zuckerberg/nix-config
zuckerberg/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Activity

Compare commits

merge into: zuckerberg:rpi-hotspot
Branches Tags
zuckerberg:master
zuckerberg:stage
zuckerberg:rpi-hotspot
zuckerberg:attic
zuckerberg:kexec_luks2
zuckerberg:pia-client
...
pull from: zuckerberg:master
Branches Tags
zuckerberg:master
zuckerberg:stage
zuckerberg:rpi-hotspot
zuckerberg:attic
zuckerberg:kexec_luks2
zuckerberg:pia-client

57 Commits
rpi-hotspo ... master

Author SHA1 Message Date
Zuckerberg
0c455baebd Add languagetool
All checks were successful
Check Flake / check-flake (push) Successful in 5m13s
Details
2025-08-16 19:04:10 -07:00
Zuckerberg
b58df0632a Add outline service
All checks were successful
Check Flake / check-flake (push) Successful in 15m2s
Details
2025-08-10 20:49:50 -07:00
Zuckerberg
4956e41285 Add memos service 2025-08-10 19:03:35 -07:00
Zuckerberg
ead6653de1 Add services to tailscale auth 2025-08-10 19:02:47 -07:00
Zuckerberg
dd4a5729d4 Workaround for broken librespot spotify api integration
All checks were successful
Check Flake / check-flake (push) Successful in 4m49s
Details
2025-08-10 15:18:29 -07:00
Zuckerberg
f248c129c8 Open port 8095 for music assistant too 2025-08-10 15:17:52 -07:00
Zuckerberg
c011faab18 Use flaresolverr with linkwarden 2025-08-10 15:17:27 -07:00
Zuckerberg
a5d0b3b748 Bring back APU2 router for more experimentation
All checks were successful
Check Flake / check-flake (push) Successful in 19m21s
Details
2025-08-05 19:45:50 -07:00
Zuckerberg
ed3bee2e4e Improve minimal iso so it can boot on APU2 from sd card 2025-08-05 19:44:49 -07:00
Zuckerberg
dbde2a40f2 Add linkwarden 2025-08-05 19:42:29 -07:00
Zuckerberg
6c69d82156 Add support for Home Assistant voice (whisper + piper + cloud llm) and Music Assistant via Spotify by librespot 
Music assistant has custom modifications they made to librespot that they haven't bothered to even try to upstream.
Thus, they require a custom librespot.  I tried and tried and tried and tried to just override the one already in nixpkgs
but I had trouble doing so despite copying the pattern already shown in nixpkgs for overriding the src of a cargo pkg
(See mopidy) but it just didn't work... Oh well. So I just patch nixpkgs instead with the new source. It works I guess.

This is about where I gave up...

```nix
nixpkgs.overlays = [
  (final: prev: {
    # Cannot use librespot upstream because music-assistant requires custom changes
    # that they never bothered to even try to uptream
    librespot = prev.librespot.overrideAttrs (oldAttrs: rec {
      src = prev.fetchFromGitHub {
        owner = "music-assistant";
        repo = "librespot";
        rev = "786cc46199e583f304a84c786acb0a9b37bc3fbd";
        sha256 = "sha256-xaOrqC8yCjF23Tz31RD3CzqZ3xxrDM6ncW1yoovEaGQ=";
      };

      cargoDeps = oldAttrs.cargoDeps.overrideAttrs (oldAttrs': {
        vendorStaging = oldAttrs'.vendorStaging.overrideAttrs {
          outputHash = "sha256-SqvJSHkyd1IicT6c4pE96dBJNNodULhpyG14HRGVWCk=";
        };
      });
    });
  })
];
```
 2025-08-05 19:37:50 -07:00
Zuckerberg
01b01f06b4 Stop using systemd-networkd it has some flaws with NixOS' networking I need to figure out later. 
It is very elegant, easy to debug/understand, and I definitely want to use it but The most significant
problem is it doesn't work with NixOS containers private networking.  So I'll need to figure that out
or maybe it will be fixed upstream soon.
 2025-08-05 19:27:29 -07:00
Zuckerberg
cf560d4e53 Downgrade Howl's kernel because newer kernels just are horrible with Howl's network card 2025-08-05 19:24:46 -07:00
Zuckerberg
8cf4957e15 Add build iso helper command 2025-08-05 19:23:42 -07:00
Zuckerberg
dc02438a63 Finally a fix DHCP+VLANs thanks to systemd-networkd
All checks were successful
Check Flake / check-flake (push) Successful in 3m31s
Details
2025-07-22 21:20:12 -07:00
Zuckerberg
948984af2d Set ghostty preferences
All checks were successful
Check Flake / check-flake (push) Successful in 22m14s
Details
2025-07-18 19:46:18 -07:00
Zuckerberg
be23526c2c Add KeepassXC keys, remove some very old user keys, and rekey
All checks were successful
Check Flake / check-flake (push) Successful in 1m50s
Details
2025-07-16 22:01:33 -07:00
Zuckerberg
e234577268 Disable inactive cache push experiment 2025-07-16 22:00:11 -07:00
Zuckerberg
82b67ed566 Add Whiteboard app to Nextcloud
All checks were successful
Check Flake / check-flake (push) Successful in 2m17s
Details
2025-07-16 20:49:39 -07:00
Zuckerberg
53c2e2222c Move shell aliases 2025-07-16 20:48:26 -07:00
Zuckerberg
846da159d0 Iodine stopped working again 2025-07-16 20:47:49 -07:00
Zuckerberg
a45125421e Add collabora online and move nextcloud domain 2025-07-16 20:46:51 -07:00
Zuckerberg
f4e40955c8 Use upstreamed pcie coral and vaapi frigate configuration
All checks were successful
Check Flake / check-flake (push) Successful in 12m12s
Details
2025-07-13 18:04:36 -07:00
Zuckerberg
af9e462b27 Allow substituters to be offline
Some checks failed
Check Flake / check-flake (push) Has been cancelled
Details
2025-07-13 17:54:32 -07:00
Zuckerberg
2faea9d380 Update nixpkgs and other flake inputs 2025-07-13 17:52:08 -07:00
Zuckerberg
8571922796 Add new helpful utilities 2025-07-12 11:42:40 -07:00
Zuckerberg
131d5e9313 Add rest command for home assistant 2025-07-12 10:50:37 -07:00
Zuckerberg
fe0ce3a245 Get recyclarr initially running 2025-07-12 10:48:13 -07:00
Zuckerberg
7b26cfb4eb update single input cmd 2025-07-12 10:27:09 -07:00
Zuckerberg
1c9fa418b3 Make s0 easier to unlock
All checks were successful
Check Flake / check-flake (push) Successful in 1m25s
Details
2025-03-29 22:52:00 -07:00
Zuckerberg
8c4dc9cb74 Improve usage of roles. It should be much easier to read and use now. 2025-03-29 22:48:14 -07:00
Zuckerberg
1f9fbd87ac Use upstream pykms and Actual Budget. Move Actual to s0. Add automated backups for Actual.
All checks were successful
Check Flake / check-flake (push) Successful in 1m37s
Details
2025-03-29 18:36:13 -07:00
Zuckerberg
23c8076e4d Pinning system nixpkgs is not needed anymore. nixpkgs already does this automatically for flakes.
All checks were successful
Check Flake / check-flake (push) Successful in 1m50s
Details
2025-03-28 21:45:46 -07:00
Zuckerberg
75ae399b5a Update nixpkgs. Move to new dashy service 2025-03-28 21:05:37 -07:00
Zuckerberg
87ddad27a4 Add Home Manager 2025-03-28 20:27:14 -07:00
Zuckerberg
8dd2a00123 Tauri development extensions 2025-03-28 20:24:33 -07:00
Zuckerberg
944a783ff2 Add nix LSPs for development 2025-03-28 20:23:07 -07:00
Zuckerberg
c2cb43fd2c Enable iperf3 server on ponyo 2025-03-28 20:22:14 -07:00
Zuckerberg
02b2fb6309 Disable gc on howl so nix backed projects don't loose their cache 2025-03-28 20:19:15 -07:00
Zuckerberg
b43660aaef Clean up very old unused config 2025-03-28 20:17:54 -07:00
Zuckerberg
567d755850 If machine role is personal set de.enable = true; automatically 2025-03-28 20:16:26 -07:00
Zuckerberg
adc9b9f2b7 Add sandman.s0.neet.dev 2025-03-28 19:39:59 -07:00
Zuckerberg
9181e3bfa3 Update librechat to v0.7.7 2025-03-28 19:38:41 -07:00
Zuckerberg
9845270512 Fix gparted 2025-03-28 19:35:35 -07:00
Zuckerberg
b3b3044690 Downgrade to dailybot to python 3.11
All checks were successful
Check Flake / check-flake (push) Successful in 1m22s
Details
2025-02-18 22:43:47 -08:00
Zuckerberg
fb1970c316 Upgrade librechat
All checks were successful
Check Flake / check-flake (push) Successful in 6m43s
Details
2025-02-17 12:12:46 -08:00
Zuckerberg
34f1edf3b3 Fix s0 setting the incorrect default route by using a static configuration 2025-02-17 12:11:52 -08:00
Zuckerberg
823f0a6ef2 Disable frigate detect for now. It is using excessive CPU 2025-02-17 12:10:59 -08:00
Zuckerberg
00d2ccc684 Fix sound in some games running in wine 2025-02-17 12:09:51 -08:00
Zuckerberg
b2acaff783 Fix pykms by downgrading to python 3.11 2025-02-17 12:09:20 -08:00
Zuckerberg
c51f4ad65b Unlock zoidberg using TPM2
All checks were successful
Check Flake / check-flake (push) Successful in 1m6s
Details
2024-11-21 21:31:19 -08:00
Zuckerberg
eb6a50664c Upgrade NixOS. Use upstream libedgetpu, frigate, and gasket kernel module. Fix services broken by upgrade.
All checks were successful
Check Flake / check-flake (push) Successful in 17m43s
Details
2024-11-19 21:28:56 -08:00
Zuckerberg
89ce0f7fc0 Change Howl's NVMe 2024-11-19 21:08:19 -08:00
Zuckerberg
8ff552818b Rollover digital ocean auth token
All checks were successful
Check Flake / check-flake (push) Successful in 1m13s
Details
2024-10-27 16:41:02 -07:00
Zuckerberg
020689d987 Fix zigbee2mqtt auth 2024-10-27 16:40:47 -07:00
Zuckerberg
9109e356bd Backup vikunja
All checks were successful
Check Flake / check-flake (push) Successful in 2m6s
Details
2024-10-27 16:26:32 -07:00
Zuckerberg
c7d9e84f73 Lock down access to mqtt
All checks were successful
Check Flake / check-flake (push) Successful in 1m6s
Details
2024-10-27 16:15:23 -07:00
96 changed files with 1687 additions and 10430 deletions
Show Stats Expand all files Collapse all files

12
Makefile
View File

@ -24,4 +24,14 @@ clean-old-nixos-profiles:
# Garbage Collect
.PHONY: gc
gc:
nix store gc
nix store gc
# Update a flake input by name (ex: 'nixpkgs')
.PHONY: update-input
update-input:
nix flake update $(filter-out $@,$(MAKECMDGOALS))
# Build Custom Install ISO
.PHONY: iso
iso:
nix build .#packages.x86_64-linux.iso

2
README.md
View File

@ -4,7 +4,7 @@
- `/common` - common configuration imported into all `/machines`
- `/boot` - config related to bootloaders, cpu microcode, and unlocking LUKS root disks over tor
- `/network` - config for tailscale, and NixOS container with automatic vpn tunneling via PIA
- `/pc` - config that a graphical desktop computer should have. Use `de.enable = true;` to enable everthing.
- `/pc` - config that a graphical PC should have. Have the `personal` role set in the machine's `properties.nix` to enable everthing.
- `/server` - config that creates new nixos services or extends existing ones to meet my needs
- `/machines` - all my NixOS machines along with their machine unique configuration for hardware and services
- `/kexec` - a special machine for generating minimal kexec images. Does not import `/common`

