Specify default locale and encoding for postgresql

Flake lock file updates:

• Updated input 'disko':
    'github:nix-community/disko/64679cd7f318c9b6595902b47d4585b1d51d5f9e' (2024-07-04)
  → 'github:nix-community/disko/f1a00e7f55dc266ef286cc6fc8458fa2b5ca2414' (2024-07-08)
• Updated input 'nixos-hardware':
    'github:NixOS/nixos-hardware/6e253f12b1009053eff5344be5e835f604bb64cd' (2024-07-02)
  → 'github:NixOS/nixos-hardware/da0aa7b533d49e6319c603e07b46a5690082f65f' (2024-07-07)
• Updated input 'plasma-manager':
    'github:nix-community/plasma-manager/14a12e744c9a6f420598c306869ebad8071e99d1' (2024-07-07)
  → 'github:nix-community/plasma-manager/995d818078778b366e6302ea32d83c2ba586e015' (2024-07-07)

flake.lock

@@ -8,11 +8,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1716561646,
+        "lastModified": 1718371084,
-        "narHash": "sha256-UIGtLO89RxKt7RF2iEgPikSdU53r6v/6WYB0RW3k89I=",
+        "narHash": "sha256-abpBi61mg0g+lFFU0zY4C6oP6fBwPzbHPKBGw676xsA=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "c2fc0762bbe8feb06a2e59a364fa81b3a57671c9",
+        "rev": "3a56735779db467538fb2e577eda28a9daacaca6",
         "type": "github"
       },
       "original": {
@@ -66,11 +66,11 @@
         "utils": "utils"
       },
       "locked": {
-        "lastModified": 1715699772,
+        "lastModified": 1718194053,
-        "narHash": "sha256-sKhqIgucN5sI/7UQgBwsonzR4fONjfMr9OcHK/vPits=",
+        "narHash": "sha256-FaGrf7qwZ99ehPJCAwgvNY5sLCqQ3GDiE/6uLhxxwSY=",
         "owner": "serokell",
         "repo": "deploy-rs",
-        "rev": "b3ea6f333f9057b77efd9091119ba67089399ced",
+        "rev": "3867348fa92bc892eba5d9ddb2d7a97b9e127a8a",
         "type": "github"
       },
       "original": {
@@ -88,11 +88,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1713532798,
+        "lastModified": 1717408969,
-        "narHash": "sha256-wtBhsdMJA3Wa32Wtm1eeo84GejtI43pMrFrmwLXrsEc=",
+        "narHash": "sha256-Q0OEFqe35fZbbRPPRdrjTUUChKVhhWXz3T9ZSKmaoVY=",
         "owner": "numtide",
         "repo": "devshell",
-        "rev": "12e914740a25ea1891ec619bb53cf5e6ca922e40",
+        "rev": "1ebbe68d57457c8cae98145410b164b5477761f4",
         "type": "github"
       },
       "original": {
@@ -108,11 +108,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1717177033,
+        "lastModified": 1720402389,
-        "narHash": "sha256-G3CZJafCO8WDy3dyA2EhpUJEmzd5gMJ2IdItAg0Hijw=",
+        "narHash": "sha256-zJv6euDOrJWMHBhxfp/ay+Dvjwpe8YtMuEI5b09bxmo=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "0274af4c92531ebfba4a5bd493251a143bc51f3c",
+        "rev": "f1a00e7f55dc266ef286cc6fc8458fa2b5ca2414",
         "type": "github"
       },
       "original": {
@@ -124,11 +124,11 @@
     "firefox-gnome-theme": {
       "flake": false,
       "locked": {
-        "lastModified": 1716813977,
+        "lastModified": 1719758591,
-        "narHash": "sha256-8fabA8OY1n2OcJFbbE03+bMydVANSBrNGo8hkzhXxxU=",
+        "narHash": "sha256-3DE/UnxJxRWjtWPZuuiT3TIG7HrHf+srpmiCTFkrAQs=",
         "owner": "rafaelmardojai",
         "repo": "firefox-gnome-theme",
-        "rev": "8171c0578feb835ce66d49edba7429f46b7ac3f6",
+        "rev": "8fb5267c5b3434f76983e29749aba7cd636e03ca",
         "type": "github"
       },
       "original": {
@@ -207,11 +207,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1715865404,
+        "lastModified": 1719994518,
-        "narHash": "sha256-/GJvTdTpuDjNn84j82cU6bXztE0MSkdnTWClUCRub78=",
+        "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "8dc45382d5206bd292f9c2768b8058a8fd8311d9",
+        "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
         "type": "github"
       },
       "original": {
@@ -220,21 +220,6 @@
         "type": "github"
       }
     },
-    "flake-root": {
-      "locked": {
-        "lastModified": 1713493429,
-        "narHash": "sha256-ztz8JQkI08tjKnsTpfLqzWoKFQF4JGu2LRz8bkdnYUk=",
-        "owner": "srid",
-        "repo": "flake-root",
-        "rev": "bc748b93b86ee76e2032eecda33440ceb2532fcd",
-        "type": "github"
-      },
-      "original": {
-        "owner": "srid",
-        "repo": "flake-root",
-        "type": "github"
-      }
-    },
     "flake-utils": {
       "inputs": {
         "systems": "systems_4"
@@ -267,11 +252,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1716213921,
+        "lastModified": 1719259945,
-        "narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=",
+        "narHash": "sha256-F1h+XIsGKT9TkGO3omxDLEb/9jOOsI6NnzsXFsZhry4=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0",
+        "rev": "0ff4381bbb8f7a52ca4a851660fc7a437a4c6e07",
         "type": "github"
       },
       "original": {
@@ -283,11 +268,11 @@
     "gitea-github-theme": {
       "flake": false,
       "locked": {
-        "lastModified": 1715978309,
+        "lastModified": 1717248105,
-        "narHash": "sha256-L9FYLtrK8Lm/wBeafb6eTRL5l2BYov6X6nJOL6rYZvY=",
+        "narHash": "sha256-BwSsIkl7DpN/c8HNXOh2aKjOuPmFsGybv4RegOC7Xq0=",
         "ref": "main",
-        "rev": "1b61f3f5cb38a1198d0a525d059a5a1905f2cfca",
+        "rev": "4f829f88e6f443ff048c4d337bd010315aa4b50a",
-        "revCount": 96,
+        "revCount": 101,
         "type": "git",
         "url": "ssh://git@git.vimium.com/jordan/gitea-github-theme.git"
       },
@@ -347,11 +332,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1716736833,
+        "lastModified": 1720042825,
-        "narHash": "sha256-rNObca6dm7Qs524O4st8VJH6pZ/Xe1gxl+Rx6mcWYo0=",
+        "narHash": "sha256-A0vrUB6x82/jvf17qPCpxaM+ulJnD8YZwH9Ci0BsAzE=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "a631666f5ec18271e86a5cde998cba68c33d9ac6",
+        "rev": "e1391fb22e18a36f57e6999c7a9f966dc80ac073",
         "type": "github"
       },
       "original": {
@@ -369,19 +354,36 @@
         ]
       },
       "locked": {
-        "lastModified": 1717052710,
+        "lastModified": 1720042825,
-        "narHash": "sha256-LRhOxzXmOza5SymhOgnEzA8EAQp+94kkeUYWKKpLJ/U=",
+        "narHash": "sha256-A0vrUB6x82/jvf17qPCpxaM+ulJnD8YZwH9Ci0BsAzE=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "29c69d9a466e41d46fd3a7a9d0591ef9c113c2ae",
+        "rev": "e1391fb22e18a36f57e6999c7a9f966dc80ac073",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
+        "ref": "release-24.05",
         "repo": "home-manager",
         "type": "github"
       }
     },
+    "kvlibadwaita": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1710621848,
