From 9d96dc1a44084c4e403397fe7d7918d42adb39e3 Mon Sep 17 00:00:00 2001 From: chayleaf Date: Tue, 27 Jun 2023 15:25:19 +0700 Subject: [PATCH] server: btrfs->bcachefs; add maubot.nix; update searxng router: add remote query editing support --- flake.lock | 58 +++++++++++++++++++++++- flake.nix | 25 ++++++---- pkgs/_sources/generated.json | 28 ++++++++++++ pkgs/_sources/generated.nix | 22 ++++++--- pkgs/default.nix | 7 +++ pkgs/firefox-addons/default.nix | 11 +++-- pkgs/nvfetcher.toml | 23 +++++----- system/devices/hp-probook-g0-server.nix | 5 +- system/hardware/bpi-r3/pkgs.nix | 11 +---- system/hosts/nixserver/default.nix | 12 ++--- system/hosts/nixserver/maubot.nix | 31 +++++++++++-- system/hosts/router/avahi-resolver-v2.py | 51 +++++++++++++++------ system/hosts/router/default.nix | 10 +++- system/modules/impermanence.nix | 1 + 14 files changed, 226 insertions(+), 69 deletions(-) diff --git a/flake.lock b/flake.lock index f9a2ba1..c629ddf 100644 --- a/flake.lock +++ b/flake.lock @@ -33,6 +33,22 @@ } }, "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_3": { "flake": false, "locked": { "lastModified": 1668681692, @@ -67,6 +83,21 @@ } }, "flake-utils": { + "locked": { + "lastModified": 1678901627, + "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { "inputs": { "systems": "systems" }, 
@@ -119,6 +150,28 @@ "type": "github" } }, + "maubot": { + "inputs": { + "flake-compat": "flake-compat_2", + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1687853065, + "narHash": "sha256-HNq95YrJm8ng7lSdGbyDCihgrS6xhQm6Agyej6ttmGg=", + "owner": "chayleaf", + "repo": "maubot.nix", + "rev": "f06cffda880a0a403a3b4c40263a03dd2523775b", + "type": "github" + }, + "original": { + "owner": "chayleaf", + "repo": "maubot.nix", + "type": "github" + } + }, "nix-gaming": { "inputs": { "flake-parts": "flake-parts", @@ -158,7 +211,7 @@ "nixos-mailserver": { "inputs": { "blobs": "blobs", - "flake-compat": "flake-compat_2", + "flake-compat": "flake-compat_3", "nixpkgs": [ "nixpkgs" ], @@ -295,6 +348,7 @@ "flake-compat": "flake-compat", "home-manager": "home-manager", "impermanence": "impermanence", + "maubot": "maubot", "nix-gaming": "nix-gaming", "nixos-hardware": "nixos-hardware", "nixos-mailserver": "nixos-mailserver", @@ -308,7 +362,7 @@ }, "rust-overlay": { "inputs": { - "flake-utils": "flake-utils", + "flake-utils": "flake-utils_2", "nixpkgs": [ "nixpkgs" ] diff --git a/flake.nix b/flake.nix index 2e5c10c..d81abec 100644 --- a/flake.nix +++ b/flake.nix @@ -30,6 +30,10 @@ url = "github:chayleaf/nixos-router"; inputs.nixpkgs.follows = "nixpkgs"; }; + maubot = { + url = "github:chayleaf/maubot.nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; nixos-mailserver = { url = "gitlab:simple-nixos-mailserver/nixos-mailserver"; inputs.nixpkgs.follows = "nixpkgs"; 
@@ -41,11 +45,13 @@ }; }; - outputs = inputs@{ self, nixpkgs, nixos-hardware, impermanence, home-manager, nur, nix-gaming, notlua, notnft, nixos-mailserver, nixos-router, ... }: + outputs = inputs@{ self, nixpkgs, nixos-hardware, impermanence, home-manager, nur, nix-gaming, notlua, notnft, nixos-mailserver, nixos-router, maubot, ... }: let # --impure required for developing - # it takes the paths for notlua,notnft,nixos-router from filesystem as opposed to flake inputs - developing = false; + # it takes the paths for modules from filesystem as opposed to flake inputs + devNft = false; + devNixRt = false; + devMaubot = false; # IRL-related stuff I'd rather not put into git priv = if builtins.pathExists ./private.nix then (import ./private.nix { }) 
@@ -88,26 +94,27 @@ modules = [ nixos-mailserver.nixosModules.default ./system/devices/hp-probook-g0-server.nix + (if devMaubot then import /${devPath}/maubot.nix/module else maubot.nixosModules.default) ]; }; router-emmc = rec { system = "aarch64-linux"; - specialArgs.notnft = if developing then (import /${devPath}/notnft { inherit (nixpkgs) lib; }).config.notnft else notnft.lib.${system}; - specialArgs.router-lib = if developing then import /${devPath}/nixos-router/lib.nix { inherit (nixpkgs) lib; } else nixos-router.lib.${system}; + specialArgs.notnft = if devNft then (import /${devPath}/notnft { inherit (nixpkgs) lib; }).config.notnft else notnft.lib.${system}; + specialArgs.router-lib = if devNixRt then import /${devPath}/nixos-router/lib.nix { inherit (nixpkgs) lib; } else nixos-router.lib.${system}; specialArgs.server-config = nixosConfigurations.nixserver.config; modules = [ (import ./system/devices/bpi-r3-router.nix "emmc") - (if developing then (import /${devPath}/nixos-router) else nixos-router.nixosModules.default) + (if devNixRt then (import /${devPath}/nixos-router) else nixos-router.nixosModules.default) ]; }; router-sd = rec { system = "aarch64-linux"; - specialArgs.notnft = if developing then (import /${devPath}/notnft { inherit (nixpkgs) lib; }).config.notnft else notnft.lib.${system}; - specialArgs.router-lib = if developing then import /${devPath}/nixos-router/lib.nix { inherit (nixpkgs) lib; } else nixos-router.lib.${system}; + specialArgs.notnft = if devNft then (import /${devPath}/notnft { inherit (nixpkgs) lib; }).config.notnft else notnft.lib.${system}; + specialArgs.router-lib = if devNixRt then import /${devPath}/nixos-router/lib.nix { inherit (nixpkgs) lib; } else nixos-router.lib.${system}; specialArgs.server-config = nixosConfigurations.nixserver.config; modules = [ (import ./system/devices/bpi-r3-router.nix "sd") - (if developing then (import /${devPath}/nixos-router) else nixos-router.nixosModules.default) + (if devNixRt then (import 
/${devPath}/nixos-router) else nixos-router.nixosModules.default) ]; }; nixmsi = rec { diff --git a/pkgs/_sources/generated.json b/pkgs/_sources/generated.json index cb642f3..1a4c961 100644 --- a/pkgs/_sources/generated.json +++ b/pkgs/_sources/generated.json @@ -1,4 +1,18 @@ { + "atf-bpir3": { + "cargoLocks": null, + "date": "2022-12-13", + "extract": null, + "name": "atf-bpir3", + "passthru": null, + "pinned": false, + "src": { + "sha256": "sha256-pW2yytXRIFEIbG1gnuXq8TiLe/Eew7zESe6Pijh2qVk=", + "type": "tarball", + "url": "https://github.com/frank-w/u-boot/archive/c30a1caf8274af67bf31f3fb5abc45df5737df36.tar.gz" + }, + "version": "c30a1caf8274af67bf31f3fb5abc45df5737df36" + }, "fastforward": { "cargoLocks": null, "date": null, @@ -29,6 +43,20 @@ }, "version": "GE-Proton8-4" }, + "searxng": { + "cargoLocks": null, + "date": "2023-06-25", + "extract": null, + "name": "searxng", + "passthru": null, + "pinned": false, + "src": { + "sha256": "sha256-sk28RG9/ZoPL71x99tNi884Mw0taMTYWh6HXINTr1xQ=", + "type": "tarball", + "url": "https://github.com/searxng/searxng/archive/e8706fb738da9feb21e596f403dddb40e69c8a7b.tar.gz" + }, + "version": "e8706fb738da9feb21e596f403dddb40e69c8a7b" + }, "yomichan": { "cargoLocks": null, "date": null, diff --git a/pkgs/_sources/generated.nix b/pkgs/_sources/generated.nix index f70826a..6549939 100644 --- a/pkgs/_sources/generated.nix +++ b/pkgs/_sources/generated.nix @@ -1,6 +1,15 @@ # This file was generated by nvfetcher, please do not modify it manually. { fetchgit, fetchurl, fetchFromGitHub, dockerTools }: { + atf-bpir3 = { + pname = "atf-bpir3"; + version = "c30a1caf8274af67bf31f3fb5abc45df5737df36"; + src = fetchTarball { + url = "https://github.com/frank-w/u-boot/archive/c30a1caf8274af67bf31f3fb5abc45df5737df36.tar.gz"; + sha256 = "sha256-pW2yytXRIFEIbG1gnuXq8TiLe/Eew7zESe6Pijh2qVk="; + }; + date = "2022-12-13"; + }; fastforward = { pname = "fastforward"; version = "0.2237"; 
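Review bot: The `specialArgs.notnft`, `specialArgs.router-lib` and the nixos-router module selection are now repeated verbatim in `router-emmc` and `router-sd`, which is why the `developing` → `devNft`/`devNixRt` rename had to be applied twice in this hunk. Hoisting them into one `let` binding next to the dev flags (something like `routerArgs = { notnft = if devNft then ... else ...; router-lib = if devNixRt then ... else ...; }` and `routerModule = if devNixRt then import /${devPath}/nixos-router else nixos-router.nixosModules.default`) would leave a single place to edit when the next module gets a dev toggle. The same pattern is used for the new `devMaubot` line in the `nixserver` module list, so it would fit there too. The `nixosConfigurations` set this hunk edits begins and ends outside the hunk.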
@@ -17,12 +26,13 @@ sha256 = "sha256-OPwmVxBGaWo51pDJcqvxvZ8qxMH8X0DwZTpwiKbdx/I="; }; }; - yomichan = { - pname = "yomichan"; - version = "22.10.23.0"; - src = fetchurl { - url = "https://github.com/FooSoft/yomichan/releases/download/22.10.23.0/yomichan-firefox-dev.xpi"; - sha256 = "sha256-l70wVXHEArifukDelZeoVxIyP2Crs6QZSD/kFdEml/8="; + searxng = { + pname = "searxng"; + version = "e8706fb738da9feb21e596f403dddb40e69c8a7b"; + src = fetchTarball { + url = "https://github.com/searxng/searxng/archive/e8706fb738da9feb21e596f403dddb40e69c8a7b.tar.gz"; + sha256 = "sha256-sk28RG9/ZoPL71x99tNi884Mw0taMTYWh6HXINTr1xQ="; }; + date = "2023-06-25"; }; } diff --git a/pkgs/default.nix b/pkgs/default.nix index bb8e1c8..33d5d3a 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -41,6 +41,13 @@ in ''; }; rofi-steam-game-list = callPackage ./rofi-steam-game-list { }; + searxng = pkgs.searxng.overrideAttrs (old: { + inherit (sources.searxng) src; + version = "unstable-" + sources.searxng.date; + propagatedBuildInputs = old.propagatedBuildInputs ++ (with pkgs'.python3.pkgs; [ + pytomlpp + ]); + }); # system76-scheduler = callPackage ./system76-scheduler.nix { }; techmino = callPackage ./techmino { }; diff --git a/pkgs/firefox-addons/default.nix b/pkgs/firefox-addons/default.nix index 769c734..dc150b7 100644 --- a/pkgs/firefox-addons/default.nix +++ b/pkgs/firefox-addons/default.nix 
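Review bot: The searxng override in pkgs/default.nix takes `pytomlpp` from `pkgs'.python3.pkgs` while the package it extends, `pkgs.searxng`, comes from `pkgs`; if the two sets ever differ in `python3` (an overlay on `pkgs'` is the usual reason both exist side by side), the module would be built for a different interpreter than searxng's own dependencies and could fail to import at runtime. Unless `pkgs'` is specifically needed here, `with pkgs.python3.pkgs; [ pytomlpp ]` keeps both halves of `propagatedBuildInputs` on one interpreter. A short comment on why the pinned commit needs `pytomlpp` when the nixpkgs package does not would also help, since the same addition is repeated via `lib.mkForce` in system/hosts/nixserver/default.nix and a future reader has to work out which of the two is load-bearing.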
@@ -22,11 +22,14 @@ in inherit lib stdenv fetchurl; inherit (nur.repos.rycee.firefox-addons) buildFirefoxXpiAddon; }) // { - # addons.mozilla.org's version is horribly outdated for whatever reason - # I guess the extension normally autoupdates by itself? - # this is an unsigned build + # this is no longer maintained, hardcode last released version yomichan = buildExtension { - inherit (sources.yomichan) pname version src; + pname = "yomichan"; + version = "22.10.23.0"; + src = fetchurl { + url = "https://github.com/FooSoft/yomichan/releases/download/22.10.23.0/yomichan-firefox-dev.xpi"; + sha256 = "sha256-l70wVXHEArifukDelZeoVxIyP2Crs6QZSD/kFdEml/8="; + }; id = "alex.testing@foosoft.net.xpi"; meta = with lib; { homepage = "https://foosoft.net/projects/yomichan"; diff --git a/pkgs/nvfetcher.toml b/pkgs/nvfetcher.toml index 40a2eb7..0f84672 100644 --- a/pkgs/nvfetcher.toml +++ b/pkgs/nvfetcher.toml 
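Review bot: The replacement comment drops the fact that this xpi is an unsigned developer build (the removed text said so, and the `alex.testing@foosoft.net.xpi` id on the next line still reflects it), which matters more now that the extension is declared unmaintained: it is pinned to a single artifact that will receive no further fixes. Keep both facts together, e.g. `# upstream is no longer maintained: pin the last released build (unsigned dev xpi, no further updates)`. The `sha256` on the `fetchurl` is what makes fetching a release asset from GitHub safe to reproduce, so any later change to `version` must update it in lockstep. The `//` attribute set this entry lives in starts and ends outside the hunk.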
@@ -2,21 +2,22 @@ src.github = "GloriousEggroll/proton-ge-custom" fetch.url = "https://github.com/GloriousEggroll/proton-ge-custom/releases/download/$ver/$ver.tar.gz" -[yomichan] -src.github = "FooSoft/yomichan" -fetch.url = "https://github.com/FooSoft/yomichan/releases/download/$ver/yomichan-firefox-dev.xpi" - [fastforward] # allow prereleases src.github_tag = "FastForwardTeam/FastForward" +src.use_commit = true fetch.url = "https://github.com/FastForwardTeam/FastForward/releases/download/$ver/fastforwardteam-$ver.xpi" # nix-prefetch doesnt work with git right now for some reason, whatever -# [atf-bpir3] -# src.git = "https://github.com/frank-w/u-boot.git" -# src.branch = "r3-atf" -# src.use_commit = true +[atf-bpir3] +src.git = "https://github.com/frank-w/u-boot.git" +src.branch = "r3-atf" +src.use_commit = true +fetch.tarball = "https://github.com/frank-w/u-boot/archive/$ver.tar.gz" # fetch.git = "https://github.com/frank-w/u-boot.git" -# fetch.branch = "$ver" -#fetch.github = "frank-w/u-boot" -# fetch.branch = "r3-atf" + +[searxng] +src.git = "https://github.com/searxng/searxng.git" +src.use_commit = true +fetch.tarball = "https://github.com/searxng/searxng/archive/$ver.tar.gz" + diff --git a/system/devices/hp-probook-g0-server.nix b/system/devices/hp-probook-g0-server.nix index bc6cc5f..4ba2e49 100644 --- a/system/devices/hp-probook-g0-server.nix +++ b/system/devices/hp-probook-g0-server.nix @@ -4,6 +4,8 @@ let efiPart = "/dev/disk/by-uuid/3E2A-A5CB"; rootUuid = "6aace237-9b48-4294-8e96-196759a5305b"; rootPart = "/dev/disk/by-uuid/${rootUuid}"; + root2Uuid = "e7e5ca5e-294e-42be-a58c-cb4d54a583e8"; + root2Part = "/dev/disk/by-uuid/${root2Uuid}"; in { imports = [ ../hardware/hp-probook-g0.nix 
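Review bot: `src.use_commit = true` under `[fastforward]` appears to have no effect and would be harmful if it did: the generated fastforward entry in pkgs/_sources/generated.nix is untouched by this commit and still reads `version = "0.2237"`, and if `$ver` became a commit hash the release URL `.../download/$ver/fastforwardteam-$ver.xpi` would no longer name an existing asset. If the intent is to keep tracking tags, drop the line; if it is to track commits, `fetch.url` needs a different template (inferred from the URL shape, not verified against nvfetcher's option semantics). The new `[searxng]` entry tracks the default branch with no `src.branch`, so each nvfetcher run moves the pin to whatever HEAD is at that moment; a comment such as `# follows upstream master; re-run nvfetcher deliberately` would record that this is intended.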
@@ -23,8 +25,7 @@ in { "/" = { device = "none"; fsType = "tmpfs"; neededForBoot = true; options = [ "defaults" "size=2G" "mode=755" ]; }; "/persist" = - { device = rootPart; fsType = "btrfs"; neededForBoot = true; - options = [ "compress=zstd:15" ]; }; + { device = root2Part; fsType = "bcachefs"; neededForBoot = true; }; "/boot" = { device = rootPart; fsType = "btrfs"; neededForBoot = true; options = [ "compress=zstd:15" "subvol=boot" ]; }; diff --git a/system/hardware/bpi-r3/pkgs.nix b/system/hardware/bpi-r3/pkgs.nix index 48b2387..d666d50 100644 --- a/system/hardware/bpi-r3/pkgs.nix +++ b/system/hardware/bpi-r3/pkgs.nix @@ -1,19 +1,12 @@ { pkgs , pkgs' , lib -# , sources +, sources , ... }: let armTrustedFirmwareBpiR3 = { bootDevice, uboot ? null }: pkgs.buildArmTrustedFirmware rec { - # TODO: nvfetcherify this - src = pkgs.fetchFromGitHub { - owner = "frank-w"; - repo = "u-boot"; - # branch r3-atf - rev = "c30a1caf8274af67bf31f3fb5abc45df5737df36"; - hash = "sha256-pW2yytXRIFEIbG1gnuXq8TiLe/Eew7zESe6Pijh2qVk="; - }; + inherit (sources.atf-bpir3) src; patches = [ ./bpi-r3-atf-backport-mkimage-support.patch ]; extraMakeFlags = assert builtins.elem bootDevice [ "nor" "snand" "spim-nand" "emmc" "sdmmc" "ram" diff --git a/system/hosts/nixserver/default.nix b/system/hosts/nixserver/default.nix index 64c1bfb..2435931 100644 --- a/system/hosts/nixserver/default.nix +++ b/system/hosts/nixserver/default.nix 
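Review bot: `/persist`, the only filesystem that survives the tmpfs root on this host, is switched to `bcachefs` with `neededForBoot = true`, but nothing in this hunk or the rest of the patch adds `boot.supportedFilesystems` or a kernel with bcachefs support for the initrd; unless `../hardware/hp-probook-g0.nix` already provides both (bcachefs was not in the mainline kernel at this commit's date, so a patched kernel is also needed), stage 1 will be unable to mount it. Dropping `compress=zstd:15` looks intentional since that option spelling is btrfs-specific, but a comment saying whether compression is configured on the bcachefs side would avoid the question later. Because this volume holds all persistent state, record next to `root2Uuid` how the new volume was created and whether data from the btrfs `rootPart` (which `/boot` still uses) was migrated, e.g. `# bcachefs volume for /persist; created <date>, data copied from rootPart`.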
@@ -149,14 +149,7 @@ in { # SEARXNG services.searx.enable = true; - services.searx.package = pkgs.searxng.overrideAttrs (_: { - src = pkgs.fetchFromGitHub { - owner = "searxng"; - repo = "searxng"; - rev = "cb1c3741d7de1354b524589114617f183009f6a8"; - sha256 = "sha256-7erY5Bd1ZoTpAIDbhIupu64Xd1PQspaW6vBqu7knzNI="; - }; - }); + services.searx.package = pkgs.searxng; services.searx.runInUwsgi = true; services.searx.uwsgiConfig = let inherit (config.services.searx) settings; in { socket = "${lib.quoteListenAddr settings.server.bind_address}:${toString settings.server.port}"; @@ -192,6 +185,9 @@ in { enable_http2 = true; # See https://www.python-httpx.org/http2/ }; }; + # workaround for a bug, will probably get fixed upstream some day + services.uwsgi.instance.vassals.searx.pythonPackages = lib.mkForce (self: [ pkgs.searxng self.pytomlpp ]); + services.nginx.virtualHosts."search.${cfg.domainName}" = let inherit (config.services.searx) settings; in { enableACME = true; forceSSL = true; diff --git a/system/hosts/nixserver/maubot.nix b/system/hosts/nixserver/maubot.nix index 5816785..452ea4e 100644 --- a/system/hosts/nixserver/maubot.nix +++ b/system/hosts/nixserver/maubot.nix @@ -1,6 +1,6 @@ { config -, pkgs , lib +, pkgs , ... }: let @@ -18,13 +18,13 @@ in { proxyWebsockets = true; }; }; - users.users.maubot = { + /*users.users.maubot = { home = "/var/lib/maubot"; group = "maubot"; isSystemUser = true; }; - users.groups.maubot = { }; - systemd.services.maubot = { + users.groups.maubot = { };*/ + /*systemd.services.maubot = { description = "Maubot"; wants = [ "matrix-synapse.service" "nginx.service" ]; after = [ "matrix-synapse.service" "nginx.service" ]; 
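Review bot: `# workaround for a bug, will probably get fixed upstream some day` above the new `services.uwsgi.instance.vassals.searx.pythonPackages` line does not say which bug or what the symptom is, so nobody can later tell when the `lib.mkForce` can be removed. State the observable problem and the removal condition, e.g. `# the searx module's uwsgi vassal lists only the package itself, so pytomlpp (added to propagatedBuildInputs in pkgs/default.nix) is not importable from uwsgi; drop once the vassal inherits propagated inputs`. I infer that cause from `pytomlpp` being added in both places in this patch; adjust the wording if the actual defect is different. Whichever it is, one of the two locations should say that the other exists, otherwise the duplication will be "cleaned up" and break the deployment.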
@@ -42,5 +42,28 @@ in { magic = cfg.pizzabotMagic; }) feedparser levenshtein python-dateutil pytz ])}/bin/python3 -m maubot"; + };*/ + systemd.services.maubot = { + after = [ "nginx.service" ]; + requires = [ "nginx.service" ]; }; + services.maubot.enable = true; + services.maubot.settings = { + database = "postgresql://maubot:synapse@localhost/maubot"; + server.public_url = "https://matrix.pavluk.org"; + }; + services.maubot.plugins = with config.services.maubot.package.plugins; [ + com.arachnitech.weather + com.dvdgsng.maubot.urban + xyz.maubot.media + xyz.maubot.reactbot + xyz.maubot.reminder + xyz.maubot.translate + xyz.maubot.rss + ]; + services.maubot.pythonPackages = [ + (pkgs.pineapplebot.override { magic = cfg.pizzabotMagic; }) + ] ++ (with pkgs.python3.pkgs; [ + levenshtein + ]); } diff --git a/system/hosts/router/avahi-resolver-v2.py b/system/hosts/router/avahi-resolver-v2.py index 1978f76..035e7b4 100644 --- a/system/hosts/router/avahi-resolver-v2.py +++ b/system/hosts/router/avahi-resolver-v2.py @@ -198,6 +198,8 @@ IF_UNSPEC = -1 PROTO_UNSPEC = -1 NFT_QUERIES = {} +# dynamic query update token +NFT_TOKEN = "" sysbus = None avahi = None @@ -452,18 +454,19 @@ def add_ips(set: str, ipv6: bool, ips: list, flush: bool = False): f.write(f'While adding ips for set {set}:\n') traceback.print_exc(file=f) +def add_split_domain(domains, splitDomain): + while splitDomain: + key = splitDomain[-1] + if key not in domains.keys(): + domains[key] = {} + domains = domains[key] + splitDomain = splitDomain[:-1] + domains['__IsTrue__'] = True + def build_domains(domains): ret = {} - def fill(tmp, splitDomain): - while splitDomain: - key = splitDomain[-1] - if key not in tmp.keys(): - tmp[key] = {} - tmp = tmp[key] - splitDomain = splitDomain[:-1] - tmp['__IsTrue__'] = True for domain in domains: - fill(ret, domain.split('.')) + add_split_domain(ret, domain.split('.')) return ret def lookup_domain(domains, domain): 
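Review bot: `database = "postgresql://maubot:synapse@localhost/maubot"` puts the database password into `services.maubot.settings`, which the module will render into a file under /nix/store — world-readable on the host — and it is now also committed to git. The rest of this configuration keeps secrets out of evaluation (`cfg.pizzabotMagic`, which appears to come from the untracked private.nix, and `/secrets/unbound_env` on the router), so the DSN should follow the same route: if the maubot module offers an environment- or secret-file option, use it; otherwise keep the password out of `settings` and supply it at activation time. Separately, the old `users.users.maubot`, `users.groups.maubot` and `systemd.services.maubot` definitions are kept as `/* ... */` blocks instead of being deleted; git history preserves them, and the live `systemd.services.maubot` directly below is easy to confuse with the commented one.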
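Review bot: `# dynamic query update token` above `NFT_TOKEN = ""` does not convey that this value is a shared secret: in `operate` (later in this patch) any query whose name ends in `.<NFT_TOKEN>` is allowed to extend a `!`-marked nftables domain set, so whoever knows it decides which traffic is routed around the VPN. Suggest `# secret suffix that authorizes remote additions to dynamic (!) NFT_QUERIES sets; set only via the NFT_TOKEN env var read in init(), never hard-coded here`. The comment should also say that the token is only as private as the LAN's DNS traffic, since it is carried in plaintext query names.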
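Review bot: `add_split_domain` re-implements `dict.setdefault` with an explicit `if key not in domains.keys()` test and a slice-based countdown that copies the list on every iteration; `for key in reversed(splitDomain): domains = domains.setdefault(key, {})` followed by `domains['__IsTrue__'] = True` is the same walk (last label first) in two lines. Now that it is a module-level function called from two places it also needs a one-line docstring, e.g. `"""Insert the labels of a dotted name, last label first, into the nested dict `domains`, marking the leaf with '__IsTrue__'."""`. Behaviour for list inputs is identical, so this is purely a readability change.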
@@ -487,14 +490,19 @@ def init(*args, **kwargs): global MDNS_TTL, MDNS_GETONE, MDNS_TIMEOUT global MDNS_REJECT_TYPES, MDNS_ACCEPT_TYPES global MDNS_REJECT_NAMES, MDNS_ACCEPT_NAMES - global NFT_QUERIES + global NFT_QUERIES, NFT_TOKEN + NFT_TOKEN = os.environ.get('NFT_TOKEN', '') nft_queries = os.environ.get('NFT_QUERIES', '') if nft_queries: for query in nft_queries.split(';'): name, sets = query.split(':') + dynamic = False + if name.endswith('!'): + name = name.rstrip('!') + dynamic = True set4, set6 = sets.split(',') - NFT_QUERIES[name] = { 'domains': [], 'ips4': [], 'ips6': [], 'name4': set4, 'name6': set6 } + NFT_QUERIES[name] = { 'domains': [], 'ips4': [], 'ips6': [], 'name4': set4, 'name6': set6, 'dynamic': dynamic } for k, v in NFT_QUERIES.items(): try: @@ -618,7 +626,7 @@ def rr2text(rec, ttl): dns.rdata.from_wire(class_, type_, wire, 0, len(wire), None)) def operate(id, event, qstate, qdata): - global NFT_QUERIES + global NFT_QUERIES, NFT_TOKEN qi = qstate.qinfo name = qi.qname_str @@ -628,8 +636,25 @@ def operate(id, event, qstate, qdata): class_str = dns.rdataclass.to_text(class_) rc = get_rcode(qstate.return_msg) - # vpn stuff n2 = name.rstrip('.') + + if NFT_TOKEN and n2.endswith(f'.{NFT_TOKEN}'): + n3 = n2.removesuffix(f'.{NFT_TOKEN}') + for k, v in NFT_QUERIES.items(): + if v['dynamic']: + if n3.endswith(f'.{k}'): + n3 = n3.removesuffix(f'.{k}') + qdomains = v['domains'] + if not lookup_domain(qdomains, n3): + add_split_domain(qdomains, n3.split('.')) + old = [] + if os.path.exists(f'/var/lib/unbound/{k}_domains.json'): + with open(f'/var/lib/unbound/{k}_domains.json', 'rt') as f: + old = json.load(f) + os.rename(f'/var/lib/unbound/{k}_domains.json', f'/var/lib/unbound/{k}_domains.json.bak') + old.append('*.' + n3) + with open(f'/var/lib/unbound/{k}_domains.json', 'wt') as f: + json.dump(old, f) qnames = [] for k, v in NFT_QUERIES.items(): if lookup_domain(v['domains'], n2): 
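Review bot: `name = name.rstrip('!')` strips any number of trailing `!`, so a typo such as `unvpn!!` in `NFT_QUERIES` is silently accepted, while the preceding `name.endswith('!')` check expresses a single marker; `name = name[:-1]` says exactly that. In the `operate` hunk below, `global NFT_QUERIES, NFT_TOKEN` is unnecessary for `NFT_TOKEN`, which is only read there; `global` is needed only in `init`, where it is assigned. `init` continues outside the hunk.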
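Review bot: The new dynamic-update branch in `operate` rewrites `/var/lib/unbound/{k}_domains.json` non-atomically and without error handling: `os.rename` moves the live file to `.bak` before the new content exists, so a failure in `json.load` (corrupt file) or in the write leaves no list at all until someone restores the backup, and the exception propagates out of the resolver callback — unlike `add_ips`, which wraps its work in try/except and logs the traceback. Writing to a sibling temp file and `os.replace`-ing it over the original keeps the previous content intact until the new one is complete, and a try/except keeps a bad write from disturbing normal resolution. On the trust side, any client able to send a query ending in `.<NFT_TOKEN>` permanently adds a domain to the `unvpn` set, which routes traffic around the VPN, and the list only ever grows; since the token travels in plaintext DNS on the LAN, each addition should at least be logged so the set can be audited. The loop also continues after a match with the already-shortened `n3`, so a second dynamic key could match the remainder; a `break` after the update avoids that. `operate` continues outside the hunk.
```python
        for k, v in NFT_QUERIES.items():
            if v['dynamic'] and n3.endswith(f'.{k}'):
                n3 = n3.removesuffix(f'.{k}')
                qdomains = v['domains']
                if not lookup_domain(qdomains, n3):
                    add_split_domain(qdomains, n3.split('.'))
                    path = f'/var/lib/unbound/{k}_domains.json'
                    try:
                        old = []
                        if os.path.exists(path):
                            with open(path, 'rt') as f:
                                old = json.load(f)
                        old.append('*.' + n3)
                        # write beside the live file, then rename over it: a crash mid-write
                        # leaves the previous list in place instead of an empty or missing file
                        with open(path + '.tmp', 'wt') as f:
                            json.dump(old, f)
                        os.replace(path + '.tmp', path)
                    except Exception:
                        traceback.print_exc()
                break
        # … unchanged: qnames collection and the per-set lookup_domain loop …
```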
diff --git a/system/hosts/router/default.nix b/system/hosts/router/default.nix index 61bf5a8..6d42a2b 100644 --- a/system/hosts/router/default.nix +++ b/system/hosts/router/default.nix @@ -529,6 +529,7 @@ in { }; }; }; + # veths are virtual ethernet cables # veth-wan-a - located in the default namespace # veth-wan-b - located in the wan namespace @@ -676,6 +677,12 @@ in { remote-control.control-enable = true; }; }; + environment.etc."unbound/iot_domains.json".text = builtins.toJSON [ + # ntp time sync + "pool.ntp.org" + # valetudo update check + "api.github.com" "github.com" "*.githubusercontent.com" + ]; networking.hosts."${serverAddress4}" = hosted-domains; networking.hosts."${serverAddress6}" = hosted-domains; systemd.services.unbound = lib.mkIf config.services.unbound.enable { @@ -683,7 +690,8 @@ in { environment.MDNS_ACCEPT_NAMES = "^.*\\.local\\.$"; # load vpn_domains.json and vpn_ips.json, as well as unvpn_domains.json and unvpn_ips.json # resolve domains and append it to ips and add it to the nftables sets - environment.NFT_QUERIES = "vpn:force_vpn4,force_vpn6;unvpn:force_unvpn4,force_unvpn6;iot:allow_iot4,allow_iot6"; + environment.NFT_QUERIES = "vpn:force_vpn4,force_vpn6;unvpn!:force_unvpn4,force_unvpn6;iot:allow_iot4,allow_iot6"; + serviceConfig.EnvironmentFile = "/secrets/unbound_env"; # it needs to run after nftables has been set up because it sets up the sets after = [ "nftables-default.service" ]; wants = [ "nftables-default.service" ]; diff --git a/system/modules/impermanence.nix b/system/modules/impermanence.nix index f1cb786..f1351e3 100644 --- a/system/modules/impermanence.nix +++ b/system/modules/impermanence.nix 
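Review bot: The comment above `environment.NFT_QUERIES` still describes only the json loading and says nothing about the new `!` suffix on `unvpn`, which is what enables runtime edits through DNS; add `# a trailing ! marks a set whose domain list may be extended at runtime by queries suffixed with .$NFT_TOKEN (see avahi-resolver-v2.py)`. `serviceConfig.EnvironmentFile = "/secrets/unbound_env"` is the right place for the token, but two things are not visible from this patch and should be confirmed: systemd reads the file before switching to the service user, so it can and should be root-only, and with impermanence in use on these hosts `/secrets` must live on a persisted path. As written a missing file fails the unit, which is the safer default; use the `-` prefix only if unbound should start without the token. The `systemd.services.unbound` block this edits begins and ends outside the hunk.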
@@ -92,6 +92,7 @@ in { { directory = /var/lib/acme; user = "acme"; group = "acme"; mode = "0755"; } ] ++ lib.optionals config.services.printing.enable [ { directory = /var/lib/cups; user = "root"; group = "root"; mode = "0755"; } + { directory = /var/cache/cups; user = "root"; group = "lp"; mode = "0770"; } ] ++ lib.optionals config.services.fail2ban.enable [ { directory = /var/lib/fail2ban; user = "root"; group = "root"; mode = "0700"; } ] ++ lib.optionals config.services.opendkim.enable [