7
common/binary-cache.nix
View File

@ -12,6 +12,13 @@
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU="
];
# Allow substituters to be offline
# This isn't exactly ideal since it would be best if I could set up a system
# so that it is an error if a derivation isn't available for any substituters
# and use this flag as intended for deciding if it should build missing
# derivations locally. See https://github.com/NixOS/nix/issues/6901
fallback = true;
};
};
}

3
common/default.nix
View File

@ -98,4 +98,7 @@
security.acme.acceptTerms = true;
security.acme.defaults.email = "zuckerberg@neet.dev";
# Enable Desktop Environment if this is a PC (machine role is "personal")
de.enable = lib.mkDefault (config.thisMachine.hasRole."personal");
}

6
common/flakes.nix
View File

@ -13,12 +13,6 @@ in
extraOptions = ''
experimental-features = nix-command flakes
'';
# pin nixpkgs for system commands such as "nix shell"
registry.nixpkgs.flake = config.inputs.nixpkgs;
# pin system nixpkgs to the same version as the flake input
nixPath = [ "nixpkgs=${config.inputs.nixpkgs}" ];
};
};
}

195
common/machine-info/default.nix
View File

@ -5,6 +5,90 @@
let
machines = config.machines.hosts;
hostOptionsSubmoduleType = lib.types.submodule {
options = {
hostNames = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = ''
List of hostnames for this machine. The first one is the default so it is the target of deployments.
Used for automatically trusting hosts for ssh connections.
'';
};
arch = lib.mkOption {
type = lib.types.enum [ "x86_64-linux" "aarch64-linux" ];
description = ''
The architecture of this machine.
'';
};
systemRoles = lib.mkOption {
type = lib.types.listOf lib.types.str; # TODO: maybe use an enum?
description = ''
The set of roles this machine holds. Affects secrets available. (TODO add service config as well using this info)
'';
};
hostKey = lib.mkOption {
type = lib.types.str;
description = ''
The system ssh host key of this machine. Used for automatically trusting hosts for ssh connections
and for decrypting secrets with agenix.
'';
};
remoteUnlock = lib.mkOption {
default = null;
type = lib.types.nullOr (lib.types.submodule {
options = {
hostKey = lib.mkOption {
type = lib.types.str;
description = ''
The system ssh host key of this machine used for luks boot unlocking only.
'';
};
clearnetHost = lib.mkOption {
default = null;
type = lib.types.nullOr lib.types.str;
description = ''
The hostname resolvable over clearnet used to luks boot unlock this machine
'';
};
onionHost = lib.mkOption {
default = null;
type = lib.types.nullOr lib.types.str;
description = ''
The hostname resolvable over tor used to luks boot unlock this machine
'';
};
};
});
};
userKeys = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
The list of user keys. Each key here can be used to log into all other systems as `googlebot`.
TODO: consider auto populating other programs that use ssh keys such as gitea
'';
};
deployKeys = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
The list of deployment keys. Each key here can be used to log into all other systems as `root`.
'';
};
configurationPath = lib.mkOption {
type = lib.types.path;
description = ''
The path to this machine's configuration directory.
'';
};
};
};
in
{
imports = [
@ -13,104 +97,16 @@ in
];
options.machines = {
hosts = lib.mkOption {
type = lib.types.attrsOf
(lib.types.submodule {
options = {
hostNames = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = ''
List of hostnames for this machine. The first one is the default so it is the target of deployments.
Used for automatically trusting hosts for ssh connections.
'';
};
arch = lib.mkOption {
type = lib.types.enum [ "x86_64-linux" "aarch64-linux" ];
description = ''
The architecture of this machine.
'';
};
systemRoles = lib.mkOption {
type = lib.types.listOf lib.types.str; # TODO: maybe use an enum?
description = ''
The set of roles this machine holds. Affects secrets available. (TODO add service config as well using this info)
'';
};
hostKey = lib.mkOption {
type = lib.types.str;
description = ''
The system ssh host key of this machine. Used for automatically trusting hosts for ssh connections
and for decrypting secrets with agenix.
'';
};
remoteUnlock = lib.mkOption {
default = null;
type = lib.types.nullOr (lib.types.submodule {
options = {
hostKey = lib.mkOption {
type = lib.types.str;
description = ''
The system ssh host key of this machine used for luks boot unlocking only.
'';
};
clearnetHost = lib.mkOption {
default = null;
type = lib.types.nullOr lib.types.str;
description = ''
The hostname resolvable over clearnet used to luks boot unlock this machine
'';
};
onionHost = lib.mkOption {
default = null;
type = lib.types.nullOr lib.types.str;
description = ''
The hostname resolvable over tor used to luks boot unlock this machine
'';
};
};
});
};
userKeys = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
The list of user keys. Each key here can be used to log into all other systems as `googlebot`.
TODO: consider auto populating other programs that use ssh keys such as gitea
'';
};
deployKeys = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
The list of deployment keys. Each key here can be used to log into all other systems as `root`.
'';
};
configurationPath = lib.mkOption {
type = lib.types.path;
description = ''
The path to this machine's configuration directory.
'';
};
};
});
type = lib.types.attrsOf hostOptionsSubmoduleType;
};
};
options.thisMachine.config = lib.mkOption {
# For ease of use, a direct copy of the host config from machines.hosts.${hostName}
type = hostOptionsSubmoduleType;
};
config = {
assertions = (lib.concatLists (lib.mapAttrsToList
(
@ -196,5 +192,16 @@ in
builtins.map (p: { "${dirName p}" = p; }) propFiles;
in
properties ../../machines;
# Don't try to evaluate "thisMachine" when reflecting using moduleless.nix.
# When evaluated by moduleless.nix this will fail due to networking.hostName not
# existing. This is because moduleless.nix is not intended for reflection from the
# perspective of a perticular machine but is instead intended for reflecting on
# the properties of all machines as a whole system.
thisMachine.config = config.machines.hosts.${config.networking.hostName};
# Add ssh keys from KeepassXC
machines.ssh.userKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILACiZO7QnB4bcmziVaUkUE0ZPMR0M/yJbbHYsHIZz9g" ];
machines.ssh.deployKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID58MvKGs3GDMMcN8Iyi9S59SciSrVM97wKtOvUAl3li" ];
};
}

42
common/machine-info/roles.nix
View File

@ -1,19 +1,55 @@
{ config, lib, ... }:
# Maps roles to their hosts
# Maps roles to their hosts.
# machines.withRole = {
# personal = [
# "machine1" "machine3"
# ];
# cache = [
# "machine2"
# ];
# };
#
# A list of all possible roles
# machines.allRoles = [
# "personal"
# "cache"
# ];
#
# For each role has true or false if the current machine has that role
# thisMachine.hasRole = {
# personal = true;
# cache = false;
# };
{
options.machines.roles = lib.mkOption {
options.machines.withRole = lib.mkOption {
type = lib.types.attrsOf (lib.types.listOf lib.types.str);
};
options.machines.allRoles = lib.mkOption {
type = lib.types.listOf lib.types.str;
};
options.thisMachine.hasRole = lib.mkOption {
type = lib.types.attrsOf lib.types.bool;
};
config = {
machines.roles = lib.zipAttrs
machines.withRole = lib.zipAttrs
(lib.mapAttrsToList
(host: cfg:
lib.foldl (lib.mergeAttrs) { }
(builtins.map (role: { ${role} = host; })
cfg.systemRoles))
config.machines.hosts);
machines.allRoles = lib.attrNames config.machines.withRole;
thisMachine.hasRole = lib.mapAttrs
(role: cfg:
builtins.elem config.networking.hostName config.machines.withRole.${role}
)
config.machines.withRole;
};
}

2
common/machine-info/ssh.nix
View File

@ -39,6 +39,6 @@ in
builtins.map
(host: machines.hosts.${host}.hostKey)
hosts)
machines.roles;
machines.withRole;
};
}

4
common/network/pia-wireguard.nix
View File

@ -151,7 +151,7 @@ in
partOf = [ containerServiceName ];
wantedBy = [ "multi-user.target" ];
path = with pkgs; [ wireguard-tools jq curl iproute iputils ];
path = with pkgs; [ wireguard-tools jq curl iproute2 iputils ];
serviceConfig = {
Type = "oneshot";
@ -224,7 +224,7 @@ in
after = [ "network.target" "network-online.target" ];
wantedBy = [ "multi-user.target" ];
path = with pkgs; [ wireguard-tools iproute curl jq iptables ];
path = with pkgs; [ wireguard-tools iproute2 curl jq iptables ];
serviceConfig = {
Type = "oneshot";

20
common/nix-builder.nix
View File

@ -1,18 +1,14 @@
{ config, lib, ... }:
let
builderRole = "nix-builder";
builderUserName = "nix-builder";
machinesByRole = role: lib.filterAttrs (hostname: cfg: builtins.elem role cfg.systemRoles) config.machines.hosts;
otherMachinesByRole = role: lib.filterAttrs (hostname: cfg: hostname != config.networking.hostName) (machinesByRole role);
thisMachineHasRole = role: builtins.hasAttr config.networking.hostName (machinesByRole role);
builders = machinesByRole builderRole;
thisMachineIsABuilder = thisMachineHasRole builderRole;
builderRole = "nix-builder";
builders = config.machines.withRole.${builderRole};
thisMachineIsABuilder = config.thisMachine.hasRole.${builderRole};
# builders don't include themselves as a remote builder
otherBuilders = lib.filterAttrs (hostname: cfg: hostname != config.networking.hostName) builders;
otherBuilders = lib.filter (hostname: hostname != config.networking.hostName) builders;
in
lib.mkMerge [
# configure builder
@ -40,9 +36,9 @@ lib.mkMerge [
nix.distributedBuilds = true;
nix.buildMachines = builtins.map
(builderCfg: {
hostName = builtins.elemAt builderCfg.hostNames 0;
system = builderCfg.arch;
(builderHostname: {
hostName = builderHostname;
system = config.machines.hosts.${builderHostname}.arch;
protocol = "ssh-ng";
sshUser = builderUserName;
sshKey = "/etc/ssh/ssh_host_ed25519_key";
@ -50,7 +46,7 @@ lib.mkMerge [
speedFactor = 10;
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
})
(builtins.attrValues otherBuilders);
otherBuilders;
# It is very likely that the builder's internet is faster or just as fast
nix.extraOptions = ''

4
common/pc/audio.nix
View File

@ -22,8 +22,8 @@ in
services.pipewire.extraConfig.pipewire."92-fix-wine-audio" = {
context.properties = {
default.clock.rate = 48000;
default.clock.quantum = 2048;
default.clock.min-quantum = 512;
default.clock.quantum = 256;
default.clock.min-quantum = 256;
default.clock.max-quantum = 2048;
};
};

2
common/pc/chromium.nix
View File

@ -57,7 +57,7 @@ in
};
# todo vulkan in chrome
# todo video encoding in chrome
hardware.opengl = {
hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver # LIBVA_DRIVER_NAME=iHD

