zuckerberg/nix-config
zuckerberg/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Activity

Compare commits

merge into: zuckerberg:master
Branches Tags
zuckerberg:master
zuckerberg:stage
zuckerberg:rpi-hotspot
zuckerberg:attic
zuckerberg:kexec_luks2
zuckerberg:pia-client
...
pull from: zuckerberg:stage
Branches Tags
zuckerberg:stage
zuckerberg:master
zuckerberg:rpi-hotspot
zuckerberg:attic
zuckerberg:kexec_luks2
zuckerberg:pia-client

16 Commits
master ... stage

Author SHA1 Message Date
Zuckerberg
be23526c2c Add KeepassXC keys, remove some very old user keys, and rekey
All checks were successful
Check Flake / check-flake (push) Successful in 1m50s
Details
2025-07-16 22:01:33 -07:00
Zuckerberg
e234577268 Disable inactive cache push experiment 2025-07-16 22:00:11 -07:00
Zuckerberg
82b67ed566 Add Whiteboard app to Nextcloud
All checks were successful
Check Flake / check-flake (push) Successful in 2m17s
Details
2025-07-16 20:49:39 -07:00
Zuckerberg
53c2e2222c Move shell aliases 2025-07-16 20:48:26 -07:00
Zuckerberg
846da159d0 Iodine stopped working again 2025-07-16 20:47:49 -07:00
Zuckerberg
a45125421e Add collabora online and move nextcloud domain 2025-07-16 20:46:51 -07:00
Zuckerberg
f4e40955c8 Use upstreamed pcie coral and vaapi frigate configuration
All checks were successful
Check Flake / check-flake (push) Successful in 12m12s
Details
2025-07-13 18:04:36 -07:00
Zuckerberg
af9e462b27 Allow substituters to be offline
Some checks failed
Check Flake / check-flake (push) Has been cancelled
Details
2025-07-13 17:54:32 -07:00
Zuckerberg
2faea9d380 Update nixpkgs and other flake inputs 2025-07-13 17:52:08 -07:00
Zuckerberg
8571922796 Add new helpful utilities 2025-07-12 11:42:40 -07:00
Zuckerberg
131d5e9313 Add rest command for home assistant 2025-07-12 10:50:37 -07:00
Zuckerberg
fe0ce3a245 Get recyclarr initially running 2025-07-12 10:48:13 -07:00
Zuckerberg
7b26cfb4eb update single input cmd 2025-07-12 10:27:09 -07:00
Zuckerberg
1c9fa418b3 Make s0 easier to unlock
All checks were successful
Check Flake / check-flake (push) Successful in 1m25s
Details
2025-03-29 22:52:00 -07:00
Zuckerberg
8c4dc9cb74 Improve usage of roles. It should be much easier to read and use now. 2025-03-29 22:48:14 -07:00
Zuckerberg
1f9fbd87ac Use upstream pykms and Actual Budget. Move Actual to s0. Add automated backups for Actual.
All checks were successful
Check Flake / check-flake (push) Successful in 1m37s
Details
2025-03-29 18:36:13 -07:00
59 changed files with 622 additions and 9736 deletions
Show Stats Expand all files Collapse all files

7
Makefile
View File

@ -24,4 +24,9 @@ clean-old-nixos-profiles:
# Garbage Collect
.PHONY: gc
gc:
nix store gc
nix store gc
# Update a flake input by name (ex: 'nixpkgs')
.PHONY: update-input
update-input:
nix flake update $(filter-out $@,$(MAKECMDGOALS))

7
common/binary-cache.nix
View File

@ -12,6 +12,13 @@
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU="
];
# Allow substituters to be offline
# This isn't exactly ideal since it would be best if I could set up a system
# so that it is an error if a derivation isn't available for any substituters
# and use this flag as intended for deciding if it should build missing
# derivations locally. See https://github.com/NixOS/nix/issues/6901
fallback = true;
};
};
}

4
common/default.nix
View File

@ -100,7 +100,5 @@
security.acme.defaults.email = "zuckerberg@neet.dev";
# Enable Desktop Environment if this is a PC (machine role is "personal")
de.enable = (
builtins.elem config.networking.hostName config.machines.roles.personal
);
de.enable = lib.mkDefault (config.thisMachine.hasRole."personal");
}

195
common/machine-info/default.nix
View File

@ -5,6 +5,90 @@
let
machines = config.machines.hosts;
hostOptionsSubmoduleType = lib.types.submodule {
options = {
hostNames = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = ''
List of hostnames for this machine. The first one is the default so it is the target of deployments.
Used for automatically trusting hosts for ssh connections.
'';
};
arch = lib.mkOption {
type = lib.types.enum [ "x86_64-linux" "aarch64-linux" ];
description = ''
The architecture of this machine.
'';
};
systemRoles = lib.mkOption {
type = lib.types.listOf lib.types.str; # TODO: maybe use an enum?
description = ''
The set of roles this machine holds. Affects secrets available. (TODO add service config as well using this info)
'';
};
hostKey = lib.mkOption {
type = lib.types.str;
description = ''
The system ssh host key of this machine. Used for automatically trusting hosts for ssh connections
and for decrypting secrets with agenix.
'';
};
remoteUnlock = lib.mkOption {
default = null;
type = lib.types.nullOr (lib.types.submodule {
options = {
hostKey = lib.mkOption {
type = lib.types.str;
description = ''
The system ssh host key of this machine used for luks boot unlocking only.
'';
};
clearnetHost = lib.mkOption {
default = null;
type = lib.types.nullOr lib.types.str;
description = ''
The hostname resolvable over clearnet used to luks boot unlock this machine
'';
};
onionHost = lib.mkOption {
default = null;
type = lib.types.nullOr lib.types.str;
description = ''
The hostname resolvable over tor used to luks boot unlock this machine
'';
};
};
});
};
userKeys = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
The list of user keys. Each key here can be used to log into all other systems as `googlebot`.
TODO: consider auto populating other programs that use ssh keys such as gitea
'';
};
deployKeys = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
The list of deployment keys. Each key here can be used to log into all other systems as `root`.
'';
};
configurationPath = lib.mkOption {
type = lib.types.path;
description = ''
The path to this machine's configuration directory.
'';
};
};
};
in
{
imports = [
@ -13,104 +97,16 @@ in
];
options.machines = {
hosts = lib.mkOption {
type = lib.types.attrsOf
(lib.types.submodule {
options = {
hostNames = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = ''
List of hostnames for this machine. The first one is the default so it is the target of deployments.
Used for automatically trusting hosts for ssh connections.
'';
};
arch = lib.mkOption {
type = lib.types.enum [ "x86_64-linux" "aarch64-linux" ];
description = ''
The architecture of this machine.
'';
};
systemRoles = lib.mkOption {
type = lib.types.listOf lib.types.str; # TODO: maybe use an enum?
description = ''
The set of roles this machine holds. Affects secrets available. (TODO add service config as well using this info)
'';
};
hostKey = lib.mkOption {
type = lib.types.str;
description = ''
The system ssh host key of this machine. Used for automatically trusting hosts for ssh connections
and for decrypting secrets with agenix.
'';
};
remoteUnlock = lib.mkOption {
default = null;
type = lib.types.nullOr (lib.types.submodule {
options = {
hostKey = lib.mkOption {
type = lib.types.str;
description = ''
The system ssh host key of this machine used for luks boot unlocking only.
'';
};
clearnetHost = lib.mkOption {
default = null;
type = lib.types.nullOr lib.types.str;
description = ''
The hostname resolvable over clearnet used to luks boot unlock this machine
'';
};
onionHost = lib.mkOption {
default = null;
type = lib.types.nullOr lib.types.str;
description = ''
The hostname resolvable over tor used to luks boot unlock this machine
'';
};
};
});
};
userKeys = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
The list of user keys. Each key here can be used to log into all other systems as `googlebot`.
TODO: consider auto populating other programs that use ssh keys such as gitea
'';
};
deployKeys = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
The list of deployment keys. Each key here can be used to log into all other systems as `root`.
'';
};
configurationPath = lib.mkOption {
type = lib.types.path;
description = ''
The path to this machine's configuration directory.
'';
};
};
});
type = lib.types.attrsOf hostOptionsSubmoduleType;
};
};
options.thisMachine.config = lib.mkOption {
# For ease of use, a direct copy of the host config from machines.hosts.${hostName}
type = hostOptionsSubmoduleType;
};
config = {
assertions = (lib.concatLists (lib.mapAttrsToList
(
@ -196,5 +192,16 @@ in
builtins.map (p: { "${dirName p}" = p; }) propFiles;
in
properties ../../machines;
# Don't try to evaluate "thisMachine" when reflecting using moduleless.nix.
# When evaluated by moduleless.nix this will fail due to networking.hostName not
# existing. This is because moduleless.nix is not intended for reflection from the
# perspective of a perticular machine but is instead intended for reflecting on
# the properties of all machines as a whole system.
thisMachine.config = config.machines.hosts.${config.networking.hostName};
# Add ssh keys from KeepassXC
machines.ssh.userKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILACiZO7QnB4bcmziVaUkUE0ZPMR0M/yJbbHYsHIZz9g" ];
machines.ssh.deployKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID58MvKGs3GDMMcN8Iyi9S59SciSrVM97wKtOvUAl3li" ];
};
}

42
common/machine-info/roles.nix
View File

@ -1,19 +1,55 @@
{ config, lib, ... }:
# Maps roles to their hosts
# Maps roles to their hosts.
# machines.withRole = {
# personal = [
# "machine1" "machine3"
# ];
# cache = [
# "machine2"
# ];
# };
#
# A list of all possible roles
# machines.allRoles = [
# "personal"
# "cache"
# ];
#
# For each role has true or false if the current machine has that role
# thisMachine.hasRole = {
# personal = true;
# cache = false;
# };
{
options.machines.roles = lib.mkOption {
options.machines.withRole = lib.mkOption {
type = lib.types.attrsOf (lib.types.listOf lib.types.str);
};
options.machines.allRoles = lib.mkOption {
type = lib.types.listOf lib.types.str;
};
options.thisMachine.hasRole = lib.mkOption {
type = lib.types.attrsOf lib.types.bool;
};
config = {
machines.roles = lib.zipAttrs
machines.withRole = lib.zipAttrs
(lib.mapAttrsToList
(host: cfg:
lib.foldl (lib.mergeAttrs) { }
(builtins.map (role: { ${role} = host; })
cfg.systemRoles))
config.machines.hosts);
machines.allRoles = lib.attrNames config.machines.withRole;
thisMachine.hasRole = lib.mapAttrs
(role: cfg:
builtins.elem config.networking.hostName config.machines.withRole.${role}
)
config.machines.withRole;
};
}

