small cleanup

README.md

@@ -4,7 +4,7 @@ To install, put `system` to `/etc/nixos`, put `home` to
 `~/.config/home-manager` (and `overlays.nix` to `~/.config/nixpkgs`)
 
 The reason they are separate is because I want to be able to iterate
-home config quickly, and `nixos-rebuild`'ing the entire sytem for every
+home config quickly, and `nixos-rebuild`'ing the entire system for every
 little change is pretty annoying (not to mention the necessity of
 `sudo`). I'll probably merge them later, especially after
 [Tvix](https://tvl.fyi/blog/rewriting-nix) becomes feature-complete.

system/flake.nix

@@ -26,20 +26,32 @@
   let
     hw = nixos-hardware.nixosModules;
     # IRL-related stuff I'd rather not put into git
-    priv = if builtins.pathExists ./private/default.nix then (import ./private)
-           else if builtins.pathExists ./private.nix then (import ./private.nix)
+    priv =
+      if builtins.pathExists ./private.nix then (import ./private.nix)
+      else if builtins.pathExists ./private/default.nix then (import ./private)
       else { };
     getPriv = hostname: with builtins; if hasAttr hostname priv then getAttr hostname priv else { };
-    common = hostname: [ (getPriv hostname) impermanence.nixosModule ];
+    common = hostname: [ (getPriv hostname) ];
     extraArgs = {
       inherit nixpkgs;
     };
+    lib = nixpkgs.lib // {
+      quotePotentialIpV6 = addr:
+        if nixpkgs.lib.hasInfix ":" addr then "[${addr}]" else addr;
+    };
+    specialArgs = {
+      inherit lib;
+    };
+    mkHost = args @ { system ? "x86_64-linux", modules, ... }: {
+      inherit system extraArgs specialArgs;
+    } // args;
   in utils.lib.mkFlake {
     inherit self inputs;
     hostDefaults.modules = [
       ./modules/vfio.nix
       ./modules/ccache.nix
       ./modules/impermanence.nix
+      impermanence.nixosModule 
       {
         # make this flake's nixpkgs available to the whole system
         nix = {
@@ -47,12 +59,11 @@
           generateRegistryFromInputs = true;
           linkInputs = true;
         };
-        nixpkgs.overlays = [ (self: super: import ./pkgs { pkgs = super; }) ];
+        nixpkgs.overlays = [ (self: super: import ./pkgs { pkgs = super; inherit lib; }) ];
       }
     ];
     hosts = {
-      nixmsi = {
-        system = "x86_64-linux";
+      nixmsi = mkHost {
         modules = [
           ./hosts/nixmsi.nix
           nix-gaming.nixosModules.pipewireLowLatency
@@ -62,17 +73,14 @@
           hw.common-gpu-amd # configures drivers
           hw.common-pc-laptop # enables tlp
         ] ++ common "nixmsi";
-        inherit extraArgs;
       };
-      nixserver = {
-        system = "x86_64-linux";
+      nixserver = mkHost {
         modules = [
           ./hosts/nixserver
           nixos-mailserver.nixosModules.default
           hw.common-pc-hdd
           hw.common-cpu-intel
         ] ++ common "nixserver";
-        inherit extraArgs;
       };
     };
   };

system/hosts/nixserver/default.nix

@@ -5,9 +5,6 @@
 
 let
   cfg = config.server;
-  # TODO: move to lib
-  quotePotentialIpV6 = addr:
-    if lib.hasInfix ":" addr then "[${addr}]" else addr;
 
