From a658c88fc06fb1af319dffee9ce702bf028283eb Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Sun, 16 Mar 2025 15:09:01 +0000 Subject: [PATCH 1/5] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'firefox-addons': 'gitlab:rycee/nur-expressions/0b95936d94ea2a3ce66538f299351cf0b491aa15?dir=pkgs/firefox-addons' (2025-03-07) → 'gitlab:rycee/nur-expressions/5a0ac85616aa6b166ea715a41bc1255bb802b189?dir=pkgs/firefox-addons' (2025-03-16) • Updated input 'home-manager-unstable': 'github:nix-community/home-manager/95711f926676018d279ba09fe7530d03b5d5b3e2' (2025-03-07) → 'github:nix-community/home-manager/4e12151c9e014e2449e0beca2c0e9534b96a26b4' (2025-03-14) • Updated input 'lix-module': 'git+https://git.lix.systems/lix-project/nixos-module?ref=stable&rev=a3573779c9ba3d55b90aee6e9b4e70e23d34c1ba' (2025-01-18) → 'git+https://git.lix.systems/lix-project/nixos-module?ref=stable&rev=ed7a2fa83145868ecb830d6b3c73ebfd81a9e911' (2025-03-13) • Updated input 'lix-module/lix': 'https://git.lix.systems/api/v1/repos/lix-project/lix/archive/2837da71ec1588c1187d2e554719b15904a46c8b.tar.gz?narHash=sha256-CCKIAE84dzkrnlxJCKFyffAxP3yfsOAbdvydUGqq24g%3D&rev=2837da71ec1588c1187d2e554719b15904a46c8b' (2025-01-18) → 'https://git.lix.systems/api/v1/repos/lix-project/lix/archive/079528098f5998ba13c88821a2eca1005c1695de.tar.gz?narHash=sha256-pgDJZjj4jpzkFxsqBTI/9Yb0n3gW%2BDvDtuv9SwQZZcs%3D&rev=079528098f5998ba13c88821a2eca1005c1695de' (2025-01-18) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/20755fa05115c84be00b04690630cb38f0a203ad' (2025-03-07) → 'github:NixOS/nixpkgs/cdd2ef009676ac92b715ff26630164bb88fec4e0' (2025-03-13) • Updated input 'nixpkgs-small': 'github:NixOS/nixpkgs/9290fda826610430b3fc8cc98443c3a2faaaf151' (2025-03-07) → 'github:NixOS/nixpkgs/f182029bf7f08a57762b4c762d0917b6803ceff4' (2025-03-15) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/10069ef4cf863633f57238f179a0297de84bd8d3' (2025-03-06) → 
'github:NixOS/nixpkgs/c80f6a7e10b39afcc1894e02ef785b1ad0b0d7e5' (2025-03-15) • Updated input 'nixpkgs-unstable-small': 'github:NixOS/nixpkgs/f104cca31ba6c0403b678ad9428726476b503782' (2025-03-07) → 'github:NixOS/nixpkgs/f985965fff9d4e5df55df0489ef113d09a6ee08d' (2025-03-16) • Updated input 'randomcat': 'github:randomnetcat/nix-configs/814314b94a4d44197d2708d4b48d9df1d14892e2' (2025-03-07) → 'github:randomnetcat/nix-configs/a448b9a9ce66f8e1d1a1de1205f384da25574c7b' (2025-03-16) --- flake.lock | 58 +++++++++++++++++++++++++++--------------------------- 1 file changed, 29 insertions(+), 29 deletions(-) diff --git a/flake.lock b/flake.lock index 5d05a00..04db858 100644 --- a/flake.lock +++ b/flake.lock @@ -93,11 +93,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1741379467, - "narHash": "sha256-f314Ke28BGoVh4TK8FCzlPZgOl+oV7PvLyPF++ln9M4=", + "lastModified": 1742097805, + "narHash": "sha256-N3/7llBZ93Itf7ndnNtEm7lPoMqSC57B/PNaMB6cL1Q=", "owner": "rycee", "repo": "nur-expressions", - "rev": "0b95936d94ea2a3ce66538f299351cf0b491aa15", + "rev": "5a0ac85616aa6b166ea715a41bc1255bb802b189", "type": "gitlab" }, "original": { @@ -217,11 +217,11 @@ ] }, "locked": { - "lastModified": 1741378606, - "narHash": "sha256-ytDmwV93lZ1f6jswJkxEQz5cBlwje/2rH/yUZDADZNs=", + "lastModified": 1741955947, + "narHash": "sha256-2lbURKclgKqBNm7hVRtWh0A7NrdsibD0EaWhahUVhhY=", "owner": "nix-community", "repo": "home-manager", - "rev": "95711f926676018d279ba09fe7530d03b5d5b3e2", + "rev": "4e12151c9e014e2449e0beca2c0e9534b96a26b4", "type": "github" }, "original": { 
@@ -234,14 +234,14 @@ "flake": false, "locked": { "lastModified": 1737234286, - "narHash": "sha256-CCKIAE84dzkrnlxJCKFyffAxP3yfsOAbdvydUGqq24g=", - "rev": "2837da71ec1588c1187d2e554719b15904a46c8b", + "narHash": "sha256-pgDJZjj4jpzkFxsqBTI/9Yb0n3gW+DvDtuv9SwQZZcs=", + "rev": "079528098f5998ba13c88821a2eca1005c1695de", "type": "tarball", - "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/2837da71ec1588c1187d2e554719b15904a46c8b.tar.gz?rev=2837da71ec1588c1187d2e554719b15904a46c8b" + "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/079528098f5998ba13c88821a2eca1005c1695de.tar.gz?rev=079528098f5998ba13c88821a2eca1005c1695de" }, "original": { "type": "tarball", - "url": "https://git.lix.systems/lix-project/lix/archive/2.92.0.tar.gz" + "url": "https://git.lix.systems/lix-project/lix/archive/release-2.92.tar.gz" } }, "lix-module": { @@ -254,11 +254,11 @@ ] }, "locked": { - "lastModified": 1737237494, - "narHash": "sha256-YMLrcBpf0TR5r/eaqm8lxzFPap2TxCor0ZGcK3a7+b8=", + "lastModified": 1741892773, + "narHash": "sha256-8oUT6D7VlsuLkms3zBsUaPBUoxucmFq62QdtyVpjq0Y=", "ref": "stable", - "rev": "a3573779c9ba3d55b90aee6e9b4e70e23d34c1ba", - "revCount": 127, + "rev": "ed7a2fa83145868ecb830d6b3c73ebfd81a9e911", + "revCount": 130, "type": "git", "url": "https://git.lix.systems/lix-project/nixos-module" }, @@ -270,11 +270,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1741332913, - "narHash": "sha256-ri1e8ZliWS3Jnp9yqpKApHaOo7KBN33W8ECAKA4teAQ=", + "lastModified": 1741862977, + "narHash": "sha256-prZ0M8vE/ghRGGZcflvxCu40ObKaB+ikn74/xQoNrGQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "20755fa05115c84be00b04690630cb38f0a203ad", + "rev": "cdd2ef009676ac92b715ff26630164bb88fec4e0", "type": "github" }, "original": { 
@@ -301,11 +301,11 @@ }, "nixpkgs-small": { "locked": { - "lastModified": 1741318725, - "narHash": "sha256-3ShROHs7BXBDH3VNoPmbG4mL8DvRpDM8s4NxkmRVz1Q=", + "lastModified": 1742072093, + "narHash": "sha256-2aEgxL5RSzNHWFLWEUFXZhkVEYDOuVSXQBiOonzT/Kg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9290fda826610430b3fc8cc98443c3a2faaaf151", + "rev": "f182029bf7f08a57762b4c762d0917b6803ceff4", "type": "github" }, "original": { @@ -317,11 +317,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1741246872, - "narHash": "sha256-Q6pMP4a9ed636qilcYX8XUguvKl/0/LGXhHcRI91p0U=", + "lastModified": 1742069588, + "narHash": "sha256-C7jVfohcGzdZRF6DO+ybyG/sqpo1h6bZi9T56sxLy+k=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "10069ef4cf863633f57238f179a0297de84bd8d3", + "rev": "c80f6a7e10b39afcc1894e02ef785b1ad0b0d7e5", "type": "github" }, "original": { @@ -333,11 +333,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1741323510, - "narHash": "sha256-zQL0iErtVTxywxyWc7ajRmRNCncny95uD+2wmBHYOzc=", + "lastModified": 1742095305, + "narHash": "sha256-L8qjRx4MbX/juwbo8+4qYbqQy0MFUzUJLV5o8oujvaA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f104cca31ba6c0403b678ad9428726476b503782", + "rev": "f985965fff9d4e5df55df0489ef113d09a6ee08d", "type": "github" }, "original": { @@ -373,11 +373,11 @@ "randomcat": { "flake": false, "locked": { - "lastModified": 1741308008, - "narHash": "sha256-J+7n6svwbpvSoUgFfjfYNVAT50SarBYiwLgTIixjYlM=", + "lastModified": 1742090267, + "narHash": "sha256-A+pimpalPZr9Un1yJaVsc+3J71IHuAPN+NSo5MqHtzM=", "owner": "randomnetcat", "repo": "nix-configs", - "rev": "814314b94a4d44197d2708d4b48d9df1d14892e2", + "rev": "a448b9a9ce66f8e1d1a1de1205f384da25574c7b", "type": "github" }, "original": { From addbf7ac3e43d2c231deaaa35c571d22040d69b3 Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Mon, 17 Mar 2025 02:01:22 +0000 Subject: [PATCH 2/5] orm: move actual.qenya.tel -> actual.unspecified.systems --- hosts/orm/default.nix | 16 +++++++++++++++- services/actual.nix | 8 +++++--- 2 files changed, 20 insertions(+), 4 deletions(-) diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index a6f95ad..c7bbba5 100644 --- a/hosts/orm/default.nix +++ b/hosts/orm/default.nix @@ -57,7 +57,21 @@ }; networking.firewall.interfaces."wg-birdsong".allowedTCPPorts = [ 5432 ]; - qenya.services.actual.enable = true; + qenya.services.actual = { + enable = true; + domain = "actual.unspecified.systems"; + }; + + services.nginx = { + enable = true; + virtualHosts = { + "actual.qenya.tel" = { + forceSSL = true; + enableACME = true; + locations."/".return = "301 https://actual.unspecified.systems$request_uri"; + }; + }; + }; system.stateVersion = "23.11"; } diff --git a/services/actual.nix b/services/actual.nix index d5a1599..b46540e 100644 --- a/services/actual.nix +++ b/services/actual.nix @@ -1,20 +1,22 @@ { config, lib, pkgs, ... }: -with lib; let + inherit (lib) mkIf mkOption mkEnableOption types; cfg = config.qenya.services.actual; - domain = "actual.qenya.tel"; in { options.qenya.services.actual = { enable = mkEnableOption "Actual Budget"; + domain = mkOption { + type = types.str; + }; }; config = mkIf cfg.enable { services.nginx = { enable = true; virtualHosts = { - ${domain} = { + ${cfg.domain} = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:5006/"; From 55000c365a8ae372a9936ca3c5be02e66d2594ee Mon Sep 17 00:00:00 2001 
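Review bot: The new `domain` option in `options.qenya.services.actual` is declared with only `type = types.str;`, so it carries no `description` and, now that the `domain = "actual.qenya.tel";` binding is removed, no default either. I would add `description = "Domain name of the nginx virtual host that proxies to Actual Budget";` and an `example = "actual.example.org";` (constructed value) so the option documents itself like `enable` does. A host that enables the service without setting `domain` will now fail at evaluation; that looks intended, but it is worth saying in the description. The `config = mkIf cfg.enable` block continues past the end of this hunk.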
From: Katherina Walshe-Grey Date: Mon, 17 Mar 2025 02:25:28 +0000 Subject: [PATCH 3/5] web-redirect: init new service for simple domain redirects --- hosts/orm/default.nix | 11 +++-------- hosts/yevaud/default.nix | 17 +++++++---------- services/default.nix | 3 ++- services/web-redirect.nix | 30 ++++++++++++++++++++++++++++++ 4 files changed, 42 insertions(+), 19 deletions(-) create mode 100644 services/web-redirect.nix diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index c7bbba5..5814498 100644 --- a/hosts/orm/default.nix +++ b/hosts/orm/default.nix @@ -61,15 +61,10 @@ enable = true; domain = "actual.unspecified.systems"; }; - - services.nginx = { + fountain.services.web-redirect = { enable = true; - virtualHosts = { - "actual.qenya.tel" = { - forceSSL = true; - enableACME = true; - locations."/".return = "301 https://actual.unspecified.systems$request_uri"; - }; + domains = { + "actual.qenya.tel" = "actual.unspecified.systems"; }; }; diff --git a/hosts/yevaud/default.nix b/hosts/yevaud/default.nix index e028d11..9e5758a 100644 --- a/hosts/yevaud/default.nix +++ b/hosts/yevaud/default.nix @@ -40,20 +40,17 @@ enable = true; domain = "git.unspecified.systems"; }; + fountain.services.web-redirect = { + enable = true; + domains = { + "git.katherina.rocks" = "git.unspecified.systems"; + "git.qenya.tel" = "git.unspecified.systems"; + }; + }; services.nginx = { enable = true; virtualHosts = { - "git.katherina.rocks" = { - forceSSL = true; - enableACME = true; - locations."/".return = "301 https://git.unspecified.systems$request_uri"; - }; - "git.qenya.tel" = { - forceSSL = true; - enableACME = true; - locations."/".return = "301 https://git.unspecified.systems$request_uri"; - }; "birdsong.network" = { forceSSL = true; enableACME = true; diff --git a/services/default.nix b/services/default.nix index f136e92..2828a8e 100644 --- a/services/default.nix +++ b/services/default.nix 
@@ -8,5 +8,6 @@ ./navidrome.nix ./pipewire-low-latency.nix ./remote-builder.nix + ./web-redirect.nix ]; -} \ No newline at end of file +} diff --git a/services/web-redirect.nix b/services/web-redirect.nix new file mode 100644 index 0000000..92b9c5a --- /dev/null +++ b/services/web-redirect.nix @@ -0,0 +1,30 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) mkIf mkOption mkEnableOption types; + cfg = config.fountain.services.web-redirect; +in +{ + options.fountain.services.web-redirect = { + enable = mkEnableOption "Module to do simple 301 redirects from one domain to another"; + domains = mkOption { + type = types.attrsOf types.str; + description = "Mapping from source domain to destination domain"; + }; + }; + + config = mkIf cfg.enable { + services.nginx = { + enable = true; + virtualHosts = builtins.mapAttrs + (name: value: { + forceSSL = true; + enableACME = true; + locations."/".return = "301 https://${value}$request_uri"; + }) + cfg.domains; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; + }; +} From d8e85815bde493b6ffa7ca1569eb2034d119cc48 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 17 Mar 2025 02:57:15 +0000 Subject: [PATCH 4/5] users: custom property to define users with root --- common/users/default.nix | 24 +++++++++++++++++++++++- hosts/elucredassa/default.nix | 2 +- hosts/kalessin/default.nix | 2 +- hosts/kilgharrah/default.nix | 2 +- hosts/orm/default.nix | 2 +- hosts/tohru/default.nix | 2 +- hosts/yevaud/default.nix | 2 +- 7 files changed, 29 insertions(+), 7 deletions(-) diff --git a/common/users/default.nix b/common/users/default.nix index d9c87e6..2a4c5b3 100644 --- a/common/users/default.nix +++ b/common/users/default.nix @@ -1,3 +1,9 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) mkIf mkOption types genAttrs; + cfg = config.fountain; +in { # TODO: consider DRY-ing these imports = [ 
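Review bot: In `services/web-redirect.nix` each destination is spliced straight into the nginx directive by `locations."/".return = "301 https://${value}$request_uri";`, while the option only requires `types.attrsOf types.str`. A value with a scheme, a path, whitespace or a `;` would therefore produce a malformed redirect target or extra nginx configuration instead of an evaluation error. Constraining the value type catches that at build time, for example `type = types.attrsOf (types.strMatching "[A-Za-z0-9.-]+");`. As a smaller style point, the `name` argument of the `mapAttrs` lambda is unused and could be written `_`, and `pkgs` is taken in the module arguments but not used in this file.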
@@ -7,5 +13,21 @@ ./trungle.nix ]; - users.mutableUsers = false; + options.fountain = { + admins = mkOption { + type = types.listOf types.str; + default = [ ]; + description = "List of users who should have root on this system"; + }; + }; + + config = { + users.mutableUsers = false; + + users.users = genAttrs cfg.admins + (name: { + extraGroups = [ "wheel" ]; + } + ); + }; } diff --git a/hosts/elucredassa/default.nix b/hosts/elucredassa/default.nix index e4a517a..97aba67 100644 --- a/hosts/elucredassa/default.nix +++ b/hosts/elucredassa/default.nix @@ -37,7 +37,7 @@ in }; fountain.users.qenya.enable = true; - users.users.qenya.extraGroups = [ "wheel" ]; + fountain.admins = [ "qenya" ]; system.stateVersion = "24.11"; } diff --git a/hosts/kalessin/default.nix b/hosts/kalessin/default.nix index 473f587..65a0ced 100644 --- a/hosts/kalessin/default.nix +++ b/hosts/kalessin/default.nix @@ -15,7 +15,7 @@ in networking.domain = "birdsong.network"; fountain.users.qenya.enable = true; - users.users.qenya.extraGroups = [ "wheel" ]; + fountain.admins = [ "qenya" ]; fountain.users.randomcat.enable = true; fountain.users.trungle.enable = true; diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index f9f4600..96542d0 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -32,7 +32,7 @@ in fountain.users.qenya.enable = true; age.secrets.user-password-kilgharrah-qenya.file = ../../secrets/user-password-kilgharrah-qenya.age; users.users.qenya.hashedPasswordFile = config.age.secrets.user-password-kilgharrah-qenya.path; - users.users.qenya.extraGroups = [ "wheel" ]; + fountain.admins = [ "qenya" ]; home-manager.users.qenya = { pkgs, ... }: { home.packages = with pkgs; [ obs-studio ]; # For the moment, this hosts some network-accessible services, so we want it on 24/7 diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index 5814498..f5aa5fd 100644 --- a/hosts/orm/default.nix +++ b/hosts/orm/default.nix 
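Review bot: Nothing in `common/users/default.nix` ties an entry of `fountain.admins` to an account this repository defines: `genAttrs cfg.admins` attaches `wheel` to `users.users.<name>` for any string. A misspelt or stale name is then caught, if at all, only by unrelated NixOS user checks and with a message that does not mention `fountain.admins`. Since the hosts already enable accounts through `fountain.users.<name>.enable`, an assertion that every admin is one of those enabled users would keep the grant of root explicit and auditable; the shape of `fountain.users` beyond `.enable` is not visible here, so the sketch below guards the lookup with `or false`. Separately, `mkIf` and `pkgs` are brought into scope in the first hunk but are not used in the lines shown.

```nix
  config = {
    # … unchanged: users.mutableUsers, users.users = genAttrs cfg.admins …
    assertions = map
      (name: {
        assertion = config.fountain.users.${name}.enable or false;
        message = "fountain.admins: '${name}' is not an enabled fountain.users entry";
      })
      cfg.admins;
  };
```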
@@ -12,7 +12,7 @@ networking.domain = "birdsong.network"; fountain.users.qenya.enable = true; - users.users.qenya.extraGroups = [ "wheel" ]; + fountain.admins = [ "qenya" ]; qenya.base-server.enable = true; qenya.services.distributed-builds = { diff --git a/hosts/tohru/default.nix b/hosts/tohru/default.nix index 3bb4c52..dd1f21f 100644 --- a/hosts/tohru/default.nix +++ b/hosts/tohru/default.nix @@ -31,10 +31,10 @@ in nix.optimise.automatic = mkForce false; fountain.users.qenya.enable = true; + fountain.admins = [ "qenya" ]; age.secrets.user-password-tohru-qenya.file = ../../secrets/user-password-tohru-qenya.age; users.users.qenya.hashedPasswordFile = config.age.secrets.user-password-tohru-qenya.path; users.users.qenya.extraGroups = [ - "wheel" # sudo "networkmanager" # UI wifi configuration "dialout" # access to serial ports ]; diff --git a/hosts/yevaud/default.nix b/hosts/yevaud/default.nix index 9e5758a..b93c14b 100644 --- a/hosts/yevaud/default.nix +++ b/hosts/yevaud/default.nix @@ -16,7 +16,7 @@ networking.domain = "birdsong.network"; fountain.users.qenya.enable = true; - users.users.qenya.extraGroups = [ "wheel" ]; + fountain.admins = [ "qenya" ]; qenya.base-server.enable = true; qenya.services.distributed-builds = { From 52e3168f8d66378f03112a1b24f4c2e2d4e5b349 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 17 Mar 2025 03:00:24 +0000 Subject: [PATCH 5/5] pipewire-low-latency: Remove Not sure it every really did anything useful, and even if it did, my current streaming setup doesn't need it any more --- hosts/kilgharrah/default.nix | 2 -- services/default.nix | 1 - services/pipewire-low-latency.nix | 58 ------------------------------- 3 files changed, 61 deletions(-) delete mode 100644 services/pipewire-low-latency.nix diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index 96542d0..c73d439 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix 
@@ -27,8 +27,6 @@ in console.keyMap = "uk"; services.xserver.xkb.layout = "gb"; - qenya.services.pipewire.lowLatency.enable = true; - fountain.users.qenya.enable = true; age.secrets.user-password-kilgharrah-qenya.file = ../../secrets/user-password-kilgharrah-qenya.age; users.users.qenya.hashedPasswordFile = config.age.secrets.user-password-kilgharrah-qenya.path; diff --git a/services/default.nix b/services/default.nix index 2828a8e..9a3f8cb 100644 --- a/services/default.nix +++ b/services/default.nix @@ -6,7 +6,6 @@ ./forgejo.nix ./jellyfin.nix ./navidrome.nix - ./pipewire-low-latency.nix ./remote-builder.nix ./web-redirect.nix ]; diff --git a/services/pipewire-low-latency.nix b/services/pipewire-low-latency.nix deleted file mode 100644 index 0ba2709..0000000 --- a/services/pipewire-low-latency.nix +++ /dev/null 
@@ -1,58 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - inherit (lib) mkIf mkEnableOption; - cfg = config.qenya.services.pipewire.lowLatency; -in -{ - options.qenya.services.pipewire.lowLatency = { - enable = mkEnableOption "config to decrease sound latency (increasing CPU load) for e.g. streaming"; - # TODO: might be an idea to have the numbers be configurable - }; - - config = mkIf cfg.enable { - # TODO: needs more testing - services.pipewire.extraConfig = { - pipewire."92-low-latency" = { - context.properties = { - default.clock.rate = 48000; - default.clock.quantum = 32; - default.clock.min-quantum = 32; - default.clock.max-quantum = 32; - }; - }; - pipewire-pulse."92-low-latency" = { - context.modules = [ - { - name = "libpipewire-module-protocol-pulse"; - args = { - pulse.min.req = "32/48000"; - pulse.default.req = "32/48000"; - pulse.max.req = "32/48000"; - pulse.min.quantum = "32/48000"; - pulse.max.quantum = "32/48000"; - }; - } - ]; - stream.properties = { - node.latency = "32/48000"; - resample.quality = 1; - }; - }; - }; - # Available from NixOS 24.11. Lifted from https://nixos.wiki/wiki/PipeWire - probably need to adjust numbers - # services.pipewire.wireplumber.extraLuaConfig.main."99-alsa-lowlatency" = '' - # alsa_monitor.rules = { - # { - # matches = {{{ "node.name", "matches", "alsa_output.*" }}}; - # apply_properties = { - # ["audio.format"] = "S32LE", - # ["audio.rate"] = "96000", -- for USB soundcards it should be twice your desired rate - # ["api.alsa.period-size"] = 2, -- defaults to 1024, tweak by trial-and-error - # -- ["api.alsa.disable-batch"] = true, -- generally, USB soundcards use the batch mode - # }, - # }, - # } - # ''; - }; -}