diff --git a/SwarselSystems.org b/SwarselSystems.org
index b9d1aff..2b97d28 100644
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@@ -735,997 +735,6 @@ This section mainly exists house different `configuration.nix` files for system ] ++ (builtins.attrValues outputs.nixosModules); - nixpkgs = { - inherit (outputs) overlays; - config = { - allowUnfree = true; - allowBroken = true; - }; - }; - - isoImage.makeEfiBootable = true; - isoImage.makeUsbBootable = true; - - networking.networkmanager.wifi.scanRandMacAddress = false; - - boot = { - loader.efi.canTouchEfiVariables = true; - kernelPackages = pkgs.linuxPackages_latest; - }; - - system.stateVersion = lib.mkForce "23.05"; - services.getty.autologinUser = lib.mkForce "swarsel"; - - networking = { - hostName = "live"; - wireless.enable = lib.mkForce false; - firewall.enable = true; - }; - - - swarselsystems = { - wallpaper = ../../wallpaper/lenovowp.png; - hasBluetooth = true; - hasFingerprint = true; - impermanence = false; - initialSetup = true; - isBtrfs = false; - }; - - home-manager.users.swarsel.swarselsystems = { - isLaptop = false; - isNixos = true; - isBtrfs = false; - startup = [ - { command = "nextcloud --background"; } - { command = "vesktop --start-minimized --enable-speech-dispatcher --ozone-platform-hint=auto --enable-features=WaylandWindowDecorations --enable-wayland-ime"; } - { command = "element-desktop --hidden --enable-features=UseOzonePlatform --ozone-platform=wayland --disable-gpu-driver-bug-workarounds"; } - { command = "ANKI_WAYLAND=1 anki"; } - { command = "OBSIDIAN_USE_WAYLAND=1 obsidian"; } - { command = "nm-applet"; } - { command = "teams-for-linux"; } - { command = "1password"; } - { command = "feishin"; } - ]; - }; - } - - -#+end_src - -**** Home-manager only -:PROPERTIES: -:CUSTOM_ID: h:7056b9a0-f38b-4bca-b2ba-ab34e2d73493 -:END: - -This is the "reference implementation" of a setup that runs without NixOS, only relying on home-manager. I try to test this every now and then and keep it supported. However, manual steps are needed to get the system to work fully, depending on what distribution you are running on. 
- -#+begin_src nix :tangle profiles/home-manager/default.nix - { inputs, outputs, config, ... }: - { - - imports = builtins.attrValues outputs.homeManagerModules; - - nixpkgs = { - inherit (outputs) overlays; - config = { - allowUnfree = true; - }; - }; - - services.xcape = { - enable = true; - mapExpression = { - Control_L = "Escape"; - }; - }; - - programs.zsh.initExtra = " - export GPG_TTY=\"$(tty)\" - export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) - gpgconf --launch gpg-agent - "; - - swarselsystems = { - isLaptop = true; - isNixos = false; - wallpaper = ../../wallpaper/surfacewp.png; - temperatureHwmon = { - isAbsolutePath = true; - path = "/sys/devices/platform/thinkpad_hwmon/hwmon/"; - input-filename = "temp1_input"; - }; - monitors = { - main = { - name = "California Institute of Technology 0x1407 Unknown"; - mode = "1920x1080"; # TEMPLATE - scale = "1"; - position = "2560,0"; - workspace = "2:二"; - output = "eDP-1"; - }; - }; - inputs = { - "1:1:AT_Translated_Set_2_keyboard" = { - xkb_layout = "us"; - xkb_options = "grp:win_space_toggle"; - xkb_variant = "altgr-intl"; - }; - }; - keybindings = { }; - }; - - } - - -#+end_src - -**** Sandbox (Lenovo Y510P) -:PROPERTIES: -:CUSTOM_ID: h:60cf171f-2ec9-418f-8f67-85d159efe9d0 -:END: - -My old laptop, replaced by a new one, since most basic functions have stopped to work lately. However, it is still good as a dummy server for testing things out before having them go live. This configuration often changes when I am testing things - at the moment it is not even transitioned to the new module system however. - -***** NixOS -:PROPERTIES: -:CUSTOM_ID: h:23b0f629-343c-42fa-bf9b-70bea341c0d2 -:END: - -#+begin_src nix :noweb yes :tangle profiles/sandbox/nixos.nix - { config, pkgs, sops, ... 
}: - let - matrixDomain = "swatrix.swarsel.win"; - in - { - - imports = [ - ./hardware-configuration.nix - ]; - - boot = { - zfs.forceImportRoot = false; - supportedFilesystems = [ "zfs" ]; - kernelModules = [ "tun" ]; - kernel.sysctl = { - "net.ipv4.conf.all.rp_filter" = 2; - "net.ipv4.conf.default.rp_filter" = 2; - "net.ipv4.conf.enp7s0.rp_filter" = 2; - }; - - loader.grub = { - enable = true; - device = "/dev/sda"; - useOSProber = true; - }; - }; - - networking = { - hostId = "8a8ad84a"; - hostName = "sandbox"; # Define your hostname. - enableIPv6 = true; - firewall.enable = false; - firewall.extraCommands = '' - sudo iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP - ''; - iproute2 = { - enable = true; - rttablesExtraConfig = '' - 200 vpn - ''; - }; - }; - - nixpkgs.config.allowUnfree = true; - - hardware = { - enableAllFirmware = true; - graphics = { - enable = true; - extraPackages = with pkgs; [ - intel-media-driver # LIBVA_DRIVER_NAME=iHD - vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium) - vaapiVdpau - libvdpau-va-gl - ]; - }; - }; - - users = { - groups = { - vpn = { }; - mpd = { }; - navidrome = { - gid = 61593; - }; - spotifyd = { - gid = 65136; - }; - }; - users = { - jellyfin = { - extraGroups = [ "video" "render" ]; - }; - vpn = { - isNormalUser = true; - group = "vpn"; - home = "/home/vpn"; - }; - navidrome = { - isSystemUser = true; - uid = 61593; - group = "navidrome"; - extraGroups = [ "audio" "utmp" ]; - }; - spotifyd = { - isSystemUser = true; - uid = 65136; - group = "spotifyd"; - extraGroups = [ "audio" "utmp" ]; - }; - mpd = { - isSystemUser = true; - group = "mpd"; - extraGroups = [ "audio" "utmp" ]; - }; - swarsel = { - isNormalUser = true; - description = "Leon S"; - extraGroups = [ "networkmanager" "wheel" "lp" ]; - packages = with pkgs; [ ]; - }; - root = { - openssh.authorizedKeys.keyFiles = [ - ../../secrets/keys/authorized_keys - ]; - }; - }; - }; - - fileSystems."/mnt/Eternor" = { - device 
= "//192.168.1.3/Eternor"; - fsType = "cifs"; - options = - let - # this line prevents hanging on network split - automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s"; - in - [ "${automount_opts},credentials=/etc/nixos/smb-secrets,uid=1000,gid=100" ]; - }; - - environment = { - systemPackages = with pkgs; [ - git - gnupg - ssh-to-age - lego - nginx - calibre - openvpn - jq - iptables - busybox - wireguard-tools - matrix-synapse - lottieconverter - ffmpeg - pciutils - alsa-utils - mpv - zfs - ]; - etc = { - "openvpn/iptables.sh" = - { - source = ../../scripts/server1/iptables.sh; - mode = "0755"; - }; - "openvpn/update-resolv-conf" = - { - source = ../../scripts/server1/update-resolv-conf; - mode = "0755"; - }; - "openvpn/routing.sh" = - { - source = ../../scripts/server1/routing.sh; - mode = "0755"; - }; - "openvpn/ca.rsa.2048.crt" = - { - source = ../../secrets/certs/ca.rsa.2048.crt; - mode = "0644"; - }; - "openvpn/crl.rsa.2048.pem" = - { - source = ../../secrets/certs/crl.rsa.2048.pem; - mode = "0644"; - }; - }; - shellAliases = { - nswitch = "cd ~/.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; - }; - }; - - systemd = { - timers."restart-bridges" = { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnBootSec = "1d"; - OnUnitActiveSec = "1d"; - Unit = "restart-bridges.service"; - }; - }; - - services."restart-bridges" = { - script = '' - systemctl restart mautrix-whatsapp.service - systemctl restart mautrix-signal.service - systemctl restart mautrix-telegram.service - ''; - serviceConfig = { - Type = "oneshot"; - User = "root"; - }; - }; - }; - nix.settings.experimental-features = [ "nix-command" "flakes" ]; - - system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change - - documentation = { - enable = false; - }; - - sops = { - age.sshKeyPaths = [ "/etc/ssh/sops" ]; - defaultSopsFile = "/root/.dotfiles/secrets/sandbox/secrets.yaml"; - 
validateSopsFiles = false; - secrets = { - dnstokenfull = { owner = "acme"; }; - kavita = { owner = "kavita"; }; - vpnuser = { }; - rpcuser = { owner = "vpn"; }; - vpnpass = { }; - rpcpass = { owner = "vpn"; }; - vpnprot = { }; - vpnloc = { }; - mpdpass = { owner = "mpd"; }; - }; - templates = { - "transmission-rpc" = { - owner = "vpn"; - content = builtins.toJSON { - rpc-username = config.sops.placeholder.rpcuser; - rpc-password = config.sops.placeholder.rpcpass; - }; - }; - - pia.content = '' - ${config.sops.placeholder.vpnuser} - ${config.sops.placeholder.vpnpass} - ''; - - vpn.content = '' - client - dev tun - proto ${config.sops.placeholder.vpnprot} - remote ${config.sops.placeholder.vpnloc} - resolv-retry infinite - nobind - persist-key - persist-tun - cipher aes-128-cbc - auth sha1 - tls-client - remote-cert-tls server - - auth-user-pass ${config.sops.templates.pia.path} - compress - verb 1 - reneg-sec 0 - - crl-verify /etc/openvpn/crl.rsa.2048.pem - ca /etc/openvpn/ca.rsa.2048.crt - - disable-occ - ''; - "certs.secret".content = '' - CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull} - ''; - }; - }; - - security.acme = { - acceptTerms = true; - preliminarySelfsigned = false; - defaults.email = "mrswarsel@gmail.com"; - defaults.dnsProvider = "cloudflare"; - defaults.environmentFile = "${config.sops.templates."certs.secret".path}"; - }; - - services = { - xserver.xkb = { - layout = "us"; - variant = "altgr-intl"; - }; - - openssh = { - enable = true; - settings.PermitRootLogin = "yes"; - listenAddresses = [{ - port = 22; - addr = "0.0.0.0"; - }]; - }; - - nginx = { - enable = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - virtualHosts = { - - "stash.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "https://192.168.1.5"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - 
"/.well-known/carddav" = { - return = "301 $scheme://$host/remote.php/dav"; - }; - "/.well-known/caldav" = { - return = "301 $scheme://$host/remote.php/dav"; - }; - }; - }; - - "swatrix.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "~ ^(/_matrix|/_synapse/client)" = { - proxyPass = "http://127.0.0.1:8008"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - }; - }; - - - "sound.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:4040"; - proxyWebsockets = true; - extraConfig = '' - proxy_redirect http:// https://; - proxy_read_timeout 600s; - proxy_send_timeout 600s; - proxy_buffering off; - proxy_request_buffering off; - client_max_body_size 0; - ''; - }; - }; - }; - - "scan.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:28981"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - }; - }; - - "screen.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:8096"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - }; - }; - - "scroll.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:8080"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - }; - }; - }; - }; - - kavita = { - enable = true; - user = "kavita"; - settings.port = 8080; - tokenKeyFile = config.sops.secrets.kavita.path; - }; - - jellyfin = { - enable = true; - user = "jellyfin"; - }; - - radarr = { - enable = true; - }; - readarr = { - enable = true; - }; - sonarr = { - enable = true; - }; - lidarr = { - enable = true; - }; - prowlarr = { - enable = true; - }; - openvpn.servers = { - pia = { - autoStart = true; - updateResolvConf = false; - config = "config ${config.sops.templates.vpn.path}"; - }; - }; - 
