zuckerberg/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Activity

Compare commits

base: zuckerberg:71baa09bd2a17919aa62c4678187ebba28b925a4
Branches Tags
zuckerberg:master zuckerberg:stage zuckerberg:rpi-hotspot zuckerberg:attic zuckerberg:kexec_luks2 zuckerberg:pia-client
...
compare: zuckerberg:attic
Branches Tags
zuckerberg:master zuckerberg:stage zuckerberg:rpi-hotspot zuckerberg:attic zuckerberg:kexec_luks2 zuckerberg:pia-client

112 Commits
71baa09bd2 ... attic

Author SHA1 Message Date
Zuckerberg
ef247cb3dd speed up
All checks were successful
Check Flake / check-flake (push) Successful in 2h31m6s
Details
2024-06-17 21:11:06 -06:00
Zuckerberg
cad04680c4 try again
Some checks failed
Check Flake / check-flake (push) Failing after 3h11m0s
Details
2024-06-16 21:30:10 -06:00
Zuckerberg
a2d176a4fc try again
Some checks failed
Check Flake / check-flake (push) Failing after 4s
Details
2024-06-16 21:22:17 -06:00
Zuckerberg
1f813395ee try again
Some checks failed
Check Flake / check-flake (push) Failing after 16s
Details
2024-06-16 21:21:19 -06:00
Zuckerberg
0d5bce2a4f try again
Some checks failed
Check Flake / check-flake (push) Failing after 7s
Details
2024-06-16 21:05:33 -06:00
Zuckerberg
0c2f7cd1b2 try again
Some checks failed
Check Flake / check-flake (push) Failing after 7s
Details
2024-06-16 21:01:29 -06:00
Zuckerberg
b80b31d3c3 try again
Some checks failed
Check Flake / check-flake (push) Failing after 4s
Details
2024-06-16 20:58:18 -06:00
Zuckerberg
caacb4b7a7 try again
Some checks failed
Check Flake / check-flake (push) Failing after 2s
Details
2024-06-16 20:55:50 -06:00
Zuckerberg
25dba0ee19 Use custom action
Some checks failed
Check Flake / check-flake (push) Failing after 1s
Details
2024-06-16 20:54:47 -06:00
Zuckerberg
4bed47ae43 Try to install attic for gitea builder
Some checks failed
Check Flake / check-flake (push) Failing after 6s
Details
2024-06-16 20:44:31 -06:00
Zuckerberg
7c4d2d53f2 Use attic as nixos binary cache and update CI accordingly
Some checks failed
Check Flake / check-flake (push) Failing after 8s
Details
2024-06-16 20:39:11 -06:00
Zuckerberg
9ac9613d67 Add gc cmd to makefile 2024-06-16 20:37:21 -06:00
Zuckerberg
e657ebb134 Clean up flake inputs 2024-06-16 12:47:29 -06:00
Zuckerberg
d1b07ec06b Add llsblk helper cmd alias 2024-06-16 12:10:39 -06:00
Zuckerberg
89621945f8 Fix zoidberg 2024-06-16 12:09:58 -06:00
Zuckerberg
e69fd5bf8f Use Firefox
All checks were successful
Check Flake / check-flake (push) Successful in 3m2s
Details
2024-06-09 22:43:34 -06:00
Zuckerberg
c856b762e7 Goodbye Ray
All checks were successful
Check Flake / check-flake (push) Successful in 4m30s
Details
2024-06-08 16:39:00 -06:00
Zuckerberg
b7f82f2d44 Consolidate common PC config
All checks were successful
Check Flake / check-flake (push) Successful in 1m14s
Details
2024-06-03 21:07:53 -06:00
Zuckerberg
588e94dcf4 Update to NixOS 24.05
All checks were successful
Check Flake / check-flake (push) Successful in 1m11s
Details
2024-06-02 21:12:07 -06:00
Zuckerberg
fd1ead0b62 Add nixos-hardware config for Howl 2024-06-01 19:57:24 -06:00
Zuckerberg
37bd7254b9 Add Howl
All checks were successful
Check Flake / check-flake (push) Successful in 1m54s
Details
2024-05-31 23:29:39 -06:00
Zuckerberg
74e41de9d6 Enable unify v8 service
All checks were successful
Check Flake / check-flake (push) Successful in 56s
Details
2024-05-26 17:24:46 -06:00
Zuckerberg
0bf0b8b88b Enable ollama service 2024-05-26 17:24:07 -06:00
Zuckerberg
702129d778 Enable CUDA support 2024-05-26 17:23:38 -06:00
Zuckerberg
88c67dde84 Open C&C ports 2024-05-26 17:21:58 -06:00
Zuckerberg
8e3a0761e8 Clean up 2024-05-26 17:21:34 -06:00
Zuckerberg
a785890990 Fix esphome so that it can build again 2024-05-26 17:20:05 -06:00
Zuckerberg
b482a8c106 Restore frigate functionality by reverting to an older tensorflow version for libedgetpu 2024-05-26 17:16:59 -06:00
Zuckerberg
efe50be604 Update nixpkgs
All checks were successful
Check Flake / check-flake (push) Successful in 53s
Details
2024-03-17 09:39:54 -06:00
Zuckerberg
99904d0066 Update 'Actual' and 'Actual Server' to 'v24.3.0'
All checks were successful
Check Flake / check-flake (push) Successful in 14m33s
Details
2024-03-03 14:57:23 -07:00
Zuckerberg
55e44bc3d0 Add 'tree' to system pkgs 2024-03-03 14:53:14 -07:00
Zuckerberg
da7ffa839b Blackhole spammed email address
All checks were successful
Check Flake / check-flake (push) Successful in 5m18s
Details
2024-02-20 18:13:19 -07:00
Zuckerberg
01af25a57e Add Actual server
All checks were successful
Check Flake / check-flake (push) Successful in 6m3s
Details
2024-02-19 19:44:07 -07:00
Zuckerberg
bfc1bb2da9 Use a makefile for utility snippets
All checks were successful
Check Flake / check-flake (push) Successful in 12m54s
Details
2024-02-18 17:30:52 -07:00
Zuckerberg
0e59fa3518 Add easy boot configuration profile limit 2024-02-18 17:30:12 -07:00
Zuckerberg
7e812001f0 Add librechat
All checks were successful
Check Flake / check-flake (push) Successful in 6m12s
Details
2024-02-09 19:57:09 -07:00
Zuckerberg
14c19b80ef Stop auto upgrade
All checks were successful
Check Flake / check-flake (push) Successful in 1m2s
Details
2024-02-05 11:32:16 -07:00
Zuckerberg
e8dd0cb5ff Increase gitea session length
All checks were successful
Check Flake / check-flake (push) Successful in 2m17s
Details
2024-02-04 15:48:06 -07:00
Zuckerberg
dc9f5e969a Update nextcloud
All checks were successful
Check Flake / check-flake (push) Successful in 2m48s
Details
2024-02-04 14:34:42 -07:00
Zuckerberg
03150667b6 Enable gitea index and lfs. Fix warning.
All checks were successful
Check Flake / check-flake (push) Successful in 4m49s
Details
2024-02-04 13:59:39 -07:00
Zuckerberg
1dfd7bc8a2 Increase seed ratio
All checks were successful
Check Flake / check-flake (push) Successful in 2m58s
Details
2024-02-03 14:15:49 -07:00
Zuckerberg
fa649b1e2a Add missing locale settings to perl stops complaining
All checks were successful
Check Flake / check-flake (push) Successful in 12m4s
Details
2024-02-03 14:11:26 -07:00
Zuckerberg
e34752c791 Fix transmission running in a container 
https://github.com/NixOS/nixpkgs/issues/258793
 2024-02-03 14:10:35 -07:00
Zuckerberg
75031567bd Two radio endpoints
All checks were successful
Check Flake / check-flake (push) Successful in 50s
Details
2024-02-02 20:23:40 -07:00
Zuckerberg
800a95d431 Update to nixos 23.11
All checks were successful
Check Flake / check-flake (push) Successful in 1m24s
Details
2024-02-01 21:42:33 -07:00
Zuckerberg
932b05a42e Basic oauth proxy for frigate
All checks were successful
Check Flake / check-flake (push) Successful in 1m13s
Details
2024-01-30 22:12:18 -07:00
Zuckerberg
b5cc4d4609 Emulate ARM systems for building 2024-01-30 21:59:09 -07:00
Zuckerberg
ba3d15d82a PoC: Frigate + PCIe Coral + ESPCam, Home Assistant, ESPHome, MQTT, zigbee2mqtt
All checks were successful
Check Flake / check-flake (push) Successful in 3m24s
Details
2023-12-17 21:29:45 -07:00
Zuckerberg
e80fb7b3db PoC: Frigate + PCIe Coral + ESPCam, Home Assistant, ESPHome, MQTT, zigbee2mqtt
Some checks failed
Check Flake / check-flake (push) Failing after 1m1s
Details
2023-12-17 14:29:45 -07:00
Zuckerberg
84e1f6e573 wireless role was removed 2023-12-02 10:26:44 -07:00
Zuckerberg
c4847bd39b Use dashy for services homepage
All checks were successful
Check Flake / check-flake (push) Successful in 5m25s
Details
2023-11-08 21:35:10 -07:00
Zuckerberg
c0c1ec5c67 Enable autologin for zoidberg 2023-11-08 21:34:13 -07:00
Zuckerberg
6739115cfb Fix sddm barrier service for current nixpkgs version 2023-11-08 21:33:38 -07:00
Zuckerberg
4606cc32ba Enable adb debugging 2023-11-08 21:32:26 -07:00
Zuckerberg
2d27bf7505 Allow other users to access public samba mount 2023-11-08 21:32:00 -07:00
Zuckerberg
d07af6d101 Should use tailscale eventually for remote luks unlocking 2023-11-08 21:31:14 -07:00
Zuckerberg
4890dc20e0 Add basic nix utilities
All checks were successful
Check Flake / check-flake (push) Successful in 2m21s
Details
2023-10-20 20:13:08 -06:00
Zuckerberg
8b01a9b240 Use podman instead of docker 2023-10-20 20:12:14 -06:00
Zuckerberg
8dfba8646c Fix CI builder
All checks were successful
Check Flake / check-flake (push) Successful in 1m5s
Details
2023-10-20 19:52:33 -06:00
Zuckerberg
63c0f52955 s0: use eth1
Some checks failed
Check Flake / check-flake (push) Failing after 9s
Details
2023-10-16 20:21:00 -06:00
Zuckerberg
5413a8e7db Remove mounts that fail. These never worked 2023-10-16 20:20:32 -06:00
Zuckerberg
330c801e43 Fix issue where wg vpn starts slightly too early for internet access 2023-10-16 20:19:34 -06:00
Zuckerberg
8ba08ce982 Zoidberg move /boot device
Some checks failed
Check Flake / check-flake (push) Failing after 6m57s
Details
2023-10-15 19:23:24 -06:00
Zuckerberg
2b50aeba93 Zoidberg auto login 2023-10-15 19:22:51 -06:00
Zuckerberg
c1aef574b1 Try to build only x84_64 for now
Some checks failed
Check Flake / check-flake (push) Failing after 8m22s
Details
2023-10-15 19:09:40 -06:00
Zuckerberg
52ed25f1b9 Push derivations built during nix flake check to binary cache
Some checks failed
Check Flake / check-flake (push) Failing after 1m17s
Details
2023-10-15 18:00:38 -06:00
Zuckerberg
0446d18712 Use official nixos module for gitea actions runner 2023-10-15 17:58:03 -06:00
Zuckerberg
d2bbbb827e Disable router 2023-10-15 17:55:44 -06:00
Zuckerberg
6fba594625 Target nixpkgs 23.05 2023-10-15 17:55:04 -06:00
Zuckerberg
fa6e092c06 Update zoidberg keyfile
Some checks failed
Check Flake / check-flake (push) Failing after 6m52s
Details
2023-09-04 17:18:42 -06:00
Zuckerberg
3a6dae2b82 Enable barrier for use system wide
Some checks failed
Check Flake / check-flake (push) Failing after 7m29s
Details
2023-09-03 21:59:31 -06:00
Zuckerberg
62bb740634 Enable ROCm 2023-09-03 21:58:52 -06:00
Zuckerberg
577e0d21bc Xbox wireless controller support 2023-09-03 21:58:08 -06:00
Zuckerberg
b481a518f5 Samba mount 2023-09-03 21:57:24 -06:00
Zuckerberg
f93b2c6908 Steam login option 2023-09-03 21:56:37 -06:00
Zuckerberg
890b24200e Retroarch
Some checks failed
Check Flake / check-flake (push) Failing after 8m51s
Details
2023-08-13 18:03:45 -06:00
Zuckerberg
d3259457de Use latest kernel so amdgpu doesn't crash 2023-08-12 23:17:26 -06:00
Zuckerberg
8eb42ee68b Add common user for kodi 2023-08-12 23:16:52 -06:00
Zuckerberg
9d4c48badb Use Barrier 2023-08-12 23:16:26 -06:00
Zuckerberg
9cf2b82e92 Update nixpkgs and cleanup
Some checks failed
Check Flake / check-flake (push) Failing after 10m41s
Details
2023-08-12 19:40:22 -06:00
Zuckerberg
61ca918cca flake.lock: Update 
Flake lock file updates:

• Updated input 'agenix':
    'github:ryantm/agenix/2994d002dcff5353ca1ac48ec584c7f6589fe447' (2023-04-21)
  → 'github:ryantm/agenix/d8c973fd228949736dedf61b7f8cc1ece3236792' (2023-07-24)
• Added input 'agenix/home-manager':
    'github:nix-community/home-manager/32d3e39c491e2f91152c84f8ad8b003420eab0a1' (2023-04-22)
• Added input 'agenix/home-manager/nixpkgs':
    follows 'agenix/nixpkgs'
• Updated input 'deploy-rs':
    'github:serokell/deploy-rs/c2ea4e642dc50fd44b537e9860ec95867af30d39' (2023-04-21)
  → 'github:serokell/deploy-rs/724463b5a94daa810abfc64a4f87faef4e00f984' (2023-06-14)
• Updated input 'flake-utils':
    'github:numtide/flake-utils/cfacdce06f30d2b68473a46042957675eebb3401' (2023-04-11)
  → 'github:numtide/flake-utils/919d646de7be200f3bf08cb76ae1f09402b6f9b4' (2023-07-11)
• Updated input 'nix-index-database':
    'github:Mic92/nix-index-database/e3e320b19c192f40a5b98e8776e3870df62dee8a' (2023-04-25)
  → 'github:Mic92/nix-index-database/6c626d54d0414d34c771c0f6f9d771bc8aaaa3c4' (2023-08-06)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/297187b30a19f147ef260abb5abd93b0706af238' (2023-04-30)
  → 'github:NixOS/nixpkgs/a4d0fe7270cc03eeb1aba4e8b343fe47bfd7c4d5' (2023-08-13)
 2023-08-12 19:00:16 -06:00
Zuckerberg
ef61792da4 Add maestral
Some checks failed
Check Flake / check-flake (push) Failing after 30s
Details
2023-08-12 18:27:24 -06:00
Zuckerberg
3dc97f4960 Enable kde scaling 2023-08-12 18:27:01 -06:00
Zuckerberg
f4a26a8d15 Enable zfs scrubbing 2023-08-12 18:26:13 -06:00
Zuckerberg
37782a26d5 Add pavucontrol-qt 2023-08-12 18:25:46 -06:00
Zuckerberg
1434bd2df1 Share userspace packages
Some checks failed
Check Flake / check-flake (push) Failing after 19s
Details
2023-08-11 20:48:27 -06:00
Zuckerberg
e49ea3a7c4 Share userspace packages
Some checks failed
Check Flake / check-flake (push) Failing after 8s
Details
2023-08-11 20:45:34 -06:00
Zuckerberg
9a6cde1e89 Get zoidberg ready
Some checks failed
Check Flake / check-flake (push) Failing after 1m34s
Details
2023-08-11 19:51:42 -06:00
Zuckerberg
35972b6d68 Xbox controller support
Some checks failed
Check Flake / check-flake (push) Failing after 18s
Details
2023-08-10 20:39:41 -06:00
Zuckerberg
b8021c1756 Samba mount for zoidberg
Some checks failed
Check Flake / check-flake (push) Failing after 18s
Details
2023-08-10 19:45:11 -06:00
Zuckerberg
4b21489141 Increase boot timeout for zoidberg
Some checks failed
Check Flake / check-flake (push) Failing after 19s
Details
2023-08-10 19:44:44 -06:00
Zuckerberg
a256ab7728 Rekey secrets 2023-08-10 19:44:20 -06:00
Zuckerberg
da7ebe7baa Add Zoidberg
Some checks failed
Check Flake / check-flake (push) Failing after 2m43s
Details
2023-08-10 19:40:01 -06:00
Zuckerberg
1922bbbcfd Local arduino development 2023-08-10 18:05:45 -06:00
Zuckerberg
b17be86927 Cleanup 2023-08-10 18:04:46 -06:00
Zuckerberg
ec73a63e09 Define vscodium extensions
All checks were successful
Check Flake / check-flake (push) Successful in 30m4s
Details
2023-05-10 12:05:46 -06:00
Zuckerberg
af26a004e5 Forwards 2023-05-10 12:04:57 -06:00
Zuckerberg
d83782f315 Set up Nix build worker
All checks were successful
Check Flake / check-flake (push) Successful in 19m33s
Details
2023-04-30 12:49:15 -06:00
Zuckerberg
162b544249 Set binary cache priority 2023-04-30 09:13:49 -06:00
Zuckerberg
0c58e62ed4 flake.lock: Update
All checks were successful
Check Flake / check-flake (push) Successful in 1m27s
Details 
Flake lock file updates:

• Updated input 'nix-index-database':
    'github:Mic92/nix-index-database/68ec961c51f48768f72d2bbdb396ce65a316677e' (2023-04-15)
  → 'github:Mic92/nix-index-database/e3e320b19c192f40a5b98e8776e3870df62dee8a' (2023-04-25)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/8dafae7c03d6aa8c2ae0a0612fbcb47e994e3fb8' (2023-04-22)
  → 'github:NixOS/nixpkgs/297187b30a19f147ef260abb5abd93b0706af238' (2023-04-30)
 2023-04-29 20:34:11 -06:00
Zuckerberg
96de109d62 Basic binary cache
All checks were successful
Check Flake / check-flake (push) Successful in 7m55s
Details
2023-04-29 20:33:10 -06:00
Zuckerberg
0efcf8f3fc Flake check gitea action
All checks were successful
Check Flake / check-flake (push) Successful in 1m28s
Details
2023-04-29 19:20:48 -06:00
Zuckerberg
2009180827 Add mail user 2023-04-29 18:24:20 -06:00
Zuckerberg
306ce8bc3f Move s0 to systemd-boot 2023-04-25 23:41:08 -06:00
Zuckerberg
b5dd983ba3 Automatically set machine hostname 2023-04-24 20:52:17 -06:00
Zuckerberg
832894edfc Gitea runner 2023-04-23 10:29:18 -06:00
Zuckerberg
feb6270952 Update options for newer nixpkgs 2023-04-23 10:28:55 -06:00
Zuckerberg
b4dd2d4a92 update TODOs 2023-04-23 10:16:54 -06:00
Zuckerberg
38c2e5aece Fix properties.nix path loading 2023-04-21 23:24:05 -06:00
Zuckerberg
0ef689b750 flake.lock: Update 
Flake lock file updates:

• Updated input 'agenix':
    'github:ryantm/agenix/b7ffcfe77f817d9ee992640ba1f270718d197f28' (2023-01-31)
  → 'github:ryantm/agenix/2994d002dcff5353ca1ac48ec584c7f6589fe447' (2023-04-21)
• Updated input 'deploy-rs':
    'github:serokell/deploy-rs/8c9ea9605eed20528bf60fae35a2b613b901fd77' (2023-01-19)
  → 'github:serokell/deploy-rs/c2ea4e642dc50fd44b537e9860ec95867af30d39' (2023-04-21)
• Updated input 'flake-utils':
    'github:numtide/flake-utils/5aed5285a952e0b949eb3ba02c12fa4fcfef535f' (2022-11-02)
  → 'github:numtide/flake-utils/cfacdce06f30d2b68473a46042957675eebb3401' (2023-04-11)
• Added input 'flake-utils/systems':
    'github:nix-systems/default/da67096a3b9bf56a91d16901293e51ba5b49a27e' (2023-04-09)
• Updated input 'nix-index-database':
    'github:Mic92/nix-index-database/4306fa7c12e098360439faac1a2e6b8e509ec97c' (2023-02-26)
  → 'github:Mic92/nix-index-database/68ec961c51f48768f72d2bbdb396ce65a316677e' (2023-04-15)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/78c4d33c16092e535bc4ba1284ba49e3e138483a' (2023-03-03)
  → 'github:NixOS/nixpkgs/8dafae7c03d6aa8c2ae0a0612fbcb47e994e3fb8' (2023-04-22)
 2023-04-21 21:22:00 -06:00
Zuckerberg
e72e19b7e8 Fix auto upgrade 2023-04-21 18:58:54 -06:00
Zuckerberg
03603119e5 Fix invalid import issue. 2023-04-21 18:57:06 -06:00
96 changed files with 11169 additions and 790 deletions
Expand all files Collapse all files

