add server config

2023-05-11 05:33:08 +07:00 · 2023-05-11 05:33:08 +07:00 · 33b4fe95c2
parent 8655459e46
commit 33b4fe95c2
18 changed files with 1150 additions and 55 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,2 @@
 private.nix
 private/
--- a/system/flake.lock
+++ b/system/flake.lock
@ -1,5 +1,37 @@
 {
  "nodes": {
    "blobs": {
      "flake": false,
      "locked": {
        "lastModified": 1604995301,
        "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
        "owner": "simple-nixos-mailserver",
        "repo": "blobs",
        "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
        "type": "gitlab"
      },
      "original": {
        "owner": "simple-nixos-mailserver",
        "repo": "blobs",
        "type": "gitlab"
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
        "lastModified": 1668681692,
        "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "009399224d5e398d03b22badca40a37ac85412a1",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-utils": {
      "inputs": {
        "systems": "systems"
@ -83,6 +115,32 @@
        "type": "github"
      }
    },
    "nixos-mailserver": {
      "inputs": {
        "blobs": "blobs",
        "flake-compat": "flake-compat",
        "nixpkgs": [
          "nixpkgs"
        ],
        "nixpkgs-22_11": [
          "nixpkgs"
        ],
        "utils": "utils"
      },
      "locked": {
        "lastModified": 1671738303,
        "narHash": "sha256-PRgqtaWf2kMSYqVmcnmhTh+UsC0RmvXRTr+EOw5VZUA=",
        "owner": "simple-nixos-mailserver",
        "repo": "nixos-mailserver",
        "rev": "6d0d9fb966cc565a3df74d3b686f924c7615118c",
        "type": "gitlab"
      },
      "original": {
        "owner": "simple-nixos-mailserver",
        "repo": "nixos-mailserver",
        "type": "gitlab"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1683408522,
@ -104,9 +162,10 @@
        "impermanence": "impermanence",
        "nix-gaming": "nix-gaming",
        "nixos-hardware": "nixos-hardware",
        "nixos-mailserver": "nixos-mailserver",
        "nixpkgs": "nixpkgs",
        "rust-overlay": "rust-overlay",
-        "utils": "utils"
+        "utils": "utils_2"
      }
    },
    "rust-overlay": {
@ -117,11 +176,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1683685144,
+        "lastModified": 1683708507,
-        "narHash": "sha256-HZBieMZj9Rp+WtbGiK5JaUciZwJ/2YX6LRe5z8jkfow=",
+        "narHash": "sha256-i5zgWcuyZcNBnlrzVjhpAFQdJWr4OyhvQ1owAEHFFKw=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "74e44edb87aeed50798f5b81795ebad250d4a0c0",
+        "rev": "ed55dc022aa23ed3c42f383cf1782290b3b939d5",
        "type": "github"
      },
      "original": {
@ -146,6 +205,21 @@
      }
    },
    "utils": {
      "locked": {
        "lastModified": 1605370193,
        "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "5021eac20303a61fafe17224c087f5519baed54d",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "utils_2": {
      "inputs": {
        "flake-utils": "flake-utils_2"
      },
--- a/system/flake.nix
+++ b/system/flake.nix
@ -15,14 +15,25 @@
      url = "github:fufexan/nix-gaming";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixos-mailserver = {
      url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.nixpkgs-22_11.follows = "nixpkgs";
    };
  };
-  outputs = inputs@{ self, nixpkgs, utils, nixos-hardware, impermanence, nix-gaming, ... }:
+  outputs = inputs@{ self, nixpkgs, utils, nixos-hardware, impermanence, nix-gaming, nixos-mailserver, ... }:
  let
    hw = nixos-hardware.nixosModules;
    # IRL-related stuff I'd rather not put into git
-    priv = if builtins.pathExists ./private.nix then (import ./private.nix) else { };
+    priv = if builtins.pathExists ./private/default.nix then (import ./private)
-    getPriv = (hostname: with builtins; if hasAttr hostname priv then getAttr hostname priv else { });
+           else if builtins.pathExists ./private.nix then (import ./private.nix)
           else { };
    getPriv = hostname: with builtins; if hasAttr hostname priv then getAttr hostname priv else { };
    common = hostname: [ (getPriv hostname) impermanence.nixosModule ];
    extraArgs = {
      inherit nixpkgs;
    };
  in utils.lib.mkFlake {
    inherit self inputs;
    hostDefaults.modules = [
@ -44,18 +55,24 @@
        system = "x86_64-linux";
        modules = [
          ./hosts/nixmsi.nix
          impermanence.nixosModule
          nix-gaming.nixosModules.pipewireLowLatency
          hw.common-pc-ssd # enables fstrim
          hw.common-cpu-amd # microcode
          hw.common-cpu-amd-pstate # amd-pstate
          hw.common-gpu-amd # configures drivers
          hw.common-pc-laptop # enables tlp
-          (getPriv "nixmsi")
+        ] ++ common "nixmsi";
-        ];
+        inherit extraArgs;
        extraArgs = {
          inherit nixpkgs;
      };
      nixserver = {
        system = "x86_64-linux";
        modules = [
          ./hosts/nixserver
          nixos-mailserver.nixosModules.default
          hw.common-pc-hdd
          hw.common-cpu-intel
        ] ++ common "nixserver";
        inherit extraArgs;
      };
    };
  };
--- a/system/hosts/nixmsi.nix
+++ b/system/hosts/nixmsi.nix
@ -108,6 +108,11 @@ in {
    opengl.extraPackages = with pkgs; [ vulkan-validation-layers ];
  };
  services.openssh = {
    enable = true;
    settings.PasswordAuthentication = false;
  };
  services.tlp.enable = true;
  services.tlp.settings = {
    USB_EXCLUDE_PHONE = 1;
@ -207,7 +212,6 @@ in {
  ++ (lib.range 1714 1764);
  networking.firewall.allowedUDPPorts = lib.range 1714 1764;
  # networking.hostName = "nixmsi";
  networking.wireless.iwd.enable = true;
  #networking.networkmanager.enable = true;
@ -327,17 +331,6 @@ in {
  documentation.dev.enable = true;
  ### RANDOM PATCHES ###
  # I've had some weird issues with the entire system breaking after
  # suspend because of /dev/shm getting nuked, maybe this'll help
  services.logind.extraConfig = ''
    RemoveIPC=no
  '';
