From b5f1220ea906e484a71c93ca8c5de9e30f9bdc13 Mon Sep 17 00:00:00 2001
From: Tristan
Date: Mon, 4 Aug 2025 21:39:05 +0100
Subject: [PATCH 1/4] alpine: loki fixes
---
 nixos/services/authentik.nix | 2 +-
 nixos/services/grafana.nix | 2 +-
 nixos/services/loki.nix | 116 +++++++++++++++++------------------
 nixos/services/nfs.nix | 13 ++++
 4 files changed, 71 insertions(+), 62 deletions(-)
 create mode 100644 nixos/services/nfs.nix
diff --git a/nixos/services/authentik.nix b/nixos/services/authentik.nix
index 9496e99..3f95bab 100644
--- a/nixos/services/authentik.nix
+++ b/nixos/services/authentik.nix
@@ -10,7 +10,7 @@
 };
 authentik-config = {
 autoStart = true;
- image = "ghcr.io/goauthentik/server:2025.6.0";
+ image = "ghcr.io/goauthentik/server:2025.6.3";
 volumes = ["/home/tristan/pods/authentik/media:/media"];
 environment = {
 AUTHENTIK_POSTGRESQL__USER = postgres.user;
diff --git a/nixos/services/grafana.nix b/nixos/services/grafana.nix
index 9bfb549..c6790ba 100644
--- a/nixos/services/grafana.nix
+++ b/nixos/services/grafana.nix
@@ -48,7 +48,7 @@ in {
 {
 name = "synapse";
 url = "https://raw.githubusercontent.com/element-hq/synapse/refs/heads/master/contrib/grafana/synapse.json";
- sha256 = "sha256:07qlr0waw9phmyd38bv22bn5v303w3397b89l44l3lzwhpnhs16s";
+ sha256 = "sha256:16fl81sx1by0wldw4vda0zr1pvbq1dpih1fikzwlvmk63mpc80kb";
 }
 ];
 }];
diff --git a/nixos/services/loki.nix b/nixos/services/loki.nix
index d114318..a5bf354 100644
--- a/nixos/services/loki.nix
+++ b/nixos/services/loki.nix
@@ -21,78 +21,74 @@ in {
 storage_config."filesystem".directory = "/tmp/loki/chunks";
 common = {
 ring = {
- instance_addr = "127.0.0.1";
 kvstore.store = "inmemory";
 };
 replication_factor = 1;
 path_prefix = "/tmp/loki";
 };
+ # https://grafana.com/docs/loki/latest/configure/#limits_config
 limits_config = {
 ingestion_rate_strategy = "local";
- ingestion_rate_mb = 24;
- ingestion_burst_size_mb = 36;
+ ingestion_rate_mb = 128;
+ ingestion_burst_size_mb = 256;
+ max_streams_per_user = 0;
+ max_global_streams_per_user = 0;
 };
 };
 };
- services.prometheus.scrapeConfigs = [{
- job_name = "loki";
- static_configs = [
- {
- targets = ["localhost:3100"];
- }
- ];
- }];
- services.promtail = {
- enable = true;
- # https://grafana.com/docs/loki/latest/send-data/promtail/configuration/
- configuration = {
- server = {
- http_listen_port = 9080;
- grpc_listen_port = 0;
- };
- clients = [
- {url = "http://localhost:3100/loki/api/v1/push";}
- ];
- scrape_configs = [
+ services.prometheus.scrapeConfigs = [
+ {
+ job_name = "loki";
+ static_configs = [
 {
- job_name = "system";
- journal = {
- path = "/var/log/journal/";
- };
- relabel_configs = [
- {
- source_labels = ["__journal_message"];
- target_label = "message";
- regex = "(.+)";
- }
- {
- source_labels = ["__journal__systemd_unit"];
- target_label = "systemd_unit";
- regex = "(.+)";
- }
- {
- source_labels = ["__journal__systemd_user_unit"];
- target_label = "systemd_user_unit";
- regex = "(.+)";
- }
- {
- source_labels = ["__journal__transport"];
- target_label = "transport";
- regex = "(.+)";
- }
- {
- source_labels = ["__journal__priority_keyword"];
- target_label = "severity";
- regex = "(.+)";
- }
- ];
+ targets = ["localhost:3100"];
 }
 ];
- };
+ }
+ ];
+ services.alloy = {
+ enable = true;
 };
- services.grafana.provision.datasources.settings.datasources = [{
- name = "Loki";
- type = "loki";
- url = "http://localhost:${toString loki.configuration.server.http_listen_port}";
- }];
+ environment.etc."alloy/config.alloy" = {
text = ''
+ discovery.relabel "system" {
+ targets = []
+
+ rule {
+ source_labels = ["__journal__systemd_unit", "__journal__systemd_user_unit"]
+ regex = "(.+)"
+ target_label = "systemd_unit"
+ }
+
+ rule {
+ source_labels = ["__journal__priority_keyword"]
+ regex = "(.+)"
+ target_label = "severity"
+ }
+ }
+
+ loki.source.journal "system" {
+ max_age = "1h0m0s"
+ path = "/var/log/journal/"
+ relabel_rules = discovery.relabel.system.rules
+ forward_to = [loki.write.default.receiver]
+ labels = {}
+ }
+
+ loki.write "default" {
+ endpoint {
+ url = "http://localhost:3100/loki/api/v1/push"
+ }
+ max_streams = 24
+ }
+
+ '';
+ };
+ services.grafana.provision.datasources.settings.datasources = [
+ {
+ name = "Loki";
+ type = "loki";
+ url = "http://localhost:${toString loki.configuration.server.http_listen_port}";
+ }
+ ];
 }
diff --git a/nixos/services/nfs.nix b/nixos/services/nfs.nix
new file mode 100644
index 0000000..aa645de
--- /dev/null
+++ b/nixos/services/nfs.nix
@@ -0,0 +1,13 @@
+{config, ...}: {
+ services.nfs = {
+ settings = {
+ mountd.manage-gids = true;
+ };
+ server = {
+ enable = true;
+ exports = ''
+ /mnt/storage/media 100.106.241.122/8(rw,fsid=root)
+ '';
+ };
+ };
+}
From 74b6fb4c4e81eba77034a68238c2f8566dd5fc78 Mon Sep 17 00:00:00 2001
From: Tristan
Date: Mon, 4 Aug 2025 22:58:39 +0100
Subject: [PATCH 2/4] framework: niri touchpad disable when typing
---
 home/desktop/niri/default.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/home/desktop/niri/default.nix b/home/desktop/niri/default.nix
index 8dca46d..30bd752 100644
--- a/home/desktop/niri/default.nix
+++ b/home/desktop/niri/default.nix
@@ -42,6 +42,9 @@
 input.focus-follows-mouse = {
 enable = true;
 };
+ input.touchpad = {
+ dwt = true; # disable when typing
+ };
 prefer-no-csd = true;
 spawn-at-startup = [
 {command = [(lib.getExe pkgs.xwayland-satellite)];}
From 19811d68546a3089daf665351af3fc7e24abac60 Mon Sep 17 00:00:00 2001
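Review bot: In nixos/services/loki.nix (patch 1/4) the new `limits_config` sets `max_streams_per_user = 0` and `max_global_streams_per_user = 0`, which the Loki limits documentation linked in the hunk describes as disabling the stream limits, while the ingestion rate and burst rise to 128/256 MB. With chunks and `path_prefix` under `/tmp/loki` (context lines), one noisy or misbehaving journal source can then grow memory and /tmp without a cap and take the logging pipeline down with it. I would keep a finite ceiling sized to the host, e.g. `max_global_streams_per_user = <STREAM_CAP>;`, and add a one-line comment saying why the previous values were too low. The hunk also drops `instance_addr = "127.0.0.1"` from `common.ring`; the server listen address is outside this hunk, so confirm that Loki still listens on loopback only.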
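Review bot: The export line in the new nixos/services/nfs.nix, `/mnt/storage/media 100.106.241.122/8(rw,fsid=root)`, uses a /8 mask, so the client match is all of 100.0.0.0/8 rather than one host. The same address is later used as a local listen address for Alloy in patch 3/4, so the intent is presumably a private overlay range; 100.0.0.0/8 is much wider than the 100.64.0.0/10 shared address space and includes publicly routed addresses. Narrow it to the actual client, e.g. `/mnt/storage/media <CLIENT_IP>/32(rw,fsid=root)`, or at most `100.64.0.0/10`, and keep the NFS ports closed on every other interface. `config` in the function head is unused and can be dropped.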
From: Tristan
Date: Tue, 5 Aug 2025 14:37:57 +0100
Subject: [PATCH 3/4] alpine: add samba for public jellyfin library
---
 flake.nix | 2 ++
 nixos/services/fail2ban.nix | 5 ++++
 nixos/services/loki.nix | 5 +++-
 nixos/services/samba.nix | 52 +++++++++++++++++++++++++++++++++++++
 4 files changed, 63 insertions(+), 1 deletion(-)
 create mode 100644 nixos/services/fail2ban.nix
 create mode 100644 nixos/services/samba.nix
diff --git a/flake.nix b/flake.nix
index 67b55a2..e93b95e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -84,6 +84,7 @@
 alpine = mkConf {
 nixos-modules = [
 ./hardware/alpine.nix
+ ./nixos/services/fail2ban.nix
 ./nixos/services/anki.nix
 ./nixos/services/forgejo.nix
 ./nixos/services/vaultwarden.nix
@@ -99,6 +100,7 @@
 ./nixos/services/authentik.nix
 ./nixos/services/monero.nix
 ./nixos/services/arr.nix
+ ./nixos/services/samba.nix
 ];
 };
diff --git a/nixos/services/fail2ban.nix b/nixos/services/fail2ban.nix
new file mode 100644
index 0000000..8b05b75
--- /dev/null
+++ b/nixos/services/fail2ban.nix
@@ -0,0 +1,5 @@
+{...}: {
+ services.fail2ban = {
+ enable = true;
+ };
+}
diff --git a/nixos/services/loki.nix b/nixos/services/loki.nix
index a5bf354..67afff0 100644
--- a/nixos/services/loki.nix
+++ b/nixos/services/loki.nix
@@ -48,6 +48,9 @@ in {
 ];
 services.alloy = {
 enable = true;
+ extraFlags = [
+ "--server.http.listen-addr=100.106.241.122:12345"
+ ];
 };
 environment.etc."alloy/config.alloy" = {
 text = ''
@@ -79,7 +82,7 @@ in {
 endpoint {
 url = "http://localhost:3100/loki/api/v1/push"
 }
- max_streams = 24
+ max_streams = 64
 }
 '';
diff --git a/nixos/services/samba.nix b/nixos/services/samba.nix
new file mode 100644
index 0000000..e1e0fb8
--- /dev/null
+++ b/nixos/services/samba.nix
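Review bot: The added flag `--server.http.listen-addr=100.106.241.122:12345` in nixos/services/loki.nix (patch 3/4) moves Alloy's HTTP server off its loopback default onto a routable address. That server carries the debugging UI and the metrics endpoint and has no authentication of its own, so every peer that can reach the address can read the pipeline configuration and component state. If remote access is wanted, restrict port 12345 to the specific peers that need it (firewall rule or network ACL) and say so in a comment above `extraFlags`; otherwise keep the default bind and reach the UI through an SSH tunnel. Binding to a fixed interface address also means the unit fails to start while that interface is not up, so an ordering dependency on it is worth adding.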
@@ -0,0 +1,52 @@
+{...}: {
+ users.users.guest = {
+ extraGroups = ["media"];
+ isNormalUser = true;
+ };
+ services.samba = {
+ enable = true;
+ openFirewall = true;
+ settings = {
+ global = {
+ "workgroup" = "WORKGROUP";
+ "server string" = "Tristan's Media Server";
+ "netbios name" = "alpine";
+ "security" = "user";
+ #"use sendfile" = "yes";
+ #"max protocol" = "smb2";
+ # note: localhost is the ipv6 localhostĀ ::1
+ "hosts allow" = "192.168.1. 127.0.0.1 localhost";
+ "hosts deny" = "0.0.0.0/0";
+ "guest account" = "guest";
+ "map to guest" = "bad user";
+ };
+ "Music" = {
+ "path" = "/mnt/storage/media/Public/";
+ "browseable" = "yes";
+ "read only" = "no";
+ "guest ok" = "yes";
+ "guest only" = "yes";
+ "create mask" = "0644";
+ "directory mask" = "0755";
+ };
+ };
+ };
+
+ services.samba-wsdd = {
+ enable = true;
+ openFirewall = true;
+ };
+
+ services.avahi = {
+ publish.enable = true;
+ publish.userServices = true;
+ # ^^ Needed to allow samba to automatically register mDNS records (without the need for an `extraServiceFile`
+ nssmdns4 = true;
+ # ^^ Not one hundred percent sure if this is needed- if it aint broke, don't fix it
+ enable = true;
+ openFirewall = true;
+ };
+
+ networking.firewall.enable = true;
+ networking.firewall.allowPing = true;
+}
From 5980c2ef82d3e341ac470f63b78d50d3cd523297 Mon Sep 17 00:00:00 2001
From: Tristan
Date: Sat, 9 Aug 2025 16:11:32 +0100
Subject: [PATCH 4/4] alpine: remove samba
---
 flake.nix | 1 -
 nixos/services/synapse/default.nix | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/flake.nix b/flake.nix
index e93b95e..1c1bbae 100644
--- a/flake.nix
+++ b/flake.nix
@@ -100,7 +100,6 @@
 ./nixos/services/authentik.nix
 ./nixos/services/monero.nix
 ./nixos/services/arr.nix
- ./nixos/services/samba.nix
 ];
 };
diff --git a/nixos/services/synapse/default.nix b/nixos/services/synapse/default.nix
index c09c4ed..229063e 100644
--- a/nixos/services/synapse/default.nix
+++ b/nixos/services/synapse/default.nix
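Review bot: The `"Music"` share in the new nixos/services/samba.nix (patch 3/4) is writable without credentials: `"guest ok" = "yes"`, `"guest only" = "yes"` and `"read only" = "no"`, together with `"map to guest" = "bad user"`, let any host matching `hosts allow` create and overwrite files under `/mnt/storage/media/Public/`, which the commit subject describes as a Jellyfin library. If guests only need to read, set `"read only" = "yes"` and grant write to a named account through `"write list"`; if guest upload is intended, a comment on the share should say so. `users.users.guest` is declared with `isNormalUser = true`, which makes the guest identity a regular login account in group `media`; a system user without a login shell is enough for Samba's guest account. `openFirewall = true` is set for Samba, wsdd and Avahi alike, so `hosts allow` is the only network restriction on the share. Patch 4/4 removes the import from flake.nix, but its diffstat does not delete this file, so the module stays in the tree.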
@@ -63,6 +63,7 @@ in {
 services.matrix-synapse = {
 enable = true;
 extraConfigFiles = [templates."synapse/secrets.yaml".path];
+ # https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html
 settings = {
 signing_key_path = secrets."synapse/signing_key".path;
 server_name = domain;