zenix: resolve warnings

2025-12-20 15:32:47 +00:00 · 2025-12-20 15:32:47 +00:00 · 981cfea419
commit 981cfea419
parent ba4d4bba1b 8a4b37e7ed
26 changed files with 237 additions and 224 deletions
--- a/nixos/modules/work.nix
+++ b/nixos/modules/work.nix
@ -11,11 +11,10 @@ in {
    "vscode"
    "steam-run"
    "postman"
-    "drawio" # the creator had a hissyfit over a negative review: https://github.com/jgraph/drawio/discussions/4623
+    "drawio"
  ];

  nixpkgs.config.permittedInsecurePackages = [
-    "openssl-1.1.1w" # required for mongodb
    "electron-27.3.11"
  ];

@ -30,8 +29,6 @@ in {

  nixpkgs.overlays = [(import ../../lib/cypress.nix)];

-  services.onedrive.enable = true;
-
  users.users.${user}.extraGroups = ["docker"];
  virtualisation.docker = {
    enable = true;
--- a/nixos/services/authentik.nix
+++ b/nixos/services/authentik.nix
@ -10,7 +10,7 @@
  };
  authentik-config = {
    autoStart = true;
-    image = "ghcr.io/goauthentik/server:2025.6.3";
+    image = "ghcr.io/goauthentik/server:2025.8.4";
    volumes = ["/home/tristan/pods/authentik/media:/media"];
    environment = {
      AUTHENTIK_POSTGRESQL__USER = postgres.user;
--- a/nixos/services/grafana.nix
+++ b/nixos/services/grafana.nix
@ -1,15 +1,27 @@
-{config, lib, pkgs, ...}: let
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
  cfg = config.services.grafana;
  secrets = config.sops.secrets;
-  mkDashboards = dashboards: pkgs.symlinkJoin {
-    name = "dashboards";
-    paths = map mkDashboard dashboards;
-  };
-  mkDashboard = {name, url, sha256, patch ? lib.id}: pkgs.writeTextFile {
-    inherit name;
-    text = patch (builtins.readFile ( builtins.fetchurl {inherit url sha256;} ));
-    destination = "/dash/${name}.json";
-  };
+  mkDashboards = dashboards:
+    pkgs.symlinkJoin {
+      name = "dashboards";
+      paths = map mkDashboard dashboards;
+    };
+  mkDashboard = {
+    name,
+    url,
+    sha256,
+    patch ? lib.id,
+  }:
+    pkgs.writeTextFile {
+      inherit name;
+      text = patch (builtins.readFile (builtins.fetchurl {inherit url sha256;}));
+      destination = "/dash/${name}.json";
+    };
 in {
  sops.secrets."grafana/oidc_client_secret" = {
    owner = "grafana";
@ -34,24 +46,26 @@ in {
        role_attribute_path = "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'";
      };
    };
-    provision.dashboards.settings.providers = [{
-      name = "Node Exporter";
-      type = "file";
-      options.path = mkDashboards [
+    provision.dashboards.settings.providers = [
      {
-        name = "node-exporter";
-        url = "https://grafana.com/api/dashboards/1860/revisions/37/download";
-        sha256 = "sha256:0qza4j8lywrj08bqbww52dgh2p2b9rkhq5p313g72i57lrlkacfl";
-        # https://github.com/rfmoz/grafana-dashboards/issues/169
-        patch = builtins.replaceStrings ["$__rate_interval"] ["$__range"];
+        name = "Node Exporter";
+        type = "file";
+        options.path = mkDashboards [
+          {
+            name = "node-exporter";
+            url = "https://grafana.com/api/dashboards/1860/revisions/37/download";
+            sha256 = "sha256:0qza4j8lywrj08bqbww52dgh2p2b9rkhq5p313g72i57lrlkacfl";
+            # https://github.com/rfmoz/grafana-dashboards/issues/169
+            patch = builtins.replaceStrings ["$__rate_interval"] ["$__range"];
+          }
+          {
+            name = "synapse";
+            url = "https://raw.githubusercontent.com/element-hq/synapse/refs/heads/master/contrib/grafana/synapse.json";
+            sha256 = "sha256:0yzj1i4zbjy9cms75ip6ad8qyjgv9kka42gxsbzyzr2syznsmqw0";
+          }
+        ];
      }
-      {
-        name = "synapse";
-        url = "https://raw.githubusercontent.com/element-hq/synapse/refs/heads/master/contrib/grafana/synapse.json";
-        sha256 = "sha256:16fl81sx1by0wldw4vda0zr1pvbq1dpih1fikzwlvmk63mpc80kb";
-      }
-      ];
-    }];
+    ];
  };
  services.nginx.virtualHosts = {
    ${cfg.settings.server.domain} = {
--- a/nixos/services/jellyfin.nix
+++ b/nixos/services/jellyfin.nix
@ -1,10 +1,11 @@
-{
+{pkgs, ...}: {
  users.groups.media = {};
  services.jellyfin = {
    enable = true;
    group = "media"; # access to user stuff
    openFirewall = true;
  };
+  environment.variables.JELLYFIN_FFMPEG = "${pkgs.jellyfin-ffmpeg}/bin/ffmpeg";
  services.nginx.virtualHosts."movies.tristans.cloud" = {
    forceSSL = true;
    enableACME = true;
--- a/nixos/services/mautrix/signal.nix
+++ b/nixos/services/mautrix/signal.nix
@ -1,10 +1,13 @@
-{config, lib, ...}: let
+{
+  config,
+  lib,
+  ...
+}: let
  inherit (import ./lib.nix) toAppRegistration;
  inherit (config.sops) templates placeholder;
 in {
-
  virtualisation.oci-containers.containers.mautrix-signal = {
-    image = "dock.mau.dev/mautrix/signal:v0.8.3";
+    image = "dock.mau.dev/mautrix/signal:v25.10";
    dependsOn = ["mautrix-signal-psql"];
    volumes = [
      "/home/tristan/pods/signal-bridge/mautrix-signal:/data:z"
@ -15,16 +18,15 @@ in {
    ];
  };

