zuckerberg/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Activity

Compare commits

base: zuckerberg:attic
Branches Tags
zuckerberg:master zuckerberg:stage zuckerberg:rpi-hotspot zuckerberg:attic zuckerberg:kexec_luks2 zuckerberg:pia-client
...
compare: zuckerberg:be23526c2c060a9868bed26938a33626890deab6
Branches Tags
zuckerberg:master zuckerberg:stage zuckerberg:rpi-hotspot zuckerberg:attic zuckerberg:kexec_luks2 zuckerberg:pia-client

66 Commits
attic ... be23526c2c

Author SHA1 Message Date
Zuckerberg
be23526c2c Add KeepassXC keys, remove some very old user keys, and rekey
All checks were successful
Check Flake / check-flake (push) Successful in 1m50s
Details
2025-07-16 22:01:33 -07:00
Zuckerberg
e234577268 Disable inactive cache push experiment 2025-07-16 22:00:11 -07:00
Zuckerberg
82b67ed566 Add Whiteboard app to Nextcloud
All checks were successful
Check Flake / check-flake (push) Successful in 2m17s
Details
2025-07-16 20:49:39 -07:00
Zuckerberg
53c2e2222c Move shell aliases 2025-07-16 20:48:26 -07:00
Zuckerberg
846da159d0 Iodine stopped working again 2025-07-16 20:47:49 -07:00
Zuckerberg
a45125421e Add collabora online and move nextcloud domain 2025-07-16 20:46:51 -07:00
Zuckerberg
f4e40955c8 Use upstreamed pcie coral and vaapi frigate configuration
All checks were successful
Check Flake / check-flake (push) Successful in 12m12s
Details
2025-07-13 18:04:36 -07:00
Zuckerberg
af9e462b27 Allow substituters to be offline
Some checks failed
Check Flake / check-flake (push) Has been cancelled
Details
2025-07-13 17:54:32 -07:00
Zuckerberg
2faea9d380 Update nixpkgs and other flake inputs 2025-07-13 17:52:08 -07:00
Zuckerberg
8571922796 Add new helpful utilities 2025-07-12 11:42:40 -07:00
Zuckerberg
131d5e9313 Add rest command for home assistant 2025-07-12 10:50:37 -07:00
Zuckerberg
fe0ce3a245 Get recyclarr initially running 2025-07-12 10:48:13 -07:00
Zuckerberg
7b26cfb4eb update single input cmd 2025-07-12 10:27:09 -07:00
Zuckerberg
1c9fa418b3 Make s0 easier to unlock
All checks were successful
Check Flake / check-flake (push) Successful in 1m25s
Details
2025-03-29 22:52:00 -07:00
Zuckerberg
8c4dc9cb74 Improve usage of roles. It should be much easier to read and use now. 2025-03-29 22:48:14 -07:00
Zuckerberg
1f9fbd87ac Use upstream pykms and Actual Budget. Move Actual to s0. Add automated backups for Actual.
All checks were successful
Check Flake / check-flake (push) Successful in 1m37s
Details
2025-03-29 18:36:13 -07:00
Zuckerberg
23c8076e4d Pinning system nixpkgs is not needed anymore. nixpkgs already does this automatically for flakes.
All checks were successful
Check Flake / check-flake (push) Successful in 1m50s
Details
2025-03-28 21:45:46 -07:00
Zuckerberg
75ae399b5a Update nixpkgs. Move to new dashy service 2025-03-28 21:05:37 -07:00
Zuckerberg
87ddad27a4 Add Home Manager 2025-03-28 20:27:14 -07:00
Zuckerberg
8dd2a00123 Tauri development extensions 2025-03-28 20:24:33 -07:00
Zuckerberg
944a783ff2 Add nix LSPs for development 2025-03-28 20:23:07 -07:00
Zuckerberg
c2cb43fd2c Enable iperf3 server on ponyo 2025-03-28 20:22:14 -07:00
Zuckerberg
02b2fb6309 Disable gc on howl so nix backed projects don't loose their cache 2025-03-28 20:19:15 -07:00
Zuckerberg
b43660aaef Clean up very old unused config 2025-03-28 20:17:54 -07:00
Zuckerberg
567d755850 If machine role is personal set de.enable = true; automatically 2025-03-28 20:16:26 -07:00
Zuckerberg
adc9b9f2b7 Add sandman.s0.neet.dev 2025-03-28 19:39:59 -07:00
Zuckerberg
9181e3bfa3 Update librechat to v0.7.7 2025-03-28 19:38:41 -07:00
Zuckerberg
9845270512 Fix gparted 2025-03-28 19:35:35 -07:00
Zuckerberg
b3b3044690 Downgrade to dailybot to python 3.11
All checks were successful
Check Flake / check-flake (push) Successful in 1m22s
Details
2025-02-18 22:43:47 -08:00
Zuckerberg
fb1970c316 Upgrade librechat
All checks were successful
Check Flake / check-flake (push) Successful in 6m43s
Details
2025-02-17 12:12:46 -08:00
Zuckerberg
34f1edf3b3 Fix s0 setting the incorrect default route by using a static configuration 2025-02-17 12:11:52 -08:00
Zuckerberg
823f0a6ef2 Disable frigate detect for now. It is using excessive CPU 2025-02-17 12:10:59 -08:00
Zuckerberg
00d2ccc684 Fix sound in some games running in wine 2025-02-17 12:09:51 -08:00
Zuckerberg
b2acaff783 Fix pykms by downgrading to python 3.11 2025-02-17 12:09:20 -08:00
Zuckerberg
c51f4ad65b Unlock zoidberg using TPM2
All checks were successful
Check Flake / check-flake (push) Successful in 1m6s
Details
2024-11-21 21:31:19 -08:00
Zuckerberg
eb6a50664c Upgrade NixOS. Use upstream libedgetpu, frigate, and gasket kernel module. Fix services broken by upgrade.
All checks were successful
Check Flake / check-flake (push) Successful in 17m43s
Details
2024-11-19 21:28:56 -08:00
Zuckerberg
89ce0f7fc0 Change Howl's NVMe 2024-11-19 21:08:19 -08:00
Zuckerberg
8ff552818b Rollover digital ocean auth token
All checks were successful
Check Flake / check-flake (push) Successful in 1m13s
Details
2024-10-27 16:41:02 -07:00
Zuckerberg
020689d987 Fix zigbee2mqtt auth 2024-10-27 16:40:47 -07:00
Zuckerberg
9109e356bd Backup vikunja
All checks were successful
Check Flake / check-flake (push) Successful in 2m6s
Details
2024-10-27 16:26:32 -07:00
Zuckerberg
c7d9e84f73 Lock down access to mqtt
All checks were successful
Check Flake / check-flake (push) Successful in 1m6s
Details
2024-10-27 16:15:23 -07:00
Zuckerberg
5b666a0565 Add nextcloud apps
Some checks failed
Check Flake / check-flake (push) Has been cancelled
Details
2024-10-11 21:58:54 -07:00
Zuckerberg
6bc11767ca Update Actual Budget
All checks were successful
Check Flake / check-flake (push) Successful in 2m46s
Details
2024-10-11 21:20:46 -07:00
Zuckerberg
bdd2d9bef9 Update nextcloud 2024-10-11 21:20:18 -07:00
Zuckerberg
5acc8b3fca Block email for ellen@runyan.org
All checks were successful
Check Flake / check-flake (push) Successful in 1m5s
Details
2024-10-10 20:04:50 -07:00
Zuckerberg
1e25d8bb71 Add vikunja
Some checks failed
Check Flake / check-flake (push) Has been cancelled
Details
2024-10-10 20:02:43 -07:00
Zuckerberg
ac1cf1c531 Open up mqtt for valetudo 2024-10-10 20:02:09 -07:00
Zuckerberg
02357198bc Change timezone 2024-10-10 20:01:41 -07:00
Zuckerberg
89b49aafc0 flake.lock: Update
All checks were successful
Check Flake / check-flake (push) Successful in 1h32m23s
Details 
Flake lock file updates:

• Updated input 'agenix':
    'github:ryantm/agenix/c2fc0762bbe8feb06a2e59a364fa81b3a57671c9' (2024-05-24)
  → 'github:ryantm/agenix/f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41' (2024-08-10)
• Updated input 'deploy-rs':
    'github:serokell/deploy-rs/3867348fa92bc892eba5d9ddb2d7a97b9e127a8a' (2024-06-12)
  → 'github:serokell/deploy-rs/aa07eb05537d4cd025e2310397a6adcedfe72c76' (2024-09-27)
• Updated input 'flake-utils':
    'github:numtide/flake-utils/b1d9ab70662946ef0850d488da1c9019f3a9752a' (2024-03-11)
  → 'github:numtide/flake-utils/c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a' (2024-09-17)
• Updated input 'nix-index-database':
    'github:Mic92/nix-index-database/ff80cb4a11bb87f3ce8459be6f16a25ac86eb2ac' (2024-05-27)
  → 'github:Mic92/nix-index-database/5fce10c871bab6d7d5ac9e5e7efbb3a2783f5259' (2024-10-07)
• Updated input 'nixos-hardware':
    'github:NixOS/nixos-hardware/7b49d3967613d9aacac5b340ef158d493906ba79' (2024-06-01)
  → 'github:NixOS/nixos-hardware/b7ca02c7565fbf6d27ff20dd6dbd49c5b82eef28' (2024-10-04)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/805a384895c696f802a9bf5bf4720f37385df547' (2024-05-31)
  → 'github:NixOS/nixpkgs/ecbc1ca8ffd6aea8372ad16be9ebbb39889e55b6' (2024-10-06)
• Updated input 'simple-nixos-mailserver':
    'gitlab:simple-nixos-mailserver/nixos-mailserver/29916981e7b3b5782dc5085ad18490113f8ff63b' (2024-06-11)
  → 'gitlab:simple-nixos-mailserver/nixos-mailserver/af7d3bf5daeba3fc28089b015c0dd43f06b176f2' (2024-08-05)
• Removed input 'simple-nixos-mailserver/utils'
 2024-10-06 20:28:24 -06:00
Zuckerberg
e56271b2c3 Add reverse proxy for valetudo
All checks were successful
Check Flake / check-flake (push) Successful in 1m6s
Details
2024-10-06 19:16:05 -06:00
Zuckerberg
f9ef5e4b89 Clean up 2024-10-06 17:15:25 -06:00
Zuckerberg
e516bd87b5 Fix VLANs 2024-10-06 17:11:58 -06:00
Zuckerberg
7c9c657bd0 Fix audio stuttering in wine/proton 
See: https://old.reddit.com/r/linux_gaming/comments/11yp7ig/pipewire_audio_stuttering_when_playing_games_or/
 2024-10-06 17:07:53 -06:00
Zuckerberg
dff7d65456 vscodium WGSL support 2024-10-06 17:06:28 -06:00
Zuckerberg
d269d2e5a0 Enable wayland support in chromium based apps 2024-07-17 21:42:43 -06:00
Zuckerberg
2527b614e9 vscodium rust dev support 2024-07-17 21:15:33 -06:00
Zuckerberg
528a53a606 Fix chromium acceleration and wayland support 2024-07-17 21:15:02 -06:00
Zuckerberg
66bfc62566 Refactor frigate config to add a bunch of features
All checks were successful
Check Flake / check-flake (push) Successful in 2h20m26s
Details 
- Enable vaapi GPU video encode/decode support
- Use go2rtc. This allows for watching high resolution camera feeds
- Split nix config into pieces that are easier to understand
- Add utilities for easily adding new cameras in the future
- misc changes
 2024-06-30 12:49:26 -06:00
Zuckerberg
91874b9d53 Move frigate into it's own config file 2024-06-30 07:42:23 -06:00
Zuckerberg
50fc0a53d2 Enable more hass integrations 2024-06-29 10:13:46 -06:00
Zuckerberg
0b3322afda First VLAN camera in frigate 2024-06-29 10:13:03 -06:00
Zuckerberg
b32f6fa315 Enable memtest86 2024-06-29 10:12:11 -06:00
Zuckerberg
fe41ffc788 Allow s0 to access VLANs 2024-06-29 10:11:34 -06:00
Zuckerberg
eac443f280 Fix home assisstant
All checks were successful
Check Flake / check-flake (push) Successful in 1m7s
Details
2024-06-21 23:26:30 -06:00
Zuckerberg
d557820d6c Lockdown intranet services behind tailscale 2024-06-21 21:04:49 -06:00
Zuckerberg
4d658e10d3 Make LibreChat's auth sessions last longer 2024-06-21 19:54:47 -06:00
88 changed files with 1533 additions and 10329 deletions
Expand all files Collapse all files

5
Makefile
View File

@@ -25,3 +25,8 @@ clean-old-nixos-profiles:
.PHONY: gc .PHONY: gc
gc: gc:
nix store gc nix store gc
# Update a flake input by name (ex: 'nixpkgs')
.PHONY: update-input
update-input:
nix flake update $(filter-out $@,$(MAKECMDGOALS))

2
README.md
View File

@@ -4,7 +4,7 @@
- `/common` - common configuration imported into all `/machines` - `/common` - common configuration imported into all `/machines`
- `/boot` - config related to bootloaders, cpu microcode, and unlocking LUKS root disks over tor - `/boot` - config related to bootloaders, cpu microcode, and unlocking LUKS root disks over tor
- `/network` - config for tailscale, and NixOS container with automatic vpn tunneling via PIA - `/network` - config for tailscale, and NixOS container with automatic vpn tunneling via PIA
- `/pc` - config that a graphical desktop computer should have. Use `de.enable = true;` to enable everthing. - `/pc` - config that a graphical PC should have. Have the `personal` role set in the machine's `properties.nix` to enable everthing.
- `/server` - config that creates new nixos services or extends existing ones to meet my needs - `/server` - config that creates new nixos services or extends existing ones to meet my needs
- `/machines` - all my NixOS machines along with their machine unique configuration for hardware and services - `/machines` - all my NixOS machines along with their machine unique configuration for hardware and services
- `/kexec` - a special machine for generating minimal kexec images. Does not import `/common` - `/kexec` - a special machine for generating minimal kexec images. Does not import `/common`

7
common/binary-cache.nix
View File

@@ -12,6 +12,13 @@
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU=" "s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU="
]; ];
# Allow substituters to be offline
# This isn't exactly ideal since it would be best if I could set up a system
# so that it is an error if a derivation isn't available for any substituters
# and use this flag as intended for deciding if it should build missing
# derivations locally. See https://github.com/NixOS/nix/issues/6901
fallback = true;
}; };
}; };
} }

9
common/default.nix
View File

@@ -1,4 +1,4 @@
{ config, pkgs, ... }: { config, pkgs, lib, ... }:
{ {
imports = [ imports = [
@@ -20,12 +20,12 @@
system.stateVersion = "23.11"; system.stateVersion = "23.11";
networking.useDHCP = false; networking.useDHCP = lib.mkDefault true;
networking.firewall.enable = true; networking.firewall.enable = true;
networking.firewall.allowPing = true; networking.firewall.allowPing = true;
time.timeZone = "America/Denver"; time.timeZone = "America/Los_Angeles";
i18n = { i18n = {
defaultLocale = "en_US.UTF-8"; defaultLocale = "en_US.UTF-8";
extraLocaleSettings = { extraLocaleSettings = {
@@ -98,4 +98,7 @@
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
security.acme.defaults.email = "zuckerberg@neet.dev"; security.acme.defaults.email = "zuckerberg@neet.dev";
# Enable Desktop Environment if this is a PC (machine role is "personal")
de.enable = lib.mkDefault (config.thisMachine.hasRole."personal");
} }

6
common/flakes.nix
View File

@@ -13,12 +13,6 @@ in
extraOptions = '' extraOptions = ''
experimental-features = nix-command flakes experimental-features = nix-command flakes
''; '';
# pin nixpkgs for system commands such as "nix shell"
registry.nixpkgs.flake = config.inputs.nixpkgs;
# pin system nixpkgs to the same version as the flake input
nixPath = [ "nixpkgs=${config.inputs.nixpkgs}" ];
}; };
}; };
} }

47
common/machine-info/default.nix
View File

@@ -5,20 +5,9 @@
let let
machines = config.machines.hosts; machines = config.machines.hosts;
in
{
imports = [
./ssh.nix
./roles.nix
];
options.machines = { hostOptionsSubmoduleType = lib.types.submodule {
hosts = lib.mkOption {
type = lib.types.attrsOf
(lib.types.submodule {
options = { options = {
hostNames = lib.mkOption { hostNames = lib.mkOption {
type = lib.types.listOf lib.types.str; type = lib.types.listOf lib.types.str;
description = '' description = ''
@@ -26,21 +15,18 @@ in
Used for automatically trusting hosts for ssh connections. Used for automatically trusting hosts for ssh connections.
''; '';
}; };
arch = lib.mkOption { arch = lib.mkOption {
type = lib.types.enum [ "x86_64-linux" "aarch64-linux" ]; type = lib.types.enum [ "x86_64-linux" "aarch64-linux" ];
description = '' description = ''
The architecture of this machine. The architecture of this machine.
''; '';
}; };
systemRoles = lib.mkOption { systemRoles = lib.mkOption {
type = lib.types.listOf lib.types.str; # TODO: maybe use an enum? type = lib.types.listOf lib.types.str; # TODO: maybe use an enum?
description = '' description = ''
The set of roles this machine holds. Affects secrets available. (TODO add service config as well using this info) The set of roles this machine holds. Affects secrets available. (TODO add service config as well using this info)
''; '';
}; };
hostKey = lib.mkOption { hostKey = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = '' description = ''
@@ -48,7 +34,6 @@ in
and for decrypting secrets with agenix. and for decrypting secrets with agenix.
''; '';
}; };
remoteUnlock = lib.mkOption { remoteUnlock = lib.mkOption {
default = null; default = null;
type = lib.types.nullOr (lib.types.submodule { type = lib.types.nullOr (lib.types.submodule {
@@ -80,7 +65,6 @@ in
}; };
}); });
}; };
userKeys = lib.mkOption { userKeys = lib.mkOption {
default = [ ]; default = [ ];
type = lib.types.listOf lib.types.str; type = lib.types.listOf lib.types.str;
@@ -90,7 +74,6 @@ in
TODO: consider auto populating other programs that use ssh keys such as gitea TODO: consider auto populating other programs that use ssh keys such as gitea
''; '';
}; };
deployKeys = lib.mkOption { deployKeys = lib.mkOption {
default = [ ]; default = [ ];
type = lib.types.listOf lib.types.str; type = lib.types.listOf lib.types.str;
@@ -98,17 +81,30 @@ in
The list of deployment keys. Each key here can be used to log into all other systems as `root`. The list of deployment keys. Each key here can be used to log into all other systems as `root`.
''; '';
}; };
configurationPath = lib.mkOption { configurationPath = lib.mkOption {
type = lib.types.path; type = lib.types.path;
description = '' description = ''
The path to this machine's configuration directory. The path to this machine's configuration directory.
''; '';
}; };
};
};
in
{
imports = [
./ssh.nix
./roles.nix
];
options.machines = {
hosts = lib.mkOption {
type = lib.types.attrsOf hostOptionsSubmoduleType;
}; };
});
}; };
options.thisMachine.config = lib.mkOption {
# For ease of use, a direct copy of the host config from machines.hosts.${hostName}
type = hostOptionsSubmoduleType;
}; };
config = { config = {
@@ -196,5 +192,16 @@ in
builtins.map (p: { "${dirName p}" = p; }) propFiles; builtins.map (p: { "${dirName p}" = p; }) propFiles;
in in
properties ../../machines; properties ../../machines;
# Don't try to evaluate "thisMachine" when reflecting using moduleless.nix.
# When evaluated by moduleless.nix this will fail due to networking.hostName not
# existing. This is because moduleless.nix is not intended for reflection from the
# perspective of a perticular machine but is instead intended for reflecting on
# the properties of all machines as a whole system.
thisMachine.config = config.machines.hosts.${config.networking.hostName};
# Add ssh keys from KeepassXC
machines.ssh.userKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILACiZO7QnB4bcmziVaUkUE0ZPMR0M/yJbbHYsHIZz9g" ];
machines.ssh.deployKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID58MvKGs3GDMMcN8Iyi9S59SciSrVM97wKtOvUAl3li" ];
}; };
} }

