Add luminance and external monitor kernel modules

modules/cloud/authentik/default.nix

@@ -105,6 +105,7 @@ in
         ports = [
           "127.0.0.1:${toString cfg.port}:9000"
         ];
+
       };
       services.worker.service = {
         image = images.authentik;
@@ -123,6 +124,7 @@ in
           AUTHENTIK_POSTGRESQL__NAME = "authentik";
         };
         env_file = [ cfg.envFile "${authentikEnv}" ];
+        user = "root";
       };
       docker-compose.volumes = {
         database.driver = "local";

modules/common/linux/default.nix

@@ -26,15 +26,13 @@ let
       };
     };
 
-    graphics = { config, ... }: {
+    graphics = { config, pkgs, ... }: {
-      hardware =
+      hardware.graphics.enable = true;
-        if config.system.nixos.release == "24.05" then {
+      hardware.graphics.enable32Bit = true;
-          opengl.enable = true;
+      # Monitor backlight
-          opengl.driSupport32Bit = true;
+      hardware.i2c.enable = true;
-        } else {
+      services.ddccontrol.enable = true;
-          graphics.enable = true;
+      environment.systemPackages = [ pkgs.luminance pkgs.ddcutil ];
-          graphics.enable32Bit = true;
-        };
     };
 
     accounts = { pkgs, ... }: mkIf (config.common.linux.enable && !pkgs.stdenv.isAarch64) {
@@ -88,7 +86,7 @@ let
       enable = true;
       # defaults (no need to be set unless modified)
       quantum = 32;
-      rate = 48000;
+      rate = 44100;
     };
     security.rtkit.enable = true;
 
@@ -240,6 +238,8 @@ in
         "wheel" # Enable ‘sudo’ for the user.
         "plugdev" # Enable openrazer-daemon privileges
         "audio"
+        "video"
+        "input"
       ];
       shell = pkgs.fish;
     };

nki-home/audio/default.nix

@@ -1,5 +1,5 @@
 { config, pkgs, lib, ... }: {
   environment.etc = {
-    "wireplumber/main.lua.d/51-sdac.lua".source = ./sdac.lua;
+    "wireplumber/wireplumber.conf.d/51-sdac.conf".source = ./sdac.conf.json;
   };
 }

nki-home/audio/sdac.conf.json

@@ -0,0 +1,19 @@
+monitor.alsa.rules = [
+  {
+    matches = [
+      {
+        device.name = "alsa_output.usb-Grace_Design_SDAC-00.*"
+      }
+    ]
+    actions = {
+      update-props = {
+        # audio.format = "S24_3LE"
+        audio.rate = 88200
+        api.alsa.period-size = 2
+        api.alsa.headroom = 0
+        api.alsa.disable-batch = true
+      }
+    }
+  }
+]
+

nki-home/audio/sdac.lua

@@ -6,7 +6,7 @@ rule = {
   },
   apply_properties = {
     ["audio.format"] = "S24_3LE",
-    ["audio.rate"] = 96000,
+    ["audio.rate"] = 44100,
     ["api.alsa.period-size"] = 2,
     ["api.alsa.headroom"] = 0,
     ["api.alsa.disable-batch"] = true

nki-personal-do/configuration.nix

@@ -26,6 +26,7 @@
     ./peertube.nix
     ./outline.nix
     ./vikunja.nix
+    ./n8n.nix
   ];
 
   system.stateVersion = "21.11";
@@ -61,6 +62,7 @@
   ];
 
   virtualisation.docker.enable = true;
+  virtualisation.docker.extraOptions = "--data-root /mnt/data/docker";
 
   services.do-agent.enable = true;
 
@@ -152,7 +154,7 @@
   };
 
   # Mail
-  sops.secrets.mail-users = { owner = "maddy"; };
+  sops.secrets.mail-users = { owner = "maddy"; reloadUnits = [ "maddy.service" ]; };
   cloud.mail = {
     enable = true;
     debug = true;

nki-personal-do/headscale.nix

@@ -27,7 +27,8 @@ rec {
     noCloudflare = true;
   };
 
