This commit is contained in:
@@ -9,11 +9,6 @@ in
|
||||
config = {
|
||||
my = {
|
||||
secrets.files = {
|
||||
"dhparams.pem" = {
|
||||
owner = "acme";
|
||||
group = "acme";
|
||||
mode = "440";
|
||||
};
|
||||
"britway/cloudflare-credentials.conf" = {
|
||||
owner = "acme";
|
||||
group = "acme";
|
||||
@@ -45,7 +40,7 @@ in
|
||||
"*.${pubDomain}"
|
||||
];
|
||||
dnsProvider = "cloudflare";
|
||||
credentialsFile = config.age.secrets."britway/cloudflare-credentials.conf".path;
|
||||
environmentFile = config.age.secrets."britway/cloudflare-credentials.conf".path;
|
||||
};
|
||||
};
|
||||
};
|
||||
@@ -58,7 +53,6 @@ in
|
||||
logError = "stderr info";
|
||||
recommendedTlsSettings = true;
|
||||
serverTokens = true;
|
||||
sslDhparam = config.age.secrets."dhparams.pem".path;
|
||||
|
||||
# Based on recommended*Settings, but probably better to be explicit about these
|
||||
appendHttpConfig = ''
|
||||
|
||||
@@ -44,7 +44,7 @@ in
|
||||
};
|
||||
|
||||
pdns-recursor = {
|
||||
yaml-settings = {
|
||||
settings = {
|
||||
incoming = {
|
||||
listen = [
|
||||
"127.0.0.1" "::1"
|
||||
|
||||
@@ -95,7 +95,7 @@ in
|
||||
"*.${pubDomain}"
|
||||
];
|
||||
dnsProvider = "cloudflare";
|
||||
credentialsFile = config.age.secrets."middleman/cloudflare-credentials.conf".path;
|
||||
environmentFile = config.age.secrets."middleman/cloudflare-credentials.conf".path;
|
||||
};
|
||||
};
|
||||
};
|
||||
@@ -111,7 +111,6 @@ in
|
||||
recommendedTlsSettings = true;
|
||||
clientMaxBodySize = "0";
|
||||
serverTokens = true;
|
||||
sslDhparam = config.age.secrets."dhparams.pem".path;
|
||||
|
||||
# Based on recommended*Settings, but probably better to be explicit about these
|
||||
appendHttpConfig = ''
|
||||
@@ -182,11 +181,6 @@ in
|
||||
secrets = {
|
||||
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP+KINpHLMduBuW96JzfSRDLUzkI+XaCBghu5/wHiW5R";
|
||||
files = {
|
||||
"dhparams.pem" = {
|
||||
owner = "acme";
|
||||
group = "acme";
|
||||
mode = "440";
|
||||
};
|
||||
"middleman/cloudflare-credentials.conf" = {
|
||||
owner = "acme";
|
||||
group = "acme";
|
||||
|
||||
@@ -13,6 +13,7 @@ in
|
||||
"/var/lib/machines/jam" = {
|
||||
device = "/mnt/jam";
|
||||
options = [ "bind" ];
|
||||
fsType = "none";
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
@@ -198,18 +198,17 @@ in
|
||||
|
||||
mautrix-whatsapp = {
|
||||
enable = true;
|
||||
package = pkgs.mautrix-whatsapp.overrideAttrs (o: rec {
|
||||
# TODO: Remove when upgrading nixpkgs
|
