From 5c72cf5d956ec9ef091447d518351d9f4c12cd1f Mon Sep 17 00:00:00 2001 From: kat witch Date: Thu, 7 Apr 2022 14:58:32 +0100 Subject: [PATCH] Massive revamp, Jellyfin->Plex --- config/hosts/chen.nix | 9 +- config/hosts/daiyousei.nix | 5 +- config/hosts/koishi.nix | 62 ++++++++---- config/hosts/marisa.nix | 5 - config/hosts/ran.nix | 9 +- config/hosts/yukari.nix | 11 +- config/modules/nixos/disables.nix | 2 + config/modules/nixos/network.nix | 3 +- config/profiles/base/access.nix | 4 +- config/services/access.nix | 30 +----- config/services/daiyousei-access.nix | 24 +++++ config/services/ha.nix | 62 +++++++++--- config/services/jellyfin.nix | 20 ++++ config/services/kattv-ingest.nix | 27 ++--- config/services/kattv2-ingest.nix | 9 +- config/services/kubernetes.nix | 123 +++++++++++++++++++++++ config/services/murmur.nix | 2 +- config/services/plex.nix | 7 ++ config/services/synapse.nix | 36 +++---- config/tf | 2 +- config/users/arc/default.nix | 1 + config/users/kat/gui/firefox/default.nix | 5 +- config/users/kat/gui/nextcloud.nix | 13 +++ config/users/kat/nixos.nix | 1 + outputs.nix | 25 ++++- trusted/flake.lock | 6 +- 26 files changed, 359 insertions(+), 144 deletions(-) create mode 100644 config/modules/nixos/disables.nix create mode 100644 config/services/daiyousei-access.nix create mode 100644 config/services/kubernetes.nix create mode 100644 config/services/plex.nix create mode 100644 config/users/kat/gui/nextcloud.nix diff --git a/config/hosts/chen.nix b/config/hosts/chen.nix index 70c15c23..981ee458 100644 --- a/config/hosts/chen.nix +++ b/config/hosts/chen.nix @@ -10,6 +10,7 @@ with lib; profiles.network services.kattv2 services.dnscrypt-proxy + users.arc ]; # Terraform 
@@ -67,11 +68,9 @@ with lib; userControlled.enable = false; interfaces = singleton "wlp1s0"; }; - interfaces.enp0s20u1.ipv4.addresses = singleton { - inherit (config.network.addresses.private.nixos.ipv4) address; - prefixLength = 24; + interfaces.enp0s20u1 = { + useDHCP = true; }; - defaultGateway = config.network.privateGateway; }; network = { @@ -79,7 +78,7 @@ with lib; private = { enable = true; nixos = { - ipv4.address = "192.168.1.34"; + ipv4.address = "192.168.1.196"; }; }; }; diff --git a/config/hosts/daiyousei.nix b/config/hosts/daiyousei.nix index 49312527..0d9d0666 100644 --- a/config/hosts/daiyousei.nix +++ b/config/hosts/daiyousei.nix @@ -1,4 +1,4 @@ -{ config, tf, meta, kw, pkgs, lib, ... }: with lib; { +{ config, inputs, tf, meta, kw, pkgs, lib, ... }: with lib; { imports = with meta; [ profiles.hardware.aarch64 profiles.hardware.oracle.ubuntu @@ -13,13 +13,12 @@ services.syncplay services.filehost services.keycloak - services.vikunja - services.tt-rss services.openldap services.mail services.hedgedoc services.website services.dnscrypt-proxy + services.daiyousei-access services.vaultwarden services.weechat services.znc diff --git a/config/hosts/koishi.nix b/config/hosts/koishi.nix index 773cbcc3..d11a32c9 100644 --- a/config/hosts/koishi.nix +++ b/config/hosts/koishi.nix 
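Review bot: With `interfaces.enp0s20u1 = { useDHCP = true; };` the interface's address now comes from the DHCP server, but `network.addresses.private.nixos.ipv4.address = "192.168.1.196";` in the next hunk is still declared statically, and anything derived from that option elsewhere (DNS records, peer addresses, private-zone rules) will silently disagree with the lease unless the DHCP server holds a reservation for this host. A comment on the address line such as `# must match the DHCP reservation for chen on the home router` — or wherever the reservation actually lives — would make the dependency visible. The ran.nix hunks make the same switch (`interfaces.enp1s0.useDHCP = true;` with a static `192.168.1.215`) and need the same note.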
@@ -21,19 +21,40 @@ }; }; - fileSystems = { - "/" = { - device = "/dev/disk/by-uuid/31bfd91b-bdba-47a9-81bf-c96e0adc88e3"; - fsType = "xfs"; - }; - "/boot" = { - device = "/dev/disk/by-uuid/89A2-ED28"; - fsType = "vfat"; - }; - }; + programs.ssh.extraConfig = '' +Host daiyousei-build + HostName daiyousei.kittywit.ch + Port 62954 + User root + ''; - swapDevices = - [ { device = "/dev/disk/by-uuid/96952382-7f56-46b5-8c84-1f0130f68b63"; } + nix.buildMachines = [ { + hostName = "daiyousei-build"; + system = "aarch64-linux"; + # systems = ["x86_64-linux" "aarch64-linux"]; + maxJobs = 100; + speedFactor = 1; + supportedFeatures = [ "benchmark" "big-parallel" "kvm" ]; + mandatoryFeatures = [ ]; + }] ; + nix.distributedBuilds = true; + # optional, useful when the builder has a faster internet connection than yours + nix.extraOptions = '' + builders-use-substitutes = true + ''; + fileSystems = { + "/" = { + device = "/dev/disk/by-uuid/31bfd91b-bdba-47a9-81bf-c96e0adc88e3"; + fsType = "xfs"; + }; + "/boot" = { + device = "/dev/disk/by-uuid/89A2-ED28"; + fsType = "vfat"; + }; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/96952382-7f56-46b5-8c84-1f0130f68b63"; } ]; powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; @@ -59,17 +80,16 @@ hostId = "dddbb888"; useDHCP = false; /* wireless = { - enable = true; - userControlled.enable = true; - interfaces = singleton "wlp3s0"; + enable = true; + userControlled.enable = true; + interfaces = singleton "wlp3s0"; }; interfaces = { - wlp3s0.ipv4.addresses = singleton { - inherit (config.network.addresses.private.nixos.ipv4) address; - prefixLength = 24; - }; + wlp3s0.ipv4.addresses = singleton { + inherit (config.network.addresses.private.nixos.ipv4) address; + prefixLength = 24; + }; }; */ - defaultGateway = config.network.privateGateway; }; network = { @@ -77,7 +97,7 @@ private = { enable = true; nixos = { - ipv4.address = "192.168.1.3"; + ipv4.address = "192.168.1.121"; }; }; }; 
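Review bot: The new `nix.buildMachines` entry sends remote builds to daiyousei as `User root` (via the `Host daiyousei-build` block above it) but pins nothing: the entry has no `sshKey`, so it presumably relies on whatever key root's default ssh setup offers, and neither the Host block nor a `programs.ssh.knownHosts` entry pins the host key for daiyousei.kittywit.ch:62954, so the first connection trusts whichever host answers. Consider `sshKey = "<path-to-dedicated-builder-key>";` in the entry and a `programs.ssh.knownHosts` entry for the builder, plus a comment on `User root` explaining why an unprivileged build user is not used. `maxJobs = 100;` with `supportedFeatures = [ "benchmark" "big-parallel" "kvm" ]` also reads like a placeholder; a one-line comment stating what the builder really offers would help whoever tunes it later.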
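Review bot: After the `@@ -59,17 +80,16 @@` hunk koishi has `useDHCP = false;`, the whole `wireless`/`interfaces` block commented out, and `defaultGateway = config.network.privateGateway;` removed, so nothing left in this file configures an address or a route — chen and ran get theirs from `useDHCP = true` on a named interface, koishi does not. If the address now comes from NetworkManager or another module, a comment on `useDHCP = false;` saying so would stop the next reader from re-adding static config; otherwise `interfaces.wlp3s0.useDHCP = true;` would match the other hosts. The static `ipv4.address = "192.168.1.121";` in the following hunk has the same DHCP-reservation caveat as chen.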
diff --git a/config/hosts/marisa.nix b/config/hosts/marisa.nix index 848ea642..e4a091b3 100644 --- a/config/hosts/marisa.nix +++ b/config/hosts/marisa.nix @@ -59,11 +59,6 @@ }; }; - services.owncast = { - enable = true; - port = 8082; - }; - network = { addresses.public = { enable = true; diff --git a/config/hosts/ran.nix b/config/hosts/ran.nix index 785fd929..6d3d9beb 100644 --- a/config/hosts/ran.nix +++ b/config/hosts/ran.nix @@ -10,6 +10,7 @@ with lib; profiles.network services.kattv services.dnscrypt-proxy + users.arc ]; # Terraform @@ -53,11 +54,7 @@ with lib; networking = { hostId = "9f89b327"; useDHCP = false; - interfaces.enp1s0.ipv4.addresses = singleton { - inherit (config.network.addresses.private.nixos.ipv4) address; - prefixLength = 24; - }; - defaultGateway = config.network.privateGateway; + interfaces.enp1s0.useDHCP = true; }; network = { @@ -65,7 +62,7 @@ with lib; private = { enable = true; nixos = { - ipv4.address = "192.168.1.32"; + ipv4.address = "192.168.1.215"; }; }; }; diff --git a/config/hosts/yukari.nix b/config/hosts/yukari.nix index bc9b69fa..0041cbda 100644 --- a/config/hosts/yukari.nix +++ b/config/hosts/yukari.nix @@ -2,9 +2,6 @@ imports = with meta; [ profiles.hardware.rm-310 profiles.network - profiles.gui - users.kat.guiFull - services.jellyfin services.ha services.nextcloud services.kattv-ingest @@ -15,6 +12,9 @@ services.transmission services.tvheadend services.zfs + services.plex + services.kubernetes + users.arc ]; deploy.tf = { @@ -89,7 +89,10 @@ networking = { hostId = "3ef9a419"; useDHCP = false; - interfaces.eno1.useDHCP = true; /*.ipv4.addresses = singleton { + interfaces.eno1 = { + useDHCP = true; + tempAddress = "disabled"; + }; /*.ipv4.addresses = singleton { inherit (config.network.addresses.private.nixos.ipv4) address; prefixLength = 24; }; diff --git a/config/modules/nixos/disables.nix b/config/modules/nixos/disables.nix new file mode 100644 index 00000000..78ca9f26 --- /dev/null 
+++ b/config/modules/nixos/disables.nix @@ -0,0 +1,2 @@ +{ inputs, ... }: { +} diff --git a/config/modules/nixos/network.nix b/config/modules/nixos/network.nix index 9365786d..2d87f788 100644 --- a/config/modules/nixos/network.nix +++ b/config/modules/nixos/network.nix @@ -91,7 +91,7 @@ in }; privateGateway = mkOption { type = types.str; - default = "192.168.1.254"; + default = "192.168.1.1"; }; tf = { enable = mkEnableOption "Was the system provisioned by terraform?"; @@ -184,7 +184,6 @@ in else if cfg.addresses.private.enable then "${cfg.addresses.private.prefix}.${cfg.dns.domain}" else ""); } (mkIf cfg.addresses.private.enable { - defaultGateway = mkDefault cfg.privateGateway; }) ]; diff --git a/config/profiles/base/access.nix b/config/profiles/base/access.nix index b1b90e2b..b1a4bcb3 100644 --- a/config/profiles/base/access.nix +++ b/config/profiles/base/access.nix @@ -25,12 +25,12 @@ hashedPassword = "$6$i28yOXoo$/WokLdKds5ZHtJHcuyGrH2WaDQQk/2Pj0xRGLgS8UcmY2oMv3fw2j/85PRpsJJwCB2GBRYRK5LlvdTleHd3mB."; openssh.authorizedKeys.keys = with pkgs.lib; - concatLists (mapAttrsToList + [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDkeBFF4xxZgeURLzNHcvUFxImmkQ3pxXtpj3mtSyHXB kat@koishi" ] ++ (concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else [ ]) - config.users.users); + config.users.users)); }; } diff --git a/config/services/access.nix b/config/services/access.nix index 99c44015..e246b537 100644 --- a/config/services/access.nix +++ b/config/services/access.nix 
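Review bot: Removing `defaultGateway = mkDefault cfg.privateGateway;` leaves `(mkIf cfg.addresses.private.enable { })` as an empty element of the mkMerge list; either drop that element or leave a comment such as `# gateway now comes from DHCP on each host` so the empty block does not read as an accident. With that consumer gone, `privateGateway` — whose default moves to `192.168.1.1` in the previous hunk — has no reader visible in this diff; if nothing else uses it the option can go too, and if something does, the default change deserves a note next to it.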
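Review bot: The literal `kat@koishi` key added here is concatenated with the keys of every user that has `wheel` in `extraGroups`, and this same commit adds `extraGroups = [ "wheel" ];` to arc in config/users/arc/default.nix, so arc's `mew-pgp` key now lands in this account's authorized_keys on every host importing this profile — presumably intended, but nothing in either hunk says so. A comment on the `++ (concatLists (mapAttrsToList` line such as `# every wheel user's authorized keys are also accepted for this account` would make the coupling visible, and the kat key would be better sourced from kat's user definition (config/users/kat/nixos.nix) than duplicated as a literal here. The `hashedPassword` above is pre-existing context and not part of this change.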
@@ -17,21 +17,8 @@ cname = { inherit (config.network.addresses.public) target; }; }; - deploy.tf.dns.records.services_home = { - inherit (config.network.dns) zone; - domain = "home"; - cname = { inherit (config.network.addresses.public) target; }; - }; - services.nginx.virtualHosts = mkMerge [ { - "cast.${config.network.dns.domain}" = { - forceSSL = true; - enableACME = true; - locations = { - "/".proxyPass = "http://127.0.0.1:8082"; - }; - }; "cloud.${config.network.dns.domain}" = { forceSSL = true; enableACME = true; @@ -39,26 +26,13 @@ "/".proxyPass = "http://cloud.int.kittywit.ch:80/"; }; }; - "home.${config.network.dns.domain}" = { - forceSSL = true; - enableACME = true; - locations = { - "/" = { - proxyPass = "http://home.int.kittywit.ch:80/"; - extraConfig = '' - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - ''; - }; - }; - }; "media.${config.network.dns.domain}" = { forceSSL = true; enableACME = true; locations = { - "/jellyfin/".proxyPass = "http://${meta.network.nodes.yukari.network.addresses.wireguard.nixos.ipv4.address}:8096/jellyfin/"; + "/jellyfin/".proxyPass = "http://[${meta.network.nodes.yukari.network.addresses.yggdrasil.nixos.ipv6.address}]:8096/jellyfin/"; "/jellyfin/socket" = { - proxyPass = "http://${meta.network.nodes.yukari.network.addresses.wireguard.nixos.ipv4.address}:8096/jellyfin/"; + proxyPass = "http://[${meta.network.nodes.yukari.network.addresses.yggdrasil.nixos.ipv6.address}]:8096/jellyfin/"; extraConfig = '' proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; diff --git a/config/services/daiyousei-access.nix b/config/services/daiyousei-access.nix new file mode 100644 index 00000000..0988d260 --- /dev/null +++ b/config/services/daiyousei-access.nix 
@@ -0,0 +1,24 @@
+
+{ config, lib, meta, ... }: with lib; {
+ deploy.tf.dns.records.services_home = {
+ inherit (config.network.dns) zone;
+ domain = "home";
+ cname = { inherit (config.network.addresses.public) target; };
+ };
+
+ services.nginx.virtualHosts = {
+ "home.${config.network.dns.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/" = {
+ proxyPass = "http://home.int.kittywit.ch:80/";
+ extraConfig = ''
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ '';
+ };
+ };
+ };
+ };
+}
diff --git a/config/services/ha.nix b/config/services/ha.nix
index 9e4dcce5..bd5e2562 100644
--- a/config/services/ha.nix
+++ b/config/services/ha.nix
@@ -1,20 +1,50 @@
 { config, ... }: {
- services.home-assistant = {
- enable = true;
- config = null;
- extraComponents = [
- "zha"
- "esphome"
- "met"
- "default_config"
- "google"
- "google_assistant"
- "google_cloud"
- "google_translate"
- "homekit"
- "zeroconf"
- "luci"
- ];
+ services = {
+ home-assistant = {
+ enable = true;
+ config = null;
+ extraComponents = [
+ "zha"
+ "esphome"
+ "apple_tv"
+ "spotify"
+ "met"
+ "default_config"
+ "cast"
+ "jellyfin"
+ "google"
+ "google_assistant"
+ "google_cloud"
+ "google_translate"
+ "homekit"
+ "mqtt"
+ "zeroconf"
+ "luci"
+ ];
+ };
+ mosquitto = {
+ enable = true;
+ persistence = true;
+ listeners = [ {
+ acl = [ "pattern readwrite #" ];
+ omitPasswordAuth = true;
+ settings.allow_anonymous = true;
+ } ];
+ };
+ zigbee2mqtt = {
+ enable = true;
+ settings = {
+ homeassistant = true;
+ permit_join = true;
+ frontend = {
+ port = 8072;
+ };
+ serial = {
+ port = "tcp://192.168.1.149:8888";
+ adapter = "ezsp";
+ };
+ };
+ };
 };
 
 deploy.tf.dns.records.services_internal_home = {
diff --git a/config/services/jellyfin.nix b/config/services/jellyfin.nix
index 42e4f649..5f0826ea 100644
--- a/config/services/jellyfin.nix
+++ b/config/services/jellyfin.nix
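Review bot: The mosquitto listener is configured with `omitPasswordAuth = true;`, `settings.allow_anonymous = true;` and `acl = [ "pattern readwrite #" ];`, so any client that can reach the broker can read and publish every topic — which presumably includes the zigbee2mqtt control topics, and `permit_join = true;` is also left on permanently, so any Zigbee device can pair at any time. The listener sets no `address`, so whether it is reachable beyond the host depends on firewall zones this hunk does not show. If Home Assistant and zigbee2mqtt on this host are the only clients, binding the listener with `address = "127.0.0.1";` and a comment `# anonymous RW is only acceptable because the broker is loopback-only` would document the assumption; `permit_join` is better toggled from the zigbee2mqtt frontend while pairing than left enabled in config.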
@@ -15,11 +15,31 @@ }; }; + systemd.services = { + jellyfin-socat = + let + service = lib.singleton "jellyfin.service"; + in + { + after = service; + bindsTo = service; + serviceConfig = { + DynamicUser = true; + }; + script = + let + port = toString 8096; + addr = config.network.addresses.yggdrasil.nixos.ipv6.address; + in "${pkgs.socat}/bin/socat TCP6-LISTEN:${port},bind=${addr},fork TCP4:localhost:${port}"; + }; + }; + network.firewall = { public.tcp.ranges = [{ from = 32768; to = 60999; }]; + public.tcp.ports = [ 8096 ]; private.tcp = { ports = [ 8096 diff --git a/config/services/kattv-ingest.nix b/config/services/kattv-ingest.nix index 87ffcc5a..ad221fde 100644 --- a/config/services/kattv-ingest.nix +++ b/config/services/kattv-ingest.nix @@ -68,12 +68,13 @@ let } "h264parse" ]; - rtmpsink = [ + tcpserversink = [ "flvmux" queue_data { - element.rtmp2sink = { - location = "rtmp://localhost:1935/stream/kattv"; + element.tcpserversink = { + port = 8989; + host = config.network.addresses.yggdrasil.nixos.ipv6.address; }; } ]; @@ -93,26 +94,12 @@ let videoconvert_cpu encode_high - rtmpsink + tcpserversink ]; in -{ - services.nginx.appendConfig = '' - rtmp { - server { - listen [::]:1935 ipv6only=off; - application stream { - live on; - - allow publish all; - allow play all; - } - } - } - ''; - + { network.firewall = { - private.tcp.ports = singleton 1935; + private.tcp.ports = [ 1935 8989 8990 ]; public.tcp.ports = [ 4953 1935 ]; }; diff --git a/config/services/kattv2-ingest.nix b/config/services/kattv2-ingest.nix index fd3eceab..2aecec87 100644 --- a/config/services/kattv2-ingest.nix +++ b/config/services/kattv2-ingest.nix @@ -68,12 +68,13 @@ let } "h264parse" ]; - rtmpsink = [ + tcpserversink = [ "flvmux" queue_data { - element.rtmp2sink = { - location = "rtmp://localhost:1935/stream/kattv2"; + element.tcpserversink = { + port = 8990; + host = config.network.addresses.yggdrasil.nixos.ipv6.address; }; } ]; 
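Review bot: This adds a socat relay that exposes Jellyfin's plain-HTTP port on the host's yggdrasil address and opens `8096` in `public.tcp.ports`, but yukari.nix in this same commit removes `services.jellyfin` from its imports while access.nix's `media.${domain}/jellyfin/` proxy still targets yukari's yggdrasil address on 8096 — if no other host imports this file, the relay and the proxy target are dead, and if one does, 8096 is now reachable from the public zone rather than only from the nginx host. A comment above `jellyfin-socat` naming which host runs it and which client it exists for, and narrowing the listener to that client (socat's `range=` option on the `TCP6-LISTEN` address, or the firewall) would pin this down. The enclosing `services`/`network.firewall` attrsets continue outside the hunk.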
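Review bot: The nginx `rtmp { ... listen [::]:1935 ... }` block is removed in the `@@ -93,26 +94,12 @@` hunk, but `1935` stays open in both `private.tcp.ports = [ 1935 8989 8990 ];` and `public.tcp.ports = [ 4953 1935 ];`; with nothing listening it is a stale opening and should be dropped from both lists, or a comment should say what still listens there. The replacement `tcpserversink` binds `config.network.addresses.yggdrasil.nixos.ipv6.address` on 8989 (8990 in the matching kattv2-ingest.nix hunk), and unlike the RTMP server it replaces it has no `allow publish`/`allow play` notion at all — whoever can reach the yggdrasil address gets the stream, which may be intended but deserves a comment on the `host =` line.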
@@ -93,7 +94,7 @@ let videoconvert_cpu encode_high - rtmpsink + tcpserversink ]; in { diff --git a/config/services/kubernetes.nix b/config/services/kubernetes.nix new file mode 100644 index 00000000..6456c56e --- /dev/null +++ b/config/services/kubernetes.nix 
@@ -0,0 +1,123 @@ +{ config, pkgs, lib, ... }: +{ + # Set some necessary sysctls + boot.kernel.sysctl = { + "net.ipv6.conf.all.forwarding" = 1; + "net.ipv4.conf.all.forwarding" = 1; + # k8s opens a LOT of files, raise the total number of openable files so we don't end up getting issues in userspace + "fs.inotify.max_user_instances" = 16384; + "vm.max_map_count" = 524288; + "vm.swappiness" = 10; + }; + + systemd.services.containerd = { + path = with pkgs; [ containerd kmod zfs runc iptables ]; + }; + + virtualisation.containerd.settings = { + plugins."io.containerd.grpc.v1.cri" = { + cni.bin_dir = "/opt/cni/bin"; + }; + }; + + # disable creating the CNI directory (calico will make it for us) + environment.etc."cni/net.d".enable = false; + + # Firewalling must be disabled for kubes. + networking.firewall.enable = false; + networking.nftables.enable = lib.mkForce false; + + # Useful utilities. + environment.systemPackages = [ + # kubectl_ppc + pkgs.kubectl pkgs.kubetail + ]; + + # Kubernetes configuration. + services.kubernetes = { + # because fuck PKI honestly + easyCerts = true; + roles = ["master" "node"]; + flannel.enable = false; + # where can we contact the (an) apiserver? + apiserverAddress = "https://yukari.int.kittywit.ch:6443"; + # where can we contact the orchestrator? + masterAddress = "yukari.int.kittywit.ch"; + + #Â ipv4 cidr should be before ipv6 otherwise apps that make assumptions break horribly when binding to ipv4 interfaces and then attempting to contact themselves over ipv6 + clusterCidr = "172.18.0.0/16,fc00:abc1::/48"; + + # define dns separately + addons.dns.enable = false; + #Â dns on ipv6 though + #addons.dns.clusterIp = "fc00:abc0::254"; + #Â define newer coredns + #addons.dns.coredns = { + # # AMD64 version. 
+ # # TODO upgrade to 1.8 (requires a new configmap) + # #Â (1.7 removes upstream directive, should just be a case of removing that) + # imageName = "coredns/coredns"; + # imageDigest = "sha256:2044ffefe18e2dd3d6781e532119603ee4e8622b6ba38884dc7ab53325435151"; + # finalImageTag = "1.6.9"; + # sha256 = "0j5gj82jbqylapfrab61qdhm4187pqphyz244n31ik05wd5l8n17"; + #}; + + apiserver = { + # address to advertise the apiserver at, must be reachable by the rest of the cluster + advertiseAddress = "192.168.1.154"; + #Â privileged pods are required to run cluster services like MetalLB and longhorn + allowPrivileged = true; + # bind to ipv4 & ipv6 + bindAddress = "::"; + # needed otherwise we end up with a cert that isn't valid for ipv6 + extraSANs = [ "172.19.0.1" "fc00:abc0::1" ]; + serviceClusterIpRange = "172.19.0.0/16,fc00:abc0::/112"; + # allow all ports (this is a really bad idea don't do this with untrusted workloads) + extraOpts = "--service-node-port-range=1-65535"; + #extraOpts = "--service-node-port-range=1-65535"; + enableAdmissionPlugins = [ + "NamespaceLifecycle" "LimitRanger" "ServiceAccount" "TaintNodesByCondition" "Priority" "DefaultTolerationSeconds" + "DefaultStorageClass" "StorageObjectInUseProtection" "PersistentVolumeClaimResize" "RuntimeClass" "CertificateApproval" "CertificateSigning" + "CertificateSubjectRestriction" "DefaultIngressClass" "MutatingAdmissionWebhook" "ValidatingAdmissionWebhook" "ResourceQuota" + ]; + }; + controllerManager = { + # bind to localhost ipv6 + bindAddress = "::1"; + extraOpts = "--service-cluster-ip-range=172.19.0.0/16,fc00:abc0::/64 --node-cidr-mask-size-ipv4=24 --node-cidr-mask-size-ipv6=64"; + }; + kubelet = { + featureGates = [ "NodeSwap" ]; + clusterDns = "fc00:abc0::254"; + networkPlugin = "cni"; + cni.configDir = "/etc/cni/net.d"; + nodeIp = "192.168.1.154,2a00:23c7:c5ad:6e00::c2e";# "10.0.0.1,2a02:8010:61d0:beef:428d:5cff:fe4e:6a2c"; + extraOpts = '' + --root-dir=/var/lib/kubelet \ + --fail-swap-on=false \ + 
--cni-bin-dir=/opt/cni/bin \ + ''; + }; + proxy = { + # bind to ipv6 + bindAddress = "::"; + }; + }; + +systemd.services.kubelet = { + preStart = pkgs.lib.mkForce '' + ${lib.concatMapStrings (img: '' + echo "Seeding container image: ${img}" + ${if (lib.hasSuffix "gz" img) then + ''${pkgs.gzip}/bin/zcat "${img}" | ${pkgs.containerd}/bin/ctr -n k8s.io image import -'' + else + ''${pkgs.coreutils}/bin/cat "${img}" | ${pkgs.containerd}/bin/ctr -n k8s.io image import -'' + } + '') config.services.kubernetes.kubelet.seedDockerImages} + ${lib.concatMapStrings (package: '' + echo "Linking cni package: ${package}" + ln -fs ${package}/bin/* /opt/cni/bin + '') config.services.kubernetes.kubelet.cni.packages} + ''; + }; +} diff --git a/config/services/murmur.nix b/config/services/murmur.nix index 4f14b25e..ebe4edc0 100644 --- a/config/services/murmur.nix +++ b/config/services/murmur.nix @@ -97,7 +97,7 @@ in Type = if forking then "forking" else "simple"; PIDFile = mkIf forking "/run/murmur/murmurd.pid"; EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile; - ExecStart = "${cfg.package}/bin/murmurd -ini ${config.secrets.files.murmur-config.path}"; + ExecStart = "${cfg.package}/bin/mumble-server -ini ${config.secrets.files.murmur-config.path}"; Restart = "always"; RuntimeDirectory = "murmur"; RuntimeDirectoryMode = "0700"; diff --git a/config/services/plex.nix b/config/services/plex.nix new file mode 100644 index 00000000..dae41014 --- /dev/null +++ b/config/services/plex.nix @@ -0,0 +1,7 @@ +{ config, ... }: { + services = { + plex = { + enable = true; + }; + }; +} diff --git a/config/services/synapse.nix b/config/services/synapse.nix index e5ecbe07..50f781bf 100644 --- a/config/services/synapse.nix +++ b/config/services/synapse.nix @@ -154,7 +154,8 @@ CONFIG = { config.secrets.files.mautrix-telegram-env.path; services.matrix-synapse = { enable = true; - logConfig = '' + settings = { + log_config = pkgs.writeText "nya.yaml" '' version: 1 formatters: precise: 
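Review bot: `networking.firewall.enable = false;` plus `networking.nftables.enable = lib.mkForce false;` switches host firewalling off entirely on yukari, and the `network.firewall.public`/`private` declarations elsewhere in this commit (jellyfin.nix, kattv-ingest.nix, both imported by yukari) presumably feed that same firewall, so on this host they no longer restrict anything; the comment `# Firewalling must be disabled for kubes.` should say what actually breaks so someone can re-enable it with an exception instead. The apiserver also runs with `allowPrivileged = true;`, `easyCerts = true;` and `--service-node-port-range=1-65535` (the code's own comment calls this a bad idea) on `bindAddress = "::";`, so with the firewall off the only filtering in front of these ports is whatever sits upstream — worth stating in a file header. Separately, the `mkForce` on `systemd.services.kubelet.preStart` replaces the module's own preStart wholesale, and `ln -fs ${package}/bin/* /opt/cni/bin` assumes `/opt/cni/bin` exists (`cni.bin_dir` points there but nothing here creates it); a `mkdir -p /opt/cni/bin` before the loop, or a comment naming what creates it, would avoid a first-boot failure.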
@@ -179,7 +180,6 @@ CONFIG = { level: WARNING handlers: [console] ''; - settings = { server_name = config.network.dns.domain; app_service_config_files = [ "/var/lib/matrix-synapse/telegram-registration.yaml" @@ -187,8 +187,8 @@ CONFIG = { "/var/lib/matrix-synapse/whatsapp-registration.yaml" ]; max_upload_size = "512M"; - rc_messages_per_second = mkDefault "0.1"; - rc_message_burst_count = mkDefault "25.0"; + rc_messages_per_second = mkDefault 0.1; + rc_message_burst_count = mkDefault 25; public_baseurl = "https://${config.network.dns.domain}"; url_preview_enabled = mkDefault true; enable_registration = mkDefault false; @@ -196,9 +196,10 @@ CONFIG = { report_stats = mkDefault false; dynamic_thumbnails = mkDefault true; allow_guest_access = mkDefault true; + suppress_key_server_warning = mkDefault true; listeners = [{ port = 8008; - bind_address = "::1"; + bind_addresses = [ "::1" ] ; type = "http"; tls = false; x_forwarded = true; @@ -207,20 +208,19 @@ CONFIG = { compress = false; }]; }]; + saml2_config = { + sp_config.metadata.remote = [ { + url = "https://auth.kittywit.ch/auth/realms/kittywitch/protocol/saml/descriptor"; + } ]; + config_path = config.secrets.files.saml2-config.path; + user_mapping_provider = { + config = {}; + }; + password_config = { + enabled = false; + }; + }; }; - extraConfig = '' - suppress_key_server_warning: true - saml2_config: - sp_config: - metadata: - remote: - - url: https://auth.kittywit.ch/auth/realms/kittywitch/protocol/saml/descriptor - config_path: "${config.secrets.files.saml2-config.path}" - user_mapping_provider: - config: - password_config: - enabled: false - ''; }; services.mautrix-telegram = { diff --git a/config/tf b/config/tf index 2ad93ea3..736c050e 160000 --- a/config/tf +++ b/config/tf @@ -1 +1 @@ -Subproject commit 2ad93ea38ae53603ec670ca30a307033da37248d +Subproject commit 736c050ee87fd11137f75112c0548174ec654036 diff --git a/config/users/arc/default.nix b/config/users/arc/default.nix index 8144d8ba..14e99a9d 100644 
--- a/config/users/arc/default.nix +++ b/config/users/arc/default.nix @@ -6,6 +6,7 @@ users.users.arc = { uid = 1001; isNormalUser = true; + extraGroups = [ "wheel" ]; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ8Z6briIboxIdedPGObEWB6QEQkvxKvnMW/UVU9t/ac mew-pgp" ]; diff --git a/config/users/kat/gui/firefox/default.nix b/config/users/kat/gui/firefox/default.nix index 08124aca..2d191e65 100644 --- a/config/users/kat/gui/firefox/default.nix +++ b/config/users/kat/gui/firefox/default.nix @@ -76,15 +76,14 @@ let "breakpad.reportURL" = ""; "beacon.enabled" = false; "browser.search.geoip.url" = ""; - "browser.search.region" = "CA"; - "browser.search.suggest.enabled" = false; + "browser.search.region" = "UK"; + "browser.search.suggest.enabled" = true; "browser.search.update" = false; "browser.selfsupport.url" = ""; "extensions.getAddons.cache.enabled" = false; "extensions.pocket.enabled" = true; "geo.enabled" = false; "geo.wifi.uri" = false; - "keyword.enabled" = false; "media.getusermedia.screensharing.enabled" = false; "media.video_stats.enabled" = false; "device.sensors.enabled" = false; diff --git a/config/users/kat/gui/nextcloud.nix b/config/users/kat/gui/nextcloud.nix new file mode 100644 index 00000000..9e3344b8 --- /dev/null +++ b/config/users/kat/gui/nextcloud.nix @@ -0,0 +1,13 @@ +{ config, pkgs, ... }: { + services = { + nextcloud-client = { + enable = true; + }; + gnome-keyring = { + enable = true; + }; + }; + home.packages = [ + pkgs.gnome3.seahorse + ]; +} diff --git a/config/users/kat/nixos.nix b/config/users/kat/nixos.nix index 9d23098d..47cfb528 100644 --- a/config/users/kat/nixos.nix +++ b/config/users/kat/nixos.nix 
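Review bot: In the firefox hunk, `"browser.search.suggest.enabled" = true;` together with dropping `"keyword.enabled" = false;` means address-bar input is again sent to the configured search provider (suggestions as you type, and bare words searched rather than rejected), which the neighbouring prefs (`"browser.search.geoip.url" = ""`, `"beacon.enabled" = false`, `"geo.enabled" = false`) suggest this profile was deliberately avoiding. If the relaxation is intended, a comment such as `# search suggestions deliberately re-enabled` beside the line would stop a later cleanup from flipping it back; otherwise only the `browser.search.region` change looks needed.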
@@ -6,6 +6,7 @@ isNormalUser = true; openssh.authorizedKeys.keys = [ "ssh-rsa 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 yubikey5" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII74JrgGsDQ6r7tD7+k3ykxXV7DpeeFRscPMxrBsDPhz kat@goliath" ]; shell = pkgs.zsh; extraGroups = [ "wheel" "video" "systemd-journal" "plugdev" "bird2" "vfio" "input" "uinput" ]; diff --git a/outputs.nix b/outputs.nix index b0976c90..9593b5f7 100644 --- a/outputs.nix +++ b/outputs.nix @@ -13,13 +13,34 @@ functor = { enable = true; external = [ - (import (inputs.arcexprs + "/modules")).nixos (import (inputs.katexprs + "/modules")).nixos (import (inputs.impermanence + "/nixos.nix")) (import inputs.anicca).modules.nixos (inputs.tf-nix + "/modules/nixos/secrets.nix") (inputs.tf-nix + "/modules/nixos/secrets-users.nix") - ]; + ] ++ (with (import (inputs.arcexprs + "/modules")).nixos; [ + nix + systemd + dht22-exporter + glauth + modprobe + kernel + crypttab + mutable-state + common-root + pulseaudio + wireplumber + alsa + yggdrasil + bindings + matrix-appservices + matrix-synapse-appservices + display + filebin + mosh + base16 base16-shared + doc-warnings + ]); }; }; "modules/home" = { diff --git a/trusted/flake.lock b/trusted/flake.lock index 6eff745b..fcd229b0 100644 --- a/trusted/flake.lock +++ b/trusted/flake.lock @@ -413,12 +413,12 @@ ] }, "locked": { - "narHash": "sha256-2cZ6237JhyatPQObd0Q2FVqoXnXYDcKiCpzWxkF5eRk=", - "path": "/nix/store/zkwg2mlqw200n2v8170738q69lk45yj2-source", + "narHash": "sha256-iIgsdGTiWzoKHHFU9wXFHzHfFEGpJVEozC7HsByyu2U=", + "path": "/nix/store/9gsq8y8c6advmzmh5jbkqdgclc8s1ivs-source", "type": "path" }, "original": { - "path": "/nix/store/zkwg2mlqw200n2v8170738q69lk45yj2-source", + "path": "/nix/store/9gsq8y8c6advmzmh5jbkqdgclc8s1ivs-source", "type": "path" } },