28
.gitea/workflows/check-flake.yaml Normal file
View File

@@ -0,0 +1,28 @@
name: Check Flake
on: [push]
env:
DEBIAN_FRONTEND: noninteractive
PATH: /run/current-system/sw/bin/
jobs:
check-flake:
runs-on: nixos
steps:
- name: Checkout the repository
uses: actions/checkout@v3
with:
fetch-depth: 0
- run: attic -V
- name: Setup Attic Cache
uses: https://git.neet.dev/zuckerberg/attic-action@v0.2.5
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
- name: Check Flake
run: nix flake check --all-systems --print-build-logs --log-format raw --show-trace

27
Makefile Normal file
View File

@@ -0,0 +1,27 @@
# Lockfile utils
.PHONY: update-lockfile
update-lockfile:
nix flake update --commit-lock-file
.PHONY: update-lockfile-without-commit
update-lockfile-without-commit:
nix flake update
# Agenix utils
.PHONY: edit-secret
edit-secret:
cd secrets && agenix -e $(filter-out $@,$(MAKECMDGOALS))
.PHONY: rekey-secrets
rekey-secrets:
cd secrets && agenix -r
# NixOS utils
.PHONY: clean-old-nixos-profiles
clean-old-nixos-profiles:
doas nix-collect-garbage -d
# Garbage Collect
.PHONY: gc
gc:
nix store gc

2
TODO.md
View File

@@ -73,6 +73,8 @@
- offsite backup yubikey, pw db, and ssh key with /secrets access - offsite backup yubikey, pw db, and ssh key with /secrets access
### Misc ### Misc
- for automated kernel upgrades on luks systems, need to kexec with initrd that contains luks key
- https://github.com/flowztul/keyexec/blob/master/etc/default/kexec-cryptroot
- https://github.com/pop-os/system76-scheduler - https://github.com/pop-os/system76-scheduler
- improve email a little bit https://helloinbox.email - improve email a little bit https://helloinbox.email
- remap razer keys https://github.com/sezanzeb/input-remapper - remap razer keys https://github.com/sezanzeb/input-remapper

2
common/auto-update.nix
View File

@@ -9,7 +9,7 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
system.autoUpgrade = { system.autoUpgrade = {
flake = "git+https://git.neet.dev/zuckerberg/nix-config.git"; flake = "git+https://git.neet.dev/zuckerberg/nix-config.git";
flags = [ "--recreate-lock-file" ]; # ignore lock file, just pull the latest flags = [ "--recreate-lock-file" "--no-write-lock-file" ]; # ignore lock file, just pull the latest
}; };
}; };
} }

17
common/binary-cache.nix Normal file
View File

@@ -0,0 +1,17 @@
{ config, lib, ... }:
{
nix = {
settings = {
substituters = [
"https://cache.nixos.org/"
"https://nix-community.cachix.org"
"http://s0.koi-bebop.ts.net:28338/nixos"
];
trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"nixos:IDhKojUaMz+UIiri1/DQk9EpqDokih8dwxmp41uJnls="
];
};
};
}

8
common/boot/bios.nix
View File

@@ -10,18 +10,20 @@ in
device = mkOption { device = mkOption {
type = types.str; type = types.str;
}; };
configurationLimit = mkOption {
default = 20;
type = types.int;
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
# Use GRUB 2 for BIOS
boot.loader = { boot.loader = {
timeout = 2; timeout = 2;
grub = { grub = {
enable = true; enable = true;
device = cfg.device; device = cfg.device;
version = 2;
useOSProber = true; useOSProber = true;
configurationLimit = 20; configurationLimit = cfg.configurationLimit;
theme = pkgs.nixos-grub2-theme; theme = pkgs.nixos-grub2-theme;
}; };
}; };

8
common/boot/efi.nix
View File

@@ -7,21 +7,23 @@ in
{ {
options.efi = { options.efi = {
enable = mkEnableOption "enable efi boot"; enable = mkEnableOption "enable efi boot";
configurationLimit = mkOption {
default = 20;
type = types.int;
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
# Use GRUB2 for EFI
boot.loader = { boot.loader = {
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
timeout = 2; timeout = 2;
grub = { grub = {
enable = true; enable = true;
device = "nodev"; device = "nodev";
version = 2;
efiSupport = true; efiSupport = true;
useOSProber = true; useOSProber = true;
# memtest86.enable = true; # memtest86.enable = true;
configurationLimit = 20; configurationLimit = cfg.configurationLimit;
theme = pkgs.nixos-grub2-theme; theme = pkgs.nixos-grub2-theme;
}; };
}; };

7
common/boot/remote-luks-unlock.nix
View File

@@ -1,5 +1,7 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
# TODO: use tailscale instead of tor https://gist.github.com/antifuchs/e30d58a64988907f282c82231dde2cbc
let let
cfg = config.remoteLuksUnlock; cfg = config.remoteLuksUnlock;
in in
@@ -33,11 +35,6 @@ in
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
# boot.initrd.luks.devices.${cfg.device.name} = {
# device = cfg.device.path;
# allowDiscards = cfg.device.allowDiscards;
# };
# Unlock LUKS disk over ssh # Unlock LUKS disk over ssh
boot.initrd.network.enable = true; boot.initrd.network.enable = true;
boot.initrd.kernelModules = cfg.kernelModules; boot.initrd.kernelModules = cfg.kernelModules;

15
common/default.nix
View File

@@ -3,6 +3,7 @@
{ {
imports = [ imports = [
./backups.nix ./backups.nix
./binary-cache.nix
./flakes.nix ./flakes.nix
./auto-update.nix ./auto-update.nix
./shell.nix ./shell.nix
@@ -11,12 +12,13 @@
./server ./server
./pc ./pc
./machine-info ./machine-info
./nix-builder.nix
./ssh.nix ./ssh.nix
]; ];
nix.flakes.enable = true; nix.flakes.enable = true;
system.stateVersion = "21.11"; system.stateVersion = "23.11";
networking.useDHCP = false; networking.useDHCP = false;
@@ -24,7 +26,13 @@
networking.firewall.allowPing = true; networking.firewall.allowPing = true;
time.timeZone = "America/Denver"; time.timeZone = "America/Denver";
i18n.defaultLocale = "en_US.UTF-8"; i18n = {
defaultLocale = "en_US.UTF-8";
extraLocaleSettings = {
LANGUAGE = "en_US.UTF-8";
LC_ALL = "en_US.UTF-8";
};
};
services.openssh = { services.openssh = {
enable = true; enable = true;
@@ -53,6 +61,9 @@
lm_sensors lm_sensors
picocom picocom
lf lf
gnumake
tree
attic
]; ];
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;

1
common/flakes.nix
View File

@@ -10,7 +10,6 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
nix = { nix = {
package = pkgs.nixFlakes;
extraOptions = '' extraOptions = ''
experimental-features = nix-command flakes experimental-features = nix-command flakes
''; '';

180
common/machine-info/default.nix
View File

@@ -12,100 +12,103 @@ in
./roles.nix ./roles.nix
]; ];
options.machines.hosts = lib.mkOption { options.machines = {
type = lib.types.attrsOf
(lib.types.submodule {
options = {
hostNames = lib.mkOption { hosts = lib.mkOption {
type = lib.types.listOf lib.types.str; type = lib.types.attrsOf
description = '' (lib.types.submodule {
List of hostnames for this machine. The first one is the default so it is the target of deployments. options = {
Used for automatically trusting hosts for ssh connections.
'';
};
arch = lib.mkOption { hostNames = lib.mkOption {
type = lib.types.enum [ "x86_64-linux" "aarch64-linux" ]; type = lib.types.listOf lib.types.str;
description = '' description = ''
The architecture of this machine. List of hostnames for this machine. The first one is the default so it is the target of deployments.
''; Used for automatically trusting hosts for ssh connections.
}; '';
};
systemRoles = lib.mkOption { arch = lib.mkOption {
type = lib.types.listOf lib.types.str; # TODO: maybe use an enum? type = lib.types.enum [ "x86_64-linux" "aarch64-linux" ];
description = '' description = ''
The set of roles this machine holds. Affects secrets available. (TODO add service config as well using this info) The architecture of this machine.
''; '';
}; };
hostKey = lib.mkOption { systemRoles = lib.mkOption {
type = lib.types.str; type = lib.types.listOf lib.types.str; # TODO: maybe use an enum?
description = '' description = ''
The system ssh host key of this machine. Used for automatically trusting hosts for ssh connections The set of roles this machine holds. Affects secrets available. (TODO add service config as well using this info)
and for decrypting secrets with agenix. '';
''; };
};
remoteUnlock = lib.mkOption { hostKey = lib.mkOption {
default = null; type = lib.types.str;
type = lib.types.nullOr (lib.types.submodule { description = ''
options = { The system ssh host key of this machine. Used for automatically trusting hosts for ssh connections
and for decrypting secrets with agenix.
'';
};
remoteUnlock = lib.mkOption {
default = null;
type = lib.types.nullOr (lib.types.submodule {
options = {
hostKey = lib.mkOption {
type = lib.types.str;
description = ''
The system ssh host key of this machine used for luks boot unlocking only.
'';
};
clearnetHost = lib.mkOption {
default = null;
type = lib.types.nullOr lib.types.str;
description = ''
The hostname resolvable over clearnet used to luks boot unlock this machine
'';
};
onionHost = lib.mkOption {
default = null;
type = lib.types.nullOr lib.types.str;
description = ''
The hostname resolvable over tor used to luks boot unlock this machine
'';
};
hostKey = lib.mkOption {
type = lib.types.str;
description = ''
The system ssh host key of this machine used for luks boot unlocking only.
'';
}; };
});
};
clearnetHost = lib.mkOption { userKeys = lib.mkOption {
default = null; default = [ ];
type = lib.types.nullOr lib.types.str; type = lib.types.listOf lib.types.str;
description = '' description = ''
The hostname resolvable over clearnet used to luks boot unlock this machine The list of user keys. Each key here can be used to log into all other systems as `googlebot`.
'';
};
onionHost = lib.mkOption { TODO: consider auto populating other programs that use ssh keys such as gitea
default = null; '';
type = lib.types.nullOr lib.types.str; };
description = ''
The hostname resolvable over tor used to luks boot unlock this machine deployKeys = lib.mkOption {
''; default = [ ];
}; type = lib.types.listOf lib.types.str;
description = ''
The list of deployment keys. Each key here can be used to log into all other systems as `root`.
'';
};
configurationPath = lib.mkOption {
type = lib.types.path;
description = ''
The path to this machine's configuration directory.
'';
};
};
});
}; };
});
userKeys = lib.mkOption { };
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
The list of user keys. Each key here can be used to log into all other systems as `googlebot`.
TODO: consider auto populating other programs that use ssh keys such as gitea
'';
};
deployKeys = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
The list of deployment keys. Each key here can be used to log into all other systems as `root`.
'';
};
configurationPath = lib.mkOption {
type = lib.types.path;
description = ''
The path to this machine's configuration directory.
'';
};
};
});
}; };
config = { config = {
@@ -184,14 +187,13 @@ in
}) })
(propertiesFiles dir); (propertiesFiles dir);
propertiesFiles = dir: propertiesFiles = dir:
lib.foldl (lib.mergeAttrs) { } (propertiesFiles' dir ""); lib.foldl (lib.mergeAttrs) { } (propertiesFiles' dir);
propertiesFiles' = dir: dirName: propertiesFiles' = dir:
let let
dirContents = builtins.readDir dir; propFiles = lib.filter (p: baseNameOf p == "properties.nix") (lib.filesystem.listFilesRecursive dir);
dirPaths = lib.filter (path: dirContents.${path} == "directory") (lib.attrNames dirContents); dirName = path: builtins.baseNameOf (builtins.dirOf path);
propFiles = builtins.map (p: "${dir}/${p}") (lib.filter (path: path == "properties.nix") (lib.attrNames dirContents));
in in
lib.concatMap (d: propertiesFiles' "${dir}/${d}" d) dirPaths ++ builtins.map (p: { "${dirName}" = p; }) propFiles; builtins.map (p: { "${dirName p}" = p; }) propFiles;
in in
properties ../../machines; properties ../../machines;
}; };

12
common/network/pia-wireguard.nix
View File

@@ -11,6 +11,7 @@
# TODO implement this module such that the wireguard VPN doesn't have to live in a container # TODO implement this module such that the wireguard VPN doesn't have to live in a container
# TODO don't add forward rules if the PIA port is the same as cfg.forwardedPort # TODO don't add forward rules if the PIA port is the same as cfg.forwardedPort
# TODO verify signatures of PIA responses # TODO verify signatures of PIA responses
# TODO `RuntimeMaxSec = "30d";` for pia-vpn-wireguard-init isn't allowed per the systemd logs. Find alternative.
with builtins; with builtins;
with lib; with lib;
@@ -143,14 +144,14 @@ in
systemd.services.pia-vpn-wireguard-init = { systemd.services.pia-vpn-wireguard-init = {
description = "Creates PIA VPN Wireguard Interface"; description = "Creates PIA VPN Wireguard Interface";
requires = [ "network-online.target" ]; wants = [ "network-online.target" ];
after = [ "network.target" "network-online.target" ]; after = [ "network.target" "network-online.target" ];
before = [ containerServiceName ]; before = [ containerServiceName ];
requiredBy = [ containerServiceName ]; requiredBy = [ containerServiceName ];
partOf = [ containerServiceName ]; partOf = [ containerServiceName ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
path = with pkgs; [ wireguard-tools jq curl iproute ]; path = with pkgs; [ wireguard-tools jq curl iproute iputils ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
@@ -162,6 +163,11 @@ in
}; };
script = '' script = ''
echo Waiting for internet...
while ! ping -c 1 -W 1 1.1.1.1; do
sleep 1
done
# Prepare to connect by generating wg secrets and auth'ing with PIA since the container # Prepare to connect by generating wg secrets and auth'ing with PIA since the container
# cannot do without internet to start with. NAT'ing the host's internet would address this # cannot do without internet to start with. NAT'ing the host's internet would address this
# issue but is not ideal because then leaking network outside of the VPN is more likely. # issue but is not ideal because then leaking network outside of the VPN is more likely.
@@ -214,7 +220,7 @@ in
vpn-container.config.systemd.services.pia-vpn-wireguard = { vpn-container.config.systemd.services.pia-vpn-wireguard = {
description = "Initializes the PIA VPN WireGuard Tunnel"; description = "Initializes the PIA VPN WireGuard Tunnel";
requires = [ "network-online.target" ]; wants = [ "network-online.target" ];
after = [ "network.target" "network-online.target" ]; after = [ "network.target" "network-online.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];

3
common/network/vpn.nix
View File

@@ -72,9 +72,6 @@ in
config = { config = {
imports = allModules ++ [ cfg.config ]; imports = allModules ++ [ cfg.config ];
# speeds up evaluation
nixpkgs.pkgs = pkgs;
# networking.firewall.enable = mkForce false; # networking.firewall.enable = mkForce false;
networking.firewall.trustedInterfaces = [ networking.firewall.trustedInterfaces = [
# completely trust internal interface to host # completely trust internal interface to host

60
common/nix-builder.nix Normal file
View File

@@ -0,0 +1,60 @@
{ config, lib, ... }:
let
builderRole = "nix-builder";
builderUserName = "nix-builder";
machinesByRole = role: lib.filterAttrs (hostname: cfg: builtins.elem role cfg.systemRoles) config.machines.hosts;
otherMachinesByRole = role: lib.filterAttrs (hostname: cfg: hostname != config.networking.hostName) (machinesByRole role);
thisMachineHasRole = role: builtins.hasAttr config.networking.hostName (machinesByRole role);
builders = machinesByRole builderRole;
thisMachineIsABuilder = thisMachineHasRole builderRole;
# builders don't include themselves as a remote builder
otherBuilders = lib.filterAttrs (hostname: cfg: hostname != config.networking.hostName) builders;
in
lib.mkMerge [
# configure builder
(lib.mkIf thisMachineIsABuilder {
users.users.${builderUserName} = {
description = "Distributed Nix Build User";
group = builderUserName;
isSystemUser = true;
createHome = true;
home = "/var/lib/nix-builder";
useDefaultShell = true;
openssh.authorizedKeys.keys = builtins.map
(builderCfg: builderCfg.hostKey)
(builtins.attrValues config.machines.hosts);
};
users.groups.${builderUserName} = { };
nix.settings.trusted-users = [
builderUserName
];
})
# use each builder
{
nix.distributedBuilds = true;
nix.buildMachines = builtins.map
(builderCfg: {
hostName = builtins.elemAt builderCfg.hostNames 0;
system = builderCfg.arch;
protocol = "ssh-ng";
sshUser = builderUserName;
sshKey = "/etc/ssh/ssh_host_ed25519_key";
maxJobs = 3;
speedFactor = 10;
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
})
(builtins.attrValues otherBuilders);
# It is very likely that the builder's internet is faster or just as fast
nix.extraOptions = ''
builders-use-substitutes = true
'';
}
]

39
common/pc/audio.nix
View File

@@ -17,45 +17,6 @@ in
alsa.support32Bit = true; alsa.support32Bit = true;
pulse.enable = true; pulse.enable = true;
jack.enable = true; jack.enable = true;
# use the example session manager (no others are packaged yet so this is enabled by default,
# no need to redefine it in your config for now)
#media-session.enable = true;
config.pipewire = {
"context.objects" = [
{
# A default dummy driver. This handles nodes marked with the "node.always-driver"
# properyty when no other driver is currently active. JACK clients need this.
factory = "spa-node-factory";
args = {
"factory.name" = "support.node.driver";
"node.name" = "Dummy-Driver";
"priority.driver" = 8000;
};
}
{
factory = "adapter";
args = {
"factory.name" = "support.null-audio-sink";
"node.name" = "Microphone-Proxy";
"node.description" = "Microphone";
"media.class" = "Audio/Source/Virtual";
"audio.position" = "MONO";
};
}
{
factory = "adapter";
args = {
"factory.name" = "support.null-audio-sink";
"node.name" = "Main-Output-Proxy";
"node.description" = "Main Output";
"media.class" = "Audio/Sink";
"audio.position" = "FL,FR";
};
}
];
};
}; };
users.users.googlebot.extraGroups = [ "audio" ]; users.users.googlebot.extraGroups = [ "audio" ];

32
common/pc/chromium.nix
View File

@@ -17,38 +17,6 @@ let
"PREFIX=$(out)" "PREFIX=$(out)"
]; ];
}; };
nvidia-vaapi-driver = pkgs.stdenv.mkDerivation rec {
pname = "nvidia-vaapi-driver";
version = "0.0.5";
src = pkgs.fetchFromGitHub {
owner = "elFarto";
repo = pname;
rev = "v${version}";
sha256 = "2bycqKolVoaHK64XYcReteuaON9TjzrFhaG5kty28YY=";
};
patches = [
./use-meson-v57.patch
];
nativeBuildInputs = with pkgs; [
meson
cmake
ninja
pkg-config
];
buildInputs = with pkgs; [
nv-codec-headers-11-1-5-1
libva
gst_all_1.gstreamer
gst_all_1.gst-plugins-bad
libglvnd
];
};
in in
{ {
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {

30
common/pc/default.nix
View File

@@ -6,19 +6,20 @@ in
{ {
imports = [ imports = [
./kde.nix ./kde.nix
./xfce.nix # ./xfce.nix
./yubikey.nix ./yubikey.nix
./chromium.nix ./chromium.nix
# ./firefox.nix ./firefox.nix
./audio.nix ./audio.nix
# ./torbrowser.nix # ./torbrowser.nix
./pithos.nix ./pithos.nix
./spotify.nix
./vscodium.nix ./vscodium.nix
./discord.nix ./discord.nix
./steam.nix ./steam.nix
./touchpad.nix ./touchpad.nix
./mount-samba.nix ./mount-samba.nix
./udev.nix
./virtualisation.nix
]; ];
options.de = { options.de = {
@@ -37,26 +38,24 @@ in
mumble mumble
tigervnc tigervnc
bluez-tools bluez-tools
vscodium
element-desktop element-desktop
mpv mpv
nextcloud-client nextcloud-client
signal-desktop signal-desktop
minecraft
gparted gparted
libreoffice-fresh libreoffice-fresh
thunderbird thunderbird
spotifyd spotify
spotify-qt
arduino arduino
yt-dlp yt-dlp
jellyfin-media-player jellyfin-media-player
joplin-desktop joplin-desktop
config.inputs.deploy-rs.packages.${config.currentSystem}.deploy-rs config.inputs.deploy-rs.packages.${config.currentSystem}.deploy-rs
lxqt.pavucontrol-qt
barrier
# For Nix IDE # For Nix IDE
nixpkgs-fmt nixpkgs-fmt
rnix-lsp
]; ];
# Networking # Networking
@@ -70,12 +69,25 @@ in
]; ];
# Printer discovery # Printer discovery
services.avahi.enable = true; services.avahi.enable = true;
services.avahi.nssmdns = true; services.avahi.nssmdns4 = true;
programs.file-roller.enable = true; programs.file-roller.enable = true;
# Security # Security
services.gnome.gnome-keyring.enable = true; services.gnome.gnome-keyring.enable = true;
security.pam.services.googlebot.enableGnomeKeyring = true; security.pam.services.googlebot.enableGnomeKeyring = true;
# Android dev
programs.adb.enable = true;
# Mount personal SMB stores
services.mount-samba.enable = true;
# allow building ARM derivations
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
# for luks onlock over tor
services.tor.enable = true;
services.tor.client.enable = true;
}; };
} }

