diff --git a/README.md b/README.md index abd2990..703be77 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ To install, put `system` to `/etc/nixos`, put `home` to `~/.config/home-manager` (and `overlays.nix` to `~/.config/nixpkgs`) The reason they are separate is because I want to be able to iterate -home config quickly, and `nixos-rebuild`'ing the entire sytem for every +home config quickly, and `nixos-rebuild`'ing the entire system for every little change is pretty annoying (not to mention the necessity of `sudo`). I'll probably merge them later, especially after [Tvix](https://tvl.fyi/blog/rewriting-nix) becomes feature-complete. diff --git a/system/flake.nix b/system/flake.nix index 0aaf2a2..691f807 100644 --- a/system/flake.nix +++ b/system/flake.nix @@ -26,20 +26,32 @@ let hw = nixos-hardware.nixosModules; # IRL-related stuff I'd rather not put into git - priv = if builtins.pathExists ./private/default.nix then (import ./private) - else if builtins.pathExists ./private.nix then (import ./private.nix) - else { }; + priv = + if builtins.pathExists ./private.nix then (import ./private.nix) + else if builtins.pathExists ./private/default.nix then (import ./private) + else { }; getPriv = hostname: with builtins; if hasAttr hostname priv then getAttr hostname priv else { }; - common = hostname: [ (getPriv hostname) impermanence.nixosModule ]; + common = hostname: [ (getPriv hostname) ]; extraArgs = { inherit nixpkgs; }; + lib = nixpkgs.lib // { + quotePotentialIpV6 = addr: + if nixpkgs.lib.hasInfix ":" addr then "[${addr}]" else addr; + }; + specialArgs = { + inherit lib; + }; + mkHost = args @ { system ? "x86_64-linux", modules, ... }: { + inherit system extraArgs specialArgs; + } // args; in utils.lib.mkFlake { inherit self inputs; hostDefaults.modules = [ ./modules/vfio.nix ./modules/ccache.nix ./modules/impermanence.nix + impermanence.nixosModule { # make this flake's nixpkgs available to the whole system nix = { 
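Review bot: `quotePotentialIpV6`, now exposed to every module through the `lib` attrset built in the `let` block, double-wraps an address that already carries brackets, because `hasInfix ":"` matches `[::1]` just as well as `::1`, and nothing documents what callers may pass. Guarding on the prefix covers both forms: `if nixpkgs.lib.hasInfix ":" addr && !nixpkgs.lib.hasPrefix "[" addr then "[${addr}]" else addr;`, with a doc comment such as `# Wrap a bare IPv6 literal in brackets for host:port use; bracketed input, hostnames and IPv4 pass through unchanged`. The rewritten `priv` lookup also flips precedence so `./private.nix` now wins over `./private/default.nix`; a one-line comment stating that this is deliberate would spare the next reader a diff. The enclosing `let` begins before the hunk and the `mkFlake` call continues past it.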
@@ -47,12 +59,11 @@ generateRegistryFromInputs = true; linkInputs = true; }; - nixpkgs.overlays = [ (self: super: import ./pkgs { pkgs = super; }) ]; + nixpkgs.overlays = [ (self: super: import ./pkgs { pkgs = super; inherit lib; }) ]; } ]; hosts = { - nixmsi = { - system = "x86_64-linux"; + nixmsi = mkHost { modules = [ ./hosts/nixmsi.nix nix-gaming.nixosModules.pipewireLowLatency @@ -62,17 +73,14 @@ hw.common-gpu-amd # configures drivers hw.common-pc-laptop # enables tlp ] ++ common "nixmsi"; - inherit extraArgs; }; - nixserver = { - system = "x86_64-linux"; + nixserver = mkHost { modules = [ ./hosts/nixserver nixos-mailserver.nixosModules.default hw.common-pc-hdd hw.common-cpu-intel ] ++ common "nixserver"; - inherit extraArgs; }; }; }; diff --git a/system/hosts/nixserver/default.nix b/system/hosts/nixserver/default.nix index 3f5aa24..6be0920 100644 --- a/system/hosts/nixserver/default.nix +++ b/system/hosts/nixserver/default.nix @@ -5,9 +5,6 @@ let cfg = config.server; - # TODO: move to lib - quotePotentialIpV6 = addr: - if lib.hasInfix ":" addr then "[${addr}]" else addr; efiPart = "/dev/disk/by-uuid/3E2A-A5CB"; rootUuid = "6aace237-9b48-4294-8e96-196759a5305b"; @@ -221,7 +218,7 @@ in { # SSH services.openssh = { enable = true; - settings.PermitRootLogin = "no"; + # settings.PermitRootLogin = "no"; settings.PasswordAuthentication = false; listenAddresses = [{ addr = "0.0.0.0"; @@ -243,7 +240,7 @@ in { }); services.searx.runInUwsgi = true; services.searx.uwsgiConfig = let inherit (config.services.searx) settings; in { - socket = "${quotePotentialIpV6 settings.server.bind_address}:${toString settings.server.port}"; + socket = "${lib.quotePotentialIpV6 settings.server.bind_address}:${toString settings.server.port}"; }; users.groups.searx.members = [ "nginx" ]; services.searx.environmentFile = "/etc/nixos/private/searx.env"; 
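Review bot: Commenting out `settings.PermitRootLogin = "no";` in the `services.openssh` block does not switch the option off; it falls back to the NixOS module default (`prohibit-password`), so root can now log in over SSH with a key even though password authentication stays disabled. Nothing else in the diff appears to need root login, so this reads as accidental; restoring `settings.PermitRootLogin = "no";` keeps the previous hardening. If it is intentional, replace the commented-out line with a comment stating why root key login is required on this host, since a commented-out setting looks like a leftover rather than a decision. The `services.openssh` attrset continues past the hunk.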
@@ -284,9 +281,9 @@ in { services.nginx.virtualHosts."search.${cfg.domainName}" = let inherit (config.services.searx) settings; in { enableACME = true; forceSSL = true; - # locations."/".proxyPass = "http://${quotePotentialIpV6 settings.server.bind_address}:${toString settings.server.port}"; + # locations."/".proxyPass = "http://${lib.quotePotentialIpV6 settings.server.bind_address}:${toString settings.server.port}"; locations."/".extraConfig = '' - uwsgi_pass "${quotePotentialIpV6 settings.server.bind_address}:${toString settings.server.port}"; + uwsgi_pass "${lib.quotePotentialIpV6 settings.server.bind_address}:${toString settings.server.port}"; include ${config.services.nginx.package}/conf/uwsgi_params; ''; }; @@ -389,7 +386,7 @@ in { services.nginx.virtualHosts."git.${cfg.domainName}" = let inherit (config.services.gitea) settings; in { enableACME = true; forceSSL = true; - locations."/".proxyPass = "http://${quotePotentialIpV6 settings.server.HTTP_ADDR}:${toString settings.server.HTTP_PORT}"; + locations."/".proxyPass = "http://${lib.quotePotentialIpV6 settings.server.HTTP_ADDR}:${toString settings.server.HTTP_PORT}"; }; services.gitea = { enable = true; @@ -449,6 +446,13 @@ in { https = true; }; + services.pleroma = { + enable = true; + secretConfigFile = "/var/lib/pleroma/secrets.exs"; + configs = [ '' + import Config + '' ]; + }; systemd.services.pleroma.path = [ pkgs.exiftool pkgs.gawk ]; services.nginx.virtualHosts."pleroma.${cfg.domainName}" = { enableACME = true; diff --git a/system/hosts/nixserver/fdroid.nix b/system/hosts/nixserver/fdroid.nix index 84e6307..dbb89d9 100644 --- a/system/hosts/nixserver/fdroid.nix +++ b/system/hosts/nixserver/fdroid.nix @@ -1,12 +1,9 @@ { config , pkgs -, lib , ... }: let cfg = config.server; - quotePotentialIpV6 = addr: - if lib.hasInfix ":" addr then "[${addr}]" else addr; in { services.nginx.virtualHosts."${cfg.domainName}" = { locations."/fdroid/".alias = "/var/lib/fdroid/repo/"; 
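Review bot: The new `services.pleroma` block ships an empty configuration — `configs` holds only `import Config` — so every setting, including non-secret ones such as the endpoint host that has to match the `pleroma.${cfg.domainName}` vhost below, must live in the unmanaged `/var/lib/pleroma/secrets.exs`. Keeping the non-secret part declarative (endpoint url/host, instance name, upload and database settings) and leaving only credentials in `secretConfigFile` makes the host rebuildable from the repo; at minimum a comment like `# all runtime config, not only secrets, currently lives in secretConfigFile` should flag the gap. `secretConfigFile` is read from `/var/lib/pleroma`; if that path is not on the persisted list of the impermanence setup referenced in `flake.nix`, the file is gone after a reboot — worth confirming. The enclosing attrset starts and ends outside the hunk.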
diff --git a/system/hosts/nixserver/matrix.nix b/system/hosts/nixserver/matrix.nix index 7633896..697b604 100644 --- a/system/hosts/nixserver/matrix.nix +++ b/system/hosts/nixserver/matrix.nix @@ -1,12 +1,9 @@ { config -, pkgs , lib , ... }: let cfg = config.server; - quotePotentialIpV6 = addr: - if lib.hasInfix ":" addr then "[${addr}]" else addr; matrixServerJson = { "m.server" = "matrix.${cfg.domainName}:443"; }; @@ -42,7 +39,7 @@ in { locations = { "= /.well-known/matrix/server".extraConfig = matrixServerConfigResponse; "= /.well-known/matrix/client".extraConfig = matrixClientConfigResponse; - "/".proxyPass = "http://${quotePotentialIpV6 matrixAddr}:${toString matrixPort}"; + "/".proxyPass = "http://${lib.quotePotentialIpV6 matrixAddr}:${toString matrixPort}"; }; }; @@ -50,7 +47,7 @@ in { systemd.services.heisenbridge.after = [ "matrix-synapse.service" ]; services.heisenbridge = { enable = true; - homeserver = "http://${quotePotentialIpV6 matrixAddr}:${toString matrixPort}/"; + homeserver = "http://${lib.quotePotentialIpV6 matrixAddr}:${toString matrixPort}/"; }; # so synapse can read the registration users.groups.heisenbridge.members = [ "matrix-synapse" ]; @@ -92,31 +89,4 @@ in { }]; }; }; - - # maubot - users.users.maubot = { - home = "/var/lib/maubot"; - group = "maubot"; - isSystemUser = true; - }; - users.groups.maubot = { }; - systemd.services.maubot = { - description = "Maubot"; - wants = [ "matrix-synapse.service" "nginx.service" ]; - after = [ "matrix-synapse.service" "nginx.service" ]; - wantedBy = [ "multi-user.target" ]; - environment = { - LD_LIBRARY_PATH = "${pkgs.stdenv.cc.cc.lib}/lib"; - }; - serviceConfig = { - User = "maubot"; - Group = "maubot"; - WorkingDirectory = "/var/lib/maubot/data"; - }; - script = "${pkgs.python3.withPackages (pks: with pks; [ - pkgs.maubot (pkgs.pineapplebot.override { - magic = cfg.pizzabotMagic; - }) feedparser levenshtein python-dateutil pytz - ])}/bin/python3 -m maubot"; - }; } 
diff --git a/system/hosts/nixserver/maubot.nix b/system/hosts/nixserver/maubot.nix index d945969..1a141f6 100644 --- a/system/hosts/nixserver/maubot.nix +++ b/system/hosts/nixserver/maubot.nix @@ -5,15 +5,13 @@ let cfg = config.server; - quotePotentialIpV6 = addr: - if lib.hasInfix ":" addr then "[${addr}]" else addr; # i've yet to create a maubot module so this is hardcoded maubotAddr = "127.0.0.1"; maubotPort = 29316; in { services.nginx.virtualHosts."matrix.${cfg.domainName}".locations = { "/_matrix/maubot/" = { - proxyPass = "http://${quotePotentialIpV6 maubotAddr}:${toString maubotPort}"; + proxyPass = "http://${lib.quotePotentialIpV6 maubotAddr}:${toString maubotPort}"; proxyWebsockets = true; }; }; diff --git a/system/hosts/nixserver/mumble.nix b/system/hosts/nixserver/mumble.nix index ba43fad..bc6b45b 100644 --- a/system/hosts/nixserver/mumble.nix +++ b/system/hosts/nixserver/mumble.nix @@ -4,8 +4,6 @@ let cfg = config.server; - quotePotentialIpV6 = addr: - if lib.hasInfix ":" addr then "[${addr}]" else addr; in { services.murmur = { enable = true; @@ -35,7 +33,7 @@ in { forceSSL = true; globalRedirect = cfg.domainName; locations."/music".extraConfig = "return 301 https://mumble.${cfg.domainName}/music/;"; - locations."/music/".proxyPass = "http://${quotePotentialIpV6 settings.webinterface.listening_addr}:${toString settings.webinterface.listening_port}/"; + locations."/music/".proxyPass = "http://${lib.quotePotentialIpV6 settings.webinterface.listening_addr}:${toString settings.webinterface.listening_port}/"; }; services.botamusique = { diff --git a/system/pkgs/default.nix b/system/pkgs/default.nix index cda8b20..5d65d2d 100644 --- a/system/pkgs/default.nix +++ b/system/pkgs/default.nix 
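Review bot: `proxyPass` in the `/_matrix/maubot/` location still targets the hard-coded `127.0.0.1:29316`, but this commit deletes the `systemd.services.maubot` unit and the `maubot` user/group from `matrix.nix` without adding them here, so unless another file now defines the service, nginx forwards to a closed port and the bot is down after the rebuild. If the unit was meant to move, it belongs next to `maubotAddr`/`maubotPort` so the proxied address and the bind configuration stay together; if the bot is being retired, the location block should go with it. The comment `# i've yet to create a maubot module so this is hardcoded` should then also say where the service is defined. The `let … in {` block's closing brace is outside the hunk.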
@@ -1,5 +1,20 @@ -{ pkgs, ... }: let inherit (pkgs) callPackage; in { +{ pkgs +, lib +, ... }: + +let + inherit (pkgs) callPackage; +in { system76-scheduler = callPackage ./system76-scheduler.nix { }; maubot = callPackage ./maubot.nix { }; pineapplebot = callPackage ./pineapplebot.nix { }; + inherit lib; } +/* +// (lib.optionalAttrs (pkgs.system == "...") { + fdroidserver = pkgs.fdroidserver.overridePythonAttrs (oldAttrs: { + # remove apksigner, since official Android SDK is unavailable on arm64 + makeWrapperArgs = [ ]; + }); +}) +*/
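Review bot: Adding `inherit lib;` to the overlay's result replaces `pkgs.lib` for the whole package set, since attributes returned by an overlay override the fixpoint, so every package that receives `lib` via `callPackage` appears to get the `nixpkgs.lib // { … }` value handed in by the `import ./pkgs { pkgs = super; inherit lib; }` call in `flake.nix` — harmless while that value stays a strict superset of `nixpkgs.lib`, but a divergent `lib` or a host pinned to another nixpkgs would silently change unrelated packages. A comment stating the intent belongs on that line: `# also exposes the extended lib as pkgs.lib; must remain a superset of nixpkgs.lib`. The new `lib` argument has no default, so importing the overlay from anywhere other than that `flake.nix` call now fails; `, lib ? pkgs.lib` keeps older call sites working. The commented-out `optionalAttrs` block with the `"..."` system placeholder is dead code and should be finished or dropped before it rots.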