about summary refs log tree commit diff
path: root/modules/nixos
diff options
context:
space:
mode:
authorAzat Bahawi <azat@bahawi.net>2023-05-21 23:10:32 +0300
committerAzat Bahawi <azat@bahawi.net>2023-05-21 23:10:32 +0300
commitb07e10139c88d6060e57ca52b2dc12b17b53ac82 (patch)
tree5b5cddc2f47bddb8e8914aa66ae18d52cd519965 /modules/nixos
parent2023-05-06 (diff)
2023-05-21
Diffstat (limited to 'modules/nixos')
-rw-r--r--modules/nixos/chromium.nix27
-rw-r--r--modules/nixos/common/locale.nix12
-rw-r--r--modules/nixos/common/systemd.nix2
-rw-r--r--modules/nixos/default.nix1
-rw-r--r--modules/nixos/matrix/dendrite.nix20
-rw-r--r--modules/nixos/monitoring/default.nix18
-rw-r--r--modules/nixos/profiles/headful.nix7
-rw-r--r--modules/nixos/promtail.nix41
-rw-r--r--modules/nixos/syncthing.nix117
-rw-r--r--modules/nixos/unbound.nix17
10 files changed, 170 insertions, 92 deletions
diff --git a/modules/nixos/chromium.nix b/modules/nixos/chromium.nix
new file mode 100644
index 0000000..4f0ae12
--- /dev/null
+++ b/modules/nixos/chromium.nix
@@ -0,0 +1,27 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.nixfiles.modules.chromium;
+in {
+  options.nixfiles.modules.chromium.enable = mkEnableOption "Chromium";
+
+  config = mkIf cfg.enable {
+    hm = {
+      home.packages = with pkgs; [profile-cleaner];
+
+      programs.chromium = {
+        enable = true;
+
+        package = pkgs.chromium;
+
+        extensions = [
+          {id = "cjpalhdlnbpafiamejdnhcphjbkeiagm";} # uBlock Origin
+        ];
+      };
+    };
+  };
+}
diff --git a/modules/nixos/common/locale.nix b/modules/nixos/common/locale.nix
index 62d19f4..7529996 100644
--- a/modules/nixos/common/locale.nix
+++ b/modules/nixos/common/locale.nix
@@ -12,9 +12,15 @@ with lib; {
   };
 
   services.xserver = {
-    layout = comcat ["us" "ru"];
-    xkbVariant = comcat ["" "phonetic"];
-    xkbOptions = comcat [
+    layout = concatStringsSep "," [
+      "us"
+      "ru"
+    ];
+    xkbVariant = concatStringsSep "," [
+      ""
+      "phonetic"
+    ];
+    xkbOptions = concatStringsSep "," [
       "terminate:ctrl_alt_bksp"
       "caps:escape"
       "compose:menu"
diff --git a/modules/nixos/common/systemd.nix b/modules/nixos/common/systemd.nix
index 29020a0..4e9eb26 100644
--- a/modules/nixos/common/systemd.nix
+++ b/modules/nixos/common/systemd.nix
@@ -4,6 +4,8 @@
     directories = ["/var/lib/systemd/coredump"];
   };
 
+  my.extraGroups = ["systemd-journal"];
+
   hm.systemd.user.startServices = "sd-switch";
 
   services.journald.extraConfig = ''
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 3c6e61b..f8347cf 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -5,6 +5,7 @@ _: {
     ./android.nix
     ./beets.nix
     ./bluetooth.nix
+    ./chromium.nix
     ./common
     ./discord.nix
     ./docker.nix
diff --git a/modules/nixos/matrix/dendrite.nix b/modules/nixos/matrix/dendrite.nix
index d9c4914..d7c7b18 100644
--- a/modules/nixos/matrix/dendrite.nix
+++ b/modules/nixos/matrix/dendrite.nix
@@ -67,6 +67,7 @@ in {
             };
           };
         };
+
         postgresql = {
           enable = true;
           extraPostStart = [
@@ -75,6 +76,25 @@ in {
             ''
           ];
         };
+
+        # Silence annoying errors when connecting to poorly configured federated
+        # homeservers.
+        promtail.filters = [
+          {
+            match = {
+              selector = ''{syslog_identifier="dendrite"} |~ ".*Failed to fetch key for server.*"'';
+              action = "drop";
+              drop_counter_reason = "noisy_error";
+            };
+          }
+          {
+            match = {
+              selector = ''{syslog_identifier="dendrite"} |~ ".*could not download key for.*"'';
+              action = "drop";
+              drop_counter_reason = "noisy_error";
+            };
+          }
+        ];
       };
 