31
common/pc/firefox.nix
View File

@@ -20,31 +20,6 @@ let
}; };
firefox = pkgs.wrapFirefox somewhatPrivateFF { firefox = pkgs.wrapFirefox somewhatPrivateFF {
desktopName = "Sneed Browser";
nixExtensions = [
(pkgs.fetchFirefoxAddon {
name = "ublock-origin";
url = "https://addons.mozilla.org/firefox/downloads/file/3719054/ublock_origin-1.33.2-an+fx.xpi";
sha256 = "XDpe9vW1R1iVBTI4AmNgAg1nk7BVQdIAMuqd0cnK5FE=";
})
(pkgs.fetchFirefoxAddon {
name = "sponsorblock";
url = "https://addons.mozilla.org/firefox/downloads/file/3720594/sponsorblock_skip_sponsorships_on_youtube-2.0.12.3-an+fx.xpi";
sha256 = "HRtnmZWyXN3MKo4AvSYgNJGkBEsa2RaMamFbkz+YzQg=";
})
(pkgs.fetchFirefoxAddon {
name = "KeePassXC-Browser";
url = "https://addons.mozilla.org/firefox/downloads/file/3720664/keepassxc_browser-1.7.6-fx.xpi";
sha256 = "3K404/eq3amHhIT0WhzQtC892he5I0kp2SvbzE9dbZg=";
})
(pkgs.fetchFirefoxAddon {
name = "https-everywhere";
url = "https://addons.mozilla.org/firefox/downloads/file/3716461/https_everywhere-2021.1.27-an+fx.xpi";
sha256 = "2gSXSLunKCwPjAq4Wsj0lOeV551r3G+fcm1oeqjMKh8=";
})
];
extraPolicies = { extraPolicies = {
CaptivePortal = false; CaptivePortal = false;
DisableFirefoxStudies = true; DisableFirefoxStudies = true;
@@ -74,12 +49,6 @@ let
ExtensionRecommendations = false; ExtensionRecommendations = false;
SkipOnboarding = true; SkipOnboarding = true;
}; };
WebsiteFilter = {
Block = [
"http://paradigminteractive.io/"
"https://paradigminteractive.io/"
];
};
}; };
extraPrefs = '' extraPrefs = ''

10
common/pc/kde.nix
View File

@@ -5,15 +5,11 @@ let
in in
{ {
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
# kde plasma services.displayManager.sddm.enable = true;
services.xserver = { services.displayManager.sddm.wayland.enable = true;
enable = true; services.desktopManager.plasma6.enable = true;
desktopManager.plasma5.enable = true;
displayManager.sddm.enable = true;
};
# kde apps # kde apps
nixpkgs.config.firefox.enablePlasmaBrowserIntegration = true;
users.users.googlebot.packages = with pkgs; [ users.users.googlebot.packages = with pkgs; [
# akonadi # akonadi
# kmail # kmail

4
common/pc/mount-samba.nix
View File

@@ -13,6 +13,8 @@ let
auth_opts = "sec=ntlmv2i,credentials=/run/agenix/smb-secrets"; auth_opts = "sec=ntlmv2i,credentials=/run/agenix/smb-secrets";
version_opts = "vers=3.1.1"; version_opts = "vers=3.1.1";
public_user_opts = "gid=${toString config.users.groups.users.gid}";
opts = "${systemd_opts},${network_opts},${user_opts},${version_opts},${auth_opts}"; opts = "${systemd_opts},${network_opts},${user_opts},${version_opts},${auth_opts}";
in in
{ {
@@ -24,7 +26,7 @@ in
fileSystems."/mnt/public" = { fileSystems."/mnt/public" = {
device = "//s0.koi-bebop.ts.net/public"; device = "//s0.koi-bebop.ts.net/public";
fsType = "cifs"; fsType = "cifs";
options = [ opts ]; options = [ "${opts},${public_user_opts}" ];
}; };
fileSystems."/mnt/private" = { fileSystems."/mnt/private" = {

86
common/pc/spotify.nix
View File

@@ -1,86 +0,0 @@
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.services.spotifyd;
toml = pkgs.formats.toml { };
spotifydConf = toml.generate "spotify.conf" cfg.settings;
in
{
disabledModules = [
"services/audio/spotifyd.nix"
];
options = {
services.spotifyd = {
enable = mkEnableOption "spotifyd, a Spotify playing daemon";
settings = mkOption {
default = { };
type = toml.type;
example = { global.bitrate = 320; };
description = ''
Configuration for Spotifyd. For syntax and directives, see
<link xlink:href="https://github.com/Spotifyd/spotifyd#Configuration"/>.
'';
};
users = mkOption {
type = with types; listOf str;
default = [ ];
description = ''
Usernames to be added to the "spotifyd" group, so that they
can start and interact with the userspace daemon.
'';
};
};
};
config = mkIf cfg.enable {
# username specific stuff because i'm lazy...
services.spotifyd.users = [ "googlebot" ];
users.users.googlebot.packages = with pkgs; [
spotify
spotify-tui
];
users.groups.spotifyd = {
members = cfg.users;
};
age.secrets.spotifyd = {
file = ../../secrets/spotifyd.age;
group = "spotifyd";
mode = "0440"; # group can read
};
# spotifyd to read secrets and run as user service
services.spotifyd = {
settings.global = {
username_cmd = "sed '1q;d' /run/agenix/spotifyd";
password_cmd = "sed '2q;d' /run/agenix/spotifyd";
bitrate = 320;
backend = "pulseaudio";
device_name = config.networking.hostName;
device_type = "computer";
# on_song_change_hook = "command_to_run_on_playback_events"
autoplay = true;
};
};
systemd.user.services.spotifyd-daemon = {
enable = true;
wantedBy = [ "graphical-session.target" ];
partOf = [ "graphical-session.target" ];
description = "spotifyd, a Spotify playing daemon";
environment.SHELL = "/bin/sh";
serviceConfig = {
ExecStart = "${pkgs.spotifyd}/bin/spotifyd --no-daemon --config-path ${spotifydConf}";
Restart = "always";
CacheDirectory = "spotifyd";
};
};
};
}

4
common/pc/touchpad.nix
View File

@@ -9,7 +9,7 @@ in
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services.xserver.libinput.enable = true; services.libinput.enable = true;
services.xserver.libinput.touchpad.naturalScrolling = true; services.libinput.touchpad.naturalScrolling = true;
}; };
} }

25
common/pc/udev.nix Normal file
View File

@@ -0,0 +1,25 @@
{ config, lib, pkgs, ... }:
let
cfg = config.de;
in
{
config = lib.mkIf cfg.enable {
services.udev.extraRules = ''
# depthai
SUBSYSTEM=="usb", ATTRS{idVendor}=="03e7", MODE="0666"
# Moonlander
# Rules for Oryx web flashing and live training
KERNEL=="hidraw*", ATTRS{idVendor}=="16c0", MODE="0664", GROUP="plugdev"
KERNEL=="hidraw*", ATTRS{idVendor}=="3297", MODE="0664", GROUP="plugdev"
# Wally Flashing rules for the Moonlander and Planck EZ
SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", MODE:="0666", SYMLINK+="stm32_dfu"
'';
services.udev.packages = [ pkgs.platformio ];
users.groups.plugdev = {
members = [ "googlebot" ];
};
};
}

22
common/pc/use-meson-v57.patch
View File

@@ -1,22 +0,0 @@
diff --git a/meson.build b/meson.build
index dace367..8c0e290 100644
--- a/meson.build
+++ b/meson.build
@@ -8,7 +8,7 @@ project(
'warning_level=0',
],
license: 'MIT',
- meson_version: '>= 0.58.0',
+ meson_version: '>= 0.57.0',
)
cc = meson.get_compiler('c')
@@ -47,8 +47,3 @@ shared_library(
gnu_symbol_visibility: 'hidden',
)
-meson.add_devenv(environment({
- 'NVD_LOG': '1',
- 'LIBVA_DRIVER_NAME': 'nvidia',
- 'LIBVA_DRIVERS_PATH': meson.project_build_root(),
-}))

23
common/pc/virtualisation.nix Normal file
View File

@@ -0,0 +1,23 @@
{ config, lib, pkgs, ... }:
let
cfg = config.de;
in
{
config = lib.mkIf cfg.enable {
# AppVMs
virtualisation.appvm.enable = true;
virtualisation.appvm.user = "googlebot";
# Use podman instead of docker
virtualisation.podman.enable = true;
virtualisation.podman.dockerCompat = true;
# virt-manager
virtualisation.libvirtd.enable = true;
programs.dconf.enable = true;
virtualisation.spiceUSBRedirection.enable = true;
environment.systemPackages = with pkgs; [ virt-manager ];
users.users.googlebot.extraGroups = [ "libvirtd" "adbusers" ];
};
}

16
common/pc/vscodium.nix
View File

@@ -4,8 +4,20 @@ let
cfg = config.de; cfg = config.de;
extensions = with pkgs.vscode-extensions; [ extensions = with pkgs.vscode-extensions; [
# bbenoist.Nix # nix syntax support bbenoist.nix # nix syntax support
# arrterian.nix-env-selector # nix dev envs arrterian.nix-env-selector # nix dev envs
dart-code.dart-code
dart-code.flutter
golang.go
jnoortheen.nix-ide
ms-vscode.cpptools
] ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [
{
name = "platformio-ide";
publisher = "platformio";
version = "3.1.1";
sha256 = "g9yTG3DjVUS2w9eHGAai5LoIfEGus+FPhqDnCi4e90Q=";
}
]; ];
vscodium-with-extensions = pkgs.vscode-with-extensions.override { vscodium-with-extensions = pkgs.vscode-with-extensions.override {

87
common/server/actualbudget.nix Normal file
View File

@@ -0,0 +1,87 @@
# Starting point:
# https://github.com/aldoborrero/mynixpkgs/commit/c501c1e32dba8f4462dcecb57eee4b9e52038e27
{ config, pkgs, lib, ... }:
let
cfg = config.services.actual-server;
stateDir = "/var/lib/${cfg.stateDirName}";
in
{
options.services.actual-server = {
enable = lib.mkEnableOption "Actual Server";
hostname = lib.mkOption {
type = lib.types.str;
default = "localhost";
description = "Hostname for the Actual Server.";
};
port = lib.mkOption {
type = lib.types.int;
default = 25448;
description = "Port on which the Actual Server should listen.";
};
stateDirName = lib.mkOption {
type = lib.types.str;
default = "actual-server";
description = "Name of the directory under /var/lib holding the server's data.";
};
upload = {
fileSizeSyncLimitMB = lib.mkOption {
type = lib.types.nullOr lib.types.int;
default = null;
description = "File size limit in MB for synchronized files.";
};
syncEncryptedFileSizeLimitMB = lib.mkOption {
type = lib.types.nullOr lib.types.int;
default = null;
description = "File size limit in MB for synchronized encrypted files.";
};
fileSizeLimitMB = lib.mkOption {
type = lib.types.nullOr lib.types.int;
default = null;
description = "File size limit in MB for file uploads.";
};
};
};
config = lib.mkIf cfg.enable {
systemd.services.actual-server = {
description = "Actual Server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.actual-server}/bin/actual-server";
Restart = "always";
StateDirectory = cfg.stateDirName;
WorkingDirectory = stateDir;
DynamicUser = true;
UMask = "0007";
};
environment = {
NODE_ENV = "production";
ACTUAL_PORT = toString cfg.port;
# Actual is actually very bad at configuring it's own paths despite that information being readily available
ACTUAL_USER_FILES = "${stateDir}/user-files";
ACTUAL_SERVER_FILES = "${stateDir}/server-files";
ACTUAL_DATA_DIR = stateDir;
ACTUAL_UPLOAD_FILE_SYNC_SIZE_LIMIT_MB = toString (cfg.upload.fileSizeSyncLimitMB or "");
ACTUAL_UPLOAD_SYNC_ENCRYPTED_FILE_SIZE_LIMIT_MB = toString (cfg.upload.syncEncryptedFileSizeLimitMB or "");
ACTUAL_UPLOAD_FILE_SIZE_LIMIT_MB = toString (cfg.upload.fileSizeLimitMB or "");
};
};
services.nginx.virtualHosts.${cfg.hostname} = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:${toString cfg.port}";
};
};
}

40
common/server/atticd.nix Normal file
View File

@@ -0,0 +1,40 @@
{ config, lib, ... }:
let
cfg = config.services.atticd;
in
{
config = lib.mkIf cfg.enable {
services.atticd = {
credentialsFile = "/run/agenix/atticd-credentials";
settings = {
listen = "[::]:28338";
# Speed things up
require-proof-of-possession = false;
chunking = {
# Disable chunking for performance (I have plenty of space)
nar-size-threshold = 0;
# Chunking is disabled due to poor performance so these values don't matter but are required anyway.
# One day, when I move away from ZFS maybe this will perform well enough.
# nar-size-threshold = 64 * 1024; # 64 KiB
min-size = 16 * 1024; # 16 KiB
avg-size = 64 * 1024; # 64 KiB
max-size = 256 * 1024; # 256 KiB
};
# Disable compression for performance (I have plenty of space)
compression.type = "none";
garbage-collection = {
default-retention-period = "6 months";
};
};
};
age.secrets.atticd-credentials.file = ../../secrets/atticd-credentials.age;
};
}

53
common/server/dashy.nix Normal file
View File

@@ -0,0 +1,53 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.dashy;
in
{
options.services.dashy = {
enable = mkEnableOption "dashy";
imageTag = mkOption {
type = types.str;
default = "latest";
};
port = mkOption {
type = types.int;
default = 56815;
};
configFile = lib.mkOption {
type = lib.types.path;
description = "Path to the YAML configuration file";
};
};
config = mkIf cfg.enable {
virtualisation.oci-containers.containers = {
dashy = {
image = "lissy93/dashy:${cfg.imageTag}";
environment = {
TZ = "${config.time.timeZone}";
};
ports = [
"127.0.0.1:${toString cfg.port}:80"
];
volumes = [
"${cfg.configFile}:/app/public/conf.yml"
];
};
};
services.nginx.enable = true;
services.nginx.virtualHosts."s0.koi-bebop.ts.net" = {
default = true;
addSSL = true;
serverAliases = [ "s0" ];
sslCertificate = "/secret/ssl/s0.koi-bebop.ts.net.crt";
sslCertificateKey = "/secret/ssl/s0.koi-bebop.ts.net.key";
locations."/" = {
proxyPass = "http://localhost:${toString cfg.port}";
};
};
};
}

5
common/server/default.nix
View File

@@ -18,5 +18,10 @@
./nextcloud.nix ./nextcloud.nix
./iodine.nix ./iodine.nix
./searx.nix ./searx.nix
./gitea-actions-runner.nix
./dashy.nix
./librechat.nix
./actualbudget.nix
./atticd.nix
]; ];
} }

137
common/server/gitea-actions-runner.nix Normal file
View File

@@ -0,0 +1,137 @@
{ config, pkgs, lib, allModules, ... }:
# Gitea Actions Runner. Starts 'host' runner that runs directly on the host inside of a nixos container
# This is useful for providing a real Nix/OS builder to gitea.
# Warning, NixOS containers are not secure. For example, the container shares the /nix/store
# Therefore, this should not be used to run untrusted code.
# To enable, assign a machine the 'gitea-actions-runner' system role
# TODO: skipping running inside of nixos container for now because of issues getting docker/podman running
let
runnerRole = "gitea-actions-runner";
runners = config.machines.roles.${runnerRole};
thisMachineIsARunner = builtins.elem config.networking.hostName runners;
containerName = "gitea-runner";
in
{
config = lib.mkIf (thisMachineIsARunner && !config.boot.isContainer) {
# containers.${containerName} = {
# ephemeral = true;
# autoStart = true;
# # for podman
# enableTun = true;
# # privateNetwork = true;
# # hostAddress = "172.16.101.1";
# # localAddress = "172.16.101.2";
# bindMounts =
# {
# "/run/agenix/gitea-actions-runner-token" = {
# hostPath = "/run/agenix/gitea-actions-runner-token";
# isReadOnly = true;
# };
# "/var/lib/gitea-runner" = {
# hostPath = "/var/lib/gitea-runner";
# isReadOnly = false;
# };
# };
# extraFlags = [
# # Allow podman
# ''--system-call-filter=thisystemcalldoesnotexistforsure''
# ];
# additionalCapabilities = [
# "CAP_SYS_ADMIN"
# ];
# config = {
# imports = allModules;
# # speeds up evaluation
# nixpkgs.pkgs = pkgs;
# networking.hostName = lib.mkForce containerName;
# # don't use remote builders
# nix.distributedBuilds = lib.mkForce false;
# environment.systemPackages = with pkgs; [
# git
# # Gitea Actions rely heavily on node. Include it because it would be installed anyway.
# nodejs
# ];
# services.gitea-actions-runner.instances.inst = {
# enable = true;
# name = config.networking.hostName;
# url = "https://git.neet.dev/";
# tokenFile = "/run/agenix/gitea-actions-runner-token";
# labels = [
# "ubuntu-latest:docker://node:18-bullseye"
# "nixos:host"
# ];
# };
# # To allow building on the host, must override the the service's config so it doesn't use a dynamic user
# systemd.services.gitea-runner-inst.serviceConfig.DynamicUser = lib.mkForce false;
# users.users.gitea-runner = {
# home = "/var/lib/gitea-runner";
# group = "gitea-runner";
# isSystemUser = true;
# createHome = true;
# };
# users.groups.gitea-runner = { };
# virtualisation.podman.enable = true;
# boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
# };
# };
# networking.nat.enable = true;
# networking.nat.internalInterfaces = [
# "ve-${containerName}"
# ];
# networking.ip_forward = true;
# don't use remote builders
nix.distributedBuilds = lib.mkForce false;
services.gitea-actions-runner.instances.inst = {
enable = true;
name = config.networking.hostName;
url = "https://git.neet.dev/";
tokenFile = "/run/agenix/gitea-actions-runner-token";
labels = [
"ubuntu-latest:docker://node:18-bullseye"
"nixos:host"
];
};
environment.systemPackages = with pkgs; [
git
# Gitea Actions rely heavily on node. Include it because it would be installed anyway.
nodejs
attic
];
# To allow building on the host, must override the the service's config so it doesn't use a dynamic user
systemd.services.gitea-runner-inst.serviceConfig.DynamicUser = lib.mkForce false;
users.users.gitea-runner = {
home = "/var/lib/gitea-runner";
group = "gitea-runner";
isSystemUser = true;
createHome = true;
};
users.groups.gitea-runner = { };
virtualisation.podman.enable = true;
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
age.secrets.gitea-actions-runner-token.file = ../../secrets/gitea-actions-runner-token.age;
};
}

19
common/server/gitea.nix
View File

@@ -12,12 +12,14 @@ in
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services.gitea = { services.gitea = {
domain = cfg.hostname;
rootUrl = "https://${cfg.hostname}/";
appName = cfg.hostname; appName = cfg.hostname;
# lfs.enable = true; lfs.enable = true;
# dump.enable = true; # dump.enable = true;
settings = { settings = {
server = {
ROOT_URL = "https://${cfg.hostname}/";
DOMAIN = cfg.hostname;
};
other = { other = {
SHOW_FOOTER_VERSION = false; SHOW_FOOTER_VERSION = false;
}; };
@@ -29,6 +31,9 @@ in
}; };
session = { session = {
COOKIE_SECURE = true; COOKIE_SECURE = true;
PROVIDER = "db";
SESSION_LIFE_TIME = 259200; # 3 days
GC_INTERVAL_TIME = 259200; # 3 days
}; };
mailer = { mailer = {
ENABLED = true; ENABLED = true;
@@ -39,6 +44,12 @@ in
USER = "robot@runyan.org"; USER = "robot@runyan.org";
FROM = "no-reply@neet.dev"; FROM = "no-reply@neet.dev";
}; };
actions = {
ENABLED = true;
};
indexer = {
REPO_INDEXER_ENABLED = true;
};
}; };
mailerPasswordFile = "/run/agenix/robots-email-pw"; mailerPasswordFile = "/run/agenix/robots-email-pw";
}; };
@@ -57,7 +68,7 @@ in
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
proxyPass = "http://localhost:${toString cfg.httpPort}"; proxyPass = "http://localhost:${toString cfg.settings.server.HTTP_PORT}";
}; };
}; };
}; };

