From: Preston Pan Date: Wed, 11 Feb 2026 22:43:01 +0000 (-0800) Subject: add vps stuff; fix internet issues plauging my devices X-Git-Url: https://ret2pop.net/gitweb/?a=commitdiff_plain;h=6a4f95482fa2c0faeafa028eae164d00c6418ac3;p=monorepo.git add vps stuff; fix internet issues plauging my devices --- diff --git a/config/elfeed.org b/config/elfeed.org index 8d02331..b659f8e 100644 --- a/config/elfeed.org +++ b/config/elfeed.org @@ -20,6 +20,8 @@ Credibility: misreported on ER EPR correspondence *** [[https://notrelated.xyz/rss][Not Related]] :lukesmith: This is a podcast by Luke Smith that talks about anything that he wants to. ** Forums :forum: +*** [[http://lesserwrong.com/feed.xml][LessWrong]] +The birthplace of bay area rationalism. ** Science Journals :journal: I like to get new information about recent studies related to technology. *** [[http://www.nature.com/nmat/current_issue/rss/][Nature]] 
@@ -34,8 +36,14 @@ This is a list of NASA feeds: These are YouTube channels that I find interesting enough to keep up with. Note that I keep up with a variety of thinkers that I may or may not disagree with, but they are nonetheless the most intellectual version of what their general cohort say: +*** [[https://youtube.com/feeds/videos.xml?channel_id=UCFQMnBA3CS502aghlcr0_aw][CoffeeZilla]] +Exposes scams. +*** [[https://youtube.com/feeds/videos.xml?channel_id=UC28n0tlcNSa1iPe5mettocg][VoidZilla]] +Extras from coffezilla channel. *** [[https://youtube.com/feeds/videos.xml?channel_id=UCKGCof63C6pLCFT4R6YPEtQ][Jred]] This youtube channel is about existential dread apparently. I don't have such a thing but it's fun to watch anyways. +*** [[https://youtube.com/feeds/videos.xml?channel_id=UC1qIX2Ya5ErOrU9tv0GVUAw][CyberYamu]] +A channel about the daily experience of a schizotypal girl. *** [[https://youtube.com/feeds/videos.xml?channel_id=UCwVevVbti5Uuxj6Mkl5NHRA][Lemonade Stand]] Podcast channel that talks about modern day economics. *** [[https://youtube.com/feeds/videos.xml?channel_id=UCSHZKyawb77ixDdsGog4iWA][Lex Fridman]] diff --git a/config/nix.org b/config/nix.org index 5ca3321..d0643cf 100644 --- a/config/nix.org +++ b/config/nix.org 
@@ -214,13 +214,19 @@ with mkDiskoFiles. In order to use the sops configuration, you must change the age public key to the one that you own: #+begin_src yaml :tangle ../nix/.sops.yaml -keys: - - &primary age165ul43e8rc0qwzz2f2q9cw02psm2mkudsrwavq2e0pxs280p64yqy2z0dr -creation_rules: - - path_regex: secrets/secrets.yaml$ - key_groups: - - age: - - *primary + keys: + - &primary age165ul43e8rc0qwzz2f2q9cw02psm2mkudsrwavq2e0pxs280p64yqy2z0dr + - &vps age1acpuyy2qnduyxzwvusd8urr6a78e3f37ylhvh2pngyqytf5r8ans5vkest + creation_rules: + - path_regex: secrets/secrets.yaml$ + key_groups: + - age: + - *primary + + - path_regex: secrets/vps_secrets.yaml$ + key_groups: + - age: + - *vps #+end_src also note that you will have to write your own secrets.yaml file, with an entry called ~mail~, which is used for the imaps and smtps password. 
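Review bot: The new `secrets/vps_secrets.yaml$` rule lists only `*vps` in its key group, so the workstation that holds the `primary` key cannot decrypt or re-encrypt that file without a copy of the VPS private key. If editing is meant to happen on the workstation, add the primary recipient to that rule as well (`- age:` / `- *vps` / `- *primary`) so the VPS key never has to leave the VPS. The same rule is repeated verbatim in the tangled nix/.sops.yaml hunk at L18.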
@@ -453,6 +459,115 @@ under ~default.nix~ in the ~systems~ folder. }; } #+end_src +** Secrets +This uses sops in order to declaratively create the secrets on my system by unencrypting +the yaml file specified. Yes, this is safe to include in the repo. +#+begin_src nix :tangle ../nix/modules/secrets.nix + { config, ... }: + { + sops = { + defaultSopsFile = if config.monorepo.profiles.server.enable + then ../secrets/vps_secrets.yaml + else ../secrets/secrets.yaml; + + + templates = if config.monorepo.profiles.server.enable then { + "matterbridge" = { + owner = "matterbridge"; + content = '' + [irc.myirc] + Server="127.0.0.1:6667" + Nick="bridge" + RemoteNickFormat="[{PROTOCOL}] <{NICK}> " + UseTLS=false + + [telegram.mytelegram] + Token="${config.sops.placeholder.telegram_token}" + RemoteNickFormat="<({PROTOCOL}){NICK}> " + MessageFormat="HTMLNick :" + QuoteFormat="{MESSAGE} (re @{QUOTENICK}: {QUOTEMESSAGE})" + QuoteLengthLimit=46 + IgnoreMessages="^/" + + [discord.mydiscord] + Token="${config.sops.placeholder.discord_token}" + Server="Null Identity" + AutoWebHooks=true + RemoteNickFormat="[{PROTOCOL}] <{NICK}> " + PreserveThreading=true + + [[gateway]] + name="gateway1" + enable=true + + [[gateway.inout]] + account="irc.myirc" + channel="#nullring" + + [[gateway.inout]] + account="discord.mydiscord" + channel="ID:996282946879242262" + + [[gateway.inout]] + account="telegram.mytelegram" + channel="-5290629325" + ''; + }; + } else {}; + + age = { + keyFile = "/home/${config.monorepo.vars.userName}/.config/sops/age/keys.txt"; + }; + + secrets = if ! 
config.monorepo.profiles.server.enable then { + mail = { + format = "yaml"; + }; + cloudflare-dns = { + format = "yaml"; + }; + digikey = { + format = "yaml"; + }; + dn42 = { + format = "yaml"; + }; + } else { + znc = { + format = "yaml"; + }; + znc_password_salt = { + format = "yaml"; + }; + znc_password_hash = { + format = "yaml"; + }; + matrix_bridge = { + format = "yaml"; + }; + livekit_secret = { + format = "yaml"; + mode = "0444"; + }; + livekit = { + format = "yaml"; + }; + conduit_secrets = { + format = "yaml"; + }; + mautrix_env = { + format = "yaml"; + }; + telegram_token = { + format = "yaml"; + }; + discord_token = { + format = "yaml"; + }; + }; + }; + } +#+end_src ** X11 My Xorg configuration is used as a backup for when wayland applications don't work. Note that using this configuration is extremely inefficient and my i3 configuration is unoptimized. @@ -492,18 +607,18 @@ In order to run docker/podman containers, I need this file: #+begin_src nix :tangle ../nix/modules/docker.nix { lib, config, vars, ... }: { - virtualisation = { - oci-containers = { - backend = "podman"; - containers = {}; - }; - containers.enable = true; - podman = { - enable = true; - dockerCompat = true; - defaultNetwork.settings.dns_enabled = true; - }; - }; + # virtualisation = { + # oci-containers = { + # backend = "podman"; + # containers = {}; + # }; + # containers.enable = true; + # podman = { + # enable = true; + # dockerCompat = true; + # defaultNetwork.settings.dns_enabled = true; + # }; + # }; } #+end_src ** Pipewire 
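Review bot: `livekit_secret` is declared with `mode = "0444"`, which makes the LiveKit API key readable by every local account on the host rather than only the services that need it; since this commit also creates a `livekit` system user, `owner = "livekit";` with the default mode, or a shared group plus `mode = "0440";` if lk-jwt-service runs as a different user, scopes it correctly. The system-level `age.keyFile` also points into the unprivileged user's home (`/home/${config.monorepo.vars.userName}/.config/sops/age/keys.txt`), so the key that unlocks every host secret is only as protected as that account and its home directory; a root-owned path outside /home is the safer place for the host key, with the home-manager module keeping its own. Several secret paths used elsewhere in this commit (`coturn_secret`, `mail_password`, `ntfy`) have no entry in either list here.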
@@ -621,22 +736,6 @@ distribution soon, and I'm waiting on that. }; } #+end_src -** TODO Murmur -#+begin_src nix :tangle ../nix/modules/murmur.nix - { lib, config, ... }: - { - services.murmur = { - enable = lib.mkDefault config.monorepo.profiles.server.enable; - openFirewall = true; - hostName = "0.0.0.0"; - welcometext = "Wecome to the Null Murmur instance!"; - registerName = "nullring"; - registerHostname = "${config.monorepo.vars.orgHost}"; - sslCert = "/var/lib/acme/${config.monorepo.vars.orgHost}/fullchain.pem"; - sslKey = "/var/lib/acme/${config.monorepo.vars.orgHost}/sslKey.pem"; - }; - } -#+end_src ** TODO i2pd I use i2p for some p2p connections. We enable it with the server profile: #+begin_src nix :tangle ../nix/modules/i2pd.nix @@ -771,12 +870,14 @@ Note that the password hash and whatnot is completely random so there is almost no point to cracking it with hashcat. ** Conduit This is a modern matrix server that is meant to be lightweight while -still federating and hosting the same protocol. +still federating and hosting the same protocol. There is also a configuration +for lk-jwt which is important for configuring p2p calls in matrix. #+begin_src nix :tangle ../nix/modules/conduit.nix { config, lib, ... }: { services.matrix-conduit = { enable = lib.mkDefault config.monorepo.profiles.server.enable; + secretFile = "/run/secrets/conduit_secrets"; settings.global = { server_name = "matrix.${config.monorepo.vars.orgHost}"; trusted_servers = [ 
@@ -789,17 +890,48 @@ still federating and hosting the same protocol. allow_registration = false; }; }; + services.lk-jwt-service = { + enable = lib.mkDefault config.monorepo.profiles.server.enable; + port = 6495; + livekitUrl = "wss://livekit.nullring.xyz"; + keyFile = "/run/secrets/livekit_secret"; + }; + services.livekit = { + enable = lib.mkDefault config.monorepo.profiles.server.enable; + keyFile = "/run/secrets/livekit_secret"; + settings = { + port = 7880; + turn = { + enabled = true; + domain = "livekit.${config.monorepo.vars.orgHost}"; + cert_file = "/var/lib/acme/livekit.${config.monorepo.vars.orgHost}/fullchain.pem"; + key_file = "/var/lib/acme/livekit.${config.monorepo.vars.orgHost}/key.pem"; + tls_port = 5349; + udp_port = 3478; + }; + + rtc = { + use_external_ip = true; + tcp_port = 7881; + udp_port = 7882; + port_range_start = 50000; + port_range_end = 60000; + }; + }; + }; } #+end_src -** Honk -In order to connect to activitypub: -#+begin_src nix :tangle ../nix/modules/honk.nix +** Coturn +This is important for p2p calls in matrix as well. +#+begin_src nix :tangle ../nix/modules/coturn.nix { lib, config, ... }: { - services.honk = { - enable = config.monorepo.vars.ttyonly; - servername = "ret2pop.net"; - username = "ret2pop"; + services.coturn = { + enable = false; + use-auth-secret = true; + listening-ips = [ "0.0.0.0" ]; + cert = "/var/lib/acme/matrix.${config.monorepo.vars.orgHost}/fullchain.pem"; + static-auth-secret-file = "/run/secrets/coturn_secret"; }; } #+end_src @@ -810,7 +942,7 @@ I want to connect IRC to discord with matterbridge. { services.matterbridge = { enable = lib.mkDefault config.monorepo.profiles.server.enable; - configPath = "/etc/matterbridge.toml"; + configPath = "${config.sops.templates.matterbridge.path}"; }; } #+end_src 
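Review bot: `livekitUrl = "wss://livekit.nullring.xyz"` in `services.lk-jwt-service` hardcodes the domain while every neighbouring value derives it from `${config.monorepo.vars.orgHost}`; `livekitUrl = "wss://livekit.${config.monorepo.vars.orgHost}";` keeps them in step. In the Coturn block, `static-auth-secret-file = "/run/secrets/coturn_secret"` names a secret that the new secrets.nix in this commit does not declare, so flipping `enable = false` to true later will fail until a `coturn_secret` entry (with an owner coturn can read) is added. The tangled nix/modules/conduit.nix hunk at L19 repeats the hardcoded URL.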
@@ -823,7 +955,7 @@ does not support conduit at the moment. Note that this is not fully declarative { services.mautrix-discord = { enable = lib.mkDefault config.monorepo.profiles.server.enable; - environmentFile = "/etc/mautrix"; + environmentFile = "/run/secrets/mautrix_env"; settings = { bridge = { animated_sticker = { @@ -1015,22 +1147,35 @@ I run my own git server in order to have a mirror in case github goes down. }; } #+end_src +** TODO Ntfy +#+begin_src nix :tangle ../nix/modules/ntfy-sh.nix + { lib, config, ... }: + { + services.ntfy-sh = { + # enable = lib.mkDefault config.monorepo.profiles.server.enable; + enable = false; + settings = { + base-url = "https://ntfy.${config.monorepo.vars.remoteHost}"; + listen-http = "127.0.0.1:2586"; + envrionmentFile = "/run/secrets/ntfy"; + }; + }; + } +#+end_src ** Nginx These are all my virtual hosts. For many of these servers we have to have a reverse proxy in order to expose the locally running instances to the outside world under a domain. #+begin_src nix :tangle ../nix/modules/nginx.nix - { config, lib, services, ... }: + { config, lib, ... }: { services.nginx = { enable = lib.mkDefault config.monorepo.profiles.server.enable; user = "nginx"; - # Use recommended settings recommendedGzipSettings = true; recommendedOptimisation = true; - recommendedProxySettings = true; recommendedTlsSettings = true; - appendHttpConfig = ''''; + recommendedProxySettings = false; gitweb = { enable = true; @@ -1051,7 +1196,8 @@ to the outside world under a domain. addr = "[::]"; port = 443; ssl = true; - } { + } + { addr = "0.0.0.0"; port = 8448; ssl = true; 
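Review bot: `envrionmentFile` in the Ntfy block is misspelled, and it sits inside `settings`, so it would be written into ntfy's own config as an unknown key rather than handing the service an environment file; the intended line is presumably `environmentFile = "/run/secrets/ntfy";` at the `services.ntfy-sh` level, and `/run/secrets/ntfy` is not declared in the new secrets.nix either. The block is currently disabled (`enable = false`), so this only surfaces when it is switched on.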
@@ -1070,11 +1216,102 @@ to the outside world under a domain. proxy_read_timeout 5m; ''; }; + locations."= /.well-known/matrix/server" = { + extraConfig = '' + add_header Content-Type application/json; + add_header Access-Control-Allow-Origin *; + ''; + + return = ''200 '{"m.server": "matrix.nullring.xyz:443"}' ''; + }; + locations."/.well-known/matrix/client" = { + extraConfig = '' + default_type application/json; + add_header Access-Control-Allow-Origin *; + ''; + + return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.${config.monorepo.vars.orgHost}\"}, \"org.matrix.msc4143.rtc_foci\": [{\"type\": \"livekit\", \"livekit_service_url\": \"https://matrix.${config.monorepo.vars.orgHost}:8443\"}]}'"; + }; extraConfig = '' merge_slashes off; ''; }; + + "matrix.${config.monorepo.vars.orgHost}-livekit" = { + serverName = "matrix.${config.monorepo.vars.orgHost}"; + listen = [ + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + } + { + addr = "[::]"; + port = 8443; + ssl = true; + } + ]; + addSSL = true; + enableACME = false; + forceSSL = false; + useACMEHost = "matrix.${config.monorepo.vars.orgHost}"; + + locations."/" = { + proxyPass = "http://127.0.0.1:6495"; + proxyWebsockets = true; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + ''; + }; + }; + + "livekit.${config.monorepo.vars.orgHost}" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:7880"; + proxyWebsockets = true; + extraConfig = '' + proxy_read_timeout 3600s; + proxy_send_timeout 3600s; + + # Standard headers for LiveKit + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + # proxy_set_header Upgrade $http_upgrade; + # proxy_set_header Connection "upgrade"; + + # --- 
CORS CONFIGURATION START --- + # 1. Allow all origins (including app.element.io) + add_header 'Access-Control-Allow-Origin' '*' always; + + # 2. Allow specific methods (POST is required for /sfu/get) + add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE' always; + + # 3. Allow headers (Content-Type is crucial for JSON) + add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always; + + # 4. Handle the OPTIONS preflight request immediately + if ($request_method = 'OPTIONS') { + add_header 'Access-Control-Allow-Origin' '*' always; + add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE' always; + add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always; + add_header 'Access-Control-Max-Age' 1728000; + add_header 'Content-Type' 'text/plain; charset=utf-8'; + add_header 'Content-Length' 0; + return 204; + } + # --- CORS CONFIGURATION END --- + ''; + }; + }; + "${config.monorepo.vars.remoteHost}" = { serverName = "${config.monorepo.vars.remoteHost}"; serverAliases = [ "${config.monorepo.vars.internetName}.${config.monorepo.vars.orgHost}" ]; @@ -1090,8 +1327,8 @@ to the outside world under a domain. enableACME = true; }; - "mail.${config.monorepo.vars.remoteHost}" = { - serverName = "mail.${config.monorepo.vars.remoteHost}"; + "mail.${config.monorepo.vars.orgHost}" = { + serverName = "mail.${config.monorepo.vars.orgHost}"; root = "/var/www/dummy"; addSSL = true; enableACME = true; @@ -1107,8 +1344,11 @@ world. This was the easiest frontend to set up on NixOS. { lib, config, ... }: { services.gitweb = { - gitwebTheme = true; + gitwebTheme = lib.mkDefault config.monorepo.profiles.server.enable; projectroot = "/srv/git/"; + extraConfig = '' + our $export_ok = "git-daemon-export-ok"; + ''; }; } #+end_src 
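Review bot: The `.well-known/matrix/server` response hardcodes `matrix.nullring.xyz:443`, while the `.well-known/matrix/client` body and the matrix vhosts themselves derive the host from `${config.monorepo.vars.orgHost}`; on any host where those differ, federation delegation silently points at the wrong server. `return = ''200 '{"m.server": "matrix.${config.monorepo.vars.orgHost}:443"}' '';` keeps the two endpoints consistent. This hunk begins on the previous source line; the livekit vhost's upstream ports otherwise match what conduit.nix configures.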
@@ -1131,9 +1371,9 @@ I have an Nvidia GPU on my computer. enable = lib.mkDefault config.monorepo.profiles.cuda.enable; finegrained = false; }; - nvidiaSettings = lib.mkDefault config.monorepo.profiles.cuda.enable; open = config.monorepo.profiles.cuda.enable; package = config.boot.kernelPackages.nvidiaPackages.stable; + nvidiaSettings = false; }; }; } @@ -1159,20 +1399,27 @@ I need CUDA on some computers because I run local LLMs. enable = lib.mkDefault config.monorepo.profiles.server.enable; openFirewall = true; hostName = "${config.monorepo.vars.remoteHost}"; - primaryDomain = "mail.${config.monorepo.vars.remoteHost}"; + primaryDomain = "mail.${config.monorepo.vars.orgHost}"; tls = { - loader = "acme"; + certificates = [ + { + keyPath = "/var/lib/acme/mail.${config.monorepo.vars.orgHost}/key.pem"; + certPath = "/var/lib/acme/mail.${config.monorepo.vars.orgHost}/fullchain.pem"; + } + ]; }; config = builtins.replaceStrings [ "imap tcp://0.0.0.0:143" "submission tcp://0.0.0.0:587" + "smtp tcp://0.0.0.0:25" ] [ "imap tls://0.0.0.0:993 tcp://0.0.0.0:143" "submission tls://0.0.0.0:465 tcp://0.0.0.0:587" + "smtps tls://0.0.0.0:465 smtp tcp://0.0.0.0:25" ] options.services.maddy.config.default; ensureCredentials = { "${config.monorepo.vars.userName}@localhost" = { - passwordFile = "/secrets/${config.monorepo.vars.userName}-localhost"; + passwordFile = "/run/secrets/mail_password"; }; }; }; @@ -1242,7 +1489,6 @@ This is my impermanence profile, which removes all files on reboot except for th ]; files = [ "/etc/machine-id" - "/etc/matterbridge.toml" { file = "/var/keys/secret_file"; parentDirectory = { mode = "u=rwx,g=,o="; }; } ]; users."${config.monorepo.vars.userName}" = { @@ -1300,6 +1546,7 @@ because they enhance security. ./nvidia.nix ./cuda.nix ./nginx.nix + ./secrets.nix ./git-daemon.nix ./ollama.nix ./i2pd.nix 
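Review bot: `passwordFile = "/run/secrets/mail_password"` in the maddy block references a secret that the server-side list in the new secrets.nix does not declare (it has znc, livekit, conduit, mautrix, telegram and discord entries but no `mail_password`), so on a server-profile host `ensureCredentials` would point at a file sops-nix never creates. Add a `mail_password = { format = "yaml"; };` entry with an owner the maddy service can read. Also confirm maddy can read `/var/lib/acme/mail.${config.monorepo.vars.orgHost}/key.pem` now that `tls.certificates` replaces the acme loader — this commit grants the `acme` group to ngircd and livekit but not to maddy.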
@@ -1311,8 +1558,13 @@ because they enhance security. ./znc.nix ./docker.nix ./impermanence.nix + ./coturn.nix ]; + environment.etc."wpa_supplicant.conf".text = '' + country=CA + ''; + documentation = { enable = lib.mkDefault config.monorepo.profiles.documentation.enable; man.enable = lib.mkDefault config.monorepo.profiles.documentation.enable; @@ -1349,6 +1601,13 @@ because they enhance security. }; extraModprobeConfig = '' options snd-usb-audio vid=0x1235 pid=0x8200 device_setup=1 + options rtw88_core disable_lps_deep=y power_save=0 disable_aspm_l1ss=y + options rtw88_pci disable_msi=y disable_aspm=y + options rtw_core disable_lps_deep=y + options rtw_pci disable_msi=y disable_aspm=y + options rtw89_core disable_ps_mode=y + options rtw89_pci disable_aspm_l1=y disable_aspm_l1ss=y disable_clkreq=y + options iwlwifi 11n_disable=8 uapsd_disable=1 bt_coex_active=0 disable_11ax=1 power_save=0 ''; extraModulePackages = [ ]; @@ -1386,7 +1645,10 @@ because they enhance security. ]; kernelParams = [ + "cfg80211.reg_alpha2=CA" "usbcore.autosuspend=-1" + "pcie_aspm=off" + "pci=noaer" # "debugfs=off" "page_alloc.shuffle=1" "slab_nomerge" @@ -1458,14 +1720,15 @@ because they enhance security. "kernel.perf_event_paranoid" = 3; # net + "net.ipv4.ip_forward" = 1; "net.ipv4.icmp_echo_ignore_broadcasts" = true; - "net.ipv4.conf.all.accept_redirects" = false; - "net.ipv4.conf.all.secure_redirects" = false; - "net.ipv4.conf.default.accept_redirects" = false; - "net.ipv4.conf.default.secure_redirects" = false; - "net.ipv6.conf.all.accept_redirects" = false; - "net.ipv6.conf.default.accept_redirects" = false; + # "net.ipv4.conf.all.accept_redirects" = false; + # "net.ipv4.conf.all.secure_redirects" = false; + # "net.ipv4.conf.default.accept_redirects" = false; + # "net.ipv4.conf.default.secure_redirects" = false; + # "net.ipv6.conf.all.accept_redirects" = false; + # "net.ipv6.conf.default.accept_redirects" = false; }; }; 
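Review bot: Commenting out the six `accept_redirects`/`secure_redirects = false` entries and adding `"net.ipv4.ip_forward" = 1` weakens a section the surrounding text describes as enhancing security: the kernel will again honour ICMP redirects from any on-link peer, and hosts using this module will forward packets between interfaces regardless of whether a firewall rule expects it. The Wi-Fi fixes in this commit live in the modprobe options and kernel params, so the redirect sysctls seem unlikely to have been involved; restoring at least `"net.ipv4.conf.all.accept_redirects" = false;` and `"net.ipv6.conf.all.accept_redirects" = false;`, and enabling forwarding only on the hosts that need it, keeps the hardening. The same change is duplicated in the tangled nix/modules/configuration.nix hunk at L20.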
@@ -1474,40 +1737,42 @@ because they enhance security. dhcpcd.enable = (! config.monorepo.profiles.server.enable); networkmanager = { enable = true; - wifi.powersave = false; + wifi = { + powersave = false; + }; ensureProfiles = { - profiles = { - home-wifi = { - connection = { - id = "home-wifi"; - permissions = ""; - type = "wifi"; - }; - ipv4 = { - dns-search = ""; - method = "auto"; - }; - ipv6 = { - addr-gen-mode = "stable-privacy"; - dns-search = ""; - method = "auto"; - }; - wifi = { - mac-address-blacklist = ""; - mode = "infrastructure"; - ssid = "TELUS6572"; - }; - wifi-security = { - auth-alg = "open"; - key-mgmt = "wpa-psk"; - # when someone actually steals my internet then I will be concerned. - # This password only matters if you actually show up to my house in real life. - # That would perhaps allow for some nasty networking related shenanigans. - # I guess we'll cross that bridge when I get there. - psk = "b4xnrv6cG6GX"; - }; - }; - }; + # profiles = { + # home-wifi = { + # connection = { + # id = "TELUS6572"; + # permissions = ""; + # type = "wifi"; + # }; + # ipv4 = { + # dns-search = ""; + # method = "auto"; + # }; + # ipv6 = { + # addr-gen-mode = "stable-privacy"; + # dns-search = ""; + # method = "auto"; + # }; + # wifi = { + # mac-address-blacklist = ""; + # mode = "infrastructure"; + # ssid = "TELUS6572"; + # }; + # wifi-security = { + # auth-alg = "open"; + # key-mgmt = "wpa-psk"; + # # when someone actually steals my internet then I will be concerned. + # # This password only matters if you actually show up to my house in real life. + # # That would perhaps allow for some nasty networking related shenanigans. + # # I guess we'll cross that bridge when I get there. + # psk = "b4xnrv6cG6GX"; + # }; + # }; + # }; }; }; firewall = { 
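Review bot: Commenting out the `home-wifi` profile leaves `psk = "b4xnrv6cG6GX"` and the SSID in the file (and in git history on a public gitweb), so the passphrase is still disclosed; the literal should be removed from the source and the network passphrase rotated. Since this commit already wires up sops, the profile can stay declarative by referencing the PSK from a secret through `ensureProfiles.environmentFiles` and a `$VARIABLE` placeholder instead of a literal. The tangled nix/modules/configuration.nix hunk at L21 carries the same commented-out block.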
@@ -1517,6 +1782,7 @@ because they enhance security. }; hardware = { + wirelessRegulatoryDatabase = true; enableAllFirmware = true; cpu.intel.updateMicrocode = true; graphics.enable = ! config.monorepo.profiles.ttyonly.enable; @@ -1634,6 +1900,8 @@ because they enhance security. restic sbctl git + git-lfs + git-lfs-transfer vim curl nmap @@ -1652,14 +1920,25 @@ because they enhance security. users.groups.git = lib.mkDefault {}; users.groups.ircd = lib.mkDefault {}; users.groups.ngircd = lib.mkDefault {}; + users.groups.conduit = lib.mkDefault {}; + users.groups.livekit = lib.mkDefault {}; + users.groups.matterbridge = lib.mkDefault {}; users.users = { - + matterbridge = { + isSystemUser = lib.mkDefault true; + group = "matterbridge"; + }; ngircd = { isSystemUser = lib.mkDefault true; group = "ngircd"; extraGroups = [ "acme" "nginx" ]; }; + livekit = { + isSystemUser = lib.mkDefault true; + group = "livekit"; + extraGroups = [ "acme" "nginx" ]; + }; ircd = { isSystemUser = lib.mkDefault true; @@ -1682,7 +1961,7 @@ because they enhance security. git = { isSystemUser = true; home = "/srv/git"; - shell = "${pkgs.git}/bin/git-shell"; + shell = "/bin/sh"; group = "git"; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICts6+MQiMwpA+DfFQxjIN214Jn0pCw/2BDvOzPhR/H2 preston@continuity-dell" @@ -1693,6 +1972,7 @@ because they enhance security. "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICts6+MQiMwpA+DfFQxjIN214Jn0pCw/2BDvOzPhR/H2 preston@continuity-dell" ]; + linger = true; initialPassword = "${config.monorepo.vars.userName}"; isNormalUser = true; description = config.monorepo.vars.fullName; @@ -1709,6 +1989,9 @@ because they enhance security. nix = { settings = { + keep-outputs = true; + keep-derivations = true; + auto-optimise-store = true; max-jobs = 4; cores = 0; substituters = [ 
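Review bot: Changing the `git` account's shell from `git-shell` to `/bin/sh` removes the restriction that limited holders of the listed SSH keys to git transport commands; any key authorised for that account now gets a full shell on the server. If the change was made so that `git-lfs-transfer` can be invoked over SSH, git-shell will execute extra commands placed in `$HOME/git-shell-commands/` (here `/srv/git/git-shell-commands/git-lfs-transfer`), which keeps the restricted shell while enabling LFS; restoring `shell = "${pkgs.git}/bin/git-shell";` and adding that command is the safer route. The tangled nix/modules/configuration.nix hunk at L22 makes the same shell change.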
@@ -1720,6 +2003,7 @@ because they enhance security. experimental-features = "nix-command flakes ca-derivations"; trusted-users = [ "@wheel" ]; }; + gc.automatic = true; }; time.timeZone = config.monorepo.vars.timeZone; i18n.defaultLocale = "en_CA.UTF-8"; @@ -1905,7 +2189,6 @@ I have many imports that we'll go through next. sops-nix.homeManagerModules.sops ../vars.nix ./fcitx.nix - ./secrets.nix ./emacs.nix ./firefox.nix ./git.nix @@ -1923,6 +2206,7 @@ I have many imports that we'll go through next. ./mako.nix ./user.nix ./gtk.nix + ./secrets.nix ]; options = { @@ -2121,6 +2405,43 @@ I have many imports that we'll go through next. }; } #+end_src +*** Secrets +#+begin_src nix :tangle ../nix/modules/home/secrets.nix + { config, ... }: + { + sops = { + defaultSopsFile = if config.monorepo.profiles.graphics.enable + then ../../secrets/secrets.yaml + else ../../secrets/vps_secrets.yaml; + + age = { + keyFile = "/home/${config.monorepo.vars.userName}/.config/sops/age/keys.txt"; + }; + + secrets = if config.monorepo.profiles.graphics.enable then { + mail = { + format = "yaml"; + path = "${config.sops.defaultSymlinkPath}/mail"; + }; + cloudflare-dns = { + format = "yaml"; + path = "${config.sops.defaultSymlinkPath}/cloudflare-dns"; + }; + digikey = { + format = "yaml"; + path = "${config.sops.defaultSymlinkPath}/digikey"; + }; + dn42 = { + format = "yaml"; + path = "${config.sops.defaultSymlinkPath}/dn42"; + }; + } else { + }; + defaultSymlinkPath = "/run/user/1000/secrets"; + defaultSecretsMountPoint = "/run/user/1000/secrets.d"; + }; + } +#+end_src *** Firefox I conditionally enable metamask based on the cryptocurrency option. Everything else here should be straightforward. @@ -2129,7 +2450,7 @@ be straightforward. { programs.firefox = { enable = lib.mkDefault config.monorepo.profiles.graphics.enable; - package = pkgs.firefox-bin; + package = pkgs.firefox; policies = { EnableTrackingProtection = true; OfferToSaveLogins = false; 
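Review bot: The home-manager `defaultSopsFile` is chosen by `config.monorepo.profiles.graphics.enable`, whereas the system module added earlier in this commit selects by `config.monorepo.profiles.server.enable`; a host with neither profile (a tty-only workstation, judging by the `ttyonly` profile referenced elsewhere in this file) would have home-manager pick `vps_secrets.yaml` while the system picks `secrets.yaml`, and one of the two cannot be decrypted with that host's age key. Keying both modules on the same predicate, e.g. `defaultSopsFile = if config.monorepo.profiles.server.enable then ../../secrets/vps_secrets.yaml else ../../secrets/secrets.yaml;`, avoids the mismatch. The hardcoded `/run/user/1000` paths also assume the user's uid is 1000.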
@@ -2497,6 +2818,7 @@ as an org file which gets automatically tangled to an emacs-lisp file. epkgs.solidity-flycheck epkgs.solidity-mode epkgs.sudo-edit + epkgs.telega epkgs.treemacs epkgs.treemacs-evil epkgs.treemacs-magit @@ -2553,6 +2875,7 @@ Make sure those are set correctly. I've set it to sign by default. { programs.git = { enable = lib.mkDefault config.monorepo.profiles.graphics.enable; + lfs.enable = lib.mkDefault config.monorepo.profiles.graphics.enable; userName = config.monorepo.vars.fullName; userEmail = config.monorepo.profiles.email.email; signing = { @@ -2941,19 +3264,20 @@ in the ~~/music~ directory and then run ~mpc add /~ afterwards. always_on "yes" # prevent MPD from disconnecting all listeners when playback is stopped. tags "yes" # httpd supports sending tags to listening streams. } + audio_output { - type "shout" - encoding "ogg" - name "my cool stream" - host "localhost" - port "8000" - mount "/example.ogg" - user "source" - password "" - - bitrate "64" - format "44100:16:1" - description "Nullring public radio" + type "shout" + name "My VPS Stream" + host "127.0.0.1" + port "8888" # This must match your SSH tunnel local port + mount "/stream" # The URL path (e.g. http://vps:8000/stream) + password "SuperSecretSourcePass" + bitrate "128" + format "44100:16:2" + protocol "icecast2" # Essential for modern Icecast + user "source" # Default icecast source user + description "My MPD Stream" + genre "Mixed" } ''; }; 
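Review bot: `password "SuperSecretSourcePass"` commits a plaintext Icecast source password to a public repo and tangles it into the MPD config; if it is a real value it should be rotated, and if it is a placeholder it should be an obvious one with a comment pointing at where the real value lives. If the installed MPD supports the `include` config directive, the `audio_output` block can be pulled from a sops-managed file instead of being inlined here. The inline comments also disagree with the values (`port "8888"` versus the example URL `http://vps:8000/stream`).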
@@ -3004,58 +3328,6 @@ here: }; } #+end_src -*** Secrets -This uses sops in order to declaratively create the secrets on my system by unencrypting -the yaml file specified. Yes, this is safe to include in the repo. -#+begin_src nix :tangle ../nix/modules/home/secrets.nix - { config, ... }: - { - sops = { - defaultSopsFile = ../../secrets/secrets.yaml; - age = { - keyFile = "/home/${config.monorepo.vars.userName}/.ssh/keys.txt"; - }; - secrets = { - mail = { - format = "yaml"; - path = "${config.sops.defaultSymlinkPath}/mail"; - }; - cloudflare-dns = { - format = "yaml"; - path = "${config.sops.defaultSymlinkPath}/cloudflare-dns"; - }; - digikey = { - format = "yaml"; - path = "${config.sops.defaultSymlinkPath}/digikey"; - }; - dn42 = { - format = "yaml"; - path = "${config.sops.defaultSymlinkPath}/dn42"; - }; - znc = { - format = "yaml"; - path = "${config.sops.defaultSymlinkPath}/znc"; - }; - znc_password_salt = { - format = "yaml"; - path = "${config.sops.defaultSymlinkPath}/znc_password_salt"; - }; - - znc_password_hash = { - format = "yaml"; - path = "${config.sops.defaultSymlinkPath}/znc_password_hash"; - }; - - matrix_bridge = { - format = "yaml"; - path = "${config.sops.defaultSymlinkPath}/matrix_bridge"; - }; - }; - defaultSymlinkPath = "/run/user/1000/secrets"; - defaultSecretsMountPoint = "/run/user/1000/secrets.d"; - }; - } -#+end_src *** Waybar This is the bar I use for my hyprland configuration. You will need to adjust the monitors field in the ~default.nix~ for it to really appear. @@ -3670,7 +3942,7 @@ for these configurations. # Apps # octaveFull - vesktop grim swww vim telegram-desktop qwen-code fluffychat jami + vesktop grim swww vim kotatogram-desktop tg qwen-code element-desktop jami # Sound/media pavucontrol alsa-utils imagemagick ffmpeg helvum 
@@ -3925,6 +4197,10 @@ Spontaneity is my VPS instance. boot.loader.grub.device = "nodev"; networking = { + extraHosts = '' + 127.0.0.1 livekit.${config.monorepo.vars.orgHost} + 127.0.0.1 matrix.${config.monorepo.vars.orgHost} + ''; interfaces.ens3.ipv4.addresses = [ { address = ipv4addr; @@ -3938,17 +4214,29 @@ Spontaneity is my VPS instance. } ]; defaultGateway = "66.42.84.1"; - firewall.allowedTCPPorts = [ - 80 - 143 - 443 - 465 - 587 - 993 - 6697 - 6667 - 8448 - ]; + firewall = { + allowedTCPPorts = [ + 80 + 143 + 443 + 465 + 587 + 993 + 3478 + 5349 + 6697 + 6667 + 7881 + 8443 + 8448 + ]; + allowedUDPPorts = [ + 3478 5349 7882 + ]; + allowedUDPPortRanges = [ + { from = 49152; to = 65535; } + ]; + }; domains = { enable = true; baseDomains = { @@ -3963,12 +4251,14 @@ Spontaneity is my VPS instance. }; subDomains = { "${config.monorepo.vars.remoteHost}" = {}; + "notes.${config.monorepo.vars.remoteHost}" = { + a.data = "45.76.87.125"; + }; "matrix.${config.monorepo.vars.remoteHost}" = {}; "www.${config.monorepo.vars.remoteHost}" = {}; - "mail.${config.monorepo.vars.remoteHost}" = { - mx.data = "10 mail.${config.monorepo.vars.remoteHost}."; - }; + "mail.${config.monorepo.vars.remoteHost}" = {}; + "livekit.${config.monorepo.vars.orgHost}" = {}; "${config.monorepo.vars.orgHost}" = {}; "git.${config.monorepo.vars.orgHost}" = {}; "matrix.${config.monorepo.vars.orgHost}" = {}; diff --git a/nix/.sops.yaml b/nix/.sops.yaml index 9c91d66..3613e2b 100644 --- a/nix/.sops.yaml +++ b/nix/.sops.yaml @@ -1,7 +1,13 @@ keys: - &primary age165ul43e8rc0qwzz2f2q9cw02psm2mkudsrwavq2e0pxs280p64yqy2z0dr + - &vps age1acpuyy2qnduyxzwvusd8urr6a78e3f37ylhvh2pngyqytf5r8ans5vkest creation_rules: - path_regex: secrets/secrets.yaml$ key_groups: - age: - *primary + + - path_regex: secrets/vps_secrets.yaml$ + key_groups: + - age: + - *vps diff --git a/nix/modules/conduit.nix b/nix/modules/conduit.nix index dc3ea56..6e4611f 100644 --- a/nix/modules/conduit.nix +++ b/nix/modules/conduit.nix 
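Review bot: `allowedUDPPortRanges = [ { from = 49152; to = 65535; } ]` opens a wider range than LiveKit is configured to use (`port_range_start = 50000; port_range_end = 60000;` in conduit.nix), and UDP 5349 is opened although the TURN TLS listener on 5349 in the same config is TCP. Narrowing to `{ from = 50000; to = 60000; }` and dropping 5349 from `allowedUDPPorts` keeps the exposed surface matched to what is actually listening. The enclosing `networking` attribute set begins before this hunk.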
@@ -2,6 +2,7 @@ { services.matrix-conduit = { enable = lib.mkDefault config.monorepo.profiles.server.enable; + secretFile = "/run/secrets/conduit_secrets"; settings.global = { server_name = "matrix.${config.monorepo.vars.orgHost}"; trusted_servers = [ @@ -14,4 +15,33 @@ allow_registration = false; }; }; + services.lk-jwt-service = { + enable = lib.mkDefault config.monorepo.profiles.server.enable; + port = 6495; + livekitUrl = "wss://livekit.nullring.xyz"; + keyFile = "/run/secrets/livekit_secret"; + }; + services.livekit = { + enable = lib.mkDefault config.monorepo.profiles.server.enable; + keyFile = "/run/secrets/livekit_secret"; + settings = { + port = 7880; + turn = { + enabled = true; + domain = "livekit.${config.monorepo.vars.orgHost}"; + cert_file = "/var/lib/acme/livekit.${config.monorepo.vars.orgHost}/fullchain.pem"; + key_file = "/var/lib/acme/livekit.${config.monorepo.vars.orgHost}/key.pem"; + tls_port = 5349; + udp_port = 3478; + }; + + rtc = { + use_external_ip = true; + tcp_port = 7881; + udp_port = 7882; + port_range_start = 50000; + port_range_end = 60000; + }; + }; + }; } diff --git a/nix/modules/configuration.nix b/nix/modules/configuration.nix index e2d12e2..35944e0 100644 --- a/nix/modules/configuration.nix +++ b/nix/modules/configuration.nix @@ -11,6 +11,7 @@ ./nvidia.nix ./cuda.nix ./nginx.nix + ./secrets.nix ./git-daemon.nix ./ollama.nix ./i2pd.nix @@ -22,8 +23,13 @@ ./znc.nix ./docker.nix ./impermanence.nix + ./coturn.nix ]; + environment.etc."wpa_supplicant.conf".text = '' +country=CA +''; + documentation = { enable = lib.mkDefault config.monorepo.profiles.documentation.enable; man.enable = lib.mkDefault config.monorepo.profiles.documentation.enable; 
@@ -60,6 +66,13 @@ }; extraModprobeConfig = '' options snd-usb-audio vid=0x1235 pid=0x8200 device_setup=1 + options rtw88_core disable_lps_deep=y power_save=0 disable_aspm_l1ss=y + options rtw88_pci disable_msi=y disable_aspm=y + options rtw_core disable_lps_deep=y + options rtw_pci disable_msi=y disable_aspm=y + options rtw89_core disable_ps_mode=y + options rtw89_pci disable_aspm_l1=y disable_aspm_l1ss=y disable_clkreq=y + options iwlwifi 11n_disable=8 uapsd_disable=1 bt_coex_active=0 disable_11ax=1 power_save=0 ''; extraModulePackages = [ ]; @@ -97,7 +110,10 @@ ]; kernelParams = [ + "cfg80211.reg_alpha2=CA" "usbcore.autosuspend=-1" + "pcie_aspm=off" + "pci=noaer" # "debugfs=off" "page_alloc.shuffle=1" "slab_nomerge" @@ -169,14 +185,15 @@ "kernel.perf_event_paranoid" = 3; # net + "net.ipv4.ip_forward" = 1; "net.ipv4.icmp_echo_ignore_broadcasts" = true; - "net.ipv4.conf.all.accept_redirects" = false; - "net.ipv4.conf.all.secure_redirects" = false; - "net.ipv4.conf.default.accept_redirects" = false; - "net.ipv4.conf.default.secure_redirects" = false; - "net.ipv6.conf.all.accept_redirects" = false; - "net.ipv6.conf.default.accept_redirects" = false; + # "net.ipv4.conf.all.accept_redirects" = false; + # "net.ipv4.conf.all.secure_redirects" = false; + # "net.ipv4.conf.default.accept_redirects" = false; + # "net.ipv4.conf.default.secure_redirects" = false; + # "net.ipv6.conf.all.accept_redirects" = false; + # "net.ipv6.conf.default.accept_redirects" = false; }; }; 
@@ -185,40 +202,42 @@ dhcpcd.enable = (! config.monorepo.profiles.server.enable); networkmanager = { enable = true; - wifi.powersave = false; + wifi = { + powersave = false; + }; ensureProfiles = { - profiles = { - home-wifi = { - connection = { - id = "home-wifi"; - permissions = ""; - type = "wifi"; - }; - ipv4 = { - dns-search = ""; - method = "auto"; - }; - ipv6 = { - addr-gen-mode = "stable-privacy"; - dns-search = ""; - method = "auto"; - }; - wifi = { - mac-address-blacklist = ""; - mode = "infrastructure"; - ssid = "TELUS6572"; - }; - wifi-security = { - auth-alg = "open"; - key-mgmt = "wpa-psk"; - # when someone actually steals my internet then I will be concerned. - # This password only matters if you actually show up to my house in real life. - # That would perhaps allow for some nasty networking related shenanigans. - # I guess we'll cross that bridge when I get there. - psk = "b4xnrv6cG6GX"; - }; - }; - }; + # profiles = { + # home-wifi = { + # connection = { + # id = "TELUS6572"; + # permissions = ""; + # type = "wifi"; + # }; + # ipv4 = { + # dns-search = ""; + # method = "auto"; + # }; + # ipv6 = { + # addr-gen-mode = "stable-privacy"; + # dns-search = ""; + # method = "auto"; + # }; + # wifi = { + # mac-address-blacklist = ""; + # mode = "infrastructure"; + # ssid = "TELUS6572"; + # }; + # wifi-security = { + # auth-alg = "open"; + # key-mgmt = "wpa-psk"; + # # when someone actually steals my internet then I will be concerned. + # # This password only matters if you actually show up to my house in real life. + # # That would perhaps allow for some nasty networking related shenanigans. + # # I guess we'll cross that bridge when I get there. + # psk = "b4xnrv6cG6GX"; + # }; + # }; + # }; }; }; firewall = { @@ -228,6 +247,7 @@ }; hardware = { + wirelessRegulatoryDatabase = true; enableAllFirmware = true; cpu.intel.updateMicrocode = true; graphics.enable = ! config.monorepo.profiles.ttyonly.enable; 
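Review bot: Commenting out the `home-wifi` profile leaves the wifi PSK `psk = "b4xnrv6cG6GX"` in the file, and it was already committed in clear text before this change; if the profile is no longer wanted, delete the block rather than commenting it, and since the value is now in repository history the network key itself should be rotated. If the profile is to come back, `networking.networkmanager.ensureProfiles.environmentFiles` lets the PSK be written as `psk = "$HOME_WIFI_PSK";` and substituted from a sops-managed file outside the Nix store, so neither the repo nor `/nix/store` carries it. The `wifi = { powersave = false; };` restyle and the `wirelessRegulatoryDatabase = true;` addition in the next hunk are fine.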
@@ -345,6 +365,8 @@ restic sbctl git + git-lfs + git-lfs-transfer vim curl nmap @@ -363,14 +385,25 @@ users.groups.git = lib.mkDefault {}; users.groups.ircd = lib.mkDefault {}; users.groups.ngircd = lib.mkDefault {}; + users.groups.conduit = lib.mkDefault {}; + users.groups.livekit = lib.mkDefault {}; + users.groups.matterbridge = lib.mkDefault {}; users.users = { - + matterbridge = { + isSystemUser = lib.mkDefault true; + group = "matterbridge"; + }; ngircd = { isSystemUser = lib.mkDefault true; group = "ngircd"; extraGroups = [ "acme" "nginx" ]; }; + livekit = { + isSystemUser = lib.mkDefault true; + group = "livekit"; + extraGroups = [ "acme" "nginx" ]; + }; ircd = { isSystemUser = lib.mkDefault true; @@ -393,7 +426,7 @@ git = { isSystemUser = true; home = "/srv/git"; - shell = "${pkgs.git}/bin/git-shell"; + shell = "/bin/sh"; group = "git"; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICts6+MQiMwpA+DfFQxjIN214Jn0pCw/2BDvOzPhR/H2 preston@continuity-dell" @@ -404,6 +437,7 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICts6+MQiMwpA+DfFQxjIN214Jn0pCw/2BDvOzPhR/H2 preston@continuity-dell" ]; + linger = true; initialPassword = "${config.monorepo.vars.userName}"; isNormalUser = true; description = config.monorepo.vars.fullName; @@ -420,6 +454,9 @@ nix = { settings = { + keep-outputs = true; + keep-derivations = true; + auto-optimise-store = true; max-jobs = 4; cores = 0; substituters = [ @@ -431,6 +468,7 @@ experimental-features = "nix-command flakes ca-derivations"; trusted-users = [ "@wheel" ]; }; + gc.automatic = true; }; time.timeZone = config.monorepo.vars.timeZone; i18n.defaultLocale = "en_CA.UTF-8"; diff --git a/nix/modules/coturn.nix b/nix/modules/coturn.nix new file mode 100644 index 0000000..3ceeac6 --- /dev/null +++ b/nix/modules/coturn.nix 
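Review bot: `shell = "/bin/sh";` on the `git` user turns a restricted account into a full interactive shell for every key in its `authorizedKeys`; `git-shell` existed precisely to limit that account to fetch/push. If the motive was to let `git-lfs-transfer` (added to `systemPackages` in the first hunk here) run over SSH, git-shell can stay: it also executes any command found in a `git-shell-commands` directory under the user's home, so a symlink to `git-lfs-transfer` in `/srv/git/git-shell-commands` is enough. The `livekit` user is put in `acme` and `nginx`; `acme` is presumably for the cert paths in the turn block, but nothing visible here needs `nginx`, so that group can probably be dropped.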
@@ -0,0 +1,10 @@
+{ lib, config, ... }:
+{
+ services.coturn = {
+ enable = false;
+ use-auth-secret = true;
+ listening-ips = [ "0.0.0.0" ];
+ cert = "/var/lib/acme/matrix.${config.monorepo.vars.orgHost}/fullchain.pem";
+ static-auth-secret-file = "/run/secrets/coturn_secret";
+ };
+}
diff --git a/nix/modules/docker.nix b/nix/modules/docker.nix
index ac2c456..9eb18f5 100644
--- a/nix/modules/docker.nix
+++ b/nix/modules/docker.nix
@@ -1,15 +1,15 @@
 { lib, config, vars, ... }:
 {
- virtualisation = {
- oci-containers = {
- backend = "podman";
- containers = {};
- };
- containers.enable = true;
- podman = {
- enable = true;
- dockerCompat = true;
- defaultNetwork.settings.dns_enabled = true;
- };
- };
+ # virtualisation = {
+ # oci-containers = {
+ # backend = "podman";
+ # containers = {};
+ # };
+ # containers.enable = true;
+ # podman = {
+ # enable = true;
+ # dockerCompat = true;
+ # defaultNetwork.settings.dns_enabled = true;
+ # };
+ # };
 }
diff --git a/nix/modules/gitweb.nix b/nix/modules/gitweb.nix
index 51cff87..c98e4c6 100644
--- a/nix/modules/gitweb.nix
+++ b/nix/modules/gitweb.nix
@@ -1,7 +1,10 @@
 { lib, config, ... }:
 {
 services.gitweb = {
- gitwebTheme = true;
+ gitwebTheme = lib.mkDefault config.monorepo.profiles.server.enable;
 projectroot = "/srv/git/";
+ extraConfig = ''
+our $export_ok = "git-daemon-export-ok";
+'';
 };
 }
diff --git a/nix/modules/home/default.nix b/nix/modules/home/default.nix
index c991927..b1c07c3 100644
--- a/nix/modules/home/default.nix
+++ b/nix/modules/home/default.nix
@@ -4,7 +4,6 @@
 sops-nix.homeManagerModules.sops
 ../vars.nix
 ./fcitx.nix
- ./secrets.nix
 ./emacs.nix
 ./firefox.nix
 ./git.nix
@@ -22,6 +21,7 @@
 ./mako.nix
 ./user.nix
 ./gtk.nix
+ ./secrets.nix
 ];
 
 options = {
diff --git a/nix/modules/home/emacs.nix b/nix/modules/home/emacs.nix
index 2b7840d..4256d34 100644
--- a/nix/modules/home/emacs.nix
+++ b/nix/modules/home/emacs.nix
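Review bot: The new coturn module sets `cert` but no `pkey`, so the TLS listener cannot start once `enable` is flipped on; the matching line is `pkey = "/var/lib/acme/matrix.${config.monorepo.vars.orgHost}/key.pem";`, and the turnserver user then needs read access to that acme directory. `static-auth-secret-file = "/run/secrets/coturn_secret"` refers to a secret that none of the system-level `sops.secrets` in this commit declare (only nix/modules/home/vps_secrets.nix mentions it, and home-manager secrets land under `/run/user/...`, not `/run/secrets`). While the service is disabled it is also the moment to add the relay restrictions that stop a TURN server from being used to reach the host's own services — `no-cli`, `no-tcp-relay` and `denied-peer-ip` entries for loopback and RFC 1918 ranges via `extraConfig`. The gitweb change (`our $export_ok = "git-daemon-export-ok";`) is a good tightening: only explicitly exported repositories become visible.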
@@ -77,6 +77,7 @@ epkgs.solidity-flycheck epkgs.solidity-mode epkgs.sudo-edit + epkgs.telega epkgs.treemacs epkgs.treemacs-evil epkgs.treemacs-magit diff --git a/nix/modules/home/firefox.nix b/nix/modules/home/firefox.nix index b99544b..3ae8f71 100644 --- a/nix/modules/home/firefox.nix +++ b/nix/modules/home/firefox.nix @@ -2,7 +2,7 @@ { programs.firefox = { enable = lib.mkDefault config.monorepo.profiles.graphics.enable; - package = pkgs.firefox-bin; + package = pkgs.firefox; policies = { EnableTrackingProtection = true; OfferToSaveLogins = false; diff --git a/nix/modules/home/git.nix b/nix/modules/home/git.nix index 0e6e66c..c80b6f9 100644 --- a/nix/modules/home/git.nix +++ b/nix/modules/home/git.nix @@ -2,6 +2,7 @@ { programs.git = { enable = lib.mkDefault config.monorepo.profiles.graphics.enable; + lfs.enable = lib.mkDefault config.monorepo.profiles.graphics.enable; userName = config.monorepo.vars.fullName; userEmail = config.monorepo.profiles.email.email; signing = { diff --git a/nix/modules/home/mpd.nix b/nix/modules/home/mpd.nix index 3ab9d2d..8f646ea 100644 --- a/nix/modules/home/mpd.nix +++ b/nix/modules/home/mpd.nix @@ -24,19 +24,20 @@ always_on "yes" # prevent MPD from disconnecting all listeners when playback is stopped. tags "yes" # httpd supports sending tags to listening streams. } -audio_output { - type "shout" - encoding "ogg" - name "my cool stream" - host "localhost" - port "8000" - mount "/example.ogg" - user "source" - password "" - bitrate "64" - format "44100:16:1" - description "Nullring public radio" +audio_output { + type "shout" + name "My VPS Stream" + host "127.0.0.1" + port "8888" # This must match your SSH tunnel local port + mount "/stream" # The URL path (e.g. http://vps:8000/stream) + password "SuperSecretSourcePass" + bitrate "128" + format "44100:16:2" + protocol "icecast2" # Essential for modern Icecast + user "source" # Default icecast source user + description "My MPD Stream" + genre "Mixed" } ''; }; 
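Review bot: The new shout output in the mpd config carries a literal source password, `password "SuperSecretSourcePass"`; home-manager presumably writes this string into the world-readable Nix store and it is committed here, so even for a tunnelled localhost stream it should be a placeholder substituted from a sops secret, or the output block kept in a file outside the store that mpd pulls in with its `include` directive (if the MPD in use supports it). The two comments also disagree on the port — `port "8888" # This must match your SSH tunnel local port` versus `mount "/stream" # The URL path (e.g. http://vps:8000/stream)` — so one of them should be corrected to say which end the tunnel terminates on.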
diff --git a/nix/modules/home/personal_secrets.nix b/nix/modules/home/personal_secrets.nix new file mode 100644 index 0000000..9013de1 --- /dev/null +++ b/nix/modules/home/personal_secrets.nix @@ -0,0 +1,23 @@ +{ lib, config, ... }: +{ + config = lib.mkIf config.monorepo.profiles.graphics.enable { + sops.secrets = { + mail = { + format = "yaml"; + path = "${config.sops.defaultSymlinkPath}/mail"; + }; + cloudflare-dns = { + format = "yaml"; + path = "${config.sops.defaultSymlinkPath}/cloudflare-dns"; + }; + digikey = { + format = "yaml"; + path = "${config.sops.defaultSymlinkPath}/digikey"; + }; + dn42 = { + format = "yaml"; + path = "${config.sops.defaultSymlinkPath}/dn42"; + }; + }; + }; +} diff --git a/nix/modules/home/secrets.nix b/nix/modules/home/secrets.nix index 20c3d44..a38b4e0 100644 --- a/nix/modules/home/secrets.nix +++ b/nix/modules/home/secrets.nix @@ -1,11 +1,15 @@ { config, ... }: { sops = { - defaultSopsFile = ../../secrets/secrets.yaml; + defaultSopsFile = if config.monorepo.profiles.graphics.enable + then ../../secrets/secrets.yaml + else ../../secrets/vps_secrets.yaml; + age = { - keyFile = "/home/${config.monorepo.vars.userName}/.ssh/keys.txt"; + keyFile = "/home/${config.monorepo.vars.userName}/.config/sops/age/keys.txt"; }; - secrets = { + + secrets = if config.monorepo.profiles.graphics.enable then { mail = { format = "yaml"; path = "${config.sops.defaultSymlinkPath}/mail"; 
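Review bot: nix/modules/home/personal_secrets.nix (and vps_secrets.nix later in this commit) is added but, as far as the diff shows, nothing imports it — home/default.nix still lists only `./secrets.nix`, and secrets.nix already declares the same `mail`/`cloudflare-dns`/`digikey`/`dn42` set behind the same `graphics.enable` condition. Either import the new files and drop the duplicate declarations from secrets.nix, or delete them; as it stands they are dead and will silently diverge from the live definitions. The `age.keyFile` move to `~/.config/sops/age/keys.txt` matches sops' default location and is fine.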
@@ -22,24 +26,7 @@ format = "yaml"; path = "${config.sops.defaultSymlinkPath}/dn42"; }; - znc = { - format = "yaml"; - path = "${config.sops.defaultSymlinkPath}/znc"; - }; - znc_password_salt = { - format = "yaml"; - path = "${config.sops.defaultSymlinkPath}/znc_password_salt"; - }; - - znc_password_hash = { - format = "yaml"; - path = "${config.sops.defaultSymlinkPath}/znc_password_hash"; - }; - - matrix_bridge = { - format = "yaml"; - path = "${config.sops.defaultSymlinkPath}/matrix_bridge"; - }; + } else { }; defaultSymlinkPath = "/run/user/1000/secrets"; defaultSecretsMountPoint = "/run/user/1000/secrets.d"; diff --git a/nix/modules/home/user.nix b/nix/modules/home/user.nix index c97347e..356a0fe 100644 --- a/nix/modules/home/user.nix +++ b/nix/modules/home/user.nix @@ -45,7 +45,7 @@ # Apps # octaveFull - vesktop grim swww vim telegram-desktop qwen-code fluffychat jami + vesktop grim swww vim kotatogram-desktop tg qwen-code element-desktop jami # Sound/media pavucontrol alsa-utils imagemagick ffmpeg helvum diff --git a/nix/modules/home/vps_secrets.nix b/nix/modules/home/vps_secrets.nix new file mode 100644 index 0000000..df75a39 --- /dev/null +++ b/nix/modules/home/vps_secrets.nix 
@@ -0,0 +1,43 @@ +{ lib, config, ... }: +{ + config = lib.mkIf (!config.monorepo.profiles.graphics.enable) { + sops.secrets = { + znc = { + format = "yaml"; + path = "${config.sops.defaultsymlinkpath}/znc"; + }; + znc_password_salt = { + format = "yaml"; + path = "${config.sops.defaultsymlinkpath}/znc_password_salt"; + }; + znc_password_hash = { + format = "yaml"; + path = "${config.sops.defaultsymlinkpath}/znc_password_hash"; + }; + matrix_bridge = { + format = "yaml"; + path = "${config.sops.defaultsymlinkpath}/matrix_bridge"; + }; + coturn_secret = { + format = "yaml"; + path = "${config.sops.defaultsymlinkpath}/coturn_secret"; + }; + livekit_secret = { + format = "yaml"; + path = "${config.sops.defaultsymlinkpath}/livekit_secret"; + }; + livekit = { + format = "yaml"; + path = "${config.sops.defaultsymlinkpath}/livekit"; + }; + conduit_secrets = { + format = "yaml"; + path = "${config.sops.defaultsymlinkpath}/conduit_secrets"; + }; + mautrix_env = { + format = "yaml"; + path = "${config.sops.defaultsymlinkpath}/mautrix_env"; + }; + }; + }; +} diff --git a/nix/modules/honk.nix b/nix/modules/honk.nix index b13a9dc..985a544 100644 --- a/nix/modules/honk.nix +++ b/nix/modules/honk.nix @@ -1,7 +1,7 @@ { lib, config, ... }: { services.honk = { - enable = config.monorepo.vars.ttyonly; + enable = lib.mkDefault config.monorepo.profiles.server.enable; servername = "ret2pop.net"; username = "ret2pop"; }; diff --git a/nix/modules/impermanence.nix b/nix/modules/impermanence.nix index ad942ff..4fa886a 100644 --- a/nix/modules/impermanence.nix +++ b/nix/modules/impermanence.nix @@ -59,7 +59,6 @@ ]; files = [ "/etc/machine-id" - "/etc/matterbridge.toml" { file = "/var/keys/secret_file"; parentDirectory = { mode = "u=rwx,g=,o="; }; } ]; users."${config.monorepo.vars.userName}" = { diff --git a/nix/modules/maddy.nix b/nix/modules/maddy.nix index c84b59c..ab98f87 100644 --- a/nix/modules/maddy.nix +++ b/nix/modules/maddy.nix 
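Review bot: Every `path` in the new vps_secrets.nix reads `config.sops.defaultsymlinkpath`, but the option is `defaultSymlinkPath` (as used in home/secrets.nix in this same commit); Nix attribute names are case-sensitive, so the module fails to evaluate the moment something imports it. Replace each occurrence with `path = "${config.sops.defaultSymlinkPath}/<name>";`. The honk change (`enable = lib.mkDefault config.monorepo.profiles.server.enable;`) brings that module in line with the others and looks right.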
@@ -4,20 +4,27 @@
 enable = lib.mkDefault config.monorepo.profiles.server.enable;
 openFirewall = true;
 hostName = "${config.monorepo.vars.remoteHost}";
- primaryDomain = "mail.${config.monorepo.vars.remoteHost}";
+ primaryDomain = "mail.${config.monorepo.vars.orgHost}";
 tls = {
- loader = "acme";
+ certificates = [
+ {
+ keyPath = "/var/lib/acme/mail.${config.monorepo.vars.orgHost}/key.pem";
+ certPath = "/var/lib/acme/mail.${config.monorepo.vars.orgHost}/fullchain.pem";
+ }
+ ];
 };
 config = builtins.replaceStrings [
 "imap tcp://0.0.0.0:143"
 "submission tcp://0.0.0.0:587"
+ "smtp tcp://0.0.0.0:25"
 ] [
 "imap tls://0.0.0.0:993 tcp://0.0.0.0:143"
 "submission tls://0.0.0.0:465 tcp://0.0.0.0:587"
+ "smtps tls://0.0.0.0:465 smtp tcp://0.0.0.0:25"
 ] options.services.maddy.config.default;
 ensureCredentials = {
 "${config.monorepo.vars.userName}@localhost" = {
- passwordFile = "/secrets/${config.monorepo.vars.userName}-localhost";
+ passwordFile = "/run/secrets/mail_password";
 };
 };
 };
diff --git a/nix/modules/matterbridge.nix b/nix/modules/matterbridge.nix
index 567e2b7..85a2295 100644
--- a/nix/modules/matterbridge.nix
+++ b/nix/modules/matterbridge.nix
@@ -2,6 +2,6 @@
 {
 services.matterbridge = {
 enable = lib.mkDefault config.monorepo.profiles.server.enable;
- configPath = "/etc/matterbridge.toml";
+ configPath = "${config.sops.templates.matterbridge.path}";
 };
 }
diff --git a/nix/modules/mautrix.nix b/nix/modules/mautrix.nix
index 5eacb4a..abdb50d 100644
--- a/nix/modules/mautrix.nix
+++ b/nix/modules/mautrix.nix
@@ -2,7 +2,7 @@
 {
 services.mautrix-discord = {
 enable = lib.mkDefault config.monorepo.profiles.server.enable;
- environmentFile = "/etc/mautrix";
+ environmentFile = "/run/secrets/mautrix_env";
 settings = {
 bridge = {
 animated_sticker = {
diff --git a/nix/modules/murmur.nix b/nix/modules/murmur.nix
index f2dd124..fcd4434 100644
--- a/nix/modules/murmur.nix
+++ b/nix/modules/murmur.nix
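Review bot: The new replacement pair rewrites maddy's inbound MX endpoint to `smtps tls://0.0.0.0:465 smtp tcp://0.0.0.0:25`, while the line just above already binds `submission tls://0.0.0.0:465`; two endpoint blocks now claim port 465, so the second one to start fails to bind, and if the MX endpoint wins, the unauthenticated relay-in endpoint is what answers on the port mail clients use for implicit-TLS submission. Submission on 465 already covers the SMTPS use case, so the `"smtp tcp://0.0.0.0:25"` / `"smtps tls://0.0.0.0:465 smtp tcp://0.0.0.0:25"` pair can simply be dropped (I am also not aware of `smtps` being a maddy endpoint module name — worth checking against the maddy docs). The new `tls.certificates` paths under `/var/lib/acme/mail.…` require the maddy user to be able to read that directory, which this diff does not show being arranged.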
@@ -1,7 +1,8 @@
 { lib, config, ... }:
 {
 services.murmur = {
- enable = lib.mkDefault config.monorepo.profiles.server.enable;
+# enable = lib.mkDefault config.monorepo.profiles.server.enable;
+ enable = false;
 openFirewall = true;
 hostName = "0.0.0.0";
 welcometext = "Wecome to the Null Murmur instance!";
diff --git a/nix/modules/nginx.nix b/nix/modules/nginx.nix
index 9337774..a3c079b 100644
--- a/nix/modules/nginx.nix
+++ b/nix/modules/nginx.nix
@@ -1,14 +1,12 @@
-{ config, lib, services, ... }:
+{ config, lib, ... }:
 {
 services.nginx = {
 enable = lib.mkDefault config.monorepo.profiles.server.enable;
 user = "nginx";
- # Use recommended settings
 recommendedGzipSettings = true;
 recommendedOptimisation = true;
- recommendedProxySettings = true;
 recommendedTlsSettings = true;
- appendHttpConfig = '''';
+ recommendedProxySettings = false;
 
 gitweb = {
 enable = true;
@@ -29,7 +27,8 @@
 addr = "[::]";
 port = 443;
 ssl = true;
- } {
+ }
+ {
 addr = "0.0.0.0";
 port = 8448;
 ssl = true;
@@ -48,11 +47,102 @@ proxy_read_timeout 5m; ''; }; + locations."= /.well-known/matrix/server" = { + extraConfig = '' + add_header Content-Type application/json; + add_header Access-Control-Allow-Origin *; + ''; + + return = ''200 '{"m.server": "matrix.nullring.xyz:443"}' ''; + }; + locations."/.well-known/matrix/client" = { + extraConfig = '' + default_type application/json; + add_header Access-Control-Allow-Origin *; + ''; + + return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.${config.monorepo.vars.orgHost}\"}, \"org.matrix.msc4143.rtc_foci\": [{\"type\": \"livekit\", \"livekit_service_url\": \"https://matrix.${config.monorepo.vars.orgHost}:8443\"}]}'"; + }; extraConfig = '' merge_slashes off; ''; }; + + "matrix.${config.monorepo.vars.orgHost}-livekit" = { + serverName = "matrix.${config.monorepo.vars.orgHost}"; + listen = [ + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + } + { + addr = "[::]"; + port = 8443; + ssl = true; + } + ]; + addSSL = true; + enableACME = false; + forceSSL = false; + useACMEHost = "matrix.${config.monorepo.vars.orgHost}"; + + locations."/" = { + proxyPass = "http://127.0.0.1:6495"; + proxyWebsockets = true; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + ''; + }; + }; + + "livekit.${config.monorepo.vars.orgHost}" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:7880"; + proxyWebsockets = true; + extraConfig = '' + proxy_read_timeout 3600s; + proxy_send_timeout 3600s; + + # Standard headers for LiveKit + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + # proxy_set_header Upgrade $http_upgrade; + # proxy_set_header Connection "upgrade"; + + # --- CORS CONFIGURATION START --- + # 1. 
Allow all origins (including app.element.io) + add_header 'Access-Control-Allow-Origin' '*' always; + + # 2. Allow specific methods (POST is required for /sfu/get) + add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE' always; + + # 3. Allow headers (Content-Type is crucial for JSON) + add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always; + + # 4. Handle the OPTIONS preflight request immediately + if ($request_method = 'OPTIONS') { + add_header 'Access-Control-Allow-Origin' '*' always; + add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE' always; + add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always; + add_header 'Access-Control-Max-Age' 1728000; + add_header 'Content-Type' 'text/plain; charset=utf-8'; + add_header 'Content-Length' 0; + return 204; + } + # --- CORS CONFIGURATION END --- + ''; + }; + }; + "${config.monorepo.vars.remoteHost}" = { serverName = "${config.monorepo.vars.remoteHost}"; serverAliases = [ "${config.monorepo.vars.internetName}.${config.monorepo.vars.orgHost}" ]; @@ -68,8 +158,8 @@ enableACME = true; }; - "mail.${config.monorepo.vars.remoteHost}" = { - serverName = "mail.${config.monorepo.vars.remoteHost}"; + "mail.${config.monorepo.vars.orgHost}" = { + serverName = "mail.${config.monorepo.vars.orgHost}"; root = "/var/www/dummy"; addSSL = true; enableACME = true; diff --git a/nix/modules/ntfy-sh.nix b/nix/modules/ntfy-sh.nix new file mode 100644 index 0000000..9311af2 --- /dev/null +++ b/nix/modules/ntfy-sh.nix 
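Review bot: The new `.well-known/matrix/server` location hard-codes `matrix.nullring.xyz:443`, while the client well-known two lines below and every vhost name in this hunk are built from `config.monorepo.vars.orgHost`; templating it the same way, `return = ''200 '{"m.server": "matrix.${config.monorepo.vars.orgHost}:443"}' '';`, keeps federation delegation from silently pointing at the wrong host if the variable ever changes. Flipping `recommendedProxySettings` to `false` at the top of the file removes `X-Forwarded-For`/`X-Real-IP`/`Host` from every `proxyPass` location that does not set them itself; the two new livekit locations do, but the matrix location this hunk begins inside (its start, before `proxy_read_timeout 5m;`, is outside the hunk) should be checked so the homeserver keeps seeing client addresses in its logs and rate limiting. The commented-out `Upgrade`/`Connection` headers under the livekit location are redundant with `proxyWebsockets = true;` and can be removed rather than left as comments.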
@@ -0,0 +1,12 @@
+{ lib, config, ... }:
+{
+ services.ntfy-sh = {
+# enable = lib.mkDefault config.monorepo.profiles.server.enable;
+ enable = false;
+ settings = {
+ base-url = "https://ntfy.${config.monorepo.vars.remoteHost}";
+ listen-http = "127.0.0.1:2586";
+ envrionmentFile = "/run/secrets/ntfy";
+ };
+ };
+}
diff --git a/nix/modules/nvidia.nix b/nix/modules/nvidia.nix
index f6a398a..5b05d28 100644
--- a/nix/modules/nvidia.nix
+++ b/nix/modules/nvidia.nix
@@ -14,9 +14,9 @@
 enable = lib.mkDefault config.monorepo.profiles.cuda.enable;
 finegrained = false;
 };
- nvidiaSettings = lib.mkDefault config.monorepo.profiles.cuda.enable;
 open = config.monorepo.profiles.cuda.enable;
 package = config.boot.kernelPackages.nvidiaPackages.stable;
+ nvidiaSettings = false;
 };
 };
 }
diff --git a/nix/modules/secrets.nix b/nix/modules/secrets.nix
index 29504f6..d1c711c 100644
--- a/nix/modules/secrets.nix
+++ b/nix/modules/secrets.nix
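Review bot: `envrionmentFile = "/run/secrets/ntfy";` is misspelled, and it sits inside `settings`, so it would be emitted into ntfy's own server config as an unknown key rather than read as a module option; the secret it names, `ntfy`, is also not declared in nix/modules/secrets.nix nor present in vps_secrets.yaml in this commit. Since the service is `enable = false` nothing breaks yet, but it is worth fixing the spelling, moving it out of `settings` if the module exposes a separate option for it, and declaring the secret before the line `# enable = lib.mkDefault …` is turned back on.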
@@ -1,61 +1,104 @@ { config, ... }: { sops = { - defaultSopsFile = ../../secrets/secrets.yaml; + defaultSopsFile = if config.monorepo.profiles.server.enable + then ../secrets/vps_secrets.yaml + else ../secrets/secrets.yaml; + + + templates = if config.monorepo.profiles.server.enable then { + "matterbridge" = { + owner = "matterbridge"; + content = '' +[irc.myirc] +Server="127.0.0.1:6667" +Nick="bridge" +RemoteNickFormat="[{PROTOCOL}] <{NICK}> " +UseTLS=false + +[telegram.mytelegram] +Token="${config.sops.placeholder.telegram_token}" +RemoteNickFormat="<({PROTOCOL}){NICK}> " +MessageFormat="HTMLNick :" +QuoteFormat="{MESSAGE} (re @{QUOTENICK}: {QUOTEMESSAGE})" +QuoteLengthLimit=46 +IgnoreMessages="^/" + +[discord.mydiscord] +Token="${config.sops.placeholder.discord_token}" +Server="Null Identity" +AutoWebHooks=true +RemoteNickFormat="[{PROTOCOL}] <{NICK}> " +PreserveThreading=true + +[[gateway]] +name="gateway1" +enable=true + +[[gateway.inout]] +account="irc.myirc" +channel="#nullring" + +[[gateway.inout]] +account="discord.mydiscord" +channel="ID:996282946879242262" + +[[gateway.inout]] +account="telegram.mytelegram" +channel="-5290629325" +''; + }; + } else {}; + age = { - keyFile = "/home/${config.monorepo.vars.userName}/.ssh/keys.txt"; + keyFile = "/home/${config.monorepo.vars.userName}/.config/sops/age/keys.txt"; }; - secrets = { + + secrets = if ! 
config.monorepo.profiles.server.enable then { mail = { format = "yaml"; - sopsFile = config.sops.defaultSopsFile; -# sopsFile = ../../secrets/secrets.yaml; - path = "${config.sops.defaultSymlinkPath}/mail"; }; cloudflare-dns = { format = "yaml"; - sopsFile = config.sops.defaultSopsFile; - path = "${config.sops.defaultSymlinkPath}/cloudflare-dns"; }; digikey = { format = "yaml"; - sopsFile = config.sops.defaultSopsFile; - path = "${config.sops.defaultSymlinkPath}/digikey"; }; dn42 = { format = "yaml"; - sopsFile = config.sops.defaultSopsFile; -# sopsFile = ../../secrets/secrets.yaml; - path = "${config.sops.defaultSymlinkPath}/dn42"; }; + } else { znc = { format = "yaml"; - sopsFile = config.sops.defaultSopsFile; -# sopsFile = ../../secrets/secrets.yaml; - path = "${config.sops.defaultSymlinkPath}/znc"; }; znc_password_salt = { format = "yaml"; - sopsFile = config.sops.defaultSopsFile; -# sopsFile = ../../secrets/secrets.yaml; - path = "${config.sops.defaultSymlinkPath}/znc_password_salt"; }; - znc_password_hash = { format = "yaml"; - sopsFile = config.sops.defaultSopsFile; -# sopsFile = ../../secrets/secrets.yaml; - path = "${config.sops.defaultSymlinkPath}/znc_password_hash"; }; - matrix_bridge = { format = "yaml"; - sopsFile = config.sops.defaultSopsFile; -# sopsFile = ../../secrets/secrets.yaml; - path = "${config.sops.defaultSymlinkPath}/matrix_bridge"; + }; + livekit_secret = { + format = "yaml"; + mode = "0444"; + }; + livekit = { + format = "yaml"; + }; + conduit_secrets = { + format = "yaml"; + }; + mautrix_env = { + format = "yaml"; + }; + telegram_token = { + format = "yaml"; + }; + discord_token = { + format = "yaml"; }; }; - defaultSymlinkPath = "/run/user/1000/secrets"; - defaultSecretsMountPoint = "/run/user/1000/secrets.d"; }; } diff --git a/nix/secrets/secrets.yaml b/nix/secrets/secrets.yaml index 58c15c9..f2c3136 100644 --- a/nix/secrets/secrets.yaml +++ b/nix/secrets/secrets.yaml 
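Review bot: `livekit_secret` is declared with `mode = "0444";`, which makes the LiveKit API key/secret readable by every local user and service on the VPS — anyone who can read it can mint room tokens for the SFU. The file is presumably shared because both `livekit` and lk-jwt-service consume it; `owner = "livekit"; group = "livekit"; mode = "0440";` together with `systemd.services.lk-jwt-service.serviceConfig.SupplementaryGroups = [ "livekit" ];` (if that service runs under its own dynamic user) limits access to those two. `mail_password`, which maddy.nix in this commit reads from `/run/secrets/mail_password`, is present in vps_secrets.yaml but not declared in the server branch of `secrets` here, so the file will not be created and maddy's `ensureCredentials` will fail. The system-level `age.keyFile` now lives in a user's `~/.config/sops/age/keys.txt`; for host secrets the host SSH key (`sops.age.sshKeyPaths`) or a root-only key file is the usual choice so that a compromise of the user account does not also yield every server secret. The enclosing hunk starts on the previous line.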
@@ -2,10 +2,6 @@ mail: ENC[AES256_GCM,data:IFJnuVbshByUh5S3HoSnX5AyOg==,iv:gF0JlnBGAMLduMIG/hZtss digikey: ENC[AES256_GCM,data:U1c2HYB/YjwlyHvD3XVTqWJdb9/8BeS6,iv:DNsBoaqgUPdfO9knQLCMeJVO8kctQ9XNvcY2xcpI0NM=,tag:kuJ9BYqVx0GeTBSW5EsItg==,type:str] cloudflare-dns: ENC[AES256_GCM,data:Gztc/M+r/eRO2DwyLxlIBxS7B7MpOXimbFkQwlYhq9SzGG/fLl6Xqw==,iv:aDyNwbc8EyrNyhucULUkeg7VM7BmqNQTndSTh1SWqq0=,tag:HvysjKquD1g2PCrCgX2swg==,type:str] dn42: ENC[AES256_GCM,data:xSYssg7ReFjmf7LvmqmH/A==,iv:Gj/LZrxzRJLOLbP5rumjmViYWP6ufW3ocngektBW3V8=,tag:SA4f1vAnMFUO5Yk6NTr81Q==,type:str] -znc: ENC[AES256_GCM,data:EYB9Gk/oZgU=,iv:zxtAFRKGPhfeanhOP6YiXQujWny6XGFvf2op2NNlo78=,tag:jxGNirhEbyYrZ+S3ZjssxA==,type:str] -matrix_bridge: ENC[AES256_GCM,data:wkfUpMvpoktkUaFr2BopCRo=,iv:gMdF+nnyl9XeJhGvAUKcfK5mvLytt8DvcPLgxMUtOlg=,tag:v06PRV6rM+4a1E3iW3vjnQ==,type:str] -znc_password_hash: ENC[AES256_GCM,data:OretCSRPEqXUaaEucDsEgjceyOQ9hNpKU61cnR0ZYt7FWAPO4OVYYs/S1xpC11ZmqAItTYZTCXJUoZEI+uwOgg==,iv:/YQewdQvwuQHx9Ci3Qj8yzSe1ZpvQfJ+/+TSl+7eEEc=,tag:m9y1TCGzzdf4F6nFBFdm5w==,type:str] -znc_password_salt: ENC[AES256_GCM,data:7hpewfbF0sGAFUahJuHNRhN8MIc=,iv:Gf2UGgEt9Yi+x44Rqy90QtG3dsUy4GX+FCe58YNk3Qs=,tag:q6Wu1bTasXpqoHxGmgJ4Lw==,type:str] sops: age: - recipient: age165ul43e8rc0qwzz2f2q9cw02psm2mkudsrwavq2e0pxs280p64yqy2z0dr 
@@ -17,7 +13,7 @@ sops: OFFNeEtOTk5FSm9RaDFad0UyeWZ2WDgKIwGoB4a5WAIkE93gzqdUzNlo5vgQ1zLy yhEFrE1NbhyItnZIg/yRhqFG0dv7D3pEP3pq2Seew6pKJg/s9UTJ8Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-09-08T08:02:24Z" - mac: ENC[AES256_GCM,data:o+eA42aOTNxbNrfOVj4eFDsVyKA+5GBbYwUWVvLxVgEoiHk+M/XUl3lAlAvCP5L65oGK3ZRrKwgOaPzle6FTWj8GsJD906YZcqNhhydKVpax9NIXjkPbSp0Q7kIws0M7Iudf9GZotrLQZTB8jKGLkGfdjQbhJuQAklyZEAuN1q0=,iv:sEiTEyNOUG5SsffY4LM7lFtS8F1pUIjmO/xOCPrE7oo=,tag:41yJ48o/DLjXa9wgvZ1RcQ==,type:str] + lastmodified: "2026-02-09T22:27:35Z" + mac: ENC[AES256_GCM,data:51iA4W4Sou4OC5pk5oFr9vAbBHDdbiZTi9jiLsSh4/IHx4SDQONc05EoMUsqjidodeAfQCpmvqBFKdVPIaaSZE+0fqyPTs/wjCtbZTAhsH+NTUKn4yU5/HBC3hw2QLz7tCLKgRLhfooHUDQxdFWGMJNB7xSjxdPVcy/1+gngOrE=,iv:TrWBcs/Px2bmh716Jl5xSP/SCXM7akaGrhsC6/pXbQg=,tag:AFqp09TkLkdu903jY5YjEw==,type:str] unencrypted_suffix: _unencrypted - version: 3.10.2 + version: 3.11.0 diff --git a/nix/secrets/vps_secrets.yaml b/nix/secrets/vps_secrets.yaml new file mode 100644 index 0000000..d60ced3 --- /dev/null +++ b/nix/secrets/vps_secrets.yaml 
@@ -0,0 +1,26 @@ +livekit_secret: ENC[AES256_GCM,data:akkd9OREC024n5NfE/suM0B9SjBdPZbXMnz62Qwy2XNW+HhJw1ixhYoR8PQoR6K0unrAUAFhwWtQp+aJ1i+5q1rdpLV/3povvXYPaGg8EnE=,iv:uMuIfLYT1lvDWY8PYjnWWne7WOd0BBgBJn5mvd9ltAs=,tag:JQlRe5IY4f1RVvsq+56lKQ==,type:str] +livekit: ENC[AES256_GCM,data:DFWsez5+O7fyI1P/3w8wKj2YpblP+fDR/r4Ry7lLJNnZxiCbT3iS0Rm9lfe3zqZbjHvhpnYtOMPApoegJFEonQ==,iv:SditYIuc+W+AdX4AgKx2j4A4K7FXXHpewcf7KzMB8qY=,tag:EwF9DKf7uGZZKf7kF8RsNg==,type:str] +znc: ENC[AES256_GCM,data:iFNZ0tgciFU=,iv:oAAqMoov5Nv9AUBILlRpgTLJyu7l1uQshbag0ujewP4=,tag:RXtbn4EEH2523qX9MC0ODA==,type:str] +conduit_secrets: ENC[AES256_GCM,data:q6r4f275/6JKStX51+5qWozz+5L3UF4gTPaj4TOXskjRSn28cLKuoKix4mpKCqamef3SVU8THmPg3kwF5o4Gbm3XpZLieUyPaGCWxnwEaGZ8V5XaBZE=,iv:vsxezaahD0yCBmg0bAHMQfg9AjB52x/At5AowBTFARs=,tag:AXhgVDcTG7q1K91He7CFJA==,type:str] +mautrix_env: ENC[AES256_GCM,data:Ab1mRgaXSS3VSB2sBo5AT0KaceubrcbAdomUEArmavbsjdWYQLkXbu8/BEALMTgif6c6+4u0iR3dLbRmmobBXGS03mdcR94MQbuWWH6VmHZ5VpydJQOMSl6FBcbOVgGBBp8srUmjVTLsDFobaZCCQJNfK2J3f2wbJqbDMgoUDb5B2LuElAJAuKABxCgl/isCovZpAKwbl65rK1GzZCDc9Z54o3BKLPH6Wa2K4RHnhnYjRl8HZCd/g4WRTVZh6kMIRluWtqdIVHPXAH0oc80=,iv:USZqyHzLt53mkveDxIUq0Tvyw08sUm+MpgsrjWeDiO8=,tag:4Ftfu3ALM77YnftxLkz/YQ==,type:str] +matrix_bridge: ENC[AES256_GCM,data:w0BEETuDXVlKLlAs4JIQxMs=,iv:6IBAyKHmPJLqQWZFJD0NVT0rSXuGuAiCV2O6c3bP42o=,tag:oiyMCb4wtyqLIBrfvTirQw==,type:str] +znc_password_hash: ENC[AES256_GCM,data:ji7qfy8aw5x2UZ5V++VKFHU925Tk2dgv2S90rrzePDhpC824LjqKqCF9Vrk8aNS9qxEB4Om0KVWWjITr1c+gPA==,iv:dX2TXQjQr+Y0y71O6LP13rxJuUz9zECgcPW3czkWmAk=,tag:oBlqoTWJjhaF3gBTUMCNPA==,type:str] +znc_password_salt: ENC[AES256_GCM,data:e7YZkNB32RiqgCPGoehwsfZzOHM=,iv:GrhwBRBZ1ZSHJOnVg0XF6N5Oh/4tJ4Dvje0NiuGC4b8=,tag:IRjUrpkFBDO2OSu5dMyPSw==,type:str] +telegram_token: ENC[AES256_GCM,data:hfstqM3NphVnK86LYp8EYe09kflMzQ1/SO5rm5UIkWN7wdl7mbq+sw3svc4YhQ==,iv:o6TbrGBCly0s3US9041cKmpLpThB/umhBEdZE9E3v54=,tag:WJ/KS4Uc9wtIcjpyfmzLfA==,type:str] +discord_token: 
ENC[AES256_GCM,data:1mJ0lKTz2SmaP3PIn3ThWX6Mjbv3tywtLtF65SVkkCEtI79wcPeqK83l6jb3yG+ugntNR7lfQxLgbbURnTil3jc7yVOsYreL,iv:ExZ8xFkH6RR7rHATh8oBEEZWfV5Rt1YVEx8gUicQrV0=,tag:wKJ3P8ie/ppHU9VStQlk0Q==,type:str] +mail_password: ENC[AES256_GCM,data:W24/1l9YrV+M1enkAgRv2uZuhUIYAjpcRkX7tbc=,iv:F8oLCpthhecllJvGSmHUaFgmBKDg/g3o85CPJ/nCcxU=,tag:bPxcZNXdQ/jkK+saaIKbSw==,type:str] +sops: + age: + - recipient: age1acpuyy2qnduyxzwvusd8urr6a78e3f37ylhvh2pngyqytf5r8ans5vkest + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKTy9PT2o5eDJ5bXFOdXhE + Z0xjNXcwME54N3JtbmJqNm9CYjhQZTNCRlJjCjY1K24ra1RCZTVYRHRWZkwyd1Z6 + Y0llN2pWRkwrYnZBZFJKWHROUUI1V0EKLS0tIGJBK1ZCOW5oUlRWd2dPV21lbkZs + dDZONnI0bG5heTYzaDkxeGo3VlFmdm8K377mvFFxtFSURAWeFvLDJTkm8wppKr/B + Y4qrdU3xBaTwqlsC/7lElQClaUbM+YMF/padENsD6IfyoGN8lGUQQw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-02-11T01:17:40Z" + mac: ENC[AES256_GCM,data:9z5nlQA2Wjw7kgk+i2BMFIePGRdNbagYZ6fQpdyQQTEERl/TK7E8hozIIo48lmhdqXkjK8Vsgon/lnl2QbLfh8sTlpYGfewUaAzERrxW0JPEeY+JqcTaWO/16SNDd5dcd1aYWZILPcjPnz2/wwI3TMWpQG85lEDSXyLMommNdDc=,iv:uzLQtiZ7AJM/eS8/pLvty9YvErCMpx8xhk/d6jxKouQ=,tag:6ebxZG7BlF4ZxnJpp4QBVg==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/nix/systems/spontaneity/default.nix b/nix/systems/spontaneity/default.nix index c7d7ed6..7d637bf 100644 --- a/nix/systems/spontaneity/default.nix +++ b/nix/systems/spontaneity/default.nix @@ -26,6 +26,10 @@ boot.loader.grub.device = "nodev"; networking = { + extraHosts = '' + 127.0.0.1 livekit.${config.monorepo.vars.orgHost} + 127.0.0.1 matrix.${config.monorepo.vars.orgHost} + ''; interfaces.ens3.ipv4.addresses = [ { address = ipv4addr; 
@@ -39,17 +43,29 @@ } ]; defaultGateway = "66.42.84.1"; - firewall.allowedTCPPorts = [ - 80 - 143 - 443 - 465 - 587 - 993 - 6697 - 6667 - 8448 - ]; + firewall = { + allowedTCPPorts = [ + 80 + 143 + 443 + 465 + 587 + 993 + 3478 + 5349 + 6697 + 6667 + 7881 + 8443 + 8448 + ]; + allowedUDPPorts = [ + 3478 5349 7882 + ]; + allowedUDPPortRanges = [ + { from = 49152; to = 65535; } + ]; + }; domains = { enable = true; baseDomains = { @@ -64,12 +80,14 @@ }; subDomains = { "${config.monorepo.vars.remoteHost}" = {}; + "notes.${config.monorepo.vars.remoteHost}" = { + a.data = "45.76.87.125"; + }; "matrix.${config.monorepo.vars.remoteHost}" = {}; "www.${config.monorepo.vars.remoteHost}" = {}; - "mail.${config.monorepo.vars.remoteHost}" = { - mx.data = "10 mail.${config.monorepo.vars.remoteHost}."; - }; + "mail.${config.monorepo.vars.remoteHost}" = {}; + "livekit.${config.monorepo.vars.orgHost}" = {}; "${config.monorepo.vars.orgHost}" = {}; "git.${config.monorepo.vars.orgHost}" = {}; "matrix.${config.monorepo.vars.orgHost}" = {};
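Review bot: `allowedUDPPortRanges = [ { from = 49152; to = 65535; } ];` opens about 16k UDP ports, while the livekit rtc block in config/nix.org in this commit uses `port_range_start = 50000; port_range_end = 60000;`; `{ from = 50000; to = 60000; }` matches what the SFU actually binds and leaves the rest closed. UDP 5349 is also listed, but livekit's `turn.tls_port = 5349` is TURN over TLS, i.e. TCP, so the UDP entry can go; 3478/UDP, 7881/TCP and 7882/UDP line up with the turn and rtc settings. The following hunk drops the `mx.data` record for `mail.${remoteHost}` while maddy's `primaryDomain` moves to `mail.${orgHost}`; that hunk runs past the end of the diff shown, so I cannot see whether an MX under the orgHost zone replaces it — without one inbound mail for the new domain has no route.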