  # why is this not part of base NixOS?
  systemd.tmpfiles.rules = [ "d /var/lib/systemd/pstore 0755 root root 14d" ];
  # autologin once after boot
  # --skip-login means directly call login instead of first asking for username
  # (normally login asks for username too, but getty prefers to do it by itself for whatever reason)
--- a/system/hosts/nixserver/default.nix
+++ b/system/hosts/nixserver/default.nix
@ -0,0 +1,464 @@
 { lib
 , pkgs
 , config
 , ... }:
 let
  cfg = config.server;
  # TODO: move to lib
  quotePotentialIpV6 = addr:
    if lib.hasInfix ":" addr then "[${addr}]" else addr;
  efiPart = "/dev/disk/by-uuid/3E2A-A5CB";
  rootUuid = "6aace237-9b48-4294-8e96-196759a5305b";
  rootPart = "/dev/disk/by-uuid/${rootUuid}";
  hosted-domains =
    map
      (prefix: if prefix == null then cfg.domainName else "${prefix}.${cfg.domainName}")
  [
    null
    "dns"
    "mumble"
    "mail"
    "music"
    "www"
    "matrix"
    "search"
    "git"
    "cloud"
    "ns1"
    "ns2"
  ];
 in {
  imports = [
    ./options.nix
    ./matrix.nix
    ./fdroid.nix
    ./mumble.nix
  ];
  system.stateVersion = "22.11";
  boot = {
    initrd = {
      availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "sr_mod" "rtsx_pci_sdmmc" ];
    };
    kernelModules = [ "kvm-intel" ];
    kernelParams = [
      "consoleblank=60"
    ];
    loader = {
      grub = {
        enable = true;
        device = "nodev";
        version = 2;
        efiSupport = true;
        efiInstallAsRemovable = true;
        gfxmodeEfi = "1920x1080";
        gfxmodeBios = "1920x1080";
      };
      efi.efiSysMountPoint = "/boot/efi";
    };
  };
  hardware.enableRedistributableFirmware = true;
  fileSystems = {
    "/" =    { device = "none"; fsType = "tmpfs"; neededForBoot = true;
               options = [ "defaults" "size=2G" "mode=755" ]; };
    "/persist" =
             { device = rootPart; fsType = "btrfs"; neededForBoot = true;
               options = [ "compress=zstd:15" ]; };
    "/boot" =
             { device = rootPart; fsType = "btrfs"; neededForBoot = true;
               options = [ "compress=zstd:15" "subvol=boot" ]; };
    "/boot/efi" =
             { device = efiPart; fsType = "vfat"; };
  };
  zramSwap.enable = true;
  swapDevices = [ ];
  impermanence = {
    enable = true;
    path = /persist;
    directories = [
      { directory = /var/www/${cfg.domainName}; }
      { directory = /var/lib/maubot; }
      { directory = /var/lib/fdroid; }
      { directory = config.mailserver.dkimKeyDirectory; }
      { directory = config.mailserver.mailDirectory; }
      { directory = /home/user; }
      { directory = /root; }
      { directory = /nix; }
    ];
  };
  services.beesd = {
    filesystems.root = {
      spec = "UUID=${rootUuid}";
      hashTableSizeMB = 128;
      extraOptions = [ "--loadavg-target" "8.0" ];
    };
  };
  i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
  i18n.supportedLocales = lib.mkDefault [
    "C.UTF-8/UTF-8"
    "en_US.UTF-8/UTF-8"
    "en_DK.UTF-8/UTF-8"
  ];
  # ISO-8601
  i18n.extraLocaleSettings.LC_TIME = "en_DK.UTF-8";
  console.font = "${pkgs.terminus_font}/share/consolefonts/ter-v24n.psf.gz";
  networking.useDHCP = true;
  networking.resolvconf.extraConfig = ''
    name_servers="127.0.0.1 ::1"
  '';
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [
      # ssh
      22
      # dns
      53 853
      # http/s
      80 443
    ];
    allowedUDPPorts = [
      # dns
      53 853
      # wireguard
      # 5553
    ];
  };
  # UNBOUND
  services.unbound = {
    enable = true;
    package = pkgs.unbound-with-systemd.override {
      withPythonModule = true;
      python = pkgs.python3.withPackages (pkgs: with pkgs; [ pydbus dnspython ]);
    };
    localControlSocketPath = "/run/unbound/unbound.ctl";
    resolveLocalQueries = false;
    settings = {
      server = {
        interface = [ "0.0.0.0" "::" ];
        access-control =  [ "${cfg.lanCidrV4} allow" "${cfg.lanCidrV6} allow" ];
        aggressive-nsec = true;
        do-ip6 = true;
        module-config = ''"validator iterator"'';
        local-zone = [
          ''"local." static''
        ] ++ (lib.optionals (cfg.localIpV4 != null || cfg.localIpV6 != null) [
          ''"${cfg.domainName}." typetransparent''
        ]);
        local-data = builtins.concatLists (map (domain:
          lib.optionals (cfg.localIpV4 != null) [
            ''"${domain}. A ${cfg.localIpV4}"''
          ] ++ (lib.optionals (cfg.localIpV6 != null) [
            ''"${domain}. A ${cfg.localIpV6}"''
          ])) hosted-domains);
      };
      python.python-script = toString (pkgs.fetchurl {
        url = "https://raw.githubusercontent.com/NLnetLabs/unbound/a912786ca9e72dc1ccde98d5af7d23595640043b/pythonmod/examples/avahi-resolver.py";
        sha256 = "0r1iqjf08wrkpzvj6pql1jqa884hbbfy9ix5gxdrkrva09msiqgi";
      });
      remote-control.control-enable = true;
    };
  };
  systemd.services.unbound.environment.MDNS_ACCEPT_NAMES = "^.*\\.local\\.$";
  # just in case
  networking.hosts."127.0.0.1" = [ "localhost" ] ++ hosted-domains;
  # CUPS
  services.printing = {
    enable = true;
    allowFrom = [ cfg.lanCidrV4 cfg.lanCidrV6 ];
    browsing = true;
    clientConf = ''
      ServerName ${cfg.domainName}
    '';
    defaultShared = true;
    drivers = [ pkgs.hplip ];
    startWhenNeeded = false;
  };
  programs.fish.enable = true;
  users.defaultUserShell = pkgs.fish;
  users.users.user = {
    isNormalUser = true;
    extraGroups = [ "wheel" config.services.unbound.group ];
  };
  environment.systemPackages = with pkgs; [
