adjust brightness, disable touchpad sometimes

README.md

@@ -1,3 +1,5 @@
+see TODO.md for my aspirations
+
 ## usage
 
 ### install

TODO.md

@@ -0,0 +1,20 @@
+- add other remote
+- fully automate remote provisioning (remote keys)
+- fix ipv6 on remotes
+- modularize home manager
+- add services?
+    - 0x0
+    - forgejo
+    - matrix homeserver
+    - matrix webclient
+    - radicale
+    - tor relay
+    - wireguard as vpn
+- add home functionality
+    - better term emulator
+    - switch browser?
+        - chromium: much better sandboxing
+        - ladybird: be an early tester, contribute
+        - glide: sexier tridactyl implementation
+        - browsh: the GOAT
+    - get mouse out of here

machines.nix

@@ -30,6 +30,9 @@
 
       # apps
       ./modules/nixos/steam.nix
+
+      # substitutors
+      ./substitutors.nix
     ];
   };
   "109-199-104-83" = {
@@ -69,6 +72,13 @@
       # webmail.domain
       ./modules/nixos/roundcube.nix
 
+      # matrix homeserver
+      # matrix.domain
+      # ./modules/nixos/matrix-conduit.nix
+
+      # matrix homeserver
+      ./modules/nixos/matrix-synapse.nix
+
       # BROKEN
       # forgejo
       # git.domain

modules/nixos/matrix-conduit.nix

@@ -0,0 +1,82 @@
+{
+  config,
+  pkgs,
+  ...
+}: let
+  well_known_server = pkgs.writeText "well-known-matrix-server" ''
+    {
+      "m.server": "matrix.${config.services.matrix-conduit.settings.global.server_name}"
+    }
+  '';
+  well_known_client = pkgs.writeText "well-known-matrix-client" ''
+    {
+      "m.homeserver": {
+        "base_url": "https://matrix.${config.services.matrix-conduit.settings.global.server_name}"
+      }
+  '';
+in {
+  services.matrix-conduit = {
+    enable = true;
+    settings.global = {
+      server_name = "${config.networking.domain}";
+    };
+  };
+  services.nginx = {
+    enable = true;
+    virtualHosts = {
+      "matrix.${config.services.matrix-conduit.settings.global.server_name}" = {
+        forceSSL = true;
+        enableACME = true;
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 443;
+            ssl = true;
+          }
+          {
+            addr = "0.0.0.0";
+            port = 8448;
+            ssl = true;
+          }
+        ];
+        locations."/_matrix/" = {
+          proxyPass = "http://backend_conduit$request_uri";
+          proxyWebsockets = true;
+          extraConfig = ''
+            proxy_set_header Host $host;
+            proxy_buffering off;
+          '';
+        };
+        extraConfig = ''
+          merge_slashes off;
+        '';
+      };
+      "${config.services.matrix-conduit.settings.global.server_name}" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/.well-known/matrix/server/" = {
+          alias = "${well_known_server}";
+          extraConfig = ''
+            default_type application/json;
+          '';
+        };
+        locations."/.well-known/matrix/client/" = {
+          alias = "${well_known_client}";
+          extraConfig = ''
+            default_type application/json;
+            add_header Access-Control-Allow-Origin "";
+          '';
+        };
+      };
+    };
+    upstreams = {
+      backend-conduit = {
+        servers = {
+          "localhost:${builtins.toString config.services.matrix-conduit.settings.global.port}" = {};
+        };
+      };
+    };
+  };
+  networking.firewall.allowedTCPPorts = [8448];
+  networking.firewall.allowedUDPPorts = [8448];
+}

