zuckerberg/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Activity

Compare commits

base: zuckerberg:1f9fbd87ac8be91ef3c56fb6e76e600947666a61
Branches Tags
zuckerberg:master zuckerberg:stage zuckerberg:rpi-hotspot zuckerberg:attic zuckerberg:kexec_luks2 zuckerberg:pia-client
...
compare: zuckerberg:master
Branches Tags
zuckerberg:master zuckerberg:stage zuckerberg:rpi-hotspot zuckerberg:attic zuckerberg:kexec_luks2 zuckerberg:pia-client

47 Commits
1f9fbd87ac ... master

Author SHA1 Message Date
Zuckerberg
bab2df5d7e Use programs.ssh.askPassword
All checks were successful
Check Flake / check-flake (push) Successful in 4m56s
Details
2026-01-11 15:24:53 -08:00
Zuckerberg
adc04d1bc7 Update nixos mailserver
All checks were successful
Check Flake / check-flake (push) Successful in 18m38s
Details
2026-01-11 14:25:17 -08:00
Zuckerberg
da9a8f8c03 Update nixpkgs 2026-01-11 14:25:03 -08:00
Zuckerberg
415cbca33e VLAN workaround for now 2026-01-10 23:04:48 -08:00
Zuckerberg
51272a172b Add system76-keyboard-configurator to fry 2026-01-10 23:03:19 -08:00
Zuckerberg
f053c677e8 Set up openwebui + ollama 2026-01-10 23:02:43 -08:00
Zuckerberg
c130ce6edd Don't generate zed user config file for now 2026-01-10 22:55:31 -08:00
Zuckerberg
4718326cb6 Configure ssh-agent to work with keepassxc ssh keys 2026-01-10 22:53:28 -08:00
Zuckerberg
61698aa7e2 Add kde connect 2026-01-10 22:52:17 -08:00
Zuckerberg
e0af023ac9 barrier was removed from nixpkgs 2026-01-10 22:51:09 -08:00
Zuckerberg
c0088553ff jellyfin-media-player was removed from nixpkgs 2026-01-10 22:49:04 -08:00
Zuckerberg
577736fcb2 Add deploy command 2026-01-10 22:46:39 -08:00
Zuckerberg
cf087b0e39 Add fry
All checks were successful
Check Flake / check-flake (push) Successful in 1h22m48s
Details
2025-10-12 13:36:02 -07:00
Zuckerberg
cb1c4752ec Use latest kernel on Howl 2025-10-12 13:35:23 -07:00
Zuckerberg
b77fb54dc6 Disable annoying pls shell integration 2025-10-12 13:35:02 -07:00
Zuckerberg
3d6a759827 Update nixpkgs 2025-10-12 13:33:53 -07:00
Zuckerberg
0c455baebd Add languagetool
All checks were successful
Check Flake / check-flake (push) Successful in 5m13s
Details
2025-08-16 19:04:10 -07:00
Zuckerberg
b58df0632a Add outline service
All checks were successful
Check Flake / check-flake (push) Successful in 15m2s
Details
2025-08-10 20:49:50 -07:00
Zuckerberg
4956e41285 Add memos service 2025-08-10 19:03:35 -07:00
Zuckerberg
ead6653de1 Add services to tailscale auth 2025-08-10 19:02:47 -07:00
Zuckerberg
dd4a5729d4 Workaround for broken librespot spotify api integration
All checks were successful
Check Flake / check-flake (push) Successful in 4m49s
Details
2025-08-10 15:18:29 -07:00
Zuckerberg
f248c129c8 Open port 8095 for music assistant too 2025-08-10 15:17:52 -07:00
Zuckerberg
c011faab18 Use flaresolverr with linkwarden 2025-08-10 15:17:27 -07:00
Zuckerberg
a5d0b3b748 Bring back APU2 router for more experimentation
All checks were successful
Check Flake / check-flake (push) Successful in 19m21s
Details
2025-08-05 19:45:50 -07:00
Zuckerberg
ed3bee2e4e Improve minimal iso so it can boot on APU2 from sd card 2025-08-05 19:44:49 -07:00
Zuckerberg
dbde2a40f2 Add linkwarden 2025-08-05 19:42:29 -07:00
Zuckerberg
6c69d82156 Add support for Home Assistant voice (whisper + piper + cloud llm) and Music Assistant via Spotify by librespot 
Music assistant has custom modifications they made to librespot that they haven't bothered to even try to upstream.
Thus, they require a custom librespot.  I tried and tried and tried and tried to just override the one already in nixpkgs
but I had trouble doing so despite copying the pattern already shown in nixpkgs for overriding the src of a cargo pkg
(See mopidy) but it just didn't work... Oh well. So I just patch nixpkgs instead with the new source. It works I guess.

This is about where I gave up...

```nix
nixpkgs.overlays = [
  (final: prev: {
    # Cannot use librespot upstream because music-assistant requires custom changes
    # that they never bothered to even try to uptream
    librespot = prev.librespot.overrideAttrs (oldAttrs: rec {
      src = prev.fetchFromGitHub {
        owner = "music-assistant";
        repo = "librespot";
        rev = "786cc46199e583f304a84c786acb0a9b37bc3fbd";
        sha256 = "sha256-xaOrqC8yCjF23Tz31RD3CzqZ3xxrDM6ncW1yoovEaGQ=";
      };

      cargoDeps = oldAttrs.cargoDeps.overrideAttrs (oldAttrs': {
        vendorStaging = oldAttrs'.vendorStaging.overrideAttrs {
          outputHash = "sha256-SqvJSHkyd1IicT6c4pE96dBJNNodULhpyG14HRGVWCk=";
        };
      });
    });
  })
];
```
 2025-08-05 19:37:50 -07:00
Zuckerberg
01b01f06b4 Stop using systemd-networkd it has some flaws with NixOS' networking I need to figure out later. 
It is very elegant, easy to debug/understand, and I definitely want to use it but The most significant
problem is it doesn't work with NixOS containers private networking.  So I'll need to figure that out
or maybe it will be fixed upstream soon.
 2025-08-05 19:27:29 -07:00
Zuckerberg
cf560d4e53 Downgrade Howl's kernel because newer kernels just are horrible with Howl's network card 2025-08-05 19:24:46 -07:00
Zuckerberg
8cf4957e15 Add build iso helper command 2025-08-05 19:23:42 -07:00
Zuckerberg
dc02438a63 Finally a fix DHCP+VLANs thanks to systemd-networkd
All checks were successful
Check Flake / check-flake (push) Successful in 3m31s
Details
2025-07-22 21:20:12 -07:00
Zuckerberg
948984af2d Set ghostty preferences
All checks were successful
Check Flake / check-flake (push) Successful in 22m14s
Details
2025-07-18 19:46:18 -07:00
Zuckerberg
be23526c2c Add KeepassXC keys, remove some very old user keys, and rekey
All checks were successful
Check Flake / check-flake (push) Successful in 1m50s
Details
2025-07-16 22:01:33 -07:00
Zuckerberg
e234577268 Disable inactive cache push experiment 2025-07-16 22:00:11 -07:00
Zuckerberg
82b67ed566 Add Whiteboard app to Nextcloud
All checks were successful
Check Flake / check-flake (push) Successful in 2m17s
Details
2025-07-16 20:49:39 -07:00
Zuckerberg
53c2e2222c Move shell aliases 2025-07-16 20:48:26 -07:00
Zuckerberg
846da159d0 Iodine stopped working again 2025-07-16 20:47:49 -07:00
Zuckerberg
a45125421e Add collabora online and move nextcloud domain 2025-07-16 20:46:51 -07:00
Zuckerberg
f4e40955c8 Use upstreamed pcie coral and vaapi frigate configuration
All checks were successful
Check Flake / check-flake (push) Successful in 12m12s
Details
2025-07-13 18:04:36 -07:00
Zuckerberg
af9e462b27 Allow substituters to be offline
Some checks failed
Check Flake / check-flake (push) Has been cancelled
Details
2025-07-13 17:54:32 -07:00
Zuckerberg
2faea9d380 Update nixpkgs and other flake inputs 2025-07-13 17:52:08 -07:00
Zuckerberg
8571922796 Add new helpful utilities 2025-07-12 11:42:40 -07:00
Zuckerberg
131d5e9313 Add rest command for home assistant 2025-07-12 10:50:37 -07:00
Zuckerberg
fe0ce3a245 Get recyclarr initially running 2025-07-12 10:48:13 -07:00
Zuckerberg
7b26cfb4eb update single input cmd 2025-07-12 10:27:09 -07:00
Zuckerberg
1c9fa418b3 Make s0 easier to unlock
All checks were successful
Check Flake / check-flake (push) Successful in 1m25s
Details
2025-03-29 22:52:00 -07:00
Zuckerberg
8c4dc9cb74 Improve usage of roles. It should be much easier to read and use now. 2025-03-29 22:48:14 -07:00
70 changed files with 1166 additions and 840 deletions
Expand all files Collapse all files

17
Makefile
View File

@@ -24,4 +24,19 @@ clean-old-nixos-profiles:
# Garbage Collect # Garbage Collect
.PHONY: gc .PHONY: gc
gc: gc:
nix store gc nix store gc
# Update a flake input by name (ex: 'nixpkgs')
.PHONY: update-input
update-input:
nix flake update $(filter-out $@,$(MAKECMDGOALS))
# Build Custom Install ISO
.PHONY: iso
iso:
nix build .#packages.x86_64-linux.iso
# Deploy a host by name (ex: 's0')
.PHONY: deploy
deploy:
deploy --remote-build --boot --debug-logs --skip-checks .#$(filter-out $@,$(MAKECMDGOALS))

7
common/binary-cache.nix
View File

@@ -12,6 +12,13 @@
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU=" "s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU="
]; ];
# Allow substituters to be offline
# This isn't exactly ideal since it would be best if I could set up a system
# so that it is an error if a derivation isn't available for any substituters
# and use this flag as intended for deciding if it should build missing
# derivations locally. See https://github.com/NixOS/nix/issues/6901
fallback = true;
}; };
}; };
} }

4
common/default.nix
View File

@@ -100,7 +100,5 @@
security.acme.defaults.email = "zuckerberg@neet.dev"; security.acme.defaults.email = "zuckerberg@neet.dev";
# Enable Desktop Environment if this is a PC (machine role is "personal") # Enable Desktop Environment if this is a PC (machine role is "personal")
de.enable = ( de.enable = lib.mkDefault (config.thisMachine.hasRole."personal");
builtins.elem config.networking.hostName config.machines.roles.personal
);
} }

195
common/machine-info/default.nix
View File

@@ -5,6 +5,90 @@
let let
machines = config.machines.hosts; machines = config.machines.hosts;
hostOptionsSubmoduleType = lib.types.submodule {
options = {
hostNames = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = ''
List of hostnames for this machine. The first one is the default so it is the target of deployments.
Used for automatically trusting hosts for ssh connections.
'';
};
arch = lib.mkOption {
type = lib.types.enum [ "x86_64-linux" "aarch64-linux" ];
description = ''
The architecture of this machine.
'';
};
systemRoles = lib.mkOption {
type = lib.types.listOf lib.types.str; # TODO: maybe use an enum?
description = ''
The set of roles this machine holds. Affects secrets available. (TODO add service config as well using this info)
'';
};
hostKey = lib.mkOption {
type = lib.types.str;
description = ''
The system ssh host key of this machine. Used for automatically trusting hosts for ssh connections
and for decrypting secrets with agenix.
'';
};
remoteUnlock = lib.mkOption {
default = null;
type = lib.types.nullOr (lib.types.submodule {
options = {
hostKey = lib.mkOption {
type = lib.types.str;
description = ''
The system ssh host key of this machine used for luks boot unlocking only.
'';
};
clearnetHost = lib.mkOption {
default = null;
type = lib.types.nullOr lib.types.str;
description = ''
The hostname resolvable over clearnet used to luks boot unlock this machine
'';
};
onionHost = lib.mkOption {
default = null;
type = lib.types.nullOr lib.types.str;
description = ''
The hostname resolvable over tor used to luks boot unlock this machine
'';
};
};
});
};
userKeys = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
The list of user keys. Each key here can be used to log into all other systems as `googlebot`.
TODO: consider auto populating other programs that use ssh keys such as gitea
'';
};
deployKeys = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
The list of deployment keys. Each key here can be used to log into all other systems as `root`.
'';
};
configurationPath = lib.mkOption {
type = lib.types.path;
description = ''
The path to this machine's configuration directory.
'';
};
};
};
in in
{ {
imports = [ imports = [
@@ -13,104 +97,16 @@ in
]; ];
options.machines = { options.machines = {
hosts = lib.mkOption { hosts = lib.mkOption {
type = lib.types.attrsOf type = lib.types.attrsOf hostOptionsSubmoduleType;
(lib.types.submodule {
options = {
hostNames = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = ''
List of hostnames for this machine. The first one is the default so it is the target of deployments.
Used for automatically trusting hosts for ssh connections.
'';
};
arch = lib.mkOption {
type = lib.types.enum [ "x86_64-linux" "aarch64-linux" ];
description = ''
The architecture of this machine.
'';
};
systemRoles = lib.mkOption {
type = lib.types.listOf lib.types.str; # TODO: maybe use an enum?
description = ''
The set of roles this machine holds. Affects secrets available. (TODO add service config as well using this info)
'';
};
hostKey = lib.mkOption {
type = lib.types.str;
description = ''
The system ssh host key of this machine. Used for automatically trusting hosts for ssh connections
and for decrypting secrets with agenix.
'';
};
remoteUnlock = lib.mkOption {
default = null;
type = lib.types.nullOr (lib.types.submodule {
options = {
hostKey = lib.mkOption {
type = lib.types.str;
description = ''
The system ssh host key of this machine used for luks boot unlocking only.
'';
};
clearnetHost = lib.mkOption {
default = null;
type = lib.types.nullOr lib.types.str;
description = ''
The hostname resolvable over clearnet used to luks boot unlock this machine
'';
};
onionHost = lib.mkOption {
default = null;
type = lib.types.nullOr lib.types.str;
description = ''
The hostname resolvable over tor used to luks boot unlock this machine
'';
};
};
});
};
userKeys = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
The list of user keys. Each key here can be used to log into all other systems as `googlebot`.
TODO: consider auto populating other programs that use ssh keys such as gitea
'';
};
deployKeys = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
The list of deployment keys. Each key here can be used to log into all other systems as `root`.
'';
};
configurationPath = lib.mkOption {
type = lib.types.path;
description = ''
The path to this machine's configuration directory.
'';
};
};
});
}; };
}; };
options.thisMachine.config = lib.mkOption {
# For ease of use, a direct copy of the host config from machines.hosts.${hostName}
type = hostOptionsSubmoduleType;
};
config = { config = {
assertions = (lib.concatLists (lib.mapAttrsToList assertions = (lib.concatLists (lib.mapAttrsToList
( (
@@ -196,5 +192,16 @@ in
builtins.map (p: { "${dirName p}" = p; }) propFiles; builtins.map (p: { "${dirName p}" = p; }) propFiles;
in in
properties ../../machines; properties ../../machines;
# Don't try to evaluate "thisMachine" when reflecting using moduleless.nix.
# When evaluated by moduleless.nix this will fail due to networking.hostName not
# existing. This is because moduleless.nix is not intended for reflection from the
# perspective of a perticular machine but is instead intended for reflecting on
# the properties of all machines as a whole system.
thisMachine.config = config.machines.hosts.${config.networking.hostName};
# Add ssh keys from KeepassXC
machines.ssh.userKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILACiZO7QnB4bcmziVaUkUE0ZPMR0M/yJbbHYsHIZz9g" ];
machines.ssh.deployKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID58MvKGs3GDMMcN8Iyi9S59SciSrVM97wKtOvUAl3li" ];
}; };
} }