    comma
    git
    vim
    wget
    # rxvt-unicode-unwrapped.terminfo
    kitty.terminfo
    tmux
  ];
  services.postgresql.enable = true;
  services.postgresql.package = pkgs.postgresql_13;
  nix = {
    settings = {
      allowed-users = [ "user" ];
      auto-optimise-store = true;
    };
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 30d";
    };
    package = pkgs.nixFlakes;
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
  };
  systemd.services.nix-daemon.serviceConfig.LimitSTACKSoft = "infinity";
  # SSH
  services.openssh = {
    enable = true;
    settings.PermitRootLogin = "no";
    settings.PasswordAuthentication = false;
    listenAddresses = [{
      addr = "0.0.0.0";
    } {
      addr = "::";
    }];
  };
  services.fail2ban.enable = true;
  # SEARXNG
  services.searx.enable = true;
  services.searx.package = pkgs.searxng.overrideAttrs (_: {
    src = pkgs.fetchFromGitHub {
      owner = "searxng";
      repo = "searxng";
      rev = "cb1c3741d7de1354b524589114617f183009f6a8";
      sha256 = "sha256-7erY5Bd1ZoTpAIDbhIupu64Xd1PQspaW6vBqu7knzNI=";
    };
  });
  services.searx.runInUwsgi = true;
  services.searx.uwsgiConfig = let inherit (config.services.searx) settings; in {
    socket = "${quotePotentialIpV6 settings.server.bind_address}:${toString settings.server.port}";
  };
  users.groups.searx.members = [ "nginx" ];
  services.searx.environmentFile = "/etc/nixos/private/searx.env";
  services.searx.settings = {
    use_default_settings = true;
    search = {
        safe_search = 0; # Filter results. 0: None, 1: Moderate, 2: Strict
        autocomplete = "duckduckgo"; # Existing autocomplete backends: "dbpedia", "duckduckgo", "google", "startpage", "swisscows", "qwant", "wikipedia" - leave blank to turn it off by default
        default_lang = ""; # Default search language - leave blank to detect from browser information or use codes from 'languages.py'
    };
    server = {
      port = 8888;
      bind_address = "::1";
      secret_key = "@SEARX_SECRET_KEY@";
      base_url = "https://search.${cfg.domainName}/";
      image_proxy = true;
      default_http_headers = {
        X-Content-Type-Options = "nosniff";
        X-XSS-Protection = "1; mode=block";
        X-Download-Options = "noopen";
        X-Robots-Tag = "noindex, nofollow";
        Referrer-Policy = "no-referrer";
      };
    };
    outgoing = {
      request_timeout = 5.0;       # default timeout in seconds, can be override by engine
      max_request_timeout = 15.0;  # the maximum timeout in seconds
      pool_connections = 100;      # Maximum number of allowable connections, or null
      pool_maxsize = 10;           # Number of allowable keep-alive connections, or null
      enable_http2 = true;         # See https://www.python-httpx.org/http2/
    };
    /* = {
      name = "soundcloud";
      disabled = true;
    };*/
  };
  services.nginx.virtualHosts."search.${cfg.domainName}" = let inherit (config.services.searx) settings; in {
    enableACME = true;
    forceSSL = true;
    # locations."/".proxyPass = "http://${quotePotentialIpV6 settings.server.bind_address}:${toString settings.server.port}";
    locations."/".extraConfig = ''
      uwsgi_pass "${quotePotentialIpV6 settings.server.bind_address}:${toString settings.server.port}";
      include ${config.services.nginx.package}/conf/uwsgi_params;
    '';
  };
  # NGINX
  services.nginx.enable = true;
  services.nginx.streamConfig =
    let
      cert = config.security.acme.certs."${cfg.domainName}".directory + "/fullchain.pem";
      certKey = config.security.acme.certs."${cfg.domainName}".directory + "/key.pem";
      trustedCert = config.security.acme.certs."${cfg.domainName}".directory + "/chain.pem";
    in ''
      upstream dns {
        zone dns 64k;
        server 127.0.0.1:53;
      }
      server {
        listen 853 ssl;
        ssl_certificate ${cert};
        ssl_certificate_key ${certKey};
        ssl_trusted_certificate ${trustedCert};
        proxy_pass dns;
      }
    '';
  services.nginx.commonHttpConfig = "log_format postdata '{\"ip\":\"$remote_addr\",\"time\":\"$time_iso8601\",\"referer\":\"$http_referer\",\"body\":\"$request_body\",\"ua\":\"$http_user_agent\"}';";
  services.nginx.recommendedTlsSettings = true;
  services.nginx.recommendedOptimisation = true;
  services.nginx.recommendedGzipSettings = true;
  services.nginx.recommendedProxySettings = true;
  # BLOG
  services.nginx.virtualHosts."${cfg.domainName}" = {
    enableACME = true;
    forceSSL = true;
    extraConfig = "autoindex on;";
    locations."/".root = "/var/www/${cfg.domainName}/";
    locations."/src".root = "/var/www/${cfg.domainName}/";
    locations."/src".extraConfig = "index force_dirlisting;";
    locations."/submit_comment".extraConfig = ''
      access_log /var/log/nginx/comments.log postdata;
      proxy_pass https://${cfg.domainName}/submit.htm;
      break;
    '';
    locations."/submit.htm" = {
      extraConfig = ''
        return 200 '<!doctype html><html><head><base href="/"/><link rel="preload" href="style.css" as="style"><title>Success!</title><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><link rel="icon" type="image/jpeg" href="pfp.jpg"><link rel="alternate" type="application/rss+xml" title="RSS" href="https://${cfg.domainName}/blog/index.xml"><link href="style.css" rel="stylesheet" /><script src="main.js"></script><meta http-equiv="refresh" content="10; url=$http_referer" /></head><body onload="documentLoaded()"><hr/><div class="main-body"><p>Success! It may take a while for your comment to get moderated.</p><p>Please wait for 10 seconds until you get redirected back...</p><p>Or just go there <a href="$http_referer">manually</a>.</p></div><hr/></body></html>';