transmission = { - enable = true; - credentialsFile = config.sops.templates."transmission-rpc".path; - user = "vpn"; - settings = { - alt-speed-down = 8000; - alt-speed-enabled = false; - alt-speed-time-begin = 0; - alt-speed-time-day = 127; - alt-speed-time-enabled = true; - alt-speed-time-end = 360; - alt-speed-up = 2000; - bind-address-ipv4 = "0.0.0.0"; - bind-address-ipv6 = "::"; - blocklist-enabled = false; - blocklist-url = "http://www.example.com/blocklist"; - cache-size-mb = 256; - dht-enabled = false; - download-dir = "/test"; - download-limit = 100; - download-limit-enabled = 0; - download-queue-enabled = true; - download-queue-size = 5; - encryption = 2; - idle-seeding-limit = 30; - idle-seeding-limit-enabled = false; - incomplete-dir = "/var/lib/transmission-daemon/Downloads"; - incomplete-dir-enabled = false; - lpd-enabled = false; - max-peers-global = 200; - message-level = 1; - peer-congestion-algorithm = ""; - peer-id-ttl-hours = 6; - peer-limit-global = 100; - peer-limit-per-torrent = 40; - peer-port = 22371; - peer-port-random-high = 65535; - peer-port-random-low = 49152; - peer-port-random-on-start = false; - peer-socket-tos = "default"; - pex-enabled = false; - port-forwarding-enabled = false; - preallocation = 1; - prefetch-enabled = true; - queue-stalled-enabled = true; - queue-stalled-minutes = 30; - ratio-limit = 2; - ratio-limit-enabled = false; - rename-partial-files = true; - rpc-authentication-required = true; - rpc-bind-address = "0.0.0.0"; - rpc-enabled = true; - rpc-host-whitelist = ""; - rpc-host-whitelist-enabled = true; - rpc-port = 9091; - rpc-url = "/transmission/"; - rpc-whitelist = "127.0.0.1,192.168.3.2"; - rpc-whitelist-enabled = true; - scrape-paused-torrents-enabled = true; - script-torrent-done-enabled = false; - seed-queue-enabled = false; - seed-queue-size = 10; - speed-limit-down = 6000; - speed-limit-down-enabled = true; - speed-limit-up = 500; - speed-limit-up-enabled = true; - start-added-torrents = true; - 
trash-original-torrent-files = false; - umask = 2; - upload-limit = 100; - upload-limit-enabled = 0; - upload-slots-per-torrent = 14; - utp-enabled = false; - }; - }; - - # sops.secrets.matrixsharedsecret = {owner="matrix-synapse";}; - # sops.templates."matrix_user_register.sh".content = '' - # register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008 - # ''; - # sops.templates.matrixshared.owner = "matrix-synapse"; - # sops.templates.matrixshared.content = '' - # registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret} - # ''; - # sops.secrets.mautrixtelegram_as = {owner="matrix-synapse";}; - # sops.secrets.mautrixtelegram_hs = {owner="matrix-synapse";}; - # sops.secrets.mautrixtelegram_api_id = {owner="matrix-synapse";}; - # sops.secrets.mautrixtelegram_api_hash = {owner="matrix-synapse";}; - # sops.templates.mautrixtelegram.owner = "matrix-synapse"; - # sops.templates.mautrixtelegram.content = '' - # MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as} - # MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs} - # MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id} - # MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash} - # ''; - - - - - # ---------------- - # sops.secrets.mautrixwhatsapp_shared = {owner="matrix-synapse";}; - # sops.templates.mautrixwhatsapp.owner = "matrix-synapse"; - # sops.templates.mautrixwhatsapp.content = '' - # MAUTRIX_WHATSAPP_BRIDGE_LOGIN_SHARED_SECRET=${config.sops.placeholder.mautrixwhatsapp_shared} - # ''; - - postgresql = { - enable = true; - initialScript = pkgs.writeText "synapse-init.sql" '' - CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; - CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram'; - CREATE DATABASE 
"mautrix-telegram" WITH OWNER "mautrix-telegram" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp'; - CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal'; - CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - ''; - }; - matrix-synapse = { - settings.app_service_config_files = [ - "/var/lib/matrix-synapse/telegram-registration.yaml" - "/var/lib/matrix-synapse/whatsapp-registration.yaml" - "/var/lib/matrix-synapse/signal-registration.yaml" - "/var/lib/matrix-synapse/doublepuppet.yaml" - ]; - enable = false; - settings.server_name = matrixDomain; - settings.public_baseurl = "https://${matrixDomain}"; - extraConfigFiles = [ - config.sops.templates.matrixshared.path - ]; - settings.listeners = [ - { - port = 8008; - bind_addresses = [ "0.0.0.0" ]; - type = "http"; - tls = false; - x_forwarded = true; - resources = [ - { - names = [ "client" "federation" ]; - compress = true; - } - ]; - } - ]; - }; - - mautrix-telegram = { - enable = false; - environmentFile = config.sops.templates.mautrixtelegram.path; - settings = { - homeserver = { - address = "http://localhost:8008"; - domain = matrixDomain; - }; - appservice = { - address = "http://localhost:29317"; - hostname = "0.0.0.0"; - port = "29317"; - provisioning.enabled = true; - id = "telegram"; - # ephemeral_events = true; # not needed due to double puppeting - public = { - enabled = false; - }; - database = "postgresql:///mautrix-telegram?host=/run/postgresql"; - }; - bridge = { - # login_shared_secret_map = { - # matrixDomain = "as_token:doublepuppet"; - # }; - relaybot.authless_portals = true; - allow_avatar_remove = true; - allow_contact_info = true; - sync_channel_members = true; - startup_sync = true; - sync_create_limit = 0; - sync_direct_chats = 
true; - telegram_link_preview = true; - permissions = { - "*" = "relaybot"; - "@swarsel:${matrixDomain}" = "admin"; - }; - animated_sticker = { - target = "gif"; - args = { - width = 256; - height = 256; - fps = 30; # only for webm - background = "020202"; # only for gif, transparency not supported - }; - }; - }; - }; - }; - - mautrix-whatsapp = { - enable = false; - # environmentFile = config.sops.templates.mautrixwhatsapp.path; - settings = { - homeserver = { - address = "http://localhost:8008"; - domain = matrixDomain; - }; - appservice = { - address = "http://localhost:29318"; - hostname = "0.0.0.0"; - port = 29318; - database = { - type = "postgres"; - uri = "postgresql:///mautrix-whatsapp?host=/run/postgresql"; - }; - }; - bridge = { - displayname_template = "{{or .FullName .PushName .JID}} (WA)"; - history_sync = { - backfill = true; - max_initial_conversations = -1; - message_count = -1; - request_full_sync = true; - full_sync_config = { - days_limit = 900; - size_mb_limit = 5000; - storage_quota_mb = 5000; - }; - }; - login_shared_secret_map = { - matrixDomain = "as_token:doublepuppet"; - }; - sync_manual_marked_unread = true; - send_presence_on_typing = true; - parallel_member_sync = true; - url_previews = true; - caption_in_message = true; - extev_polls = true; - permissions = { - "*" = "relaybot"; - "@swarsel:${matrixDomain}" = "admin"; - }; - }; - }; - }; - - mautrix-signal = { - enable = false; - settings = { - homeserver = { - address = "http://localhost:8008"; - domain = matrixDomain; - }; - appservice = { - - address = "http://localhost:29328"; - hostname = "0.0.0.0"; - port = 29328; - database = { - type = "postgres"; - uri = "postgresql:///mautrix-signal?host=/run/postgresql"; - }; - }; - bridge = { - displayname_template = "{{or .ContactName .ProfileName .PhoneNumber}} (Signal)"; - login_shared_secret_map = { - matrixDomain = "as_token:doublepuppet"; - }; - caption_in_message = true; - permissions = { - "*" = "relaybot"; - 
"@swarsel:${matrixDomain}" = "admin"; - }; - }; - }; - }; - - navidrome = { - enable = true; - settings = { - Address = "0.0.0.0"; - Port = 4040; - MusicFolder = "/mnt/"; - EnableSharing = true; - EnableTranscodingConfig = true; - Scanner.GroupAlbumReleases = true; - ScanSchedule = "@every 24h"; - # Insert these values locally as sops-nix does not work for them - # LastFM.ApiKey = TEMPLATE; - # LastFM.Secret = TEMPLATE; - # Spotify.ID = TEMPLATE; - # Spotify.Secret = TEMPLATE; - UILoginBackgroundUrl = "https://i.imgur.com/OMLxi7l.png"; - UIWelcomeMessage = "~SwarselSound~"; - }; - }; - mpd = { - enable = true; - musicDirectory = "/mnt/Eternor/Musik"; - user = "mpd"; - group = "mpd"; - network = { - port = 3254; - listenAddress = "any"; - }; - credentials = [ - { - passwordFile = config.sops.secrets.mpdpass.path; - permissions = [ - "read" - "add" - "control" - "admin" - ]; - } - ]; - }; - - - spotifyd = { - enable = true; - settings = { - global = { - dbus_type = "session"; - use_mpris = false; - device = "default:CARD=PCH"; - device_name = "SwarselSpot"; - mixer = "alsa"; - zeroconf_port = 1025; - }; - }; - }; - - # Network shares - # add a user with sudo smbpasswd -a - samba = { - package = pkgs.samba4Full; - extraConfig = '' - workgroup = WORKGROUP - server role = standalone server - dns proxy = no - - pam password change = yes - map to guest = bad user - create mask = 0664 - force create mode = 0664 - directory mask = 0775 - force directory mode = 0775 - follow symlinks = yes - ''; - - # ^^ `samba4Full` is compiled with avahi, ldap, AD etc support compared to the default package, `samba` - # Required for samba to register mDNS records for auto discovery - # See https://github.com/NixOS/nixpkgs/blob/592047fc9e4f7b74a4dc85d1b9f5243dfe4899e3/pkgs/top-level/all-packages.nix#L27268 - enable = true; - # openFirewall = true; - shares.test = { - browseable = "yes"; - "read only" = "no"; - "guest ok" = "no"; - path = "/test2"; - writable = "true"; - comment = "Eternor"; 
- "valid users" = "@smbtest2"; - }; - }; - - - avahi = { - publish.enable = true; - publish.userServices = true; - # ^^ Needed to allow samba to automatically register mDNS records without the need for an `extraServiceFile` - nssmdns4 = true; - # ^^ Not one hundred percent sure if this is needed- if it aint broke, don't fix it - enable = true; - }; - - samba-wsdd = { - # This enables autodiscovery on windows since SMB1 (and thus netbios) support was discontinued - enable = true; - }; - }; - } - -#+end_src - -**** Fourside (Lenovo Thinkpad P14s Gen2) -:PROPERTIES: -:CUSTOM_ID: h:6c6e9261-dfa1-42d8-ab2a-8b7c227be6d9 -:END: - -This is my private main machine. I am not using hardware encryption here as I personally do not really care. However, I want to setup impermanence on this one as soon as I get the chance. - -#+begin_src nix :tangle profiles/fourside/default.nix - { inputs, outputs, config, pkgs, ... }: - { - - imports = [ - inputs.nixos-hardware.nixosModules.lenovo-thinkpad-p14s-amd-gen2 - - ./hardware-configuration.nix - - ../optional/nixos/steam.nix - ../optional/nixos/virtualbox.nix - ../optional/nixos/autologin.nix - ../optional/nixos/nswitch-rcm.nix - - inputs.home-manager.nixosModules.home-manager - { - home-manager.users.swarsel.imports = outputs.mixedModules ++ [ - ../optional/home/gaming.nix - ] ++ (builtins.attrValues outputs.homeManagerModules); - } - ] ++ (builtins.attrValues outputs.nixosModules); - - nixpkgs = { inherit (outputs) overlays; config = { 
@@ -2212,96 +1221,6 @@ My server setup was originally built on Proxmox VE; back when I started, I creat I have removed most of the machines from this section. What remains are some hosts that I have deployed on OCI (mostly sync for medium-important data) and one other machine that I left for now as a reference. -**** Jellyfin (Local) -:PROPERTIES: -:CUSTOM_ID: h:4a194546-9a9e-47c4-8d03-8d2428d45d30 -:END: -***** NixOS -:PROPERTIES: -:CUSTOM_ID: h:9e94efd9-f63b-46ce-b34c-ec3128de5ed9 -:END: - -#+begin_src nix :tangle profiles/server1/jellyfin/nixos.nix - { config, pkgs, modulesPath, ... }: - - { - imports = [ - (modulesPath + "/virtualisation/proxmox-lxc.nix") - ./hardware-configuration.nix - ]; - - environment.systemPackages = with pkgs; [ - git - gnupg - ssh-to-age - ]; - - users.groups.lxc_shares = { - gid = 10000; - members = [ - "jellyfin" - "root" - ]; - }; - - users.users.jellyfin = { - extraGroups = [ "video" "render" ]; - }; - - services.xserver.xkb = { - layout = "us"; - variant = "altgr-intl"; - }; - - nix.settings.experimental-features = [ "nix-command" "flakes" ]; - - proxmoxLXC = { - manageNetwork = true; # manage network myself - manageHostName = false; # manage hostname myself - }; - networking = { - hostName = "jellyfin"; # Define your hostname. 