42
common/machine-info/roles.nix
View File

@@ -1,19 +1,55 @@
{ config, lib, ... }: { config, lib, ... }:
# Maps roles to their hosts # Maps roles to their hosts.
# machines.withRole = {
# personal = [
# "machine1" "machine3"
# ];
# cache = [
# "machine2"
# ];
# };
#
# A list of all possible roles
# machines.allRoles = [
# "personal"
# "cache"
# ];
#
# For each role has true or false if the current machine has that role
# thisMachine.hasRole = {
# personal = true;
# cache = false;
# };
{ {
options.machines.roles = lib.mkOption { options.machines.withRole = lib.mkOption {
type = lib.types.attrsOf (lib.types.listOf lib.types.str); type = lib.types.attrsOf (lib.types.listOf lib.types.str);
}; };
options.machines.allRoles = lib.mkOption {
type = lib.types.listOf lib.types.str;
};
options.thisMachine.hasRole = lib.mkOption {
type = lib.types.attrsOf lib.types.bool;
};
config = { config = {
machines.roles = lib.zipAttrs machines.withRole = lib.zipAttrs
(lib.mapAttrsToList (lib.mapAttrsToList
(host: cfg: (host: cfg:
lib.foldl (lib.mergeAttrs) { } lib.foldl (lib.mergeAttrs) { }
(builtins.map (role: { ${role} = host; }) (builtins.map (role: { ${role} = host; })
cfg.systemRoles)) cfg.systemRoles))
config.machines.hosts); config.machines.hosts);
machines.allRoles = lib.attrNames config.machines.withRole;
thisMachine.hasRole = lib.mapAttrs
(role: cfg:
builtins.elem config.networking.hostName config.machines.withRole.${role}
)
config.machines.withRole;
}; };
} }

2
common/machine-info/ssh.nix
View File

@@ -39,6 +39,6 @@ in
builtins.map builtins.map
(host: machines.hosts.${host}.hostKey) (host: machines.hosts.${host}.hostKey)
hosts) hosts)
machines.roles; machines.withRole;
}; };
} }

20
common/nix-builder.nix
View File

@@ -1,18 +1,14 @@
{ config, lib, ... }: { config, lib, ... }:
let let
builderRole = "nix-builder";
builderUserName = "nix-builder"; builderUserName = "nix-builder";
machinesByRole = role: lib.filterAttrs (hostname: cfg: builtins.elem role cfg.systemRoles) config.machines.hosts; builderRole = "nix-builder";
otherMachinesByRole = role: lib.filterAttrs (hostname: cfg: hostname != config.networking.hostName) (machinesByRole role); builders = config.machines.withRole.${builderRole};
thisMachineHasRole = role: builtins.hasAttr config.networking.hostName (machinesByRole role); thisMachineIsABuilder = config.thisMachine.hasRole.${builderRole};
builders = machinesByRole builderRole;
thisMachineIsABuilder = thisMachineHasRole builderRole;
# builders don't include themselves as a remote builder # builders don't include themselves as a remote builder
otherBuilders = lib.filterAttrs (hostname: cfg: hostname != config.networking.hostName) builders; otherBuilders = lib.filter (hostname: hostname != config.networking.hostName) builders;
in in
lib.mkMerge [ lib.mkMerge [
# configure builder # configure builder
@@ -40,9 +36,9 @@ lib.mkMerge [
nix.distributedBuilds = true; nix.distributedBuilds = true;
nix.buildMachines = builtins.map nix.buildMachines = builtins.map
(builderCfg: { (builderHostname: {
hostName = builtins.elemAt builderCfg.hostNames 0; hostName = builderHostname;
system = builderCfg.arch; system = config.machines.hosts.${builderHostname}.arch;
protocol = "ssh-ng"; protocol = "ssh-ng";
sshUser = builderUserName; sshUser = builderUserName;
sshKey = "/etc/ssh/ssh_host_ed25519_key"; sshKey = "/etc/ssh/ssh_host_ed25519_key";
@@ -50,7 +46,7 @@ lib.mkMerge [
speedFactor = 10; speedFactor = 10;
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
}) })
(builtins.attrValues otherBuilders); otherBuilders;
# It is very likely that the builder's internet is faster or just as fast # It is very likely that the builder's internet is faster or just as fast
nix.extraOptions = '' nix.extraOptions = ''

4
common/pc/chromium.nix
View File

@@ -46,7 +46,6 @@ in
# hardware accelerated video playback (on intel) # hardware accelerated video playback (on intel)
nixpkgs.config.packageOverrides = pkgs: { nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
chromium = pkgs.chromium.override { chromium = pkgs.chromium.override {
enableWideVine = true; enableWideVine = true;
# ungoogled = true; # ungoogled = true;
@@ -61,12 +60,9 @@ in
enable = true; enable = true;
extraPackages = with pkgs; [ extraPackages = with pkgs; [
intel-media-driver # LIBVA_DRIVER_NAME=iHD intel-media-driver # LIBVA_DRIVER_NAME=iHD
vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
# vaapiVdpau
libvdpau-va-gl libvdpau-va-gl
nvidia-vaapi-driver nvidia-vaapi-driver
]; ];
extraPackages32 = with pkgs.pkgsi686Linux; [ vaapiIntel ];
}; };
}; };
} }

16
common/pc/default.nix
View File

@@ -46,11 +46,12 @@ in
spotify spotify
arduino arduino
yt-dlp yt-dlp
jellyfin-media-player
joplin-desktop joplin-desktop
config.inputs.deploy-rs.packages.${config.currentSystem}.deploy-rs config.inputs.deploy-rs.packages.${config.currentSystem}.deploy-rs
lxqt.pavucontrol-qt lxqt.pavucontrol-qt
barrier deskflow
file-roller
android-tools
# For Nix IDE # For Nix IDE
nixpkgs-fmt nixpkgs-fmt
@@ -71,15 +72,10 @@ in
services.avahi.enable = true; services.avahi.enable = true;
services.avahi.nssmdns4 = true; services.avahi.nssmdns4 = true;
programs.file-roller.enable = true;
# Security # Security
services.gnome.gnome-keyring.enable = true; services.gnome.gnome-keyring.enable = true;
security.pam.services.googlebot.enableGnomeKeyring = true; security.pam.services.googlebot.enableGnomeKeyring = true;
# Android dev
programs.adb.enable = true;
# Mount personal SMB stores # Mount personal SMB stores
services.mount-samba.enable = true; services.mount-samba.enable = true;
@@ -92,5 +88,11 @@ in
# Enable wayland support in various chromium based applications # Enable wayland support in various chromium based applications
environment.sessionVariables.NIXOS_OZONE_WL = "1"; environment.sessionVariables.NIXOS_OZONE_WL = "1";
fonts.packages = with pkgs; [ nerd-fonts.symbols-only ];
# SSH Ask pass
programs.ssh.enableAskPassword = true;
programs.ssh.askPassword = "${pkgs.kdePackages.ksshaskpass}/bin/ksshaskpass";
}; };
} }

1
common/pc/kde.nix
View File

@@ -15,6 +15,7 @@ in
# kmail # kmail
# plasma5Packages.kmail-account-wizard # plasma5Packages.kmail-account-wizard
kdePackages.kate kdePackages.kate
kdePackages.kdeconnect-kde
]; ];
}; };
} }

18
common/pc/vscodium.nix
View File

@@ -14,24 +14,14 @@ let
rust-lang.rust-analyzer rust-lang.rust-analyzer
vadimcn.vscode-lldb vadimcn.vscode-lldb
tauri-apps.tauri-vscode tauri-apps.tauri-vscode
platformio.platformio-vscode-ide
vue.volar
] ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [ ] ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [
{
name = "platformio-ide";
publisher = "platformio";
version = "3.1.1";
sha256 = "g9yTG3DjVUS2w9eHGAai5LoIfEGus+FPhqDnCi4e90Q=";
}
{ {
name = "wgsl-analyzer"; name = "wgsl-analyzer";
publisher = "wgsl-analyzer"; publisher = "wgsl-analyzer";
version = "0.8.1"; version = "0.12.105";
sha256 = "ckclcxdUxhjWlPnDFVleLCWgWxUEENe0V328cjaZv+Y="; sha256 = "sha256-NheEVNIa8CIlyMebAhxRKS44b1bZiWVt8PgC6r3ExMA=";
}
{
name = "volar";
publisher = "Vue";
version = "2.2.4";
sha256 = "FHS/LNjSUVfCb4SVF9naR4W0JqycWzSWiK54jfbRagA=";
} }
]; ];

1
common/server/default.nix
View File

@@ -10,7 +10,6 @@
./matrix.nix ./matrix.nix
./zerobin.nix ./zerobin.nix
./gitea.nix ./gitea.nix
./radio.nix
./samba.nix ./samba.nix
./owncast.nix ./owncast.nix
./mailserver.nix ./mailserver.nix

5
common/server/gitea-actions-runner.nix
View File

@@ -9,10 +9,7 @@
# TODO: skipping running inside of nixos container for now because of issues getting docker/podman running # TODO: skipping running inside of nixos container for now because of issues getting docker/podman running
let let
runnerRole = "gitea-actions-runner"; thisMachineIsARunner = config.thisMachine.hasRole."gitea-actions-runner";
runners = config.machines.roles.${runnerRole};
thisMachineIsARunner = builtins.elem config.networking.hostName runners;
containerName = "gitea-runner"; containerName = "gitea-runner";
in in
{ {

6
common/server/librechat.nix
View File

@@ -3,10 +3,10 @@
with lib; with lib;
let let
cfg = config.services.librechat; cfg = config.services.librechat-container;
in in
{ {
options.services.librechat = { options.services.librechat-container = {
enable = mkEnableOption "librechat"; enable = mkEnableOption "librechat";
port = mkOption { port = mkOption {
type = types.int; type = types.int;
@@ -21,7 +21,7 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
virtualisation.oci-containers.containers = { virtualisation.oci-containers.containers = {
librechat = { librechat = {
image = "ghcr.io/danny-avila/librechat:v0.7.7"; image = "ghcr.io/danny-avila/librechat:v0.8.1";
environment = { environment = {
HOST = "0.0.0.0"; HOST = "0.0.0.0";
MONGO_URI = "mongodb://host.containers.internal:27017/LibreChat"; MONGO_URI = "mongodb://host.containers.internal:27017/LibreChat";

18
common/server/mailserver.nix
View File

@@ -28,7 +28,6 @@ in
indexDir = "/var/lib/mailindex"; indexDir = "/var/lib/mailindex";
enableManageSieve = true; enableManageSieve = true;
fullTextSearch.enable = true; fullTextSearch.enable = true;
fullTextSearch.indexAttachments = true;
fullTextSearch.memoryLimit = 500; fullTextSearch.memoryLimit = 500;
inherit domains; inherit domains;
loginAccounts = { loginAccounts = {
@@ -64,18 +63,28 @@ in
"cris@runyan.org" "cris@runyan.org"
]; ];
}; };
certificateScheme = "acme-nginx"; # use let's encrypt for certs x509.useACMEHost = config.mailserver.fqdn; # use let's encrypt for certs
stateVersion = 3;
}; };
age.secrets.hashed-email-pw.file = ../../secrets/hashed-email-pw.age; age.secrets.hashed-email-pw.file = ../../secrets/hashed-email-pw.age;
age.secrets.cris-hashed-email-pw.file = ../../secrets/cris-hashed-email-pw.age; age.secrets.cris-hashed-email-pw.file = ../../secrets/cris-hashed-email-pw.age;
age.secrets.hashed-robots-email-pw.file = ../../secrets/hashed-robots-email-pw.age; age.secrets.hashed-robots-email-pw.file = ../../secrets/hashed-robots-email-pw.age;
# Get let's encrypt cert
services.nginx = {
enable = true;
virtualHosts."${config.mailserver.fqdn}" = {
forceSSL = true;
enableACME = true;
};
};
# sendmail to use xxx@domain instead of xxx@mail.domain # sendmail to use xxx@domain instead of xxx@mail.domain
services.postfix.origin = "$mydomain"; services.postfix.settings.main.myorigin = "$mydomain";
# relay sent mail through mailgun # relay sent mail through mailgun
# https://www.howtoforge.com/community/threads/different-smtp-relays-for-different-domains-in-postfix.82711/#post-392620 # https://www.howtoforge.com/community/threads/different-smtp-relays-for-different-domains-in-postfix.82711/#post-392620
services.postfix.config = { services.postfix.settings.main = {
smtp_sasl_auth_enable = "yes"; smtp_sasl_auth_enable = "yes";
smtp_sasl_security_options = "noanonymous"; smtp_sasl_security_options = "noanonymous";
smtp_sasl_password_maps = "hash:/var/lib/postfix/conf/sasl_relay_passwd"; smtp_sasl_password_maps = "hash:/var/lib/postfix/conf/sasl_relay_passwd";
@@ -93,7 +102,6 @@ in
age.secrets.sasl_relay_passwd.file = ../../secrets/sasl_relay_passwd.age; age.secrets.sasl_relay_passwd.file = ../../secrets/sasl_relay_passwd.age;
# webmail # webmail
services.nginx.enable = true;
services.roundcube = { services.roundcube = {
enable = true; enable = true;
hostName = config.mailserver.fqdn; hostName = config.mailserver.fqdn;

121
common/server/nextcloud.nix
View File

@@ -3,28 +3,44 @@
let let
cfg = config.services.nextcloud; cfg = config.services.nextcloud;
nextcloudHostname = "runyan.org";
collaboraOnlineHostname = "collabora.runyan.org";
whiteboardHostname = "whiteboard.runyan.org";
whiteboardPort = 3002; # Seems impossible to change
# Hardcoded public ip of ponyo... I wish I didn't need this...
public_ip_address = "147.135.114.130";
in in
{ {
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services.nextcloud = { services.nextcloud = {
https = true; https = true;
package = pkgs.nextcloud30; package = pkgs.nextcloud32;
hostName = "neet.cloud"; hostName = nextcloudHostname;
config.dbtype = "sqlite"; config.dbtype = "sqlite";
config.adminuser = "jeremy"; config.adminuser = "jeremy";
config.adminpassFile = "/run/agenix/nextcloud-pw"; config.adminpassFile = "/run/agenix/nextcloud-pw";
# Apps
autoUpdateApps.enable = true; autoUpdateApps.enable = true;
extraAppsEnable = true;
extraApps = with config.services.nextcloud.package.packages.apps; { extraApps = with config.services.nextcloud.package.packages.apps; {
# Want # Want
inherit end_to_end_encryption mail spreed; inherit end_to_end_encryption mail spreed;
# For file and document editing (collabora online and excalidraw)
inherit richdocuments whiteboard;
# Might use # Might use
inherit bookmarks calendar cookbook deck memories onlyoffice qownnotesapi; inherit calendar qownnotesapi;
# Try out # Try out
# inherit maps music news notes phonetrack polls forms; # inherit bookmarks cookbook deck memories maps music news notes phonetrack polls forms;
}; };
extraAppsEnable = true;
# Allows installing Apps from the UI (might remove later)
appstoreEnable = true;
}; };
age.secrets.nextcloud-pw = { age.secrets.nextcloud-pw = {
file = ../../secrets/nextcloud-pw.age; file = ../../secrets/nextcloud-pw.age;
@@ -40,5 +56,100 @@ in
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
}; };
# collabora-online
# https://diogotc.com/blog/collabora-nextcloud-nixos/
services.collabora-online = {
enable = true;
port = 15972;
settings = {
# Rely on reverse proxy for SSL
ssl = {
enable = false;
termination = true;
};
# Listen on loopback interface only
net = {
listen = "loopback";
post_allow.host = [ "localhost" ];
};
# Restrict loading documents from WOPI Host
storage.wopi = {
"@allow" = true;
host = [ config.services.nextcloud.hostName ];
};
server_name = collaboraOnlineHostname;
};
};
services.nginx.virtualHosts.${config.services.collabora-online.settings.server_name} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.collabora-online.port}";
proxyWebsockets = true;
};
};
systemd.services.nextcloud-config-collabora =
let
wopi_url = "http://localhost:${toString config.services.collabora-online.port}";
public_wopi_url = "https://${collaboraOnlineHostname}";
wopi_allowlist = lib.concatStringsSep "," [
"127.0.0.1"
"::1"
public_ip_address
];
in
{
wantedBy = [ "multi-user.target" ];
after = [ "nextcloud-setup.service" "coolwsd.service" ];
requires = [ "coolwsd.service" ];
path = [
config.services.nextcloud.occ
];
script = ''
nextcloud-occ -- config:app:set richdocuments wopi_url --value ${lib.escapeShellArg wopi_url}
nextcloud-occ -- config:app:set richdocuments public_wopi_url --value ${lib.escapeShellArg public_wopi_url}
nextcloud-occ -- config:app:set richdocuments wopi_allowlist --value ${lib.escapeShellArg wopi_allowlist}
nextcloud-occ -- richdocuments:setup
'';
serviceConfig = {
Type = "oneshot";
};
};
# Whiteboard
services.nextcloud-whiteboard-server = {
enable = true;
settings.NEXTCLOUD_URL = "https://${nextcloudHostname}";
secrets = [ "/run/agenix/whiteboard-server-jwt-secret" ];
};
systemd.services.nextcloud-config-whiteboard = {
wantedBy = [ "multi-user.target" ];
after = [ "nextcloud-setup.service" ];
requires = [ "coolwsd.service" ];
path = [
config.services.nextcloud.occ
];
script = ''
nextcloud-occ -- config:app:set whiteboard collabBackendUrl --value="https://${whiteboardHostname}"
nextcloud-occ -- config:app:set whiteboard jwt_secret_key --value="$JWT_SECRET_KEY"
'';
serviceConfig = {
Type = "oneshot";
EnvironmentFile = [ "/run/agenix/whiteboard-server-jwt-secret" ];
};
};
age.secrets.whiteboard-server-jwt-secret.file = ../../secrets/whiteboard-server-jwt-secret.age;
services.nginx.virtualHosts.${whiteboardHostname} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString whiteboardPort}";
proxyWebsockets = true;
};
};
}; };
} }

