| author | Preston Pan <ret2pop@gmail.com> | 2026-02-11 14:43:01 -0800 |
|---|---|---|
| committer | Preston Pan <ret2pop@gmail.com> | 2026-02-11 14:43:01 -0800 |
| commit | 6a4f95482fa2c0faeafa028eae164d00c6418ac3 (patch) | |
| tree | 8f87a90ae697b1a1ea6c3ed63c59d5e22de55425 /nix/modules | |
| parent | a3106cdc192a64daa6421dc63ab3dd6000bdc112 (diff) | |
add vps stuff; fix internet issues plaguing my devices
Diffstat (limited to 'nix/modules')
| -rw-r--r-- | nix/modules/conduit.nix | 30 | ||||
| -rw-r--r-- | nix/modules/configuration.nix | 120 | ||||
| -rw-r--r-- | nix/modules/coturn.nix | 10 | ||||
| -rw-r--r-- | nix/modules/docker.nix | 24 | ||||
| -rw-r--r-- | nix/modules/gitweb.nix | 5 | ||||
| -rw-r--r-- | nix/modules/home/default.nix | 2 | ||||
| -rw-r--r-- | nix/modules/home/emacs.nix | 1 | ||||
| -rw-r--r-- | nix/modules/home/firefox.nix | 2 | ||||
| -rw-r--r-- | nix/modules/home/git.nix | 1 | ||||
| -rw-r--r-- | nix/modules/home/mpd.nix | 25 | ||||
| -rw-r--r-- | nix/modules/home/personal_secrets.nix | 23 | ||||
| -rw-r--r-- | nix/modules/home/secrets.nix | 29 | ||||
| -rw-r--r-- | nix/modules/home/user.nix | 2 | ||||
| -rw-r--r-- | nix/modules/home/vps_secrets.nix | 43 | ||||
| -rw-r--r-- | nix/modules/honk.nix | 2 | ||||
| -rw-r--r-- | nix/modules/impermanence.nix | 1 | ||||
| -rw-r--r-- | nix/modules/maddy.nix | 13 | ||||
| -rw-r--r-- | nix/modules/matterbridge.nix | 2 | ||||
| -rw-r--r-- | nix/modules/mautrix.nix | 2 | ||||
| -rw-r--r-- | nix/modules/murmur.nix | 3 | ||||
| -rw-r--r-- | nix/modules/nginx.nix | 104 | ||||
| -rw-r--r-- | nix/modules/ntfy-sh.nix | 12 | ||||
| -rw-r--r-- | nix/modules/nvidia.nix | 2 | ||||
| -rw-r--r-- | nix/modules/secrets.nix | 101 |
24 files changed, 424 insertions, 135 deletions
diff --git a/nix/modules/conduit.nix b/nix/modules/conduit.nix index dc3ea56..6e4611f 100644 --- a/nix/modules/conduit.nix +++ b/nix/modules/conduit.nix @@ -2,6 +2,7 @@ { services.matrix-conduit = { enable = lib.mkDefault config.monorepo.profiles.server.enable; + secretFile = "/run/secrets/conduit_secrets"; settings.global = { server_name = "matrix.${config.monorepo.vars.orgHost}"; trusted_servers = [ @@ -14,4 +15,33 @@ allow_registration = false; }; }; + services.lk-jwt-service = { + enable = lib.mkDefault config.monorepo.profiles.server.enable; + port = 6495; + livekitUrl = "wss://livekit.nullring.xyz"; + keyFile = "/run/secrets/livekit_secret"; + }; + services.livekit = { + enable = lib.mkDefault config.monorepo.profiles.server.enable; + keyFile = "/run/secrets/livekit_secret"; + settings = { + port = 7880; + turn = { + enabled = true; + domain = "livekit.${config.monorepo.vars.orgHost}"; + cert_file = "/var/lib/acme/livekit.${config.monorepo.vars.orgHost}/fullchain.pem"; + key_file = "/var/lib/acme/livekit.${config.monorepo.vars.orgHost}/key.pem"; + tls_port = 5349; + udp_port = 3478; + }; + + rtc = { + use_external_ip = true; + tcp_port = 7881; + udp_port = 7882; + port_range_start = 50000; + port_range_end = 60000; + }; + }; + }; } diff --git a/nix/modules/configuration.nix b/nix/modules/configuration.nix index e2d12e2..35944e0 100644 --- a/nix/modules/configuration.nix +++ b/nix/modules/configuration.nix @@ -11,6 +11,7 @@ ./nvidia.nix ./cuda.nix ./nginx.nix + ./secrets.nix ./git-daemon.nix ./ollama.nix ./i2pd.nix @@ -22,8 +23,13 @@ ./znc.nix ./docker.nix ./impermanence.nix + ./coturn.nix ]; + environment.etc."wpa_supplicant.conf".text = '' +country=CA +''; + documentation = { enable = lib.mkDefault config.monorepo.profiles.documentation.enable; man.enable = lib.mkDefault config.monorepo.profiles.documentation.enable; 
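Review bot: `livekitUrl = "wss://livekit.nullring.xyz"` in the new `services.lk-jwt-service` block hardcodes the host that the surrounding lines derive from `config.monorepo.vars.orgHost`, so changing that variable would leave the JWT service pointing at the old domain while LiveKit's own `turn.domain` moves with it. The nginx hunk's `= /.well-known/matrix/server` location carries the same literal (`matrix.nullring.xyz:443`). Suggested: `livekitUrl = "wss://livekit.${config.monorepo.vars.orgHost}";` and `return = ''200 '{"m.server": "matrix.${config.monorepo.vars.orgHost}:443"}' '';`. Both new services read `/run/secrets/livekit_secret`, so they depend on that file's owner and mode matching the users they run as.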
@@ -60,6 +66,13 @@ }; extraModprobeConfig = '' options snd-usb-audio vid=0x1235 pid=0x8200 device_setup=1 + options rtw88_core disable_lps_deep=y power_save=0 disable_aspm_l1ss=y + options rtw88_pci disable_msi=y disable_aspm=y + options rtw_core disable_lps_deep=y + options rtw_pci disable_msi=y disable_aspm=y + options rtw89_core disable_ps_mode=y + options rtw89_pci disable_aspm_l1=y disable_aspm_l1ss=y disable_clkreq=y + options iwlwifi 11n_disable=8 uapsd_disable=1 bt_coex_active=0 disable_11ax=1 power_save=0 ''; extraModulePackages = [ ]; @@ -97,7 +110,10 @@ ]; kernelParams = [ + "cfg80211.reg_alpha2=CA" "usbcore.autosuspend=-1" + "pcie_aspm=off" + "pci=noaer" # "debugfs=off" "page_alloc.shuffle=1" "slab_nomerge" @@ -169,14 +185,15 @@ "kernel.perf_event_paranoid" = 3; # net + "net.ipv4.ip_forward" = 1; "net.ipv4.icmp_echo_ignore_broadcasts" = true; - "net.ipv4.conf.all.accept_redirects" = false; - "net.ipv4.conf.all.secure_redirects" = false; - "net.ipv4.conf.default.accept_redirects" = false; - "net.ipv4.conf.default.secure_redirects" = false; - "net.ipv6.conf.all.accept_redirects" = false; - "net.ipv6.conf.default.accept_redirects" = false; + # "net.ipv4.conf.all.accept_redirects" = false; + # "net.ipv4.conf.all.secure_redirects" = false; + # "net.ipv4.conf.default.accept_redirects" = false; + # "net.ipv4.conf.default.secure_redirects" = false; + # "net.ipv6.conf.all.accept_redirects" = false; + # "net.ipv6.conf.default.accept_redirects" = false; }; }; 
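Review bot: The sysctl hunk (`@@ -169,14 +185,15 @@`) comments out all six `accept_redirects`/`secure_redirects = false` entries while switching on `"net.ipv4.ip_forward" = 1;`, which leaves a host that now forwards traffic accepting ICMP redirects, i.e. letting an on-link peer rewrite its routing. The commit message attributes the change to Wi-Fi problems, but the redirect settings are independent of the driver module options and kernel parameters changed in the two hunks above, so nothing visible here needs them relaxed. Suggest restoring the six lines as they were (`"net.ipv4.conf.all.accept_redirects" = false;` and siblings) and, if forwarding really is required on the server profile, adding a comment naming the service that needs it.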
@@ -185,40 +202,42 @@ dhcpcd.enable = (! config.monorepo.profiles.server.enable); networkmanager = { enable = true; - wifi.powersave = false; + wifi = { + powersave = false; + }; ensureProfiles = { - profiles = { - home-wifi = { - connection = { - id = "home-wifi"; - permissions = ""; - type = "wifi"; - }; - ipv4 = { - dns-search = ""; - method = "auto"; - }; - ipv6 = { - addr-gen-mode = "stable-privacy"; - dns-search = ""; - method = "auto"; - }; - wifi = { - mac-address-blacklist = ""; - mode = "infrastructure"; - ssid = "TELUS6572"; - }; - wifi-security = { - auth-alg = "open"; - key-mgmt = "wpa-psk"; - # when someone actually steals my internet then I will be concerned. - # This password only matters if you actually show up to my house in real life. - # That would perhaps allow for some nasty networking related shenanigans. - # I guess we'll cross that bridge when I get there. - psk = "b4xnrv6cG6GX"; - }; - }; - }; + # profiles = { + # home-wifi = { + # connection = { + # id = "TELUS6572"; + # permissions = ""; + # type = "wifi"; + # }; + # ipv4 = { + # dns-search = ""; + # method = "auto"; + # }; + # ipv6 = { + # addr-gen-mode = "stable-privacy"; + # dns-search = ""; + # method = "auto"; + # }; + # wifi = { + # mac-address-blacklist = ""; + # mode = "infrastructure"; + # ssid = "TELUS6572"; + # }; + # wifi-security = { + # auth-alg = "open"; + # key-mgmt = "wpa-psk"; + # # when someone actually steals my internet then I will be concerned. + # # This password only matters if you actually show up to my house in real life. + # # That would perhaps allow for some nasty networking related shenanigans. + # # I guess we'll cross that bridge when I get there. + # psk = "b4xnrv6cG6GX"; + # }; + # }; + # }; }; }; firewall = { @@ -228,6 +247,7 @@ }; hardware = { + wirelessRegulatoryDatabase = true; enableAllFirmware = true; cpu.intel.updateMicrocode = true; graphics.enable = ! config.monorepo.profiles.ttyonly.enable; 
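Review bot: The `home-wifi` profile is commented out rather than removed, so the WPA pre-shared key (`psk = "b4xnrv6cG6GX"`) stays in the file and in the repository history on both sides of this diff. Commenting a credential out does not revoke it; the key should be rotated on the access point, and if the profile is reintroduced the value should come from sops like the other secrets in this commit (for example via `networking.networkmanager.ensureProfiles.environmentFiles` with a `$PSK` placeholder) rather than a literal. The inline comment that the password "only matters if you actually show up to my house" no longer holds once the repository is shared.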
@@ -345,6 +365,8 @@ restic sbctl git + git-lfs + git-lfs-transfer vim curl nmap @@ -363,14 +385,25 @@ users.groups.git = lib.mkDefault {}; users.groups.ircd = lib.mkDefault {}; users.groups.ngircd = lib.mkDefault {}; + users.groups.conduit = lib.mkDefault {}; + users.groups.livekit = lib.mkDefault {}; + users.groups.matterbridge = lib.mkDefault {}; users.users = { - + matterbridge = { + isSystemUser = lib.mkDefault true; + group = "matterbridge"; + }; ngircd = { isSystemUser = lib.mkDefault true; group = "ngircd"; extraGroups = [ "acme" "nginx" ]; }; + livekit = { + isSystemUser = lib.mkDefault true; + group = "livekit"; + extraGroups = [ "acme" "nginx" ]; + }; ircd = { isSystemUser = lib.mkDefault true; @@ -393,7 +426,7 @@ git = { isSystemUser = true; home = "/srv/git"; - shell = "${pkgs.git}/bin/git-shell"; + shell = "/bin/sh"; group = "git"; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICts6+MQiMwpA+DfFQxjIN214Jn0pCw/2BDvOzPhR/H2 preston@continuity-dell" @@ -404,6 +437,7 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICts6+MQiMwpA+DfFQxjIN214Jn0pCw/2BDvOzPhR/H2 preston@continuity-dell" ]; + linger = true; initialPassword = "${config.monorepo.vars.userName}"; isNormalUser = true; description = config.monorepo.vars.fullName; @@ -420,6 +454,9 @@ nix = { settings = { + keep-outputs = true; + keep-derivations = true; + auto-optimise-store = true; max-jobs = 4; cores = 0; substituters = [ @@ -431,6 +468,7 @@ experimental-features = "nix-command flakes ca-derivations"; trusted-users = [ "@wheel" ]; }; + gc.automatic = true; }; time.timeZone = config.monorepo.vars.timeZone; i18n.defaultLocale = "en_CA.UTF-8"; diff --git a/nix/modules/coturn.nix b/nix/modules/coturn.nix new file mode 100644 index 0000000..3ceeac6 --- /dev/null +++ b/nix/modules/coturn.nix 
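Review bot: The new `livekit` system user in the users hunk (`@@ -363,14 +385,25 @@`) is given `extraGroups = [ "acme" "nginx" ];`, apparently copied from the `ngircd` entry. The `acme` membership is what lets LiveKit read the TURN `cert_file`/`key_file` under `/var/lib/acme` that conduit.nix points it at; nothing in this commit shows LiveKit needing `nginx` group access, so `extraGroups = [ "acme" ];` is presumably sufficient. The new `matterbridge` user has no extra groups, which matches its sops template being owned by it.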
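Review bot: Changing the `git` user's `shell` from `${pkgs.git}/bin/git-shell` to `/bin/sh` (`@@ -393,7 +426,7 @@`) turns a key-restricted account into an interactive login for every key listed in `openssh.authorizedKeys.keys`; git-shell was the only thing limiting those keys to upload-pack/receive-pack. If the motive is letting `git-lfs-transfer` (added in the packages hunk) run over SSH, git-shell already executes extra commands placed in `~/git-shell-commands`, so a small wrapper there keeps the restriction; alternatively pin the keys with `restrict,command=...` options in `authorized_keys`. At minimum a comment should record why a full shell is needed. The `users.users.git` definition continues outside the hunk.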
@@ -0,0 +1,10 @@
+{ lib, config, ... }:
+{
+ services.coturn = {
+ enable = false;
+ use-auth-secret = true;
+ listening-ips = [ "0.0.0.0" ];
+ cert = "/var/lib/acme/matrix.${config.monorepo.vars.orgHost}/fullchain.pem";
+ static-auth-secret-file = "/run/secrets/coturn_secret";
+ };
+}
diff --git a/nix/modules/docker.nix b/nix/modules/docker.nix
index ac2c456..9eb18f5 100644
--- a/nix/modules/docker.nix
+++ b/nix/modules/docker.nix
@@ -1,15 +1,15 @@
 { lib, config, vars, ... }:
 {
- virtualisation = {
- oci-containers = {
- backend = "podman";
- containers = {};
- };
- containers.enable = true;
- podman = {
- enable = true;
- dockerCompat = true;
- defaultNetwork.settings.dns_enabled = true;
- };
- };
+ # virtualisation = {
+ # oci-containers = {
+ # backend = "podman";
+ # containers = {};
+ # };
+ # containers.enable = true;
+ # podman = {
+ # enable = true;
+ # dockerCompat = true;
+ # defaultNetwork.settings.dns_enabled = true;
+ # };
+ # };
 }
diff --git a/nix/modules/gitweb.nix b/nix/modules/gitweb.nix
index 51cff87..c98e4c6 100644
--- a/nix/modules/gitweb.nix
+++ b/nix/modules/gitweb.nix
@@ -1,7 +1,10 @@
 { lib, config, ... }:
 {
 services.gitweb = {
- gitwebTheme = true;
+ gitwebTheme = lib.mkDefault config.monorepo.profiles.server.enable;
 projectroot = "/srv/git/";
+ extraConfig = ''
+our $export_ok = "git-daemon-export-ok";
+'';
 };
 }
diff --git a/nix/modules/home/default.nix b/nix/modules/home/default.nix
index c991927..b1c07c3 100644
--- a/nix/modules/home/default.nix
+++ b/nix/modules/home/default.nix
@@ -4,7 +4,6 @@
 sops-nix.homeManagerModules.sops
 ../vars.nix
 ./fcitx.nix
- ./secrets.nix
 ./emacs.nix
 ./firefox.nix
 ./git.nix
@@ -22,6 +21,7 @@
 ./mako.nix
 ./user.nix
 ./gtk.nix
+ ./secrets.nix
 ];
 
 options = {
diff --git a/nix/modules/home/emacs.nix b/nix/modules/home/emacs.nix
index 2b7840d..4256d34 100644
--- a/nix/modules/home/emacs.nix
+++ b/nix/modules/home/emacs.nix
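Review bot: The new coturn module sets `cert` to the matrix ACME fullchain but no `pkey`, and `static-auth-secret-file = "/run/secrets/coturn_secret"` names a secret that the system-level secrets.nix hunk in this commit does not declare (only the home-manager vps_secrets.nix does, under a different symlink path), so enabling it as written would fail at start-up. Because the module is `enable = false;` nothing breaks yet; when it is switched on it will also need the coturn user able to read the ACME key and the sops file, and `listening-ips = [ "0.0.0.0" ]` should be paired with explicit firewall openings for the TURN ports. A one-line comment on `enable = false;` saying why it is parked would help the next reader.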
@@ -77,6 +77,7 @@ epkgs.solidity-flycheck epkgs.solidity-mode epkgs.sudo-edit + epkgs.telega epkgs.treemacs epkgs.treemacs-evil epkgs.treemacs-magit diff --git a/nix/modules/home/firefox.nix b/nix/modules/home/firefox.nix index b99544b..3ae8f71 100644 --- a/nix/modules/home/firefox.nix +++ b/nix/modules/home/firefox.nix @@ -2,7 +2,7 @@ { programs.firefox = { enable = lib.mkDefault config.monorepo.profiles.graphics.enable; - package = pkgs.firefox-bin; + package = pkgs.firefox; policies = { EnableTrackingProtection = true; OfferToSaveLogins = false; diff --git a/nix/modules/home/git.nix b/nix/modules/home/git.nix index 0e6e66c..c80b6f9 100644 --- a/nix/modules/home/git.nix +++ b/nix/modules/home/git.nix @@ -2,6 +2,7 @@ { programs.git = { enable = lib.mkDefault config.monorepo.profiles.graphics.enable; + lfs.enable = lib.mkDefault config.monorepo.profiles.graphics.enable; userName = config.monorepo.vars.fullName; userEmail = config.monorepo.profiles.email.email; signing = { diff --git a/nix/modules/home/mpd.nix b/nix/modules/home/mpd.nix index 3ab9d2d..8f646ea 100644 --- a/nix/modules/home/mpd.nix +++ b/nix/modules/home/mpd.nix @@ -24,19 +24,20 @@ always_on "yes" # prevent MPD from disconnecting all listeners when playback is stopped. tags "yes" # httpd supports sending tags to listening streams. } -audio_output { - type "shout" - encoding "ogg" - name "my cool stream" - host "localhost" - port "8000" - mount "/example.ogg" - user "source" - password "<source-password>" - bitrate "64" - format "44100:16:1" - description "Nullring public radio" +audio_output { + type "shout" + name "My VPS Stream" + host "127.0.0.1" + port "8888" # This must match your SSH tunnel local port + mount "/stream" # The URL path (e.g. http://vps:8000/stream) + password "SuperSecretSourcePass" + bitrate "128" + format "44100:16:2" + protocol "icecast2" # Essential for modern Icecast + user "source" # Default icecast source user + description "My MPD Stream" + genre "Mixed" } ''; }; 
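Review bot: The rewritten `audio_output` block in mpd.nix (`@@ -24,19 +24,20 @@`) replaces the `<source-password>` placeholder with a literal `password "SuperSecretSourcePass"`; if that is the real Icecast source password it is now committed in plaintext, and even as a placeholder it reads like a live value. This commit already routes service credentials through sops, so the same treatment fits here (for example a home-manager sops template that renders the mpd config with the password substituted). Separately, the comment `# The URL path (e.g. http://vps:8000/stream)` cites port 8000 while the line above sets `port "8888"` as the tunnel port; align the example or drop it.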
diff --git a/nix/modules/home/personal_secrets.nix b/nix/modules/home/personal_secrets.nix
new file mode 100644
index 0000000..9013de1
--- /dev/null
+++ b/nix/modules/home/personal_secrets.nix
@@ -0,0 +1,23 @@
+{ lib, config, ... }:
+{
+ config = lib.mkIf config.monorepo.profiles.graphics.enable {
+ sops.secrets = {
+ mail = {
+ format = "yaml";
+ path = "${config.sops.defaultSymlinkPath}/mail";
+ };
+ cloudflare-dns = {
+ format = "yaml";
+ path = "${config.sops.defaultSymlinkPath}/cloudflare-dns";
+ };
+ digikey = {
+ format = "yaml";
+ path = "${config.sops.defaultSymlinkPath}/digikey";
+ };
+ dn42 = {
+ format = "yaml";
+ path = "${config.sops.defaultSymlinkPath}/dn42";
+ };
+ };
+ };
+}
diff --git a/nix/modules/home/secrets.nix b/nix/modules/home/secrets.nix
index 20c3d44..a38b4e0 100644
--- a/nix/modules/home/secrets.nix
+++ b/nix/modules/home/secrets.nix
@@ -1,11 +1,15 @@
 { config, ... }:
 {
 sops = {
- defaultSopsFile = ../../secrets/secrets.yaml;
+ defaultSopsFile = if config.monorepo.profiles.graphics.enable
+ then ../../secrets/secrets.yaml
+ else ../../secrets/vps_secrets.yaml;
+
 age = {
- keyFile = "/home/${config.monorepo.vars.userName}/.ssh/keys.txt";
+ keyFile = "/home/${config.monorepo.vars.userName}/.config/sops/age/keys.txt";
 };
- secrets = {
+
+ secrets = if config.monorepo.profiles.graphics.enable then {
 mail = {
 format = "yaml";
 path = "${config.sops.defaultSymlinkPath}/mail";
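Review bot: The new personal_secrets.nix declares the same four secrets (`mail`, `cloudflare-dns`, `digikey`, `dn42`) with the same paths that the graphics branch of home/secrets.nix still declares in the neighbouring hunk, and nothing in this commit adds it to the home/default.nix import list, so as committed it is unused and, once imported, a duplicate declaration. Either drop the `if … then {` branch from secrets.nix and import this file (and vps_secrets.nix) from default.nix, or delete the new file. A header comment stating which profile each file serves would make the split easier to follow.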
@@ -22,24 +26,7 @@ format = "yaml"; path = "${config.sops.defaultSymlinkPath}/dn42"; }; - znc = { - format = "yaml"; - path = "${config.sops.defaultSymlinkPath}/znc"; - }; - znc_password_salt = { - format = "yaml"; - path = "${config.sops.defaultSymlinkPath}/znc_password_salt"; - }; - - znc_password_hash = { - format = "yaml"; - path = "${config.sops.defaultSymlinkPath}/znc_password_hash"; - }; - - matrix_bridge = { - format = "yaml"; - path = "${config.sops.defaultSymlinkPath}/matrix_bridge"; - }; + } else { }; defaultSymlinkPath = "/run/user/1000/secrets"; defaultSecretsMountPoint = "/run/user/1000/secrets.d"; diff --git a/nix/modules/home/user.nix b/nix/modules/home/user.nix index c97347e..356a0fe 100644 --- a/nix/modules/home/user.nix +++ b/nix/modules/home/user.nix @@ -45,7 +45,7 @@ # Apps # octaveFull - vesktop grim swww vim telegram-desktop qwen-code fluffychat jami + vesktop grim swww vim kotatogram-desktop tg qwen-code element-desktop jami # Sound/media pavucontrol alsa-utils imagemagick ffmpeg helvum diff --git a/nix/modules/home/vps_secrets.nix b/nix/modules/home/vps_secrets.nix new file mode 100644 index 0000000..df75a39 --- /dev/null +++ b/nix/modules/home/vps_secrets.nix 
@@ -0,0 +1,43 @@
+{ lib, config, ... }:
+{
+ config = lib.mkIf (!config.monorepo.profiles.graphics.enable) {
+ sops.secrets = {
+ znc = {
+ format = "yaml";
+ path = "${config.sops.defaultsymlinkpath}/znc";
+ };
+ znc_password_salt = {
+ format = "yaml";
+ path = "${config.sops.defaultsymlinkpath}/znc_password_salt";
+ };
+ znc_password_hash = {
+ format = "yaml";
+ path = "${config.sops.defaultsymlinkpath}/znc_password_hash";
+ };
+ matrix_bridge = {
+ format = "yaml";
+ path = "${config.sops.defaultsymlinkpath}/matrix_bridge";
+ };
+ coturn_secret = {
+ format = "yaml";
+ path = "${config.sops.defaultsymlinkpath}/coturn_secret";
+ };
+ livekit_secret = {
+ format = "yaml";
+ path = "${config.sops.defaultsymlinkpath}/livekit_secret";
+ };
+ livekit = {
+ format = "yaml";
+ path = "${config.sops.defaultsymlinkpath}/livekit";
+ };
+ conduit_secrets = {
+ format = "yaml";
+ path = "${config.sops.defaultsymlinkpath}/conduit_secrets";
+ };
+ mautrix_env = {
+ format = "yaml";
+ path = "${config.sops.defaultsymlinkpath}/mautrix_env";
+ };
+ };
+ };
+}
diff --git a/nix/modules/honk.nix b/nix/modules/honk.nix
index b13a9dc..985a544 100644
--- a/nix/modules/honk.nix
+++ b/nix/modules/honk.nix
@@ -1,7 +1,7 @@
 { lib, config, ... }:
 {
 services.honk = {
- enable = config.monorepo.vars.ttyonly;
+ enable = lib.mkDefault config.monorepo.profiles.server.enable;
 servername = "ret2pop.net";
 username = "ret2pop";
 };
diff --git a/nix/modules/impermanence.nix b/nix/modules/impermanence.nix
index ad942ff..4fa886a 100644
--- a/nix/modules/impermanence.nix
+++ b/nix/modules/impermanence.nix
@@ -59,7 +59,6 @@
 ];
 files = [
 "/etc/machine-id"
- "/etc/matterbridge.toml"
 { file = "/var/keys/secret_file"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
 ];
 users."${config.monorepo.vars.userName}" = {
diff --git a/nix/modules/maddy.nix b/nix/modules/maddy.nix
index c84b59c..ab98f87 100644
--- a/nix/modules/maddy.nix
+++ b/nix/modules/maddy.nix
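Review bot: Every `path` in the new vps_secrets.nix reads `config.sops.defaultsymlinkpath`, but the attribute used everywhere else in this commit (home/secrets.nix, personal_secrets.nix) is `defaultSymlinkPath`; Nix attribute names are case-sensitive, so evaluating this module would fail on an undefined attribute. Replace each occurrence, e.g. `path = "${config.sops.defaultSymlinkPath}/znc";`. The file is not referenced from home/default.nix in this diff, which is presumably why the error has not surfaced yet.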
@@ -4,20 +4,27 @@
 enable = lib.mkDefault config.monorepo.profiles.server.enable;
 openFirewall = true;
 hostName = "${config.monorepo.vars.remoteHost}";
- primaryDomain = "mail.${config.monorepo.vars.remoteHost}";
+ primaryDomain = "mail.${config.monorepo.vars.orgHost}";
 tls = {
- loader = "acme";
+ certificates = [
+ {
+ keyPath = "/var/lib/acme/mail.${config.monorepo.vars.orgHost}/key.pem";
+ certPath = "/var/lib/acme/mail.${config.monorepo.vars.orgHost}/fullchain.pem";
+ }
+ ];
 };
 config = builtins.replaceStrings [
 "imap tcp://0.0.0.0:143"
 "submission tcp://0.0.0.0:587"
+ "smtp tcp://0.0.0.0:25"
 ] [
 "imap tls://0.0.0.0:993 tcp://0.0.0.0:143"
 "submission tls://0.0.0.0:465 tcp://0.0.0.0:587"
+ "smtps tls://0.0.0.0:465 smtp tcp://0.0.0.0:25"
 ] options.services.maddy.config.default;
 ensureCredentials = {
 "${config.monorepo.vars.userName}@localhost" = {
- passwordFile = "/secrets/${config.monorepo.vars.userName}-localhost";
+ passwordFile = "/run/secrets/mail_password";
 };
 };
 };
diff --git a/nix/modules/matterbridge.nix b/nix/modules/matterbridge.nix
index 567e2b7..85a2295 100644
--- a/nix/modules/matterbridge.nix
+++ b/nix/modules/matterbridge.nix
@@ -2,6 +2,6 @@
 {
 services.matterbridge = {
 enable = lib.mkDefault config.monorepo.profiles.server.enable;
- configPath = "/etc/matterbridge.toml";
+ configPath = "${config.sops.templates.matterbridge.path}";
 };
 }
diff --git a/nix/modules/mautrix.nix b/nix/modules/mautrix.nix
index 5eacb4a..abdb50d 100644
--- a/nix/modules/mautrix.nix
+++ b/nix/modules/mautrix.nix
@@ -2,7 +2,7 @@
 {
 services.mautrix-discord = {
 enable = lib.mkDefault config.monorepo.profiles.server.enable;
- environmentFile = "/etc/mautrix";
+ environmentFile = "/run/secrets/mautrix_env";
 settings = {
 bridge = {
 animated_sticker = {
diff --git a/nix/modules/murmur.nix b/nix/modules/murmur.nix
index f2dd124..fcd4434 100644
--- a/nix/modules/murmur.nix
+++ b/nix/modules/murmur.nix
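Review bot: `passwordFile = "/run/secrets/mail_password"` points at a sops secret that the server branch of the secrets.nix hunk in this commit does not declare (the only `mail` entry is on the non-server side), so unless it is defined elsewhere the file will be missing on the VPS and maddy's `ensureCredentials` step will fail. The new `tls.certificates` entry reads the ACME key for `mail.${config.monorepo.vars.orgHost}` directly, which requires the maddy service user to be able to read `/var/lib/acme/mail.<orgHost>/key.pem`; nothing in the commit adds it to the `acme` group, so that should be confirmed. A comment next to `certificates` noting that the ACME target must exist in nginx.nix (the `mail.${orgHost}` vhost is renamed in the same commit) would tie the two files together.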
@@ -1,7 +1,8 @@ { lib, config, ... }: { services.murmur = { - enable = lib.mkDefault config.monorepo.profiles.server.enable; +# enable = lib.mkDefault config.monorepo.profiles.server.enable; + enable = false; openFirewall = true; hostName = "0.0.0.0"; welcometext = "Wecome to the Null Murmur instance!"; diff --git a/nix/modules/nginx.nix b/nix/modules/nginx.nix index 9337774..a3c079b 100644 --- a/nix/modules/nginx.nix +++ b/nix/modules/nginx.nix @@ -1,14 +1,12 @@ -{ config, lib, services, ... }: +{ config, lib, ... }: { services.nginx = { enable = lib.mkDefault config.monorepo.profiles.server.enable; user = "nginx"; - # Use recommended settings recommendedGzipSettings = true; recommendedOptimisation = true; - recommendedProxySettings = true; recommendedTlsSettings = true; - appendHttpConfig = ''''; + recommendedProxySettings = false; gitweb = { enable = true; @@ -29,7 +27,8 @@ addr = "[::]"; port = 443; ssl = true; - } { + } + { addr = "0.0.0.0"; port = 8448; ssl = true; 
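Review bot: `recommendedProxySettings = false;` in the first nginx hunk removes the default `proxy_set_header` lines (`Host`, `X-Real-IP`, `X-Forwarded-For`, `X-Forwarded-Proto`) for every `proxyPass` location in this file, not only the new LiveKit vhosts that re-add them by hand; the existing matrix proxy location with `proxy_read_timeout 5m` lies outside this hunk and will presumably lose them, so the homeserver would see 127.0.0.1 as the client address in its logs and rate limiting. If the switch is meant to avoid a duplicate-header conflict with the hand-written blocks, a comment saying so would help, and the remaining proxied locations should get the same explicit headers. Dropping the unused `services` module argument is fine.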
@@ -48,11 +47,102 @@ proxy_read_timeout 5m; ''; }; + locations."= /.well-known/matrix/server" = { + extraConfig = '' + add_header Content-Type application/json; + add_header Access-Control-Allow-Origin *; + ''; + + return = ''200 '{"m.server": "matrix.nullring.xyz:443"}' ''; + }; + locations."/.well-known/matrix/client" = { + extraConfig = '' + default_type application/json; + add_header Access-Control-Allow-Origin *; + ''; + + return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.${config.monorepo.vars.orgHost}\"}, \"org.matrix.msc4143.rtc_foci\": [{\"type\": \"livekit\", \"livekit_service_url\": \"https://matrix.${config.monorepo.vars.orgHost}:8443\"}]}'"; + }; extraConfig = '' merge_slashes off; ''; }; + + "matrix.${config.monorepo.vars.orgHost}-livekit" = { + serverName = "matrix.${config.monorepo.vars.orgHost}"; + listen = [ + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + } + { + addr = "[::]"; + port = 8443; + ssl = true; + } + ]; + addSSL = true; + enableACME = false; + forceSSL = false; + useACMEHost = "matrix.${config.monorepo.vars.orgHost}"; + + locations."/" = { + proxyPass = "http://127.0.0.1:6495"; + proxyWebsockets = true; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + ''; + }; + }; + + "livekit.${config.monorepo.vars.orgHost}" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:7880"; + proxyWebsockets = true; + extraConfig = '' + proxy_read_timeout 3600s; + proxy_send_timeout 3600s; + + # Standard headers for LiveKit + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + # proxy_set_header Upgrade $http_upgrade; + # proxy_set_header Connection "upgrade"; + + # --- CORS CONFIGURATION START --- + # 1. 
Allow all origins (including app.element.io) + add_header 'Access-Control-Allow-Origin' '*' always; + + # 2. Allow specific methods (POST is required for /sfu/get) + add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE' always; + + # 3. Allow headers (Content-Type is crucial for JSON) + add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always; + + # 4. Handle the OPTIONS preflight request immediately + if ($request_method = 'OPTIONS') { + add_header 'Access-Control-Allow-Origin' '*' always; + add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE' always; + add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always; + add_header 'Access-Control-Max-Age' 1728000; + add_header 'Content-Type' 'text/plain; charset=utf-8'; + add_header 'Content-Length' 0; + return 204; + } + # --- CORS CONFIGURATION END --- + ''; + }; + }; + "${config.monorepo.vars.remoteHost}" = { serverName = "${config.monorepo.vars.remoteHost}"; serverAliases = [ "${config.monorepo.vars.internetName}.${config.monorepo.vars.orgHost}" ]; @@ -68,8 +158,8 @@ enableACME = true; }; - "mail.${config.monorepo.vars.remoteHost}" = { - serverName = "mail.${config.monorepo.vars.remoteHost}"; + "mail.${config.monorepo.vars.orgHost}" = { + serverName = "mail.${config.monorepo.vars.orgHost}"; root = "/var/www/dummy"; addSSL = true; enableACME = true; diff --git a/nix/modules/ntfy-sh.nix b/nix/modules/ntfy-sh.nix new file mode 100644 index 0000000..9311af2 --- /dev/null +++ b/nix/modules/ntfy-sh.nix 
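Review bot: The `= /.well-known/matrix/server` location uses `add_header Content-Type application/json;` on a `return`, which appends a second Content-Type alongside the one nginx derives from `default_type` rather than replacing it, whereas the `/.well-known/matrix/client` location just below correctly uses `default_type application/json;`. Use `default_type application/json;` in both so federation lookups get a single, correct content type. In the `livekit.*` vhost the CORS headers are written twice (in the location body and again inside `if ($request_method = 'OPTIONS')`); that is the usual workaround for nginx's `if` scoping, but the intent deserves a one-line comment so the duplication is not "cleaned up" later. The `${config.monorepo.vars.remoteHost}` server block at the end continues outside the hunk.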
@@ -0,0 +1,12 @@
+{ lib, config, ... }:
+{
+ services.ntfy-sh = {
+# enable = lib.mkDefault config.monorepo.profiles.server.enable;
+ enable = false;
+ settings = {
+ base-url = "https://ntfy.${config.monorepo.vars.remoteHost}";
+ listen-http = "127.0.0.1:2586";
+ envrionmentFile = "/run/secrets/ntfy";
+ };
+ };
+}
diff --git a/nix/modules/nvidia.nix b/nix/modules/nvidia.nix
index f6a398a..5b05d28 100644
--- a/nix/modules/nvidia.nix
+++ b/nix/modules/nvidia.nix
@@ -14,9 +14,9 @@
 enable = lib.mkDefault config.monorepo.profiles.cuda.enable;
 finegrained = false;
 };
- nvidiaSettings = lib.mkDefault config.monorepo.profiles.cuda.enable;
 open = config.monorepo.profiles.cuda.enable;
 package = config.boot.kernelPackages.nvidiaPackages.stable;
+ nvidiaSettings = false;
 };
 };
 }
diff --git a/nix/modules/secrets.nix b/nix/modules/secrets.nix
index 29504f6..d1c711c 100644
--- a/nix/modules/secrets.nix
+++ b/nix/modules/secrets.nix
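Review bot: `envrionmentFile = "/run/secrets/ntfy";` inside `settings` is both misspelled and in the wrong place: `settings` is serialised into ntfy's own server configuration, where an unknown key is at best ignored, while an environment-file option, if the nixpkgs revision in use provides one, belongs at the top level of `services.ntfy-sh` as `environmentFile = "/run/secrets/ntfy";`. The `ntfy` secret it names is also not declared in the secrets.nix hunk of this commit. The service is `enable = false;`, so this is latent; the commented-out `# enable = lib.mkDefault …` line could carry a short note on why it is parked.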
@@ -1,61 +1,104 @@ { config, ... }: { sops = { - defaultSopsFile = ../../secrets/secrets.yaml; + defaultSopsFile = if config.monorepo.profiles.server.enable + then ../secrets/vps_secrets.yaml + else ../secrets/secrets.yaml; + + + templates = if config.monorepo.profiles.server.enable then { + "matterbridge" = { + owner = "matterbridge"; + content = '' +[irc.myirc] +Server="127.0.0.1:6667" +Nick="bridge" +RemoteNickFormat="[{PROTOCOL}] <{NICK}> " +UseTLS=false + +[telegram.mytelegram] +Token="${config.sops.placeholder.telegram_token}" +RemoteNickFormat="<({PROTOCOL}){NICK}> " +MessageFormat="HTMLNick :" +QuoteFormat="{MESSAGE} (re @{QUOTENICK}: {QUOTEMESSAGE})" +QuoteLengthLimit=46 +IgnoreMessages="^/" + +[discord.mydiscord] +Token="${config.sops.placeholder.discord_token}" +Server="Null Identity" +AutoWebHooks=true +RemoteNickFormat="[{PROTOCOL}] <{NICK}> " +PreserveThreading=true + +[[gateway]] +name="gateway1" +enable=true + +[[gateway.inout]] +account="irc.myirc" +channel="#nullring" + +[[gateway.inout]] +account="discord.mydiscord" +channel="ID:996282946879242262" + +[[gateway.inout]] +account="telegram.mytelegram" +channel="-5290629325" +''; + }; + } else {}; + age = { - keyFile = "/home/${config.monorepo.vars.userName}/.ssh/keys.txt"; + keyFile = "/home/${config.monorepo.vars.userName}/.config/sops/age/keys.txt"; }; - secrets = { + + secrets = if ! 
config.monorepo.profiles.server.enable then { mail = { format = "yaml"; - sopsFile = config.sops.defaultSopsFile; -# sopsFile = ../../secrets/secrets.yaml; - path = "${config.sops.defaultSymlinkPath}/mail"; }; cloudflare-dns = { format = "yaml"; - sopsFile = config.sops.defaultSopsFile; - path = "${config.sops.defaultSymlinkPath}/cloudflare-dns"; }; digikey = { format = "yaml"; - sopsFile = config.sops.defaultSopsFile; - path = "${config.sops.defaultSymlinkPath}/digikey"; }; dn42 = { format = "yaml"; - sopsFile = config.sops.defaultSopsFile; -# sopsFile = ../../secrets/secrets.yaml; - path = "${config.sops.defaultSymlinkPath}/dn42"; }; + } else { znc = { format = "yaml"; - sopsFile = config.sops.defaultSopsFile; -# sopsFile = ../../secrets/secrets.yaml; - path = "${config.sops.defaultSymlinkPath}/znc"; }; znc_password_salt = { format = "yaml"; - sopsFile = config.sops.defaultSopsFile; -# sopsFile = ../../secrets/secrets.yaml; - path = "${config.sops.defaultSymlinkPath}/znc_password_salt"; }; - znc_password_hash = { format = "yaml"; - sopsFile = config.sops.defaultSopsFile; -# sopsFile = ../../secrets/secrets.yaml; - path = "${config.sops.defaultSymlinkPath}/znc_password_hash"; }; - matrix_bridge = { format = "yaml"; - sopsFile = config.sops.defaultSopsFile; -# sopsFile = ../../secrets/secrets.yaml; - path = "${config.sops.defaultSymlinkPath}/matrix_bridge"; + }; + livekit_secret = { + format = "yaml"; + mode = "0444"; + }; + livekit = { + format = "yaml"; + }; + conduit_secrets = { + format = "yaml"; + }; + mautrix_env = { + format = "yaml"; + }; + telegram_token = { + format = "yaml"; + }; + discord_token = { + format = "yaml"; }; }; - defaultSymlinkPath = "/run/user/1000/secrets"; - defaultSecretsMountPoint = "/run/user/1000/secrets.d"; }; } |
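Review bot: `livekit_secret` is the only secret given `mode = "0444"`, which makes the LiveKit API key/secret readable by every local account; the sops-nix way to let the `livekit` (and presumably `lk-jwt-service`) processes read it is ownership, e.g. `owner = "livekit";` plus a `group` and `mode = "0440"` if a second user must share it, not world-read. `conduit_secrets` and `mautrix_env` have the opposite problem: they keep the root-only default yet are consumed by services that run as their own users, so they need `owner` set as well. `mail_password` (maddy.nix) and `coturn_secret` (coturn.nix) are referenced elsewhere in this commit but not declared here. The matterbridge template correctly sets `owner = "matterbridge";`; a one-line comment per secret naming its consuming service would keep the rest aligned with it.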