14
common/pc/default.nix
View File

@ -6,12 +6,10 @@ in
{
imports = [
./kde.nix
# ./xfce.nix
./yubikey.nix
./chromium.nix
./firefox.nix
./audio.nix
# ./torbrowser.nix
./pithos.nix
./vscodium.nix
./discord.nix
@ -27,9 +25,10 @@ in
};
config = lib.mkIf cfg.enable {
# vulkan
hardware.opengl.driSupport = true;
hardware.opengl.driSupport32Bit = true;
environment.systemPackages = with pkgs; [
# https://github.com/NixOS/nixpkgs/pull/328086#issuecomment-2235384618
gparted
];
# Applications
users.users.googlebot.packages = with pkgs; [
@ -42,7 +41,6 @@ in
mpv
nextcloud-client
signal-desktop
gparted
libreoffice-fresh
thunderbird
spotify
@ -56,6 +54,8 @@ in
# For Nix IDE
nixpkgs-fmt
nixd
nil
];
# Networking
@ -92,5 +92,7 @@ in
# Enable wayland support in various chromium based applications
environment.sessionVariables.NIXOS_OZONE_WL = "1";
fonts.packages = with pkgs; [ nerd-fonts.symbols-only ];
};
}

2
common/pc/kde.nix
View File

@ -14,7 +14,7 @@ in
# akonadi
# kmail
# plasma5Packages.kmail-account-wizard
kate
kdePackages.kate
];
};
}

25
common/pc/torbrowser.nix
View File

@ -1,25 +0,0 @@
{ lib, config, pkgs, ... }:
let
cfg = config.de;
in
{
config = lib.mkIf cfg.enable {
nixpkgs.overlays = [
(self: super: {
tor-browser-bundle-bin = super.tor-browser-bundle-bin.overrideAttrs (old: rec {
version = "10.0.10";
lang = "en-US";
src = pkgs.fetchurl {
url = "https://dist.torproject.org/torbrowser/${version}/tor-browser-linux64-${version}_${lang}.tar.xz";
sha256 = "vYWZ+NsGN8YH5O61+zrUjlFv3rieaBqjBQ+a18sQcZg=";
};
});
})
];
users.users.googlebot.packages = with pkgs; [
tor-browser-bundle-bin
];
};
}

6
common/pc/touchpad.nix
View File

@ -1,13 +1,9 @@
{ lib, config, pkgs, ... }:
let
cfg = config.de.touchpad;
cfg = config.de;
in
{
options.de.touchpad = {
enable = lib.mkEnableOption "enable touchpad";
};
config = lib.mkIf cfg.enable {
services.libinput.enable = true;
services.libinput.touchpad.naturalScrolling = true;

7
common/pc/vscodium.nix
View File

@ -13,6 +13,7 @@ let
ms-vscode.cpptools
rust-lang.rust-analyzer
vadimcn.vscode-lldb
tauri-apps.tauri-vscode
] ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [
{
name = "platformio-ide";
@ -26,6 +27,12 @@ let
version = "0.8.1";
sha256 = "ckclcxdUxhjWlPnDFVleLCWgWxUEENe0V328cjaZv+Y=";
}
{
name = "volar";
publisher = "Vue";
version = "2.2.4";
sha256 = "FHS/LNjSUVfCb4SVF9naR4W0JqycWzSWiK54jfbRagA=";
}
];
vscodium-with-extensions = pkgs.vscode-with-extensions.override {

23
common/pc/xfce.nix
View File

@ -1,23 +0,0 @@
{ lib, config, pkgs, ... }:
let
cfg = config.de;
in
{
config = lib.mkIf cfg.enable {
services.xserver = {
enable = true;
desktopManager = {
xterm.enable = false;
xfce.enable = true;
};
displayManager.sddm.enable = true;
};
# xfce apps
# TODO for some reason whiskermenu needs to be global for it to work
environment.systemPackages = with pkgs; [
xfce.xfce4-whiskermenu-plugin
];
};
}

83
common/server/actualbudget.nix
View File

@ -1,87 +1,16 @@
# Starting point:
# https://github.com/aldoborrero/mynixpkgs/commit/c501c1e32dba8f4462dcecb57eee4b9e52038e27
{ config, pkgs, lib, ... }:
let
cfg = config.services.actual-server;
stateDir = "/var/lib/${cfg.stateDirName}";
cfg = config.services.actual;
in
{
options.services.actual-server = {
enable = lib.mkEnableOption "Actual Server";
hostname = lib.mkOption {
type = lib.types.str;
default = "localhost";
description = "Hostname for the Actual Server.";
};
port = lib.mkOption {
type = lib.types.int;
default = 25448;
description = "Port on which the Actual Server should listen.";
};
stateDirName = lib.mkOption {
type = lib.types.str;
default = "actual-server";
description = "Name of the directory under /var/lib holding the server's data.";
};
upload = {
fileSizeSyncLimitMB = lib.mkOption {
type = lib.types.nullOr lib.types.int;
default = null;
description = "File size limit in MB for synchronized files.";
};
syncEncryptedFileSizeLimitMB = lib.mkOption {
type = lib.types.nullOr lib.types.int;
default = null;
description = "File size limit in MB for synchronized encrypted files.";
};
fileSizeLimitMB = lib.mkOption {
type = lib.types.nullOr lib.types.int;
default = null;
description = "File size limit in MB for file uploads.";
};
};
};
config = lib.mkIf cfg.enable {
systemd.services.actual-server = {
description = "Actual Server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.actual-server}/bin/actual-server";
Restart = "always";
StateDirectory = cfg.stateDirName;
WorkingDirectory = stateDir;
DynamicUser = true;
UMask = "0007";
};
environment = {
NODE_ENV = "production";
ACTUAL_PORT = toString cfg.port;
# Actual is actually very bad at configuring it's own paths despite that information being readily available
ACTUAL_USER_FILES = "${stateDir}/user-files";
ACTUAL_SERVER_FILES = "${stateDir}/server-files";
ACTUAL_DATA_DIR = stateDir;
ACTUAL_UPLOAD_FILE_SYNC_SIZE_LIMIT_MB = toString (cfg.upload.fileSizeSyncLimitMB or "");
ACTUAL_UPLOAD_SYNC_ENCRYPTED_FILE_SIZE_LIMIT_MB = toString (cfg.upload.syncEncryptedFileSizeLimitMB or "");
ACTUAL_UPLOAD_FILE_SIZE_LIMIT_MB = toString (cfg.upload.fileSizeLimitMB or "");
};
services.actual.settings = {
port = 25448;
};
services.nginx.virtualHosts.${cfg.hostname} = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:${toString cfg.port}";
};
backup.group."actual-budget".paths = [
"/var/lib/actual"
];
};
}

41
common/server/dashy.nix
View File

@ -1,41 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.dashy;
in
{
options.services.dashy = {
enable = mkEnableOption "dashy";
imageTag = mkOption {
type = types.str;
default = "latest";
};
port = mkOption {
type = types.int;
default = 56815;
};
configFile = lib.mkOption {
type = lib.types.path;
description = "Path to the YAML configuration file";
};
};
config = mkIf cfg.enable {
virtualisation.oci-containers.containers = {
dashy = {
image = "lissy93/dashy:${cfg.imageTag}";
environment = {
TZ = "${config.time.timeZone}";
};
ports = [
"127.0.0.1:${toString cfg.port}:80"
];
volumes = [
"${cfg.configFile}:/app/public/conf.yml"
];
};
};
};
}

3
common/server/default.nix
View File

@ -10,8 +10,6 @@
./matrix.nix
./zerobin.nix
./gitea.nix
./privatebin/privatebin.nix
./radio.nix
./samba.nix
./owncast.nix
./mailserver.nix
@ -19,7 +17,6 @@
./iodine.nix
./searx.nix
./gitea-actions-runner.nix
./dashy.nix
./librechat.nix
./actualbudget.nix
./unifi.nix

5
common/server/gitea-actions-runner.nix
View File

@ -9,10 +9,7 @@
# TODO: skipping running inside of nixos container for now because of issues getting docker/podman running
let
runnerRole = "gitea-actions-runner";
runners = config.machines.roles.${runnerRole};
thisMachineIsARunner = builtins.elem config.networking.hostName runners;
thisMachineIsARunner = config.thisMachine.hasRole."gitea-actions-runner";
containerName = "gitea-runner";
in
{

2
common/server/gitea.nix
View File

@ -24,7 +24,7 @@ in
SHOW_FOOTER_VERSION = false;
};
ui = {
DEFAULT_THEME = "arc-green";
DEFAULT_THEME = "gitea-dark";
};
service = {
DISABLE_REGISTRATION = true;

8
common/server/librechat.nix
View File

@ -21,11 +21,17 @@ in
config = mkIf cfg.enable {
virtualisation.oci-containers.containers = {
librechat = {
image = "ghcr.io/danny-avila/librechat:v0.6.6";
image = "ghcr.io/danny-avila/librechat:v0.7.7";
environment = {
HOST = "0.0.0.0";
MONGO_URI = "mongodb://host.containers.internal:27017/LibreChat";
ENDPOINTS = "openAI,google,bingAI,gptPlugins";
OPENAI_MODELS = lib.concatStringsSep "," [
"gpt-4o-mini"
"o3-mini"
"gpt-4o"
"o1"
];
REFRESH_TOKEN_EXPIRY = toString (1000 * 60 * 60 * 24 * 30); # 30 days
};
environmentFiles = [

1
common/server/mailserver.nix
View File

@ -28,7 +28,6 @@ in
indexDir = "/var/lib/mailindex";
enableManageSieve = true;
fullTextSearch.enable = true;
fullTextSearch.indexAttachments = true;
fullTextSearch.memoryLimit = 500;
inherit domains;
loginAccounts = {

121
common/server/nextcloud.nix
View File

@ -3,28 +3,44 @@
let
cfg = config.services.nextcloud;
nextcloudHostname = "runyan.org";
collaboraOnlineHostname = "collabora.runyan.org";
whiteboardHostname = "whiteboard.runyan.org";
whiteboardPort = 3002; # Seems impossible to change
# Hardcoded public ip of ponyo... I wish I didn't need this...
public_ip_address = "147.135.114.130";
in
{
config = lib.mkIf cfg.enable {
services.nextcloud = {
https = true;
package = pkgs.nextcloud30;
hostName = "neet.cloud";
package = pkgs.nextcloud31;
hostName = nextcloudHostname;
config.dbtype = "sqlite";
config.adminuser = "jeremy";
config.adminpassFile = "/run/agenix/nextcloud-pw";
# Apps
autoUpdateApps.enable = true;
extraAppsEnable = true;
extraApps = with config.services.nextcloud.package.packages.apps; {
# Want
inherit end_to_end_encryption mail spreed;
# For file and document editing (collabora online and excalidraw)
inherit richdocuments whiteboard;
# Might use
inherit bookmarks calendar cookbook deck memories onlyoffice qownnotesapi;
inherit calendar qownnotesapi;
# Try out
# inherit maps music news notes phonetrack polls forms;
# inherit bookmarks cookbook deck memories maps music news notes phonetrack polls forms;
};
extraAppsEnable = true;
# Allows installing Apps from the UI (might remove later)
appstoreEnable = true;
};
age.secrets.nextcloud-pw = {
file = ../../secrets/nextcloud-pw.age;
@ -40,5 +56,100 @@ in
enableACME = true;
forceSSL = true;
};
# collabora-online
# https://diogotc.com/blog/collabora-nextcloud-nixos/
services.collabora-online = {
enable = true;
port = 15972;
settings = {
# Rely on reverse proxy for SSL
ssl = {
enable = false;
termination = true;
};
# Listen on loopback interface only
net = {
listen = "loopback";
post_allow.host = [ "localhost" ];
};
# Restrict loading documents from WOPI Host
storage.wopi = {
"@allow" = true;
host = [ config.services.nextcloud.hostName ];
};
server_name = collaboraOnlineHostname;
};
};
services.nginx.virtualHosts.${config.services.collabora-online.settings.server_name} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.collabora-online.port}";
proxyWebsockets = true;
};
};
systemd.services.nextcloud-config-collabora =
let
wopi_url = "http://localhost:${toString config.services.collabora-online.port}";
public_wopi_url = "https://${collaboraOnlineHostname}";
wopi_allowlist = lib.concatStringsSep "," [
"127.0.0.1"
"::1"
public_ip_address
];
in
{
wantedBy = [ "multi-user.target" ];
after = [ "nextcloud-setup.service" "coolwsd.service" ];
requires = [ "coolwsd.service" ];
path = [
config.services.nextcloud.occ
];
script = ''
nextcloud-occ -- config:app:set richdocuments wopi_url --value ${lib.escapeShellArg wopi_url}
nextcloud-occ -- config:app:set richdocuments public_wopi_url --value ${lib.escapeShellArg public_wopi_url}
nextcloud-occ -- config:app:set richdocuments wopi_allowlist --value ${lib.escapeShellArg wopi_allowlist}
nextcloud-occ -- richdocuments:setup
'';
serviceConfig = {
Type = "oneshot";
};
};
# Whiteboard
services.nextcloud-whiteboard-server = {
enable = true;
settings.NEXTCLOUD_URL = "https://${nextcloudHostname}";
secrets = [ "/run/agenix/whiteboard-server-jwt-secret" ];
};
systemd.services.nextcloud-config-whiteboard = {
wantedBy = [ "multi-user.target" ];
after = [ "nextcloud-setup.service" ];
requires = [ "coolwsd.service" ];
path = [
config.services.nextcloud.occ
];
script = ''
nextcloud-occ -- config:app:set whiteboard collabBackendUrl --value="https://${whiteboardHostname}"
nextcloud-occ -- config:app:set whiteboard jwt_secret_key --value="$JWT_SECRET_KEY"
'';
serviceConfig = {
Type = "oneshot";
EnvironmentFile = [ "/run/agenix/whiteboard-server-jwt-secret" ];
};
};
age.secrets.whiteboard-server-jwt-secret.file = ../../secrets/whiteboard-server-jwt-secret.age;
services.nginx.virtualHosts.${whiteboardHostname} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString whiteboardPort}";
proxyWebsockets = true;
};
};
};
}

