author | azahi <azat@bahawi.net> | 2025-01-24 04:11:25 +0300 |
---|---|---|
committer | azahi <azat@bahawi.net> | 2025-01-24 04:11:25 +0300 |
commit | 865264328824e329d4d706af6bc370199ed2b188 (patch) | |
tree | c2d5b05e5b2abee8730f0dfbe35414c8a5d94a00 /modules | |
parent | 2025-01-21 (diff) |
Diffstat (limited to '')
-rw-r--r-- | modules/common/documentation.nix | 17 | ||||
-rw-r--r-- | modules/piracy/default.nix | 3 | ||||
-rw-r--r-- | modules/profiles/headful.nix | 1 | ||||
-rw-r--r-- | modules/soju.nix | 183 | ||||
-rw-r--r-- | modules/throttled.nix | 105 |
5 files changed, 124 insertions, 185 deletions
diff --git a/modules/common/documentation.nix b/modules/common/documentation.nix index f9e0fcb..b28988d 100644 --- a/modules/common/documentation.nix +++ b/modules/common/documentation.nix @@ -7,23 +7,28 @@ }: { config = { - hm.manual = { - manpages.enable = this.isHeadful; - html.enable = false; - json.enable = false; + hm = { + manual = { + manpages.enable = this.isHeadful; + html.enable = false; + json.enable = false; + }; + + # Fixes a wierd issue with `direnv` and an unbound value. + home.sessionVariables.MANPATH = ""; }; documentation = { enable = this.isHeadful; dev.enable = true; doc.enable = false; - info.enable = false; + info.enable = true; nixos.enable = true; man.man-db.manualPages = (pkgs.buildEnv { name = "man-paths"; - paths = with config; environment.systemPackages ++ hm.home.packages; + paths = config.environment.systemPackages ++ config.hm.home.packages; pathsToLink = [ "/share/man" ]; extraOutputsToInstall = [ "man" ]; ignoreCollisions = true; diff --git a/modules/piracy/default.nix b/modules/piracy/default.nix index 7682356..3554a02 100644 --- a/modules/piracy/default.nix +++ b/modules/piracy/default.nix @@ -55,6 +55,9 @@ in user = "rtorrent"; inherit (cfg) group; + port = 1337; + openFirewall = true; + rpcSocket = socket; configText = with config.services.rtorrent; diff --git a/modules/profiles/headful.nix b/modules/profiles/headful.nix index 186d97d..a315af4 100644 --- a/modules/profiles/headful.nix +++ b/modules/profiles/headful.nix @@ -54,6 +54,7 @@ in packages = with pkgs; [ anki audacity + ayugram-desktop byedpi eaglemode easyeffects diff --git a/modules/soju.nix b/modules/soju.nix index 2060eca..dbf069d 100644 --- a/modules/soju.nix +++ b/modules/soju.nix 
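Review bot: The added comment `# Fixes a wierd issue with \`direnv\` and an unbound value.` has a typo and does not say which value is unbound or why an empty `MANPATH` cures it, so a later reader cannot tell when the workaround is safe to drop. Suggest `# Workaround: direnv fails on an unbound MANPATH in the session environment; define it as empty so the variable exists. TODO: confirm man still resolves its default search path with MANPATH="".`. The flip of `info.enable` from `false` to `true` in the same hunk is also unexplained and would benefit from a one-line reason. The enclosing `config = {` set continues outside the hunk.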
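Review bot: `openFirewall = true;` next to the hard-coded `port = 1337;` exposes rtorrent's listening port on every firewall interface, and nothing in the hunk records that this is the intended peer-port exposure; a comment such as `# Peer listening port; openFirewall exposes it on all interfaces.` would make that explicit. If the host also has a VPN or management interface, `networking.firewall.interfaces.<name>.allowedTCPPorts` (plus the UDP counterpart if the rtorrent module opens both protocols) scopes the exposure to the interface peers actually arrive on. The enclosing attribute set (presumably `services.rtorrent`) starts and ends outside the hunk.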
@@ -12,24 +12,30 @@ in options.nixfiles.modules.soju = { enable = mkEnableOption "soju"; - address = mkOption { - description = "Address."; - type = with types; str; - default = ""; - }; - port = mkOption { description = "Port."; type = with types; port; default = 6697; }; + httpPort = mkOption { + description = "HTTP Port."; + type = with types; port; + default = 9981; + }; + domain = mkOption { description = "Domain."; type = with types; str; default = config.networking.fqdn; }; + uploadsDir = mkOption { + description = "Uploads directory."; + type = with types; str; + default = "/srv/soju/uploads"; + }; + prometheus = { enable = mkEnableOption "Prometheus exporter" // { default = true; @@ -50,7 +56,25 @@ in mkIf cfg.enable { nixfiles.modules = { acme.enable = true; - nginx.enable = true; + nginx = { + enable = true; + upstreams.soju.servers."127.0.0.1:${toString cfg.httpPort}" = { }; + virtualHosts.${cfg.domain}.locations = { + "/_irc" = { + proxyPass = "http://soju"; + proxyWebsockets = true; + extraConfig = '' + rewrite ^/_irc/(.*)$ /$1 break; + ''; + }; + "/_irc/uploads" = { + root = "/srv/soju"; + extraConfig = '' + rewrite ^/_irc/(.*)$ /$1 break; + ''; + }; + }; + }; postgresql = { enable = true; extraPostStart = [ 
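Review bot: `uploadsDir` is declared as `types.str`, yet elsewhere in this commit it is consumed as an absolute filesystem path (`ReadWritePaths` and a `tmpfiles` `d` rule), so a relative or empty value passes evaluation and only fails at activation; `type = with types; path;` rejects it up front. The `httpPort` description `"HTTP Port."` could also say that this listener is bound to localhost and reached only through nginx, e.g. `description = "Port of the loopback HTTP listener that nginx proxies to.";`. The `options.nixfiles.modules.soju` set starts before the hunk and continues after it.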
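Review bot: The `/_irc/uploads` location hard-codes `root = "/srv/soju";` while the directory soju actually writes to comes from the new `uploadsDir` option, so changing that option leaves nginx silently serving the old path; `"/_irc/uploads/".alias = "${cfg.uploadsDir}/";` (dropping the rewrite) keeps the two in step. That location also serves user-supplied files on the `cfg.domain` origin with nginx's default content-type mapping, so an uploaded HTML file would presumably be rendered rather than downloaded; adding `add_header Content-Disposition attachment; add_header X-Content-Type-Options nosniff;` to its `extraConfig` is worth considering. The enclosing `mkIf cfg.enable` block continues outside the hunk.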
@@ -71,76 +95,87 @@ in ]; }; - systemd.services.soju = { - description = "soju IRC bouncer"; - wantedBy = [ "multi-user.target" ]; - wants = [ "network-online.target" ]; - requires = [ "postgresql.service" ]; - after = [ - "network-online.target" - "postgresql.service" - ]; - serviceConfig = { - ExecStart = - let - # https://soju.im/doc/soju.1.html - configFile = pkgs.writeText "soju.conf" '' - listen ircs://${cfg.address}:${toString cfg.port} - tls ${with config.certs.${cfg.domain}; "${directory}/fullchain.pem ${directory}/key.pem"} - ${with cfg.prometheus; optionalString enable "listen http+prometheus://localhost:${toString port}"} - db postgres "${ - concatStringsSep " " [ - "host=/run/postgresql" - "user=${db}" - "dbname=${db}" - "sslmode=disable" - ] - }" - message-store db - hostname ${cfg.domain} - title ${cfg.domain} - ''; - in - concatStringsSep " " [ - (getExe' pkgs.soju "soju") - "-config ${configFile}" - ]; - DynamicUser = true; - SupplementaryGroups = [ config.services.nginx.group ]; - AmbientCapabilities = [ "" ]; - CapabilityBoundingSet = [ "" ]; - UMask = "0077"; - LockPersonality = true; - MemoryDenyWriteExecute = true; - NoNewPrivileges = true; - PrivateDevices = true; - PrivateTmp = true; - PrivateUsers = true; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectSystem = "strict"; - ProtectProc = "invisible"; - ProcSubset = "pid"; - RemoveIPC = true; - RestrictAddressFamilies = [ - "AF_UNIX" - "AF_INET" - "AF_INET6" + systemd = { + services.soju = { + description = "soju IRC bouncer"; + documentation = [ + "https://soju.im/" + "man:soju(1)" + "man:sojuctl(1)" ]; - RestrictNamespaces = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - SystemCallArchitectures = "native"; - SystemCallFilter = [ - "@system-service" - "~@privileged" + wantedBy = [ "multi-user.target" ]; + wants = [ 
"network-online.target" ]; + requires = [ "postgresql.service" ]; + after = [ + "network-online.target" + "postgresql.service" ]; + serviceConfig = { + ExecStart = + let + # https://soju.im/doc/soju.1.html + configFile = pkgs.writeText "soju.conf" '' + listen ircs://:${toString cfg.port} + listen http://localhost:${toString cfg.httpPort} + tls ${with config.certs.${cfg.domain}; "${directory}/fullchain.pem ${directory}/key.pem"} + ${with cfg.prometheus; optionalString enable "listen http+prometheus://localhost:${toString port}"} + db postgres "${ + concatStringsSep " " [ + "host=/run/postgresql" + "user=${db}" + "dbname=${db}" + "sslmode=disable" + ] + }" + message-store db + file-upload fs ${cfg.uploadsDir} + hostname ${cfg.domain} + http-ingress https://${cfg.domain}/_irc + ''; + in + "${pkgs.soju}/bin/soju -config ${configFile}"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + DynamicUser = true; + ReadWritePaths = [ cfg.uploadsDir ]; + SupplementaryGroups = [ config.services.nginx.group ]; + AmbientCapabilities = [ "" ]; + CapabilityBoundingSet = [ "" ]; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "strict"; + ProtectProc = "invisible"; + ProcSubset = "pid"; + RemoveIPC = true; + RestrictAddressFamilies = [ + "AF_UNIX" + "AF_INET" + "AF_INET6" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + ]; + }; }; + + tmpfiles.rules = [ + "d ${cfg.uploadsDir} 0755 soju soju" + ]; }; }; } diff --git a/modules/throttled.nix b/modules/throttled.nix deleted file mode 100644 index 7d37cd4..0000000 
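Review bot: The new `tmpfiles.rules` entry `d ${cfg.uploadsDir} 0755 soju soju` is paired with `DynamicUser = true`, but a dynamic user exists only while the unit runs, so systemd-tmpfiles most likely cannot resolve `soju` at boot and, even if it could, the UID the service later receives need not match the directory owner; `StateDirectory` (with `uploadsDir` defaulting to its path) or a static `User = "soju"` backed by a declared user would make ownership deterministic. `UMask = "0077"` was also dropped on the new side without explanation; if that is what lets the nginx group read uploaded files, a line such as `# Default umask on purpose: uploads must stay group/world readable for nginx to serve them.` would record it. The rest of the `serviceConfig` hardening list is carried over unchanged.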
--- a/modules/throttled.nix +++ /dev/null 
@@ -1,105 +0,0 @@ -{ config, lib, ... }: -with lib; -let - cfg = config.nixfiles.modules.throttled; -in -{ - options.nixfiles.modules.throttled.enable = mkEnableOption "Throttled"; - - config = mkIf cfg.enable { - services.throttled.enable = true; - - environment.etc."throttled.conf".text = mkDefault '' - [GENERAL] - # Enable or disable the script execution - Enabled: True - # SYSFS path for checking if the system is running on AC power - Sysfs_Power_Path: /sys/class/power_supply/AC*/online - # Auto reload config on changes - Autoreload: True - - ## Settings to apply while connected to Battery power - [BATTERY] - # Update the registers every this many seconds - Update_Rate_s: 30 - # Max package power for time window #1 - PL1_Tdp_W: 29 - # Time window #1 duration - PL1_Duration_s: 28 - # Max package power for time window #2 - PL2_Tdp_W: 44 - # Time window #2 duration - PL2_Duration_S: 0.002 - # Max allowed temperature before throttling - Trip_Temp_C: 85 - # Set cTDP to normal=0, down=1 or up=2 (EXPERIMENTAL) - cTDP: 0 - # Disable BDPROCHOT (EXPERIMENTAL) - Disable_BDPROCHOT: False - - ## Settings to apply while connected to AC power - [AC] - # Update the registers every this many seconds - Update_Rate_s: 5 - # Max package power for time window #1 - PL1_Tdp_W: 44 - # Time window #1 duration - PL1_Duration_s: 28 - # Max package power for time window #2 - PL2_Tdp_W: 44 - # Time window #2 duration - PL2_Duration_S: 0.002 - # Max allowed temperature before throttling - Trip_Temp_C: 95 - # Set HWP energy performance hints to 'performance' on high load (EXPERIMENTAL) - # Uncomment only if you really want to use it - # HWP_Mode: False - # Set cTDP to normal=0, down=1 or up=2 (EXPERIMENTAL) - cTDP: 0 - # Disable BDPROCHOT (EXPERIMENTAL) - Disable_BDPROCHOT: False - - # All voltage values are expressed in mV and *MUST* be negative (i.e. undervolt)! 
- [UNDERVOLT.BATTERY] - # CPU core voltage offset (mV) - CORE: 0 - # Integrated GPU voltage offset (mV) - GPU: 0 - # CPU cache voltage offset (mV) - CACHE: 0 - # System Agent voltage offset (mV) - UNCORE: 0 - # Analog I/O voltage offset (mV) - ANALOGIO: 0 - - # All voltage values are expressed in mV and *MUST* be negative (i.e. undervolt)! - [UNDERVOLT.AC] - # CPU core voltage offset (mV) - CORE: 0 - # Integrated GPU voltage offset (mV) - GPU: 0 - # CPU cache voltage offset (mV) - CACHE: 0 - # System Agent voltage offset (mV) - UNCORE: 0 - # Analog I/O voltage offset (mV) - ANALOGIO: 0 - - # [ICCMAX.AC] - # # CPU core max current (A) - # CORE: - # # Integrated GPU max current (A) - # GPU: - # # CPU cache max current (A) - # CACHE: - - # [ICCMAX.BATTERY] - # # CPU core max current (A) - # CORE: - # # Integrated GPU max current (A) - # GPU: - # # CPU cache max current (A) - # CACHE: - ''; - }; -} |