Update

averyanalex · May 25, 2024 · 6e5b082 · 6e5b082
1 parent 6cbe73b
commit 6e5b082
Show file tree

Hide file tree

Showing 46 changed files with 1,323 additions and 659 deletions.
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -4,10 +4,12 @@
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
     nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.11";
+    nixpkgs-master.url = "github:nixos/nixpkgs";
 
     nixos-hardware.url = "github:nixos/nixos-hardware";
 
     flake-utils.url = "github:numtide/flake-utils";
+    rust-overlay.url = "github:oxalica/rust-overlay";
 
     ragenix = {
       url = "github:yaxitech/ragenix";
@@ -27,12 +29,18 @@
     nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions";
     impermanence.url = "github:nix-community/impermanence";
     nur.url = "github:nix-community/NUR";
-    jupyenv.url = "github:tweag/jupyenv";
+    # jupyenv = {
+    #   url = "github:averyanalex/jupyenv";
+    #   inputs = {
+    #     # nixpkgs.follows = "nixpkgs";
+    #     # nixpkgs-stable.follows = "nixpkgs-stable";
+    #     # rust-overlay.follows = "rust-overlay";
+    #   };
+    # };
     lanzaboote.url = "github:nix-community/lanzaboote";
     mailserver = {
       url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
-      # inputs.nixpkgs-23_11.follows = "nixpkgs-stable";
-      # inputs.nixpkgs.follows = "nixpkgs";
+      inputs.nixpkgs.follows = "nixpkgs";
     };
 
     hyprland = {
@@ -48,10 +56,14 @@
       url = "github:averyanalex/blog";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    memexpert = {
+      url = "github:averyanalex/memexpert";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     cpmbot = {
       inputs.nixpkgs.follows = "nixpkgs";
       inputs.flake-utils.follows = "flake-utils";
-      url = "github:cpmbot/bot";
+      url = "github:averyanalex/matetech-answers-bot";
     };
     gayradarbot = {
       inputs.nixpkgs.follows = "nixpkgs";

diff --git a/hardware/ec2.nix b/hardware/ec2.nix
@@ -9,7 +9,7 @@
   ];
 
   config = {
-    boot.growPartition = true;
+    # boot.growPartition = true;
     fileSystems."/persist" = {
       device = "/dev/nvme0n1p2";
       fsType = "ext4";

diff --git a/machines/alligator/default.nix b/machines/alligator/default.nix
@@ -11,6 +11,7 @@
     inputs.self.nixosModules.profiles.networkd
     inputs.self.nixosModules.profiles.libvirt
     inputs.self.nixosModules.profiles.persist-yggdrasil
+    inputs.self.nixosModules.profiles.pmbootstrap
     inputs.self.nixosModules.roles.desktop
 
     ./miner.nix

diff --git a/machines/alligator/hardware.nix b/machines/alligator/hardware.nix
@@ -32,8 +32,8 @@
 
   # Screen
   environment.systemPackages = [pkgs.ddcutil];
-  boot.extraModulePackages = [config.boot.kernelPackages.ddcci-driver];
-  boot.kernelModules = ["ddcci"];
+  # boot.extraModulePackages = [config.boot.kernelPackages.ddcci-driver];
+  # boot.kernelModules = ["ddcci"];
   boot.kernelParams = [
     "video=DP-1:3440x1440@144"
   ];

diff --git a/machines/falcon/default.nix b/machines/falcon/default.nix
@@ -8,6 +8,7 @@
     inputs.self.nixosModules.hardware.aeza
 
     inputs.self.nixosModules.profiles.remote-builder-client
+    inputs.self.nixosModules.profiles.server.aplusmuz
 
     ./mounts.nix
     ./tor.nix

diff --git a/machines/grizzly/default.nix b/machines/grizzly/default.nix
@@ -15,10 +15,20 @@
   ];
 
   boot.kernel.sysctl = {
-    "net.ipv4.tcp_low_latency" = 1;
+    # "net.ipv4.tcp_low_latency" = 1;
+    "net.core.rmem_default" = 1048576;
+    "net.core.rmem_max" = 16777216;
+    "net.core.wmem_default" = 1048576;
+    "net.core.wmem_max" = 16777216;
+    "net.core.optmem_max" = 65536;
+    # "net.ipv4.tcp_rmem" = "4096 1048576 2097152";
+    "net.ipv4.tcp_rmem" = "4096 1048576 16777216";
+    "net.ipv4.tcp_wmem" = "4096 65536 16777216";
+    "net.core.netdev_max_backlog" = 16384;
+    "net.ipv4.tcp_mtu_probing" = 1;
   };
 