||||
version = "26.05";
|
||||
tag = "v0.2605.0";
|
||||
src = pkgs.fetchFromGitHub {
|
||||
owner = "mautrix";
|
||||
repo = "whatsapp";
|
||||
inherit tag;
|
||||
hash = "sha256-WlVfGQoP9e/wl98hUJei8O2JMcOKijoEY8XuU/z69Qk=";
|
||||
};
|
||||
vendorHash = "sha256-Hi/dZHJHoTTCnxLXgbkcYzuzis4fl5kxb5wMd9fKTY8=";
|
||||
});
|
||||
# package = pkgs.mautrix-whatsapp.overrideAttrs (o: rec {
|
||||
# version = "26.05";
|
||||
# tag = "v0.2605.0";
|
||||
# src = pkgs.fetchFromGitHub {
|
||||
# owner = "mautrix";
|
||||
# repo = "whatsapp";
|
||||
# inherit tag;
|
||||
# hash = "sha256-WlVfGQoP9e/wl98hUJei8O2JMcOKijoEY8XuU/z69Qk=";
|
||||
# };
|
||||
# vendorHash = "sha256-Hi/dZHJHoTTCnxLXgbkcYzuzis4fl5kxb5wMd9fKTY8=";
|
||||
# });
|
||||
environmentFile = config.age.secrets."chatterbox/mautrix-whatsapp.env".path;
|
||||
settings = {
|
||||
database = {
|
||||
@@ -254,18 +253,17 @@ in
|
||||
};
|
||||
};
|
||||
|
||||
# TODO: Remove when upgrading nixpkgs
|
||||
mautrix-meta.package = pkgs.mautrix-meta.overrideAttrs (o: rec {
|
||||
version = "26.05.1";
|
||||
tag = "v0.2605.1";
|
||||
src = pkgs.fetchFromGitHub {
|
||||
owner = "mautrix";
|
||||
repo = "meta";
|
||||
inherit tag;
|
||||
hash = "sha256-zpolDtwGulDTiojJPnkj9O0D5b4rgPYQX6A28rvuvM0=";
|
||||
};
|
||||
vendorHash = "sha256-+i45bXBhlXPXX24VMS9IJLLX+i4VPnqy5RAH4j88sTA=";
|
||||
});
|
||||
# mautrix-meta.package = pkgs.mautrix-meta.overrideAttrs (o: rec {
|
||||
# version = "26.05.1";
|
||||
# tag = "v0.2605.1";
|
||||
# src = pkgs.fetchFromGitHub {
|
||||
# owner = "mautrix";
|
||||
# repo = "meta";
|
||||
# inherit tag;
|
||||
# hash = "sha256-zpolDtwGulDTiojJPnkj9O0D5b4rgPYQX6A28rvuvM0=";
|
||||
# };
|
||||
# vendorHash = "sha256-+i45bXBhlXPXX24VMS9IJLLX+i4VPnqy5RAH4j88sTA=";
|
||||
# });
|
||||
mautrix-meta.instances = {
|
||||
messenger = {
|
||||
enable = true;
|
||||
|
||||
@@ -60,10 +60,10 @@ in
|
||||
transmission.extraGroups = [ "media" ];
|
||||
radarr.extraGroups = [ "media" ];
|
||||
sonarr.extraGroups = [ "media" ];
|
||||
jellyseerr = {
|
||||
seerr = {
|
||||
isSystemUser = true;
|
||||
uid = uids.jellyseerr;
|
||||
group = "jellyseerr";
|
||||
group = "seerr";
|
||||
};
|
||||
photoprism = {
|
||||
isSystemUser = true;
|
||||
@@ -77,7 +77,7 @@ in
|
||||
};
|
||||
groups = {
|
||||
media.gid = 2000;
|
||||
jellyseerr.gid = gids.jellyseerr;
|
||||
seerr.gid = gids.jellyseerr;
|
||||
photoprism.gid = gids.photoprism;
|
||||
copyparty.gid = gids.copyparty;
|
