build the package from the haji-ali fork, which is well-maintained
(epkgs.trivialBuild rec {
(epkgs.trivialBuild rec {
pname = "calfw";
version = "1.0.0-20231002";
src = pkgs.fetchFromGitHub {
@ -925,7 +928,7 @@ programs.emacs = {
packageRequires = [ epkgs.howm ];
})
(epkgs.trivialBuild rec {
(epkgs.trivialBuild rec {
pname = "fast-scroll";
version = "1.0.0-20191016";
src = pkgs.fetchFromGitHub {
@ -1142,19 +1145,19 @@ programs.firefox = {
];
};
policies = {
CaptivePortal = false;
DisableFirefoxStudies = true;
DisablePocket = true;
DisableTelemetry = true;
DisableFirefoxAccounts = false;
NoDefaultBookmarks = true;
OfferToSaveLogins = false;
OfferToSaveLoginsDefault = false;
EnableTrackingProtection = true;
};
CaptivePortal = false;
DisableFirefoxStudies = true;
DisablePocket = true;
DisableTelemetry = true;
DisableFirefoxAccounts = false;
NoDefaultBookmarks = true;
OfferToSaveLogins = false;
OfferToSaveLoginsDefault = false;
EnableTrackingProtection = true;
};
profiles.default = {
isDefault = true;
userChrome = (builtins.readFile ../../programs/firefox/chrome/userChrome.css);
userChrome = builtins.readFile ../../programs/firefox/chrome/userChrome.css;
extensions = with pkgs.nur.repos.rycee.firefox-addons; [
tridactyl
browserpass
@ -1172,42 +1175,10 @@ programs.firefox = {
widegithub
enhanced-github
unpaywall
# fastforwardteam
don-t-fuck-with-paste
plasma-integration
# (let version = "3.4.5.0";
# in buildFirefoxXpiAddon {
# pname = "bypass-paywalls-clean";
# inherit version;
# addonId = "magnolia@12.34";
# url =
# "https://gitlab.com/magnolia1234/bpc-uploads/-/raw/master/bypass_paywalls_clean-3.4.5.0.xpi";
# sha256 = "703d30c15b88291bd0305cc59013693aea5f75a40ea98fb8e252d1c7bfb43514";
# meta = with lib; {
# homepage =
# "https://gitlab.com/magnolia1234/bypass-paywalls-firefox-clean";
# description = "Bypass Paywalls of (custom) news sites";
# license = licenses.mit;
# platforms = platforms.all;
# };
# })
(buildFirefoxXpiAddon {
pname = ":emoji:";
version = "0.1.3";
addonId = "gonelf@gmail.com";
url = "https://addons.mozilla.org/firefox/downloads/file/3365324/emojidots-0.1.3.xpi";
sha256 = "4f7cc25c478fe52eb82f37c9ff4978dcaa3f95020398c5b184e517f6efa2c201";
meta = with lib;
{
description = "emoji autocomplete anywhere on the internet";
mozPermissions = [ "https://gist.githubusercontent.com/gonelf/d8ae3ccb7902b501c4a5dd625d4089da/raw/5eeda197ba92f8c8139e846a1225d5640077e06f/emoji_pretty.json" "tabs" "storage"];
platforms = platforms.all;
};
})
];
search.engines = {
"Nix Packages" = {
urls = [{
@ -1317,9 +1288,10 @@ wayland.windowManager.sway = {
enable = true;
checkConfig = false; # delete this line once SwayFX is fixed upstream
package = pkgs.swayfx;
# package = pkgs.sway;
systemd.enable = true;
systemd.xdgAutostart = true;
systemd = {
enable = true;
xdgAutostart = true;
};
wrapperFeatures.gtk = true;
config = rec {
modifier = "Mod4";
@ -1327,7 +1299,7 @@ wayland.windowManager.sway = {
menu = "fuzzel";
bars = [{ command = "waybar";}];
keybindings = let
modifier = config.wayland.windowManager.sway.config.modifier;
inherit (config.wayland.windowManager.sway.config) modifier;
in {
"${modifier}+q" = "kill";
"${modifier}+f" = "exec firefox";
@ -1490,7 +1462,7 @@ wayland.windowManager.sway = {
# criteria = {
# app_id="^$";
# class="^$";
# };
# };
# }
{
@ -1539,7 +1511,7 @@ wayland.windowManager.sway = {
# exec hash dbus-update-activation-environment 2>/dev/null && dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK
# ";
extraConfig =let
modifier = config.wayland.windowManager.sway.config.modifier;
inherit (config.wayland.windowManager.sway.config) modifier;
swayfxSettings = "
blur enable
blur_xray disable
@ -1550,7 +1522,6 @@ wayland.windowManager.sway = {
titlebar_separator disable
default_dim_inactive 0.02
";
swayfxSettingsOff = "";
in "
exec_always autotiling
set $exit \"exit: [s]leep, [p]oweroff, [r]eboot, [l]ogout\"

131
profiles/common/nixos.nix
View file

@ -1,31 +1,35 @@
{ config, lib, pkgs, inputs, ... }:
{ config, lib, pkgs, ... }:
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager = {
useGlobalPkgs = true;
useUserPackages = true;
};
services.xserver = {
xkb.layout = "us";
xkb.variant = "altgr-intl";
xkb = {
layout = "us";
variant = "altgr-intl";
};
};
nix.settings.experimental-features = ["nix-command" "flakes"];
users.mutableUsers = false;
# use ozone for wayland - chromium apps
environment.sessionVariables.NIXOS_OZONE_WL = "1";
# wordlist for look
environment.wordlist.enable = true;
# gstreamer plugins for nautilus (used for file metadata)
environment.sessionVariables.GST_PLUGIN_SYSTEM_PATH_1_0 = lib.makeSearchPathOutput "lib" "lib/gstreamer-1.0" (with pkgs.gst_all_1; [
gst-plugins-good
gst-plugins-bad
gst-plugins-ugly
gst-libav
]);
environment = {
wordlist.enable = true;
sessionVariables = {
NIXOS_OZONE_WL = "1";
GST_PLUGIN_SYSTEM_PATH_1_0 = lib.makeSearchPathOutput "lib" "lib/gstreamer-1.0" (with pkgs.gst_all_1; [
gst-plugins-good
gst-plugins-bad
gst-plugins-ugly
gst-libav
]);
};
};
# gstreamer plugins for nautilus (used for file metadata)
time.hardwareClockInLocalTime = true;
@ -47,27 +51,31 @@ nix.optimise = {
};
# systemd
systemd.extraConfig = ''
systemd.extraConfig = ''
DefaultTimeoutStartSec=60s
DefaultTimeoutStopSec=15s
'';
hardware.graphics = {
enable = true;
enable32Bit = true;
};
hardware = {
graphics = {
enable = true;
enable32Bit = true;
};
hardware.pulseaudio= {
enable = true;
package = pkgs.pulseaudioFull;
};
pulseaudio= {
enable = true;
package = pkgs.pulseaudioFull;
};
hardware.enableAllFirmware = true;
enableAllFirmware = true;
hardware.bluetooth.powerOnBoot = true;
hardware.bluetooth.settings = {
General = {
Enable = "Source,Sink,Media,Socket";
bluetooth = {
powerOnBoot = true;
settings = {
General = {
Enable = "Source,Sink,Media,Socket";
};
};
};
};
@ -278,17 +286,19 @@ systemd.services.NetworkManager-ensure-profiles.after = [ "NetworkManager.servic
time.timeZone = "Europe/Vienna";
i18n.defaultLocale = "en_US.UTF-8";
i18n.extraLocaleSettings = {
LC_ADDRESS = "de_AT.UTF-8";
LC_IDENTIFICATION = "de_AT.UTF-8";
LC_MEASUREMENT = "de_AT.UTF-8";
LC_MONETARY = "de_AT.UTF-8";
LC_NAME = "de_AT.UTF-8";
LC_NUMERIC = "de_AT.UTF-8";
LC_PAPER = "de_AT.UTF-8";
LC_TELEPHONE = "de_AT.UTF-8";
LC_TIME = "de_AT.UTF-8";
i18n = {
defaultLocale = "en_US.UTF-8";
extraLocaleSettings = {
LC_ADDRESS = "de_AT.UTF-8";
LC_IDENTIFICATION = "de_AT.UTF-8";
LC_MEASUREMENT = "de_AT.UTF-8";
LC_MONETARY = "de_AT.UTF-8";
LC_NAME = "de_AT.UTF-8";
LC_NUMERIC = "de_AT.UTF-8";
LC_PAPER = "de_AT.UTF-8";
LC_TELEPHONE = "de_AT.UTF-8";
LC_TIME = "de_AT.UTF-8";
};
};
sops = {
@ -400,17 +410,16 @@ environment.systemPackages = with pkgs; [
];
programs.dconf.enable = true;
programs.evince.enable = true;
programs.kdeconnect.enable = true;
programs = {
dconf.enable = true;
evince.enable = true;
kdeconnect.enable = true;
};
# zsh section, do not delete ------
programs.zsh.enable = true;
users.defaultUserShell = pkgs.zsh;
environment.shells = with pkgs; [ zsh ];
environment.pathsToLink = [ "/share/zsh" ];
# ---------------------------------
services.blueman.enable = true;
@ -421,24 +430,26 @@ hardware.sane = {
};
# enable discovery and usage of network devices (esp. printers)
services.printing.enable = true;
services.printing.drivers = [
services.printing = {
enable = true;
drivers = [
pkgs.gutenprint
pkgs.gutenprintBin
];
services.printing.browsedConf = ''
browsedConf = ''
BrowseDNSSDSubTypes _cups,_print
BrowseLocalProtocols all
BrowseRemoteProtocols all
CreateIPPPrinterQueues All
BrowseProtocols all
'';
services.avahi = {
enable = true;
nssmdns4 = true;
openFirewall = true;
};
};
services.avahi = {
enable = true;
nssmdns4 = true;
openFirewall = true;
};
services.gvfs.enable = true;
@ -473,10 +484,6 @@ services.pcscd.enable = true;
hardware.ledger.enable = true;
# environment.systemPackages = with pkgs; [
# --- IN SYSTEM PACKAGES SECTION ---
# ];
services.udev.packages = with pkgs; [
yubikey-personalization
ledger-udev-rules

