style: eliminate duplicate keys

This commit is contained in:
Leon Schwarzäugl 2025-03-21 20:16:37 +01:00
parent 658d2bb7ba
commit c997e9174e
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
15 changed files with 1314 additions and 1249 deletions


@ -1080,11 +1080,19 @@ My work machine. Built for more security, this is the gold standard of my config
esac
'';
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "cryptd" "usbhid" "sd_mod" "r8152" ];
boot.initrd.kernelModules = [ "sg" ];
boot.kernelModules = [ "kvm-amd" ];
boot = {
initrd = {
availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "cryptd" "usbhid" "sd_mod" "r8152" ];
kernelModules = [ "sg" ];
luks.devices."cryptroot" = {
# improve performance on ssds
bypassWorkqueues = true;
preLVM = true;
};
};
boot.kernelParams = [
kernelModules = [ "kvm-amd" ];
kernelParams = [
"mem_sleep_default=deep"
"amd_pstate=passive"
# Fix screen flickering issue at the cost of battery life (disable PSR and PSR-SU, keep PR enabled)
@ -1097,11 +1105,7 @@ My work machine. Built for more security, this is the gold standard of my config
"amdgpu.dcdebugmask=0x410"
];
boot.extraModulePackages = [ ];
boot.initrd.luks.devices."cryptroot" = {
# improve performance on ssds
bypassWorkqueues = true;
preLVM = true;
extraModulePackages = [ ];
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
@ -1291,25 +1295,29 @@ This is my main server that I run at home. It handles most tasks that require bi
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot = {
initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
initrd.kernelModules = [ ];
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
boot.supportedFilesystems = [ "zfs" ];
boot.zfs.extraPools = [ "Vault" ];
supportedFilesystems = [ "zfs" ];
zfs.extraPools = [ "Vault" ];
};
fileSystems."/" =
fileSystems = {
"/" =
{
device = "/dev/disk/by-uuid/30e2f96a-b01d-4c27-9ebb-d5d7e9f0031f";
fsType = "ext4";
};
fileSystems."/boot" =
"/boot" =
{
device = "/dev/disk/by-uuid/F0D8-8BD1";
fsType = "vfat";
};
};
swapDevices =
[{ device = "/dev/disk/by-uuid/a8eb6f3b-69bf-4160-90aa-9247abc108e0"; }];
@ -1454,7 +1462,38 @@ This machine mainly acts as an external sync helper. It manages the following th
defaultSopsFile = lib.mkForce "/root/.dotfiles/secrets/sync/secrets.yaml";
};
services.nginx = {
boot = {
tmp.cleanOnBoot = true;
loader.grub.device = "nodev";
};
zramSwap.enable = false;
networking = {
nftables.enable = lib.mkForce false;
hostName = "sync";
enableIPv6 = false;
domain = "subnet03112148.vcn03112148.oraclevcn.com";
firewall = {
allowedTCPPorts = [ 8384 22000 ];
allowedUDPPorts = [ 21027 22000 ];
extraCommands = ''
iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 27701 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 8384 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 3000 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 22000 -j ACCEPT
iptables -I INPUT -m state --state NEW -p udp --dport 22000 -j ACCEPT
iptables -I INPUT -m state --state NEW -p udp --dport 21027 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 9812 -j ACCEPT
'';
};
};
# system.stateVersion = "23.11"; # TEMPLATE - but probably no need to change
services = {
nginx = {
virtualHosts = {
"sync.swarsel.win" = {
enableACME = true;
@ -1472,40 +1511,13 @@ This machine mainly acts as an external sync helper. It manages the following th
};
};
boot = {
tmp.cleanOnBoot = true;
loader.grub.device = "nodev";
};
zramSwap.enable = false;
networking = {
nftables.enable = lib.mkForce false;
firewall.allowedTCPPorts = [ 8384 22000 ];
firewall.allowedUDPPorts = [ 21027 22000 ];
hostName = "sync";
enableIPv6 = false;
domain = "subnet03112148.vcn03112148.oraclevcn.com";
firewall.extraCommands = ''
iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 27701 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 8384 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 3000 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 22000 -j ACCEPT
iptables -I INPUT -m state --state NEW -p udp --dport 22000 -j ACCEPT
iptables -I INPUT -m state --state NEW -p udp --dport 21027 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 9812 -j ACCEPT
'';
};
# system.stateVersion = "23.11"; # TEMPLATE - but probably no need to change
# do not manage OCI syncthing through nix config
services.syncthing = {
syncthing = {
enable = true;
guiAddress = "0.0.0.0:8384";
openDefaultPorts = true;
};
};
swarselsystems = {
@ -4947,17 +4959,19 @@ Needed for control over system-wide privileges etc. Also I make sure that the ro
_:
{
security.pam.services = {
security = {
pam.services = {
login.u2fAuth = true;
sudo.u2fAuth = true;
swaylock.u2fAuth = true;
swaylock.fprintAuth = false;
};
security.polkit.enable = true;
polkit.enable = true;
security.sudo.extraConfig = ''
sudo.extraConfig = ''
Defaults env_keep+=SSH_AUTH_SOCK
'';
};
}
#+end_src
@ -6442,9 +6456,11 @@ Here we just define some aliases for rebuilding the system, and we allow some in
security.acme = {
acceptTerms = true;
preliminarySelfsigned = false;
defaults.email = "mrswarsel@gmail.com";
defaults.dnsProvider = "cloudflare";
defaults.environmentFile = "${config.sops.templates."certs.secret".path}";
defaults = {
email = "mrswarsel@gmail.com";
dnsProvider = "cloudflare";
environmentFile = "${config.sops.templates."certs.secret".path}";
};
};
services.nginx = {
@ -6879,7 +6895,37 @@ Here we just define some aliases for rebuilding the system, and we allow some in
};
};
services.postgresql = {
systemd = {
timers."restart-bridges" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "1d";
OnUnitActiveSec = "1d";
Unit = "restart-bridges.service";
};
};
services = {
"restart-bridges" = {
script = ''
systemctl restart mautrix-whatsapp.service
systemctl restart mautrix-signal.service
systemctl restart mautrix-telegram.service
'';
serviceConfig = {
Type = "oneshot";
User = "root";
};
};
mautrix-telegram.path = with pkgs; [
lottieconverter # for animated stickers conversion, unfree package
ffmpeg # if converting animated stickers to webm (very slow!)
];
};
};
services = {
postgresql = {
enable = true;
initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
@ -6905,7 +6951,7 @@ Here we just define some aliases for rebuilding the system, and we allow some in
'';
};
services.matrix-synapse = {
matrix-synapse = {
enable = true;
settings = {
app_service_config_files = [
@ -6940,7 +6986,7 @@ Here we just define some aliases for rebuilding the system, and we allow some in
];
};
services.mautrix-telegram = {
mautrix-telegram = {
enable = true;
environmentFile = config.sops.templates.mautrixtelegram.path;
settings = {
@ -6985,12 +7031,8 @@ Here we just define some aliases for rebuilding the system, and we allow some in
};
};
};
systemd.services.mautrix-telegram.path = with pkgs; [
lottieconverter # for animated stickers conversion, unfree package
ffmpeg # if converting animated stickers to webm (very slow!)
];
services.mautrix-whatsapp = {
mautrix-whatsapp = {
enable = true;
registerToSynapse = false;
settings = {
@ -7037,7 +7079,7 @@ Here we just define some aliases for rebuilding the system, and we allow some in
};
};
services.mautrix-signal = {
mautrix-signal = {
enable = true;
registerToSynapse = false;
settings = {
@ -7072,28 +7114,8 @@ Here we just define some aliases for rebuilding the system, and we allow some in
# restart the bridges daily. this is done for the signal bridge mainly which stops carrying
# messages out after a while.
systemd.timers."restart-bridges" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "1d";
OnUnitActiveSec = "1d";
Unit = "restart-bridges.service";
};
};
systemd.services."restart-bridges" = {
script = ''
systemctl restart mautrix-whatsapp.service
systemctl restart mautrix-signal.service
systemctl restart mautrix-telegram.service
'';
serviceConfig = {
Type = "oneshot";
User = "root";
};
};
services.nginx = {
nginx = {
virtualHosts = {
"swatrix.swarsel.win" = {
enableACME = true;
@ -7142,6 +7164,7 @@ Here we just define some aliases for rebuilding the system, and we allow some in
};
};
};
};
}
@ -7164,7 +7187,8 @@ Here we just define some aliases for rebuilding the system, and we allow some in
mode = "0440";
};
services.nextcloud = {
services = {
nextcloud = {
enable = true;
package = pkgs.nextcloud31;
hostName = "stash.swarsel.win";
@ -7183,8 +7207,7 @@ Here we just define some aliases for rebuilding the system, and we allow some in
};
};
services.nginx = {
nginx = {
virtualHosts = {
"stash.swarsel.win" = {
enableACME = true;
@ -7196,6 +7219,7 @@ Here we just define some aliases for rebuilding the system, and we allow some in
};
};
};
};
}
#+end_src
@ -7617,15 +7641,20 @@ This section exposes several metrics that I use to check the health of my server
};
};
users.users.nextcloud-exporter = {
users = {
users = {
nextcloud-exporter = {
extraGroups = [ "nextcloud" ];
};
users.users.grafana = {
grafana = {
extraGroups = [ "users" ];
};
};
};
services.grafana = {
services = {
grafana = {
enable = true;
dataDir = "/Vault/data/grafana";
provision = {
@ -7668,7 +7697,7 @@ This section exposes several metrics that I use to check the health of my server
};
};
services.prometheus = {
prometheus = {
enable = true;
webExternalUrl = "https://status.swarsel.win/prometheus";
port = 9090;
@ -7738,7 +7767,7 @@ This section exposes several metrics that I use to check the health of my server
};
services.nginx = {
nginx = {
virtualHosts = {
"status.swarsel.win" = {
enableACME = true;
@ -7762,6 +7791,7 @@ This section exposes several metrics that I use to check the health of my server
};
};
};
};
}
#+end_src
@ -9575,26 +9605,29 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl
#+begin_src nix :tangle profiles/home/common/mail.nix
{ lib, config, ... }:
{
programs.mbsync = lib.mkIf (!config.swarselsystems.isPublic) {
programs = {
mbsync = lib.mkIf (!config.swarselsystems.isPublic) {
enable = true;
};
msmtp = lib.mkIf (!config.swarselsystems.isPublic) {
enable = true;
};
mu = lib.mkIf (!config.swarselsystems.isPublic) {
enable = true;
};
};
services.mbsync = lib.mkIf (!config.swarselsystems.isPublic) {
enable = true;
};
# this is needed so that mbsync can use the passwords from sops
systemd.user.services.mbsync.Unit.After = lib.mkIf (!config.swarselsystems.isPublic) [ "sops-nix.service" ];
programs.msmtp = lib.mkIf (!config.swarselsystems.isPublic) {
enable = true;
};
programs.mu = lib.mkIf (!config.swarselsystems.isPublic) {
enable = true;
};
accounts.email = lib.mkIf (!config.swarselsystems.isPublic) {
accounts = {
email = lib.mkIf (!config.swarselsystems.isPublic) {
maildirBasePath = "Mail";
accounts.leon = {
accounts = {
leon = {
primary = true;
address = "leon.schwarzaeugl@gmail.com";
userName = "leon.schwarzaeugl@gmail.com";
@ -9627,7 +9660,7 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl
};
};
accounts.swarsel = lib.mkIf (!config.swarselsystems.isPublic) {
swarsel = lib.mkIf (!config.swarselsystems.isPublic) {
address = "leon@swarsel.win";
userName = "8227dc594dd515ce232eda1471cb9a19";
realName = "Leon Schwarzäugl";
@ -9649,7 +9682,7 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl
};
};
accounts.nautilus = lib.mkIf (!config.swarselsystems.isPublic) {
nautilus = lib.mkIf (!config.swarselsystems.isPublic) {
primary = false;
address = "nautilus.dw@gmail.com";
userName = "nautilus.dw@gmail.com";
@ -9675,7 +9708,8 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl
};
};
};
accounts.mrswarsel = lib.mkIf (!config.swarselsystems.isPublic) {
mrswarsel = lib.mkIf (!config.swarselsystems.isPublic) {
primary = false;
address = "mrswarsel@gmail.com";
userName = "mrswarsel@gmail.com";
@ -9701,6 +9735,9 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl
};
};
};
};
};
};
}
#+end_src
@ -15107,21 +15144,3 @@ This file defines a few workflows that I often need to run when working on my co
rsync -av --filter=':- .gitignore' -e "ssh -l {{USER}}" . {{USER}}@{{HOST}}:.dotfiles/
#+end_src
** statix.toml
:PROPERTIES:
:CUSTOM_ID: h:d4dcb884-f24f-4786-8fa6-9f36c88a706e
:END:
This file is used to tell =statix= which checks and folders/fiels to ignore, as well as to specify the nix version that it should use.
I need this mainly to disable the =repeated_keys= check, which checks if there is an attribute set called twice without stepping into it. While in general this should be avoided, since I am tangling some files and need to use the top-level attribute in each org-src block, the check would fail for all these cases.
#+begin_src toml :tangle statix.toml
disabled = [
"repeated_keys"
]
nix_version = '2.4'
ignore = ['.direnv']
#+end_src
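Review bot: In the swatrix hunk (`@ -7072,28 +7114,8 @@`) the two-line comment `# restart the bridges daily. this is done for the signal bridge mainly which stops carrying` / `# messages out after a while.` is left in place above `nginx = {` after the timer and service it explains were moved into the new `systemd = { timers."restart-bridges" = { ... } }` block near the top of that module, so the comment now documents the wrong attribute. Move both comment lines so they sit directly above `timers."restart-bridges" = {` inside the `systemd` block. The same orphaned comment is in the tangled matrix host `.nix` file later in this commit.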


@ -9,21 +9,25 @@
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot = {
initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
initrd.kernelModules = [ ];
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
};
fileSystems."/" = {
fileSystems = {
"/" = {
device = "/dev/disk-by-uuid/d2a8fad0-373e-4bcf-8e75-d9b5ef94199c";
fsType = "ext4";
};
fileSystems."/boot" = {
"/boot" = {
device = "/dev/disk-by-uuid/5CF0-A66E";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
};
swapDevices = [ ];
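Review bot: Both entries in the new `fileSystems = { ... }` set point at `/dev/disk-by-uuid/...`, whereas every other host in this commit uses `/dev/disk/by-uuid/...`; unless this guest ships a custom udev symlink directory, the hyphenated path does not exist and the `/` and `/boot` mounts will fail at boot. Change them to `device = "/dev/disk/by-uuid/d2a8fad0-373e-4bcf-8e75-d9b5ef94199c";` and `device = "/dev/disk/by-uuid/5CF0-A66E";`. These are unchanged lines, so the problem predates this commit, but the restructure is the right moment to fix it rather than carry it into the new block.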


@ -21,11 +21,19 @@
esac
'';
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "cryptd" "usbhid" "sd_mod" "r8152" ];
boot.initrd.kernelModules = [ "sg" ];
boot.kernelModules = [ "kvm-amd" ];
boot = {
initrd = {
availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "cryptd" "usbhid" "sd_mod" "r8152" ];
kernelModules = [ "sg" ];
luks.devices."cryptroot" = {
# improve performance on ssds
bypassWorkqueues = true;
preLVM = true;
};
};
boot.kernelParams = [
kernelModules = [ "kvm-amd" ];
kernelParams = [
"mem_sleep_default=deep"
"amd_pstate=passive"
# Fix screen flickering issue at the cost of battery life (disable PSR and PSR-SU, keep PR enabled)
@ -38,11 +46,7 @@
"amdgpu.dcdebugmask=0x410"
];
boot.extraModulePackages = [ ];
boot.initrd.luks.devices."cryptroot" = {
# improve performance on ssds
bypassWorkqueues = true;
preLVM = true;
extraModulePackages = [ ];
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking


@ -20,7 +20,38 @@ in
defaultSopsFile = lib.mkForce "/root/.dotfiles/secrets/sync/secrets.yaml";
};
services.nginx = {
boot = {
tmp.cleanOnBoot = true;
loader.grub.device = "nodev";
};
zramSwap.enable = false;
networking = {
nftables.enable = lib.mkForce false;
hostName = "sync";
enableIPv6 = false;
domain = "subnet03112148.vcn03112148.oraclevcn.com";
firewall = {
allowedTCPPorts = [ 8384 22000 ];
allowedUDPPorts = [ 21027 22000 ];
extraCommands = ''
iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 27701 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 8384 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 3000 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 22000 -j ACCEPT
iptables -I INPUT -m state --state NEW -p udp --dport 22000 -j ACCEPT
iptables -I INPUT -m state --state NEW -p udp --dport 21027 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 9812 -j ACCEPT
'';
};
};
# system.stateVersion = "23.11"; # TEMPLATE - but probably no need to change
services = {
nginx = {
virtualHosts = {
"sync.swarsel.win" = {
enableACME = true;
@ -38,40 +69,13 @@ in
};
};
boot = {
tmp.cleanOnBoot = true;
loader.grub.device = "nodev";
};
zramSwap.enable = false;
networking = {
nftables.enable = lib.mkForce false;
firewall.allowedTCPPorts = [ 8384 22000 ];
firewall.allowedUDPPorts = [ 21027 22000 ];
hostName = "sync";
enableIPv6 = false;
domain = "subnet03112148.vcn03112148.oraclevcn.com";
firewall.extraCommands = ''
iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 27701 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 8384 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 3000 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 22000 -j ACCEPT
iptables -I INPUT -m state --state NEW -p udp --dport 22000 -j ACCEPT
iptables -I INPUT -m state --state NEW -p udp --dport 21027 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 9812 -j ACCEPT
'';
};
# system.stateVersion = "23.11"; # TEMPLATE - but probably no need to change
# do not manage OCI syncthing through nix config
services.syncthing = {
syncthing = {
enable = true;
guiAddress = "0.0.0.0:8384";
openDefaultPorts = true;
};
};
swarselsystems = {
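Review bot: In the new `firewall = { ... }` block, `extraCommands` still opens 8384, 22000 and 21027 with raw `iptables -I INPUT` rules even though `allowedTCPPorts`/`allowedUDPPorts` directly above already open them, and the remaining ports (80, 443, 3000, 9812, 27701) are only opened imperatively, so they sit outside the module's own chain and, with no matching `extraStopCommands`, are presumably left behind when the firewall unit is stopped or reloaded. Replace the whole `extraCommands` string with `allowedTCPPorts = [ 80 443 3000 8384 9812 22000 27701 ];` and keep `allowedUDPPorts = [ 21027 22000 ];`, which expresses the same policy declaratively. Note that 8384 is the Syncthing GUI, which the same module binds on `guiAddress = "0.0.0.0:8384"`; since the comment says the OCI Syncthing instance is not managed here, confirm GUI authentication is configured out of band before this port stays open. The identical block appears in the org source earlier in this commit.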


@ -7,20 +7,24 @@
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot = {
initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ];
initrd.kernelModules = [ ];
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
};
fileSystems."/" = {
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/4b47378a-02eb-4548-bab8-59cbf379252a";
fsType = "xfs";
};
fileSystems."/boot" = {
"/boot" = {
device = "/dev/disk/by-uuid/2B75-2AD5";
fsType = "vfat";
};
};
swapDevices = [
{ device = "/dev/disk/by-uuid/f0126a93-753e-4769-ada8-7499a1efb3a9"; }


@ -9,10 +9,12 @@
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot = {
initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
initrd.kernelModules = [ ];
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's


@ -6,25 +6,29 @@
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot = {
initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
initrd.kernelModules = [ ];
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
boot.supportedFilesystems = [ "zfs" ];
boot.zfs.extraPools = [ "Vault" ];
supportedFilesystems = [ "zfs" ];
zfs.extraPools = [ "Vault" ];
};
fileSystems."/" =
fileSystems = {
"/" =
{
device = "/dev/disk/by-uuid/30e2f96a-b01d-4c27-9ebb-d5d7e9f0031f";
fsType = "ext4";
};
fileSystems."/boot" =
"/boot" =
{
device = "/dev/disk/by-uuid/F0D8-8BD1";
fsType = "vfat";
};
};
swapDevices =
[{ device = "/dev/disk/by-uuid/a8eb6f3b-69bf-4160-90aa-9247abc108e0"; }];


@ -1,25 +1,28 @@
{ lib, config, ... }:
{
programs.mbsync = lib.mkIf (!config.swarselsystems.isPublic) {
programs = {
mbsync = lib.mkIf (!config.swarselsystems.isPublic) {
enable = true;
};
msmtp = lib.mkIf (!config.swarselsystems.isPublic) {
enable = true;
};
mu = lib.mkIf (!config.swarselsystems.isPublic) {
enable = true;
};
};
services.mbsync = lib.mkIf (!config.swarselsystems.isPublic) {
enable = true;
};
# this is needed so that mbsync can use the passwords from sops
systemd.user.services.mbsync.Unit.After = lib.mkIf (!config.swarselsystems.isPublic) [ "sops-nix.service" ];
programs.msmtp = lib.mkIf (!config.swarselsystems.isPublic) {
enable = true;
};
programs.mu = lib.mkIf (!config.swarselsystems.isPublic) {
enable = true;
};
accounts.email = lib.mkIf (!config.swarselsystems.isPublic) {
accounts = {
email = lib.mkIf (!config.swarselsystems.isPublic) {
maildirBasePath = "Mail";
accounts.leon = {
accounts = {
leon = {
primary = true;
address = "leon.schwarzaeugl@gmail.com";
userName = "leon.schwarzaeugl@gmail.com";
@ -52,7 +55,7 @@
};
};
accounts.swarsel = lib.mkIf (!config.swarselsystems.isPublic) {
swarsel = lib.mkIf (!config.swarselsystems.isPublic) {
address = "leon@swarsel.win";
userName = "8227dc594dd515ce232eda1471cb9a19";
realName = "Leon Schwarzäugl";
@ -74,7 +77,7 @@
};
};
accounts.nautilus = lib.mkIf (!config.swarselsystems.isPublic) {
nautilus = lib.mkIf (!config.swarselsystems.isPublic) {
primary = false;
address = "nautilus.dw@gmail.com";
userName = "nautilus.dw@gmail.com";
@ -100,7 +103,8 @@
};
};
};
accounts.mrswarsel = lib.mkIf (!config.swarselsystems.isPublic) {
mrswarsel = lib.mkIf (!config.swarselsystems.isPublic) {
primary = false;
address = "mrswarsel@gmail.com";
userName = "mrswarsel@gmail.com";
@ -126,5 +130,8 @@
};
};
};
};
};
};
}
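Review bot: Inside the new `accounts = { email = lib.mkIf (!config.swarselsystems.isPublic) { ... accounts = { ... }; }; }` nesting, `swarsel`, `nautilus` and `mrswarsel` each repeat `lib.mkIf (!config.swarselsystems.isPublic)` while `leon` does not; the enclosing `email` definition is already conditional on the same predicate, so the inner guards are redundant and the inconsistency makes them look load-bearing when they are not. Drop the inner wrappers so each account reads `swarsel = {` like `leon`. The same pattern is in the org source earlier in this commit.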


@ -1,16 +1,18 @@
_:
{
security.pam.services = {
security = {
pam.services = {
login.u2fAuth = true;
sudo.u2fAuth = true;
swaylock.u2fAuth = true;
swaylock.fprintAuth = false;
};
security.polkit.enable = true;
polkit.enable = true;
security.sudo.extraConfig = ''
sudo.extraConfig = ''
Defaults env_keep+=SSH_AUTH_SOCK
'';
};
}
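Review bot: `sudo.extraConfig` keeps `SSH_AUTH_SOCK` across sudo without saying why; because this lets every command run under sudo reach the invoking user's ssh-agent, a one-line comment such as `# let commands run via sudo use the invoking user's ssh-agent socket` above `Defaults env_keep+=SSH_AUTH_SOCK` would record the intent and make the scope of the exception reviewable later.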


@ -49,7 +49,37 @@ in
};
};
services.postgresql = {
systemd = {
timers."restart-bridges" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "1d";
OnUnitActiveSec = "1d";
Unit = "restart-bridges.service";
};
};
services = {
"restart-bridges" = {
script = ''
systemctl restart mautrix-whatsapp.service
systemctl restart mautrix-signal.service
systemctl restart mautrix-telegram.service
'';
serviceConfig = {
Type = "oneshot";
User = "root";
};
};
mautrix-telegram.path = with pkgs; [
lottieconverter # for animated stickers conversion, unfree package
ffmpeg # if converting animated stickers to webm (very slow!)
];
};
};
services = {
postgresql = {
enable = true;
initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
@ -75,7 +105,7 @@ in
'';
};
services.matrix-synapse = {
matrix-synapse = {
enable = true;
settings = {
app_service_config_files = [
@ -110,7 +140,7 @@ in
];
};
services.mautrix-telegram = {
mautrix-telegram = {
enable = true;
environmentFile = config.sops.templates.mautrixtelegram.path;
settings = {
@ -155,12 +185,8 @@ in
};
};
};
systemd.services.mautrix-telegram.path = with pkgs; [
lottieconverter # for animated stickers conversion, unfree package
ffmpeg # if converting animated stickers to webm (very slow!)
];
services.mautrix-whatsapp = {
mautrix-whatsapp = {
enable = true;
registerToSynapse = false;
settings = {
@ -207,7 +233,7 @@ in
};
};
services.mautrix-signal = {
mautrix-signal = {
enable = true;
registerToSynapse = false;
settings = {
@ -242,28 +268,8 @@ in
# restart the bridges daily. this is done for the signal bridge mainly which stops carrying
# messages out after a while.
systemd.timers."restart-bridges" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "1d";
OnUnitActiveSec = "1d";
Unit = "restart-bridges.service";
};
};
systemd.services."restart-bridges" = {
script = ''
systemctl restart mautrix-whatsapp.service
systemctl restart mautrix-signal.service
systemctl restart mautrix-telegram.service
'';
serviceConfig = {
Type = "oneshot";
User = "root";
};
};
services.nginx = {
nginx = {
virtualHosts = {
"swatrix.swarsel.win" = {
enableACME = true;
@ -312,6 +318,7 @@ in
};
};
};
};
}


@ -11,15 +11,20 @@
};
};
users.users.nextcloud-exporter = {
users = {
users = {
nextcloud-exporter = {
extraGroups = [ "nextcloud" ];
};
users.users.grafana = {
grafana = {
extraGroups = [ "users" ];
};
};
};
services.grafana = {
services = {
grafana = {
enable = true;
dataDir = "/Vault/data/grafana";
provision = {
@ -62,7 +67,7 @@
};
};
services.prometheus = {
prometheus = {
enable = true;
webExternalUrl = "https://status.swarsel.win/prometheus";
port = 9090;
@ -132,7 +137,7 @@
};
services.nginx = {
nginx = {
virtualHosts = {
"status.swarsel.win" = {
enableACME = true;
@ -156,5 +161,6 @@
};
};
};
};
}
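Review bot: The restructured `users = { users = { grafana = { extraGroups = [ "users" ]; }; }; }` puts the grafana service account into the general `users` group without a comment saying what it needs to read; membership in that group is broader than the `nextcloud`-group grant next to it. A short comment above `grafana = {` naming the path or data source this grants access to (presumably something under `/Vault`, which `dataDir` also uses, but confirm) would let it be narrowed to a dedicated group later.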


@ -8,7 +8,8 @@
mode = "0440";
};
services.nextcloud = {
services = {
nextcloud = {
enable = true;
package = pkgs.nextcloud31;
hostName = "stash.swarsel.win";
@ -27,8 +28,7 @@
};
};
services.nginx = {
nginx = {
virtualHosts = {
"stash.swarsel.win" = {
enableACME = true;
@ -40,5 +40,6 @@
};
};
};
};
}


@ -17,9 +17,11 @@
security.acme = {
acceptTerms = true;
preliminarySelfsigned = false;
defaults.email = "mrswarsel@gmail.com";
defaults.dnsProvider = "cloudflare";
defaults.environmentFile = "${config.sops.templates."certs.secret".path}";
defaults = {
email = "mrswarsel@gmail.com";
dnsProvider = "cloudflare";
environmentFile = "${config.sops.templates."certs.secret".path}";
};
};
services.nginx = {
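Review bot: In the new `defaults = { ... }` block, `environmentFile = "${config.sops.templates."certs.secret".path}";` wraps a single path expression in string interpolation, which only converts the value to a string and adds quoting noise around the already-quoted attribute name. `environmentFile = config.sops.templates."certs.secret".path;` is equivalent and reads more clearly.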


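--- a/statix.toml
+++ b/statix.toml
@@ -1,5 +0,0 @@
-disabled = [
-"repeated_keys"
-]
-nix_version = '2.4'
-ignore = ['.direnv']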


@ -13,15 +13,19 @@
uv2nix = {
url = "github:pyproject-nix/uv2nix";
inputs.pyproject-nix.follows = "pyproject-nix";
inputs.nixpkgs.follows = "nixpkgs";
inputs = {
pyproject-nix.follows = "pyproject-nix";
nixpkgs.follows = "nixpkgs";
};
};
pyproject-build-systems = {
url = "github:pyproject-nix/build-system-pkgs";
inputs.pyproject-nix.follows = "pyproject-nix";
inputs.uv2nix.follows = "uv2nix";
inputs.nixpkgs.follows = "nixpkgs";
inputs = {
pyproject-nix.follows = "pyproject-nix";
uv2nix.follows = "uv2nix";
nixpkgs.follows = "nixpkgs";
};
};
};