liv/nixos-config
1
0
Fork 0
mirror of https://github.com/Ahwxorg/nixos-config.git synced 2025-12-04 15:00:13 +01:00
Code Issues 1 Projects Releases Packages Wiki Activity Actions

flake: update (merge)

Browse source
This commit is contained in:
Ahwx 2024-08-20 18:13:46 +02:00
commit 37a205804e
13 changed files with 174 additions and 206 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.gitignore vendored
View file

@ -1,2 +1,2 @@
secrets/
modules/services/matrix/secrets.yaml
modules/services/matrix/default.nix

44
flake.lock generated
View file

@ -1,5 +1,6 @@
{
"nodes": {
<<<<<<< HEAD
"agenix": {
"inputs": {
"darwin": "darwin",
@ -23,6 +24,8 @@
"type": "github"
}
},
=======
>>>>>>> refs/remotes/origin/master
"alejandra": {
"inputs": {
"fenix": "fenix",
@ -338,27 +341,6 @@
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703113217,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
@ -457,7 +439,7 @@
"nixpkgs": [
"nixpkgs"
],
"systems": "systems_2",
"systems": "systems",
"xdph": "xdph"
},
"locked": {
@ -901,11 +883,10 @@
},
"root": {
"inputs": {
"agenix": "agenix",
"alejandra": "alejandra",
"catppuccin": "catppuccin",
"catppuccin-bat": "catppuccin-bat",
"home-manager": "home-manager_2",
"home-manager": "home-manager",
"hypr-contrib": "hypr-contrib",
"hyprland": "hyprland",
"hyprpicker": "hyprpicker",
@ -934,21 +915,6 @@
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",

11
flake.nix
View file

@ -30,16 +30,9 @@
url = "github:catppuccin/bat";
flake = false;
};
agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "nixpkgs";
iceshrimp = {
url = "git+https://iceshrimp.dev/iceshrimp/packaging";
};
};
outputs = { nixpkgs, self, iceshrimp, agenix, catppuccin, ...} @ inputs:
outputs = { nixpkgs, self, iceshrimp, catppuccin, ...} @ inputs:
let
selfPkgs = import ./pkgs;
username = "liv";
@ -73,7 +66,7 @@
modules = [(
import ./hosts/violet
)];
specialArgs = { host="violet"; inherit self inputs username agenix iceshrimp ; };
specialArgs = { host="violet"; inherit self inputs username iceshrimp ; };
};
vm = nixpkgs.lib.nixosSystem {

3
hosts/violet/default.nix
View file

@ -1,11 +1,10 @@
{ pkgs, config, iceshrimp, agenix, ... }:
{ pkgs, config, iceshrimp, ... }:
{
imports = [
./hardware-configuration.nix
./../../modules/core
./../../modules/services/violet.nix
iceshrimp.nixosModules.default
agenix.nixosModules.default
];
networking.hostName = "violet";

1
modules/home/packages.nix
View file

@ -22,6 +22,7 @@
gimp
darktable
lazygit
gitleaks # TODO: adds pre-commit hook
libreoffice
xfce.thunar
prismlauncher

41
modules/services/iceshrimp.nix
View file

@ -2,26 +2,29 @@
{
services = {
postgresql = {
enable = true;
initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
};
# postgresql = {
# enable = true;
# initialScript = pkgs.writeText "iceshrimp.sql" ''
# CREATE ROLE "iceshrimp" WITH LOGIN PASSWORD 'uph2reeloo3aeDae4muc';
# CREATE DATABASE "iceshrimp" WITH OWNER "iceshrimp"
# TEMPLATE template0
# LC_COLLATE = "C"
# LC_CTYPE = "C";
# '';
# };
iceshrimp = {
enable = true;
settings = {
url = "https://fedi.liv.town"; # The domain your Iceshrimp UI will be served on.
settings.db.host = "/run/postgresql"; # omitting this setting causes some configurations to fail
};
dbPasswordFile = /var/iceshrimp/dbPasswordFile;
secretConfig = /var/iceshrimp/secretConfig.yml;
};
# > "@liv the nix package is sadly broken at the moment"
# iceshrimp = {
# enable = true;
# settings = {
# configureNginx = true;
# createDb = true;
# url = "https://fedi.liv.town"; # The domain your Iceshrimp UI will be served on.
# # settings.db.host = "/run/postgresql"; # omitting this setting causes some configurations to fail
# };
# dbPasswordFile = /var/iceshrimp/dbPasswordFile;
# secretConfig = /var/iceshrimp/secretConfig.yml;
# };
};
}

21
modules/services/invidious.nix Normal file
View file

@ -0,0 +1,21 @@
{ config, ... }:
{
services.invidious = {
enable = true;
port = 8001;
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
clientMaxBodySize = "40M";
virtualHosts = {
"video.liv.town" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://127.0.0.1:${toString config.services.invidious.port}";
};
};
};
}

22
modules/services/liv-town.nix Normal file
View file

@ -0,0 +1,22 @@
{ ... }:
{
virtualisation.docker = {
enable = true;
autoPrune.enable = true;
# enableNvidia = true;
};
users.users.liv = {
extraGroups = [ "docker" ];
};
virtualisation.oci-containers = {
backend = "docker";
containers."livdottown" = {
image = "ghcr.io/ahwxorg/liv.town:latest";
ports = [
"0.0.0.0:4321:8080"
];
};
};
}