2
profiles/fourside/hardware-configuration.nix
View file

@ -1,7 +1,7 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ config, lib, modulesPath, ... }:
{
imports =

4
profiles/fourside/home.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, lib, fetchFromGitHub, ... }:
{ config, pkgs, ... }:
{
@ -97,7 +97,7 @@
keybindings = let
modifier = config.wayland.windowManager.sway.config.modifier;
inherit (config.wayland.windowManager.sway.config) modifier;
in {
"${modifier}+w" = "exec \"bash ~/.dotfiles/scripts/checkelement.sh\"";
"XF86MonBrightnessUp" = "exec brightnessctl set +5%";

8
profiles/fourside/nixos.nix
View file

@ -1,4 +1,4 @@
{ config, lib, pkgs, inputs, ... }:
{ config, pkgs, ... }:
{
@ -94,7 +94,7 @@
};
monospace = {
package = (pkgs.nerdfonts.override { fonts = [ "FiraCode"]; });
package = pkgs.nerdfonts.override { fonts = [ "FiraCode"]; };
name = "FiraCode Nerd Font Mono";
};
@ -143,10 +143,10 @@
services.nswitch-rcm = {
enable = true;
package = (pkgs.fetchurl {
package = pkgs.fetchurl {
url = "https://github.com/Atmosphere-NX/Atmosphere/releases/download/1.3.2/fusee.bin";
hash = "sha256-5AXzNsny45SPLIrvWJA9/JlOCal5l6Y++Cm+RtlJppI=";
});
};
};
users.users.swarsel = {

2
profiles/mysticant/configuration.nix
View file

@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ pkgs, ... }:
{
environment.packages = with pkgs; [

181
profiles/remote/oracle/matrix/nixos.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, modulesPath, unstable, sops, ... }: let
{ config, pkgs, sops, ... }: let
matrixDomain = "swatrix.swarsel.win";
in {
@ -23,13 +23,42 @@ in {
nix.settings.experimental-features = ["nix-command" "flakes"];
sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
sops.defaultSopsFile = "/root/.dotfiles/secrets/omatrix/secrets.yaml";
sops.validateSopsFiles = false;
sops.secrets.dnstokenfull = {owner="acme";};
sops.templates."certs.secret".content = ''
CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
'';
sops = {
age.sshKeyPaths = [ "/etc/ssh/sops" ];
defaultSopsFile = "/root/.dotfiles/secrets/omatrix/secrets.yaml";
validateSopsFiles = false;
secrets = {
dnstokenfull = {owner="acme";};
matrixsharedsecret = {owner="matrix-synapse";};
mautrixtelegram_as = {owner="matrix-synapse";};
mautrixtelegram_hs = {owner="matrix-synapse";};
mautrixtelegram_api_id = {owner="matrix-synapse";};
mautrixtelegram_api_hash = {owner="matrix-synapse";};
};
templates = {
"certs.secret".content = ''
CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
'';
"matrix_user_register.sh".content = ''
register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008
'';
mautrixtelegram = {
owner = "matrix-synapse";
content = ''
MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as}
MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs}
MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id}
MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash}
'';
};
matrixshared = {
owner = "matrix-synapse";
content = ''
registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret}
'';
};
};
};
documentation = {
enable = false;
@ -59,8 +88,8 @@ in {
"~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://localhost:8008";
extraConfig = ''
client_max_body_size 0;
'';
client_max_body_size 0;
'';
};
};
};
@ -69,18 +98,19 @@ in {
boot.tmp.cleanOnBoot = true;
zramSwap.enable = false;
networking.hostName = "swatrix";
networking.enableIPv6 = false;
# networking.domain = "subnet03112148.vcn03112148.oraclevcn.com";
networking.domain = "swarsel.win";
networking.firewall.extraCommands = ''
iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 8008 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 29317 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 29318 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 29328 -j ACCEPT
'';
networking = {
hostName = "swatrix";
enableIPv6 = false;
domain = "swarsel.win";
firewall.extraCommands = ''
iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 8008 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 29317 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 29318 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 29328 -j ACCEPT
'';
};
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
@ -97,55 +127,31 @@ in {
boot.loader.grub.device = "nodev";
sops.secrets.matrixsharedsecret = {owner="matrix-synapse";};
sops.templates."matrix_user_register.sh".content = ''
register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008
'';
sops.templates.matrixshared.owner = "matrix-synapse";
sops.templates.matrixshared.content = ''
registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret}
'';
sops.secrets.mautrixtelegram_as = {owner="matrix-synapse";};
sops.secrets.mautrixtelegram_hs = {owner="matrix-synapse";};
sops.secrets.mautrixtelegram_api_id = {owner="matrix-synapse";};
sops.secrets.mautrixtelegram_api_hash = {owner="matrix-synapse";};
sops.templates.mautrixtelegram.owner = "matrix-synapse";
sops.templates.mautrixtelegram.content = ''
MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as}
MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs}
MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id}
MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash}
'';
# sops.secrets.mautrixwhatsapp_shared = {owner="matrix-synapse";};
# sops.templates.mautrixwhatsapp.owner = "matrix-synapse";
# sops.templates.mautrixwhatsapp.content = ''
# MAUTRIX_WHATSAPP_BRIDGE_LOGIN_SHARED_SECRET=${config.sops.placeholder.mautrixwhatsapp_shared}
# '';
services.postgresql.enable = true;
services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram';
CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';
CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal';
CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
services.postgresql = {
enable = true;
initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram';
CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';
CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal';
CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
};
services.matrix-synapse = {
settings.app_service_config_files = [
"/var/lib/matrix-synapse/telegram-registration.yaml"
@ -154,12 +160,11 @@ in {
"/var/lib/matrix-synapse/doublepuppet.yaml"
];
enable = true;
settings.server_name = matrixDomain;
settings.public_baseurl = "https://${matrixDomain}";
extraConfigFiles = [
config.sops.templates.matrixshared.path
];
settings.listeners = [
settings = {
server_name = matrixDomain;
public_baseurl = "https://${matrixDomain}";
};
listeners = [
{ port = 8008;
bind_addresses = [ "0.0.0.0" ];
type = "http";
@ -173,6 +178,9 @@ in {
];
}
];
extraConfigFiles = [
config.sops.templates.matrixshared.path
];
};
services.mautrix-telegram = {
@ -196,9 +204,6 @@ in {
database = "postgresql:///mautrix-telegram?host=/run/postgresql";
};
bridge = {
# login_shared_secret_map = {
# matrixDomain = "as_token:doublepuppet";
# };
relaybot.authless_portals = true;
allow_avatar_remove = true;
allow_contact_info = true;
@ -211,12 +216,6 @@ in {
"*" = "relaybot";
"@swarsel:${matrixDomain}" = "admin";
};
# Animated stickers conversion requires additional packages in the
# service's path.
# If this isn't a fresh installation, clearing the bridge's uploaded
# file cache might be necessary (make a database backup first!):
# delete from telegram_file where \
# mime_type in ('application/gzip', 'application/octet-stream')
animated_sticker = {
target = "gif";
args = {
@ -236,7 +235,6 @@ in {
services.mautrix-whatsapp = {
enable = true;
# environmentFile = config.sops.templates.mautrixwhatsapp.path;
settings = {
homeserver = {
address = "http://localhost:8008";
@ -284,7 +282,6 @@ in {
services.mautrix-signal = {
enable = true;
registerToSynapse = false; # this has the same effect as registering to app_service_config_file above
# environmentFile = config.sops.templates.mautrixwhatsapp.path;
settings = {
homeserver = {
address = "http://localhost:8008";
@ -328,10 +325,10 @@ in {
systemd.services."restart-bridges" = {
script = ''
systemctl restart mautrix-whatsapp.service
systemctl restart mautrix-signal.service
systemctl restart mautrix-telegram.service
'';
systemctl restart mautrix-whatsapp.service
systemctl restart mautrix-signal.service
systemctl restart mautrix-telegram.service
'';
serviceConfig = {
Type = "oneshot";
User = "root";