modules/nixos/matrix-synapse.nix

@@ -0,0 +1,65 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}: let
+  fqdn = "${config.networking.hostName}.${config.networking.domain}";
+  baseUrl = "https://${fqdn}";
+  clientConfig."m.homeserver".base_url = baseUrl;
+  serverConfig."m.server" = "${fqdn}:443";
+  mkWellKnown = data: ''
+    default_type application/json;
+    add_header Access-Control-Allow-Origin *;
+    return 200 '${builtins.toJSON data}';
+  '';
+in {
+  services.postgresql.enable = true;
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+    virtualHosts = {
+      "${config.networking.domain}" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+        locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+      };
+      "${fqdn}" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/".extraConfig = ''
+          return 404;
+        '';
+        locations."/_matrix".proxyPass = "http://[::1]:8008";
+        locations."/_synapse/client".proxyPass = "http://[::1]:8008";
+      };
+    };
+  };
+  services.matrix-synapse = {
+    enable = true;
+    settings.server_name = config.networking.domain;
+    settings.public_baseurl = baseUrl;
+    settings.listeners = [
+      {
+        port = 8008;
+        bind_addresses = ["::1"];
+        type = "http";
+        tls = false;
+        x_forwarded = true;
+        resources = [
+          {
+            names = [
+              "client"
+              "federation"
+            ];
+            compress = true;
+          }
+        ];
+      }
+    ];
+  };
+}

modules/nixos/openvpn-client.nix

@@ -1,8 +1,11 @@
-{lib, ...}: {
+{
   services.openvpn.servers = {
     "173.249.5.230" = {config = ''config /etc/openvpn-confs/173.249.5.230.ovpn'';};
   };
-  networking.enableIPv6 = lib.mkForce false;
   environment.persistence."/persist".directories = ["/etc/openvpn-confs"];
-  boot.kernelParams = ["ipv6.disable=1"];
+
+  # turns out disabling ipv6 is a bad idea; I'm just going to enable v6 on the remote xD
+  #  networking.enableIPv6 = lib.mkForce false;
+  # workaround; NetworkManager reenables ipv6 without the following
+  #  boot.kernelParams = ["ipv6.disable=1"];
 }

pub-keys.nix

@@ -1,6 +1,7 @@
 {
   age.secrets = {
     andromeda-pw.file = ./secrets/andromeda-pw.age;
+    conduit-secretFile.file = ./secrets/conduit-secretFile.age;
     "dkim-galaxious.de.mail.key".file = ./secrets/dkim-galaxious.de.mail.key.age;
     mtgmonkey-pw.file = ./secrets/mtgmonkey-pw.age;
     mailserver-acc-test-pw.file = ./secrets/mailserver-acc-test-pw.age;

secrets/conduit-secretFile.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 mT2fyg x0n1JToeD7bRsDYJpv0HFzQYB9YxxiSqt+dG6elG1Eg
+vspLec9Vm6fvJnlDGjzezThc1qeIYyWncBxYwsE/6rg
+-> ssh-ed25519 UHxfvA nOlZo53SINXJs8tt/vdoiGjMnIW/lYZVdI8TJfAFqxE
+XlxvrHDFlm8c7odfNbBw0/QeYuCj5e4VValql5JNNgg
+-> ssh-ed25519 yXDKAA Rf+obXBUKxOcMqrb6rlOSfZGyjkj1PnRvHUSDToj6Tw
+XV/3FmC48Wcg9r3C5soRKBwOcBgat2ueAa8pU1MUYLE
+--- l/eEq13iyiddR9Rgf47Mv8JxPfjINwCnU4pd3KyxMVQ
+^P%<25>Ϧ<EFBFBD><CFA6>}<7D><>M<EFBFBD><4D><EFBFBD>&ߢه<DFA2>Q<>?d^<04>Y<EFBFBD>	<09>~<7E>Tu<54><75><EFBFBD>o<EFBFBD>f<EFBFBD><66><EFBFBD>7<>n<1D>'!'͓<><10><><EFBFBD>]d͇0>v<>ǟ<EFBFBD><12>.<2E><>E]<1D><>ԇ|<7C>>d<><64>*wDɏ<44><1A><><EFBFBD><EFBFBD><0E><>)cH<63><48><EFBFBD>@W<>v*<2A>Wk<57><6B><EFBFBD>N<EFBFBD><4E>R<EFBFBD>F	I@<40><>;9=u<><75><EFBFBD><EFBFBD><7F><EFBFBD><EFBFBD>τ<EFBFBD>,
<01><><EFBFBD>)<29>>b<><03>:O<>J<EFBFBD>=<3D>W