2
common/machine-info/ssh.nix
View File

@ -39,6 +39,6 @@ in
builtins.map
(host: machines.hosts.${host}.hostKey)
hosts)
machines.roles;
machines.withRole;
};
}

20
common/nix-builder.nix
View File

@ -1,18 +1,14 @@
{ config, lib, ... }:
let
builderRole = "nix-builder";
builderUserName = "nix-builder";
machinesByRole = role: lib.filterAttrs (hostname: cfg: builtins.elem role cfg.systemRoles) config.machines.hosts;
otherMachinesByRole = role: lib.filterAttrs (hostname: cfg: hostname != config.networking.hostName) (machinesByRole role);
thisMachineHasRole = role: builtins.hasAttr config.networking.hostName (machinesByRole role);
builders = machinesByRole builderRole;
thisMachineIsABuilder = thisMachineHasRole builderRole;
builderRole = "nix-builder";
builders = config.machines.withRole.${builderRole};
thisMachineIsABuilder = config.thisMachine.hasRole.${builderRole};
# builders don't include themselves as a remote builder
otherBuilders = lib.filterAttrs (hostname: cfg: hostname != config.networking.hostName) builders;
otherBuilders = lib.filter (hostname: hostname != config.networking.hostName) builders;
in
lib.mkMerge [
# configure builder
@ -40,9 +36,9 @@ lib.mkMerge [
nix.distributedBuilds = true;
nix.buildMachines = builtins.map
(builderCfg: {
hostName = builtins.elemAt builderCfg.hostNames 0;
system = builderCfg.arch;
(builderHostname: {
hostName = builderHostname;
system = config.machines.hosts.${builderHostname}.arch;
protocol = "ssh-ng";
sshUser = builderUserName;
sshKey = "/etc/ssh/ssh_host_ed25519_key";
@ -50,7 +46,7 @@ lib.mkMerge [
speedFactor = 10;
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
})
(builtins.attrValues otherBuilders);
otherBuilders;
# It is very likely that the builder's internet is faster or just as fast
nix.extraOptions = ''

2
common/pc/default.nix
View File

@ -92,5 +92,7 @@ in
# Enable wayland support in various chromium based applications
environment.sessionVariables.NIXOS_OZONE_WL = "1";
fonts.packages = with pkgs; [ nerd-fonts.symbols-only ];
};
}

83
common/server/actualbudget.nix
View File

@ -1,87 +1,16 @@
# Starting point:
# https://github.com/aldoborrero/mynixpkgs/commit/c501c1e32dba8f4462dcecb57eee4b9e52038e27
{ config, pkgs, lib, ... }:
let
cfg = config.services.actual-server;
stateDir = "/var/lib/${cfg.stateDirName}";
cfg = config.services.actual;
in
{
options.services.actual-server = {
enable = lib.mkEnableOption "Actual Server";
hostname = lib.mkOption {
type = lib.types.str;
default = "localhost";
description = "Hostname for the Actual Server.";
};
port = lib.mkOption {
type = lib.types.int;
default = 25448;
description = "Port on which the Actual Server should listen.";
};
stateDirName = lib.mkOption {
type = lib.types.str;
default = "actual-server";
description = "Name of the directory under /var/lib holding the server's data.";
};
upload = {
fileSizeSyncLimitMB = lib.mkOption {
type = lib.types.nullOr lib.types.int;
default = null;
description = "File size limit in MB for synchronized files.";
};
syncEncryptedFileSizeLimitMB = lib.mkOption {
type = lib.types.nullOr lib.types.int;
default = null;
description = "File size limit in MB for synchronized encrypted files.";
};
fileSizeLimitMB = lib.mkOption {
type = lib.types.nullOr lib.types.int;
default = null;
description = "File size limit in MB for file uploads.";
};
};
};
config = lib.mkIf cfg.enable {
systemd.services.actual-server = {
description = "Actual Server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.actual-server}/bin/actual-server";
Restart = "always";
StateDirectory = cfg.stateDirName;
WorkingDirectory = stateDir;
DynamicUser = true;
UMask = "0007";
};
environment = {
NODE_ENV = "production";
ACTUAL_PORT = toString cfg.port;
# Actual is actually very bad at configuring it's own paths despite that information being readily available
ACTUAL_USER_FILES = "${stateDir}/user-files";
ACTUAL_SERVER_FILES = "${stateDir}/server-files";
ACTUAL_DATA_DIR = stateDir;
ACTUAL_UPLOAD_FILE_SYNC_SIZE_LIMIT_MB = toString (cfg.upload.fileSizeSyncLimitMB or "");
ACTUAL_UPLOAD_SYNC_ENCRYPTED_FILE_SIZE_LIMIT_MB = toString (cfg.upload.syncEncryptedFileSizeLimitMB or "");
ACTUAL_UPLOAD_FILE_SIZE_LIMIT_MB = toString (cfg.upload.fileSizeLimitMB or "");
};
services.actual.settings = {
port = 25448;
};
services.nginx.virtualHosts.${cfg.hostname} = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:${toString cfg.port}";
};
backup.group."actual-budget".paths = [
"/var/lib/actual"
];
};
}

1
common/server/default.nix
View File

@ -10,7 +10,6 @@
./matrix.nix
./zerobin.nix
./gitea.nix
./radio.nix
./samba.nix
./owncast.nix
./mailserver.nix

5
common/server/gitea-actions-runner.nix
View File

@ -9,10 +9,7 @@
# TODO: skipping running inside of nixos container for now because of issues getting docker/podman running
let
runnerRole = "gitea-actions-runner";
runners = config.machines.roles.${runnerRole};
thisMachineIsARunner = builtins.elem config.networking.hostName runners;
thisMachineIsARunner = config.thisMachine.hasRole."gitea-actions-runner";
containerName = "gitea-runner";
in
{

1
common/server/mailserver.nix
View File

@ -28,7 +28,6 @@ in
indexDir = "/var/lib/mailindex";
enableManageSieve = true;
fullTextSearch.enable = true;
fullTextSearch.indexAttachments = true;
fullTextSearch.memoryLimit = 500;
inherit domains;
loginAccounts = {

121
common/server/nextcloud.nix
View File

@ -3,28 +3,44 @@
let
cfg = config.services.nextcloud;
nextcloudHostname = "runyan.org";
collaboraOnlineHostname = "collabora.runyan.org";
whiteboardHostname = "whiteboard.runyan.org";
whiteboardPort = 3002; # Seems impossible to change
# Hardcoded public ip of ponyo... I wish I didn't need this...
public_ip_address = "147.135.114.130";
in
{
config = lib.mkIf cfg.enable {
services.nextcloud = {
https = true;
package = pkgs.nextcloud30;
hostName = "neet.cloud";
package = pkgs.nextcloud31;
hostName = nextcloudHostname;
config.dbtype = "sqlite";
config.adminuser = "jeremy";
config.adminpassFile = "/run/agenix/nextcloud-pw";
# Apps
autoUpdateApps.enable = true;
extraAppsEnable = true;
extraApps = with config.services.nextcloud.package.packages.apps; {
# Want
inherit end_to_end_encryption mail spreed;
# For file and document editing (collabora online and excalidraw)
inherit richdocuments whiteboard;
# Might use
inherit bookmarks calendar cookbook deck memories onlyoffice qownnotesapi;
inherit calendar qownnotesapi;
# Try out
# inherit maps music news notes phonetrack polls forms;
# inherit bookmarks cookbook deck memories maps music news notes phonetrack polls forms;
};
extraAppsEnable = true;
# Allows installing Apps from the UI (might remove later)
appstoreEnable = true;
};
age.secrets.nextcloud-pw = {
file = ../../secrets/nextcloud-pw.age;
@ -40,5 +56,100 @@ in
enableACME = true;
forceSSL = true;
};
# collabora-online
# https://diogotc.com/blog/collabora-nextcloud-nixos/
services.collabora-online = {
enable = true;
port = 15972;
settings = {
# Rely on reverse proxy for SSL
ssl = {
enable = false;
termination = true;
};
# Listen on loopback interface only
net = {
listen = "loopback";
post_allow.host = [ "localhost" ];
};
# Restrict loading documents from WOPI Host
storage.wopi = {
"@allow" = true;
host = [ config.services.nextcloud.hostName ];
};
server_name = collaboraOnlineHostname;
};
};
services.nginx.virtualHosts.${config.services.collabora-online.settings.server_name} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.collabora-online.port}";
proxyWebsockets = true;
};
};
systemd.services.nextcloud-config-collabora =
let
wopi_url = "http://localhost:${toString config.services.collabora-online.port}";
public_wopi_url = "https://${collaboraOnlineHostname}";
wopi_allowlist = lib.concatStringsSep "," [
"127.0.0.1"
"::1"
public_ip_address
];
in
{
wantedBy = [ "multi-user.target" ];
after = [ "nextcloud-setup.service" "coolwsd.service" ];
requires = [ "coolwsd.service" ];
path = [
config.services.nextcloud.occ
];
script = ''
nextcloud-occ -- config:app:set richdocuments wopi_url --value ${lib.escapeShellArg wopi_url}
nextcloud-occ -- config:app:set richdocuments public_wopi_url --value ${lib.escapeShellArg public_wopi_url}
nextcloud-occ -- config:app:set richdocuments wopi_allowlist --value ${lib.escapeShellArg wopi_allowlist}
nextcloud-occ -- richdocuments:setup
'';
serviceConfig = {
Type = "oneshot";
};
};
# Whiteboard
services.nextcloud-whiteboard-server = {
enable = true;
settings.NEXTCLOUD_URL = "https://${nextcloudHostname}";
secrets = [ "/run/agenix/whiteboard-server-jwt-secret" ];
};
systemd.services.nextcloud-config-whiteboard = {
wantedBy = [ "multi-user.target" ];
after = [ "nextcloud-setup.service" ];
requires = [ "coolwsd.service" ];
path = [
config.services.nextcloud.occ
];
script = ''
nextcloud-occ -- config:app:set whiteboard collabBackendUrl --value="https://${whiteboardHostname}"
nextcloud-occ -- config:app:set whiteboard jwt_secret_key --value="$JWT_SECRET_KEY"
'';
serviceConfig = {
Type = "oneshot";
EnvironmentFile = [ "/run/agenix/whiteboard-server-jwt-secret" ];
};
};
age.secrets.whiteboard-server-jwt-secret.file = ../../secrets/whiteboard-server-jwt-secret.age;
services.nginx.virtualHosts.${whiteboardHostname} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString whiteboardPort}";
proxyWebsockets = true;
};
};
};
}