2
profiles/remote/oracle/sync/hardware-configuration.nix
View file

@ -1,4 +1,4 @@
{ config, lib, pkgs, modulesPath, ... }:
{ config, lib, modulesPath, ... }:
{
imports =

100
profiles/remote/oracle/sync/nixos.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, modulesPath, ... }:
{ config, pkgs, ... }:
{
imports = [
@ -18,14 +18,16 @@
nix.settings.experimental-features = ["nix-command" "flakes"];
sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
sops.defaultSopsFile = "/root/.dotfiles/secrets/sync/secrets.yaml";
sops.validateSopsFiles = false;
sops.secrets.swarsel = { owner = "root";};
sops.secrets.dnstokenfull = {owner="acme";};
sops.templates."certs.secret".content = ''
CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
'';
sops = {
age.sshKeyPaths = [ "/etc/ssh/sops" ];
defaultSopsFile = "/root/.dotfiles/secrets/sync/secrets.yaml";
validateSopsFiles = false;
secrets.swarsel = { owner = "root";};
secrets.dnstokenfull = {owner="acme";};
templates."certs.secret".content = ''
CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
'';
};
security.acme = {
acceptTerms = true;
@ -51,57 +53,59 @@
"/" = {
proxyPass = "http://localhost:27701";
extraConfig = ''
client_max_body_size 0;
'';
client_max_body_size 0;
'';
};
};
};
"sync.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://localhost:8384/";
extraConfig = ''
client_max_body_size 0;
'';
};
"sync.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://localhost:8384/";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
"swagit.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://localhost:3000";
extraConfig = ''
client_max_body_size 0;
'';
};
"swagit.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://localhost:3000";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
};
};
boot.tmp.cleanOnBoot = true;
zramSwap.enable = false;
networking.hostName = "sync";
networking.enableIPv6 = false;
networking.domain = "subnet03112148.vcn03112148.oraclevcn.com";
networking.firewall.extraCommands = ''
iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 27701 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 8384 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 3000 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 22000 -j ACCEPT
iptables -I INPUT -m state --state NEW -p udp --dport 22000 -j ACCEPT
iptables -I INPUT -m state --state NEW -p udp --dport 21027 -j ACCEPT
'';
networking = {
hostName = "sync";
enableIPv6 = false;
domain = "subnet03112148.vcn03112148.oraclevcn.com";
firewall.extraCommands = ''
iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 27701 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 8384 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 3000 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 22000 -j ACCEPT
iptables -I INPUT -m state --state NEW -p udp --dport 22000 -j ACCEPT
iptables -I INPUT -m state --state NEW -p udp --dport 21027 -j ACCEPT
'';
};
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
@ -125,8 +129,8 @@
openFirewall = true;
users = [
{
username = "Swarsel";
passwordFile = config.sops.secrets.swarsel.path;
username = "Swarsel";
passwordFile = config.sops.secrets.swarsel.path;
}
];
};

2
profiles/sandbox/hardware-configuration.nix
View file

@ -1,7 +1,7 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ config, lib, modulesPath, ... }:
{
imports =

2
profiles/sandbox/nixos.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, modulesPath, unstable, sops, ... }: let
{ config, pkgs, unstable, sops, ... }: let
matrixDomain = "swatrix.swarsel.win";
in {

64
profiles/server1/TEMPLATE/nixos.nix
View file

@ -1,37 +1,41 @@
{ pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
];
{
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
];
environment.systemPackages = with pkgs; [
git
gnupg
ssh-to-age
];
environment.systemPackages = with pkgs; [
git
gnupg
ssh-to-age
];
services.xserver = {
layout = "us";
xkbVariant = "altgr-intl";
};
services.xserver = {
layout = "us";
xkbVariant = "altgr-intl";
};
nix.settings.experimental-features = ["nix-command" "flakes"];
nix.settings.experimental-features = ["nix-command" "flakes"];
proxmoxLXC.manageNetwork = true; # manage network myself
proxmoxLXC.manageHostName = false; # manage hostname myself
networking.hostName = "TEMPLATE"; # Define your hostname.
networking.useDHCP = true;
networking.enableIPv6 = false;
networking.firewall.enable = false;
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
};
users.users.root.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys
];
# users.users.root.password = "TEMPLATE";
proxmoxLXC = {
manageNetwork = true; # manage network myself
manageHostName = false; # manage hostname myself
};
networking = {
hostName = "TEMPLATE"; # Define your hostname.
useDHCP = true;
enableIPv6 = false;
firewall.enable = false;
};
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
};
users.users.root.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys
];
# users.users.root.password = "TEMPLATE";
system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
}
system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
}

2
profiles/server1/calibre/hardware-configuration.nix
View file

@ -1,7 +1,7 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ lib, ... }:
{
imports = [ ];

