author | Azat Bahawi <azat@bahawi.net> | 2023-03-11 12:51:58 +0300 |
---|---|---|
committer | Azat Bahawi <azat@bahawi.net> | 2023-03-11 12:51:58 +0300 |
commit | 0ef23d4501592a192ba020a2ac34abb1a3d8fc5e (patch) | |
tree | 17f0377d71f7c645acf8502c769a0ade76cbc901 /modules/nixos | |
parent | 2023-02-20 (diff) |
2023-03-11
Diffstat (limited to '')
-rw-r--r-- | modules/nixos/beets.nix (renamed from modules/common/beets.nix) | 0 | ||||
-rw-r--r-- | modules/nixos/default.nix | 3 | ||||
-rw-r--r-- | modules/nixos/k3s.nix | 29 | ||||
-rw-r--r-- | modules/nixos/murmur.nix | 28 | ||||
-rw-r--r-- | modules/nixos/profiles/headful.nix | 22 |
5 files changed, 70 insertions, 12 deletions
diff --git a/modules/common/beets.nix b/modules/nixos/beets.nix
index 83cbff1..83cbff1 100644
--- a/modules/common/beets.nix
+++ b/modules/nixos/beets.nix
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 850d93e..8ac9a29 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -3,6 +3,7 @@ _: {
 ./acme.nix
 ./alertmanager.nix
 ./android.nix
+ ./beets.nix
 ./bluetooth.nix
 ./common
 ./discord.nix
@@ -21,6 +22,7 @@ _: {
 ./grafana.nix
 ./hydra.nix
 ./ipfs.nix
+ ./k3s.nix
 ./kde.nix
 ./libvirtd.nix
 ./lidarr.nix
@@ -29,6 +31,7 @@ _: {
 ./matrix
 ./monitoring
 ./mpd.nix
+ ./murmur.nix
 ./nextcloud.nix
 ./nginx.nix
 ./node-exporter.nix
diff --git a/modules/nixos/k3s.nix b/modules/nixos/k3s.nix
new file mode 100644
index 0000000..dcbd052
--- /dev/null
+++ b/modules/nixos/k3s.nix
@@ -0,0 +1,29 @@
+{
+ config,
+ lib,
+ ...
+}:
+with lib; let
+ cfg = config.nixfiles.modules.k3s;
+in {
+ options.nixfiles.modules.k3s = {
+ enable = mkEnableOption "K3s";
+ };
+
+ config = mkIf cfg.enable {
+ ark.directories = [
+ "/etc/rancher/k3s"
+ "/var/lib/rancher/k3s"
+ ];
+
+ services.k3s = {
+ enable = true;
+ role = "server";
+ };
+
+ systemd.services.k3s.environment = {
+ K3S_KUBECONFIG_OUTPUT = "/etc/rancher/k3s/k3s.yaml";
+ K3S_KUBECONFIG_MODE = "600";
+ };
+ };
+}
diff --git a/modules/nixos/murmur.nix b/modules/nixos/murmur.nix
new file mode 100644
index 0000000..cbd90d4
--- /dev/null
+++ b/modules/nixos/murmur.nix
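Review bot: `ark.directories` persists the whole of `/var/lib/rancher/k3s`, and that tree is where k3s keeps the cluster CA private keys and the node join token (under `server/tls` and `server/token`), so whatever `ark` does with the listed directories — it looks like a persistence or backup option, but its definition is not in this commit — now also carries material that can impersonate the cluster; it is worth confirming that destination is encrypted and access-restricted, or narrowing the list to what actually needs to survive. `role = "server"` with no `tokenFile` or `serverAddr` implies a single-node cluster, and setting `K3S_KUBECONFIG_MODE` through `systemd.services.k3s.environment` rather than `services.k3s.extraFlags` is a choice a reader cannot see the reason for. A short comment above `config = mkIf cfg.enable {` would cover both, e.g. `# Single-node server. Everything under /var/lib/rancher/k3s, including the cluster CA and join token, is persisted via ark.`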
@@ -0,0 +1,28 @@
+{
+ config,
+ inputs,
+ lib,
+ ...
+}:
+with lib; let
+ cfg = config.nixfiles.modules.murmur;
+in {
+ options.nixfiles.modules.murmur.enable = mkEnableOption "Murmur";
+
+ config = mkIf cfg.enable {
+ secrets.murmur-environment = {
+ file = "${inputs.self}/secrets/murmur-environment";
+ owner = "murmur";
+ group = "murmur";
+ };
+
+ services.murmur = {
+ enable = true;
+ openFirewall = true;
+ logDays = -1;
+ registerName = mkDefault my.domain.shire;
+ password = "$MURMUR_PASSWORD";
+ environmentFile = config.secrets."murmur-environment".path;
+ };
+ };
+}
diff --git a/modules/nixos/profiles/headful.nix b/modules/nixos/profiles/headful.nix
index d0ca777..67bec29 100644
--- a/modules/nixos/profiles/headful.nix
+++ b/modules/nixos/profiles/headful.nix
@@ -22,6 +22,7 @@ in {
 home.packages = with pkgs; [
 calibre
 imv
+ mumble
 neochat
 tdesktop
 tor-browser
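Review bot: `password = "$MURMUR_PASSWORD";` reads as a literal credential until one notices `environmentFile` two lines below, so a comment such as `# Placeholder substituted from environmentFile when the service starts; not a literal password.` would stop a future reader from "fixing" it or flagging it as a leaked secret. `my.domain.shire` is not bound by the module arguments (`config`, `inputs`, `lib`), so it presumably arrives through `with lib;` from an extended lib; writing `lib.my.domain.shire` would make that dependency explicit. `openFirewall = true` exposes the server on every interface and `logDays = -1` keeps the log indefinitely — reasonable for a voice server, but neither is the module default and a one-line justification next to each would help.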
@@ -33,18 +34,15 @@ in {
 boot = {
 kernelPackages = mkDefault pkgs.linuxPackages_latest;
- # There are (arguably) not a lot of reasons to keep mitigations enabled
- # for on machine that is not web-facing. First of all, to completely
- # mitigate any possible Spectre holes one would need to disable
- # Hyperthreading altogether which will essentially put one's computer into
- # the stone age by not being able to to effectively utilise multi-core its
- # multicore capabilities. Secondly, by enabling mitigations, we introduce
- # a plethora of performance overheads[1], which, albeit small, but still
- # contribute to the overall speed of things. This is however still poses a
- # security risk, which I am willing to take.
- #
- # [1]: https://www.phoronix.com/scan.php?page=article&item=spectre-meltdown-2&num=11
- kernelParams = ["mitigations=off"];
+ kernelParams = [
+ # https://wiki.archlinux.org/title/improving_performance#Watchdogs
+ "nowatchdog"
+ "kernel.nmi_watchdog=0"
+ # A security risk I'm willing to take for a reason[1].
+ #
+ # [1]: https://www.phoronix.com/scan.php?page=article&item=spectre-meltdown-2&num=11
+ "mitigations=off"
+ ];
 loader = {
 efi.canTouchEfiVariables = true;
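Review bot: `"kernel.nmi_watchdog=0"` is the sysctl name, not a kernel command-line parameter; the boot parameter the kernel recognises is `nmi_watchdog=0` (or `sysctl.kernel.nmi_watchdog=0` on kernels that accept boot-time sysctls), so as written this entry is ignored and the NMI watchdog stays enabled. Change it to `"nmi_watchdog=0"`. The kept `# A security risk I'm willing to take for a reason[1].` comment preserves the link but drops the threat-model reasoning the removed block carried, and this headful profile installs `tor-browser` (previous hunk), which runs untrusted content; one sentence naming which attack class is being accepted with `mitigations=off` would make the trade-off reviewable later. The `boot` attribute set continues outside the hunk.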