kylekrein/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Server, deploy-rs

Browse source
This commit is contained in:
Aleksandr Lebedev 2025-08-10 11:48:47 +02:00
parent 8468556385
commit df711fbbe6
13 changed files with 828 additions and 39 deletions
Download patch file Download diff file Expand all files Collapse all files

4
checks/deploy/default.nix Normal file
View file

@ -0,0 +1,4 @@
{inputs}:
builtins.mapAttrs
(system: deploy-lib: deploy-lib.deployChecks inputs.self.deploy)
inputs.deploy-rs.lib

11
checks/fmt/default.nix Normal file
View file

@ -0,0 +1,11 @@
{
inputs,
system,
...
}:
inputs.pre-commit-hooks.lib.${system}.run {
src = ../..;
hooks = {
alejandra.enable = true;
};
}

196
flake.lock generated
View file

@ -309,6 +309,28 @@
"type": "github"
}
},
"deploy-rs": {
"inputs": {
"flake-compat": "flake-compat_5",
"nixpkgs": [
"nixpkgs"
],
"utils": "utils"
},
"locked": {
"lastModified": 1749105467,
"narHash": "sha256-hXh76y/wDl15almBcqvjryB50B0BaiXJKk20f314RoE=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "6bc76b872374845ba9d645a2f012b764fecd765f",
"type": "github"
},
"original": {
"owner": "serokell",
"repo": "deploy-rs",
"type": "github"
}
},
"devenv": {
"inputs": {
"cachix": "cachix_2",
@ -464,6 +486,38 @@
"type": "github"
}
},
"flake-compat_10": {
"flake": false,
"locked": {
"lastModified": 1650374568,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_11": {
"flake": false,
"locked": {
"lastModified": 1747046372,
"narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
@ -516,11 +570,11 @@
"flake-compat_5": {
"flake": false,
"locked": {
"lastModified": 1747046372,
"narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
"lastModified": 1733328505,
"narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
"rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
"type": "github"
},
"original": {
@ -548,37 +602,20 @@
"flake-compat_7": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"lastModified": 1747046372,
"narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
"type": "github"
},
"original": {
"owner": "edolstra",
"ref": "v1.0.1",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_8": {
"flake": false,
"locked": {
"lastModified": 1650374568,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_9": {
"flake": false,
"locked": {
"lastModified": 1747046372,
@ -594,6 +631,23 @@
"type": "github"
}
},
"flake-compat_9": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"ref": "v1.0.1",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
@ -790,7 +844,7 @@
},
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
"systems": "systems_3"
},
"locked": {
"lastModified": 1731533236,
@ -823,7 +877,7 @@
},
"flake-utils_4": {
"inputs": {
"systems": "systems_4"
"systems": "systems_5"
},
"locked": {
"lastModified": 1694529238,
@ -928,6 +982,27 @@
"type": "github"
}
},
"gitignore_3": {
"inputs": {
"nixpkgs": [
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"gnome-shell": {
"flake": false,
"locked": {
@ -1027,7 +1102,7 @@
"lanzaboote": {
"inputs": {
"crane": "crane_3",
"flake-compat": "flake-compat_5",
"flake-compat": "flake-compat_6",
"flake-parts": "flake-parts_3",
"nixpkgs": "nixpkgs_9",
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
@ -1474,7 +1549,7 @@
},
"nixos-wsl": {
"inputs": {
"flake-compat": "flake-compat_6",
"flake-compat": "flake-compat_7",
"nixpkgs": "nixpkgs_13"
},
"locked": {
@ -2049,7 +2124,7 @@
"plugin-vim-repeat": "plugin-vim-repeat",
"plugin-vim-startify": "plugin-vim-startify",
"plugin-which-key": "plugin-which-key",
"systems": "systems_3"
"systems": "systems_4"
},
"locked": {
"lastModified": 1736795850,
@ -4019,6 +4094,28 @@
"type": "github"
}
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat_8",
"gitignore": "gitignore_3",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1754416808,
"narHash": "sha256-c6yg0EQ9xVESx6HGDOCMcyRSjaTpNJP10ef+6fRcofA=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "9c52372878df6911f9afc1e2a1391f55e4dfc864",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
@ -4068,6 +4165,7 @@
"beeengine": "beeengine",
"chaotic": "chaotic",
"conduwuit": "conduwuit",
"deploy-rs": "deploy-rs",
"disko": "disko",
"emacs-kylekrein": "emacs-kylekrein",
"home-manager": "home-manager_2",
@ -4084,6 +4182,7 @@
"nixos-hardware": "nixos-hardware",
"nixos-wsl": "nixos-wsl",
"nixpkgs": "nixpkgs_14",
"pre-commit-hooks": "pre-commit-hooks",
"snowfall-flake": "snowfall-flake",
"snowfall-lib": "snowfall-lib_2",
"sops-nix": "sops-nix",
@ -4191,7 +4290,7 @@
},
"snowfall-flake": {
"inputs": {
"flake-compat": "flake-compat_7",
"flake-compat": "flake-compat_9",
"nixpkgs": [
"nixpkgs"
],
@ -4213,7 +4312,7 @@
},
"snowfall-lib": {
"inputs": {
"flake-compat": "flake-compat_8",
"flake-compat": "flake-compat_10",
"flake-utils-plus": "flake-utils-plus",
"nixpkgs": [
"snowfall-flake",
@ -4237,7 +4336,7 @@
},
"snowfall-lib_2": {
"inputs": {
"flake-compat": "flake-compat_9",
"flake-compat": "flake-compat_11",
"flake-utils-plus": "flake-utils-plus_2",
"nixpkgs": [
"nixpkgs"
@ -4286,7 +4385,7 @@
"gnome-shell": "gnome-shell",
"nixpkgs": "nixpkgs_16",
"nur": "nur",
"systems": "systems_5",
"systems": "systems_6",
"tinted-foot": "tinted-foot",
"tinted-kitty": "tinted-kitty",
"tinted-schemes": "tinted-schemes",
@ -4383,6 +4482,21 @@
"type": "github"
}
},
"systems_6": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"tinted-foot": {
"flake": false,
"locked": {
@ -4523,6 +4637,24 @@
"type": "github"
}
},
"utils": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"xwayland-satellite-stable": {
"flake": false,
"locked": {

