about summary refs log tree commit diff
diff options
context:
space:
mode:
authorAzat Bahawi <azat@bahawi.net>2023-05-06 18:55:06 +0300
committerAzat Bahawi <azat@bahawi.net>2023-05-06 18:55:06 +0300
commit8f7371998f813857f25afef4160075665f924ab7 (patch)
tree7bffc723cbed32ab8aacae2feaf60de039bd3ff3
parent2023-05-04 (diff)
2023-05-06
Diffstat (limited to '')
-rw-r--r--flake.lock42
-rw-r--r--modules/common/common/nix/default.nix7
-rw-r--r--modules/darwin/common/nix.nix2
-rw-r--r--modules/nixos/common/security.nix2
-rw-r--r--modules/nixos/common/xdg.nix5
-rw-r--r--modules/nixos/matrix/dendrite.nix14
-rw-r--r--modules/nixos/matrix/synapse.nix14
-rw-r--r--modules/nixos/nsd.nix58
-rw-r--r--modules/nixos/sound.nix4
-rw-r--r--nixosConfigurations/eonwe/default.nix7
-rw-r--r--nixosConfigurations/manwe/webserver.nix35
11 files changed, 119 insertions, 71 deletions
diff --git a/flake.lock b/flake.lock
index 3ed97db..176bdc8 100644
--- a/flake.lock
+++ b/flake.lock
@@ -240,11 +240,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1682779989,
-        "narHash": "sha256-H8AjcIBYFYrlRobYJ+n1B+ZJ6TsaaeZpuLn4iRqVvr4=",
+        "lastModified": 1683221986,
+        "narHash": "sha256-n688GK4wO2pZpI4gHOxj/PF85bzUMPEJ8B3Wd3cHSjk=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "3144311f31194b537808ae6848f86f3dbf977d59",
+        "rev": "f3824311a16cbe70dbaeedc17a97dfcd11901c3f",
         "type": "github"
       },
       "original": {
@@ -296,11 +296,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1682645728,
-        "narHash": "sha256-ZntcUOTbkw7klRK5kRPIJOp8bB9785CXKPt5eW2X4cc=",
+        "lastModified": 1683163598,
+        "narHash": "sha256-1mbFzocbp6qTMTZtgylIUKKBxQAvRfZN18l4zft5KSg=",
         "owner": "Infinidoge",
         "repo": "nix-minecraft",
-        "rev": "699ed72b94864505a38c97de3015bdfb992e1f84",
+        "rev": "400056c5694a7ce5b7a97e446b64dee44c48d01c",
         "type": "github"
       },
       "original": {
@@ -312,11 +312,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1682836095,
-        "narHash": "sha256-PdzpJhuXBz71AgWNWMMYLbB8GMMce6QguhQY/6HOOcc=",
+        "lastModified": 1683009613,
+        "narHash": "sha256-jJh8JaoHOLlk7iFLgZk1PlxCCNA2KTKfOLMLCa9mduA=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "e4a21ddcb45ee5f5c85a5d9e9698debf77fb98c3",
+        "rev": "7dc46304675f4ff2d6be921ef60883efd31363c4",
         "type": "github"
       },
       "original": {
@@ -328,11 +328,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1682809678,
-        "narHash": "sha256-jqR8t82mWotOSgnWZvr6xXCO/tc3fCPTLMPvI7Jo5rA=",
+        "lastModified": 1683205728,
+        "narHash": "sha256-WF63FGzW3F3MHsUYkqbPyXrJgNR+gNOMAZDNoP5LYWE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "3dcff817eebb7e4afc4e9eae0ce6f722f4d9e399",
+        "rev": "f73acb5733244d0740c8181af30a58912427f5c6",
         "type": "github"
       },
       "original": {
@@ -344,11 +344,11 @@
     },
     "nixpkgs-master": {
       "locked": {
-        "lastModified": 1682883825,
-        "narHash": "sha256-JJeaDa6bOxf1AcW5ZvTs9skJzMz7uPRPRvDCNdDDflo=",
+        "lastModified": 1683236789,
+        "narHash": "sha256-BvCGBja7mzUqhbueGsGOyBlKPsnaVoA+HHmLkE6/QKs=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "9d27bdd3b5d88ec2c1674fd9b93cf6b6751776ff",
+        "rev": "bbccd7d90372f5042b404ea74ead61d7df124384",
         "type": "github"
       },
       "original": {
@@ -360,11 +360,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1682858021,
-        "narHash": "sha256-tMZILw7wABxSRUcJNrwLmBJ7h8+Bf4eyVGXLUyoZIr4=",
+        "lastModified": 1683207485,
+        "narHash": "sha256-gs+PHt/y/XQB7S8+YyBLAM8LjgYpPZUVFQBwpFSmJro=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "923f835a6c8eadb655c08370ade5c42990e790cd",
+        "rev": "cc45a3f8c98e1c33ca996e3504adefbf660a72d1",
         "type": "github"
       },
       "original": {
@@ -410,11 +410,11 @@
     },
     "nur": {
       "locked": {
-        "lastModified": 1682879890,
-        "narHash": "sha256-gnNDKsgsLX0dxumLDTuFylSRVvscErxRa0425gUk5Xk=",
+        "lastModified": 1683236736,
+        "narHash": "sha256-ruEH8oO2WLlZI8CSrKPmMbIFNO4/oEGeBwyTyszhw5Y=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "57e8229760e718f670cd7b359b509246e6d734ab",
+        "rev": "ee7b5b05842c7db8688a3a21f7c10e2eb8762882",
         "type": "github"
       },
       "original": {
diff --git a/modules/common/common/nix/default.nix b/modules/common/common/nix/default.nix
index 723a2b8..0c49034 100644
--- a/modules/common/common/nix/default.nix
+++ b/modules/common/common/nix/default.nix
@@ -4,7 +4,7 @@
   lib,
   localUsername ? lib.my.username,
   pkgs,
-  pkgsPR,
+  pkgsPr,
   this,
   ...
 }:
@@ -25,7 +25,7 @@ with lib; {
         repo = "nixpkgs";
         inherit rev hash;
       });
-    pkgsPR = pr: pkgsRev "refs/pull/${toString pr}/head";
+    pkgsPr = pr: pkgsRev "refs/pull/${toString pr}/head";
   };
 
