zuckerberg/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Activity
762 Commits 4 Branches 0 Tags
pia-vpn-v2
Commit Graph

762 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Zuckerberg
3b71f4b1fd dedupe
All checks were successful
Check Flake / check-flake (push) Successful in 6m4s
Details
2026-02-26 19:42:38 -08:00
Zuckerberg
dc3c2194ab use port 8080 instead
All checks were successful
Check Flake / check-flake (push) Successful in 3m21s
Details
2026-02-26 00:26:49 -08:00
Zuckerberg
39009cbc18 use container hostname alias for script
All checks were successful
Check Flake / check-flake (push) Successful in 3m17s
Details
2026-02-26 00:17:47 -08:00
Zuckerberg
3365a1652c restore port option 2026-02-26 00:16:39 -08:00
Zuckerberg
6466406975 fix transmission port forwarding
All checks were successful
Check Flake / check-flake (push) Successful in 3m25s
Details
2026-02-26 00:08:40 -08:00
Zuckerberg
4eb0401263 disable services which don't work in nixos containers
All checks were successful
Check Flake / check-flake (push) Successful in 3m17s
Details
2026-02-25 23:37:26 -08:00
Zuckerberg
f4a4edf478 fix networking online target + ntfy notifications
All checks were successful
Check Flake / check-flake (push) Successful in 3m36s
Details
2026-02-25 23:24:23 -08:00
Zuckerberg
1ac3f05e3e define vpn container hosts within containers too 2026-02-25 23:23:49 -08:00
Zuckerberg
c1030c1dfe remove debugging messages
All checks were successful
Check Flake / check-flake (push) Successful in 3m28s
Details
2026-02-25 00:31:31 -08:00
Zuckerberg
52469693e3 maybe fix
All checks were successful
Check Flake / check-flake (push) Successful in 3m17s
Details
2026-02-25 00:25:15 -08:00
Zuckerberg
ffce43b8d0 debug
Some checks failed
Check Flake / check-flake (push) Has been cancelled
Details
2026-02-25 00:22:07 -08:00
Zuckerberg
96a6007693 debug 2026-02-25 00:14:19 -08:00
Zuckerberg
32cb438db9 networking fixes
All checks were successful
Check Flake / check-flake (push) Successful in 3m20s
Details
2026-02-25 00:10:49 -08:00
Zuckerberg
0368661e24 networking fixes
Some checks failed
Check Flake / check-flake (push) Has been cancelled
Details
2026-02-25 00:08:27 -08:00
Zuckerberg
12209b69b8 networking fixes
All checks were successful
Check Flake / check-flake (push) Successful in 3m21s
Details
2026-02-24 23:55:02 -08:00
Zuckerberg
3bc41dfdb3 networking fixes
Some checks failed
Check Flake / check-flake (push) Failing after 1m7s
Details
2026-02-24 23:53:50 -08:00
Zuckerberg
1cbbe64707 networking fixes
All checks were successful
Check Flake / check-flake (push) Successful in 3m18s
Details
2026-02-24 23:46:51 -08:00
Zuckerberg
6191e4060f networking fixes
All checks were successful
Check Flake / check-flake (push) Successful in 3m18s
Details
2026-02-24 23:37:15 -08:00
googlebot
a0fcacdcf9 Rewrite PIA VPN as multi-container bridge architecture
All checks were successful
Check Flake / check-flake (push) Successful in 4m44s
Details 
Replace the single VPN container (veth pair, host-side auth scripts) with a
multi-container setup on a shared bridge network:

- Dedicated VPN container handles all PIA auth, WireGuard config, NAT, and
  optional port forwarding DNAT
- Service containers default-route through VPN container (leak-proof by topology)
- Host runs tinyproxy on bridge for PIA API bootstrap before WG is up
- WG interface is still created in host netns and moved into VPN container
  namespace
- Monthly renewal to ensure that connection stays up (PIA allows connections to
  last up to 2 months)
- Drop OpenVPN support entirely
 2026-02-24 23:11:46 -08:00
Zuckerberg
684851d641 Prevent containers from running non-container services
All checks were successful
Check Flake / check-flake (push) Successful in 2m21s
Details
Auto Update Flake / auto-update (push) Successful in 3m29s
Details
2026-02-22 18:18:05 -08:00
Zuckerberg
4cf50b5fb1 Restart atticd whenever PostgreSQL restarts
All checks were successful
Check Flake / check-flake (push) Successful in 3m7s
Details
2026-02-22 17:53:46 -08:00
googlebot
288a2841aa Replace Uptime Kuma with Gatus for declarative uptime monitoring
All checks were successful
Check Flake / check-flake (push) Successful in 2m4s
Details 
Gatus is configured entirely via YAML (mapped from Nix attrsets),
making nix-config the single source of truth for all monitoring
config instead of Uptime Kuma's web UI/SQLite database.