+        "narHash": "sha256-xBl6zmpqTAH5MIT5iNAdW6kdOcB5MY0Dtrb95hdYpwA=",
+        "owner": "GabePoel",
+        "repo": "KvLibadwaita",
+        "rev": "87c1ef9f44ec48855fd09ddab041007277e30e37",
+        "type": "github"
+      },
+      "original": {
+        "owner": "GabePoel",
+        "repo": "KvLibadwaita",
+        "type": "github"
+      }
+    },
     "nix-darwin": {
       "inputs": {
         "nixpkgs": [
@@ -390,11 +392,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1716993688,
+        "lastModified": 1719845423,
-        "narHash": "sha256-vo5k2wQekfeoq/2aleQkBN41dQiQHNTniZeVONWiWLs=",
+        "narHash": "sha256-ZLHDmWAsHQQKnmfyhYSHJDlt8Wfjv6SQhl2qek42O7A=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "c0d5b8c54d6828516c97f6be9f2d00c63a363df4",
+        "rev": "ec12b88104d6c117871fad55e931addac4626756",
         "type": "github"
       },
       "original": {
@@ -405,11 +407,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1716987116,
+        "lastModified": 1720372297,
-        "narHash": "sha256-uuEkErFVsFdg2K0cKbNQ9JlFSAm/xYqPr4rbPLI91Y8=",
+        "narHash": "sha256-bwy1rPQSQSCj/TNf1yswHW88nBQYvJQkeScGvOA8pd4=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "8251761f93d6f5b91cee45ac09edb6e382641009",
+        "rev": "da0aa7b533d49e6319c603e07b46a5690082f65f",
         "type": "github"
       },
       "original": {
@@ -425,18 +427,20 @@
         "nixpkgs": [
           "nixpkgs"
         ],
+        "nixpkgs-24_05": "nixpkgs-24_05",
         "utils": "utils_2"
       },
       "locked": {
-        "lastModified": 1714720456,
+        "lastModified": 1718084203,
-        "narHash": "sha256-e0WFe1BHqX23ADpGBc4ZRu38Mg+GICCZCqyS6EWCbHc=",
+        "narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=",
         "owner": "simple-nixos-mailserver",
         "repo": "nixos-mailserver",
-        "rev": "41059fc548088e49e3ddb3a2b4faeb5de018e60f",
+        "rev": "29916981e7b3b5782dc5085ad18490113f8ff63b",
         "type": "gitlab"
       },
       "original": {
         "owner": "simple-nixos-mailserver",
+        "ref": "nixos-24.05",
         "repo": "nixos-mailserver",
         "type": "gitlab"
       }
@@ -457,13 +461,28 @@
         "type": "github"
       }
     },
-    "nixpkgs-unstable": {
+    "nixpkgs-24_05": {
       "locked": {
-        "lastModified": 1716948383,
+        "lastModified": 1717144377,
-        "narHash": "sha256-SzDKxseEcHR5KzPXLwsemyTR/kaM9whxeiJohbL04rs=",
+        "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "ad57eef4ef0659193044870c731987a6df5cf56b",
+        "rev": "805a384895c696f802a9bf5bf4720f37385df547",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-24.05",
+        "type": "indirect"
+      }
+    },
+    "nixpkgs-unstable": {
+      "locked": {
+        "lastModified": 1720031269,
+        "narHash": "sha256-rwz8NJZV+387rnWpTYcXaRNvzUSnnF9aHONoJIYmiUQ=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "9f4128e00b0ae8ec65918efeba59db998750ead6",
         "type": "github"
       },
       "original": {
@@ -490,11 +509,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1717144377,
+        "lastModified": 1720244366,
-        "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
+        "narHash": "sha256-WrDV0FPMVd2Sq9hkR5LNHudS3OSMmUrs90JUTN+MXpA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "805a384895c696f802a9bf5bf4720f37385df547",
+        "rev": "49ee0e94463abada1de470c9c07bfc12b36dcf40",
         "type": "github"
       },
       "original": {
@@ -508,7 +527,6 @@
         "devshell": "devshell",
         "flake-compat": "flake-compat_3",
         "flake-parts": "flake-parts",
-        "flake-root": "flake-root",
         "git-hooks": "git-hooks",
         "home-manager": "home-manager_3",
         "nix-darwin": "nix-darwin",
@@ -518,19 +536,43 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1717188043,
+        "lastModified": 1720296628,
-        "narHash": "sha256-qg8Tq7OcKtc0BS4RVUYrMZ+KofgMv6DiXOnqz7TN8CA=",
+        "narHash": "sha256-v42XPTrP7oJSAFhn9zJVvPc1DbPVW/Id6J8/eKCY9oo=",
         "owner": "nix-community",
         "repo": "nixvim",
-        "rev": "1bbd58b6b293840716355e63fb3d5aa5af00d389",
+        "rev": "a53fa82a0564d3fe94a89c1dd53b703c3c67d1cd",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
+        "ref": "nixos-24.05",
         "repo": "nixvim",
         "type": "github"
       }
     },
+    "plasma-manager": {
+      "inputs": {
+        "home-manager": [
+          "home-manager"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1720369165,
+        "narHash": "sha256-MLRzgdEEmckPVwwllD8+4zkqnnxfMgFw5zk6O3JUiks=",
+        "owner": "nix-community",
+        "repo": "plasma-manager",
+        "rev": "995d818078778b366e6302ea32d83c2ba586e015",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "plasma-manager",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
         "agenix": "agenix",
@@ -539,11 +581,13 @@
         "firefox-gnome-theme": "firefox-gnome-theme",
         "gitea-github-theme": "gitea-github-theme",
         "home-manager": "home-manager_2",
+        "kvlibadwaita": "kvlibadwaita",
         "nixos-hardware": "nixos-hardware",
         "nixos-mailserver": "nixos-mailserver",
         "nixpkgs": "nixpkgs_3",
         "nixpkgs-unstable": "nixpkgs-unstable",
         "nixvim": "nixvim",
+        "plasma-manager": "plasma-manager",
         "secrets": "secrets",
         "thunderbird-gnome-theme": "thunderbird-gnome-theme"
       }
@@ -551,11 +595,11 @@
     "secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1716018239,
+        "lastModified": 1720459643,
-        "narHash": "sha256-Ai13Sbj4DzuQSIrX2rjO0PG6PPpmvfwbCpTxX0kB7FI=",
+        "narHash": "sha256-X71/NplPXPe9pCvrd9ELpnYBEYtju4+x3LA7S5I1GXM=",
         "ref": "refs/heads/master",
-        "rev": "c2adb575ca3a816287c7d8f3c23cde6dfd316e6f",
+        "rev": "f8d68b934f4380ecbc6365b4ef7f7c632833d1aa",
-        "revCount": 19,
+        "revCount": 21,
         "type": "git",
         "url": "ssh://git@git.vimium.com/jordan/nix-secrets.git"
       },
@@ -648,11 +692,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1715940852,
+        "lastModified": 1719887753,
-        "narHash": "sha256-wJqHMg/K6X3JGAE9YLM0LsuKrKb4XiBeVaoeMNlReZg=",
+        "narHash": "sha256-p0B2r98UtZzRDM5miGRafL4h7TwGRC4DII+XXHDHqek=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "2fba33a182602b9d49f0b2440513e5ee091d838b",
+        "rev": "bdb6355009562d8f9313d9460c0d3860f525bc6c",
         "type": "github"
       },
       "original": {