||||
};
|
||||
@@ -88,15 +88,15 @@ in
|
||||
jackett.bindsTo = [ "systemd-networkd-wait-online@vpn.service" ];
|
||||
transmission.bindsTo = [ "systemd-networkd-wait-online@vpn.service" ];
|
||||
|
||||
radarr.serviceConfig.UMask = "0002";
|
||||
radarr.serviceConfig.UMask = mkForce "0002";
|
||||
radarr.path = with pkgs; [ ffmpeg ];
|
||||
sonarr.serviceConfig.UMask = "0002";
|
||||
sonarr.serviceConfig.UMask = mkForce "0002";
|
||||
sonarr.path = with pkgs; [ ffmpeg ];
|
||||
jellyseerr.serviceConfig = {
|
||||
seerr.serviceConfig = {
|
||||
# Needs to be able to read its secrets
|
||||
DynamicUser = mkForce false;
|
||||
User = "jellyseerr";
|
||||
Group = "jellyseerr";
|
||||
User = "seerr";
|
||||
Group = "seerr";
|
||||
};
|
||||
|
||||
# https://github.com/NixOS/nixpkgs/issues/258793#issuecomment-1748168206
|
||||
@@ -145,7 +145,7 @@ in
|
||||
jackett.enable = true;
|
||||
radarr.enable = true;
|
||||
sonarr.enable = true;
|
||||
jellyseerr = {
|
||||
seerr = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
};
|
||||
|
||||
@@ -40,11 +40,6 @@ in
|
||||
secrets = {
|
||||
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAQM9U1e/XcUCyMJITrpAHjAGahpqkZCmtX6pJkYzuks";
|
||||
files = {
|
||||
"dhparams.pem" = {
|
||||
owner = "acme";
|
||||
group = "acme";
|
||||
mode = "440";
|
||||
};
|
||||
"pdns-file-records.key" = {
|
||||
owner = "acme";
|
||||
group = "acme";
|
||||
@@ -176,7 +171,7 @@ in
|
||||
"*.${config.networking.domain}"
|
||||
];
|
||||
dnsProvider = "exec";
|
||||
credentialsFile =
|
||||
environmentFile =
|
||||
let
|
||||
script = pkgs.writeShellScript "lego-update-int.sh" ''
|
||||
case "$1" in
|
||||
@@ -207,7 +202,7 @@ in
|
||||
"*.s3.${pubDomain}"
|
||||
];
|
||||
dnsProvider = "cloudflare";
|
||||
credentialsFile = config.age.secrets."middleman/cloudflare-credentials.conf".path;
|
||||
environmentFile = config.age.secrets."middleman/cloudflare-credentials.conf".path;
|
||||
postRun =
|
||||
let
|
||||
sshKey = config.age.secrets."middleman/mailcow-ssh.key".path;
|
||||
@@ -256,7 +251,6 @@ in
|
||||
valid = "5s";
|
||||
};
|
||||
proxyResolveWhileRunning = true;
|
||||
sslDhparam = config.age.secrets."dhparams.pem".path;
|
||||
|
||||
appendConfig = ''
|
||||
worker_processes auto;
|
||||
|
||||
@@ -35,6 +35,7 @@ in
|
||||
"/var/lib/harmonia" = {
|
||||
device = "/mnt/nix-cache";
|
||||
options = [ "bind" ];
|
||||
fsType = "none";
|
||||
};
|
||||
};
|
||||
|
||||
@@ -161,6 +162,9 @@ in
|
||||
];
|
||||
};