       services.postgresql = {
diff --git a/modules/nixos/monitoring/default.nix b/modules/nixos/monitoring/default.nix
index 37e34d9..7f62874 100644
--- a/modules/nixos/monitoring/default.nix
+++ b/modules/nixos/monitoring/default.nix
@@ -122,8 +122,6 @@ in {
       loki.configuration.ruler.alertmanager_url = "https://${config.nixfiles.modules.alertmanager.domain}";
 
       prometheus = {
-        # It would be nice if these could be generated dynamically. That would
-        # require a complete rework of how configurations are defined, though.
         scrapeConfigs = with my.configurations;
           mapAttrsToList
           (
@@ -144,13 +142,15 @@ in {
                     hosts;
                 }
               ];
-              relabel_configs = [
-                {
-                  source_labels = ["__address__"];
-                  regex = "([^:]+):\\d+";
-                  target_label = "instance";
-                }
-              ];
+              relabel_configs =
+                [
+                  {
+                    source_labels = ["__address__"];
+                    regex = "([^:]+):\\d+";
+                    target_label = "instance";
+                  }
+                ]
+                ++ optionals (hasAttr "relabel" value) value.relabel;
             }
           )
           {
diff --git a/modules/nixos/profiles/headful.nix b/modules/nixos/profiles/headful.nix
index 3bdf8fd..9e2b7a3 100644
--- a/modules/nixos/profiles/headful.nix
+++ b/modules/nixos/profiles/headful.nix
@@ -109,6 +109,11 @@ in {
 
     environment.systemPackages = with pkgs; [lm_sensors];
 
-    my.extraGroups = ["audio" "video" "input"];
+    my.extraGroups = [
+      "audio"
+      "input"
+      "render"
+      "video"
+    ];
   };
 }
diff --git a/modules/nixos/promtail.nix b/modules/nixos/promtail.nix
index d52384a..157eb72 100644
--- a/modules/nixos/promtail.nix
+++ b/modules/nixos/promtail.nix
@@ -21,6 +21,12 @@ in {
       type = with types; str;
       default = "https://${config.nixfiles.modules.loki.domain}";
     };
+
+    filters = mkOption {
+      description = ''Filters to use with "scrape_config.pipeline_stages".'';
+      type = with types; listOf attrs;
+      default = [];
+    };
   };
 
   config = mkIf cfg.enable {
@@ -56,7 +62,7 @@ in {
         scrape_configs = [
           {
             job_name = "journal";
-            journal.max_age = "12h";
+            journal.max_age = "24h";
             relabel_configs =
               map (n: let
                 label = toLower n;
@@ -74,12 +80,12 @@ in {
 
                 "MESSAGE"
                 # "MESSAGE_ID"
-                # "PRIORITY"
+                "PRIORITY"
                 # "CODE_FILE"
                 # "CODE_LINE"
                 # "CODE_FUNC"
                 # "ERRNO"
-                # "SYSLOG_FACILITY"
+                "SYSLOG_FACILITY"
                 "SYSLOG_IDENTIFIER"
                 # "SYSLOG_PID"
                 # "_PID"
@@ -93,8 +99,8 @@ in {
                 # "_AUDIT_LOGINUID"
                 # "_SYSTEMD_CGROUP"
                 # "_SYSTEMD_SESSION"
-                "_SYSTEMD_UNIT"
-                "_SYSTEMD_USER_UNIT"
+                # "_SYSTEMD_UNIT"
+                # "_SYSTEMD_USER_UNIT"
                 # "_SYSTEMD_OWNER_UID"
                 # "_SYSTEMD_SLICE"
                 # "_SELINUX_CONTEXT"
@@ -106,23 +112,16 @@ in {
                 # "__CURSOR"
                 # "__REALTIME_TIMESTAMP"
                 # "__MONOTONIC_TIMESTAMP"
+              ]
+              ++ [
+                {
+                  # This is weird. I can't find where is this defined in the
+                  # source code but apparently it exists.
+                  source_labels = ["__journal_priority_keyword"];
+                  target_label = "level";
+                }
               ];
-            pipeline_stages = [
-              {
-                match = {
-                  selector = ''{systemd_unit="dendrite.service"} |~ ".*Failed to fetch key for server.*"'';
-                  action = "drop";
-                  drop_counter_reason = "noisy_error";
-                };
-              }
-              {
-                match = {
-                  selector = ''{systemd_unit="dendrite.service"} |~ ".*could not download key for.*"'';
-                  action = "drop";
-                  drop_counter_reason = "noisy_error";
-                };
-              }
-            ];
+            pipeline_stages = cfg.filters;
           }
         ];
       };
diff --git a/modules/nixos/syncthing.nix b/modules/nixos/syncthing.nix
index b0d98bc..faf6723 100644
--- a/modules/nixos/syncthing.nix
+++ b/modules/nixos/syncthing.nix
@@ -48,74 +48,77 @@ in {
         key = config.secrets."syncthing-key-${this.hostname}".path;
 