-  systemd.services.headscale.requires = [ "postgresql.service" ];
+  systemd.services.headscale.requires = [ "postgresql.service" "arion-authentik.service" ];
+  systemd.services.headscale.after = [ "postgresql.service" "arion-authentik.service" ];
   services.headscale = {
     enable = true;
     inherit port;

nki-personal-do/miniflux.nix

@@ -42,7 +42,7 @@ in
   systemd.services.miniflux = {
     description = "Miniflux service";
     wantedBy = [ "multi-user.target" ];
-    after = [ "network.target" ];
+    after = [ "network.target" "postgresql.service" ];
     requires = [ "postgresql.service" ];
 
     serviceConfig = {

nki-personal-do/n8n.nix

@@ -0,0 +1,71 @@
+{ config, lib, ... }:
+let
+  secrets = config.sops.secrets;
+
+  host = "n8n.dtth.ch";
+  db = "n8n";
+  user = db;
+  port = 23412;
+
+  dataFolder = "/mnt/data/n8n";
+in
+{
+  sops.secrets."n8n/env" = { reloadUnits = [ "n8n.service" ]; };
+  cloud.postgresql.databases = [ db ];
+  cloud.traefik.hosts.n8n = {
+    inherit port host;
+  };
+
+  # users
+  users.users."${user}" = {
+    group = "${user}";
+    isSystemUser = true;
+  };
+  users.groups."${user}" = { };
+
+  services.n8n = {
+    enable = true;
+    webhookUrl = "https://${host}";
+  };
+
+  systemd.services.n8n = {
+    environment = {
+      # Database
+      DB_TYPE = "postgresdb";
+      DB_POSTGRESDB_DATABASE = db;
+      DB_POSTGRESDB_HOST = "/var/run/postgresql";
+      DB_POSTGRESDB_USER = db;
+      # Deployment
+      N8N_EDITOR_BASE_URL = "https://${host}";
+      N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = "true";
+      N8N_USER_FOLDER = lib.mkForce dataFolder;
+      HOME = lib.mkForce dataFolder;
+      N8N_HOST = host;
+      N8N_PORT = toString port;
+      N8N_LISTEN_ADDRESS = "127.0.0.1";
+      N8N_HIRING_BANNER_ENABLED = "false";
+      N8N_PROXY_HOPS = "1";
+      # Logs
+      N8N_LOG_LEVEL = "debug";
+      # License
+      N8N_HIDE_USAGE_PAGE = "true";
+      # Security
+      N8N_BLOCK_ENV_ACCESS_IN_NODE = "true";
+      # Timezone
+      GENERIC_TIMEZONE = "Europe/Berlin";
+    };
+    serviceConfig = {
+      EnvironmentFile = [ secrets."n8n/env".path ];
+      User = user;
+      DynamicUser = lib.mkForce false;
+      ReadWritePaths = [ dataFolder ];
+      # ReadOnlyPaths = [ "/var/run/postgresql" ];
+    };
+    unitConfig.RequiresMountsFor = [ dataFolder ];
+  };
+  systemd.tmpfiles.settings."10-n8n".${dataFolder}.d = {
+    user = user;
+    group = user;
+    mode = "0700";
+  };
+}

nki-personal-do/peertube.nix

@@ -76,5 +76,10 @@ in
 
     dataDirs = [ "/var/lib/peertube" "/mnt/data/peertube" ];
   };
+
+  systemd.services.peertube = {
+    requires = [ "arion-authentik.service" ];
+    after = [ "arion-authentik.service" ];
+  };
 }
 

