*** [[https://notrelated.xyz/rss][Not Related]] :lukesmith:
This is a podcast by Luke Smith that talks about anything that he wants to.
** Forums :forum:
+*** [[http://lesserwrong.com/feed.xml][LessWrong]]
+The birthplace of bay area rationalism.
** Science Journals :journal:
I like to get new information about recent studies related to technology.
*** [[http://www.nature.com/nmat/current_issue/rss/][Nature]]
These are YouTube channels that I find interesting enough to keep up with. Note that I keep
up with a variety of thinkers that I may or may not disagree with, but they are nonetheless
the most intellectual version of what their general cohort say:
+*** [[https://youtube.com/feeds/videos.xml?channel_id=UCFQMnBA3CS502aghlcr0_aw][CoffeeZilla]]
+Exposes scams.
+*** [[https://youtube.com/feeds/videos.xml?channel_id=UC28n0tlcNSa1iPe5mettocg][VoidZilla]]
+Extras from coffezilla channel.
*** [[https://youtube.com/feeds/videos.xml?channel_id=UCKGCof63C6pLCFT4R6YPEtQ][Jred]]
This youtube channel is about existential dread apparently. I don't have such a thing but it's fun to watch anyways.
+*** [[https://youtube.com/feeds/videos.xml?channel_id=UC1qIX2Ya5ErOrU9tv0GVUAw][CyberYamu]]
+A channel about the daily experience of a schizotypal girl.
*** [[https://youtube.com/feeds/videos.xml?channel_id=UCwVevVbti5Uuxj6Mkl5NHRA][Lemonade Stand]]
Podcast channel that talks about modern day economics.
*** [[https://youtube.com/feeds/videos.xml?channel_id=UCSHZKyawb77ixDdsGog4iWA][Lex Fridman]]
In order to use the sops configuration, you must change the age public key to the one that
you own:
#+begin_src yaml :tangle ../nix/.sops.yaml
-keys:
- - &primary age165ul43e8rc0qwzz2f2q9cw02psm2mkudsrwavq2e0pxs280p64yqy2z0dr
-creation_rules:
- - path_regex: secrets/secrets.yaml$
- key_groups:
- - age:
- - *primary
+ keys:
+ - &primary age165ul43e8rc0qwzz2f2q9cw02psm2mkudsrwavq2e0pxs280p64yqy2z0dr
+ - &vps age1acpuyy2qnduyxzwvusd8urr6a78e3f37ylhvh2pngyqytf5r8ans5vkest
+ creation_rules:
+ - path_regex: secrets/secrets.yaml$
+ key_groups:
+ - age:
+ - *primary
+
+ - path_regex: secrets/vps_secrets.yaml$
+ key_groups:
+ - age:
+ - *vps
#+end_src
also note that you will have to write your own secrets.yaml file, with an entry called ~mail~,
which is used for the imaps and smtps password.
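Review bot: the second `creation_rules` entry encrypts `secrets/vps_secrets.yaml` to `*vps` only, so the `&primary` workstation key can no longer open or edit that file; if the split is deliberate it is good least-privilege, but it also means a lost VPS key loses the file, so consider listing `*primary` in that key group as a recovery recipient. Either way, run `sops updatekeys secrets/vps_secrets.yaml` after this change: editing `.sops.yaml` does not re-encrypt a file that already exists. These rules only decide who can decrypt; the `mail` entry the prose mentions still has to be created with `sops secrets/secrets.yaml` so it is encrypted before it is committed.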
};
}
#+end_src
+** Secrets
+This uses sops in order to declaratively create the secrets on my system by unencrypting
+the yaml file specified. Yes, this is safe to include in the repo.
+#+begin_src nix :tangle ../nix/modules/secrets.nix
+ { config, ... }:
+ {
+ sops = {
+ defaultSopsFile = if config.monorepo.profiles.server.enable
+ then ../secrets/vps_secrets.yaml
+ else ../secrets/secrets.yaml;
+
+
+ templates = if config.monorepo.profiles.server.enable then {
+ "matterbridge" = {
+ owner = "matterbridge";
+ content = ''
+ [irc.myirc]
+ Server="127.0.0.1:6667"
+ Nick="bridge"
+ RemoteNickFormat="[{PROTOCOL}] <{NICK}> "
+ UseTLS=false
+
+ [telegram.mytelegram]
+ Token="${config.sops.placeholder.telegram_token}"
+ RemoteNickFormat="<({PROTOCOL}){NICK}> "
+ MessageFormat="HTMLNick :"
+ QuoteFormat="{MESSAGE} (re @{QUOTENICK}: {QUOTEMESSAGE})"
+ QuoteLengthLimit=46
+ IgnoreMessages="^/"
+
+ [discord.mydiscord]
+ Token="${config.sops.placeholder.discord_token}"
+ Server="Null Identity"
+ AutoWebHooks=true
+ RemoteNickFormat="[{PROTOCOL}] <{NICK}> "
+ PreserveThreading=true
+
+ [[gateway]]
+ name="gateway1"
+ enable=true
+
+ [[gateway.inout]]
+ account="irc.myirc"
+ channel="#nullring"
+
+ [[gateway.inout]]
+ account="discord.mydiscord"
+ channel="ID:996282946879242262"
+
+ [[gateway.inout]]
+ account="telegram.mytelegram"
+ channel="-5290629325"
+ '';
+ };
+ } else {};
+
+ age = {
+ keyFile = "/home/${config.monorepo.vars.userName}/.config/sops/age/keys.txt";
+ };
+
+ secrets = if ! config.monorepo.profiles.server.enable then {
+ mail = {
+ format = "yaml";
+ };
+ cloudflare-dns = {
+ format = "yaml";
+ };
+ digikey = {
+ format = "yaml";
+ };
+ dn42 = {
+ format = "yaml";
+ };
+ } else {
+ znc = {
+ format = "yaml";
+ };
+ znc_password_salt = {
+ format = "yaml";
+ };
+ znc_password_hash = {
+ format = "yaml";
+ };
+ matrix_bridge = {
+ format = "yaml";
+ };
+ livekit_secret = {
+ format = "yaml";
+ mode = "0444";
+ };
+ livekit = {
+ format = "yaml";
+ };
+ conduit_secrets = {
+ format = "yaml";
+ };
+ mautrix_env = {
+ format = "yaml";
+ };
+ telegram_token = {
+ format = "yaml";
+ };
+ discord_token = {
+ format = "yaml";
+ };
+ };
+ };
+ }
+#+end_src
** X11
My Xorg configuration is used as a backup for when wayland applications don't work. Note that
using this configuration is extremely inefficient and my i3 configuration is unoptimized.
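Review bot: `livekit_secret` is given `mode = "0444"`, which makes the decrypted LiveKit API key readable by every local account under `/run/secrets`, including the `git` user that this same change switches to an interactive `/bin/sh`. The key is evidently shared by `services.livekit` and `services.lk-jwt-service`; sops-nix's per-secret `owner`, `group` and `mode` options cover that without a world-readable file, for example `group = "livekit"; mode = "0440";` together with the `livekit` group this change adds, plus membership in that group for the lk-jwt service user. Separately, `age.keyFile` for the system module points into the user's home directory, so root-level secrets are only as protected as that home; the placement the sops-nix documentation uses is a root-owned file such as `/var/lib/sops-nix/key.txt`, with the home-manager module keeping its own key if it needs one.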
#+begin_src nix :tangle ../nix/modules/docker.nix
{ lib, config, vars, ... }:
{
- virtualisation = {
- oci-containers = {
- backend = "podman";
- containers = {};
- };
- containers.enable = true;
- podman = {
- enable = true;
- dockerCompat = true;
- defaultNetwork.settings.dns_enabled = true;
- };
- };
+ # virtualisation = {
+ # oci-containers = {
+ # backend = "podman";
+ # containers = {};
+ # };
+ # containers.enable = true;
+ # podman = {
+ # enable = true;
+ # dockerCompat = true;
+ # defaultNetwork.settings.dns_enabled = true;
+ # };
+ # };
}
#+end_src
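Review bot: the `virtualisation` block is commented out wholesale rather than deleted; git history already keeps the old text, and commented Nix rots as option names change. If podman is meant to come back, keep the block live and gate it on a profile the way the other modules do (`podman.enable = lib.mkDefault config.monorepo.profiles.<profile>.enable`, with `<profile>` being whichever one fits); otherwise remove it. Note that `dockerCompat = true` and `containers.enable = true` go away with it, so anything else in the repo that still references `config.virtualisation.podman` now evaluates against module defaults.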
** Pipewire
};
}
#+end_src
-** TODO Murmur
-#+begin_src nix :tangle ../nix/modules/murmur.nix
- { lib, config, ... }:
- {
- services.murmur = {
- enable = lib.mkDefault config.monorepo.profiles.server.enable;
- openFirewall = true;
- hostName = "0.0.0.0";
- welcometext = "Wecome to the Null Murmur instance!";
- registerName = "nullring";
- registerHostname = "${config.monorepo.vars.orgHost}";
- sslCert = "/var/lib/acme/${config.monorepo.vars.orgHost}/fullchain.pem";
- sslKey = "/var/lib/acme/${config.monorepo.vars.orgHost}/sslKey.pem";
- };
- }
-#+end_src
** TODO i2pd
I use i2p for some p2p connections. We enable it with the server profile:
#+begin_src nix :tangle ../nix/modules/i2pd.nix
is almost no point to cracking it with hashcat.
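Review bot: dropping `murmur.nix` (and `honk.nix` below) should come with removing `./murmur.nix` and `./honk.nix` from the system `imports` list; the imports hunk on this page adds `./secrets.nix` and `./coturn.nix` but shows no such removals, and importing a file that is no longer tangled fails at evaluation. A `nixos-rebuild dry-build` for both the server and workstation profiles before merging would catch that. The context here (`** TODO i2pd` followed by a sentence fragment about hashcat) also looks like two unrelated regions spliced together in the diff view; worth confirming the i2pd block is intact in the source.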
** Conduit
This is a modern matrix server that is meant to be lightweight while
-still federating and hosting the same protocol.
+still federating and hosting the same protocol. There is also a configuration
+for lk-jwt which is important for configuring p2p calls in matrix.
#+begin_src nix :tangle ../nix/modules/conduit.nix
{ config, lib, ... }:
{
services.matrix-conduit = {
enable = lib.mkDefault config.monorepo.profiles.server.enable;
+ secretFile = "/run/secrets/conduit_secrets";
settings.global = {
server_name = "matrix.${config.monorepo.vars.orgHost}";
trusted_servers = [
allow_registration = false;
};
};
+ services.lk-jwt-service = {
+ enable = lib.mkDefault config.monorepo.profiles.server.enable;
+ port = 6495;
+ livekitUrl = "wss://livekit.nullring.xyz";
+ keyFile = "/run/secrets/livekit_secret";
+ };
+ services.livekit = {
+ enable = lib.mkDefault config.monorepo.profiles.server.enable;
+ keyFile = "/run/secrets/livekit_secret";
+ settings = {
+ port = 7880;
+ turn = {
+ enabled = true;
+ domain = "livekit.${config.monorepo.vars.orgHost}";
+ cert_file = "/var/lib/acme/livekit.${config.monorepo.vars.orgHost}/fullchain.pem";
+ key_file = "/var/lib/acme/livekit.${config.monorepo.vars.orgHost}/key.pem";
+ tls_port = 5349;
+ udp_port = 3478;
+ };
+
+ rtc = {
+ use_external_ip = true;
+ tcp_port = 7881;
+ udp_port = 7882;
+ port_range_start = 50000;
+ port_range_end = 60000;
+ };
+ };
+ };
}
#+end_src
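Review bot: `livekitUrl = "wss://livekit.nullring.xyz"` hardcodes the host while `turn.domain` two stanzas down derives it from `${config.monorepo.vars.orgHost}`; use the variable in both places so a host rename cannot leave the JWT service pointing at a stale SFU (the nginx `.well-known/matrix/server` return body on this page hardcodes `matrix.nullring.xyz` in the same way). Also, `rtc.port_range_start`/`port_range_end` confine media to UDP 50000-60000, but the VPS firewall hunk opens `allowedUDPPortRanges` 49152-65535; tighten the firewall to the same 50000-60000 range so nothing else that happens to bind an ephemeral port becomes reachable. With `turn.enabled = true` here, LiveKit itself owns 3478/5349, which matters for the coturn module that follows.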
-** Honk
-In order to connect to activitypub:
-#+begin_src nix :tangle ../nix/modules/honk.nix
+** Coturn
+This is important for p2p calls in matrix as well.
+#+begin_src nix :tangle ../nix/modules/coturn.nix
{ lib, config, ... }:
{
- services.honk = {
- enable = config.monorepo.vars.ttyonly;
- servername = "ret2pop.net";
- username = "ret2pop";
+ services.coturn = {
+ enable = false;
+ use-auth-secret = true;
+ listening-ips = [ "0.0.0.0" ];
+ cert = "/var/lib/acme/matrix.${config.monorepo.vars.orgHost}/fullchain.pem";
+ static-auth-secret-file = "/run/secrets/coturn_secret";
};
}
#+end_src
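Review bot: `static-auth-secret-file = "/run/secrets/coturn_secret"` references a secret that neither branch of `sops.secrets` in the new `secrets.nix` declares, so flipping `enable` to `true` would fail at service start; add the declaration (with `owner` set to the coturn user) before enabling. Two more things for when that happens: `cert` is set but no `pkey` appears in this hunk, so TLS TURN would have a certificate and no key, and coturn's default 3478/5349 listeners collide with LiveKit's built-in TURN configured on the same ports above. If LiveKit's TURN is the one in use, this module can be deleted rather than kept disabled.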
{
services.matterbridge = {
enable = lib.mkDefault config.monorepo.profiles.server.enable;
- configPath = "/etc/matterbridge.toml";
+ configPath = "${config.sops.templates.matterbridge.path}";
};
}
#+end_src
{
services.mautrix-discord = {
enable = lib.mkDefault config.monorepo.profiles.server.enable;
- environmentFile = "/etc/mautrix";
+ environmentFile = "/run/secrets/mautrix_env";
settings = {
bridge = {
animated_sticker = {
};
}
#+end_src
+** TODO Ntfy
+#+begin_src nix :tangle ../nix/modules/ntfy-sh.nix
+ { lib, config, ... }:
+ {
+ services.ntfy-sh = {
+ # enable = lib.mkDefault config.monorepo.profiles.server.enable;
+ enable = false;
+ settings = {
+ base-url = "https://ntfy.${config.monorepo.vars.remoteHost}";
+ listen-http = "127.0.0.1:2586";
+ envrionmentFile = "/run/secrets/ntfy";
+ };
+ };
+ }
+#+end_src
** Nginx
These are all my virtual hosts. For many of these servers we have to
have a reverse proxy in order to expose the locally running instances
to the outside world under a domain.
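Review bot: `envrionmentFile` in the ntfy block is misspelled, and because it sits under `settings` it would be written verbatim into ntfy's YAML rather than consumed by the module; if a secrets file is wanted, check whether the NixOS `services.ntfy-sh` module exposes a module-level environment-file option and use that, backed by a declared `sops.secrets.ntfy` (none is declared in `secrets.nix` on this page). With `enable = false` neither problem bites yet, which is exactly why it is easy to forget; the TODO heading and the commented-out `enable` line are reasonable markers, but leave the typo out of the tree so the first real enable does not start with debugging it.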
#+begin_src nix :tangle ../nix/modules/nginx.nix
- { config, lib, services, ... }:
+ { config, lib, ... }:
{
services.nginx = {
enable = lib.mkDefault config.monorepo.profiles.server.enable;
user = "nginx";
- # Use recommended settings
recommendedGzipSettings = true;
recommendedOptimisation = true;
- recommendedProxySettings = true;
recommendedTlsSettings = true;
- appendHttpConfig = '''';
+ recommendedProxySettings = false;
gitweb = {
enable = true;
addr = "[::]";
port = 443;
ssl = true;
- } {
+ }
+ {
addr = "0.0.0.0";
port = 8448;
ssl = true;
proxy_read_timeout 5m;
'';
};
+ locations."= /.well-known/matrix/server" = {
+ extraConfig = ''
+ add_header Content-Type application/json;
+ add_header Access-Control-Allow-Origin *;
+ '';
+
+ return = ''200 '{"m.server": "matrix.nullring.xyz:443"}' '';
+ };
+ locations."/.well-known/matrix/client" = {
+ extraConfig = ''
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ '';
+
+ return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.${config.monorepo.vars.orgHost}\"}, \"org.matrix.msc4143.rtc_foci\": [{\"type\": \"livekit\", \"livekit_service_url\": \"https://matrix.${config.monorepo.vars.orgHost}:8443\"}]}'";
+ };
extraConfig = ''
merge_slashes off;
'';
};
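Review bot: `recommendedProxySettings` flips from `true` to `false`, which removes the `Host`, `X-Real-IP`, `X-Forwarded-*` and `proxy_http_version 1.1` defaults from every `proxyPass` location, not only the two new LiveKit ones that set headers by hand; the 8448 listener with its `proxy_read_timeout 5m` is evidently proxied too and now forwards without a client address, which hurts upstream logging and anything rate-limited on it. If one upstream needs different settings, override them in that location and keep the recommended defaults on. In the `.well-known/matrix/server` location, `add_header Content-Type application/json` combined with `return 200` yields two Content-Type headers, because the `return` body still carries the `default_type`; the sibling `/.well-known/matrix/client` location uses `default_type application/json`, which is the right form, so align the two.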
+
+ "matrix.${config.monorepo.vars.orgHost}-livekit" = {
+ serverName = "matrix.${config.monorepo.vars.orgHost}";
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ }
+ {
+ addr = "[::]";
+ port = 8443;
+ ssl = true;
+ }
+ ];
+ addSSL = true;
+ enableACME = false;
+ forceSSL = false;
+ useACMEHost = "matrix.${config.monorepo.vars.orgHost}";
+
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:6495";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ '';
+ };
+ };
+
+ "livekit.${config.monorepo.vars.orgHost}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:7880";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_read_timeout 3600s;
+ proxy_send_timeout 3600s;
+
+ # Standard headers for LiveKit
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ # proxy_set_header Upgrade $http_upgrade;
+ # proxy_set_header Connection "upgrade";
+
+ # --- CORS CONFIGURATION START ---
+ # 1. Allow all origins (including app.element.io)
+ add_header 'Access-Control-Allow-Origin' '*' always;
+
+ # 2. Allow specific methods (POST is required for /sfu/get)
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE' always;
+
+ # 3. Allow headers (Content-Type is crucial for JSON)
+ add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;
+
+ # 4. Handle the OPTIONS preflight request immediately
+ if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' '*' always;
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE' always;
+ add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;
+ add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Content-Type' 'text/plain; charset=utf-8';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+ # --- CORS CONFIGURATION END ---
+ '';
+ };
+ };
+
"${config.monorepo.vars.remoteHost}" = {
serverName = "${config.monorepo.vars.remoteHost}";
serverAliases = [ "${config.monorepo.vars.internetName}.${config.monorepo.vars.orgHost}" ];
enableACME = true;
};
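Review bot: the LiveKit vhost answers every origin with `Access-Control-Allow-Origin '*'` and allows `Authorization`, which is the shape Element Call widgets loaded from app.element.io need, so the wildcard is defensible; CORS does not gate access here, the token does, the wildcard just means the browser lets any origin make those calls. If the set of client origins is known, reflecting an allow-list instead of `*` limits that, and the block should then also emit `Vary: Origin`. The duplicated `add_header` lines inside `if ($request_method = 'OPTIONS')` are needed because an `if` block with its own `add_header` stops inheriting the outer ones; a one-line comment saying so will save the next reader a surprise. `proxyWebsockets = true` already emits the `Upgrade`/`Connection` headers, so leaving the commented pair out is correct. Finally, `matrix.${orgHost}-livekit` shares `serverName` with the main matrix vhost and is distinguished only by port 8443; a comment tying that port to the `livekit_service_url` in the `/.well-known/matrix/client` body would make the coupling visible.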
- "mail.${config.monorepo.vars.remoteHost}" = {
- serverName = "mail.${config.monorepo.vars.remoteHost}";
+ "mail.${config.monorepo.vars.orgHost}" = {
+ serverName = "mail.${config.monorepo.vars.orgHost}";
root = "/var/www/dummy";
addSSL = true;
enableACME = true;
{ lib, config, ... }:
{
services.gitweb = {
- gitwebTheme = true;
+ gitwebTheme = lib.mkDefault config.monorepo.profiles.server.enable;
projectroot = "/srv/git/";
+ extraConfig = ''
+ our $export_ok = "git-daemon-export-ok";
+ '';
};
}
#+end_src
enable = lib.mkDefault config.monorepo.profiles.cuda.enable;
finegrained = false;
};
- nvidiaSettings = lib.mkDefault config.monorepo.profiles.cuda.enable;
open = config.monorepo.profiles.cuda.enable;
package = config.boot.kernelPackages.nvidiaPackages.stable;
+ nvidiaSettings = false;
};
};
}
enable = lib.mkDefault config.monorepo.profiles.server.enable;
openFirewall = true;
hostName = "${config.monorepo.vars.remoteHost}";
- primaryDomain = "mail.${config.monorepo.vars.remoteHost}";
+ primaryDomain = "mail.${config.monorepo.vars.orgHost}";
tls = {
- loader = "acme";
+ certificates = [
+ {
+ keyPath = "/var/lib/acme/mail.${config.monorepo.vars.orgHost}/key.pem";
+ certPath = "/var/lib/acme/mail.${config.monorepo.vars.orgHost}/fullchain.pem";
+ }
+ ];
};
config = builtins.replaceStrings [
"imap tcp://0.0.0.0:143"
"submission tcp://0.0.0.0:587"
+ "smtp tcp://0.0.0.0:25"
] [
"imap tls://0.0.0.0:993 tcp://0.0.0.0:143"
"submission tls://0.0.0.0:465 tcp://0.0.0.0:587"
+ "smtps tls://0.0.0.0:465 smtp tcp://0.0.0.0:25"
] options.services.maddy.config.default;
ensureCredentials = {
"${config.monorepo.vars.userName}@localhost" = {
- passwordFile = "/secrets/${config.monorepo.vars.userName}-localhost";
+ passwordFile = "/run/secrets/mail_password";
};
};
};
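Review bot: `passwordFile = "/run/secrets/mail_password"` points at a secret that `secrets.nix` never declares (the server branch lists `znc`, `matrix_bridge`, `livekit_secret` and friends; the workstation branch has `mail`), so maddy on the server starts without that file and the `ensureCredentials` entry cannot be created; add `mail_password` to the server branch with `owner` set to the maddy user, since the sops-nix default is root-only 0400. The same ownership question applies to the new `tls.certificates` paths under `/var/lib/acme/mail.${orgHost}/`: the users hunk grants the `acme` group to `ngircd` and `livekit` but not to maddy, and the ACME directory is group-restricted by default. Also, the new `smtp tcp://0.0.0.0:25` listener is only useful if 25 is reachable, and the VPS `allowedTCPPorts` list on this page has 80/143/443/465/587/993 plus the matrix and TURN ports but no 25; add it, together with the MX record this change removes from DNS.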
];
files = [
"/etc/machine-id"
- "/etc/matterbridge.toml"
{ file = "/var/keys/secret_file"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
];
users."${config.monorepo.vars.userName}" = {
./nvidia.nix
./cuda.nix
./nginx.nix
+ ./secrets.nix
./git-daemon.nix
./ollama.nix
./i2pd.nix
./znc.nix
./docker.nix
./impermanence.nix
+ ./coturn.nix
];
+ environment.etc."wpa_supplicant.conf".text = ''
+ country=CA
+ '';
+
documentation = {
enable = lib.mkDefault config.monorepo.profiles.documentation.enable;
man.enable = lib.mkDefault config.monorepo.profiles.documentation.enable;
};
extraModprobeConfig = ''
options snd-usb-audio vid=0x1235 pid=0x8200 device_setup=1
+ options rtw88_core disable_lps_deep=y power_save=0 disable_aspm_l1ss=y
+ options rtw88_pci disable_msi=y disable_aspm=y
+ options rtw_core disable_lps_deep=y
+ options rtw_pci disable_msi=y disable_aspm=y
+ options rtw89_core disable_ps_mode=y
+ options rtw89_pci disable_aspm_l1=y disable_aspm_l1ss=y disable_clkreq=y
+ options iwlwifi 11n_disable=8 uapsd_disable=1 bt_coex_active=0 disable_11ax=1 power_save=0
'';
extraModulePackages = [ ];
];
kernelParams = [
+ "cfg80211.reg_alpha2=CA"
"usbcore.autosuspend=-1"
+ "pcie_aspm=off"
+ "pci=noaer"
# "debugfs=off"
"page_alloc.shuffle=1"
"slab_nomerge"
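Review bot: `pcie_aspm=off`, `pci=noaer`, `cfg80211.reg_alpha2=CA` and the `rtw*`/`iwlwifi` power-saving knobs in `extraModprobeConfig` are laptop Wi-Fi workarounds, but they sit in the same block as the host-wide `usbcore.autosuspend=-1`, so they apply to the VPS too; harmless mostly, but `pci=noaer` silences PCIe error reporting, which is telemetry a server admin usually wants to keep. Gate them on the non-server profile, e.g. `lib.optionals (!config.monorepo.profiles.server.enable) [ ... ]` for `kernelParams` and `lib.optionalString` for the modprobe text, and say in a comment which adapter each line was added for so they can be dropped when the hardware changes.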
"kernel.perf_event_paranoid" = 3;
# net
+ "net.ipv4.ip_forward" = 1;
"net.ipv4.icmp_echo_ignore_broadcasts" = true;
- "net.ipv4.conf.all.accept_redirects" = false;
- "net.ipv4.conf.all.secure_redirects" = false;
- "net.ipv4.conf.default.accept_redirects" = false;
- "net.ipv4.conf.default.secure_redirects" = false;
- "net.ipv6.conf.all.accept_redirects" = false;
- "net.ipv6.conf.default.accept_redirects" = false;
+ # "net.ipv4.conf.all.accept_redirects" = false;
+ # "net.ipv4.conf.all.secure_redirects" = false;
+ # "net.ipv4.conf.default.accept_redirects" = false;
+ # "net.ipv4.conf.default.secure_redirects" = false;
+ # "net.ipv6.conf.all.accept_redirects" = false;
+ # "net.ipv6.conf.default.accept_redirects" = false;
};
};
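Review bot: commenting out the six `accept_redirects`/`secure_redirects = false` sysctls while turning on `net.ipv4.ip_forward` reverses a hardening setting on exactly the kind of host where it matters most: with the explicit values gone the kernel falls back to its defaults, and a forwarding host that honours ICMP redirects can have its routes rewritten by any on-link peer. Forwarding does not require accepting redirects, so if these were dropped to get forwarding working, restore them; if there is a concrete reason (a dn42 peering that relies on redirects, say), put that reason in the comment instead of the old values. Removing a sysctl from the NixOS config does not reset it on the running system until the next boot, so a rebuild will not show the regression immediately.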
dhcpcd.enable = (! config.monorepo.profiles.server.enable);
networkmanager = {
enable = true;
- wifi.powersave = false;
+ wifi = {
+ powersave = false;
+ };
ensureProfiles = {
- profiles = {
- home-wifi = {
- connection = {
- id = "home-wifi";
- permissions = "";
- type = "wifi";
- };
- ipv4 = {
- dns-search = "";
- method = "auto";
- };
- ipv6 = {
- addr-gen-mode = "stable-privacy";
- dns-search = "";
- method = "auto";
- };
- wifi = {
- mac-address-blacklist = "";
- mode = "infrastructure";
- ssid = "TELUS6572";
- };
- wifi-security = {
- auth-alg = "open";
- key-mgmt = "wpa-psk";
- # when someone actually steals my internet then I will be concerned.
- # This password only matters if you actually show up to my house in real life.
- # That would perhaps allow for some nasty networking related shenanigans.
- # I guess we'll cross that bridge when I get there.
- psk = "b4xnrv6cG6GX";
- };
- };
- };
+ # profiles = {
+ # home-wifi = {
+ # connection = {
+ # id = "TELUS6572";
+ # permissions = "";
+ # type = "wifi";
+ # };
+ # ipv4 = {
+ # dns-search = "";
+ # method = "auto";
+ # };
+ # ipv6 = {
+ # addr-gen-mode = "stable-privacy";
+ # dns-search = "";
+ # method = "auto";
+ # };
+ # wifi = {
+ # mac-address-blacklist = "";
+ # mode = "infrastructure";
+ # ssid = "TELUS6572";
+ # };
+ # wifi-security = {
+ # auth-alg = "open";
+ # key-mgmt = "wpa-psk";
+ # # when someone actually steals my internet then I will be concerned.
+ # # This password only matters if you actually show up to my house in real life.
+ # # That would perhaps allow for some nasty networking related shenanigans.
+ # # I guess we'll cross that bridge when I get there.
+ # psk = "b4xnrv6cG6GX";
+ # };
+ # };
+ # };
};
};
firewall = {
};
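Review bot: the removed profile's `psk = "b4xnrv6cG6GX"` survives verbatim in the commented-out replacement (and in the tangled copy lower on this page), so this change does not actually take the Wi-Fi pre-shared key out of the repository; delete the commented block entirely, and since the value has been committed, rotate the PSK on the access point regardless of whether history is rewritten. If a declarative profile is still wanted, `ensureProfiles` can read the PSK from an environment file (`psk = "$WIFI_PSK"` with the file supplied through the module's `ensureProfiles.environmentFiles` option, which can point at a sops secret), keeping the value out of the Nix store as well. The `id` change from `home-wifi` to `TELUS6572` inside the comment is harmless but means the old connection name will not be reused if the block is revived.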
hardware = {
+ wirelessRegulatoryDatabase = true;
enableAllFirmware = true;
cpu.intel.updateMicrocode = true;
graphics.enable = ! config.monorepo.profiles.ttyonly.enable;
restic
sbctl
git
+ git-lfs
+ git-lfs-transfer
vim
curl
nmap
users.groups.git = lib.mkDefault {};
users.groups.ircd = lib.mkDefault {};
users.groups.ngircd = lib.mkDefault {};
+ users.groups.conduit = lib.mkDefault {};
+ users.groups.livekit = lib.mkDefault {};
+ users.groups.matterbridge = lib.mkDefault {};
users.users = {
-
+ matterbridge = {
+ isSystemUser = lib.mkDefault true;
+ group = "matterbridge";
+ };
ngircd = {
isSystemUser = lib.mkDefault true;
group = "ngircd";
extraGroups = [ "acme" "nginx" ];
};
+ livekit = {
+ isSystemUser = lib.mkDefault true;
+ group = "livekit";
+ extraGroups = [ "acme" "nginx" ];
+ };
ircd = {
isSystemUser = lib.mkDefault true;
git = {
isSystemUser = true;
home = "/srv/git";
- shell = "${pkgs.git}/bin/git-shell";
+ shell = "/bin/sh";
group = "git";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICts6+MQiMwpA+DfFQxjIN214Jn0pCw/2BDvOzPhR/H2 preston@continuity-dell"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICts6+MQiMwpA+DfFQxjIN214Jn0pCw/2BDvOzPhR/H2 preston@continuity-dell"
];
+ linger = true;
initialPassword = "${config.monorepo.vars.userName}";
isNormalUser = true;
description = config.monorepo.vars.fullName;
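Review bot: `shell = "/bin/sh"` for the `git` user replaces `git-shell`, which only lets a key holder run `git-upload-pack`/`git-receive-pack`; with `/bin/sh` the same `authorizedKeys` now give an interactive shell on the server, and the account owns `/srv/git`, which gitweb and git-daemon serve. The removed form `"${pkgs.git}/bin/git-shell"` was the right one; if the change was made because `pkgs` is missing from this module's argument set, add `pkgs` to the arguments rather than widening the shell. Also, the two `ssh-ed25519 … preston@continuity-dell` entries are the same key twice; keep one. Lastly, `linger = true` lands next to the existing `initialPassword = userName` on the main user, so user services now outlive logout on a machine whose first-boot password is the username; fine on a workstation, but double-check the password has been changed on the VPS.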
nix = {
settings = {
+ keep-outputs = true;
+ keep-derivations = true;
+ auto-optimise-store = true;
max-jobs = 4;
cores = 0;
substituters = [
experimental-features = "nix-command flakes ca-derivations";
trusted-users = [ "@wheel" ];
};
+ gc.automatic = true;
};
time.timeZone = config.monorepo.vars.timeZone;
i18n.defaultLocale = "en_CA.UTF-8";
sops-nix.homeManagerModules.sops
../vars.nix
./fcitx.nix
- ./secrets.nix
./emacs.nix
./firefox.nix
./git.nix
./mako.nix
./user.nix
./gtk.nix
+ ./secrets.nix
];
options = {
};
}
#+end_src
+*** Secrets
+#+begin_src nix :tangle ../nix/modules/home/secrets.nix
+ { config, ... }:
+ {
+ sops = {
+ defaultSopsFile = if config.monorepo.profiles.graphics.enable
+ then ../../secrets/secrets.yaml
+ else ../../secrets/vps_secrets.yaml;
+
+ age = {
+ keyFile = "/home/${config.monorepo.vars.userName}/.config/sops/age/keys.txt";
+ };
+
+ secrets = if config.monorepo.profiles.graphics.enable then {
+ mail = {
+ format = "yaml";
+ path = "${config.sops.defaultSymlinkPath}/mail";
+ };
+ cloudflare-dns = {
+ format = "yaml";
+ path = "${config.sops.defaultSymlinkPath}/cloudflare-dns";
+ };
+ digikey = {
+ format = "yaml";
+ path = "${config.sops.defaultSymlinkPath}/digikey";
+ };
+ dn42 = {
+ format = "yaml";
+ path = "${config.sops.defaultSymlinkPath}/dn42";
+ };
+ } else {
+ };
+ defaultSymlinkPath = "/run/user/1000/secrets";
+ defaultSecretsMountPoint = "/run/user/1000/secrets.d";
+ };
+ }
+#+end_src
*** Firefox
I conditionally enable metamask based on the cryptocurrency option. Everything else here should
be straightforward.
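Review bot: the home-manager `secrets.nix` selects the secrets file on `profiles.graphics.enable` while the system module selects on `profiles.server.enable`; a host with both or neither profile set gets `secrets.yaml` in one module and `vps_secrets.yaml` in the other, and the empty `else {}` branch means any home-manager module that references `config.sops.secrets.mail` (the prose says the mail password comes from it) fails evaluation on such a host. Use the same predicate in both places. `defaultSymlinkPath = "/run/user/1000/secrets"` also hardcodes uid 1000 while the rest of the config parameterises on `config.monorepo.vars.userName`; if the uid is fixed in `vars.nix`, derive the path from it, otherwise the symlink lands in another user's runtime directory on any host where the uid differs.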
{
programs.firefox = {
enable = lib.mkDefault config.monorepo.profiles.graphics.enable;
- package = pkgs.firefox-bin;
+ package = pkgs.firefox;
policies = {
EnableTrackingProtection = true;
OfferToSaveLogins = false;
epkgs.solidity-flycheck
epkgs.solidity-mode
epkgs.sudo-edit
+ epkgs.telega
epkgs.treemacs
epkgs.treemacs-evil
epkgs.treemacs-magit
{
programs.git = {
enable = lib.mkDefault config.monorepo.profiles.graphics.enable;
+ lfs.enable = lib.mkDefault config.monorepo.profiles.graphics.enable;
userName = config.monorepo.vars.fullName;
userEmail = config.monorepo.profiles.email.email;
signing = {
always_on "yes" # prevent MPD from disconnecting all listeners when playback is stopped.
tags "yes" # httpd supports sending tags to listening streams.
}
+
audio_output {
- type "shout"
- encoding "ogg"
- name "my cool stream"
- host "localhost"
- port "8000"
- mount "/example.ogg"
- user "source"
- password "<source-password>"
-
- bitrate "64"
- format "44100:16:1"
- description "Nullring public radio"
+ type "shout"
+ name "My VPS Stream"
+ host "127.0.0.1"
+ port "8888" # This must match your SSH tunnel local port
+ mount "/stream" # The URL path (e.g. http://vps:8000/stream)
+ password "SuperSecretSourcePass"
+ bitrate "128"
+ format "44100:16:2"
+ protocol "icecast2" # Essential for modern Icecast
+ user "source" # Default icecast source user
+ description "My MPD Stream"
+ genre "Mixed"
}
'';
};
};
}
#+end_src
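Review bot: `password "SuperSecretSourcePass"` is an Icecast source password committed in cleartext, in the same change that moves other credentials into sops; anyone who can read the repo can publish audio to the mount, whereas the old block at least used the `<source-password>` placeholder. Home-manager sops exposes each secret at `config.sops.secrets.<name>.path`, and MPD's `shout` output has no include directive for the password, so the practical route is to render the `audio_output` stanza from a sops template (if the home-manager sops module in use supports templates) or to generate `mpd.conf` at login outside the store; either way, rotate the password on the Icecast side since it is now in history. Two comment mismatches: `port "8888"` says it must match an SSH tunnel, but the `mount "/stream"` comment still describes `http://vps:8000/stream`; and `host "127.0.0.1"` with a tunnel means the `protocol "icecast2"` traffic never leaves the box, which is worth stating so nobody later "fixes" it to the public host.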
-*** Secrets
-This uses sops in order to declaratively create the secrets on my system by unencrypting
-the yaml file specified. Yes, this is safe to include in the repo.
-#+begin_src nix :tangle ../nix/modules/home/secrets.nix
- { config, ... }:
- {
- sops = {
- defaultSopsFile = ../../secrets/secrets.yaml;
- age = {
- keyFile = "/home/${config.monorepo.vars.userName}/.ssh/keys.txt";
- };
- secrets = {
- mail = {
- format = "yaml";
- path = "${config.sops.defaultSymlinkPath}/mail";
- };
- cloudflare-dns = {
- format = "yaml";
- path = "${config.sops.defaultSymlinkPath}/cloudflare-dns";
- };
- digikey = {
- format = "yaml";
- path = "${config.sops.defaultSymlinkPath}/digikey";
- };
- dn42 = {
- format = "yaml";
- path = "${config.sops.defaultSymlinkPath}/dn42";
- };
- znc = {
- format = "yaml";
- path = "${config.sops.defaultSymlinkPath}/znc";
- };
- znc_password_salt = {
- format = "yaml";
- path = "${config.sops.defaultSymlinkPath}/znc_password_salt";
- };
-
- znc_password_hash = {
- format = "yaml";
- path = "${config.sops.defaultSymlinkPath}/znc_password_hash";
- };
-
- matrix_bridge = {
- format = "yaml";
- path = "${config.sops.defaultSymlinkPath}/matrix_bridge";
- };
- };
- defaultSymlinkPath = "/run/user/1000/secrets";
- defaultSecretsMountPoint = "/run/user/1000/secrets.d";
- };
- }
-#+end_src
*** Waybar
This is the bar I use for my hyprland configuration. You will need to adjust the monitors field
in the ~default.nix~ for it to really appear.
# Apps
# octaveFull
- vesktop grim swww vim telegram-desktop qwen-code fluffychat jami
+ vesktop grim swww vim kotatogram-desktop tg qwen-code element-desktop jami
# Sound/media
pavucontrol alsa-utils imagemagick ffmpeg helvum
boot.loader.grub.device = "nodev";
networking = {
+ extraHosts = ''
+ 127.0.0.1 livekit.${config.monorepo.vars.orgHost}
+ 127.0.0.1 matrix.${config.monorepo.vars.orgHost}
+ '';
interfaces.ens3.ipv4.addresses = [
{
address = ipv4addr;
}
];
defaultGateway = "66.42.84.1";
- firewall.allowedTCPPorts = [
- 80
- 143
- 443
- 465
- 587
- 993
- 6697
- 6667
- 8448
- ];
+ firewall = {
+ allowedTCPPorts = [
+ 80
+ 143
+ 443
+ 465
+ 587
+ 993
+ 3478
+ 5349
+ 6697
+ 6667
+ 7881
+ 8443
+ 8448
+ ];
+ allowedUDPPorts = [
+ 3478 5349 7882
+ ];
+ allowedUDPPortRanges = [
+ { from = 49152; to = 65535; }
+ ];
+ };
domains = {
enable = true;
baseDomains = {
};
subDomains = {
"${config.monorepo.vars.remoteHost}" = {};
+ "notes.${config.monorepo.vars.remoteHost}" = {
+ a.data = "45.76.87.125";
+ };
"matrix.${config.monorepo.vars.remoteHost}" = {};
"www.${config.monorepo.vars.remoteHost}" = {};
- "mail.${config.monorepo.vars.remoteHost}" = {
- mx.data = "10 mail.${config.monorepo.vars.remoteHost}.";
- };
+ "mail.${config.monorepo.vars.remoteHost}" = {};
+ "livekit.${config.monorepo.vars.orgHost}" = {};
"${config.monorepo.vars.orgHost}" = {};
"git.${config.monorepo.vars.orgHost}" = {};
"matrix.${config.monorepo.vars.orgHost}" = {};
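Review bot: the DNS hunk removes the MX record for `mail.${remoteHost}` and adds no record for `mail.${orgHost}`, yet maddy's `primaryDomain` and the nginx vhost on this page both move to `mail.${orgHost}`; unless that zone is managed elsewhere, the ACME challenge for the new vhost and inbound mail both have nowhere to land, so add an A record for `mail.${orgHost}` and an MX under `${orgHost}` pointing at it. In the firewall, `allowedTCPPorts` gains the TURN and LiveKit ports but not 25, which the `smtp tcp://0.0.0.0:25` listener added to maddy in this change needs for inbound delivery; and `allowedUDPPortRanges` 49152-65535 is wider than LiveKit's configured 50000-60000, so narrow it to match. The `extraHosts` entries mapping `livekit.`/`matrix.${orgHost}` to 127.0.0.1 let lk-jwt and LiveKit reach each other locally, which is fine, but they also make the TURN `domain` resolve to loopback from the VPS itself, so a TURN self-test run on that host will not exercise the public path.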
keys:
- &primary age165ul43e8rc0qwzz2f2q9cw02psm2mkudsrwavq2e0pxs280p64yqy2z0dr
+ - &vps age1acpuyy2qnduyxzwvusd8urr6a78e3f37ylhvh2pngyqytf5r8ans5vkest
creation_rules:
- path_regex: secrets/secrets.yaml$
key_groups:
- age:
- *primary
+
+ - path_regex: secrets/vps_secrets.yaml$
+ key_groups:
+ - age:
+ - *vps
{
services.matrix-conduit = {
enable = lib.mkDefault config.monorepo.profiles.server.enable;
+ secretFile = "/run/secrets/conduit_secrets";
settings.global = {
server_name = "matrix.${config.monorepo.vars.orgHost}";
trusted_servers = [
allow_registration = false;
};
};
+ services.lk-jwt-service = {
+ enable = lib.mkDefault config.monorepo.profiles.server.enable;
+ port = 6495;
+ livekitUrl = "wss://livekit.nullring.xyz";
+ keyFile = "/run/secrets/livekit_secret";
+ };
+ services.livekit = {
+ enable = lib.mkDefault config.monorepo.profiles.server.enable;
+ keyFile = "/run/secrets/livekit_secret";
+ settings = {
+ port = 7880;
+ turn = {
+ enabled = true;
+ domain = "livekit.${config.monorepo.vars.orgHost}";
+ cert_file = "/var/lib/acme/livekit.${config.monorepo.vars.orgHost}/fullchain.pem";
+ key_file = "/var/lib/acme/livekit.${config.monorepo.vars.orgHost}/key.pem";
+ tls_port = 5349;
+ udp_port = 3478;
+ };
+
+ rtc = {
+ use_external_ip = true;
+ tcp_port = 7881;
+ udp_port = 7882;
+ port_range_start = 50000;
+ port_range_end = 60000;
+ };
+ };
+ };
}
./nvidia.nix
./cuda.nix
./nginx.nix
+ ./secrets.nix
./git-daemon.nix
./ollama.nix
./i2pd.nix
./znc.nix
./docker.nix
./impermanence.nix
+ ./coturn.nix
];
+ environment.etc."wpa_supplicant.conf".text = ''
+country=CA
+'';
+
documentation = {
enable = lib.mkDefault config.monorepo.profiles.documentation.enable;
man.enable = lib.mkDefault config.monorepo.profiles.documentation.enable;
};
extraModprobeConfig = ''
options snd-usb-audio vid=0x1235 pid=0x8200 device_setup=1
+ options rtw88_core disable_lps_deep=y power_save=0 disable_aspm_l1ss=y
+ options rtw88_pci disable_msi=y disable_aspm=y
+ options rtw_core disable_lps_deep=y
+ options rtw_pci disable_msi=y disable_aspm=y
+ options rtw89_core disable_ps_mode=y
+ options rtw89_pci disable_aspm_l1=y disable_aspm_l1ss=y disable_clkreq=y
+ options iwlwifi 11n_disable=8 uapsd_disable=1 bt_coex_active=0 disable_11ax=1 power_save=0
'';
extraModulePackages = [ ];
];
kernelParams = [
+ "cfg80211.reg_alpha2=CA"
"usbcore.autosuspend=-1"
+ "pcie_aspm=off"
+ "pci=noaer"
# "debugfs=off"
"page_alloc.shuffle=1"
"slab_nomerge"
"kernel.perf_event_paranoid" = 3;
# net
+ "net.ipv4.ip_forward" = 1;
"net.ipv4.icmp_echo_ignore_broadcasts" = true;
- "net.ipv4.conf.all.accept_redirects" = false;
- "net.ipv4.conf.all.secure_redirects" = false;
- "net.ipv4.conf.default.accept_redirects" = false;
- "net.ipv4.conf.default.secure_redirects" = false;
- "net.ipv6.conf.all.accept_redirects" = false;
- "net.ipv6.conf.default.accept_redirects" = false;
+ # "net.ipv4.conf.all.accept_redirects" = false;
+ # "net.ipv4.conf.all.secure_redirects" = false;
+ # "net.ipv4.conf.default.accept_redirects" = false;
+ # "net.ipv4.conf.default.secure_redirects" = false;
+ # "net.ipv6.conf.all.accept_redirects" = false;
+ # "net.ipv6.conf.default.accept_redirects" = false;
};
};
dhcpcd.enable = (! config.monorepo.profiles.server.enable);
networkmanager = {
enable = true;
- wifi.powersave = false;
+ wifi = {
+ powersave = false;
+ };
ensureProfiles = {
- profiles = {
- home-wifi = {
- connection = {
- id = "home-wifi";
- permissions = "";
- type = "wifi";
- };
- ipv4 = {
- dns-search = "";
- method = "auto";
- };
- ipv6 = {
- addr-gen-mode = "stable-privacy";
- dns-search = "";
- method = "auto";
- };
- wifi = {
- mac-address-blacklist = "";
- mode = "infrastructure";
- ssid = "TELUS6572";
- };
- wifi-security = {
- auth-alg = "open";
- key-mgmt = "wpa-psk";
- # when someone actually steals my internet then I will be concerned.
- # This password only matters if you actually show up to my house in real life.
- # That would perhaps allow for some nasty networking related shenanigans.
- # I guess we'll cross that bridge when I get there.
- psk = "b4xnrv6cG6GX";
- };
- };
- };
+ # profiles = {
+ # home-wifi = {
+ # connection = {
+ # id = "TELUS6572";
+ # permissions = "";
+ # type = "wifi";
+ # };
+ # ipv4 = {
+ # dns-search = "";
+ # method = "auto";
+ # };
+ # ipv6 = {
+ # addr-gen-mode = "stable-privacy";
+ # dns-search = "";
+ # method = "auto";
+ # };
+ # wifi = {
+ # mac-address-blacklist = "";
+ # mode = "infrastructure";
+ # ssid = "TELUS6572";
+ # };
+ # wifi-security = {
+ # auth-alg = "open";
+ # key-mgmt = "wpa-psk";
+ # # when someone actually steals my internet then I will be concerned.
+ # # This password only matters if you actually show up to my house in real life.
+ # # That would perhaps allow for some nasty networking related shenanigans.
+ # # I guess we'll cross that bridge when I get there.
+ # psk = "b4xnrv6cG6GX";
+ # };
+ # };
+ # };
};
};
firewall = {
};
hardware = {
+ wirelessRegulatoryDatabase = true;
enableAllFirmware = true;
cpu.intel.updateMicrocode = true;
graphics.enable = ! config.monorepo.profiles.ttyonly.enable;
restic
sbctl
git
+ git-lfs
+ git-lfs-transfer
vim
curl
nmap
users.groups.git = lib.mkDefault {};
users.groups.ircd = lib.mkDefault {};
users.groups.ngircd = lib.mkDefault {};
+ users.groups.conduit = lib.mkDefault {};
+ users.groups.livekit = lib.mkDefault {};
+ users.groups.matterbridge = lib.mkDefault {};
users.users = {
-
+ matterbridge = {
+ isSystemUser = lib.mkDefault true;
+ group = "matterbridge";
+ };
ngircd = {
isSystemUser = lib.mkDefault true;
group = "ngircd";
extraGroups = [ "acme" "nginx" ];
};
+ livekit = {
+ isSystemUser = lib.mkDefault true;
+ group = "livekit";
+ extraGroups = [ "acme" "nginx" ];
+ };
ircd = {
isSystemUser = lib.mkDefault true;
git = {
isSystemUser = true;
home = "/srv/git";
- shell = "${pkgs.git}/bin/git-shell";
+ shell = "/bin/sh";
group = "git";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICts6+MQiMwpA+DfFQxjIN214Jn0pCw/2BDvOzPhR/H2 preston@continuity-dell"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICts6+MQiMwpA+DfFQxjIN214Jn0pCw/2BDvOzPhR/H2 preston@continuity-dell"
];
+ linger = true;
initialPassword = "${config.monorepo.vars.userName}";
isNormalUser = true;
description = config.monorepo.vars.fullName;
nix = {
settings = {
+ keep-outputs = true;
+ keep-derivations = true;
+ auto-optimise-store = true;
max-jobs = 4;
cores = 0;
substituters = [
experimental-features = "nix-command flakes ca-derivations";
trusted-users = [ "@wheel" ];
};
+ gc.automatic = true;
};
time.timeZone = config.monorepo.vars.timeZone;
i18n.defaultLocale = "en_CA.UTF-8";
--- /dev/null
+{ lib, config, ... }:
+{
+ services.coturn = {
+ enable = false;
+ use-auth-secret = true;
+ listening-ips = [ "0.0.0.0" ];
+ cert = "/var/lib/acme/matrix.${config.monorepo.vars.orgHost}/fullchain.pem";
+ static-auth-secret-file = "/run/secrets/coturn_secret";
+ };
+}
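Review bot: `cert` is set but no `pkey` is given, so once `enable` is flipped to true coturn cannot serve TLS/DTLS on 5349 even though this diff opens 5349 in the firewall; add `pkey = "/var/lib/acme/matrix.${config.monorepo.vars.orgHost}/key.pem"` and make sure the turnserver user can read that ACME directory. `use-auth-secret = true` also needs a `realm` for the TURN REST credential scheme, and `static-auth-secret-file = "/run/secrets/coturn_secret"` assumes a system-level `sops.secrets.coturn_secret` declaration, which this diff only adds in the `defaultsymlinkpath` user file, not in the system sops.nix, so `/run/secrets/coturn_secret` will not exist. Since the module is committed with `enable = false`, none of this is caught until someone turns it on.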
{ lib, config, vars, ... }:
{
- virtualisation = {
- oci-containers = {
- backend = "podman";
- containers = {};
- };
- containers.enable = true;
- podman = {
- enable = true;
- dockerCompat = true;
- defaultNetwork.settings.dns_enabled = true;
- };
- };
+ # virtualisation = {
+ # oci-containers = {
+ # backend = "podman";
+ # containers = {};
+ # };
+ # containers.enable = true;
+ # podman = {
+ # enable = true;
+ # dockerCompat = true;
+ # defaultNetwork.settings.dns_enabled = true;
+ # };
+ # };
}
{ lib, config, ... }:
{
services.gitweb = {
- gitwebTheme = true;
+ gitwebTheme = lib.mkDefault config.monorepo.profiles.server.enable;
projectroot = "/srv/git/";
+ extraConfig = ''
+our $export_ok = "git-daemon-export-ok";
+'';
};
}
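Review bot: `our $export_ok = "git-daemon-export-ok";` makes gitweb list only repositories under `/srv/git/` that carry that marker file, which is the right opt-in default for a host that also holds private repos; document that a new public repo needs `touch <repo>/git-daemon-export-ok` or it will silently not appear. Tying `gitwebTheme` to `config.monorepo.profiles.server.enable` conflates a cosmetic setting with the server role; the other modules in this diff use that flag for `enable`, so keep the theme a plain boolean.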
sops-nix.homeManagerModules.sops
../vars.nix
./fcitx.nix
- ./secrets.nix
./emacs.nix
./firefox.nix
./git.nix
./mako.nix
./user.nix
./gtk.nix
+ ./secrets.nix
];
options = {
epkgs.solidity-flycheck
epkgs.solidity-mode
epkgs.sudo-edit
+ epkgs.telega
epkgs.treemacs
epkgs.treemacs-evil
epkgs.treemacs-magit
{
programs.firefox = {
enable = lib.mkDefault config.monorepo.profiles.graphics.enable;
- package = pkgs.firefox-bin;
+ package = pkgs.firefox;
policies = {
EnableTrackingProtection = true;
OfferToSaveLogins = false;
{
programs.git = {
enable = lib.mkDefault config.monorepo.profiles.graphics.enable;
+ lfs.enable = lib.mkDefault config.monorepo.profiles.graphics.enable;
userName = config.monorepo.vars.fullName;
userEmail = config.monorepo.profiles.email.email;
signing = {
always_on "yes" # prevent MPD from disconnecting all listeners when playback is stopped.
tags "yes" # httpd supports sending tags to listening streams.
}
-audio_output {
- type "shout"
- encoding "ogg"
- name "my cool stream"
- host "localhost"
- port "8000"
- mount "/example.ogg"
- user "source"
- password "<source-password>"
- bitrate "64"
- format "44100:16:1"
- description "Nullring public radio"
+audio_output {
+ type "shout"
+ name "My VPS Stream"
+ host "127.0.0.1"
+ port "8888" # This must match your SSH tunnel local port
+ mount "/stream" # The URL path (e.g. http://vps:8000/stream)
+ password "SuperSecretSourcePass"
+ bitrate "128"
+ format "44100:16:2"
+ protocol "icecast2" # Essential for modern Icecast
+ user "source" # Default icecast source user
+ description "My MPD Stream"
+ genre "Mixed"
}
'';
};
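Review bot: the new `audio_output` block embeds the Icecast source password as a literal (`password "SuperSecretSourcePass"`); because this sits inside a Nix string, it ends up in the world-readable Nix store as part of the generated mpd.conf and in git, whereas the removed block at least used a `<source-password>` placeholder. Supply it at runtime instead (an mpd.conf `include` of a sops-managed file, or a `sops.templates` entry as this change already does for matterbridge) and rotate the value. The inline comments also disagree with each other: `port "8888"` says it must match the SSH tunnel, while the `mount` comment cites `http://vps:8000/stream`.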
--- /dev/null
+{ lib, config, ... }:
+{
+ config = lib.mkIf config.monorepo.profiles.graphics.enable {
+ sops.secrets = {
+ mail = {
+ format = "yaml";
+ path = "${config.sops.defaultSymlinkPath}/mail";
+ };
+ cloudflare-dns = {
+ format = "yaml";
+ path = "${config.sops.defaultSymlinkPath}/cloudflare-dns";
+ };
+ digikey = {
+ format = "yaml";
+ path = "${config.sops.defaultSymlinkPath}/digikey";
+ };
+ dn42 = {
+ format = "yaml";
+ path = "${config.sops.defaultSymlinkPath}/dn42";
+ };
+ };
+ };
+}
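Review bot: this new file declares the same `sops.secrets` (`mail`, `cloudflare-dns`, `digikey`, `dn42`) that the home sops module still declares in its graphics branch, so each secret is now defined in two places; identical string values merge cleanly, but any later divergence (a changed `path`, for instance) surfaces as a module conflict at evaluation time. Keep one source of truth, either this file or the conditional in sops.nix, not both.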
{ config, ... }:
{
sops = {
- defaultSopsFile = ../../secrets/secrets.yaml;
+ defaultSopsFile = if config.monorepo.profiles.graphics.enable
+ then ../../secrets/secrets.yaml
+ else ../../secrets/vps_secrets.yaml;
+
age = {
- keyFile = "/home/${config.monorepo.vars.userName}/.ssh/keys.txt";
+ keyFile = "/home/${config.monorepo.vars.userName}/.config/sops/age/keys.txt";
};
- secrets = {
+
+ secrets = if config.monorepo.profiles.graphics.enable then {
mail = {
format = "yaml";
path = "${config.sops.defaultSymlinkPath}/mail";
format = "yaml";
path = "${config.sops.defaultSymlinkPath}/dn42";
};
- znc = {
- format = "yaml";
- path = "${config.sops.defaultSymlinkPath}/znc";
- };
- znc_password_salt = {
- format = "yaml";
- path = "${config.sops.defaultSymlinkPath}/znc_password_salt";
- };
-
- znc_password_hash = {
- format = "yaml";
- path = "${config.sops.defaultSymlinkPath}/znc_password_hash";
- };
-
- matrix_bridge = {
- format = "yaml";
- path = "${config.sops.defaultSymlinkPath}/matrix_bridge";
- };
+ } else {
};
defaultSymlinkPath = "/run/user/1000/secrets";
defaultSecretsMountPoint = "/run/user/1000/secrets.d";
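Review bot: `age.keyFile` moves from `~/.ssh/keys.txt` to `~/.config/sops/age/keys.txt`, which is where sops itself looks by default, but nothing in this change migrates the key; copy it there with mode 0600 before the next home-manager switch and remove the old copy under `.ssh`, otherwise activation fails to decrypt. The `else` branch of `secrets` is empty while `defaultSopsFile` still selects `vps_secrets.yaml` for the non-graphics case, so the VPS user profile references a secrets file it never uses; either drop the conditional on `defaultSopsFile` or move the VPS user secrets into that branch.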
# Apps
# octaveFull
- vesktop grim swww vim telegram-desktop qwen-code fluffychat jami
+ vesktop grim swww vim kotatogram-desktop tg qwen-code element-desktop jami
# Sound/media
pavucontrol alsa-utils imagemagick ffmpeg helvum
--- /dev/null
+{ lib, config, ... }:
+{
+ config = lib.mkIf (!config.monorepo.profiles.graphics.enable) {
+ sops.secrets = {
+ znc = {
+ format = "yaml";
+ path = "${config.sops.defaultsymlinkpath}/znc";
+ };
+ znc_password_salt = {
+ format = "yaml";
+ path = "${config.sops.defaultsymlinkpath}/znc_password_salt";
+ };
+ znc_password_hash = {
+ format = "yaml";
+ path = "${config.sops.defaultsymlinkpath}/znc_password_hash";
+ };
+ matrix_bridge = {
+ format = "yaml";
+ path = "${config.sops.defaultsymlinkpath}/matrix_bridge";
+ };
+ coturn_secret = {
+ format = "yaml";
+ path = "${config.sops.defaultsymlinkpath}/coturn_secret";
+ };
+ livekit_secret = {
+ format = "yaml";
+ path = "${config.sops.defaultsymlinkpath}/livekit_secret";
+ };
+ livekit = {
+ format = "yaml";
+ path = "${config.sops.defaultsymlinkpath}/livekit";
+ };
+ conduit_secrets = {
+ format = "yaml";
+ path = "${config.sops.defaultsymlinkpath}/conduit_secrets";
+ };
+ mautrix_env = {
+ format = "yaml";
+ path = "${config.sops.defaultsymlinkpath}/mautrix_env";
+ };
+ };
+ };
+}
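Review bot: every `path` in this file references `config.sops.defaultsymlinkpath`, but the option is `defaultSymlinkPath` (spelled correctly in the sibling file above); Nix attribute names are case-sensitive, so this evaluates to an "attribute missing" error exactly when `profiles.graphics.enable` is false, i.e. on the VPS this file targets. Fix the spelling in all nine entries. Also decide whether these secrets (`znc`, `matrix_bridge`, `coturn_secret`, `livekit`, ...) belong to the user session or to system services: the services in this diff (`coturn`, `maddy`, `mautrix-discord`) read `/run/secrets/...`, which only the system-level sops.nix provides, so duplicating them here under the user symlink path buys nothing.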
{ lib, config, ... }:
{
services.honk = {
- enable = config.monorepo.vars.ttyonly;
+ enable = lib.mkDefault config.monorepo.profiles.server.enable;
servername = "ret2pop.net";
username = "ret2pop";
};
];
files = [
"/etc/machine-id"
- "/etc/matterbridge.toml"
{ file = "/var/keys/secret_file"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
];
users."${config.monorepo.vars.userName}" = {
enable = lib.mkDefault config.monorepo.profiles.server.enable;
openFirewall = true;
hostName = "${config.monorepo.vars.remoteHost}";
- primaryDomain = "mail.${config.monorepo.vars.remoteHost}";
+ primaryDomain = "mail.${config.monorepo.vars.orgHost}";
tls = {
- loader = "acme";
+ certificates = [
+ {
+ keyPath = "/var/lib/acme/mail.${config.monorepo.vars.orgHost}/key.pem";
+ certPath = "/var/lib/acme/mail.${config.monorepo.vars.orgHost}/fullchain.pem";
+ }
+ ];
};
config = builtins.replaceStrings [
"imap tcp://0.0.0.0:143"
"submission tcp://0.0.0.0:587"
+ "smtp tcp://0.0.0.0:25"
] [
"imap tls://0.0.0.0:993 tcp://0.0.0.0:143"
"submission tls://0.0.0.0:465 tcp://0.0.0.0:587"
+ "smtps tls://0.0.0.0:465 smtp tcp://0.0.0.0:25"
] options.services.maddy.config.default;
ensureCredentials = {
"${config.monorepo.vars.userName}@localhost" = {
- passwordFile = "/secrets/${config.monorepo.vars.userName}-localhost";
+ passwordFile = "/run/secrets/mail_password";
};
};
};
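Review bot: the new third replacement turns `smtp tcp://0.0.0.0:25` into `smtps tls://0.0.0.0:465 smtp tcp://0.0.0.0:25`, but the submission replacement directly above already binds `tls://0.0.0.0:465`, so maddy will try to listen on 465 twice and fail at startup; 465 is implicit-TLS submission, so keep it on the `submission` endpoint and leave the MX endpoint as `smtp tcp://0.0.0.0:25` (and confirm `smtps` is an endpoint name maddy's config grammar accepts before relying on it). `passwordFile = "/run/secrets/mail_password"` also depends on a `mail_password` entry in the system `sops.secrets`, which this diff does not declare even though `vps_secrets.yaml` now carries that key; add the declaration with an owner the maddy service can read. Likewise the explicit `keyPath`/`certPath` under `/var/lib/acme/mail.<orgHost>/` require the maddy user to be able to read that directory (membership in the cert's group), which `loader = "acme"` previously handled.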
{
services.matterbridge = {
enable = lib.mkDefault config.monorepo.profiles.server.enable;
- configPath = "/etc/matterbridge.toml";
+ configPath = "${config.sops.templates.matterbridge.path}";
};
}
{
services.mautrix-discord = {
enable = lib.mkDefault config.monorepo.profiles.server.enable;
- environmentFile = "/etc/mautrix";
+ environmentFile = "/run/secrets/mautrix_env";
settings = {
bridge = {
animated_sticker = {
{ lib, config, ... }:
{
services.murmur = {
- enable = lib.mkDefault config.monorepo.profiles.server.enable;
+# enable = lib.mkDefault config.monorepo.profiles.server.enable;
+ enable = false;
openFirewall = true;
hostName = "0.0.0.0";
welcometext = "Wecome to the Null Murmur instance!";
-{ config, lib, services, ... }:
+{ config, lib, ... }:
{
services.nginx = {
enable = lib.mkDefault config.monorepo.profiles.server.enable;
user = "nginx";
- # Use recommended settings
recommendedGzipSettings = true;
recommendedOptimisation = true;
- recommendedProxySettings = true;
recommendedTlsSettings = true;
- appendHttpConfig = '''';
+ recommendedProxySettings = false;
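Review bot: flipping `recommendedProxySettings` from true to false removes the default `proxy_set_header Host/X-Real-IP/X-Forwarded-For/X-Forwarded-Proto` lines and the proxy buffer/redirect settings from every `proxyPass` location on this host; the new LiveKit vhosts below re-add the headers by hand, but any other proxied location that does not now forwards requests without client IP or scheme, which breaks rate limiting and log attribution on the upstream. If one vhost needed the defaults off, keep the global setting and override in that vhost's `extraConfig` instead. Dropping the empty `appendHttpConfig = '''';` is fine.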
gitweb = {
enable = true;
addr = "[::]";
port = 443;
ssl = true;
- } {
+ }
+ {
addr = "0.0.0.0";
port = 8448;
ssl = true;
proxy_read_timeout 5m;
'';
};
+ locations."= /.well-known/matrix/server" = {
+ extraConfig = ''
+ add_header Content-Type application/json;
+ add_header Access-Control-Allow-Origin *;
+ '';
+
+ return = ''200 '{"m.server": "matrix.nullring.xyz:443"}' '';
+ };
+ locations."/.well-known/matrix/client" = {
+ extraConfig = ''
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ '';
+
+ return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.${config.monorepo.vars.orgHost}\"}, \"org.matrix.msc4143.rtc_foci\": [{\"type\": \"livekit\", \"livekit_service_url\": \"https://matrix.${config.monorepo.vars.orgHost}:8443\"}]}'";
+ };
extraConfig = ''
merge_slashes off;
'';
};
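Review bot: the `/.well-known/matrix/server` return hardcodes `matrix.nullring.xyz:443` while every other hostname in this vhost, including the client well-known two lines later, is built from `${config.monorepo.vars.orgHost}`; use the variable here as well so a change of `orgHost` cannot leave federation pointing at a stale name. The two well-known locations also use different match types (`= /.well-known/matrix/server` is exact, `/.well-known/matrix/client` is a prefix); make both exact.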
+
+ "matrix.${config.monorepo.vars.orgHost}-livekit" = {
+ serverName = "matrix.${config.monorepo.vars.orgHost}";
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ }
+ {
+ addr = "[::]";
+ port = 8443;
+ ssl = true;
+ }
+ ];
+ addSSL = true;
+ enableACME = false;
+ forceSSL = false;
+ useACMEHost = "matrix.${config.monorepo.vars.orgHost}";
+
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:6495";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ '';
+ };
+ };
+
+ "livekit.${config.monorepo.vars.orgHost}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:7880";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_read_timeout 3600s;
+ proxy_send_timeout 3600s;
+
+ # Standard headers for LiveKit
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ # proxy_set_header Upgrade $http_upgrade;
+ # proxy_set_header Connection "upgrade";
+
+ # --- CORS CONFIGURATION START ---
+ # 1. Allow all origins (including app.element.io)
+ add_header 'Access-Control-Allow-Origin' '*' always;
+
+ # 2. Allow specific methods (POST is required for /sfu/get)
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE' always;
+
+ # 3. Allow headers (Content-Type is crucial for JSON)
+ add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;
+
+ # 4. Handle the OPTIONS preflight request immediately
+ if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' '*' always;
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE' always;
+ add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;
+ add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Content-Type' 'text/plain; charset=utf-8';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+ # --- CORS CONFIGURATION END ---
+ '';
+ };
+ };
+
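Review bot: the CORS block on the `livekit.<orgHost>` vhost adds `Access-Control-Allow-Origin '*' ... always` to proxied responses; if the LiveKit upstream on 127.0.0.1:7880 already emits its own `Access-Control-Allow-Origin`, browsers see two values and reject the response, so verify with a preflight (`curl -i -X OPTIONS -H 'Origin: https://app.element.io' https://livekit.<orgHost>/`) that exactly one header comes back, and drop the nginx copy if the upstream handles CORS itself. The wildcard origin is acceptable only because the SFU authenticates by bearer token rather than cookies, which is why `Authorization` in `Access-Control-Allow-Headers` is correct here. Leaving the `Upgrade`/`Connection` headers commented out is right, since `proxyWebsockets = true` already sets them.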
"${config.monorepo.vars.remoteHost}" = {
serverName = "${config.monorepo.vars.remoteHost}";
serverAliases = [ "${config.monorepo.vars.internetName}.${config.monorepo.vars.orgHost}" ];
enableACME = true;
};
- "mail.${config.monorepo.vars.remoteHost}" = {
- serverName = "mail.${config.monorepo.vars.remoteHost}";
+ "mail.${config.monorepo.vars.orgHost}" = {
+ serverName = "mail.${config.monorepo.vars.orgHost}";
root = "/var/www/dummy";
addSSL = true;
enableACME = true;
--- /dev/null
+{ lib, config, ... }:
+{
+ services.ntfy-sh = {
+# enable = lib.mkDefault config.monorepo.profiles.server.enable;
+ enable = false;
+ settings = {
+ base-url = "https://ntfy.${config.monorepo.vars.remoteHost}";
+ listen-http = "127.0.0.1:2586";
+ envrionmentFile = "/run/secrets/ntfy";
+ };
+ };
+}
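Review bot: `envrionmentFile` is misspelled, and because it sits under `settings` it would be written verbatim into ntfy's server.yml as an unknown key rather than loading `/run/secrets/ntfy`; with `enable = false` and no `ntfy` secret declared in the system sops.nix of this diff, nothing catches that today. Either remove the key or use a top-level module option for secret injection (check the ntfy-sh module for one) rather than `settings`, and drop the commented `enable` line instead of committing it.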
enable = lib.mkDefault config.monorepo.profiles.cuda.enable;
finegrained = false;
};
- nvidiaSettings = lib.mkDefault config.monorepo.profiles.cuda.enable;
open = config.monorepo.profiles.cuda.enable;
package = config.boot.kernelPackages.nvidiaPackages.stable;
+ nvidiaSettings = false;
};
};
}
{ config, ... }:
{
sops = {
- defaultSopsFile = ../../secrets/secrets.yaml;
+ defaultSopsFile = if config.monorepo.profiles.server.enable
+ then ../secrets/vps_secrets.yaml
+ else ../secrets/secrets.yaml;
+
+
+ templates = if config.monorepo.profiles.server.enable then {
+ "matterbridge" = {
+ owner = "matterbridge";
+ content = ''
+[irc.myirc]
+Server="127.0.0.1:6667"
+Nick="bridge"
+RemoteNickFormat="[{PROTOCOL}] <{NICK}> "
+UseTLS=false
+
+[telegram.mytelegram]
+Token="${config.sops.placeholder.telegram_token}"
+RemoteNickFormat="<({PROTOCOL}){NICK}> "
+MessageFormat="HTMLNick :"
+QuoteFormat="{MESSAGE} (re @{QUOTENICK}: {QUOTEMESSAGE})"
+QuoteLengthLimit=46
+IgnoreMessages="^/"
+
+[discord.mydiscord]
+Token="${config.sops.placeholder.discord_token}"
+Server="Null Identity"
+AutoWebHooks=true
+RemoteNickFormat="[{PROTOCOL}] <{NICK}> "
+PreserveThreading=true
+
+[[gateway]]
+name="gateway1"
+enable=true
+
+[[gateway.inout]]
+account="irc.myirc"
+channel="#nullring"
+
+[[gateway.inout]]
+account="discord.mydiscord"
+channel="ID:996282946879242262"
+
+[[gateway.inout]]
+account="telegram.mytelegram"
+channel="-5290629325"
+'';
+ };
+ } else {};
+
age = {
- keyFile = "/home/${config.monorepo.vars.userName}/.ssh/keys.txt";
+ keyFile = "/home/${config.monorepo.vars.userName}/.config/sops/age/keys.txt";
};
- secrets = {
+
+ secrets = if ! config.monorepo.profiles.server.enable then {
mail = {
format = "yaml";
- sopsFile = config.sops.defaultSopsFile;
-# sopsFile = ../../secrets/secrets.yaml;
- path = "${config.sops.defaultSymlinkPath}/mail";
};
cloudflare-dns = {
format = "yaml";
- sopsFile = config.sops.defaultSopsFile;
- path = "${config.sops.defaultSymlinkPath}/cloudflare-dns";
};
digikey = {
format = "yaml";
- sopsFile = config.sops.defaultSopsFile;
- path = "${config.sops.defaultSymlinkPath}/digikey";
};
dn42 = {
format = "yaml";
- sopsFile = config.sops.defaultSopsFile;
-# sopsFile = ../../secrets/secrets.yaml;
- path = "${config.sops.defaultSymlinkPath}/dn42";
};
+ } else {
znc = {
format = "yaml";
- sopsFile = config.sops.defaultSopsFile;
-# sopsFile = ../../secrets/secrets.yaml;
- path = "${config.sops.defaultSymlinkPath}/znc";
};
znc_password_salt = {
format = "yaml";
- sopsFile = config.sops.defaultSopsFile;
-# sopsFile = ../../secrets/secrets.yaml;
- path = "${config.sops.defaultSymlinkPath}/znc_password_salt";
};
-
znc_password_hash = {
format = "yaml";
- sopsFile = config.sops.defaultSopsFile;
-# sopsFile = ../../secrets/secrets.yaml;
- path = "${config.sops.defaultSymlinkPath}/znc_password_hash";
};
-
matrix_bridge = {
format = "yaml";
- sopsFile = config.sops.defaultSopsFile;
-# sopsFile = ../../secrets/secrets.yaml;
- path = "${config.sops.defaultSymlinkPath}/matrix_bridge";
+ };
+ livekit_secret = {
+ format = "yaml";
+ mode = "0444";
+ };
+ livekit = {
+ format = "yaml";
+ };
+ conduit_secrets = {
+ format = "yaml";
+ };
+ mautrix_env = {
+ format = "yaml";
+ };
+ telegram_token = {
+ format = "yaml";
+ };
+ discord_token = {
+ format = "yaml";
};
};
- defaultSymlinkPath = "/run/user/1000/secrets";
- defaultSecretsMountPoint = "/run/user/1000/secrets.d";
};
}
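Review bot: `livekit_secret` is declared with `mode = "0444"`, which makes the LiveKit API secret readable by every local user and service on the VPS (the sops-nix default is 0400, root-owned); since this change also creates a `livekit` system user, set `owner = "livekit"` and drop the world-readable mode. Two further points in this hunk: `defaultSopsFile` moves from `../../secrets/...` to `../secrets/...`, so confirm the files were actually relocated or evaluation fails on a missing path, and the server branch of `secrets` declares neither `mail_password` nor `coturn_secret` although maddy and coturn in this diff read `/run/secrets/mail_password` and `/run/secrets/coturn_secret`. Moving the matterbridge tokens into a `sops.templates` entry with `owner = "matterbridge"` and `config.sops.placeholder.*` instead of a persisted `/etc/matterbridge.toml` is the right direction.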
digikey: ENC[AES256_GCM,data:U1c2HYB/YjwlyHvD3XVTqWJdb9/8BeS6,iv:DNsBoaqgUPdfO9knQLCMeJVO8kctQ9XNvcY2xcpI0NM=,tag:kuJ9BYqVx0GeTBSW5EsItg==,type:str]
cloudflare-dns: ENC[AES256_GCM,data:Gztc/M+r/eRO2DwyLxlIBxS7B7MpOXimbFkQwlYhq9SzGG/fLl6Xqw==,iv:aDyNwbc8EyrNyhucULUkeg7VM7BmqNQTndSTh1SWqq0=,tag:HvysjKquD1g2PCrCgX2swg==,type:str]
dn42: ENC[AES256_GCM,data:xSYssg7ReFjmf7LvmqmH/A==,iv:Gj/LZrxzRJLOLbP5rumjmViYWP6ufW3ocngektBW3V8=,tag:SA4f1vAnMFUO5Yk6NTr81Q==,type:str]
-znc: ENC[AES256_GCM,data:EYB9Gk/oZgU=,iv:zxtAFRKGPhfeanhOP6YiXQujWny6XGFvf2op2NNlo78=,tag:jxGNirhEbyYrZ+S3ZjssxA==,type:str]
-matrix_bridge: ENC[AES256_GCM,data:wkfUpMvpoktkUaFr2BopCRo=,iv:gMdF+nnyl9XeJhGvAUKcfK5mvLytt8DvcPLgxMUtOlg=,tag:v06PRV6rM+4a1E3iW3vjnQ==,type:str]
-znc_password_hash: ENC[AES256_GCM,data:OretCSRPEqXUaaEucDsEgjceyOQ9hNpKU61cnR0ZYt7FWAPO4OVYYs/S1xpC11ZmqAItTYZTCXJUoZEI+uwOgg==,iv:/YQewdQvwuQHx9Ci3Qj8yzSe1ZpvQfJ+/+TSl+7eEEc=,tag:m9y1TCGzzdf4F6nFBFdm5w==,type:str]
-znc_password_salt: ENC[AES256_GCM,data:7hpewfbF0sGAFUahJuHNRhN8MIc=,iv:Gf2UGgEt9Yi+x44Rqy90QtG3dsUy4GX+FCe58YNk3Qs=,tag:q6Wu1bTasXpqoHxGmgJ4Lw==,type:str]
sops:
age:
- recipient: age165ul43e8rc0qwzz2f2q9cw02psm2mkudsrwavq2e0pxs280p64yqy2z0dr
OFFNeEtOTk5FSm9RaDFad0UyeWZ2WDgKIwGoB4a5WAIkE93gzqdUzNlo5vgQ1zLy
yhEFrE1NbhyItnZIg/yRhqFG0dv7D3pEP3pq2Seew6pKJg/s9UTJ8Q==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-09-08T08:02:24Z"
- mac: ENC[AES256_GCM,data:o+eA42aOTNxbNrfOVj4eFDsVyKA+5GBbYwUWVvLxVgEoiHk+M/XUl3lAlAvCP5L65oGK3ZRrKwgOaPzle6FTWj8GsJD906YZcqNhhydKVpax9NIXjkPbSp0Q7kIws0M7Iudf9GZotrLQZTB8jKGLkGfdjQbhJuQAklyZEAuN1q0=,iv:sEiTEyNOUG5SsffY4LM7lFtS8F1pUIjmO/xOCPrE7oo=,tag:41yJ48o/DLjXa9wgvZ1RcQ==,type:str]
+ lastmodified: "2026-02-09T22:27:35Z"
+ mac: ENC[AES256_GCM,data:51iA4W4Sou4OC5pk5oFr9vAbBHDdbiZTi9jiLsSh4/IHx4SDQONc05EoMUsqjidodeAfQCpmvqBFKdVPIaaSZE+0fqyPTs/wjCtbZTAhsH+NTUKn4yU5/HBC3hw2QLz7tCLKgRLhfooHUDQxdFWGMJNB7xSjxdPVcy/1+gngOrE=,iv:TrWBcs/Px2bmh716Jl5xSP/SCXM7akaGrhsC6/pXbQg=,tag:AFqp09TkLkdu903jY5YjEw==,type:str]
unencrypted_suffix: _unencrypted
- version: 3.10.2
+ version: 3.11.0
--- /dev/null
+livekit_secret: ENC[AES256_GCM,data:akkd9OREC024n5NfE/suM0B9SjBdPZbXMnz62Qwy2XNW+HhJw1ixhYoR8PQoR6K0unrAUAFhwWtQp+aJ1i+5q1rdpLV/3povvXYPaGg8EnE=,iv:uMuIfLYT1lvDWY8PYjnWWne7WOd0BBgBJn5mvd9ltAs=,tag:JQlRe5IY4f1RVvsq+56lKQ==,type:str]
+livekit: ENC[AES256_GCM,data:DFWsez5+O7fyI1P/3w8wKj2YpblP+fDR/r4Ry7lLJNnZxiCbT3iS0Rm9lfe3zqZbjHvhpnYtOMPApoegJFEonQ==,iv:SditYIuc+W+AdX4AgKx2j4A4K7FXXHpewcf7KzMB8qY=,tag:EwF9DKf7uGZZKf7kF8RsNg==,type:str]
+znc: ENC[AES256_GCM,data:iFNZ0tgciFU=,iv:oAAqMoov5Nv9AUBILlRpgTLJyu7l1uQshbag0ujewP4=,tag:RXtbn4EEH2523qX9MC0ODA==,type:str]
+conduit_secrets: ENC[AES256_GCM,data:q6r4f275/6JKStX51+5qWozz+5L3UF4gTPaj4TOXskjRSn28cLKuoKix4mpKCqamef3SVU8THmPg3kwF5o4Gbm3XpZLieUyPaGCWxnwEaGZ8V5XaBZE=,iv:vsxezaahD0yCBmg0bAHMQfg9AjB52x/At5AowBTFARs=,tag:AXhgVDcTG7q1K91He7CFJA==,type:str]
+mautrix_env: ENC[AES256_GCM,data:Ab1mRgaXSS3VSB2sBo5AT0KaceubrcbAdomUEArmavbsjdWYQLkXbu8/BEALMTgif6c6+4u0iR3dLbRmmobBXGS03mdcR94MQbuWWH6VmHZ5VpydJQOMSl6FBcbOVgGBBp8srUmjVTLsDFobaZCCQJNfK2J3f2wbJqbDMgoUDb5B2LuElAJAuKABxCgl/isCovZpAKwbl65rK1GzZCDc9Z54o3BKLPH6Wa2K4RHnhnYjRl8HZCd/g4WRTVZh6kMIRluWtqdIVHPXAH0oc80=,iv:USZqyHzLt53mkveDxIUq0Tvyw08sUm+MpgsrjWeDiO8=,tag:4Ftfu3ALM77YnftxLkz/YQ==,type:str]
+matrix_bridge: ENC[AES256_GCM,data:w0BEETuDXVlKLlAs4JIQxMs=,iv:6IBAyKHmPJLqQWZFJD0NVT0rSXuGuAiCV2O6c3bP42o=,tag:oiyMCb4wtyqLIBrfvTirQw==,type:str]
+znc_password_hash: ENC[AES256_GCM,data:ji7qfy8aw5x2UZ5V++VKFHU925Tk2dgv2S90rrzePDhpC824LjqKqCF9Vrk8aNS9qxEB4Om0KVWWjITr1c+gPA==,iv:dX2TXQjQr+Y0y71O6LP13rxJuUz9zECgcPW3czkWmAk=,tag:oBlqoTWJjhaF3gBTUMCNPA==,type:str]
+znc_password_salt: ENC[AES256_GCM,data:e7YZkNB32RiqgCPGoehwsfZzOHM=,iv:GrhwBRBZ1ZSHJOnVg0XF6N5Oh/4tJ4Dvje0NiuGC4b8=,tag:IRjUrpkFBDO2OSu5dMyPSw==,type:str]
+telegram_token: ENC[AES256_GCM,data:hfstqM3NphVnK86LYp8EYe09kflMzQ1/SO5rm5UIkWN7wdl7mbq+sw3svc4YhQ==,iv:o6TbrGBCly0s3US9041cKmpLpThB/umhBEdZE9E3v54=,tag:WJ/KS4Uc9wtIcjpyfmzLfA==,type:str]
+discord_token: ENC[AES256_GCM,data:1mJ0lKTz2SmaP3PIn3ThWX6Mjbv3tywtLtF65SVkkCEtI79wcPeqK83l6jb3yG+ugntNR7lfQxLgbbURnTil3jc7yVOsYreL,iv:ExZ8xFkH6RR7rHATh8oBEEZWfV5Rt1YVEx8gUicQrV0=,tag:wKJ3P8ie/ppHU9VStQlk0Q==,type:str]
+mail_password: ENC[AES256_GCM,data:W24/1l9YrV+M1enkAgRv2uZuhUIYAjpcRkX7tbc=,iv:F8oLCpthhecllJvGSmHUaFgmBKDg/g3o85CPJ/nCcxU=,tag:bPxcZNXdQ/jkK+saaIKbSw==,type:str]
+sops:
+ age:
+ - recipient: age1acpuyy2qnduyxzwvusd8urr6a78e3f37ylhvh2pngyqytf5r8ans5vkest
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKTy9PT2o5eDJ5bXFOdXhE
+ Z0xjNXcwME54N3JtbmJqNm9CYjhQZTNCRlJjCjY1K24ra1RCZTVYRHRWZkwyd1Z6
+ Y0llN2pWRkwrYnZBZFJKWHROUUI1V0EKLS0tIGJBK1ZCOW5oUlRWd2dPV21lbkZs
+ dDZONnI0bG5heTYzaDkxeGo3VlFmdm8K377mvFFxtFSURAWeFvLDJTkm8wppKr/B
+ Y4qrdU3xBaTwqlsC/7lElQClaUbM+YMF/padENsD6IfyoGN8lGUQQw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-02-11T01:17:40Z"
+ mac: ENC[AES256_GCM,data:9z5nlQA2Wjw7kgk+i2BMFIePGRdNbagYZ6fQpdyQQTEERl/TK7E8hozIIo48lmhdqXkjK8Vsgon/lnl2QbLfh8sTlpYGfewUaAzERrxW0JPEeY+JqcTaWO/16SNDd5dcd1aYWZILPcjPnz2/wwI3TMWpQG85lEDSXyLMommNdDc=,iv:uzLQtiZ7AJM/eS8/pLvty9YvErCMpx8xhk/d6jxKouQ=,tag:6ebxZG7BlF4ZxnJpp4QBVg==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.11.0
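Review bot: `vps_secrets.yaml` is encrypted to a single age recipient (`age1acpuyy...`), so only the host holding that key can decrypt or re-encrypt it; editing it from the workstation needs the workstation key as a second recipient (add it to the creation rule for this file and run `sops updatekeys` on it), otherwise every edit has to happen on the VPS. The entries moved here from `secrets.yaml` (`znc`, `matrix_bridge`, `znc_password_hash`, `znc_password_salt`) show new ciphertexts and a new `mac`, which is expected after re-encryption; their old ciphertexts remain in git history encrypted to the primary key, which is fine as long as that key is not considered compromised.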
boot.loader.grub.device = "nodev";
networking = {
+ extraHosts = ''
+ 127.0.0.1 livekit.${config.monorepo.vars.orgHost}
+ 127.0.0.1 matrix.${config.monorepo.vars.orgHost}
+ '';
interfaces.ens3.ipv4.addresses = [
{
address = ipv4addr;
}
];
defaultGateway = "66.42.84.1";
- firewall.allowedTCPPorts = [
- 80
- 143
- 443
- 465
- 587
- 993
- 6697
- 6667
- 8448
- ];
+ firewall = {
+ allowedTCPPorts = [
+ 80
+ 143
+ 443
+ 465
+ 587
+ 993
+ 3478
+ 5349
+ 6697
+ 6667
+ 7881
+ 8443
+ 8448
+ ];
+ allowedUDPPorts = [
+ 3478 5349 7882
+ ];
+ allowedUDPPortRanges = [
+ { from = 49152; to = 65535; }
+ ];
+ };
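Review bot: the firewall opens TURN (3478 and 5349, TCP and UDP) and the full `49152-65535` UDP relay range, but `services.coturn.enable = false` in this same change, so these are open with no listener and will be forgotten when coturn is eventually enabled with possibly different `min-port`/`max-port` values; gate the TURN entries on `config.services.coturn.enable` and derive the range from the coturn options so firewall and service cannot drift. 7881/TCP and 7882/UDP are the LiveKit RTC ports and 8443 is the new JWT-service vhost, matching the nginx changes. The `extraHosts` entries pin `livekit.<orgHost>` and `matrix.<orgHost>` to 127.0.0.1 on the VPS itself, so local services reach them through nginx on loopback; that is fine, just note it bypasses DNS for those names on this host.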
domains = {
enable = true;
baseDomains = {
};
subDomains = {
"${config.monorepo.vars.remoteHost}" = {};
+ "notes.${config.monorepo.vars.remoteHost}" = {
+ a.data = "45.76.87.125";
+ };
"matrix.${config.monorepo.vars.remoteHost}" = {};
"www.${config.monorepo.vars.remoteHost}" = {};
- "mail.${config.monorepo.vars.remoteHost}" = {
- mx.data = "10 mail.${config.monorepo.vars.remoteHost}.";
- };
+ "mail.${config.monorepo.vars.remoteHost}" = {};
+ "livekit.${config.monorepo.vars.orgHost}" = {};
"${config.monorepo.vars.orgHost}" = {};
"git.${config.monorepo.vars.orgHost}" = {};
"matrix.${config.monorepo.vars.orgHost}" = {};
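Review bot: `notes.<remoteHost>` hardcodes `a.data = "45.76.87.125"` while the interface config above uses the `ipv4addr` binding; reuse the binding if this is the same host, and say in a comment which machine it is if not. The MX record for `mail.<remoteHost>` is deleted and maddy's `primaryDomain` moves to `mail.<orgHost>` in this diff, but no MX or `mail.<orgHost>` A record is added under the `<orgHost>` zone here, so inbound mail for orgHost has no route until that record exists; add the SPF and DMARC TXT records alongside it when you do.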