      '';
    };
  };
  services.nginx.virtualHosts."www.${cfg.domainName}" = {
    enableACME = true;
    globalRedirect = cfg.domainName;
  };
  # MAILSERVER
  # roundcube
  services.nginx.virtualHosts."mail.${cfg.domainName}" = {
    enableACME = true;
  };
  services.roundcube = {
    enable = true;
    package = pkgs.roundcube.withPlugins (plugins: [ plugins.persistent_login ]);
    dicts = with pkgs.aspellDicts; [ en ru ];
    hostName = "mail.${cfg.domainName}";
    maxAttachmentSize = 100;
    plugins = [ "persistent_login" ];
  };
  mailserver = {
    enable = true;
    fqdn = "mail.${cfg.domainName}";
    domains = [ cfg.domainName ];
    certificateScheme = 1;
    certificateFile = config.security.acme.certs."mail.${cfg.domainName}".directory + "/fullchain.pem";
    keyFile = config.security.acme.certs."mail.${cfg.domainName}".directory + "/key.pem";
    localDnsResolver = false;
    recipientDelimiter = "-";
    lmtpSaveToDetailMailbox = "no";
    hierarchySeparator = "/";
  };
  # Only allow local connections to noreply account
  mailserver.loginAccounts."noreply@${cfg.domainName}" = {
    # password is set in private.nix
    hashedPassword = cfg.hashedNoreplyPassword;
    sendOnly = true;
  };
  services.dovecot2.extraConfig =
    let passwd = builtins.toFile "dovecot2-local-passwd" ''
        noreply@${cfg.domainName}:{plain}${cfg.unhashedNoreplyPassword}::::::allow_nets=local,127.0.0.0/8,::1
      '';
    in ''
      passdb {
        driver = passwd-file
        args = ${passwd}
      }
    '';
  # GITEA
  services.nginx.virtualHosts."git.${cfg.domainName}" = let inherit (config.services.gitea) settings; in {
    enableACME = true;
    forceSSL = true;
    locations."/".proxyPass = "http://${quotePotentialIpV6 settings.server.HTTP_ADDR}:${toString settings.server.HTTP_PORT}";
  };
  services.gitea = {
    enable = true;
    database = {
      createDatabase = false;
      passwordFile = "/var/lib/gitea/db_password";
      type = "postgres";
    };
    settings = {
      mailer = {
        ENABLED = true;
        FROM = "Gitea <noreply@${cfg.domainName}>";
        MAILER_TYPE = "smtp";
        HOST = "mail.${cfg.domainName}:587";
        USER = "noreply@${cfg.domainName}";
        PASSWD = cfg.unhashedNoreplyPassword;
        SKIP_VERIFY = true;
      };
      session = {
        COOKIE_SECURE = true;
      };
      server = {
        ROOT_URL = "https://git.${cfg.domainName}";
        HTTP_ADDR = "::1";
        HTTP_PORT = 3310;
        DOMAIN = "git.${cfg.domainName}";
        # START_SSH_SERVER = true;
        # SSH_PORT = 2222;
      };
      service = {
        DISABLE_REGISTRATION = true;
        REGISTER_EMAIL_CONFIRM = true;
      };
    };
  };
  # NEXTCLOUD
  services.nginx.virtualHosts."cloud.${cfg.domainName}" = {
    enableACME = true;
    forceSSL = true;
  };
  services.nextcloud = {
    enable = true;
    enableBrokenCiphersForSSE = false;
    package = pkgs.nextcloud26;
    autoUpdateApps.enable = true;
    # TODO: use socket auth and remove the next line
    database.createLocally = false;
    config = {
      adminpassFile = "/var/lib/nextcloud/admin_password";
      dbpassFile = "/var/lib/nextcloud/db_password";
      dbtype = "pgsql";
      dbhost = "/run/postgresql";
      overwriteProtocol = "https";
    };
    hostName = "cloud.${cfg.domainName}";
    https = true;
  };
  systemd.services.pleroma.path = [ pkgs.exiftool pkgs.gawk ];
  services.nginx.virtualHosts."pleroma.${cfg.domainName}" = {
    enableACME = true;
    forceSSL = true;
    locations."/".proxyPass = "http://127.0.0.1:9970";
  };
  /*locations."/dns-query".extraConfig = ''
    grpc_pass grpc://127.0.0.1:53453;
  '';*/
  # TODO: firefox sync?
 }
--- a/system/hosts/nixserver/fdroid.nix
+++ b/system/hosts/nixserver/fdroid.nix
@ -0,0 +1,51 @@
 { config
 , pkgs
 , lib
 , ... }:
 let
  cfg = config.server;
  quotePotentialIpV6 = addr:
    if lib.hasInfix ":" addr then "[${addr}]" else addr;
 in {
  services.nginx.virtualHosts."${cfg.domainName}" = {
    locations."/fdroid/".alias = "/var/lib/fdroid/repo/";
  };
  users.users.fdroid = {
    home = "/var/lib/fdroid";
    group = "fdroid";
    isSystemUser = true;
  };
  users.groups.fdroid = { };
  systemd.timers.update-fdroid = {
    wantedBy = [ "timers.target" ];
    partOf = [ "update-fdroid.service" ];
    # slightly unusual time to reduce server load
    timerConfig.OnCalendar = [ "*-*-* 00:40:00" ]; # every day
  };
  systemd.services.update-fdroid = {
    serviceConfig = let
      inherit (pkgs) fdroidserver;
      fdroidScript = pkgs.writeText "update-froid.py" ''
        import requests, subprocess, os, sys
        x = requests.get('https://api.github.com/repos/ppy/osu/releases').json()
        for q in x:
            for w in q.get('assets', []):
                if w.get('name', "").endswith('.apk'):
                    os.chdir('/var/lib/fdroid')
                    subprocess.run(['${pkgs.wget}/bin/wget', w['browser_download_url'], '-O', '/var/tmp/lazer.apk'], check=True)
                    os.rename('/var/tmp/lazer.apk', '/var/lib/fdroid/repo/sh.ppy.osulazer.apk')
                    subprocess.run(['${fdroidserver}/bin/fdroid', 'update', '--allow-disabled-algorithms'])
                    sys.exit()
      '';
      fdroidPython = pkgs.python3.withPackages (p: with p; [ requests ]);
    in {
      Type = "oneshot";
