small cleanup

This commit is contained in:
chayleaf 2023-05-11 17:28:47 +07:00
parent 33b4fe95c2
commit d5f9e87bc9
8 changed files with 52 additions and 62 deletions

View file

@ -4,7 +4,7 @@ To install, put `system` to `/etc/nixos`, put `home` to
`~/.config/home-manager` (and `overlays.nix` to `~/.config/nixpkgs`) `~/.config/home-manager` (and `overlays.nix` to `~/.config/nixpkgs`)
The reason they are separate is because I want to be able to iterate The reason they are separate is because I want to be able to iterate
home config quickly, and `nixos-rebuild`'ing the entire sytem for every home config quickly, and `nixos-rebuild`'ing the entire system for every
little change is pretty annoying (not to mention the necessity of little change is pretty annoying (not to mention the necessity of
`sudo`). I'll probably merge them later, especially after `sudo`). I'll probably merge them later, especially after
[Tvix](https://tvl.fyi/blog/rewriting-nix) becomes feature-complete. [Tvix](https://tvl.fyi/blog/rewriting-nix) becomes feature-complete.

View file

@ -26,20 +26,32 @@
let let
hw = nixos-hardware.nixosModules; hw = nixos-hardware.nixosModules;
# IRL-related stuff I'd rather not put into git # IRL-related stuff I'd rather not put into git
priv = if builtins.pathExists ./private/default.nix then (import ./private) priv =
else if builtins.pathExists ./private.nix then (import ./private.nix) if builtins.pathExists ./private.nix then (import ./private.nix)
else { }; else if builtins.pathExists ./private/default.nix then (import ./private)
else { };
getPriv = hostname: with builtins; if hasAttr hostname priv then getAttr hostname priv else { }; getPriv = hostname: with builtins; if hasAttr hostname priv then getAttr hostname priv else { };
common = hostname: [ (getPriv hostname) impermanence.nixosModule ]; common = hostname: [ (getPriv hostname) ];
extraArgs = { extraArgs = {
inherit nixpkgs; inherit nixpkgs;
}; };
lib = nixpkgs.lib // {
quotePotentialIpV6 = addr:
if nixpkgs.lib.hasInfix ":" addr then "[${addr}]" else addr;
};
specialArgs = {
inherit lib;
};
mkHost = args @ { system ? "x86_64-linux", modules, ... }: {
inherit system extraArgs specialArgs;
} // args;
in utils.lib.mkFlake { in utils.lib.mkFlake {
inherit self inputs; inherit self inputs;
hostDefaults.modules = [ hostDefaults.modules = [
./modules/vfio.nix ./modules/vfio.nix
./modules/ccache.nix ./modules/ccache.nix
./modules/impermanence.nix ./modules/impermanence.nix
impermanence.nixosModule
{ {
# make this flake's nixpkgs available to the whole system # make this flake's nixpkgs available to the whole system
nix = { nix = {
@ -47,12 +59,11 @@
generateRegistryFromInputs = true; generateRegistryFromInputs = true;
linkInputs = true; linkInputs = true;
}; };
nixpkgs.overlays = [ (self: super: import ./pkgs { pkgs = super; }) ]; nixpkgs.overlays = [ (self: super: import ./pkgs { pkgs = super; inherit lib; }) ];
} }
]; ];
hosts = { hosts = {
nixmsi = { nixmsi = mkHost {
system = "x86_64-linux";
modules = [ modules = [
./hosts/nixmsi.nix ./hosts/nixmsi.nix
nix-gaming.nixosModules.pipewireLowLatency nix-gaming.nixosModules.pipewireLowLatency
@ -62,17 +73,14 @@
hw.common-gpu-amd # configures drivers hw.common-gpu-amd # configures drivers
hw.common-pc-laptop # enables tlp hw.common-pc-laptop # enables tlp
] ++ common "nixmsi"; ] ++ common "nixmsi";
inherit extraArgs;
}; };
nixserver = { nixserver = mkHost {
system = "x86_64-linux";
modules = [ modules = [
./hosts/nixserver ./hosts/nixserver
nixos-mailserver.nixosModules.default nixos-mailserver.nixosModules.default
hw.common-pc-hdd hw.common-pc-hdd
hw.common-cpu-intel hw.common-cpu-intel
] ++ common "nixserver"; ] ++ common "nixserver";
inherit extraArgs;
}; };
}; };
}; };

