many updates, yasssss

hosts/architect/default.nix

@@ -23,10 +23,9 @@ in {
     ./matrix.nix
     ./fail2ban.nix
     ./dns.nix
-     ./minecraft.nix
+    #./minecraft.nix
     ./prowlarr.nix
     ./plex.nix
-    ./transmission.nix
     ./githubrunner.nix
     ./libreddit.nix
     ./invidious.nix
@@ -36,6 +35,7 @@ in {
     ./navidrome.nix
     ./jellyfin.nix
     ./prosody.nix
+    ./deluge.nix
   ];
 
   time.timeZone = "Europe/Rome";
@@ -76,7 +76,10 @@ in {
     };
 
     loader = {
-      systemd-boot.enable = true;
+      systemd-boot ={
+        enable = true;
+        memtest86.enable = true;
+      };
       efi.canTouchEfiVariables = true;
     };
 
@@ -135,7 +138,6 @@ in {
     opengl.driSupport = true;
   };
 
-  boot.crashDump.enable = true;
   services.das_watchdog.enable = true;
 
   services = {

hosts/architect/deluge.nix

@@ -0,0 +1,52 @@
+{ lib, config, pkgs, ... }:
+
+let
+  domain = "htdel.giugl.io";
+  network = import ./network.nix;
+in {
+  services = {
+    deluge = {
+      enable = true;
+      group = "media";
+      declarative = true;
+      config = {
+        download_location = "/media/deluge";
+        max_upload_speed = 20;
+        # full-stream
+        enc_level = 1;
+        # forced
+        enc_in_policy = 0;
+        # forced
+        enc_out_policy = 0;
+        max_active_seeding = 100;
+        max_connections_global = 1000;
+        max_active_limit = 100;
+        max_active_downloading =  100;
+        listen_ports = [ 51413 51414 ];
+        random_port = false;
+        enabled_plugins = [ "Label" "Extractor" ];
+      };
+      web.enable = true;
+      authFile = "/secrets/deluge/auth";
+      extraPackages = [ pkgs.unrar ];
+    };
+
+    nginx.virtualHosts.${domain} = {
+      locations."/" = {
+        proxyPass = "http://localhost:8112";
+        extraConfig = ''
+          allow 10.0.0.0/24;
+          ${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
+          deny all;
+        '';
+      };
+    };
+  };
+
+  networking.extraHosts = ''
+    ${network.architect-lan} ${domain}
+    ${network.architect-wg} ${domain}
+  '';
+
+  users.groups.media.members = [ "deluge" ];
+}

hosts/architect/firewall.nix

@@ -9,23 +9,22 @@ let
     443 # https
     8448 # matrix
     10022 # gitea
-    30303
+    18080 # monero
     51413 # transmission
   ];
   open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [
     1194 # wireguard
-    30303
     51413 # transmission
   ];
   open_tcp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
     22
     80
     443
-    8848
     32400 # plex
   ];
   open_udp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
     53 # dns
+    1194 # vpn
   ];
 
 in {

hosts/architect/jellyfin.nix

@@ -10,6 +10,7 @@ in {
   services = {
     jellyfin = {
       enable = true;
+      group = "media";
       package = pkgs.unstable.jellyfin;
     };
 
@@ -35,4 +36,10 @@ in {
   users.groups.media.members = [ "jellyfin" ];
   users.groups.video.members = [ "jellyfin" ];
   users.groups.render.members = [ "jellyfin" ];
+
+  fileSystems."/tmp/jellyfin" = {
+    device = "none";
+    fsType = "tmpfs";
+    options = [ "defaults" "size=20G" "uid=jellyfin" ];
+  };
 }

hosts/architect/matrix.nix

@@ -18,14 +18,13 @@ in {
       #      enable_registration = true;
       app_service_config_files = [
         "/var/lib/matrix-synapse/discord-registration.yaml"
+#        "/var/lib/matrix-synapse/hookshot-registration.yml"
         #        "/var/lib/matrix-synapse/telegram-registration.yaml"
       ];
       extraConfig = ''
         auto_join_rooms:
-          - "#infra:matrix.giugl.io"
           - "#general:matrix.giugl.io"
-          - "#movies:matrix.giugl.io"
+        max_upload_size: "50M"
-        max_upload_size: "30M"
       '';
       listeners = [{
         port = 8008;
@@ -125,18 +124,12 @@ in {
         enableACME = true;
         forceSSL = true;
 
-       # root = pkgs.element-web.override {
+        root = pkgs.element-web.override {
-       #   conf = {
-       #     default_server_config."m.homeserver" = {
-       #       "base_url" = "https://${domain}";
-       #       "server_name" = "${domain}";
-       #     };
-       #   };
-       # };
-       root = pkgs.unstable.cinny.override {
           conf = {
-            homeserverList = [ "${domain}" ];
+            default_server_config."m.homeserver" = {
-            defaultHomeserver = 0;
+              "base_url" = "https://${domain}";
+              "server_name" = "${domain}";
+            };
           };
         };
       };
@@ -152,64 +145,63 @@ in {
         bridge = {
           domain = domain;
           homeserverUrl = "https://${domain}";
-          disablePresence = true;
         };
       };
     };
 
