hardware/purism_librem_15.nix

@@ -2,11 +2,10 @@
 {
   config,
   lib,
-  modulesPath,
   pkgs,
   ...
 }: {
-  imports = [(modulesPath + "/installer/scan/not-detected.nix")];
+  imports = [<nixpkgs/nixos/modules/installer/scan/not-detected.nix>];
 
   boot = {
     initrd = {
@@ -17,28 +16,26 @@
         "usbhid" # USB HID transport layer
         "usb_storage" # USB Mass Storage support
         "sd_mod" # SCSI disk support
+        "aesni_intel" # AES-NI + SSE2 implementation of AEGIS-128
+        "cryptd" # Software async crypto daemon
       ];
+      kernelModules = ["dm-snapshot"];
+      luks.devices."cryptroot".device = "/dev/disk/by-uuid/52040288-dea9-4e74-9438-d0946b48a1f4";
     };
     kernelModules = ["kvm-intel"]; # Enable kvm for libvirtd
   };
 
-  fileSystems = {
-    "/" = {
-      device = "/dev/disk/by-uuid/0bdc11fc-c497-47ff-bcc2-3044f81f40be";
-      fsType = "ext4";
-    };
-    "/home" = {
-      device = "/dev/disk/by-uuid/9c8a9dd1-b234-4a6d-ad62-3962e85d4063";
-      fsType = "ext4";
-    };
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/848e15eb-992b-499f-89b1-be8bc59af41c";
+    fsType = "ext4";
   };
 
-  swapDevices = [{device = "/dev/disk/by-uuid/05aed0b0-3a79-44f2-aa4d-e5e5724643f2";}];
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/a9d48855-edaf-40b9-9296-58e9b7c7eb96";
+    fsType = "ext4";
+  };
 
-  networking.useDHCP = lib.mkDefault true;
+  swapDevices = [{device = "/dev/disk/by-uuid/ac308d76-cc12-4a73-83ee-64a2ad07b91e";}];
 
   nix.settings.max-jobs = lib.mkDefault 4;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

hosts/dionach.nix

@@ -16,7 +16,6 @@
     loader.grub = {
       enable = true;
       device = "/dev/nvme0n1"; # or "nodev" for efi only
-      useOSProber = true;
     };
     kernel.sysctl."net.ipv4.ip_forward" = "1";
     extraModprobeConfig = "options kvm_intel nested=1";
@@ -24,11 +23,6 @@
 
   networking = {
     hostName = "dionach"; # Define your hostname.
-    firewall = {
-      enable = true;
-      checkReversePath = false; # Needed for libvirtd
-      allowedTCPPorts = [15000];
-    };
   };
 
   systemd.network.networks.enp0s20f0u4u4i5.ipv6SendRAConfig = {
@@ -39,9 +33,15 @@
 
   services.kbfs.enable = true;
 
+  networking.firewall = {
+    enable = true;
+    checkReversePath = false; # Needed for libvirtd
+    allowedTCPPorts = [15000];
+  };
+
   # This value determines the NixOS release with which your system is to be
   # compatible, in order to avoid breaking some software such as database
   # servers. You should change this only after NixOS release notes say you
   # should.
-  system.stateVersion = "23.11"; # Did you read the comment?
+  system.stateVersion = "20.03"; # Did you read the comment?
 }

profiles/desktop_common.nix

@@ -31,7 +31,6 @@
     mplayer # A movie player that supports many video formats
     nextcloud-client # Nextcloud desktop client
     pwgen # Password generator
-    rsync
     shotwell # Photo organizer
     signal-desktop # Private, simple, and secure messenger
     usbutils # Tools for working with USB devices, such as lsusb
@@ -70,27 +69,19 @@
       };
       libinput.enable = true; # Enable touchpad support.
     };
-
-    pipewire = {
-      enable = true;
-      alsa = {
-        enable = true;
-        support32Bit = true;
-      };
-      pulse.enable = true;
-    };
   };
 
   sound.enable = true; # Enable sound.
-  security.rtkit.enable = true; # realtime scheduling for sound
 
   # Configure common hardware settings
   hardware = {
     pulseaudio = {
-      enable = false;
+      enable = true;
+      package = pkgs.pulseaudioFull;
     };
     bluetooth = {
       enable = true; # Enable bluetooth
+      hsphfpd.enable = true;
       settings = {
         General = {
           Enable = "Source,Sink,Media,Socket";

profiles/forgejo.nix

@@ -9,12 +9,18 @@
   sources = import ../nix/sources.nix;
   unstable = import sources.nixpkgsUnstable {};
 in {
-  services.forgejo = {
+  services.gitea = {
     enable = true; # Enable Forgejo
+    appName = "mcwhirter.io: Forgejo Service"; # Give the site a name
     database = {
       type = "postgres"; # Database type
-      passwordFile = "/run/keys/forgejo-dbpass"; # Where to find the password
+      passwordFile = "/run/keys/gitea-dbpass"; # Where to find the password
     };
+    disableRegistration = true;
+    domain = "source.mcwhirter.io"; # Domain name
+    rootUrl = "https://source.mcwhirter.io/"; # Root web URL
+    httpPort = 3002; # Provided unique port
+    package = pkgs.forgejo; # a soft fork of gitea
     settings = let
       docutils = pkgs.python39.withPackages (ps:
         with ps; [
@@ -22,21 +28,12 @@ in {
           pygments # Provides syntax highlighting
         ]);
     in {
-      DEFAULT.APP_NAME = "mcwhirter.io: Forgejo Service"; # Give the site a name
       mailer = {
         ENABLED = true;
-        FROM = "forgejo@mcwhirter.io";
+        FROM = "gitea@mcwhirter.io";
       };
       repository = {DEFAULT_BRANCH = "consensus";};
       service = {REGISTER_EMAIL_CONFIRM = true;};
-      server = {
-        DOMAIN = "source.mcwhirter.io"; # Domain name
-        HTTP_PORT = 3002; # Provided unique port
-        ROOT_URL = "https://source.mcwhirter.io/"; # Root web URL
-      };
-      service = {
-        DISABLE_REGISTRATION = true;
-      };
       "markup.restructuredtext" = {
         ENABLED = true;
         FILE_EXTENSIONS = ".rst";
@@ -52,10 +49,10 @@ in {
 