75
common/server/radio.nix
View File

@ -1,75 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.radio;
radioPackage = config.inputs.radio.packages.${config.currentSystem}.radio;
in
{
options.services.radio = {
enable = lib.mkEnableOption "enable radio";
user = lib.mkOption {
type = lib.types.str;
default = "radio";
description = ''
The user radio should run as
'';
};
group = lib.mkOption {
type = lib.types.str;
default = "radio";
description = ''
The group radio should run as
'';
};
dataDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/radio";
description = ''
Path to the radio data directory
'';
};
host = lib.mkOption {
type = lib.types.str;
description = ''
Domain radio is hosted on
'';
};
nginx = lib.mkEnableOption "enable nginx";
};
config = lib.mkIf cfg.enable {
services.icecast = {
enable = true;
hostname = cfg.host;
mount = "stream.mp3";
fallback = "fallback.mp3";
};
services.nginx.virtualHosts.${cfg.host} = lib.mkIf cfg.nginx {
enableACME = true;
forceSSL = true;
locations."/".root = config.inputs.radio-web;
};
users.users.${cfg.user} = {
isSystemUser = true;
group = cfg.group;
home = cfg.dataDir;
createHome = true;
};
users.groups.${cfg.group} = { };
systemd.services.radio = {
enable = true;
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = "${radioPackage}/bin/radio ${config.services.icecast.listen.address}:${toString config.services.icecast.listen.port} ${config.services.icecast.mount} 5500";
serviceConfig.User = cfg.user;
serviceConfig.Group = cfg.group;
serviceConfig.WorkingDirectory = cfg.dataDir;
preStart = ''
mkdir -p ${cfg.dataDir}
chown ${cfg.user} ${cfg.dataDir}
'';
};
};
}

2
common/shell.nix
View File

@ -21,8 +21,6 @@
shellInit = ''
# disable annoying fish shell greeting
set fish_greeting
alias sudo="doas"
'';
};

2
common/ssh.nix
View File

@ -31,8 +31,6 @@
# TODO: Old ssh keys I will remove some day...
machines.ssh.userKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVR/R3ZOsv7TZbICGBCHdjh1NDT8SnswUyINeJOC7QG"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dcqL/FhHmv+a1iz3f9LJ48xubO7MZHy35rW9SZOYM"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHSkKiRUUmnErOKGx81nyge/9KqjkPh8BfDk0D3oP586" # nat
];
}

159
flake.lock generated
View File

@ -14,11 +14,11 @@
]
},
"locked": {
"lastModified": 1723293904,
"narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
"lastModified": 1750173260,
"narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
"owner": "ryantm",
"repo": "agenix",
"rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
"rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
"type": "github"
},
"original": {
@ -74,11 +74,11 @@
]
},
"locked": {
"lastModified": 1700795494,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"lastModified": 1744478979,
"narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"rev": "43975d782b418ebf4969e9ccba82466728c2851b",
"type": "github"
},
"original": {
@ -101,11 +101,11 @@
]
},
"locked": {
"lastModified": 1727447169,
"narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=",
"lastModified": 1749105467,
"narHash": "sha256-hXh76y/wDl15almBcqvjryB50B0BaiXJKk20f314RoE=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76",
"rev": "6bc76b872374845ba9d645a2f012b764fecd765f",
"type": "github"
},
"original": {
@ -117,11 +117,11 @@
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"lastModified": 1747046372,
"narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
"type": "github"
},
"original": {
@ -137,11 +137,11 @@
]
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
@ -150,6 +150,54 @@
"type": "github"
}
},
"git-hooks": {
"inputs": {
"flake-compat": [
"simple-nixos-mailserver",
"flake-compat"
],
"gitignore": "gitignore",
"nixpkgs": [
"simple-nixos-mailserver",
"nixpkgs"
]
},
"locked": {
"lastModified": 1750779888,
"narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"simple-nixos-mailserver",
"git-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
@ -157,15 +205,16 @@
]
},
"locked": {
"lastModified": 1740845322,
"narHash": "sha256-AXEgFj3C0YJhu9k1OhbRhiA6FnDr81dQZ65U3DhaWpw=",
"lastModified": 1752208517,
"narHash": "sha256-aRY1cYOdVdXdNjcL/Twpa27CknO7pVHxooPsBizDraE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "fcac3d6d88302a5e64f6cb8014ac785e08874c8d",
"rev": "c6a01e54af81b381695db796a43360bf6db5702f",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-25.05",
"repo": "home-manager",
"type": "github"
}
@ -177,11 +226,11 @@
]
},
"locked": {
"lastModified": 1728263287,
"narHash": "sha256-GJDtsxz2/zw6g/Nrp4XVWBS5IaZ7ZUkuvxPOBEDe7pg=",
"lastModified": 1752346111,
"narHash": "sha256-SVxCIYnbED0rNYSpm3QQoOhqxYRp1GuE9FkyM5Y2afs=",
"owner": "Mic92",
"repo": "nix-index-database",
"rev": "5fce10c871bab6d7d5ac9e5e7efbb3a2783f5259",
"rev": "deff7a9a0aa98a08d8c7839fe2658199ce9828f8",
"type": "github"
},
"original": {
@ -192,11 +241,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1728056216,
"narHash": "sha256-IrO06gFUDTrTlIP3Sz+mRB6WUoO2YsgMtOD3zi0VEt0=",
"lastModified": 1752048960,
"narHash": "sha256-gATnkOe37eeVwKKYCsL+OnS2gU4MmLuZFzzWCtaKLI8=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "b7ca02c7565fbf6d27ff20dd6dbd49c5b82eef28",
"rev": "7ced9122cff2163c6a0212b8d1ec8c33a1660806",
"type": "github"
},
"original": {
@ -208,61 +257,20 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1740374225,
"narHash": "sha256-Dnmzy5YWUVj3BNaZo5jRpZslXexbNKEk3ADGGcz9RpY=",
"lastModified": 1752431364,
"narHash": "sha256-ciGIXIMq2daX5o4Tn6pnZTd1pf5FICHbqUlHu658G9c=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3349acd765bdffe454f7c8bbc450855577c1a6cf",
"rev": "fb0f0dbfd95f0e19fdeab8e0f18bf0b5cf057b68",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "master",
"ref": "release-25.05",
"repo": "nixpkgs",
"type": "github"
}
},
"radio": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1631585589,
"narHash": "sha256-q4o/4/2pEuJyaKZwNQC5KHnzG1obClzFB7zWk9XSDfY=",
"ref": "main",
"rev": "5bf607fed977d41a269942a7d1e92f3e6d4f2473",
"revCount": 38,
"type": "git",
"url": "https://git.neet.dev/zuckerberg/radio.git"
},
"original": {
"ref": "main",
"rev": "5bf607fed977d41a269942a7d1e92f3e6d4f2473",
"type": "git",
"url": "https://git.neet.dev/zuckerberg/radio.git"
}
},
"radio-web": {
"flake": false,
"locked": {
"lastModified": 1652121792,
"narHash": "sha256-j1Y9MAjUVNgyFSeGzPoqibAnEysJDjZSXukVfQ7+bsQ=",
"ref": "refs/heads/master",
"rev": "72e7a9e80b780c84ed8d4a6374bfbb242701f900",
"revCount": 5,
"type": "git",
"url": "https://git.neet.dev/zuckerberg/radio-web.git"
},
"original": {
"type": "git",
"url": "https://git.neet.dev/zuckerberg/radio-web.git"
}
},
"root": {
"inputs": {
"agenix": "agenix",
@ -274,8 +282,6 @@
"nix-index-database": "nix-index-database",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"radio": "radio",
"radio-web": "radio-web",
"simple-nixos-mailserver": "simple-nixos-mailserver",
"systems": "systems"
}
@ -286,24 +292,25 @@
"flake-compat": [
"flake-compat"
],
"git-hooks": "git-hooks",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-24_05": [
"nixpkgs-25_05": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1722877200,
"narHash": "sha256-qgKDNJXs+od+1UbRy62uk7dYal3h98I4WojfIqMoGcg=",
"lastModified": 1747965231,
"narHash": "sha256-BW3ktviEhfCN/z3+kEyzpDKAI8qFTwO7+S0NVA0C90o=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "af7d3bf5daeba3fc28089b015c0dd43f06b176f2",
"rev": "53007af63fade28853408370c4c600a63dd97f41",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"ref": "master",
"ref": "nixos-25.05",
"repo": "nixos-mailserver",
"type": "gitlab"
}

34
flake.nix
View File

@ -1,7 +1,7 @@
{
inputs = {
# nixpkgs
nixpkgs.url = "github:NixOS/nixpkgs/master";
nixpkgs.url = "github:NixOS/nixpkgs/release-25.05";
# Common Utils Among flake inputs
systems.url = "github:nix-systems/default";
@ -19,16 +19,16 @@
# Home Manager
home-manager = {
url = "github:nix-community/home-manager";
url = "github:nix-community/home-manager/release-25.05";
inputs.nixpkgs.follows = "nixpkgs";
};
# Mail Server
simple-nixos-mailserver = {
url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-25.05";
inputs = {
nixpkgs.follows = "nixpkgs";
nixpkgs-24_05.follows = "nixpkgs";
nixpkgs-25_05.follows = "nixpkgs";
flake-compat.follows = "flake-compat";
};
};
@ -43,19 +43,6 @@
};
};
# Radio
radio = {
url = "git+https://git.neet.dev/zuckerberg/radio.git?ref=main&rev=5bf607fed977d41a269942a7d1e92f3e6d4f2473";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-utils.follows = "flake-utils";
};
};
radio-web = {
url = "git+https://git.neet.dev/zuckerberg/radio-web.git";
flake = false;
};
# Dailybot
dailybuild_modules = {
url = "git+https://git.neet.dev/zuckerberg/dailybot.git";
@ -84,13 +71,11 @@
outputs = { self, nixpkgs, ... }@inputs:
let
machines = (import ./common/machine-info/moduleless.nix
machineHosts = (import ./common/machine-info/moduleless.nix
{
inherit nixpkgs;
assertionsModule = "${nixpkgs}/nixos/modules/misc/assertions.nix";
}).machines;
machineHosts = machines.hosts;
machineRoles = machines.roles;
}).machines.hosts;
in
{
nixosConfigurations =
@ -115,10 +100,7 @@
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users.googlebot = import ./home/googlebot.nix {
inherit hostname;
inherit machineRoles;
};
home-manager.users.googlebot = import ./home/googlebot.nix;
};
# because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
@ -136,7 +118,7 @@
name = "nixpkgs-patched";
src = nixpkgs;
patches = [
./patches/gamepadui.patch
# ./patches/gamepadui.patch
./patches/dont-break-nix-serve.patch
];
};

