swarsel/.dotfiles
1
0
Fork 0
mirror of https://github.com/Swarsel/.dotfiles.git synced 2025-12-06 17:17:22 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: init nixos-server, work screenshare & qol

Browse source
This commit is contained in:
Swarsel 2024-09-23 21:18:36 +02:00
parent e4f38440f8
commit dcf7b84d94
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
34 changed files with 1644 additions and 298 deletions
Download patch file Download diff file Expand all files Collapse all files

32
profiles/server/common/calibre.nix Normal file
View file

@ -0,0 +1,32 @@
{ pkgs, config, ... }:
{
environment.systemPackages = with pkgs; [
calibre
];
sops.secrets.kavita = { owner = "kavita"; };
services.kavita = {
enable = true;
user = "kavita";
port = 8080;
tokenKeyFile = config.sops.secrets.kavita.path;
};
services.nginx = {
"scroll.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://192.168.1.22:8080";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
};
}

53
profiles/server/common/default.nix Normal file
View file

@ -0,0 +1,53 @@
{ lib, config, inputs, ... }:
{
imports = [
../../common/nixos/xserver.nix
../../common/nixos/gc.nix
../../common/nixos/store.nix
../../common/nixos/time.nix
../../common/nixos/pipewire.nix
./packages.nix
./sops.nix
./ssh.nix
./nginx.nix
./kavita.nix
./jellyfin.nix
./navidrome.nix
./spotifyd.nix
./mpd.nix
./matrix.nix
];
nix =
let
flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
in
{
settings = {
experimental-features = [
"nix-command"
"flakes"
"ca-derivations"
];
trusted-users = [ "swarsel" ];
flake-registry = "";
warn-dirty = false;
};
channel.enable = false;
registry = lib.mapAttrs (_: flake: { inherit flake; }) flakeInputs;
nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
};
environment.shellAliases = lib.recursiveUpdate
{
npswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
nswitch = "cd /.dotfiles; nixos-rebuild --flake .#$(hostname) switch; cd -;";
}
config.swarselsystems.shellAliases;
nixpkgs.config.permittedInsecurePackages = [
"olm-3.2.16"
];
system.stateVersion = lib.mkDefault "23.05";
}

44
profiles/server/common/jellyfin.nix Normal file
View file

@ -0,0 +1,44 @@
{ pkgs, lib, config, ... }:
{
config = lib.mkIf config.swarselsystems.server.jellyfin {
users.users.jellyfin = {
extraGroups = [ "video" "render" ];
};
nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
};
hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver # LIBVA_DRIVER_NAME=iHD
vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
vaapiVdpau
libvdpau-va-gl
];
};
services.jellyfin = {
enable = true;
user = "jellyfin";
# openFirewall = true; # this works only for the default ports
};
services.nginx = {
virtualHosts = {
"screen.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://192.168.1.16:8096";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
};
};
};
}

35
profiles/server/common/kavita.nix Normal file
View file

@ -0,0 +1,35 @@
{ pkgs, lib, config, ... }:
{
config = lib.mkIf config.swarselsystems.server.kavita {
environment.systemPackages = with pkgs; [
calibre
];
sops.secrets.kavita = { owner = "kavita"; };
services.kavita = {
enable = true;
user = "kavita";
settings.Port = 8080;
tokenKeyFile = config.sops.secrets.kavita.path;
};
services.nginx = {
virtualHosts = {
"scroll.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://192.168.1.22:8080";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
};
};
};
}

