From e6c9d19b0fc52db7fdd87c3c843a7074b5a85fe5 Mon Sep 17 00:00:00 2001 From: s0me1newithhand7s Date: Sun, 8 Feb 2026 22:38:28 +0300 Subject: [PATCH] viola: upstream 
Signed-off-by: s0me1newithhand7s --- .re-commit-config.yaml | 1 + viola/boot/initrd.nix | 3 +- viola/boot/kernel.nix | 9 +- viola/boot/lanzaboote.nix | 4 +- viola/boot/loader/systemd-boot.nix | 2 +- viola/boot/tmp.nix | 2 +- viola/boot/zfs.nix | 9 -- viola/console/console.nix | 2 +- viola/default.nix | 10 +- viola/environment/systemPackages.nix | 2 + viola/environment/variables.nix | 2 - viola/hardware/cpu.nix | 2 +- viola/hardware/graphics.nix | 2 +- viola/hardware/zram.nix | 4 +- viola/home-manager/users.nix | 20 +-- viola/i18n/locales.nix | 2 +- viola/networking/firewall.nix | 32 +++- viola/networking/hostId.nix | 2 +- viola/networking/hostname.nix | 4 +- viola/networking/hosts.nix | 2 +- viola/networking/interfaces.nix | 4 +- viola/networking/nameservers.nix | 2 +- viola/networking/networkmanager.nix | 2 +- viola/networking/timeServers.nix | 2 +- viola/networking/wireguard.nix | 2 +- viola/nix/settings/allowed-users.nix | 2 +- viola/nix/settings/auto-optimise-store.nix | 2 +- viola/nix/settings/experimental-features.nix | 2 +- viola/nix/settings/substituters.nix | 6 +- viola/nix/settings/trusted-public-keys.nix | 2 +- viola/nix/settings/trusted-users.nix | 2 +- viola/nixpkgs/config.nix | 2 +- viola/nixpkgs/overlays.nix | 2 +- viola/nixpkgs/system.nix | 2 +- viola/programs/nh.nix | 2 +- viola/programs/ssh.nix | 2 +- viola/security/polkit.nix | 2 +- viola/security/rtkit.nix | 2 +- viola/security/sudo-rs.nix | 2 +- viola/services/garage.nix | 12 ++ viola/services/irqbalance.nix | 2 +- viola/services/libinput.nix | 2 +- viola/services/netbird.nix | 2 +- viola/services/pipewire.nix | 2 +- viola/services/postgresql.nix | 56 +++++++ viola/services/redis.nix | 152 +++++++++++++++++++ viola/services/scx.nix | 3 +- viola/services/stalwart.nix | 135 ++++++++++++++++ viola/services/vaultwarden.nix | 12 ++ viola/services/woodpecker.nix | 20 +++ viola/services/zapret.nix | 145 ------------------ viola/services/zerotier.nix | 10 -- viola/systemd/oomd.nix | 2 +- 
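Review bot: `.re-commit-config.yaml` is committed as a symlink to an absolute `/nix/store/0nibh6zrkxhh7qc1q6kkq5810iqd0059-pre-commit-config.json` path, which exists only on the machine that produced it, so on every other checkout the file is a dangling link; if it is a hook-generated artifact it belongs in `.gitignore`, not in the tree. The target is named `pre-commit-config.json`, which suggests the filename lost the leading `p` of `.pre-commit-config.yaml` — worth confirming before tooling starts looking for the misspelt name.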
viola/systemd/slices/root-slice.nix | 2 +- viola/systemd/slices/system-slice.nix | 2 +- viola/systemd/slices/user-slice.nix | 2 +- viola/time/timeZone.nix | 2 +- viola/users/mutableUsers.nix | 2 +- viola/users/users/hand7s.nix | 5 +- viola/users/users/root.nix | 4 +- viola/virtualisation/docker.nix | 2 +- 61 files changed, 492 insertions(+), 244 deletions(-) create mode 120000 .re-commit-config.yaml delete mode 100644 viola/boot/zfs.nix create mode 100644 viola/services/garage.nix create mode 100644 viola/services/postgresql.nix create mode 100644 viola/services/redis.nix create mode 100644 viola/services/stalwart.nix create mode 100644 viola/services/vaultwarden.nix create mode 100644 viola/services/woodpecker.nix delete mode 100644 viola/services/zapret.nix delete mode 100644 viola/services/zerotier.nix diff --git a/.re-commit-config.yaml b/.re-commit-config.yaml new file mode 120000 index 0000000..b19354f --- /dev/null +++ b/.re-commit-config.yaml @@ -0,0 +1 @@ +/nix/store/0nibh6zrkxhh7qc1q6kkq5810iqd0059-pre-commit-config.json \ No newline at end of file diff --git a/viola/boot/initrd.nix b/viola/boot/initrd.nix index 568c6d0..86f16c1 100644 --- a/viola/boot/initrd.nix +++ b/viola/boot/initrd.nix @@ -1,4 +1,4 @@ -{lib, ...}: { +_: { boot = { initrd = { availableKernelModules = [ @@ -14,7 +14,6 @@ supportedFilesystems = { vfat = true; btrfs = true; - zfs = lib.mkForce true; }; systemd = { diff --git a/viola/boot/kernel.nix b/viola/boot/kernel.nix index 5f182f8..275cc4c 100644 --- a/viola/boot/kernel.nix +++ b/viola/boot/kernel.nix @@ -1,8 +1,4 @@ -{ - config, - lib, - ... -}: { +{config, ...}: { boot = { kernel = { sysctl = { @@ -16,7 +12,6 @@ }; }; - kernelPackages = pkgs.linuxPackages_cachyos-server; extraModulePackages = with config.boot.kernelPackages; [ rtl8821ce yt6801 @@ -35,6 +30,7 @@ "page_alloc.shuffle=1" "page_poison=1" "slab_nomerge" + "zswap.enabled=0" "kernel.watchdog=0" "oops=panic" 
@@ -73,7 +69,6 @@ supportedFilesystems = { vfat = true; btrfs = true; - zfs = lib.mkForce true; }; consoleLogLevel = 0; diff --git a/viola/boot/lanzaboote.nix b/viola/boot/lanzaboote.nix index 4a1320e..8036b8a 100644 --- a/viola/boot/lanzaboote.nix +++ b/viola/boot/lanzaboote.nix @@ -1,7 +1,7 @@ -{...}: { +_: { boot = { lanzaboote = { - enable = false; + enable = true; configurationLimit = 7; pkiBundle = "/var/lib/sbctl"; settings = { diff --git a/viola/boot/loader/systemd-boot.nix b/viola/boot/loader/systemd-boot.nix index 8e2989c..d8ebe95 100644 --- a/viola/boot/loader/systemd-boot.nix +++ b/viola/boot/loader/systemd-boot.nix @@ -1,4 +1,4 @@ -{...}: { +_: { boot = { loader = { systemd-boot = { diff --git a/viola/boot/tmp.nix b/viola/boot/tmp.nix index ac46b34..904e141 100644 --- a/viola/boot/tmp.nix +++ b/viola/boot/tmp.nix @@ -1,4 +1,4 @@ -{...}: { +_: { boot = { tmp = { useTmpfs = true; diff --git a/viola/boot/zfs.nix b/viola/boot/zfs.nix deleted file mode 100644 index f6d2f2d..0000000 --- a/viola/boot/zfs.nix +++ /dev/null @@ -1,9 +0,0 @@ -{...}: { - boot = { - zfs = { - package = pkgs.zfs_cachyos; - allowHibernation = false; - removeLinuxDRM = false; - }; - }; -} diff --git a/viola/console/console.nix b/viola/console/console.nix index 1e60d13..e3a24c9 100644 --- a/viola/console/console.nix +++ b/viola/console/console.nix @@ -1,4 +1,4 @@ -{...}: { +_: { console = { useXkbConfig = true; }; diff --git a/viola/default.nix b/viola/default.nix index 263fa6d..535051b 100644 --- a/viola/default.nix +++ b/viola/default.nix @@ -6,7 +6,6 @@ "${self}/viola/boot/plymouth.nix" "${self}/viola/boot/tmp.nix" "${self}/viola/boot/loader/systemd-boot.nix" - "${self}/viola/boot/zfs.nix" "${self}/viola/disko/disk.nix" "${self}/viola/disko/lvm_vg.nix" 
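Review bot: `enable = true;` for `boot.lanzaboote` makes the install hook sign every generation with the keys in `pkiBundle = "/var/lib/sbctl"`, so those keys must already exist on the host before the first switch, and with Secure Boot enforcing they must be enrolled in firmware or the new generation will not boot. Lanzaboote's documentation has the user set `boot.loader.systemd-boot.enable = lib.mkForce false;` because it replaces the systemd-boot module, yet `viola/boot/loader/systemd-boot.nix` in this same commit still configures `boot.loader.systemd-boot`; confirm it is disabled rather than relying on the module to force it off, which is not visible here.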
@@ -60,14 +59,19 @@ "${self}/viola/services/netbird.nix" "${self}/viola/services/scx.nix" "${self}/viola/services/xserver.nix" - "${self}/viola/services/zapret.nix" - "${self}/viola/services/zerotier.nix" "${self}/viola/services/usbmuxd.nix" "${self}/viola/services/irqbalance.nix" "${self}/viola/services/forgejo.nix" + "${self}/viola/services/postgresql.nix" + "${self}/viola/services/vaultwarden.nix" "${self}/viola/services/privatebin.nix" + "${self}/viola/services/woodpecker.nix" + "${self}/viola/services/stalwart.nix" "${self}/viola/services/homepage.nix" + "${self}/viola/services/redis.nix" "${self}/viola/services/zitadel.nix" + "${self}/viola/services/garage.nix" + "${self}/viola/sops/defaults.nix" "${self}/viola/sops/secrets.nix" diff --git a/viola/environment/systemPackages.nix b/viola/environment/systemPackages.nix index 28deca2..4801164 100644 --- a/viola/environment/systemPackages.nix +++ b/viola/environment/systemPackages.nix @@ -10,5 +10,7 @@ uutils-diffutils home-manager ]; + + enableAllTerminfo = false; }; } diff --git a/viola/environment/variables.nix b/viola/environment/variables.nix index 52c5a9e..2cd14c2 100644 --- a/viola/environment/variables.nix +++ b/viola/environment/variables.nix @@ -13,7 +13,5 @@ GRIMBLAST_HIDE_CURSOR = "0"; TERM = "xterm-256color"; }; - - enableAllTerminfo = true; }; } diff --git a/viola/hardware/cpu.nix b/viola/hardware/cpu.nix index e5746c6..441946f 100644 --- a/viola/hardware/cpu.nix +++ b/viola/hardware/cpu.nix @@ -1,4 +1,4 @@ -{...}: { +_: { hardware = { enableRedistributableFirmware = true; cpu = { diff --git a/viola/hardware/graphics.nix b/viola/hardware/graphics.nix index f81ccb7..76c79bf 100644 --- a/viola/hardware/graphics.nix +++ b/viola/hardware/graphics.nix @@ -1,4 +1,4 @@ -{...}: { +_: { hardware = { graphics = { enable = true; diff --git a/viola/hardware/zram.nix b/viola/hardware/zram.nix index b973787..d37077e 100644 --- a/viola/hardware/zram.nix +++ b/viola/hardware/zram.nix 
@@ -1,8 +1,8 @@ -{...}: { +_: { zramSwap = { enable = true; algorithm = "zstd"; priority = 100; - memoryPercent = 100; + memoryPercent = 200; }; } diff --git a/viola/home-manager/users.nix b/viola/home-manager/users.nix index 04c47d9..9d92dc6 100644 --- a/viola/home-manager/users.nix +++ b/viola/home-manager/users.nix @@ -1,19 +1,16 @@ -{ - inputs, - self, - ... -}: { +{self, ...}: { home-manager = { users = { - hand7s = { + "hand7s" = { imports = [ "${self}/hand7s/" - inputs.spicetify-nix.homeManagerModules.default - inputs.hyprland.homeManagerModules.default - inputs.chaotic.homeManagerModules.default - inputs.sops-nix.homeManagerModules.sops + self.inputs.agenix.homeManagerModules.default + self.inputs.spicetify-nix.homeManagerModules.default + self.inputs.hyprland.homeManagerModules.default + self.inputs.chaotic.homeManagerModules.default + self.inputs.sops-nix.homeManagerModules.sops - inputs.nix-index-database.homeModules.nix-index + self.inputs.nix-index-database.homeModules.nix-index ]; }; }; @@ -22,7 +19,6 @@ extraSpecialArgs = { inherit - inputs self ; }; diff --git a/viola/i18n/locales.nix b/viola/i18n/locales.nix index 09234a5..f456740 100644 --- a/viola/i18n/locales.nix +++ b/viola/i18n/locales.nix @@ -1,4 +1,4 @@ -{...}: { +_: { i18n = { defaultLocale = "en_US.UTF-8"; supportedLocales = [ diff --git a/viola/networking/firewall.nix b/viola/networking/firewall.nix index 7023a46..04c13fd 100644 --- a/viola/networking/firewall.nix +++ b/viola/networking/firewall.nix @@ -1,4 +1,4 @@ -{...}: { +_: { networking = { firewall = { allowPing = true; @@ -8,18 +8,48 @@ 80 8080 8443 + 8980 53350 53351 53353 + + # mc + 25565 + + # mail + 24 + 25 + 110 + 143 + 465 + 587 + 993 + 995 + 4190 ]; allowedTCPPorts = [ 80 8080 8443 + 8980 53350 53351 53353 + + # mc + 25565 + + # mail + 24 + 25 + 110 + 143 + 465 + 587 + 993 + 995 + 4190 ]; }; }; diff --git a/viola/networking/hostId.nix b/viola/networking/hostId.nix index 10b6b21..b0a983f 100644 
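Review bot: `allowedUDPPorts` now opens 24, 25, 110, 143, 465, 587, 993, 995 and 4190, but every one of these is a TCP-only mail protocol, so the UDP entries add exposure with no function — keep the `# mail` block under `allowedTCPPorts` only. Port 24 is Stalwart's LMTP listener (bound to `[::]:24` in stalwart.nix in this commit); LMTP has no authentication step and is meant for a trusted MTA hop, so it should not be reachable from outside at all. Port 8980 is Stalwart's management HTTP listener, which stalwart.nix binds to `127.0.0.1:8980`, so opening it here (and again in the two `interfaces.nix` hunks) does nothing today and would expose the admin API the moment that bind changes; drop it from both files.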
--- a/viola/networking/hostId.nix +++ b/viola/networking/hostId.nix @@ -1,4 +1,4 @@ -{...}: { +_: { networking = { hostId = "5c79d46a"; }; diff --git a/viola/networking/hostname.nix b/viola/networking/hostname.nix index ba82957..ea70707 100644 --- a/viola/networking/hostname.nix +++ b/viola/networking/hostname.nix @@ -1,5 +1,5 @@ -{...}: { +_: { networking = { - hostName = "s0meMiniPC-nix"; + hostName = "viola"; }; } diff --git a/viola/networking/hosts.nix b/viola/networking/hosts.nix index 04747e5..e42e2b1 100644 --- a/viola/networking/hosts.nix +++ b/viola/networking/hosts.nix @@ -1,4 +1,4 @@ -{...}: { +_: { networking = { hosts = { # nope diff --git a/viola/networking/interfaces.nix b/viola/networking/interfaces.nix index 26f5eb8..03a3a3e 100644 --- a/viola/networking/interfaces.nix +++ b/viola/networking/interfaces.nix @@ -1,4 +1,4 @@ -{...}: { +_: { networking = { firewall = { interfaces = { @@ -8,6 +8,7 @@ 6969 8080 8443 + 8980 53350 53351 53352 @@ -18,6 +19,7 @@ 6969 8080 8443 + 8980 53350 53351 53352 diff --git a/viola/networking/nameservers.nix b/viola/networking/nameservers.nix index a4d22c1..31726b9 100644 --- a/viola/networking/nameservers.nix +++ b/viola/networking/nameservers.nix @@ -1,4 +1,4 @@ -{...}: { +_: { networking = { nameservers = [ # cf dns diff --git a/viola/networking/networkmanager.nix b/viola/networking/networkmanager.nix index 3d66f30..474d212 100644 --- a/viola/networking/networkmanager.nix +++ b/viola/networking/networkmanager.nix @@ -1,4 +1,4 @@ -{...}: { +_: { networking = { networkmanager = { enable = false; diff --git a/viola/networking/timeServers.nix b/viola/networking/timeServers.nix index 88e14c4..9289ea6 100644 --- a/viola/networking/timeServers.nix +++ b/viola/networking/timeServers.nix @@ -1,4 +1,4 @@ -{...}: { +_: { networking = { timeServers = [ "0.nixos.pool.ntp.org" diff --git a/viola/networking/wireguard.nix b/viola/networking/wireguard.nix index 2ee5c02..bd2336c 100644 --- a/viola/networking/wireguard.nix 
+++ b/viola/networking/wireguard.nix @@ -1,4 +1,4 @@ -{...}: { +_: { networking = { wireguard = { enable = true; diff --git a/viola/nix/settings/allowed-users.nix b/viola/nix/settings/allowed-users.nix index d483d0c..0239519 100644 --- a/viola/nix/settings/allowed-users.nix +++ b/viola/nix/settings/allowed-users.nix @@ -1,4 +1,4 @@ -{...}: { +_: { nix = { settings = { sandbox = true; diff --git a/viola/nix/settings/auto-optimise-store.nix b/viola/nix/settings/auto-optimise-store.nix index 14f13c5..cb7a22a 100644 --- a/viola/nix/settings/auto-optimise-store.nix +++ b/viola/nix/settings/auto-optimise-store.nix @@ -1,4 +1,4 @@ -{...}: { +_: { nix = { settings = { auto-optimise-store = true; diff --git a/viola/nix/settings/experimental-features.nix b/viola/nix/settings/experimental-features.nix index 7ce7e89..9c45bc4 100644 --- a/viola/nix/settings/experimental-features.nix +++ b/viola/nix/settings/experimental-features.nix @@ -1,4 +1,4 @@ -{...}: { +_: { nix = { settings = { experimental-features = [ diff --git a/viola/nix/settings/substituters.nix b/viola/nix/settings/substituters.nix index 762ec5c..da0035f 100644 --- a/viola/nix/settings/substituters.nix +++ b/viola/nix/settings/substituters.nix @@ -1,4 +1,4 @@ -{...}: { +_: { nix = { settings = { substituters = [ @@ -9,10 +9,10 @@ # cachix "https://nix-community.cachix.org/" "https://chaotic-nyx.cachix.org/" - "https://ags.cachix.org" "https://hyprland.cachix.org" "https://chaotic-nyx.cachix.org/" - "https://colmena.cachix.org" + # nix-community + "https://hydra.nix-community.org/" ]; }; }; diff --git a/viola/nix/settings/trusted-public-keys.nix b/viola/nix/settings/trusted-public-keys.nix index e8710cb..4a128cb 100644 --- a/viola/nix/settings/trusted-public-keys.nix +++ b/viola/nix/settings/trusted-public-keys.nix @@ -1,4 +1,4 @@ -{...}: { +_: { nix = { settings = { trusted-public-keys = [ diff --git a/viola/nix/settings/trusted-users.nix b/viola/nix/settings/trusted-users.nix index e4a9dae..4eee825 100644 
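Review bot: `"https://hydra.nix-community.org/"` is added to `substituters`, but the trusted-public-keys hunk in this commit only rewrites the lambda head, so unless the key that signs that cache's paths is already listed under `trusted-public-keys`, its paths will be rejected as unsigned — confirm the key is present before relying on the cache. Visible in the context lines, `"https://chaotic-nyx.cachix.org/"` appears twice in the list; the duplicate is harmless but worth removing while the list is being edited.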
--- a/viola/nix/settings/trusted-users.nix +++ b/viola/nix/settings/trusted-users.nix @@ -1,4 +1,4 @@ -{...}: { +_: { nix = { settings = { trusted-users = [ diff --git a/viola/nixpkgs/config.nix b/viola/nixpkgs/config.nix index 27b79b0..b93e4ef 100644 --- a/viola/nixpkgs/config.nix +++ b/viola/nixpkgs/config.nix @@ -1,4 +1,4 @@ -{...}: { +_: { nixpkgs = { config = { allowUnfree = true; diff --git a/viola/nixpkgs/overlays.nix b/viola/nixpkgs/overlays.nix index 2881eba..8db0844 100644 --- a/viola/nixpkgs/overlays.nix +++ b/viola/nixpkgs/overlays.nix @@ -1,4 +1,4 @@ -{...}: { +_: { nixpkgs = { overlays = [ ]; diff --git a/viola/nixpkgs/system.nix b/viola/nixpkgs/system.nix index 63fda3b..3cbe59a 100644 --- a/viola/nixpkgs/system.nix +++ b/viola/nixpkgs/system.nix @@ -1,4 +1,4 @@ -{...}: { +_: { nixpkgs = { system = "x86_64-linux"; hostPlatform = "x86_64-linux"; diff --git a/viola/programs/nh.nix b/viola/programs/nh.nix index f43fb06..6d9937d 100644 --- a/viola/programs/nh.nix +++ b/viola/programs/nh.nix @@ -1,4 +1,4 @@ -{...}: { +_: { programs = { nh = { enable = true; diff --git a/viola/programs/ssh.nix b/viola/programs/ssh.nix index b7b9d20..5028eaf 100644 --- a/viola/programs/ssh.nix +++ b/viola/programs/ssh.nix @@ -1,4 +1,4 @@ -{...}: { +_: { programs = { ssh = { startAgent = true; diff --git a/viola/security/polkit.nix b/viola/security/polkit.nix index 7604e82..77e04d1 100644 --- a/viola/security/polkit.nix +++ b/viola/security/polkit.nix @@ -1,4 +1,4 @@ -{...}: { +_: { security = { polkit = { enable = true; diff --git a/viola/security/rtkit.nix b/viola/security/rtkit.nix index d3604df..dd40f89 100644 --- a/viola/security/rtkit.nix +++ b/viola/security/rtkit.nix @@ -1,4 +1,4 @@ -{...}: { +_: { security = { rtkit = { enable = true; diff --git a/viola/security/sudo-rs.nix b/viola/security/sudo-rs.nix index 772460d..4f270c9 100644 --- a/viola/security/sudo-rs.nix +++ b/viola/security/sudo-rs.nix @@ -1,4 +1,4 @@ -{...}: { +_: { security = { sudo-rs = { enable = true; 
diff --git a/viola/services/garage.nix b/viola/services/garage.nix
new file mode 100644
index 0000000..607f265
--- /dev/null
+++ b/viola/services/garage.nix
@@ -0,0 +1,12 @@
+{pkgs, ...}: {
+ services = {
+ garage = {
+ enable = true;
+ package = pkgs.garage;
+ logLevel = "error";
+ settings = {
+ # nope
+ };
+ };
+ };
+}
diff --git a/viola/services/irqbalance.nix b/viola/services/irqbalance.nix
index 2b3b1dd..ee8472e 100644
--- a/viola/services/irqbalance.nix
+++ b/viola/services/irqbalance.nix
@@ -1,4 +1,4 @@
-{...}: {
+_: {
 services = {
 irqbalance = {
 enable = true;
diff --git a/viola/services/libinput.nix b/viola/services/libinput.nix
index d859d7f..23c2953 100644
--- a/viola/services/libinput.nix
+++ b/viola/services/libinput.nix
@@ -1,4 +1,4 @@
-{...}: {
+_: {
 services = {
 libinput = {
 enable = true;
diff --git a/viola/services/netbird.nix b/viola/services/netbird.nix
index 071330a..f375f14 100644
--- a/viola/services/netbird.nix
+++ b/viola/services/netbird.nix
@@ -1,4 +1,4 @@
-{...}: {
+_: {
 services = {
 netbird = {
 enable = true;
diff --git a/viola/services/pipewire.nix b/viola/services/pipewire.nix
index c4bad1e..37c7c5f 100644
--- a/viola/services/pipewire.nix
+++ b/viola/services/pipewire.nix
@@ -1,4 +1,4 @@
-{...}: {
+_: {
 services = {
 pipewire = {
 enable = true;
diff --git a/viola/services/postgresql.nix b/viola/services/postgresql.nix
new file mode 100644
index 0000000..6dda386
--- /dev/null
+++ b/viola/services/postgresql.nix
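Review bot: `settings = { # nope };` leaves Garage without an `rpc_secret`/`rpc_secret_file` and without a replication setting, both of which Garage requires to start, so this module enables a daemon that will fail at boot as committed. If the values were stripped for publication, the RPC secret should arrive through `services.garage.environmentFile` (as `GARAGE_RPC_SECRET`) or an `rpc_secret_file` path, never as a literal in `settings`, which is rendered into the world-readable Nix store. Stalwart's `storage.blob = "s3"` in this commit presumably points at this instance, so its bucket credentials need the same treatment.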
@@ -0,0 +1,56 @@
+{pkgs, ...}: {
+ services = {
+ postgresql = {
+ enable = true;
+ enableTCPIP = true;
+ checkConfig = true;
+
+ ensureUsers = [
+ {
+ name = "forgejo";
+ ensureDBOwnership = true;
+ }
+
+ {
+ name = "vaultwarden";
+ ensureDBOwnership = true;
+ }
+
+ {
+ name = "woodpecker";
+ ensureDBOwnership = true;
+ }
+
+ {
+ name = "zitadel";
+ ensureDBOwnership = true;
+ ensureClauses = {
+ login = true;
+ superuser = true;
+ };
+ }
+
+ {
+ name = "stalwart";
+ ensureDBOwnership = true;
+ }
+ ];
+
+ ensureDatabases = [
+ "vaultwarden"
+ "forgejo"
+ "woodpecker"
+ "stalwart"
+ "zitadel"
+ ];
+
+ initialScript = ""; # nope
+
+ authentication = ""; #nope
+
+ settings = {
+ port = ${dbport};
+ };
+ };
+ };
+}
diff --git a/viola/services/redis.nix b/viola/services/redis.nix
new file mode 100644
index 0000000..976a98a
--- /dev/null
+++ b/viola/services/redis.nix
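Review bot: `port = ${dbport};` is not valid Nix — `${…}` interpolation exists only inside strings and attribute names, and `dbport` is not bound — so this module will not evaluate as committed; the same pattern appears in redis.nix (`${cacheportN}`, `${cachepassN}`), stalwart.nix (`${mail_secret}`) and woodpecker.nix (`${pqsql_socket}`, `${ciportN}`, `${cisecretN}`). If these stand in for values pulled from the sops secrets that default.nix imports, the file-based options of each module should be used wherever a password is involved, because any value that reaches a `.nix` attribute ends up in the world-readable store. Separately, the `zitadel` role is created with `superuser = true;`: a cluster-wide superuser can read every other service's database (forgejo, vaultwarden, woodpecker, stalwart) and reach the host filesystem through server-side functions, so grant only what Zitadel's setup needs — `createdb = true;` / `createrole = true;`, or run its one-time migration as an admin — and keep the service role unprivileged. `initialScript = "";` is also likely to fail the option's path type check; use `null` or drop the line, and `pkgs` in the lambda head is unused after the rest of this commit switched such files to `_:`.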
@@ -0,0 +1,152 @@
+{pkgs, ...}: {
+ services = {
+ redis = {
+ package = pkgs.valkey;
+ servers = {
+ "forgejo" = {
+ enable = true;
+ port = ${cacheport1};
+ logLevel = "warning";
+ databases = 16;
+ maxclients = 10000;
+ requirePass = ${cachepass1};
+
+ settings = {
+ stop-writes-on-bgsave-error = "yes";
+ rdbcompression = "yes";
+ rdbchecksum = "yes";
+
+ maxmemory = "1GB";
+ maxmemory-policy = "volatile-lru";
+ maxmemory-samples = 3;
+ };
+
+ save = [
+ [
+ 900
+ 1
+ ]
+
+ [
+ 300
+ 10
+ ]
+
+ [
+ 60
+ 1000
+ ]
+ ];
+ };
+
+ "woodpecker" = {
+ enable = false;
+ port = ${cacheport2};
+ logLevel = "warning";
+ databases = 16;
+ maxclients = 10000;
+ requirePass = ${cachepass2};
+
+ settings = {
+ stop-writes-on-bgsave-error = "yes";
+ rdbcompression = "yes";
+ rdbchecksum = "yes";
+
+ maxmemory = "1GB";
+ maxmemory-policy = "volatile-lru";
+ maxmemory-samples = 3;
+ };
+
+ save = [
+ [
+ 900
+ 1
+ ]
+
+ [
+ 300
+ 10
+ ]
+
+ [
+ 60
+ 1000
+ ]
+ ];
+ };
+
+ "stalwart" = {
+ enable = true;
+ port = ${cacheport3};
+ logLevel = "warning";
+ databases = 16;
+ maxclients = 10000;
+ requirePass = ${cachepass3};
+
+ settings = {
+ stop-writes-on-bgsave-error = "yes";
+ rdbcompression = "yes";
+ rdbchecksum = "yes";
+
+ maxmemory = "1GB";
+ maxmemory-policy = "volatile-lru";
+ maxmemory-samples = 3;
+ };
+
+ save = [
+ [
+ 900
+ 1
+ ]
+
+ [
+ 300
+ 10
+ ]
+
+ [
+ 60
+ 1000
+ ]
+ ];
+ };
+
+ "zitadel" = {
+ enable = true;
+ port = ${cacheport4};
+ logLevel = "warning";
+ databases = 16;
+ maxclients = 10000;
+ requirePass = ${cachepass4};
+
+ settings = {
+ stop-writes-on-bgsave-error = "yes";
+ rdbcompression = "yes";
+ rdbchecksum = "yes";
+
+ maxmemory = "1GB";
+ maxmemory-policy = "volatile-lru";
+ maxmemory-samples = 3;
+ };
+
+ save = [
+ [
+ 900
+ 1
+ ]
+
+ [
+ 300
+ 10
+ ]
+
+ [
+ 60
+ 1000
+ ]
+ ];
+ };
+ };
+ };
+ };
+}
diff --git a/viola/services/scx.nix b/viola/services/scx.nix
index a60071f..9e4e423 100644
--- a/viola/services/scx.nix
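Review bot: `requirePass = ${cachepassN};` in all four server blocks writes each Valkey password into the generated config under `/nix/store`, which every local user can read; the module's `requirePassFile` option exists for exactly this case, so point it at the sops-managed file and drop `requirePass`. Beyond that, the four blocks differ only in name, port, password and `enable`, so a small `mkServer` helper keeps the shared settings from drifting — sketched below with clearly marked placeholder values. The `${…}` interpolations themselves are not valid Nix outside a string and will need real expressions before this file evaluates.
```nix
{pkgs, ...}: let
  mkServer = {
    port,
    passFile,
    enable ? true,
  }: {
    inherit enable port;
    requirePassFile = passFile;
    logLevel = "warning";
    databases = 16;
    maxclients = 10000;
    # … unchanged: settings = { stop-writes-on-bgsave-error … maxmemory-samples } …
    save = [ [900 1] [300 10] [60 1000] ];
  };
in {
  services.redis = {
    package = pkgs.valkey;
    servers = {
      # placeholder port/path values — substitute the real ones
      "forgejo" = mkServer { port = 0; passFile = "/PLACEHOLDER/forgejo-valkey-pass"; };
      "woodpecker" = mkServer { enable = false; port = 0; passFile = "/PLACEHOLDER/woodpecker-valkey-pass"; };
      # … "stalwart" and "zitadel" likewise …
    };
  };
}
```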
+++ b/viola/services/scx.nix
@@ -1,8 +1,7 @@
-{...}: {
+_: {
 services = {
 scx = {
 enable = true;
- # package = pkgs.scx_git.full;
 scheduler = "scx_lavd";
 };
 };
diff --git a/viola/services/stalwart.nix b/viola/services/stalwart.nix
new file mode 100644
index 0000000..37e5f91
--- /dev/null
+++ b/viola/services/stalwart.nix
@@ -0,0 +1,135 @@
+_: {
+ services = {
+ stalwart-mail = {
+ enable = true;
+ settings = {
+ acme = {
+ "cloudflare" = {
+ default = true;
+ challenge = "dns-01";
+ provider = "cloudflare";
+ origin = "hand7s.org";
+ secret = ${mail_secret};
+ contact = [
+ "me@hand7s.org"
+ ];
+
+ email = "me@hand7s.org";
+ directory = "https://acme-staging-v02.api.letsencrypt.org/directory";
+ domains = [
+ "mail.hand7s.org"
+ ];
+ };
+ };
+
+ server = {
+ hostname = "mail.hand7s.org";
+
+ proxy = {
+ trusted-networks = [
+ "::1"
+ "100.109.213.170/16"
+ ];
+ };
+
+ listener = {
+ "lmtp" = {
+ bind = "[::]:24";
+ protocol = "lmtp";
+ };
+
+ "smtp" = {
+ bind = "[::]:25";
+ protocol = "smtp";
+ };
+
+ "pop3" = {
+ bind = "[::]:110";
+ protocol = "pop3";
+ };
+
+ "imap" = {
+ bind = "[::]:143";
+ protocol = "imap";
+ };
+
+ "submissions" = {
+ bind = "[::]:465";
+ protocol = "smtp";
+ };
+
+ "submission" = {
+ bind = "[::]:587";
+ protocol = "smtp";
+ };
+
+ "imaptls" = {
+ bind = "[::]:993";
+ protocol = "smtp";
+ };
+
+ "pop3s" = {
+ bind = "[::]:995";
+ protocol = "pop3";
+ };
+
+ "sieve" = {
+ bind = "[::]:4190";
+ protocol = "managesieve";
+ };
+
+ "management" = {
+ protocol = "http";
+ bind = [
+ "127.0.0.1:8980"
+ ];
+ };
+ };
+ };
+
+ lookup = {
+ default = {
+ hostname = "mail.hand7s.org";
+ domain = "hand7s.org";
+ };
+ };
+
+ storage = {
+ data = "postgresql";
+ blob = "s3";
+ fts = "postgresql";
+ lookup = "redis";
+ };
+
+ store = {
+ # nope
+ # i'm not redacting my main config
+ # here to show it here
+ # refer to stalwart mail
+ # ty
+ };
+
+ authentication = {
+ fallback-admin = {
+ user = "admin";
+ secret = "admin";
+ };
+ };
+
+ tracer = {
+ journal = {
+ enable = true;
+ type = "journal";
+ level = "debug";
+ };
+
+ console = {
+ enable = true;
+ type = "console";
+ level = "trace";
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/viola/services/vaultwarden.nix b/viola/services/vaultwarden.nix
new file mode 100644
index 0000000..cddc3d6
--- /dev/null
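Review bot: `"imaptls"` binds `[::]:993` with `protocol = "smtp";` — 993 is IMAPS, so this should be `protocol = "imap";` (compare `"pop3s"`, which correctly keeps `pop3`), and if I read Stalwart's listener schema right the implicit-TLS ports 465/993/995 also need `tls.implicit = true;` or clients expecting TLS on connect will fail. `fallback-admin = { user = "admin"; secret = "admin"; };` is a hard-coded default credential for the management API, tolerable only because the listener sits on `127.0.0.1:8980` — yet firewall.nix in this commit opens 8980 anyway; the secret should come from a file-backed value (Stalwart accepts `%{file:…}%` macros in settings) and the fallback account should be removed once a real administrator exists. `"lmtp" = { bind = "[::]:24"; … };` listens on every interface and firewall.nix opens 24 to the world; LMTP performs no authentication, so bind it to loopback or to the delivering MTA's address only. `directory = "https://acme-staging-v02.api.letsencrypt.org/directory"` obtains certificates from the Let's Encrypt staging CA, which no mail client trusts — fine for a dry run, but it must be the production directory before the listeners go live. `proxy.trusted-networks` whitelists `"100.109.213.170/16"`, i.e. all of 100.109.0.0/16, so every host in that range may assert arbitrary client addresses via PROXY protocol; narrow it to the actual proxy's address.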
+++ b/viola/services/vaultwarden.nix
@@ -0,0 +1,12 @@
+_: {
+ services = {
+ vaultwarden = {
+ enable = true;
+ dbBackend = "postgresql";
+ config = {
+ # holy private thing
+ # im NOT sharing it here
+ };
+ };
+ };
+}
diff --git a/viola/services/woodpecker.nix b/viola/services/woodpecker.nix
new file mode 100644
index 0000000..c9a69e0
--- /dev/null
+++ b/viola/services/woodpecker.nix
@@ -0,0 +1,20 @@
+_: {
+ services = {
+ woodpecker-server = {
+ enable = false;
+ environment = {
+ WOODPECKER_OPEN = "true";
+ WOODPECKER_DATABASE_DRIVER = "postgres";
+ WOODPECKER_DATABASE_DATASOURCE = ${pqsql_socket};
+ WOODPECKER_SERVER_ADDR = ${ciport1};
+ WOODPECKER_GRPC_ADDR = ${ciport1};
+ WOODPECKER_HOST = "https://cicd.hand7s.org";
+
+ WOODPECKER_FORGEJO = "true";
+ WOODPECKER_FORGEJO_URL = "https://git.hand7s.org";
+ WOODPECKER_FORGEJO_CLIENT = ${cisecret1};
+ FORGEJO_SECRET = ${cisecret2};
+ };
+ };
+ };
+}
diff --git a/viola/services/zapret.nix b/viola/services/zapret.nix
deleted file mode 100644
index ad671e1..0000000
--- a/viola/services/zapret.nix
+++ /dev/null
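Review bot: `config = { # holy private thing … };` is an empty placeholder, so as committed this enables Vaultwarden with its own defaults, which include open sign-ups and no admin token. When the real values return, keep `ADMIN_TOKEN`, any `SMTP_PASSWORD` and the `DATABASE_URL` credentials in `services.vaultwarden.environmentFile` rather than in `config`, because `config` is rendered into the Nix store and readable by every local user. `dbBackend = "postgresql";` does line up with the `vaultwarden` role and database that postgresql.nix in this commit creates.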
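Review bot: `FORGEJO_SECRET = ${cisecret2};` uses the wrong variable name — Woodpecker reads the Forgejo OAuth client secret from `WOODPECKER_FORGEJO_SECRET`, so as written the login flow would fail with the secret silently ignored. `WOODPECKER_SERVER_ADDR` and `WOODPECKER_GRPC_ADDR` are both set to `${ciport1}`, but they are two distinct listeners (HTTP and gRPC) and cannot share one address:port. Both secrets (`${cisecret1}`, `${cisecret2}`) and the database DSN belong in `services.woodpecker-server.environmentFile`, not in `environment`, which is written to the world-readable store. `WOODPECKER_OPEN = "true";` lets anyone with an account on git.hand7s.org register as a CI user; unless Forgejo registration is closed, set it to `"false"` and admit users via `WOODPECKER_ADMIN`. None of this is live yet since `enable = false;`, but it will bite on the flip.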
@@ -1,145 +0,0 @@ -{...}: { - services = { - zapret = { - enable = true; - configureFirewall = true; - qnum = 350; - params = [ - "--wssize 1:6" - - "--filter-tcp=80" - "--dpi-desync=multisplit" - "--dpi-desync-split-pos=10" - "--dpi-desync-repeats=6" - "--new" - - "--filter-tcp=443" - "--dpi-desync=multidisorder" - "--dpi-desync-split-pos=1,midsld" - "--new" - - "--filter-tcp=443" - "--dpi-desync=syndata" - "--dpi-desync-fake-syndata=0x00000000" - "--dpi-desync-ttl=10" - "--new" - - "--filter-udp=443" - "--dpi-desync=fake" - "--dpi-desync-repeats=6" - "--dpi-desync-fake-quic=0x00000000" - "--new" - - "--filter-udp=443" - "--dpi-desync=fake,udplen" - "--dpi-desync-udplen-increment=5" - "--dpi-desync-fake-tls=0x00000000" - "--dpi-desync-cutoff=n3" - "--dpi-desync-repeats=2" - "--new" - - "--filter-tcp=443" - "--dpi-desync=split" - "--dpi-desync-fooling=md5sig,badseq" - "--dpi-desync-fake-tls=0x00000000" - "--dpi-desync-split-pos=1" - "--dpi-desync-repeats=10" - "--new" - - "--filter-tcp=443" - "--dpi-desync=fake,split2" - "--dpi-desync-fooling=md5sig" - "--dpi-desync-fake-tls=0x00000000" - "--dpi-desync-split-seqovl=2" - "--dpi-desync-split-pos=2" - - "--dpi-desync-autottl" - "--new" - "--filter-tcp=443" - "--dpi-desync=fake,split2" - "--dpi-desync-fooling=md5sig" - "--dpi-desync-fake-tls=0x00000000" - "--dpi-desync-split-seqovl=2" - "--dpi-desync-split-pos=2" - "--dpi-desync-autottl" - "--new" - - "--filter-tcp=80" - "--dpi-desync=fake,split2" - "--dpi-desync-fooling=md5sig" - "--dpi-desync-fake-tls=0x00000000" - "--dpi-desync-autottl" - "--new" - - "--filter-tcp=80" - "--dpi-desync-ttl=1" - "--dpi-desync-autottl=2" - "--dpi-desync-fake-tls=0x00000000" - "--dpi-desync-split-pos=1" - "--dpi-desync=fake,split2" - "--dpi-desync-repeats=6" - "--dpi-desync-fooling=md5sig" - "--new" - ]; - - whitelist = [ - "googlevideo.com" - "youtu.be" - "youtube.com" - "youtubei.googleapis.com" - "googlevideo.com" - "youtu.be" - "youtube.com" - "youtubei.googleapis.com" - 
"youtubeembeddedplayer.googleapis.com" - "ytimg.l.google.com" - "ytimg.com" - "jnn-pa.googleapis.com" - "youtube-nocookie.com" - "youtube-ui.l.google.com" - "yt-video-upload.l.google.com" - "wide-youtube.l.google.com" - "youtubekids.com" - "ggpht.com" - "music.youtube.com" - "test.googlevideo.com" - "discord.com" - "gateway.discord.gg" - "cdn.discordapp.com" - "discordapp.net" - "discordapp.com" - "discord.gg" - "media.discordapp.net" - "images-ext-1.discordapp.net" - "discord.app" - "discord.media" - "discordcdn.com" - "discord.dev" - "discord.new" - "discord.gift" - "discordstatus.com" - "dis.gd" - "discord.co" - "discord-attachments-uploads-prd.storage.googleapis.com" - "7tv.app" - "7tv.io" - "10tv.app" - "x.com" - "t.co" - "ads-twitter.com" - "twimg.com" - "twitter.com" - "pscp.tv" - "twtrdns.net" - "twttr.com" - "periscope.tv" - "tweetdeck.com" - "twitpic.com" - "twitter.co" - "twitterinc.com" - "twitteroauth.com" - "twitterstat.us" - ]; - }; - }; -} diff --git a/viola/services/zerotier.nix b/viola/services/zerotier.nix deleted file mode 100644 index 4d032aa..0000000 --- a/viola/services/zerotier.nix +++ /dev/null @@ -1,10 +0,0 @@ -{...}: { - services = { - zerotierone = { - enable = false; - joinNetworks = [ - # nope - ]; - }; - }; -} diff --git a/viola/systemd/oomd.nix b/viola/systemd/oomd.nix index cbd28f2..bb9a200 100644 --- a/viola/systemd/oomd.nix +++ b/viola/systemd/oomd.nix @@ -1,4 +1,4 @@ -{...}: { +_: { systemd = { oomd = { enable = true; diff --git a/viola/systemd/slices/root-slice.nix b/viola/systemd/slices/root-slice.nix index 118ca0b..6a386e9 100644 --- a/viola/systemd/slices/root-slice.nix +++ b/viola/systemd/slices/root-slice.nix @@ -1,4 +1,4 @@ -{...}: { +_: { systemd = { slices = { root = { diff --git a/viola/systemd/slices/system-slice.nix b/viola/systemd/slices/system-slice.nix index 148f19b..4de4bba 100644 --- a/viola/systemd/slices/system-slice.nix +++ b/viola/systemd/slices/system-slice.nix 
@@ -1,4 +1,4 @@ -{...}: { +_: { systemd = { slices = { system = { diff --git a/viola/systemd/slices/user-slice.nix b/viola/systemd/slices/user-slice.nix index 21d74d8..311e668 100644 --- a/viola/systemd/slices/user-slice.nix +++ b/viola/systemd/slices/user-slice.nix @@ -1,4 +1,4 @@ -{...}: { +_: { systemd = { slices = { user = { diff --git a/viola/time/timeZone.nix b/viola/time/timeZone.nix index 57bca35..cef1656 100644 --- a/viola/time/timeZone.nix +++ b/viola/time/timeZone.nix @@ -1,4 +1,4 @@ -{...}: { +_: { time = { timeZone = "Europe/Moscow"; hardwareClockInLocalTime = true; diff --git a/viola/users/mutableUsers.nix b/viola/users/mutableUsers.nix index 54415f1..9bb56d0 100644 --- a/viola/users/mutableUsers.nix +++ b/viola/users/mutableUsers.nix @@ -1,4 +1,4 @@ -{...}: { +_: { users = { mutableUsers = false; }; diff --git a/viola/users/users/hand7s.nix b/viola/users/users/hand7s.nix index 8c0df47..141b5a3 100644 --- a/viola/users/users/hand7s.nix +++ b/viola/users/users/hand7s.nix @@ -1,14 +1,13 @@ -{...}: { +_: { users = { users = { - hand7s = { + "hand7s" = { description = "me"; isSystemUser = false; isNormalUser = true; initialHashedPassword = "$6$ckgRhNWmJgSwOUpJ$kfeAdokd5fa76HWbTmWN2YXx4M/PQVOTJku1ODbqbBhEkUFiLftdaJFRnNXfIM3Jtz0ShoRMSVCB7mDkxDrdi/"; extraGroups = [ "wheel" - "networkmanager" "docker" ]; }; diff --git a/viola/users/users/root.nix b/viola/users/users/root.nix index 595a6f6..faa89b7 100644 --- a/viola/users/users/root.nix +++ b/viola/users/users/root.nix @@ -1,7 +1,7 @@ -{...}: { +_: { users = { users = { - root = { + "root" = { initialHashedPassword = "$6$n4OLMvYHHStHvtmr$6OL0NV1dEM2b6oJRewkhuoFxM80lI67tfbJ6QkCg8WAA1gbeKrcwDAuJjm8zvpY4zcDR3Z5Zbo8uebfOi6XXF0"; }; }; diff --git a/viola/virtualisation/docker.nix b/viola/virtualisation/docker.nix index 1edae88..805ac30 100644 --- a/viola/virtualisation/docker.nix +++ b/viola/virtualisation/docker.nix @@ -1,4 +1,4 @@ -{...}: { +_: { virtualisation = { docker = { enable = true;