zuckerberg/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions 1 Activity

Compare commits

base: zuckerberg:5a8daad5908f80eff7de769389fa186c889766b1
Branches Tags
zuckerberg:master zuckerberg:stage zuckerberg:hyprland zuckerberg:pia-vpn-v2 zuckerberg:kexec_luks2
..
compare: zuckerberg:43ec75741dd9ed8e3410bc8210163d545b048e09
Branches Tags
zuckerberg:master zuckerberg:stage zuckerberg:hyprland zuckerberg:pia-vpn-v2 zuckerberg:kexec_luks2

3 Commits
5a8daad590 ... 43ec75741d

Author SHA1 Message Date
Zuckerberg
43ec75741d Fix memos failing to open SQLite database on ZFS
Some checks failed
Check Flake / check-flake (push) Failing after 18s
Details 
ProtectSystem=strict with ReadWritePaths fails silently on ZFS submounts
(/var/lib is a separate dataset), leaving the data dir read-only. Downgrade
to ProtectSystem=full which leaves /var writable while still protecting
/usr and /boot.
 2026-03-01 17:54:11 -08:00
Zuckerberg
000bbd7f4d Update interface names because usePredictableInterfaceNames is now off 2026-03-01 17:52:42 -08:00
Zuckerberg
e4f0d065f9 Fix tinyproxy starting before VPN bridge is configured 
tinyproxy binds to the bridge IP but had no ordering dependency on
systemd-networkd, so it could start before the bridge existed.
 2026-03-01 17:52:35 -08:00
2 changed files with 5 additions and 1 deletions
Expand all files Collapse all files

3
common/network/pia-vpn/default.nix
View File

@@ -234,6 +234,9 @@ in
before = [ "container@pia-vpn.service" ];
after = [ "systemd-networkd.service" ];
requires = [ "systemd-networkd.service" ];
serviceConfig.ExecStartPre = [
"+${pkgs.systemd}/lib/systemd/systemd-networkd-wait-online --interface=${cfg.bridgeName}:no-carrier --timeout=60"
];
};
# WireGuard interface creation (host-side oneshot)

3
machines/storage/s0/default.nix
View File

@@ -341,7 +341,8 @@
enable = true;
settings.MEMOS_PORT = "57643";
};
systemd.services.memos.serviceConfig.PrivateUsers = lib.mkForce false;
# ReadWritePaths doesn't work with ProtectSystem=strict on ZFS submounts (/var/lib is a separate dataset)
systemd.services.memos.serviceConfig.ProtectSystem = lib.mkForce "full";
services.outline = {
enable = true;