overhaul of qbt + tmpfiles

2025-01-28 21:29:13 -05:00 · 2025-01-28 21:29:13 -05:00 · 199b9f3d78
commit 199b9f3d78
parent 268910b783
14 changed files with 246 additions and 31 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -6,3 +6,4 @@ secrets/caddy_auth.nix filter=git-crypt diff=git-crypt
 secrets/matrix_reg_token.nix filter=git-crypt diff=git-crypt
 secrets/owntracks_caddy_auth.nix filter=git-crypt diff=git-crypt
 secrets/secureboot.tar filter=git-crypt diff=git-crypt
+secrets/zfs-key filter=git-crypt diff=git-crypt
--- a/configuration.nix
+++ b/configuration.nix
@ -32,6 +32,12 @@
    hybrid-sleep.enable = false;
  };

+  powerManagement = {
+    powertop.enable = true;
+    enable = true;
+    cpuFreqGovernor = "powersave";
+  };
+
  nix = {
    # optimize the store
    optimise.automatic = true;
@ -65,7 +71,6 @@

    loader = {
      # Use the systemd-boot EFI boot loader.
-      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;

      # 1s timeout
@ -76,10 +81,32 @@
      compressor = "zstd";
    };

-    # kernelModules = [
-    #   # kernel module for case fan control
-    #   "nct6775"
-    # ];
+    kernelModules = [
+      "msr"
+    ];
+
+    loader.systemd-boot.enable = lib.mkForce false;
+
+    lanzaboote = {
+      enable = true;
+      pkiBundle = "/var/lib/sbctl";
+    };
+  };
+
+  system.activationScripts = {
+    # extract all my secureboot keys
+    "secureboot-keys".text = ''
+      #!/bin/sh
+      rm -fr ${config.boot.lanzaboote.pkiBundle} || true
+      mkdir -p ${config.boot.lanzaboote.pkiBundle}
+      ${pkgs.gnutar}/bin/tar xf /etc/nixos/secrets/secureboot.tar -C ${config.boot.lanzaboote.pkiBundle}
+    '';
+
+    "zfs-encryption-keys".text = ''
+      #!/bin/sh
+      rm -fr /etc/zfs-key
+      cp /etc/nixos/secrets/zfs-key /etc/zfs-key
+    '';
  };

  environment.etc = {
@ -137,6 +164,8 @@

    wget

+    powertop
+
    (pkgs.writeScriptBin "mc-console" ''
      #!/bin/sh
      ${pkgs.tmux}/bin/tmux -S /run/minecraft/${service_configs.minecraft.server_name}.sock attach
@ -172,6 +201,8 @@

    pfetch-rs

+    sbctl
+
  ];