      ExecStart = "${fdroidPython} ${fdroidScript}";
    };
    environment.JAVA_HOME = "${pkgs.jdk11_headless}";
    path = [ pkgs.jdk11_headless ];
  };
 }
--- a/system/hosts/nixserver/matrix.nix
+++ b/system/hosts/nixserver/matrix.nix
@ -0,0 +1,122 @@
 { config
 , pkgs
 , lib
 , ... }:
 let
  cfg = config.server;
  quotePotentialIpV6 = addr:
    if lib.hasInfix ":" addr then "[${addr}]" else addr;
  matrixServerJson = {
    "m.server" = "matrix.${cfg.domainName}:443";
  };
  matrixClientJson = {
    "m.homeserver" = { base_url = "https://matrix.${cfg.domainName}"; };
    "m.identity_server" = { base_url = "https://vector.im"; };
  };
  matrixServerConfigResponse = ''
    add_header Content-Type application/json;
    return 200 '${builtins.toJSON matrixServerJson}';
  '';
  matrixClientConfigResponse = ''
    add_header Content-Type application/json;
    add_header Access-Control-Allow-Origin *;
    return 200 '${builtins.toJSON matrixClientJson}';
  '';
  matrixAddr = "::1";
  matrixPort = 8008;
 in {
  imports = [ ./maubot.nix ];
  networking.firewall.allowedTCPPorts = [ 8008 8448 ];
  systemd.services.matrix-synapse.serviceConfig.TimeoutStartSec = 180;
  services.nginx.virtualHosts."${cfg.domainName}" = {
    locations."= /.well-known/matrix/server".extraConfig = matrixServerConfigResponse;
    locations."= /.well-known/matrix/client".extraConfig = matrixClientConfigResponse;
  };
  services.nginx.virtualHosts."matrix.${cfg.domainName}" = {
    enableACME = true;
    forceSSL = true;
    locations = {
      "= /.well-known/matrix/server".extraConfig = matrixServerConfigResponse;
      "= /.well-known/matrix/client".extraConfig = matrixClientConfigResponse;
      "/".proxyPass = "http://${quotePotentialIpV6 matrixAddr}:${toString matrixPort}";
    };
  };
  systemd.services.heisenbridge.wants = [ "matrix-synapse.service" ];
  systemd.services.heisenbridge.after = [ "matrix-synapse.service" ];
  services.heisenbridge = {
    enable = true;
    homeserver = "http://${quotePotentialIpV6 matrixAddr}:${toString matrixPort}/";
  };
  # so synapse can read the registration
  users.groups.heisenbridge.members = [ "matrix-synapse" ];
  services.matrix-synapse = {
    enable = true;
    extraConfigFiles = [ "/var/lib/matrix-synapse/config.yaml" ];
    settings = {
      app_service_config_files = [
        "/var/lib/heisenbridge/registration.yml"
      ];
      allow_guest_access = true;
      url_preview_enabled = true;
      tls_certificate_path = config.security.acme.certs."matrix.${cfg.domainName}".directory + "/fullchain.pem";
      tls_private_key_path = config.security.acme.certs."matrix.${cfg.domainName}".directory + "/key.pem";
      public_baseurl = "https://matrix.${cfg.domainName}/";
      server_name = "matrix.${cfg.domainName}";
      max_upload_size = "100M";
      email = {
        smtp_host = "mail.pavluk.org";
        smtp_port = 587;
        smtp_user = "noreply";
        smtp_password = cfg.unhashedNoreplyPassword;
        notif_from = "${cfg.domainName} matrix homeserver <noreply@${cfg.domainName}>";
        app_name = cfg.domainName;
        notif_for_new_users = false;
        enable_notifs = true;
      };
      listeners = [{
        port = matrixPort;
        bind_addresses = [ matrixAddr ];
        type = "http";
        tls = false;
        x_forwarded = true;
        resources = [{
          names = [ "client" "federation" ];
          compress = false;
        }];
      }];
    };
  };
  # maubot
  users.users.maubot = {
    home = "/var/lib/maubot";
    group = "maubot";
    isSystemUser = true;
  };
  users.groups.maubot = { };
  systemd.services.maubot = {
    description = "Maubot";
    wants = [ "matrix-synapse.service" "nginx.service" ];
    after = [ "matrix-synapse.service" "nginx.service" ];
    wantedBy = [ "multi-user.target" ];
    environment = {
      LD_LIBRARY_PATH = "${pkgs.stdenv.cc.cc.lib}/lib";
    };
    serviceConfig = {
      User = "maubot";
      Group = "maubot";
      WorkingDirectory = "/var/lib/maubot/data";
    };
    script = "${pkgs.python3.withPackages (pks: with pks; [
      pkgs.maubot (pkgs.pineapplebot.override {
        magic = cfg.pizzabotMagic;
      }) feedparser levenshtein python-dateutil pytz
    ])}/bin/python3 -m maubot";
  };
 }
--- a/system/hosts/nixserver/maubot.nix
+++ b/system/hosts/nixserver/maubot.nix
@ -0,0 +1,45 @@
 { config
 , pkgs
 , lib
 , ... }:
 let
  cfg = config.server;
  quotePotentialIpV6 = addr:
    if lib.hasInfix ":" addr then "[${addr}]" else addr;
  # i've yet to create a maubot module so this is hardcoded
  maubotAddr = "127.0.0.1";
  maubotPort = 29316;
 in {
  services.nginx.virtualHosts."matrix.${cfg.domainName}".locations = {
    "/_matrix/maubot/" = {
      proxyPass = "http://${quotePotentialIpV6 maubotAddr}:${toString maubotPort}";
      proxyWebsockets = true;
    };
  };
  users.users.maubot = {
    home = "/var/lib/maubot";
    group = "maubot";
    isSystemUser = true;
  };
  users.groups.maubot = { };
  systemd.services.maubot = {
    description = "Maubot";
    wants = [ "matrix-synapse.service" "nginx.service" ];
    after = [ "matrix-synapse.service" "nginx.service" ];
    wantedBy = [ "multi-user.target" ];
    environment = {
      LD_LIBRARY_PATH = "${pkgs.stdenv.cc.cc.lib}/lib";
    };
    serviceConfig = {
      User = "maubot";
      Group = "maubot";
      WorkingDirectory = "/var/lib/maubot/data";
    };
    script = "${pkgs.python3.withPackages (pks: with pks; [
      pkgs.maubot (pkgs.pineapplebot.override {
        magic = cfg.pizzabotMagic;