-  systemd.services.systemd-timesync.serviceConfig = {
+  systemd.services.systemd-timesyncd.serviceConfig = {
     CPUSchedulingPolicy = "rr";
     CPUSchedulingPriority = 60;
   };

diff --git a/machines/grizzly/influxdb.nix b/machines/grizzly/influxdb.nix
@@ -17,9 +17,6 @@
 
   services.nginx.virtualHosts."influxdb-grizzly.neutrino.su" = {
     useACMEHost = "neutrino.su";
-    forceSSL = true;
-    quic = true;
-    kTLS = true;
     locations."/".proxyPass = "http://127.0.0.1:8086";
     locations."/".proxyWebsockets = true;
   };

diff --git a/machines/hamster/default.nix b/machines/hamster/default.nix
@@ -6,6 +6,7 @@
     inputs.self.nixosModules.profiles.netman
     inputs.self.nixosModules.profiles.libvirt
     inputs.self.nixosModules.profiles.secureboot
+    inputs.self.nixosModules.profiles.pmbootstrap
     # inputs.self.nixosModules.profiles.remote-builder-client
 
     inputs.self.nixosModules.hardware.thinkbook

diff --git a/machines/hawk/default.nix b/machines/hawk/default.nix
@@ -6,12 +6,7 @@
   makeAveryanHost = proxyPass: {
     locations."/".proxyPass = proxyPass;
     locations."/".proxyWebsockets = true;
-    extraConfig = ''
-      proxy_buffering off;
-    '';
     useACMEHost = "averyan.ru";
-    forceSSL = true;
-    kTLS = true;
   };
 in {
   imports = [

diff --git a/machines/whale/cosmovert.nix b/machines/whale/cosmovert.nix
@@ -0,0 +1,76 @@
+{pkgs, ...}: let
+  dockerImage = pkgs.dockerTools.pullImage {
+    imageName = "wordpress";
+    finalImageTag = "latest";
+    imageDigest = "sha256:d2d062bf3903cd7b73442a5266acff12f00ed66b48808f9b0d269e8d775b429f";
+    sha256 = "u8P1PE8R4v6rncL8PvZktj2ExxD+TXIARg9JqIk6wY0=";
+  };
+in {
+  systemd.tmpfiles.rules = [
+    "d /persist/cosmovert 755 33 33 - -"
+  ];
+
+  services.nginx.virtualHosts."cosmovert.ru" = {
+    useACMEHost = "cosmovert.ru";
+    locations."/".proxyPass = "http://127.0.0.1:8527";
+    locations."/".proxyWebsockets = true;
+  };
+
+  # networking.firewall.interfaces."vms".allowedTCPPorts = [3306];
+
+  # containers.cosmovert = {
+  #   autoStart = true;
+  #   ephemeral = true;
+
+  #   privateNetwork = true;
+  #   hostBridge = "vms";
+  #   localAddress = "192.168.12.73/24";
+
+  #   extraFlags = ["--system-call-filter=@keyring" "--system-call-filter=bpf"];
+
+  #   bindMounts = {
+  #     "/wp-data" = {
+  #       hostPath = "/persist/cosmovert";
+  #       isReadOnly = false;
+  #     };
+  #   };
+
+  #   config = {
+  #     config,
+  #     pkgs,
+  #     ...
+  #   }: {
+  #     system.stateVersion = "24.05";
+
+  #     networking = {
+  #       defaultGateway = {
+  #         address = "192.168.12.1";
+  #         interface = "eth0";
+  #       };
+  #       firewall.enable = false;
+  #       useHostResolvConf = false;
+  #       nameservers = ["9.9.9.9" "8.8.8.8" "1.1.1.1" "77.88.8.8"];
+  #     };
+  #     services.resolved.enable = true;
+
+  virtualisation.oci-containers = {
+    containers = {
+      cosmovert-wp = {
+        image = "wordpress";
+        imageFile = dockerImage;
+        volumes = [
+          "/persist/cosmovert:/var/www/html"
+        ];
+        ports = ["127.0.0.1:8527:80"];
+        extraOptions = ["--network=slirp4netns"];
+        environment = {
+          TZ = "Europe/Moscow";
+          ENABLE_HTTPS = "true";
+        };
+      };
+    };
+    backend = "podman";
+  };
+  #   };
+  # };
+}
diff --git a/machines/whale/default.nix b/machines/whale/default.nix
@@ -10,12 +10,6 @@
   makeHost = proxyPass: {
     locations."/".proxyPass = proxyPass;
     locations."/".proxyWebsockets = true;
-    extraConfig = ''
-      proxy_buffering off;
-    '';
-    forceSSL = true;
-    quic = true;
-    kTLS = true;
   };
 
