configuration.nix

@@ -202,10 +202,10 @@ with pkgs;
   # Limit the memory and CPU use of Nix
   systemd.services.nixos-upgrade.serviceConfig = {
     MemoryHigh = [ "500M" ];
-    MemoryMax = [ "2G" ];
+    MemoryMax = [ "2048M" ];
-    MemorySwapMax = [ "500M" ];
+    CPUWeight = [ "20" ];
-    CPUWeight = [ "50" ];
+    CPUQuota = [ "85%" ];
-    CPUQuota = [ "50%" ];
+    IOWeight = [ "20" ];
   };
 
   # Configure git for auto-upgrade

flake.nix

@@ -15,16 +15,8 @@
     };
   };
 
-  outputs =
+  outputs = { self, nixpkgs, nixpkgs-unstable, agenix, nixos-hardware
-    {
+    , nix-matrix-appservices, ... }@inputs:
-      self,
-      nixpkgs,
-      nixpkgs-unstable,
-      agenix,
-      nixos-hardware,
-      nix-matrix-appservices,
-      ...
-    }@inputs:
     let
       system = "aarch64-linux";
 
@@ -34,8 +26,7 @@
 
       lib = nixpkgs.lib;
 
-    in
+    in {
-    {
       nixosConfigurations.zion = lib.nixosSystem {
         inherit system;
         modules = [

modules/communication.nix

@@ -1,9 +1,4 @@
-{
+{ config, lib, pkgs, ... }:
-  config,
-  lib,
-  pkgs,
-  ...
-}:
 
 with pkgs;
 
@@ -16,8 +11,7 @@ let
     conn_max_lifetime = -1;
   };
 
-in
+in {
-{
   # Matrix server configuration
   services.dendrite = {
     enable = true;
@@ -40,31 +34,16 @@ in
           "/var/lib/matrix-as-telegram/telegram-registration.yaml"
         ];
       };
-      media_api = {
+      media_api = { inherit database; };
-        inherit database;
+      room_server = { inherit database; };
-      };
+      push_server = { inherit database; };
-      room_server = {
-        inherit database;
-      };
-      push_server = {
-        inherit database;
-      };
       mscs = {
         inherit database;
-        mscs = [
+        mscs = [ "msc2836" "msc2946" ];
-          "msc2836"
-          "msc2946"
-        ];
-      };
-      sync_api = {
-        inherit database;
-      };
-      key_server = {
-        inherit database;
-      };
-      federation_api = {
-        inherit database;
       };
+      sync_api = { inherit database; };
+      key_server = { inherit database; };
+      federation_api = { inherit database; };
       user_api = {
         account_database = database;
         device_database = database;
@@ -106,7 +85,7 @@ in
       facebook = {
         port = 8228;
         format = "mautrix-python";
-        package = mautrix-meta;
+        package = mautrix-facebook;
         serviceConfig.EnvironmentFile = config.age.secrets.facebook.path;
         settings = {
           appservice.database = "$DB_STRING";
@@ -114,7 +93,39 @@ in
           bridge.permissions."@coolneng:coolneng.duckdns.org" = "admin";
         };
       };
+      signal = {
+        port = 8338;
+        format = "mautrix-python";
+        package = mautrix-signal;
+        serviceConfig = {
+          EnvironmentFile = config.age.secrets.signal.path;
+          StateDirectory = [ "matrix-as-signal" "signald" ];
+          JoinNamespaceOf = "signald.service";
+          SupplementaryGroups = [ "signald" ];
         };
+        settings = {
+          appservice.database = "$DB_STRING";
+          homeserver.software = "standard";
+          bridge.permissions."@coolneng:coolneng.duckdns.org" = "admin";
+          signal = {
+            socket_path = config.services.signald.socketPath;
+            outgoing_attachment_dir = "/var/lib/signald/tmp";
+          };
+        };
+      };
+    };
+  };
+
+  # Additional settings for mautrix-signal
+  services.signald = {
+    enable = true;
+    user = "matrix-as-signal";
+  };
+  systemd.services.matrix-as-signal = {
+    requires = [ "signald.service" ];
+    after = [ "signald.service" ];
+    unitConfig.JoinsNamespaceOf = "signald.service";
+    path = [ ffmpeg ];
   };
 
