author | azahi <azat@bahawi.net> | 2025-02-05 17:18:02 +0300 |
---|---|---|
committer | azahi <azat@bahawi.net> | 2025-02-05 17:18:02 +0300 |
commit | ec25e095a26ad1e4823887a6653132948ebc5f87 (patch) | |
tree | f3d9e02f13515e7c63bc716dc39e193924589bc8 /modules | |
parent | 2025-02-02 (diff) |
2025-02-05
Diffstat (limited to 'modules')
-rw-r--r-- | modules/acme.nix | 7 | ||||
-rw-r--r-- | modules/common/stylix.nix | 1 | ||||
-rw-r--r-- | modules/firefox/default.nix | 8 | ||||
-rw-r--r-- | modules/kde.nix | 94 | ||||
-rw-r--r-- | modules/matrix/dendrite.nix | 29 | ||||
-rw-r--r-- | modules/matrix/element.nix | 15 | ||||
-rw-r--r-- | modules/nsd.nix | 10 | ||||
-rw-r--r-- | modules/openssh.nix | 1 | ||||
-rw-r--r-- | modules/plausible.nix | 2 | ||||
-rw-r--r-- | modules/profiles/dev/default.nix | 1 | ||||
-rw-r--r-- | modules/searx.nix | 2 | ||||
-rw-r--r-- | modules/unbound-ng.nix | 2 | ||||
-rw-r--r-- | modules/unbound.nix | 121 | ||||
-rw-r--r-- | modules/wireguard.nix | 1 |
14 files changed, 200 insertions, 94 deletions
diff --git a/modules/acme.nix b/modules/acme.nix index 9a2f3f1..bbaf434 100644 --- a/modules/acme.nix +++ b/modules/acme.nix @@ -21,7 +21,7 @@ in email = mkOption { description = "Email for notifications."; type = with types; str; - default = "admin+acme@${my.domain.shire}"; + default = "hostmaster@${my.domain.shire}"; }; }; @@ -30,10 +30,7 @@ in security.acme = { acceptTerms = true; - defaults = { - inherit (cfg) email; - validMinDays = 60; - }; + defaults = { inherit (cfg) email; }; }; }; } diff --git a/modules/common/stylix.nix b/modules/common/stylix.nix index f17cb4c..4476260 100644 --- a/modules/common/stylix.nix +++ b/modules/common/stylix.nix @@ -40,7 +40,6 @@ with lib; config = { stylix = { enable = this.isHeadful; - autoEnable = this.isHeadful; image = pkgs.fetchurl { url = "https://upload.wikimedia.org/wikipedia/commons/a/a5/Bonaparte_ante_la_Esfinge%2C_por_Jean-Léon_Gérôme.jpg"; diff --git a/modules/firefox/default.nix b/modules/firefox/default.nix index bad56ff..3507f2d 100644 --- a/modules/firefox/default.nix +++ b/modules/firefox/default.nix @@ -40,7 +40,7 @@ in let mkCssWithRoot = css: - mkMerge [ + [ ( let mapFonts = concatMapStringsSep ", " (font: ''"${font}"''); @@ -59,7 +59,8 @@ in '' ) (builtins.readFile css) - ]; + ] + |> concatLines; in { id = 0; @@ -516,6 +517,7 @@ in "browser.theme.dark-private-windows" = false; "browser.toolbars.bookmarks.visibility" = "newtab"; "browser.translations.enable" = false; + "browser.uidensity" = 0; "browser.urlbar.decodeURLsOnCopy" = true; "browser.urlbar.suggest.addons" = false; "browser.urlbar.suggest.bookmark" = true; @@ -538,7 +540,9 @@ in "media.hardwaremediakeys.enabled" = false; "media.videocontrols.picture-in-picture.video-toggle.enabled" = false; "reader.parse-on-load.enabled" = false; + "svg.context-properties.content.enabled" = true; "toolkit.legacyUserProfileCustomizations.stylesheets" = true; + "widget.gtk.rounded-bottom-corners.enabled" = true; }; }; }; 
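Review bot: Dropping `validMinDays = 60` from `security.acme.defaults` in modules/acme.nix silently falls back to the NixOS module's default renewal window (30 days, if I remember the option correctly), which shortens the margin before expiry for the 90-day Let's Encrypt certificates; if that is intentional, a short comment would stop the next reader from re-adding it, e.g. `defaults = { inherit (cfg) email; }; # renewal window left at the module default on purpose`. The same hunk moves the ACME contact to `hostmaster@`, which is where expiry warnings will now be sent, so that alias must actually be delivered somewhere — the diff does not show the mail side.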
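Review bot: The rewritten `mkCssWithRoot` in modules/firefox/default.nix uses the `|>` pipe operator, which is still an experimental Nix feature (`pipe-operators`), so evaluation now fails on any Nix that does not enable it; the same applies to the `|>` chains added in modules/unbound.nix. Unless the flake already sets `nixConfig.experimental-features` to include it (not visible here), a comment at the first use such as `# requires experimental-features = pipe-operators` would save the next person a confusing parse error. Replacing `mkMerge [ ... ]` with `[ ... ] |> concatLines` also changes the value from a merged list of definitions to one concatenated string, so the consuming option must accept a plain string — worth a check, since the body of `mkCssWithRoot` is split across the two hunks and its consumer is outside them.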
diff --git a/modules/kde.nix b/modules/kde.nix index c227620..f20d5ea 100644 --- a/modules/kde.nix +++ b/modules/kde.nix @@ -1,17 +1,17 @@ { config, + inputs, lib, pkgs, ... }: -with lib; let cfg = config.nixfiles.modules.kde; in { - options.nixfiles.modules.kde.enable = mkEnableOption "KDE Plasma"; + options.nixfiles.modules.kde.enable = lib.mkEnableOption "KDE Plasma"; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { nixfiles.modules = { common.xdg.defaultApplications."org.kde.dolphin" = [ "inode/directory" ]; 
@@ -19,29 +19,83 @@ in sound.enable = true; }; + # stylix.targets.qt.platform = "kde"; + hm = { - stylix.targets.kde.enable = true; + imports = [ inputs.plasma-manager.homeManagerModules.plasma-manager ]; - programs.firefox.profiles.default.settings = { - "widget.use-xdg-desktop-portal.file-picker" = 1; - "widget.use-xdg-desktop-portal.mime-handler" = 1; - }; + home.sessionVariables.GTK_THEME = config.hm.gtk.theme.name; - gtk.theme = { - package = mkForce pkgs.breeze-gtk; - name = mkForce "Breeze"; + gtk.theme = lib.mkForce { + package = pkgs.kdePackages.breeze-gtk; + name = "Breeze"; }; + # programs = { + # plasma = { + # enable = true; + + # fonts = { + # windowTitle = with config.stylix.fonts; { + # family = sansSerif.name; + # pointSize = sizes.desktop; + # }; + # }; + + # desktop = { + # icons = { + # alignment = "left"; + # arrangement = "topToBottom"; + # sorting = { + # mode = "name"; + # descending = true; + # foldersFirst = true; + # }; + # }; + # }; + + # session = { + # general.askForConfirmationOnLogout = true; + # sessionRestore = { + # excludeApplications = [ ]; + # restoreOpenApplicationsOnLogin = "whenSessionWasManuallySaved"; + # }; + # }; + + # spectacle = { + # shortcuts = { + # launch = "Meta+S"; + # launchWithoutCapturing = "Meta+Alt+S"; + + # captureActiveWindow = "Meta+Print"; + # captureCurrentMonitor = "Print"; + # captureEntireDesktop = "Shift+Print"; + # captureRectangularRegion = "Meta+Shift+S"; + # captureWindowUnderCursor = "Meta+Ctrl+Print"; + + # recordRegion = "Meta+Shift+R"; + # recordScreen = "Meta+Alt+R"; + # recordWindow = "Meta+Ctrl+R"; + # }; + # }; + + # configFile = { + # kcminputrc.Keyboard = with config.services.xserver; { + # RepeatDelay = autoRepeatDelay; + # RepeatRate = autoRepeatInterval; + # }; + # }; + # }; + # }; + xdg.configFile = { - "fontconfig/conf.d/10-hm-fonts.conf".force = mkForce true; - "mimeapps.list".force = mkForce true; - "kcminputrc".text = generators.toINI { } { - Keyboard = with 
config.services.xserver; { - RepeatDelay = autoRepeatDelay; - RepeatRate = autoRepeatInterval; - }; - }; - "baloofilerc".text = generators.toINI { } { "Basic Settings"."Indexing-Enabled" = false; }; + "fontconfig/conf.d/10-hm-fonts.conf".force = lib.mkForce true; + "mimeapps.list".force = lib.mkForce true; + }; + + programs.firefox.profiles.default.settings = { + "widget.use-xdg-desktop-portal.file-picker" = 1; + "widget.use-xdg-desktop-portal.mime-handler" = 1; }; }; diff --git a/modules/matrix/dendrite.nix b/modules/matrix/dendrite.nix index c391ba0..89704ea 100644 --- a/modules/matrix/dendrite.nix +++ b/modules/matrix/dendrite.nix @@ -6,22 +6,21 @@ this, ... }: -with lib; let cfg = config.nixfiles.modules.matrix.dendrite; in { options.nixfiles.modules.matrix.dendrite = { - enable = mkEnableOption "Dendrite Matrix server"; + enable = lib.mkEnableOption "Dendrite Matrix server"; - port = mkOption { + port = lib.mkOption { description = "Port."; - type = with types; port; + type = lib.types.port; default = 8008; }; - domain = mkOption { - type = types.str; + domain = lib.mkOption { + type = lib.types.str; default = config.networking.domain; description = "Domain name sans protocol scheme."; }; @@ -31,7 +30,7 @@ in let db = "dendrite"; in - mkIf cfg.enable { + lib.mkIf cfg.enable { ark.directories = [ "/var/lib/dendrite" "/var/lib/private/dendrite" 
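Review bot: modules/kde.nix now commits roughly sixty lines of commented-out `programs.plasma` configuration, which is dead text that will drift from plasma-manager's option names; either drop it or leave a one-line note at its top such as `# plasma-manager config kept disabled until <reason>` so the next reader knows whether it is pending or abandoned. Dropping the `baloofilerc` entry re-enables the Baloo file indexing the old config turned off explicitly, and replacing `stylix.targets.kde.enable = true` with a commented `stylix.targets.qt.platform` line drops Stylix theming for KDE; both are easy to miss among the `lib.`-prefix changes and deserve a word in the commit message or a comment if deliberate.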
@@ -58,14 +57,16 @@ in add_header Content-Type application/json; add_header Access-Control-Allow-Origin *; ''; - return = "200 '${generators.toJSON { } { "m.server" = "${cfg.domain}:443"; }}'"; + return = "200 '${lib.generators.toJSON { } { "m.server" = "${cfg.domain}:443"; }}'"; }; "= /.well-known/matrix/client" = { extraConfig = '' add_header Content-Type application/json; add_header Access-Control-Allow-Origin *; ''; - return = "200 '${generators.toJSON { } { "m.homeserver".base_url = "https://${cfg.domain}"; }}'"; + return = "200 '${ + lib.generators.toJSON { } { "m.homeserver".base_url = "https://${cfg.domain}"; } + }'"; }; }; }; @@ -119,7 +120,7 @@ in serviceConfig = let needsPrivileges = cfg.port < 1024; - capabilities = [ "" ] ++ optionals needsPrivileges [ "CAP_NET_BIND_SERVICE" ]; + capabilities = [ "" ] ++ lib.optionals needsPrivileges [ "CAP_NET_BIND_SERVICE" ]; in { Restart = "on-failure"; @@ -185,13 +186,13 @@ in ]; }; in - concatStringsSep " " [ - (getExe pkgs.envsubst) + lib.concatStringsSep " " [ + (lib.getExe pkgs.envsubst) "-i ${(pkgs.formats.yaml { }).generate "dendrite.yaml" settings}" "-o /run/dendrite/dendrite.yaml" ]; - ExecStart = concatStringsSep " " [ - (getExe' pkgs.dendrite "dendrite") + ExecStart = lib.concatStringsSep " " [ + (lib.getExe' pkgs.dendrite "dendrite") "--config /run/dendrite/dendrite.yaml" "--http-bind-address 127.0.0.1:${toString cfg.port}" ]; diff --git a/modules/matrix/element.nix b/modules/matrix/element.nix index 01b991e..c1c29a7 100644 --- a/modules/matrix/element.nix +++ b/modules/matrix/element.nix 
@@ -4,28 +4,27 @@ pkgs, ... }: -with lib; let cfg = config.nixfiles.modules.matrix.element; in { options.nixfiles.modules.matrix.element = { - enable = mkEnableOption "Element, a Matrix web interface"; + enable = lib.mkEnableOption "Element, a Matrix web interface"; - domain = mkOption { + domain = lib.mkOption { description = "Domain name sans protocol scheme."; - type = with types; nullOr str; + type = with lib.types; nullOr str; default = "element.${config.networking.domain}"; }; - homeserver = mkOption { + homeserver = lib.mkOption { description = "Default Matrix homeserver."; - type = with types; str; - default = my.domain.azahi; + type = lib.types.str; + default = lib.my.domain.azahi; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { assertions = [ { assertion = diff --git a/modules/nsd.nix b/modules/nsd.nix index 13cebe9..efc175c 100644 --- a/modules/nsd.nix +++ b/modules/nsd.nix @@ -78,8 +78,8 @@ in { p = "quarantine"; sp = "quarantine"; - rua = [ "mailto:admin+rua@${domain}" ]; - ruf = [ "mailto:admin+ruf@${domain}" ]; + rua = [ "mailto:postmaster@${domain}" ]; + ruf = [ "mailto:postmaster@${domain}" ]; } ]; DKIM = optional (dkimKey != null) { @@ -102,8 +102,8 @@ in SOA = { nameServer = "${cfg.fqdn}."; - adminEmail = "admin+dns@${my.domain.shire}"; - serial = 2024010301; # Don't forget to bump the revision! + adminEmail = "hostmaster@${my.domain.shire}"; + serial = 2025020201; # Don't forget to bump the revision! }; NS = with my.domain; [ @@ -111,7 +111,7 @@ in # "ns2.${shire}" ]; - CAA = letsEncrypt "admin+caa@${my.domain.shire}"; + CAA = letsEncrypt "hostmaster@${my.domain.shire}"; } sldIps extra diff --git a/modules/openssh.nix b/modules/openssh.nix index a41f0d6..d850322 100644 --- a/modules/openssh.nix +++ b/modules/openssh.nix @@ -37,6 +37,7 @@ in controlMaster = "auto"; controlPersist = "24H"; + controlPath = "~/.ssh/control/%r@%n:%p"; # The directory must exist. serverAliveCountMax = 30; serverAliveInterval = 60; 
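Review bot: The DMARC `rua`/`ruf` addresses, the SOA `adminEmail` and the CAA contact in modules/nsd.nix are all moved from plus-addressed `admin+*` aliases to the role mailboxes `postmaster@` and `hostmaster@`, but nothing in this diff shows those mailboxes being created or aliased on the mail side; if they are not delivered, DMARC aggregate reports and CAA iodef notifications are lost silently. Worth confirming the alias list in the mail module (outside this diff) accepts both role addresses before the zone is published. The serial bump to `2025020201` follows the date convention used before.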
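Review bot: `controlPath = "~/.ssh/control/%r@%n:%p"` in modules/openssh.nix is added with the comment that the directory must exist, but nothing in the diff creates it, and with `controlMaster = "auto"` ssh will fail to set up the master socket on a fresh home; since this looks like the Home Manager `programs.ssh` block (the enclosing attribute starts outside the hunk), creating it declaratively with something like `home.file.".ssh/control/.keep".text = "";` avoids a manual step. `%n` is the host name as typed on the command line, so long names can push the socket path past the Unix socket path length limit; `%C` (a hash of local host, remote host, port and user) is the usual way to keep the path short and keeps the target out of the filename, e.g. `controlPath = "~/.ssh/control/%C";`.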
diff --git a/modules/plausible.nix b/modules/plausible.nix index 89729fd..e910986 100644 --- a/modules/plausible.nix +++ b/modules/plausible.nix @@ -88,7 +88,7 @@ in # }; mail = { - email = "admin+plausible@${my.domain.shire}"; + email = "plausible@${my.domain.shire}"; smtp = { hostAddr = my.domain.shire; hostPort = 465; diff --git a/modules/profiles/dev/default.nix b/modules/profiles/dev/default.nix index bb7cfc9..a6cc61d 100644 --- a/modules/profiles/dev/default.nix +++ b/modules/profiles/dev/default.nix @@ -80,6 +80,7 @@ in nixpkgs-review opentofu scaleway-cli + scanmem sops sqlitebrowser terraform diff --git a/modules/searx.nix b/modules/searx.nix index ab186af..1b1e6d5 100644 --- a/modules/searx.nix +++ b/modules/searx.nix @@ -48,7 +48,7 @@ in settings = { general = { instance_name = cfg.domain; - contact_url = "mailto:admin+searx@${config.networking.domain}"; + contact_url = "mailto:searx@${config.networking.domain}"; git_url = false; git_branch = false; docs_url = false; diff --git a/modules/unbound-ng.nix b/modules/unbound-ng.nix index 3d3c6da..583d22a 100644 --- a/modules/unbound-ng.nix +++ b/modules/unbound-ng.nix @@ -158,7 +158,7 @@ in enableRootTrustAnchor = true; - localControlSocketPath = "/run/unbound/unbound.socket"; + localControlSocketPath = "/run/unbound/unbound.sock"; }; prometheus.exporters.unbound = { diff --git a/modules/unbound.nix b/modules/unbound.nix index b8de321..7156409 100644 --- a/modules/unbound.nix +++ b/modules/unbound.nix 
@@ -6,22 +6,21 @@ this, ... }: -with lib; let cfg = config.nixfiles.modules.unbound; in { options.nixfiles.modules.unbound = { - enable = mkEnableOption "Unbound"; + enable = lib.mkEnableOption "Unbound"; - domain = mkOption { + domain = lib.mkOption { description = "Domain name sans protocol scheme."; - type = with types; str; + type = lib.types.str; default = config.networking.domain; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { ark.directories = [ config.services.unbound.stateDir ]; nixfiles.modules.redis.enable = true; @@ -31,6 +30,7 @@ in enable = true; package = pkgs.unbound-with-systemd.override { + withDNSTAP = true; withRedis = true; withTFO = true; }; @@ -47,17 +47,18 @@ in ipv6.address ]; - local-zone = concatLists ( - mapAttrsToList (h: _: [ "\"${h}.${cfg.domain}\" redirect" ]) my.configurations - ); - local-data = concatLists ( - mapAttrsToList ( + local-zone = + lib.my.configurations + |> lib.mapAttrsToList (x: _: [ "\"${x}.${cfg.domain}\" redirect" ]) + |> lib.concatLists; + local-data = lib.concatLists ( + lib.mapAttrsToList ( hostname: let domain = "${hostname}.${cfg.domain}"; in attr: - (optionals (hasAttr "wireguard" attr) ( + (lib.optionals (lib.hasAttr "wireguard" attr) ( with attr.wireguard; [ "\"${domain} 604800 IN A ${ipv4.address}\"" 
@@ -65,36 +66,36 @@ in "\"${domain}. A ${ipv4.address}\"" "\"${domain}. AAAA ${ipv6.address}\"" ] - ++ (optionals (hasAttr "domains" attr) ( - concatMap (domain: [ + ++ (lib.optionals (lib.hasAttr "domains" attr) ( + lib.concatMap (domain: [ "\"${domain}. A ${ipv4.address}\"" "\"${domain}. AAAA ${ipv6.address}\"" ]) attr.domains )) )) - ) my.configurations + ) lib.my.configurations ); - local-data-ptr = concatLists ( - mapAttrsToList ( + local-data-ptr = lib.concatLists ( + lib.mapAttrsToList ( hostname: let domain = "${hostname}.${cfg.domain}"; in attr: - (optionals (hasAttr "wireguard" attr) ( + (lib.optionals (lib.hasAttr "wireguard" attr) ( with attr.wireguard; [ "\"${ipv4.address} ${domain}\"" "\"${ipv6.address} ${domain}\"" ] - ++ (optionals (hasAttr "domains" attr) ( - concatMap (domain: [ + ++ (lib.optionals (lib.hasAttr "domains" attr) ( + lib.concatMap (domain: [ "\"${ipv4.address} ${domain}\"" "\"${ipv6.address} ${domain}\"" ]) attr.domains )) )) - ) my.configurations + ) lib.my.configurations ); private-domain = map (domain: "${domain}.") [ @@ -116,6 +117,7 @@ in ]; cache-min-ttl = 0; + cache-max-ttl = 60 * 60 * 24; serve-expired = true; serve-expired-reply-ttl = 0; @@ -123,8 +125,8 @@ in prefetch = true; prefetch-key = true; - hide-identity = true; - hide-version = true; + hide-identity = false; + hide-version = false; extended-statistics = true; @@ -132,14 +134,14 @@ in log-tag-queryreply = false; log-local-actions = false; - verbosity = 0; + verbosity = 1; }; forward-zone = [ { name = "."; forward-tls-upstream = true; - forward-addr = dns.mkDoT dns.const.quad9.ecs; + forward-addr = lib.dns.mkDoT lib.dns.const.quad9.ecs; } ]; 
@@ -149,36 +151,85 @@ in redis-server-port = port; }; - rpz = { - name = "hagezi.pro"; - zonefile = "hagezi.pro"; - url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt"; + dnstap = { + dnstap-enable = true; + dnstap-socket-path = "/run/dnstap-unbound/read.sock"; + dnstap-send-identity = true; + dnstap-send-version = true; + dnstap-log-resolver-query-messages = true; + dnstap-log-resolver-response-messages = true; + dnstap-log-client-query-messages = true; + dnstap-log-client-response-messages = true; + dnstap-log-forwarder-query-messages = true; + dnstap-log-forwarder-response-messages = true; }; + + rpz = [ + { + name = "hagezi-pro"; + zonefile = "hagezi-pro"; + url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt"; + } + { + name = "big-osid"; + zonefile = "big-osid"; + url = "https://big.oisd.nl/rpz"; + } + { + name = "nsfw-osid"; + zonefile = "nsfw-osid"; + url = "https://nsfw.oisd.nl/rpz"; + } + ]; }; enableRootTrustAnchor = true; - localControlSocketPath = "/run/unbound/unbound.socket"; + localControlSocketPath = "/run/unbound/control.sock"; }; prometheus.exporters.unbound = { enable = true; - listenAddress = mkDefault this.wireguard.ipv4.address; + listenAddress = lib.mkDefault this.wireguard.ipv4.address; port = 9167; inherit (config.services.unbound) group user; unbound.host = "unix://${config.services.unbound.localControlSocketPath}"; }; }; - boot.kernel.sysctl."net.ipv4.tcp_fastopen" = mkOverride 200 3; + systemd = + let + in + { + services = { + unbound = { + after = [ "dnstap-unbound.service" ]; + requires = [ "dnstap-unbound.service" ]; + }; + + dnstap-unbound = { + serviceConfig = { + ExecStart = "${lib.getExe pkgs.dnstap} -u ${config.services.unbound.settings.dnstap.dnstap-socket-path}"; + User = config.services.unbound.user; + Group = config.services.unbound.group; + RuntimeDirectory = "dnstap-unbound"; + }; + wantedBy = [ "multi-user.target" ]; + }; + }; + }; + + 
boot.kernel.sysctl."net.ipv4.tcp_fastopen" = lib.mkOverride 200 3; - topology = with cfg; { + topology = { nodes.${this.hostname}.services.unbound = { name = "Unbound"; icon = "${inputs.homelab-svg-assets}/assets/unbound.svg"; - details.listen.text = concatMapStringsSep "\n" (i: "${i}:53") ( - filter (i: i != "127.0.0.1" && i != "::1") config.services.unbound.settings.server.interface - ); + details.listen.text = + config.services.unbound.settings.server.interface + |> lib.filter (x: x != "127.0.0.1" && x != "::1") + |> map (x: "${x}:53") + |> lib.concatLines; }; }; }; diff --git a/modules/wireguard.nix b/modules/wireguard.nix index c9d9937..bb5daad 100644 --- a/modules/wireguard.nix +++ b/modules/wireguard.nix @@ -262,7 +262,6 @@ in cidrv4 = cfg.ipv4.subnet; cidrv6 = cfg.ipv6.subnet; icon = "interfaces.wireguard"; - style.pattern = "dotted"; }; nodes.${this.hostname}.interfaces.${cfg.interface} = { |
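Review bot: Flipping `hide-identity` and `hide-version` to `false` in modules/unbound.nix makes the resolver answer `id.server`/`version.bind` CHAOS queries with its hostname and Unbound version, which is unrelated to the dnstap work (`dnstap-send-identity`/`dnstap-send-version` govern what goes into the dnstap frames, not what clients can query), so unless version disclosure is wanted these two should stay `true`. The new `dnstap-unbound` service records every client and resolver query and response to the journal via `dnstap -u`, i.e. a complete DNS history of every client of this resolver, and the unit carries no retention or hardening settings; at minimum a comment stating why full client logging is enabled and how long journald keeps it would help. `after`/`requires` start `dnstap` first but do not wait for the socket to appear, so Unbound's first connection attempt may race it — Unbound reconnects as far as I know, so this is probably only log noise. Two style nits: `systemd = let in { ... }` has an empty `let`, and the `big-osid`/`nsfw-osid` names misspell oisd.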