19
flake.nix
View file

@ -73,13 +73,21 @@
# The name "snowfall-lib" is required due to how Snowfall Lib processes your
# flake's inputs.
snowfall-lib = {
url = "github:KyleKrein/snowfall-lib";#"git+file:///home/kylekrein/Git/snowfall-lib";
url = "github:KyleKrein/snowfall-lib"; #"git+file:///home/kylekrein/Git/snowfall-lib";
inputs.nixpkgs.follows = "nixpkgs";
};
snowfall-flake = {
url = "github:snowfallorg/flake";
inputs.nixpkgs.follows = "nixpkgs";
};
deploy-rs = {
url = "github:serokell/deploy-rs";
inputs.nixpkgs.follows = "nixpkgs";
};
pre-commit-hooks = {
url = "github:cachix/git-hooks.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = inputs:
@ -121,6 +129,15 @@
templates = import ./templates {};
deploy.nodes.server = {
hostname = "kylekrein.com";
interactiveSudo = false;
profiles.system = {
user = "kylekrein";
path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos inputs.self.nixosConfigurations.kylekrein-server;
};
};
outputs-builder = channels: {
formatter = channels.nixpkgs.alejandra;
};

13
homes/x86_64-linux/kylekrein/default.nix
View file

@ -17,25 +17,30 @@ in
enable = true;
firstNixOSInstall = 1729112485;
};
librewolf = enabled;
librewolf.enable = osConfig.custom.presets.wayland.enable;
prismlauncher.enable = osConfig.custom.presets.gaming.enable;
bottles = enabled;
bottles.enable = osConfig.custom.presets.wayland.enable;
};
};
home = {
packages = with pkgs;
[
neovim
]
++ lib.optionals osConfig.custom.presets.wayland.enable [
gdb
element-desktop
obs-studio
neovim
localsend
kdePackages.kdenlive
]
++ lib.optionals osConfig.custom.presets.gaming.enable [mcpelauncher-ui-qt];
sessionVariables = {
EDITOR = "emacsclient -c";
EDITOR =
if osConfig.custom.presets.wayland.enable
then "emacsclient -c"
else "nvim";
NH_OS_FLAKE = "${home}/nixos-config";
NH_HOME_FLAKE = "${home}/nixos-config";
NH_DARWIN_FLAKE = "${home}/nixos-config";