   nix = let
@@ -38,6 +38,7 @@ with lib; {
         "flakes"
         "nix-command"
         "recursive-nix"
+        "repl-flake"
       ];
       keep-derivations =
         if this.isHeadful
@@ -115,7 +116,7 @@ with lib; {
             ]);
         });
 
-        inherit (pkgsPR "228852" "sha256-NKZySJ3IVMMeSmpc1zYwse52kxGg0dIrsHTMcO8a73Y=") soju;
+        inherit (pkgsPr "228852" "sha256-NKZySJ3IVMMeSmpc1zYwse52kxGg0dIrsHTMcO8a73Y=") soju;
       }
       // (with super; let
         np = nodePackages;
diff --git a/modules/darwin/common/nix.nix b/modules/darwin/common/nix.nix
index 2b39e7d..b291d11 100644
--- a/modules/darwin/common/nix.nix
+++ b/modules/darwin/common/nix.nix
@@ -23,7 +23,7 @@ with lib; {
         repo = "nixpkgs";
         inherit rev hash;
       });
-    pkgsPRx86 = pr: pkgsRevx86 "refs/pull/${toString pr}/head";
+    pkgsPrx86 = pr: pkgsRevx86 "refs/pull/${toString pr}/head";
   };
 
   nix = {
diff --git a/modules/nixos/common/security.nix b/modules/nixos/common/security.nix
index 7a3d3b3..2272e12 100644
--- a/modules/nixos/common/security.nix
+++ b/modules/nixos/common/security.nix
@@ -25,5 +25,7 @@ with lib; {
         });
       '';
     };
+
+    rtkit.enable = true;
   };
 }
diff --git a/modules/nixos/common/xdg.nix b/modules/nixos/common/xdg.nix
index 8ddf1ac..d74bf82 100644
--- a/modules/nixos/common/xdg.nix
+++ b/modules/nixos/common/xdg.nix
@@ -15,6 +15,11 @@ with lib; {
     (mkAliasOptionModule ["userDirs"] (withBase "userDirs"))
   ];
 
