mjallen/nix-config
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

sab

Browse Source
This commit is contained in:
mjallen18
2026-02-09 16:35:51 -06:00
parent 9ad06425c8
commit 1731647367
8 changed files with 151 additions and 80 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
homes/x86_64-linux/matt@matt-nixos/default.nix
View File

@@ -1,5 +1,4 @@
{ {
inputs,
lib, lib,
pkgs, pkgs,
namespace, namespace,

3
modules/nixos/services/arrs/default.nix
View File

@@ -81,7 +81,8 @@ let
secretFiles = [ secretFiles = [
config.sops.templates."sabnzbd.ini".path config.sops.templates."sabnzbd.ini".path
]; ];
settings = { configFile = null;
settings = lib.mkForce {
misc = { misc = {
host = "0.0.0.0"; host = "0.0.0.0";
port = 8280; port = 8280;

19
modules/nixos/services/coturn/default.nix
View File

@@ -56,17 +56,26 @@ let
''; '';
}; };
networking.firewall = { networking.firewall = {
interfaces.enp197s0 = let interfaces.enp197s0 =
range = with config.services.coturn; [ { let
range = with config.services.coturn; [
{
from = min-port; from = min-port;
to = max-port; to = max-port;
} ]; }
];
in in
{ {
allowedUDPPortRanges = range; allowedUDPPortRanges = range;
allowedUDPPorts = [ 3478 5349 ]; allowedUDPPorts = [
3478
5349
];
allowedTCPPortRanges = [ ]; allowedTCPPortRanges = [ ];
allowedTCPPorts = [ 3478 5349 ]; allowedTCPPorts = [
3478
5349
];
}; };
}; };
}; };

14
modules/nixos/services/matrix/default.nix
View File

@@ -68,7 +68,7 @@ let
settings = { settings = {
server_name = "mjallen.dev"; server_name = "mjallen.dev";
public_baseurl = "https://matrix.mjallen.dev"; public_baseurl = "https://matrix.mjallen.dev";
serve_server_wellknown = true; serve_server_wellknown = false;
listeners = [ listeners = [
{ {
@@ -106,7 +106,7 @@ let
# Registration settings # Registration settings
enable_registration = false; # Set to true initially to create admin user enable_registration = false; # Set to true initially to create admin user
enable_registration_without_verification = false; enable_registration_without_verification = lib.mkForce false;
# Media settings # Media settings
max_upload_size = "50M"; max_upload_size = "50M";
@@ -119,7 +119,10 @@ let
server_name = "matrix.org"; server_name = "matrix.org";
} }
]; ];
turn_uris = ["turn:${config.services.coturn.realm}:3478?transport=udp" "turn:${config.services.coturn.realm}:3478?transport=tcp"]; turn_uris = [
"turn:${config.services.coturn.realm}:3478?transport=udp"
"turn:${config.services.coturn.realm}:3478?transport=tcp"
];
turn_shared_secret = config.services.coturn.static-auth-secret; turn_shared_secret = config.services.coturn.static-auth-secret;
turn_user_lifetime = "1h"; turn_user_lifetime = "1h";
}; };
@@ -144,5 +147,8 @@ let
}; };
in in
{ {
imports = [ matrixConfig ]; imports = [
matrixConfig
./livekit.nix
];
} }