- useDHCP = true; - enableIPv6 = false; - firewall.enable = false; - }; - services.openssh = { - enable = true; - settings.PermitRootLogin = "yes"; - }; - users.users.root.openssh.authorizedKeys.keyFiles = [ - ../../../secrets/keys/authorized_keys - ]; - - system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change - - environment.shellAliases = { - nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; - }; - - nixpkgs.config.packageOverrides = pkgs: { - vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; - }; - hardware.graphics = { - enable = true; - extraPackages = with pkgs; [ - intel-media-driver # LIBVA_DRIVER_NAME=iHD - vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium) - vaapiVdpau - libvdpau-va-gl - ]; - }; - - services.jellyfin = { - enable = true; - user = "jellyfin"; - # openFirewall = true; # this works only for the default ports - }; - - } - -#+end_src - **** Sync (OCI) :PROPERTIES: :CUSTOM_ID: h:4c5febb0-fdf6-44c5-8d51-7ea0f8930abf diff --git a/profiles/common/gammastep.nix b/profiles/common/gammastep.nix deleted file mode 100644 index 516dbf1..0000000 --- a/profiles/common/gammastep.nix +++ /dev/null @@ -1,9 +0,0 @@ -_: -{ - services.gammastep = { - enable = true; - provider = "manual"; - latitude = 48.210033; - longitude = 16.363449; - }; -} diff --git a/profiles/fourside/default.nix b/profiles/fourside/default.nix deleted file mode 100644 index 46cf945..0000000 --- a/profiles/fourside/default.nix +++ /dev/null 
@@ -1,110 +0,0 @@ -{ inputs, outputs, config, pkgs, ... }: -{ - - imports = [ - inputs.nixos-hardware.nixosModules.lenovo-thinkpad-p14s-amd-gen2 - - ./hardware-configuration.nix - - ../optional/nixos/steam.nix - ../optional/nixos/virtualbox.nix - ../optional/nixos/autologin.nix - ../optional/nixos/nswitch-rcm.nix - - inputs.home-manager.nixosModules.home-manager - { - home-manager.users.swarsel.imports = outputs.mixedModules ++ [ - ../optional/home/gaming.nix - ] ++ (builtins.attrValues outputs.homeManagerModules); - } - ] ++ (builtins.attrValues outputs.nixosModules); - - - nixpkgs = { - inherit (outputs) overlays; - config = { - allowUnfree = true; - }; - }; - - boot = { - loader.systemd-boot.enable = true; - loader.efi.canTouchEfiVariables = true; - kernelPackages = pkgs.linuxPackages_latest; - }; - - - networking = { - hostName = "fourside"; - firewall.enable = true; - }; - - hardware.graphics.extraPackages = with pkgs; [ - vulkan-loader - vulkan-validation-layers - vulkan-extension-layer - ]; - - services = { - thinkfan.enable = false; - fwupd.enable = true; - }; - - swarselsystems = { - wallpaper = ../../wallpaper/lenovowp.png; - hasBluetooth = true; - hasFingerprint = true; - trackpoint = { - isAvailable = true; - device = "TPPS/2 Elan TrackPoint"; - }; - }; - - home-manager.users.swarsel.swarselsystems = { - isLaptop = true; - isNixos = true; - temperatureHwmon = { - isAbsolutePath = true; - path = "/sys/devices/platform/thinkpad_hwmon/hwmon/"; - input-filename = "temp1_input"; - }; - # ------ ----- - # | DP-4 | |eDP-1| - # ------ ----- - monitors = { - main = { - name = "California Institute of Technology 0x1407 Unknown"; - mode = "1920x1080"; # TEMPLATE - scale = "1"; - position = "2560,0"; - workspace = "2:二"; - output = "eDP-1"; - }; - homedesktop = { - name = "Philips Consumer Electronics Company PHL BDM3270 AU11806002320"; - mode = "2560x1440"; - scale = "1"; - position = "0,0"; - workspace = "1:一"; - output = "DP-4"; - }; - }; - inputs = { - 
"1:1:AT_Translated_Set_2_keyboard" = { - xkb_layout = "us"; - xkb_options = "grp:win_space_toggle"; - xkb_variant = "altgr-intl"; - }; - }; - keybindings = { - # these are left open to use - # "XF86WLAN" = "exec wl-mirror eDP-1"; - # "XF86Messenger" = "exec wl-mirror eDP-1"; - # "XF86Go" = "exec wl-mirror eDP-1"; - # "XF86Favorites" = "exec wl-mirror eDP-1"; - # "XF86HomePage" = "exec wtype -P Escape -p Escape"; - # "XF86AudioLowerVolume" = "pactl set-sink-volume alsa_output.pci-0000_08_00.6.HiFi__hw_Generic_1__sink -5%"; - # "XF86AudioRaiseVolume" = "pactl set-sink-volume alsa_output.pci-0000_08_00.6.HiFi__hw_Generic_1__sink +5% "; - }; - }; -} diff --git a/profiles/fourside/hardware-configuration.nix b/profiles/fourside/hardware-configuration.nix deleted file mode 100644 index 775c6f9..0000000 --- a/profiles/fourside/hardware-configuration.nix +++ /dev/null 
@@ -1,44 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config -, lib -, modulesPath -, ... -}: { - imports = [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-amd" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = { - device = "/dev/disk/by-uuid/55eee3d2-4125-4aba-a326-10cde2abdf26"; - fsType = "ext4"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/BC7A-F7D9"; - fsType = "vfat"; - }; - - swapDevices = [ - { device = "/dev/disk/by-uuid/0a74b04a-99e0-48cd-afcf-6ca849f6f85a"; } - ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp2s0f0.useDHCP = lib.mkDefault true; - # networking.interfaces.enp6s0.useDHCP = lib.mkDefault true; - # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true; - # networking.interfaces.wwan0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = "x86_64-linux"; - hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} diff --git a/profiles/sandbox/disk-config.nix b/profiles/sandbox/disk-config.nix deleted file mode 100644 index 75ae234..0000000 --- a/profiles/sandbox/disk-config.nix +++ /dev/null 
@@ -1,56 +0,0 @@ -# Example to create a bios compatible gpt partition -{ lib, ... }: -{ - disko.devices = { - disk.disk1 = { - device = lib.mkDefault "/dev/sda"; - type = "disk"; - content = { - type = "gpt"; - partitions = { - boot = { - name = "boot"; - size = "1M"; - type = "EF02"; - }; - esp = { - name = "ESP"; - size = "500M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - }; - }; - root = { - name = "root"; - size = "100%"; - content = { - type = "lvm_pv"; - vg = "pool"; - }; - }; - }; - }; - }; - lvm_vg = { - pool = { - type = "lvm_vg"; - lvs = { - root = { - size = "100%FREE"; - content = { - type = "filesystem"; - format = "ext4"; - mountpoint = "/"; - mountOptions = [ - "defaults" - ]; - }; - }; - }; - }; - }; - }; -} diff --git a/profiles/sandbox/hardware-configuration.nix b/profiles/sandbox/hardware-configuration.nix deleted file mode 100644 index 77e701a..0000000 --- a/profiles/sandbox/hardware-configuration.nix +++ /dev/null 
@@ -1,35 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config -, lib -, modulesPath -, ... -}: { - imports = [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ata_piix" "usb_storage" "sd_mod" "sr_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - # fileSystems."/" = { - # device = "/dev/disk/by-uuid/147e3682-eb15-4e96-9cac-4f2fb5888a69"; - # fsType = "ext4"; - # }; - - swapDevices = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp7s0.useDHCP = lib.mkDefault true; - # networking.interfaces.wlp8s0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} diff --git a/profiles/sandbox/nixos.nix b/profiles/sandbox/nixos.nix deleted file mode 100644 index d1bccff..0000000 --- a/profiles/sandbox/nixos.nix +++ /dev/null 
@@ -1,820 +0,0 @@ -{ config, pkgs, sops, ... }: -let - matrixDomain = "swatrix.swarsel.win"; -in -{ - - imports = [ - ./hardware-configuration.nix - ]; - - boot = { - zfs.forceImportRoot = false; - supportedFilesystems = [ "zfs" ]; - kernelModules = [ "tun" ]; - kernel.sysctl = { - "net.ipv4.conf.all.rp_filter" = 2; - "net.ipv4.conf.default.rp_filter" = 2; - "net.ipv4.conf.enp7s0.rp_filter" = 2; - }; - - loader.grub = { - enable = true; - device = "/dev/sda"; - useOSProber = true; - }; - }; - - networking = { - hostId = "8a8ad84a"; - hostName = "sandbox"; # Define your hostname. - enableIPv6 = true; - firewall.enable = false; - firewall.extraCommands = '' - sudo iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP - ''; - iproute2 = { - enable = true; - rttablesExtraConfig = '' - 200 vpn - ''; - }; - }; - - nixpkgs.config.allowUnfree = true; - - hardware = { - enableAllFirmware = true; - graphics = { - enable = true; - extraPackages = with pkgs; [ - intel-media-driver # LIBVA_DRIVER_NAME=iHD - vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium) - vaapiVdpau - libvdpau-va-gl - ]; - }; - }; - - users = { - groups = { - vpn = { }; - mpd = { }; - navidrome = { - gid = 61593; - }; - spotifyd = { - gid = 65136; - }; - }; - users = { - jellyfin = { - extraGroups = [ "video" "render" ]; - }; - vpn = { - isNormalUser = true; - group = "vpn"; - home = "/home/vpn"; - }; - navidrome = { - isSystemUser = true; - uid = 61593; - group = "navidrome"; - extraGroups = [ "audio" "utmp" ]; - }; - spotifyd = { - isSystemUser = true; - uid = 65136; - group = "spotifyd"; - extraGroups = [ "audio" "utmp" ]; - }; - mpd = { - isSystemUser = true; - group = "mpd"; - extraGroups = [ "audio" "utmp" ]; - }; - swarsel = { - isNormalUser = true; - description = "Leon S"; - extraGroups = [ "networkmanager" "wheel" "lp" ]; - packages = with pkgs; [ ]; - }; - root = { - openssh.authorizedKeys.keyFiles = [ - ../../secrets/keys/authorized_keys - ]; - }; - }; - }; - 
- fileSystems."/mnt/Eternor" = { - device = "//192.168.1.3/Eternor"; - fsType = "cifs"; - options = - let - # this line prevents hanging on network split - automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s"; - in - [ "${automount_opts},credentials=/etc/nixos/smb-secrets,uid=1000,gid=100" ]; - }; - - environment = { - systemPackages = with pkgs; [ - git - gnupg - ssh-to-age - lego - nginx - calibre - openvpn - jq - iptables - busybox - wireguard-tools - matrix-synapse - lottieconverter - ffmpeg - pciutils - alsa-utils - mpv - zfs - ]; - etc = { - "openvpn/iptables.sh" = - { - source = ../../scripts/server1/iptables.sh; - mode = "0755"; - }; - "openvpn/update-resolv-conf" = - { - source = ../../scripts/server1/update-resolv-conf; - mode = "0755"; - }; - "openvpn/routing.sh" = - { - source = ../../scripts/server1/routing.sh; - mode = "0755"; - }; - "openvpn/ca.rsa.2048.crt" = - { - source = ../../secrets/certs/ca.rsa.2048.crt; - mode = "0644"; - }; - "openvpn/crl.rsa.2048.pem" = - { - source = ../../secrets/certs/crl.rsa.2048.pem; - mode = "0644"; - }; - }; - shellAliases = { - nswitch = "cd ~/.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; - }; - }; - - systemd = { - timers."restart-bridges" = { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnBootSec = "1d"; - OnUnitActiveSec = "1d"; - Unit = "restart-bridges.service"; - }; - }; - - services."restart-bridges" = { - script = '' - systemctl restart mautrix-whatsapp.service - systemctl restart mautrix-signal.service - systemctl restart mautrix-telegram.service - ''; - serviceConfig = { - Type = "oneshot"; - User = "root"; - }; - }; - }; - nix.settings.experimental-features = [ "nix-command" "flakes" ]; - - system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change - - documentation = { - enable = false; - }; - - sops = { - age.sshKeyPaths = [ "/etc/ssh/sops" ]; - defaultSopsFile = 
