From 199b9f3d788f79e6f9732fd4ce7dfeda67a7e9b1 Mon Sep 17 00:00:00 2001 From: Simon Gardling Date: Tue, 28 Jan 2025 21:29:13 -0500 Subject: [PATCH] overhaul of qbt + tmpfiles --- .gitattributes | 1 + configuration.nix | 41 ++++++- flake.lock | 184 ++++++++++++++++++++++++++++++-- flake.nix | 8 ++ secrets/minecraft-whitelist.nix | Bin 353 -> 408 bytes secrets/zfs-key | Bin 0 -> 54 bytes services/caddy.nix | 2 +- services/gitea.nix | 2 +- services/immich.nix | 2 +- services/jellyfin.nix | 4 +- services/matrix.nix | 2 +- services/minecraft.nix | 6 +- services/owntracks.nix | 2 +- services/qbittorrent.nix | 23 ++-- 14 files changed, 246 insertions(+), 31 deletions(-) create mode 100644 secrets/zfs-key diff --git a/.gitattributes b/.gitattributes index 5238122..8771b43 100644 --- a/.gitattributes +++ b/.gitattributes @@ -6,3 +6,4 @@ secrets/caddy_auth.nix filter=git-crypt diff=git-crypt secrets/matrix_reg_token.nix filter=git-crypt diff=git-crypt secrets/owntracks_caddy_auth.nix filter=git-crypt diff=git-crypt secrets/secureboot.tar filter=git-crypt diff=git-crypt +secrets/zfs-key filter=git-crypt diff=git-crypt diff --git a/configuration.nix b/configuration.nix index 25ea396..ae78331 100644 --- a/configuration.nix +++ b/configuration.nix @@ -32,6 +32,12 @@ hybrid-sleep.enable = false; }; + powerManagement = { + powertop.enable = true; + enable = true; + cpuFreqGovernor = "powersave"; + }; + nix = { # optimize the store optimise.automatic = true; @@ -65,7 +71,6 @@ loader = { # Use the systemd-boot EFI boot loader. - systemd-boot.enable = true; efi.canTouchEfiVariables = true; # 1s timeout 
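Review bot: `+secrets/zfs-key filter=git-crypt diff=git-crypt` only protects the new key if the attribute was in place when the blob was staged — git-crypt encrypts on `git add`, so a file added before this line existed would sit in history in cleartext even though it now matches the pattern. The committed blob is 54 bytes and shares its leading bytes with the already-encrypted `secrets/minecraft-whitelist.nix`, which is consistent with the git-crypt header plus nonce in front of a 32-byte raw key, so it looks encrypted, but that is inference from the binary patch rather than a check. Confirm it once with `git show 199b9f3:secrets/zfs-key | head -c 10` (expect the `GITCRYPT` magic) or `git-crypt status -e secrets/zfs-key`; if it is cleartext, the key has to be rotated, not just re-encrypted.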
@@ -76,10 +81,32 @@ compressor = "zstd"; }; - # kernelModules = [ - # # kernel module for case fan control - # "nct6775" - # ]; + kernelModules = [ + "msr" + ]; + + loader.systemd-boot.enable = lib.mkForce false; + + lanzaboote = { + enable = true; + pkiBundle = "/var/lib/sbctl"; + }; + }; + + system.activationScripts = { + # extract all my secureboot keys + "secureboot-keys".text = '' + #!/bin/sh + rm -fr ${config.boot.lanzaboote.pkiBundle} || true + mkdir -p ${config.boot.lanzaboote.pkiBundle} + ${pkgs.gnutar}/bin/tar xf /etc/nixos/secrets/secureboot.tar -C ${config.boot.lanzaboote.pkiBundle} + ''; + + "zfs-encryption-keys".text = '' + #!/bin/sh + rm -fr /etc/zfs-key + cp /etc/nixos/secrets/zfs-key /etc/zfs-key + ''; }; environment.etc = { @@ -137,6 +164,8 @@ wget + powertop + (pkgs.writeScriptBin "mc-console" '' #!/bin/sh ${pkgs.tmux}/bin/tmux -S /run/minecraft/${service_configs.minecraft.server_name}.sock attach @@ -172,6 +201,8 @@ pfetch-rs + sbctl + ]; services.zfs = { diff --git a/flake.lock b/flake.lock index 0b9b65c..dfb48bb 100644 --- a/flake.lock +++ b/flake.lock @@ -1,6 +1,37 @@ { "nodes": { + "crane": { + "locked": { + "lastModified": 1731098351, + "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=", + "owner": "ipetkov", + "repo": "crane", + "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1673956053, 
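Review bot: `cp /etc/nixos/secrets/zfs-key /etc/zfs-key` in `zfs-encryption-keys` creates the destination with the source's mode masked by the activation umask, and the key is committed as `100644` in this commit, so unless the `/etc/nixos` checkout itself is root-only the raw ZFS key most likely lands world-readable at `/etc/zfs-key`; `install -m 0400 -o root -g root /etc/nixos/secrets/zfs-key /etc/zfs-key` sets the mode in the same step. `secureboot-keys` has the inverse problem: it runs `rm -fr` on the pkiBundle before `tar xf` has succeeded, so a locked git-crypt checkout or a corrupt archive leaves `/var/lib/sbctl` empty and nothing to sign the next generation with — extract into a temporary directory and swap it in only on success. `tar xf` run as root also preserves whatever modes were packed into `secureboot.tar`, so a `chmod -R go-rwx` on the extracted tree is cheap insurance for the signing keys. The `#!/bin/sh` lines are inert as far as I know, since NixOS concatenates activation fragments into one script, so they can be dropped. Separately, verify on a fresh host whether the first `nixos-rebuild switch` installs the bootloader before these activation fragments run, since lanzaboote would then look for a bundle that does not exist yet.
```nix
system.activationScripts = {
  # extract the secureboot keys; replace the old bundle only on success
  "secureboot-keys".text = ''
    tmp=$(mktemp -d)
    if ${pkgs.gnutar}/bin/tar xf /etc/nixos/secrets/secureboot.tar -C "$tmp"; then
      chmod -R go-rwx "$tmp"
      rm -rf ${config.boot.lanzaboote.pkiBundle}
      mv "$tmp" ${config.boot.lanzaboote.pkiBundle}
    else
      echo "secureboot-keys: extraction failed, keeping ${config.boot.lanzaboote.pkiBundle}" >&2
      rm -rf "$tmp"
    fi
  '';

  # root-only copy of the raw ZFS key; install sets mode and owner atomically
  "zfs-encryption-keys".text = ''
    install -m 0400 -o root -g root /etc/nixos/secrets/zfs-key /etc/zfs-key
  '';
};
```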
@@ -16,6 +47,27 @@ "type": "github" } }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1730504689, + "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "506278e768c2a08bec68eb62932193e341f55c90", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems" @@ -34,6 +86,28 @@ "type": "github" } }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ 
@@ -55,20 +129,45 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1737639419, + "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "lanzaboote", + "type": "github" + } + }, "nix-minecraft": { "inputs": { - "flake-compat": "flake-compat", + "flake-compat": "flake-compat_2", "flake-utils": "flake-utils", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1737683037, - "narHash": "sha256-1J2Pf6ub2DkkoqRq2xEFrusJKR4XHnnFk0wyOPrV2PM=", + "lastModified": 1738028598, + "narHash": "sha256-0AjsOFj8Tyl1S8mEgr2MKCHIj0Y+/Gy275xas2kduqQ=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "f80c70946d3e27a466b8b9e65b24e36d571eac8b", + "rev": "381b2e789876208216b26725009826c80c99399f", "type": "github" }, "original": { @@ -95,11 +194,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1737672001, - "narHash": "sha256-YnHJJ19wqmibLQdUeq9xzE6CjrMA568KN/lFPuSVs4I=", + "lastModified": 1737885640, + "narHash": "sha256-GFzPxJzTd1rPIVD4IW+GwJlyGwBDV1Tj5FLYwDQQ9sM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "035f8c0853c2977b24ffc4d0a42c74f00b182cd8", + "rev": "4e96537f163fad24ed9eb317798a79afc85b51b7", "type": "github" }, "original": { 
@@ -111,11 +210,11 @@ }, "nixpkgs-qbt": { "locked": { - "lastModified": 1728358927, - "narHash": "sha256-8SUsg/Nmn8aEURRdZwxKKNnz22zRMyNwNoP1+aWnhlg=", + "lastModified": 1738103934, + "narHash": "sha256-MhDdcDDdK2uscLU370r3V9PQcejx+2LVbMG8bjCXMb0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ed446194bbf78795e4ec2d004da093116c93653f", + "rev": "4f4706686c921ef202712a00da1c96f0100f6921", "type": "github" }, "original": { @@ -125,9 +224,53 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1730741070, + "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1731363552, + "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { "home-manager": "home-manager", + "lanzaboote": "lanzaboote", "nix-minecraft": "nix-minecraft", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", 
@@ -135,6 +278,27 @@ "vpn-confinement": "vpn-confinement" } }, + "rust-overlay": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1731897198, + "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828, diff --git a/flake.nix b/flake.nix index 166a722..8a93b37 100644 --- a/flake.nix +++ b/flake.nix @@ -4,6 +4,11 @@ inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11"; + lanzaboote = { + url = "github:nix-community/lanzaboote"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + nixos-hardware.url = "github:NixOS/nixos-hardware/master"; nix-minecraft = { @@ -29,6 +34,7 @@ vpn-confinement, nixpkgs-qbt, home-manager, + lanzaboote, ... }@inputs: let @@ -115,6 +121,8 @@ nixpkgs.overlays = [ nix-minecraft.overlay ]; } + lanzaboote.nixosModules.lanzaboote + home-manager.nixosModules.home-manager ( { diff --git a/secrets/minecraft-whitelist.nix b/secrets/minecraft-whitelist.nix index 92ba758f1a2d7aca653b849cd160347f3e833799..5c7462f66d9489a9513db9e49d5dad2fc36f1f76 100644 GIT binary patch literal 408 zcmZQ@_Y83kiVO&0SS&m_*o&!+yW)=76K9K;+Zu`(^LMpfdNP51`i76Ud!r_WluqO< zyxM(X!N&TnD>ksJRMh{CURNdYi)XKM>8CA~CjAQUgf*ufUAt|~sXASm51W>8e7ZJg zjlvxtceOT|Ysa}<)@(7C`txqVwuz6{sPI2fe6(Q6i(Z+|>qqsXkGtgmk~;nCn=I?* z*$HpVbX5*Gy6D;bw|lfb;J21eag480Tu1mnmDw}v6|UvpK9#D|WGEK3ZsYnQZH}%3 z>KfhWnR}zm8KQ01zGmw1s5&&gWJ=+xicF3QxiF8hA&$13ip|N@<^XF_W{pt4O O#@CPR?XN;jz5oD4(yIIb diff --git a/secrets/zfs-key b/secrets/zfs-key new file mode 100644 index 0000000000000000000000000000000000000000..35c226ca6a103c08dc5a1eac710b115d11661f17 GIT binary patch literal 54 zcmZQ@_Y83kiVO&0$dsAJ>AfhyekHr^{=JN%av`rGmeg&u&tICYD5!U1a&+s-gB;xs K=Gqx2Dg^-et`q(M literal 0 HcmV?d00001 
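Review bot: `url = "github:nix-community/lanzaboote";` tracks the repository's default branch, so although flake.lock pins rev `a65905a…` with a narHash today, a routine `nix flake update` will silently move the Secure Boot signing tooling to whatever HEAD holds at that moment. Because this input produces the code that signs the boot chain, pinning it to a release ref (`url = "github:nix-community/lanzaboote/<release-tag>";`) turns upgrades into a deliberate, reviewable change; I have not matched the locked rev to a tag, so pick it from the project's releases. The `inputs.nixpkgs.follows = "nixpkgs";` line is the right call and keeps a single nixpkgs in the closure.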
diff --git a/services/caddy.nix b/services/caddy.nix index be4c1df..0c89c18 100644 --- a/services/caddy.nix +++ b/services/caddy.nix @@ -78,7 +78,7 @@ in }; systemd.tmpfiles.rules = [ - "d ${service_configs.https.data_dir} g+rwx ${config.services.caddy.user} ${config.services.caddy.group}" + "d ${service_configs.https.data_dir} 770 ${config.services.caddy.user} ${config.services.caddy.group}" ]; systemd.packages = with pkgs; [ nssTools ]; diff --git a/services/gitea.nix b/services/gitea.nix index 0bd615d..8c14677 100644 --- a/services/gitea.nix +++ b/services/gitea.nix @@ -31,7 +31,7 @@ }; systemd.tmpfiles.rules = [ - "d ${config.services.gitea.stateDir} 0750 ${config.services.gitea.user} ${config.services.gitea.group}" + "d ${config.services.gitea.stateDir} 0770 ${config.services.gitea.user} ${config.services.gitea.group}" ]; services.postgresql = { diff --git a/services/immich.nix b/services/immich.nix index 3f51fba..98226ed 100644 --- a/services/immich.nix +++ b/services/immich.nix @@ -17,7 +17,7 @@ }; systemd.tmpfiles.rules = [ - "d ${config.services.immich.mediaLocation} 0750 ${config.services.immich.user} ${config.services.immich.group}" + "d ${config.services.immich.mediaLocation} 0770 ${config.services.immich.user} ${config.services.immich.group}" ]; environment.systemPackages = with pkgs; [ diff --git a/services/jellyfin.nix b/services/jellyfin.nix index 30bffb1..9db8244 100644 --- a/services/jellyfin.nix +++ b/services/jellyfin.nix 
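Review bot: The new rule writes the mode as `770` while every other tmpfiles rule in this commit uses the four-digit `0770`; systemd parses both as octal, but `"d ${service_configs.https.data_dir} 0770 ${config.services.caddy.user} ${config.services.caddy.group}"` keeps the file consistent and spares the next reader from wondering whether the leading zero was dropped on purpose. Replacing the symbolic `g+rwx` is the right fix, since tmpfiles.d only takes numeric modes as far as I know. If `data_dir` is Caddy's storage root — the directory holding ACME account keys and issued TLS private keys — group write now lets every member of the caddy group replace those keys, so confirm that is intended and keep that group's membership tight; what the directory holds is not visible in this diff.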
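Review bot: Widening `stateDir` from 0750 to 0770 grants write access over the whole Gitea state tree — the config with its secret key, internal token and database password (normally `custom/conf/app.ini` under stateDir) plus every repository — to any account in the gitea group, where 0750 already gave those accounts read access. If the goal is to let an admin user browse the data, group membership on 0750 is enough; if a user genuinely needs to write (e.g. dropping in repositories), grant that on the specific subdirectory rather than on `stateDir`. Note also that a `d` rule only sets the mode of the directory itself, not of files already below it, and the NixOS gitea module may manage the same path, so check `systemd-tmpfiles --cat-config` for a conflicting rule before relying on this one.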
@@ -23,8 +23,8 @@ }; systemd.tmpfiles.rules = [ - "d ${config.services.jellyfin.dataDir} 0750 ${config.services.jellyfin.user} ${config.services.jellyfin.group}" - "d ${config.services.jellyfin.cacheDir} 0750 ${config.services.jellyfin.user} ${config.services.jellyfin.group}" + "d ${config.services.jellyfin.dataDir} 0770 ${config.services.jellyfin.user} ${config.services.jellyfin.group}" + "d ${config.services.jellyfin.cacheDir} 0770 ${config.services.jellyfin.user} ${config.services.jellyfin.group}" ]; users.users.${config.services.jellyfin.user}.extraGroups = [ diff --git a/services/matrix.nix b/services/matrix.nix index 816f3d6..a00ede6 100644 --- a/services/matrix.nix +++ b/services/matrix.nix @@ -34,6 +34,6 @@ }; systemd.tmpfiles.rules = [ - "d /var/lib/private/matrix-conduit 0750 conduit conduit" + "d /var/lib/private/matrix-conduit 0770 conduit conduit" ]; } diff --git a/services/minecraft.nix b/services/minecraft.nix index 6acc0a1..469a17b 100644 --- a/services/minecraft.nix +++ b/services/minecraft.nix @@ -44,8 +44,8 @@ in with pkgs; builtins.attrValues { FabricApi = fetchurl { - url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/8FAH9fuR/fabric-api-0.114.2%2B1.21.4.jar"; - sha512 = "24ed904096a17f65ef2ee4b04e076df2df076bd7748c838573cf97f5b38d2353bf62fe202779fb0c8372a82fb1133e16ce1fba585e2ec5aa5a5164203e785072"; + url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/S6sAWXmr/fabric-api-0.115.0%2B1.21.4.jar"; + sha512 = "abb2b28e9b874adfc82c3c87ddf348e2e98adc5153aed7ae5bcaddf5b1d8bd98982a052ab91411b7fad3bbdffc5d788be60d22b9c95dd21e62b96ea49aa404ca"; }; FerriteCore = fetchurl { @@ -84,7 +84,7 @@ in }; systemd.tmpfiles.rules = [ - "d ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name} 0750 minecraft minecraft" + "d ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name} 0770 minecraft minecraft" ]; users.users.${username}.extraGroups = [ 
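Review bot: The 0770 on `/var/lib/private/matrix-conduit` buys nothing for the conduit group as long as the parent `/var/lib/private` stays root-only (it is created 0700 when systemd's DynamicUser manages it), because group members cannot traverse into it; and if the conduit unit uses `StateDirectory=`, systemd may re-apply its own `StateDirectoryMode` on start and overwrite this mode anyway. If the intent is to reach the database from an admin account, the supported route is the `/var/lib/matrix-conduit` symlink that DynamicUser maintains, with the mode set through the unit's `StateDirectoryMode` rather than a tmpfiles rule. I am inferring DynamicUser from the `/var/lib/private` path; the unit definition is outside this diff, so confirm before changing it.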
diff --git a/services/owntracks.nix b/services/owntracks.nix index 458f7b4..0019d7a 100644 --- a/services/owntracks.nix +++ b/services/owntracks.nix @@ -29,6 +29,6 @@ in }; systemd.tmpfiles.rules = [ - "d ${service_configs.owntracks.data_dir} 0750 owntracks owntracks" + "d ${service_configs.owntracks.data_dir} 0770 owntracks owntracks" ]; } diff --git a/services/qbittorrent.nix b/services/qbittorrent.nix index 57bc643..28f9900 100644 --- a/services/qbittorrent.nix +++ b/services/qbittorrent.nix @@ -3,6 +3,7 @@ config, service_configs, username, + lib, ... }: { 
@@ -53,24 +54,34 @@ Session = { GlobalUPSpeedLimit = 500; # in KiB/s GlobalDLSpeedLimit = 0; + IgnoreLimitsOnLAN = true; # Including overhead in limits ruins download because download # uses upload to communicate with seeders IncludeOverheadInLimits = false; - GlobalMaxRatio = 2; - QueueingSystemEnabled = false; # seed all torrents all the timei + GlobalMaxRatio = 3; + QueueingSystemEnabled = false; # seed all torrents all the time - # add a few trackers TODO! add a script so I can just do a list AddTrackersEnabled = true; - AdditionalTrackers = "udp://tracker.opentrackr.org:1337/announce\\nudp://open.stealth.si:80/announce\\nudp://open.demonii.com:1337\\nudp://exodus.desync.com:6969/announce"; + AdditionalTrackers = (lib.concatStrings ( + map (url: url + "\\n") [ + "udp://tracker.opentrackr.org:1337/announce" + "udp://open.stealth.si:80/announce" + "udp://open.demonii.com:1337" + "udp://exodus.desync.com:6969/announce" + "udp://tracker.dler.org:6969/announce" + "udp://tracker.bittor.pw:1337/announce" + "udp://tracker.torrent.eu.org:451/announce" + ] + )); }; }; }; systemd.tmpfiles.rules = [ - "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} 0755 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}" - "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0755 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}" + "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} 0770 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}" + "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0770 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}" ]; # make qbittorrent use a vpn