blacksteel: file structure

hosts/blacksteel/Caddyfile

@@ -2,7 +2,7 @@
 	encode zstd gzip
 	handle_path /robots.txt {
 		file_server * {
-			root /var/www/robots/robots.txt
+			root @robots@
 		}
 	}
 }

hosts/blacksteel/default.nix

@@ -1,7 +1,7 @@
 {
-  pkgs,
   lib,
   config,
+  pkgs,
   ...
 }: {
   imports = [
@@ -13,6 +13,13 @@
     # Hardware
     ./hardware-configuration.nix
     ./anti-feature.nix
+
+    # Services
+    ./services/samba.nix
+    ./services/matrix.nix
+    ./services/mastodon.nix
+    ./services/minecraft.nix
+    ./services/jellyfin.nix
   ];
 
   boot.loader.efi.canTouchEfiVariables = true;
@@ -43,9 +50,6 @@
     };
   };
 
-  ######## Services
-  environment.systemPackages = with pkgs; [qbittorrent-nox];
-
   services.tailscale = {
     enable = true;
     openFirewall = true;
@@ -70,6 +74,7 @@
     enable = true;
     configFile = pkgs.substituteAll {
       src = ./Caddyfile;
+      robots = toString ../lightsail-tokyo/robots.txt;
       inherit (pkgs) mastodon;
     };
   };
@@ -78,25 +83,10 @@
     SupplementaryGroups = ["mastodon" "matrix-synapse"];
   };
 