62
common/server/librechat.nix Normal file
View File

@@ -0,0 +1,62 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.librechat;
in
{
options.services.librechat = {
enable = mkEnableOption "librechat";
port = mkOption {
type = types.int;
default = 3080;
};
host = lib.mkOption {
type = lib.types.str;
example = "example.com";
};
};
config = mkIf cfg.enable {
virtualisation.oci-containers.containers = {
librechat = {
image = "ghcr.io/danny-avila/librechat:v0.6.6";
environment = {
HOST = "0.0.0.0";
MONGO_URI = "mongodb://host.containers.internal:27017/LibreChat";
ENDPOINTS = "openAI,google,bingAI,gptPlugins";
};
environmentFiles = [
"/run/agenix/librechat-env-file"
];
ports = [
"${toString cfg.port}:3080"
];
};
};
age.secrets.librechat-env-file.file = ../../secrets/librechat-env-file.age;
services.mongodb.enable = true;
services.mongodb.bind_ip = "0.0.0.0";
# easier podman maintenance
virtualisation.oci-containers.backend = "podman";
virtualisation.podman.dockerSocket.enable = true;
virtualisation.podman.dockerCompat = true;
# For mongodb access
networking.firewall.trustedInterfaces = [
"podman0" # for librechat
];
services.nginx.virtualHosts.${cfg.host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString cfg.port}";
proxyWebsockets = true;
};
};
};
}

14
common/server/mailserver.nix
View File

@@ -37,6 +37,10 @@ in
# catchall for all domains # catchall for all domains
aliases = map (domain: "@${domain}") domains; aliases = map (domain: "@${domain}") domains;
}; };
"cris@runyan.org" = {
hashedPasswordFile = "/run/agenix/cris-hashed-email-pw";
aliases = [ "chris@runyan.org" ];
};
"robot@runyan.org" = { "robot@runyan.org" = {
aliases = [ aliases = [
"no-reply@neet.dev" "no-reply@neet.dev"
@@ -51,10 +55,18 @@ in
"joslyn@runyan.org" "joslyn@runyan.org"
"damon@runyan.org" "damon@runyan.org"
"jonas@runyan.org" "jonas@runyan.org"
"simon@neet.dev"
]; ];
certificateScheme = 3; # use let's encrypt for certs forwards = {
"amazon@runyan.org" = [
"jeremy@runyan.org"
"cris@runyan.org"
];
};
certificateScheme = "acme-nginx"; # use let's encrypt for certs
}; };
age.secrets.hashed-email-pw.file = ../../secrets/hashed-email-pw.age; age.secrets.hashed-email-pw.file = ../../secrets/hashed-email-pw.age;
age.secrets.cris-hashed-email-pw.file = ../../secrets/cris-hashed-email-pw.age;
age.secrets.hashed-robots-email-pw.file = ../../secrets/hashed-robots-email-pw.age; age.secrets.hashed-robots-email-pw.file = ../../secrets/hashed-robots-email-pw.age;
# sendmail to use xxx@domain instead of xxx@mail.domain # sendmail to use xxx@domain instead of xxx@mail.domain

3
common/server/nextcloud.nix
View File

@@ -8,13 +8,12 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services.nextcloud = { services.nextcloud = {
https = true; https = true;
package = pkgs.nextcloud25; package = pkgs.nextcloud29;
hostName = "neet.cloud"; hostName = "neet.cloud";
config.dbtype = "sqlite"; config.dbtype = "sqlite";
config.adminuser = "jeremy"; config.adminuser = "jeremy";
config.adminpassFile = "/run/agenix/nextcloud-pw"; config.adminpassFile = "/run/agenix/nextcloud-pw";
autoUpdateApps.enable = true; autoUpdateApps.enable = true;
enableBrokenCiphersForSSE = false;
}; };
age.secrets.nextcloud-pw = { age.secrets.nextcloud-pw = {
file = ../../secrets/nextcloud-pw.age; file = ../../secrets/nextcloud-pw.age;

2
common/server/samba.nix
View File

@@ -97,7 +97,7 @@
# Printer discovery # Printer discovery
# (is this needed?) # (is this needed?)
services.avahi.enable = true; services.avahi.enable = true;
services.avahi.nssmdns = true; services.avahi.nssmdns4 = true;
# printer sharing # printer sharing
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [

2
common/shell.nix
View File

@@ -34,6 +34,8 @@
io_seq_write = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=write --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file"; io_seq_write = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=write --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
io_rand_read = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=randread --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=32 --runtime=60 --group_reporting; rm temp.file"; io_rand_read = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=randread --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=32 --runtime=60 --group_reporting; rm temp.file";
io_rand_write = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=randrw --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file"; io_rand_write = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=randrw --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
llsblk = "lsblk -o +uuid,fsType";
}; };
nixpkgs.overlays = [ nixpkgs.overlays = [

214
flake.lock generated
View File

@@ -3,16 +3,20 @@
"agenix": { "agenix": {
"inputs": { "inputs": {
"darwin": "darwin", "darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
],
"systems": [
"systems"
] ]
}, },
"locked": { "locked": {
"lastModified": 1675176355, "lastModified": 1716561646,
"narHash": "sha256-Qjxh5cmN56siY97mzmBLI1+cdjXSPqmfPVsKxBvHmwI=", "narHash": "sha256-UIGtLO89RxKt7RF2iEgPikSdU53r6v/6WYB0RW3k89I=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "b7ffcfe77f817d9ee992640ba1f270718d197f28", "rev": "c2fc0762bbe8feb06a2e59a364fa81b3a57671c9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -21,27 +25,34 @@
"type": "github" "type": "github"
} }
}, },
"archivebox": { "attic": {
"inputs": { "inputs": {
"crane": "crane",
"flake-compat": [
"flake-compat"
],
"flake-utils": [ "flake-utils": [
"flake-utils" "flake-utils"
], ],
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
],
"nixpkgs-stable": [
"nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1648612759, "lastModified": 1717279440,
"narHash": "sha256-SJwlpD2Wz3zFoX2mIYCQfwIOYHaOdeiWGFeDXsLGM84=", "narHash": "sha256-kH04ReTjxOpQumgWnqy40vvQLSnLGxWP6RF3nq5Esrk=",
"ref": "refs/heads/master", "owner": "zhaofengli",
"rev": "39d338b9b24159d8ef3309eecc0d32a2a9f102b5", "repo": "attic",
"revCount": 2, "rev": "717cc95983cdc357bc347d70be20ced21f935843",
"type": "git", "type": "github"
"url": "https://git.neet.dev/zuckerberg/archivebox.git"
}, },
"original": { "original": {
"type": "git", "owner": "zhaofengli",
"url": "https://git.neet.dev/zuckerberg/archivebox.git" "repo": "attic",
"type": "github"
} }
}, },
"blobs": { "blobs": {
@@ -60,6 +71,27 @@
"type": "gitlab" "type": "gitlab"
} }
}, },
"crane": {
"inputs": {
"nixpkgs": [
"attic",
"nixpkgs"
]
},
"locked": {
"lastModified": 1717025063,
"narHash": "sha256-dIubLa56W9sNNz0e8jGxrX3CAkPXsq7snuFA/Ie6dn8=",
"owner": "ipetkov",
"repo": "crane",
"rev": "480dff0be03dac0e51a8dfc26e882b0d123a450e",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"dailybuild_modules": { "dailybuild_modules": {
"inputs": { "inputs": {
"flake-utils": [ "flake-utils": [
@@ -76,11 +108,11 @@
"rev": "1290ddd9a2ff2bf2d0f702750768312b80efcd34", "rev": "1290ddd9a2ff2bf2d0f702750768312b80efcd34",
"revCount": 19, "revCount": 19,
"type": "git", "type": "git",
"url": "https://git.neet.dev/zuckerberg/dailybuild_modules.git" "url": "https://git.neet.dev/zuckerberg/dailybot.git"
}, },
"original": { "original": {
"type": "git", "type": "git",
"url": "https://git.neet.dev/zuckerberg/dailybuild_modules.git" "url": "https://git.neet.dev/zuckerberg/dailybot.git"
} }
}, },
"darwin": { "darwin": {
@@ -91,11 +123,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1673295039, "lastModified": 1700795494,
"narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"owner": "lnl7", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "87b9d090ad39b25b2400029c64825fc2a8868943", "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -107,21 +139,22 @@
}, },
"deploy-rs": { "deploy-rs": {
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": [
"flake-compat"
],
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"utils": [ "utils": [
"simple-nixos-mailserver", "flake-utils"
"utils"
] ]
}, },
"locked": { "locked": {
"lastModified": 1674127017, "lastModified": 1718194053,
"narHash": "sha256-QO1xF7stu5ZMDLbHN30LFolMAwY6TVlzYvQoUs1RD68=", "narHash": "sha256-FaGrf7qwZ99ehPJCAwgvNY5sLCqQ3GDiE/6uLhxxwSY=",
"owner": "serokell", "owner": "serokell",
"repo": "deploy-rs", "repo": "deploy-rs",
"rev": "8c9ea9605eed20528bf60fae35a2b613b901fd77", "rev": "3867348fa92bc892eba5d9ddb2d7a97b9e127a8a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -133,11 +166,11 @@
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1668681692, "lastModified": 1696426674,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "009399224d5e398d03b22badca40a37ac85412a1", "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -147,12 +180,17 @@
} }
}, },
"flake-utils": { "flake-utils": {
"inputs": {
"systems": [
"systems"
]
},
"locked": { "locked": {
"lastModified": 1667395993, "lastModified": 1710146030,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -161,6 +199,27 @@
"type": "github" "type": "github"
} }
}, },
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703113217,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"nix-index-database": { "nix-index-database": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -168,11 +227,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1677382901, "lastModified": 1716772633,
"narHash": "sha256-2idFWlTVG+qUZkU2/W50amGSIxmN56igIkMAXKbv4S4=", "narHash": "sha256-Idcye44UW+EgjbjCoklf2IDF+XrehV6CVYvxR1omst4=",
"owner": "Mic92", "owner": "Mic92",
"repo": "nix-index-database", "repo": "nix-index-database",
"rev": "4306fa7c12e098360439faac1a2e6b8e509ec97c", "rev": "ff80cb4a11bb87f3ce8459be6f16a25ac86eb2ac",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -181,47 +240,52 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1677823547, "lastModified": 1717248095,
"narHash": "sha256-xD2qco8Pw8HAXgjf9OSi2H2N20WaTrtvgcl21525kVE=", "narHash": "sha256-e8X2eWjAHJQT82AAN+mCI0B68cIDBJpqJ156+VRrFO0=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixos-hardware",
"rev": "78c4d33c16092e535bc4ba1284ba49e3e138483a", "rev": "7b49d3967613d9aacac5b340ef158d493906ba79",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "master", "ref": "master",
"repo": "nixpkgs", "repo": "nixos-hardware",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-22_05": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1654936503, "lastModified": 1717144377,
"narHash": "sha256-soKzdhI4jTHv/rSbh89RdlcJmrPgH8oMb/PLqiqIYVQ=", "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "dab6df51387c3878cdea09f43589a15729cae9f4", "rev": "805a384895c696f802a9bf5bf4720f37385df547",
"type": "github" "type": "github"
}, },
"original": { "original": {
"id": "nixpkgs", "owner": "NixOS",
"ref": "nixos-22.05", "ref": "nixos-24.05",
"type": "indirect" "repo": "nixpkgs",
"type": "github"
} }
}, },
"nixpkgs-hostapd-pr": { "nixpkgs-frigate": {
"flake": false,
"locked": { "locked": {
"narHash": "sha256-1rGQKcB1jeRPc1n021ulyOVkA6L6xmNYKmeqQ94+iRc=", "lastModified": 1695825837,
"type": "file", "narHash": "sha256-4Ne11kNRnQsmSJCRSSNkFRSnHC4Y5gPDBIQGjjPfJiU=",
"url": "https://github.com/NixOS/nixpkgs/pull/222536.patch" "owner": "NixOS",
"repo": "nixpkgs",
"rev": "5cfafa12d57374f48bcc36fda3274ada276cf69e",
"type": "github"
}, },
"original": { "original": {
"type": "file", "owner": "NixOS",
"url": "https://github.com/NixOS/nixpkgs/pull/222536.patch" "repo": "nixpkgs",
"rev": "5cfafa12d57374f48bcc36fda3274ada276cf69e",
"type": "github"
} }
}, },
"radio": { "radio": {
@@ -268,54 +332,64 @@
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
"archivebox": "archivebox", "attic": "attic",
"dailybuild_modules": "dailybuild_modules", "dailybuild_modules": "dailybuild_modules",
"deploy-rs": "deploy-rs", "deploy-rs": "deploy-rs",
"flake-compat": "flake-compat",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"nix-index-database": "nix-index-database", "nix-index-database": "nix-index-database",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-hostapd-pr": "nixpkgs-hostapd-pr", "nixpkgs-frigate": "nixpkgs-frigate",
"radio": "radio", "radio": "radio",
"radio-web": "radio-web", "radio-web": "radio-web",
"simple-nixos-mailserver": "simple-nixos-mailserver" "simple-nixos-mailserver": "simple-nixos-mailserver",
"systems": "systems"
} }
}, },
"simple-nixos-mailserver": { "simple-nixos-mailserver": {
"inputs": { "inputs": {
"blobs": "blobs", "blobs": "blobs",
"flake-compat": [
"flake-compat"
],
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"nixpkgs-22_05": "nixpkgs-22_05", "nixpkgs-24_05": [
"utils": "utils" "nixpkgs"
],
"utils": [
"flake-utils"
]
}, },
"locked": { "locked": {
"lastModified": 1655930346, "lastModified": 1718084203,
"narHash": "sha256-ht56HHOzEhjeIgAv5ZNFjSVX/in1YlUs0HG9c1EUXTM=", "narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=",
"owner": "simple-nixos-mailserver", "owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver", "repo": "nixos-mailserver",
"rev": "f535d8123c4761b2ed8138f3d202ea710a334a1d", "rev": "29916981e7b3b5782dc5085ad18490113f8ff63b",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
"owner": "simple-nixos-mailserver", "owner": "simple-nixos-mailserver",
"ref": "nixos-22.05", "ref": "master",
"repo": "nixos-mailserver", "repo": "nixos-mailserver",
"type": "gitlab" "type": "gitlab"
} }
}, },
"utils": { "systems": {
"locked": { "locked": {
"lastModified": 1605370193, "lastModified": 1681028828,
"narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=", "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "numtide", "owner": "nix-systems",
"repo": "flake-utils", "repo": "default",
"rev": "5021eac20303a61fafe17224c087f5519baed54d", "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "numtide", "owner": "nix-systems",
"repo": "flake-utils", "repo": "default",
"type": "github" "type": "github"
} }
} }

142
flake.nix
View File

@@ -1,47 +1,91 @@
{ {
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/master"; # nixpkgs
# nixpkgs-patch-howdy.url = "https://github.com/NixOS/nixpkgs/pull/216245.diff"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
# nixpkgs-patch-howdy.flake = false; nixpkgs-frigate.url = "github:NixOS/nixpkgs/5cfafa12d57374f48bcc36fda3274ada276cf69e";
flake-utils.url = "github:numtide/flake-utils"; # Common Utils Among flake inputs
systems.url = "github:nix-systems/default";
flake-utils = {
url = "github:numtide/flake-utils";
inputs.systems.follows = "systems";
};
flake-compat = {
url = "github:edolstra/flake-compat";
flake = false;
};
# mail server # NixOS hardware
simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-22.05"; nixos-hardware.url = "github:NixOS/nixos-hardware/master";
simple-nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";
# agenix # Mail Server
agenix.url = "github:ryantm/agenix"; simple-nixos-mailserver = {
agenix.inputs.nixpkgs.follows = "nixpkgs"; url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
inputs = {
nixpkgs.follows = "nixpkgs";
nixpkgs-24_05.follows = "nixpkgs";
flake-compat.follows = "flake-compat";
utils.follows = "flake-utils";
};
};
# radio # Agenix
radio.url = "git+https://git.neet.dev/zuckerberg/radio.git?ref=main&rev=5bf607fed977d41a269942a7d1e92f3e6d4f2473"; agenix = {
radio.inputs.nixpkgs.follows = "nixpkgs"; url = "github:ryantm/agenix";
radio.inputs.flake-utils.follows = "flake-utils"; inputs = {
radio-web.url = "git+https://git.neet.dev/zuckerberg/radio-web.git"; nixpkgs.follows = "nixpkgs";
radio-web.flake = false; systems.follows = "systems";
};
};
# drastikbot # Radio
dailybuild_modules.url = "git+https://git.neet.dev/zuckerberg/dailybuild_modules.git"; radio = {
dailybuild_modules.inputs.nixpkgs.follows = "nixpkgs"; url = "git+https://git.neet.dev/zuckerberg/radio.git?ref=main&rev=5bf607fed977d41a269942a7d1e92f3e6d4f2473";
dailybuild_modules.inputs.flake-utils.follows = "flake-utils"; inputs = {
nixpkgs.follows = "nixpkgs";
flake-utils.follows = "flake-utils";
};
};
radio-web = {
url = "git+https://git.neet.dev/zuckerberg/radio-web.git";
flake = false;
};
# archivebox # Dailybot
archivebox.url = "git+https://git.neet.dev/zuckerberg/archivebox.git"; dailybuild_modules = {
archivebox.inputs.nixpkgs.follows = "nixpkgs"; url = "git+https://git.neet.dev/zuckerberg/dailybot.git";
archivebox.inputs.flake-utils.follows = "flake-utils"; inputs = {
nixpkgs.follows = "nixpkgs";
flake-utils.follows = "flake-utils";
};
};
# nixos config deployment # NixOS deployment
deploy-rs.url = "github:serokell/deploy-rs"; deploy-rs = {
deploy-rs.inputs.nixpkgs.follows = "nixpkgs"; url = "github:serokell/deploy-rs";
deploy-rs.inputs.utils.follows = "simple-nixos-mailserver/utils"; inputs = {
nixpkgs.follows = "nixpkgs";
flake-compat.follows = "flake-compat";
utils.follows = "flake-utils";
};
};
# prebuilt nix-index database # Prebuilt nix-index database
nix-index-database.url = "github:Mic92/nix-index-database"; nix-index-database = {
nix-index-database.inputs.nixpkgs.follows = "nixpkgs"; url = "github:Mic92/nix-index-database";
inputs.nixpkgs.follows = "nixpkgs";
};
nixpkgs-hostapd-pr.url = "https://github.com/NixOS/nixpkgs/pull/222536.patch"; # Attic
nixpkgs-hostapd-pr.flake = false; attic = {
url = "github:zhaofengli/attic";
inputs = {
nixpkgs.follows = "nixpkgs";
nixpkgs-stable.follows = "nixpkgs";
flake-utils.follows = "flake-utils";
flake-compat.follows = "flake-compat";
};
};
}; };
outputs = { self, nixpkgs, ... }@inputs: outputs = { self, nixpkgs, ... }@inputs:
@@ -55,17 +99,24 @@
{ {
nixosConfigurations = nixosConfigurations =
let let
modules = system: with inputs; [ modules = system: hostname: with inputs; [
./common ./common
simple-nixos-mailserver.nixosModule simple-nixos-mailserver.nixosModule
agenix.nixosModules.default agenix.nixosModules.default
dailybuild_modules.nixosModule dailybuild_modules.nixosModule
archivebox.nixosModule
nix-index-database.nixosModules.nix-index nix-index-database.nixosModules.nix-index
attic.nixosModules.atticd
self.nixosModules.kernel-modules
({ lib, ... }: { ({ lib, ... }: {
config.environment.systemPackages = [ config = {
agenix.packages.${system}.agenix nixpkgs.overlays = [ self.overlays.default ];
];
environment.systemPackages = [
agenix.packages.${system}.agenix
];
networking.hostName = hostname;
};
# because nixos specialArgs doesn't work for containers... need to pass in inputs a different way # because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
options.inputs = lib.mkOption { default = inputs; }; options.inputs = lib.mkOption { default = inputs; };
@@ -73,16 +124,16 @@
}) })
]; ];
mkSystem = system: nixpkgs: path: mkSystem = system: nixpkgs: path: hostname:
let let
allModules = modules system; allModules = modules system hostname;
# allow patching nixpkgs, remove this hack once this is solved: https://github.com/NixOS/nix/issues/3920 # allow patching nixpkgs, remove this hack once this is solved: https://github.com/NixOS/nix/issues/3920
patchedNixpkgsSrc = nixpkgs.legacyPackages.${system}.applyPatches { patchedNixpkgsSrc = nixpkgs.legacyPackages.${system}.applyPatches {
name = "nixpkgs-patched"; name = "nixpkgs-patched";
src = nixpkgs; src = nixpkgs;
patches = [ patches = [
inputs.nixpkgs-hostapd-pr ./patches/gamepadui.patch
]; ];
}; };
patchedNixpkgs = nixpkgs.lib.fix (self: (import "${patchedNixpkgsSrc}/flake.nix").outputs { self = nixpkgs; }); patchedNixpkgs = nixpkgs.lib.fix (self: (import "${patchedNixpkgsSrc}/flake.nix").outputs { self = nixpkgs; });
@@ -94,12 +145,14 @@
specialArgs = { specialArgs = {
inherit allModules; inherit allModules;
lib = self.lib;
nixos-hardware = inputs.nixos-hardware;
}; };
}; };
in in
nixpkgs.lib.mapAttrs nixpkgs.lib.mapAttrs
(hostname: cfg: (hostname: cfg:
mkSystem cfg.arch nixpkgs cfg.configurationPath) mkSystem cfg.arch nixpkgs cfg.configurationPath hostname)
machines; machines;
packages = packages =
@@ -122,6 +175,9 @@
"aarch64-linux"."iso" = mkIso "aarch64-linux"; "aarch64-linux"."iso" = mkIso "aarch64-linux";
}; };
overlays.default = import ./overlays { inherit inputs; };
nixosModules.kernel-modules = import ./overlays/kernel-modules;
deploy.nodes = deploy.nodes =
let let
mkDeploy = configName: arch: hostname: { mkDeploy = configName: arch: hostname: {
@@ -137,5 +193,7 @@
machines; machines;
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib; checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
lib = nixpkgs.lib.extend (final: prev: import ./lib { lib = nixpkgs.lib; });
}; };
} }

