zuckerberg/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions 1 Activity

Compare commits

base: zuckerberg:576ee472463a3b01bb44cc1a72224776836c2982
Branches Tags
zuckerberg:master zuckerberg:stage zuckerberg:hyprland zuckerberg:pia-vpn-v2 zuckerberg:kexec_luks2
...
compare: zuckerberg:1e7aa17d3dbb75ddc8f1b6f72b1daa46b692762b
Branches Tags
zuckerberg:master zuckerberg:stage zuckerberg:hyprland zuckerberg:pia-vpn-v2 zuckerberg:kexec_luks2

3 Commits
576ee47246 ... 1e7aa17d3d

Author SHA1 Message Date
Zuckerberg
1e7aa17d3d Log DIMM temperatures on each check run
All checks were successful
Check Flake / check-flake (push) Successful in 3m58s
Details
2026-03-05 21:31:29 -08:00
Zuckerberg
77415c30fa Fix VPN check alert limiting to only count failures 
StartLimitBurst counts all starts (including successes), so the timer
was getting blocked after ~15 min. Replace with a JSON counter file
that resets on success and daily, only triggering OnFailure alerts for
the first 3 failures per day.
 2026-03-05 21:28:39 -08:00
Zuckerberg
e3f78b460c Remove recyclarr, I'm not using it currently 2026-03-05 21:27:35 -08:00
6 changed files with 56 additions and 64 deletions
Expand all files Collapse all files

49
common/network/pia-vpn/vpn-container.nix
View File

@@ -228,44 +228,73 @@ in
};
# Periodic VPN connectivity check — fails if VPN or internet is down,
# triggering ntfy alert via the OnFailure drop-in
# triggering ntfy alert via the OnFailure drop-in.
# Tracks failures with a counter file so only the first 3 failures per
# day trigger an alert (subsequent failures exit 0 to suppress noise).
systemd.services.pia-vpn-check = {
description = "Check PIA VPN connectivity";
after = [ "pia-vpn-setup.service" ];
requires = [ "pia-vpn-setup.service" ];
path = with pkgs; [ wireguard-tools iputils coreutils gawk ];
unitConfig = {
StartLimitBurst = 3;
StartLimitIntervalSec = "1d";
};
path = with pkgs; [ wireguard-tools iputils coreutils gawk jq ];
serviceConfig.Type = "oneshot";
script = ''
set -euo pipefail
COUNTER_FILE="/var/lib/pia-vpn/check-fail-count.json"
MAX_ALERTS=3
check_vpn() {
# Check that WireGuard has a peer with a recent handshake (within 3 minutes)
handshake=$(wg show ${cfg.interfaceName} latest-handshakes | awk '{print $2}')
if [ -z "$handshake" ] || [ "$handshake" -eq 0 ]; then
echo "No WireGuard handshake recorded" >&2
exit 1
return 1
fi
now=$(date +%s)
age=$((now - handshake))
if [ "$age" -gt 180 ]; then
echo "WireGuard handshake is stale (''${age}s ago)" >&2
exit 1
return 1
fi
# Verify internet connectivity through VPN tunnel
if ! ping -c1 -W10 1.1.1.1 >/dev/null 2>&1; then
echo "Cannot reach internet through VPN" >&2
exit 1
return 1
fi
echo "PIA VPN connectivity OK (handshake ''${age}s ago)"
return 0
}
if check_vpn; then
rm -f "$COUNTER_FILE"
exit 0
fi
# Failed read and update counter (reset if from a previous day)
today=$(date +%Y-%m-%d)
count=0
if [ -f "$COUNTER_FILE" ]; then
stored=$(jq -r '.date // ""' "$COUNTER_FILE")
if [ "$stored" = "$today" ]; then
count=$(jq -r '.count // 0' "$COUNTER_FILE")
fi
fi
count=$((count + 1))
jq -n --arg date "$today" --argjson count "$count" \
'{"date": $date, "count": $count}' > "$COUNTER_FILE"
if [ "$count" -le "$MAX_ALERTS" ]; then
echo "Failure $count/$MAX_ALERTS today alerting" >&2
exit 1
else
echo "Failure $count today suppressing alert (already sent $MAX_ALERTS)" >&2
exit 0
fi
'';
};