      }) feedparser levenshtein python-dateutil pytz
    ])}/bin/python3 -m maubot";
  };
 }
--- a/system/hosts/nixserver/mumble.nix
+++ b/system/hosts/nixserver/mumble.nix
@ -0,0 +1,81 @@
 { config
 , lib
 , ... }:
 let
  cfg = config.server;
  quotePotentialIpV6 = addr:
    if lib.hasInfix ":" addr then "[${addr}]" else addr;
 in {
  services.murmur = {
    enable = true;
    imgMsgLength = 0;
    textMsgLength = 0;
    registerName = "mumble.${cfg.domainName}";
    registerHostname = "mumble.${cfg.domainName}";
    sslCa = config.security.acme.certs."mumble.${cfg.domainName}".directory + "/chain.pem";
    sslCert = config.security.acme.certs."mumble.${cfg.domainName}".directory + "/fullchain.pem";
    sslKey = config.security.acme.certs."mumble.${cfg.domainName}".directory + "/key.pem";
    # clientCertRequired = true;
    extraConfig = ''
      bandwidth=320000
      opusthreshold=0
    '';
  };
  # Allow murmur to read the certificate
  security.acme.certs."mumble.${cfg.domainName}" = {
    group = "nginxandmurmur";
    postRun = "systemctl try-reload-or-restart murmur";
  };
  users.groups.nginxandmurmur.members = [ "murmur" "nginx" ];
  # Mumble music bot
  services.nginx.virtualHosts."mumble.${cfg.domainName}" = let inherit (config.services.botamusique) settings; in {
    enableACME = true;
    forceSSL = true;
    globalRedirect = cfg.domainName;
    locations."/music".extraConfig = "return 301 https://mumble.${cfg.domainName}/music/;";
    locations."/music/".proxyPass = "http://${quotePotentialIpV6 settings.webinterface.listening_addr}:${toString settings.webinterface.listening_port}/";
  };
  services.botamusique = {
    enable = true;
    settings = {
      youtube_dl = {
        cookiefile = "/var/lib/botamusique/cookie_ydl";
      };
      webinterface = {
        enabled = true;
        listening_addr = "::1";
        listening_port = 8181;
        is_web_proxified = true;
        access_address = "https://mumble.${cfg.domainName}/music";
        auth_method = "token";
        upload_enabled = true;
        max_upload_file_size = "100MB";
        delete_allowed = true;
      };
      bot = {
        bandwidth = 200000;
        volume = 1.0;
        ducking = true;
        ducking_volume = 0.75;
      };
      server.certificate = "/var/lib/botamusique/cert.pem";
    };
  };
  systemd.services.botamusique.wants = [ "murmur.service" ];
  systemd.services.botamusique.after = [ "murmur.service" ];
  networking.firewall = {
    allowedTCPPorts = [
      64738
      # Used for mumble-web signaling (not sure if it needs TCP or UDP)
      # 20000 20001 20002 20003 20004 20005 20006 20007 20008 20009 20010
    ];
    allowedUDPPorts = [
      64738
      # 20000 20001 20002 20003 20004 20005 20006 20007 20008 20009 20010
    ];
  };
 }
--- a/system/hosts/nixserver/options.nix
+++ b/system/hosts/nixserver/options.nix
@ -0,0 +1,58 @@
 { lib
 , ... }:
 {
  options.server = with lib; mkOption {
    type = types.submodule {
      options = {
        domainName = mkOption {
          type = types.str;
          default = "pavluk.org";
          description = "domain name";
        };
        lanCidrV4 = mkOption {
          type = types.str;
          description = "LAN mask (IPv4)";
          example = "192.168.1.0/96";
          default = "0.0.0.0/0";
        };
        lanCidrV6 = mkOption {
          type = types.str;
          description = "LAN mask (IPv6)";
          example = "fd01:abcd::/64";
          default = "::/0";
        };
        localIpV4 = mkOption {
          type = with types; nullOr str;
          description = "server's local IPv4 address";
          example = "192.168.1.2";
          default = null;
        };
        localIpV6 = mkOption {
          type = with types; nullOr str;
          description = "server's local IPv6 address";
          example = "fd01:abcd::2";
          default = null;
        };
        noreplyPassword = mkOption {
          type = types.str;
          description = "noreply (only available via localhost) account password";
          default = "totallysafe";
        };
        hashedNoreplyPassword = mkOption {
          type = types.str;
          description = "hashed noreply password via mkpasswd -sm bcrypt";
        };
        unhashedNoreplyPassword = mkOption {
          type = types.str;
          description = "unhashed noreply password. \
              This should preferably be different from the password that is hashed for better security (yes, really)";
        };
        pizzabotMagic = mkOption {
          type = types.str;
          default = "<PIZZABOT_MAGIC_SEP>";
        };
      };
    };
    description = "server settings";
  };
 }
--- a/system/modules/ccache.nix
+++ b/system/modules/ccache.nix
@ -4,7 +4,7 @@
    config.programs.ccache.cacheDir
    "/var/cache/sccache"
  ];
-  environment.persistence."/persist".directories = lib.mkIf config.programs.ccache.enable [
+  impermanence.directories = lib.mkIf config.programs.ccache.enable [
    config.programs.ccache.cacheDir
    "/var/cache/sccache"
  ];
--- a/system/modules/impermanence.nix
+++ b/system/modules/impermanence.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, ... }:
 let
  cfg = config.impermanence;
@ -16,7 +16,7 @@ in {
          description = "Default path for persistence";
        };
        directories = mkOption {
-          type = with types; listOf path;
+          type = with types; listOf (either path attrs);
          default = [ ];
          description = "Extra directories to persist";
        };
@ -36,41 +36,90 @@ in {
    default = { };
  };
