Compare commits
No commits in common. "b8ae40febd239bdd67e362c604316c4f7077c815" and "5f5dc1cbcdc66edebe896430527ae614f249da6e" have entirely different histories.
b8ae40febd
...
5f5dc1cbcd
@ -202,10 +202,10 @@ with pkgs;
|
|||||||
# Limit the memory and CPU use of Nix
|
# Limit the memory and CPU use of Nix
|
||||||
systemd.services.nixos-upgrade.serviceConfig = {
|
systemd.services.nixos-upgrade.serviceConfig = {
|
||||||
MemoryHigh = [ "500M" ];
|
MemoryHigh = [ "500M" ];
|
||||||
MemoryMax = [ "2G" ];
|
MemoryMax = [ "2048M" ];
|
||||||
MemorySwapMax = [ "500M" ];
|
CPUWeight = [ "20" ];
|
||||||
CPUWeight = [ "50" ];
|
CPUQuota = [ "85%" ];
|
||||||
CPUQuota = [ "50%" ];
|
IOWeight = [ "20" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
# Configure git for auto-upgrade
|
# Configure git for auto-upgrade
|
||||||
|
|||||||
15
flake.nix
15
flake.nix
@ -15,16 +15,8 @@
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs =
|
outputs = { self, nixpkgs, nixpkgs-unstable, agenix, nixos-hardware
|
||||||
{
|
, nix-matrix-appservices, ... }@inputs:
|
||||||
self,
|
|
||||||
nixpkgs,
|
|
||||||
nixpkgs-unstable,
|
|
||||||
agenix,
|
|
||||||
nixos-hardware,
|
|
||||||
nix-matrix-appservices,
|
|
||||||
...
|
|
||||||
}@inputs:
|
|
||||||
let
|
let
|
||||||
system = "aarch64-linux";
|
system = "aarch64-linux";
|
||||||
|
|
||||||
@ -34,8 +26,7 @@
|
|||||||
|
|
||||||
lib = nixpkgs.lib;
|
lib = nixpkgs.lib;
|
||||||
|
|
||||||
in
|
in {
|
||||||
{
|
|
||||||
nixosConfigurations.zion = lib.nixosSystem {
|
nixosConfigurations.zion = lib.nixosSystem {
|
||||||
inherit system;
|
inherit system;
|
||||||
modules = [
|
modules = [
|
||||||
|
|||||||
@ -1,9 +1,4 @@
|
|||||||
{
|
{ config, lib, pkgs, ... }:
|
||||||
config,
|
|
||||||
lib,
|
|
||||||
pkgs,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
|
|
||||||
with pkgs;
|
with pkgs;
|
||||||
|
|
||||||
@ -16,8 +11,7 @@ let
|
|||||||
conn_max_lifetime = -1;
|
conn_max_lifetime = -1;
|
||||||
};
|
};
|
||||||
|
|
||||||
in
|
in {
|
||||||
{
|
|
||||||
# Matrix server configuration
|
# Matrix server configuration
|
||||||
services.dendrite = {
|
services.dendrite = {
|
||||||
enable = true;
|
enable = true;
|
||||||
@ -40,31 +34,16 @@ in
|
|||||||
"/var/lib/matrix-as-telegram/telegram-registration.yaml"
|
"/var/lib/matrix-as-telegram/telegram-registration.yaml"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
media_api = {
|
media_api = { inherit database; };
|
||||||
inherit database;
|
room_server = { inherit database; };
|
||||||
};
|
push_server = { inherit database; };
|
||||||
room_server = {
|
|
||||||
inherit database;
|
|
||||||
};
|
|
||||||
push_server = {
|
|
||||||
inherit database;
|
|
||||||
};
|
|
||||||
mscs = {
|
mscs = {
|
||||||
inherit database;
|
inherit database;
|
||||||
mscs = [
|
mscs = [ "msc2836" "msc2946" ];
|
||||||
"msc2836"
|
|
||||||
"msc2946"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
sync_api = {
|
|
||||||
inherit database;
|
|
||||||
};
|
|
||||||
key_server = {
|
|
||||||
inherit database;
|
|
||||||
};
|
|
||||||
federation_api = {
|
|
||||||
inherit database;
|
|
||||||
};
|
};
|
||||||
|
sync_api = { inherit database; };
|
||||||
|
key_server = { inherit database; };
|
||||||
|
federation_api = { inherit database; };
|
||||||
user_api = {
|
user_api = {
|
||||||
account_database = database;
|
account_database = database;
|
||||||
device_database = database;