75
common/server/radio.nix
View File

@@ -1,75 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.radio;
radioPackage = config.inputs.radio.packages.${config.currentSystem}.radio;
in
{
options.services.radio = {
enable = lib.mkEnableOption "enable radio";
user = lib.mkOption {
type = lib.types.str;
default = "radio";
description = ''
The user radio should run as
'';
};
group = lib.mkOption {
type = lib.types.str;
default = "radio";
description = ''
The group radio should run as
'';
};
dataDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/radio";
description = ''
Path to the radio data directory
'';
};
host = lib.mkOption {
type = lib.types.str;
description = ''
Domain radio is hosted on
'';
};
nginx = lib.mkEnableOption "enable nginx";
};
config = lib.mkIf cfg.enable {
services.icecast = {
enable = true;
hostname = cfg.host;
mount = "stream.mp3";
fallback = "fallback.mp3";
};
services.nginx.virtualHosts.${cfg.host} = lib.mkIf cfg.nginx {
enableACME = true;
forceSSL = true;
locations."/".root = config.inputs.radio-web;
};
users.users.${cfg.user} = {
isSystemUser = true;
group = cfg.group;
home = cfg.dataDir;
createHome = true;
};
users.groups.${cfg.group} = { };
systemd.services.radio = {
enable = true;
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = "${radioPackage}/bin/radio ${config.services.icecast.listen.address}:${toString config.services.icecast.listen.port} ${config.services.icecast.mount} 5500";
serviceConfig.User = cfg.user;
serviceConfig.Group = cfg.group;
serviceConfig.WorkingDirectory = cfg.dataDir;
preStart = ''
mkdir -p ${cfg.dataDir}
chown ${cfg.user} ${cfg.dataDir}
'';
};
};
}

5
common/shell.nix
View File

@@ -21,8 +21,6 @@
shellInit = '' shellInit = ''
# disable annoying fish shell greeting # disable annoying fish shell greeting
set fish_greeting set fish_greeting
alias sudo="doas"
''; '';
}; };
@@ -43,6 +41,9 @@
# comma uses the "nix-index" package built into nixpkgs by default. # comma uses the "nix-index" package built into nixpkgs by default.
# That package doesn't use the prebuilt nix-index database so it needs to be changed. # That package doesn't use the prebuilt nix-index database so it needs to be changed.
comma = prev.comma.overrideAttrs (old: { comma = prev.comma.overrideAttrs (old: {
nativeBuildInputs = old.nativeBuildInputs ++ [
prev.makeWrapper
];
postInstall = '' postInstall = ''
wrapProgram $out/bin/comma \ wrapProgram $out/bin/comma \
--prefix PATH : ${lib.makeBinPath [ prev.fzy config.programs.nix-index.package ]} --prefix PATH : ${lib.makeBinPath [ prev.fzy config.programs.nix-index.package ]}

2
common/ssh.nix
View File

@@ -31,8 +31,6 @@
# TODO: Old ssh keys I will remove some day... # TODO: Old ssh keys I will remove some day...
machines.ssh.userKeys = [ machines.ssh.userKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVR/R3ZOsv7TZbICGBCHdjh1NDT8SnswUyINeJOC7QG"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dcqL/FhHmv+a1iz3f9LJ48xubO7MZHy35rW9SZOYM"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHSkKiRUUmnErOKGx81nyge/9KqjkPh8BfDk0D3oP586" # nat "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHSkKiRUUmnErOKGx81nyge/9KqjkPh8BfDk0D3oP586" # nat
]; ];
} }

156
flake.lock generated
View File

@@ -14,11 +14,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1723293904, "lastModified": 1762618334,
"narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", "rev": "fcdea223397448d35d9b31f798479227e80183f6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -74,11 +74,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1700795494, "lastModified": 1744478979,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
"owner": "lnl7", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -101,11 +101,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1727447169, "lastModified": 1766051518,
"narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=", "narHash": "sha256-znKOwPXQnt3o7lDb3hdf19oDo0BLP4MfBOYiWkEHoik=",
"owner": "serokell", "owner": "serokell",
"repo": "deploy-rs", "repo": "deploy-rs",
"rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76", "rev": "d5eff7f948535b9c723d60cd8239f8f11ddc90fa",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -117,11 +117,11 @@
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1696426674, "lastModified": 1767039857,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -137,11 +137,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1726560853, "lastModified": 1731533236,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -150,6 +150,54 @@
"type": "github" "type": "github"
} }
}, },
"git-hooks": {
"inputs": {
"flake-compat": [
"simple-nixos-mailserver",
"flake-compat"
],
"gitignore": "gitignore",
"nixpkgs": [
"simple-nixos-mailserver",
"nixpkgs"
]
},
"locked": {
"lastModified": 1763988335,
"narHash": "sha256-QlcnByMc8KBjpU37rbq5iP7Cp97HvjRP0ucfdh+M4Qc=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "50b9238891e388c9fdc6a5c49e49c42533a1b5ce",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"simple-nixos-mailserver",
"git-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -157,15 +205,16 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1740845322, "lastModified": 1768068402,
"narHash": "sha256-AXEgFj3C0YJhu9k1OhbRhiA6FnDr81dQZ65U3DhaWpw=", "narHash": "sha256-bAXnnJZKJiF7Xr6eNW6+PhBf1lg2P1aFUO9+xgWkXfA=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "fcac3d6d88302a5e64f6cb8014ac785e08874c8d", "rev": "8bc5473b6bc2b6e1529a9c4040411e1199c43b4c",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "master",
"repo": "home-manager", "repo": "home-manager",
"type": "github" "type": "github"
} }
@@ -177,11 +226,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1728263287, "lastModified": 1765267181,
"narHash": "sha256-GJDtsxz2/zw6g/Nrp4XVWBS5IaZ7ZUkuvxPOBEDe7pg=", "narHash": "sha256-d3NBA9zEtBu2JFMnTBqWj7Tmi7R5OikoU2ycrdhQEws=",
"owner": "Mic92", "owner": "Mic92",
"repo": "nix-index-database", "repo": "nix-index-database",
"rev": "5fce10c871bab6d7d5ac9e5e7efbb3a2783f5259", "rev": "82befcf7dc77c909b0f2a09f5da910ec95c5b78f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -192,11 +241,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1728056216, "lastModified": 1767185284,
"narHash": "sha256-IrO06gFUDTrTlIP3Sz+mRB6WUoO2YsgMtOD3zi0VEt0=", "narHash": "sha256-ljDBUDpD1Cg5n3mJI81Hz5qeZAwCGxon4kQW3Ho3+6Q=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "b7ca02c7565fbf6d27ff20dd6dbd49c5b82eef28", "rev": "40b1a28dce561bea34858287fbb23052c3ee63fe",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -208,11 +257,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1740374225, "lastModified": 1768105724,
"narHash": "sha256-Dnmzy5YWUVj3BNaZo5jRpZslXexbNKEk3ADGGcz9RpY=", "narHash": "sha256-0edMCoDc1VpuqDjy0oz8cDa4kjRuhXE3040sac2iZW4=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "3349acd765bdffe454f7c8bbc450855577c1a6cf", "rev": "4c41b0361812441bf3b4427195e57ab271d5167f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -222,47 +271,6 @@
"type": "github" "type": "github"
} }
}, },
"radio": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1631585589,
"narHash": "sha256-q4o/4/2pEuJyaKZwNQC5KHnzG1obClzFB7zWk9XSDfY=",
"ref": "main",
"rev": "5bf607fed977d41a269942a7d1e92f3e6d4f2473",
"revCount": 38,
"type": "git",
"url": "https://git.neet.dev/zuckerberg/radio.git"
},
"original": {
"ref": "main",
"rev": "5bf607fed977d41a269942a7d1e92f3e6d4f2473",
"type": "git",
"url": "https://git.neet.dev/zuckerberg/radio.git"
}
},
"radio-web": {
"flake": false,
"locked": {
"lastModified": 1652121792,
"narHash": "sha256-j1Y9MAjUVNgyFSeGzPoqibAnEysJDjZSXukVfQ7+bsQ=",
"ref": "refs/heads/master",
"rev": "72e7a9e80b780c84ed8d4a6374bfbb242701f900",
"revCount": 5,
"type": "git",
"url": "https://git.neet.dev/zuckerberg/radio-web.git"
},
"original": {
"type": "git",
"url": "https://git.neet.dev/zuckerberg/radio-web.git"
}
},
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
@@ -274,8 +282,6 @@
"nix-index-database": "nix-index-database", "nix-index-database": "nix-index-database",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"radio": "radio",
"radio-web": "radio-web",
"simple-nixos-mailserver": "simple-nixos-mailserver", "simple-nixos-mailserver": "simple-nixos-mailserver",
"systems": "systems" "systems": "systems"
} }
@@ -286,19 +292,17 @@
"flake-compat": [ "flake-compat": [
"flake-compat" "flake-compat"
], ],
"git-hooks": "git-hooks",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
],
"nixpkgs-24_05": [
"nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1722877200, "lastModified": 1766321686,
"narHash": "sha256-qgKDNJXs+od+1UbRy62uk7dYal3h98I4WojfIqMoGcg=", "narHash": "sha256-icOWbnD977HXhveirqA10zoqvErczVs3NKx8Bj+ikHY=",
"owner": "simple-nixos-mailserver", "owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver", "repo": "nixos-mailserver",
"rev": "af7d3bf5daeba3fc28089b015c0dd43f06b176f2", "rev": "7d433bf89882f61621f95082e90a4ab91eb0bdd3",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {

28
flake.nix
View File

@@ -19,7 +19,7 @@
# Home Manager # Home Manager
home-manager = { home-manager = {
url = "github:nix-community/home-manager"; url = "github:nix-community/home-manager/master";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
@@ -28,7 +28,6 @@
url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master"; url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
inputs = { inputs = {
nixpkgs.follows = "nixpkgs"; nixpkgs.follows = "nixpkgs";
nixpkgs-24_05.follows = "nixpkgs";
flake-compat.follows = "flake-compat"; flake-compat.follows = "flake-compat";
}; };
}; };
@@ -43,19 +42,6 @@
}; };
}; };
# Radio
radio = {
url = "git+https://git.neet.dev/zuckerberg/radio.git?ref=main&rev=5bf607fed977d41a269942a7d1e92f3e6d4f2473";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-utils.follows = "flake-utils";
};
};
radio-web = {
url = "git+https://git.neet.dev/zuckerberg/radio-web.git";
flake = false;
};
# Dailybot # Dailybot
dailybuild_modules = { dailybuild_modules = {
url = "git+https://git.neet.dev/zuckerberg/dailybot.git"; url = "git+https://git.neet.dev/zuckerberg/dailybot.git";
@@ -84,13 +70,11 @@
outputs = { self, nixpkgs, ... }@inputs: outputs = { self, nixpkgs, ... }@inputs:
let let
machines = (import ./common/machine-info/moduleless.nix machineHosts = (import ./common/machine-info/moduleless.nix
{ {
inherit nixpkgs; inherit nixpkgs;
assertionsModule = "${nixpkgs}/nixos/modules/misc/assertions.nix"; assertionsModule = "${nixpkgs}/nixos/modules/misc/assertions.nix";
}).machines; }).machines.hosts;
machineHosts = machines.hosts;
machineRoles = machines.roles;
in in
{ {
nixosConfigurations = nixosConfigurations =
@@ -115,10 +99,7 @@
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
home-manager.users.googlebot = import ./home/googlebot.nix { home-manager.users.googlebot = import ./home/googlebot.nix;
inherit hostname;
inherit machineRoles;
};
}; };
# because nixos specialArgs doesn't work for containers... need to pass in inputs a different way # because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
@@ -136,7 +117,6 @@
name = "nixpkgs-patched"; name = "nixpkgs-patched";
src = nixpkgs; src = nixpkgs;
patches = [ patches = [
./patches/gamepadui.patch
./patches/dont-break-nix-serve.patch ./patches/dont-break-nix-serve.patch
]; ];
}; };

111
home/googlebot.nix
View File

@@ -1,9 +1,8 @@
{ hostname, machineRoles }: { config, lib, pkgs, osConfig, ... }:
{ config, lib, pkgs, ... }:
let let
# Check if the current machine has the role "personal" # Check if the current machine has the role "personal"
thisMachineIsPersonal = builtins.elem hostname machineRoles.personal; thisMachineIsPersonal = osConfig.thisMachine.hasRole."personal";
in in
{ {
home.username = "googlebot"; home.username = "googlebot";
@@ -12,72 +11,48 @@ in
home.stateVersion = "24.11"; home.stateVersion = "24.11";
programs.home-manager.enable = true; programs.home-manager.enable = true;
services.ssh-agent.enable = true;
# System Monitoring
programs.btop.enable = true;
programs.bottom.enable = true;
# Modern "ls" replacement
programs.pls.enable = true;
programs.pls.enableFishIntegration = false;
programs.eza.enable = true;
# Graphical terminal
programs.ghostty.enable = thisMachineIsPersonal;
programs.ghostty.settings = {
theme = "Snazzy";
font-size = 10;
};
# Advanced terminal file explorer
programs.broot.enable = true;
# Shell promt theming
programs.fish.enable = true;
programs.starship.enable = true;
programs.starship.enableFishIntegration = true;
programs.starship.enableInteractive = true;
# programs.oh-my-posh.enable = true;
# programs.oh-my-posh.enableFishIntegration = true;
# Advanced search
programs.ripgrep.enable = true;
# tldr: Simplified, example based and community-driven man pages.
programs.tealdeer.enable = true;
home.shellAliases = {
sudo = "doas";
ls2 = "eza";
explorer = "broot";
};
programs.zed-editor = { programs.zed-editor = {
enable = thisMachineIsPersonal; enable = thisMachineIsPersonal;
extensions = [
"nix"
"toml"
"html"
"make"
"git-firefly"
"vue"
"scss"
];
userSettings = {
assistant = {
enabled = true;
version = "2";
default_model = {
provider = "openai";
model = "gpt-4-turbo";
};
};
features = {
edit_prediction_provider = "zed";
};
node = {
path = lib.getExe pkgs.nodejs;
npm_path = lib.getExe' pkgs.nodejs "npm";
};
auto_update = false;
terminal = {
blinking = "off";
copy_on_select = false;
};
lsp = {
rust-analyzer = {
# binary = {
# path = lib.getExe pkgs.rust-analyzer;
# };
binary = {
path = "/run/current-system/sw/bin/nix";
arguments = [ "develop" "--command" "rust-analyzer" ];
};
initialization_options = {
cargo = {
features = "all";
};
};
};
};
# tell zed to use direnv and direnv can use a flake.nix enviroment.
load_direnv = "shell_hook";
base_keymap = "VSCode";
theme = {
mode = "system";
light = "One Light";
dark = "Andrometa";
};
ui_font_size = 12;
buffer_font_size = 12;
};
}; };
} }

16
machines/ephemeral/minimal.nix
View File

@@ -7,12 +7,20 @@
../../common/ssh.nix ../../common/ssh.nix
]; ];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "e1000" "e1000e" "virtio_pci" "r8169" ]; boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"e1000"
"e1000e"
"virtio_pci"
"r8169"
"sdhci"
"sdhci_pci"
"mmc_core"
"mmc_block"
];
boot.kernelParams = [ boot.kernelParams = [
"panic=30"
"boot.panic_on_fail" # reboot the machine upon fatal boot issues
"console=ttyS0,115200" # enable serial console "console=ttyS0,115200" # enable serial console
"console=tty1"
]; ];
boot.kernel.sysctl."vm.overcommit_memory" = "1"; boot.kernel.sysctl."vm.overcommit_memory" = "1";