   efiPart = "/dev/disk/by-uuid/3E2A-A5CB";
   rootUuid = "6aace237-9b48-4294-8e96-196759a5305b";
@@ -221,7 +218,7 @@ in {
   # SSH
   services.openssh = {
     enable = true;
-    settings.PermitRootLogin = "no";
+    # settings.PermitRootLogin = "no";
     settings.PasswordAuthentication = false;
     listenAddresses = [{
       addr = "0.0.0.0";
@@ -243,7 +240,7 @@ in {
   });
   services.searx.runInUwsgi = true;
   services.searx.uwsgiConfig = let inherit (config.services.searx) settings; in {
-    socket = "${quotePotentialIpV6 settings.server.bind_address}:${toString settings.server.port}";
+    socket = "${lib.quotePotentialIpV6 settings.server.bind_address}:${toString settings.server.port}";
   };
   users.groups.searx.members = [ "nginx" ];
   services.searx.environmentFile = "/etc/nixos/private/searx.env";
@@ -284,9 +281,9 @@ in {
   services.nginx.virtualHosts."search.${cfg.domainName}" = let inherit (config.services.searx) settings; in {
     enableACME = true;
     forceSSL = true;
-    # locations."/".proxyPass = "http://${quotePotentialIpV6 settings.server.bind_address}:${toString settings.server.port}";
+    # locations."/".proxyPass = "http://${lib.quotePotentialIpV6 settings.server.bind_address}:${toString settings.server.port}";
     locations."/".extraConfig = ''
-      uwsgi_pass "${quotePotentialIpV6 settings.server.bind_address}:${toString settings.server.port}";
+      uwsgi_pass "${lib.quotePotentialIpV6 settings.server.bind_address}:${toString settings.server.port}";
       include ${config.services.nginx.package}/conf/uwsgi_params;
     '';
   };
@@ -389,7 +386,7 @@ in {
   services.nginx.virtualHosts."git.${cfg.domainName}" = let inherit (config.services.gitea) settings; in {
     enableACME = true;
     forceSSL = true;
-    locations."/".proxyPass = "http://${quotePotentialIpV6 settings.server.HTTP_ADDR}:${toString settings.server.HTTP_PORT}";
+    locations."/".proxyPass = "http://${lib.quotePotentialIpV6 settings.server.HTTP_ADDR}:${toString settings.server.HTTP_PORT}";
   };
   services.gitea = {
     enable = true;
@@ -449,6 +446,13 @@ in {
     https = true;
   };
 
+  services.pleroma = {
+    enable = true;
+    secretConfigFile = "/var/lib/pleroma/secrets.exs";
+    configs = [ ''
+      import Config
+    '' ];
+  };
   systemd.services.pleroma.path = [ pkgs.exiftool pkgs.gawk ];
   services.nginx.virtualHosts."pleroma.${cfg.domainName}" = {
     enableACME = true;

system/hosts/nixserver/fdroid.nix

@@ -1,12 +1,9 @@
 { config
 , pkgs
-, lib
 , ... }:
 
 let
   cfg = config.server;
-  quotePotentialIpV6 = addr:
-    if lib.hasInfix ":" addr then "[${addr}]" else addr;
 in {
   services.nginx.virtualHosts."${cfg.domainName}" = {
     locations."/fdroid/".alias = "/var/lib/fdroid/repo/";

system/hosts/nixserver/matrix.nix

@@ -1,12 +1,9 @@
 { config
-, pkgs
 , lib
 , ... }:
 
 let
   cfg = config.server;
-  quotePotentialIpV6 = addr:
-    if lib.hasInfix ":" addr then "[${addr}]" else addr;
   matrixServerJson = {
     "m.server" = "matrix.${cfg.domainName}:443";
   };
@@ -42,7 +39,7 @@ in {
     locations = {
       "= /.well-known/matrix/server".extraConfig = matrixServerConfigResponse;
       "= /.well-known/matrix/client".extraConfig = matrixClientConfigResponse;
-      "/".proxyPass = "http://${quotePotentialIpV6 matrixAddr}:${toString matrixPort}";
+      "/".proxyPass = "http://${lib.quotePotentialIpV6 matrixAddr}:${toString matrixPort}";
     };
   };
 