42
home/googlebot.nix
View File

@ -1,9 +1,8 @@
{ hostname, machineRoles }:
{ config, lib, pkgs, ... }:
{ config, lib, pkgs, osConfig, ... }:
let
# Check if the current machine has the role "personal"
thisMachineIsPersonal = builtins.elem hostname machineRoles.personal;
thisMachineIsPersonal = osConfig.thisMachine.hasRole."personal";
in
{
home.username = "googlebot";
@ -12,6 +11,43 @@ in
home.stateVersion = "24.11";
programs.home-manager.enable = true;
services.ssh-agent.enable = true;
# System Monitoring
programs.btop.enable = true;
programs.bottom.enable = true;
# Modern "ls" replacement
programs.pls.enable = true;
programs.pls.enableFishIntegration = true;
programs.eza.enable = true;
# Graphical terminal
programs.ghostty.enable = thisMachineIsPersonal;
# Advanced terminal file explorer
programs.broot.enable = true;
# Shell promt theming
programs.fish.enable = true;
programs.starship.enable = true;
programs.starship.enableFishIntegration = true;
programs.starship.enableInteractive = true;
# programs.oh-my-posh.enable = true;
# programs.oh-my-posh.enableFishIntegration = true;
# Advanced search
programs.ripgrep.enable = true;
# tldr: Simplified, example based and community-driven man pages.
programs.tealdeer.enable = true;
home.shellAliases = {
sudo = "doas";
ls2 = "eza";
explorer = "broot";
};
programs.zed-editor = {
enable = thisMachineIsPersonal;
extensions = [

2
machines/howl/hardware-configuration.nix
View File

@ -6,7 +6,7 @@
nixos-hardware.nixosModules.framework-13-7040-amd
];
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelPackages = pkgs.linuxPackages_6_14;
hardware.framework.amd-7040.preventWakeOnAC = true;
services.fwupd.enable = true;

4
machines/howl/properties.nix
View File

@ -15,10 +15,6 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPnLt84bKhUgFxjQf10+Htro9Lo1Pabqm8mGalBUniv"
];
deployKeys = [
# TODO
];
remoteUnlock = {
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN0N80r0Sl2WlJaUqfxZPkOtYyGumFazkIqq7eq3Gd2o";
onionHost = "ll6yjnkh4psmfwmtkmqoutl4gq4elqzbmjxv4s6gpgoavyi3kwhjvnqd.onion";

49
machines/ponyo/default.nix
View File

@ -56,44 +56,6 @@
config.services.drastikbot.dataDir
];
# music radio
vpn-container.enable = true;
vpn-container.config = {
services.radio = {
enable = true;
host = "radio.runyan.org";
};
};
pia.wireguard.badPortForwardPorts = [ ];
services.nginx.virtualHosts = {
"radio.runyan.org" = {
enableACME = true;
forceSSL = true;
locations = {
"/stream.mp3" = {
proxyPass = "http://vpn.containers:8001/stream.mp3";
extraConfig = ''
add_header Access-Control-Allow-Origin *;
'';
};
"/".root = config.inputs.radio-web;
};
};
"radio.neet.space" = {
enableACME = true;
forceSSL = true;
locations = {
"/stream.mp3" = {
proxyPass = "http://vpn.containers:8001/stream.mp3";
extraConfig = ''
add_header Access-Control-Allow-Origin *;
'';
};
"/".root = config.inputs.radio-web;
};
};
};
# matrix home server
services.matrix = {
enable = true;
@ -116,7 +78,7 @@
services.postgresql.package = pkgs.postgresql_15;
# iodine DNS-based vpn
services.iodine.server.enable = true;
# services.iodine.server.enable = true;
# proxied web services
services.nginx.enable = true;
@ -133,12 +95,12 @@
root = "/var/www/tmp";
};
# redirect runyan.org to github
services.nginx.virtualHosts."runyan.org" = {
# redirect neet.cloud to nextcloud instance on runyan.org
services.nginx.virtualHosts."neet.cloud" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
rewrite ^/(.*)$ https://github.com/GoogleBot42 redirect;
return 302 https://runyan.org$request_uri;
'';
};
@ -149,7 +111,4 @@
# librechat
services.librechat.enable = true;
services.librechat.host = "chat.neet.dev";
services.actual-server.enable = true;
services.actual-server.hostname = "actual.runyan.org";
}

10
machines/storage/s0/dashy.nix
View File

@ -214,15 +214,6 @@
statusCheck = true;
id = "0_836_matrix";
};
radio = {
title = "Radio";
description = "Radio service";
icon = "generative";
url = "https://radio.runyan.org";
target = "sametab";
statusCheck = true;
id = "1_836_radio";
};
mumble = {
title = "Mumble";
description = "voice.neet.space";
@ -280,7 +271,6 @@
};
servicesList = [
servicesItems.matrix
servicesItems.radio
servicesItems.mumble
servicesItems.irc
servicesItems.git

46
machines/storage/s0/default.nix
View File

@ -20,13 +20,13 @@
secretKeyFile = "/run/agenix/binary-cache-private-key";
};
age.secrets.binary-cache-private-key.file = ../../../secrets/binary-cache-private-key.age;
users.users.cache-push = {
isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpUZFFL9BpBVqeeU63sFPhR9ewuhEZerTCDIGW1NPSB" ];
};
nix.settings = {
trusted-users = [ "cache-push" ];
};
# users.users.cache-push = {
# isNormalUser = true;
# openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpUZFFL9BpBVqeeU63sFPhR9ewuhEZerTCDIGW1NPSB" ];
# };
# nix.settings = {
# trusted-users = [ "cache-push" ];
# };
services.iperf3.enable = true;
services.iperf3.openFirewall = true;
@ -75,6 +75,32 @@
services.lidarr.enable = true;
services.lidarr.user = "public_data";
services.lidarr.group = "public_data";
services.recyclarr = {
enable = true;
configuration = {
radarr.radarr_main = {
api_key = {
_secret = "/run/credentials/recyclarr.service/radarr-api-key";
};
base_url = "http://localhost:7878";
quality_definition.type = "movie";
};
sonarr.sonarr_main = {
api_key = {
_secret = "/run/credentials/recyclarr.service/sonarr-api-key";
};
base_url = "http://localhost:8989";
quality_definition.type = "series";
};
};
};
systemd.services.recyclarr.serviceConfig.LoadCredential = [
"radarr-api-key:/run/agenix/radarr-api-key"
"sonarr-api-key:/run/agenix/sonarr-api-key"
];
services.transmission = {
enable = true;
@ -145,6 +171,8 @@
8686 # lidarr
9091 # transmission web
];
age.secrets.radarr-api-key.file = ../../../secrets/radarr-api-key.age;
age.secrets.sonarr-api-key.file = ../../../secrets/sonarr-api-key.age;
# jellyfin
# jellyfin cannot run in the vpn container and use hardware encoding
@ -222,6 +250,7 @@
(mkVirtualHost "vacuum.s0.neet.dev" "http://192.168.1.125") # valetudo
(mkVirtualHost "sandman.s0.neet.dev" "http://192.168.9.14:3000") # es
(mkVirtualHost "todo.s0.neet.dev" "http://localhost:${toString config.services.vikunja.port}")
(mkVirtualHost "budget.s0.neet.dev" "http://localhost:${toString config.services.actual.settings.port}") # actual budget
];
tailscaleAuth = {
@ -270,7 +299,6 @@
openMinimalFirewall = true;
};
# TODO: setup backup
services.vikunja = {
enable = true;
port = 61473;
@ -284,5 +312,7 @@
"/var/lib/vikunja"
];
services.actual.enable = true;
boot.binfmt.emulatedSystems = [ "aarch64-linux" "armv7l-linux" ];
}

23
machines/storage/s0/frigate.nix
View File

@ -136,37 +136,16 @@ lib.mkMerge [
}
{
# hardware encode/decode with amdgpu vaapi
systemd.services.frigate = {
environment.LIBVA_DRIVER_NAME = "radeonsi";
serviceConfig = {
SupplementaryGroups = [ "render" "video" ]; # for access to dev/dri/*
AmbientCapabilities = "CAP_PERFMON";
};
};
services.frigate.vaapiDriver = "radeonsi";
services.frigate.settings.ffmpeg.hwaccel_args = "preset-vaapi";
}
{
# Coral TPU for frigate
services.udev.packages = [ pkgs.libedgetpu ];
users.groups.apex = { };
systemd.services.frigate.environment.LD_LIBRARY_PATH = "${pkgs.libedgetpu}/lib";
systemd.services.frigate.serviceConfig.SupplementaryGroups = [ "apex" ];
# Coral PCIe driver
boot.extraModulePackages = with config.boot.kernelPackages; [ gasket ];
services.udev.extraRules = ''
SUBSYSTEM=="apex", MODE="0660", GROUP="apex"
'';
services.frigate.settings.detectors.coral = {
type = "edgetpu";
device = "pci";
};
}
{
# Fix bug in nixos module where cache is not cleared when starting the service because "rm" cannot be found
systemd.services.frigate.serviceConfig.ExecStartPre = lib.mkForce "${pkgs.bash}/bin/sh -c 'rm -f /var/cache/frigate/*.mp4'";
}
{
# Don't require authentication for frigate
# This is ok because the reverse proxy already requires tailscale access anyway

11
machines/storage/s0/home-automation.nix
View File

@ -47,6 +47,7 @@
enable = true;
extraComponents = [
"default_config"
"rest_command"
"esphome"
"met"
"radio_browser"
@ -75,7 +76,6 @@
"zha"
"bluetooth"
];
# config = null;
config = {
# Includes dependencies for a basic setup
# https://www.home-assistant.io/integrations/default_config/
@ -94,6 +94,15 @@
];
# Allow using automations generated from the UI
"automation ui" = "!include automations.yaml";
"rest_command" = {
json_post_request = {
url = "{{ url }}";
method = "POST";
content_type = "application/json";
payload = "{{ payload | default('{}') }}";
};
};
};
};
}