56
lib/default.nix Normal file
View File

@@ -0,0 +1,56 @@
{ lib, ... }:
with lib;
{
# Passthrough trace for debugging
pTrace = v: traceSeq v v;
# find the total sum of a int list
sum = foldr (x: y: x + y) 0;
# splits a list of length two into two params then they're passed to a func
splitPair = f: pair: f (head pair) (last pair);
# Finds the max value in a list
maxList = foldr max 0;
# Sorts a int list. Greatest value first
sortList = sort (x: y: x > y);
# Cuts a list in half and returns the two parts in a list
cutInHalf = l: [ (take (length l / 2) l) (drop (length l / 2) l) ];
# Splits a list into a list of lists with length cnt
chunksOf = cnt: l:
if length l > 0 then
[ (take cnt l) ] ++ chunksOf cnt (drop cnt l)
else [ ];
# same as intersectLists but takes an array of lists to intersect instead of just two
intersectManyLists = ll: foldr intersectLists (head ll) ll;
# converts a boolean to a int (c style)
boolToInt = b: if b then 1 else 0;
# drops the last element of a list
dropLast = l: take (length l - 1) l;
# transposes a matrix
transpose = ll:
let
outerSize = length ll;
innerSize = length (elemAt ll 0);
in
genList (i: genList (j: elemAt (elemAt ll j) i) outerSize) innerSize;
# attriset recursiveUpdate but for a list of attrisets
combineAttrs = foldl recursiveUpdate { };
# visits every single attriset element of an attriset recursively
# and accumulates the result of every visit in a flat list
recurisveVisitAttrs = f: set:
let
visitor = n: v:
if isAttrs v then [ (f n v) ] ++ recurisveVisitAttrs f v
else [ (f n v) ];
in
concatLists (map (name: visitor name set.${name}) (attrNames set));
# merges two lists of the same size (similar to map but both lists are inputs per iteration)
mergeLists = f: a: imap0 (i: f (elemAt a i));
map2D = f: ll:
let
outerSize = length ll;
innerSize = length (elemAt ll 0);
getElem = x: y: elemAt (elemAt ll y) x;
in
genList (y: genList (x: f x y (getElem x y)) innerSize) outerSize;
}

4
lockfile-update.sh
View File

@@ -1,4 +0,0 @@
#! /usr/bin/env nix-shell
#! nix-shell -i bash -p bash
nix flake update --commit-lock-file

57
machines/ephemeral/sdimg.nix Normal file
View File

@@ -0,0 +1,57 @@
{ config, modulesPath, pkgs, lib, ... }:
let
pinecube-uboot = pkgs.buildUBoot {
defconfig = "pinecube_defconfig";
extraMeta.platforms = [ "armv7l-linux" ];
filesToInstall = [ "u-boot-sunxi-with-spl.bin" ];
};
in
{
imports = [
(modulesPath + "/installer/sd-card/sd-image.nix")
./minimal.nix
];
sdImage.populateFirmwareCommands = "";
sdImage.populateRootCommands = ''
mkdir -p ./files/boot
${config.boot.loader.generic-extlinux-compatible.populateCmd} -c ${config.system.build.toplevel} -d ./files/boot
'';
sdImage.postBuildCommands = ''
dd if=${pinecube-uboot}/u-boot-sunxi-with-spl.bin of=$img bs=1024 seek=8 conv=notrunc
'';
###
networking.hostName = "pinecube";
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
boot.consoleLogLevel = 7;
# cma is 64M by default which is waay too much and we can't even unpack initrd
boot.kernelParams = [ "console=ttyS0,115200n8" "cma=32M" ];
boot.kernelModules = [ "spi-nor" ]; # Not sure why this doesn't autoload. Provides SPI NOR at /dev/mtd0
boot.extraModulePackages = [ config.boot.kernelPackages.rtl8189es ];
zramSwap.enable = true; # 128MB is not much to work with
sound.enable = true;
environment.systemPackages = with pkgs; [
ffmpeg
(v4l_utils.override { withGUI = false; })
usbutils
];
services.getty.autologinUser = lib.mkForce "googlebot";
users.users.googlebot = {
isNormalUser = true;
extraGroups = [ "wheel" "networkmanager" "video" ];
openssh.authorizedKeys.keys = config.machines.ssh.userKeys;
};
networking.wireless.enable = true;
}

13
machines/howl/default.nix Normal file
View File

@@ -0,0 +1,13 @@
{ config, pkgs, lib, ... }:
{
imports = [
./hardware-configuration.nix
];
# don't use remote builders
nix.distributedBuilds = lib.mkForce false;
de.enable = true;
de.touchpad.enable = true;
}

58
machines/howl/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,58 @@
{ config, lib, pkgs, modulesPath, nixos-hardware, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
nixos-hardware.nixosModules.framework-13-7040-amd
];
boot.kernelPackages = pkgs.linuxPackages_latest;
hardware.framework.amd-7040.preventWakeOnAC = true;
services.fwupd.enable = true;
# fingerprint reader has initially shown to be more of a nuisance than a help
# it makes sddm log in fail most of the time and take several minutes to finish
services.fprintd.enable = false;
# boot
boot.loader.systemd-boot.enable = true;
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
# thunderbolt
services.hardware.bolt.enable = true;
# firmware
firmware.x86_64.enable = true;
# disks
remoteLuksUnlock.enable = true;
boot.initrd.luks.devices."enc-pv" = {
device = "/dev/disk/by-uuid/c801586b-f0a2-465c-8dae-532e61b83fee";
allowDiscards = true;
};
fileSystems."/" =
{
device = "/dev/disk/by-uuid/95db6950-a7bc-46cf-9765-3ea675ccf014";
fsType = "btrfs";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/B087-2C20";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices =
[{ device = "/dev/disk/by-uuid/49fbdf62-eef4-421b-aac3-c93494afd23c"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

26
machines/howl/properties.nix Normal file
View File

@@ -0,0 +1,26 @@
{
hostNames = [
"howl"
];
arch = "x86_64-linux";
systemRoles = [
"personal"
];
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQi3q8jU6vRruExAL60J7GFO1gS8HsmXVJuKRT4ljrG";
userKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPnLt84bKhUgFxjQf10+Htro9Lo1Pabqm8mGalBUniv"
];
deployKeys = [
# TODO
];
remoteUnlock = {
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN0N80r0Sl2WlJaUqfxZPkOtYyGumFazkIqq7eq3Gd2o";
onionHost = "ll6yjnkh4psmfwmtkmqoutl4gq4elqzbmjxv4s6gpgoavyi3kwhjvnqd.onion";
};
}

8
machines/phil/hardware-configuration.nix
View File

@@ -21,24 +21,24 @@
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
boot.initrd.luks.devices."enc-pv" = { boot.initrd.luks.devices."enc-pv" = {
device = "/dev/disk/by-uuid/9f1727c7-1e95-47b9-9807-8f38531eed47"; device = "/dev/disk/by-uuid/d26c1820-4c39-4615-98c2-51442504e194";
allowDiscards = true; allowDiscards = true;
}; };
fileSystems."/" = fileSystems."/" =
{ {
device = "/dev/mapper/vg-root"; device = "/dev/disk/by-uuid/851bfde6-93cd-439e-9380-de28aa87eda9";
fsType = "btrfs"; fsType = "btrfs";
}; };
fileSystems."/boot" = fileSystems."/boot" =
{ {
device = "/dev/disk/by-uuid/EC6B-53AA"; device = "/dev/disk/by-uuid/F185-C4E5";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = swapDevices =
[{ device = "/dev/disk/by-uuid/b916094f-cf2a-4be7-b8f1-674ba6473061"; }]; [{ device = "/dev/disk/by-uuid/d809e3a1-3915-405a-a200-4429c5efdf87"; }];
networking.interfaces.enp0s6.useDHCP = lib.mkDefault true; networking.interfaces.enp0s6.useDHCP = lib.mkDefault true;

5
machines/phil/properties.nix
View File

@@ -8,12 +8,13 @@
systemRoles = [ systemRoles = [
"server" "server"
"nix-builder"
]; ];
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlOs6mTZCSJL/XM6NysHN0ZNQAyj2GEwBV2Ze6NxRmr"; hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlgRPpuUkZqe8/lHugRPm/m2vcN9psYhh5tENHZt9I2";
remoteUnlock = { remoteUnlock = {
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqy9X/m67oXJBX+OMdIqpiLONYc5aQ2nHeEPAaj/vgN"; hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0RodotOXLMy/w70aa096gaNqPBnfgiXR5ZAH4+wGzd";
clearnetHost = "unlock.phil.neet.dev"; clearnetHost = "unlock.phil.neet.dev";
}; };
} }

48
machines/ponyo/default.nix
View File

@@ -5,9 +5,7 @@
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
networking.hostName = "ponyo"; # system.autoUpgrade.enable = true;
system.autoUpgrade.enable = true;
# p2p mesh network # p2p mesh network
services.tailscale.exitNode = true; services.tailscale.exitNode = true;
@@ -65,17 +63,32 @@
}; };
}; };
pia.wireguard.badPortForwardPorts = [ ]; pia.wireguard.badPortForwardPorts = [ ];
services.nginx.virtualHosts."radio.runyan.org" = { services.nginx.virtualHosts = {
enableACME = true; "radio.runyan.org" = {
forceSSL = true; enableACME = true;
locations = { forceSSL = true;
"/stream.mp3" = { locations = {
proxyPass = "http://vpn.containers:8001/stream.mp3"; "/stream.mp3" = {
extraConfig = '' proxyPass = "http://vpn.containers:8001/stream.mp3";
add_header Access-Control-Allow-Origin *; extraConfig = ''
''; add_header Access-Control-Allow-Origin *;
'';
};
"/".root = config.inputs.radio-web;
};
};
"radio.neet.space" = {
enableACME = true;
forceSSL = true;
locations = {
"/stream.mp3" = {
proxyPass = "http://vpn.containers:8001/stream.mp3";
extraConfig = ''
add_header Access-Control-Allow-Origin *;
'';
};
"/".root = config.inputs.radio-web;
}; };
"/".root = config.inputs.radio-web;
}; };
}; };
@@ -98,7 +111,7 @@
}; };
}; };
# pin postgresql for matrix (will need to migrate eventually) # pin postgresql for matrix (will need to migrate eventually)
services.postgresql.package = pkgs.postgresql_11; services.postgresql.package = pkgs.postgresql_15;
# iodine DNS-based vpn # iodine DNS-based vpn
services.iodine.server.enable = true; services.iodine.server.enable = true;
@@ -138,4 +151,11 @@
# owncast live streaming # owncast live streaming
services.owncast.enable = true; services.owncast.enable = true;
services.owncast.hostname = "live.neet.dev"; services.owncast.hostname = "live.neet.dev";
# librechat
services.librechat.enable = true;
services.librechat.host = "chat.neet.dev";
services.actual-server.enable = true;
services.actual-server.hostname = "actual.runyan.org";
} }

1
machines/ponyo/hardware-configuration.nix
View File

@@ -16,6 +16,7 @@
bios = { bios = {
enable = true; enable = true;
device = "/dev/sda"; device = "/dev/sda";
configurationLimit = 3; # Save room in /nix/store
}; };
remoteLuksUnlock.enable = true; remoteLuksUnlock.enable = true;

1
machines/ponyo/properties.nix
View File

@@ -15,6 +15,7 @@
"nextcloud" "nextcloud"
"dailybot" "dailybot"
"gitea" "gitea"
"librechat"
]; ];
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBBlTAIp38RhErU1wNNV5MBeb+WGH0mhF/dxh5RsAXN"; hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBBlTAIp38RhErU1wNNV5MBeb+WGH0mhF/dxh5RsAXN";

57
machines/ray/default.nix
View File

@@ -1,57 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports = [
./hardware-configuration.nix
];
networking.hostName = "ray";
# for luks onlock over tor
services.tor.enable = true;
services.tor.client.enable = true;
# services.howdy.enable = true;
hardware.openrazer.enable = true;
hardware.openrazer.users = [ "googlebot" ];
hardware.openrazer.devicesOffOnScreensaver = false;
users.users.googlebot.packages = [ pkgs.polychromatic ];
services.udev.extraRules = ''
# depthai
SUBSYSTEM=="usb", ATTRS{idVendor}=="03e7", MODE="0666"
# Moonlander
# Rules for Oryx web flashing and live training
KERNEL=="hidraw*", ATTRS{idVendor}=="16c0", MODE="0664", GROUP="plugdev"
KERNEL=="hidraw*", ATTRS{idVendor}=="3297", MODE="0664", GROUP="plugdev"
# Wally Flashing rules for the Moonlander and Planck EZ
SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", MODE:="0666", SYMLINK+="stm32_dfu"
'';
users.groups.plugdev = {
members = [ "googlebot" ];
};
# virt-manager
virtualisation.libvirtd.enable = true;
programs.dconf.enable = true;
virtualisation.spiceUSBRedirection.enable = true;
environment.systemPackages = with pkgs; [ virt-manager ];
users.users.googlebot.extraGroups = [ "libvirtd" ];
# allow building ARM derivations
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
services.spotifyd.enable = true;
virtualisation.docker.enable = true;
virtualisation.appvm.enable = true;
virtualisation.appvm.user = "googlebot";
services.mount-samba.enable = true;
de.enable = true;
de.touchpad.enable = true;
}

65
machines/ray/hardware-configuration.nix
View File

@@ -1,65 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
# boot
efi.enable = true;
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
# kernel
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
# firmware
firmware.x86_64.enable = true;
hardware.enableAllFirmware = true;
# gpu
services.xserver.videoDrivers = [ "nvidia" ];
hardware.nvidia = {
modesetting.enable = true; # for nvidia-vaapi-driver
prime = {
reverseSync.enable = true;
offload.enableOffloadCmd = true;
nvidiaBusId = "PCI:1:0:0";
amdgpuBusId = "PCI:4:0:0";
};
};
# disks
remoteLuksUnlock.enable = true;
boot.initrd.luks.devices."enc-pv" = {
device = "/dev/disk/by-uuid/c1822e5f-4137-44e1-885f-954e926583ce";
allowDiscards = true;
};
fileSystems."/" =
{
device = "/dev/vg/root";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/home" =
{
device = "/dev/vg/root";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/2C85-2B59";
fsType = "vfat";
};
swapDevices =
[{ device = "/dev/vg/swap"; }];
# high-resolution display
hardware.video.hidpi.enable = lib.mkDefault true;
}

22
machines/ray/properties.nix
View File

@@ -1,22 +0,0 @@
{
hostNames = [
"ray"
];
arch = "x86_64-linux";
systemRoles = [
"personal"
"deploy"
];
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQM8hwKRgl8cZj7UVYATSLYu4LhG7I0WFJ9m2iWowiB";
userKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeTK1iARlNIKP/DS8/ObBm9yUM/3L1Ub4XI5A2r9OzP"
];
deployKeys = [
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEaGIwLiUa6wQLlEF+keQOIYy/tCmJvV6eENzUQjSqW2AAAABHNzaDo="
];
}

2
machines/router/default.nix
View File

@@ -11,8 +11,6 @@
# https://github.com/skogsbrus/os/blob/master/sys/router.nix # https://github.com/skogsbrus/os/blob/master/sys/router.nix
# http://trac.gateworks.com/wiki/wireless/wifi # http://trac.gateworks.com/wiki/wireless/wifi
networking.hostName = "router";
system.autoUpgrade.enable = true; system.autoUpgrade.enable = true;
services.tailscale.exitNode = true; services.tailscale.exitNode = true;

0
machines/router/properties.nix → machines/router/properties.nix.disabled
View File

20
machines/router/router.nix
View File

@@ -92,7 +92,7 @@ in
radios = { radios = {
# 2.4GHz # 2.4GHz
wlp4s0 = { wlp4s0 = {
hwMode = "g"; band = "2g";
noScan = true; noScan = true;
channel = 6; channel = 6;
countryCode = "US"; countryCode = "US";
@@ -124,15 +124,15 @@ in
# authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower"; # authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
# }; # };
}; };
extraConfig = '' settings = {
he_oper_centr_freq_seg0_idx=8 he_oper_centr_freq_seg0_idx = 8;
vht_oper_centr_freq_seg0_idx=8 vht_oper_centr_freq_seg0_idx = 8;
''; };
}; };
# 5GHz # 5GHz
wlan1 = { wlan1 = {
hwMode = "a"; band = "5g";
noScan = true; noScan = true;
channel = 128; channel = 128;
countryCode = "US"; countryCode = "US";
@@ -164,10 +164,10 @@ in
# authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower"; # authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
# }; # };
}; };
extraConfig = '' settings = {
vht_oper_centr_freq_seg0_idx=114 vht_oper_centr_freq_seg0_idx = 114;
he_oper_centr_freq_seg0_idx=114 he_oper_centr_freq_seg0_idx = 114;
''; };
}; };
}; };
}; };

