zuckerberg/nix-config
zuckerberg/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Activity

Compare commits

base: zuckerberg:e56271b2c34142b16f169f59bbf8884c6bf1e2fa
Branches Tags
zuckerberg:master
zuckerberg:stage
zuckerberg:rpi-hotspot
zuckerberg:attic
zuckerberg:kexec_luks2
zuckerberg:pia-client
..
compare: zuckerberg:66bfc62566bc802f20ffa84d3929e0b586e81c9f
Branches Tags
zuckerberg:stage
zuckerberg:master
zuckerberg:rpi-hotspot
zuckerberg:attic
zuckerberg:kexec_luks2
zuckerberg:pia-client

No commits in common. "e56271b2c34142b16f169f59bbf8884c6bf1e2fa" and "66bfc62566bc802f20ffa84d3929e0b586e81c9f" have entirely different histories.
e56271b2c3 ... 66bfc62566

6 changed files with 22 additions and 29 deletions
Show Stats Expand all files Collapse all files

9
common/pc/audio.nix
View File

@ -19,15 +19,6 @@ in
jack.enable = true;
};
services.pipewire.extraConfig.pipewire."92-fix-wine-audio" = {
context.properties = {
default.clock.rate = 48000;
default.clock.quantum = 2048;
default.clock.min-quantum = 512;
default.clock.max-quantum = 2048;
};
};
users.users.googlebot.extraGroups = [ "audio" ];
# bt headset support

4
common/pc/chromium.nix
View File

@ -41,7 +41,7 @@ in
"SpellcheckLanguage" = [ "en-US" ];
};
defaultSearchProviderSuggestURL = null;
defaultSearchProviderSearchURL = "https://duckduckgo.com/?q={searchTerms}&kp=-1&kl=us-en";
defaultSearchProviderSearchURL = " https://duckduckgo.com/?q={searchTerms}&kp=-1&kl=us-en";
};
# hardware accelerated video playback (on intel)
@ -52,7 +52,7 @@ in
# ungoogled = true;
# --enable-native-gpu-memory-buffers # fails on AMD APU
# --enable-webrtc-vp9-support
commandLineArgs = "--use-vulkan";
commandLineArgs = "--use-vulkan --use-gl=desktop --enable-zero-copy --enable-hardware-overlays --enable-features=VaapiVideoDecoder,CanvasOopRasterization --ignore-gpu-blocklist --enable-accelerated-mjpeg-decode --enable-accelerated-video --enable-gpu-rasterization";
};
};
# todo vulkan in chrome

3
common/pc/default.nix
View File

@ -89,8 +89,5 @@ in
# for luks onlock over tor
services.tor.enable = true;
services.tor.client.enable = true;
# Enable wayland support in various chromium based applications
environment.sessionVariables.NIXOS_OZONE_WL = "1";
};
}

8
common/pc/vscodium.nix
View File

@ -11,8 +11,6 @@ let
golang.go
jnoortheen.nix-ide
ms-vscode.cpptools
rust-lang.rust-analyzer
vadimcn.vscode-lldb
] ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [
{
name = "platformio-ide";
@ -20,12 +18,6 @@ let
version = "3.1.1";
sha256 = "g9yTG3DjVUS2w9eHGAai5LoIfEGus+FPhqDnCi4e90Q=";
}
{
name = "wgsl-analyzer";
publisher = "wgsl-analyzer";
version = "0.8.1";
sha256 = "ckclcxdUxhjWlPnDFVleLCWgWxUEENe0V328cjaZv+Y=";
}
];
vscodium-with-extensions = pkgs.vscode-with-extensions.override {

23
machines/storage/s0/default.nix
View File

@ -194,6 +194,9 @@
(mkVirtualHost "music.s0.neet.dev" "http://localhost:4533")
(mkVirtualHost "jellyfin.s0.neet.dev" "http://localhost:8096")
(mkVirtualHost "s0.neet.dev" "http://localhost:56815")
(mkVirtualHost "ha.s0.neet.dev" "http://localhost:8123") # home assistant
(mkVirtualHost "esphome.s0.neet.dev" "http://localhost:6052")
(mkVirtualHost "zigbee.s0.neet.dev" "http://localhost:55834")
{
# Landing page LAN redirect
"s0" = {
@ -201,20 +204,27 @@
redirectCode = 302;
globalRedirect = "s0.neet.dev";
};
}
(mkVirtualHost "ha.s0.neet.dev" "http://localhost:8123") # home assistant
(mkVirtualHost "esphome.s0.neet.dev" "http://localhost:6052")
(mkVirtualHost "zigbee.s0.neet.dev" "http://localhost:55834")
{
"frigate.s0.neet.dev" = {
# Just configure SSL, frigate module configures the rest of nginx
useACMEHost = "s0.neet.dev";
forceSSL = true;
};
}
(mkVirtualHost "vacuum.s0.neet.dev" "http://192.168.1.125") # valetudo
];
# Problem #1: Keeping certain programs from being accessed from certain external networks/VLANs
# Solution #1: Isolate that service in a container system that automatically fowards the ports to the right network interface(s)
# Solution #2: Don't open the firewall for these services, manually open the ports instead for the specific network interface(s) (trickier and easy to miss ports or ports can change)
# Untrusted network list:
# - VLANs [cameras]
# Problem #2: Untrusted internal services. Prevent them from accessing certain internal services (usually key unauth'd services like frigate)
# Solution #1: Isolate the untrusted services into their own container
# Untrusted services list:
# - Unifi? (it already has access to the cameras anyway?)
# - torrenting, *arr (worried about vulns)
tailscaleAuth = {
enable = true;
virtualHosts = [
@ -231,7 +241,6 @@
# "ha.s0.neet.dev" # messes up home assistant
"esphome.s0.neet.dev"
"zigbee.s0.neet.dev"
"vacuum.s0.neet.dev"
];
expectedTailnet = "koi-bebop.ts.net";
};

4
machines/storage/s0/hardware-configuration.nix
View File

@ -60,6 +60,10 @@
swapDevices = [ ];
networking.vlans = {
default = {
id = 1;
interface = "eth1";
};
iot = {
id = 2;
interface = "eth1";