  config = lib.mkIf cfg.enable {
    # why is this not part of base NixOS?
    systemd.tmpfiles.rules = [ "d /var/lib/systemd/pstore 0755 root root 14d" ];
    # as weird as it sounds, I won't use tmpfs for /tmp in case I'll have to put files over 2GB there
    boot.tmp.cleanOnBoot = lib.mkIf cfg.persistTmp true;
    environment.persistence.${toString cfg.path} = {
      hideMounts = true;
-      directories = map toString ([
+      directories = map (x:
        if builtins.isPath x then toString x
        else if builtins.isAttrs x && x?directory && builtins.isPath x.directory then x // { directory = toString x.directory; }
        else x)
      ([
        # nixos files
-        /etc/nixos
+        { directory = /etc/nixos; user = "root"; group = "root"; mode = "0755"; }
-        /var/lib/nixos
+        { directory = /var/lib/nixos; user = "root"; group = "root"; mode = "0755"; }
-        /var/log
+        { directory = /var/log; user = "root"; group = "root"; mode = "0755"; }
        # persist this since everything here is cleaned up by systemd-tmpfiles over time anyway
        # ...or so I'd like to believe
-        /var/lib/systemd
+        { directory = /var/lib/systemd; user = "root"; group = "root"; mode = "0755"; }
-        /var/tmp
+        { directory = /var/tmp; user = "root"; group = "root"; mode = "1777"; }
        { directory = /var/spool; user = "root"; group = "root"; mode = "0777"; }
      ] ++ (lib.optionals cfg.persistTmp [
-        /tmp
+        { directory = /tmp; user = "root"; group = "root"; mode = "1777"; }
      ]) ++ (lib.optionals config.services.mullvad-vpn.enable [
-        /etc/mullvad-vpn
+        { directory = /etc/mullvad-vpn; user = "root"; group = "root"; mode = "0700"; }
-        /var/cache/mullvad-vpn
+        { directory = /var/cache/mullvad-vpn; user = "root"; group = "root"; mode = "0755"; }
      ]) ++ (lib.optionals config.virtualisation.libvirtd.enable ([
-        /var/cache/libvirt
+        # { directory = /var/cache/libvirt; user = "root"; group = "root"; mode = "0755"; }
-        /var/lib/libvirt
+        { directory = /var/lib/libvirt; user = "root"; group = "root"; mode = "0755"; }
      ] ++ (lib.optionals config.virtualisation.libvirtd.qemu.swtpm.enable [
-        /var/lib/swtpm-localca
+        { directory = /var/lib/swtpm-localca; user = "root"; group = "root"; mode = "0750"; }
      ]))) ++ (lib.optionals config.networking.wireless.iwd.enable [
-        /var/lib/iwd
+        { directory = /var/lib/iwd; user = "root"; group = "root"; mode = "0700"; }
      ]) ++ (lib.optionals (builtins.any (x: x.useDHCP) (builtins.attrValues config.networking.interfaces) || config.networking.useDHCP) [
-        /var/db/dhcpcd
+        { directory = /var/db/dhcpcd; user = "root"; group = "root"; mode = "0755"; }
      ]) ++ (lib.optionals config.services.gitea.enable [
        { directory = /var/lib/gitea; user = "gitea"; group = "gitea"; mode = "0755"; }
      ]) ++ (lib.optionals config.services.matrix-synapse.enable [
        { directory = /var/lib/matrix-synapse; user = "matrix-synapse"; group = "matrix-synapse"; mode = "0700"; }
      ]) ++ (lib.optionals config.services.heisenbridge.enable [
        { directory = /var/lib/heisenbridge; user = "heisenbridge"; group = "heisenbridge"; mode = "0755"; }
      ]) ++ (lib.optionals config.services.murmur.enable [
        { directory = /var/lib/murmur; user = "murmur"; group = "murmur"; mode = "0700"; }
      ]) ++ (lib.optionals config.services.nextcloud.enable [
        { directory = /var/lib/nextcloud; user = "nextcloud"; group = "nextcloud"; mode = "0750"; }
      ]) ++ (lib.optionals config.services.botamusique.enable [
        { directory = /var/lib/private/botamusique; user = "root"; group = "root"; mode = "0750"; }
      ]) ++ (lib.optionals config.security.acme.acceptTerms [
        { directory = /var/lib/acme; user = "acme"; group = "acme"; mode = "0755"; }
      ]) ++ (lib.optionals config.services.printing.enable [
        { directory = /var/lib/cups; user = "root"; group = "root"; mode = "0755"; }
      ]) ++ (lib.optionals config.services.fail2ban.enable [
        { directory = /var/lib/fail2ban; user = "fail2ban"; group = "fail2ban"; mode = "0750"; }
      ]) ++ (lib.optionals config.services.opendkim.enable [
        { directory = /var/lib/opendkim; user = "opendkim"; group = "opendkim"; mode = "0700"; }
      ]) ++ (lib.optionals config.services.pleroma.enable [
        { directory = /var/lib/pleroma; user = "pleroma"; group = "pleroma"; mode = "0700"; }
      ]) ++ (lib.optionals config.services.postfix.enable [
        { directory = /var/lib/postfix; user = "root"; group = "root"; mode = "0755"; }
      ]) ++ (lib.optionals config.services.postgresql.enable [
        { directory = /var/lib/postgresql; user = "postgres"; group = "postgres"; mode = "0755"; }
      ]) ++ (lib.optionals config.services.unbound.enable [
        { directory = /var/lib/unbound; user = "unbound"; group = "unbound"; mode = "0755"; }
      ]) ++ (lib.optionals config.services.roundcube.enable [
        { directory = /var/lib/roundcube; user = "roundcube"; group = "roundcube"; mode = "0700"; }
      ]) ++ (lib.optionals config.services.rspamd.enable [
        { directory = /var/lib/rspamd; user = "rspamd"; group = "rspamd"; mode = "0700"; }
      ]) ++ (lib.optionals (
        (builtins.hasAttr "rspamd" config.services.redis.servers)
        && (builtins.hasAttr "enable" config.services.redis.servers.rspamd)
        && config.services.redis.servers.rspamd.enable
      ) [
        { directory = /var/lib/redis-rspamd; user = "redis-rspamd"; group = "redis-rspamd"; mode = "0700"; }
      ]) ++ (lib.optionals config.services.dovecot2.enable [
        { directory = /var/lib/dhparams; user = "root"; group = "root"; mode = "0755"; }