249
machines/storage/s0/dashy.yaml Normal file
View File

@@ -0,0 +1,249 @@
appConfig:
theme: vaporware
customColors:
material-dark-original:
primary: '#f36558'
background: '#39434C'
background-darker: '#eb615c'
material-light: '#f36558'
item-text-color: '#ff948a'
curve-factor: 5px
enableErrorReporting: false
layout: auto
iconSize: large
language: en
startingView: default
defaultOpeningMethod: sametab
statusCheck: true
statusCheckInterval: 20
faviconApi: faviconkit
routingMode: history
enableMultiTasking: false
webSearch:
disableWebSearch: false
searchEngine: duckduckgo
openingMethod: sametab
searchBangs: {}
enableFontAwesome: true
cssThemes: []
externalStyleSheet: []
hideComponents:
hideHeading: false
hideNav: false
hideSearch: false
hideSettings: false
hideFooter: false
hideSplashScreen: false
auth:
enableGuestAccess: false
users: []
enableKeycloak: false
keycloak: {}
allowConfigEdit: true
enableServiceWorker: false
disableContextMenu: false
disableUpdateChecks: false
disableSmartSort: false
pageInfo:
title: s0
description: s0
sections:
- name: Media & Entertainment
icon: fas fa-photo-video
displayData:
sortBy: most-used
cols: 1
rows: 1
collapsed: false
hideForGuests: false
items:
- &ref_0
title: Jellyfin
icon: hl-jellyfin
url: http://s0:8097
target: sametab
statusCheck: true
statusCheckUrl: http://jellyfin.s0
id: 0_1956_jellyfin
- &ref_1
title: Sonarr
description: Manage TV
icon: hl-sonarr
url: http://s0:8989
target: sametab
statusCheck: true
statusCheckUrl: http://sonarr.s0
id: 1_1956_sonarr
- &ref_2
title: Radarr
description: Manage Movies
icon: hl-radarr
url: http://s0:7878
target: sametab
statusCheck: true
statusCheckUrl: http://radarr.s0
id: 2_1956_radarr
- &ref_3
title: Lidarr
description: Manage Music
icon: hl-lidarr
url: http://s0:8686
target: sametab
statusCheck: true
statusCheckUrl: http://lidarr.s0
id: 3_1956_lidarr
- &ref_4
title: Prowlarr
description: Indexers
icon: hl-prowlarr
url: http://prowlarr.s0
target: sametab
statusCheck: true
statusCheckUrl: http://prowlarr.s0
id: 4_1956_prowlarr
- &ref_5
title: Bazarr
description: Subtitles
icon: hl-bazarr
url: http://s0:6767
target: sametab
statusCheck: true
statusCheckUrl: http://bazarr.s0
id: 5_1956_bazarr
- &ref_6
title: Navidrome
description: Play Music
icon: hl-navidrome
url: http://s0:4534
target: sametab
statusCheck: true
statusCheckUrl: http://music.s0
id: 6_1956_navidrome
- &ref_7
title: Transmission
description: Torrenting
icon: hl-transmission
url: http://s0:9091
target: sametab
statusCheck: true
statusCheckUrl: http://transmission.s0
id: 7_1956_transmission
filteredItems:
- *ref_0
- *ref_1
- *ref_2
- *ref_3
- *ref_4
- *ref_5
- *ref_6
- *ref_7
- name: Network
icon: fas fa-network-wired
items:
- &ref_8
title: Gateway
description: openwrt
icon: hl-openwrt
url: http://openwrt.lan/
target: sametab
statusCheck: true
id: 0_746_gateway
- &ref_9
title: Wireless
description: openwrt (ish)
icon: hl-openwrt
url: http://PacketProvocateur.lan
target: sametab
statusCheck: true
id: 1_746_wireless
filteredItems:
- *ref_8
- *ref_9
displayData:
sortBy: default
rows: 1
cols: 1
collapsed: false
hideForGuests: false
- name: Services
icon: fas fa-monitor-heart-rate
items:
- &ref_10
title: Matrix
description: ''
icon: hl-matrix
url: https://chat.neet.space
target: sametab
statusCheck: true
id: 0_836_matrix
- &ref_11
title: Radio
description: Radio service
icon: generative
url: https://radio.runyan.org
target: sametab
statusCheck: true
id: 1_836_radio
- &ref_12
title: Mumble
description: voice.neet.space
icon: hl-mumble
url: https://voice.neet.space
target: sametab
statusCheck: false
id: 2_836_mumble
- &ref_13
title: IRC
description: irc.neet.dev
icon: hl-thelounge
url: https://irc.neet.dev
target: sametab
statusCheck: true
id: 3_836_irc
- &ref_14
title: Git
description: git.neet.dev
icon: hl-gitea
url: https://git.neet.dev
target: sametab
statusCheck: true
id: 4_836_git
- &ref_15
title: Nextcloud
description: neet.cloud
icon: hl-nextcloud
url: https://neet.cloud
target: sametab
statusCheck: true
id: 5_836_nextcloud
- &ref_16
title: Roundcube
description: mail.neet.dev
icon: hl-roundcube
url: https://mail.neet.dev
target: sametab
statusCheck: true
id: 6_836_roundcube
- &ref_17
title: Jitsi Meet
description: meet.neet.space
icon: hl-jitsimeet
url: https://meet.neet.space
target: sametab
statusCheck: true
id: 7_836_jitsimeet
filteredItems:
- *ref_10
- *ref_11
- *ref_12
- *ref_13
- *ref_14
- *ref_15
- *ref_16
- *ref_17
displayData:
sortBy: default
rows: 1
cols: 1
collapsed: false
hideForGuests: false

92
machines/storage/s0/default.nix
View File

@@ -3,11 +3,12 @@
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./home-automation.nix
]; ];
networking.hostName = "s0"; networking.hostName = "s0";
system.autoUpgrade.enable = true; # system.autoUpgrade.enable = true;
services.iperf3.enable = true; services.iperf3.enable = true;
services.iperf3.openFirewall = true; services.iperf3.openFirewall = true;
@@ -22,9 +23,6 @@
# samba # samba
services.samba.enable = true; services.samba.enable = true;
# disable suspend on lid close
services.logind.lidSwitch = "ignore";
# navidrome # navidrome
services.navidrome = { services.navidrome = {
enable = true; enable = true;
@@ -34,7 +32,6 @@
MusicFolder = "/data/samba/Public/Media/Music"; MusicFolder = "/data/samba/Public/Media/Music";
}; };
}; };
networking.firewall.allowedTCPPorts = [ config.services.navidrome.settings.Port ];
# allow access to transmisson data # allow access to transmisson data
users.users.googlebot.extraGroups = [ "transmission" ]; users.users.googlebot.extraGroups = [ "transmission" ];
@@ -102,13 +99,19 @@
# "speed-limit-up-enabled" = true; # "speed-limit-up-enabled" = true;
/* seeding limit */ /* seeding limit */
"ratio-limit" = 2; "ratio-limit" = 3;
"ratio-limit-enabled" = true; "ratio-limit-enabled" = true;
"download-queue-enabled" = true; "download-queue-enabled" = true;
"download-queue-size" = 20; # gotta go fast "download-queue-size" = 20; # gotta go fast
}; };
}; };
# https://github.com/NixOS/nixpkgs/issues/258793
systemd.services.transmission.serviceConfig = {
RootDirectoryStartOnly = lib.mkForce (lib.mkForce false);
RootDirectory = lib.mkForce (lib.mkForce "");
};
users.groups.public_data.gid = 994; users.groups.public_data.gid = 994;
users.users.public_data = { users.users.public_data = {
isSystemUser = true; isSystemUser = true;
@@ -146,22 +149,75 @@
# nginx # nginx
services.nginx.enable = true; services.nginx.enable = true;
services.nginx.virtualHosts."bazarr.s0".locations."/".proxyPass = "http://vpn.containers:6767"; services.nginx.virtualHosts."bazarr.s0" = {
services.nginx.virtualHosts."radarr.s0".locations."/".proxyPass = "http://vpn.containers:7878"; listen = [{ addr = "0.0.0.0"; port = 6767; } { addr = "0.0.0.0"; port = 80; }];
services.nginx.virtualHosts."lidarr.s0".locations."/".proxyPass = "http://vpn.containers:8686"; locations."/".proxyPass = "http://vpn.containers:6767";
services.nginx.virtualHosts."sonarr.s0".locations."/".proxyPass = "http://vpn.containers:8989"; };
services.nginx.virtualHosts."prowlarr.s0".locations."/".proxyPass = "http://vpn.containers:9696"; services.nginx.virtualHosts."radarr.s0" = {
services.nginx.virtualHosts."music.s0".locations."/".proxyPass = "http://localhost:4533"; listen = [{ addr = "0.0.0.0"; port = 7878; } { addr = "0.0.0.0"; port = 80; }];
services.nginx.virtualHosts."jellyfin.s0".locations."/" = { locations."/".proxyPass = "http://vpn.containers:7878";
proxyPass = "http://localhost:8096"; };
proxyWebsockets = true; services.nginx.virtualHosts."lidarr.s0" = {
listen = [{ addr = "0.0.0.0"; port = 8686; } { addr = "0.0.0.0"; port = 80; }];
locations."/".proxyPass = "http://vpn.containers:8686";
};
services.nginx.virtualHosts."sonarr.s0" = {
listen = [{ addr = "0.0.0.0"; port = 8989; } { addr = "0.0.0.0"; port = 80; }];
locations."/".proxyPass = "http://vpn.containers:8989";
};
services.nginx.virtualHosts."prowlarr.s0" = {
listen = [{ addr = "0.0.0.0"; port = 9696; } { addr = "0.0.0.0"; port = 80; }];
locations."/".proxyPass = "http://vpn.containers:9696";
};
services.nginx.virtualHosts."music.s0" = {
listen = [{ addr = "0.0.0.0"; port = 4534; } { addr = "0.0.0.0"; port = 80; }];
locations."/".proxyPass = "http://localhost:4533";
};
services.nginx.virtualHosts."jellyfin.s0" = {
listen = [{ addr = "0.0.0.0"; port = 8097; } { addr = "0.0.0.0"; port = 80; }];
locations."/" = {
proxyPass = "http://localhost:8096";
proxyWebsockets = true;
};
}; };
services.nginx.virtualHosts."jellyfin.neet.cloud".locations."/" = { services.nginx.virtualHosts."jellyfin.neet.cloud".locations."/" = {
proxyPass = "http://localhost:8096"; proxyPass = "http://localhost:8096";
proxyWebsockets = true; proxyWebsockets = true;
}; };
services.nginx.virtualHosts."transmission.s0".locations."/" = { services.nginx.virtualHosts."transmission.s0" = {
proxyPass = "http://vpn.containers:9091"; listen = [{ addr = "0.0.0.0"; port = 9091; } { addr = "0.0.0.0"; port = 80; }];
proxyWebsockets = true; locations."/" = {
proxyPass = "http://vpn.containers:9091";
proxyWebsockets = true;
};
}; };
networking.firewall.allowedTCPPorts = [
6767
7878
8686
8989
9696
4534
8097
9091
8443 # unifi
];
virtualisation.oci-containers.backend = "podman";
virtualisation.podman.dockerSocket.enable = true; # TODO needed?
services.dashy = {
enable = true;
configFile = ./dashy.yaml;
};
services.unifi = {
enable = true;
openFirewall = true;
unifiPackage = pkgs.unifi8;
};
boot.binfmt.emulatedSystems = [ "aarch64-linux" "armv7l-linux" ];
services.atticd.enable = true;
} }

18
machines/storage/s0/hardware-configuration.nix
View File

@@ -7,7 +7,7 @@
]; ];
# boot # boot
efi.enable = true; boot.loader.systemd-boot.enable = true;
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "uas" "sd_mod" "rtsx_pci_sdmmc" ]; boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "uas" "sd_mod" "rtsx_pci_sdmmc" ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
@@ -31,18 +31,14 @@
boot.initrd.luks.devices."enc-pv4".device = "/dev/disk/by-uuid/e2c7402a-e72c-4c4a-998f-82e4c10187bc"; boot.initrd.luks.devices."enc-pv4".device = "/dev/disk/by-uuid/e2c7402a-e72c-4c4a-998f-82e4c10187bc";
# mounts # mounts
services.zfs.autoScrub.enable = true;
services.zfs.trim.enable = true;
fileSystems."/" = fileSystems."/" =
{ {
device = "rpool/nixos/root"; device = "rpool/nixos/root";
fsType = "zfs"; fsType = "zfs";
options = [ "zfsutil" "X-mount.mkdir" ]; options = [ "zfsutil" "X-mount.mkdir" ];
}; };
fileSystems."/home" =
{
device = "rpool/nixos/home";
fsType = "zfs";
options = [ "zfsutil" "X-mount.mkdir" ];
};
fileSystems."/var/lib" = fileSystems."/var/lib" =
{ {
device = "rpool/nixos/var/lib"; device = "rpool/nixos/var/lib";
@@ -55,13 +51,6 @@
fsType = "zfs"; fsType = "zfs";
options = [ "zfsutil" "X-mount.mkdir" ]; options = [ "zfsutil" "X-mount.mkdir" ];
}; };
fileSystems."/data" =
{
device = "rpool/nixos/data";
fsType = "zfs";
options = [ "zfsutil" "X-mount.mkdir" ];
};
fileSystems."/boot" = fileSystems."/boot" =
{ {
device = "/dev/disk/by-uuid/4FB4-738E"; device = "/dev/disk/by-uuid/4FB4-738E";
@@ -70,6 +59,7 @@
swapDevices = [ ]; swapDevices = [ ];
networking.interfaces.eth0.useDHCP = true; networking.interfaces.eth0.useDHCP = true;
networking.interfaces.eth1.useDHCP = true;
powerManagement.cpuFreqGovernor = "powersave"; powerManagement.cpuFreqGovernor = "powersave";
} }

188
machines/storage/s0/home-automation.nix Normal file
View File

@@ -0,0 +1,188 @@
{ config, lib, pkgs, ... }:
let
frigateHostname = "frigate.s0";
frigatePort = 61617;
mkEsp32Cam = address: {
ffmpeg = {
input_args = "";
inputs = [{
path = address;
roles = [ "detect" "record" ];
}];
output_args.record = "-f segment -pix_fmt yuv420p -segment_time 10 -segment_format mp4 -reset_timestamps 1 -strftime 1 -c:v libx264 -preset ultrafast -an ";
};
rtmp.enabled = false;
snapshots = {
enabled = true;
bounding_box = true;
};
record = {
enabled = true;
retain.days = 10; # Keep video for 10 days
events.retain = {
default = 30; # Keep video with detections for 30 days
mode = "active_objects";
};
};
detect = {
enabled = true;
width = 800;
height = 600;
fps = 10;
};
objects = {
track = [ "person" ];
};
};
in
{
networking.firewall.allowedTCPPorts = [
# 1883 # mqtt
55834 # mqtt zigbee frontend
frigatePort
4180 # oauth proxy
];
services.frigate = {
enable = true;
hostname = frigateHostname;
settings = {
mqtt = {
enabled = true;
host = "localhost:1883";
};
cameras = {
dahlia-cam = mkEsp32Cam "http://dahlia-cam.lan:8080";
};
# ffmpeg = {
# hwaccel_args = "preset-vaapi";
# };
detectors.coral = {
type = "edgetpu";
device = "pci";
};
};
};
# AMD GPU for vaapi
systemd.services.frigate.environment.LIBVA_DRIVER_NAME = "radeonsi";
# Coral TPU for frigate
services.udev.packages = [ pkgs.libedgetpu ];
users.groups.apex = { };
systemd.services.frigate.environment.LD_LIBRARY_PATH = "${pkgs.libedgetpu}/lib";
systemd.services.frigate.serviceConfig = {
SupplementaryGroups = "apex";
};
# Coral PCIe driver
kernel.enableGasketKernelModule = true;
# Allow accessing frigate UI on a specific port in addition to by hostname
services.nginx.virtualHosts.${frigateHostname} = {
listen = [{ addr = "0.0.0.0"; port = frigatePort; } { addr = "0.0.0.0"; port = 80; }];
};
services.esphome = {
enable = true;
address = "0.0.0.0";
openFirewall = true;
};
# TODO remove after upgrading nixos version
systemd.services.esphome.serviceConfig.ProcSubset = lib.mkForce "all";
systemd.services.esphome.serviceConfig.ProtectHostname = lib.mkForce false;
systemd.services.esphome.serviceConfig.ProtectKernelLogs = lib.mkForce false;
systemd.services.esphome.serviceConfig.ProtectKernelTunables = lib.mkForce false;
# TODO lock down
services.mosquitto = {
enable = true;
listeners = [
{
acl = [ "pattern readwrite #" ];
omitPasswordAuth = true;
settings.allow_anonymous = true;
}
];
};
services.zigbee2mqtt = {
enable = true;
settings = {
homeassistant = true;
permit_join = false;
serial = {
port = "/dev/ttyACM0";
};
mqtt = {
server = "mqtt://localhost:1883";
# base_topic = "zigbee2mqtt";
};
frontend = {
host = "0.0.0.0";
port = 55834;
};
};
};
services.home-assistant = {
enable = true;
openFirewall = true;
configWritable = true;
extraComponents = [
"esphome"
"met"
"radio_browser"
"wled"
"mqtt"
];
# config = null;
config = {
# Includes dependencies for a basic setup
# https://www.home-assistant.io/integrations/default_config/
default_config = { };
};
};
# TODO need services.oauth2-proxy.cookie.domain ?
services.oauth2-proxy =
let
nextcloudServer = "https://neet.cloud/";
in
{
enable = true;
httpAddress = "http://0.0.0.0:4180";
nginx.domain = frigateHostname;
# nginx.virtualHosts = [
# frigateHostname
# ];
email.domains = [ "*" ];
cookie.secure = false;
provider = "nextcloud";
# redirectURL = "http://s0:4180/oauth2/callback"; # todo forward with nginx?
clientID = "4FfhEB2DNzUh6wWhXTjqQQKu3Ibm6TeYpS8TqcHe55PJC1DorE7vBZBELMKDjJ0X";
keyFile = "/run/agenix/oauth2-proxy-env";
loginURL = "${nextcloudServer}/index.php/apps/oauth2/authorize";
redeemURL = "${nextcloudServer}/index.php/apps/oauth2/api/v1/token";
validateURL = "${nextcloudServer}/ocs/v2.php/cloud/user?format=json";
# todo --cookie-refresh
extraConfig = {
# cookie-csrf-per-request = true;
# cookie-csrf-expire = "5m";
# user-id-claim = "preferred_username";
};
};
age.secrets.oauth2-proxy-env.file = ../../../secrets/oauth2-proxy-env.age;
}

2
machines/storage/s0/properties.nix
View File

@@ -9,6 +9,8 @@
"storage" "storage"
"server" "server"
"pia" "pia"
"binary-cache"
"gitea-actions-runner"
]; ];
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q"; hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";

109
machines/zoidberg/default.nix Normal file
View File

@@ -0,0 +1,109 @@
{ config, pkgs, lib, ... }:
{
imports = [
./hardware-configuration.nix
];
de.enable = true;
# Login DE Option: Steam
programs.steam.gamescopeSession.enable = true;
# programs.gamescope.capSysNice = true;
# Login DE Option: Kodi
services.xserver.desktopManager.kodi.enable = true;
services.xserver.desktopManager.kodi.package =
(
pkgs.kodi.passthru.withPackages (kodiPackages: with kodiPackages; [
jellyfin
joystick
])
);
services.mount-samba.enable = true;
# Login DE Option: RetroArch
services.xserver.desktopManager.retroarch.enable = true;
services.xserver.desktopManager.retroarch.package = pkgs.retroarchFull;
# wireless xbox controller support
hardware.xone.enable = true;
boot.kernelModules = [ "xone-wired" "xone-dongle" ];
hardware.enableRedistributableFirmware = true;
hardware.enableAllFirmware = true;
# ROCm
hardware.opengl.extraPackages = with pkgs; [
rocm-opencl-icd
rocm-opencl-runtime
];
systemd.tmpfiles.rules = [
"L+ /opt/rocm/hip - - - - ${pkgs.rocmPackages.clr}"
];
# System wide barrier instance
# systemd.services.barrier-sddm = {
# description = "Barrier mouse/keyboard share";
# requires = [ "display-manager.service" ];
# after = [ "network.target" "display-manager.service" ];
# wantedBy = [ "multi-user.target" ];
# serviceConfig = {
# Restart = "always";
# RestartSec = 10;
# # todo use user/group
# };
# path = with pkgs; [ barrier doas ];
# script = ''
# # Wait for file to show up. "display-manager.service" finishes a bit too soon
# while ! [ -e /run/sddm/* ]; do sleep 1; done;
# export XAUTHORITY=$(ls /run/sddm/*)
# # Disable crypto is fine because tailscale is E2E encrypting better than barrier could anyway
# barrierc -f --disable-crypto --name zoidberg ray.koi-bebop.ts.net
# '';
# };
# Login into X11 plasma so barrier works well
services.displayManager.defaultSession = "plasma";
users.users.cris = {
isNormalUser = true;
hashedPassword = "$y$j9T$LMGwHVauFWAcAyWSSmcuS/$BQpDyjDHZZbvj54.ijvNb03tr7IgX9wcjYCuCxjSqf6";
uid = 1001;
packages = with pkgs; [
maestral
maestral-gui
] ++ config.users.users.googlebot.packages;
};
# Dr. John A. Zoidberg
users.users.john = {
isNormalUser = true;
inherit (config.users.users.googlebot) hashedPassword packages;
uid = 1002;
};
# Auto login into Plasma in john zoidberg account
services.displayManager.sddm.settings = {
Autologin = {
Session = "plasma";
User = "john";
};
};
environment.systemPackages = with pkgs; [
jellyfin-media-player
config.services.xserver.desktopManager.kodi.package
spotify
retroarchFull
];
# Command and Conquer Ports
networking.firewall.allowedUDPPorts = [ 4321 27900 ];
networking.firewall.allowedTCPPorts = [ 6667 28910 29900 29920 ];
nixpkgs.config.rocmSupport = true;
services.ollama = {
enable = true;
acceleration = "rocm";
};
}

46
machines/zoidberg/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,46 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
# boot
boot.loader.systemd-boot.enable = true;
boot.loader.timeout = lib.mkForce 15;
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
# kernel
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot.kernelPackages = pkgs.linuxPackages_latest;
# disks
remoteLuksUnlock.enable = true;
boot.initrd.luks.devices."enc-pv" = {
device = "/dev/disk/by-uuid/04231c41-2f13-49c0-8fce-0357eea67990";
allowDiscards = true;
# Fetch key from USB drive
keyFileSize = 4096;
keyFile = "/dev/disk/by-id/usb-Mass_Storage_Device_121220160204-0:0-part2";
fallbackToPassword = true;
};
fileSystems."/" =
{
device = "/dev/disk/by-uuid/39ee326c-a42f-49f3-84d9-f10091a903cd";
fsType = "btrfs";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/954B-AB3E";
fsType = "vfat";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/44e36954-9f1c-49ae-af07-72b240f93a95"; }];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

14
machines/zoidberg/properties.nix Normal file
View File

@@ -0,0 +1,14 @@
{
hostNames = [
"zoidberg"
];
arch = "x86_64-linux";
systemRoles = [
"personal"
"media-center"
];
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvdC1EiLqSNVmk5L1p7cWRIrrlelbK+NMj6tEBrwqIq";
}