"/root/.dotfiles/secrets/sandbox/secrets.yaml"; - validateSopsFiles = false; - secrets = { - dnstokenfull = { owner = "acme"; }; - kavita = { owner = "kavita"; }; - vpnuser = { }; - rpcuser = { owner = "vpn"; }; - vpnpass = { }; - rpcpass = { owner = "vpn"; }; - vpnprot = { }; - vpnloc = { }; - mpdpass = { owner = "mpd"; }; - }; - templates = { - "transmission-rpc" = { - owner = "vpn"; - content = builtins.toJSON { - rpc-username = config.sops.placeholder.rpcuser; - rpc-password = config.sops.placeholder.rpcpass; - }; - }; - - pia.content = '' - ${config.sops.placeholder.vpnuser} - ${config.sops.placeholder.vpnpass} - ''; - - vpn.content = '' - client - dev tun - proto ${config.sops.placeholder.vpnprot} - remote ${config.sops.placeholder.vpnloc} - resolv-retry infinite - nobind - persist-key - persist-tun - cipher aes-128-cbc - auth sha1 - tls-client - remote-cert-tls server - - auth-user-pass ${config.sops.templates.pia.path} - compress - verb 1 - reneg-sec 0 - - crl-verify /etc/openvpn/crl.rsa.2048.pem - ca /etc/openvpn/ca.rsa.2048.crt - - disable-occ - ''; - "certs.secret".content = '' - CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull} - ''; - }; - }; - - security.acme = { - acceptTerms = true; - preliminarySelfsigned = false; - defaults.email = "mrswarsel@gmail.com"; - defaults.dnsProvider = "cloudflare"; - defaults.environmentFile = "${config.sops.templates."certs.secret".path}"; - }; - - services = { - xserver.xkb = { - layout = "us"; - variant = "altgr-intl"; - }; - - openssh = { - enable = true; - settings.PermitRootLogin = "yes"; - listenAddresses = [{ - port = 22; - addr = "0.0.0.0"; - }]; - }; - - nginx = { - enable = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - virtualHosts = { - - "stash.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "https://192.168.1.5"; - extraConfig = '' - 
client_max_body_size 0; - ''; - }; - "/.well-known/carddav" = { - return = "301 $scheme://$host/remote.php/dav"; - }; - "/.well-known/caldav" = { - return = "301 $scheme://$host/remote.php/dav"; - }; - }; - }; - - "swatrix.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "~ ^(/_matrix|/_synapse/client)" = { - proxyPass = "http://127.0.0.1:8008"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - }; - }; - - - "sound.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:4040"; - proxyWebsockets = true; - extraConfig = '' - proxy_redirect http:// https://; - proxy_read_timeout 600s; - proxy_send_timeout 600s; - proxy_buffering off; - proxy_request_buffering off; - client_max_body_size 0; - ''; - }; - }; - }; - - "scan.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:28981"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - }; - }; - - "screen.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:8096"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - }; - }; - - "scroll.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:8080"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - }; - }; - }; - }; - - kavita = { - enable = true; - user = "kavita"; - settings.port = 8080; - tokenKeyFile = config.sops.secrets.kavita.path; - }; - - jellyfin = { - enable = true; - user = "jellyfin"; - }; - - radarr = { - enable = true; - }; - readarr = { - enable = true; - }; - sonarr = { - enable = true; - }; - lidarr = { - enable = true; - }; - prowlarr = { - enable = true; - }; - openvpn.servers = { - pia = { - autoStart = true; - updateResolvConf = false; - config = "config 
${config.sops.templates.vpn.path}"; - }; - }; - transmission = { - enable = true; - credentialsFile = config.sops.templates."transmission-rpc".path; - user = "vpn"; - settings = { - alt-speed-down = 8000; - alt-speed-enabled = false; - alt-speed-time-begin = 0; - alt-speed-time-day = 127; - alt-speed-time-enabled = true; - alt-speed-time-end = 360; - alt-speed-up = 2000; - bind-address-ipv4 = "0.0.0.0"; - bind-address-ipv6 = "::"; - blocklist-enabled = false; - blocklist-url = "http://www.example.com/blocklist"; - cache-size-mb = 256; - dht-enabled = false; - download-dir = "/test"; - download-limit = 100; - download-limit-enabled = 0; - download-queue-enabled = true; - download-queue-size = 5; - encryption = 2; - idle-seeding-limit = 30; - idle-seeding-limit-enabled = false; - incomplete-dir = "/var/lib/transmission-daemon/Downloads"; - incomplete-dir-enabled = false; - lpd-enabled = false; - max-peers-global = 200; - message-level = 1; - peer-congestion-algorithm = ""; - peer-id-ttl-hours = 6; - peer-limit-global = 100; - peer-limit-per-torrent = 40; - peer-port = 22371; - peer-port-random-high = 65535; - peer-port-random-low = 49152; - peer-port-random-on-start = false; - peer-socket-tos = "default"; - pex-enabled = false; - port-forwarding-enabled = false; - preallocation = 1; - prefetch-enabled = true; - queue-stalled-enabled = true; - queue-stalled-minutes = 30; - ratio-limit = 2; - ratio-limit-enabled = false; - rename-partial-files = true; - rpc-authentication-required = true; - rpc-bind-address = "0.0.0.0"; - rpc-enabled = true; - rpc-host-whitelist = ""; - rpc-host-whitelist-enabled = true; - rpc-port = 9091; - rpc-url = "/transmission/"; - rpc-whitelist = "127.0.0.1,192.168.3.2"; - rpc-whitelist-enabled = true; - scrape-paused-torrents-enabled = true; - script-torrent-done-enabled = false; - seed-queue-enabled = false; - seed-queue-size = 10; - speed-limit-down = 6000; - speed-limit-down-enabled = true; - speed-limit-up = 500; - speed-limit-up-enabled = 
true; - start-added-torrents = true; - trash-original-torrent-files = false; - umask = 2; - upload-limit = 100; - upload-limit-enabled = 0; - upload-slots-per-torrent = 14; - utp-enabled = false; - }; - }; - - # sops.secrets.matrixsharedsecret = {owner="matrix-synapse";}; - # sops.templates."matrix_user_register.sh".content = '' - # register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008 - # ''; - # sops.templates.matrixshared.owner = "matrix-synapse"; - # sops.templates.matrixshared.content = '' - # registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret} - # ''; - # sops.secrets.mautrixtelegram_as = {owner="matrix-synapse";}; - # sops.secrets.mautrixtelegram_hs = {owner="matrix-synapse";}; - # sops.secrets.mautrixtelegram_api_id = {owner="matrix-synapse";}; - # sops.secrets.mautrixtelegram_api_hash = {owner="matrix-synapse";}; - # sops.templates.mautrixtelegram.owner = "matrix-synapse"; - # sops.templates.mautrixtelegram.content = '' - # MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as} - # MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs} - # MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id} - # MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash} - # ''; - - - - - # ---------------- - # sops.secrets.mautrixwhatsapp_shared = {owner="matrix-synapse";}; - # sops.templates.mautrixwhatsapp.owner = "matrix-synapse"; - # sops.templates.mautrixwhatsapp.content = '' - # MAUTRIX_WHATSAPP_BRIDGE_LOGIN_SHARED_SECRET=${config.sops.placeholder.mautrixwhatsapp_shared} - # ''; - - postgresql = { - enable = true; - initialScript = pkgs.writeText "synapse-init.sql" '' - CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; - CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - CREATE ROLE "mautrix-telegram" WITH LOGIN 
PASSWORD 'telegram'; - CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp'; - CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal'; - CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - ''; - }; - matrix-synapse = { - settings.app_service_config_files = [ - "/var/lib/matrix-synapse/telegram-registration.yaml" - "/var/lib/matrix-synapse/whatsapp-registration.yaml" - "/var/lib/matrix-synapse/signal-registration.yaml" - "/var/lib/matrix-synapse/doublepuppet.yaml" - ]; - enable = false; - settings.server_name = matrixDomain; - settings.public_baseurl = "https://${matrixDomain}"; - extraConfigFiles = [ - config.sops.templates.matrixshared.path - ]; - settings.listeners = [ - { - port = 8008; - bind_addresses = [ "0.0.0.0" ]; - type = "http"; - tls = false; - x_forwarded = true; - resources = [ - { - names = [ "client" "federation" ]; - compress = true; - } - ]; - } - ]; - }; - - mautrix-telegram = { - enable = false; - environmentFile = config.sops.templates.mautrixtelegram.path; - settings = { - homeserver = { - address = "http://localhost:8008"; - domain = matrixDomain; - }; - appservice = { - address = "http://localhost:29317"; - hostname = "0.0.0.0"; - port = "29317"; - provisioning.enabled = true; - id = "telegram"; - # ephemeral_events = true; # not needed due to double puppeting - public = { - enabled = false; - }; - database = "postgresql:///mautrix-telegram?host=/run/postgresql"; - }; - bridge = { - # login_shared_secret_map = { - # matrixDomain = "as_token:doublepuppet"; - # }; - relaybot.authless_portals = true; - allow_avatar_remove = true; - allow_contact_info = true; - sync_channel_members = true; - startup_sync = true; - 
sync_create_limit = 0; - sync_direct_chats = true; - telegram_link_preview = true; - permissions = { - "*" = "relaybot"; - "@swarsel:${matrixDomain}" = "admin"; - }; - animated_sticker = { - target = "gif"; - args = { - width = 256; - height = 256; - fps = 30; # only for webm - background = "020202"; # only for gif, transparency not supported - }; - }; - }; - }; - }; - - mautrix-whatsapp = { - enable = false; - # environmentFile = config.sops.templates.mautrixwhatsapp.path; - settings = { - homeserver = { - address = "http://localhost:8008"; - domain = matrixDomain; - }; - appservice = { - address = "http://localhost:29318"; - hostname = "0.0.0.0"; - port = 29318; - database = { - type = "postgres"; - uri = "postgresql:///mautrix-whatsapp?host=/run/postgresql"; - }; - }; - bridge = { - displayname_template = "{{or .FullName .PushName .JID}} (WA)"; - history_sync = { - backfill = true; - max_initial_conversations = -1; - message_count = -1; - request_full_sync = true; - full_sync_config = { - days_limit = 900; - size_mb_limit = 5000; - storage_quota_mb = 5000; - }; - }; - login_shared_secret_map = { - matrixDomain = "as_token:doublepuppet"; - }; - sync_manual_marked_unread = true; - send_presence_on_typing = true; - parallel_member_sync = true; - url_previews = true; - caption_in_message = true; - extev_polls = true; - permissions = { - "*" = "relaybot"; - "@swarsel:${matrixDomain}" = "admin"; - }; - }; - }; - }; - - mautrix-signal = { - enable = false; - settings = { - homeserver = { - address = "http://localhost:8008"; - domain = matrixDomain; - }; - appservice = { - - address = "http://localhost:29328"; - hostname = "0.0.0.0"; - port = 29328; - database = { - type = "postgres"; - uri = "postgresql:///mautrix-signal?host=/run/postgresql"; - }; - }; - bridge = { - displayname_template = "{{or .ContactName .ProfileName .PhoneNumber}} (Signal)"; - login_shared_secret_map = { - matrixDomain = "as_token:doublepuppet"; - }; - caption_in_message = true; - permissions = { 