   makeAveryanHost = proxyPass: makeHost proxyPass // {useACMEHost = "averyan.ru";};
@@ -35,7 +29,7 @@ in {
     inputs.self.nixosModules.profiles.server.hass
     # inputs.self.nixosModules.profiles.server.hydra
     inputs.self.nixosModules.profiles.server.kluckva
-    inputs.self.nixosModules.profiles.server.mqtt
+    # inputs.self.nixosModules.profiles.server.mqtt
     inputs.self.nixosModules.profiles.server.mysql
     inputs.self.nixosModules.profiles.server.nginx
     inputs.self.nixosModules.profiles.server.ntfy-sh
@@ -44,7 +38,10 @@ in {
     inputs.self.nixosModules.profiles.server.forgejo
     inputs.self.nixosModules.profiles.server.searx
     inputs.self.nixosModules.profiles.server.vaultwarden
-    inputs.self.nixosModules.profiles.server.aplusmuz
+    inputs.self.nixosModules.profiles.server.matomo
+    inputs.self.nixosModules.profiles.server.qdrant
+    inputs.self.nixosModules.profiles.server.meilisearch
+    inputs.self.nixosModules.profiles.server.memexpert
 
     # inputs.self.nixosModules.profiles.libvirt
     inputs.self.nixosModules.profiles.networkd
@@ -67,9 +64,13 @@ in {
     ./i2p.nix
     ./lidarr.nix
     ./ups.nix
-    ./ipfs.nix
+    # ./ipfs.nix
     ./mail.nix
     ./matrix.nix
+    ./cosmovert.nix
+    ./webtlo.nix
+    ./dns.nix
+    ./jupyter.nix
   ];
 
   system.stateVersion = "22.05";
@@ -108,6 +109,8 @@ in {
     "search.averyan.ru" = makeAveryanHost "http://127.0.0.1:8278";
     "lidarr.averyan.ru" = makeAveryanHost "http://127.0.0.1:8686";
     "yacy.averyan.ru" = makeAveryanHost "http://whale:8627";
+    "lab.averyan.ru" = makeAveryanHost "http://127.0.0.1:8874";
+    "memexpert.xyz" = makeHost "http://127.0.0.1:3000" // {useACMEHost = "memexpert.xyz";};
 
     "git.neutrino.su" = makeHost "http://whale:3826" // {useACMEHost = "neutrino.su";};
     "bw.neutrino.su" = makeHost "http://whale:8222" // {useACMEHost = "neutrino.su";};
@@ -162,7 +165,7 @@ in {
         PoolOffset = 100;
         PoolSize = 50;
         EmitDNS = true;
-        DNS = "9.9.9.9";
+        DNS = "192.168.3.1";
       };
     };
 
@@ -216,7 +219,10 @@ in {
     };
   };
 
-  networking.firewall.allowedUDPPorts = [67 546];
+  networking.firewall = {
+    interfaces.${lan}.allowedTCPPorts = [22];
+    allowedUDPPorts = [67 546]; # DHCP
+  };
 
   age.secrets.wg-key-averyan.file = ../../secrets/wireguard/whale.age;
   networking.wireguard.interfaces = {

diff --git a/machines/whale/dns.nix b/machines/whale/dns.nix
@@ -0,0 +1,46 @@
+{
+  config,
+  lib,
+  ...
+}: {
+  services.coredns = {
+    enable = true;
+    config = let
+      nullsProxy = domain: ''
+        forward ${domain} tls://51.195.92.136 tls://54.38.198.100 tls://79.127.215.166 tls://79.127.215.167 tls://179.43.146.42 {
+          tls_servername dns.nullsproxy.com
+        }
+      '';
+      common = ''
+        errors
+        prometheus
+        cache
+        any
+        ${nullsProxy "supercell.com"}
+        ${nullsProxy "clashofclans.com"}
+        ${nullsProxy "brawlstars.com"}
+        ${nullsProxy "brawlstarsgame.com"}
+        forward . tls://1.1.1.1 tls://1.0.0.1 {
+          tls_servername cloudflare-dns.com
+          health_check 15s
+        }
+      '';
+      certDir = config.security.acme.certs."neutrino.su".directory;
+    in ''
+      . {
+        ${common}
+      }
+      tls://. {
+        tls ${certDir}/fullchain.pem ${certDir}/key.pem ${certDir}/chain.pem
+        ${common}
+      }
+    '';
+  };
+  systemd.services.coredns.serviceConfig.SupplementaryGroups = ["acme"];
+
+  networking.firewall.allowedUDPPorts = [53];
+  networking.firewall.allowedTCPPorts = [53 853];
+
+  services.resolved.enable = lib.mkForce false;
+  networking.resolvconf.useLocalResolver = true;
+}