-# when you get around to backing this up
-# 1. stop the server.
-# 2. backup the db.
-# 3. migrate to newer version of postgres
-# 4. migrate db to local
+  # when you get around to backing this up
+  # 1. stop the server.
+  # 2. backup the db.
+  # 3. migrate to newer version of postgres
+  # 4. migrate db to local
  virtualisation.oci-containers.containers.mautrix-signal-psql = {
    image = "docker.io/postgres:14-alpine";
-    # ports = [ "127.0.0.1:5435:5432" ];
-    ports = [ "5435:5432" ];
-    volumes = [ "/home/tristan/pods/signal-bridge/db:/var/lib/postgresql/data" ];
+    ports = ["5435:5432"];
+    volumes = ["/home/tristan/pods/signal-bridge/db:/var/lib/postgresql/data"];
    environmentFiles = [templates."mautrix-signal/psql.env".path];
  };
  sops.templates = {
@ -58,5 +60,4 @@ in {
  services.matrix-synapse.settings.app_service_config_files = [
    templates."mautrix-signal/appservice.yaml".path
  ];
-
 }
--- a/nixos/services/mautrix/whatsapp.nix
+++ b/nixos/services/mautrix/whatsapp.nix
@ -1,5 +1,4 @@
-{config, ...}:
-{
+{config, ...}: {
  nixpkgs.config.permittedInsecurePackages = [
    "olm-3.2.16"
  ];
@ -7,9 +6,9 @@
    enable = true;
    registerToSynapse = true;
    settings = {
-      appservice.database = {
-        type = "sqlite3";
-        uri = "/var/lib/mautrix-whatsapp/mautrix-whatsapp.db";
+      database = {
+        type = "sqlite3-fk-wal";
+        uri = "file:/var/lib/mautrix-whatsapp/mautrix-whatsapp.db?_txlock=immediate";
      };
      homeserver = {
        address = "http://localhost:8008";
@ -20,12 +19,13 @@
          "tristans.cloud" = "user";
          "@tristan:tristans.cloud" = "admin";
        };
-        encryption = {
-          allow = true;
-          appservice = false;
-        };
        personal_filtering_spaces = true;
      };
+      encryption = {
+        allow = true;
+        appservice = false;
+        pickle_key = "maunium.net/go/mautrix-whatsapp";
+      };
    };
  };
 }
--- a/nixos/services/monero.nix
+++ b/nixos/services/monero.nix
@ -8,9 +8,13 @@
    extraConfig = ''
      prune-blockchain=1
      confirm-external-bind=1
-      out-peers=64              # This will enable much faster sync and tx awareness; the default 8 is suboptimal nowadays
-      in-peers=1024             # The default is unlimited; we prefer to put a cap on this
+      out-peers=8
+      in-peers=16
      zmq-pub=tcp://localhost:18083
+      add-priority-node=p2pmd.xmrvsbeast.com:18080
+      add-priority-node=nodes.hashvault.pro:18080
+      enable-dns-blocklist=1
+      enforce-dns-checkpointing=1
    '';
  };
 }
--- a/nixos/services/synapse/default.nix
+++ b/nixos/services/synapse/default.nix
@ -36,6 +36,11 @@ in {
    "synapse/secrets.yaml" = {
      owner = "matrix-synapse";
      content = builtins.toJSON {
+        jwt_config = {
+          enabled = true;
+          secret = sops.placeholder."synapse/oidc_client_secret";
+          algorithm = "RS256";
+        };
        oidc_providers = [
          {
            idp_id = "authentik";
@ -84,6 +89,21 @@ in {
          ];
        }
      ];
+      # log_config = pkgs.writeTextFile {
+      #   name = "synapse-logging.json";
+      #   text = builtins.toJSON {
+      #     version = 1;
+      #     root = {
+      #       level = "INFO";
+      #       handlers = ["console"];
+      #     };
+      #     formatters.precise.format = "%(levelname)s - %(name)s - %(message)s";
+      #     handlers.console = {
+      #       class = "logging.StreamHandler";
+      #       formatter = "precise";
+      #     };
+      #   };
+      # };
    };
  };

--- a/nixos/workstation.nix
+++ b/nixos/workstation.nix
@ -22,6 +22,7 @@

  hardware.bluetooth.enable = true;
  services.blueman.enable = true;
+  services.power-profiles-daemon.enable = true;

  services.gnome.gnome-keyring.enable = true;

@ -68,7 +69,7 @@
      };

      emoji = {
-        package = pkgs.noto-fonts-emoji;
+        package = pkgs.noto-fonts-color-emoji;
        name = "Noto Color Emoji";
      };
    };