View file

@ -5,9 +5,6 @@
let let
cfg = config.server; cfg = config.server;
# TODO: move to lib
quotePotentialIpV6 = addr:
if lib.hasInfix ":" addr then "[${addr}]" else addr;
efiPart = "/dev/disk/by-uuid/3E2A-A5CB"; efiPart = "/dev/disk/by-uuid/3E2A-A5CB";
rootUuid = "6aace237-9b48-4294-8e96-196759a5305b"; rootUuid = "6aace237-9b48-4294-8e96-196759a5305b";
@ -221,7 +218,7 @@ in {
# SSH # SSH
services.openssh = { services.openssh = {
enable = true; enable = true;
settings.PermitRootLogin = "no"; # settings.PermitRootLogin = "no";
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;
listenAddresses = [{ listenAddresses = [{
addr = "0.0.0.0"; addr = "0.0.0.0";
@ -243,7 +240,7 @@ in {
}); });
services.searx.runInUwsgi = true; services.searx.runInUwsgi = true;
services.searx.uwsgiConfig = let inherit (config.services.searx) settings; in { services.searx.uwsgiConfig = let inherit (config.services.searx) settings; in {
socket = "${quotePotentialIpV6 settings.server.bind_address}:${toString settings.server.port}"; socket = "${lib.quotePotentialIpV6 settings.server.bind_address}:${toString settings.server.port}";
}; };
users.groups.searx.members = [ "nginx" ]; users.groups.searx.members = [ "nginx" ];
services.searx.environmentFile = "/etc/nixos/private/searx.env"; services.searx.environmentFile = "/etc/nixos/private/searx.env";
@ -284,9 +281,9 @@ in {
services.nginx.virtualHosts."search.${cfg.domainName}" = let inherit (config.services.searx) settings; in { services.nginx.virtualHosts."search.${cfg.domainName}" = let inherit (config.services.searx) settings; in {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
# locations."/".proxyPass = "http://${quotePotentialIpV6 settings.server.bind_address}:${toString settings.server.port}"; # locations."/".proxyPass = "http://${lib.quotePotentialIpV6 settings.server.bind_address}:${toString settings.server.port}";
locations."/".extraConfig = '' locations."/".extraConfig = ''
uwsgi_pass "${quotePotentialIpV6 settings.server.bind_address}:${toString settings.server.port}"; uwsgi_pass "${lib.quotePotentialIpV6 settings.server.bind_address}:${toString settings.server.port}";
include ${config.services.nginx.package}/conf/uwsgi_params; include ${config.services.nginx.package}/conf/uwsgi_params;
''; '';
}; };
@ -389,7 +386,7 @@ in {
services.nginx.virtualHosts."git.${cfg.domainName}" = let inherit (config.services.gitea) settings; in { services.nginx.virtualHosts."git.${cfg.domainName}" = let inherit (config.services.gitea) settings; in {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/".proxyPass = "http://${quotePotentialIpV6 settings.server.HTTP_ADDR}:${toString settings.server.HTTP_PORT}"; locations."/".proxyPass = "http://${lib.quotePotentialIpV6 settings.server.HTTP_ADDR}:${toString settings.server.HTTP_PORT}";
}; };
services.gitea = { services.gitea = {
enable = true; enable = true;
@ -449,6 +446,13 @@ in {
https = true; https = true;
}; };
services.pleroma = {
enable = true;
secretConfigFile = "/var/lib/pleroma/secrets.exs";
configs = [ ''
import Config
'' ];
};
systemd.services.pleroma.path = [ pkgs.exiftool pkgs.gawk ]; systemd.services.pleroma.path = [ pkgs.exiftool pkgs.gawk ];
services.nginx.virtualHosts."pleroma.${cfg.domainName}" = { services.nginx.virtualHosts."pleroma.${cfg.domainName}" = {
enableACME = true; enableACME = true;

View file

@ -1,12 +1,9 @@
{ config { config
, pkgs , pkgs
, lib
, ... }: , ... }:
let let
cfg = config.server; cfg = config.server;
quotePotentialIpV6 = addr:
if lib.hasInfix ":" addr then "[${addr}]" else addr;
in { in {
services.nginx.virtualHosts."${cfg.domainName}" = { services.nginx.virtualHosts."${cfg.domainName}" = {
locations."/fdroid/".alias = "/var/lib/fdroid/repo/"; locations."/fdroid/".alias = "/var/lib/fdroid/repo/";