@@ -50,7 +47,7 @@ in {
   systemd.services.heisenbridge.after = [ "matrix-synapse.service" ];
   services.heisenbridge = {
     enable = true;
-    homeserver = "http://${quotePotentialIpV6 matrixAddr}:${toString matrixPort}/";
+    homeserver = "http://${lib.quotePotentialIpV6 matrixAddr}:${toString matrixPort}/";
   };
   # so synapse can read the registration
   users.groups.heisenbridge.members = [ "matrix-synapse" ];
@@ -92,31 +89,4 @@ in {
       }];
     };
   };
-
-  # maubot
-  users.users.maubot = {
-    home = "/var/lib/maubot";
-    group = "maubot";
-    isSystemUser = true;
-  };
-  users.groups.maubot = { };
-  systemd.services.maubot = {
-    description = "Maubot";
-    wants = [ "matrix-synapse.service" "nginx.service" ];
-    after = [ "matrix-synapse.service" "nginx.service" ];
-    wantedBy = [ "multi-user.target" ];
-    environment = {
-      LD_LIBRARY_PATH = "${pkgs.stdenv.cc.cc.lib}/lib";
-    };
-    serviceConfig = {
-      User = "maubot";
-      Group = "maubot";
-      WorkingDirectory = "/var/lib/maubot/data";
-    };
-    script = "${pkgs.python3.withPackages (pks: with pks; [
-      pkgs.maubot (pkgs.pineapplebot.override {
-        magic = cfg.pizzabotMagic;
-      }) feedparser levenshtein python-dateutil pytz
-    ])}/bin/python3 -m maubot";
-  };
 }

system/hosts/nixserver/maubot.nix

@@ -5,15 +5,13 @@
 
 let
   cfg = config.server;
-  quotePotentialIpV6 = addr:
-    if lib.hasInfix ":" addr then "[${addr}]" else addr;
   # i've yet to create a maubot module so this is hardcoded
   maubotAddr = "127.0.0.1";
   maubotPort = 29316;
 in {
   services.nginx.virtualHosts."matrix.${cfg.domainName}".locations = {
     "/_matrix/maubot/" = {
-      proxyPass = "http://${quotePotentialIpV6 maubotAddr}:${toString maubotPort}";
+      proxyPass = "http://${lib.quotePotentialIpV6 maubotAddr}:${toString maubotPort}";
       proxyWebsockets = true;
     };
   };

system/hosts/nixserver/mumble.nix

@@ -4,8 +4,6 @@
 
 let
   cfg = config.server;
-  quotePotentialIpV6 = addr:
-    if lib.hasInfix ":" addr then "[${addr}]" else addr;
 in {
   services.murmur = {
     enable = true;
@@ -35,7 +33,7 @@ in {
     forceSSL = true;
     globalRedirect = cfg.domainName;
     locations."/music".extraConfig = "return 301 https://mumble.${cfg.domainName}/music/;";
-    locations."/music/".proxyPass = "http://${quotePotentialIpV6 settings.webinterface.listening_addr}:${toString settings.webinterface.listening_port}/";
+    locations."/music/".proxyPass = "http://${lib.quotePotentialIpV6 settings.webinterface.listening_addr}:${toString settings.webinterface.listening_port}/";
   };
 
   services.botamusique = {

system/pkgs/default.nix

@@ -1,5 +1,20 @@
-{ pkgs, ... }: let inherit (pkgs) callPackage; in {
+{ pkgs
+, lib
+, ... }:
+
+let
+  inherit (pkgs) callPackage;
+in {
   system76-scheduler = callPackage ./system76-scheduler.nix { };
   maubot = callPackage ./maubot.nix { };
   pineapplebot = callPackage ./pineapplebot.nix { };
+  inherit lib;
 }
+/*
+// (lib.optionalAttrs (pkgs.system == "...") {
+  fdroidserver = pkgs.fdroidserver.overridePythonAttrs (oldAttrs: {
+    # remove apksigner, since official Android SDK is unavailable on arm64
+    makeWrapperArgs = [ ];
+  });
+})
+*/