42
common/machine-info/roles.nix
View File

@@ -1,19 +1,55 @@
{ config, lib, ... }: { config, lib, ... }:
# Maps roles to their hosts # Maps roles to their hosts.
# machines.withRole = {
# personal = [
# "machine1" "machine3"
# ];
# cache = [
# "machine2"
# ];
# };
#
# A list of all possible roles
# machines.allRoles = [
# "personal"
# "cache"
# ];
#
# For each role has true or false if the current machine has that role
# thisMachine.hasRole = {
# personal = true;
# cache = false;
# };
{ {
options.machines.roles = lib.mkOption { options.machines.withRole = lib.mkOption {
type = lib.types.attrsOf (lib.types.listOf lib.types.str); type = lib.types.attrsOf (lib.types.listOf lib.types.str);
}; };
options.machines.allRoles = lib.mkOption {
type = lib.types.listOf lib.types.str;
};
options.thisMachine.hasRole = lib.mkOption {
type = lib.types.attrsOf lib.types.bool;
};
config = { config = {
machines.roles = lib.zipAttrs machines.withRole = lib.zipAttrs
(lib.mapAttrsToList (lib.mapAttrsToList
(host: cfg: (host: cfg:
lib.foldl (lib.mergeAttrs) { } lib.foldl (lib.mergeAttrs) { }
(builtins.map (role: { ${role} = host; }) (builtins.map (role: { ${role} = host; })
cfg.systemRoles)) cfg.systemRoles))
config.machines.hosts); config.machines.hosts);
machines.allRoles = lib.attrNames config.machines.withRole;
thisMachine.hasRole = lib.mapAttrs
(role: cfg:
builtins.elem config.networking.hostName config.machines.withRole.${role}
)
config.machines.withRole;
}; };
} }

2
common/machine-info/ssh.nix
View File

@@ -39,6 +39,6 @@ in
builtins.map builtins.map
(host: machines.hosts.${host}.hostKey) (host: machines.hosts.${host}.hostKey)
hosts) hosts)
machines.roles; machines.withRole;
}; };
} }

4
common/network/pia-wireguard.nix
View File

@@ -151,7 +151,7 @@ in
partOf = [ containerServiceName ]; partOf = [ containerServiceName ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
path = with pkgs; [ wireguard-tools jq curl iproute iputils ]; path = with pkgs; [ wireguard-tools jq curl iproute2 iputils ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
@@ -224,7 +224,7 @@ in
after = [ "network.target" "network-online.target" ]; after = [ "network.target" "network-online.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
path = with pkgs; [ wireguard-tools iproute curl jq iptables ]; path = with pkgs; [ wireguard-tools iproute2 curl jq iptables ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";

20
common/nix-builder.nix
View File

@@ -1,18 +1,14 @@
{ config, lib, ... }: { config, lib, ... }:
let let
builderRole = "nix-builder";
builderUserName = "nix-builder"; builderUserName = "nix-builder";
machinesByRole = role: lib.filterAttrs (hostname: cfg: builtins.elem role cfg.systemRoles) config.machines.hosts; builderRole = "nix-builder";
otherMachinesByRole = role: lib.filterAttrs (hostname: cfg: hostname != config.networking.hostName) (machinesByRole role); builders = config.machines.withRole.${builderRole};
thisMachineHasRole = role: builtins.hasAttr config.networking.hostName (machinesByRole role); thisMachineIsABuilder = config.thisMachine.hasRole.${builderRole};
builders = machinesByRole builderRole;
thisMachineIsABuilder = thisMachineHasRole builderRole;
# builders don't include themselves as a remote builder # builders don't include themselves as a remote builder
otherBuilders = lib.filterAttrs (hostname: cfg: hostname != config.networking.hostName) builders; otherBuilders = lib.filter (hostname: hostname != config.networking.hostName) builders;
in in
lib.mkMerge [ lib.mkMerge [
# configure builder # configure builder
@@ -40,9 +36,9 @@ lib.mkMerge [
nix.distributedBuilds = true; nix.distributedBuilds = true;
nix.buildMachines = builtins.map nix.buildMachines = builtins.map
(builderCfg: { (builderHostname: {
hostName = builtins.elemAt builderCfg.hostNames 0; hostName = builderHostname;
system = builderCfg.arch; system = config.machines.hosts.${builderHostname}.arch;
protocol = "ssh-ng"; protocol = "ssh-ng";
sshUser = builderUserName; sshUser = builderUserName;
sshKey = "/etc/ssh/ssh_host_ed25519_key"; sshKey = "/etc/ssh/ssh_host_ed25519_key";
@@ -50,7 +46,7 @@ lib.mkMerge [
speedFactor = 10; speedFactor = 10;
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
}) })
(builtins.attrValues otherBuilders); otherBuilders;
# It is very likely that the builder's internet is faster or just as fast # It is very likely that the builder's internet is faster or just as fast
nix.extraOptions = '' nix.extraOptions = ''

9
common/pc/audio.nix
View File

@@ -19,6 +19,15 @@ in
jack.enable = true; jack.enable = true;
}; };
services.pipewire.extraConfig.pipewire."92-fix-wine-audio" = {
context.properties = {
default.clock.rate = 48000;
default.clock.quantum = 256;
default.clock.min-quantum = 256;
default.clock.max-quantum = 2048;
};
};
users.users.googlebot.extraGroups = [ "audio" ]; users.users.googlebot.extraGroups = [ "audio" ];
# bt headset support # bt headset support

4
common/pc/chromium.nix
View File

@@ -52,12 +52,12 @@ in
# ungoogled = true; # ungoogled = true;
# --enable-native-gpu-memory-buffers # fails on AMD APU # --enable-native-gpu-memory-buffers # fails on AMD APU
# --enable-webrtc-vp9-support # --enable-webrtc-vp9-support
commandLineArgs = "--use-vulkan --use-gl=desktop --enable-zero-copy --enable-hardware-overlays --enable-features=VaapiVideoDecoder,CanvasOopRasterization --ignore-gpu-blocklist --enable-accelerated-mjpeg-decode --enable-accelerated-video --enable-gpu-rasterization"; commandLineArgs = "--use-vulkan";
}; };
}; };
# todo vulkan in chrome # todo vulkan in chrome
# todo video encoding in chrome # todo video encoding in chrome
hardware.opengl = { hardware.graphics = {
enable = true; enable = true;
extraPackages = with pkgs; [ extraPackages = with pkgs; [
intel-media-driver # LIBVA_DRIVER_NAME=iHD intel-media-driver # LIBVA_DRIVER_NAME=iHD

17
common/pc/default.nix
View File

@@ -6,12 +6,10 @@ in
{ {
imports = [ imports = [
./kde.nix ./kde.nix
# ./xfce.nix
./yubikey.nix ./yubikey.nix
./chromium.nix ./chromium.nix
./firefox.nix ./firefox.nix
./audio.nix ./audio.nix
# ./torbrowser.nix
./pithos.nix ./pithos.nix
./vscodium.nix ./vscodium.nix
./discord.nix ./discord.nix
@@ -27,9 +25,10 @@ in
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
# vulkan environment.systemPackages = with pkgs; [
hardware.opengl.driSupport = true; # https://github.com/NixOS/nixpkgs/pull/328086#issuecomment-2235384618
hardware.opengl.driSupport32Bit = true; gparted
];
# Applications # Applications
users.users.googlebot.packages = with pkgs; [ users.users.googlebot.packages = with pkgs; [
@@ -42,7 +41,6 @@ in
mpv mpv
nextcloud-client nextcloud-client
signal-desktop signal-desktop
gparted
libreoffice-fresh libreoffice-fresh
thunderbird thunderbird
spotify spotify
@@ -56,6 +54,8 @@ in
# For Nix IDE # For Nix IDE
nixpkgs-fmt nixpkgs-fmt
nixd
nil
]; ];
# Networking # Networking
@@ -89,5 +89,10 @@ in
# for luks onlock over tor # for luks onlock over tor
services.tor.enable = true; services.tor.enable = true;
services.tor.client.enable = true; services.tor.client.enable = true;
# Enable wayland support in various chromium based applications
environment.sessionVariables.NIXOS_OZONE_WL = "1";
fonts.packages = with pkgs; [ nerd-fonts.symbols-only ];
}; };
} }

2
common/pc/kde.nix
View File

@@ -14,7 +14,7 @@ in
# akonadi # akonadi
# kmail # kmail
# plasma5Packages.kmail-account-wizard # plasma5Packages.kmail-account-wizard
kate kdePackages.kate
]; ];
}; };
} }

25
common/pc/torbrowser.nix
View File

@@ -1,25 +0,0 @@
{ lib, config, pkgs, ... }:
let
cfg = config.de;
in
{
config = lib.mkIf cfg.enable {
nixpkgs.overlays = [
(self: super: {
tor-browser-bundle-bin = super.tor-browser-bundle-bin.overrideAttrs (old: rec {
version = "10.0.10";
lang = "en-US";
src = pkgs.fetchurl {
url = "https://dist.torproject.org/torbrowser/${version}/tor-browser-linux64-${version}_${lang}.tar.xz";
sha256 = "vYWZ+NsGN8YH5O61+zrUjlFv3rieaBqjBQ+a18sQcZg=";
};
});
})
];
users.users.googlebot.packages = with pkgs; [
tor-browser-bundle-bin
];
};
}

6
common/pc/touchpad.nix
View File

@@ -1,13 +1,9 @@
{ lib, config, pkgs, ... }: { lib, config, pkgs, ... }:
let let
cfg = config.de.touchpad; cfg = config.de;
in in
{ {
options.de.touchpad = {
enable = lib.mkEnableOption "enable touchpad";
};
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services.libinput.enable = true; services.libinput.enable = true;
services.libinput.touchpad.naturalScrolling = true; services.libinput.touchpad.naturalScrolling = true;

15
common/pc/vscodium.nix
View File

@@ -11,6 +11,9 @@ let
golang.go golang.go
jnoortheen.nix-ide jnoortheen.nix-ide
ms-vscode.cpptools ms-vscode.cpptools
rust-lang.rust-analyzer
vadimcn.vscode-lldb
tauri-apps.tauri-vscode
] ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [ ] ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [
{ {
name = "platformio-ide"; name = "platformio-ide";
@@ -18,6 +21,18 @@ let
version = "3.1.1"; version = "3.1.1";
sha256 = "g9yTG3DjVUS2w9eHGAai5LoIfEGus+FPhqDnCi4e90Q="; sha256 = "g9yTG3DjVUS2w9eHGAai5LoIfEGus+FPhqDnCi4e90Q=";
} }
{
name = "wgsl-analyzer";
publisher = "wgsl-analyzer";
version = "0.8.1";
sha256 = "ckclcxdUxhjWlPnDFVleLCWgWxUEENe0V328cjaZv+Y=";
}
{
name = "volar";
publisher = "Vue";
version = "2.2.4";
sha256 = "FHS/LNjSUVfCb4SVF9naR4W0JqycWzSWiK54jfbRagA=";
}
]; ];
vscodium-with-extensions = pkgs.vscode-with-extensions.override { vscodium-with-extensions = pkgs.vscode-with-extensions.override {

23
common/pc/xfce.nix
View File

@@ -1,23 +0,0 @@
{ lib, config, pkgs, ... }:
let
cfg = config.de;
in
{
config = lib.mkIf cfg.enable {
services.xserver = {
enable = true;
desktopManager = {
xterm.enable = false;
xfce.enable = true;
};
displayManager.sddm.enable = true;
};
# xfce apps
# TODO for some reason whiskermenu needs to be global for it to work
environment.systemPackages = with pkgs; [
xfce.xfce4-whiskermenu-plugin
];
};
}

83
common/server/actualbudget.nix
View File

@@ -1,87 +1,16 @@
# Starting point:
# https://github.com/aldoborrero/mynixpkgs/commit/c501c1e32dba8f4462dcecb57eee4b9e52038e27
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
cfg = config.services.actual-server; cfg = config.services.actual;
stateDir = "/var/lib/${cfg.stateDirName}";
in in
{ {
options.services.actual-server = {
enable = lib.mkEnableOption "Actual Server";
hostname = lib.mkOption {
type = lib.types.str;
default = "localhost";
description = "Hostname for the Actual Server.";
};
port = lib.mkOption {
type = lib.types.int;
default = 25448;
description = "Port on which the Actual Server should listen.";
};
stateDirName = lib.mkOption {
type = lib.types.str;
default = "actual-server";
description = "Name of the directory under /var/lib holding the server's data.";
};
upload = {
fileSizeSyncLimitMB = lib.mkOption {
type = lib.types.nullOr lib.types.int;
default = null;
description = "File size limit in MB for synchronized files.";
};
syncEncryptedFileSizeLimitMB = lib.mkOption {
type = lib.types.nullOr lib.types.int;
default = null;
description = "File size limit in MB for synchronized encrypted files.";
};
fileSizeLimitMB = lib.mkOption {
type = lib.types.nullOr lib.types.int;
default = null;
description = "File size limit in MB for file uploads.";
};
};
};
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
systemd.services.actual-server = { services.actual.settings = {
description = "Actual Server"; port = 25448;
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.actual-server}/bin/actual-server";
Restart = "always";
StateDirectory = cfg.stateDirName;
WorkingDirectory = stateDir;
DynamicUser = true;
UMask = "0007";
};
environment = {
NODE_ENV = "production";
ACTUAL_PORT = toString cfg.port;
# Actual is actually very bad at configuring it's own paths despite that information being readily available
ACTUAL_USER_FILES = "${stateDir}/user-files";
ACTUAL_SERVER_FILES = "${stateDir}/server-files";
ACTUAL_DATA_DIR = stateDir;
ACTUAL_UPLOAD_FILE_SYNC_SIZE_LIMIT_MB = toString (cfg.upload.fileSizeSyncLimitMB or "");
ACTUAL_UPLOAD_SYNC_ENCRYPTED_FILE_SIZE_LIMIT_MB = toString (cfg.upload.syncEncryptedFileSizeLimitMB or "");
ACTUAL_UPLOAD_FILE_SIZE_LIMIT_MB = toString (cfg.upload.fileSizeLimitMB or "");
};
}; };
services.nginx.virtualHosts.${cfg.hostname} = { backup.group."actual-budget".paths = [
enableACME = true; "/var/lib/actual"
forceSSL = true; ];
locations."/".proxyPass = "http://localhost:${toString cfg.port}";
};
}; };
} }

53
common/server/dashy.nix
View File

@@ -1,53 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.dashy;
in
{
options.services.dashy = {
enable = mkEnableOption "dashy";
imageTag = mkOption {
type = types.str;
default = "latest";
};
port = mkOption {
type = types.int;
default = 56815;
};
configFile = lib.mkOption {
type = lib.types.path;
description = "Path to the YAML configuration file";
};
};
config = mkIf cfg.enable {
virtualisation.oci-containers.containers = {
dashy = {
image = "lissy93/dashy:${cfg.imageTag}";
environment = {
TZ = "${config.time.timeZone}";
};
ports = [
"127.0.0.1:${toString cfg.port}:80"
];
volumes = [
"${cfg.configFile}:/app/public/conf.yml"
];
};
};
services.nginx.enable = true;
services.nginx.virtualHosts."s0.koi-bebop.ts.net" = {
default = true;
addSSL = true;
serverAliases = [ "s0" ];
sslCertificate = "/secret/ssl/s0.koi-bebop.ts.net.crt";
sslCertificateKey = "/secret/ssl/s0.koi-bebop.ts.net.key";
locations."/" = {
proxyPass = "http://localhost:${toString cfg.port}";
};
};
};
}

4
common/server/default.nix
View File

@@ -10,8 +10,6 @@
./matrix.nix ./matrix.nix
./zerobin.nix ./zerobin.nix
./gitea.nix ./gitea.nix
./privatebin/privatebin.nix
./radio.nix
./samba.nix ./samba.nix
./owncast.nix ./owncast.nix
./mailserver.nix ./mailserver.nix
@@ -19,8 +17,8 @@
./iodine.nix ./iodine.nix
./searx.nix ./searx.nix
./gitea-actions-runner.nix ./gitea-actions-runner.nix
./dashy.nix
./librechat.nix ./librechat.nix
./actualbudget.nix ./actualbudget.nix
./unifi.nix
]; ];
} }

5
common/server/gitea-actions-runner.nix
View File

@@ -9,10 +9,7 @@
# TODO: skipping running inside of nixos container for now because of issues getting docker/podman running # TODO: skipping running inside of nixos container for now because of issues getting docker/podman running
let let
runnerRole = "gitea-actions-runner"; thisMachineIsARunner = config.thisMachine.hasRole."gitea-actions-runner";
runners = config.machines.roles.${runnerRole};
thisMachineIsARunner = builtins.elem config.networking.hostName runners;
containerName = "gitea-runner"; containerName = "gitea-runner";
in in
{ {

2
common/server/gitea.nix
View File

@@ -24,7 +24,7 @@ in
SHOW_FOOTER_VERSION = false; SHOW_FOOTER_VERSION = false;
}; };
ui = { ui = {
DEFAULT_THEME = "arc-green"; DEFAULT_THEME = "gitea-dark";
}; };
service = { service = {
DISABLE_REGISTRATION = true; DISABLE_REGISTRATION = true;

9
common/server/librechat.nix
View File

@@ -21,11 +21,18 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
virtualisation.oci-containers.containers = { virtualisation.oci-containers.containers = {
librechat = { librechat = {
image = "ghcr.io/danny-avila/librechat:v0.6.6"; image = "ghcr.io/danny-avila/librechat:v0.7.7";
environment = { environment = {
HOST = "0.0.0.0"; HOST = "0.0.0.0";
MONGO_URI = "mongodb://host.containers.internal:27017/LibreChat"; MONGO_URI = "mongodb://host.containers.internal:27017/LibreChat";
ENDPOINTS = "openAI,google,bingAI,gptPlugins"; ENDPOINTS = "openAI,google,bingAI,gptPlugins";
OPENAI_MODELS = lib.concatStringsSep "," [
"gpt-4o-mini"
"o3-mini"
"gpt-4o"
"o1"
];
REFRESH_TOKEN_EXPIRY = toString (1000 * 60 * 60 * 24 * 30); # 30 days
}; };
environmentFiles = [ environmentFiles = [
"/run/agenix/librechat-env-file" "/run/agenix/librechat-env-file"