149
profiles/server1/calibre/nixos.nix
View file

@ -1,101 +1,70 @@
{ config, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
./hardware-configuration.nix
];
{
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
./hardware-configuration.nix
];
environment.systemPackages = with pkgs; [
git
gnupg
ssh-to-age
calibre
];
environment.systemPackages = with pkgs; [
git
gnupg
ssh-to-age
calibre
];
users.groups.lxc_shares = {
gid = 10000;
members = [
"kavita"
"calibre-web"
"root"
];
};
users.groups.lxc_shares = {
gid = 10000;
members = [
"kavita"
"calibre-web"
"root"
];
};
services.xserver = {
layout = "us";
xkbVariant = "altgr-intl";
};
services.xserver = {
layout = "us";
xkbVariant = "altgr-intl";
};
nix.settings.experimental-features = ["nix-command" "flakes"];
nix.settings.experimental-features = ["nix-command" "flakes"];
sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
sops.defaultSopsFile = "/.dotfiles/secrets/calibre/secrets.yaml";
sops.validateSopsFiles = false;
sops.secrets.kavita = { owner = "kavita";};
# sops.secrets.smbuser = { };
# sops.secrets.smbpassword = { };
# sops.secrets.smbdomain = { };
# sops.templates."smb.cred".content = ''
# user=${config.sops.placeholder.smbuser}
# password=${config.sops.placeholder.smbpassword}
# domain=${config.sops.placeholder.smbdomain}
# '';
proxmoxLXC.manageNetwork = true; # manage network myself
proxmoxLXC.manageHostName = false; # manage hostname myself
networking.hostName = "calibre"; # Define your hostname.
networking.useDHCP = true;
networking.enableIPv6 = false;
networking.firewall.enable = false;
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
};
users.users.root.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys
];
sops = {
age.sshKeyPaths = [ "/etc/ssh/sops" ];
defaultSopsFile = "/.dotfiles/secrets/calibre/secrets.yaml";
validateSopsFiles = false;
secrets.kavita = { owner = "kavita";};
};
proxmoxLXC = {
manageNetwork = true; # manage network myself
manageHostName = false; # manage hostname myself
};
networking = {
hostName = "calibre"; # Define your hostname.
useDHCP = true;
enableIPv6 = false;
firewall.enable = false;
};
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
};
users.users.root.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys
];
system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
environment.shellAliases = {
nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
};
environment.shellAliases = {
nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
};
services.kavita = {
enable = true;
user = "kavita";
port = 8080;
tokenKeyFile = config.sops.secrets.kavita.path;
};
# services.calibre-server = {
# enable = true;
# user = "calibre-server";
# auth.enable = true;
# auth.userDb = "/srv/calibre/users.sqlite";
# libraries = [
# /media/Books/main
# /media/Books/diverse
# /media/Books/language
# /media/Books/science
# /media/Books/sport
# /media/Books/novels
# ];
# };
# services.calibre-web = {
# enable = true;
# user = "calibre-web";
# group = "calibre-web";
# listen.port = 8083;
# listen.ip = "0.0.0.0";
# options = {
# enableBookUploading = true;
# enableKepubify = true;
# enableBookConversion = true;
# };
# };
services.kavita = {
enable = true;
user = "kavita";
port = 8080;
tokenKeyFile = config.sops.secrets.kavita.path;
};
}
}

2
profiles/server1/jellyfin/hardware-configuration.nix
View file

@ -1,7 +1,7 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ lib, ... }:
{
imports = [ ];

44
profiles/server1/jellyfin/nixos.nix
View file

@ -31,16 +31,16 @@
nix.settings.experimental-features = ["nix-command" "flakes"];
# sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
# sops.defaultSopsFile = "/.dotfiles/secrets/jellyfin/secrets.yaml";
# sops.validateSopsFiles = false;
proxmoxLXC.manageNetwork = true; # manage network myself
proxmoxLXC.manageHostName = false; # manage hostname myself
networking.hostName = "jellyfin"; # Define your hostname.
networking.useDHCP = true;
networking.enableIPv6 = false;
networking.firewall.enable = false;
proxmoxLXC = {
manageNetwork = true; # manage network myself
manageHostName = false; # manage hostname myself
};
networking = {
hostName = "jellyfin"; # Define your hostname.
useDHCP = true;
enableIPv6 = false;
firewall.enable = false;
};
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
@ -55,18 +55,18 @@
nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
};
nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
};
hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver # LIBVA_DRIVER_NAME=iHD
vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
vaapiVdpau
libvdpau-va-gl
];
};
nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
};
hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver # LIBVA_DRIVER_NAME=iHD
vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
vaapiVdpau
libvdpau-va-gl
];
};
services.jellyfin = {
enable = true;

2
profiles/server1/matrix/hardware-configuration.nix
View file

@ -1,7 +1,7 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ lib, ... }:
{
imports = [ ];

