From f72f22b250ecf22657ffc9e6082086377031ea8a Mon Sep 17 00:00:00 2001 From: tzlil Date: Sun, 30 Jul 2023 13:19:39 +0300 Subject: clean up a bit --- hosts/default.nix | 22 ++++- hosts/navi/default.nix | 24 +----- hosts/vps/default.nix | 50 ++--------- hosts/vps/git.nix | 93 -------------------- hosts/vps/hardware-configuration.nix | 36 ++++++++ hosts/vps/hydrus.nix | 60 ------------- hosts/vps/maloja.nix | 51 ----------- hosts/vps/matrix.nix | 159 ----------------------------------- hosts/vps/services/git.nix | 93 ++++++++++++++++++++ hosts/vps/services/hydrus.nix | 60 +++++++++++++ hosts/vps/services/maloja.nix | 51 +++++++++++ hosts/vps/services/matrix.nix | 159 +++++++++++++++++++++++++++++++++++ hosts/vps/services/website.nix | 139 ++++++++++++++++++++++++++++++ hosts/vps/website.nix | 139 ------------------------------ mixins/cli.nix | 1 + profiles/core.nix | 43 ---------- profiles/gentoo.nix | 37 -------- profiles/impermanence.nix | 7 +- profiles/stdenv.nix | 37 ++++++++ profiles/tzlil.nix | 7 +- 20 files changed, 611 insertions(+), 657 deletions(-) delete mode 100644 hosts/vps/git.nix create mode 100644 hosts/vps/hardware-configuration.nix delete mode 100644 hosts/vps/hydrus.nix delete mode 100644 hosts/vps/maloja.nix delete mode 100644 hosts/vps/matrix.nix create mode 100644 hosts/vps/services/git.nix create mode 100644 hosts/vps/services/hydrus.nix create mode 100644 hosts/vps/services/maloja.nix create mode 100644 hosts/vps/services/matrix.nix create mode 100644 hosts/vps/services/website.nix delete mode 100644 hosts/vps/website.nix delete mode 100644 profiles/core.nix delete mode 100644 profiles/gentoo.nix create mode 100644 profiles/stdenv.nix diff --git a/hosts/default.nix b/hosts/default.nix index 164030c..1367391 100644 --- a/hosts/default.nix +++ b/hosts/default.nix 
@@ -7,7 +7,7 @@ inputs: let ../profiles/security.nix ../profiles/ssh.nix ../profiles/network.nix - ../profiles/impermanence.nix + ../profiles/impermanence.nix ]; } inputs.agenix.nixosModules.age @@ -32,6 +32,11 @@ inputs: let hermetic = false; }; }; + + stateVersion = v: { + home-manager.users.tzlil.home.stateVersion = v; + system.stateVersion = v; + }; in { navi = inputs.nixpkgs.lib.nixosSystem { system = "x86_64-linux"; @@ -41,6 +46,21 @@ in { "${inputs.self}/hosts/navi" {networking.hostName = "navi";} (nixinate "navi") + (stateVersion "23.11") + ] + ++ commonProfiles + ++ commonHome; + }; + + vps = inputs.nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = {inherit inputs;}; + modules = + [ + "${inputs.self}/hosts/vps" + {networking.hostName = "vps";} + (nixinate "vps") + (stateVersion "22.05") ] ++ commonProfiles ++ commonHome; diff --git a/hosts/navi/default.nix b/hosts/navi/default.nix index 497f5f7..e689bc3 100644 --- a/hosts/navi/default.nix +++ b/hosts/navi/default.nix @@ -7,26 +7,22 @@ }: { imports = [ ./hardware-configuration.nix - # ../../profiles/core.nix ../../profiles/graphical.nix ../../mixins/tailscale.nix ../../mixins/cli.nix ../../mixins/greet.nix - # ../../mixins/hyprland.nix ../../mixins/sway.nix ../../mixins/pipewire.nix ../../mixins/multimedia.nix - # ../../mixins/emacs ../../mixins/syncthing.nix ]; config = { - system.stateVersion = "23.11"; boot = { tmp.cleanOnBoot = true; initrd = { supportedFilesystems = ["btrfs"]; - availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" "usbhid" "snd_usb_audio"]; + availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" "usbhid" "snd_usb_audio" "hid_logitech_dj" "hid_logitech_hidpp"]; }; supportedFilesystems = ["ntfs"]; kernelModules = ["kvm-intel" "snd-seq" "snd-rawmidi" "bridge"]; 
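Review bot: The new `stateVersion` helper in hosts/default.nix has no comment, yet it now sets both `system.stateVersion` and the home-manager state version for every host from one place, and the two hosts pinned right below it differ ("23.11" for navi, "22.05" for vps), which invites a future "harmonising" bump that would silently change stateful defaults such as the postgresql version the matrix module persists under `/var/lib/postgresql/<schema>`. I would put this above the helper: `# Pins NixOS + home-manager stateful defaults; set once per host at install time and never bump on an existing machine.` The `let` binding this helper lives in begins before this hunk.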
@@ -45,24 +41,6 @@ time.timeZone = lib.mkDefault "Israel"; - /* - fileSystems."/" = { - device = "none"; - fsType = "tmpfs"; - # hyprland doesnt compile with noexec root - options = ["defaults" "size=8G" "mode=755"]; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/34CB-F158"; - fsType = "vfat"; - }; - - fileSystems."/nix" = { - device = "/dev/disk/by-uuid/8a8cc550-034e-4545-a958-564779f51061"; - fsType = "btrfs"; - }; - */ zramSwap = { enable = true; algorithm = "zstd"; diff --git a/hosts/vps/default.nix b/hosts/vps/default.nix index 3597c5c..4741374 100644 --- a/hosts/vps/default.nix +++ b/hosts/vps/default.nix @@ -5,29 +5,17 @@ ... }: { imports = [ - ../../profiles/core.nix - ../../profiles/user.nix - ../../profiles/ssh.nix + ./hardware-configuration.nix ../../mixins/tailscale.nix ../../mixins/cli.nix - ./website.nix - ./git.nix - ./hydrus.nix - ./matrix.nix - ./maloja.nix + ./services/website.nix + ./services/git.nix + ./services/hydrus.nix + ./services/matrix.nix + ./services/maloja.nix ]; config = { - _module.args.nixinate = { - host = "vps"; - sshUser = "tzlil"; - buildOn = "remote"; # valid args are "local" or "remote" - substituteOnTarget = true; # if buildOn is "local" then it will substitute on the target, "-s" - hermetic = false; - }; - - networking.hostName = "vps"; - boot = { kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; loader.grub.device = "/dev/vda"; 
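Review bot: The vps `imports` drop `../../profiles/user.nix` and `../../profiles/ssh.nix`; ssh.nix is visible in `commonProfiles` in hosts/default.nix, but user.nix does not appear in the part of that list shown here, so confirm the `tzlil` account that nixinate uses as `sshUser` is still defined for this host — otherwise the next deploy loses its login while the service modules keep referencing the name. If user.nix is meant to come from commonProfiles, a one-line comment above `imports` saying `# security/ssh/network/impermanence/user profiles come from hosts/default.nix commonProfiles` would make the dependency explicit. The `config` attrset continues past the end of this hunk.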
@@ -41,34 +29,8 @@ networking.interfaces.ens3.useDHCP = lib.mkDefault true; - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; - virtualisation.hypervGuest.enable = true; - time.timeZone = lib.mkDefault "Frankfurt"; - fileSystems = { - "/" = { - device = "none"; - fsType = "tmpfs"; - options = ["noexec" "defaults" "size=2G" "mode=755"]; - }; - "/nix" = { - device = "/dev/disk/by-uuid/e4c4735d-bfdd-477f-bc43-d07510cb6a9a"; - fsType = "btrfs"; - }; - "/boot" = { - device = "/dev/disk/by-uuid/7ea63707-099d-4c21-90eb-a51bfa6d8ba5"; - fsType = "ext4"; - }; - }; - - swapDevices = [{device = "/dev/disk/by-uuid/00eb2d2e-4d7c-4e95-804d-e9ecb22679d4";}]; - - zramSwap = { - enable = true; - algorithm = "zstd"; - }; networking.networkmanager.enable = lib.mkForce false; diff --git a/hosts/vps/git.nix b/hosts/vps/git.nix deleted file mode 100644 index 8bd4653..0000000 --- a/hosts/vps/git.nix +++ /dev/null 
@@ -1,93 +0,0 @@ -{ - pkgs, - config, - ... -}: { - config = { - users.groups.git = {}; - users.users.git = { - isSystemUser = true; - description = "tzlil"; - group = "git"; - home = "/home/git"; - packages = [pkgs.git]; - shell = "${pkgs.git}/bin/git-shell"; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIgPE76xQXx1kpvWavHGNOWHiZSFdGfz/rQlISGrKsDe" - ]; - }; - - # for syntax highlighting - users.groups.fcgiwrap = {}; - users.users.fcgiwrap = { - isSystemUser = true; - group = "fcgiwrap"; - packages = [pkgs.highlight pkgs.fcgiwrap]; - }; - - services = { - fcgiwrap = { - enable = true; - user = "fcgiwrap"; - group = "fcgiwrap"; - }; - caddy = { - virtualHosts."tzlil.net".extraConfig = '' - bind 0.0.0.0 - ${config.website.defaultHeaders} - handle_path /cgit/* { - handle /cgit.png { - root * ${pkgs.cgit}/cgit - file_server - } - handle /cgit.css { - try_files ${pkgs.fetchurl { - url = "https://jeremias.stotter.eu/cgi-bin/cgit.cgi/cgit-dark/plain/cgit.css"; - sha256 = "sha256-wqszujnWV5PRh3L23L1BFj/PKUElpyu1KhjqrHS8lCw="; - }} / - file_server - } - handle /favicon.ico { - root * ${pkgs.cgit}/cgit - file_server - } - handle { - reverse_proxy unix//run/fcgiwrap.sock { - transport fastcgi { - env SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi - env CGIT_CONFIG ${pkgs.writeText "cgitrc" (pkgs.lib.generators.toKeyValue {} { - css = "/cgit/cgit.css"; - logo = "/cgit/cgit.png"; - favicon = "/favicon.ico"; - clone-url = pkgs.lib.concatStringsSep " " [ - "http://$HTTP_HOST$SCRIPT_NAME/$CGIT_REPO_URL" - "ssh://git@tzlil.net:$CGIT_REPO_URL" - ]; - enable-log-filecount = 1; - enable-log-linecount = 1; - enable-git-config = 1; - root-title = "tzlil.net"; - root-desc = "Tzlil's Git Repositories"; - scan-path = "/home/git"; - about-filter = "${pkgs.cgit}/lib/cgit/filters/about-formatting.py"; - source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py"; - logo-link = "/"; - virtual-root = "/cgit"; - readme = ":README.md"; - })} - } - } - } - } - 
''; - }; - }; - environment.persistence."/nix/persist".directories = [ - { - directory = "/home/git"; - user = "git"; - group = "git"; - } - ]; - }; -} diff --git a/hosts/vps/hardware-configuration.nix b/hosts/vps/hardware-configuration.nix new file mode 100644 index 0000000..2d9a5fa --- /dev/null +++ b/hosts/vps/hardware-configuration.nix @@ -0,0 +1,36 @@ +{ + inputs, + pkgs, + lib, + config, + ... +}: { + fileSystems = { + "/" = { + device = "none"; + fsType = "tmpfs"; + options = ["noexec" "defaults" "size=2G" "mode=755"]; + }; + "/nix" = { + device = "/dev/disk/by-uuid/e4c4735d-bfdd-477f-bc43-d07510cb6a9a"; + fsType = "btrfs"; + }; + "/boot" = { + device = "/dev/disk/by-uuid/7ea63707-099d-4c21-90eb-a51bfa6d8ba5"; + fsType = "ext4"; + }; + }; + + swapDevices = [{device = "/dev/disk/by-uuid/00eb2d2e-4d7c-4e95-804d-e9ecb22679d4";}]; + + zramSwap = { + enable = true; + algorithm = "zstd"; + }; + + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + virtualisation.hypervGuest.enable = true; + +} diff --git a/hosts/vps/hydrus.nix b/hosts/vps/hydrus.nix deleted file mode 100644 index c967fbc..0000000 --- a/hosts/vps/hydrus.nix +++ /dev/null 
@@ -1,60 +0,0 @@ -{ - pkgs, - config, - lib, - ... -}: { - config = { - users.groups.hydrus = {}; - users.users.hydrus = { - isSystemUser = true; - description = "hydrus"; - group = "hydrus"; - home = "/home/hydrus"; - }; - - systemd.services.Xvnc = { - description = "Xvnc"; - wantedBy = ["multi-user.target"]; - - serviceConfig = { - ExecStart = "${pkgs.turbovnc}/bin/Xvnc :30 -iglx -depth 24 -rfbwait 120000 -deferupdate 1 -localhost -verbose -securitytypes none"; - User = "hydrus"; - Group = "hydrus"; - Restart = "on-failure"; - RestartSec = "5s"; - }; - }; - - systemd.services.hydrus = { - description = "Hydrus"; - wantedBy = ["multi-user.target" "Xvnc.service"]; - wants = ["podman-hydrus-web.service"]; - - serviceConfig = { - Environment = "DISPLAY=:30"; - ExecStart = "${pkgs.hydrus}/bin/hydrus-client -d /home/hydrus"; - User = "hydrus"; - Group = "hydrus"; - Restart = "on-failure"; - RestartSec = "5s"; - }; - }; - - security.lockKernelModules = lib.mkForce false; - virtualisation.oci-containers.containers.hydrus-web = { - ports = ["100.67.217.90:8080:80"]; - image = "ghcr.io/floogulinc/hydrus-web:dev"; - }; - - networking.firewall.allowedTCPPorts = [45869]; - - environment.persistence."/nix/persist".directories = [ - { - directory = "/home/hydrus"; - user = "hydrus"; - group = "hydrus"; - } - ]; - }; -} diff --git a/hosts/vps/maloja.nix b/hosts/vps/maloja.nix deleted file mode 100644 index 3d4530d..0000000 --- a/hosts/vps/maloja.nix +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - pkgs, - config, - lib, - ... -}: { - config = { - users.groups.maloja = {}; - users.users.maloja = { - isSystemUser = true; - description = "maloja"; - group = "maloja"; - home = "/var/lib/maloja"; - }; - - security.lockKernelModules = lib.mkForce false; - virtualisation.oci-containers.containers.maloja = { - ports = ["42010:42010"]; - image = "krateng/maloja"; - volumes = [ - "/var/lib/maloja:/data" - ]; - environment = { - MALOJA_DATA_DIRECTORY = "/data"; - MALOJA_SKIP_SETUP = "True"; - MALOJA_NAME = "tzlil"; - MAlOJA_PROXY_IMAGES = "True"; - }; - }; - - # systemd.services.podman-maloja.serviceConfig.User = "maloja"; - # systemd.services.podman-maloja.serviceConfig.Group = "maloja"; - - networking.firewall.allowedTCPPorts = [42010]; - - environment.persistence."/nix/persist".directories = [ - { - directory = "/var/lib/maloja"; - user = "maloja"; - group = "maloja"; - } - ]; - - services.caddy = { - virtualHosts."fm.tzlil.net".extraConfig = '' - bind 0.0.0.0 - reverse_proxy :42010 - ''; - }; - }; -} diff --git a/hosts/vps/matrix.nix b/hosts/vps/matrix.nix deleted file mode 100644 index e2aa1a5..0000000 --- a/hosts/vps/matrix.nix +++ /dev/null 
@@ -1,159 +0,0 @@ -{ - pkgs, - config, - lib, - ... -}: { - config = { - # services.matrix-synapse = { - # enable = true; - # settings.server_name = config.networking.domain; - # settings.listeners = [ - # { - # port = 8008; - # bind_addresses = ["::1"]; - # type = "http"; - # tls = false; - # x_forwarded = true; - # resources = [ - # { - # names = ["client" "federation"]; - # compress = true; - # } - # ]; - # } - # ]; - # }; - # networking.firewall.allowedTCPPorts = [80 443]; - - age.secrets.matrix = { - file = ../../secrets/matrix.age; - mode = "600"; - owner = "root"; - group = "root"; - }; - - services.dendrite = let - database_config = { - connection_string = "postgresql:///dendrite?host=/run/postgresql"; - max_open_conns = 10; - max_idle_conns = 5; - }; - in { - enable = true; - - loadCredential = ["private_key:${config.age.secrets.matrix.path}" "tlsCert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tzlil.net/tzlil.net.crt" "tlsKey:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tzlil.net/tzlil.net.key"]; - - # tlsCert = "$CREDENTIALS_DIRECTORY/tlsCert"; - # tlsKey = "$CREDENTIALS_DIRECTORY/tlsKey"; - - # httpPort = null; - # httpsPort = 8448; - - settings = { - global = { - server_name = "tzlil.net"; - private_key = "$CREDENTIALS_DIRECTORY/private_key"; - - # preserve across restarts - jetstream.storage_path = "/var/lib/dendrite/"; - - dns_cache = { - enabled = true; - cache_size = 4096; - cache_lifetime = "600s"; - }; - - presence = { - enable_inbound = true; - enable_outbound = true; - }; - - cache.max_size_estimated = "16gb"; - }; - federation_api.key_perspectives = [ - { - server_name = "matrix.org"; - keys = [ - { - key_id = "ed25519:auto"; - public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"; - } - { - key_id = "ed25519:a_RXGa"; - public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ"; - } - ]; - } - ]; - - app_service_api.database = database_config; - 
federation_api.database = database_config; - key_server.database = database_config; - media_api.database = database_config; - mscs.database = database_config; - room_server.database = database_config; - sync_api.database = database_config; - user_api.account_database = database_config; - user_api.device_database = database_config; - }; - }; - - systemd.services.dendrite.serviceConfig.ExecStart = lib.mkForce (lib.strings.concatStringsSep " " [ - "${pkgs.dendrite}/bin/dendrite" - "--config /run/dendrite/dendrite.yaml" - "--http-bind-address :8008" - "--https-bind-address :8448" - "--tls-cert $CREDENTIALS_DIRECTORY/tlsCert" - "--tls-key $CREDENTIALS_DIRECTORY/tlsKey" - ]); - - services.postgresql = { - enable = true; - ensureUsers = [ - { - name = "dendrite"; - ensurePermissions = { - "DATABASE dendrite" = "ALL PRIVILEGES"; - }; - } - ]; - - ensureDatabases = ["dendrite"]; - }; - - # not needed if i use /var/lib/private , DynamicUser can remap the permissions for the service - # systemd.services.dendrite.serviceConfig.User = "dendrite"; - # systemd.services.dendrite.serviceConfig.Group = "dendrite"; - environment.persistence."/nix/persist".directories = [ - { - directory = "/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}"; - user = "postgres"; - group = "postgres"; - } - - { - directory = "/var/lib/private/dendrite"; - user = "root"; - group = "root"; - } - ]; - - systemd.services.dendrite.after = ["postgresql.service"]; - - services.caddy = { - # for federation - virtualHosts."tzlil.net:8448".extraConfig = '' - reverse_proxy /_matrix/* localhost:8008 - ''; - # for clients - virtualHosts."tzlil.net".extraConfig = '' - reverse_proxy /_matrix/* localhost:8008 - header /.well-known/matrix/* Content-Type application/json - header /.well-known/matrix/* Access-Control-Allow-Origin * - respond /.well-known/matrix/server `{"m.server": "tzlil.net"}` - ''; - }; - networking.firewall.allowedTCPPorts = [8448]; - }; -} 
diff --git a/hosts/vps/services/git.nix b/hosts/vps/services/git.nix new file mode 100644 index 0000000..8bd4653 --- /dev/null +++ b/hosts/vps/services/git.nix 
@@ -0,0 +1,93 @@ +{ + pkgs, + config, + ... +}: { + config = { + users.groups.git = {}; + users.users.git = { + isSystemUser = true; + description = "tzlil"; + group = "git"; + home = "/home/git"; + packages = [pkgs.git]; + shell = "${pkgs.git}/bin/git-shell"; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIgPE76xQXx1kpvWavHGNOWHiZSFdGfz/rQlISGrKsDe" + ]; + }; + + # for syntax highlighting + users.groups.fcgiwrap = {}; + users.users.fcgiwrap = { + isSystemUser = true; + group = "fcgiwrap"; + packages = [pkgs.highlight pkgs.fcgiwrap]; + }; + + services = { + fcgiwrap = { + enable = true; + user = "fcgiwrap"; + group = "fcgiwrap"; + }; + caddy = { + virtualHosts."tzlil.net".extraConfig = '' + bind 0.0.0.0 + ${config.website.defaultHeaders} + handle_path /cgit/* { + handle /cgit.png { + root * ${pkgs.cgit}/cgit + file_server + } + handle /cgit.css { + try_files ${pkgs.fetchurl { + url = "https://jeremias.stotter.eu/cgi-bin/cgit.cgi/cgit-dark/plain/cgit.css"; + sha256 = "sha256-wqszujnWV5PRh3L23L1BFj/PKUElpyu1KhjqrHS8lCw="; + }} / + file_server + } + handle /favicon.ico { + root * ${pkgs.cgit}/cgit + file_server + } + handle { + reverse_proxy unix//run/fcgiwrap.sock { + transport fastcgi { + env SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi + env CGIT_CONFIG ${pkgs.writeText "cgitrc" (pkgs.lib.generators.toKeyValue {} { + css = "/cgit/cgit.css"; + logo = "/cgit/cgit.png"; + favicon = "/favicon.ico"; + clone-url = pkgs.lib.concatStringsSep " " [ + "http://$HTTP_HOST$SCRIPT_NAME/$CGIT_REPO_URL" + "ssh://git@tzlil.net:$CGIT_REPO_URL" + ]; + enable-log-filecount = 1; + enable-log-linecount = 1; + enable-git-config = 1; + root-title = "tzlil.net"; + root-desc = "Tzlil's Git Repositories"; + scan-path = "/home/git"; + about-filter = "${pkgs.cgit}/lib/cgit/filters/about-formatting.py"; + source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py"; + logo-link = "/"; + virtual-root = "/cgit"; + readme = ":README.md"; + })} + } + } + } + } + 
''; + }; + }; + environment.persistence."/nix/persist".directories = [ + { + directory = "/home/git"; + user = "git"; + group = "git"; + } + ]; + }; +} diff --git a/hosts/vps/services/hydrus.nix b/hosts/vps/services/hydrus.nix new file mode 100644 index 0000000..c967fbc --- /dev/null +++ b/hosts/vps/services/hydrus.nix @@ -0,0 +1,60 @@ +{ + pkgs, + config, + lib, + ... +}: { + config = { + users.groups.hydrus = {}; + users.users.hydrus = { + isSystemUser = true; + description = "hydrus"; + group = "hydrus"; + home = "/home/hydrus"; + }; + + systemd.services.Xvnc = { + description = "Xvnc"; + wantedBy = ["multi-user.target"]; + + serviceConfig = { + ExecStart = "${pkgs.turbovnc}/bin/Xvnc :30 -iglx -depth 24 -rfbwait 120000 -deferupdate 1 -localhost -verbose -securitytypes none"; + User = "hydrus"; + Group = "hydrus"; + Restart = "on-failure"; + RestartSec = "5s"; + }; + }; + + systemd.services.hydrus = { + description = "Hydrus"; + wantedBy = ["multi-user.target" "Xvnc.service"]; + wants = ["podman-hydrus-web.service"]; + + serviceConfig = { + Environment = "DISPLAY=:30"; + ExecStart = "${pkgs.hydrus}/bin/hydrus-client -d /home/hydrus"; + User = "hydrus"; + Group = "hydrus"; + Restart = "on-failure"; + RestartSec = "5s"; + }; + }; + + security.lockKernelModules = lib.mkForce false; + virtualisation.oci-containers.containers.hydrus-web = { + ports = ["100.67.217.90:8080:80"]; + image = "ghcr.io/floogulinc/hydrus-web:dev"; + }; + + networking.firewall.allowedTCPPorts = [45869]; + + environment.persistence."/nix/persist".directories = [ + { + directory = "/home/hydrus"; + user = "hydrus"; + group = "hydrus"; + } + ]; + }; +} diff --git a/hosts/vps/services/maloja.nix b/hosts/vps/services/maloja.nix new file mode 100644 index 0000000..3d4530d --- /dev/null +++ b/hosts/vps/services/maloja.nix 
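Review bot: Both `clone-url` entries in the generated cgitrc look wrong for the deployment this commit builds: `ssh://git@tzlil.net:$CGIT_REPO_URL` puts the repository path where the ssh:// URL grammar expects a port, so git will not parse it as intended, and `http://$HTTP_HOST$SCRIPT_NAME/$CGIT_REPO_URL` advertises plaintext HTTP for a host whose Caddy already holds Let's Encrypt certificates (matrix.nix reads them from /var/lib/caddy). Use the scp-style form and https: `"https://$HTTP_HOST$SCRIPT_NAME/$CGIT_REPO_URL"` and `"git@tzlil.net:$CGIT_REPO_URL"`. `enable-git-config = 1` appears harmless here since `enable-filter-overrides` is not set, but a comment saying so would stop someone enabling overrides later without realising the about/source filters then become repo-controlled.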
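Review bot: `networking.firewall.allowedTCPPorts = [45869]` opens that port on every interface, whereas the web UI a few lines above is deliberately published only on `100.67.217.90:8080` (a CGNAT address, presumably the Tailscale one), so whatever hydrus listens on at 45869 — presumably its Client API — is reachable from the public side of this VPS while the UI is not. If it is only for tailnet clients, scope it: `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [45869];` (interface name assumed from mixins/tailscale.nix). The Xvnc `ExecStart` also passes `-securitytypes none`; `-localhost` keeps it off the network, but any local account, including the fcgiwrap user that runs CGI for anonymous web requests in git.nix, can attach to display :30 and drive the hydrus client. Finally, `security.lockKernelModules = lib.mkForce false` rolls back a host-wide hardening setting for one podman container and deserves a why-comment.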
@@ -0,0 +1,51 @@ +{ + pkgs, + config, + lib, + ... +}: { + config = { + users.groups.maloja = {}; + users.users.maloja = { + isSystemUser = true; + description = "maloja"; + group = "maloja"; + home = "/var/lib/maloja"; + }; + + security.lockKernelModules = lib.mkForce false; + virtualisation.oci-containers.containers.maloja = { + ports = ["42010:42010"]; + image = "krateng/maloja"; + volumes = [ + "/var/lib/maloja:/data" + ]; + environment = { + MALOJA_DATA_DIRECTORY = "/data"; + MALOJA_SKIP_SETUP = "True"; + MALOJA_NAME = "tzlil"; + MAlOJA_PROXY_IMAGES = "True"; + }; + }; + + # systemd.services.podman-maloja.serviceConfig.User = "maloja"; + # systemd.services.podman-maloja.serviceConfig.Group = "maloja"; + + networking.firewall.allowedTCPPorts = [42010]; + + environment.persistence."/nix/persist".directories = [ + { + directory = "/var/lib/maloja"; + user = "maloja"; + group = "maloja"; + } + ]; + + services.caddy = { + virtualHosts."fm.tzlil.net".extraConfig = '' + bind 0.0.0.0 + reverse_proxy :42010 + ''; + }; + }; +} diff --git a/hosts/vps/services/matrix.nix b/hosts/vps/services/matrix.nix new file mode 100644 index 0000000..e2aa1a5 --- /dev/null +++ b/hosts/vps/services/matrix.nix 
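Review bot: `ports = ["42010:42010"]` publishes the maloja container on all interfaces and `networking.firewall.allowedTCPPorts = [42010]` opens it to the world, so the service is reachable directly over plaintext HTTP, bypassing the `fm.tzlil.net` Caddy front this same file sets up. Bind the container to loopback and drop the firewall line: `ports = ["127.0.0.1:42010:42010"];` — Caddy's `reverse_proxy :42010` already targets localhost. The environment key `MAlOJA_PROXY_IMAGES` has a lowercase L, so that setting is never seen by maloja; it should read `MALOJA_PROXY_IMAGES = "True";`. As in hydrus.nix, `security.lockKernelModules = lib.mkForce false` is a host-wide hardening rollback for a single container and should carry a comment explaining why podman needs it.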
@@ -0,0 +1,159 @@ +{ + pkgs, + config, + lib, + ... +}: { + config = { + # services.matrix-synapse = { + # enable = true; + # settings.server_name = config.networking.domain; + # settings.listeners = [ + # { + # port = 8008; + # bind_addresses = ["::1"]; + # type = "http"; + # tls = false; + # x_forwarded = true; + # resources = [ + # { + # names = ["client" "federation"]; + # compress = true; + # } + # ]; + # } + # ]; + # }; + # networking.firewall.allowedTCPPorts = [80 443]; + + age.secrets.matrix = { + file = ../../secrets/matrix.age; + mode = "600"; + owner = "root"; + group = "root"; + }; + + services.dendrite = let + database_config = { + connection_string = "postgresql:///dendrite?host=/run/postgresql"; + max_open_conns = 10; + max_idle_conns = 5; + }; + in { + enable = true; + + loadCredential = ["private_key:${config.age.secrets.matrix.path}" "tlsCert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tzlil.net/tzlil.net.crt" "tlsKey:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tzlil.net/tzlil.net.key"]; + + # tlsCert = "$CREDENTIALS_DIRECTORY/tlsCert"; + # tlsKey = "$CREDENTIALS_DIRECTORY/tlsKey"; + + # httpPort = null; + # httpsPort = 8448; + + settings = { + global = { + server_name = "tzlil.net"; + private_key = "$CREDENTIALS_DIRECTORY/private_key"; + + # preserve across restarts + jetstream.storage_path = "/var/lib/dendrite/"; + + dns_cache = { + enabled = true; + cache_size = 4096; + cache_lifetime = "600s"; + }; + + presence = { + enable_inbound = true; + enable_outbound = true; + }; + + cache.max_size_estimated = "16gb"; + }; + federation_api.key_perspectives = [ + { + server_name = "matrix.org"; + keys = [ + { + key_id = "ed25519:auto"; + public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"; + } + { + key_id = "ed25519:a_RXGa"; + public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ"; + } + ]; + } + ]; + + app_service_api.database = database_config; + 
federation_api.database = database_config; + key_server.database = database_config; + media_api.database = database_config; + mscs.database = database_config; + room_server.database = database_config; + sync_api.database = database_config; + user_api.account_database = database_config; + user_api.device_database = database_config; + }; + }; + + systemd.services.dendrite.serviceConfig.ExecStart = lib.mkForce (lib.strings.concatStringsSep " " [ + "${pkgs.dendrite}/bin/dendrite" + "--config /run/dendrite/dendrite.yaml" + "--http-bind-address :8008" + "--https-bind-address :8448" + "--tls-cert $CREDENTIALS_DIRECTORY/tlsCert" + "--tls-key $CREDENTIALS_DIRECTORY/tlsKey" + ]); + + services.postgresql = { + enable = true; + ensureUsers = [ + { + name = "dendrite"; + ensurePermissions = { + "DATABASE dendrite" = "ALL PRIVILEGES"; + }; + } + ]; + + ensureDatabases = ["dendrite"]; + }; + + # not needed if i use /var/lib/private , DynamicUser can remap the permissions for the service + # systemd.services.dendrite.serviceConfig.User = "dendrite"; + # systemd.services.dendrite.serviceConfig.Group = "dendrite"; + environment.persistence."/nix/persist".directories = [ + { + directory = "/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}"; + user = "postgres"; + group = "postgres"; + } + + { + directory = "/var/lib/private/dendrite"; + user = "root"; + group = "root"; + } + ]; + + systemd.services.dendrite.after = ["postgresql.service"]; + + services.caddy = { + # for federation + virtualHosts."tzlil.net:8448".extraConfig = '' + reverse_proxy /_matrix/* localhost:8008 + ''; + # for clients + virtualHosts."tzlil.net".extraConfig = '' + reverse_proxy /_matrix/* localhost:8008 + header /.well-known/matrix/* Content-Type application/json + header /.well-known/matrix/* Access-Control-Allow-Origin * + respond /.well-known/matrix/server `{"m.server": "tzlil.net"}` + ''; + }; + networking.firewall.allowedTCPPorts = [8448]; + }; +} 
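Review bot: Port 8448 is bound twice on the new side: dendrite's forced `ExecStart` passes `--https-bind-address :8448`, and Caddy's `virtualHosts."tzlil.net:8448"` listens on the same port to proxy `/_matrix/*` to localhost:8008, so one of the two will fail to bind. The TLS path through dendrite is also fragile: `loadCredential` copies Caddy's ACME certificate and private key into the unit at start-up, so after Caddy renews, dendrite keeps serving the stale pair until it is restarted, and the site's private key now lives in two services. Since Caddy already terminates TLS and proxies federation, I would let dendrite speak plain HTTP on loopback only and drop the cert credentials; the firewall entry for 8448 then serves Caddy alone.
```nix
loadCredential = ["private_key:${config.age.secrets.matrix.path}"];
# … unchanged: settings …
systemd.services.dendrite.serviceConfig.ExecStart = lib.mkForce (lib.strings.concatStringsSep " " [
  "${pkgs.dendrite}/bin/dendrite"
  "--config /run/dendrite/dendrite.yaml"
  "--http-bind-address 127.0.0.1:8008"
]);
```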
diff --git a/hosts/vps/services/website.nix b/hosts/vps/services/website.nix new file mode 100644 index 0000000..5d1d48a --- /dev/null +++ b/hosts/vps/services/website.nix @@ -0,0 +1,139 @@ +{ + pkgs, + config, + lib, + ... +}: { + options.website.defaultHeaders = lib.mkOption { + type = lib.types.str; + default = '' + header { + -Server + -Date + -Last-Modified + -Etag + -Accept-Ranges + # disable indexing by search engines + + X-Robots-Tag "noindex, nofollow" + + # disable FLoC tracking + # Permissions-Policy interest-cohort=() + + # enable HSTS + # Strict-Transport-Security max-age=31536000; + + # disable clients from sniffing the media type + # X-Content-Type-Options nosniff + + # clickjacking protection + # X-Frame-Options DENY + + # keep referrer data off of HTTP connections + # Referrer-Policy no-referrer-when-downgrade + } + ''; + }; + config = { + services.caddy = { + enable = true; + virtualHosts = { + "tzlil.net".extraConfig = '' + bind 0.0.0.0 + handle_path / { + try_files ${pkgs.writeText "index.html" '' + +
+            ~?~+=I?~~IIIII++,:   .?= .,I=O8OZ.DNNO, ZD7:::=.? ,,:,,I,,:,~+?II?I?II?=+=~+7$ZO
+            ?==++??==+I???7..:.   :II$77?I+ID~NND8.ZMN7~=~I7:,., :?7,.,.~+?I???????,+~7+$ZOZ
+            7+===I+~===?I77:  ?   ,$7$.:.,I?=7NNNINMMMNOI=++ .~==I$7, ..++?I???I+=?.+:O+ZZOZ
+            ===++I+==?III??I,?,   ~I7NN,..  ??ONNNMMMD$777$7I$ZOO$7?....+=????I~=+,:+,O8DNMM
+            ~=~==7II=+I?II7I,I+,8Z.II8D+=~:.,7$NMMMMMN8$7~. ..  :88I. ..?=?++I:~+=.~~~NMMMNN
+            ~====II?I~+?I?$7I?~8D7+7$ZZNONDN8Z8NMMMMMMNNON:=. :,$.I7  .,+=??I:,=, .:,=DNNMMN
+            =+?==+==?~+=I?$$I+88D:I$8NMNDDNNNDNNNMMMMMMMMM8I$77=MMDO.  :~=+?,,,   .~,?8DDD8D
+            =~=+==I7I=IIIIO$=~OOD=I7ODNNNNMNNDNDNMMMMMMMMNO$O+OZ 78.,.I::++:..   .,::=888OOO
+            ===I=I?~=?I???$I$?OODZ=7Z8NDONNN7D88MMMMMMMMMMNNNN8DNN~..~:7,,+7?,:,:::+8=Z888OO
+            ~+===7?=??I????7Z7ZOD8I777$+NNN:OOZOMMMMMMMMMMMMMMNMM+..~=?=O:+?::=+~:~+IDD888OZ
+            I==II??=I???=::7OI?O88Z=I~,?ZDD,Z$IDMMMMMMMMMMMMMMMM:$$?.~?+=?:,~+?I??==+++I8OOO
+            ==+++??+=.,~,~:7Z$?7I77$=. $I$8I$7+~8NMMMMMMMMMMMMDDMN$ ,:+?=.~==?II+++=+=?II+OZ
+            ==+?+I?,=:+?=~~??I++~7$$$= 777Z,$Z$$ONNMMMMMMMMMMMMMM8? .~=?:.==+?I~+?=+=??II?I8
+            ?=+?I:=~??II=~~, II?+ 7$7?=?77$?$Z:8NMMMNMMMMMMMMMMMD7 ,,===::~=?II.??++?++III+~
+            ??+.I+I=+I+??=~=~ =I+:?7$77?$$$ZI7Z8DM7NMMNMMMMMMMMOI. .,=~~.~~+I?:???==~????II?
+            I??:==?I++I?~==+=~:.?I7I77$?IZ$ZODDOIDNNNNNMMMMNM8?.:. ,,+=,::~+==II=~,=?+?IIIII
+            ??I:?=,=+++?II+=:,:, +77777$$777ODDMMNO~DNNNDD8?..::: .,,+~.,::=??????=+?IIIII?I
+            ????++=~:=?IIIII=~:: ~~+II77$$7$ZO8NMMMND.+:   .=7+=~ ,,:?...~II??+??I?+??IIII?I
+            ??III7II+~:?II7+II?, ~,:,~7777$$$I$8DNMMNO   .~I  .Z:.,:~: ,+???+=,IIIIII??IIIII
+            ???I7I:,~=:,+II+=~I??:.,,,.:77777777$ODMM8 .:+ZI. ,~,..~~ :II?==~:?II??IIIIIIIII
+            No matter where you go, everyone's connected
+
+            my name is tzlil, i'm 18 and from israel
+            i currently work as a security researcher
+            but in a few months i will be drafted to the army
+
+            i like music https://fm.tzlil.net
+
+            my interests:
+            plan9
+            lambda calculus
+            functional programming
+            binary exploitation
+            keyboards and layouts
+            yggdrasil
+            nixos
+
+            my wares:
+            hard:
+              aurora lily58 with sunset kailh low profile
+              laptop(s):
+              - lenovo v14
+
+              phone:
+              - google pixel 7
+
+              OUT OF COMMISSION
+              desktop:
+              - amd ryzen 5 5600g
+
+            soft:
+              nixos
+              keepassxc
+              syncthing
+              tailscale (to mesh between my devices)
+              grapheneos
+              hydrus
+
+            ctfs i played in:
+              google ctf 2023 - 96th place (solo)
+              tfcctf 2022     - 4th place
+              google ctf 2022 - 100th place
+
+            contact info:
+            tzlil:tzlil.net
+            tzlils@protonmail.com
+            tzlil@irc.libera.chat
+
+            /cgit/ for repositories
+            
+ ''} / + file_server + } + ''; + }; + }; + networking.firewall.allowedTCPPorts = [80 443]; + + environment.persistence."/nix/persist".directories = [ + { + directory = "/var/lib/caddy"; + user = "caddy"; + group = "caddy"; + } + ]; + }; +} diff --git a/hosts/vps/website.nix b/hosts/vps/website.nix deleted file mode 100644 index 5d1d48a..0000000 --- a/hosts/vps/website.nix +++ /dev/null @@ -1,139 +0,0 @@ -{ - pkgs, - config, - lib, - ... -}: { - options.website.defaultHeaders = lib.mkOption { - type = lib.types.str; - default = '' - header { - -Server - -Date - -Last-Modified - -Etag - -Accept-Ranges - # disable indexing by search engines - - X-Robots-Tag "noindex, nofollow" - - # disable FLoC tracking - # Permissions-Policy interest-cohort=() - - # enable HSTS - # Strict-Transport-Security max-age=31536000; - - # disable clients from sniffing the media type - # X-Content-Type-Options nosniff - - # clickjacking protection - # X-Frame-Options DENY - - # keep referrer data off of HTTP connections - # Referrer-Policy no-referrer-when-downgrade - } - ''; - }; - config = { - services.caddy = { - enable = true; - virtualHosts = { - "tzlil.net".extraConfig = '' - bind 0.0.0.0 - handle_path / { - try_files ${pkgs.writeText "index.html" '' - -
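Review bot: The `website.defaultHeaders` default ships with every hardening header except `X-Robots-Tag` commented out — HSTS, `X-Content-Type-Options nosniff`, `X-Frame-Options DENY` and `Referrer-Policy` are all inert — while the comments above them read as if they were in force. For a site that also renders repository contents through cgit (git.nix injects this option into the same vhost), nosniff and frame denial are the ones that matter; I would uncomment `Strict-Transport-Security "max-age=31536000; includeSubDomains"`, `X-Content-Type-Options nosniff` and `X-Frame-Options DENY`, and use `Referrer-Policy strict-origin-when-cross-origin` rather than the suggested `no-referrer-when-downgrade`, which is the weakest policy browsers offer. Note also that this file's own `tzlil.net` vhost never references `${config.website.defaultHeaders}`; it gets the headers only because git.nix's `extraConfig` merges into the same site block, which is worth a comment beside the option so the coupling survives the next refactor.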
-            ~?~+=I?~~IIIII++,:   .?= .,I=O8OZ.DNNO, ZD7:::=.? ,,:,,I,,:,~+?II?I?II?=+=~+7$ZO
-            ?==++??==+I???7..:.   :II$77?I+ID~NND8.ZMN7~=~I7:,., :?7,.,.~+?I???????,+~7+$ZOZ
-            7+===I+~===?I77:  ?   ,$7$.:.,I?=7NNNINMMMNOI=++ .~==I$7, ..++?I???I+=?.+:O+ZZOZ
-            ===++I+==?III??I,?,   ~I7NN,..  ??ONNNMMMD$777$7I$ZOO$7?....+=????I~=+,:+,O8DNMM
-            ~=~==7II=+I?II7I,I+,8Z.II8D+=~:.,7$NMMMMMN8$7~. ..  :88I. ..?=?++I:~+=.~~~NMMMNN
-            ~====II?I~+?I?$7I?~8D7+7$ZZNONDN8Z8NMMMMMMNNON:=. :,$.I7  .,+=??I:,=, .:,=DNNMMN
-            =+?==+==?~+=I?$$I+88D:I$8NMNDDNNNDNNNMMMMMMMMM8I$77=MMDO.  :~=+?,,,   .~,?8DDD8D
-            =~=+==I7I=IIIIO$=~OOD=I7ODNNNNMNNDNDNMMMMMMMMNO$O+OZ 78.,.I::++:..   .,::=888OOO
-            ===I=I?~=?I???$I$?OODZ=7Z8NDONNN7D88MMMMMMMMMMNNNN8DNN~..~:7,,+7?,:,:::+8=Z888OO
-            ~+===7?=??I????7Z7ZOD8I777$+NNN:OOZOMMMMMMMMMMMMMMNMM+..~=?=O:+?::=+~:~+IDD888OZ
-            I==II??=I???=::7OI?O88Z=I~,?ZDD,Z$IDMMMMMMMMMMMMMMMM:$$?.~?+=?:,~+?I??==+++I8OOO
-            ==+++??+=.,~,~:7Z$?7I77$=. $I$8I$7+~8NMMMMMMMMMMMMDDMN$ ,:+?=.~==?II+++=+=?II+OZ
-            ==+?+I?,=:+?=~~??I++~7$$$= 777Z,$Z$$ONNMMMMMMMMMMMMMM8? .~=?:.==+?I~+?=+=??II?I8
-            ?=+?I:=~??II=~~, II?+ 7$7?=?77$?$Z:8NMMMNMMMMMMMMMMMD7 ,,===::~=?II.??++?++III+~
-            ??+.I+I=+I+??=~=~ =I+:?7$77?$$$ZI7Z8DM7NMMNMMMMMMMMOI. .,=~~.~~+I?:???==~????II?
-            I??:==?I++I?~==+=~:.?I7I77$?IZ$ZODDOIDNNNNNMMMMNM8?.:. ,,+=,::~+==II=~,=?+?IIIII
-            ??I:?=,=+++?II+=:,:, +77777$$777ODDMMNO~DNNNDD8?..::: .,,+~.,::=??????=+?IIIII?I
-            ????++=~:=?IIIII=~:: ~~+II77$$7$ZO8NMMMND.+:   .=7+=~ ,,:?...~II??+??I?+??IIII?I
-            ??III7II+~:?II7+II?, ~,:,~7777$$$I$8DNMMNO   .~I  .Z:.,:~: ,+???+=,IIIIII??IIIII
-            ???I7I:,~=:,+II+=~I??:.,,,.:77777777$ODMM8 .:+ZI. ,~,..~~ :II?==~:?II??IIIIIIIII
-            No matter where you go, everyone's connected
-
-            my name is tzlil, i'm 18 and from israel
-            i currently work as a security researcher
-            but in a few months i will be drafted to the army
-
-            i like music https://fm.tzlil.net
-
-            my interests:
-            plan9
-            lambda calculus
-            functional programming
-            binary exploitation
-            keyboards and layouts
-            yggdrasil
-            nixos
-
-            my wares:
-            hard:
-              aurora lily58 with sunset kailh low profile
-              laptop(s):
-              - lenovo v14
-
-              phone:
-              - google pixel 7
-
-              OUT OF COMMISSION
-              desktop:
-              - amd ryzen 5 5600g
-
-            soft:
-              nixos
-              keepassxc
-              syncthing
-              tailscale (to mesh between my devices)
-              grapheneos
-              hydrus
-
-            ctfs i played in:
-              google ctf 2023 - 96th place (solo)
-              tfcctf 2022     - 4th place
-              google ctf 2022 - 100th place
-
-            contact info:
-            tzlil:tzlil.net
-            tzlils@protonmail.com
-            tzlil@irc.libera.chat
-
-            /cgit/ for repositories
-            
- ''} / - file_server - } - ''; - }; - }; - networking.firewall.allowedTCPPorts = [80 443]; - - environment.persistence."/nix/persist".directories = [ - { - directory = "/var/lib/caddy"; - user = "caddy"; - group = "caddy"; - } - ]; - }; -} diff --git a/mixins/cli.nix b/mixins/cli.nix index 6fd5ce6..936098d 100644 --- a/mixins/cli.nix +++ b/mixins/cli.nix @@ -15,6 +15,7 @@ imports = [ inputs.viper-nix-common.homeModules.xdg ]; + programs.command-not-found.dbPath = inputs.programsdb.packages.${pkgs.system}.programs-sqlite; home = { packages = with pkgs; [ rsync diff --git a/profiles/core.nix b/profiles/core.nix deleted file mode 100644 index 4fefbdd..0000000 --- a/profiles/core.nix +++ /dev/null @@ -1,43 +0,0 @@ -{ - pkgs, - lib, - config, - inputs, - ... -}: { - # imports = [ - # ../profiles/security.nix - # ../profiles/network.nix - # ]; - config = { - # system.stateVersion = "22.5"; - # nix = { - # registry.nixpkgs.flake = inputs.nixpkgs; - # gc.automatic = true; - # optimise.automatic = true; - # settings = { - # allowed-users = ["root"]; - # trusted-users = ["root"]; - # sandbox = true; - # }; - # extraOptions = '' - # experimental-features = nix-command flakes - # ''; - # }; - # users.mutableUsers = false; - # environment.defaultPackages = lib.mkForce []; - - programs.command-not-found.dbPath = inputs.programsdb.packages.${pkgs.system}.programs-sqlite; - - # boot = { - # tmp.cleanOnBoot = true; - # kernelParams = [ - # "init_on_free=1" - # "page_poison=1" - # "page_alloc.shuffle=1" - # "slab_nomerge" - # "vsyscall=none" - # ]; - # }; - }; -} diff --git a/profiles/gentoo.nix b/profiles/gentoo.nix deleted file mode 100644 index 337a306..0000000 --- a/profiles/gentoo.nix +++ /dev/null 
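Review bot: The `programs.command-not-found.dbPath` line added to mixins/cli.nix lands in a home-manager module (the surrounding context is `imports` and `home = { packages = ... }`), where that option has no effect unless `programs.command-not-found.enable = true;` is also set; the NixOS module it was moved out of (profiles/core.nix, deleted in this same commit) is one where the feature defaults to enabled, so the relocation may silently turn command-not-found off for the user's shell. If `enable` is not set elsewhere in this file, add `programs.command-not-found.enable = true;` beside the new line. The database comes from the `programsdb` flake input, so its provenance rests on that input being pinned in the lockfile; a short comment naming what the input provides would help the next reader.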
@@ -1,37 +0,0 @@ -{ - pkgs, - lib, - config, - inputs, - ... -}: { - imports = []; - config = { - nix.binaryCaches = [ - "https://cache.nixos.org/" - "https://cache.allvm.org/" - ]; - - nix.binaryCachePublicKeys = [ - "gravity.cs.illinois.edu-1:yymmNS/WMf0iTj2NnD0nrVV8cBOXM9ivAkEdO1Lro3U=" - ]; - - nativeStdenv = - prev.stdenvAdapters.withCFlags ["-O3" "-pipe" "-march=native"] - (prev.overrideCC prev.llvmPackages_latest.stdenv - (prev.wrapCCWith rec { - cc = prev.llvmPackages_latest.clang-unwrapped; - bintools = final.wrapBintoolsWith { - coreutils = final.uutils-coreutils; - libc = final.musl; - bintools = - final.binutils-unwrapped.overrideAttrs - (old: { - postInstall = '' - ln -sf ${final.mold}/bin/mold $out/bin/ld - ''; - }); - }; - })); - }; -} diff --git a/profiles/impermanence.nix b/profiles/impermanence.nix index 5fdd9eb..c222a43 100644 --- a/profiles/impermanence.nix +++ b/profiles/impermanence.nix @@ -1,4 +1,5 @@ -{inputs, +{ + inputs, config, lib, options, @@ -20,8 +21,8 @@ in { [ ] ++ sshHostKeys - ++ (map (x: x + ".pub") sshHostKeys); + ++ (map (x: x + ".pub") sshHostKeys); }; - age.identityPaths = (map (x: "/nix/persist" + x) sshHostKeys); + age.identityPaths = map (x: "/nix/persist" + x) sshHostKeys; }; } diff --git a/profiles/stdenv.nix b/profiles/stdenv.nix new file mode 100644 index 0000000..337a306 --- /dev/null +++ b/profiles/stdenv.nix 
@@ -0,0 +1,37 @@ +{ + pkgs, + lib, + config, + inputs, + ... +}: { + imports = []; + config = { + nix.binaryCaches = [ + "https://cache.nixos.org/" + "https://cache.allvm.org/" + ]; + + nix.binaryCachePublicKeys = [ + "gravity.cs.illinois.edu-1:yymmNS/WMf0iTj2NnD0nrVV8cBOXM9ivAkEdO1Lro3U=" + ]; + + nativeStdenv = + prev.stdenvAdapters.withCFlags ["-O3" "-pipe" "-march=native"] + (prev.overrideCC prev.llvmPackages_latest.stdenv + (prev.wrapCCWith rec { + cc = prev.llvmPackages_latest.clang-unwrapped; + bintools = final.wrapBintoolsWith { + coreutils = final.uutils-coreutils; + libc = final.musl; + bintools = + final.binutils-unwrapped.overrideAttrs + (old: { + postInstall = '' + ln -sf ${final.mold}/bin/mold $out/bin/ld + ''; + }); + }; + })); + }; +} diff --git a/profiles/tzlil.nix b/profiles/tzlil.nix index 5e85f35..f2e2505 100644 --- a/profiles/tzlil.nix +++ b/profiles/tzlil.nix @@ -40,7 +40,6 @@ home-manager.users.tzlil = {pkgs, ...} @ hm: { home = { - stateVersion = "22.05"; username = "tzlil"; homeDirectory = "/home/tzlil"; sessionVariables.SSH_AUTH_SOCK = "/run/user/1000/ssh-agent"; @@ -60,9 +59,9 @@ Unit = { Description = "SSH Agent"; }; - Install = { - WantedBy = ["default.target"]; - }; + Install = { + WantedBy = ["default.target"]; + }; Service = { ExecStartPre = "${pkgs.coreutils}/bin/rm -f %t/ssh-agent"; ExecStart = -- cgit 1.4.1
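Review bot: profiles/stdenv.nix references `prev` and `final`, which are not bound by the module's argument set (`pkgs, lib, config, inputs, ...`), and puts `nativeStdenv` under `config`, which is not a NixOS option, so importing this file would fail at evaluation; this probably goes unnoticed only because nothing in the visible `commonProfiles` list imports it. The `nativeStdenv` expression reads as an overlay body and belongs in `nixpkgs.overlays = [ (final: prev: { nativeStdenv = ...; }) ]` rather than in `config`. `nix.binaryCaches` and `nix.binaryCachePublicKeys` are the pre-22.05 option names; the current ones are `nix.settings.substituters` and `nix.settings.trusted-public-keys`. Listing `https://cache.allvm.org/` with its public key means any store path signed by that key is accepted as a substitute, so the entry deserves a comment stating why that cache is trusted and which packages it is expected to serve.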