- "*" = "relaybot"; - "@swarsel:${matrixDomain}" = "admin"; - }; - }; - }; - }; - - navidrome = { - enable = true; - settings = { - Address = "0.0.0.0"; - Port = 4040; - MusicFolder = "/mnt/"; - EnableSharing = true; - EnableTranscodingConfig = true; - Scanner.GroupAlbumReleases = true; - ScanSchedule = "@every 24h"; - # Insert these values locally as sops-nix does not work for them - # LastFM.ApiKey = TEMPLATE; - # LastFM.Secret = TEMPLATE; - # Spotify.ID = TEMPLATE; - # Spotify.Secret = TEMPLATE; - UILoginBackgroundUrl = "https://i.imgur.com/OMLxi7l.png"; - UIWelcomeMessage = "~SwarselSound~"; - }; - }; - mpd = { - enable = true; - musicDirectory = "/mnt/Eternor/Musik"; - user = "mpd"; - group = "mpd"; - network = { - port = 3254; - listenAddress = "any"; - }; - credentials = [ - { - passwordFile = config.sops.secrets.mpdpass.path; - permissions = [ - "read" - "add" - "control" - "admin" - ]; - } - ]; - }; - - - spotifyd = { - enable = true; - settings = { - global = { - dbus_type = "session"; - use_mpris = false; - device = "default:CARD=PCH"; - device_name = "SwarselSpot"; - mixer = "alsa"; - zeroconf_port = 1025; - }; - }; - }; - - # Network shares - # add a user with sudo smbpasswd -a - samba = { - package = pkgs.samba4Full; - extraConfig = '' - workgroup = WORKGROUP - server role = standalone server - dns proxy = no - - pam password change = yes - map to guest = bad user - create mask = 0664 - force create mode = 0664 - directory mask = 0775 - force directory mode = 0775 - follow symlinks = yes - ''; - - # ^^ `samba4Full` is compiled with avahi, ldap, AD etc support compared to the default package, `samba` - # Required for samba to register mDNS records for auto discovery - # See https://github.com/NixOS/nixpkgs/blob/592047fc9e4f7b74a4dc85d1b9f5243dfe4899e3/pkgs/top-level/all-packages.nix#L27268 - enable = true; - # openFirewall = true; - shares.test = { - browseable = "yes"; - "read only" = "no"; - "guest ok" = "no"; - path = "/test2"; - writable = "true"; 
- comment = "Eternor"; - "valid users" = "@smbtest2"; - }; - }; - - - avahi = { - publish.enable = true; - publish.userServices = true; - # ^^ Needed to allow samba to automatically register mDNS records without the need for an `extraServiceFile` - nssmdns4 = true; - # ^^ Not one hundred percent sure if this is needed- if it aint broke, don't fix it - enable = true; - }; - - samba-wsdd = { - # This enables autodiscovery on windows since SMB1 (and thus netbios) support was discontinued - enable = true; - }; - }; -} diff --git a/profiles/server/common/calibre.nix b/profiles/server/common/calibre.nix deleted file mode 100644 index c450c4c..0000000 --- a/profiles/server/common/calibre.nix +++ /dev/null @@ -1,32 +0,0 @@ -{ pkgs, config, ... }: -{ - environment.systemPackages = with pkgs; [ - calibre - ]; - - sops.secrets.kavita = { owner = "kavita"; }; - - services.kavita = { - enable = true; - user = "kavita"; - port = 8080; - tokenKeyFile = config.sops.secrets.kavita.path; - }; - - services.nginx = { - "scroll.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://192.168.1.22:8080"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - }; - }; - }; - -} diff --git a/profiles/server/common/default.nix b/profiles/server/common/default.nix deleted file mode 100644 index 9a958ed..0000000 --- a/profiles/server/common/default.nix +++ /dev/null 
@@ -1,64 +0,0 @@ -{ lib, config, inputs, ... }: -{ - imports = [ - ../../common/nixos/xserver.nix - ../../common/nixos/gc.nix - ../../common/nixos/store.nix - ../../common/nixos/time.nix - ../../common/nixos/pipewire.nix - ../../common/nixos/users.nix - ../../common/nixos/nix-ld.nix - ./packages.nix - ./sops.nix - ./ssh.nix - ./nfs.nix - ./nginx.nix - ./kavita.nix - ./jellyfin.nix - ./navidrome.nix - ./spotifyd.nix - ./mpd.nix - ./matrix.nix - ./nextcloud.nix - ./immich.nix - ./paperless.nix - ./transmission.nix - ./syncthing.nix - ./restic.nix - ./monitoring.nix - ./jenkins.nix - ]; - - nix = - let - flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs; - in - { - settings = { - experimental-features = [ - "nix-command" - "flakes" - "ca-derivations" - ]; - trusted-users = [ "swarsel" ]; - flake-registry = ""; - warn-dirty = false; - }; - channel.enable = false; - registry = lib.mapAttrs (_: flake: { inherit flake; }) flakeInputs; - nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs; - }; - - environment.shellAliases = lib.recursiveUpdate - { - npswitch = "cd ${config.swarselsystems.flakePath}; git pull; sudo nixos-rebuild --flake .#$(hostname) switch --impure; cd -;"; - nswitch = "cd ${config.swarselsystems.flakePath}; sudo nixos-rebuild --flake .#$(hostname) switch --impure; cd -;"; - } - config.swarselsystems.shellAliases; - - nixpkgs.config.permittedInsecurePackages = [ - "olm-3.2.16" - ]; - - system.stateVersion = lib.mkDefault "23.05"; -} diff --git a/profiles/server/common/immich.nix b/profiles/server/common/immich.nix deleted file mode 100644 index 385db13..0000000 --- a/profiles/server/common/immich.nix +++ /dev/null 
@@ -1,49 +0,0 @@ -{ lib, config, ... }: -{ - config = lib.mkIf config.swarselsystems.server.immich { - - users.users.immich = { - extraGroups = [ "video" "render" "users" ]; - }; - - # sops.secrets.nextcloudadminpass = { owner = "nextcloud"; }; - - services.immich = { - enable = true; - port = 3001; - openFirewall = true; - mediaLocation = "/Vault/Eternor/Immich"; - environment.IMMICH_MACHINE_LEARNING_URL = lib.mkForce "http://localhost:3003"; - }; - - - services.nginx = { - virtualHosts = { - "shots.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://localhost:3001"; - extraConfig = '' - client_max_body_size 0; - - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_redirect off; - - proxy_read_timeout 600s; - proxy_send_timeout 600s; - send_timeout 600s; - ''; - }; - }; - }; - }; - }; - - }; - -} diff --git a/profiles/server/common/jellyfin.nix b/profiles/server/common/jellyfin.nix deleted file mode 100644 index 8f07590..0000000 --- a/profiles/server/common/jellyfin.nix +++ /dev/null 
@@ -1,44 +0,0 @@ -{ pkgs, lib, config, ... }: -{ - config = lib.mkIf config.swarselsystems.server.jellyfin { - users.users.jellyfin = { - extraGroups = [ "video" "render" "users" ]; - }; - nixpkgs.config.packageOverrides = pkgs: { - vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; - }; - hardware.graphics = { - enable = true; - extraPackages = with pkgs; [ - intel-media-driver # LIBVA_DRIVER_NAME=iHD - vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium) - vaapiVdpau - libvdpau-va-gl - ]; - }; - services.jellyfin = { - enable = true; - user = "jellyfin"; - openFirewall = true; # this works only for the default ports - }; - - services.nginx = { - virtualHosts = { - "screen.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://localhost:8096"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - }; - }; - }; - }; - }; - -} diff --git a/profiles/server/common/jenkins.nix b/profiles/server/common/jenkins.nix deleted file mode 100644 index 525a808..0000000 --- a/profiles/server/common/jenkins.nix +++ /dev/null @@ -1,35 +0,0 @@ -{ pkgs, lib, config, ... }: -{ - config = lib.mkIf config.swarselsystems.server.jenkins { - - services.jenkins = { - enable = true; - withCLI = true; - port = 8088; - packages = [ pkgs.stdenv pkgs.git pkgs.jdk17 config.programs.ssh.package pkgs.nix ]; - listenAddress = "127.0.0.1"; - home = "/Vault/apps/jenkins"; - }; - - - - services.nginx = { - virtualHosts = { - "servant.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://localhost:8088"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - }; - }; - }; - }; - }; - -} diff --git a/profiles/server/common/kavita.nix b/profiles/server/common/kavita.nix deleted file mode 100644 index 1ec45a9..0000000 --- a/profiles/server/common/kavita.nix +++ /dev/null 
@@ -1,42 +0,0 @@ -{ pkgs, lib, config, ... }: -{ - config = lib.mkIf config.swarselsystems.server.kavita { - environment.systemPackages = with pkgs; [ - calibre - ]; - - - users.users.jellyfin = { - extraGroups = [ "users" ]; - }; - - sops.secrets.kavita = { owner = "kavita"; }; - - networking.firewall.allowedTCPPorts = [ 8080 ]; - - services.kavita = { - enable = true; - user = "kavita"; - settings.Port = 8080; - tokenKeyFile = config.sops.secrets.kavita.path; - }; - - services.nginx = { - virtualHosts = { - "scroll.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://localhost:8080"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - }; - }; - }; - }; - }; -} diff --git a/profiles/server/common/matrix.nix b/profiles/server/common/matrix.nix deleted file mode 100644 index bf17ecf..0000000 --- a/profiles/server/common/matrix.nix +++ /dev/null 
@@ -1,317 +0,0 @@ -{ config, lib, pkgs, sops, ... }: -let - matrixDomain = "swatrix.swarsel.win"; - baseUrl = "https://${matrixDomain}"; - clientConfig."m.homeserver".base_url = baseUrl; - serverConfig."m.server" = "${matrixDomain}:443"; - mkWellKnown = data: '' - default_type application/json; - add_header Access-Control-Allow-Origin *; - return 200 '${builtins.toJSON data}'; - ''; -in -{ - - config = lib.mkIf config.swarselsystems.server.matrix { - environment.systemPackages = with pkgs; [ - matrix-synapse - lottieconverter - ffmpeg - ]; - - sops = { - secrets = { - matrixsharedsecret = { owner = "matrix-synapse"; }; - mautrixtelegram_as = { owner = "matrix-synapse"; }; - mautrixtelegram_hs = { owner = "matrix-synapse"; }; - mautrixtelegram_api_id = { owner = "matrix-synapse"; }; - mautrixtelegram_api_hash = { owner = "matrix-synapse"; }; - }; - templates = { - "matrix_user_register.sh".content = '' - register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008 - ''; - matrixshared = { - owner = "matrix-synapse"; - content = '' - registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret} - ''; - }; - mautrixtelegram = { - owner = "matrix-synapse"; - content = '' - MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as} - MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs} - MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id} - MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash} - ''; - }; - }; - }; - - services.postgresql = { - enable = true; - initialScript = pkgs.writeText "synapse-init.sql" '' - CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; - CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram'; - CREATE DATABASE "mautrix-telegram" WITH OWNER 
"mautrix-telegram" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp'; - CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal'; - CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - ''; - }; - - services.matrix-synapse = { - enable = true; - settings = { - app_service_config_files = [ - "/var/lib/matrix-synapse/telegram-registration.yaml" - "/var/lib/matrix-synapse/whatsapp-registration.yaml" - "/var/lib/matrix-synapse/signal-registration.yaml" - "/var/lib/matrix-synapse/doublepuppet.yaml" - ]; - server_name = matrixDomain; - public_baseurl = "https://${matrixDomain}"; - listeners = [ - { - port = 8008; - bind_addresses = [ - "127.0.0.1" - "::1" - ]; - type = "http"; - tls = false; - x_forwarded = true; - resources = [ - { - names = [ "client" "federation" ]; - compress = true; - } - ]; - } - ]; - }; - extraConfigFiles = [ - config.sops.templates.matrixshared.path - ]; - }; - - services.mautrix-telegram = { - enable = true; - environmentFile = config.sops.templates.mautrixtelegram.path; - settings = { - homeserver = { - address = "http://localhost:8008"; - domain = matrixDomain; - }; - appservice = { - address = "http://localhost:29317"; - hostname = "localhost"; - port = "29317"; - provisioning.enabled = true; - id = "telegram"; - # ephemeral_events = true; # not needed due to double puppeting - public = { - enabled = false; - }; - database = "postgresql:///mautrix-telegram?host=/run/postgresql"; - }; - bridge = { - relaybot.authless_portals = true; - allow_avatar_remove = true; - allow_contact_info = true; - sync_channel_members = true; - startup_sync = true; - sync_create_limit = 0; - sync_direct_chats = true; - telegram_link_preview = true; - permissions = { - "*" = "relaybot"; - 