flake.nix

@@ -23,15 +23,24 @@
       url = "git+ssh://git@git.vimium.com/jordan/gitea-github-theme.git?ref=main";
       flake = false;
     };
+    kvlibadwaita = {
+      url = "github:GabePoel/KvLibadwaita";
+      flake = false;
+    };
     nixos-hardware.url = "github:NixOS/nixos-hardware";
     nixos-mailserver = {
-      url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
+      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     nixvim = {
-      url = "github:nix-community/nixvim";
+      url = "github:nix-community/nixvim/nixos-24.05";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    plasma-manager = {
+      url = "github:nix-community/plasma-manager";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.home-manager.follows = "home-manager";
+    };
     secrets = {
       url = "git+ssh://git@git.vimium.com/jordan/nix-secrets.git";
       flake = false;
@@ -42,7 +51,7 @@
     };
   };
 
-  outputs = inputs @ { self, nixpkgs, nixpkgs-unstable, agenix, deploy-rs, disko, home-manager, nixos-hardware, nixos-mailserver, secrets, ... }:
+  outputs = inputs @ { self, nixpkgs, nixpkgs-unstable, agenix, deploy-rs, disko, home-manager, nixos-hardware, nixos-mailserver, ... }:
     let
       mkPkgsForSystem = system: inputs.nixpkgs;
       overlays = [
@@ -77,6 +86,7 @@
                 nixpkgs.pkgs = import nixpkgs {
                   inherit overlays system;
                   config.allowUnfree = true;
+                  config.nvidia.acceptLicense = true;
                 };
                 networking.hostName = name;
               })

hosts/atlas/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, ... }:
 
 {
   imports = [
@@ -16,6 +16,9 @@
     networkmanager.enable = true;
   };
 
+  virtualisation.virtualbox.host.enable = true;
+  users.extraGroups.vboxusers.members = [ "jordan" ];
+
   modules = {
     desktop = {
       apps = {

hosts/desktop.nix

@@ -30,6 +30,7 @@
       "nocto"
       "ro"
       "x-systemd.automount"
+      "x-systemd.requires=tailscaled.service"
       "noauto"
     ];
   };

hosts/hypnos/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, ... }:
 
 {
   imports = [
@@ -14,13 +14,26 @@
 
   networking.hostId = "cf791898";
 
+  # nvidia 470 driver doesn't work with Wayland
+  services = {
+    xserver = {
+      displayManager.gdm.wayland = lib.mkForce false;
+      videoDrivers = [ "nvidia" ];
+    };
+    displayManager = {
+      defaultSession = if config.modules.desktop.kde.enable then "plasmax11" else "gnome-xorg";
+      sddm.wayland.enable = lib.mkForce false;
+    };
+  };
+
+  # Workaround for label rendering bug in GTK4 with nvidia 470 driver
+  environment.sessionVariables.GSK_RENDERER = "gl";
+
   modules = {
     desktop = {
       browsers = {
         firefox.enable = true;
       };
-      gnome.enable = lib.mkForce false;
-      kde.enable = true;
       media.recording = {
         audio.enable = true;
       };

hosts/hypnos/hardware-configuration.nix

@@ -8,13 +8,10 @@
   boot = {
     initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
     kernelModules = [ "applesmc" "kvm-intel" "wl" ];
-    kernelPatches = [
+    extraModulePackages = [
-      {
+      config.boot.kernelPackages.broadcom_sta
-        name = "spoof-mac-os-x";
+      config.boot.kernelPackages.nvidiaPackages.legacy_470
-        patch = ./0001-Add-apple_set_os-EFI-boot-service.patch;
-      }
     ];
-    extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ];
   };
 
   networking.useDHCP = lib.mkDefault true;
@@ -23,19 +20,19 @@
 
   hardware = {
     cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+    nvidia = {
+      package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
+      modesetting.enable = true;
+      powerManagement.enable = true;
+    };
     opengl = {
       enable = true;
       extraPackages = with pkgs; [
-        intel-vaapi-driver
-        intel-media-driver
         libvdpau-va-gl
       ];
       driSupport = true;
+      driSupport32Bit = true;
     };
   };
-
-  environment.variables = {
-    VDPAU_DRIVER = "va_gl";
-  };
 }
 

hosts/library/default.nix

@@ -1,6 +1,5 @@
-{ config, lib, pkgs, ... }:
+{ config, pkgs, ... }:
 
-with lib.my;
 {
   imports = [
     ./hardware-configuration.nix
@@ -22,7 +21,6 @@ with lib.my;
         22  # SSH
       ];
     };
-    networkmanager.enable = true;
   };
 
   services.zfs = {
@@ -44,6 +42,17 @@ with lib.my;
     enable = true;
   };
 
+  services.grafana = {
+    enable = true;
+    settings = {
+      server = {
+        domain = "library.mesh.vimium.net";
+        http_addr = "0.0.0.0";
+        http_port = 3000;
+      };
+    };
+  };
+
   services.prometheus = {
     enable = true;
     port = 9001;
@@ -60,7 +69,7 @@ with lib.my;
     };
     scrapeConfigs = [
       {
-        job_name = "library";
+        job_name = "node";
         static_configs = [{
           targets = [
             "127.0.0.1:${toString config.services.prometheus.exporters.node.port}"
@@ -146,7 +155,19 @@ with lib.my;
     };
   };
 