  services.zfs = {
--- a/flake.lock
+++ b/flake.lock
@ -1,6 +1,37 @@
 {
  "nodes": {
+    "crane": {
+      "locked": {
+        "lastModified": 1731098351,
+        "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_2": {
      "flake": false,
      "locked": {
        "lastModified": 1673956053,
@ -16,6 +47,27 @@
        "type": "github"
      }
    },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1730504689,
+        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
    "flake-utils": {
      "inputs": {
        "systems": "systems"
@ -34,6 +86,28 @@
        "type": "github"
      }
    },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "pre-commit-hooks-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@ -55,20 +129,45 @@
        "type": "github"
      }
    },
+    "lanzaboote": {
+      "inputs": {
+        "crane": "crane",
+        "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "pre-commit-hooks-nix": "pre-commit-hooks-nix",
+        "rust-overlay": "rust-overlay"
+      },
+      "locked": {
+        "lastModified": 1737639419,
+        "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=",
+        "owner": "nix-community",
+        "repo": "lanzaboote",
+        "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "lanzaboote",
+        "type": "github"
+      }
+    },
    "nix-minecraft": {
      "inputs": {
-        "flake-compat": "flake-compat",
+        "flake-compat": "flake-compat_2",
        "flake-utils": "flake-utils",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1737683037,
-        "narHash": "sha256-1J2Pf6ub2DkkoqRq2xEFrusJKR4XHnnFk0wyOPrV2PM=",
+        "lastModified": 1738028598,
+        "narHash": "sha256-0AjsOFj8Tyl1S8mEgr2MKCHIj0Y+/Gy275xas2kduqQ=",
        "owner": "Infinidoge",
        "repo": "nix-minecraft",
-        "rev": "f80c70946d3e27a466b8b9e65b24e36d571eac8b",
+        "rev": "381b2e789876208216b26725009826c80c99399f",
        "type": "github"
      },
      "original": {
@ -95,11 +194,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1737672001,
-        "narHash": "sha256-YnHJJ19wqmibLQdUeq9xzE6CjrMA568KN/lFPuSVs4I=",
+        "lastModified": 1737885640,
+        "narHash": "sha256-GFzPxJzTd1rPIVD4IW+GwJlyGwBDV1Tj5FLYwDQQ9sM=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "035f8c0853c2977b24ffc4d0a42c74f00b182cd8",
+        "rev": "4e96537f163fad24ed9eb317798a79afc85b51b7",
        "type": "github"
      },
      "original": {
@ -111,11 +210,11 @@
    },
    "nixpkgs-qbt": {
      "locked": {
-        "lastModified": 1728358927,
-        "narHash": "sha256-8SUsg/Nmn8aEURRdZwxKKNnz22zRMyNwNoP1+aWnhlg=",
+        "lastModified": 1738103934,
+        "narHash": "sha256-MhDdcDDdK2uscLU370r3V9PQcejx+2LVbMG8bjCXMb0=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "ed446194bbf78795e4ec2d004da093116c93653f",
+        "rev": "4f4706686c921ef202712a00da1c96f0100f6921",
        "type": "github"
      },
      "original": {
@ -125,9 +224,53 @@
        "type": "github"
      }
    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1730741070,
+        "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "pre-commit-hooks-nix": {
+      "inputs": {
+        "flake-compat": [
+          "lanzaboote",
+          "flake-compat"
+        ],
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1731363552,
+        "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
    "root": {
      "inputs": {
        "home-manager": "home-manager",
+        "lanzaboote": "lanzaboote",
        "nix-minecraft": "nix-minecraft",
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs",
@ -135,6 +278,27 @@
        "vpn-confinement": "vpn-confinement"
      }
    },
+    "rust-overlay": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1731897198,
+        "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
--- a/flake.nix
+++ b/flake.nix
@ -4,6 +4,11 @@
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";

+    lanzaboote = {
+      url = "github:nix-community/lanzaboote";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";

    nix-minecraft = {
@ -29,6 +34,7 @@
      vpn-confinement,
      nixpkgs-qbt,
      home-manager,
+      lanzaboote,
      ...
    }@inputs:
    let
@ -115,6 +121,8 @@
              nixpkgs.overlays = [ nix-minecraft.overlay ];
            }

+            lanzaboote.nixosModules.lanzaboote
+
            home-manager.nixosModules.home-manager
            (
              {
--- a/secrets/minecraft-whitelist.nix
+++ b/secrets/minecraft-whitelist.nix
--- a/secrets/zfs-key
+++ b/secrets/zfs-key
--- a/services/caddy.nix
+++ b/services/caddy.nix
@ -78,7 +78,7 @@ in
  };

  systemd.tmpfiles.rules = [
-    "d ${service_configs.https.data_dir} g+rwx ${config.services.caddy.user} ${config.services.caddy.group}"
+    "d ${service_configs.https.data_dir} 770 ${config.services.caddy.user} ${config.services.caddy.group}"
  ];

  systemd.packages = with pkgs; [ nssTools ];
--- a/services/gitea.nix
+++ b/services/gitea.nix
@ -31,7 +31,7 @@
  };

  systemd.tmpfiles.rules = [
-    "d ${config.services.gitea.stateDir} 0750 ${config.services.gitea.user} ${config.services.gitea.group}"
+    "d ${config.services.gitea.stateDir} 0770 ${config.services.gitea.user} ${config.services.gitea.group}"
  ];

  services.postgresql = {
--- a/services/immich.nix
+++ b/services/immich.nix
@ -17,7 +17,7 @@
  };

  systemd.tmpfiles.rules = [
-    "d ${config.services.immich.mediaLocation} 0750 ${config.services.immich.user} ${config.services.immich.group}"
+    "d ${config.services.immich.mediaLocation} 0770 ${config.services.immich.user} ${config.services.immich.group}"
  ];

  environment.systemPackages = with pkgs; [
--- a/services/jellyfin.nix
+++ b/services/jellyfin.nix
@ -23,8 +23,8 @@
  };