   # Enable voice messages for facebook
@@ -124,16 +135,9 @@ in
   services.mosquitto = {
     enable = true;
     dataDir = "/vault/mosquitto";
-    logType = [
+    logType = [ "websockets" "error" "warning" "notice" "information" ];
-      "websockets"
-      "error"
-      "warning"
-      "notice"
-      "information"
-    ];
     logDest = [ "syslog" ];
-    listeners = [
+    listeners = [{
-      {
       users.homeostasis = {
         acl = [ "write #" ];
         hashedPasswordFile = config.age.secrets.mqtt-sender.path;
@@ -142,8 +146,7 @@ in
         acl = [ "read #" ];
         hashedPasswordFile = config.age.secrets.mqtt-receiver.path;
       };
-      }
+    }];
-    ];
   };
 
 }

modules/device.nix

@@ -1,9 +1,4 @@
-{
+{ config, lib, pkgs, ... }:
-  config,
-  lib,
-  pkgs,
-  ...
-}:
 
 with pkgs;
 

modules/devops.nix

@@ -1,10 +1,4 @@
-{
+{ config, pkgs, lib, ... }: {
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-{
   # Set up Gitea with LFS support
   services.gitea = {
     enable = true;

modules/hardware-configuration.nix

@@ -1,21 +1,12 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{
+{ config, lib, pkgs, modulesPath, ... }:
-  config,
-  lib,
-  pkgs,
-  modulesPath,
-  ...
-}:
 
 {
   imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
 
-  boot.initrd.availableKernelModules = [
+  boot.initrd.availableKernelModules = [ "xhci_pci" "usb_storage" ];
-    "xhci_pci"
-    "usb_storage"
-  ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ ];
   boot.extraModulePackages = [ ];
@@ -126,7 +117,8 @@
     options = [ "bind" ];
   };
 
-  swapDevices = [ { device = "/dev/disk/by-uuid/835f9dd4-cc27-4443-b5e1-381c2f4b2afc"; } ];
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/835f9dd4-cc27-4443-b5e1-381c2f4b2afc"; }];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's

modules/monitoring.nix

@@ -1,9 +1,4 @@
-{
+{ config, lib, pkgs, ... }:
-  config,
-  lib,
-  pkgs,
-  ...
-}:
 
 with pkgs;
 
@@ -61,20 +56,20 @@ with pkgs;
       postgres.enable = true;
       smartctl.enable = true;
     };
-    scrapeConfigs = [
+    scrapeConfigs = [{
-      {
       job_name = "zion";
-        static_configs = [
+      static_configs = [{
-          {
         targets = [
           "localhost:${toString config.services.prometheus.exporters.node.port}"
-              "localhost:${toString config.services.prometheus.exporters.postgres.port}"
+          "localhost:${
-              "localhost:${toString config.services.prometheus.exporters.smartctl.port}"
+            toString config.services.prometheus.exporters.postgres.port
-            ];
+          }"
-          }
+          "localhost:${
-        ];
+            toString config.services.prometheus.exporters.smartctl.port
-      }
+          }"
         ];
+      }];
+    }];
   };
 
   # Grafana configuration

modules/networking.nix

@@ -42,6 +42,7 @@ in
     protocol = "duckdns";
     domains = [ "coolneng.duckdns.org" ];
     passwordFile = config.age.secrets.ddclient.path;
+    extraConfig = "";
   };
 
   # Firewall configuration
@@ -57,6 +58,11 @@ in
       wireguard_port # Wireguard
       53 # DNS
     ];
+    extraCommands = ''
+      iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${
+        config.systemd.network.networks."24-home".name
+      } -j MASQUERADE
+    '';
   };
 
   # Wireguard setup
@@ -104,11 +110,7 @@ in
       bogus-priv = true;
       no-resolv = true;
 
-      listen-address = [
+      listen-address = [ "127.0.0.1" "192.168.13.2" "10.8.0.1" ];
-        "127.0.0.1"
-        "192.168.13.2"
-        "10.8.0.1"
-      ];
       bind-interfaces = true;
       server = [ "127.0.0.1#43" ];