7
homes/x86_64-linux/kylekrein/emacs.nix
View file

@ -2,15 +2,18 @@
pkgs,
system,
inputs,
osConfig,
lib,
config,
...
}: let
emacs = inputs.emacs-kylekrein.packages.${system}.with-lsps-native;
in {
programs.emacs = {
enable = true;
enable = osConfig.custom.presets.wayland.enable;
package = emacs;
};
systemd.user.services.emacs = {
systemd.user.services.emacs = lib.mkIf config.programs.emacs.enable {
Unit = {
Description = "Launches (and relaunches) emacs";
};

378
modules/nixos/services/conduwuit/default.nix Normal file
View file

@ -0,0 +1,378 @@
{
config,
lib,
pkgs,
namespace,
...
}: let
cfg = config.${namespace}.services.conduwuit;
defaultUser = "conduwuit";
defaultGroup = "conduwuit";
format = pkgs.formats.toml {};
configFile = format.generate "conduwuit.toml" cfg.settings;
in {
meta.maintainers = with lib.maintainers; [niklaskorz];
options.${namespace}.services.conduwuit = {
enable = lib.mkEnableOption "conduwuit";
user = lib.mkOption {
type = lib.types.nonEmptyStr;
description = ''
The user {command}`conduwuit` is run as.
'';
default = defaultUser;
};
group = lib.mkOption {
type = lib.types.nonEmptyStr;
description = ''
The group {command}`conduwuit` is run as.
'';
default = defaultGroup;
};
extraEnvironment = lib.mkOption {
type = lib.types.attrsOf lib.types.str;
description = "Extra Environment variables to pass to the conduwuit server.";
default = {};
example = {
RUST_BACKTRACE = "yes";
};
};
package = lib.mkPackageOption pkgs "conduwuit" {};
settings = lib.mkOption {
type = lib.types.submodule {
freeformType = format.type;
options = {
global.server_name = lib.mkOption {
type = lib.types.nonEmptyStr;
example = "example.com";
description = "The server_name is the name of this server. It is used as a suffix for user and room ids.";
};
global.address = lib.mkOption {
type = lib.types.nullOr (lib.types.listOf lib.types.nonEmptyStr);
default = null;
example = [
"127.0.0.1"
"::1"
];
description = ''
Addresses (IPv4 or IPv6) to listen on for connections by the reverse proxy/tls terminator.
If set to `null`, conduwuit will listen on IPv4 and IPv6 localhost.
Must be `null` if `unix_socket_path` is set.
'';
};
global.port = lib.mkOption {
type = lib.types.listOf lib.types.port;
default = [6167];
description = ''
The port(s) conduwuit will be running on.
You need to set up a reverse proxy in your web server (e.g. apache or nginx),
so all requests to /_matrix on port 443 and 8448 will be forwarded to the conduwuit
instance running on this port.
'';
};
global.unix_socket_path = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
description = ''
Listen on a UNIX socket at the specified path. If listening on a UNIX socket,
listening on an address will be disabled. The `address` option must be set to
`null` (the default value). The option {option}`services.conduwuit.group` must
be set to a group your reverse proxy is part of.
This will automatically add a system user "conduwuit" to your system if
{option}`services.conduwuit.user` is left at the default, and a "conduwuit"
group if {option}`services.conduwuit.group` is left at the default.
'';
};
global.unix_socket_perms = lib.mkOption {
type = lib.types.ints.positive;
default = 660;
description = "The default permissions (in octal) to create the UNIX socket with.";
};
global.max_request_size = lib.mkOption {
type = lib.types.ints.positive;
default = 20000000;
description = "Max request size in bytes. Don't forget to also change it in the proxy.";
};
global.allow_registration = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether new users can register on this server.
Registration with token requires `registration_token` or `registration_token_file` to be set.
If set to true without a token configured, and
`yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`
is set to true, users can freely register.
'';
};
global.allow_encryption = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Whether new encrypted rooms can be created. Note: existing rooms will continue to work.";
};
global.allow_federation = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Whether this server federates with other servers.
'';
};
global.trusted_servers = lib.mkOption {
type = lib.types.listOf lib.types.nonEmptyStr;
default = ["matrix.org"];
description = ''
Servers listed here will be used to gather public keys of other servers
(notary trusted key servers).
Currently, conduwuit doesn't support inbound batched key requests, so
this list should only contain other Synapse servers.
Example: `[ "matrix.org" "constellatory.net" "tchncs.de" ]`
'';
};
global.database_path = lib.mkOption {
readOnly = true;
type = lib.types.path;
default = "/var/lib/conduwuit/";
description = ''
Path to the conduwuit database, the directory where conduwuit will save its data.