39
overlays/actualbudget/default.nix Normal file
View File

@@ -0,0 +1,39 @@
{ lib
, buildNpmPackage
, fetchFromGitHub
, python3
, nodejs
, runtimeShell
}:
buildNpmPackage rec {
pname = "actual-server";
version = "24.3.0";
src = fetchFromGitHub {
owner = "actualbudget";
repo = pname;
rev = "refs/tags/v${version}";
hash = "sha256-y51Dhdn84AWR/gM4LnAzvBIBpvKwUiclnPnwzkRoJ0I=";
};
npmDepsHash = "sha256-/UM2Tz8t4hi621HtXSu0LTDIzZ9SWMqKXqKfPwkdpE8=";
patches = [
./migrations-should-use-pkg-path.patch
];
postPatch = ''
cp ${./package-lock.json} package-lock.json
'';
dontNpmBuild = true;
postInstall = ''
mkdir -p $out/bin
cat <<EOF > $out/bin/actual-server
#!${runtimeShell}
exec ${nodejs}/bin/node $out/lib/node_modules/actual-sync/app.js "\$@"
EOF
chmod +x $out/bin/actual-server
'';
}

47
overlays/actualbudget/migrations-should-use-pkg-path.patch Normal file
View File

@@ -0,0 +1,47 @@
diff --git a/src/load-config.js b/src/load-config.js
index d3cc5dd..cfcad8a 100644
--- a/src/load-config.js
+++ b/src/load-config.js
@@ -3,7 +3,8 @@ import path from 'node:path';
import { fileURLToPath } from 'node:url';
import createDebug from 'debug';
-const debug = createDebug('actual:config');
+// const debug = createDebug('actual:config');
+const debug = console.log;
const debugSensitive = createDebug('actual-sensitive:config');
const projectRoot = path.dirname(path.dirname(fileURLToPath(import.meta.url)));
@@ -90,6 +91,7 @@ const finalConfig = {
serverFiles: process.env.ACTUAL_SERVER_FILES || config.serverFiles,
userFiles: process.env.ACTUAL_USER_FILES || config.userFiles,
webRoot: process.env.ACTUAL_WEB_ROOT || config.webRoot,
+ dataDir: process.env.ACTUAL_DATA_DIR || config.dataDir,
https:
process.env.ACTUAL_HTTPS_KEY && process.env.ACTUAL_HTTPS_CERT
? {
diff --git a/src/migrations.js b/src/migrations.js
index 964e1f2..3a341d7 100644
--- a/src/migrations.js
+++ b/src/migrations.js
@@ -1,6 +1,12 @@
import migrate from 'migrate';
import path from 'node:path';
import config from './load-config.js';
+import { fileURLToPath } from 'url';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+const appRoot = path.dirname(__dirname);
+const migrationsDirectory = path.join(appRoot, "migrations");
export default function run(direction = 'up') {
console.log(
@@ -13,6 +19,7 @@ export default function run(direction = 'up') {
stateStore: `${path.join(config.dataDir, '.migrate')}${
config.mode === 'test' ? '-test' : ''
}`,
+ migrationsDirectory,
},
(err, set) => {
if (err) {

8807
overlays/actualbudget/package-lock.json generated Normal file
View File

File diff suppressed because it is too large Load Diff

22
overlays/default.nix Normal file
View File

@@ -0,0 +1,22 @@
{ inputs }:
final: prev:
let
system = prev.system;
frigatePkgs = inputs.nixpkgs-frigate.legacyPackages.${system};
in
{
# It seems that libedgetpu needs to be built with the newer version of tensorflow in nixpkgs
# but I am lazy so I instead just downgrade by using the old nixpkgs
libedgetpu = frigatePkgs.callPackage ./libedgetpu { };
frigate = frigatePkgs.frigate;
actual-server = prev.callPackage ./actualbudget { };
unifi8 = prev.unifi.overrideAttrs (oldAttrs: rec {
version = "8.1.113";
src = prev.fetchurl {
url = "https://dl.ui.com/unifi/8.1.113/unifi_sysvinit_all.deb";
sha256 = "1knm+l8MSb7XKq2WIbehAnz7loRPjgnc+R98zpWKEAE=";
};
});
}

19
overlays/kernel-modules/default.nix Normal file
View File

@@ -0,0 +1,19 @@
{ config, lib, ... }:
# Adds additional kernel modules to the nixos system
# Not actually an overlay but a module. Has to be this way because kernel
# modules are tightly coupled to the kernel version they were built against.
# https://nixos.wiki/wiki/Linux_kernel
let
cfg = config.kernel;
gasket = config.boot.kernelPackages.callPackage ./gasket.nix { };
in
{
options.kernel.enableGasketKernelModule = lib.mkEnableOption "Enable Gasket Kernel Module";
config = lib.mkIf cfg.enableGasketKernelModule {
boot.extraModulePackages = [ gasket ];
};
}

36
overlays/kernel-modules/gasket.nix Normal file
View File

@@ -0,0 +1,36 @@
{ stdenv, lib, fetchFromGitHub, kernel }:
stdenv.mkDerivation rec {
pname = "gasket";
version = "1.0-18-unstable-2023-09-05";
src = fetchFromGitHub {
owner = "google";
repo = "gasket-driver";
rev = "5815ee3908a46a415aac616ac7b9aedcb98a504c";
sha256 = "sha256-O17+msok1fY5tdX1DvqYVw6plkUDF25i8sqwd6mxYf8=";
};
makeFlags = kernel.makeFlags ++ [
"-C"
"${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
"M=$(PWD)"
];
buildFlags = [ "modules" ];
installFlags = [ "INSTALL_MOD_PATH=${placeholder "out"}" ];
installTargets = [ "modules_install" ];
sourceRoot = "${src.name}/src";
hardeningDisable = [ "pic" "format" ];
nativeBuildInputs = kernel.moduleBuildDependencies;
meta = with lib; {
description = "The Coral Gasket Driver allows usage of the Coral EdgeTPU on Linux systems.";
homepage = "https://github.com/google/gasket-driver";
license = licenses.gpl2;
maintainers = [ lib.maintainers.kylehendricks ];
platforms = platforms.linux;
broken = versionOlder kernel.version "5.15";
};
}

72
overlays/libedgetpu/default.nix Normal file
View File

@@ -0,0 +1,72 @@
{ stdenv
, lib
, fetchFromGitHub
, libusb1
, abseil-cpp
, flatbuffers
, xxd
}:
let
flatbuffers_1_12 = flatbuffers.overrideAttrs (oldAttrs: rec {
version = "1.12.0";
NIX_CFLAGS_COMPILE = "-Wno-error=class-memaccess -Wno-error=maybe-uninitialized";
cmakeFlags = (oldAttrs.cmakeFlags or [ ]) ++ [ "-DFLATBUFFERS_BUILD_SHAREDLIB=ON" ];
NIX_CXXSTDLIB_COMPILE = "-std=c++17";
configureFlags = (oldAttrs.configureFlags or [ ]) ++ [ "--enable-shared" ];
src = fetchFromGitHub {
owner = "google";
repo = "flatbuffers";
rev = "v${version}";
sha256 = "sha256-L1B5Y/c897Jg9fGwT2J3+vaXsZ+lfXnskp8Gto1p/Tg=";
};
});
in
stdenv.mkDerivation rec {
pname = "libedgetpu";
version = "grouper";
src = fetchFromGitHub {
owner = "google-coral";
repo = pname;
rev = "release-${version}";
sha256 = "sha256-73hwItimf88Iqnb40lk4ul/PzmCNIfdt6Afi+xjNiBE=";
};
patches = [ ./libedgetpu-stddef.diff ];
makeFlags = [ "-f" "makefile_build/Makefile" "libedgetpu" ];
buildInputs = [
libusb1
abseil-cpp
flatbuffers_1_12
];
nativeBuildInputs = [
xxd
];
NIX_CXXSTDLIB_COMPILE = "-std=c++17";
TFROOT = "${fetchFromGitHub {
owner = "tensorflow";
repo = "tensorflow";
rev = "v2.7.4";
sha256 = "sha256-liDbUAdaVllB0b74aBeqNxkYNu/zPy7k3CevzRF5dk0=";
}}";
enableParallelBuilding = false;
installPhase = ''
mkdir -p $out/lib
cp out/direct/k8/libedgetpu.so.1.0 $out/lib
ln -s $out/lib/libedgetpu.so.1.0 $out/lib/libedgetpu.so.1
mkdir -p $out/lib/udev/rules.d
cp debian/edgetpu-accelerator.rules $out/lib/udev/rules.d/99-edgetpu-accelerator.rules
# PCIe rule
echo 'SUBSYSTEM=="apex", MODE="0660", GROUP="apex"' > $out/lib/udev/rules.d/65-apex.rules
'';
}

12
overlays/libedgetpu/libedgetpu-stddef.diff Normal file
View File

@@ -0,0 +1,12 @@
diff --git a/api/allocated_buffer.h b/api/allocated_buffer.h
index 97740f0..7bc0547 100644
--- a/api/allocated_buffer.h
+++ b/api/allocated_buffer.h
@@ -16,6 +16,7 @@
#define DARWINN_API_ALLOCATED_BUFFER_H_
#include <functional>
+#include <cstddef>
namespace platforms {
namespace darwinn {

13
patches/gamepadui.patch Normal file
View File

@@ -0,0 +1,13 @@
diff --git a/nixos/modules/programs/steam.nix b/nixos/modules/programs/steam.nix
index 29c449c16946..f6c728eb7f0c 100644
--- a/nixos/modules/programs/steam.nix
+++ b/nixos/modules/programs/steam.nix
@@ -11,7 +11,7 @@ let
in
pkgs.writeShellScriptBin "steam-gamescope" ''
${builtins.concatStringsSep "\n" exports}
- gamescope --steam ${builtins.toString cfg.gamescopeSession.args} -- steam -tenfoot -pipewire-dmabuf
+ gamescope --steam ${builtins.toString cfg.gamescopeSession.args} -- steam -gamepadui -steamdeck -pipewire-dmabuf &> /tmp/steamlog
'';
gamescopeSessionFile =

8
secrets/atticd-credentials.age Normal file
View File

@@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 hPp1nw tMy5kLAcQD62yAfEVJ4LQZjs0kkEEQOfM4HN9yj3hBY
JvlklGTxxfAZbP+alm3nxLxqhmcu2mTKwRU5WaapL9w
-> ssh-ed25519 w3nu8g ZGzufldXq7kmIpqFecbkpDxiykWZ207k0+09I2dmxEM
SK25e5HBe4b5reGXXfCjIFbFGzfu32RFjY++/yteRVc
--- xZOe1syYAcVRDhiNRv+CsfFgoQbiANA6vNCon+5NExc
ñ1Å,C-.M§Áè?ÐêóµµàY|u+
³Ø<C2B3>÷ŽæÒ¡ôm†Œûäfß]=érøÜüÎAg¤€æSú:Ð8•S¦LiœùªsêÁâ9JŠð<>¸ÏæñÄÐÃ<ûAz¹[ý§xï<78>:‡'U*<2A>wÀ™D/…±VpM~!õ,* ¿”µ¡øk¥Ö´ßEíîïh {¢p$¾R`ÿ

BIN
secrets/backblaze-s3-backups.age
View File

Binary file not shown.

10
secrets/cris-hashed-email-pw.age Normal file
View File

@@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 6AT2/g WZ9p/pCsEDpKbgGDLcTtisn25kExQX9iv+tL3wyPwiY
vom2z9QRIQSFB0+4/7lSWUEB0eoAG+08nXgiUg/OSX4
-> ssh-ed25519 w3nu8g ECLZwCRJVJqyUMf70EOl2/3ExTruKaxCSQlY5fBZqxk
VemnmGpzx1VprkybW1hPlkfmiDaNcBDoEzX0mDZgmu0
-> ssh-ed25519 dMQYog QiPsbFE8MtXnRNBwkUEC+6grqXEbDstEtxYR8uJks2w
O3JWQGppFeZEd6o3W0KVTEIyNVGeLxKfTYTlgsAEVHQ
--- RncZzBFEyMAkpZRWrPORA0DPHuCTNswmWG5CMNnfm4A
ñ/¼ÔËõôŒ8nàÅ¥«¸7hîtä?T˜=%zˆ°[¤ÝØ!(…uÔdÇuò@
×¢EbƒyŽ¦ù¦D=Ü!„XþtÞÔ:#¦þþãÞXÈX@ú_M

11
secrets/gitea-actions-runner-token.age Normal file
View File

@@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 WBT1Hw PbGwwDeulHF6kdh073rq0RvD1hlx6spnKNgKU+QeDAw
7dITwSQ2p1LZuaVEzLxcGOhB97MQT2zGoRrnNUMcOFk
-> ssh-ed25519 hPp1nw Dn+5Fpme+JmRZKkCkqtCuD87p+sDYDA6OZ2aUmBkCRs
Dgg3orXF4RYT/fHtc2tRuIhOQu48zICMqgPyV47vpf4
-> ssh-ed25519 w3nu8g dghNLDH1Tm+sm42HXDhrLFtmU4iDF1yCGrO2VSgzZjo
71scUVrGr4c4dunAFJYKd+uJ6aYJpSWBAk9swbv+IzM
-> ssh-ed25519 dMQYog Wnl1+rh0Q3YD2s1UD0OYVm39wY/Uw1NRK3K7EFhFMls
wXF6QBonlCalS1vI9cxzWgv1Gi+yAtYn6HrYCfpl5Nw
--- rLOoGk0iX+wuNd1CKv7g2PRd2Ic+8JHCQhrVBaF9zbE
<EFBFBD>òüüˤ/A¦Ì(ØiHC¸@¢Þð‰h`ˆ3ªá´' ¬ÚöáDì>ð¿¤~¸ÿÁö?ÑÃMêÙ@<40>t°(“Ò@ö׿^xÆ}

17
secrets/hashed-email-pw.age
View File

@@ -1,10 +1,9 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 6AT2/g 93Az2iuqeWL6H/S3XDPXFoEPcrY/n/z9mlSNb5wABkU -> ssh-ed25519 6AT2/g 98/m3t8axoVBE6WzdxBtRhV2uSQKSCXwQjyxfWXPmQk
LpMPjpDtBrY2aHpqHwT5AY7vtsYHNcOjpz+LFY4TGCg AxV0FTvqbWfk/gf65d05PcotbEnYr4PgDQnsaYxP/MU
-> ssh-ed25519 dMQYog 4qT0aF1IHsTtN1avMPWYG5Az2xmEZhVUhqcwyNFdfU4 -> ssh-ed25519 w3nu8g jys7B4COD4iINANeSCD3BqGFoghxTmsbuXoOOIiP+wQ
+wD0hE035JqYdDgJmkvNXwJyMzXrquA+RsD8QdK3xP8 b7eSN5fe4szfliINOr7ZQ7AoSsIK5akmIQ6uLDabcIE
-> !vfM7-grease -> ssh-ed25519 dMQYog ToNUqTPYmxpz9OUcC94egELcPfHQHCErfHN6l9kSrRY
7nQGFFUWY9UIjfrb+/VfaG0zJ21zmDnDh5khs/0tioJevrrrlhub9Bz8iM/Jsfxy 2KoSVoWp+FH29YfH57ri2KOvhkuqYew1+PXm99e0BaI
KUhwV8O8tL/5+30RFSlFRaAB6xPCGg24Yq6E --- Cjk3E/MjgCF45aLlFeyoGiaUEZk/QuKtsvPb6GpzD8Q
--- jVsDtz2xpvK/XCHcdN5JVZx5zSxyEAM6D/xJIgN4YfY m°å>‹“~czÆê匦†``ÜÏqX«š'ÁÎ%ôwÔž~×ÄL·eä'a±]û´LÉÀ‰%ÍYTÊÓc9f¡W¶Ã^¤9ÊõÙÝ2®™æ¶ÆBÌa ƒ™
Ñì°ßév.rK,Æ$

20
secrets/hashed-robots-email-pw.age
View File

@@ -1,11 +1,11 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 6AT2/g O0XP3tiD5bv5aFK54eTpo4I6oXHk+P0/zyy5A1GQlwg -> ssh-ed25519 6AT2/g 3E1kcHjq89rNd4NN6n3AcG2f5teA8+Rmt1NXNwatwnk
0D5I+dRmW6Ak7VvQrNDa4NiHgBtD4sAS87U9iXKHrRs trLztKaYvmhNJYiT+SHZipePcZcSCDprNCugSjtVFjs
-> ssh-ed25519 dMQYog pofEwx9ktCWDTYGp/rXwxq1ZkMLaR4q4JTWJxHl6rRw -> ssh-ed25519 w3nu8g bR2A/UCxtD2POHI4Ky/rvfC23ZbGTGnBZc/1XtRq+3s
CoUEZHQaQd4wFi6pcZPZfhPACXI9qgrB1xAuSilGJpI UyX6/DEC9boQb/Ktgw47DzsPo64Tn0LoITax95JdskE
-> /5^-grease e yP^gopW& -> ssh-ed25519 dMQYog haLpVq9+Tq2FytfsXTwLvCk1ZUQsZ4JCiRLPFAb0SCg
8qWOBZeGzhSSfGdjHDOGhs2MoZEQneLFMj8DsBqTrnttzgjtg8VSwuMD2JA3yiA5 vZ5e8P1uEDTVS83MsWwh1j0tON9FeVc5F1O6wzwX5Vw
43u5T24PCzhKor8puT830nMU3HfQ3FA1RtiUpu1FWPA --- ZnZiddI8Uqr7da1gSahlryY004ii9G2mJS8C4u+lv6o
--- gJaY0whK+GQ+F6m3jCfeGkPbJoIkGxmcJ++XVseDeWI
<14>¤ kª†süVûÊ ¹e£g“-}Þ[&`Ú<E0LË÷-gõ_E<5F>W¹?íèJž¸ñ-ɵ#Ý ŽíJÙñZÔõŒ4Š3ñ\÷0ðómÝTúf9žºÛÆ@àÅ©;
ƒ$÷"Ãý|ÕÞÆ^n“ÑàÆÜ ~2Tô± Ì<>6/ ˆjÈO<C388>þõvMŠôé/e¯XÆr~GÚ&oèn;=,îÂÿô½ï2]?j øù©œÉ‰Aúß

14
secrets/hostapd-pw-CXNK00BF9176.age
View File

@@ -1,9 +1,7 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 VyYH/Q X+fXLJz227KkBLu45rb9mUkkIpENSMtZeEJjl6qj5Xw -> ssh-ed25519 w3nu8g ER07FH17Wm9op5F4pCftNK76f+nNjtA6zQc/2dLyAHI
AFAFnvsiogoMMwsAJO0DDoaizL9lmCLsF4QHDjmubr0 nxxq/8tS3ENJhAEIhJCiSi7dV+68AmcEMh9zvZoWpdY
-> ssh-ed25519 dMQYog P84+7TBcMFSALTn6FR/aXyqFE9DfOzp38ImkdWj7nE0 -> ssh-ed25519 dMQYog JelCfh+akP7C/i1kimq3fC5PRQa9gHbmBaOnjKu+PDw
PqOn1OL9Zt0x1pBIYOSKkkS//mbk1OX5pnDGp+OLYeI GVTwo7MzkpCereZRh0HVjGYmtdMY1gHowMZtUQl7XQw
-> @?-grease --- p2l83t3bEdBrrp1ctaqqKhwB4l2McgZqZTtc2SXgd8Q
3JvpmcTxdTgvv6vPL8dXEwjR+g ø±ôeÆd\Yå4lXVF§U©<55>þM||)دÔûú•¶Ü8¿>ëž­%ðóJ$à´Õè
--- aMYF1SbC+p01YWmg24+Ih78VPQcwzGU/P1cEfgRvXV8
Ÿ @$™sžQ¼z<15><>®xkÊNfÛuÕ;§¿ ÎvI0•ªÇÎ^4.?, 8…çî

BIN
secrets/hostapd-pw-experimental-tower.age
View File

Binary file not shown.