42
common/server/privatebin/conf.php
View File

@ -1,42 +0,0 @@
;<?php http_response_code(403); /*
[main]
name = "Kode Paste"
discussion = false
opendiscussion = false
password = true
fileupload = false
burnafterreadingselected = false
defaultformatter = "plaintext"
sizelimit = 10485760
template = "bootstrap"
languageselection = false
[expire]
default = "1week"
[expire_options]
5min = 300
10min = 600
1hour = 3600
1day = 86400
1week = 604800
[formatter_options]
plaintext = "Plain Text"
syntaxhighlighting = "Source Code"
markdown = "Markdown"
[traffic]
limit = 10
dir = "/var/lib/privatebin"
[purge]
limit = 300
batchsize = 10
dir = "/var/lib/privatebin"
[model]
class = Filesystem
[model_options]
dir = "/var/lib/privatebin"

74
common/server/privatebin/privatebin.nix
View File

@ -1,74 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.privatebin;
privateBinSrc = pkgs.stdenv.mkDerivation {
name = "privatebin";
src = pkgs.fetchFromGitHub {
owner = "privatebin";
repo = "privatebin";
rev = "d65bf02d7819a530c3c2a88f6f9947651fe5258d";
sha256 = "7ttAvEDL1ab0cUZcqZzXFkXwB2rF2t4eNpPxt48ap94=";
};
installPhase = ''
cp -ar $src $out
'';
};
in
{
options.services.privatebin = {
enable = lib.mkEnableOption "enable privatebin";
host = lib.mkOption {
type = lib.types.str;
example = "example.com";
};
};
config = lib.mkIf cfg.enable {
users.users.privatebin = {
description = "privatebin service user";
group = "privatebin";
isSystemUser = true;
};
users.groups.privatebin = { };
services.nginx.enable = true;
services.nginx.virtualHosts.${cfg.host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
root = privateBinSrc;
index = "index.php";
};
locations."~ \.php$" = {
root = privateBinSrc;
extraConfig = ''
fastcgi_pass unix:${config.services.phpfpm.pools.privatebin.socket};
fastcgi_index index.php;
'';
};
};
systemd.tmpfiles.rules = [
"d '/var/lib/privatebin' 0750 privatebin privatebin - -"
];
services.phpfpm.pools.privatebin = {
user = "privatebin";
group = "privatebin";
phpEnv = {
CONFIG_PATH = "${./conf.php}";
};
settings = {
pm = "dynamic";
"listen.owner" = config.services.nginx.user;
"pm.max_children" = 5;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 1;
"pm.max_spare_servers" = 3;
"pm.max_requests" = 500;
};
};
};
}

75
common/server/radio.nix
View File

@ -1,75 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.radio;
radioPackage = config.inputs.radio.packages.${config.currentSystem}.radio;
in
{
options.services.radio = {
enable = lib.mkEnableOption "enable radio";
user = lib.mkOption {
type = lib.types.str;
default = "radio";
description = ''
The user radio should run as
'';
};
group = lib.mkOption {
type = lib.types.str;
default = "radio";
description = ''
The group radio should run as
'';
};
dataDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/radio";
description = ''
Path to the radio data directory
'';
};
host = lib.mkOption {
type = lib.types.str;
description = ''
Domain radio is hosted on
'';
};
nginx = lib.mkEnableOption "enable nginx";
};
config = lib.mkIf cfg.enable {
services.icecast = {
enable = true;
hostname = cfg.host;
mount = "stream.mp3";
fallback = "fallback.mp3";
};
services.nginx.virtualHosts.${cfg.host} = lib.mkIf cfg.nginx {
enableACME = true;
forceSSL = true;
locations."/".root = config.inputs.radio-web;
};
users.users.${cfg.user} = {
isSystemUser = true;
group = cfg.group;
home = cfg.dataDir;
createHome = true;
};
users.groups.${cfg.group} = { };
systemd.services.radio = {
enable = true;
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = "${radioPackage}/bin/radio ${config.services.icecast.listen.address}:${toString config.services.icecast.listen.port} ${config.services.icecast.mount} 5500";
serviceConfig.User = cfg.user;
serviceConfig.Group = cfg.group;
serviceConfig.WorkingDirectory = cfg.dataDir;
preStart = ''
mkdir -p ${cfg.dataDir}
chown ${cfg.user} ${cfg.dataDir}
'';
};
};
}

40
common/server/samba.nix
View File

@ -5,30 +5,28 @@
services.samba = {
openFirewall = true;
package = pkgs.sambaFull; # printer sharing
securityType = "user";
# should this be on?
nsswins = true;
extraConfig = ''
workgroup = HOME
server string = smbnix
netbios name = smbnix
security = user
use sendfile = yes
min protocol = smb2
guest account = nobody
map to guest = bad user
settings = {
global = {
security = "user";
workgroup = "HOME";
"server string" = "smbnix";
"netbios name" = "smbnix";
"use sendfile" = "yes";
"min protocol" = "smb2";
"guest account" = "nobody";
"map to guest" = "bad user";
# printing
load printers = yes
printing = cups
printcap name = cups
# printing
"load printers" = "yes";
printing = "cups";
"printcap name" = "cups";
hide files = /.nobackup/.DS_Store/._.DS_Store/
'';
shares = {
"hide files" = "/.nobackup/.DS_Store/._.DS_Store/";
};
public = {
path = "/data/samba/Public";
browseable = "yes";
@ -77,9 +75,9 @@
# backups
backup.group."samba".paths = [
config.services.samba.shares.googlebot.path
config.services.samba.shares.cris.path
config.services.samba.shares.public.path
config.services.samba.settings.googlebot.path
config.services.samba.settings.cris.path
config.services.samba.settings.public.path
];
# Windows discovery of samba server

3
common/server/unifi.nix
View File

@ -10,7 +10,8 @@ in
};
config = lib.mkIf cfg.enable {
services.unifi.unifiPackage = pkgs.unifi8;
services.unifi.unifiPackage = pkgs.unifi;
services.unifi.mongodbPackage = pkgs.mongodb-7_0;
networking.firewall = lib.mkIf cfg.openMinimalFirewall {
allowedUDPPorts = [

2
common/shell.nix
View File

@ -21,8 +21,6 @@
shellInit = ''
# disable annoying fish shell greeting
set fish_greeting
alias sudo="doas"
'';
};

2
common/ssh.nix
View File

@ -31,8 +31,6 @@
# TODO: Old ssh keys I will remove some day...
machines.ssh.userKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVR/R3ZOsv7TZbICGBCHdjh1NDT8SnswUyINeJOC7QG"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dcqL/FhHmv+a1iz3f9LJ48xubO7MZHy35rW9SZOYM"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHSkKiRUUmnErOKGx81nyge/9KqjkPh8BfDk0D3oP586" # nat
];
}