"@swarsel:${matrixDomain}" = "admin"; - }; - animated_sticker = { - target = "gif"; - args = { - width = 256; - height = 256; - fps = 30; # only for webm - background = "020202"; # only for gif, transparency not supported - }; - }; - }; - }; - }; - systemd.services.mautrix-telegram.path = with pkgs; [ - lottieconverter # for animated stickers conversion, unfree package - ffmpeg # if converting animated stickers to webm (very slow!) - ]; - - services.mautrix-whatsapp = { - enable = true; - registerToSynapse = false; - settings = { - homeserver = { - address = "http://localhost:8008"; - domain = matrixDomain; - }; - appservice = { - address = "http://localhost:29318"; - hostname = "127.0.0.1"; - port = 29318; - database = { - type = "postgres"; - uri = "postgresql:///mautrix-whatsapp?host=/run/postgresql"; - }; - }; - bridge = { - displayname_template = "{{or .FullName .PushName .JID}} (WA)"; - history_sync = { - backfill = true; - max_initial_conversations = -1; - message_count = -1; - request_full_sync = true; - full_sync_config = { - days_limit = 900; - size_mb_limit = 5000; - storage_quota_mb = 5000; - }; - }; - login_shared_secret_map = { - matrixDomain = "as_token:doublepuppet"; - }; - sync_manual_marked_unread = true; - send_presence_on_typing = true; - parallel_member_sync = true; - url_previews = true; - caption_in_message = true; - extev_polls = true; - permissions = { - "*" = "relaybot"; - "@swarsel:${matrixDomain}" = "admin"; - }; - }; - }; - }; - - services.mautrix-signal = { - enable = true; - registerToSynapse = false; - settings = { - homeserver = { - address = "http://localhost:8008"; - domain = matrixDomain; - }; - appservice = { - - address = "http://localhost:29328"; - hostname = "127.0.0.1"; - port = 29328; - database = { - type = "postgres"; - uri = "postgresql:///mautrix-signal?host=/run/postgresql"; - }; - }; - bridge = { - displayname_template = "{{or .ContactName .ProfileName .PhoneNumber}} (Signal)"; - login_shared_secret_map = { - 
matrixDomain = "as_token:doublepuppet"; - }; - caption_in_message = true; - permissions = { - "*" = "relay"; - "@swarsel:${matrixDomain}" = "admin"; - }; - }; - }; - }; - - # restart the bridges daily. this is done for the signal bridge mainly which stops carrying - # messages out after a while. - - systemd.timers."restart-bridges" = { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnBootSec = "1d"; - OnUnitActiveSec = "1d"; - Unit = "restart-bridges.service"; - }; - }; - - systemd.services."restart-bridges" = { - script = '' - systemctl restart mautrix-whatsapp.service - systemctl restart mautrix-signal.service - systemctl restart mautrix-telegram.service - ''; - serviceConfig = { - Type = "oneshot"; - User = "root"; - }; - }; - - services.nginx = { - virtualHosts = { - "swatrix.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - listen = [ - { - addr = "0.0.0.0"; - port = 8448; - ssl = true; - extraParameters = [ - "default_server" - ]; - } - { - addr = "[::0]"; - port = 8448; - ssl = true; - extraParameters = [ - "default_server" - ]; - } - { - addr = "0.0.0.0"; - port = 443; - ssl = true; - } - { - addr = "[::0]"; - port = 443; - ssl = true; - } - ]; - locations = { - "~ ^(/_matrix|/_synapse/client)" = { - # proxyPass = "http://localhost:8008"; - proxyPass = "http://localhost:8008"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - "= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig; - "= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig; - }; - }; - }; - }; - }; - - -} diff --git a/profiles/server/common/monitoring.nix b/profiles/server/common/monitoring.nix deleted file mode 100644 index 35cb5ed..0000000 --- a/profiles/server/common/monitoring.nix +++ /dev/null 
@@ -1,160 +0,0 @@
-{ lib, config, ... }:
-{
- config = lib.mkIf config.swarselsystems.server.monitoring {
-
- sops.secrets = {
- grafanaadminpass = {
- owner = "grafana";
- };
- prometheusadminpass = {
- owner = "grafana";
- };
- };
-
- users.users.nextcloud-exporter = {
- extraGroups = [ "nextcloud" ];
- };
-
- users.users.grafana = {
- extraGroups = [ "users" ];
- };
-
- services.grafana = {
- enable = true;
- dataDir = "/Vault/data/grafana";
- provision = {
- enable = true;
- datasources.settings = {
- datasources = [
- {
- name = "prometheus";
- type = "prometheus";
- url = "https://status.swarsel.win/prometheus";
- editable = false;
- access = "proxy";
- basicAuth = true;
- basicAuthUser = "admin";
- jsonData = {
- httpMethod = "POST";
- manageAlerts = true;
- prometheusType = "Prometheus";
- prometheusVersion = "> 2.50.x";
- cacheLevel = "High";
- disableRecordingRules = false;
- incrementalQueryOverlapWindow = "10m";
- };
- secureJsonData = {
- basicAuthPassword = "$__file{/run/secrets/prometheusadminpass}";
- };
- }
- ];
- };
- };
-
- settings = {
- security.admin_password = "$__file{/run/secrets/grafanaadminpass}";
- server = {
- http_port = 3000;
- http_addr = "127.0.0.1";
- protocol = "http";
- domain = "status.swarsel.win";
- };
- };
- };
-
- services.prometheus = {
- enable = true;
- webExternalUrl = "https://status.swarsel.win/prometheus";
- port = 9090;
- listenAddress = "127.0.0.1";
- globalConfig = {
- scrape_interval = "10s";
- };
- webConfigFile = ../../../programs/server/prometheus/web.config;
- scrapeConfigs = [
- {
- job_name = "node";
- static_configs = [{
- targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
- }];
- }
- {
- job_name = "zfs";
- static_configs = [{
- targets = [ "localhost:${toString config.services.prometheus.exporters.zfs.port}" ];
- }];
- }
- {
- job_name = "nginx";
- static_configs = [{
- targets = [ "localhost:${toString config.services.prometheus.exporters.nginx.port}" ];
- }];
- }
- {
-
job_name = "nextcloud";
- static_configs = [{
- targets = [ "localhost:${toString config.services.prometheus.exporters.nextcloud.port}" ];
- }];
- }
- ];
- exporters = {
- node = {
- enable = true;
- port = 9000;
- enabledCollectors = [ "systemd" ];
- extraFlags = [ "--collector.ethtool" "--collector.softirqs" "--collector.tcpstat" "--collector.wifi" ];
- };
- zfs = {
- enable = true;
- port = 9134;
- pools = [
- "Vault"
- ];
- };
- restic = {
- enable = false;
- port = 9753;
- };
- nginx = {
- enable = true;
- port = 9113;
- sslVerify = false;
- scrapeUri = "http://localhost/nginx_status";
- };
- nextcloud = lib.mkIf config.swarselsystems.server.nextcloud {
- enable = true;
- port = 9205;
- url = "https://stash.swarsel.win/ocs/v2.php/apps/serverinfo/api/v1/info";
- username = "admin";
- passwordFile = config.sops.secrets.nextcloudadminpass.path;
- };
- };
- };
-
-
- services.nginx = {
- virtualHosts = {
- "status.swarsel.win" = {
- enableACME = true;
- forceSSL = true;
- acmeRoot = null;
- locations = {
- "/" = {
- proxyPass = "http://localhost:3000";
- extraConfig = ''
- client_max_body_size 0;
- '';
- };
- "/prometheus" = {
- proxyPass = "http://localhost:9090";
- extraConfig = ''
- client_max_body_size 0;
- '';
- };
- };
- };
- };
- };
- };
-
-}
diff --git a/profiles/server/common/mpd.nix b/profiles/server/common/mpd.nix
deleted file mode 100644
index 0380143..0000000
--- a/profiles/server/common/mpd.nix
+++ /dev/null
@@ -1,51 +0,0 @@
-{ pkgs, lib, config, ... }:
-{
- config = lib.mkIf config.swarselsystems.server.mpd {
- users = {
- groups = {
- mpd = { };
- };
-
- users = {
- mpd = {
- isSystemUser = true;
- group = "mpd";
- extraGroups = [ "audio" "utmp" ];
- };
- };
- };
-
- sops = {
- secrets.mpdpass = { owner = "mpd"; };
- };
-
- environment.systemPackages = with pkgs; [
- pciutils
- alsa-utils
- mpv
- ];
-
- services.mpd = {
- enable = true;
- musicDirectory = "/media";
- user = "mpd";
- group = "mpd";
- network = {
- port = 3254;
- listenAddress = "any";
- };
- credentials = [
- {
- passwordFile = config.sops.secrets.mpdpass.path;
- permissions = [
- "read"
- "add"
- "control"
- "admin"
- ];
- }
- ];
- };
- };
-
-}
diff --git a/profiles/server/common/navidrome.nix b/profiles/server/common/navidrome.nix
deleted file mode 100644
index 2753e35..0000000
--- a/profiles/server/common/navidrome.nix
+++ /dev/null
@@ -1,92 +0,0 @@
-{ pkgs, lib, config, ... }:
-{
- config = lib.mkIf config.swarselsystems.server.navidrome {
- environment.systemPackages = with pkgs; [
- pciutils
- alsa-utils
- mpv
- ];
-
- users = {
- groups = {
- navidrome = {
- gid = 61593;
- };
- };
-
- users = {
- navidrome = {
- isSystemUser = true;
- uid = 61593;
- group = "navidrome";
- extraGroups = [ "audio" "utmp" "users" "pipewire" ];
- };
- };
- };
-
-
- hardware = {
- # opengl.enable = true;
- enableAllFirmware = true;
- };
-
- networking.firewall.allowedTCPPorts = [ 4040 ];
-
- services.navidrome = {
- enable = true;
- openFirewall = true;
- settings = {
- LogLevel = "error";
- Address = "127.0.0.1";
- Port = 4040;
- MusicFolder = "/Vault/Eternor/Musik";
- EnableSharing = true;
- EnableTranscodingConfig = true;
- Scanner.GroupAlbumReleases = true;
- ScanSchedule = "@every 24h";
- MPVPath = "${pkgs.mpv}/bin/mpv";
- MPVCommandTemplate = "mpv --audio-device=%d --no-audio-display --pause %f";
- Jukebox = {
- Enabled = true;
- Default = "pch";
- Devices = [
- [ "pch" "alsa/sysdefault:CARD=PCH" ]
- ];
- };
- # Insert these values locally as sops-nix does not work for them
- LastFM.ApiKey = builtins.readFile /home/swarsel/api/lastfm-secret;
- LastFM.Secret = builtins.readFile /home/swarsel/api/lastfm-key;
- Spotify.ID = builtins.readFile /home/swarsel/api/spotify-id;
- Spotify.Secret = builtins.readFile /home/swarsel/api/spotify-secret;
- UILoginBackgroundUrl = "https://i.imgur.com/OMLxi7l.png";
- UIWelcomeMessage = "~SwarselSound~";
- };
- };
-
- services.nginx = {
- virtualHosts = {
- "sound.swarsel.win" = {
- enableACME = true;
- forceSSL = true;
- acmeRoot = null;
- locations = {
- "/" = {
- proxyPass = "http://localhost:4040";
- proxyWebsockets = true;
- extraConfig = ''
- proxy_redirect http:// https://;
- proxy_read_timeout 600s;
- proxy_send_timeout 600s;
- proxy_buffering off;
- proxy_request_buffering off;
- client_max_body_size 0;
- '';
- };
- };
- };
- };
- };
- };
-
-
-}
diff --git a/profiles/server/common/nextcloud.nix b/profiles/server/common/nextcloud.nix
deleted file mode 100644
index f744d4c..0000000
--- a/profiles/server/common/nextcloud.nix
+++ /dev/null
@@ -1,43 +0,0 @@
-{ pkgs, lib, config, ... }:
-{
- config = lib.mkIf config.swarselsystems.server.nextcloud {
-
- sops.secrets.nextcloudadminpass = {
- owner = "nextcloud";
- group = "nextcloud";
- mode = "0440";
- };
-
- services.nextcloud = {
- enable = true;
- package = pkgs.nextcloud30;
- hostName = "stash.swarsel.win";
- home = "/Vault/apps/nextcloud";
- datadir = "/Vault/data/nextcloud";
- https = true;
- configureRedis = true;
- maxUploadSize = "4G";
- extraApps = {
- inherit (pkgs.nextcloud30Packages.apps) mail calendar contacts cospend phonetrack polls tasks;
- };
- config = {
- adminuser = "admin";
- adminpassFile = config.sops.secrets.nextcloudadminpass.path;
- };
- };
-
-
- services.nginx = {
- virtualHosts = {
- "stash.swarsel.win" = {
- enableACME = true;
- forceSSL = true;
- acmeRoot = null;
- # config is automatically added by nixos nextcloud config.
