initial commit
All checks were successful
Deploy docs / build-and-deploy (push) Successful in 3s

This commit is contained in:
sid 2026-02-23 20:34:35 +01:00
commit 95a533c876
451 changed files with 18255 additions and 0 deletions


@ -0,0 +1,9 @@
# Audio
PipeWire is a server for handling audio, video streams, and hardware on Linux.
View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/audio).
## References
- [Homepage](https://pipewire.org/)


@ -0,0 +1,90 @@
# Baibot
Baibot is a Matrix AI bot.
View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/baibot).
## References
- [GitHub](https://github.com/etkecc/baibot)
## Setup
### Configuration
Since baibot's configuration file requires setting secrets as plain text strings, configuring the baibot service through Nix is not supported. You have to create a configuration file on your machine and point to it with `services.baibot.configFile`.
Use the [template configuration file](https://github.com/etkecc/baibot/blob/main/etc/app/config.yml.dist) for reference.
### User Creation
Create the `baibot` user on your Matrix instance. If you are using the [synix Matrix module](./matrix-synapse.md), this can be done with the `register_new_matrix_user` alias:
```bash
register_new_matrix_user
```
Set the `user localpart` and `password` according to your configuration.
Restart both `matrix-synapse.service` and `baibot.service`. You can then invite Baibot to any room you like.
### OpenAI API
Send this message in a room where Baibot has joined:
```
!bai agent create-global openai openai
```
The bot will reply with a YAML configuration which you need to edit and send back:
```yaml
base_url: https://api.openai.com/v1
api_key: YOUR_API_KEY_HERE
text_generation:
model_id: gpt-4o
prompt: 'You are a brief, but helpful bot called {{ baibot_name }} powered by the {{ baibot_model_id }} model. The date/time of this conversation''s start is: {{ baibot_conversation_start_time_utc }}.'
temperature: 1.0
max_response_tokens: 16384
max_context_tokens: 128000
speech_to_text:
model_id: whisper-1
text_to_speech:
model_id: tts-1-hd
voice: onyx
speed: 1.0
response_format: opus
image_generation:
model_id: dall-e-3
style: vivid
size: 1024x1024
quality: standard
```
Set `openai` as the default for any purpose you like:
```
!bai config global set-handler text-generation global/openai
!bai config global set-handler speech-to-text global/openai
!bai config global set-handler text-to-speech global/openai
!bai config global set-handler image-generation global/openai
```
## Tips
### Set STT to Transcribe Only
```
!bai config global speech-to-text set-flow-type only_transcribe
```
### Set user access
```
!bai access set-users SPACE_SEPARATED_PATTERNS
```
> For example: `@*:example.com`
## Todo
1. Set up a local LLM for speech-to-text with Ollama.
1. Whitelist each user for the speech-to-text engine only.
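Review bot: the Configuration section should say why Nix-managed config is unsupported (anything placed in the Nix store is world-readable) and what the file behind `services.baibot.configFile` needs: owned by the service user, mode 0600, kept outside the store. The OpenAI YAML with `api_key: YOUR_API_KEY_HERE` is also sent back as a room message, so the key then lives in room history; the doc should say to do this in a private room containing only the bot and the admin. Under Set user access, the example pattern `@*:example.com` grants every user of that homeserver access; stating that explicitly keeps readers from copying it verbatim.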


@ -0,0 +1,25 @@
# cifsMount
> Warning: This module is not actively maintained. Expect things to break!
This module allows you to automount cifs shares after the login of the specified user. The remote has to have a running samba server.
View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/cifsMount).
## Config
```nix
config.services.cifsMount = {
enable = true;
remotes = [
{
host = "ip_address";
shareName = "share_name";
mountPoint = "/home/user/mount_point";
credentialsFile = "/home/user/.smbcredentials";
user = "user";
}
# more remotes ...
];
};
```
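Review bot: `credentialsFile = "/home/user/.smbcredentials"` is introduced without saying what the file must contain or how it must be protected; document the `username=` / `password=` (and optional `domain=`) lines of a mount.cifs credentials file, and that it should be mode 0600 and owned by `user`, since the module reads it at that user's login.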


@ -0,0 +1,17 @@
# Common
The common module sets some opinionated defaults.
View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/common).
It is recommended to import it in your NixOS configuration as some synix modules may depend on it:
```nix
{ inputs, ... }:
{
imports = [
inputs.synix.nixosModules.common
];
}
```


@ -0,0 +1,20 @@
# Device
This module lets you set some defaults for a device type.
View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/device).
Available devices are:
- desktop
- laptop
- server
- vm
To enable these defaults, you need to import this module in your host configuration. For example:
```nix
# hosts/HOSTNAME/default.nix
imports = [ inputs.synix.nixosModules.device.vm ]; # this imports all defaults for VMs. See `vm.nix`
```


@ -0,0 +1,7 @@
# FTP web server
> Warning: This module is not actively maintained. Expect things to break!
This module sets up a simple ftp web server behind a reverse proxy (`ftp.domain.tld` by default).
View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/ftp-webserver).
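Review bot: `ftp web server` is ambiguous: a reader cannot tell whether the module exposes FTP itself (credentials and data in cleartext) or an HTTP file listing under the `ftp.` subdomain. One sentence naming the protocol and stating whether the reverse proxy terminates TLS would prevent the wrong assumption.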


@ -0,0 +1,70 @@
# Headplane
A feature-complete Web UI for Headscale.
View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/headplane).
## References
- [Website](https://headplane.net)
- [GitHub](https://github.com/tale/headplane)
- [NixOS options](https://headplane.net/NixOS-options)
## Sops
Provide the following entries to your `secrets.yaml`:
> Replace `abc123` with your actual secrets
```yaml
headplane:
cookie_secret: abc123
agent_pre_authkey: abc123
```
Generate your cookie secret with:
```bash
nix-shell -p openssl --run "openssl rand -hex 16"
```
Generate your agent pre-authkey with:
```bash
sudo headscale users create headplane-agent
sudo headscale users list # get headplane-agent user id
sudo headscale preauthkeys create --expiration 99y --reusable --user <HEADPLANE-AGENT-ID>
```
## Setup
Set a CNAME record for your Headplane subdomain (`headplane` by default) pointing to your domain.
## Config
```nix
# flake.nix
headplane.url = "github:tale/headplane";
headplane.inputs.nixpkgs.follows = "nixpkgs";
```
```nix
# configuration.nix
{
imports = [ inputs.synix.nixosModules.headplane ];
services.headplane = {
enable = true;
};
}
```
## Usage
Create a Headscale API key:
```bash
sudo headscale apikeys create
```
Visit the admin login page: `https://sub.domain.tld/admin/login`
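Review bot: the admin URL `https://sub.domain.tld/admin/login` does not match the `headplane` subdomain set up two sections earlier; use the same placeholder in both. The agent pre-authkey is created with `--expiration 99y --reusable`, so anyone who obtains it can enroll nodes as `headplane-agent` indefinitely; the Sops section should state that it is stored only in `secrets.yaml`, and a non-reusable key is preferable if the agent does not need re-enrollment.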


@ -0,0 +1,58 @@
# Headscale
Headscale is an open source, self-hosted implementation of the Tailscale control server.
View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/headscale).
## References
- [Website](https://headscale.net/stable/)
- [GitHub](https://github.com/juanfont/headscale)
- [Example configuration file](https://github.com/juanfont/headscale/blob/main/config-example.yaml)
## Setup
Set a CNAME record for your Headscale subdomain (`headscale` by default) pointing to your domain.
## Config
```nix
{
imports = [ inputs.synix.nixosModules.headscale ];
services.headscale = {
enable = true;
openFirewall = true;
};
}
```
## Usage
Create a new user:
```bash
sudo headscale users create <USER>
```
Get the user's id:
```bash
sudo headscale users list
```
Create a pre auth key for that user:
```bash
sudo headscale preauthkeys create --expiration 99y --reusable --user <ID>
```
Give the user the pre-auth key.
## Troubleshooting
Check if your ACL config is valid:
```bash
sudo headscale policy check --file PATH/TO/acl.hujson
```
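Review bot: the Usage steps create user keys with `--expiration 99y --reusable` and then say `Give the user the pre-auth key` without noting that such a key lets any holder enroll unlimited devices as that user; for onboarding a person, a short expiration without `--reusable` is the safer default, and the key should be handed over out of band. `openFirewall = true` in the Config section should also say which ports it opens.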


@ -0,0 +1,26 @@
# I2P Daemon
I2P is an End-to-End encrypted and anonymous Internet.
View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/i2pd).
## References
- [Homepage](https://i2pd.website/)
- [Documentation](https://i2pd.readthedocs.io/en/latest/)
- [GitHub](https://github.com/PurpleI2P/i2pd)
- [I2P on NixOS guide](https://voidcruiser.nl/rambles/i2p-on-nixos/)
## Configuration
### NixOS
```nix
{ inputs, ... }:
{
imports = [ inputs.synix.nixosModules.i2pd ];
services.i2pd.enable = true;
}
```


@ -0,0 +1,30 @@
# Jellyfin
Jellyfin is a free and open-source media server and suite of multimedia applications.
View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/jellyfin).
## References
[docs](https://jellyfin.org/docs/)
## Setup
Users, Plugins, and Libraries are managed in the web interface. You have to declare them manually.
Visit the web interface and follow the on screen instructions. Create libraries corresponding to `config.services.jellyfin.libraries`.
## Upload files
```bash
rsync -arvzP -e 'ssh -p SSH_PORT' LOCAL_PATH YOU@REMOTE:JELLYFIN_DATA_DIR/libraries/LIBRARY
```
> the user `YOU` has to be in the *jellyfin* group on the remote machine `REMOTE`
- `SSH_PORT`: Your SSH port
- `LOCAL_PATH`: Local path to your media file(s)
- `YOU`: Your user on your remote machine
- `REMOTE`: IP/domain of your remote machine
- `JELLYFIN_DATA_DIR`: `config.services.jellyfin.dataDir`
- `LIBRARY`: Target library. See `config.services.jellyfin.libraries`
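Review bot: `rsync -a` preserves the source file modes, so uploaded media can arrive without group read permission even though `YOU` is in the *jellyfin* group and the server reads the files as `jellyfin`; suggest adding `--chmod=Dg+rx,Fg+r` to the command (or a `chmod` after the copy). In Setup, `You have to declare them manually` reads as the opposite of `are managed in the web interface`; `create them manually` is presumably what was meant.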


@ -0,0 +1,9 @@
# Jirafeau
Jirafeau is a project that allows "one-click filesharing", making it easy to upload a file and give it a unique link.
View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/jirafeau).
## References
- [docs](https://github.com/Newlode/jirafeauhttps://github.com/Newlode/jirafeau)
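Review bot: the docs link is two URLs concatenated (`https://github.com/Newlode/jirafeauhttps://github.com/Newlode/jirafeau`); it should be the single `https://github.com/Newlode/jirafeau`.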


@ -0,0 +1,62 @@
# Mail
A simple NixOS mailserver.
View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/mailserver).
## References
- [docs](https://nixos-mailserver.readthedocs.io/en/latest/index.html)
## Setup
Follow the [setup guide](https://nixos-mailserver.readthedocs.io/en/master/setup-guide.html#setup-dns-a-record-for-server).
## Sops
Provide every user's hashed password to your host's `secrets.yaml`:
> Replace `abc123` with your actual secrets
```yaml
mailserver:
accounts:
user1: abc123
user2: abc123
# ...
```
Generate hashed passwords with:
```sh
nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
```
## Config
### `flake.nix`
```nix
inputs = {
nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";
};
```
### Host configuration:
```nix
imports = [ inputs.synix.nixosModules.mailserver ]
mailserver = {
enable = true;
accounts = {
admin = {
aliases = [ "postmaster" ];
};
alice = { };
};
};
```
You may need to set [`mailserver.stateVersion`](https://nixos-mailserver.readthedocs.io/en/master/migrations.html). At the time of writing, you need to set it to `3`, but you should check the mailserver docs yourself.
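Review bot: `imports = [ inputs.synix.nixosModules.mailserver ]` in the host configuration block is missing its terminating `;`, so the snippet does not evaluate as Nix. It is also worth stating that `mkpasswd -sm bcrypt` reads the password from stdin (`-s`), which keeps it out of shell history, and that the hashes in `secrets.yaml` are the only place the credentials live.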


@ -0,0 +1,144 @@
# Matrix-Synapse
Synapse is a [Matrix](https://matrix.org/) homeserver. Matrix is an open network for secure, decentralised communication.
View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/matrix-synapse).
## References
- [Synapse repository](https://github.com/element-hq/synapse)
- [Synapse documentation](https://matrix-org.github.io/synapse/latest/welcome_and_overview.html)
- [Coturn repository](https://github.com/coturn/coturn)
- [Coturn example configuration](https://github.com/coturn/coturn/blob/master/examples/etc/turnserver.conf)
## Setup
### DNS
Make sure you have a CNAME record for `turn` pointing to your machine running Coturn.
The fqdn is set by `services.coturn.realm`.
### Sops
Provide the following entries to your secrets.yaml:
> Replace `abc123` with your actual secret(s)
```yaml
coturn:
static-auth-secret: abc123
matrix:
registration-shared-secret: abc123
livekit:
key: abc123
```
Generate the livekit key with:
```bash
nix-shell -p livekit --run "livekit-server generate-keys | tail -1 | awk '{print $3}'"
```
## Config
[Coturn has its own module](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/matrix-synapse), making it easy to outsource to a small VPS with a static IPv4 address.
If you do so, both machines need the secret `coturn/static-auth-secret`.
In the following example, both services run on the same machine:
```nix
{
imports = [
inputs.synix.nixosModules.coturn
inputs.synix.nixosModules.matrix-synapse
];
networking.domain = "example.tld";
services.coturn = {
enable = true;
sops = true;
openFirewall = true;
};
services.matrix-synapse = {
enable = true;
sops = true;
coturn.enable = true;
# see below
bridges = {
whatsapp = {
enable = true;
admin = "@you:example.tld";
};
signal = {
enable = true;
admin = "@you:example.tld";
};
};
};
# You only need this if you want to use bridges
nixpkgs.config.permittedInsecurePackages = [
"olm-3.2.16"
];
}
```
## Bridges
> Warning: Bridges use [`mautrix-go`](https://github.com/mautrix/go) which relies on [deprecated `libolm`](https://github.com/mautrix/go/issues/262).
### Sops
Provide the following entries to your secrets.yaml:
> Replace `abc123` with your actual secret(s) and `BRIDGE` with the name of your bridge (e.g., `whatsapp` or `signal`)
```yaml
mautrix-BRIDGE:
encryption-pickle-key: abc123
provisioning-shared-secret: abc123
public-media-signing-key: abc123
direct-media-server-key: abc123
```
Generate the secrets with:
```bash
nix-shell -p openssl --run "openssl rand -base64 32"
```
### NixOS configuration
The `config.yaml` for each bridge is managed through `services.mautrix-BRIDGE.settings`:
- [services.mautrix-signal.settings](https://search.nixos.org/options?channel=unstable&query=services.mautrix-signal.settings): Generate an example config with: `mautrix-signal -c signal.yaml --generate-example-config`
- [services.mautrix-whatsapp.settings](https://search.nixos.org/options?channel=unstable&query=services.mautrix-whatsapp.settings): Generate an example config with: `mautrix-whatsapp -c whatsapp.yaml --generate-example-config`
### Authentication
1. Open chat with bridge bot: `@BOT:DOMAIN.TLD`
- WhatsApp: `whatsappbot`
- Signal: `signalbot`
1. Send: `login qr`
1. Scan QR code
1. Switch puppets: `login-matrix ACCESS_TOKEN`
- Get your token with: Settings > Help & About > Advanced > Access Token
## Administration
### Register users
```bash
register_new_matrix_user -u USERNAME -p PASSWORD
```
## Troubleshooting
### Bridges: Specified admin user is not an admin in portal rooms
There seems to be a bug that the user specified under `services.matrix-synapse.bridges.whatsapp.admin` does not have admin permissions in portal rooms. You can set the power level manually inside each portal room:
```plaintext
!wa set-pl @YOU:DOMAIN.TLD 100
```
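Review bot: in `nix-shell -p livekit --run "livekit-server generate-keys | tail -1 | awk '{print $3}'"` the `$3` sits inside double quotes, so the calling shell expands it (to an empty string in an interactive shell) before nix-shell runs; awk then receives `{print }` and prints the whole line instead of the key field. Escape it as `\$3`. Two further points: the `Coturn has its own module` link points at the `matrix-synapse` module path rather than a coturn one, and `register_new_matrix_user -u USERNAME -p PASSWORD` leaves the password in shell history, whereas omitting `-p` makes the tool prompt for it.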


@ -0,0 +1,99 @@
# Maubot
A plugin-based Matrix bot system.
> Warning: Maubot uses [deprecated `libolm`](https://github.com/mautrix/go/issues/262).
View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/maubot).
## References
- [GitHub repository](https://github.com/maubot/maubot)
## Sops
Provide the following entries to your host's `secrets.yaml`:
> Replace `abc123` with your actual secrets as well as `alice` and `bob` with your actual admin user names.
```yaml
maubot:
admins:
alice: abc123
bob: abc123
# ...
```
## Config
This module only works if Matrix Synapse is running on the same machine.
See [the module on synix](./matrix-synapse.md).
```nix
{
imports = [
inputs.synix.nixosModules.maubot
inputs.synix.nixosModules.matrix-synapse
];
nixpkgs.config.permittedInsecurePackages = [
"olm-3.2.16"
];
services.maubot = {
enable = true;
sops = true;
admins = [
"alice"
"bob"
];
plugins = with config.services.maubot.package.plugins; [
gitlab
reminder
];
};
services.matrix-synapse = {
enable = true;
# ...
};
}
```
## Setup
1. Create a bot: `$ register_new_matrix_user`
1. Login as your admin user: `$ mbc login`
1. Authenticate as bot: `$ mbc auth`
1. Take note of the access token and device ID
1. Visit `https:/EXAMPLE.TLD/_matrix/maubot`
1. Create a client (if not already preset)
1. Create an instance
## Bots
### GitLab
> See [Readme on GitHub](https://github.com/maubot/gitlab?tab=readme-ov-file)
Create a personal access token with full API access.
```
!gitlab server login https://git.example.com PERSONAL_ACCESS_TOKEN
!gitlab webhook add https://git.example.com user/project
```
Check the webhook URL for potential errors.
## Tips
### Upload a profile picture to Matrix
```sh
curl -X POST "https://YOUR_HOMESERVER_URL/_matrix/media/v3/upload" \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
-H "Content-Type: image/png" \
--data-binary "@/path/to/your/image.png"
```
The respond body contains a valid avatar URL (`mxc://...`).
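Review bot: `https:/EXAMPLE.TLD/_matrix/maubot` in step 5 is missing a slash, and `The respond body` should be `The response body`. Under GitLab, `a personal access token with full API access` is posted into a Matrix room via `!gitlab server login`, where it stays in room history; recommend limiting the token to the scope the plugin needs, giving it an expiry, and sending the login command in a private room that contains only the bot.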


@ -0,0 +1,48 @@
# mcpo
A simple MCP-to-OpenAPI proxy server.
View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/mcpo).
## References
- [GitHub](https://github.com/open-webui/mcpo)
## Configuration
You have to provide a package, for example from [synix](https://git.sid.ovh/sid/synix/tree/master/pkgs/mcpo/default.nix).
Setting `mcpServers` is required. The following example runs a NixOS MCP server using [mcp-nixos](https://github.com/utensils/mcp-nixos).
```nix
{ inputs, lib, pkgs, ... }:
let
inherit (pkgs.stdenv.hostPlatform) system;
in
{
imports = [ inputs.synix.nixosModules.mcpo ];
services.mcpo = {
enable = true;
package = inputs.synix.packages."${system}".mcpo;
settings = {
mcpServers = {
nixos = {
command = lib.getExe inputs.mcp-nixos.packages."${system}".mcp-nixos;
};
};
};
};
}
```
## Usage
Each tool will be accessible under its own unique route `127.0.0.1:8000/<mcp-server>`. Following the example from above, visit [127.0.0.1:8000/nixos/docs](http://127.0.0.1:8000/nixos/docs) to send requests manually.
## Open WebUI Integration
Follow the [official Open WebUI integration documentation starting at *Step 2*](https://docs.openwebui.com/openapi-servers/open-webui/#step-2-connect-tool-server-in-open-webui).
In Open WebUI, users have to set *Function Calling* to *Native* in *Settings* > *General* > *Advanced Parameters*. Then, they can enable MCP servers in a chat by clicking *More* (the plus sign) in the bottom left of the prompt window.
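Review bot: Usage says each tool is reachable at `127.0.0.1:8000/<mcp-server>` but nothing says whether requests are authenticated; mcpo itself has an `--api-key` option, so the Configuration section should state whether the module exposes it, and that the listener must stay on loopback (or behind an authenticating proxy) if Open WebUI runs on another host.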


@ -0,0 +1,42 @@
# Miniflux
Miniflux is a minimalist and opinionated feed reader.
View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/miniflux).
## References
- [Website](https://miniflux.app/)
- [GitHub](https://github.com/miniflux/v2)
- [Configuration parameters](https://miniflux.app/docs/configuration.html)
## Setup
### DNS
Make sure you have a CNAME record for Miniflux's subdomain (`rss` by default) pointing to your domain.
### Sops
Provide the following entries to your secrets.yaml:
> Replace `abc123` with your actual secret(s)
```yaml
miniflux:
admin-password: abc123
```
## Config
```nix
{
imports = [inputs.synix.nixosModules.miniflux ];
services.miniflux = {
enable = true;
reverseProxy.enable = true;
reverseProxy.subdomain = "rss";
};
}
```
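Review bot: the Sops section provides `miniflux/admin-password`, but unlike the other modules in this commit the Config example does not set `sops = true`; either the default differs here or the example is incomplete, and the text should say which. Minor: `[inputs.synix.nixosModules.miniflux ]` has unbalanced spacing inside the brackets.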


@ -0,0 +1,20 @@
# Normal Users
This module automates user creation for normal users.
View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/normalUsers).
## Config
For example:
```nix
imports = [ inputs.synix.nixosModules.normalUsers ]
config.normalUsers = {
alice = {
extraGroups = [ "wheel" ];
sshKeyFiles = [ ../../users/alice/pubkeys/id_rsa.pub ];
};
};
```
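Review bot: `imports = [ inputs.synix.nixosModules.normalUsers ]` is missing its `;`, so the example does not evaluate. Since the module creates accounts with `wheel` membership and SSH keys, a sentence on whether these users receive a password or are key-only would tell readers what login surface they are creating.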


@ -0,0 +1,25 @@
# Nvidia
NixOS module that configures your Nvidia GPU with proprietary drivers.
> Tested on Turing and Ampere. Should work with most modern Nvidia GPUs.
View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/nvidia).
## Setup
Import this module inside your NixOS configuration:
```
imports = [ inputs.synix.nixosModules.nvidia ];
```
## Config
Set the Nvidia package with `hardware.nvidia.package`. The default ist:
```nix
imports = [ inputs.synix.nixosModules.nvidia ];
hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.latest;
```
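Review bot: `The default ist:` should be `The default is:`, the first fence lacks a `nix` language tag, and the Config block repeats the `imports` line already shown under Setup; only the `hardware.nvidia.package` line belongs there.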


@ -0,0 +1,44 @@
# Open WebUI OCI
Open WebUI is an extensible, self-hosted AI interface that adapts to your workflow, all while operating entirely offline.
View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/open-webui-oci).
## References
- [Homepage](https://openwebui.com/)
- [GitHub](https://github.com/open-webui/open-webui)
- [Environment Configuration](https://docs.openwebui.com/getting-started/env-configuration/)
## Configuration
```nix
{ inputs, ... }:
{
imports = [ inputs.synix.nixosModules.open-webui-oci ];
services.open-webui-oci.enable = true;
}
```
## Usage
Visit the web interface at your specified location to create an admin account.
> The default location is `http://127.0.0.1:8080`.
## Troubleshooting
### JSON parse error
If you get this error in the web interface:
```
SyntaxError: Unexpected token 'd', "data: {"id"... is not valid JSON category
```
Clear your browser cache. Steps on Chromium based browsers:
1. Open DevTools (F12) → Right-click refresh button
1. Click "Empty Cache and Hard Reload"
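Review bot: the Usage section should say that the first account registered through the web interface becomes the administrator, so the admin account must be created before anyone else can reach the service; the loopback default `http://127.0.0.1:8080` helps, but the doc should make the reason explicit. The quoted error line ends in a stray `category` after `is not valid JSON` that is not part of the message.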


@ -0,0 +1,7 @@
# Print server
> Note: This module is not actively maintained. Expect things to break!
This module sets up a printing server with a web interface.
View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/print-server).


@ -0,0 +1,66 @@
# Radicale
A simple CalDAV and CardDAV server.
View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/radicale).
## References
- [Documentation](https://radicale.org/v3.html#documentation-1)
- [Wiki](https://github.com/Kozea/Radicale/wiki)
- [GitHub](https://github.com/Kozea/Radicale)
## Sops
Provide every user's SHA512 hashed password to your host's `secrets.yaml`:
> Replace `abc123` with your actual secrets
```yaml
radicale:
user1: abc123
user2: abc123
# ...
```
Generate hashed passwords with:
```sh
nix-shell -p openssl --run 'openssl passwd -6 <password>'
```
## Setup
Set a CNAME record for your Radicale subdomain (`dav` by default) pointing to your domain.
Add two SRV records:
Calendar:
- type: `SRV`
- name: `_caldavs._tcp`
- priority: `0`
- weight: `1`
- port: `443`
- target: `dav.domain.tld.`
Contacts:
- name: `_carddavs._tcp`
> rest as above
## Config
```nix
{ inputs, ... }:
{
imports = [ inputs.synix.nixosModules.radicale ];
services.radicale = {
enable = true;
users = [
"user1"
"user2"
];
};
}
```
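Review bot: `openssl passwd -6 <password>` puts the cleartext password into shell history and the process list; run `openssl passwd -6` with no argument so it prompts instead. In Setup, the Contacts SRV record is described only as `rest as above`; spelling out `_carddavs._tcp`, port `443` and the `dav.domain.tld.` target avoids a copy error in DNS.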


@ -0,0 +1,11 @@
# RSS-Bridge
RSS-Bridge is a PHP web application. It generates web feeds for websites that don't have one.
View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/rss-bridge).
## References
- [docs](https://rss-bridge.github.io/rss-bridge/index.html)
- [repo](https://github.com/RSS-Bridge/rss-bridge)
- [bridges](https://github.com/RSS-Bridge/rss-bridge/tree/master/bridges)


@ -0,0 +1,58 @@
# Sops
Atomic secret provisioning for NixOS based on sops.
View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/sops).
## References
- [GitHub](https://github.com/Mic92/sops-nix)
## Setup
Generate an age key for your host from its ssh host key:
```bash
nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
```
Then, add it to `.sops.yaml` (see [usage example](https://github.com/Mic92/sops-nix?tab=readme-ov-file#usage-example)).
## Config
### Flake
```nix
# flake.nix
inputs = {
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
};
```
### Host configuration
Create a `secrets` directory in your hosts directory. Declare all your secrets in it:
```nix
# hosts/YOUR_HOST/secrets/default.nix
{ inputs, ... }:
{
imports = [ inputs.synix.nixosModules.sops ];
sops.secrets.your-secret = { };
sops.secrets.other-secret = { };
```
## Usage
For more information on how to use sops-nix, see the [Sops Home Manager module documentation](../home/sops.md).
## Update Keys
Update the keys of your SOPS files after making changes to `.sops.yaml`:
```bash
sops --config PATH/TO/.sops.yaml updatekeys PATH/TO/secrets.yaml
```
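Review bot: the `hosts/YOUR_HOST/secrets/default.nix` block never closes the attribute set (the `{` after `{ inputs, ... }:` has no matching `}`), so the example is not valid Nix. The age key derivation is sound; one sentence noting that the host's `/etc/ssh/ssh_host_ed25519_key` is the decryption key, so anyone with root on that host can read all of its secrets, would set expectations for what sops-nix does and does not protect against.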


@ -0,0 +1,36 @@
# Tailscale
Private WireGuard networks made easy.
View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/tailscale).
## References
- [Website](https://tailscale.com/)
- [GitHub](https://github.com/tailscale/tailscale)
- [Documents](https://tailscale.com/kb/1017/install)
## Sops
Provide the following entries to your `secrets.yaml`:
> Replace `abc123` with your actual secrets
```yaml
tailscale:
auth-key: abc123
```
## Config
```nix
{
imports = [ inputs.synix.nixosModules.tailscale ];
services.tailscale = {
enable = true;
enableSSH = true;
loginServer = "<your-headscale-instance>";
};
}
```
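Review bot: `enableSSH = true` turns on Tailscale SSH, which hands SSH authentication to the control server's policy; the doc should say that access is then governed by the `ssh` rules of the Headscale policy (default deny), so the policy needs an entry before anyone can log in. `<your-headscale-instance>` should also show the expected form, i.e. an `https://` URL.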


@ -0,0 +1,172 @@
# Virtualisation
Virtualisation using QEMU via libvirt and managed through Virt-manager with VFIO support.
View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/virtualisation).
## Overview
1. **QEMU** is the hypervisor that provides the core virtualisation capabilities.
1. **libvirt** is a toolkit and API that manages virtualisation platforms, such as QEMU.
1. **Virt-manager** is a GUI tool that interacts with libvirt to manage VMs.
1. **virsh** is a CLI tool that interacts with libvirt to manage VMs.
## Docs
### QEMU
- [Official docs](https://www.qemu.org/docs/master/)
### libvirt
- [Official docs](https://libvirt.org/docs.html)
- [Arch Wiki](https://wiki.archlinux.org/title/Libvirt)
- [virsh CLI](https://www.libvirt.org/manpages/virsh.html)
> If you are using the [Home Manager module](../home/virtualisation.md) as well, then `virsh` is aliased to `virsh --connect qemu:///system`
### Virt-manager
- [GitHub Repository](https://github.com/virt-manager/virt-manager)
- [NixOS Official Wiki](https://wiki.nixos.org/wiki/Virt-manager)
- [NixOS Community Wiki](https://nixos.wiki/wiki/Virt-manager)
- [Arch Wiki](https://wiki.archlinux.org/title/Virt-manager)
## Setup
1. Import this module in your NixOS config. It is recommended to use the [Virtualisation Manager module](../home/virtualisation.md) as well.
1. Add your user to the `libvirtd`, `qemu-libvirtd` and `kvm` group:
```nix
users.extraGroups.libvirtd.members = [ "<you>" ];
users.extraGroups.qemu-libvirtd.members = [ "<you>" ];
users.extraGroups.kvm.members = [ "<you>" ];
```
1. Rebuild and reboot: `rebuild all && sudo reboot now`
1. Enable and start the default network and reboot again: `virsh net-autostart default && virsh net-start default`
## VFIO
### Setup
For successful PCI device passthrough, devices must be properly isolated by IOMMU groups. A device can be safely passed through if:
- It is the **only device** in its IOMMU group (recommended), OR
- **All devices** in its IOMMU group are passed through together
This module includes an `iommu-groups` command to help identify IOMMU groups:
```bash
iommu-groups
```
In this example, IOMMU group 9 contains only the Nvidia GPU which will get passed to the VM:
```
IOMMU Group 9 01:00.0 3D controller [0302]: NVIDIA Corporation TU117M [GeForce GTX 1650 Mobile / Max-Q] [10de:1f9d] (rev a1)
```
Take not of the PCI device ID. In this case: `10de:1f9d`.
### Config
This is an example with the Nvidia GPU above:
```nix
{ inputs, ... }:
{
imports = [ inputs.synix.nixosModules.virtualisation ];
virtualisation = {
vfio = {
enable = true;
IOMMUType = "amd";
devices = [
"10de:1f9d"
];
blacklistNvidia = true;
};
hugepages.enable = true;
};
}
```
### Virt Manager
#### 1. Open VM Hardware Settings
- Select your VM in Virt Manager
- Click *"Show virtual hardware details"*
#### 2. Add PCI Host Device
- Click *"Add Hardware"* button at bottom
- Select *"PCI Host Device"* from the list
- Click *"Finish"*
You may repeat this process for as many devices as you want to add to your VM.
### Looking Glass with KVMFR
*This has not yet been tested.*
### Troubleshooting
#### Check Kernel Parameters
View current kernel parameters:
```bash
cat /proc/cmdline
```
Check VFIO-related parameters:
```bash
dmesg | grep -i vfio
```
Verify IOMMU is enabled:
```bash
dmesg | grep -i iommu
```
#### Verify device binding
```bash
lscpi -k
```
Look for your device you want to pass through. It should say:
```
Kernel driver in use: vfio-pci
```
For example:
```
01:00.0 3D controller: NVIDIA Corporation TU117M [GeForce GTX 1650 Mobile / Max-Q] (rev a1)
Subsystem: Lenovo Device 380d
Kernel driver in use: vfio-pci
Kernel modules: nvidiafb, nouveau
```
#### Verify module status
Ensure blacklisted modules are not loaded:
```bash
lsmod | grep nvidia
lsmod | grep nouveau
```
These should return nothing.
#### `vfio-pci.ids` not appearing
Check generated bootloader config:
```bash
cat /boot/loader/entries/nixos-*.conf
```
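Review bot: `lscpi -k` under Verify device binding should be `lspci -k`, and `Take not of the PCI device ID` should be `Take note`. The Setup step `rebuild all && sudo reboot now` uses a `rebuild` command defined elsewhere (presumably the Home Manager module); either say where it comes from or show the plain `nixos-rebuild switch --flake` equivalent.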


@ -0,0 +1,5 @@
# Web Page
A very simple module to serve a static web page behind a reverse proxy using nginx.
View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/webPage).


@ -0,0 +1,33 @@
# Windows OCI
Windows inside a Docker container.
View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/windows-oci).
## References
- [dockur on GitHub](https://github.com/dockur/windows)
## Config
```nix
imports = [ inputs.synix.nixosModule.windows-oci ];
services.windows-oci.enable = true;
```
## Setup
You can monitor the installation process with:
```bash
journalctl -u podman-windows.service -f
```
The first-time setup may fail. Rebooting should resolve the issue.
## Usage
Access the VNC web interface at `http://127.0.0.1:8006`. Or connect via RDP at `127.0.0.1`.
TODO: Setup Windows RemoteApp
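Review bot: `inputs.synix.nixosModule.windows-oci` should be `nixosModules`, as in every other file in this commit. The Usage section should also say whether the VNC web interface on `127.0.0.1:8006` and the RDP endpoint require authentication and that both are bound to loopback only; a Windows install reachable over RDP must not be exposed on the LAN without credentials.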