2
common/server/mailserver.nix
View File

@@ -28,7 +28,6 @@ in
indexDir = "/var/lib/mailindex"; indexDir = "/var/lib/mailindex";
enableManageSieve = true; enableManageSieve = true;
fullTextSearch.enable = true; fullTextSearch.enable = true;
fullTextSearch.indexAttachments = true;
fullTextSearch.memoryLimit = 500; fullTextSearch.memoryLimit = 500;
inherit domains; inherit domains;
loginAccounts = { loginAccounts = {
@@ -56,6 +55,7 @@ in
"damon@runyan.org" "damon@runyan.org"
"jonas@runyan.org" "jonas@runyan.org"
"simon@neet.dev" "simon@neet.dev"
"ellen@runyan.org"
]; ];
forwards = { forwards = {
"amazon@runyan.org" = [ "amazon@runyan.org" = [

126
common/server/nextcloud.nix
View File

@@ -3,17 +3,44 @@
let let
cfg = config.services.nextcloud; cfg = config.services.nextcloud;
nextcloudHostname = "runyan.org";
collaboraOnlineHostname = "collabora.runyan.org";
whiteboardHostname = "whiteboard.runyan.org";
whiteboardPort = 3002; # Seems impossible to change
# Hardcoded public ip of ponyo... I wish I didn't need this...
public_ip_address = "147.135.114.130";
in in
{ {
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services.nextcloud = { services.nextcloud = {
https = true; https = true;
package = pkgs.nextcloud29; package = pkgs.nextcloud31;
hostName = "neet.cloud"; hostName = nextcloudHostname;
config.dbtype = "sqlite"; config.dbtype = "sqlite";
config.adminuser = "jeremy"; config.adminuser = "jeremy";
config.adminpassFile = "/run/agenix/nextcloud-pw"; config.adminpassFile = "/run/agenix/nextcloud-pw";
# Apps
autoUpdateApps.enable = true; autoUpdateApps.enable = true;
extraAppsEnable = true;
extraApps = with config.services.nextcloud.package.packages.apps; {
# Want
inherit end_to_end_encryption mail spreed;
# For file and document editing (collabora online and excalidraw)
inherit richdocuments whiteboard;
# Might use
inherit calendar qownnotesapi;
# Try out
# inherit bookmarks cookbook deck memories maps music news notes phonetrack polls forms;
};
# Allows installing Apps from the UI (might remove later)
appstoreEnable = true;
}; };
age.secrets.nextcloud-pw = { age.secrets.nextcloud-pw = {
file = ../../secrets/nextcloud-pw.age; file = ../../secrets/nextcloud-pw.age;
@@ -29,5 +56,100 @@ in
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
}; };
# collabora-online
# https://diogotc.com/blog/collabora-nextcloud-nixos/
services.collabora-online = {
enable = true;
port = 15972;
settings = {
# Rely on reverse proxy for SSL
ssl = {
enable = false;
termination = true;
};
# Listen on loopback interface only
net = {
listen = "loopback";
post_allow.host = [ "localhost" ];
};
# Restrict loading documents from WOPI Host
storage.wopi = {
"@allow" = true;
host = [ config.services.nextcloud.hostName ];
};
server_name = collaboraOnlineHostname;
};
};
services.nginx.virtualHosts.${config.services.collabora-online.settings.server_name} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.collabora-online.port}";
proxyWebsockets = true;
};
};
systemd.services.nextcloud-config-collabora =
let
wopi_url = "http://localhost:${toString config.services.collabora-online.port}";
public_wopi_url = "https://${collaboraOnlineHostname}";
wopi_allowlist = lib.concatStringsSep "," [
"127.0.0.1"
"::1"
public_ip_address
];
in
{
wantedBy = [ "multi-user.target" ];
after = [ "nextcloud-setup.service" "coolwsd.service" ];
requires = [ "coolwsd.service" ];
path = [
config.services.nextcloud.occ
];
script = ''
nextcloud-occ -- config:app:set richdocuments wopi_url --value ${lib.escapeShellArg wopi_url}
nextcloud-occ -- config:app:set richdocuments public_wopi_url --value ${lib.escapeShellArg public_wopi_url}
nextcloud-occ -- config:app:set richdocuments wopi_allowlist --value ${lib.escapeShellArg wopi_allowlist}
nextcloud-occ -- richdocuments:setup
'';
serviceConfig = {
Type = "oneshot";
};
};
# Whiteboard
services.nextcloud-whiteboard-server = {
enable = true;
settings.NEXTCLOUD_URL = "https://${nextcloudHostname}";
secrets = [ "/run/agenix/whiteboard-server-jwt-secret" ];
};
systemd.services.nextcloud-config-whiteboard = {
wantedBy = [ "multi-user.target" ];
after = [ "nextcloud-setup.service" ];
requires = [ "coolwsd.service" ];
path = [
config.services.nextcloud.occ
];
script = ''
nextcloud-occ -- config:app:set whiteboard collabBackendUrl --value="https://${whiteboardHostname}"
nextcloud-occ -- config:app:set whiteboard jwt_secret_key --value="$JWT_SECRET_KEY"
'';
serviceConfig = {
Type = "oneshot";
EnvironmentFile = [ "/run/agenix/whiteboard-server-jwt-secret" ];
};
};
age.secrets.whiteboard-server-jwt-secret.file = ../../secrets/whiteboard-server-jwt-secret.age;
services.nginx.virtualHosts.${whiteboardHostname} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString whiteboardPort}";
proxyWebsockets = true;
};
};
}; };
} }

8
common/server/nginx.nix
View File

@@ -4,6 +4,10 @@ let
cfg = config.services.nginx; cfg = config.services.nginx;
in in
{ {
options.services.nginx = {
openFirewall = lib.mkEnableOption "Open firewall ports 80 and 443";
};
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services.nginx = { services.nginx = {
recommendedGzipSettings = true; recommendedGzipSettings = true;
@@ -12,6 +16,8 @@ in
recommendedTlsSettings = true; recommendedTlsSettings = true;
}; };
networking.firewall.allowedTCPPorts = [ 80 443 ]; services.nginx.openFirewall = lib.mkDefault true;
networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ 80 443 ];
}; };
} }

42
common/server/privatebin/conf.php
View File

@@ -1,42 +0,0 @@
;<?php http_response_code(403); /*
[main]
name = "Kode Paste"
discussion = false
opendiscussion = false
password = true
fileupload = false
burnafterreadingselected = false
defaultformatter = "plaintext"
sizelimit = 10485760
template = "bootstrap"
languageselection = false
[expire]
default = "1week"
[expire_options]
5min = 300
10min = 600
1hour = 3600
1day = 86400
1week = 604800
[formatter_options]
plaintext = "Plain Text"
syntaxhighlighting = "Source Code"
markdown = "Markdown"
[traffic]
limit = 10
dir = "/var/lib/privatebin"
[purge]
limit = 300
batchsize = 10
dir = "/var/lib/privatebin"
[model]
class = Filesystem
[model_options]
dir = "/var/lib/privatebin"

74
common/server/privatebin/privatebin.nix
View File

@@ -1,74 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.privatebin;
privateBinSrc = pkgs.stdenv.mkDerivation {
name = "privatebin";
src = pkgs.fetchFromGitHub {
owner = "privatebin";
repo = "privatebin";
rev = "d65bf02d7819a530c3c2a88f6f9947651fe5258d";
sha256 = "7ttAvEDL1ab0cUZcqZzXFkXwB2rF2t4eNpPxt48ap94=";
};
installPhase = ''
cp -ar $src $out
'';
};
in
{
options.services.privatebin = {
enable = lib.mkEnableOption "enable privatebin";
host = lib.mkOption {
type = lib.types.str;
example = "example.com";
};
};
config = lib.mkIf cfg.enable {
users.users.privatebin = {
description = "privatebin service user";
group = "privatebin";
isSystemUser = true;
};
users.groups.privatebin = { };
services.nginx.enable = true;
services.nginx.virtualHosts.${cfg.host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
root = privateBinSrc;
index = "index.php";
};
locations."~ \.php$" = {
root = privateBinSrc;
extraConfig = ''
fastcgi_pass unix:${config.services.phpfpm.pools.privatebin.socket};
fastcgi_index index.php;
'';
};
};
systemd.tmpfiles.rules = [
"d '/var/lib/privatebin' 0750 privatebin privatebin - -"
];
services.phpfpm.pools.privatebin = {
user = "privatebin";
group = "privatebin";
phpEnv = {
CONFIG_PATH = "${./conf.php}";
};
settings = {
pm = "dynamic";
"listen.owner" = config.services.nginx.user;
"pm.max_children" = 5;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 1;
"pm.max_spare_servers" = 3;
"pm.max_requests" = 500;
};
};
};
}

75
common/server/radio.nix
View File

@@ -1,75 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.radio;
radioPackage = config.inputs.radio.packages.${config.currentSystem}.radio;
in
{
options.services.radio = {
enable = lib.mkEnableOption "enable radio";
user = lib.mkOption {
type = lib.types.str;
default = "radio";
description = ''
The user radio should run as
'';
};
group = lib.mkOption {
type = lib.types.str;
default = "radio";
description = ''
The group radio should run as
'';
};
dataDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/radio";
description = ''
Path to the radio data directory
'';
};
host = lib.mkOption {
type = lib.types.str;
description = ''
Domain radio is hosted on
'';
};
nginx = lib.mkEnableOption "enable nginx";
};
config = lib.mkIf cfg.enable {
services.icecast = {
enable = true;
hostname = cfg.host;
mount = "stream.mp3";
fallback = "fallback.mp3";
};
services.nginx.virtualHosts.${cfg.host} = lib.mkIf cfg.nginx {
enableACME = true;
forceSSL = true;
locations."/".root = config.inputs.radio-web;
};
users.users.${cfg.user} = {
isSystemUser = true;
group = cfg.group;
home = cfg.dataDir;
createHome = true;
};
users.groups.${cfg.group} = { };
systemd.services.radio = {
enable = true;
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = "${radioPackage}/bin/radio ${config.services.icecast.listen.address}:${toString config.services.icecast.listen.port} ${config.services.icecast.mount} 5500";
serviceConfig.User = cfg.user;
serviceConfig.Group = cfg.group;
serviceConfig.WorkingDirectory = cfg.dataDir;
preStart = ''
mkdir -p ${cfg.dataDir}
chown ${cfg.user} ${cfg.dataDir}
'';
};
};
}

38
common/server/samba.nix
View File

@@ -5,30 +5,28 @@
services.samba = { services.samba = {
openFirewall = true; openFirewall = true;
package = pkgs.sambaFull; # printer sharing package = pkgs.sambaFull; # printer sharing
securityType = "user";
# should this be on? # should this be on?
nsswins = true; nsswins = true;
extraConfig = '' settings = {
workgroup = HOME global = {
server string = smbnix security = "user";
netbios name = smbnix workgroup = "HOME";
security = user "server string" = "smbnix";
use sendfile = yes "netbios name" = "smbnix";
min protocol = smb2 "use sendfile" = "yes";
guest account = nobody "min protocol" = "smb2";
map to guest = bad user "guest account" = "nobody";
"map to guest" = "bad user";
# printing # printing
load printers = yes "load printers" = "yes";
printing = cups printing = "cups";
printcap name = cups "printcap name" = "cups";
hide files = /.nobackup/.DS_Store/._.DS_Store/ "hide files" = "/.nobackup/.DS_Store/._.DS_Store/";
''; };
shares = {
public = { public = {
path = "/data/samba/Public"; path = "/data/samba/Public";
browseable = "yes"; browseable = "yes";
@@ -77,9 +75,9 @@
# backups # backups
backup.group."samba".paths = [ backup.group."samba".paths = [
config.services.samba.shares.googlebot.path config.services.samba.settings.googlebot.path
config.services.samba.shares.cris.path config.services.samba.settings.cris.path
config.services.samba.shares.public.path config.services.samba.settings.public.path
]; ];
# Windows discovery of samba server # Windows discovery of samba server

26
common/server/unifi.nix Normal file
View File

@@ -0,0 +1,26 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.unifi;
in
{
options.services.unifi = {
# Open select Unifi ports instead of using openFirewall to avoid opening access to unifi's control panel
openMinimalFirewall = lib.mkEnableOption "Open bare minimum firewall ports";
};
config = lib.mkIf cfg.enable {
services.unifi.unifiPackage = pkgs.unifi;
services.unifi.mongodbPackage = pkgs.mongodb-7_0;
networking.firewall = lib.mkIf cfg.openMinimalFirewall {
allowedUDPPorts = [
3478 # STUN
10001 # used for device discovery.
];
allowedTCPPorts = [
8080 # Used for device and application communication.
];
};
};
}

2
common/shell.nix
View File

@@ -21,8 +21,6 @@
shellInit = '' shellInit = ''
# disable annoying fish shell greeting # disable annoying fish shell greeting
set fish_greeting set fish_greeting
alias sudo="doas"
''; '';
}; };

2
common/ssh.nix
View File

@@ -31,8 +31,6 @@
# TODO: Old ssh keys I will remove some day... # TODO: Old ssh keys I will remove some day...
machines.ssh.userKeys = [ machines.ssh.userKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVR/R3ZOsv7TZbICGBCHdjh1NDT8SnswUyINeJOC7QG"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dcqL/FhHmv+a1iz3f9LJ48xubO7MZHy35rW9SZOYM"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHSkKiRUUmnErOKGx81nyge/9KqjkPh8BfDk0D3oP586" # nat "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHSkKiRUUmnErOKGx81nyge/9KqjkPh8BfDk0D3oP586" # nat
]; ];
} }

195
flake.lock generated
View File

@@ -3,7 +3,9 @@
"agenix": { "agenix": {
"inputs": { "inputs": {
"darwin": "darwin", "darwin": "darwin",
"home-manager": "home-manager", "home-manager": [
"home-manager"
],
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
@@ -12,11 +14,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1716561646, "lastModified": 1750173260,
"narHash": "sha256-UIGtLO89RxKt7RF2iEgPikSdU53r6v/6WYB0RW3k89I=", "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "c2fc0762bbe8feb06a2e59a364fa81b3a57671c9", "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -51,11 +53,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1651719222, "lastModified": 1739947126,
"narHash": "sha256-p/GY5vOP+HUlxNL4OtEhmBNEVQsedOHXEmjfCGONVmE=", "narHash": "sha256-JoiddH5H9up8jC/VKU8M7wDlk/bstKoJ3rHj+TkW4Zo=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "1290ddd9a2ff2bf2d0f702750768312b80efcd34", "rev": "ea1ad60f1c6662103ef4a3705d8e15aa01219529",
"revCount": 19, "revCount": 20,
"type": "git", "type": "git",
"url": "https://git.neet.dev/zuckerberg/dailybot.git" "url": "https://git.neet.dev/zuckerberg/dailybot.git"
}, },
@@ -72,11 +74,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1700795494, "lastModified": 1744478979,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
"owner": "lnl7", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -99,11 +101,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1718194053, "lastModified": 1749105467,
"narHash": "sha256-FaGrf7qwZ99ehPJCAwgvNY5sLCqQ3GDiE/6uLhxxwSY=", "narHash": "sha256-hXh76y/wDl15almBcqvjryB50B0BaiXJKk20f314RoE=",
"owner": "serokell", "owner": "serokell",
"repo": "deploy-rs", "repo": "deploy-rs",
"rev": "3867348fa92bc892eba5d9ddb2d7a97b9e127a8a", "rev": "6bc76b872374845ba9d645a2f012b764fecd765f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -115,11 +117,11 @@
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1696426674, "lastModified": 1747046372,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -135,11 +137,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1710146030, "lastModified": 1731533236,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -148,23 +150,71 @@
"type": "github" "type": "github"
} }
}, },
"home-manager": { "git-hooks": {
"inputs": { "inputs": {
"flake-compat": [
"simple-nixos-mailserver",
"flake-compat"
],
"gitignore": "gitignore",
"nixpkgs": [ "nixpkgs": [
"agenix", "simple-nixos-mailserver",
"nixpkgs" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1703113217, "lastModified": 1750779888,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"simple-nixos-mailserver",
"git-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1752208517,
"narHash": "sha256-aRY1cYOdVdXdNjcL/Twpa27CknO7pVHxooPsBizDraE=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", "rev": "c6a01e54af81b381695db796a43360bf6db5702f",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "release-25.05",
"repo": "home-manager", "repo": "home-manager",
"type": "github" "type": "github"
} }
@@ -176,11 +226,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1716772633, "lastModified": 1752346111,
"narHash": "sha256-Idcye44UW+EgjbjCoklf2IDF+XrehV6CVYvxR1omst4=", "narHash": "sha256-SVxCIYnbED0rNYSpm3QQoOhqxYRp1GuE9FkyM5Y2afs=",
"owner": "Mic92", "owner": "Mic92",
"repo": "nix-index-database", "repo": "nix-index-database",
"rev": "ff80cb4a11bb87f3ce8459be6f16a25ac86eb2ac", "rev": "deff7a9a0aa98a08d8c7839fe2658199ce9828f8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -191,11 +241,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1717248095, "lastModified": 1752048960,
"narHash": "sha256-e8X2eWjAHJQT82AAN+mCI0B68cIDBJpqJ156+VRrFO0=", "narHash": "sha256-gATnkOe37eeVwKKYCsL+OnS2gU4MmLuZFzzWCtaKLI8=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "7b49d3967613d9aacac5b340ef158d493906ba79", "rev": "7ced9122cff2163c6a0212b8d1ec8c33a1660806",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -207,77 +257,20 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1717144377, "lastModified": 1752431364,
"narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=", "narHash": "sha256-ciGIXIMq2daX5o4Tn6pnZTd1pf5FICHbqUlHu658G9c=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "805a384895c696f802a9bf5bf4720f37385df547", "rev": "fb0f0dbfd95f0e19fdeab8e0f18bf0b5cf057b68",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-24.05", "ref": "release-25.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-frigate": {
"locked": {
"lastModified": 1695825837,
"narHash": "sha256-4Ne11kNRnQsmSJCRSSNkFRSnHC4Y5gPDBIQGjjPfJiU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "5cfafa12d57374f48bcc36fda3274ada276cf69e",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "5cfafa12d57374f48bcc36fda3274ada276cf69e",
"type": "github"
}
},
"radio": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1631585589,
"narHash": "sha256-q4o/4/2pEuJyaKZwNQC5KHnzG1obClzFB7zWk9XSDfY=",
"ref": "main",
"rev": "5bf607fed977d41a269942a7d1e92f3e6d4f2473",
"revCount": 38,
"type": "git",
"url": "https://git.neet.dev/zuckerberg/radio.git"
},
"original": {
"ref": "main",
"rev": "5bf607fed977d41a269942a7d1e92f3e6d4f2473",
"type": "git",
"url": "https://git.neet.dev/zuckerberg/radio.git"
}
},
"radio-web": {
"flake": false,
"locked": {
"lastModified": 1652121792,
"narHash": "sha256-j1Y9MAjUVNgyFSeGzPoqibAnEysJDjZSXukVfQ7+bsQ=",
"ref": "refs/heads/master",
"rev": "72e7a9e80b780c84ed8d4a6374bfbb242701f900",
"revCount": 5,
"type": "git",
"url": "https://git.neet.dev/zuckerberg/radio-web.git"
},
"original": {
"type": "git",
"url": "https://git.neet.dev/zuckerberg/radio-web.git"
}
},
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
@@ -285,12 +278,10 @@
"deploy-rs": "deploy-rs", "deploy-rs": "deploy-rs",
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"home-manager": "home-manager",
"nix-index-database": "nix-index-database", "nix-index-database": "nix-index-database",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-frigate": "nixpkgs-frigate",
"radio": "radio",
"radio-web": "radio-web",
"simple-nixos-mailserver": "simple-nixos-mailserver", "simple-nixos-mailserver": "simple-nixos-mailserver",
"systems": "systems" "systems": "systems"
} }
@@ -301,27 +292,25 @@
"flake-compat": [ "flake-compat": [
"flake-compat" "flake-compat"
], ],
"git-hooks": "git-hooks",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"nixpkgs-24_05": [ "nixpkgs-25_05": [
"nixpkgs" "nixpkgs"
],
"utils": [
"flake-utils"
] ]
}, },
"locked": { "locked": {
"lastModified": 1718084203, "lastModified": 1747965231,
"narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=", "narHash": "sha256-BW3ktviEhfCN/z3+kEyzpDKAI8qFTwO7+S0NVA0C90o=",
"owner": "simple-nixos-mailserver", "owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver", "repo": "nixos-mailserver",
"rev": "29916981e7b3b5782dc5085ad18490113f8ff63b", "rev": "53007af63fade28853408370c4c600a63dd97f41",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
"owner": "simple-nixos-mailserver", "owner": "simple-nixos-mailserver",
"ref": "master", "ref": "nixos-25.05",
"repo": "nixos-mailserver", "repo": "nixos-mailserver",
"type": "gitlab" "type": "gitlab"
} }