4
machines/storage/s0/properties.nix
View File

@ -1,6 +1,7 @@
{
hostNames = [
"s0"
"s0.neet.dev"
];
arch = "x86_64-linux";
@ -13,12 +14,15 @@
"gitea-actions-runner"
"frigate"
"zigbee"
"media-server"
];
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";
remoteUnlock = {
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNiceeFMos5ZXcYem4yFxh8PiZNNnuvhlyLbQLrgIZH";
clearnetHost = "192.168.1.2";
onionHost = "r3zvf7f2ppaeithzswigma46pajt3hqytmkg3rshgknbl3jbni455fqd.onion";
};
}

39
overlays/actualbudget/default.nix
View File

@ -1,39 +0,0 @@
{ lib
, buildNpmPackage
, fetchFromGitHub
, python3
, nodejs
, runtimeShell
}:
buildNpmPackage rec {
pname = "actual-server";
version = "24.10.1";
src = fetchFromGitHub {
owner = "actualbudget";
repo = pname;
rev = "refs/tags/v${version}";
hash = "sha256-VJAD+lNamwuYmiPJLXkum6piGi5zLOHBp8cUeZagb4s=";
};
npmDepsHash = "sha256-Z2e4+JMhI/keLerT0F4WYdLnXHRQCqL7NjNyA9SFEF8=";
patches = [
./migrations-should-use-pkg-path.patch
];
postPatch = ''
cp ${./package-lock.json} package-lock.json
'';
dontNpmBuild = true;
postInstall = ''
mkdir -p $out/bin
cat <<EOF > $out/bin/actual-server
#!${runtimeShell}
exec ${nodejs}/bin/node $out/lib/node_modules/actual-sync/app.js "\$@"
EOF
chmod +x $out/bin/actual-server
'';
}

48
overlays/actualbudget/migrations-should-use-pkg-path.patch
View File

@ -1,48 +0,0 @@
diff --git a/src/load-config.js b/src/load-config.js
index d99ce42..42d1351 100644
--- a/src/load-config.js
+++ b/src/load-config.js
@@ -3,7 +3,8 @@ import path from 'node:path';
import { fileURLToPath } from 'node:url';
import createDebug from 'debug';
-const debug = createDebug('actual:config');
+// const debug = createDebug('actual:config');
+const debug = console.log;
const debugSensitive = createDebug('actual-sensitive:config');
const projectRoot = path.dirname(path.dirname(fileURLToPath(import.meta.url)));
@@ -108,6 +109,7 @@ const finalConfig = {
serverFiles: process.env.ACTUAL_SERVER_FILES || config.serverFiles,
userFiles: process.env.ACTUAL_USER_FILES || config.userFiles,
webRoot: process.env.ACTUAL_WEB_ROOT || config.webRoot,
+ dataDir: process.env.ACTUAL_DATA_DIR || config.dataDir,
https:
process.env.ACTUAL_HTTPS_KEY && process.env.ACTUAL_HTTPS_CERT
? {
diff --git a/src/migrations.js b/src/migrations.js
index cba7db0..9983471 100644
--- a/src/migrations.js
+++ b/src/migrations.js
@@ -1,6 +1,12 @@
import migrate from 'migrate';
import path from 'node:path';
import config from './load-config.js';
+import { fileURLToPath } from 'url';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+const appRoot = path.dirname(__dirname);
+const migrationsDirectory = path.join(appRoot, "migrations");
export default function run(direction = 'up') {
console.log(
@@ -13,7 +19,7 @@ export default function run(direction = 'up') {
stateStore: `${path.join(config.dataDir, '.migrate')}${
config.mode === 'test' ? '-test' : ''
}`,
- migrationsDirectory: `${path.join(config.projectRoot, 'migrations')}`,
+ migrationsDirectory
},
(err, set) => {
if (err) {

8954
overlays/actualbudget/package-lock.json generated
View File

File diff suppressed because it is too large Load Diff

8
overlays/default.nix
View File

@ -4,10 +4,4 @@ final: prev:
let
system = prev.system;
in
{
actual-server = prev.callPackage ./actualbudget { };
# Copied entire package from nixpkgs to downgrade to python 3.11 since 3.12 is broken.
# See: https://github.com/Py-KMS-Organization/py-kms/issues/117
pykms = prev.callPackage ./pykms.nix { };
}
{ }

103
overlays/pykms.nix
View File

@ -1,103 +0,0 @@
{ lib
, fetchFromGitHub
, python311
, writeText
, writeShellScript
, sqlite
, nixosTests
}:
let
pypkgs = python311.pkgs;
dbSql = writeText "create_pykms_db.sql" ''
CREATE TABLE clients(
clientMachineId TEXT,
machineName TEXT,
applicationId TEXT,
skuId TEXT,
licenseStatus TEXT,
lastRequestTime INTEGER,
kmsEpid TEXT,
requestCount INTEGER
);
'';
dbScript = writeShellScript "create_pykms_db.sh" ''
set -eEuo pipefail
db=''${1:-/var/lib/pykms/clients.db}
if [ ! -e $db ] ; then
${lib.getBin sqlite}/bin/sqlite3 $db < ${dbSql}
fi
'';
in
pypkgs.buildPythonApplication rec {
pname = "pykms";
version = "unstable-2024-05-28";
src = fetchFromGitHub {
owner = "Py-KMS-Organization";
repo = "py-kms";
rev = "646f4766f4195dbea0695700a7ddaac70a3294f9";
hash = "sha256-YCqPo7WkCfXyuTjL4IYapdcUN/Vj465Jz6XhQessyz0=";
};
sourceRoot = "${src.name}/py-kms";
propagatedBuildInputs = with pypkgs; [
systemd
pytz
tzlocal
dnspython
];
postPatch = ''
siteDir=$out/${python311.sitePackages}
substituteInPlace pykms_DB2Dict.py \
--replace "'KmsDataBase.xml'" "'$siteDir/KmsDataBase.xml'"
'';
format = "other";
# there are no tests
doCheck = false;
installPhase = ''
runHook preInstall
mkdir -p $siteDir
PYTHONPATH="$PYTHONPATH:$siteDir"
mv * $siteDir
for b in Client Server ; do
makeWrapper ${python311.interpreter} $out/bin/''${b,,} \
--argv0 pykms-''${b,,} \
--add-flags $siteDir/pykms_$b.py \
--set PYTHONPATH $PYTHONPATH
done
install -Dm755 ${dbScript} $out/libexec/create_pykms_db.sh
install -Dm644 ../README.md -t $out/share/doc/pykms
${python311.interpreter} -m compileall $siteDir
runHook postInstall
'';
passthru.tests = { inherit (nixosTests) pykms; };
meta = with lib; {
description = "Windows KMS (Key Management Service) server written in Python";
homepage = "https://github.com/Py-KMS-Organization/py-kms";
license = licenses.unlicense;
maintainers = with maintainers; [
peterhoeg
zopieux
];
};
}

BIN
secrets/backblaze-s3-backups.age
View File

Binary file not shown.

BIN
secrets/binary-cache-private-key.age
View File

Binary file not shown.

BIN
secrets/binary-cache-push-sshkey.age
View File

Binary file not shown.

17
secrets/cris-hashed-email-pw.age
View File

@ -1,10 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 6AT2/g WZ9p/pCsEDpKbgGDLcTtisn25kExQX9iv+tL3wyPwiY
vom2z9QRIQSFB0+4/7lSWUEB0eoAG+08nXgiUg/OSX4
-> ssh-ed25519 w3nu8g ECLZwCRJVJqyUMf70EOl2/3ExTruKaxCSQlY5fBZqxk
VemnmGpzx1VprkybW1hPlkfmiDaNcBDoEzX0mDZgmu0
-> ssh-ed25519 dMQYog QiPsbFE8MtXnRNBwkUEC+6grqXEbDstEtxYR8uJks2w
O3JWQGppFeZEd6o3W0KVTEIyNVGeLxKfTYTlgsAEVHQ
--- RncZzBFEyMAkpZRWrPORA0DPHuCTNswmWG5CMNnfm4A
ñ/¼ÔËõôŒ8nàÅ¥«¸7hîtä?T˜=%zˆ°[¤ÝØ!(…uÔdÇuò@
×¢EbƒyŽ¦ù¦D=Ü!„XþtÞÔ:#¦þþãÞXÈX@ú_M
-> ssh-ed25519 6AT2/g lQvZqYp05ofMG2kPUYVMOkJssssOmg9lLiTDxscDFHA
JWRyQo5MqQjz5b+uNLhLYgqOqWpQZdG9dU9ptfhWYaU
-> ssh-ed25519 w3nu8g kqS10jUVfZqs/x3R3dm0IFGfouGUJUakLjwn0TogbgU
RbUZQudujtzn7ci1HRchuUoXSyBb/KbKta/QvIbIeso
-> ssh-ed25519 evqvfg U29OBOuOrgX8/Uhok1AQ8p8inLf+bBWHJhvDWCHkZko
oBwfJlFRQqUHYlyVRxqqdMkxKe2uTP7Z2ZCwk+Bk9yU
--- XMwxBGyVUG3OX1m8OnC1Eavnj+HCywi2VFGC6Vnp/k0
âþd~O7—<37>˜ªVVÝʉ¹„ùnÒ4•bKd÷õïyéœp<Öþ‹,pÖ²Ë ¯³Ð"æÒ0CdBMº2kœ  ÔêñÐÏjú¬ŠØ£ÒØD~§ì%)×4û5