nki-personal-do/secrets/secrets.yaml

@@ -5,7 +5,7 @@ authentik-oidc-client-secret: ENC[AES256_GCM,data:lD/xyU87nik68JX+T2H3Gw5ZqsSGzX
 cloudflare-dns-api-token: ENC[AES256_GCM,data:2ny3JehpK30fTUDKrbzHv1QOczriChRyMQn6kNPULpUJ+eVwdptLvg==,iv:8wNAn3oawzLez7sO4ZvhFXcaZIpFVKgKCvTBlszFHn8=,tag:fRaO+u/5MtAWnTiy2Zwh0Q==,type:str]
 #ENC[AES256_GCM,data:KWrVRQg+cLm5MUdfsYrh7hkI4CWkl4Z0sDj0769eebeXDy+veixrQrxh1ZW+ro3WLwoIdU/IH5DPM4TWYn2qoM5aDHjGX764pr1x,iv:uZHBsGvSHv9vd/Wragl1dYNJ+8vCcMit2K3SrMFlz7s=,tag:7z4LyADfQvXsM2vvtWru8w==,type:comment]
 traefik-dashboard-users: ENC[AES256_GCM,data:kviapOq+xzxhjryse+5DaZbXRS/LEYyjqqFbHymXAZVEkWlu0T5pZ2bxSNCbXN+tXnb0u+6YPgGCaRNPLW74AF1hO8W8QqlLDA==,iv:41bwPyFQcuOLILTjLWUu5Kcnct/MaIIJsMbllc+n7Y0=,tag:17HyUjfRUcLGb0FrUm1O2A==,type:str]
-mail-users: ENC[AES256_GCM,data:/Ca14QPfdmVS8U/MpPgApi9FTfgE3PMojNBmJaOtGxf7RYrq0AjCqIq5d5Byzp7K92xrUdIKWSr+lTAxK7TnMbM9y8EdGJ1v+ZIgAW9dVEFVxZ+wm3dwaFZ5jLn+f6dwB9JdTVFvHuOyxf+abMiGAVxCJIxdV9JreEnS3tMJPIFdl97WFuBFG6DJlT9hjwvAmscXYQFioCHtmnvp/E4r+gMxOs04TLVj+vrhP/JbTgIJ2uTiaB9lYJbVMqeaz9W64LyQlPLeh1cdZHFtYN8vMR8UfkQIAVKRREEu0+/wjH5ZTEQsktjw2j1jNbz+mmcPnJLpfVWzZoAW7Dt+azQ+V4X1GP510q9JpfYZUuy6DtstIrbn3+CSqPm4oFmCD77ASwqOtKRvP0qbx8SC3Bn/s6zFHakxzTPLA5HtrDDhnqm3xl+PYdEW1wlINaVyvGtwK5SYUwVFJVGBdeiof2Zn9Zz2T417JAVN9C7qZ3BY2Ur8Fx9DDqZGclwJNhHC5HLaqWG4ajAJIeSzmtu8Bn5wmuF8c1AobkoljCunRjaXGfMt0+FVDnxkppXeONOiuLCw44Ii+ejZ3gxtz+xebYiLQhhYx2vOX1vJJfG0T8FDawTn32jlakmt1Nb9IzwgTWE/0yQAKJTjWztEahEcUUxmslISKPUlLtvCyUOf31Wq4Eg+iC0qMoKFTejp+DjLVwPhEMpNdMRA1JC8Wg==,iv:agQUE9UstOv/QYYamKWU6ouw9aSmrvl8HEYc8eTM25A=,tag:Qf+FuSpvfea9POljQ3UweQ==,type:str]
+mail-users: ENC[AES256_GCM,data:4ugvUKK1Hxlnt/bTrAe7pEt5Ehla6yfCzeeZkwaXGN0rlYO3zIFz2paajuFDVoZ1UOntxgdoL/bmS55SkvinQybzQqK+1HUb5N4esODZyJkf8qhacBjjUnDq2sK0GXmoWRoR36ny4haRTbfzTxoVph+Y81P6+T7etnMuARM55i/kWCTcKyin9WKkllLF8vEi6MdbvDj5fwVSxKYQZk2Ti4xY+hCGkEUFL3S2l4Hgbzt2irV0ccjU4+GXSrRepFWSakvDl0fuQf0N3oXMQWCYkRqsoPdtV/n1+C1all9HWtA4XNcnNHlPk7bbi51gO3fSQwmayrgsqO4QAIKY2oJMCrMOabvSjRF8pjR/WFqEMN6fLOCByPYTtej2JEDZ0mg/uQIuIh+Us+QIO/ulMSK+Cq4WTBsmN0V9tYucp1vNv2xzuLUN4GkHc0tRZ6jIVPFUCIGEgw9x7qVPNqFPgr4RFzGGP12746+UwHqDuBIz4od47aQMNrXJOD9xbX7mp54bqwkdASIP/5iBAsnzRDhg/9hHMkJrhPjzrGC4feVNYzI9yo+v0cOPworKYuSfk6KYX5SGu2HgcgCG7zGRL4/NoytNwDGoqBKWA81Xuyp9+vMFF//nm5bKQH6Zt2gVaMViyqKZrTkITrOZMaMKVkOeiJdQQpsM1jqU5ygsrHIq9jc8BJ2MbK8WW2wlfovAo2MNtSN68LknoWiMbEuRXIcC8rhvdVX9C++XT/JQH+kHwg==,iv:059jHrKniQmw2H45FDz/5DJqeTzKdsg9a51pX3FxvHE=,tag:aCMJOFv8PWtz80ouUqUCGA==,type:str]
 youmubot-env: ENC[AES256_GCM,data:EQ9e6lmCrjofHiHyN5Qe4b2oplP9/3JKl0vuFp54Hw9aYIS7j3nqzWLCvV54ZK7j1PcQ+CQorjeCVMV0TUy1f1Pf3qjrLkdOdV7ICq540gdfXOeXuhAx2EILpGkwIYOdKmTMSO3l2QkOlM02RNOn1lq/DogAydkEq7gJ7qSWnUEr45oNCa1+LamH8vcbDmIyzUWWXyA5EQ==,iv:fnNGZ6OaZ4D71SvWPRynsMpO1IsvxjQ3XtrswNSY+Wo=,tag:cN/ZnKrjSfD6AbU9pYNl+Q==,type:str]
 outline:
     smtp-password: ENC[AES256_GCM,data:zpIi6jVB2Y7ksBOR8SGFgjOD1x3aS6dKa6taLKB8v2l9p92iWDti75qgB1puglmmq8mCzz8KXLrM0Bv7W8GWRg==,iv:6tKINzQcApmNuIbNn0kSzFJtwn3rky/uFG2Ff3lazUk=,tag:kjB6qB87tRQVpy32Pt3D5A==,type:str]