70
machines/fry/default.nix Normal file
View File

@@ -0,0 +1,70 @@
{ config, pkgs, lib, ... }:
{
imports = [
./hardware-configuration.nix
];
# don't use remote builders
nix.distributedBuilds = lib.mkForce false;
nix.gc.automatic = lib.mkForce false;
environment.systemPackages = with pkgs; [
system76-keyboard-configurator
];
services.ollama = {
enable = true;
package = pkgs.ollama-vulkan;
host = "127.0.0.1";
};
services.open-webui = {
enable = true;
host = "127.0.0.1"; # nginx proxy
port = 12831;
environment = {
ANONYMIZED_TELEMETRY = "False";
DO_NOT_TRACK = "True";
SCARF_NO_ANALYTICS = "True";
OLLAMA_API_BASE_URL = "http://localhost:${toString config.services.ollama.port}";
};
};
# nginx
services.nginx = {
enable = true;
openFirewall = false; # All nginx services are internal
virtualHosts =
let
mkHost = external: config:
{
${external} = {
useACMEHost = "fry.neet.dev"; # Use wildcard cert
forceSSL = true;
locations."/" = config;
};
};
mkVirtualHost = external: internal:
mkHost external {
proxyPass = internal;
proxyWebsockets = true;
};
in
lib.mkMerge [
(mkVirtualHost "chat.fry.neet.dev" "http://localhost:${toString config.services.open-webui.port}")
];
};
# Get wildcard cert
security.acme.certs."fry.neet.dev" = {
dnsProvider = "digitalocean";
credentialsFile = "/run/agenix/digitalocean-dns-credentials";
extraDomainNames = [ "*.fry.neet.dev" ];
group = "nginx";
dnsResolver = "1.1.1.1:53";
dnsPropagationCheck = false; # sadly this erroneously fails
};
age.secrets.digitalocean-dns-credentials.file = ../../secrets/digitalocean-dns-credentials.age;
}

50
machines/fry/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,50 @@
{ config, lib, pkgs, modulesPath, nixos-hardware, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
nixos-hardware.nixosModules.framework-amd-ai-300-series
];
boot.kernelPackages = pkgs.linuxPackages_latest;
services.fwupd.enable = true;
# boot
boot.loader.systemd-boot.enable = true;
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" "r8169" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
# thunderbolt
services.hardware.bolt.enable = true;
# firmware
firmware.x86_64.enable = true;
# disks
remoteLuksUnlock.enable = true;
boot.initrd.luks.devices."enc-pv" = {
device = "/dev/disk/by-uuid/d4f2f25a-5108-4285-968f-b24fb516d4f3";
allowDiscards = true;
};
fileSystems."/" =
{ device = "/dev/disk/by-uuid/a8901bc1-8642-442a-940a-ddd3f428cd0f";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/13E5-C9D4";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/03356a74-33f0-4a2e-b57a-ec9dfc9d85c5"; }
];
# Ensures that dhcp is active during initrd (Network Manager is used post boot)
boot.initrd.network.udhcpc.enable = true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

24
machines/fry/properties.nix Normal file
View File

@@ -0,0 +1,24 @@
{
hostNames = [
"fry"
];
arch = "x86_64-linux";
systemRoles = [
"personal"
"dns-challenge"
];
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/Df5lG07Il7fizEgZR/T9bMlR0joESRJ7cqM9BkOyP";
userKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5/h6YySqNemA4+e+xslhspBp34ulXKembe3RoeZ5av"
];
remoteUnlock = {
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL1RC1lhP4TSL2THvKAQAH7Y/eSGQPo/MjhTsZD6CEES";
clearnetHost = "192.168.1.3";
onionHost = "z7smmigsfrabqfnxqogfogmsu36jhpsyscncmd332w5ioheblw6i4lid.onion";
};
}

4
machines/howl/properties.nix
View File

@@ -15,10 +15,6 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPnLt84bKhUgFxjQf10+Htro9Lo1Pabqm8mGalBUniv" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPnLt84bKhUgFxjQf10+Htro9Lo1Pabqm8mGalBUniv"
]; ];
deployKeys = [
# TODO
];
remoteUnlock = { remoteUnlock = {
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN0N80r0Sl2WlJaUqfxZPkOtYyGumFazkIqq7eq3Gd2o"; hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN0N80r0Sl2WlJaUqfxZPkOtYyGumFazkIqq7eq3Gd2o";
onionHost = "ll6yjnkh4psmfwmtkmqoutl4gq4elqzbmjxv4s6gpgoavyi3kwhjvnqd.onion"; onionHost = "ll6yjnkh4psmfwmtkmqoutl4gq4elqzbmjxv4s6gpgoavyi3kwhjvnqd.onion";

50
machines/ponyo/default.nix
View File

@@ -56,44 +56,6 @@
config.services.drastikbot.dataDir config.services.drastikbot.dataDir
]; ];
# music radio
vpn-container.enable = true;
vpn-container.config = {
services.radio = {
enable = true;
host = "radio.runyan.org";
};
};
pia.wireguard.badPortForwardPorts = [ ];
services.nginx.virtualHosts = {
"radio.runyan.org" = {
enableACME = true;
forceSSL = true;
locations = {
"/stream.mp3" = {
proxyPass = "http://vpn.containers:8001/stream.mp3";
extraConfig = ''
add_header Access-Control-Allow-Origin *;
'';
};
"/".root = config.inputs.radio-web;
};
};
"radio.neet.space" = {
enableACME = true;
forceSSL = true;
locations = {
"/stream.mp3" = {
proxyPass = "http://vpn.containers:8001/stream.mp3";
extraConfig = ''
add_header Access-Control-Allow-Origin *;
'';
};
"/".root = config.inputs.radio-web;
};
};
};
# matrix home server # matrix home server
services.matrix = { services.matrix = {
enable = true; enable = true;
@@ -116,7 +78,7 @@
services.postgresql.package = pkgs.postgresql_15; services.postgresql.package = pkgs.postgresql_15;
# iodine DNS-based vpn # iodine DNS-based vpn
services.iodine.server.enable = true; # services.iodine.server.enable = true;
# proxied web services # proxied web services
services.nginx.enable = true; services.nginx.enable = true;
@@ -133,12 +95,12 @@
root = "/var/www/tmp"; root = "/var/www/tmp";
}; };
# redirect runyan.org to github # redirect neet.cloud to nextcloud instance on runyan.org
services.nginx.virtualHosts."runyan.org" = { services.nginx.virtualHosts."neet.cloud" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
rewrite ^/(.*)$ https://github.com/GoogleBot42 redirect; return 302 https://runyan.org$request_uri;
''; '';
}; };
@@ -147,6 +109,6 @@
services.owncast.hostname = "live.neet.dev"; services.owncast.hostname = "live.neet.dev";
# librechat # librechat
services.librechat.enable = true; services.librechat-container.enable = true;
services.librechat.host = "chat.neet.dev"; services.librechat-container.host = "chat.neet.dev";
} }

3
machines/router/default.nix
View File

@@ -22,8 +22,7 @@
# networking.useDHCP = lib.mkForce true; # networking.useDHCP = lib.mkForce true;
# TODO networking.usePredictableInterfaceNames = false;
# networking.usePredictableInterfaceNames = true;
powerManagement.cpuFreqGovernor = "ondemand"; powerManagement.cpuFreqGovernor = "ondemand";

14
machines/router/hardware-configuration.nix
View File

@@ -10,8 +10,6 @@
# Enable serial output # Enable serial output
boot.kernelParams = [ boot.kernelParams = [
"panic=30"
"boot.panic_on_fail" # reboot the machine upon fatal boot issues
"console=ttyS0,115200n8" # enable serial console "console=ttyS0,115200n8" # enable serial console
]; ];
boot.loader.grub.extraConfig = " boot.loader.grub.extraConfig = "
@@ -23,6 +21,8 @@
# firmware # firmware
firmware.x86_64.enable = true; firmware.x86_64.enable = true;
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
hardware.enableRedistributableFirmware = true;
hardware.enableAllFirmware = true;
# boot # boot
bios = { bios = {
@@ -31,20 +31,18 @@
}; };
# disks # disks
remoteLuksUnlock.enable = true;
boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/9b090551-f78e-45ca-8570-196ed6a4af0c";
fileSystems."/" = fileSystems."/" =
{ {
device = "/dev/disk/by-uuid/421c82b9-d67c-4811-8824-8bb57cb10fce"; device = "/dev/disk/by-uuid/6aa7f79e-bef8-4b0f-b22c-9d1b3e8ac94b";
fsType = "btrfs"; fsType = "ext4";
}; };
fileSystems."/boot" = fileSystems."/boot" =
{ {
device = "/dev/disk/by-uuid/d97f324f-3a2e-4b84-ae2a-4b3d1209c689"; device = "/dev/disk/by-uuid/14dfc562-0333-4ddd-b10c-4eeefe1cd05f";
fsType = "ext3"; fsType = "ext3";
}; };
swapDevices = swapDevices =
[{ device = "/dev/disk/by-uuid/45bf58dd-67eb-45e4-9a98-246e23fa7abd"; }]; [{ device = "/dev/disk/by-uuid/adf37c64-3b54-480c-a9a7-099d61c6eac7"; }];
nixpkgs.hostPlatform = "x86_64-linux"; nixpkgs.hostPlatform = "x86_64-linux";
} }

17
machines/router/properties.nix Normal file
View File

@@ -0,0 +1,17 @@
{
hostNames = [
"router"
"192.168.6.159"
"192.168.3.1"
];
arch = "x86_64-linux";
systemRoles = [
"server"
"wireless"
"router"
];
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKDCMhEvWJxFBNyvpyuljv5Uun8AdXCxBK9HvPBRe5x6";
}

21
machines/router/properties.nix.disabled
View File

@@ -1,21 +0,0 @@
{
hostNames = [
"router"
"192.168.1.228"
];
arch = "x86_64-linux";
systemRoles = [
"server"
"wireless"
"router"
];
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFr2IHmWFlaLaLp5dGoSmFEYKA/eg2SwGXAogaOmLsHL";
remoteUnlock = {
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOw5dTPmtKqiPBH6VKyz5MYBubn8leAh5Eaw7s/O85c";
onionHost = "jxx2exuihlls2t6ncs7rvrjh2dssubjmjtclwr2ysvxtr4t7jv55xmqd.onion";
};
}

255
machines/router/router.nix
View File

@@ -31,8 +31,10 @@ in
networking.bridges = { networking.bridges = {
br0 = { br0 = {
interfaces = [ interfaces = [
"enp2s0" "eth2"
"wlp4s0" # "wlp4s0"
# "wlan1"
"wlan0"
"wlan1" "wlan1"
]; ];
}; };
@@ -64,142 +66,173 @@ in
services.dnsmasq = { services.dnsmasq = {
enable = true; enable = true;
extraConfig = '' settings = {
# sensible behaviours # sensible behaviours
domain-needed domain-needed = true;
bogus-priv bogus-priv = true;
no-resolv no-resolv = true;
# upstream name servers # upstream name servers
server=1.1.1.1 server = [
server=8.8.8.8 "1.1.1.1"
"8.8.8.8"
];
# local domains # local domains
expand-hosts expand-hosts = true;
domain=home domain = "home";
local=/home/ local = "/home/";
# Interfaces to use DNS on # Interfaces to use DNS on
interface=br0 interface = "br0";
# subnet IP blocks to use DHCP on # subnet IP blocks to use DHCP on
dhcp-range=${cfg.privateSubnet}.10,${cfg.privateSubnet}.254,24h dhcp-range = "${cfg.privateSubnet}.10,${cfg.privateSubnet}.254,24h";
''; };
}; };
services.hostapd = { services.hostapd = {
enable = true; enable = true;
radios = { radios = {
# 2.4GHz # Simple 2.4GHz AP
wlp4s0 = { wlan0 = {
band = "2g";
noScan = true;
channel = 6;
countryCode = "US"; countryCode = "US";
wifi4 = { networks.wlan0 = {
capabilities = [ "LDPC" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935" "HT40+" ]; ssid = "CXNK00BF9176-1";
}; authentication.saePasswords = [{ passwordFile = "/run/agenix/hostapd-pw-CXNK00BF9176"; }];
wifi5 = {
operatingChannelWidth = "20or40";
capabilities = [ "MAX-A-MPDU-LEN-EXP0" ];
};
wifi6 = {
enable = true;
singleUserBeamformer = true;
singleUserBeamformee = true;
multiUserBeamformer = true;
operatingChannelWidth = "20or40";
};
networks = {
wlp4s0 = {
ssid = "CXNK00BF9176";
authentication.saePasswordsFile = "/run/agenix/hostapd-pw-CXNK00BF9176";
};
# wlp4s0-1 = {
# ssid = "- Experimental 5G Tower by AT&T";
# authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
# };
# wlp4s0-2 = {
# ssid = "FBI Surveillance Van 2";
# authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
# };
};
settings = {
he_oper_centr_freq_seg0_idx = 8;
vht_oper_centr_freq_seg0_idx = 8;
}; };
}; };
# 5GHz # WiFi 5 (5GHz) with two advertised networks
wlan1 = { wlan1 = {
band = "5g"; band = "5g";
noScan = true; channel = 0;
channel = 128;
countryCode = "US"; countryCode = "US";
wifi4 = { networks.wlan1 = {
capabilities = [ "LDPC" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935" "HT40-" ]; ssid = "CXNK00BF9176-1";
}; authentication.saePasswords = [{ passwordFile = "/run/agenix/hostapd-pw-CXNK00BF9176"; }];
wifi5 = {
operatingChannelWidth = "160";
capabilities = [ "RXLDPC" "SHORT-GI-80" "SHORT-GI-160" "TX-STBC-2BY1" "SU-BEAMFORMER" "SU-BEAMFORMEE" "MU-BEAMFORMER" "MU-BEAMFORMEE" "RX-ANTENNA-PATTERN" "TX-ANTENNA-PATTERN" "RX-STBC-1" "SOUNDING-DIMENSION-3" "BF-ANTENNA-3" "VHT160" "MAX-MPDU-11454" "MAX-A-MPDU-LEN-EXP7" ];
};
wifi6 = {
enable = true;
singleUserBeamformer = true;
singleUserBeamformee = true;
multiUserBeamformer = true;
operatingChannelWidth = "160";
};
networks = {
wlan1 = {
ssid = "CXNK00BF9176";
authentication.saePasswordsFile = "/run/agenix/hostapd-pw-CXNK00BF9176";
};
# wlan1-1 = {
# ssid = "- Experimental 5G Tower by AT&T";
# authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
# };
# wlan1-2 = {
# ssid = "FBI Surveillance Van 5";
# authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
# };
};
settings = {
vht_oper_centr_freq_seg0_idx = 114;
he_oper_centr_freq_seg0_idx = 114;
}; };
}; };
}; };
}; };
age.secrets.hostapd-pw-experimental-tower.file = ../../secrets/hostapd-pw-experimental-tower.age;
age.secrets.hostapd-pw-CXNK00BF9176.file = ../../secrets/hostapd-pw-CXNK00BF9176.age; age.secrets.hostapd-pw-CXNK00BF9176.file = ../../secrets/hostapd-pw-CXNK00BF9176.age;
hardware.firmware = [ # wlan0 5Ghz 00:0a:52:08:38:32
pkgs.mt7916-firmware # wlp4s0 2.4Ghz 00:0a:52:08:38:33
];
nixpkgs.overlays = [ # services.hostapd = {
(self: super: { # enable = true;
mt7916-firmware = pkgs.stdenvNoCC.mkDerivation { # radios = {
pname = "mt7916-firmware"; # # 2.4GHz
version = "custom-feb-02-23"; # wlp4s0 = {
src = ./firmware/mediatek; # from here https://github.com/openwrt/mt76/issues/720#issuecomment-1413537674 # band = "2g";
dontBuild = true; # noScan = true;
installPhase = '' # channel = 6;
for i in \ # countryCode = "US";
mt7916_eeprom.bin \ # wifi4 = {
mt7916_rom_patch.bin \ # capabilities = [ "LDPC" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935" "HT40+" ];
mt7916_wa.bin \ # };
mt7916_wm.bin; # wifi5 = {
do # operatingChannelWidth = "20or40";
install -D -pm644 $i $out/lib/firmware/mediatek/$i # capabilities = [ "MAX-A-MPDU-LEN-EXP0" ];
done # };
''; # wifi6 = {
meta = with lib; { # enable = true;
license = licenses.unfreeRedistributableFirmware; # singleUserBeamformer = true;
}; # singleUserBeamformee = true;
}; # multiUserBeamformer = true;
}) # operatingChannelWidth = "20or40";
]; # };
# networks = {
# wlp4s0 = {
# ssid = "CXNK00BF9176";
# authentication.saePasswordsFile = "/run/agenix/hostapd-pw-CXNK00BF9176";
# };
# # wlp4s0-1 = {
# # ssid = "- Experimental 5G Tower by AT&T";
# # authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
# # };
# # wlp4s0-2 = {
# # ssid = "FBI Surveillance Van 2";
# # authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
# # };
# };
# settings = {
# he_oper_centr_freq_seg0_idx = 8;
# vht_oper_centr_freq_seg0_idx = 8;
# };
# };
# # 5GHz
# wlan1 = {
# band = "5g";
# noScan = true;
# channel = 128;
# countryCode = "US";
# wifi4 = {
# capabilities = [ "LDPC" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935" "HT40-" ];
# };
# wifi5 = {
# operatingChannelWidth = "160";
# capabilities = [ "RXLDPC" "SHORT-GI-80" "SHORT-GI-160" "TX-STBC-2BY1" "SU-BEAMFORMER" "SU-BEAMFORMEE" "MU-BEAMFORMER" "MU-BEAMFORMEE" "RX-ANTENNA-PATTERN" "TX-ANTENNA-PATTERN" "RX-STBC-1" "SOUNDING-DIMENSION-3" "BF-ANTENNA-3" "VHT160" "MAX-MPDU-11454" "MAX-A-MPDU-LEN-EXP7" ];
# };
# wifi6 = {
# enable = true;
# singleUserBeamformer = true;
# singleUserBeamformee = true;
# multiUserBeamformer = true;
# operatingChannelWidth = "160";
# };
# networks = {
# wlan1 = {
# ssid = "CXNK00BF9176";
# authentication.saePasswordsFile = "/run/agenix/hostapd-pw-CXNK00BF9176";
# };
# # wlan1-1 = {
# # ssid = "- Experimental 5G Tower by AT&T";
# # authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
# # };
# # wlan1-2 = {
# # ssid = "FBI Surveillance Van 5";
# # authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
# # };
# };
# settings = {
# vht_oper_centr_freq_seg0_idx = 114;
# he_oper_centr_freq_seg0_idx = 114;
# };
# };
# };
# };
# age.secrets.hostapd-pw-experimental-tower.file = ../../secrets/hostapd-pw-experimental-tower.age;
# age.secrets.hostapd-pw-CXNK00BF9176.file = ../../secrets/hostapd-pw-CXNK00BF9176.age;
# hardware.firmware = [
# pkgs.mt7916-firmware
# ];
# nixpkgs.overlays = [
# (self: super: {
# mt7916-firmware = pkgs.stdenvNoCC.mkDerivation {
# pname = "mt7916-firmware";
# version = "custom-feb-02-23";
# src = ./firmware/mediatek; # from here https://github.com/openwrt/mt76/issues/720#issuecomment-1413537674
# dontBuild = true;
# installPhase = ''
# for i in \
# mt7916_eeprom.bin \
# mt7916_rom_patch.bin \
# mt7916_wa.bin \
# mt7916_wm.bin;
# do
# install -D -pm644 $i $out/lib/firmware/mediatek/$i
# done
# '';
# meta = with lib; {
# license = licenses.unfreeRedistributableFirmware;
# };
# };
# })
# ];
}; };
} }