23
secrets/digitalocean-dns-credentials.age
View File

@ -1,11 +1,14 @@
age-encryption.org/v1
-> ssh-ed25519 WBT1Hw TGdD8Nw+GPITDOXGhevSu+880DWET7WYN3nIyJ0xy2o
69xepRTnmaFwa4IsGJjDdwZqTSf5fz6EZK0/q3oz/ZA
-> ssh-ed25519 6AT2/g EmqXrXXsRxSS6AsH+7VMgoJTYo9eGj8ebLiLT4IWNxg
eKs5/3tQMdg5bGJKNz8PFh9C7HiV+IlOU9dzpYcGIjo
-> ssh-ed25519 hPp1nw wsIF676is8FquF6oANNauPrumsMnfVUZpPeVKEtBOzQ
qZR8LSF+TQ2K3K0An69NHfk53ZqNEWev0IVcb71SR40
-> ssh-ed25519 w3nu8g TKHY/5JuzFMhbW9CQAOI3woX8M9b1H/XXUpIMT0Mylk
byJV0/BJ3ftG5eYv5BeyIYBi0VoWG31HRiENUxSeYE8
--- fwHXHtE/sMLqCLSD8tR0oCPgNuif9Y/ncHU97hbf/Bw
f"+ÉŒqc<71>H†Ñjï!JSšË¡Ì|yMìðX¼þMl<4D>ýçCy™îUXn»Égk¨ë)¤óOY§uº„¦²¶g%è Håvœ5ô!$Jœ¤Š…¶$<24>#Dö;±¥àÖ }ÏŸcçKšˆ{R/
-> ssh-ed25519 WBT1Hw +mmh+AeldhS/z282wz0d6rfklNpQLFE4M+hAL20XH3c
zyyxtRp6P6ZFdn+1NqVonEfYPtozAgDEZQWnCUbahak
-> ssh-ed25519 6AT2/g TZYBBcBMnmUegRKEx4tBvbFroHV+AM+KKuE0lNOD928
w0d0EBpnrF9rk2SH5ROLyqqgmb2y0KD0sDiSa+gt5Vw
-> ssh-ed25519 hPp1nw bQSu9KjCmPIwjHrw3GXI8F807y1kCi9CvCKE/Q4+fBA
BbYsl7XxNsDET3ldgQWtJCEI6euMZ/BtghEBxlOo+kg
-> ssh-ed25519 w3nu8g +MWibl8Un6Ga7bNAaFqZ83H4ERtBfkAeFI4q6BtpUHo
mB4oxmiYNgrUBwNrG5slhQtT6yttSWiaq0M0DYGrK8A
-> ssh-ed25519 evqvfg gcBt9ZQ2Um08Q1b1k1UQhj0oUpLbKLuFycs4cfAe/G0
YMK/4+LfAYuj6TwT+NOdLQNHfuj9rnhFaNUu+tkMX9M
--- 9dISdhi6vbWXis37GEw2vb/ZaBFR3srYKlyc0N1cEP0
¹ÙÍhž 4ZK1y¨tuïád,¹Àþ<7F>zôÐ(´W6È] ïZïö?S0òQ;*ôêÃvw£~ÎGPÁì
BÚí@,‰à\1gø.^ Œ3)Z£f$xæS˜Ô&4…„ŒÆ<C592>¸¶mýEj[OK:Z<>L

15
secrets/frigate-credentials.age
View File

@ -1,7 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 hPp1nw zOXF7NsZjm+DCYrJ+Ap2mX35JUt37CLJP1RhyOjB/XE
ePprJM2cnhYZhP8aJUXOZeGHJm/DHlRYomWN+lFaU6w
-> ssh-ed25519 w3nu8g gjeFAbFWXyPdGauKHXAzuIP9fmaj2Oysq9fHO8q7u38
KiMR0pgEPtsfZnYAIsH7UHNhnsB6rtsW/hqV03uS2dI
--- BPzPECz1g6vEv4OlRn6+FnWP9oq3tn6TN2o867icxYA
}ìjºùŽ+l&þàx<C3A0>-TïÝb‡ÅèØÄ·<C384>Dg‰ñgc*ˆ0<CB86>÷µcp …}uþ7Íßã%9Ð%ŽÒú©S¥ ‰|šôêöQœÃ*9Ø$ä ŽŠ ÍÖi;)c?ÍÍýGh¤VvªnlÚs¤Ç)r }Ò­hE5K‡bg­-<2D>®
-> ssh-ed25519 hPp1nw z8hVbU48K+xyH8zxVXjy7sE35GcdSTeGIu/ywdtRBkQ
ynwH7Jug9yK4iCLYIwUn5paYQISWDVYTkq+7rklAW8Y
-> ssh-ed25519 w3nu8g hP/IbrLUi/tvOOu5pRKWGIfbiGnQofR/s7V9kUcMUzs
kZLewvTi5JQ5enF5Bl7wiGUJ2W3THTQVXkyXhLM/Xqg
-> ssh-ed25519 evqvfg s+mq+Pr3fCKSm6dG+p7tF1piR6KZztgH/j0+0S9W7i4
T9KzT/+WK/XOeuWIyf2/eNQz/ytmOYzAjzzZmlY2Ppg
--- A4sCAKn9DQwaSQIdyRYe9XwKvMosCLmdP7RQId7l6vA
BQ{™Uœƒ¢þi&º°ÞV,çÝÜ93÷¸ñl`™<Ê‹(à½îÇÆ×-«=ÇÒivÒ
Ò& 7»Ë#&Íÿì͇ß¿Ûee™<65>š€Kˆ Ì×à–Â[eû·Þ®lD?¥œU-NÿpÐ,þ¤cן- !LMÝxh™¾<E284A2>釺³

18
secrets/gitea-actions-runner-token.age
View File

@ -1,11 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 WBT1Hw PbGwwDeulHF6kdh073rq0RvD1hlx6spnKNgKU+QeDAw
7dITwSQ2p1LZuaVEzLxcGOhB97MQT2zGoRrnNUMcOFk
-> ssh-ed25519 hPp1nw Dn+5Fpme+JmRZKkCkqtCuD87p+sDYDA6OZ2aUmBkCRs
Dgg3orXF4RYT/fHtc2tRuIhOQu48zICMqgPyV47vpf4
-> ssh-ed25519 w3nu8g dghNLDH1Tm+sm42HXDhrLFtmU4iDF1yCGrO2VSgzZjo
71scUVrGr4c4dunAFJYKd+uJ6aYJpSWBAk9swbv+IzM
-> ssh-ed25519 dMQYog Wnl1+rh0Q3YD2s1UD0OYVm39wY/Uw1NRK3K7EFhFMls
wXF6QBonlCalS1vI9cxzWgv1Gi+yAtYn6HrYCfpl5Nw
--- rLOoGk0iX+wuNd1CKv7g2PRd2Ic+8JHCQhrVBaF9zbE
<EFBFBD>òüüˤ/A¦Ì(ØiHC¸@¢Þð‰h`ˆ3ªá´' ¬ÚöáDì>ð¿¤~¸ÿÁö?ÑÃMêÙ@<40>t°(“Ò@ö׿^xÆ}
-> ssh-ed25519 hPp1nw bo+iestejjHIx0accmbyOgLJPRH5xMugtfwKgax+DCU
smaxrCeUgUu9a5mnFlDBbTbw7gNFcLi6mVb3px8gYk0
-> ssh-ed25519 w3nu8g bhpGV/Yfqfl7mrBgjCgVZEJIsRjXVOmQ2rU7dh+FQzw
2irMVi9Vx3/PZT4fqYfcnU7q7wRCtUFOUPZ/X6fQuXw
-> ssh-ed25519 evqvfg aic8EzOuwt6ojUoHaAlhy0IWmSzuOvXjBQrK/QSS2Vs
tfw0GyfsovxlMeySyQULMECEoiEjPtdkoQ4OP/t9K9s
--- uNvusvjFFt4Fza4a/hmns/tWm9LTE4fULWJ/1Gg3Izc
Ax­ €¶;²þ¼[§²oÿ®“'Lâ@«ö·^<5E>~9\jvCúUϳ$¦§hq É<>ú2Ht?y\vËÈŒ<C388>ð`K!®7Yàï7Ôü

16
secrets/hashed-email-pw.age
View File

@ -1,9 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 6AT2/g 98/m3t8axoVBE6WzdxBtRhV2uSQKSCXwQjyxfWXPmQk
AxV0FTvqbWfk/gf65d05PcotbEnYr4PgDQnsaYxP/MU
-> ssh-ed25519 w3nu8g jys7B4COD4iINANeSCD3BqGFoghxTmsbuXoOOIiP+wQ
b7eSN5fe4szfliINOr7ZQ7AoSsIK5akmIQ6uLDabcIE
-> ssh-ed25519 dMQYog ToNUqTPYmxpz9OUcC94egELcPfHQHCErfHN6l9kSrRY
2KoSVoWp+FH29YfH57ri2KOvhkuqYew1+PXm99e0BaI
--- Cjk3E/MjgCF45aLlFeyoGiaUEZk/QuKtsvPb6GpzD8Q
m°å>‹“~czÆê匦†``ÜÏqX«š'ÁÎ%ôwÔž~×ÄL·eä'a±]û´LÉÀ‰%ÍYTÊÓc9f¡W¶Ã^¤9ÊõÙÝ2®™æ¶ÆBÌa ƒ™
-> ssh-ed25519 6AT2/g kXgY0gJW/LpFYNukKCxa/Dhht4hxmoht+CIENXngW3U
OFTjvs35H2HLGENEChI9fEowlvp6W7hTWFNRZ1PziW0
-> ssh-ed25519 w3nu8g jWZ0COxc+hFs7bVNTKcWa7oBmLqPmlqktpZ0gpwIUEo
xf4aKirzqHUWppJghPwyCj6SzPntH5gxcP3ch659RIU
-> ssh-ed25519 evqvfg KR2lx8vs0Eseh37tLtcfDDXE2BoyxCr91vqlnpJraA4
5HiO7QB7sAC0YlDgkq4gOH0Pp83et9+0UPS8+BA+juk
--- vt6f6yWyfunZS7pihgt97hFccp0hqlkOeLWdfsq5SAo
Z+äœm8¬¸vÕ[ïg_K×s™¼8·1hÙÅ1šüžü¤ã´»=@.„ 2À=ºÛ2?—<>µ¤8\f§3oy ÷ga8¾(.•²?¶8m¹tã<E280B9>,½]«ú

BIN
secrets/hashed-robots-email-pw.age
View File

Binary file not shown.

BIN
secrets/hostapd-pw-CXNK00BF9176.age
View File

Binary file not shown.

BIN
secrets/hostapd-pw-experimental-tower.age
View File

Binary file not shown.

BIN
secrets/iodine.age
View File

Binary file not shown.

BIN
secrets/librechat-env-file.age
View File

Binary file not shown.

BIN
secrets/nextcloud-pw.age
View File

Binary file not shown.

BIN
secrets/oauth2-proxy-env.age
View File

Binary file not shown.

