diff --git a/host/Arc/configuration.nix b/host/Arc/configuration.nix
new file mode 100644
index 0000000..b97a8fa
--- /dev/null
+++ b/host/Arc/configuration.nix
@@ -0,0 +1,240 @@
+args@{
+ config,
+ pkgs,
+ lib,
+ nhekoSrc,
+ mtxclientSrc,
+ ...
+}:
+
+{
+ imports = [
+ # base imports
+ ../../modules/base-client.nix
+ ../../packages/vim.nix
+ ../../modules/users/Arci.nix
+
+ # hardware-specific imports
+ #./optional/hardware-specific/nvidia.nix
+
+ #./optional/gui/x11.nix
+ ./optional/gui/wayland.nix
+ ];
+
+ boot = {
+ kernelPackages = pkgs.linuxPackages_latest;
+ loader = {
+ grub = {
+ configurationLimit = 10;
+ enable = true;
+ device = "nodev"; # nodev for EFI only
+ # EFI
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ };
+ };
+ };
+ programs.noisetorch.enable = true;
+ programs.gamemode.enable = true;
+ users.users.Rory.extraGroups = [ "gamemode" ];
+ users.users.Arci.extraGroups = [ "gamemode" ];
+
+ environment.sessionVariables = {
+ ZSH_DISABLE_COMPFIX = "true";
+ };
+
+ networking = {
+ hostName = "Arc";
+ networkmanager.enable = true;
+ wireless.enable = false;
+ firewall = {
+ enable = false;
+ # allowedTCPPorts = [ ... ];
+ # allowedUDPPorts = [ ... ];
+ };
+
+ #useDHCP = true; # Doesn't work with NetworkManager, investigate
+ };
+
+ time.timeZone = "Europe/Brussels";
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ services = {
+ xserver = {
+ displayManager.gdm.enable = true;
+ displayManager.lightdm.enable = false;
+ enable = true;
+ updateDbusEnvironment = true;
+ xkb.layout = "us";
+ };
+ libinput.enable = true;
+
+ openssh = {
+ enable = true;
+ extraConfig = ''
+ MaxAuthTries 32
+ '';
+ settings.PermitRootLogin = "yes";
+ };
+ pipewire = {
+ enable = true;
+ audio.enable = true;
+ pulse.enable = true;
+ wireplumber.enable = true;
+ jack.enable = true;
+ alsa.enable = true;
+ };
+
+ desktopManager.plasma6.enable = true;
+ };
+
+ services.desktopManager.gnome.enable = false;
+ environment.systemPackages = with pkgs; [
+ eog
+ #mpv
+ #libreoffice
+ qt6.qtwayland
+
+ #easyeffects
+ kitty
+ #youtube-music
+
+ dbeaver-bin
+ vscode
+
+ # - Utilities
+ #inkscape-with-extensions
+ #gimp
+
+ # - Languages
+ #dotnet-sdk_8
+ dotnetCorePackages.sdk_9_0
+
+ #games
+ #osu-lazer-bin
+ #steam
+ steam-run
+ #steam-acf
+
+ # extra packages
+ dmenu
+
+ nemo
+ file-roller
+ firefox-bin
+ #ungoogled-chromium #needed for Rider in order to debug WASM
+
+ unrar-wrapper
+ #mangohud
+ #prismlauncher
+ #vesktop
+ #mindustry
+
+ blueman
+ ft2-clone
+ ];
+
+ programs.steam = {
+ enable = false;
+ gamescopeSession.enable = true;
+ extraCompatPackages = with pkgs; [
+ steam-play-none
+ proton-ge-bin
+ ];
+ };
+ virtualisation.waydroid.enable = false;
+
+ xdg = {
+ portal = {
+ enable = true;
+ extraPortals = with pkgs; [
+ #xdg-desktop-portal-gtk
+ xdg-desktop-portal-xapp
+ # (callPackage ../../modules/packages/xdg-desktop-portal-gtk.nix { })
+ ];
+ config = {
+ common = {
+ default = [ "gtk" ];
+ };
+ };
+ xdgOpenUsePortal = true;
+ };
+ #sounds.enable = true;
+ #mime.enable = true;
+ #menus.enable = true;
+ #icons.enable = true;
+ #autostart.enable = true;
+ };
+ fonts = {
+ packages = with pkgs; [
+ #(nerdfonts.override { fonts = [ "JetBrainsMono" ]; })
+ nerd-fonts.jetbrains-mono
+ noto-fonts-monochrome-emoji
+ ];
+ fontconfig.defaultFonts.monospace = with pkgs; [ "JetBrainsMonoNL Nerd Font,JetBrainsMonoNL NF:style=Regular" ];
+ fontconfig.defaultFonts.sansSerif = with pkgs; [ "JetBrainsMonoNL Nerd Font,JetBrainsMonoNL NF:style=Regular" ];
+ fontconfig.defaultFonts.serif = with pkgs; [ "JetBrainsMonoNL Nerd Font,JetBrainsMonoNL NF:style=Regular" ];
+ fontconfig.defaultFonts.emoji = with pkgs; [ "freefont" ];
+ enableDefaultPackages = lib.mkForce false;
+ enableGhostscriptFonts = lib.mkForce false;
+ };
+
+ nixpkgs = {
+ config = {
+ allowUnfree = true;
+ permittedInsecurePackages = [
+ "electron-25.9.0"
+ "olm-3.2.16"
+ "dotnet-sdk-wrapped-7.0.410"
+ "dotnet-sdk-7.0.410"
+ ];
+ };
+ };
+ security = {
+ polkit.enable = true;
+ sudo.wheelNeedsPassword = false;
+ };
+
+ hardware = {
+ pulseaudio.enable = false;
+ };
+
+ programs.dconf.enable = true;
+
+ #networking.wireguard.interfaces = {
+ # wg-KP-Ran = {
+
+ #};
+ # };
+
+ virtualisation.libvirtd.enable = true;
+ programs.virt-manager.enable = true;
+
+ monitoring = {
+ monitorAll = false;
+ localPrometheus = true;
+ exposePrometheus = true;
+ localGrafana = true;
+ exposeGrafana = true;
+ nginxHost = "monitoring.localhost";
+ nginxSsl = false;
+ };
+ networking.hosts."127.0.0.1" = builtins.attrNames config.services.nginx.virtualHosts;
+
+ services.gvfs.enable = true;
+ zramSwap = {
+ enable = true;
+ memoryPercent = 200;
+ };
+ services.pcscd.enable = true;
+
+ virtualisation.vmVariant = {
+ users = {
+ mutableUsers = false;
+ users.Rory.password = "password";
+ };
+ networking.interfaces.enp34s0 = lib.mkForce { };
+ };
+
+ system.stateVersion = "24.11"; # DO NOT EDIT!
+}
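Review bot: `settings.PermitRootLogin = "yes"` together with `MaxAuthTries 32` and `networking.firewall.enable = false` leaves password login as root reachable from every network this host joins, with a far larger per-connection guess budget than sshd's default of 6; `settings.PermitRootLogin = "prohibit-password";` keeps key-based root access, and the `MaxAuthTries` override can go unless something specific needs it. The same openssh block is added in host/Rory-NTFS/configuration.nix and already exists in host/Rory-desktop/configuration.nix. `hardware.pulseaudio.enable = false` here uses the old option path while this same commit moves Rory-desktop to `services.pulseaudio.enable = false`; if that rename is what prompted the Rory-desktop change, using the new path here too avoids the rename warning. `nhekoSrc` and `mtxclientSrc` in the `args@{ … }` pattern are not used anywhere in this file.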
diff --git a/host/Arc/hacks/drm-amd-3437.patch b/host/Arc/hacks/drm-amd-3437.patch
new file mode 100644
index 0000000..1867762
--- /dev/null
+++ b/host/Arc/hacks/drm-amd-3437.patch
@@ -0,0 +1,13 @@
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
+index c556c8b653fa..272ad5e4a328 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
+@@ -180,7 +180,7 @@ void amdgpu_bo_placement_from_domain(struct amdgpu_bo *abo, u32 domain)
+ * When GTT is just an alternative to VRAM make sure that we
+ * only use it as fallback and still try to fill up VRAM first.
+ */
+- if (domain & abo->preferred_domains & AMDGPU_GEM_DOMAIN_VRAM)
++ if (domain & abo->preferred_domains & AMDGPU_GEM_DOMAIN_VRAM && !(adev->flags & AMD_IS_APU))
+ places[c].flags |= TTM_PL_FLAG_FALLBACK;
+ c++;
+ }
\ No newline at end of file
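Review bot: This kernel patch is added under host/Arc/hacks, but nothing in the diff references it: host/Arc/configuration.nix has no `boot.kernelPatches`, and the Rory-desktop hunk that removes the `kernelPatches` entry (`name = "drm-amd-3437-hack"; patch = ./hacks/drm-amd-3437.patch;`) does not re-add it anywhere. If the AMD APU workaround is still wanted on Arc, that entry needs to move into Arc's configuration; otherwise the file is dead. The added condition also relies on an `adev` variable that is outside the three context lines, so the patch only applies against a kernel where amdgpu_bo_placement_from_domain already declares it — a comment naming the kernel version it was last applied to would help the next person who hits a reject.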
diff --git a/host/Arc/hooks/post-rebuild.sh b/host/Arc/hooks/post-rebuild.sh
new file mode 100755
index 0000000..30733ad
--- /dev/null
+++ b/host/Arc/hooks/post-rebuild.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env sh
+set -x
+
+git restore --staged hardware-configuration.nix
+git restore --staged Ran.ca
+git restore --staged modules/opensuse/
+git restore --staged opensuse/
\ No newline at end of file
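Review bot: The script traces with `set -x` but never stops on error, so a failing `git restore --staged` (for example when the caller's working directory is not the one these relative paths were written for) is only logged and the remaining files stay staged. The same applies to pre-rebuild.sh, which `git add -f`s the same four paths. `set -ex` plus an explicit `cd` to the intended directory at the top would make both hooks fail loudly instead; I cannot tell from the hunk which directory the paths are relative to, so the target of that `cd` needs to come from the caller's contract.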
diff --git a/host/Arc/hooks/pre-rebuild.sh b/host/Arc/hooks/pre-rebuild.sh
new file mode 100755
index 0000000..d4ec9d3
--- /dev/null
+++ b/host/Arc/hooks/pre-rebuild.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env sh
+set -x
+
+git add -f hardware-configuration.nix
+git add -f Ran.ca
+git add -f modules/opensuse/
+git add -f opensuse/
\ No newline at end of file
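Review bot: `git add -f` is only needed for paths that are gitignored, so this hook deliberately stages ignored files — including `Ran.ca`, which by its name may be certificate material — into the index for the duration of the rebuild. If the rebuild is interrupted, or anyone commits before post-rebuild.sh runs, those files land in history; a `trap` that runs the `git restore --staged` lines on exit would narrow that window. It is also worth checking that nothing sensitive (for example a private key sitting next to the CA certificate) is inside the two force-added directories, since `-f` stages everything under them.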
diff --git a/host/Rory-desktop/nginx/discord.localhost.nix b/host/Arc/nginx/discord.localhost.nix
index b40e13c..b40e13c 100755..100644
--- a/host/Rory-desktop/nginx/discord.localhost.nix
+++ b/host/Arc/nginx/discord.localhost.nix
diff --git a/host/Arc/optional/gui/wayland.nix b/host/Arc/optional/gui/wayland.nix
new file mode 100644
index 0000000..281c72d
--- /dev/null
+++ b/host/Arc/optional/gui/wayland.nix
@@ -0,0 +1,63 @@
+{
+ pkgs,
+ hyprland,
+ hy3,
+ ...
+}:
+
+{
+ #programs.sway = {
+ # enable = true;
+#
+ # wrapperFeatures.gtk = true;
+ # extraSessionCommands = ''
+ # # -- Wayland fixes
+ # # SDL:
+ # export SDL_VIDEODRIVER=wayland
+ # # QT (needs qt5.qtwayland in systemPackages):
+ # export QT_QPA_PLATFORM=wayland-egl
+ # export QT_WAYLAND_DISABLE_WINDOWDECORATION="1"
+ # # Fix for some Java AWT applications (e.g. Android Studio),
+ # # use this if they aren't displayed properly:
+ # export _JAVA_AWT_WM_NONREPARENTING=1
+ # '';
+#
+ # extraPackages = with pkgs; [
+ # swaybg
+ # #swayidle
+ # #swaylock
+ # waybar
+ # wl-clipboard
+ # grim
+ # slurp
+ # easyeffects
+ # keepassxc
+ # ];
+ #};
+
+ programs.hyprland = {
+ enable = true;
+ package = hyprland.packages.${pkgs.stdenv.hostPlatform.system}.hyprland;
+ };
+
+ programs.hyprlock.enable = true;
+ environment.systemPackages = with pkgs;[
+ wmenu
+
+ waybar
+ wl-clipboard
+ grim
+ slurp
+ #easyeffects
+ keepassxc
+ networkmanagerapplet
+ ];
+
+ #environment.etc."hyprPlugins" = {
+ # text = ''
+ # plugin = ${hy3.packages.${pkgs.stdenv.hostPlatform.system}.hy3}/lib/libhy3.so
+ # '';
+ #};
+
+ xdg.portal.wlr.enable = true;
+}
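Review bot: `hy3` is bound in the argument set but only used inside the commented-out `environment.etc."hyprPlugins"` block, so the module declares a dependency it does not have. Either drop it from the pattern or, if the plugin wiring is coming back, say so in the comment, e.g. `# hy3 kept for the plugin config below (currently disabled)`.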
diff --git a/host/Rory-desktop/optional/gui/x11.nix b/host/Arc/optional/gui/x11.nix
index 9070298..9070298 100644
--- a/host/Rory-desktop/optional/gui/x11.nix
+++ b/host/Arc/optional/gui/x11.nix
diff --git a/host/Arc/optional/hardware-specific/amd.nix b/host/Arc/optional/hardware-specific/amd.nix
new file mode 100644
index 0000000..e4758a6
--- /dev/null
+++ b/host/Arc/optional/hardware-specific/amd.nix
@@ -0,0 +1,42 @@
+{
+ config,
+ pkgs,
+ lib,
+ nhekoSrc,
+ mtxclientSrc,
+ ...
+}:
+
+{
+ imports = [ ];
+
+ boot.initrd.kernelModules = [ "amdgpu" ];
+
+ services = {
+ xserver = {
+ windowManager.i3.extraSessionCommands = ''
+ xrandr --output HDMI-1 --mode 3840x2160 --pos 0x0 --rotate normal --primary --output DP-1 --mode 1920x1080 --pos 3840x1080 --rotate normal --output HDMI-2 --off --output DP-2 --off
+ '';
+ wacom.enable = true;
+ };
+ picom.backend = "glx";
+ };
+
+ environment.systemPackages = with pkgs; [
+ rocmPackages.rocm-smi # useful to have
+ ];
+
+ hardware = {
+ graphics = {
+ enable = true;
+ enable32Bit = true;
+ extraPackages = with pkgs; [
+ rocmPackages.clr.icd
+ #amdvlk
+ ];
+ #extraPackages32 = with pkgs; [ driversi686Linux.amdvlk ];
+ };
+ };
+
+ systemd.tmpfiles.rules = [ "L+ /opt/rocm/hip - - - - ${pkgs.rocmPackages.clr}" ];
+}
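Review bot: `config`, `lib`, `nhekoSrc` and `mtxclientSrc` are bound in the argument set but never used in this module; the same unused `nhekoSrc`/`mtxclientSrc` pair appears in host/Arc/configuration.nix, host/Arc/optional/hardware-specific/nvidia.nix and both Rory-NTFS hardware modules. Trimming the pattern to `{ pkgs, ... }:` documents what the module actually depends on. The `windowManager.i3.extraSessionCommands` xrandr line only runs under an i3 X session, while host/Arc/configuration.nix enables plasma6 and wayland.nix and does not import this file at all — worth a comment if the line is kept on purpose.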
diff --git a/host/Arc/optional/hardware-specific/nvidia.nix b/host/Arc/optional/hardware-specific/nvidia.nix
new file mode 100644
index 0000000..1f98541
--- /dev/null
+++ b/host/Arc/optional/hardware-specific/nvidia.nix
@@ -0,0 +1,40 @@
+{
+ config,
+ pkgs,
+ lib,
+ nhekoSrc,
+ mtxclientSrc,
+ ...
+}:
+
+{
+ imports = [
+
+ ];
+
+ services = {
+ xserver = {
+ #videoDrivers = [ "nvidia" ];
+ #windowManager.i3.extraSessionCommands = ''
+ # todo: restore
+ #'';
+ };
+ picom.backend = "glx";
+ };
+
+ hardware = {
+ graphics = {
+ enable = true;
+ };
+
+ nvidia = {
+ modesetting.enable = true;
+ powerManagement.enable = false;
+ powerManagement.finegrained = false;
+ open = true;
+ nvidiaSettings = true;
+ nvidiaPersistenced = true;
+ package = config.boot.kernelPackages.nvidiaPackages.stable;
+ };
+ };
+}
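Review bot: With `videoDrivers = [ "nvidia" ];` commented out, the `hardware.nvidia` settings below are very likely inert: in nixpkgs the nvidia module is gated on "nvidia" being in `services.xserver.videoDrivers` (or `hardware.nvidia.datacenter.enable`), so `open`, `modesetting` and `nvidiaPersistenced` would be silently ignored. Either restore `services.xserver.videoDrivers = [ "nvidia" ];` as the Rory-NTFS copy of this file does, or mark the file as intentionally disabled, e.g. `# NOTE: inert until videoDrivers includes "nvidia"`. `pkgs`, `lib`, `nhekoSrc` and `mtxclientSrc` are unused here as well.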
diff --git a/host/Module-dev/configuration.nix b/host/Module-dev/configuration.nix
new file mode 100644
index 0000000..f3f66fe
--- /dev/null
+++ b/host/Module-dev/configuration.nix
@@ -0,0 +1,55 @@
+{
+ pkgs,
+ lib,
+ grapevine,
+ ...
+}:
+
+{
+ imports = [
+ ../../modules/base-server.nix
+ ./set/matrix/root.nix
+ ];
+
+ networking = {
+ hostName = "Module-dev";
+ useDHCP = lib.mkForce true;
+ defaultGateway.interface = "eth0";
+ nat = {
+ enable = true;
+ internalInterfaces = [
+ "ve-+"
+ "vb-+"
+ ];
+ externalInterface = "ens18";
+ enableIPv6 = false;
+ };
+ enableIPv6 = lib.mkForce false;
+ nameservers = lib.mkForce [ "192.168.1.1" ];
+ };
+
+ monitoring = {
+ monitorAll = true;
+ localPrometheus = true;
+ exposePrometheus = true;
+ localGrafana = true;
+ exposeGrafana = true;
+ nginxHost = "monitoring.rory.gay";
+ nginxSsl = true;
+ };
+
+ nixpkgs.config.permittedInsecurePackages = [
+ "olm-3.2.16"
+ "dotnet-runtime-wrapped-7.0.20"
+ "dotnet-runtime-7.0.20"
+ "dotnet-sdk-7.0.20"
+ ];
+ services.irqbalance.enable = true;
+
+ environment.memoryAllocator.provider = "jemalloc";
+
+ system.stateVersion = lib.trivial.release; # DO NOT copy to real configs!
+
+ environment.systemPackages = with pkgs; [ waypipe ];
+ nix.nrBuildUsers = 128;
+}
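Review bot: `defaultGateway.interface = "eth0"` and `nat.externalInterface = "ens18"` name two different interfaces for what is presumably the same uplink; with `useDHCP` forced on, at least one of them is probably stale. Confirm the interface name on the VM and use it in both places, or drop `defaultGateway.interface` and let DHCP supply the gateway, with a one-line comment on which interface is the uplink.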
diff --git a/host/Module-dev/set/matrix/postgres.nix b/host/Module-dev/set/matrix/postgres.nix
new file mode 100644
index 0000000..0a6a8d7
--- /dev/null
+++ b/host/Module-dev/set/matrix/postgres.nix
@@ -0,0 +1,22 @@
+{ pkgs, ... }:
+
+{
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_17_jit;
+ enableTCPIP = true;
+ authentication = pkgs.lib.mkOverride 10 ''
+ # TYPE, DATABASE, USER, ADDRESS, METHOD
+ local all all trust
+ host all all 127.0.0.1/32 trust
+ host all all ::1/128 trust
+ host discordbots discordbots 192.168.1.2/32 trust
+ host matrix-synapse-rory-gay matrix-synapse-rory-gay 192.168.1.5/32 trust
+ host all all 0.0.0.0/0 md5
+ '';
+ settings = {
+ max_connections = 2500;
+ superuser_reserved_connections = 3;
+ };
+ };
+}
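Review bot: `host all all 0.0.0.0/0 md5` together with `enableTCPIP = true` accepts password logins for every role, including the superuser, from any address that can reach the port, and `md5` is the legacy hash; `host all all 0.0.0.0/0 scram-sha-256` (with `password_encryption = "scram-sha-256";` in `settings`) and a CIDR limited to the networks that actually need access would narrow that considerably. `local all all trust` also lets any local account connect as any role without a password, which on a host that runs other services is wider than the synapse user needs. The two `trust` lines for 192.168.1.2 and 192.168.1.5 rely on source address alone; whether that is acceptable depends on the network, which this hunk does not show.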
diff --git a/host/Module-dev/set/matrix/root.nix b/host/Module-dev/set/matrix/root.nix
new file mode 100644
index 0000000..83636d2
--- /dev/null
+++ b/host/Module-dev/set/matrix/root.nix
@@ -0,0 +1,202 @@
+{ pkgs, config, ... }:
+
+let
+ mkWorker =
+ name: tasks:
+ import ../../../../modules/software-templates/synapse-workers/generic.nix {
+ workerName = name;
+ tasks = tasks;
+ };
+in
+{
+ # Worker plumbing examples: https://github.com/element-hq/synapse/blob/master/docker/configure_workers_and_start.py
+ # Documentation: https://github.com/element-hq/synapse/blob/develop/docs/workers.md
+ imports = [
+ ../../../../modules/software-templates/synapse-workers/module.nix
+ ./postgres.nix
+
+ (mkWorker "sync" [ "sync" ])
+ ];
+
+ services.matrix-synapse = {
+ enable = true;
+ withJemalloc = true;
+
+ nginxVirtualHostName = "matrix.rory.gay";
+ enableWorkers = true;
+
+ federationSenders = 16; # 16
+ pushers = 1;
+ mediaRepoWorkers = 2; # 4
+ clientReaders = 2; # 4
+ syncWorkers = 2; # 4
+ authWorkers = 0;
+
+ eventCreators = 16;
+
+ federationReaders = 8; # 8
+ federationInboundWorkers = 16; # 8
+
+ enableAppserviceWorker = true;
+ enableBackgroundWorker = true;
+ enableUserDirWorker = true;
+
+ accountDataStreamWriters = 1;
+ eventStreamWriters = 2; # 8
+ presenceStreamWriters = 1;
+ pushRuleStreamWriters = 1;
+ receiptStreamWriters = 1;
+ toDeviceStreamWriters = 1;
+ typingStreamWriters = 1;
+
+ # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html
+ settings = {
+ server_name = "rory.gay";
+
+ dummy_devents_treshold = 2;
+ cleanup_extremities_with_dummy_events = true;
+
+ enable_registration = true;
+ registration_requires_token = true;
+
+ require_membership_for_aliases = false;
+ redaction_retention_period = null;
+ user_ips_max_age = null;
+ allow_device_name_lookup_over_federation = true;
+
+ federation = {
+ client_timeout = "30s"; # default=60s
+ max_short_retries = 12;
+ max_short_retry_delay = "5s";
+ max_long_retries = 5;
+ max_long_retry_delay = "30s";
+
+ # rapid retry, small increments
+ destination_min_retry_interval = "5m"; # default=10m
+ destination_max_retry_interval = "12h"; # default=7d
+ destination_retry_multiplier = 1.2; # default=2
+ };
+
+ registration_shared_secret_path = pkgs.writeText "registration_shared_secret.txt" ''
+ sometext
+ '';
+
+ listeners = [
+ {
+ port = 8008;
+ bind_addresses = [ "127.0.0.1" ];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ {
+ names = [
+ "client"
+ "federation"
+ ];
+ compress = false;
+ }
+ ];
+ }
+ {
+ type = "http";
+ path = "/run/matrix-synapse/main.sock";
+ resources = [
+ {
+ names = [ "replication" ];
+ compress = false;
+ }
+ ];
+ }
+ ];
+ presence = {
+ enablee = true;
+ update_interval = 60;
+ };
+ database = {
+ name = "psycopg2";
+ args = {
+ user = "matrix-synapse-rory-gay";
+ password = "somepassword";
+ database = "matrix-synapse-rory-gay";
+ host = "/run/postgresql";
+ application_name = "matrix-synapse (rory.gay) - main";
+ cp_min = 2;
+ cp_max = 5;
+
+ # cp_reconnect - default=True - https://github.com/element-hq/synapse/blob/develop/synapse/storage/database.py#L129
+ # cp_noisy - default=False - https://docs.twisted.org/en/stable/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__ - info logs during operation
+ # check_same_thread - default=False - https://github.com/element-hq/synapse/blob/develop/synapse/config/database.py#L65 - can this even be set?
+ };
+
+ # synchronous_commit - default=True - https://github.com/element-hq/synapse/blob/develop/synapse/storage/engines/postgres.py#L56
+ # statement_timeout - default=60 * 60 * 1000 ms - https://github.com/element-hq/synapse/blob/develop/synapse/storage/engines/postgres.py#L63
+ # allow_unsafe_locale - default=False - https://github.com/element-hq/synapse/blob/develop/synapse/storage/engines/postgres.py#L99
+ # allow_outdated_version - default=False - https://github.com/element-hq/synapse/blob/develop/synapse/storage/engines/postgres.py#L92 - needs source link
+ # txn_limit - default=0 - https://github.com/element-hq/synapse/blob/develop/synapse/storage/database.py#L564
+
+ statement_timeout = 24 * 60 * 60 * 1000; # 24 hours, good for bg jobs
+ txn_limit = 500; # maybe dropping old data from pg caches helps?
+ };
+
+ ui_auth = {
+ session_timeout = "1m";
+ };
+
+ login_via_existing_session = {
+ enabled = true;
+ require_ui_auth = true;
+ token_timeout = "1y";
+ };
+
+ report_stats = false;
+
+ user_directory = {
+ enabled = true;
+ search_all_users = true;
+ prefer_local_users = true;
+ };
+
+ # https://github.com/element-hq/synapse/blob/master/synapse/config/experimental.py
+ experimental_features = {
+ "msc2815_enabled" = true; # Redacted event content
+ "msc3026_enabled" = true; # Busy presence
+ "msc3266_enabled" = true; # Room summary API
+ "msc3916_authenticated_media_enabled" = true; # Authenticated media
+ "msc3823_account_suspension" = true; # Account suspension
+ "msc4151_enabled" = true; # Report room API (CS-API)
+ };
+
+ redis = {
+ enabled = true;
+ path = "/run/redis-matrix-synapse/redis.sock";
+ };
+
+ instance_map = {
+ main = {
+ # replication listener
+ path = "/run/matrix-synapse/main.sock";
+ };
+ };
+ };
+ # // import ./ratelimits.nix
+ # // import ./caches.nix;
+ };
+
+ services.redis = {
+ package = pkgs.valkey;
+ servers.matrix-synapse = {
+ enable = true;
+ user = "matrix-synapse";
+ };
+ };
+
+ services.postgresql = {
+ initialScript = pkgs.writeText "synapse-init.sql" ''
+ CREATE USER "${config.services.matrix-synapse.settings.database.args.user}" WITH PASSWORD '${config.services.matrix-synapse.settings.database.args.password}';
+ CREATE DATABASE "${config.services.matrix-synapse.settings.database.args.database}" OWNER '${config.services.matrix-synapse.settings.database.args.user}' LOCALE 'C' ENCODING 'UTF8' TEMPLATE "template0";
+ '';
+ };
+
+ systemd.tmpfiles.rules = [ "D /run/redis-matrix-synapse 0755 matrix-synapse matrix-synapse" ];
+}
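Review bot: `dummy_devents_treshold = 2;` and `presence.enablee = true;` are misspellings of Synapse's `dummy_events_threshold` and `presence.enabled`; as far as I know Synapse does not reject unknown keys, so both are silently ignored and the defaults remain in force. Beyond that, `registration_shared_secret_path = pkgs.writeText …` and `database.args.password = "somepassword"` (also interpolated into the postgres `initialScript`) put both secrets into the world-readable Nix store; even on a dev host, pointing `registration_shared_secret_path` at a file outside the store and reading the DB password the same way stops this pattern being copied to real hosts. `(mkWorker "sync" [ "sync" ])` is imported while `syncWorkers = 2;` is also set — I cannot see generic.nix, so confirm this does not declare the sync worker twice.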
diff --git a/host/Rory-NTFS/configuration.nix b/host/Rory-NTFS/configuration.nix
new file mode 100644
index 0000000..98e28de
--- /dev/null
+++ b/host/Rory-NTFS/configuration.nix
@@ -0,0 +1,229 @@
+{
+ pkgs,
+ lib,
+ nhekoSrc,
+ mtxclientSrc,
+ ...
+}:
+
+{
+ imports = [
+ ../../modules/base-client.nix
+ ../../packages/vim.nix
+ ./optional/gui/wayland.nix
+ ];
+
+ boot = {
+ kernelPackages = pkgs.linuxPackages_latest;
+ loader = {
+ grub = {
+ enable = true;
+ device = "nodev"; # nodev for EFI only
+ # EFI
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ };
+ };
+ #readOnlyNixStore = false;
+ };
+
+ services.udev.extraRules = ''
+ #SUBSYSTEM=="usb", ATTR{idVendor}=="18d1", MODE="0664", GROUP="users"
+ # SDP protocol
+ KERNEL=="hidraw*", ATTRS{idVendor}=="1fc9", MODE="0666"
+ ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="1fc9", MODE="0666"
+ ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="0d28", MODE="0666"
+ # Flashloader
+ KERNEL=="hidraw*", ATTRS{idVendor}=="15a2", MODE="0666"
+ # Controller
+ KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="18d1", MODE="0666"
+ SUBSYSTEMS=="usb", ATTRS{idVendor}=="18d1", ATTRS{idProduct}=="9400", MODE="0660", TAG+="uaccess"
+ '';
+
+ #systemd.services.NetworkManager-wait-online.enable = false;
+
+ networking = {
+ hostName = "Rory-portable";
+ networkmanager.enable = true;
+ wireless.enable = false;
+ firewall = {
+ enable = false;
+ # allowedTCPPorts = [ ... ];
+ # allowedUDPPorts = [ ... ];
+ };
+
+ #interfaces.enp34s0.ipv4.addresses = [ {
+ # address = "192.168.0.3";
+ # prefixLength = 24;
+ #} ];
+ #
+ #defaultGateway = "192.168.0.1";
+ # useDHCP = true;
+ };
+ systemd.sleep.extraConfig = ''
+ AllowSuspend=yes
+ AllowHibernation=yes
+ AllowHybridSleep=yes
+ AllowSuspendThenHibernate=yes
+ '';
+
+ services.power-profiles-daemon.enable = true;
+ time.timeZone = "Europe/Brussels";
+
+ services = {
+ libinput.touchpad.naturalScrolling = true;
+ xserver = {
+ enable = true;
+ updateDbusEnvironment = true;
+ xkb.layout = "us";
+ };
+ libinput.enable = true;
+
+ openssh = {
+ enable = true;
+ settings.PermitRootLogin = "yes";
+ extraConfig = ''
+ MaxAuthTries 32
+ '';
+ };
+ pipewire = {
+ enable = true;
+ audio.enable = true;
+ pulse.enable = true;
+ wireplumber.enable = true;
+ jack.enable = true;
+ alsa.enable = true;
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ libreoffice
+ qt6.qtwayland
+
+ gnome-console
+ feh
+ easyeffects
+ kitty
+ #youtube-music
+
+ # - IDEs
+ #jetbrains-toolbox
+ #jetbrains.rider
+ #jetbrains.webstorm
+ #jetbrains.clion
+ #github-copilot-intellij-agent
+
+ #dbeaver-bin
+ #insomnia
+ #vscode
+
+ # - Utilities
+ #inkscape-with-extensions
+ #gimp # -with-plugins
+
+ # - Languages
+ #dotnet-sdk_7
+ #dotnet-sdk_8
+ #(callPackage ../../packages/dotnet-pack.nix { inherit pkgs; })
+
+ #games
+ #osu-lazer-bin
+ #steam
+ #steam-run
+
+ # extra packages
+ dmenu
+
+ nemo
+ file-roller
+ firefox-bin
+ #ungoogled-chromium # needed for Rider in order to debug WASM
+
+ unrar-wrapper
+
+ #(schildichat-desktop.override { electron = electron; })
+ (callPackage ../../packages/nheko-git.nix {
+ inherit nhekoSrc;
+ inherit mtxclientSrc;
+ voipSupport = false;
+ })
+ #(callPackage ../../packages/mc/server/modpack/curseforge/techopolis-2/5.4.nix { })
+
+ #vesktop
+ virt-viewer
+ wireguard-tools
+
+ # (dwarf-fortress-packages.dwarf-fortress-full.override { enableStoneSense = true; enableFPS = true; theme = dwarf-fortress-packages.themes.spacefox; })
+ ];
+
+ #programs.steam.enable = true;
+ #programs.steam.gamescopeSession.enable = true;
+
+ #environment.gnome.excludePackages = [
+ # pkgs.orca
+ # pkgs.gnome-tour
+ # pkgs.gnome-user-docs
+ #];
+ xdg = {
+ portal = {
+ enable = true;
+ extraPortals = with pkgs; [
+ #xdg-desktop-portal-gtk
+ xdg-desktop-portal-xapp
+# (callPackage ../../packages/xdg-desktop-portal-gtk.nix { })
+ ];
+ config = {
+ common = {
+ default = [ "gtk" ];
+ };
+ };
+ xdgOpenUsePortal = true;
+ };
+ #sounds.enable = true;
+ #mime.enable = true;
+ #menus.enable = true;
+ #icons.enable = true;
+ #autostart.enable = true;
+ };
+ fonts = {
+ packages = with pkgs; [
+ nerd-fonts.jetbrains-mono
+ noto-fonts-monochrome-emoji
+ ];
+ fontconfig.defaultFonts.monospace = [ "JetBrainsMonoNL Nerd Font,JetBrainsMonoNL NF:style=Regular" ];
+ fontconfig.defaultFonts.sansSerif = [ "JetBrainsMonoNL Nerd Font,JetBrainsMonoNL NF:style=Regular" ];
+ fontconfig.defaultFonts.serif = [ "JetBrainsMonoNL Nerd Font,JetBrainsMonoNL NF:style=Regular" ];
+ fontconfig.defaultFonts.emoji = [ "freefont" ];
+ enableDefaultPackages = lib.mkForce false;
+ enableGhostscriptFonts = lib.mkForce false;
+ };
+
+ programs.dconf.enable = true;
+ environment.etc."resolv.conf".text = ''
+ nameserver 8.8.8.8
+ nameserver 8.4.4.8
+ nameserver 1.1.1.1
+ nameserver 1.0.0.1
+ '';
+
+ #networking.wireguard.interfaces = {
+ # wg-KP-Ran = {
+
+ #};
+ # };
+
+ #virtualisation.libvirtd.enable = true;
+ #programs.virt-manager.enable = true;
+
+ system.stateVersion = "22.11"; # DO NOT EDIT!
+
+ nixpkgs = {
+ config = {
+ allowUnfree = true;
+ permittedInsecurePackages = [
+ "electron-25.9.0"
+ "olm-3.2.16"
+ ];
+ };
+ };
+}
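Review bot: `nameserver 8.4.4.8` in `environment.etc."resolv.conf".text` (between 8.8.8.8 and 1.1.1.1) looks like a transposition of Google's secondary resolver 8.8.4.4; as written, queries that fall through to that entry go to an unrelated address. Writing /etc/resolv.conf statically while `networking.networkmanager.enable = true` is set in the same file also conflicts with NetworkManager's own resolv.conf management — confirm which should win and drop the other. The udev rules grant `MODE="0666"` on several USB and hidraw devices; `TAG+="uaccess"`, as the last rule already does, limits access to the logged-in seat user instead of every local account. `hostName = "Rory-portable"` in a directory named Rory-NTFS may be intended, but a comment would save the next reader a question.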
diff --git a/host/Rory-desktop/optional/gui/wayland.nix b/host/Rory-NTFS/optional/gui/wayland.nix
index 689dee7..eac6391 100644
--- a/host/Rory-desktop/optional/gui/wayland.nix
+++ b/host/Rory-NTFS/optional/gui/wayland.nix
@@ -1,7 +1,5 @@
{
- config,
pkgs,
- lib,
...
}:
@@ -20,16 +18,7 @@
# Fix for some Java AWT applications (e.g. Android Studio),
# use this if they aren't displayed properly:
export _JAVA_AWT_WM_NONREPARENTING=1
- cp ${../../../../modules/users/Rory/wallpaper.webp} ~/.cache/wallpaper.webp
-
'';
- #(
- #sleep 5
- #${pkgs.swaybg}/bin/swaybg -i ${../../../../modules/users/Rory/wallpaper.webp}
- #$ {pkgs.swayidle}/bin/swayidle -w timeout 300 'swaylock -f -i ${../../../../modules/users/Rory/wallpaper.webp}' 'swaymsg "output * dpms off"'
- #$ {pkgs.swaylock}/bin/swaylock -f -i ${../../../../modules/users/Rory/wallpaper.webp}
- #${pkgs.waybar}/bin/waybar
- #) &
extraPackages = with pkgs; [
swaybg
diff --git a/host/Rory-NTFS/optional/hardware-specific/amd.nix b/host/Rory-NTFS/optional/hardware-specific/amd.nix
new file mode 100644
index 0000000..4456c6f
--- /dev/null
+++ b/host/Rory-NTFS/optional/hardware-specific/amd.nix
@@ -0,0 +1,45 @@
+{
+ config,
+ pkgs,
+ lib,
+ nhekoSrc,
+ mtxclientSrc,
+ ...
+}:
+
+{
+ imports = [ ];
+
+ boot.initrd.kernelModules = [ "amdgpu" ];
+
+ services = {
+ xserver = {
+ windowManager.i3.extraSessionCommands = ''
+ xrandr --output HDMI-1 --mode 3840x2160 --pos 0x0 --rotate normal --primary --output DP-1 --mode 1920x1080 --pos 3840x1080 --rotate normal --output HDMI-2 --off --output DP-2 --off
+ '';
+ wacom.enable = true;
+ };
+ picom.backend = "glx";
+ };
+
+ environment.systemPackages = with pkgs; [
+ rocmPackages.rocm-smi # useful to have
+ ];
+
+ hardware = {
+ graphics = {
+ enable = true;
+ #driSupport = true;
+ driSupport32Bit = true;
+ extraPackages = with pkgs; [
+ rocmPackages.clr.icd
+ amdvlk
+ ];
+ extraPackages32 = with pkgs; [ driversi686Linux.amdvlk ];
+ };
+ };
+
+ systemd.tmpfiles.rules = [ "L+ /opt/rocm/hip - - - - ${pkgs.rocmPackages.clr}" ];
+
+ system.stateVersion = "22.11"; # DO NOT EDIT!
+}
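Review bot: `driSupport32Bit = true;` under `hardware.graphics` (and `driSupport`/`driSupport32Bit` in host/Rory-NTFS/optional/hardware-specific/nvidia.nix) use the option names of the old `hardware.opengl` module; under `hardware.graphics` the 32-bit switch is `enable32Bit`, which is what host/Arc/optional/hardware-specific/amd.nix in this same commit uses, and `driSupport` has no counterpart. If I recall the rename correctly, evaluating these files fails with an "option does not exist" error; change to `enable32Bit = true;` and drop `driSupport`. `system.stateVersion = "22.11"` is also set both here and in configuration.nix — equal strings merge, but a hardware module is an odd place to pin it.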
diff --git a/host/Rory-NTFS/optional/hardware-specific/nvidia.nix b/host/Rory-NTFS/optional/hardware-specific/nvidia.nix
new file mode 100644
index 0000000..c146c3a
--- /dev/null
+++ b/host/Rory-NTFS/optional/hardware-specific/nvidia.nix
@@ -0,0 +1,44 @@
+{
+ config,
+ pkgs,
+ lib,
+ nhekoSrc,
+ mtxclientSrc,
+ ...
+}:
+
+{
+ imports = [
+
+ ];
+
+ services = {
+ xserver = {
+ videoDrivers = [ "nvidia" ];
+ #windowManager.i3.extraSessionCommands = ''
+ # todo: restore
+ #'';
+ };
+ picom.backend = "glx";
+ };
+
+ hardware = {
+ graphics = {
+ enable = true;
+ driSupport = true;
+ driSupport32Bit = true;
+ };
+
+ nvidia = {
+ modesetting.enable = true;
+ powerManagement.enable = false;
+ powerManagement.finegrained = false;
+ open = true;
+ nvidiaSettings = true;
+ nvidiaPersistenced = true;
+ package = config.boot.kernelPackages.nvidiaPackages.stable;
+ };
+ };
+
+ system.stateVersion = "22.11"; # DO NOT EDIT!
+}
diff --git a/host/Rory-desktop/configuration.nix b/host/Rory-desktop/configuration.nix
index aa09659..d48d10c 100644
--- a/host/Rory-desktop/configuration.nix
+++ b/host/Rory-desktop/configuration.nix
@@ -12,26 +12,33 @@ args@{
# base imports
../../modules/base-client.nix
# (import ../../modules/base-secrets.nix { path = "/home/rory/.config/sops/config.yaml"; })
- ../../modules/packages/vim.nix
+ ../../packages/vim.nix
# ../../modules/environments/home.nix
- # ../../modules/software-templates/profilers.nix
- ./postgres.nix
- ./nginx.nix
+ ../../modules/software-templates/profilers.nix
+ ../../modules/software-templates/dotnet.client.nix
+ #../../modules/hardware/google-stadia-controller.nix
+
+ ./services/nginx.nix
+ ./services/postgres.nix
# hardware-specific imports
./optional/hardware-specific/amd.nix
- ./optional/gui/x11.nix
- ./optional/gui/wayland.nix
-
- #./printing.nix
-# ./ollama.nix
+ #./services/edu/mongodb.nix
+ ./optional/gui/hyprland.nix
+ #./optional/gui/x11.nix
+ #./services/libvirt.nix
+ #./services/printing.nix
+ #./services/rabbitmq.nix
+ #./services/ollama.nix
+ #./services/waydroid.nix
];
boot = {
kernelPackages = pkgs.linuxPackages_latest;
loader = {
grub = {
+ configurationLimit = 10;
enable = true;
device = "nodev"; # nodev for EFI only
# EFI
@@ -39,34 +46,19 @@ args@{
efiInstallAsRemovable = true;
};
};
- kernelPatches = [
- {
- # FIXME: https://gitlab.freedesktop.org/drm/amd/-/issues/3437
- name = "drm-amd-3437-hack";
- patch = ./hacks/drm-amd-3437.patch;
- }
- ];
-
- #readOnlyNixStore = false;
};
- programs.noisetorch.enable = true;
+
+ # TODO: re-enable when USB is fixed
+ #programs.noisetorch.enable = true;
+
+ programs.gamemode.enable = true;
+ users.users.Rory.extraGroups = [ "gamemode" ];
environment.sessionVariables = {
ZSH_DISABLE_COMPFIX = "true";
};
- services.udev.extraRules = ''
- #SUBSYSTEM=="usb", ATTR{idVendor}=="18d1", MODE="0664", GROUP="users"
- # SDP protocol
- KERNEL=="hidraw*", ATTRS{idVendor}=="1fc9", MODE="0666"
- ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="1fc9", MODE="0666"
- ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="0d28", MODE="0666"
- # Flashloader
- KERNEL=="hidraw*", ATTRS{idVendor}=="15a2", MODE="0666"
- # Controller
- KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="18d1", MODE="0666"
- SUBSYSTEMS=="usb", ATTRS{idVendor}=="18d1", ATTRS{idProduct}=="9400", MODE="0660", TAG+="uaccess"
- '';
+# hardware.google-stadia-controller.enable = true;
networking = {
hostName = "Rory-desktop";
@@ -86,7 +78,7 @@ args@{
];
defaultGateway = "192.168.0.1";
- # useDHCP = true;
+ #useDHCP = true; # Doesn't work with NetworkManager, investigate
};
time.timeZone = "Europe/Brussels";
@@ -110,6 +102,7 @@ args@{
'';
settings.PermitRootLogin = "yes";
};
+ pulseaudio.enable = false;
pipewire = {
enable = true;
audio.enable = true;
@@ -120,11 +113,13 @@ args@{
};
};
+ services.desktopManager.gnome.enable = false;
environment.systemPackages = with pkgs; [
+ eog
+ mpv
libreoffice
qt6.qtwayland
- gnome-console
feh
easyeffects
kitty
@@ -132,10 +127,19 @@ args@{
# - IDEs
#jetbrains-toolbox
- jetbrains.rider
- #jetbrains.webstorm
+ (jetbrains.plugins.addPlugins jetbrains.webstorm [
+ jetbrains.plugins.github-copilot-fixed
+ #"github-copilot"
+ ])
+ (jetbrains.plugins.addPlugins jetbrains.clion [
+ jetbrains.plugins.github-copilot-fixed
+ #"github-copilot"
+ "nixidea"
+ "visual-studio-keymap"
+ ]) #"string-manipulation"
+ #jetbrains.rider
#jetbrains.clion
- github-copilot-intellij-agent
+ #github-copilot-intellij-agent
dbeaver-bin
#insomnia
@@ -146,13 +150,10 @@ args@{
gimp
# - Languages
- dotnet-sdk_8
+ dotnetCorePackages.sdk_9_0
#games
osu-lazer-bin
- #steam
- steam-run
- steam-acf
# extra packages
dmenu
@@ -163,41 +164,47 @@ args@{
#ungoogled-chromium #needed for Rider in order to debug WASM
#yuzu-early-access
- wineWowPackages.unstableFull
- winetricks
+ #wineWowPackages.unstableFull
+ #winetricks
#fragments
- peek
unrar-wrapper
#(schildichat-desktop.override { electron = electron; })
- (callPackage ../../modules/packages/nheko-git.nix {
+ (callPackage ../../packages/nheko-git.nix {
inherit nhekoSrc;
inherit mtxclientSrc;
voipSupport = false;
})
- #(callPackage ../../modules/packages/mc/server/modpack/curseforge/techopolis-2/5.4.nix { })
+ #(callPackage ../../packages/mc/server/modpack/curseforge/techopolis-2/5.4.nix { })
#vesktop
- virt-viewer
+ #discord-development
+
# (dwarf-fortress-packages.dwarf-fortress-full.override { enableStoneSense = true; enableFPS = true; theme = dwarf-fortress-packages.themes.spacefox; })
mangohud
prismlauncher
- ];
- programs.steam.enable = true;
- programs.steam.gamescopeSession.enable = true;
- virtualisation.waydroid.enable = true;
+ thunderbird
+
+ p11-kit
+ opensc
+ eid-mw
+ jitsi-meet-electron
+ #nixd
+ ];
+ environment.etc."pkcs11/modules/opensc-pkcs11".text = ''
+ module: ${pkgs.opensc}/lib/opensc-pkcs11.so
+ '';
xdg = {
portal = {
-
enable = true;
extraPortals = with pkgs; [
#xdg-desktop-portal-gtk
xdg-desktop-portal-xapp
- (callPackage ../../modules/packages/xdg-desktop-portal-gtk.nix { })
+ # (callPackage ../../packages/xdg-desktop-portal-gtk.nix { })
];
config = {
common = {
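Review bot: The p11-kit module file is written as `/etc/pkcs11/modules/opensc-pkcs11` with no suffix; p11-kit's configuration layout names module files `*.module` and, as far as I remember, only files with that suffix are read, so `environment.etc."pkcs11/modules/opensc-pkcs11.module".text` is the safer name. Confirm with `p11-kit list-modules` after a rebuild that the opensc module is actually picked up.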
@@ -205,8 +212,6 @@ args@{
};
};
xdgOpenUsePortal = true;
- #gtkUsePortal = true; # deprecated
-
};
#sounds.enable = true;
#mime.enable = true;
@@ -214,14 +219,22 @@ args@{
#icons.enable = true;
#autostart.enable = true;
};
+
fonts = {
packages = with pkgs; [
- (nerdfonts.override { fonts = [ "JetBrainsMono" ]; })
+ #(nerdfonts.override { fonts = [ "JetBrainsMono" ]; })
+ nerd-fonts.jetbrains-mono
noto-fonts-monochrome-emoji
];
- fontconfig.defaultFonts.monospace = with pkgs; [ "JetBrainsMonoNL Nerd Font,JetBrainsMonoNL NF:style=Regular" ];
- fontconfig.defaultFonts.sansSerif = with pkgs; [ "JetBrainsMonoNL Nerd Font,JetBrainsMonoNL NF:style=Regular" ];
- fontconfig.defaultFonts.serif = with pkgs; [ "JetBrainsMonoNL Nerd Font,JetBrainsMonoNL NF:style=Regular" ];
+ fontconfig.defaultFonts.monospace = with pkgs; [
+ "JetBrainsMonoNL Nerd Font,JetBrainsMonoNL NF:style=Regular"
+ ];
+ fontconfig.defaultFonts.sansSerif = with pkgs; [
+ "JetBrainsMonoNL Nerd Font,JetBrainsMonoNL NF:style=Regular"
+ ];
+ fontconfig.defaultFonts.serif = with pkgs; [
+ "JetBrainsMonoNL Nerd Font,JetBrainsMonoNL NF:style=Regular"
+ ];
fontconfig.defaultFonts.emoji = with pkgs; [ "freefont" ];
enableDefaultPackages = lib.mkForce false;
enableGhostscriptFonts = lib.mkForce false;
@@ -233,25 +246,18 @@ args@{
permittedInsecurePackages = [
"electron-25.9.0"
"olm-3.2.16"
+ "dotnet-sdk-wrapped-7.0.410"
+ "dotnet-sdk-7.0.410"
];
};
-
};
+
security = {
polkit.enable = true;
sudo.wheelNeedsPassword = false;
};
- hardware = {
- pulseaudio.enable = false;
- };
programs.dconf.enable = true;
- environment.etc."resolv.conf".text = ''
- nameserver 8.8.8.8
- nameserver 8.4.4.8
- nameserver 1.1.1.1
- nameserver 1.0.0.1
- '';
#networking.wireguard.interfaces = {
# wg-KP-Ran = {
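Review bot: `"dotnet-sdk-wrapped-7.0.410"` and `"dotnet-sdk-7.0.410"` at L1363-L1364 exempt an end-of-life .NET 7 SDK from nixpkgs' insecure-package check for the whole host, while the SDK actually installed moved to 9.0 at L1262, so it is not visible what still pulls 7.0.410 in. A comment naming the dependant and the removal condition keeps the exemption from outliving its reason, e.g. `"dotnet-sdk-7.0.410" # TODO(review): needed by <package> — drop once it builds against sdk_9_0`. The same two entries are added in host/Rory-laptop/configuration.nix at L2401-L2402.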
@@ -259,9 +265,6 @@ args@{
#};
# };
- virtualisation.libvirtd.enable = true;
- programs.virt-manager.enable = true;
-
monitoring = {
monitorAll = true;
localPrometheus = true;
@@ -271,8 +274,23 @@ args@{
nginxHost = "monitoring.localhost";
nginxSsl = false;
};
+
networking.hosts."127.0.0.1" = builtins.attrNames config.services.nginx.virtualHosts;
-
+
+ services.gvfs.enable = true;
+ zramSwap = {
+ enable = true;
+ memoryPercent = 200;
+ };
+ services.pcscd.enable = true;
+
+ virtualisation.vmVariant = {
+ users = {
+ mutableUsers = false;
+ users.Rory.password = "password";
+ };
+ networking.interfaces.enp34s0 = lib.mkForce { };
+ };
system.stateVersion = "22.11"; # DO NOT EDIT!
}
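Review bot: `users.Rory.password = "password"` at L1413 is a plaintext credential that ends up in the Nix store and in this repository; it sits under `virtualisation.vmVariant`, so it should only apply to the `build-vm` image, but nothing in the block says so, and a VM with a bridged or forwarded network would be reachable with a known password. A comment is the minimum: `# vmVariant only (nixos-rebuild build-vm): throwaway login for the test VM, never applied to the real host`. The identical block is added in host/Rory-laptop/configuration.nix at L2455-L2461. `networking.interfaces.enp34s0 = lib.mkForce { }` (L1415) implies a static interface definition elsewhere that the VM must undo; naming that file in a comment would make the `mkForce` self-explanatory.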
diff --git a/host/Rory-desktop/hooks/post-rebuild.sh b/host/Rory-desktop/hooks/post-rebuild.sh
new file mode 100755
index 0000000..30733ad
--- /dev/null
+++ b/host/Rory-desktop/hooks/post-rebuild.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env sh
+set -x
+
+git restore --staged hardware-configuration.nix
+git restore --staged Ran.ca
+git restore --staged modules/opensuse/
+git restore --staged opensuse/
\ No newline at end of file
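Review bot: Both hooks run with `set -x` only (L1426, L1440), so a failing `git` call does not stop the script, and they use paths relative to the current directory, so the result depends on where the rebuild wrapper invokes them; `set -eux` and `cd "$(dirname "$0")/.."` at the top, assuming the paths are meant relative to the host directory, would make them deterministic. pre-rebuild.sh force-adds files that are presumably gitignored (`git add -f`, L1442-L1445) and post-rebuild.sh unstages them again; if the rebuild aborts in between, `hardware-configuration.nix`, `Ran.ca` and the opensuse trees stay staged and a later `git commit` publishes them without review. A comment in pre-rebuild.sh on which of these files are safe to commit, and which are only force-added so the evaluation can see them, would make the pairing explicit. The Rory-laptop copies (L2550-L2556, L2564-L2570) are byte-identical and could be one shared script.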
diff --git a/host/Rory-desktop/hooks/pre-rebuild.sh b/host/Rory-desktop/hooks/pre-rebuild.sh
new file mode 100755
index 0000000..d4ec9d3
--- /dev/null
+++ b/host/Rory-desktop/hooks/pre-rebuild.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env sh
+set -x
+
+git add -f hardware-configuration.nix
+git add -f Ran.ca
+git add -f modules/opensuse/
+git add -f opensuse/
\ No newline at end of file
diff --git a/host/Rory-desktop/optional/gui/hyprland.nix b/host/Rory-desktop/optional/gui/hyprland.nix
new file mode 100644
index 0000000..d9dcbb2
--- /dev/null
+++ b/host/Rory-desktop/optional/gui/hyprland.nix
@@ -0,0 +1,32 @@
+{
+ pkgs,
+ hyprland,
+ hy3,
+ ...
+}:
+
+{
+ programs.hyprland = {
+ enable = true;
+ package = hyprland.packages.${pkgs.stdenv.hostPlatform.system}.hyprland;
+ };
+
+ programs.hyprlock.enable = true;
+ environment.systemPackages = with pkgs;[
+ wmenu
+ waybar
+ wl-clipboard
+ grim
+ slurp
+ easyeffects
+ keepassxc
+ ];
+
+ environment.etc."hyprPlugins" = {
+ text = ''
+ plugin = ${hy3.packages.${pkgs.stdenv.hostPlatform.system}.hy3}/lib/libhy3.so
+ '';
+ };
+
+ xdg.portal.wlr.enable = true;
+}
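Review bot: `environment.etc."hyprPlugins"` at L1477-L1481 writes a plugin manifest to `/etc/hyprPlugins`, but nothing in this file says what reads it, so the next reader cannot tell whether it is consumed by a user-level Hyprland config or is dead; a comment such as `# consumed by <the hyprland.conf that sources /etc/hyprPlugins>` would settle it. `with pkgs;[` on L1467 is missing the space the other files use (`with pkgs; [`, L1557).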
diff --git a/host/Rory-desktop/optional/gui/i3.nix b/host/Rory-desktop/optional/gui/i3.nix
new file mode 100644
index 0000000..9070298
--- /dev/null
+++ b/host/Rory-desktop/optional/gui/i3.nix
@@ -0,0 +1,36 @@
+{
+ config,
+ pkgs,
+ lib,
+ nhekoSrc,
+ mtxclientSrc,
+ ...
+}:
+
+{
+ imports = [ ];
+
+ services = {
+ xserver = {
+ windowManager.i3.enable = true;
+ windowManager.i3.extraSessionCommands = ''
+ # output from arandr:
+ #xrandr --output DP-1 --mode 1920x1080 --pos 3840x1080 --rotate normal --output HDMI-1 --mode 3840x2160 --pos 0x0 --rotate normal --output HDMI-2 --off --output DP-2 --off
+ xrandr --output HDMI-1 --mode 3840x2160 --pos 0x0 --rotate normal --primary --output DP-1 --mode 1920x1080 --pos 3840x1080 --rotate normal --output HDMI-2 --off --output DP-2 --off
+ ${pkgs.polybarFull}/bin/polybar &
+ ${pkgs.dunst}/bin/dunst &
+ ${pkgs.picom}/bin/picom --config ~/.config/picom.conf &
+ ${pkgs.feh}/bin/feh --no-fehbg --bg-fill ${../../../../modules/users/Rory/wallpaper.webp}
+ '';
+ windowManager.i3.extraPackages = with pkgs; [
+ easyeffects
+ keepassxc
+ ];
+ };
+
+ picom.enable = false;
+ #picom.vSync = false;
+ #picom.backend = "glx";
+ };
+
+}
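Review bot: The function header at L1491-L1498 declares `config`, `lib`, `nhekoSrc` and `mtxclientSrc`, but the body only uses `pkgs`; with `...` the unused arguments are harmless, yet they advertise a dependency on the nheko sources that this window-manager module does not have. `{ pkgs, ... }:` is enough, and the empty `imports = [ ];` (L1501) can go. sway.nix has the same pattern with `hyprland` and `hy3` (L1535-L1536), which it never references.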
diff --git a/host/Rory-desktop/optional/gui/sway.nix b/host/Rory-desktop/optional/gui/sway.nix
new file mode 100644
index 0000000..f19635f
--- /dev/null
+++ b/host/Rory-desktop/optional/gui/sway.nix
@@ -0,0 +1,39 @@
+{
+ pkgs,
+ hyprland,
+ hy3,
+ ...
+}:
+
+{
+ programs.sway = {
+ enable = true;
+
+ wrapperFeatures.gtk = true;
+ extraSessionCommands = ''
+ # -- Wayland fixes
+ # SDL:
+ export SDL_VIDEODRIVER=wayland
+ # QT (needs qt5.qtwayland in systemPackages):
+ export QT_QPA_PLATFORM=wayland-egl
+ export QT_WAYLAND_DISABLE_WINDOWDECORATION="1"
+ # Fix for some Java AWT applications (e.g. Android Studio),
+ # use this if they aren't displayed properly:
+ export _JAVA_AWT_WM_NONREPARENTING=1
+ '';
+
+ extraPackages = with pkgs; [
+ swaybg
+ #swayidle
+ #swaylock
+ waybar
+ wl-clipboard
+ grim
+ slurp
+ easyeffects
+ keepassxc
+ ];
+ };
+
+ xdg.portal.wlr.enable = true;
+}
diff --git a/host/Rory-desktop/optional/hardware-specific/amd.nix b/host/Rory-desktop/optional/hardware-specific/amd.nix
index 3ae47d2..e4758a6 100644
--- a/host/Rory-desktop/optional/hardware-specific/amd.nix
+++ b/host/Rory-desktop/optional/hardware-specific/amd.nix
@@ -32,13 +32,11 @@
enable32Bit = true;
extraPackages = with pkgs; [
rocmPackages.clr.icd
- amdvlk
+ #amdvlk
];
- extraPackages32 = with pkgs; [ driversi686Linux.amdvlk ];
+ #extraPackages32 = with pkgs; [ driversi686Linux.amdvlk ];
};
};
systemd.tmpfiles.rules = [ "L+ /opt/rocm/hip - - - - ${pkgs.rocmPackages.clr}" ];
-
- system.stateVersion = "22.11"; # DO NOT EDIT!
}
diff --git a/host/Rory-desktop/services/edu/mongodb.nix b/host/Rory-desktop/services/edu/mongodb.nix
new file mode 100644
index 0000000..92ffc6a
--- /dev/null
+++ b/host/Rory-desktop/services/edu/mongodb.nix
@@ -0,0 +1,20 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+
+{
+ services.mongodb = {
+ enable = true;
+ package = pkgs.mongodb-ce;
+ enableAuth = true;
+ initialRootPasswordFile = "/etc/mongo-pass";
+ #bind_ip = "/run/mongodb.sock";
+ extraConfig = ''
+ net.unixDomainSocket.filePermissions: 0777
+ '';
+ };
+
+}
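Review bot: `net.unixDomainSocket.filePermissions: 0777` at L1612 makes the MongoDB Unix socket writable by every local account, so any user or service on the host can open a connection; `enableAuth = true` (L1608) still demands credentials, but the socket mode is the first line of access control and 0777 removes it. If one specific user needs the socket, `0770` with that user in the service's group is the tighter setting, and in any case a comment on why the default was widened belongs next to the value. `initialRootPasswordFile = "/etc/mongo-pass"` (L1609) correctly points outside the Nix store, but nothing here shows how that file is provisioned or that it is mode 0600 before the service starts; a comment on its provenance would help. The same block is duplicated verbatim in host/Rory-laptop/edu/nodejs-dev.nix (L2488-L2497).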
diff --git a/host/Rory-desktop/services/libvirt.nix b/host/Rory-desktop/services/libvirt.nix
new file mode 100644
index 0000000..405a73d
--- /dev/null
+++ b/host/Rory-desktop/services/libvirt.nix
@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+{
+ virtualisation.libvirtd.enable = true;
+ programs.virt-manager.enable = true;
+ environment.systemPackages = with pkgs; [
+ virt-viewer
+ ];
+}
\ No newline at end of file
diff --git a/host/Rory-desktop/mariadb.nix b/host/Rory-desktop/services/mariadb.nix
index 758cb3d..758cb3d 100644
--- a/host/Rory-desktop/mariadb.nix
+++ b/host/Rory-desktop/services/mariadb.nix
diff --git a/host/Rory-desktop/services/nginx.nix b/host/Rory-desktop/services/nginx.nix
new file mode 100644
index 0000000..bd1f364
--- /dev/null
+++ b/host/Rory-desktop/services/nginx.nix
@@ -0,0 +1,43 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+
+{
+ services = {
+ nginx = {
+ enable = true;
+ #package = pkgs.nginxQuic;
+ recommendedProxySettings = true;
+ #recommendedTlsSettings = true;
+ recommendedZstdSettings = true;
+ # recommendedGzipSettings = true;
+ recommendedBrotliSettings = true;
+ recommendedOptimisation = true;
+ #defaultMimeTypes = ../../../../packages/nginx/mime.types;
+ appendConfig = ''
+ worker_processes 16;
+ '';
+ eventsConfig = ''
+ #use kqueue;
+ worker_connections 512;
+ '';
+ appendHttpConfig = ''
+ #sendfile on;
+ disable_symlinks off;
+ '';
+ additionalModules = with pkgs.nginxModules; [ moreheaders ];
+ virtualHosts = {
+ "discord.localhost" = import ./nginx/discord.localhost.nix { inherit pkgs; };
+ "hse.localhost" = import ./nginx/hse.localhost.nix { inherit pkgs; };
+ "matrix.opensuse.localhost" = import ./nginx/matrix.opensuse.localhost.nix { inherit pkgs; };
+ "synapse.localhost" = import ./nginx/synapse.localhost.nix { inherit pkgs; };
+ };
+ };
+ };
+ systemd.services.nginx.serviceConfig = {
+ LimitNOFILE = 5000000;
+ };
+}
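Review bot: `disable_symlinks off;` at L1670 is nginx's default, so the directive changes nothing, and with `autoindex on` on the `/www/discord` root (L1694, L1703) any symlink placed in that tree is followed and listed. If serving through symlinks is intended, a comment saying so would keep the line from being read as a hardening attempt; otherwise `disable_symlinks if_not_owner;` is the conservative choice. `worker_processes 16;` (L1662) and `LimitNOFILE = 5000000` (L1682) are sized for a specific machine; the laptop copy of this file comments them out (L2608), so a note on why the desktop needs the fixed values would explain the divergence.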
diff --git a/host/Rory-desktop/services/nginx/discord.localhost.nix b/host/Rory-desktop/services/nginx/discord.localhost.nix
new file mode 100755
index 0000000..b40e13c
--- /dev/null
+++ b/host/Rory-desktop/services/nginx/discord.localhost.nix
@@ -0,0 +1,36 @@
+{ pkgs, ... }:
+
+{
+ root = "/www/discord";
+ addSSL = true;
+ enableACME = false;
+
+ # We don't care about certificates around here...
+ sslCertificate = "${pkgs.path}/nixos/tests/common/acme/server/acme.test.cert.pem";
+ sslCertificateKey = "${pkgs.path}/nixos/tests/common/acme/server/acme.test.key.pem";
+
+ extraConfig = ''
+ autoindex on;
+ more_set_headers 'Access-Control-Allow-Origin: *';
+ more_set_headers 'Access-Control-Allow-Methods: GET, POST, OPTIONS';
+ more_set_headers 'Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+ more_set_headers 'Access-Control-Expose-Headers: Content-Length,Content-Range';
+ more_set_headers 'Access-Control-Allow-Credentials: true';
+ '';
+
+ locations = {
+ "/" = {
+ index = "index.html";
+ extraConfig = ''
+ more_set_headers 'Access-Control-Allow-Origin: *';
+ more_set_headers 'Access-Control-Allow-Methods: *';
+ more_set_headers 'Access-Control-Allow-Headers: *';
+ more_set_headers 'Access-Control-Expose-Headers: *';
+ more_set_headers 'Access-Control-Max-Age' 1728000;
+
+ # default to /index.html if file not found
+ try_files $uri $uri/ /index.html;
+ '';
+ };
+ };
+}
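Review bot: `more_set_headers 'Access-Control-Allow-Origin: *'` (L1704) together with `'Access-Control-Allow-Credentials: true'` (L1708) is a combination browsers reject for credentialed requests, so the credentials header does nothing as written, and if someone later swaps `*` for a reflected `Origin` to make it work, every site gains credentialed access to this host; decide which of the two is wanted and drop the other, with a comment. `more_set_headers 'Access-Control-Max-Age' 1728000;` at L1719 is not in the `Name: value` form headers-more expects — compare L1754, which writes `'Access-Control-Max-Age: 1728000'` — so it is either rejected at config load or sets the wrong header; `more_set_headers 'Access-Control-Max-Age: 1728000';` is the intended line. `autoindex on` (L1703) exposes a listing of `/www/discord`, which is fine for a local share but worth stating in the file.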
diff --git a/host/Rory-desktop/services/nginx/hse.localhost.nix b/host/Rory-desktop/services/nginx/hse.localhost.nix
new file mode 100755
index 0000000..5812b02
--- /dev/null
+++ b/host/Rory-desktop/services/nginx/hse.localhost.nix
@@ -0,0 +1,75 @@
+{pkgs, ...}:
+{
+ enableACME = false;
+ addSSL = true;
+ # We don't care about certificates around here...
+ sslCertificate = "${pkgs.path}/nixos/tests/common/acme/server/acme.test.cert.pem";
+ sslCertificateKey = "${pkgs.path}/nixos/tests/common/acme/server/acme.test.key.pem";
+ locations."/" = {
+ #proxyPass = "http://127.0.0.1:9001";
+ proxyPass = "http://localhost:5298";
+ extraConfig = ''
+ if ($request_method = 'OPTIONS') {
+ more_set_headers 'Access-Control-Allow-Origin: *';
+ more_set_headers 'Access-Control-Allow-Methods: *';
+ #
+ # Custom headers and headers various browsers *should* be OK with but aren't
+ #
+ more_set_headers 'Access-Control-Allow-Headers: *, Authorization';
+ #
+ # Tell client that this pre-flight info is valid for 20 days
+ #
+ more_set_headers 'Access-Control-Max-Age: 1728000';
+ more_set_headers 'Content-Type: text/plain; charset=utf-8';
+ more_set_headers 'Content-Length: 0';
+ return 204;
+ }
+ '';
+ };
+
+# locations."= /.well-known/matrix/server".extraConfig = ''
+# more_set_headers 'Content-Type application/json';
+# more_set_headers 'Access-Control-Allow-Origin *';
+# return 200 '${builtins.toJSON { "m.server" = "hse.localhost:5298"; }}';
+# '';
+# locations."= /.well-known/matrix/client".extraConfig = ''
+# more_set_headers 'Content-Type application/json';
+# more_set_headers 'Access-Control-Allow-Origin *';
+# return 200 '${
+# builtins.toJSON {
+# "m.homeserver".base_url = "http://hse.localhost:5298";
+# "org.matrix.msc3575.proxy".url = "https://matrix.rory.gay";
+# }
+# }';
+# '';
+ locations."= /.well-known/matrix/support".extraConfig = ''
+ more_set_headers 'Content-Type application/json';
+ more_set_headers 'Access-Control-Allow-Origin *';
+ return 200 '${
+ builtins.toJSON {
+ admins = [
+ {
+ matrix_id = "@emma:rory.gay";
+ role = "admin";
+ }
+ {
+ matrix_id = "@alicia:rory.gay";
+ role = "admin";
+ }
+ {
+ matrix_id = "@root:rory.gay";
+ role = "admin";
+ }
+ {
+ matrix_id = "@rory:rory.gay";
+ role = "admin";
+ }
+ ];
+ }
+ }';
+ '';
+
+ locations."~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
+ proxyPass = "http://localhost:8100";
+ };
+}
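Review bot: The `.well-known/matrix/support` block at L1777-L1779 sets `'Content-Type application/json'` and `'Access-Control-Allow-Origin *'` without the colon headers-more requires between name and value (the preflight block at L1745 has it), so these directives are likely rejected at config load or emit the wrong header; `more_set_headers 'Content-Type: application/json';` and `more_set_headers 'Access-Control-Allow-Origin: *';` are the intended lines. The same colon-less lines recur in matrix.opensuse.localhost.nix (L1858-L1860) and synapse.localhost.nix (L1924-L1926, L1929-L1931, L1938-L1940). The header `{pkgs, ...}:` (L1733) also differs from the `{ pkgs, ... }:` spacing used in discord.localhost.nix (L1691).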
diff --git a/host/Rory-desktop/services/nginx/matrix.opensuse.localhost.nix b/host/Rory-desktop/services/nginx/matrix.opensuse.localhost.nix
new file mode 100644
index 0000000..87287a4
--- /dev/null
+++ b/host/Rory-desktop/services/nginx/matrix.opensuse.localhost.nix
@@ -0,0 +1,75 @@
+{pkgs, ...}:
+{
+ enableACME = false;
+ addSSL = true;
+ # We don't care about certificates around here...
+ sslCertificate = "${pkgs.path}/nixos/tests/common/acme/server/acme.test.cert.pem";
+ sslCertificateKey = "${pkgs.path}/nixos/tests/common/acme/server/acme.test.key.pem";
+ locations."/" = {
+ #proxyPass = "http://127.0.0.1:9001";
+ proxyPass = "http://localhost:8008";
+ extraConfig = ''
+ if ($request_method = 'OPTIONS') {
+ more_set_headers 'Access-Control-Allow-Origin: *';
+ more_set_headers 'Access-Control-Allow-Methods: *';
+ #
+ # Custom headers and headers various browsers *should* be OK with but aren't
+ #
+ more_set_headers 'Access-Control-Allow-Headers: *, Authorization';
+ #
+ # Tell client that this pre-flight info is valid for 20 days
+ #
+ more_set_headers 'Access-Control-Max-Age: 1728000';
+ more_set_headers 'Content-Type: text/plain; charset=utf-8';
+ more_set_headers 'Content-Length: 0';
+ return 204;
+ }
+ '';
+ };
+
+# locations."= /.well-known/matrix/server".extraConfig = ''
+# more_set_headers 'Content-Type application/json';
+# more_set_headers 'Access-Control-Allow-Origin *';
+# return 200 '${builtins.toJSON { "m.server" = "hse.localhost:5298"; }}';
+# '';
+# locations."= /.well-known/matrix/client".extraConfig = ''
+# more_set_headers 'Content-Type application/json';
+# more_set_headers 'Access-Control-Allow-Origin *';
+# return 200 '${
+# builtins.toJSON {
+# "m.homeserver".base_url = "http://hse.localhost:5298";
+# "org.matrix.msc3575.proxy".url = "https://matrix.rory.gay";
+# }
+# }';
+# '';
+ locations."= /.well-known/matrix/support".extraConfig = ''
+ more_set_headers 'Content-Type application/json';
+ more_set_headers 'Access-Control-Allow-Origin *';
+ return 200 '${
+ builtins.toJSON {
+ admins = [
+ {
+ matrix_id = "@emma:rory.gay";
+ role = "admin";
+ }
+ {
+ matrix_id = "@alicia:rory.gay";
+ role = "admin";
+ }
+ {
+ matrix_id = "@root:rory.gay";
+ role = "admin";
+ }
+ {
+ matrix_id = "@rory:rory.gay";
+ role = "admin";
+ }
+ ];
+ }
+ }';
+ '';
+
+ locations."~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
+ proxyPass = "http://localhost:8100";
+ };
+}
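Review bot: The commented-out `.well-known` blocks at L1843-L1857 still name `hse.localhost:5298` (L1846, L1853) although this vhost proxies to port 8008 (L1823), which suggests the file was copied from hse.localhost.nix without updating them; either delete the dead block or fix the host so it is not revived later with the wrong target. Apart from `proxyPass`, the file is identical to hse.localhost.nix (L1732-L1807), so the preflight handling and the `admins` list could live in one function taking the upstream port, leaving the `matrix_id` entries maintained in a single place.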
diff --git a/host/Rory-desktop/services/nginx/synapse.localhost.nix b/host/Rory-desktop/services/nginx/synapse.localhost.nix
new file mode 100755
index 0000000..9f89678
--- /dev/null
+++ b/host/Rory-desktop/services/nginx/synapse.localhost.nix
@@ -0,0 +1,70 @@
+{ pkgs }:
+{
+ enableACME = false;
+ addSSL = true;
+ # We don't care about certificates around here...
+ sslCertificate = "${pkgs.path}/nixos/tests/common/acme/server/acme.test.cert.pem";
+ sslCertificateKey = "${pkgs.path}/nixos/tests/common/acme/server/acme.test.key.pem";
+ locations."/" = {
+ #proxyPass = "http://127.0.0.1:9001";
+ proxyPass = "http://localhost:8008";
+ extraConfig = ''
+ if ($request_method = 'OPTIONS') {
+ more_set_headers 'Access-Control-Allow-Origin: *';
+ more_set_headers 'Access-Control-Allow-Methods: *';
+ #
+ # Custom headers and headers various browsers *should* be OK with but aren't
+ #
+ more_set_headers 'Access-Control-Allow-Headers: *, Authorization';
+ #
+ # Tell client that this pre-flight info is valid for 20 days
+ #
+ more_set_headers 'Access-Control-Max-Age: 1728000';
+ more_set_headers 'Content-Type: text/plain; charset=utf-8';
+ more_set_headers 'Content-Length: 0';
+ return 204;
+ }
+ '';
+ };
+
+ locations."= /.well-known/matrix/server".extraConfig = ''
+ more_set_headers 'Content-Type application/json';
+ more_set_headers 'Access-Control-Allow-Origin *';
+ return 200 '${builtins.toJSON { "m.server" = "synapse.localhost:443"; }}';
+ '';
+ locations."= /.well-known/matrix/client".extraConfig = ''
+ more_set_headers 'Content-Type application/json';
+ more_set_headers 'Access-Control-Allow-Origin *';
+ return 200 '${
+ builtins.toJSON {
+ "m.homeserver".base_url = "http://synapse.localhost";
+ }
+ }';
+ '';
+ locations."= /.well-known/matrix/support".extraConfig = ''
+ more_set_headers 'Content-Type application/json';
+ more_set_headers 'Access-Control-Allow-Origin *';
+ return 200 '${
+ builtins.toJSON {
+ admins = [
+ {
+ matrix_id = "@emma:rory.gay";
+ role = "admin";
+ }
+ {
+ matrix_id = "@alicia:rory.gay";
+ role = "admin";
+ }
+ {
+ matrix_id = "@root:rory.gay";
+ role = "admin";
+ }
+ {
+ matrix_id = "@rory:rory.gay";
+ role = "admin";
+ }
+ ];
+ }
+ }';
+ '';
+}
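Review bot: `m.server` advertises `synapse.localhost:443` (L1927) while the client `base_url` is `http://synapse.localhost` (L1934), so federation is pointed at the TLS port and clients at plain HTTP on the same vhost; both resolve with `addSSL`, but a comment on why the client side is deliberately non-TLS would stop the next reader from "fixing" one of them. The header `{ pkgs }:` (L1895) has no `...`, unlike the sibling vhost files (`{pkgs, ...}:` at L1733, L1814); it evaluates because nginx.nix passes only `pkgs` (L1677), but any additional argument later breaks this file alone.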
diff --git a/host/Rory-desktop/ollama.nix b/host/Rory-desktop/services/ollama.nix
index 7f0ae8c..b1b0a7a 100755
--- a/host/Rory-desktop/ollama.nix
+++ b/host/Rory-desktop/services/ollama.nix
@@ -21,17 +21,24 @@
#];
services.ollama = {
- enable = false;
+ enable = true;
home = "/data/ollama/home";
models = "/data/ollama/home/models";
environmentVariables = {
OLLAMA_LLM_LIBRARY = "rocm";
+ HCC_AMDGPU_TARGET = "gfx1102";
};
# writablePaths = [ "/data/ollama/home" ];
#listenAddress = "0.0.0.0:11434";
host = "0.0.0.0";
port = 11434;
- sandbox = false;
+ user = "ollama";
+ group = "ollama";
acceleration = "rocm";
+ rocmOverrideGfx = "11.0.2";
};
+
+ #services.nextjs-ollama-llm-ui = {
+
+ #};
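Review bot: Flipping `enable` to true at L1973 makes the pre-existing `host = "0.0.0.0"` (L1982) live, so the Ollama API, which has no authentication of its own, now listens on every interface of the host on port 11434 (L1983). If this host runs with the firewall disabled, as the other host configurations in this diff do (e.g. L2151-L2152), the API is reachable by anything on the same network. Unless remote access is intended, `host = "127.0.0.1";` is the safe default; if it is intended, a comment naming the clients and how the port is restricted belongs next to it. `HCC_AMDGPU_TARGET` (L1978) and `rocmOverrideGfx` (L1988) both pin the GPU target, and a one-line comment on why both are needed would help.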
}
diff --git a/host/Rory-desktop/postgres.nix b/host/Rory-desktop/services/postgres.nix
index 60fd8d6..c201b04 100755
--- a/host/Rory-desktop/postgres.nix
+++ b/host/Rory-desktop/services/postgres.nix
@@ -28,10 +28,17 @@
# '';
#dataDir = "/mnt/postgres/data";
settings = {
- "max_connections" = "100";
- "shared_buffers" = "128MB";
+ "max_connections" = "1000";
+ "shared_buffers" = "512MB";
"max_wal_size" = "1GB";
"min_wal_size" = "80MB";
+
+ shared_preload_libraries = "pg_stat_statements";
+ track_io_timing = "on";
+ track_functions = "pl";
+ "pg_stat_statements.max" = "10000"; # additional
+ "pg_stat_statements.track" = "all"; # additional
+
};
};
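Review bot: The new settings at L2010-L2014 mix bare keys (`shared_preload_libraries`, `track_io_timing`) with quoted ones (`"pg_stat_statements.max"`), and the two `# additional` comments say nothing about what the values are for; keys containing a dot need quoting in Nix and the rest do not, so the mix is valid but reads as two authors. Raising `max_connections` to 1000 (L2005) with `shared_buffers` at 512MB (L2006) deserves a comment on the workload that needs it, since each backend also consumes `work_mem`. Something like `# pg_stat_statements: per-query statistics for <consumer>; needs CREATE EXTENSION in each database` would replace `# additional` usefully.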
diff --git a/host/Rory-portable/printing.nix b/host/Rory-desktop/services/printing.nix
index f25580f..4f86347 100644
--- a/host/Rory-portable/printing.nix
+++ b/host/Rory-desktop/services/printing.nix
@@ -14,7 +14,7 @@
environment.systemPackages = with pkgs; [
xsane
- gnome.simple-scan
+ simple-scan
];
hardware = {
@@ -39,7 +39,7 @@
};
avahi = {
enable = true;
- nssmdns = true;
+ nssmdns4 = true;
reflector = true;
publish = {
workstation = true;
@@ -51,6 +51,4 @@
};
};
};
-
- system.stateVersion = "22.11"; # DO NOT EDIT!
}
diff --git a/host/Rory-desktop/services/rabbitmq.nix b/host/Rory-desktop/services/rabbitmq.nix
new file mode 100644
index 0000000..f786a70
--- /dev/null
+++ b/host/Rory-desktop/services/rabbitmq.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+ services.rabbitmq = {
+ enable = true;
+ };
+}
\ No newline at end of file
diff --git a/host/Rory-desktop/services/steam.nix b/host/Rory-desktop/services/steam.nix
new file mode 100644
index 0000000..a01b46e
--- /dev/null
+++ b/host/Rory-desktop/services/steam.nix
@@ -0,0 +1,11 @@
+{ ... }:
+{
+ programs.steam = {
+ enable = true;
+ gamescopeSession.enable = true;
+ extraCompatPackages = with pkgs; [
+ steam-play-none
+ proton-ge-bin
+ ];
+ };
+}
\ No newline at end of file
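Review bot: `with pkgs;` at L2069 references `pkgs`, but the module's argument set on L2064 is `{ ... }:` and binds nothing, so evaluating this file fails with an undefined-variable error as soon as it is imported; `{ pkgs, ... }:` on L2064 fixes it. The other new service modules with a bare `{ ... }:` header (waydroid.nix L2082, rabbitmq.nix L2051) do not reference `pkgs` and are fine.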
diff --git a/host/Rory-desktop/services/waydroid.nix b/host/Rory-desktop/services/waydroid.nix
new file mode 100644
index 0000000..45a90ea
--- /dev/null
+++ b/host/Rory-desktop/services/waydroid.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+ virtualisation.waydroid.enable = true;
+}
\ No newline at end of file
diff --git a/host/Rory-laptop/configuration.nix b/host/Rory-laptop/configuration.nix
new file mode 100644
index 0000000..894878a
--- /dev/null
+++ b/host/Rory-laptop/configuration.nix
@@ -0,0 +1,376 @@
+args@{
+ config,
+ pkgs,
+ lib,
+ nhekoSrc,
+ mtxclientSrc,
+ ...
+}:
+
+{
+ imports = [
+ # base imports
+ ../../modules/base-client.nix
+ # (import ../../modules/base-secrets.nix { path = "/home/rory/.config/sops/config.yaml"; })
+ ../../packages/vim.nix
+ # ../../modules/environments/home.nix
+ #../../modules/software-templates/profilers.nix
+ ../../modules/software-templates/dotnet.client.nix
+
+ ./postgres.nix
+ ./nginx.nix
+
+ ./edu/vmware.nix
+ ./edu/nodejs-dev.nix
+
+ # hardware-specific imports
+ #./optional/hardware-specific/nvidia.nix
+ ./optional/hardware-specific/intel.nix
+ ./optional/gui/wayland.nix
+ ];
+
+ boot = {
+ kernelPackages = pkgs.linuxPackages_latest;
+ loader = {
+ grub = {
+ configurationLimit = 10;
+ enable = true;
+ device = "nodev"; # nodev for EFI only
+ # EFI
+ efiSupport = true;
+ #efiInstallAsRemovable = true;
+ };
+ #efi.canTouchEfiVariables = true;
+ };
+ };
+ programs.noisetorch.enable = true;
+ programs.gamemode.enable = true;
+ users.users.Rory.extraGroups = [ "gamemode" ];
+ virtualisation.diskSize = 81920;
+
+ environment.sessionVariables = {
+ ZSH_DISABLE_COMPFIX = "true";
+ };
+
+ networking = {
+ hostName = "Rory-laptop";
+ networkmanager.enable = true;
+ wireless.enable = false;
+ firewall = {
+ enable = false;
+ # allowedTCPPorts = [ ... ];
+ # allowedUDPPorts = [ ... ];
+ };
+
+ #interfaces.enp2s0.ipv4.addresses = [
+ # {
+ # address = "192.168.0.4";
+ # prefixLength = 24;
+ # }
+ #];
+
+ #defaultGateway = "192.168.0.1";
+ #useDHCP = true; # Doesn't work with NetworkManager, investigate
+ };
+
+ time.timeZone = "Europe/Brussels";
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ services = {
+ blueman.enable = true;
+ resolved.enable = true;
+ mullvad-vpn = {
+ enable = true;
+ package = pkgs.mullvad-vpn;
+ };
+ xserver = {
+ displayManager.gdm.enable = true;
+ displayManager.lightdm.enable = false;
+ enable = true;
+ updateDbusEnvironment = true;
+ xkb.layout = "us";
+ wacom.enable = true;
+ };
+ libinput.enable = true;
+
+ openssh = {
+ enable = true;
+ extraConfig = ''
+ MaxAuthTries 32
+ '';
+ settings.PermitRootLogin = "yes";
+ };
+ pipewire = {
+ enable = true;
+ audio.enable = true;
+ pulse.enable = true;
+ wireplumber.enable = true;
+ jack.enable = true;
+ alsa.enable = true;
+ };
+ };
+
+ services.desktopManager.gnome.enable = false;
+ environment.systemPackages = with pkgs; [
+ eog
+ mpv
+ libreoffice
+ qt6.qtwayland
+
+ feh
+ easyeffects
+ kitty
+ youtube-music
+
+ # - IDEs
+
+ (jetbrains.plugins.addPlugins jetbrains.webstorm [
+ jetbrains.plugins.github-copilot-fixed
+ #"github-copilot"
+ ])
+ (jetbrains.plugins.addPlugins jetbrains.idea-ultimate [
+ jetbrains.plugins.github-copilot-fixed
+ #"github-copilot"
+ ])
+ (jetbrains.plugins.addPlugins jetbrains.clion [
+ jetbrains.plugins.github-copilot-fixed
+ #"github-copilot"
+ "string-manipulation"
+ "nixidea"
+ "visual-studio-keymap"
+ ])
+ binutils
+
+ dbeaver-bin
+ vscode
+
+ # - Utilities
+ inkscape-with-extensions
+ gimp
+
+ # - Languages
+ #dotnet-sdk_8
+ dotnetCorePackages.sdk_9_0
+
+ #games
+ osu-lazer-bin
+
+ # extra packages
+ dmenu
+ hyprlock
+
+ nemo
+ file-roller
+ firefox-bin
+ #ungoogled-chromium #needed for Rider in order to debug WASM
+
+ #yuzu-early-access
+ #wineWowPackages.unstableFull
+ #winetricks
+ #fragments
+ #peek
+
+ unrar-wrapper
+
+ #(schildichat-desktop.override { electron = electron; })
+ (callPackage ../../packages/nheko-git.nix {
+ inherit nhekoSrc;
+ inherit mtxclientSrc;
+ voipSupport = false;
+ })
+ #(callPackage ../../packages/mc/server/modpack/curseforge/techopolis-2/5.4.nix { })
+
+ #vesktop
+ virt-viewer
+
+ # (dwarf-fortress-packages.dwarf-fortress-full.override { enableStoneSense = true; enableFPS = true; theme = dwarf-fortress-packages.themes.spacefox; })
+ mangohud
+ prismlauncher
+
+ thunderbird
+
+ jitsi-meet-electron
+ # nixd # broken 24/03/2025
+ mullvad-vpn
+ blueman
+ ft2-clone
+ wxmaxima
+ ];
+ environment.etc."pkcs11/modules/opensc-pkcs11".text = ''
+ module: ${pkgs.opensc}/lib/opensc-pkcs11.so
+ '';
+
+ boot.initrd.systemd.emergencyAccess = true;
+
+ # Speed up boot
+ boot.initrd.systemd.network.wait-online.enable = false;
+ systemd.network.wait-online.enable = false;
+ services.power-profiles-daemon.enable = true;
+ systemd.services."NetworkManager-wait-online".enable = false;
+ virtualisation.libvirtd.onBoot = "ignore";
+
+# systemd.services."systemd-rfkill".serviceConfig.Type = "simple"; # maybe exec?
+ systemd.services."NetworkManager".serviceConfig.Type = "exec"; # maybe exec?
+# systemd.services."home-manager-Rory".serviceConfig.Type = lib.mkForce "exec";
+# systemd.services."systemd-backlight@backlight:intel_backlight".serviceConfig.Type = "exec";
+# systemd.services."wpa_supplicant".serviceConfig.Type = "exec";
+# systemd.services."libvirtd".serviceConfig.Type = lib.mkForce "exec";
+# systemd.services."nginx".serviceConfig.Type = "exec";
+# systemd.services."grafana".serviceConfig.Type = "exec";
+# systemd.services."prometheus".serviceConfig.Type = "exec";
+# systemd.services."bluetooth".serviceConfig.Type = "exec";
+# systemd.services."vmware-usbarbitrator".enable = false;
+# systemd.services."vmware-authdlauncher".enable = false;
+# systemd.services."waydroid-container".enable = false;
+# systemd.services."NetworkManager".serviceConfig.TimeoutStartSec = 10;
+ boot.kernelParams = [
+ #"quiet"
+ "loglevel=8" #3
+ #"systemd.show_status=auto"
+ #"rd.udev.log_level=3"
+ #"libahci.ignore_sss=1"
+ ];
+
+ # Simplfy initrd
+ #boot.bcache.enable = false;
+ #boot.initrd.services.bcache.enable = false;
+ #services.lvm.enable = false;
+ #boot.initrd.services.resolved.enable = false;
+ #boot.initrd.network.udhcpc.enable = false;
+ #boot.initrd.network.enable = false;
+ #boot.initrd.services.lvm.enable = false;
+ #boot.initrd.compressor = "cat";
+#
+ #boot.initrd.systemd.units."systemd-backlight@.service".enable = false;
+ #boot.initrd.systemd.units."dev-ttyS0.device".enable = false;
+ #boot.initrd.systemd.units."dev-ttyS1.device".enable = false;
+ #boot.initrd.systemd.units."dev-ttyS2.device".enable = false;
+ #boot.initrd.systemd.units."dev-ttyS3.device".enable = false;
+ #boot.initrd.systemd.units."dev-ttyS4.device".enable = false;
+ #boot.initrd.systemd.units."dev-sda.device".enable = false;
+ #boot.initrd.systemd.units."dev-sda1.device".enable = false;
+ #boot.initrd.systemd.units."dev-sda2.device".enable = false;
+ #
+ #boot.initrd.includeDefaultModules = false;
+ #boot.initrd.availableKernelModules = [
+ # "nvme"
+ #];
+#
+ #services.orca.enable = true;
+
+ virtualisation.waydroid.enable = true;
+
+ xdg = {
+ portal = {
+ enable = true;
+ extraPortals = with pkgs; [
+ #xdg-desktop-portal-gtk
+ xdg-desktop-portal-xapp
+ # (callPackage ../../packages/xdg-desktop-portal-gtk.nix { })
+ ];
+ config = {
+ common = {
+ default = [ "gtk" ];
+ };
+ };
+ xdgOpenUsePortal = true;
+ };
+ #sounds.enable = true;
+ #mime.enable = true;
+ #menus.enable = true;
+ #icons.enable = true;
+ #autostart.enable = true;
+ };
+ fonts = {
+ packages = with pkgs; [
+ nerd-fonts.jetbrains-mono
+ noto-fonts-monochrome-emoji
+ ];
+ fontconfig.defaultFonts.monospace = with pkgs; [
+ "JetBrainsMonoNL Nerd Font,JetBrainsMonoNL NF:style=Regular"
+ ];
+ fontconfig.defaultFonts.sansSerif = with pkgs; [
+ "JetBrainsMonoNL Nerd Font,JetBrainsMonoNL NF:style=Regular"
+ ];
+ fontconfig.defaultFonts.serif = with pkgs; [
+ "JetBrainsMonoNL Nerd Font,JetBrainsMonoNL NF:style=Regular"
+ ];
+ fontconfig.defaultFonts.emoji = with pkgs; [ "freefont" ];
+ enableDefaultPackages = lib.mkForce false;
+ enableGhostscriptFonts = lib.mkForce false;
+ };
+
+ nixpkgs = {
+ config = {
+ allowUnfree = true;
+ permittedInsecurePackages = [
+ "electron-25.9.0"
+ "olm-3.2.16"
+ "dotnet-sdk-wrapped-7.0.410"
+ "dotnet-sdk-7.0.410"
+ ];
+ };
+ };
+ security = {
+ polkit.enable = true;
+ sudo.wheelNeedsPassword = false;
+ };
+
+ services.pulseaudio.enable = false;
+ hardware = {
+ bluetooth = {
+ enable = true;
+ powerOnBoot = true;
+ };
+ };
+
+ services.locate.package = pkgs.plocate;
+ services.locate.enable = true;
+ programs.dconf.enable = true;
+
+ #networking.wireguard.interfaces = {
+ # wg-KP-Ran = {
+
+ #};
+ # };
+
+ virtualisation.libvirtd = {
+ enable = true;
+ qemu = {
+ swtpm.enable = true;
+ ovmf.enable = true;
+ };
+ };
+ programs.virt-manager.enable = true;
+
+ monitoring = {
+ monitorAll = true;
+ localPrometheus = true;
+ exposePrometheus = true;
+ localGrafana = true;
+ exposeGrafana = true;
+ nginxHost = "monitoring.localhost";
+ nginxSsl = false;
+ };
+ networking.hosts."127.0.0.1" = builtins.attrNames config.services.nginx.virtualHosts;
+
+ services.gvfs.enable = true;
+ zramSwap = {
+ enable = true;
+ memoryPercent = 200;
+ };
+
+ virtualisation.vmVariant = {
+ users = {
+ mutableUsers = false;
+ users.Rory.password = "password";
+ };
+ networking.interfaces.enp34s0 = lib.mkForce { };
+ };
+
+ services.rabbitmq = {
+ #enable = true;
+ };
+
+ system.stateVersion = "22.11"; # DO NOT EDIT!
+}
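Review bot: `boot.initrd.systemd.emergencyAccess = true` at L2295 grants a passwordless root shell in the initrd whenever early boot drops to emergency mode, so anyone at the console can obtain it by interrupting boot, and if the root filesystem is not encrypted that is a full root shell on the laptop. Combined with `settings.PermitRootLogin = "yes"` and `MaxAuthTries 32` (L2191-L2193) and `firewall.enable = false` (L2152) on a machine configured to roam (NetworkManager, Mullvad, Bluetooth), the exposure is larger than for a stationary desktop. If the emergency shell is only needed while working on the boot speed-ups below it (L2297-L2349), a comment tying it to that work, or a hashed password in place of `true`, would be the usual compromise. The `# maybe exec?` comment on L2305 is stale now that the line already sets `Type = "exec"`.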
diff --git a/host/Rory-laptop/edu/nodejs-dev.nix b/host/Rory-laptop/edu/nodejs-dev.nix
new file mode 100644
index 0000000..3850cb9
--- /dev/null
+++ b/host/Rory-laptop/edu/nodejs-dev.nix
@@ -0,0 +1,25 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+
+{
+ environment.systemPackages = with pkgs; [
+ nodejs_latest
+
+ ];
+
+ services.mongodb = {
+ enable = true;
+ package = pkgs.mongodb-ce;
+ enableAuth = true;
+ initialRootPasswordFile = "/etc/mongo-pass";
+ #bind_ip = "/run/mongodb.sock";
+ extraConfig = ''
+ net.unixDomainSocket.filePermissions: 0777
+ '';
+ };
+
+}
diff --git a/host/Rory-laptop/edu/vmware.nix b/host/Rory-laptop/edu/vmware.nix
new file mode 100644
index 0000000..de9e988
--- /dev/null
+++ b/host/Rory-laptop/edu/vmware.nix
@@ -0,0 +1,18 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+
+{
+ virtualisation.vmware.host = {
+ enable = true;
+ extraConfig = ''
+ # Allow unsupported device's OpenGL and Vulkan acceleration for guest vGPU
+ mks.gl.allowUnsupportedDrivers = "TRUE"
+ mks.vk.allowUnsupportedDevices = "TRUE"
+ '';
+ };
+
+}
diff --git a/host/Rory-laptop/hacks/drm-amd-3437.patch b/host/Rory-laptop/hacks/drm-amd-3437.patch
new file mode 100644
index 0000000..1867762
--- /dev/null
+++ b/host/Rory-laptop/hacks/drm-amd-3437.patch
@@ -0,0 +1,13 @@
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
+index c556c8b653fa..272ad5e4a328 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
+@@ -180,7 +180,7 @@ void amdgpu_bo_placement_from_domain(struct amdgpu_bo *abo, u32 domain)
+ * When GTT is just an alternative to VRAM make sure that we
+ * only use it as fallback and still try to fill up VRAM first.
+ */
+- if (domain & abo->preferred_domains & AMDGPU_GEM_DOMAIN_VRAM)
++ if (domain & abo->preferred_domains & AMDGPU_GEM_DOMAIN_VRAM && !(adev->flags & AMD_IS_APU))
+ places[c].flags |= TTM_PL_FLAG_FALLBACK;
+ c++;
+ }
\ No newline at end of file
diff --git a/host/Rory-laptop/hooks/post-rebuild.sh b/host/Rory-laptop/hooks/post-rebuild.sh
new file mode 100755
index 0000000..30733ad
--- /dev/null
+++ b/host/Rory-laptop/hooks/post-rebuild.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env sh
+set -x
+
+git restore --staged hardware-configuration.nix
+git restore --staged Ran.ca
+git restore --staged modules/opensuse/
+git restore --staged opensuse/
\ No newline at end of file
diff --git a/host/Rory-laptop/hooks/pre-rebuild.sh b/host/Rory-laptop/hooks/pre-rebuild.sh
new file mode 100755
index 0000000..d4ec9d3
--- /dev/null
+++ b/host/Rory-laptop/hooks/pre-rebuild.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env sh
+set -x
+
+git add -f hardware-configuration.nix
+git add -f Ran.ca
+git add -f modules/opensuse/
+git add -f opensuse/
\ No newline at end of file
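Review bot: `git add -f` force-stages paths that are presumably gitignored (otherwise `-f` would be unnecessary), and they stay staged until post-rebuild.sh runs; if the rebuild aborts between the two hooks, or a commit happens in that window, the ignored files land in history. Whether that matters depends on why they are ignored — `Ran.ca` looks like CA material and `hardware-configuration.nix` is machine-specific — but neither content is visible here. A comment naming the reason, e.g. `# staged temporarily so the flake can see ignored host-local files; post-rebuild.sh unstages them`, would make the window explicit, and the wrapper that calls these hooks should guarantee the post hook runs even on failure.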
diff --git a/host/Rory-laptop/mariadb.nix b/host/Rory-laptop/mariadb.nix
new file mode 100644
index 0000000..758cb3d
--- /dev/null
+++ b/host/Rory-laptop/mariadb.nix
@@ -0,0 +1,14 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+
+{
+ services.mysql = {
+ enable = true;
+ package = pkgs.mariadb;
+ };
+
+}
diff --git a/host/Rory-desktop/nginx.nix b/host/Rory-laptop/nginx.nix
index dfb1d03..0a72304 100644
--- a/host/Rory-desktop/nginx.nix
+++ b/host/Rory-laptop/nginx.nix
@@ -13,16 +13,16 @@
recommendedProxySettings = true;
#recommendedTlsSettings = true;
recommendedZstdSettings = true;
-# recommendedGzipSettings = true;
+ # recommendedGzipSettings = true;
recommendedBrotliSettings = true;
recommendedOptimisation = true;
- #defaultMimeTypes = ../../../../modules/packages/nginx/mime.types;
+ #defaultMimeTypes = ../../../../packages/nginx/mime.types;
appendConfig = ''
- worker_processes 16;
+ #worker_processes 16;
'';
eventsConfig = ''
#use kqueue;
- worker_connections 512;
+ #worker_connections 512;
'';
appendHttpConfig = ''
#sendfile on;
@@ -31,6 +31,7 @@
additionalModules = with pkgs.nginxModules; [ moreheaders ];
virtualHosts = {
"discord.localhost" = import ./nginx/discord.localhost.nix { inherit pkgs; };
+ "hse.localhost" = import ./nginx/hse.localhost.nix {inherit pkgs;};
};
};
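Review bot: The new `"hse.localhost"` entry writes its argument set as `{inherit pkgs;}` while the line above uses `{ inherit pkgs; }`; the rest of this file follows the spaced form, so the line should read `"hse.localhost" = import ./nginx/hse.localhost.nix { inherit pkgs; };`. A formatter run on the new nginx/*.nix files (hse.localhost.nix also starts with `{pkgs, ...}:`) would settle this consistently.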
diff --git a/host/Rory-laptop/nginx/discord.localhost.nix b/host/Rory-laptop/nginx/discord.localhost.nix
new file mode 100644
index 0000000..b40e13c
--- /dev/null
+++ b/host/Rory-laptop/nginx/discord.localhost.nix
@@ -0,0 +1,36 @@
+{ pkgs, ... }:
+
+{
+ root = "/www/discord";
+ addSSL = true;
+ enableACME = false;
+
+ # We don't care about certificates around here...
+ sslCertificate = "${pkgs.path}/nixos/tests/common/acme/server/acme.test.cert.pem";
+ sslCertificateKey = "${pkgs.path}/nixos/tests/common/acme/server/acme.test.key.pem";
+
+ extraConfig = ''
+ autoindex on;
+ more_set_headers 'Access-Control-Allow-Origin: *';
+ more_set_headers 'Access-Control-Allow-Methods: GET, POST, OPTIONS';
+ more_set_headers 'Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+ more_set_headers 'Access-Control-Expose-Headers: Content-Length,Content-Range';
+ more_set_headers 'Access-Control-Allow-Credentials: true';
+ '';
+
+ locations = {
+ "/" = {
+ index = "index.html";
+ extraConfig = ''
+ more_set_headers 'Access-Control-Allow-Origin: *';
+ more_set_headers 'Access-Control-Allow-Methods: *';
+ more_set_headers 'Access-Control-Allow-Headers: *';
+ more_set_headers 'Access-Control-Expose-Headers: *';
+ more_set_headers 'Access-Control-Max-Age' 1728000;
+
+ # default to /index.html if file not found
+ try_files $uri $uri/ /index.html;
+ '';
+ };
+ };
+}
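Review bot: `more_set_headers 'Access-Control-Max-Age' 1728000;` in the `/` location is not in the `Name: value` form that headers-more expects (compare `'Access-Control-Max-Age: 1728000'` in hse.localhost.nix), so it will most likely be rejected at config load or emit a header without a value; it should read `more_set_headers 'Access-Control-Max-Age: 1728000';`. The server-level block also sends `Access-Control-Allow-Origin: *` together with `Access-Control-Allow-Credentials: true`; browsers refuse credentialed requests against a wildcard origin, so the credentials header is dead weight — drop it, or reflect a specific origin if credentialed cross-origin access is really needed. Since the nixpkgs test certificate and key are public, the `addSSL` listener authenticates nothing, which is acceptable only as long as this host stays reachable from loopback alone, as the comment implies.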
diff --git a/host/Rory-laptop/nginx/hse.localhost.nix b/host/Rory-laptop/nginx/hse.localhost.nix
new file mode 100755
index 0000000..5812b02
--- /dev/null
+++ b/host/Rory-laptop/nginx/hse.localhost.nix
@@ -0,0 +1,75 @@
+{pkgs, ...}:
+{
+ enableACME = false;
+ addSSL = true;
+ # We don't care about certificates around here...
+ sslCertificate = "${pkgs.path}/nixos/tests/common/acme/server/acme.test.cert.pem";
+ sslCertificateKey = "${pkgs.path}/nixos/tests/common/acme/server/acme.test.key.pem";
+ locations."/" = {
+ #proxyPass = "http://127.0.0.1:9001";
+ proxyPass = "http://localhost:5298";
+ extraConfig = ''
+ if ($request_method = 'OPTIONS') {
+ more_set_headers 'Access-Control-Allow-Origin: *';
+ more_set_headers 'Access-Control-Allow-Methods: *';
+ #
+ # Custom headers and headers various browsers *should* be OK with but aren't
+ #
+ more_set_headers 'Access-Control-Allow-Headers: *, Authorization';
+ #
+ # Tell client that this pre-flight info is valid for 20 days
+ #
+ more_set_headers 'Access-Control-Max-Age: 1728000';
+ more_set_headers 'Content-Type: text/plain; charset=utf-8';
+ more_set_headers 'Content-Length: 0';
+ return 204;
+ }
+ '';
+ };
+
+# locations."= /.well-known/matrix/server".extraConfig = ''
+# more_set_headers 'Content-Type application/json';
+# more_set_headers 'Access-Control-Allow-Origin *';
+# return 200 '${builtins.toJSON { "m.server" = "hse.localhost:5298"; }}';
+# '';
+# locations."= /.well-known/matrix/client".extraConfig = ''
+# more_set_headers 'Content-Type application/json';
+# more_set_headers 'Access-Control-Allow-Origin *';
+# return 200 '${
+# builtins.toJSON {
+# "m.homeserver".base_url = "http://hse.localhost:5298";
+# "org.matrix.msc3575.proxy".url = "https://matrix.rory.gay";
+# }
+# }';
+# '';
+ locations."= /.well-known/matrix/support".extraConfig = ''
+ more_set_headers 'Content-Type application/json';
+ more_set_headers 'Access-Control-Allow-Origin *';
+ return 200 '${
+ builtins.toJSON {
+ admins = [
+ {
+ matrix_id = "@emma:rory.gay";
+ role = "admin";
+ }
+ {
+ matrix_id = "@alicia:rory.gay";
+ role = "admin";
+ }
+ {
+ matrix_id = "@root:rory.gay";
+ role = "admin";
+ }
+ {
+ matrix_id = "@rory:rory.gay";
+ role = "admin";
+ }
+ ];
+ }
+ }';
+ '';
+
+ locations."~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
+ proxyPass = "http://localhost:8100";
+ };
+}
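Review bot: The `/.well-known/matrix/support` response sets `'Content-Type application/json'` and `'Access-Control-Allow-Origin *'` without the colon, so headers-more will not produce the intended `Content-Type: application/json` header (the active preflight block above gets the form right with `'Access-Control-Max-Age: 1728000'`); write them as `more_set_headers 'Content-Type: application/json';` and `more_set_headers 'Access-Control-Allow-Origin: *';`. The same slip sits in the commented-out `/.well-known/matrix/server` and `client` blocks and will resurface if they are re-enabled. The last location proxies `/client/` and the msc3575 sync path to port 8100, which elsewhere in this commit is the bind port of the sliding-sync service being deleted (`SYNCV3_BINDADDR`), so unless something else listens on 8100 on the laptop these requests will 502; a one-line comment stating what is expected there would help.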
diff --git a/host/Rory-laptop/ollama.nix b/host/Rory-laptop/ollama.nix
new file mode 100644
index 0000000..b1b0a7a
--- /dev/null
+++ b/host/Rory-laptop/ollama.nix
@@ -0,0 +1,44 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+
+{
+ # systemd.tmpfiles.rules = [ "d /data/ollama 0750 ostgres postgres" ];
+
+ #overlays
+ #nixpkgs.overlays = [
+ # (final: old: {
+ # rocmPackages = old.rocmPackages // {
+ # rocblas = (old.rocmPackages.rocblas.overrideAttrs (oldAttrs: {
+ # gpuTargets = [ "gfx1102" ];
+ # }));
+ # };
+ # }
+ # )
+ #];
+
+ services.ollama = {
+ enable = true;
+ home = "/data/ollama/home";
+ models = "/data/ollama/home/models";
+ environmentVariables = {
+ OLLAMA_LLM_LIBRARY = "rocm";
+ HCC_AMDGPU_TARGET = "gfx1102";
+ };
+ # writablePaths = [ "/data/ollama/home" ];
+ #listenAddress = "0.0.0.0:11434";
+ host = "0.0.0.0";
+ port = 11434;
+ user = "ollama";
+ group = "ollama";
+ acceleration = "rocm";
+ rocmOverrideGfx = "11.0.2";
+ };
+
+ #services.nextjs-ollama-llm-ui = {
+
+ #};
+}
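Review bot: `host = "0.0.0.0"` makes the Ollama API listen on every interface, and Ollama has no authentication of its own, so on a laptop that joins untrusted networks anyone on the same LAN can drive the model API and the GPU through port 11434 unless the host firewall blocks it; the firewall state is not visible in this file. If only local clients need it, `host = "127.0.0.1";` is the safe default; if LAN access is intended, say so in a comment and pair it with an explicit `allowedTCPPorts` entry so the exposure is deliberate rather than implicit. The commented-out tmpfiles rule still carries `ostgres postgres`, which looks copy-pasted from a postgres file and should be fixed or removed.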
diff --git a/host/Rory-laptop/optional/gui/wayland.nix b/host/Rory-laptop/optional/gui/wayland.nix
new file mode 100644
index 0000000..ab72165
--- /dev/null
+++ b/host/Rory-laptop/optional/gui/wayland.nix
@@ -0,0 +1,60 @@
+{
+ pkgs,
+ hyprland,
+ hy3,
+ ...
+}:
+
+{
+ programs.sway = {
+ enable = true;
+
+ wrapperFeatures.gtk = true;
+ extraSessionCommands = ''
+ # -- Wayland fixes
+ # SDL:
+ export SDL_VIDEODRIVER=wayland
+ # QT (needs qt5.qtwayland in systemPackages):
+ export QT_QPA_PLATFORM=wayland
+ export QT_WAYLAND_DISABLE_WINDOWDECORATION="1"
+ # Fix for some Java AWT applications (e.g. Android Studio),
+ # use this if they aren't displayed properly:
+ export _JAVA_AWT_WM_NONREPARENTING=1
+ '';
+
+ extraPackages = with pkgs; [
+ swaybg
+ #swayidle
+ #swaylock
+ waybar
+ wl-clipboard
+ grim
+ slurp
+ easyeffects
+ keepassxc
+ networkmanagerapplet
+ ];
+ };
+
+ programs.hyprland = {
+ enable = true;
+ package = hyprland.packages.${pkgs.stdenv.hostPlatform.system}.hyprland;
+ xwayland.enable = true;
+ withUWSM = true;
+ };
+ security.rtkit.enable = true;
+
+ programs.hyprlock.enable = true;
+ environment.systemPackages = with pkgs;[
+ wmenu
+ kdePackages.xwaylandvideobridge
+ ];
+
+ environment.etc."hyprPlugins" = {
+ text = ''
+ plugin = ${hy3.packages.${pkgs.stdenv.hostPlatform.system}.hy3}/lib/libhy3.so
+ '';
+ };
+
+ xdg.portal.wlr.enable = true;
+}
diff --git a/host/Rory-laptop/optional/gui/x11.nix b/host/Rory-laptop/optional/gui/x11.nix
new file mode 100644
index 0000000..9070298
--- /dev/null
+++ b/host/Rory-laptop/optional/gui/x11.nix
@@ -0,0 +1,36 @@
+{
+ config,
+ pkgs,
+ lib,
+ nhekoSrc,
+ mtxclientSrc,
+ ...
+}:
+
+{
+ imports = [ ];
+
+ services = {
+ xserver = {
+ windowManager.i3.enable = true;
+ windowManager.i3.extraSessionCommands = ''
+ # output from arandr:
+ #xrandr --output DP-1 --mode 1920x1080 --pos 3840x1080 --rotate normal --output HDMI-1 --mode 3840x2160 --pos 0x0 --rotate normal --output HDMI-2 --off --output DP-2 --off
+ xrandr --output HDMI-1 --mode 3840x2160 --pos 0x0 --rotate normal --primary --output DP-1 --mode 1920x1080 --pos 3840x1080 --rotate normal --output HDMI-2 --off --output DP-2 --off
+ ${pkgs.polybarFull}/bin/polybar &
+ ${pkgs.dunst}/bin/dunst &
+ ${pkgs.picom}/bin/picom --config ~/.config/picom.conf &
+ ${pkgs.feh}/bin/feh --no-fehbg --bg-fill ${../../../../modules/users/Rory/wallpaper.webp}
+ '';
+ windowManager.i3.extraPackages = with pkgs; [
+ easyeffects
+ keepassxc
+ ];
+ };
+
+ picom.enable = false;
+ #picom.vSync = false;
+ #picom.backend = "glx";
+ };
+
+}
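Review bot: `nhekoSrc`, `mtxclientSrc`, `config` and `lib` are taken from the module arguments but never used, and `imports = [ ]` is empty; the header can shrink to `{ pkgs, ... }:` (amd.nix below carries the same unused arguments). `picom.enable = false` while the i3 session commands start `${pkgs.picom}/bin/picom` by hand is presumably deliberate (hand-written config file), but a one-line comment saying so would stop the next reader from "fixing" it.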
diff --git a/host/Rory-laptop/optional/hardware-specific/amd.nix b/host/Rory-laptop/optional/hardware-specific/amd.nix
new file mode 100644
index 0000000..e4758a6
--- /dev/null
+++ b/host/Rory-laptop/optional/hardware-specific/amd.nix
@@ -0,0 +1,42 @@
+{
+ config,
+ pkgs,
+ lib,
+ nhekoSrc,
+ mtxclientSrc,
+ ...
+}:
+
+{
+ imports = [ ];
+
+ boot.initrd.kernelModules = [ "amdgpu" ];
+
+ services = {
+ xserver = {
+ windowManager.i3.extraSessionCommands = ''
+ xrandr --output HDMI-1 --mode 3840x2160 --pos 0x0 --rotate normal --primary --output DP-1 --mode 1920x1080 --pos 3840x1080 --rotate normal --output HDMI-2 --off --output DP-2 --off
+ '';
+ wacom.enable = true;
+ };
+ picom.backend = "glx";
+ };
+
+ environment.systemPackages = with pkgs; [
+ rocmPackages.rocm-smi # useful to have
+ ];
+
+ hardware = {
+ graphics = {
+ enable = true;
+ enable32Bit = true;
+ extraPackages = with pkgs; [
+ rocmPackages.clr.icd
+ #amdvlk
+ ];
+ #extraPackages32 = with pkgs; [ driversi686Linux.amdvlk ];
+ };
+ };
+
+ systemd.tmpfiles.rules = [ "L+ /opt/rocm/hip - - - - ${pkgs.rocmPackages.clr}" ];
+}
diff --git a/host/Rory-laptop/optional/hardware-specific/intel.nix b/host/Rory-laptop/optional/hardware-specific/intel.nix
new file mode 100644
index 0000000..0cb03f0
--- /dev/null
+++ b/host/Rory-laptop/optional/hardware-specific/intel.nix
@@ -0,0 +1,25 @@
+{
+ pkgs,
+ ...
+}:
+
+{
+ nixpkgs.config.packageOverrides = pkgs: {
+ intel-vaapi-driver = pkgs.intel-vaapi-driver.override { enableHybridCodec = true; };
+ };
+
+ hardware = {
+ graphics = {
+ enable = true;
+ extraPackages = with pkgs; [
+ intel-media-driver # LIBVA_DRIVER_NAME=iHD
+ intel-vaapi-driver # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
+ libvdpau-va-gl
+ ];
+ };
+ };
+ environment.sessionVariables = {
+ LIBVA_DRIVER_NAME = "iHD";
+ };
+ system.stateVersion = "22.11"; # DO NOT EDIT!
+}
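Review bot: `system.stateVersion = "22.11"` is set inside an optional hardware module (and again in nvidia.nix below); stateVersion is a per-host value that belongs in the host's configuration.nix — this commit removes it from printing.nix for exactly that reason — and if the host ever sets a different value, evaluation fails with a conflicting-definition error, while an identical value silently hides the duplication. Drop the line from both optional modules. Minor: the `packageOverrides` function `pkgs: { ... }` shadows the module's `pkgs` argument; naming it `prev:` avoids the confusion.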
diff --git a/host/Rory-laptop/optional/hardware-specific/nvidia.nix b/host/Rory-laptop/optional/hardware-specific/nvidia.nix
new file mode 100644
index 0000000..8df1eaf
--- /dev/null
+++ b/host/Rory-laptop/optional/hardware-specific/nvidia.nix
@@ -0,0 +1,36 @@
+{
+ config,
+ ...
+}:
+
+{
+ imports = [
+
+ ];
+
+ services = {
+ xserver = {
+ #videoDrivers = [ "nvidia" ];
+ };
+ #picom.backend = "glx";
+ };
+
+ hardware = {
+ graphics = {
+ enable = true;
+ enable32Bit = true;
+ };
+
+ nvidia = {
+ modesetting.enable = true;
+ powerManagement.enable = false;
+ powerManagement.finegrained = false;
+ open = true;
+ nvidiaSettings = true;
+ nvidiaPersistenced = true;
+ package = config.boot.kernelPackages.nvidiaPackages.stable;
+ };
+ };
+
+ system.stateVersion = "22.11"; # DO NOT EDIT!
+}
diff --git a/host/Rory-portable/postgres.nix b/host/Rory-laptop/postgres.nix
index 7223f6a..c201b04 100755..100644
--- a/host/Rory-portable/postgres.nix
+++ b/host/Rory-laptop/postgres.nix
@@ -1,4 +1,9 @@
-{ pkgs, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
{
#systemd.tmpfiles.rules = [ "d /mnt/postgres/data 0750 postgres postgres" ];
@@ -23,10 +28,17 @@
# '';
#dataDir = "/mnt/postgres/data";
settings = {
- "max_connections" = "100";
- "shared_buffers" = "128MB";
+ "max_connections" = "1000";
+ "shared_buffers" = "512MB";
"max_wal_size" = "1GB";
"min_wal_size" = "80MB";
+
+ shared_preload_libraries = "pg_stat_statements";
+ track_io_timing = "on";
+ track_functions = "pl";
+ "pg_stat_statements.max" = "10000"; # additional
+ "pg_stat_statements.track" = "all"; # additional
+
};
};
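Review bot: The new settings mix quoted and bare attribute names (`"max_connections"` next to `shared_preload_libraries`); only the dotted `pg_stat_statements.*` keys need quoting, so either quote all or only those two. Loading `pg_stat_statements` via `shared_preload_libraries` only starts collection; the view becomes available per database after `CREATE EXTENSION pg_stat_statements`, which deserves a comment here, e.g. `# run CREATE EXTENSION pg_stat_statements in each database to read the stats`. `max_connections` goes from 100 to 1000 with no rationale; each connection is a backend process, so a short comment on the workload that needs it would help.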
diff --git a/host/Rory-desktop/printing.nix b/host/Rory-laptop/printing.nix
index f25580f..4f86347 100644
--- a/host/Rory-desktop/printing.nix
+++ b/host/Rory-laptop/printing.nix
@@ -14,7 +14,7 @@
environment.systemPackages = with pkgs; [
xsane
- gnome.simple-scan
+ simple-scan
];
hardware = {
@@ -39,7 +39,7 @@
};
avahi = {
enable = true;
- nssmdns = true;
+ nssmdns4 = true;
reflector = true;
publish = {
workstation = true;
@@ -51,6 +51,4 @@
};
};
};
-
- system.stateVersion = "22.11"; # DO NOT EDIT!
}
diff --git a/host/Rory-nginx/configuration.nix b/host/Rory-nginx/configuration.nix
index 3f0bcc4..9448569 100755..100644
--- a/host/Rory-nginx/configuration.nix
+++ b/host/Rory-nginx/configuration.nix
@@ -18,13 +18,15 @@
../../modules/users/Alice.nix
./services/postgres.nix
- ./services/matrix/root.nix
./services/nginx/nginx.nix
#./services/jitsi.nix
./services/cgit.nix
- #./services/ollama.nix
+ ./services/ollama.nix
+ ./services/deluge.nix
./services/prometheus.nix
];
+
+ boot.loader.grub.devices = [ "/dev/vda" ];
users.groups.ocp = { };
networking = {
hostName = "Rory-nginx";
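Review bot: The import of `./services/matrix/root.nix` is removed, yet this same commit still edits that file (adding `./ooye.nix`) and the synapse files beneath it; unless another module imports it, the whole matrix stack stops being built on this host and those changes have no effect here. If decommissioning matrix on Rory-nginx is intended (the `monitoring.old.rory.gay` rename and the `exit` added to post-rebuild.sh point that way), a comment such as `# ./services/matrix/root.nix # moved off this host` would make the intent explicit rather than looking like an accidental drop.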
@@ -51,27 +53,25 @@
enableIPv6 = false;
};
enableIPv6 = lib.mkForce false;
- nameservers = lib.mkOverride [ "192.168.1.1" ];
+ nameservers = lib.mkForce [ "192.168.1.1" ];
};
-# environment.etc."resolv.conf" = lib.mkOverride {
-# text = ''
-# nameserver 192.168.1.1
-# '';
-# };
-
monitoring = {
monitorAll = true;
localPrometheus = true;
exposePrometheus = true;
localGrafana = true;
exposeGrafana = true;
- nginxHost = "monitoring.rory.gay";
+ nginxHost = "monitoring.old.rory.gay";
nginxSsl = true;
};
- nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];
-
+ nixpkgs.config.permittedInsecurePackages = [
+ "olm-3.2.16"
+ "dotnet-runtime-wrapped-7.0.20"
+ "dotnet-runtime-7.0.20"
+ "dotnet-sdk-7.0.20"
+ ];
services.irqbalance.enable = true;
environment.memoryAllocator.provider = "jemalloc";
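Review bot: `permittedInsecurePackages` now whitelists `dotnet-runtime-7.0.20`, `dotnet-runtime-wrapped-7.0.20` and `dotnet-sdk-7.0.20`; nixpkgs marks these insecure because .NET 7 is end-of-life and no longer receives security fixes, so whatever is built on them runs with unpatched known issues. Nothing in the hunk says which package needs them; add a comment naming it and the migration target, e.g. `# needed by <package — TODO confirm>; remove once it moves to a supported .NET`, so the exception does not outlive its reason. The `lib.mkOverride` → `lib.mkForce` change on `nameservers` is the right fix, since `mkOverride` expects a priority argument first.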
@@ -81,23 +81,17 @@
# conduit = grapevine;
#};
- containers."matrixunittests" = import ./services/containers/matrixunittests/container.nix { inherit pkgs lib grapevine; };
-
- containers."matrixunittests-conduit" = import ./services/containers/matrixunittests-conduit/container.nix {
- inherit pkgs lib;
- conduit = conduit;
+ containers."matrixunittests" = import ./services/containers/matrixunittests/container.nix {
+ inherit pkgs lib grapevine;
};
-
- services.pgadmin = {
- enable = true;
- initialEmail = "root@localhost.localdomain";
- initialPasswordFile = "/etc/matrix-user-pass";
- };
- containers."draupnir-cme" = import ./services/containers/draupnir-cme/container.nix { inherit pkgs lib nixpkgs-Draupnir; };
-
- #containers."draupnir-linux-mint" = import ./services/containers/draupnir-linux-mint/container.nix { inherit pkgs lib nixpkgs-Draupnir; };
+ #
+ #containers."matrixunittests-conduit" = import ./services/containers/matrixunittests-conduit/container.nix {
+ # inherit pkgs lib;
+ # conduit = conduit;
+ #};
system.stateVersion = "22.11"; # DO NOT EDIT!
environment.systemPackages = with pkgs; [ waypipe ];
+ nix.nrBuildUsers = 128;
}
diff --git a/host/Rory-nginx/post-rebuild.sh b/host/Rory-nginx/hooks/post-rebuild.sh
index 9b0c17c..198b7e6 100755
--- a/host/Rory-nginx/post-rebuild.sh
+++ b/host/Rory-nginx/hooks/post-rebuild.sh
@@ -1,6 +1,7 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p curl gnused nix coreutils jq openssl
#set -x
+exit
REG_KEY=`cat /var/lib/matrix-synapse/registration_shared_secret.txt`
LOCALPART='rory.gay'
REACHABLE_DOMAIN='http://localhost:8008'
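Review bot: The bare `exit` on line 4 turns the whole hook into a no-op while keeping the body below as dead code, and with the `nix-shell` shebang every run still instantiates a shell with curl, jq, openssl and the rest before exiting. If the hook is retired, delete it or leave a comment explaining why it is disabled, e.g. `exit 0 # disabled: <reason — TODO confirm>`; if it is temporary, a dated TODO. The rest of the script is outside this hunk.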
diff --git a/host/Rory-nginx/services/containers/draupnir-cme/container.nix b/host/Rory-nginx/services/containers/draupnir-cme/container.nix
deleted file mode 100755
index b8936ac..0000000
--- a/host/Rory-nginx/services/containers/draupnir-cme/container.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{ nixpkgs-Draupnir, ... }:
-
-{
- privateNetwork = true;
- autoStart = true;
- specialArgs = {
- inherit nixpkgs-Draupnir;
- };
- config =
- { lib, pkgs, ... }:
- {
- imports = [
- ../shared.nix
- ./root.nix
- ./services/draupnir.nix
- "${nixpkgs-Draupnir}/nixos/modules/services/matrix/draupnir.nix"
- ];
- nixpkgs.overlays = [ (final: prev: { draupnir = nixpkgs-Draupnir.legacyPackages.${pkgs.stdenv.hostPlatform.system}.draupnir; }) ];
- };
- hostAddress = "192.168.100.1";
- localAddress = "192.168.100.17";
-
- bindMounts."draupnir-access-token" = {
- hostPath = "/etc/draupnir-cme-access-token";
- mountPoint = "/etc/draupnir-access-token";
- isReadOnly = true;
- };
-}
diff --git a/host/Rory-nginx/services/containers/draupnir-linux-mint/container.nix b/host/Rory-nginx/services/containers/draupnir-linux-mint/container.nix
deleted file mode 100755
index 17c981a..0000000
--- a/host/Rory-nginx/services/containers/draupnir-linux-mint/container.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{ nixpkgs-Draupnir, ... }:
-
-{
- privateNetwork = true;
- autoStart = true;
- specialArgs = {
- inherit nixpkgs-Draupnir;
- };
- config =
- { lib, pkgs, ... }:
- {
- imports = [
- ../shared.nix
- ./root.nix
- ./services/draupnir.nix
- "${nixpkgs-Draupnir}/nixos/modules/services/matrix/draupnir.nix"
- ];
- nixpkgs.overlays = [ (final: prev: { draupnir = nixpkgs-Draupnir.legacyPackages.${pkgs.stdenv.hostPlatform.system}.draupnir; }) ];
- };
- hostAddress = "192.168.100.1";
- localAddress = "192.168.100.19";
-
- bindMounts."draupnir-access-token" = {
- hostPath = "/etc/draupnir-linux-mint-access-token";
- mountPoint = "/etc/draupnir-access-token";
- isReadOnly = true;
- };
-}
diff --git a/host/Rory-nginx/services/containers/draupnir-linux-mint/root.nix b/host/Rory-nginx/services/containers/draupnir-linux-mint/root.nix
deleted file mode 100755
index 2254695..0000000
--- a/host/Rory-nginx/services/containers/draupnir-linux-mint/root.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ pkgs, ... }:
-
-{
- environment.etc."resolv.conf".text = ''
- nameserver 8.8.8.8
- nameserver 8.4.4.8
- nameserver 1.1.1.1
- nameserver 1.0.0.1
- '';
-
- networking.hosts = {
- "192.168.100.18" = [
- "matrix.rory.gay"
- "rory.gay"
- ];
- };
-
- networking.firewall = {
- enable = true;
- };
-}
diff --git a/host/Rory-nginx/services/containers/matrixunittests-conduit/container.nix b/host/Rory-nginx/services/containers/matrixunittests-conduit/container.nix
index 35c4bea..daefba1 100755..100644
--- a/host/Rory-nginx/services/containers/matrixunittests-conduit/container.nix
+++ b/host/Rory-nginx/services/containers/matrixunittests-conduit/container.nix
@@ -19,12 +19,7 @@
./services/nginx.nix
./services/conduit.nix
];
- environment.etc."resolv.conf".text = ''
- nameserver 8.8.8.8
- nameserver 8.4.4.8
- nameserver 1.1.1.1
- nameserver 1.0.0.1
- '';
+ networking.useHostResolvConf = true;
networking.firewall = {
enable = true;
allowedTCPPorts = [ 80 ];
diff --git a/host/Rory-nginx/services/containers/matrixunittests-conduit/services/conduit.nix b/host/Rory-nginx/services/containers/matrixunittests-conduit/services/conduit.nix
index 3df71be..3df71be 100755..100644
--- a/host/Rory-nginx/services/containers/matrixunittests-conduit/services/conduit.nix
+++ b/host/Rory-nginx/services/containers/matrixunittests-conduit/services/conduit.nix
diff --git a/host/Rory-nginx/services/containers/matrixunittests-conduit/services/nginx.nix b/host/Rory-nginx/services/containers/matrixunittests-conduit/services/nginx.nix
index 0d7874e..0d7874e 100755..100644
--- a/host/Rory-nginx/services/containers/matrixunittests-conduit/services/nginx.nix
+++ b/host/Rory-nginx/services/containers/matrixunittests-conduit/services/nginx.nix
diff --git a/host/Rory-nginx/services/containers/matrixunittests/container.nix b/host/Rory-nginx/services/containers/matrixunittests/container.nix
index 1de1ddf..cbd90f8 100755..100644
--- a/host/Rory-nginx/services/containers/matrixunittests/container.nix
+++ b/host/Rory-nginx/services/containers/matrixunittests/container.nix
@@ -17,12 +17,7 @@
grapevine.nixosModules.default
];
- environment.etc."resolv.conf".text = ''
- nameserver 8.8.8.8
- nameserver 8.4.4.8
- nameserver 1.1.1.1
- nameserver 1.0.0.1
- '';
+ networking.useHostResolvConf = true;
networking.firewall = {
enable = true;
allowedTCPPorts = [
diff --git a/host/Rory-nginx/services/containers/matrixunittests/services/conduit.nix b/host/Rory-nginx/services/containers/matrixunittests/services/conduit.nix
index a49a003..cd5776f 100755..100644
--- a/host/Rory-nginx/services/containers/matrixunittests/services/conduit.nix
+++ b/host/Rory-nginx/services/containers/matrixunittests/services/conduit.nix
@@ -6,13 +6,7 @@
enable = true;
settings = {
server_name = "matrixunittests.rory.gay";
- enable_lightning_bolt = true;
- max_concurrent_requests = 1000;
- allow_check_for_updates = false;
allow_registration = true;
- yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = true;
- allow_guest_registration = true;
- disable_federation = true;
listen = [
{
@@ -21,6 +15,8 @@
port = 6167;
}
];
+ federation.enable = false;
+ server_discovery.client.base_url = "https://matrixunittests.rory.gay"; # This is required for some reason
database = {
backend = "rocksdb";
@@ -44,5 +40,4 @@
Restart = "on-failure";
};
};
-
}
diff --git a/host/Rory-nginx/services/containers/matrixunittests/services/nginx.nix b/host/Rory-nginx/services/containers/matrixunittests/services/nginx.nix
index 0236182..0236182 100755..100644
--- a/host/Rory-nginx/services/containers/matrixunittests/services/nginx.nix
+++ b/host/Rory-nginx/services/containers/matrixunittests/services/nginx.nix
diff --git a/host/Rory-nginx/services/containers/pluralcontactbotpoc/container.nix b/host/Rory-nginx/services/containers/pluralcontactbotpoc/container.nix
index 38049db..6be7c83 100755..100644
--- a/host/Rory-nginx/services/containers/pluralcontactbotpoc/container.nix
+++ b/host/Rory-nginx/services/containers/pluralcontactbotpoc/container.nix
@@ -18,12 +18,7 @@
./root.nix
../shared.nix
];
- environment.etc."resolv.conf".text = ''
- nameserver 8.8.8.8
- nameserver 8.4.4.8
- nameserver 1.1.1.1
- nameserver 1.0.0.1
- '';
+ networking.useHostResolvConf = true;
networking.firewall = {
enable = true;
allowedTCPPorts = [ 80 ];
diff --git a/host/Rory-nginx/services/containers/pluralcontactbotpoc/root.nix b/host/Rory-nginx/services/containers/pluralcontactbotpoc/root.nix
index 11d0be3..11d0be3 100755..100644
--- a/host/Rory-nginx/services/containers/pluralcontactbotpoc/root.nix
+++ b/host/Rory-nginx/services/containers/pluralcontactbotpoc/root.nix
diff --git a/host/Rory-nginx/services/containers/pluralcontactbotpoc/services/conduit.nix b/host/Rory-nginx/services/containers/pluralcontactbotpoc/services/conduit.nix
index db9df9a..db9df9a 100755..100644
--- a/host/Rory-nginx/services/containers/pluralcontactbotpoc/services/conduit.nix
+++ b/host/Rory-nginx/services/containers/pluralcontactbotpoc/services/conduit.nix
diff --git a/host/Rory-nginx/services/containers/pluralcontactbotpoc/services/nginx.nix b/host/Rory-nginx/services/containers/pluralcontactbotpoc/services/nginx.nix
index 9d8041a..9d8041a 100755..100644
--- a/host/Rory-nginx/services/containers/pluralcontactbotpoc/services/nginx.nix
+++ b/host/Rory-nginx/services/containers/pluralcontactbotpoc/services/nginx.nix
diff --git a/host/Rory-nginx/services/containers/pluralcontactbotpoc/services/pantalaimon.nix b/host/Rory-nginx/services/containers/pluralcontactbotpoc/services/pantalaimon.nix
index 335176f..335176f 100755..100644
--- a/host/Rory-nginx/services/containers/pluralcontactbotpoc/services/pantalaimon.nix
+++ b/host/Rory-nginx/services/containers/pluralcontactbotpoc/services/pantalaimon.nix
diff --git a/host/Rory-nginx/services/deluge.nix b/host/Rory-nginx/services/deluge.nix
new file mode 100644
index 0000000..4a499ed
--- /dev/null
+++ b/host/Rory-nginx/services/deluge.nix
@@ -0,0 +1,14 @@
+{ ... }:
+
+{
+ # systemd.tmpfiles.rules = [ "d /data/ollama 0750 ostgres postgres" ];
+
+ services.deluge = {
+ enable = true;
+ web.enable = true;
+ #dataDir = "/mnt/torrent/deluge";
+ declarative = false;
+ user = "Rory";
+ group = "users";
+ };
+}
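Review bot: `user = "Rory"` runs the deluge daemon and its web UI as what appears to be the primary human account rather than the module's default `deluge` service user, so anything reaching the daemon (torrent payloads, the web UI, plugins) gets that account's full file access; the usual pattern is to keep the service user and give Rory read access via the `deluge` group or a shared download directory. With `declarative = false` the web UI keeps its stock password until changed by hand, so confirm the web port is not opened in the host firewall (not visible here) before relying on that. The first comment line (`/data/ollama 0750 ostgres postgres`) is a leftover from ollama.nix and should go.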
diff --git a/host/Rory-nginx/services/jitsi.nix b/host/Rory-nginx/services/jitsi.nix
index 9fe8d73..9fe8d73 100755..100644
--- a/host/Rory-nginx/services/jitsi.nix
+++ b/host/Rory-nginx/services/jitsi.nix
diff --git a/host/Rory-nginx/services/mastodon.nix b/host/Rory-nginx/services/mastodon.nix
new file mode 100644
index 0000000..56f1808
--- /dev/null
+++ b/host/Rory-nginx/services/mastodon.nix
@@ -0,0 +1,12 @@
+{ ... }:
+
+{
+ services.mastodon = {
+ enable = true;
+ webProcesses = 8;
+ webThreads = 4;
+
+ streamingProcesses = 63;
+ localDomain = "rory.gay";
+ };
+}
diff --git a/host/Rory-nginx/services/matrix/grapevine.nix b/host/Rory-nginx/services/matrix/grapevine.nix
index 0f0006b..c73b48c 100755..100644
--- a/host/Rory-nginx/services/matrix/grapevine.nix
+++ b/host/Rory-nginx/services/matrix/grapevine.nix
@@ -6,7 +6,7 @@
settings = {
conduit_compat = true;
server_name = "conduit.rory.gay";
- trusted_servers = [ "rory.gay" ];
+ #trusted_servers = [ "rory.gay" ];
listen = [
{
@@ -15,17 +15,16 @@
port = 6167;
}
];
+ server_discovery.client.base_url = "https://conduit.rory.gay"; # This is required for some reason
database = {
backend = "rocksdb";
};
-
- allow_check_for_updates = false;
allow_registration = false;
#log = "info";
#log_format = "full";
- log = "debug";
+ #log = "debug";
};
};
}
diff --git a/host/Rory-nginx/services/matrix/ooye.nix b/host/Rory-nginx/services/matrix/ooye.nix
new file mode 100644
index 0000000..7b9c403
--- /dev/null
+++ b/host/Rory-nginx/services/matrix/ooye.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+ services.matrix-ooye = {
+ enable = true;
+ homeserver = "https://matrix.rory.gay";
+ homeserverName = "rory.gay";
+ enableSynapseIntegration = true;
+ };
+}
diff --git a/host/Rory-nginx/services/matrix/root.nix b/host/Rory-nginx/services/matrix/root.nix
index b13c38a..5bb3915 100755..100644
--- a/host/Rory-nginx/services/matrix/root.nix
+++ b/host/Rory-nginx/services/matrix/root.nix
@@ -7,7 +7,8 @@
./matrix-appservice-discord.nix
./draupnir.nix
./grapevine.nix
- ./sliding-sync.nix
+ # ./sliding-sync.nix # removed from nixpkgs, use synapse support instead
+ ./ooye.nix
];
}
diff --git a/host/Rory-nginx/services/matrix/sliding-sync.nix b/host/Rory-nginx/services/matrix/sliding-sync.nix
deleted file mode 100644
index a8fbd0c..0000000
--- a/host/Rory-nginx/services/matrix/sliding-sync.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{ ... }:
-{
- services.matrix-sliding-sync = {
- enable = true;
- settings = {
- "SYNCV3_SERVER" = "http://matrix.rory.gay";
- "SYNCV3_DB" = "postgresql://%2Frun%2Fpostgresql/syncv3";
- "SYNCV3_BINDADDR" = "0.0.0.0:8100";
- };
- environmentFile = "/etc/sliding-sync.env";
- };
-}
diff --git a/host/Rory-nginx/services/matrix/synapse/db.nix b/host/Rory-nginx/services/matrix/synapse/db.nix
index 77d9773..409c039 100644
--- a/host/Rory-nginx/services/matrix/synapse/db.nix
+++ b/host/Rory-nginx/services/matrix/synapse/db.nix
@@ -32,19 +32,18 @@
10
else
throw "synapse/db.nix: Invalid dbGroup: ${if dbGroup == null then "null" else dbGroup}";
-
+
# cp_reconnect - default=True - https://github.com/element-hq/synapse/blob/develop/synapse/storage/database.py#L129
# cp_noisy - default=False - https://docs.twisted.org/en/stable/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__ - info logs during operation
# check_same_thread - default=False - https://github.com/element-hq/synapse/blob/develop/synapse/config/database.py#L65 - can this even be set?
};
-
-
- # synchronous_commit - default=True - https://github.com/element-hq/synapse/blob/develop/synapse/storage/engines/postgres.py#L56
+
+ # synchronous_commit - default=True - https://github.com/element-hq/synapse/blob/develop/synapse/storage/engines/postgres.py#L56
# statement_timeout - default=60 * 60 * 1000 ms - https://github.com/element-hq/synapse/blob/develop/synapse/storage/engines/postgres.py#L63
# allow_unsafe_locale - default=False - https://github.com/element-hq/synapse/blob/develop/synapse/storage/engines/postgres.py#L99
# allow_outdated_version - default=False - https://github.com/element-hq/synapse/blob/develop/synapse/storage/engines/postgres.py#L92 - needs source link
# txn_limit - default=0 - https://github.com/element-hq/synapse/blob/develop/synapse/storage/database.py#L564
-
- statement_timeout = 24 * 60 * 60 * 1000; #24 hours, good for bg jobs
- txn_limit = 500; #maybe dropping old data from pg caches helps?
+
+ statement_timeout = 24 * 60 * 60 * 1000; # 24 hours, good for bg jobs
+ txn_limit = 500; # maybe dropping old data from pg caches helps?
}
diff --git a/host/Rory-nginx/services/matrix/synapse/ratelimits.nix b/host/Rory-nginx/services/matrix/synapse/ratelimits.nix
index ffce1cc..d6d4a94 100644
--- a/host/Rory-nginx/services/matrix/synapse/ratelimits.nix
+++ b/host/Rory-nginx/services/matrix/synapse/ratelimits.nix
@@ -53,7 +53,7 @@
reject_limit = 1000;
concurrent = 100;
};
- federation_rr_transactions_per_room_per_second = 1;
+ federation_rr_transactions_per_room_per_second = 1000;
# media
rc_media_create = {
@@ -82,4 +82,16 @@
per_second = 1000;
burst_count = 1000;
};
+
+ #presence
+ rc_presence.per_user = {
+ per_second = 1;
+ burst_count = 2;
+ };
+
+ #delayed events
+ rc_delayed_event_mgmt = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
}
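Review bot: `federation_rr_transactions_per_room_per_second` jumps from 1 to 1000 and the new `rc_delayed_event_mgmt` is 1000/1000, which effectively switches both limits off; the delayed-event limit in particular exists to stop a single user from queuing large numbers of scheduled events, and the other entries in this file document the default they override. Add the same context here, e.g. `federation_rr_transactions_per_room_per_second = 1000; # was 1; Synapse default is 50 — effectively unbatched` and a comment on why delayed-event management needs no limit on this server, or pick a bounded value.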
diff --git a/host/Rory-nginx/services/matrix/synapse/synapse-main.nix b/host/Rory-nginx/services/matrix/synapse/synapse-main.nix
index d1dafb1..d65b614 100755..100644
--- a/host/Rory-nginx/services/matrix/synapse/synapse-main.nix
+++ b/host/Rory-nginx/services/matrix/synapse/synapse-main.nix
@@ -18,7 +18,7 @@
clientReaders = 2; # 4
syncWorkers = 2; # 4
authWorkers = 0;
-
+
eventCreators = 16;
federationReaders = 8; # 8
@@ -40,149 +40,152 @@
#sharedStreamWriters = 1;
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html
- settings = {
- server_name = "rory.gay";
-
-# use_frozen_dicts = true;
-# user_agent_suffix = " (rory.gay)";
-
- # look into later: replication_torture_level - https://github.com/element-hq/synapse/blob/develop/synapse/config/server.py#L560
- # limit_remote_rooms ???
- # cleanup_extremities_with_dummy_events - default=True
- # dummy_devents_treshold - default=10 - required forward extremities to send dummy event
- # enable_ephemeral_messages - default=False - ???
- # rooms_to_exclude_from_sync - default=[] - room ids...
- # third_party_event_rules - https://github.com/element-hq/synapse/blob/develop/synapse/config/third_party_event_rules.py - ???
- # default_power_level_content_override - default=None - https://github.com/element-hq/synapse/blob/develop/synapse/config/room.py#L73
-
- dummy_devents_treshold = 2;
- cleanup_extremities_with_dummy_events = true;
-
- enable_registration = true;
- registration_requires_token = true;
-
- require_membership_for_aliases = false;
- redaction_retention_period = null;
- user_ips_max_age = null;
- allow_device_name_lookup_over_federation = true;
-
- federation = {
- client_timeout = "30s"; # default=60s
- max_short_retries = 12;
- max_short_retry_delay = "5s";
- max_long_retries = 5;
- max_long_retry_delay = "30s";
-
- # rapid retry, small increments
- destination_min_retry_interval = "5m"; # default=10m
- destination_max_retry_interval = "12h"; #default=7d
- destination_retry_multiplier = 1.2; #default=2
- };
-
- registration_shared_secret_path = "/var/lib/matrix-synapse/registration_shared_secret.txt";
-
- listeners = [
- {
- port = 8008;
- bind_addresses = [ "127.0.0.1" ];
- type = "http";
- tls = false;
- x_forwarded = true;
- resources = [
- {
- names = [
- "client"
- "federation"
- ];
- compress = false;
- }
- ];
- }
- {
- type = "http";
- path = "/run/matrix-synapse/main.sock";
- resources = [
- {
- names = [ "replication" ];
- compress = false;
- }
- ];
- }
- ];
- presence = {
- enablee = true;
- update_interval = 60;
- };
- database = (
- import ./db.nix {
- workerName = "main";
- dbGroup = "medium";
- }
- );
- app_service_config_files = [
- #"/etc/matrix-synapse/appservice-registration.yaml"
- "/var/lib/matrix-synapse/modas-registration.yaml"
- ];
-
- #region Media
- max_upload_size = "512M";
-
- max_avatar_size = "512M";
- max_image_pixels = "250M";
-
- max_pending_media_uploads = 512;
- dynamic_thumbnails = true;
-
- prevent_media_downloads_from = [
- # none, give me all the media
- ];
- enable_authenticated_media = false;
-
- url_preview_enabled = true;
- max_spider_size = "50M";
-
- #endregion
-
- ui_auth = {
- session_timeout = "1m";
- };
-
- login_via_existing_session = {
- enabled = true;
- require_ui_auth = true;
- token_timeout = "1y";
- };
-
- report_stats = false;
-
- user_directory = {
- enabled = true;
- search_all_users = true;
- prefer_local_users = true;
- };
-
- # https://github.com/element-hq/synapse/blob/master/synapse/config/experimental.py
- experimental_features = {
- "msc2815_enabled" = true; # Redacted event content
- "msc3026_enabled" = true; # Busy presence
- "msc3266_enabled" = true; # Room summary API
- "msc3916_authenticated_media_enabled" = true; # Authenticated media
- "msc3823_account_suspension" = true; # Account suspension
- "msc4151_enabled" = true; # Report room API (CS-API)
- };
-
- redis = {
- enabled = true;
- path = "/run/redis-matrix-synapse/redis.sock";
- };
-
- instance_map = {
- main = {
- # replication listener
- path = "/run/matrix-synapse/main.sock";
+ settings =
+ {
+ server_name = "rory.gay";
+
+ # use_frozen_dicts = true;
+ # user_agent_suffix = " (rory.gay)";
+
+ # look into later: replication_torture_level - https://github.com/element-hq/synapse/blob/develop/synapse/config/server.py#L560
+ # limit_remote_rooms ???
+ # cleanup_extremities_with_dummy_events - default=True
+ # dummy_devents_treshold - default=10 - required forward extremities to send dummy event
+ # enable_ephemeral_messages - default=False - ???
+ # rooms_to_exclude_from_sync - default=[] - room ids...
+ # third_party_event_rules - https://github.com/element-hq/synapse/blob/develop/synapse/config/third_party_event_rules.py - ???
+ # default_power_level_content_override - default=None - https://github.com/element-hq/synapse/blob/develop/synapse/config/room.py#L73
+
+ dummy_devents_treshold = 2;
+ cleanup_extremities_with_dummy_events = true;
+
+ enable_registration = true;
+ registration_requires_token = true;
+
+ require_membership_for_aliases = false;
+ redaction_retention_period = null;
+ user_ips_max_age = null;
+ allow_device_name_lookup_over_federation = true;
+
+ federation = {
+ client_timeout = "30s"; # default=60s
+ max_short_retries = 12;
+ max_short_retry_delay = "5s";
+ max_long_retries = 5;
+ max_long_retry_delay = "30s";
+
+ # rapid retry, small increments
+ destination_min_retry_interval = "5m"; # default=10m
+ destination_max_retry_interval = "12h"; # default=7d
+ destination_retry_multiplier = 1.2; # default=2
+ };
+
+ registration_shared_secret_path = "/var/lib/matrix-synapse/registration_shared_secret.txt";
+
+ listeners = [
+ {
+ port = 8008;
+ bind_addresses = [ "127.0.0.1" ];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ {
+ names = [
+ "client"
+ "federation"
+ ];
+ compress = false;
+ }
+ ];
+ }
+ {
+ type = "http";
+ path = "/run/matrix-synapse/main.sock";
+ resources = [
+ {
+ names = [ "replication" ];
+ compress = false;
+ }
+ ];
+ }
+ ];
+ presence = {
+ enablee = true;
+ update_interval = 60;
+ };
+ database = (
+ import ./db.nix {
+ workerName = "main";
+ dbGroup = "medium";
+ }
+ );
+ app_service_config_files = [
+ #"/etc/matrix-synapse/appservice-registration.yaml"
+ "/var/lib/matrix-synapse/modas-registration.yaml"
+ ];
+
+ #region Media
+ max_upload_size = "512M";
+
+ max_avatar_size = "512M";
+ max_image_pixels = "250M";
+
+ max_pending_media_uploads = 512;
+ dynamic_thumbnails = true;
+
+ prevent_media_downloads_from = [
+ # none, give me all the media
+ ];
+ enable_authenticated_media = false;
+
+ url_preview_enabled = true;
+ max_spider_size = "50M";
+
+ #endregion
+
+ ui_auth = {
+ session_timeout = "1m";
+ };
+
+ login_via_existing_session = {
+ enabled = true;
+ require_ui_auth = true;
+ token_timeout = "1y";
+ };
+
+ report_stats = false;
+
+ user_directory = {
+ enabled = true;
+ search_all_users = true;
+ prefer_local_users = true;
+ };
+
+ # https://github.com/element-hq/synapse/blob/master/synapse/config/experimental.py
+ experimental_features = {
+ "msc2815_enabled" = true; # Redacted event content
+ "msc3026_enabled" = true; # Busy presence
+ "msc3266_enabled" = true; # Room summary API
+ "msc3916_authenticated_media_enabled" = true; # Authenticated media
+ "msc3823_account_suspension" = true; # Account suspension
+ "msc4151_enabled" = true; # Report room API (CS-API)
+ };
+
+ redis = {
+ enabled = true;
+ path = "/run/redis-matrix-synapse/redis.sock";
+ };
+
+ instance_map = {
+ main = {
+ # replication listener
+ path = "/run/matrix-synapse/main.sock";
+ };
};
- };
- } // import ./ratelimits.nix // import ./caches.nix;
+ }
+ // import ./ratelimits.nix
+ // import ./caches.nix;
};
systemd.services.matrix-synapse-reg-token = {
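Review bot: The `presence` block on the new side still carries the misspelled key `enablee = true;`; Synapse reads `presence.enabled`, so this key is silently ignored and the block only sets `update_interval` — it should read `enabled = true;`. Related, `enable_authenticated_media = false` sits next to `"msc3916_authenticated_media_enabled" = true` in `experimental_features`; in recent Synapse the MSC flag was superseded by the stable option, so the effective state is most likely unauthenticated media, which means any media id is fetchable without a token and remote servers can use this deployment as an open media cache — please confirm the Synapse version and decide on one setting, with a comment stating the intent. Finally, `max_image_pixels = "250M"` means the thumbnailer will happily decode a 250-megapixel image from any uploader, which is decompression-bomb territory for the media workers; the Synapse default (32M) is a reasonable ceiling unless there is a concrete need.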
@@ -207,7 +210,7 @@
};
services.redis = {
- package = pkgs.keydb;
+ package = pkgs.valkey;
servers.matrix-synapse = {
enable = true;
user = "matrix-synapse";
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/auth.nix b/host/Rory-nginx/services/matrix/synapse/workers/auth.nix
index 3c8d1e9..6e97c15 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/auth.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/auth.nix
@@ -97,6 +97,7 @@ in
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/client-reader.nix b/host/Rory-nginx/services/matrix/synapse/workers/client-reader.nix
index 9a0aafa..f327004 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/client-reader.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/client-reader.nix
@@ -28,6 +28,8 @@ let
# unstable
"~ ^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$"
+ "~ ^/_matrix/client/v3/keys/query$"
+ "~ ^/_matrix/client/v3/room_keys/keys/"
]
++ lib.optionals (cfg.authWorkers == 0) [
"~ ^/_matrix/client/(api/v1|r0|v3|unstable)/login$"
@@ -113,13 +115,15 @@ in
value = {
extraConfig = ''
keepalive 32;
- least_conn;
+# least_conn;
+ hash $request_uri consistent;
'';
servers = lib.listToAttrs (
lib.map (index: {
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
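Review bot: `hash $request_uri consistent;` pins every distinct URI to one worker, which for client readers means hot, identical URIs such as `/keys/query` or `/login` all land on a single socket and the second worker idles — the opposite of what `least_conn` gave you, and a cheap way for one client to saturate one worker. If the intent is cache locality per user, hashing on something per-client (`hash $remote_addr consistent;` or the bearer token) gets affinity without hot-spotting; otherwise keep `least_conn;`. Also note `fail_timeout = "0s"` is inert here because `max_fails = 0` already disables failure accounting in nginx, so a short comment like `# max_fails 0 disables health marking; fail_timeout kept explicit for clarity` would save the next reader a lookup.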
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/event-creator.nix b/host/Rory-nginx/services/matrix/synapse/workers/event-creator.nix
index 2be7a5b..1c08d4b 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/event-creator.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/event-creator.nix
@@ -13,6 +13,7 @@ let
"~ ^/_matrix/client/(api/v1|r0|v3|unstable)/join/"
"~ ^/_matrix/client/(api/v1|r0|v3|unstable)/knock/"
"~ ^/_matrix/client/(api/v1|r0|v3|unstable)/profile/"
+ "~ ^/_synapse/admin/v1/rooms" # We have a lot of them, so let's do a bunch of jobs at once!
];
federation = [ ];
media = [ ];
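Review bot: `"~ ^/_synapse/admin/v1/rooms"` is unanchored on the right, so it also sends room delete/block/purge admin requests (`/_synapse/admin/v1/rooms/<id>` with DELETE, `/rooms/<id>/block`, …) to an event-creator worker; the Synapse workers doc only lists a subset of admin room endpoints as worker-safe, and the rest must reach the main process — please check the list and tighten the regex (for example `"~ ^/_synapse/admin/v1/rooms/[^/]+/(members|state|messages|timestamp_to_event)$"` or whatever subset applies). Since this location lives under the public virtual host, it is also worth confirming elsewhere that `/_synapse/admin/` is IP-restricted or otherwise not reachable from the internet; that is not visible in this hunk. The route list starts before this hunk.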
@@ -86,13 +87,15 @@ in
value = {
extraConfig = ''
keepalive 32;
- least_conn;
+# least_conn;
+ hash $request_uri consistent;
'';
servers = lib.listToAttrs (
lib.map (index: {
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/federation-inbound.nix b/host/Rory-nginx/services/matrix/synapse/workers/federation-inbound.nix
index effaa69..bdaf456 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/federation-inbound.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/federation-inbound.nix
@@ -86,6 +86,7 @@ in
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/federation-reader.nix b/host/Rory-nginx/services/matrix/synapse/workers/federation-reader.nix
index 5b3d4bf..c5852d3 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/federation-reader.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/federation-reader.nix
@@ -21,14 +21,16 @@ let
"~ ^/_matrix/federation/(v1|v2)/send_leave/"
"~ ^/_matrix/federation/v1/make_knock/"
"~ ^/_matrix/federation/v1/send_knock/"
- "~ ^/_matrix/federation/(v1|v2)/invite/"
+ "~ ^/_matrix/federation/(v1|v2)/invite/" # Needs special handling, define manually
"~ ^/_matrix/federation/(v1|v2)/query_auth/"
"~ ^/_matrix/federation/(v1|v2)/event_auth/"
"~ ^/_matrix/federation/v1/timestamp_to_event/"
"~ ^/_matrix/federation/(v1|v2)/exchange_third_party_invite/"
"~ ^/_matrix/federation/(v1|v2)/user/devices/"
"~ ^/_matrix/federation/(v1|v2)/get_groups_publicised$"
+ "~ ^/_matrix/federation/v1/hierarchy/"
"~ ^/_matrix/key/v2/query"
+ "~ ^/_matrix/federation/v1/user/keys/query$"
# extra
"~ ^/_matrix/key/v2/server$"
];
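Review bot: The new comment on the invite route says it "Needs special handling, define manually", yet the route is still in the generic federation list and the manual `invite` location added later in this file is fully commented out, so invites are routed exactly as before and the `$mx_can_invite` map introduced in module.nix is never consulted — the comment currently documents an intention, not the configuration. Either drop the comment until the manual block is live, or remove the route from this list and enable the dedicated location in the same change so the two cannot drift. The route list starts before this hunk.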
@@ -110,6 +112,7 @@ in
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
@@ -134,6 +137,14 @@ in
)
)
);
+
+ #virtualHosts."${cfg.nginxVirtualHostName}".locations."~ ^/_matrix/federation/(v1|v2)/invite/" = {
+ # proxyPass = "http://${workerName}-federation";
+ # extraConfig = ''
+ # proxy_http_version 1.1;
+ # proxy_set_header Connection "";
+ # '';
+ #};
};
};
}
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/federation-sender.nix b/host/Rory-nginx/services/matrix/synapse/workers/federation-sender.nix
index 468916e..c2622be 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/federation-sender.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/federation-sender.nix
@@ -88,6 +88,7 @@ in
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/media-repo.nix b/host/Rory-nginx/services/matrix/synapse/workers/media-repo.nix
index e52010c..25271a5 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/media-repo.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/media-repo.nix
@@ -14,6 +14,7 @@ let
"~ ^/_synapse/admin/v1/purge_media_cache$"
"~ ^/_synapse/admin/v1/room/.*/media.*$"
"~ ^/_synapse/admin/v1/user/.*/media.*$"
+ "~ ^/_synapse/admin/v1/users/.*/media$"
"~ ^/_synapse/admin/v1/media/.*$"
"~ ^/_synapse/admin/v1/quarantine_media/.*$"
"~ ^/_matrix/media/"
@@ -106,6 +107,7 @@ in
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/module.nix b/host/Rory-nginx/services/matrix/synapse/workers/module.nix
index 32f2095..3b6456b 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/module.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/module.nix
@@ -33,7 +33,7 @@ in
./stream-writers/to_device-stream-writer.nix
./stream-writers/typing-stream-writer.nix
-# ./stream-writers/shared-stream-writer.nix
+ # ./stream-writers/shared-stream-writer.nix
];
options.services.matrix-synapse = {
enableWorkers = lib.mkEnableOption "Enable dedicated workers";
@@ -60,7 +60,7 @@ in
receiptStreamWriters = mkIntOption "Number of read receipt stream writers";
presenceStreamWriters = mkIntOption "Number of presence stream writers";
pushRuleStreamWriters = mkIntOption "Number of push rule stream writers";
-
+
sharedStreamWriters = mkIntOption "Number of shared stream writers";
nginxVirtualHostName = lib.mkOption {
@@ -68,6 +68,12 @@ in
default = null;
description = "The virtual host name for the nginx server";
};
+
+ allowedRemoteInviteOrigins = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = [ ];
+ description = "List of allowed remote invite origins";
+ };
};
config = {
@@ -77,7 +83,6 @@ in
message = "nginxVirtualHostName must be set when enableWorkers is true";
}
-
# Stream types and count limitations: https://github.com/element-hq/synapse/blob/develop/synapse/config/workers.py#L344
{
assertion = cfg.typingStreamWriters <= 1;
@@ -104,11 +109,26 @@ in
assertion = cfg.pushRuleStreamWriters <= 1;
message = "Only one push rule stream writer is supported";
}
-
+
{
assertion = cfg.sharedStreamWriters <= 1;
message = "Only one shared stream writer is supported";
}
];
+
+ # Matrix utility maps
+ services.nginx.appendHttpConfig = ''
+ # Map authorization header to origin name
+ map $http_authorization $mx_origin_name {
+ default "";
+ "~*X-Matrix origin=(?<origin>[^,]+)" $origin;
+ }
+
+ # Map origin name to whether it can invite
+ map $mx_origin_name $mx_can_invite {
+ default 0;
+ ${lib.concatMapStringsSep "\n" (origin: " \"${origin}\" 1;") cfg.allowedRemoteInviteOrigins}
+ }
+ '';
};
}
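Review bot: `$mx_origin_name` is extracted from the raw `Authorization` header without any signature check, so `$mx_can_invite` is a self-declared claim — anyone can send `Authorization: X-Matrix origin=<allowlisted-server>,...` and pass the nginx gate; this map can only serve as a cheap deny-by-default prefilter in front of Synapse's own X-Matrix signature verification, never as authorization, and the option description should say so, e.g. `description = "Servers whose invites are forwarded to Synapse; nginx does not verify the X-Matrix signature, Synapse still must";`. The regex also breaks on the quoted form the spec allows (`origin="example.org"`) and on a leading space, because `[^,]+` keeps the quotes; something like `"~*origin=\"?(?<origin>[^,\" ]+)" $origin;` matches both forms. Lastly, each allowlist entry is interpolated into the nginx config unescaped — fine for operator-supplied hostnames, but worth a `lib.types.str` check or comment that values must be plain server names.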
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/pusher.nix b/host/Rory-nginx/services/matrix/synapse/workers/pusher.nix
index edf1632..05f8c1a 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/pusher.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/pusher.nix
@@ -87,6 +87,7 @@ in
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/account_data-stream-writer.nix b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/account_data-stream-writer.nix
index 48649f6..ee9e8c9 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/account_data-stream-writer.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/account_data-stream-writer.nix
@@ -92,6 +92,7 @@ in
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/event-stream-writer.nix b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/event-stream-writer.nix
index 5395aea..2772e0f 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/event-stream-writer.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/event-stream-writer.nix
@@ -89,6 +89,7 @@ in
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/presence-stream-writer.nix b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/presence-stream-writer.nix
index e6487ca..e496715 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/presence-stream-writer.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/presence-stream-writer.nix
@@ -89,6 +89,7 @@ in
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/push_rule-stream-writer.nix b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/push_rule-stream-writer.nix
index 4a4af04..4c44de5 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/push_rule-stream-writer.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/push_rule-stream-writer.nix
@@ -89,6 +89,7 @@ in
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/receipt-stream-writer.nix b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/receipt-stream-writer.nix
index 54c31b4..ce7f028 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/receipt-stream-writer.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/receipt-stream-writer.nix
@@ -92,6 +92,7 @@ in
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/shared-stream-writer.nix b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/shared-stream-writer.nix
index 5fd0bd0..1170613 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/shared-stream-writer.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/shared-stream-writer.nix
@@ -95,6 +95,7 @@ in
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/to_device-stream-writer.nix b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/to_device-stream-writer.nix
index 2b487d6..689805b 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/to_device-stream-writer.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/to_device-stream-writer.nix
@@ -89,6 +89,7 @@ in
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/typing-stream-writer.nix b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/typing-stream-writer.nix
index 5bff505..a046ca6 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/typing-stream-writer.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/typing-stream-writer.nix
@@ -89,6 +89,7 @@ in
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/sync.nix b/host/Rory-nginx/services/matrix/synapse/workers/sync.nix
index 67b63dd..fbdb73e 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/sync.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/sync.nix
@@ -11,6 +11,7 @@ let
"~ ^/_matrix/client/(api/v1|v2_alpha|r0|v3)/events$"
"~ ^/_matrix/client/(api/v1|r0|v3)/initialSync$"
"~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$"
+ "~ ^/_matrix/client/unstable/org.matrix.simplified_msc3575/sync$"
];
federation = [ ];
media = [ ];
@@ -91,6 +92,7 @@ in
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
diff --git a/host/Rory-nginx/services/nginx/nginx.nix b/host/Rory-nginx/services/nginx/nginx.nix
index bd6e62d..0547cd5 100755..100644
--- a/host/Rory-nginx/services/nginx/nginx.nix
+++ b/host/Rory-nginx/services/nginx/nginx.nix
@@ -22,7 +22,7 @@ in
#recommendedGzipSettings = true;
recommendedBrotliSettings = true;
recommendedOptimisation = true;
- defaultMimeTypes = ../../../../modules/packages/nginx/mime.types;
+ defaultMimeTypes = ../../../../packages/nginx/mime.types;
appendConfig = ''
worker_processes 16;
'';
@@ -38,23 +38,13 @@ in
'';
additionalModules = with pkgs.nginxModules; [ moreheaders ];
virtualHosts = {
- "boorunav.com" = serveDir { path = "/data/nginx/html_boorunav"; };
- "catgirlsaresexy.com" = serveDir { path = "/data/nginx/html_catgirlsaresexy"; };
"sugarcanemc.org" = serveDir { path = "/data/nginx/html_sugarcanemc"; };
- "siliconheaven.thearcanebrony.net" = serveDir { path = "/data/nginx/html_siliconheaven"; };
- "lfs.thearcanebrony.net" = serveDir { path = "/data/nginx/html_lfs"; };
- "git.thearcanebrony.net" = serveDir { path = "/data/nginx/html_git"; };
- "files.thearcanebrony.net" = serveDir { path = "/data/nginx/html_files"; };
- "spigotav.thearcanebrony.net" = serveDir { path = "/data/nginx/html_spigotav"; };
- "terra.thearcanebrony.net" = serveDir { path = "/data/nginx/html_terrarchive"; };
- "vives.thearcanebrony.net" = serveDir { path = "/data/nginx/html_vives"; };
-
- "git.rory.gay" = serveDir { path = "/data/nginx/html_git"; };
- "wad.rory.gay" = serveDir { path = "/data/nginx/html_wad"; } // { locations."/".extraConfig = "autoindex on; try_files $uri $uri/ /index.html;"; };
+ "wad.rory.gay" = serveDir { path = "/data/nginx/html_wad"; } // {
+ locations."/".extraConfig = "autoindex on; try_files $uri $uri/ /index.html;";
+ };
"wad-api.rory.gay" = import ./rory.gay/wad-api.nix;
- "thearcanebrony.net" = import ./thearcanebrony.net/root.nix;
"sentry.thearcanebrony.net" = import ./thearcanebrony.net/sentry.nix;
"search.thearcanebrony.net" = import ./thearcanebrony.net/search.nix;
@@ -67,11 +57,9 @@ in
#matrix...
"conduit.rory.gay" = import ./rory.gay/conduit.nix;
- "matrix.rory.gay" = import ./rory.gay/matrix.nix;
"pcpoc.rory.gay" = import ./rory.gay/pcpoc.nix;
"matrixunittests.rory.gay" = import ./rory.gay/matrixunittests.nix;
"conduit.matrixunittests.rory.gay" = import ./rory.gay/conduit.matrixunittests.nix;
- "mru.rory.gay" = import ./rory.gay/mru.nix;
#bots...
"0bottests.bots.rory.gay" = import ./rory.gay/bots.nix;
@@ -101,7 +89,7 @@ in
};
systemd.services.nginx.requires = [ "data.mount" ];
security.acme.acceptTerms = true;
- security.acme.defaults.email = "root@thearcanebrony.net";
+ security.acme.defaults.email = "root@rory.gay";
networking.hosts."127.0.0.1" = builtins.attrNames config.services.nginx.virtualHosts;
}
diff --git a/host/Rory-nginx/services/nginx/rory.gay/bots.nix b/host/Rory-nginx/services/nginx/rory.gay/bots.nix
index 9bd18a8..9bd18a8 100755..100644
--- a/host/Rory-nginx/services/nginx/rory.gay/bots.nix
+++ b/host/Rory-nginx/services/nginx/rory.gay/bots.nix
diff --git a/host/Rory-nginx/services/nginx/rory.gay/cgit.nix b/host/Rory-nginx/services/nginx/rory.gay/cgit.nix
index 812e946..812e946 100755..100644
--- a/host/Rory-nginx/services/nginx/rory.gay/cgit.nix
+++ b/host/Rory-nginx/services/nginx/rory.gay/cgit.nix
diff --git a/host/Rory-nginx/services/nginx/rory.gay/conduit.matrixunittests.nix b/host/Rory-nginx/services/nginx/rory.gay/conduit.matrixunittests.nix
index 9503747..9503747 100755..100644
--- a/host/Rory-nginx/services/nginx/rory.gay/conduit.matrixunittests.nix
+++ b/host/Rory-nginx/services/nginx/rory.gay/conduit.matrixunittests.nix
diff --git a/host/Rory-nginx/services/nginx/rory.gay/conduit.nix b/host/Rory-nginx/services/nginx/rory.gay/conduit.nix
index 250a6b2..ef0fbd8 100755..100644
--- a/host/Rory-nginx/services/nginx/rory.gay/conduit.nix
+++ b/host/Rory-nginx/services/nginx/rory.gay/conduit.nix
@@ -26,7 +26,7 @@
proxy_send_timeout 54000;
'';
};
- #locations."/_synapse/client".proxyPass = "http://192.168.1.5:8008";
+ #locations."/_synapse/client".proxyPass = "http://192.168.1.5:8008";
locations."/_conduwuit/".extraConfig = ''
return 404;
'';
diff --git a/host/Rory-nginx/services/nginx/rory.gay/ec.nix b/host/Rory-nginx/services/nginx/rory.gay/ec.nix
new file mode 100644
index 0000000..0985503
--- /dev/null
+++ b/host/Rory-nginx/services/nginx/rory.gay/ec.nix
@@ -0,0 +1,26 @@
+{
+ enableACME = true;
+ addSSL = true;
+ kTLS = true;
+ root = "/data/nginx/html_ec";
+ reuseport = true;
+ extraConfig = ''
+ brotli off;
+ brotli_static off;
+ '';
+ locations = {
+ "/" = {
+ index = "index.html";
+ extraConfig = ''
+ more_set_headers 'Access-Control-Allow-Origin: *';
+ more_set_headers 'Access-Control-Allow-Methods: *';
+ more_set_headers 'Access-Control-Allow-Headers: *';
+ more_set_headers 'Access-Control-Expose-Headers: *';
+ more_set_headers 'Access-Control-Max-Age' 1728000;
+
+ # default to /index.html if file not found
+ try_files $uri $uri/ /index.html;
+ '';
+ };
+ };
+}
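Review bot: `more_set_headers 'Access-Control-Max-Age' 1728000;` passes two separate arguments, neither of which is a `Name: value` header string, so the intended header is not set (and headers-more may reject it at config load); it should be `more_set_headers 'Access-Control-Max-Age: 1728000';`. The four wildcard CORS headers are acceptable only because this is an uncredentialed static site — note that the `*` in `Access-Control-Allow-Headers` does not cover `Authorization` under the Fetch spec, so if this origin ever fronts an authenticated API the wildcard will not help. `reuseport = true` is also enabled here while the same commit comments it out in mru.nix, presumably because nginx allows `reuseport` only once per listen address; please confirm this vhost does not reintroduce that conflict.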
diff --git a/host/Rory-nginx/services/nginx/rory.gay/jitsi.nix b/host/Rory-nginx/services/nginx/rory.gay/jitsi.nix
index f6091bc..9469087 100755..100644
--- a/host/Rory-nginx/services/nginx/rory.gay/jitsi.nix
+++ b/host/Rory-nginx/services/nginx/rory.gay/jitsi.nix
@@ -39,7 +39,13 @@ in
proxy_set_header Host $host;
'';
};
- locations."=/external_api.js" = lib.mkDefault { alias = "${pkgs.jitsi-meet}/libs/external_api.min.js"; };
- locations."=/config.js" = lib.mkDefault { alias = overrideJs "${pkgs.jitsi-meet}/config.js" "config" (lib.recursiveUpdate defaultCfg cfg.config) cfg.extraConfig; };
- locations."=/interface_config.js" = lib.mkDefault { alias = overrideJs "${pkgs.jitsi-meet}/interface_config.js" "interfaceConfig" cfg.interfaceConfig ""; };
+ locations."=/external_api.js" = lib.mkDefault {
+ alias = "${pkgs.jitsi-meet}/libs/external_api.min.js";
+ };
+ locations."=/config.js" = lib.mkDefault {
+ alias = overrideJs "${pkgs.jitsi-meet}/config.js" "config" (lib.recursiveUpdate defaultCfg cfg.config) cfg.extraConfig;
+ };
+ locations."=/interface_config.js" = lib.mkDefault {
+ alias = overrideJs "${pkgs.jitsi-meet}/interface_config.js" "interfaceConfig" cfg.interfaceConfig "";
+ };
}
diff --git a/host/Rory-nginx/services/nginx/rory.gay/matrix-bak.nix b/host/Rory-nginx/services/nginx/rory.gay/matrix-bak.nix
index 5d44454..5d44454 100755..100644
--- a/host/Rory-nginx/services/nginx/rory.gay/matrix-bak.nix
+++ b/host/Rory-nginx/services/nginx/rory.gay/matrix-bak.nix
diff --git a/host/Rory-nginx/services/nginx/rory.gay/matrix.nix b/host/Rory-nginx/services/nginx/rory.gay/matrix.nix
index d48f4ca..d48f4ca 100755..100644
--- a/host/Rory-nginx/services/nginx/rory.gay/matrix.nix
+++ b/host/Rory-nginx/services/nginx/rory.gay/matrix.nix
diff --git a/host/Rory-nginx/services/nginx/rory.gay/matrixunittests.nix b/host/Rory-nginx/services/nginx/rory.gay/matrixunittests.nix
index edb1704..edb1704 100755..100644
--- a/host/Rory-nginx/services/nginx/rory.gay/matrixunittests.nix
+++ b/host/Rory-nginx/services/nginx/rory.gay/matrixunittests.nix
diff --git a/host/Rory-nginx/services/nginx/rory.gay/mru.nix b/host/Rory-nginx/services/nginx/rory.gay/mru.nix
index dd59830..d1e1cd7 100755..100644
--- a/host/Rory-nginx/services/nginx/rory.gay/mru.nix
+++ b/host/Rory-nginx/services/nginx/rory.gay/mru.nix
@@ -1,12 +1,12 @@
{
enableACME = true;
addSSL = true;
- quic = true;
+# quic = true;
http3 = true;
http3_hq = true;
kTLS = true;
root = "/data/nginx/html_mru";
- reuseport = true;
+# reuseport = true;
extraConfig = ''
brotli off;
brotli_static off;
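Review bot: Disabling `quic` while leaving `http3 = true;` and `http3_hq = true;` is inconsistent: the NixOS nginx module documents `http3` as requiring `quic = true` for the QUIC listener, so nginx will emit `http3 on;` and an `Alt-Svc: h3` advertisement with no UDP listener behind it, and browsers will waste an attempt before falling back to TCP (or the config may fail validation, depending on the nginx build). Either comment out all three together with a note on why (`# quic/http3 disabled: reuseport conflict with other vhosts` if that is the reason), or keep them all on. The commented lines are also at column 0 while the rest of the commit re-indents comments to match their scope.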
diff --git a/host/Rory-nginx/services/nginx/rory.gay/pcpoc.nix b/host/Rory-nginx/services/nginx/rory.gay/pcpoc.nix
index b62c5fe..b62c5fe 100755..100644
--- a/host/Rory-nginx/services/nginx/rory.gay/pcpoc.nix
+++ b/host/Rory-nginx/services/nginx/rory.gay/pcpoc.nix
diff --git a/host/Rory-nginx/services/nginx/rory.gay/root.nix b/host/Rory-nginx/services/nginx/rory.gay/root.nix
index 11d06c0..11d06c0 100755..100644
--- a/host/Rory-nginx/services/nginx/rory.gay/root.nix
+++ b/host/Rory-nginx/services/nginx/rory.gay/root.nix
diff --git a/host/Rory-nginx/services/nginx/rory.gay/wad-api.nix b/host/Rory-nginx/services/nginx/rory.gay/wad-api.nix
index 65e9bdb..65e9bdb 100755..100644
--- a/host/Rory-nginx/services/nginx/rory.gay/wad-api.nix
+++ b/host/Rory-nginx/services/nginx/rory.gay/wad-api.nix
diff --git a/host/Rory-nginx/services/nginx/thearcanebrony.net/awooradio.nix b/host/Rory-nginx/services/nginx/thearcanebrony.net/awooradio.nix
index f13cb0c..f13cb0c 100755..100644
--- a/host/Rory-nginx/services/nginx/thearcanebrony.net/awooradio.nix
+++ b/host/Rory-nginx/services/nginx/thearcanebrony.net/awooradio.nix
diff --git a/host/Rory-nginx/services/nginx/thearcanebrony.net/root.nix b/host/Rory-nginx/services/nginx/thearcanebrony.net/root.nix
index 86dddac..86dddac 100755..100644
--- a/host/Rory-nginx/services/nginx/thearcanebrony.net/root.nix
+++ b/host/Rory-nginx/services/nginx/thearcanebrony.net/root.nix
diff --git a/host/Rory-nginx/services/nginx/thearcanebrony.net/search.nix b/host/Rory-nginx/services/nginx/thearcanebrony.net/search.nix
index cd655d8..cd655d8 100755..100644
--- a/host/Rory-nginx/services/nginx/thearcanebrony.net/search.nix
+++ b/host/Rory-nginx/services/nginx/thearcanebrony.net/search.nix
diff --git a/host/Rory-nginx/services/nginx/thearcanebrony.net/sentry.nix b/host/Rory-nginx/services/nginx/thearcanebrony.net/sentry.nix
index f496190..f496190 100755..100644
--- a/host/Rory-nginx/services/nginx/thearcanebrony.net/sentry.nix
+++ b/host/Rory-nginx/services/nginx/thearcanebrony.net/sentry.nix
diff --git a/host/Rory-nginx/services/ollama.nix b/host/Rory-nginx/services/ollama.nix
index c9709da..16f4e1c 100755..100644
--- a/host/Rory-nginx/services/ollama.nix
+++ b/host/Rory-nginx/services/ollama.nix
@@ -10,8 +10,10 @@
environmentVariables = {
OLLAMA_LLM_LIBRARY = "cpu_avx2";
};
- writablePaths = [ "/data/ollama/home" ];
- listenAddress = "0.0.0.0:11434";
- sandbox = false;
+ #listenAddress = "0.0.0.0:11434";
+ host = "0.0.0.0";
+ port = 11434;
+ user = "ollama";
+ group = "ollama";
};
}
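Review bot: `host = "0.0.0.0"` with `port = 11434` binds Ollama's HTTP API, which has no authentication, on every interface; anyone who can reach the host on that port can run generations, pull arbitrary models from the registry, or delete the ones present. Unless a host firewall (not in this hunk) closes 11434, bind to loopback — `host = "127.0.0.1";` — and reach it through nginx with access control if remote use is needed. If the old `sandbox = false` / `writablePaths` options were dropped because the module changed, a short comment noting that the service now runs hardened by default under the dedicated `ollama` user would help the next reader.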
diff --git a/host/Rory-nginx/services/postgres.nix b/host/Rory-nginx/services/postgres.nix
index c728151..f0fb3e7 100755..100644
--- a/host/Rory-nginx/services/postgres.nix
+++ b/host/Rory-nginx/services/postgres.nix
@@ -5,7 +5,7 @@
services.postgresql = {
enable = true;
- package = pkgs.postgresql_16;
+ package = pkgs.postgresql_16_jit;
enableTCPIP = true;
authentication = pkgs.lib.mkOverride 10 ''
# TYPE, DATABASE, USER, ADDRESS, METHOD
@@ -27,8 +27,8 @@
max_connections = 2500;
superuser_reserved_connections = 3;
- shared_buffers = "32GB";
- work_mem = "16GB";
+ shared_buffers = "64GB";
+ work_mem = "32GB";
maintenance_work_mem = "8GB";
huge_pages = "try";
effective_cache_size = "64GB"; # was 22
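Review bot: `work_mem = "32GB"` is a per-sort/hash-operation, per-connection budget, and it sits next to `max_connections = 2500`, so a handful of concurrent Synapse queries with several sort nodes each can commit hundreds of gigabytes and take the host down with the OOM killer — a memory-exhaustion denial of service reachable from ordinary client load. A per-connection-sane default, e.g. `work_mem = "256MB";`, with the large value raised per session for the long-running maintenance jobs that the 24-hour `statement_timeout` in db.nix hints at, keeps the headroom where it is needed. The total of `shared_buffers = "64GB"` plus `effective_cache_size = "64GB"` is only sensible if the box has well over 128 GB, which cannot be checked from this hunk.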
@@ -44,17 +44,17 @@
wal_level = "replica";
max_wal_senders = 0;
- synchronous_commit = "off"; # was ond3
+ synchronous_commit = "on"; # was ond3
checkpoint_timeout = "15min";
checkpoint_completion_target = "0.9";
max_wal_size = "2GB";
min_wal_size = "1GB";
- wal_compression = "on";
+ wal_compression = "off";
wal_buffers = "-1";
- wal_writer_delay = "200ms";
- wal_writer_flush_after = "1MB";
+ wal_writer_delay = "500ms"; # was 100
+ wal_writer_flush_after = "32MB"; # was 1
#checkpoint_segments = "64"; # additional
default_statistics_target = "250"; # additional
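Review bot: the new comment `# was 100` on `wal_writer_delay` contradicts the removed line, which read `200ms`, and `# was 1` on `wal_writer_flush_after` drops the unit of the previous `1MB`; the `# was ond3` typo on `synchronous_commit` is carried over unchanged. Comments that record previous values should agree with the history the diff itself shows — `wal_writer_delay = "500ms"; # was 200ms` and `wal_writer_flush_after = "32MB"; # was 1MB` — or be left to git history instead.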
@@ -63,10 +63,10 @@
bgwriter_lru_multiplier = "2.0";
bgwriter_flush_after = "0";
- max_worker_processes = "32"; # was 14
- max_parallel_workers_per_gather = "16"; # was 7
- max_parallel_maintenance_workers = "16"; # was 7
- max_parallel_workers = "32"; # was 14
+ max_worker_processes = "64"; # was 14
+ max_parallel_workers_per_gather = "32"; # was 7
+ max_parallel_maintenance_workers = "32"; # was 7
+ max_parallel_workers = "64"; # was 14
parallel_leader_participation = "on";
enable_partitionwise_join = "on";
@@ -80,20 +80,20 @@
};
};
-# services.prometheus.exporters.postgres = {
-# enable = true;
-# port = 9187;
-# extraFlags = [
-# "--collector.database_wraparound"
-# "--collector.long_running_transactions"
-# "--collector.postmaster"
-# "--collector.process_idle"
-# "--collector.stat_activity_autovacuum"
-# "--collector.stat_statements"
-# #"--collector.stat_wal_receiver" #we dont have WAL receivers
-# "--collector.statio_user_indexes"
-# "--collector.xlog_location"
-# ];
-# };
+ # services.prometheus.exporters.postgres = {
+ # enable = true;
+ # port = 9187;
+ # extraFlags = [
+ # "--collector.database_wraparound"
+ # "--collector.long_running_transactions"
+ # "--collector.postmaster"
+ # "--collector.process_idle"
+ # "--collector.stat_activity_autovacuum"
+ # "--collector.stat_statements"
+ # #"--collector.stat_wal_receiver" #we dont have WAL receivers
+ # "--collector.statio_user_indexes"
+ # "--collector.xlog_location"
+ # ];
+ # };
}
diff --git a/host/Rory-ovh/configuration.nix b/host/Rory-ovh/configuration.nix
new file mode 100755
index 0000000..3ded494
--- /dev/null
+++ b/host/Rory-ovh/configuration.nix
@@ -0,0 +1,122 @@
+{
+ pkgs,
+ lib,
+ nixpkgs-Draupnir,
+ nixpkgs-DraupnirPkg,
+ ...
+}:
+
+{
+ imports = [
+ ../../modules/base-server.nix
+ ../../modules/users/levi.nix
+ ../../modules/users/db2k.nix
+ ../../modules/users/ks.nix
+ ../../modules/users/Alice.nix
+
+ ./services/prometheus.nix
+
+ ./services/nginx/nginx.nix
+ ./services/cgit.nix
+ ./services/postgres.nix
+ ./services/matrix/synapse/synapse-main.nix
+ ./services/matrix/draupnir.nix
+ ./services/email/root.nix
+ #./services/wireguard/wireguard.nix
+ ./services/safensound.nix
+ ];
+
+ users.groups.ocp = { };
+ boot.loader.grub.devices = lib.mkForce [ "nodev" ];
+ networking = {
+ hostName = "Rory-ovh";
+ nat = {
+ enable = true;
+ internalInterfaces = [
+ "ve-+"
+ "vb-+"
+ ];
+ externalInterface = "enp98s0f0";
+ enableIPv6 = false;
+ };
+ enableIPv6 = lib.mkForce false;
+ nameservers = lib.mkForce [ "1.1.1.1" ];
+ firewall.enable = lib.mkForce true;
+ resolvconf.enable = false;
+ defaultGateway = lib.mkForce null;
+ defaultGateway6 = lib.mkForce null;
+ };
+
+ systemd.network = {
+ enable = true;
+ networks.enp98s0f0 = {
+ name = "enp98s0f0";
+ DHCP = "no";
+ #gateway = [ "51.210.113.254" ];
+ routes = [
+ {
+ Gateway = "51.210.113.254";
+ GatewayOnLink = true;
+ }
+ ];
+ address = [ "51.210.113.110/32" ];
+ };
+ };
+
+ monitoring = {
+ monitorAll = true;
+ localPrometheus = true;
+ exposePrometheus = true;
+ localGrafana = true;
+ exposeGrafana = true;
+ nginxHost = "monitoring.rory.gay";
+ nginxSsl = true;
+ };
+
+ nixpkgs.config.permittedInsecurePackages = [
+ "olm-3.2.16"
+ "dotnet-runtime-wrapped-7.0.20"
+ "dotnet-runtime-7.0.20"
+ "dotnet-sdk-7.0.20"
+ ];
+ services.irqbalance.enable = true;
+
+ environment.memoryAllocator.provider = "jemalloc";
+
+ containers."draupnir-cme" = import ./services/containers/draupnir-cme/container.nix {
+ inherit
+ pkgs
+ lib
+ nixpkgs-Draupnir
+ nixpkgs-DraupnirPkg
+ ;
+ };
+
+ containers."draupnir-fedora" = import ./services/containers/draupnir-fedora/container.nix {
+ inherit
+ pkgs
+ lib
+ nixpkgs-Draupnir
+ nixpkgs-DraupnirPkg
+ ;
+ };
+
+ containers."draupnir-ansible" = import ./services/containers/draupnir-ansible/container.nix {
+ inherit
+ pkgs
+ lib
+ nixpkgs-Draupnir
+ nixpkgs-DraupnirPkg
+ ;
+ };
+
+ system.stateVersion = "22.11"; # DO NOT EDIT!
+
+ environment.systemPackages = with pkgs; [ waypipe ];
+
+ nix.nrBuildUsers = 128;
+ services.owncast = {
+ enable = true;
+ port = 1934;
+ };
+}
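Review bot: `nixpkgs.config.permittedInsecurePackages` re-enables, system-wide, four packages that nixpkgs has marked insecure (an olm build and the dotnet 7.0.20 runtime/SDK), with nothing recording which service still needs them or when the exception can go. Each entry should carry a comment naming the consumer and a removal condition, e.g. `"olm-3.2.16" # needed by <consumer>; remove when <condition>`, so the allow-list shrinks instead of accreting. Separately, `nameservers = lib.mkForce [ "1.1.1.1" ]` is a single upstream resolver for the host and, via `useHostResolvConf`, for the containers too; a second entry avoids one resolver outage taking down mail, Matrix federation and ACME renewals at once.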
diff --git a/host/Rory-ovh/hooks/post-rebuild.sh b/host/Rory-ovh/hooks/post-rebuild.sh
new file mode 100755
index 0000000..f4f5896
--- /dev/null
+++ b/host/Rory-ovh/hooks/post-rebuild.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p curl gnused nix coreutils jq openssl
+#set -x
+exit
+REG_KEY=`cat /var/lib/matrix-synapse/registration_shared_secret.txt`
+LOCALPART='rory.gay'
+REACHABLE_DOMAIN='http://localhost:8008'
+
+# -- LICENSE: CNPL v7+ - https://thufie.lain.haus/files/CNPLv7.md
+# Modified from Nyaaori (https://nyaaori.cat) <+@nyaaori.cat>
+# Explicit authorisation to use the code has been granted by the original author
+# for use by members of the Rory& system (https://rory.gay)
+
+# the magic function:
+register(){
+ echo "Registering $1"
+ _nonce=`curl -s http://localhost:8008/_synapse/admin/v1/register | jq -r .nonce`
+ #data: nonce, domain, username, password
+ _hmac=`printf '%s\0%s\0%s\0%s' "$_nonce" "$1" "$2" "admin" | openssl dgst -sha1 -hmac "$REG_KEY" | awk '{print $2}'`
+ curl -s -XPOST -d '{"nonce": "'"$_nonce"'", "username": "'"$1"'", "displayname": "'"$1"'", "password": "'"$2"'", "admin": true, "mac": "'"$_hmac"'"}' $REACHABLE_DOMAIN/_synapse/admin/v1/register | tee -a matrix-user-tokens.txt
+ echo
+}
+
+# -- END OF LICENSED CODE
+
+#PASSWD=`cat /etc/matrix-user-pass`
+#for u in {draupnir,Alicia,Emma,Rory,root,Quetzelle}
+#do
+# register $u $PASSWD
+#done
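Review bot: `register` appends the full registration response — which includes the new admin account's access token — to `matrix-user-tokens.txt`, a relative path in whatever directory the hook runs from, created with the default umask; and the HMAC secret is handed to `openssl` as a command-line argument, where it is visible in the process list for the duration of the call. Prefixing the script with `umask 077` and writing to an absolute path under a root-only directory (placeholder: `/data/secrets/<tokens-file>`) limits the token exposure. The `_nonce` fetch also hardcodes `http://localhost:8008` instead of using `"$REACHABLE_DOMAIN"`, and the POST leaves that variable unquoted. The unconditional `exit` on the fourth line makes everything below unreachable, which looks deliberate but deserves a one-line comment saying so.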
diff --git a/host/Rory-ovh/services/cgit.nix b/host/Rory-ovh/services/cgit.nix
new file mode 100644
index 0000000..cbdc350
--- /dev/null
+++ b/host/Rory-ovh/services/cgit.nix
@@ -0,0 +1,62 @@
+{ pkgs, lib, cgit-magenta, ... }:
+
+let
+ pkg = cgit-magenta.packages.${pkgs.stdenv.hostPlatform.system}.default;
+ base_cgit_config = {
+ enable = true;
+ nginx.virtualHost = "cgit.rory.gay";
+ #package = pkgs.cgit-pink;
+ package = pkg;
+ scanPath = "/data/git";
+ settings = {
+ css = "/cgit.css";
+ logo = "/cgit.png";
+ favicon = "/favicon.ico";
+ readme = ":README.MD";
+ about-filter = "${pkg}/lib/cgit/filters/about-formatting.sh";
+ source-filter = "${pkg}/lib/cgit/filters/syntax-highlighting.py";
+ clone-url = (
+ lib.concatStringsSep " " [
+ "https://cgit.rory.gay/$CGIT_REPO_URL"
+ "ssh://<user>@git.rory.gay:$CGIT_REPO_URL"
+ ]
+ );
+ enable-log-filecount = 1;
+ enable-log-linecount = 1;
+ enable-git-config = 1;
+ #testing
+ enable-blame = 1;
+ enable-commit-graph = 1;
+ enable-follow-links = 1;
+ enable-http-clone = 1;
+ enable-index-links = 1;
+ enable-remote-branches = 1;
+ enable-subject-links = 1;
+ enable-tree-linenumbers = 1;
+ max-atom-items = 100;
+ max-commit-count = 250;
+ max-repo-count = 500;
+ snapshots = "tar.xz";
+ #side-by-side-diffs = 1;
+
+ root-title = "cgit.rory.gay";
+ root-desc = "Rory&s Git Repositories";
+ };
+ };
+in
+{
+ services.cgit."main" = base_cgit_config;
+ services.fcgiwrap.instances."cgit-main".process.prefork = 32;
+
+ services.cgit."ocp" = lib.attrsets.recursiveUpdate base_cgit_config {
+ scanPath = "/data/git/.ocp";
+ nginx.location = "/.ocp/";
+ settings.clone-url = (
+ lib.concatStringsSep " " [
+ "https://cgit.rory.gay/.ocp/$CGIT_REPO_URL"
+ "ssh://<user>@git.rory.gay:.ocp/$CGIT_REPO_URL"
+ ]
+ );
+ };
+ services.fcgiwrap.instances."cgit-ocp".process.prefork = 32;
+}
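Review bot: the `main` instance scans all of `/data/git`, while the `ocp` instance separately scans `/data/git/.ocp` behind its own `/.ocp/` location — which, together with the `users.groups.ocp` created in configuration.nix, suggests those repositories are meant for a narrower audience. Whether the main scan also picks up the dot-directory depends on cgit's scan behaviour rather than anything in this file, so it is worth checking the deployed index and, if it does, pinning the main instance to an explicit `project-list` file or moving `.ocp` out from under `scanPath`. A comment on `scanPath` noting that everything under it is served read-only to the public (`enable-http-clone = 1`) would help the next editor.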
diff --git a/host/Rory-ovh/services/containers/draupnir-ansible/container.nix b/host/Rory-ovh/services/containers/draupnir-ansible/container.nix
new file mode 100644
index 0000000..5ab1aed
--- /dev/null
+++ b/host/Rory-ovh/services/containers/draupnir-ansible/container.nix
@@ -0,0 +1,37 @@
+{
+# nixpkgs-Draupnir,
+# nixpkgs-DraupnirPkg,
+ ...
+}:
+
+{
+ privateNetwork = true;
+ autoStart = true;
+ specialArgs = {
+# inherit nixpkgs-Draupnir;
+# inherit nixpkgs-DraupnirPkg;
+ };
+ config =
+ { lib, pkgs, ... }:
+ {
+ imports = [
+ ../shared.nix
+ ./root.nix
+ ./services/draupnir.nix
+# "${nixpkgs-Draupnir}/nixos/modules/services/matrix/draupnir.nix"
+ ];
+# nixpkgs.overlays = [
+# (final: prev: {
+# draupnir = nixpkgs-DraupnirPkg.legacyPackages.${pkgs.stdenv.hostPlatform.system}.draupnir;
+# })
+# ];
+ };
+ hostAddress = "192.168.100.1";
+ localAddress = "192.168.100.19";
+
+ bindMounts."draupnir-access-token" = {
+ hostPath = "/data/secrets/draupnir-ansible-access-token";
+ mountPoint = "/etc/draupnir-access-token";
+ isReadOnly = true;
+ };
+}
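Review bot: this container definition is a line-for-line copy of `draupnir-cme/container.nix` and `draupnir-fedora/container.nix`, differing only in `localAddress` and the `hostPath` of the token mount, and the three `root.nix` files are identical; the commented-out `nixpkgs-Draupnir`/`nixpkgs-DraupnirPkg` plumbing and the unused `{ lib, pkgs, ... }` arguments are dead weight repeated three times. A single function such as `mkDraupnirContainer = { name, localAddress }: { ... hostPath = "/data/secrets/draupnir-${name}-access-token"; ... }` would keep the per-instance differences visible and make the read-only token mount the one place to audit. If the overlay is really gone for good, delete the commented block instead of carrying it in every copy.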
diff --git a/host/Rory-nginx/services/containers/draupnir-cme/root.nix b/host/Rory-ovh/services/containers/draupnir-ansible/root.nix
index e4da810..0ebce9e 100755..100644
--- a/host/Rory-nginx/services/containers/draupnir-cme/root.nix
+++ b/host/Rory-ovh/services/containers/draupnir-ansible/root.nix
@@ -1,12 +1,7 @@
{ ... }:
{
- environment.etc."resolv.conf".text = ''
- nameserver 8.8.8.8
- nameserver 8.4.4.8
- nameserver 1.1.1.1
- nameserver 1.0.0.1
- '';
+ networking.useHostResolvConf = true;
networking.hosts = {
"192.168.100.1" = [
diff --git a/host/Rory-ovh/services/containers/draupnir-ansible/services/draupnir.nix b/host/Rory-ovh/services/containers/draupnir-ansible/services/draupnir.nix
new file mode 100644
index 0000000..c05b170
--- /dev/null
+++ b/host/Rory-ovh/services/containers/draupnir-ansible/services/draupnir.nix
@@ -0,0 +1,30 @@
+{ ... }:
+
+{
+ services.draupnir = {
+ enable = true;
+ secrets.accessToken = "/etc/draupnir-access-token";
+
+ settings = {
+ homeserverUrl = "https://matrix.rory.gay";
+ managementRoom = "#draupnir-ansible-mgmt:rory.gay";
+ recordIgnoredInvites = true; # We want to be aware of invites
+ autojoinOnlyIfManager = true; # ... but we don't want the bot to be invited to eg. Matrix HQ...
+ automaticallyRedactForReasons = [ "*" ]; # Always autoredact
+ fasterMembershipChecks = true;
+
+ backgroundDelayMS = 10; # delay isn't needed, I don't mind the performance hit
+ pollReports = false;
+
+ admin.enableMakeRoomAdminCommand = false;
+ commands.ban.defaultReasons = [ "spam" ];
+
+ protections = {
+ wordlist = {
+ words = [ "https://postimg.cc/" ];
+ minutesBeforeTrusting = 0;
+ };
+ };
+ };
+ };
+}
diff --git a/host/Rory-ovh/services/containers/draupnir-cme/container.nix b/host/Rory-ovh/services/containers/draupnir-cme/container.nix
new file mode 100755
index 0000000..b1ee74b
--- /dev/null
+++ b/host/Rory-ovh/services/containers/draupnir-cme/container.nix
@@ -0,0 +1,37 @@
+{
+ #nixpkgs-Draupnir,
+ #nixpkgs-DraupnirPkg,
+ ...
+}:
+
+{
+ privateNetwork = true;
+ autoStart = true;
+ specialArgs = {
+ #inherit nixpkgs-Draupnir;
+ #inherit nixpkgs-DraupnirPkg;
+ };
+ config =
+ { lib, pkgs, ... }:
+ {
+ imports = [
+ ../shared.nix
+ ./root.nix
+ ./services/draupnir.nix
+ #"${nixpkgs-Draupnir}/nixos/modules/services/matrix/draupnir.nix"
+ ];
+# nixpkgs.overlays = [
+# (final: prev: {
+# draupnir = nixpkgs-DraupnirPkg.legacyPackages.${pkgs.stdenv.hostPlatform.system}.draupnir;
+# })
+# ];
+ };
+ hostAddress = "192.168.100.1";
+ localAddress = "192.168.100.17";
+
+ bindMounts."draupnir-access-token" = {
+ hostPath = "/data/secrets/draupnir-cme-access-token";
+ mountPoint = "/etc/draupnir-access-token";
+ isReadOnly = true;
+ };
+}
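Review bot: this file and `draupnir-cme/root.nix` are added with mode 100755 while the sibling `draupnir-ansible` and `draupnir-fedora` files are 100644, and the rest of this commit is normalizing other `.nix` files from `100755` to `100644`. A Nix module is never executed directly, so the executable bit should be dropped on both (`chmod -x`, no content change).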
diff --git a/host/Rory-ovh/services/containers/draupnir-cme/root.nix b/host/Rory-ovh/services/containers/draupnir-cme/root.nix
new file mode 100755
index 0000000..0ebce9e
--- /dev/null
+++ b/host/Rory-ovh/services/containers/draupnir-cme/root.nix
@@ -0,0 +1,16 @@
+{ ... }:
+
+{
+ networking.useHostResolvConf = true;
+
+ networking.hosts = {
+ "192.168.100.1" = [
+ "matrix.rory.gay"
+ "rory.gay"
+ ];
+ };
+
+ networking.firewall = {
+ enable = true;
+ };
+}
diff --git a/host/Rory-nginx/services/containers/draupnir-cme/services/draupnir.nix b/host/Rory-ovh/services/containers/draupnir-cme/services/draupnir.nix
index cf59809..4b3cd57 100755
--- a/host/Rory-nginx/services/containers/draupnir-cme/services/draupnir.nix
+++ b/host/Rory-ovh/services/containers/draupnir-cme/services/draupnir.nix
@@ -3,10 +3,10 @@
{
services.draupnir = {
enable = true;
- accessTokenFile = "/etc/draupnir-access-token";
- homeserverUrl = "https://matrix.rory.gay";
+ secrets.accessToken = "/etc/draupnir-access-token";
settings = {
+ homeserverUrl = "https://matrix.rory.gay";
managementRoom = "#draupnir-cme:rory.gay";
recordIgnoredInvites = true; # We want to be aware of invites
autojoinOnlyIfManager = true; # ... but we don't want the bot to be invited to eg. Matrix HQ...
diff --git a/host/Rory-ovh/services/containers/draupnir-fedora/container.nix b/host/Rory-ovh/services/containers/draupnir-fedora/container.nix
new file mode 100644
index 0000000..5ba9765
--- /dev/null
+++ b/host/Rory-ovh/services/containers/draupnir-fedora/container.nix
@@ -0,0 +1,37 @@
+{
+# nixpkgs-Draupnir,
+# nixpkgs-DraupnirPkg,
+ ...
+}:
+
+{
+ privateNetwork = true;
+ autoStart = true;
+ specialArgs = {
+# inherit nixpkgs-Draupnir;
+# inherit nixpkgs-DraupnirPkg;
+ };
+ config =
+ { lib, pkgs, ... }:
+ {
+ imports = [
+ ../shared.nix
+ ./root.nix
+ ./services/draupnir.nix
+# "${nixpkgs-Draupnir}/nixos/modules/services/matrix/draupnir.nix"
+ ];
+# nixpkgs.overlays = [
+# (final: prev: {
+# draupnir = nixpkgs-DraupnirPkg.legacyPackages.${pkgs.stdenv.hostPlatform.system}.draupnir;
+# })
+# ];
+ };
+ hostAddress = "192.168.100.1";
+ localAddress = "192.168.100.18";
+
+ bindMounts."draupnir-access-token" = {
+ hostPath = "/data/secrets/draupnir-fedora-access-token";
+ mountPoint = "/etc/draupnir-access-token";
+ isReadOnly = true;
+ };
+}
diff --git a/host/Rory-ovh/services/containers/draupnir-fedora/root.nix b/host/Rory-ovh/services/containers/draupnir-fedora/root.nix
new file mode 100644
index 0000000..0ebce9e
--- /dev/null
+++ b/host/Rory-ovh/services/containers/draupnir-fedora/root.nix
@@ -0,0 +1,16 @@
+{ ... }:
+
+{
+ networking.useHostResolvConf = true;
+
+ networking.hosts = {
+ "192.168.100.1" = [
+ "matrix.rory.gay"
+ "rory.gay"
+ ];
+ };
+
+ networking.firewall = {
+ enable = true;
+ };
+}
diff --git a/host/Rory-nginx/services/containers/draupnir-linux-mint/services/draupnir.nix b/host/Rory-ovh/services/containers/draupnir-fedora/services/draupnir.nix
index 042651a..a39b3a9 100755..100644
--- a/host/Rory-nginx/services/containers/draupnir-linux-mint/services/draupnir.nix
+++ b/host/Rory-ovh/services/containers/draupnir-fedora/services/draupnir.nix
@@ -3,11 +3,11 @@
{
services.draupnir = {
enable = true;
- accessTokenFile = "/etc/draupnir-access-token";
- homeserverUrl = "https://matrix.rory.gay";
+ secrets.accessToken = "/etc/draupnir-access-token";
settings = {
- managementRoom = "#draupnir-linux-mint:rory.gay";
+ homeserverUrl = "https://matrix.rory.gay";
+ managementRoom = "#draupnir-fedora-mgmt:rory.gay";
recordIgnoredInvites = true; # We want to be aware of invites
autojoinOnlyIfManager = true; # ... but we don't want the bot to be invited to eg. Matrix HQ...
automaticallyRedactForReasons = [ "*" ]; # Always autoredact
@@ -17,10 +17,14 @@
pollReports = false;
admin.enableMakeRoomAdminCommand = false;
- commands.ban.defaultReasons = [
- "spam"
- "code of conduct violation"
- ];
+ commands.ban.defaultReasons = [ "spam" ];
+
+ protections = {
+ wordlist = {
+ words = [ "https://postimg.cc/" ];
+ minutesBeforeTrusting = 0;
+ };
+ };
};
};
}
diff --git a/host/Rory-ovh/services/containers/shared.nix b/host/Rory-ovh/services/containers/shared.nix
new file mode 100644
index 0000000..f267ff0
--- /dev/null
+++ b/host/Rory-ovh/services/containers/shared.nix
@@ -0,0 +1,17 @@
+{ pkgs, ... }:
+{
+ environment.systemPackages = with pkgs; [
+ neofetch
+ lnav
+ zsh
+ git
+ lsd
+ htop
+ btop
+ duf
+ kitty.terminfo
+ neovim
+ jq
+ dig
+ ];
+}
diff --git a/host/Rory-ovh/services/email/autoconfig.nix b/host/Rory-ovh/services/email/autoconfig.nix
new file mode 100644
index 0000000..5f3bce2
--- /dev/null
+++ b/host/Rory-ovh/services/email/autoconfig.nix
@@ -0,0 +1,18 @@
+{ config, ... }:
+{
+ services.go-autoconfig = {
+ enable = !config.virtualisation.isVmVariant;
+ settings = {
+ service_addr = ":1323";
+ domain = "autoconfig.rory.gay";
+ imap = {
+ server = "rory.gay";
+ port = 993;
+ };
+ smtp = {
+ server = "rory.gay";
+ port = 587;
+ };
+ };
+ };
+}
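Review bot: `service_addr = ":1323"` listens on every interface, while the vhost in `email/nginx.nix` proxies to `http://localhost:1323`, so the direct listener is only kept private by the host firewall (forced on in configuration.nix, with no rule for 1323 visible). Binding to loopback removes that dependency: `service_addr = "127.0.0.1:1323";`. The `enable = !config.virtualisation.isVmVariant` guard matches maddy.nix, which is consistent.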
diff --git a/host/Rory-ovh/services/email/maddy.conf b/host/Rory-ovh/services/email/maddy.conf
new file mode 100644
index 0000000..1d3eb2f
--- /dev/null
+++ b/host/Rory-ovh/services/email/maddy.conf
@@ -0,0 +1,124 @@
+
+# Minimal configuration with TLS disabled, adapted from upstream example
+# configuration here https://github.com/foxcpp/maddy/blob/master/maddy.conf
+# Do not use this in production!
+
+auth.pass_table local_authdb {
+ table sql_table {
+ driver sqlite3
+ dsn credentials.db
+ table_name passwords
+ }
+}
+
+storage.imapsql local_mailboxes {
+ driver sqlite3
+ dsn imapsql.db
+}
+
+table.chain local_rewrites {
+ optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3"
+ optional_step static {
+ entry postmaster root@$(primary_domain)
+ }
+ optional_step file /etc/maddy/aliases
+}
+
+msgpipeline local_routing {
+ destination postmaster $(local_domains) {
+ modify {
+ replace_rcpt &local_rewrites
+ }
+ deliver_to &local_mailboxes
+ }
+ default_destination {
+ reject 550 5.1.1 "User doesn't exist"
+ }
+}
+
+smtp tcp://0.0.0.0:25 {
+ limits {
+ all rate 20 1s
+ all concurrency 10
+ }
+ dmarc yes
+ check {
+ require_mx_record
+ dkim
+ spf
+ }
+ source $(local_domains) {
+ reject 501 5.1.8 "Use Submission for outgoing SMTP"
+ }
+ default_source {
+ destination postmaster $(local_domains) {
+ deliver_to &local_routing
+ }
+ default_destination {
+ reject 550 5.1.1 "User doesn't exist"
+ }
+ }
+}
+
+submission tls://0.0.0.0:465 tcp://0.0.0.0:587 {
+ limits {
+ all rate 50 1s
+ }
+ auth &local_authdb
+ source $(local_domains) {
+ check {
+ authorize_sender {
+ prepare_email &local_rewrites
+ user_to_email identity
+ }
+ }
+ destination postmaster $(local_domains) {
+ deliver_to &local_routing
+ }
+ default_destination {
+ modify {
+ dkim $(primary_domain) $(local_domains) default
+ }
+ deliver_to &remote_queue
+ }
+ }
+ default_source {
+ reject 501 5.1.8 "Non-local sender domain"
+ }
+}
+
+target.remote outbound_delivery {
+ limits {
+ destination rate 20 1s
+ destination concurrency 10
+ }
+ mx_auth {
+ dane
+ mtasts {
+ cache fs
+ fs_dir mtasts_cache/
+ }
+ local_policy {
+ min_tls_level encrypted
+ min_mx_level none
+ }
+ }
+}
+
+target.queue remote_queue {
+ target &outbound_delivery
+ autogenerated_msg_domain $(primary_domain)
+ bounce {
+ destination postmaster $(local_domains) {
+ deliver_to &local_routing
+ }
+ default_destination {
+ reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
+ }
+ }
+}
+
+imap tls://0.0.0.0:993 tcp://0.0.0.0:143 {
+ auth &local_authdb
+ storage &local_mailboxes
+}
\ No newline at end of file
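Review bot: the header `# Minimal configuration with TLS disabled ... Do not use this in production!` no longer describes this file — `submission tls://0.0.0.0:465` and `imap tls://0.0.0.0:993` are TLS listeners and maddy.nix supplies the certificate — so it will mislead the next reader into thinking authentication runs in the clear. Replace it with something like `# Adapted from the upstream example config; TLS on 465/993 uses certificates loaded in maddy.nix, 143/587 rely on STARTTLS` and state explicitly whether plaintext AUTH on the tcp:// listeners is meant to be refused (as I recall maddy's `insecure_auth` defaults to off, but nothing here says so). The file also lacks a trailing newline.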
diff --git a/host/Rory-ovh/services/email/maddy.nix b/host/Rory-ovh/services/email/maddy.nix
new file mode 100644
index 0000000..548cb1a
--- /dev/null
+++ b/host/Rory-ovh/services/email/maddy.nix
@@ -0,0 +1,71 @@
+{
+ lib,
+ pkgs,
+ options,
+ config,
+ ...
+}:
+{
+ config = lib.mkIf (!config.virtualisation.isVmVariant) {
+ services.maddy = {
+ enable = true;
+ primaryDomain = "rory.gay";
+ hostname = "mail.rory.gay";
+ ensureAccounts = [
+ "root@rory.gay"
+ ];
+ ensureCredentials = {
+ "root@rory.gay".passwordFile = "/var/lib/maddy/passwd/root";
+ };
+ config = builtins.readFile ./maddy.conf;
+ # builtins.replaceStrings
+ # [
+ # "imap tcp://0.0.0.0:143"
+ # "submission tcp://0.0.0.0:587"
+ # "entry postmaster postmaster@$(primary_domain)"
+ # ]
+ # [
+ # "imap tls://0.0.0.0:993 tcp://0.0.0.0:143"
+ # "submission tls://0.0.0.0:465 tcp://0.0.0.0:587"
+ # "entry postmaster root@$(primary_domain)"
+ # ]
+ # options.services.maddy.config.default;
+
+ tls = {
+ loader = "file";
+ certificates = [
+ {
+ # certPath = "/var/lib/acme/mail.rory.gay/fullchain.pem";
+ # keyPath = "/var/lib/acme/mail.rory.gay/key.pem";
+ certPath = "/run/credentials/maddy.service/acme-fullchain.pem";
+ keyPath = "/run/credentials/maddy.service/acme-key.pem";
+ }
+ ];
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 25
+ 143
+ 465
+ 587
+ 993
+ ];
+
+ users.users.maddy.extraGroups = [ "nginx" ];
+
+ fileSystems."/var/lib/maddy" = {
+ depends = [ "/" ];
+ device = "/data/maddy";
+ fsType = "none";
+ options = [ "bind" ];
+ };
+
+ systemd.services.maddy.serviceConfig = {
+ LoadCredential = [
+ "acme-fullchain.pem:/var/lib/acme/rory.gay/fullchain.pem"
+ "acme-key.pem:/var/lib/acme/rory.gay/key.pem"
+ ];
+ };
+ };
+}
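Review bot: `LoadCredential` pulls the certificate for `rory.gay` (`/var/lib/acme/rory.gay/...`) while `hostname = "mail.rory.gay"` and the MTA-STS policy in nginx.nix advertises `mx: mail.rory.gay` in enforce mode; a sender honouring that policy validates the MX's certificate against `mail.rory.gay`, so unless the `rory.gay` certificate carries that name as a SAN, mail from enforcing domains will be refused. The commented-out `/var/lib/acme/mail.rory.gay/` paths suggest the earlier setup used the matching certificate — either point `LoadCredential` back at it or confirm the SAN list and say so in a comment. With credentials now loaded by systemd, `users.users.maddy.extraGroups = [ "nginx" ]` looks like a leftover from reading the ACME directory directly and grants the mail daemon more than it needs; drop it if nothing else depends on it. `options` in the argument set is unused.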
diff --git a/host/Rory-ovh/services/email/nginx.nix b/host/Rory-ovh/services/email/nginx.nix
new file mode 100644
index 0000000..5b04612
--- /dev/null
+++ b/host/Rory-ovh/services/email/nginx.nix
@@ -0,0 +1,32 @@
+{ config, ... }:
+{
+ services.nginx.virtualHosts = {
+ "mta-sts.rory.gay" = {
+ enableACME = !config.virtualisation.isVmVariant;
+ forceSSL = !config.virtualisation.isVmVariant;
+ locations = {
+ "/.well-known/mta-sts.txt" = {
+ # age 604800
+ return = ''
+ 200 "version: STSv1
+ mode: enforce
+ max_age: 120
+ mx: mail.rory.gay
+ "'';
+ };
+ };
+ };
+ "mail.rory.gay" = {
+ enableACME = !config.virtualisation.isVmVariant;
+ forceSSL = !config.virtualisation.isVmVariant;
+ locations = {
+ "/".return = "200 'OK'";
+ };
+ };
+ "autoconfig.rory.gay" = {
+ enableACME = !config.virtualisation.isVmVariant;
+ forceSSL = !config.virtualisation.isVmVariant;
+ locations."/".proxyPass = "http://localhost:1323";
+ };
+ };
+}
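Review bot: the MTA-STS policy sets `max_age: 120`, so senders cache the enforce policy for two minutes and re-fetch it constantly; RFC 8461 recommends a lifetime of weeks (up to a year is allowed), because a cached policy is what protects against a downgraded MX or certificate between fetches. The commented `# age 604800` looks like the intended value — once the `mail.rory.gay` certificate is confirmed, set `max_age: 604800`, and keep a short value only for a deliberate testing window with a comment saying so. The policy `id` in the `_mta-sts` DNS TXT record must change whenever this text changes; nothing here ties the two together, so a comment pointing at that record would help.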
diff --git a/host/Rory-ovh/services/email/root.nix b/host/Rory-ovh/services/email/root.nix
new file mode 100644
index 0000000..7db85d8
--- /dev/null
+++ b/host/Rory-ovh/services/email/root.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+ imports = [
+ ./autoconfig.nix
+ ./maddy.nix
+ ./nginx.nix
+ ];
+}
diff --git a/host/Rory-ovh/services/mastodon.nix b/host/Rory-ovh/services/mastodon.nix
new file mode 100644
index 0000000..56f1808
--- /dev/null
+++ b/host/Rory-ovh/services/mastodon.nix
@@ -0,0 +1,12 @@
+{ ... }:
+
+{
+ services.mastodon = {
+ enable = true;
+ webProcesses = 8;
+ webThreads = 4;
+
+ streamingProcesses = 63;
+ localDomain = "rory.gay";
+ };
+}
diff --git a/host/Rory-nginx/services/matrix/coturn.nix b/host/Rory-ovh/services/matrix/coturn.nix
index 805faa9..805faa9 100755
--- a/host/Rory-nginx/services/matrix/coturn.nix
+++ b/host/Rory-ovh/services/matrix/coturn.nix
diff --git a/host/Rory-nginx/services/matrix/draupnir.nix b/host/Rory-ovh/services/matrix/draupnir.nix
index f20a7d0..3f6d89a 100755
--- a/host/Rory-nginx/services/matrix/draupnir.nix
+++ b/host/Rory-ovh/services/matrix/draupnir.nix
@@ -1,28 +1,20 @@
-{ ... }:
+{ pkgs, draupnirSrc, ... }:
{
services.draupnir = {
+
enable = true;
- homeserverUrl = "https://matrix.rory.gay";
- accessTokenFile = "/etc/draupnir-access-token";
+ secrets.accessToken = "/data/secrets/draupnir-access-token";
- #pantalaimon = {
- # enable = false;
- # username = "draupnir";
- # passwordFile = "/etc/draupnir-password";
- # options = {
- #homeserver = "http://localhost:8008";
- #ssl = false;
- # };
- #};
settings = {
+ homeserverUrl = "https://matrix.rory.gay";
managementRoom = "#draupnir-mgmt:rory.gay";
- verboseLogging = false;
recordIgnoredInvites = true; # Let's log ignored invites, just incase
autojoinOnlyIfManager = true; # Let's not open ourselves up to DoS attacks
automaticallyRedactForReasons = [ "*" ]; # I always want autoredact
fasterMembershipChecks = true;
- roomStateBackingStore.enabled = true; # broken under nix.
+ logLevel = "DEBUG";
+ #roomStateBackingStore.enabled = true; # broken under nix.
backgroundDelayMS = 10; # delay isn't needed, I don't mind the performance hit
pollReports = false; # this is a single person homeserver... let's save ourself the work
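Review bot: `logLevel = "DEBUG"` on the production moderation bot is the kind of setting that tends to stay forever; debug output from a Matrix client commonly includes request and room content (whether Draupnir scrubs tokens at that level is not something this file shows), all of it landing in the journal. If it was enabled to chase the `roomStateBackingStore` breakage noted on the next line, mark it as temporary — `logLevel = "DEBUG"; # TEMP: diagnosing roomStateBackingStore, revert to INFO` — or drop it. The new `{ pkgs, draupnirSrc, ... }` arguments are not used anywhere in this hunk; the rest of the file is outside it.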
@@ -41,6 +33,7 @@
"faggot"
"ywnbaw"
"nigger"
+ "https://postimg.cc/"
];
minutesBeforeTrusting = 0;
};
diff --git a/host/Rory-ovh/services/matrix/grapevine.nix b/host/Rory-ovh/services/matrix/grapevine.nix
new file mode 100755
index 0000000..7368c2a
--- /dev/null
+++ b/host/Rory-ovh/services/matrix/grapevine.nix
@@ -0,0 +1,31 @@
+{ ... }:
+
+{
+ services.grapevine = {
+ enable = true;
+ settings = {
+ conduit_compat = true;
+ server_name = "conduit.rory.gay";
+ #trusted_servers = [ "rory.gay" ];
+ federation.self_test = false;
+
+ listen = [
+ {
+ type = "tcp";
+ address = "127.0.0.1";
+ port = 6167;
+ }
+ ];
+ server_discovery.client.base_url = "https://conduit.rory.gay"; # This is required for some reason
+
+ database = {
+ backend = "rocksdb";
+ };
+ allow_registration = false;
+
+ #log = "info";
+ #log_format = "full";
+ #log = "debug";
+ };
+ };
+}
diff --git a/host/Rory-nginx/services/matrix/matrix-appservice-discord.nix b/host/Rory-ovh/services/matrix/matrix-appservice-discord.nix
index 3041aaa..3041aaa 100755
--- a/host/Rory-nginx/services/matrix/matrix-appservice-discord.nix
+++ b/host/Rory-ovh/services/matrix/matrix-appservice-discord.nix
diff --git a/host/Rory-ovh/services/matrix/ooye.nix b/host/Rory-ovh/services/matrix/ooye.nix
new file mode 100644
index 0000000..7b9c403
--- /dev/null
+++ b/host/Rory-ovh/services/matrix/ooye.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+ services.matrix-ooye = {
+ enable = true;
+ homeserver = "https://matrix.rory.gay";
+ homeserverName = "rory.gay";
+ enableSynapseIntegration = true;
+ };
+}
diff --git a/host/Rory-ovh/services/matrix/root.nix b/host/Rory-ovh/services/matrix/root.nix
new file mode 100755
index 0000000..d32cc54
--- /dev/null
+++ b/host/Rory-ovh/services/matrix/root.nix
@@ -0,0 +1,13 @@
+{ ... }:
+
+{
+ imports = [
+ ./synapse/synapse-main.nix
+ ./coturn.nix
+ ./matrix-appservice-discord.nix
+ ./draupnir.nix
+ ./grapevine.nix
+ ./ooye.nix
+ ];
+
+}
diff --git a/host/Rory-ovh/services/matrix/synapse/caches.nix b/host/Rory-ovh/services/matrix/synapse/caches.nix
new file mode 100644
index 0000000..f00c78c
--- /dev/null
+++ b/host/Rory-ovh/services/matrix/synapse/caches.nix
@@ -0,0 +1,25 @@
+{
+ gc_min_interval = [
+ "15m"
+ "30m"
+ "60m"
+ ];
+ gc_thresholds = [
+ 10000
+
+ 5000
+ 2500
+ ];
+ event_cache_size = "12000K"; # defaults to 10K
+ caches = {
+ global_factor = 500000.0;
+ cache_entry_ttl = "24h";
+ expire_caches = true;
+ sync_response_cache_duration = "15m";
+ cache_autotuning = {
+ max_cache_memory_usage = "65536M";
+ target_cache_memory_usage = "32768M";
+ min_cache_ttl = "6h";
+ };
+ };
+}
diff --git a/host/Rory-ovh/services/matrix/synapse/db.nix b/host/Rory-ovh/services/matrix/synapse/db.nix
new file mode 100644
index 0000000..409c039
--- /dev/null
+++ b/host/Rory-ovh/services/matrix/synapse/db.nix
@@ -0,0 +1,49 @@
+{
+ workerName ? null,
+ dbGroup ? null,
+}:
+{
+ name = "psycopg2";
+ args = {
+ user = "matrix-synapse-rory-gay";
+ password = "somepassword";
+ database = "matrix-synapse-rory-gay";
+ host = "/run/postgresql";
+ application_name = "matrix-synapse (rory.gay) - ${if workerName == null then throw "synapse/db.nix: workerName unspecified" else workerName}";
+ cp_min =
+ if dbGroup == "solo" then
+ 1
+ else if dbGroup == "small" then
+ 2
+ else if dbGroup == "medium" then
+ 5
+ else if dbGroup == "large" then
+ 10
+ else
+ throw "synapse/db.nix: Invalid dbGroup: ${if dbGroup == null then "null" else dbGroup}";
+ cp_max =
+ if dbGroup == "solo" then
+ 1
+ else if dbGroup == "small" then
+ 2
+ else if dbGroup == "medium" then
+ 10
+ else if dbGroup == "large" then
+ 10
+ else
+ throw "synapse/db.nix: Invalid dbGroup: ${if dbGroup == null then "null" else dbGroup}";
+
+ # cp_reconnect - default=True - https://github.com/element-hq/synapse/blob/develop/synapse/storage/database.py#L129
+ # cp_noisy - default=False - https://docs.twisted.org/en/stable/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__ - info logs during operation
+ # check_same_thread - default=False - https://github.com/element-hq/synapse/blob/develop/synapse/config/database.py#L65 - can this even be set?
+ };
+
+ # synchronous_commit - default=True - https://github.com/element-hq/synapse/blob/develop/synapse/storage/engines/postgres.py#L56
+ # statement_timeout - default=60 * 60 * 1000 ms - https://github.com/element-hq/synapse/blob/develop/synapse/storage/engines/postgres.py#L63
+ # allow_unsafe_locale - default=False - https://github.com/element-hq/synapse/blob/develop/synapse/storage/engines/postgres.py#L99
+ # allow_outdated_version - default=False - https://github.com/element-hq/synapse/blob/develop/synapse/storage/engines/postgres.py#L92 - needs source link
+ # txn_limit - default=0 - https://github.com/element-hq/synapse/blob/develop/synapse/storage/database.py#L564
+
+ statement_timeout = 24 * 60 * 60 * 1000; # 24 hours, good for bg jobs
+ txn_limit = 500; # maybe dropping old data from pg caches helps?
+}
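Review bot: `password = "somepassword";` is a literal credential committed in the module; the `host = "/run/postgresql"` socket connection is most likely authenticated by peer (the `authentication` block lives in postgres.nix, outside this file), in which case the value is dead, but a string that looks like a password in tracked config invites copy-paste and secret-scanner noise. Either remove the key or document the situation: `password = "somepassword"; # unused: unix-socket connection authenticates by peer, see postgres.nix`. The two `dbGroup` if-chains also repeat the same `throw`; an attrset lookup such as `{ solo = [ 1 1 ]; small = [ 2 2 ]; medium = [ 5 10 ]; large = [ 10 10 ]; }` would put each cp_min/cp_max pair side by side and need one error path.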
diff --git a/host/Rory-ovh/services/matrix/synapse/ratelimits.nix b/host/Rory-ovh/services/matrix/synapse/ratelimits.nix
new file mode 100644
index 0000000..85f51f2
--- /dev/null
+++ b/host/Rory-ovh/services/matrix/synapse/ratelimits.nix
@@ -0,0 +1,97 @@
+{
+ # messages
+ rc_message = {
+ per_second = 1000000;
+ burst_count = 1000000;
+ };
+ rc_admin_redaction = {
+ per_second = 10000000;
+ burst_count = 10000000;
+ };
+
+ # room joins
+ rc_joins = {
+ local = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ remote = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ };
+ rc_joins_per_room = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+
+ # room invites
+ rc_invites = {
+ per_room = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ per_user = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ per_issuer = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ };
+ rc_third_party_invite = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+
+ # federation
+ rc_federation = {
+ window_size = 10;
+ sleep_limit = 1000;
+ sleep_delay = 100;
+ reject_limit = 1000;
+ concurrent = 100;
+ };
+ federation_rr_transactions_per_room_per_second = 100;
+
+ # media
+ rc_media_create = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ remote_media_download_burst_count = "512G";
+ remote_media_download_per_second = "512G";
+
+ # authentication
+ rc_login = {
+ address = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ account = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ failed_attempts = {
+ per_second = 0.1;
+ burst_count = 3;
+ };
+ };
+ rc_3pid_validation = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+
+ #presence
+ rc_presence.per_user = {
+ per_second = 1;
+ burst_count = 2;
+ };
+
+ #delayed events
+ rc_delayed_event_mgmt = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+}
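Review bot: `rc_login.address` and `rc_login.account` at 1000 requests per second effectively disable Synapse's per-IP and per-account login limiting, leaving `failed_attempts` (0.1/s, burst 3) as the only throttle on credential guessing; that still slows a brute force against one account, but joins, invites, media creation and 3PID validation are unlimited in practice as configured here. If the server accepts logins from the internet, keeping the per-address default is the cheap protection; if these values are intentional for a single-user server, a top-of-file comment (`# rate limits intentionally relaxed: single-user homeserver, see <reason>`) saves the next reviewer the question. `remote_media_download_per_second = "512G"` likewise removes the bound on remote media pulled per window, which is a disk and bandwidth exhaustion exposure rather than a tuning detail.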
diff --git a/host/Rory-ovh/services/matrix/synapse/synapse-main.nix b/host/Rory-ovh/services/matrix/synapse/synapse-main.nix
new file mode 100755
index 0000000..7907927
--- /dev/null
+++ b/host/Rory-ovh/services/matrix/synapse/synapse-main.nix
@@ -0,0 +1,283 @@
+{ config, pkgs, ... }:
+
+{
+ # Worker plumbing examples: https://github.com/element-hq/synapse/blob/master/docker/configure_workers_and_start.py
+ # Documentation: https://github.com/element-hq/synapse/blob/develop/docs/workers.md
+ services.matrix-synapse = {
+ enable = true;
+ withJemalloc = true;
+ dataDir = "/data/matrix-synapse";
+
+ nginxVirtualHostName = "matrix.rory.gay";
+ enableWorkers = true;
+
+ federationSenders = if config.virtualisation.isVmVariant then 0 else 16; # 16
+ pushers = if config.virtualisation.isVmVariant then 1 else 1;
+ mediaRepoWorkers = if config.virtualisation.isVmVariant then 1 else 2; # 4
+ clientReaders = if config.virtualisation.isVmVariant then 2 else 2; # 4
+ syncWorkers = if config.virtualisation.isVmVariant then 2 else 2; # 4
+ #authWorkers = 0;
+
+ eventCreators = if config.virtualisation.isVmVariant then 2 else 16;
+
+ federationReaders = if config.virtualisation.isVmVariant then 0 else 8; # 8
+ federationInboundWorkers = if config.virtualisation.isVmVariant then 0 else 16; # 8
+
+ enableAppserviceWorker = if config.virtualisation.isVmVariant then true else true;
+ enableBackgroundWorker = if config.virtualisation.isVmVariant then true else true;
+ enableUserDirWorker = if config.virtualisation.isVmVariant then true else true;
+
+ accountDataStreamWriters = 1;
+ eventStreamWriters = 2; # 8
+ presenceStreamWriters = 1;
+ pushRuleStreamWriters = 1;
+ receiptStreamWriters = 1;
+ toDeviceStreamWriters = 1;
+ typingStreamWriters = 1;
+
+ plugins = with pkgs.matrix-synapse-plugins; [
+ synapse-http-antispam
+ ];
+
+ #untested:
+ #sharedStreamWriters = 1;
+
+ # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html
+ settings =
+ {
+ server_name = "rory.gay";
+
+ # use_frozen_dicts = true;
+ # user_agent_suffix = " (rory.gay)";
+
+ # look into later: replication_torture_level - https://github.com/element-hq/synapse/blob/develop/synapse/config/server.py#L560
+ # limit_remote_rooms ???
+ # cleanup_extremities_with_dummy_events - default=True
+ # dummy_events_threshold - default=10 - required forward extremities to send dummy event
+ # enable_ephemeral_messages - default=False - ???
+ # rooms_to_exclude_from_sync - default=[] - room ids...
+ # third_party_event_rules - https://github.com/element-hq/synapse/blob/develop/synapse/config/third_party_event_rules.py - ???
+ # default_power_level_content_override - default=None - https://github.com/element-hq/synapse/blob/develop/synapse/config/room.py#L73
+
+ dummy_events_threshold = 5;
+ cleanup_extremities_with_dummy_events = true;
+
+ enable_registration = true;
+ registration_requires_token = true;
+
+ require_membership_for_aliases = false;
+ redaction_retention_period = null;
+ user_ips_max_age = null;
+ allow_device_name_lookup_over_federation = true;
+
+ federation = {
+ client_timeout = "90s"; # 30 # default=60s
+ max_short_retries = 6; # 12
+ max_short_retry_delay = "10s"; # 5
+ max_long_retries = 5;
+ max_long_retry_delay = "30s";
+
+ # rapid retry, small increments
+ destination_min_retry_interval = "1m"; # default=10m
+ destination_max_retry_interval = "12h"; # default=7d
+ destination_retry_multiplier = 1.1; # 1.2 # default=2
+ };
+
+ registration_shared_secret_path = "/data/secrets/synapse-shared-secret";
+
+ listeners = [
+ {
+ port = 8008;
+ bind_addresses = [ "127.0.0.1" ];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ {
+ names = [
+ "client"
+ "federation"
+ ];
+ compress = false;
+ }
+ ];
+ }
+ {
+ type = "http";
+ path = "/run/matrix-synapse/main.sock";
+ resources = [
+ {
+ names = [ "replication" ];
+ compress = false;
+ }
+ ];
+ }
+ ];
+ presence = {
+ enable = true;
+ update_interval = 60;
+ };
+ database = (
+ import ./db.nix {
+ workerName = "main";
+ dbGroup = "medium";
+ }
+ );
+ app_service_config_files = [
+ #"/etc/matrix-synapse/appservice-registration.yaml"
+ #"/var/lib/matrix-synapse/modas-registration.yaml"
+ ];
+
+ #region Media
+ max_upload_size = "512M";
+
+ max_avatar_size = "512M";
+ max_image_pixels = "250M";
+
+ max_pending_media_uploads = 512;
+ dynamic_thumbnails = true;
+
+ prevent_media_downloads_from = [
+ # none, give me all the media
+ ];
+ enable_authenticated_media = false;
+
+ url_preview_enabled = true;
+ max_spider_size = "50M";
+
+ #endregion
+
+ ui_auth = {
+ session_timeout = "1m";
+ };
+
+ login_via_existing_session = {
+ enabled = true;
+ require_ui_auth = true;
+ token_timeout = "1y";
+ };
+
+ report_stats = false;
+
+ user_directory = {
+ enabled = true;
+ search_all_users = true;
+ prefer_local_users = true;
+ };
+
+ # https://github.com/element-hq/synapse/blob/master/synapse/config/experimental.py
+ experimental_features = {
+ "msc2409_to_device_messages_enabled" = true;
+ "msc2815_enabled" = true; # Redacted event content
+ "msc3026_enabled" = true; # Busy presence
+ "msc3202_transaction_extensions" = true; # appservice transaction extensions (device list/keys)
+ "msc3266_enabled" = true; # Room summary API
+ "msc3391_enabled" = true; # Remove account data
+ "msc3823_account_suspension" = true; # Account suspension
+ "msc3852_enabled" = true; # Last seen on /devices (CS-API/admin)
+ "msc3874_enabled" = true; # filtering /messages with rel_types / not_rel_types
+ "msc3890_enabled" = true; # communicate account data deletion to clients
+ "msc3912_enabled" = true; # /messages with rel_types / not_rel_types and event id
+ "msc3916_authenticated_media_enabled" = true; # Authenticated media
+ "msc4069_profile_inhibit_propagation" = true; # Inhibit profile update propagation
+ "msc4133_enabled" = true; # Custom profile fields
+ "msc4151_enabled" = true; # Report room API (CS-API)
+ "msc4210_enabled" = false; # Remove legacy mentions -- we want this *disabled* for moderation reasons
+ "msc4222_enabled" = true; # state_after in sync
+ };
+
+ redis = {
+ enabled = true;
+ path = "/run/redis-matrix-synapse/redis.sock";
+ };
+
+ instance_map = {
+ main = {
+ # replication listener
+ path = "/run/matrix-synapse/main.sock";
+ };
+ };
+ }
+ // import ./ratelimits.nix
+ // import ./caches.nix;
+ };
+
+ #systemd.services.matrix-synapse-reg-token = {
+ # description = "Random registration token for Synapse.";
+ # before = [ "matrix-synapse.service" ]; # So the registration can be used by Synapse
+ # wantedBy = [ "multi-user.target" ];
+ # after = [ "network.target" ];
+#
+ # script = ''
+ # set -e -x -o pipefail
+ # echo "Starting key generation"
+ # if [ ! -f "registration_shared_secret.txt" ]
+ # then
+ # echo "Generating new key"
+ # strace cat /dev/urandom | tr -dc a-zA-Z0-9 | fold -w 256 | head -n 1 > registration_shared_secret.txt
+ # echo "Key generation complete"
+ # else
+ # echo "Not generating key, key exists"
+ # fi
+ # echo "Script complete"
+ # '';
+ # serviceConfig = {
+ # User = "matrix-synapse";
+ # Group = "matrix-synapse";
+ # WorkingDirectory = "/var/lib/matrix-synapse";
+ # RemainAfterExit = true;
+ # };
+ #};
+
+ services.redis = {
+ package = pkgs.valkey;
+ servers.matrix-synapse = {
+ enable = true;
+ user = "matrix-synapse";
+ };
+ };
+
+ systemd.tmpfiles.rules = [ "D /run/redis-matrix-synapse 0755 matrix-synapse matrix-synapse" ];
+
+ virtualisation.vmVariant = {
+ systemd.tmpfiles.rules = [ "D /run/secrets 0755 nobody nobody" ];
+ systemd.services."matrix-synapse-generate-token" = {
+ # generate /data/secrets/synapse-shared-secret
+ description = "Generate Synapse shared secret";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ before = [ "matrix-synapse.service" ];
+ script = ''
+ set -e -x -o pipefail
+ echo "Starting key generation"
+ if [ ! -f "/data/secrets/synapse-shared-secret" ]
+ then
+ echo "Generating new key"
+ ${pkgs.openssl}/bin/openssl rand -base64 32 > /data/secrets/synapse-shared-secret
+ echo "Key generation complete"
+ else
+ echo "Not generating key, key exists"
+ fi
+ echo "Script complete"
+ '';
+ };
+ systemd.services."matrix-synapse-postgres-init" = {
+ description = "Generate synapse postgres user";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" "postgresql.service" ];
+ before = [ "matrix-synapse.service" ];
+
+ script = ''
+ set -e -x -o pipefail
+ ${pkgs.postgresql}/bin/createuser ${config.services.matrix-synapse.settings.database.args.user} || true
+ ${pkgs.postgresql}/bin/createdb --encoding=UTF8 --locale=C --template=template0 --owner=${config.services.matrix-synapse.settings.database.args.user} ${config.services.matrix-synapse.settings.database.args.database} || true
+ '';
+ serviceConfig = {
+ User = "postgres";
+ Group = "postgres";
+ WorkingDirectory = config.services.postgresql.dataDir;
+ RemainAfterExit = true;
+ };
+ };
+ };
+}
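Review bot: `login_via_existing_session.token_timeout = "1y"` keeps each login token — the short-lived credential handed to a second client so it can sign in without a password — valid for a year, so a token leaked through a QR code, URL or log remains usable long after the hand-off; Synapse's default is on the order of minutes and `token_timeout = "5m";` covers the use case. Two further settings widen exposure and deserve a comment if deliberate: `user_ips_max_age = null` and `redaction_retention_period = null` retain client IP history and redacted event content indefinitely, and `allow_device_name_lookup_over_federation = true` lets any federated server read users' device display names. `enable_authenticated_media = false` also appears to contradict `msc3916_authenticated_media_enabled = true` in `experimental_features`; whichever is intended, drop the other so the media-auth posture is readable from one setting.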
diff --git a/host/Rory-ovh/services/nginx/nginx.nix b/host/Rory-ovh/services/nginx/nginx.nix
new file mode 100755
index 0000000..d422cc8
--- /dev/null
+++ b/host/Rory-ovh/services/nginx/nginx.nix
@@ -0,0 +1,95 @@
+{ config, pkgs, ... }:
+let
+ serveDir = config: {
+ enableACME = if config ? ssl then config.ssl else !config.virtualisation.isVmVariant;
+ addSSL = if config ? ssl then config.ssl else true;
+ root = if config ? path then config.path else builtins.throw "path is required";
+ locations = {
+ "/" = {
+ index = "index.html";
+ };
+ };
+ };
+in
+{
+ services = {
+ nginx = {
+ enable = true;
+ package = pkgs.nginxQuic;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ recommendedZstdSettings = true;
+ #recommendedGzipSettings = true;
+ recommendedBrotliSettings = true;
+ recommendedOptimisation = true;
+ defaultMimeTypes = ../../../../packages/nginx/mime.types;
+ appendConfig = ''
+ worker_processes 16;
+ '';
+ eventsConfig = ''
+ #use kqueue;
+ worker_connections 512;
+ '';
+ appendHttpConfig = ''
+ #sendfile on;
+ disable_symlinks off;
+ log_format combined_vhosts '$remote_addr - $remote_user [$time_local] {host="$host",server_name="$server_name",upstream=$upstream_addr,t=$request_time[u_conn=$upstream_connect_time,u_hdr=$upstream_header_time,u_resp=$upstream_response_time]} "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
+ access_log /var/log/nginx/access.log combined_vhosts;
+ '';
+ additionalModules = with pkgs.nginxModules; [ moreheaders ];
+ virtualHosts = {
+ #"boorunav.com" = serveDir { path = "/data/nginx/html_boorunav"; };
+ # "catgirlsaresexy.com" = serveDir { path = "/data/nginx/html_catgirlsaresexy"; };
+ # "sugarcanemc.org" = serveDir { path = "/data/nginx/html_sugarcanemc"; };
+#
+ #"siliconheaven.thearcanebrony.net" = serveDir { path = "/data/nginx/html_siliconheaven"; };
+ #"lfs.thearcanebrony.net" = serveDir { path = "/data/nginx/html_lfs"; };
+ #"git.thearcanebrony.net" = serveDir { path = "/data/nginx/html_git"; };
+ #"files.thearcanebrony.net" = serveDir { path = "/data/nginx/html_files"; };
+ #"spigotav.thearcanebrony.net" = serveDir { path = "/data/nginx/html_spigotav"; };
+ #"terra.thearcanebrony.net" = serveDir { path = "/data/nginx/html_terrarchive"; };
+ #"vives.thearcanebrony.net" = serveDir { path = "/data/nginx/html_vives"; };
+#
+ # "git.rory.gay" = serveDir { path = "/data/nginx/html_git"; };
+ # "wad.rory.gay" = serveDir { path = "/data/nginx/html_wad"; } // {
+ # locations."/".extraConfig = "autoindex on; try_files $uri $uri/ /index.html;";
+ # };
+ # "wad-api.rory.gay" = import ./rory.gay/wad-api.nix;
+#
+ #"thearcanebrony.net" = import ./thearcanebrony.net/root.nix;
+ # "sentry.thearcanebrony.net" = import ./thearcanebrony.net/sentry.nix;
+ # "search.thearcanebrony.net" = import ./thearcanebrony.net/search.nix;
+#
+ "rory.gay" = import ./rory.gay/root.nix { inherit config; };
+ # "lfs.rory.gay" = serveDir { path = "/data/nginx/html_lfs"; };
+#
+ # "awooradio.thearcanebrony.net" = import ./thearcanebrony.net/awooradio.nix;
+ "cgit.rory.gay" = import ./rory.gay/cgit.nix { inherit config; };
+ # #"jitsi.rory.gay" = import ./rory.gay/jitsi.nix;
+#
+ # #matrix...
+ # "conduit.rory.gay" = import ./rory.gay/conduit.nix;
+ "matrix.rory.gay" = import ./rory.gay/matrix.nix { inherit config; };
+ "libmatrix-fed-test.rory.gay" = import ./rory.gay/libmatrix-fed-test.nix { inherit config; };
+ "safensound.rory.gay" = import ./rory.gay/safensound.nix { inherit config; };
+ "demo.safensound.rory.gay" = import ./rory.gay/demo.safensound.nix { inherit config; };
+ "api.safensound.rory.gay" = import ./rory.gay/api.safensound.nix { inherit config; };
+ "stream.rory.gay" = import ./rory.gay/stream.nix { inherit config; };
+ # "pcpoc.rory.gay" = import ./rory.gay/pcpoc.nix;
+ # "matrixunittests.rory.gay" = import ./rory.gay/matrixunittests.nix;
+ # "conduit.matrixunittests.rory.gay" = import ./rory.gay/conduit.matrixunittests.nix;
+ "mru.rory.gay" = import ./rory.gay/mru.nix { inherit config; };
+ "ec.rory.gay" = import ./rory.gay/ec.nix { inherit config; };
+ };
+ };
+ };
+ systemd.services.nginx.serviceConfig = {
+ LimitNOFILE = 5000000;
+ };
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "root@rory.gay";
+
+ networking.hosts."127.0.0.1" = builtins.attrNames config.services.nginx.virtualHosts;
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.allowedUDPPorts = [ 443 ];
+}
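Review bot: the `combined_vhosts` access log records `$request` verbatim, and Matrix clients can still send `?access_token=...` in the query string, so bearer tokens for matrix.rory.gay end up in /var/log/nginx/access.log; log a redacted URI instead (e.g. a `map $request_uri $loggable_uri` that strips `access_token=[^&]*`) or at least exclude the matrix vhost from this format. Separately, `serveDir = config: { ... }` names its parameter `config`, shadowing the module's `config`, so `config.virtualisation.isVmVariant` inside it is looked up in the per-site attrset and would fail the moment one of the commented-out `serveDir` hosts is re-enabled; rename the parameter (`site:`) and reference the outer `config` for the VM check. `disable_symlinks off;` is also worth a comment given the `autoindex on` roots elsewhere in this series: a symlink planted in a webroot is followed wherever the nginx user can read.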
diff --git a/host/Rory-ovh/services/nginx/rory.gay/api.safensound.nix b/host/Rory-ovh/services/nginx/rory.gay/api.safensound.nix
new file mode 100755
index 0000000..b0ff075
--- /dev/null
+++ b/host/Rory-ovh/services/nginx/rory.gay/api.safensound.nix
@@ -0,0 +1,72 @@
+{ config }:
+{
+ enableACME = !config.virtualisation.isVmVariant;
+ addSSL = !config.virtualisation.isVmVariant;
+ locations."/" = {
+ #proxyPass = "http://127.0.0.1:9001";
+ proxyPass = "http://localhost:7645";
+ extraConfig = ''
+ if ($request_method = 'OPTIONS') {
+ more_set_headers 'Access-Control-Allow-Origin: *';
+ more_set_headers 'Access-Control-Allow-Methods: *';
+ #
+ # Custom headers and headers various browsers *should* be OK with but aren't
+ #
+ more_set_headers 'Access-Control-Allow-Headers: *, Authorization';
+ #
+ # Tell client that this pre-flight info is valid for 20 days
+ #
+ more_set_headers 'Access-Control-Max-Age: 1728000';
+ more_set_headers 'Content-Type: text/plain; charset=utf-8';
+ more_set_headers 'Content-Length: 0';
+ return 204;
+ }
+ '';
+ };
+
+ locations."= /.well-known/matrix/server".extraConfig = ''
+ more_set_headers 'Content-Type application/json';
+ more_set_headers 'Access-Control-Allow-Origin *';
+ return 200 '${builtins.toJSON { "m.server" = "matrix.rory.gay:443"; }}';
+ '';
+ locations."= /.well-known/matrix/client".extraConfig = ''
+ more_set_headers 'Content-Type application/json';
+ more_set_headers 'Access-Control-Allow-Origin *';
+ return 200 '${
+ builtins.toJSON {
+ "m.homeserver".base_url = "https://matrix.rory.gay";
+ "org.matrix.msc3575.proxy".url = "https://matrix.rory.gay";
+ }
+ }';
+ '';
+ locations."= /.well-known/matrix/support".extraConfig = ''
+ more_set_headers 'Content-Type application/json';
+ more_set_headers 'Access-Control-Allow-Origin *';
+ return 200 '${
+ builtins.toJSON {
+ admins = [
+ {
+ matrix_id = "@emma:rory.gay";
+ role = "admin";
+ }
+ {
+ matrix_id = "@alicia:rory.gay";
+ role = "admin";
+ }
+ {
+ matrix_id = "@root:rory.gay";
+ role = "admin";
+ }
+ {
+ matrix_id = "@rory:rory.gay";
+ role = "admin";
+ }
+ ];
+ }
+ }';
+ '';
+
+ locations."~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
+ proxyPass = "http://localhost:8100";
+ };
+}
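Review bot: the `.well-known/matrix/*` locations and the `~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)` proxy to localhost:8100 look copied from matrix.nix and do not belong on an API host: they advertise Matrix delegation (`m.server = matrix.rory.gay:443`) from api.safensound.rory.gay and expose whatever listens on :8100 under this hostname. Unless that is intended, drop those locations so this vhost only fronts the :7645 upstream. Note also that `more_set_headers 'Content-Type application/json'` lacks the `:`; headers-more expects `Name: value`, and without the separator I believe the argument is treated as a header name with an empty value (a clear), so the JSON would go out with the default type and without `Access-Control-Allow-Origin`.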
diff --git a/host/Rory-ovh/services/nginx/rory.gay/cgit.nix b/host/Rory-ovh/services/nginx/rory.gay/cgit.nix
new file mode 100755
index 0000000..7b49a42
--- /dev/null
+++ b/host/Rory-ovh/services/nginx/rory.gay/cgit.nix
@@ -0,0 +1,14 @@
+{ config }:
+{
+ enableACME = !config.virtualisation.isVmVariant;
+ addSSL = !config.virtualisation.isVmVariant;
+ root = "/data/git";
+ extraConfig = ''
+ autoindex on;
+ more_set_headers 'Access-Control-Allow-Origin: *';
+ more_set_headers 'Access-Control-Allow-Methods: GET, POST, OPTIONS';
+ more_set_headers 'Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+ more_set_headers 'Access-Control-Expose-Headers: Content-Length,Content-Range';
+ more_set_headers 'Access-Control-Allow-Credentials: true';
+ '';
+}
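Review bot: `root = "/data/git"` with `autoindex on` serves the git tree as a browsable listing, so repository `config`, `hooks` and any non-public refs or objects are fetchable by path unless filesystem permissions stop the nginx user, and with `disable_symlinks off` in the main config a symlink inside a repo is followed. If this host is meant to front cgit or git-http-backend, proxy to that instead of exposing the directory; if it is a dumb-HTTP mirror, at least add a guard such as `location ~ (^|/)(config|hooks)(/|$) { deny all; }` and disable the index. `Access-Control-Allow-Credentials: true` combined with `Access-Control-Allow-Origin: *` is also rejected by browsers, so one of the two should go.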
diff --git a/host/Rory-ovh/services/nginx/rory.gay/conduit.matrixunittests.nix b/host/Rory-ovh/services/nginx/rory.gay/conduit.matrixunittests.nix
new file mode 100755
index 0000000..231d5e3
--- /dev/null
+++ b/host/Rory-ovh/services/nginx/rory.gay/conduit.matrixunittests.nix
@@ -0,0 +1,16 @@
+{ config }:
+{
+ enableACME = !config.virtualisation.isVmVariant;
+ addSSL = !config.virtualisation.isVmVariant;
+ http3 = true;
+ http3_hq = true;
+ kTLS = true;
+ extraConfig = ''
+ brotli off;
+ '';
+ locations = {
+ "/" = {
+ proxyPass = "http://192.168.100.15:80";
+ };
+ };
+}
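Review bot: `http3`, `http3_hq` and `kTLS` are unconditionally `true` while `enableACME`/`addSSL` are gated on `!config.virtualisation.isVmVariant`, so in the VM variant these TLS-only listen options are requested on a vhost with no TLS configured; the sibling matrixunittests.nix gates all five on the same condition. Use `http3 = !config.virtualisation.isVmVariant;` (and likewise for `http3_hq` and `kTLS`) for consistency.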
diff --git a/host/Rory-ovh/services/nginx/rory.gay/demo.safensound.nix b/host/Rory-ovh/services/nginx/rory.gay/demo.safensound.nix
new file mode 100755
index 0000000..f75c78b
--- /dev/null
+++ b/host/Rory-ovh/services/nginx/rory.gay/demo.safensound.nix
@@ -0,0 +1,30 @@
+{ config }:
+{
+ enableACME = !config.virtualisation.isVmVariant;
+ addSSL = !config.virtualisation.isVmVariant;
+# quic = true;
+ http3 = !config.virtualisation.isVmVariant;
+ http3_hq = !config.virtualisation.isVmVariant;
+ kTLS = !config.virtualisation.isVmVariant;
+ root = "/data/nginx/html_safensound_demo";
+# reuseport = true;
+ extraConfig = ''
+ brotli off;
+ brotli_static off;
+ '';
+ locations = {
+ "/" = {
+ index = "index.html";
+ extraConfig = ''
+ more_set_headers 'Access-Control-Allow-Origin: *';
+ more_set_headers 'Access-Control-Allow-Methods: *';
+ more_set_headers 'Access-Control-Allow-Headers: *';
+ more_set_headers 'Access-Control-Expose-Headers: *';
+ more_set_headers 'Access-Control-Max-Age' 1728000;
+
+ # default to /index.html if file not found
+ try_files $uri $uri/ /index.html;
+ '';
+ };
+ };
+}
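Review bot: `more_set_headers 'Access-Control-Max-Age' 1728000;` passes two arguments, so `1728000` is parsed as a second header specification rather than as the value — depending on headers-more's handling it is either ignored or treated as clearing a header literally named `1728000`. It should read `more_set_headers 'Access-Control-Max-Age: 1728000';` as the other vhosts in this series write it. The wildcard `Allow-Headers`/`Expose-Headers` are harmless on a static site, but the malformed line is worth fixing before the host is enabled.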
diff --git a/host/Rory-ovh/services/nginx/rory.gay/ec.nix b/host/Rory-ovh/services/nginx/rory.gay/ec.nix
new file mode 100755
index 0000000..c50b1f9
--- /dev/null
+++ b/host/Rory-ovh/services/nginx/rory.gay/ec.nix
@@ -0,0 +1,26 @@
+{ config }:
+{
+ enableACME = !config.virtualisation.isVmVariant;
+ addSSL = !config.virtualisation.isVmVariant;
+ root = "/data/nginx/html_ec";
+ reuseport = true;
+ extraConfig = ''
+ brotli off;
+ brotli_static off;
+ '';
+ locations = {
+ "/" = {
+ index = "index.html";
+ extraConfig = ''
+ more_set_headers 'Access-Control-Allow-Origin: *';
+ more_set_headers 'Access-Control-Allow-Methods: *';
+ more_set_headers 'Access-Control-Allow-Headers: *';
+ more_set_headers 'Access-Control-Expose-Headers: *';
+ more_set_headers 'Access-Control-Max-Age' 1728000;
+
+ # default to /index.html if file not found
+ try_files $uri $uri/ /index.html;
+ '';
+ };
+ };
+}
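Review bot: the `Access-Control-Max-Age` directive is split into two arguments (`'Access-Control-Max-Age' 1728000`), so the value is never attached to the header; write it as a single `Name: value` argument, `more_set_headers 'Access-Control-Max-Age: 1728000';`. The same slip appears in the other static vhosts of this series and should be fixed in all of them together.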
diff --git a/host/Rory-ovh/services/nginx/rory.gay/jitsi.nix b/host/Rory-ovh/services/nginx/rory.gay/jitsi.nix
new file mode 100755
index 0000000..9469087
--- /dev/null
+++ b/host/Rory-ovh/services/nginx/rory.gay/jitsi.nix
@@ -0,0 +1,51 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+
+let
+ overrideJs =
+ filePath: varName: newContent: appendExtra:
+ let
+ oldContent = builtins.readFile filePath;
+ regex = "var ${varName} = {[^}]*};";
+ newJs = builtins.replaceStrings [ regex ] [ "var ${varName} = ${newContent};" ] oldContent;
+ in
+ builtins.writeFile filePath newJs;
+
+ cfg = config.services.jitsi-meet;
+in
+{
+ enableACME = true;
+ addSSL = true;
+ extraConfig = ''
+ ssi on;
+ '';
+ locations."@root_path".extraConfig = ''
+ rewrite ^/(.*)$ / break;
+ '';
+ locations."~ ^/([^/\\?&:'\"]+)$".tryFiles = "$uri @root_path";
+ locations."^~ /xmpp-websocket" = {
+ priority = 100;
+ proxyPass = "http://localhost:5280/xmpp-websocket";
+ proxyWebsockets = true;
+ };
+ locations."=/http-bind" = {
+ proxyPass = "http://localhost:5280/http-bind";
+ extraConfig = ''
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ '';
+ };
+ locations."=/external_api.js" = lib.mkDefault {
+ alias = "${pkgs.jitsi-meet}/libs/external_api.min.js";
+ };
+ locations."=/config.js" = lib.mkDefault {
+ alias = overrideJs "${pkgs.jitsi-meet}/config.js" "config" (lib.recursiveUpdate defaultCfg cfg.config) cfg.extraConfig;
+ };
+ locations."=/interface_config.js" = lib.mkDefault {
+ alias = overrideJs "${pkgs.jitsi-meet}/interface_config.js" "interfaceConfig" cfg.interfaceConfig "";
+ };
+}
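Review bot: `overrideJs` cannot work as written: `builtins.replaceStrings` does literal substring replacement, so the `regex` string will never match the file contents; `builtins.writeFile` is not a Nix builtin (the nixpkgs equivalent is `pkgs.writeText`); `appendExtra` is accepted but never used; and `defaultCfg` in the `config.js` location is unbound. Because the vhost is commented out in nginx.nix this is latent, but it will fail at evaluation the moment it is imported — either reuse the `jitsi-meet` module's generated config files or alias the package files directly and drop the helper. `ssi on;` on the whole vhost also deserves a comment: server-side includes are processed in any served file, which is fine for the package's static assets but not if a writable path is ever added under this host.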
diff --git a/host/Rory-ovh/services/nginx/rory.gay/libmatrix-fed-test.nix b/host/Rory-ovh/services/nginx/rory.gay/libmatrix-fed-test.nix
new file mode 100755
index 0000000..c2909d6
--- /dev/null
+++ b/host/Rory-ovh/services/nginx/rory.gay/libmatrix-fed-test.nix
@@ -0,0 +1,26 @@
+{ config }:
+{
+ enableACME = !config.virtualisation.isVmVariant;
+ addSSL = !config.virtualisation.isVmVariant;
+ locations."/" = {
+ #proxyPass = "http://127.0.0.1:9001";
+ proxyPass = "http://localhost:6500";
+ extraConfig = ''
+ if ($request_method = 'OPTIONS') {
+ more_set_headers 'Access-Control-Allow-Origin: *';
+ more_set_headers 'Access-Control-Allow-Methods: *';
+ #
+ # Custom headers and headers various browsers *should* be OK with but aren't
+ #
+ more_set_headers 'Access-Control-Allow-Headers: *, Authorization';
+ #
+ # Tell client that this pre-flight info is valid for 20 days
+ #
+ more_set_headers 'Access-Control-Max-Age: 1728000';
+ more_set_headers 'Content-Type: text/plain; charset=utf-8';
+ more_set_headers 'Content-Length: 0';
+ return 204;
+ }
+ '';
+ };
+}
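Review bot: the CORS headers are emitted only inside the `if ($request_method = 'OPTIONS')` branch, so the 204 preflight answers with `Access-Control-Allow-Origin: *` but the real proxied responses from :6500 carry no CORS headers unless that upstream adds them itself, and browsers will then reject the request after a successful preflight. If the upstream does not set them, move the Origin/Methods/Headers `more_set_headers` lines above the `if` (as stream.nix does) and leave only `Content-Type`, `Content-Length` and `return 204` inside it.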
diff --git a/host/Rory-ovh/services/nginx/rory.gay/matrix-bak.nix b/host/Rory-ovh/services/nginx/rory.gay/matrix-bak.nix
new file mode 100755
index 0000000..1af3669
--- /dev/null
+++ b/host/Rory-ovh/services/nginx/rory.gay/matrix-bak.nix
@@ -0,0 +1,26 @@
+{ config }:
+{
+ enableACME = !config.virtualisation.isVmVariant;
+ addSSL = !config.virtualisation.isVmVariant;
+ locations."/_matrix" = {
+ proxyPass = "http://192.168.1.5:8008";
+ extraConfig = ''
+ if ($request_method = 'OPTIONS') {
+ more_set_headers 'Access-Control-Allow-Origin: *';
+ more_set_headers 'Access-Control-Allow-Methods: *';
+ #
+ # Custom headers and headers various browsers *should* be OK with but aren't
+ #
+ more_set_headers 'Access-Control-Allow-Headers: *';
+ #
+ # Tell client that this pre-flight info is valid for 20 days
+ #
+ more_set_headers 'Access-Control-Max-Age: 1728000';
+ more_set_headers 'Content-Type: text/plain; charset=utf-8';
+ more_set_headers 'Content-Length: 0';
+ return 204;
+ }
+ '';
+ };
+ locations."/_synapse/client".proxyPass = "http://192.168.1.5:8008";
+}
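Review bot: this file is a stale variant of matrix.nix — it points at `192.168.1.5:8008` and is not referenced from nginx.nix — and keeping a `-bak` copy in a live configuration tree invites someone to import the wrong one later. Delete it or move it out of the tree; git history preserves it. If it is kept, note in a header comment that it lacks the `.well-known/matrix/*` delegation the active matrix.nix serves.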
diff --git a/host/Rory-ovh/services/nginx/rory.gay/matrix.nix b/host/Rory-ovh/services/nginx/rory.gay/matrix.nix
new file mode 100755
index 0000000..45a507f
--- /dev/null
+++ b/host/Rory-ovh/services/nginx/rory.gay/matrix.nix
@@ -0,0 +1,72 @@
+{ config }:
+{
+ enableACME = !config.virtualisation.isVmVariant;
+ addSSL = !config.virtualisation.isVmVariant;
+ locations."/" = {
+ #proxyPass = "http://127.0.0.1:9001";
+ proxyPass = "http://localhost:8008";
+ extraConfig = ''
+ if ($request_method = 'OPTIONS') {
+ more_set_headers 'Access-Control-Allow-Origin: *';
+ more_set_headers 'Access-Control-Allow-Methods: *';
+ #
+ # Custom headers and headers various browsers *should* be OK with but aren't
+ #
+ more_set_headers 'Access-Control-Allow-Headers: *, Authorization';
+ #
+ # Tell client that this pre-flight info is valid for 20 days
+ #
+ more_set_headers 'Access-Control-Max-Age: 1728000';
+ more_set_headers 'Content-Type: text/plain; charset=utf-8';
+ more_set_headers 'Content-Length: 0';
+ return 204;
+ }
+ '';
+ };
+
+ locations."= /.well-known/matrix/server".extraConfig = ''
+ more_set_headers 'Content-Type application/json';
+ more_set_headers 'Access-Control-Allow-Origin *';
+ return 200 '${builtins.toJSON { "m.server" = "matrix.rory.gay:443"; }}';
+ '';
+ locations."= /.well-known/matrix/client".extraConfig = ''
+ more_set_headers 'Content-Type application/json';
+ more_set_headers 'Access-Control-Allow-Origin *';
+ return 200 '${
+ builtins.toJSON {
+ "m.homeserver".base_url = "https://matrix.rory.gay";
+ "org.matrix.msc3575.proxy".url = "https://matrix.rory.gay";
+ }
+ }';
+ '';
+ locations."= /.well-known/matrix/support".extraConfig = ''
+ more_set_headers 'Content-Type application/json';
+ more_set_headers 'Access-Control-Allow-Origin *';
+ return 200 '${
+ builtins.toJSON {
+ admins = [
+ {
+ matrix_id = "@emma:rory.gay";
+ role = "admin";
+ }
+ {
+ matrix_id = "@alicia:rory.gay";
+ role = "admin";
+ }
+ {
+ matrix_id = "@root:rory.gay";
+ role = "admin";
+ }
+ {
+ matrix_id = "@rory:rory.gay";
+ role = "admin";
+ }
+ ];
+ }
+ }';
+ '';
+
+ locations."~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
+ proxyPass = "http://localhost:8100";
+ };
+}
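Review bot: `locations."/"` proxies every path to Synapse on :8008, which also publishes `/_synapse/admin/*` on the public hostname; Synapse's reverse-proxy guidance is to forward only `/_matrix` and `/_synapse/client` and keep the admin API off the internet. Add `locations."/_synapse/admin".extraConfig = "allow 127.0.0.1; deny all;";` or narrow the `/` location to those two prefixes. The `.well-known` responses also use `more_set_headers 'Content-Type application/json'` without the `:` separator headers-more requires, so the JSON likely goes out with the default type and without `Access-Control-Allow-Origin`, which breaks web clients doing well-known discovery. Finally, with Synapse's `max_upload_size = "512M"` in this series, confirm `client_max_body_size` is raised somewhere for this vhost — nginx's 1m default would otherwise reject uploads at the proxy.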
diff --git a/host/Rory-ovh/services/nginx/rory.gay/matrixunittests.nix b/host/Rory-ovh/services/nginx/rory.gay/matrixunittests.nix
new file mode 100755
index 0000000..f23f0dd
--- /dev/null
+++ b/host/Rory-ovh/services/nginx/rory.gay/matrixunittests.nix
@@ -0,0 +1,16 @@
+{ config }:
+{
+ enableACME = !config.virtualisation.isVmVariant;
+ addSSL = !config.virtualisation.isVmVariant;
+ http3 = !config.virtualisation.isVmVariant;
+ http3_hq = !config.virtualisation.isVmVariant;
+ kTLS = !config.virtualisation.isVmVariant;
+ extraConfig = ''
+ brotli off;
+ '';
+ locations = {
+ "/" = {
+ proxyPass = "http://192.168.100.13:80";
+ };
+ };
+}
diff --git a/host/Rory-ovh/services/nginx/rory.gay/mru.nix b/host/Rory-ovh/services/nginx/rory.gay/mru.nix
new file mode 100755
index 0000000..6e685de
--- /dev/null
+++ b/host/Rory-ovh/services/nginx/rory.gay/mru.nix
@@ -0,0 +1,30 @@
+{ config }:
+{
+ enableACME = !config.virtualisation.isVmVariant;
+ addSSL = !config.virtualisation.isVmVariant;
+# quic = true;
+ http3 = !config.virtualisation.isVmVariant;
+ http3_hq = !config.virtualisation.isVmVariant;
+ kTLS = !config.virtualisation.isVmVariant;
+ root = "/data/nginx/html_mru";
+# reuseport = true;
+ extraConfig = ''
+ brotli off;
+ brotli_static off;
+ '';
+ locations = {
+ "/" = {
+ index = "index.html";
+ extraConfig = ''
+ more_set_headers 'Access-Control-Allow-Origin: *';
+ more_set_headers 'Access-Control-Allow-Methods: *';
+ more_set_headers 'Access-Control-Allow-Headers: *';
+ more_set_headers 'Access-Control-Expose-Headers: *';
+ more_set_headers 'Access-Control-Max-Age' 1728000;
+
+ # default to /index.html if file not found
+ try_files $uri $uri/ /index.html;
+ '';
+ };
+ };
+}
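Review bot: `more_set_headers 'Access-Control-Max-Age' 1728000;` is malformed — headers-more takes one `Name: value` string per header, so the numeric second argument is not the value of the preceding name. Replace with `more_set_headers 'Access-Control-Max-Age: 1728000';`.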
diff --git a/host/Rory-ovh/services/nginx/rory.gay/pcpoc.nix b/host/Rory-ovh/services/nginx/rory.gay/pcpoc.nix
new file mode 100755
index 0000000..b62c5fe
--- /dev/null
+++ b/host/Rory-ovh/services/nginx/rory.gay/pcpoc.nix
@@ -0,0 +1,15 @@
+{
+ enableACME = true;
+ addSSL = true;
+ http3 = true;
+ http3_hq = true;
+ kTLS = true;
+ extraConfig = ''
+ brotli off;
+ '';
+ locations = {
+ "/" = {
+ proxyPass = "http://192.168.100.11:80";
+ };
+ };
+}
diff --git a/host/Rory-ovh/services/nginx/rory.gay/root.nix b/host/Rory-ovh/services/nginx/rory.gay/root.nix
new file mode 100755
index 0000000..a7720ec
--- /dev/null
+++ b/host/Rory-ovh/services/nginx/rory.gay/root.nix
@@ -0,0 +1,49 @@
+{ config }:
+{
+ enableACME = !config.virtualisation.isVmVariant;
+ addSSL = !config.virtualisation.isVmVariant;
+ root = "/data/nginx/html_rory_gay";
+ extraConfig = ''autoindex on;'';
+
+ locations."= /.well-known/matrix/server".extraConfig = ''
+ more_set_headers 'Content-Type application/json';
+ more_set_headers 'Access-Control-Allow-Origin *';
+ return 200 '${builtins.toJSON { "m.server" = "matrix.rory.gay:443"; }}';
+ '';
+ locations."= /.well-known/matrix/client".extraConfig = ''
+ more_set_headers 'Content-Type application/json';
+ more_set_headers 'Access-Control-Allow-Origin *';
+ return 200 '${
+ builtins.toJSON {
+ "m.homeserver".base_url = "https://matrix.rory.gay";
+ "org.matrix.msc3575.proxy".url = "https://matrix.rory.gay";
+ }
+ }';
+ '';
+ locations."= /.well-known/matrix/support".extraConfig = ''
+ more_set_headers 'Content-Type application/json';
+ more_set_headers 'Access-Control-Allow-Origin *';
+ return 200 '${
+ builtins.toJSON {
+ admins = [
+ {
+ matrix_id = "@emma:rory.gay";
+ role = "admin";
+ }
+ {
+ matrix_id = "@alicia:rory.gay";
+ role = "admin";
+ }
+ {
+ matrix_id = "@root:rory.gay";
+ role = "admin";
+ }
+ {
+ matrix_id = "@rory:rory.gay";
+ role = "admin";
+ }
+ ];
+ }
+ }';
+ '';
+}
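Review bot: `autoindex on` on the whole of rory.gay makes every file under /data/nginx/html_rory_gay enumerable, including anything dropped there by mistake (backups, editor swap files, drafts); restrict it to a dedicated downloads location or add a comment that the listing is intentional. The `.well-known/matrix/*` headers are also written as `'Content-Type application/json'` without the `:` separator headers-more requires, so the delegation files are likely served with the default type and no CORS header; `more_set_headers 'Content-Type: application/json' 'Access-Control-Allow-Origin: *';` fixes both in one directive.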
diff --git a/host/Rory-ovh/services/nginx/rory.gay/safensound.nix b/host/Rory-ovh/services/nginx/rory.gay/safensound.nix
new file mode 100755
index 0000000..9208129
--- /dev/null
+++ b/host/Rory-ovh/services/nginx/rory.gay/safensound.nix
@@ -0,0 +1,30 @@
+{ config }:
+{
+ enableACME = !config.virtualisation.isVmVariant;
+ addSSL = !config.virtualisation.isVmVariant;
+# quic = true;
+ http3 = !config.virtualisation.isVmVariant;
+ http3_hq = !config.virtualisation.isVmVariant;
+ kTLS = !config.virtualisation.isVmVariant;
+ root = "/data/nginx/html_safensound";
+# reuseport = true;
+ extraConfig = ''
+ brotli off;
+ brotli_static off;
+ '';
+ locations = {
+ "/" = {
+ index = "index.html";
+ extraConfig = ''
+ more_set_headers 'Access-Control-Allow-Origin: *';
+ more_set_headers 'Access-Control-Allow-Methods: *';
+ more_set_headers 'Access-Control-Allow-Headers: *';
+ more_set_headers 'Access-Control-Expose-Headers: *';
+ more_set_headers 'Access-Control-Max-Age' 1728000;
+
+ # default to /index.html if file not found
+ try_files $uri $uri/ /index.html;
+ '';
+ };
+ };
+}
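Review bot: the `'Access-Control-Max-Age' 1728000` directive passes the value as a separate argument, so the header is never set with that value; it should be `more_set_headers 'Access-Control-Max-Age: 1728000';`. This file is otherwise identical to demo.safensound.nix and mru.nix, so consider factoring the shared static-site body into a helper in nginx.nix rather than fixing the same line in three places.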
diff --git a/host/Rory-ovh/services/nginx/rory.gay/stream.nix b/host/Rory-ovh/services/nginx/rory.gay/stream.nix
new file mode 100755
index 0000000..caed22f
--- /dev/null
+++ b/host/Rory-ovh/services/nginx/rory.gay/stream.nix
@@ -0,0 +1,34 @@
+{ config }:
+{
+ enableACME = !config.virtualisation.isVmVariant;
+ addSSL = !config.virtualisation.isVmVariant;
+ locations = {
+ "/" = {
+ proxyPass = "http://localhost:1934";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ extraConfig = ''
+ proxy_ssl_verify off;
+# proxy_set_header Host youthapp.inuits.dev;
+ proxy_ssl_server_name on;
+
+ more_set_headers 'Access-Control-Allow-Origin: *';
+ more_set_headers 'Access-Control-Allow-Methods: *';
+ #
+ # Custom headers and headers various browsers *should* be OK with but aren't
+ #
+ more_set_headers 'Access-Control-Allow-Headers: *, Authorization';
+ #
+ # Tell client that this pre-flight info is valid for 20 days
+ #
+ more_set_headers 'Access-Control-Max-Age: 1728000';
+
+ if ($request_method = 'OPTIONS') {
+ more_set_headers 'Content-Type: text/plain; charset=utf-8';
+ more_set_headers 'Content-Length: 0';
+ return 204;
+ }
+ '';
+ };
+ };
+}
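Review bot: `proxy_ssl_verify off;` and `proxy_ssl_server_name on;` are leftovers from wad-api.nix — the upstream here is plain `http://localhost:1934`, so they do nothing, and the commented `proxy_set_header Host youthapp.inuits.dev` confirms the copy. Drop those three lines so a reader does not assume TLS verification is being disabled on purpose. Unlike the other vhosts, the wildcard CORS headers here apply to every response, not just preflight, which is the correct placement for an API; just make sure the :1934 service relies on the bearer `Authorization` header only and not on cookie or session auth, since any origin can now drive it from a browser.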
diff --git a/host/Rory-ovh/services/nginx/rory.gay/wad-api.nix b/host/Rory-ovh/services/nginx/rory.gay/wad-api.nix
new file mode 100755
index 0000000..ac07547
--- /dev/null
+++ b/host/Rory-ovh/services/nginx/rory.gay/wad-api.nix
@@ -0,0 +1,32 @@
+{
+ enableACME = !config.virtualisation.isVmVariant;
+ addSSL = true;
+ locations = {
+ "/" = {
+ proxyPass = "https://youthapp.inuits.dev";
+ recommendedProxySettings = false;
+ extraConfig = ''
+ proxy_ssl_verify off;
+ proxy_set_header Host youthapp.inuits.dev;
+ proxy_ssl_server_name on;
+
+ more_set_headers 'Access-Control-Allow-Origin: *';
+ more_set_headers 'Access-Control-Allow-Methods: *';
+ #
+ # Custom headers and headers various browsers *should* be OK with but aren't
+ #
+ more_set_headers 'Access-Control-Allow-Headers: *, Authorization';
+ #
+ # Tell client that this pre-flight info is valid for 20 days
+ #
+ more_set_headers 'Access-Control-Max-Age: 1728000';
+
+ if ($request_method = 'OPTIONS') {
+ more_set_headers 'Content-Type: text/plain; charset=utf-8';
+ more_set_headers 'Content-Length: 0';
+ return 204;
+ }
+ '';
+ };
+ };
+}
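Review bot: `proxy_ssl_verify off;` disables certificate validation for an upstream reached over the public internet (`https://youthapp.inuits.dev`), so a DNS or on-path attacker can impersonate it and receive every proxied request, including the `Authorization` header this vhost explicitly allows; replace with `proxy_ssl_verify on; proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` while keeping `proxy_ssl_server_name on`. The file also references `config.virtualisation.isVmVariant` but has no `{ config }:` function header, so it will fail to evaluate as soon as it is uncommented in nginx.nix. Finally, `Access-Control-Allow-Origin: *` plus an `Authorization` passthrough makes this host an open CORS relay for a third-party API — fine if that is the point, but a one-line comment stating so would help.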
diff --git a/host/Rory-ovh/services/nginx/thearcanebrony.net/awooradio.nix b/host/Rory-ovh/services/nginx/thearcanebrony.net/awooradio.nix
new file mode 100755
index 0000000..c0ca8b0
--- /dev/null
+++ b/host/Rory-ovh/services/nginx/thearcanebrony.net/awooradio.nix
@@ -0,0 +1,13 @@
+{ config }:
+{
+ enableACME = !config.virtualisation.isVmVariant;
+ addSSL = true;
+ locations = {
+ "/" = {
+ extraConfig = ''
+ rewrite ^/api/(.*) /$1 break;
+ return 200 $request_uri;'';
+ proxyPass = "http://localhost:4998";
+ };
+ };
+}
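Review bot: `return 200 $request_uri;` in the extraConfig runs before any proxying, so `proxyPass = "http://localhost:4998"` on the next line is never reached and every request to this vhost gets its own URI echoed back as a 200 body. If the echo was a debugging aid, drop the `return` line so the rewrite feeds the proxy; if the service is meant to be parked, drop `proxyPass` and the rewrite instead so the intent is visible. Either way a one-line comment on the location, e.g. `# temporary: echoes request URI instead of proxying`, would stop the next reader from guessing.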
diff --git a/host/Rory-ovh/services/nginx/thearcanebrony.net/root.nix b/host/Rory-ovh/services/nginx/thearcanebrony.net/root.nix
new file mode 100755
index 0000000..59cba43
--- /dev/null
+++ b/host/Rory-ovh/services/nginx/thearcanebrony.net/root.nix
@@ -0,0 +1,41 @@
+{ config }:
+{
+ enableACME = !config.virtualisation.isVmVariant;
+ addSSL = true;
+ root = "/data/nginx/html_thearcanebrony";
+ extraConfig = ''autoindex on;'';
+ locations = {
+ "/" = {
+ #index = "index.html";
+ };
+ "/destroy" = {
+ return = "301 https://gitlab.com/KinoshitaProductions/SecureDestroyer/-/raw/master/run";
+ };
+ "= /.well-known/matrix/support".extraConfig = ''
+ more_set_headers 'Content-Type application/json';
+ more_set_headers 'Access-Control-Allow-Origin *';
+ return 200 '${
+ builtins.toJSON {
+ admins = [
+ {
+ matrix_id = "@emma:rory.gay";
+ role = "admin";
+ }
+ {
+ matrix_id = "@alicia:rory.gay";
+ role = "admin";
+ }
+ {
+ matrix_id = "@root:rory.gay";
+ role = "admin";
+ }
+ {
+ matrix_id = "@rory:rory.gay";
+ role = "admin";
+ }
+ ];
+ }
+ }';
+ '';
+ };
+}
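Review bot: The two `more_set_headers` lines under `= /.well-known/matrix/support` are missing the colon between header name and value (`'Content-Type application/json'`, `'Access-Control-Allow-Origin *'`); headers-more takes `Name: value`, so as written these do not set the intended headers (I would expect a config-time "invalid header" error, worth confirming with `nginx -t`). Change them to `more_set_headers 'Content-Type: application/json';` and `more_set_headers 'Access-Control-Allow-Origin: *';`. Note also that `extraConfig = ''autoindex on;''` at the server level enables directory listings for everything under `/data/nginx/html_thearcanebrony`; if that is deliberate for this host a short comment saying so would help, otherwise scope it to the one location that needs it.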
diff --git a/host/Rory-ovh/services/nginx/thearcanebrony.net/search.nix b/host/Rory-ovh/services/nginx/thearcanebrony.net/search.nix
new file mode 100755
index 0000000..cfb4e1c
--- /dev/null
+++ b/host/Rory-ovh/services/nginx/thearcanebrony.net/search.nix
@@ -0,0 +1,10 @@
+{ config }:
+{
+ enableACME = !config.virtualisation.isVmVariant;
+ addSSL = true;
+ locations = {
+ "/" = {
+ extraConfig = ''rewrite ^ https://thearcanebrony.net/unavailable.html break;'';
+ };
+ };
+}
diff --git a/host/Rory-ovh/services/nginx/thearcanebrony.net/sentry.nix b/host/Rory-ovh/services/nginx/thearcanebrony.net/sentry.nix
new file mode 100755
index 0000000..8cd0826
--- /dev/null
+++ b/host/Rory-ovh/services/nginx/thearcanebrony.net/sentry.nix
@@ -0,0 +1,10 @@
+{ config }:
+{
+ enableACME = !config.virtualisation.isVmVariant;
+ addSSL = true;
+ locations = {
+ "/" = {
+ proxyPass = "http://192.168.1.4:9000";
+ };
+ };
+}
diff --git a/host/Rory-ovh/services/postgres.nix b/host/Rory-ovh/services/postgres.nix
new file mode 100755
index 0000000..10d1cb7
--- /dev/null
+++ b/host/Rory-ovh/services/postgres.nix
@@ -0,0 +1,99 @@
+{ config, pkgs, ... }:
+
+{
+ systemd.tmpfiles.rules = [ "d /data/dedicated/postgres 0750 postgres postgres" ];
+
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_17_jit;
+ enableTCPIP = true;
+ authentication = pkgs.lib.mkOverride 10 ''
+ # TYPE, DATABASE, USER, ADDRESS, METHOD
+ local all all trust
+ host all all 127.0.0.1/32 trust
+ host all all ::1/128 trust
+ host discordbots discordbots 192.168.1.2/32 trust
+ host matrix-synapse-rory-gay matrix-synapse-rory-gay 192.168.1.5/32 trust
+ host all all 0.0.0.0/0 md5
+ '';
+ # initialScript = pkgs.writeText "backend-initScript" ''
+ # CREATE ROLE nixcloud WITH LOGIN PASSWORD 'nixcloud' CREATEDB;
+ # CREATE DATABASE nixcloud;
+ # GRANT ALL PRIVILEGES ON DATABASE nixcloud TO nixcloud;
+ # '';
+ dataDir = "/data/dedicated/postgres";
+ settings = {
+ # https://pgconfigurator.cybertec.at/
+ max_connections = 2500;
+ superuser_reserved_connections = 3;
+
+ shared_buffers = if config.virtualisation.isVmVariant then "128MB" else "64GB";
+ work_mem = if config.virtualisation.isVmVariant then "64MB" else "32GB";
+ maintenance_work_mem = if config.virtualisation.isVmVariant then "512MB" else "8GB";
+ huge_pages = "try";
+ effective_cache_size = if config.virtualisation.isVmVariant then "1GB" else "64GB"; # was 22
+ effective_io_concurrency = 100;
+ random_page_cost = 1.1;
+
+ # can use this to view stats: SELECT query, total_time, calls, rows FROM pg_stat_statements ORDER BY total_time DESC LIMIT 10;
+ shared_preload_libraries = "pg_stat_statements";
+ track_io_timing = "on";
+ track_functions = "pl";
+ "pg_stat_statements.max" = "10000"; # additional
+ "pg_stat_statements.track" = "all"; # additional
+
+ wal_level = "replica";
+ max_wal_senders = 0;
+ synchronous_commit = "on"; # was ond3
+
+ checkpoint_timeout = "15min";
+ checkpoint_completion_target = "0.9";
+ max_wal_size = "2GB";
+ min_wal_size = "1GB";
+
+ wal_compression = "off";
+ wal_buffers = "-1";
+ wal_writer_delay = "500ms"; # was 100
+ wal_writer_flush_after = "32MB"; # was 1
+ #checkpoint_segments = "64"; # additional
+ default_statistics_target = "250"; # additional
+
+ bgwriter_delay = "200ms";
+ bgwriter_lru_maxpages = "100";
+ bgwriter_lru_multiplier = "2.0";
+ bgwriter_flush_after = "0";
+
+ max_worker_processes = "64"; # was 14
+ max_parallel_workers_per_gather = "32"; # was 7
+ max_parallel_maintenance_workers = "32"; # was 7
+ max_parallel_workers = "64"; # was 14
+ parallel_leader_participation = "on";
+
+ enable_partitionwise_join = "on";
+ enable_partitionwise_aggregate = "on";
+ jit = "on";
+ max_slot_wal_keep_size = "1GB";
+ track_wal_io_timing = "on";
+ maintenance_io_concurrency = "4";
+ wal_recycle = "on";
+
+ };
+ };
+
+ # services.prometheus.exporters.postgres = {
+ # enable = true;
+ # port = 9187;
+ # extraFlags = [
+ # "--collector.database_wraparound"
+ # "--collector.long_running_transactions"
+ # "--collector.postmaster"
+ # "--collector.process_idle"
+ # "--collector.stat_activity_autovacuum"
+ # "--collector.stat_statements"
+ # #"--collector.stat_wal_receiver" #we dont have WAL receivers
+ # "--collector.statio_user_indexes"
+ # "--collector.xlog_location"
+ # ];
+ # };
+
+}
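Review bot: `host all all 0.0.0.0/0 md5` in the pg_hba block accepts password logins for every database and role from any IPv4 address, and with `enableTCPIP = true` the only thing between that rule and the network is the host firewall, which this file does not show. Narrow the address to the subnets that actually need remote access (the two `192.168.1.x/32` rules above already cover the known clients) and use `scram-sha-256` rather than the deprecated `md5`, e.g. `host all all 192.168.1.0/24 scram-sha-256`. The memory sizing also deserves a comment: `work_mem = "32GB"` is a per-operation, per-backend limit, so with `max_connections = 2500` a handful of concurrent sorts can exceed physical memory — work_mem in the low hundreds of MB with a much smaller connection cap is the usual shape, and if these numbers are intentional the reasoning should be written next to them. The commented-out `initialScript` still documents a literal `'nixcloud'` password; dead or not, drop it.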
diff --git a/host/Rory-ovh/services/prometheus.nix b/host/Rory-ovh/services/prometheus.nix
new file mode 100644
index 0000000..9409529
--- /dev/null
+++ b/host/Rory-ovh/services/prometheus.nix
@@ -0,0 +1,8 @@
+{ ... }:
+
+{
+ services.prometheus = {
+ enable = true;
+ port = 9001;
+ };
+}
diff --git a/host/Rory-ovh/services/safensound.nix b/host/Rory-ovh/services/safensound.nix
new file mode 100644
index 0000000..69f301a
--- /dev/null
+++ b/host/Rory-ovh/services/safensound.nix
@@ -0,0 +1,28 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+
+{
+ services.mongodb = {
+ enable = true;
+ package = pkgs.mongodb-ce;
+ enableAuth = true;
+ initialRootPasswordFile = "/etc/mongo-pass";
+ #bind_ip = "/run/mongodb.sock";
+ extraConfig = ''
+ net.unixDomainSocket.filePermissions: 0777
+ '';
+ };
+
+ services.safensound = {
+ enable = true;
+ dbCredentialsPath = "/data/secrets/safensound-mongodb";
+ port = 7645;
+ logRequests = "-";
+ logQueries = true;
+ logAuth = true;
+ };
+}
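Review bot: `net.unixDomainSocket.filePermissions: 0777` makes the MongoDB socket connectable by every local account; `enableAuth = true` means they still need credentials, but it widens the local attack surface (password guessing, any future auth bypass) for no stated reason. If only the safensound service needs the socket, `0770` with the service user in the `mongodb` group is the usual shape, and whatever is chosen should be recorded next to the setting, e.g. `# 0777: safensound runs as its own user and cannot join the mongodb group — TODO narrow` if that is the actual reason. `initialRootPasswordFile = "/etc/mongo-pass"` lives outside `/data/secrets`, where `dbCredentialsPath` keeps its secret; worth confirming that file's mode is `0600`, since files under `/etc` are commonly world-readable.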
diff --git a/host/Rory-ovh/services/wireguard/wireguard.nix b/host/Rory-ovh/services/wireguard/wireguard.nix
new file mode 100644
index 0000000..af69f66
--- /dev/null
+++ b/host/Rory-ovh/services/wireguard/wireguard.nix
@@ -0,0 +1,39 @@
+{ pkgs, ... }:
+{
+ networking.nat.internalInterfaces = [ "wg0" ];
+ networking.firewall = {
+ allowedUDPPorts = [ 51820 ];
+ };
+
+ systemd.network = {
+ enable = true;
+ netdevs = {
+ "50-wg0" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "wg0";
+ MTUBytes = "1300";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = "/data/secrets/wireguard-keys/private";
+ ListenPort = 51820;
+ RouteTable = "main"; # wg-quick creates routing entries automatically but we must use use this option in systemd.
+ };
+ wireguardPeers = [
+ {
+ PublicKey = "WLHEyWxEXRn/T0b9xk/8XJnuoCX0fXxWKHUjZ+AORGQ=";
+ AllowedIPs = [ "10.100.0.2" ];
+ }
+ ];
+ };
+ };
+ networks.wg0 = {
+ matchConfig.Name = "wg0";
+ address = [ "10.100.0.1/24" ];
+ networkConfig = {
+ IPMasquerade = "ipv4";
+ IPv4Forwarding = true;
+ };
+ };
+ };
+}
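Review bot: NAT for `wg0` is configured twice in this file: `networking.nat.internalInterfaces = [ "wg0" ]` at the top drives the NixOS NAT module, while `IPMasquerade = "ipv4"` and `IPv4Forwarding = true` in `networks.wg0` ask systemd-networkd to do the same. `networking.nat.enable` is not set here, so unless another module enables it the first line is inert, and if it is enabled elsewhere both masquerade rules apply; pick one mechanism and remove the other, or add a comment stating which is authoritative. Minor: `AllowedIPs = [ "10.100.0.2" ]` has no prefix length — systemd appears to treat it as a host route, but `10.100.0.2/32` makes the intent explicit and matches the `/24` on the address line.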
diff --git a/host/Rory-portable/configuration.nix b/host/Rory-portable/configuration.nix
index 0c4fd6d..1982205 100644
--- a/host/Rory-portable/configuration.nix
+++ b/host/Rory-portable/configuration.nix
@@ -9,7 +9,8 @@
{
imports = [
../../modules/base-client.nix
- ../../modules/packages/vim.nix
+ ../../packages/vim.nix
+ ./optional/gui/wayland.nix
];
boot = {
@@ -26,19 +27,6 @@
#readOnlyNixStore = false;
};
- services.udev.extraRules = ''
- #SUBSYSTEM=="usb", ATTR{idVendor}=="18d1", MODE="0664", GROUP="users"
- # SDP protocol
- KERNEL=="hidraw*", ATTRS{idVendor}=="1fc9", MODE="0666"
- ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="1fc9", MODE="0666"
- ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="0d28", MODE="0666"
- # Flashloader
- KERNEL=="hidraw*", ATTRS{idVendor}=="15a2", MODE="0666"
- # Controller
- KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="18d1", MODE="0666"
- SUBSYSTEMS=="usb", ATTRS{idVendor}=="18d1", ATTRS{idProduct}=="9400", MODE="0660", TAG+="uaccess"
- '';
-
#systemd.services.NetworkManager-wait-online.enable = false;
networking = {
@@ -51,7 +39,7 @@
# allowedUDPPorts = [ ... ];
};
- #interfaces.enp34s0.ipv4.addresses = [ {
+ #interfaces.enp34s0.ipv4.addresses = [ {
# address = "192.168.0.3";
# prefixLength = 24;
#} ];
@@ -74,23 +62,9 @@
xserver = {
enable = true;
updateDbusEnvironment = true;
- #videoDrivers = ["amdgpu"]; #"nvidia"
- #desktopManager.gnome.enable = true;
xkb.layout = "us";
- windowManager.i3.enable = true;
- windowManager.i3.extraSessionCommands = ''
- # output from arandr:
- #xrandr --output DP-1 --mode 1920x1080 --pos 3840x1080 --rotate normal --output HDMI-1 --mode 3840x2160 --pos 0x0 --rotate normal --output HDMI-2 --off --output DP-2 --off
- #xrandr --output HDMI-1 --mode 3840x2160 --pos 0x0 --rotate normal --primary --output DP-1 --mode 1920x1080 --pos 3840x1080 --rotate normal --output HDMI-2 --off --output DP-2 --off
- ${pkgs.polybarFull}/bin/polybar &
- ${pkgs.dunst}/bin/dunst &
- ${pkgs.feh}/bin/feh --no-fehbg --bg-fill ${../../modules/users/Rory/wallpaper.webp}
- '';
};
libinput.enable = true;
- picom.enable = true;
- picom.vSync = false;
- picom.backend = "glx";
openssh = {
enable = true;
@@ -116,32 +90,32 @@
feh
easyeffects
kitty
- youtube-music
+ #youtube-music
# - IDEs
#jetbrains-toolbox
- jetbrains.rider
+ #jetbrains.rider
#jetbrains.webstorm
#jetbrains.clion
- github-copilot-intellij-agent
+ #github-copilot-intellij-agent
- dbeaver-bin
+ #dbeaver-bin
#insomnia
- vscode
+ #vscode
# - Utilities
- inkscape-with-extensions
- gimp # -with-plugins
+ #inkscape-with-extensions
+ #gimp # -with-plugins
# - Languages
#dotnet-sdk_7
- dotnet-sdk_8
- #(callPackage ../../modules/packages/dotnet-pack.nix { inherit pkgs; })
+ #dotnet-sdk_8
+ #(callPackage ../../packages/dotnet-pack.nix { inherit pkgs; })
#games
- osu-lazer-bin
+ #osu-lazer-bin
#steam
- steam-run
+ #steam-run
# extra packages
dmenu
@@ -149,19 +123,17 @@
nemo
file-roller
firefox-bin
- ungoogled-chromium # needed for Rider in order to debug WASM
-
- peek
+ #ungoogled-chromium # needed for Rider in order to debug WASM
unrar-wrapper
#(schildichat-desktop.override { electron = electron; })
- (callPackage ../../modules/packages/nheko-git.nix {
+ (callPackage ../../packages/nheko-git.nix {
inherit nhekoSrc;
inherit mtxclientSrc;
voipSupport = false;
})
- #(callPackage ../../modules/packages/mc/server/modpack/curseforge/techopolis-2/5.4.nix { })
+ #(callPackage ../../packages/mc/server/modpack/curseforge/techopolis-2/5.4.nix { })
#vesktop
virt-viewer
@@ -170,8 +142,8 @@
# (dwarf-fortress-packages.dwarf-fortress-full.override { enableStoneSense = true; enableFPS = true; theme = dwarf-fortress-packages.themes.spacefox; })
];
- programs.steam.enable = true;
- programs.steam.gamescopeSession.enable = true;
+ #programs.steam.enable = true;
+ #programs.steam.gamescopeSession.enable = true;
#environment.gnome.excludePackages = [
# pkgs.orca
@@ -180,12 +152,11 @@
#];
xdg = {
portal = {
-
enable = true;
extraPortals = with pkgs; [
#xdg-desktop-portal-gtk
xdg-desktop-portal-xapp
- (callPackage ../../modules/packages/xdg-desktop-portal-gtk.nix { })
+ # (callPackage ../../packages/xdg-desktop-portal-gtk.nix { })
];
config = {
common = {
@@ -193,8 +164,6 @@
};
};
xdgOpenUsePortal = true;
- #gtkUsePortal = true;
-
};
#sounds.enable = true;
#mime.enable = true;
@@ -203,12 +172,16 @@
#autostart.enable = true;
};
fonts = {
- fonts = with pkgs; [
+ packages = with pkgs; [
(nerdfonts.override { fonts = [ "JetBrainsMono" ]; })
noto-fonts-monochrome-emoji
];
- fontconfig.defaultFonts.monospace = [ "JetBrainsMonoNL Nerd Font,JetBrainsMonoNL NF:style=Regular" ];
- fontconfig.defaultFonts.sansSerif = [ "JetBrainsMonoNL Nerd Font,JetBrainsMonoNL NF:style=Regular" ];
+ fontconfig.defaultFonts.monospace = [
+ "JetBrainsMonoNL Nerd Font,JetBrainsMonoNL NF:style=Regular"
+ ];
+ fontconfig.defaultFonts.sansSerif = [
+ "JetBrainsMonoNL Nerd Font,JetBrainsMonoNL NF:style=Regular"
+ ];
fontconfig.defaultFonts.serif = [ "JetBrainsMonoNL Nerd Font,JetBrainsMonoNL NF:style=Regular" ];
fontconfig.defaultFonts.emoji = [ "freefont" ];
enableDefaultPackages = lib.mkForce false;
@@ -229,8 +202,18 @@
#};
# };
- virtualisation.libvirtd.enable = true;
- programs.virt-manager.enable = true;
+ #virtualisation.libvirtd.enable = true;
+ #programs.virt-manager.enable = true;
system.stateVersion = "22.11"; # DO NOT EDIT!
+
+ nixpkgs = {
+ config = {
+ allowUnfree = true;
+ permittedInsecurePackages = [
+ "electron-25.9.0"
+ "olm-3.2.16"
+ ];
+ };
+ };
}
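Review bot: The new `nixpkgs.config.permittedInsecurePackages` list at the bottom of the file opts back into `olm-3.2.16` and `electron-25.9.0` without recording why; both are packages nixpkgs marks insecure (olm for unfixed side-channel issues, electron for an end-of-life runtime), and this same commit comments out the likeliest consumers (`#vesktop`, `#vscode`), so it is not obvious from the hunk which package still needs them. Add a comment per entry naming the dependent, e.g. `"olm-3.2.16" # needed by nheko-git via mtxclient`, so the allowance is removed when that dependency goes away. If nothing in this configuration pulls them in any more, drop the list entirely; the deleted `host/Rory-wsl/configuration.nix` carried the same `electron-25.9.0` entry, which suggests it was copied forward rather than re-checked.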
diff --git a/host/Rory-portable/optional/gui/wayland.nix b/host/Rory-portable/optional/gui/wayland.nix
new file mode 100644
index 0000000..eac6391
--- /dev/null
+++ b/host/Rory-portable/optional/gui/wayland.nix
@@ -0,0 +1,37 @@
+{
+ pkgs,
+ ...
+}:
+
+{
+ programs.sway = {
+ enable = true;
+
+ wrapperFeatures.gtk = true;
+ extraSessionCommands = ''
+ # -- Wayland fixes
+ # SDL:
+ export SDL_VIDEODRIVER=wayland
+ # QT (needs qt5.qtwayland in systemPackages):
+ export QT_QPA_PLATFORM=wayland-egl
+ export QT_WAYLAND_DISABLE_WINDOWDECORATION="1"
+ # Fix for some Java AWT applications (e.g. Android Studio),
+ # use this if they aren't displayed properly:
+ export _JAVA_AWT_WM_NONREPARENTING=1
+ '';
+
+ extraPackages = with pkgs; [
+ swaybg
+ #swayidle
+ #swaylock
+ waybar
+ wl-clipboard
+ grim
+ slurp
+ easyeffects
+ keepassxc
+ ];
+ };
+
+ xdg.portal.wlr.enable = true;
+}
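Review bot: The comment `# QT (needs qt5.qtwayland in systemPackages):` inside `extraSessionCommands` states a requirement that this file does not satisfy — `extraPackages` lists sway tools but no qtwayland and nothing else in the hunk adds it, so with `QT_QPA_PLATFORM=wayland-egl` exported Qt applications may fail to find the platform plugin unless another module provides it. Either add the package where the comment says it belongs (which major version is needed depends on the applications installed) or reword the comment to say where it is provided, e.g. `# QT: qtwayland is provided by <module> — TODO confirm`.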
diff --git a/host/Rory-wsl/configuration.nix b/host/Rory-wsl/configuration.nix
deleted file mode 100644
index b155058..0000000
--- a/host/Rory-wsl/configuration.nix
+++ /dev/null
@@ -1,105 +0,0 @@
-{
- lib,
- pkgs,
- nhekoSrc,
- mtxclientSrc,
- ...
-}:
-
-{
- imports = [
- ../../modules/base-client.nix
- # ../../modules/software-templates/profilers.nix
- # ../../modules/software-templates/dotnet.client.nix
- ];
- wsl = {
- enable = true;
- automountPath = "/mnt";
- #defaultUser = "nixos";
- defaultUser = "Rory";
- startMenuLaunchers = true;
-
- # Fix binfmt registration
- interop.register = true;
-
- # Enable native Docker support
- # docker-native.enable = true;
-
- # Enable integration with Docker Desktop (needs to be installed)
- # docker-desktop.enable = true;
-
- };
- networking.hostName = "Rory-wsl";
- users.users.Rory.uid = 1000;
-
- environment.systemPackages = with pkgs; [
- gnome-console
- feh
- easyeffects
- kitty
- # youtube-music
- nemo
- file-roller
-
- # - IDEs
- # jetbrains-toolbox
- # jetbrains.rider
- # github-copilot-intellij-agent
-
- # dbeaver
- # insomnia
- # vscode
- # discord
-
- # - Languages
- #dotnet-sdk_7
- #dotnet-sdk_8
- # (callPackage ../../modules/packages/dotnet-pack.nix { inherit pkgs; })
-
- # temurin-bin
- # obsidian
- # ungoogled-chromium #needed for Rider in order to debug WASM
- # peek
-
- unrar-wrapper
-
- #(schildichat-desktop.override { electron = electron; })
- (callPackage ../../modules/packages/nheko-git.nix {
- inherit nhekoSrc;
- inherit mtxclientSrc;
- })
- # steam-run
- ];
-
- programs.firefox = {
- enable = true;
- package = pkgs.firefox-devedition;
- #preferencesStatus = "default";
- wrapperConfig.speechSynthesisSupport = false;
- };
-
- fonts = {
- fonts = with pkgs; [
- (nerdfonts.override { fonts = [ "JetBrainsMono" ]; })
- noto-fonts-monochrome-emoji
- ];
- # fontconfig.defaultFonts.monospace = with pkgs; [
- # "JetBrainsMonoNL Nerd Font,JetBrainsMonoNL NF:style=Regular"
- # ];
- # fontconfig.defaultFonts.sansSerif = with pkgs; [
- # "JetBrainsMonoNL Nerd Font,JetBrainsMonoNL NF:style=Regular"
- # ];
- # fontconfig.defaultFonts.serif = with pkgs; [
- # "JetBrainsMonoNL Nerd Font,JetBrainsMonoNL NF:style=Regular"
- # ];
- fontconfig.defaultFonts.emoji = with pkgs; [ "freefont" ];
- enableDefaultPackages = lib.mkForce false;
- enableGhostscriptFonts = lib.mkForce false;
- };
-
- programs.dconf.enable = true;
-
- system.stateVersion = "23.05";
- nixpkgs.config.permittedInsecurePackages = [ "electron-25.9.0" ];
- home-manager.users.Rory.home.stateVersion = lib.mkForce "23.05";
-}
diff --git a/host/RoryNix/configuration.nix b/host/RoryNix/configuration.nix
index 5876d2f..891d3ad 100644
--- a/host/RoryNix/configuration.nix
+++ b/host/RoryNix/configuration.nix
@@ -8,9 +8,9 @@
{
imports = [
# ./hardware-configuration.nix
- ../../modules/packages/vim.nix
+ ../../packages/vim.nix
../../modules/environments/home.nix
- # ../../modules/packages/overlays/haskell/basement/IntWord64.nix
+ # ../../packages/overlays/haskell/basement/IntWord64.nix
];
boot = {
@@ -43,22 +43,23 @@
services = {
xserver = {
enable = true;
- videoDrivers = [ "intel" ];
+ #videoDrivers = [ "intel" ];
+ videoDrivers = [ "nouveau" ];
desktopManager.gnome.enable = true;
xkb.layout = "us";
- modules = [ pkgs.xorg.xf86videointel ];
+ #modules = [ pkgs.xorg.xf86videointel ];
};
#libinput.enable = true;
gnome = {
core-developer-tools.enable = false;
core-utilities.enable = false;
- tracker-miners.enable = false;
- tracker.enable = false;
+ localsearch.enable = false;
+ tinysparql.enable = false;
sushi.enable = false;
rygel.enable = false;
gnome-user-share.enable = false;
gnome-remote-desktop.enable = false;
- gnome-online-miners.enable = lib.mkForce false;
+ # gnome-online-miners.enable = lib.mkForce false; # removed
gnome-online-accounts.enable = false;
gnome-initial-setup.enable = false;
gnome-browser-connector.enable = false;
@@ -83,8 +84,8 @@
};
};
- sound.enable = true;
- hardware.pulseaudio.enable = false;
+ # sound.enable = true; # removed
+ services.pulseaudio.enable = false;
users.users = {
Rory = {
@@ -146,7 +147,7 @@
zsh-completions
];
- fonts.packages = with pkgs; [ (nerdfonts.override { fonts = [ "JetBrainsMono" ]; }) ];
+ fonts.packages = with pkgs; [ nerd-fonts.jetbrains-mono noto-fonts-monochrome-emoji ];
nix = {
settings = {
experimental-features = [
diff --git a/host/uISO/development.nix b/host/uISO/development.nix
new file mode 100644
index 0000000..90ffcfb
--- /dev/null
+++ b/host/uISO/development.nix
@@ -0,0 +1,51 @@
+{
+ config,
+ lib,
+ pkgs,
+
+ #params
+ #enableBios ? true,
+ #enableEfi ? true,
+ #enableUsb ? true,
+
+ ...
+}:
+
+#with lib;
+
+{
+ users.users.root.initialPassword = "root";
+ services.getty.autologinUser = "root";
+
+ isoImage = {
+ squashfsCompression = "gzip -Xcompression-level 1";
+ compressImage = false;
+ includeSystemBuildDependencies = false;
+ efiSplashImage = null;
+ #splashImage = null;
+ grubTheme = null;
+ };
+
+ boot = {
+ initrd = {
+ #systemd.enable = true;
+ systemd.emergencyAccess = true;
+ };
+ #consoleLogLevel = 1;
+ kernelParams = [
+ "console=ttyS0,115200"
+ "systemd.gpt_auto=0"
+ #"console=tty1"
+ #"quiet"
+ ];
+ };
+ environment.systemPackages = with pkgs; [
+ #xterm
+
+ (callPackage ./pkgs/resize.nix { })
+ #coreutils
+ htop
+ btop
+ neofetch
+ ];
+}
\ No newline at end of file
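Review bot: `users.users.root.initialPassword = "root"` and `services.getty.autologinUser = "root"` give anyone at the console or on the serial line selected by `console=ttyS0,115200` a root shell with a known password, and `boot.initrd.systemd.emergencyAccess = true` does the same inside the initrd. That is reasonable for a throwaway development image, but nothing in the file says so; add a header comment such as `# Development-only profile: root autologin, known root password, initrd emergency shell. Never include in a shipped image.` and check that no non-development ISO target in the flake can import this file by accident. The file also lacks a trailing newline.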
diff --git a/host/uISO/iso-root.nix b/host/uISO/iso-root.nix
new file mode 100644
index 0000000..6f02772
--- /dev/null
+++ b/host/uISO/iso-root.nix
@@ -0,0 +1,128 @@
+{
+ config,
+ lib,
+ pkgs,
+ nixpkgs,
+
+ #params
+ #enableBios ? true,
+ #enableEfi ? true,
+ #enableUsb ? true,
+
+ ...
+}:
+
+#with lib;
+
+{
+ imports = [
+ (nixpkgs + "/nixos/modules/installer/cd-dvd/iso-image.nix")
+ ];
+
+ fileSystems = lib.mkImageMediaOverride config.lib.isoFileSystems;# // {
+ # "/".device = lib.mkForce "/dev/disk/by-label/NIXOS_ISO";
+ # "/nix/.ro-store".device = lib.mkForce "/sysroot/iso/nix-store.squashfs";
+ #};
+
+ isoImage = {
+ isoName = "Spacebar-Selfhosting-Kit-${config.system.nixos.label}-${pkgs.stdenv.hostPlatform.system}.iso";
+
+ makeEfiBootable = false;
+ makeUsbBootable = false;
+ makeBiosBootable = true;
+ };
+
+
+ boot.supportedFilesystems = lib.mkForce [ ];
+ hardware.enableRedistributableFirmware = lib.mkForce false;
+ #environment.systemPackages = lib.mkForce [ ];
+ documentation.enable = lib.mkForce false;
+ documentation.nixos.enable = lib.mkForce false;
+ networking.wireless.enable = lib.mkForce false;
+
+ system.extraDependencies = lib.mkForce [];
+
+ boot = {
+ loader = {
+ grub.memtest86.enable = false;
+ #systemd-boot.enable = true;
+ grub.enable = false;
+ timeout = lib.mkForce 1;
+ };
+
+ #kernelPackages = pkgs.linuxPackages_latest;
+ systemdExecutable = "${pkgs.systemd}/bin/init";
+
+ enableContainers = lib.mkForce false;
+ };
+
+
+ #perlless profile
+ system.switch.enable = lib.mkForce false;
+
+ # Remove perl from activation
+ #system.etc.overlay.enable = lib.mkForce true;
+ #systemd.sysusers.enable = lib.mkForce true;
+
+ # Random perl remnants
+ programs.less.lessopen = lib.mkForce null;
+ programs.command-not-found.enable = lib.mkForce false;
+ environment.defaultPackages = lib.mkForce [ ];
+ documentation.info.enable = lib.mkForce false;
+ documentation.man.enable = false;
+
+ system = {
+ #activatable = false;
+ copySystemConfiguration = false;
+ includeBuildDependencies = false;
+ disableInstallerTools = lib.mkForce true;
+ build = {
+ separateActivationScript = true;
+ };
+ };
+
+ nix.enable = false;
+ networking.firewall.enable = false;
+ networking.networkmanager.enable = false;
+ systemd.coredump.enable = false;
+ services.timesyncd.enable = false;
+
+ services.nscd.enableNsncd = false;
+ networking.dhcpcd.enable = false;
+ services.udev.enable = false;
+ services.nscd.enable = false;
+ system.nssModules = lib.mkForce [];
+
+ systemd.oomd.enable = false;
+ #services.getty = {
+ # autologinUser = "root";
+ # loginProgram = "${pkgs.bash}/bin/bash";
+ # loginOptions = "--login";
+ #};
+
+ security = {
+ loginDefs = {
+ settings = {
+ ENCRYPT_METHOD = "MD5";
+ };
+ };
+ sudo.enable = false;
+ };
+
+ nixpkgs.overlays = [
+ (import ./overlays/systemd-overlay.nix)
+ (import ./overlays/grub-overlay.nix)
+ ];
+
+ services.lvm.enable = lib.mkForce false;
+ boot.initrd.services.lvm.enable = lib.mkForce false;
+ boot.initrd.systemd.suppressedUnits = [
+ "systemd-hibernate-clear.service"
+ ];
+
+ systemd.suppressedSystemUnits = [
+ "systemd-hibernate-clear.service"
+ "systemd-bootctl@.service"
+ "systemd-bootctl.socket"
+ ];
+}
\ No newline at end of file
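Review bot: `security.loginDefs.settings.ENCRYPT_METHOD = "MD5"` selects md5crypt for any password written via the shadow tools; NixOS defaults to yescrypt, and since the rest of the file is about dropping perl and shrinking the image, this looks like an accidental downgrade rather than a size win — the hashing methods appear to come from the same libxcrypt either way. If a weaker method is needed for some consumer of the image, say which in a comment (`# MD5: required by <consumer> — TODO confirm`); otherwise use `"SHA512"` or leave the option unset. The same block disables `networking.firewall`, `sudo`, `udev` and `timesyncd` without a note on why; a one-line `# minimal-image trade-offs:` comment above it would save the next reader from re-deriving the intent. The file also lacks a trailing newline.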
diff --git a/host/uISO/overlays/grub-overlay.nix b/host/uISO/overlays/grub-overlay.nix
new file mode 100644
index 0000000..abbed8e
--- /dev/null
+++ b/host/uISO/overlays/grub-overlay.nix
@@ -0,0 +1,20 @@
+final: prev: {
+ grub2 = (prev.grub2.override {
+ zfsSupport = false;
+ efiSupport = false;
+ xenSupport = false;
+ }).overrideAttrs (oldAttrs: {
+ doCheck = false;
+ doInstallCheck = false;
+ #remove --enable-grub-mount
+ configureFlags = oldAttrs.configureFlags ++ [ "--disable-year2038 --disable-nls --disable-rpath --disable-dependency-tracking --disable-grub-mount --disable-grub-themes --disable-grub-mkfont" ];
+ # remove unnecessary commands
+ # postInstall = oldAttrs.postInstall + ''
+ # rm -rf $out/share/locale
+ # '';
+ });
+
+ grub2_light = final.grub2;
+ grub2_efi = final.grub2;
+ grub2_xen = final.grub2;
+}
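Review bot: `configureFlags = oldAttrs.configureFlags ++ [ "--disable-year2038 --disable-nls … --disable-grub-mkfont" ]` appends all seven flags as one list element; that only works because the default configurePhase word-splits the flattened string, and it breaks silently under `__structuredAttrs` or any consumer that iterates the list. Write each flag as its own element, one per line, which also lets the `#remove --enable-grub-mount` comment sit next to the matching `--disable-grub-mount` entry. If `oldAttrs.configureFlags` still contains `--enable-grub-mount`, the later `--disable` wins in autoconf, but filtering it out with `lib.remove` would make the result clearer than relying on ordering.
```nix
    configureFlags = oldAttrs.configureFlags ++ [
      "--disable-year2038"
      "--disable-nls"
      "--disable-rpath"
      "--disable-dependency-tracking"
      "--disable-grub-mount" # overrides the default --enable-grub-mount
      "--disable-grub-themes"
      "--disable-grub-mkfont"
    ];
    # … unchanged: commented-out postInstall …
```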
diff --git a/host/uISO/overlays/systemd-overlay.nix b/host/uISO/overlays/systemd-overlay.nix
new file mode 100644
index 0000000..69a4d3f
--- /dev/null
+++ b/host/uISO/overlays/systemd-overlay.nix
@@ -0,0 +1,62 @@
+final: prev: {
+ systemd = prev.systemd.override {
+ #pname = "systemd-extra-minimal";
+ withSelinux = false;
+ withKexectools = false;
+ withLibseccomp = false;
+ withAcl = false;
+ withAudit = false;
+ withAnalyze = false;
+ withApparmor = false;
+ withBootloader = false;
+ withCompression = false;
+ withCoredump = false;
+ withCryptsetup = false;
+ withRepart = false;
+ withDocumentation = false;
+ withEfi = false;
+ withFido2 = false;
+ withHomed = false;
+ withHostnamed = false;
+ withHwdb = true; # required by nixos
+ withImportd = false;
+ withIptables = false;
+ withKmod = true; # required by nixos
+ withLibBPF = false;
+ withLibidn2 = false;
+ withLocaled = false;
+ withLogind = true; # required by nixos
+ withMachined = false;
+ withNetworkd = false;
+ withNss = false;
+ withOomd = false;
+ withPam = true; # required by nixos
+ withPCRE2 = false;
+ withPolkit = false;
+ withPortabled = false;
+ withQrencode = false;
+ withRemote = false;
+ withResolved = false;
+ withShellCompletions = false;
+ withSysusers = false;
+ withSysupdate = false;
+ withTimedated = false;
+ withTimesyncd = false;
+ withTpm2Tss = false;
+ withUkify = false;
+ withUserDb = false;
+ withUtmp = false;
+ withVmspawn = false;
+ withKernelInstall = false;
+ withTests = false;
+ withLogTrace = false;
+ };
+
+ systemd-minimal = final.systemd;
+
+ openssh = prev.openssh.overrideAttrs (oldAttrs: {
+ # Disable PAM support
+ doCheck = false;
+ doInstallCheck = false;
+ });
+}
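Review bot: The `# Disable PAM support` comment on the `openssh` override describes something the code does not do — the attrs only set `doCheck = false` and `doInstallCheck = false`, so the resulting sshd links PAM exactly as `prev.openssh` does. Either drop the comment, or if PAM really should be off express it through the package's own override argument (nixpkgs' openssh exposes a PAM toggle; check the current argument name before relying on it) and document the test-skipping separately with its actual reason, e.g. `# tests skipped: they need network namespaces unavailable in this build`. As it stands the next reader will assume this image's sshd bypasses PAM, which matters for the `withPam = true; # required by nixos` line kept on the systemd override above.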
diff --git a/host/uISO/pkgs/resize.nix b/host/uISO/pkgs/resize.nix
new file mode 100644
index 0000000..5dc3b77
--- /dev/null
+++ b/host/uISO/pkgs/resize.nix
@@ -0,0 +1,9 @@
+{ lib, pkgs, ... }:
+
+derivation {
+ name = "resize";
+ version = "1.0";
+ builder = "${pkgs.bash}/bin/bash";
+ args = [ "-c" "${pkgs.coreutils}/bin/mkdir -p $out/bin; ${pkgs.coreutils}/bin/cp ${pkgs.xterm}/bin/.resize-wrapped $out/bin/resize" ];
+ system = builtins.currentSystem;
+}
\ No newline at end of file
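Review bot: `system = builtins.currentSystem;` makes this derivation impure — it is the reason `test.sh` has to pass `--impure` to `nom build`, and it means the package cannot be built from a pure flake evaluation or cross-compiled. Use the platform the calling nixpkgs was instantiated for, `system = pkgs.stdenv.hostPlatform.system;`, after which the `--impure` flag in `test.sh` can go. The raw `derivation { … }` also packs two commands with an unquoted `$out` into a single `bash -c` argument; `pkgs.runCommand "resize" {} '' … ''` would express the same copy with the standard builder environment, and the unused `version = "1.0";` attribute can be dropped since `derivation` does not interpret it.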
diff --git a/host/uISO/test.sh b/host/uISO/test.sh
new file mode 100755
index 0000000..9033b8c
--- /dev/null
+++ b/host/uISO/test.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env sh
+
+nom build .#nixosConfigurations.test-iso.config.system.build.isoImage --impure || exit 1
+clear
+du -sh result/iso/*.iso || exit 1
+sleep 2
+qemu-system-x86_64 -enable-kvm -m 256 -cdrom result/iso/*.iso -nographic -serial mon:stdio
\ No newline at end of file