Diffstat (limited to 'lass')
43 files changed, 997 insertions, 734 deletions
diff --git a/lass/1systems/aergia/config.nix b/lass/1systems/aergia/config.nix index ed5bbcf12..6992db4a5 100644 --- a/lass/1systems/aergia/config.nix +++ b/lass/1systems/aergia/config.nix @@ -26,6 +26,7 @@      <stockholm/lass/2configs/dunst.nix>      <stockholm/lass/2configs/print.nix>      <stockholm/lass/2configs/br.nix> +    <stockholm/lass/2configs/c-base.nix>    ];    system.stateVersion = "22.11"; @@ -47,11 +48,6 @@    };    hardware.pulseaudio.package = pkgs.pulseaudioFull; -  lass.browser.config = { -    fy = { browser = "chromium";  groups = [ "audio" "video" ]; hidden = true; }; -    qt = { browser = "qutebrowser";  groups = [ "audio" "video" ]; hidden = true; }; -  }; -    nix.trustedUsers = [ "root" "lass" ];    # nix.extraOptions = '' diff --git a/lass/1systems/aergia/physical.nix b/lass/1systems/aergia/physical.nix index de5f7540e..023639083 100644 --- a/lass/1systems/aergia/physical.nix +++ b/lass/1systems/aergia/physical.nix @@ -3,6 +3,7 @@    imports = [      ./config.nix      (modulesPath + "/installer/scan/not-detected.nix") +    <stockholm/lass/2configs/antimicrox>    ];    disko.devices = import ./disk.nix; 
@@ -20,15 +21,41 @@    boot.kernelParams = [      # Enable energy savings during sleep      "mem_sleep_default=deep" -    "initcall_blacklist=acpi_cpufreq_init" + +    # use less power with pstate +    "amd_pstate=passive"      # for ryzenadj -i      "iomem=relaxed" + +    # suspend +    "resume_offset=178345675"    ]; -  # Enables the amd cpu scaling https://www.kernel.org/doc/html/latest/admin-guide/pm/amd-pstate.html -  # On recent AMD CPUs this can be more energy efficient. -  boot.kernelModules = [ "amd-pstate" "kvm-amd" ]; +  boot.kernelModules = [ +    # Enables the amd cpu scaling https://www.kernel.org/doc/html/latest/admin-guide/pm/amd-pstate.html +    # On recent AMD CPUs this can be more energy efficient. +    "amd-pstate" +    "kvm-amd" + +    # needed for zenstates +    "msr" + +    # zenpower +    "zenpower" +  ]; + +  boot.extraModulePackages = [ +    (config.boot.kernelPackages.zenpower.overrideAttrs (old: { +      src = pkgs.fetchFromGitea { +        domain = "git.exozy.me"; +        owner = "a"; +        repo = "zenpower3"; +        rev = "c176fdb0d5bcba6ba2aba99ea36812e40f47751f"; +        hash = "sha256-d2WH8Zv7F0phZmEKcDiaak9On+Mo9bAFhMulT/N5FWI="; +      }; +    })) +  ];    # hardware.cpu.amd.updateMicrocode = true; @@ -36,7 +63,16 @@      "amdgpu"    ]; -  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ]; +  boot.initrd.availableKernelModules = [ +    "nvme" +    "thunderbolt" +    "xhci_pci" +    "usbhid" +  ]; + +  boot.initrd.kernelModules = [ +    "amdgpu" +  ];    environment.systemPackages = [      pkgs.vulkan-tools @@ -54,7 +90,13 @@    hardware.video.hidpi.enable = lib.mkDefault true;    # corectrl -  programs.corectrl.enable = true; +  programs.corectrl = { +    enable = true; +    gpuOverclock = { +      enable = true; +      ppfeaturemask = "0xffffffff"; +    }; +  };    users.users.mainUser.extraGroups = [ "corectrl" ];    # use newer ryzenadj 
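Review bot: The `boot.extraModulePackages` override replaces the zenpower source with a fork fetched from `git.exozy.me`, and nothing in the hunk records why the fork is needed or what was reviewed; for code that is built as an out-of-tree kernel module that provenance is worth writing down. The `rev` and `hash` pin do fix the content, so the gap is documentation, e.g. a comment above `src` such as `# zenpower3 fork, needed for <reason>; changes against the nixpkgs source reviewed at this rev`. Separately, `"msr"` is now loaded on every boot next to the existing `iomem=relaxed`, which keeps raw MSR access and relaxed /dev/mem checks available to any root process; if zenstates is only run occasionally, loading the module on demand would keep that surface smaller. The `boot.kernelParams` list starts outside this hunk.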
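Review bot: No comment explains why `ppfeaturemask` is set to `"0xffffffff"` in the new `programs.corectrl.gpuOverclock` block, although that value sets every amdgpu PowerPlay feature bit rather than only the one overclocking needs. The context line after the block keeps `mainUser` in the `corectrl` group, so that account can presumably change GPU clocks and voltages without a further prompt (the polkit side is not visible here). I would add a line such as `# all PowerPlay feature bits on; required for corectrl clock/voltage control on this GPU` and narrow the mask if a smaller one turns out to be enough.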
@@ -72,7 +114,7 @@    # keyboard quirks    services.xserver.displayManager.sessionCommands = '' -    xmodmap -e 'keycode 96 = F12 Insert F12 F12' # rebind shift + F12 to shift + insert +    ${pkgs.xorg.xmodmap}/bin/xmodmap -e 'keycode 96 = F12 Insert F12 F12' # rebind shift + F12 to shift + insert    '';    services.udev.extraHwdb = /* sh */ ''      # disable back buttons @@ -82,5 +124,20 @@    '';    # ignore power key -  services.logind.extraConfig = "HandlePowerKey=ignore"; + +  # update cpu microcode +  hardware.cpu.amd.updateMicrocode = true; + +  # suspend to disk +  swapDevices = [{ +    device = "/swapfile"; +  }]; +  boot.resumeDevice = "/dev/mapper/aergia1"; +  services.logind.lidSwitch = "suspend-then-hibernate"; +  services.logind.extraConfig = '' +    HandlePowerKey=hibernate +  ''; + +  # firefox touchscreen support +  environment.sessionVariables.MOZ_USE_XINPUT2 = "1";  } diff --git a/lass/1systems/coaxmetal/config.nix b/lass/1systems/coaxmetal/config.nix index 2c88b68cc..1df56f591 100644 --- a/lass/1systems/coaxmetal/config.nix +++ b/lass/1systems/coaxmetal/config.nix @@ -54,12 +54,6 @@    };    hardware.pulseaudio.package = pkgs.pulseaudioFull; -  lass.browser.config = { -    dc = { browser = "chromium";  groups = [ "audio" "video" ]; hidden = true; }; -    ff = { browser = "firefox";  groups = [ "audio" "video" ]; hidden = true; }; -    fy = { browser = "chromium";  groups = [ "audio" "video" ]; hidden = true; }; -  }; -    nix.trustedUsers = [ "root" "lass" ];    services.tor = { diff --git a/lass/1systems/green/config.nix b/lass/1systems/green/config.nix index 077f7b3fa..c232be9bd 100644 --- a/lass/1systems/green/config.nix +++ b/lass/1systems/green/config.nix 
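Review bot: The `# ignore power key` comment in the `@@ -82,5 +124,20 @@` hunk is left behind while the setting it described now reads `HandlePowerKey=hibernate`, so the comment states the opposite of what the machine does; it should be dropped or changed to `# power key hibernates`. The same hunk enables suspend-to-disk, which writes the full memory image (session keys, unlocked secrets) to `/swapfile`; `boot.resumeDevice = "/dev/mapper/aergia1"` suggests that file sits on an encrypted volume, but `disk.nix` is not visible here, so that is worth confirming and stating in a comment. The `resume_offset=178345675` kernel parameter added in the earlier `boot.kernelParams` hunk is tied to this swapfile's physical location and goes stale if the file is ever recreated; a comment next to `swapDevices` saying so would save a failed resume later.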
@@ -35,6 +35,7 @@ with import <stockholm/lib>;    systemd.tmpfiles.rules = [      "d /home/lass/.local/share 0700 lass users -"      "d /home/lass/.local 0700 lass users -" +    "d /home/lass/.config 0700 lass users -"      "d /var/state/lass_mail 0700 lass users -"      "L+ /home/lass/Maildir - - - - ../../var/state/lass_mail" diff --git a/lass/1systems/lasspi/config.nix b/lass/1systems/lasspi/config.nix index 9f823dfc8..d2207627d 100644 --- a/lass/1systems/lasspi/config.nix +++ b/lass/1systems/lasspi/config.nix @@ -1,4 +1,3 @@ -with import <stockholm/lib>;  { config, lib, pkgs, ... }:  let  in @@ -18,9 +17,9 @@ in    };    environment.systemPackages = with pkgs; [      vim -    rxvt_unicode.terminfo +    rxvt-unicode-unwrapped.terminfo    ];    services.openssh.enable = true; -  system.stateVersion = "21.05"; +  system.stateVersion = "22.05";  } diff --git a/lass/1systems/lasspi/physical.nix b/lass/1systems/lasspi/physical.nix index 868bafad5..07efb5ca5 100644 --- a/lass/1systems/lasspi/physical.nix +++ b/lass/1systems/lasspi/physical.nix @@ -1,15 +1,14 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, modulesPath, ... }:  { - # This configuration worked on 09-03-2021 nixos-unstable @ commit 102eb68ceec - # The image used https://hydra.nixos.org/build/134720986    imports = [ +    (modulesPath + "/installer/scan/not-detected.nix")      ./config.nix    ];    boot = {      # kernelPackages = pkgs.linuxPackages_rpi4;      tmpOnTmpfs = true; -    initrd.availableKernelModules = [ "usbhid" "usb_storage" ]; +    initrd.availableKernelModules = [ "usbhid" "usb_storage" "xhci_pci" ];      # ttyAMA0 is the serial console broken out to the GPIO      kernelParams = [          "8250.nr_uarts=1" 
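Review bot: In `lass/1systems/lasspi/config.nix` the hunk `@@ -17,9 +17,9 @@` changes `system.stateVersion` from `"21.05"` to `"22.05"`, which is only safe when the machine is reinstalled, because the option tells modules which on-disk state layout to expect rather than which release to run. The accompanying `physical.nix` changes (new boot loader, new root device) suggest a fresh install, but nothing here says so. If that is the case, a comment such as `# reinstalled from a 22.05 image; do not bump on upgrades` would make the intent clear; if the host was upgraded in place, the value should stay at `"21.05"`.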
@@ -20,19 +19,23 @@      ];    }; -  boot.loader.raspberryPi = { -    enable = true; -    version = 4; -  }; +  # boot.loader.raspberryPi = { +  #   enable = true; +  #   version = 4; +  #   # uboot.enable = true; +  # };    boot.loader.grub.enable = false; +  boot.loader.generic-extlinux-compatible.enable = true;    # Required for the Wireless firmware    hardware.enableRedistributableFirmware = true; +  networking.interfaces.eth0.useDHCP = true; +    # Assuming this is installed on top of the disk image.    fileSystems = {      "/" = { -      device = "/dev/disk/by-label/NIXOS_SD"; +      device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";        fsType = "ext4";        options = [ "noatime" ];      }; diff --git a/lass/1systems/neoprism/config.nix b/lass/1systems/neoprism/config.nix index 7f6be782e..cc08070af 100644 --- a/lass/1systems/neoprism/config.nix +++ b/lass/1systems/neoprism/config.nix @@ -7,12 +7,19 @@      # sync-containers      <stockholm/lass/2configs/consul.nix> -    <stockholm/lass/2configs/yellow-host.nix> -    <stockholm/lass/2configs/radio/container-host.nix> +    <stockholm/lass/2configs/services/flix/container-host.nix> +    <stockholm/lass/2configs/services/radio/container-host.nix>      <stockholm/lass/2configs/ubik-host.nix> +    <stockholm/lass/2configs/orange-host.nix> +    <stockholm/krebs/2configs/hotdog-host.nix>      # other containers      <stockholm/lass/2configs/riot.nix> + +    # proxying of services +    <stockholm/lass/2configs/services/radio/proxy.nix> +    <stockholm/lass/2configs/services/flix/proxy.nix> +    <stockholm/lass/2configs/services/coms/proxy.nix>    ];    krebs.build.host = config.krebs.hosts.neoprism; diff --git a/lass/1systems/orange/config.nix b/lass/1systems/orange/config.nix index 3bc20878e..5e975dba8 100644 --- a/lass/1systems/orange/config.nix +++ b/lass/1systems/orange/config.nix 
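Review bot: The root filesystem in `lass/1systems/lasspi/physical.nix` is now located by `/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888`, which looks like the fixed UUID the NixOS image builder puts on every ext4 image rather than a value unique to this card. If so, any other attached medium flashed from such an image carries the same UUID and the by-uuid lookup becomes ambiguous at boot; regenerating the filesystem UUID after install, or noting next to the existing "installed on top of the disk image" comment that this is the shared image default, would address it. The `boot.loader.raspberryPi` block is also left as commented-out code with an extra `# uboot.enable = true;` line; I would delete it or replace it with one sentence explaining why `generic-extlinux-compatible` is used instead.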
@@ -5,6 +5,7 @@ with import <stockholm/lib>;      <stockholm/lass>      <stockholm/lass/2configs>      <stockholm/lass/2configs/retiolum.nix> +    <stockholm/lass/2configs/mumble-reminder.nix>    ];    krebs.build.host = config.krebs.hosts.orange; diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index bcc8c1a08..2e82fae6f 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -134,10 +134,9 @@ with import <stockholm/lib>;      <stockholm/lass/2configs/reaktor-coders.nix>      <stockholm/lass/2configs/ciko.nix>      <stockholm/lass/2configs/container-networking.nix> -    <stockholm/lass/2configs/jitsi.nix> +    <stockholm/lass/2configs/services/coms/jitsi.nix>      <stockholm/lass/2configs/fysiirc.nix>      <stockholm/lass/2configs/bgt-bot> -    <stockholm/lass/2configs/mumble-reminder.nix>      <stockholm/krebs/2configs/mastodon-proxy.nix>      {        services.tor = { @@ -281,7 +280,7 @@ with import <stockholm/lib>;          { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT"; }        ];      } -    <stockholm/lass/2configs/murmur.nix> +    <stockholm/lass/2configs/services/coms/murmur.nix>      <stockholm/lass/2configs/docker.nix>      {        systemd.services."container@yellow".reloadIfChanged = mkForce false; diff --git a/lass/1systems/radio/config.nix b/lass/1systems/radio/config.nix index 5e34335d3..00e9bd3fe 100644 --- a/lass/1systems/radio/config.nix +++ b/lass/1systems/radio/config.nix @@ -7,7 +7,7 @@ with import <stockholm/lib>;      <stockholm/lass/2configs/retiolum.nix>      <stockholm/lass/2configs/syncthing.nix> -    <stockholm/lass/2configs/radio> +    <stockholm/lass/2configs/services/radio>    ];    krebs.build.host = config.krebs.hosts.radio; diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix index ff8189e24..fb28fb029 100644 --- a/lass/1systems/yellow/config.nix +++ b/lass/1systems/yellow/config.nix 
@@ -5,6 +5,7 @@ in {      <stockholm/lass>      <stockholm/lass/2configs>      <stockholm/lass/2configs/retiolum.nix> +    <stockholm/lass/2configs/services/flix>    ];    krebs.build.host = config.krebs.hosts.yellow; 
@@ -14,281 +15,8 @@ in {      pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN737BAP36KiZO97mPKTIUGJUcr97ps8zjfFag6cUiYL";    }; -  users.groups.download.members = [ "transmission" ]; -    networking.useHostResolvConf = false;    networking.useNetworkd = true; -  services.transmission = { -    enable = true; -    home = "/var/state/transmission"; -    group = "download"; -    downloadDirPermissions = "775"; -    settings = { -      download-dir = "/var/download/transmission"; -      incomplete-dir-enabled = false; -      rpc-bind-address = "::"; -      message-level = 1; -      umask = 18; -      rpc-whitelist-enabled = false; -      rpc-host-whitelist-enabled = false; -    }; -  }; - -  security.acme.defaults.email = "spam@krebsco.de"; -  security.acme.acceptTerms = true; -  security.acme.certs."yellow.r".server = config.krebs.ssl.acmeURL; -  security.acme.certs."jelly.r".server = config.krebs.ssl.acmeURL; -  security.acme.certs."radar.r".server = config.krebs.ssl.acmeURL; -  security.acme.certs."sonar.r".server = config.krebs.ssl.acmeURL; -  security.acme.certs."transmission.r".server = config.krebs.ssl.acmeURL; -  services.nginx = { -    enable = true; -    package = pkgs.nginx.override { -      modules = with pkgs.nginxModules; [ -        fancyindex -      ]; -    }; -    virtualHosts."yellow.r" = { -      default = true; -      enableACME = true; -      addSSL = true; -      locations."/" = { -        root = "/var/download"; -        extraConfig = '' -          fancyindex on; -          fancyindex_footer "/fancy.html"; -          include ${pkgs.nginx}/conf/mime.types; -          include ${pkgs.writeText "extrMime" '' -            types { -              video/webm mkv; -            } -          ''}; -          create_full_put_path on; -        ''; -      }; -      locations."/chatty" = { -        proxyPass = "http://localhost:3000"; -        extraConfig = '' -          rewrite /chatty/(.*) /$1  break; -          proxy_set_header Host $host; -        ''; -      
}; -      locations."= /fancy.html".extraConfig = '' -        alias ${pkgs.writeText "nginx_footer" '' -          <div id="mydiv"> -            <!-- Include a header DIV with the same name as the draggable DIV, followed by "header" --> -            <div id="mydivheader">Click here to move</div> -              <iframe src="/chatty/index.html"></iframe> -          </div> -          <style> -          #mydiv { -            position: absolute; -            z-index: 9; -            background-color: #f1f1f1; -            border: 1px solid #d3d3d3; -            text-align: center; -          } - -          #mydivheader { -            padding: 10px; -            cursor: move; -            z-index: 10; -            background-color: #2196F3; -            color: #fff; -          } -          </style> -          <script> -            // Make the DIV element draggable: -            dragElement(document.getElementById("mydiv")); - -            function dragElement(elmnt) { -              var pos1 = 0, pos2 = 0, pos3 = 0, pos4 = 0; -              if (document.getElementById(elmnt.id + "header")) { -                // if present, the header is where you move the DIV from: -                document.getElementById(elmnt.id + "header").onmousedown = dragMouseDown; -              } else { -                // otherwise, move the DIV from anywhere inside the DIV: -                elmnt.onmousedown = dragMouseDown; -              } - -              function dragMouseDown(e) { -                e = e || window.event; -                e.preventDefault(); -                // get the mouse cursor position at startup: -                pos3 = e.clientX; -                pos4 = e.clientY; -                document.onmouseup = closeDragElement; -                // call a function whenever the cursor moves: -                document.onmousemove = elementDrag; -              } - -              function elementDrag(e) { -                e = e || window.event; -                e.preventDefault(); - 
               // calculate the new cursor position: -                pos1 = pos3 - e.clientX; -                pos2 = pos4 - e.clientY; -                pos3 = e.clientX; -                pos4 = e.clientY; -                // set the element's new position: -                elmnt.style.top = (elmnt.offsetTop - pos2) + "px"; -                elmnt.style.left = (elmnt.offsetLeft - pos1) + "px"; -              } - -              function closeDragElement() { -                // stop moving when mouse button is released: -                document.onmouseup = null; -                document.onmousemove = null; -              } -            } -          </script> -        ''}; -      ''; -    }; -    virtualHosts."jelly.r" = { -      enableACME = true; -      addSSL = true; -      locations."/".extraConfig = '' -        proxy_pass http://localhost:8096/; -        proxy_set_header Accept-Encoding ""; -      ''; -    }; -    virtualHosts."transmission.r" = { -      enableACME = true; -      addSSL = true; -      locations."/".extraConfig = '' -        proxy_pass http://localhost:9091/; -        proxy_set_header Accept-Encoding ""; -      ''; -    }; -    virtualHosts."radar.r" = { -      enableACME = true; -      addSSL = true; -      locations."/" = { -        proxyWebsockets = true; -        proxyPass = "http://localhost:7878"; -      }; -    }; -    virtualHosts."sonar.r" = { -      enableACME = true; -      addSSL = true; -      locations."/" = { -        proxyWebsockets = true; -        proxyPass = "http://localhost:8989"; -      }; -    }; -  }; - -  services.samba = { -    enable = true; -    enableNmbd = false; -    extraConfig = '' -      workgroup = WORKGROUP -      server string = ${config.networking.hostName} -      # only allow retiolum addresses -      hosts allow = 42::/16 10.243.0.0/16 10.244.0.0/16 - -      # Use sendfile() for performance gain -      use sendfile = true - -      # No NetBIOS is needed -      disable netbios = true - -      # Only mangle 
non-valid NTFS names, don't care about DOS support -      mangled names = illegal - -      # Performance optimizations -      socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536 - -      # Disable all printing -      load printers = false -      disable spoolss = true -      printcap name = /dev/null - -      map to guest = Bad User -      max log size = 50 -      dns proxy = no -      security = user - -      [global] -      syslog only = yes -    ''; -    shares.public = { -      comment = "Warez"; -      path = "/var/download"; -      public = "yes"; -      "only guest" = "yes"; -      "create mask" = "0644"; -      "directory mask" = "2777"; -      writable = "no"; -      printable = "no"; -    }; -  }; - -  systemd.services.bruellwuerfel = -  let -    bruellwuerfelSrc = pkgs.fetchFromGitHub { -      owner = "krebs"; -      repo = "bruellwuerfel"; -      rev = "dc73adf69249fb63a4b024f1f3fbc9e541b27015"; -      sha256 = "078jp1gbavdp8lnwa09xa5m6bbbd05fi4x5ldkkgin5z04hwlhmd"; -    }; -  in { -    wantedBy = [ "multi-user.target" ]; -    environment = { -      IRC_CHANNEL = "#flix"; -      IRC_NICK = "bruelli"; -      IRC_SERVER = "irc.r"; -      IRC_HISTORY_FILE = "/tmp/bruelli.history"; -    }; -    serviceConfig = { -      ExecStart = "${pkgs.deno}/bin/deno run -A ${bruellwuerfelSrc}/src/index.ts"; -    }; -  }; - -  krebs.iptables = { -    enable = true; -    tables.filter.INPUT.rules = [ -      { predicate = "-p tcp --dport 80"; target = "ACCEPT"; } # nginx web dir -      { predicate = "-p tcp --dport 443"; target = "ACCEPT"; } # nginx web dir -      { predicate = "-p tcp --dport 9091"; target = "ACCEPT"; } # transmission-web -      { predicate = "-p tcp --dport 51413"; target = "ACCEPT"; } # transmission-traffic -      { predicate = "-p udp --dport 51413"; target = "ACCEPT"; } # transmission-traffic -      { predicate = "-p tcp --dport 8096"; target = "ACCEPT"; } # jellyfin -      { predicate = "-p tcp --dport 9696"; target = 
"ACCEPT"; } # prowlarr -      { predicate = "-p tcp --dport 8989"; target = "ACCEPT"; } # sonarr -      { predicate = "-p tcp --dport 7878"; target = "ACCEPT"; } # radarr -      { predicate = "-p tcp --dport 6767"; target = "ACCEPT"; } # bazarr - -      # smbd -      { predicate = "-i retiolum -p tcp --dport 445"; target = "ACCEPT"; } -      { predicate = "-i retiolum -p tcp --dport 111"; target = "ACCEPT"; } -      { predicate = "-i retiolum -p udp --dport 111"; target = "ACCEPT"; } -      { predicate = "-i retiolum -p tcp --dport 2049"; target = "ACCEPT"; } -      { predicate = "-i retiolum -p udp --dport 2049"; target = "ACCEPT"; } -      { predicate = "-i retiolum -p tcp --dport 4000:4002"; target = "ACCEPT"; } -      { predicate = "-i retiolum -p udp --dport 4000:4002"; target = "ACCEPT"; } -      { predicate = "-i wiregrill -p tcp --dport 445"; target = "ACCEPT"; } -      { predicate = "-i wiregrill -p tcp --dport 111"; target = "ACCEPT"; } -      { predicate = "-i wiregrill -p udp --dport 111"; target = "ACCEPT"; } -      { predicate = "-i wiregrill -p tcp --dport 2049"; target = "ACCEPT"; } -      { predicate = "-i wiregrill -p udp --dport 2049"; target = "ACCEPT"; } -      { predicate = "-i wiregrill -p tcp --dport 4000:4002"; target = "ACCEPT"; } -      { predicate = "-i wiregrill -p udp --dport 4000:4002"; target = "ACCEPT"; } -    ]; -    tables.filter.OUTPUT = { -      policy = "DROP"; -      rules = [ -        { predicate = "-o lo"; target = "ACCEPT"; } -        { v6 = false; predicate = "-d ${vpnIp}/32"; target = "ACCEPT"; } -        { predicate = "-o tun0"; target = "ACCEPT"; } -        { predicate = "-o retiolum"; target = "ACCEPT"; } -        { v6 = false; predicate = "-d 1.1.1.1/32"; target = "ACCEPT"; } -        { v6 = false; predicate = "-d 1.0.0.1/32"; target = "ACCEPT"; } -        { v6 = false; predicate = "-o eth0 -d 10.233.2.0/24"; target = "ACCEPT"; } -      ]; -    }; -  };    services.openvpn.servers.nordvpn.config = ''      client 
@@ -375,49 +103,19 @@ in {      </tls-auth>    ''; -  systemd.services.flix-index = { -    wantedBy = [ "multi-user.target" ]; -    path = [ -      pkgs.coreutils -      pkgs.findutils -      pkgs.inotify-tools -    ]; -    serviceConfig = { -      Restart = "always"; -      ExecStart = pkgs.writers.writeDash "flix-index" ''  | 