- # hence, only provide certificate
- };
- };
- };
- };
-
-}
diff --git a/profiles/server/common/nfs.nix b/profiles/server/common/nfs.nix
deleted file mode 100644
index 3506e8c..0000000
--- a/profiles/server/common/nfs.nix
+++ /dev/null
@@ -1,49 +0,0 @@
-{ pkgs, ... }:
-{
- services = {
- # add a user with sudo smbpasswd -a
- samba = {
- package = pkgs.samba4Full;
- # extraConfig = ''
- # workgroup = WORKGROUP
- # server role = standalone server
- # dns proxy = no
-
- # pam password change = yes
- # map to guest = bad user
- # create mask = 0664
- # force create mode = 0664
- # directory mask = 0775
- # force directory mode = 0775
- # follow symlinks = yes
- # '';
-
- enable = true;
- openFirewall = true;
- settings.Eternor = {
- browseable = "yes";
- "read only" = "no";
- "guest ok" = "no";
- path = "/Vault/Eternor";
- writable = "true";
- comment = "Eternor";
- "valid users" = "Swarsel";
- };
- };
-
-
- avahi = {
- publish.enable = true;
- publish.userServices = true; # Needed to allow samba to automatically register mDNS records without the need for an `extraServiceFile`
- nssmdns4 = true;
- enable = true;
- openFirewall = true;
- };
-
- # This enables autodiscovery on windows since SMB1 (and thus netbios) support was discontinued
- samba-wsdd = {
- enable = true;
- openFirewall = true;
- };
- };
-}
diff --git a/profiles/server/common/nginx.nix b/profiles/server/common/nginx.nix
deleted file mode 100644
index fd0fbc9..0000000
--- a/profiles/server/common/nginx.nix
+++ /dev/null
@@ -1,35 +0,0 @@
-{ pkgs, config, ... }:
-{
- environment.systemPackages = with pkgs; [
- lego
- ];
-
- # users.users.acme = {};
-
- sops = {
- # secrets.dnstokenfull = { owner = "acme"; };
- secrets.dnstokenfull = { };
- templates."certs.secret".content = ''
- CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
- '';
- };
-
- security.acme = {
- acceptTerms = true;
- preliminarySelfsigned = false;
- defaults.email = "mrswarsel@gmail.com";
- defaults.dnsProvider = "cloudflare";
- defaults.environmentFile = "${config.sops.templates."certs.secret".path}";
- };
-
- services.nginx = {
- enable = true;
- statusPage = true;
- recommendedProxySettings = true;
- recommendedTlsSettings = true;
- recommendedOptimisation = true;
- recommendedGzipSettings = true;
- # virtualHosts are defined in the respective sections
- };
-
-}
diff --git a/profiles/server/common/packages.nix b/profiles/server/common/packages.nix
deleted file mode 100644
index 5d3d744..0000000
--- a/profiles/server/common/packages.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ pkgs, ... }:
-{
- environment.systemPackages = with pkgs; [
- gnupg
- nix-index
- ssh-to-age
- git
- emacs
- ];
-}
diff --git a/profiles/server/common/paperless.nix b/profiles/server/common/paperless.nix
deleted file mode 100644
index 26a2041..0000000
--- a/profiles/server/common/paperless.nix
+++ /dev/null
@@ -1,50 +0,0 @@
-{ lib, config, ... }:
-{
- config = lib.mkIf config.swarselsystems.server.paperless {
-
- users.users.paperless = {
- extraGroups = [ "users" ];
- };
-
-
- sops.secrets.paperless_admin = { owner = "paperless"; };
-
- services.paperless = {
- enable = true;
- mediaDir = "/Vault/Eternor/Paperless";
- dataDir = "/Vault/data/paperless";
- user = "paperless";
- port = 28981;
- passwordFile = config.sops.secrets.paperless_admin.path;
- address = "127.0.0.1";
- settings = {
- PAPERLESS_OCR_LANGUAGE = "deu+eng";
- PAPERLESS_URL = "https://scan.swarsel.win";
- PAPERLESS_OCR_USER_ARGS = builtins.toJSON {
- optimize = 1;
- invalidate_digital_signatures = true;
- pdfa_image_compression = "lossless";
- };
- };
- };
-
- services.nginx = {
- virtualHosts = {
- "scan.swarsel.win" = {
- enableACME = true;
- forceSSL = true;
- acmeRoot = null;
- locations = {
- "/" = {
- proxyPass = "http://localhost:28981";
- extraConfig = ''
- client_max_body_size 0;
- '';
- };
- };
- };
- };
- };
- };
-
-}
diff --git a/profiles/server/common/restic.nix b/profiles/server/common/restic.nix
deleted file mode 100644
index 7b5d6c5..0000000
--- a/profiles/server/common/restic.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{ lib, config, ... }:
-{
- config = lib.mkIf config.swarselsystems.server.restic {
-
- # TODO
-
- };
-}
diff --git a/profiles/server/common/sops.nix b/profiles/server/common/sops.nix
deleted file mode 100644
index 3de53ed..0000000
--- a/profiles/server/common/sops.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{ config, ... }:
-{
- sops = {
- age.sshKeyPaths = [ "/etc/ssh/sops" ];
- defaultSopsFile = "${config.swarselsystems.flakePath}/secrets/server/winters/secrets.yaml";
- validateSopsFiles = false;
- };
-
-}
diff --git a/profiles/server/common/spotifyd.nix b/profiles/server/common/spotifyd.nix
deleted file mode 100644
index 06eeb76..0000000
--- a/profiles/server/common/spotifyd.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-{ lib, config, ... }:
-{
- config = lib.mkIf config.swarselsystems.server.spotifyd {
- users.groups.spotifyd = {
- gid = 65136;
- };
-
- users.users.spotifyd = {
- isSystemUser = true;
- uid = 65136;
- group = "spotifyd";
- extraGroups = [ "audio" "utmp" "pipewire" ];
- };
-
- networking.firewall.allowedTCPPorts = [ 1025 ];
-
- services.pipewire.systemWide = true;
-
- services.spotifyd = {
- enable = true;
- settings = {
- global = {
- dbus_type = "session";
- use_mpris = false;
- device = "sysdefault:CARD=PCH";
- device_name = "SwarselSpot";
- mixer = "alsa";
- zeroconf_port = 1025;
- };
- };
- };
- };
-
-}
diff --git a/profiles/server/common/ssh.nix b/profiles/server/common/ssh.nix
deleted file mode 100644
index 05dd3d8..0000000
--- a/profiles/server/common/ssh.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-_:
-{
- services.openssh = {
- enable = true;
- settings.PermitRootLogin = "yes";
- };
- users.users.swarsel.openssh.authorizedKeys.keyFiles = [
- ../../../secrets/keys/authorized_keys
- ../../../secrets/keys/mysticant.pub
- ];
- users.users.root.openssh.authorizedKeys.keyFiles = [
- ../../../secrets/keys/authorized_keys
- ../../../secrets/keys/mysticant.pub
- ];
-
-}
diff --git a/profiles/server/common/syncthing.nix b/profiles/server/common/syncthing.nix
deleted file mode 100644
index a6fc5cc..0000000
--- a/profiles/server/common/syncthing.nix
+++ /dev/null
@@ -1,104 +0,0 @@
-{ lib, config, ... }:
-{
- config = lib.mkIf config.swarselsystems.server.syncthing {
-
- users.users.syncthing = {
- extraGroups = [ "users" ];
- };
-
- services.syncthing = {
- enable = true;
- user = "syncthing";
- dataDir = "/Vault/data/syncthing";
- configDir = "/Vault/apps/syncthing";
- guiAddress = "0.0.0.0:8384";
- openDefaultPorts = true;
- relay.enable = false;
- settings = {
- urAccepted = -1;
- devices = {
- "magicant" = {
- id = "VMWGEE2-4HDS2QO-KNQOVGN-LXLX6LA-666E4EK-ZBRYRRO-XFEX6FB-6E3XLQO";
- };
- "zenfone9" = {
- id = "SEH2NMT-IVRQUU5-VPW2HUQ-3GQYDBF-F6H6OY6-X3DZTUZ-LCRE2DJ-QNIXIQ2";
- };
- "sync (@oracle)" = {
- id = "ETW6TST-NPK7MKZ-M4LXMHA-QUPQHDT-VTSHH5X-CR5EIN2-YU7E55F-MGT7DQB";
- };
- "nbl-imba-2" = {
- id = "YAPV4BV-I26WPTN-SIP32MV-SQP5TBZ-3CHMTCI-Z3D6EP2-MNDQGLP-53FT3AB";
- };
- };
- folders = {
- "Default Folder" = {
- path = "/Vault/data/syncthing/Sync";
- type = "receiveonly";
- versioning = null;
- devices = [ "sync (@oracle)" "magicant" "zenfone9" "nbl-imba-2" ];
- id = "default";
- };
- "Obsidian" = {
- path = "/Vault/data/syncthing/Obsidian";
- type = "receiveonly";
- versioning = {
- type = "simple";
- params.keep = "5";
- };
- devices = [ "sync (@oracle)" "magicant" "zenfone9" "nbl-imba-2" ];
- id = "yjvni-9eaa7";
- };
- "Org" = {
- path = "/Vault/data/syncthing/Org";
- type = "receiveonly";
- versioning = {
- type = "simple";
- params.keep = "5";
- };
- devices = [ "sync (@oracle)" "magicant" "zenfone9" "nbl-imba-2" ];
- id = "a7xnl-zjj3d";
- };
- "Vpn" = {
- path = "/Vault/data/syncthing/Vpn";
- type = "receiveonly";
- versioning = {
- type = "simple";
- params.keep = "5";
- };
- devices = [ "sync (@oracle)" "magicant" "zenfone9" "nbl-imba-2" ];
- id = "hgp9s-fyq3p";
- };
- "Documents" = {
- path = "/Vault/data/syncthing/Documents";
- type = "receiveonly";
- versioning = {
- type = "simple";
- params.keep = "5";
- };
- devices = [ "magicant" "nbl-imba-2" ];
- id = "hgr3d-pfu3w";
- };
- };
- };
- };
-
-
services.nginx = {
- virtualHosts = {
- "storync.swarsel.win" = {
- enableACME = true;
- forceSSL = true;
- acmeRoot = null;
- locations = {
- "/" = {
- proxyPass = "http://localhost:8384";
- extraConfig = ''
- client_max_body_size 0;
- '';
- };
- };
- };
- };
- };
- };
-
-}
diff --git a/profiles/server/common/transmission.nix b/profiles/server/common/transmission.nix
deleted file mode 100644
index ee88608..0000000
--- a/profiles/server/common/transmission.nix
+++ /dev/null
@@ -1,132 +0,0 @@
-{ pkgs, lib, config, ... }:
-{
- config = lib.mkIf config.swarselsystems.server.transmission {
-
- # this user/group section is probably unneeded
- users = {
- groups = {
- dockeruser = {
- gid = 1155;
- };
- radarr = { };
- readarr = { };
- sonarr = { };
- lidarr = { };
- prowlarr = { };
- };
- users = {
- dockeruser = {
- isSystemUser = true;
- uid = 1155;
- group = "docker";
- extraGroups = [ "users" ];
- };
- radarr = {
- isSystemUser = true;
- group = "radarr";
- extraGroups = [ "users" ];
- };
- readarr = {
- isSystemUser = true;
- group = "readarr";
- extraGroups = [ "users" ];
- };
- sonarr = {
- isSystemUser = true;
- group = "sonarr";
- extraGroups = [ "users" ];
- };
- lidarr = {
- isSystemUser = true;
- group = "lidarr";
- extraGroups = [ "users" ];
- };
- prowlarr = {
- isSystemUser = true;
- group = "prowlarr";
- extraGroups = [ "users" ];
- };
- };
- };
-
- virtualisation.docker.enable = true;
- environment.systemPackages = with pkgs; [
- docker
- ];
-
- services = {
- radarr = {
- enable = true;
- openFirewall = true;
- dataDir = "/Vault/apps/radarr";
- };
- readarr = {
- enable = true;
- openFirewall = true;
- dataDir = "/Vault/apps/readarr";
- };
- sonarr = {
- enable = true;
- openFirewall = true;
- dataDir = "/Vault/apps/sonarr";
- };
- lidarr = {
- enable = true;
- openFirewall = true;
- dataDir = "/Vault/apps/lidarr";
- };
- prowlarr = {
- enable = true;
- openFirewall = true;
- };
-
- nginx = {
- virtualHosts = {
- "store.swarsel.win" = {
- enableACME = false;
- forceSSL = false;
- acmeRoot = null;
- locations = {
- "/" = {
- proxyPass = "http://localhost:9091";
- extraConfig = ''
- client_max_body_size 0;
- '';
- };
- "/radarr" = {
- proxyPass = "http://localhost:7878";
- extraConfig = ''
- client_max_body_size 0;
- '';
- };
- "/readarr" = {
- proxyPass = "http://localhost:8787";
- extraConfig = ''
- client_max_body_size 0;
- '';
- };
- "/sonarr" = {
- proxyPass = "http://localhost:8989";
- extraConfig = ''
-
client_max_body_size 0;
- '';
- };
- "/lidarr" = {
- proxyPass = "http://localhost:8686";
- extraConfig = ''
- client_max_body_size 0;
- '';
- };
- "/prowlarr" = {
- proxyPass = "http://localhost:9696";
- extraConfig = ''
- client_max_body_size 0;
- '';
- };
- };
- };
- };
- };
- };
- };
-}
diff --git a/profiles/server/mysticant/default.nix b/profiles/server/mysticant/default.nix
deleted file mode 100644
index baee810..0000000
--- a/profiles/server/mysticant/default.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-{ pkgs, ... }: {
- environment = {
- packages = with pkgs; [
- vim
- git
- openssh
- toybox
- dig
- man
- gnupg
- ];
-
- etcBackupExtension = ".bak";
- extraOutputsToInstall = [
- "doc"
- "info"
- "devdoc"
- ];
- motd = null;
- };
-
- home-manager.config = {
-
- imports = [
- ../common/home/ssh.nix
- ];
- services.ssh-agent.enable = true;
-
- };
-
- android-integration = {
- termux-open.enable = true;
- termux-xdg-open.enable = true;
- termux-open-url.enable = true;
- termux-reload-settings.enable = true;
- termux-setup-storage.enable = true;
- };
-
- # Backup etc files instead of failing to activate generation if a file already exists in /etc
-
- # Read the changelog before changing this value
- system.stateVersion = "23.05";
-
- # Set up nix for flakes
- nix.extraOptions = ''
- experimental-features = nix-command flakes
- '';
-}
diff --git a/profiles/server/nbm-imba-166/default.nix b/profiles/server/nbm-imba-166/default.nix
deleted file mode 100644
index a4f8ded..0000000
--- a/profiles/server/nbm-imba-166/default.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-{ inputs, outputs, config, pkgs, lib, ... }:
-{
-
- imports = [
- inputs.home-manager.darwinModules.home-manager
- {
- home-manager.useGlobalPkgs = true;
- home-manager.useUserPackages = true;
- home-manager.users."leon.schwarzaeugl".imports = [
- ../../common/home/emacs.nix
- ] ++ (builtins.attrValues outputs.homeManagerModules);
- }
- ] ++ (builtins.attrValues outputs.nixosModules);
-
- nix.settings.experimental-features = "nix-command flakes";
- nixpkgs = {
- inherit (outputs) overlays;
- config = {
- allowUnfree = true;
- };
- };
-
- # Auto upgrade nix package and the daemon service.