Note that database_path cannot be edited because of the service's reliance on systemd StateDir.
'';
};
global.database_backup_path = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
description = ''
Path to the conduwuit database, the directory where conduwuit will backup its data.
'';
};
global.database_backups_to_keep = lib.mkOption {
type = lib.types.ints.positive;
default = 1;
description = "";
};
global.allow_check_for_updates = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
If enabled, conduwuit will send a simple GET request periodically to
<https://pupbrain.dev/check-for-updates/stable> for any new announcements made.
Despite the name, this is not an update check endpoint, it is simply an announcement check endpoint.
Disabled by default.
'';
};
global.allow_local_presence = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
'';
};
global.allow_incoming_presence = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
'';
};
global.allow_outgoing_presence = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
'';
};
global.require_auth_for_profile_requests = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
'';
};
global.new_user_displayname_suffix = lib.mkOption {
type = lib.types.str;
default = "🏳";
description = ''
'';
};
global.registration_token = lib.mkOption {
type = lib.types.str;
default = "";
description = ''
'';
};
global.registration_token_file = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
description = ''
'';
};
global.allow_public_room_directory_over_federation = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
'';
};
global.allow_public_room_directory_without_auth = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
'';
};
global.allow_device_name_federation = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
'';
};
global.allow_inbound_profile_lookup_federation_requests = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
'';
};
global.turn_secret = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = ''
'';
};
global.turn_uris = lib.mkOption {
type = lib.types.listOf lib.types.nonEmptyStr;
default = [];
description = ''
'';
};
global.turn_secret_file = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
description = ''
'';
};
global.prevent_media_downloads_from = lib.mkOption {
type = lib.types.listOf lib.types.nonEmptyStr;
default = [];
description = ''
'';
};
global.well_known.client = lib.mkOption {
type = lib.types.str;
default = "";
description = ''
'';
};
global.well_known.server = lib.mkOption {
type = lib.types.str;
default = "";
description = ''
'';
};
};
};
default = {};
# TOML does not allow null values, so we use null to omit those fields
apply = lib.filterAttrsRecursive (_: v: v != null);
description = ''
Generates the conduwuit.toml configuration file. Refer to
<https://conduwuit.puppyirl.gay/configuration.html>
for details on supported values.
'';
};
};
config = lib.mkIf cfg.enable {
assertions = [
{
assertion = !(cfg.settings ? global.unix_socket_path) || !(cfg.settings ? global.address);
message = ''
In `services.conduwuit.settings.global`, `unix_socket_path` and `address` cannot be set at the
same time.
Leave one of the two options unset or explicitly set them to `null`.
'';
}
{
assertion = cfg.user != defaultUser -> config ? users.users.${cfg.user};
message = "If `services.conduwuit.user` is changed, the configured user must already exist.";
}
{
assertion = cfg.group != defaultGroup -> config ? users.groups.${cfg.group};
message = "If `services.conduwuit.group` is changed, the configured group must already exist.";
}
];
users.users = lib.mkIf (cfg.user == defaultUser) {
${defaultUser} = {
group = cfg.group;
home = cfg.settings.global.database_path;
isSystemUser = true;
};
};
users.groups = lib.mkIf (cfg.group == defaultGroup) {
${defaultGroup} = {};
};
systemd.services.conduwuit = {
description = "Conduwuit Matrix Server";
documentation = ["https://conduwuit.puppyirl.gay/"];
wantedBy = ["multi-user.target"];
wants = ["network-online.target"];
after = ["network-online.target"];
environment = lib.mkMerge [
{CONDUWUIT_CONFIG = configFile;}
cfg.extraEnvironment
];
startLimitBurst = 5;
startLimitIntervalSec = 60;
serviceConfig = {
DynamicUser = true;
User = cfg.user;
Group = cfg.group;
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
PrivateIPC = true;
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service @resources"
"~@clock @debug @module @mount @reboot @swap @cpu-emulation @obsolete @timer @chown @setuid @privileged @keyring @ipc"
];
SystemCallErrorNumber = "EPERM";
StateDirectory = "conduwuit";
StateDirectoryMode = "0700";
RuntimeDirectory = "conduwuit";
RuntimeDirectoryMode = "0750";
ExecStart = lib.getExe cfg.package;
Restart = "on-failure";
RestartSec = 10;
};
};
};
}