218
profiles/server1/matrix/nixos.nix
View file

@ -1,25 +1,35 @@
{ config, pkgs, modulesPath, unstable, sops, ... }: let
{ config, pkgs, modulesPath, sops, ... }: let
matrixDomain = "matrix2.swarsel.win";
in {
services.xserver = {
layout = "us";
xkbVariant = "altgr-intl";
services = {
xserver = {
layout = "us";
xkbVariant = "altgr-intl";
};
openssh = {
enable = true;
settings.PermitRootLogin = "yes";
listenAddresses = [{
port = 22;
addr = "0.0.0.0";
}];
};
};
nix.settings.experimental-features = ["nix-command" "flakes"];
proxmoxLXC.manageNetwork = true; # manage network myself
proxmoxLXC.manageHostName = false; # manage hostname myself
networking.useDHCP = true;
networking.enableIPv6 = false;
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
listenAddresses = [{
port = 22;
addr = "0.0.0.0";
}];
proxmoxLXC = {
manageNetwork = true; # manage network myself
manageHostName = false; # manage hostname myself
};
networking = {
useDHCP = true;
enableIPv6 = false;
};
users.users.root.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys
];
@ -38,8 +48,10 @@ in {
# this module is hence not in the modules list, we add it ourselves
];
networking.hostName = "matrix"; # Define your hostname.
networking.firewall.enable = false;
networking = {
hostName = "matrix"; # Define your hostname.
firewall.enable = false;
};
environment.systemPackages = with pkgs; [
git
gnupg
@ -49,85 +61,94 @@ in {
ffmpeg
];
sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
sops.defaultSopsFile = "/.dotfiles/secrets/matrix/secrets.yaml";
sops.validateSopsFiles = false;
sops.secrets.matrixsharedsecret = {owner="matrix-synapse";};
sops.templates."matrix_user_register.sh".content = ''
register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008
'';
sops.templates.matrixshared.owner = "matrix-synapse";
sops.templates.matrixshared.content = ''
registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret}
'';
sops.secrets.mautrixtelegram_as = {owner="matrix-synapse";};
sops.secrets.mautrixtelegram_hs = {owner="matrix-synapse";};
sops.secrets.mautrixtelegram_api_id = {owner="matrix-synapse";};
sops.secrets.mautrixtelegram_api_hash = {owner="matrix-synapse";};
sops.templates.mautrixtelegram.owner = "matrix-synapse";
sops.templates.mautrixtelegram.content = ''
MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as}
MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs}
MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id}
MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash}
'';
# sops.secrets.mautrixwhatsapp_shared = {owner="matrix-synapse";};
# sops.templates.mautrixwhatsapp.owner = "matrix-synapse";
# sops.templates.mautrixwhatsapp.content = ''
# MAUTRIX_WHATSAPP_BRIDGE_LOGIN_SHARED_SECRET=${config.sops.placeholder.mautrixwhatsapp_shared}
# '';
sops = {
age.sshKeyPaths = [ "/etc/ssh/sops" ];
defaultSopsFile = "/.dotfiles/secrets/matrix/secrets.yaml";
validateSopsFiles = false;
secrets = {
matrixsharedsecret = {owner="matrix-synapse";};
mautrixtelegram_as = {owner="matrix-synapse";};
mautrixtelegram_hs = {owner="matrix-synapse";};
mautrixtelegram_api_id = {owner="matrix-synapse";};
mautrixtelegram_api_hash = {owner="matrix-synapse";};
};
templates = {
"matrix_user_register.sh".content = ''
register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008
'';
matrixshared = {
owner = "matrix-synapse";
content = ''
registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret}
'';
};
mautrixtelegram = {
owner = "matrix-synapse";
content = ''
MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as}
MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs}
MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id}
MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash}
'';
};
};
};
services.postgresql.enable = true;
services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram';
CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';
CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal';
CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
services.postgresql = {
enable = true;
initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram';
CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';
CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal';
CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
};
services.matrix-synapse = {
settings.app_service_config_files = [
"/var/lib/matrix-synapse/telegram-registration.yaml"
"/var/lib/matrix-synapse/whatsapp-registration.yaml"
"/var/lib/matrix-synapse/signal-registration.yaml"
"/var/lib/matrix-synapse/doublepuppet.yaml"
];
enable = true;
settings.server_name = matrixDomain;
settings.public_baseurl = "https://${matrixDomain}";
settings = {
app_service_config_files = [
"/var/lib/matrix-synapse/telegram-registration.yaml"
"/var/lib/matrix-synapse/whatsapp-registration.yaml"
"/var/lib/matrix-synapse/signal-registration.yaml"
"/var/lib/matrix-synapse/doublepuppet.yaml"
];
server_name = matrixDomain;
public_baseurl = "https://${matrixDomain}";
listeners = [
{ port = 8008;
bind_addresses = [ "0.0.0.0" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = [ "client" "federation" ];
compress = true;
}
];
}
];
};
extraConfigFiles = [
config.sops.templates.matrixshared.path
];
settings.listeners = [
{ port = 8008;
bind_addresses = [ "0.0.0.0" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = [ "client" "federation" ];
compress = true;
}
];
}
];
};
services.mautrix-telegram = {
@ -151,9 +172,6 @@ in {
database = "postgresql:///mautrix-telegram?host=/run/postgresql";
};
bridge = {
# login_shared_secret_map = {
# matrixDomain = "as_token:doublepuppet";
# };
relaybot.authless_portals = true;
allow_avatar_remove = true;
allow_contact_info = true;
@ -166,12 +184,6 @@ in {
"*" = "relaybot";
"@swarsel:${matrixDomain}" = "admin";
};
# Animated stickers conversion requires additional packages in the
# service's path.
# If this isn't a fresh installation, clearing the bridge's uploaded
# file cache might be necessary (make a database backup first!):
# delete from telegram_file where \
# mime_type in ('application/gzip', 'application/octet-stream')
animated_sticker = {
target = "gif";
args = {
@ -191,7 +203,6 @@ in {
services.mautrix-whatsapp = {
enable = true;
# environmentFile = config.sops.templates.mautrixwhatsapp.path;
settings = {
homeserver = {
address = "http://localhost:8008";
@ -238,7 +249,6 @@ in {
services.mautrix-signal = {
enable = true;
# environmentFile = config.sops.templates.mautrixwhatsapp.path;
settings = {
homeserver = {
address = "http://localhost:8008";
@ -282,10 +292,10 @@ in {
systemd.services."restart-bridges" = {
script = ''
systemctl restart mautrix-whatsapp.service
systemctl restart mautrix-signal.service
systemctl restart mautrix-telegram.service
'';
systemctl restart mautrix-whatsapp.service
systemctl restart mautrix-signal.service
systemctl restart mautrix-telegram.service
'';
serviceConfig = {
Type = "oneshot";
User = "root";

2
profiles/server1/nginx/hardware-configuration.nix
View file

@ -1,7 +1,7 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ lib, ... }:
{
imports = [ ];

222
profiles/server1/nginx/nixos.nix
View file

@ -20,19 +20,25 @@
nix.settings.experimental-features = ["nix-command" "flakes"];
sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
sops.defaultSopsFile = "/.dotfiles/secrets/nginx/secrets.yaml";
sops.validateSopsFiles = false;
sops.secrets.dnstokenfull = {owner="acme";};
sops.templates."certs.secret".content = ''
CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
'';
proxmoxLXC.manageNetwork = true; # manage network myself
proxmoxLXC.manageHostName = false; # manage hostname myself
networking.hostName = "nginx"; # Define your hostname.
networking.useDHCP = true;
networking.enableIPv6 = false;
networking.firewall.enable = false;
sops = {
age.sshKeyPaths = [ "/etc/ssh/sops" ];
defaultSopsFile = "/.dotfiles/secrets/nginx/secrets.yaml";
validateSopsFiles = false;
secrets.dnstokenfull = {owner="acme";};
templates."certs.secret".content = ''
CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
'';
};
proxmoxLXC = {
manageNetwork = true; # manage network myself
manageHostName = false; # manage hostname myself
};
networking = {
hostName = "nginx"; # Define your hostname.
useDHCP = true;
enableIPv6 = false;
firewall.enable = false;
};
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
@ -72,11 +78,11 @@
"/" = {
proxyPass = "https://192.168.1.5";
extraConfig = ''
client_max_body_size 0;
'';
client_max_body_size 0;
'';
};
# "/push/" = {
# proxyPass = "http://192.168.2.5:7867";
# proxyPass = "http://192.168.2.5:7867";
# };
"/.well-known/carddav" = {
return = "301 $scheme://$host/remote.php/dav";
@ -95,108 +101,104 @@
"~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://192.168.1.23:8008";
extraConfig = ''
client_max_body_size 0;
'';
client_max_body_size 0;
'';
};
};
};
"sound.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://192.168.1.13:4040";
proxyWebsockets = true;
extraConfig = ''
proxy_redirect http:// https://;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
proxy_buffering off;
proxy_request_buffering off;
client_max_body_size 0;
'';
};
"sound.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://192.168.1.13:4040";
proxyWebsockets = true;
extraConfig = ''
proxy_redirect http:// https://;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
proxy_buffering off;
proxy_request_buffering off;
client_max_body_size 0;
'';
};
};
"scan.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://192.168.1.24:28981";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
"screen.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://192.168.1.16:8096";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
"matrix.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://192.168.1.20:8008";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
"scroll.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://192.168.1.22:8080";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
"blog.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "https://192.168.1.7";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
};
"scan.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://192.168.1.24:28981";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
"screen.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://192.168.1.16:8096";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
"matrix.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://192.168.1.20:8008";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
"scroll.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://192.168.1.22:8080";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
"blog.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "https://192.168.1.7";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
};
};
}

2
profiles/server1/paperless/hardware-configuration.nix
View file

@ -1,7 +1,7 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ lib, ... }:
{
imports = [ ];