10
machines/storage/s0/dashy.nix
View File

@@ -214,15 +214,6 @@
statusCheck = true; statusCheck = true;
id = "0_836_matrix"; id = "0_836_matrix";
}; };
radio = {
title = "Radio";
description = "Radio service";
icon = "generative";
url = "https://radio.runyan.org";
target = "sametab";
statusCheck = true;
id = "1_836_radio";
};
mumble = { mumble = {
title = "Mumble"; title = "Mumble";
description = "voice.neet.space"; description = "voice.neet.space";
@@ -280,7 +271,6 @@
}; };
servicesList = [ servicesList = [
servicesItems.matrix servicesItems.matrix
servicesItems.radio
servicesItems.mumble servicesItems.mumble
servicesItems.irc servicesItems.irc
servicesItems.git servicesItems.git

108
machines/storage/s0/default.nix
View File

@@ -20,13 +20,13 @@
secretKeyFile = "/run/agenix/binary-cache-private-key"; secretKeyFile = "/run/agenix/binary-cache-private-key";
}; };
age.secrets.binary-cache-private-key.file = ../../../secrets/binary-cache-private-key.age; age.secrets.binary-cache-private-key.file = ../../../secrets/binary-cache-private-key.age;
users.users.cache-push = { # users.users.cache-push = {
isNormalUser = true; # isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpUZFFL9BpBVqeeU63sFPhR9ewuhEZerTCDIGW1NPSB" ]; # openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpUZFFL9BpBVqeeU63sFPhR9ewuhEZerTCDIGW1NPSB" ];
}; # };
nix.settings = { # nix.settings = {
trusted-users = [ "cache-push" ]; # trusted-users = [ "cache-push" ];
}; # };
services.iperf3.enable = true; services.iperf3.enable = true;
services.iperf3.openFirewall = true; services.iperf3.openFirewall = true;
@@ -75,9 +75,36 @@
services.lidarr.enable = true; services.lidarr.enable = true;
services.lidarr.user = "public_data"; services.lidarr.user = "public_data";
services.lidarr.group = "public_data"; services.lidarr.group = "public_data";
services.recyclarr = {
enable = true;
configuration = {
radarr.radarr_main = {
api_key = {
_secret = "/run/credentials/recyclarr.service/radarr-api-key";
};
base_url = "http://localhost:7878";
quality_definition.type = "movie";
};
sonarr.sonarr_main = {
api_key = {
_secret = "/run/credentials/recyclarr.service/sonarr-api-key";
};
base_url = "http://localhost:8989";
quality_definition.type = "series";
};
};
};
systemd.services.recyclarr.serviceConfig.LoadCredential = [
"radarr-api-key:/run/agenix/radarr-api-key"
"sonarr-api-key:/run/agenix/sonarr-api-key"
];
services.transmission = { services.transmission = {
enable = true; enable = true;
package = pkgs.transmission_4;
performanceNetParameters = true; performanceNetParameters = true;
user = "public_data"; user = "public_data";
group = "public_data"; group = "public_data";
@@ -145,21 +172,18 @@
8686 # lidarr 8686 # lidarr
9091 # transmission web 9091 # transmission web
]; ];
age.secrets.radarr-api-key.file = ../../../secrets/radarr-api-key.age;
age.secrets.sonarr-api-key.file = ../../../secrets/sonarr-api-key.age;
# jellyfin # jellyfin
# jellyfin cannot run in the vpn container and use hardware encoding # jellyfin cannot run in the vpn container and use hardware encoding
# I could not figure out how to allow the container to access the encoder # I could not figure out how to allow the container to access the encoder
services.jellyfin.enable = true; services.jellyfin.enable = true;
users.users.${config.services.jellyfin.user}.extraGroups = [ "public_data" ]; users.users.${config.services.jellyfin.user}.extraGroups = [ "public_data" ];
nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
};
hardware.graphics = { hardware.graphics = {
enable = true; enable = true;
extraPackages = with pkgs; [ extraPackages = with pkgs; [
intel-media-driver intel-media-driver
vaapiIntel
vaapiVdpau
libvdpau-va-gl libvdpau-va-gl
intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in) intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
]; ];
@@ -209,7 +233,7 @@
globalRedirect = "s0.neet.dev"; globalRedirect = "s0.neet.dev";
}; };
} }
(mkVirtualHost "ha.s0.neet.dev" "http://localhost:8123") # home assistant (mkVirtualHost "ha.s0.neet.dev" "http://localhost:${toString config.services.home-assistant.config.http.server_port}")
(mkVirtualHost "esphome.s0.neet.dev" "http://localhost:6052") (mkVirtualHost "esphome.s0.neet.dev" "http://localhost:6052")
(mkVirtualHost "zigbee.s0.neet.dev" "http://localhost:55834") (mkVirtualHost "zigbee.s0.neet.dev" "http://localhost:55834")
{ {
@@ -223,6 +247,10 @@
(mkVirtualHost "sandman.s0.neet.dev" "http://192.168.9.14:3000") # es (mkVirtualHost "sandman.s0.neet.dev" "http://192.168.9.14:3000") # es
(mkVirtualHost "todo.s0.neet.dev" "http://localhost:${toString config.services.vikunja.port}") (mkVirtualHost "todo.s0.neet.dev" "http://localhost:${toString config.services.vikunja.port}")
(mkVirtualHost "budget.s0.neet.dev" "http://localhost:${toString config.services.actual.settings.port}") # actual budget (mkVirtualHost "budget.s0.neet.dev" "http://localhost:${toString config.services.actual.settings.port}") # actual budget
(mkVirtualHost "linkwarden.s0.neet.dev" "http://localhost:${toString config.services.linkwarden.port}")
(mkVirtualHost "memos.s0.neet.dev" "http://localhost:${toString config.services.memos.settings.MEMOS_PORT}")
(mkVirtualHost "outline.s0.neet.dev" "http://localhost:${toString config.services.outline.port}")
(mkVirtualHost "languagetool.s0.neet.dev" "http://localhost:${toString config.services.languagetool.port}")
]; ];
tailscaleAuth = { tailscaleAuth = {
@@ -243,6 +271,11 @@
"zigbee.s0.neet.dev" "zigbee.s0.neet.dev"
"vacuum.s0.neet.dev" "vacuum.s0.neet.dev"
"todo.s0.neet.dev" "todo.s0.neet.dev"
"budget.s0.neet.dev"
"linkwarden.s0.neet.dev"
# "memos.s0.neet.dev" # messes up memos /auth route
# "outline.s0.neet.dev" # messes up outline /auth route
"languagetool.s0.neet.dev"
]; ];
expectedTailnet = "koi-bebop.ts.net"; expectedTailnet = "koi-bebop.ts.net";
}; };
@@ -286,5 +319,54 @@
services.actual.enable = true; services.actual.enable = true;
services.linkwarden = {
enable = true;
enableRegistration = true;
port = 41709;
environment.NEXTAUTH_URL = "https://linkwarden.s0.neet.dev/api/v1/auth";
environmentFile = "/run/agenix/linkwarden-environment";
};
age.secrets.linkwarden-environment.file = ../../../secrets/linkwarden-environment.age;
services.meilisearch = {
enable = true;
package = pkgs.meilisearch;
};
services.flaresolverr = {
enable = true;
port = 48072;
};
services.memos = {
enable = true;
settings.MEMOS_PORT = "57643";
};
services.outline = {
enable = true;
forceHttps = false; # https through nginx
port = 43933;
publicUrl = "https://outline.s0.neet.dev";
storage.storageType = "local";
smtp = {
secure = true;
fromEmail = "robot@runyan.org";
username = "robot@runyan.org";
replyEmail = "robot@runyan.org";
host = "mail.neet.dev";
port = 465;
passwordFile = "/run/agenix/robots-email-pw";
};
};
age.secrets.robots-email-pw = {
file = ../../../secrets/robots-email-pw.age;
owner = config.services.outline.user;
};
services.languagetool = {
enable = true;
port = 60613;
};
boot.binfmt.emulatedSystems = [ "aarch64-linux" "armv7l-linux" ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" "armv7l-linux" ];
} }

28
machines/storage/s0/frigate.nix
View File

@@ -84,6 +84,11 @@ lib.mkMerge [
services.frigate = { services.frigate = {
enable = true; enable = true;
hostname = frigateHostname; hostname = frigateHostname;
# Sadly this fails because it doesn't support frigate's var substition format
# which is critical... so what's even the point of it then?
checkConfig = false;
settings = { settings = {
mqtt = { mqtt = {
enabled = true; enabled = true;
@@ -136,37 +141,16 @@ lib.mkMerge [
} }
{ {
# hardware encode/decode with amdgpu vaapi # hardware encode/decode with amdgpu vaapi
systemd.services.frigate = { services.frigate.vaapiDriver = "radeonsi";
environment.LIBVA_DRIVER_NAME = "radeonsi";
serviceConfig = {
SupplementaryGroups = [ "render" "video" ]; # for access to dev/dri/*
AmbientCapabilities = "CAP_PERFMON";
};
};
services.frigate.settings.ffmpeg.hwaccel_args = "preset-vaapi"; services.frigate.settings.ffmpeg.hwaccel_args = "preset-vaapi";
} }
{ {
# Coral TPU for frigate # Coral TPU for frigate
services.udev.packages = [ pkgs.libedgetpu ];
users.groups.apex = { };
systemd.services.frigate.environment.LD_LIBRARY_PATH = "${pkgs.libedgetpu}/lib";
systemd.services.frigate.serviceConfig.SupplementaryGroups = [ "apex" ];
# Coral PCIe driver
boot.extraModulePackages = with config.boot.kernelPackages; [ gasket ];
services.udev.extraRules = ''
SUBSYSTEM=="apex", MODE="0660", GROUP="apex"
'';
services.frigate.settings.detectors.coral = { services.frigate.settings.detectors.coral = {
type = "edgetpu"; type = "edgetpu";
device = "pci"; device = "pci";
}; };
} }
{
# Fix bug in nixos module where cache is not cleared when starting the service because "rm" cannot be found
systemd.services.frigate.serviceConfig.ExecStartPre = lib.mkForce "${pkgs.bash}/bin/sh -c 'rm -f /var/cache/frigate/*.mp4'";
}
{ {
# Don't require authentication for frigate # Don't require authentication for frigate
# This is ok because the reverse proxy already requires tailscale access anyway # This is ok because the reverse proxy already requires tailscale access anyway

57
machines/storage/s0/hardware-configuration.nix
View File

@@ -58,43 +58,48 @@
}; };
swapDevices = [ ]; swapDevices = [ ];
### networking ###
# systemd.network.enable = true;
networking = { networking = {
dhcpcd.enable = false; # useNetworkd = true;
dhcpcd.enable = true;
interfaces."eth0".useDHCP = true;
interfaces."eth1".useDHCP = false;
interfaces."main@eth1".useDHCP = true;
interfaces."iot@eth1".useDHCP = true;
interfaces."management@eth1".useDHCP = true;
vlans = { vlans = {
main = {
id = 5;
interface = "eth1";
};
iot = { iot = {
id = 2; id = 2;
interface = "eth1"; interface = "eth1";
}; };
management = {
id = 4;
interface = "eth1";
};
}; };
interfaces.eth1.ipv4.addresses = [{ # interfaces.eth1.ipv4.addresses = [{
address = "192.168.1.2"; # address = "192.168.1.2";
prefixLength = 21; # prefixLength = 21;
}]; # }];
interfaces.iot.ipv4.addresses = [{ # interfaces.iot.ipv4.addresses = [{
address = "192.168.9.8"; # address = "192.168.9.8";
prefixLength = 22; # prefixLength = 22;
}]; # }];
defaultGateway = "192.168.1.1"; defaultGateway = {
nameservers = [ "1.1.1.1" "8.8.8.8" ]; # interface = "eth1";
address = "192.168.1.1";
};
# nameservers = [ "1.1.1.1" "8.8.8.8" ];
}; };
# networking = {
# vlans = {
# iot = {
# id = 2;
# interface = "eth1";
# };
# };
# defaultGateway = {
# interface = "eth1";
# address = "192.168.1.1";
# metric = 10; # always use this route as default gateway
# };
# };
powerManagement.cpuFreqGovernor = "powersave"; powerManagement.cpuFreqGovernor = "powersave";
} }