+  xdg.portal = mkIf this.isHeadful {
+    enable = true;
+    xdgOpenUsePortal = true;
+  };
+
   hm.xdg = mkMerge [
     {
       enable = true;
diff --git a/modules/nixos/matrix/dendrite.nix b/modules/nixos/matrix/dendrite.nix
index bd19f8b..d9c4914 100644
--- a/modules/nixos/matrix/dendrite.nix
+++ b/modules/nixos/matrix/dendrite.nix
@@ -52,20 +52,18 @@ in {
               extraConfig = ''
                 add_header Content-Type application/json;
               '';
-              return = "200 '${
-                generators.toJSON {} {"m.server" = "${cfg.domain}:443";}
-              }'";
+              return = "200 '${generators.toJSON {} {
+                "m.server" = "${cfg.domain}:443";
+              }}'";
             };
             "= /.well-known/matrix/client" = {
               extraConfig = ''
                 add_header Content-Type application/json;
                 add_header Access-Control-Allow-Origin *;
               '';
-              return = "200 '${
-                generators.toJSON {} {
-                  "m.homeserver".base_url = "https://${cfg.domain}";
-                }
-              }'";
+              return = "200 '${generators.toJSON {} {
+                "m.homeserver".base_url = "https://${cfg.domain}";
+              }}'";
             };
           };
         };
diff --git a/modules/nixos/matrix/synapse.nix b/modules/nixos/matrix/synapse.nix
index a74ebb4..40595a0 100644
--- a/modules/nixos/matrix/synapse.nix
+++ b/modules/nixos/matrix/synapse.nix
@@ -33,20 +33,18 @@ in {
               extraConfig = ''
                 add_header Content-Type application/json;
               '';
-              return = "200 '${
-                generators.toJSON {} {"m.server" = "${cfg.domain}:443";}
-              }'";
+              return = "200 '${generators.toJSON {} {
+                "m.server" = "${cfg.domain}:443";
+              }}'";
             };
             "= /.well-known/matrix/client" = {
               extraConfig = ''
                 add_header Content-Type application/json;
                 add_header Access-Control-Allow-Origin *;
               '';
-              return = "200 '${
-                generators.toJSON {} {
-                  "m.homeserver".base_url = "https://${cfg.domain}";
-                }
-              }'";
+              return = "200 '${generators.toJSON {} {
+                "m.homeserver".base_url = "https://${cfg.domain}";
+              }}'";
             };
           };
         };
diff --git a/modules/nixos/nsd.nix b/modules/nixos/nsd.nix
index 255c787..f8d9e4b 100644
--- a/modules/nixos/nsd.nix
+++ b/modules/nixos/nsd.nix
@@ -19,6 +19,27 @@ in {
   };
 
   config = mkIf cfg.enable {
+    nixfiles.modules.nginx = let
+      domain = my.domain.shire;
+    in {
+      enable = true;
+      virtualHosts = mapAttrs' (_: v:
+        nameValuePair "mta-sts.${v}" {
+          locations."= /.well-known/mta-sts.txt" = {
+            extraConfig = ''
+              add_header default_type text/plain;
+            '';
+            return = "200 '${concatStringsSep "\\r\\n" [
+              "version: STSv1"
+              "mode: enforce"
+              "max_age: 2419200"
+              "mx: ${domain}"
+            ]}'";
+          };
+        })
+      my.domain;
+    };
+
     services = {
       nsd = {
         enable = true;
@@ -40,8 +61,8 @@ in {
               domain ? my.domain.shire,
               dkimKey ? null,
             }: {
-              MX = [(mx.mx 10 "${domain}.")];
-              TXT = [(spf.strict ["a" "mx"])];
+              MX = [(mx.mx 10 "${my.domain.shire}.")];
+              TXT = [(spf.soft ["a"])];
               DMARC = [
                 {
                   p = "quarantine";
@@ -54,6 +75,7 @@ in {
                 selector = "mail";
                 p = dkimKey;
               };
+              subdomains._mta-sts.TXT = ["v=STSv1; id=20230506134541Z"];
             };
 
             mkZone = {
@@ -88,10 +110,11 @@ in {
             ariadneIdProof.TXT = ["openpgp4fpr:${my.pgp.fingerprint}"];
           in
             mkMerge [
-              (mkZone {
+              (mkZone rec {
                 domain = my.domain.shire;
                 extra = mkMerge [
                   (mkEmailEntries {
+                    inherit domain;
                     dkimKey = "@DKIM_KEY@";
                   })
                   {
@@ -103,6 +126,8 @@ in {
                       yavanna = ips "yavanna";
                       "*.yavanna" = yavanna;
 
+                      mta-sts = manwe;
+
                       ns1 = manwe;
                       # ns2 = varda;
 
