summary refs log tree commit diff
diff options
context:
space:
mode:
authortzlil <tzlils@protonmail.com>2023-03-31 17:56:36 +0300
committertzlil <tzlils@protonmail.com>2023-03-31 17:56:36 +0300
commit977e7c795ab2ca3d2a226bdbebf4d5e7b3dad96c (patch)
tree1af4ee17e8f907157cbf8eb0dd91bc1ee97c9a53
parentfbbd1a6ee7cb8f4a221b9ec77f714778eb4ae7f4 (diff)
completed hydrus setup, made ssh-agent autostart (wantedBy default.target)
-rw-r--r--flake.lock36
-rw-r--r--hosts/vps/cfg.nix3
-rw-r--r--hosts/vps/hydrus.nix61
-rw-r--r--profiles/security.nix2
-rw-r--r--profiles/user.nix4
5 files changed, 87 insertions, 19 deletions
diff --git a/flake.lock b/flake.lock
index 26453be..ad8a444 100644
--- a/flake.lock
+++ b/flake.lock
@@ -43,11 +43,11 @@
     },
     "hardware": {
       "locked": {
-        "lastModified": 1678397099,
-        "narHash": "sha256-5xq8YJe+h19TlD+EI4AE/3H3jcCcQ2AWU6CWBVc5tRc=",
+        "lastModified": 1680070330,
+        "narHash": "sha256-aoT2YZCd9LEtiEULFLIF0ykKydgE72X8gw/k9/pRS5I=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "556101ff85bd6e20900ec73ee525b935154bc8ea",
+        "rev": "a6aa8174fa61e55bd7e62d35464d3092aefe0421",
         "type": "github"
       },
       "original": {
@@ -64,11 +64,11 @@
         "utils": "utils"
       },
       "locked": {
-        "lastModified": 1678571066,
-        "narHash": "sha256-MrlMr2A3tK1MY/JUGWMVzMwois8+mHWXm/1yYdwQSIc=",
+        "lastModified": 1680249941,
+        "narHash": "sha256-7Ylr0NAr8msd3YVaYBw6uyJIRbtOq5l6aLrmrYA5qTw=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "bf5712c5865e543fb3f4796511d4cf51efd841b1",
+        "rev": "67b97020b6970d39b4126a7870063d11337ecb80",
         "type": "github"
       },
       "original": {
@@ -87,11 +87,11 @@
         "xdph": "xdph"
       },
       "locked": {
-        "lastModified": 1678628798,
-        "narHash": "sha256-AQZK2/OmY+Vf+hnDkIJ/oqjCiEhCTHlTo2f1IhSYXFw=",
+        "lastModified": 1680265039,
+        "narHash": "sha256-KUMwbTvoVxEh9VtXCDyWHb1PfvxUyWVvrlT6nahhf8s=",
         "owner": "hyprwm",
         "repo": "Hyprland",
-        "rev": "146d231ec5ea9059a64e34caeba06e790991e81a",
+        "rev": "24ef5d888c648d9a89fdd12c2dbff84f1153aa67",
         "type": "github"
       },
       "original": {
@@ -188,11 +188,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1678470307,
-        "narHash": "sha256-OEeMUr3ueLIXyW/OaFUX5jUdimyQwMg/7e+/Q0gC/QE=",
+        "lastModified": 1680125544,
+        "narHash": "sha256-mlqo1r+TZUOuypWdrZHluxWL+E5WzXlUXNZ9Y0WLDFU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "0c4800d579af4ed98ecc47d464a5e7b0870c4b1f",
+        "rev": "9a6aabc4740790ef3bbb246b86d029ccf6759658",
         "type": "github"
       },
       "original": {
@@ -210,11 +210,11 @@
         "utils": "utils_2"
       },
       "locked": {
-        "lastModified": 1678614044,
-        "narHash": "sha256-J27xhKwVJGfB51tTSWT077l+URuRrLbElScvjB3HLgc=",
+        "lastModified": 1680261737,
+        "narHash": "sha256-tJDA4yMBkDESIFyGKKjUObg3UcnGvpdPdnbuK9hDtR4=",
         "owner": "wamserma",
         "repo": "flake-programs-sqlite",
-        "rev": "0937e66bdf1c27d331f4f418c68efc58f5228354",
+        "rev": "fd509bb8400249dc5370068183b86b31a4aacd60",
         "type": "github"
       },
       "original": {
@@ -269,11 +269,11 @@
       "flake": false,
       "locked": {
         "host": "gitlab.freedesktop.org",
-        "lastModified": 1677789111,
-        "narHash": "sha256-dWrk+Q3bLdtFe5rkyaAKWCQJCeE/KFNllcu1DvBC38c=",
+        "lastModified": 1679340088,
+        "narHash": "sha256-/1KiYoBivDj8HC/eVK2Tr2WYkVdKJxq2Lb0tQs0qqJo=",
         "owner": "wlroots",
         "repo": "wlroots",
-        "rev": "5ae17de23f5fd9bb252a698f3771c840280e2c05",
+        "rev": "1d64e12391a638201c679e71d4e22bb45e5faa8e",
         "type": "gitlab"
       },
       "original": {
diff --git a/hosts/vps/cfg.nix b/hosts/vps/cfg.nix
index 3c7787b..c902c53 100644
--- a/hosts/vps/cfg.nix
+++ b/hosts/vps/cfg.nix
@@ -12,6 +12,7 @@
     ../../mixins/cli.nix
     ./website.nix
     ./git.nix
+    ./hydrus.nix
   ];
 