54
profiles/server1/paperless/nixos.nix
View file

@ -9,23 +9,33 @@
services.xserver = {
layout = "us";
xkbVariant = "altgr-intl";
services = {
xserver = {
layout = "us";
xkbVariant = "altgr-intl";
};
openssh = {
enable = true;
settings.PermitRootLogin = "yes";
listenAddresses = [{
port = 22;
addr = "0.0.0.0";
}];
};
};
nix.settings.experimental-features = ["nix-command" "flakes"];
proxmoxLXC.manageNetwork = true; # manage network myself
proxmoxLXC.manageHostName = false; # manage hostname myself
networking.useDHCP = true;
networking.enableIPv6 = false;
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
listenAddresses = [{
port = 22;
addr = "0.0.0.0";
}];
proxmoxLXC = {
manageNetwork = true; # manage network myself
manageHostName = false; # manage hostname myself
};
networking = {
useDHCP = true;
enableIPv6 = false;
};
users.users.root.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys
];
@ -52,13 +62,17 @@
ssh-to-age
];
networking.hostName = "paperless"; # Define your hostname.
networking.firewall.enable = false;
networking = {
hostName = "paperless"; # Define your hostname.
firewall.enable = false;
};
sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
sops.defaultSopsFile = "/root/.dotfiles/secrets/paperless/secrets.yaml";
sops.validateSopsFiles = false;
sops.secrets.admin = { owner = "paperless";};
sops = {
age.sshKeyPaths = [ "/etc/ssh/sops" ];
defaultSopsFile = "/root/.dotfiles/secrets/paperless/secrets.yaml";
validateSopsFiles = false;
secrets.admin = { owner = "paperless";};
};
services.paperless = {
enable = true;

2
profiles/server1/sound/hardware-configuration.nix
View file

@ -1,7 +1,7 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ lib, ... }:
{
imports = [ ];

104
profiles/server1/sound/nixos.nix
View file

@ -9,23 +9,33 @@
services.xserver = {
layout = "us";
xkbVariant = "altgr-intl";
services = {
xserver = {
layout = "us";
xkbVariant = "altgr-intl";
};
openssh = {
enable = true;
settings.PermitRootLogin = "yes";
listenAddresses = [{
port = 22;
addr = "0.0.0.0";
}];
};
};
nix.settings.experimental-features = ["nix-command" "flakes"];
proxmoxLXC.manageNetwork = true; # manage network myself
proxmoxLXC.manageHostName = false; # manage hostname myself
networking.useDHCP = true;
networking.enableIPv6 = false;
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
listenAddresses = [{
port = 22;
addr = "0.0.0.0";
}];
proxmoxLXC = {
manageNetwork = true; # manage network myself
manageHostName = false; # manage hostname myself
};
networking = {
useDHCP = true;
enableIPv6 = false;
};
users.users.root.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys
];
@ -40,32 +50,38 @@
proxmoxLXC.privileged = true; # manage hostname myself
users.groups.lxc_pshares = {
gid = 110000;
members = [
"navidrome"
"mpd"
"root"
];
};
users = {
groups = {
lxc_pshares = {
gid = 110000;
members = [
"navidrome"
"mpd"
"root"
];
};
users.groups.navidrome = {
gid = 61593;
};
navidrome = {
gid = 61593;
};
users.groups.mpd = {};
mpd = {};
};
users.users.navidrome = {
isSystemUser = true;
uid = 61593;
group = "navidrome";
extraGroups = [ "audio" "utmp" ];
};
users = {
navidrome = {
isSystemUser = true;
uid = 61593;
group = "navidrome";
extraGroups = [ "audio" "utmp" ];
};
users.users.mpd = {
isSystemUser = true;
group = "mpd";
extraGroups = [ "audio" "utmp" ];
mpd = {
isSystemUser = true;
group = "mpd";
extraGroups = [ "audio" "utmp" ];
};
};
};
sound = {
@ -73,8 +89,10 @@
};
hardware.enableAllFirmware = true;
networking.hostName = "sound"; # Define your hostname.
networking.firewall.enable = false;
networking = {
hostName = "sound"; # Define your hostname.
firewall.enable = false;
};
environment.systemPackages = with pkgs; [
git
gnupg
@ -84,10 +102,12 @@
mpv
];
sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
sops.defaultSopsFile = "/.dotfiles/secrets/sound/secrets.yaml";
sops.validateSopsFiles = false;
sops.secrets.mpdpass = { owner = "mpd";};
sops = {
age.sshKeyPaths = [ "/etc/ssh/sops" ];
defaultSopsFile = "/.dotfiles/secrets/sound/secrets.yaml";
validateSopsFiles = false;
secrets.mpdpass = { owner = "mpd";};
};
services.navidrome = {
enable = true;

2
profiles/server1/spotifyd/hardware-configuration.nix
View file

@ -1,7 +1,7 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ lib, ... }:
{
imports = [ ];

50
profiles/server1/spotifyd/nixos.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, modulesPath, ... }:
{ pkgs, modulesPath, ... }:
{
@ -9,23 +9,33 @@
services.xserver = {
layout = "us";
xkbVariant = "altgr-intl";
services = {
xserver = {
layout = "us";
xkbVariant = "altgr-intl";
};
openssh = {
enable = true;
settings.PermitRootLogin = "yes";
listenAddresses = [{
port = 22;
addr = "0.0.0.0";
}];
};
};
nix.settings.experimental-features = ["nix-command" "flakes"];
proxmoxLXC.manageNetwork = true; # manage network myself
proxmoxLXC.manageHostName = false; # manage hostname myself
networking.useDHCP = true;
networking.enableIPv6 = false;
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
listenAddresses = [{
port = 22;
addr = "0.0.0.0";
}];
proxmoxLXC = {
manageNetwork = true; # manage network myself
manageHostName = false; # manage hostname myself
};
networking = {
useDHCP = true;
enableIPv6 = false;
};
users.users.root.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys
];
@ -56,18 +66,16 @@
};
hardware.enableAllFirmware = true;
networking.hostName = "spotifyd"; # Define your hostname.
networking.firewall.enable = false;
networking = {
hostName = "spotifyd"; # Define your hostname.
firewall.enable = false;
};
environment.systemPackages = with pkgs; [
git
gnupg
ssh-to-age
];
# sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
# sops.defaultSopsFile = "/.dotfiles/secrets/spotifyd/secrets.yaml";
# sops.validateSopsFiles = false;
services.spotifyd = {
enable = true;
settings = {

2
profiles/server1/transmission/hardware-configuration.nix
View file

@ -1,7 +1,7 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ lib, ... }:
{
imports = [ ];