  systemd.tmpfiles.rules = [
-    "d ${config.services.jellyfin.dataDir} 0750 ${config.services.jellyfin.user} ${config.services.jellyfin.group}"
-    "d ${config.services.jellyfin.cacheDir} 0750 ${config.services.jellyfin.user} ${config.services.jellyfin.group}"
+    "d ${config.services.jellyfin.dataDir} 0770 ${config.services.jellyfin.user} ${config.services.jellyfin.group}"
+    "d ${config.services.jellyfin.cacheDir} 0770 ${config.services.jellyfin.user} ${config.services.jellyfin.group}"
  ];

  users.users.${config.services.jellyfin.user}.extraGroups = [
--- a/services/matrix.nix
+++ b/services/matrix.nix
@ -34,6 +34,6 @@
  };

  systemd.tmpfiles.rules = [
-    "d /var/lib/private/matrix-conduit 0750 conduit conduit"
+    "d /var/lib/private/matrix-conduit 0770 conduit conduit"
  ];
 }
--- a/services/minecraft.nix
+++ b/services/minecraft.nix
@ -44,8 +44,8 @@ in
          with pkgs;
          builtins.attrValues {
            FabricApi = fetchurl {
-              url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/8FAH9fuR/fabric-api-0.114.2%2B1.21.4.jar";
-              sha512 = "24ed904096a17f65ef2ee4b04e076df2df076bd7748c838573cf97f5b38d2353bf62fe202779fb0c8372a82fb1133e16ce1fba585e2ec5aa5a5164203e785072";
+              url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/S6sAWXmr/fabric-api-0.115.0%2B1.21.4.jar";
+              sha512 = "abb2b28e9b874adfc82c3c87ddf348e2e98adc5153aed7ae5bcaddf5b1d8bd98982a052ab91411b7fad3bbdffc5d788be60d22b9c95dd21e62b96ea49aa404ca";
            };

            FerriteCore = fetchurl {
@ -84,7 +84,7 @@ in
  };

  systemd.tmpfiles.rules = [
-    "d ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name} 0750 minecraft minecraft"
+    "d ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name} 0770 minecraft minecraft"
  ];

  users.users.${username}.extraGroups = [
--- a/services/owntracks.nix
+++ b/services/owntracks.nix
@ -29,6 +29,6 @@ in
  };

  systemd.tmpfiles.rules = [
-    "d ${service_configs.owntracks.data_dir} 0750 owntracks owntracks"
+    "d ${service_configs.owntracks.data_dir} 0770 owntracks owntracks"
  ];
 }
--- a/services/qbittorrent.nix
+++ b/services/qbittorrent.nix
@ -3,6 +3,7 @@
  config,
  service_configs,
  username,
+  lib,
  ...
 }:
 {
@ -53,24 +54,34 @@
      Session = {
        GlobalUPSpeedLimit = 500; # in KiB/s
        GlobalDLSpeedLimit = 0;
+        IgnoreLimitsOnLAN = true;

        # Including overhead in limits ruins download because download
        # uses upload to communicate with seeders
        IncludeOverheadInLimits = false;

-        GlobalMaxRatio = 2;
-        QueueingSystemEnabled = false; # seed all torrents all the timei
+        GlobalMaxRatio = 3;
+        QueueingSystemEnabled = false; # seed all torrents all the time

-        # add a few trackers TODO! add a script so I can just do a list
        AddTrackersEnabled = true;
-        AdditionalTrackers = "udp://tracker.opentrackr.org:1337/announce\\nudp://open.stealth.si:80/announce\\nudp://open.demonii.com:1337\\nudp://exodus.desync.com:6969/announce";
+        AdditionalTrackers = (lib.concatStrings (
+          map (url: url + "\\n") [
+            "udp://tracker.opentrackr.org:1337/announce"
+            "udp://open.stealth.si:80/announce"
+            "udp://open.demonii.com:1337"
+            "udp://exodus.desync.com:6969/announce"
+            "udp://tracker.dler.org:6969/announce"
+            "udp://tracker.bittor.pw:1337/announce"
+            "udp://tracker.torrent.eu.org:451/announce"
+          ]
+        ));
      };
    };
  };

  systemd.tmpfiles.rules = [
-    "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} 0755 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
-    "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0755 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
+    "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} 0770 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
+    "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0770 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
  ];

  # make qbittorrent use a vpn