loose updates

config/hosts/kyouko.nix

@@ -1,116 +0,0 @@
-{ meta, config, lib, pkgs, ... }:
-
-with lib;
-
-{
-  # Imports
-
-  imports = with meta; [
-    profiles.hardware.hcloud-imperative
-    profiles.network
-    users.kat.server
-#    users.kat.services.weechat
-    services.logrotate
-    services.nginx
-    services.postgres
-    services.restic
-    services.taskserver
-#    services.znc
-  ];
-
-  kw.monitoring = {
-    server.enable = true;
-  };
-
-  services.prometheus = {
-    scrapeConfigs = [
-      {
-        job_name = "boline";
-        static_configs = [{ targets = [ "boline.${config.network.addresses.yggdrasil.prefix}.${config.network.dns.domain}:8002" ]; }];
-      }
-    ];
-  };
-
-  # Terraform
-
-  deploy.tf = {
-    resources.kyouko = {
-      provider = "null";
-      type = "resource";
-      connection = {
-        port = head config.services.openssh.ports;
-        host = config.network.addresses.public.nixos.ipv4.address;
-      };
-    };
-  };
-
-  # File Systems and Swap
-
-  fileSystems = {
-    "/" = {
-      device = "/dev/sda1";
-      fsType = "ext4";
-    };
-  };
-
-  # Bootloader
-
-  boot.loader.grub = {
-    enable = true;
-    version = 2;
-    device = "/dev/sda";
-  };
-
-  # Networking
-
-  networking = {
-    hostId = "7b0ac74e";
-    useDHCP = false;
-    interfaces = {
-      enp1s0 = {
-        useDHCP = true;
-        ipv6.addresses = [{
-          address = config.network.addresses.public.nixos.ipv6.address;
-          prefixLength = 64;
-        }];
-      };
-    };
-    defaultGateway6 = {
-      address = "fe80::1";
-      interface = "enp1s0";
-    };
-  };
-
-  network = {
-    addresses = {
-      public = {
-        enable = true;
-        nixos = {
-          ipv4.address = "168.119.126.111";
-          ipv6.address = "2a01:4f8:c2c:b7a8::1";
-        };
-      };
-    };
-    yggdrasil = {
-      enable = true;
-      pubkey = "0da9fce0b282c63b449a813183e8fa15d1480b344228068f2af860afafa8928d";
-      address = "204:4ac0:63e9:afa7:3897:6caf:d9cf:82e0";
-      listen.enable = true;
-      listen.endpoints = [ "tcp://${config.network.addresses.public.nixos.ipv4.address}:52969" "tcp://[${config.network.addresses.public.nixos.ipv6.address}]:52969" ];
-    };
-  };
-
-  # Firewall
-
-  network.firewall = {
-    public = {
-      interfaces = singleton "enp1s0";
-      tcp.ports = singleton 52969;
-    };
-    private.interfaces = singleton "yggdrasil";
-  };
-
-  # State
-  system.stateVersion = "20.09";
-}
-

config/hosts/yukari.nix

@@ -5,6 +5,7 @@
     profiles.gui
     users.kat.guiFull
     services.jellyfin
+    services.nextcloud
     services.kattv-ingest
     services.kattv2-ingest
     services.postgres

config/profiles/base/profiles.nix

@@ -6,6 +6,8 @@ with lib;
   options = {
     deploy.profile = {
       gui = mkEnableOption "Graphical System";
+      sway = mkEnableOption "Sway WM";
+      i3 = mkEnableOption "i3 WM";
       vfio = mkEnableOption "VFIO";
       shared = mkEnableOption "Shared System";
       trusted = mkEnableOption "Trusted Submodule";
@@ -52,6 +54,8 @@ with lib;
           ({ nixos, ... }: {
             options.deploy.profile = {
               gui = mkEnableOption "Graphical System";
+              sway = mkEnableOption "Sway WM";
+              i3 = mkEnableOption "i3 WM";
               vfio = mkEnableOption "VFIO";
               shared = mkEnableOption "Shared System";
               trusted = mkEnableOption "Trusted Submodule" // {

config/profiles/gui/fonts.nix

@@ -16,6 +16,7 @@
   };
 
   fonts.fonts = with pkgs; [
+    cantarell-fonts
     emacs-all-the-icons-fonts
     font-awesome
     cozette

config/profiles/gui/profile.nix

@@ -1,5 +1,10 @@
-{ config, meta, ... }: {
+{ config, pkgs, meta, ... }: {
   imports = with meta; [
     services.dnscrypt-proxy
   ];
+
+  environment.systemPackages = with pkgs; [
+    lyx
+    texlive.combined.scheme-full
+  ];
 }

config/profiles/vfio/tsc-tolerance.patch

@@ -17,7 +17,7 @@ index b8a14d2fb..f8f848d13 100644
   * a lower bound for cs->uncertainty_margin values when registering clocks.
   */
 -#define WATCHDOG_MAX_SKEW (50 * NSEC_PER_USEC)
-+#define WATCHDOG_MAX_SKEW (60 * NSEC_PER_USEC)
++#define WATCHDOG_MAX_SKEW (80 * NSEC_PER_USEC)
  
  #ifdef CONFIG_CLOCKSOURCE_WATCHDOG
  static void clocksource_watchdog_work(struct work_struct *work);

config/services/access.nix

@@ -11,6 +11,12 @@
     cname = { inherit (config.network.addresses.public) target; };
   };
 