206
flake.lock generated
View File

@ -3,7 +3,9 @@
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"home-manager": [
"home-manager"
],
"nixpkgs": [
"nixpkgs"
],
@ -12,11 +14,11 @@
]
},
"locked": {
"lastModified": 1723293904,
"narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
"lastModified": 1750173260,
"narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
"owner": "ryantm",
"repo": "agenix",
"rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
"rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
"type": "github"
},
"original": {
@ -51,11 +53,11 @@
]
},
"locked": {
"lastModified": 1651719222,
"narHash": "sha256-p/GY5vOP+HUlxNL4OtEhmBNEVQsedOHXEmjfCGONVmE=",
"lastModified": 1739947126,
"narHash": "sha256-JoiddH5H9up8jC/VKU8M7wDlk/bstKoJ3rHj+TkW4Zo=",
"ref": "refs/heads/master",
"rev": "1290ddd9a2ff2bf2d0f702750768312b80efcd34",
"revCount": 19,
"rev": "ea1ad60f1c6662103ef4a3705d8e15aa01219529",
"revCount": 20,
"type": "git",
"url": "https://git.neet.dev/zuckerberg/dailybot.git"
},
@ -72,11 +74,11 @@
]
},
"locked": {
"lastModified": 1700795494,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"lastModified": 1744478979,
"narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"rev": "43975d782b418ebf4969e9ccba82466728c2851b",
"type": "github"
},
"original": {
@ -99,11 +101,11 @@
]
},
"locked": {
"lastModified": 1727447169,
"narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=",
"lastModified": 1749105467,
"narHash": "sha256-hXh76y/wDl15almBcqvjryB50B0BaiXJKk20f314RoE=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76",
"rev": "6bc76b872374845ba9d645a2f012b764fecd765f",
"type": "github"
},
"original": {
@ -115,11 +117,11 @@
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"lastModified": 1747046372,
"narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
"type": "github"
},
"original": {
@ -135,11 +137,11 @@
]
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
@ -148,23 +150,71 @@
"type": "github"
}
},
"home-manager": {
"git-hooks": {
"inputs": {
"flake-compat": [
"simple-nixos-mailserver",
"flake-compat"
],
"gitignore": "gitignore",
"nixpkgs": [
"agenix",
"simple-nixos-mailserver",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703113217,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"lastModified": 1750779888,
"narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"simple-nixos-mailserver",
"git-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1752208517,
"narHash": "sha256-aRY1cYOdVdXdNjcL/Twpa27CknO7pVHxooPsBizDraE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"rev": "c6a01e54af81b381695db796a43360bf6db5702f",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-25.05",
"repo": "home-manager",
"type": "github"
}
@ -176,11 +226,11 @@
]
},
"locked": {
"lastModified": 1728263287,
"narHash": "sha256-GJDtsxz2/zw6g/Nrp4XVWBS5IaZ7ZUkuvxPOBEDe7pg=",
"lastModified": 1752346111,
"narHash": "sha256-SVxCIYnbED0rNYSpm3QQoOhqxYRp1GuE9FkyM5Y2afs=",
"owner": "Mic92",
"repo": "nix-index-database",
"rev": "5fce10c871bab6d7d5ac9e5e7efbb3a2783f5259",
"rev": "deff7a9a0aa98a08d8c7839fe2658199ce9828f8",
"type": "github"
},
"original": {
@ -191,11 +241,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1728056216,
"narHash": "sha256-IrO06gFUDTrTlIP3Sz+mRB6WUoO2YsgMtOD3zi0VEt0=",
"lastModified": 1752048960,
"narHash": "sha256-gATnkOe37eeVwKKYCsL+OnS2gU4MmLuZFzzWCtaKLI8=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "b7ca02c7565fbf6d27ff20dd6dbd49c5b82eef28",
"rev": "7ced9122cff2163c6a0212b8d1ec8c33a1660806",
"type": "github"
},
"original": {
@ -207,75 +257,42 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1728193676,
"narHash": "sha256-PbDWAIjKJdlVg+qQRhzdSor04bAPApDqIv2DofTyynk=",
"lastModified": 1752431364,
"narHash": "sha256-ciGIXIMq2daX5o4Tn6pnZTd1pf5FICHbqUlHu658G9c=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ecbc1ca8ffd6aea8372ad16be9ebbb39889e55b6",
"rev": "fb0f0dbfd95f0e19fdeab8e0f18bf0b5cf057b68",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"ref": "release-25.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-frigate": {
"locked": {
"lastModified": 1695825837,
"narHash": "sha256-4Ne11kNRnQsmSJCRSSNkFRSnHC4Y5gPDBIQGjjPfJiU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "5cfafa12d57374f48bcc36fda3274ada276cf69e",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "5cfafa12d57374f48bcc36fda3274ada276cf69e",
"type": "github"
}
},
"radio": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1631585589,
"narHash": "sha256-q4o/4/2pEuJyaKZwNQC5KHnzG1obClzFB7zWk9XSDfY=",
"ref": "main",
"rev": "5bf607fed977d41a269942a7d1e92f3e6d4f2473",
"revCount": 38,
"type": "git",
"url": "https://git.neet.dev/zuckerberg/radio.git"
},
"original": {
"ref": "main",
"rev": "5bf607fed977d41a269942a7d1e92f3e6d4f2473",
"type": "git",
"url": "https://git.neet.dev/zuckerberg/radio.git"
}
},
"radio-web": {
"nixpkgs-linkwarden": {
"flake": false,
"locked": {
"lastModified": 1652121792,
"narHash": "sha256-j1Y9MAjUVNgyFSeGzPoqibAnEysJDjZSXukVfQ7+bsQ=",
"ref": "refs/heads/master",
"rev": "72e7a9e80b780c84ed8d4a6374bfbb242701f900",
"revCount": 5,
"type": "git",
"url": "https://git.neet.dev/zuckerberg/radio-web.git"
"narHash": "sha256-wW3F+iRM/ATWkyq8+Romal8oFmsM/p98V96d5G0tasA=",
"type": "file",
"url": "https://github.com/NixOS/nixpkgs/pull/347353.diff"
},
"original": {
"type": "git",
"url": "https://git.neet.dev/zuckerberg/radio-web.git"
"type": "file",
"url": "https://github.com/NixOS/nixpkgs/pull/347353.diff"
}
},
"nixpkgs-memos": {
"flake": false,
"locked": {
"narHash": "sha256-UidUaQY+9vo90rNCVInX1E+JbJ1xKFVSTMNRYKQEKpQ=",
"type": "file",
"url": "https://github.com/NixOS/nixpkgs/pull/426687.diff"
},
"original": {
"type": "file",
"url": "https://github.com/NixOS/nixpkgs/pull/426687.diff"
}
},
"root": {
@ -285,12 +302,12 @@
"deploy-rs": "deploy-rs",
"flake-compat": "flake-compat",
"flake-utils": "flake-utils",
"home-manager": "home-manager",
"nix-index-database": "nix-index-database",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"nixpkgs-frigate": "nixpkgs-frigate",
"radio": "radio",
"radio-web": "radio-web",
"nixpkgs-linkwarden": "nixpkgs-linkwarden",
"nixpkgs-memos": "nixpkgs-memos",
"simple-nixos-mailserver": "simple-nixos-mailserver",
"systems": "systems"
}
@ -301,24 +318,25 @@
"flake-compat": [
"flake-compat"
],
"git-hooks": "git-hooks",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-24_05": [
"nixpkgs-25_05": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1722877200,
"narHash": "sha256-qgKDNJXs+od+1UbRy62uk7dYal3h98I4WojfIqMoGcg=",
"lastModified": 1747965231,
"narHash": "sha256-BW3ktviEhfCN/z3+kEyzpDKAI8qFTwO7+S0NVA0C90o=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "af7d3bf5daeba3fc28089b015c0dd43f06b176f2",
"rev": "53007af63fade28853408370c4c600a63dd97f41",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"ref": "master",
"ref": "nixos-25.05",
"repo": "nixos-mailserver",
"type": "gitlab"
}

55
flake.nix
View File

@ -1,8 +1,15 @@
{
inputs = {
# nixpkgs
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
nixpkgs-frigate.url = "github:NixOS/nixpkgs/5cfafa12d57374f48bcc36fda3274ada276cf69e";
nixpkgs.url = "github:NixOS/nixpkgs/release-25.05";
nixpkgs-linkwarden = {
url = "https://github.com/NixOS/nixpkgs/pull/347353.diff";
flake = false;
};
nixpkgs-memos = {
url = "https://github.com/NixOS/nixpkgs/pull/426687.diff";
flake = false;
};
# Common Utils Among flake inputs
systems.url = "github:nix-systems/default";
@ -18,12 +25,18 @@
# NixOS hardware
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
# Home Manager
home-manager = {
url = "github:nix-community/home-manager/release-25.05";
inputs.nixpkgs.follows = "nixpkgs";
};
# Mail Server
simple-nixos-mailserver = {
url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-25.05";
inputs = {
nixpkgs.follows = "nixpkgs";
nixpkgs-24_05.follows = "nixpkgs";
nixpkgs-25_05.follows = "nixpkgs";
flake-compat.follows = "flake-compat";
};
};
@ -34,22 +47,10 @@
inputs = {
nixpkgs.follows = "nixpkgs";
systems.follows = "systems";
home-manager.follows = "home-manager";
};
};
# Radio
radio = {
url = "git+https://git.neet.dev/zuckerberg/radio.git?ref=main&rev=5bf607fed977d41a269942a7d1e92f3e6d4f2473";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-utils.follows = "flake-utils";
};
};
radio-web = {
url = "git+https://git.neet.dev/zuckerberg/radio-web.git";
flake = false;
};
# Dailybot
dailybuild_modules = {
url = "git+https://git.neet.dev/zuckerberg/dailybot.git";
@ -78,7 +79,7 @@
outputs = { self, nixpkgs, ... }@inputs:
let
machines = (import ./common/machine-info/moduleless.nix
machineHosts = (import ./common/machine-info/moduleless.nix
{
inherit nixpkgs;
assertionsModule = "${nixpkgs}/nixos/modules/misc/assertions.nix";
@ -93,6 +94,7 @@
agenix.nixosModules.default
dailybuild_modules.nixosModule
nix-index-database.nixosModules.nix-index
home-manager.nixosModules.home-manager
self.nixosModules.kernel-modules
({ lib, ... }: {
config = {
@ -103,6 +105,10 @@
];
networking.hostName = hostname;
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users.googlebot = import ./home/googlebot.nix;
};
# because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
@ -120,7 +126,14 @@
name = "nixpkgs-patched";
src = nixpkgs;
patches = [
./patches/gamepadui.patch
# ./patches/gamepadui.patch
./patches/dont-break-nix-serve.patch
# music-assistant needs a specific custom version of librespot
# I tried to use an overlay but my attempts to override the rust package did not work out
# despite me following guides and examples specific to rust packages.
./patches/librespot-pin.patch
inputs.nixpkgs-linkwarden
inputs.nixpkgs-memos
];
};
patchedNixpkgs = nixpkgs.lib.fix (self: (import "${patchedNixpkgsSrc}/flake.nix").outputs { self = nixpkgs; });
@ -140,7 +153,7 @@
nixpkgs.lib.mapAttrs
(hostname: cfg:
mkSystem cfg.arch nixpkgs cfg.configurationPath hostname)
machines;
machineHosts;
packages =
let
@ -177,7 +190,7 @@
nixpkgs.lib.mapAttrs
(hostname: cfg:
mkDeploy hostname cfg.arch (builtins.head cfg.hostNames))
machines;
machineHosts;
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;

123
home/googlebot.nix Normal file
View File

@ -0,0 +1,123 @@
{ config, lib, pkgs, osConfig, ... }:
let
# Check if the current machine has the role "personal"
thisMachineIsPersonal = osConfig.thisMachine.hasRole."personal";
in
{
home.username = "googlebot";
home.homeDirectory = "/home/googlebot";
home.stateVersion = "24.11";
programs.home-manager.enable = true;
services.ssh-agent.enable = true;
# System Monitoring
programs.btop.enable = true;
programs.bottom.enable = true;
# Modern "ls" replacement
programs.pls.enable = true;
programs.pls.enableFishIntegration = true;
programs.eza.enable = true;
# Graphical terminal
programs.ghostty.enable = thisMachineIsPersonal;
programs.ghostty.settings = {
theme = "Snazzy";
font-size = 10;
};
# Advanced terminal file explorer
programs.broot.enable = true;
# Shell promt theming
programs.fish.enable = true;
programs.starship.enable = true;
programs.starship.enableFishIntegration = true;
programs.starship.enableInteractive = true;
# programs.oh-my-posh.enable = true;
# programs.oh-my-posh.enableFishIntegration = true;
# Advanced search
programs.ripgrep.enable = true;
# tldr: Simplified, example based and community-driven man pages.
programs.tealdeer.enable = true;
home.shellAliases = {
sudo = "doas";
ls2 = "eza";
explorer = "broot";
};
programs.zed-editor = {
enable = thisMachineIsPersonal;
extensions = [
"nix"
"toml"
"html"
"make"
"git-firefly"
"vue"
"scss"
];
userSettings = {
assistant = {
enabled = true;
version = "2";
default_model = {
provider = "openai";
model = "gpt-4-turbo";
};
};
features = {
edit_prediction_provider = "zed";
};
node = {
path = lib.getExe pkgs.nodejs;
npm_path = lib.getExe' pkgs.nodejs "npm";
};
auto_update = false;
terminal = {
blinking = "off";
copy_on_select = false;
};
lsp = {
rust-analyzer = {
# binary = {
# path = lib.getExe pkgs.rust-analyzer;
# };
binary = {
path = "/run/current-system/sw/bin/nix";
arguments = [ "develop" "--command" "rust-analyzer" ];
};
initialization_options = {
cargo = {
features = "all";
};
};
};
};
# tell zed to use direnv and direnv can use a flake.nix enviroment.
load_direnv = "shell_hook";
base_keymap = "VSCode";
theme = {
mode = "system";
light = "One Light";
dark = "Andrometa";
};
ui_font_size = 12;
buffer_font_size = 12;
};
};
}