42
flake.nix
View File

@@ -1,8 +1,7 @@
{ {
inputs = { inputs = {
# nixpkgs # nixpkgs
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05"; nixpkgs.url = "github:NixOS/nixpkgs/release-25.05";
nixpkgs-frigate.url = "github:NixOS/nixpkgs/5cfafa12d57374f48bcc36fda3274ada276cf69e";
# Common Utils Among flake inputs # Common Utils Among flake inputs
systems.url = "github:nix-systems/default"; systems.url = "github:nix-systems/default";
@@ -18,14 +17,19 @@
# NixOS hardware # NixOS hardware
nixos-hardware.url = "github:NixOS/nixos-hardware/master"; nixos-hardware.url = "github:NixOS/nixos-hardware/master";
# Home Manager
home-manager = {
url = "github:nix-community/home-manager/release-25.05";
inputs.nixpkgs.follows = "nixpkgs";
};
# Mail Server # Mail Server
simple-nixos-mailserver = { simple-nixos-mailserver = {
url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master"; url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-25.05";
inputs = { inputs = {
nixpkgs.follows = "nixpkgs"; nixpkgs.follows = "nixpkgs";
nixpkgs-24_05.follows = "nixpkgs"; nixpkgs-25_05.follows = "nixpkgs";
flake-compat.follows = "flake-compat"; flake-compat.follows = "flake-compat";
utils.follows = "flake-utils";
}; };
}; };
@@ -35,22 +39,10 @@
inputs = { inputs = {
nixpkgs.follows = "nixpkgs"; nixpkgs.follows = "nixpkgs";
systems.follows = "systems"; systems.follows = "systems";
home-manager.follows = "home-manager";
}; };
}; };
# Radio
radio = {
url = "git+https://git.neet.dev/zuckerberg/radio.git?ref=main&rev=5bf607fed977d41a269942a7d1e92f3e6d4f2473";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-utils.follows = "flake-utils";
};
};
radio-web = {
url = "git+https://git.neet.dev/zuckerberg/radio-web.git";
flake = false;
};
# Dailybot # Dailybot
dailybuild_modules = { dailybuild_modules = {
url = "git+https://git.neet.dev/zuckerberg/dailybot.git"; url = "git+https://git.neet.dev/zuckerberg/dailybot.git";
@@ -79,7 +71,7 @@
outputs = { self, nixpkgs, ... }@inputs: outputs = { self, nixpkgs, ... }@inputs:
let let
machines = (import ./common/machine-info/moduleless.nix machineHosts = (import ./common/machine-info/moduleless.nix
{ {
inherit nixpkgs; inherit nixpkgs;
assertionsModule = "${nixpkgs}/nixos/modules/misc/assertions.nix"; assertionsModule = "${nixpkgs}/nixos/modules/misc/assertions.nix";
@@ -94,6 +86,7 @@
agenix.nixosModules.default agenix.nixosModules.default
dailybuild_modules.nixosModule dailybuild_modules.nixosModule
nix-index-database.nixosModules.nix-index nix-index-database.nixosModules.nix-index
home-manager.nixosModules.home-manager
self.nixosModules.kernel-modules self.nixosModules.kernel-modules
({ lib, ... }: { ({ lib, ... }: {
config = { config = {
@@ -104,6 +97,10 @@
]; ];
networking.hostName = hostname; networking.hostName = hostname;
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users.googlebot = import ./home/googlebot.nix;
}; };
# because nixos specialArgs doesn't work for containers... need to pass in inputs a different way # because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
@@ -121,7 +118,8 @@
name = "nixpkgs-patched"; name = "nixpkgs-patched";
src = nixpkgs; src = nixpkgs;
patches = [ patches = [
./patches/gamepadui.patch # ./patches/gamepadui.patch
./patches/dont-break-nix-serve.patch
]; ];
}; };
patchedNixpkgs = nixpkgs.lib.fix (self: (import "${patchedNixpkgsSrc}/flake.nix").outputs { self = nixpkgs; }); patchedNixpkgs = nixpkgs.lib.fix (self: (import "${patchedNixpkgsSrc}/flake.nix").outputs { self = nixpkgs; });
@@ -141,7 +139,7 @@
nixpkgs.lib.mapAttrs nixpkgs.lib.mapAttrs
(hostname: cfg: (hostname: cfg:
mkSystem cfg.arch nixpkgs cfg.configurationPath hostname) mkSystem cfg.arch nixpkgs cfg.configurationPath hostname)
machines; machineHosts;
packages = packages =
let let
@@ -178,7 +176,7 @@
nixpkgs.lib.mapAttrs nixpkgs.lib.mapAttrs
(hostname: cfg: (hostname: cfg:
mkDeploy hostname cfg.arch (builtins.head cfg.hostNames)) mkDeploy hostname cfg.arch (builtins.head cfg.hostNames))
machines; machineHosts;
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib; checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;

119
home/googlebot.nix Normal file
View File

@@ -0,0 +1,119 @@
{ config, lib, pkgs, osConfig, ... }:
let
# Check if the current machine has the role "personal"
thisMachineIsPersonal = osConfig.thisMachine.hasRole."personal";
in
{
home.username = "googlebot";
home.homeDirectory = "/home/googlebot";
home.stateVersion = "24.11";
programs.home-manager.enable = true;
services.ssh-agent.enable = true;
# System Monitoring
programs.btop.enable = true;
programs.bottom.enable = true;
# Modern "ls" replacement
programs.pls.enable = true;
programs.pls.enableFishIntegration = true;
programs.eza.enable = true;
# Graphical terminal
programs.ghostty.enable = thisMachineIsPersonal;
# Advanced terminal file explorer
programs.broot.enable = true;
# Shell promt theming
programs.fish.enable = true;
programs.starship.enable = true;
programs.starship.enableFishIntegration = true;
programs.starship.enableInteractive = true;
# programs.oh-my-posh.enable = true;
# programs.oh-my-posh.enableFishIntegration = true;
# Advanced search
programs.ripgrep.enable = true;
# tldr: Simplified, example based and community-driven man pages.
programs.tealdeer.enable = true;
home.shellAliases = {
sudo = "doas";
ls2 = "eza";
explorer = "broot";
};
programs.zed-editor = {
enable = thisMachineIsPersonal;
extensions = [
"nix"
"toml"
"html"
"make"
"git-firefly"
"vue"
"scss"
];
userSettings = {
assistant = {
enabled = true;
version = "2";
default_model = {
provider = "openai";
model = "gpt-4-turbo";
};
};
features = {
edit_prediction_provider = "zed";
};
node = {
path = lib.getExe pkgs.nodejs;
npm_path = lib.getExe' pkgs.nodejs "npm";
};
auto_update = false;
terminal = {
blinking = "off";
copy_on_select = false;
};
lsp = {
rust-analyzer = {
# binary = {
# path = lib.getExe pkgs.rust-analyzer;
# };
binary = {
path = "/run/current-system/sw/bin/nix";
arguments = [ "develop" "--command" "rust-analyzer" ];
};
initialization_options = {
cargo = {
features = "all";
};
};
};
};
# tell zed to use direnv and direnv can use a flake.nix enviroment.
load_direnv = "shell_hook";
base_keymap = "VSCode";
theme = {
mode = "system";
light = "One Light";
dark = "Andrometa";
};
ui_font_size = 12;
buffer_font_size = 12;
};
};
}

4
machines/ephemeral/kexec.nix
View File

@@ -29,10 +29,10 @@
text = '' text = ''
#!${pkgs.stdenv.shell} #!${pkgs.stdenv.shell}
set -e set -e
${pkgs.kexectools}/bin/kexec -l ${image}/kernel --initrd=${image}/initrd --append="init=${builtins.unsafeDiscardStringContext config.system.build.toplevel}/init ${toString config.boot.kernelParams}" ${pkgs.kexec-tools}/bin/kexec -l ${image}/kernel --initrd=${image}/initrd --append="init=${builtins.unsafeDiscardStringContext config.system.build.toplevel}/init ${toString config.boot.kernelParams}"
sync sync
echo "executing kernel, filesystems will be improperly umounted" echo "executing kernel, filesystems will be improperly umounted"
${pkgs.kexectools}/bin/kexec -e ${pkgs.kexec-tools}/bin/kexec -e
''; '';
}; };
kexec_tarball = pkgs.callPackage (modulesPath + "/../lib/make-system-tarball.nix") { kexec_tarball = pkgs.callPackage (modulesPath + "/../lib/make-system-tarball.nix") {

3
machines/howl/default.nix
View File

@@ -8,6 +8,5 @@
# don't use remote builders # don't use remote builders
nix.distributedBuilds = lib.mkForce false; nix.distributedBuilds = lib.mkForce false;
de.enable = true; nix.gc.automatic = lib.mkForce false;
de.touchpad.enable = true;
} }

10
machines/howl/hardware-configuration.nix
View File

@@ -6,7 +6,7 @@
nixos-hardware.nixosModules.framework-13-7040-amd nixos-hardware.nixosModules.framework-13-7040-amd
]; ];
boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelPackages = pkgs.linuxPackages_6_14;
hardware.framework.amd-7040.preventWakeOnAC = true; hardware.framework.amd-7040.preventWakeOnAC = true;
services.fwupd.enable = true; services.fwupd.enable = true;
@@ -30,22 +30,22 @@
# disks # disks
remoteLuksUnlock.enable = true; remoteLuksUnlock.enable = true;
boot.initrd.luks.devices."enc-pv" = { boot.initrd.luks.devices."enc-pv" = {
device = "/dev/disk/by-uuid/c801586b-f0a2-465c-8dae-532e61b83fee"; device = "/dev/disk/by-uuid/2e4a6960-a6b1-40ee-9c2c-2766eb718d52";
allowDiscards = true; allowDiscards = true;
}; };
fileSystems."/" = fileSystems."/" =
{ {
device = "/dev/disk/by-uuid/95db6950-a7bc-46cf-9765-3ea675ccf014"; device = "/dev/disk/by-uuid/1f62386c-3243-49f5-b72f-df8fc8f39db8";
fsType = "btrfs"; fsType = "btrfs";
}; };
fileSystems."/boot" = fileSystems."/boot" =
{ {
device = "/dev/disk/by-uuid/B087-2C20"; device = "/dev/disk/by-uuid/F4D9-C5E8";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ]; options = [ "fmask=0022" "dmask=0022" ];
}; };
swapDevices = swapDevices =
[{ device = "/dev/disk/by-uuid/49fbdf62-eef4-421b-aac3-c93494afd23c"; }]; [{ device = "/dev/disk/by-uuid/5f65cb11-2649-48fe-9c78-3e325b857c53"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's

4
machines/howl/properties.nix
View File

@@ -15,10 +15,6 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPnLt84bKhUgFxjQf10+Htro9Lo1Pabqm8mGalBUniv" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPnLt84bKhUgFxjQf10+Htro9Lo1Pabqm8mGalBUniv"
]; ];
deployKeys = [
# TODO
];
remoteUnlock = { remoteUnlock = {
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN0N80r0Sl2WlJaUqfxZPkOtYyGumFazkIqq7eq3Gd2o"; hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN0N80r0Sl2WlJaUqfxZPkOtYyGumFazkIqq7eq3Gd2o";
onionHost = "ll6yjnkh4psmfwmtkmqoutl4gq4elqzbmjxv4s6gpgoavyi3kwhjvnqd.onion"; onionHost = "ll6yjnkh4psmfwmtkmqoutl4gq4elqzbmjxv4s6gpgoavyi3kwhjvnqd.onion";

3
machines/nat/configuration.nix
View File

@@ -9,7 +9,4 @@
networking.hostName = "nat"; networking.hostName = "nat";
networking.interfaces.ens160.useDHCP = true; networking.interfaces.ens160.useDHCP = true;
de.enable = true;
de.touchpad.enable = true;
} }

61
machines/ponyo/default.nix
View File

@@ -10,6 +10,8 @@
# p2p mesh network # p2p mesh network
services.tailscale.exitNode = true; services.tailscale.exitNode = true;
services.iperf3.enable = true;
# email server # email server
mailserver.enable = true; mailserver.enable = true;
@@ -54,44 +56,6 @@
config.services.drastikbot.dataDir config.services.drastikbot.dataDir
]; ];
# music radio
vpn-container.enable = true;
vpn-container.config = {
services.radio = {
enable = true;
host = "radio.runyan.org";
};
};
pia.wireguard.badPortForwardPorts = [ ];
services.nginx.virtualHosts = {
"radio.runyan.org" = {
enableACME = true;
forceSSL = true;
locations = {
"/stream.mp3" = {
proxyPass = "http://vpn.containers:8001/stream.mp3";
extraConfig = ''
add_header Access-Control-Allow-Origin *;
'';
};
"/".root = config.inputs.radio-web;
};
};
"radio.neet.space" = {
enableACME = true;
forceSSL = true;
locations = {
"/stream.mp3" = {
proxyPass = "http://vpn.containers:8001/stream.mp3";
extraConfig = ''
add_header Access-Control-Allow-Origin *;
'';
};
"/".root = config.inputs.radio-web;
};
};
};
# matrix home server # matrix home server
services.matrix = { services.matrix = {
enable = true; enable = true;
@@ -102,7 +66,7 @@
host = "chat.neet.space"; host = "chat.neet.space";
}; };
jitsi-meet = { jitsi-meet = {
enable = true; enable = false; # disabled until vulnerable libolm dependency is removed/fixed
host = "meet.neet.space"; host = "meet.neet.space";
}; };
turn = { turn = {
@@ -114,18 +78,10 @@
services.postgresql.package = pkgs.postgresql_15; services.postgresql.package = pkgs.postgresql_15;
# iodine DNS-based vpn # iodine DNS-based vpn
services.iodine.server.enable = true; # services.iodine.server.enable = true;
# proxied web services # proxied web services
services.nginx.enable = true; services.nginx.enable = true;
services.nginx.virtualHosts."jellyfin.neet.cloud" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://s0.koi-bebop.ts.net";
proxyWebsockets = true;
};
};
services.nginx.virtualHosts."navidrome.neet.cloud" = { services.nginx.virtualHosts."navidrome.neet.cloud" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@@ -139,12 +95,12 @@
root = "/var/www/tmp"; root = "/var/www/tmp";
}; };
# redirect runyan.org to github # redirect neet.cloud to nextcloud instance on runyan.org
services.nginx.virtualHosts."runyan.org" = { services.nginx.virtualHosts."neet.cloud" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
rewrite ^/(.*)$ https://github.com/GoogleBot42 redirect; return 302 https://runyan.org$request_uri;
''; '';
}; };
@@ -155,7 +111,4 @@
# librechat # librechat
services.librechat.enable = true; services.librechat.enable = true;
services.librechat.host = "chat.neet.dev"; services.librechat.host = "chat.neet.dev";
services.actual-server.enable = true;
services.actual-server.hostname = "actual.runyan.org";
} }