3
overlays/conduwuit/default.nix Normal file
View file

@ -0,0 +1,3 @@
{inputs, ...}: final: prev: {
conduwuit = inputs.conduwuit.packages.${prev.system}.all-features;
}

3
overlays/deploy-rs/default.nix Normal file
View file

@ -0,0 +1,3 @@
{inputs, ...}: final: prev: {
deploy-rs = inputs.deploy-rs.packages.${prev.system}.deploy-rs;
}

10
shells/default/default.nix Normal file
View file

@ -0,0 +1,10 @@
{
pkgs,
mkShell,
...
}:
mkShell {
packages = with pkgs; [
pkgs.deploy-rs
];
}

143
systems/x86_64-linux/kylekrein-server/default.nix Normal file
View file

@ -0,0 +1,143 @@
{
lib,
pkgs,
inputs,
namespace,
system,
target,
format,
virtual,
systems,
config,
...
}:
with lib;
with lib.custom; {
imports = lib.snowfall.fs.get-non-default-nix-files ./.;
custom = {
presets.default = enabled;
users.kylekrein = {
enable = true;
config = {};
};
services.conduwuit = {
enable = true;
#user = "turnserver";
settings = {
global = {
server_name = "kylekrein.com";
well_known = {
server = "matrix.kylekrein.com:443";
client = "https://matrix.kylekrein.com";
};
port = [6167];
trusted_servers = ["matrix.org"];
allow_registration = false;
registration_token = ""; #nix shell nixpkgs#openssl -c openssl rand -base64 48 | tr -d '/+' | cut -c1-64
allow_federation = true;
allow_encryption = true;
allow_local_presence = true;
require_auth_for_profile_requests = true;
};
};
extraEnvironment = {
};
};
};
services.caddy = {
enable = true;
#virtualHosts."kylekrein.com:8448".extraConfig = ''
# reverse_proxy http://localhost:6167
#'';
virtualHosts."kylekrein.com".extraConfig = ''
handle_path /.well-known/matrix/* {
header Access-Control-Allow-Origin *
## `Content-Type: application/json` isn't required by the matrix spec
## but some browsers (firefox) and some other tooling might preview json
## content prettier when they are made aware via Content-Type
header Content-Type application/json
respond /client `{ "m.homeserver": { "base_url": "https://matrix.kylekrein.com/" }, "org.matrix.msc3575.proxy": { "url": "https://matrix.kylekrein.com/"}, "org.matrix.msc4143.rtc_foci": [ { "type": "livekit", "livekit_service_url": "https://livekit-jwt.call.matrix.org" } ] }`
respond /server `{ "m.server": "https://matrix.kylekrein.com" }`
## return http/404 if nothing matches
respond 404
}
respond /.well-known/element/element.json `{"call":{"widget_url":"https://call.element.io"}}`
reverse_proxy * http://localhost:6167
'';
# reverse_proxy /.well-known/* http://localhost:6167
#'';
virtualHosts."matrix.kylekrein.com".extraConfig = ''
handle_path /.well-known/matrix/* {
header Access-Control-Allow-Origin *
## `Content-Type: application/json` isn't required by the matrix spec
## but some browsers (firefox) and some other tooling might preview json
## content prettier when they are made aware via Content-Type
header Content-Type application/json
respond /client `{ "m.homeserver": { "base_url": "https://matrix.kylekrein.com/" }, "org.matrix.msc3575.proxy": { "url": "https://matrix.kylekrein.com/"}, "org.matrix.msc4143.rtc_foci": [ { "type": "livekit", "livekit_service_url": "https://livekit-jwt.call.matrix.org" } ] }`
respond /server `{ "m.server": "https://matrix.kylekrein.com" }`
## return http/404 if nothing matches
respond 404
}
respond /.well-known/element/element.json `{"call":{"widget_url":"https://call.element.io"}}`
reverse_proxy * http://localhost:6167
'';