|
||||
|
||||
# TODO/FIXME: this is bad...
|
||||
nixpkgs.config.permittedInsecurePackages = [ "minio-2025-10-15T17-29-55Z" ];
|
||||
|
||||
services = {
|
||||
minio = {
|
||||
enable = true;
|
||||
|
||||
@@ -183,7 +183,7 @@ in
|
||||
PDS_EMAIL_FROM_ADDRESS = "pds@nul.ie";
|
||||
|
||||
PDS_DID_PLC_URL = "https://plc.directory";
|
||||
PDS_INVITE_REQUIRED = 1;
|
||||
PDS_INVITE_REQUIRED = "true";
|
||||
PDS_BSKY_APP_VIEW_URL = "https://api.bsky.app";
|
||||
PDS_BSKY_APP_VIEW_DID = "did:web:api.bsky.app";
|
||||
PDS_REPORT_SERVICE_URL = "https://mod.bsky.app";
|
||||
|
||||
@@ -125,7 +125,7 @@ in
|
||||
virt-manager.enable = true;
|
||||
wireshark = {
|
||||
enable = true;
|
||||
package = pkgs.wireshark-qt;
|
||||
package = pkgs.wireshark;
|
||||
};
|
||||
};
|
||||
virtualisation.libvirtd.enable = true;
|
||||
|
||||
@@ -34,7 +34,7 @@ in
|
||||
|
||||
services = {
|
||||
pdns-recursor = {
|
||||
yaml-settings = {
|
||||
settings = {
|
||||
incoming = {
|
||||
listen = [
|
||||
"127.0.0.1" "::1"
|
||||
|
||||
@@ -73,8 +73,8 @@ in
|
||||
RootDirectory = lib.mkForce "";
|
||||
};
|
||||
|
||||
radarr.serviceConfig.UMask = "0002";
|
||||
sonarr.serviceConfig.UMask = "0002";
|
||||
radarr.serviceConfig.UMask = lib.mkForce "0002";
|
||||
sonarr.serviceConfig.UMask = lib.mkForce "0002";
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
@@ -60,7 +60,7 @@ in
|
||||
"*.${domain}"
|
||||
];
|
||||
dnsProvider = "cloudflare";
|
||||
credentialsFile = config.age.secrets."kelder/cloudflare-credentials.conf".path;
|
||||
environmentFile = config.age.secrets."kelder/cloudflare-credentials.conf".path;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
@@ -13,11 +13,6 @@ in
|
||||
owner = "nginx";
|
||||
group = "nginx";
|
||||
};
|
||||
"dhparams.pem" = {
|
||||
owner = "acme";
|
||||
group = "acme";
|
||||
mode = "440";
|
||||
};
|
||||
};
|
||||
|
||||
firewall = {
|
||||
@@ -35,7 +30,6 @@ in
|
||||
recommendedTlsSettings = true;
|
||||
clientMaxBodySize = "0";
|
||||
serverTokens = true;
|
||||
sslDhparam = config.age.secrets."dhparams.pem".path;
|
||||
|
||||
# Based on recommended*Settings, but probably better to be explicit about these
|
||||
appendHttpConfig = ''
|
||||
|
||||
@@ -112,7 +112,7 @@
|
||||
steam.enable = true;
|
||||
wireshark = {
|
||||
enable = true;
|
||||
package = pkgs.wireshark-qt;
|
||||
package = pkgs.wireshark;
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
+17
-10
@@ -38,6 +38,15 @@ in
|
||||
enable = mkDefault true;
|
||||
wheelNeedsPassword = mkDefault false;
|
||||
};
|
||||
|
||||
# TODO: Add this to fix login
|
||||
# pam = {
|
||||
# services = {
|
||||
# kmscon.rules. = mkIf config.services.kmscon.config.libseat {
|
||||
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
};
|
||||
|
||||
nix = {
|
||||
@@ -157,16 +166,14 @@ in
|
||||
};
|
||||
|
||||
services = {
|
||||
kmscon = {
|
||||
# As it turns out, kmscon hasn't been updated in years and has some bugs...
|
||||
# TODO: Remove if-else when 26.11 releases
|
||||
kmscon = if (config.system.nixos.release == "26.06:u-26.11") then {
|
||||
enable = mkDefault false;
|
||||
hwRender = mkDefault true;
|
||||
extraOptions = "--verbose";
|
||||
extraConfig =
|
||||
''
|
||||
font-name=SauceCodePro Nerd Font Mono
|
||||
'';
|
||||
};
|
||||
config = {
|
||||
hwaccel = config.hardware.graphics.enable;
|
||||