-  services.jellyfin.enable = true;
+  hardware.opengl = {
+    enable = true;
+    extraPackages = with pkgs; [
+      vaapiVdpau
+    ];
+    driSupport = true;
+  };
+  users.users.jellyfin.extraGroups = [ "video" "render" ];
+  services.jellyfin = {
+    enable = true;
+    cacheDir = "/var/cache/jellyfin";
+    dataDir = "/var/lib/jellyfin";
+  };
 
   modules = {
     podman.enable = true;
@@ -160,6 +181,7 @@ with lib.my;
       borgmatic = {
         enable = true;
         directories = [
+          config.services.jellyfin.dataDir
           "/home/jordan"
         ];
         repoPath = "ssh://b61758r4@b61758r4.repo.borgbase.com/./repo";

hosts/odyssey/default.nix

@@ -67,6 +67,7 @@
         audio.enable = true;
         video.enable = true;
       };
+      office.libreoffice.enable = true;
     };
     dev = {
       node.enable = true;

hosts/odyssey/hardware-configuration.nix

@@ -19,6 +19,7 @@
     cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
     nvidia = {
       modesetting.enable = true;
+      package = config.boot.kernelPackages.nvidiaPackages.beta;
       powerManagement.enable = true;
     };
   };

hosts/server.nix

@@ -18,13 +18,13 @@
         webroot = "/var/lib/acme/acme-challenge";
       };
     };
-    auditd.enable = true;
+    # auditd.enable = true;
-    audit = {
+    # audit = {
-      enable = true;
+    #   enable = true;
-      rules = [
+    #   rules = [
-        "-a exit,always -F arch=b64 -S execve"
+    #     "-a exit,always -F arch=b64 -S execve"
-      ];
+    #   ];
-    };
+    # };
   };
 
   systemd = {

hosts/vps1/default.nix

@@ -1,4 +1,7 @@
-{ config, lib, pkgs, inputs, ... }:
+{
+  lib,
+  ...
+}:
 
 {
   imports = [
@@ -40,7 +43,8 @@
 
   services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
 
-  modules = {
+  modules = rec {
+    databases.postgresql.enable = true;
     services = {
       borgmatic = {
         enable = true;
@@ -51,10 +55,17 @@
         ];
         repoPath = "ssh://p91y8oh7@p91y8oh7.repo.borgbase.com/./repo";
       };
-      coturn.enable = true;
+      coturn = {
+        enable = true;
+        realm = "turn.vimium.com";
+        matrixIntegration = true;
+      };
       gitea.enable = true;
       headscale.enable = true;
-      matrix-synapse.enable = true;
+      matrix-synapse = {
+        enable = true;
+        usePostgresql = databases.postgresql.enable;
+      };
       nginx.enable = true;
       photoprism.enable = true;
     };

modules/databases/postgresql.nix

@@ -0,0 +1,40 @@
+{
+  config,
+  lib,
+  ...
+}:
+
+let
+  cfg = config.modules.databases.postgresql;
+in {
+  options.modules.databases.postgresql = {
+    enable = lib.mkOption {
+      default = false;
+      example = true;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.postgresql = {
+      enable = true;
+      initdbArgs = [
+        "--allow-group-access"
+        "--encoding=UTF8"
+        "--locale=C"
+      ];
+      settings = {
+        log_connections = true;
+        log_disconnections = true;
+        log_destination = lib.mkForce "syslog";
+      };
+    };
+
+    services.borgmatic.settings = {
+      postgresql_databases = [
+        {
+          name = "all";
+        }
+      ];
+    };
+  };
+}

modules/default.nix

@@ -2,7 +2,9 @@
   imports = [
     ./options.nix
     ./podman.nix
+    ./databases/postgresql.nix
     ./desktop/gnome.nix
+    ./desktop/forensics.nix
     ./desktop/hyprland.nix
     ./desktop/kde.nix
     ./desktop/mimeapps.nix
@@ -10,6 +12,7 @@
     ./desktop/apps/slack.nix
     ./desktop/apps/thunderbird.nix
     ./desktop/apps/zoom.nix
+    ./desktop/browsers/brave.nix
     ./desktop/browsers/firefox.nix
     ./desktop/gaming/emulators.nix
     ./desktop/gaming/lutris.nix

modules/desktop/browsers/brave.nix

@@ -0,0 +1,17 @@
+{ config, lib, pkgs, inputs, ... }:
+
+let cfg = config.modules.desktop.browsers.brave;
+in {
+  options.modules.desktop.browsers.brave = {
+    enable = lib.mkOption {
+      default = false;
+      example = true;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    user.packages = with pkgs; [
+      brave
+    ];
+  };
+}

modules/desktop/browsers/firefox.nix

@@ -35,23 +35,46 @@ in {
 
           ## Preferences
           "browser.ctrlTab.sortByRecentlyUsed" = true;
+          "browser.discovery.enabled" = false;
           "browser.newtabpage.enabled" = false;
+          "browser.newtabpage.activity-stream.showSponsored" = false;
+          "browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
+          "browser.newtabpage.activity-stream.default.sites" = "";
+          "browser.privatebrowsing.forceMediaMemoryCache" = true;
           "browser.search.widget.inNavBar" = true;
           "browser.startup.page" = 3;
           "browser.startup.homepage" = "https://www.vimium.com";
           "browser.toolbars.bookmarks.visibility" = "never";
+          "browser.uitour.enabled" = false;
+          "media.memory_cache_max_size" = 65536;
+
+          ## Performance
+          "gfx.webrender.all" = true;
+          "gfx.webrender.compositor" = true;
+          "gfx.webrender.enable" = true;
+          "layers.acceleration.force-enabled" = true;
+          "media.ffmpeg.vaapi.enabled" = true;
 
           ## Experiments
           "app.normandy.enabled" = false;
           "app.normandy.api_url" = "";
           "app.normandy.user_id" = "";
+          "app.shield.optoutstudies.enabled" = false;
+          "browser.shopping.experience2023.active" = false;
+          "browser.shopping.experience2023.enabled" = false;
           "extensions.screenshots.disabled" = true;
           "extensions.screenshots.upload-disabled" = true;
           "experiments.supported" = false;
           "experiments.enabled" = false;
           "experiments.manifest.uri" = "";
           "network.allow-experiments" = false;
-          "privacy.trackingprotection.enabled" = false;
+
+          ## Privacy
+          # "privacy.resistFingerprinting" = true;
+          "privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts" = false;
+          "privacy.trackingprotection.enabled" = true;
+          "privacy.trackingprotection.pbmode.enabled" = true;
+          "privacy.userContext.enabled" = true;
 
           ## Geo
           "geo.enabled" = false;
@@ -104,6 +127,28 @@ in {
           "privacy.firstparty.isolate" = true;
           "privacy.firstparty.isolate.restrict_opener_access" = true;
 