297
machines/storage/s0/dashy.nix Normal file
View File

@@ -0,0 +1,297 @@
{
appConfig = {
theme = "vaporware";
customColors = {
"material-dark-original" = {
primary = "#f36558";
background = "#39434C";
"background-darker" = "#eb615c";
"material-light" = "#f36558";
"item-text-color" = "#ff948a";
"curve-factor" = "5px";
};
};
enableErrorReporting = false;
layout = "auto";
iconSize = "large";
language = "en";
startingView = "default";
defaultOpeningMethod = "sametab";
statusCheck = true;
statusCheckInterval = 20;
faviconApi = "faviconkit";
routingMode = "history";
enableMultiTasking = false;
webSearch = {
disableWebSearch = false;
searchEngine = "duckduckgo";
openingMethod = "sametab";
searchBangs = { };
};
enableFontAwesome = true;
cssThemes = [ ];
externalStyleSheet = [ ];
hideComponents = {
hideHeading = false;
hideNav = false;
hideSearch = false;
hideSettings = false;
hideFooter = false;
hideSplashScreen = false;
};
auth = {
enableGuestAccess = false;
users = [ ];
enableKeycloak = false;
keycloak = { };
};
allowConfigEdit = true;
enableServiceWorker = false;
disableContextMenu = false;
disableUpdateChecks = false;
disableSmartSort = false;
};
pageInfo = {
title = "s0";
description = "s0";
};
sections = [
(
let
# Define the media section items once.
mediaItems = {
jellyfin = {
title = "Jellyfin";
icon = "hl-jellyfin";
url = "https://jellyfin.s0.neet.dev";
target = "sametab";
statusCheck = false;
id = "0_1956_jellyfin";
};
sonarr = {
title = "Sonarr";
description = "Manage TV";
icon = "hl-sonarr";
url = "https://sonarr.s0.neet.dev";
target = "sametab";
statusCheck = false;
id = "1_1956_sonarr";
};
radarr = {
title = "Radarr";
description = "Manage Movies";
icon = "hl-radarr";
url = "https://radarr.s0.neet.dev";
target = "sametab";
statusCheck = false;
id = "2_1956_radarr";
};
lidarr = {
title = "Lidarr";
description = "Manage Music";
icon = "hl-lidarr";
url = "https://lidarr.s0.neet.dev";
target = "sametab";
statusCheck = false;
id = "3_1956_lidarr";
};
prowlarr = {
title = "Prowlarr";
description = "Indexers";
icon = "hl-prowlarr";
url = "https://prowlarr.s0.neet.dev";
target = "sametab";
statusCheck = false;
id = "4_1956_prowlarr";
};
bazarr = {
title = "Bazarr";
description = "Subtitles";
icon = "hl-bazarr";
url = "https://bazarr.s0.neet.dev";
target = "sametab";
statusCheck = false;
id = "5_1956_bazarr";
};
navidrome = {
title = "Navidrome";
description = "Play Music";
icon = "hl-navidrome";
url = "https://music.s0.neet.dev";
target = "sametab";
statusCheck = false;
id = "6_1956_navidrome";
};
transmission = {
title = "Transmission";
description = "Torrenting";
icon = "hl-transmission";
url = "https://transmission.s0.neet.dev";
target = "sametab";
statusCheck = false;
id = "7_1956_transmission";
};
};
# Build the list once.
mediaList = [
mediaItems.jellyfin
mediaItems.sonarr
mediaItems.radarr
mediaItems.lidarr
mediaItems.prowlarr
mediaItems.bazarr
mediaItems.navidrome
mediaItems.transmission
];
in
{
name = "Media & Entertainment";
icon = "fas fa-photo-video";
displayData = {
sortBy = "most-used";
cols = 1;
rows = 1;
collapsed = false;
hideForGuests = false;
};
items = mediaList;
filteredItems = mediaList;
}
)
(
let
networkItems = {
gateway = {
title = "Gateway";
description = "openwrt";
icon = "hl-openwrt";
url = "http://openwrt.lan/";
target = "sametab";
statusCheck = true;
id = "0_746_gateway";
};
wireless = {
title = "Wireless";
description = "openwrt (ish)";
icon = "hl-openwrt";
url = "http://PacketProvocateur.lan";
target = "sametab";
statusCheck = true;
id = "1_746_wireless";
};
};
networkList = [
networkItems.gateway
networkItems.wireless
];
in
{
name = "Network";
icon = "fas fa-network-wired";
items = networkList;
filteredItems = networkList;
displayData = {
sortBy = "default";
rows = 1;
cols = 1;
collapsed = false;
hideForGuests = false;
};
}
)
(
let
servicesItems = {
matrix = {
title = "Matrix";
description = "";
icon = "hl-matrix";
url = "https://chat.neet.space";
target = "sametab";
statusCheck = true;
id = "0_836_matrix";
};
mumble = {
title = "Mumble";
description = "voice.neet.space";
icon = "hl-mumble";
url = "https://voice.neet.space";
target = "sametab";
statusCheck = false;
id = "2_836_mumble";
};
irc = {
title = "IRC";
description = "irc.neet.dev";
icon = "hl-thelounge";
url = "https://irc.neet.dev";
target = "sametab";
statusCheck = true;
id = "3_836_irc";
};
git = {
title = "Git";
description = "git.neet.dev";
icon = "hl-gitea";
url = "https://git.neet.dev";
target = "sametab";
statusCheck = true;
id = "4_836_git";
};
nextcloud = {
title = "Nextcloud";
description = "neet.cloud";
icon = "hl-nextcloud";
url = "https://neet.cloud";
target = "sametab";
statusCheck = true;
id = "5_836_nextcloud";
};
roundcube = {
title = "Roundcube";
description = "mail.neet.dev";
icon = "hl-roundcube";
url = "https://mail.neet.dev";
target = "sametab";
statusCheck = true;
id = "6_836_roundcube";
};
jitsimeet = {
title = "Jitsi Meet";
description = "meet.neet.space";
icon = "hl-jitsimeet";
url = "https://meet.neet.space";
target = "sametab";
statusCheck = true;
id = "7_836_jitsimeet";
};
};
servicesList = [
servicesItems.matrix
servicesItems.mumble
servicesItems.irc
servicesItems.git
servicesItems.nextcloud
servicesItems.roundcube
servicesItems.jitsimeet
];
in
{
name = "Services";
icon = "fas fa-monitor-heart-rate";
items = servicesList;
filteredItems = servicesList;
displayData = {
sortBy = "default";
rows = 1;
cols = 1;
collapsed = false;
hideForGuests = false;
};
}
)
];
}

249
machines/storage/s0/dashy.yaml
View File

@@ -1,249 +0,0 @@
appConfig:
theme: vaporware
customColors:
material-dark-original:
primary: '#f36558'
background: '#39434C'
background-darker: '#eb615c'
material-light: '#f36558'
item-text-color: '#ff948a'
curve-factor: 5px
enableErrorReporting: false
layout: auto
iconSize: large
language: en
startingView: default
defaultOpeningMethod: sametab
statusCheck: true
statusCheckInterval: 20
faviconApi: faviconkit
routingMode: history
enableMultiTasking: false
webSearch:
disableWebSearch: false
searchEngine: duckduckgo
openingMethod: sametab
searchBangs: {}
enableFontAwesome: true
cssThemes: []
externalStyleSheet: []
hideComponents:
hideHeading: false
hideNav: false
hideSearch: false
hideSettings: false
hideFooter: false
hideSplashScreen: false
auth:
enableGuestAccess: false
users: []
enableKeycloak: false
keycloak: {}
allowConfigEdit: true
enableServiceWorker: false
disableContextMenu: false
disableUpdateChecks: false
disableSmartSort: false
pageInfo:
title: s0
description: s0
sections:
- name: Media & Entertainment
icon: fas fa-photo-video
displayData:
sortBy: most-used
cols: 1
rows: 1
collapsed: false
hideForGuests: false
items:
- &ref_0
title: Jellyfin
icon: hl-jellyfin
url: http://s0:8097
target: sametab
statusCheck: true
statusCheckUrl: http://jellyfin.s0
id: 0_1956_jellyfin
- &ref_1
title: Sonarr
description: Manage TV
icon: hl-sonarr
url: http://s0:8989
target: sametab
statusCheck: true
statusCheckUrl: http://sonarr.s0
id: 1_1956_sonarr
- &ref_2
title: Radarr
description: Manage Movies
icon: hl-radarr
url: http://s0:7878
target: sametab
statusCheck: true
statusCheckUrl: http://radarr.s0
id: 2_1956_radarr
- &ref_3
title: Lidarr
description: Manage Music
icon: hl-lidarr
url: http://s0:8686
target: sametab
statusCheck: true
statusCheckUrl: http://lidarr.s0
id: 3_1956_lidarr
- &ref_4
title: Prowlarr
description: Indexers
icon: hl-prowlarr
url: http://prowlarr.s0
target: sametab
statusCheck: true
statusCheckUrl: http://prowlarr.s0
id: 4_1956_prowlarr
- &ref_5
title: Bazarr
description: Subtitles
icon: hl-bazarr
url: http://s0:6767
target: sametab
statusCheck: true
statusCheckUrl: http://bazarr.s0
id: 5_1956_bazarr
- &ref_6
title: Navidrome
description: Play Music
icon: hl-navidrome
url: http://s0:4534
target: sametab
statusCheck: true
statusCheckUrl: http://music.s0
id: 6_1956_navidrome
- &ref_7
title: Transmission
description: Torrenting
icon: hl-transmission
url: http://s0:9091
target: sametab
statusCheck: true
statusCheckUrl: http://transmission.s0
id: 7_1956_transmission
filteredItems:
- *ref_0
- *ref_1
- *ref_2
- *ref_3
- *ref_4
- *ref_5
- *ref_6
- *ref_7
- name: Network
icon: fas fa-network-wired
items:
- &ref_8
title: Gateway
description: openwrt
icon: hl-openwrt
url: http://openwrt.lan/
target: sametab
statusCheck: true
id: 0_746_gateway
- &ref_9
title: Wireless
description: openwrt (ish)
icon: hl-openwrt
url: http://PacketProvocateur.lan
target: sametab
statusCheck: true
id: 1_746_wireless
filteredItems:
- *ref_8
- *ref_9
displayData:
sortBy: default
rows: 1
cols: 1
collapsed: false
hideForGuests: false
- name: Services
icon: fas fa-monitor-heart-rate
items:
- &ref_10
title: Matrix
description: ''
icon: hl-matrix
url: https://chat.neet.space
target: sametab
statusCheck: true
id: 0_836_matrix
- &ref_11
title: Radio
description: Radio service
icon: generative
url: https://radio.runyan.org
target: sametab
statusCheck: true
id: 1_836_radio
- &ref_12
title: Mumble
description: voice.neet.space
icon: hl-mumble
url: https://voice.neet.space
target: sametab
statusCheck: false
id: 2_836_mumble
- &ref_13
title: IRC
description: irc.neet.dev
icon: hl-thelounge
url: https://irc.neet.dev
target: sametab
statusCheck: true
id: 3_836_irc
- &ref_14
title: Git
description: git.neet.dev
icon: hl-gitea
url: https://git.neet.dev
target: sametab
statusCheck: true
id: 4_836_git
- &ref_15
title: Nextcloud
description: neet.cloud
icon: hl-nextcloud
url: https://neet.cloud
target: sametab
statusCheck: true
id: 5_836_nextcloud
- &ref_16
title: Roundcube
description: mail.neet.dev
icon: hl-roundcube
url: https://mail.neet.dev
target: sametab
statusCheck: true
id: 6_836_roundcube
- &ref_17
title: Jitsi Meet
description: meet.neet.space
icon: hl-jitsimeet
url: https://meet.neet.space
target: sametab
statusCheck: true
id: 7_836_jitsimeet
filteredItems:
- *ref_10
- *ref_11
- *ref_12
- *ref_13
- *ref_14
- *ref_15
- *ref_16
- *ref_17
displayData:
sortBy: default
rows: 1
cols: 1
collapsed: false
hideForGuests: false

194
machines/storage/s0/default.nix
View File

@@ -3,6 +3,7 @@
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./frigate.nix
./home-automation.nix ./home-automation.nix
]; ];
@@ -19,13 +20,13 @@
secretKeyFile = "/run/agenix/binary-cache-private-key"; secretKeyFile = "/run/agenix/binary-cache-private-key";
}; };
age.secrets.binary-cache-private-key.file = ../../../secrets/binary-cache-private-key.age; age.secrets.binary-cache-private-key.file = ../../../secrets/binary-cache-private-key.age;
users.users.cache-push = { # users.users.cache-push = {
isNormalUser = true; # isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpUZFFL9BpBVqeeU63sFPhR9ewuhEZerTCDIGW1NPSB" ]; # openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpUZFFL9BpBVqeeU63sFPhR9ewuhEZerTCDIGW1NPSB" ];
}; # };
nix.settings = { # nix.settings = {
trusted-users = [ "cache-push" ]; # trusted-users = [ "cache-push" ];
}; # };
services.iperf3.enable = true; services.iperf3.enable = true;
services.iperf3.openFirewall = true; services.iperf3.openFirewall = true;
@@ -74,6 +75,32 @@
services.lidarr.enable = true; services.lidarr.enable = true;
services.lidarr.user = "public_data"; services.lidarr.user = "public_data";
services.lidarr.group = "public_data"; services.lidarr.group = "public_data";
services.recyclarr = {
enable = true;
configuration = {
radarr.radarr_main = {
api_key = {
_secret = "/run/credentials/recyclarr.service/radarr-api-key";
};
base_url = "http://localhost:7878";
quality_definition.type = "movie";
};
sonarr.sonarr_main = {
api_key = {
_secret = "/run/credentials/recyclarr.service/sonarr-api-key";
};
base_url = "http://localhost:8989";
quality_definition.type = "series";
};
};
};
systemd.services.recyclarr.serviceConfig.LoadCredential = [
"radarr-api-key:/run/agenix/radarr-api-key"
"sonarr-api-key:/run/agenix/sonarr-api-key"
];
services.transmission = { services.transmission = {
enable = true; enable = true;
@@ -144,6 +171,8 @@
8686 # lidarr 8686 # lidarr
9091 # transmission web 9091 # transmission web
]; ];
age.secrets.radarr-api-key.file = ../../../secrets/radarr-api-key.age;
age.secrets.sonarr-api-key.file = ../../../secrets/sonarr-api-key.age;
# jellyfin # jellyfin
# jellyfin cannot run in the vpn container and use hardware encoding # jellyfin cannot run in the vpn container and use hardware encoding
@@ -153,7 +182,7 @@
nixpkgs.config.packageOverrides = pkgs: { nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
}; };
hardware.opengl = { hardware.graphics = {
enable = true; enable = true;
extraPackages = with pkgs; [ extraPackages = with pkgs; [
intel-media-driver intel-media-driver
@@ -165,74 +194,125 @@
}; };
# nginx # nginx
services.nginx.enable = true; services.nginx = {
services.nginx.virtualHosts."bazarr.s0" = { enable = true;
listen = [{ addr = "0.0.0.0"; port = 6767; } { addr = "0.0.0.0"; port = 80; }]; openFirewall = false; # All nginx services are internal
locations."/".proxyPass = "http://vpn.containers:6767"; virtualHosts =
let
mkHost = external: config:
{
${external} = {
useACMEHost = "s0.neet.dev"; # Use wildcard cert
forceSSL = true;
locations."/" = config;
}; };
services.nginx.virtualHosts."radarr.s0" = {
listen = [{ addr = "0.0.0.0"; port = 7878; } { addr = "0.0.0.0"; port = 80; }];
locations."/".proxyPass = "http://vpn.containers:7878";
}; };
services.nginx.virtualHosts."lidarr.s0" = { mkVirtualHost = external: internal:
listen = [{ addr = "0.0.0.0"; port = 8686; } { addr = "0.0.0.0"; port = 80; }]; mkHost external {
locations."/".proxyPass = "http://vpn.containers:8686"; proxyPass = internal;
};
services.nginx.virtualHosts."sonarr.s0" = {
listen = [{ addr = "0.0.0.0"; port = 8989; } { addr = "0.0.0.0"; port = 80; }];
locations."/".proxyPass = "http://vpn.containers:8989";
};
services.nginx.virtualHosts."prowlarr.s0" = {
listen = [{ addr = "0.0.0.0"; port = 9696; } { addr = "0.0.0.0"; port = 80; }];
locations."/".proxyPass = "http://vpn.containers:9696";
};
services.nginx.virtualHosts."music.s0" = {
listen = [{ addr = "0.0.0.0"; port = 4534; } { addr = "0.0.0.0"; port = 80; }];
locations."/".proxyPass = "http://localhost:4533";
};
services.nginx.virtualHosts."jellyfin.s0" = {
listen = [{ addr = "0.0.0.0"; port = 8097; } { addr = "0.0.0.0"; port = 80; }];
locations."/" = {
proxyPass = "http://localhost:8096";
proxyWebsockets = true; proxyWebsockets = true;
}; };
mkStaticHost = external: static:
mkHost external {
root = static;
tryFiles = "$uri /index.html ";
}; };
services.nginx.virtualHosts."jellyfin.neet.cloud".locations."/" = { in
proxyPass = "http://localhost:8096"; lib.mkMerge [
proxyWebsockets = true; (mkVirtualHost "bazarr.s0.neet.dev" "http://vpn.containers:6767")
(mkVirtualHost "radarr.s0.neet.dev" "http://vpn.containers:7878")
(mkVirtualHost "lidarr.s0.neet.dev" "http://vpn.containers:8686")
(mkVirtualHost "sonarr.s0.neet.dev" "http://vpn.containers:8989")
(mkVirtualHost "prowlarr.s0.neet.dev" "http://vpn.containers:9696")
(mkVirtualHost "transmission.s0.neet.dev" "http://vpn.containers:9091")
(mkVirtualHost "unifi.s0.neet.dev" "https://localhost:8443")
(mkVirtualHost "music.s0.neet.dev" "http://localhost:4533")
(mkVirtualHost "jellyfin.s0.neet.dev" "http://localhost:8096")
(mkStaticHost "s0.neet.dev" config.services.dashy.finalDrv)
{
# Landing page LAN redirect
"s0" = {
default = true;
redirectCode = 302;
globalRedirect = "s0.neet.dev";
}; };
services.nginx.virtualHosts."transmission.s0" = { }
listen = [{ addr = "0.0.0.0"; port = 9091; } { addr = "0.0.0.0"; port = 80; }]; (mkVirtualHost "ha.s0.neet.dev" "http://localhost:8123") # home assistant
locations."/" = { (mkVirtualHost "esphome.s0.neet.dev" "http://localhost:6052")
proxyPass = "http://vpn.containers:9091"; (mkVirtualHost "zigbee.s0.neet.dev" "http://localhost:55834")
proxyWebsockets = true; {
"frigate.s0.neet.dev" = {
# Just configure SSL, frigate module configures the rest of nginx
useACMEHost = "s0.neet.dev";
forceSSL = true;
};
}
(mkVirtualHost "vacuum.s0.neet.dev" "http://192.168.1.125") # valetudo
(mkVirtualHost "sandman.s0.neet.dev" "http://192.168.9.14:3000") # es
(mkVirtualHost "todo.s0.neet.dev" "http://localhost:${toString config.services.vikunja.port}")
(mkVirtualHost "budget.s0.neet.dev" "http://localhost:${toString config.services.actual.settings.port}") # actual budget
];
tailscaleAuth = {
enable = true;
virtualHosts = [
"bazarr.s0.neet.dev"
"radarr.s0.neet.dev"
"lidarr.s0.neet.dev"
"sonarr.s0.neet.dev"
"prowlarr.s0.neet.dev"
"transmission.s0.neet.dev"
"unifi.s0.neet.dev"
# "music.s0.neet.dev" # messes up navidrome
"jellyfin.s0.neet.dev"
"s0.neet.dev"
# "ha.s0.neet.dev" # messes up home assistant
"esphome.s0.neet.dev"
"zigbee.s0.neet.dev"
"vacuum.s0.neet.dev"
"todo.s0.neet.dev"
];
expectedTailnet = "koi-bebop.ts.net";
}; };
}; };
networking.firewall.allowedTCPPorts = [ # Get wildcard cert
6767 security.acme.certs."s0.neet.dev" = {
7878 dnsProvider = "digitalocean";
8686 credentialsFile = "/run/agenix/digitalocean-dns-credentials";
8989 extraDomainNames = [ "*.s0.neet.dev" ];
9696 group = "nginx";
4534 dnsResolver = "1.1.1.1:53";
8097 dnsPropagationCheck = false; # sadly this erroneously fails
9091 };
8443 # unifi age.secrets.digitalocean-dns-credentials.file = ../../../secrets/digitalocean-dns-credentials.age;
];
virtualisation.oci-containers.backend = "podman"; virtualisation.oci-containers.backend = "podman";
virtualisation.podman.dockerSocket.enable = true; # TODO needed? virtualisation.podman.dockerSocket.enable = true; # TODO needed?
services.dashy = { services.dashy = {
enable = true; enable = true;
configFile = ./dashy.yaml; settings = import ./dashy.nix;
}; };
services.unifi = { services.unifi = {
enable = true; enable = true;
openFirewall = true; openMinimalFirewall = true;
unifiPackage = pkgs.unifi8;
}; };
services.vikunja = {
enable = true;
port = 61473;
frontendScheme = "https";
frontendHostname = "todo.s0.neet.dev";
settings = {
service.enableregistration = false;
};
};
backup.group."vikunja".paths = [
"/var/lib/vikunja"
];
services.actual.enable = true;
boot.binfmt.emulatedSystems = [ "aarch64-linux" "armv7l-linux" ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" "armv7l-linux" ];
} }