62
machines/storage/s0/home-automation.nix
View File

@@ -15,13 +15,20 @@
]; ];
}; };
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
1883 # mqtt # mqtt
1883
# Must be exposed so some local devices (such as HA voice preview) can pair with home assistant
config.services.home-assistant.config.http.server_port
# Music assistant (must be exposed so local devices can fetch the audio stream from it)
8095
8097
]; ];
services.zigbee2mqtt = { services.zigbee2mqtt = {
enable = true; enable = true;
settings = { settings = {
homeassistant = true;
permit_join = false; permit_join = false;
serial = { serial = {
adapter = "ember"; adapter = "ember";
@@ -47,6 +54,7 @@
enable = true; enable = true;
extraComponents = [ extraComponents = [
"default_config" "default_config"
"rest_command"
"esphome" "esphome"
"met" "met"
"radio_browser" "radio_browser"
@@ -74,13 +82,23 @@
"homekit_controller" "homekit_controller"
"zha" "zha"
"bluetooth" "bluetooth"
"whisper"
"piper"
"wyoming"
"tts"
"music_assistant"
"openai_conversation"
]; ];
# config = null;
config = { config = {
# Includes dependencies for a basic setup # Includes dependencies for a basic setup
# https://www.home-assistant.io/integrations/default_config/ # https://www.home-assistant.io/integrations/default_config/
default_config = { }; default_config = { };
homeassistant = {
external_url = "https://ha.s0.neet.dev";
internal_url = "http://192.168.1.2:${toString config.services.home-assistant.config.http.server_port}";
};
# Enable reverse proxy support # Enable reverse proxy support
http = { http = {
use_x_forwarded_for = true; use_x_forwarded_for = true;
@@ -94,6 +112,44 @@
]; ];
# Allow using automations generated from the UI # Allow using automations generated from the UI
"automation ui" = "!include automations.yaml"; "automation ui" = "!include automations.yaml";
"rest_command" = {
json_post_request = {
url = "{{ url }}";
method = "POST";
content_type = "application/json";
payload = "{{ payload | default('{}') }}";
};
};
}; };
}; };
services.wyoming.faster-whisper.servers."hass" = {
enable = true;
uri = "tcp://0.0.0.0:45785";
model = "distil-small.en";
language = "en";
};
services.wyoming.piper.servers."hass" = {
enable = true;
uri = "tcp://0.0.0.0:45786";
voice = "en_US-joe-medium";
};
services.music-assistant = {
enable = true;
providers = [
"hass"
"hass_players"
"jellyfin"
"radiobrowser"
"spotify"
];
};
networking.hosts = {
# Workaround for broken spotify api integration
# https://github.com/librespot-org/librespot/issues/1527#issuecomment-3167094158
"0.0.0.0" = [ "apresolve.spotify.com" ];
};
} }

7
machines/storage/s0/properties.nix
View File

@@ -1,6 +1,7 @@
{ {
hostNames = [ hostNames = [
"s0" "s0"
"s0.neet.dev"
]; ];
arch = "x86_64-linux"; arch = "x86_64-linux";
@@ -13,12 +14,18 @@
"gitea-actions-runner" "gitea-actions-runner"
"frigate" "frigate"
"zigbee" "zigbee"
"media-server"
"linkwarden"
"outline"
"dns-challenge"
]; ];
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q"; hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";
remoteUnlock = { remoteUnlock = {
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNiceeFMos5ZXcYem4yFxh8PiZNNnuvhlyLbQLrgIZH"; hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNiceeFMos5ZXcYem4yFxh8PiZNNnuvhlyLbQLrgIZH";
clearnetHost = "192.168.1.2";
onionHost = "r3zvf7f2ppaeithzswigma46pajt3hqytmkg3rshgknbl3jbni455fqd.onion"; onionHost = "r3zvf7f2ppaeithzswigma46pajt3hqytmkg3rshgknbl3jbni455fqd.onion";
}; };
} }

32
machines/zoidberg/default.nix
View File

@@ -20,10 +20,6 @@
); );
services.mount-samba.enable = true; services.mount-samba.enable = true;
# Login DE Option: RetroArch
services.xserver.desktopManager.retroarch.enable = true;
services.xserver.desktopManager.retroarch.package = pkgs.retroarchFull;
# wireless xbox controller support # wireless xbox controller support
hardware.xone.enable = true; hardware.xone.enable = true;
boot.kernelModules = [ "xone-wired" "xone-dongle" ]; boot.kernelModules = [ "xone-wired" "xone-dongle" ];
@@ -39,28 +35,6 @@
"L+ /opt/rocm/hip - - - - ${pkgs.rocmPackages.clr}" "L+ /opt/rocm/hip - - - - ${pkgs.rocmPackages.clr}"
]; ];
# System wide barrier instance
# systemd.services.barrier-sddm = {
# description = "Barrier mouse/keyboard share";
# requires = [ "display-manager.service" ];
# after = [ "network.target" "display-manager.service" ];
# wantedBy = [ "multi-user.target" ];
# serviceConfig = {
# Restart = "always";
# RestartSec = 10;
# # todo use user/group
# };
# path = with pkgs; [ barrier doas ];
# script = ''
# # Wait for file to show up. "display-manager.service" finishes a bit too soon
# while ! [ -e /run/sddm/* ]; do sleep 1; done;
# export XAUTHORITY=$(ls /run/sddm/*)
# # Disable crypto is fine because tailscale is E2E encrypting better than barrier could anyway
# barrierc -f --disable-crypto --name zoidberg ray.koi-bebop.ts.net
# '';
# };
# Login into X11 plasma so barrier works well
services.displayManager.defaultSession = "plasma"; services.displayManager.defaultSession = "plasma";
users.users.cris = { users.users.cris = {
@@ -89,19 +63,17 @@
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
jellyfin-media-player
config.services.xserver.desktopManager.kodi.package config.services.xserver.desktopManager.kodi.package
spotify spotify
retroarchFull
]; ];
# Command and Conquer Ports # Command and Conquer Ports
networking.firewall.allowedUDPPorts = [ 4321 27900 ]; networking.firewall.allowedUDPPorts = [ 4321 27900 ];
networking.firewall.allowedTCPPorts = [ 6667 28910 29900 29920 ]; networking.firewall.allowedTCPPorts = [ 6667 28910 29900 29920 ];
nixpkgs.config.rocmSupport = true;
services.ollama = { services.ollama = {
enable = true; enable = true;
acceleration = "rocm"; package = pkgs.ollama-vulkan;
host = "127.0.0.1";
}; };
} }

4
patches/dont-break-nix-serve.patch
View File

@@ -1,8 +1,8 @@
diff --git a/nixos/modules/services/video/frigate.nix b/nixos/modules/services/video/frigate.nix diff --git a/nixos/modules/services/video/frigate.nix b/nixos/modules/services/video/frigate.nix
index 49f8ed673816..643b59d68dde 100644 index f8d8f64e55da..39326d094118 100644
--- a/nixos/modules/services/video/frigate.nix --- a/nixos/modules/services/video/frigate.nix
+++ b/nixos/modules/services/video/frigate.nix +++ b/nixos/modules/services/video/frigate.nix
@@ -482,10 +482,6 @@ in @@ -609,10 +609,6 @@ in
}; };
}; };
extraConfig = '' extraConfig = ''

13
patches/gamepadui.patch
View File

@@ -1,13 +0,0 @@
diff --git a/nixos/modules/programs/steam.nix b/nixos/modules/programs/steam.nix
index 29c449c16946..f6c728eb7f0c 100644
--- a/nixos/modules/programs/steam.nix
+++ b/nixos/modules/programs/steam.nix
@@ -11,7 +11,7 @@ let
in
pkgs.writeShellScriptBin "steam-gamescope" ''
${builtins.concatStringsSep "\n" exports}
- gamescope --steam ${builtins.toString cfg.gamescopeSession.args} -- steam -tenfoot -pipewire-dmabuf
+ gamescope --steam ${builtins.toString cfg.gamescopeSession.args} -- steam -gamepadui -steamdeck -pipewire-dmabuf &> /tmp/steamlog
'';
gamescopeSessionFile =

53
secrets/backblaze-s3-backups.age
View File

@@ -1,24 +1,31 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 N7drjg YHZO6ENbBihFQFqRRjdWtgfX3R+qHtaJWIa54igHpEc -> ssh-ed25519 qEbiMg V0tr/++dhQWcgmy46gcBm3t5qffN6N4ykabjMGdLLxg
HLeZDyErwJme8knPYCxuSXMmHBkz2kDI6OBG6/EtP7w oCCUu3kOopP5JgYAiytDrxHOo3LVtyAu1OAmJRg1nV8
-> ssh-ed25519 yHDAQw 2YvHNNsiDJSUkKZOlhWzP4l1NfH0zTnldZV4Jjfy620 -> ssh-ed25519 N7drjg HAu/AkGATNY7L3O2ospdN+r+KKVWD1yzi/kKmH5Fhzc
dHM0wG9JLiQJJ+NquhPeI/xv1iEqsxRy9D//NcYTr8k p8Y2vToiWACE/LNXa14fbAwuc5FfgR5day8Gu1uSVL8
-> ssh-ed25519 jQaHAA QtNkLsgdVgJqbmxLFhaf7AIG208NXHzgBweO8L3Dc3E -> ssh-ed25519 jQaHAA YuZH6pmrOAgzPNA2Mx7u827fYXOHJQ9XW8XR5h7XAFs
SGjvdajk9M5azgP4QcynnxKieKEJYil1T2az4hYffdM x1urfkuEH/1hHxBDK1Y7vjQMSUpUIj7uK7EGs/GtNk4
-> ssh-ed25519 w3nu8g JuFJuOdVOc8Uk5es2rpqPVHgg+l6/K0J+MHDFuffn0A -> ssh-ed25519 ZDy34A AFzSzksrxlpyZfromJSB7u2HTVf7EC8Aydb7U0mQWUs
n7tzohV+Uvecu6GVNeht/O/dL4x6e5SVdHEzRbJg3rI eWffyc2OIIEBxkk3y68xSzrDbheTzKnlilEt2VoNSaI
-> ssh-ed25519 dMQYog 44RRRe8M2FJWigy3d9TNaUQSM47gLDgU38F6ow1Xe2c -> ssh-ed25519 w3nu8g MSI33XCDIZN4azrtb6hh6k6Gl1BYwaRK5/ROS6DHj10
uQVkQma/hZVMCMtgcelyZhscvc46LItvbcPBuJI81Ns kg057sgb1LLkoNgzTmCdgoM35BqV2gRjk4GLIytR8ng
-> ssh-ed25519 WBT1Hw +b+2TOduL4XERN7qOYPtJ3R5w54m7VYqmyy8Smz6tXU -> ssh-ed25519 evqvfg Rssqwh73ihyNldaHFb65m0PGIi0VAySg7bHK8BTrHRI
TyQ+bjSK6IYSulW0rm12V+lpXYCt5kr3byaNNGJeMVc bNCBI3MvfFT88sgVFbgCaOrRozcDMISdCn9IJJeACOI
-> ssh-ed25519 6AT2/g ZUmtQOHWmn0shq1iP3Ca7aQ74PLcqZGTprvsM/HAXR8 -> ssh-ed25519 WBT1Hw y+gFWQQ/FbD1im+D6rcsGsVOYpfkgw0b2P6Gx4J+5WM
eNonzRSAwNCQi0DgtVs67zCjpOYsqeLEJYBmLjuS9rI od9fIeEqmEbMd0Bv+iI3UdUl2MtelF/Q+ew+4wKU6nw
-> ssh-ed25519 hPp1nw qzrGZr5bFvfPwWrfNIUFubvGXBT+oQo9HZQuePSbPwk -> ssh-ed25519 6AT2/g +sWGzEbUwMjkY+oTFa72/wbP0VejtVpvEJocmb4ApjY
MKNlVl3OXBYEFWiu2hbbXDQnqkV4nENG+lcLcd+H33I 2HipJHjD9dKzUSWdBCVkDgpUtHNaQl7WJFvEPS6fpxw
-> ssh-ed25519 w3nu8g H2UDASHwHNxU74g5IbuHIDHEZYgyWNmSX7Wv/lV41HQ -> ssh-ed25519 r848+g BTw707tEO/KQhhKsWgYYdGC+pdQyA4zhaHLt6BFen3E
WMgKT0GZxWQoK57E9B2j8MsyOroMhWd5SiCQtZa7AIY ldBDOfC7/8vkOS01D/solHplEeIMvArHZsJL31FMYdg
-> ssh-ed25519 dMQYog YkL6XApXeP9qc4pVaIHFaNmYIK/PVEKoJz5SotQbGmQ -> ssh-ed25519 hPp1nw Sbzvkbw5FauhfNT1oQjjycUZ84c6sijyUlYgCc7bzjE
H+3wAxIl9Yip4xQqjhje9tL1V4m00NNSxNjH6Dbb1K8 WQJ3KW8pGB8i0I7yI0/Tr99wTCsZwEtSWpUm4CiU/wA
--- vBQpXXpKzzXwpNP17r8OBqO4Q3bIS4pHqbEl4u9dB1w -> ssh-ed25519 ZDy34A I4d/QR9LScC9NpN5upKITEc2BjJXKb4BiF/FZwpcW1Y
ÎL“9[íg¡dŒxgº8Ø*0«šœ…·¾öWå&`*?`ÔÊ­I÷Ýd1*ªñ¶bM\<>D™+«)‡ r+hmbq4s4N5RuhlmTn7/SuBBdfRv/mzDbq++tbK7s2M
\ƒg¤hDá3#k3;Åj ¾ÞŽ±Ý¾Hš·ÙF&ÙX %6˜Bî8”¹T·fG`Q¯®âñ?[hDªö*c -> ssh-ed25519 w3nu8g Ut4z05l9uePnZRI38zmLvcgRdvCcy+YmFkn1IiqDRk8
64uJWpnsfmfc7z5JZnTnwHNPsp52B3/YFgIvT8Bt3GY
-> ssh-ed25519 evqvfg a6ZizyN6wCKvPtpu2hgPeQ8YTBouC+y8iQFeaJ46Ygg
olN0U7gzDid2EbhO4kGhhZjo7cvI/y+I7yeahrgS63Y
--- MQfYtj3KvglxbRIcFSCtH3XdKElzS84QEfMhvcYN8ms
ÌØàÕFwH猧¿2&öÐ+é®L
çr\ÊÚ2<>q§“*Ù,
0¥}ÌanZHÅmF5ª# \îêÎnInŽiªó)<29>ÿ´xµKž}7cÁ e¶å_6;–ðŽ„>e=¢„ˆÐXiK!Š~—³ú¿Ùò÷C2gS;⇣Å8

BIN
secrets/binary-cache-private-key.age
View File

Binary file not shown.

BIN
secrets/binary-cache-push-sshkey.age
View File

Binary file not shown.

BIN
secrets/cris-hashed-email-pw.age
View File

Binary file not shown.

BIN
secrets/digitalocean-dns-credentials.age
View File

Binary file not shown.