+          ## Telemetry
+          "beacon.enabled" = false;
+          "browser.newtabpage.activity-stream.feeds.telemetry" = false;
+          "browser.newtabpage.activity-stream.telemetry" = false;
+          "browser.send_pings" = false;
+          "datareporting.policy.dataSubmissionEnabled" = false;
+          "datareporting.healthReport.uploadEnabled" = false;
+          "toolkit.coverage.opt-out" = true;
+          "toolkit.coverage.endpoint.base" = "";
+          "toolkit.telemetry.archive.enabled" = false;
+          "toolkit.telemetry.bhrPing.enabled" = false;
+          "toolkit.telemetry.coverage.opt-out" = true;
+          "toolkit.telemetry.enabled" = false;
+          "toolkit.telemetry.firstShutdownPing.enabled" = false;
+          "toolkit.telemetry.hybridContent.enabled" = false;
+          "toolkit.telemetry.newProfilePing.enabled" = false;
+          "toolkit.telemetry.reportingPolicy.firstRun" = false;
+          "toolkit.telemetry.server" = "data:,";
+          "toolkit.telemetry.shutdownPingSender.enabled" = false;
+          "toolkit.telemetry.unified" = false;
+          "toolkit.telemetry.updatePing.enabled" = false;
+
           ## Pocket/Hello
           "loop.enabled" = false;
           "loop.feedback.baseUrl" = "";
@@ -125,6 +170,10 @@ in {
           "browser.pocket.useLocaleList" = false;
           "brwoser.pocket.enabledLocales" = "";
 
+          ## Plugins
+          "plugin.state.flash" = 0;
+          "plugin.state.java" = 0;
+
           ## Misc
           "browser.selfsupport.url" = "";
         };

modules/desktop/forensics.nix

@@ -0,0 +1,26 @@
+{ config, lib, pkgs, ... }:
+
+let cfg = config.modules.desktop.forensics;
+in {
+  options.modules.desktop.forensics = {
+    enable = lib.mkOption {
+      default = false;
+      example = true;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    user.packages = with pkgs; [
+      acquire
+      afflib
+      autopsy
+      fatcat
+      foremost
+      hstsparser
+      networkminer
+      sleuthkit
+      testdisk-qt
+      tracee
+    ];
+  };
+}

modules/desktop/gnome.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, inputs, lib, pkgs, ... }:
 
 let cfg = config.modules.desktop.gnome;
 in {
@@ -21,28 +21,89 @@ in {
 
     programs.dconf.enable = true;
     dconf.settings = {
+      "io/github/celluloid-player/celluloid" = {
+        draggable-video-area-enable = true;
+      };
+      "org/gnome/desktop/interface" = {
+        color-scheme = "prefer-dark";
+        cursor-theme = "Adwaita";
+        enable-hot-corners = false;
+        font-name = "Cantarell 11";
+        gtk-theme = "adw-gtk3-dark";
+        icon-theme = "MoreWaita";
+        monospace-font-name = "UbuntuMono Nerd Font 11";
+        toolbar-style = "both-horiz";
+      };
+      "org/gnome/desktop/peripherals/touchpad" = {
+        tap-to-click = true;
+      };
+      "org/gnome/desktop/sound" = {
+        theme-name = "freedesktop";
+      };
+      "org/gnome/desktop/search-providers" = {
+        disabled = [ "org.gnome.Epiphany.desktop" ];
+      };
+      "org/gnome/desktop/wm/keybindings" = {
+        switch-group = [ "<Super>grave" ];
+        switch-group-backward = [ "<Shift><Super>grave" ];
+      };
+      "org/gnome/desktop/wm/preferences" = {
+        button-layout = "appmenu:close";
+      };
+      "org/gnome/gnome-session" = {
+        auto-save-session = true;
+      };
+      "org/gnome/gnome-system-monitor" = {
+        show-dependencies = true;
+      };
+      "org/gnome/mutter" = {
+        center-new-windows = true;
+        edge-tiling = true;
+        experimental-features = [ "scale-monitor-framebuffer" ];
+      };
+      "org/gnome/settings-daemon/plugins/media-keys" = {
+        volume-up = [
+          "<Shift>F12"
+          "XF86AudioRaiseVolume"
+        ];
+        volume-down = [
+          "<Shift>F11"
+          "XF86AudioLowerVolume"
+        ];
+      };
       "org/gnome/shell" = {
         disable-user-extensions = false;
         enabled-extensions = [
-          # "another-window-session-manager@gmail.com"
+          "appindicatorsupport@rgcjonas.gmail.com"
+          # "arcmenu@arcmenu.com"
           "blur-my-shell@aunetx"
+          # "browser-tabs@com.github.harshadgavali"
           "burn-my-windows@schneegans.github.com"
+          "clipboard-indicator@tudmotu.com"
+          "CoverflowAltTab@palatis.blogspot.com"
+          # "dash-to-panel@jderose9.github.com"
           # "desktop-cube@schneegans.github.com"
-          # "desktop-zoom@colin.kinlo.ch"
+          # "EasyScreenCast@iacopodeenosee.gmail.com"
           "espresso@coadmunkee.github.com"
-          # "flypie@schneegans.github.com"
+          "flypie@schneegans.github.com"
           # "forge@jmmaranan.com"
-          "hue-lights@chlumskyvaclav@gmail.com"
+          "gsconnect@andyholmes.github.io"
+          # "gSnap@micahosborne"
+          # "hidetopbar@mathieu.bidon.ca"
           "just-perfection-desktop@just-perfection"
+          # "mediacontrols@cliffniff.github.com"
+          # "mousefollowsfocus@matthes.biz"
           # "pano@elhan.io"
           # "paperwm@hedning:matrix.org"
+          "pip-on-top@rafostar.github.com"
+          # "rounded-window-corners@yilozt"
           # "search-light@icedman.github.com"
-          "space-bar@luchrioh"
           # "smart-auto-move@khimaros.com"
-          # "systemd-manager@hardpixel.eu"
+          "space-bar@luchrioh"
-          # "tailscale-status@maxgallup.github.com"
           # "tiling-assistant@leleat-on-github"
           "Vitals@CoreCoding.com"
+          "windowIsReady_Remover@nunofarruca@gmail.com"
+          # "worksets@blipk.xyz"
           # "wsmatrix@martin.zurowietz.de"
         ];
         favorite-apps = [
@@ -50,9 +111,6 @@ in {
           "org.gnome.Nautilus.desktop"
         ];
       };
-      "org/gnome/shell/extensions/another-window-session-manager" = {
-        enable-autorestore-sessions = true;
-      };
       "org/gnome/shell/extensions/blur-my-shell/panel" = {
         static-blur = true;
       };
@@ -64,8 +122,14 @@ in {
         glide-open-effect = true;
         glide-close-effect = true;
       };
-      "org/gnome/shell/extensions/desktop-zoom" = {
+      "org/gnome/shell/extensions/dash-to-panel" = {
-        mag-factor-delta = 0.07;
+        intellihide = true;
+        panel-positions = ''
+          {"0":"TOP"}
+        '';
+        trans-panel-opacity = 0.3;
+        trans-use-custom-opacity = true;
+        trans-use-dynamic-opacity = true;
       };
       "org/gnome/shell/extensions/espresso" = {
         enable-fullscreen = true;
@@ -75,18 +139,32 @@ in {
           "com.obsproject.Studio.desktop"
         ];
       };
-      "org/gnome/shell/extensions/paperwm" = {
+      "org/gnome/shell/extensions/flypie" = {
-        use-default-background = true;
+        preview-on-right-side = true;
       };
       "org/gnome/shell/extensions/forge" = {
         window-gap-size = 8;
         window-gap-hidden-on-single = false;
       };
+      "org/gnome/shell/extensions/hidetopbar" = {
+        mouse-sensitive = true;
+        mouse-sensitive-fullscreen-window = true;
+        enable-active-window = false;
+      };
       "org/gnome/shell/extensions/just-perfection" = {
         activities-button = false;
         window-demands-attention-focus = true;
         workspace-wrap-around = true;
       };
+      "org/gnome/shell/extensions/paperwm" = {
+        use-default-background = true;
+      };
+      "org/gnome/shell/extensions/pip-on-top" = {
+        stick = true;
+      };
+      "org/gnome/shell/extensions/search-light" = {
+        popup-at-cursor-monitor = true;
+      };
       "org/gnome/shell/extensions/space-bar/behavior" = {
         enable-activate-workspace-shortcuts = true;
         show-empty-workspaces = true;
@@ -99,15 +177,10 @@ in {
         screen-left-gap = 8;
         window-gap = 8;
       };
-      "org/gnome/desktop/background" = {
+      "org/gnome/Console" = {
-        picture-uri = "file://${pkgs.gnome.gnome-backgrounds}/share/backgrounds/gnome/adwaita-l.jxl";
+        font-scale = 1.4;
-        picture-uri-dark = "file://${pkgs.gnome.gnome-backgrounds}/share/backgrounds/gnome/adwaita-d.jxl";
+        use-system-font = false;
-      };
+        custom-font = "ComicShannsMono Nerd Font 10";
-      "org/gnome/desktop/peripherals/touchpad" = {
-        tap-to-click = true;
-      };
-      "org/gnome/desktop/search-providers" = {
-        disabled = [ "org.gnome.Epiphany.desktop" ];
       };
       "org/gtk/settings/file-chooser" = {
         show-hidden = true;
@@ -117,44 +190,18 @@ in {
         show-hidden = true;
         sort-directories-first = true;
       };
-      "org/gnome/settings-daemon/plugins/media-keys" = {
+    };
-        volume-up = [
+
-          "<Shift>F12"
+    environment.sessionVariables = {
-          "XF86AudioRaiseVolume"
+      QT_STYLE_OVERRIDE = lib.mkForce "kvantum";
-        ];
+      QT_WAYLAND_DECORATION = lib.mkForce "adwaita";
-        volume-down = [
+    };
-          "<Shift>F11"
+
-          "XF86AudioLowerVolume"
+    home.configFile = {
-        ];
+      "Kvantum/kvantum.kvconfig".text = lib.generators.toINI {} {
-      };
+        General.theme = "KvLibadwaitaDark";
-      "org/gnome/gnome-session" = {
-        auto-save-session = true;
-      };
-      "org/gnome/gnome-system-monitor" = {
-        show-dependencies = true;
-      };
-      "org/gnome/Console" = {
-        font-scale = 1.4;
-        use-system-font = false;
-        custom-font = "ComicShannsMono Nerd Font 10";
-      };
-      "org/gnome/mutter" = {
-        center-new-windows = true;
-        edge-tiling = true;
-        experimental-features = [ "scale-monitor-framebuffer" ];
-      };
-      "org/gnome/desktop/interface" = {
-        enable-hot-corners = false;
-        icon-theme = "MoreWaita";
-        monospace-font-name = "UbuntuMono Nerd Font 11";
-      };
-      "org/gnome/desktop/wm/keybindings" = {
-        switch-group = [ "<Super>grave" ];
-        switch-group-backward = [ "<Shift><Super>grave" ];
-      };
-      "io/github/celluloid-player/celluloid" = {
-        draggable-video-area-enable = true;
       };
+      "Kvantum/KvLibadwaita".source = "${inputs.kvlibadwaita}/src/KvLibadwaita";
     };
 
