flake/hosts/pek0/default.nix

{
  lib,
  config,
  pkgs,
  ...
}:
{
  imports = [
    # OS
    ../../nixos/profiles/sing-box

    # Hardware
    ./hardware-configuration.nix
    ./anti-feature.nix

    # Services
    ./services/jellyfin.nix
    ./services/mastodon.nix
    ./services/matrix.nix
    ./services/minecraft.nix
    ./services/samba.nix
    ./services/transmission.nix
  ];

  boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.systemd-boot.enable = true;
  networking.hostName = "pek0";
  system.stateVersion = "24.05";

  ######## Secrets
  sops.secrets = lib.mapAttrs (_name: value: value // { sopsFile = ./secrets.yaml; }) {
    "synapse/secret" = {
      restartUnits = [ "matrix-synapse.service" ];
      owner = config.systemd.services.matrix-synapse.serviceConfig.User;
    };
    "synapse/oidc" = {
      restartUnits = [ "matrix-synapse.service" ];
      owner = config.systemd.services.matrix-synapse.serviceConfig.User;
    };
    "mastodon/environment" = {
      restartUnits = [ "mastodon-web.service" ];
    };
    "cloudflared/secret" = {
      restartUnits = [ "cloudflared-tunnel-6222a3e0-98da-4325-be19-0f86a7318a41.service" ];
      owner =
        config.systemd.services."cloudflared-tunnel-6222a3e0-98da-4325-be19-0f86a7318a41".serviceConfig.User;
    };
  };

  services.tailscale = {
    enable = true;
    openFirewall = true;
  };

  services.cloudflared = {
    enable = true;
    tunnels = {
      "6222a3e0-98da-4325-be19-0f86a7318a41" = {
        credentialsFile = config.sops.secrets."cloudflared/secret".path;
        default = "http_status:404";
        ingress = lib.genAttrs [
          "mastodon.ny4.dev"
          "matrix.ny4.dev"
          "pek0.ny4.dev"
        ] (_: "http://localhost");
      };
    };
  };

  services.caddy.enable = true;
  services.caddy.settings.apps.http.servers.srv0 = {
    listen = [ ":80" ];
    trusted_proxies = {
      ranges = [
        "192.168.0.0/16"
        "172.16.0.0/12"
        "10.0.0.0/8"
        "127.0.0.1/8"
        "fd00::/8"
        "::1"
      ];
      source = "static";
    };
    trusted_proxies_strict = 1;
  };

  systemd.services."caddy".serviceConfig.SupplementaryGroups = [
    "mastodon"
    "matrix-synapse"
  ];

  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_16;
    settings = {
      max_connections = 200;
      shared_buffers = "4GB";
      effective_cache_size = "12GB";
      maintenance_work_mem = "1GB";
      checkpoint_completion_target = 0.9;
      wal_buffers = "16MB";
      default_statistics_target = 100;
      random_page_cost = 1.1;
      effective_io_concurrency = 200;
      work_mem = "5242kB";
      huge_pages = "off";
      min_wal_size = "1GB";
      max_wal_size = "4GB";
      max_worker_processes = 8;
      max_parallel_workers_per_gather = 4;
      max_parallel_workers = 8;
      max_parallel_maintenance_workers = 4;
    };
    initialScript = pkgs.writeText "synapse-init.sql" ''
      CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
      CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
        TEMPLATE template0
        LC_COLLATE = "C"
        LC_CTYPE = "C";
    '';
  };