        { directory = /var/lib/dovecot; user = "root"; group = "root"; mode = "0755"; }
      ]) ++ (lib.optionals config.security.sudo.enable [
-        /var/db/sudo/lectured
+        { directory = /var/db/sudo/lectured; user = "root"; group = "root"; mode = "0700"; }
      ]) ++ cfg.directories);
      files = map toString ([
        # hardware-related
        /etc/adjtime
        # needed at least for /var/log
        /etc/machine-id
      ] ++ cfg.files);
    };
--- a/system/modules/vfio.nix
+++ b/system/modules/vfio.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ options, config, lib, pkgs, ... }:
 let
  cfg = config.vfio;
 in {
@ -73,9 +73,10 @@ in {
    description = "VFIO settings";
    default = { };
  };
  # compatibility so this module loads on non-amd hardware
  config = let
-    enableIvshmem = config.vfio.lookingGlass.enable && (builtins.length config.vfio.lookingGlass.ivshmem) > 0;
+    enableIvshmem = cfg.lookingGlass.enable && (builtins.length cfg.lookingGlass.ivshmem) > 0;
-  in lib.mkIf config.vfio.enable {
+  in lib.mkIf cfg.enable {
    # add a custom kernel param for early loading vfio drivers
    # because if we change boot.initrd options in a specialization, two initrds will be built
    # and we don't want to build two initrds
@ -151,9 +152,13 @@ in {
            SUBSYSTEM=="kvmfr", KERNEL=="kvmfr${toString i}", OWNER="${ivshmem.owner}", GROUP="kvm", MODE="0660"
          '')
          cfg.lookingGlass.ivshmem));
    hardware = {
      opengl.enable = true;
    } // (lib.optionalAttrs (cfg.enable && !(cfg.nvidiaGpu)) {
      # disable early KMS so GPU can be properly unbound
-    hardware.amdgpu.loadInInitrd = lib.mkIf (!cfg.nvidiaGpu) false;
+      # can't use mkif because the option may not even exist
-    hardware.opengl.enable = true;
+      amdgpu.loadInInitrd = false;
    });
    # needed for virt-manager
    programs.dconf.enable = true;
    virtualisation.libvirtd = {
--- a/system/pkgs/default.nix
+++ b/system/pkgs/default.nix
@ -1,3 +1,5 @@
 { pkgs, ... }: let inherit (pkgs) callPackage; in {
-  system76-scheduler = callPackage ../pkgs/system76-scheduler.nix { };
+  system76-scheduler = callPackage ./system76-scheduler.nix { };
  maubot = callPackage ./maubot.nix { };
  pineapplebot = callPackage ./pineapplebot.nix { };
 }
--- a/system/pkgs/maubot.nix
+++ b/system/pkgs/maubot.nix
@ -0,0 +1,95 @@
 { lib
 , fetchpatch
 , python3
 , runCommand
 , encryptionSupport ? true
 }:
 let
  python = python3.override {
    packageOverrides = self: super: {
      sqlalchemy = super.buildPythonPackage rec {
        pname = "SQLAlchemy";
        version = "1.3.24";
        src = super.fetchPypi {
          inherit pname version;
          sha256 = "sha256-67t3fL+TEjWbiXv4G6ANrg9ctp+6KhgmXcwYpvXvdRk=";
        };
        postInstall = ''
          sed -e 's:--max-worker-restart=5::g' -i setup.cfg
        '';
        doCheck = false;
      };
    };
  };
  self = with python.pkgs; buildPythonPackage rec {
    pname = "maubot";
    version = "0.4.1";
    disabled = pythonOlder "3.8";
    src = fetchPypi {
      inherit pname version;
      sha256 = "sha256-Ro2PPgF8818F8JewPZ3AlbfWFNNHKTZkQq+1zpm3kk4=";
    };
    patches = [
      # add entry point
      (fetchpatch {
        url = "https://patch-diff.githubusercontent.com/raw/maubot/maubot/pull/146.patch";
        sha256 = "0yn5357z346qzy5v5g124mgiah1xsi9yyfq42zg028c8paiw8s8x";
      })
    ];
    propagatedBuildInputs = [
      # requirements.txt
      mautrix
      aiohttp
      yarl
      sqlalchemy
      asyncpg
      aiosqlite
      CommonMark
      ruamel-yaml
      attrs
      bcrypt
      packaging
      click
      colorama
      questionary
      jinja2
    ]
    # optional-requirements.txt
    ++ lib.optionals encryptionSupport [
      python-olm
      pycryptodome
      unpaddedbase64
    ];
    passthru.tests = {
      simple = runCommand "${pname}-tests" { } ''
        ${self}/bin/mbc --help > $out
      '';
    };
    # Setuptools is trying to do python -m maubot test
    dontUseSetuptoolsCheck = true;
    pythonImportsCheck = [
      "maubot"
    ];
    meta = with lib; {
      description = "A plugin-based Matrix bot system written in Python";
      homepage = "https://github.com/maubot/maubot";
      changelog = "https://github.com/maubot/maubot/blob/v${version}/CHANGELOG.md";
      license = licenses.agpl3Plus;
      maintainers = with maintainers; [ chayleaf ];
    };
  };
 in
 self
--- a/system/pkgs/pineapplebot.nix
+++ b/system/pkgs/pineapplebot.nix
@ -0,0 +1,34 @@
 { python3
 , fetchFromGitHub
 , rustPlatform
 , magic ? "<PIZZABOT_MAGIC_SEP>"
 , ... }:
 python3.pkgs.buildPythonPackage rec {
  pname = "pineapplebot";
  version = "0.1.0";
  src = fetchFromGitHub {
    owner = "chayleaf";
    repo = "pizzabot_v3";
    rev = "master";
    sha256 = "sha256-ZLskMlllZfmqIlbSr0pNHHJehDycohiwqgYbuEYP7Qc=";
  };
  preBuild = ''
    head -n13 Cargo.toml > Cargo.toml.new
    mv Cargo.toml.new Cargo.toml
  '';
  sourceRoot = "source/pineapplebot";
  cargoDeps = rustPlatform.fetchCargoTarball {
    inherit src sourceRoot;
    name = "${pname}-${version}";
    sha256 = "14jxgykwg1apy97gy1j8mz7ny2cqg4q9s03a2bk9kx2y6ibm4668";
  };
  nativeBuildInputs = with rustPlatform; [
    cargoSetupHook
    maturinBuildHook
  ];
  doCheck = false;
  doInstallCheck = true;
  pythonImportsCheck = [ "pineapplebot" ];
  PIZZABOT_MAGIC = magic;
 }
--- a/system/private.nix.sample
+++ b/system/private.nix.sample
@ -1,5 +0,0 @@
 {
  nixmsi = { ... }: {
    # insert private config here
  };
 }
--- a/system/private.sample.nix
+++ b/system/private.sample.nix
@ -0,0 +1,9 @@
 {
  nixmsi = { pkgs, lib, ... }: {
    # insert private config here
    # time.timeZone = ...;
    # users.users.root.initialHashedPassword = ...;
    # users.users.user.initialHashedPassword = ...;
  };
  nixserver = { ... }: { };
 }