     user.packages = with pkgs; [
@@ -165,6 +212,7 @@ in {
       # d-spy
       # drawing
       # fragments
+      gnome.dconf-editor
       gnome.ghex
       # gnome-builder
       gnome-decoder
@@ -174,48 +222,60 @@ in {
       gnome-podcasts
       identity
       mission-center
+      mousam
       newsflash
       # schemes
       shortwave
-    ];
+      sysprof
-
-    environment.systemPackages = with pkgs; [
-      adw-gtk3
-      gnome.gnome-boxes
-      gnomeExtensions.another-window-session-manager
-      # gnomeExtensions.bifocals
-      gnomeExtensions.blur-my-shell
-      gnomeExtensions.browser-tabs
-      gnomeExtensions.burn-my-windows
-      gnomeExtensions.desktop-cube
-      # gnomeExtensions.desktop-zoom
-      gnomeExtensions.espresso
-      gnome44Extensions."flypie@schneegans.github.com"
-      # gnomeExtensions.forge
-      # gnomeExtensions.gsnap
-      gnomeExtensions.hue-lights
-      gnomeExtensions.just-perfection
-      # gnomeExtensions.mutter-primary-gpu
-      gnomeExtensions.pano
-      gnomeExtensions.paperwm
-      # gnomeExtensions.pip-on-top
-      gnomeExtensions.rounded-window-corners
-      gnomeExtensions.search-light
-      gnomeExtensions.smart-auto-move
-      gnomeExtensions.space-bar
-      gnomeExtensions.systemd-manager
-      gnomeExtensions.tailscale-status
-      gnomeExtensions.tiling-assistant
-      # gnomeExtensions.todotxt
-      gnomeExtensions.vitals
-      # gnomeExtensions.window-is-ready-remover
-      # gnomeExtensions.worksets
-      # gnomeExtensions.workspace-matrix
-      unstable.morewaita-icon-theme
     ] ++ (if config.virtualisation.podman.enable then [
       pods
     ] else []);
 