+  deploy.tf.dns.records.services_cloud = {
+    inherit (config.network.dns) zone;
+    domain = "cloud";
+    cname = { inherit (config.network.addresses.public) target; };
+  };
+
   services.nginx.virtualHosts = mkMerge [
     {
       "cast.${config.network.dns.domain}" = {
@@ -20,6 +26,13 @@
           "/".proxyPass = "http://127.0.0.1:8082";
         };
       };
+      "cloud.${config.network.dns.domain}" = {
+        forceSSL = true;
+        enableACME = true;
+        locations = {
+          "/".proxyPass = "http://cloud.int.kittywit.ch:80/";
+        };
+      };
       "media.${config.network.dns.domain}" = {
         forceSSL = true;
         enableACME = true;

config/services/kattv.nix

@@ -15,8 +15,7 @@ let
   cameracapture = {
     element."v4l2src" = {
       device = "/dev/videomew";
-      #saturation = 100;
-      #brightness = 100;
+      brightness = 100;
       #extra-controls = "c,exposure_auto=3";
     };
   };

config/services/nextcloud.nix

@@ -0,0 +1,79 @@
+{ config, pkgs, lib, tf, kw, ... }: with lib; let
+  cfg = config.services.nextcloud;
+in {
+  deploy.tf.dns.records.services_internal_cloud = {
+    inherit (config.network.dns) zone;
+    domain = "cloud.int";
+    cname = { inherit (config.network.addresses.yggdrasil) target; };
+  };
+
+  kw.secrets.variables =
+    mapListToAttrs
+      (field:
+        nameValuePair "nextcloud-${field}" {
+          path = "secrets/nextcloud";
+          inherit field;
+        }) [ "adminpass" "dbpass" ];
+
+  secrets.files.nextcloud-adminpass = {
+    text = ''
+      ${tf.variables.nextcloud-adminpass.ref}
+    '';
+    owner = "nextcloud";
+    group = "nextcloud";
+  };
+
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = [ "nextcloud" ];
+    ensureUsers = [{
+      name = "nextcloud";
+      ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+    }];
+  };
+
+  services.nextcloud = {
+    enable = true;
+    package = pkgs.nextcloud23;
+    config = {
+      dbtype = "pgsql";
+      dbhost = "/run/postgresql";
+      defaultPhoneRegion = "GB";
+      adminpassFile = config.secrets.files.nextcloud-adminpass.path;
+      extraTrustedDomains = [
+        "cloud.kittywit.ch"
+      ];
+    };
+    https = true;
+    enableImagemagick = true;
+    home = "/mnt/zraw/nextcloud";
+    hostName = "cloud.kittywit.ch";
+    autoUpdateApps = {
+      enable = true;
+    };
+  };
+
+  services.nginx.virtualHosts."cloud.kittywit.ch".extraConfig = mkForce ''
+          index index.php index.html /index.php$request_uri;
+          add_header X-Content-Type-Options nosniff;
+          add_header X-XSS-Protection "1; mode=block";
+          add_header X-Robots-Tag none;
+          add_header X-Download-Options noopen;
+          add_header X-Permitted-Cross-Domain-Policies none;
+          add_header X-Frame-Options sameorigin;
+          add_header Referrer-Policy no-referrer;
+          client_max_body_size ${cfg.maxUploadSize};
+          fastcgi_buffers 64 4K;
+          fastcgi_hide_header X-Powered-By;
+          gzip on;
+          gzip_vary on;
+          gzip_comp_level 4;
+          gzip_min_length 256;
+          gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+          gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+          ${optionalString cfg.webfinger ''
+            rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+            rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
+          ''}
+        '';
+}

config/services/nginx.nix

@@ -23,7 +23,7 @@ with lib;
     recommendedOptimisation = true;
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
-    commonHttpConfig = ''
+    commonHttpConfig = mkIf (config.networking.hostName != "yukari") ''
       map $scheme $hsts_header {
           https   "max-age=31536000; includeSubdomains; preload";
       }

config/users/kat/gui/firefox/default.nix

@@ -173,7 +173,7 @@ in
     };
   };
   programs.firefox.tridactyl = let
-      xsel = "${pkgs.wl-clipboard}/bin/wl-copy";
+      xsel = if config.deploy.profile.sway then "${pkgs.wl-clipboard}/bin/wl-copy" else "${pkgs.xsel}/bin/xsel";
       urxvt = "${pkgs.kitty}/bin/kitty";
       mpv = "${config.programs.mpv.finalPackage}/bin/mpv";
       vim = "${config.programs.neovim.package}/bin/nvim";

config/users/kat/i3/i3.nix

@@ -13,6 +13,8 @@
     exec ~/.xsession
   '';
 
+  deploy.profile.i3 = true;
+
   xsession = {
     enable = true;
     windowManager.i3 =

config/users/kat/sway/sway.nix

@@ -8,6 +8,8 @@ let lockCommand = config.programs.swaylock.script; in
     WLR_DRM_DEVICES = "/dev/dri/card0";
   };
 
+  deploy.profile.sway = true;
+
   home.packages = with pkgs; [ grim slurp swaylock-fancy wl-clipboard jq quintom-cursor-theme gsettings-desktop-schemas glib wofi wmctrl ];
 
   services.i3gopher = { enable = true; };