@@ -45,6 +45,8 @@ nix-build-farm:
 vikunja:
     env: ENC[AES256_GCM,data:wHwLaX7z31Ogee0fSIJ4EpP/FUHOmj8lESqPacmrgokf9+2NpG8OKt99csDiYM9EEq2S3P70N6r+Dhzxob53lmQhNK8JuvZqrZ1HxgvMXirjnkXl0LGqVHBM4QdMvxVkICRNc1GMrG6ZY4OBQkn5did1ZZiCuXFC/ByuNTqBNHXoZmZMrewF9MFY+wfGx7+gIYzZ5JF1sgkTqtBdnAiUT2t9AaYNc8qjoZvNj3sgMb35/tKG0CYpt0vz6QuMQwOBJNrRkh2lV7YgTcr1tOkTc2FvRoLLyDykl8fjUf9KDcJLz672E90D0rRA5oHp/Lk28sSThh9WAM0skJofjXMOpq9ScsljWovUuizXUVCg5O/79EyhI7zPX6M3C/415sWdmGLYcRYRq7Ww1IoRgi2j9nCDLstHSMgF1igRWnsBEIFISCmSURMHOZNMkxWsxJ+0HJoMX9bmoZLLMrkjCqyPi/1r0X90aforkmA2xB+pC8rvYBKSxXYt8Nfu6KOK1JsmKTMmmC1R1dswuXvt/qCCH0yf0tl7GrGACKkDerDXVDZj4+SygkXM2bQF/L/KjQI7UspSdmGUmAvjhX31Zt1qZoYa2E2gabBWSGgXDuNixgbL/twaUA1CcA+ZPVBH0oAlOCc0dLXy0OZSn2U4IV1NH//66s1cmWEQQs4GKxhXzABiBvYaSj45LQtnEo2/HaifKhBWPxkjY9fW85Hy4Bgock4ReHYKsCF0LbsgKZhZ+WQp9mjTGLKxmRJJskwSEgxLmjK+AC2FK8zq2COMQ/eOxHe9OxEwjiQs5xCwnYXt2wOMHcxg3yoBCkTxoqMLs11kWORqcXzyoW1rV5W5DHk8K+7a4N385arHyg9+9S2FtfFUL46/GPcqf7lw5qgCDP/An5lPQZxA7/ItLzxFkviSx+e/cNl3UMTdx2aX4dn4L2cv54GuXDMHVHw++onJJnqn97aczK4O5y0=,iv:4T7vftUcSOS84MpZUOM9ODA36GSrKeW5TClQM3GN2mk=,tag:5mzK4NsmmrYERRn+Vb01Eg==,type:str]
     provider-clientsecret: ENC[AES256_GCM,data:/fN1rH2CKoaivhespd+/KamERjBQOdwR7QQ+hoB+pQ3ZSrBVIKbLMWyOJe8f7rVwXAByqDxQIZJEVPjcjhWSU1eicwpu57FBx+/xJLFazspTVZ+5XKyAwR+UxTHDGAgtFV00QHN53l7ygg4joWWko4IPN1JIpNIASaIWWzpsrIo=,iv:NLsZcmE1kKlzV7B/XPVfENMWlpQtOpESH0ByX1KQ8IQ=,tag:P+ZmsKq0KJAeRTTbvbduMg==,type:str]
+n8n:
+    env: ENC[AES256_GCM,data:LA/6tMfGgX0cDNfhIZ+n2Ay+6OW5gPPebcXQnfO3qQJSjMjf9vwauF2+W3KpIvM1Dsg3hyNEwqLNRn/28bgWC/qpBpgU2/gVI2n5oxcQaYGgnS/jB0nZWXvORVTnXjH0R+HBFCWgMJe7v+o0EeBH6kni/Nc9geb8paRkxZOGVKeJQy9K4OB2CN6FVO9KeR7gpeQpsh5V5SVW1MoND2tpCOiIK7d0uM6OHF/7p2RFrEEAarvJssj/dZRHjA/jALuqbQ6UDAaAppqlkEgIdZdFEfgebfCWR4e4aWjznW1DGOQQYtg4k/Kj8J/df8CWXX+lUO+9nTo/lhhcH395w+CRE8GUwze15yxQppUwqyLKdYwgmpK1tFnLP/W/As2f97c1fBB9rXrZYOUEIq4GspHOTPgjzcRfWOxX8cMKG69EmeZ3mWPsIDaC1ZvkVQjjcH/o9aC7QeFCwPfcy+mgI+9RjAaCw7qdig1CwgQabAaCd2hzQ4FTXBFJoZRfYZ1v3Rdwe8zqMivIcw2AHv6kYx6c9A==,iv:KmyJ/CLAGrYfzHjSWygtgA/+am9fUrKnOsGRPgV9QfU=,tag:G3LhfdSujcaC9ZZFUse0DQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -78,8 +80,8 @@ sops:
             by9kZFlTRVdCZFkxYTVVb0RIRk8zUlkKCqMw9oL9RaYBV5Hhy3o8Nm5xmGrPH8Sd
             hv36sxRFFNZT/DCKaHaSRbT3mfpBZSTXJt1dgl4nZe6whH54t/1KmA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-07T15:58:00Z"
+    lastmodified: "2024-12-07T23:38:16Z"
-    mac: ENC[AES256_GCM,data:ugW/IqGYYblO7GAM/W1PePKOJr5iJM42/SCHL8ew/QwXuOibhWWGkxObFeZ83u0DCmhH2fPqK/rI3seA6QLaWFeB2wrkyy4u13D5PISrObVtmQVD50kogObqd2CVdlQFIGQypw3/EB8oWNPcBRCvlAPPhZaB9a3SWS4CaTu+lPg=,iv:6IW7xOO9hBqK65WSLYnk7ViGs9xhoaMpsCeITbWNgHs=,tag:zXtnRBQemAT3cN1+QM7OHA==,type:str]
+    mac: ENC[AES256_GCM,data:GKCMZJVKj5Fq7Ak4wQgI/pAl8JKDdzAYCBRwnxHlg0Z10AstbchAYm+LLwCaE85ebl6m/JexmfJeutJo0yGXuOIQKcEgfyNq9O/i/y34ISc4looQ6cyH5Hcxsd9JXgrmgQzVPquBXQzDHz4rj93VhNrvqmw+SgDPZVwcUznvCBI=,iv:HtUmf0qjvbYW7ngocISpqycX7ceNv0YsILgZhOMTSMg=,tag:kJ7EFOLL8o/2OFkn5PhvJw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.1

