diff --git a/common/hardware/laptop.nix b/common/hardware/laptop.nix index 28866e3..e3110b2 100644 --- a/common/hardware/laptop.nix +++ b/common/hardware/laptop.nix @@ -56,9 +56,7 @@ in }; boot = { - kernelParams = [ - "quiet" - ]; + kernelParams = [ "quiet" ]; loader.efi.canTouchEfiVariables = true; initrd.availableKernelModules = [ "xhci_pci" diff --git a/common/hardware/tlp.nix b/common/hardware/tlp.nix index 099938f..54cea3c 100644 --- a/common/hardware/tlp.nix +++ b/common/hardware/tlp.nix @@ -83,9 +83,7 @@ in services.power-profiles-daemon.enable = false; services.upower.enable = true; - boot.extraModulePackages = [ - cpupower - ] ++ optional enable_perf_policy x86_energy_perf_policy; + boot.extraModulePackages = [ cpupower ] ++ optional enable_perf_policy x86_energy_perf_policy; services.tlp = { enable = true; diff --git a/common/tooling/default.nix b/common/tooling/default.nix index 6da5b2c..060815f 100644 --- a/common/tooling/default.nix +++ b/common/tooling/default.nix @@ -50,11 +50,11 @@ in fbcat gomuks ranger - + visualvm imagemagick nmap - + parted glib glibc diff --git a/common/tooling/python.nix b/common/tooling/python.nix index 0996143..e593156 100644 --- a/common/tooling/python.nix +++ b/common/tooling/python.nix @@ -17,7 +17,11 @@ in programs.xonsh = { enable = true; - config = lib.concatLines (lib.mapAttrsToList (name: value: ''aliases["${name}"] = "${value}"'') config.environment.shellAliases); + config = lib.concatLines ( + lib.mapAttrsToList ( + name: value: ''aliases["${name}"] = "${value}"'' + ) config.environment.shellAliases + ); package = pkgs.xonsh.override { extraPackages = ps: with ps; [ diff --git a/configuration.nix b/configuration.nix index b85ea8b..8920658 100644 --- a/configuration.nix +++ b/configuration.nix 
@@ -13,7 +13,7 @@ kernelPackages = pkgs.linuxPackages_zen; }; - services.logrotate.checkConfig = false; # fixme: actually needed? + services.logrotate.checkConfig = false; # fixme: actually needed? grimmShared = { enable = true; diff --git a/fake_flake.nix b/fake_flake.nix index 8ce0d30..aa3a82b 100644 --- a/fake_flake.nix +++ b/fake_flake.nix @@ -9,12 +9,17 @@ let nivSources = import ./nix/sources.nix; asGithubRef = src: "github:${src.owner}/${src.repo}/${src.rev}"; - build_target = let env_host = builtins.getEnv "NIXOS_TARGET_HOST"; in if env_host != "" then env_host else builtins.replaceStrings ["\n"] [""] (lib.toLower (builtins.readFile /proc/sys/kernel/hostname)); + build_target = + let + env_host = builtins.getEnv "NIXOS_TARGET_HOST"; + in + if env_host != "" then + env_host + else + builtins.replaceStrings [ "\n" ] [ "" ] (lib.toLower (builtins.readFile /proc/sys/kernel/hostname)); host_modules = { - grimmauld-nixos = [ - ./specific/grimm-nixos-laptop/configuration.nix - ]; + grimmauld-nixos = [ ./specific/grimm-nixos-laptop/configuration.nix ]; grimmauld-nixos-server = [ ./specific/grimmauld-nixos-server/configuration.nix @@ -49,11 +54,11 @@ in "${nivSources.nixos-mailserver}/default.nix" "${nivSources.nixos-matrix-modules}/module.nix" - # fixme: ideally we'd not rely on the flake syntax to load the module + # fixme: ideally we'd not rely on the flake syntax to load the module (builtins.getFlake (asGithubRef nivSources.chaotic)).nixosModules.default # (builtins.getFlake (asGithubRef nivSources.nixos-matrix-modules)).nixosModules.default # (builtins.getFlake "git+${nivSources.nixos-mailserver.repo}").nixosModules.default - ] ++ lib.optionals (builtins.hasAttr build_target host_modules) host_modules.${build_target}; + ] ++ lib.optionals (builtins.hasAttr build_target host_modules) host_modules.${build_target}; nixpkgs.hostPlatform = system; diff --git a/modules/discord-matrix-bridge.nix b/modules/discord-matrix-bridge.nix index a854fe4..d98d462 100644 
--- a/modules/discord-matrix-bridge.nix +++ b/modules/discord-matrix-bridge.nix @@ -1,22 +1,40 @@ -{ config, lib, pkgs, ...}: let +{ + config, + lib, + pkgs, + ... +}: +let bridge_port = 9005; # netstat -nlp | grep 9005 -in { - nixpkgs.overlays = [ (final: prev: { matrix-appservice-discord = prev.matrix-appservice-discord.overrideAttrs (old: { - src = pkgs.fetchFromGitHub { - owner = "t2bot"; - repo = "matrix-appservice-discord"; - rev = "8361ca6121bf1f0902154baa538cb6d5766e477f"; - hash = "sha256-oXon6pFJgqQ1uBLtsSVNH7XSOpxxJYqpW2n9cFrs3sU="; - }; - patches = (let oldPatches = old.patches or []; in if oldPatches == null then [] else oldPatches) ++ [ ./patch_bridge_perms.patch ]; - doCheck = false; - });}) +in +{ + nixpkgs.overlays = [ + (final: prev: { + matrix-appservice-discord = prev.matrix-appservice-discord.overrideAttrs (old: { + src = pkgs.fetchFromGitHub { + owner = "t2bot"; + repo = "matrix-appservice-discord"; + rev = "8361ca6121bf1f0902154baa538cb6d5766e477f"; + hash = "sha256-oXon6pFJgqQ1uBLtsSVNH7XSOpxxJYqpW2n9cFrs3sU="; + }; + patches = + ( + let + oldPatches = old.patches or [ ]; + in + if oldPatches == null then [ ] else oldPatches + ) + ++ [ ./patch_bridge_perms.patch ]; + doCheck = false; + }); + }) ]; - age.secrets.matrix_discord_bridge_token.file = ../secrets/matrix_discord_bridge_token.age; - services.matrix-synapse-next.settings.app_service_config_files = [ "/var/lib/matrix-synapse/discord-registration.yaml" ]; + services.matrix-synapse-next.settings.app_service_config_files = [ + "/var/lib/matrix-synapse/discord-registration.yaml" + ]; services.matrix-appservice-discord = { enable = true; 
@@ -31,13 +49,12 @@ in { disablePresence = true; disableTypingNotifications = true; }; -# logging.console = "silly"; + # logging.console = "silly"; }; - serviceDependencies = ["matrix-synapse.target"]; + serviceDependencies = [ "matrix-synapse.target" ]; port = bridge_port; localpart = "_discord_"; package = pkgs.matrix-appservice-discord; environmentFile = config.age.secrets.matrix_discord_bridge_token.path; }; } - diff --git a/modules/email.nix b/modules/email.nix index fd791eb..06fd8a4 100644 --- a/modules/email.nix +++ b/modules/email.nix @@ -1,11 +1,12 @@ -{ config, ... }: +{ config, ... }: let inherit (config.networking) domain; mail_host = "mail.${domain}"; -in { +in +{ security.acme.certs."${domain}".extraDomainNames = [ mail_host ]; -# services.dovecot2.sieve.extensions = [ "fileinto" ]; # sives break without this for some reason + # services.dovecot2.sieve.extensions = [ "fileinto" ]; # sives break without this for some reason mailserver = { enable = true; fqdn = mail_host; @@ -16,7 +17,7 @@ in { loginAccounts = { "contact@${domain}" = { hashedPasswordFile = ./mailpass/contact; - aliases = ["kontakt@${domain}"]; + aliases = [ "kontakt@${domain}" ]; }; "admin@${domain}" = { hashedPasswordFile = ./mailpass/admin; @@ -33,9 +34,10 @@ in { keyFile = "/var/lib/acme/${domain}/key.pem"; }; - services.nginx = { + services.nginx = { enable = true; - virtualHosts."${mail_host}" = { # you should NOT be here from a browser :P + virtualHosts."${mail_host}" = { + # you should NOT be here from a browser :P serverName = mail_host; forceSSL = true; useACMEHost = domain; diff --git a/modules/fail2ban.nix b/modules/fail2ban.nix index 80da631..d1d0bee 100644 --- a/modules/fail2ban.nix +++ b/modules/fail2ban.nix 
@@ -1,10 +1,13 @@ -{ ... }: { +{ ... }: +{ services.fail2ban = { enable = true; maxretry = 5; ignoreIP = [ # Whitelist some subnets - "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" + "10.0.0.0/8" + "172.16.0.0/12" + "192.168.0.0/16" "matrix.org" "app.element.io" # don't ratelimit matrix users ]; diff --git a/modules/gitea.nix b/modules/gitea.nix index 63dbb18..95d7f7e 100644 --- a/modules/gitea.nix +++ b/modules/gitea.nix @@ -1,10 +1,17 @@ -{ lib, config, inputs, pkgs, ... }: +{ + lib, + config, + inputs, + pkgs, + ... +}: let inherit (config.networking) domain; gitea_host = "git.${domain}"; gitea_port = 8081; gitea_ssh_port = 2222; -in { +in +{ services.gitea = { enable = true; settings = { @@ -17,22 +24,19 @@ in { START_SSH_SERVER = true; BUILTIN_SSH_SERVER_USER = "git"; SSH_PORT = gitea_ssh_port; -# SSH_LISTEN_HOST="::"; # fixme? -# SSH_AUTHORIZED_PRINCIPALS_ALLOW="username"; + # SSH_LISTEN_HOST="::"; # fixme? + # SSH_AUTHORIZED_PRINCIPALS_ALLOW="username"; }; -# log.LEVEL = "Debug"; + # log.LEVEL = "Debug"; "ssh.minimum_key_sizes".RSA = 2048; "git.timeout".MIGRATE = 6000; }; lfs.enable = true; }; - environment.systemPackages = with pkgs; [ - gitea - ]; + environment.systemPackages = with pkgs; [ gitea ]; - - security.acme.certs."${domain}".extraDomainNames = [ gitea_host]; + security.acme.certs."${domain}".extraDomainNames = [ gitea_host ]; networking.firewall.allowedTCPPorts = [ gitea_ssh_port ]; services.nginx = { @@ -47,4 +51,3 @@ in { }; }; } - diff --git a/modules/grafana.nix b/modules/grafana.nix index 628c142..69f3dc2 100644 --- a/modules/grafana.nix +++ b/modules/grafana.nix @@ -3,7 +3,8 @@ let inherit (config.networking) domain; grafana_host = "grafana.${domain}"; grafana_port = 8082; -in { +in +{ age.secrets.grafana_admin_pass = { file = ../secrets/grafana_admin_pass.age; owner = "grafana"; diff --git a/modules/letsencrypt.nix b/modules/letsencrypt.nix index 56113c3..4d2317c 100644 --- a/modules/letsencrypt.nix +++ b/modules/letsencrypt.nix 
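Review bot: The hostnames `matrix.org` and `app.element.io` in `ignoreIP` are resolved by fail2ban once when the jail starts, and the resulting addresses are then exempt from every jail (sshd included), not only the Matrix-related one the comment has in mind. Browser traffic from Element Web originates from the users' own addresses, not from `app.element.io`, so that entry exempts nothing useful, and the `matrix.org` entry drifts silently as DNS changes. If the intent is to avoid banning federation traffic, scope it to the jail that sees it, e.g. via `services.fail2ban.jails.<name>.settings.ignoreip`, rather than the global list, or drop the hostnames.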
@@ -1,8 +1,15 @@ -{ lib, config, inputs, pkgs, ... }: +{ + lib, + config, + inputs, + pkgs, + ... +}: let inherit (config.networking) domain; root_email = "contact@${domain}"; -in { +in +{ security.acme = { acceptTerms = true; defaults.email = root_email; diff --git a/modules/mastodon.nix b/modules/mastodon.nix index 04888cd..0d3258e 100644 --- a/modules/mastodon.nix +++ b/modules/mastodon.nix @@ -1,8 +1,9 @@ -{ config, ... } : +{ config, ... }: let inherit (config.networking) domain; mastodon_host = "mastodon.${domain}"; -in { +in +{ security.acme.certs."${domain}".extraDomainNames = [ mastodon_host ]; services.mastodon = { enable = true; diff --git a/modules/matrix.nix b/modules/matrix.nix index 963e8d1..7351e6b 100644 --- a/modules/matrix.nix +++ b/modules/matrix.nix @@ -1,9 +1,16 @@ -{ lib, config, inputs, pkgs, ... }: +{ + lib, + config, + inputs, + pkgs, + ... +}: let inherit (config.networking) domain; matrix_host = "matrix.${domain}"; -in { -services.postgresql = { +in +{ + services.postgresql = { enable = true; # CREATE DATABASE synapse ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER synapse; ensureDatabases = [ "synapse" ]; 
@@ -15,40 +22,42 @@ services.postgresql = { } ]; authentication = pkgs.lib.mkOverride 10 '' - #type database DBuser auth-method -local all postgres peer -local all all peer -host all all 127.0.0.1/32 md5 -host synapse matrix-synapse ::1/128 md5 -host nextcloud nextcloud ::1/128 md5 -host all all ::1/128 md5 -local replication all peer -host replication all 127.0.0.1/32 md5 -host replication all ::1/128 md5 + #type database DBuser auth-method + local all postgres peer + local all all peer + host all all 127.0.0.1/32 md5 + host synapse matrix-synapse ::1/128 md5 + host nextcloud nextcloud ::1/128 md5 + host all all ::1/128 md5 + local replication all peer + host replication all 127.0.0.1/32 md5 + host replication all ::1/128 md5 ''; identMap = '' - # ArbitraryMapName systemUser DBUser - superuser_map root postgres - superuser_map matrix-synapse synapse - superuser_map nextcloud nextcloud - superuser_map postgres postgres - # Let other names login as themselves - superuser_map /^(.*)$ \1 - ''; + # ArbitraryMapName systemUser DBUser + superuser_map root postgres + superuser_map matrix-synapse synapse + superuser_map nextcloud nextcloud + superuser_map postgres postgres + # Let other names login as themselves + superuser_map /^(.*)$ \1 + ''; }; - systemd.services.postgresql.postStart = let - password_file_path = config.age.secrets.synapse_db_pass.path; - in '' - $PSQL -tA <<'EOF' - DO $$ - DECLARE password TEXT; - BEGIN - password := trim(both from replace(pg_read_file('${password_file_path}'), E'\n', ''')); - EXECUTE format('ALTER ROLE synapse WITH PASSWORD '''%s''';', password); - END $$; - EOF - ''; + systemd.services.postgresql.postStart = + let + password_file_path = config.age.secrets.synapse_db_pass.path; + in + '' + $PSQL -tA <<'EOF' + DO $$ + DECLARE password TEXT; + BEGIN + password := trim(both from replace(pg_read_file('${password_file_path}'), E'\n', ''')); + EXECUTE format('ALTER ROLE synapse WITH PASSWORD '''%s''';', password); + END $$; + EOF + ''; 
services.matrix-synapse-next = { enable = true; @@ -71,10 +80,10 @@ host replication all ::1/128 md5 enable_registration = true; registration_requires_token = true; registration_shared_secret_path = config.age.secrets.synapse_registration_shared_secret.path; -# enable_registration_without_verification = true; -# mainLogConfig = ./matrix_synapse_log_config.yaml; + # enable_registration_without_verification = true; + # mainLogConfig = ./matrix_synapse_log_config.yaml; -# registrations_require_3pid = [ "email" ]; + # registrations_require_3pid = [ "email" ]; database = { name = "psycopg2"; @@ -89,7 +98,7 @@ host replication all ::1/128 md5 passfile = config.age.secrets.synapse_db_pass_prepared.path; }; }; - }; + }; }; services.redis.servers."".enable = true; @@ -125,16 +134,16 @@ host replication all ::1/128 md5 locations."/.well-known/matrix/server" = { return = "200 '{\"m.server\":\"${matrix_host}:443\"}'"; extraConfig = '' -default_type application/json; -add_header Access-Control-Allow-Origin *; -add_header Accept-Ranges bytes;''; + default_type application/json; + add_header Access-Control-Allow-Origin *; + add_header Accept-Ranges bytes;''; }; locations."/.well-known/matrix/client" = { return = "200 '{\"m.homeserver\": {\"base_url\": \"https://${matrix_host}\"}}'"; extraConfig = '' -add_header Access-Control-Allow-Origin *; -default_type application/json; -''; + add_header Access-Control-Allow-Origin *; + default_type application/json; + ''; }; locations."/_matrix" = { proxyPass = "http://$synapse_backend"; @@ -171,5 +180,5 @@ default_type application/json; }; }; }; -# networking.firewall.allowedTCPPorts = [ 8448 8008 ]; + # networking.firewall.allowedTCPPorts = [ 8448 8008 ]; } diff --git a/modules/mjolnir.nix b/modules/mjolnir.nix index 2b74052..32520dc 100644 --- a/modules/mjolnir.nix +++ b/modules/mjolnir.nix 
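Review bot: In the rebuilt `postStart` heredoc the password is spliced with `%s` inside hand-placed quotes, so a secret containing a single quote breaks or alters the `ALTER ROLE` statement; `format()` has `%L` for exactly this: `EXECUTE format('ALTER ROLE synapse WITH PASSWORD %L;', password);`. The `authentication` block above uses `md5` on every `host` line, which is deprecated in favour of `scram-sha-256` (change the `pg_hba` method and `password_encryption` together, since existing md5 hashes will not validate under scram). None of the `peer` lines carry `map=superuser_map`, so as far as this hunk shows the `identMap` — including its catch-all `superuser_map /^(.*)$ \1` — is never consulted; either reference it from the `peer` lines or remove it so nobody assumes that mapping is in force.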
@@ -1,8 +1,8 @@ -{ config, ... } : +{ config, ... }: let - -in { - age.secrets = { +in +{ + age.secrets = { matrix_mjolnir_pass = { file = ../secrets/matrix_mjolnir_pass.age; owner = "mjolnir"; @@ -14,7 +14,7 @@ in { file = ../secrets/matrix_mjolnir_tle_pass.age; owner = "mjolnir"; group = "mjolnir"; - mode = "0777"; # not ideal, but containers are weird + mode = "0777"; # not ideal, but containers are weird }; }; @@ -22,9 +22,7 @@ in { services.mjolnir = { enable = true; homeserverUrl = config.services.matrix-synapse-next.settings.public_baseurl; - protectedRooms = [ - "https://matrix.to/#/!zDkrFrfuMIKbqYFbFv:grimmauld.de" - ]; + protectedRooms = [ "https://matrix.to/#/!zDkrFrfuMIKbqYFbFv:grimmauld.de" ]; managementRoom = "!kgfXXqEYHGgToIwhMP:grimmauld.de"; pantalaimon = { enable = true; 
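Review bot: `mode = "0777";` on `matrix_mjolnir_tle_pass` leaves that Matrix account password readable by every local user and process on the host, and the comment marks it as a workaround for uid mismatch in the container rather than a deliberate choice. As far as this module shows, the `mjolnirtle` container does not enable `privateUsers`, so host and container appear to share the numeric uid space; pinning `users.users.mjolnir.uid` to the same fixed value in both the host config and the container's `config` should let the secret return to `mode = "0440";` with `owner`/`group` `mjolnir`. Confirm the uid the container's mjolnir unit actually runs as before tightening, since that is presumably what broke originally.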
@@ -37,33 +35,35 @@ in { }; services.logrotate.checkConfig = false; # needed or this explodes - containers.mjolnirtle = let - baseurl = config.services.matrix-synapse-next.settings.public_baseurl; - pass_file = config.age.secrets.matrix_mjolnir_tle_pass.path; - in { - privateNetwork = false; # don't want nat - autoStart = true; - bindMounts."${pass_file}".isReadOnly = true; - config = { config, ... }: { - system.stateVersion = "unstable"; - # tle mjolnir - services.logrotate.checkConfig = false; - services.mjolnir = { - enable = true; - homeserverUrl = baseurl; - protectedRooms = [ - "https://matrix.to/#/!BgDBnHgMgilMMnPMyp:grimmauld.de" - ]; - managementRoom = "!NQedmlMeoQErGgAwxm:grimmauld.de"; - pantalaimon = { - enable = true; - username = "mjolnir_tle"; - options = { - homeserver = baseurl; - }; - passwordFile = pass_file; + containers.mjolnirtle = + let + baseurl = config.services.matrix-synapse-next.settings.public_baseurl; + pass_file = config.age.secrets.matrix_mjolnir_tle_pass.path; + in + { + privateNetwork = false; # don't want nat + autoStart = true; + bindMounts."${pass_file}".isReadOnly = true; + config = + { config, ... }: + { + system.stateVersion = "unstable"; + # tle mjolnir + services.logrotate.checkConfig = false; + services.mjolnir = { + enable = true; + homeserverUrl = baseurl; + protectedRooms = [ "https://matrix.to/#/!BgDBnHgMgilMMnPMyp:grimmauld.de" ]; + managementRoom = "!NQedmlMeoQErGgAwxm:grimmauld.de"; + pantalaimon = { + enable = true; + username = "mjolnir_tle"; + options = { + homeserver = baseurl; + }; + passwordFile = pass_file; + }; + }; + }; }; - }; - }; - }; } diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix index bb4cb6b..d953b44 100644 --- a/modules/nextcloud.nix +++ b/modules/nextcloud.nix 
@@ -1,9 +1,15 @@ -{ lib, pkgs, config, ...} : +{ + lib, + pkgs, + config, + ... +}: let inherit (config.networking) domain; nextcloud_host = "cloud.${domain}"; nextcloud_port = 8083; -in { +in +{ services.postgresql = { enable = true; ensureDatabases = [ "nextcloud" ]; @@ -37,7 +43,7 @@ in { nextcloud-occ config:system:set redis 'port' --value 6379 --type integer nextcloud-occ config:system:set memcache.local --value '\OC\Memcache\Redis' --type string nextcloud-occ config:system:set memcache.locking --value '\OC\Memcache\Redis' --type string - ''; + ''; services.nextcloud = { enable = true; @@ -46,13 +52,13 @@ in { package = pkgs.nextcloud28; caching.redis = true; -# extraApps = with config.services.nextcloud.package.packages.apps; [ -# news contacts calendar tasks; -# ]; + # extraApps = with config.services.nextcloud.package.packages.apps; [ + # news contacts calendar tasks; + # ]; config = { adminpassFile = config.age.secrets.nextcloud_admin_pass.path; dbuser = "nextcloud"; - dbhost= "localhost:${builtins.toString config.services.postgresql.settings.port}"; + dbhost = "localhost:${builtins.toString config.services.postgresql.settings.port}"; dbtype = "pgsql"; }; settings = { @@ -64,7 +70,6 @@ in { port = 6379; timeout = 0.0; }; - }; phpOptions = { "opcache.interned_strings_buffer" = "12"; diff --git a/modules/prometheus.nix b/modules/prometheus.nix index 9c525c0..32ffead 100644 --- a/modules/prometheus.nix +++ b/modules/prometheus.nix @@ -1,10 +1,11 @@ -{ config, ... } : +{ config, ... }: let inherit (config.networking) domain; prometheus_host = "prometheus.${domain}"; prometheus_port = 9090; # netstat -nlp | grep 9090 -in { - security.acme.certs."${domain}".extraDomainNames = [ prometheus_host]; +in +{ + security.acme.certs."${domain}".extraDomainNames = [ prometheus_host ]; services.prometheus = { enable = true; 
@@ -13,13 +14,15 @@ in { scrapeConfigs = [ { job_name = "chrysalis"; - static_configs = [{ - targets = [ - "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" - "127.0.0.1:${toString config.services.prometheus.exporters.nginx.port}" - "127.0.0.1:${toString config.services.prometheus.exporters.postgres.port}" - ]; - }]; + static_configs = [ + { + targets = [ + "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" + "127.0.0.1:${toString config.services.prometheus.exporters.nginx.port}" + "127.0.0.1:${toString config.services.prometheus.exporters.postgres.port}" + ]; + } + ]; } ]; exporters = { @@ -44,7 +47,7 @@ in { forceSSL = true; useACMEHost = domain; locations."/" = { -# proxyPass = "http://127.0.0.1:${builtins.toString config.services.prometheus.port}"; + # proxyPass = "http://127.0.0.1:${builtins.toString config.services.prometheus.port}"; return = "307 https://${domain}"; # nuh uh, no raw prometheus access for you! }; }; diff --git a/modules/ptero.nix b/modules/ptero.nix index 9c326a2..2cfaed6 100644 --- a/modules/ptero.nix +++ b/modules/ptero.nix @@ -1,4 +1,5 @@ -{config, pkgs, ...}: let +{ config, pkgs, ... }: +let inherit (config.networking) domain; root_email = "contact@${domain}"; ptero_host = "ptero.${domain}"; @@ -7,13 +8,14 @@ local_bridge = "ptero-local-br"; ptero_ver = "1.11.5"; ptero_port = "8042"; -in { +in +{ users.users.${panel_user} = { isSystemUser = true; - extraGroups = ["docker"]; + extraGroups = [ "docker" ]; group = panel_user; }; - users.groups.${panel_user} = {}; + users.groups.${panel_user} = { }; age.secrets.ptero_env = { file = ../secrets/ptero_env.age; 
@@ -22,17 +24,17 @@ in { systemd.services.init-ptero-data-dir = { description = "Create the pterodactyl panel data dir"; wantedBy = [ "multi-user.target" ]; - + serviceConfig.Type = "oneshot"; - script ='' -mkdir -p ${DATA_DIR}/database -mkdir -p ${DATA_DIR}/cache -mkdir -p ${DATA_DIR}/panel/var -mkdir -p ${DATA_DIR}/panel/logs -mkdir -p ${DATA_DIR}/panel/nginx -chown ${panel_user}:${panel_user} -R ${DATA_DIR} -chmod +777 -R ${DATA_DIR} -''; + script = '' + mkdir -p ${DATA_DIR}/database + mkdir -p ${DATA_DIR}/cache + mkdir -p ${DATA_DIR}/panel/var + mkdir -p ${DATA_DIR}/panel/logs + mkdir -p ${DATA_DIR}/panel/nginx + chown ${panel_user}:${panel_user} -R ${DATA_DIR} + chmod +777 -R ${DATA_DIR} + ''; }; virtualisation.oci-containers.backend = "podman"; @@ -41,19 +43,21 @@ chmod +777 -R ${DATA_DIR} description = "Create the network bridge ${local_bridge} for ptero."; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - - serviceConfig.Type = "oneshot"; - script = let podmancli = "${config.virtualisation.podman.package}/bin/podman"; - in '' - check=$(${podmancli} pod ls | grep "ptero" || true) - if [ -z "$check" ]; then - ${podmancli} pod create -p "${ptero_port}:80" ptero - else - echo "ptero pod already exists" - fi - ''; - }; + serviceConfig.Type = "oneshot"; + script = + let + podmancli = "${config.virtualisation.podman.package}/bin/podman"; + in + '' + check=$(${podmancli} pod ls | grep "ptero" || true) + if [ -z "$check" ]; then + ${podmancli} pod create -p "${ptero_port}:80" ptero + else + echo "ptero pod already exists" + fi + ''; + }; virtualisation.oci-containers.containers."ptero-mysql" = { image = "library/mysql:8.0"; 
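Review bot: `chmod +777 -R ${DATA_DIR}` makes the whole pterodactyl tree, including `database` (mounted as the MySQL data directory in the next hunk) and `panel/var`, world-writable on the host, so any local account can tamper with the panel database or its logs. The `chown` on the line before already hands ownership to `${panel_user}`; the 777 is presumably there because the mysql and redis images run as their own uids, and if so the fix is to chown each subdirectory to the uid its container runs as (check with `podman top`) and use `chmod -R u=rwX,g=rwX,o= ${DATA_DIR}` rather than opening it to everyone. The `+777` spelling is the additive form and reads like a typo for `777`; the symbolic form above states the intent.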
@@ -64,14 +68,17 @@ chmod +777 -R ${DATA_DIR} "MYSQL_DATABASE" = "panel"; }; environmentFiles = [ config.age.secrets.ptero_env.path ]; - volumes = ["${DATA_DIR}/database:/var/lib/mysql" "${DATA_DIR}/database:${DATA_DIR}/database"]; - cmd=["--default-authentication-plugin=mysql_native_password"]; + volumes = [ + "${DATA_DIR}/database:/var/lib/mysql" + "${DATA_DIR}/database:${DATA_DIR}/database" + ]; + cmd = [ "--default-authentication-plugin=mysql_native_password" ]; }; virtualisation.oci-containers.containers."ptero-cache" = { image = "redis:alpine"; workdir = "${DATA_DIR}/cache"; - volumes = ["${DATA_DIR}/cache:${DATA_DIR}/cache"]; + volumes = [ "${DATA_DIR}/cache:${DATA_DIR}/cache" ]; extraOptions = [ "--pod=ptero" ]; }; @@ -85,7 +92,7 @@ chmod +777 -R ${DATA_DIR} extraOptions = [ "--pod=ptero" ]; environment = { "APP_URL" = "https://${ptero_host}"; - "APP_TIMEZONE" = "Europe/Berlin"; + "APP_TIMEZONE" = "Europe/Berlin"; "APP_SERVICE_AUTHOR" = root_email; "MAIL_FROM" = "noreply@${domain}"; @@ -96,8 +103,8 @@ chmod +777 -R ${DATA_DIR} "MAIL_PASSWORD" = ""; "MAIL_ENCRYPTION" = "true"; - "APP_ENV"= "production"; - "APP_ENVIRONMENT_ONLY"= "false"; + "APP_ENV" = "production"; + "APP_ENVIRONMENT_ONLY" = "false"; "CACHE_DRIVER" = "redis"; "SESSION_DRIVER" = "redis"; "QUEUE_DRIVER" = "redis"; @@ -106,7 +113,7 @@ chmod +777 -R ${DATA_DIR} "TRUSTED_PROXIES" = "*"; }; labels = { - "traefik.http.routers.pterodactyl_panel.entrypoints"="web"; + "traefik.http.routers.pterodactyl_panel.entrypoints" = "web"; }; environmentFiles = [ config.age.secrets.ptero_env.path ]; }; diff --git a/modules/puffer.nix b/modules/puffer.nix index ec63366..4f9d894 100644 --- a/modules/puffer.nix +++ b/modules/puffer.nix @@ -1,4 +1,10 @@ -{ lib, config, inputs, pkgs, ... }: +{ + lib, + config, + inputs, + pkgs, + ... +}: let inherit (config.networking) domain; puffer_port = 8080; 
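Review bot: `"TRUSTED_PROXIES" = "*";` (a context line in the `@@ -106,7 +113,7 @@` hunk) makes the panel honour `X-Forwarded-For`/`X-Forwarded-Proto` from any peer, so anyone who can reach the pod's published port `${ptero_port}` directly can forge their client IP in audit logs and sidestep IP-based rate limits. If the panel is only fronted by the host's nginx, restrict it to that hop, e.g. `"TRUSTED_PROXIES" = "127.0.0.1";` (or whatever address nginx connects from, which this diff does not show). The `environment` attrset this line belongs to begins outside the hunk.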
@@ -6,14 +12,15 @@ let puffer_host = "puffer.${domain}"; tlemap_host = "tlemap.${domain}"; tlemap_port = 8100; -in { +in +{ services.pufferpanel = { enable = true; environment = { PUFFER_WEB_HOST = ":${builtins.toString puffer_port}"; PUFFER_DAEMON_SFTP_HOST = ":${builtins.toString puffer_sftp_port}"; }; - extraPackages = with pkgs; []; + extraPackages = with pkgs; [ ]; extraGroups = [ "docker" ]; }; @@ -35,12 +42,21 @@ in { proxyPass = "http://127.0.0.1:${builtins.toString tlemap_port}"; }; }; - }; - security.acme.certs."${domain}".extraDomainNames = [ puffer_host tlemap_host ]; - networking.firewall.allowedTCPPorts = [ puffer_sftp_port 25565 25566 25567 25568 7270 ]; + security.acme.certs."${domain}".extraDomainNames = [ + puffer_host + tlemap_host + ]; + networking.firewall.allowedTCPPorts = [ + puffer_sftp_port + 25565 + 25566 + 25567 + 25568 + 7270 + ]; -# virtualisation.podman.enable = true; + # virtualisation.podman.enable = true; virtualisation.docker.enable = true; environment.systemPackages = with pkgs; [ diff --git a/modules/toolchains.nix b/modules/toolchains.nix index 8cd6eec..8a731f0 100644 --- a/modules/toolchains.nix +++ b/modules/toolchains.nix @@ -1,6 +1,8 @@ -{config, pkgs, ...}: let +{ config, pkgs, ... }: +let git_user = "Grimmauld"; -in { +in +{ environment.systemPackages = with pkgs; [ (writeShellScriptBin "silent-add" "git add --intent-to-add $@ ; git update-index --assume-unchanged $@") (writeShellScriptBin "systemd-owner" "systemctl show -pUser,UID $@") @@ -36,10 +38,15 @@ in { set number set hidden set nocompatible - ''; + ''; packages.myVimPackage = with pkgs.vimPlugins; { # loaded on launch - start = [ vim-nix vim-scala fugitive autoclose-nvim ]; + start = [ + vim-nix + vim-scala + fugitive + autoclose-nvim + ]; # manually loadable by calling `:packadd $plugin-name` opt = [ ]; }; diff --git a/secrets/secrets.nix b/secrets/secrets.nix index a2c83ad..81f95ab 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -2,13 +2,16 @@ let laptop_pub = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCy7X5ByG4/9y2XkQSnXcpMGnV5WPGUd+B6FaYCDNmPQ7xIZEteS+kCpu9oiMP6C/H/FT+i9DZvCflkzgdFAyujYLKRYaZbZ3K6F60qN0rkJ0z/ZO5c6rqwIwR6BEoB7dq5inkyH9fZ8/SI+PXxELmeWF9ehT7kkQC+o9Ujpcjd7ZuZllbAz4UQZFRbbpwdVJCEDenu9/63yuYbvMupgGk0edaTiFT0Q9MSzs/3pNP8xlAxmmZ3HzSjeF7gUzBF7CaIroTeguiUjSVybUEx48P8fy878t7dUZf4anEno9MS0B3aqfZvCKuuPdAUdeBfCbFHRqN7GuCylFIXGPe95Mxl grimmauld@grimmauld-nixos"; laptop_pub_ed = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJhM1Fk5ix4OZAdlfCxL891KxeEKpyIFrP5yYkC9mg7E grimmauld@grimmauld-nixos"; - # obtained with `ssh-keyscan [ip]` + # obtained with `ssh-keyscan [ip]` contabo_nix_pub = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCCsCsjhJleQCBm0gwnUj5R7zewC0SoRvth1qhXtUCeWM3KHkX+CjiHvVaHs+ftYE9uCe5jwVMB+b4UPkNU8EfQeL99iOYtkcn+fEQqjUJe/x/Pn0NxfS1DCvFpI6s3485ysDmagi640XN9S+eIiiMZIqWTsIlUtkEwGF0wuv+xqzbBOlUtIkL2AMpMeFCFovOcpu2JwEAIpDUiW+FanAFImw6rvNmpAtaaFGheYOGJwnpVfdaIeRPqEN3fqtIRBIQVgxt25BGYX83vaIH3Y/OaEKMGUa/4Fe/PRpGJyhCtdae6kcVfx57hs0e7/HezjgfS90HTu2cy6BrJOvGUspCjCbdElddfboE9wtBeNYsgjUOdU926m2M1tTn7Ex6ZMOQRKRlVFac6Yo+CedRTe4u6lkrWcsDdmnajel7uxoW8VMEre/CBCtK+ZlGaDwJjIVNCn7J3KZBKeaB/t/1iSr7/buaXYh5VV1Q0gv0mtvx+D7YLngaTv3sLFpLV8Wk1mgXt9R2hHxcRBKGJYx5RWa8aMHK62RP1GRc5yCzREj2Mc5qUJyd8oirnQYms/BsaDybUJde9IL4REeMzIBYyi/MG/+OAIUSAtdYygABWco+Swv4jP52UODHikcmyejHdFhRngsb4IYzGZXbS5pobkCyqCMJ20v5BG3WNFmujAlXRw=="; in { - "nextcloud_pass.age".publicKeys = [ laptop_pub laptop_pub_ed ]; + "nextcloud_pass.age".publicKeys = [ + laptop_pub + laptop_pub_ed + ]; - # "duckdns_token.age".publicKeys = [ contabo_nix_pub ]; + # "duckdns_token.age".publicKeys = [ contabo_nix_pub ]; "synapse_db_pass.age".publicKeys = [ contabo_nix_pub ]; "synapse_db_pass_prepared.age".publicKeys = [ contabo_nix_pub ]; "grafana_admin_pass.age".publicKeys = [ contabo_nix_pub ]; diff --git a/specific/grimm-nixos-laptop/configuration.nix b/specific/grimm-nixos-laptop/configuration.nix index 1ee6b88..af19def 100644 
--- a/specific/grimm-nixos-laptop/configuration.nix +++ b/specific/grimm-nixos-laptop/configuration.nix @@ -2,7 +2,7 @@ { imports = [ # Include the results of the hardware scan. - ./hardware-configuration.nix + ./hardware-configuration.nix # ./modules/kvm.nix ./../../sway ]; diff --git a/specific/grimmauld-nixos-server/configuration.nix b/specific/grimmauld-nixos-server/configuration.nix index 533a2d0..321499d 100644 --- a/specific/grimmauld-nixos-server/configuration.nix +++ b/specific/grimmauld-nixos-server/configuration.nix @@ -1,12 +1,20 @@ -{ lib, config, inputs, pkgs, ... }: +{ + lib, + config, + inputs, + pkgs, + ... +}: let inherit (config.networking) domain; -in { - imports = [ - ./hardware-configuration.nix - ]; +in +{ + imports = [ ./hardware-configuration.nix ]; - networking.firewall.allowedTCPPorts = [ 80 443 ]; + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; networking.hostName = "grimmauld-nixos-server"; networking.domain = "grimmauld.de"; services.openssh.enable = true; @@ -26,7 +34,7 @@ in { enableACME = lib.mkForce false; # use the correct cert, not some weird one that matrix-synapse module supplies useACMEHost = domain; locations."/" = { - root = "/var/www/${domain}"; + root = "/var/www/${domain}"; }; }; }; diff --git a/specific/grimmauld-nixos-server/hardware-configuration.nix b/specific/grimmauld-nixos-server/hardware-configuration.nix index 4cf2f82..6cf9123 100644 --- a/specific/grimmauld-nixos-server/hardware-configuration.nix +++ b/specific/grimmauld-nixos-server/hardware-configuration.nix 
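Review bot: `services.openssh.enable = true;` in this hunk carries no `settings`, and no module in this diff sets `PasswordAuthentication`, so unless another file does, sshd keeps its default of allowing password logins on an internet-facing host that holds mail, Matrix and Nextcloud secrets. The ssh public keys kept in `secrets/secrets.nix` suggest key-based access is already the norm; add `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` here if they are not set elsewhere, so fail2ban is a second line of defence rather than the only one.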
@@ -2,12 +2,19 @@ { imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; boot.loader.grub.device = "/dev/sda"; - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ]; + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "xen_blkfront" + "vmw_pvscsi" + ]; boot.initrd.kernelModules = [ "nvme" ]; - fileSystems."/" = { device = "/dev/sda3"; fsType = "ext4"; }; + fileSystems."/" = { + device = "/dev/sda3"; + fsType = "ext4"; + }; environment.sessionVariables = { OMP_NUM_THREADS = "8"; }; - } diff --git a/users.nix b/users.nix index e8731cf..ff1ae4a 100644 --- a/users.nix +++ b/users.nix @@ -35,13 +35,15 @@ { remote = "Videos"; } ]; - packages = with pkgs; lib.optionals config.grimmShared.graphical [ - webcord - discord - obs-studio - element-desktop - ghidra - # rmview - ]; + packages = + with pkgs; + lib.optionals config.grimmShared.graphical [ + webcord + discord + obs-studio + element-desktop + ghidra + # rmview + ]; }; }