21
secrets/pia-login.age
View File

@ -1,11 +1,12 @@
age-encryption.org/v1
-> ssh-ed25519 6AT2/g MGKlbzVOk5+czgAOerwl+eIyOifXJm/q4UgQUXVpx1c
43l6s4+5TSMQyO9tAg7v9Y5OdXOjKYz56lbr9Jm2r+o
-> ssh-ed25519 hPp1nw aOxni4sFPPgedUkBOuOyEWfFPJrhdTJnivIaWt5RJxM
KNaxijzSMp7EjYKwWiAP66nPYYZK3/VXL8u+3uJt6bg
-> ssh-ed25519 w3nu8g qTAzEzQbFze35AtbvkYREw3wa7ApDN5u7RSZUXrEpms
Dy0uGF458A9RJMvDl2XKOkEABbbRgT+eIgvb6ZOEQqg
-> ssh-ed25519 dMQYog 5DfYuGeWuN0/CO6WWbFIi7LaKl23FXYVdPROM+TFpCA
PDBdDn+YUMKYNKFkCEfXesmkB/XUxZRK3ddQt0kqQ7g
--- JOeG87EVD+QBx6n+rMoPTOni0PyoG7xx4a2USNiapYI
Zsý{ÅiÁ_\+ô@@Üò߸ù&_š5­$¿Gt2¢rF“y×ÄQ§Iaž 7ôÙÉzàgf­%O(µÙ,VéÂ}ÿn|û'J¸2ø¨óQÑ B
-> ssh-ed25519 6AT2/g nn9O3nzI2M9+vKJ3qoKL3xs29iYp2n01xTrmtdbzs1k
atqBqI77ADuCnV04skh/2KCco5Pgwlz0vSnruiI0dzU
-> ssh-ed25519 hPp1nw tBTDeKMPoCpuoQNdnHdggQdpeYYRXhtJZqCA+o5CPkg
q5BYRcZYY8oGot4F5fhx6hZfVpClvOTycQ6kMTXykqk
-> ssh-ed25519 w3nu8g C80+Mp8qRkpSfJBCH3XduSv/oT2bJ6TqVxkyh1NfRFo
9EEh97C2uFzP3a8DB+4YEgjqJyoa97rRT9tXEFGbMFE
-> ssh-ed25519 evqvfg qByh1A/4ylqHIuvvMqHl0lGBxwWIlwz+pGDdox6zJXE
Ubym3YKOcekSR+O6dLD+322Kgk3152WDW+Tsu32MYY8
--- 4QA63y/d1AXP95G6MHZLJlVyB8LSPVO886QcT2j2tVo
~H«;ùœe¹g<C2B9>7Á7+e|µ!ÿk0à€e•hšì?³k^m¯kDPõ}Ê\<iißv[ÆzOÚ÷sýSe¾ƒŸëTØ>Ë£¨+ŒÙ ü®¯ÏÁáš5[Âíåä
Éÿ§7ˆ

9
secrets/radarr-api-key.age Normal file
View File

@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 hPp1nw Uhd03cBQ85Yw4FjsXkBDfrcAsTBVVOFVFrnU7sPbTXY
/5XIXty9cNwNPV/MXdjoOttmKMXt6PB0/7OMSl7scZ0
-> ssh-ed25519 w3nu8g CzC59hO2YLD+Bbzvi62KXvFlyPXrx/OD8hVeQH3hfFU
V7OtV9QjRYNg2+kMk1K4V9RWb8AsgkQ4OlIRs7hwYyo
-> ssh-ed25519 evqvfg XTSo+9xdmL57Mkc7NNw3Xy1kJrE0Sc+81h+OEHfiCVc
PguEYlZkPMMiMaEpK+gamgl7V9/gaEUpUuV8O8tIUVs
--- 81iRaeiLWHHzFBoWSa6JFdp9mkKZ1TT9mdRXZaQ4N0M
»J :“ÅŠ¶R9RrT“P Š‡<C5A0>N™ùÊÃâi%¦ŒÛº/”L{…½©ª‡1§^ÿÚìO©ÁÓÒW:<3A>ËÒ<C38B>Ÿo4

43
secrets/restic-password.age
View File

@ -1,23 +1,22 @@
age-encryption.org/v1
-> ssh-ed25519 N7drjg Njjfv0Etdr9U27s+wznqw5YmnKcj3lISQ2vudDPj7F0
bw3SSPfReGSmJ5tQPv+niYn7USyZZffxvgs3J5VxiWw
-> ssh-ed25519 yHDAQw DVlCM84Q1P087cmlS+NzH/i2noLprEbfqSpvFS3Pzig
PooFRhm8ofoTAT1UxJ3Y+0RMqK3CriwqpGrrKGfFYTs
-> ssh-ed25519 jQaHAA rfoKG06gXsXPVfNql5Kk5OBebaXsRd4vCirzPB2y0jk
T0xv0iiWSi+FscI/OX6sT137VuiWpAS+P9XsMBT9K7Q
-> ssh-ed25519 w3nu8g 869dCSpsCphoOPZ0z6rzbI5QKieIA4M9tAyVP40P2hY
N705ablrfdQWK2aEOFCkmdEQQmwJVcqVXOkhYIp1Z3o
-> ssh-ed25519 dMQYog ry0Qkn4YSLctLRzp1fZQ6EnbeGvv3Gge2UOsYBwbk2A
LO1eyrU0rQJdAjZKCBr+WH2EP/juXcS7Iwrl8tZIMOM
-> ssh-ed25519 WBT1Hw NbtlJrLEcf4yO/akQyE7b9TdyM2e6m8Aj9/MzV7SliY
JBWsIu/Aycys+uUxC2xSTE2gC0YUpC7Jkkxa0E0TfRI
-> ssh-ed25519 6AT2/g kvri9lMh7mXuJTFh15sRPhkz8+75i2YYcdZL12cLPnI
hsJETu9Xhbfhzzf6Z3YIKFLGN+Eczgn8EqEBPQl7a1s
-> ssh-ed25519 hPp1nw sJtNVroSF/uQNwvnbLE8vXw+1e4LMu3Gurm+KM+0IwE
wlYZUEnr1Q3TlxUAUrKAMdVWUbVWy+3+q2fw+ssIoFs
-> ssh-ed25519 w3nu8g gA7oDI/02jl+TjMjSUHZqevmHb6gSinWF4KtjDJgFF0
KDgSWaZi99/PkKT8g5bTVHvu8EVcPBlF79APxeorABM
-> ssh-ed25519 dMQYog PDdSuky8g5OoqyF4K5N6SSa3ln6O8vlvL4viGqJ8mUc
LWanrtAIfekuzhr+AGR8e34CD41vPI0BA8YA8YkcyBA
--- LENK2A8P2SxCmpQSI3QNCNz2RDhGwCqLQGybmD73ka8
Ö{¹˜ô'Þú”êã«ŵÔjã.ùÄnG=ñY‰gï•c$T¬ èÙq9fuHWOz}Lšßå“g<E2809C>öà?wö;¥ü1€|pRá—B}ú[[éL^bS
-> ssh-ed25519 N7drjg h72jFNLd4ZN5yXXUi1Xue729YQvbThfceBU/R1JiCG4
F6xaYW7iV+jipI9pe8NMNC+yzkajkmqP73qnhFS14Wc
-> ssh-ed25519 jQaHAA EXEQ0bA8ThyKJp4VNHNB/umpNjn95/fxF9qkB/QZh0g
ZgRc7ts3pdYCtp61XCvDvhHpHfzk2HFJiGtnon0RkkY
-> ssh-ed25519 w3nu8g 55b2qTh8v2dK6qFEgbMLiVxydRTWnMmjB5eWdZb3mGQ
uD8vs1yZLo/N44tIufP3U0j7otoINC4di0w7/a6OW8I
-> ssh-ed25519 evqvfg Ad0vjBYZYIYxYmWrultbybzIcHOEfIIL5VlqHeyFPGM
z1AbX6Htc0hPs7fW8/Cvkfg4Y9qnblpZwRchfGQQVL8
-> ssh-ed25519 WBT1Hw sgwJnWYXwYcAHLmis6LBIwItj5TQUVyV/Jd3NPkWTx4
ctNVx7Xt+87XPV5WhYKjhEv3sXje+U6I/z86jRg4P2s
-> ssh-ed25519 6AT2/g uoBlZvOrDV/FqwmPZQmfMzB3P5+DEh7SUJKv8zHBdi0
xTQzs5CrIREQY2ZinXxZLHfztuVJGsmaqi84TrLzQYA
-> ssh-ed25519 hPp1nw uFdt4FE8a1jrHsWuDLs75z0wty8aY6Af+YddkEnGI0I
1j9iSxYdBg0w6Nto3LKEhvCmGWr/5G6q1XvEmwA/l10
-> ssh-ed25519 w3nu8g TvyzrbvTGPjmDZpdwQ8em28uGKmeJt4quEzXXq+rN1g
rIg9JEkJyuZfQh2FLKzII0f0AUMFcohsmSNdE32nCuQ
-> ssh-ed25519 evqvfg c13RC6NMmyisYeQ1+znITs9USfwH44fDbzAe4TU/Ryo
72WBsNn7sQb3Gc6MP8Obyc3p8xTQqTwTcqNQxAAvNFo
--- zZkMOe3zuxaJswYkKepDQpA8bLMt53zMRx3lkJiSvew
ê<=CÛM2Zª,tÀáIp Y É Ìz<C38C>oâQ»«ìS#ÿ'#ì:„Ƕ“`ƒn95<E28093>§zŸ¢¡Å?X­F6á<>»Ël1Æ+ãqê5PjÜä
Döû=~IÚ

18
secrets/robots-email-pw.age
View File

@ -1,9 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 6AT2/g bnExFj2dEhR0Jbf5Zs/4MqxIdPjeb1Dc7duQUHKfylw
SV+oJGt24n7CAi4+N9CGZ+SlEgcuAlbLymmmLKffg88
-> ssh-ed25519 w3nu8g UO35HobolhH4PRxhGQNxziel7pRhf3VOoGeRbMKH2Fc
uphjyV1UmrUxrqMqL6tc3UeFdTILKiVOPVM9uJlUsIU
-> ssh-ed25519 dMQYog v27Ibyt+wTVR/zh5ZH1xyPbgCsrqGug24eVOJ+KdY3E
I5n+fUhGiHcg0vHTilTszjvFinqCY0ZLcwumiXXwzXE
--- jo6rKqQQTeJQusZM69EsvJFPCIHRTeN4OL1kwzapaJY
m¸¡üi=féKúöœ“³·Û ¾¢¬î“9²Íq™²nTôyΤ@23pˆfêwˆ0 t Ε<<3C>ÅE%Á¢ëFIø‹½>#C
-> ssh-ed25519 6AT2/g HGqc2dbbCJNR5JR8mNfM8VRSBAWGzvBR0IdQVTM3jys
speCXu0Q79q8DXVpxYKacTh3zq0/6KXdWc1yvMJCrwA
-> ssh-ed25519 w3nu8g /ArJSkSyJ0+/GGUln+PULXLu2v9IFatasIZ4d97ClnQ
tsoXfqg2mC+3YVPHVvkrqXCN6CEpOGDBrS8vzBLkrXA
-> ssh-ed25519 evqvfg qJ+4dEvSS8E9tI3q0iXJAnqEZqEE6s2Hn4BAgkjWaEg
1s0rlm960TEiIefYqdqwMgff1A2WTavuq0e3GNrxFi0
--- KbFFpe+ZN1XxXV6biHn9Vm1jw1ZaN0/wAW9/GmrQdJ8
i
2w°„ÙÈx¦»$ÝÉ©;8su¢è€\G˜Ñ£¼SÑ'†.Ü*&¸ýQ^¸&$B/V¥8±Ëï?ѨÐÖ´¼Ö Åx§
;*¡)HCË

BIN
secrets/sasl_relay_passwd.age
View File

Binary file not shown.