  services.postgresqlBackup = {
    enable = true;
    location = "/var/lib/backup/postgresql";
    compression = "zstd";
    startAt = "weekly";
  };
}
blacksteel/minecraft: update to papermc version 1.20.4.431 2024-02-23 11:57:21 +00:00			`{`
			`lib,`
treewide: update I honestly have no idea how to commit this pile of stuff one by one... 2024-05-23 16:15:10 +00:00			`config,`
blacksteel: file structure 2024-08-11 10:08:41 +00:00			`pkgs,`
blacksteel/minecraft: update to papermc version 1.20.4.431 2024-02-23 11:57:21 +00:00			`...`
treewide: alejandra -> nixfmt-rfc-style 2024-08-25 15:02:35 +00:00			`}:`
			`{`
hosts: add blacksteel 2024-02-13 04:01:59 +00:00			`imports = [`
			`# OS`
nixos: mihomo -> sing-box 2024-08-24 08:10:54 +00:00			`../../nixos/profiles/sing-box`
hosts: add blacksteel 2024-02-13 04:01:59 +00:00
			`# Hardware`
			`./hardware-configuration.nix`
			`./anti-feature.nix`
blacksteel: file structure 2024-08-11 10:08:41 +00:00
			`# Services`
fixup! blacksteel: file structure 2024-08-16 08:49:03 +00:00			`./services/jellyfin.nix`
blacksteel: file structure 2024-08-11 10:08:41 +00:00			`./services/mastodon.nix`
fixup! blacksteel: file structure 2024-08-16 08:49:03 +00:00			`./services/matrix.nix`
blacksteel: file structure 2024-08-11 10:08:41 +00:00			`./services/minecraft.nix`
fixup! blacksteel: file structure 2024-08-16 08:49:03 +00:00			`./services/samba.nix`
pek0: qbittorrent-nox -> transmission 2024-08-30 23:51:49 +00:00			`./services/transmission.nix`
hosts: add blacksteel 2024-02-13 04:01:59 +00:00			`];`

nixos/core: set bootloader for per-host 2024-04-22 14:34:20 +00:00			`boot.loader.efi.canTouchEfiVariables = true;`
			`boot.loader.systemd-boot.enable = true;`
hosts: blacksteel -> pek0 2024-08-31 00:00:40 +00:00			`networking.hostName = "pek0";`
treewide: bump stateVersion 2024-08-12 07:25:36 +00:00			`system.stateVersion = "24.05";`
hosts: add blacksteel 2024-02-13 04:01:59 +00:00
treewide: update I honestly have no idea how to commit this pile of stuff one by one... 2024-05-23 16:15:10 +00:00			`######## Secrets`
treewide: alejandra -> nixfmt-rfc-style 2024-08-25 15:02:35 +00:00			`sops.secrets = lib.mapAttrs (_name: value: value // { sopsFile = ./secrets.yaml; }) {`
flake: bump 2024-08-09 09:46:45 +00:00			`"synapse/secret" = {`
treewide: alejandra -> nixfmt-rfc-style 2024-08-25 15:02:35 +00:00			`restartUnits = [ "matrix-synapse.service" ];`
flake: bump 2024-08-09 09:46:45 +00:00			`owner = config.systemd.services.matrix-synapse.serviceConfig.User;`
			`};`
			`"synapse/oidc" = {`
treewide: alejandra -> nixfmt-rfc-style 2024-08-25 15:02:35 +00:00			`restartUnits = [ "matrix-synapse.service" ];`
flake: bump 2024-08-09 09:46:45 +00:00			`owner = config.systemd.services.matrix-synapse.serviceConfig.User;`
			`};`
			`"mastodon/environment" = {`
treewide: alejandra -> nixfmt-rfc-style 2024-08-25 15:02:35 +00:00			`restartUnits = [ "mastodon-web.service" ];`
flake: bump 2024-08-09 09:46:45 +00:00			`};`
			`"cloudflared/secret" = {`
treewide: alejandra -> nixfmt-rfc-style 2024-08-25 15:02:35 +00:00			`restartUnits = [ "cloudflared-tunnel-6222a3e0-98da-4325-be19-0f86a7318a41.service" ];`
			`owner =`
			`config.systemd.services."cloudflared-tunnel-6222a3e0-98da-4325-be19-0f86a7318a41".serviceConfig.User;`
treewide: update I honestly have no idea how to commit this pile of stuff one by one... 2024-05-23 16:15:10 +00:00			`};`
			`};`

