From 1015436dadfe90e57f4160319556a2a15d19f1ab Mon Sep 17 00:00:00 2001
From: kat witch
Date: Tue, 18 Jan 2022 23:48:10 +0000
Subject: [PATCH] loose updates
---
 config/hosts/kyouko.nix | 116 -----------------------
 config/hosts/yukari.nix | 1 +
 config/profiles/base/profiles.nix | 4 +
 config/profiles/gui/fonts.nix | 1 +
 config/profiles/gui/profile.nix | 7 +-
 config/profiles/vfio/tsc-tolerance.patch | 2 +-
 config/services/access.nix | 13 +++
 config/services/kattv.nix | 3 +-
 config/services/nextcloud.nix | 79 +++++++++++++++
 config/services/nginx.nix | 2 +-
 config/users/kat/gui/firefox/default.nix | 2 +-
 config/users/kat/i3/i3.nix | 2 +
 config/users/kat/sway/sway.nix | 2 +
 13 files changed, 112 insertions(+), 122 deletions(-)
 delete mode 100644 config/hosts/kyouko.nix
 create mode 100644 config/services/nextcloud.nix
diff --git a/config/hosts/kyouko.nix b/config/hosts/kyouko.nix
deleted file mode 100644
index b11ff8ca..00000000
--- a/config/hosts/kyouko.nix
+++ /dev/null
@@ -1,116 +0,0 @@
-{ meta, config, lib, pkgs, ... }:
-
-with lib;
-
-{
- # Imports
-
- imports = with meta; [
- profiles.hardware.hcloud-imperative
- profiles.network
- users.kat.server
-# users.kat.services.weechat
- services.logrotate
- services.nginx
- services.postgres
- services.restic
- services.taskserver
-# services.znc
- ];
-
- kw.monitoring = {
- server.enable = true;
- };
-
- services.prometheus = {
- scrapeConfigs = [
- {
- job_name = "boline";
- static_configs = [{ targets = [ "boline.${config.network.addresses.yggdrasil.prefix}.${config.network.dns.domain}:8002" ]; }];
- }
- ];
- };
-
- # Terraform
-
- deploy.tf = {
- resources.kyouko = {
- provider = "null";
- type = "resource";
- connection = {
- port = head config.services.openssh.ports;
- host = config.network.addresses.public.nixos.ipv4.address;
- };
- };
- };
-
- # File Systems and Swap
-
- fileSystems = {
- "/" = {
- device = "/dev/sda1";
- fsType = "ext4";
- };
- };
-
- # Bootloader
-
- boot.loader.grub = {
- enable = true;
- version = 2;
- device = "/dev/sda";
- };
-
- # Networking
-
- networking = {
- hostId = "7b0ac74e";
- useDHCP = false;
- interfaces = {
- enp1s0 = {
- useDHCP = true;
- ipv6.addresses = [{
- address = config.network.addresses.public.nixos.ipv6.address;
- prefixLength = 64;
- }];
- };
- };
- defaultGateway6 = {
- address = "fe80::1";
- interface = "enp1s0";
- };
- };
-
- network = {
- addresses = {
- public = {
- enable = true;
- nixos = {
- ipv4.address = "168.119.126.111";
- ipv6.address = "2a01:4f8:c2c:b7a8::1";
- };
- };
- };
- yggdrasil = {
- enable = true;
- pubkey = "0da9fce0b282c63b449a813183e8fa15d1480b344228068f2af860afafa8928d";
- address = "204:4ac0:63e9:afa7:3897:6caf:d9cf:82e0";
- listen.enable = true;
- listen.endpoints = [ "tcp://${config.network.addresses.public.nixos.ipv4.address}:52969" "tcp://[${config.network.addresses.public.nixos.ipv6.address}]:52969" ];
- };
- };
-
- # Firewall
-
- network.firewall = {
- public = {
- interfaces = singleton "enp1s0";
- tcp.ports = singleton 52969;
- };
- private.interfaces = singleton "yggdrasil";
- };
-
- # State
- system.stateVersion = "20.09";
-}
-
diff --git a/config/hosts/yukari.nix b/config/hosts/yukari.nix
index 11028442..ae5ad45c 100644
--- a/config/hosts/yukari.nix
+++ b/config/hosts/yukari.nix
@@ -5,6 +5,7 @@
 profiles.gui
 users.kat.guiFull
 services.jellyfin
+ services.nextcloud
 services.kattv-ingest
 services.kattv2-ingest
 services.postgres
diff --git a/config/profiles/base/profiles.nix b/config/profiles/base/profiles.nix
index 83a55d37..09c5b4c5 100644
--- a/config/profiles/base/profiles.nix
+++ b/config/profiles/base/profiles.nix
@@ -6,6 +6,8 @@ with lib;
 options = {
 deploy.profile = {
 gui = mkEnableOption "Graphical System";
+ sway = mkEnableOption "Sway WM";
+ i3 = mkEnableOption "i3 WM";
 vfio = mkEnableOption "VFIO";
 shared = mkEnableOption "Shared System";
 trusted = mkEnableOption "Trusted Submodule";
@@ -52,6 +54,8 @@ with lib;
 ({ nixos, ... }: {
 options.deploy.profile = {
 gui = mkEnableOption "Graphical System";
+ sway = mkEnableOption "Sway WM";
+ i3 = mkEnableOption "i3 WM";
 vfio = mkEnableOption "VFIO";
 shared = mkEnableOption "Shared System";
 trusted = mkEnableOption "Trusted Submodule" // {
diff --git a/config/profiles/gui/fonts.nix b/config/profiles/gui/fonts.nix
index 8b96f421..ce1bd942 100644
--- a/config/profiles/gui/fonts.nix
+++ b/config/profiles/gui/fonts.nix
@@ -16,6 +16,7 @@
 };
 fonts.fonts = with pkgs; [
+ cantarell-fonts
 emacs-all-the-icons-fonts
 font-awesome
 cozette
diff --git a/config/profiles/gui/profile.nix b/config/profiles/gui/profile.nix
index c5a16595..e041b4fc 100644
--- a/config/profiles/gui/profile.nix
+++ b/config/profiles/gui/profile.nix
@@ -1,5 +1,10 @@
-{ config, meta, ... }: {
+{ config, pkgs, meta, ... }: {
 imports = with meta; [
 services.dnscrypt-proxy
 ];
+
+ environment.systemPackages = with pkgs; [
+ lyx
+ texlive.combined.scheme-full
+ ];
 }
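Review bot: `texlive.combined.scheme-full` in the profile.nix hunk lands in `environment.systemPackages` of the base GUI profile, so every host that enables `deploy.profile.gui` pays for the full TeX Live closure (several GB) whether or not it uses LyX. If only some machines need it, `texlive.combined.scheme-medium` or a per-user package in the kat user modules keeps the shared profile small and the rebuilds fast. A one-line comment above the list saying which host actually needs the full scheme would make the trade-off deliberate.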
diff --git a/config/profiles/vfio/tsc-tolerance.patch b/config/profiles/vfio/tsc-tolerance.patch
index e100b221..5a273ede 100644
--- a/config/profiles/vfio/tsc-tolerance.patch
+++ b/config/profiles/vfio/tsc-tolerance.patch
@@ -17,7 +17,7 @@ index b8a14d2fb..f8f848d13 100644
 * a lower bound for cs->uncertainty_margin values when registering clocks.
 */
 -#define WATCHDOG_MAX_SKEW (50 * NSEC_PER_USEC)
-+#define WATCHDOG_MAX_SKEW (60 * NSEC_PER_USEC)
++#define WATCHDOG_MAX_SKEW (80 * NSEC_PER_USEC)
 #ifdef CONFIG_CLOCKSOURCE_WATCHDOG
 static void clocksource_watchdog_work(struct work_struct *work);
diff --git a/config/services/access.nix b/config/services/access.nix
index 4ee3600a..864cd75c 100644
--- a/config/services/access.nix
+++ b/config/services/access.nix
@@ -11,6 +11,12 @@
 cname = { inherit (config.network.addresses.public) target; };
 };
+ deploy.tf.dns.records.services_cloud = {
+ inherit (config.network.dns) zone;
+ domain = "cloud";
+ cname = { inherit (config.network.addresses.public) target; };
+ };
+
 services.nginx.virtualHosts = mkMerge [
 {
 "cast.${config.network.dns.domain}" = {
@@ -20,6 +26,13 @@
 "/".proxyPass = "http://127.0.0.1:8082";
 };
 };
+ "cloud.${config.network.dns.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/".proxyPass = "http://cloud.int.kittywit.ch:80/";
+ };
+ };
 "media.${config.network.dns.domain}" = {
 forceSSL = true;
 enableACME = true;
diff --git a/config/services/kattv.nix b/config/services/kattv.nix
index e3f47a68..71dc597a 100644
--- a/config/services/kattv.nix
+++ b/config/services/kattv.nix
@@ -15,8 +15,7 @@ let
 cameracapture = {
 element."v4l2src" = {
 device = "/dev/videomew";
- #saturation = 100;
- #brightness = 100;
+ brightness = 100;
 #extra-controls = "c,exposure_auto=3";
 };
 };
diff --git a/config/services/nextcloud.nix b/config/services/nextcloud.nix
new file mode 100644
index 00000000..2e9d021e
--- /dev/null
+++ b/config/services/nextcloud.nix
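Review bot: The new `"cloud.${config.network.dns.domain}"` vhost in the second access.nix hunk proxies to the Nextcloud backend without raising `client_max_body_size`, so uploads larger than nginx's default 1m are rejected at this front proxy before they ever reach the backend's `client_max_body_size ${cfg.maxUploadSize}` line in nextcloud.nix (unless `commonHttpConfig`, not visible here, already sets it). Add `extraConfig = "client_max_body_size <MAX_UPLOAD>;";` to the vhost, with the placeholder replaced by the same value as `services.nextcloud.maxUploadSize` on the backend. The upstream `http://cloud.int.kittywit.ch:80/` is also the only hard-coded name in a hunk that otherwise derives every name from `config.network.dns.domain`; `"http://cloud.int.${config.network.dns.domain}:80/"` keeps the front and back halves in step, assuming the zone is kittywit.ch as the `cloud.int` record in nextcloud.nix suggests. Because the backend hop is plain HTTP, a comment on the `proxyPass` line stating that `cloud.int` resolves to the yggdrasil address (the CNAME in nextcloud.nix targets `network.addresses.yggdrasil`) and is expected to stay on that overlay would document why no TLS is used on the internal leg.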
@@ -0,0 +1,79 @@
+{ config, pkgs, lib, tf, kw, ... }: with lib; let
+ cfg = config.services.nextcloud;
+in {
+ deploy.tf.dns.records.services_internal_cloud = {
+ inherit (config.network.dns) zone;
+ domain = "cloud.int";
+ cname = { inherit (config.network.addresses.yggdrasil) target; };
+ };
+
+ kw.secrets.variables =
+ mapListToAttrs
+ (field:
+ nameValuePair "nextcloud-${field}" {
+ path = "secrets/nextcloud";
+ inherit field;
+ }) [ "adminpass" "dbpass" ];
+
+ secrets.files.nextcloud-adminpass = {
+ text = ''
+ ${tf.variables.nextcloud-adminpass.ref}
+ '';
+ owner = "nextcloud";
+ group = "nextcloud";
+ };
+
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "nextcloud" ];
+ ensureUsers = [{
+ name = "nextcloud";
+ ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+ }];
+ };
+
+ services.nextcloud = {
+ enable = true;
+ package = pkgs.nextcloud23;
+ config = {
+ dbtype = "pgsql";
+ dbhost = "/run/postgresql";
+ defaultPhoneRegion = "GB";
+ adminpassFile = config.secrets.files.nextcloud-adminpass.path;
+ extraTrustedDomains = [
+ "cloud.kittywit.ch"
+ ];
+ };
+ https = true;
+ enableImagemagick = true;
+ home = "/mnt/zraw/nextcloud";
+ hostName = "cloud.kittywit.ch";
+ autoUpdateApps = {
+ enable = true;
+ };
+ };
+
+ services.nginx.virtualHosts."cloud.kittywit.ch".extraConfig = mkForce ''
+ index index.php index.html /index.php$request_uri;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+ add_header X-Frame-Options sameorigin;
+ add_header Referrer-Policy no-referrer;
+ client_max_body_size ${cfg.maxUploadSize};
+ fastcgi_buffers 64 4K;
+ fastcgi_hide_header X-Powered-By;
+ gzip on;
+ gzip_vary on;
+ gzip_comp_level 4;
+ gzip_min_length 256;
+ gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+ gzip_types application/atom+xml
application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+ ${optionalString cfg.webfinger ''
+ rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+ rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
+ ''}
+ '';
+}
diff --git a/config/services/nginx.nix b/config/services/nginx.nix
index 51977b8e..e7257106 100644
--- a/config/services/nginx.nix
+++ b/config/services/nginx.nix
@@ -23,7 +23,7 @@ with lib;
 recommendedOptimisation = true;
 recommendedProxySettings = true;
 recommendedTlsSettings = true;
- commonHttpConfig = ''
+ commonHttpConfig = mkIf (config.networking.hostName != "yukari") ''
 map $scheme $hsts_header {
 https "max-age=31536000; includeSubdomains; preload";
 }
diff --git a/config/users/kat/gui/firefox/default.nix b/config/users/kat/gui/firefox/default.nix
index 6535058e..08124aca 100644
--- a/config/users/kat/gui/firefox/default.nix
+++ b/config/users/kat/gui/firefox/default.nix
@@ -173,7 +173,7 @@ in
 };
 };
 programs.firefox.tridactyl = let
- xsel = "${pkgs.wl-clipboard}/bin/wl-copy";
+ xsel = if config.deploy.profile.sway then "${pkgs.wl-clipboard}/bin/wl-copy" else "${pkgs.xsel}/bin/xsel";
 urxvt = "${pkgs.kitty}/bin/kitty";
 mpv = "${config.programs.mpv.finalPackage}/bin/mpv";
 vim = "${config.programs.neovim.package}/bin/nvim";
diff --git a/config/users/kat/i3/i3.nix b/config/users/kat/i3/i3.nix
index 15a8411f..794115ea 100644
--- a/config/users/kat/i3/i3.nix
+++ b/config/users/kat/i3/i3.nix
@@ -13,6 +13,8 @@
 exec ~/.xsession
 '';
+ deploy.profile.i3 = true;
+
 xsession = {
 enable = true;
 windowManager.i3 =
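Review bot: `services.nextcloud.config` sets no `trustedProxies`, yet the only public route to this instance is the `cloud.${config.network.dns.domain}` reverse proxy added in access.nix, so Nextcloud's brute-force protection and its audit log will attribute every login attempt to the proxy's address rather than the client's; add `trustedProxies = [ "<FRONT_PROXY_ADDRESS>" ];` (placeholder) next to `dbhost` so the forwarded client address is honoured. `kw.secrets.variables` also provisions a `nextcloud-dbpass` variable that nothing consumes — no `dbpassFile` is set and `dbhost = "/run/postgresql"` authenticates over the socket — so either wire it into `config.dbpassFile` or drop `"dbpass"` from the list rather than leave an unused secret in the store. The `mkForce`d `extraConfig` looks like a verbatim copy of the module's default vhost block, except that it carries no `Strict-Transport-Security` header although `https = true` is set; if the override exists only to remove that one header because TLS now terminates at the front proxy, say so in a comment above the `mkForce`, otherwise the copy will silently fall behind upstream changes and nobody will know what it was meant to pin. `autoUpdateApps.enable = true` installs app-store updates on a timer without review, which is a supply-chain decision worth a one-line comment so a future reader sees it was deliberate.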
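Review bot: `mkIf (config.networking.hostName != "yukari")` keys a shared service module on a host-name literal, and the visible lines show it drops the `$hsts_header` map — together with whatever else `commonHttpConfig` holds below this hunk, since the string continues outside it — for every vhost on that host, not only the Nextcloud one. If the goal is to avoid a clash with the headers Nextcloud's vhost sets, an explicit option set from yukari.nix (for instance a constructed `kw.nginx.commonConfig.enable` flag under the existing `kw` namespace) keeps host-specific policy out of the service module and survives a rename of the host. At minimum add a comment on the `mkIf` line recording why yukari is excluded; the commit message "loose updates" does not explain it.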
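Review bot: The `xsel` binding in the firefox hunk is now a path to `wl-copy` on sway and to `xsel` elsewhere, so the name no longer describes the value and the two programs take different flags; wherever this binding is used below the hunk (outside the visible lines) the flags must also be branch-specific, which is easy to miss with this name. A neutral name such as `clipboardCopy` and a comment like `# wl-copy on sway, xsel on X11 — the flags differ, keep them in the same branch` would make the split explicit. This also assumes `deploy.profile.sway` is set in the same (home-manager) module system that firefox reads it from, as the sway.nix hunk suggests.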
diff --git a/config/users/kat/sway/sway.nix b/config/users/kat/sway/sway.nix
index b32ff3cc..847328df 100644
--- a/config/users/kat/sway/sway.nix
+++ b/config/users/kat/sway/sway.nix
@@ -8,6 +8,8 @@ let lockCommand = config.programs.swaylock.script; in
 WLR_DRM_DEVICES = "/dev/dri/card0";
 };
+ deploy.profile.sway = true;
+
 home.packages = with pkgs; [ grim slurp swaylock-fancy wl-clipboard jq quintom-cursor-theme gsettings-desktop-schemas glib wofi wmctrl ];
 services.i3gopher = { enable = true; };