39
modules/nixos/services/matrix/livekit.nix
View File

@@ -1,10 +1,16 @@
{ config, lib, pkgs, ... }: {
config,
lib,
pkgs,
namespace,
...
}:
let let
cfg = config.${namespace}.services.${name}; cfg = config.${namespace}.services.matrix;
keyFile = "/run/livekit.key"; keyFile = "/run/livekit.key";
file = pkgs.writeText "file.txt" '' file = pkgs.writeText ".well-known.json" ''
{ {
"m.homeserver": { "m.homeserver": {
"base_url": "https://matrix.mjallen.dev" "base_url": "https://matrix.mjallen.dev"
@@ -24,6 +30,7 @@ let
''; '';
in in
{ {
config = lib.mkIf cfg.enable {
services.livekit = { services.livekit = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
@@ -32,11 +39,11 @@ in
}; };
services.lk-jwt-service = { services.lk-jwt-service = {
enable = true; enable = true;
port = 8585;
# can be on the same virtualHost as synapse # can be on the same virtualHost as synapse
livekitUrl = "wss://mjallen.dev/livekit/sfu"; livekitUrl = "wss://mjallen.dev/livekit/sfu";
inherit keyFile; inherit keyFile;
}; };
config = lib.mkIf cfg.enable {
# generate the key when needed # generate the key when needed
systemd.services.livekit-key = { systemd.services.livekit-key = {
before = [ before = [
@@ -58,13 +65,28 @@ in
}; };
# restrict access to livekit room creation to a homeserver # restrict access to livekit room creation to a homeserver
systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = "mjallen.dev"; systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = "mjallen.dev";
services.nginx.virtualHosts = { services.nginx = {
enable = true;
defaultHTTPListenPort = 8188;
virtualHosts = {
"matrix.mjallen.dev".locations = { "matrix.mjallen.dev".locations = {
"^~ /.well-known/matrix/client" = { "= /.well-known/matrix/client" = {
alias = file; alias = file;
extraConfig = "default_type text/plain;"; extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin "*";
'';
};
}; };
"mjallen.dev".locations = { "mjallen.dev".locations = {
"= /.well-known/matrix/client" = {
alias = file;
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin "*";
'';
};
"^~ /livekit/jwt/" = { "^~ /livekit/jwt/" = {
priority = 400; priority = 400;
proxyPass = "http://[::1]:${toString config.services.lk-jwt-service.port}/"; proxyPass = "http://[::1]:${toString config.services.lk-jwt-service.port}/";
@@ -85,6 +107,7 @@ in
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
} };
};
}; };
} }

29
modules/nixos/services/traefik/default.nix
View File

@@ -296,6 +296,11 @@ in
url = hassUrl; url = hassUrl;
} }
]; ];
nginx.loadBalancer.servers = [
{
url = "http://localhost:8188";
}
];
} }
// reverseProxyServiceConfigs; // reverseProxyServiceConfigs;
@@ -312,6 +317,30 @@ in
tls.certResolver = "letsencrypt"; tls.certResolver = "letsencrypt";
}; };
matrix2 = {
entryPoints = [ "websecure" ];
rule = "Host(`matrix.mjallen.dev`) && PathPrefix(`/.well-known/matrix/`)";
service = "nginx";
middlewares = [
"crowdsec"
"whitelist-geoblock"
];
priority = 1;
tls.certResolver = "letsencrypt";
};
matrix3 = {
entryPoints = [ "websecure" ];
rule = "Host(`mjallen.dev`) && PathPrefix(`/.well-known/matrix/`)";
service = "nginx";
middlewares = [
"crowdsec"
"whitelist-geoblock"
];
priority = 1;
tls.certResolver = "letsencrypt";
};
cache = { cache = {
entryPoints = [ "websecure" ]; entryPoints = [ "websecure" ];
rule = "Host(`cache.${domain}`)"; rule = "Host(`cache.${domain}`)";

1
packages/librepods-beta/default.nix
View File

@@ -9,7 +9,6 @@
wayland, wayland,
libxkbcommon, libxkbcommon,
libGL, libGL,
xorg,
expat, expat,
fontconfig, fontconfig,
freetype, freetype,

17
systems/x86_64-linux/jallen-nas/default.nix
View File

@@ -334,12 +334,17 @@ in
tpm2-tools tpm2-tools
tpm2-tss tpm2-tss
]; ];
# persistence."/media/nas/main/persist" = { persistence."/media/nas/main/persist" = {
# hideMounts = true; hideMounts = true;
# directories = [ directories = [
{
# ]; directory = "/var/lib/sabnzbd";
# }; user = "sabnzbd";
group = "sabnzbd";
mode = "u=rwx,g=rx,o=rx";
}
];
};
}; };
networking.firewall.checkReversePath = false; networking.firewall.checkReversePath = false;