|
device_database = database;
|
||||||
@ -106,7 +85,7 @@ in
|
|||||||
facebook = {
|
facebook = {
|
||||||
port = 8228;
|
port = 8228;
|
||||||
format = "mautrix-python";
|
format = "mautrix-python";
|
||||||
package = mautrix-meta;
|
package = mautrix-facebook;
|
||||||
serviceConfig.EnvironmentFile = config.age.secrets.facebook.path;
|
serviceConfig.EnvironmentFile = config.age.secrets.facebook.path;
|
||||||
settings = {
|
settings = {
|
||||||
appservice.database = "$DB_STRING";
|
appservice.database = "$DB_STRING";
|
||||||
@ -114,9 +93,41 @@ in
|
|||||||
bridge.permissions."@coolneng:coolneng.duckdns.org" = "admin";
|
bridge.permissions."@coolneng:coolneng.duckdns.org" = "admin";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
signal = {
|
||||||
|
port = 8338;
|
||||||
|
format = "mautrix-python";
|
||||||
|
package = mautrix-signal;
|
||||||
|
serviceConfig = {
|
||||||
|
EnvironmentFile = config.age.secrets.signal.path;
|
||||||
|
StateDirectory = [ "matrix-as-signal" "signald" ];
|
||||||
|
JoinNamespaceOf = "signald.service";
|
||||||
|
SupplementaryGroups = [ "signald" ];
|
||||||
|
};
|
||||||
|
settings = {
|
||||||
|
appservice.database = "$DB_STRING";
|
||||||
|
homeserver.software = "standard";
|
||||||
|
bridge.permissions."@coolneng:coolneng.duckdns.org" = "admin";
|
||||||
|
signal = {
|
||||||
|
socket_path = config.services.signald.socketPath;
|
||||||
|
outgoing_attachment_dir = "/var/lib/signald/tmp";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Additional settings for mautrix-signal
|
||||||
|
services.signald = {
|
||||||
|
enable = true;
|
||||||
|
user = "matrix-as-signal";
|
||||||
|
};
|
||||||
|
systemd.services.matrix-as-signal = {
|
||||||
|
requires = [ "signald.service" ];
|
||||||
|
after = [ "signald.service" ];
|
||||||
|
unitConfig.JoinsNamespaceOf = "signald.service";
|
||||||
|
path = [ ffmpeg ];
|
||||||
|
};
|
||||||
|
|
||||||
# Enable voice messages for facebook
|
# Enable voice messages for facebook
|
||||||
systemd.services.matrix-as-facebook.path = [ ffmpeg ];
|
systemd.services.matrix-as-facebook.path = [ ffmpeg ];
|
||||||
|
|
||||||
@ -124,26 +135,18 @@ in
|
|||||||
services.mosquitto = {
|
services.mosquitto = {
|
||||||
enable = true;
|
enable = true;
|
||||||
dataDir = "/vault/mosquitto";
|
dataDir = "/vault/mosquitto";
|
||||||
logType = [
|
logType = [ "websockets" "error" "warning" "notice" "information" ];
|
||||||
"websockets"
|
|
||||||
"error"
|
|
||||||
"warning"
|
|
||||||
"notice"
|
|
||||||
"information"
|
|
||||||
];
|
|
||||||
logDest = [ "syslog" ];
|
logDest = [ "syslog" ];
|
||||||
listeners = [
|
listeners = [{
|
||||||
{
|
users.homeostasis = {
|
||||||
users.homeostasis = {
|
acl = [ "write #" ];
|
||||||
acl = [ "write #" ];
|
hashedPasswordFile = config.age.secrets.mqtt-sender.path;
|
||||||
hashedPasswordFile = config.age.secrets.mqtt-sender.path;
|
};
|
||||||
};
|
users.prometheus = {
|
||||||
users.prometheus = {
|
acl = [ "read #" ];
|
||||||
acl = [ "read #" ];
|
hashedPasswordFile = config.age.secrets.mqtt-receiver.path;
|
||||||
hashedPasswordFile = config.age.secrets.mqtt-receiver.path;
|
};
|
||||||
};
|
}];
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|||||||
@ -1,9 +1,4 @@
|
|||||||
{
|
{ config, lib, pkgs, ... }:
|
||||||
config,
|
|
||||||
lib,
|
|
||||||
pkgs,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
|
|
||||||
with pkgs;
|
with pkgs;
