style: eliminate duplicate keys

This commit is contained in:
Leon Schwarzäugl 2025-03-21 20:16:37 +01:00
parent 658d2bb7ba
commit c997e9174e
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
15 changed files with 1314 additions and 1249 deletions



@ -9,20 +9,24 @@
(modulesPath + "/profiles/qemu-guest.nix") (modulesPath + "/profiles/qemu-guest.nix")
]; ];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; boot = {
boot.initrd.kernelModules = [ ]; initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.kernelModules = [ "kvm-amd" ]; initrd.kernelModules = [ ];
boot.extraModulePackages = [ ]; kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk-by-uuid/d2a8fad0-373e-4bcf-8e75-d9b5ef94199c";
fsType = "ext4";
}; };
fileSystems."/boot" = { fileSystems = {
device = "/dev/disk-by-uuid/5CF0-A66E"; "/" = {
fsType = "vfat"; device = "/dev/disk-by-uuid/d2a8fad0-373e-4bcf-8e75-d9b5ef94199c";
options = [ "fmask=0077" "dmask=0077" ]; fsType = "ext4";
};
"/boot" = {
device = "/dev/disk-by-uuid/5CF0-A66E";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
}; };
swapDevices = [ ]; swapDevices = [ ];
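Review bot: Both filesystem entries on the new side, `device = "/dev/disk-by-uuid/d2a8fad0-373e-4bcf-8e75-d9b5ef94199c";` and `device = "/dev/disk-by-uuid/5CF0-A66E";`, use a `disk-by-uuid` path that does not match the `/dev/disk/by-uuid/` form used by the other hardware sections in this commit. If this file is evaluated for a real host, presumably neither device would be found at boot, so the lines should read `device = "/dev/disk/by-uuid/d2a8fad0-373e-4bcf-8e75-d9b5ef94199c";` and `device = "/dev/disk/by-uuid/5CF0-A66E";` unless the paths are intentional placeholders, in which case a comment saying so would avoid the question. The `boot` and `fileSystems` sets are fully inside the hunk.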


@ -21,28 +21,32 @@
esac esac
''; '';
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "cryptd" "usbhid" "sd_mod" "r8152" ]; boot = {
boot.initrd.kernelModules = [ "sg" ]; initrd = {
boot.kernelModules = [ "kvm-amd" ]; availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "cryptd" "usbhid" "sd_mod" "r8152" ];
kernelModules = [ "sg" ];
luks.devices."cryptroot" = {
# improve performance on ssds
bypassWorkqueues = true;
preLVM = true;
};
};
boot.kernelParams = [ kernelModules = [ "kvm-amd" ];
"mem_sleep_default=deep" kernelParams = [
"amd_pstate=passive" "mem_sleep_default=deep"
# Fix screen flickering issue at the cost of battery life (disable PSR and PSR-SU, keep PR enabled) "amd_pstate=passive"
# TODO: figure out if this is worth it # Fix screen flickering issue at the cost of battery life (disable PSR and PSR-SU, keep PR enabled)
# test PSR/PR state with 'sudo grep '' /sys/kernel/debug/dri/0000*/eDP-2/*_capability' # TODO: figure out if this is worth it
# ref: # test PSR/PR state with 'sudo grep '' /sys/kernel/debug/dri/0000*/eDP-2/*_capability'
# https://old.reddit.com/r/framework/comments/1goh7hc/anyone_else_get_this_screen_flickering_issue/ # ref:
# https://www.reddit.com/r/NixOS/comments/1hjruq1/graphics_corruption_on_kernel_6125_and_up/ # https://old.reddit.com/r/framework/comments/1goh7hc/anyone_else_get_this_screen_flickering_issue/
# https://gitlab.freedesktop.org/drm/amd/-/issues/3797 # https://www.reddit.com/r/NixOS/comments/1hjruq1/graphics_corruption_on_kernel_6125_and_up/
"amdgpu.dcdebugmask=0x410" # https://gitlab.freedesktop.org/drm/amd/-/issues/3797
]; "amdgpu.dcdebugmask=0x410"
];
boot.extraModulePackages = [ ]; extraModulePackages = [ ];
boot.initrd.luks.devices."cryptroot" = {
# improve performance on ssds
bypassWorkqueues = true;
preLVM = true;
}; };
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking


@ -20,24 +20,6 @@ in
defaultSopsFile = lib.mkForce "/root/.dotfiles/secrets/sync/secrets.yaml"; defaultSopsFile = lib.mkForce "/root/.dotfiles/secrets/sync/secrets.yaml";
}; };
services.nginx = {
virtualHosts = {
"sync.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://localhost:8384/";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
};
};
boot = { boot = {
tmp.cleanOnBoot = true; tmp.cleanOnBoot = true;
loader.grub.device = "nodev"; loader.grub.device = "nodev";
@ -46,31 +28,53 @@ in
networking = { networking = {
nftables.enable = lib.mkForce false; nftables.enable = lib.mkForce false;
firewall.allowedTCPPorts = [ 8384 22000 ];
firewall.allowedUDPPorts = [ 21027 22000 ];
hostName = "sync"; hostName = "sync";
enableIPv6 = false; enableIPv6 = false;
domain = "subnet03112148.vcn03112148.oraclevcn.com"; domain = "subnet03112148.vcn03112148.oraclevcn.com";
firewall.extraCommands = '' firewall = {
iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT allowedTCPPorts = [ 8384 22000 ];
iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT allowedUDPPorts = [ 21027 22000 ];
iptables -I INPUT -m state --state NEW -p tcp --dport 27701 -j ACCEPT extraCommands = ''
iptables -I INPUT -m state --state NEW -p tcp --dport 8384 -j ACCEPT iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 3000 -j ACCEPT iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 22000 -j ACCEPT iptables -I INPUT -m state --state NEW -p tcp --dport 27701 -j ACCEPT
iptables -I INPUT -m state --state NEW -p udp --dport 22000 -j ACCEPT iptables -I INPUT -m state --state NEW -p tcp --dport 8384 -j ACCEPT
iptables -I INPUT -m state --state NEW -p udp --dport 21027 -j ACCEPT iptables -I INPUT -m state --state NEW -p tcp --dport 3000 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 9812 -j ACCEPT iptables -I INPUT -m state --state NEW -p tcp --dport 22000 -j ACCEPT
''; iptables -I INPUT -m state --state NEW -p udp --dport 22000 -j ACCEPT
iptables -I INPUT -m state --state NEW -p udp --dport 21027 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 9812 -j ACCEPT
'';
};
}; };
# system.stateVersion = "23.11"; # TEMPLATE - but probably no need to change # system.stateVersion = "23.11"; # TEMPLATE - but probably no need to change
# do not manage OCI syncthing through nix config services = {
services.syncthing = { nginx = {
enable = true; virtualHosts = {
guiAddress = "0.0.0.0:8384"; "sync.swarsel.win" = {
openDefaultPorts = true; enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://localhost:8384/";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
};
};
# do not manage OCI syncthing through nix config
syncthing = {
enable = true;
guiAddress = "0.0.0.0:8384";
openDefaultPorts = true;
};
}; };
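Review bot: `allowedTCPPorts = [ 8384 22000 ]` together with the `--dport 8384` rule in `extraCommands` exposes the Syncthing GUI/API port directly, and `guiAddress = "0.0.0.0:8384"` binds it on every interface, so the HTTPS virtual host `sync.swarsel.win` that proxies to `http://localhost:8384/` is not the only way to reach the GUI and a cleartext connection on 8384 remains possible. If nginx is meant to be the sole entry point, `guiAddress = "127.0.0.1:8384";` plus removing 8384 from `allowedTCPPorts` and from `extraCommands` closes that path; if a cloud-side security list is what actually restricts access, a comment saying so would make the rule auditable. `extraCommands` also repeats the 22000/21027 rules that `allowedTCPPorts`/`allowedUDPPorts` already install, and while 80/443 presumably serve the nginx host, 27701, 3000 and 9812 have no matching service in this hunk and deserve a comment each. Separately, the comment `# do not manage OCI syncthing through nix config` now sits directly above `syncthing = { enable = true; ... }`, which it appears to contradict, so it should be reworded or moved. The `networking` and `services` sets are fully inside the hunk.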


@ -7,19 +7,23 @@
(modulesPath + "/profiles/qemu-guest.nix") (modulesPath + "/profiles/qemu-guest.nix")
]; ];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ]; boot = {
boot.initrd.kernelModules = [ ]; initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ];
boot.kernelModules = [ "kvm-amd" ]; initrd.kernelModules = [ ];
boot.extraModulePackages = [ ]; kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/4b47378a-02eb-4548-bab8-59cbf379252a";
fsType = "xfs";
}; };
fileSystems."/boot" = { fileSystems = {
device = "/dev/disk/by-uuid/2B75-2AD5"; "/" = {
fsType = "vfat"; device = "/dev/disk/by-uuid/4b47378a-02eb-4548-bab8-59cbf379252a";
fsType = "xfs";
};
"/boot" = {
device = "/dev/disk/by-uuid/2B75-2AD5";
fsType = "vfat";
};
}; };
swapDevices = [ swapDevices = [
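Review bot: The `"/boot"` entry on the new side (`device = "/dev/disk/by-uuid/2B75-2AD5"; fsType = "vfat";`) mounts the ESP without `options = [ "fmask=0077" "dmask=0077" ]`, which the first hardware section in this commit does set; with vfat's default mask the kernels and initrds under `/boot` end up readable by every local user. The same applies to the `/boot` entry of the zfs host section (`/dev/disk/by-uuid/F0D8-8BD1`). Suggest adding `options = [ "fmask=0077" "dmask=0077" ];` to both entries. The `swapDevices` list on the last line continues outside the hunk.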


@ -9,10 +9,12 @@
(modulesPath + "/profiles/qemu-guest.nix") (modulesPath + "/profiles/qemu-guest.nix")
]; ];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; boot = {
boot.initrd.kernelModules = [ ]; initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.kernelModules = [ "kvm-amd" ]; initrd.kernelModules = [ ];
boot.extraModulePackages = [ ]; kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's


@ -6,25 +6,29 @@
(modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ]; boot = {
boot.initrd.kernelModules = [ ]; initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
boot.kernelModules = [ "kvm-intel" ]; initrd.kernelModules = [ ];
boot.extraModulePackages = [ ]; kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
boot.supportedFilesystems = [ "zfs" ]; supportedFilesystems = [ "zfs" ];
boot.zfs.extraPools = [ "Vault" ]; zfs.extraPools = [ "Vault" ];
};
fileSystems."/" = fileSystems = {
{ "/" =
device = "/dev/disk/by-uuid/30e2f96a-b01d-4c27-9ebb-d5d7e9f0031f"; {
fsType = "ext4"; device = "/dev/disk/by-uuid/30e2f96a-b01d-4c27-9ebb-d5d7e9f0031f";
}; fsType = "ext4";
};
fileSystems."/boot" = "/boot" =
{ {
device = "/dev/disk/by-uuid/F0D8-8BD1"; device = "/dev/disk/by-uuid/F0D8-8BD1";
fsType = "vfat"; fsType = "vfat";
}; };
};
swapDevices = swapDevices =
[{ device = "/dev/disk/by-uuid/a8eb6f3b-69bf-4160-90aa-9247abc108e0"; }]; [{ device = "/dev/disk/by-uuid/a8eb6f3b-69bf-4160-90aa-9247abc108e0"; }];


@ -1,129 +1,136 @@
{ lib, config, ... }: { lib, config, ... }:
{ {
programs.mbsync = lib.mkIf (!config.swarselsystems.isPublic) { programs = {
enable = true; mbsync = lib.mkIf (!config.swarselsystems.isPublic) {
enable = true;
};
msmtp = lib.mkIf (!config.swarselsystems.isPublic) {
enable = true;
};
mu = lib.mkIf (!config.swarselsystems.isPublic) {
enable = true;
};
}; };
services.mbsync = lib.mkIf (!config.swarselsystems.isPublic) { services.mbsync = lib.mkIf (!config.swarselsystems.isPublic) {
enable = true; enable = true;
}; };
# this is needed so that mbsync can use the passwords from sops # this is needed so that mbsync can use the passwords from sops
systemd.user.services.mbsync.Unit.After = lib.mkIf (!config.swarselsystems.isPublic) [ "sops-nix.service" ]; systemd.user.services.mbsync.Unit.After = lib.mkIf (!config.swarselsystems.isPublic) [ "sops-nix.service" ];
programs.msmtp = lib.mkIf (!config.swarselsystems.isPublic) { accounts = {
enable = true; email = lib.mkIf (!config.swarselsystems.isPublic) {
}; maildirBasePath = "Mail";
accounts = {
programs.mu = lib.mkIf (!config.swarselsystems.isPublic) { leon = {
enable = true; primary = true;
}; address = "leon.schwarzaeugl@gmail.com";
userName = "leon.schwarzaeugl@gmail.com";
accounts.email = lib.mkIf (!config.swarselsystems.isPublic) { realName = "Leon Schwarzäugl";
maildirBasePath = "Mail"; passwordCommand = "cat ${config.sops.secrets.leon.path}";
accounts.leon = { gpg = {
primary = true; key = "0x76FD3810215AE097";
address = "leon.schwarzaeugl@gmail.com"; signByDefault = true;
userName = "leon.schwarzaeugl@gmail.com";
realName = "Leon Schwarzäugl";
passwordCommand = "cat ${config.sops.secrets.leon.path}";
gpg = {
key = "0x76FD3810215AE097";
signByDefault = true;
};
imap.host = "imap.gmail.com";
smtp.host = "smtp.gmail.com";
mu.enable = true;
msmtp = {
enable = true;
};
mbsync = {
enable = true;
create = "maildir";
expunge = "both";
patterns = [ "*" "![Gmail]*" "[Gmail]/Sent Mail" "[Gmail]/Starred" "[Gmail]/All Mail" ];
extraConfig = {
channel = {
Sync = "All";
}; };
account = { imap.host = "imap.gmail.com";
Timeout = 120; smtp.host = "smtp.gmail.com";
PipelineDepth = 1; mu.enable = true;
msmtp = {
enable = true;
};
mbsync = {
enable = true;
create = "maildir";
expunge = "both";
patterns = [ "*" "![Gmail]*" "[Gmail]/Sent Mail" "[Gmail]/Starred" "[Gmail]/All Mail" ];
extraConfig = {
channel = {
Sync = "All";
};
account = {
Timeout = 120;
PipelineDepth = 1;
};
};
}; };
}; };
};
};
accounts.swarsel = lib.mkIf (!config.swarselsystems.isPublic) { swarsel = lib.mkIf (!config.swarselsystems.isPublic) {
address = "leon@swarsel.win"; address = "leon@swarsel.win";
userName = "8227dc594dd515ce232eda1471cb9a19"; userName = "8227dc594dd515ce232eda1471cb9a19";
realName = "Leon Schwarzäugl"; realName = "Leon Schwarzäugl";
passwordCommand = "cat ${config.sops.secrets.swarselmail.path}"; passwordCommand = "cat ${config.sops.secrets.swarselmail.path}";
smtp = { smtp = {
host = "in-v3.mailjet.com"; host = "in-v3.mailjet.com";
port = 587; port = 587;
tls = { tls = {
enable = true; enable = true;
useStartTls = true; useStartTls = true;
};
};
mu.enable = false;
msmtp = {
enable = true;
};
mbsync = {
enable = false;
};
}; };
};
mu.enable = false;
msmtp = {
enable = true;
};
mbsync = {
enable = false;
};
};
accounts.nautilus = lib.mkIf (!config.swarselsystems.isPublic) { nautilus = lib.mkIf (!config.swarselsystems.isPublic) {
primary = false; primary = false;
address = "nautilus.dw@gmail.com"; address = "nautilus.dw@gmail.com";
userName = "nautilus.dw@gmail.com"; userName = "nautilus.dw@gmail.com";
realName = "Nautilus"; realName = "Nautilus";
passwordCommand = "cat ${config.sops.secrets.nautilus.path}"; passwordCommand = "cat ${config.sops.secrets.nautilus.path}";
imap.host = "imap.gmail.com"; imap.host = "imap.gmail.com";
smtp.host = "smtp.gmail.com"; smtp.host = "smtp.gmail.com";
msmtp.enable = true; msmtp.enable = true;
mu.enable = true; mu.enable = true;
mbsync = { mbsync = {
enable = true; enable = true;
create = "maildir"; create = "maildir";
expunge = "both"; expunge = "both";
patterns = [ "*" "![Gmail]*" "[Gmail]/Sent Mail" "[Gmail]/Starred" "[Gmail]/All Mail" ]; patterns = [ "*" "![Gmail]*" "[Gmail]/Sent Mail" "[Gmail]/Starred" "[Gmail]/All Mail" ];
extraConfig = { extraConfig = {
channel = { channel = {
Sync = "All"; Sync = "All";
}; };
account = { account = {
Timeout = 120; Timeout = 120;
PipelineDepth = 1; PipelineDepth = 1;
};
};
}; };
}; };
};
}; mrswarsel = lib.mkIf (!config.swarselsystems.isPublic) {
accounts.mrswarsel = lib.mkIf (!config.swarselsystems.isPublic) { primary = false;
primary = false; address = "mrswarsel@gmail.com";
address = "mrswarsel@gmail.com"; userName = "mrswarsel@gmail.com";
userName = "mrswarsel@gmail.com"; realName = "Swarsel";
realName = "Swarsel"; passwordCommand = "cat ${config.sops.secrets.mrswarsel.path}";
passwordCommand = "cat ${config.sops.secrets.mrswarsel.path}"; imap.host = "imap.gmail.com";
imap.host = "imap.gmail.com"; smtp.host = "smtp.gmail.com";
smtp.host = "smtp.gmail.com"; msmtp.enable = true;
msmtp.enable = true; mu.enable = true;
mu.enable = true; mbsync = {
mbsync = { enable = true;
enable = true; create = "maildir";
create = "maildir"; expunge = "both";
expunge = "both"; patterns = [ "*" "![Gmail]*" "[Gmail]/Sent Mail" "[Gmail]/Starred" "[Gmail]/All Mail" ];
patterns = [ "*" "![Gmail]*" "[Gmail]/Sent Mail" "[Gmail]/Starred" "[Gmail]/All Mail" ]; extraConfig = {
extraConfig = { channel = {
channel = { Sync = "All";
Sync = "All"; };
}; account = {
account = { Timeout = 120;
Timeout = 120; PipelineDepth = 1;
PipelineDepth = 1; };
};
}; };
}; };
}; };
}; };
}; };
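Review bot: On the new side `swarsel`, `nautilus` and `mrswarsel` each keep their own `lib.mkIf (!config.swarselsystems.isPublic)` although they now sit inside `email = lib.mkIf (!config.swarselsystems.isPublic) { ... }`, while `leon` has no inner guard; the inner guards are redundant and the asymmetry reads as if the accounts were conditioned differently. Dropping them, e.g. `swarsel = {`, leaves the single outer guard as the only switch. The same outer/inner duplication holds for `programs.mbsync`/`msmtp`/`mu`, `services.mbsync` and the `systemd.user.services.mbsync.Unit.After` line, which could presumably be expressed once with a single `lib.mkIf (!config.swarselsystems.isPublic) { ... }` around the module's config. The module is fully inside the hunk.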


@ -1,16 +1,18 @@
_: _:
{ {
security.pam.services = { security = {
login.u2fAuth = true; pam.services = {
sudo.u2fAuth = true; login.u2fAuth = true;
swaylock.u2fAuth = true; sudo.u2fAuth = true;
swaylock.fprintAuth = false; swaylock.u2fAuth = true;
}; swaylock.fprintAuth = false;
security.polkit.enable = true; };
polkit.enable = true;
security.sudo.extraConfig = '' sudo.extraConfig = ''
Defaults env_keep+=SSH_AUTH_SOCK Defaults env_keep+=SSH_AUTH_SOCK
''; '';
};
} }
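Review bot: `sudo.extraConfig = ''Defaults env_keep+=SSH_AUTH_SOCK''` on the new side has no comment explaining why the agent socket is preserved across sudo; since every command run under sudo can then use the invoking user's agent keys, the intent deserves to be recorded next to the line. Suggest `# keep the user's ssh-agent reachable under sudo (SSH_AUTH_SOCK); note that commands run as root can then sign with the agent's keys`. The `security` set is fully inside the hunk.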


@ -49,264 +49,271 @@ in
}; };
}; };
services.postgresql = { systemd = {
enable = true; timers."restart-bridges" = {
initialScript = pkgs.writeText "synapse-init.sql" '' wantedBy = [ "timers.target" ];
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; timerConfig = {
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" OnBootSec = "1d";
TEMPLATE template0 OnUnitActiveSec = "1d";
LC_COLLATE = "C" Unit = "restart-bridges.service";
LC_CTYPE = "C"; };
CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram'; };
CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';
CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal';
CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
};
services.matrix-synapse = { services = {
enable = true; "restart-bridges" = {
settings = { script = ''
app_service_config_files = [ systemctl restart mautrix-whatsapp.service
"/var/lib/matrix-synapse/telegram-registration.yaml" systemctl restart mautrix-signal.service
"/var/lib/matrix-synapse/whatsapp-registration.yaml" systemctl restart mautrix-telegram.service
"/var/lib/matrix-synapse/signal-registration.yaml" '';
"/var/lib/matrix-synapse/doublepuppet.yaml" serviceConfig = {
]; Type = "oneshot";
server_name = matrixDomain; User = "root";
public_baseurl = "https://${matrixDomain}"; };
listeners = [ };
{ mautrix-telegram.path = with pkgs; [
port = 8008; lottieconverter # for animated stickers conversion, unfree package
bind_addresses = [ ffmpeg # if converting animated stickers to webm (very slow!)
"127.0.0.1"
# "::1"
];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = [ "client" "federation" ];
compress = true;
}
];
}
]; ];
}; };
extraConfigFiles = [
config.sops.templates.matrixshared.path
];
}; };
services.mautrix-telegram = { services = {
enable = true; postgresql = {
environmentFile = config.sops.templates.mautrixtelegram.path; enable = true;
settings = { initialScript = pkgs.writeText "synapse-init.sql" ''
homeserver = { CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
address = "http://localhost:8008"; CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
domain = matrixDomain; TEMPLATE template0
}; LC_COLLATE = "C"
appservice = { LC_CTYPE = "C";
address = "http://localhost:29317"; CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram';
hostname = "localhost"; CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram"
port = "29317"; TEMPLATE template0
provisioning.enabled = true; LC_COLLATE = "C"
id = "telegram"; LC_CTYPE = "C";
# ephemeral_events = true; # not needed due to double puppeting CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';
public = { CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp"
enabled = false; TEMPLATE template0
}; LC_COLLATE = "C"
database = "postgresql:///mautrix-telegram?host=/run/postgresql"; LC_CTYPE = "C";
}; CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal';
bridge = { CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal"
relaybot.authless_portals = true; TEMPLATE template0
allow_avatar_remove = true; LC_COLLATE = "C"
allow_contact_info = true; LC_CTYPE = "C";
sync_channel_members = true; '';
startup_sync = true;
sync_create_limit = 0;
sync_direct_chats = true;
telegram_link_preview = true;
permissions = {
"*" = "relaybot";
"@swarsel:${matrixDomain}" = "admin";
};
animated_sticker = {
target = "gif";
args = {
width = 256;
height = 256;
fps = 30; # only for webm
background = "020202"; # only for gif, transparency not supported
};
};
};
}; };
};
systemd.services.mautrix-telegram.path = with pkgs; [
lottieconverter # for animated stickers conversion, unfree package
ffmpeg # if converting animated stickers to webm (very slow!)
];
services.mautrix-whatsapp = { matrix-synapse = {
enable = true; enable = true;
registerToSynapse = false; settings = {
settings = { app_service_config_files = [
homeserver = { "/var/lib/matrix-synapse/telegram-registration.yaml"
address = "http://localhost:8008"; "/var/lib/matrix-synapse/whatsapp-registration.yaml"
domain = matrixDomain; "/var/lib/matrix-synapse/signal-registration.yaml"
}; "/var/lib/matrix-synapse/doublepuppet.yaml"
appservice = { ];
address = "http://localhost:29318"; server_name = matrixDomain;
hostname = "127.0.0.1"; public_baseurl = "https://${matrixDomain}";
port = 29318; listeners = [
database = {
type = "postgres";
uri = "postgresql:///mautrix-whatsapp?host=/run/postgresql";
};
};
bridge = {
displayname_template = "{{or .FullName .PushName .JID}} (WA)";
history_sync = {
backfill = true;
max_initial_conversations = -1;
message_count = -1;
request_full_sync = true;
full_sync_config = {
days_limit = 900;
size_mb_limit = 5000;
storage_quota_mb = 5000;
};
};
login_shared_secret_map = {
matrixDomain = "as_token:doublepuppet";
};
sync_manual_marked_unread = true;
send_presence_on_typing = true;
parallel_member_sync = true;
url_previews = true;
caption_in_message = true;
extev_polls = true;
permissions = {
"*" = "relay";
"@swarsel:${matrixDomain}" = "admin";
};
};
};
};
services.mautrix-signal = {
enable = true;
registerToSynapse = false;
settings = {
homeserver = {
address = "http://localhost:8008";
domain = matrixDomain;
};
appservice = {
address = "http://localhost:29328";
hostname = "127.0.0.1";
port = 29328;
database = {
type = "postgres";
uri = "postgresql:///mautrix-signal?host=/run/postgresql";
};
};
bridge = {
displayname_template = "{{or .ContactName .ProfileName .PhoneNumber}} (Signal)";
login_shared_secret_map = {
matrixDomain = "as_token:doublepuppet";
};
caption_in_message = true;
permissions = {
"*" = "relay";
"@swarsel:${matrixDomain}" = "admin";
};
};
};
};
# restart the bridges daily. this is done for the signal bridge mainly which stops carrying
# messages out after a while.
systemd.timers."restart-bridges" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "1d";
OnUnitActiveSec = "1d";
Unit = "restart-bridges.service";
};
};
systemd.services."restart-bridges" = {
script = ''
systemctl restart mautrix-whatsapp.service
systemctl restart mautrix-signal.service
systemctl restart mautrix-telegram.service
'';
serviceConfig = {
Type = "oneshot";
User = "root";
};
};
services.nginx = {
virtualHosts = {
"swatrix.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
listen = [
{ {
addr = "0.0.0.0"; port = 8008;
port = 8448; bind_addresses = [
ssl = true; "127.0.0.1"
extraParameters = [ # "::1"
"default_server"
]; ];
} type = "http";
{ tls = false;
addr = "[::0]"; x_forwarded = true;
port = 8448; resources = [
ssl = true; {
extraParameters = [ names = [ "client" "federation" ];
"default_server" compress = true;
}
]; ];
} }
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
{
addr = "[::0]";
port = 443;
ssl = true;
}
]; ];
locations = { };
"~ ^(/_matrix|/_synapse/client)" = { extraConfigFiles = [
# proxyPass = "http://localhost:8008"; config.sops.templates.matrixshared.path
proxyPass = "http://localhost:8008"; ];
extraConfig = '' };
client_max_body_size 0;
''; mautrix-telegram = {
enable = true;
environmentFile = config.sops.templates.mautrixtelegram.path;
settings = {
homeserver = {
address = "http://localhost:8008";
domain = matrixDomain;
};
appservice = {
address = "http://localhost:29317";
hostname = "localhost";
port = "29317";
provisioning.enabled = true;
id = "telegram";
# ephemeral_events = true; # not needed due to double puppeting
public = {
enabled = false;
};
database = "postgresql:///mautrix-telegram?host=/run/postgresql";
};
bridge = {
relaybot.authless_portals = true;
allow_avatar_remove = true;
allow_contact_info = true;
sync_channel_members = true;
startup_sync = true;
sync_create_limit = 0;
sync_direct_chats = true;
telegram_link_preview = true;
permissions = {
"*" = "relaybot";
"@swarsel:${matrixDomain}" = "admin";
};
animated_sticker = {
target = "gif";
args = {
width = 256;
height = 256;
fps = 30; # only for webm
background = "020202"; # only for gif, transparency not supported
};
};
};
};
};
mautrix-whatsapp = {
enable = true;
registerToSynapse = false;
settings = {
homeserver = {
address = "http://localhost:8008";
domain = matrixDomain;
};
appservice = {
address = "http://localhost:29318";
hostname = "127.0.0.1";
port = 29318;
database = {
type = "postgres";
uri = "postgresql:///mautrix-whatsapp?host=/run/postgresql";
};
};
bridge = {
displayname_template = "{{or .FullName .PushName .JID}} (WA)";
history_sync = {
backfill = true;
max_initial_conversations = -1;
message_count = -1;
request_full_sync = true;
full_sync_config = {
days_limit = 900;
size_mb_limit = 5000;
storage_quota_mb = 5000;
};
};
login_shared_secret_map = {
matrixDomain = "as_token:doublepuppet";
};
sync_manual_marked_unread = true;
send_presence_on_typing = true;
parallel_member_sync = true;
url_previews = true;
caption_in_message = true;
extev_polls = true;
permissions = {
"*" = "relay";
"@swarsel:${matrixDomain}" = "admin";
};
};
};
};
mautrix-signal = {
enable = true;
registerToSynapse = false;
settings = {
homeserver = {
address = "http://localhost:8008";
domain = matrixDomain;
};
appservice = {
address = "http://localhost:29328";
hostname = "127.0.0.1";
port = 29328;
database = {
type = "postgres";
uri = "postgresql:///mautrix-signal?host=/run/postgresql";
};
};
bridge = {
displayname_template = "{{or .ContactName .ProfileName .PhoneNumber}} (Signal)";
login_shared_secret_map = {
matrixDomain = "as_token:doublepuppet";
};
caption_in_message = true;
permissions = {
"*" = "relay";
"@swarsel:${matrixDomain}" = "admin";
};
};
};
};
# restart the bridges daily. this is done for the signal bridge mainly which stops carrying
# messages out after a while.
nginx = {
virtualHosts = {
"swatrix.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
listen = [
{
addr = "0.0.0.0";
port = 8448;
ssl = true;
extraParameters = [
"default_server"
];
}
{
addr = "[::0]";
port = 8448;
ssl = true;
extraParameters = [
"default_server"
];
}
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
{
addr = "[::0]";
port = 443;
ssl = true;
}
];
locations = {
"~ ^(/_matrix|/_synapse/client)" = {
# proxyPass = "http://localhost:8008";
proxyPass = "http://localhost:8008";
extraConfig = ''
client_max_body_size 0;
'';
};
"= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
"= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
}; };
"= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
"= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
}; };
}; };
}; };
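Review bot: `login_shared_secret_map = { matrixDomain = "as_token:doublepuppet"; };` (new side, in both the `mautrix-whatsapp` and `mautrix-signal` bridge settings) defines an attribute literally named `matrixDomain` rather than one named after the `matrixDomain` variable, unlike `"@swarsel:${matrixDomain}" = "admin";` a few lines below; if the bridge looks this map up by homeserver domain, as the `as_token:doublepuppet` value suggests, the double-puppeting secret is never matched. The fix is `"${matrixDomain}" = "as_token:doublepuppet";` in both places. Separately, the comment `# restart the bridges daily. this is done for the signal bridge mainly ...` now sits directly above `nginx = {`, while the timer and service it describes moved to the `systemd` block at the top of the hunk; it should move up to `timers."restart-bridges" = {`. The enclosing attribute set starts before the hunk.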


@ -11,145 +11,151 @@
}; };
}; };
users.users.nextcloud-exporter = { users = {
extraGroups = [ "nextcloud" ]; users = {
nextcloud-exporter = {
extraGroups = [ "nextcloud" ];
};
grafana = {
extraGroups = [ "users" ];
};
};
}; };
users.users.grafana = { services = {
extraGroups = [ "users" ]; grafana = {
};
services.grafana = {
enable = true;
dataDir = "/Vault/data/grafana";
provision = {
enable = true; enable = true;
datasources.settings = { dataDir = "/Vault/data/grafana";
datasources = [ provision = {
{ enable = true;
name = "prometheus"; datasources.settings = {
type = "prometheus"; datasources = [
url = "https://status.swarsel.win/prometheus"; {
editable = false; name = "prometheus";
access = "proxy"; type = "prometheus";
basicAuth = true; url = "https://status.swarsel.win/prometheus";
basicAuthUser = "admin"; editable = false;
jsonData = { access = "proxy";
httpMethod = "POST"; basicAuth = true;
manageAlerts = true; basicAuthUser = "admin";
prometheusType = "Prometheus"; jsonData = {
prometheusVersion = "> 2.50.x"; httpMethod = "POST";
cacheLevel = "High"; manageAlerts = true;
disableRecordingRules = false; prometheusType = "Prometheus";
incrementalQueryOverlapWindow = "10m"; prometheusVersion = "> 2.50.x";
cacheLevel = "High";
disableRecordingRules = false;
incrementalQueryOverlapWindow = "10m";
};
secureJsonData = {
basicAuthPassword = "$__file{/run/secrets/prometheusadminpass}";
};
}
];
};
};
settings = {
security.admin_password = "$__file{/run/secrets/grafanaadminpass}";
server = {
http_port = 3000;
http_addr = "127.0.0.1";
protocol = "http";
domain = "status.swarsel.win";
};
};
};
prometheus = {
enable = true;
webExternalUrl = "https://status.swarsel.win/prometheus";
port = 9090;
listenAddress = "127.0.0.1";
globalConfig = {
scrape_interval = "10s";
};
webConfigFile = self + /programs/server/prometheus/web.config;
scrapeConfigs = [
{
job_name = "node";
static_configs = [{
targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
}];
}
{
job_name = "zfs";
static_configs = [{
targets = [ "localhost:${toString config.services.prometheus.exporters.zfs.port}" ];
}];
}
{
job_name = "nginx";
static_configs = [{
targets = [ "localhost:${toString config.services.prometheus.exporters.nginx.port}" ];
}];
}
{
job_name = "nextcloud";
static_configs = [{
targets = [ "localhost:${toString config.services.prometheus.exporters.nextcloud.port}" ];
}];
}
];
exporters = {
node = {
enable = true;
port = 9000;
enabledCollectors = [ "systemd" ];
extraFlags = [ "--collector.ethtool" "--collector.softirqs" "--collector.tcpstat" "--collector.wifi" ];
};
zfs = {
enable = true;
port = 9134;
pools = [
"Vault"
];
};
restic = {
enable = false;
port = 9753;
};
nginx = {
enable = true;
port = 9113;
sslVerify = false;
scrapeUri = "http://localhost/nginx_status";
};
nextcloud = lib.mkIf config.swarselsystems.server.nextcloud {
enable = true;
port = 9205;
url = "https://stash.swarsel.win/ocs/v2.php/apps/serverinfo/api/v1/info";
username = "admin";
passwordFile = config.sops.secrets.nextcloudadminpass.path;
};
};
};
nginx = {
virtualHosts = {
"status.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://localhost:3000";
extraConfig = ''
client_max_body_size 0;
'';
}; };
secureJsonData = { "/prometheus" = {
basicAuthPassword = "$__file{/run/secrets/prometheusadminpass}"; proxyPass = "http://localhost:9090";
extraConfig = ''
client_max_body_size 0;
'';
}; };
}
];
};
};
settings = {
security.admin_password = "$__file{/run/secrets/grafanaadminpass}";
server = {
http_port = 3000;
http_addr = "127.0.0.1";
protocol = "http";
domain = "status.swarsel.win";
};
};
};
services.prometheus = {
enable = true;
webExternalUrl = "https://status.swarsel.win/prometheus";
port = 9090;
listenAddress = "127.0.0.1";
globalConfig = {
scrape_interval = "10s";
};
webConfigFile = self + /programs/server/prometheus/web.config;
scrapeConfigs = [
{
job_name = "node";
static_configs = [{
targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
}];
}
{
job_name = "zfs";
static_configs = [{
targets = [ "localhost:${toString config.services.prometheus.exporters.zfs.port}" ];
}];
}
{
job_name = "nginx";
static_configs = [{
targets = [ "localhost:${toString config.services.prometheus.exporters.nginx.port}" ];
}];
}
{
job_name = "nextcloud";
static_configs = [{
targets = [ "localhost:${toString config.services.prometheus.exporters.nextcloud.port}" ];
}];
}
];
exporters = {
node = {
enable = true;
port = 9000;
enabledCollectors = [ "systemd" ];
extraFlags = [ "--collector.ethtool" "--collector.softirqs" "--collector.tcpstat" "--collector.wifi" ];
};
zfs = {
enable = true;
port = 9134;
pools = [
"Vault"
];
};
restic = {
enable = false;
port = 9753;
};
nginx = {
enable = true;
port = 9113;
sslVerify = false;
scrapeUri = "http://localhost/nginx_status";
};
nextcloud = lib.mkIf config.swarselsystems.server.nextcloud {
enable = true;
port = 9205;
url = "https://stash.swarsel.win/ocs/v2.php/apps/serverinfo/api/v1/info";
username = "admin";
passwordFile = config.sops.secrets.nextcloudadminpass.path;
};
};
};
services.nginx = {
virtualHosts = {
"status.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://localhost:3000";
extraConfig = ''
client_max_body_size 0;
'';
};
"/prometheus" = {
proxyPass = "http://localhost:9090";
extraConfig = ''
client_max_body_size 0;
'';
}; };
}; };
}; };
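Review bot: `security.admin_password = "$__file{/run/secrets/grafanaadminpass}"` and `basicAuthPassword = "$__file{/run/secrets/prometheusadminpass}"` in the grafana block hard-code the sops mount path, while the nextcloud exporter further down uses `passwordFile = config.sops.secrets.nextcloudadminpass.path`. Assuming the secrets are declared under those names, `"$__file{${config.sops.secrets.grafanaadminpass.path}}"` (and likewise for `prometheusadminpass`) ties the reference to the declared secret and fails at evaluation time instead of pointing at a missing file if a secret is renamed. Whether the `grafana` user is granted read access to those files is decided above the hunk and cannot be checked here. The enclosing attribute set starts before the hunk.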


@ -8,34 +8,35 @@
mode = "0440"; mode = "0440";
}; };
services.nextcloud = { services = {
enable = true; nextcloud = {
package = pkgs.nextcloud31; enable = true;
hostName = "stash.swarsel.win"; package = pkgs.nextcloud31;
home = "/Vault/apps/nextcloud"; hostName = "stash.swarsel.win";
datadir = "/Vault/data/nextcloud"; home = "/Vault/apps/nextcloud";
https = true; datadir = "/Vault/data/nextcloud";
configureRedis = true; https = true;
maxUploadSize = "4G"; configureRedis = true;
extraApps = { maxUploadSize = "4G";
inherit (pkgs.nextcloud30Packages.apps) mail calendar contacts cospend phonetrack polls tasks; extraApps = {
inherit (pkgs.nextcloud30Packages.apps) mail calendar contacts cospend phonetrack polls tasks;
};
config = {
adminuser = "admin";
adminpassFile = config.sops.secrets.nextcloudadminpass.path;
dbtype = "sqlite";
};
}; };
config = {
adminuser = "admin";
adminpassFile = config.sops.secrets.nextcloudadminpass.path;
dbtype = "sqlite";
};
};
nginx = {
services.nginx = { virtualHosts = {
virtualHosts = { "stash.swarsel.win" = {
"stash.swarsel.win" = { enableACME = true;
enableACME = true; forceSSL = true;
forceSSL = true; acmeRoot = null;
acmeRoot = null; # config is automatically added by nixos nextcloud config.
# config is automatically added by nixos nextcloud config. # hence, only provide certificate
# hence, only provide certificate };
}; };
}; };
}; };
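Review bot: `package = pkgs.nextcloud31;` is paired with `inherit (pkgs.nextcloud30Packages.apps) mail calendar contacts cospend phonetrack polls tasks;`, so the apps are taken from the nextcloud 30 package set while the server is nextcloud 31. If the pinned nixpkgs provides `pkgs.nextcloud31Packages`, the inherit should be switched to it so the app versions are the ones released against this server major; otherwise a comment noting the deliberate mismatch would help the next reader. The `nextcloud` set is fully inside the hunk; the enclosing `services` set closes on the hunk's last line.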


@ -17,9 +17,11 @@
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
preliminarySelfsigned = false; preliminarySelfsigned = false;
defaults.email = "mrswarsel@gmail.com"; defaults = {
defaults.dnsProvider = "cloudflare"; email = "mrswarsel@gmail.com";
defaults.environmentFile = "${config.sops.templates."certs.secret".path}"; dnsProvider = "cloudflare";
environmentFile = "${config.sops.templates."certs.secret".path}";
};
}; };
services.nginx = { services.nginx = {
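Review bot: `environmentFile = "${config.sops.templates."certs.secret".path}";` wraps a single value in a string interpolation that adds nothing; `environmentFile = config.sops.templates."certs.secret".path;` is the plainer form and matches how sops paths are referenced elsewhere in this commit (e.g. `passwordFile = config.sops.secrets.nextcloudadminpass.path`). The `security.acme` set is fully inside the hunk; `services.nginx` on the last line continues outside it.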


@ -1,5 +0,0 @@
disabled = [
"repeated_keys"
]
nix_version = '2.4'
ignore = ['.direnv']


@ -13,15 +13,19 @@
uv2nix = { uv2nix = {
url = "github:pyproject-nix/uv2nix"; url = "github:pyproject-nix/uv2nix";
inputs.pyproject-nix.follows = "pyproject-nix"; inputs = {
inputs.nixpkgs.follows = "nixpkgs"; pyproject-nix.follows = "pyproject-nix";
nixpkgs.follows = "nixpkgs";
};
}; };
pyproject-build-systems = { pyproject-build-systems = {
url = "github:pyproject-nix/build-system-pkgs"; url = "github:pyproject-nix/build-system-pkgs";
inputs.pyproject-nix.follows = "pyproject-nix"; inputs = {
inputs.uv2nix.follows = "uv2nix"; pyproject-nix.follows = "pyproject-nix";
inputs.nixpkgs.follows = "nixpkgs"; uv2nix.follows = "uv2nix";
nixpkgs.follows = "nixpkgs";
};
}; };
}; };