-  systemd.tmpfiles.settings = {
-    "10-www" = {
-      "/var/www/robots/robots.txt".C.argument = toString ../lightsail-tokyo/robots.txt;
-    };
-  };
-
   services.postgresql = {
     enable = true;
     settings = {
-      # Generated by pgTune
+      # https://pgtune.leopard.in.ua/
-      # https://pgtune.leopard.in.ua/#/
-      #
-      # DB Version: 15
-      # OS Type: linux
-      # DB Type: web
-      # Total Memory (RAM): 16 GB
-      # CPUs num: 8
-      # Data Storage: ssd
-
       max_connections = 200;
       shared_buffers = "4GB";
       effective_cache_size = "12GB";
@@ -130,180 +120,4 @@
     compression = "zstd";
     startAt = "weekly";
   };
-
-  services.minecraft-server = {
-    enable = true;
-    eula = true;
-    openFirewall = true;
-
-    package = pkgs.minecraftServers.vanilla-1-21;
-
-    # Aikar's flag
-    # https://aikar.co/2018/07/02/tuning-the-jvm-g1gc-garbage-collector-flags-for-minecraft/
-    # https://docs.papermc.io/paper/aikars-flags
-    jvmOpts = lib.concatStringsSep " " [
-      "-Xms2G"
-      "-Xmx2G"
-      "-XX:+UseG1GC"
-      "-XX:+ParallelRefProcEnabled"
-      "-XX:MaxGCPauseMillis=200"
-      "-XX:+UnlockExperimentalVMOptions"
-      "-XX:+DisableExplicitGC"
-      "-XX:+AlwaysPreTouch"
-      "-XX:G1NewSizePercent=30"
-      "-XX:G1MaxNewSizePercent=40"
-      "-XX:G1HeapRegionSize=8M"
-      "-XX:G1ReservePercent=20"
-      "-XX:G1HeapWastePercent=5"
-      "-XX:G1MixedGCCountTarget=4"
-      "-XX:InitiatingHeapOccupancyPercent=15"
-      "-XX:G1MixedGCLiveThresholdPercent=90"
-      "-XX:G1RSetUpdatingPauseTimePercent=5"
-      "-XX:SurvivorRatio=32"
-      "-XX:+PerfDisableSharedMem"
-      "-XX:MaxTenuringThreshold=1"
-      "-Dusing.aikars.flags=https://mcflags.emc.gs"
-      "-Daikars.new.flags=true"
-    ];
-
-    declarative = true;
-    serverProperties = {
-      motd = "NixOS Minecraft server!";
-      white-list = true;
-
-      difficulty = 3;
-      gamemode = 0;
-      max-players = 5;
-    };
-    whitelist = {
-      "Guanran928" = "86dbb6c5-8d8b-4c45-b8eb-b3fdf03bfb27";
-      "i_love_ravens" = "2788dd4b-b010-4a2f-9b5c-aad0c0e0cba5";
-    };
-  };
-
-  services.samba = {
-    enable = true;
-    openFirewall = true;
-    shares = {
-      "share" = {
-        path = "/srv/samba/share";
-        "read only" = "no";
-      };
-      "external" = {
-        path = "/mnt";
-        "read only" = "no";
-      };
-    };
-  };
-
-  services.samba-wsdd = {
-    enable = true;
-    openFirewall = true;
-  };
-
-  systemd.tmpfiles.rules = [
-    "d /srv/samba/share 0755 guanranwang root"
-  ];
-
-  services.matrix-synapse = {
-    enable = true;
-    withJemalloc = true;
-    enableRegistrationScript = false;
-    extraConfigFiles = [config.sops.secrets."synapse/secret".path];
-    settings = {
-      server_name = "ny4.dev";
-      public_baseurl = "https://matrix.ny4.dev";
-      presence.enabled = false; # tradeoff
-      listeners = [
-        {
-          path = "/run/matrix-synapse/synapse.sock";
-          type = "http";
-          resources = [
-            {
-              names = ["client" "federation"];
-              compress = true;
-            }
-          ];
-        }
-      ];
-
-      # https://element-hq.github.io/synapse/latest/openid.html#keycloak
-      oidc_providers = [
-        {
-          idp_id = "keycloak";
-          idp_name = "id.ny4.dev";
-          issuer = "https://id.ny4.dev/realms/ny4";
-          client_id = "synapse";
-          client_secret_path = config.sops.secrets."synapse/oidc".path;
-          scopes = ["openid" "profile"];
-          user_mapping_provider.config = {
-            localpart_template = "{{ user.preferred_username }}";
-            display_name_template = "{{ user.name }}";
-          };
-          backchannel_logout_enabled = true;
-          allow_existing_users = true;
-        }
-      ];
-    };
-  };
-
-  systemd.services.matrix-synapse = {
-    environment = config.networking.proxy.envVars;
-    serviceConfig.RuntimeDirectory = ["matrix-synapse"];
-  };
-
-  services.matrix-sliding-sync = {
-    enable = true;
-    environmentFile = config.sops.secrets."syncv3/environment".path;
-    settings = {
-      SYNCV3_SERVER = "/run/matrix-synapse/synapse.sock";
-      SYNCV3_BINDADDR = "/run/matrix-sliding-sync/sync.sock";
-    };
-  };
-
-  systemd.services.matrix-sliding-sync.serviceConfig = {
-    RuntimeDirectory = ["matrix-sliding-sync"];
-    SupplementaryGroups = ["matrix-synapse"];
-  };
-
-  services.mastodon = {
-    enable = true;
-    localDomain = "ny4.dev";
-    streamingProcesses = 1;
-    mediaAutoRemove.olderThanDays = 14;
-    # FIXME: this doesn't exist
-    smtp = {
-      createLocally = false;
-      fromAddress = "mastodon@ny4.dev";
-    };
-    extraConfig = rec {
-      SINGLE_USER_MODE = "true";
-      WEB_DOMAIN = "mastodon.ny4.dev";
-
-      # keycloak
-      OMNIAUTH_ONLY = "true";
-      OIDC_ENABLED = "true";
-      OIDC_CLIENT_ID = "mastodon";
-      # OIDC_CLIENT_SECRET # EnvironmentFile
-      OIDC_DISCOVERY = "true";
-      OIDC_DISPLAY_NAME = "id.ny4.dev";
-      OIDC_ISSUER = "https://id.ny4.dev/realms/ny4";
-      OIDC_REDIRECT_URI = "https://${WEB_DOMAIN}/auth/auth/openid_connect/callback";
-      OIDC_SCOPE = "openid,profile,email";
-      OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
-      OIDC_UID_FIELD = "preferred_username";
-    };
-  };
-
-  systemd.services.mastodon-web = {
-    environment = config.networking.proxy.envVars;
-    serviceConfig.EnvironmentFile = [config.sops.secrets."mastodon/environment".path];
-  };
-
-  systemd.services.mastodon-sidekiq-all.environment = config.networking.proxy.envVars;
-
-  services.jellyfin = {
-    enable = true;
-    openFirewall = true;
-  };
 }