273
profiles/server/common/matrix.nix Normal file
View file

@ -0,0 +1,273 @@
{ config, lib, pkgs, modulesPath, sops, ... }:
let
matrixDomain = "swatrix.swarsel.win";
in
{
config = lib.mkIf config.swarselsystems.server.matrix {
environment.systemPackages = with pkgs; [
matrix-synapse
lottieconverter
ffmpeg
];
sops = {
secrets = {
matrixsharedsecret = { owner = "matrix-synapse"; };
mautrixtelegram_as = { owner = "matrix-synapse"; };
mautrixtelegram_hs = { owner = "matrix-synapse"; };
mautrixtelegram_api_id = { owner = "matrix-synapse"; };
mautrixtelegram_api_hash = { owner = "matrix-synapse"; };
};
templates = {
"matrix_user_register.sh".content = ''
register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008
'';
matrixshared = {
owner = "matrix-synapse";
content = ''
registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret}
'';
};
mautrixtelegram = {
owner = "matrix-synapse";
content = ''
MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as}
MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs}
MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id}
MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash}
'';
};
};
};
services.postgresql = {
enable = true;
initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram';
CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';
CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal';
CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
};
services.matrix-synapse = {
enable = true;
settings = {
app_service_config_files = [
"/var/lib/matrix-synapse/telegram-registration.yaml"
"/var/lib/matrix-synapse/whatsapp-registration.yaml"
"/var/lib/matrix-synapse/signal-registration.yaml"
"/var/lib/matrix-synapse/doublepuppet.yaml"
];
server_name = matrixDomain;
public_baseurl = "https://${matrixDomain}";
listeners = [
{
port = 8008;
bind_addresses = [ "0.0.0.0" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = [ "client" "federation" ];
compress = true;
}
];
}
];
};
extraConfigFiles = [
config.sops.templates.matrixshared.path
];
};
services.mautrix-telegram = {
enable = true;
environmentFile = config.sops.templates.mautrixtelegram.path;
settings = {
homeserver = {
address = "http://localhost:8008";
domain = matrixDomain;
};
appservice = {
address = "http://localhost:29317";
hostname = "0.0.0.0";
port = "29317";
provisioning.enabled = true;
id = "telegram";
# ephemeral_events = true; # not needed due to double puppeting
public = {
enabled = false;
};
database = "postgresql:///mautrix-telegram?host=/run/postgresql";
};
bridge = {
relaybot.authless_portals = true;
allow_avatar_remove = true;
allow_contact_info = true;
sync_channel_members = true;
startup_sync = true;
sync_create_limit = 0;
sync_direct_chats = true;
telegram_link_preview = true;
permissions = {
"*" = "relaybot";
"@swarsel:${matrixDomain}" = "admin";
};
animated_sticker = {
target = "gif";
args = {
width = 256;
height = 256;
fps = 30; # only for webm
background = "020202"; # only for gif, transparency not supported
};
};
};
};
};
systemd.services.mautrix-telegram.path = with pkgs; [
lottieconverter # for animated stickers conversion, unfree package
ffmpeg # if converting animated stickers to webm (very slow!)
];
services.mautrix-whatsapp = {
enable = true;
settings = {
homeserver = {
address = "http://localhost:8008";
domain = matrixDomain;
};
appservice = {
address = "http://localhost:29318";
hostname = "0.0.0.0";
port = 29318;
database = {
type = "postgres";
uri = "postgresql:///mautrix-whatsapp?host=/run/postgresql";
};
};
bridge = {
displayname_template = "{{or .FullName .PushName .JID}} (WA)";
history_sync = {
backfill = true;
max_initial_conversations = -1;
message_count = -1;
request_full_sync = true;
full_sync_config = {
days_limit = 900;
size_mb_limit = 5000;
storage_quota_mb = 5000;
};
};
login_shared_secret_map = {
matrixDomain = "as_token:doublepuppet";
};
sync_manual_marked_unread = true;
send_presence_on_typing = true;
parallel_member_sync = true;
url_previews = true;
caption_in_message = true;
extev_polls = true;
permissions = {
"*" = "relaybot";
"@swarsel:${matrixDomain}" = "admin";
};
};
};
};
services.mautrix-signal = {
enable = true;
settings = {
homeserver = {
address = "http://localhost:8008";
domain = matrixDomain;
};
appservice = {
address = "http://localhost:29328";
hostname = "0.0.0.0";
port = 29328;
database = {
type = "postgres";
uri = "postgresql:///mautrix-signal?host=/run/postgresql";
};
};
bridge = {
displayname_template = "{{or .ContactName .ProfileName .PhoneNumber}} (Signal)";
login_shared_secret_map = {
matrixDomain = "as_token:doublepuppet";
};
caption_in_message = true;
permissions = {
"*" = "relaybot";
"@swarsel:${matrixDomain}" = "admin";
};
};
};
};
# restart the bridges daily. this is done for the signal bridge mainly which stops carrying
# messages out after a while.
systemd.timers."restart-bridges" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "1d";
OnUnitActiveSec = "1d";
Unit = "restart-bridges.service";
};
};
systemd.services."restart-bridges" = {
script = ''
systemctl restart mautrix-whatsapp.service
systemctl restart mautrix-signal.service
systemctl restart mautrix-telegram.service
'';
serviceConfig = {
Type = "oneshot";
User = "root";
};
};
services.nginx = {
virtualHosts = {
"swatrix.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://192.168.1.23:8008";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
};
};
};
}

