2023-03-11

5 files changed, 70 insertions, 12 deletions

diff --git a/modules/common/beets.nix b/modules/nixos/beets.nix
index 83cbff1..83cbff1 100644
--- a/modules/common/beets.nix
+++ b/modules/nixos/beets.nix
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 850d93e..8ac9a29 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -3,6 +3,7 @@ _: {
     ./acme.nix
     ./alertmanager.nix
     ./android.nix
+    ./beets.nix
     ./bluetooth.nix
     ./common
     ./discord.nix
@@ -21,6 +22,7 @@ _: {
     ./grafana.nix
     ./hydra.nix
     ./ipfs.nix
+    ./k3s.nix
     ./kde.nix
     ./libvirtd.nix
     ./lidarr.nix
@@ -29,6 +31,7 @@ _: {
     ./matrix
     ./monitoring
     ./mpd.nix
+    ./murmur.nix
     ./nextcloud.nix
     ./nginx.nix
     ./node-exporter.nix
diff --git a/modules/nixos/k3s.nix b/modules/nixos/k3s.nix
new file mode 100644
index 0000000..dcbd052
--- /dev/null
+++ b/modules/nixos/k3s.nix
@@ -0,0 +1,29 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.nixfiles.modules.k3s;
+in {
+  options.nixfiles.modules.k3s = {
+    enable = mkEnableOption "K3s";
+  };
+
+  config = mkIf cfg.enable {
+    ark.directories = [
+      "/etc/rancher/k3s"
+      "/var/lib/rancher/k3s"
+    ];
+
+    services.k3s = {
+      enable = true;
+      role = "server";
+    };
+
+    systemd.services.k3s.environment = {
+      K3S_KUBECONFIG_OUTPUT = "/etc/rancher/k3s/k3s.yaml";
+      K3S_KUBECONFIG_MODE = "600";
+    };
+  };
+}
diff --git a/modules/nixos/murmur.nix b/modules/nixos/murmur.nix
new file mode 100644
index 0000000..cbd90d4
--- /dev/null
+++ b/modules/nixos/murmur.nix
@@ -0,0 +1,28 @@
+{
+  config,
+  inputs,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.nixfiles.modules.murmur;
+in {
+  options.nixfiles.modules.murmur.enable = mkEnableOption "Murmur";
+
+  config = mkIf cfg.enable {
+    secrets.murmur-environment = {
+      file = "${inputs.self}/secrets/murmur-environment";
+      owner = "murmur";
+      group = "murmur";
+    };
+
+    services.murmur = {
+      enable = true;
+      openFirewall = true;
+      logDays = -1;
+      registerName = mkDefault my.domain.shire;
+      password = "$MURMUR_PASSWORD";
+      environmentFile = config.secrets."murmur-environment".path;
+    };
+  };
+}
diff --git a/modules/nixos/profiles/headful.nix b/modules/nixos/profiles/headful.nix
index d0ca777..67bec29 100644
--- a/modules/nixos/profiles/headful.nix
+++ b/modules/nixos/profiles/headful.nix
@@ -22,6 +22,7 @@ in {
       home.packages = with pkgs; [
         calibre
         imv
+        mumble
         neochat
         tdesktop
         tor-browser
@@ -33,18 +34,15 @@ in {
     boot = {
       kernelPackages = mkDefault pkgs.linuxPackages_latest;
 
-      # There are (arguably) not a lot of reasons to keep mitigations enabled
-      # for on machine that is not web-facing. First of all, to completely
-      # mitigate any possible Spectre holes one would need to disable
-      # Hyperthreading altogether which will essentially put one's computer into
-      # the stone age by not being able to to effectively utilise multi-core its
-      # multicore capabilities. Secondly, by enabling mitigations, we introduce
-      # a plethora of performance overheads[1], which, albeit small, but still
-      # contribute to the overall speed of things. This is however still poses a
-      # security risk, which I am willing to take.
-      #
-      # [1]: https://www.phoronix.com/scan.php?page=article&item=spectre-meltdown-2&num=11
-      kernelParams = ["mitigations=off"];
+      kernelParams = [
+        # https://wiki.archlinux.org/title/improving_performance#Watchdogs
+        "nowatchdog"
+        "kernel.nmi_watchdog=0"
+        # A security risk I'm willing to take for a reason[1].
+        #
+        # [1]: https://www.phoronix.com/scan.php?page=article&item=spectre-meltdown-2&num=11
+        "mitigations=off"
+      ];
 
       loader = {
         efi.canTouchEfiVariables = true;