nki-personal-do/vikunja.nix

@@ -81,8 +81,8 @@ in
   };
 
   systemd.services.vikunja = {
-    serviceConfig.User = user;
     serviceConfig.LoadCredential = [ "VIKUNJA_AUTH_OPENID_PROVIDERS_AUTHENTIK_CLIENTSECRET_FILE:${secrets."vikunja/provider-clientsecret".path}" ];
+    serviceConfig.User = user;
     serviceConfig.DynamicUser = lib.mkForce false;
     serviceConfig.ReadWritePaths = [ storageMount ];
     environment.VIKUNJA_AUTH_OPENID_PROVIDERS_AUTHENTIK_CLIENTSECRET_FILE = "%d/VIKUNJA_AUTH_OPENID_PROVIDERS_AUTHENTIK_CLIENTSECRET_FILE";

overlay.nix

@@ -75,6 +75,14 @@ let
       builtins.seq
         (final.lib.assertMsg (prev.vikunja.version == "0.24.5") "Vikunja probably doesn't need custom versions anymore")
         (final.callPackage ./packages/common/vikunja.nix { });
+
+    luminance = prev.luminance.overrideAttrs (attrs: {
+      nativeBuildInputs = attrs.nativeBuildInputs ++ [ final.wrapGAppsHook ];
+      buildInputs = attrs.buildInputs ++ [ final.glib ];
+      postInstall = attrs.postInstall + ''
+        glib-compile-schemas $out/share/glib-2.0/schemas
+      '';
+    });
   };
 
   overlay-libs = final: prev: {
@@ -125,3 +133,5 @@ in
   # Bug fixes
 ] # we assign the overlay created before to the overlays of nixpkgs.
 
+
+