@@ -124,37 +149,52 @@ in {
                   }
                 ];
               })
-              (mkZone {
+              (mkZone rec {
                 domain = my.domain.azahi;
                 extra = mkMerge [
                   (mkEmailEntries {
+                    inherit domain;
                     dkimKey = "@DKIM_KEY@";
                   })
                   ariadneIdProof
                   {
-                    subdomains.git = ips "manwe";
+                    subdomains = {
+                      mta-sts = ips "manwe";
+
+                      git = ips "manwe";
+                    };
                   }
                 ];
               })
-              (mkZone {
+              (mkZone rec {
                 domain = my.domain.gondor;
                 extra = mkMerge [
                   (mkEmailEntries {
+                    inherit domain;
                     dkimKey = "@DKIM_KEY@";
                   })
                   {
-                    subdomains.frodo = ips "manwe" // ariadneIdProof;
+                    subdomains = {
+                      mta-sts = ips "manwe";
+
+                      frodo = ips "manwe" // ariadneIdProof;
+                    };
                   }
                 ];
               })
-              (mkZone {
+              (mkZone rec {
                 domain = my.domain.rohan;
                 extra = mkMerge [
                   (mkEmailEntries {
+                    inherit domain;
                     dkimKey = "@DKIM_KEY@";
                   })
                   {
-                    subdomains.frodo = ips "manwe" // ariadneIdProof;
+                    subdomains = {
+                      mta-sts = ips "manwe";
+
+                      frodo = ips "manwe" // ariadneIdProof;
+                    };
                   }
                 ];
               })
diff --git a/modules/nixos/sound.nix b/modules/nixos/sound.nix
index ae35e44..073d59c 100644
--- a/modules/nixos/sound.nix
+++ b/modules/nixos/sound.nix
@@ -13,8 +13,8 @@ in {
     services.pipewire = {
       enable = true;
 
-      alsa.enable = false;
-      jack.enable = false;
+      alsa.enable = true;
+      jack.enable = true;
       pulse.enable = true;
     };
   };
diff --git a/nixosConfigurations/eonwe/default.nix b/nixosConfigurations/eonwe/default.nix
index 2c53b64..5de3315 100644
--- a/nixosConfigurations/eonwe/default.nix
+++ b/nixosConfigurations/eonwe/default.nix
@@ -16,7 +16,7 @@ with lib; {
 
     games = {
       lutris.enable = true;
-      minecraft.client.enable = true;
+      # minecraft.client.enable = true; # FIXME Build fails.
       steam.enable = true;
       steam-run.quirks.crusaderKings3 = true;
     };
@@ -36,14 +36,12 @@ with lib; {
       burpsuite
       gzdoom
       kdenlive
-      nikto
       obs-studio
       openmw
       openttd
       radeontop
       vcmi
       whatweb
-      zap
     ];
 
     programs = {
@@ -104,6 +102,9 @@ with lib; {
       "clearcpuid=514"
     ];
 
+    # https://wiki.archlinux.org/title/improving_performance#Watchdogs
+    blacklistedKernelModules = ["sp5100_tco"];
+
     # The boot drive is Samsung SSD 980 PRO 2TB.
     initrd.kernelModules = ["nvme"];
 
diff --git a/nixosConfigurations/manwe/webserver.nix b/nixosConfigurations/manwe/webserver.nix
index 4dded7e..f07d545 100644
--- a/nixosConfigurations/manwe/webserver.nix
+++ b/nixosConfigurations/manwe/webserver.nix
@@ -4,20 +4,23 @@
   ...
 }:
 with lib; {
-  nixfiles.modules.nginx.virtualHosts = with my.domain;
-    {
-      ${shire}.locations."/".return = "301 https://www.youtube.com/watch?v=dQw4w9WgXcQ";
-      "git.${shire}".locations."/".return = "301 https://git.${azahi}";
-      "bitwarden.${shire}".locations."/".return = "301 https://vaultwarden.${shire}";
-      ${azahi} = {
-        serverAliases = ["frodo.${gondor}" "frodo.${rohan}"];
-        locations."/".root = inputs.azahi-cc;
-      };
-    }
-    // (let
-      frodo = "301 https://frodo.";
-    in {
-      ${gondor}.locations."/".return = concatStrings [frodo gondor];
-      ${rohan}.locations."/".return = concatStrings [frodo rohan];
-    });
+  nixfiles.modules.nginx = {
+    enable = true;
+    virtualHosts = with my.domain;
+      {
+        ${shire}.locations."/".return = "301 https://www.youtube.com/watch?v=dQw4w9WgXcQ";
+        "git.${shire}".locations."/".return = "301 https://git.${azahi}";
+        "bitwarden.${shire}".locations."/".return = "301 https://vaultwarden.${shire}";
+        ${azahi} = {
+          serverAliases = ["frodo.${gondor}" "frodo.${rohan}"];
+          locations."/".root = inputs.azahi-cc;
+        };
+      }
+      // (let
+        frodo = "301 https://frodo.";
+      in {
+        ${gondor}.locations."/".return = concatStrings [frodo gondor];
+        ${rohan}.locations."/".return = concatStrings [frodo rohan];
+      });
+  };
 }

Consider giving Nix/NixOS a try! <3