No commits in common. "91ab1b85d179f1e9f49b867a5de3687de8ed9d98" and "e1db3dc03402ea63ee1cdb83544d3eea84853f53" have entirely different histories.
91ab1b85d1
...
e1db3dc034
|
@ -2,11 +2,10 @@
|
||||||
{
|
{
|
||||||
config,
|
config,
|
||||||
lib,
|
lib,
|
||||||
modulesPath,
|
|
||||||
pkgs,
|
pkgs,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
imports = [(modulesPath + "/installer/scan/not-detected.nix")];
|
imports = [<nixpkgs/nixos/modules/installer/scan/not-detected.nix>];
|
||||||
|
|
||||||
boot = {
|
boot = {
|
||||||
initrd = {
|
initrd = {
|
||||||
|
@ -17,28 +16,26 @@
|
||||||
"usbhid" # USB HID transport layer
|
"usbhid" # USB HID transport layer
|
||||||
"usb_storage" # USB Mass Storage support
|
"usb_storage" # USB Mass Storage support
|
||||||
"sd_mod" # SCSI disk support
|
"sd_mod" # SCSI disk support
|
||||||
|
"aesni_intel" # AES-NI + SSE2 implementation of AEGIS-128
|
||||||
|
"cryptd" # Software async crypto daemon
|
||||||
];
|
];
|
||||||
|
kernelModules = ["dm-snapshot"];
|
||||||
|
luks.devices."cryptroot".device = "/dev/disk/by-uuid/52040288-dea9-4e74-9438-d0946b48a1f4";
|
||||||
};
|
};
|
||||||
kernelModules = ["kvm-intel"]; # Enable kvm for libvirtd
|
kernelModules = ["kvm-intel"]; # Enable kvm for libvirtd
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems = {
|
fileSystems."/" = {
|
||||||
"/" = {
|
device = "/dev/disk/by-uuid/848e15eb-992b-499f-89b1-be8bc59af41c";
|
||||||
device = "/dev/disk/by-uuid/0bdc11fc-c497-47ff-bcc2-3044f81f40be";
|
fsType = "ext4";
|
||||||
fsType = "ext4";
|
|
||||||
};
|
|
||||||
"/home" = {
|
|
||||||
device = "/dev/disk/by-uuid/9c8a9dd1-b234-4a6d-ad62-3962e85d4063";
|
|
||||||
fsType = "ext4";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
swapDevices = [{device = "/dev/disk/by-uuid/05aed0b0-3a79-44f2-aa4d-e5e5724643f2";}];
|
fileSystems."/boot" = {
|
||||||
|
device = "/dev/disk/by-uuid/a9d48855-edaf-40b9-9296-58e9b7c7eb96";
|
||||||
|
fsType = "ext4";
|
||||||
|
};
|
||||||
|
|
||||||
networking.useDHCP = lib.mkDefault true;
|
swapDevices = [{device = "/dev/disk/by-uuid/ac308d76-cc12-4a73-83ee-64a2ad07b91e";}];
|
||||||
|
|
||||||
nix.settings.max-jobs = lib.mkDefault 4;
|
nix.settings.max-jobs = lib.mkDefault 4;
|
||||||
|
|
||||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
|
||||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
|
||||||
}
|
}
|
||||||
|
|
|
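Review bot: The new side of the second hunk drops `hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;` (together with `nixpkgs.hostPlatform`) with nothing replacing it; unless microcode updates are enabled in another module of this host, the CPU keeps running firmware without the vendor mitigations the microcode packages carry, so keep the line or add a comment naming where it is set. The comment on the added `"aesni_intel"` entry, `# AES-NI + SSE2 implementation of AEGIS-128`, reads like the modinfo text of a different module (the AEGIS-128 implementation); `aesni_intel` is the AES-NI accelerated AES cipher, presumably listed early for the `luks.devices."cryptroot"` unlock below it, so `"aesni_intel" # AES-NI accelerated AES, needed in the initrd for LUKS` would describe its role. The `<nixpkgs/nixos/modules/installer/scan/not-detected.nix>` lookup in the first hunk resolves through NIX_PATH, so evaluation now depends on the caller's environment instead of the `modulesPath` argument the old side used. The module's opening attribute set lies outside this hunk.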
@ -16,7 +16,6 @@
|
||||||
loader.grub = {
|
loader.grub = {
|
||||||
enable = true;
|
enable = true;
|
||||||
device = "/dev/nvme0n1"; # or "nodev" for efi only
|
device = "/dev/nvme0n1"; # or "nodev" for efi only
|
||||||
useOSProber = true;
|
|
||||||
};
|
};
|
||||||
kernel.sysctl."net.ipv4.ip_forward" = "1";
|
kernel.sysctl."net.ipv4.ip_forward" = "1";
|
||||||
extraModprobeConfig = "options kvm_intel nested=1";
|
extraModprobeConfig = "options kvm_intel nested=1";
|
||||||
|
@ -24,11 +23,6 @@
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
hostName = "dionach"; # Define your hostname.
|
hostName = "dionach"; # Define your hostname.
|
||||||
firewall = {
|
|
||||||
enable = true;
|
|
||||||
checkReversePath = false; # Needed for libvirtd
|
|
||||||
allowedTCPPorts = [15000];
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.network.networks.enp0s20f0u4u4i5.ipv6SendRAConfig = {
|
systemd.network.networks.enp0s20f0u4u4i5.ipv6SendRAConfig = {
|
||||||
|
@ -39,9 +33,15 @@
|
||||||
|
|
||||||
services.kbfs.enable = true;
|
services.kbfs.enable = true;
|
||||||
|
|
||||||
|
networking.firewall = {
|
||||||
|
enable = true;
|
||||||
|
checkReversePath = false; # Needed for libvirtd
|
||||||
|
allowedTCPPorts = [15000];
|
||||||
|
};
|
||||||
|
|
||||||
# This value determines the NixOS release with which your system is to be
|
# This value determines the NixOS release with which your system is to be
|
||||||
# compatible, in order to avoid breaking some software such as database
|
# compatible, in order to avoid breaking some software such as database
|
||||||
# servers. You should change this only after NixOS release notes say you
|
# servers. You should change this only after NixOS release notes say you
|
||||||
# should.
|
# should.
|
||||||
system.stateVersion = "23.11"; # Did you read the comment?
|
system.stateVersion = "20.03"; # Did you read the comment?
|
||||||
}
|
}
|
||||||
|
|
|
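Review bot: `allowedTCPPorts = [15000];` in the relocated `networking.firewall` block of the third hunk is the only line there without a comment naming the service that listens on it, while `kernel.sysctl."net.ipv4.ip_forward" = "1";` in the first hunk makes this host forward traffic; a trailing `# <service listening on 15000>` would let a later reader verify the opening is still needed. `checkReversePath = false; # Needed for libvirtd` switches reverse-path filtering off entirely on a forwarding host; NixOS also accepts `checkReversePath = "loose";`, which may be enough for libvirt's bridged networks while still dropping packets whose source address has no route at all, so it is worth trying before falling back to `false`. Moving the block from inside `networking = { ... }` to a top-level `networking.firewall = { ... }` is behaviour-neutral in Nix, since both definitions merge into the same option.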
@ -31,7 +31,6 @@
|
||||||
mplayer # A movie player that supports many video formats
|
mplayer # A movie player that supports many video formats
|
||||||
nextcloud-client # Nextcloud desktop client
|
nextcloud-client # Nextcloud desktop client
|
||||||
pwgen # Password generator
|
pwgen # Password generator
|
||||||
rsync
|
|
||||||
shotwell # Photo organizer
|
shotwell # Photo organizer
|
||||||
signal-desktop # Private, simple, and secure messenger
|
signal-desktop # Private, simple, and secure messenger
|
||||||
usbutils # Tools for working with USB devices, such as lsusb
|
usbutils # Tools for working with USB devices, such as lsusb
|
||||||
|
@ -70,27 +69,19 @@
|
||||||
};
|
};
|
||||||
libinput.enable = true; # Enable touchpad support.
|
libinput.enable = true; # Enable touchpad support.
|
||||||
};
|
};
|
||||||
|
|
||||||
pipewire = {
|
|
||||||
enable = true;
|
|
||||||
alsa = {
|
|
||||||
enable = true;
|
|
||||||
support32Bit = true;
|
|
||||||
};
|
|
||||||
pulse.enable = true;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
sound.enable = true; # Enable sound.
|
sound.enable = true; # Enable sound.
|
||||||
security.rtkit.enable = true; # realtime scheduling for sound
|
|
||||||
|
|
||||||
# Configure common hardware settings
|
# Configure common hardware settings
|
||||||
hardware = {
|
hardware = {
|
||||||
pulseaudio = {
|
pulseaudio = {
|
||||||
enable = false;
|
enable = true;
|
||||||
|
package = pkgs.pulseaudioFull;
|
||||||
};
|
};
|
||||||
bluetooth = {
|
bluetooth = {
|
||||||
enable = true; # Enable bluetooth
|
enable = true; # Enable bluetooth
|
||||||
|
hsphfpd.enable = true;
|
||||||
settings = {
|
settings = {
|
||||||
General = {
|
General = {
|
||||||
Enable = "Source,Sink,Media,Socket";
|
Enable = "Source,Sink,Media,Socket";
|
||||||
|
|
|
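Review bot: The new side of the second hunk enables `hardware.pulseaudio` and adds `package = pkgs.pulseaudioFull;` and `hsphfpd.enable = true;` without the trailing comment every neighbouring line carries, so a reader cannot tell why the full build and the experimental headset daemon are needed; `package = pkgs.pulseaudioFull; # bluetooth audio codecs` and `hsphfpd.enable = true; # HSP/HFP headset profiles, experimental daemon` would say it. At the same time `security.rtkit.enable = true; # realtime scheduling for sound` is removed; PulseAudio uses rtkit for the same purpose when it is available, so if audio stutters after this change that line is the first thing to restore. The enclosing `services` attribute set opens outside the hunk.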
@ -9,12 +9,18 @@
|
||||||
sources = import ../nix/sources.nix;
|
sources = import ../nix/sources.nix;
|
||||||
unstable = import sources.nixpkgsUnstable {};
|
unstable = import sources.nixpkgsUnstable {};
|
||||||
in {
|
in {
|
||||||
services.forgejo = {
|
services.gitea = {
|
||||||
enable = true; # Enable Forgejo
|
enable = true; # Enable Forgejo
|
||||||
|
appName = "mcwhirter.io: Forgejo Service"; # Give the site a name
|
||||||
database = {
|
database = {
|
||||||
type = "postgres"; # Database type
|
type = "postgres"; # Database type
|
||||||
passwordFile = "/run/keys/forgejo-dbpass"; # Where to find the password
|
passwordFile = "/run/keys/gitea-dbpass"; # Where to find the password
|
||||||
};
|
};
|
||||||
|
disableRegistration = true;
|
||||||
|
domain = "source.mcwhirter.io"; # Domain name
|
||||||
|
rootUrl = "https://source.mcwhirter.io/"; # Root web URL
|
||||||
|
httpPort = 3002; # Provided unique port
|
||||||
|
package = pkgs.forgejo; # a soft fork of gitea
|
||||||
settings = let
|
settings = let
|
||||||
docutils = pkgs.python39.withPackages (ps:
|
docutils = pkgs.python39.withPackages (ps:
|
||||||
with ps; [
|
with ps; [
|
||||||
|
@ -22,21 +28,12 @@ in {
|
||||||
pygments # Provides syntax highlighting
|
pygments # Provides syntax highlighting
|
||||||
]);
|
]);
|
||||||
in {
|
in {
|
||||||
DEFAULT.APP_NAME = "mcwhirter.io: Forgejo Service"; # Give the site a name
|
|
||||||
mailer = {
|
mailer = {
|
||||||
ENABLED = true;
|
ENABLED = true;
|
||||||
FROM = "forgejo@mcwhirter.io";
|
FROM = "gitea@mcwhirter.io";
|
||||||
};
|
};
|
||||||
repository = {DEFAULT_BRANCH = "consensus";};
|
repository = {DEFAULT_BRANCH = "consensus";};
|
||||||
service = {REGISTER_EMAIL_CONFIRM = true;};
|
service = {REGISTER_EMAIL_CONFIRM = true;};
|
||||||
server = {
|
|
||||||
DOMAIN = "source.mcwhirter.io"; # Domain name
|
|
||||||
HTTP_PORT = 3002; # Provided unique port
|
|
||||||
ROOT_URL = "https://source.mcwhirter.io/"; # Root web URL
|
|
||||||
};
|
|
||||||
service = {
|
|
||||||
DISABLE_REGISTRATION = true;
|
|
||||||
};
|
|
||||||
"markup.restructuredtext" = {
|
"markup.restructuredtext" = {
|
||||||
ENABLED = true;
|
ENABLED = true;
|
||||||
FILE_EXTENSIONS = ".rst";
|
FILE_EXTENSIONS = ".rst";
|
||||||
|
@ -52,10 +49,10 @@ in {
|
||||||
|
|
||||||
systemd = {
|
systemd = {
|
||||||
services = {
|
services = {
|
||||||
forgejo = {
|
gitea = {
|
||||||
# Ensure forgejo starts after nixops keys are loaded
|
# Ensure gitea starts after nixops keys are loaded
|
||||||
after = ["forgejo-dbpass-key.service"];
|
after = ["gitea-dbpass-key.service"];
|
||||||
wants = ["forgejo-dbpass-key.service"];
|
wants = ["gitea-dbpass-key.service"];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -63,23 +60,27 @@ in {
|
||||||
services.postgresql = {
|
services.postgresql = {
|
||||||
enable = true; # Ensure postgresql is enabled
|
enable = true; # Ensure postgresql is enabled
|
||||||
authentication = ''
|
authentication = ''
|
||||||
local forgejo all ident map=forgejo-users
|
local gitea all ident map=gitea-users
|
||||||
'';
|
'';
|
||||||
identMap =
|
identMap =
|
||||||
# Map the forgejo user to postgresql
|
# Map the gitea user to postgresql
|
||||||
''
|
''
|
||||||
forgejo-users forgejo forgejo
|
gitea-users gitea gitea
|
||||||
'';
|
'';
|
||||||
ensureDatabases = ["forgejo"]; # Ensure the database persists
|
ensureDatabases = ["gitea"]; # Ensure the database persists
|
||||||
ensureUsers = [
|
ensureUsers = [
|
||||||
{
|
{
|
||||||
name = "forgejo"; # Ensure the database user persists
|
name = "gitea"; # Ensure the database user persists
|
||||||
ensureDBOwnership = true;
|
ensurePermissions = {
|
||||||
|
# Ensure the database permissions persist
|
||||||
|
"DATABASE gitea" = "ALL PRIVILEGES";
|
||||||
|
"ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
|
||||||
|
};
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
services.postgresqlBackup.databases = ["forgejo"];
|
services.postgresqlBackup.databases = ["gitea"];
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true; # Enable Nginx
|
enable = true; # Enable Nginx
|
||||||
|
@ -116,5 +117,5 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
users.groups.keys.members = ["forgejo"]; # Required due to NixOps issue #1204
|
users.groups.keys.members = ["gitea"]; # Required due to NixOps issue #1204
|
||||||
}
|
}
|
||||||
|
|
|
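Review bot: `"ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";` in the new `ensurePermissions` block of the fourth hunk grants more than the `gitea` role needs: the role creates and therefore owns every table in its own database, and the grant appears to run in whichever database the activation script connects to, so it is at best redundant and at worst a blanket grant on another database's public schema; `"DATABASE gitea" = "ALL PRIVILEGES";` alone is the least-privilege form. The same two-line pattern is added for `matrix-synapse`, `nextcloud` and `tt_rss` in later sections of this compare. In `local gitea all ident map=gitea-users`, PostgreSQL substitutes `peer` for `ident` on Unix-socket connections, so `local gitea all peer map=gitea-users` states the method that is actually enforced. `users.groups.keys.members = ["gitea"]` in the last hunk makes every key deployed with the `keys` group readable by the gitea service account, not only `gitea-dbpass`; the comment cites the NixOps issue but not that scope, which is worth a few words there.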
@ -65,6 +65,9 @@ in {
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
keybase.enable = true;
|
keybase.enable = true;
|
||||||
|
#postgresql = {
|
||||||
|
# enable = true; # Ensure postgresql is enabled
|
||||||
|
# package = pkgs.postgresql_10; # Set the required version, if needed
|
||||||
};
|
};
|
||||||
|
|
||||||
users.groups.docker.members = ["craige"];
|
users.groups.docker.members = ["craige"];
|
||||||
|
|
|
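Review bot: The three commented lines added under `keybase.enable = true;` (`#postgresql = {` through `# package = pkgs.postgresql_10;`) are dead configuration with no closing `#};`, so uncommenting them as they stand would leave the `services` set unbalanced, and they name a PostgreSQL major that is out of support. Either delete the block or finish it and say in a comment why it stays disabled, e.g. `# postgresql is configured by <other module> on this host`. The `services = {` set opens inside the hunk but the module around it does not.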
@ -17,7 +17,6 @@
|
||||||
extraConfig = {
|
extraConfig = {
|
||||||
WEB_DOMAIN = "social.mcwhirter.io";
|
WEB_DOMAIN = "social.mcwhirter.io";
|
||||||
};
|
};
|
||||||
streamingProcesses = 5;
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -129,7 +129,11 @@
|
||||||
ensureUsers = [
|
ensureUsers = [
|
||||||
{
|
{
|
||||||
name = "matrix-synapse"; # Ensure the database user persists
|
name = "matrix-synapse"; # Ensure the database user persists
|
||||||
ensureDBOwnership = true;
|
ensurePermissions = {
|
||||||
|
# Ensure the database permissions persist
|
||||||
|
"DATABASE \"matrix-synapse\"" = "ALL PRIVILEGES";
|
||||||
|
"ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
|
||||||
|
};
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
# Initial database creation
|
# Initial database creation
|
||||||
|
|
|
@ -27,12 +27,8 @@
|
||||||
enable = true; # Run regular auto update of all apps installed
|
enable = true; # Run regular auto update of all apps installed
|
||||||
startAt = "01:00:00"; # When to run the update
|
startAt = "01:00:00"; # When to run the update
|
||||||
};
|
};
|
||||||
|
enableBrokenCiphersForSSE = false; # force upgrade to SSL v3
|
||||||
package = pkgs.nextcloud27;
|
package = pkgs.nextcloud27;
|
||||||
extraApps = with config.services.nextcloud.package.packages.apps; {
|
|
||||||
inherit calendar contacts deck news notes tasks twofactor_webauthn;
|
|
||||||
};
|
|
||||||
extraAppsEnable = true;
|
|
||||||
appstoreEnable = true;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd = {
|
systemd = {
|
||||||
|
@ -47,19 +43,15 @@
|
||||||
|
|
||||||
services.postgresql = {
|
services.postgresql = {
|
||||||
enable = true; # Ensure postgresql is enabled
|
enable = true; # Ensure postgresql is enabled
|
||||||
authentication = ''
|
|
||||||
local nextcloud all ident map=nextcloud-users
|
|
||||||
'';
|
|
||||||
identMap =
|
|
||||||
# Map the forgejo user to postgresql
|
|
||||||
''
|
|
||||||
nextcloud-users nextcloud nextcloud
|
|
||||||
'';
|
|
||||||
ensureDatabases = ["nextcloud"]; # Ensure the database persists
|
ensureDatabases = ["nextcloud"]; # Ensure the database persists
|
||||||
ensureUsers = [
|
ensureUsers = [
|
||||||
{
|
{
|
||||||
name = "nextcloud"; # Ensure the database user persists
|
name = "nextcloud"; # Ensure the database user persists
|
||||||
ensureDBOwnership = true;
|
ensurePermissions = {
|
||||||
|
# Ensure the database permissions persist
|
||||||
|
"DATABASE nextcloud" = "ALL PRIVILEGES";
|
||||||
|
"ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
|
||||||
|
};
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
|
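Review bot: The comment on the added `enableBrokenCiphersForSSE = false; # force upgrade to SSL v3` is wrong in a way that invites a bad future edit: the option has nothing to do with SSL/TLS versions, it controls whether Nextcloud's server-side encryption (SSE) may use the legacy OpenSSL cipher, and SSLv3 is itself a broken protocol nobody should move to. `enableBrokenCiphersForSSE = false; # keep legacy ciphers off for Nextcloud server-side encryption` states the intent. In the second hunk the new side also drops the `authentication`/`identMap` lines for the `nextcloud` role, so socket access now relies on whatever this host's PostgreSQL module configures by default; presumably that is covered elsewhere, and a one-line comment here would confirm it. The `services.nextcloud` set opens outside the first hunk.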
@ -20,7 +20,7 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
services.postgresql = {
|
services.postgresql = {
|
||||||
package = pkgs.postgresql_16;
|
package = pkgs.postgresql_11;
|
||||||
};
|
};
|
||||||
|
|
||||||
security.polkit.enable = false; # avoid CVE-2021-4034 (PwnKit)
|
security.polkit.enable = false; # avoid CVE-2021-4034 (PwnKit)
|
||||||
|
|
|
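Review bot: `package = pkgs.postgresql_11;` pins a PostgreSQL major that stopped receiving security fixes in November 2023, so this host keeps an unpatched database server for as long as the pin stays; if the pin exists to avoid a data-directory upgrade, `package = pkgs.postgresql_11; # TODO: pg_upgrade to a supported major, see <migration ticket>` at least records that. The context line `security.polkit.enable = false; # avoid CVE-2021-4034 (PwnKit)` disables polkit outright to sidestep a vulnerability that upstream patched in early 2022; if the packaged polkit in this host's pinned nixpkgs carries that fix, re-enabling it, or noting why it stays off, is the smaller blast radius. The surrounding `let … in {` module lies outside the hunk.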
@ -34,7 +34,11 @@
|
||||||
ensureUsers = [
|
ensureUsers = [
|
||||||
{
|
{
|
||||||
name = "tt_rss"; # Ensure the database user persists
|
name = "tt_rss"; # Ensure the database user persists
|
||||||
ensureDBOwnership = true;
|
ensurePermissions = {
|
||||||
|
# Ensure the database permissions persist
|
||||||
|
"DATABASE tt_rss" = "ALL PRIVILEGES";
|
||||||
|
"ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
|
||||||
|
};
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|