View file

@ -1,12 +1,9 @@
{ config { config
, pkgs
, lib , lib
, ... }: , ... }:
let let
cfg = config.server; cfg = config.server;
quotePotentialIpV6 = addr:
if lib.hasInfix ":" addr then "[${addr}]" else addr;
matrixServerJson = { matrixServerJson = {
"m.server" = "matrix.${cfg.domainName}:443"; "m.server" = "matrix.${cfg.domainName}:443";
}; };
@ -42,7 +39,7 @@ in {
locations = { locations = {
"= /.well-known/matrix/server".extraConfig = matrixServerConfigResponse; "= /.well-known/matrix/server".extraConfig = matrixServerConfigResponse;
"= /.well-known/matrix/client".extraConfig = matrixClientConfigResponse; "= /.well-known/matrix/client".extraConfig = matrixClientConfigResponse;
"/".proxyPass = "http://${quotePotentialIpV6 matrixAddr}:${toString matrixPort}"; "/".proxyPass = "http://${lib.quotePotentialIpV6 matrixAddr}:${toString matrixPort}";
}; };
}; };
@ -50,7 +47,7 @@ in {
systemd.services.heisenbridge.after = [ "matrix-synapse.service" ]; systemd.services.heisenbridge.after = [ "matrix-synapse.service" ];
services.heisenbridge = { services.heisenbridge = {
enable = true; enable = true;
homeserver = "http://${quotePotentialIpV6 matrixAddr}:${toString matrixPort}/"; homeserver = "http://${lib.quotePotentialIpV6 matrixAddr}:${toString matrixPort}/";
}; };
# so synapse can read the registration # so synapse can read the registration
users.groups.heisenbridge.members = [ "matrix-synapse" ]; users.groups.heisenbridge.members = [ "matrix-synapse" ];
@ -92,31 +89,4 @@ in {
}]; }];
}; };
}; };
# maubot
users.users.maubot = {
home = "/var/lib/maubot";
group = "maubot";
isSystemUser = true;
};
users.groups.maubot = { };
systemd.services.maubot = {
description = "Maubot";
wants = [ "matrix-synapse.service" "nginx.service" ];
after = [ "matrix-synapse.service" "nginx.service" ];
wantedBy = [ "multi-user.target" ];
environment = {
LD_LIBRARY_PATH = "${pkgs.stdenv.cc.cc.lib}/lib";
};
serviceConfig = {
User = "maubot";
Group = "maubot";
WorkingDirectory = "/var/lib/maubot/data";
};
script = "${pkgs.python3.withPackages (pks: with pks; [
pkgs.maubot (pkgs.pineapplebot.override {
magic = cfg.pizzabotMagic;
}) feedparser levenshtein python-dateutil pytz
])}/bin/python3 -m maubot";
};
} }

View file

@ -5,15 +5,13 @@
let let
cfg = config.server; cfg = config.server;
quotePotentialIpV6 = addr:
if lib.hasInfix ":" addr then "[${addr}]" else addr;
# i've yet to create a maubot module so this is hardcoded # i've yet to create a maubot module so this is hardcoded
maubotAddr = "127.0.0.1"; maubotAddr = "127.0.0.1";
maubotPort = 29316; maubotPort = 29316;
in { in {
services.nginx.virtualHosts."matrix.${cfg.domainName}".locations = { services.nginx.virtualHosts."matrix.${cfg.domainName}".locations = {
"/_matrix/maubot/" = { "/_matrix/maubot/" = {
proxyPass = "http://${quotePotentialIpV6 maubotAddr}:${toString maubotPort}"; proxyPass = "http://${lib.quotePotentialIpV6 maubotAddr}:${toString maubotPort}";
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };

View file

@ -4,8 +4,6 @@
let let
cfg = config.server; cfg = config.server;
quotePotentialIpV6 = addr:
if lib.hasInfix ":" addr then "[${addr}]" else addr;
in { in {
services.murmur = { services.murmur = {
enable = true; enable = true;
@ -35,7 +33,7 @@ in {
forceSSL = true; forceSSL = true;
globalRedirect = cfg.domainName; globalRedirect = cfg.domainName;
locations."/music".extraConfig = "return 301 https://mumble.${cfg.domainName}/music/;"; locations."/music".extraConfig = "return 301 https://mumble.${cfg.domainName}/music/;";
locations."/music/".proxyPass = "http://${quotePotentialIpV6 settings.webinterface.listening_addr}:${toString settings.webinterface.listening_port}/"; locations."/music/".proxyPass = "http://${lib.quotePotentialIpV6 settings.webinterface.listening_addr}:${toString settings.webinterface.listening_port}/";
}; };
services.botamusique = { services.botamusique = {

View file

@ -1,5 +1,20 @@
{ pkgs, ... }: let inherit (pkgs) callPackage; in { { pkgs
, lib
, ... }:
let
inherit (pkgs) callPackage;
in {
system76-scheduler = callPackage ./system76-scheduler.nix { }; system76-scheduler = callPackage ./system76-scheduler.nix { };
maubot = callPackage ./maubot.nix { }; maubot = callPackage ./maubot.nix { };
pineapplebot = callPackage ./pineapplebot.nix { }; pineapplebot = callPackage ./pineapplebot.nix { };
inherit lib;
} }
/*
// (lib.optionalAttrs (pkgs.system == "...") {
fdroidserver = pkgs.fdroidserver.overridePythonAttrs (oldAttrs: {
# remove apksigner, since official Android SDK is unavailable on arm64
makeWrapperArgs = [ ];
});
})
*/