BIN
secrets/searx.age
View File

Binary file not shown.

5
secrets/secrets.nix
View File

@ -31,6 +31,7 @@ with roles;
# cloud
"nextcloud-pw.age".publicKeys = nextcloud;
"whiteboard-server-jwt-secret.age".publicKeys = nextcloud;
"smb-secrets.age".publicKeys = personal ++ media-center;
"oauth2-proxy-env.age".publicKeys = server;
@ -60,4 +61,8 @@ with roles;
# zigbee2mqtt secrets
"zigbee2mqtt.yaml.age".publicKeys = zigbee;
# Sonarr and Radarr secrets
"radarr-api-key.age".publicKeys = media-server;
"sonarr-api-key.age".publicKeys = media-server;
}

34
secrets/smb-secrets.age
View File

@ -1,19 +1,17 @@
age-encryption.org/v1
-> ssh-ed25519 N7drjg x2s9QZ7Ijvg4t2peGng9/zX1ZmnGggsvWHJFHEktCgw
o64an6DJ6Be8Jlhzn9ciQTByRAK5f2ckankCRH3y+Uw
-> ssh-ed25519 yHDAQw HYHo6anhKDnD74ab04Ql4RB8+WBA6EavYASX7532NCE
aTp2V9g18yzUTq1ezqETj6jM2Yb1Bt5+JNkrIDT2Djs
-> ssh-ed25519 jQaHAA xGKcIQOkO/i4E2ZWZ+O4sAp7ADqCRqfRQHhKQu6yWh4
RJnqK/t0YQrIej8fRDJGjOtQD7VvgJRfCUWR0/UYcSY
-> ssh-ed25519 w3nu8g P9DQy19TvDCi3nfOhFj73bNZEtUs1BrLubt5/BtLoU4
Sx41bk41dQYa3eoBayUMRIHqMWaRiwXm8BqErDBSbDw
-> ssh-ed25519 dMQYog OWU92PMFo9tGtlkK9zlmMFhh81TGkYlcX1PrxZl35yc
owDk8wWXETS+iybhTMDmQH+eBuzZRDJIlVGCwu4LqTI
-> ssh-ed25519 jQaHAA MzA8dSYZ/Ysp4ogKEEu84mal8779RgkT4Gy6rBEw+kM
m75x/b83aP5G1vg7EXlcLizcm16fEAUAD+VNcdTMnnQ
-> ssh-ed25519 w3nu8g AAA3Me3KJgLvtQvyxLvlQ7pCnv7w73ja6Z2+3A82eGs
+yCW7qCdjk0fiQJmH8poMoc7APKyX/PY7zZyAG1O+Yg
-> ssh-ed25519 dMQYog Dd8e6srT+EIl2PH0RP1bQVsDx+HCQjhFndx5TFyhfx8
j7Met77pWZzK9cMTt29gWB+d9YFVH5T9qs+ulHS3kAo
--- MgOK/g5hOVkGuUNDBSgVeGc9+ndjxLEA7nKSfLJMr4s
~Ÿ‹¬&”™)<29>ŠG®Ÿ¨‡'UÐÞzc¾uFGì(<ò¯ùçV"ƒÕ3þH0x0$•<>w$Yv O3 "Ï×ðV~ÀŠ¸HÁ~XÛ]GœÆqµ®ã÷œ¢y'ãÓ*Dê±ÏúœÕk#\ðAï<41>5ë{«Fe\~
-> ssh-ed25519 N7drjg EazSO4KSpDf7Xi3pTNdhm800ZA5EIIhMbwYp+L42yD0
FDktPGF+bWrlPuwD8QNId3tUxt3kPO5JZ9GQ1B4vtPQ
-> ssh-ed25519 jQaHAA 2UJ/6JUgZBaiVVj6Y43dIvebrozJW4kuR5xfWIWSVSA
nhZ/CMdHMIN/GjFV/WMmNvRkPYcmgtjihFtNwASS/4E
-> ssh-ed25519 w3nu8g fLbN1n9ncJz5xW4BnmOfOMI5tdODrZGwhOczWz81NDc
MP1Z2q1KMmvh76opIwG9ZepFiLRJBnfnGKAGSLvb38k
-> ssh-ed25519 evqvfg ZgT1jg/k43AdfVIny9i3PxD0FRG3CWHEKJwL/r/VX28
Qme90RlNTtlDZcCbbxmJQ1BHphkYC1fLA7MKWTn+jEA
-> ssh-ed25519 jQaHAA C5hiPm6jr4TZa+Hl+ruODqSvl9PAx7bvhAMPiNjCe00
2trojxFes701L8D1XvWPQBCWJB6rwgppPcGK3jDhCBY
-> ssh-ed25519 w3nu8g IuWEPi/Tacoc2Oyey92eJQun4r0RGjY6GAd8oHTQ4Xk
u6iVh1p2x/ACIHQO9mcVuR3Xmq2ln/F97vlYjWphvMQ
-> ssh-ed25519 evqvfg q1Xp4IxCTofR+RDdi1Hoy+8NOO45u1U9/m/t6eBDUhs
WkQKg8LGQoIPuICvj7KcvgF4RMyG15txHG4uFg3v7X0
--- 4WXmmAwvor5BDjArHN3T37/zxKOO3c8jtMaxGigAcMA
øж[îîj¿Ž U.wÁó@<40>ŸBHr7Seª/‰»x©í1;ÝÂSUÔ(¤8µ¥¸{Ì=µ¦N²Ý±<C2B1>ø;_]ªÝVY2D¸";úµã×Câ•ùûì7§-.’¡üœVÀr± >*2 T

10
secrets/sonarr-api-key.age Normal file
View File

@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 hPp1nw F3GP7ySGf2wVUdTr1K6iChf0DczmaMnJjDWNl4sIVws
NgfyXX4F14kyrgzuMfExb3D4pY31tzFjGkq2UmC3JMM
-> ssh-ed25519 w3nu8g tnpGVKL1bYFJOhbbOa+TyEOhaXTVUk9D7HtSUWoM+WA
cM8Jm2uKXkt31UFFdSWq3pClQhJZXUksEBMq1/xu7GE
-> ssh-ed25519 evqvfg A3Ght96pdzoWpNpX/jmoBOz+uQUaoF3C2yw+VCOe22c
btao6WVQSwHv07hnkbpv44Pc7r3Essyoz3Spst+pDMQ
--- J1ZZ/XeiLUpkfOl6xOckks4FxqdzPZJyglYhZf4Sa48
¡°è5 ó#”I¸m\í˜Eñ"žH,s<>»{l¼'!—®¢Ë‰zú¿ƒ?ZÁ@·õ-áX´>PÁG
)+S½ ­

9
secrets/whiteboard-server-jwt-secret.age Normal file
View File

@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 6AT2/g CHRtUTrQxclfOFf+1fpKy61dpivMYz9MiLH3tdqy6VA
7tmx3CPNY6T2nAD8I4bGWAN7y1OPBpWjOhmmCFqldJI
-> ssh-ed25519 w3nu8g UqOMk3O+JfnzlQhymSj1u+9U8xLS93sOVVbd+JhXGBQ
qwYjekirvVTjEwwh0Irdy0hMHAlWkUdD5wu5Xi5GL9U
-> ssh-ed25519 evqvfg Dhz+YpGX+IQNV6UgJq66mogX9UPY5U80YHCwgIsRIlA
BcX/9c0sUQOnfUqGY9W9IRhLM88pLNgh6/nf69AibB4
--- 3trZiV0MSyVswrmMNZuj4PBd3XgUUk8+4NpcJZDXW+Y
¾ÛŸ±û A„ù¯Hã^•ó %‡…ôÔFàÃö4Ö<>\?H£Ü9_Ôd(ñOcl‡U [2Éí•ýtßOëm¯Mÿ¾eà¬ú+—ûØ»2&óSxÎŽ

BIN
secrets/wolframalpha.age
View File

Binary file not shown.

15
secrets/zigbee2mqtt.yaml.age
View File

@ -1,8 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 hPp1nw TSDuPaFp/Qcz4r819X4QmU/4J2TGpoX7jCCJCdFDog0
SwQUqEp45xMOeTkvBG6uX28kB8YWG66laYqakSgl9w4
-> ssh-ed25519 w3nu8g tLZDNE0iBgOpUB3djpNu3CgimsRc0zcds+AgctzxyQ4
Oyz6XORsApM4vFxWyaD3bR/ApIUFPY3q4yGvtbosUIY
--- vuXlQmuOFbJhBTACN5ciH2GlOCbRCMPZdlogG2O+KOk
Áëÿ!}UIì p0@Xž|°þ#晆0HÙõò#BÇRR<52>Ù
òùø5¾Iÿ?vX?pÝ<70><>fqÍ[lž¸˜­G7ü; UäÀOUä¶
-> ssh-ed25519 hPp1nw WkcqGYW9EwuqwdPa22bZ2yyxxSUlfZ1Y+NggCyFR/Qc
Nccy64qgRnPj+6pDRPEvHCo4TRszDL5x8NUoljvAeZ0
-> ssh-ed25519 w3nu8g gr+GjbS4lanuXX6QRpzMl/3cuLInJ+djyoSnN/tH5xM
md07riIXJ2eH43nL8SJFU+dThXu3kUePO/ZaV9iuS4k
-> ssh-ed25519 evqvfg rP45WmM5H7O8dFoOQHPeVDY0JqiIDYgJsPyQjh4jC1w
R7VH7PhaSCRW5bUAgC0Rlic6FV0IAiqKWFA8ah4/3Q0
--- tyRX1o1ewWqSvvaHYQjzare0j6oW6VT1tdnqTN4Or34
"T÷¶áÁÀŠ„Z»S㵈ձ7ƒÜëW—v¡¨[Êi ˜¹CÌÓÜ»Öä<@°yuƒlÊǽRsò<73><C3B2>ƒ¸ä­Íí“´¬y¬`«{ò_Í