154
machines/storage/s0/frigate.nix Normal file
View File

@@ -0,0 +1,154 @@
{ config, pkgs, lib, ... }:
let
frigateHostname = "frigate.s0.neet.dev";
mkGo2RtcStream = name: url: withAudio: {
${name} = [
url
"ffmpeg:${name}#video=copy${if withAudio then "#audio=copy" else ""}"
];
};
# Assumes camera is set to output:
# - rtsp
# - H.264 + AAC
# - a downscaled substream for detection
mkCamera = name: primaryUrl: detectUrl: {
# Reference https://docs.frigate.video/configuration/reference/
services.frigate.settings = {
cameras.${name} = {
ffmpeg = {
# Camera feeds are relayed through go2rtc
inputs = [
{
path = "rtsp://127.0.0.1:8554/${name}";
# input_args = "preset-rtsp-restream";
input_args = "preset-rtsp-restream-low-latency";
roles = [ "record" ];
}
{
path = detectUrl;
roles = [ "detect" ];
}
];
output_args = {
record = "preset-record-generic-audio-copy";
};
};
detect = {
width = 1280;
height = 720;
fps = 5;
};
};
};
services.go2rtc.settings.streams = lib.mkMerge [
(mkGo2RtcStream name primaryUrl false)
# Sadly having the detection stream go through go2rpc too makes the stream unreadable by frigate for some reason.
# It might need to be re-encoded to work. But I am not interested in wasting the processing power if only frigate
# need the detection stream anyway. So just let frigate grab the stream directly since it works.
# (mkGo2RtcStream detectName detectUrl false)
];
};
mkDahuaCamera = name: address:
let
# go2rtc and frigate have a slightly different syntax for inserting env vars. So the URLs are not interchangable :(
# - go2rtc: ${VAR}
# - frigate: {VAR}
primaryUrl = "rtsp://admin:\${FRIGATE_RTSP_PASSWORD}@${address}/cam/realmonitor?channel=1&subtype=0";
detectUrl = "rtsp://admin:{FRIGATE_RTSP_PASSWORD}@${address}/cam/realmonitor?channel=1&subtype=3";
in
mkCamera name primaryUrl detectUrl;
mkEsp32Camera = name: address: {
services.frigate.settings.cameras.${name} = {
ffmpeg = {
input_args = "";
inputs = [{
path = "http://${address}:8080";
roles = [ "detect" "record" ];
}];
output_args.record = "-f segment -pix_fmt yuv420p -segment_time 10 -segment_format mp4 -reset_timestamps 1 -strftime 1 -c:v libx264 -preset ultrafast -an ";
};
};
};
in
lib.mkMerge [
(mkDahuaCamera "dog-cam" "192.168.10.31")
# (mkEsp32Camera "dahlia-cam" "dahlia-cam.lan")
{
services.frigate = {
enable = true;
hostname = frigateHostname;
settings = {
mqtt = {
enabled = true;
host = "localhost";
port = 1883;
user = "root";
password = "{FRIGATE_MQTT_PASSWORD}";
};
snapshots = {
enabled = true;
bounding_box = true;
};
record = {
enabled = true;
# sync_recordings = true; # detect if recordings were deleted outside of frigate (expensive)
retain = {
days = 7; # Keep video for 7 days
mode = "all";
# mode = "motion";
};
events = {
retain = {
default = 10; # Keep video with detections for 10 days
mode = "motion";
# mode = "active_objects";
};
};
};
# Make frigate aware of the go2rtc streams
go2rtc.streams = config.services.go2rtc.settings.streams;
detect.enabled = false; # :(
objects = {
track = [ "person" "dog" ];
};
};
};
services.go2rtc = {
enable = true;
settings = {
rtsp.listen = ":8554";
webrtc.listen = ":8555";
};
};
# Pass in env file with secrets to frigate/go2rtc
systemd.services.frigate.serviceConfig.EnvironmentFile = "/run/agenix/frigate-credentials";
systemd.services.go2rtc.serviceConfig.EnvironmentFile = "/run/agenix/frigate-credentials";
age.secrets.frigate-credentials.file = ../../../secrets/frigate-credentials.age;
}
{
# hardware encode/decode with amdgpu vaapi
services.frigate.vaapiDriver = "radeonsi";
services.frigate.settings.ffmpeg.hwaccel_args = "preset-vaapi";
}
{
# Coral TPU for frigate
services.frigate.settings.detectors.coral = {
type = "edgetpu";
device = "pci";
};
}
{
# Don't require authentication for frigate
# This is ok because the reverse proxy already requires tailscale access anyway
services.frigate.settings.auth.enabled = false;
}
]

41
machines/storage/s0/hardware-configuration.nix
View File

@@ -8,6 +8,7 @@
# boot # boot
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.systemd-boot.memtest86.enable = true;
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "uas" "sd_mod" "rtsx_pci_sdmmc" ]; boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "uas" "sd_mod" "rtsx_pci_sdmmc" ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
@@ -21,7 +22,6 @@
# zfs # zfs
networking.hostId = "5e6791f0"; networking.hostId = "5e6791f0";
boot.supportedFilesystems = [ "zfs" ]; boot.supportedFilesystems = [ "zfs" ];
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
# luks # luks
remoteLuksUnlock.enable = true; remoteLuksUnlock.enable = true;
@@ -58,8 +58,43 @@
}; };
swapDevices = [ ]; swapDevices = [ ];
networking.interfaces.eth0.useDHCP = true; networking = {
networking.interfaces.eth1.useDHCP = true; dhcpcd.enable = false;
vlans = {
iot = {
id = 2;
interface = "eth1";
};
};
interfaces.eth1.ipv4.addresses = [{
address = "192.168.1.2";
prefixLength = 21;
}];
interfaces.iot.ipv4.addresses = [{
address = "192.168.9.8";
prefixLength = 22;
}];
defaultGateway = "192.168.1.1";
nameservers = [ "1.1.1.1" "8.8.8.8" ];
};
# networking = {
# vlans = {
# iot = {
# id = 2;
# interface = "eth1";
# };
# };
# defaultGateway = {
# interface = "eth1";
# address = "192.168.1.1";
# metric = 10; # always use this route as default gateway
# };
# };
powerManagement.cpuFreqGovernor = "powersave"; powerManagement.cpuFreqGovernor = "powersave";
} }

200
machines/storage/s0/home-automation.nix
View File

@@ -1,112 +1,22 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let
frigateHostname = "frigate.s0";
frigatePort = 61617;
mkEsp32Cam = address: {
ffmpeg = {
input_args = "";
inputs = [{
path = address;
roles = [ "detect" "record" ];
}];
output_args.record = "-f segment -pix_fmt yuv420p -segment_time 10 -segment_format mp4 -reset_timestamps 1 -strftime 1 -c:v libx264 -preset ultrafast -an ";
};
rtmp.enabled = false;
snapshots = {
enabled = true;
bounding_box = true;
};
record = {
enabled = true;
retain.days = 10; # Keep video for 10 days
events.retain = {
default = 30; # Keep video with detections for 30 days
mode = "active_objects";
};
};
detect = {
enabled = true;
width = 800;
height = 600;
fps = 10;
};
objects = {
track = [ "person" ];
};
};
in
{ {
networking.firewall.allowedTCPPorts = [ services.esphome.enable = true;
# 1883 # mqtt
55834 # mqtt zigbee frontend
frigatePort
4180 # oauth proxy
];
services.frigate = {
enable = true;
hostname = frigateHostname;
settings = {
mqtt = {
enabled = true;
host = "localhost:1883";
};
cameras = {
dahlia-cam = mkEsp32Cam "http://dahlia-cam.lan:8080";
};
# ffmpeg = {
# hwaccel_args = "preset-vaapi";
# };
detectors.coral = {
type = "edgetpu";
device = "pci";
};
};
};
# AMD GPU for vaapi
systemd.services.frigate.environment.LIBVA_DRIVER_NAME = "radeonsi";
# Coral TPU for frigate
services.udev.packages = [ pkgs.libedgetpu ];
users.groups.apex = { };
systemd.services.frigate.environment.LD_LIBRARY_PATH = "${pkgs.libedgetpu}/lib";
systemd.services.frigate.serviceConfig = {
SupplementaryGroups = "apex";
};
# Coral PCIe driver
kernel.enableGasketKernelModule = true;
# Allow accessing frigate UI on a specific port in addition to by hostname
services.nginx.virtualHosts.${frigateHostname} = {
listen = [{ addr = "0.0.0.0"; port = frigatePort; } { addr = "0.0.0.0"; port = 80; }];
};
services.esphome = {
enable = true;
address = "0.0.0.0";
openFirewall = true;
};
# TODO remove after upgrading nixos version
systemd.services.esphome.serviceConfig.ProcSubset = lib.mkForce "all";
systemd.services.esphome.serviceConfig.ProtectHostname = lib.mkForce false;
systemd.services.esphome.serviceConfig.ProtectKernelLogs = lib.mkForce false;
systemd.services.esphome.serviceConfig.ProtectKernelTunables = lib.mkForce false;
# TODO lock down
services.mosquitto = { services.mosquitto = {
enable = true; enable = true;
listeners = [ listeners = [
{ {
acl = [ "pattern readwrite #" ]; users.root = {
omitPasswordAuth = true; acl = [ "readwrite #" ];
settings.allow_anonymous = true; hashedPassword = "$7$101$8+QnkTzCdGizaKqq$lpU4o84n6D/1uwfA9pZDVExr1NDm1D/8tNla2tE9J9HdUqkvu192yYfiySY1MFqVNgUKgWEFu5P1bUKqRnzbUw==";
};
} }
]; ];
}; };
networking.firewall.allowedTCPPorts = [
1883 # mqtt
];
services.zigbee2mqtt = { services.zigbee2mqtt = {
enable = true; enable = true;
@@ -114,75 +24,85 @@ in
homeassistant = true; homeassistant = true;
permit_join = false; permit_join = false;
serial = { serial = {
adapter = "ember";
port = "/dev/ttyACM0"; port = "/dev/ttyACM0";
}; };
mqtt = { mqtt = {
server = "mqtt://localhost:1883"; server = "mqtt://localhost:1883";
# base_topic = "zigbee2mqtt"; user = "root";
password = "!/run/agenix/zigbee2mqtt.yaml mqtt_password";
}; };
frontend = { frontend = {
host = "0.0.0.0"; host = "localhost";
port = 55834; port = 55834;
}; };
}; };
}; };
age.secrets."zigbee2mqtt.yaml" = {
file = ../../../secrets/zigbee2mqtt.yaml.age;
owner = "zigbee2mqtt";
};
services.home-assistant = { services.home-assistant = {
enable = true; enable = true;
openFirewall = true;
configWritable = true;
extraComponents = [ extraComponents = [
"default_config"
"rest_command"
"esphome" "esphome"
"met" "met"
"radio_browser" "radio_browser"
"wled" "wled"
"mqtt" "mqtt"
"apple_tv" # why is this even needed? I get `ModuleNotFoundError: No module named 'pyatv'` errors otherwise for some reason.
"unifi"
"digital_ocean"
"downloader"
"mailgun"
"minecraft_server"
"mullvad"
"nextcloud"
"ollama"
"openweathermap"
"jellyfin"
"transmission"
"radarr"
"sonarr"
"syncthing"
"tailscale"
"weather"
"whois"
"youtube"
"homekit_controller"
"zha"
"bluetooth"
]; ];
# config = null;
config = { config = {
# Includes dependencies for a basic setup # Includes dependencies for a basic setup
# https://www.home-assistant.io/integrations/default_config/ # https://www.home-assistant.io/integrations/default_config/
default_config = { }; default_config = { };
};
# Enable reverse proxy support
http = {
use_x_forwarded_for = true;
trusted_proxies = [
"127.0.0.1"
"::1"
];
}; };
# TODO need services.oauth2-proxy.cookie.domain ? "automation manual" = [
services.oauth2-proxy = ];
let # Allow using automations generated from the UI
nextcloudServer = "https://neet.cloud/"; "automation ui" = "!include automations.yaml";
in
{
enable = true;
httpAddress = "http://0.0.0.0:4180"; "rest_command" = {
json_post_request = {
nginx.domain = frigateHostname; url = "{{ url }}";
# nginx.virtualHosts = [ method = "POST";
# frigateHostname content_type = "application/json";
# ]; payload = "{{ payload | default('{}') }}";
};
email.domains = [ "*" ]; };
cookie.secure = false;
provider = "nextcloud";
# redirectURL = "http://s0:4180/oauth2/callback"; # todo forward with nginx?
clientID = "4FfhEB2DNzUh6wWhXTjqQQKu3Ibm6TeYpS8TqcHe55PJC1DorE7vBZBELMKDjJ0X";
keyFile = "/run/agenix/oauth2-proxy-env";
loginURL = "${nextcloudServer}/index.php/apps/oauth2/authorize";
redeemURL = "${nextcloudServer}/index.php/apps/oauth2/api/v1/token";
validateURL = "${nextcloudServer}/ocs/v2.php/cloud/user?format=json";
# todo --cookie-refresh
extraConfig = {
# cookie-csrf-per-request = true;
# cookie-csrf-expire = "5m";
# user-id-claim = "preferred_username";
}; };
}; };
age.secrets.oauth2-proxy-env.file = ../../../secrets/oauth2-proxy-env.age;
} }

6
machines/storage/s0/properties.nix
View File

@@ -1,6 +1,7 @@
{ {
hostNames = [ hostNames = [
"s0" "s0"
"s0.neet.dev"
]; ];
arch = "x86_64-linux"; arch = "x86_64-linux";
@@ -11,12 +12,17 @@
"pia" "pia"
"binary-cache" "binary-cache"
"gitea-actions-runner" "gitea-actions-runner"
"frigate"
"zigbee"
"media-server"
]; ];
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q"; hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";
remoteUnlock = { remoteUnlock = {
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNiceeFMos5ZXcYem4yFxh8PiZNNnuvhlyLbQLrgIZH"; hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNiceeFMos5ZXcYem4yFxh8PiZNNnuvhlyLbQLrgIZH";
clearnetHost = "192.168.1.2";
onionHost = "r3zvf7f2ppaeithzswigma46pajt3hqytmkg3rshgknbl3jbni455fqd.onion"; onionHost = "r3zvf7f2ppaeithzswigma46pajt3hqytmkg3rshgknbl3jbni455fqd.onion";
}; };
} }

8
machines/zoidberg/default.nix
View File

@@ -5,8 +5,6 @@
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
de.enable = true;
# Login DE Option: Steam # Login DE Option: Steam
programs.steam.gamescopeSession.enable = true; programs.steam.gamescopeSession.enable = true;
# programs.gamescope.capSysNice = true; # programs.gamescope.capSysNice = true;
@@ -33,9 +31,9 @@
hardware.enableAllFirmware = true; hardware.enableAllFirmware = true;
# ROCm # ROCm
hardware.opengl.extraPackages = with pkgs; [ hardware.graphics.extraPackages = with pkgs; [
rocm-opencl-icd rocmPackages.clr.icd
rocm-opencl-runtime rocmPackages.clr
]; ];
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"L+ /opt/rocm/hip - - - - ${pkgs.rocmPackages.clr}" "L+ /opt/rocm/hip - - - - ${pkgs.rocmPackages.clr}"

13
machines/zoidberg/hardware-configuration.nix
View File

@@ -17,16 +17,17 @@
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelPackages = pkgs.linuxPackages_latest;
# luks unlock with clevis
boot.initrd.systemd.enable = true;
boot.initrd.clevis = {
enable = true;
devices."enc-pv".secretFile = "/secret/decrypt.jwe";
};
# disks # disks
remoteLuksUnlock.enable = true;
boot.initrd.luks.devices."enc-pv" = { boot.initrd.luks.devices."enc-pv" = {
device = "/dev/disk/by-uuid/04231c41-2f13-49c0-8fce-0357eea67990"; device = "/dev/disk/by-uuid/04231c41-2f13-49c0-8fce-0357eea67990";
allowDiscards = true; allowDiscards = true;
# Fetch key from USB drive
keyFileSize = 4096;
keyFile = "/dev/disk/by-id/usb-Mass_Storage_Device_121220160204-0:0-part2";
fallbackToPassword = true;
}; };
fileSystems."/" = fileSystems."/" =
{ {

39
overlays/actualbudget/default.nix
View File

@@ -1,39 +0,0 @@
{ lib
, buildNpmPackage
, fetchFromGitHub
, python3
, nodejs
, runtimeShell
}:
buildNpmPackage rec {
pname = "actual-server";
version = "24.3.0";
src = fetchFromGitHub {
owner = "actualbudget";
repo = pname;
rev = "refs/tags/v${version}";
hash = "sha256-y51Dhdn84AWR/gM4LnAzvBIBpvKwUiclnPnwzkRoJ0I=";
};
npmDepsHash = "sha256-/UM2Tz8t4hi621HtXSu0LTDIzZ9SWMqKXqKfPwkdpE8=";
patches = [
./migrations-should-use-pkg-path.patch
];
postPatch = ''
cp ${./package-lock.json} package-lock.json
'';
dontNpmBuild = true;
postInstall = ''
mkdir -p $out/bin
cat <<EOF > $out/bin/actual-server
#!${runtimeShell}
exec ${nodejs}/bin/node $out/lib/node_modules/actual-sync/app.js "\$@"
EOF
chmod +x $out/bin/actual-server
'';
}

47
overlays/actualbudget/migrations-should-use-pkg-path.patch
View File

@@ -1,47 +0,0 @@
diff --git a/src/load-config.js b/src/load-config.js
index d3cc5dd..cfcad8a 100644
--- a/src/load-config.js
+++ b/src/load-config.js
@@ -3,7 +3,8 @@ import path from 'node:path';
import { fileURLToPath } from 'node:url';
import createDebug from 'debug';
-const debug = createDebug('actual:config');
+// const debug = createDebug('actual:config');
+const debug = console.log;
const debugSensitive = createDebug('actual-sensitive:config');
const projectRoot = path.dirname(path.dirname(fileURLToPath(import.meta.url)));
@@ -90,6 +91,7 @@ const finalConfig = {
serverFiles: process.env.ACTUAL_SERVER_FILES || config.serverFiles,
userFiles: process.env.ACTUAL_USER_FILES || config.userFiles,
webRoot: process.env.ACTUAL_WEB_ROOT || config.webRoot,
+ dataDir: process.env.ACTUAL_DATA_DIR || config.dataDir,
https:
process.env.ACTUAL_HTTPS_KEY && process.env.ACTUAL_HTTPS_CERT
? {
diff --git a/src/migrations.js b/src/migrations.js
index 964e1f2..3a341d7 100644
--- a/src/migrations.js
+++ b/src/migrations.js
@@ -1,6 +1,12 @@
import migrate from 'migrate';
import path from 'node:path';
import config from './load-config.js';
+import { fileURLToPath } from 'url';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+const appRoot = path.dirname(__dirname);
+const migrationsDirectory = path.join(appRoot, "migrations");
export default function run(direction = 'up') {
console.log(
@@ -13,6 +19,7 @@ export default function run(direction = 'up') {
stateStore: `${path.join(config.dataDir, '.migrate')}${
config.mode === 'test' ? '-test' : ''
}`,
+ migrationsDirectory,
},
(err, set) => {
if (err) {