secrets/secrets.nix

@@ -8,6 +8,11 @@ in {
   "andromeda-pw.age".publicKeys = [andromeda lenovo];
   "mtgmonkey-pw.age".publicKeys = [andromeda lenovo];
 
+  # contains the following env
+  # CONDUIT_JWT_SECRET
+  # CONDUIT_TURN_SECRET
+  "conduit-secretFile.age".publicKeys = [andromeda lenovo _109-199-104-83];
+
   # dkim private keys
   "dkim-galaxious.de.mail.key.age".publicKeys = [andromeda lenovo _109-199-104-83];
 

substitutors.nix

@@ -0,0 +1,8 @@
+{
+  # spectrum
+  nix.settings.substituters = ["https://cache.dataaturservice.se/spectrum/"];
+  nix.settings.trusted-public-keys = [
+    "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+    "spectrum-os.org-2:foQk3r7t2VpRx92CaXb5ROyy/NBdRJQG2uX2XJMYZfU="
+  ];
+}

users/andromeda/home.nix

@@ -101,7 +101,7 @@ in {
           pkgs.nur.repos.rycee.firefox-addons.tridactyl
         ];
         search = {
-          default = "repos";
+          default = "ddghtml";
           privateDefault = "ddghtml";
           order = [
             "wiki"
@@ -159,16 +159,6 @@ in {
                 }
               ];
             };
-
-            "repos" = {
-              template = "https://html.duckduckgo.com/html/";
-              params = [
-                {
-                  name = "q";
-                  value = "{searchTerms}+(site:*.gitlab.org OR site:github.com OR site:git.mtgmonkey.net OR site:sr.ht)";
-                }
-              ];
-            };
           };
         };
         settings = {

users/andromeda/sway_config

@@ -55,6 +55,12 @@ bindsym $mod+Shift+8 move container to workspace number 8
 bindsym $mod+Shift+9 move container to workspace number 9
 bindsym $mod+Shift+0 move container to workspace number 0
 
+seat * hide_cursor 100
+input type:touchpad events disabled
+
+bindsym $mod+r exec 'swaymsg "seat * hide_cursor 100"; swaymsg "input type:touchpad events disabled"'
+bindsym $mod+t exec 'swaymsg "seat * hide_cursor 0"; swaymsg "input type:touchpad events enabled"'
+
 bindsym $mod+f fullscreen
 bindsym $mod+Shift+space floating toggle
 bindsym $mod+Shift+minus move scratchpad
@@ -64,8 +70,8 @@ bindsym --locked XF86AudioMute exec pactl set-sink-mute \@DEFAULT_SINK@ toggle
 bindsym --locked XF86AudioLowerVolume exec pactl set-sink-volume \@DEFAULT_SINK@ -5%
 bindsym --locked XF86AudioRaiseVolume exec pactl set-sink-volume \@DEFAULT_SINK@ +5%
 bindsym --locked XF86AudioMicMute exec pact set-source-mute \@DEFAULT_SOURCE@ toggle
-bindsym --locked XF86MonBrightnessDown exec brightnessctl set 5%-
+bindsym --locked XF86MonBrightnessDown exec brightnessctl set 2%-
-bindsym --locked XF86MonbrightnessUp exec brightnessctl set 5%+
+bindsym --locked XF86MonbrightnessUp exec brightnessctl set 2%+
 
 default_border none
 font pango:monospace 0.001