merge alpine zenix and framework

flake.nix

@@ -84,6 +84,7 @@
       alpine = mkConf {
         nixos-modules = [
           ./hardware/alpine.nix
+          ./nixos/services/fail2ban.nix
           ./nixos/services/anki.nix
           ./nixos/services/forgejo.nix
           ./nixos/services/vaultwarden.nix

home/desktop/niri/default.nix

@@ -42,6 +42,9 @@
       input.focus-follows-mouse = {
         enable = true;
       };
+      input.touchpad = {
+        dwt = true; # disable when typing
+      };
       prefer-no-csd = true;
       spawn-at-startup = [
         {command = [(lib.getExe pkgs.xwayland-satellite)];}

nixos/services/authentik.nix

@@ -10,7 +10,7 @@
   };
   authentik-config = {
     autoStart = true;
-    image = "ghcr.io/goauthentik/server:2025.6.0";
+    image = "ghcr.io/goauthentik/server:2025.6.3";
     volumes = ["/home/tristan/pods/authentik/media:/media"];
     environment = {
       AUTHENTIK_POSTGRESQL__USER = postgres.user;

nixos/services/fail2ban.nix

@@ -0,0 +1,5 @@
+{...}: {
+  services.fail2ban = {
+    enable = true;
+  };
+}

nixos/services/grafana.nix

@@ -48,7 +48,7 @@ in {
       {
         name = "synapse";
         url = "https://raw.githubusercontent.com/element-hq/synapse/refs/heads/master/contrib/grafana/synapse.json";
-        sha256 = "sha256:07qlr0waw9phmyd38bv22bn5v303w3397b89l44l3lzwhpnhs16s";
+        sha256 = "sha256:16fl81sx1by0wldw4vda0zr1pvbq1dpih1fikzwlvmk63mpc80kb";
       }
       ];
     }];

nixos/services/loki.nix

@@ -21,78 +21,77 @@ in {
       storage_config."filesystem".directory = "/tmp/loki/chunks";
       common = {
         ring = {
-          instance_addr = "127.0.0.1";
           kvstore.store = "inmemory";
         };
         replication_factor = 1;
         path_prefix = "/tmp/loki";
       };
+      # https://grafana.com/docs/loki/latest/configure/#limits_config
       limits_config = {
         ingestion_rate_strategy = "local";
-        ingestion_rate_mb = 24;
+        ingestion_rate_mb = 128;
-        ingestion_burst_size_mb = 36;
+        ingestion_burst_size_mb = 256;
+        max_streams_per_user = 0;
+        max_global_streams_per_user = 0;
       };
     };
   };
-  services.prometheus.scrapeConfigs = [{
+  services.prometheus.scrapeConfigs = [
+    {
       job_name = "loki";
       static_configs = [
         {
           targets = ["localhost:3100"];
         }
       ];
-  }];
+    }
-  services.promtail = {
+  ];
+  services.alloy = {
     enable = true;
-    # https://grafana.com/docs/loki/latest/send-data/promtail/configuration/
+    extraFlags = [
-    configuration = {
+      "--server.http.listen-addr=100.106.241.122:12345"
-      server = {
-        http_listen_port = 9080;
-        grpc_listen_port = 0;
-      };
-      clients = [
-        {url = "http://localhost:3100/loki/api/v1/push";}
-      ];
-      scrape_configs = [
-        {
-          job_name = "system";
-          journal = {
-            path = "/var/log/journal/";
-          };
-          relabel_configs = [
-            {
-              source_labels = ["__journal_message"];
-              target_label = "message";
-              regex = "(.+)";
-            }
-            {
-              source_labels = ["__journal__systemd_unit"];
-              target_label = "systemd_unit";
-              regex = "(.+)";
-            }
-            {
-              source_labels = ["__journal__systemd_user_unit"];
-              target_label = "systemd_user_unit";
-              regex = "(.+)";
-            }
-            {
-              source_labels = ["__journal__transport"];
-              target_label = "transport";
-              regex = "(.+)";
-            }
-            {
-              source_labels = ["__journal__priority_keyword"];
-              target_label = "severity";
-              regex = "(.+)";
-            }
-          ];
-        }
     ];
   };
+  environment.etc."alloy/config.alloy" = {
+    text = ''
+      discovery.relabel "system" {
+        targets = []
+
+        rule {
+          source_labels = ["__journal__systemd_unit", "__journal__systemd_user_unit"]
+          regex         = "(.+)"
+          target_label  = "systemd_unit"
+        }
+
+        rule {
+          source_labels = ["__journal__priority_keyword"]
+          regex         = "(.+)"
+          target_label  = "severity"
+        }
+      }
+
+      loki.source.journal "system" {
+        max_age       = "1h0m0s"
+        path          = "/var/log/journal/"
+        relabel_rules = discovery.relabel.system.rules
+        forward_to    = [loki.write.default.receiver]
+        labels        = {}
+      }
+
+      loki.write "default" {
+        endpoint {
+          url = "http://localhost:3100/loki/api/v1/push"
+        }
+        max_streams = 64
+      }
+
+    '';
   };
-  services.grafana.provision.datasources.settings.datasources = [{
+  services.grafana.provision.datasources.settings.datasources = [
+    {
       name = "Loki";
       type = "loki";
       url = "http://localhost:${toString loki.configuration.server.http_listen_port}";
-  }];
+    }
+  ];
 }

nixos/services/nfs.nix

@@ -0,0 +1,13 @@
+{config, ...}: {
+  services.nfs = {
+    settings = {
+      mountd.manage-gids = true;
+    };
+    server = {
+      enable = true;
+      exports = ''
+        /mnt/storage/media 100.106.241.122/8(rw,fsid=root)
+      '';
+    };
+  };
+}

nixos/services/samba.nix

@@ -0,0 +1,52 @@
+{...}: {
+  users.users.guest = {
+    extraGroups = ["media"];
+    isNormalUser = true;
+  };
+  services.samba = {
+    enable = true;
+    openFirewall = true;
+    settings = {
+      global = {
+        "workgroup" = "WORKGROUP";
+        "server string" = "Tristan's Media Server";
+        "netbios name" = "alpine";
+        "security" = "user";
+        #"use sendfile" = "yes";
+        #"max protocol" = "smb2";
+        # note: localhost is the ipv6 localhost ::1
+        "hosts allow" = "192.168.1. 127.0.0.1 localhost";
+        "hosts deny" = "0.0.0.0/0";
+        "guest account" = "guest";
+        "map to guest" = "bad user";
+      };
+      "Music" = {
+        "path" = "/mnt/storage/media/Public/";
+        "browseable" = "yes";
+        "read only" = "no";
+        "guest ok" = "yes";
+        "guest only" = "yes";
+        "create mask" = "0644";
+        "directory mask" = "0755";
+      };
+    };
+  };
+
+  services.samba-wsdd = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  services.avahi = {
+    publish.enable = true;
+    publish.userServices = true;
+    # ^^ Needed to allow samba to automatically register mDNS records (without the need for an `extraServiceFile`
+    nssmdns4 = true;
+    # ^^ Not one hundred percent sure if this is needed- if it aint broke, don't fix it
+    enable = true;
+    openFirewall = true;
+  };
+
+  networking.firewall.enable = true;
+  networking.firewall.allowPing = true;
+}

nixos/services/synapse/default.nix

@@ -63,6 +63,7 @@ in {
   services.matrix-synapse = {
     enable = true;
     extraConfigFiles = [templates."synapse/secrets.yaml".path];
+    # https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html
     settings = {
       signing_key_path = secrets."synapse/signing_key".path;
       server_name = domain;