590
profiles/server1/transmission/nixos.nix
View file

@ -1,358 +1,270 @@
{ config, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
./hardware-configuration.nix
# ./openvpn.nix #this file holds the vpn login data
];
{
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
./hardware-configuration.nix
# ./openvpn.nix #this file holds the vpn login data
];
environment.systemPackages = with pkgs; [
git
gnupg
ssh-to-age
openvpn
jq
iptables
busybox
wireguard-tools
];
environment.systemPackages = with pkgs; [
git
gnupg
ssh-to-age
openvpn
jq
iptables
busybox
wireguard-tools
];
users.groups.lxc_shares = {
gid = 10000;
members = [
"vpn"
"radarr"
"sonarr"
"lidarr"
"readarr"
"root"
];
};
users.groups.vpn = {};
users.groups.lxc_shares = {
gid = 10000;
members = [
"vpn"
"radarr"
"sonarr"
"lidarr"
"readarr"
"root"
];
};
users.groups.vpn = {};
users.users.vpn = {
isNormalUser = true;
group = "vpn";
home = "/home/vpn";
};
users.users.vpn = {
isNormalUser = true;
group = "vpn";
home = "/home/vpn";
};
services.xserver = {
layout = "us";
xkbVariant = "altgr-intl";
};
services.xserver = {
layout = "us";
xkbVariant = "altgr-intl";
};
nix.settings.experimental-features = ["nix-command" "flakes"];
nix.settings.experimental-features = ["nix-command" "flakes"];
sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
sops.defaultSopsFile = "/.dotfiles/secrets/transmission/secrets.yaml";
sops.validateSopsFiles = false;
sops = {
age.sshKeyPaths = [ "/etc/ssh/sops" ];
defaultSopsFile = "/.dotfiles/secrets/transmission/secrets.yaml";
validateSopsFiles = false;
};
boot.kernelModules = [ "tun" ];
proxmoxLXC.manageNetwork = true; # manage network myself
proxmoxLXC.manageHostName = false; # manage hostname myself
networking.hostName = "transmission"; # Define your hostname.
networking.useDHCP = true;
networking.enableIPv6 = false;
networking.firewall.enable = false;
boot.kernelModules = [ "tun" ];
proxmoxLXC = {
manageNetwork = true; # manage network myself
manageHostName = false; # manage hostname myself
};
networking = {
hostName = "transmission"; # Define your hostname.
useDHCP = true;
enableIPv6 = false;
firewall.enable = false;
};
services.radarr = {
enable = true;
};
services = {
radarr = {
enable = true;
};
readarr = {
enable = true;
};
sonarr = {
enable = true;
};
lidarr = {
enable = true;
};
prowlarr = {
enable = true;
};
};
services.readarr = {
enable = true;
};
services.sonarr = {
enable = true;
};
services.lidarr = {
enable = true;
};
services.prowlarr = {
enable = true;
};
networking.iproute2 = {
enable = true;
rttablesExtraConfig = ''
200 vpn
'';
};
environment.etc = {
"openvpn/iptables.sh" =
{ source = ../../../scripts/server1/iptables.sh;
mode = "0755";
};
"openvpn/update-resolv-conf" =
{ source = ../../../scripts/server1/update-resolv-conf;
mode = "0755";
};
"openvpn/routing.sh" =
{ source = ../../../scripts/server1/routing.sh;
mode = "0755";
};
"openvpn/ca.rsa.2048.crt" =
{ source = ../../../secrets/certs/ca.rsa.2048.crt;
mode = "0644";
};
"openvpn/crl.rsa.2048.pem" =
{ source = ../../../secrets/certs/crl.rsa.2048.pem;
mode = "0644";
};
};
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
listenAddresses = [{
port = 22;
addr = "0.0.0.0";
}];
};
users.users.root.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys
];
# networking.interfaces = {
# lo = {
# useDHCP = false;
# ipv4.addresses = [
# { address = "127.0.0.1"; prefixLength = 8; }
# ];
# };
#
# eth0 = {
# useDHCP = true;
# };
# };
system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
# users.users.root.password = "TEMPLATE";
# networking.firewall.extraCommands = ''
# sudo iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP
# '';
networking.iproute2 = {
enable = true;
rttablesExtraConfig = ''
200 vpn
'';
};
# boot.kernel.sysctl = {
# "net.ipv4.conf.all.rp_filter" = 2;
# "net.ipv4.conf.default.rp_filter" = 2;
# "net.ipv4.conf.eth0.rp_filter" = 2;
# };
environment.etc = {
"openvpn/iptables.sh" =
{ source = ../../../scripts/server1/iptables.sh;
mode = "0755";
};
"openvpn/update-resolv-conf" =
{ source = ../../../scripts/server1/update-resolv-conf;
mode = "0755";
};
"openvpn/routing.sh" =
{ source = ../../../scripts/server1/routing.sh;
mode = "0755";
};
"openvpn/ca.rsa.2048.crt" =
{ source = ../../../secrets/certs/ca.rsa.2048.crt;
mode = "0644";
};
"openvpn/crl.rsa.2048.pem" =
{ source = ../../../secrets/certs/crl.rsa.2048.pem;
mode = "0644";
};
};
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
listenAddresses = [{
port = 22;
addr = "0.0.0.0";
}];
};
users.users.root.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys
];
environment.shellAliases = {
nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
};
system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
# users.users.root.password = "TEMPLATE";
environment.shellAliases = {
nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
};
sops.secrets.vpnuser = {};
sops.secrets.rpcuser = {owner="vpn";};
sops.secrets.vpnpass = {};
sops.secrets.rpcpass = {owner="vpn";};
sops.secrets.vpnprot = {};
sops.secrets.vpnloc = {};
# sops.secrets.crlpem = {};
# sops.secrets.capem = {};
sops.templates."transmission-rpc".owner = "vpn";
sops.templates."transmission-rpc".content = builtins.toJSON {
rpc-username = config.sops.placeholder.rpcuser;
rpc-password = config.sops.placeholder.rpcpass;
};
sops.templates.pia.content = ''
${config.sops.placeholder.vpnuser}
${config.sops.placeholder.vpnpass}
'';
sops.templates.vpn.content = ''
client
dev tun
proto ${config.sops.placeholder.vpnprot}
remote ${config.sops.placeholder.vpnloc}
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass ${config.sops.templates.pia.path}
compress
verb 1
reneg-sec 0
crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt
disable-occ
dhcp-option DNS 209.222.18.222
dhcp-option DNS 209.222.18.218
dhcp-option DNS 8.8.8.8
route-noexec
'';
# services.pia.enable = true;
# services.pia.authUserPass.username = "na";
# services.pia.authUserPass.password = "na";
# systemd.services.openvpn-vpn = {
# wantedBy = [ "multi-user.target" ];
# after = [ "network.target" ];
# description = "OpenVPN connection to pia";
# serviceConfig = {
# Type = "forking";
# RuntimeDirectory="openvpn";
# PrivateTmp=true;
# KillMode="mixed";
# ExecStart = ''@${pkgs.openvpn}/sbin/openvpn openvpn --daemon ovpn-pia --status /run/openvpn/pia.status 10 --cd /etc/openvpn --script-security 2 --config ${config.sops.templates.vpn.path} --writepid /run/openvpn/pia.pid'';
# PIDFile=''/run/openvpn/pia.pid'';
# ExecReload=''/run/current-system/sw/bin/kill -HUP $MAINPID'';
# WorkingDirectory="/etc/openvpn";
# Restart="on-failure";
# RestartSec=30;
# ProtectSystem="yes";
# DeviceAllow=["/dev/null rw" "/dev/net/tun rw"];
# };
# };
services.openvpn.servers = {
pia = {
autoStart = false;
updateResolvConf = true;
# up = ''
# export INTERFACE="tun0"
# export VPNUSER="vpn"
# export LOCALIP="192.168.1.191"
# export NETIF="eth0"
# export VPNIF="tun0"
# export GATEWAYIP=$(ifconfig $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
# iptables -F -t nat
# iptables -F -t mangle
# iptables -F -t filter
# iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
# iptables -t mangle -A OUTPUT ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
# iptables -t mangle -A OUTPUT --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
# iptables -t mangle -A OUTPUT --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
# iptables -t mangle -A OUTPUT ! --src $LOCALIP -j MARK --set-mark 0x1
# iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
# iptables -A INPUT -i $INTERFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -i $INTERFACE -j REJECT
# iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
# iptables -A OUTPUT -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT
# iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE
# iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT ! --src $LOCALIP -o $NETIF -j REJECT
# if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
# ip rule add from all fwmark 0x1 lookup $VPNUSER
# fi
# ip route replace default via $GATEWAYIP table $VPNUSER
# ip route append default via 127.0.0.1 dev lo table $VPNUSER
# ip route flush cache
# '';
# down = "bash /etc/openvpn/update-resolv-conf";
# these are outsourced to a local file, I am not sure if it can be done with sops-nix
# authUserPass = {
# username = "TODO:secrets";
# password = "TODO:secrets";
# };
config = "config ${config.sops.templates.vpn.path}";
};
};
services.transmission = {
enable = true;
credentialsFile = config.sops.templates."transmission-rpc".path;
user = "vpn";
group = "lxc_shares";
settings = {
alt-speed-down= 8000;
alt-speed-enabled= false;
alt-speed-time-begin= 0;
alt-speed-time-day= 127;
alt-speed-time-enabled= true;
alt-speed-time-end= 360;
alt-speed-up= 2000;
bind-address-ipv4= "0.0.0.0";
bind-address-ipv6= "::";
blocklist-enabled= false;
blocklist-url= "http://www.example.com/blocklist";
cache-size-mb= 4;
dht-enabled= false;
download-dir= "/media/Eternor/New";
download-limit= 100;
download-limit-enabled= 0;
download-queue-enabled= true;
download-queue-size= 5;
encryption= 2;
idle-seeding-limit= 30;
idle-seeding-limit-enabled= false;
incomplete-dir= "/var/lib/transmission-daemon/Downloads";
incomplete-dir-enabled= false;
lpd-enabled= false;
max-peers-global= 200;
message-level= 1;
peer-congestion-algorithm= "";
peer-id-ttl-hours= 6;
peer-limit-global= 100;
peer-limit-per-torrent= 40;
peer-port= 22371;
peer-port-random-high= 65535;
peer-port-random-low= 49152;
peer-port-random-on-start= false;
peer-socket-tos= "default";
pex-enabled= false;
port-forwarding-enabled= false;
preallocation= 1;
prefetch-enabled= true;
queue-stalled-enabled= true;
queue-stalled-minutes= 30;
ratio-limit= 2;
ratio-limit-enabled= false;
rename-partial-files= true;
rpc-authentication-required= true;
rpc-bind-address= "0.0.0.0";
rpc-enabled= true;
rpc-host-whitelist= "";
rpc-host-whitelist-enabled= true;
rpc-port= 9091;
rpc-url= "/transmission/";
rpc-whitelist= "127.0.0.1,192.168.3.2";
rpc-whitelist-enabled= true;
scrape-paused-torrents-enabled= true;
script-torrent-done-enabled= false;
seed-queue-enabled= false;
seed-queue-size= 10;
speed-limit-down= 6000;
speed-limit-down-enabled= true;
speed-limit-up= 500;
speed-limit-up-enabled= true;
start-added-torrents= true;
trash-original-torrent-files= false;
umask= 2;
upload-limit= 100;
upload-limit-enabled= 0;
upload-slots-per-torrent= 14;
utp-enabled= false;
};
sops = {
templates = {
"transmission-rpc" = {
owner = "vpn";
content = builtins.toJSON {
rpc-username = config.sops.placeholder.rpcuser;
rpc-password = config.sops.placeholder.rpcpass;
};
};
# services.nginx = {
# enable = true;
# virtualHosts = {
pia.content = ''
${config.sops.placeholder.vpnuser}
${config.sops.placeholder.vpnpass}
'';
# "192.168.1.192" = {
# locations = {
# "/transmission" = {
# proxyPass = "http://127.0.0.1:9091";
# extraConfig = ''
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# '';
# };
# };
# };
# };
# };
vpn.content = ''
client
dev tun
proto ${config.sops.placeholder.vpnprot}
remote ${config.sops.placeholder.vpnloc}
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass ${config.sops.templates.pia.path}
compress
verb 1
reneg-sec 0
crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt
disable-occ
dhcp-option DNS 209.222.18.222
dhcp-option DNS 209.222.18.218
dhcp-option DNS 8.8.8.8
route-noexec
'';
};
secrets = {
vpnuser = {};
rpcuser = {owner="vpn";};
vpnpass = {};
rpcpass = {owner="vpn";};
vpnprot = {};
vpnloc = {};
};
};
services.openvpn.servers = {
pia = {
autoStart = false;
updateResolvConf = true;
config = "config ${config.sops.templates.vpn.path}";
};
};
services.transmission = {
enable = true;
credentialsFile = config.sops.templates."transmission-rpc".path;
user = "vpn";
group = "lxc_shares";
settings = {
alt-speed-down= 8000;
alt-speed-enabled= false;
alt-speed-time-begin= 0;
alt-speed-time-day= 127;
alt-speed-time-enabled= true;
alt-speed-time-end= 360;
alt-speed-up= 2000;
bind-address-ipv4= "0.0.0.0";
bind-address-ipv6= "::";
blocklist-enabled= false;
blocklist-url= "http://www.example.com/blocklist";
cache-size-mb= 4;
dht-enabled= false;
download-dir= "/media/Eternor/New";
download-limit= 100;
download-limit-enabled= 0;
download-queue-enabled= true;
download-queue-size= 5;
encryption= 2;
idle-seeding-limit= 30;
idle-seeding-limit-enabled= false;
incomplete-dir= "/var/lib/transmission-daemon/Downloads";
incomplete-dir-enabled= false;
lpd-enabled= false;
max-peers-global= 200;
message-level= 1;
peer-congestion-algorithm= "";
peer-id-ttl-hours= 6;
peer-limit-global= 100;
peer-limit-per-torrent= 40;
peer-port= 22371;
peer-port-random-high= 65535;
peer-port-random-low= 49152;
peer-port-random-on-start= false;
peer-socket-tos= "default";
pex-enabled= false;
port-forwarding-enabled= false;
preallocation= 1;
prefetch-enabled= true;
queue-stalled-enabled= true;
queue-stalled-minutes= 30;
ratio-limit= 2;
ratio-limit-enabled= false;
rename-partial-files= true;
rpc-authentication-required= true;
rpc-bind-address= "0.0.0.0";
rpc-enabled= true;
rpc-host-whitelist= "";
rpc-host-whitelist-enabled= true;
rpc-port= 9091;
rpc-url= "/transmission/";
rpc-whitelist= "127.0.0.1,192.168.3.2";
rpc-whitelist-enabled= true;
scrape-paused-torrents-enabled= true;
script-torrent-done-enabled= false;
seed-queue-enabled= false;
seed-queue-size= 10;
speed-limit-down= 6000;
speed-limit-down-enabled= true;
speed-limit-up= 500;
speed-limit-up-enabled= true;
start-added-torrents= true;
trash-original-torrent-files= false;
umask= 2;
upload-limit= 100;
upload-limit-enabled= 0;
upload-slots-per-torrent= 14;
utp-enabled= false;
};
};
}
}

