Initial commit

This commit is contained in:
2025-08-20 18:24:02 +03:00
commit 2dec42d487
116 changed files with 6591 additions and 0 deletions

17
hosts/cepheus/caddy.nix Normal file

@@ -0,0 +1,17 @@
{ inputs, ... }: {
services.caddy = {
enable = true;
virtualHosts."nothing.run, www.nothing.run".extraConfig = ''
header /.well-known/matrix/* Content-Type application/json
header /.well-known/matrix/* Access-Control-Allow-Origin *
respond /.well-known/matrix/server `{"m.server": "matrix.nothing.run:443"}`
respond /.well-known/matrix/client `{"m.homeserver":{"base_url":"https://matrix.nothing.run"},"org.matrix.msc3575.proxy":{"url":"https://matrix.nothing.run"}}`
root * ${inputs.website.website}
file_server
'';
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
}

37
hosts/cepheus/couchdb.nix Normal file

@@ -0,0 +1,37 @@
{ pkgs, lib, ... }: {
containers.couchdb = {
autoStart = true;
bindMounts = {
"/var/lib/couchdb" = { hostPath = "/nix/persist/services/couchdb"; isReadOnly = false; };
};
hostAddress = "192.168.105.10";
localAddress = "192.168.105.11";
privateNetwork = true;
config = { ... }: {
services.couchdb = {
enable = true;
bindAddress = "192.168.105.11";
port = 5984;
databaseDir = "/var/lib/couchdb";
viewIndexDir = "/var/lib/couchdb";
adminUser = lib.removeSuffix "\n" ("admin_" + pkgs.lib.readFile "${pkgs.runCommand "timestamp" {} "echo `head -c 12 /dev/urandom | base64 | sed 's/[+=\\/A-Z]//g'` > $out"}");
adminPass = pkgs.lib.readFile "${pkgs.runCommand "timestamp" {} "echo `head -c 32 /dev/urandom | base64 | sed 's/[+=\\/A-Z]//g'` > $out"}";
};
networking.firewall = {
enable = true;
allowedTCPPorts = [ 5984 ];
};
system.stateVersion = "25.05";
};
};
services.caddy.virtualHosts = {
"couchdb.nothing.run".extraConfig = ''
reverse_proxy http://192.168.105.11:5984
'';
};
}
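Review bot: `adminPass` on L50 is produced by a `runCommand` derivation and read back with `readFile`, so the CouchDB admin password is written into the world-readable Nix store (and into any binary cache or remote builder that sees the derivation), and the evaluation becomes impure import-from-derivation; the same applies to `adminUser` on L49. `adminPass` also keeps the trailing newline from `echo` that `adminUser` strips with `removeSuffix`, and the `sed` that removes `+`, `/`, `=` and every uppercase letter shrinks the alphabet from 64 to 36 symbols while also shortening the string, so the effective entropy is well below what "32 random bytes" suggests. This host already provisions generated secrets with agenix (see the `generator.script` used for the Miniflux admin credentials in this commit); generate the CouchDB credentials the same way and hand them to CouchDB through a secret-only config file rather than a store path, keeping the full base64 alphabet. Note also that the `couchdb.nothing.run` vhost on L60-L62 proxies the entire CouchDB HTTP API (Fauxton, `_all_dbs`, replication endpoints) to the internet with only CouchDB's own admin authentication in front of it.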

37
hosts/cepheus/default.nix Normal file

@@ -0,0 +1,37 @@
{ lib, config, ... }: {
nixpkgs.hostPlatform = "x86_64-linux";
hardware.enableRedistributableFirmware = true;
boot.initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"usb_storage"
"sd_mod"
"ata_piix"
"virtio_pci"
"virtio_scsi"
"sr_mod"
];
age.secrets.cepheus_userhjkl_password = {
rekeyFile = ./secrets/password.age;
owner = "userhjkl";
group = "users";
mode = "0400";
};
n.host = {
hardware.cpu = "virt";
bootloader = "grub";
domain = "nothing.run";
hostId = "0b6ce634";
users."userhjkl" = lib.mkUser config.age.secrets.cepheus_userhjkl_password.path true;
defaultUser = "userhjkl";
types = [ "server" ];
};
imports = [
(lib.fs.ext4 "/" "/dev/disk/by-uuid/8c2eee33-ab23-42b5-b22c-777fbede1ccf" null)
(lib.fs.vfat "/boot" "/dev/disk/by-uuid/8B83-5678" null)
];
}

195
hosts/cepheus/gitea.nix Normal file

@@ -0,0 +1,195 @@
{ config, pkgs, lib, ... }: {
age.secrets.kanidm-oauth2-gitea = lib.mkSecret "kanidm";
services.kanidm.provision = {
groups."gitea.access" = {};
groups."gitea.admins" = {};
systems.oauth2.gitea = {
displayName = "gitea";
originUrl = "https://tea.nothing.run/user/oauth2/kanidm/callback";
originLanding = "https://tea.nothing.run/";
basicSecretFile = config.age.secrets.kanidm-oauth2-gitea.path;
scopeMaps."gitea.access" = [
"openid"
"email"
"profile"
];
allowInsecureClientDisablePkce = true;
preferShortUsername = true;
claimMaps.groups = {
joinType = "array";
valuesByGroup."gitea.admins" = [ "admins" ];
};
};
};
containers.gitea = let host-config = config; in {
autoStart = true;
bindMounts = {
"/var/lib/gitea" = { hostPath = "/nix/persist/services/gitea"; isReadOnly = false; };
# "${config.age.secretsDir}" = { hostPath = config.age.secretsDir; isReadOnly = true; };
"/run/agenix" = { hostPath = "/run/agenix"; isReadOnly = false; };
};
# tmpfs = [ "/" ];
hostAddress = "192.168.102.10";
localAddress = "192.168.102.11";
# forwardPorts = [
# {
# containerPort = 22;
# hostPort = 9922;
# protocol = "tcp";
# }
# ];
privateNetwork = true;
config = { lib, config, ... }: {
imports = [
../../modules/global/dnscrypt-proxy.nix
];
users.groups.kanidm = {};
users.groups.git = { };
users.users.git = {
isSystemUser = true;
useDefaultShell = true;
group = "git";
extraGroups = [ "kanidm" ];
home = config.services.gitea.stateDir;
openssh.authorizedKeys.keys = lib.mkForce host-config.users.users.root.openssh.authorizedKeys.keys;
};
services.openssh = {
enable = true;
# settings = {
# PasswordAuthentication = false;
# KbdInteractiveAuthentication = false;
# PermitRootLogin = "prohibit-password";
# };
# openFirewall = true;
# ports = [ 22 ];
# settings.AcceptEnv = "GIT_PROTOCOL";
};
services.gitea = {
enable = true;
package = pkgs.gitea;
user = "git";
group = "git";
settings = {
DEFAULT.APP_NAME = "Hollow Tea";
mailer.ENABLED = false;
metrics.ENABLED = false;
oauth2_client = {
ACCOUNT_LINKING = "login";
USERNAME = "nickname";
ENABLE_AUTO_REGISTRATION = false;
REGISTER_EMAIL_CONFIRM = false;
UPDATE_AVATAR = true;
};
repository = {
DEFAULT_PRIVATE = "private";
ENABLE_PUSH_CREATE_USER = true;
ENABLE_PUSH_CREATE_ORG = true;
};
server = {
HTTP_ADDR = "0.0.0.0";
HTTP_PORT = 3000;
DOMAIN = "tea.nothing.run";
ROOT_URL = "https://tea.nothing.run";
LANDING_PAGE = "login";
SSH_PORT = 9922;
SSH_USER = "git";
};
service = {
DISABLE_REGISTRATION = false;
ALLOW_ONLY_INTERNAL_REGISTRATION = false;
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
SHOW_REGISTRATION_BUTTON = false;
REGISTER_EMAIL_CONFIRM = false;
ENABLE_NOTIFY_MAIL = false;
};
"service.explore" = {
REQUIRE_SIGNIN_VIEW = true;
DISABLE_USERS_PAGE = false;
DISABLE_ORGANIZATIONS_PAGE = true;
DISABLE_CODE_PAGE = true;
};
admin.DISABLE_REGULAR_ORG_CREATION = true; # Prohibit creation of organizations by non-admin users
session.COOKIE_SECURE = true;
};
};
systemd.services.gitea = {
enable = true;
wantedBy = [ "multi-user.target" ];
serviceConfig.RestartSec = "60"; # Retry every minute
preStart =
let
exe = lib.getExe config.services.gitea.package;
providerName = "kanidm";
clientId = "gitea";
args = lib.escapeShellArgs (
lib.concatLists [
[
"--name"
providerName
]
[
"--provider"
"openidConnect"
]
[
"--key"
clientId
]
[
"--auto-discover-url"
"https://idm.nothing.run/oauth2/openid/${clientId}/.well-known/openid-configuration"
]
[
"--scopes"
"email"
]
[
"--scopes"
"profile"
]
[
"--group-claim-name"
"groups"
]
[
"--admin-group"
"admin"
]
[ "--skip-local-2fa" ]
]
);
in
lib.mkAfter ''
provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1)
SECRET="$(< ${host-config.age.secrets.kanidm-oauth2-gitea.path})"
if [[ -z "$provider_id" ]]; then
${exe} admin auth add-oauth ${args} --secret "$SECRET"
else
${exe} admin auth update-oauth --id "$provider_id" ${args} --secret "$SECRET"
fi
'';
};
networking.firewall = {
enable = true;
allowedTCPPorts = [ 3000 22 ];
};
system.stateVersion = "25.05";
};
};
networking.firewall.allowedTCPPorts = [ 9922 ];
services.caddy.virtualHosts = {
"tea.nothing.run".extraConfig = ''
reverse_proxy http://192.168.102.11:3000
'';
};
}
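Review bot: The admin mapping is broken by a name mismatch: Kanidm's claim map on L129 emits the group value `admins`, but the auth source is registered on L264-L265 with `--admin-group admin`, so members of `gitea.admins` are never promoted (it fails closed, but silently); change L265 to `"admins"` or the claim value to `admin` so the two agree. Separately, L138 bind-mounts the host's entire `/run/agenix` read-write into the container, exposing every decrypted host secret (including the Kanidm admin passwords provisioned in `kanidm.nix`) to a service that only needs `kanidm-oauth2-gitea`; mount just that file, read-only. On L275/L277 the client secret is passed as a command-line argument, where it is briefly visible to every local process through `/proc/*/cmdline`, which is worth a comment even if Gitea offers no file-based alternative. Finally, `SSH_PORT = 9922` is advertised on L203 and opened on the host firewall on L288, but the `forwardPorts` that would deliver it to the container's port 22 is commented out on L143-L149, so the advertised SSH clone URLs will not work unless forwarding is configured elsewhere.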

36
hosts/cepheus/hedgedoc.nix Executable file

@@ -0,0 +1,36 @@
{ config, ... }:
let
inherit (config.networking) domain;
service_port = 8259;
db = "hedgedoc";
in {
services.hedgedoc = {
# enable = true; # TODO
enable = false;
settings = {
# TODO: kanidm auth
port = service_port;
protocolUseSSL = true;
domain = "pad.${domain}";
host = "127.0.0.1";
allowGravatar = false;
allowPDFExport = true;
dbURL = "postgres://${db}:${db}@localhost:${toString config.services.postgresql.settings.port}/${db}";
allowEmailRegister = false;
allowAnonymous = false;
loglevel = "none";
};
};
imp.dirs = [
{ directory = "/var/lib/hedgedoc"; user = "hedgedoc"; group = "hedgedoc"; mode = "u=rwx,g=rx,o="; }
];
services.caddy.virtualHosts = {
"pad.${domain}".extraConfig = ''
reverse_proxy http://127.0.0.1:${toString service_port}
'';
};
}
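Review bot: `dbURL` on L318 embeds the database password (here identical to the role name, `hedgedoc`) in a Nix string, so it lands in the world-readable store the moment `enable` is flipped to true; put the URL in `services.hedgedoc.environmentFile` as `CMD_DB_URL` backed by an agenix secret, or use a unix-socket connection with peer auth so no password is needed at all. `loglevel = "none"` on L321 also discards the logs you would want during an incident; `warn` is a safer default. The module is currently disabled on L309, so neither is live yet, but both will be inherited unchanged when the TODO on L308 is resolved.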

107
hosts/cepheus/kanidm.nix Normal file

@@ -0,0 +1,107 @@
{ config, pkgs, lib, ... }:
let
kanidmPort = 1888;
in {
age.secrets.kanidm-admin-password = lib.mkSecret "kanidm";
age.secrets.kanidm-idm-admin-password = lib.mkSecret "kanidm";
users.groups.kanidm = {};
users.users.kanidm.group = "kanidm";
users.users.kanidm.isSystemUser = true;
containers.kanidm = {
autoStart = true;
bindMounts = {
"/certs" = { hostPath = "/nix/persist/services/kanidm/certs"; isReadOnly = false; };
"/var/lib/kanidm" = { hostPath = "/nix/persist/services/kanidm/db"; isReadOnly = false; };
# "${config.age.secretsDir}" = { hostPath = config.age.secretsDir; isReadOnly = true; };
"/run/agenix" = { hostPath = "/run/agenix"; isReadOnly = false; };
};
# tmpfs = [ "/" ];
hostAddress = "192.168.101.10";
localAddress = "192.168.101.11";
privateNetwork = true;
# privateNetwork = false;
config = { lib, ... }: {
imports = [
# ../../modules/global/nix.nix
../../modules/global/dnscrypt-proxy.nix
];
services.kanidm = {
enableServer = true;
package = pkgs.kanidmWithSecretProvisioning;
enableClient = true;
serverSettings = {
domain = "idm.nothing.run";
origin = "https://idm.nothing.run";
# bindaddress = "127.0.0.1:${toString kanidmPort}";
bindaddress = "0.0.0.0:${toString kanidmPort}";
log_level = "trace";
trust_x_forward_for = true;
tls_chain = "/certs/chain.pem";
tls_key = "/certs/key.pem";
};
clientSettings = {
uri = "https://127.0.0.1:${toString kanidmPort}";
verify_ca = false;
verify_hostnames = false;
};
provision = lib.mkMerge [
{ enable = lib.mkForce true; }
config.services.kanidm.provision
];
};
networking.firewall = {
enable = true;
allowedTCPPorts = [ kanidmPort ];
};
system.stateVersion = "25.05";
};
};
services.kanidm.provision = {
acceptInvalidCerts = true;
instanceUrl = "https://127.0.0.1:${toString kanidmPort}";
adminPasswordFile = config.age.secrets.kanidm-admin-password.path;
idmAdminPasswordFile = config.age.secrets.kanidm-idm-admin-password.path;
groups.admins = {};
persons = {
"thary" = {
"displayName" = "Thary";
"mailAddresses" = [
"thary@riseup.net"
"thary@nothing.run"
];
groups = [
"gitea.access" "gitea.admins"
"miniflux.access"
];
};
};
};
imp.home.dirs = [ ".cache/kanidm_tokens" ];
services.kanidm.enableClient = true;
services.kanidm.clientSettings = {
uri = "https://idm.nothing.run";
verify_ca = true;
verify_hostnames = true;
};
services.caddy.virtualHosts = {
"idm.nothing.run".extraConfig = ''
reverse_proxy https://192.168.101.11:${toString kanidmPort} {
transport http {
tls
tls_insecure_skip_verify
}
}
'';
};
}
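Review bot: `log_level = "trace"` on L375 turns on Kanidm's most verbose logging for the identity provider, which writes request-level detail (potentially including sensitive values) to the journal and makes log retention a liability; use `info` in production. On L429 Caddy proxies to the container with `tls_insecure_skip_verify`, so the host-to-container TLS authenticates nothing; the chain is already on the host at `/nix/persist/services/kanidm/certs/chain.pem` (the `hostPath` on L351), so point the transport at it with `tls_trusted_ca_cert` (or at minimum `tls_server_name idm.nothing.run`) instead of disabling verification. As in `gitea.nix`, L354 mounts the whole `/run/agenix` tree read-write into the container although it only needs the two admin-password files and any OAuth2 client secrets. `trust_x_forward_for = true` on L376 is only safe while the container port is reachable solely from the host's Caddy, which the private network currently guarantees; that dependency deserves a comment next to the option.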


@@ -0,0 +1,34 @@
{ pkgs, ... }: {
services.caddy = {
enable = true;
virtualHosts."cinny.nothing.run".extraConfig = ''
root * ${pkgs.cinny.override {conf = {
defaultHomeserver = 0;
homeserverList = [ "matrix.nothing.run" "matrix.inex.rocks" ];
allowCustomHomeservers = false;
};}}
file_server
'';
virtualHosts."element.nothing.run".extraConfig = ''
root * ${pkgs.element-web.override {
conf = {
default_server_config = {
"m.homeserver".base_url = "https://nothing.run";
"m.identity_server" = {};
};
disable_custom_urls = true;
brand = "Nothing Chat";
default_theme = "dark";
jitsi.preferred_domain = "https://jitsi.inex.rocks"; # TODO: host jitsi
};}}
file_server
'';
virtualHosts."riot.nothing.run".extraConfig = ''
redir https://element.nothing.run
'';
# TODO: schildichat-web (there is no package in nixpkgs)
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
}
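Review bot: Element's `default_server_config` on L454 sets `base_url` to `https://nothing.run`, while Cinny on L445 and the `.well-known/matrix/client` response in `caddy.nix` both name `https://matrix.nothing.run`. As far as I know Element uses `base_url` directly for client API calls rather than resolving it through `.well-known`, and the `nothing.run` vhost only serves static files and the well-known responses, so logins from `element.nothing.run` would fail; set `"m.homeserver".base_url = "https://matrix.nothing.run"` and add `server_name = "nothing.run"` so the displayed server name stays the bare domain.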


@@ -0,0 +1,76 @@
{ config, pkgs, lib, ... }: {
age.secrets.kanidm-oauth2-miniflux = lib.mkSecret "kanidm";
services.kanidm.provision = {
groups."miniflux.access" = {};
systems.oauth2.miniflux = {
displayName = "miniflux";
originUrl = "https://rss.nothing.run/oauth2/oidc/callback";
originLanding = "https://rss.nothing.run/";
basicSecretFile = config.age.secrets.kanidm-oauth2-miniflux.path;
scopeMaps."miniflux.access" = [
"openid"
"email"
"profile"
];
allowInsecureClientDisablePkce = true;
preferShortUsername = true;
};
};
age.secrets.miniflux-admin-credentials = {
generator.script = _: ''
echo "ADMIN_USERNAME = 'admin_fmA4ei32f'"
echo "ADMIN_PASSWORD = '$(head -c 32 /dev/urandom | base64)'"
'';
group = "kanidm";
mode = "444";
};
containers.miniflux = {
autoStart = true;
bindMounts = {
"/run/postgresql" = { hostPath = "/nix/persist/services/miniflux"; isReadOnly = false; };
"/run/agenix" = { hostPath = "/run/agenix"; isReadOnly = false; };
};
hostAddress = "192.168.103.10";
localAddress = "192.168.103.11";
privateNetwork = true;
config = { ... }: {
imports = [ ../../modules/global/dnscrypt-proxy.nix ];
users.groups.kanidm = {};
users.users.postgres.extraGroups = [ "kanidm" ];
services.miniflux = {
enable = true;
createDatabaseLocally = true;
adminCredentialsFile = config.age.secrets.miniflux-admin-credentials.path;
config = {
LISTEN_ADDR = "192.168.103.11:8080";
CREATE_ADMIN = 1;
OAUTH2_PROVIDER = "oidc";
OAUTH2_CLIENT_ID = "miniflux";
OAUTH2_CLIENT_SECRET = config.age.secrets.kanidm-oauth2-miniflux.path;
OAUTH2_REDIRECT_URL = "https://rss.nothing.run/oauth2/oidc/callback";
OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://idm.nothing.run/oauth2/openid/miniflux";
OAUTH2_USER_CREATION = 1;
};
};
networking.firewall = {
enable = true;
allowedTCPPorts = [ 8080 ];
};
system.stateVersion = "25.05";
};
};
services.caddy.virtualHosts = {
"rss.nothing.run".extraConfig = ''
reverse_proxy http://192.168.103.11:8080
'';
};
}
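Review bot: `OAUTH2_CLIENT_SECRET` on L523 is set to the path of the agenix file, not its contents, so Miniflux will present the literal path string as its client secret while Kanidm was provisioned with the file's real contents on L483, and the OIDC login cannot succeed. Miniflux reads `*_FILE` variants for its secrets, so use `OAUTH2_CLIENT_SECRET_FILE = config.age.secrets.kanidm-oauth2-miniflux.path` (confirm the installed version supports it). The generated admin credentials on L493-L500 are written with `mode = "444"`, which makes the Miniflux admin password readable by every user on the host; `0440` with the group Miniflux actually runs as (not `kanidm`, which has nothing to do with this file) is enough, since the file reaches the container through the bind mount regardless. L504 also mounts the persist directory at `/run/postgresql`, the socket directory, rather than at `/var/lib/postgresql`, so the database created by `createDatabaseLocally` may not be on persistent storage — worth verifying after the first reboot.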


@@ -0,0 +1,4 @@
{ ... }: {
services.postgresql.enable = true;
imp.dirs = [ "/var/lib/postgresql" ];
}


@@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 8IT6eg yX9WPef2jwkv9rsWS1Zz37qNwP/7AXVwwR3y7sy5/0k
d6IIsuuPi+ZZA/HDyDYgbjL7AiFtEEx+Ez3IWeVYo5Y
-> d6L4.Y&D-grease *z=Q"@Cb f{ VN
3IcbB/YPlZaTqaKIYjkvYmxlLVSBkOnLPMm3uPQrzA2i9bTNH6tjGVG0c64jYif4
GXbSIKn1wkTmkYBX3FQAPsPwBQ
--- u4kYHCN4Flk12expFXLzogEmv0LleaTExylppjkLdJg
<EFBFBD>k6<>\<5C>Z,<2C><>o<EFBFBD>V<>OOh<4F><68><15>+<2B><14>"<22><1F><><EFBFBD><EFBFBD> \<5C><>N)&M8<><38>&x1g&Zxn<78><6E><EFBFBD>!<21><02><>Aȅ,\<5C><>飩-<2D>o<EFBFBD><6F><EFBFBD>m<EFBFBD>r<EFBFBD>iD1<>D<EFBFBD>e<EFBFBD>_4


@@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 8IT6eg OGouWD06nC1BworHWu+bhrnwb5Q4skSrOKU703Rqr2E
/T0+bnhxRzgry7nVdlHFoYGEXc/6Q3dIxtvlATMl/3s
-> `-grease
+LfEGtXt+5BOYK5njRUFRhQix/yPMIs
--- Hxczp2zWnEqT0MQYjPc3O7Dva8r9pUOXkXHuv2DuIP4
<EFBFBD>`<60>FF<46><46>#<67>t<EFBFBD> <0B>Ŗ<EFBFBD><C596><EFBFBD>K:)<29>g\<5C>gC<67>R3*0 <0B><>V<EFBFBD>vt<76><74>:t70w<19>ND<01><><EFBFBD>)x<><78><><D79E>IP<49><50><EFBFBD>u<1F><>6<><36><EFBFBD>@<40>hf<68>ag[<5B> <0C>ܺ<EFBFBD><DCBA><EFBFBD><EFBFBD>


@@ -0,0 +1,9 @@
{ pkgs, config, ... }: {
services.caddy = {
virtualHosts."synapse-admin.${config.networking.domain}".extraConfig = ''
encode zstd gzip
root * ${pkgs.synapse-admin-etkecc}
file_server
'';
};
}


@@ -0,0 +1,37 @@
{ pkgs, config, ... }: {
age.secrets.matrix_admin_api_token = {
rekeyFile = ./secrets/matrix_admin_api_token.age;
owner = "matrix-synapse";
group = "matrix-synapse";
mode = "0400";
};
systemd.services."synapse-revitalization" =
let pkg = "${pkgs.synapse-revitalization}/bin/synapse-revitalization";
script = pkgs.writeShellScript "synapse-revitalization-script" ''
journalctl -f -u matrix-synapse -o cat |
while read -r line; do
echo "$line" | grep "as we're not in the room" && ${pkg} "$line" &
echo "$line" | grep "Ignoring PDU for unknown room_id" && ${pkg} "$line" &
done
'';
in {
enable = true;
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
# User = "matrix-synapse";
# Group = "matrix-synapse";
User = "root";
Group = "root";
ExecStart = script;
Restart = "always";
};
environment = {
"SYNAPSE_REVITALIZATION_ADMIN_AUTH_TOKEN_FILE" = config.age.secrets.matrix_admin_api_token.path;
"SYNAPSE_REVITALIZATION_SERVER_KEY_FILE" = "/var/lib/matrix-synapse/homeserver.signing.key";
"SYNAPSE_REVITALIZATION_SERVER_NAME" = "nothing.run";
"SYNAPSE_REVITALIZATION_SERVER_ADDRESS" = "matrix.nothing.run";
};
};
}
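Review bot: The watcher on L613-L614 runs as root, yet everything it needs — the admin token owned by `matrix-synapse` on L593 and the signing key under `/var/lib/matrix-synapse`, which should be owned by the same user — is readable by `matrix-synapse`; the only thing root buys here is journal access, which `SupplementaryGroups = [ "systemd-journal" ]` grants without it. The lines handed to the tool on L602-L603 presumably originate from federation traffic (remote servers choose the room IDs and server names that appear in those messages), so this is untrusted input being passed to a root-run process. Restore `User = "matrix-synapse"` / `Group = "matrix-synapse"`, add the supplementary group, and consider `NoNewPrivileges = true` and `ProtectSystem = "strict"`. Each match also forks a backgrounded process with `&` that nothing bounds or reaps, so a burst of matching log lines forks without limit.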

216
hosts/cepheus/synapse.nix Executable file

@@ -0,0 +1,216 @@
{ lib, config, pkgs, ... }:
let
domain = "nothing.run";
ulid = "01K2FWKJXXG713J0PERVHJ54S3";
in {
environment.systemPackages = with pkgs; [ synapse synadm ];
age.secrets.kanidm-oauth2-mas = lib.mkSecret "kanidm";
services.kanidm.provision = {
groups."matrix.access" = {};
# groups."matrix.admins" = {};
systems.oauth2.matrix = {
displayName = "matrix";
originUrl = "https://mas.nothing.run/upstream/callback/${ulid}";
originLanding = "https://mas.nothing.run/";
basicSecretFile = config.age.secrets.kanidm-oauth2-mas.path;
scopeMaps."matrix.access" = [
"openid"
"email"
"profile"
];
allowInsecureClientDisablePkce = false;
# enableLegacyCrypto = true;
preferShortUsername = true;
# claimMaps.groups = {
# joinType = "array";
# valuesByGroup."matrix.admins" = [ "admins" ];
# };
};
};
# containers.matrix-synapse = {
# autoStart = true;
# bindMounts = {
# "/var/lib/matrix-synapse" = { hostPath = "/nix/persist/services/synapse/data"; isReadOnly = false; };
# "/var/lib/postgresql" = { hostPath = "/nix/persist/services/synapse/db"; isReadOnly = false; };
# "/run/agenix" = { hostPath = "/run/agenix"; isReadOnly = false; };
# };
# hostAddress = "192.168.107.10";
# localAddress = "192.168.107.11";
#
# privateNetwork = true;
#
# config = { ... }: {
systemd.services.matrix-authentication-service =
let config = pkgs.writeText "mas-configuration.json" (builtins.toJSON {
upstream_oauth2.providers = [
{
id = ulid;
issuer = "https://idm.nothing.run/oauth2/openid/matrix";
token_endpoint_auth_method = "client_secret_basic";
human_name = "matrix";
client_id = "matrix";
scope = "openid email profile";
pkce_method = "always";
claims_imports.localpart.action = "require";
claims_imports.displayname.action = "ignore";
claims_imports.email.action = "require";
}
];
http = {
public_base = "https://mas.nothing.run";
listeners = [{
name = "web";
resources = [
{ name = "discovery"; }
{ name = "human"; }
{ name = "oauth"; }
{ name = "compat"; }
{ name = "graphql"; }
{
name = "assets";
path = "${pkgs.matrix-authentication-service}/share/matrix-authentication-service/assets";
} # What is it?
];
binds = [{
host = "127.0.0.1";
port = 8086;
}];
proxy_protocol = false;
}];
};
# database.uri = "postgresql:///matrix-authentication-service?host=/run/postgresql";
database.uri = "postgresql://matrix-authentication-service@127.0.0.1:5432/matrix-authentication-service";
matrix = {
kind = "synapse";
homeserver = "nothing.run";
endpoint = "https://matrix.nothing.run:443";
};
passwords = {
enabled = true;
schemes = [
{
version = 2;
algorithm = "argon2id";
}
{
version = 1;
algorithm = "bcrypt";
unicode_normalization = true;
}
];
minimum_complexity = 8;
};
});
in {
enable = true;
description = "Matrix Authentication Service";
# wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
ExecStart = "${lib.getExe pkgs.matrix-authentication-service} --config ${config}";
Restart = "on-failure";
RestartSec = "10s";
};
};
services.postgresql = {
ensureDatabases = [ "matrix-authentication-service" ];
ensureUsers = [
{
name = "matrix-authentication-service";
ensureDBOwnership = true;
}
];
};
services.matrix-synapse = {
enable = true;
settings = {
server_name = domain;
enable_metrics = true;
listeners = [
{ port = 8008;
bind_addresses = [ "0.0.0.0" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [ {
names = [ "client" "federation" ];
compress = true;
} ];
}
# { port = 3002; # Metrics
# bind_addresses = [ "0.0.0.0" ];
# # type = "metrics";
# type = "http";
# tls = false;
# x_forwarded = true;
# resources = [ {
# names = [ "metrics" ];
# compress = true;
# } ];
# }
];
database = {
name = "psycopg2";
args = let db = "matrix-synapse"; in {
user = db;
database = db;
};
};
# registration_shared_secret = secrets.matrix.shared_secret;
registration_shared_secret = pkgs.lib.readFile "${pkgs.runCommand "timestamp" {} "echo `cat /dev/random | head -c 50 | base64` > $out"}";
max_upload_size = "20M";
enable_authenticated_media = true;
require_auth_for_profile_requests = true;
enable_registration_captcha = false;
enable_registration = false;
};
# log.root.level = "ERROR";
log.root.level = "INFO";
};
# networking.firewall.allowedTCPPorts = [ 8008 8080 ];
# };
# };
# services.caddy = {
# virtualHosts = {
# "matrix.${domain}".extraConfig = ''
# reverse_proxy /_matrix/* http://192.168.107.11:8008
# reverse_proxy /_synapse/client/* http://192.168.107.11:8008
# reverse_proxy /client/* http://192.168.107.11:8008
# reverse_proxy /_matrix/client/unstable/org.matrix.msc3575/sync/* http://192.168.107.11:8008
# reverse_proxy /_synapse/admin/* http://192.168.107.11:8008
# '';
# # Add `reverse_proxy /_synapse/admin/* http://127.0.0.1:8008` to allow access to the admin API
#
# "mas.${domain}".extraConfig = ''
# reverse_proxy http://192.168.107.11:8080
# '';
# };
# };
services.caddy = {
virtualHosts = {
"matrix.${domain}".extraConfig = ''
reverse_proxy /_matrix/* http://127.0.0.1:8008
reverse_proxy /_synapse/client/* http://127.0.0.1:8008
reverse_proxy /client/* http://127.0.0.1:8008
reverse_proxy /_matrix/client/unstable/org.matrix.msc3575/sync/* http://127.0.0.1:8008
reverse_proxy /_synapse/admin/* http://127.0.0.1:8008
'';
# Add `reverse_proxy /_synapse/admin/* http://127.0.0.1:8008` to allow access to the admin API
"mas.${domain}".extraConfig = ''
reverse_proxy http://127.0.0.1:8086
'';
};
};
}
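Review bot: `registration_shared_secret` on L791 is produced by a `runCommand` derivation and embedded via `readFile`, so the secret lands in the world-readable Nix store (and any cache the store is pushed to), and because Caddy forwards `/_synapse/admin/*` on the public vhost on L827, anyone who can read that store path can create accounts through the admin register endpoint despite `enable_registration = false` on L796. Move it into an agenix-owned file loaded via `services.matrix-synapse.extraConfigFiles`, and restrict or drop the public admin route, which the comment on L829 already treats as optional. The Synapse listener on L762 binds `0.0.0.0:8008` although Caddy reaches it at `127.0.0.1:8008` on L823; bind to `127.0.0.1` so it does not depend on the host firewall staying closed. The MAS unit on L735-L745 runs as root with no `User=`/`DynamicUser=` or sandboxing directives, and its config carries no `secrets` section (encryption key, signing keys), so I would expect `matrix-authentication-service` to refuse this file — possibly why `wantedBy` is commented out on L738. `passwords.minimum_complexity = 8` on L732 is also outside the 0–4 zxcvbn scale MAS documents, so check whether it is rejected or silently clamped.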

6
hosts/naos/caddy.nix Normal file

@@ -0,0 +1,6 @@
{ ... }: {
# services.caddy = {
# enable = true;
# };
# networking.firewall.allowedTCPPorts = [ 80 443 ];
}

38
hosts/naos/default.nix Normal file

@@ -0,0 +1,38 @@
{ lib, config, ... }: {
nixpkgs.hostPlatform = "x86_64-linux";
hardware.enableRedistributableFirmware = true;
boot.initrd.availableKernelModules = [
"ata_piix"
"usb_storage"
"usbhid"
"sd_mod"
];
age.secrets.naos_userasdf_password = {
rekeyFile = ./secrets/password.age;
owner = "userasdf";
group = "users";
mode = "0400";
};
n.host = {
hardware.cpu = "intel";
bootloader = "sysdboot";
hostId = "553fb274";
users."userasdf" = lib.mkUser config.age.secrets.naos_userasdf_password.path true;
defaultUser = "userasdf";
types = [ "server" ];
};
imports = [
(lib.fs.zfs "/nix" "rpool/nix" null)
(lib.fs.luks "cryptroot"
"/dev/disk/by-partuuid/ed673238-50b1-4ebf-b6fc-4a25568917c6"
{ allowDiscards = true; # Used if primary device is a SSD
preLVM = true; })
(lib.fs.tmpfs "/" "none" [ "mode=755" "size=30%" ])
(lib.fs.vfat "/boot" "/dev/disk/by-uuid/CDA1-7D4A" null)
];
}

16
hosts/naos/jellyfin.nix Normal file

@@ -0,0 +1,16 @@
{ pkgs, ... }: {
# imp.dirs = [ "/nix/persist/services/jellyfin" ];
# services.jellyfin = {
# enable = true;
# dataDir = "/nix/persist/films";
# configDir = "/nix/persist/services/jellyfin/cfg";
# cacheDir = "/nix/persist/services/jellyfin/cache";
# logDir = "/nix/persist/services/jellyfin/log";
# openFirewall = false;
# };
# environment.systemPackages = [
# pkgs.jellyfin
# pkgs.jellyfin-web
# pkgs.jellyfin-ffmpeg
# ];
}

19
hosts/naos/luks.nix Normal file

@@ -0,0 +1,19 @@
{ ... }: {
# boot.kernelParams = [ "ip=dhcp" ];
boot.initrd = {
availableKernelModules = [ "r8169" ];
network = {
enable = true;
udhcpc.enable = true;
ssh = {
enable = true;
port = 22;
authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEDqpSiQpbSsClh6UGb7Z2DA1Hy+EyePzTy+5hEVD/A" ];
hostKeys = [ "/nix/keys/identity" ];
};
postCommands = ''
echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile
'';
};
};
}
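Review bot: The `.profile` line written on L929 is parsed as `(cryptsetup-askpass || echo ...) && exit 1`, so the "Unlock was successful" message is printed only when `cryptsetup-askpass` fails, and a successful unlock exits silently; write it as `if cryptsetup-askpass; then echo "Unlock was successful; exiting SSH session"; fi; exit 1`. The host key on L926 is copied into the initrd, which lives on the unencrypted `/boot` partition, so it is recoverable by anyone with physical access and must be treated as a separate, lower-trust identity from the main system's host key — pin it under its own `known_hosts` entry on the unlocking client. The initrd sshd on L924 also listens on the same port 22 as the real system's sshd, which is the usual source of `REMOTE HOST IDENTIFICATION HAS CHANGED` warnings; a distinct port (and a matching `Host` stanza on the client) avoids that.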


@@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 8IT6eg a5gQkLDKM9tbEe0ZSqRKjLz7u0iOUwaxVeetTjTkbDU
w4V3IBC/MC7Pxn/92aTLNp24uZz623vEUa9wK5pS0wk
-> @Mkd`z-grease ?mx2I=/d
XDeroqJTqWJmt+aS2vLar9WtRzG3a2SlKoTwCx6s
--- ml0i3EekhNXcxocnc5Z+RQp4t9bo8qUZRAQJeWw4soE
7


@@ -0,0 +1,41 @@
{ pkgs, ... }: {
hm = {
programs.chromium = {
enable = true;
package = pkgs.ungoogled-chromium;
commandLineArgs = [
"--enable-features=WebUIDarkMode,OzonePlatform,EncryptedClientHello,TouchpadOverscrollHistoryNavigation,VaapiVideoDecoder,WebAssembly"
"--disable-features=UserAgentClientHint"
"--force-webrtc-ip-handling-policy=default_public_interface_only"
"--force-dark-mode"
"--disable-beforeunload"
"--disable-search-engine-collection"
"--extension-mime-request-handling=download-as-regular-file"
"--disable-top-sites"
"--disable-file-system"
"--disable-default-apps"
"--disable-grease-tls"
"--ozone-platform=wayland"
# ''--js-flags="--jitless"''
''
--user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"''
''
--http-accept-header="text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"''
"--fingerprinting-canvas-image-data-noise"
"--fingerprinting-canvas-measuretext-noise"
"--fingerprinting-client-rects-noise"
"--enable-quic"
"--gtk-version=4"
];
# extensions = [
#
# ];
};
};
imp.home.dirs = [ ".config/chromium" ];
nodes.phoenix.hardware.graphics.extraPackages = with pkgs; [
nvidia-vaapi-driver
libvdpau-va-gl
];
}

35
hosts/phoenix/default.nix Normal file

@@ -0,0 +1,35 @@
{ lib, config, ... }: {
nixpkgs.hostPlatform = "x86_64-linux";
hardware.enableRedistributableFirmware = true;
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "sd_mod" ];
age.secrets.phoenix_user_password = {
rekeyFile = ./secrets/password.age;
owner = "user";
group = "users";
mode = "0400";
};
n.host = {
hardware.cpu = "amd";
bootloader = "lanzaboote";
hostId = "053c9578";
users."user" = lib.mkUser config.age.secrets.phoenix_user_password.path true;
defaultUser = "user";
types = [ "desktop" ];
};
imports = [
(lib.fs.zfs "/nix" "rpool/nix" null)
(lib.fs.luks "crypted"
"/dev/disk/by-partuuid/0f262ab8-0aad-5f42-8ee5-493f68465aff"
{ header = "/dev/disk/by-partuuid/11ca2df8-17c3-47a2-8ba0-49976273008f";
allowDiscards = true; # Used if primary device is a SSD
preLVM = true; })
(lib.fs.tmpfs "/" "none" [ "mode=755" "size=40%" ])
(lib.fs.vfat "/boot" "/dev/disk/by-uuid/6D12-D841" null)
(lib.fs.swap "/dev/disk/by-uuid/391c74f2-8703-4d17-af3b-1f8087f8ad0a")
];
}

100
hosts/phoenix/games.nix Normal file

@@ -0,0 +1,100 @@
{ pkgs, lib, inputs, username, ... }: {
hm.home.packages = (with pkgs; [
# steam-tui
steamcmd
steam-run
xwayland-satellite
# wineWow64Packages.waylandFull
bottles
glfw3-minecraft
prismlauncher
openspades
# zeroad
superTuxKart
wine64Packages.waylandFull
(pkgs.writeShellScriptBin "rungame"
''export __NV_PRIME_RENDER_OFFLOAD=1
export __NV_PRIME_RENDER_OFFLOAD_PROVIDER=NVIDIA-G0
export __GLX_VENDOR_LIBRARY_NAME=nvidia
export __VK_LAYER_NV_optimus=NVIDIA_only
exec "${pkgs.gamemode}/bin/gamemoderun" "$@"''
)
]) ++ (
let
mkNixPak = inputs.nixpak.lib.nixpak { inherit pkgs; inherit lib; };
mkGameRunner' = name: rw': exe: network: mkNixPak {
config = { sloth, ... }:
let runfile = pkgs.writeScriptBin name ''
${exe}
'';
in {
dbus.enable = false;
gpu.enable = true;
gpu.provider = "nixos";
bubblewrap = {
inherit network;
sockets.pulse = true;
sockets.wayland = true;
bind.rw = rw';
bind.ro = [ "/etc" "/sys" "/lib64" "${runfile}" "/bin" ];
tmpfs = [ "/tmp" ];
bind.dev = [ "/dev/nvidia0" "/dev/nvidiactl" "/dev/nvidia-modeset" ];
};
app.package = runfile;
};
};
mkWineGameRunner' = name: workdir: exe: network: (mkGameRunner' name [workdir]
''WINEPREFIX="${workdir}/wineprefix" ${lib.getExe pkgs.wine64Packages.waylandFull} ${workdir}/${exe}'' network);
mkSteamrunGameRunner' = name: workdir: exe: network: (mkGameRunner' name [workdir]
''DISPLAY=:0 ${lib.getExe pkgs.steam-run} ${workdir}/${exe}'' network);
mkWineGameRunner = name: workdir: exe: [
((mkWineGameRunner' "${name}-run" workdir exe false).config.script)
((mkWineGameRunner' "${name}-run-inet" workdir exe true).config.script)
];
mkSteamrunGameRunner = name: workdir: exe: [
(mkSteamrunGameRunner' "${name}-run" workdir exe false).config.script
(mkSteamrunGameRunner' "${name}-run-inet" workdir exe true).config.script
];
dirs = ["/home/${username}/Games" "/mnt/gd" "/home/${username}/.wine"];
in
(mkWineGameRunner "littlenighmares" "/home/${username}/Games/LittleNightmares/1" "game_info/data/Atlas/Binaries/Win64/LittleNightmares.exe")
# (mkGameRunner' "wine-basic-run" dirs "${lib.getExe pkgs.wine64Packages.waylandFull} $@" false ).config.script
# (mkGameRunner' "wine-basic-run-inet" dirs "${lib.getExe pkgs.wine64Packages.waylandFull} $@" true ).config.script
);
programs = {
steam = {
enable = true;
remotePlay.openFirewall = false; # Open ports in the firewall for Steam Remote Play
# extest.enable = true;
};
gamemode = {
enable = true;
settings = {
};
};
};
boot.kernel.sysctl."kernel.unprivileged_userns_clone" = true;
imp.home.dirs = [
".local/share/Steam" ".steam"
".local/share/bottles"
".local/share/PrismLauncher"
".local/share/Paradox Interactive"
".local/share/openspades"
];
n.misc.unfreePackages = [
"steam"
"steam-unwrapped"
"steamcmd"
"steam-run"
];
}
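Review bot: `boot.kernel.sysctl."kernel.unprivileged_userns_clone"` on L1106 is, as far as I know, a Debian/Arch out-of-tree sysctl that does not exist on a stock NixOS kernel, so this line only logs a warning at boot; unprivileged user namespaces (which bubblewrap needs) are governed by `security.allowUserNamespaces`, which defaults to true. Drop the line, or set `security.allowUserNamespaces = true;` explicitly if you want the requirement to be visible in this file. The sandbox on L1069 binds all of `/etc` read-only into every game sandbox, which hands the game the machine's `nix.conf`, `ssh_config`, user and group databases and anything else that lands there; bind only the few files the runtime needs (`/etc/resolv.conf`, `/etc/ld.so.cache`, font config) instead. The `-run-inet` variants on L1082/L1086 also share the Wayland socket and the GPU device nodes with networked, untrusted Windows binaries, which is an acceptable trade-off but deserves a comment on L1080-L1087.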

139
hosts/phoenix/gnome.nix Normal file

@@ -0,0 +1,139 @@
{ pkgs, lib, ... }: {
services.xserver.desktopManager.gnome.enable = true;
environment.gnome.excludePackages = (with pkgs; [
gnome-tour
yelp # Help view
# ]) ++ (with pkgs.gnome; [
tali # poker game
iagno # go game
hitori # sudoku game
atomix # puzzle game
]);
programs.dconf.enable = true;
imp.home.dirs = [ ".local/share/keyrings" ];
hm = let
extensions = with pkgs.gnomeExtensions; [
# gnomeExtensions.user-themes
blur-my-shell
pop-shell
vitals
];
# inherit (lib.hm.gvariant) mkTuple;
in {
dconf.settings = {
"org/gnome/desktop/input-sources" = {
# sources = [ (mkTuple [ "xkb" "us" ]) (mkTuple [ "xkb" "by+ru" ]) ];
xkb-options = [ "grp:caps_toggle" "compose:rctrl" ];
};
"org/gnome/desktop/interface" = {
color-scheme = "prefer-dark";
enable-hot-corners = false;
# gtk-theme = "adw-gtk3-dark";
show-battery-percentage = true;
toolkit-accessibility = false;
};
"org/gnome/desktop/peripherals/touchpad" = {
tap-to-click = true;
two-finger-scrolling-enabled = true;
};
"org/gnome/desktop/wm/keybindings" = let
binds = map (x: { "switch-to-workspace-${toString x}" = [ "<Super>${toString x}" ];
"move-to-workspace-${toString x}" = [ "<Shift><Super>${toString x}" ]; }) [1 2 3 4 5 6 7 8 9];
in lib.mkMerge (binds ++ [{
close = [ "<Shift><Super>q" ];
minimize = [ "<Super>minus" ];
switch-input-source = [];
switch-input-source-backward = [];
toggle-fullscreen = [ "<Super>F11" ];
}]);
"org/gnome/mutter" = {
dynamic-workspaces = false;
};
"org/gnome/settings-daemon/plugins/color" = {
night-light-enabled = true;
night-light-schedule-automatic = true;
night-light-schedule-from = 20.0;
night-light-schedule-to = 9.0;
night-light-temperature = 3469;
};
"org/gnome/settings-daemon/plugins/media-keys" = {
calculator = [ "Calculator" ];
custom-keybindings = [ "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0/" ];
mic-mute = [ "AudioMicMute" ];
screensaver = [ "ScreenSaver" ];
volume-down = [ "AudioLowerVolume" ];
volume-mute = [ "AudioMute" ];
volume-up = [ "AudioRaiseVolume" ];
www = [ "<Super>b" ];
};
"org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0" = {
binding = "<Super>Return";
command = lib.getExe pkgs.gnome-terminal;
name = "GNOME Terminal";
};
"org/gnome/shell/extensions/pop-shell" = {
active-hint = false;
fullscreen-launcher = false;
mouse-cursor-follows-active-window = true;
show-skip-taskbar = true;
show-title = true;
smart-gaps = true;
snap-to-grid = true;
stacking-with-mouse = true;
tile-by-default = true;
tile-enter = [ "<Super>r" ];
};
"org/gnome/shell/extensions/vitals" = {
alphabetize = false;
fixed-widths = true;
hide-icons = false;
hide-zeros = true;
hot-sensors = [ "_memory_usage_" "_processor_usage_" "_storage_free_" ];
memory-measurement = 1;
menu-centered = false;
position-in-panel = 2;
};
"org/gnome/shell/keybindings" = {
toggle-application-view = [ "<Super>d" ];
toggle-quick-settings = [ "<Shift><Super>d" ];
};
# "org/gnome/shell.favorite-apps" = [
# # "chromium.desktop"
# "org.gnome.terminal.desktop"
# "org.gnome.nautilus.desktop"
# ];
"org/gnome/shell" = {
disable-user-extensions = false;
enabled-extensions = map (x: x.extensionUuid) extensions;
};
};
home = {
packages = (with pkgs; [
# pinentry-gnome # maybe I'll delete it
# cava
adw-gtk3
dconf
gnome-tweaks
]) ++ extensions;
sessionVariables.GTK_THEME = "adw-gtk3-dark";
};
};
environment.etc."lemurs/wayland/gnome".source = pkgs.writeShellScript "gnome.sh" "${pkgs.gnome-shell}/bin/niri";
}
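Review bot: The lemurs session script on L1247 execs `${pkgs.gnome-shell}/bin/niri`, which the `gnome-shell` package does not ship (`niri` is a separate compositor), so selecting this session in lemurs will fail immediately; for a GNOME Wayland session use `${pkgs.gnome-session}/bin/gnome-session`, and if niri was intended, `${lib.getExe pkgs.niri}`. Since the script is a `writeShellScript`, prefix the command with `exec` so the wrapper shell does not linger for the life of the session.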

41
hosts/phoenix/gpu.nix Normal file

@@ -0,0 +1,41 @@
{ lib, config, ... }: {
boot.initrd.kernelModules = [ "nvidia" ];
boot.extraModulePackages = [ config.boot.kernelPackages.nvidia_x11 ];
services.xserver.videoDrivers = [ "nvidia" "modesetting" ];
hardware = {
nvidia = {
modesetting.enable = true;
powerManagement.enable = false;
powerManagement.finegrained = false;
open = false; # Use open kernel module, not nouveau
nvidiaSettings = true;
package = config.boot.kernelPackages.nvidiaPackages.stable;
# package = config.boot.kernelPackages.nvidiaPackages.stable.override {
# disable32Bit = true;
# };
prime = {
amdgpuBusId = "PCI:5:0:0";
nvidiaBusId = "PCI:1:0:0";
offload = {
enable = true;
enableOffloadCmd = true;
};
reverseSync.enable = lib.mkForce false;
sync.enable = lib.mkForce false;
};
};
graphics.enable = true; # OpenGL
};
nixpkgs.config.nvidia.acceptLicense = true;
n.misc.unfreePackages = [
"nvidia-x11"
"nvidia-settings"
"nvidia-persistenced"
];
}
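Review bot: The comment on L1264 says the opposite of what the option does: `hardware.nvidia.open = false` selects NVIDIA's proprietary kernel module, while `true` selects the open-source `nvidia-open` module; neither has anything to do with nouveau, which is already displaced by listing `nvidia` in `videoDrivers` on L1258. Reword it as `open = false; # proprietary kernel module (true = nvidia-open; nouveau is not involved)` so the next reader does not flip it by mistake. With `powerManagement.enable = false` on L1262 and PRIME offload, the dGPU never powers down if this is a laptop; that may be deliberate, but a one-line comment saying so would help.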


@@ -0,0 +1,12 @@
{ pkgs, ... }: {
# nixpkgs.overlays = [
# (final: prev: {
# electron = final.electron_33-bin;
# electron_34 = final.electron_33-bin;
# })
# ];
n.misc.unfreePackages = [ "obsidian" ];
hm.home.packages = [ pkgs.obsidian ];
imp.home.dirs = [ ".config/obsidian" "Knowledge" ];
}


@@ -0,0 +1,4 @@
{ ... }: {
services.postgresql.enable = true;
imp.dirs = [ "/var/lib/postgresql" ];
}


@@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 8IT6eg zOyK3R9L2wLc3j24BeClZfV0qreGhCUEAKe5I/ek/RQ
p8Cs+J6Wr2gqbuxk9pBHzswsVu3hFBsi69fkxvGxNIE
-> zh:p3}L;-grease 0r+81 g
Fd+eCNxUNT6oCVS+ljiPObC9d0oIZQSwkXIhIaEyugAdMBRIfvniO9nkHiHn
--- TsFWr7WQ1ublsHFf0In5XgH+THVqE9w7B3AWv4WthTo
+,
ձ<EFBFBD>7<EFBFBD><EFBFBD><EFBFBD><EFBFBD>>f<<3C><><EFBFBD>5<EFBFBD>^<5E>Y<EFBFBD><59>w<EFBFBD>Ȁ<EFBFBD>9m|\͉?<3F><>\<1A>kaVk<56>W<>ܒo<DC92><6F>S*<2A>q.<2E><>]`<60>[6<>5,<4D><CF9F>B<><42><EFBFBD>di4<69><34>җ<EFBFBD><D297>N<EFBFBD><4E>d<EFBFBD>

36
hosts/tureis/default.nix Normal file

@@ -0,0 +1,36 @@
{ lib, config, ... }: {
nixpkgs.hostPlatform = "x86_64-linux";
hardware.enableRedistributableFirmware = true;
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.initrd.kernelModules = [ "usb_storage" ];
boot.kernelModules = [ "usb_storage" ];
boot.extraModulePackages = [ ];
# age.secrets.tureis_user_password = {
# rekeyFile = ./secrets/password.age;
# owner = "user";
# group = "users";
# mode = "0400";
# };
n.host = {
# hardware.cpu = "intel"; # TODO
bootloader = "lanzaboote";
hostId = "db4713ee";
users."user" = lib.mkUser "" true;
defaultUser = "user";
types = [ "desktop" ];
};
imports = [
(lib.fs.luks "nix" "/dev/sda4" {})
(lib.fs.tmpfs "/" "none" [ "mode=755" "size=40%" ])
(lib.fs.vfat "/boot" "/dev/disk/by-uuid/5B0A-68EA" [ "fmask=0022" "dmask=0022" ])
(lib.fs.ext4 "/nix" "/dev/mapper/nix" null)
];
boot.initrd.supportedFilesystems.vfat = true;
}
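Review bot: `lib.mkUser "" true` on L1348 passes an empty string where the other hosts pass an agenix password-file path, and the matching `age.secrets` block is commented out on L1338-L1343; depending on what `mkUser` does with its first argument this likely yields an account with no password (or an evaluation failure), while the second argument presumably grants admin rights as on the other hosts — confirm the resulting `users.users.user` before this machine is reachable over the network. The LUKS device on L1353 is given as `/dev/sda4` rather than a `by-uuid`/`by-partuuid` path like every other host in this commit, which breaks on any change in device enumeration; and the empty `{}` drops `allowDiscards`, which is fine for an HDD but worth stating in a comment.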


@@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 8IT6eg zOyK3R9L2wLc3j24BeClZfV0qreGhCUEAKe5I/ek/RQ
p8Cs+J6Wr2gqbuxk9pBHzswsVu3hFBsi69fkxvGxNIE
-> zh:p3}L;-grease 0r+81 g
Fd+eCNxUNT6oCVS+ljiPObC9d0oIZQSwkXIhIaEyugAdMBRIfvniO9nkHiHn
--- TsFWr7WQ1ublsHFf0In5XgH+THVqE9w7B3AWv4WthTo
+,
ձ<EFBFBD>7<EFBFBD><EFBFBD><EFBFBD><EFBFBD>>f<<3C><><EFBFBD>5<EFBFBD>^<5E>Y<EFBFBD><59>w<EFBFBD>Ȁ<EFBFBD>9m|\͉?<3F><>\<1A>kaVk<56>W<>ܒo<DC92><6F>S*<2A>q.<2E><>]`<60>[6<>5,<4D><CF9F>B<><42><EFBFBD>di4<69><34>җ<EFBFBD><D297>N<EFBFBD><4E>d<EFBFBD>