4
common/ntfy/dimm-temp.nix
View File

@@ -9,6 +9,7 @@ let
threshold=55
hot=""
summary=""
while IFS= read -r line; do
case "$line" in
@@ -18,6 +19,7 @@ let
*temp1_input:*)
temp="''${line##*: }"
whole="''${temp%%.*}"
summary="''${summary:+$summary, }$chip: ''${temp}°C"
if [ "$whole" -ge "$threshold" ]; then
hot="$hot"$'\n'" $chip: ''${temp}°C"
fi
@@ -25,6 +27,8 @@ let
esac
done < <(sensors -u 'spd5118-*' 2>/dev/null)
echo "$summary"
if [ -n "$hot" ]; then
message="DIMM temperature above ''${threshold}°C on ${config.networking.hostName}:$hot"

26
machines/storage/s0/default.nix
View File

@@ -143,30 +143,6 @@
services.lidarr.enable = true;
services.lidarr.user = "public_data";
services.lidarr.group = "public_data";
services.recyclarr = {
enable = true;
configuration = {
radarr.radarr_main = {
api_key = {
_secret = "/run/credentials/recyclarr.service/radarr-api-key";
};
base_url = "http://localhost:7878";
quality_definition.type = "movie";
};
sonarr.sonarr_main = {
api_key = {
_secret = "/run/credentials/recyclarr.service/sonarr-api-key";
};
base_url = "http://localhost:8989";
quality_definition.type = "series";
};
};
};
systemd.services.recyclarr.serviceConfig.LoadCredential = [
"radarr-api-key:/run/agenix/radarr-api-key"
"sonarr-api-key:/run/agenix/sonarr-api-key"
];
users.groups.public_data.gid = 994;
users.users.public_data = {
@@ -177,8 +153,6 @@
};
};
};
age.secrets.radarr-api-key.file = ../../../secrets/radarr-api-key.age;
age.secrets.sonarr-api-key.file = ../../../secrets/sonarr-api-key.age;
# jellyfin
# jellyfin cannot run in the vpn container and use hardware encoding

11
secrets/radarr-api-key.age
View File

@@ -1,11 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 hPp1nw gfVRDt7ReEnz10WvPa8UfBBnsRsiw7sxxXQMuXRnCVs
slBNX9Yc1qSu1P5ioNDNLPd97NGE/LWPS/A+u9QGo4E
-> ssh-ed25519 ZDy34A e5MSY5qDP6WuEgbiK0p5esMQJBb3ScVpb15Ff8sTQgQ
9nsimoUQncnbfiu13AnFWZXcpaiySUYdS1eH5O/3Fgg
-> ssh-ed25519 w3nu8g op1KSUhJgM6w/nlaUssQDiraQpVzgnWd//JMu2vFgms
KvEaJfsB7Qkf+PnzFJdZ3wAxm2qj23IS8RRxyuGN2G4
-> ssh-ed25519 evqvfg 9L6pFuqkcChZq/W4zkATXm1Y76SEK+S4SyaiSlJd+C4
j/UWJvo4Cr/UDfaN2milpJ6rU0w1EWdTAzV3SlrCcW8
--- bdG4zC5dx6cSPetH3DNeHEk6EYCJ5TXGrn8OhUMknNU
/¶ø+ÏpñR[¤àJ-*@ÌÿŸx0Ú©ò-ä.*&T·™~-i 2€eƒ¡`@ëQ8š<l™à QK0AÕ§

4
secrets/secrets.nix
View File

@@ -63,8 +63,4 @@ with roles;
# zigbee2mqtt secrets
"zigbee2mqtt.yaml.age".publicKeys = zigbee;
# Sonarr and Radarr secrets
"radarr-api-key.age".publicKeys = media-server;
"sonarr-api-key.age".publicKeys = media-server;
}

BIN
secrets/sonarr-api-key.age
View File

Binary file not shown.