From 8f7371998f813857f25afef4160075665f924ab7 Mon Sep 17 00:00:00 2001 From: Azat Bahawi Date: Sat, 6 May 2023 18:55:06 +0300 Subject: 2023-05-06 --- flake.lock | 42 ++++++++++++------------ modules/common/common/nix/default.nix | 7 ++-- modules/darwin/common/nix.nix | 2 +- modules/nixos/common/security.nix | 2 ++ modules/nixos/common/xdg.nix | 5 +++ modules/nixos/matrix/dendrite.nix | 14 ++++---- modules/nixos/matrix/synapse.nix | 14 ++++---- modules/nixos/nsd.nix | 58 ++++++++++++++++++++++++++++----- modules/nixos/sound.nix | 4 +-- nixosConfigurations/eonwe/default.nix | 7 ++-- nixosConfigurations/manwe/webserver.nix | 35 +++++++++++--------- 11 files changed, 119 insertions(+), 71 deletions(-) diff --git a/flake.lock b/flake.lock index 3ed97db..176bdc8 100644 --- a/flake.lock +++ b/flake.lock @@ -240,11 +240,11 @@ ] }, "locked": { - "lastModified": 1682779989, - "narHash": "sha256-H8AjcIBYFYrlRobYJ+n1B+ZJ6TsaaeZpuLn4iRqVvr4=", + "lastModified": 1683221986, + "narHash": "sha256-n688GK4wO2pZpI4gHOxj/PF85bzUMPEJ8B3Wd3cHSjk=", "owner": "nix-community", "repo": "home-manager", - "rev": "3144311f31194b537808ae6848f86f3dbf977d59", + "rev": "f3824311a16cbe70dbaeedc17a97dfcd11901c3f", "type": "github" }, "original": { @@ -296,11 +296,11 @@ ] }, "locked": { - "lastModified": 1682645728, - "narHash": "sha256-ZntcUOTbkw7klRK5kRPIJOp8bB9785CXKPt5eW2X4cc=", + "lastModified": 1683163598, + "narHash": "sha256-1mbFzocbp6qTMTZtgylIUKKBxQAvRfZN18l4zft5KSg=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "699ed72b94864505a38c97de3015bdfb992e1f84", + "rev": "400056c5694a7ce5b7a97e446b64dee44c48d01c", "type": "github" }, "original": { 
@@ -312,11 +312,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1682836095, - "narHash": "sha256-PdzpJhuXBz71AgWNWMMYLbB8GMMce6QguhQY/6HOOcc=", + "lastModified": 1683009613, + "narHash": "sha256-jJh8JaoHOLlk7iFLgZk1PlxCCNA2KTKfOLMLCa9mduA=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "e4a21ddcb45ee5f5c85a5d9e9698debf77fb98c3", + "rev": "7dc46304675f4ff2d6be921ef60883efd31363c4", "type": "github" }, "original": { @@ -328,11 +328,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1682809678, - "narHash": "sha256-jqR8t82mWotOSgnWZvr6xXCO/tc3fCPTLMPvI7Jo5rA=", + "lastModified": 1683205728, + "narHash": "sha256-WF63FGzW3F3MHsUYkqbPyXrJgNR+gNOMAZDNoP5LYWE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3dcff817eebb7e4afc4e9eae0ce6f722f4d9e399", + "rev": "f73acb5733244d0740c8181af30a58912427f5c6", "type": "github" }, "original": { @@ -344,11 +344,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1682883825, - "narHash": "sha256-JJeaDa6bOxf1AcW5ZvTs9skJzMz7uPRPRvDCNdDDflo=", + "lastModified": 1683236789, + "narHash": "sha256-BvCGBja7mzUqhbueGsGOyBlKPsnaVoA+HHmLkE6/QKs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9d27bdd3b5d88ec2c1674fd9b93cf6b6751776ff", + "rev": "bbccd7d90372f5042b404ea74ead61d7df124384", "type": "github" }, "original": { @@ -360,11 +360,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1682858021, - "narHash": "sha256-tMZILw7wABxSRUcJNrwLmBJ7h8+Bf4eyVGXLUyoZIr4=", + "lastModified": 1683207485, + "narHash": "sha256-gs+PHt/y/XQB7S8+YyBLAM8LjgYpPZUVFQBwpFSmJro=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "923f835a6c8eadb655c08370ade5c42990e790cd", + "rev": "cc45a3f8c98e1c33ca996e3504adefbf660a72d1", "type": "github" }, "original": { 
@@ -410,11 +410,11 @@ }, "nur": { "locked": { - "lastModified": 1682879890, - "narHash": "sha256-gnNDKsgsLX0dxumLDTuFylSRVvscErxRa0425gUk5Xk=", + "lastModified": 1683236736, + "narHash": "sha256-ruEH8oO2WLlZI8CSrKPmMbIFNO4/oEGeBwyTyszhw5Y=", "owner": "nix-community", "repo": "NUR", - "rev": "57e8229760e718f670cd7b359b509246e6d734ab", + "rev": "ee7b5b05842c7db8688a3a21f7c10e2eb8762882", "type": "github" }, "original": { diff --git a/modules/common/common/nix/default.nix b/modules/common/common/nix/default.nix index 723a2b8..0c49034 100644 --- a/modules/common/common/nix/default.nix +++ b/modules/common/common/nix/default.nix @@ -4,7 +4,7 @@ lib, localUsername ? lib.my.username, pkgs, - pkgsPR, + pkgsPr, this, ... }: @@ -25,7 +25,7 @@ with lib; { repo = "nixpkgs"; inherit rev hash; }); - pkgsPR = pr: pkgsRev "refs/pull/${toString pr}/head"; + pkgsPr = pr: pkgsRev "refs/pull/${toString pr}/head"; }; nix = let @@ -38,6 +38,7 @@ with lib; { "flakes" "nix-command" "recursive-nix" + "repl-flake" ]; keep-derivations = if this.isHeadful @@ -115,7 +116,7 @@ with lib; { ]); }); - inherit (pkgsPR "228852" "sha256-NKZySJ3IVMMeSmpc1zYwse52kxGg0dIrsHTMcO8a73Y=") soju; + inherit (pkgsPr "228852" "sha256-NKZySJ3IVMMeSmpc1zYwse52kxGg0dIrsHTMcO8a73Y=") soju; } // (with super; let np = nodePackages; diff --git a/modules/darwin/common/nix.nix b/modules/darwin/common/nix.nix index 2b39e7d..b291d11 100644 --- a/modules/darwin/common/nix.nix +++ b/modules/darwin/common/nix.nix @@ -23,7 +23,7 @@ with lib; { repo = "nixpkgs"; inherit rev hash; }); - pkgsPRx86 = pr: pkgsRevx86 "refs/pull/${toString pr}/head"; + pkgsPrx86 = pr: pkgsRevx86 "refs/pull/${toString pr}/head"; }; nix = { diff --git a/modules/nixos/common/security.nix b/modules/nixos/common/security.nix index 7a3d3b3..2272e12 100644 --- a/modules/nixos/common/security.nix +++ b/modules/nixos/common/security.nix @@ -25,5 +25,7 @@ with lib; { }); ''; }; + + rtkit.enable = true; }; } 
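Review bot: `rtkit.enable = true;` is added in modules/nixos/common/security.nix, so judging by the path it applies to every NixOS host that imports the common module, not only those running PipeWire. RealtimeKit lets unprivileged processes request realtime scheduling over D-Bus, which a headless server does not need. Consider setting `security.rtkit.enable = true;` in modules/nixos/sound.nix next to `services.pipewire`, or guarding it here with `mkIf this.isHeadful` if `this` is in scope in this file. The enclosing attribute set starts outside the hunk.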
diff --git a/modules/nixos/common/xdg.nix b/modules/nixos/common/xdg.nix index 8ddf1ac..d74bf82 100644 --- a/modules/nixos/common/xdg.nix +++ b/modules/nixos/common/xdg.nix @@ -15,6 +15,11 @@ with lib; { (mkAliasOptionModule ["userDirs"] (withBase "userDirs")) ]; + xdg.portal = mkIf this.isHeadful { + enable = true; + xdgOpenUsePortal = true; + }; + hm.xdg = mkMerge [ { enable = true; diff --git a/modules/nixos/matrix/dendrite.nix b/modules/nixos/matrix/dendrite.nix index bd19f8b..d9c4914 100644 --- a/modules/nixos/matrix/dendrite.nix +++ b/modules/nixos/matrix/dendrite.nix @@ -52,20 +52,18 @@ in { extraConfig = '' add_header Content-Type application/json; ''; - return = "200 '${ - generators.toJSON {} {"m.server" = "${cfg.domain}:443";} - }'"; + return = "200 '${generators.toJSON {} { + "m.server" = "${cfg.domain}:443"; + }}'"; }; "= /.well-known/matrix/client" = { extraConfig = '' add_header Content-Type application/json; add_header Access-Control-Allow-Origin *; ''; - return = "200 '${ - generators.toJSON {} { - "m.homeserver".base_url = "https://${cfg.domain}"; - } - }'"; + return = "200 '${generators.toJSON {} { + "m.homeserver".base_url = "https://${cfg.domain}"; + }}'"; }; }; }; diff --git a/modules/nixos/matrix/synapse.nix b/modules/nixos/matrix/synapse.nix index a74ebb4..40595a0 100644 --- a/modules/nixos/matrix/synapse.nix +++ b/modules/nixos/matrix/synapse.nix 
@@ -33,20 +33,18 @@ in { extraConfig = '' add_header Content-Type application/json; ''; - return = "200 '${ - generators.toJSON {} {"m.server" = "${cfg.domain}:443";} - }'"; + return = "200 '${generators.toJSON {} { + "m.server" = "${cfg.domain}:443"; + }}'"; }; "= /.well-known/matrix/client" = { extraConfig = '' add_header Content-Type application/json; add_header Access-Control-Allow-Origin *; ''; - return = "200 '${ - generators.toJSON {} { - "m.homeserver".base_url = "https://${cfg.domain}"; - } - }'"; + return = "200 '${generators.toJSON {} { + "m.homeserver".base_url = "https://${cfg.domain}"; + }}'"; }; }; }; diff --git a/modules/nixos/nsd.nix b/modules/nixos/nsd.nix index 255c787..f8d9e4b 100644 --- a/modules/nixos/nsd.nix +++ b/modules/nixos/nsd.nix @@ -19,6 +19,27 @@ in { }; config = mkIf cfg.enable { + nixfiles.modules.nginx = let + domain = my.domain.shire; + in { + enable = true; + virtualHosts = mapAttrs' (_: v: + nameValuePair "mta-sts.${v}" { + locations."= /.well-known/mta-sts.txt" = { + extraConfig = '' + add_header default_type text/plain; + ''; + return = "200 '${concatStringsSep "\\r\\n" [ + "version: STSv1" + "mode: enforce" + "max_age: 2419200" + "mx: ${domain}" + ]}'"; + }; + }) + my.domain; + }; + services = { nsd = { enable = true; @@ -40,8 +61,8 @@ in { domain ? my.domain.shire, dkimKey ? null, }: { - MX = [(mx.mx 10 "${domain}.")]; - TXT = [(spf.strict ["a" "mx"])]; + MX = [(mx.mx 10 "${my.domain.shire}.")]; + TXT = [(spf.soft ["a"])]; DMARC = [ { p = "quarantine"; @@ -54,6 +75,7 @@ in { selector = "mail"; p = dkimKey; }; + subdomains._mta-sts.TXT = ["v=STSv1; id=20230506134541Z"]; }; mkZone = { @@ -88,10 +110,11 @@ in { ariadneIdProof.TXT = ["openpgp4fpr:${my.pgp.fingerprint}"]; in mkMerge [ - (mkZone { + (mkZone rec { domain = my.domain.shire; extra = mkMerge [ (mkEmailEntries { + inherit domain; dkimKey = "@DKIM_KEY@"; }) { 
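Review bot: In the new `= /.well-known/mta-sts.txt` location, `add_header default_type text/plain;` does not set the media type. It emits a response header literally named `default_type`, and the body is served with whatever default type the server block inherits. RFC 8461 has senders check for `text/plain`, so the policy may be ignored; use the nginx directive instead: `default_type text/plain;`. Separately, publishing `mode: enforce` with a 28-day `max_age` on first rollout means any certificate or MX mismatch stops delivery from STS-honouring senders. Starting with `mode: testing` plus a TLS-RPT record is the safer sequence.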
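Review bot: `TXT = [(spf.soft ["a"])];` weakens the published SPF policy from hard fail to soft fail and drops the `mx` mechanism, with no comment explaining why. The DMARC record below still says `p = "quarantine"`, so this may be intended, but receivers that evaluate SPF alone are now told to accept and mark spoofed mail rather than reject it. Either keep `spf.strict` or record the reason on the line, e.g. `# soft while the zones move to the shared MX; revert to spf.strict afterwards`. Also, `MX` now hard-codes `my.domain.shire` while the function still takes `domain` and the callers start passing `inherit domain;`. Whether `domain` is still used is not visible here, because the function body continues outside the hunk.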
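Review bot: The `_mta-sts` TXT record carries a hand-written `id=20230506134541Z`, and nothing ties it to the policy text generated in the nginx block of this same file. Senders refetch the policy only when the id changes, so an edit to `mode`, `max_age` or `mx` that forgets to bump this string will not propagate until cached policies expire. Add a comment on the line, e.g. `# Bump id whenever the mta-sts.txt policy in this file changes.`, or derive the id from a hash of the policy string.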
@@ -103,6 +126,8 @@ in { yavanna = ips "yavanna"; "*.yavanna" = yavanna; + mta-sts = manwe; + ns1 = manwe; # ns2 = varda; @@ -124,37 +149,52 @@ in { } ]; }) - (mkZone { + (mkZone rec { domain = my.domain.azahi; extra = mkMerge [ (mkEmailEntries { + inherit domain; dkimKey = "@DKIM_KEY@"; }) ariadneIdProof { - subdomains.git = ips "manwe"; + subdomains = { + mta-sts = ips "manwe"; + + git = ips "manwe"; + }; } ]; }) - (mkZone { + (mkZone rec { domain = my.domain.gondor; extra = mkMerge [ (mkEmailEntries { + inherit domain; dkimKey = "@DKIM_KEY@"; }) { - subdomains.frodo = ips "manwe" // ariadneIdProof; + subdomains = { + mta-sts = ips "manwe"; + + frodo = ips "manwe" // ariadneIdProof; + }; } ]; }) - (mkZone { + (mkZone rec { domain = my.domain.rohan; extra = mkMerge [ (mkEmailEntries { + inherit domain; dkimKey = "@DKIM_KEY@"; }) { - subdomains.frodo = ips "manwe" // ariadneIdProof; + subdomains = { + mta-sts = ips "manwe"; + + frodo = ips "manwe" // ariadneIdProof; + }; } ]; }) diff --git a/modules/nixos/sound.nix b/modules/nixos/sound.nix index ae35e44..073d59c 100644 --- a/modules/nixos/sound.nix +++ b/modules/nixos/sound.nix @@ -13,8 +13,8 @@ in { services.pipewire = { enable = true; - alsa.enable = false; - jack.enable = false; + alsa.enable = true; + jack.enable = true; pulse.enable = true; }; }; diff --git a/nixosConfigurations/eonwe/default.nix b/nixosConfigurations/eonwe/default.nix index 2c53b64..5de3315 100644 --- a/nixosConfigurations/eonwe/default.nix +++ b/nixosConfigurations/eonwe/default.nix @@ -16,7 +16,7 @@ with lib; { games = { lutris.enable = true; - minecraft.client.enable = true; + # minecraft.client.enable = true; # FIXME Build fails. steam.enable = true; steam-run.quirks.crusaderKings3 = true; }; @@ -36,14 +36,12 @@ with lib; { burpsuite gzdoom kdenlive - nikto obs-studio openmw openttd radeontop vcmi whatweb - zap ]; programs = { 
@@ -104,6 +102,9 @@ with lib; { "clearcpuid=514" ]; + # https://wiki.archlinux.org/title/improving_performance#Watchdogs + blacklistedKernelModules = ["sp5100_tco"]; + # The boot drive is Samsung SSD 980 PRO 2TB. initrd.kernelModules = ["nvme"]; diff --git a/nixosConfigurations/manwe/webserver.nix b/nixosConfigurations/manwe/webserver.nix index 4dded7e..f07d545 100644 --- a/nixosConfigurations/manwe/webserver.nix +++ b/nixosConfigurations/manwe/webserver.nix @@ -4,20 +4,23 @@ ... }: with lib; { - nixfiles.modules.nginx.virtualHosts = with my.domain; - { - ${shire}.locations."/".return = "301 https://www.youtube.com/watch?v=dQw4w9WgXcQ"; - "git.${shire}".locations."/".return = "301 https://git.${azahi}"; - "bitwarden.${shire}".locations."/".return = "301 https://vaultwarden.${shire}"; - ${azahi} = { - serverAliases = ["frodo.${gondor}" "frodo.${rohan}"]; - locations."/".root = inputs.azahi-cc; - }; - } - // (let - frodo = "301 https://frodo."; - in { - ${gondor}.locations."/".return = concatStrings [frodo gondor]; - ${rohan}.locations."/".return = concatStrings [frodo rohan]; - }); + nixfiles.modules.nginx = { + enable = true; + virtualHosts = with my.domain; + { + ${shire}.locations."/".return = "301 https://www.youtube.com/watch?v=dQw4w9WgXcQ"; + "git.${shire}".locations."/".return = "301 https://git.${azahi}"; + "bitwarden.${shire}".locations."/".return = "301 https://vaultwarden.${shire}"; + ${azahi} = { + serverAliases = ["frodo.${gondor}" "frodo.${rohan}"]; + locations."/".root = inputs.azahi-cc; + }; + } + // (let + frodo = "301 https://frodo."; + in { + ${gondor}.locations."/".return = concatStrings [frodo gondor]; + ${rohan}.locations."/".return = concatStrings [frodo rohan]; + }); + }; } -- cgit v1.2.3