16
secrets/frigate-credentials.age
View File

@@ -1,7 +1,11 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 hPp1nw zOXF7NsZjm+DCYrJ+Ap2mX35JUt37CLJP1RhyOjB/XE -> ssh-ed25519 hPp1nw MMPi5i5lVf/mcXOraMoErj12pjLWQppVTc18kMFTskM
ePprJM2cnhYZhP8aJUXOZeGHJm/DHlRYomWN+lFaU6w eez7lnpUwseCP/5MZRxjyPZ11gfLHBYPPGEUXUftrAU
-> ssh-ed25519 w3nu8g gjeFAbFWXyPdGauKHXAzuIP9fmaj2Oysq9fHO8q7u38 -> ssh-ed25519 ZDy34A dzbWYENdNUIHId+2XUt+gLpnw8xaVsSHrWfIhhBTYBI
KiMR0pgEPtsfZnYAIsH7UHNhnsB6rtsW/hqV03uS2dI NszPXqq/beWLE9pKMhbXYSEB3WDaU2EPy66yPC+oU+Y
--- BPzPECz1g6vEv4OlRn6+FnWP9oq3tn6TN2o867icxYA -> ssh-ed25519 w3nu8g HjJYUyssutwK+bO120fPZoycsIEdLL0gnX1UDMHJKlY
}ìjºùŽ+l&þàx<C3A0>-TïÝb‡ÅèØÄ·<C384>Dg‰ñgc*ˆ0<CB86>÷µcp jjr1bEAD4HHN1Hbdtj8VR6CqfkTHXZ6huJQ1fnp83s4
-> ssh-ed25519 evqvfg nNibZIdrlMqQXZYT+qFPyd8uB1gZgDjPdfIS7RRjJCM
5LNiRyVpkJr4x1CtV+FRsLF+Tk1KUQDFIrTBQVw3N5c
--- 7dJKHwTqDkiiZaojRRK0mpxWopbhLwydPwFXtden9iI
'oºé¹òîÌä<C38C>=1õ¶Bc×°V­d qâÀ=Þÿ¸¸°µï뎀ˆÔjÿ`ǦÎéÏÎ&åÂ@Ûó ½Ç 5RQØ´Ûh™ÞOÉÓÅPŽá£Cv7ü<37>A ûw£s±¸¥QÀR<C380>Ù­O<C2AD>M"Wèí*<2A>s Ýߤâ×a`Æp¬

20
secrets/gitea-actions-runner-token.age
View File

@@ -1,11 +1,11 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 WBT1Hw PbGwwDeulHF6kdh073rq0RvD1hlx6spnKNgKU+QeDAw -> ssh-ed25519 hPp1nw CSR2HrrPUfaeOgAa3vt4yuQOrqyu0qnFBmTT2O4Rdnc
7dITwSQ2p1LZuaVEzLxcGOhB97MQT2zGoRrnNUMcOFk nYiiPmn/4Qmrc5VOK+/mmtzKD9xdvEF6SmRiPi/aFqs
-> ssh-ed25519 hPp1nw Dn+5Fpme+JmRZKkCkqtCuD87p+sDYDA6OZ2aUmBkCRs -> ssh-ed25519 ZDy34A cmlgkgy5QvYYn6nHymo0u723S470qvUFt0Ubp6ggKj8
Dgg3orXF4RYT/fHtc2tRuIhOQu48zICMqgPyV47vpf4 8ACCrqGCkVbuFMNoGKMd67oMtZWhQHBigU7Tdqoqy80
-> ssh-ed25519 w3nu8g dghNLDH1Tm+sm42HXDhrLFtmU4iDF1yCGrO2VSgzZjo -> ssh-ed25519 w3nu8g GWytr1KtsXVQt6CKqqdjH92/Lc7aBjqa2N80oqeOdwU
71scUVrGr4c4dunAFJYKd+uJ6aYJpSWBAk9swbv+IzM c9GfCkKIaxMgsKWplXIQjiB5c6UE+UkRd4xlg1I5JSA
-> ssh-ed25519 dMQYog Wnl1+rh0Q3YD2s1UD0OYVm39wY/Uw1NRK3K7EFhFMls -> ssh-ed25519 evqvfg K4Z7DqPilKW9kEfFLDzJ7c2G6PvjRhxhCTEuw0Tw8hU
wXF6QBonlCalS1vI9cxzWgv1Gi+yAtYn6HrYCfpl5Nw QsVD2iKObcP7HyVCXn9gPWvewn2Jm/OYLA1Eu6MRP1k
--- rLOoGk0iX+wuNd1CKv7g2PRd2Ic+8JHCQhrVBaF9zbE --- DGe/5H+9vk1EGj/mkUnvzk4VC5JVDIwVeaD78EHRiiI
<EFBFBD>òüüˤ/A¦Ì(ØiHC¸@¢Þð‰h`ˆ3ªá´' ¬ÚöáDì>ð¿¤~¸ÿÁö?ÑÃMêÙ@<40>t°(“Ò@ö׿^xÆ} êPŸËÓ²ûªÒÖ duÀÉr†¿"KÇ"©„M¬áÆ©xó3 ®²Æ ú™*J.Y_ÃíT%<25>tµ(ÿYʵ´8/Qa©r]ÍmÑÿÒ¤º

19
secrets/hashed-email-pw.age
View File

@@ -1,9 +1,12 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 6AT2/g 98/m3t8axoVBE6WzdxBtRhV2uSQKSCXwQjyxfWXPmQk -> ssh-ed25519 6AT2/g BLyjF65Y/bq9gkAuzl2PZmL7Ge1BTf6MQ/J+04fwwCA
AxV0FTvqbWfk/gf65d05PcotbEnYr4PgDQnsaYxP/MU mdGmV3lmTPhVmORAVtJucy5EaNmOiCkZqdw+in8r8+E
-> ssh-ed25519 w3nu8g jys7B4COD4iINANeSCD3BqGFoghxTmsbuXoOOIiP+wQ -> ssh-ed25519 ZDy34A h7f7GMXKCzuVnoIai84+gNq18XqxOPQLt2a4tmmQSxs
b7eSN5fe4szfliINOr7ZQ7AoSsIK5akmIQ6uLDabcIE RMoh4ecaEFybnE1ObWFZFHJKrIO3SbRynyDBljfSRAY
-> ssh-ed25519 dMQYog ToNUqTPYmxpz9OUcC94egELcPfHQHCErfHN6l9kSrRY -> ssh-ed25519 w3nu8g XubNz2enRmr1uNZlErXBJngZrY52fJC4AUIbsaTh8yE
2KoSVoWp+FH29YfH57ri2KOvhkuqYew1+PXm99e0BaI w5w3FK30UqLok7VeG8wILcyXeAIrf/Uzbf7AnHPfYAw
--- Cjk3E/MjgCF45aLlFeyoGiaUEZk/QuKtsvPb6GpzD8Q -> ssh-ed25519 evqvfg 9UkiG9r2b0ZJwN6DPL+j08YKjBOx2x6jrJlzg+N79lk
m°å>‹“~czÆê匦†``ÜÏqX«š'ÁÎ%ôwÔž~×ÄL·eä'a±]û´LÉÀ‰%ÍYTÊÓc9f¡W¶Ã^¤9ÊõÙÝ2®™æ¶ÆBÌa ƒ™ nmpBD/vZ7h3pAzeL8CO2oABTeA5iujG9Vr4aUgWaO0E
--- 00dECq/aOgxAgnD19UdntMCzn27Iywp4bQoyAaKJ3yw
»ŽlŸ÷ƒƒÔrñDžgFOí þrÍ=éŒUCR‰wW÷Æ Ô­Ï*þA$÷³åÝÓeV
RH ¶T<01>ISK·é

BIN
secrets/hashed-robots-email-pw.age
View File

Binary file not shown.

BIN
secrets/hostapd-pw-CXNK00BF9176.age
View File

Binary file not shown.

BIN
secrets/hostapd-pw-experimental-tower.age
View File

Binary file not shown.

18
secrets/iodine.age
View File

@@ -1,9 +1,11 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 6AT2/g Knb25oYknkiXyMqVBR3T0sFSO4hDjWUTq3xIml/b4ig -> ssh-ed25519 6AT2/g 3s+reqcb4Hu/3Z7rICFZBOkW02ibISthFAT1sveyLBo
n7xamnrZ+SCWiKqniF3r2JvH4G8q2pJaHzF0riNEDf4 Eh5ynxeqqXhNbv/ASWZxzKXAzKX41uI5iJI4KqluHRI
-> ssh-ed25519 w3nu8g 7+2R5RpLjBf4jjj3S8ibMquUWgRMrifziGQubwuLrhA -> ssh-ed25519 ZDy34A cHcA2p0VrGr6jP/CUTOSU4Gef04ujh6wmJjmEWmWNE0
3jLCalnbA3Z2jr8Zs+qrpzSoi3Jv6E5OV2binpr3Kk4 wwaQnj7RABFzTbU74awlIJeHHePtO7jihNd2EUkNZPU
-> ssh-ed25519 dMQYog Nh2e7me0tiG7ZwQK8669VS0LCYFSH+b33I9tr8uI5CY -> ssh-ed25519 w3nu8g hN/fWUHspXoJmpibR4NAL3EXkKExe2tRjUzmLGK6VnE
7Gs1N9eZa1CGR9pczzugHbqnghqevX7kQCOeqR4q0eI F1KQnGe3M8eD9hjnHLc7hqFTw9iXh7ICz0u421DuFOs
--- OzW+omJsZA/b4DMF4hdQga7JVgiEYluZok3r8JM258I -> ssh-ed25519 evqvfg r3AoIJ3KWCYIsV8+RTgYY+Eg+1EcBVNrX+ZRunKaug8
*³²ÝPŽ†AcèÈ1·@Át¸e÷nf&ù#I7‡a‰Ûâc†ÃÀ<C383>êbDâ~aõ]1w=Á KSXd4uq1/0ErZzSTPrCmY/66v4TT5PmFqv9LRSHNi9A
--- 3bGqZANqdfEgdiUzu38n4dzPOShgGUzQGtO7l2S+hwU
Ì?\<5C>•Öå¢aÚ'¤¤ÐÚ{˜/}ÉýÝL„:¨|¸G`†Ó+ºMÜÈY$s¸+Uk¥áäg‡ID¾K·

BIN
secrets/librechat-env-file.age
View File

Binary file not shown.

BIN
secrets/linkwarden-environment.age Normal file
View File

Binary file not shown.

BIN
secrets/nextcloud-pw.age
View File

Binary file not shown.

BIN
secrets/oauth2-proxy-env.age
View File

Binary file not shown.

22
secrets/pia-login.age
View File

@@ -1,11 +1,13 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 6AT2/g MGKlbzVOk5+czgAOerwl+eIyOifXJm/q4UgQUXVpx1c -> ssh-ed25519 6AT2/g MrkHK56b1uQIiMoSrGmCun5QzwFWQiCFZjHQuAkdBlc
43l6s4+5TSMQyO9tAg7v9Y5OdXOjKYz56lbr9Jm2r+o ipK76P2VS5c00f3n468l+VsTndtEUwHtJTOhR1Zntew
-> ssh-ed25519 hPp1nw aOxni4sFPPgedUkBOuOyEWfFPJrhdTJnivIaWt5RJxM -> ssh-ed25519 hPp1nw iVISLjddu2lJpNPXewFDmjhORkkzBNUBmq33n2l9yXg
KNaxijzSMp7EjYKwWiAP66nPYYZK3/VXL8u+3uJt6bg 4oOAaQpnWNsVXfDEK4rclKhAwv8xnE3EUS7PF44/GYc
-> ssh-ed25519 w3nu8g qTAzEzQbFze35AtbvkYREw3wa7ApDN5u7RSZUXrEpms -> ssh-ed25519 ZDy34A gZY++iCMswmQVkKiIUUuuR8srojCpykELGpa0mqHMFA
Dy0uGF458A9RJMvDl2XKOkEABbbRgT+eIgvb6ZOEQqg MSpvndXZY7Gm8VUQUdn/x39dVOsJ0d77H4zN0Ct+b1Q
-> ssh-ed25519 dMQYog 5DfYuGeWuN0/CO6WWbFIi7LaKl23FXYVdPROM+TFpCA -> ssh-ed25519 w3nu8g mnrSRjcTax6g1PHvOwCV/Al6AWkCwiRwMnuZg4vPHys
PDBdDn+YUMKYNKFkCEfXesmkB/XUxZRK3ddQt0kqQ7g S2V1O0GF7wipp9Bg+7PA6z4WNbK/zv015AM1SfA/Jrg
--- JOeG87EVD+QBx6n+rMoPTOni0PyoG7xx4a2USNiapYI -> ssh-ed25519 evqvfg 8M2kGsTS/cd0daAr87u0QqS6RH00O1zkSjYdXTxjYGU
Zsý{ÅiÁ_\+ô@@Üò߸ù&_š5­$¿Gt2¢rF“y×ÄQ§Iaž 7ôÙÉzàgf­%O(µÙ,VéÂ}ÿn|û'J¸2ø¨óQÑ B uCUwdJFCdFWWlQPpINjf4dAIYZ/pa8tfz8pVjDLPJF0
--- iyh7GvKqnNeyIgedqWGQMtYfXJGo1RphDpzuDXJbp1k
#/Þ¿ «[4èAã<±Ëi×òæ˜ækÞfÓÕ

11
secrets/radarr-api-key.age Normal file
View File

@@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 hPp1nw gfVRDt7ReEnz10WvPa8UfBBnsRsiw7sxxXQMuXRnCVs
slBNX9Yc1qSu1P5ioNDNLPd97NGE/LWPS/A+u9QGo4E
-> ssh-ed25519 ZDy34A e5MSY5qDP6WuEgbiK0p5esMQJBb3ScVpb15Ff8sTQgQ
9nsimoUQncnbfiu13AnFWZXcpaiySUYdS1eH5O/3Fgg
-> ssh-ed25519 w3nu8g op1KSUhJgM6w/nlaUssQDiraQpVzgnWd//JMu2vFgms
KvEaJfsB7Qkf+PnzFJdZ3wAxm2qj23IS8RRxyuGN2G4
-> ssh-ed25519 evqvfg 9L6pFuqkcChZq/W4zkATXm1Y76SEK+S4SyaiSlJd+C4
j/UWJvo4Cr/UDfaN2milpJ6rU0w1EWdTAzV3SlrCcW8
--- bdG4zC5dx6cSPetH3DNeHEk6EYCJ5TXGrn8OhUMknNU
/¶ø+ÏpñR[¤àJ-*@ÌÿŸx0Ú©ò-ä.*&T·™~-i 2€eƒ¡`@ëQ8š<l™à QK0AÕ§

50
secrets/restic-password.age
View File

@@ -1,23 +1,29 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 N7drjg Njjfv0Etdr9U27s+wznqw5YmnKcj3lISQ2vudDPj7F0 -> ssh-ed25519 qEbiMg CX8Y/Si5PzI0enQNfUIAJG5JxqPRLmpHZn2qbnOdqEk
bw3SSPfReGSmJ5tQPv+niYn7USyZZffxvgs3J5VxiWw RtBaY00wl7B+gz9uSxYiNFj9Jf5D18LFvD3XjcqXg00
-> ssh-ed25519 yHDAQw DVlCM84Q1P087cmlS+NzH/i2noLprEbfqSpvFS3Pzig -> ssh-ed25519 N7drjg 1bVVPpaqoAb9AGsb8lWCP5nBTVO3nRwCmK2X6M4eCn4
PooFRhm8ofoTAT1UxJ3Y+0RMqK3CriwqpGrrKGfFYTs SW4KXrdN0uulfVGDp5zx351v7+HyIQ2dAP2VB1Yjxx8
-> ssh-ed25519 jQaHAA rfoKG06gXsXPVfNql5Kk5OBebaXsRd4vCirzPB2y0jk -> ssh-ed25519 jQaHAA ocZpVZtXwnbZWC5RlrPmDtUnRpCnGaJLjCx3IKENJjw
T0xv0iiWSi+FscI/OX6sT137VuiWpAS+P9XsMBT9K7Q x5AUP4Q1Odls9RWdtUtDBWAEbbiOaRwnBiI4+FJUhnA
-> ssh-ed25519 w3nu8g 869dCSpsCphoOPZ0z6rzbI5QKieIA4M9tAyVP40P2hY -> ssh-ed25519 ZDy34A JBwwmjzcV7UFHRky6rOF5jFVMxsj0SmLfCEPPzD8qBc
N705ablrfdQWK2aEOFCkmdEQQmwJVcqVXOkhYIp1Z3o ESDhUTfMFVqTfyMpIcx2E4Fg1iRljqXA3kkaaBH5NRI
-> ssh-ed25519 dMQYog ry0Qkn4YSLctLRzp1fZQ6EnbeGvv3Gge2UOsYBwbk2A -> ssh-ed25519 w3nu8g 32W6EjkjvobPZAV/+2dtZJWW1Xz5yEW1Y+xuPssHPyY
LO1eyrU0rQJdAjZKCBr+WH2EP/juXcS7Iwrl8tZIMOM DeoxVYTuxkFfV7JFk+PweykeN5z7+GM3IPbzJ9Aze/U
-> ssh-ed25519 WBT1Hw NbtlJrLEcf4yO/akQyE7b9TdyM2e6m8Aj9/MzV7SliY -> ssh-ed25519 evqvfg /71B+elrbVgtDqNTPNHiIIWUCoLMh7Nw45ZxfhZSaSA
JBWsIu/Aycys+uUxC2xSTE2gC0YUpC7Jkkxa0E0TfRI z/c5GQKyJ0i7lJh6Fl2cuwrI876BKZGY4+ruPHazg7g
-> ssh-ed25519 6AT2/g kvri9lMh7mXuJTFh15sRPhkz8+75i2YYcdZL12cLPnI -> ssh-ed25519 WBT1Hw /9VARjhq1i3zt8SAJ3KwXz4jDSzNID056rzOeZzdXHk
hsJETu9Xhbfhzzf6Z3YIKFLGN+Eczgn8EqEBPQl7a1s 81JSPCyru+4wS1USnTaVcO+l0t8d/WHkzC3idgXE6T8
-> ssh-ed25519 hPp1nw sJtNVroSF/uQNwvnbLE8vXw+1e4LMu3Gurm+KM+0IwE -> ssh-ed25519 6AT2/g fLTmQkkH94zZBIef5LyH/v/m1s30E2Yy6AiQEtBjaxo
wlYZUEnr1Q3TlxUAUrKAMdVWUbVWy+3+q2fw+ssIoFs Hx5/ld4RO/Wd4KWX+cAzets9rCAYGorEIJU6FUEavWY
-> ssh-ed25519 w3nu8g gA7oDI/02jl+TjMjSUHZqevmHb6gSinWF4KtjDJgFF0 -> ssh-ed25519 r848+g XZtbfc7x3XWiUyjDyqEbJyziovGiY16qendRDtR113s
KDgSWaZi99/PkKT8g5bTVHvu8EVcPBlF79APxeorABM fO+QDGyAukeMT/fQrs3YQfIIoXTIb/DgGYRlw0nEyqU
-> ssh-ed25519 dMQYog PDdSuky8g5OoqyF4K5N6SSa3ln6O8vlvL4viGqJ8mUc -> ssh-ed25519 hPp1nw kRQYgbHSM5mVEilZA1CSYbgvSriFJyBP9vUnwQTk2D4
LWanrtAIfekuzhr+AGR8e34CD41vPI0BA8YA8YkcyBA LQdVdVO4MjvB4/hTVwgtLG+Amg6WbQwEaBlgMVVFSqI
--- LENK2A8P2SxCmpQSI3QNCNz2RDhGwCqLQGybmD73ka8 -> ssh-ed25519 ZDy34A ZJsdPqw9MjPUH5hr0Heug25ZKtzCmnykDmiMEW6b9iY
Ö{¹˜ô'Þú”êã«ŵÔjã.ùÄnG=ñY‰gï•c$T¬ kgN2CU+jrY5SNCKXmhsw/H5kGg+zEiYDUSrG9URA28o
-> ssh-ed25519 w3nu8g JxgCPagw/jHEEMxuU+Q9aZylQlRtmkrutly80aU/QQA
C64qkcYda7plc0eNDc6hk0Lf3tRMNrUR5QlEpeEiflY
-> ssh-ed25519 evqvfg wx4dPODWj1le9AuzS+M+CufWd52ySy9WfOIPdB+w/Ag
QyLJBNCtLVwpp3cIcO5NUHMaDNc3duUQeMGH2SQBPck
--- HgYMHuLleFiKLGaf8buXjOHpUiVhgeL1NaJwyRNHAdY
êRí÷; cßÕPò*“ýÞŠäœl©‡J]çu­SŠKr}ž¡:'4·#Käù0P45ÂEÒVªo