font-name = "SauceCodePro Nerd Font Mono";
|
||||
};
|
||||
} else { };
|
||||
getty.greetingLine = mkDefault' ''<<< Welcome to ${config.system.nixos.distroName} ${config.system.nixos.label} (\m) - \l >>>'';
|
||||
|
||||
openssh = {
|
||||
@@ -247,7 +254,7 @@ in
|
||||
};
|
||||
}
|
||||
(mkIf config.services.kmscon.enable {
|
||||
fonts.fonts = with pkgs; [
|
||||
fonts.packages = with pkgs; [
|
||||
nerd-fonts.sauce-code-pro
|
||||
];
|
||||
})
|
||||
|
||||
@@ -44,8 +44,7 @@ in
|
||||
swaylock-plugin
|
||||
];
|
||||
services = {
|
||||
# TODO: Remove if-else when 26.05 releases
|
||||
resolved = if (config.system.nixos.release == "25.11:u-26.05") then {
|
||||
resolved = {
|
||||
settings.Resolve = {
|
||||
FallbackDNS = mkOverride 99 (
|
||||
"1.1.1.1#cloudflare-dns.com 8.8.8.8#dns.google " +
|
||||
@@ -54,7 +53,7 @@ in
|
||||
"2606:4700:4700::1001#cloudflare-dns.com 2001:4860:4860::8844#dns.google" );
|
||||
LLMNR = "resolve";
|
||||
};
|
||||
} else { };
|
||||
};
|
||||
|
||||
pipewire = {
|
||||
enable = true;
|
||||
|
||||
@@ -13,21 +13,13 @@ in
|
||||
};
|
||||
|
||||
services.resolved = {
|
||||
# Explicitly unset fallback DNS (Nix module will not allow for a blank config)
|
||||
# TODO: Remove if-else when 26.05 releases
|
||||
} // (if config.system.nixos.release == "25.11:u-25.11" then {
|
||||
domains = [ config.networking.domain ];
|
||||
extraConfig = ''
|
||||
FallbackDNS=
|
||||
Cache=no-negative
|
||||
'';
|
||||
} else {
|
||||
settings.Resolve = {
|
||||
Domains = [ config.networking.domain ];
|
||||
# Explicitly unset fallback DNS (Nix module will not allow for a blank config)
|
||||
FallbackDNS = "";
|
||||
Cache = "no-negative";
|
||||
};
|
||||
});
|
||||
};
|
||||
}
|
||||
|
||||
(mkIf config.my.build.isDevVM {
|
||||
|
||||
@@ -165,7 +165,7 @@ let
|
||||
|
||||
extraSettingsOpt = with lib.types; mkOpt' (nullOr str) null "Path to extra settings (e.g. for secrets).";
|
||||
baseAuthSettings = pkgs.writeText "pdns.conf" (settingsToLines cfg.auth.settings);
|
||||
baseRecursorSettings = (pkgs.formats.yaml { }).generate "pdns-recursor.yaml" config.services.pdns-recursor.yaml-settings;
|
||||
baseRecursorSettings = (pkgs.formats.yaml { }).generate "pdns-recursor.yaml" config.services.pdns-recursor.settings;
|
||||
generateSettings = type: base: dst: if (cfg."${type}".extraSettingsFile != null) then ''
|
||||
oldUmask="$(umask)"
|
||||
umask 006
|
||||
|
||||
@@ -11,9 +11,7 @@ in
|
||||
config = mkIf cfg.enable {
|
||||
services = {
|
||||
getty.autologinUser = mkDefault uname;
|
||||
kmscon.autologinUser = mkDefault uname;
|
||||
# TODO: Update to Setings.Resolve.LLMNR when 26.05 releases
|
||||
resolved.llmnr = mkDefault "false";
|
||||
resolved.settings.Resolve.LLMNR = mkDefault "false";
|
||||
};
|
||||
systemd = {
|
||||
timers = {
|
||||
|
||||
@@ -336,13 +336,13 @@ in
|
||||
(persistSimpleSvc "jackett")
|
||||
(persistSimpleSvc "radarr")
|
||||
(persistSimpleSvc "sonarr")
|
||||
(mkIf config.services.jellyseerr.enable {
|
||||
(mkIf config.services.seerr.enable {
|
||||
my.tmproot.persistence.config.directories = [
|
||||
{
|
||||
directory = "/var/lib/jellyseerr";
|
||||
directory = "/var/lib/seerr";
|
||||
mode = "0750";
|
||||
user = "jellyseerr";
|
||||
group = "jellyseerr";
|
||||
user = "seerr";
|
||||
group = "seerr";
|
||||
}
|
||||
];
|
||||
})
|
||||
|
||||
Reference in New Issue
Block a user