RM local modules

Henry Hiles 2025-05-04 20:48:40 -04:00
parent 476016706d
commit 2b93b04dbe
Signed by: Henry-Hiles
SSH key fingerprint: SHA256:VKQUdS31Q90KvX7EkKMHMBpUspcmItAh86a+v7PGiIs
4 changed files with 43 additions and 260 deletions

84
flake.lock generated

@ -10,11 +10,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1736955230, "lastModified": 1745630506,
"narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=", "narHash": "sha256-bHCFgGeu8XjWlVuaWzi3QONjDW3coZDqSHvnd4l7xus=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c", "rev": "96e078c646b711aee04b82ba01aefbff87004ded",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -72,11 +72,11 @@
"fromYaml": "fromYaml" "fromYaml": "fromYaml"
}, },
"locked": { "locked": {
"lastModified": 1732200724, "lastModified": 1745523430,
"narHash": "sha256-+R1BH5wHhfnycySb7Sy5KbYEaTJZWm1h+LW1OtyhiTs=", "narHash": "sha256-EAYWV+kXbwsH+8G/8UtmcunDeKwLwSOyfcmzZUkWE/c=",
"owner": "SenchoPens", "owner": "SenchoPens",
"repo": "base16.nix", "repo": "base16.nix",
"rev": "153d52373b0fb2d343592871009a286ec8837aec", "rev": "58bfe2553d937d8af0564f79d5b950afbef69717",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -180,11 +180,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1700795494, "lastModified": 1744478979,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
"owner": "lnl7", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -236,11 +236,11 @@
"firefox-gnome-theme_2": { "firefox-gnome-theme_2": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1743774811, "lastModified": 1744642301,
"narHash": "sha256-oiHLDHXq7ymsMVYSg92dD1OLnKLQoU/Gf2F1GoONLCE=", "narHash": "sha256-5A6LL7T0lttn1vrKsNOKUk9V0ittdW0VEqh6AtefxJ4=",
"owner": "rafaelmardojai", "owner": "rafaelmardojai",
"repo": "firefox-gnome-theme", "repo": "firefox-gnome-theme",
"rev": "df53a7a31872faf5ca53dd0730038a62ec63ca9e", "rev": "59e3de00f01e5adb851d824cf7911bd90c31083a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -531,11 +531,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1703113217, "lastModified": 1745494811,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -551,11 +551,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1744833442, "lastModified": 1746369725,
"narHash": "sha256-BBMWW2m64Grcc5FlXz74+vdkUyCJOfUGnl+VcS/4x44=", "narHash": "sha256-m3ai7LLFYsymMK0uVywCceWfUhP0k3CALyFOfcJACqE=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "c6b75d69b6994ba68ec281bd36faebcc56097800", "rev": "1a1793f6d940d22c6e49753548c5b6cb7dc5545d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -572,11 +572,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1743869639, "lastModified": 1746369725,
"narHash": "sha256-Xhe3whfRW/Ay05z9m1EZ1/AkbV1yo0tm1CbgjtCi4rQ=", "narHash": "sha256-m3ai7LLFYsymMK0uVywCceWfUhP0k3CALyFOfcJACqE=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "d094c6763c6ddb860580e7d3b4201f8f496a6836", "rev": "1a1793f6d940d22c6e49753548c5b6cb7dc5545d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -689,11 +689,11 @@
}, },
"nixpkgs_4": { "nixpkgs_4": {
"locked": { "locked": {
"lastModified": 1744463964, "lastModified": 1746328495,
"narHash": "sha256-LWqduOgLHCFxiTNYi3Uj5Lgz0SR+Xhw3kr/3Xd0GPTM=", "narHash": "sha256-uKCfuDs7ZM3QpCE/jnfubTg459CnKnJG/LwqEVEdEiw=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "2631b0b7abcea6e640ce31cd78ea58910d31e650", "rev": "979daf34c8cacebcd917d540070b52a3c2b9b16e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -705,11 +705,11 @@
}, },
"nixpkgs_5": { "nixpkgs_5": {
"locked": { "locked": {
"lastModified": 1743583204, "lastModified": 1745930157,
"narHash": "sha256-F7n4+KOIfWrwoQjXrL2wD9RhFYLs2/GGe/MQY1sSdlE=", "narHash": "sha256-y3h3NLnzRSiUkYpnfvnS669zWZLoqqI6NprtLQ+5dck=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "2c8d3f48d33929642c1c12cd243df4cc7d2ce434", "rev": "46e634be05ce9dc6d4db8e664515ba10b78151ae",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -729,11 +729,11 @@
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix"
}, },
"locked": { "locked": {
"lastModified": 1743884191, "lastModified": 1746056780,
"narHash": "sha256-foVcginhVvjg8ZnTzY5wwMeZ4wjJ8yX66PW5kgyivPE=", "narHash": "sha256-/emueQGaoT4vu0QjU9LDOG5roxRSfdY0K2KkxuzazcM=",
"owner": "nix-community", "owner": "nix-community",
"repo": "NUR", "repo": "NUR",
"rev": "fde90f5f52e13eed110a0e53a2818a2b09e4d37c", "rev": "d476cd0972dd6242d76374fcc277e6735715c167",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -750,11 +750,11 @@
"utils": "utils" "utils": "utils"
}, },
"locked": { "locked": {
"lastModified": 1744830196, "lastModified": 1746393339,
"narHash": "sha256-za99eK3Xz6/NGPAWv4m5oVcRiklep+Xx70rYcj7sIcw=", "narHash": "sha256-7PXmCQfExrIOh8ISeruCWnmi3C1h/QjzfWyLA8FRRm8=",
"owner": "wamserma", "owner": "wamserma",
"repo": "flake-programs-sqlite", "repo": "flake-programs-sqlite",
"rev": "34d474ee18062e7c3b42dd3d79e62a7971ea4965", "rev": "d61db790e37ccdb961510746bbfdf615fd085c99",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -832,11 +832,11 @@
"tinted-zed": "tinted-zed" "tinted-zed": "tinted-zed"
}, },
"locked": { "locked": {
"lastModified": 1744668092, "lastModified": 1746395987,
"narHash": "sha256-XDmpI3ywMkypsHKRF2am6BzZ5OjwpQMulAe8L87Ek8U=", "narHash": "sha256-Na6MAPSWIWzxsgxwcxLhQ160ExvyyhCdC1JDcBA8vW8=",
"owner": "danth", "owner": "danth",
"repo": "stylix", "repo": "stylix",
"rev": "38aff11a7097f4da6b95d4c4d2c0438f25a08d52", "rev": "70f331c8e7da588e07e70cef15a114f9fcec3cee",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -942,11 +942,11 @@
"tinted-schemes": { "tinted-schemes": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1742851696, "lastModified": 1744974599,
"narHash": "sha256-sR4K+OVFKeUOvNIqcCr5Br7NLxOBEwoAgsIyjsZmb8s=", "narHash": "sha256-Fg+rdGs5FAgfkYNCs74lnl8vkQmiZVdBsziyPhVqrlY=",
"owner": "tinted-theming", "owner": "tinted-theming",
"repo": "schemes", "repo": "schemes",
"rev": "c37771c4ae8ff1667e27ddcf24991ebeb94a4e77", "rev": "28c26a621123ad4ebd5bbfb34ab39421c0144bdd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -958,11 +958,11 @@
"tinted-tmux": { "tinted-tmux": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1743296873, "lastModified": 1745111349,
"narHash": "sha256-8IQulrb1OBSxMwdKijO9fB70ON//V32dpK9Uioy7FzY=", "narHash": "sha256-udV+nHdpqgkJI9D0mtvvAzbqubt9jdifS/KhTTbJ45w=",
"owner": "tinted-theming", "owner": "tinted-theming",
"repo": "tinted-tmux", "repo": "tinted-tmux",
"rev": "af5152c8d7546dfb4ff6df94080bf5ff54f64e3a", "rev": "e009f18a01182b63559fb28f1c786eb027c3dee9",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -1,133 +0,0 @@
{
config,
lib,
pkgs,
utils,
...
}: let
cfg = config.services.livekit;
format = pkgs.formats.json {};
in {
meta.maintainers = with lib.maintainers; [quadradical];
options.services.livekit = {
enable = lib.mkEnableOption "Enable the livekit server";
package = lib.mkPackageOption pkgs "livekit" {};
keyFile = lib.mkOption {
type = lib.types.path;
description = ''
LiveKit key file, with syntax `APIkey: secret`.
The key and secret are used by other clients or services to connect to your Livekit instance.
'';
};
openFirewall = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Opens port range for LiveKit on the firewall.";
};
settings = lib.mkOption {
type = lib.types.submodule {
freeformType = format.type;
options = {
port = lib.mkOption {
type = lib.types.port;
default = 7880;
description = "Main TCP port for RoomService and RTC endpoint.";
};
rtc = {
port_range_start = lib.mkOption {
type = lib.types.int;
default = 50000;
description = "Start of UDP port range for WebRTC";
};
port_range_end = lib.mkOption {
type = lib.types.int;
default = 51000;
description = "End of UDP port range for WebRTC";
};
use_external_ip = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
When set to true, attempts to discover the host's public IP via STUN.
This is useful for cloud environments such as AWS & Google where hosts have an internal IP that maps to an external one
'';
};
};
};
};
default = {};
description = ''
LiveKit configuration file expressed in nix.
For an example configuration, see <https://docs.livekit.io/home/self-hosting/deployment/#configuration>.
For all possible values, see <https://github.com/livekit/livekit/blob/master/config-sample.yaml>.
'';
};
};
config = lib.mkIf cfg.enable {
networking.firewall = lib.mkIf cfg.openFirewall {
allowedTCPPorts = [
cfg.settings.port
];
allowedUDPPortRanges = [
{
from = cfg.settings.rtc.port_range_start;
to = cfg.settings.rtc.port_range_end;
}
];
};
systemd.services.livekit = {
description = "LiveKit SFU server";
documentation = ["https://docs.livekit.io"];
wantedBy = ["multi-user.target"];
wants = ["network-online.target"];
after = ["network-online.target"];
serviceConfig = {
DynamicUser = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateUsers = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
];
RestrictNamespaces = true;
RestrictRealtime = true;
ProtectHome = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
"~@resources"
];
LoadCredential = ["livekit-secrets:${cfg.keyFile}"];
ExecStart = utils.escapeSystemdExecArgs [
(lib.getExe cfg.package)
"--config=${format.generate "livekit.json" cfg.settings}"
"--key-file=/run/credentials/livekit.service/livekit-secrets"
];
Restart = "on-failure";
RestartSec = 5;
UMask = "077";
};
};
};
}


@ -1,85 +0,0 @@
{
config,
lib,
pkgs,
...
}: let
cfg = config.services.lk-jwt-service;
in {
meta.maintainers = [lib.maintainers.quadradical];
options.services.lk-jwt-service = {
enable = lib.mkEnableOption "Enable lk-jwt-service";
package = lib.mkPackageOption pkgs "lk-jwt-service" {};
livekitUrl = lib.mkOption {
type = lib.types.strMatching "^wss?://.*";
example = "wss://example.com/livekit/sfu";
description = ''
The public websocket URL for livekit.
The proto needs to be either `wss://` (recommended) or `ws://` (insecure).
'';
};
keyFile = lib.mkOption {
type = lib.types.path;
description = ''
Path to your LiveKit key file, with syntax `APIkey: secret`.
For more information, see <https://github.com/element-hq/lk-jwt-service#configuration>.
'';
};
port = lib.mkOption {
type = lib.types.port;
default = 8080;
description = "Port that lk-jwt-service should listen on.";
};
};
config = lib.mkIf cfg.enable {
systemd.services.lk-jwt-service = {
description = "Minimal service to issue LiveKit JWTs for MatrixRTC";
documentation = ["https://github.com/element-hq/lk-jwt-service"];
wantedBy = ["multi-user.target"];
wants = ["network-online.target"];
after = ["network-online.target"];
environment = {
LIVEKIT_URL = cfg.livekitUrl;
LIVEKIT_JWT_PORT = toString cfg.port;
LIVEKIT_KEY_FILE = "/run/credentials/lk-jwt-service.service/livekit-secrets";
};
serviceConfig = {
DynamicUser = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateUsers = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
RestrictRealtime = true;
ProtectHome = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
"~@resources"
];
LoadCredential = ["livekit-secrets:${cfg.keyFile}"];
ExecStart = lib.getExe cfg.package;
Restart = "on-failure";
RestartSec = 5;
UMask = "077";
};
};
};
}


@ -131,6 +131,7 @@
"jid1-MnnxcxisBPnSXQ@jetpack" # Privacy Badger "jid1-MnnxcxisBPnSXQ@jetpack" # Privacy Badger
"frankerfacez@frankerfacez.com" "frankerfacez@frankerfacez.com"
"7esoorv3@alefvanoon.anonaddy.me" # LibRedirect "7esoorv3@alefvanoon.anonaddy.me" # LibRedirect
"{cf3dba12-a848-4f68-8e2d-f9fadc0721de}" # Google Lighthouse
"{446900e4-71c2-419f-a6a7-df9c091e268b}" # Bitwarden "{446900e4-71c2-419f-a6a7-df9c091e268b}" # Bitwarden
"{4ce83447-8255-43c2-b8f7-e02eb8c2cc39}" # Draw on Page "{4ce83447-8255-43c2-b8f7-e02eb8c2cc39}" # Draw on Page
"{ac34afe8-3a2e-4201-b745-346c0cf6ec7d}" # Better Youtube Shorts "{ac34afe8-3a2e-4201-b745-346c0cf6ec7d}" # Better Youtube Shorts
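Review bot: The added entry `"{cf3dba12-a848-4f68-8e2d-f9fadc0721de}" # Google Lighthouse` is identified only by an opaque GUID, and the trailing comment is the sole evidence of which add-on it refers to; nothing in the hunk lets a reviewer confirm that mapping. Because the GUID, not the comment, decides what ends up in the browser, I would record the add-on's store listing in the comment, e.g. `# Google Lighthouse (AMO slug: <slug-placeholder>)`, so the ID can be checked against the listing at review time. The neighbouring `"frankerfacez@frankerfacez.com"` entry carries no comment at all and would benefit from the same treatment. The list starts and ends outside the hunk, so how these IDs are consumed, and whether add-on versions are pinned the way flake.lock pins the flake inputs, cannot be judged from here; if they are installed unpinned into the same profile as the Bitwarden entry, a short comment above the list stating that would help the next reviewer.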