 2026-02-22 17:30:03 -08:00
googlebot
0589ca5748 Add attic binary cache to sandboxed workspaces 
Update the attic cache URL from s0.koi-bebop.ts.net to s0.neet.dev
and configure sandboxed workspaces to inherit the host's binary cache
settings (substituters, trusted keys, netrc auth via agenix).
 2026-02-22 17:22:44 -08:00
googlebot
a4c5cb589a Claude workspaces 2026-02-22 17:19:48 -08:00
googlebot
a697ea10ad Add daily ZFS health check with ntfy alerts and introduce ntfy role 
Add a zfs-alerts module that runs a daily health check on ZFS machines,
sending detailed ntfy notifications for degraded pools, data errors, or
drive errors. Introduce an "ntfy" system role to decouple ntfy alerting
from the server/personal roles, and assign it to all machines.
 2026-02-22 17:17:40 -08:00
Zuckerberg
200d5a5d22 Add ntfy failure alerts for all systemd services
All checks were successful
Check Flake / check-flake (push) Successful in 3m18s
Details
2026-02-22 16:19:43 -08:00
Zuckerberg
339eac52c6 Add uptime kuma
All checks were successful
Check Flake / check-flake (push) Successful in 9m15s
Details
2026-02-22 15:49:26 -08:00
Zuckerberg
bab4b3ff8e Skip build and push when flake.lock has no changes
All checks were successful
Check Flake / check-flake (push) Successful in 2m0s
Details
2026-02-22 15:12:45 -08:00
Zuckerberg
54ab576914 Fix push auth with PAT, correct run link, and add ntfy to check-flake 2026-02-22 15:12:45 -08:00
Zuckerberg
c84c0716ce Fix push auth with PAT and use correct run_number in ntfy link 2026-02-22 15:12:45 -08:00
Zuckerberg
a921f40644 Fix git identity and ntfy URL in auto-update workflow 2026-02-22 15:12:45 -08:00
gitea-runner
a6c17164fa flake.lock: Update
All checks were successful
Check Flake / check-flake (push) Successful in 2m1s
Details 
Flake lock file updates:

• Updated input 'home-manager':
    'github:nix-community/home-manager/c6ed3eab64d23520bcbb858aa53fe2b533725d4a?narHash=sha256-WxAEkAbo8dP7qiyPM6VN4ZGAxfuBVlNBNPkrqkrXVEc%3D' (2026-02-21)
  → 'github:nix-community/home-manager/5bd3589390b431a63072868a90c0f24771ff4cbb?narHash=sha256-Tl2I0YXdhSTufGqAaD1ySh8x%2BcvVsEI1mJyJg12lxhI%3D' (2026-02-22)
• Updated input 'microvm':
    'github:astro/microvm.nix/789c90b164b55b4379e7a94af8b9c01489024c18?narHash=sha256-1XJOslVyF7yzf6yd/yl1VjGLywsbtwmQh3X1LuJcLI4%3D' (2026-02-17)
  → 'github:astro/microvm.nix/a3abc020a3d8e624e145f4144ed40702f788ea32?narHash=sha256-Pf4CaRoOLQV02m2POPA%2B0EWvb3gVdpaiS0hNNVZhO3c%3D' (2026-02-21)
• Updated input 'nix-index-database':
    'github:Mic92/nix-index-database/efec7aaad8d43f8e5194df46a007456093c40f88?narHash=sha256-UIKOwG0D9XVIJfNWg6%2BgENAvQP%2B7LO46eO0Jpe%2BItJ0%3D' (2026-02-15)
  → 'github:Mic92/nix-index-database/8f590b832326ab9699444f3a48240595954a4b10?narHash=sha256-/phvMgr1yutyAMjKnZlxkVplzxHiz60i4rc%2BgKzpwhg%3D' (2026-02-22)
