diff --git a/hosts/blacksteel/Caddyfile b/hosts/blacksteel/Caddyfile index 45e1563..921031d 100644 --- a/hosts/blacksteel/Caddyfile +++ b/hosts/blacksteel/Caddyfile @@ -2,7 +2,7 @@ encode zstd gzip handle_path /robots.txt { file_server * { - root /var/www/robots/robots.txt + root @robots@ } } } diff --git a/hosts/blacksteel/default.nix b/hosts/blacksteel/default.nix index 907a07e..66ccf52 100644 --- a/hosts/blacksteel/default.nix +++ b/hosts/blacksteel/default.nix @@ -1,7 +1,7 @@ { - pkgs, lib, config, + pkgs, ... }: { imports = [ @@ -13,6 +13,13 @@ # Hardware ./hardware-configuration.nix ./anti-feature.nix + + # Services + ./services/samba.nix + ./services/matrix.nix + ./services/mastodon.nix + ./services/minecraft.nix + ./services/jellyfin.nix ]; boot.loader.efi.canTouchEfiVariables = true; @@ -43,9 +50,6 @@ }; }; - ######## Services - environment.systemPackages = with pkgs; [qbittorrent-nox]; - services.tailscale = { enable = true; openFirewall = true; @@ -70,6 +74,7 @@ enable = true; configFile = pkgs.substituteAll { src = ./Caddyfile; + robots = toString ../lightsail-tokyo/robots.txt; inherit (pkgs) mastodon; }; }; @@ -78,25 +83,10 @@ SupplementaryGroups = ["mastodon" "matrix-synapse"]; }; - systemd.tmpfiles.settings = { - "10-www" = { - "/var/www/robots/robots.txt".C.argument = toString ../lightsail-tokyo/robots.txt; - }; - }; - services.postgresql = { enable = true; settings = { - # Generated by pgTune - # https://pgtune.leopard.in.ua/#/ - # - # DB Version: 15 - # OS Type: linux - # DB Type: web - # Total Memory (RAM): 16 GB - # CPUs num: 8 - # Data Storage: ssd - + # https://pgtune.leopard.in.ua/ max_connections = 200; shared_buffers = "4GB"; effective_cache_size = "12GB"; 
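Review bot: The new imports list in hunk `@@ -13,6 +13,13 @@` of default.nix does not include `./services/qbittorrent.nix`, a file this commit creates, while hunk `@@ -43,9 +50,6 @@` removes `environment.systemPackages = with pkgs; [qbittorrent-nox];` from the same file. Unless the new module is imported from somewhere outside this diff, qbittorrent-nox silently drops out of the system closure on the next rebuild, which the `# currently running qbittorrent-nox with tmux` comment in that file suggests is not intended. Adding `./services/qbittorrent.nix` to the `# Services` group fixes it; the same point applies to the new-file hunk for hosts/blacksteel/services/qbittorrent.nix further down.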
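Review bot: `robots = toString ../lightsail-tokyo/robots.txt;` in hunk `@@ -70,6 +74,7 @@` hands substituteAll a plain string, so the generated Caddyfile points at wherever the configuration happened to be evaluated from rather than at a store copy of the file. The removed tmpfiles line had the same shape, but it only copied the file once at boot; now Caddy's `file_server` reads that path at request time, so a stale or missing path is a served 404 instead of a one-off copy failure. Passing the path value itself, `robots = ../lightsail-tokyo/robots.txt;`, copies the file into the store and makes it an explicit input of the Caddyfile derivation. As far as I can tell this only matters for non-flake evaluation, where the string would name the working checkout; with a flake the source tree is already in the store, but the explicit form is the one that does not depend on how the host is built.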
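Review bot: The replacement comment `# https://pgtune.leopard.in.ua/` in hunk `@@ -78,25 +83,10 @@` drops the inputs the removed block recorded (DB version 15, linux, web, 16 GB RAM, 8 CPUs, ssd), so `max_connections = 200` and `shared_buffers = "4GB"` can no longer be regenerated or sanity-checked against the tool when the hardware changes. Keeping the parameters on the one surviving line is enough: `# pgtune (https://pgtune.leopard.in.ua/): PG 15, web, 16 GB RAM, 8 CPUs, ssd`. The `services.postgresql` block continues past the end of the hunk.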
@@ -130,180 +120,4 @@
 compression = "zstd";
 startAt = "weekly";
 };
-
- services.minecraft-server = {
- enable = true;
- eula = true;
- openFirewall = true;
-
- package = pkgs.minecraftServers.vanilla-1-21;
-
- # Aikar's flag
- # https://aikar.co/2018/07/02/tuning-the-jvm-g1gc-garbage-collector-flags-for-minecraft/
- # https://docs.papermc.io/paper/aikars-flags
- jvmOpts = lib.concatStringsSep " " [
- "-Xms2G"
- "-Xmx2G"
- "-XX:+UseG1GC"
- "-XX:+ParallelRefProcEnabled"
- "-XX:MaxGCPauseMillis=200"
- "-XX:+UnlockExperimentalVMOptions"
- "-XX:+DisableExplicitGC"
- "-XX:+AlwaysPreTouch"
- "-XX:G1NewSizePercent=30"
- "-XX:G1MaxNewSizePercent=40"
- "-XX:G1HeapRegionSize=8M"
- "-XX:G1ReservePercent=20"
- "-XX:G1HeapWastePercent=5"
- "-XX:G1MixedGCCountTarget=4"
- "-XX:InitiatingHeapOccupancyPercent=15"
- "-XX:G1MixedGCLiveThresholdPercent=90"
- "-XX:G1RSetUpdatingPauseTimePercent=5"
- "-XX:SurvivorRatio=32"
- "-XX:+PerfDisableSharedMem"
- "-XX:MaxTenuringThreshold=1"
- "-Dusing.aikars.flags=https://mcflags.emc.gs"
- "-Daikars.new.flags=true"
- ];
-
- declarative = true;
- serverProperties = {
- motd = "NixOS Minecraft server!";
- white-list = true;
-
- difficulty = 3;
- gamemode = 0;
- max-players = 5;
- };
- whitelist = {
- "Guanran928" = "86dbb6c5-8d8b-4c45-b8eb-b3fdf03bfb27";
- "i_love_ravens" = "2788dd4b-b010-4a2f-9b5c-aad0c0e0cba5";
- };
- };
-
- services.samba = {
- enable = true;
- openFirewall = true;
- shares = {
- "share" = {
- path = "/srv/samba/share";
- "read only" = "no";
- };
- "external" = {
- path = "/mnt";
- "read only" = "no";
- };
- };
- };
-
- services.samba-wsdd = {
- enable = true;
- openFirewall = true;
- };
-
- systemd.tmpfiles.rules = [
- "d /srv/samba/share 0755 guanranwang root"
- ];
-
- services.matrix-synapse = {
- enable = true;
- withJemalloc = true;
- enableRegistrationScript = false;
- extraConfigFiles = [config.sops.secrets."synapse/secret".path];
- settings = {
- server_name = "ny4.dev";
- public_baseurl = "https://matrix.ny4.dev";
- presence.enabled = false; # tradeoff
- listeners = [
- {
- path = "/run/matrix-synapse/synapse.sock";
- type = "http";
- resources = [
- {
- names = ["client" "federation"];
- compress = true;
- }
- ];
- }
- ];
-
- # https://element-hq.github.io/synapse/latest/openid.html#keycloak
- oidc_providers = [
- {
- idp_id = "keycloak";
- idp_name = "id.ny4.dev";
- issuer = "https://id.ny4.dev/realms/ny4";
- client_id = "synapse";
- client_secret_path = config.sops.secrets."synapse/oidc".path;
- scopes = ["openid" "profile"];
- user_mapping_provider.config = {
- localpart_template = "{{ user.preferred_username }}";
- display_name_template = "{{ user.name }}";
- };
- backchannel_logout_enabled = true;
- allow_existing_users = true;
- }
- ];
- };
- };
-
- systemd.services.matrix-synapse = {
- environment = config.networking.proxy.envVars;
- serviceConfig.RuntimeDirectory = ["matrix-synapse"];
- };
-
- services.matrix-sliding-sync = {
- enable = true;
- environmentFile = config.sops.secrets."syncv3/environment".path;
- settings = {
- SYNCV3_SERVER = "/run/matrix-synapse/synapse.sock";
- SYNCV3_BINDADDR = "/run/matrix-sliding-sync/sync.sock";
- };
- };
-
- systemd.services.matrix-sliding-sync.serviceConfig = {
- RuntimeDirectory = ["matrix-sliding-sync"];
- SupplementaryGroups = ["matrix-synapse"];
- };
-
- services.mastodon = {
- enable = true;
- localDomain = "ny4.dev";
- streamingProcesses = 1;
- mediaAutoRemove.olderThanDays = 14;
- # FIXME: this doesn't exist
- smtp = {
- createLocally = false;
- fromAddress = "mastodon@ny4.dev";
- };
- extraConfig = rec {
- SINGLE_USER_MODE = "true";
- WEB_DOMAIN = "mastodon.ny4.dev";
-
- # keycloak
- OMNIAUTH_ONLY = "true";
- OIDC_ENABLED = "true";
- OIDC_CLIENT_ID = "mastodon";
- # OIDC_CLIENT_SECRET # EnvironmentFile
- OIDC_DISCOVERY = "true";
- OIDC_DISPLAY_NAME = "id.ny4.dev";
- OIDC_ISSUER = "https://id.ny4.dev/realms/ny4";
- OIDC_REDIRECT_URI = "https://${WEB_DOMAIN}/auth/auth/openid_connect/callback";
- OIDC_SCOPE = "openid,profile,email";
- OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
- OIDC_UID_FIELD = "preferred_username";
- };
- };
-
- systemd.services.mastodon-web = {
- environment = config.networking.proxy.envVars;
- serviceConfig.EnvironmentFile = [config.sops.secrets."mastodon/environment".path];
- };
-
- systemd.services.mastodon-sidekiq-all.environment = config.networking.proxy.envVars;
-
- services.jellyfin = {
- enable = true;
- openFirewall = true;
- };
 }
diff --git a/hosts/blacksteel/services/jellyfin.nix b/hosts/blacksteel/services/jellyfin.nix
new file mode 100644
index 0000000..8379831
--- /dev/null
+++ b/hosts/blacksteel/services/jellyfin.nix
@@ -0,0 +1,6 @@
+{
+ services.jellyfin = {
+ enable = true;
+ openFirewall = true;
+ };
+}
diff --git a/hosts/blacksteel/services/mastodon.nix b/hosts/blacksteel/services/mastodon.nix
new file mode 100644
index 0000000..94e194b
--- /dev/null
+++ b/hosts/blacksteel/services/mastodon.nix
@@ -0,0 +1,37 @@
+{config, ...}: {
+ services.mastodon = {
+ enable = true;
+ localDomain = "ny4.dev";
+ streamingProcesses = 1;
+ mediaAutoRemove.olderThanDays = 14;
+ # FIXME: this doesn't exist
+ smtp = {
+ createLocally = false;
+ fromAddress = "mastodon@ny4.dev";
+ };
+ extraConfig = rec {
+ SINGLE_USER_MODE = "true";
+ WEB_DOMAIN = "mastodon.ny4.dev";
+
+ # keycloak
+ OMNIAUTH_ONLY = "true";
+ OIDC_ENABLED = "true";
+ OIDC_CLIENT_ID = "mastodon";
+ # OIDC_CLIENT_SECRET # EnvironmentFile
+ OIDC_DISCOVERY = "true";
+ OIDC_DISPLAY_NAME = "id.ny4.dev";
+ OIDC_ISSUER = "https://id.ny4.dev/realms/ny4";
+ OIDC_REDIRECT_URI = "https://${WEB_DOMAIN}/auth/auth/openid_connect/callback";
+ OIDC_SCOPE = "openid,profile,email";
+ OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
+ OIDC_UID_FIELD = "preferred_username";
+ };
+ };
+
+ systemd.services.mastodon-web = {
+ environment = config.networking.proxy.envVars;
+ serviceConfig.EnvironmentFile = [config.sops.secrets."mastodon/environment".path];
+ };
+
+ systemd.services.mastodon-sidekiq-all.environment = config.networking.proxy.envVars;
+}
diff --git a/hosts/blacksteel/services/matrix.nix b/hosts/blacksteel/services/matrix.nix
new file mode 100644
index 0000000..27326fd
--- /dev/null
+++ b/hosts/blacksteel/services/matrix.nix
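Review bot: `OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true"` is the setting that makes Mastodon accept the email claim from id.ny4.dev as already verified, which (as far as I understand Mastodon's OIDC options) is what lets a login be linked to an account by email without Mastodon's own confirmation step, and nothing in the file says why that is acceptable here. With `SINGLE_USER_MODE` and `OMNIAUTH_ONLY` set and a self-hosted realm it is a defensible choice, but the assumption belongs next to the line, e.g. `# trusted: id.ny4.dev is the only IdP and verifies email itself` (confirm the realm actually enforces email verification). `# FIXME: this doesn't exist` above `smtp` should also say what is missing — presumably a mail server for mastodon@ny4.dev — so the next reader knows whether outgoing mail is expected to work.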
@@ -0,0 +1,62 @@
+{config, ...}: {
+ services.matrix-synapse = {
+ enable = true;
+ withJemalloc = true;
+ enableRegistrationScript = false;
+ extraConfigFiles = [config.sops.secrets."synapse/secret".path];
+ settings = {
+ server_name = "ny4.dev";
+ public_baseurl = "https://matrix.ny4.dev";
+ presence.enabled = false; # tradeoff
+ listeners = [
+ {
+ path = "/run/matrix-synapse/synapse.sock";
+ type = "http";
+ resources = [
+ {
+ names = ["client" "federation"];
+ compress = true;
+ }
+ ];
+ }
+ ];
+
+ # https://element-hq.github.io/synapse/latest/openid.html#keycloak
+ oidc_providers = [
+ {
+ idp_id = "keycloak";
+ idp_name = "id.ny4.dev";
+ issuer = "https://id.ny4.dev/realms/ny4";
+ client_id = "synapse";
+ client_secret_path = config.sops.secrets."synapse/oidc".path;
+ scopes = ["openid" "profile"];
+ user_mapping_provider.config = {
+ localpart_template = "{{ user.preferred_username }}";
+ display_name_template = "{{ user.name }}";
+ };
+ backchannel_logout_enabled = true;
+ allow_existing_users = true;
+ }
+ ];
+ };
+ };
+
+ systemd.services.matrix-synapse = {
+ environment = config.networking.proxy.envVars;
+ serviceConfig.RuntimeDirectory = ["matrix-synapse"];
+ };
+
+ services.matrix-sliding-sync = {
+ enable = true;
+ environmentFile = config.sops.secrets."syncv3/environment".path;
+ settings = {
+ SYNCV3_SERVER = "/run/matrix-synapse/synapse.sock";
+ SYNCV3_BINDADDR = "/run/matrix-sliding-sync/sync.sock";
+ };
+ };
+
+ systemd.services.matrix-sliding-sync.serviceConfig = {
+ RuntimeDirectory = ["matrix-sliding-sync"];
+ SupplementaryGroups = ["matrix-synapse"];
+ };
+}
diff --git a/hosts/blacksteel/services/minecraft.nix b/hosts/blacksteel/services/minecraft.nix
new file mode 100644
index 0000000..4f1eaae
--- /dev/null
+++ b/hosts/blacksteel/services/minecraft.nix
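Review bot: `allow_existing_users = true;` in the keycloak provider lets the first OIDC login claim a pre-existing Synapse account whose localpart matches `{{ user.preferred_username }}`, so it is only safe while usernames in the ny4 realm cannot be chosen by anyone but the admin; the file does not record that assumption. A one-line comment such as `# safe only while usernames in the ny4 realm are admin-controlled` next to it would, and is worth revisiting if self-registration is ever enabled on the IdP. Likewise `presence.enabled = false; # tradeoff` should name what is traded — presumably federation and CPU load against presence updates (confirm).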
@@ -0,0 +1,54 @@
+{
+ lib,
+ pkgs,
+ ...
+}: {
+ services.minecraft-server = {
+ enable = true;
+ eula = true;
+ openFirewall = true;
+ package = pkgs.minecraftServers.vanilla-1-21;
+
+ # Aikar's flag
+ # https://aikar.co/2018/07/02/tuning-the-jvm-g1gc-garbage-collector-flags-for-minecraft/
+ # https://docs.papermc.io/paper/aikars-flags
+ jvmOpts = lib.concatStringsSep " " [
+ "-Xms2G"
+ "-Xmx2G"
+ "-XX:+UseG1GC"
+ "-XX:+ParallelRefProcEnabled"
+ "-XX:MaxGCPauseMillis=200"
+ "-XX:+UnlockExperimentalVMOptions"
+ "-XX:+DisableExplicitGC"
+ "-XX:+AlwaysPreTouch"
+ "-XX:G1NewSizePercent=30"
+ "-XX:G1MaxNewSizePercent=40"
+ "-XX:G1HeapRegionSize=8M"
+ "-XX:G1ReservePercent=20"
+ "-XX:G1HeapWastePercent=5"
+ "-XX:G1MixedGCCountTarget=4"
+ "-XX:InitiatingHeapOccupancyPercent=15"
+ "-XX:G1MixedGCLiveThresholdPercent=90"
+ "-XX:G1RSetUpdatingPauseTimePercent=5"
+ "-XX:SurvivorRatio=32"
+ "-XX:+PerfDisableSharedMem"
+ "-XX:MaxTenuringThreshold=1"
+ "-Dusing.aikars.flags=https://mcflags.emc.gs"
+ "-Daikars.new.flags=true"
+ ];
+
+ declarative = true;
+ serverProperties = {
+ motd = "NixOS Minecraft server!";
+ white-list = true;
+
+ difficulty = 3;
+ gamemode = 0;
+ max-players = 5;
+ };
+ whitelist = {
+ "Guanran928" = "86dbb6c5-8d8b-4c45-b8eb-b3fdf03bfb27";
+ "i_love_ravens" = "2788dd4b-b010-4a2f-9b5c-aad0c0e0cba5";
+ };
+ };
+}
diff --git a/hosts/blacksteel/services/qbittorrent.nix b/hosts/blacksteel/services/qbittorrent.nix
new file mode 100644
index 0000000..d1d9251
--- /dev/null
+++ b/hosts/blacksteel/services/qbittorrent.nix
@@ -0,0 +1,7 @@
+{pkgs, ...}: {
+ # TODO: https://github.com/NixOS/nixpkgs/pull/287923
+ # currently running qbittorrent-nox with tmux :c
+ environment.systemPackages = with pkgs; [
+ qbittorrent-nox
+ ];
+}
diff --git a/hosts/blacksteel/services/samba.nix b/hosts/blacksteel/services/samba.nix
new file mode 100644
index 0000000..316be04
--- /dev/null
+++ b/hosts/blacksteel/services/samba.nix
@@ -0,0 +1,25 @@
+{
+ services.samba = {
+ enable = true;
+ openFirewall = true;
+ shares = {
+ "share" = {
+ path = "/srv/samba/share";
+ "read only" = "no";
+ };
+ "external" = {
+ path = "/mnt";
+ "read only" = "no";
+ };
+ };
+ };
+
+ services.samba-wsdd = {
+ enable = true;
+ openFirewall = true;
+ };
+
+ systemd.tmpfiles.rules = [
+ "d /srv/samba/share 0755 guanranwang root"
+ ];
+}
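Review bot: The `external` share exports the whole of `/mnt` writable and, like `share`, carries no `valid users` restriction, so who may write to it is decided entirely by the global security and guest settings, which are not in this diff; with `openFirewall = true` the share is reachable from every network the host joins. Pinning both shares to the account the tmpfiles rule creates the directory for, `"valid users" = "guanranwang";`, makes the intent explicit and independent of those defaults. If the global section already disables guest access, a comment saying so on the `external` share would do instead.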