   systemd = {
     services = {
-      forgejo = {
-        # Ensure forgejo starts after nixops keys are loaded
-        after = ["forgejo-dbpass-key.service"];
-        wants = ["forgejo-dbpass-key.service"];
+      gitea = {
+        # Ensure gitea starts after nixops keys are loaded
+        after = ["gitea-dbpass-key.service"];
+        wants = ["gitea-dbpass-key.service"];
       };
     };
   };
@@ -63,23 +60,27 @@ in {
   services.postgresql = {
     enable = true; # Ensure postgresql is enabled
     authentication = ''
-      local forgejo all ident map=forgejo-users
+      local gitea all ident map=gitea-users
     '';
     identMap =
-      # Map the forgejo user to postgresql
+      # Map the gitea user to postgresql
       ''
-        forgejo-users forgejo forgejo
+        gitea-users gitea gitea
       '';
-    ensureDatabases = ["forgejo"]; # Ensure the database persists
+    ensureDatabases = ["gitea"]; # Ensure the database persists
     ensureUsers = [
       {
-        name = "forgejo"; # Ensure the database user persists
-        ensureDBOwnership = true;
+        name = "gitea"; # Ensure the database user persists
+        ensurePermissions = {
+          # Ensure the database permissions persist
+          "DATABASE gitea" = "ALL PRIVILEGES";
+          "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
+        };
       }
     ];
   };
 
-  services.postgresqlBackup.databases = ["forgejo"];
+  services.postgresqlBackup.databases = ["gitea"];
 
   services.nginx = {
     enable = true; # Enable Nginx
@@ -116,5 +117,5 @@ in {
     };
   };
 
-  users.groups.keys.members = ["forgejo"]; # Required due to NixOps issue #1204
+  users.groups.keys.members = ["gitea"]; # Required due to NixOps issue #1204
 }

profiles/iog.nix

@@ -65,6 +65,9 @@ in {
 
   services = {
     keybase.enable = true;
+    #postgresql = {
+    #  enable = true;                  # Ensure postgresql is enabled
+    #  package = pkgs.postgresql_10;   # Set the required version, if needed
   };
 
   users.groups.docker.members = ["craige"];

profiles/mastodon.nix

@@ -17,7 +17,6 @@
       extraConfig = {
         WEB_DOMAIN = "social.mcwhirter.io";
       };
-      streamingProcesses = 5;
     };
   };
 

profiles/matrix.nix

@@ -129,7 +129,11 @@
       ensureUsers = [
         {
           name = "matrix-synapse"; # Ensure the database user persists
-          ensureDBOwnership = true;
+          ensurePermissions = {
+            # Ensure the database permissions persist
+            "DATABASE \"matrix-synapse\"" = "ALL PRIVILEGES";
+            "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
+          };
         }
       ];
       # Initial database creation

profiles/nextcloud.nix

@@ -27,12 +27,8 @@
       enable = true; # Run regular auto update of all apps installed
       startAt = "01:00:00"; # When to run the update
     };
+    enableBrokenCiphersForSSE = false; # force upgrade to SSL v3
     package = pkgs.nextcloud27;
-    extraApps = with config.services.nextcloud.package.packages.apps; {
-      inherit calendar contacts deck news notes tasks twofactor_webauthn;
-    };
-    extraAppsEnable = true;
-    appstoreEnable = true;
   };
 
   systemd = {
@@ -47,19 +43,15 @@
 
   services.postgresql = {
     enable = true; # Ensure postgresql is enabled
-    authentication = ''
-      local nextcloud all ident map=nextcloud-users
-    '';
-    identMap =
-      # Map the forgejo user to postgresql
-      ''
-        nextcloud-users nextcloud nextcloud
-      '';
     ensureDatabases = ["nextcloud"]; # Ensure the database persists
     ensureUsers = [
       {
         name = "nextcloud"; # Ensure the database user persists
-        ensureDBOwnership = true;
+        ensurePermissions = {
+          # Ensure the database permissions persist
+          "DATABASE nextcloud" = "ALL PRIVILEGES";
+          "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
+        };
       }
     ];
   };

profiles/server_common.nix

@@ -20,7 +20,7 @@ in {
   };
 
   services.postgresql = {
-    package = pkgs.postgresql_16;
+    package = pkgs.postgresql_11;
   };
 
   security.polkit.enable = false; # avoid CVE-2021-4034 (PwnKit)

profiles/tt-rss.nix

@@ -34,7 +34,11 @@
     ensureUsers = [
       {
         name = "tt_rss"; # Ensure the database user persists
-        ensureDBOwnership = true;
+        ensurePermissions = {
+          # Ensure the database permissions persist
+          "DATABASE tt_rss" = "ALL PRIVILEGES";
+          "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
+        };
       }
     ];
   };