+    environment.systemPackages = with pkgs.unstable; [
+      adw-gtk3
+      kdePackages.qtstyleplugin-kvantum
+      libsForQt5.qtstyleplugin-kvantum
+      morewaita-icon-theme
+      nautilus-python
+      qadwaitadecorations
+      qadwaitadecorations-qt6
+
+      ## Shell extensions
+      gnomeExtensions.appindicator
+      gnomeExtensions.arcmenu
+      gnomeExtensions.blur-my-shell
+      gnomeExtensions.browser-tabs
+      gnomeExtensions.burn-my-windows
+      gnomeExtensions.clipboard-indicator
+      gnomeExtensions.coverflow-alt-tab
+      gnomeExtensions.dash-to-panel
+      gnomeExtensions.desktop-cube
+      gnomeExtensions.easyScreenCast
+      gnomeExtensions.espresso
+      gnomeExtensions.fly-pie
+      gnomeExtensions.forge
+      gnomeExtensions.gsconnect
+      gnomeExtensions.gsnap
+      gnomeExtensions.hide-top-bar
+      gnomeExtensions.just-perfection
+      gnomeExtensions.media-controls
+      gnomeExtensions.mouse-follows-focus
+      gnomeExtensions.pano
+      gnomeExtensions.paperwm
+      gnomeExtensions.pip-on-top
+      gnomeExtensions.rounded-window-corners
+      gnomeExtensions.search-light
+      gnomeExtensions.smart-auto-move
+      gnomeExtensions.space-bar
+      gnomeExtensions.tiling-assistant
+      # gnomeExtensions.tiling-shell
+      gnomeExtensions.todotxt
+      gnomeExtensions.vitals
+      gnomeExtensions.window-is-ready-remover
+      gnomeExtensions.worksets
+      gnomeExtensions.workspace-matrix
+    ];
+
     home.services.gpg-agent.pinentryPackage = pkgs.pinentry-gnome3;
   };
 }

modules/desktop/kde.nix

@@ -10,13 +10,15 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
-    services.xserver = {
+    services = {
-      enable = true;
+      xserver = {
+        enable = true;
+      };
+      desktopManager.plasma6.enable = true;
       displayManager.sddm = {
         enable = true;
         wayland.enable = true;
       };
-      desktopManager.plasma5.enable = true;
     };
 
     networking.networkmanager.enable = true;

modules/desktop/office/libreoffice.nix

@@ -1,6 +1,24 @@
 { config, lib, pkgs, ... }:
 
-let cfg = config.modules.desktop.office.libreoffice;
+let
+  cfg = config.modules.desktop.office.libreoffice;
+  # libreoffice-gtk4 = pkgs.libreoffice.override {
+  #   extraMakeWrapperArgs = [
+  #     "--set SAL_USE_VCLPLUGIN gtk4"
+  #   ];
+  #   unwrapped = pkgs.libreoffice-unwrapped.overrideAttrs (oldAttrs: {
+  #     buildInputs = oldAttrs.buildInputs ++ [
+  #       pkgs.gtk4
+  #     ];
+  #     configureFlags = oldAttrs.configureFlags ++ [
+  #       "--disable-werror"
+  #       "--enable-gtk4"
+  #     ];
+  #     passthru = oldAttrs.passthru // {
+  #       inherit (pkgs) gtk4;
+  #     };
+  #   });
+  # };
 in {
   options.modules.desktop.office.libreoffice = {
     enable = lib.mkOption {

modules/options.nix

@@ -69,6 +69,7 @@ with lib;
 
       sharedModules = [
         inputs.nixvim.homeManagerModules.nixvim
+        inputs.plasma-manager.homeManagerModules.plasma-manager
       ];
     };
 

modules/services/coturn/default.nix

@@ -1,60 +1,123 @@
-{ config, lib, pkgs, inputs, ... }:
+{
-
+  config,
-with lib;
+  lib,
+  inputs,
+  ...
+}:
 
 let
   cfg = config.modules.services.coturn;
 in {
   options.modules.services.coturn = {
-    enable = mkOption {
+    enable = lib.mkOption {
       default = false;
       example = true;
     };
+    realm = lib.mkOption {
+      type = lib.types.str;
+      description = "The realm to be used by the TURN server.";
+      example = "turn.vimium.com";
+    };
+    matrixIntegration = lib.mkOption {
+      default = false;
+      description = "Configure the matrix-synapse module to use this TURN server.";
+      example = true;
+    };
   };
 
-  config = mkIf cfg.enable {
+  config = lib.mkIf cfg.enable {
-    networking.firewall = {
+    networking.firewall = let
+      range = with config.services.coturn; lib.singleton {
+        from = min-port;
+        to = max-port;
+      };
+    in {
       allowedTCPPorts = [
+        3478  # TURN listener
         5349  # STUN TLS
         5350  # STUN TLS alt
       ];
-      allowedUDPPortRanges = [
+      allowedUDPPorts = [
-        { from = 49152; to = 49999; } # TURN relay
+        3478  # TURN listener
+        5349  # TLS
+        5350  # TLS alt
       ];
+      allowedUDPPortRanges = range; # TURN peer relays
     };
 
     security.acme.certs = {
-      "turn.vimium.com" = {
+      "${config.services.coturn.realm}" = {
+        group = "turnserver";
         reloadServices = [ "coturn" ];
       };
     };
 
-    age.secrets."passwords/services/coturn/shared-secret" = {
+    age.secrets = {
-      file = "${inputs.secrets}/passwords/services/coturn/shared-secret.age";
+      "passwords/services/coturn/static-auth-secret" = {
-      owner = "turnserver";
+        file = "${inputs.secrets}/passwords/services/coturn/static-auth-secret.age";
-      group = "turnserver";
+        owner = "turnserver";
-    };
+        group = "turnserver";
+      };
+    } // (if cfg.matrixIntegration then {
+      "passwords/services/coturn/matrix-turn-config.yml" = {
+        file = "${inputs.secrets}/passwords/services/coturn/matrix-turn-config.yml.age";
+        owner = "matrix-synapse";
+        group = "matrix-synapse";
+      };
+    } else {});
 
-    services.coturn = {
+    services.coturn = rec {
       enable = true;
-      lt-cred-mech = true;
+      realm = cfg.realm;
       use-auth-secret = true;
-      static-auth-secret-file = config.age.secrets."passwords/services/coturn/shared-secret".path;
+      static-auth-secret-file = config.age.secrets."passwords/services/coturn/static-auth-secret".path;
-      realm = "turn.vimium.com";
+      cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
-      relay-ips = [
+      pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
-        "198.244.190.160"
+      min-port = 49000;
-      ];
+      max-port = 50000;
+      no-cli = true;
       no-tcp-relay = true;
       extraConfig = ''
         cipher-list="HIGH"
-        no-loopback-peers
         no-multicast-peers
+
+        # Ban private CIDR blocks
+        denied-peer-ip=0.0.0.0-0.255.255.255
+        denied-peer-ip=10.0.0.0-10.255.255.255
+        denied-peer-ip=100.64.0.0-100.127.255.255
+        denied-peer-ip=127.0.0.0-127.255.255.255
+        denied-peer-ip=169.254.0.0-169.254.255.255
+        denied-peer-ip=172.16.0.0-172.31.255.255
+        denied-peer-ip=192.0.0.0-192.0.0.255
+        denied-peer-ip=192.0.2.0-192.0.2.255
+        denied-peer-ip=192.88.99.0-192.88.99.255
+        denied-peer-ip=192.168.0.0-192.168.255.255
+        denied-peer-ip=198.18.0.0-198.19.255.255
+        denied-peer-ip=198.51.100.0-198.51.100.255
+        denied-peer-ip=203.0.113.0-203.0.113.255
+        denied-peer-ip=240.0.0.0-255.255.255.255
+        denied-peer-ip=::1
+        denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+        denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+        denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+        denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+        denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+        denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+        denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
       '';
-      secure-stun = true;
+    };
-      cert = "/var/lib/acme/turn.vimium.com/fullchain.pem";
+
-      pkey = "/var/lib/acme/turn.vimium.com/key.pem";
+    services.matrix-synapse = lib.mkIf cfg.matrixIntegration {
-      min-port = 49152;
+      settings = with config.services.coturn; {
-      max-port = 49999;
+        turn_uris = [
+          "turn:${realm}:3478?transport=udp"
+          "turn:${realm}:3478?transport=tcp"
+        ];
+        turn_user_lifetime = "1h";
+      };
+      extraConfigFiles = [
+        config.age.secrets."passwords/services/coturn/matrix-turn-config.yml".path
+      ];
     };
   };
 }