2
profiles/threed/hardware-configuration.nix
View file

@ -1,7 +1,7 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ config, lib, modulesPath, ... }:
{
imports =

4
profiles/threed/home.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, lib, fetchFromGitHub, ... }:
{ config, pkgs, ... }:
{
@ -76,7 +76,7 @@
};
keybindings = let
modifier = config.wayland.windowManager.sway.config.modifier;
inherit (config.wayland.windowManager.sway.config) modifier;
in {
"${modifier}+F2" = "exec brightnessctl set +5%";
"${modifier}+F1"= "exec brightnessctl set 5%-";

4
profiles/threed/nixos.nix
View file

@ -1,4 +1,4 @@
{ config, lib, pkgs, inputs, ... }:
{ lib, pkgs, ... }:
{
@ -71,7 +71,7 @@
};
monospace = {
package = (pkgs.nerdfonts.override { fonts = [ "FiraCode"]; });
package = pkgs.nerdfonts.override { fonts = [ "FiraCode"]; };
name = "FiraCode Nerd Font Mono";
};

10
profiles/winters/home.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, lib, fetchFromGitHub, ... }:
{ config, pkgs, ... }:
{
@ -97,11 +97,11 @@
];
keybindings = let
modifier = config.wayland.windowManager.sway.config.modifier;
in {
# keybindings = let
# inherit (config.wayland.windowManager.sway.config) modifier;
# in {
};
# };
startup = [

4
profiles/winters/nixos.nix
View file

@ -1,4 +1,4 @@
{ config, lib, pkgs, inputs, ... }:
{ pkgs, ... }:
{
@ -88,7 +88,7 @@
};
monospace = {
package = (pkgs.nerdfonts.override { fonts = [ "FiraCode"]; });
package = pkgs.nerdfonts.override { fonts = [ "FiraCode"]; };
name = "FiraCode Nerd Font Mono";
};