virtualHosts."gitlab.kylekrein.com".extraConfig = ''
reverse_proxy * unix//run/gitlab/gitlab-workhorse.socket
'';
};
#Chat host
networking.firewall.allowedTCPPorts = [80 443 22 8448];
networking.firewall.allowedUDPPorts = [3478 5349];
#sops.secrets."services/conduwuit" = {mode = "0755";};
sops.secrets."services/gitlab/dbPassword" = {owner = "gitlab";};
sops.secrets."services/gitlab/rootPassword" = {owner = "gitlab";};
sops.secrets."services/gitlab/secret" = {owner = "gitlab";};
sops.secrets."services/gitlab/otpsecret" = {owner = "gitlab";};
sops.secrets."services/gitlab/dbsecret" = {owner = "gitlab";};
sops.secrets."services/gitlab/oidcKeyBase" = {owner = "gitlab";};
sops.secrets."services/gitlab/activeRecordSalt" = {owner = "gitlab";};
sops.secrets."services/gitlab/activeRecordPrimaryKey" = {owner = "gitlab";};
sops.secrets."services/gitlab/activeRecordDeterministicKey" = {owner = "gitlab";};
services.gitlab = {
enable = true;
host = "gitlab.kylekrein.com";
port = 443;
#statePath = "/persist/gitlab/state";
backup.startAt = "3:00";
databasePasswordFile = config.sops.secrets."services/gitlab/dbPassword".path;
initialRootPasswordFile = config.sops.secrets."services/gitlab/rootPassword".path;
secrets = {
secretFile = config.sops.secrets."services/gitlab/secret".path;
otpFile = config.sops.secrets."services/gitlab/otpsecret".path;
dbFile = config.sops.secrets."services/gitlab/dbsecret".path;
jwsFile = config.sops.secrets."services/gitlab/oidcKeyBase".path; #pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";
activeRecordSaltFile = config.sops.secrets."services/gitlab/activeRecordSalt".path;
activeRecordPrimaryKeyFile = config.sops.secrets."services/gitlab/activeRecordPrimaryKey".path;
activeRecordDeterministicKeyFile = config.sops.secrets."services/gitlab/activeRecordDeterministicKey".path;
};
};
systemd.services.gitlab-backup.environment.BACKUP = "dump";
boot.tmp.cleanOnBoot = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
boot.loader.systemd-boot.enable = mkForce false;
# ======================== DO NOT CHANGE THIS ========================
system.stateVersion = "24.11";
# ======================== DO NOT CHANGE THIS ========================
}

32
systems/x86_64-linux/kylekrein-server/hardware.nix Normal file
View file

@ -0,0 +1,32 @@
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
fileSystems."/" = {
device = "/dev/disk/by-uuid/4f7e141c-0fc7-415a-815d-944b36f93806";
fsType = "ext4";
};
swapDevices = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eth0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

48
systems/x86_64-linux/kylekrein-server/networking.nix Normal file
View file

@ -0,0 +1,48 @@
{lib, ...}: {
# This file was populated at runtime with the networking
# details gathered from the active system.
networking = {
nameservers = [
"8.8.8.8"
];
defaultGateway = "172.31.1.1";
defaultGateway6 = {
address = "";
interface = "eth0";
};
dhcpcd.enable = false;
usePredictableInterfaceNames = lib.mkForce false;
interfaces = {
eth0 = {
ipv4.addresses = [
{
address = "91.99.0.169";
prefixLength = 32;
}
];
ipv6.addresses = [
{
address = "fe80::9400:4ff:fe30:830e";
prefixLength = 64;
}
];
ipv4.routes = [
{
address = "172.31.1.1";
prefixLength = 32;
}
];
ipv6.routes = [
{
address = "";
prefixLength = 128;
}
];
};
};
};
services.udev.extraRules = ''
ATTR{address}=="96:00:04:30:83:0e", NAME="eth0"
'';
}