BIN
secrets/robots-email-pw.age
View File

Binary file not shown.

BIN
secrets/sasl_relay_passwd.age
View File

Binary file not shown.

BIN
secrets/searx.age
View File

Binary file not shown.

10
secrets/secrets.nix
View File

@@ -17,7 +17,7 @@ with roles;
"cris-hashed-email-pw.age".publicKeys = email-server; "cris-hashed-email-pw.age".publicKeys = email-server;
"sasl_relay_passwd.age".publicKeys = email-server; "sasl_relay_passwd.age".publicKeys = email-server;
"hashed-robots-email-pw.age".publicKeys = email-server; "hashed-robots-email-pw.age".publicKeys = email-server;
"robots-email-pw.age".publicKeys = gitea; "robots-email-pw.age".publicKeys = gitea ++ outline;
# nix binary cache # nix binary cache
# public key: s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU= # public key: s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU=
@@ -31,12 +31,14 @@ with roles;
# cloud # cloud
"nextcloud-pw.age".publicKeys = nextcloud; "nextcloud-pw.age".publicKeys = nextcloud;
"whiteboard-server-jwt-secret.age".publicKeys = nextcloud;
"smb-secrets.age".publicKeys = personal ++ media-center; "smb-secrets.age".publicKeys = personal ++ media-center;
"oauth2-proxy-env.age".publicKeys = server; "oauth2-proxy-env.age".publicKeys = server;
# services # services
"searx.age".publicKeys = nobody; "searx.age".publicKeys = nobody;
"wolframalpha.age".publicKeys = dailybot; "wolframalpha.age".publicKeys = dailybot;
"linkwarden-environment.age".publicKeys = linkwarden;
# hostapd # hostapd
"hostapd-pw-experimental-tower.age".publicKeys = nobody; "hostapd-pw-experimental-tower.age".publicKeys = nobody;
@@ -53,11 +55,15 @@ with roles;
"librechat-env-file.age".publicKeys = librechat; "librechat-env-file.age".publicKeys = librechat;
# For ACME DNS Challenge # For ACME DNS Challenge
"digitalocean-dns-credentials.age".publicKeys = server; "digitalocean-dns-credentials.age".publicKeys = dns-challenge;
# Frigate (DVR) # Frigate (DVR)
"frigate-credentials.age".publicKeys = frigate; "frigate-credentials.age".publicKeys = frigate;
# zigbee2mqtt secrets # zigbee2mqtt secrets
"zigbee2mqtt.yaml.age".publicKeys = zigbee; "zigbee2mqtt.yaml.age".publicKeys = zigbee;
# Sonarr and Radarr secrets
"radarr-api-key.age".publicKeys = media-server;
"sonarr-api-key.age".publicKeys = media-server;
} }

40
secrets/smb-secrets.age
View File

@@ -1,19 +1,23 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 N7drjg x2s9QZ7Ijvg4t2peGng9/zX1ZmnGggsvWHJFHEktCgw -> ssh-ed25519 qEbiMg P0wVQfRdC6s4rGpSxPSvgsens9QF+VphlX6QL91RNGk
o64an6DJ6Be8Jlhzn9ciQTByRAK5f2ckankCRH3y+Uw Rdum6JE/NafVt/lvd54D3leH7QnX/hZoqOoUkp58vpw
-> ssh-ed25519 yHDAQw HYHo6anhKDnD74ab04Ql4RB8+WBA6EavYASX7532NCE -> ssh-ed25519 N7drjg LRBM5kYSJGMXCiIaU/tc8kq8L8tjyzYjUb5WeKfx5Dk
aTp2V9g18yzUTq1ezqETj6jM2Yb1Bt5+JNkrIDT2Djs /hTFYyPv1gpKBmXJ0EanmfNZwkOg9SvCY1dhqJkSQ3k
-> ssh-ed25519 jQaHAA xGKcIQOkO/i4E2ZWZ+O4sAp7ADqCRqfRQHhKQu6yWh4 -> ssh-ed25519 jQaHAA 2niqwTr3jLx/7lDG5Yqetu3lqfU+lCYj626oZVT3XFA
RJnqK/t0YQrIej8fRDJGjOtQD7VvgJRfCUWR0/UYcSY NEwUSUcgsGgyeHXTtDo6HYSkX4r7NyloUP+gabOZfOI
-> ssh-ed25519 w3nu8g P9DQy19TvDCi3nfOhFj73bNZEtUs1BrLubt5/BtLoU4 -> ssh-ed25519 ZDy34A 6NZGnadwDwPUscJdtYQywtuq3FNB0FvUDlztBnAAzBw
Sx41bk41dQYa3eoBayUMRIHqMWaRiwXm8BqErDBSbDw so26osNIZk/7tnf8HZwJ+G8+xcyDbpZ6uoX0GJBD7uk
-> ssh-ed25519 dMQYog OWU92PMFo9tGtlkK9zlmMFhh81TGkYlcX1PrxZl35yc -> ssh-ed25519 w3nu8g KX8U395jkHGX7LV9TXRl5OcZfcropPKrgonxJsR0MyI
owDk8wWXETS+iybhTMDmQH+eBuzZRDJIlVGCwu4LqTI KaWlP2Q44p53rqAtlojkj2EBcQH+N1EN/8pYhe92x0E
-> ssh-ed25519 jQaHAA MzA8dSYZ/Ysp4ogKEEu84mal8779RgkT4Gy6rBEw+kM -> ssh-ed25519 evqvfg XCZp8XLQ10+OsDwpeBC0t2RAEhj8EG85ZvbYJ6QAeXI
m75x/b83aP5G1vg7EXlcLizcm16fEAUAD+VNcdTMnnQ w9PAegIWcFKtRrcuBk9ysc/qDecNyZBygVVCCzr2DAo
-> ssh-ed25519 w3nu8g AAA3Me3KJgLvtQvyxLvlQ7pCnv7w73ja6Z2+3A82eGs -> ssh-ed25519 jQaHAA 76ePAMsQpZJO6b2CeE1rgvxhi2JEOxC+OPIW8GBEnWQ
+yCW7qCdjk0fiQJmH8poMoc7APKyX/PY7zZyAG1O+Yg NyGlaWLtx9Vko4sDFdgsQj9oK1/gD4Y6HnVhOJfO0JE
-> ssh-ed25519 dMQYog Dd8e6srT+EIl2PH0RP1bQVsDx+HCQjhFndx5TFyhfx8 -> ssh-ed25519 ZDy34A RrJ8q0EcqfNgg6Fk2ZrY/RiRjI+w0WFrfvHqi7r5pgU
j7Met77pWZzK9cMTt29gWB+d9YFVH5T9qs+ulHS3kAo ayHpp8FAVEIZhKTqYp1h/mL6UFSlQic7dlrHxbmharI
--- MgOK/g5hOVkGuUNDBSgVeGc9+ndjxLEA7nKSfLJMr4s -> ssh-ed25519 w3nu8g q4j19BwrZAkFCICDOdAhGFWiD6eCLJRW9faeTaJEvE0
~Ÿ‹¬&”™)<29>ŠG®Ÿ¨‡'UÐÞzc¾uFGì(<ò¯ùçV"ƒÕ3þH0x0$•<>w$Yv O3 "Ï×ðV~ÀŠ¸HÁ~XÛ]GœÆqµ®ã÷œ¢y'ãÓ*Dê±ÏúœÕk#\ðAï<41>5ë{«Fe\~ Av4UT5VsBvdL0cZOoaTrDOBvX91uuVIwru4WXMC+NNA
-> ssh-ed25519 evqvfg UIsX165L2ccILCU5zFur/9IHarQn9nAaLH3nSbcJJE4
cWztxUlKMcqx9GfAk2C+Gt/aR9ZXaXZYe9XQ3jnl3T8
--- bMWqy/VkrJr/SmencAM0ClMc/jtY82jL2ZUYFdLK2qY
­¥=W}ØŸߥ¿•jUá¢Ctp

BIN
secrets/sonarr-api-key.age Normal file
View File

Binary file not shown.

11
secrets/whiteboard-server-jwt-secret.age Normal file
View File

@@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 6AT2/g qKh6Xf7LvaAAwd4WAwkFt4am3bIFV6GUAJtAF38X5Sg
HlIgZr0jst1ZoJaUsqM+cD/FJVHsviZyteKZu/VU9e0
-> ssh-ed25519 ZDy34A lirRPnVNX7ZMefcCjh6jxx+Vk/nG1+8kl18jBvFGFA4
7fXtdP0kSF+S3uPrBEHiO4riUf8/BhCaEzTFgnHTkHQ
-> ssh-ed25519 w3nu8g CoUbAWX4r2jbrcAAyT2jRPY43pK27t08a+CGnnJJZ38
au9ujHws04Hxv8gYlmxw8rmNUGZmsVW5ilp6MyujnxA
-> ssh-ed25519 evqvfg v/onOr1hwFJVX8mvG1MyS+P6B+CC+fH8k7GgV2b22FY
hCUNukeRnYt+dyrpGp7aUzi8Vxx72cm66lcLgxJg0UE
--- akZhal+1DMZXmudX1sZUjH+KJhENZkgQcuUvXyMsQLA
<EFBFBD> ÊOE ~éoÈ,C<>€pµÐ1(Ó Ý®$S¦1òÄùgXÁüöàOyô¹rw°àâ-â:Ýï-ëe0i¡9ÎŒ<C38E>É(÷ÒR4[œÄ”%VA¼6@:ø—

19
secrets/wolframalpha.age
View File

@@ -1,10 +1,11 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 6AT2/g Kw5/he5m/XAJUNv8XEJQU+e+Ou7hCYluMXXWlHiePXY -> ssh-ed25519 6AT2/g NDsVQFHvqCl9KtbDE5oXyNsA4z9+4YiOsGHZ1m8CYW4
GkhJOzSlcC9S7bs8FuDNMvMaFU3+fQ5z+o+Pb8wllp8 6DBtl+pAuNB+PUnXSVTlVNAeFpr39dAuhOI4k9su1Hg
-> ssh-ed25519 w3nu8g fUORtXN1ygOeV42jveCosGXR/Y6R6OG6DK7LPDBEAk8 -> ssh-ed25519 ZDy34A extU5azTcNDgblB36KXiLnI4oMUbb4R5BWVlXsec5GE
yFpoasbY/sl6BQp0LVBQnInA4Kxd8A8meEObU1KD108 D0re4GCb7KjcR1uVu+MFQe+LdaEY7xUmrYLJmgddYnQ
-> ssh-ed25519 dMQYog 75qVEe6/1yOV4DDLAOGaufs3ojx1/Sc1fIQOe+Oirz0 -> ssh-ed25519 w3nu8g 3w4aYKO7etSZsmCGaL6bKxfrniKCnBKiRRhvPXeHlEQ
iDFsr6/30AHKH6hUs/WTpHEM8WQ03QMlGbtQkGrnVCU inI1cUq5r8xM+xU+jaPD4yuZw4Q6lIZhwAztXICWu5M
--- islx8t7a6bShXGxvYeDVuUxkmAMtpUfr0Gp7aYrJUkI -> ssh-ed25519 evqvfg Dzb7THrNXvfpoIy1yAi2aqJSv2RQ6pvUkAgQS2f6D24
2Ûí4¤†7Õ aXlOBtqoK0xMMA+woITlbXpZoe3EVx5yQaLA24wmUfE
?Õw€À<E282AC>JÁÆØv ¨º9,ËxÅŠò¨‰¦Æ¦ñnäH?>I­ --- qzPxoy3zUBEwJtCsPhi/tWxMcI8SKpxqptPTRQk4Yn0
uS _ô‡ÝÐ6Ÿ*+jòÕþëŠÍ줩⯽žq6÷¤Õvµ¬”…NºŠ´

18
secrets/zigbee2mqtt.yaml.age
View File

@@ -1,8 +1,12 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 hPp1nw TSDuPaFp/Qcz4r819X4QmU/4J2TGpoX7jCCJCdFDog0 -> ssh-ed25519 hPp1nw KENwK0yRInrVRN1Tgwvx/dJsz+z8rQenw1B4aw57v2c
SwQUqEp45xMOeTkvBG6uX28kB8YWG66laYqakSgl9w4 ucnKJeShVBVC8LmQ6VIGTlbB0VBpBi2/lGGfW78jj1U
-> ssh-ed25519 w3nu8g tLZDNE0iBgOpUB3djpNu3CgimsRc0zcds+AgctzxyQ4 -> ssh-ed25519 ZDy34A Ghz/fsNQWte2tUx2+kEHcRPCBGc1orAXV9QkCbsKBzg
Oyz6XORsApM4vFxWyaD3bR/ApIUFPY3q4yGvtbosUIY i9mr3xguDEgLL53ji38H19dkZPHqcfqTy8/S2oaht0U
--- vuXlQmuOFbJhBTACN5ciH2GlOCbRCMPZdlogG2O+KOk -> ssh-ed25519 w3nu8g cN44HlL1Zu724p+Kyrygas3RCRTpEPOfTdzFHkLebC4
Áëÿ!}UIì p0@Xž|°þ#晆0HÙõò#BÇRR<52>Ù BOBnfvEQLTPH6lBdSOPlYeSSdy3pohctl00lXrDs2zk
òùø5¾Iÿ?vX?pÝ<70><>fqÍ[lž¸˜­G7ü; UäÀOUä¶ -> ssh-ed25519 evqvfg HuPgckAebGwcWYCFNvNcNwg2QpyynHuVYRNiuC2j0m0
HgJlN4gbED2FNaWr88Ocqdc1UJ3LA1n6fl/BUeXfwhI
--- eczVQy6oXmBIj1D2v8LuR8ZJxnzyCNxn+rqF135QJJ4
aj0<EFBFBD>žå^ÂÏ<C382>ö(ø'´¨p1)F½>aíO¦€”¶¤:Ú¢šŒÛ!û8T¬
YÌ{ˆ3ɶ;Y