8807
overlays/actualbudget/package-lock.json generated
View File

File diff suppressed because it is too large Load Diff

17
overlays/default.nix
View File

@@ -3,20 +3,5 @@ final: prev:
let let
system = prev.system; system = prev.system;
frigatePkgs = inputs.nixpkgs-frigate.legacyPackages.${system};
in in
{ { }
# It seems that libedgetpu needs to be built with the newer version of tensorflow in nixpkgs
# but I am lazy so I instead just downgrade by using the old nixpkgs
libedgetpu = frigatePkgs.callPackage ./libedgetpu { };
frigate = frigatePkgs.frigate;
actual-server = prev.callPackage ./actualbudget { };
unifi8 = prev.unifi.overrideAttrs (oldAttrs: rec {
version = "8.1.113";
src = prev.fetchurl {
url = "https://dl.ui.com/unifi/8.1.113/unifi_sysvinit_all.deb";
sha256 = "1knm+l8MSb7XKq2WIbehAnz7loRPjgnc+R98zpWKEAE=";
};
});
}

10
overlays/kernel-modules/default.nix
View File

@@ -7,13 +7,5 @@
let let
cfg = config.kernel; cfg = config.kernel;
gasket = config.boot.kernelPackages.callPackage ./gasket.nix { };
in in
{ { }
options.kernel.enableGasketKernelModule = lib.mkEnableOption "Enable Gasket Kernel Module";
config = lib.mkIf cfg.enableGasketKernelModule {
boot.extraModulePackages = [ gasket ];
};
}

36
overlays/kernel-modules/gasket.nix
View File

@@ -1,36 +0,0 @@
{ stdenv, lib, fetchFromGitHub, kernel }:
stdenv.mkDerivation rec {
pname = "gasket";
version = "1.0-18-unstable-2023-09-05";
src = fetchFromGitHub {
owner = "google";
repo = "gasket-driver";
rev = "5815ee3908a46a415aac616ac7b9aedcb98a504c";
sha256 = "sha256-O17+msok1fY5tdX1DvqYVw6plkUDF25i8sqwd6mxYf8=";
};
makeFlags = kernel.makeFlags ++ [
"-C"
"${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
"M=$(PWD)"
];
buildFlags = [ "modules" ];
installFlags = [ "INSTALL_MOD_PATH=${placeholder "out"}" ];
installTargets = [ "modules_install" ];
sourceRoot = "${src.name}/src";
hardeningDisable = [ "pic" "format" ];
nativeBuildInputs = kernel.moduleBuildDependencies;
meta = with lib; {
description = "The Coral Gasket Driver allows usage of the Coral EdgeTPU on Linux systems.";
homepage = "https://github.com/google/gasket-driver";
license = licenses.gpl2;
maintainers = [ lib.maintainers.kylehendricks ];
platforms = platforms.linux;
broken = versionOlder kernel.version "5.15";
};
}

72
overlays/libedgetpu/default.nix
View File

@@ -1,72 +0,0 @@
{ stdenv
, lib
, fetchFromGitHub
, libusb1
, abseil-cpp
, flatbuffers
, xxd
}:
let
flatbuffers_1_12 = flatbuffers.overrideAttrs (oldAttrs: rec {
version = "1.12.0";
NIX_CFLAGS_COMPILE = "-Wno-error=class-memaccess -Wno-error=maybe-uninitialized";
cmakeFlags = (oldAttrs.cmakeFlags or [ ]) ++ [ "-DFLATBUFFERS_BUILD_SHAREDLIB=ON" ];
NIX_CXXSTDLIB_COMPILE = "-std=c++17";
configureFlags = (oldAttrs.configureFlags or [ ]) ++ [ "--enable-shared" ];
src = fetchFromGitHub {
owner = "google";
repo = "flatbuffers";
rev = "v${version}";
sha256 = "sha256-L1B5Y/c897Jg9fGwT2J3+vaXsZ+lfXnskp8Gto1p/Tg=";
};
});
in
stdenv.mkDerivation rec {
pname = "libedgetpu";
version = "grouper";
src = fetchFromGitHub {
owner = "google-coral";
repo = pname;
rev = "release-${version}";
sha256 = "sha256-73hwItimf88Iqnb40lk4ul/PzmCNIfdt6Afi+xjNiBE=";
};
patches = [ ./libedgetpu-stddef.diff ];
makeFlags = [ "-f" "makefile_build/Makefile" "libedgetpu" ];
buildInputs = [
libusb1
abseil-cpp
flatbuffers_1_12
];
nativeBuildInputs = [
xxd
];
NIX_CXXSTDLIB_COMPILE = "-std=c++17";
TFROOT = "${fetchFromGitHub {
owner = "tensorflow";
repo = "tensorflow";
rev = "v2.7.4";
sha256 = "sha256-liDbUAdaVllB0b74aBeqNxkYNu/zPy7k3CevzRF5dk0=";
}}";
enableParallelBuilding = false;
installPhase = ''
mkdir -p $out/lib
cp out/direct/k8/libedgetpu.so.1.0 $out/lib
ln -s $out/lib/libedgetpu.so.1.0 $out/lib/libedgetpu.so.1
mkdir -p $out/lib/udev/rules.d
cp debian/edgetpu-accelerator.rules $out/lib/udev/rules.d/99-edgetpu-accelerator.rules
# PCIe rule
echo 'SUBSYSTEM=="apex", MODE="0660", GROUP="apex"' > $out/lib/udev/rules.d/65-apex.rules
'';
}

12
overlays/libedgetpu/libedgetpu-stddef.diff
View File

@@ -1,12 +0,0 @@
diff --git a/api/allocated_buffer.h b/api/allocated_buffer.h
index 97740f0..7bc0547 100644
--- a/api/allocated_buffer.h
+++ b/api/allocated_buffer.h
@@ -16,6 +16,7 @@
#define DARWINN_API_ALLOCATED_BUFFER_H_
#include <functional>
+#include <cstddef>
namespace platforms {
namespace darwinn {

15
patches/dont-break-nix-serve.patch Normal file
View File

@@ -0,0 +1,15 @@
diff --git a/nixos/modules/services/video/frigate.nix b/nixos/modules/services/video/frigate.nix
index 49f8ed673816..643b59d68dde 100644
--- a/nixos/modules/services/video/frigate.nix
+++ b/nixos/modules/services/video/frigate.nix
@@ -482,10 +482,6 @@ in
};
};
extraConfig = ''
- # Frigate wants to connect on 127.0.0.1:5000 for unauthenticated requests
- # https://github.com/NixOS/nixpkgs/issues/370349
- listen 127.0.0.1:5000;
-
# vod settings
vod_base_url "";
vod_segments_base_url "";

BIN
secrets/backblaze-s3-backups.age
View File

Binary file not shown.

BIN
secrets/binary-cache-private-key.age
View File

Binary file not shown.

BIN
secrets/binary-cache-push-sshkey.age
View File

Binary file not shown.

17
secrets/cris-hashed-email-pw.age
View File

@@ -1,10 +1,9 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 6AT2/g WZ9p/pCsEDpKbgGDLcTtisn25kExQX9iv+tL3wyPwiY -> ssh-ed25519 6AT2/g lQvZqYp05ofMG2kPUYVMOkJssssOmg9lLiTDxscDFHA
vom2z9QRIQSFB0+4/7lSWUEB0eoAG+08nXgiUg/OSX4 JWRyQo5MqQjz5b+uNLhLYgqOqWpQZdG9dU9ptfhWYaU
-> ssh-ed25519 w3nu8g ECLZwCRJVJqyUMf70EOl2/3ExTruKaxCSQlY5fBZqxk -> ssh-ed25519 w3nu8g kqS10jUVfZqs/x3R3dm0IFGfouGUJUakLjwn0TogbgU
VemnmGpzx1VprkybW1hPlkfmiDaNcBDoEzX0mDZgmu0 RbUZQudujtzn7ci1HRchuUoXSyBb/KbKta/QvIbIeso
-> ssh-ed25519 dMQYog QiPsbFE8MtXnRNBwkUEC+6grqXEbDstEtxYR8uJks2w -> ssh-ed25519 evqvfg U29OBOuOrgX8/Uhok1AQ8p8inLf+bBWHJhvDWCHkZko
O3JWQGppFeZEd6o3W0KVTEIyNVGeLxKfTYTlgsAEVHQ oBwfJlFRQqUHYlyVRxqqdMkxKe2uTP7Z2ZCwk+Bk9yU
--- RncZzBFEyMAkpZRWrPORA0DPHuCTNswmWG5CMNnfm4A --- XMwxBGyVUG3OX1m8OnC1Eavnj+HCywi2VFGC6Vnp/k0
ñ/¼ÔËõôŒ8nàÅ¥«¸7hîtä?T˜=%zˆ°[¤ÝØ!(…uÔdÇuò@ âþd~O7—<37>˜ªVVÝʉ¹„ùnÒ4•bKd÷õïyéœp<Öþ‹,pÖ²Ë ¯³Ð"æÒ0CdBMº2kœ  ÔêñÐÏjú¬ŠØ£ÒØD~§ì%)×4û5
×¢EbƒyŽ¦ù¦D=Ü!„XþtÞÔ:#¦þþãÞXÈX@ú_M

14
secrets/digitalocean-dns-credentials.age Normal file
View File

@@ -0,0 +1,14 @@
age-encryption.org/v1
-> ssh-ed25519 WBT1Hw +mmh+AeldhS/z282wz0d6rfklNpQLFE4M+hAL20XH3c
zyyxtRp6P6ZFdn+1NqVonEfYPtozAgDEZQWnCUbahak
-> ssh-ed25519 6AT2/g TZYBBcBMnmUegRKEx4tBvbFroHV+AM+KKuE0lNOD928
w0d0EBpnrF9rk2SH5ROLyqqgmb2y0KD0sDiSa+gt5Vw
-> ssh-ed25519 hPp1nw bQSu9KjCmPIwjHrw3GXI8F807y1kCi9CvCKE/Q4+fBA
BbYsl7XxNsDET3ldgQWtJCEI6euMZ/BtghEBxlOo+kg
-> ssh-ed25519 w3nu8g +MWibl8Un6Ga7bNAaFqZ83H4ERtBfkAeFI4q6BtpUHo
mB4oxmiYNgrUBwNrG5slhQtT6yttSWiaq0M0DYGrK8A
-> ssh-ed25519 evqvfg gcBt9ZQ2Um08Q1b1k1UQhj0oUpLbKLuFycs4cfAe/G0
YMK/4+LfAYuj6TwT+NOdLQNHfuj9rnhFaNUu+tkMX9M
--- 9dISdhi6vbWXis37GEw2vb/ZaBFR3srYKlyc0N1cEP0
¹ÙÍhž 4ZK1y¨tuïád,¹Àþ<7F>zôÐ(´W6È] ïZïö?S0òQ;*ôêÃvw£~ÎGPÁì
BÚí@,‰à\1gø.^ Œ3)Z£f$xæS˜Ô&4…„ŒÆ<C592>¸¶mýEj[OK:Z<>L

10
secrets/frigate-credentials.age Normal file
View File

@@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 hPp1nw z8hVbU48K+xyH8zxVXjy7sE35GcdSTeGIu/ywdtRBkQ
ynwH7Jug9yK4iCLYIwUn5paYQISWDVYTkq+7rklAW8Y
-> ssh-ed25519 w3nu8g hP/IbrLUi/tvOOu5pRKWGIfbiGnQofR/s7V9kUcMUzs
kZLewvTi5JQ5enF5Bl7wiGUJ2W3THTQVXkyXhLM/Xqg
-> ssh-ed25519 evqvfg s+mq+Pr3fCKSm6dG+p7tF1piR6KZztgH/j0+0S9W7i4
T9KzT/+WK/XOeuWIyf2/eNQz/ytmOYzAjzzZmlY2Ppg
--- A4sCAKn9DQwaSQIdyRYe9XwKvMosCLmdP7RQId7l6vA
BQ{™Uœƒ¢þi&º°ÞV,çÝÜ93÷¸ñl`™<Ê‹(à½îÇÆ×-«=ÇÒivÒ
Ò& 7»Ë#&Íÿì͇ß¿Ûee™<65>š€Kˆ Ì×à–Â[eû·Þ®lD?¥œU-NÿpÐ,þ¤cן-

18
secrets/gitea-actions-runner-token.age
View File

@@ -1,11 +1,9 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 WBT1Hw PbGwwDeulHF6kdh073rq0RvD1hlx6spnKNgKU+QeDAw -> ssh-ed25519 hPp1nw bo+iestejjHIx0accmbyOgLJPRH5xMugtfwKgax+DCU
7dITwSQ2p1LZuaVEzLxcGOhB97MQT2zGoRrnNUMcOFk smaxrCeUgUu9a5mnFlDBbTbw7gNFcLi6mVb3px8gYk0
-> ssh-ed25519 hPp1nw Dn+5Fpme+JmRZKkCkqtCuD87p+sDYDA6OZ2aUmBkCRs -> ssh-ed25519 w3nu8g bhpGV/Yfqfl7mrBgjCgVZEJIsRjXVOmQ2rU7dh+FQzw
Dgg3orXF4RYT/fHtc2tRuIhOQu48zICMqgPyV47vpf4 2irMVi9Vx3/PZT4fqYfcnU7q7wRCtUFOUPZ/X6fQuXw
-> ssh-ed25519 w3nu8g dghNLDH1Tm+sm42HXDhrLFtmU4iDF1yCGrO2VSgzZjo -> ssh-ed25519 evqvfg aic8EzOuwt6ojUoHaAlhy0IWmSzuOvXjBQrK/QSS2Vs
71scUVrGr4c4dunAFJYKd+uJ6aYJpSWBAk9swbv+IzM tfw0GyfsovxlMeySyQULMECEoiEjPtdkoQ4OP/t9K9s
-> ssh-ed25519 dMQYog Wnl1+rh0Q3YD2s1UD0OYVm39wY/Uw1NRK3K7EFhFMls --- uNvusvjFFt4Fza4a/hmns/tWm9LTE4fULWJ/1Gg3Izc
wXF6QBonlCalS1vI9cxzWgv1Gi+yAtYn6HrYCfpl5Nw Ax­ €¶;²þ¼[§²oÿ®“'Lâ@«ö·^<5E>~9\jvCúUϳ$¦§hq É<>ú2Ht?y\vËÈŒ<C388>ð`K!®7Yàï7Ôü
--- rLOoGk0iX+wuNd1CKv7g2PRd2Ic+8JHCQhrVBaF9zbE
<EFBFBD>òüüˤ/A¦Ì(ØiHC¸@¢Þð‰h`ˆ3ªá´' ¬ÚöáDì>ð¿¤~¸ÿÁö?ÑÃMêÙ@<40>t°(“Ò@ö׿^xÆ}

16
secrets/hashed-email-pw.age
View File

@@ -1,9 +1,9 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 6AT2/g 98/m3t8axoVBE6WzdxBtRhV2uSQKSCXwQjyxfWXPmQk -> ssh-ed25519 6AT2/g kXgY0gJW/LpFYNukKCxa/Dhht4hxmoht+CIENXngW3U
AxV0FTvqbWfk/gf65d05PcotbEnYr4PgDQnsaYxP/MU OFTjvs35H2HLGENEChI9fEowlvp6W7hTWFNRZ1PziW0
-> ssh-ed25519 w3nu8g jys7B4COD4iINANeSCD3BqGFoghxTmsbuXoOOIiP+wQ -> ssh-ed25519 w3nu8g jWZ0COxc+hFs7bVNTKcWa7oBmLqPmlqktpZ0gpwIUEo
b7eSN5fe4szfliINOr7ZQ7AoSsIK5akmIQ6uLDabcIE xf4aKirzqHUWppJghPwyCj6SzPntH5gxcP3ch659RIU
-> ssh-ed25519 dMQYog ToNUqTPYmxpz9OUcC94egELcPfHQHCErfHN6l9kSrRY -> ssh-ed25519 evqvfg KR2lx8vs0Eseh37tLtcfDDXE2BoyxCr91vqlnpJraA4
2KoSVoWp+FH29YfH57ri2KOvhkuqYew1+PXm99e0BaI 5HiO7QB7sAC0YlDgkq4gOH0Pp83et9+0UPS8+BA+juk
--- Cjk3E/MjgCF45aLlFeyoGiaUEZk/QuKtsvPb6GpzD8Q --- vt6f6yWyfunZS7pihgt97hFccp0hqlkOeLWdfsq5SAo
m°å>‹“~czÆê匦†``ÜÏqX«š'ÁÎ%ôwÔž~×ÄL·eä'a±]û´LÉÀ‰%ÍYTÊÓc9f¡W¶Ã^¤9ÊõÙÝ2®™æ¶ÆBÌa ƒ™ Z+äœm8¬¸vÕ[ïg_K×s™¼8·1hÙÅ1šüžü¤ã´»=@.„ 2À=ºÛ2?—<>µ¤8\f§3oy ÷ga8¾(.•²?¶8m¹tã<E280B9>,½]«ú

BIN
secrets/hashed-robots-email-pw.age
View File

Binary file not shown.

BIN
secrets/hostapd-pw-CXNK00BF9176.age
View File

Binary file not shown.

BIN
secrets/hostapd-pw-experimental-tower.age
View File

Binary file not shown.

BIN
secrets/iodine.age
View File

Binary file not shown.

BIN
secrets/librechat-env-file.age
View File

Binary file not shown.

BIN
secrets/nextcloud-pw.age
View File

Binary file not shown.

BIN
secrets/oauth2-proxy-env.age
View File

Binary file not shown.

