diff --git a/SwarselSystems.org b/SwarselSystems.org
index 1ea6fd5..db906a3 100644
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@@ -839,17 +839,23 @@ No matter what you do, check the initial /etc/nixos/configuration.nix for notabl }; # Bootloader - boot.loader.grub.enable = true; - boot.loader.grub.device = "/dev/sda"; # TEMPLATE - if only one disk, this will work - boot.loader.grub.useOSProber = true; + boot.loader.grub = { + enable = true; + device = "/dev/sda"; # TEMPLATE - if only one disk, this will work + useOSProber = true; + }; # -------------------------------------- # you might need a configuration like this instead: # Bootloader - # boot.loader.grub.enable = true; - # boot.loader.grub.devices = ["nodev" ]; - # boot.loader.grub.useOSProber = true; - # boot.kernelPackages = pkgs.linuxPackages_latest; + # boot = { + # kernelPackages = pkgs.linuxPackages_latest; + # loader.grub = { + # enable = true; + # devices = ["nodev" ]; + # useOSProber = true; + # }; + # }; # -------------------------------------- networking.hostName = "TEMPLATE"; # Define your hostname. 
@@ -988,42 +994,121 @@ My old laptop, replaced by a new one, since most basic functions have stopped to #+begin_src nix :noweb yes :tangle profiles/sandbox/nixos.nix - { config, pkgs, unstable, sops, ... }: let - matrixDomain = "swatrix.swarsel.win"; - in { + { config, pkgs, sops, ... }: let + matrixDomain = "swatrix.swarsel.win"; + in { - imports = [ - ./hardware-configuration.nix - # we import here a service that is not available yet on normal nixpkgs - # this module is hence not in the modules list, we add it ourselves - (unstable + "/nixos/modules/services/matrix/mautrix-signal.nix") + imports = [ + ./hardware-configuration.nix + ]; + + boot.loader.grub = { + enable = true; + device = "/dev/sda"; + useOSProber = true; + supportedFilesystems = [ "zfs" ]; + zfs.forceImportRoot = false; + kernelModules = [ "tun" ]; + kernel.sysctl = { + "net.ipv4.conf.all.rp_filter" = 2; + "net.ipv4.conf.default.rp_filter" = 2; + "net.ipv4.conf.enp7s0.rp_filter" = 2; + }; + }; + + networking = { + hostId = "8a8ad84a"; + hostName = "sandbox"; # Define your hostname. + enableIPv6 = true; + firewall.enable = false; + firewall.extraCommands = '' + sudo iptables -A OUTPUT ! 
-o lo -m owner --uid-owner vpn -j DROP + ''; + iproute2 = { + enable = true; + rttablesExtraConfig = '' + 200 vpn + ''; + }; + }; + + hardware.graphics = { + enable = true; + hardware.enableAllFirmware = true; + extraPackages = with pkgs; [ + intel-media-driver # LIBVA_DRIVER_NAME=iHD + vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium) + vaapiVdpau + libvdpau-va-gl ]; + }; - boot.loader.grub = { - enable = true; - device = "/dev/sda"; - useOSProber = true; + sound = { + enable = true; + }; + + users = { + groups = { + vpn = {}; + mpd = {}; + navidrome = { + gid = 61593; }; - - users.users.swarsel = { + spotifyd = { + gid = 65136; + }; + }; + users = { + jellyfin = { + extraGroups = [ "video" "render" ]; + }; + vpn = { + isNormalUser = true; + group = "vpn"; + home = "/home/vpn"; + }; + navidrome = { + isSystemUser = true; + uid = 61593; + group = "navidrome"; + extraGroups = [ "audio" "utmp" ]; + }; + spotifyd = { + isSystemUser = true; + uid = 65136; + group = "spotifyd"; + extraGroups = [ "audio" "utmp" ]; + }; + mpd = { + isSystemUser = true; + group = "mpd"; + extraGroups = [ "audio" "utmp" ]; + }; + swarsel = { isNormalUser = true; description = "Leon S"; extraGroups = [ "networkmanager" "wheel" "lp"]; packages = with pkgs; []; }; - - # actual config starts here - - fileSystems."/mnt/Eternor" = { - device = "//192.168.1.3/Eternor"; - fsType = "cifs"; - options = let - # this line prevents hanging on network split - automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s"; - in ["${automount_opts},credentials=/etc/nixos/smb-secrets,uid=1000,gid=100"]; + root = { + openssh.authorizedKeys.keyFiles = [ + ../../secrets/keys/authorized_keys + ]; + }; }; + }; - environment.systemPackages = with pkgs; [ + fileSystems."/mnt/Eternor" = { + device = "//192.168.1.3/Eternor"; + fsType = "cifs"; + options = let + # this line prevents hanging on network split + 
automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s"; + in ["${automount_opts},credentials=/etc/nixos/smb-secrets,uid=1000,gid=100"]; + }; + + environment = { + systemPackages = with pkgs; [ git gnupg ssh-to-age 
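Review bot: The new `boot.loader.grub = { … }` block nests `supportedFilesystems`, `zfs.forceImportRoot`, `kernelModules` and `kernel.sysctl` under `boot.loader.grub`, but the removed lines had them as `boot.supportedFilesystems`, `boot.zfs.forceImportRoot`, `boot.kernelModules` and `boot.kernel.sysctl`; the module system should reject them as undefined options, and if it somehow did not, the ZFS root import, the `tun` module OpenVPN needs and the `rp_filter` sysctls the vpn routing table relies on would silently disappear. The same slip puts `hardware.enableAllFirmware = true;` inside `hardware.graphics`. Both should be regrouped one level up, as below. Carried over rather than introduced here, but visible in this hunk: with `networking.firewall.enable = false;` the `firewall.extraCommands` script is, as far as I know, never run by the firewall service, so the owner-based DROP rule for the `vpn` user is not installed, and the `sudo` prefix is superfluous in a script that already runs as root — worth confirming the kill-switch is actually in effect.
```nix
  boot = {
    loader.grub = {
      enable = true;
      device = "/dev/sda";
      useOSProber = true;
    };
    supportedFilesystems = [ "zfs" ];
    zfs.forceImportRoot = false;
    kernelModules = [ "tun" ];
    kernel.sysctl = {
      "net.ipv4.conf.all.rp_filter" = 2;
      "net.ipv4.conf.default.rp_filter" = 2;
      "net.ipv4.conf.enp7s0.rp_filter" = 2;
    };
  };

  # … unchanged: networking block …

  hardware = {
    enableAllFirmware = true;
    graphics = {
      enable = true;
      extraPackages = with pkgs; [
        intel-media-driver # LIBVA_DRIVER_NAME=iHD
        vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
        vaapiVdpau
        libvdpau-va-gl
      ];
    };
  };
```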
@@ -1042,62 +1127,147 @@ My old laptop, replaced by a new one, since most basic functions have stopped to alsa-utils mpv zfs - ]; + ]; + etc = { + "openvpn/iptables.sh" = + { source = ../../scripts/server1/iptables.sh; + mode = "0755"; + }; + "openvpn/update-resolv-conf" = + { source = ../../scripts/server1/update-resolv-conf; + mode = "0755"; + }; + "openvpn/routing.sh" = + { source = ../../scripts/server1/routing.sh; + mode = "0755"; + }; + "openvpn/ca.rsa.2048.crt" = + { source = ../../secrets/certs/ca.rsa.2048.crt; + mode = "0644"; + }; + "openvpn/crl.rsa.2048.pem" = + { source = ../../secrets/certs/crl.rsa.2048.pem; + mode = "0644"; + }; + }; + shellAliases = { + nswitch = "cd ~/.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; + }; + }; - services.xserver = { - layout = "us"; - xkbVariant = "altgr-intl"; + systemd = { + timers."restart-bridges" = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnBootSec = "1d"; + OnUnitActiveSec = "1d"; + Unit = "restart-bridges.service"; }; - - nix.settings.experimental-features = ["nix-command" "flakes"]; - - services.openssh = { - enable = true; - settings.PermitRootLogin = "yes"; - listenAddresses = [{ - port = 22; - addr = "0.0.0.0"; - }]; - }; - users.users.root.openssh.authorizedKeys.keyFiles = [ - ../../secrets/keys/authorized_keys - ]; - - system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change - - environment.shellAliases = { - nswitch = "cd ~/.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; - }; - - boot.supportedFilesystems = [ "zfs" ]; - boot.zfs.forceImportRoot = false; - networking.hostId = "8a8ad84a"; - - networking.hostName = "sandbox"; # Define your hostname. 
- networking.enableIPv6 = true; - networking.firewall.enable = false; - - documentation = { - enable = false; - }; - - sops.age.sshKeyPaths = [ "/etc/ssh/sops" ]; - sops.defaultSopsFile = "/root/.dotfiles/secrets/sandbox/secrets.yaml"; - sops.validateSopsFiles = false; - sops.secrets.dnstokenfull = {owner="acme";}; - sops.templates."certs.secret".content = '' - CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull} - ''; - - security.acme = { - acceptTerms = true; - preliminarySelfsigned = false; - defaults.email = "mrswarsel@gmail.com"; - defaults.dnsProvider = "cloudflare"; - defaults.environmentFile = "${config.sops.templates."certs.secret".path}"; }; - services.nginx = { + services."restart-bridges" = { + script = '' + systemctl restart mautrix-whatsapp.service + systemctl restart mautrix-signal.service + systemctl restart mautrix-telegram.service + ''; + serviceConfig = { + Type = "oneshot"; + User = "root"; + }; + }; + }; + nix.settings.experimental-features = ["nix-command" "flakes"]; + + system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change + + documentation = { + enable = false; + }; + + sops = { + age.sshKeyPaths = [ "/etc/ssh/sops" ]; + defaultSopsFile = "/root/.dotfiles/secrets/sandbox/secrets.yaml"; + validateSopsFiles = false; + secrets = { + dnstokenfull = {owner="acme";}; + kavita = { owner = "kavita";}; + vpnuser = {}; + rpcuser = {owner="vpn";}; + vpnpass = {}; + rpcpass = {owner="vpn";}; + vpnprot = {}; + vpnloc = {}; + mpdpass = { owner = "mpd";}; + }; + templates = { + "transmission-rpc" = { + owner = "vpn"; + content = builtins.toJSON { + rpc-username = config.sops.placeholder.rpcuser; + rpc-password = config.sops.placeholder.rpcpass; + }; + }; + + pia.content = '' + ${config.sops.placeholder.vpnuser} + ${config.sops.placeholder.vpnpass} + ''; + + vpn.content = '' + client + dev tun + proto ${config.sops.placeholder.vpnprot} + remote ${config.sops.placeholder.vpnloc} + resolv-retry infinite + nobind + persist-key + 
persist-tun + cipher aes-128-cbc + auth sha1 + tls-client + remote-cert-tls server + + auth-user-pass ${config.sops.templates.pia.path} + compress + verb 1 + reneg-sec 0 + + crl-verify /etc/openvpn/crl.rsa.2048.pem + ca /etc/openvpn/ca.rsa.2048.crt + + disable-occ + ''; + "certs.secret".content = '' + CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull} + ''; + }; + }; + + security.acme = { + acceptTerms = true; + preliminarySelfsigned = false; + defaults.email = "mrswarsel@gmail.com"; + defaults.dnsProvider = "cloudflare"; + defaults.environmentFile = "${config.sops.templates."certs.secret".path}"; + }; + + services = { + xserver = { + layout = "us"; + xkbVariant = "altgr-intl"; + }; + + openssh = { + enable = true; + settings.PermitRootLogin = "yes"; + listenAddresses = [{ + port = 22; + addr = "0.0.0.0"; + }]; + }; + + nginx = { enable = true; recommendedProxySettings = true; recommendedTlsSettings = true; @@ -1113,12 +1283,9 @@ My old laptop, replaced by a new one, since most basic functions have stopped to "/" = { proxyPass = "https://192.168.1.5"; extraConfig = '' - client_max_body_size 0; - ''; + client_max_body_size 0; + ''; }; - # "/push/" = { - # proxyPass = "http://192.168.2.5:7867"; - # }; "/.well-known/carddav" = { return = "301 $scheme://$host/remote.php/dav"; }; 
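Review bot: The moved `systemd.timers."restart-bridges"` / `systemd.services."restart-bridges"` pair lost the comment that explained why the bridges are restarted every day (the removed text in the `@@ -1677` hunk read "restart the bridges daily. this is done for the signal bridge mainly which stops carrying messages out after a while"); please restore it above `timers."restart-bridges" = {` so a later reader does not strip the timer as cruft. Carried over rather than new, but since root's SSH access is key-based through `openssh.authorizedKeys.keyFiles` in the previous hunk, the `openssh` block can tighten `settings.PermitRootLogin = "yes";` to `settings.PermitRootLogin = "prohibit-password";` without losing access, especially with the firewall disabled and `addr = "0.0.0.0"`. The `vpn.content` template still pins `cipher aes-128-cbc` and `auth sha1`; whether the provider supports a newer cipher/auth pair is outside this diff but worth checking.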
@@ -1136,325 +1303,186 @@ My old laptop, replaced by a new one, since most basic functions have stopped to "~ ^(/_matrix|/_synapse/client)" = { proxyPass = "http://127.0.0.1:8008"; extraConfig = '' - client_max_body_size 0; - ''; + client_max_body_size 0; + ''; }; }; }; - "sound.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:4040"; - proxyWebsockets = true; - extraConfig = '' - proxy_redirect http:// https://; - proxy_read_timeout 600s; - proxy_send_timeout 600s; - proxy_buffering off; - proxy_request_buffering off; - client_max_body_size 0; - ''; - }; + "sound.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:4040"; + proxyWebsockets = true; + extraConfig = '' + proxy_redirect http:// https://; + proxy_read_timeout 600s; + proxy_send_timeout 600s; + proxy_buffering off; + proxy_request_buffering off; + client_max_body_size 0; + ''; }; }; + }; - "scan.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:28981"; - extraConfig = '' - client_max_body_size 0; - ''; - }; + "scan.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:28981"; + extraConfig = '' + client_max_body_size 0; + ''; }; }; + }; - "screen.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:8096"; - extraConfig = '' - client_max_body_size 0; - ''; - }; + "screen.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:8096"; + extraConfig = '' + client_max_body_size 0; + ''; }; }; + }; - "scroll.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = 
"http://127.0.0.1:8080"; - extraConfig = '' - client_max_body_size 0; - ''; - }; + "scroll.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:8080"; + extraConfig = '' + client_max_body_size 0; + ''; }; }; - - }; }; + }; - - sops.secrets.kavita = { owner = "kavita";}; - - services.kavita = { + kavita = { enable = true; user = "kavita"; port = 8080; tokenKeyFile = config.sops.secrets.kavita.path; }; - users.users.jellyfin = { - extraGroups = [ "video" "render" ]; - }; - - # nixpkgs.config.packageOverrides = pkgs: { - # vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; - # }; - - hardware.graphics = { - enable = true; - extraPackages = with pkgs; [ - intel-media-driver # LIBVA_DRIVER_NAME=iHD - vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium) - vaapiVdpau - libvdpau-va-gl - ]; - }; - - services.jellyfin = { + jellyfin = { enable = true; user = "jellyfin"; - # openFirewall = true; # this works only for the default ports }; - users.groups.vpn = {}; - - users.users.vpn = { - isNormalUser = true; - group = "vpn"; - home = "/home/vpn"; - }; - - boot.kernelModules = [ "tun" ]; - - services.radarr = { - enable = true; - }; - - services.readarr = { - enable = true; - }; - services.sonarr = { - enable = true; - }; - services.lidarr = { - enable = true; - }; - services.prowlarr = { - enable = true; - }; - - networking.firewall.extraCommands = '' - sudo iptables -A OUTPUT ! 
-o lo -m owner --uid-owner vpn -j DROP - ''; - networking.iproute2 = { - enable = true; - rttablesExtraConfig = '' - 200 vpn - ''; - }; - boot.kernel.sysctl = { - "net.ipv4.conf.all.rp_filter" = 2; - "net.ipv4.conf.default.rp_filter" = 2; - "net.ipv4.conf.enp7s0.rp_filter" = 2; - }; - environment.etc = { - "openvpn/iptables.sh" = - { source = ../../scripts/server1/iptables.sh; - mode = "0755"; - }; - "openvpn/update-resolv-conf" = - { source = ../../scripts/server1/update-resolv-conf; - mode = "0755"; - }; - "openvpn/routing.sh" = - { source = ../../scripts/server1/routing.sh; - mode = "0755"; - }; - "openvpn/ca.rsa.2048.crt" = - { source = ../../secrets/certs/ca.rsa.2048.crt; - mode = "0644"; - }; - "openvpn/crl.rsa.2048.pem" = - { source = ../../secrets/certs/crl.rsa.2048.pem; - mode = "0644"; - }; - }; - - sops.secrets.vpnuser = {}; - sops.secrets.rpcuser = {owner="vpn";}; - sops.secrets.vpnpass = {}; - sops.secrets.rpcpass = {owner="vpn";}; - sops.secrets.vpnprot = {}; - sops.secrets.vpnloc = {}; - # sops.secrets.crlpem = {}; - # sops.secrets.capem = {}; - sops.templates."transmission-rpc".owner = "vpn"; - sops.templates."transmission-rpc".content = builtins.toJSON { - rpc-username = config.sops.placeholder.rpcuser; - rpc-password = config.sops.placeholder.rpcpass; - }; - - sops.templates.pia.content = '' - ${config.sops.placeholder.vpnuser} - ${config.sops.placeholder.vpnpass} - ''; - - sops.templates.vpn.content = '' - client - dev tun - proto ${config.sops.placeholder.vpnprot} - remote ${config.sops.placeholder.vpnloc} - resolv-retry infinite - nobind - persist-key - persist-tun - cipher aes-128-cbc - auth sha1 - tls-client - remote-cert-tls server - - auth-user-pass ${config.sops.templates.pia.path} - compress - verb 1 - reneg-sec 0 - - crl-verify /etc/openvpn/crl.rsa.2048.pem - ca /etc/openvpn/ca.rsa.2048.crt - - disable-occ - ''; - - services.openvpn.servers = { - pia = { - autoStart = true; - updateResolvConf = false; - config = "config 
${config.sops.templates.vpn.path}"; - }; - }; - - services.transmission = { - enable = true; - credentialsFile = config.sops.templates."transmission-rpc".path; - user = "vpn"; - settings = { - - alt-speed-down= 8000; - alt-speed-enabled= false; - alt-speed-time-begin= 0; - alt-speed-time-day= 127; - alt-speed-time-enabled= true; - alt-speed-time-end= 360; - alt-speed-up= 2000; - bind-address-ipv4= "0.0.0.0"; - bind-address-ipv6= "::"; - blocklist-enabled= false; - blocklist-url= "http://www.example.com/blocklist"; - cache-size-mb= 256; - dht-enabled= false; - download-dir= "/test"; - download-limit= 100; - download-limit-enabled= 0; - download-queue-enabled= true; - download-queue-size= 5; - encryption= 2; - idle-seeding-limit= 30; - idle-seeding-limit-enabled= false; - incomplete-dir= "/var/lib/transmission-daemon/Downloads"; - incomplete-dir-enabled= false; - lpd-enabled= false; - max-peers-global= 200; - message-level= 1; - peer-congestion-algorithm= ""; - peer-id-ttl-hours= 6; - peer-limit-global= 100; - peer-limit-per-torrent= 40; - peer-port= 22371; - peer-port-random-high= 65535; - peer-port-random-low= 49152; - peer-port-random-on-start= false; - peer-socket-tos= "default"; - pex-enabled= false; - port-forwarding-enabled= false; - preallocation= 1; - prefetch-enabled= true; - queue-stalled-enabled= true; - queue-stalled-minutes= 30; - ratio-limit= 2; - ratio-limit-enabled= false; - rename-partial-files= true; - rpc-authentication-required= true; - rpc-bind-address= "0.0.0.0"; - rpc-enabled= true; - rpc-host-whitelist= ""; - rpc-host-whitelist-enabled= true; - rpc-port= 9091; - rpc-url= "/transmission/"; - rpc-whitelist= "127.0.0.1,192.168.3.2"; - rpc-whitelist-enabled= true; - scrape-paused-torrents-enabled= true; - script-torrent-done-enabled= false; - seed-queue-enabled= false; - seed-queue-size= 10; - speed-limit-down= 6000; - speed-limit-down-enabled= true; - speed-limit-up= 500; - speed-limit-up-enabled= true; - start-added-torrents= true; - 
trash-original-torrent-files= false; - umask= 2; - upload-limit= 100; - upload-limit-enabled= 0; - upload-slots-per-torrent= 14; - utp-enabled= false; - }; - }; - - # services.nginx = { - # enable = true; - # virtualHosts = { - - # "192.168.1.192" = { - # locations = { - # "/transmission" = { - # proxyPass = "http://127.0.0.1:9091"; - # extraConfig = '' - # proxy_set_header Host $host; - # proxy_set_header X-Real-IP $remote_addr; - # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - # ''; - # }; - # }; - # }; - # }; - # }; - + radarr = { + enable = true; + }; + readarr = { + enable = true; + }; + sonarr = { + enable = true; + }; + lidarr = { + enable = true; + }; + prowlarr = { + enable = true; + }; + openvpn.servers = { + pia = { + autoStart = true; + updateResolvConf = false; + config = "config ${config.sops.templates.vpn.path}"; + }; + }; + transmission = { + enable = true; + credentialsFile = config.sops.templates."transmission-rpc".path; + user = "vpn"; + settings = { + alt-speed-down= 8000; + alt-speed-enabled= false; + alt-speed-time-begin= 0; + alt-speed-time-day= 127; + alt-speed-time-enabled= true; + alt-speed-time-end= 360; + alt-speed-up= 2000; + bind-address-ipv4= "0.0.0.0"; + bind-address-ipv6= "::"; + blocklist-enabled= false; + blocklist-url= "http://www.example.com/blocklist"; + cache-size-mb= 256; + dht-enabled= false; + download-dir= "/test"; + download-limit= 100; + download-limit-enabled= 0; + download-queue-enabled= true; + download-queue-size= 5; + encryption= 2; + idle-seeding-limit= 30; + idle-seeding-limit-enabled= false; + incomplete-dir= "/var/lib/transmission-daemon/Downloads"; + incomplete-dir-enabled= false; + lpd-enabled= false; + max-peers-global= 200; + message-level= 1; + peer-congestion-algorithm= ""; + peer-id-ttl-hours= 6; + peer-limit-global= 100; + peer-limit-per-torrent= 40; + peer-port= 22371; + peer-port-random-high= 65535; + peer-port-random-low= 49152; + peer-port-random-on-start= false; + peer-socket-tos= 
"default"; + pex-enabled= false; + port-forwarding-enabled= false; + preallocation= 1; + prefetch-enabled= true; + queue-stalled-enabled= true; + queue-stalled-minutes= 30; + ratio-limit= 2; + ratio-limit-enabled= false; + rename-partial-files= true; + rpc-authentication-required= true; + rpc-bind-address= "0.0.0.0"; + rpc-enabled= true; + rpc-host-whitelist= ""; + rpc-host-whitelist-enabled= true; + rpc-port= 9091; + rpc-url= "/transmission/"; + rpc-whitelist= "127.0.0.1,192.168.3.2"; + rpc-whitelist-enabled= true; + scrape-paused-torrents-enabled= true; + script-torrent-done-enabled= false; + seed-queue-enabled= false; + seed-queue-size= 10; + speed-limit-down= 6000; + speed-limit-down-enabled= true; + speed-limit-up= 500; + speed-limit-up-enabled= true; + start-added-torrents= true; + trash-original-torrent-files= false; + umask= 2; + upload-limit= 100; + upload-limit-enabled= 0; + upload-slots-per-torrent= 14; + utp-enabled= false; + }; + }; # sops.secrets.matrixsharedsecret = {owner="matrix-synapse";}; # sops.templates."matrix_user_register.sh".content = '' 
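Review bot: `transmission.settings` binds the RPC interface on `rpc-bind-address= "0.0.0.0"` while this profile sets `networking.firewall.enable = false`, so the only things between the daemon and any reachable network are `rpc-whitelist` and the RPC password; if 192.168.3.2 is the sole remote client, binding to that interface's address or fronting it with the nginx location that was removed as a comment further down would reduce exposure. This is carried over by the move, not introduced here. `download-dir= "/test"` also reads like a placeholder that was left in; confirm it is intended.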
@@ -1486,31 +1514,32 @@ My old laptop, replaced by a new one, since most basic functions have stopped to # MAUTRIX_WHATSAPP_BRIDGE_LOGIN_SHARED_SECRET=${config.sops.placeholder.mautrixwhatsapp_shared} # ''; - services.postgresql.enable = true; - services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" '' - CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; - CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram'; - CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp'; - CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal'; - CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - ''; - - services.matrix-synapse = { + postgresql = { + enable = true; + initialScript = pkgs.writeText "synapse-init.sql" '' + CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; + CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram'; + CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp'; + CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal'; + CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + ''; + }; + matrix-synapse = { 
settings.app_service_config_files = [ "/var/lib/matrix-synapse/telegram-registration.yaml" "/var/lib/matrix-synapse/whatsapp-registration.yaml" @@ -1539,7 +1568,7 @@ My old laptop, replaced by a new one, since most basic functions have stopped to ]; }; - services.mautrix-telegram = { + mautrix-telegram = { enable = false; environmentFile = config.sops.templates.mautrixtelegram.path; settings = { @@ -1561,7 +1590,7 @@ My old laptop, replaced by a new one, since most basic functions have stopped to }; bridge = { # login_shared_secret_map = { - # matrixDomain = "as_token:doublepuppet"; + # matrixDomain = "as_token:doublepuppet"; # }; relaybot.authless_portals = true; allow_avatar_remove = true; @@ -1575,12 +1604,6 @@ My old laptop, replaced by a new one, since most basic functions have stopped to "*" = "relaybot"; "@swarsel:${matrixDomain}" = "admin"; }; - # Animated stickers conversion requires additional packages in the - # service's path. - # If this isn't a fresh installation, clearing the bridge's uploaded - # file cache might be necessary (make a database backup first!): - # delete from telegram_file where \ - # mime_type in ('application/gzip', 'application/octet-stream') animated_sticker = { target = "gif"; args = { @@ -1593,12 +1616,8 @@ My old laptop, replaced by a new one, since most basic functions have stopped to }; }; }; - # systemd.services.mautrix-telegram.path = with pkgs; [ - # lottieconverter # for animated stickers conversion, unfree package - # ffmpeg # if converting animated stickers to webm (very slow!) - # ]; - services.mautrix-whatsapp = { + mautrix-whatsapp = { enable = false; # environmentFile = config.sops.templates.mautrixwhatsapp.path; settings = { 
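Review bot: The `postgresql.initialScript` moved here still embeds the role passwords (`'synapse'`, `'telegram'`, `'whatsapp'`, `'signal'`) as literals; `pkgs.writeText` puts the script in the world-readable Nix store, so any local user can read them, and they are also committed to the repository. Since this file already routes other credentials through `sops.templates` (for example `"transmission-rpc"`), the init script could be rendered the same way and referenced by path, or the roles could rely on local peer authentication with no password at all. This is pre-existing rather than introduced by the restructuring, so it may be better handled as its own follow-up.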
@@ -1645,9 +1664,8 @@ My old laptop, replaced by a new one, since most basic functions have stopped to }; }; - services.mautrix-signal = { + mautrix-signal = { enable = false; - # environmentFile = config.sops.templates.mautrixwhatsapp.path; settings = { homeserver = { address = "http://localhost:8008"; @@ -1677,59 +1695,7 @@ My old laptop, replaced by a new one, since most basic functions have stopped to }; }; - # restart the bridges daily. this is done for the signal bridge mainly which stops carrying - # messages out after a while. - - systemd.timers."restart-bridges" = { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnBootSec = "1d"; - OnUnitActiveSec = "1d"; - Unit = "restart-bridges.service"; - }; - }; - - systemd.services."restart-bridges" = { - script = '' - systemctl restart mautrix-whatsapp.service - systemctl restart mautrix-signal.service - systemctl restart mautrix-telegram.service - ''; - serviceConfig = { - Type = "oneshot"; - User = "root"; - }; - }; - - - users.groups.navidrome = { - gid = 61593; - }; - - users.groups.mpd = {}; - - users.users.navidrome = { - isSystemUser = true; - uid = 61593; - group = "navidrome"; - extraGroups = [ "audio" "utmp" ]; - }; - - users.users.mpd = { - isSystemUser = true; - group = "mpd"; - extraGroups = [ "audio" "utmp" ]; - }; - - sound = { - enable = true; - }; - - hardware.enableAllFirmware = true; - - sops.secrets.mpdpass = { owner = "mpd";}; - - services.navidrome = { + navidrome = { enable = true; settings = { Address = "0.0.0.0"; @@ -1748,7 +1714,7 @@ My old laptop, replaced by a new one, since most basic functions have stopped to UIWelcomeMessage = "~SwarselSound~"; }; }; - services.mpd = { + mpd = { enable = true; musicDirectory = "/mnt/Eternor/Musik"; user = "mpd"; 
@@ -1771,18 +1737,7 @@ My old laptop, replaced by a new one, since most basic functions have stopped to }; - users.groups.spotifyd = { - gid = 65136; - }; - - users.users.spotifyd = { - isSystemUser = true; - uid = 65136; - group = "spotifyd"; - extraGroups = [ "audio" "utmp" ]; - }; - - services.spotifyd = { + spotifyd = { enable = true; settings = { global = { 
@@ -1796,65 +1751,56 @@ My old laptop, replaced by a new one, since most basic functions have stopped to }; }; - # Network shares - # add a user with sudo smbpasswd -a - services.samba = { - package = pkgs.samba4Full; - extraConfig = '' - workgroup = WORKGROUP - server role = standalone server - dns proxy = no + # Network shares + # add a user with sudo smbpasswd -a + samba = { + package = pkgs.samba4Full; + extraConfig = '' + workgroup = WORKGROUP + server role = standalone server + dns proxy = no - pam password change = yes - map to guest = bad user - create mask = 0664 - force create mode = 0664 - directory mask = 0775 - force directory mode = 0775 - follow symlinks = yes - ''; + pam password change = yes + map to guest = bad user + create mask = 0664 + force create mode = 0664 + directory mask = 0775 + force directory mode = 0775 + follow symlinks = yes + ''; - # ^^ `samba4Full` is compiled with avahi, ldap, AD etc support compared to the default package, `samba` - # Required for samba to register mDNS records for auto discovery - # See https://github.com/NixOS/nixpkgs/blob/592047fc9e4f7b74a4dc85d1b9f5243dfe4899e3/pkgs/top-level/all-packages.nix#L27268 - enable = true; - # openFirewall = true; - shares.test = { - browseable = "yes"; - "read only" = "no"; - "guest ok" = "no"; - path = "/test2"; - writable = "true"; - comment = "Eternor"; - "valid users" = "@smbtest2"; - }; + # ^^ `samba4Full` is compiled with avahi, ldap, AD etc support compared to the default package, `samba` + # Required for samba to register mDNS records for auto discovery + # See https://github.com/NixOS/nixpkgs/blob/592047fc9e4f7b74a4dc85d1b9f5243dfe4899e3/pkgs/top-level/all-packages.nix#L27268 + enable = true; + # openFirewall = true; + shares.test = { + browseable = "yes"; + "read only" = "no"; + "guest ok" = "no"; + path = "/test2"; + writable = "true"; + comment = "Eternor"; + "valid users" = "@smbtest2"; }; + }; - services.avahi = { - publish.enable = true; - publish.userServices = 
true; - # ^^ Needed to allow samba to automatically register mDNS records without the need for an `extraServiceFile` - nssmdns = true; - # ^^ Not one hundred percent sure if this is needed- if it aint broke, don't fix it - enable = true; - }; + avahi = { + publish.enable = true; + publish.userServices = true; + # ^^ Needed to allow samba to automatically register mDNS records without the need for an `extraServiceFile` + nssmdns = true; + # ^^ Not one hundred percent sure if this is needed- if it aint broke, don't fix it + enable = true; + }; - services.samba-wsdd = { + samba-wsdd = { # This enables autodiscovery on windows since SMB1 (and thus netbios) support was discontinued - enable = true; - }; - - - - - - - - - - - } + enable = true; + }; + }; + } #+end_src **** Threed (Surface Pro 3) @@ -3923,7 +3869,6 @@ Lastly, the machine that runs matrix needs to regularly update, as otherwise you imports = [ ./hardware-configuration.nix - # (unstable + "/nixos/modules/services/matrix/mautrix-signal.nix") # no longer needed; mautrix-signal was added to nixpkgs ]; environment.systemPackages = with pkgs; [ @@ -5159,7 +5104,7 @@ Programming languages and default lsp's are defined here: [[#h:0e7e8bea-ec58-499 #+begin_src nix :tangle profiles/common/home.nix - { config, pkgs, lib, fetchFromGitHub , ... }: + { config, pkgs, fetchFromGitHub , ... }: { home.packages = with pkgs; [ diff --git a/index.html b/index.html index f9b11f8..b1ab052 100644 --- a/index.html +++ b/index.html @@ -3,7 +3,7 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + SwarselSystems: NixOS + Emacs Configuration @@ -387,7 +387,7 @@

-This file has 41177 words spanning 10930 lines and was last revised on 2024-07-18 23:36:22 +0200. +This file has 40971 words spanning 10908 lines and was last revised on 2024-07-19 00:29:02 +0200.

@@ -437,7 +437,7 @@ This section defines my Emacs configuration. For a while, I considered to use ry

-My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2024-07-18 23:36:22 +0200) +My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2024-07-19 00:29:02 +0200)

@@ -1372,17 +1372,23 @@ No matter what you do, check the initial /etc/nixos/configuration.nix for notabl }; # Bootloader - boot.loader.grub.enable = true; - boot.loader.grub.device = "/dev/sda"; # TEMPLATE - if only one disk, this will work - boot.loader.grub.useOSProber = true; + boot.loader.grub = { + enable = true; + device = "/dev/sda"; # TEMPLATE - if only one disk, this will work + useOSProber = true; + }; # -------------------------------------- # you might need a configuration like this instead: # Bootloader - # boot.loader.grub.enable = true; - # boot.loader.grub.devices = ["nodev" ]; - # boot.loader.grub.useOSProber = true; - # boot.kernelPackages = pkgs.linuxPackages_latest; + # boot = { + # kernelPackages = pkgs.linuxPackages_latest; + # loader.grub = { + # enable = true; + # devices = ["nodev" ]; + # useOSProber = true; + # }; + # }; # -------------------------------------- networking.hostName = "TEMPLATE"; # Define your hostname. @@ -1629,42 +1635,121 @@ My old laptop, replaced by a new one, since most basic functions have stopped to
-    { config, pkgs, unstable, sops, ... }: let
-    matrixDomain = "swatrix.swarsel.win";
-  in {
+{ config, pkgs, sops, ... }: let
+  matrixDomain = "swatrix.swarsel.win";
+in {
 
-    imports = [
-      ./hardware-configuration.nix
-      # we import here a service that is not available yet on normal nixpkgs
-      # this module is hence not in the modules list, we add it ourselves
-      (unstable + "/nixos/modules/services/matrix/mautrix-signal.nix")
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/sda";
+    useOSProber = true;
+    supportedFilesystems = [ "zfs" ];
+    zfs.forceImportRoot = false;
+    kernelModules = [ "tun" ];
+    kernel.sysctl = {
+      "net.ipv4.conf.all.rp_filter" = 2;
+      "net.ipv4.conf.default.rp_filter" = 2;
+      "net.ipv4.conf.enp7s0.rp_filter" = 2;
+    };
+  };
+
+  networking = {
+    hostId = "8a8ad84a";
+    hostName = "sandbox"; # Define your hostname.
+    enableIPv6 = true;
+    firewall.enable = false;
+    firewall.extraCommands = ''
+                          sudo iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP
+                          '';
+    iproute2 = {
+      enable = true;
+      rttablesExtraConfig = ''
+                            200     vpn
+                            '';
+    };
+  };
+
+  hardware.graphics = {
+    enable = true;
+    hardware.enableAllFirmware = true;
+    extraPackages = with pkgs; [
+      intel-media-driver # LIBVA_DRIVER_NAME=iHD
+      vaapiIntel         # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
+      vaapiVdpau
+      libvdpau-va-gl
     ];
+  };
 
-      boot.loader.grub = {
-        enable = true;
-        device = "/dev/sda";
-        useOSProber = true;
+  sound = {
+    enable = true;
+  };
+
+  users = {
+    groups = {
+      vpn = {};
+      mpd = {};
+      navidrome = {
+        gid = 61593;
       };
-
-      users.users.swarsel = {
+      spotifyd = {
+        gid = 65136;
+      };
+    };
+    users = {
+      jellyfin = {
+        extraGroups  = [ "video" "render" ];
+      };
+      vpn = {
+        isNormalUser = true;
+        group = "vpn";
+        home = "/home/vpn";
+      };
+      navidrome = {
+        isSystemUser = true;
+        uid = 61593;
+        group = "navidrome";
+        extraGroups  = [ "audio" "utmp" ];
+      };
+      spotifyd = {
+        isSystemUser = true;
+        uid = 65136;
+        group = "spotifyd";
+        extraGroups  = [ "audio" "utmp" ];
+      };
+      mpd = {
+        isSystemUser = true;
+        group = "mpd";
+        extraGroups  = [ "audio" "utmp" ];
+      };
+      swarsel = {
         isNormalUser = true;
         description = "Leon S";
         extraGroups = [ "networkmanager" "wheel" "lp"];
         packages = with pkgs; [];
       };
-
-  # actual config starts here
-
-    fileSystems."/mnt/Eternor" = {
-      device = "//192.168.1.3/Eternor";
-      fsType = "cifs";
-      options = let
-        # this line prevents hanging on network split
-        automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
-      in ["${automount_opts},credentials=/etc/nixos/smb-secrets,uid=1000,gid=100"];
+      root = {
+        openssh.authorizedKeys.keyFiles = [
+          ../../secrets/keys/authorized_keys
+        ];
+      };
     };
+  };
 
-      environment.systemPackages = with pkgs; [
+  fileSystems."/mnt/Eternor" = {
+    device = "//192.168.1.3/Eternor";
+    fsType = "cifs";
+    options = let
+      # this line prevents hanging on network split
+      automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
+    in ["${automount_opts},credentials=/etc/nixos/smb-secrets,uid=1000,gid=100"];
+  };
+
+  environment = {
+    systemPackages = with pkgs; [
       git
       gnupg
       ssh-to-age
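Review bot: The re-nesting in the `boot.loader.grub = {` block moves `supportedFilesystems`, `zfs.forceImportRoot`, `kernelModules` and `kernel.sysctl` under `boot.loader.grub` instead of `boot`, and `hardware.enableAllFirmware = true;` lands inside `hardware.graphics`; on the removed side all of these sat at `boot.*` / `hardware.*`, and I expect evaluation to stop with an undefined-option error for `boot.loader.grub.supportedFilesystems` (or, at best, the ZFS root import, the `tun` module and the rp_filter settings silently no longer applying). Separately, `firewall.extraCommands` is executed by the firewall service that `firewall.enable = false;` on the line above turns off, so the egress DROP for the `vpn` uid is presumably never installed — confirm against the firewall module — and the `sudo` prefix in that rule is redundant since the firewall hooks already run as root and `sudo` may not even be on that unit's PATH. The corrected nesting is below; the `hardware.graphics.extraPackages` list is unchanged.

```nix
  boot = {
    loader.grub = {
      enable = true;
      device = "/dev/sda";
      useOSProber = true;
    };
    supportedFilesystems = [ "zfs" ];
    zfs.forceImportRoot = false;
    kernelModules = [ "tun" ];
    kernel.sysctl = {
      "net.ipv4.conf.all.rp_filter" = 2;
      "net.ipv4.conf.default.rp_filter" = 2;
      "net.ipv4.conf.enp7s0.rp_filter" = 2;
    };
  };

  # … unchanged: networking …

  hardware = {
    enableAllFirmware = true;
    graphics = {
      enable = true;
      # … unchanged: extraPackages list …
    };
  };
```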
@@ -1683,62 +1768,147 @@ My old laptop, replaced by a new one, since most basic functions have stopped to
       alsa-utils
       mpv
       zfs
-      ];
+    ];
+    etc = {
+      "openvpn/iptables.sh" =
+        { source = ../../scripts/server1/iptables.sh;
+          mode = "0755";
+        };
+      "openvpn/update-resolv-conf" =
+        { source = ../../scripts/server1/update-resolv-conf;
+          mode = "0755";
+        };
+      "openvpn/routing.sh" =
+        { source = ../../scripts/server1/routing.sh;
+          mode = "0755";
+        };
+      "openvpn/ca.rsa.2048.crt" =
+        { source = ../../secrets/certs/ca.rsa.2048.crt;
+          mode = "0644";
+        };
+      "openvpn/crl.rsa.2048.pem" =
+        { source = ../../secrets/certs/crl.rsa.2048.pem;
+          mode = "0644";
+        };
+    };
+    shellAliases = {
+      nswitch = "cd ~/.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
+    };
+  };
 
-      services.xserver = {
-        layout = "us";
-        xkbVariant = "altgr-intl";
+  systemd = {
+    timers."restart-bridges" = {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnBootSec = "1d";
+        OnUnitActiveSec = "1d";
+        Unit = "restart-bridges.service";
       };
-
-      nix.settings.experimental-features = ["nix-command" "flakes"];
-
-      services.openssh = {
-        enable = true;
-        settings.PermitRootLogin = "yes";
-        listenAddresses = [{
-          port = 22;
-          addr = "0.0.0.0";
-        }];
-      };
-      users.users.root.openssh.authorizedKeys.keyFiles = [
-        ../../secrets/keys/authorized_keys
-      ];
-
-      system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
-
-      environment.shellAliases = {
-        nswitch = "cd ~/.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
-      };
-
-boot.supportedFilesystems = [ "zfs" ];
-boot.zfs.forceImportRoot = false;
-networking.hostId = "8a8ad84a";
-
-      networking.hostName = "sandbox"; # Define your hostname.
-      networking.enableIPv6 = true;
-      networking.firewall.enable = false;
-
-      documentation = {
-        enable = false;
-      };
-
-    sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
-    sops.defaultSopsFile = "/root/.dotfiles/secrets/sandbox/secrets.yaml";
-    sops.validateSopsFiles = false;
-    sops.secrets.dnstokenfull = {owner="acme";};
-    sops.templates."certs.secret".content = ''
-    CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
-    '';
-
-    security.acme = {
-      acceptTerms = true;
-      preliminarySelfsigned = false;
-      defaults.email = "mrswarsel@gmail.com";
-      defaults.dnsProvider = "cloudflare";
-      defaults.environmentFile = "${config.sops.templates."certs.secret".path}";
     };
 
-    services.nginx = {
+    services."restart-bridges" = {
+      script = ''
+                systemctl restart mautrix-whatsapp.service
+                systemctl restart mautrix-signal.service
+                systemctl restart mautrix-telegram.service
+                '';
+      serviceConfig = {
+        Type = "oneshot";
+        User = "root";
+      };
+    };
+  };
+  nix.settings.experimental-features = ["nix-command" "flakes"];
+
+  system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
+
+  documentation = {
+    enable = false;
+  };
+
+  sops = {
+    age.sshKeyPaths = [ "/etc/ssh/sops" ];
+    defaultSopsFile = "/root/.dotfiles/secrets/sandbox/secrets.yaml";
+    validateSopsFiles = false;
+    secrets = {
+      dnstokenfull = {owner="acme";};
+      kavita = { owner = "kavita";};
+      vpnuser = {};
+      rpcuser = {owner="vpn";};
+      vpnpass = {};
+      rpcpass = {owner="vpn";};
+      vpnprot = {};
+      vpnloc = {};
+      mpdpass = { owner = "mpd";};
+    };
+    templates = {
+      "transmission-rpc" = {
+        owner = "vpn";
+        content = builtins.toJSON {
+          rpc-username = config.sops.placeholder.rpcuser;
+          rpc-password = config.sops.placeholder.rpcpass;
+        };
+      };
+
+      pia.content = ''
+                          ${config.sops.placeholder.vpnuser}
+                          ${config.sops.placeholder.vpnpass}
+                          '';
+
+      vpn.content = ''
+                            client
+                            dev tun
+                            proto ${config.sops.placeholder.vpnprot}
+                            remote ${config.sops.placeholder.vpnloc}
+                            resolv-retry infinite
+                            nobind
+                            persist-key
+                            persist-tun
+                            cipher aes-128-cbc
+                            auth sha1
+                            tls-client
+                            remote-cert-tls server
+
+                            auth-user-pass ${config.sops.templates.pia.path}
+                            compress
+                            verb 1
+                            reneg-sec 0
+
+                            crl-verify /etc/openvpn/crl.rsa.2048.pem
+                            ca /etc/openvpn/ca.rsa.2048.crt
+
+                            disable-occ
+                          '';
+      "certs.secret".content = ''
+              CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
+              '';
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    preliminarySelfsigned = false;
+    defaults.email = "mrswarsel@gmail.com";
+    defaults.dnsProvider = "cloudflare";
+    defaults.environmentFile = "${config.sops.templates."certs.secret".path}";
+  };
+
+  services = {
+    xserver = {
+      layout = "us";
+      xkbVariant = "altgr-intl";
+    };
+
+    openssh = {
+      enable = true;
+      settings.PermitRootLogin = "yes";
+      listenAddresses = [{
+        port = 22;
+        addr = "0.0.0.0";
+      }];
+    };
+
+    nginx = {
       enable = true;
       recommendedProxySettings = true;
       recommendedTlsSettings = true;
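Review bot: `settings.PermitRootLogin = "yes";` in the `openssh` block, with `listenAddresses` on `0.0.0.0`, leaves password login for root open even though root is only meant to log in with the `openssh.authorizedKeys.keyFiles` configured in the previous hunk; `settings.PermitRootLogin = "prohibit-password";` keeps the key-based root access this config relies on and closes the password path, and if passwords are meant to be off for every account, `settings.PasswordAuthentication = false;` next to it makes that explicit. The move of the `restart-bridges` timer and service also dropped the comment that explained why they exist; I would restore it above `timers."restart-bridges"`: `# restart the bridges daily. this is done for the signal bridge mainly which stops carrying messages out after a while.`. Note too that the script restarts `mautrix-whatsapp`, `mautrix-signal` and `mautrix-telegram`, all three of which are set to `enable = false` further down in this file, so the daily oneshot will presumably fail on a missing unit — worth gating on the bridges being enabled, or dropping until they are.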
@@ -1754,12 +1924,9 @@ networking.hostId = "8a8ad84a";
             "/" = {
               proxyPass = "https://192.168.1.5";
               extraConfig = ''
-              client_max_body_size 0;
-              '';
+                        client_max_body_size 0;
+                        '';
             };
-            # "/push/" = {
-              # proxyPass = "http://192.168.2.5:7867";
-            # };
             "/.well-known/carddav" = {
               return = "301 $scheme://$host/remote.php/dav";
             };
@@ -1777,325 +1944,186 @@ networking.hostId = "8a8ad84a";
             "~ ^(/_matrix|/_synapse/client)" = {
               proxyPass = "http://127.0.0.1:8008";
               extraConfig = ''
-                  client_max_body_size 0;
-                '';
+                            client_max_body_size 0;
+                          '';
             };
           };
         };
 
 
-          "sound.swarsel.win" = {
-            enableACME = true;
-            forceSSL = true;
-            acmeRoot = null;
-            locations = {
-              "/" = {
-                proxyPass = "http://127.0.0.1:4040";
-                proxyWebsockets = true;
-                extraConfig = ''
-                  proxy_redirect          http:// https://;
-                  proxy_read_timeout      600s;
-                  proxy_send_timeout      600s;
-                  proxy_buffering         off;
-                  proxy_request_buffering off;
-                  client_max_body_size    0;
-                '';
-              };
+        "sound.swarsel.win" = {
+          enableACME = true;
+          forceSSL = true;
+          acmeRoot = null;
+          locations = {
+            "/" = {
+              proxyPass = "http://127.0.0.1:4040";
+              proxyWebsockets = true;
+              extraConfig = ''
+                            proxy_redirect          http:// https://;
+                            proxy_read_timeout      600s;
+                            proxy_send_timeout      600s;
+                            proxy_buffering         off;
+                            proxy_request_buffering off;
+                            client_max_body_size    0;
+                          '';
             };
           };
+        };
 
-          "scan.swarsel.win" = {
-            enableACME = true;
-            forceSSL = true;
-            acmeRoot = null;
-            locations = {
-              "/" = {
-                proxyPass = "http://127.0.0.1:28981";
-                extraConfig = ''
-                  client_max_body_size 0;
-                '';
-              };
+        "scan.swarsel.win" = {
+          enableACME = true;
+          forceSSL = true;
+          acmeRoot = null;
+          locations = {
+            "/" = {
+              proxyPass = "http://127.0.0.1:28981";
+              extraConfig = ''
+                            client_max_body_size 0;
+                          '';
             };
           };
+        };
 
-          "screen.swarsel.win" = {
-            enableACME = true;
-            forceSSL = true;
-            acmeRoot = null;
-            locations = {
-              "/" = {
-                proxyPass = "http://127.0.0.1:8096";
-                extraConfig = ''
-                  client_max_body_size 0;
-                '';
-              };
+        "screen.swarsel.win" = {
+          enableACME = true;
+          forceSSL = true;
+          acmeRoot = null;
+          locations = {
+            "/" = {
+              proxyPass = "http://127.0.0.1:8096";
+              extraConfig = ''
+                            client_max_body_size 0;
+                          '';
             };
           };
+        };
 
-          "scroll.swarsel.win" = {
-            enableACME = true;
-            forceSSL = true;
-            acmeRoot = null;
-            locations = {
-              "/" = {
-                proxyPass = "http://127.0.0.1:8080";
-                extraConfig = ''
-                  client_max_body_size 0;
-                '';
-              };
+        "scroll.swarsel.win" = {
+          enableACME = true;
+          forceSSL = true;
+          acmeRoot = null;
+          locations = {
+            "/" = {
+              proxyPass = "http://127.0.0.1:8080";
+              extraConfig = ''
+                            client_max_body_size 0;
+                          '';
             };
           };
-
-
         };
       };
+    };
 
-
-    sops.secrets.kavita = { owner = "kavita";};
-
-    services.kavita = {
+    kavita = {
       enable = true;
       user = "kavita";
       port = 8080;
       tokenKeyFile = config.sops.secrets.kavita.path;
     };
 
-    users.users.jellyfin = {
-      extraGroups  = [ "video" "render" ];
-    };
-
-     # nixpkgs.config.packageOverrides = pkgs: {
-     #   vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
-     # };
-
-     hardware.graphics = {
-       enable = true;
-       extraPackages = with pkgs; [
-         intel-media-driver # LIBVA_DRIVER_NAME=iHD
-         vaapiIntel         # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
-         vaapiVdpau
-         libvdpau-va-gl
-       ];
-     };
-
-    services.jellyfin = {
+    jellyfin = {
       enable = true;
       user = "jellyfin";
-      # openFirewall = true; # this works only for the default ports
     };
 
-                users.groups.vpn = {};
-
-                users.users.vpn = {
-                  isNormalUser = true;
-                  group = "vpn";
-                  home = "/home/vpn";
-                };
-
-                boot.kernelModules = [ "tun" ];
-
-                services.radarr = {
-                  enable = true;
-                };
-
-                services.readarr = {
-                  enable = true;
-                };
-                services.sonarr = {
-                  enable = true;
-                };
-                services.lidarr = {
-                  enable = true;
-                };
-                services.prowlarr = {
-                  enable = true;
-                };
-
-                networking.firewall.extraCommands = ''
-                sudo iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP
-                '';
-                networking.iproute2 = {
-                  enable = true;
-                  rttablesExtraConfig = ''
-                  200     vpn
-                  '';
-                };
-                boot.kernel.sysctl = {
-                  "net.ipv4.conf.all.rp_filter" = 2;
-                  "net.ipv4.conf.default.rp_filter" = 2;
-                  "net.ipv4.conf.enp7s0.rp_filter" = 2;
-                };
-                environment.etc = {
-                  "openvpn/iptables.sh" =
-                    { source = ../../scripts/server1/iptables.sh;
-                      mode = "0755";
-                    };
-                  "openvpn/update-resolv-conf" =
-                    { source = ../../scripts/server1/update-resolv-conf;
-                      mode = "0755";
-                    };
-                  "openvpn/routing.sh" =
-                    { source = ../../scripts/server1/routing.sh;
-                      mode = "0755";
-                    };
-                  "openvpn/ca.rsa.2048.crt" =
-                    { source = ../../secrets/certs/ca.rsa.2048.crt;
-                      mode = "0644";
-                    };
-                  "openvpn/crl.rsa.2048.pem" =
-                    { source = ../../secrets/certs/crl.rsa.2048.pem;
-                      mode = "0644";
-                    };
-                };
-
-                sops.secrets.vpnuser = {};
-                sops.secrets.rpcuser = {owner="vpn";};
-                sops.secrets.vpnpass = {};
-                sops.secrets.rpcpass = {owner="vpn";};
-                sops.secrets.vpnprot = {};
-                sops.secrets.vpnloc = {};
-                # sops.secrets.crlpem = {};
-                # sops.secrets.capem = {};
-                sops.templates."transmission-rpc".owner = "vpn";
-                sops.templates."transmission-rpc".content = builtins.toJSON {
-                  rpc-username = config.sops.placeholder.rpcuser;
-                  rpc-password = config.sops.placeholder.rpcpass;
-                };
-
-                sops.templates.pia.content = ''
-                ${config.sops.placeholder.vpnuser}
-                ${config.sops.placeholder.vpnpass}
-                '';
-
-                sops.templates.vpn.content = ''
-                  client
-                  dev tun
-                  proto ${config.sops.placeholder.vpnprot}
-                  remote ${config.sops.placeholder.vpnloc}
-                  resolv-retry infinite
-                  nobind
-                  persist-key
-                  persist-tun
-                  cipher aes-128-cbc
-                  auth sha1
-                  tls-client
-                  remote-cert-tls server
-
-                  auth-user-pass ${config.sops.templates.pia.path}
-                  compress
-                  verb 1
-                  reneg-sec 0
-
-                  crl-verify /etc/openvpn/crl.rsa.2048.pem
-                  ca /etc/openvpn/ca.rsa.2048.crt
-
-                  disable-occ
-                '';
-
-            services.openvpn.servers = {
-              pia = {
-                autoStart = true;
-                updateResolvConf = false;
-                config = "config ${config.sops.templates.vpn.path}";
-              };
-            };
-
-          services.transmission = {
-            enable = true;
-            credentialsFile = config.sops.templates."transmission-rpc".path;
-            user = "vpn";
-            settings = {
-
-            alt-speed-down= 8000;
-            alt-speed-enabled= false;
-            alt-speed-time-begin= 0;
-            alt-speed-time-day= 127;
-            alt-speed-time-enabled= true;
-            alt-speed-time-end= 360;
-            alt-speed-up= 2000;
-            bind-address-ipv4= "0.0.0.0";
-            bind-address-ipv6= "::";
-            blocklist-enabled= false;
-            blocklist-url= "http://www.example.com/blocklist";
-            cache-size-mb= 256;
-            dht-enabled= false;
-            download-dir= "/test";
-            download-limit= 100;
-            download-limit-enabled= 0;
-            download-queue-enabled= true;
-            download-queue-size= 5;
-            encryption= 2;
-            idle-seeding-limit= 30;
-            idle-seeding-limit-enabled= false;
-            incomplete-dir= "/var/lib/transmission-daemon/Downloads";
-            incomplete-dir-enabled= false;
-            lpd-enabled= false;
-            max-peers-global= 200;
-            message-level= 1;
-            peer-congestion-algorithm= "";
-            peer-id-ttl-hours= 6;
-            peer-limit-global= 100;
-            peer-limit-per-torrent= 40;
-            peer-port= 22371;
-            peer-port-random-high= 65535;
-            peer-port-random-low= 49152;
-            peer-port-random-on-start= false;
-            peer-socket-tos= "default";
-            pex-enabled= false;
-            port-forwarding-enabled= false;
-            preallocation= 1;
-            prefetch-enabled= true;
-            queue-stalled-enabled= true;
-            queue-stalled-minutes= 30;
-            ratio-limit= 2;
-            ratio-limit-enabled= false;
-            rename-partial-files= true;
-            rpc-authentication-required= true;
-            rpc-bind-address= "0.0.0.0";
-            rpc-enabled= true;
-            rpc-host-whitelist= "";
-            rpc-host-whitelist-enabled= true;
-            rpc-port= 9091;
-            rpc-url= "/transmission/";
-            rpc-whitelist= "127.0.0.1,192.168.3.2";
-            rpc-whitelist-enabled= true;
-            scrape-paused-torrents-enabled= true;
-            script-torrent-done-enabled= false;
-            seed-queue-enabled= false;
-            seed-queue-size= 10;
-            speed-limit-down= 6000;
-            speed-limit-down-enabled= true;
-            speed-limit-up= 500;
-            speed-limit-up-enabled= true;
-            start-added-torrents= true;
-            trash-original-torrent-files= false;
-            umask= 2;
-            upload-limit= 100;
-            upload-limit-enabled= 0;
-            upload-slots-per-torrent= 14;
-            utp-enabled= false;
-            };
-          };
-
-        # services.nginx = {
-        #       enable = true;
-        #       virtualHosts = {
-
-        #         "192.168.1.192" = {
-        #           locations = {
-        #             "/transmission" = {
-        #               proxyPass = "http://127.0.0.1:9091";
-        #               extraConfig = ''
-        #               proxy_set_header Host $host;
-        #               proxy_set_header X-Real-IP $remote_addr;
-        #               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        #               '';
-        #             };
-        #           };
-        #         };
-        #       };
-        # };
-
+    radarr = {
+      enable = true;
+    };
+    readarr = {
+      enable = true;
+    };
+    sonarr = {
+      enable = true;
+    };
+    lidarr = {
+      enable = true;
+    };
+    prowlarr = {
+      enable = true;
+    };
+    openvpn.servers = {
+      pia = {
+        autoStart = true;
+        updateResolvConf = false;
+        config = "config ${config.sops.templates.vpn.path}";
+      };
+    };
+    transmission = {
+      enable = true;
+      credentialsFile = config.sops.templates."transmission-rpc".path;
+      user = "vpn";
+      settings = {
+        alt-speed-down= 8000;
+        alt-speed-enabled= false;
+        alt-speed-time-begin= 0;
+        alt-speed-time-day= 127;
+        alt-speed-time-enabled= true;
+        alt-speed-time-end= 360;
+        alt-speed-up= 2000;
+        bind-address-ipv4= "0.0.0.0";
+        bind-address-ipv6= "::";
+        blocklist-enabled= false;
+        blocklist-url= "http://www.example.com/blocklist";
+        cache-size-mb= 256;
+        dht-enabled= false;
+        download-dir= "/test";
+        download-limit= 100;
+        download-limit-enabled= 0;
+        download-queue-enabled= true;
+        download-queue-size= 5;
+        encryption= 2;
+        idle-seeding-limit= 30;
+        idle-seeding-limit-enabled= false;
+        incomplete-dir= "/var/lib/transmission-daemon/Downloads";
+        incomplete-dir-enabled= false;
+        lpd-enabled= false;
+        max-peers-global= 200;
+        message-level= 1;
+        peer-congestion-algorithm= "";
+        peer-id-ttl-hours= 6;
+        peer-limit-global= 100;
+        peer-limit-per-torrent= 40;
+        peer-port= 22371;
+        peer-port-random-high= 65535;
+        peer-port-random-low= 49152;
+        peer-port-random-on-start= false;
+        peer-socket-tos= "default";
+        pex-enabled= false;
+        port-forwarding-enabled= false;
+        preallocation= 1;
+        prefetch-enabled= true;
+        queue-stalled-enabled= true;
+        queue-stalled-minutes= 30;
+        ratio-limit= 2;
+        ratio-limit-enabled= false;
+        rename-partial-files= true;
+        rpc-authentication-required= true;
+        rpc-bind-address= "0.0.0.0";
+        rpc-enabled= true;
+        rpc-host-whitelist= "";
+        rpc-host-whitelist-enabled= true;
+        rpc-port= 9091;
+        rpc-url= "/transmission/";
+        rpc-whitelist= "127.0.0.1,192.168.3.2";
+        rpc-whitelist-enabled= true;
+        scrape-paused-torrents-enabled= true;
+        script-torrent-done-enabled= false;
+        seed-queue-enabled= false;
+        seed-queue-size= 10;
+        speed-limit-down= 6000;
+        speed-limit-down-enabled= true;
+        speed-limit-up= 500;
+        speed-limit-up-enabled= true;
+        start-added-torrents= true;
+        trash-original-torrent-files= false;
+        umask= 2;
+        upload-limit= 100;
+        upload-limit-enabled= 0;
+        upload-slots-per-torrent= 14;
+        utp-enabled= false;
+      };
+    };
 
     # sops.secrets.matrixsharedsecret = {owner="matrix-synapse";};
     # sops.templates."matrix_user_register.sh".content = ''
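Review bot: In the `transmission` block, `rpc-bind-address= "0.0.0.0";` together with `rpc-whitelist= "127.0.0.1,192.168.3.2";` exposes the RPC endpoint on every interface as plain HTTP on port 9091 (the firewall is disabled earlier in this file), so the credentials from the `transmission-rpc` template travel unencrypted to the LAN client on each request. The `nginx` virtual hosts in this same hunk already terminate TLS, so binding RPC to `127.0.0.1` and proxying it behind one of them — the commented-out nginx `/transmission` block this hunk deletes apparently pointed that way — keeps the credentials on the host. `download-dir= "/test";` and the `blocklist-url` pointing at `www.example.com` (with `blocklist-enabled= false;`) read like leftover placeholders; if they are intentional, a short comment saying so would help. The `services = {` attribute set opened at the top of this hunk continues past it.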
@@ -2127,31 +2155,32 @@ networking.hostId = "8a8ad84a";
     # MAUTRIX_WHATSAPP_BRIDGE_LOGIN_SHARED_SECRET=${config.sops.placeholder.mautrixwhatsapp_shared}
     # '';
 
-    services.postgresql.enable = true;
-    services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
-      CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
-      CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
-        TEMPLATE template0
-        LC_COLLATE = "C"
-        LC_CTYPE = "C";
-      CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram';
-      CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram"
-        TEMPLATE template0
-        LC_COLLATE = "C"
-        LC_CTYPE = "C";
-      CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';
-      CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp"
-        TEMPLATE template0
-        LC_COLLATE = "C"
-        LC_CTYPE = "C";
-      CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal';
-      CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal"
-        TEMPLATE template0
-        LC_COLLATE = "C"
-        LC_CTYPE = "C";
-    '';
-
-    services.matrix-synapse = {
+    postgresql = {
+      enable = true;
+      initialScript = pkgs.writeText "synapse-init.sql" ''
+                CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+                CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+                  TEMPLATE template0
+                  LC_COLLATE = "C"
+                  LC_CTYPE = "C";
+                CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram';
+                CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram"
+                  TEMPLATE template0
+                  LC_COLLATE = "C"
+                  LC_CTYPE = "C";
+                CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';
+                CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp"
+                  TEMPLATE template0
+                  LC_COLLATE = "C"
+                  LC_CTYPE = "C";
+                CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal';
+                CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal"
+                  TEMPLATE template0
+                  LC_COLLATE = "C"
+                  LC_CTYPE = "C";
+              '';
+    };
+    matrix-synapse = {
       settings.app_service_config_files = [
         "/var/lib/matrix-synapse/telegram-registration.yaml"
         "/var/lib/matrix-synapse/whatsapp-registration.yaml"
@@ -2180,7 +2209,7 @@ networking.hostId = "8a8ad84a";
       ];
     };
 
-    services.mautrix-telegram = {
+    mautrix-telegram = {
       enable = false;
       environmentFile = config.sops.templates.mautrixtelegram.path;
       settings = {
@@ -2202,7 +2231,7 @@ networking.hostId = "8a8ad84a";
         };
         bridge = {
           # login_shared_secret_map = {
-            # matrixDomain = "as_token:doublepuppet";
+          # matrixDomain = "as_token:doublepuppet";
           # };
           relaybot.authless_portals = true;
           allow_avatar_remove = true;
@@ -2216,12 +2245,6 @@ networking.hostId = "8a8ad84a";
             "*" = "relaybot";
             "@swarsel:${matrixDomain}" = "admin";
           };
-          # Animated stickers conversion requires additional packages in the
-          # service's path.
-          # If this isn't a fresh installation, clearing the bridge's uploaded
-          # file cache might be necessary (make a database backup first!):
-          # delete from telegram_file where \
-          #   mime_type in ('application/gzip', 'application/octet-stream')
           animated_sticker = {
             target = "gif";
             args = {
@@ -2234,12 +2257,8 @@ networking.hostId = "8a8ad84a";
         };
       };
     };
-    # systemd.services.mautrix-telegram.path = with pkgs; [
-      # lottieconverter  # for animated stickers conversion, unfree package
-      # ffmpeg           # if converting animated stickers to webm (very slow!)
-    # ];
 
-    services.mautrix-whatsapp = {
+    mautrix-whatsapp = {
       enable = false;
       # environmentFile = config.sops.templates.mautrixwhatsapp.path;
       settings = {
@@ -2286,9 +2305,8 @@ networking.hostId = "8a8ad84a";
       };
     };
 
-    services.mautrix-signal = {
+    mautrix-signal = {
       enable = false;
-      # environmentFile = config.sops.templates.mautrixwhatsapp.path;
       settings = {
         homeserver = {
           address = "http://localhost:8008";
@@ -2318,59 +2336,7 @@ networking.hostId = "8a8ad84a";
       };
     };
 
-    # restart the bridges daily. this is done for the signal bridge mainly which stops carrying
-    # messages out after a while.
-
-    systemd.timers."restart-bridges" = {
-      wantedBy = [ "timers.target" ];
-      timerConfig = {
-        OnBootSec = "1d";
-        OnUnitActiveSec = "1d";
-        Unit = "restart-bridges.service";
-      };
-    };
-
-    systemd.services."restart-bridges" = {
-      script = ''
-      systemctl restart mautrix-whatsapp.service
-      systemctl restart mautrix-signal.service
-      systemctl restart mautrix-telegram.service
-      '';
-      serviceConfig = {
-        Type = "oneshot";
-        User = "root";
-      };
-    };
-
-
-    users.groups.navidrome = {
-      gid = 61593;
-    };
-
-    users.groups.mpd = {};
-
-    users.users.navidrome = {
-      isSystemUser = true;
-      uid = 61593;
-      group = "navidrome";
-      extraGroups  = [ "audio" "utmp" ];
-    };
-
-    users.users.mpd = {
-      isSystemUser = true;
-      group = "mpd";
-      extraGroups  = [ "audio" "utmp" ];
-    };
-
-    sound = {
-      enable = true;
-    };
-
-    hardware.enableAllFirmware = true;
-
-    sops.secrets.mpdpass = { owner = "mpd";};
-
-    services.navidrome = {
+    navidrome = {
       enable = true;
       settings = {
         Address = "0.0.0.0";
@@ -2389,7 +2355,7 @@ networking.hostId = "8a8ad84a";
         UIWelcomeMessage = "~SwarselSound~";
       };
     };
-    services.mpd = {
+    mpd = {
       enable = true;
       musicDirectory = "/mnt/Eternor/Musik";
       user = "mpd";
@@ -2412,18 +2378,7 @@ networking.hostId = "8a8ad84a";
     };
 
 
-    users.groups.spotifyd = {
-      gid = 65136;
-    };
-
-    users.users.spotifyd = {
-      isSystemUser = true;
-      uid = 65136;
-      group = "spotifyd";
-      extraGroups  = [ "audio" "utmp" ];
-    };
-
-    services.spotifyd = {
+    spotifyd = {
       enable = true;
       settings = {
         global = {
@@ -2437,65 +2392,56 @@ networking.hostId = "8a8ad84a";
       };
     };
 
-      # Network shares
-      # add a user with sudo smbpasswd -a <user>
-      services.samba = {
-        package = pkgs.samba4Full;
-        extraConfig = ''
-        workgroup = WORKGROUP
-        server role = standalone server
-        dns proxy = no
+    # Network shares
+    # add a user with sudo smbpasswd -a <user>
+    samba = {
+      package = pkgs.samba4Full;
+      extraConfig = ''
+                  workgroup = WORKGROUP
+                  server role = standalone server
+                  dns proxy = no
 
-        pam password change = yes
-        map to guest = bad user
-        create mask = 0664
-        force create mode = 0664
-        directory mask = 0775
-        force directory mode = 0775
-        follow symlinks = yes
-        '';
+                  pam password change = yes
+                  map to guest = bad user
+                  create mask = 0664
+                  force create mode = 0664
+                  directory mask = 0775
+                  force directory mode = 0775
+                  follow symlinks = yes
+                  '';
 
-        # ^^ `samba4Full` is compiled with avahi, ldap, AD etc support compared to the default package, `samba`
-        # Required for samba to register mDNS records for auto discovery
-        # See https://github.com/NixOS/nixpkgs/blob/592047fc9e4f7b74a4dc85d1b9f5243dfe4899e3/pkgs/top-level/all-packages.nix#L27268
-        enable = true;
-        # openFirewall = true;
-        shares.test = {
-          browseable = "yes";
-          "read only" = "no";
-          "guest ok" = "no";
-          path = "/test2";
-          writable = "true";
-          comment = "Eternor";
-          "valid users" = "@smbtest2";
-        };
+      # ^^ `samba4Full` is compiled with avahi, ldap, AD etc support compared to the default package, `samba`
+      # Required for samba to register mDNS records for auto discovery
+      # See https://github.com/NixOS/nixpkgs/blob/592047fc9e4f7b74a4dc85d1b9f5243dfe4899e3/pkgs/top-level/all-packages.nix#L27268
+      enable = true;
+      # openFirewall = true;
+      shares.test = {
+        browseable = "yes";
+        "read only" = "no";
+        "guest ok" = "no";
+        path = "/test2";
+        writable = "true";
+        comment = "Eternor";
+        "valid users" = "@smbtest2";
       };
+    };
 
 
-      services.avahi = {
-        publish.enable = true;
-        publish.userServices = true;
-        # ^^ Needed to allow samba to automatically register mDNS records without the need for an `extraServiceFile`
-        nssmdns = true;
-        # ^^ Not one hundred percent sure if this is needed- if it aint broke, don't fix it
-  enable = true;
-      };
+    avahi = {
+      publish.enable = true;
+      publish.userServices = true;
+      # ^^ Needed to allow samba to automatically register mDNS records without the need for an `extraServiceFile`
+      nssmdns = true;
+      # ^^ Not one hundred percent sure if this is needed- if it aint broke, don't fix it
+      enable = true;
+    };
 
-      services.samba-wsdd = {
+    samba-wsdd = {
       # This enables autodiscovery on windows since SMB1 (and thus netbios) support was discontinued
-        enable = true;
-      };
-
-
-
-
-
-
-
-
-
-
-    }
+      enable = true;
+    };
+  };
+}
 
 
@@ -5020,7 +4966,6 @@ in { imports = [ ./hardware-configuration.nix - # (unstable + "/nixos/modules/services/matrix/mautrix-signal.nix") # no longer needed; mautrix-signal was added to nixpkgs ]; environment.systemPackages = with pkgs; [
@@ -6363,7 +6308,7 @@ Programming languages and default lsp's are defined here:
-{ config, pkgs, lib, fetchFromGitHub , ... }:
+{ config, pkgs, fetchFromGitHub , ... }:
 
 {
   home.packages = with pkgs; [
@@ -9387,6 +9332,39 @@ The standard Emacs behaviour for the Python process shell is a bit annoying. Thi
   (python-shell-send-region (region-beginning) (region-end))
   (python-shell-switch-to-shell))
 
+
+
+
+ +
  • Nix common prefix bracketer
    +
    +

    +This function searches for common delimiters in region and removes them, summarizing all captured lines by it. +

    + +
    +
    +(defun swarsel/prefix-block (start end)
    +  (interactive "r")
    +  (save-excursion
    +    (goto-char start)
    +    (setq start (line-beginning-position))
    +    (goto-char end)
    +    (setq end (line-end-position))
    +    (let ((common-prefix (save-excursion
    +                           (goto-char start)
    +                           (if (re-search-forward "^\\([^.\n]+\\)\\." end t)
    +                               (match-string 1)
    +                             (error "No common prefix found")))))
    +      (save-excursion
    +        (goto-char start)
    +        (insert common-prefix " = {\n")
    +        (goto-char (+ end (length common-prefix) 6))
    +        (insert "};\n")
    +        (goto-char start)
    +        (while (re-search-forward (concat "^" (regexp-quote common-prefix) "\\.") end t)
    +          (replace-match ""))))))
    +
     
   @@ -9753,6 +9731,10 @@ Lastly, I load the highlight-indent-guides package. This adds a nea (set-face-attribute 'highlight-indent-guides-odd-face nil :background "gray20") (set-face-attribute 'highlight-indent-guides-stack-even-face nil :background "gray40") (set-face-attribute 'highlight-indent-guides-stack-odd-face nil :background "gray50")) + +(use-package aggressive-indent) +(global-aggressive-indent-mode 1) +
   @@ -12925,7 +12907,7 @@ My laptop, sadly soon to be replaced by a new one, since most basic functions ar

    Author: Leon Schwarzäugl

    -

    Created: 2024-07-18 Do 23:36

    +

    Created: 2024-07-19 Fr 00:29

    Validate

   diff --git a/profiles/TEMPLATE/nixos.nix b/profiles/TEMPLATE/nixos.nix
   index e5ee86f..2d1c7f4 100644
   --- a/profiles/TEMPLATE/nixos.nix
   +++ b/profiles/TEMPLATE/nixos.nix
   @@ -15,17 +15,23 @@ }; # Bootloader - boot.loader.grub.enable = true; - boot.loader.grub.device = "/dev/sda"; # TEMPLATE - if only one disk, this will work - boot.loader.grub.useOSProber = true; + boot.loader.grub = { + enable = true; + device = "/dev/sda"; # TEMPLATE - if only one disk, this will work + useOSProber = true; + }; # -------------------------------------- # you might need a configuration like this instead: # Bootloader - # boot.loader.grub.enable = true; - # boot.loader.grub.devices = ["nodev" ]; - # boot.loader.grub.useOSProber = true; - # boot.kernelPackages = pkgs.linuxPackages_latest; + # boot = { + # kernelPackages = pkgs.linuxPackages_latest; + # loader.grub = { + # enable = true; + # devices = ["nodev" ]; + # useOSProber = true; + # }; + # }; # -------------------------------------- networking.hostName = "TEMPLATE"; # Define your hostname.
   diff --git a/profiles/common/home.nix b/profiles/common/home.nix
   index 7a83c0b..03c2cd3 100644
   --- a/profiles/common/home.nix
   +++ b/profiles/common/home.nix
   @@ -1,4 +1,4 @@ -{ config, pkgs, lib, fetchFromGitHub , ... }: +{ config, pkgs, fetchFromGitHub , ... }: { home.packages = with pkgs; [
   diff --git a/profiles/remote/oracle/matrix/nixos.nix b/profiles/remote/oracle/matrix/nixos.nix
   index 19cdbfb..a2d7cdf 100644
   --- a/profiles/remote/oracle/matrix/nixos.nix
   +++ b/profiles/remote/oracle/matrix/nixos.nix
   @@ -4,7 +4,6 @@ in { imports = [ ./hardware-configuration.nix - # (unstable + "/nixos/modules/services/matrix/mautrix-signal.nix") # no longer needed; mautrix-signal was added to nixpkgs ]; environment.systemPackages = with pkgs; [
   diff --git a/profiles/sandbox/nixos.nix b/profiles/sandbox/nixos.nix
   index cf6268b..d88489f 100644
   --- a/profiles/sandbox/nixos.nix
   +++ b/profiles/sandbox/nixos.nix
@@ -1,39 +1,118 @@ -{ config, pkgs, unstable, sops, ... }: let - matrixDomain = "swatrix.swarsel.win"; - in { +{ config, pkgs, sops, ... }: let + matrixDomain = "swatrix.swarsel.win"; +in { - imports = [ - ./hardware-configuration.nix - # we import here a service that is not available yet on normal nixpkgs - # this module is hence not in the modules list, we add it ourselves - (unstable + "/nixos/modules/services/matrix/mautrix-signal.nix") + imports = [ + ./hardware-configuration.nix + ]; + + boot.loader.grub = { + enable = true; + device = "/dev/sda"; + useOSProber = true; + supportedFilesystems = [ "zfs" ]; + zfs.forceImportRoot = false; + kernelModules = [ "tun" ]; + kernel.sysctl = { + "net.ipv4.conf.all.rp_filter" = 2; + "net.ipv4.conf.default.rp_filter" = 2; + "net.ipv4.conf.enp7s0.rp_filter" = 2; + }; + }; + + networking = { + hostId = "8a8ad84a"; + hostName = "sandbox"; # Define your hostname. + enableIPv6 = true; + firewall.enable = false; + firewall.extraCommands = '' + sudo iptables -A OUTPUT ! 
-o lo -m owner --uid-owner vpn -j DROP + ''; + iproute2 = { + enable = true; + rttablesExtraConfig = '' + 200 vpn + ''; + }; + }; + + hardware.graphics = { + enable = true; + hardware.enableAllFirmware = true; + extraPackages = with pkgs; [ + intel-media-driver # LIBVA_DRIVER_NAME=iHD + vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium) + vaapiVdpau + libvdpau-va-gl ]; + }; - boot.loader.grub = { - enable = true; - device = "/dev/sda"; - useOSProber = true; + sound = { + enable = true; + }; + + users = { + groups = { + vpn = {}; + mpd = {}; + navidrome = { + gid = 61593; }; - - users.users.swarsel = { + spotifyd = { + gid = 65136; + }; + }; + users = { + jellyfin = { + extraGroups = [ "video" "render" ]; + }; + vpn = { + isNormalUser = true; + group = "vpn"; + home = "/home/vpn"; + }; + navidrome = { + isSystemUser = true; + uid = 61593; + group = "navidrome"; + extraGroups = [ "audio" "utmp" ]; + }; + spotifyd = { + isSystemUser = true; + uid = 65136; + group = "spotifyd"; + extraGroups = [ "audio" "utmp" ]; + }; + mpd = { + isSystemUser = true; + group = "mpd"; + extraGroups = [ "audio" "utmp" ]; + }; + swarsel = { isNormalUser = true; description = "Leon S"; extraGroups = [ "networkmanager" "wheel" "lp"]; packages = with pkgs; []; }; - - # actual config starts here - - fileSystems."/mnt/Eternor" = { - device = "//192.168.1.3/Eternor"; - fsType = "cifs"; - options = let - # this line prevents hanging on network split - automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s"; - in ["${automount_opts},credentials=/etc/nixos/smb-secrets,uid=1000,gid=100"]; + root = { + openssh.authorizedKeys.keyFiles = [ + ../../secrets/keys/authorized_keys + ]; + }; }; + }; - environment.systemPackages = with pkgs; [ + fileSystems."/mnt/Eternor" = { + device = "//192.168.1.3/Eternor"; + fsType = "cifs"; + options = let + # this line prevents hanging on network split + 
automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s"; + in ["${automount_opts},credentials=/etc/nixos/smb-secrets,uid=1000,gid=100"]; + }; + + environment = { + systemPackages = with pkgs; [ git gnupg ssh-to-age 
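Review bot: On the new side `boot.loader.grub = { … }` now also holds `supportedFilesystems`, `zfs.forceImportRoot`, `kernelModules` and `kernel.sysctl`, and `hardware.graphics = { … }` holds `hardware.enableAllFirmware`; those are `boot.*` and `hardware.*` options, not grub or graphics ones, so evaluation should fail with "option … does not exist", and had it not, zfs root support, the `tun` module and the rp_filter settings the VPN routing relies on would be silently lost. The attrsets need regrouping as sketched below; if this file is tangled from the org source, the fix belongs there as well. Separately, `firewall.extraCommands` only runs as part of the firewall unit, so with `firewall.enable = false` the `--uid-owner vpn -j DROP` kill-switch rule is never installed — either enable the firewall or install the rule from its own unit, and the `sudo` prefix is not needed in that script. The module continues past the hunk.
```nix
boot = {
  loader.grub = {
    enable = true;
    device = "/dev/sda";
    useOSProber = true;
  };
  supportedFilesystems = [ "zfs" ];
  zfs.forceImportRoot = false;
  kernelModules = [ "tun" ];
  kernel.sysctl = {
    "net.ipv4.conf.all.rp_filter" = 2;
    "net.ipv4.conf.default.rp_filter" = 2;
    "net.ipv4.conf.enp7s0.rp_filter" = 2;
  };
};

# … unchanged: networking block …

hardware = {
  enableAllFirmware = true;
  graphics = {
    enable = true;
    extraPackages = with pkgs; [
      intel-media-driver # LIBVA_DRIVER_NAME=iHD
      vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
      vaapiVdpau
      libvdpau-va-gl
    ];
  };
};
```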
@@ -52,62 +131,147 @@ alsa-utils mpv zfs - ]; + ]; + etc = { + "openvpn/iptables.sh" = + { source = ../../scripts/server1/iptables.sh; + mode = "0755"; + }; + "openvpn/update-resolv-conf" = + { source = ../../scripts/server1/update-resolv-conf; + mode = "0755"; + }; + "openvpn/routing.sh" = + { source = ../../scripts/server1/routing.sh; + mode = "0755"; + }; + "openvpn/ca.rsa.2048.crt" = + { source = ../../secrets/certs/ca.rsa.2048.crt; + mode = "0644"; + }; + "openvpn/crl.rsa.2048.pem" = + { source = ../../secrets/certs/crl.rsa.2048.pem; + mode = "0644"; + }; + }; + shellAliases = { + nswitch = "cd ~/.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; + }; + }; - services.xserver = { - layout = "us"; - xkbVariant = "altgr-intl"; + systemd = { + timers."restart-bridges" = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnBootSec = "1d"; + OnUnitActiveSec = "1d"; + Unit = "restart-bridges.service"; }; - - nix.settings.experimental-features = ["nix-command" "flakes"]; - - services.openssh = { - enable = true; - settings.PermitRootLogin = "yes"; - listenAddresses = [{ - port = 22; - addr = "0.0.0.0"; - }]; - }; - users.users.root.openssh.authorizedKeys.keyFiles = [ - ../../secrets/keys/authorized_keys - ]; - - system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change - - environment.shellAliases = { - nswitch = "cd ~/.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; - }; - -boot.supportedFilesystems = [ "zfs" ]; -boot.zfs.forceImportRoot = false; -networking.hostId = "8a8ad84a"; - - networking.hostName = "sandbox"; # Define your hostname. 
- networking.enableIPv6 = true; - networking.firewall.enable = false; - - documentation = { - enable = false; - }; - - sops.age.sshKeyPaths = [ "/etc/ssh/sops" ]; - sops.defaultSopsFile = "/root/.dotfiles/secrets/sandbox/secrets.yaml"; - sops.validateSopsFiles = false; - sops.secrets.dnstokenfull = {owner="acme";}; - sops.templates."certs.secret".content = '' - CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull} - ''; - - security.acme = { - acceptTerms = true; - preliminarySelfsigned = false; - defaults.email = "mrswarsel@gmail.com"; - defaults.dnsProvider = "cloudflare"; - defaults.environmentFile = "${config.sops.templates."certs.secret".path}"; }; - services.nginx = { + services."restart-bridges" = { + script = '' + systemctl restart mautrix-whatsapp.service + systemctl restart mautrix-signal.service + systemctl restart mautrix-telegram.service + ''; + serviceConfig = { + Type = "oneshot"; + User = "root"; + }; + }; + }; + nix.settings.experimental-features = ["nix-command" "flakes"]; + + system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change + + documentation = { + enable = false; + }; + + sops = { + age.sshKeyPaths = [ "/etc/ssh/sops" ]; + defaultSopsFile = "/root/.dotfiles/secrets/sandbox/secrets.yaml"; + validateSopsFiles = false; + secrets = { + dnstokenfull = {owner="acme";}; + kavita = { owner = "kavita";}; + vpnuser = {}; + rpcuser = {owner="vpn";}; + vpnpass = {}; + rpcpass = {owner="vpn";}; + vpnprot = {}; + vpnloc = {}; + mpdpass = { owner = "mpd";}; + }; + templates = { + "transmission-rpc" = { + owner = "vpn"; + content = builtins.toJSON { + rpc-username = config.sops.placeholder.rpcuser; + rpc-password = config.sops.placeholder.rpcpass; + }; + }; + + pia.content = '' + ${config.sops.placeholder.vpnuser} + ${config.sops.placeholder.vpnpass} + ''; + + vpn.content = '' + client + dev tun + proto ${config.sops.placeholder.vpnprot} + remote ${config.sops.placeholder.vpnloc} + resolv-retry infinite + nobind + persist-key + 
persist-tun + cipher aes-128-cbc + auth sha1 + tls-client + remote-cert-tls server + + auth-user-pass ${config.sops.templates.pia.path} + compress + verb 1 + reneg-sec 0 + + crl-verify /etc/openvpn/crl.rsa.2048.pem + ca /etc/openvpn/ca.rsa.2048.crt + + disable-occ + ''; + "certs.secret".content = '' + CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull} + ''; + }; + }; + + security.acme = { + acceptTerms = true; + preliminarySelfsigned = false; + defaults.email = "mrswarsel@gmail.com"; + defaults.dnsProvider = "cloudflare"; + defaults.environmentFile = "${config.sops.templates."certs.secret".path}"; + }; + + services = { + xserver = { + layout = "us"; + xkbVariant = "altgr-intl"; + }; + + openssh = { + enable = true; + settings.PermitRootLogin = "yes"; + listenAddresses = [{ + port = 22; + addr = "0.0.0.0"; + }]; + }; + + nginx = { enable = true; recommendedProxySettings = true; recommendedTlsSettings = true; @@ -123,12 +287,9 @@ networking.hostId = "8a8ad84a"; "/" = { proxyPass = "https://192.168.1.5"; extraConfig = '' - client_max_body_size 0; - ''; + client_max_body_size 0; + ''; }; - # "/push/" = { - # proxyPass = "http://192.168.2.5:7867"; - # }; "/.well-known/carddav" = { return = "301 $scheme://$host/remote.php/dav"; }; 
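Review bot: `settings.PermitRootLogin = "yes"` in the `openssh` block keeps root password authentication open on a listener bound to `0.0.0.0`, while root already gets key-based access from `openssh.authorizedKeys.keyFiles` in the previous hunk; `settings.PermitRootLogin = "prohibit-password";` keeps the key path and closes the password one. The `vpn` template in the same hunk pins `cipher aes-128-cbc`, `auth sha1` and `compress`; whether the provider still requires these is not visible here, so a comment such as `# legacy cipher/compression kept for provider compatibility — TODO confirm still required` would stop a later reader from treating them as deliberate hardening choices. The `services` attrset opened here continues past the hunk.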
@@ -146,325 +307,186 @@ networking.hostId = "8a8ad84a"; "~ ^(/_matrix|/_synapse/client)" = { proxyPass = "http://127.0.0.1:8008"; extraConfig = '' - client_max_body_size 0; - ''; + client_max_body_size 0; + ''; }; }; }; - "sound.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:4040"; - proxyWebsockets = true; - extraConfig = '' - proxy_redirect http:// https://; - proxy_read_timeout 600s; - proxy_send_timeout 600s; - proxy_buffering off; - proxy_request_buffering off; - client_max_body_size 0; - ''; - }; + "sound.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:4040"; + proxyWebsockets = true; + extraConfig = '' + proxy_redirect http:// https://; + proxy_read_timeout 600s; + proxy_send_timeout 600s; + proxy_buffering off; + proxy_request_buffering off; + client_max_body_size 0; + ''; }; }; + }; - "scan.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:28981"; - extraConfig = '' - client_max_body_size 0; - ''; - }; + "scan.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:28981"; + extraConfig = '' + client_max_body_size 0; + ''; }; }; + }; - "screen.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:8096"; - extraConfig = '' - client_max_body_size 0; - ''; - }; + "screen.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:8096"; + extraConfig = '' + client_max_body_size 0; + ''; }; }; + }; - "scroll.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:8080"; - extraConfig = '' - 
client_max_body_size 0; - ''; - }; + "scroll.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:8080"; + extraConfig = '' + client_max_body_size 0; + ''; }; }; - - }; }; + }; - - sops.secrets.kavita = { owner = "kavita";}; - - services.kavita = { + kavita = { enable = true; user = "kavita"; port = 8080; tokenKeyFile = config.sops.secrets.kavita.path; }; - users.users.jellyfin = { - extraGroups = [ "video" "render" ]; - }; - - # nixpkgs.config.packageOverrides = pkgs: { - # vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; - # }; - - hardware.graphics = { - enable = true; - extraPackages = with pkgs; [ - intel-media-driver # LIBVA_DRIVER_NAME=iHD - vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium) - vaapiVdpau - libvdpau-va-gl - ]; - }; - - services.jellyfin = { + jellyfin = { enable = true; user = "jellyfin"; - # openFirewall = true; # this works only for the default ports }; - users.groups.vpn = {}; - - users.users.vpn = { - isNormalUser = true; - group = "vpn"; - home = "/home/vpn"; - }; - - boot.kernelModules = [ "tun" ]; - - services.radarr = { - enable = true; - }; - - services.readarr = { - enable = true; - }; - services.sonarr = { - enable = true; - }; - services.lidarr = { - enable = true; - }; - services.prowlarr = { - enable = true; - }; - - networking.firewall.extraCommands = '' - sudo iptables -A OUTPUT ! 
-o lo -m owner --uid-owner vpn -j DROP - ''; - networking.iproute2 = { - enable = true; - rttablesExtraConfig = '' - 200 vpn - ''; - }; - boot.kernel.sysctl = { - "net.ipv4.conf.all.rp_filter" = 2; - "net.ipv4.conf.default.rp_filter" = 2; - "net.ipv4.conf.enp7s0.rp_filter" = 2; - }; - environment.etc = { - "openvpn/iptables.sh" = - { source = ../../scripts/server1/iptables.sh; - mode = "0755"; - }; - "openvpn/update-resolv-conf" = - { source = ../../scripts/server1/update-resolv-conf; - mode = "0755"; - }; - "openvpn/routing.sh" = - { source = ../../scripts/server1/routing.sh; - mode = "0755"; - }; - "openvpn/ca.rsa.2048.crt" = - { source = ../../secrets/certs/ca.rsa.2048.crt; - mode = "0644"; - }; - "openvpn/crl.rsa.2048.pem" = - { source = ../../secrets/certs/crl.rsa.2048.pem; - mode = "0644"; - }; - }; - - sops.secrets.vpnuser = {}; - sops.secrets.rpcuser = {owner="vpn";}; - sops.secrets.vpnpass = {}; - sops.secrets.rpcpass = {owner="vpn";}; - sops.secrets.vpnprot = {}; - sops.secrets.vpnloc = {}; - # sops.secrets.crlpem = {}; - # sops.secrets.capem = {}; - sops.templates."transmission-rpc".owner = "vpn"; - sops.templates."transmission-rpc".content = builtins.toJSON { - rpc-username = config.sops.placeholder.rpcuser; - rpc-password = config.sops.placeholder.rpcpass; - }; - - sops.templates.pia.content = '' - ${config.sops.placeholder.vpnuser} - ${config.sops.placeholder.vpnpass} - ''; - - sops.templates.vpn.content = '' - client - dev tun - proto ${config.sops.placeholder.vpnprot} - remote ${config.sops.placeholder.vpnloc} - resolv-retry infinite - nobind - persist-key - persist-tun - cipher aes-128-cbc - auth sha1 - tls-client - remote-cert-tls server - - auth-user-pass ${config.sops.templates.pia.path} - compress - verb 1 - reneg-sec 0 - - crl-verify /etc/openvpn/crl.rsa.2048.pem - ca /etc/openvpn/ca.rsa.2048.crt - - disable-occ - ''; - - services.openvpn.servers = { - pia = { - autoStart = true; - updateResolvConf = false; - config = "config 
${config.sops.templates.vpn.path}"; - }; - }; - - services.transmission = { - enable = true; - credentialsFile = config.sops.templates."transmission-rpc".path; - user = "vpn"; - settings = { - - alt-speed-down= 8000; - alt-speed-enabled= false; - alt-speed-time-begin= 0; - alt-speed-time-day= 127; - alt-speed-time-enabled= true; - alt-speed-time-end= 360; - alt-speed-up= 2000; - bind-address-ipv4= "0.0.0.0"; - bind-address-ipv6= "::"; - blocklist-enabled= false; - blocklist-url= "http://www.example.com/blocklist"; - cache-size-mb= 256; - dht-enabled= false; - download-dir= "/test"; - download-limit= 100; - download-limit-enabled= 0; - download-queue-enabled= true; - download-queue-size= 5; - encryption= 2; - idle-seeding-limit= 30; - idle-seeding-limit-enabled= false; - incomplete-dir= "/var/lib/transmission-daemon/Downloads"; - incomplete-dir-enabled= false; - lpd-enabled= false; - max-peers-global= 200; - message-level= 1; - peer-congestion-algorithm= ""; - peer-id-ttl-hours= 6; - peer-limit-global= 100; - peer-limit-per-torrent= 40; - peer-port= 22371; - peer-port-random-high= 65535; - peer-port-random-low= 49152; - peer-port-random-on-start= false; - peer-socket-tos= "default"; - pex-enabled= false; - port-forwarding-enabled= false; - preallocation= 1; - prefetch-enabled= true; - queue-stalled-enabled= true; - queue-stalled-minutes= 30; - ratio-limit= 2; - ratio-limit-enabled= false; - rename-partial-files= true; - rpc-authentication-required= true; - rpc-bind-address= "0.0.0.0"; - rpc-enabled= true; - rpc-host-whitelist= ""; - rpc-host-whitelist-enabled= true; - rpc-port= 9091; - rpc-url= "/transmission/"; - rpc-whitelist= "127.0.0.1,192.168.3.2"; - rpc-whitelist-enabled= true; - scrape-paused-torrents-enabled= true; - script-torrent-done-enabled= false; - seed-queue-enabled= false; - seed-queue-size= 10; - speed-limit-down= 6000; - speed-limit-down-enabled= true; - speed-limit-up= 500; - speed-limit-up-enabled= true; - start-added-torrents= true; - 
trash-original-torrent-files= false; - umask= 2; - upload-limit= 100; - upload-limit-enabled= 0; - upload-slots-per-torrent= 14; - utp-enabled= false; - }; - }; - - # services.nginx = { - # enable = true; - # virtualHosts = { - - # "192.168.1.192" = { - # locations = { - # "/transmission" = { - # proxyPass = "http://127.0.0.1:9091"; - # extraConfig = '' - # proxy_set_header Host $host; - # proxy_set_header X-Real-IP $remote_addr; - # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - # ''; - # }; - # }; - # }; - # }; - # }; - + radarr = { + enable = true; + }; + readarr = { + enable = true; + }; + sonarr = { + enable = true; + }; + lidarr = { + enable = true; + }; + prowlarr = { + enable = true; + }; + openvpn.servers = { + pia = { + autoStart = true; + updateResolvConf = false; + config = "config ${config.sops.templates.vpn.path}"; + }; + }; + transmission = { + enable = true; + credentialsFile = config.sops.templates."transmission-rpc".path; + user = "vpn"; + settings = { + alt-speed-down= 8000; + alt-speed-enabled= false; + alt-speed-time-begin= 0; + alt-speed-time-day= 127; + alt-speed-time-enabled= true; + alt-speed-time-end= 360; + alt-speed-up= 2000; + bind-address-ipv4= "0.0.0.0"; + bind-address-ipv6= "::"; + blocklist-enabled= false; + blocklist-url= "http://www.example.com/blocklist"; + cache-size-mb= 256; + dht-enabled= false; + download-dir= "/test"; + download-limit= 100; + download-limit-enabled= 0; + download-queue-enabled= true; + download-queue-size= 5; + encryption= 2; + idle-seeding-limit= 30; + idle-seeding-limit-enabled= false; + incomplete-dir= "/var/lib/transmission-daemon/Downloads"; + incomplete-dir-enabled= false; + lpd-enabled= false; + max-peers-global= 200; + message-level= 1; + peer-congestion-algorithm= ""; + peer-id-ttl-hours= 6; + peer-limit-global= 100; + peer-limit-per-torrent= 40; + peer-port= 22371; + peer-port-random-high= 65535; + peer-port-random-low= 49152; + peer-port-random-on-start= false; + peer-socket-tos= 
"default"; + pex-enabled= false; + port-forwarding-enabled= false; + preallocation= 1; + prefetch-enabled= true; + queue-stalled-enabled= true; + queue-stalled-minutes= 30; + ratio-limit= 2; + ratio-limit-enabled= false; + rename-partial-files= true; + rpc-authentication-required= true; + rpc-bind-address= "0.0.0.0"; + rpc-enabled= true; + rpc-host-whitelist= ""; + rpc-host-whitelist-enabled= true; + rpc-port= 9091; + rpc-url= "/transmission/"; + rpc-whitelist= "127.0.0.1,192.168.3.2"; + rpc-whitelist-enabled= true; + scrape-paused-torrents-enabled= true; + script-torrent-done-enabled= false; + seed-queue-enabled= false; + seed-queue-size= 10; + speed-limit-down= 6000; + speed-limit-down-enabled= true; + speed-limit-up= 500; + speed-limit-up-enabled= true; + start-added-torrents= true; + trash-original-torrent-files= false; + umask= 2; + upload-limit= 100; + upload-limit-enabled= 0; + upload-slots-per-torrent= 14; + utp-enabled= false; + }; + }; # sops.secrets.matrixsharedsecret = {owner="matrix-synapse";}; # sops.templates."matrix_user_register.sh".content = '' 
@@ -496,31 +518,32 @@ networking.hostId = "8a8ad84a"; # MAUTRIX_WHATSAPP_BRIDGE_LOGIN_SHARED_SECRET=${config.sops.placeholder.mautrixwhatsapp_shared} # ''; - services.postgresql.enable = true; - services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" '' - CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; - CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram'; - CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp'; - CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal'; - CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - ''; - - services.matrix-synapse = { + postgresql = { + enable = true; + initialScript = pkgs.writeText "synapse-init.sql" '' + CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; + CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram'; + CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp'; + CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal'; + CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + ''; + }; + matrix-synapse = { settings.app_service_config_files = [ 
"/var/lib/matrix-synapse/telegram-registration.yaml" "/var/lib/matrix-synapse/whatsapp-registration.yaml" @@ -549,7 +572,7 @@ networking.hostId = "8a8ad84a"; ]; }; - services.mautrix-telegram = { + mautrix-telegram = { enable = false; environmentFile = config.sops.templates.mautrixtelegram.path; settings = { @@ -571,7 +594,7 @@ networking.hostId = "8a8ad84a"; }; bridge = { # login_shared_secret_map = { - # matrixDomain = "as_token:doublepuppet"; + # matrixDomain = "as_token:doublepuppet"; # }; relaybot.authless_portals = true; allow_avatar_remove = true; @@ -585,12 +608,6 @@ networking.hostId = "8a8ad84a"; "*" = "relaybot"; "@swarsel:${matrixDomain}" = "admin"; }; - # Animated stickers conversion requires additional packages in the - # service's path. - # If this isn't a fresh installation, clearing the bridge's uploaded - # file cache might be necessary (make a database backup first!): - # delete from telegram_file where \ - # mime_type in ('application/gzip', 'application/octet-stream') animated_sticker = { target = "gif"; args = { @@ -603,12 +620,8 @@ networking.hostId = "8a8ad84a"; }; }; }; - # systemd.services.mautrix-telegram.path = with pkgs; [ - # lottieconverter # for animated stickers conversion, unfree package - # ffmpeg # if converting animated stickers to webm (very slow!) - # ]; - services.mautrix-whatsapp = { + mautrix-whatsapp = { enable = false; # environmentFile = config.sops.templates.mautrixwhatsapp.path; settings = { @@ -655,9 +668,8 @@ networking.hostId = "8a8ad84a"; }; }; - services.mautrix-signal = { + mautrix-signal = { enable = false; - # environmentFile = config.sops.templates.mautrixwhatsapp.path; settings = { homeserver = { address = "http://localhost:8008"; 
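Review bot: `initialScript` in the `postgresql` block creates four roles with fixed literal passwords (`'synapse'`, `'telegram'`, …) and, through `pkgs.writeText`, places them in the world-readable Nix store; with the default NixOS loopback `pg_hba` entries any local account on this host (`vpn`, `jellyfin`, `kavita` and the other system users defined in this file) could log in as those roles. If the consumers connect over the unix socket as their own users, peer authentication with no password would remove the exposure; otherwise reading the values from a sops template and a comment such as `# postgres is only reachable locally; role passwords are not a security boundary` would make the intended trust model explicit. The hunk only re-nests this block, the script text is unchanged.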
@@ -687,59 +699,7 @@ networking.hostId = "8a8ad84a";
 };
 };
- # restart the bridges daily. this is done for the signal bridge mainly which stops carrying
- # messages out after a while.
-
- systemd.timers."restart-bridges" = {
- wantedBy = [ "timers.target" ];
- timerConfig = {
- OnBootSec = "1d";
- OnUnitActiveSec = "1d";
- Unit = "restart-bridges.service";
- };
- };
-
- systemd.services."restart-bridges" = {
- script = ''
- systemctl restart mautrix-whatsapp.service
- systemctl restart mautrix-signal.service
- systemctl restart mautrix-telegram.service
- '';
- serviceConfig = {
- Type = "oneshot";
- User = "root";
- };
- };
-
-
- users.groups.navidrome = {
- gid = 61593;
- };
-
- users.groups.mpd = {};
-
- users.users.navidrome = {
- isSystemUser = true;
- uid = 61593;
- group = "navidrome";
- extraGroups = [ "audio" "utmp" ];
- };
-
- users.users.mpd = {
- isSystemUser = true;
- group = "mpd";
- extraGroups = [ "audio" "utmp" ];
- };
-
- sound = {
- enable = true;
- };
-
- hardware.enableAllFirmware = true;
-
- sops.secrets.mpdpass = { owner = "mpd";};
-
- services.navidrome = {
+ navidrome = {
 enable = true;
 settings = {
 Address = "0.0.0.0";
@@ -758,7 +718,7 @@ networking.hostId = "8a8ad84a";
 UIWelcomeMessage = "~SwarselSound~";
 };
 };
- services.mpd = {
+ mpd = {
 enable = true;
 musicDirectory = "/mnt/Eternor/Musik";
 user = "mpd";
@@ -781,18 +741,7 @@ networking.hostId = "8a8ad84a";
 };
- users.groups.spotifyd = {
- gid = 65136;
- };
-
- users.users.spotifyd = {
- isSystemUser = true;
- uid = 65136;
- group = "spotifyd";
- extraGroups = [ "audio" "utmp" ];
- };
-
- services.spotifyd = {
+ spotifyd = {
 enable = true;
 settings = {
 global = {
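Review bot: `users.users.mpd`, `users.groups.mpd`, the pinned `navidrome` uid/gid 61593 and `sops.secrets.mpdpass = { owner = "mpd";}` are deleted in this hunk while `mpd = { … user = "mpd"; … }` survives in the `-758` hunk, and nothing visible in the diff re-declares them; the `-781` hunk drops the `spotifyd` uid/gid 65136 the same way. If these moved to a shared module this is fine, but otherwise the mpd secret is no longer provisioned and the accounts fall back to whatever the NixOS service modules create, which presumably will not match ownership already set on `/mnt/Eternor/Musik`. A comment at the new `navidrome = {` line such as `# users, groups and the mpdpass secret live in <module path>` would make the move traceable for the next reader. The enclosing `services = {` set opens outside the hunk.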
@@ -806,62 +755,53 @@ networking.hostId = "8a8ad84a";
 };
 };
- # Network shares
- # add a user with sudo smbpasswd -a
- services.samba = {
- package = pkgs.samba4Full;
- extraConfig = ''
- workgroup = WORKGROUP
- server role = standalone server
- dns proxy = no
+ # Network shares
+ # add a user with sudo smbpasswd -a
+ samba = {
+ package = pkgs.samba4Full;
+ extraConfig = ''
+ workgroup = WORKGROUP
+ server role = standalone server
+ dns proxy = no
- pam password change = yes
- map to guest = bad user
- create mask = 0664
- force create mode = 0664
- directory mask = 0775
- force directory mode = 0775
- follow symlinks = yes
- '';
+ pam password change = yes
+ map to guest = bad user
+ create mask = 0664
+ force create mode = 0664
+ directory mask = 0775
+ force directory mode = 0775
+ follow symlinks = yes
+ '';
- # ^^ `samba4Full` is compiled with avahi, ldap, AD etc support compared to the default package, `samba`
- # Required for samba to register mDNS records for auto discovery
- # See https://github.com/NixOS/nixpkgs/blob/592047fc9e4f7b74a4dc85d1b9f5243dfe4899e3/pkgs/top-level/all-packages.nix#L27268
- enable = true;
- # openFirewall = true;
- shares.test = {
- browseable = "yes";
- "read only" = "no";
- "guest ok" = "no";
- path = "/test2";
- writable = "true";
- comment = "Eternor";
- "valid users" = "@smbtest2";
- };
+ # ^^ `samba4Full` is compiled with avahi, ldap, AD etc support compared to the default package, `samba`
+ # Required for samba to register mDNS records for auto discovery
+ # See https://github.com/NixOS/nixpkgs/blob/592047fc9e4f7b74a4dc85d1b9f5243dfe4899e3/pkgs/top-level/all-packages.nix#L27268
+ enable = true;
+ # openFirewall = true;
+ shares.test = {
+ browseable = "yes";
+ "read only" = "no";
+ "guest ok" = "no";
+ path = "/test2";
+ writable = "true";
+ comment = "Eternor";
+ "valid users" = "@smbtest2";
 };
+ };
- services.avahi = {
- publish.enable = true;
- publish.userServices = true;
- # ^^ Needed to allow samba to automatically register mDNS records without the need for an `extraServiceFile`
- nssmdns = true;
- # ^^ Not one hundred percent sure if this is needed- if it aint broke, don't fix it
- enable = true;
- };
+ avahi = {
+ publish.enable = true;
+ publish.userServices = true;
+ # ^^ Needed to allow samba to automatically register mDNS records without the need for an `extraServiceFile`
+ nssmdns = true;
+ # ^^ Not one hundred percent sure if this is needed- if it aint broke, don't fix it
+ enable = true;
+ };
- services.samba-wsdd = {
+ samba-wsdd = {
 # This enables autodiscovery on windows since SMB1 (and thus netbios) support was discontinued
- enable = true;
- };
-
-
-
-
-
-
-
-
-
- }
+ enable = true;
+ };
+ };
+}
diff --git a/programs/emacs/init.el b/programs/emacs/init.el
index 01d2b6e..c543a8a 100644
--- a/programs/emacs/init.el
+++ b/programs/emacs/init.el
@@ -247,6 +247,27 @@ create a new one."
 (python-shell-send-region (region-beginning) (region-end))
 (python-shell-switch-to-shell))
+(defun swarsel/prefix-block (start end)
+ (interactive "r")
+ (save-excursion
+ (goto-char start)
+ (setq start (line-beginning-position))
+ (goto-char end)
+ (setq end (line-end-position))
+ (let ((common-prefix (save-excursion
+ (goto-char start)
+ (if (re-search-forward "^\\([^.\n]+\\)\\." end t)
+ (match-string 1)
+ (error "No common prefix found")))))
+ (save-excursion
+ (goto-char start)
+ (insert common-prefix " = {\n")
+ (goto-char (+ end (length common-prefix) 6))
+ (insert "};\n")
+ (goto-char start)
+ (while (re-search-forward (concat "^" (regexp-quote common-prefix) "\\.") end t)
+ (replace-match ""))))))
+
 ;; Make ESC quit prompts
 (global-set-key (kbd "") 'keyboard-escape-quit)
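Review bot: The integer `end` that bounds the `while` loop in `swarsel/prefix-block` is stale once `(insert common-prefix " = {\n")` has pushed the region forward: it first lags the text by the length of the inserted line, and then, as each `replace-match` removes `(1+ (length common-prefix))` characters, overshoots it, so the loop can skip the region's last line or keep stripping `prefix.` from lines after the region. The same stale value feeds the hand-computed `(goto-char (+ end (length common-prefix) 6))`, which also runs past `point-max` when the region ends on the buffer's last line without a trailing newline. Turning `end` into a marker with `(setq end (copy-marker (line-end-position)))` lets both the `};` insertion and the search bound follow the edits, and the offset arithmetic can go; the marker should be cleared afterwards. The defun also has no docstring; one stating that the prefix is taken from the first matching line only and that non-matching lines are left alone would document the contract. The whole defun is inside the hunk.

```elisp
(defun swarsel/prefix-block (start end)
  "Fold the lines in START..END that share a leading `PREFIX.' into a `PREFIX = { ... };' set.
The prefix is read from the first line of the region that contains a dot;
lines that do not carry it are left unchanged."
  (interactive "r")
  (save-excursion
    ;; … unchanged: START moved to the beginning of its line …
    (goto-char end)
    ;; A marker keeps END valid while text is inserted and removed above it.
    (setq end (copy-marker (line-end-position)))
    ;; … unchanged: common-prefix lookup, still bounded by END …
      (save-excursion
        (goto-char start)
        (insert common-prefix " = {\n")
        (goto-char end)
        (insert "\n};")
        ;; … unchanged: prefix-stripping loop, now bounded by the live END marker …
        )
      (set-marker end nil))))
```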
@@ -475,6 +496,9 @@ create a new one."
 (set-face-attribute 'highlight-indent-guides-stack-even-face nil :background "gray40")
 (set-face-attribute 'highlight-indent-guides-stack-odd-face nil :background "gray50"))
+(use-package aggressive-indent)
+(global-aggressive-indent-mode 1)
+
 (setq mouse-wheel-scroll-amount '(1 ((shift) . 5)