Showing only topics in ~comp with the tag "linux".
    1. NixOS Configuration for a VPS

      Since I took so long to reply to Tips to use NixOS on a server? by @simao, I decided to create a new topic to share my configs. Hopefully this is informative for anyone looking to do similar things - I'll also gladly take critiques, since my setup is probably not perfect.

      First, I will share the output of `lsblk` on my VPS:

      NAME      MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
      vda       253:0    0   180G  0 disk  
      ├─vda1    253:1    0   512M  0 part  /boot
      └─vda2    253:2    0 179.5G  0 part  
        └─crypt 254:0    0 179.5G  0 crypt 
      

      That is, I use an unencrypted /boot partition, vda1, with GRUB 2 to prompt for a passphrase during boot, to unlock the LUKS-encrypted vda2. I prefer to use ZFS as my file system for the encrypted drive, and LUKS rather than ZFS encryption. This is an MBR drive, since that's what my VPS provider uses, though UEFI would look the same. The particular way I do this also requires access through the provider's tools, and not ssh or similar. The hardware-configuration.nix file reflects this:

      # Do not modify this file!  It was generated by ‘nixos-generate-config’
      # and may be overwritten by future invocations.  Please make changes
      # to /etc/nixos/configuration.nix instead.
      { config, lib, pkgs, modulesPath, ... }:
      
      {
        imports =
          [ (modulesPath + "/profiles/qemu-guest.nix")
          ];
      
        boot.initrd.availableKernelModules = [ "aes_x86_64" "ata_piix" "cryptd" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
        boot.initrd.kernelModules = [ ];
        boot.kernelModules = [ ];
        boot.extraModulePackages = [ ];
      
        fileSystems."/" =
          { device = "rpool/root/nixos";
            fsType = "zfs";
          };
      
        fileSystems."/home" =
          { device = "rpool/home";
            fsType = "zfs";
          };
      
        fileSystems."/boot" =
          { device = "/dev/disk/by-uuid/294de4f1-72e2-4377-b565-b3d4eaaa37b6";
            fsType = "ext4";
          };
      
        swapDevices = [ ];
      
      }
      
      I disobey the warning at the top to add `"aes_x86_64"` and `"cryptd"` to the available kernel modules, to speed up encryption. The `configuration.nix` follows:
      # Edit this configuration file to define what should be installed on
      # your system.  Help is available in the configuration.nix(5) man page
      # and in the NixOS manual (accessible by running ‘nixos-help’).
      
      { config, lib, pkgs, ... }:
      
      {
        imports =
          [ # Include the results of the hardware scan.
            ./hardware-configuration.nix
          ];
      
        # Hardware stuff
        # add the following to hardware-configuration.nix - speeds up encryption
        #boot.initrd.availableKernelModules ++ [ "aes_x86_64" "cryptd" ];
        boot.initrd.luks.devices.crypt = {
          # Change this if moving to another machine!
          device = "/dev/disk/by-uuid/86090289-1c1f-4935-abce-a1aeee1b6125";
        };
        boot.kernelParams = [ "zfs.zfs_arc_max=536870912" ]; # sets zfs arc cache max target in bytes
        boot.supportedFilesystems = [ "zfs" ];
        nix.maxJobs = lib.mkDefault 6; # number of cpu cores
      
        # Use the GRUB 2 boot loader.
        boot.loader.grub.enable = true;
        boot.loader.grub.version = 2;
        # boot.loader.grub.efiSupport = true;
        # boot.loader.grub.efiInstallAsRemovable = true;
        # boot.loader.efi.efiSysMountPoint = "/boot/efi";
        # Define on which hard drive you want to install Grub.
        boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only
        boot.loader.grub.enableCryptodisk = true;
        boot.loader.grub.zfsSupport = true;
      
        networking.hostName = "m"; # Define your hostname.
        # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
      
        # The global useDHCP flag is deprecated, therefore explicitly set to false here.
        # Per-interface useDHCP will be mandatory in the future, so this generated config
        # replicates the default behaviour.
        networking.useDHCP = false;
        networking.interfaces.ens3.useDHCP = true;
        networking.hostId = "aoeu"; # set this to the first eight characters of /etc/machine-id for zfs
        networking.nat = {
          enable = true;
          externalInterface = "ens3"; # this may not be the interface name
          internalInterfaces = [ "wg0" ];
        };
        networking.firewall = {
          enable = true;
          allowedTCPPorts = [ 53 25565 ]; # open 53 for DNS and 25565 for Minecraft
          allowedUDPPorts = [ 53 51820 ]; # open 53 for DNS and 51820 for Wireguard - change the Wireguard port
        };
        networking.wg-quick.interfaces = {
          wg0 = {
            address = [ "10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64" ];
            listenPort = 51820;
            privateKeyFile = "/root/wireguard-keys/privatekey"; # fill this file with the server's private key and make it so only root has read/write access
      
            postUp = ''
              ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
              ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o ens3 -j MASQUERADE
              ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
              ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o ens3 -j MASQUERADE
            '';
      
            preDown = ''
              ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
              ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.1/24 -o ens3 -j MASQUERADE
              ${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
              ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o ens3 -j MASQUERADE
            '';
      
            peers = [
              { # peer0
                publicKey = "{client public key}"; # replace this with the client's public key
                presharedKeyFile = "/root/wireguard-keys/preshared_from_peer0_key"; # fill this file with the preshared key and make it so only root has read/write access
                allowedIPs = [ "10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128" ];
              }
            ];
          };
        };
      
        # Configure network proxy if necessary
        # networking.proxy.default = "http://user:password@proxy:port/";
        # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
      
        nixpkgs.config = {
          allowUnfree = true; # don't set this if you want to ensure only free software
        };
      
        # Select internationalisation properties.
        i18n.defaultLocale = "en_US.UTF-8";
        console = {
          font = "Lat2-Terminus16";
          keyMap = "us";
        };
      
        # Set your time zone.
        time.timeZone = "America/New_York"; # set this to the same timezone your server is located in
      
        # List packages installed in system profile. To search, run:
        # $ nix search wget
        environment = {
          systemPackages = with pkgs; let
            nvimcust = neovim.override { # lazy minimal neovim config
              viAlias = true;
              vimAlias = true;
              withPython = true;
              configure = {
                packages.myPlugins = with pkgs.vimPlugins; {
                  start = [ deoplete-nvim ];
                  opt = [];
                };
                customRC = ''
                  if filereadable($HOME . "/.config/nvim/init.vim")
                    source ~/.config/nvim/init.vim
                  endif
      
                  set number
      
                  set expandtab
      
                  filetype plugin on
                  syntax on
      
                  let g:deoplete#enable_at_startup = 1
                '';
              };
            };
          in
          [
            jdk8
            nvimcust
            p7zip
            wget
            wireguard
          ];
        };
      
        # Some programs need SUID wrappers, can be configured further or are
        # started in user sessions.
        # programs.mtr.enable = true;
        # programs.gnupg.agent = {
        #   enable = true;
        #   enableSSHSupport = true;
        #   pinentryFlavor = "gnome3";
        # };
      
        # List services that you want to enable:
      
        # Enable the OpenSSH daemon.
        services = {
          dnsmasq = {
            enable = true;
            # this allows DNS requests from wg0 to be forwarded to the DNS server on this machine
            extraConfig = ''
              interface=wg0
            '';
          };
          fail2ban = {
            enable = true;
          };
          openssh = {
            enable = true;
            permitRootLogin = "no";
          };
          zfs = {
            autoScrub = {
              enable = true;
              interval = "monthly";
            };
          };
        };
      
        # Set sudo to request root password for all users
        # this should be changed for a multi-user server
        security.sudo.extraConfig = ''
          Defaults rootpw
        '';
      
        # Define a user account. Don't forget to set a password with ‘passwd’.
        users.users = {
          vpsadmin = { # admin account that has a password
            isNormalUser = true;
            home = "/home/vpsadmin";
            extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
            shell = pkgs.zsh;
          };
          mcserver = { # passwordless user to run a service - in this instance minecraft
            isNormalUser = true;
            home = "/home/mcserver";
            extraGroups = [];
            shell = pkgs.zsh;
          };
        };
      
        systemd = {
          services = {
            mcserverrun = { # this service runs a systemd sandboxed modded minecraft server as user mcserver
              enable = true;
              description = "Start and keep minecraft server running";
              wants = [ "network.target" ];
              after = [ "network.target" ];
              serviceConfig = {
                User = "mcserver";
                NoNewPrivileges = true;
                PrivateTmp = true;
                ProtectSystem = "strict";
                PrivateDevices = true;
                ReadWritePaths = "/home/mcserver/Eternal_current";
                WorkingDirectory = "/home/mcserver/Eternal_current";
                ExecStart = "${pkgs.jdk8}/bin/java -Xms11520M -Xmx11520M -server -XX:+AggressiveOpts -XX:ParallelGCThreads=3 -XX:+UseConcMarkSweepGC -XX:+UnlockExperimentalVMOptions -XX:+UseParNewGC -XX:+ExplicitGCInvokesConcurrent -XX:MaxGCPauseMillis=10 -XX:GCPauseIntervalMillis=50 -XX:+UseFastAccessorMethods -XX:+OptimizeStringConcat -XX:NewSize=84m -XX:+UseAdaptiveGCBoundary -XX:NewRatio=3 -jar forge-1.12.2-14.23.5.2847-universal.jar nogui";
                Restart = "always";
                RestartSec = 12;
              };
              wantedBy = [ "multi-user.target" ];
            };
            mcserverscheduledrestart = { # this service restarts the minecraft server on a schedule
              enable = true;
              description = "restart mcserverrun service";
              serviceConfig = {
                Type = "oneshot";
                ExecStart = "${pkgs.systemd}/bin/systemctl try-restart mcserverrun.service";
              };
            };
          };
          timers = {
            mcserverscheduledrestart = { # this timer triggers the service of the same name
              enable = true;
              description = "restart mcserverrun service daily";
              timerConfig = {
                OnCalendar = "*-*-* 6:00:00";
              };
              wantedBy = [ "timers.target" ];
            };
          };
        };
      
        # This value determines the NixOS release from which the default
        # settings for stateful data, like file locations and database versions
        # on your system were taken. It‘s perfectly fine and recommended to leave
        # this value at the release version of the first install of this system.
        # Before changing this value read the documentation for this option
        # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
        system.stateVersion = "20.09"; # Did you read the comment?
      
      }
      
      You'll notice that this server acts as a Wireguard endpoint and as a Minecraft server. I described the first part on the [NixOS wiki page for Wireguard](https://nixos.wiki/wiki/Wireguard) under the section that mentions dnsmasq. The second part is done using NixOS's systemd support, which can be a bit confusing at first but is easy enough once you know how it works.

      Edit: Also, the provider I use is ExtraVM, who has been excellent.

      6 votes
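Two things in the configuration above are left to the reader and enforced by nothing in the file: the WireGuard private and preshared key files under /root/wireguard-keys must be readable by root only (the comments say so), and networking.hostId must be a real eight-character hex value rather than the "aoeu" placeholder. The script below is an added example, not from the post and not part of NixOS, that audits both. It assumes GNU stat (as shipped on NixOS) and reuses the file paths from the post; the key and machine-id contents it writes are constructed placeholders, not real secrets.

```shell
#!/bin/sh
# Added example (not from the original post): audit the two properties the
# NixOS config above relies on but cannot enforce by itself.
#   1. WireGuard key files are owned by root with no group/other bits.
#   2. networking.hostId is eight hex characters, derived from /etc/machine-id.
# Assumes GNU stat; the paths below are the ones the post uses.

# check_key_file FILE [EXPECTED_UID]
# Exit 0 only if FILE is a regular file owned by EXPECTED_UID (default 0, root)
# whose group and other permission bits are all clear (e.g. mode 600 or 400).
check_key_file() {
  f=$1
  want_uid=${2:-0}
  if [ ! -f "$f" ]; then
    echo "FAIL: $f is missing" >&2
    return 1
  fi
  mode=$(stat -c '%a' "$f")
  uid=$(stat -c '%u' "$f")
  if [ "$uid" -ne "$want_uid" ]; then
    echo "FAIL: $f is owned by uid $uid, expected uid $want_uid" >&2
    return 1
  fi
  # 0$mode is read as octal; 077 masks the group and other bits.
  if [ $((0$mode & 077)) -ne 0 ]; then
    echo "FAIL: $f has mode $mode; clear group/other bits (chmod 600)" >&2
    return 1
  fi
  echo "ok: $f (uid $uid, mode $mode)"
}

# check_host_id ID
# Exit 0 only if ID is exactly eight lowercase hex digits, the format ZFS expects.
check_host_id() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}$'
}

# host_id_from_machine_id [FILE]
# Print the value the post's comment describes: the first eight characters of
# /etc/machine-id (or of FILE, so the demo below can use a constructed file).
host_id_from_machine_id() {
  head -c 8 "${1:-/etc/machine-id}"
}

# --- demonstration on constructed files; nothing here touches real keys ---
demo=$(mktemp -d)
mkdir -p "$demo/wireguard-keys"
printf 'CONSTRUCTED-PLACEHOLDER-PRIVATE-KEY\n' > "$demo/wireguard-keys/privatekey"
chmod 600 "$demo/wireguard-keys/privatekey"
printf 'CONSTRUCTED-PLACEHOLDER-PSK\n' > "$demo/wireguard-keys/preshared_from_peer0_key"
chmod 644 "$demo/wireguard-keys/preshared_from_peer0_key"   # deliberately too open
printf '0123456789abcdef0123456789abcdef\n' > "$demo/machine-id" # constructed machine-id

me=$(id -u)   # on the real VPS omit this argument so the default (root) applies
status=0
check_key_file "$demo/wireguard-keys/privatekey" "$me" || status=1
check_key_file "$demo/wireguard-keys/preshared_from_peer0_key" "$me" || status=1
for id in aoeu "$(host_id_from_machine_id "$demo/machine-id")"; do
  if check_host_id "$id"; then
    echo "ok: hostId $id"
  else
    echo "FAIL: hostId '$id' is not eight hex characters" >&2
    status=1
  fi
done
echo "audit result: $status (0 = all checks passed)"
rm -rf "$demo"
```

On the server itself you would call `check_key_file /root/wireguard-keys/privatekey` with no second argument, so the root-ownership default applies. One further point worth a look when adapting the config: `allowedTCPPorts`/`allowedUDPPorts` open port 53 on every interface, while the dnsmasq `interface=wg0` setting means it is only meant to answer on the tunnel; the per-interface option `networking.firewall.interfaces.wg0.allowedUDPPorts` keeps the resolver off the public side.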
    2. Tips to use NixOS on a server?

      I see some people using NixOS on their servers. I would like to try it out to self-host some services and learn about NixOS.

      I use Hetzner and they have a NixOS ISO available, so I can just use that to install NixOS. But how do people manage remote instances of NixOS? Would they just use Ansible or something like it to run nix on the host, or is there a better way?

      Thanks

      11 votes
    3. Are there any good tools for "one-off" file encryption?

      Sorry if this is a silly question, but I keep running into situations where a small CLI or GUI tool that could be handed a single file and hand me back an encrypted version would be useful. I've done some googling, but all I typically turn up is blogspam about random Windows-only tools that seem to be of dubious quality.

      Anyone know of a good tool for this type of thing?

      9 votes
    4. Help Packaging Elmer FEM for Nix

      I'm trying to package Elmer for use with NixOS, and could use some help from any experienced Nix users. My current attempt is located here. There is some junk left around in that file from my experimenting, but it's at least a start. There are also a few lines of error included in the comment here.

      Any help is appreciated!

      6 votes
    5. Linux is a subpar choice for professional video editing

      I don't wanna get into a heated discussion, so let me make something very clear: for a regular user, video editing on Linux is probably fine.

      That is just not my use case.

      I'm used to a degree of freedom, choice, and stability that, right now, Linux does not provide in that area.

      I'm a film major who has worked as a professional video editor for many years and editing video on anything that is not nearly as good, reliable and precise as Adobe Premiere feels like torture.

      But even being very flexible regarding features and requirements, after trying all the regular suggestions, as professional tools, and with all the respect I can muster, they are just unusable for me.

      I need a reliable program in which I can throw any format without worrying about constant crashes, but Linux options are all either extremely limited, unstable or both! Before anyone asks: I tried multiple programs, in different versions and installation methods, on entirely different hardware and unaffiliated distributions.

      Kdenlive resembles professional-grade software but constantly crashes at the simplest operations. DaVinci Resolve seems like a good bet but is a nightmare just to install and equally crashy when/if I'm able to do so (last time I had to manually edit the install script following the instructions of some random forum post. This did not cause a good impression. And audio didn't work), and I'm not willing to use something so finicky if Linux doesn't get primary support.

      Besides, Blackmagic Design only provides a few pieces of the puzzle. Professional video editing requires a whole stack of integrated software. Both Windows and Mac OS have this; Linux does not.

      There's also the issue of GPU acceleration.

      I'm not saying FOSS developers owe me anything, nor that they have done a bad job with programs like OpenShot, Pitivi, Blender, whatever. I'm just saying that, regrettably, I'll probably have to put Windows on dual-boot on my machine in the next few days.

      16 votes
    6. Terry A Davis: Questions to God

      Hey everyone, just watching a very interesting history of Terry A Davis (creator of TempleOS) and around the 30 minute mark there is a list of questions Terry asked to God and the answers he believed he received. I took a look online but was unable to find anything. I don't suppose anyone out there has a link? I'd be very interested to read it. Thanks in advance.

      EDIT: I'm also interested in any links to the art he created (hymns, visual art etc).

      10 votes
    7. I want to learn programming. What language should i pick to write cli apps for linux?

      I'm interested in C or Go, but I'm open to ideas.

      I have plenty of sh scripts I created to integrate my tools and system, so I have some experience and I don't want a scripting language like Python.

      My first plan is to learn the basics of the language and rewrite some of those scripts.

      I think my first pick will be a script that uses ffmpeg to convert my FLAC files to MP3 or Opus. I use sndconv -opus/-mp3 and it checks if there are FLAC files in the folder (I only have full albums), converts them and puts them in a folder named "$artist - $album".

      My long term goal is to make a cli/tui music player like cmus.

      UPDATE: I'm having plenty of success with Go right now. I just wrote a basic version of my music conversion script. It's just converting a music file I pass as an argument to MP3, but I'll keep working on it and adding functionality just to dip my toes in Go. It seems like a good language and I'm having fun!

      Thanks for all the answers!

      18 votes
    8. How can I make "whereis" automatically open the file on Nvim when it is the only result?

      EDIT: SOLVED

      It looks like it was much simpler than I thought and someone solved it on Reddit already. I won't delete, just leave the link if someone is interested.

      Runtime Environment

      OS: MX Linux...

      Issue

      Sometimes I use "whereis" (aliased for "wh", but it doesn't make any difference...) for my own scripts.

      I usually copy their paths manually (using tmux) and paste to the command line resulting in something like this:

      nvim /home/my_username/my_scripts_folder/my_script
      

      Could I make that into a single command?

      Thanks in advance!

      3 votes
    9. Please tell me what you think about this idea for a text editor/Linux Distribution combo

      I know there are similar products I could buy in the US that would give me this experience, but I'm not in the US and I don't have much money.

      In the old days, my father had some kind of machine that was not a proper laptop and not a proper typewriter. It opened instantly to a text editor. As far as I remember, there was no noticeable boot time. It had a keyboard and an entry for a floppy disk. You typed your stuff, saved it to the floppy disk, probably to send via email or to print in another machine. I loved that machine.

      I love these little gadgets that do one thing and one thing only. And, as someone with severe ADHD, they're often a necessity. If my Kindle had Youtube I would never read a book. If my PS4 had Emacs I would never play a game. The list goes on, but the principle is this: a lot of things are useful to me precisely because of what they cannot do.

      And that is why I wanna recreate my father's crazy computer-typewriter.

      Because I know how to use the command line, it really needs to be in total lockdown: I open it up, it shows a very simple text editor (with a few handy features that make it work even more like a typewriter) that I cannot configure, tinker with or alter in any way. It's focused on writing (not editing) literature, because that's what I need and other kinds of writing require an internet connection.

      It would save and back up automatically (like a typewriter) to one or more drives at your choice.

      There would need to be a few options because of different screen sizes, the number of screens etc, with an interface to make it easier.

      So the idea is an ultra-minimal, kiosk-mode Linux distribution that can either go on a flash drive or be installed on an old laptop. No package management, no internet connection, no access to the command line, no configuration files, no distractions whatsoever. I wanna forget I'm even using Linux. I wanna recreate my father's typewriter/computer that he never let me touch.

      How do I do this?

      14 votes
    10. Please recommend me a Linux distribution that is super-stable and never makes me install again, but at the same time allows me to have some newer packages with ease (xpost /r/FindMeADistro)

      I currently use MX-Linux, which is a great distribution but does require me to reinstall it from time to time. It also comes with all the good/bad Debian legacy, and sometimes things can get really fucked up (okay, I admit it: MX IS NOT PERFECT. But nothing is, okay? Settle down.)

      My new Linux Distribution doesn't need to have all the new bells and whistles, but it needs to be able to stay reasonably current with new packages and innovations. I don't mind some manual work, but I also don't wanna spend my days maintaining the system.

      This distro is supposed to be a tool to work with, not a hobby to be pimped, riced or whatever. I will occasionally play and edit videos on it (don't worry, it's all AMD, thanks for the advice, Tildes ;)

      I use the i3wm window manager (not the gaps fork), so native support is a must and current versions are preferable (MX's version is from 2016. 2016!). If there's not a current version of Emacs, I'll compile my own. The same is true for Neovim, dmenu, rofi and the suckless terminal.

      Configurations on text files do not scare me, but I don't wanna spend all my time scripting stuff. I don't mind compiling stuff either so Gentoo and other source-based distributions are valid options (as long as they allow me to work on stuff instead of working on the distribution...). That said, I have no preference whatsoever between binary and source-based.

      Unstable distributions like Arch and even Manjaro are a no-no. I need my computer to work 99.99% of the time, like a fucking refrigerator. That said, I would like some newer packages and tools such as Gimp, Inkscape and a video editor like Kdenlive. Maybe flatpak is an option? I was never able to get it to work properly.

      I'm also open to crazy things like Nix, but only if it'll make my life easier: I have no philosophies on the matter.

      Any suggestions?

      21 votes