21
secrets/pia-login.age
View File

@@ -1,11 +1,12 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 6AT2/g MGKlbzVOk5+czgAOerwl+eIyOifXJm/q4UgQUXVpx1c -> ssh-ed25519 6AT2/g nn9O3nzI2M9+vKJ3qoKL3xs29iYp2n01xTrmtdbzs1k
43l6s4+5TSMQyO9tAg7v9Y5OdXOjKYz56lbr9Jm2r+o atqBqI77ADuCnV04skh/2KCco5Pgwlz0vSnruiI0dzU
-> ssh-ed25519 hPp1nw aOxni4sFPPgedUkBOuOyEWfFPJrhdTJnivIaWt5RJxM -> ssh-ed25519 hPp1nw tBTDeKMPoCpuoQNdnHdggQdpeYYRXhtJZqCA+o5CPkg
KNaxijzSMp7EjYKwWiAP66nPYYZK3/VXL8u+3uJt6bg q5BYRcZYY8oGot4F5fhx6hZfVpClvOTycQ6kMTXykqk
-> ssh-ed25519 w3nu8g qTAzEzQbFze35AtbvkYREw3wa7ApDN5u7RSZUXrEpms -> ssh-ed25519 w3nu8g C80+Mp8qRkpSfJBCH3XduSv/oT2bJ6TqVxkyh1NfRFo
Dy0uGF458A9RJMvDl2XKOkEABbbRgT+eIgvb6ZOEQqg 9EEh97C2uFzP3a8DB+4YEgjqJyoa97rRT9tXEFGbMFE
-> ssh-ed25519 dMQYog 5DfYuGeWuN0/CO6WWbFIi7LaKl23FXYVdPROM+TFpCA -> ssh-ed25519 evqvfg qByh1A/4ylqHIuvvMqHl0lGBxwWIlwz+pGDdox6zJXE
PDBdDn+YUMKYNKFkCEfXesmkB/XUxZRK3ddQt0kqQ7g Ubym3YKOcekSR+O6dLD+322Kgk3152WDW+Tsu32MYY8
--- JOeG87EVD+QBx6n+rMoPTOni0PyoG7xx4a2USNiapYI --- 4QA63y/d1AXP95G6MHZLJlVyB8LSPVO886QcT2j2tVo
Zsý{ÅiÁ_\+ô@@Üò߸ù&_š5­$¿Gt2¢rF“y×ÄQ§Iaž 7ôÙÉzàgf­%O(µÙ,VéÂ}ÿn|û'J¸2ø¨óQÑ B ~H«;ùœe¹g<C2B9>7Á7+e|µ!ÿk0à€e•hšì?³k^m¯kDPõ}Ê\<iißv[ÆzOÚ÷sýSe¾ƒŸëTØ>Ë£¨+ŒÙ ü®¯ÏÁáš5[Âíåä
Éÿ§7ˆ

9
secrets/radarr-api-key.age Normal file
View File

@@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 hPp1nw Uhd03cBQ85Yw4FjsXkBDfrcAsTBVVOFVFrnU7sPbTXY
/5XIXty9cNwNPV/MXdjoOttmKMXt6PB0/7OMSl7scZ0
-> ssh-ed25519 w3nu8g CzC59hO2YLD+Bbzvi62KXvFlyPXrx/OD8hVeQH3hfFU
V7OtV9QjRYNg2+kMk1K4V9RWb8AsgkQ4OlIRs7hwYyo
-> ssh-ed25519 evqvfg XTSo+9xdmL57Mkc7NNw3Xy1kJrE0Sc+81h+OEHfiCVc
PguEYlZkPMMiMaEpK+gamgl7V9/gaEUpUuV8O8tIUVs
--- 81iRaeiLWHHzFBoWSa6JFdp9mkKZ1TT9mdRXZaQ4N0M
»J

43
secrets/restic-password.age
View File

@@ -1,23 +1,22 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 N7drjg Njjfv0Etdr9U27s+wznqw5YmnKcj3lISQ2vudDPj7F0 -> ssh-ed25519 N7drjg h72jFNLd4ZN5yXXUi1Xue729YQvbThfceBU/R1JiCG4
bw3SSPfReGSmJ5tQPv+niYn7USyZZffxvgs3J5VxiWw F6xaYW7iV+jipI9pe8NMNC+yzkajkmqP73qnhFS14Wc
-> ssh-ed25519 yHDAQw DVlCM84Q1P087cmlS+NzH/i2noLprEbfqSpvFS3Pzig -> ssh-ed25519 jQaHAA EXEQ0bA8ThyKJp4VNHNB/umpNjn95/fxF9qkB/QZh0g
PooFRhm8ofoTAT1UxJ3Y+0RMqK3CriwqpGrrKGfFYTs ZgRc7ts3pdYCtp61XCvDvhHpHfzk2HFJiGtnon0RkkY
-> ssh-ed25519 jQaHAA rfoKG06gXsXPVfNql5Kk5OBebaXsRd4vCirzPB2y0jk -> ssh-ed25519 w3nu8g 55b2qTh8v2dK6qFEgbMLiVxydRTWnMmjB5eWdZb3mGQ
T0xv0iiWSi+FscI/OX6sT137VuiWpAS+P9XsMBT9K7Q uD8vs1yZLo/N44tIufP3U0j7otoINC4di0w7/a6OW8I
-> ssh-ed25519 w3nu8g 869dCSpsCphoOPZ0z6rzbI5QKieIA4M9tAyVP40P2hY -> ssh-ed25519 evqvfg Ad0vjBYZYIYxYmWrultbybzIcHOEfIIL5VlqHeyFPGM
N705ablrfdQWK2aEOFCkmdEQQmwJVcqVXOkhYIp1Z3o z1AbX6Htc0hPs7fW8/Cvkfg4Y9qnblpZwRchfGQQVL8
-> ssh-ed25519 dMQYog ry0Qkn4YSLctLRzp1fZQ6EnbeGvv3Gge2UOsYBwbk2A -> ssh-ed25519 WBT1Hw sgwJnWYXwYcAHLmis6LBIwItj5TQUVyV/Jd3NPkWTx4
LO1eyrU0rQJdAjZKCBr+WH2EP/juXcS7Iwrl8tZIMOM ctNVx7Xt+87XPV5WhYKjhEv3sXje+U6I/z86jRg4P2s
-> ssh-ed25519 WBT1Hw NbtlJrLEcf4yO/akQyE7b9TdyM2e6m8Aj9/MzV7SliY -> ssh-ed25519 6AT2/g uoBlZvOrDV/FqwmPZQmfMzB3P5+DEh7SUJKv8zHBdi0
JBWsIu/Aycys+uUxC2xSTE2gC0YUpC7Jkkxa0E0TfRI xTQzs5CrIREQY2ZinXxZLHfztuVJGsmaqi84TrLzQYA
-> ssh-ed25519 6AT2/g kvri9lMh7mXuJTFh15sRPhkz8+75i2YYcdZL12cLPnI -> ssh-ed25519 hPp1nw uFdt4FE8a1jrHsWuDLs75z0wty8aY6Af+YddkEnGI0I
hsJETu9Xhbfhzzf6Z3YIKFLGN+Eczgn8EqEBPQl7a1s 1j9iSxYdBg0w6Nto3LKEhvCmGWr/5G6q1XvEmwA/l10
-> ssh-ed25519 hPp1nw sJtNVroSF/uQNwvnbLE8vXw+1e4LMu3Gurm+KM+0IwE -> ssh-ed25519 w3nu8g TvyzrbvTGPjmDZpdwQ8em28uGKmeJt4quEzXXq+rN1g
wlYZUEnr1Q3TlxUAUrKAMdVWUbVWy+3+q2fw+ssIoFs rIg9JEkJyuZfQh2FLKzII0f0AUMFcohsmSNdE32nCuQ
-> ssh-ed25519 w3nu8g gA7oDI/02jl+TjMjSUHZqevmHb6gSinWF4KtjDJgFF0 -> ssh-ed25519 evqvfg c13RC6NMmyisYeQ1+znITs9USfwH44fDbzAe4TU/Ryo
KDgSWaZi99/PkKT8g5bTVHvu8EVcPBlF79APxeorABM 72WBsNn7sQb3Gc6MP8Obyc3p8xTQqTwTcqNQxAAvNFo
-> ssh-ed25519 dMQYog PDdSuky8g5OoqyF4K5N6SSa3ln6O8vlvL4viGqJ8mUc --- zZkMOe3zuxaJswYkKepDQpA8bLMt53zMRx3lkJiSvew
LWanrtAIfekuzhr+AGR8e34CD41vPI0BA8YA8YkcyBA ê<=CÛM2Zª,tÀáIp Y É Ìz<C38C>oâQ»«ìS#ÿ'#ì:„Ƕ“`ƒn95<E28093>§zŸ¢¡Å?X­F6á<>»Ël1Æ+ãqê5PjÜä
--- LENK2A8P2SxCmpQSI3QNCNz2RDhGwCqLQGybmD73ka8 Döû=~IÚ
Ö{¹˜ô'Þú”êã«ŵÔjã.ùÄnG=ñY‰gï•c$T¬

18
secrets/robots-email-pw.age
View File

@@ -1,9 +1,11 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 6AT2/g bnExFj2dEhR0Jbf5Zs/4MqxIdPjeb1Dc7duQUHKfylw -> ssh-ed25519 6AT2/g HGqc2dbbCJNR5JR8mNfM8VRSBAWGzvBR0IdQVTM3jys
SV+oJGt24n7CAi4+N9CGZ+SlEgcuAlbLymmmLKffg88 speCXu0Q79q8DXVpxYKacTh3zq0/6KXdWc1yvMJCrwA
-> ssh-ed25519 w3nu8g UO35HobolhH4PRxhGQNxziel7pRhf3VOoGeRbMKH2Fc -> ssh-ed25519 w3nu8g /ArJSkSyJ0+/GGUln+PULXLu2v9IFatasIZ4d97ClnQ
uphjyV1UmrUxrqMqL6tc3UeFdTILKiVOPVM9uJlUsIU tsoXfqg2mC+3YVPHVvkrqXCN6CEpOGDBrS8vzBLkrXA
-> ssh-ed25519 dMQYog v27Ibyt+wTVR/zh5ZH1xyPbgCsrqGug24eVOJ+KdY3E -> ssh-ed25519 evqvfg qJ+4dEvSS8E9tI3q0iXJAnqEZqEE6s2Hn4BAgkjWaEg
I5n+fUhGiHcg0vHTilTszjvFinqCY0ZLcwumiXXwzXE 1s0rlm960TEiIefYqdqwMgff1A2WTavuq0e3GNrxFi0
--- jo6rKqQQTeJQusZM69EsvJFPCIHRTeN4OL1kwzapaJY --- KbFFpe+ZN1XxXV6biHn9Vm1jw1ZaN0/wAW9/GmrQdJ8
m¸¡üi=féKúöœ“³·Û ¾¢¬î“9²Íq™²nTôyΤ@23pˆfêwˆ0 t Ε<<3C>ÅE%Á¢ëFIø‹½>#C i
2w°„ÙÈx¦»$ÝÉ©;8su¢è€\G˜Ñ£¼SÑ'†.Ü*&¸ýQ^¸&$B/V¥8±Ëï?ѨÐÖ´¼Ö Åx§
;*¡)HCË

BIN
secrets/sasl_relay_passwd.age
View File

Binary file not shown.

BIN
secrets/searx.age
View File

Binary file not shown.

14
secrets/secrets.nix
View File

@@ -31,6 +31,7 @@ with roles;
# cloud # cloud
"nextcloud-pw.age".publicKeys = nextcloud; "nextcloud-pw.age".publicKeys = nextcloud;
"whiteboard-server-jwt-secret.age".publicKeys = nextcloud;
"smb-secrets.age".publicKeys = personal ++ media-center; "smb-secrets.age".publicKeys = personal ++ media-center;
"oauth2-proxy-env.age".publicKeys = server; "oauth2-proxy-env.age".publicKeys = server;
@@ -51,4 +52,17 @@ with roles;
# Librechat # Librechat
"librechat-env-file.age".publicKeys = librechat; "librechat-env-file.age".publicKeys = librechat;
# For ACME DNS Challenge
"digitalocean-dns-credentials.age".publicKeys = server;
# Frigate (DVR)
"frigate-credentials.age".publicKeys = frigate;
# zigbee2mqtt secrets
"zigbee2mqtt.yaml.age".publicKeys = zigbee;
# Sonarr and Radarr secrets
"radarr-api-key.age".publicKeys = media-server;
"sonarr-api-key.age".publicKeys = media-server;
} }

34
secrets/smb-secrets.age
View File

@@ -1,19 +1,17 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 N7drjg x2s9QZ7Ijvg4t2peGng9/zX1ZmnGggsvWHJFHEktCgw -> ssh-ed25519 N7drjg EazSO4KSpDf7Xi3pTNdhm800ZA5EIIhMbwYp+L42yD0
o64an6DJ6Be8Jlhzn9ciQTByRAK5f2ckankCRH3y+Uw FDktPGF+bWrlPuwD8QNId3tUxt3kPO5JZ9GQ1B4vtPQ
-> ssh-ed25519 yHDAQw HYHo6anhKDnD74ab04Ql4RB8+WBA6EavYASX7532NCE -> ssh-ed25519 jQaHAA 2UJ/6JUgZBaiVVj6Y43dIvebrozJW4kuR5xfWIWSVSA
aTp2V9g18yzUTq1ezqETj6jM2Yb1Bt5+JNkrIDT2Djs nhZ/CMdHMIN/GjFV/WMmNvRkPYcmgtjihFtNwASS/4E
-> ssh-ed25519 jQaHAA xGKcIQOkO/i4E2ZWZ+O4sAp7ADqCRqfRQHhKQu6yWh4 -> ssh-ed25519 w3nu8g fLbN1n9ncJz5xW4BnmOfOMI5tdODrZGwhOczWz81NDc
RJnqK/t0YQrIej8fRDJGjOtQD7VvgJRfCUWR0/UYcSY MP1Z2q1KMmvh76opIwG9ZepFiLRJBnfnGKAGSLvb38k
-> ssh-ed25519 w3nu8g P9DQy19TvDCi3nfOhFj73bNZEtUs1BrLubt5/BtLoU4 -> ssh-ed25519 evqvfg ZgT1jg/k43AdfVIny9i3PxD0FRG3CWHEKJwL/r/VX28
Sx41bk41dQYa3eoBayUMRIHqMWaRiwXm8BqErDBSbDw Qme90RlNTtlDZcCbbxmJQ1BHphkYC1fLA7MKWTn+jEA
-> ssh-ed25519 dMQYog OWU92PMFo9tGtlkK9zlmMFhh81TGkYlcX1PrxZl35yc -> ssh-ed25519 jQaHAA C5hiPm6jr4TZa+Hl+ruODqSvl9PAx7bvhAMPiNjCe00
owDk8wWXETS+iybhTMDmQH+eBuzZRDJIlVGCwu4LqTI 2trojxFes701L8D1XvWPQBCWJB6rwgppPcGK3jDhCBY
-> ssh-ed25519 jQaHAA MzA8dSYZ/Ysp4ogKEEu84mal8779RgkT4Gy6rBEw+kM -> ssh-ed25519 w3nu8g IuWEPi/Tacoc2Oyey92eJQun4r0RGjY6GAd8oHTQ4Xk
m75x/b83aP5G1vg7EXlcLizcm16fEAUAD+VNcdTMnnQ u6iVh1p2x/ACIHQO9mcVuR3Xmq2ln/F97vlYjWphvMQ
-> ssh-ed25519 w3nu8g AAA3Me3KJgLvtQvyxLvlQ7pCnv7w73ja6Z2+3A82eGs -> ssh-ed25519 evqvfg q1Xp4IxCTofR+RDdi1Hoy+8NOO45u1U9/m/t6eBDUhs
+yCW7qCdjk0fiQJmH8poMoc7APKyX/PY7zZyAG1O+Yg WkQKg8LGQoIPuICvj7KcvgF4RMyG15txHG4uFg3v7X0
-> ssh-ed25519 dMQYog Dd8e6srT+EIl2PH0RP1bQVsDx+HCQjhFndx5TFyhfx8 --- 4WXmmAwvor5BDjArHN3T37/zxKOO3c8jtMaxGigAcMA
j7Met77pWZzK9cMTt29gWB+d9YFVH5T9qs+ulHS3kAo øж[îîj¿Ž U.wÁó@<40>ŸBHr7Seª/‰»x©í1;ÝÂSUÔ(¤8µ¥¸{Ì=µ¦N²Ý±<C2B1>ø;_]ªÝVY2D¸";úµã×Câ•ùûì7§-.’¡üœVÀr±
--- MgOK/g5hOVkGuUNDBSgVeGc9+ndjxLEA7nKSfLJMr4s
~Ÿ‹¬&”™)<29>ŠG®Ÿ¨‡'UÐÞzc¾uFGì(<ò¯ùçV"ƒÕ3þH0x0$•<>w$Yv O3 "Ï×ðV~ÀŠ¸HÁ~XÛ]GœÆqµ®ã÷œ¢y'ãÓ*Dê±ÏúœÕk#\ðAï<41>5ë{«Fe\~

10
secrets/sonarr-api-key.age Normal file
View File

@@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 hPp1nw F3GP7ySGf2wVUdTr1K6iChf0DczmaMnJjDWNl4sIVws
NgfyXX4F14kyrgzuMfExb3D4pY31tzFjGkq2UmC3JMM
-> ssh-ed25519 w3nu8g tnpGVKL1bYFJOhbbOa+TyEOhaXTVUk9D7HtSUWoM+WA
cM8Jm2uKXkt31UFFdSWq3pClQhJZXUksEBMq1/xu7GE
-> ssh-ed25519 evqvfg A3Ght96pdzoWpNpX/jmoBOz+uQUaoF3C2yw+VCOe22c
btao6WVQSwHv07hnkbpv44Pc7r3Essyoz3Spst+pDMQ
--- J1ZZ/XeiLUpkfOl6xOckks4FxqdzPZJyglYhZf4Sa48
¡°è5 ó#”I¸m\í˜Eñ"žH,s<>»{l¼'!—®¢Ë‰zú¿ƒ?ZÁ@·õ-áX´>PÁG
)+S½ ­

9
secrets/whiteboard-server-jwt-secret.age Normal file
View File

@@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 6AT2/g CHRtUTrQxclfOFf+1fpKy61dpivMYz9MiLH3tdqy6VA
7tmx3CPNY6T2nAD8I4bGWAN7y1OPBpWjOhmmCFqldJI
-> ssh-ed25519 w3nu8g UqOMk3O+JfnzlQhymSj1u+9U8xLS93sOVVbd+JhXGBQ
qwYjekirvVTjEwwh0Irdy0hMHAlWkUdD5wu5Xi5GL9U
-> ssh-ed25519 evqvfg Dhz+YpGX+IQNV6UgJq66mogX9UPY5U80YHCwgIsRIlA
BcX/9c0sUQOnfUqGY9W9IRhLM88pLNgh6/nf69AibB4
--- 3trZiV0MSyVswrmMNZuj4PBd3XgUUk8+4NpcJZDXW+Y
¾ÛŸ±û A„ù¯Hã^•ó %‡…ôÔFàÃö4Ö<>\?H£Ü9_Ôd(ñOcl‡U [2Éí•ýtßOëm¯Mÿ¾eà¬ú+—ûØ»2&óSxÎŽ

BIN
secrets/wolframalpha.age
View File

Binary file not shown.

9
secrets/zigbee2mqtt.yaml.age Normal file
View File

@@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 hPp1nw WkcqGYW9EwuqwdPa22bZ2yyxxSUlfZ1Y+NggCyFR/Qc
Nccy64qgRnPj+6pDRPEvHCo4TRszDL5x8NUoljvAeZ0
-> ssh-ed25519 w3nu8g gr+GjbS4lanuXX6QRpzMl/3cuLInJ+djyoSnN/tH5xM
md07riIXJ2eH43nL8SJFU+dThXu3kUePO/ZaV9iuS4k
-> ssh-ed25519 evqvfg rP45WmM5H7O8dFoOQHPeVDY0JqiIDYgJsPyQjh4jC1w
R7VH7PhaSCRW5bUAgC0Rlic6FV0IAiqKWFA8ah4/3Q0
--- tyRX1o1ewWqSvvaHYQjzare0j6oW6VT1tdnqTN4Or34
"T÷¶áÁÀŠ„Z»S㵈ձ7ƒÜëW—v¡¨[Êi ˜¹CÌÓÜ»Öä<@°yuƒlÊǽRsò<73><C3B2>ƒ¸ä­Íí“´¬y¬`«{ò_Í