From 6ef0abd5962c904fe0acc9590debb883caff1769 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 10 Oct 2023 15:36:14 +0000 Subject: [PATCH 01/16] home: xdg: set 'REPO_CONFIG_DIR' Unfortunately, it will create a `.repoconfig` inside that directory. But that's still better than littering my $HOME. --- home/xdg/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/home/xdg/default.nix b/home/xdg/default.nix index 3fd8dc9..af9ec18 100644 --- a/home/xdg/default.nix +++ b/home/xdg/default.nix @@ -47,6 +47,7 @@ in LESSHISTFILE = "${dataHome}/less/history"; LESSKEY = "${configHome}/less/lesskey"; PSQL_HISTORY = "${dataHome}/psql_history"; + REPO_CONFIG_DIR = "${configHome}/repo"; REDISCLI_HISTFILE = "${dataHome}/redis/rediscli_history"; XCOMPOSECACHE = "${dataHome}/X11/xcompose"; }; From f9541cbc33d196fc3e811167d67a38d0d47cb422 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 12 Oct 2023 12:56:41 +0000 Subject: [PATCH 02/16] hosts: homes: mousqueton: disable 'git' package I had some troubles with `git` once again... This reverts commit 13769429f6db871d8d8d64391584e280860a3fc7. --- hosts/homes/ambroisie@mousqueton/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/hosts/homes/ambroisie@mousqueton/default.nix b/hosts/homes/ambroisie@mousqueton/default.nix index f54453b..9096610 100644 --- a/hosts/homes/ambroisie@mousqueton/default.nix +++ b/hosts/homes/ambroisie@mousqueton/default.nix @@ -1,5 +1,5 @@ # Google Cloudtop configuration -{ ... }: +{ lib, pkgs, ... }: { # Google specific configuration home.homeDirectory = "/usr/local/google/home/ambroisie"; @@ -13,6 +13,8 @@ LD_PRELOAD = "/lib/x86_64-linux-gnu/libnss_cache.so.2\${LD_PRELOAD:+:}$LD_PRELOAD"; }; + programs.git.package = lib.mkForce pkgs.emptyDirectory; + # I use scripts that use the passthrough sequence often on this host my.home.tmux.enablePassthrough = true; } From fd093465267cf0d53ebc2c710b4ac27c9ce1836f Mon Sep 17 00:00:00 2001 
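Review bot: The reason for forcing `programs.git.package` to `pkgs.emptyDirectory` lives only in the commit message, so the next reader of this host file sees an unexplained override; a one-line comment above it would help, e.g. `# Use the host's own git: the Nix-built one keeps breaking here (reverts 13769429)`. Home-manager still generates the git configuration, so it is worth confirming that the system git on this host actually reads `~/.config/git/config` as intended — that is inferred from the module, not visible here. Keep in mind that the `LD_PRELOAD` line in context means that system git, like every other process in the session, loads `libnss_cache.so.2` from a fixed absolute path; pre-existing, but relevant when debugging git on this host.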
From: Bruno BELANYI Date: Thu, 12 Oct 2023 13:40:22 +0000 Subject: [PATCH 03/16] direnv: remove explicit 'shellHooks' evaluation I _think_ nix-direnv does it automatically, so no need to do it myself. --- .envrc | 2 -- 1 file changed, 2 deletions(-) diff --git a/.envrc b/.envrc index 95ed6fb..7f5642d 100644 --- a/.envrc +++ b/.envrc @@ -6,5 +6,3 @@ use flake watch_file ./flake/checks.nix watch_file ./flake/dev-shells.nix - -eval "$shellHooks" From e09899d59c8c383773e9e76bb9cd7268ca775143 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 12 Oct 2023 13:41:36 +0000 Subject: [PATCH 04/16] direnv: fix 'watch_file' directives I should use `nix_direnv_watch_file` and call it _before_ `use_flake`. --- .envrc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.envrc b/.envrc index 7f5642d..956a218 100644 --- a/.envrc +++ b/.envrc @@ -2,7 +2,7 @@ if ! has nix_direnv_version || ! nix_direnv_version 2.2.1; then source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/2.2.1/direnvrc" "sha256-zelF0vLbEl5uaqrfIzbgNzJWGmLzCmYAkInj/LNxvKs=" fi -use flake +nix_direnv_watch_file ./flake/checks.nix +nix_direnv_watch_file ./flake/dev-shells.nix -watch_file ./flake/checks.nix -watch_file ./flake/dev-shells.nix +use flake From aca743dea7a76fe96c489f974b435ac2d6ab5b6c Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 12 Oct 2023 13:47:01 +0000 Subject: [PATCH 05/16] templates: simplify direnv configurations This was mostly a copy-paste error (the `watch_file` calls). As for the shell hooks, it looks like `nix-direnv` takes care of that automatically. --- templates/c++-cmake/.envrc | 5 ----- templates/c++-meson/.envrc | 5 ----- 2 files changed, 10 deletions(-) diff --git a/templates/c++-cmake/.envrc b/templates/c++-cmake/.envrc index 95ed6fb..f347aa9 100644 --- a/templates/c++-cmake/.envrc +++ b/templates/c++-cmake/.envrc 
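Review bot: The ordering constraint that `nix_direnv_watch_file` must precede `use flake` is recorded only in the commit message; a short comment in `.envrc` would stop someone from reordering it later, e.g. `# Must come before 'use flake': nix-direnv only tracks files registered before the flake is evaluated`. I have hedged that wording because the hunk shows the fix, not the nix-direnv behaviour behind it. Separately, `nix_direnv_version 2.2.1` is a minimum-version check, so a newer system-installed nix-direnv is preferred over the hash-pinned `source_url` bootstrap; that is reasonable, but it means the pinned hash only protects machines that have no nix-direnv of their own.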
@@ -3,8 +3,3 @@ if ! has nix_direnv_version || ! nix_direnv_version 2.2.1; then fi use flake - -watch_file ./flake/checks.nix -watch_file ./flake/dev-shells.nix - -eval "$shellHooks" diff --git a/templates/c++-meson/.envrc b/templates/c++-meson/.envrc index 95ed6fb..f347aa9 100644 --- a/templates/c++-meson/.envrc +++ b/templates/c++-meson/.envrc @@ -3,8 +3,3 @@ if ! has nix_direnv_version || ! nix_direnv_version 2.2.1; then fi use flake - -watch_file ./flake/checks.nix -watch_file ./flake/dev-shells.nix - -eval "$shellHooks" From ce19887f77e7ab7e735882eb6c5163ccf6d30145 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 12 Oct 2023 15:17:26 +0000 Subject: [PATCH 06/16] treewide: update 'nix-direnv' bootstrapping --- .envrc | 4 ++-- templates/c++-cmake/.envrc | 4 ++-- templates/c++-meson/.envrc | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.envrc b/.envrc index 956a218..9222bda 100644 --- a/.envrc +++ b/.envrc @@ -1,5 +1,5 @@ -if ! has nix_direnv_version || ! nix_direnv_version 2.2.1; then - source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/2.2.1/direnvrc" "sha256-zelF0vLbEl5uaqrfIzbgNzJWGmLzCmYAkInj/LNxvKs=" +if ! has nix_direnv_version || ! nix_direnv_version 2.4.0; then + source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/2.4.0/direnvrc" "sha256-XQzUAvL6pysIJnRJyR7uVpmUSZfc7LSgWQwq/4mBr1U=" fi nix_direnv_watch_file ./flake/checks.nix diff --git a/templates/c++-cmake/.envrc b/templates/c++-cmake/.envrc index f347aa9..ccf325e 100644 --- a/templates/c++-cmake/.envrc +++ b/templates/c++-cmake/.envrc 
@@ -1,5 +1,5 @@ -if ! has nix_direnv_version || ! nix_direnv_version 2.2.1; then - source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/2.2.1/direnvrc" "sha256-zelF0vLbEl5uaqrfIzbgNzJWGmLzCmYAkInj/LNxvKs=" +if ! has nix_direnv_version || ! nix_direnv_version 2.4.0; then + source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/2.4.0/direnvrc" "sha256-XQzUAvL6pysIJnRJyR7uVpmUSZfc7LSgWQwq/4mBr1U=" fi use flake diff --git a/templates/c++-meson/.envrc b/templates/c++-meson/.envrc index f347aa9..ccf325e 100644 --- a/templates/c++-meson/.envrc +++ b/templates/c++-meson/.envrc @@ -1,5 +1,5 @@ -if ! has nix_direnv_version || ! nix_direnv_version 2.2.1; then - source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/2.2.1/direnvrc" "sha256-zelF0vLbEl5uaqrfIzbgNzJWGmLzCmYAkInj/LNxvKs=" +if ! has nix_direnv_version || ! nix_direnv_version 2.4.0; then + source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/2.4.0/direnvrc" "sha256-XQzUAvL6pysIJnRJyR7uVpmUSZfc7LSgWQwq/4mBr1U=" fi use flake From a5febc40e4043bd00c552acde7bf2442f072fa34 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 12 Oct 2023 15:19:44 +0000 Subject: [PATCH 07/16] home: comma: remove 'COMMA_PKGS_FLAKE' definition Now that my configurations also set `nixpkgs` in `NIX_PATH`, there's isn't a need for this to be defined anymore. --- home/comma/default.nix | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/home/comma/default.nix b/home/comma/default.nix index cc6a0ad..60de863 100644 --- a/home/comma/default.nix +++ b/home/comma/default.nix 
@@ -5,25 +5,11 @@ in { options.my.home.comma = with lib; { enable = my.mkDisableOption "comma configuration"; - - pkgsFlake = mkOption { - type = types.str; - default = "pkgs"; - example = "nixpkgs"; - description = '' - Which flake from the registry should be used with - nix shell. - ''; - }; }; config = lib.mkIf cfg.enable { home.packages = with pkgs; [ ambroisie.comma ]; - - home.sessionVariables = { - COMMA_PKGS_FLAKE = cfg.pkgsFlake; - }; }; } From 2d36ffd96dba1ac9acab698d9370983eec0b3574 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 12 Oct 2023 15:19:44 +0000 Subject: [PATCH 08/16] pkgs: comma: rename 'COMMA_{,NIX}PKGS_FLAKE' This aligns with the rust implementation of this tool [1]. [1]: https://github.com/nix-community/comma/commit/17a4f3384954a43cec0f91361f153cda908fe3d3 --- pkgs/comma/comma | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/comma/comma b/pkgs/comma/comma index ba5c6ae..4367a26 100755 --- a/pkgs/comma/comma +++ b/pkgs/comma/comma @@ -30,4 +30,4 @@ if [ -z "$PROGRAM" ]; then exit 1 fi -nix shell "${COMMA_PKGS_FLAKE:-nixpkgs}#$PROGRAM" -c "$@" +nix shell "${COMMA_NIXPKGS_FLAKE:-nixpkgs}#$PROGRAM" -c "$@" From dae1a434d558b96d8ed3424b8eef09610aecb122 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 28 Sep 2023 18:02:22 +0200 Subject: [PATCH 09/16] modules: services: transmission: bump to 4 Not sure why exactly this isn't the default, I'll have to watch out for when upstream catches up. --- modules/services/transmission/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/services/transmission/default.nix b/modules/services/transmission/default.nix index dcba0aa..28df477 100644 --- a/modules/services/transmission/default.nix +++ b/modules/services/transmission/default.nix 
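Review bot: The `nixpkgs` fallback in `${COMMA_NIXPKGS_FLAKE:-nixpkgs}` is a flake reference, which `nix shell` resolves through the flake registry rather than `NIX_PATH`; unless the registry pins `nixpkgs`, every invocation with the variable unset fetches whatever the global registry currently points at, which is neither reproducible nor tied to the host's nixpkgs. If the intent of dropping `COMMA_PKGS_FLAKE` in the previous patch was to rely on the `NIX_PATH` entry, that does not apply to this line; consider pinning `nixpkgs` in the registry (or keeping the variable set to a pinned flake) and adding `# Resolved via the flake registry, not NIX_PATH` above it. `$PROGRAM` is interpolated into the flake ref as part of a single argument, so there is no shell injection, but a value containing `#` or `?` changes how the ref is parsed — low risk for a personal tool, worth a `case` guard if it ever sees untrusted input.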
@@ -3,7 +3,7 @@ # Inspired by [1] # # [1]: https://github.com/delroth/infra.delroth.net/blob/master/roles/seedbox.nix -{ config, lib, ... }: +{ config, lib, pkgs, ... }: let cfg = config.my.services.transmission; in @@ -45,6 +45,7 @@ in config = lib.mkIf cfg.enable { services.transmission = { enable = true; + package = pkgs.transmission_4; group = "media"; downloadDirPermissions = "775"; From 3b3e7093beb225810a728b44f31afeb24f2f247c Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 6 Oct 2023 23:11:46 +0200 Subject: [PATCH 10/16] modules: services: pirate: make more fine-grained --- modules/services/pirate/default.nix | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/modules/services/pirate/default.nix b/modules/services/pirate/default.nix index 7c341e7..59f9794 100644 --- a/modules/services/pirate/default.nix +++ b/modules/services/pirate/default.nix @@ -29,7 +29,7 @@ let ]; }; - mkFail2Ban = service: { + mkFail2Ban = service: lib.mkIf cfg.${service}.enable { services.fail2ban.jails = { ${service} = '' enabled = true @@ -47,14 +47,30 @@ let }; }; - mkFullConfig = service: lib.mkMerge [ + mkFullConfig = service: lib.mkIf cfg.${service}.enable (lib.mkMerge [ (mkService service) (mkRedirection service) - ]; + ]); in { options.my.services.pirate = { enable = lib.mkEnableOption "Media automation"; + + bazarr = { + enable = lib.my.mkDisableOption "Bazarr"; + }; + + lidarr = { + enable = lib.my.mkDisableOption "Lidarr"; + }; + + radarr = { + enable = lib.my.mkDisableOption "Radarr"; + }; + + sonarr = { + enable = lib.my.mkDisableOption "Sonarr"; + }; }; config = lib.mkIf cfg.enable (lib.mkMerge [ From f8a0eef4dd993d43dafec88aa33b099b9d05d11c Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 6 Oct 2023 23:13:47 +0200 Subject: [PATCH 11/16] hosts: nixos: porthos: services: disable lidarr --- hosts/nixos/porthos/services.nix | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
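Review bot: Pinning `package = pkgs.transmission_4;` with no comment leaves the next reader wondering why the module default is bypassed, and the commit message already says the author intends to drop it once nixpkgs catches up; add `# TODO: drop once nixpkgs defaults services.transmission to 4.x` above it. Transmission 4.x changed a number of `settings.json` defaults and added RPC-related keys relative to 3.x, so the `settings` block for this service (outside this hunk) is worth re-checking against the 4.x documentation, particularly the RPC whitelist and authentication options, since to my knowledge an unrecognised key is ignored silently and could widen access rather than fail loudly. This is inferred from the version bump, not from anything visible in the hunk.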
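Review bot: The four per-service option blocks differ only in the name, and the module already derives everything else from the service name, so they could be generated rather than hand-written, e.g. `lib.genAttrs [ "bazarr" "lidarr" "radarr" "sonarr" ] (s: { enable = lib.my.mkDisableOption s; })` merged into the options set — one list to keep in sync with the `mkFullConfig`/`mkFail2Ban` calls in the `config` block, which sits outside this hunk (the descriptions would lose their capitalisation). Gating `mkFail2Ban` on `cfg.${service}.enable` is the right call: a jail for a service that is not running would otherwise reference a log file that is never written, which fail2ban, to my knowledge, reports as an error at startup. One caveat: `cfg.${service}.enable` fails evaluation for any service name passed to these helpers without a matching option, which is a useful guard but deserves a comment so it is not mistaken for a bug.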
diff --git a/hosts/nixos/porthos/services.nix b/hosts/nixos/porthos/services.nix index 863048c..8487157 100644 --- a/hosts/nixos/porthos/services.nix +++ b/hosts/nixos/porthos/services.nix @@ -116,7 +116,13 @@ in secretKeyFile = secrets."paperless/secret-key".path; }; # The whole *arr software suite - pirate.enable = true; + pirate = { + enable = true; + # ... But not Lidarr because I don't care for music that much + lidarr = { + enable = false; + }; + }; # Podcast automatic downloader podgrab = { enable = true; From fcdb5ba59329dc129e93ab228e38943fc90fe978 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 18 Oct 2023 21:36:09 +0200 Subject: [PATCH 12/16] modules: services: woodpecker: remove DNS hack I'm not sure what changed, but it looks like I don't need it anymore. Initially I wanted to apply the same DNS fix as [1]. [1]: https://blog.kotatsu.dev/posts/2023-04-21-woodpecker-nix-caching/ --- modules/services/woodpecker/agent-docker/default.nix | 3 --- 1 file changed, 3 deletions(-) diff --git a/modules/services/woodpecker/agent-docker/default.nix b/modules/services/woodpecker/agent-docker/default.nix index b18d075..79d3299 100644 --- a/modules/services/woodpecker/agent-docker/default.nix +++ b/modules/services/woodpecker/agent-docker/default.nix @@ -27,9 +27,6 @@ in # Make sure it is activated in that case my.system.docker.enable = true; - # FIXME: figure out the issue - services.unbound.resolveLocalQueries = false; - # Adjust runner service for nix usage systemd.services.woodpecker-agent-docker = { after = [ "docker.socket" ]; # Needs the socket to be available From 9010c36fa0a59177f6348648954bd5448d912c35 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 28 Sep 2023 15:28:11 +0000 Subject: [PATCH 13/16] modules: services: matrix: refactor vhost --- modules/services/matrix/default.nix | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) 
diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix index c73afed..9acd8c2 100644 --- a/modules/services/matrix/default.nix +++ b/modules/services/matrix/default.nix @@ -13,6 +13,7 @@ let federationPort = { public = 8448; private = 11338; }; clientPort = { public = 443; private = 11339; }; domain = config.networking.domain; + matrixDomain = "matrix.${domain}"; in { options.my.services.matrix = with lib; { @@ -52,7 +53,7 @@ in settings = { server_name = domain; - public_baseurl = "https://matrix.${domain}"; + public_baseurl = "https://${matrixDomain}"; enable_registration = false; @@ -98,7 +99,7 @@ in conf = { default_server_config = { "m.homeserver" = { - "base_url" = "https://matrix.${domain}"; + "base_url" = "https://${matrixDomain}"; "server_name" = domain; }; "m.identity_server" = { @@ -120,7 +121,7 @@ in # Those are too complicated to use my wrapper... services.nginx.virtualHosts = { - "matrix.${domain}" = { + ${matrixDomain} = { onlySSL = true; useACMEHost = domain; @@ -148,9 +149,9 @@ in }; # same as above, but listening on the federation port - "matrix.${domain}_federation" = { + "${matrixDomain}_federation" = { onlySSL = true; - serverName = "matrix.${domain}"; + serverName = matrixDomain; useACMEHost = domain; locations."/".return = "404"; @@ -171,7 +172,7 @@ in locations."= /.well-known/matrix/server".extraConfig = let - server = { "m.server" = "matrix.${domain}:${toString federationPort.public}"; }; + server = { "m.server" = "${matrixDomain}:${toString federationPort.public}"; }; in '' add_header Content-Type application/json; @@ -181,7 +182,7 @@ in locations."= /.well-known/matrix/client".extraConfig = let client = { - "m.homeserver" = { "base_url" = "https://matrix.${domain}"; }; + "m.homeserver" = { "base_url" = "https://${matrixDomain}"; }; "m.identity_server" = { "base_url" = "https://vector.im"; }; }; # ACAO required to allow element-web on any URL to request this json file 
From 898b6a3b6470cb5fd6d44fd27b2fd5a7a9547ad3 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 28 Sep 2023 15:53:46 +0000 Subject: [PATCH 14/16] hosts: nixos: porthos: secrets: add matrix sync --- .../nixos/porthos/secrets/matrix/sliding-sync-secret.age | 9 +++++++++ hosts/nixos/porthos/secrets/secrets.nix | 3 +++ 2 files changed, 12 insertions(+) create mode 100644 hosts/nixos/porthos/secrets/matrix/sliding-sync-secret.age diff --git a/hosts/nixos/porthos/secrets/matrix/sliding-sync-secret.age b/hosts/nixos/porthos/secrets/matrix/sliding-sync-secret.age new file mode 100644 index 0000000..d375a35 --- /dev/null +++ b/hosts/nixos/porthos/secrets/matrix/sliding-sync-secret.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 cKojmg N182xey8TWRVUWTRP16rT0zlhYZNr/pOZVR7YRnlIkk +HVqAag55z1cKLgjR3WsUj2wvaVjxm169JcDRJGRvCVU +-> ssh-ed25519 jPowng Dc+aaUTxDsMTY+oOst0SC3ldq1e6zX8F5A5uBL5RHhc +JWZou6+VaFc5f2OLRIrmFFWg3Er6WSY+TloXU0mP1K8 +-> |9_9Aqh%-grease $ X8Mn|5 aKnl' fl Date: Thu, 28 Sep 2023 18:42:13 +0200 Subject: [PATCH 15/16] modules: services: matrix: register dummy vhosts This is simply to make use of my infrastructure for port collision detection. --- modules/services/matrix/default.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix index 9acd8c2..42c5cda 100644 --- a/modules/services/matrix/default.nix +++ b/modules/services/matrix/default.nix @@ -117,6 +117,15 @@ in }; }; } + # Dummy VHosts for port collision detection + { + subdomain = "matrix-federation"; + port = federationPort.private; + } + { + subdomain = "matrix-client"; + port = clientPort.private; + } ]; # Those are too complicated to use my wrapper... From 2ace0c0d7abc750f266861bf3bbebe8d2742b3d1 Mon Sep 17 00:00:00 2001 
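Review bot: The `matrix-federation` and `matrix-client` entries are labelled dummies, but if `my.services.nginx.virtualHosts` generates a real server block per entry (as it appears to for the other services using it), they expose the private federation listener and client listener directly on `matrix-federation.<domain>` and `matrix-client.<domain>`, bypassing the hand-written vhosts below that return `404` for `/` on the federation side and proxy only `/_matrix` and `/_synapse/client` on the client side. I cannot see the wrapper from here, so this is inferred from its use elsewhere; if it does generate vhosts, it needs a register-only flag for collision detection, or the comment should state that these hosts are intentionally reachable. Either way, `# Dummy VHosts for port collision detection` should say what is actually produced, e.g. `# Registered only so the port-collision check sees these listeners; the wrapper must not proxy them`.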
From: Bruno BELANYI Date: Thu, 28 Sep 2023 15:53:46 +0000 Subject: [PATCH 16/16] modules: services: matrix: add sliding sync --- hosts/nixos/porthos/services.nix | 3 +++ modules/services/matrix/default.nix | 40 +++++++++++++++++++++++++++++ 2 files changed, 43 insertions(+) diff --git a/hosts/nixos/porthos/services.nix b/hosts/nixos/porthos/services.nix index 8487157..d73cdc1 100644 --- a/hosts/nixos/porthos/services.nix +++ b/hosts/nixos/porthos/services.nix @@ -64,6 +64,9 @@ in mailConfigFile = secrets."matrix/mail".path; # Only necessary when doing the initial registration secretFile = secrets."matrix/secret".path; + slidingSync = { + secretFile = secrets."matrix/sliding-sync-secret".path; + }; }; miniflux = { enable = true; diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix index 42c5cda..8424396 100644 --- a/modules/services/matrix/default.nix +++ b/modules/services/matrix/default.nix @@ -26,6 +26,21 @@ in description = "Shared secret to register users"; }; + slidingSync = { + port = mkOption { + type = types.port; + default = 8009; + example = 8084; + description = "Port used by sliding sync server"; + }; + + secretFile = mkOption { + type = types.str; + example = "/var/lib/matrix/sliding-sync-secret-file.env"; + description = "Secret file which contains SYNCV3_SECRET definition"; + }; + }; + mailConfigFile = mkOption { type = types.str; example = "/var/lib/matrix/email-config.yaml"; @@ -89,6 +104,17 @@ in extraConfigFiles = [ cfg.mailConfigFile ] ++ lib.optional (cfg.secretFile != null) cfg.secretFile; + + sliding-sync = { + enable = true; + + settings = { + SYNCV3_SERVER = "https://${matrixDomain}"; + SYNCV3_BINDADDR = "127.0.0.1:${toString cfg.slidingSync.port}"; + }; + + environmentFile = cfg.slidingSync.secretFile; + }; }; my.services.nginx.virtualHosts = [ 
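Review bot: `SYNCV3_SERVER = "https://${matrixDomain}"` routes the proxy's upstream traffic out through the public nginx vhost and TLS, so sliding sync depends on public DNS for its own host and on the `matrix` vhost being up; pointing it at the loopback client listener, `SYNCV3_SERVER = "http://127.0.0.1:${toString clientPort.private}";`, keeps the path local and removes that dependency, assuming the listener at `clientPort.private` speaks plain HTTP as the existing nginx proxy implies. The `environmentFile` is read by systemd as `KEY=VALUE` lines, so the decrypted `matrix/sliding-sync-secret` must contain `SYNCV3_SECRET=...` rather than the bare secret — the option description says so, but a comment at the `environmentFile` line would help whoever rotates it next, e.g. `# env-file format: SYNCV3_SECRET=<random string>`. I have not seen the NixOS `sliding-sync` module's defaults for `SYNCV3_DB`; if it does not provision a database itself, that configuration is missing here.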
@@ -105,6 +131,9 @@ in "m.identity_server" = { "base_url" = "https://vector.im"; }; + "org.matrix.msc3575.proxy" = { + "url" = "https://matrix-sync.${matrixDomain}"; + }; }; showLabsSettings = true; defaultCountryCode = "FR"; # cocorico @@ -126,6 +155,11 @@ in subdomain = "matrix-client"; port = clientPort.private; } + # Sliding sync + { + subdomain = "matrix-sync"; + inherit (cfg.slidingSync) port; + } ]; # Those are too complicated to use my wrapper... @@ -148,6 +182,11 @@ in "/_matrix" = proxyToClientPort; "/_synapse/client" = proxyToClientPort; + + # Sliding sync + "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = { + proxyPass = "http://${config.services.matrix-synapse.sliding-sync.settings.SYNCV3_BINDADDR}"; + }; }; listen = [ @@ -193,6 +232,7 @@ in client = { "m.homeserver" = { "base_url" = "https://${matrixDomain}"; }; "m.identity_server" = { "base_url" = "https://vector.im"; }; + "org.matrix.msc3575.proxy" = { "url" = "https://matrix-sync.${matrixDomain}"; }; }; # ACAO required to allow element-web on any URL to request this json file in
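Review bot: `https://matrix-sync.${matrixDomain}` expands to `matrix-sync.matrix.<domain>`, but the vhost registered for sliding sync below uses `subdomain = "matrix-sync"`, which by the pattern of every other entry in that list (`matrix` → `matrix.<domain>`) yields `matrix-sync.<domain>`; the advertised proxy URL therefore points at a host that, as far as this diff shows, has no vhost and is not covered by the `useACMEHost = domain` certificate. The same expression is repeated in the `.well-known/matrix/client` hunk, so every client doing discovery would be handed the wrong sliding-sync endpoint. Unless the wrapper nests subdomains under `matrixDomain` (not visible here), the fix is `"url" = "https://matrix-sync.${domain}";` in both places — or, since the `matrix` vhost now proxies the MSC3575 paths itself, simply `"url" = "https://${matrixDomain}";`, at which point the separate vhost is redundant.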
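Review bot: The regex location `~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)` leaves the dots unescaped, so each `.` matches any character; harmless in practice, but escaping them (`\\.` inside the Nix string) states the intent and matches the precision of the exact-match `= /.well-known/...` locations used elsewhere in this vhost. More importantly, the `^/client/` alternative hands every path under `/client/` on the main `matrix` vhost to the sliding-sync proxy, which I understand serves its built-in test client there — a wider surface than the previous `/_matrix` and `/_synapse/client` prefixes, so it deserves a comment saying it is intentional, e.g. `# /client/ is the sliding-sync proxy's test UI; drop it if unused`. The same listener is also reachable in full through the `matrix-sync` vhost added above, so one of the two routes is redundant.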