4
machines/ephemeral/kexec.nix
View File

@ -29,10 +29,10 @@
text = ''
#!${pkgs.stdenv.shell}
set -e
${pkgs.kexectools}/bin/kexec -l ${image}/kernel --initrd=${image}/initrd --append="init=${builtins.unsafeDiscardStringContext config.system.build.toplevel}/init ${toString config.boot.kernelParams}"
${pkgs.kexec-tools}/bin/kexec -l ${image}/kernel --initrd=${image}/initrd --append="init=${builtins.unsafeDiscardStringContext config.system.build.toplevel}/init ${toString config.boot.kernelParams}"
sync
echo "executing kernel, filesystems will be improperly umounted"
${pkgs.kexectools}/bin/kexec -e
${pkgs.kexec-tools}/bin/kexec -e
'';
};
kexec_tarball = pkgs.callPackage (modulesPath + "/../lib/make-system-tarball.nix") {

16
machines/ephemeral/minimal.nix
View File

@ -7,12 +7,20 @@
../../common/ssh.nix
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "e1000" "e1000e" "virtio_pci" "r8169" ];
boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"e1000"
"e1000e"
"virtio_pci"
"r8169"
"sdhci"
"sdhci_pci"
"mmc_core"
"mmc_block"
];
boot.kernelParams = [
"panic=30"
"boot.panic_on_fail" # reboot the machine upon fatal boot issues
"console=ttyS0,115200" # enable serial console
"console=tty1"
];
boot.kernel.sysctl."vm.overcommit_memory" = "1";

3
machines/howl/default.nix
View File

@ -8,6 +8,5 @@
# don't use remote builders
nix.distributedBuilds = lib.mkForce false;
de.enable = true;
de.touchpad.enable = true;
nix.gc.automatic = lib.mkForce false;
}

11
machines/howl/hardware-configuration.nix
View File

@ -6,7 +6,8 @@
nixos-hardware.nixosModules.framework-13-7040-amd
];
boot.kernelPackages = pkgs.linuxPackages_latest;
# boot.kernelPackages = pkgs.linuxPackages_6_14;
boot.kernelPackages = pkgs.linuxPackages_6_13;
hardware.framework.amd-7040.preventWakeOnAC = true;
services.fwupd.enable = true;
@ -30,22 +31,22 @@
# disks
remoteLuksUnlock.enable = true;
boot.initrd.luks.devices."enc-pv" = {
device = "/dev/disk/by-uuid/c801586b-f0a2-465c-8dae-532e61b83fee";
device = "/dev/disk/by-uuid/2e4a6960-a6b1-40ee-9c2c-2766eb718d52";
allowDiscards = true;
};
fileSystems."/" =
{
device = "/dev/disk/by-uuid/95db6950-a7bc-46cf-9765-3ea675ccf014";
device = "/dev/disk/by-uuid/1f62386c-3243-49f5-b72f-df8fc8f39db8";
fsType = "btrfs";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/B087-2C20";
device = "/dev/disk/by-uuid/F4D9-C5E8";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices =
[{ device = "/dev/disk/by-uuid/49fbdf62-eef4-421b-aac3-c93494afd23c"; }];
[{ device = "/dev/disk/by-uuid/5f65cb11-2649-48fe-9c78-3e325b857c53"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's

4
machines/howl/properties.nix
View File

@ -15,10 +15,6 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPnLt84bKhUgFxjQf10+Htro9Lo1Pabqm8mGalBUniv"
];
deployKeys = [
# TODO
];
remoteUnlock = {
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN0N80r0Sl2WlJaUqfxZPkOtYyGumFazkIqq7eq3Gd2o";
onionHost = "ll6yjnkh4psmfwmtkmqoutl4gq4elqzbmjxv4s6gpgoavyi3kwhjvnqd.onion";

3
machines/nat/configuration.nix
View File

@ -9,7 +9,4 @@
networking.hostName = "nat";
networking.interfaces.ens160.useDHCP = true;
de.enable = true;
de.touchpad.enable = true;
}

51
machines/ponyo/default.nix
View File

@ -10,6 +10,8 @@
# p2p mesh network
services.tailscale.exitNode = true;
services.iperf3.enable = true;
# email server
mailserver.enable = true;
@ -54,44 +56,6 @@
config.services.drastikbot.dataDir
];
# music radio
vpn-container.enable = true;
vpn-container.config = {
services.radio = {
enable = true;
host = "radio.runyan.org";
};
};
pia.wireguard.badPortForwardPorts = [ ];
services.nginx.virtualHosts = {
"radio.runyan.org" = {
enableACME = true;
forceSSL = true;
locations = {
"/stream.mp3" = {
proxyPass = "http://vpn.containers:8001/stream.mp3";
extraConfig = ''
add_header Access-Control-Allow-Origin *;
'';
};
"/".root = config.inputs.radio-web;
};
};
"radio.neet.space" = {
enableACME = true;
forceSSL = true;
locations = {
"/stream.mp3" = {
proxyPass = "http://vpn.containers:8001/stream.mp3";
extraConfig = ''
add_header Access-Control-Allow-Origin *;
'';
};
"/".root = config.inputs.radio-web;
};
};
};
# matrix home server
services.matrix = {
enable = true;
@ -114,7 +78,7 @@
services.postgresql.package = pkgs.postgresql_15;
# iodine DNS-based vpn
services.iodine.server.enable = true;
# services.iodine.server.enable = true;
# proxied web services
services.nginx.enable = true;
@ -131,12 +95,12 @@
root = "/var/www/tmp";
};
# redirect runyan.org to github
services.nginx.virtualHosts."runyan.org" = {
# redirect neet.cloud to nextcloud instance on runyan.org
services.nginx.virtualHosts."neet.cloud" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
rewrite ^/(.*)$ https://github.com/GoogleBot42 redirect;
return 302 https://runyan.org$request_uri;
'';
};
@ -147,7 +111,4 @@
# librechat
services.librechat.enable = true;
services.librechat.host = "chat.neet.dev";
services.actual-server.enable = true;
services.actual-server.hostname = "actual.runyan.org";
}

3
machines/router/default.nix
View File

@ -22,8 +22,7 @@
# networking.useDHCP = lib.mkForce true;
# TODO
# networking.usePredictableInterfaceNames = true;
networking.usePredictableInterfaceNames = false;
powerManagement.cpuFreqGovernor = "ondemand";

14
machines/router/hardware-configuration.nix
View File

@ -10,8 +10,6 @@
# Enable serial output
boot.kernelParams = [
"panic=30"
"boot.panic_on_fail" # reboot the machine upon fatal boot issues
"console=ttyS0,115200n8" # enable serial console
];
boot.loader.grub.extraConfig = "
@ -23,6 +21,8 @@
# firmware
firmware.x86_64.enable = true;
nixpkgs.config.allowUnfree = true;
hardware.enableRedistributableFirmware = true;
hardware.enableAllFirmware = true;
# boot
bios = {
@ -31,20 +31,18 @@
};
# disks
remoteLuksUnlock.enable = true;
boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/9b090551-f78e-45ca-8570-196ed6a4af0c";
fileSystems."/" =
{
device = "/dev/disk/by-uuid/421c82b9-d67c-4811-8824-8bb57cb10fce";
fsType = "btrfs";
device = "/dev/disk/by-uuid/6aa7f79e-bef8-4b0f-b22c-9d1b3e8ac94b";
fsType = "ext4";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/d97f324f-3a2e-4b84-ae2a-4b3d1209c689";
device = "/dev/disk/by-uuid/14dfc562-0333-4ddd-b10c-4eeefe1cd05f";
fsType = "ext3";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/45bf58dd-67eb-45e4-9a98-246e23fa7abd"; }];
[{ device = "/dev/disk/by-uuid/adf37c64-3b54-480c-a9a7-099d61c6eac7"; }];
nixpkgs.hostPlatform = "x86_64-linux";
}

17
machines/router/properties.nix Normal file
View File

@ -0,0 +1,17 @@
{
hostNames = [
"router"
"192.168.6.159"
"192.168.3.1"
];
arch = "x86_64-linux";
systemRoles = [
"server"
"wireless"
"router"
];
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKDCMhEvWJxFBNyvpyuljv5Uun8AdXCxBK9HvPBRe5x6";
}

21
machines/router/properties.nix.disabled
View File

@ -1,21 +0,0 @@
{
hostNames = [
"router"
"192.168.1.228"
];
arch = "x86_64-linux";
systemRoles = [
"server"
"wireless"
"router"
];
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFr2IHmWFlaLaLp5dGoSmFEYKA/eg2SwGXAogaOmLsHL";
remoteUnlock = {
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOw5dTPmtKqiPBH6VKyz5MYBubn8leAh5Eaw7s/O85c";
onionHost = "jxx2exuihlls2t6ncs7rvrjh2dssubjmjtclwr2ysvxtr4t7jv55xmqd.onion";
};
}