- services.nix-daemon.enable = true;
- services.karabiner-elements.enable = true;
-
- home-manager.users."leon.schwarzaeugl".swarselsystems = {
- isDarwin = true;
- isLaptop = true;
- isNixos = false;
- isBtrfs = false;
- };
-
- system.stateVersion = 4;
-
-}
diff --git a/profiles/server1/jellyfin/nixos.nix b/profiles/server1/jellyfin/nixos.nix
deleted file mode 100644
index c37c22c..0000000
--- a/profiles/server1/jellyfin/nixos.nix
+++ /dev/null
@@ -1,77 +0,0 @@
-{ config, pkgs, modulesPath, ... }:
-
-{
- imports = [
- (modulesPath + "/virtualisation/proxmox-lxc.nix")
- ./hardware-configuration.nix
- ];
-
- environment.systemPackages = with pkgs; [
- git
- gnupg
- ssh-to-age
- ];
-
- users.groups.lxc_shares = {
- gid = 10000;
- members = [
- "jellyfin"
- "root"
- ];
- };
-
- users.users.jellyfin = {
- extraGroups = [ "video" "render" ];
- };
-
- services.xserver.xkb = {
- layout = "us";
- variant = "altgr-intl";
- };
-
- nix.settings.experimental-features = [ "nix-command" "flakes" ];
-
- proxmoxLXC = {
- manageNetwork = true; # manage network myself
- manageHostName = false; # manage hostname myself
- };
- networking = {
- hostName = "jellyfin"; # Define your hostname.
- useDHCP = true;
- enableIPv6 = false;
- firewall.enable = false;
- };
- services.openssh = {
- enable = true;
- settings.PermitRootLogin = "yes";
- };
- users.users.root.openssh.authorizedKeys.keyFiles = [
- ../../../secrets/keys/authorized_keys
- ];
-
- system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
-
- environment.shellAliases = {
- nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
- };
-
- nixpkgs.config.packageOverrides = pkgs: {
- vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
- };
- hardware.graphics = {
- enable = true;
- extraPackages = with pkgs; [
- intel-media-driver # LIBVA_DRIVER_NAME=iHD
- vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
- vaapiVdpau
- libvdpau-va-gl
- ];
- };
-
- services.jellyfin = {
- enable = true;
- user = "jellyfin";
- # openFirewall = true; # this works only for the default ports
- };
-
-}
diff --git a/profiles/threed/hardware-configuration.nix b/profiles/threed/hardware-configuration.nix
deleted file mode 100644
index 41025cb..0000000
--- a/profiles/threed/hardware-configuration.nix
+++ /dev/null
@@ -1,41 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config -, lib -, modulesPath -, ... -}: { - imports = [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = { - device = "/dev/disk/by-uuid/4a590cad-28d9-4153-bdb8-e424ec3bd5c8"; - fsType = "ext4"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/C67D-61AD"; - fsType = "vfat"; - }; - - swapDevices = [ - { device = "/dev/disk/by-uuid/b07aac27-a443-489c-9fdb-01c1ef633699"; } - ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} diff --git a/profiles/threed/home.nix b/profiles/threed/home.nix deleted file mode 100644 index bfd3d39..0000000 --- a/profiles/threed/home.nix +++ /dev/null 
@@ -1,103 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-
-
-
-
- home = {
- username = "swarsel";
- homeDirectory = "/home/swarsel";
- stateVersion = "23.05"; # Please read the comment before changing.
- keyboard.layout = "us";
- packages = with pkgs; [
- ];
- };
-
- sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" ];
-
- programs.waybar.settings.mainBar = {
- cpu.format = "{icon0} {icon1} {icon2} {icon3}";
- temperature.hwmon-path = "/sys/devices/platform/coretemp.0/hwmon/hwmon1/temp3_input";
- };
-
- programs.waybar.settings.mainBar.modules-right = [
- "custom/outer-left-arrow-dark"
- "mpris"
- "custom/left-arrow-light"
- "network"
- "custom/left-arrow-dark"
- "pulseaudio"
- "custom/left-arrow-light"
- "custom/pseudobat"
- "battery"
- "custom/left-arrow-dark"
- "group/hardware"
- "custom/left-arrow-light"
- "clock#2"
- "custom/left-arrow-dark"
- "clock#1"
- ];
-
-
- wayland.windowManager.sway = {
- config = rec {
- input = {
- "*" = {
- xkb_layout = "us";
- xkb_options = "grp:win_space_toggle";
- xkb_variant = "altgr-intl";
- };
- "type:touchpad" = {
- dwt = "enabled";
- tap = "enabled";
- natural_scroll = "enabled";
- middle_emulation = "enabled";
- };
- };
-
- output = {
- eDP-1 = {
- mode = "2160x1440@59.955Hz";
- scale = "1";
- bg = "~/.dotfiles/wallpaper/surfacewp.png fill";
- };
- };
-
- keybindings =
- let
- inherit (config.wayland.windowManager.sway.config) modifier;
- in
- {
- "${modifier}+F2" = "exec brightnessctl set +5%";
- "${modifier}+F1" = "exec brightnessctl set 5%-";
- "${modifier}+n" = "exec sway output eDP-1 transform normal, splith";
- "${modifier}+Ctrl+p" = "exec wl-mirror eDP-1";
- "${modifier}+t" = "exec sway output eDP-1 transform 90, splitv";
- "${modifier}+XF86AudioLowerVolume" = "exec grim -g \"$(slurp)\" -t png - | wl-copy -t image/png";
- "${modifier}+XF86AudioRaiseVolume" = "exec grim -g \"$(slurp)\" -t png - | wl-copy -t image/png";
- "${modifier}+w" = "exec \"bash ~/.dotfiles/scripts/checkschildi.sh\"";
- };
-
- startup =
[
-
- { command = "nextcloud --background"; }
- { command = "discord --start-minimized"; }
- { command = "element-desktop --hidden -enable-features=UseOzonePlatform -ozone-platform=wayland --disable-gpu-driver-bug-workarounds"; }
- { command = "ANKI_WAYLAND=1 anki"; }
- { command = "OBSIDIAN_USE_WAYLAND=1 obsidian"; }
- { command = "nm-applet"; }
-
- ];
-
- keycodebindings = {
- "124" = "exec systemctl suspend";
- };
- };
-
- extraConfig = "
- exec swaymsg input 7062:6917:NTRG0001:01_1B96:1B05 map_to_output eDP-1
- exec swaymsg input 7062:6917:NTRG0001:01_1B96:1B05_Stylus map_to_output eDP-1
- ";
- };
-}
diff --git a/profiles/threed/nixos.nix b/profiles/threed/nixos.nix
deleted file mode 100644
index 0f59691..0000000
--- a/profiles/threed/nixos.nix
+++ /dev/null
@@ -1,96 +0,0 @@
-{ lib, pkgs, ... }:
-
-{
-
- imports =
- [
- ./hardware-configuration.nix
- ];
-
-
- services = {
- getty.autologinUser = "swarsel";
- greetd.settings.initial_session.user = "swarsel";
- };
-
- hardware.bluetooth.enable = true;
-
- # Bootloader
- boot = {
- loader.systemd-boot.enable = lib.mkForce false;
- lanzaboote = {
- enable = true;
- pkiBundle = "/etc/secureboot";
- };
- loader.efi.canTouchEfiVariables = true;
- # use bootspec instead of lzbt for secure boot. This is not a generally needed setting
- bootspec.enable = true;
- # kernelPackages = pkgs.linuxPackages_latest;
- };
-
- networking = {
- hostName = "threed";
- enableIPv6 = false;
- firewall.enable = false;
- };
-
- stylix.image = ../../wallpaper/surfacewp.png;
-
- enable = true;
- base16Scheme = ../../../wallpaper/swarsel.yaml;
- # base16Scheme = "${pkgs.base16-schemes}/share/themes/shapeshifter.yaml";
- polarity = "dark";
- opacity.popups = 0.5;
- cursor = {
- package = pkgs.capitaine-cursors;
- name = "capitaine-cursors";
- size = 16;
- };
- fonts = {
- sizes = {
- terminal = 10;
- applications = 11;
- };
- serif = {
- # package = (pkgs.nerdfonts.override { fonts = [ "FiraMono" "FiraCode"]; });
- package = pkgs.cantarell-fonts;
- # package = pkgs.montserrat;
- name = "Cantarell";
- # name = "FiraCode Nerd Font Propo";
- # name = "Montserrat";
- };
-
- sansSerif = {
- # package = (pkgs.nerdfonts.override { fonts = [ "FiraMono" "FiraCode"]; });
- package = pkgs.cantarell-fonts;
- # package = pkgs.montserrat;
- name = "Cantarell";
- # name = "FiraCode Nerd Font Propo";
- # name = "Montserrat";
- };
-
- monospace = {
- package = pkgs.nerdfonts.override { fonts = [ "FiraCode" ]; };
- name = "FiraCode Nerd Font Mono";
- };
-
- emoji = {
- package = pkgs.noto-fonts-emoji;
- name = "Noto Color Emoji";
- };
- };
-
-
- users.users.swarsel = {
- isNormalUser = true;
- description = "Leon S";
- extraGroups = [ "networkmanager" "wheel" "lp" "audio" "video" ];
- packages = with pkgs; [ ];
- };
-
- environment.systemPackages = with pkgs; [
- ];
-
- system.stateVersion = "23.05";
-
-}