 2026-02-22 15:04:48 -08:00
Zuckerberg
9df8390f1f Add daily auto-update workflow with shared build script
All checks were successful
Check Flake / check-flake (push) Successful in 2m7s
Details
2026-02-21 23:29:41 -08:00
Zuckerberg
156f0183bd Add ntfy push notification server on ponyo 2026-02-21 23:29:36 -08:00
Zuckerberg
8b92e51ef7 Remove phil machine and aarch64 ISO/kexec 2026-02-21 21:43:12 -08:00
Zuckerberg
7798872bbf Disable SMB3 directory leases to fix stale listings from local file changes 2026-02-21 21:43:12 -08:00
Zuckerberg
cf41285cb8 Update inputs + move to nixos-unstable 2026-02-21 21:43:12 -08:00
Zuckerberg
5a0a525f64 Add Attic binary cache and containerize gitea runner 
Replace nix-serve-only setup with Attic for managed binary caching with
upstream filtering and GC. Move gitea actions runner from host into an
isolated NixOS container with private networking. nix-serve kept alongside
Attic during migration.
 2026-02-21 21:43:08 -08:00
Zuckerberg
9154595910 Ad Incus sandbox on fry I've already been using for a while now
All checks were successful
Check Flake / check-flake (push) Successful in 3m35s
Details
2026-02-17 21:35:23 -08:00
Zuckerberg
1b92363b08 Fix rust analyzer in vscode 2026-02-17 21:28:50 -08:00
Zuckerberg
136f024cf0 Fix tailscale networking when incus is on 2026-02-17 21:28:28 -08:00
Zuckerberg
3d08a3e9bc Improve nix settings for sandboxed workspaces
All checks were successful
Check Flake / check-flake (push) Successful in 1m15s
Details
2026-02-14 11:29:02 -08:00
Zuckerberg
99ef62d31a Fix unused vars
All checks were successful
Check Flake / check-flake (push) Successful in 1m21s
Details
2026-02-11 23:12:00 -08:00
Zuckerberg
298f473ceb Remove unused vscode-server module 2026-02-11 23:00:48 -08:00
Zuckerberg
546bd08f83 Fix CI build. Ephemeral targets should not be in nixosConfigurations
All checks were successful
Check Flake / check-flake (push) Successful in 17m45s
Details
2026-02-11 22:49:11 -08:00
Zuckerberg
10f3e3a7bf Remove old stale/unused configuration 2026-02-11 22:47:38 -08:00
Zuckerberg
d44bd12e17 Update README.md 2026-02-11 21:58:38 -08:00
Zuckerberg
60e89dfc90 Clean up CLAUDE.md and make the claude skill correctly this time
Some checks failed
Check Flake / check-flake (push) Failing after 6s
Details
2026-02-10 21:08:13 -08:00
Zuckerberg
869b6af7f7 Block sandbox access to local network 
Add nftables forward rules to prevent sandboxed workspaces from
reaching RFC1918 private addresses while allowing public internet
and the host gateway (for DNS/NAT).
 2026-02-09 20:16:02 -08:00
Zuckerberg
d6a0e8ec49 Disable tailscaleAuth for now because it doesn't work with tailscale's ACL tagged group
Some checks failed
Check Flake / check-flake (push) Failing after 35s
Details
2026-02-09 19:57:20 -08:00