hosts/blacksteel/services/jellyfin.nix

@@ -0,0 +1,6 @@
+{
+  services.jellyfin = {
+    enable = true;
+    openFirewall = true;
+  };
+}

hosts/blacksteel/services/mastodon.nix

@@ -0,0 +1,37 @@
+{config, ...}: {
+  services.mastodon = {
+    enable = true;
+    localDomain = "ny4.dev";
+    streamingProcesses = 1;
+    mediaAutoRemove.olderThanDays = 14;
+    # FIXME: this doesn't exist
+    smtp = {
+      createLocally = false;
+      fromAddress = "mastodon@ny4.dev";
+    };
+    extraConfig = rec {
+      SINGLE_USER_MODE = "true";
+      WEB_DOMAIN = "mastodon.ny4.dev";
+
+      # keycloak
+      OMNIAUTH_ONLY = "true";
+      OIDC_ENABLED = "true";
+      OIDC_CLIENT_ID = "mastodon";
+      # OIDC_CLIENT_SECRET # EnvironmentFile
+      OIDC_DISCOVERY = "true";
+      OIDC_DISPLAY_NAME = "id.ny4.dev";
+      OIDC_ISSUER = "https://id.ny4.dev/realms/ny4";
+      OIDC_REDIRECT_URI = "https://${WEB_DOMAIN}/auth/auth/openid_connect/callback";
+      OIDC_SCOPE = "openid,profile,email";
+      OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
+      OIDC_UID_FIELD = "preferred_username";
+    };
+  };
+
+  systemd.services.mastodon-web = {
+    environment = config.networking.proxy.envVars;
+    serviceConfig.EnvironmentFile = [config.sops.secrets."mastodon/environment".path];
+  };
+
+  systemd.services.mastodon-sidekiq-all.environment = config.networking.proxy.envVars;
+}

hosts/blacksteel/services/matrix.nix

@@ -0,0 +1,62 @@
+{config, ...}: {
+  services.matrix-synapse = {
+    enable = true;
+    withJemalloc = true;
+    enableRegistrationScript = false;
+    extraConfigFiles = [config.sops.secrets."synapse/secret".path];
+    settings = {
+      server_name = "ny4.dev";
+      public_baseurl = "https://matrix.ny4.dev";
+      presence.enabled = false; # tradeoff
+      listeners = [
+        {
+          path = "/run/matrix-synapse/synapse.sock";
+          type = "http";
+          resources = [
+            {
+              names = ["client" "federation"];
+              compress = true;
+            }
+          ];
+        }
+      ];
+
+      # https://element-hq.github.io/synapse/latest/openid.html#keycloak
+      oidc_providers = [
+        {
+          idp_id = "keycloak";
+          idp_name = "id.ny4.dev";
+          issuer = "https://id.ny4.dev/realms/ny4";
+          client_id = "synapse";
+          client_secret_path = config.sops.secrets."synapse/oidc".path;
+          scopes = ["openid" "profile"];
+          user_mapping_provider.config = {
+            localpart_template = "{{ user.preferred_username }}";
+            display_name_template = "{{ user.name }}";
+          };
+          backchannel_logout_enabled = true;
+          allow_existing_users = true;
+        }
+      ];
+    };
+  };
+
+  systemd.services.matrix-synapse = {
+    environment = config.networking.proxy.envVars;
+    serviceConfig.RuntimeDirectory = ["matrix-synapse"];
+  };
+
+  services.matrix-sliding-sync = {
+    enable = true;
+    environmentFile = config.sops.secrets."syncv3/environment".path;
+    settings = {
+      SYNCV3_SERVER = "/run/matrix-synapse/synapse.sock";
+      SYNCV3_BINDADDR = "/run/matrix-sliding-sync/sync.sock";
+    };
+  };
+
+  systemd.services.matrix-sliding-sync.serviceConfig = {
+    RuntimeDirectory = ["matrix-sliding-sync"];
+    SupplementaryGroups = ["matrix-synapse"];
+  };
+}