51
profiles/server/common/mpd.nix Normal file
View file

@ -0,0 +1,51 @@
{ pkgs, lib, config, ... }:
{
config = lib.mkIf config.swarselsystems.server.mpd {
users = {
groups = {
mpd = { };
};
users = {
mpd = {
isSystemUser = true;
group = "mpd";
extraGroups = [ "audio" "utmp" ];
};
};
};
sops = {
secrets.mpdpass = { owner = "mpd"; };
};
environment.systemPackages = with pkgs; [
pciutils
alsa-utils
mpv
];
services.mpd = {
enable = true;
musicDirectory = "/media";
user = "mpd";
group = "mpd";
network = {
port = 3254;
listenAddress = "any";
};
credentials = [
{
passwordFile = config.sops.secrets.mpdpass.path;
permissions = [
"read"
"add"
"control"
"admin"
];
}
];
};
};
}

76
profiles/server/common/navidrome.nix Normal file
View file

@ -0,0 +1,76 @@
{ pkgs, lib, config, ... }:
{
config = lib.mkIf config.swarselsystems.server.navidrome {
environment.systemPackages = with pkgs; [
pciutils
alsa-utils
mpv
];
users = {
groups = {
navidrome = {
gid = 61593;
};
};
users = {
navidrome = {
isSystemUser = true;
uid = 61593;
group = "navidrome";
extraGroups = [ "audio" "utmp" ];
};
};
};
hardware.enableAllFirmware = true;
services.navidrome = {
enable = true;
settings = {
Address = "0.0.0.0";
Port = 4040;
MusicFolder = "/media";
EnableSharing = true;
EnableTranscodingConfig = true;
Scanner.GroupAlbumReleases = true;
ScanSchedule = "@every 1d";
# Insert these values locally as sops-nix does not work for them
# LastFM.ApiKey = TEMPLATE;
# LastFM.Secret = TEMPLATE;
# Spotify.ID = TEMPLATE;
# Spotify.Secret = TEMPLATE;
UILoginBackgroundUrl = "https://i.imgur.com/OMLxi7l.png";
UIWelcomeMessage = "~SwarselSound~";
};
};
services.nginx = {
virtualHosts = {
"sound.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://192.168.1.13:4040";
proxyWebsockets = true;
extraConfig = ''
proxy_redirect http:// https://;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
proxy_buffering off;
proxy_request_buffering off;
client_max_body_size 0;
'';
};
};
};
};
};
};
}

30
profiles/server/common/nginx.nix Normal file
View file

@ -0,0 +1,30 @@
{ pkgs, config, ... }:
{
environment.systemPackages = with pkgs; [
lego
];
sops = {
secrets.dnstokenfull = { owner = "acme"; };
templates."certs.secret".content = ''
CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
'';
};
security.acme = {
acceptTerms = true;
preliminarySelfsigned = false;
defaults.email = "mrswarsel@gmail.com";
defaults.dnsProvider = "cloudflare";
defaults.environmentFile = "${config.sops.templates."certs.secret".path}";
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
# virtualHosts are defined in the respective sections
};
}

9
profiles/server/common/packages.nix Normal file
View file

@ -0,0 +1,9 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
gnupg
nix-index
ssh-to-age
git
];
}

9
profiles/server/common/sops.nix Normal file
View file

@ -0,0 +1,9 @@
{ pkgs, ... }:
{
sops = {
age.sshKeyPaths = [ "/etc/ssh/sops" ];
defaultSopsFile = "/.dotfiles/secrets/server/secrets.yaml";
validateSopsFiles = false;
};
}

29
profiles/server/common/spotifyd.nix Normal file
View file

@ -0,0 +1,29 @@
{ pkgs, lib, config, ... }:
{
config = lib.mkIf config.swarselsystems.server.spotifyd {
users.groups.spotifyd = {
gid = 65136;
};
users.users.spotifyd = {
isSystemUser = true;
uid = 65136;
group = "spotifyd";
extraGroups = [ "audio" "utmp" ];
};
services.spotifyd = {
enable = true;
settings = {
global = {
dbus_type = "session";
use_mpris = false;
device = "default:CARD=PCH";
device_name = "SwarselSpot";
mixer = "alsa";
zeroconf_port = 1025;
};
};
};
};
}

11
profiles/server/common/ssh.nix Normal file
View file

@ -0,0 +1,11 @@
_:
{
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
};
users.users.root.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys
];
}