Diffstat (limited to 'users/tazjin/nixos/camden/default.nix')
-rw-r--r-- | users/tazjin/nixos/camden/default.nix | 110 |
1 files changed, 45 insertions, 65 deletions
diff --git a/users/tazjin/nixos/camden/default.nix b/users/tazjin/nixos/camden/default.nix
index d8c439b4f4..130b51dd38 100644
--- a/users/tazjin/nixos/camden/default.nix
+++ b/users/tazjin/nixos/camden/default.nix
@@ -1,11 +1,8 @@
 # This file configures camden.tazj.in, my homeserver.
 { depot, pkgs, lib, ... }:
-config: let
- nixpkgs = import depot.third_party.nixpkgsSrc {
- config.allowUnfree = true;
- };
-
+config:
+let
 nginxRedirect = { from, to, acmeHost }: {
 serverName = from;
 useACMEHost = acmeHost;
@@ -13,25 +10,13 @@ config: let
 extraConfig = "return 301 https://${to}$request_uri;";
 };
-in lib.fix(self: {
- depot = depot;
-
- # Disable the current ACME module and use the old one from 19.09
- # instead, until the various regressions have been sorted out.
- # TODO(tazjin): Remove this once the new ACME module works.
- disabledModules = [ "security/acme.nix" ];
- imports =
- let oldChannel = fetchTarball {
- # NixOS 19.09 on 2020-10-04
- url = "https://github.com/NixOS/nixpkgs-channels/archive/75f4ba05c63be3f147bcc2f7bd4ba1f029cedcb1.tar.gz";
- sha256 = "157c64220lf825ll4c0cxsdwg7cxqdx4z559fdp7kpz0g6p8fhhr";
- };
- in [
- "${depot.depotPath}/ops/nixos/depot.nix"
- "${depot.depotPath}/ops/nixos/quassel.nix"
- "${depot.depotPath}/ops/nixos/smtprelay.nix"
- "${oldChannel}/nixos/modules/security/acme.nix"
- ];
+ mod = name: depot.path.origSrc + ("/ops/modules/" + name);
+in
+lib.fix (self: {
+ imports = [
+ (mod "quassel.nix")
+ (mod "smtprelay.nix")
+ ];
 # camden is intended to boot unattended, despite having an encrypted
 # root partition.
@@ -44,8 +29,14 @@ in lib.fix(self: {
 boot = {
 initrd = {
 availableKernelModules = [
- "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci"
- "rtsx_usb_sdmmc" "r8169"
+ "ahci"
+ "xhci_pci"
+ "usbhid"
+ "usb_storage"
+ "sd_mod"
+ "sdhci_pci"
+ "rtsx_usb_sdmmc"
+ "r8169"
 ];
 kernelModules = [ "dm-snapshot" ];
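Review bot: Removing the private `nixpkgs` import drops `config.allowUnfree = true` with no visible replacement, and the later hunk that deletes `nixpkgs.pkgs = nixpkgs;` means the system is now evaluated against whatever `pkgs` the caller hands in. If any package still listed for this host is marked unfree, evaluation will fail at build time rather than silently; if the intent is that the caller's `pkgs` already carries that setting, a comment next to `{ depot, pkgs, lib, ... }:` would spare the next reader the check, e.g. `# pkgs comes from the caller with any needed nixpkgs config (e.g. allowUnfree) already applied`. The new `imports` list also no longer pulls in the former `ops/nixos/depot.nix`; presumably that module moved or is provided elsewhere, but this diff does not show it.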
@@ -63,7 +54,7 @@ in lib.fix(self: {
 efi.canTouchEfiVariables = true;
 };
- cleanTmpDir = true;
+ tmp.cleanOnBoot = true;
 };
 fileSystems = {
@@ -83,25 +74,17 @@ in lib.fix(self: {
 };
 };
- nix = {
- maxJobs = lib.mkDefault 4;
-
- nixPath = [
- "depot=/home/tazjin/depot"
- "nixpkgs=${depot.third_party.nixpkgsSrc}"
- ];
-
- trustedUsers = [ "root" "tazjin" ];
-
- binaryCaches = [
+ nix.settings = {
+ max-jobs = lib.mkDefault 4;
+ trusted-users = [ "root" "tazjin" ];
+ substituters = [
 "https://tazjin.cachix.org"
 ];
- binaryCachePublicKeys = [
+ trusted-public-keys = [
 "tazjin.cachix.org-1:IZkgLeqfOr1kAZjypItHMg1NoBjm4zX9Zzep8oRSh7U="
 ];
 };
- nixpkgs.pkgs = nixpkgs;
 powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
@@ -125,7 +108,7 @@ in lib.fix(self: {
 programs.mosh.enable = true;
 fonts = {
- fonts = [ nixpkgs.jetbrains-mono ];
+ packages = [ pkgs.jetbrains-mono ];
 fontconfig.defaultFonts.monospace = [ "JetBrains Mono" ];
 };
@@ -134,15 +117,14 @@ in lib.fix(self: {
 (with depot; [
 fun.idual.script
 fun.idual.setAlarm
- third_party.pounce
 ]) ++
 # programs from nixpkgs
- (with nixpkgs; [
+ (with pkgs; [
 bat
 curl
 direnv
- emacs26-nox
+ emacs28-nox
 fswebcam
 git
 gnupg
@@ -162,14 +144,14 @@ in lib.fix(self: {
 isNormalUser = true;
 uid = 1000;
 extraGroups = [ "git" "wheel" "quassel" "video" ];
- shell = nixpkgs.fish;
+ shell = pkgs.fish;
 };
 # Set up a user & group for general git shenanigans
- groups.git = {};
+ groups.git = { };
 users.git = {
 group = "git";
- isNormalUser = false;
+ isSystemUser = true;
 };
 };
@@ -181,13 +163,13 @@ in lib.fix(self: {
 services.tailscale.enable = true;
 # Allow sudo-ing via the forwarded SSH agent.
- security.pam.enableSSHAgentAuth = true;
+ security.pam.sshAgentAuth.enable = true;
 # NixOS 20.03 broke nginx and I can't be bothered to debug it
 # anymore, all solution attempts have failed, so here's a
 # brute-force fix.
 systemd.services.fix-nginx = {
- script = "${nixpkgs.coreutils}/bin/chown -R nginx: /var/spool/nginx /var/cache/nginx";
+ script = "${pkgs.coreutils}/bin/chown -R nginx: /var/spool/nginx /var/cache/nginx";
 serviceConfig = {
 User = "root";
@@ -205,38 +187,36 @@ in lib.fix(self: {
 # Provision a TLS certificate outside of nginx to avoid
 # nixpkgs#38144
 security.acme = {
- # acceptTerms = true;
+ acceptTerms = true;
 certs."tazj.in" = {
 email = "mail@tazj.in";
- user = "nginx";
 group = "nginx";
 webroot = "/var/lib/acme/acme-challenge";
- extraDomains = {
- "cs.tazj.in" = null;
- "git.tazj.in" = null;
- "www.tazj.in" = null;
+ postRun = "systemctl reload nginx";
+
+ extraDomainNames = [
+ "cs.tazj.in"
+ "git.tazj.in"
+ "www.tazj.in"
 # Local domains (for this machine only)
- "camden.tazj.in" = null;
- };
- postRun = "systemctl reload nginx";
+ "camden.tazj.in"
+ ];
 };
 certs."quassel.tazj.in" = {
 email = "mail@tazj.in";
 webroot = "/var/lib/acme/challenge-quassel";
- user = "nginx"; # required because of a bug in the ACME module
 group = "quassel";
- allowKeysForGroup = true;
 };
 };
 # Forward logs to Google Cloud Platform
 services.journaldriver = {
- enable = true;
- logStream = "home";
- googleCloudProject = "tazjins-infrastructure";
+ enable = true;
+ logStream = "home";
+ googleCloudProject = "tazjins-infrastructure";
 applicationCredentials = "/etc/gcp/key.json";
 };
@@ -249,7 +229,7 @@ in lib.fix(self: {
 };
 services.bitlbee = {
- enable = true;
+ enable = false;
 portNumber = 2337; # bees
 };
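Review bot: The renamed `security.pam.sshAgentAuth.enable = true;` keeps sudo authenticating against the forwarded agent, but the list of keys it trusts now lives under `security.pam.sshAgentAuth.authorizedKeysFiles`, which this hunk does not set. pam_ssh_agent_auth accepts any key listed in those files, so they must be root-owned rather than writable by the user being authenticated; since `tazjin` is in `wheel` (users hunk), this file is effectively the gate to root, and whether the module's default on the target release still covers the file holding that key is worth confirming. A one-line comment next to the option would make the dependency explicit, e.g. `# sudo trusts keys from security.pam.sshAgentAuth.authorizedKeysFiles; that file must stay root-owned`. The enclosing attribute set starts and ends outside the hunk.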
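Review bot: `camden.tazj.in` stays in the `tazj.in` certificate's `extraDomainNames` under a comment calling it local to this machine, yet every name in that list is validated through the same HTTP-01 `webroot`; if the name does not resolve publicly to this host, issuance of the whole certificate fails, not just that one name. Worth confirming it is reachable by the CA (or giving it its own cert) and saying which in the comment, e.g. `# camden.tazj.in is in public DNS for this host; HTTP-01 must pass for every name here`. The `postRun = "systemctl reload nginx";` line could also be expressed declaratively as `reloadServices = [ "nginx" ];` if the target release has that option, which keeps a shell string out of the renewal path.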
@@ -257,7 +237,7 @@ in lib.fix(self: {
 services.nginx = {
 enable = true;
 enableReload = true;
- package = with nixpkgs; nginx.override {
+ package = with pkgs; nginx.override {
 modules = [ nginxModules.rtmp ];
 }; |