   config = {
@@ -74,5 +75,7 @@
       enable = true;
       algorithm = "zstd";
     };
+
+    networking.networkmanager.enable = lib.mkForce false;
   };
 }
diff --git a/hosts/vps/hydrus.nix b/hosts/vps/hydrus.nix
new file mode 100644
index 0000000..2fe988e
--- /dev/null
+++ b/hosts/vps/hydrus.nix
@@ -0,0 +1,61 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: {
+  config = {
+    users.groups.hydrus = {};
+    users.users.hydrus = {
+      isSystemUser = true;
+      description = "hydrus";
+      group = "hydrus";
+      home = "/home/hydrus";
+    };
+
+    systemd.services.Xvnc = {
+      description = "Xvnc";
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig = {
+        ExecStart = "${pkgs.turbovnc}/bin/Xvnc :30 -iglx -depth 24 -rfbwait 120000 -deferupdate 1 -localhost -verbose -securitytypes none";
+        User = "hydrus";
+        Group = "hydrus";
+        Restart = "on-failure";
+        RestartSec = "5s";
+      };
+    };
+
+    systemd.services.hydrus = {
+      description = "Hydrus";
+      wantedBy = [ "multi-user.target" "Xvnc.service" ];
+      wants = [ "podman-hydrus-web.service" ];
+
+      serviceConfig = {
+        Environment = "DISPLAY=:30"; 
+        ExecStart = "${pkgs.hydrus}/bin/hydrus-client -d /home/hydrus";
+        User = "hydrus";
+        Group = "hydrus";
+        Restart = "on-failure";
+        RestartSec = "5s";
+      };
+    };
+
+
+    security.lockKernelModules = lib.mkForce false;
+    virtualisation.oci-containers.containers.hydrus-web = {
+      ports = ["8080:80"];
+      image = "ghcr.io/floogulinc/hydrus-web:dev";
+    };
+
+    networking.firewall.allowedTCPPorts = [45869];
+
+    environment.persistence."/nix/persist".directories = [
+      {
+        directory = "/home/hydrus";
+        user = "hydrus";
+        group = "hydrus";
+      }
+    ];
+  };
+}
diff --git a/profiles/security.nix b/profiles/security.nix
index 8ca89e3..ddd980e 100644
--- a/profiles/security.nix
+++ b/profiles/security.nix
@@ -21,6 +21,8 @@
     security.allowSimultaneousMultithreading = false;
     security.forcePageTableIsolation = true;
 
+    security.unprivilegedUsernsClone = config.virtualisation.containers.enable;
+
     security.virtualisation.flushL1DataCache = "always";
 
     security.apparmor.enable = true;
diff --git a/profiles/user.nix b/profiles/user.nix
index 0a3bebe..d343e9c 100644
--- a/profiles/user.nix
+++ b/profiles/user.nix
@@ -19,6 +19,8 @@
       # password.file = ../secrets/password.age;
     };
 
+
+  programs.fish.enable = true; # needed now
     users.users.tzlil = {
       isNormalUser = true;
       description = "Me";
@@ -62,7 +64,7 @@
       in {
         Unit = {
           Description = "SSH Agent";
-          After = ["default.target"];
+          WantedBy = ["default.target"];
         };
         Service = {
           ExecStartPre = "${pkgs.coreutils}/bin/rm -f %t/ssh-agent";