255
machines/router/router.nix
View File

@ -31,8 +31,10 @@ in
networking.bridges = {
br0 = {
interfaces = [
"enp2s0"
"wlp4s0"
"eth2"
# "wlp4s0"
# "wlan1"
"wlan0"
"wlan1"
];
};
@ -64,142 +66,173 @@ in
services.dnsmasq = {
enable = true;
extraConfig = ''
settings = {
# sensible behaviours
domain-needed
bogus-priv
no-resolv
domain-needed = true;
bogus-priv = true;
no-resolv = true;
# upstream name servers
server=1.1.1.1
server=8.8.8.8
server = [
"1.1.1.1"
"8.8.8.8"
];
# local domains
expand-hosts
domain=home
local=/home/
expand-hosts = true;
domain = "home";
local = "/home/";
# Interfaces to use DNS on
interface=br0
interface = "br0";
# subnet IP blocks to use DHCP on
dhcp-range=${cfg.privateSubnet}.10,${cfg.privateSubnet}.254,24h
'';
dhcp-range = "${cfg.privateSubnet}.10,${cfg.privateSubnet}.254,24h";
};
};
services.hostapd = {
enable = true;
radios = {
# 2.4GHz
wlp4s0 = {
band = "2g";
noScan = true;
channel = 6;
# Simple 2.4GHz AP
wlan0 = {
countryCode = "US";
wifi4 = {
capabilities = [ "LDPC" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935" "HT40+" ];
};
wifi5 = {
operatingChannelWidth = "20or40";
capabilities = [ "MAX-A-MPDU-LEN-EXP0" ];
};
wifi6 = {
enable = true;
singleUserBeamformer = true;
singleUserBeamformee = true;
multiUserBeamformer = true;
operatingChannelWidth = "20or40";
};
networks = {
wlp4s0 = {
ssid = "CXNK00BF9176";
authentication.saePasswordsFile = "/run/agenix/hostapd-pw-CXNK00BF9176";
};
# wlp4s0-1 = {
# ssid = "- Experimental 5G Tower by AT&T";
# authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
# };
# wlp4s0-2 = {
# ssid = "FBI Surveillance Van 2";
# authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
# };
};
settings = {
he_oper_centr_freq_seg0_idx = 8;
vht_oper_centr_freq_seg0_idx = 8;
networks.wlan0 = {
ssid = "CXNK00BF9176-1";
authentication.saePasswords = [{ passwordFile = "/run/agenix/hostapd-pw-CXNK00BF9176"; }];
};
};
# 5GHz
# WiFi 5 (5GHz) with two advertised networks
wlan1 = {
band = "5g";
noScan = true;
channel = 128;
channel = 0;
countryCode = "US";
wifi4 = {
capabilities = [ "LDPC" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935" "HT40-" ];
};
wifi5 = {
operatingChannelWidth = "160";
capabilities = [ "RXLDPC" "SHORT-GI-80" "SHORT-GI-160" "TX-STBC-2BY1" "SU-BEAMFORMER" "SU-BEAMFORMEE" "MU-BEAMFORMER" "MU-BEAMFORMEE" "RX-ANTENNA-PATTERN" "TX-ANTENNA-PATTERN" "RX-STBC-1" "SOUNDING-DIMENSION-3" "BF-ANTENNA-3" "VHT160" "MAX-MPDU-11454" "MAX-A-MPDU-LEN-EXP7" ];
};
wifi6 = {
enable = true;
singleUserBeamformer = true;
singleUserBeamformee = true;
multiUserBeamformer = true;
operatingChannelWidth = "160";
};
networks = {
wlan1 = {
ssid = "CXNK00BF9176";
authentication.saePasswordsFile = "/run/agenix/hostapd-pw-CXNK00BF9176";
};
# wlan1-1 = {
# ssid = "- Experimental 5G Tower by AT&T";
# authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
# };
# wlan1-2 = {
# ssid = "FBI Surveillance Van 5";
# authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
# };
};
settings = {
vht_oper_centr_freq_seg0_idx = 114;
he_oper_centr_freq_seg0_idx = 114;
networks.wlan1 = {
ssid = "CXNK00BF9176-1";
authentication.saePasswords = [{ passwordFile = "/run/agenix/hostapd-pw-CXNK00BF9176"; }];
};
};
};
};
age.secrets.hostapd-pw-experimental-tower.file = ../../secrets/hostapd-pw-experimental-tower.age;
age.secrets.hostapd-pw-CXNK00BF9176.file = ../../secrets/hostapd-pw-CXNK00BF9176.age;
hardware.firmware = [
pkgs.mt7916-firmware
];
# wlan0 5Ghz 00:0a:52:08:38:32
# wlp4s0 2.4Ghz 00:0a:52:08:38:33
nixpkgs.overlays = [
(self: super: {
mt7916-firmware = pkgs.stdenvNoCC.mkDerivation {
pname = "mt7916-firmware";
version = "custom-feb-02-23";
src = ./firmware/mediatek; # from here https://github.com/openwrt/mt76/issues/720#issuecomment-1413537674
dontBuild = true;
installPhase = ''
for i in \
mt7916_eeprom.bin \
mt7916_rom_patch.bin \
mt7916_wa.bin \
mt7916_wm.bin;
do
install -D -pm644 $i $out/lib/firmware/mediatek/$i
done
'';
meta = with lib; {
license = licenses.unfreeRedistributableFirmware;
};
};
})
];
# services.hostapd = {
# enable = true;
# radios = {
# # 2.4GHz
# wlp4s0 = {
# band = "2g";
# noScan = true;
# channel = 6;
# countryCode = "US";
# wifi4 = {
# capabilities = [ "LDPC" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935" "HT40+" ];
# };
# wifi5 = {
# operatingChannelWidth = "20or40";
# capabilities = [ "MAX-A-MPDU-LEN-EXP0" ];
# };
# wifi6 = {
# enable = true;
# singleUserBeamformer = true;
# singleUserBeamformee = true;
# multiUserBeamformer = true;
# operatingChannelWidth = "20or40";
# };
# networks = {
# wlp4s0 = {
# ssid = "CXNK00BF9176";
# authentication.saePasswordsFile = "/run/agenix/hostapd-pw-CXNK00BF9176";
# };
# # wlp4s0-1 = {
# # ssid = "- Experimental 5G Tower by AT&T";
# # authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
# # };
# # wlp4s0-2 = {
# # ssid = "FBI Surveillance Van 2";
# # authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
# # };
# };
# settings = {
# he_oper_centr_freq_seg0_idx = 8;
# vht_oper_centr_freq_seg0_idx = 8;
# };
# };
# # 5GHz
# wlan1 = {
# band = "5g";
# noScan = true;
# channel = 128;
# countryCode = "US";
# wifi4 = {
# capabilities = [ "LDPC" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935" "HT40-" ];
# };
# wifi5 = {
# operatingChannelWidth = "160";
# capabilities = [ "RXLDPC" "SHORT-GI-80" "SHORT-GI-160" "TX-STBC-2BY1" "SU-BEAMFORMER" "SU-BEAMFORMEE" "MU-BEAMFORMER" "MU-BEAMFORMEE" "RX-ANTENNA-PATTERN" "TX-ANTENNA-PATTERN" "RX-STBC-1" "SOUNDING-DIMENSION-3" "BF-ANTENNA-3" "VHT160" "MAX-MPDU-11454" "MAX-A-MPDU-LEN-EXP7" ];
# };
# wifi6 = {
# enable = true;
# singleUserBeamformer = true;
# singleUserBeamformee = true;
# multiUserBeamformer = true;
# operatingChannelWidth = "160";
# };
# networks = {
# wlan1 = {
# ssid = "CXNK00BF9176";
# authentication.saePasswordsFile = "/run/agenix/hostapd-pw-CXNK00BF9176";
# };
# # wlan1-1 = {
# # ssid = "- Experimental 5G Tower by AT&T";
# # authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
# # };
# # wlan1-2 = {
# # ssid = "FBI Surveillance Van 5";
# # authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
# # };
# };
# settings = {
# vht_oper_centr_freq_seg0_idx = 114;
# he_oper_centr_freq_seg0_idx = 114;
# };
# };
# };
# };
# age.secrets.hostapd-pw-experimental-tower.file = ../../secrets/hostapd-pw-experimental-tower.age;
# age.secrets.hostapd-pw-CXNK00BF9176.file = ../../secrets/hostapd-pw-CXNK00BF9176.age;
# hardware.firmware = [
# pkgs.mt7916-firmware
# ];
# nixpkgs.overlays = [
# (self: super: {
# mt7916-firmware = pkgs.stdenvNoCC.mkDerivation {
# pname = "mt7916-firmware";
# version = "custom-feb-02-23";
# src = ./firmware/mediatek; # from here https://github.com/openwrt/mt76/issues/720#issuecomment-1413537674
# dontBuild = true;
# installPhase = ''
# for i in \
# mt7916_eeprom.bin \
# mt7916_rom_patch.bin \
# mt7916_wa.bin \
# mt7916_wm.bin;
# do
# install -D -pm644 $i $out/lib/firmware/mediatek/$i
# done
# '';
# meta = with lib; {
# license = licenses.unfreeRedistributableFirmware;
# };
# };
# })
# ];
};
}

297
machines/storage/s0/dashy.nix Normal file
View File

@ -0,0 +1,297 @@
{
appConfig = {
theme = "vaporware";
customColors = {
"material-dark-original" = {
primary = "#f36558";
background = "#39434C";
"background-darker" = "#eb615c";
"material-light" = "#f36558";
"item-text-color" = "#ff948a";
"curve-factor" = "5px";
};
};
enableErrorReporting = false;
layout = "auto";
iconSize = "large";
language = "en";
startingView = "default";
defaultOpeningMethod = "sametab";
statusCheck = true;
statusCheckInterval = 20;
faviconApi = "faviconkit";
routingMode = "history";
enableMultiTasking = false;
webSearch = {
disableWebSearch = false;
searchEngine = "duckduckgo";
openingMethod = "sametab";
searchBangs = { };
};
enableFontAwesome = true;
cssThemes = [ ];
externalStyleSheet = [ ];
hideComponents = {
hideHeading = false;
hideNav = false;
hideSearch = false;
hideSettings = false;
hideFooter = false;
hideSplashScreen = false;
};
auth = {
enableGuestAccess = false;
users = [ ];
enableKeycloak = false;
keycloak = { };
};
allowConfigEdit = true;
enableServiceWorker = false;
disableContextMenu = false;
disableUpdateChecks = false;
disableSmartSort = false;
};
pageInfo = {
title = "s0";
description = "s0";
};
sections = [
(
let
# Define the media section items once.
mediaItems = {
jellyfin = {
title = "Jellyfin";
icon = "hl-jellyfin";
url = "https://jellyfin.s0.neet.dev";
target = "sametab";
statusCheck = false;
id = "0_1956_jellyfin";
};
sonarr = {
title = "Sonarr";
description = "Manage TV";
icon = "hl-sonarr";
url = "https://sonarr.s0.neet.dev";
target = "sametab";
statusCheck = false;
id = "1_1956_sonarr";
};
radarr = {
title = "Radarr";
description = "Manage Movies";
icon = "hl-radarr";
url = "https://radarr.s0.neet.dev";
target = "sametab";
statusCheck = false;
id = "2_1956_radarr";
};
lidarr = {
title = "Lidarr";
description = "Manage Music";
icon = "hl-lidarr";
url = "https://lidarr.s0.neet.dev";
target = "sametab";
statusCheck = false;
id = "3_1956_lidarr";
};
prowlarr = {
title = "Prowlarr";
description = "Indexers";
icon = "hl-prowlarr";
url = "https://prowlarr.s0.neet.dev";
target = "sametab";
statusCheck = false;
id = "4_1956_prowlarr";
};
bazarr = {
title = "Bazarr";
description = "Subtitles";
icon = "hl-bazarr";
url = "https://bazarr.s0.neet.dev";
target = "sametab";
statusCheck = false;
id = "5_1956_bazarr";
};
navidrome = {
title = "Navidrome";
description = "Play Music";
icon = "hl-navidrome";
url = "https://music.s0.neet.dev";
target = "sametab";
statusCheck = false;
id = "6_1956_navidrome";
};
transmission = {
title = "Transmission";
description = "Torrenting";
icon = "hl-transmission";
url = "https://transmission.s0.neet.dev";
target = "sametab";
statusCheck = false;
id = "7_1956_transmission";
};
};
# Build the list once.
mediaList = [
mediaItems.jellyfin
mediaItems.sonarr
mediaItems.radarr
mediaItems.lidarr
mediaItems.prowlarr
mediaItems.bazarr
mediaItems.navidrome
mediaItems.transmission
];
in
{
name = "Media & Entertainment";
icon = "fas fa-photo-video";
displayData = {
sortBy = "most-used";
cols = 1;
rows = 1;
collapsed = false;
hideForGuests = false;
};
items = mediaList;
filteredItems = mediaList;
}
)
(
let
networkItems = {
gateway = {
title = "Gateway";
description = "openwrt";
icon = "hl-openwrt";
url = "http://openwrt.lan/";
target = "sametab";
statusCheck = true;
id = "0_746_gateway";
};
wireless = {
title = "Wireless";
description = "openwrt (ish)";
icon = "hl-openwrt";
url = "http://PacketProvocateur.lan";
target = "sametab";
statusCheck = true;
id = "1_746_wireless";
};
};
networkList = [
networkItems.gateway
networkItems.wireless
];
in
{
name = "Network";
icon = "fas fa-network-wired";
items = networkList;
filteredItems = networkList;
displayData = {
sortBy = "default";
rows = 1;
cols = 1;
collapsed = false;
hideForGuests = false;
};
}
)
(
let
servicesItems = {
matrix = {
title = "Matrix";
description = "";
icon = "hl-matrix";
url = "https://chat.neet.space";
target = "sametab";
statusCheck = true;
id = "0_836_matrix";
};
mumble = {
title = "Mumble";
description = "voice.neet.space";
icon = "hl-mumble";
url = "https://voice.neet.space";
target = "sametab";
statusCheck = false;
id = "2_836_mumble";
};
irc = {
title = "IRC";
description = "irc.neet.dev";
icon = "hl-thelounge";
url = "https://irc.neet.dev";
target = "sametab";
statusCheck = true;
id = "3_836_irc";
};
git = {
title = "Git";
description = "git.neet.dev";
icon = "hl-gitea";
url = "https://git.neet.dev";
target = "sametab";
statusCheck = true;
id = "4_836_git";
};
nextcloud = {
title = "Nextcloud";
description = "neet.cloud";
icon = "hl-nextcloud";
url = "https://neet.cloud";
target = "sametab";
statusCheck = true;
id = "5_836_nextcloud";
};
roundcube = {
title = "Roundcube";
description = "mail.neet.dev";
icon = "hl-roundcube";
url = "https://mail.neet.dev";
target = "sametab";
statusCheck = true;
id = "6_836_roundcube";
};
jitsimeet = {
title = "Jitsi Meet";
description = "meet.neet.space";
icon = "hl-jitsimeet";
url = "https://meet.neet.space";
target = "sametab";
statusCheck = true;
id = "7_836_jitsimeet";
};
};
servicesList = [
servicesItems.matrix
servicesItems.mumble
servicesItems.irc
servicesItems.git
servicesItems.nextcloud
servicesItems.roundcube
servicesItems.jitsimeet
];
in
{
name = "Services";
icon = "fas fa-monitor-heart-rate";
items = servicesList;
filteredItems = servicesList;
displayData = {
sortBy = "default";
rows = 1;
cols = 1;
collapsed = false;
hideForGuests = false;
};
}
)
];
}

