delta/dotfiles
1
0
Fork 0
mirror of https://github.com/deltathetawastaken/dotfiles.git synced 2025-12-06 07:16:37 +03:00
Code Issues Actions Packages Projects Releases Wiki Activity
dotfiles/hosts/dlaptop/services.nix
delta a2dc9994e1
Some checks are pending
laptop / tests (push) Waiting to run
Details
intelnuc / tests (push) Waiting to run
Details
add prtapc matrix server
2024-09-02 13:26:58 +03:00

153 lines
4.5 KiB
Nix
Raw Blame History

{ pkgs, lib, inputs, nur, config, ... }:
{
# users.users.delta.packages = [
# (pkgs.writeScriptBin "warp-cli" "${pkgs.cloudflare-warp}/bin/warp-cli $@")
# ];
# systemd.services.cloudflare-warp = {
# enable = true;
# description = "cloudflare warp service";
# wantedBy = [ "multi-user.target" ];
# serviceConfig = {
# Restart = "on-failure";
# RestartSec = "15";
# };
# script = "${pkgs.cloudflare-warp}/bin/warp-svc";
# postStart = ''
# while true; do
# set -e
# status=$(${pkgs.cloudflare-warp}/bin/warp-cli status || true)
# set +e
# if [[ "$status" != *"Unable to connect to CloudflareWARP daemon"* ]]; then
# ${pkgs.cloudflare-warp}/bin/warp-cli set-custom-endpoint 162.159.193.1:2408
# exit 0
# fi
# sleep 15
# done
# '';
# };
users.groups.cloudflared = { };
users.users.cloudflared = {
group = "cloudflared";
isSystemUser = true;
};
services.cloudflared.enable = true;
services.cloudflared.tunnels = {
"dlaptop" = {
default = "http_status:404";
credentialsFile = "/run/secrets/cloudflared";
};
};
services.openssh.enable = true;
systemd.services.sshd.wantedBy = lib.mkForce [];
services.tailscale = {
enable = true;
extraUpFlags = "--accept-dns=false";
};
services.syncthing.enable = true;
#services.blueman.enable = true;
services.tumbler.enable = true;
services.gvfs.enable = true;
services.flatpak.enable = true;
services.printing.enable = true;
services.pcscd.enable = true;
services.udev.packages = [
pkgs.gnome.gnome-settings-daemon
pkgs.android-udev-rules
pkgs.yubikey-personalization
];
services.udev.extraRules = ''
# Suspend the system when battery level drops to 6% or lower
# SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{capacity}=="[0-6]", RUN+="${pkgs.systemd}/bin/systemctl hibernate"
# # lock when yubi removed
# ACTION=="remove",\
# ENV{ID_BUS}=="usb",\
# ENV{ID_MODEL_ID}=="0407",\
# ENV{ID_VENDOR_ID}=="1050",\
# ENV{ID_VENDOR}=="Yubico",\
# RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
'';
systemd.services.cloudflared-tunnel-dlaptop.serviceConfig.Restart = lib.mkForce "on-failure";
systemd.services.cloudflared-tunnel-dlaptop.serviceConfig.RestartSec = lib.mkForce 60;
systemd.services.cloudflared-tunnel-dlaptop.wantedBy = lib.mkForce [];
systemd.tmpfiles.rules = [
"d /media/torrents 0775 qbit users"
];
users.users.qbit = {
group = "qbit";
isSystemUser = true;
createHome = true;
home = "/var/lib/qbit";
};
users.groups.qbit = {
gid = 10000;
};
system.activationScripts."qbitnoxwebui" = ''
if [ ! -d "/var/lib/qbit" ]; then
mkdir -p /var/lib/qbit
chown -R qbit:qbit /var/lib/qbit
fi
if [ ! -d "/var/lib/qbit/qbittorrent-webui-cjratliff.com" ]; then
${pkgs.git}/bin/git clone https://github.com/Carve/qbittorrent-webui-cjratliff.com /var/lib/qbit/qbittorrent-webui-cjratliff.com
chown -R qbit:qbit /var/lib/qbit
fi
'';
systemd.services.qbitnox = {
enable = true;
after = [ "novpn.service" "network-online.target" ];
wants = [ "novpn.service" "network-online.target" "dnscrypt-proxy2.service" ];
bindsTo = [ "novpn.service" ];
serviceConfig = {
Restart = "always";
RuntimeMaxSec = 86400;
User = "qbit";
Group = "qbit";
NetworkNamespacePath = "/run/netns/novpn";
PrivateTmp = false;
PrivateNetwork = false;
RemoveIPC = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateUsers = true;
ProtectHome = "yes";
ProtectProc = "invisible";
ProcSubset = "pid";
ProtectSystem = "full";
ProtectClock = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
SystemCallArchitectures = "native";
CapabilityBoundingSet = "";
SystemCallFilter = [ "@system-service" ];
};
# script = "${config.nur.repos.xddxdd.qbittorrent-enhanced-edition-nox}/bin/qbittorrent-nox";
script = "${pkgs.qbittorrent-nox}/bin/qbittorrent-nox";
};
systemd.services.novpn.wants = [ "qbitnox.service" ];
}
Reference in a new issue View git blame Copy permalink