authorPreston Pan <ret2pop@nullring.xyz>2026-02-16 23:13:47 -0800
committerPreston Pan <ret2pop@nullring.xyz>2026-02-16 23:13:47 -0800
commit06198567765055febc8829f9f2ca398dd6817d93 (patch)
tree8553f885ae27fc7f64dc3655802dc3c129416f99 /nix/modules
parentefe21725f8d68a6be6fb3c4697c88666d11b13a8 (diff)
finish up most of the sysadmin work
Diffstat (limited to 'nix/modules')
-rw-r--r--nix/modules/conduit.nix2
-rw-r--r--nix/modules/configuration.nix10
-rw-r--r--nix/modules/gotosocial.nix14
-rw-r--r--nix/modules/home/default.nix6
-rw-r--r--nix/modules/home/emacs.nix1
-rw-r--r--nix/modules/home/mpd.nix10
-rw-r--r--nix/modules/home/user.nix8
-rw-r--r--nix/modules/maddy.nix6
-rw-r--r--nix/modules/matrix-appservice-irc.nix10
-rw-r--r--nix/modules/nginx.nix42
-rw-r--r--nix/modules/public_inbox.nix82
-rw-r--r--nix/modules/secrets.nix24
12 files changed, 202 insertions, 13 deletions
diff --git a/nix/modules/conduit.nix b/nix/modules/conduit.nix
index 6e4611f..4d7a30c 100644
--- a/nix/modules/conduit.nix
+++ b/nix/modules/conduit.nix
@@ -18,7 +18,7 @@
services.lk-jwt-service = {
enable = lib.mkDefault config.monorepo.profiles.server.enable;
port = 6495;
- livekitUrl = "wss://livekit.nullring.xyz";
+ livekitUrl = "wss://livekit.${config.monorepo.vars.orgHost}";
keyFile = "/run/secrets/livekit_secret";
};
services.livekit = {
diff --git a/nix/modules/configuration.nix b/nix/modules/configuration.nix
index e09571b..02d4a94 100644
--- a/nix/modules/configuration.nix
+++ b/nix/modules/configuration.nix
@@ -1,6 +1,7 @@
{ config, pkgs, lib, ... }:
{
imports = [
+ ./public_inbox.nix
./matterbridge.nix
./mautrix.nix
./xserver.nix
@@ -404,6 +405,7 @@ country=CA
users.groups.matterbridge = lib.mkDefault {};
users.groups.maddy = lib.mkDefault {};
users.groups.ntfy-sh = lib.mkDefault {};
+ users.groups.public-inbox = lib.mkDefault {};
users.users = {
conduit = {
@@ -427,11 +429,18 @@ country=CA
extraGroups = [ "acme" "nginx" ];
};
+ public-inbox = {
+ isSystemUser = lib.mkDefault true;
+ group = "public-inbox";
+
+ extraGroups = [ "acme" "nginx" ];
+ };
ngircd = {
isSystemUser = lib.mkDefault true;
group = "ngircd";
extraGroups = [ "acme" "nginx" ];
};
+
livekit = {
isSystemUser = lib.mkDefault true;
group = "livekit";
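Review bot: The new `public-inbox` user is given `extraGroups = [ "acme" "nginx" ];`, which nothing in this commit shows it needing: TLS for `list.` is terminated by nginx and proxied to port 9090 over plain HTTP, and membership in `acme` typically grants read access to the ACME private keys under `/var/lib/acme`. Unless public-inbox-httpd reads the certificates itself, least privilege suggests `extraGroups = [ ];` (or dropping the attribute). The line is copied verbatim from the neighbouring `ngircd` entry, so this looks like a template habit rather than a requirement; the enclosing `users.users` set starts before this hunk.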
@@ -463,6 +472,7 @@ country=CA
group = "git";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICts6+MQiMwpA+DfFQxjIN214Jn0pCw/2BDvOzPhR/H2 preston@continuity-dell"
+ "ssh-rsa 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 andrei@kiss"
];
};
"${config.monorepo.vars.userName}" = {
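Review bot: The added `ssh-rsa` key for `andrei@kiss` goes onto the shared `git` account with no key options, so it inherits everything that account permits (shell, port and agent forwarding); the account's `shell` setting is outside this hunk. If the account is only meant for git push/pull, prefixing the entry with `restrict` limits what a leaked key can do: `"restrict ssh-rsa <key> andrei@kiss"`. A short comment naming which repositories this key is expected to reach would also help, since keys on a shared user are otherwise hard to audit later.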
diff --git a/nix/modules/gotosocial.nix b/nix/modules/gotosocial.nix
new file mode 100644
index 0000000..6b81128
--- /dev/null
+++ b/nix/modules/gotosocial.nix
@@ -0,0 +1,14 @@
+{ lib, config, ... }:
+{
+ services.gotosocial = {
+ enable = lib.mkDefault config.monorepo.profiles.server.enable;
+ setupPostgresqlDB = true;
+ settings = {
+ application-name = "Nullring GoToSocial Instance";
+ host = "gotosocial.${config.monorepo.vars.orgHost}";
+ protocol = "https";
+ bind-address = "127.0.0.1";
+ port = 8080;
+ };
+ };
+}
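Review bot: `services.gotosocial` is enabled here, but nothing in this commit imports `./gotosocial.nix` (configuration.nix only adds `./public_inbox.nix`) or adds a `gotosocial.${config.monorepo.vars.orgHost}` virtual host in nginx.nix, so as committed the module is either never evaluated or, if imported elsewhere, listens on `127.0.0.1:8080` with `protocol = "https"` and no reverse proxy in front of it. If this is deliberately staged, a header comment such as `# not yet imported; needs an nginx vhost proxying to 127.0.0.1:8080` would say so. Binding to loopback is the right default and should be kept when the vhost is added.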
diff --git a/nix/modules/home/default.nix b/nix/modules/home/default.nix
index b1c07c3..a45ce59 100644
--- a/nix/modules/home/default.nix
+++ b/nix/modules/home/default.nix
@@ -53,19 +53,19 @@
email = {
email = lib.mkOption {
type = lib.types.str;
- default = "ret2pop@gmail.com";
+ default = "ret2pop@nullring.xyz";
example = "john@example.com";
description = "Email address and imaps/smtps account";
};
imapsServer = lib.mkOption {
type = lib.types.str;
- default = "imap.gmail.com";
+ default = "mail.nullring.xyz";
example = "imap.example.com";
description = "imaps server address";
};
smtpsServer = lib.mkOption {
type = lib.types.str;
- default = "smtp.gmail.com";
+ default = "mail.nullring.xyz";
example = "smtp.example.com";
description = "smtp server address";
};
diff --git a/nix/modules/home/emacs.nix b/nix/modules/home/emacs.nix
index 4256d34..cdf1def 100644
--- a/nix/modules/home/emacs.nix
+++ b/nix/modules/home/emacs.nix
@@ -9,6 +9,7 @@
(setq system-email "${config.monorepo.profiles.email.email}")
(setq system-username "${config.monorepo.vars.internetName}")
(setq system-fullname "${config.monorepo.vars.fullName}")
+(setq system-gpgkey "${config.monorepo.vars.gpgKey}")
(load "${pkgs.writeText "init.el" (builtins.readFile ../../init.el)}")
'';
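Review bot: `config.monorepo.vars.gpgKey` is read here but declared nowhere in this diff; if the option does not exist elsewhere in the repository, evaluation of the home module fails. The value is interpolated into an Elisp string literal without escaping, which is fine for a hex key ID or fingerprint but would break on any value containing `"`; a comment such as `;; expects a key ID or fingerprint, not a user ID` on the new line pins the expected form.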
diff --git a/nix/modules/home/mpd.nix b/nix/modules/home/mpd.nix
index 8f646ea..2ab711b 100644
--- a/nix/modules/home/mpd.nix
+++ b/nix/modules/home/mpd.nix
@@ -13,16 +13,16 @@
type "pipewire"
name "pipewire output"
}
+
audio_output {
type "httpd"
- name "My HTTP Stream"
+ name "Ret2pop's Music Stream"
encoder "opus" # optional
port "8000"
- # quality "5.0" # do not define if bitrate is defined
- bitrate "128000" # do not define if quality is defined
+ bitrate "128000"
format "48000:16:1"
- always_on "yes" # prevent MPD from disconnecting all listeners when playback is stopped.
- tags "yes" # httpd supports sending tags to listening streams.
+ always_on "yes"
+ tags "yes"
}
audio_output {
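Review bot: The removed comments on `bitrate`, `always_on` and `tags` carried non-obvious constraints — `quality` and `bitrate` are mutually exclusive, and `always_on "yes"` keeps listeners attached when playback stops — that the new lines no longer explain. One short comment per option, e.g. `bitrate "128000" # do not set quality when bitrate is set`, costs nothing in the generated mpd.conf. The enclosing `extraConfig` string starts before this hunk.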
diff --git a/nix/modules/home/user.nix b/nix/modules/home/user.nix
index 55e16fc..cb29b4c 100644
--- a/nix/modules/home/user.nix
+++ b/nix/modules/home/user.nix
@@ -30,6 +30,8 @@
packages = with pkgs; (if config.monorepo.profiles.graphics.enable then [
# wikipedia
# kiwix kiwix-tools
+ gnupg
+ unzip
mupdf
zathura
@@ -149,6 +151,12 @@ cd "$HOME"
'';
};
};
+ xdg.mimeApps = {
+ enable = true;
+ defaultApplications = {
+ "x-scheme-handler/mailto" = "emacsclient-mail.desktop";
+ };
+ };
programs.bash.enable = true;
fonts.fontconfig.enable = true;
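Review bot: `x-scheme-handler/mailto` is mapped to `emacsclient-mail.desktop`, but no desktop entry by that name is created in this commit; if it is not supplied by a package or an `xdg.desktopEntries` declaration elsewhere, mailto links silently fall through to nothing. A comment naming where the entry comes from, e.g. `# provided by <package or module>`, would make the dependency visible.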
diff --git a/nix/modules/maddy.nix b/nix/modules/maddy.nix
index 42f24f9..1d4710d 100644
--- a/nix/modules/maddy.nix
+++ b/nix/modules/maddy.nix
@@ -29,6 +29,12 @@
"${config.monorepo.vars.internetName}@${config.monorepo.vars.orgHost}" = {
passwordFile = "/run/secrets/mail_password";
};
+ "monorepo@${config.monorepo.vars.orgHost}" = {
+ passwordFile = "/run/secrets/mail_monorepo_password";
+ };
+ "discussion@${config.monorepo.vars.orgHost}" = {
+ passwordFile = "/run/secrets/mail_monorepo_password";
+ };
};
};
}
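Review bot: Both new mailboxes point at the same `passwordFile = "/run/secrets/mail_monorepo_password"`, so one credential authenticates two addresses and compromise or rotation of one necessarily affects the other. If that is intended, record it: `# both list addresses share one credential; rotate together`. The same password is also rendered into the public-inbox netrc in secrets.nix through a separate sops key (`mail_monorepo_password_pi`), which has to be kept equal to this one by hand.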
diff --git a/nix/modules/matrix-appservice-irc.nix b/nix/modules/matrix-appservice-irc.nix
new file mode 100644
index 0000000..518cdde
--- /dev/null
+++ b/nix/modules/matrix-appservice-irc.nix
@@ -0,0 +1,10 @@
+{ lib, config, ... }:
+{
+ enable = lib.mkDefault config.monorepo.profiles.server.enable;
+ registrationUrl = "localhost";
+
+ settings = {
+ homeserver.url = "https://matrix.nullring.xyz";
+ homserver.domain = "matrix.nullring.xyz";
+ };
+}
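Review bot: The module returns `enable`, `registrationUrl` and `settings` at the top level instead of under `services.matrix-appservice-irc`, so importing it would fail evaluation on an undefined top-level option, and `homserver.domain` on the last settings line is misspelled, so the domain would never reach the bridge. The host names are also hard-coded to `matrix.nullring.xyz` where every other file in this commit uses `${config.monorepo.vars.orgHost}`. `registrationUrl = "localhost"` is not a URL; confirm the scheme and port the homeserver should use to reach the appservice before enabling it. Nothing in this commit imports the file, so the breakage is latent; the corrected module is below.
```nix
{ lib, config, ... }:
{
  services.matrix-appservice-irc = {
    enable = lib.mkDefault config.monorepo.profiles.server.enable;
    registrationUrl = "localhost";

    settings = {
      homeserver.url = "https://matrix.${config.monorepo.vars.orgHost}";
      homeserver.domain = "matrix.${config.monorepo.vars.orgHost}";
    };
  };
}
```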
diff --git a/nix/modules/nginx.nix b/nix/modules/nginx.nix
index 87f11c1..621c9ef 100644
--- a/nix/modules/nginx.nix
+++ b/nix/modules/nginx.nix
@@ -10,7 +10,7 @@
gitweb = {
enable = true;
- virtualHost = "${config.monorepo.vars.remoteHost}";
+ virtualHost = "${config.monorepo.vars.orgHost}";
};
virtualHosts = {
@@ -49,11 +49,12 @@
};
locations."= /.well-known/matrix/server" = {
extraConfig = ''
+ default_type application/json;
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
'';
- return = ''200 '{"m.server": "matrix.nullring.xyz:443"}' '';
+ return = ''200 '{"m.server": "matrix.${config.monorepo.vars.orgHost}:443"}' '';
};
locations."/.well-known/matrix/client" = {
extraConfig = ''
@@ -115,8 +116,8 @@
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
- # proxy_set_header Upgrade $http_upgrade;
- # proxy_set_header Connection "upgrade";
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
# --- CORS CONFIGURATION START ---
# 1. Allow all origins (including app.element.io)
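Review bot: `proxy_set_header Connection "upgrade"` is now sent on every proxied request, marking plain requests as upgrades even when `$http_upgrade` is empty; nginx's documented pattern derives it from the request with `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` in `services.nginx.appendHttpConfig` and then `proxy_set_header Connection $connection_upgrade;` here. WebSocket upgrade also needs `proxy_http_version 1.1;`, which is not visible in this hunk — the location block starts above it. The hunk header does not say which vhost this is, so confirm the backend actually speaks WebSocket before keeping the unconditional header.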
@@ -161,6 +162,39 @@
enableACME = true;
};
+ "list.${config.monorepo.vars.orgHost}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:9090";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ '';
+ };
+ };
+
+ # the port comes from ssh tunnelling
+ "music.${config.monorepo.vars.remoteHost}" = {
+ addSSL = true;
+ enableACME = true;
+ basicAuthFile = config.sops.secrets."mpd_password".path;
+ locations."/" = {
+ proxyPass = "http://localhost:8000";
+ extraConfig = ''
+proxy_buffering off;
+proxy_http_version 1.1;
+proxy_set_header Connection "";
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_read_timeout 36000s;
+'';
+ };
+ };
+
"${config.monorepo.vars.orgHost}" = {
serverName = "${config.monorepo.vars.orgHost}";
root = "/var/www/nullring/";
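Review bot: The `music.` vhost combines `addSSL = true` with `basicAuthFile`, so the same location is also served over plain HTTP and a client that starts at `http://` sends the Basic credentials in cleartext; the neighbouring `list.` vhost uses `forceSSL = true;` and the music host should match. `basicAuthFile` must point at an htpasswd-format file (`user:<hash>` lines); secrets.nix declares `mpd_password` only with `format = "yaml"` and `owner = "nginx"`, so make sure the stored value is a hashed entry, not the raw password. The comment `# the port comes from ssh tunnelling` would be more useful if it named which host forwards to `localhost:8000`, since the upstream is otherwise invisible from this module.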
diff --git a/nix/modules/public_inbox.nix b/nix/modules/public_inbox.nix
new file mode 100644
index 0000000..9f1532c
--- /dev/null
+++ b/nix/modules/public_inbox.nix
@@ -0,0 +1,82 @@
+{ lib, config, ... }:
+{
+ systemd.tmpfiles.rules = [
+ "C+ /var/lib/public-inbox/style.css 0644 public-inbox public-inbox - ${../data/public-inbox.css}"
+ ];
+ systemd.services.public-inbox-httpd = if config.monorepo.profiles.server.enable then {
+ preStart = ''
+ # Copy or link the file.
+ # Using 'cp' is often safer for sandboxed services than linking to the store. Lol.
+ cp -f ${../data/public-inbox.css} /var/lib/public-inbox/style.css
+ chmod 644 /var/lib/public-inbox/style.css
+ '';
+
+ serviceConfig = {
+ # Allow the service to see the file it just created
+ BindPaths = [
+ "/var/lib/public-inbox"
+ ];
+ ReadOnlyPaths = [ "/var/lib/public-inbox/style.css" ];
+ # Ensure it can actually write to the directory during preStart
+ ReadWritePaths = [ "/var/lib/public-inbox" ];
+ };
+ } else {};
+
+ systemd.services.public-inbox-watch = if config.monorepo.profiles.server.enable then {
+ after = [ "sops-nix.service" ];
+ confinement.enable = lib.mkForce false;
+ preStart = ''
+ mkdir -p /var/lib/public-inbox/.tmp
+ chmod 0700 /var/lib/public-inbox/.tmp
+ ln -sfn ${config.sops.templates."public-inbox-netrc".path} /var/lib/public-inbox/.netrc
+ '';
+ environment = {
+ PUBLIC_INBOX_FORCE_IPV4 = "1";
+ NETRC = config.sops.templates."public-inbox-netrc".path;
+ HOME = "/var/lib/public-inbox";
+ TMPDIR = "/var/lib/public-inbox/.tmp";
+ };
+
+ serviceConfig = {
+ RestrictSUIDSGID = lib.mkForce false;
+ ReadWritePaths = [ "/var/lib/public-inbox" ];
+ RestrictAddressFamilies = lib.mkForce [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+ PrivateNetwork = lib.mkForce false;
+ SystemCallFilter = lib.mkForce [];
+ RootDirectory = lib.mkForce "";
+
+ CapabilityBoundingSet = lib.mkForce [ "~" ];
+ UMask = lib.mkForce "0022";
+ ProtectSystem = lib.mkForce false;
+ };
+ } else {};
+
+ services.public-inbox = {
+ enable = lib.mkDefault config.monorepo.profiles.server.enable;
+ settings = {
+ publicinbox.css = ["/var/lib/public-inbox/style.css"];
+ publicinbox.wwwlisting = "all";
+ };
+ http = {
+ enable = true;
+ port = 9090;
+ };
+ inboxes = {
+ "monorepo" = {
+ description = "discussion of ret2pop's monorepo project and related work.";
+ address = [ "monorepo@${config.monorepo.vars.orgHost}" ];
+ inboxdir = "/var/lib/public-inbox/monorepo";
+ url = "https://list.${config.monorepo.vars.orgHost}/monorepo";
+ watch = [ "imaps://monorepo%40${config.monorepo.vars.orgHost}@mail.${config.monorepo.vars.orgHost}/INBOX" ];
+ };
+
+ "discussion" = {
+ description = "Main Nullring Discussion Mailing List";
+ address = [ "discussion@${config.monorepo.vars.orgHost}" ];
+ inboxdir = "/var/lib/public-inbox/discuss";
+ url = "https://list.${config.monorepo.vars.orgHost}/discussion";
+ watch = [ "imaps://discussion%40${config.monorepo.vars.orgHost}@mail.${config.monorepo.vars.orgHost}/INBOX" ];
+ };
+ };
+ };
+}
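Review bot: The `public-inbox-watch` override strips essentially all of the upstream unit's sandboxing at once (`confinement.enable = lib.mkForce false`, `SystemCallFilter = lib.mkForce []`, `RootDirectory = lib.mkForce ""`, `ProtectSystem = lib.mkForce false`, `RestrictSUIDSGID = lib.mkForce false`) without recording which restriction actually broke the IMAP watcher, so the process holding the list credentials via `NETRC` now runs with far fewer limits than the distribution intended. Each `mkForce` should carry a one-line reason, e.g. `# needed: reads the sops template under /run/secrets`, and any not strictly required should be removed one at a time. The `preStart` also links `~/.netrc` to the template even though `NETRC` already points at it, and the httpd `preStart` copy duplicates the `C+` tmpfiles rule above, so one of each pair can go. `CapabilityBoundingSet = [ "~" ]` is an unusual spelling; confirm with `systemctl show public-inbox-watch -p CapabilityBoundingSet` that it yields the set you expect.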
diff --git a/nix/modules/secrets.nix b/nix/modules/secrets.nix
index f7deb5d..1a09652 100644
--- a/nix/modules/secrets.nix
+++ b/nix/modules/secrets.nix
@@ -7,6 +7,15 @@
templates = if config.monorepo.profiles.server.enable then {
+ "public-inbox-netrc" = {
+ owner = "public-inbox";
+ group = "public-inbox";
+ mode = "0400";
+ content = ''
+machine mail.${config.monorepo.vars.orgHost} login monorepo@${config.monorepo.vars.orgHost} password ${config.sops.placeholder."mail_monorepo_password_pi"}
+machine mail.${config.monorepo.vars.orgHost} login discussion@${config.monorepo.vars.orgHost} password ${config.sops.placeholder."mail_monorepo_password_pi"}
+ '';
+ };
"matterbridge" = {
owner = "matterbridge";
content = ''
@@ -91,6 +100,17 @@ channel="-5290629325"
format = "yaml";
owner = "maddy";
};
+
+ mail_monorepo_password = {
+ format = "yaml";
+ owner = "maddy";
+ };
+
+ mail_monorepo_password_pi = {
+ format = "yaml";
+ owner = "public-inbox";
+ };
+
conduit_secrets = {
format = "yaml";
};
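Review bot: `mail_monorepo_password_pi` is a second sops key carrying the same password as `mail_monorepo_password` — the netrc template renders the `_pi` placeholder for exactly the two logins maddy authenticates with — so the two must be kept equal by hand, and drift breaks the IMAP watch without any error in this configuration. As far as I know sops-nix renders templates from the decrypted secret value independently of the secret file's owner, so the template can reference `config.sops.placeholder."mail_monorepo_password"` directly and the `_pi` entry can be dropped. If the duplication is kept, `# must equal mail_monorepo_password` on both entries is the minimum.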
@@ -103,6 +123,10 @@ channel="-5290629325"
discord_token = {
format = "yaml";
};
+ mpd_password = {
+ format = "yaml";
+ owner = "nginx";
+ };
ntfy = {
format = "yaml";
owner = "ntfy-sh";