chore: cleanup code
This commit is contained in:
parent
38b7687b5c
commit
9dc9a1fe1b
7 changed files with 1517 additions and 1621 deletions
|
|
@ -839,17 +839,23 @@ No matter what you do, check the initial /etc/nixos/configuration.nix for notabl
|
|||
};
|
||||
|
||||
# Bootloader
|
||||
boot.loader.grub.enable = true;
|
||||
boot.loader.grub.device = "/dev/sda"; # TEMPLATE - if only one disk, this will work
|
||||
boot.loader.grub.useOSProber = true;
|
||||
boot.loader.grub = {
|
||||
enable = true;
|
||||
device = "/dev/sda"; # TEMPLATE - if only one disk, this will work
|
||||
useOSProber = true;
|
||||
};
|
||||
|
||||
# --------------------------------------
|
||||
# you might need a configuration like this instead:
|
||||
# Bootloader
|
||||
# boot.loader.grub.enable = true;
|
||||
# boot.loader.grub.devices = ["nodev" ];
|
||||
# boot.loader.grub.useOSProber = true;
|
||||
# boot.kernelPackages = pkgs.linuxPackages_latest;
|
||||
# boot = {
|
||||
# kernelPackages = pkgs.linuxPackages_latest;
|
||||
# loader.grub = {
|
||||
# enable = true;
|
||||
# devices = ["nodev" ];
|
||||
# useOSProber = true;
|
||||
# };
|
||||
# };
|
||||
# --------------------------------------
|
||||
|
||||
networking.hostName = "TEMPLATE"; # Define your hostname.
|
||||
|
|
@ -988,31 +994,109 @@ My old laptop, replaced by a new one, since most basic functions have stopped to
|
|||
|
||||
#+begin_src nix :noweb yes :tangle profiles/sandbox/nixos.nix
|
||||
|
||||
{ config, pkgs, unstable, sops, ... }: let
|
||||
{ config, pkgs, sops, ... }: let
|
||||
matrixDomain = "swatrix.swarsel.win";
|
||||
in {
|
||||
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
# we import here a service that is not available yet on normal nixpkgs
|
||||
# this module is hence not in the modules list, we add it ourselves
|
||||
(unstable + "/nixos/modules/services/matrix/mautrix-signal.nix")
|
||||
];
|
||||
|
||||
boot.loader.grub = {
|
||||
enable = true;
|
||||
device = "/dev/sda";
|
||||
useOSProber = true;
|
||||
supportedFilesystems = [ "zfs" ];
|
||||
zfs.forceImportRoot = false;
|
||||
kernelModules = [ "tun" ];
|
||||
kernel.sysctl = {
|
||||
"net.ipv4.conf.all.rp_filter" = 2;
|
||||
"net.ipv4.conf.default.rp_filter" = 2;
|
||||
"net.ipv4.conf.enp7s0.rp_filter" = 2;
|
||||
};
|
||||
};
|
||||
|
||||
users.users.swarsel = {
|
||||
networking = {
|
||||
hostId = "8a8ad84a";
|
||||
hostName = "sandbox"; # Define your hostname.
|
||||
enableIPv6 = true;
|
||||
firewall.enable = false;
|
||||
firewall.extraCommands = ''
|
||||
sudo iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP
|
||||
'';
|
||||
iproute2 = {
|
||||
enable = true;
|
||||
rttablesExtraConfig = ''
|
||||
200 vpn
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
hardware.graphics = {
|
||||
enable = true;
|
||||
hardware.enableAllFirmware = true;
|
||||
extraPackages = with pkgs; [
|
||||
intel-media-driver # LIBVA_DRIVER_NAME=iHD
|
||||
vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
|
||||
vaapiVdpau
|
||||
libvdpau-va-gl
|
||||
];
|
||||
};
|
||||
|
||||
sound = {
|
||||
enable = true;
|
||||
};
|
||||
|
||||
users = {
|
||||
groups = {
|
||||
vpn = {};
|
||||
mpd = {};
|
||||
navidrome = {
|
||||
gid = 61593;
|
||||
};
|
||||
spotifyd = {
|
||||
gid = 65136;
|
||||
};
|
||||
};
|
||||
users = {
|
||||
jellyfin = {
|
||||
extraGroups = [ "video" "render" ];
|
||||
};
|
||||
vpn = {
|
||||
isNormalUser = true;
|
||||
group = "vpn";
|
||||
home = "/home/vpn";
|
||||
};
|
||||
navidrome = {
|
||||
isSystemUser = true;
|
||||
uid = 61593;
|
||||
group = "navidrome";
|
||||
extraGroups = [ "audio" "utmp" ];
|
||||
};
|
||||
spotifyd = {
|
||||
isSystemUser = true;
|
||||
uid = 65136;
|
||||
group = "spotifyd";
|
||||
extraGroups = [ "audio" "utmp" ];
|
||||
};
|
||||
mpd = {
|
||||
isSystemUser = true;
|
||||
group = "mpd";
|
||||
extraGroups = [ "audio" "utmp" ];
|
||||
};
|
||||
swarsel = {
|
||||
isNormalUser = true;
|
||||
description = "Leon S";
|
||||
extraGroups = [ "networkmanager" "wheel" "lp"];
|
||||
packages = with pkgs; [];
|
||||
};
|
||||
|
||||
# actual config starts here
|
||||
root = {
|
||||
openssh.authorizedKeys.keyFiles = [
|
||||
../../secrets/keys/authorized_keys
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
fileSystems."/mnt/Eternor" = {
|
||||
device = "//192.168.1.3/Eternor";
|
||||
|
|
@ -1023,7 +1107,8 @@ My old laptop, replaced by a new one, since most basic functions have stopped to
|
|||
in ["${automount_opts},credentials=/etc/nixos/smb-secrets,uid=1000,gid=100"];
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
environment = {
|
||||
systemPackages = with pkgs; [
|
||||
git
|
||||
gnupg
|
||||
ssh-to-age
|
||||
|
|
@ -1043,51 +1128,121 @@ My old laptop, replaced by a new one, since most basic functions have stopped to
|
|||
mpv
|
||||
zfs
|
||||
];
|
||||
|
||||
services.xserver = {
|
||||
layout = "us";
|
||||
xkbVariant = "altgr-intl";
|
||||
etc = {
|
||||
"openvpn/iptables.sh" =
|
||||
{ source = ../../scripts/server1/iptables.sh;
|
||||
mode = "0755";
|
||||
};
|
||||
|
||||
nix.settings.experimental-features = ["nix-command" "flakes"];
|
||||
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
settings.PermitRootLogin = "yes";
|
||||
listenAddresses = [{
|
||||
port = 22;
|
||||
addr = "0.0.0.0";
|
||||
}];
|
||||
"openvpn/update-resolv-conf" =
|
||||
{ source = ../../scripts/server1/update-resolv-conf;
|
||||
mode = "0755";
|
||||
};
|
||||
users.users.root.openssh.authorizedKeys.keyFiles = [
|
||||
../../secrets/keys/authorized_keys
|
||||
];
|
||||
|
||||
system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
|
||||
|
||||
environment.shellAliases = {
|
||||
"openvpn/routing.sh" =
|
||||
{ source = ../../scripts/server1/routing.sh;
|
||||
mode = "0755";
|
||||
};
|
||||
"openvpn/ca.rsa.2048.crt" =
|
||||
{ source = ../../secrets/certs/ca.rsa.2048.crt;
|
||||
mode = "0644";
|
||||
};
|
||||
"openvpn/crl.rsa.2048.pem" =
|
||||
{ source = ../../secrets/certs/crl.rsa.2048.pem;
|
||||
mode = "0644";
|
||||
};
|
||||
};
|
||||
shellAliases = {
|
||||
nswitch = "cd ~/.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
|
||||
};
|
||||
};
|
||||
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
boot.zfs.forceImportRoot = false;
|
||||
networking.hostId = "8a8ad84a";
|
||||
systemd = {
|
||||
timers."restart-bridges" = {
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig = {
|
||||
OnBootSec = "1d";
|
||||
OnUnitActiveSec = "1d";
|
||||
Unit = "restart-bridges.service";
|
||||
};
|
||||
};
|
||||
|
||||
networking.hostName = "sandbox"; # Define your hostname.
|
||||
networking.enableIPv6 = true;
|
||||
networking.firewall.enable = false;
|
||||
services."restart-bridges" = {
|
||||
script = ''
|
||||
systemctl restart mautrix-whatsapp.service
|
||||
systemctl restart mautrix-signal.service
|
||||
systemctl restart mautrix-telegram.service
|
||||
'';
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = "root";
|
||||
};
|
||||
};
|
||||
};
|
||||
nix.settings.experimental-features = ["nix-command" "flakes"];
|
||||
|
||||
system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
|
||||
|
||||
documentation = {
|
||||
enable = false;
|
||||
};
|
||||
|
||||
sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
|
||||
sops.defaultSopsFile = "/root/.dotfiles/secrets/sandbox/secrets.yaml";
|
||||
sops.validateSopsFiles = false;
|
||||
sops.secrets.dnstokenfull = {owner="acme";};
|
||||
sops.templates."certs.secret".content = ''
|
||||
sops = {
|
||||
age.sshKeyPaths = [ "/etc/ssh/sops" ];
|
||||
defaultSopsFile = "/root/.dotfiles/secrets/sandbox/secrets.yaml";
|
||||
validateSopsFiles = false;
|
||||
secrets = {
|
||||
dnstokenfull = {owner="acme";};
|
||||
kavita = { owner = "kavita";};
|
||||
vpnuser = {};
|
||||
rpcuser = {owner="vpn";};
|
||||
vpnpass = {};
|
||||
rpcpass = {owner="vpn";};
|
||||
vpnprot = {};
|
||||
vpnloc = {};
|
||||
mpdpass = { owner = "mpd";};
|
||||
};
|
||||
templates = {
|
||||
"transmission-rpc" = {
|
||||
owner = "vpn";
|
||||
content = builtins.toJSON {
|
||||
rpc-username = config.sops.placeholder.rpcuser;
|
||||
rpc-password = config.sops.placeholder.rpcpass;
|
||||
};
|
||||
};
|
||||
|
||||
pia.content = ''
|
||||
${config.sops.placeholder.vpnuser}
|
||||
${config.sops.placeholder.vpnpass}
|
||||
'';
|
||||
|
||||
vpn.content = ''
|
||||
client
|
||||
dev tun
|
||||
proto ${config.sops.placeholder.vpnprot}
|
||||
remote ${config.sops.placeholder.vpnloc}
|
||||
resolv-retry infinite
|
||||
nobind
|
||||
persist-key
|
||||
persist-tun
|
||||
cipher aes-128-cbc
|
||||
auth sha1
|
||||
tls-client
|
||||
remote-cert-tls server
|
||||
|
||||
auth-user-pass ${config.sops.templates.pia.path}
|
||||
compress
|
||||
verb 1
|
||||
reneg-sec 0
|
||||
|
||||
crl-verify /etc/openvpn/crl.rsa.2048.pem
|
||||
ca /etc/openvpn/ca.rsa.2048.crt
|
||||
|
||||
disable-occ
|
||||
'';
|
||||
"certs.secret".content = ''
|
||||
CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
|
|
@ -1097,7 +1252,22 @@ My old laptop, replaced by a new one, since most basic functions have stopped to
|
|||
defaults.environmentFile = "${config.sops.templates."certs.secret".path}";
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
services = {
|
||||
xserver = {
|
||||
layout = "us";
|
||||
xkbVariant = "altgr-intl";
|
||||
};
|
||||
|
||||
openssh = {
|
||||
enable = true;
|
||||
settings.PermitRootLogin = "yes";
|
||||
listenAddresses = [{
|
||||
port = 22;
|
||||
addr = "0.0.0.0";
|
||||
}];
|
||||
};
|
||||
|
||||
nginx = {
|
||||
enable = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
|
|
@ -1116,9 +1286,6 @@ My old laptop, replaced by a new one, since most basic functions have stopped to
|
|||
client_max_body_size 0;
|
||||
'';
|
||||
};
|
||||
# "/push/" = {
|
||||
# proxyPass = "http://192.168.2.5:7867";
|
||||
# };
|
||||
"/.well-known/carddav" = {
|
||||
return = "301 $scheme://$host/remote.php/dav";
|
||||
};
|
||||
|
|
@ -1204,167 +1371,48 @@ My old laptop, replaced by a new one, since most basic functions have stopped to
|
|||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
sops.secrets.kavita = { owner = "kavita";};
|
||||
|
||||
services.kavita = {
|
||||
kavita = {
|
||||
enable = true;
|
||||
user = "kavita";
|
||||
port = 8080;
|
||||
tokenKeyFile = config.sops.secrets.kavita.path;
|
||||
};
|
||||
|
||||
users.users.jellyfin = {
|
||||
extraGroups = [ "video" "render" ];
|
||||
};
|
||||
|
||||
# nixpkgs.config.packageOverrides = pkgs: {
|
||||
# vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
|
||||
# };
|
||||
|
||||
hardware.graphics = {
|
||||
enable = true;
|
||||
extraPackages = with pkgs; [
|
||||
intel-media-driver # LIBVA_DRIVER_NAME=iHD
|
||||
vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
|
||||
vaapiVdpau
|
||||
libvdpau-va-gl
|
||||
];
|
||||
};
|
||||
|
||||
services.jellyfin = {
|
||||
jellyfin = {
|
||||
enable = true;
|
||||
user = "jellyfin";
|
||||
# openFirewall = true; # this works only for the default ports
|
||||
};
|
||||
|
||||
users.groups.vpn = {};
|
||||
|
||||
users.users.vpn = {
|
||||
isNormalUser = true;
|
||||
group = "vpn";
|
||||
home = "/home/vpn";
|
||||
};
|
||||
|
||||
boot.kernelModules = [ "tun" ];
|
||||
|
||||
services.radarr = {
|
||||
radarr = {
|
||||
enable = true;
|
||||
};
|
||||
|
||||
services.readarr = {
|
||||
readarr = {
|
||||
enable = true;
|
||||
};
|
||||
services.sonarr = {
|
||||
sonarr = {
|
||||
enable = true;
|
||||
};
|
||||
services.lidarr = {
|
||||
lidarr = {
|
||||
enable = true;
|
||||
};
|
||||
services.prowlarr = {
|
||||
prowlarr = {
|
||||
enable = true;
|
||||
};
|
||||
|
||||
networking.firewall.extraCommands = ''
|
||||
sudo iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP
|
||||
'';
|
||||
networking.iproute2 = {
|
||||
enable = true;
|
||||
rttablesExtraConfig = ''
|
||||
200 vpn
|
||||
'';
|
||||
};
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv4.conf.all.rp_filter" = 2;
|
||||
"net.ipv4.conf.default.rp_filter" = 2;
|
||||
"net.ipv4.conf.enp7s0.rp_filter" = 2;
|
||||
};
|
||||
environment.etc = {
|
||||
"openvpn/iptables.sh" =
|
||||
{ source = ../../scripts/server1/iptables.sh;
|
||||
mode = "0755";
|
||||
};
|
||||
"openvpn/update-resolv-conf" =
|
||||
{ source = ../../scripts/server1/update-resolv-conf;
|
||||
mode = "0755";
|
||||
};
|
||||
"openvpn/routing.sh" =
|
||||
{ source = ../../scripts/server1/routing.sh;
|
||||
mode = "0755";
|
||||
};
|
||||
"openvpn/ca.rsa.2048.crt" =
|
||||
{ source = ../../secrets/certs/ca.rsa.2048.crt;
|
||||
mode = "0644";
|
||||
};
|
||||
"openvpn/crl.rsa.2048.pem" =
|
||||
{ source = ../../secrets/certs/crl.rsa.2048.pem;
|
||||
mode = "0644";
|
||||
};
|
||||
};
|
||||
|
||||
sops.secrets.vpnuser = {};
|
||||
sops.secrets.rpcuser = {owner="vpn";};
|
||||
sops.secrets.vpnpass = {};
|
||||
sops.secrets.rpcpass = {owner="vpn";};
|
||||
sops.secrets.vpnprot = {};
|
||||
sops.secrets.vpnloc = {};
|
||||
# sops.secrets.crlpem = {};
|
||||
# sops.secrets.capem = {};
|
||||
sops.templates."transmission-rpc".owner = "vpn";
|
||||
sops.templates."transmission-rpc".content = builtins.toJSON {
|
||||
rpc-username = config.sops.placeholder.rpcuser;
|
||||
rpc-password = config.sops.placeholder.rpcpass;
|
||||
};
|
||||
|
||||
sops.templates.pia.content = ''
|
||||
${config.sops.placeholder.vpnuser}
|
||||
${config.sops.placeholder.vpnpass}
|
||||
'';
|
||||
|
||||
sops.templates.vpn.content = ''
|
||||
client
|
||||
dev tun
|
||||
proto ${config.sops.placeholder.vpnprot}
|
||||
remote ${config.sops.placeholder.vpnloc}
|
||||
resolv-retry infinite
|
||||
nobind
|
||||
persist-key
|
||||
persist-tun
|
||||
cipher aes-128-cbc
|
||||
auth sha1
|
||||
tls-client
|
||||
remote-cert-tls server
|
||||
|
||||
auth-user-pass ${config.sops.templates.pia.path}
|
||||
compress
|
||||
verb 1
|
||||
reneg-sec 0
|
||||
|
||||
crl-verify /etc/openvpn/crl.rsa.2048.pem
|
||||
ca /etc/openvpn/ca.rsa.2048.crt
|
||||
|
||||
disable-occ
|
||||
'';
|
||||
|
||||
services.openvpn.servers = {
|
||||
openvpn.servers = {
|
||||
pia = {
|
||||
autoStart = true;
|
||||
updateResolvConf = false;
|
||||
config = "config ${config.sops.templates.vpn.path}";
|
||||
};
|
||||
};
|
||||
|
||||
services.transmission = {
|
||||
transmission = {
|
||||
enable = true;
|
||||
credentialsFile = config.sops.templates."transmission-rpc".path;
|
||||
user = "vpn";
|
||||
settings = {
|
||||
|
||||
alt-speed-down= 8000;
|
||||
alt-speed-enabled= false;
|
||||
alt-speed-time-begin= 0;
|
||||
|
|
@ -1436,26 +1484,6 @@ My old laptop, replaced by a new one, since most basic functions have stopped to
|
|||
};
|
||||
};
|
||||
|
||||
# services.nginx = {
|
||||
# enable = true;
|
||||
# virtualHosts = {
|
||||
|
||||
# "192.168.1.192" = {
|
||||
# locations = {
|
||||
# "/transmission" = {
|
||||
# proxyPass = "http://127.0.0.1:9091";
|
||||
# extraConfig = ''
|
||||
# proxy_set_header Host $host;
|
||||
# proxy_set_header X-Real-IP $remote_addr;
|
||||
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
# '';
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
|
||||
|
||||
# sops.secrets.matrixsharedsecret = {owner="matrix-synapse";};
|
||||
# sops.templates."matrix_user_register.sh".content = ''
|
||||
# register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008
|
||||
|
|
@ -1486,8 +1514,9 @@ My old laptop, replaced by a new one, since most basic functions have stopped to
|
|||
# MAUTRIX_WHATSAPP_BRIDGE_LOGIN_SHARED_SECRET=${config.sops.placeholder.mautrixwhatsapp_shared}
|
||||
# '';
|
||||
|
||||
services.postgresql.enable = true;
|
||||
services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
|
||||
postgresql = {
|
||||
enable = true;
|
||||
initialScript = pkgs.writeText "synapse-init.sql" ''
|
||||
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
|
||||
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
|
||||
TEMPLATE template0
|
||||
|
|
@ -1509,8 +1538,8 @@ My old laptop, replaced by a new one, since most basic functions have stopped to
|
|||
LC_COLLATE = "C"
|
||||
LC_CTYPE = "C";
|
||||
'';
|
||||
|
||||
services.matrix-synapse = {
|
||||
};
|
||||
matrix-synapse = {
|
||||
settings.app_service_config_files = [
|
||||
"/var/lib/matrix-synapse/telegram-registration.yaml"
|
||||
"/var/lib/matrix-synapse/whatsapp-registration.yaml"
|
||||
|
|
@ -1539,7 +1568,7 @@ My old laptop, replaced by a new one, since most basic functions have stopped to
|
|||
];
|
||||
};
|
||||
|
||||
services.mautrix-telegram = {
|
||||
mautrix-telegram = {
|
||||
enable = false;
|
||||
environmentFile = config.sops.templates.mautrixtelegram.path;
|
||||
settings = {
|
||||
|
|
@ -1575,12 +1604,6 @@ My old laptop, replaced by a new one, since most basic functions have stopped to
|
|||
"*" = "relaybot";
|
||||
"@swarsel:${matrixDomain}" = "admin";
|
||||
};
|
||||
# Animated stickers conversion requires additional packages in the
|
||||
# service's path.
|
||||
# If this isn't a fresh installation, clearing the bridge's uploaded
|
||||
# file cache might be necessary (make a database backup first!):
|
||||
# delete from telegram_file where \
|
||||
# mime_type in ('application/gzip', 'application/octet-stream')
|
||||
animated_sticker = {
|
||||
target = "gif";
|
||||
args = {
|
||||
|
|
@ -1593,12 +1616,8 @@ My old laptop, replaced by a new one, since most basic functions have stopped to
|
|||
};
|
||||
};
|
||||
};
|
||||
# systemd.services.mautrix-telegram.path = with pkgs; [
|
||||
# lottieconverter # for animated stickers conversion, unfree package
|
||||
# ffmpeg # if converting animated stickers to webm (very slow!)
|
||||
# ];
|
||||
|
||||
services.mautrix-whatsapp = {
|
||||
mautrix-whatsapp = {
|
||||
enable = false;
|
||||
# environmentFile = config.sops.templates.mautrixwhatsapp.path;
|
||||
settings = {
|
||||
|
|
@ -1645,9 +1664,8 @@ My old laptop, replaced by a new one, since most basic functions have stopped to
|
|||
};
|
||||
};
|
||||
|
||||
services.mautrix-signal = {
|
||||
mautrix-signal = {
|
||||
enable = false;
|
||||
# environmentFile = config.sops.templates.mautrixwhatsapp.path;
|
||||
settings = {
|
||||
homeserver = {
|
||||
address = "http://localhost:8008";
|
||||
|
|
@ -1677,59 +1695,7 @@ My old laptop, replaced by a new one, since most basic functions have stopped to
|
|||
};
|
||||
};
|
||||
|
||||
# restart the bridges daily. this is done for the signal bridge mainly which stops carrying
|
||||
# messages out after a while.
|
||||
|
||||
systemd.timers."restart-bridges" = {
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig = {
|
||||
OnBootSec = "1d";
|
||||
OnUnitActiveSec = "1d";
|
||||
Unit = "restart-bridges.service";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services."restart-bridges" = {
|
||||
script = ''
|
||||
systemctl restart mautrix-whatsapp.service
|
||||
systemctl restart mautrix-signal.service
|
||||
systemctl restart mautrix-telegram.service
|
||||
'';
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = "root";
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
users.groups.navidrome = {
|
||||
gid = 61593;
|
||||
};
|
||||
|
||||
users.groups.mpd = {};
|
||||
|
||||
users.users.navidrome = {
|
||||
isSystemUser = true;
|
||||
uid = 61593;
|
||||
group = "navidrome";
|
||||
extraGroups = [ "audio" "utmp" ];
|
||||
};
|
||||
|
||||
users.users.mpd = {
|
||||
isSystemUser = true;
|
||||
group = "mpd";
|
||||
extraGroups = [ "audio" "utmp" ];
|
||||
};
|
||||
|
||||
sound = {
|
||||
enable = true;
|
||||
};
|
||||
|
||||
hardware.enableAllFirmware = true;
|
||||
|
||||
sops.secrets.mpdpass = { owner = "mpd";};
|
||||
|
||||
services.navidrome = {
|
||||
navidrome = {
|
||||
enable = true;
|
||||
settings = {
|
||||
Address = "0.0.0.0";
|
||||
|
|
@ -1748,7 +1714,7 @@ My old laptop, replaced by a new one, since most basic functions have stopped to
|
|||
UIWelcomeMessage = "~SwarselSound~";
|
||||
};
|
||||
};
|
||||
services.mpd = {
|
||||
mpd = {
|
||||
enable = true;
|
||||
musicDirectory = "/mnt/Eternor/Musik";
|
||||
user = "mpd";
|
||||
|
|
@ -1771,18 +1737,7 @@ My old laptop, replaced by a new one, since most basic functions have stopped to
|
|||
};
|
||||
|
||||
|
||||
users.groups.spotifyd = {
|
||||
gid = 65136;
|
||||
};
|
||||
|
||||
users.users.spotifyd = {
|
||||
isSystemUser = true;
|
||||
uid = 65136;
|
||||
group = "spotifyd";
|
||||
extraGroups = [ "audio" "utmp" ];
|
||||
};
|
||||
|
||||
services.spotifyd = {
|
||||
spotifyd = {
|
||||
enable = true;
|
||||
settings = {
|
||||
global = {
|
||||
|
|
@ -1798,7 +1753,7 @@ My old laptop, replaced by a new one, since most basic functions have stopped to
|
|||
|
||||
# Network shares
|
||||
# add a user with sudo smbpasswd -a <user>
|
||||
services.samba = {
|
||||
samba = {
|
||||
package = pkgs.samba4Full;
|
||||
extraConfig = ''
|
||||
workgroup = WORKGROUP
|
||||
|
|
@ -1831,7 +1786,7 @@ My old laptop, replaced by a new one, since most basic functions have stopped to
|
|||
};
|
||||
|
||||
|
||||
services.avahi = {
|
||||
avahi = {
|
||||
publish.enable = true;
|
||||
publish.userServices = true;
|
||||
# ^^ Needed to allow samba to automatically register mDNS records without the need for an `extraServiceFile`
|
||||
|
|
@ -1840,20 +1795,11 @@ My old laptop, replaced by a new one, since most basic functions have stopped to
|
|||
enable = true;
|
||||
};
|
||||
|
||||
services.samba-wsdd = {
|
||||
samba-wsdd = {
|
||||
# This enables autodiscovery on windows since SMB1 (and thus netbios) support was discontinued
|
||||
enable = true;
|
||||
};
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
};
|
||||
}
|
||||
|
||||
#+end_src
|
||||
|
|
@ -3923,7 +3869,6 @@ Lastly, the machine that runs matrix needs to regularly update, as otherwise you
|
|||
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
# (unstable + "/nixos/modules/services/matrix/mautrix-signal.nix") # no longer needed; mautrix-signal was added to nixpkgs
|
||||
];
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
|
|
@ -5159,7 +5104,7 @@ Programming languages and default lsp's are defined here: [[#h:0e7e8bea-ec58-499
|
|||
|
||||
#+begin_src nix :tangle profiles/common/home.nix
|
||||
|
||||
{ config, pkgs, lib, fetchFromGitHub , ... }:
|
||||
{ config, pkgs, fetchFromGitHub , ... }:
|
||||
|
||||
{
|
||||
home.packages = with pkgs; [
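Review bot: The VPN kill-switch in the consolidated `networking` block of the sandbox profile (`firewall.enable = false;` directly followed by `firewall.extraCommands = ''sudo iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP'';`) most likely never takes effect, since as far as I recall `extraCommands` is only run by the NixOS firewall unit, which is not started when `enable = false`, and the `sudo` prefix is neither needed (the unit runs as root) nor reliably on its PATH. Either enable the firewall and open the ports nginx, samba and navidrome need, or move the rule into a oneshot systemd service, and in both cases drop the prefix so the line reads `iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP`. Separately, the new argument pattern `{ config, pkgs, sops, ... }: let` drops `unstable`, yet the unchanged `imports` entry `(unstable + "/nixos/modules/services/matrix/mautrix-signal.nix")` a few lines below still references it, so this profile should fail to evaluate with an undefined-variable error unless that import is commented out as was done for the other host later in this section. Finally, root only has key-based access via `openssh.authorizedKeys.keyFiles`, so `settings.PermitRootLogin = "yes";` on `0.0.0.0:22` is broader than needed; `settings.PermitRootLogin = "prohibit-password";` preserves the key login while refusing password attempts. The enclosing `in { ... }` attribute set spans several hunks of this section, so the surrounding context is only partly visible here.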
|
||||
|
|
|
|||
586
index.html
586
index.html
|
|
@ -3,7 +3,7 @@
|
|||
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|
||||
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
|
||||
<head>
|
||||
<!-- 2024-07-18 Do 23:36 -->
|
||||
<!-- 2024-07-19 Fr 00:29 -->
|
||||
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1" />
|
||||
<title>SwarselSystems: NixOS + Emacs Configuration</title>
|
||||
|
|
@ -387,7 +387,7 @@
|
|||
</div>
|
||||
</div>
|
||||
<p>
|
||||
<b>This file has 41177 words spanning 10930 lines and was last revised on 2024-07-18 23:36:22 +0200.</b>
|
||||
<b>This file has 40971 words spanning 10908 lines and was last revised on 2024-07-19 00:29:02 +0200.</b>
|
||||
</p>
|
||||
|
||||
<p>
|
||||
|
|
@ -437,7 +437,7 @@ This section defines my Emacs configuration. For a while, I considered to use ry
|
|||
</p>
|
||||
|
||||
<p>
|
||||
My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2024-07-18 23:36:22 +0200)
|
||||
My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2024-07-19 00:29:02 +0200)
|
||||
</p></li>
|
||||
</ul>
|
||||
|
||||
|
|
@ -1372,17 +1372,23 @@ No matter what you do, check the initial /etc/nixos/configuration.nix for notabl
|
|||
};
|
||||
|
||||
# Bootloader
|
||||
boot.loader.grub.enable = true;
|
||||
boot.loader.grub.device = "/dev/sda"; # TEMPLATE - if only one disk, this will work
|
||||
boot.loader.grub.useOSProber = true;
|
||||
boot.loader.grub = {
|
||||
enable = true;
|
||||
device = "/dev/sda"; # TEMPLATE - if only one disk, this will work
|
||||
useOSProber = true;
|
||||
};
|
||||
|
||||
# --------------------------------------
|
||||
# you might need a configuration like this instead:
|
||||
# Bootloader
|
||||
# boot.loader.grub.enable = true;
|
||||
# boot.loader.grub.devices = ["nodev" ];
|
||||
# boot.loader.grub.useOSProber = true;
|
||||
# boot.kernelPackages = pkgs.linuxPackages_latest;
|
||||
# boot = {
|
||||
# kernelPackages = pkgs.linuxPackages_latest;
|
||||
# loader.grub = {
|
||||
# enable = true;
|
||||
# devices = ["nodev" ];
|
||||
# useOSProber = true;
|
||||
# };
|
||||
# };
|
||||
# --------------------------------------
|
||||
|
||||
networking.hostName = "TEMPLATE"; # Define your hostname.
|
||||
|
|
@ -1629,31 +1635,109 @@ My old laptop, replaced by a new one, since most basic functions have stopped to
|
|||
<div class="outline-text-6" id="text-h:23b0f629-343c-42fa-bf9b-70bea341c0d2">
|
||||
<div class="org-src-container">
|
||||
<pre class="src src-nix">
|
||||
{ config, pkgs, unstable, sops, ... }: let
|
||||
{ config, pkgs, sops, ... }: let
|
||||
matrixDomain = "swatrix.swarsel.win";
|
||||
in {
|
||||
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
# we import here a service that is not available yet on normal nixpkgs
|
||||
# this module is hence not in the modules list, we add it ourselves
|
||||
(unstable + "/nixos/modules/services/matrix/mautrix-signal.nix")
|
||||
];
|
||||
|
||||
boot.loader.grub = {
|
||||
enable = true;
|
||||
device = "/dev/sda";
|
||||
useOSProber = true;
|
||||
supportedFilesystems = [ "zfs" ];
|
||||
zfs.forceImportRoot = false;
|
||||
kernelModules = [ "tun" ];
|
||||
kernel.sysctl = {
|
||||
"net.ipv4.conf.all.rp_filter" = 2;
|
||||
"net.ipv4.conf.default.rp_filter" = 2;
|
||||
"net.ipv4.conf.enp7s0.rp_filter" = 2;
|
||||
};
|
||||
};
|
||||
|
||||
users.users.swarsel = {
|
||||
networking = {
|
||||
hostId = "8a8ad84a";
|
||||
hostName = "sandbox"; # Define your hostname.
|
||||
enableIPv6 = true;
|
||||
firewall.enable = false;
|
||||
firewall.extraCommands = ''
|
||||
sudo iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP
|
||||
'';
|
||||
iproute2 = {
|
||||
enable = true;
|
||||
rttablesExtraConfig = ''
|
||||
200 vpn
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
hardware.graphics = {
|
||||
enable = true;
|
||||
hardware.enableAllFirmware = true;
|
||||
extraPackages = with pkgs; [
|
||||
intel-media-driver # LIBVA_DRIVER_NAME=iHD
|
||||
vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
|
||||
vaapiVdpau
|
||||
libvdpau-va-gl
|
||||
];
|
||||
};
|
||||
|
||||
sound = {
|
||||
enable = true;
|
||||
};
|
||||
|
||||
users = {
|
||||
groups = {
|
||||
vpn = {};
|
||||
mpd = {};
|
||||
navidrome = {
|
||||
gid = 61593;
|
||||
};
|
||||
spotifyd = {
|
||||
gid = 65136;
|
||||
};
|
||||
};
|
||||
users = {
|
||||
jellyfin = {
|
||||
extraGroups = [ "video" "render" ];
|
||||
};
|
||||
vpn = {
|
||||
isNormalUser = true;
|
||||
group = "vpn";
|
||||
home = "/home/vpn";
|
||||
};
|
||||
navidrome = {
|
||||
isSystemUser = true;
|
||||
uid = 61593;
|
||||
group = "navidrome";
|
||||
extraGroups = [ "audio" "utmp" ];
|
||||
};
|
||||
spotifyd = {
|
||||
isSystemUser = true;
|
||||
uid = 65136;
|
||||
group = "spotifyd";
|
||||
extraGroups = [ "audio" "utmp" ];
|
||||
};
|
||||
mpd = {
|
||||
isSystemUser = true;
|
||||
group = "mpd";
|
||||
extraGroups = [ "audio" "utmp" ];
|
||||
};
|
||||
swarsel = {
|
||||
isNormalUser = true;
|
||||
description = "Leon S";
|
||||
extraGroups = [ "networkmanager" "wheel" "lp"];
|
||||
packages = with pkgs; [];
|
||||
};
|
||||
|
||||
# actual config starts here
|
||||
root = {
|
||||
openssh.authorizedKeys.keyFiles = [
|
||||
../../secrets/keys/authorized_keys
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
fileSystems."/mnt/Eternor" = {
|
||||
device = "//192.168.1.3/Eternor";
|
||||
|
|
@ -1664,7 +1748,8 @@ My old laptop, replaced by a new one, since most basic functions have stopped to
|
|||
in ["${automount_opts},credentials=/etc/nixos/smb-secrets,uid=1000,gid=100"];
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
environment = {
|
||||
systemPackages = with pkgs; [
|
||||
git
|
||||
gnupg
|
||||
ssh-to-age
|
||||
|
|
@ -1684,51 +1769,121 @@ My old laptop, replaced by a new one, since most basic functions have stopped to
|
|||
mpv
|
||||
zfs
|
||||
];
|
||||
|
||||
services.xserver = {
|
||||
layout = "us";
|
||||
xkbVariant = "altgr-intl";
|
||||
etc = {
|
||||
"openvpn/iptables.sh" =
|
||||
{ source = ../../scripts/server1/iptables.sh;
|
||||
mode = "0755";
|
||||
};
|
||||
|
||||
nix.settings.experimental-features = ["nix-command" "flakes"];
|
||||
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
settings.PermitRootLogin = "yes";
|
||||
listenAddresses = [{
|
||||
port = 22;
|
||||
addr = "0.0.0.0";
|
||||
}];
|
||||
"openvpn/update-resolv-conf" =
|
||||
{ source = ../../scripts/server1/update-resolv-conf;
|
||||
mode = "0755";
|
||||
};
|
||||
users.users.root.openssh.authorizedKeys.keyFiles = [
|
||||
../../secrets/keys/authorized_keys
|
||||
];
|
||||
|
||||
system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
|
||||
|
||||
environment.shellAliases = {
|
||||
"openvpn/routing.sh" =
|
||||
{ source = ../../scripts/server1/routing.sh;
|
||||
mode = "0755";
|
||||
};
|
||||
"openvpn/ca.rsa.2048.crt" =
|
||||
{ source = ../../secrets/certs/ca.rsa.2048.crt;
|
||||
mode = "0644";
|
||||
};
|
||||
"openvpn/crl.rsa.2048.pem" =
|
||||
{ source = ../../secrets/certs/crl.rsa.2048.pem;
|
||||
mode = "0644";
|
||||
};
|
||||
};
|
||||
shellAliases = {
|
||||
nswitch = "cd ~/.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
|
||||
};
|
||||
};
|
||||
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
boot.zfs.forceImportRoot = false;
|
||||
networking.hostId = "8a8ad84a";
|
||||
systemd = {
|
||||
timers."restart-bridges" = {
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig = {
|
||||
OnBootSec = "1d";
|
||||
OnUnitActiveSec = "1d";
|
||||
Unit = "restart-bridges.service";
|
||||
};
|
||||
};
|
||||
|
||||
networking.hostName = "sandbox"; # Define your hostname.
|
||||
networking.enableIPv6 = true;
|
||||
networking.firewall.enable = false;
|
||||
services."restart-bridges" = {
|
||||
script = ''
|
||||
systemctl restart mautrix-whatsapp.service
|
||||
systemctl restart mautrix-signal.service
|
||||
systemctl restart mautrix-telegram.service
|
||||
'';
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = "root";
|
||||
};
|
||||
};
|
||||
};
|
||||
nix.settings.experimental-features = ["nix-command" "flakes"];
|
||||
|
||||
system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
|
||||
|
||||
documentation = {
|
||||
enable = false;
|
||||
};
|
||||
|
||||
sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
|
||||
sops.defaultSopsFile = "/root/.dotfiles/secrets/sandbox/secrets.yaml";
|
||||
sops.validateSopsFiles = false;
|
||||
sops.secrets.dnstokenfull = {owner="acme";};
|
||||
sops.templates."certs.secret".content = ''
|
||||
sops = {
|
||||
age.sshKeyPaths = [ "/etc/ssh/sops" ];
|
||||
defaultSopsFile = "/root/.dotfiles/secrets/sandbox/secrets.yaml";
|
||||
validateSopsFiles = false;
|
||||
secrets = {
|
||||
dnstokenfull = {owner="acme";};
|
||||
kavita = { owner = "kavita";};
|
||||
vpnuser = {};
|
||||
rpcuser = {owner="vpn";};
|
||||
vpnpass = {};
|
||||
rpcpass = {owner="vpn";};
|
||||
vpnprot = {};
|
||||
vpnloc = {};
|
||||
mpdpass = { owner = "mpd";};
|
||||
};
|
||||
templates = {
|
||||
"transmission-rpc" = {
|
||||
owner = "vpn";
|
||||
content = builtins.toJSON {
|
||||
rpc-username = config.sops.placeholder.rpcuser;
|
||||
rpc-password = config.sops.placeholder.rpcpass;
|
||||
};
|
||||
};
|
||||
|
||||
pia.content = ''
|
||||
${config.sops.placeholder.vpnuser}
|
||||
${config.sops.placeholder.vpnpass}
|
||||
'';
|
||||
|
||||
vpn.content = ''
|
||||
client
|
||||
dev tun
|
||||
proto ${config.sops.placeholder.vpnprot}
|
||||
remote ${config.sops.placeholder.vpnloc}
|
||||
resolv-retry infinite
|
||||
nobind
|
||||
persist-key
|
||||
persist-tun
|
||||
cipher aes-128-cbc
|
||||
auth sha1
|
||||
tls-client
|
||||
remote-cert-tls server
|
||||
|
||||
auth-user-pass ${config.sops.templates.pia.path}
|
||||
compress
|
||||
verb 1
|
||||
reneg-sec 0
|
||||
|
||||
crl-verify /etc/openvpn/crl.rsa.2048.pem
|
||||
ca /etc/openvpn/ca.rsa.2048.crt
|
||||
|
||||
disable-occ
|
||||
'';
|
||||
"certs.secret".content = ''
|
||||
CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
|
|
@ -1738,7 +1893,22 @@ networking.hostId = "8a8ad84a";
|
|||
defaults.environmentFile = "${config.sops.templates."certs.secret".path}";
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
services = {
|
||||
xserver = {
|
||||
layout = "us";
|
||||
xkbVariant = "altgr-intl";
|
||||
};
|
||||
|
||||
openssh = {
|
||||
enable = true;
|
||||
settings.PermitRootLogin = "yes";
|
||||
listenAddresses = [{
|
||||
port = 22;
|
||||
addr = "0.0.0.0";
|
||||
}];
|
||||
};
|
||||
|
||||
nginx = {
|
||||
enable = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
|
|
@ -1757,9 +1927,6 @@ networking.hostId = "8a8ad84a";
|
|||
client_max_body_size 0;
|
||||
'';
|
||||
};
|
||||
# "/push/" = {
|
||||
# proxyPass = "http://192.168.2.5:7867";
|
||||
# };
|
||||
"/.well-known/carddav" = {
|
||||
return = "301 $scheme://$host/remote.php/dav";
|
||||
};
|
||||
|
|
@ -1845,167 +2012,48 @@ networking.hostId = "8a8ad84a";
|
|||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
sops.secrets.kavita = { owner = "kavita";};
|
||||
|
||||
services.kavita = {
|
||||
kavita = {
|
||||
enable = true;
|
||||
user = "kavita";
|
||||
port = 8080;
|
||||
tokenKeyFile = config.sops.secrets.kavita.path;
|
||||
};
|
||||
|
||||
users.users.jellyfin = {
|
||||
extraGroups = [ "video" "render" ];
|
||||
};
|
||||
|
||||
# nixpkgs.config.packageOverrides = pkgs: {
|
||||
# vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
|
||||
# };
|
||||
|
||||
hardware.graphics = {
|
||||
enable = true;
|
||||
extraPackages = with pkgs; [
|
||||
intel-media-driver # LIBVA_DRIVER_NAME=iHD
|
||||
vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
|
||||
vaapiVdpau
|
||||
libvdpau-va-gl
|
||||
];
|
||||
};
|
||||
|
||||
services.jellyfin = {
|
||||
jellyfin = {
|
||||
enable = true;
|
||||
user = "jellyfin";
|
||||
# openFirewall = true; # this works only for the default ports
|
||||
};
|
||||
|
||||
users.groups.vpn = {};
|
||||
|
||||
users.users.vpn = {
|
||||
isNormalUser = true;
|
||||
group = "vpn";
|
||||
home = "/home/vpn";
|
||||
};
|
||||
|
||||
boot.kernelModules = [ "tun" ];
|
||||
|
||||
services.radarr = {
|
||||
radarr = {
|
||||
enable = true;
|
||||
};
|
||||
|
||||
services.readarr = {
|
||||
readarr = {
|
||||
enable = true;
|
||||
};
|
||||
services.sonarr = {
|
||||
sonarr = {
|
||||
enable = true;
|
||||
};
|
||||
services.lidarr = {
|
||||
lidarr = {
|
||||
enable = true;
|
||||
};
|
||||
services.prowlarr = {
|
||||
prowlarr = {
|
||||
enable = true;
|
||||
};
|
||||
|
||||
networking.firewall.extraCommands = ''
|
||||
sudo iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP
|
||||
'';
|
||||
networking.iproute2 = {
|
||||
enable = true;
|
||||
rttablesExtraConfig = ''
|
||||
200 vpn
|
||||
'';
|
||||
};
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv4.conf.all.rp_filter" = 2;
|
||||
"net.ipv4.conf.default.rp_filter" = 2;
|
||||
"net.ipv4.conf.enp7s0.rp_filter" = 2;
|
||||
};
|
||||
environment.etc = {
|
||||
"openvpn/iptables.sh" =
|
||||
{ source = ../../scripts/server1/iptables.sh;
|
||||
mode = "0755";
|
||||
};
|
||||
"openvpn/update-resolv-conf" =
|
||||
{ source = ../../scripts/server1/update-resolv-conf;
|
||||
mode = "0755";
|
||||
};
|
||||
"openvpn/routing.sh" =
|
||||
{ source = ../../scripts/server1/routing.sh;
|
||||
mode = "0755";
|
||||
};
|
||||
"openvpn/ca.rsa.2048.crt" =
|
||||
{ source = ../../secrets/certs/ca.rsa.2048.crt;
|
||||
mode = "0644";
|
||||
};
|
||||
"openvpn/crl.rsa.2048.pem" =
|
||||
{ source = ../../secrets/certs/crl.rsa.2048.pem;
|
||||
mode = "0644";
|
||||
};
|
||||
};
|
||||
|
||||
sops.secrets.vpnuser = {};
|
||||
sops.secrets.rpcuser = {owner="vpn";};
|
||||
sops.secrets.vpnpass = {};
|
||||
sops.secrets.rpcpass = {owner="vpn";};
|
||||
sops.secrets.vpnprot = {};
|
||||
sops.secrets.vpnloc = {};
|
||||
# sops.secrets.crlpem = {};
|
||||
# sops.secrets.capem = {};
|
||||
sops.templates."transmission-rpc".owner = "vpn";
|
||||
sops.templates."transmission-rpc".content = builtins.toJSON {
|
||||
rpc-username = config.sops.placeholder.rpcuser;
|
||||
rpc-password = config.sops.placeholder.rpcpass;
|
||||
};
|
||||
|
||||
sops.templates.pia.content = ''
|
||||
${config.sops.placeholder.vpnuser}
|
||||
${config.sops.placeholder.vpnpass}
|
||||
'';
|
||||
|
||||
sops.templates.vpn.content = ''
|
||||
client
|
||||
dev tun
|
||||
proto ${config.sops.placeholder.vpnprot}
|
||||
remote ${config.sops.placeholder.vpnloc}
|
||||
resolv-retry infinite
|
||||
nobind
|
||||
persist-key
|
||||
persist-tun
|
||||
cipher aes-128-cbc
|
||||
auth sha1
|
||||
tls-client
|
||||
remote-cert-tls server
|
||||
|
||||
auth-user-pass ${config.sops.templates.pia.path}
|
||||
compress
|
||||
verb 1
|
||||
reneg-sec 0
|
||||
|
||||
crl-verify /etc/openvpn/crl.rsa.2048.pem
|
||||
ca /etc/openvpn/ca.rsa.2048.crt
|
||||
|
||||
disable-occ
|
||||
'';
|
||||
|
||||
services.openvpn.servers = {
|
||||
openvpn.servers = {
|
||||
pia = {
|
||||
autoStart = true;
|
||||
updateResolvConf = false;
|
||||
config = "config ${config.sops.templates.vpn.path}";
|
||||
};
|
||||
};
|
||||
|
||||
services.transmission = {
|
||||
transmission = {
|
||||
enable = true;
|
||||
credentialsFile = config.sops.templates."transmission-rpc".path;
|
||||
user = "vpn";
|
||||
settings = {
|
||||
|
||||
alt-speed-down= 8000;
|
||||
alt-speed-enabled= false;
|
||||
alt-speed-time-begin= 0;
|
||||
|
|
@ -2077,26 +2125,6 @@ networking.hostId = "8a8ad84a";
|
|||
};
|
||||
};
|
||||
|
||||
# services.nginx = {
|
||||
# enable = true;
|
||||
# virtualHosts = {
|
||||
|
||||
# "192.168.1.192" = {
|
||||
# locations = {
|
||||
# "/transmission" = {
|
||||
# proxyPass = "http://127.0.0.1:9091";
|
||||
# extraConfig = ''
|
||||
# proxy_set_header Host $host;
|
||||
# proxy_set_header X-Real-IP $remote_addr;
|
||||
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
# '';
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
|
||||
|
||||
# sops.secrets.matrixsharedsecret = {owner="matrix-synapse";};
|
||||
# sops.templates."matrix_user_register.sh".content = ''
|
||||
# register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008
|
||||
|
|
@ -2127,8 +2155,9 @@ networking.hostId = "8a8ad84a";
|
|||
# MAUTRIX_WHATSAPP_BRIDGE_LOGIN_SHARED_SECRET=${config.sops.placeholder.mautrixwhatsapp_shared}
|
||||
# '';
|
||||
|
||||
services.postgresql.enable = true;
|
||||
services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
|
||||
postgresql = {
|
||||
enable = true;
|
||||
initialScript = pkgs.writeText "synapse-init.sql" ''
|
||||
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
|
||||
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
|
||||
TEMPLATE template0
|
||||
|
|
@ -2150,8 +2179,8 @@ networking.hostId = "8a8ad84a";
|
|||
LC_COLLATE = "C"
|
||||
LC_CTYPE = "C";
|
||||
'';
|
||||
|
||||
services.matrix-synapse = {
|
||||
};
|
||||
matrix-synapse = {
|
||||
settings.app_service_config_files = [
|
||||
"/var/lib/matrix-synapse/telegram-registration.yaml"
|
||||
"/var/lib/matrix-synapse/whatsapp-registration.yaml"
|
||||
|
|
@ -2180,7 +2209,7 @@ networking.hostId = "8a8ad84a";
|
|||
];
|
||||
};
|
||||
|
||||
services.mautrix-telegram = {
|
||||
mautrix-telegram = {
|
||||
enable = false;
|
||||
environmentFile = config.sops.templates.mautrixtelegram.path;
|
||||
settings = {
|
||||
|
|
@ -2216,12 +2245,6 @@ networking.hostId = "8a8ad84a";
|
|||
"*" = "relaybot";
|
||||
"@swarsel:${matrixDomain}" = "admin";
|
||||
};
|
||||
# Animated stickers conversion requires additional packages in the
|
||||
# service's path.
|
||||
# If this isn't a fresh installation, clearing the bridge's uploaded
|
||||
# file cache might be necessary (make a database backup first!):
|
||||
# delete from telegram_file where \
|
||||
# mime_type in ('application/gzip', 'application/octet-stream')
|
||||
animated_sticker = {
|
||||
target = "gif";
|
||||
args = {
|
||||
|
|
@ -2234,12 +2257,8 @@ networking.hostId = "8a8ad84a";
|
|||
};
|
||||
};
|
||||
};
|
||||
# systemd.services.mautrix-telegram.path = with pkgs; [
|
||||
# lottieconverter # for animated stickers conversion, unfree package
|
||||
# ffmpeg # if converting animated stickers to webm (very slow!)
|
||||
# ];
|
||||
|
||||
services.mautrix-whatsapp = {
|
||||
mautrix-whatsapp = {
|
||||
enable = false;
|
||||
# environmentFile = config.sops.templates.mautrixwhatsapp.path;
|
||||
settings = {
|
||||
|
|
@ -2286,9 +2305,8 @@ networking.hostId = "8a8ad84a";
|
|||
};
|
||||
};
|
||||
|
||||
services.mautrix-signal = {
|
||||
mautrix-signal = {
|
||||
enable = false;
|
||||
# environmentFile = config.sops.templates.mautrixwhatsapp.path;
|
||||
settings = {
|
||||
homeserver = {
|
||||
address = "http://localhost:8008";
|
||||
|
|
@ -2318,59 +2336,7 @@ networking.hostId = "8a8ad84a";
|
|||
};
|
||||
};
|
||||
|
||||
# restart the bridges daily. this is done for the signal bridge mainly which stops carrying
|
||||
# messages out after a while.
|
||||
|
||||
systemd.timers."restart-bridges" = {
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig = {
|
||||
OnBootSec = "1d";
|
||||
OnUnitActiveSec = "1d";
|
||||
Unit = "restart-bridges.service";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services."restart-bridges" = {
|
||||
script = ''
|
||||
systemctl restart mautrix-whatsapp.service
|
||||
systemctl restart mautrix-signal.service
|
||||
systemctl restart mautrix-telegram.service
|
||||
'';
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = "root";
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
users.groups.navidrome = {
|
||||
gid = 61593;
|
||||
};
|
||||
|
||||
users.groups.mpd = {};
|
||||
|
||||
users.users.navidrome = {
|
||||
isSystemUser = true;
|
||||
uid = 61593;
|
||||
group = "navidrome";
|
||||
extraGroups = [ "audio" "utmp" ];
|
||||
};
|
||||
|
||||
users.users.mpd = {
|
||||
isSystemUser = true;
|
||||
group = "mpd";
|
||||
extraGroups = [ "audio" "utmp" ];
|
||||
};
|
||||
|
||||
sound = {
|
||||
enable = true;
|
||||
};
|
||||
|
||||
hardware.enableAllFirmware = true;
|
||||
|
||||
sops.secrets.mpdpass = { owner = "mpd";};
|
||||
|
||||
services.navidrome = {
|
||||
navidrome = {
|
||||
enable = true;
|
||||
settings = {
|
||||
Address = "0.0.0.0";
|
||||
|
|
@ -2389,7 +2355,7 @@ networking.hostId = "8a8ad84a";
|
|||
UIWelcomeMessage = "~SwarselSound~";
|
||||
};
|
||||
};
|
||||
services.mpd = {
|
||||
mpd = {
|
||||
enable = true;
|
||||
musicDirectory = "/mnt/Eternor/Musik";
|
||||
user = "mpd";
|
||||
|
|
@ -2412,18 +2378,7 @@ networking.hostId = "8a8ad84a";
|
|||
};
|
||||
|
||||
|
||||
users.groups.spotifyd = {
|
||||
gid = 65136;
|
||||
};
|
||||
|
||||
users.users.spotifyd = {
|
||||
isSystemUser = true;
|
||||
uid = 65136;
|
||||
group = "spotifyd";
|
||||
extraGroups = [ "audio" "utmp" ];
|
||||
};
|
||||
|
||||
services.spotifyd = {
|
||||
spotifyd = {
|
||||
enable = true;
|
||||
settings = {
|
||||
global = {
|
||||
|
|
@ -2439,7 +2394,7 @@ networking.hostId = "8a8ad84a";
|
|||
|
||||
# Network shares
|
||||
# add a user with sudo smbpasswd -a <user>
|
||||
services.samba = {
|
||||
samba = {
|
||||
package = pkgs.samba4Full;
|
||||
extraConfig = ''
|
||||
workgroup = WORKGROUP
|
||||
|
|
@ -2472,7 +2427,7 @@ networking.hostId = "8a8ad84a";
|
|||
};
|
||||
|
||||
|
||||
services.avahi = {
|
||||
avahi = {
|
||||
publish.enable = true;
|
||||
publish.userServices = true;
|
||||
# ^^ Needed to allow samba to automatically register mDNS records without the need for an `extraServiceFile`
|
||||
|
|
@ -2481,20 +2436,11 @@ networking.hostId = "8a8ad84a";
|
|||
enable = true;
|
||||
};
|
||||
|
||||
services.samba-wsdd = {
|
||||
samba-wsdd = {
|
||||
# This enables autodiscovery on windows since SMB1 (and thus netbios) support was discontinued
|
||||
enable = true;
|
||||
};
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
};
|
||||
}
|
||||
|
||||
</pre>
|
||||
|
|
@ -5020,7 +4966,6 @@ in {
|
|||
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
# (unstable + "/nixos/modules/services/matrix/mautrix-signal.nix") # no longer needed; mautrix-signal was added to nixpkgs
|
||||
];
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
|
|
@ -6363,7 +6308,7 @@ Programming languages and default lsp's are defined here: <a href="#h:0e7e8bea-e
|
|||
<div class="outline-text-5" id="text-h:6ef9bb5f-c5ee-496e-86e2-d8d271a34d75">
|
||||
<div class="org-src-container">
|
||||
<pre class="src src-nix">
|
||||
{ config, pkgs, lib, fetchFromGitHub , ... }:
|
||||
{ config, pkgs, fetchFromGitHub , ... }:
|
||||
|
||||
{
|
||||
home.packages = with pkgs; [
|
||||
|
|
@ -9387,6 +9332,39 @@ The standard Emacs behaviour for the Python process shell is a bit annoying. Thi
|
|||
(python-shell-send-region (region-beginning) (region-end))
|
||||
(python-shell-switch-to-shell))
|
||||
|
||||
</pre>
|
||||
</div>
|
||||
</div>
|
||||
</li>
|
||||
<li><a id="org03da7a6"></a>Nix common prefix bracketer<br />
|
||||
<div class="outline-text-5" id="text-4-2-1-15">
|
||||
<p>
|
||||
This function searches for common delimiters in region and removes them, summarizing all captured lines by it.
|
||||
</p>
|
||||
|
||||
<div class="org-src-container">
|
||||
<pre class="src src-emacs-lisp">
|
||||
(defun swarsel/prefix-block (start end)
|
||||
(interactive "r")
|
||||
(save-excursion
|
||||
(goto-char start)
|
||||
(setq start (line-beginning-position))
|
||||
(goto-char end)
|
||||
(setq end (line-end-position))
|
||||
(let ((common-prefix (save-excursion
|
||||
(goto-char start)
|
||||
(if (re-search-forward "^\\([^.\n]+\\)\\." end t)
|
||||
(match-string 1)
|
||||
(error "No common prefix found")))))
|
||||
(save-excursion
|
||||
(goto-char start)
|
||||
(insert common-prefix " = {\n")
|
||||
(goto-char (+ end (length common-prefix) 6))
|
||||
(insert "};\n")
|
||||
(goto-char start)
|
||||
(while (re-search-forward (concat "^" (regexp-quote common-prefix) "\\.") end t)
|
||||
(replace-match ""))))))
|
||||
|
||||
</pre>
|
||||
</div>
|
||||
</div>
|
||||
|
|
@ -9753,6 +9731,10 @@ Lastly, I load the <code>highlight-indent-guides</code> package. This adds a nea
|
|||
(set-face-attribute 'highlight-indent-guides-odd-face nil :background "gray20")
|
||||
(set-face-attribute 'highlight-indent-guides-stack-even-face nil :background "gray40")
|
||||
(set-face-attribute 'highlight-indent-guides-stack-odd-face nil :background "gray50"))
|
||||
|
||||
(use-package aggressive-indent)
|
||||
(global-aggressive-indent-mode 1)
|
||||
|
||||
</pre>
|
||||
</div>
|
||||
</div>
|
||||
|
|
@ -12925,7 +12907,7 @@ My laptop, sadly soon to be replaced by a new one, since most basic functions ar
|
|||
</div>
|
||||
<div id="postamble" class="status">
|
||||
<p class="author">Author: Leon Schwarzäugl</p>
|
||||
<p class="date">Created: 2024-07-18 Do 23:36</p>
|
||||
<p class="date">Created: 2024-07-19 Fr 00:29</p>
|
||||
<p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
|
||||
</div>
|
||||
</body>
|
||||
|
|
|
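--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -15,17 +15,23 @@
 };
 
 # Bootloader
-boot.loader.grub.enable = true;
-boot.loader.grub.device = "/dev/sda"; # TEMPLATE - if only one disk, this will work
-boot.loader.grub.useOSProber = true;
+boot.loader.grub = {
+enable = true;
+device = "/dev/sda"; # TEMPLATE - if only one disk, this will work
+useOSProber = true;
+};
 
 # --------------------------------------
 # you might need a configuration like this instead:
 # Bootloader
-# boot.loader.grub.enable = true;
-# boot.loader.grub.devices = ["nodev" ];
-# boot.loader.grub.useOSProber = true;
-# boot.kernelPackages = pkgs.linuxPackages_latest;
+# boot = {
+# kernelPackages = pkgs.linuxPackages_latest;
+# loader.grub = {
+# enable = true;
+# devices = ["nodev" ];
+# useOSProber = true;
+# };
+# };
 # --------------------------------------
 
 networking.hostName = "TEMPLATE"; # Define your hostname.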
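--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, fetchFromGitHub , ... }:
+{ config, pkgs, fetchFromGitHub , ... }:
 
 {
 home.packages = with pkgs; [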
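--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -4,7 +4,6 @@ in {
 
 imports = [
 ./hardware-configuration.nix
-# (unstable + "/nixos/modules/services/matrix/mautrix-signal.nix") # no longer needed; mautrix-signal was added to nixpkgs
 ];
 
 environment.systemPackages = with pkgs; [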
|||
|
|
@ -1,28 +1,106 @@
|
|||
{ config, pkgs, unstable, sops, ... }: let
|
||||
{ config, pkgs, sops, ... }: let
|
||||
matrixDomain = "swatrix.swarsel.win";
|
||||
in {
|
||||
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
# we import here a service that is not available yet on normal nixpkgs
|
||||
# this module is hence not in the modules list, we add it ourselves
|
||||
(unstable + "/nixos/modules/services/matrix/mautrix-signal.nix")
|
||||
];
|
||||
|
||||
boot.loader.grub = {
|
||||
enable = true;
|
||||
device = "/dev/sda";
|
||||
useOSProber = true;
|
||||
supportedFilesystems = [ "zfs" ];
|
||||
zfs.forceImportRoot = false;
|
||||
kernelModules = [ "tun" ];
|
||||
kernel.sysctl = {
|
||||
"net.ipv4.conf.all.rp_filter" = 2;
|
||||
"net.ipv4.conf.default.rp_filter" = 2;
|
||||
"net.ipv4.conf.enp7s0.rp_filter" = 2;
|
||||
};
|
||||
};
|
||||
|
||||
users.users.swarsel = {
|
||||
networking = {
|
||||
hostId = "8a8ad84a";
|
||||
hostName = "sandbox"; # Define your hostname.
|
||||
enableIPv6 = true;
|
||||
firewall.enable = false;
|
||||
firewall.extraCommands = ''
|
||||
sudo iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP
|
||||
'';
|
||||
iproute2 = {
|
||||
enable = true;
|
||||
rttablesExtraConfig = ''
|
||||
200 vpn
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
hardware.graphics = {
|
||||
enable = true;
|
||||
hardware.enableAllFirmware = true;
|
||||
extraPackages = with pkgs; [
|
||||
intel-media-driver # LIBVA_DRIVER_NAME=iHD
|
||||
vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
|
||||
vaapiVdpau
|
||||
libvdpau-va-gl
|
||||
];
|
||||
};
|
||||
|
||||
sound = {
|
||||
enable = true;
|
||||
};
|
||||
|
||||
users = {
|
||||
groups = {
|
||||
vpn = {};
|
||||
mpd = {};
|
||||
navidrome = {
|
||||
gid = 61593;
|
||||
};
|
||||
spotifyd = {
|
||||
gid = 65136;
|
||||
};
|
||||
};
|
||||
users = {
|
||||
jellyfin = {
|
||||
extraGroups = [ "video" "render" ];
|
||||
};
|
||||
vpn = {
|
||||
isNormalUser = true;
|
||||
group = "vpn";
|
||||
home = "/home/vpn";
|
||||
};
|
||||
navidrome = {
|
||||
isSystemUser = true;
|
||||
uid = 61593;
|
||||
group = "navidrome";
|
||||
extraGroups = [ "audio" "utmp" ];
|
||||
};
|
||||
spotifyd = {
|
||||
isSystemUser = true;
|
||||
uid = 65136;
|
||||
group = "spotifyd";
|
||||
extraGroups = [ "audio" "utmp" ];
|
||||
};
|
||||
mpd = {
|
||||
isSystemUser = true;
|
||||
group = "mpd";
|
||||
extraGroups = [ "audio" "utmp" ];
|
||||
};
|
||||
swarsel = {
|
||||
isNormalUser = true;
|
||||
description = "Leon S";
|
||||
extraGroups = [ "networkmanager" "wheel" "lp"];
|
||||
packages = with pkgs; [];
|
||||
};
|
||||
|
||||
# actual config starts here
|
||||
root = {
|
||||
openssh.authorizedKeys.keyFiles = [
|
||||
../../secrets/keys/authorized_keys
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
fileSystems."/mnt/Eternor" = {
|
||||
device = "//192.168.1.3/Eternor";
|
||||
|
|
@ -33,7 +111,8 @@
|
|||
in ["${automount_opts},credentials=/etc/nixos/smb-secrets,uid=1000,gid=100"];
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
environment = {
|
||||
systemPackages = with pkgs; [
|
||||
git
|
||||
gnupg
|
||||
ssh-to-age
|
||||
|
|
@ -53,51 +132,121 @@
|
|||
mpv
|
||||
zfs
|
||||
];
|
||||
|
||||
services.xserver = {
|
||||
layout = "us";
|
||||
xkbVariant = "altgr-intl";
|
||||
etc = {
|
||||
"openvpn/iptables.sh" =
|
||||
{ source = ../../scripts/server1/iptables.sh;
|
||||
mode = "0755";
|
||||
};
|
||||
|
||||
nix.settings.experimental-features = ["nix-command" "flakes"];
|
||||
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
settings.PermitRootLogin = "yes";
|
||||
listenAddresses = [{
|
||||
port = 22;
|
||||
addr = "0.0.0.0";
|
||||
}];
|
||||
"openvpn/update-resolv-conf" =
|
||||
{ source = ../../scripts/server1/update-resolv-conf;
|
||||
mode = "0755";
|
||||
};
|
||||
users.users.root.openssh.authorizedKeys.keyFiles = [
|
||||
../../secrets/keys/authorized_keys
|
||||
];
|
||||
|
||||
system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
|
||||
|
||||
environment.shellAliases = {
|
||||
"openvpn/routing.sh" =
|
||||
{ source = ../../scripts/server1/routing.sh;
|
||||
mode = "0755";
|
||||
};
|
||||
"openvpn/ca.rsa.2048.crt" =
|
||||
{ source = ../../secrets/certs/ca.rsa.2048.crt;
|
||||
mode = "0644";
|
||||
};
|
||||
"openvpn/crl.rsa.2048.pem" =
|
||||
{ source = ../../secrets/certs/crl.rsa.2048.pem;
|
||||
mode = "0644";
|
||||
};
|
||||
};
|
||||
shellAliases = {
|
||||
nswitch = "cd ~/.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
|
||||
};
|
||||
};
|
||||
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
boot.zfs.forceImportRoot = false;
|
||||
networking.hostId = "8a8ad84a";
|
||||
systemd = {
|
||||
timers."restart-bridges" = {
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig = {
|
||||
OnBootSec = "1d";
|
||||
OnUnitActiveSec = "1d";
|
||||
Unit = "restart-bridges.service";
|
||||
};
|
||||
};
|
||||
|
||||
networking.hostName = "sandbox"; # Define your hostname.
|
||||
networking.enableIPv6 = true;
|
||||
networking.firewall.enable = false;
|
||||
services."restart-bridges" = {
|
||||
script = ''
|
||||
systemctl restart mautrix-whatsapp.service
|
||||
systemctl restart mautrix-signal.service
|
||||
systemctl restart mautrix-telegram.service
|
||||
'';
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = "root";
|
||||
};
|
||||
};
|
||||
};
|
||||
nix.settings.experimental-features = ["nix-command" "flakes"];
|
||||
|
||||
system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
|
||||
|
||||
documentation = {
|
||||
enable = false;
|
||||
};
|
||||
|
||||
sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
|
||||
sops.defaultSopsFile = "/root/.dotfiles/secrets/sandbox/secrets.yaml";
|
||||
sops.validateSopsFiles = false;
|
||||
sops.secrets.dnstokenfull = {owner="acme";};
|
||||
sops.templates."certs.secret".content = ''
|
||||
sops = {
|
||||
age.sshKeyPaths = [ "/etc/ssh/sops" ];
|
||||
defaultSopsFile = "/root/.dotfiles/secrets/sandbox/secrets.yaml";
|
||||
validateSopsFiles = false;
|
||||
secrets = {
|
||||
dnstokenfull = {owner="acme";};
|
||||
kavita = { owner = "kavita";};
|
||||
vpnuser = {};
|
||||
rpcuser = {owner="vpn";};
|
||||
vpnpass = {};
|
||||
rpcpass = {owner="vpn";};
|
||||
vpnprot = {};
|
||||
vpnloc = {};
|
||||
mpdpass = { owner = "mpd";};
|
||||
};
|
||||
templates = {
|
||||
"transmission-rpc" = {
|
||||
owner = "vpn";
|
||||
content = builtins.toJSON {
|
||||
rpc-username = config.sops.placeholder.rpcuser;
|
||||
rpc-password = config.sops.placeholder.rpcpass;
|
||||
};
|
||||
};
|
||||
|
||||
pia.content = ''
|
||||
${config.sops.placeholder.vpnuser}
|
||||
${config.sops.placeholder.vpnpass}
|
||||
'';
|
||||
|
||||
vpn.content = ''
|
||||
client
|
||||
dev tun
|
||||
proto ${config.sops.placeholder.vpnprot}
|
||||
remote ${config.sops.placeholder.vpnloc}
|
||||
resolv-retry infinite
|
||||
nobind
|
||||
persist-key
|
||||
persist-tun
|
||||
cipher aes-128-cbc
|
||||
auth sha1
|
||||
tls-client
|
||||
remote-cert-tls server
|
||||
|
||||
auth-user-pass ${config.sops.templates.pia.path}
|
||||
compress
|
||||
verb 1
|
||||
reneg-sec 0
|
||||
|
||||
crl-verify /etc/openvpn/crl.rsa.2048.pem
|
||||
ca /etc/openvpn/ca.rsa.2048.crt
|
||||
|
||||
disable-occ
|
||||
'';
|
||||
"certs.secret".content = ''
|
||||
CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
|
|
@ -107,7 +256,22 @@ networking.hostId = "8a8ad84a";
|
|||
defaults.environmentFile = "${config.sops.templates."certs.secret".path}";
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
services = {
|
||||
xserver = {
|
||||
layout = "us";
|
||||
xkbVariant = "altgr-intl";
|
||||
};
|
||||
|
||||
openssh = {
|
||||
enable = true;
|
||||
settings.PermitRootLogin = "yes";
|
||||
listenAddresses = [{
|
||||
port = 22;
|
||||
addr = "0.0.0.0";
|
||||
}];
|
||||
};
|
||||
|
||||
nginx = {
|
||||
enable = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
|
|
@ -126,9 +290,6 @@ networking.hostId = "8a8ad84a";
|
|||
client_max_body_size 0;
|
||||
'';
|
||||
};
|
||||
# "/push/" = {
|
||||
# proxyPass = "http://192.168.2.5:7867";
|
||||
# };
|
||||
"/.well-known/carddav" = {
|
||||
return = "301 $scheme://$host/remote.php/dav";
|
||||
};
|
||||
|
|
@ -214,167 +375,48 @@ networking.hostId = "8a8ad84a";
|
|||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
sops.secrets.kavita = { owner = "kavita";};
|
||||
|
||||
services.kavita = {
|
||||
kavita = {
|
||||
enable = true;
|
||||
user = "kavita";
|
||||
port = 8080;
|
||||
tokenKeyFile = config.sops.secrets.kavita.path;
|
||||
};
|
||||
|
||||
users.users.jellyfin = {
|
||||
extraGroups = [ "video" "render" ];
|
||||
};
|
||||
|
||||
# nixpkgs.config.packageOverrides = pkgs: {
|
||||
# vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
|
||||
# };
|
||||
|
||||
hardware.graphics = {
|
||||
enable = true;
|
||||
extraPackages = with pkgs; [
|
||||
intel-media-driver # LIBVA_DRIVER_NAME=iHD
|
||||
vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
|
||||
vaapiVdpau
|
||||
libvdpau-va-gl
|
||||
];
|
||||
};
|
||||
|
||||
services.jellyfin = {
|
||||
jellyfin = {
|
||||
enable = true;
|
||||
user = "jellyfin";
|
||||
# openFirewall = true; # this works only for the default ports
|
||||
};
|
||||
|
||||
users.groups.vpn = {};
|
||||
|
||||
users.users.vpn = {
|
||||
isNormalUser = true;
|
||||
group = "vpn";
|
||||
home = "/home/vpn";
|
||||
};
|
||||
|
||||
boot.kernelModules = [ "tun" ];
|
||||
|
||||
services.radarr = {
|
||||
radarr = {
|
||||
enable = true;
|
||||
};
|
||||
|
||||
services.readarr = {
|
||||
readarr = {
|
||||
enable = true;
|
||||
};
|
||||
services.sonarr = {
|
||||
sonarr = {
|
||||
enable = true;
|
||||
};
|
||||
services.lidarr = {
|
||||
lidarr = {
|
||||
enable = true;
|
||||
};
|
||||
services.prowlarr = {
|
||||
prowlarr = {
|
||||
enable = true;
|
||||
};
|
||||
|
||||
networking.firewall.extraCommands = ''
|
||||
sudo iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP
|
||||
'';
|
||||
networking.iproute2 = {
|
||||
enable = true;
|
||||
rttablesExtraConfig = ''
|
||||
200 vpn
|
||||
'';
|
||||
};
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv4.conf.all.rp_filter" = 2;
|
||||
"net.ipv4.conf.default.rp_filter" = 2;
|
||||
"net.ipv4.conf.enp7s0.rp_filter" = 2;
|
||||
};
|
||||
environment.etc = {
|
||||
"openvpn/iptables.sh" =
|
||||
{ source = ../../scripts/server1/iptables.sh;
|
||||
mode = "0755";
|
||||
};
|
||||
"openvpn/update-resolv-conf" =
|
||||
{ source = ../../scripts/server1/update-resolv-conf;
|
||||
mode = "0755";
|
||||
};
|
||||
"openvpn/routing.sh" =
|
||||
{ source = ../../scripts/server1/routing.sh;
|
||||
mode = "0755";
|
||||
};
|
||||
"openvpn/ca.rsa.2048.crt" =
|
||||
{ source = ../../secrets/certs/ca.rsa.2048.crt;
|
||||
mode = "0644";
|
||||
};
|
||||
"openvpn/crl.rsa.2048.pem" =
|
||||
{ source = ../../secrets/certs/crl.rsa.2048.pem;
|
||||
mode = "0644";
|
||||
};
|
||||
};
|
||||
|
||||
sops.secrets.vpnuser = {};
|
||||
sops.secrets.rpcuser = {owner="vpn";};
|
||||
sops.secrets.vpnpass = {};
|
||||
sops.secrets.rpcpass = {owner="vpn";};
|
||||
sops.secrets.vpnprot = {};
|
||||
sops.secrets.vpnloc = {};
|
||||
# sops.secrets.crlpem = {};
|
||||
# sops.secrets.capem = {};
|
||||
sops.templates."transmission-rpc".owner = "vpn";
|
||||
sops.templates."transmission-rpc".content = builtins.toJSON {
|
||||
rpc-username = config.sops.placeholder.rpcuser;
|
||||
rpc-password = config.sops.placeholder.rpcpass;
|
||||
};
|
||||
|
||||
sops.templates.pia.content = ''
|
||||
${config.sops.placeholder.vpnuser}
|
||||
${config.sops.placeholder.vpnpass}
|
||||
'';
|
||||
|
||||
sops.templates.vpn.content = ''
|
||||
client
|
||||
dev tun
|
||||
proto ${config.sops.placeholder.vpnprot}
|
||||
remote ${config.sops.placeholder.vpnloc}
|
||||
resolv-retry infinite
|
||||
nobind
|
||||
persist-key
|
||||
persist-tun
|
||||
cipher aes-128-cbc
|
||||
auth sha1
|
||||
tls-client
|
||||
remote-cert-tls server
|
||||
|
||||
auth-user-pass ${config.sops.templates.pia.path}
|
||||
compress
|
||||
verb 1
|
||||
reneg-sec 0
|
||||
|
||||
crl-verify /etc/openvpn/crl.rsa.2048.pem
|
||||
ca /etc/openvpn/ca.rsa.2048.crt
|
||||
|
||||
disable-occ
|
||||
'';
|
||||
|
||||
services.openvpn.servers = {
|
||||
openvpn.servers = {
|
||||
pia = {
|
||||
autoStart = true;
|
||||
updateResolvConf = false;
|
||||
config = "config ${config.sops.templates.vpn.path}";
|
||||
};
|
||||
};
|
||||
|
||||
services.transmission = {
|
||||
transmission = {
|
||||
enable = true;
|
||||
credentialsFile = config.sops.templates."transmission-rpc".path;
|
||||
user = "vpn";
|
||||
settings = {
|
||||
|
||||
alt-speed-down= 8000;
|
||||
alt-speed-enabled= false;
|
||||
alt-speed-time-begin= 0;
|
||||
|
|
@ -446,26 +488,6 @@ networking.hostId = "8a8ad84a";
|
|||
};
|
||||
};
|
||||
|
||||
# services.nginx = {
|
||||
# enable = true;
|
||||
# virtualHosts = {
|
||||
|
||||
# "192.168.1.192" = {
|
||||
# locations = {
|
||||
# "/transmission" = {
|
||||
# proxyPass = "http://127.0.0.1:9091";
|
||||
# extraConfig = ''
|
||||
# proxy_set_header Host $host;
|
||||
# proxy_set_header X-Real-IP $remote_addr;
|
||||
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
# '';
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
|
||||
|
||||
# sops.secrets.matrixsharedsecret = {owner="matrix-synapse";};
|
||||
# sops.templates."matrix_user_register.sh".content = ''
|
||||
# register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008
|
||||
|
|
@ -496,8 +518,9 @@ networking.hostId = "8a8ad84a";
|
|||
# MAUTRIX_WHATSAPP_BRIDGE_LOGIN_SHARED_SECRET=${config.sops.placeholder.mautrixwhatsapp_shared}
|
||||
# '';
|
||||
|
||||
services.postgresql.enable = true;
|
||||
services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
|
||||
postgresql = {
|
||||
enable = true;
|
||||
initialScript = pkgs.writeText "synapse-init.sql" ''
|
||||
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
|
||||
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
|
||||
TEMPLATE template0
|
||||
|
|
@ -519,8 +542,8 @@ networking.hostId = "8a8ad84a";
|
|||
LC_COLLATE = "C"
|
||||
LC_CTYPE = "C";
|
||||
'';
|
||||
|
||||
services.matrix-synapse = {
|
||||
};
|
||||
matrix-synapse = {
|
||||
settings.app_service_config_files = [
|
||||
"/var/lib/matrix-synapse/telegram-registration.yaml"
|
||||
"/var/lib/matrix-synapse/whatsapp-registration.yaml"
|
||||
|
|
@ -549,7 +572,7 @@ networking.hostId = "8a8ad84a";
|
|||
];
|
||||
};
|
||||
|
||||
services.mautrix-telegram = {
|
||||
mautrix-telegram = {
|
||||
enable = false;
|
||||
environmentFile = config.sops.templates.mautrixtelegram.path;
|
||||
settings = {
|
||||
|
|
@ -585,12 +608,6 @@ networking.hostId = "8a8ad84a";
|
|||
"*" = "relaybot";
|
||||
"@swarsel:${matrixDomain}" = "admin";
|
||||
};
|
||||
# Animated stickers conversion requires additional packages in the
|
||||
# service's path.
|
||||
# If this isn't a fresh installation, clearing the bridge's uploaded
|
||||
# file cache might be necessary (make a database backup first!):
|
||||
# delete from telegram_file where \
|
||||
# mime_type in ('application/gzip', 'application/octet-stream')
|
||||
animated_sticker = {
|
||||
target = "gif";
|
||||
args = {
|
||||
|
|
@ -603,12 +620,8 @@ networking.hostId = "8a8ad84a";
|
|||
};
|
||||
};
|
||||
};
|
||||
# systemd.services.mautrix-telegram.path = with pkgs; [
|
||||
# lottieconverter # for animated stickers conversion, unfree package
|
||||
# ffmpeg # if converting animated stickers to webm (very slow!)
|
||||
# ];
|
||||
|
||||
services.mautrix-whatsapp = {
|
||||
mautrix-whatsapp = {
|
||||
enable = false;
|
||||
# environmentFile = config.sops.templates.mautrixwhatsapp.path;
|
||||
settings = {
|
||||
|
|
@ -655,9 +668,8 @@ networking.hostId = "8a8ad84a";
|
|||
};
|
||||
};
|
||||
|
||||
services.mautrix-signal = {
|
||||
mautrix-signal = {
|
||||
enable = false;
|
||||
# environmentFile = config.sops.templates.mautrixwhatsapp.path;
|
||||
settings = {
|
||||
homeserver = {
|
||||
address = "http://localhost:8008";
|
||||
|
|
@ -687,59 +699,7 @@ networking.hostId = "8a8ad84a";
|
|||
};
|
||||
};
|
||||
|
||||
# restart the bridges daily. this is done for the signal bridge mainly which stops carrying
|
||||
# messages out after a while.
|
||||
|
||||
systemd.timers."restart-bridges" = {
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig = {
|
||||
OnBootSec = "1d";
|
||||
OnUnitActiveSec = "1d";
|
||||
Unit = "restart-bridges.service";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services."restart-bridges" = {
|
||||
script = ''
|
||||
systemctl restart mautrix-whatsapp.service
|
||||
systemctl restart mautrix-signal.service
|
||||
systemctl restart mautrix-telegram.service
|
||||
'';
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = "root";
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
users.groups.navidrome = {
|
||||
gid = 61593;
|
||||
};
|
||||
|
||||
users.groups.mpd = {};
|
||||
|
||||
users.users.navidrome = {
|
||||
isSystemUser = true;
|
||||
uid = 61593;
|
||||
group = "navidrome";
|
||||
extraGroups = [ "audio" "utmp" ];
|
||||
};
|
||||
|
||||
users.users.mpd = {
|
||||
isSystemUser = true;
|
||||
group = "mpd";
|
||||
extraGroups = [ "audio" "utmp" ];
|
||||
};
|
||||
|
||||
sound = {
|
||||
enable = true;
|
||||
};
|
||||
|
||||
hardware.enableAllFirmware = true;
|
||||
|
||||
sops.secrets.mpdpass = { owner = "mpd";};
|
||||
|
||||
services.navidrome = {
|
||||
navidrome = {
|
||||
enable = true;
|
||||
settings = {
|
||||
Address = "0.0.0.0";
|
||||
|
|
@ -758,7 +718,7 @@ networking.hostId = "8a8ad84a";
|
|||
UIWelcomeMessage = "~SwarselSound~";
|
||||
};
|
||||
};
|
||||
services.mpd = {
|
||||
mpd = {
|
||||
enable = true;
|
||||
musicDirectory = "/mnt/Eternor/Musik";
|
||||
user = "mpd";
|
||||
|
|
@ -781,18 +741,7 @@ networking.hostId = "8a8ad84a";
|
|||
};
|
||||
|
||||
|
||||
users.groups.spotifyd = {
|
||||
gid = 65136;
|
||||
};
|
||||
|
||||
users.users.spotifyd = {
|
||||
isSystemUser = true;
|
||||
uid = 65136;
|
||||
group = "spotifyd";
|
||||
extraGroups = [ "audio" "utmp" ];
|
||||
};
|
||||
|
||||
services.spotifyd = {
|
||||
spotifyd = {
|
||||
enable = true;
|
||||
settings = {
|
||||
global = {
|
||||
|
|
@ -808,7 +757,7 @@ networking.hostId = "8a8ad84a";
|
|||
|
||||
# Network shares
|
||||
# add a user with sudo smbpasswd -a <user>
|
||||
services.samba = {
|
||||
samba = {
|
||||
package = pkgs.samba4Full;
|
||||
extraConfig = ''
|
||||
workgroup = WORKGROUP
|
||||
|
|
@ -841,7 +790,7 @@ networking.hostId = "8a8ad84a";
|
|||
};
|
||||
|
||||
|
||||
services.avahi = {
|
||||
avahi = {
|
||||
publish.enable = true;
|
||||
publish.userServices = true;
|
||||
# ^^ Needed to allow samba to automatically register mDNS records without the need for an `extraServiceFile`
|
||||
|
|
@ -850,18 +799,9 @@ networking.hostId = "8a8ad84a";
|
|||
enable = true;
|
||||
};
|
||||
|
||||
services.samba-wsdd = {
|
||||
samba-wsdd = {
|
||||
# This enables autodiscovery on windows since SMB1 (and thus netbios) support was discontinued
|
||||
enable = true;
|
||||
};
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -247,6 +247,27 @@ create a new one."
|
|||
(python-shell-send-region (region-beginning) (region-end))
|
||||
(python-shell-switch-to-shell))
|
||||
|
||||
(defun swarsel/prefix-block (start end)
|
||||
(interactive "r")
|
||||
(save-excursion
|
||||
(goto-char start)
|
||||
(setq start (line-beginning-position))
|
||||
(goto-char end)
|
||||
(setq end (line-end-position))
|
||||
(let ((common-prefix (save-excursion
|
||||
(goto-char start)
|
||||
(if (re-search-forward "^\\([^.\n]+\\)\\." end t)
|
||||
(match-string 1)
|
||||
(error "No common prefix found")))))
|
||||
(save-excursion
|
||||
(goto-char start)
|
||||
(insert common-prefix " = {\n")
|
||||
(goto-char (+ end (length common-prefix) 6))
|
||||
(insert "};\n")
|
||||
(goto-char start)
|
||||
(while (re-search-forward (concat "^" (regexp-quote common-prefix) "\\.") end t)
|
||||
(replace-match ""))))))
|
||||
|
||||
;; Make ESC quit prompts
|
||||
(global-set-key (kbd "<escape>") 'keyboard-escape-quit)
|
||||
|
||||
|
|
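Review bot: In `swarsel/prefix-block` the integer `end` captured before `(insert common-prefix " = {\n")` is reused unchanged as the bound of the later `re-search-forward`, so after that insertion the bound no longer matches the region's extent; depending on prefix length and line count the last line may keep its prefix or lines below the region may be rewritten. Holding `end` in a marker and inserting the wrapper only after the prefixes are stripped keeps the bound accurate; the rewrite below does that and also adds the missing docstring. The `(goto-char (+ end (length common-prefix) 6))` step likewise assumes a newline follows the last line (6 = the five characters of `" = {\n"` plus that newline); at end of buffer `goto-char` clamps silently and `};` would land on the last line, which the rewrite avoids by inserting `"\n};"` at the marker instead. The function is entirely within the hunk.
```elisp
(defun swarsel/prefix-block (start end)
  "Wrap the lines in START..END in `PREFIX = { ... };' and strip `PREFIX.' from each line.
PREFIX is the text before the first dot on the first line of the region.
Signal an error if no such dotted line is found."
  (interactive "r")
  (save-excursion
    (goto-char start)
    (setq start (line-beginning-position))
    (goto-char end)
    ;; A marker keeps the bound valid while text before it is deleted and inserted.
    (setq end (copy-marker (line-end-position)))
    (let ((common-prefix (save-excursion
                           (goto-char start)
                           (if (re-search-forward "^\\([^.\n]+\\)\\." end t)
                               (match-string 1)
                             (error "No common prefix found")))))
      ;; Strip the prefixes first, while START/END still delimit the original lines.
      (goto-char start)
      (while (re-search-forward (concat "^" (regexp-quote common-prefix) "\\.") end t)
        (replace-match ""))
      ;; Close the block on its own line, then open it above the region.
      (goto-char end)
      (insert "\n};")
      (goto-char start)
      (insert common-prefix " = {\n")
      (set-marker end nil))))
```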
@ -475,6 +496,9 @@ create a new one."
|
|||
(set-face-attribute 'highlight-indent-guides-stack-even-face nil :background "gray40")
|
||||
(set-face-attribute 'highlight-indent-guides-stack-odd-face nil :background "gray50"))
|
||||
|
||||
(use-package aggressive-indent)
|
||||
(global-aggressive-indent-mode 1)
|
||||
|
||||
(setq mouse-wheel-scroll-amount
|
||||
'(1
|
||||
((shift) . 5)
|
||||
|
|
|
|||