fixup! blacksteel: add minecraft server 2024-02-16 09:07:56 +00:00			`services.tailscale = {`
			`enable = true;`
			`openFirewall = true;`
			`};`
blacksteel: add samba 2024-02-15 16:58:18 +00:00
nixos: frp -> cloudflared 2024-06-21 07:18:05 +00:00			`services.cloudflared = {`
treewide: update I honestly have no idea how to commit this pile of stuff one by one... 2024-05-23 16:15:10 +00:00			`enable = true;`
nixos: frp -> cloudflared 2024-06-21 07:18:05 +00:00			`tunnels = {`
			`"6222a3e0-98da-4325-be19-0f86a7318a41" = {`
			`credentialsFile = config.sops.secrets."cloudflared/secret".path;`
			`default = "http_status:404";`
nixos: cleanup 2024-07-24 16:53:10 +00:00			`ingress = lib.genAttrs [`
			`"mastodon.ny4.dev"`
			`"matrix.ny4.dev"`
nixos: use prometheus 2024-08-29 17:42:37 +00:00			`"pek0.ny4.dev"`
nixos: cleanup 2024-07-24 16:53:10 +00:00			`] (_: "http://localhost");`
nixos: frp -> cloudflared 2024-06-21 07:18:05 +00:00			`};`
treewide: update I honestly have no idea how to commit this pile of stuff one by one... 2024-05-23 16:15:10 +00:00			`};`
			`};`

nixos/caddy: caddyfile -> rfc42 2024-08-31 02:15:09 +00:00			`services.caddy.enable = true;`
			`services.caddy.settings.apps.http.servers.srv0 = {`
			`listen = [ ":80" ];`
			`trusted_proxies = {`
			`ranges = [`
			`"192.168.0.0/16"`
			`"172.16.0.0/12"`
			`"10.0.0.0/8"`
			`"127.0.0.1/8"`
			`"fd00::/8"`
			`"::1"`
			`];`
			`source = "static";`
nixos: frp -> cloudflared 2024-06-21 07:18:05 +00:00			`};`
nixos/caddy: caddyfile -> rfc42 2024-08-31 02:15:09 +00:00			`trusted_proxies_strict = 1;`
nixos: frp -> cloudflared 2024-06-21 07:18:05 +00:00			`};`

tyo0/forgejo: fine grain unix socket permission 2024-09-07 07:24:37 +00:00			`systemd.services."caddy".serviceConfig.SupplementaryGroups = [`
			`"mastodon"`
			`"matrix-synapse"`
			`];`
treewide: update I honestly have no idea how to commit this pile of stuff one by one... 2024-05-23 16:15:10 +00:00
			`services.postgresql = {`
			`enable = true;`
blacksteel: use postgresql_16 2024-08-11 13:26:31 +00:00			`package = pkgs.postgresql_16;`
treewide: update I honestly have no idea how to commit this pile of stuff one by one... 2024-05-23 16:15:10 +00:00			`settings = {`
			`max_connections = 200;`
			`shared_buffers = "4GB";`
			`effective_cache_size = "12GB";`
			`maintenance_work_mem = "1GB";`
			`checkpoint_completion_target = 0.9;`
			`wal_buffers = "16MB";`
			`default_statistics_target = 100;`
blacksteel: use postgresql_16 2024-08-11 13:26:31 +00:00			`random_page_cost = 1.1;`
treewide: update I honestly have no idea how to commit this pile of stuff one by one... 2024-05-23 16:15:10 +00:00			`effective_io_concurrency = 200;`
			`work_mem = "5242kB";`
			`huge_pages = "off";`
			`min_wal_size = "1GB";`
			`max_wal_size = "4GB";`
			`max_worker_processes = 8;`
			`max_parallel_workers_per_gather = 4;`
			`max_parallel_workers = 8;`
			`max_parallel_maintenance_workers = 4;`
			`};`
			`initialScript = pkgs.writeText "synapse-init.sql" ''`
			`CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';`
			`CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"`
			`TEMPLATE template0`
			`LC_COLLATE = "C"`
			`LC_CTYPE = "C";`
			`'';`
			`};`

			`services.postgresqlBackup = {`
			`enable = true;`
			`location = "/var/lib/backup/postgresql";`
			`compression = "zstd";`
			`startAt = "weekly";`
			`};`
hosts: add blacksteel 2024-02-13 04:01:59 +00:00			`}`