modules/services/headscale/default.nix

@@ -28,6 +28,18 @@ in {
         server_url = "https://${fqdn}";
         dns_config = {
           base_domain = "vimium.net";
+          extra_records = [
+            {
+              name = "grafana.mesh.vimium.net";
+              type = "A";
+              value = "100.64.0.6";
+            }
+            {
+              name = "home.mesh.vimium.net";
+              type = "A";
+              value = "100.64.0.7";
+            }
+          ];
         };
         logtail.enabled = false;
       };

modules/services/mail/default.nix

@@ -31,6 +31,7 @@ in {
         $config['smtp_user'] = "%u";
         $config['smtp_pass'] = "%p";
       '';
+      plugins = [ "contextmenu" ];
     };
 
     services.nginx.enable = true;

modules/services/matrix-synapse/default.nix

@@ -1,58 +1,59 @@
-{ config, lib, pkgs, inputs, ... }:
+{
-
+  config,
-with lib;
+  lib,
+  pkgs,
+  ...
+}:
 
 let
   cfg = config.modules.services.matrix-synapse;
-  matrixClientConfig = {
-    "m.homeserver" = {
-      base_url = "https://matrix.vimium.com";
-      server_name = "vimium.com";
-    };
-    "m.identity_server" = {};
-  };
-  matrixServerConfig."m.server" = "matrix.vimium.com:443";
-  mkWellKnown = data: ''
-    more_set_headers 'Content-Type: application/json';
-    return 200 '${builtins.toJSON data}';
-  '';
 in {
   options.modules.services.matrix-synapse = {
-    enable = mkOption {
+    enable = lib.mkOption {
+      default = false;
+      example = true;
+    };
+    enableElementWeb = lib.mkOption {
+      default = true;
+      example = false;
+    };
+    serverName = lib.mkOption {
+      type = lib.types.str;
+      default = "vimium.com";
+      example = "vimium.com";
+    };
+    usePostgresql = lib.mkOption {
       default = false;
       example = true;
     };
   };
 
-  config = mkIf cfg.enable {
+  config = let
+    matrixClientConfig = {
+      "m.homeserver" = {
+        base_url = "https://matrix.${cfg.serverName}";
+        server_name = cfg.serverName;
+      };
+      "m.identity_server" = {};
+    };
+    matrixServerConfig."m.server" = "matrix.${cfg.serverName}:443";
+    mkWellKnown = data: ''
+      more_set_headers 'Content-Type: application/json';
+      return 200 '${builtins.toJSON data}';
+    '';
+  in lib.mkIf cfg.enable {
     networking.firewall.allowedTCPPorts = [
       8448 # Matrix federation
     ];
 
     security.acme.certs = {
-      "matrix.vimium.com" = {
+      "matrix.${cfg.serverName}" = {
         reloadServices = [ "matrix-synapse" ];
       };
     };
 
     services.nginx.virtualHosts = {
-      "chat.vimium.com" = {
+      "matrix.${cfg.serverName}" = {
-        forceSSL = true;
-        enableACME = true;
-        root = pkgs.unstable.element-web.override {
-          conf = {
-            default_server_config = matrixClientConfig;
-            brand = "Vimium Chat";
-            branding = {
-              auth_header_logo_url = "https://vimium.com/images/logo.svg";
-              auth_footer_links = [
-                { "text" = "Vimium.com"; "url" = "https://vimium.com"; }
-              ];
-            };
-          };
-        };
-      };
-      "matrix.vimium.com" = {
         forceSSL = true;
         enableACME = true;
         listen = [
@@ -102,26 +103,51 @@ in {
           "/_synapse/client".proxyPass = "http://localhost:8008";
         };
       };
-      "vimium.com" = {
+      "${cfg.serverName}" = {
         locations."= /.well-known/matrix/server".extraConfig = (mkWellKnown matrixServerConfig);
         locations."= /.well-known/matrix/client".extraConfig = (mkWellKnown matrixClientConfig);
       };
-    };
+    } // (if cfg.enableElementWeb then {
+      "chat.${cfg.serverName}" = {
+        forceSSL = true;
+        enableACME = true;
+        root = pkgs.unstable.element-web.override {
+          conf = {
+            default_server_config = matrixClientConfig;
+            brand = "Vimium Chat";
+            branding = {
+              auth_header_logo_url = "https://vimium.com/images/logo.svg";
+              auth_footer_links = [
+                { "text" = "Vimium.com"; "url" = "https://vimium.com"; }
+              ];
+            };
+          };
+        };
+      };
+    } else {});
 
     services.matrix-synapse = {
       enable = true;
       settings = {
-        database.name = "sqlite3";
+        database.name = (if cfg.usePostgresql then "psycopg2" else "sqlite3");
+        enable_metrics = false;
         enable_registration = false;
-        server_name = "vimium.com";
+        max_upload_size = "100M";
-        # turn_shared_secret = "???";
+        report_stats = false;
-        # turn_uris = [
+        server_name = cfg.serverName;
-        #   "turn:turn.vimium.com:5349?transport=udp"
-        #   "turn:turn.vimium.com:5350?transport=udp"
-        #   "turn:turn.vimium.com:5349?transport=tcp"
-        #   "turn:turn.vimium.com:5350?transport=tcp"
-        # ];
       };
     };
+
+    services.postgresql = lib.mkIf cfg.usePostgresql {
+      ensureUsers = [
+        {
+          name = "matrix-synapse";
+          ensureDBOwnership = true;
+        }
+      ];
+      ensureDatabases = [
+        "matrix-synapse"
+      ];
+    };
   };
 }

overlays/gnome.nix

@@ -4,7 +4,7 @@ self: super:
     mutter = gsuper.mutter.overrideAttrs (oldAttrs: {
       src = super.fetchurl {
         url = "https://gitlab.gnome.org/Community/Ubuntu/mutter/-/archive/triple-buffering-v4-46/mutter-triple-buffering-v4-46.tar.gz";
-        sha256 = "Rdao3TR6wG7YcpoD+nFFiCaE+97G0MreBgwsQJa3GCE=";
+        sha256 = "5Dow9/wsyeqAQxucegFvPTGIS3jEBFisjSCY3XZronw=";
       };
     });
   });