Diffstat (limited to 'modules/nixos')
-rw-r--r--modules/nixos/bluetooth.nix11
-rw-r--r--modules/nixos/grafana.nix6
-rw-r--r--modules/nixos/kde.nix1
-rw-r--r--modules/nixos/matrix/dendrite.nix193
-rw-r--r--modules/nixos/monitoring/default.nix7
-rw-r--r--modules/nixos/openssh.nix21
-rw-r--r--modules/nixos/profiles/headless.nix5
7 files changed, 146 insertions, 98 deletions
diff --git a/modules/nixos/bluetooth.nix b/modules/nixos/bluetooth.nix
index cf92179..76131bf 100644
--- a/modules/nixos/bluetooth.nix
+++ b/modules/nixos/bluetooth.nix
@@ -16,14 +16,9 @@ in {
hardware.bluetooth = {
enable = true;
settings.General.FastConnectable = true;
- };
-
- environment = {
- etc."bluetooth/input.conf".text = generators.toINI {} {
- General = {
- IdleTimeout = 15;
- UserspaceHID = true;
- };
+ input.General = {
+ IdleTimeout = 15;
+ UserspaceHID = true;
};
};
};
diff --git a/modules/nixos/grafana.nix b/modules/nixos/grafana.nix
index a614502..0b2e210 100644
--- a/modules/nixos/grafana.nix
+++ b/modules/nixos/grafana.nix
@@ -39,7 +39,7 @@ in {
group = "grafana";
};
grafana-smtp-password = {
- file = "${inputs.self}/secrets/grafana-smtp-password";
+ file = "${inputs.self}/secrets/smtp-password";
owner = "grafana";
group = "grafana";
};
@@ -98,8 +98,8 @@ in {
auto_assign_org_role = "Viewer";
};
security = with config.secrets; {
- secret_key = grafana-key.path;
- admin_password = grafana-admin-password.path;
+ secret_key = "$__file{${grafana-key.path}}";
+ admin_password = "$__file{${grafana-admin-password.path}}";
};
analytics.reporting_enable = false;
};
diff --git a/modules/nixos/kde.nix b/modules/nixos/kde.nix
index a430294..66fabbd 100644
--- a/modules/nixos/kde.nix
+++ b/modules/nixos/kde.nix
@@ -30,7 +30,6 @@ in {
enable = true;
excludePackages = with pkgs.plasma5Packages; [
elisa
- gwenview
khelpcenter
okular
print-manager
diff --git a/modules/nixos/matrix/dendrite.nix b/modules/nixos/matrix/dendrite.nix
index 0fad5f2..6b662b2 100644
--- a/modules/nixos/matrix/dendrite.nix
+++ b/modules/nixos/matrix/dendrite.nix
@@ -11,6 +11,12 @@ in {
options.nixfiles.modules.matrix.dendrite = {
enable = mkEnableOption "Dendrite Matrix server";
+ port = mkOption {
+ description = "Port.";
+ type = with types; port;
+ default = 8008;
+ };
+
domain = mkOption {
type = types.str;
default = config.networking.domain;
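Review bot: The new `port` option is documented only as "Port.", which tells a reader neither what the port is for nor that it only affects the loopback listener; suggest `description = "TCP port the Dendrite HTTP listener binds to on 127.0.0.1.";` — the bind address is fixed in the ExecStart built later in this file. As a point of style, `type = with types; port;` is a roundabout spelling of `type = types.port;`, which is what the neighbouring `domain` option uses. The options set continues outside the hunk.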
@@ -68,90 +74,129 @@ in {
};
};
- services = {
- dendrite = {
- enable = true;
- httpPort = 8008;
- environmentFile = config.secrets.dendrite-environment-file.path;
- settings = {
- version = 2;
- global = {
- server_name = cfg.domain;
- private_key = config.secrets.dendrite-private-key.path;
- database = {
- connection_string = "postgresql://${db}@/${db}?host=/run/postgresql";
- max_open_conns = 64;
- max_idle_connections = 8;
+ services.postgresql = {
+ ensureDatabases = [db];
+ ensureUsers = [
+ {
+ name = db;
+ ensurePermissions."DATABASE \"${db}\"" = "ALL";
+ }
+ ];
+ };
+
+ systemd.services.dendrite = {
+ description = "Dendrite Matrix homeserver";
+ requires = ["network.target"];
+ wantedBy = ["multi-user.target"];
+ serviceConfig = let
+ needsPrivileges = cfg.port < 1024;
+ capabilities = [""] ++ optionals needsPrivileges ["CAP_NET_BIND_SERVICE"];
+ in {
+ Restart = "on-failure";
+ ExecStartPre = let
+ settings = {
+ version = 2;
+ global = {
+ server_name = cfg.domain;
+ private_key = config.secrets.dendrite-private-key.path;
+ database = {
+ connection_string = "postgresql://${db}@/${db}?host=/run/postgresql";
+ max_open_conns = 64;
+ max_idle_connections = 8;
+ };
+ cache = {
+ max_size_estimated = "1gb";
+ max_age = "1h";
+ };
+ trusted_third_party_id_servers = [
+ "matrix.org"
+ "nixos.org"
+ "vector.im"
+ ];
+ presence = {
+ enable_inbound = false;
+ enable_outbound = false;
+ };
};
- cache = {
- max_size_estimated = "1gb";
- max_age = "1h";
+ client_api = {
+ registration_disabled = true;
+ guests_disabled = true;
+ registration_shared_secret = "$REGISTRATION_SHARED_SECRET";
};
- trusted_third_party_id_servers = [
- "matrix.org"
- "nixos.org"
- "vector.im"
- ];
- presence = {
- enable_inbound = false;
- enable_outbound = false;
+ media_api = {
+ base_path = "/var/lib/dendrite/media_store";
+ max_file_size_bytes = 0;
+ dynamic_thumbnails = true;
+ max_thumbnail_generators = 8;
+ thumbnail_sizes = [
+ {
+ width = 32;
+ height = 32;
+ method = "crop";
+ }
+ {
+ width = 96;
+ height = 96;
+ method = "crop";
+ }
+ {
+ width = 640;
+ height = 480;
+ method = "scale";
+ }
+ ];
};
- };
- client_api = {
- registration_disabled = true;
- guests_disabled = true;
- registration_shared_secret = "$REGISTRATION_SHARED_SECRET";
- };
- media_api = {
- max_file_size_bytes = 0;
- dynamic_thumbnails = true;
- max_thumbnail_generators = 8;
- thumbnail_sizes = [
+ logging = [
{
- width = 32;
- height = 32;
- method = "crop";
- }
- {
- width = 96;
- height = 96;
- method = "crop";
- }
- {
- width = 640;
- height = 480;
- method = "scale";
+ type = "std";
+ level = "warn";
}
];
};
- logging = [
- {
- type = "std";
- level = "warn";
- }
+ in
+ concatStringsSep " " [
+ "${pkgs.envsubst}/bin/envsubst"
+ "-i ${(pkgs.formats.yaml {}).generate "dendrite.yaml" settings}"
+ "-o /run/dendrite/dendrite.yaml"
];
- };
- };
-
- postgresql = {
- ensureDatabases = [db];
- ensureUsers = [
- {
- name = db;
- ensurePermissions."DATABASE \"${db}\"" = "ALL";
- }
+ ExecStart = concatStringsSep " " [
+ "${pkgs.dendrite}/bin/dendrite-monolith-server"
+ "--config /run/dendrite/dendrite.yaml"
+ "--http-bind-address 127.0.0.1:${toString cfg.port}"
];
+ ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ EnvironmentFile = config.secrets.dendrite-environment-file.path;
+ DynamicUser = true;
+ StateDirectory = "dendrite";
+ RuntimeDirectory = "dendrite";
+ RuntimeDirectoryMode = "0700";
+ AmbientCapabilities = capabilities;
+ CapabilityBoundingSet = capabilities;
+ UMask = "0077";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = !needsPrivileges;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "strict";
+ ProtectProc = "noaccess";
+ ProcSubset = "pid";
+ RemoveIPC = true;
+ RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = ["@system-service" "~@privileged"];
};
};
-
- systemd.services.dendrite.serviceConfig.ExecStart =
- mkForce
- (concatStringsSep " " [
- "${pkgs.dendrite}/bin/dendrite-monolith-server"
- "--config /run/dendrite/dendrite.yaml"
- "--http-bind-address 127.0.0.1:${
- toString config.services.dendrite.httpPort
- }"
- ]);
};
}
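Review bot: The hand-rolled `systemd.services.dendrite` unit declares `requires = ["network.target"]` but no `after`, so systemd applies no start ordering against the network or against PostgreSQL, even though ExecStart connects over `/run/postgresql` (the `connection_string` in the generated settings) and `services.postgresql` is provisioned in the same hunk. `Restart = "on-failure"` will probably mask this as a failed first attempt at boot, but the ordering is cheap to state: `after = ["network.target" "postgresql.service"];` and `requires = ["network.target" "postgresql.service"];`. Separately, ExecStartPre runs envsubst over the whole config, so if `REGISTRATION_SHARED_SECRET` is missing from the EnvironmentFile the rendered `registration_shared_secret` silently becomes an empty string instead of the unit failing; if `pkgs.envsubst` is the Go implementation (the `-i`/`-o` flags suggest so), adding `-no-unset -no-empty` to that invocation turns the misconfiguration into a start failure. The enclosing config attribute set starts above the hunk.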
diff --git a/modules/nixos/monitoring/default.nix b/modules/nixos/monitoring/default.nix
index 4ff4c50..57a0d09 100644
--- a/modules/nixos/monitoring/default.nix
+++ b/modules/nixos/monitoring/default.nix
@@ -38,6 +38,13 @@ in {
access = "proxy";
url = "https://${loki.domain}";
}
+ {
+ name = "Alertmanager";
+ type = "alertmanager";
+ access = "proxy";
+ jsonData.implementation = "prometheus";
+ url = "https://${alertmanager.domain}";
+ }
];
# https://grafana.com/docs/grafana/latest/administration/provisioning/#dashboards
diff --git a/modules/nixos/openssh.nix b/modules/nixos/openssh.nix
index 9a131d7..c7a144e 100644
--- a/modules/nixos/openssh.nix
+++ b/modules/nixos/openssh.nix
@@ -18,16 +18,16 @@ in {
};
config = mkIf cfg.server.enable {
- # TODO Enable on a fresh system.
- # ark = {
- # files = [
- # "/etc/ssh/ssh_host_ed25519_key"
- # "/etc/ssh/ssh_host_ed25519_key.pub"
- # "/etc/ssh/ssh_host_rsa_key"
- # "/etc/ssh/ssh_host_rsa_key.pub"
- # ];
- # directories = ["/etc/ssh/authorized_keys.d"];
- # };
+ # FIXME This is mounted after the activation script is launched.
+ ark = {
+ files = [
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ "/etc/ssh/ssh_host_rsa_key"
+ "/etc/ssh/ssh_host_rsa_key.pub"
+ ];
+ # directories = ["/etc/ssh/authorized_keys.d"];
+ };
programs.mosh.enable = true;
@@ -36,7 +36,6 @@ in {
enable = true;
ports = [cfg.server.port];
settings = {
- AllowUsers = my.username;
ClientAliveCountMax = 3;
ClientAliveInterval = 60;
KbdInteractiveAuthentication = false;
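Review bot: Dropping `AllowUsers = my.username;` from `services.openssh.settings` in the second hunk removes the allow-list that limited SSH logins to one account, so any local account that satisfies the remaining authentication settings can now log in, and nothing in the commit record says why. If additional accounts need access, extend the allow-list to name them rather than removing the restriction; otherwise the line should stay. In the first hunk, the FIXME says the `ark` mount happens after the activation script, which suggests the persisted host keys listed there may not be in place when sshd first reads them; a comment stating what happens on that first boot (presumably a fresh key pair and a host-key mismatch for clients) would save the next person the surprise. The `settings` attribute set continues outside the hunk.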
diff --git a/modules/nixos/profiles/headless.nix b/modules/nixos/profiles/headless.nix
index 9faf531..efe4d03 100644
--- a/modules/nixos/profiles/headless.nix
+++ b/modules/nixos/profiles/headless.nix
@@ -19,7 +19,10 @@ in {
promtail.enable = true;
};
- # Pin version to prevent any surprises.
+ # Pin version to prevent any surprises. Try keeping this up-to-date[1] with
+ # the latest LTS release + hardened patches (just in case).
+ #
+ # [1]: https://kernel.org
boot.kernelPackages = pkgs.linuxPackages_5_15_hardened;
nix = {