diff --git a/README.md b/README.md index a3071c5..c203603 100644 --- a/README.md +++ b/README.md @@ -58,6 +58,10 @@ I have made a few commands for post installation (and for an iso installer to us ## Technical details +### Project structure + +The project is set up to + ### [Home manager](https://github.com/nix-community/home-manager) Home manager is imported as a module within the global configuration, it is therefor not needed to build home-manager packages separately in this configuration. On multi user systems it might be useful to pull the home-manager configurations from separate repos for different users, so you don't have to give your users access to the global configuration. diff --git a/flake.lock b/flake.lock index 401d4d2..3528af8 100644 --- a/flake.lock +++ b/flake.lock @@ -89,11 +89,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1772153824, - "narHash": "sha256-T65qXmlcD9qFpPTi+mOXsn4dIkO2N8Ls67nqmuzepv0=", + "lastModified": 1773146250, + "narHash": "sha256-azzOjRqTxAqByzRP87jUUsmfOQ85i7h/YkrgTX0jZgg=", "owner": "catppuccin", "repo": "nix", - "rev": "4b0f5b7bf7b3eeb484d49524f3c9791864ab9362", + "rev": "0fa0d06dd3cd09f37f76d19b389d7ff947dfd7e8", "type": "github" }, "original": { @@ -139,11 +139,11 @@ ] }, "locked": { - "lastModified": 1772420042, - "narHash": "sha256-naZz40TUFMa0E0CutvwWsSPhgD5JldyTUDEgP9ADpfU=", + "lastModified": 1773025010, + "narHash": "sha256-khlHllTsovXgT2GZ0WxT4+RvuMjNeR5OW0UYeEHPYQo=", "owner": "nix-community", "repo": "disko", - "rev": "5af7af10f14706e4095bd6bc0d9373eb097283c6", + "rev": "7b9f7f88ab3b339f8142dc246445abb3c370d3d3", "type": "github" }, "original": { 
@@ -306,11 +306,11 @@ ] }, "locked": { - "lastModified": 1769939035, - "narHash": "sha256-Fok2AmefgVA0+eprw2NDwqKkPGEI5wvR+twiZagBvrg=", + "lastModified": 1772893680, + "narHash": "sha256-JDqZMgxUTCq85ObSaFw0HhE+lvdOre1lx9iI6vYyOEs=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "a8ca480175326551d6c4121498316261cbb5b260", + "rev": "8baab586afc9c9b57645a734c820e4ac0a604af9", "type": "github" }, "original": { @@ -389,11 +389,11 @@ ] }, "locked": { - "lastModified": 1772633327, - "narHash": "sha256-jl+DJB2DUx7EbWLRng+6HNWW/1/VQOnf0NsQB4PlA7I=", + "lastModified": 1773286336, + "narHash": "sha256-+yFtmhOHterllxWmV6YbdevTXpJdGS0mS0UmJ0k9fh0=", "owner": "nix-community", "repo": "home-manager", - "rev": "5a75730e6f21ee624cbf86f4915c6e7489c74acc", + "rev": "7d06e0cefe6e4a1e85b2b3274dcb0b3da242a557", "type": "github" }, "original": { @@ -409,11 +409,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1772517207, - "narHash": "sha256-qxHfxqbigqBTn//U4leIS5he22Wp1GS0+zmwGV7Pozs=", + "lastModified": 1773237643, + "narHash": "sha256-L1/RhR9gBGon3+vUwt8LxFnkwBqZMNdQTHnjwGodjtw=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "7ca1501c2d80900b5967baea4d42581f84b388dd", + "rev": "cff48bb8dad9d56abd761825d02b892c543a1f38", "type": "github" }, "original": { @@ -472,11 +472,11 @@ ] }, "locked": { - "lastModified": 1772341813, - "narHash": "sha256-/PQ0ubBCMj/MVCWEI/XMStn55a8dIKsvztj4ZVLvUrQ=", + "lastModified": 1772945408, + "narHash": "sha256-PMt48sEQ8cgCeljQ9I/32uoBq/8t8y+7W/nAZhf72TQ=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "a2051ff239ce2e8a0148fa7a152903d9a78e854f", + "rev": "1c1d8ea87b047788fd7567adf531418c5da321ec", "type": "github" }, "original": { 
@@ -523,11 +523,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1771969195, - "narHash": "sha256-qwcDBtrRvJbrrnv1lf/pREQi8t2hWZxVAyeMo7/E9sw=", + "lastModified": 1772972630, + "narHash": "sha256-mUJxsNOrBMNOUJzN0pfdVJ1r2pxeqm9gI/yIKXzVVbk=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "41c6b421bdc301b2624486e11905c9af7b8ec68e", + "rev": "3966ce987e1a9a164205ac8259a5fe8a64528f72", "type": "github" }, "original": { @@ -539,11 +539,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1771848320, - "narHash": "sha256-0MAd+0mun3K/Ns8JATeHT1sX28faLII5hVLq0L3BdZU=", + "lastModified": 1772773019, + "narHash": "sha256-E1bxHxNKfDoQUuvriG71+f+s/NT0qWkImXsYZNFFfCs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2fc6539b481e1d2569f25f8799236694180c0993", + "rev": "aca4d95fce4914b3892661bcb80b8087293536c6", "type": "github" }, "original": { @@ -555,11 +555,11 @@ }, "nixpkgs-edge": { "locked": { - "lastModified": 1772650872, - "narHash": "sha256-3ntx/EmA6eaMLYX0nGXCXm75YdCbyfEO2eJopgZuKrk=", + "lastModified": 1773321471, + "narHash": "sha256-H8Rxavz5NavZFNEBRR5nUdGtwipp5R+uE0i7sZ9RAek=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "468dfc97e8f0b074cba09361bceeacdd87893060", + "rev": "eea6fb66b4f4a7abe59b10be3875cd87fba366f5", "type": "github" }, "original": { @@ -570,11 +570,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1772542754, - "narHash": "sha256-WGV2hy+VIeQsYXpsLjdr4GvHv5eECMISX1zKLTedhdg=", + "lastModified": 1773122722, + "narHash": "sha256-FIqHByVqxCprNjor1NqF80F2QQoiiyqanNNefdlvOg4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "8c809a146a140c5c8806f13399592dbcb1bb5dc4", + "rev": "62dc67aa6a52b4364dd75994ec00b51fbf474e50", "type": "github" }, "original": { 
@@ -618,11 +618,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1772542754, - "narHash": "sha256-WGV2hy+VIeQsYXpsLjdr4GvHv5eECMISX1zKLTedhdg=", + "lastModified": 1773122722, + "narHash": "sha256-FIqHByVqxCprNjor1NqF80F2QQoiiyqanNNefdlvOg4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "8c809a146a140c5c8806f13399592dbcb1bb5dc4", + "rev": "62dc67aa6a52b4364dd75994ec00b51fbf474e50", "type": "github" }, "original": { @@ -634,11 +634,11 @@ }, "nixpkgs_5": { "locked": { - "lastModified": 1770650459, - "narHash": "sha256-hGeOnueXorzwDD1V9ldZr+y+zad4SNyqMnQsa/mIlvI=", + "lastModified": 1773046814, + "narHash": "sha256-3CEw64UyzEk5QjfbcXNIl4TfmIpa2oY+duuo6aiawcU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fff0554c67696d76a0cdd9cfe14403fbdbf1f378", + "rev": "0c6c0dd2469abaa216599bb19bbf77a328af6564", "type": "github" }, "original": { @@ -650,11 +650,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1772173633, - "narHash": "sha256-MOH58F4AIbCkh6qlQcwMycyk5SWvsqnS/TCfnqDlpj4=", + "lastModified": 1772736753, + "narHash": "sha256-au/m3+EuBLoSzWUCb64a/MZq6QUtOV8oC0D9tY2scPQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c0f3d81a7ddbc2b1332be0d8481a672b4f6004d6", + "rev": "917fec990948658ef1ccd07cef2a1ef060786846", "type": "github" }, "original": { @@ -855,11 +855,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1772636567, - "narHash": "sha256-1QlCWLQ5mhkbViPhOxkaW7ifp+IEiYFg7KgMDK0Uvm4=", + "lastModified": 1773319868, + "narHash": "sha256-r9pCiDafaa7CEUjYpz5976svX7KGsDV8MI0Yh8K5WXg=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "e1afec5b08a82092271376b4fc909c91de89e260", + "rev": "86579c67151f83e1ca6e8101a6ab8adfe8e78484", "type": "gitlab" }, "original": { 
@@ -874,11 +874,11 @@
"nixpkgs": "nixpkgs_6"
},
"locked": {
- "lastModified": 1772495394,
- "narHash": "sha256-hmIvE/slLKEFKNEJz27IZ8BKlAaZDcjIHmkZ7GCEjfw=",
+ "lastModified": 1773096132,
+ "narHash": "sha256-M3zEnq9OElB7zqc+mjgPlByPm1O5t2fbUrH3t/Hm5Ag=",
"owner": "Mic92",
"repo": "sops-nix",
- "rev": "1d9b98a29a45abe9c4d3174bd36de9f28755e3ff",
+ "rev": "d1ff3b1034d5bab5d7d8086a7803c5a5968cd784",
"type": "github"
},
"original": {
@@ -1053,11 +1053,11 @@
"rust-overlay": "rust-overlay_2"
},
"locked": {
- "lastModified": 1771148613,
- "narHash": "sha256-nLzdw8jskekSRrunxBDCA0NCHr/2aJjcXqZ1Fcqm5eY=",
+ "lastModified": 1773119656,
+ "narHash": "sha256-AE6SthrvDyUU70myW7wAq4mzQbtmK5Spng7Y/OdCdhI=",
"owner": "dj95",
"repo": "zjstatus",
- "rev": "7a039f56da80681408454d6e175fde3f54b9e592",
+ "rev": "e80d508ffbff6ab6b39a481ae9986109d3c313ac",
"type": "github"
},
"original": {
diff --git a/home-manager/desktop/package-configs/plasma-desktop/default.nix b/home-manager/desktop/package-configs/plasma-desktop/default.nix
index cf7da00..73021f0 100644
--- a/home-manager/desktop/package-configs/plasma-desktop/default.nix
+++ b/home-manager/desktop/package-configs/plasma-desktop/default.nix
@@ -16,10 +16,10 @@
WantedBy = ["default.target"];
};
Service = {
- Type = "OneShot";
+ Type = "oneshot";
ExecStart = "${pkgs.writeShellScript "set-kde-connect-commands" ''
#!/run/current-system/sw/bin/bash
- find ${config.home.homeDirectory}/.config/kdeconnect/ -type d -name 'kdeconnect_runcommand' -execdir mkdir -p {}/config \; -execdir cp ${builtins.toPath ./kde-connect-commands} {}/config \;
+ find ${config.home.homeDirectory}/.config/kdeconnect/ -type d -name 'kdeconnect_runcommand' -execdir mkdir -p {}/config \; -execdir cp -rf ${builtins.toPath ./kde-connect-commands} {}/config \; -execdir chmod --recursive +rwx {}/config/ \;
''}";
RemainAfterExit = true;
};
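Review bot: `chmod --recursive +rwx {}/config/` on the new find line grants bits relative to the process umask, so the copied kdeconnect_runcommand config files end up with the execute bit set and, under a typical 022 umask, readable by group and others; the store copies are read-only so only the owner write bit is actually missing. Prefer `-execdir chmod --recursive u+rwX {}/config/ \;`, which makes the files writable for the next `cp -rf` overwrite without marking data files executable or widening who can read them. The enclosing systemd user unit definition starts before this hunk.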
@@ -309,7 +309,13 @@
"services/services.services.org.kde.spectacle.desktop"."_launch" = "Print";
};
configFile = {
- kwinrc.Plugins.rememberwindowpositionsEnabled = true;
+ kwinrc = {
+ Plugins.rememberwindowpositionsEnabled = true;
+ Script-rememberwindowpositions = {
+ restoreType = 3;
+ whitelist = "org.mozilla.firefox\nfirefox\nlibrewolf\nkonsole\nvesktop\nsignal-dekstop\nthunderbird";
+ };
+ };
};
};
}
diff --git a/home-manager/hosts/GLaDOS/lillian.nix b/home-manager/hosts/GLaDOS/lillian.nix
index 4ac2123..3d0af5d 100644
--- a/home-manager/hosts/GLaDOS/lillian.nix
+++ b/home-manager/hosts/GLaDOS/lillian.nix
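Review bot: The `whitelist` in the added `Script-rememberwindowpositions` block contains `signal-dekstop`, which looks like a misspelling of `signal-desktop`; the entries are presumably matched against window classes as literal strings, so the Signal entry would silently never match. Change it to `...\nvesktop\nsignal-desktop\nthunderbird`. Writing the list as `lib.concatStringsSep "\n" ["org.mozilla.firefox" "firefox" ...]` would put one entry per line and make this kind of typo easier to spot in a diff.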
@@ -39,6 +39,25 @@ # enableSessionWide = true; }; + programs.plasma.configFile.kwinrc = { + "Tiling/Desktop_1/593113fc-a693-4eb3-acfd-6048b9bcfffd".padding = 0; + "Tiling/Desktop_1/593113fc-a693-4eb3-acfd-6048b9bcfffd".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}"; + "Tiling/Desktop_1/98696f59-53d4-4598-8e46-1a0feee68c27".padding = 0; + "Tiling/Desktop_1/98696f59-53d4-4598-8e46-1a0feee68c27".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}"; + "Tiling/Desktop_2/593113fc-a693-4eb3-acfd-6048b9bcfffd".padding = 0; + "Tiling/Desktop_2/593113fc-a693-4eb3-acfd-6048b9bcfffd".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}"; + "Tiling/Desktop_2/98696f59-53d4-4598-8e46-1a0feee68c27".padding = 0; + "Tiling/Desktop_2/98696f59-53d4-4598-8e46-1a0feee68c27".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}"; + "Tiling/Desktop_3/593113fc-a693-4eb3-acfd-6048b9bcfffd".padding = 0; + "Tiling/Desktop_3/593113fc-a693-4eb3-acfd-6048b9bcfffd".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}"; + "Tiling/Desktop_3/98696f59-53d4-4598-8e46-1a0feee68c27".padding = 0; + "Tiling/Desktop_3/98696f59-53d4-4598-8e46-1a0feee68c27".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}"; + "Tiling/Desktop_4/593113fc-a693-4eb3-acfd-6048b9bcfffd".padding = 0; + "Tiling/Desktop_4/593113fc-a693-4eb3-acfd-6048b9bcfffd".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}"; + "Tiling/Desktop_4/98696f59-53d4-4598-8e46-1a0feee68c27".padding = 0; + "Tiling/Desktop_4/98696f59-53d4-4598-8e46-1a0feee68c27".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}"; + }; + # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion home.stateVersion = "26.05"; } 
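Review bot: The sixteen `Tiling/Desktop_N/<output-id>` entries repeat the same `padding = 0` and the same hand-escaped JSON string eight times, so a layout change must be made in eight places and the escaped string is easy to get wrong. Generate the attribute set from the two output ids and the four desktop numbers with `builtins.listToAttrs`, and let `builtins.toJSON` produce the tiles string instead of escaping it by hand (see below). `toJSON` emits attribute names in sorted order, so the result should be byte-identical to the literal, but verify the generated kwinrc once before relying on it.
```nix
programs.plasma.configFile.kwinrc = let
  outputIds = [
    "593113fc-a693-4eb3-acfd-6048b9bcfffd"
    "98696f59-53d4-4598-8e46-1a0feee68c27"
  ];
  desktops = builtins.genList (i: i + 1) 4;
  # Two equal-width columns; toJSON yields the same string as the former literal.
  tiles = builtins.toJSON {
    layoutDirection = "horizontal";
    tiles = [{width = 0.5;} {width = 0.5;}];
  };
in
  builtins.listToAttrs (builtins.concatMap (d:
    map (o: {
      name = "Tiling/Desktop_${toString d}/${o}";
      value = {
        padding = 0;
        inherit tiles;
      };
    })
    outputIds)
  desktops);
```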
diff --git a/modules/nixos/preservation/default.nix b/modules/nixos/preservation/default.nix
new file mode 100644
index 0000000..234f137
--- /dev/null
+++ b/modules/nixos/preservation/default.nix
@@ -0,0 +1,208 @@ +{ lib, config, ...}: +let cfg = config.preservationSetup; in { + options = { + preservationSetup.enable = lib.mkEnableOption "Enable setup of preservation of files in /persistent"; + global.desktop = lib.mkOption { + type = lib.types.bool; + default = false; + description = "Whether or not we should make desktop preservation files."; + }; + global.server = lib.mkOption { + type = lib.types.bool; + default = false; + description = "Whether or not we should make server preservation files."; + }; + }; + + config = lib.mkIf cfg.enable { + + preservation = { + # the module doesn't do anything unless it is enabled + enable = true; + + preserveAt."/persistent" = { + # preserve system directories + directories = [ + #Shared + "/var/lib/sbctl" + "/var/lib/bluetooth" + "/var/lib/fprint" + "/var/lib/fwupd" + "/var/lib/libvirt" + "/var/lib/tpm2-tss" + "/var/lib/tpm2-udev-trigger" + "/var/lib/power-profiles-daemon" + "/var/lib/systemd/coredump" + "/var/lib/systemd/rfkill" + "/var/lib/systemd/timers" + "/var/log" + { + directory = "/var/lib/nixos"; + inInitrd = true; + } + { + directory = "/var/secrets"; + inInitrd = true; + } + ] ++ lib.mkIf (cfg.desktop == true) [ + #Desktop + "/var/lib/decky-loader" + "/var/lib/flatpak" + ] ++ lib.mkIf (cfg.server == true) [ + #Server + "/var/lib/continuwuity" + "/var/lib/dhcpcd" + "/var/lib/docker" + "/var/lib/dovecot" + "/var/lib/forgejo" + "/var/lib/gotosocial" + "/var/lib/grafana" + "/var/lib/jellyfin" + "/var/lib/media" + "/var/lib/mollysocket" + "/var/lib/private" + "/var/lib/mysql" + "/var/lib/nextcloud" + "/var/lib/onlyoffice" + "/var/lib/postfix" + "/var/lib/postgresql" + "/var/lib/prometheus2" + "/var/lib/rabbitmq" + "/var/lib/redis-nextcloud" + "/var/lib/redis-rspamd" + "/var/lib/secrets" + "/var/lib/writefreely" + "/var/db" + "/var/dkim" + "/var/secrets" + "/var/sieve" + "/var/vmail" + "/var/mysql" + ]; + + # preserve system files + files = [ + { + file = "/etc/machine-id"; + inInitrd = true; + how = "symlink"; 
+ } + "/var/lib/usbguard/rules.conf" + + # creates a symlink on the volatile root + # creates an empty directory on the persistent volume, i.e. /persistent/var/lib/systemd + # does not create an empty file at the symlink's target (would require `createLinkTarget = true`) + { + file = "/var/lib/systemd/random-seed"; + how = "symlink"; + inInitrd = true; + configureParent = true; + } + "/var/lib/systemd/tpm2-srk-public-key.pem" + "/var/lib/systemd/tpm2-srk-public-key.tpm2b_public" + ]; + + # preserve user-specific files, implies ownership + users = { + lillian = { + commonMountOptions = [ + "x-gvfs-hide" + ]; + directories = [ + { + directory = ".ssh"; + mode = "0700"; + } + ] ++ lib.mkIf (cfg.desktop == true) [ + #Desktop + ".local/state/wireplumber" + ".local/share/direnv" + ".local/state/nix" + ".local/state/comma" + ".local/state/home-manager" + ".local/share/PrismLauncher" + ".local/share/qBittorrent" + ".local/share/kwalletd" + ".local/share/kwin" #TODO: add the window script via nix instead of saving it imperatively and keeping it + ".local/share/lutris" + ".local/share/Nextcloud" + ".local/share/Steam" + ".local/share/zoxide" + ".local/share/flatpak" + ".local/share/applications" + ".local/share/firefoxpwa/" + ".local/share/zoxide" + ".mozilla" + ".steam" + ".zsh" + ".pki" + ".tldrc" + ".thunderbird" + "Code" + "Writing" + "Games" + ".config/kdeconnect" + ".config/Nextcloud" + ".config/noisetorch" + ".config/qBittorrent" + ".config/r2modman" + ".config/r2modmanPlus-local" + ".config/Ryujinx" + ".config/Signal" + ".config/sops" + ".config/vesktop" + ".config/kde.org" + ]; + #Shared + files = [ + ".z" + ".zsh_history" + ]; + }; + root = { + # specify user home when it is not `/home/${user}` + home = "/root"; + directories = [ + { + directory = ".ssh"; + mode = "0700"; + } + ]; + }; + }; + }; + }; + systemd.services.systemd-machine-id-commit = { + unitConfig.ConditionPathIsMountPoint = [ + "" + "/persistent/etc/machine-id" + ]; + serviceConfig.ExecStart = [ + "" 
+ "systemd-machine-id-setup --commit --root /persistent" + ]; + }; + systemd.tmpfiles.settings.preservation = { + "/home/lillian/.config".d = { + user = "lillian"; + group = "users"; + mode = "0755"; + }; + "/home/lillian/.local".d = { + user = "lillian"; + group = "users"; + mode = "0755"; + }; + "/home/lillian/.local/share".d = { + user = "lillian"; + group = "users"; + mode = "0755"; + }; + "/home/lillian/.local/state".d = { + user = "lillian"; + group = "users"; + mode = "0755"; + }; + }; + }; +} diff --git a/modules/nixos/shared-packages/default.nix b/modules/nixos/shared-packages/default.nix new file mode 100644 index 0000000..afad336 --- /dev/null +++ b/modules/nixos/shared-packages/default.nix 
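Review bot: `cfg.desktop` and `cfg.server` are read in the three `lib.mkIf` guards on the `directories` lists, but `cfg` is `config.preservationSetup`, which only declares `enable`; the flags are declared as `global.desktop` / `global.server`, so evaluation fails on a missing attribute as soon as the module is enabled. Independently, `list ++ lib.mkIf cond list` is a type error — `mkIf` returns an attribute set, not a list, and `++` is evaluated before the module system ever sees it — so each guard should read `] ++ lib.optionals config.global.desktop [` (and `config.global.server`); the same two mistakes recur in modules/nixos/shared-packages/default.nix. Once that evaluates, `"/var/secrets"` appears both in the shared block (with `inInitrd = true`) and in the server block, and `".local/share/zoxide"` twice in the lillian list; the duplicates are at best redundant and worth removing. The tmpfiles entries create `/home/lillian/.config` and `.local/*` with mode `0755` although persisted children such as `.config/sops` and `.config/Signal` plausibly hold key material; unless something relies on other users traversing those directories, `0700` is the safer parent mode.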
@@ -0,0 +1,159 @@ +{ + outputs, + pkgs, + pkgs-edge, + lib, + config, + ... +}: +let cfg = config.sharedPackages; in { + options = { + sharedPackages.enable = lib.mkEnableOption "Whether or not to install shared packages and settings"; + global.desktopPackages = lib.mkOption { + type = lib.types.bool; + default = false; + description = "Whether or not to install shared desktop packages and settings."; + }; + global.serverPackages = lib.mkOption { + type = lib.types.bool; + default = false; + description = "Whether or not to install shared server packages and settings."; + }; + }; + + config = lib.mkIf cfg.enable { + imports = [] ++ lib.mkIf (cfg.desktopPackages == true) [ + ./desktop-settings + ] ++ lib.mkIf (cfg.serverPackages == true) [ + ./server-settings + ]; + nixpkgs = { + # You can add overlays here + overlays = [ + # Add overlays your own flake exports (from overlays and pkgs dir): + outputs.overlays.additions + outputs.overlays.modifications + ]; + }; + + environment.systemPackages = + (with pkgs; [ + # Custom tools + rebuild + rebuild-no-inhibit + install-nix + install-nix-no-inhibit + update + upgrade + simple-completion-language-server + + # System tools + age + alejandra + e2fsprogs + # uutils-findutils + git + git-filter-repo + pre-commit + helix + home-manager + htop + just + killall + oh-my-zsh + rsync + tre-command + wget + zsh + tldr + nmap + knot-dns + libressl + nettools + starship + + # System libraries + ] ++ lib.mkIf (cfg.desktop == true) [ + # Custom tools + dvd + dvt + servo + restart + + # System tools + aha + ttf-ms-win10 + wineWow64Packages.stable + bottles + tpm2-abrmd + jdk21_headless + #bcachefs-tools + clinfo + direnv + exfat + exfatprogs + gamemode + git-filter-repo + gnupg + pciutils + podman + podman-compose + python3Minimal + sbctl + tpm2-tools + tpm2-tss + virtualgl + vulkan-tools + # waydroid + waypipe + wayland-utils + yubikey-personalization + zsh + + # KDE/QT + kdePackages.plasma-desktop + 
kdePackages.plasma-wayland-protocols + kdePackages.libplasma + kdePackages.plasma-integration + kdePackages.plasma-activities + kdePackages.plasma-workspace + kdePackages.discover + kdePackages.filelight + kdePackages.kcalc + kdePackages.kdepim-addons + kdePackages.kirigami + kdePackages.kdeconnect-kde + kdePackages.konsole + # kdePackages.krunner-ssh + # kdePackages.krunner-symbols + kdePackages.packagekit-qt + kdePackages.plasma-pa + kdePackages.sddm-kcm + kdePackages.dolphin-plugins + kdePackages.qtstyleplugin-kvantum + kdePackages.krdc + kdePackages.krfb + kdePackages.kate + kdePackages.qrca + libportal-qt5 + libportal + + # User tools + freetube + noisetorch + qjackctl + wireplumber + intiface-central + #rustdesk + ] + + ) + ++ (with pkgs-edge; [ + # list of latest packages from nixpkgs master + # Can be used to install latest version of some packages + ] ++ lib.mkIf (cfg.desktop == true) [ + kdePackages.plasma-vault + ] + ); +}; +} diff --git a/modules/nixos/shared-packages/desktop-settings/default.nix b/modules/nixos/shared-packages/desktop-settings/default.nix new file mode 100644 index 0000000..7935bf4 --- /dev/null +++ b/modules/nixos/shared-packages/desktop-settings/default.nix 
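Review bot: `imports` is set inside `config = lib.mkIf cfg.enable { ... }`, which the module system rejects — `imports` is not an option and is only honoured at the top level of a module, where it may not depend on `config` — so this file fails to evaluate regardless of the `++ lib.mkIf` list problem it shares with the preservation module. Move `imports = [./desktop-settings ./server-settings];` to the top level and gate the contents of those two modules with `lib.mkIf config.global.desktopPackages` / `lib.mkIf config.global.serverPackages` inside each of them. Note also that the package-list guards read `cfg.desktop` while the declared option is `global.desktopPackages`, so with `cfg = config.sharedPackages` they should read `lib.optionals config.global.desktopPackages [`.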
@@ -0,0 +1,144 @@ +{ + pkgs, + lib, + config, + ... +}: { + imports = [ + ./firefox + ]; + services.udev.extraRules = '' + KERNEL=="hidraw*", ATTRS{idVendor}=="057e", MODE="0660", TAG+="uaccess" + KERNEL=="hidraw*", KERNELS=="*057e:*", MODE="0660", TAG+="uaccess" + KERNEL=="hidraw*", ATTRS{idVendor}=="2dc8", MODE="0660", TAG+="uaccess" + KERNEL=="hidraw*", KERNELS=="*2DC8:*", MODE="0660", TAG+="uaccess" + KERNEL=="hidraw*", ATTRS{idProduct}=="6012", ATTRS{idVendor}=="2dc8", MODE="0660", TAG+="uaccess" + KERNEL=="hidraw*", KERNELS=="*2DC8:6012*", MODE="0660", TAG+="uaccess" + ''; + + fonts.packages = [pkgs.ttf-ms-win10]; + + programs = { + # Allow executing of anything on the system with a , eg: , python executes python from the nix store even if not in $PATH currently + command-not-found.enable = lib.mkForce false; + # nix-index.enable = true; + nix-index-database.comma.enable = true; + + direnv = { + enable = true; + }; + + # steam = { + # enable = true; + # remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play + # dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server + # extest.enable = true; + # }; + kdeconnect.enable = true; + + noisetorch = { + enable = true; + }; + }; + + xdg.portal.enable = true; + + # Enable networking + networking.networkmanager.enable = true; # Enables support for 32bit libs that steam uses + + # Set your time zone. + time.timeZone = "Europe/Amsterdam"; + services = { + # Enable the X11 windowing system. + xserver.enable = true; + + # Enable the KDE Plasma Desktop Environment. 
+ # displayManager.sddm = { + # enable = true; + # wayland.enable = true; + # }; + displayManager.defaultSession = lib.mkDefault "plasma"; + desktopManager.plasma6.enable = true; + desktopManager.plasma6.notoPackage = pkgs.atkinson-hyperlegible; + + # Enable flatpak support + flatpak.enable = true; + packagekit.enable = true; + + # Configure keymap in X11 + xserver.xkb = { + layout = "us"; + variant = ""; + options = "terminate:ctrl_alt_bksp,compose:caps_toggle"; + }; + + # Enable CUPS to print documents. + printing.enable = true; + + # Enable fwupd daemon and user space client + fwupd.enable = true; + pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + jack.enable = true; + wireplumber.enable = true; + }; + + avahi = { + nssmdns4 = true; + enable = true; + ipv4 = true; + ipv6 = true; + publish = { + enable = true; + addresses = true; + workstation = true; + }; + }; + }; + hardware = { + graphics.enable32Bit = true; + + # Enable bluetooth hardware + bluetooth.enable = true; + }; + security.rtkit.enable = true; + + services.pulseaudio.enable = false; + virtualisation.podman = { + enable = true; + dockerCompat = true; + }; + security.tpm2 = { + enable = true; + pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so + tctiEnvironment.enable = true; + }; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables + users.users.lillian.extraGroups = ["tss"]; + boot = { + # tss group has access to TPM devices + bootspec.enable = true; + binfmt.emulatedSystems = ["aarch64-linux"]; + #boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; + #boot.supportedFilesystems = ["bcachefs"]; + extraModulePackages = with config.boot.kernelPackages; [v4l2loopback.out]; + kernelModules = [ + # Virtual Camera + "v4l2loopback" + # Virtual Microphone, built-in + "snd-aloop" + ]; + + # Set initial kernel module settings + extraModprobeConfig = '' + # exclusive_caps: Skype, Zoom, Teams etc. 
will only show device when actually streaming + # card_label: Name of virtual camera, how it'll show up in Skype, Zoom, Teams + # https://github.com/umlaeute/v4l2loopback + options v4l2loopback exclusive_caps=1 card_label="Virtual Camera" + ''; + loader.systemd-boot.configurationLimit = 3; + loader.efi.canTouchEfiVariables = true; +}; +} diff --git a/modules/nixos/shared-packages/desktop-settings/firefox/default.nix b/modules/nixos/shared-packages/desktop-settings/firefox/default.nix new file mode 100644 index 0000000..c57887f --- /dev/null +++ b/modules/nixos/shared-packages/desktop-settings/firefox/default.nix 
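Review bot: Two comments in the new file describe a different line than the one they sit on: `# Enables support for 32bit libs that steam uses` trails `networking.networkmanager.enable = true;` but describes `hardware.graphics.enable32Bit = true;`, and `# tss group has access to TPM devices` opens the `boot = {` block but describes `users.users.lillian.extraGroups = ["tss"];`. Move each comment onto the line it documents. The `command-not-found` comment reads awkwardly because the runner's name is the `,` character; quoting it helps, e.g. `# nix-index's comma runner: ", python" runs python from the nix store even when it is not in $PATH`. Separately, `users.users.lillian.extraGroups` hard-codes one user in a module meant to be shared desktop settings; if the module is intended to be reusable, take the user name from an option.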
@@ -0,0 +1,182 @@ +{pkgs, ...}: { + programs.firefox = { + enable = true; + package = pkgs.librewolf; + policies = { + DisableTelemetry = true; + DisableFirefoxStudies = true; + DisablePocket = true; + DisableFirefoxAccounts = true; + DisableAccounts = true; + DisableProfileImport = true; + OverrideFirstRunPage = ""; + OverridePostUpdatePage = ""; + DontCheckDefaultBrowser = true; + DisplayBookmarksToolbar = "newtab"; + ManualAppUpdateOnly = true; + OfferToSaveLogins = false; + PasswordManagerEnabled = false; + DownloadDirectory = "\${home}/Downloads"; + EnableTrackingProtection = { + Value = true; + Cryptomining = true; + Fingerprinting = true; + }; + ExtensionSettings = { + # "*".installation_mode = "blocked"; # blocks all addons except the ones specified below + # Catppuccin Macchiato - Mauve theme: + "{55750c61-e5f3-4d9a-898d-0643b3093678}" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/catppuccin-macchiato-mauve/latest.xpi"; + installation_mode = "force_installed"; + }; + # Sideberry: + #"{3c078156-979c-498b-8990-85f7987dd929}" = { + # install_url = "https://addons.mozilla.org/firefox/downloads/latest/sidebery/latest.xpi"; + # installation_mode = "force_installed"; + #}; + # Privacy Badger: + "jid1-MnnxcxisBPnSXQ@jetpack" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/privacy-badger17/latest.xpi"; + installation_mode = "force_installed"; + }; + # Bitwarden: + "{446900e4-71c2-419f-a6a7-df9c091e268b}" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/latest.xpi"; + installation_mode = "force_installed"; + }; + # Libredirect: + "7esoorv3@alefvanoon.anonaddy.me" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/libredirect/latest.xpi"; + installation_mode = "force_installed"; + }; + # DarkReader: + "addon@darkreader.org" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/darkreader/latest.xpi"; + installation_mode = 
"force_installed"; + }; + # SimpleLogin: + "addon@simplelogin" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/simplelogin/latest.xpi"; + installation_mode = "force_installed"; + }; + # Cookie Auto Delete: + "CookieAutoDelete@kennydo.com" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/cookie-autodelete/latest.xpi"; + installation_mode = "force_installed"; + }; + # Don't fuck with paste: + "DontFuckWithPaste@raim.ist" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/don-t-fuck-with-paste/latest.xpi"; + installation_mode = "force_installed"; + }; + # Firefox pwas: + "firefoxpwa@filips.si" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/pwas-for-firefox/latest.xpi"; + installation_mode = "force_installed"; + }; + # Consent o matic: + "gdpr@cavi.au.dk" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/consent-o-matic/latest.xpi"; + installation_mode = "force_installed"; + }; + # Mailvelope: + "jid1-AQqSMBYb0a8ADg@jetpack" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/mailvelope/latest.xpi"; + installation_mode = "force_installed"; + }; + # KDE connect: + "kde-connect@0xc0dedbad.com" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/kde-connect/latest.xpi"; + installation_mode = "force_installed"; + }; + # Plasma browser integration: + "plasma-browser-integration@kde.org" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/plasma-integration/latest.xpi"; + installation_mode = "force_installed"; + }; + # Shinigami eyes: + "shinigamieyes@shinigamieyes" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/shinigami-eyes/latest.xpi"; + installation_mode = "force_installed"; + }; + # uBlock Origin: + "uBlock0@raymondhill.net" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"; + installation_mode = "force_installed"; 
+ }; + # uBlock Scope: + "uBO-Scope@raymondhill.net" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/ubo-scope/latest.xpi"; + installation_mode = "force_installed"; + }; + # Wayback machine: + "wayback_machine@mozilla.org" = { + install_url = "https://addons.mozilla.org/firefox/downloads/file/4047136/wayback_machine_new-3.2.xpi"; + installation_mode = "force_installed"; + }; + # Tree Style Tabs + # "treestyletab@piro.sakura.ne.jp" = { + # install_url = "https://addons.mozilla.org/firefox/downloads/latest/tree-style-tab/latest.xpi"; + # installation_mode = "force_installed"; + # }; + # Adaptive Tab Bar Colour + "ATBC@EasonWong" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/Adaptive-Tab-Bar-Colour/latest.xpi"; + installation_mode = "force_installed"; + }; + }; + FirefoxHome = { + Search = true; + TopSites = false; + SponsoredTopSites = false; + Highlights = false; + Pocket = false; + SponsoredPocket = false; + Snippets = false; + }; + FirefoxSuggest = { + WebSuggestions = false; + SponsoredSuggestions = false; + ImproveSuggest = false; + }; + Preferences = { + "browser.compactmode.show" = true; + "browser.uidensity" = 0; + # "browser.newtabpage.activity-stream.feeds.topsites" = false; + "browser.newtabpage.activity-stream.showSponsoredTopSites" = false; + "browser.newtabpage.activity-stream.showSponsored" = false; + "browser.newtabpage.activity-stream.system.showSponsored" = false; + "font.name.serif.x-western" = "Crimson"; + "font.name.sans-serif.x-western" = "Atkinson Hyperlegible"; + "font.name.monospace.x-western" = "FiraCode Nerd Font"; + "font.size.variable.x-western" = 14; + "floorp.browser.sidebar.useIconProvider" = "duckduckgo"; + "floorp.browser.tabbar.settings" = 2; + "floorp.browser.tabs.verticaltab" = true; + "floorp.tabbar.style" = 2; + "floorp.browser.user.interface" = 8; + "signon.rememberSignons" = true; + "browser.ml.chat.enabled" = false; + "browser.ml.chat.shortcuts" = false; + }; + # TODO: 
switch to ManagedBookmarks as this will be dropped at some point https://mozilla.github.io/policy-templates/#managedbookmarks + # Bookmarks = [ + # { + # Title = "NixOS wiki"; + # Placement = "toolbar"; + # URL = "https://nixos.wiki/"; + # } + # { + # Title = "NixOS options"; + # Placement = "toolbar"; + # URL = "https://nixos.org/manual/nixos/stable/options"; + # } + # { + # Title = "NixOS home-manager options"; + # Placement = "toolbar"; + # URL = "https://nix-community.github.io/home-manager/options.xhtml"; + # } + # ]; + }; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/akkoma/default.nix b/modules/nixos/shared-packages/server-settings/akkoma/default.nix new file mode 100644 index 0000000..d0495bf --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/akkoma/default.nix @@ -0,0 +1,48 @@ +{ + config, + pkgs, + ... +}: { + sops.secrets."releaseCookie".mode = "0440"; + sops.secrets."releaseCookie".owner = config.users.users.akkoma.name; + + users.groups.akkoma = {}; + + users.users = { + akkoma = { + isSystemUser = true; + group = "akkoma"; + }; + }; + + services.akkoma = { + enable = true; + package = pkgs.akkoma; + extraPackages = with pkgs; [ffmpeg exiftool imagemagick]; + nginx = { + enableACME = true; + forceSSL = true; + serverName = "akkoma.gladtherescake.eu"; + }; + #dist.cookie._secret = config.sops.secrets."releaseCookie".path; + config = { + ":pleroma".":instance" = { + name = "GLaDTheresCake Akkoma"; + email = "akkoma@gladtherescake.eu"; + notify_email = "no-reply@akkoma.gladtherescake.eu"; + emails.mailer = { + enabled = true; + adapter = "Swoosh.Adapters.Sendmail"; + cmd_path = "sendmail"; + cmd_args = "-N delay,failure,success"; + qmail = true; + }; + description = "Lillian's Akkoma server!"; + languages = ["en" "nl"]; + registrations_open = true; + max_pinned_statuses = 10; + cleanup_attachments = true; + }; + }; + }; +} 
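Review bot: `Preferences."signon.rememberSignons" = true` contradicts the `OfferToSaveLogins = false` and `PasswordManagerEnabled = false` policies above it; as far as I can tell those policies set and lock the same pref, so the `true` is dead and misleads the next reader into thinking the built-in password manager is on. Remove the pref (Bitwarden is force-installed as the manager) or drop the two policies, but not keep both. The `floorp.*` preferences look Floorp-specific and likely have no effect with `package = pkgs.librewolf`; if so, delete them or add a comment saying why they stay. The Wayback Machine entry pins a specific AMO file (`file/4047136/wayback_machine_new-3.2.xpi`) while every other extension uses `latest`; a one-line comment explaining the pin, or switching it to `latest`, would keep the list consistent.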
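Review bot: `sops.secrets."releaseCookie"` is declared with owner `akkoma`, but its only consumer, `dist.cookie._secret = config.sops.secrets."releaseCookie".path`, is commented out, so the decrypted cookie is materialised on disk and never used while the release presumably runs with a module-generated cookie. Either restore that line or drop the secret declaration so an unused secret is not written out. `registrations_open = true` without an approval gate opens the instance to automated sign-ups; if open registration is intended, pairing it with `account_approval_needed = true` in the same `:instance` block is the usual defence. The hand-declared `users.users.akkoma` / `users.groups.akkoma` may also overlap with definitions the NixOS akkoma module already makes — worth confirming they merge cleanly.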
diff --git a/modules/nixos/shared-packages/server-settings/aria2/container.nix b/modules/nixos/shared-packages/server-settings/aria2/container.nix
new file mode 100644
index 0000000..c76c97c
--- /dev/null
+++ b/modules/nixos/shared-packages/server-settings/aria2/container.nix
@@ -0,0 +1,101 @@ +{config, ...}: { + users.users.aria2.group = "aria2"; + users.groups.aria2 = {}; + users.users.aria2.isSystemUser = true; + + sops.secrets."wg-private".mode = "0440"; + sops.secrets."wg-private".owner = config.users.users.aria2.name; + containers.aria2 = { + forwardPorts = [ + { + containerPort = 6969; + hostPort = 6969; + protocol = "udp"; + } + ]; + bindMounts = { + "/var/lib/media" = { + hostPath = "/var/lib/media"; + isReadOnly = false; + }; + "/var/lib/wg/private-key" = { + hostPath = config.sops.secrets."wg-private".path; + isReadOnly = true; + }; + }; + autoStart = true; + privateNetwork = true; + hostAddress = "192.168.100.10"; + localAddress = "192.168.100.11"; + hostAddress6 = "fc00::1"; + localAddress6 = "fc00::2"; + config = { + config, + pkgs, + ... + }: { + system.stateVersion = "unstable"; + networking.firewall.allowedTCPPorts = [6969]; + networking.firewall.allowedUDPPorts = [6969 51820]; + users.users = { + aria2.extraGroups = ["jellyfin" "nextcloud"]; + }; + services.aria2 = { + enable = true; + downloadDir = "/var/lib/media"; + rpcListenPort = 6969; + }; + networking.wg-quick.interfaces = { + wg0 = { + postUp = '' + # Mark packets on the wg0 interface + wg set wg0 fwmark 51820 + + # Forbid anything else which doesn't go through wireguard VPN on + # ipV4 and ipV6 + ${pkgs.iptables}/bin/iptables -A OUTPUT \ + ! -d 192.168.0.0/16 \ + ! -o wg0 \ + -m mark ! --mark $(wg show wg0 fwmark) \ + -m addrtype ! --dst-type LOCAL \ + -j REJECT + ${pkgs.iptables}/bin/ip6tables -A OUTPUT \ + ! -o wg0 \ + -m mark ! --mark $(wg show wg0 fwmark) \ + -m addrtype ! --dst-type LOCAL \ + -j REJECT + ${pkgs.iptables}/bin/iptables -I OUTPUT -o lo -p tcp \ + --dport 6969 -m state --state NEW,ESTABLISHED -j ACCEPT + ${pkgs.iptables}/bin/iptables -I OUTPUT -s 192.168.100.10/24 -d 192.168.100.11/24 \ + -j ACCEPT + ''; + postDown = '' + ${pkgs.iptables}/bin/iptables -D OUTPUT \ + ! -o wg0 \ + -m mark ! --mark $(wg show wg0 fwmark) \ + -m addrtype ! 
--dst-type LOCAL \ + -j REJECT + ${pkgs.iptables}/bin/ip6tables -D OUTPUT \ + ! -o wg0 -m mark \ + ! --mark $(wg show wg0 fwmark) \ + -m addrtype ! --dst-type LOCAL \ + -j REJECT + ''; + + address = ["10.2.0.2/32"]; + dns = ["10.2.0.1"]; + privateKeyFile = "/var/lib/wg/private-key"; + + peers = [ + { + publicKey = "7A19/lMrfmpFZARivC7FS8DcGxMn5uUq9LcOqFjzlDo="; + allowedIPs = ["0.0.0.0/0"]; + endpoint = "185.159.158.182:51820"; + persistentKeepalive = 25; + } + ]; + }; + }; + }; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/aria2/default.nix b/modules/nixos/shared-packages/server-settings/aria2/default.nix new file mode 100644 index 0000000..e7d15bd --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/aria2/default.nix @@ -0,0 +1,15 @@ +{config, ...}: { + users.users.aria2.group = "aria2"; + users.groups.aria2 = {}; + users.users.aria2.isSystemUser = true; + + sops.secrets."rpcSecret".mode = "0440"; + sops.secrets."rpcSecret".owner = config.users.users.aria2.name; + + services.aria2 = { + enable = true; + downloadDir = "/var/lib/media"; + rpcListenPort = 6969; + rpcSecretFile = config.sops.secrets."rpcSecret".path; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/caddy/default.nix b/modules/nixos/shared-packages/server-settings/caddy/default.nix new file mode 100644 index 0000000..029c590 --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/caddy/default.nix 
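Review bot: Inside the container aria2's RPC on 6969 is started without `rpcSecretFile`, while the host-side sibling `aria2/default.nix` in the same line does set one; with the container firewall opening TCP 6969 and `forwardPorts` publishing 6969, anything that reaches the port can drive downloads into `/var/lib/media` (the forward is declared `protocol = "udp"`, which does not match aria2's TCP RPC, so it is unclear which is intended). Add `rpcSecretFile = "/var/lib/aria2/rpc-secret";` fed by a bind-mounted sops secret, as is already done for the WireGuard key. The kill switch also has gaps: `! -d 192.168.0.0/16` exempts the whole RFC1918 /16 from the IPv4 REJECT rule, and `-I OUTPUT -s 192.168.100.10/24 -d 192.168.100.11/24 -j ACCEPT` with /24 masks accepts any host in 192.168.100.0/24 rather than just the host/container pair, so both should be /32. The IPv4 `postDown` `-D` rule lacks the `! -d 192.168.0.0/16` match of the rule it tries to delete, so it will not match and the stale rule lingers.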
@@ -0,0 +1,56 @@ +{config, ...}: { + services.phpfpm.pools.nextcloud.settings = { + "listen.owner" = config.services.caddy.user; + "listen.group" = config.services.caddy.group; + }; + + users.users.caddy.extraGroups = ["nextcloud"]; + + services.caddy = { + enable = true; + + # Setup Nextcloud virtual host to listen on ports + virtualHosts = { + "${config.services.nextcloud.hostName}" = { + useACMEHost = "${config.services.nextcloud.hostName}"; + extraConfig = '' + redir /.well-known/carddav /remote.php/dav 301 + redir /.well-known/caldav /remote.php/dav 301 + redir /.well-known/webfinger /index.php/.well-known/webfinger 301 + redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301 + + encode gzip + reverse_proxy localhost:9000 + header Strict-Transport-Security max-age=31536000; + @forbidden { + path /.htaccess + path /data/* + path /config/* + path /db_structure + path /.xml + path /README + path /3rdparty/* + path /lib/* + path /templates/* + path /occ + path /console.php + } + handle @forbidden { + respond 404 + } + + handle { + root * /var/www/html + php_fastcgi 127.0.0.1:9000 { + # Tells nextcloud to remove /index.php from URLs in links + env front_controller_active true + } + file_server + } + ''; + }; + "onlyoffice.gladtherescake.eu" = { + }; + }; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/cinny/default.nix b/modules/nixos/shared-packages/server-settings/cinny/default.nix new file mode 100644 index 0000000..63891b4 --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/cinny/default.nix @@ -0,0 +1,17 @@ +{pkgs, ...}: { + services.nginx = { + enable = true; + virtualHosts = { + "cinny.gladtherescake.eu" = { + root = "${pkgs.cinny}"; + ## Force HTTP redirect to HTTPS + forceSSL = true; + ## LetsEncrypt + enableACME = true; + locations."/" = { + index = "index.html"; + }; + }; + }; + }; +} 
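Review bot: The Caddy vhost points `php_fastcgi 127.0.0.1:9000` and `reverse_proxy localhost:9000` at a TCP port, yet the same file sets `listen.owner`/`listen.group` on the `nextcloud` php-fpm pool, which only matters for a unix socket (the NixOS nextcloud module uses one, presumably `/run/phpfpm/nextcloud.sock`), and `reverse_proxy` speaks HTTP rather than FastCGI, so whatever it catches is proxied with the wrong protocol. `root * /var/www/html` also does not match where the NixOS module installs Nextcloud (the store path of `config.services.nextcloud.package`), so `file_server` would serve from an empty tree; this module is not listed in `server-settings/default.nix` and `nextcloud/default.nix` already claims the same host in nginx, so confirm it is meant to be live at all. The `"onlyoffice.gladtherescake.eu"` vhost is empty and should either get a body or be removed.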
diff --git a/modules/nixos/shared-packages/server-settings/conduit/default.nix b/modules/nixos/shared-packages/server-settings/conduit/default.nix
new file mode 100644
index 0000000..09268ee
--- /dev/null
+++ b/modules/nixos/shared-packages/server-settings/conduit/default.nix
@@ -0,0 +1,153 @@ +{ + config, + pkgs, + ... +}: let + # You'll need to edit these values + # The hostname that will appear in your user and room IDs + server_name = "matrix.gladtherescake.eu"; + + # An admin email for TLS certificate notifications + admin_email = "letsencrypt@gladtherescake.eu"; + + # These ones you can leave alone + + # Build a dervation that stores the content of `${server_name}/.well-known/matrix/server` + well_known_server = pkgs.writeText "well-known-matrix-server" '' + { + "m.server": "${server_name}" + } + ''; + + # Build a dervation that stores the content of `${server_name}/.well-known/matrix/client` + well_known_client = pkgs.writeText "well-known-matrix-client" '' + { + "m.homeserver": { + "base_url": "https://${server_name}" + } + } + ''; +in { + # Configure continuwuity itself + services.matrix-continuwuity = { + enable = true; + + settings.global = { + inherit server_name; + allow_registration = false; + # emergency_password = "testpassword"; + turn_uris = ["turn:turn.gladtherescake.eu.url?transport=udp" "turn:turn.gladtherescake.eu?transport=tcp"]; + turn_secret = "cPKWEn4Fo5TAJoE7iX3xeVOaMVE4afeRN1iRGWYfbkWbkaZMxTpnmazHyH6c6yXT"; + well_known = { + server = "matrix.gladtherescake.eu:443"; + client = "https://matrix.gladtherescake.eu"; + }; + }; + }; + + # Configure automated TLS acquisition/renewal + security.acme = { + acceptTerms = true; + defaults = { + email = admin_email; + }; + }; + + # ACME data must be readable by the NGINX user + users.users.nginx.extraGroups = [ + "acme" + ]; + + # Configure NGINX as a reverse proxy + services.nginx = { + enable = true; + + virtualHosts = { + "${server_name}" = { + forceSSL = true; + enableACME = true; + + listen = [ + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + { + addr = "[::]"; + port = 443; + ssl = true; + } + { + addr = "0.0.0.0"; + port = 8448; + ssl = true; + } + { + addr = "[::]"; + port = 8448; + ssl = true; + } + ]; + + locations."/_matrix/" = { + proxyPass = 
"http://backend_continuwuity"; + proxyWebsockets = true; + extraConfig = '' + proxy_set_header Host $host; + proxy_buffering off; + ''; + }; + locations."=/.well-known/matrix/server" = { + # Use the contents of the derivation built previously + alias = "${well_known_server}"; + + extraConfig = '' + # Set the header since by default NGINX thinks it's just bytes + default_type application/json; + ''; + }; + + locations."=/.well-known/matrix/client" = { + # Use the contents of the derivation built previously + alias = "${well_known_client}"; + return = "200 '{\"m.homeserver\": {\"base_url\": \"https://${server_name}\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://${server_name}\"}}'"; + + extraConfig = '' + # Set the header since by default NGINX thinks it's just bytes + default_type application/json; + + # https://matrix.org/docs/spec/client_server/r0.4.0#web-browser-clients + add_header Access-Control-Allow-Origin "*"; + ''; + }; + locations."/_matrix/client/unstable/org.matrix.msc3575/sync" = { + proxyPass = "http://matrix.gladtherescake.eu/client/unstable/org.matrix.msc3575/sync"; + proxyWebsockets = true; + recommendedProxySettings = false; + return = "200 '{\"contacts\": [{\"matrix_id\": \"@admin:server.name\", \"email_address\": \"admin@server.name\", \"role\": \"m.role.admin\"}]}'"; + extraConfig = '' + proxy_set_header Host $host; + proxy_buffering off; + ''; + }; + + extraConfig = '' + merge_slashes off; + ''; + }; + }; + + upstreams = { + "backend_continuwuity" = { + servers = { + "[::1]:${toString config.services.matrix-continuwuity.settings.global.port}" = {}; + }; + }; + }; + }; + + # Open firewall ports for HTTP, HTTPS, and Matrix federation + networking.firewall.allowedTCPPorts = [80 443 8448]; + networking.firewall.allowedUDPPorts = [80 443 8448]; +} diff --git a/modules/nixos/shared-packages/server-settings/coturn/default.nix b/modules/nixos/shared-packages/server-settings/coturn/default.nix new file mode 100644 index 0000000..db36913 
--- /dev/null +++ b/modules/nixos/shared-packages/server-settings/coturn/default.nix @@ -0,0 +1,44 @@ +{config, ...}: { + sops.secrets."coturn-auth-secret".mode = "0440"; + sops.secrets."coturn-auth-secret".owner = config.users.users.turnserver.name; + users.users.nginx.extraGroups = ["turnserver"]; + services.coturn = { + enable = true; + use-auth-secret = true; + static-auth-secret-file = config.sops.secrets."coturn-auth-secret".path; + realm = "turn.gladtherescake.eu"; + relay-ips = [ + "62.171.160.195" + "2a02:c207:2063:2448::1" + ]; + extraConfig = " + cipher-list=\"HIGH\" + no-loopback-peers + no-multicast-peers + "; + secure-stun = true; + cert = "/var/lib/acme/turn.gladtherescake.eu/fullchain.pem"; + pkey = "/var/lib/acme/turn.gladtherescake.eu/key.pem"; + min-port = 49152; + max-port = 49999; + }; + + # setup certs + services.nginx = { + enable = true; + virtualHosts = { + "turn.gladtherescake.eu" = { + forceSSL = true; + enableACME = true; + }; + }; + }; + + # share certs with coturn and restart on renewal + security.acme.certs = { + "turn.gladtherescake.eu" = { + group = "turnserver"; + postRun = "systemctl reload nginx.service; systemctl restart coturn.service"; + }; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/dashboard/default.nix b/modules/nixos/shared-packages/server-settings/dashboard/default.nix new file mode 100644 index 0000000..7bbb7fc --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/dashboard/default.nix @@ -0,0 +1,8 @@ +{...}: { + imports = [ + ./grafana + #./loki + ./prometheus + ./telegraf + ]; +} diff --git a/modules/nixos/shared-packages/server-settings/dashboard/grafana/default.nix b/modules/nixos/shared-packages/server-settings/dashboard/grafana/default.nix new file mode 100644 index 0000000..41f696e --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/dashboard/grafana/default.nix 
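Review bot: The TURN relay has no `denied-peer-ip` ranges, so an authenticated client can ask coturn to relay to the host's private and link-local addresses; `no-loopback-peers` and `no-multicast-peers` do not cover 10/8, 172.16/12, 192.168/16, 169.254/16 or fc00::/7. Add to `extraConfig` lines such as `denied-peer-ip=10.0.0.0-10.255.255.255`, `denied-peer-ip=172.16.0.0-172.31.255.255`, `denied-peer-ip=192.168.0.0-192.168.255.255` plus the link-local and ULA ranges, and consider `no-tlsv1` / `no-tlsv1_1` next to `cipher-list="HIGH"` if the coturn build still accepts them. `users.users.nginx.extraGroups = ["turnserver"]` is there so nginx can read the cert whose group is set to `turnserver` below; a comment like `# nginx must be in the cert group to serve the ACME-managed vhost` would make that explicit.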
@@ -0,0 +1,44 @@ +{config, ...}: { + # grafana configuration + services.grafana = { + enable = true; + settings.server = { + domain = "grafana.lillianviolet.dev"; + http_port = 2342; + http_addr = "127.0.0.1"; + }; + provision = { + datasources.settings = { + apiVersion = 1; + datasources = [ + { + name = "Prometheus"; + type = "prometheus"; + access = "proxy"; + url = "http://localhost:${toString config.services.prometheus.port}"; + isDefault = true; + } + { + name = "Loki"; + type = "loki"; + access = "proxy"; + url = "http://localhost:3100"; + isDefault = true; + } + ]; + }; + }; + }; + + # nginx reverse proxy + services.nginx.virtualHosts.${config.services.grafana.settings.server.domain} = { + ## Force HTTP redirect to HTTPS + forceSSL = true; + ## LetsEncrypt + enableACME = true; + locations."/" = { + proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}"; + proxyWebsockets = true; + }; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/dashboard/loki/default.nix b/modules/nixos/shared-packages/server-settings/dashboard/loki/default.nix new file mode 100644 index 0000000..e83159b --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/dashboard/loki/default.nix @@ -0,0 +1,6 @@ +{...}: { + services.loki = { + enable = true; + configFile = ./loki.yaml; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/dashboard/loki/loki.yaml b/modules/nixos/shared-packages/server-settings/dashboard/loki/loki.yaml new file mode 100644 index 0000000..d0e9699 --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/dashboard/loki/loki.yaml 
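Review bot: Both provisioned datasources set `isDefault = true`; Grafana allows a single default datasource per organisation and, as far as I recall, logs an error and skips provisioning when two are flagged, so remove it from the Loki entry. The Loki URL is hardcoded to `http://localhost:3100` while `./loki` is commented out in `dashboard/default.nix`, so the datasource points at nothing until Loki is enabled; a comment such as `# requires ./loki to be imported` next to it would flag the dependency. Binding Grafana to `127.0.0.1` behind the ACME-terminated nginx proxy is the right shape.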
@@ -0,0 +1,40 @@ +# Enables authentication through the X-Scope-OrgID header, which must be present +# if true. If false, the OrgID will always be set to "fake". +auth_enabled: false + +server: + http_listen_address: "0.0.0.0" + http_listen_port: 3100 + +ingester: + lifecycler: + address: "127.0.0.1" + ring: + kvstore: + store: inmemory + replication_factor: 1 + final_sleep: 0s + chunk_idle_period: 5m + chunk_retain_period: 30s + +schema_config: + configs: + - from: 2020-05-15 + store: boltdb + object_store: filesystem + schema: v11 + index: + prefix: index_ + period: 168h + +storage_config: + boltdb: + directory: /tmp/loki/index + + filesystem: + directory: /tmp/loki/chunks + +limits_config: + enforce_metric_name: false + reject_old_samples: true + reject_old_samples_max_age: 168h \ No newline at end of file diff --git a/modules/nixos/shared-packages/server-settings/dashboard/prometheus/default.nix b/modules/nixos/shared-packages/server-settings/dashboard/prometheus/default.nix new file mode 100644 index 0000000..fd08b3e --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/dashboard/prometheus/default.nix @@ -0,0 +1,34 @@ +{config, ...}: { + services.prometheus = { + enable = true; + port = 9001; + # Export the current system metrics + exporters = { + node = { + enable = true; + enabledCollectors = ["systemd"]; + port = 9002; + }; + }; + scrapeConfigs = [ + # Scrape the current system + { + job_name = "GrafanaService system"; + static_configs = [ + { + targets = ["127.0.0.1:${toString config.services.prometheus.exporters.node.port}"]; + } + ]; + } + # Scrape the Loki service + { + job_name = "Loki service"; + static_configs = [ + { + targets = ["127.0.0.1:3100"]; + } + ]; + } + ]; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/dashboard/telegraf/default.nix b/modules/nixos/shared-packages/server-settings/dashboard/telegraf/default.nix new file mode 100644 index 0000000..591e279 --- /dev/null 
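Review bot: `http_listen_address: "0.0.0.0"` together with `auth_enabled: false` exposes Loki's unauthenticated push and query API on every interface; the only consumers in this change are local (Grafana and Prometheus both target 127.0.0.1:3100), so bind it to loopback with `http_listen_address: "127.0.0.1"` rather than relying on the host firewall staying closed. Storing the index and chunks under `/tmp/loki/...` means log data is lost on reboot and subject to tmp cleaning; point them at a state directory such as `/var/lib/loki/index` and `/var/lib/loki/chunks` (confirm what the NixOS module provisions). `loki/default.nix` loads this file verbatim via `configFile`, so there is no NixOS-side override of these values.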
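Review bot: Prometheus and the node exporter are left on their module default listen address, which as far as I recall is `0.0.0.0` for both `services.prometheus.listenAddress` and `exporters.node.listenAddress`, while the only scraper is Grafana on the same host; set `listenAddress = "127.0.0.1";` in `services.prometheus` and in `exporters.node` so the unauthenticated metrics and admin API are not reachable the day a firewall rule is loosened. The `"Loki service"` scrape target `127.0.0.1:3100` depends on `./loki`, which `dashboard/default.nix` leaves commented out, so this job will report the target as down until Loki is enabled.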
+++ b/modules/nixos/shared-packages/server-settings/dashboard/telegraf/default.nix @@ -0,0 +1,49 @@ +{config, ...}: { + sops.secrets."grafana-telegraf-key".mode = "0440"; + sops.secrets."grafana-telegraf-key".owner = config.users.users.telegraf.name; + services.telegraf = { + enable = true; + extraConfig = { + agent = { + interval = "10s"; + round_interval = true; + metric_batch_size = 1000; + metric_buffer_limit = 10000; + collection_jitter = "0s"; + flush_interval = "10s"; + flush_jitter = "0s"; + precision = ""; + debug = false; + quiet = false; + logfile = ""; + hostname = "queen"; + omit_hostname = false; + }; + inputs = { + cpu = { + percpu = true; + totalcpu = true; + collect_cpu_time = false; + report_active = false; + core_tags = false; + }; + disk = { + ignore_fs = ["tmpfs" "devtmpfs" "devfs" "overlay" "aufs" "squashfs"]; + }; + diskio = {}; + kernel = {}; + mem = {}; + system = {}; + }; + outputs = { + websocket = { + url = "ws://localhost:${toString config.services.prometheus.port}/api/live/push/telegraf"; + data_format = "influx"; + headers = { + Authorisation = "Bearer glsa_lqpcKV34Pp0d7eIhKN79E2HTwzWWwN4m_fe64e398"; + }; + }; + }; + }; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/default.nix b/modules/nixos/shared-packages/server-settings/default.nix new file mode 100644 index 0000000..9c129cb --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/default.nix @@ -0,0 +1,19 @@ +{...}: { + imports = [ + ./conduit + ./forgejo + ./gotosocial + ./mail-server + ./nextcloud + # ./phanpy + ./postgres + ./roundcube + ./coturn + # ./dashboard + #./cinny + #./firefox-sync + ./writefreely + ./mollysocket + ./jellyfin + ]; +} diff --git a/modules/nixos/shared-packages/server-settings/firefox-sync/default.nix b/modules/nixos/shared-packages/server-settings/firefox-sync/default.nix new file mode 100644 index 0000000..a97abf3 --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/firefox-sync/default.nix 
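Review bot: A live Grafana service-account token (`Bearer glsa_…`) is committed in `outputs.websocket.headers`, and since `extraConfig` is rendered into the Nix store it is world-readable on the host; the `grafana-telegraf-key` sops secret declared two lines above is never used. Revoke and rotate that token, then load it through the module's `environmentFiles` (e.g. `environmentFiles = [config.sops.secrets."grafana-telegraf-key".path];` with the secret containing `GRAFANA_TOKEN=…`) and reference it as `Authorization = "Bearer $GRAFANA_TOKEN";`. The header key is spelled `Authorisation`; HTTP and Grafana only honour `Authorization`, so even a valid token is ignored as written. The push URL is built from `config.services.prometheus.port`, but `/api/live/push/telegraf` is a Grafana Live endpoint, so it should presumably use `config.services.grafana.settings.server.http_port`.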
@@ -0,0 +1,30 @@ +{ + config, + pkgs, + ... +}: let + port = 5126; +in { + sops.secrets."sync-secrets".mode = "0440"; + sops.secrets."sync-secrets".owner = config.users.users.firefox-syncserver.name; + + users.groups.firefox-syncserver = {}; + users.users.firefox-syncserver = { + isSystemUser = true; + group = "firefox-syncserver"; + extraGroups = [config.users.groups.keys.name]; + }; + + services.mysql.package = pkgs.mariadb; + services.firefox-syncserver = { + enable = true; + secrets = config.sops.secrets."sync-secrets".path; + singleNode = { + enable = true; + hostname = "sync.gladtherescake.eu"; + url = "http://localhost:${toString port}"; + enableNginx = true; + enableTLS = true; + }; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/forgejo/default.nix b/modules/nixos/shared-packages/server-settings/forgejo/default.nix new file mode 100644 index 0000000..b4efc44 --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/forgejo/default.nix 
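Review bot: The local `port = 5126` is only interpolated into `singleNode.url`; nothing sets the server's own listen port, so unless the module default happens to be 5126 the URL targets a port nothing listens on — set the service port from the same binding (confirm the option name for the module version in use) or drop the local variable. If I read the module right, `singleNode.url` defaults to `https://<hostname>` once `enableTLS` is set and is the public URL handed to clients, so overriding it with `http://localhost:5126` is presumably a mistake next to `hostname = "sync.gladtherescake.eu"`. This module is commented out in `server-settings/default.nix`, so none of it is live yet.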
@@ -0,0 +1,71 @@ +{pkgs, ...}: { + imports = []; + + #sops.secrets."mailpassunhash".mode = "0440"; + #sops.secrets."mailpassunhash".owner = config.users.users.virtualMail.name; + + services.forgejo = { + enable = true; + #TODO: different mail passwords for different services + #mailerPasswordFile = config.sops.secrets."mailpassunhash".path; + database = { + type = "postgres"; + }; + settings = { + "cron.sync_external_users" = { + RUN_AT_START = true; + SCHEDULE = "@every 24h"; + UPDATE_EXISTING = true; + }; + mailer = { + ENABLED = true; + PROTOCOL = "sendmail"; + FROM = "no-reply@git.lillianviolet.dev"; + SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail"; + SENDMAIL_ARGS = "-bs"; + }; + repository = { + ENABLE_PUSH_CREATE_USER = true; + }; + federation = { + ENABLED = true; + }; + other = { + SHOW_FOOTER_VERSION = false; + }; + service.DISABLE_REGISTRATION = true; + server = { + DOMAIN = "git.lillianviolet.dev"; + ROOT_URL = "https://git.lillianviolet.dev/"; + HTTP_PORT = 3218; + }; + "markup.jupyter" = { + ENABLED = true; + FILE_EXTENSIONS = ".ipynb"; + RENDER_COMMAND = "${pkgs.jupyter}/bin/jupyter nbconvert --stdout --to html --template full"; + IS_INPUT_FILE = true; + RENDER_CONTENT_MODE = "no-sanitizer"; + }; + "markup.sanitizer.jupyter0" = { + ELEMENT = "div"; + ALLOW_ATTR = "class"; + REGEXP = ""; + }; + "markup.sanitizer.jupyter0.img" = { + ALLOW_DATA_URI_IMAGES = true; + }; + }; + }; + + services.nginx = { + virtualHosts = { + "git.lillianviolet.dev" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:3218"; + }; + }; + }; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/gotosocial/default.nix b/modules/nixos/shared-packages/server-settings/gotosocial/default.nix new file mode 100644 index 0000000..3740c15 --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/gotosocial/default.nix 
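Review bot: `RENDER_CONTENT_MODE = "no-sanitizer"` on the jupyter markup renderer injects nbconvert's HTML straight into the page, so any user who can push an `.ipynb` into a repository can run arbitrary script on `git.lillianviolet.dev` with the viewer's session (stored XSS); the Gitea/Forgejo docs flag this mode as insecure, and the `markup.sanitizer.jupyter0*` rules below it have no effect while the sanitizer is bypassed. Use `RENDER_CONTENT_MODE = "iframe";` so the output is rendered in a sandboxed frame, or `"sanitized"` with the sanitizer rules kept. Registration is disabled, but `ENABLE_PUSH_CREATE_USER` and `federation.ENABLED` widen who can land content, so a comment such as `# notebooks render in an isolated iframe; never use no-sanitizer here` would protect future edits.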
@@ -0,0 +1,43 @@ +{pkgs, ...}: { + users.users.gotosocial.extraGroups = ["virtualMail"]; + + services.nginx = { + virtualHosts = { + "social.gladtherescake.eu" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:4257"; + }; + }; + }; + }; + + services.gotosocial = { + enable = true; + package = pkgs.gotosocial; + setupPostgresqlDB = true; + settings = { + application-name = "gotosocial"; + host = "social.gladtherescake.eu"; + bind-address = "localhost"; + port = 4257; + protocol = "https"; + storage-local-base-path = "/var/lib/gotosocial/storage"; + instance-languages = ["en-gb" "nl"]; + media-image-max-size = 41943040; + media-video-max-size = 209715200; + media-description-max-chars = 2000; + #smtp-host = "localhost"; + #smtp-port = 587; + #smtp-username = "no-reply@social.gladtherescake.eu"; + #smtp-password = config.sops.secrets."mailpassunhash".path; + #smtp-from = "no-reply@social.gladtherescake.eu"; + }; + }; + + systemd.services."gotosocial" = { + requires = ["postgresql.service"]; + after = ["postgresql.service"]; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/jellyfin/default.nix b/modules/nixos/shared-packages/server-settings/jellyfin/default.nix new file mode 100644 index 0000000..d172e97 --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/jellyfin/default.nix @@ -0,0 +1,20 @@ +{...}: { + services.nginx = { + virtualHosts = { + "video.gladtherescake.eu" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:8096"; + proxyWebsockets = true; # needed if you need to use WebSocket + }; + }; + }; + }; + + services.jellyfin = { + enable = true; + user = "nextcloud"; + group = "nextcloud"; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/mail-server/default.nix b/modules/nixos/shared-packages/server-settings/mail-server/default.nix new file mode 100644 index 0000000..ae56e4c --- /dev/null 
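Review bot: `services.jellyfin` runs as `user = "nextcloud"; group = "nextcloud";`, so a compromise of the internet-facing Jellyfin process can read and write everything Nextcloud owns, including the `nextcloudadmin` and `nextclouddb` sops secrets that `nextcloud/default.nix` chowns to that user with mode 0440. Keep Jellyfin on its own user and share the media tree through a group instead, e.g. `users.users.jellyfin.extraGroups = ["nextcloud"];` or a dedicated `media` group on `/var/lib/media`, which is the pattern `aria2/container.nix` already uses for aria2. Only the nginx vhost exposes Jellyfin here (no `openFirewall`), which is fine.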
+++ b/modules/nixos/shared-packages/server-settings/mail-server/default.nix 
@@ -0,0 +1,108 @@ +{config, ...}: { + sops.secrets."mailpass".mode = "0440"; + sops.secrets."mailpass".owner = config.users.users.virtualMail.name; + + #Fix for the dovecot update + # services.dovecot2.sieve.extensions = ["fileinto"]; + + mailserver = { + stateVersion = 3; + enable = true; + enableImap = true; + enableSubmission = true; + fqdn = "mail.gladtherescake.eu"; + domains = [ + "nextcloud.gladtherescake.eu" + "akkoma.gladtherescake.eu" + "social.gladtherescake.eu" + "gladtherescake.eu" + "lillianviolet.dev" + "git.lillianviolet.dev" + ]; + + loginAccounts = { + "me@gladtherescake.eu" = { + hashedPasswordFile = config.sops.secrets."mailpass".path; + aliases = [ + "@gladtherescake.eu" + ]; + catchAll = [ + "gladtherescake.eu" + ]; + }; + "no-reply@nextcloud.gladtherescake.eu" = { + hashedPasswordFile = config.sops.secrets."mailpass".path; + }; + "no-reply@akkoma.gladtherescake.eu" = { + hashedPasswordFile = config.sops.secrets."mailpass".path; + }; + "no-reply@social.gladtherescake.eu" = { + hashedPasswordFile = config.sops.secrets."mailpass".path; + }; + "info@lillianviolet.dev" = { + hashedPasswordFile = config.sops.secrets."mailpass".path; + aliases = [ + "@lillianviolet.dev" + ]; + catchAll = [ + "lillianviolet.dev" + ]; + }; + "no-reply@git.lillianviolet.dev" = { + hashedPasswordFile = config.sops.secrets."mailpass".path; + }; + }; + + mailboxes = { + All = { + auto = "subscribe"; + specialUse = "All"; + }; + Archive = { + auto = "subscribe"; + specialUse = "Archive"; + }; + Drafts = { + auto = "subscribe"; + specialUse = "Drafts"; + }; + Junk = { + auto = "subscribe"; + specialUse = "Junk"; + }; + Sent = { + auto = "subscribe"; + specialUse = "Sent"; + }; + Trash = { + auto = "no"; + specialUse = "Trash"; + }; + }; + + rejectRecipients = [ + "no-reply@nextcloud.gladtherescake.eu" + "no-reply@akkoma.gladtherescake.eu" + "no-reply@social.gladtherescake.eu" + "no-reply@git.lillianviolet.dev" + "ongebonden@gladtherescake.eu" + 
"teluyep_canoja_52868396@gladtherescake.eu" + "me.belsimpel@gladtherescake.eu" + "me.tele2@gladtherescake.eu" + "me+tele2@gladtherescake.eu" + "me.archiveorg@gladtherescake.eu" + ]; + x509.useACMEHost = config.mailserver.fqdn; + }; + security.acme.certs.${config.mailserver.fqdn} = { + webroot = "/var/lib/acme/acme-challenge/"; + extraDomainNames = [ + "imap.lillianviolet.dev" + "mail.lillianviolet.dev" + "pop3.lillianviolet.dev" + "lillianviolet.dev" + "gladtherescake.eu" + "mail.gladtherescake.eu" + ]; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/mollysocket/default.nix b/modules/nixos/shared-packages/server-settings/mollysocket/default.nix new file mode 100644 index 0000000..1d445ea --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/mollysocket/default.nix @@ -0,0 +1,25 @@ +{config, ...}: { + sops.secrets."mollysocket-vapid-key".mode = "0440"; + + services.mollysocket = { + enable = true; + environmentFile = config.sops.secrets."mollysocket-vapid-key".path; + settings = { + port = 4381; + allowed_endpoints = ["https://molly.gladtherescake.eu" "https://nextcloud.gladtherescake.eu"]; + allowed_uuids = ["db639f29-b7e7-431a-9c75-bcdcb87b6bdf"]; + webserver = true; + }; + }; + services.nginx = { + virtualHosts = { + "molly.gladtherescake.eu" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:4381"; + }; + }; + }; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/nextcloud/default.nix b/modules/nixos/shared-packages/server-settings/nextcloud/default.nix new file mode 100644 index 0000000..8afd0e5 --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/nextcloud/default.nix 
@@ -0,0 +1,126 @@ +{ + config, + pkgs, + ... +}: { + sops.secrets."nextcloudadmin".mode = "0440"; + sops.secrets."nextcloudadmin".owner = config.users.users.nextcloud.name; + sops.secrets."nextclouddb".mode = "0440"; + sops.secrets."nextclouddb".owner = config.users.users.nextcloud.name; + # sops.secrets."local.json".mode = "0440"; + # sops.secrets."local.json".owner = config.users.users.onlyoffice.name; + + users.users = { + # nextcloud.extraGroups = [config.users.groups.keys.name config.users.users.onlyoffice.name]; + nextcloud.extraGroups = [config.users.groups.keys.name]; + #aria2.extraGroups = ["nextcloud"]; + # onlyoffice.extraGroups = [config.users.users.nextcloud.name]; + }; + + # Enable Nginx + services.nginx = { + enable = true; + + # Use recommended settings + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + # Only allow PFS-enabled ciphers with AES256 + sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; + + # Setup Nextcloud virtual host to listen on ports + virtualHosts = { + "nextcloud.gladtherescake.eu" = { + ## Force HTTP redirect to HTTPS + forceSSL = true; + ## LetsEncrypt + enableACME = true; + }; + "onlyoffice.gladtherescake.eu" = { + forceSSL = true; + enableACME = true; + }; + }; + }; + + # Actual Nextcloud Config + services.nextcloud = { + enable = true; + hostName = "nextcloud.gladtherescake.eu"; + + package = pkgs.nextcloud33; + + # Use HTTPS for links + https = true; + + # Auto-update Nextcloud Apps + autoUpdateApps.enable = true; + # Set what time makes sense for you + autoUpdateApps.startAt = "05:00:00"; + configureRedis = true; + maxUploadSize = "16G"; + + #Increase opcache string buffer + phpOptions."opcache.interned_strings_buffer" = "23"; + # Further forces Nextcloud to use HTTPS + settings = { + overwriteprotocol = "https"; + default_phone_region = "NL"; + maintenance_window_start = 3; + log_type = "file"; + }; + appstoreEnable = true; + 
extraAppsEnable = true; + #extraApps = with config.services.nextcloud.package.packages.apps; { + # List of apps we want to install and are already packaged in + # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json + # inherit calendar contacts deck forms notes onlyoffice polls twofactor_nextcloud_notification unsplash; + #}; + + config = { + # Nextcloud PostegreSQL database configuration, recommended over using SQLite + dbtype = "pgsql"; + dbuser = "nextcloud"; + dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself + dbname = "nextcloud"; + dbpassFile = config.sops.secrets."nextclouddb".path; + + adminpassFile = config.sops.secrets."nextcloudadmin".path; + adminuser = "GLaDTheresCake"; + }; + }; + + # services.onlyoffice = { + # port = 16783; + # enable = true; + # hostname = "onlyoffice.gladtherescake.eu"; + # #postgresHost = "/run/postgesql"; + # #postgresUser = "onlyoffice"; + # #postgresName = "onlyoffice"; + # #jwtSecretFile = config.sops.secrets."local.json".path; + # }; + + # services.rabbitmq = { + # enable = true; + # }; + + systemd.services."sops-nix.service" = { + before = [ + "nextcloud-setup.service" + "postgresql.service" + "onlyoffice-converter.service" + "onlyoffice-docservice.service" + "nginx.service" + "phpfpm-nextcloud.service" + "redis-nextcloud.service" + ]; + }; + + # Ensure that postgres is running before running the setup + systemd.services."nextcloud-setup" = { + requires = ["postgresql.service"]; + after = ["postgresql.service"]; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/ombi/default.nix b/modules/nixos/shared-packages/server-settings/ombi/default.nix new file mode 100644 index 0000000..c82156c --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/ombi/default.nix 
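Review bot: `systemd.services."sops-nix.service"` defines a unit named `sops-nix.service.service` (the attribute name is the unit's base name), so the `before = [...]` ordering never attaches to the real `sops-nix.service` and the `dbpassFile`/`adminpassFile` reads race with `nextcloud-setup`, `postgresql`, `nginx` and the php-fpm/redis units; write it as `systemd.services.sops-nix.before = [ ... ];`. `sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"` replaces the list `recommendedTlsSettings` would set and drops ChaCha20-Poly1305 and AES-128-GCM without excluding CBC suites, so it is narrower rather than stronger — drop it unless there is a policy reason. With both secrets now owned by `nextcloud` directly, check whether `nextcloud.extraGroups = [config.users.groups.keys.name]` is still needed. `autoUpdateApps.enable = true` installs app-store updates unattended; a one-line comment stating that this supply-chain trade-off is accepted would help.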
@@ -0,0 +1,55 @@ +{...}: { + users.users = { + ombi.extraGroups = ["radarr" "sonarr" "aria2" "nextcloud"]; + }; + services.ombi = { + enable = true; + port = 2368; + }; + + users.users = { + radarr.extraGroups = ["aria2" "nextcloud"]; + sonarr.extraGroups = ["aria2" "nextcloud"]; + }; + + services = { + #uses port 7878 + radarr.enable = true; + #uses port 8989 + sonarr.enable = true; + prowlarr.enable = true; + }; + + services.nginx = { + virtualHosts = { + "ombi.gladtherescake.eu" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:2368"; + }; + }; + "radarr.gladtherescake.eu" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:7878"; + }; + }; + "sonarr.gladtherescake.eu" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:8989"; + }; + }; + "prowlarr.gladtherescake.eu" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:9696"; + }; + }; + }; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/phanpy/default.nix b/modules/nixos/shared-packages/server-settings/phanpy/default.nix new file mode 100644 index 0000000..362f8f7 --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/phanpy/default.nix @@ -0,0 +1,17 @@ +{pkgs, ...}: { + services.nginx = { + enable = true; + virtualHosts = { + "phanpy.gladtherescake.eu" = { + root = "${pkgs.phanpy}"; + ## Force HTTP redirect to HTTPS + forceSSL = true; + ## LetsEncrypt + enableACME = true; + locations."/" = { + index = "index.html"; + }; + }; + }; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/postgres/default.nix b/modules/nixos/shared-packages/server-settings/postgres/default.nix new file mode 100644 index 0000000..0a3e4f6 --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/postgres/default.nix 
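Review bot: Radarr, Sonarr and Prowlarr are published on their own ACME subdomains straight to the internet with no auth layer in front; as far as I recall their built-in authentication only applies once configured in the UI, so until each first-run setup is completed these are open to anyone, and afterwards they are guarded only by a single password or API key. Either restrict the three vhosts (`extraConfig = "allow <admin-ip>; deny all;"` or nginx basic auth) or keep the `*arr` apps local-only and expose Ombi alone, which is the user-facing piece. The group memberships `radarr.extraGroups = ["aria2" "nextcloud"]` / `sonarr.extraGroups = [...]` also give each service write access to the whole Nextcloud tree, which is more than media import needs; a shared `media` group on `/var/lib/media` would scope it.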
@@ -0,0 +1,38 @@
+{pkgs, ...}: {
+ services.postgresql = {
+ # https://nixos.org/manual/nixos/stable/#module-postgresql
+ package = pkgs.postgresql_16;
+ enable = true;
+
+ # Ensure the database, user, and ownership is set
+ ensureDatabases = [
+ "nextcloud"
+ "onlyoffice"
+ "akkoma"
+ "gotosocial"
+ "gitea"
+ ];
+ ensureUsers = [
+ {
+ name = "nextcloud";
+ ensureDBOwnership = true;
+ }
+ {
+ name = "onlyoffice";
+ ensureDBOwnership = true;
+ }
+ {
+ name = "akkoma";
+ ensureDBOwnership = true;
+ }
+ {
+ name = "gotosocial";
+ ensureDBOwnership = true;
+ }
+ {
+ name = "gitea";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+}
diff --git a/modules/nixos/shared-packages/server-settings/postgres/upgrade.nix b/modules/nixos/shared-packages/server-settings/postgres/upgrade.nix
new file mode 100644
index 0000000..081a123
--- /dev/null
+++ b/modules/nixos/shared-packages/server-settings/postgres/upgrade.nix
@@ -0,0 +1,36 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ environment.systemPackages = [
+ (let
+ # XXX specify the postgresql package you'd like to upgrade to.
+ # Do not forget to list the extensions you need.
+ newPostgres = pkgs.postgresql_16.withPackages (pp: [
+ # pp.plv8
+ ]);
+ in
+ pkgs.writeScriptBin "upgrade-pg-cluster" ''
+ set -eux
+ # XXX it's perhaps advisable to stop all services that depend on postgresql
+ systemctl stop postgresql
+
+ export NEWDATA="/var/lib/postgresql/${newPostgres.psqlSchema}"
+
+ export NEWBIN="${newPostgres}/bin"
+
+ export OLDDATA="${config.services.postgresql.dataDir}"
+ export OLDBIN="${config.services.postgresql.package}/bin"
+
+ install -d -m 0700 -o postgres -g postgres "$NEWDATA"
+ cd "$NEWDATA"
+ sudo -u postgres $NEWBIN/initdb -D "$NEWDATA"
+
+ sudo -u postgres $NEWBIN/pg_upgrade \
+ --old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \
+ --old-bindir $OLDBIN --new-bindir $NEWBIN \
+ "$@"
+ '')
+ ];
+}
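Review bot: In upgrade.nix `newPostgres` is `pkgs.postgresql_16`, the same major that postgres/default.nix sets as `services.postgresql.package`, so as committed the script cannot perform an upgrade: `$NEWDATA` is `/var/lib/postgresql/16`, and if `dataDir` keeps the module default (set outside this diff) that is also `$OLDDATA`, so `initdb` aborts on a non-empty directory before `pg_upgrade` runs. The `XXX` comment does say to bump the version first, but a guard after the exports such as `[ "$NEWDATA" != "$OLDDATA" ] || { echo "new and old data directories are identical" >&2; exit 1; }` would turn a confusing failure into a clear one. `$NEWBIN` and `$OLDBIN` are unquoted in the `sudo -u postgres` lines while `$NEWDATA`/`$OLDDATA` are quoted; quote them consistently, especially with `set -u` in effect. The comment about stopping dependent services is still open: the consumers listed in default.nix's `ensureDatabases` (nextcloud, onlyoffice, …) keep running while only `postgresql` is stopped.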
diff --git a/modules/nixos/shared-packages/server-settings/roundcube/default.nix b/modules/nixos/shared-packages/server-settings/roundcube/default.nix
new file mode 100644
index 0000000..59ee43d
--- /dev/null
+++ b/modules/nixos/shared-packages/server-settings/roundcube/default.nix
@@ -0,0 +1,39 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ # TODO: Figure out how to create packages for some plugins for roundcube!
+ # https://packagist.org/search/?query=roundcube
+ # https://discourse.nixos.org/t/roundcube-with-plugins/28292/7
+ services.roundcube = {
+ enable = true;
+ package = pkgs.roundcube.withPlugins (
+ plugins: [
+ plugins.contextmenu
+ plugins.carddav
+ plugins.custom_from
+ plugins.persistent_login
+ plugins.thunderbird_labels
+ ]
+ );
+ plugins = [
+ "contextmenu"
+ "carddav"
+ "custom_from"
+ "persistent_login"
+ "thunderbird_labels"
+ ];
+
+ # this is the url of the vhost, not necessarily the same as the fqdn of
+ # the mailserver
+ hostName = "webmail.lillianviolet.dev";
+ extraConfig = ''
+ # starttls needed for authentication, so the fqdn required to match
+ # the certificate
+ $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
+ $config['smtp_user'] = "%u";
+ $config['smtp_pass'] = "%p";
+ '';
+ };
+}
diff --git a/modules/nixos/shared-packages/server-settings/writefreely/default.nix b/modules/nixos/shared-packages/server-settings/writefreely/default.nix
new file mode 100644
index 0000000..aeb9fa2
--- /dev/null
+++ b/modules/nixos/shared-packages/server-settings/writefreely/default.nix
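Review bot: The plugin list is written twice in `services.roundcube`, once as attribute references inside `withPlugins` and once as strings in `plugins`; nothing keeps the two in lockstep, so adding a plugin to one and not the other either ships code that is never enabled or enables a plugin that was never packaged. Derive both from one list, as below. Separately, `$config['smtp_server']` is the pre-1.6 name of this option, which current Roundcube releases document as `smtp_host`; if the packaged release still maps the legacy name this is cosmetic, otherwise the setting is silently ignored and the default SMTP host is used, so verify against the version `pkgs.roundcube` provides.

```nix
  services.roundcube = let
    pluginNames = [
      "contextmenu"
      "carddav"
      "custom_from"
      "persistent_login"
      "thunderbird_labels"
    ];
  in {
    enable = true;
    package = pkgs.roundcube.withPlugins (plugins: map (name: plugins.${name}) pluginNames);
    plugins = pluginNames;
    # … unchanged: hostName, extraConfig …
  };
```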
@@ -0,0 +1,39 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ sops.secrets."writefreely".mode = "0440";
+ sops.secrets."writefreely".owner = config.users.users.writefreely.name;
+ sops.secrets."writefreelymysql".mode = "0440";
+ sops.secrets."writefreelymysql".owner = config.users.users.writefreely.name;
+ services.writefreely = {
+ enable = true;
+ host = "writefreely.gladtherescake.eu";
+ nginx.enable = true;
+ nginx.forceSSL = true;
+ acme.enable = true;
+ # database = {
+ # type = "mysql";
+ # createLocally = true;
+ # passwordFile = config.sops.secrets."writefreelymysql".path;
+ # };
+ admin = {
+ initialPasswordFile = config.sops.secrets."writefreely".path;
+ name = "GLaDTheresCake";
+ };
+ settings = {
+ app = {
+ min_username_len = 2;
+ max_blogs = 100;
+ default_visibility = "public";
+ federation = true;
+ local_timeline = true;
+ };
+ server.port = 1212;
+ };
+ };
+ systemd.services.writefreely = {
+ path = [pkgs.libressl];
+ };
+}
diff --git a/modules/nixos/sops/default.nix b/modules/nixos/sops/default.nix
new file mode 100644
index 0000000..bb15447
--- /dev/null
+++ b/modules/nixos/sops/default.nix
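Review bot: `sops.secrets."writefreelymysql"` is declared (decrypted into the secrets directory with mode `0440`, owned by the writefreely user) but its only consumer, the `database` block, is commented out, so the MySQL password is materialized on the host with nothing reading it. Either drop the two `writefreelymysql` lines until the database block is restored, or restore the block now. Stylistically, the four `sops.secrets."…".mode`/`.owner` lines would read more clearly as one attrset per secret, e.g. `sops.secrets."writefreely" = { mode = "0440"; owner = config.users.users.writefreely.name; };`.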
@@ -0,0 +1,44 @@
+{ lib, config, ...}:
+let cfg = config.sopsSetup; in {
+ options = {
+ sopsSetup.enable = lib.mkEnableOption "Enable Module";
+ global.desktop= lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = "Whether or not to install shared desktop secrets.";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ sops = {
+ age.keyFile = "/var/secrets/keys.txt";
+ secrets."lillian-password".neededForUsers = true;
+
+ defaultSopsFile = ../hosts/${config.networking.hostName}/secrets/sops.yaml;
+
+ secrets."wg-private-key".mode = "0440";
+ secrets."wg-private-key".owner = config.users.users.root.name;
+
+ secrets."ssh-private-key" = {
+ mode = "0600";
+ owner = config.users.users.lillian.name;
+ path = "/home/lillian/.ssh/id_ed25519";
+ };
+ };
+ secrets."nextcloud-password" = lib.mkIf (cfg.desktop == true) {
+ mode = "0600";
+ owner = config.users.users.lillian.name;
+ path = "/home/lillian/.netrc";
+ };
+ secrets."prod.keys" = lib.mkIf (cfg.desktop == true) {
+ mode = "0600";
+ owner = config.users.users.lillian.name;
+ path = "/home/lillian/.config/Ryujinx/system/prod.keys";
+ };
+ secrets."title.keys" = lib.mkIf (cfg.desktop == true) {
+ mode = "0600";
+ owner = config.users.users.lillian.name;
+ path = "/home/lillian/.config/Ryujinx/system/title.keys";
+ };
+ };
+}
diff --git a/modules/nixos/stylix/background.jpg b/modules/nixos/stylix/background.jpg
new file mode 100644
index 0000000..2ad658c
Binary files /dev/null and b/modules/nixos/stylix/background.jpg differ
diff --git a/modules/nixos/stylix/default.nix b/modules/nixos/stylix/default.nix
new file mode 100644
index 0000000..2154be0
--- /dev/null
+++ b/modules/nixos/stylix/default.nix
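Review bot: The `secrets."nextcloud-password"`, `secrets."prod.keys"` and `secrets."title.keys"` definitions sit after the `};` that closes `sops = { … }` (the 44-line count confirms two closing braces follow `id_ed25519`), so they define `config.secrets.*` rather than `config.sops.secrets.*`; unless some other module declares a top-level `secrets` option, evaluation fails with an undefined-option error whenever `sopsSetup.enable` is set. They also test `cfg.desktop`, i.e. `config.sopsSetup.desktop`, while the flag is declared as `global.desktop`, so that attribute does not exist either. Move the three blocks inside `sops` and declare the flag under `sopsSetup` (or read `config.global.desktop`); `lib.mkIf cfg.desktop` suffices, the `== true` comparison on a bool option is redundant.

```nix
  options = {
    sopsSetup.enable = lib.mkEnableOption "Enable Module";
    sopsSetup.desktop = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = "Whether or not to install shared desktop secrets.";
    };
  };

  config = lib.mkIf cfg.enable {
    sops = {
      # … unchanged: age.keyFile, defaultSopsFile, lillian-password, wg-private-key, ssh-private-key …
      secrets."nextcloud-password" = lib.mkIf cfg.desktop {
        mode = "0600";
        owner = config.users.users.lillian.name;
        path = "/home/lillian/.netrc";
      };
      # … "prod.keys" and "title.keys" move here in the same way …
    };
  };
```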
@@ -0,0 +1,60 @@
+ { lib, config, pkgs, ...}:
+let cfg = config.stylixSetup; in {
+ options = {
+ stylixSetup.enable = lib.mkEnableOption "Enable Module";
+ };
+ config = lib.mkIf cfg.enable {
+ stylix = {
+ # targets.qt.platform = lib.mkForce "kde";
+ enable = true;
+ # targets.qt.platform = "kde6";
+ autoEnable = true;
+ base16Scheme = {
+ scheme = "Catppuccin Macchiato Mauve";
+ author = "https://github.com/catppuccin/catppuccin";
+ base00 = "24273a";
+ base01 = "1e2030";
+ base02 = "363a4f";
+ base03 = "494d64";
+ base04 = "5b6078";
+ base05 = "cad3f5";
+ base06 = "f4dbd6";
+ base07 = "b7bdf8";
+ base08 = "ed8796";
+ base09 = "f5a97f";
+ base0A = "eed49f";
+ base0B = "a6da95";
+ base0C = "8bd5ca";
+ base0D = "c6a0f6";
+ base0E = "8aadf4";
+ base0F = "f0c6c6";
+ };
+ image = ./background.jpg;
+ cursor.package = pkgs.catppuccin-cursors.macchiatoMauve;
+ cursor.name = "catppuccin-macchiato-mauve-cursors";
+ cursor.size = 24;
+ homeManagerIntegration.followSystem = true;
+ fonts = {
+ serif = {
+ package = pkgs.atkinson-hyperlegible;
+ name = "Atkinson Hyperlegible Next";
+ };
+
+ monospace = {
+ package = pkgs.atkinson-hyperlegible-mono;
+ name = "Atkinson Hyperlegbile Mono";
+ };
+
+ sansSerif = {
+ package = pkgs.atkinson-hyperlegible;
+ name = "Atkinson Hyperlegible Next";
+ };
+
+ emoji = {
+ package = pkgs.noto-fonts-emoji-blob-bin;
+ name = "Blobmoji";
+ };
+ };
+ };
+ };
+}
diff --git a/nixos/desktop/default.nix b/nixos/desktop/default.nix
index 99c907c..361b1b4 100644
--- a/nixos/desktop/default.nix
+++ b/nixos/desktop/default.nix
@@ -57,6 +57,7 @@
 direnv
 exfat
 exfatprogs
+ gamemode
 git-filter-repo
 gnupg
 pciutils
diff --git a/nixos/shared/default.nix b/nixos/shared/default.nix
index e0f4565..baf60e9 100644
--- a/nixos/shared/default.nix
+++ b/nixos/shared/default.nix
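Review bot: `fonts.monospace.name` is `"Atkinson Hyperlegbile Mono"` — "Hyperlegbile" is misspelled, so fontconfig will not match the family shipped by `pkgs.atkinson-hyperlegible-mono` and will fall back to a default monospace face; it should read `name = "Atkinson Hyperlegible Mono";`. The serif and sansSerif entries pair `pkgs.atkinson-hyperlegible` with the family name `"Atkinson Hyperlegible Next"`; as far as I know the "Next" family comes from a different package, so confirm with `fc-list` that the package actually provides that family name. The first line of the file is indented by one space (`+ { lib, config, pkgs, ...}:`) while the sibling module in modules/nixos/sops starts at column 0.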
@@ -77,6 +77,7 @@
 rm -f /home/lillian/.config/gtk-3.0/gtk.css.backup
 rm -f /home/lillian/.config/gtk-4.0/settings.ini.backup
 rm -f /home/lillian/.config/gtk-4.0/gtk.css.backup
+ rm -r /home/lillian/.gtkrc-2.0.backup
 '';
 };
 };
diff --git a/nixos/shared/packages/package-configs/default.nix b/nixos/shared/packages/package-configs/default.nix
new file mode 100644
index 0000000..372d666
--- /dev/null
+++ b/nixos/shared/packages/package-configs/default.nix
@@ -0,0 +1,5 @@
+{...}: {
+ imports = [
+ ./firefox
+ ];
+}
diff --git a/nixos/shared/packages/package-configs/firefox/default.nix b/nixos/shared/packages/package-configs/firefox/default.nix
new file mode 100644
index 0000000..c57887f
--- /dev/null
+++ b/nixos/shared/packages/package-configs/firefox/default.nix
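Review bot: The added `rm -r /home/lillian/.gtkrc-2.0.backup` uses `-r` without `-f`, unlike the three `rm -f` lines above it: `.gtkrc-2.0.backup` is a regular file, so `-r` does nothing useful, and without `-f` the command fails when the file is absent, which aborts the whole script if it runs under `set -e` (the script header is outside this hunk, so I cannot tell). Make it `rm -f /home/lillian/.gtkrc-2.0.backup` to match its siblings.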
@@ -0,0 +1,182 @@
+{pkgs, ...}: {
+ programs.firefox = {
+ enable = true;
+ package = pkgs.librewolf;
+ policies = {
+ DisableTelemetry = true;
+ DisableFirefoxStudies = true;
+ DisablePocket = true;
+ DisableFirefoxAccounts = true;
+ DisableAccounts = true;
+ DisableProfileImport = true;
+ OverrideFirstRunPage = "";
+ OverridePostUpdatePage = "";
+ DontCheckDefaultBrowser = true;
+ DisplayBookmarksToolbar = "newtab";
+ ManualAppUpdateOnly = true;
+ OfferToSaveLogins = false;
+ PasswordManagerEnabled = false;
+ DownloadDirectory = "\${home}/Downloads";
+ EnableTrackingProtection = {
+ Value = true;
+ Cryptomining = true;
+ Fingerprinting = true;
+ };
+ ExtensionSettings = {
+ # "*".installation_mode = "blocked"; # blocks all addons except the ones specified below
+ # Catppuccin Macchiato - Mauve theme:
+ "{55750c61-e5f3-4d9a-898d-0643b3093678}" = {
+ install_url = "https://addons.mozilla.org/firefox/downloads/latest/catppuccin-macchiato-mauve/latest.xpi";
+ installation_mode = "force_installed";
+ };
+ # Sideberry:
+ #"{3c078156-979c-498b-8990-85f7987dd929}" = {
+ # install_url = "https://addons.mozilla.org/firefox/downloads/latest/sidebery/latest.xpi";
+ # installation_mode = "force_installed";
+ #};
+ # Privacy Badger:
+ "jid1-MnnxcxisBPnSXQ@jetpack" = {
+ install_url = "https://addons.mozilla.org/firefox/downloads/latest/privacy-badger17/latest.xpi";
+ installation_mode = "force_installed";
+ };
+ # Bitwarden:
+ "{446900e4-71c2-419f-a6a7-df9c091e268b}" = {
+ install_url = "https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/latest.xpi";
+ installation_mode = "force_installed";
+ };
+ # Libredirect:
+ "7esoorv3@alefvanoon.anonaddy.me" = {
+ install_url = "https://addons.mozilla.org/firefox/downloads/latest/libredirect/latest.xpi";
+ installation_mode = "force_installed";
+ };
+ # DarkReader:
+ "addon@darkreader.org" = {
+ install_url = "https://addons.mozilla.org/firefox/downloads/latest/darkreader/latest.xpi";
+ installation_mode = "force_installed";
+ };
+ # SimpleLogin:
+ "addon@simplelogin" = {
+ install_url = "https://addons.mozilla.org/firefox/downloads/latest/simplelogin/latest.xpi";
+ installation_mode = "force_installed";
+ };
+ # Cookie Auto Delete:
+ "CookieAutoDelete@kennydo.com" = {
+ install_url = "https://addons.mozilla.org/firefox/downloads/latest/cookie-autodelete/latest.xpi";
+ installation_mode = "force_installed";
+ };
+ # Don't fuck with paste:
+ "DontFuckWithPaste@raim.ist" = {
+ install_url = "https://addons.mozilla.org/firefox/downloads/latest/don-t-fuck-with-paste/latest.xpi";
+ installation_mode = "force_installed";
+ };
+ # Firefox pwas:
+ "firefoxpwa@filips.si" = {
+ install_url = "https://addons.mozilla.org/firefox/downloads/latest/pwas-for-firefox/latest.xpi";
+ installation_mode = "force_installed";
+ };
+ # Consent o matic:
+ "gdpr@cavi.au.dk" = {
+ install_url = "https://addons.mozilla.org/firefox/downloads/latest/consent-o-matic/latest.xpi";
+ installation_mode = "force_installed";
+ };
+ # Mailvelope:
+ "jid1-AQqSMBYb0a8ADg@jetpack" = {
+ install_url = "https://addons.mozilla.org/firefox/downloads/latest/mailvelope/latest.xpi";
+ installation_mode = "force_installed";
+ };
+ # KDE connect:
+ "kde-connect@0xc0dedbad.com" = {
+ install_url = "https://addons.mozilla.org/firefox/downloads/latest/kde-connect/latest.xpi";
+ installation_mode = "force_installed";
+ };
+ # Plasma browser integration:
+ "plasma-browser-integration@kde.org" = {
+ install_url = "https://addons.mozilla.org/firefox/downloads/latest/plasma-integration/latest.xpi";
+ installation_mode = "force_installed";
+ };
+ # Shinigami eyes:
+ "shinigamieyes@shinigamieyes" = {
+ install_url = "https://addons.mozilla.org/firefox/downloads/latest/shinigami-eyes/latest.xpi";
+ installation_mode = "force_installed";
+ };
+ # uBlock Origin:
+ "uBlock0@raymondhill.net" = {
+ install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi";
+ installation_mode = "force_installed";
+ };
+ # uBlock Scope:
+ "uBO-Scope@raymondhill.net" = {
+ install_url = "https://addons.mozilla.org/firefox/downloads/latest/ubo-scope/latest.xpi";
+ installation_mode = "force_installed";
+ };
+ # Wayback machine:
+ "wayback_machine@mozilla.org" = {
+ install_url = "https://addons.mozilla.org/firefox/downloads/file/4047136/wayback_machine_new-3.2.xpi";
+ installation_mode = "force_installed";
+ };
+ # Tree Style Tabs
+ # "treestyletab@piro.sakura.ne.jp" = {
+ # install_url = "https://addons.mozilla.org/firefox/downloads/latest/tree-style-tab/latest.xpi";
+ # installation_mode = "force_installed";
+ # };
+ # Adaptive Tab Bar Colour
+ "ATBC@EasonWong" = {
+ install_url = "https://addons.mozilla.org/firefox/downloads/latest/Adaptive-Tab-Bar-Colour/latest.xpi";
+ installation_mode = "force_installed";
+ };
+ };
+ FirefoxHome = {
+ Search = true;
+ TopSites = false;
+ SponsoredTopSites = false;
+ Highlights = false;
+ Pocket = false;
+ SponsoredPocket = false;
+ Snippets = false;
+ };
+ FirefoxSuggest = {
+ WebSuggestions = false;
+ SponsoredSuggestions = false;
+ ImproveSuggest = false;
+ };
+ Preferences = {
+ "browser.compactmode.show" = true;
+ "browser.uidensity" = 0;
+ # "browser.newtabpage.activity-stream.feeds.topsites" = false;
+ "browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
+ "browser.newtabpage.activity-stream.showSponsored" = false;
+ "browser.newtabpage.activity-stream.system.showSponsored" = false;
+ "font.name.serif.x-western" = "Crimson";
+ "font.name.sans-serif.x-western" = "Atkinson Hyperlegible";
+ "font.name.monospace.x-western" = "FiraCode Nerd Font";
+ "font.size.variable.x-western" = 14;
+ "floorp.browser.sidebar.useIconProvider" = "duckduckgo";
+ "floorp.browser.tabbar.settings" = 2;
+ "floorp.browser.tabs.verticaltab" = true;
+ "floorp.tabbar.style" = 2;
+ "floorp.browser.user.interface" = 8;
+ "signon.rememberSignons" = true;
+ "browser.ml.chat.enabled" = false;
+ "browser.ml.chat.shortcuts" = false;
+ };
+ # TODO: switch to ManagedBookmarks as this will be dropped at some point https://mozilla.github.io/policy-templates/#managedbookmarks
+ # Bookmarks = [
+ # {
+ # Title = "NixOS wiki";
+ # Placement = "toolbar";
+ # URL = "https://nixos.wiki/";
+ # }
+ # {
+ # Title = "NixOS options";
+ # Placement = "toolbar";
+ # URL = "https://nixos.org/manual/nixos/stable/options";
+ # }
+ # {
+ # Title = "NixOS home-manager options";
+ # Placement = "toolbar";
+ # URL = "https://nix-community.github.io/home-manager/options.xhtml";
+ # }
+ # ];
+ };
+ };
+}
diff --git a/nixos/shared/preservation.nix b/nixos/shared/preservation.nix
index 372ddb2..3a4606f 100644
--- a/nixos/shared/preservation.nix
+++ b/nixos/shared/preservation.nix
@@ -120,6 +120,7 @@
 ".thunderbird"
 "Code"
 "Writing"
+ "Games"
 ".config/kdeconnect"
 ".config/Nextcloud"
 ".config/noisetorch"
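Review bot: `Preferences."signon.rememberSignons" = true` contradicts `OfferToSaveLogins = false` and `PasswordManagerEnabled = false` earlier in the same `policies` block (and Bitwarden is force-installed), so the evident intent is no built-in password storage; set it to `false` or drop the line so the policies agree instead of fighting over the same pref. The `floorp.*` preferences have no effect under `package = pkgs.librewolf` and read as leftovers from a Floorp profile; remove them or leave a comment saying why they are kept. The Wayback Machine entry pins a specific xpi (`downloads/file/4047136/wayback_machine_new-3.2.xpi`) while every other extension uses a `latest.xpi` URL, so that one extension is frozen at an old release with no update path; if that is deliberate a comment should say so, otherwise use the `latest` URL like the others. The commented-out `"*".installation_mode = "blocked"` line is the only thing that would restrict installs to this allow-list, so a short note on whether leaving it disabled is intended would help.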