17
secrets/iodine.age
View File

@@ -1,10 +1,9 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 6AT2/g yTW46JmDIftcOqogIDjheXJf2sw/dG2WEJxfCXU/LDk -> ssh-ed25519 6AT2/g Knb25oYknkiXyMqVBR3T0sFSO4hDjWUTq3xIml/b4ig
0Co5/Rn22kmdcPr61ZOrmZJbPFHx2wJ8/YkbDjcjqKo n7xamnrZ+SCWiKqniF3r2JvH4G8q2pJaHzF0riNEDf4
-> ssh-ed25519 dMQYog RtZT0PwVL4kxUHilOhH2GBp8Z9WfyBkaxB62pjKpHA4 -> ssh-ed25519 w3nu8g 7+2R5RpLjBf4jjj3S8ibMquUWgRMrifziGQubwuLrhA
muMlIt8VYQftMYacfdnQFeejfWpKTEG5gxbFNy97GTc 3jLCalnbA3Z2jr8Zs+qrpzSoi3Jv6E5OV2binpr3Kk4
-> 4|)`7yq-grease P#\5k8 +f -> ssh-ed25519 dMQYog Nh2e7me0tiG7ZwQK8669VS0LCYFSH+b33I9tr8uI5CY
jMegn6ATsj2Ai9B5Xmy+tay1nppwxvF1IGJH+hLNanYMsTIDZypM6UsNdzYQ/3mw 7Gs1N9eZa1CGR9pczzugHbqnghqevX7kQCOeqR4q0eI
VZ9ooy8TKUgAJ7jsd6IrKw --- OzW+omJsZA/b4DMF4hdQga7JVgiEYluZok3r8JM258I
--- tLaPQWJA0Hh5MrxfhaySURgY02K16IlzvsxKpOWGva0 *³²ÝPŽ†AcèÈ1·@Át¸e÷nf&ù#I7‡a‰Ûâc†ÃÀ<C383>êbDâ~aõ]1w=Á
5?lヌ'シ!ケコ<EFBDB9><EFBDBA>キ匪Nxス+<2B>A9゚ムリl/グ諟ホ|旙<>Sオ&コサ、<>Q;_<>K

BIN
secrets/librechat-env-file.age Normal file
View File

Binary file not shown.

BIN
secrets/nextcloud-pw.age
View File

Binary file not shown.

BIN
secrets/oauth2-proxy-env.age Normal file
View File

Binary file not shown.

20
secrets/pia-login.age
View File

@@ -1,11 +1,11 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 6AT2/g J3H9xUUwUMB7VkHHGtsZaCm/GiyqTFUrEmsuwcrgrhE -> ssh-ed25519 6AT2/g MGKlbzVOk5+czgAOerwl+eIyOifXJm/q4UgQUXVpx1c
tn+zbj5cISZzkUzJcu7JlaqhE4Dr4fhczSJU2kV91AU 43l6s4+5TSMQyO9tAg7v9Y5OdXOjKYz56lbr9Jm2r+o
-> ssh-ed25519 hPp1nw 370YNPQn4mqeHjOvnIXkm+BzbrRNHkFICJaJhHCSHDQ -> ssh-ed25519 hPp1nw aOxni4sFPPgedUkBOuOyEWfFPJrhdTJnivIaWt5RJxM
WLhDRA8jp50aKkY8t9GvyAHoLxYQD2Bhw3y01hwhoOA KNaxijzSMp7EjYKwWiAP66nPYYZK3/VXL8u+3uJt6bg
-> ssh-ed25519 dMQYog 1dwQN8hmbLY54OnRTXtcwAXHoYLLNV0IK/rQQ9ZgV2A -> ssh-ed25519 w3nu8g qTAzEzQbFze35AtbvkYREw3wa7ApDN5u7RSZUXrEpms
gP2HQinVYW72oJRFW69qAeF/iNEEtJqya1iRMOugNKk Dy0uGF458A9RJMvDl2XKOkEABbbRgT+eIgvb6ZOEQqg
-> ~-grease 2%p4s G:$f41y " vZ87PA*| -> ssh-ed25519 dMQYog 5DfYuGeWuN0/CO6WWbFIi7LaKl23FXYVdPROM+TFpCA
+hI029392lrjxlsXUI8opFVcUK+JOjgBYGMH PDBdDn+YUMKYNKFkCEfXesmkB/XUxZRK3ddQt0kqQ7g
--- juX+tgNpNr8it5QnbcBkR9u88vZkC47L5fIlZQNxPYg --- JOeG87EVD+QBx6n+rMoPTOni0PyoG7xx4a2USNiapYI
,J}¸œ}Y§˜B%ˆo~3M×½HÊ—]ºˆû©ðÔ¤žËn0cVs(´;axc#o™Üüv'kˆù#]o<>N`ÆœøÁ´Ì¿<C38C>˜¼û p<>ÒšKàøk†0( Zsý{ÅiÁ_\+ô@@Üò߸ù&_š5­$¿Gt2¢rF“y×ÄQ§Iaž 7ôÙÉzàgf­%O(µÙ,VéÂ}ÿn|û'J¸2ø¨óQÑ B

5
secrets/rekey.sh
View File

@@ -1,5 +0,0 @@
#!/usr/bin/env bash
set -e
agenix -r
git commit . -m "Rekey secrets"

41
secrets/restic-password.age
View File

@@ -1,20 +1,23 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 yHDAQw LyoiocIPWoX81W5lD5OBD5P48QC3CtVHmpATJTfz70Y -> ssh-ed25519 N7drjg Njjfv0Etdr9U27s+wznqw5YmnKcj3lISQ2vudDPj7F0
fnRfSV68RLkMc+W6WX5aqxMQxDz7UviTNQqB5KAtKYs bw3SSPfReGSmJ5tQPv+niYn7USyZZffxvgs3J5VxiWw
-> ssh-ed25519 dMQYog nQ49ARJDvvVmZEQu1YlYKGba5Dh5U4bGKsLAZfPDqUg -> ssh-ed25519 yHDAQw DVlCM84Q1P087cmlS+NzH/i2noLprEbfqSpvFS3Pzig
9Rs0zISa1FDT3ngBBwp5vXi8aR+a/Z+BrGIEKVUJWkQ PooFRhm8ofoTAT1UxJ3Y+0RMqK3CriwqpGrrKGfFYTs
-> ssh-ed25519 fwBF+g Zap6yPIuauggXP00/It4kYJV2G539vUblQsfwgVzVHg -> ssh-ed25519 jQaHAA rfoKG06gXsXPVfNql5Kk5OBebaXsRd4vCirzPB2y0jk
83K5JgUeHjf6lYv8H3YvsbBzrFOgsQyqLVm4h5Be5gE T0xv0iiWSi+FscI/OX6sT137VuiWpAS+P9XsMBT9K7Q
-> ssh-ed25519 6AT2/g 7QlvTxNNubo2dRwVwfjxr+9MOge9XIsrJVLeAtpkewg -> ssh-ed25519 w3nu8g 869dCSpsCphoOPZ0z6rzbI5QKieIA4M9tAyVP40P2hY
lxzXO7PIKNzrKwj0KhyHetavLM3zqjbXu4h/S7tDJns N705ablrfdQWK2aEOFCkmdEQQmwJVcqVXOkhYIp1Z3o
-> ssh-ed25519 VyYH/Q tfgTbXGhdOru7FyVWPVf9tBLcuLZJQWnWZkL8yOjQyg -> ssh-ed25519 dMQYog ry0Qkn4YSLctLRzp1fZQ6EnbeGvv3Gge2UOsYBwbk2A
HIKUKzWhEM0PD+EKpI5asIwQF3Lx8CYeURVce2QAMZU LO1eyrU0rQJdAjZKCBr+WH2EP/juXcS7Iwrl8tZIMOM
-> ssh-ed25519 hPp1nw xHd4/TCZAi/zwSL0fj7FVGHkykKAmvh29tJReIAUDFg -> ssh-ed25519 WBT1Hw NbtlJrLEcf4yO/akQyE7b9TdyM2e6m8Aj9/MzV7SliY
/TrZ77mu8vGmudrrPkDgQPiLr2o84lDrsVgY31xMHUQ JBWsIu/Aycys+uUxC2xSTE2gC0YUpC7Jkkxa0E0TfRI
-> ssh-ed25519 dMQYog 20tuoqjWl4dQBpEKiiSrbEmwW9ZLml3F8MS7riyu1GI -> ssh-ed25519 6AT2/g kvri9lMh7mXuJTFh15sRPhkz8+75i2YYcdZL12cLPnI
I/jrnGVCw37hxoKnf/yGPlvGlXPXy+c1sz1ouY44KF8 hsJETu9Xhbfhzzf6Z3YIKFLGN+Eczgn8EqEBPQl7a1s
-> 0UxZ/o4-grease V+d -> ssh-ed25519 hPp1nw sJtNVroSF/uQNwvnbLE8vXw+1e4LMu3Gurm+KM+0IwE
VgDtDiYRn+VzFbhXGHjOTbdN/V/vSW7STbKquW96A68DRzKH6yDn/4Ia4tX469eA wlYZUEnr1Q3TlxUAUrKAMdVWUbVWy+3+q2fw+ssIoFs
y6swdFIvbsPFnldalFKxKhHqjKRSJPLAKeWECe/I -> ssh-ed25519 w3nu8g gA7oDI/02jl+TjMjSUHZqevmHb6gSinWF4KtjDJgFF0
--- ZEnygego6ke0cW4acYxInaRQXXOaKoSNklgTn7KPOfg KDgSWaZi99/PkKT8g5bTVHvu8EVcPBlF79APxeorABM
ZÔPÊ|>ªîÃÆÍË<C38D>+:NdÌñ*Pû¢i+¾¡ä§²çÙ3ôGÛ J´”Ž÷bkc<>ìF<‡Ö0zá€Í½÷<C2BD>`W/2 ƒ<>4¯{O"áüF°jS^f_¸£€ -> ssh-ed25519 dMQYog PDdSuky8g5OoqyF4K5N6SSa3ln6O8vlvL4viGqJ8mUc
LWanrtAIfekuzhr+AGR8e34CD41vPI0BA8YA8YkcyBA
--- LENK2A8P2SxCmpQSI3QNCNz2RDhGwCqLQGybmD73ka8
Ö{¹˜ô'Þú”êã«ŵÔjã.ùÄnG=ñY‰gï•c$T¬

17
secrets/robots-email-pw.age
View File

@@ -1,10 +1,9 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 6AT2/g QHqc7SI3Z2k1atMtYR9aFBJKf0oElbI9dd1vcQbchxg -> ssh-ed25519 6AT2/g bnExFj2dEhR0Jbf5Zs/4MqxIdPjeb1Dc7duQUHKfylw
4bklX308iFaN35PYgA0rqO5ZoXDdgPkB9SO87AgwOwk SV+oJGt24n7CAi4+N9CGZ+SlEgcuAlbLymmmLKffg88
-> ssh-ed25519 dMQYog lF9CFZYQC1ELLuQ1mffIdN6WzHK6/gZzyrv5Ur5my1A -> ssh-ed25519 w3nu8g UO35HobolhH4PRxhGQNxziel7pRhf3VOoGeRbMKH2Fc
4MowtIVjMECAfAKxMxtwVi6kt1h8dLAkYItTeZtzNe8 uphjyV1UmrUxrqMqL6tc3UeFdTILKiVOPVM9uJlUsIU
-> nRNy(o-grease &%h@^ BlVF[M? YjD3^0 |ey -> ssh-ed25519 dMQYog v27Ibyt+wTVR/zh5ZH1xyPbgCsrqGug24eVOJ+KdY3E
atUcl9jHhtLgHLr7qkguIZZtMjbqndHsq1UCkKzl/NhEXmlCp37PKq1vIbF81/Aj I5n+fUhGiHcg0vHTilTszjvFinqCY0ZLcwumiXXwzXE
RG+Cc0A9H5WsJ9OjmyDiU8r4P42fmdd0ocu7nSxMMhUbr1LvcPM+WxUZGPtV3gc --- jo6rKqQQTeJQusZM69EsvJFPCIHRTeN4OL1kwzapaJY
--- LkZ3ouICKivFii191r+z57Ikz2wB8zTcicE3DoVOkPE m¸¡üi=féKúöœ“³·Û ¾¢¬î“9²Íq™²nTôyΤ@23pˆfêwˆ0 t Ε<<3C>ÅE%Á¢ëFIø‹½>#C
žÜòØyäµW_*yÇ6i³¨¼®JZ†£­æƃz÷²Ú<18><>³­NÇG>ŒÏÃÈ!ð‰>²éâ›``Ù•¤ÜéÒJN$ÚHêŸÑyo_×

BIN
secrets/sasl_relay_passwd.age
View File

Binary file not shown.

BIN
secrets/searx.age
View File

Binary file not shown.

18
secrets/secrets.nix
View File

@@ -14,28 +14,38 @@ with roles;
{ {
# email # email
"hashed-email-pw.age".publicKeys = email-server; "hashed-email-pw.age".publicKeys = email-server;
"cris-hashed-email-pw.age".publicKeys = email-server;
"sasl_relay_passwd.age".publicKeys = email-server; "sasl_relay_passwd.age".publicKeys = email-server;
"hashed-robots-email-pw.age".publicKeys = email-server; "hashed-robots-email-pw.age".publicKeys = email-server;
"robots-email-pw.age".publicKeys = gitea; "robots-email-pw.age".publicKeys = gitea;
# nix binary cache
"atticd-credentials.age".publicKeys = binary-cache;
# vpn # vpn
"iodine.age".publicKeys = iodine; "iodine.age".publicKeys = iodine;
"pia-login.age".publicKeys = pia; "pia-login.age".publicKeys = pia;
# cloud # cloud
"nextcloud-pw.age".publicKeys = nextcloud; "nextcloud-pw.age".publicKeys = nextcloud;
"smb-secrets.age".publicKeys = personal; "smb-secrets.age".publicKeys = personal ++ media-center;
"oauth2-proxy-env.age".publicKeys = server;
# services # services
"searx.age".publicKeys = nobody; "searx.age".publicKeys = nobody;
"spotifyd.age".publicKeys = personal;
"wolframalpha.age".publicKeys = dailybot; "wolframalpha.age".publicKeys = dailybot;
# hostapd # hostapd
"hostapd-pw-experimental-tower.age".publicKeys = wireless; "hostapd-pw-experimental-tower.age".publicKeys = nobody;
"hostapd-pw-CXNK00BF9176.age".publicKeys = wireless; "hostapd-pw-CXNK00BF9176.age".publicKeys = nobody;
# backups # backups
"backblaze-s3-backups.age".publicKeys = personal ++ server; "backblaze-s3-backups.age".publicKeys = personal ++ server;
"restic-password.age".publicKeys = personal ++ server; "restic-password.age".publicKeys = personal ++ server;
# gitea actions runner
"gitea-actions-runner-token.age".publicKeys = gitea-actions-runner;
# Librechat
"librechat-env-file.age".publicKeys = librechat;
} }

27
secrets/smb-secrets.age
View File

@@ -1,10 +1,19 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 yHDAQw PhR4X0TShLFSW0ukaV2RhC+aNDc3wUg5KzD4x91K7jI -> ssh-ed25519 N7drjg x2s9QZ7Ijvg4t2peGng9/zX1ZmnGggsvWHJFHEktCgw
oY3NkfLrlYzoj4qV8Y2N+RPUveycUxTn7jX5gtKEaFo o64an6DJ6Be8Jlhzn9ciQTByRAK5f2ckankCRH3y+Uw
-> ssh-ed25519 dMQYog YOOjjLAm6cO6jkfOhqbtb0MiVzML/pm9CVgfdlDmdSk -> ssh-ed25519 yHDAQw HYHo6anhKDnD74ab04Ql4RB8+WBA6EavYASX7532NCE
xnrXzif2IA7Ai1sGkaZKrOxcjMBER5KhsxYd8dk9qgI aTp2V9g18yzUTq1ezqETj6jM2Yb1Bt5+JNkrIDT2Djs
-> rs-grease 6 V\t -> ssh-ed25519 jQaHAA xGKcIQOkO/i4E2ZWZ+O4sAp7ADqCRqfRQHhKQu6yWh4
o8H+k1mjy1DY0YLxaOaYVgZe+bA93TiD1Bz6H7KSxwX+Hsem5ijjSaBiBVvpuQwK RJnqK/t0YQrIej8fRDJGjOtQD7VvgJRfCUWR0/UYcSY
1emVGY1WhOXWc3Zpb7kwohY -> ssh-ed25519 w3nu8g P9DQy19TvDCi3nfOhFj73bNZEtUs1BrLubt5/BtLoU4
--- 1TIT9uR1Plo7w2XEnJSIpmZUF7wfDKCDF2SPCii50iM Sx41bk41dQYa3eoBayUMRIHqMWaRiwXm8BqErDBSbDw
\ùN"åÃÄíñ¨á:ùg´#ߊóù•ˆY½5QåÕ[ÿ¤Å´#\øÈåÇËv #ïÐ!Økp§Bò—åÖ¯<C396>Ö<1E>Ðp Mq³Üäǯ-Úݼ(çߌ)\Æ<><C386>Öô¨ê'1s°G²e^ @Ž~ -> ssh-ed25519 dMQYog OWU92PMFo9tGtlkK9zlmMFhh81TGkYlcX1PrxZl35yc
owDk8wWXETS+iybhTMDmQH+eBuzZRDJIlVGCwu4LqTI
-> ssh-ed25519 jQaHAA MzA8dSYZ/Ysp4ogKEEu84mal8779RgkT4Gy6rBEw+kM
m75x/b83aP5G1vg7EXlcLizcm16fEAUAD+VNcdTMnnQ
-> ssh-ed25519 w3nu8g AAA3Me3KJgLvtQvyxLvlQ7pCnv7w73ja6Z2+3A82eGs
+yCW7qCdjk0fiQJmH8poMoc7APKyX/PY7zZyAG1O+Yg
-> ssh-ed25519 dMQYog Dd8e6srT+EIl2PH0RP1bQVsDx+HCQjhFndx5TFyhfx8
j7Met77pWZzK9cMTt29gWB+d9YFVH5T9qs+ulHS3kAo
--- MgOK/g5hOVkGuUNDBSgVeGc9+ndjxLEA7nKSfLJMr4s
~Ÿ‹¬&”™)<29>ŠG®Ÿ¨‡'UÐÞzc¾uFGì(<ò¯ùçV"ƒÕ3þH0x0$•<>w$Yv O3 "Ï×ðV~ÀŠ¸HÁ~XÛ]GœÆqµ®ã÷œ¢y'ãÓ*Dê±ÏúœÕk#\ðAï<41>5ë{«Fe\~

10
secrets/spotifyd.age
View File

@@ -1,10 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 yHDAQw R1weIMur0s9HsBBwNn+XyBNfAB8CrQf6QEzIJFklcG8
DTK0seypjzSX1B2ce2IWyYwygBeeKlbFpYgzH7i1DHA
-> ssh-ed25519 dMQYog DU9sxA0/cG/O9EG3JYFjL1d2OiqOSZvFjZ1S2zTTWDw
nGlUCvjpUp50ykTIUzSQ19uj2tiVMPo1Ois8xFSWB58
-> z%z.3-grease lF#S
H+5548VgikG9upeHi2GIQ3U71TC0ds+dn8yWOoixHnRhiYZRIhODffjI3D8T18gk
1mjtW+c34E+ALRkSIf5iWwChJxsomS6LiMS3sqtJg4c
--- o2hgAcfMDZyGIehN07CO7OjSCrmwUDRTrwxAKmGcfAY
<<3C>¹ GàÝ<C3A0>Ï0<C38F>

18
secrets/wolframalpha.age
View File

@@ -1,10 +1,10 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 6AT2/g xp04CsJvlYhBZS5W/MSDLWGiNCegAjg4XPv43wU5u0g -> ssh-ed25519 6AT2/g Kw5/he5m/XAJUNv8XEJQU+e+Ou7hCYluMXXWlHiePXY
i6q0YgKOFGaHOKVYMppNtcvjCFfHHqOS9M+oh2mqc1M GkhJOzSlcC9S7bs8FuDNMvMaFU3+fQ5z+o+Pb8wllp8
-> ssh-ed25519 dMQYog Mk90WFb+fYCFV7afu3+VbuAtOlvRAgpJGFGqn4ZWGjE -> ssh-ed25519 w3nu8g fUORtXN1ygOeV42jveCosGXR/Y6R6OG6DK7LPDBEAk8
wHeScgV248lHiL0B/QEraD4QOBudezhJPrppY50u7S8 yFpoasbY/sl6BQp0LVBQnInA4Kxd8A8meEObU1KD108
-> G/9-grease -> ssh-ed25519 dMQYog 75qVEe6/1yOV4DDLAOGaufs3ojx1/Sc1fIQOe+Oirz0
0hCyP7pGu5xkk4eWJTpLWy6f8Zuo8wmgBSNFK7bgzfYdW29mdOrO2Ey3Oa2Gvtji iDFsr6/30AHKH6hUs/WTpHEM8WQ03QMlGbtQkGrnVCU
rze9v27gMUFRXOqPHNmaSjAneCwtcqTMReV+LZr9q9FN6qZnzAE --- islx8t7a6bShXGxvYeDVuUxkmAMtpUfr0Gp7aYrJUkI
--- /SN6cSyrvbDEHTiIvv4MdoVkIjz3yZkvtr2SVBE1rRk 2Ûí4¤†7Õ
=„ñ1fJ…XÍô~ÃÝÆD¬c¹aFâ¨@ݹc=89;¿sôv®Ï ú´‘ ?Õw€À<E282AC>JÁÆØv ¨º9,ËxÅŠò¨‰¦Æ¦ñnäH?>I­

6
update.sh
View File

@@ -1,6 +0,0 @@
#! /usr/bin/env nix-shell
#! nix-shell -i bash -p bash
git pull
nix flake update # intentionally ignore the lockfile
sudo nixos-rebuild switch --flake .