hosts/blacksteel/services/minecraft.nix

@@ -0,0 +1,54 @@
+{
+  lib,
+  pkgs,
+  ...
+}: {
+  services.minecraft-server = {
+    enable = true;
+    eula = true;
+    openFirewall = true;
+    package = pkgs.minecraftServers.vanilla-1-21;
+
+    # Aikar's flag
+    # https://aikar.co/2018/07/02/tuning-the-jvm-g1gc-garbage-collector-flags-for-minecraft/
+    # https://docs.papermc.io/paper/aikars-flags
+    jvmOpts = lib.concatStringsSep " " [
+      "-Xms2G"
+      "-Xmx2G"
+      "-XX:+UseG1GC"
+      "-XX:+ParallelRefProcEnabled"
+      "-XX:MaxGCPauseMillis=200"
+      "-XX:+UnlockExperimentalVMOptions"
+      "-XX:+DisableExplicitGC"
+      "-XX:+AlwaysPreTouch"
+      "-XX:G1NewSizePercent=30"
+      "-XX:G1MaxNewSizePercent=40"
+      "-XX:G1HeapRegionSize=8M"
+      "-XX:G1ReservePercent=20"
+      "-XX:G1HeapWastePercent=5"
+      "-XX:G1MixedGCCountTarget=4"
+      "-XX:InitiatingHeapOccupancyPercent=15"
+      "-XX:G1MixedGCLiveThresholdPercent=90"
+      "-XX:G1RSetUpdatingPauseTimePercent=5"
+      "-XX:SurvivorRatio=32"
+      "-XX:+PerfDisableSharedMem"
+      "-XX:MaxTenuringThreshold=1"
+      "-Dusing.aikars.flags=https://mcflags.emc.gs"
+      "-Daikars.new.flags=true"
+    ];
+
+    declarative = true;
+    serverProperties = {
+      motd = "NixOS Minecraft server!";
+      white-list = true;
+
+      difficulty = 3;
+      gamemode = 0;
+      max-players = 5;
+    };
+    whitelist = {
+      "Guanran928" = "86dbb6c5-8d8b-4c45-b8eb-b3fdf03bfb27";
+      "i_love_ravens" = "2788dd4b-b010-4a2f-9b5c-aad0c0e0cba5";
+    };
+  };
+}

hosts/blacksteel/services/qbittorrent.nix

@@ -0,0 +1,7 @@
+{pkgs, ...}: {
+  # TODO: https://github.com/NixOS/nixpkgs/pull/287923
+  # currently running qbittorrent-nox with tmux :c
+  environment.systemPackages = with pkgs; [
+    qbittorrent-nox
+  ];
+}

hosts/blacksteel/services/samba.nix

@@ -0,0 +1,25 @@
+{
+  services.samba = {
+    enable = true;
+    openFirewall = true;
+    shares = {
+      "share" = {
+        path = "/srv/samba/share";
+        "read only" = "no";
+      };
+      "external" = {
+        path = "/mnt";
+        "read only" = "no";
+      };
+    };
+  };
+
+  services.samba-wsdd = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  systemd.tmpfiles.rules = [
+    "d /srv/samba/share 0755 guanranwang root"
+  ];
+}