From b07e10139c88d6060e57ca52b2dc12b17b53ac82 Mon Sep 17 00:00:00 2001
From: Azat Bahawi
Date: Sun, 21 May 2023 23:10:32 +0300
Subject: 2023-05-21
---
modules/nixos/chromium.nix | 27 ++++++++
modules/nixos/common/locale.nix | 12 +++-
modules/nixos/common/systemd.nix | 2 +
modules/nixos/default.nix | 1 +
modules/nixos/matrix/dendrite.nix | 20 ++++++
modules/nixos/monitoring/default.nix | 18 +++---
modules/nixos/profiles/headful.nix | 7 ++-
modules/nixos/promtail.nix | 41 ++++++------
modules/nixos/syncthing.nix | 117 ++++++++++++++++++-----------------
modules/nixos/unbound.nix | 17 ++++-
10 files changed, 170 insertions(+), 92 deletions(-)
create mode 100644 modules/nixos/chromium.nix
(limited to 'modules/nixos')
diff --git a/modules/nixos/chromium.nix b/modules/nixos/chromium.nix
new file mode 100644
index 0000000..4f0ae12
--- /dev/null
+++ b/modules/nixos/chromium.nix
@@ -0,0 +1,27 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.nixfiles.modules.chromium;
+in {
+ options.nixfiles.modules.chromium.enable = mkEnableOption "Chromium";
+
+ config = mkIf cfg.enable {
+ hm = {
+ home.packages = with pkgs; [profile-cleaner];
+
+ programs.chromium = {
+ enable = true;
+
+ package = pkgs.chromium;
+
+ extensions = [
+ {id = "cjpalhdlnbpafiamejdnhcphjbkeiagm";} # uBlock Origin
+ ];
+ };
+ };
+ };
+}
diff --git a/modules/nixos/common/locale.nix b/modules/nixos/common/locale.nix
index 62d19f4..7529996 100644
--- a/modules/nixos/common/locale.nix
+++ b/modules/nixos/common/locale.nix
@@ -12,9 +12,15 @@ with lib; { }; services.xserver = { - layout = comcat ["us" "ru"]; - xkbVariant = comcat ["" "phonetic"]; - xkbOptions = comcat [ + layout = concatStringsSep "," [ + "us" + "ru" + ]; + xkbVariant = concatStringsSep "," [ + "" + "phonetic" + ]; + xkbOptions = concatStringsSep "," [ "terminate:ctrl_alt_bksp" "caps:escape" "compose:menu"
diff --git a/modules/nixos/common/systemd.nix b/modules/nixos/common/systemd.nix
index 29020a0..4e9eb26 100644
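Review bot: The extension entry `{id = "cjpalhdlnbpafiamejdnhcphjbkeiagm";}` in the new chromium.nix carries only a store ID, so — if I read home-manager's programs.chromium extension submodule right — the browser fetches uBlock Origin from the default Web Store update URL at runtime, and the extension is neither part of the Nix closure nor pinned or hash-checked by the build. That is the normal trade-off for an auto-updating extension, but it deserves stating next to the `# uBlock Origin` comment, e.g. `# Pulled from the Web Store by the browser at runtime (auto-updated), not from the Nix store.` If a pinned, offline-verifiable install is wanted, the submodule's `crxPath` and `version` fields take a local CRX instead of the store ID.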
--- a/modules/nixos/common/systemd.nix +++ b/modules/nixos/common/systemd.nix @@ -4,6 +4,8 @@ directories = ["/var/lib/systemd/coredump"]; }; + my.extraGroups = ["systemd-journal"]; + hm.systemd.user.startServices = "sd-switch"; services.journald.extraConfig = '' diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 3c6e61b..f8347cf 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -5,6 +5,7 @@ _: { ./android.nix ./beets.nix ./bluetooth.nix + ./chromium.nix ./common ./discord.nix ./docker.nix diff --git a/modules/nixos/matrix/dendrite.nix b/modules/nixos/matrix/dendrite.nix index d9c4914..d7c7b18 100644 --- a/modules/nixos/matrix/dendrite.nix +++ b/modules/nixos/matrix/dendrite.nix @@ -67,6 +67,7 @@ in { }; }; }; + postgresql = { enable = true; extraPostStart = [ @@ -75,6 +76,25 @@ in { '' ]; }; + + # Silence annoying errors when connecting to poorly configured federated + # homeservers. + promtail.filters = [ + { + match = { + selector = ''{syslog_identifier="dendrite"} |~ ".*Failed to fetch key for server.*"''; + action = "drop"; + drop_counter_reason = "noisy_error"; + }; + } + { + match = { + selector = ''{syslog_identifier="dendrite"} |~ ".*could not download key for.*"''; + action = "drop"; + drop_counter_reason = "noisy_error"; + }; + } + ]; }; services.postgresql = { diff --git a/modules/nixos/monitoring/default.nix b/modules/nixos/monitoring/default.nix index 37e34d9..7f62874 100644 --- a/modules/nixos/monitoring/default.nix +++ b/modules/nixos/monitoring/default.nix @@ -122,8 +122,6 @@ in { loki.configuration.ruler.alertmanager_url = "https://${config.nixfiles.modules.alertmanager.domain}"; prometheus = { - # It would be nice if these could be generated dynamically. That would - # require a complete rework of how configurations are defined, though. scrapeConfigs = with my.configurations; mapAttrsToList ( 
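Review bot: `my.extraGroups = ["systemd-journal"];` in the systemd.nix hunk grants the user read access to the whole system journal — every unit's output, including anything a service leaks into its logs — and the hunk gives no reason for the widening. A why-comment would make it deliberate, e.g. `# Read the full system journal without sudo; this exposes every unit's logs to this user.` If only the user's own units are of interest, `journalctl --user` already works without the group and the broader grant could be left out.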
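Review bot: Both dendrite filters in the second dendrite.nix hunk use `drop_counter_reason = "noisy_error";`, the same value the unbound.nix hunk uses, so the drop counter can no longer distinguish a burst of federation key-fetch failures from unbound TLS noise. A remote homeserver whose signing key persistently cannot be fetched is exactly what a misconfigured or hostile peer looks like, so the count should stay attributable: give each filter its own reason, e.g. `drop_counter_reason = "dendrite_key_fetch";`, and alert on that counter instead of on the lines. The drop stage still counts the lines it discards, so nothing is lost by dropping them from Loki as long as the counter is watched. The attrset these filters are assigned into begins before the hunk.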
@@ -144,13 +142,15 @@ in { hosts; } ]; - relabel_configs = [ - { - source_labels = ["__address__"]; - regex = "([^:]+):\\d+"; - target_label = "instance"; - } - ]; + relabel_configs = + [ + { + source_labels = ["__address__"]; + regex = "([^:]+):\\d+"; + target_label = "instance"; + } + ] + ++ optionals (hasAttr "relabel" value) value.relabel; } ) { diff --git a/modules/nixos/profiles/headful.nix b/modules/nixos/profiles/headful.nix index 3bdf8fd..9e2b7a3 100644 --- a/modules/nixos/profiles/headful.nix +++ b/modules/nixos/profiles/headful.nix @@ -109,6 +109,11 @@ in { environment.systemPackages = with pkgs; [lm_sensors]; - my.extraGroups = ["audio" "video" "input"]; + my.extraGroups = [ + "audio" + "input" + "render" + "video" + ]; }; } diff --git a/modules/nixos/promtail.nix b/modules/nixos/promtail.nix index d52384a..157eb72 100644 --- a/modules/nixos/promtail.nix +++ b/modules/nixos/promtail.nix @@ -21,6 +21,12 @@ in { type = with types; str; default = "https://${config.nixfiles.modules.loki.domain}"; }; + + filters = mkOption { + description = ''Filters to use with "scrape_config.pipeline_stages".''; + type = with types; listOf attrs; + default = []; + }; }; config = mkIf cfg.enable { @@ -56,7 +62,7 @@ in { scrape_configs = [ { job_name = "journal"; - journal.max_age = "12h"; + journal.max_age = "24h"; relabel_configs = map (n: let label = toLower n; @@ -74,12 +80,12 @@ in { "MESSAGE" # "MESSAGE_ID" - # "PRIORITY" + "PRIORITY" # "CODE_FILE" # "CODE_LINE" # "CODE_FUNC" # "ERRNO" - # "SYSLOG_FACILITY" + "SYSLOG_FACILITY" "SYSLOG_IDENTIFIER" # "SYSLOG_PID" # "_PID" @@ -93,8 +99,8 @@ in { # "_AUDIT_LOGINUID" # "_SYSTEMD_CGROUP" # "_SYSTEMD_SESSION" - "_SYSTEMD_UNIT" - "_SYSTEMD_USER_UNIT" + # "_SYSTEMD_UNIT" + # "_SYSTEMD_USER_UNIT" # "_SYSTEMD_OWNER_UID" # "_SYSTEMD_SLICE" # "_SELINUX_CONTEXT" 
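Review bot: `++ optionals (hasAttr "relabel" value) value.relabel` in the monitoring hunk is the long form of Nix's `or` operator; `++ (value.relabel or [])` reads the same and looks the attribute up once. The mapAttrsToList lambda that builds this scrape config starts before the hunk, so I cannot see whether `relabel` is declared on the per-host configuration type; if it is not, a misspelled key in a host file is silently ignored rather than rejected, and a typed option with `default = []` would be the safer shape. A short comment that per-host `relabel` entries are appended after the default instance relabel would also help the next reader.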
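Review bot: The rewritten `my.extraGroups` list in headful.nix adds `render` but still records no rationale for any entry, and `input` in particular lets every process running as this user read raw evdev events from /dev/input — i.e. all keystrokes — with no further privilege. Since the list is being reformatted anyway, a comment per group would pin down what needs it, e.g. `"input" # raw /dev/input access for <consumer>; exposes all keystrokes to this user` and `"render" # GPU render nodes`, and make it easy to drop `input` if nothing actually requires it.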
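Review bot: Commenting out `"_SYSTEMD_UNIT"` and `"_SYSTEMD_USER_UNIT"` in the promtail label list while keeping `"SYSLOG_IDENTIFIER"` leaves only sender-supplied fields for identifying the logging process: per systemd.journal-fields(7), fields without a leading underscore are set by the client, whereas the underscore-prefixed ones are trusted fields journald fills in itself. The dendrite and unbound filters now select on `syslog_identifier="dendrite"` / `"unbound"`, so a local process that sets that identifier has its lines treated as theirs, and nothing in Loki ties a line to the unit that actually emitted it. I would keep `"_SYSTEMD_UNIT"` as a label (its cardinality is bounded by the unit set) and let the filters match on `systemd_unit` as they did before, or at least add a comment saying the attribution loss is accepted. The labels list begins before the hunk.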
@@ -106,23 +112,16 @@ in { # "__CURSOR" # "__REALTIME_TIMESTAMP" # "__MONOTONIC_TIMESTAMP" + ] + ++ [ + { + # This is weird. I can't find where is this defined in the + # source code but apparently it exists. + source_labels = ["__journal_priority_keyword"]; + target_label = "level"; + } ]; - pipeline_stages = [ - { - match = { - selector = ''{systemd_unit="dendrite.service"} |~ ".*Failed to fetch key for server.*"''; - action = "drop"; - drop_counter_reason = "noisy_error"; - }; - } - { - match = { - selector = ''{systemd_unit="dendrite.service"} |~ ".*could not download key for.*"''; - action = "drop"; - drop_counter_reason = "noisy_error"; - }; - } - ]; + pipeline_stages = cfg.filters; } ]; }; diff --git a/modules/nixos/syncthing.nix b/modules/nixos/syncthing.nix index b0d98bc..faf6723 100644 --- a/modules/nixos/syncthing.nix +++ b/modules/nixos/syncthing.nix 
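Review bot: The comment `# This is weird. I can't find where is this defined in the source code but apparently it exists.` above `source_labels = ["__journal_priority_keyword"];` leaves the next reader with the same question; as far as I can tell the label is not a journald field but one Promtail's journal target synthesises from `PRIORITY` (numeric level mapped to its keyword), which is why it is absent from the `__journal_*` fields listed above it. I would replace it with `# Synthesised by Promtail's journal target from PRIORITY (numeric -> keyword); not a journald field.` after confirming against the Promtail journal-target docs for the pinned version. The scrape_configs entry this relabel belongs to starts before the hunk.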
@@ -48,74 +48,77 @@ in { key = config.secrets."syncthing-key-${this.hostname}".path; overrideDevices = true; - devices = mapAttrs (name: attr: - mkIf (attr.syncthing.id != null && hasAttr "wireguard" attr) { - inherit (attr.syncthing) id; - addresses = ["tcp://${name}.${config.networking.domain}:22000"]; - introducer = this.isHeadless; - }) - my.configurations; - overrideFolders = true; - folders = let - filterDevices = f: - attrNames (filterAttrs (_: attr: - (attr.hostname != this.hostname) - && (attr.syncthing.id != null) - && f attr) - my.configurations); - all = filterDevices (_: true); - notHeadless = filterDevices (attr: !attr.isHeadless); - notOther = filterDevices (attr: !attr.isOther); - simple = { - type = "simple"; - params.keep = "5"; - }; - trashcan = { - type = "trashcan"; - params.cleanoutDays = "7"; - }; - in - with config.hm.xdg.userDirs; { - share = { - path = publicShare; - devices = notHeadless; - versioning = trashcan; - }; - pass = { - path = config.hm.programs.password-store.settings.PASSWORD_STORE_DIR; - devices = notOther; - versioning = trashcan; - }; - org = { - path = "${documents}/org"; - devices = all; - versioning = simple; - }; - roam = { - path = "${documents}/roam"; - devices = notOther; - versioning = simple; + settings = { + devices = mapAttrs (name: attr: + mkIf (attr.syncthing.id != null && hasAttr "wireguard" attr) { + inherit (attr.syncthing) id; + addresses = ["tcp://${name}.${config.networking.domain}:22000"]; + introducer = this.isHeadless; + }) + my.configurations; + + folders = let + filterDevices = f: + attrNames (filterAttrs (_: attr: + (attr.hostname != this.hostname) + && (attr.syncthing.id != null) + && f attr) + my.configurations); + all = filterDevices (_: true); + notHeadless = filterDevices (attr: !attr.isHeadless); + notOther = filterDevices (attr: !attr.isOther); + + simple = { + type = "simple"; + params.keep = "5"; }; - elfeed = { - path = "${config.my.home}/.elfeed"; - devices = notOther; - versioning = 
trashcan; + trashcan = { + type = "trashcan"; + params.cleanoutDays = "7"; }; - books = { - path = "${documents}/books"; - devices = notOther; - versioning = trashcan; + in + with config.hm.xdg.userDirs; { + share = { + path = publicShare; + devices = notHeadless; + versioning = trashcan; + }; + pass = { + path = config.hm.programs.password-store.settings.PASSWORD_STORE_DIR; + devices = notOther; + versioning = trashcan; + }; + org = { + path = "${documents}/org"; + devices = all; + versioning = simple; + }; + roam = { + path = "${documents}/roam"; + devices = notOther; + versioning = simple; + }; + elfeed = { + path = "${config.my.home}/.elfeed"; + devices = notOther; + versioning = trashcan; + }; + books = { + path = "${documents}/books"; + devices = notOther; + versioning = trashcan; + }; }; - }; - extraOptions = { gui = { insecureAdminAccess = true; insecureSkipHostcheck = this.isHeadless; }; + options = { + testOption = false; autoUpgradeIntervalH = 0; crashReportingEnabled = false; globalAnnounceEnabled = false; diff --git a/modules/nixos/unbound.nix b/modules/nixos/unbound.nix index 7805b02..c9d45f2 100644 --- a/modules/nixos/unbound.nix +++ b/modules/nixos/unbound.nix @@ -24,7 +24,22 @@ in { mkIf cfg.enable { ark.directories = [config.services.unbound.stateDir]; - nixfiles.modules.redis.enable = true; + nixfiles.modules = { + redis.enable = true; + + promtail.filters = [ + { + match = { + # Should be fixed[1] in the next release. + # + # [1]: https://github.com/NLnetLabs/unbound/commit/d7e776114114c16816570e48ab3a27eedc401a0e + selector = ''{syslog_identifier="unbound"} |~ ".*could not SSL_read crypto.*"''; + action = "drop"; + drop_counter_reason = "noisy_error"; + }; + } + ]; + }; services = { unbound = { -- cgit v1.2.3
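Review bot: `testOption = false;` inside the new `options` block of the syncthing hunk reads like a debugging leftover: it is not a Syncthing daemon option I recognise and the hunk gives no comment for it, so either say what it does or drop the line so `settings.options` contains only real options. While the gui settings are being moved under `settings`, the untouched `insecureAdminAccess = true;` still means the GUI/REST endpoint answers without authentication; a comment naming what guards that port (the `hasAttr "wireguard" attr` test in the device filter suggests the tunnel is the boundary, but that is not visible here) would make the dependency explicit. The `services.syncthing` attrset begins before the hunk and the `options` block continues past it.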
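Review bot: The unbound filter drops every `could not SSL_read crypto` line permanently even though its comment says the next release fixes the noise, so once that release lands a genuine upstream TLS failure will be silently discarded. Guarding it on the package version lets the filter retire itself, e.g. `promtail.filters = optionals (versionOlder config.services.unbound.package.version "<first-fixed-version>") [ … ];`, with the placeholder filled in when the fixed version is known. The `mkIf cfg.enable` body this sits in continues past the hunk.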