diff --git a/flake.nix b/flake.nix
index 7e84d2d..9645a1b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -104,6 +104,17 @@
 cudaSupport = true;
 };
 };
+ kylekrein-server-pkgs = nixpkgs: import nixpkgs {
+ system = x86;
+ overlays = [
+ #nativePackagesOverlay
+ #ladybirdMaster
+ ];
+ config = {
+ allowBroken = true;
+ allowUnfree = true;
+ };
+ };
 kylekrein-mac-pkgs = nixpkgs: import nixpkgs {
 system = arm;
 overlays = [
@@ -200,6 +211,25 @@
 ./nixos/configuration.nix
 ];
 };
+ "kylekrein-server" = nixpkgs.lib.nixosSystem {
+ specialArgs = {
+ hwconfig = {
+ hostname = "kylekrein-server";
+ isLaptop = false;
+ system = x86;
+ useImpermanence = false;
+ };
+ inherit first-nixos-install;
+ inherit inputs;
+ unstable-pkgs = kylekrein-server-pkgs nixpkgs-unstable;
+ };
+
+ system = x86;
+ pkgs = kylekrein-server-pkgs nixpkgs;
+ modules = [
+ ./nixos/hosts/kylekrein-server
+ ];
+ };
 "kylekrein-wsl" = nixpkgs.lib.nixosSystem {
 specialArgs = {
 hwconfig = {
diff --git a/nixos/hardware/nvidia/default.nix b/nixos/hardware/nvidia/default.nix
index f5d1d33..5333ae0 100644
--- a/nixos/hardware/nvidia/default.nix
+++ b/nixos/hardware/nvidia/default.nix
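Review bot: `allowBroken = true` in the new `kylekrein-server-pkgs` set lets packages that nixpkgs has marked `meta.broken` — often because upstream is unmaintained or the build is known-bad — evaluate and build silently on the one host in this flake that is internet-facing, and the same set is also handed to `unstable-pkgs` in the second hunk. Nothing in the hunk needs it (both overlays are commented out), so dropping the line and re-adding it per package only when a build actually fails keeps the flag from masking a future `broken` marking; `allowUnfree` is a licensing choice and can stay.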
@@ -36,18 +36,18 @@ nvidiaSettings = true; # Optionally, you may need to select the appropriate driver version for your specific GPU. - package = config.boot.kernelPackages.nvidiaPackages.latest; + #package = config.boot.kernelPackages.nvidiaPackages.latest; }; logitech.wireless.enable = true; }; services.xserver.videoDrivers = [ "nvidia" ]; - #hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.mkDriver { #fixes https://github.com/NixOS/nixpkgs/issues/375730 temporary - # version = "570.86.16"; # use new 570 drivers - # sha256_64bit = "sha256-RWPqS7ZUJH9JEAWlfHLGdqrNlavhaR1xMyzs8lJhy9U="; - # openSha256 = "sha256-DuVNA63+pJ8IB7Tw2gM4HbwlOh1bcDg2AN2mbEU9VPE="; - # settingsSha256 = "sha256-9rtqh64TyhDF5fFAYiWl3oDHzKJqyOW3abpcf2iNRT8="; - # usePersistenced = false; - # }; + hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.mkDriver { #fixes https://github.com/NixOS/nixpkgs/issues/375730 temporary + version = "570.133.07"; # use new 570 drivers + sha256_64bit = "sha256-LUPmTFgb5e9VTemIixqpADfvbUX1QoTT2dztwI3E3CY="; + openSha256 = "sha256-9l8N83Spj0MccA8+8R1uqiXBS0Ag4JrLPjrU3TaXHnM="; + settingsSha256 = "sha256-ZpuVZybW6CFN/gz9rx+UJvQ715FZnAOYfHn5jt5Z2C8="; + usePersistenced = false; + }; } diff --git a/nixos/hosts/kylekrein-homepc/default.nix b/nixos/hosts/kylekrein-homepc/default.nix index 236de9d..fc7de8f 100644 --- a/nixos/hosts/kylekrein-homepc/default.nix +++ b/nixos/hosts/kylekrein-homepc/default.nix @@ -1,4 +1,6 @@ { + options, + config, pkgs, lib, hwconfig, @@ -6,6 +8,7 @@ ... }: { imports = [ + "${inputs.nixpkgs-unstable}/nixos/modules/services/matrix/conduwuit.nix" ../../hardware/nvidia ../../modules/hyprland @@ -21,7 +24,8 @@ ../../users/tania ]; - +options.services.conduwuit.settings.global.database_path = lib.mkOption { apply = old: "/persist/conduwuit/";}; +config = { sops.secrets."ssh_keys/${hwconfig.hostname}" = {}; environment.systemPackages = with pkgs; [ blender 
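Review bot: `options.services.conduwuit.settings.global.database_path = lib.mkOption { apply = old: "/persist/conduwuit/"; }` declares a new option underneath `services.conduwuit.settings`, which the conduwuit module imported in the hunk above already declares as a single option; I would expect the module system to reject that as a prefix-of-options conflict, and even if it evaluates, `apply` discards whatever value anyone assigns and pins a trailing-slash path. The intended effect is a plain assignment inside the `config` block this hunk opens: `services.conduwuit.settings.global.database_path = "/persist/conduwuit";`. Importing the module file straight from `inputs.nixpkgs-unstable` into a system evaluated against stable `nixpkgs` also means its defaults (notably `package`) resolve against the stable `pkgs`, which may not carry conduwuit at all — setting `services.conduwuit.package` from the `unstable-pkgs` that the flake passes in would make that explicit. The `config = {` attrset opened here closes in a later hunk.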
@@ -34,6 +38,7 @@
 };
 services.zerotierone = {
 enable = true;
+ port = 9994;
 joinNetworks = [
 "A84AC5C10AD269CA"
 "db64858fed285e0f"
@@ -42,7 +47,7 @@
 #LLMs
 services.ollama = {
 enable = true;
- loadModels = [ "deepseek-r1:32b" "deepseek-r1:8b" "qwq" "gemma3:27b"];
+ loadModels = [ "deepseek-r1:32b" "qwq" "gemma3:27b"];
 acceleration = "cuda";
 home = "/persist/ollama";
 user = "ollama";
@@ -67,31 +72,92 @@ systemd.services.open-webui.serviceConfig.DynamicUser = lib.mkForce false; #Chat host - networking.firewall.allowedTCPPorts = [ 80 443 ]; + networking.firewall.allowedTCPPorts = [ 80 443 22 8448 9993 ] ++ [ config.services.zerotierone.port ]; + networking.firewall.allowedUDPPorts = [config.services.zerotierone.port]; security.acme = { acceptTerms = true; defaults.email = "alex.lebedev2003@icloud.com"; + certs = { + "kylekrein.com" = { + webroot = "/var/lib/acme/challenges-kylekrein"; + email = "alex.lebedev2003@icloud.com"; + group = "nginx"; + extraDomainNames = [ + "matrix.kylekrein.com" + "chat.kylekrein.com" + ]; + }; + }; }; - services.nginx.enable = false; + users.users.nginx.extraGroups = [ "acme" ]; + services.hypridle.enable = lib.mkForce false; + programs.hyprlock.enable = lib.mkForce false; + sops.secrets."services/conduwuit" = {neededForUsers = true;}; + + services.conduwuit = { + enable = false; + settings = { + global = { + server_name = "kylekrein.com"; + port = [ 6167 ]; + trusted_servers = [ "matrix.org" ]; + allow_registration = true; + allow_federation = true; + allow_encryption = true; + }; + }; + extraEnvironment = { + CONDUWUIT_REGISTRATION_TOKEN = ""; + #CONDUWUIT_REGISTRATION_TOKEN_FILE = ''"${config.sops.secrets."services/conduwuit".path}"''; + CONDUWUIT_NEW_USER_DISPLAYNAME_SUFFIX = "🐝"; + CONDUWUIT_REQUIRE_AUTH_FOR_PROFILE_REQUESTS = "true"; + CONDUWUIT_ALLOW_LOCAL_PRESENCE = "true"; + }; + }; + systemd.services.conduwuit.serviceConfig = { + DynamicUser = lib.mkForce false; + StateDirectory = lib.mkForce "/persist/conduwuit"; + RuntimeDirectory = lib.mkForce "/persist/conduwuit/runtime"; + }; + + services.nginx.enable = true; services.nginx = { # Use recommended settings recommendedGzipSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true; + clientMaxBodySize = "20000000"; }; services.nginx.virtualHosts = let SSL = { - enableACME = true; + #enableACME = true; 
forceSSL = true; + useACMEHost = "kylekrein.com"; + acmeRoot = "/var/lib/acme/challenges-kylekrein"; }; in { + "kylekrein.com" = (SSL // { + listen = [{port = 443; addr="0.0.0.0"; ssl=true;} {port = 8448; addr="0.0.0.0"; ssl=true;}]; + locations."/" = { + proxyPass = "http://localhost:6167"; + proxyWebsockets = true; + }; + }); "chat.kylekrein.com" = (SSL // { locations."/" = { - proxyPass = "http://127.0.0.1:8080/"; + proxyPass = "http://localhost:8080/"; + proxyWebsockets = true; + }; + }); + "matrix.kylekrein.com" = (SSL // { + listen = [{port = 443; addr="0.0.0.0"; ssl=true;} {port = 8448; addr="0.0.0.0"; ssl=true;}]; + locations."/" = { + proxyPass = "http://localhost:6167"; proxyWebsockets = true; }; }); }; - + systemd.network.wait-online.enable = lib.mkForce false; +}; } diff --git a/nixos/hosts/kylekrein-server/default.nix b/nixos/hosts/kylekrein-server/default.nix new file mode 100644 index 0000000..0ea97a7 --- /dev/null +++ b/nixos/hosts/kylekrein-server/default.nix 
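Review bot: The firewall line `networking.firewall.allowedTCPPorts = [ 80 443 22 8448 9993 ] ++ [ config.services.zerotierone.port ];` keeps the old ZeroTier port 9993 open alongside the new 9994 and opens 22 on a desktop whose sshd settings are not visible in this hunk — unless the key-only, no-root sshd configuration used on the server host is applied here too, that is a newly reachable password-capable SSH port; ZeroTier's transport is UDP, so the TCP entries for its ports are probably unnecessary as well, and `[ 80 443 8448 ]` plus the UDP rule would cover what the hunk shows. Forcing `services.hypridle.enable` and `programs.hyprlock.enable` off removes idle locking from a machine that now fronts public services. `allow_registration = true` together with `CONDUWUIT_REGISTRATION_TOKEN = ""` is a latent open-registration setup: conduwuit is `enable = false` on this host today, but flipping that flag later would expose an unauthenticated signup endpoint on a federating homeserver, so either drop `allow_registration` or wire the token before enabling. The `config = {` block this hunk closes is opened in an earlier hunk.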
@@ -0,0 +1,161 @@
+{
+ options,
+ config,
+ pkgs,
+ lib,
+ hwconfig,
+ inputs,
+ ...
+}: {
+ imports = [
+ inputs.sops-nix.nixosModules.sops
+ inputs.stylix.nixosModules.stylix
+ inputs.nixos-facter-modules.nixosModules.facter
+ inputs.home-manager.nixosModules.default
+ inputs.disko.nixosModules.default
+ ../../modules/sops
+ ../../modules/services/autoupgrade
+ "${inputs.nixpkgs-unstable}/nixos/modules/services/matrix/conduwuit.nix"
+
+ ../../users/kylekrein
+ ./hardware.nix
+ ./networking.nix
+ ];
+options.services.conduwuit.settings.global.database_path = lib.mkOption { apply = old: "/persist/conduwuit/";};
+config = {
+ home-manager.users = lib.mkForce {};
+ stylix.image = ../../modules/hyprland/wallpaper.jpg;
+ #sops.secrets."ssh_keys/${hwconfig.hostname}" = {};
+ boot.tmp.cleanOnBoot = true;
+ boot.loader.systemd-boot.enable = true;
+ networking.hostName = hwconfig.hostname;
+users = {
+ mutableUsers = false;
+ users = {
+ root = {
+ # disable root login here, and also when installing nix by running nixos-install --no-root-passwd
+ # https://discourse.nixos.org/t/how-to-disable-root-user-account-in-configuration-nix/13235/3
+ hashedPassword = "!"; # disable root logins, nothing hashes to !
+ };
+ };
+ };
+ environment.systemPackages = with pkgs; [
+ neovim
+ ];
+ services.openssh = {
+ enable = true;
+ # require public key authentication for better security
+ settings.PasswordAuthentication = false;
+ settings.KbdInteractiveAuthentication = false;
+ settings.PermitRootLogin = "no";
+ #extraConfig = "HostKey ${config.sops.secrets."ssh_keys/${hwconfig.hostname}".path}";
+ };
+
+ zramSwap = {
+ enable = true; # Hopefully? helps with freezing when using swap
+ };
+ #Chat host
+ networking.firewall.allowedTCPPorts = [ 80 443 22 8448 ];
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "alex.lebedev2003@icloud.com";
+ certs = {
+ "kylekrein.com" = {
+ webroot = "/var/lib/acme/challenges-kylekrein";
+ email = "alex.lebedev2003@icloud.com";
+ group = "nginx";
+ extraDomainNames = [
+ "matrix.kylekrein.com"
+ #"chat.kylekrein.com"
+ ];
+ };
+ };
+ };
+ users.users.nginx.extraGroups = [ "acme" ];
+ sops.secrets."services/conduwuit" = {neededForUsers = true;};
+
+ services.conduwuit = {
+ enable = true;
+ settings = {
+ global = {
+ server_name = "kylekrein.com";
+ port = [ 6167 ];
+ trusted_servers = [ "matrix.org" ];
+ #allow_registration = true;
+ allow_federation = true;
+ allow_encryption = true;
+ };
+ };
+ extraEnvironment = {
+ CONDUWUIT_REGISTRATION_TOKEN = "";
+ #CONDUWUIT_REGISTRATION_TOKEN_FILE = ''"${config.sops.secrets."services/conduwuit".path}"'';
+ CONDUWUIT_NEW_USER_DISPLAYNAME_SUFFIX = "🐝";
+ CONDUWUIT_REQUIRE_AUTH_FOR_PROFILE_REQUESTS = "true";
+ CONDUWUIT_ALLOW_LOCAL_PRESENCE = "true";
+ };
+ };
+ systemd.services.conduwuit.serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ StateDirectory = lib.mkForce "/persist/conduwuit";
+ RuntimeDirectory = lib.mkForce "/persist/conduwuit/runtime";
+ };
+
+ services.nginx.enable = true;
+ services.nginx = {
+ # Use recommended settings
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ clientMaxBodySize = "20000000";
+ };
+ services.nginx.virtualHosts = let
+ SSL = {
+ #enableACME = true;
+ forceSSL = true;
+ useACMEHost = "kylekrein.com";
+ acmeRoot = "/var/lib/acme/challenges-kylekrein";
+ }; in {
+ "kylekrein.com" = (SSL // {
+ listen = [{port = 443; addr="0.0.0.0"; ssl=true;} {port = 8448; addr="0.0.0.0"; ssl=true;}];
+ locations."/" = {
+ proxyPass = "http://localhost:6167";
+ proxyWebsockets = true;
+ };
+ });
+ #"chat.kylekrein.com" = (SSL // {
+ # locations."/" = {
+ # proxyPass = "http://localhost:8080/";
+ # proxyWebsockets = true;
+ # };
+ #});
+ "matrix.kylekrein.com" = (SSL // {
+ listen = [{port = 443; addr="0.0.0.0"; ssl=true;} {port = 8448; addr="0.0.0.0"; ssl=true;}];
+ locations."/" = {
+ proxyPass = "http://localhost:6167";
+ proxyWebsockets = true;
+ };
+ });
+ };
+ system.stateVersion = "24.11";
+ nix = {
+ settings = {
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ auto-optimise-store = true;
+ substituters = [
+ "https://hyprland.cachix.org"
+ "https://nix-gaming.cachix.org"
+ "https://nix-community.cachix.org"
+ ];
+ trusted-public-keys = [
+ "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+ "nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ };
+ };
+};
+}
diff --git a/nixos/hosts/kylekrein-server/hardware.nix b/nixos/hosts/kylekrein-server/hardware.nix
new file mode 100644
index 0000000..644b075
--- /dev/null
+++ b/nixos/hosts/kylekrein-server/hardware.nix
@@ -0,0 +1,28 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/4f7e141c-0fc7-415a-815d-944b36f93806";
+ fsType = "ext4";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/nixos/hosts/kylekrein-server/networking.nix b/nixos/hosts/kylekrein-server/networking.nix
new file mode 100644
index 0000000..ece31d1
--- /dev/null
+++ b/nixos/hosts/kylekrein-server/networking.nix
@@ -0,0 +1,32 @@
+{ lib, ... }: {
+ # This file was populated at runtime with the networking
+ # details gathered from the active system.
+ networking = {
+ nameservers = [ "8.8.8.8"
+ ];
+ defaultGateway = "172.31.1.1";
+ defaultGateway6 = {
+ address = "";
+ interface = "eth0";
+ };
+ dhcpcd.enable = false;
+ usePredictableInterfaceNames = lib.mkForce false;
+ interfaces = {
+ eth0 = {
+ ipv4.addresses = [
+ { address="91.99.0.169"; prefixLength=32; }
+ ];
+ ipv6.addresses = [
+ { address="fe80::9400:4ff:fe30:830e"; prefixLength=64; }
+ ];
+ ipv4.routes = [ { address = "172.31.1.1"; prefixLength = 32; } ];
+ ipv6.routes = [ { address = ""; prefixLength = 128; } ];
+ };
+
+ };
+ };
+ services.udev.extraRules = ''
+ ATTR{address}=="96:00:04:30:83:0e", NAME="eth0"
+
+ '';
+}
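Review bot: `defaultGateway6.address = ""` and `ipv6.routes = [ { address = ""; prefixLength = 128; } ]` carry empty addresses; the scripted-networking generator interpolates route entries into `ip -6 route` commands, so the route line in particular is likely to produce an invalid `/128` route and a failing address-setup step on every boot (I have not evaluated this config, so treat that as a strong suspicion). Both look like leftovers from a provider template — the only IPv6 address configured is link-local — and should be removed, leaving `ipv6.routes = [ ]` until a global address is assigned. `nameservers = [ "8.8.8.8" ]` is a single unencrypted upstream for a host that needs DNS for ACME renewals and Matrix federation; a second resolver, ideally via `services.resolved` with DNS-over-TLS, avoids that single point of failure. Since this file disables `dhcpcd` and sets addresses statically, an explicit `networking.useDHCP = false;` here would also stop relying on the `mkDefault true` in the generated `hardware.nix` being harmless.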
diff --git a/nixos/modules/hyprland/hypridle.nix b/nixos/modules/hyprland/hypridle.nix
index 0b7163d..54a53f4 100644
--- a/nixos/modules/hyprland/hypridle.nix
+++ b/nixos/modules/hyprland/hypridle.nix
@@ -1,11 +1,11 @@
-{ pkgs, lib, ... }:
+{ pkgs, lib, hwconfig, ... }:
 let
 suspendScript = pkgs.writeShellScript "suspend-script" ''
 # check if any player has status "Playing"
 ${lib.getExe pkgs.playerctl} -a status | ${lib.getExe pkgs.ripgrep} Playing -q
 # only suspend if nothing is playing
 if [ $? == 1 ]; then
- ${pkgs.systemd}/bin/systemctl suspend
+ ${if hwconfig.isLaptop then "${pkgs.systemd}/bin/systemctl suspend" else "loginctl lock-session"}
 fi
 '';
 in
diff --git a/nixos/modules/impermanence/default.nix b/nixos/modules/impermanence/default.nix
index e9e0685..a0647c0 100644
--- a/nixos/modules/impermanence/default.nix
+++ b/nixos/modules/impermanence/default.nix
@@ -20,6 +20,8 @@ in {
 "/var/lib/flatpak"
 "/var/lib/zerotier-one"
 "/var/lib/systemd/coredump"
+ "/var/lib/acme"
+ #"/var/lib/conduwuit"
 "/etc/NetworkManager/system-connections"
 { directory = "/var/lib/colord";
@@ -40,6 +42,7 @@ in {
 "d /persist/home/ 0777 root root -" # /persist/home created, owned by root
 "d /persist/ollama/ 0755 ollama ollama"
 "d /persist/open-webui/ 0755 ollama ollama"
+ "d /persist/conduwuit/ 0755 conduwuit conduwuit"
 #"d /persist/home/${username} 0700 ${username} users -" # /persist/home/ created, owned by that user
 #"d /persist/nixos-config 0700 ${username} users -"
 ];
diff --git a/nixos/modules/sops/secrets/secrets.yaml b/nixos/modules/sops/secrets/secrets.yaml
index b97dc05..2d9900e 100644
--- a/nixos/modules/sops/secrets/secrets.yaml
+++ b/nixos/modules/sops/secrets/secrets.yaml
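Review bot: In the non-laptop branch `loginctl lock-session` is the only command in `suspend-script` not referenced by store path — `playerctl`, `rg` and `systemctl` all are — so the lock depends on whatever PATH hypridle hands the script, and a missing binary fails silently because nothing inspects the exit status inside the `if`. Use `${pkgs.systemd}/bin/loginctl lock-session` for parity with the `systemctl` branch. Note also that `lock-session` only does something when a locker is registered with logind; the homepc host in this same commit forces `programs.hyprlock.enable` off, so on that machine this branch will most likely lock nothing — worth confirming.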
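Review bot: `"d /persist/conduwuit/ 0755 conduwuit conduwuit"` creates the homeserver's database directory world-readable; like any Matrix homeserver store it will hold room history, access tokens and device keys, so the mode should be `0700` (or `0750` if another group genuinely needs to traverse it), matching the `0700` convention already used for the commented per-user entries. The rule also names a static `conduwuit` user and group, which only exist if the service module creates them when `DynamicUser` is disabled; if it does not, systemd-tmpfiles logs an unknown-user error and skips the entry, leaving the directory to be created by whatever first touches it. Persisting `/var/lib/acme` is right — losing it on reboot would re-request certificates and trip Let's Encrypt rate limits.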
@@ -5,6 +5,8 @@ users:
 ssh_keys:
 kylekrein-mac: ENC[AES256_GCM,data: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,iv:oEXxrvWosuiH2wSoSkP7YMwBQu3JKIhn/YeiaTL/UT4=,tag:XgBw2q/6LPWg2zuOC9Wb+w==,type:str]
 kylekrein-homepc: ENC[AES256_GCM,data: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,iv:+4umMhsr8s0IuiYuEdhDAOfLjAELEHbFVvWqaVyF2yQ=,tag:eE9gCZ3pC4wDLeMs5cQGZg==,type:str]
+services:
+ conduwuit: ENC[AES256_GCM,data:1shEq67QJTkeqrfYSr/eYG7gYWH//5ey6XQ=,iv:hy5wQmue8qU4ALfn9BrNQLnsTk8BsVVXY/8bDj18mXk=,tag:h6+hL0HjgSzd15Kc7Zg4ng==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -20,8 +22,8 @@ sops:
 M0hSNWNYbGM3a21McUVMaGNqWTdmNTQK3VRFV4EaC8K8AJi2PUt6TeBgueEmPLI8
 Vdwwbh89+xD5xf4Zm0LctPRlxxM6diubv0gIZZPy/ZXZfiU32ZnM0w==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-02-21T18:58:11Z"
- mac: ENC[AES256_GCM,data:8MZQ486ZMZ6aH71vR7VE1qAmS6Yg2+cVVIrb16aq744/YtennNl70lSkGrpTU2asFaN1tBOkuL5pnhJmJfLIHzI94oQOUZonSoG50HHpo2deTVZLRVqcZjiKobJKA23aChqTI+VR1KM3XCO7KTkjCGt8Kj2r/J9yfjmxh+tmrOo=,iv:n7QK6mH9Y805n3t2KBLw8wgTLaistdk6TYVlKvaTQm0=,tag:2au0n94JerEdNTpq5BFrtQ==,type:str]
+ lastmodified: "2025-04-02T14:08:10Z"
+ mac: ENC[AES256_GCM,data:ATGlRrgS1LilKyMpLHPlQj9NV6eK8IaDr36KjFcyMsslzq68Zw/s14C+RjMUYT8dQkzymMxhxh9jAsPtS/J81XFG4RMl7mo6KNmhpPKEkzBuP0cAAIXgSrF4dovveI0imxxsjBba4iOi6Syjo/myg2dGpFwgU1/OgJ2suwB07ME=,iv:37UDQfMvk/o2BByZQfY9ry7ETCC2zU8K+EoRjGHKykc=,tag:wUFJ0fZMt4RZTM3oLJ2YaA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.4