     # telegram bridge
 
-    mautrix-telegram = {
+    #   mautrix-telegram = {
-      enable = true;
+    #     enable = true;
-      environmentFile = /secrets/mautrix-telegram/mautrix-telegram.env;
+    #     environmentFile = /secrets/mautrix-telegram/mautrix-telegram.env;
 
-      settings = {
+    #     settings = {
-        homeserver = {
+    #       homeserver = {
-          address = "https://${domain}";
+    #         address = "https://${domain}";
-          domain = "${domain}";
+    #         domain = "${domain}";
-        };
+    #       };
 
-        appservice = {
+    #       appservice = {
-          provisioning.enabled = false;
+    #         provisioning.enabled = false;
-          id = "telegram";
+    #         id = "telegram";
-        };
+    #       };
 
-        bridge = {
+    #       bridge = {
-          permissions = {
+    #         permissions = {
-            "@pepe:${domain}" = "admin";
+    #           "@pepe:${domain}" = "admin";
-            "${domain}" = "puppeting";
+    #           "${domain}" = "puppeting";
-          };
+    #         };
 
-          # Animated stickers conversion requires additional packages in the
+    #         # Animated stickers conversion requires additional packages in the
-          # service's path.
+    #         # service's path.
-          # If this isn't a fresh installation, clearing the bridge's uploaded
+    #         # If this isn't a fresh installation, clearing the bridge's uploaded
-          # file cache might be necessary (make a database backup first!):
+    #         # file cache might be necessary (make a database backup first!):
-          # delete from telegram_file where \
+    #         # delete from telegram_file where \
-          #   mime_type in ('application/gzip', 'application/octet-stream')
+    #         #   mime_type in ('application/gzip', 'application/octet-stream')
-          animated_sticker = {
+    #         animated_sticker = {
-            target = "gif";
+    #           target = "gif";
-            args = {
+    #           args = {
-              width = 256;
+    #             width = 256;
-              height = 256;
+    #             height = 256;
-              fps = 30; # only for webm
+    #             fps = 30; # only for webm
-              background = "020202"; # only for gif, transparency not supported
+    #             background = "020202"; # only for gif, transparency not supported
-            };
+    #           };
-          };
+    #         };
 
-          encryption = {
+    #         encryption = {
-            allow = true;
+    #           allow = true;
-            default = true;
+    #           default = true;
-          };
+    #         };
-        };
+    #       };
-      };
+    #     };
-    };
+    #   };
 
   };
 
-  systemd.services.mautrix-telegram.path = with pkgs; [
+  # systemd.services.mautrix-telegram.path = with pkgs; [
-    lottieconverter # for animated stickers conversion, unfree package
+  #   lottieconverter # for animated stickers conversion, unfree package
-    ffmpeg # if converting animated stickers to webm (very slow!)
+  #   ffmpeg # if converting animated stickers to webm (very slow!)
-  ];
+  # ];
 
   networking.extraHosts = ''
     ${network.architect-lan} ${domain} ${webui_domain}

hosts/architect/modules/jellyfin.nix

@@ -50,8 +50,8 @@ in {
       serviceConfig = rec {
         User = cfg.user;
         Group = cfg.group;
-        # Allows access to drm devices for transcoding with hardware acceleration
+#        # Allows access to drm devices for transcoding with hardware acceleration
-        SupplementaryGroups = [ "video" ];
+#        SupplementaryGroups = [ "video" ];
         StateDirectory = "jellyfin";
         CacheDirectory = "jellyfin";
         ExecStart =
@@ -65,7 +65,7 @@ in {
         AmbientCapabilities = "";
         CapabilityBoundingSet = "";
 
-        # ProtectClock= adds DeviceAllow=char-rtc r
+       # # ProtectClock= adds DeviceAllow=char-rtc r
        # DeviceAllow = [
        #   "char-drm r"
        #   "/dev/nvidia0 r"
@@ -73,33 +73,39 @@ in {
        #   "/dev/nvidia-uvm r"
        #   "/dev/nvidia-uvm-tools r"
        # ];
+        DeviceAllow = "";
+        LockPersonality = true;
 