         overrideDevices = true;
-        devices = mapAttrs (name: attr:
-          mkIf (attr.syncthing.id != null && hasAttr "wireguard" attr) {
-            inherit (attr.syncthing) id;
-            addresses = ["tcp://${name}.${config.networking.domain}:22000"];
-            introducer = this.isHeadless;
-          })
-        my.configurations;
-
         overrideFolders = true;
-        folders = let
-          filterDevices = f:
-            attrNames (filterAttrs (_: attr:
-              (attr.hostname != this.hostname)
-              && (attr.syncthing.id != null)
-              && f attr)
-            my.configurations);
-          all = filterDevices (_: true);
-          notHeadless = filterDevices (attr: !attr.isHeadless);
-          notOther = filterDevices (attr: !attr.isOther);
 
-          simple = {
-            type = "simple";
-            params.keep = "5";
-          };
-          trashcan = {
-            type = "trashcan";
-            params.cleanoutDays = "7";
-          };
-        in
-          with config.hm.xdg.userDirs; {
-            share = {
-              path = publicShare;
-              devices = notHeadless;
-              versioning = trashcan;
-            };
-            pass = {
-              path = config.hm.programs.password-store.settings.PASSWORD_STORE_DIR;
-              devices = notOther;
-              versioning = trashcan;
-            };
-            org = {
-              path = "${documents}/org";
-              devices = all;
-              versioning = simple;
-            };
-            roam = {
-              path = "${documents}/roam";
-              devices = notOther;
-              versioning = simple;
+        settings = {
+          devices = mapAttrs (name: attr:
+            mkIf (attr.syncthing.id != null && hasAttr "wireguard" attr) {
+              inherit (attr.syncthing) id;
+              addresses = ["tcp://${name}.${config.networking.domain}:22000"];
+              introducer = this.isHeadless;
+            })
+          my.configurations;
+
+          folders = let
+            filterDevices = f:
+              attrNames (filterAttrs (_: attr:
+                (attr.hostname != this.hostname)
+                && (attr.syncthing.id != null)
+                && f attr)
+              my.configurations);
+            all = filterDevices (_: true);
+            notHeadless = filterDevices (attr: !attr.isHeadless);
+            notOther = filterDevices (attr: !attr.isOther);
+
+            simple = {
+              type = "simple";
+              params.keep = "5";
             };
-            elfeed = {
-              path = "${config.my.home}/.elfeed";
-              devices = notOther;
-              versioning = trashcan;
+            trashcan = {
+              type = "trashcan";
+              params.cleanoutDays = "7";
             };
-            books = {
-              path = "${documents}/books";
-              devices = notOther;
-              versioning = trashcan;
+          in
+            with config.hm.xdg.userDirs; {
+              share = {
+                path = publicShare;
+                devices = notHeadless;
+                versioning = trashcan;
+              };
+              pass = {
+                path = config.hm.programs.password-store.settings.PASSWORD_STORE_DIR;
+                devices = notOther;
+                versioning = trashcan;
+              };
+              org = {
+                path = "${documents}/org";
+                devices = all;
+                versioning = simple;
+              };
+              roam = {
+                path = "${documents}/roam";
+                devices = notOther;
+                versioning = simple;
+              };
+              elfeed = {
+                path = "${config.my.home}/.elfeed";
+                devices = notOther;
+                versioning = trashcan;
+              };
+              books = {
+                path = "${documents}/books";
+                devices = notOther;
+                versioning = trashcan;
+              };
             };
-          };
 
-        extraOptions = {
           gui = {
             insecureAdminAccess = true;
             insecureSkipHostcheck = this.isHeadless;
           };
+
           options = {
+            testOption = false;
             autoUpgradeIntervalH = 0;
             crashReportingEnabled = false;
             globalAnnounceEnabled = false;
diff --git a/modules/nixos/unbound.nix b/modules/nixos/unbound.nix
index 7805b02..c9d45f2 100644
--- a/modules/nixos/unbound.nix
+++ b/modules/nixos/unbound.nix
@@ -24,7 +24,22 @@ in {
     mkIf cfg.enable {
       ark.directories = [config.services.unbound.stateDir];
 
-      nixfiles.modules.redis.enable = true;
+      nixfiles.modules = {
+        redis.enable = true;
+
+        promtail.filters = [
+          {
+            match = {
+              # Should be fixed[1] in the next release.
+              #
+              # [1]: https://github.com/NLnetLabs/unbound/commit/d7e776114114c16816570e48ab3a27eedc401a0e
+              selector = ''{syslog_identifier="unbound"} |~ ".*could not SSL_read crypto.*"'';
+              action = "drop";
+              drop_counter_reason = "noisy_error";
+            };
+          }
+        ];
+      };
 
       services = {
         unbound = {

Consider giving Nix/NixOS a try! <3