author | azahi <azat@bahawi.net> | 2025-02-05 17:18:02 +0300 |
---|---|---|
committer | azahi <azat@bahawi.net> | 2025-02-05 17:18:02 +0300 |
commit | ec25e095a26ad1e4823887a6653132948ebc5f87 (patch) | |
tree | f3d9e02f13515e7c63bc716dc39e193924589bc8 | |
parent | 2025-02-02 (diff) |
2025-02-05
Diffstat (limited to '')
-rw-r--r-- | configurations/eonwe/default.nix | 9 | ||||
-rw-r--r-- | configurations/ilmare/default.nix | 5 | ||||
-rw-r--r-- | flake.lock | 145 | ||||
-rw-r--r-- | flake.nix | 8 | ||||
-rw-r--r-- | modules/acme.nix | 7 | ||||
-rw-r--r-- | modules/common/stylix.nix | 1 | ||||
-rw-r--r-- | modules/firefox/default.nix | 8 | ||||
-rw-r--r-- | modules/kde.nix | 94 | ||||
-rw-r--r-- | modules/matrix/dendrite.nix | 29 | ||||
-rw-r--r-- | modules/matrix/element.nix | 15 | ||||
-rw-r--r-- | modules/nsd.nix | 10 | ||||
-rw-r--r-- | modules/openssh.nix | 1 | ||||
-rw-r--r-- | modules/plausible.nix | 2 | ||||
-rw-r--r-- | modules/profiles/dev/default.nix | 1 | ||||
-rw-r--r-- | modules/searx.nix | 2 | ||||
-rw-r--r-- | modules/unbound-ng.nix | 2 | ||||
-rw-r--r-- | modules/unbound.nix | 121 | ||||
-rw-r--r-- | modules/wireguard.nix | 1 | ||||
-rw-r--r-- | overlays.nix | 3 |
19 files changed, 331 insertions, 133 deletions
diff --git a/configurations/eonwe/default.nix b/configurations/eonwe/default.nix index d9ae2bc..a5cf7e9 100644 --- a/configurations/eonwe/default.nix +++ b/configurations/eonwe/default.nix @@ -154,18 +154,15 @@ with lib; services = { displayManager = { sddm.enable = lib.mkForce false; - ly = { - enable = true; - settings.animation = "matrix"; - }; + ly.enable = true; }; smartd = { enable = true; notifications.mail = { enable = true; - sender = "admin+smartd@${my.domain.shire}"; - recipient = "admin+smartd@${my.domain.shire}"; + sender = "smartd@${my.domain.shire}"; + recipient = "smartd@${my.domain.shire}"; }; }; diff --git a/configurations/ilmare/default.nix b/configurations/ilmare/default.nix index bb89699..6ced115 100644 --- a/configurations/ilmare/default.nix +++ b/configurations/ilmare/default.nix @@ -18,6 +18,11 @@ }; services = { + displayManager = { + sddm.enable = lib.mkForce false; + ly.enable = true; + }; + thinkfan = { enable = true; settings = { diff --git a/flake.lock b/flake.lock index 1c6cbe6..27446a2 100644 --- a/flake.lock +++ b/flake.lock @@ -302,11 +302,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1736143030, - "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=", + "lastModified": 1738453229, + "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de", + "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd", "type": "github" }, "original": { 
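Review bot: The `displayManager` block `sddm.enable = lib.mkForce false; ly.enable = true;` now appears verbatim in both `configurations/eonwe/default.nix` and `configurations/ilmare/default.nix` (second hunk on this line); it would be less drift-prone in a shared headful module, with the per-host file only toggling it. Dropping `settings.animation = "matrix"` on eonwe is presumably intentional, but the commit message does not say so; a one-word note in it would save the next reader a `git log -p`.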
@@ -335,6 +335,24 @@ }, "flake-utils_2": { "inputs": { + "systems": "systems_3" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "inputs": { "systems": [ "stylix", "systems" @@ -480,6 +498,27 @@ "type": "github" } }, + "gomod2nix": { + "inputs": { + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1733668782, + "narHash": "sha256-tPsqU00FhgdFr0JiQUiBMgPVbl1jbPCY5gbFiJycL3I=", + "owner": "nix-community", + "repo": "gomod2nix", + "rev": "514283ec89c39ad0079ff2f3b1437404e4cba608", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "gomod2nix", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -487,11 +526,11 @@ ] }, "locked": { - "lastModified": 1738275749, - "narHash": "sha256-PM+cGduJ05EZ+YXulqAwUFjvfKpPmW080mcuN6R1POw=", + "lastModified": 1738704702, + "narHash": "sha256-aq66AZxs/i4dJNpLF8gQbMg8BFjm92fXjzsuLr7JYYk=", "owner": "nix-community", "repo": "home-manager", - "rev": "a8159195bfaef3c64df75d3b1e6a68d49d392be9", + "rev": "1e47f7101fedd857e561782d00d4cb1f6b69e7df", "type": "github" }, "original": { @@ -585,11 +624,11 @@ ] }, "locked": { - "lastModified": 1738287839, - "narHash": "sha256-Vh060kC/aTX+e8Ru195wo+QySd0z91wJ++JZNSDJxy8=", + "lastModified": 1738547119, + "narHash": "sha256-cc6AfR7W0AavgqA5nHUXRUus4Rr7oPWQNku5nhR4SYs=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "58f1ae4ac2620cbcef912e32b17f9a64fcb372ad", + "rev": "5b93268c80c3300dbec0fbbb2b50f674f84a474a", "type": "github" }, "original": { 
@@ -605,11 +644,11 @@ ] }, "locked": { - "lastModified": 1737861961, - "narHash": "sha256-LIRtMvAwLGb8pBoamzgEF67oKlNPz4LuXiRPVZf+TpE=", + "lastModified": 1738466368, + "narHash": "sha256-PZhUjtvQZOH3PO0EYdTpQvcqkgkq1NkP2A6w9SPHYsk=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "79b7b8eae3243fc5aa9aad34ba6b9bbb2266f523", + "rev": "46a8f5fc9552b776bfc5c5c96ea3bede33f68f52", "type": "github" }, "original": { @@ -647,11 +686,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1737751639, - "narHash": "sha256-ZEbOJ9iT72iwqXsiEMbEa8wWjyFvRA9Ugx8utmYbpz4=", + "lastModified": 1738638143, + "narHash": "sha256-ZYMe4c4OCtIUBn5hx15PEGr0+B1cNEpl2dsaLxwY2W0=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "dfad538f751a5aa5d4436d9781ab27a6128ec9d4", + "rev": "9bdd53f5908453e4d03f395eb1615c3e9a351f70", "type": "github" }, "original": { @@ -662,11 +701,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1738370331, - "narHash": "sha256-AGpeTVt2yBf/uN2dMCnu7pXqkN3AipnoVo5R1Ar5wXU=", + "lastModified": 1738708711, + "narHash": "sha256-W+9SZ9+mrU2HkPOjEOKq+eNAu2yKM7xmk81R6BEAhrs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9d52b7a88651b112d024ba445d176cad032eafe4", + "rev": "6ed2888f9e37c446300c3ac39409dda3d5c30197", "type": "github" }, "original": { 
@@ -708,23 +747,23 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1735774519, - "narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=", + "lastModified": 1738452942, + "narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz" }, "original": { "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz" } }, "nixpkgs-master": { "locked": { - "lastModified": 1738370331, - "narHash": "sha256-AGpeTVt2yBf/uN2dMCnu7pXqkN3AipnoVo5R1Ar5wXU=", + "lastModified": 1738708711, + "narHash": "sha256-W+9SZ9+mrU2HkPOjEOKq+eNAu2yKM7xmk81R6BEAhrs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9d52b7a88651b112d024ba445d176cad032eafe4", + "rev": "6ed2888f9e37c446300c3ac39409dda3d5c30197", "type": "github" }, "original": { @@ -782,6 +821,29 @@ "type": "github" } }, + "plasma-manager": { + "inputs": { + "home-manager": [ + "home-manager" + ], + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1736549395, + "narHash": "sha256-XzwkB62Tt5UYoL1jXiHzgk/qz2fUpGHExcSIbyGTtI0=", + "owner": "nix-community", + "repo": "plasma-manager", + "rev": "a53af7f1514ef4cce8620a9d6a50f238cdedec8b", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "plasma-manager", + "type": "github" + } + }, "root": { "inputs": { "agenix": "agenix", @@ -794,6 +856,7 @@ "flake-parts": "flake-parts", "flake-utils": "flake-utils", "git-hooks": "git-hooks", + "gomod2nix": "gomod2nix", "home-manager": "home-manager", "homelab-svg-assets": "homelab-svg-assets", "impermanence": "impermanence", 
@@ -809,6 +872,7 @@ "nixpkgs-stable": "nixpkgs-stable", "nmap-vulners": "nmap-vulners", "nmap-vulscan": "nmap-vulscan", + "plasma-manager": "plasma-manager", "srvos": "srvos", "stylix": "stylix", "vscode-extensions": "vscode-extensions" @@ -844,7 +908,7 @@ "flake-compat": [ "flake-compat" ], - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils_3", "git-hooks": "git-hooks_2", "gnome-shell": "gnome-shell", "home-manager": [ @@ -853,18 +917,18 @@ "nixpkgs": [ "nixpkgs" ], - "systems": "systems_3", + "systems": "systems_4", "tinted-foot": "tinted-foot", "tinted-kitty": "tinted-kitty", "tinted-tmux": "tinted-tmux", "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1738278499, - "narHash": "sha256-q1SUyXSQ9znHTME53/vPLe+Ga3V1wW3X3gWfa8JsBUM=", + "lastModified": 1738611626, + "narHash": "sha256-IgjqlYPaS8Bg+jc6a691w27XDFhBeM7gkP4eDcR2EBs=", "owner": "danth", "repo": "stylix", - "rev": "b00c9f46ae6c27074d24d2db390f0ac5ebcc329f", + "rev": "d513f59da5856978c363d2f82103f708f4a6024d", "type": "github" }, "original": { @@ -918,6 +982,21 @@ "type": "github" } }, + "systems_4": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "tinted-foot": { "flake": false, "locked": { @@ -997,11 +1076,11 @@ ] }, "locked": { - "lastModified": 1738287944, - "narHash": "sha256-q8pOnhaA95ZZf+CJ4ahScSzt5pbnL7lShFuMwTwiw7I=", + "lastModified": 1738633599, + "narHash": "sha256-EXZoqWNfwBGrlrSNB5Vz5AL+pYc5p8keM35mglYw6j4=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "529e0a84346f34db86ea24203c0b2e975fefb4f2", + "rev": "615f991fb42739207e7f71138e03b1b9bbe45e72", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 3092c23..24d5cb3 100644 --- a/flake.nix 
+++ b/flake.nix @@ -22,6 +22,14 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + plasma-manager = { + url = "github:nix-community/plasma-manager"; + inputs = { + nixpkgs.follows = "nixpkgs"; + home-manager.follows = "home-manager"; + }; + }; + disko = { url = "github:nix-community/disko"; inputs.nixpkgs.follows = "nixpkgs"; diff --git a/modules/acme.nix b/modules/acme.nix index 9a2f3f1..bbaf434 100644 --- a/modules/acme.nix +++ b/modules/acme.nix @@ -21,7 +21,7 @@ in email = mkOption { description = "Email for notifications."; type = with types; str; - default = "admin+acme@${my.domain.shire}"; + default = "hostmaster@${my.domain.shire}"; }; }; @@ -30,10 +30,7 @@ in security.acme = { acceptTerms = true; - defaults = { - inherit (cfg) email; - validMinDays = 60; - }; + defaults = { inherit (cfg) email; }; }; }; } diff --git a/modules/common/stylix.nix b/modules/common/stylix.nix index f17cb4c..4476260 100644 --- a/modules/common/stylix.nix +++ b/modules/common/stylix.nix @@ -40,7 +40,6 @@ with lib; config = { stylix = { enable = this.isHeadful; - autoEnable = this.isHeadful; image = pkgs.fetchurl { url = "https://upload.wikimedia.org/wikipedia/commons/a/a5/Bonaparte_ante_la_Esfinge%2C_por_Jean-Léon_Gérôme.jpg"; diff --git a/modules/firefox/default.nix b/modules/firefox/default.nix index bad56ff..3507f2d 100644 --- a/modules/firefox/default.nix +++ b/modules/firefox/default.nix @@ -40,7 +40,7 @@ in let mkCssWithRoot = css: - mkMerge [ + [ ( let mapFonts = concatMapStringsSep ", " (font: ''"${font}"''); @@ -59,7 +59,8 @@ in '' ) (builtins.readFile css) - ]; + ] + |> concatLines; in { id = 0; @@ -516,6 +517,7 @@ in "browser.theme.dark-private-windows" = false; "browser.toolbars.bookmarks.visibility" = "newtab"; "browser.translations.enable" = false; + "browser.uidensity" = 0; "browser.urlbar.decodeURLsOnCopy" = true; "browser.urlbar.suggest.addons" = false; "browser.urlbar.suggest.bookmark" = true; 
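Review bot: `mkCssWithRoot` in `modules/firefox/default.nix` now depends on the `|>` pipe operator, which Nix only accepts with the experimental `pipe-operators` feature enabled; this commit introduces the same construct in `modules/unbound.nix`. If the flake's `nixConfig` or the hosts' `nix.settings.experimental-features` do not already list it, evaluation fails on a stock `nix.conf`, so a comment at the first use, `# requires experimental-features = pipe-operators`, or a check in the flake would make the requirement explicit. The enclosing `let` that defines `mkCssWithRoot` starts before this hunk.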
@@ -538,7 +540,9 @@ in "media.hardwaremediakeys.enabled" = false; "media.videocontrols.picture-in-picture.video-toggle.enabled" = false; "reader.parse-on-load.enabled" = false; + "svg.context-properties.content.enabled" = true; "toolkit.legacyUserProfileCustomizations.stylesheets" = true; + "widget.gtk.rounded-bottom-corners.enabled" = true; }; }; }; diff --git a/modules/kde.nix b/modules/kde.nix index c227620..f20d5ea 100644 --- a/modules/kde.nix +++ b/modules/kde.nix @@ -1,17 +1,17 @@ { config, + inputs, lib, pkgs, ... }: -with lib; let cfg = config.nixfiles.modules.kde; in { - options.nixfiles.modules.kde.enable = mkEnableOption "KDE Plasma"; + options.nixfiles.modules.kde.enable = lib.mkEnableOption "KDE Plasma"; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { nixfiles.modules = { common.xdg.defaultApplications."org.kde.dolphin" = [ "inode/directory" ]; 
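Review bot: `"svg.context-properties.content.enabled" = true` switches on a feature Firefox ships disabled for web content (it exists for the browser's own UI), and nothing in the hunk says what needs it; presumably the userChrome CSS built by `mkCssWithRoot`, so record that next to the pref, e.g. `# Needed by the userChrome CSS (context-fill icons); off by default for content.`. The same applies to `widget.gtk.rounded-bottom-corners.enabled`, whose purpose is equally opaque from the diff.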
@@ -19,29 +19,83 @@ in sound.enable = true; }; + # stylix.targets.qt.platform = "kde"; + hm = { - stylix.targets.kde.enable = true; + imports = [ inputs.plasma-manager.homeManagerModules.plasma-manager ]; - programs.firefox.profiles.default.settings = { - "widget.use-xdg-desktop-portal.file-picker" = 1; - "widget.use-xdg-desktop-portal.mime-handler" = 1; - }; + home.sessionVariables.GTK_THEME = config.hm.gtk.theme.name; - gtk.theme = { - package = mkForce pkgs.breeze-gtk; - name = mkForce "Breeze"; + gtk.theme = lib.mkForce { + package = pkgs.kdePackages.breeze-gtk; + name = "Breeze"; }; + # programs = { + # plasma = { + # enable = true; + + # fonts = { + # windowTitle = with config.stylix.fonts; { + # family = sansSerif.name; + # pointSize = sizes.desktop; + # }; + # }; + + # desktop = { + # icons = { + # alignment = "left"; + # arrangement = "topToBottom"; + # sorting = { + # mode = "name"; + # descending = true; + # foldersFirst = true; + # }; + # }; + # }; + + # session = { + # general.askForConfirmationOnLogout = true; + # sessionRestore = { + # excludeApplications = [ ]; + # restoreOpenApplicationsOnLogin = "whenSessionWasManuallySaved"; + # }; + # }; + + # spectacle = { + # shortcuts = { + # launch = "Meta+S"; + # launchWithoutCapturing = "Meta+Alt+S"; + + # captureActiveWindow = "Meta+Print"; + # captureCurrentMonitor = "Print"; + # captureEntireDesktop = "Shift+Print"; + # captureRectangularRegion = "Meta+Shift+S"; + # captureWindowUnderCursor = "Meta+Ctrl+Print"; + + # recordRegion = "Meta+Shift+R"; + # recordScreen = "Meta+Alt+R"; + # recordWindow = "Meta+Ctrl+R"; + # }; + # }; + + # configFile = { + # kcminputrc.Keyboard = with config.services.xserver; { + # RepeatDelay = autoRepeatDelay; + # RepeatRate = autoRepeatInterval; + # }; + # }; + # }; + # }; + xdg.configFile = { - "fontconfig/conf.d/10-hm-fonts.conf".force = mkForce true; - "mimeapps.list".force = mkForce true; - "kcminputrc".text = generators.toINI { } { - Keyboard = with 
config.services.xserver; { - RepeatDelay = autoRepeatDelay; - RepeatRate = autoRepeatInterval; - }; - }; - "baloofilerc".text = generators.toINI { } { "Basic Settings"."Indexing-Enabled" = false; }; + "fontconfig/conf.d/10-hm-fonts.conf".force = lib.mkForce true; + "mimeapps.list".force = lib.mkForce true; + }; + + programs.firefox.profiles.default.settings = { + "widget.use-xdg-desktop-portal.file-picker" = 1; + "widget.use-xdg-desktop-portal.mime-handler" = 1; }; }; diff --git a/modules/matrix/dendrite.nix b/modules/matrix/dendrite.nix index c391ba0..89704ea 100644 --- a/modules/matrix/dendrite.nix +++ b/modules/matrix/dendrite.nix @@ -6,22 +6,21 @@ this, ... }: -with lib; let cfg = config.nixfiles.modules.matrix.dendrite; in { options.nixfiles.modules.matrix.dendrite = { - enable = mkEnableOption "Dendrite Matrix server"; + enable = lib.mkEnableOption "Dendrite Matrix server"; - port = mkOption { + port = lib.mkOption { description = "Port."; - type = with types; port; + type = lib.types.port; default = 8008; }; - domain = mkOption { - type = types.str; + domain = lib.mkOption { + type = lib.types.str; default = config.networking.domain; description = "Domain name sans protocol scheme."; }; @@ -31,7 +30,7 @@ in let db = "dendrite"; in - mkIf cfg.enable { + lib.mkIf cfg.enable { ark.directories = [ "/var/lib/dendrite" "/var/lib/private/dendrite" 
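Review bot: The `kcminputrc` keyboard-repeat entry and the `baloofilerc` `"Indexing-Enabled" = false` entry are removed from `xdg.configFile` and now exist only inside the commented-out `programs.plasma` block, so after this commit neither setting is applied; if that is intended, say so in the commit, otherwise keep the `xdg.configFile` definitions live until plasma-manager is actually enabled. The ~60 lines of commented-out `programs.plasma` configuration (and the `# stylix.targets.qt.platform = "kde";` line) are better deleted than shipped as comments — git keeps them — or reduced to a single `# TODO: migrate to plasma-manager programs.plasma` marker. `gtk.theme = lib.mkForce { … }` forces the whole attrset rather than the two fields as before, which also discards any other module's `gtk.theme.*` definitions wholesale; the previous per-field `mkForce` was narrower and I would keep that shape unless the broad override is the point.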
@@ -58,14 +57,16 @@ in add_header Content-Type application/json; add_header Access-Control-Allow-Origin *; ''; - return = "200 '${generators.toJSON { } { "m.server" = "${cfg.domain}:443"; }}'"; + return = "200 '${lib.generators.toJSON { } { "m.server" = "${cfg.domain}:443"; }}'"; }; "= /.well-known/matrix/client" = { extraConfig = '' add_header Content-Type application/json; add_header Access-Control-Allow-Origin *; ''; - return = "200 '${generators.toJSON { } { "m.homeserver".base_url = "https://${cfg.domain}"; }}'"; + return = "200 '${ + lib.generators.toJSON { } { "m.homeserver".base_url = "https://${cfg.domain}"; } + }'"; }; }; }; @@ -119,7 +120,7 @@ in serviceConfig = let needsPrivileges = cfg.port < 1024; - capabilities = [ "" ] ++ optionals needsPrivileges [ "CAP_NET_BIND_SERVICE" ]; + capabilities = [ "" ] ++ lib.optionals needsPrivileges [ "CAP_NET_BIND_SERVICE" ]; in { Restart = "on-failure"; @@ -185,13 +186,13 @@ in ]; }; in - concatStringsSep " " [ - (getExe pkgs.envsubst) + lib.concatStringsSep " " [ + (lib.getExe pkgs.envsubst) "-i ${(pkgs.formats.yaml { }).generate "dendrite.yaml" settings}" "-o /run/dendrite/dendrite.yaml" ]; - ExecStart = concatStringsSep " " [ - (getExe' pkgs.dendrite "dendrite") + ExecStart = lib.concatStringsSep " " [ + (lib.getExe' pkgs.dendrite "dendrite") "--config /run/dendrite/dendrite.yaml" "--http-bind-address 127.0.0.1:${toString cfg.port}" ]; diff --git a/modules/matrix/element.nix b/modules/matrix/element.nix index 01b991e..c1c29a7 100644 --- a/modules/matrix/element.nix +++ b/modules/matrix/element.nix 
@@ -4,28 +4,27 @@ pkgs, ... }: -with lib; let cfg = config.nixfiles.modules.matrix.element; in { options.nixfiles.modules.matrix.element = { - enable = mkEnableOption "Element, a Matrix web interface"; + enable = lib.mkEnableOption "Element, a Matrix web interface"; - domain = mkOption { + domain = lib.mkOption { description = "Domain name sans protocol scheme."; - type = with types; nullOr str; + type = with lib.types; nullOr str; default = "element.${config.networking.domain}"; }; - homeserver = mkOption { + homeserver = lib.mkOption { description = "Default Matrix homeserver."; - type = with types; str; - default = my.domain.azahi; + type = lib.types.str; + default = lib.my.domain.azahi; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { assertions = [ { assertion = diff --git a/modules/nsd.nix b/modules/nsd.nix index 13cebe9..efc175c 100644 --- a/modules/nsd.nix +++ b/modules/nsd.nix @@ -78,8 +78,8 @@ in { p = "quarantine"; sp = "quarantine"; - rua = [ "mailto:admin+rua@${domain}" ]; - ruf = [ "mailto:admin+ruf@${domain}" ]; + rua = [ "mailto:postmaster@${domain}" ]; + ruf = [ "mailto:postmaster@${domain}" ]; } ]; DKIM = optional (dkimKey != null) { @@ -102,8 +102,8 @@ in SOA = { nameServer = "${cfg.fqdn}."; - adminEmail = "admin+dns@${my.domain.shire}"; - serial = 2024010301; # Don't forget to bump the revision! + adminEmail = "hostmaster@${my.domain.shire}"; + serial = 2025020201; # Don't forget to bump the revision! }; NS = with my.domain; [ @@ -111,7 +111,7 @@ in # "ns2.${shire}" ]; - CAA = letsEncrypt "admin+caa@${my.domain.shire}"; + CAA = letsEncrypt "hostmaster@${my.domain.shire}"; } sldIps extra diff --git a/modules/openssh.nix b/modules/openssh.nix index a41f0d6..d850322 100644 --- a/modules/openssh.nix +++ b/modules/openssh.nix @@ -37,6 +37,7 @@ in controlMaster = "auto"; controlPersist = "24H"; + controlPath = "~/.ssh/control/%r@%n:%p"; # The directory must exist. serverAliveCountMax = 30; serverAliveInterval = 60; 
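Review bot: The new `controlPath` in `modules/openssh.nix` builds the socket name from `%n`, the host name exactly as typed on the command line, so `ssh host` and `ssh host.example.org` get separate master sockets, and a long name can exceed the UNIX socket path limit; ssh_config(5) recommends `%C` (a hash of local host, remote host, port and user), which also keeps remote host names out of file names: `controlPath = "~/.ssh/control/%C";`. The comment `# The directory must exist.` could say what happens otherwise and why the location matters: ssh aborts with a `unix_listener: cannot bind` error, and anyone who can connect to the socket rides the authenticated master session, so the directory must not be writable by other users (mode 0700, created by a home-manager `home.file` entry or a user tmpfiles rule rather than by hand).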
diff --git a/modules/plausible.nix b/modules/plausible.nix index 89729fd..e910986 100644 --- a/modules/plausible.nix +++ b/modules/plausible.nix @@ -88,7 +88,7 @@ in # }; mail = { - email = "admin+plausible@${my.domain.shire}"; + email = "plausible@${my.domain.shire}"; smtp = { hostAddr = my.domain.shire; hostPort = 465; diff --git a/modules/profiles/dev/default.nix b/modules/profiles/dev/default.nix index bb7cfc9..a6cc61d 100644 --- a/modules/profiles/dev/default.nix +++ b/modules/profiles/dev/default.nix @@ -80,6 +80,7 @@ in nixpkgs-review opentofu scaleway-cli + scanmem sops sqlitebrowser terraform diff --git a/modules/searx.nix b/modules/searx.nix index ab186af..1b1e6d5 100644 --- a/modules/searx.nix +++ b/modules/searx.nix @@ -48,7 +48,7 @@ in settings = { general = { instance_name = cfg.domain; - contact_url = "mailto:admin+searx@${config.networking.domain}"; + contact_url = "mailto:searx@${config.networking.domain}"; git_url = false; git_branch = false; docs_url = false; diff --git a/modules/unbound-ng.nix b/modules/unbound-ng.nix index 3d3c6da..583d22a 100644 --- a/modules/unbound-ng.nix +++ b/modules/unbound-ng.nix @@ -158,7 +158,7 @@ in enableRootTrustAnchor = true; - localControlSocketPath = "/run/unbound/unbound.socket"; + localControlSocketPath = "/run/unbound/unbound.sock"; }; prometheus.exporters.unbound = { diff --git a/modules/unbound.nix b/modules/unbound.nix index b8de321..7156409 100644 --- a/modules/unbound.nix +++ b/modules/unbound.nix 
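Review bot: `modules/unbound-ng.nix` renames the control socket to `/run/unbound/unbound.sock`, while the same commit sets `modules/unbound.nix` to `/run/unbound/control.sock`; if the two modules are alternative implementations of the same service, the prometheus exporter's `unbound.host` and any `unbound-control` invocations should point at one shared constant, and if the difference is deliberate a comment on each line saying so would prevent the next rename from reintroducing the split.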
@@ -6,22 +6,21 @@ this, ... }: -with lib; let cfg = config.nixfiles.modules.unbound; in { options.nixfiles.modules.unbound = { - enable = mkEnableOption "Unbound"; + enable = lib.mkEnableOption "Unbound"; - domain = mkOption { + domain = lib.mkOption { description = "Domain name sans protocol scheme."; - type = with types; str; + type = lib.types.str; default = config.networking.domain; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { ark.directories = [ config.services.unbound.stateDir ]; nixfiles.modules.redis.enable = true; @@ -31,6 +30,7 @@ in enable = true; package = pkgs.unbound-with-systemd.override { + withDNSTAP = true; withRedis = true; withTFO = true; }; @@ -47,17 +47,18 @@ in ipv6.address ]; - local-zone = concatLists ( - mapAttrsToList (h: _: [ "\"${h}.${cfg.domain}\" redirect" ]) my.configurations - ); - local-data = concatLists ( - mapAttrsToList ( + local-zone = + lib.my.configurations + |> lib.mapAttrsToList (x: _: [ "\"${x}.${cfg.domain}\" redirect" ]) + |> lib.concatLists; + local-data = lib.concatLists ( + lib.mapAttrsToList ( hostname: let domain = "${hostname}.${cfg.domain}"; in attr: - (optionals (hasAttr "wireguard" attr) ( + (lib.optionals (lib.hasAttr "wireguard" attr) ( with attr.wireguard; [ "\"${domain} 604800 IN A ${ipv4.address}\"" 
@@ -65,36 +66,36 @@ in "\"${domain}. A ${ipv4.address}\"" "\"${domain}. AAAA ${ipv6.address}\"" ] - ++ (optionals (hasAttr "domains" attr) ( - concatMap (domain: [ + ++ (lib.optionals (lib.hasAttr "domains" attr) ( + lib.concatMap (domain: [ "\"${domain}. A ${ipv4.address}\"" "\"${domain}. AAAA ${ipv6.address}\"" ]) attr.domains )) )) - ) my.configurations + ) lib.my.configurations ); - local-data-ptr = concatLists ( - mapAttrsToList ( + local-data-ptr = lib.concatLists ( + lib.mapAttrsToList ( hostname: let domain = "${hostname}.${cfg.domain}"; in attr: - (optionals (hasAttr "wireguard" attr) ( + (lib.optionals (lib.hasAttr "wireguard" attr) ( with attr.wireguard; [ "\"${ipv4.address} ${domain}\"" "\"${ipv6.address} ${domain}\"" ] - ++ (optionals (hasAttr "domains" attr) ( - concatMap (domain: [ + ++ (lib.optionals (lib.hasAttr "domains" attr) ( + lib.concatMap (domain: [ "\"${ipv4.address} ${domain}\"" "\"${ipv6.address} ${domain}\"" ]) attr.domains )) )) - ) my.configurations + ) lib.my.configurations ); private-domain = map (domain: "${domain}.") [ @@ -116,6 +117,7 @@ in ]; cache-min-ttl = 0; + cache-max-ttl = 60 * 60 * 24; serve-expired = true; serve-expired-reply-ttl = 0; @@ -123,8 +125,8 @@ in prefetch = true; prefetch-key = true; - hide-identity = true; - hide-version = true; + hide-identity = false; + hide-version = false; extended-statistics = true; @@ -132,14 +134,14 @@ in log-tag-queryreply = false; log-local-actions = false; - verbosity = 0; + verbosity = 1; }; forward-zone = [ { name = "."; forward-tls-upstream = true; - forward-addr = dns.mkDoT dns.const.quad9.ecs; + forward-addr = lib.dns.mkDoT lib.dns.const.quad9.ecs; } ]; 
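Review bot: Flipping `hide-identity` and `hide-version` to `false` lets any client that can reach the resolver read its hostname and exact Unbound version via CHAOS-class `id.server`/`version.server` queries, which is free fingerprinting for a service whose `interface` list appears (from the `ipv6.address` entry in the previous hunk) to include non-loopback addresses. If the intent is to label this instance for the dnstap/statistics work, set `identity = "…";` and `version = "…";` to fixed strings and keep `hide-version = true;`; if exposing them is deliberate, a comment on the two lines should say why. `verbosity = 1` and `cache-max-ttl = 60 * 60 * 24` look fine, though the latter deserves a short note on why a day was chosen.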
@@ -149,36 +151,85 @@ in redis-server-port = port; }; - rpz = { - name = "hagezi.pro"; - zonefile = "hagezi.pro"; - url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt"; + dnstap = { + dnstap-enable = true; + dnstap-socket-path = "/run/dnstap-unbound/read.sock"; + dnstap-send-identity = true; + dnstap-send-version = true; + dnstap-log-resolver-query-messages = true; + dnstap-log-resolver-response-messages = true; + dnstap-log-client-query-messages = true; + dnstap-log-client-response-messages = true; + dnstap-log-forwarder-query-messages = true; + dnstap-log-forwarder-response-messages = true; }; + + rpz = [ + { + name = "hagezi-pro"; + zonefile = "hagezi-pro"; + url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt"; + } + { + name = "big-osid"; + zonefile = "big-osid"; + url = "https://big.oisd.nl/rpz"; + } + { + name = "nsfw-osid"; + zonefile = "nsfw-osid"; + url = "https://nsfw.oisd.nl/rpz"; + } + ]; }; enableRootTrustAnchor = true; - localControlSocketPath = "/run/unbound/unbound.socket"; + localControlSocketPath = "/run/unbound/control.sock"; }; prometheus.exporters.unbound = { enable = true; - listenAddress = mkDefault this.wireguard.ipv4.address; + listenAddress = lib.mkDefault this.wireguard.ipv4.address; port = 9167; inherit (config.services.unbound) group user; unbound.host = "unix://${config.services.unbound.localControlSocketPath}"; }; }; - boot.kernel.sysctl."net.ipv4.tcp_fastopen" = mkOverride 200 3; + systemd = + let + in + { + services = { + unbound = { + after = [ "dnstap-unbound.service" ]; + requires = [ "dnstap-unbound.service" ]; + }; + + dnstap-unbound = { + serviceConfig = { + ExecStart = "${lib.getExe pkgs.dnstap} -u ${config.services.unbound.settings.dnstap.dnstap-socket-path}"; + User = config.services.unbound.user; + Group = config.services.unbound.group; + RuntimeDirectory = "dnstap-unbound"; + }; + wantedBy = [ "multi-user.target" ]; + }; + }; + }; + + 
boot.kernel.sysctl."net.ipv4.tcp_fastopen" = lib.mkOverride 200 3; - topology = with cfg; { + topology = { nodes.${this.hostname}.services.unbound = { name = "Unbound"; icon = "${inputs.homelab-svg-assets}/assets/unbound.svg"; - details.listen.text = concatMapStringsSep "\n" (i: "${i}:53") ( - filter (i: i != "127.0.0.1" && i != "::1") config.services.unbound.settings.server.interface - ); + details.listen.text = + config.services.unbound.settings.server.interface + |> lib.filter (x: x != "127.0.0.1" && x != "::1") + |> map (x: "${x}:53") + |> lib.concatLines; }; }; }; diff --git a/modules/wireguard.nix b/modules/wireguard.nix index c9d9937..bb5daad 100644 --- a/modules/wireguard.nix +++ b/modules/wireguard.nix @@ -262,7 +262,6 @@ in cidrv4 = cfg.ipv4.subnet; cidrv6 = cfg.ipv6.subnet; icon = "interfaces.wireguard"; - style.pattern = "dotted"; }; nodes.${this.hostname}.interfaces.${cfg.interface} = { diff --git a/overlays.nix b/overlays.nix index 3c64def..6158942 100644 --- a/overlays.nix +++ b/overlays.nix @@ -99,5 +99,8 @@ vendorHash.__assign = "sha256-tq9FI8A3pi3ztcLYF6sZ4wmwTD0HWq4g2EAl7eLo+po="; patches.__append = [ ./packages/soju-upload.patch ]; }; + + dnstap = + _: (lib.packages.fromPR 379552 "sha256-Y2l0nrqUnY65wK9tiK6ci6KD3ckgRRtMSnrJvY0czxE=").dnstap; }; } |
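Review bot: With all seven `dnstap-log-*` flags enabled, Unbound streams every client query and response to the new `dnstap-unbound` service, whose `ExecStart` (`dnstap -u …`) writes them to stdout and therefore, under systemd's default `StandardOutput`, into the journal — a per-client DNS history kept for journald's default retention; record that this is intended and set the retention (or redirect the output) explicitly. The unit also gets no sandboxing at all, unlike the NixOS `unbound` unit it is coupled to; a minimal `NoNewPrivileges`, `ProtectSystem = "strict"`, `PrivateTmp` set costs nothing for a tool that only needs its `RuntimeDirectory`. `after`/`requires` on `dnstap-unbound.service` do not guarantee the socket is bound before Unbound starts (the unit is `Type=simple`), so Unbound may log connect failures at boot; presumably the fstrm client reconnects, but worth confirming. Two small things: `systemd = let in { … }` has an empty `let` that can go, and the RPZ entries named `big-osid`/`nsfw-osid` fetch from `oisd.nl`, so `oisd` is presumably meant. The `topology` block at the end of this hunk continues past it.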
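Review bot: `dnstap` in `overlays.nix` is taken from an unmerged nixpkgs PR via `lib.packages.fromPR 379552 "sha256-…"`; the hash pins the fetched tree so it cannot change silently, but the derivation and its vendored Go dependencies have not been through nixpkgs review, and the pin goes stale once the PR merges or is rebased. A comment next to it stating what the PR provides and a `# TODO: drop once merged into nixpkgs` marker would make the temporary nature visible to whoever next bumps `nixpkgs`.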