-        #        LockPersonality = true;
-        #
         PrivateTmp = true;
-        #        PrivateUsers = true;
+        PrivateUsers = true;
-        #
+
 #        ProtectClock = true;
-        #        ProtectControlGroups = true;
+        ProtectControlGroups = true;
-        #        ProtectHostname = true;
+        ProtectHostname = true;
-        #        ProtectKernelLogs = true;
+        ProtectKernelLogs = true;
-        #        ProtectKernelModules = true;
+        ProtectKernelModules = true;
-        #        ProtectKernelTunables = true;
+        ProtectKernelTunables = true;
-        #
+
-        #        RemoveIPC = true;
+        RemoveIPC = true;
-        #
+
-        #        RestrictNamespaces = true;
+        RestrictNamespaces = true;
        # # AF_NETLINK needed because Jellyfin monitors the network connection
-        #        RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" ];
+        RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" "AF_UNIX" ];
-        #        RestrictRealtime = true;
+        RestrictRealtime = true;
-        #        RestrictSUIDSGID = true;
+        RestrictSUIDSGID = true;
-        #
+
-        #        SystemCallArchitectures = "native";
+        SystemCallArchitectures = "native";
-        #        SystemCallErrorNumber = "EPERM";
+        SystemCallErrorNumber = "EPERM";
-        #        SystemCallFilter = [
+        SystemCallFilter = [
-        #          "@system-service"
+          "@system-service"
-        #          "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid"
+          "~@cpu-emulation"
-        #        ];
+          "~@debug"
+          "~@keyring"
+          "~@memlock"
+          "~@obsolete"
+          "~@privileged"
+          "~@setuid"
+        ];
       };
     };
 

hosts/architect/network.nix

@@ -45,6 +45,8 @@ rec {
   frznn-wg = "10.3.0.29";
   ludo-wg = "10.3.0.30";
   parina-wg = "10.3.0.31";
+  nilo-wg = "10.3.0.32";
+  parina-ipad-wg = "10.3.0.33";
   eleonora-wg = "10.3.0.100";
   angellane-wg = "10.3.0.200";
   hotpottino-wg = "10.3.0.201";
@@ -56,7 +58,7 @@ rec {
     [ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg wolfsonhouse-wg ];
   routers-wg = [ hotpottino-wg angellane-wg dodino-wg wolfsonhouse-wg ];
   c2c-wg = [ ] ++ gdevices-wg;
-  towan-wg = [ shield-wg parisaphone-wg parisapc-wg parina-wg ] ++ gdevices-wg
+  towan-wg = [ shield-wg parisaphone-wg parisapc-wg parina-wg parina-ipad-wg ] ++ gdevices-wg
     ++ routers-wg;
   gamenet-wg = [
     andrew-wg

hosts/architect/nitter.nix

@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ lib, pkgs, ... }:
 
 let
   domain = "tweet.giugl.io";
@@ -10,6 +10,7 @@ in {
       server = {
         port = 9093;
         hostname = domain;
+        staticDir = "${pkgs.unstable.nitter}/share/nitter/public";
       };
       preferences = {
         replaceYouTube = "tube.giugl.io";

hosts/architect/prosody.nix

@@ -23,8 +23,8 @@ in {
       uploadHttp = { domain = upload_domain; };
 
       admins = [ "giulio@${domain}" ];
-      httpInterfaces = [ "wg0" ];
+      #httpInterfaces = [ "wg0" ];
-      httpsInterfaces = [ "wg0" ];
+      #httpsInterfaces = [ "wg0" ];
     };
   };
 

hosts/architect/wireguard.nix

@@ -32,6 +32,8 @@ with import ./network.nix; {
       ${frznn-wg}           frznn.devs.giugl.io
       ${ludo-wg}            ludo.devs.giugl.io
       ${parina-wg}          parina.devs.giugl.io
+      ${parina-ipad-wg}     parinaipad.devs.giugl.io
+      ${nilo-wg}            nilo.devs.giugl.io
     '';
 
     wireguard = {
@@ -249,6 +251,18 @@ with import ./network.nix; {
             allowedIPs = [ parina-wg ];
             publicKey = "7nubNnfGsg4/7KemMDn9r99mNK8RFU9uOFFqaYv6rUA=";
           }
+
+          {
+            # nilo
+            allowedIPs = [ nilo-wg ];
+            publicKey = "lhTEDJ9WnizvEHTd5kN21fTHF27HNk+fPLQnB1B3LW0=";
+          }
+
+          {
+            # parina ipad
+            allowedIPs = [ parina-ipad-wg ];
+            publicKey = "ezkCzl2qC7Hd7rFKfqMa0JXDKRhVqy79H52rA06x7mU=";
+          }
         ];
       };
     };

roles/home/common.nix

@@ -202,7 +202,7 @@
       vim-vsnip
       nvim-cmp
       cmp-nvim-lsp
-      (nvim-treesitter.withPlugins (_: pkgs.tree-sitter.allGrammars))
+      (nvim-treesitter.withPlugins (_: unstable.tree-sitter.allGrammars))
       nvim-treesitter-textobjects
     ];
   };