|
||||||
|
|
||||||
|
|||||||
@ -1,10 +1,4 @@
|
|||||||
{
|
{ config, pkgs, lib, ... }: {
|
||||||
config,
|
|
||||||
pkgs,
|
|
||||||
lib,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
{
|
|
||||||
# Set up Gitea with LFS support
|
# Set up Gitea with LFS support
|
||||||
services.gitea = {
|
services.gitea = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|||||||
@ -1,21 +1,12 @@
|
|||||||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||||
# and may be overwritten by future invocations. Please make changes
|
# and may be overwritten by future invocations. Please make changes
|
||||||
# to /etc/nixos/configuration.nix instead.
|
# to /etc/nixos/configuration.nix instead.
|
||||||
{
|
{ config, lib, pkgs, modulesPath, ... }:
|
||||||
config,
|
|
||||||
lib,
|
|
||||||
pkgs,
|
|
||||||
modulesPath,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
|
|
||||||
{
|
{
|
||||||
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
|
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = [
|
boot.initrd.availableKernelModules = [ "xhci_pci" "usb_storage" ];
|
||||||
"xhci_pci"
|
|
||||||
"usb_storage"
|
|
||||||
];
|
|
||||||
boot.initrd.kernelModules = [ ];
|
boot.initrd.kernelModules = [ ];
|
||||||
boot.kernelModules = [ ];
|
boot.kernelModules = [ ];
|
||||||
boot.extraModulePackages = [ ];
|
boot.extraModulePackages = [ ];
|
||||||
@ -126,7 +117,8 @@
|
|||||||
options = [ "bind" ];
|
options = [ "bind" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
swapDevices = [ { device = "/dev/disk/by-uuid/835f9dd4-cc27-4443-b5e1-381c2f4b2afc"; } ];
|
swapDevices =
|
||||||
|
[{ device = "/dev/disk/by-uuid/835f9dd4-cc27-4443-b5e1-381c2f4b2afc"; }];
|
||||||
|
|
||||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||||
|
|||||||
@ -1,9 +1,4 @@
|
|||||||
{
|
{ config, lib, pkgs, ... }:
|
||||||
config,
|
|
||||||
lib,
|
|
||||||
pkgs,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
|
|
||||||
with pkgs;
|
with pkgs;
|
||||||
|
|
||||||
@ -61,20 +56,20 @@ with pkgs;
|
|||||||
postgres.enable = true;
|
postgres.enable = true;
|
||||||
smartctl.enable = true;
|
smartctl.enable = true;
|
||||||
};
|
};
|
||||||
scrapeConfigs = [
|
scrapeConfigs = [{
|
||||||
{
|
job_name = "zion";
|
||||||
job_name = "zion";
|
static_configs = [{
|
||||||
static_configs = [
|
targets = [
|
||||||
{
|
"localhost:${toString config.services.prometheus.exporters.node.port}"
|
||||||
targets = [
|
"localhost:${
|
||||||
"localhost:${toString config.services.prometheus.exporters.node.port}"
|
toString config.services.prometheus.exporters.postgres.port
|
||||||
"localhost:${toString config.services.prometheus.exporters.postgres.port}"
|
}"
|
||||||
"localhost:${toString config.services.prometheus.exporters.smartctl.port}"
|
"localhost:${
|
||||||
];
|
toString config.services.prometheus.exporters.smartctl.port
|
||||||
}
|
}"
|
||||||
];
|
];
|
||||||
}
|
}];
|
||||||
];
|
}];
|
||||||
};
|
};
|
||||||
|
|
||||||
# Grafana configuration
|
# Grafana configuration
|
||||||
|
|||||||
@ -42,6 +42,7 @@ in
|
|||||||
protocol = "duckdns";
|
protocol = "duckdns";
|
||||||
domains = [ "coolneng.duckdns.org" ];
|
domains = [ "coolneng.duckdns.org" ];
|
||||||
passwordFile = config.age.secrets.ddclient.path;
|
passwordFile = config.age.secrets.ddclient.path;
|
||||||
|
extraConfig = "";
|
||||||
};
|
};
|
||||||
|
|
||||||
# Firewall configuration
|
# Firewall configuration
|
||||||
@ -57,6 +58,11 @@ in
|
|||||||
wireguard_port # Wireguard
|
wireguard_port # Wireguard
|
||||||
53 # DNS
|
53 # DNS
|
||||||
];
|
];
|
||||||
|
extraCommands = ''
|
||||||
|
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${
|
||||||
|
config.systemd.network.networks."24-home".name
|
||||||
|
} -j MASQUERADE
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
# Wireguard setup
|
# Wireguard setup
|
||||||
@ -104,11 +110,7 @@ in
|
|||||||
bogus-priv = true;
|
bogus-priv = true;
|
||||||
no-resolv = true;
|
no-resolv = true;
|
||||||
|
|
||||||
listen-address = [
|
listen-address = [ "127.0.0.1" "192.168.13.2" "10.8.0.1" ];
|
||||||
"127.0.0.1"
|
|
||||||
"192.168.13.2"
|
|
||||||
"10.8.0.1"
|
|
||||||
];
|
|
||||||
bind-interfaces = true;
|
bind-interfaces = true;
|
||||||
server = [ "127.0.0.1#43" ];
|
server = [ "127.0.0.1#43" ];
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user