136
modules/services/matrix/default.nix
View file

@ -1,136 +0,0 @@
{ pkgs, lib, config, agenix, ... }:
let
fqdn = "liv.town";
baseUrl = "https://${fqdn}";
clientConfig."m.homeserver".base_url = baseUrl;
serverConfig."m.server" = "${fqdn}:443";
mkWellKnown = data: ''
default_type application/json;
# add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in {
security.acme = {
acceptTerms = true;
defaults.email = "ahwx@ahwx.org";
};
services = {
# postgresql.enable = true;
# postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
# CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
# CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
# TEMPLATE template0
# LC_COLLATE = "C"
# LC_CTYPE = "C";
# '';
nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
# Hardened TLS and HSTS preloading
appendHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests.
# Do not add HSTS header to HTTP requests.
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
# Enable CSP for your services.
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame
add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
# This might create errors
# proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
virtualHosts = {
# If the A and AAAA DNS records on example.org do not point on the same host as the
# records for myhostname.example.org, you can easily move the /.well-known
# virtualHost section of the code to the host that is serving example.org, while
# the rest stays on myhostname.example.org with no other changes required.
# This pattern also allows to seamlessly move the homeserver from
# myhostname.example.org to myotherhost.example.org by only changing the
# /.well-known redirection target.
"${fqdn}" = {
enableACME = true;
forceSSL = true;
# This section is not needed if the server_name of matrix-synapse is equal to
# the domain (i.e. example.org from @foo:example.org) and the federation port
# is 8448.
# Further reference can be found in the docs about delegation under
# https://element-hq.github.io/synapse/latest/delegate.html
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
# This is usually needed for homeserver discovery (from e.g. other Matrix clients).
# Further reference can be found in the upstream docs at
# https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
# It's also possible to do a redirect here or something else, this vhost is not
# needed for Matrix. It's recommended though to *not put* element
# here, see also the section about Element.
locations."/".extraConfig = ''
return 404;
'';
# Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
# *must not* be used here.
locations."/_matrix".proxyPass = "http://[::1]:8008";
# Forward requests for e.g. SSO and password-resets.
locations."/_synapse/client".proxyPass = "http://[::1]:8008";
locations."wp-login.php".return = "301 https://hil-speed.hetzner.com/10GB.bin";
};
};
};
postgresql = {
enable = true;
initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
};
matrix-synapse = {
enable = true;
settings = {
database.name = "psycopg2";
database.args = {
user = "matrix-synapse";
password = "synapse";
};
server_name = "${fqdn}";
public_baseurl = "https://${fqdn}";
enable_registration = false;
registration_shared_secret = config.age.secrets.matrix-synapse;
#macaroon_secret_key = config.age.secrets.matrix-synapse;
listeners = [
{ port = 8008;
bind_addresses = [ "::1" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [ {
names = [ "client" "federation" ];
compress = true;
} ];
}
];
};
};
};
}

3
modules/services/matrix/secrets.yaml Normal file
View file

@ -0,0 +1,3 @@
registration_shared_secret: ""
report_stats: false

7
modules/services/mumble.nix Normal file
View file

@ -0,0 +1,7 @@
{ ... }:
{
services.murmur = {
enable = true;
openFirewall = true;
};
}

87
modules/services/nextcloud.nix Normal file
View file

@ -0,0 +1,87 @@
{ config, ... }:
{
security.acme = {
acceptTerms = true;
preliminarySelfsigned = false;
defaults = {
email = "ahwx@ahwx.org";
};
};
services.nextcloud = {
enable = true;
home = "/var/nextcloud/home";
https = true;
configureRedis = false; # caching
maxUploadSize = "10G";
hostName = "cloud.liv.town";
config = {
adminuser = "liv";
adminpassFile = "/var/nextcloud/AdminPass";
};
settings = {
trusted_domains = [
"cloud.liv.town"
];
enabledPreviewProviders = [
"OC\\Preview\\BMP"
"OC\\Preview\\GIF"
"OC\\Preview\\JPEG"
"OC\\Preview\\Krita"
"OC\\Preview\\MarkDown"
"OC\\Preview\\MP3"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\PNG"
"OC\\Preview\\TXT"
"OC\\Preview\\XBitmap"
"OC\\Preview\\HEIC"
];
};
};
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# Hardened TLS and HSTS preloading
appendHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests.
# Do not add HSTS header to HTTP requests.
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
# Enable CSP for your services.
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame
add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
# This might create errors
# proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
virtualHosts = {
"${config.services.nextcloud.hostName}" = {
enableACME = true;
forceSSL = true;
locations = {
"/".proxyPass = "http://localhost:8080";
"/".proxyWebsockets = true;
};
};
};
};
}

2
modules/services/violet.nix
View file

@ -1,6 +1,8 @@
{ ...}: {
imports =
[(import ./iceshrimp.nix)]
++ [(import ./invidious.nix)]
++ [(import ./mumble.nix)]
++ [(import ./matrix/default.nix)];
# ++ [(import ./tmux.nix)];
}