241
machines/storage/s0/dashy.yaml
View File

@ -1,241 +0,0 @@
appConfig:
theme: vaporware
customColors:
material-dark-original:
primary: '#f36558'
background: '#39434C'
background-darker: '#eb615c'
material-light: '#f36558'
item-text-color: '#ff948a'
curve-factor: 5px
enableErrorReporting: false
layout: auto
iconSize: large
language: en
startingView: default
defaultOpeningMethod: sametab
statusCheck: true
statusCheckInterval: 20
faviconApi: faviconkit
routingMode: history
enableMultiTasking: false
webSearch:
disableWebSearch: false
searchEngine: duckduckgo
openingMethod: sametab
searchBangs: {}
enableFontAwesome: true
cssThemes: []
externalStyleSheet: []
hideComponents:
hideHeading: false
hideNav: false
hideSearch: false
hideSettings: false
hideFooter: false
hideSplashScreen: false
auth:
enableGuestAccess: false
users: []
enableKeycloak: false
keycloak: {}
allowConfigEdit: true
enableServiceWorker: false
disableContextMenu: false
disableUpdateChecks: false
disableSmartSort: false
pageInfo:
title: s0
description: s0
sections:
- name: Media & Entertainment
icon: fas fa-photo-video
displayData:
sortBy: most-used
cols: 1
rows: 1
collapsed: false
hideForGuests: false
items:
- &ref_0
title: Jellyfin
icon: hl-jellyfin
url: https://jellyfin.s0.neet.dev
target: sametab
statusCheck: false
id: 0_1956_jellyfin
- &ref_1
title: Sonarr
description: Manage TV
icon: hl-sonarr
url: https://sonarr.s0.neet.dev
target: sametab
statusCheck: false
id: 1_1956_sonarr
- &ref_2
title: Radarr
description: Manage Movies
icon: hl-radarr
url: https://radarr.s0.neet.dev
target: sametab
statusCheck: false
id: 2_1956_radarr
- &ref_3
title: Lidarr
description: Manage Music
icon: hl-lidarr
url: https://lidarr.s0.neet.dev
target: sametab
statusCheck: false
id: 3_1956_lidarr
- &ref_4
title: Prowlarr
description: Indexers
icon: hl-prowlarr
url: https://prowlarr.s0.neet.dev
target: sametab
statusCheck: false
id: 4_1956_prowlarr
- &ref_5
title: Bazarr
description: Subtitles
icon: hl-bazarr
url: https://bazarr.s0.neet.dev
target: sametab
statusCheck: false
id: 5_1956_bazarr
- &ref_6
title: Navidrome
description: Play Music
icon: hl-navidrome
url: https://music.s0.neet.dev
target: sametab
statusCheck: false
id: 6_1956_navidrome
- &ref_7
title: Transmission
description: Torrenting
icon: hl-transmission
url: https://transmission.s0.neet.dev
target: sametab
statusCheck: false
id: 7_1956_transmission
filteredItems:
- *ref_0
- *ref_1
- *ref_2
- *ref_3
- *ref_4
- *ref_5
- *ref_6
- *ref_7
- name: Network
icon: fas fa-network-wired
items:
- &ref_8
title: Gateway
description: openwrt
icon: hl-openwrt
url: http://openwrt.lan/
target: sametab
statusCheck: true
id: 0_746_gateway
- &ref_9
title: Wireless
description: openwrt (ish)
icon: hl-openwrt
url: http://PacketProvocateur.lan
target: sametab
statusCheck: true
id: 1_746_wireless
filteredItems:
- *ref_8
- *ref_9
displayData:
sortBy: default
rows: 1
cols: 1
collapsed: false
hideForGuests: false
- name: Services
icon: fas fa-monitor-heart-rate
items:
- &ref_10
title: Matrix
description: ''
icon: hl-matrix
url: https://chat.neet.space
target: sametab
statusCheck: true
id: 0_836_matrix
- &ref_11
title: Radio
description: Radio service
icon: generative
url: https://radio.runyan.org
target: sametab
statusCheck: true
id: 1_836_radio
- &ref_12
title: Mumble
description: voice.neet.space
icon: hl-mumble
url: https://voice.neet.space
target: sametab
statusCheck: false
id: 2_836_mumble
- &ref_13
title: IRC
description: irc.neet.dev
icon: hl-thelounge
url: https://irc.neet.dev
target: sametab
statusCheck: true
id: 3_836_irc
- &ref_14
title: Git
description: git.neet.dev
icon: hl-gitea
url: https://git.neet.dev
target: sametab
statusCheck: true
id: 4_836_git
- &ref_15
title: Nextcloud
description: neet.cloud
icon: hl-nextcloud
url: https://neet.cloud
target: sametab
statusCheck: true
id: 5_836_nextcloud
- &ref_16
title: Roundcube
description: mail.neet.dev
icon: hl-roundcube
url: https://mail.neet.dev
target: sametab
statusCheck: true
id: 6_836_roundcube
- &ref_17
title: Jitsi Meet
description: meet.neet.space
icon: hl-jitsimeet
url: https://meet.neet.space
target: sametab
statusCheck: true
id: 7_836_jitsimeet
filteredItems:
- *ref_10
- *ref_11
- *ref_12
- *ref_13
- *ref_14
- *ref_15
- *ref_16
- *ref_17
displayData:
sortBy: default
rows: 1
cols: 1
collapsed: false
hideForGuests: false

141
machines/storage/s0/default.nix
View File

@ -20,13 +20,13 @@
secretKeyFile = "/run/agenix/binary-cache-private-key";
};
age.secrets.binary-cache-private-key.file = ../../../secrets/binary-cache-private-key.age;
users.users.cache-push = {
isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpUZFFL9BpBVqeeU63sFPhR9ewuhEZerTCDIGW1NPSB" ];
};
nix.settings = {
trusted-users = [ "cache-push" ];
};
# users.users.cache-push = {
# isNormalUser = true;
# openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpUZFFL9BpBVqeeU63sFPhR9ewuhEZerTCDIGW1NPSB" ];
# };
# nix.settings = {
# trusted-users = [ "cache-push" ];
# };
services.iperf3.enable = true;
services.iperf3.openFirewall = true;
@ -75,6 +75,32 @@
services.lidarr.enable = true;
services.lidarr.user = "public_data";
services.lidarr.group = "public_data";
services.recyclarr = {
enable = true;
configuration = {
radarr.radarr_main = {
api_key = {
_secret = "/run/credentials/recyclarr.service/radarr-api-key";
};
base_url = "http://localhost:7878";
quality_definition.type = "movie";
};
sonarr.sonarr_main = {
api_key = {
_secret = "/run/credentials/recyclarr.service/sonarr-api-key";
};
base_url = "http://localhost:8989";
quality_definition.type = "series";
};
};
};
systemd.services.recyclarr.serviceConfig.LoadCredential = [
"radarr-api-key:/run/agenix/radarr-api-key"
"sonarr-api-key:/run/agenix/sonarr-api-key"
];
services.transmission = {
enable = true;
@ -145,6 +171,8 @@
8686 # lidarr
9091 # transmission web
];
age.secrets.radarr-api-key.file = ../../../secrets/radarr-api-key.age;
age.secrets.sonarr-api-key.file = ../../../secrets/sonarr-api-key.age;
# jellyfin
# jellyfin cannot run in the vpn container and use hardware encoding
@ -154,7 +182,7 @@
nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
};
hardware.opengl = {
hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver
@ -171,17 +199,24 @@
openFirewall = false; # All nginx services are internal
virtualHosts =
let
mkVirtualHost = external: internal:
mkHost = external: config:
{
${external} = {
useACMEHost = "s0.neet.dev"; # Use wildcard cert
forceSSL = true;
locations."/" = {
proxyPass = internal;
proxyWebsockets = true;
};
locations."/" = config;
};
};
mkVirtualHost = external: internal:
mkHost external {
proxyPass = internal;
proxyWebsockets = true;
};
mkStaticHost = external: static:
mkHost external {
root = static;
tryFiles = "$uri /index.html ";
};
in
lib.mkMerge [
(mkVirtualHost "bazarr.s0.neet.dev" "http://vpn.containers:6767")
@ -193,7 +228,7 @@
(mkVirtualHost "unifi.s0.neet.dev" "https://localhost:8443")
(mkVirtualHost "music.s0.neet.dev" "http://localhost:4533")
(mkVirtualHost "jellyfin.s0.neet.dev" "http://localhost:8096")
(mkVirtualHost "s0.neet.dev" "http://localhost:56815")
(mkStaticHost "s0.neet.dev" config.services.dashy.finalDrv)
{
# Landing page LAN redirect
"s0" = {
@ -202,7 +237,7 @@
globalRedirect = "s0.neet.dev";
};
}
(mkVirtualHost "ha.s0.neet.dev" "http://localhost:8123") # home assistant
(mkVirtualHost "ha.s0.neet.dev" "http://localhost:${toString config.services.home-assistant.config.http.server_port}")
(mkVirtualHost "esphome.s0.neet.dev" "http://localhost:6052")
(mkVirtualHost "zigbee.s0.neet.dev" "http://localhost:55834")
{
@ -213,7 +248,13 @@
};
}
(mkVirtualHost "vacuum.s0.neet.dev" "http://192.168.1.125") # valetudo
(mkVirtualHost "sandman.s0.neet.dev" "http://192.168.9.14:3000") # es
(mkVirtualHost "todo.s0.neet.dev" "http://localhost:${toString config.services.vikunja.port}")
(mkVirtualHost "budget.s0.neet.dev" "http://localhost:${toString config.services.actual.settings.port}") # actual budget
(mkVirtualHost "linkwarden.s0.neet.dev" "http://localhost:${toString config.services.linkwarden.port}")
(mkVirtualHost "memos.s0.neet.dev" "http://localhost:${toString config.services.memos.port}")
(mkVirtualHost "outline.s0.neet.dev" "http://localhost:${toString config.services.outline.port}")
(mkVirtualHost "languagetool.s0.neet.dev" "http://localhost:${toString config.services.languagetool.port}")
];
tailscaleAuth = {
@ -234,6 +275,11 @@
"zigbee.s0.neet.dev"
"vacuum.s0.neet.dev"
"todo.s0.neet.dev"
"budget.s0.neet.dev"
"linkwarden.s0.neet.dev"
# "memos.s0.neet.dev" # messes up memos /auth route
# "outline.s0.neet.dev" # messes up outline /auth route
"languagetool.s0.neet.dev"
];
expectedTailnet = "koi-bebop.ts.net";
};
@ -254,7 +300,7 @@
virtualisation.podman.dockerSocket.enable = true; # TODO needed?
services.dashy = {
enable = true;
configFile = ./dashy.yaml;
settings = import ./dashy.nix;
};
services.unifi = {
@ -271,6 +317,69 @@
service.enableregistration = false;
};
};
backup.group."vikunja".paths = [
"/var/lib/vikunja"
];
services.actual.enable = true;
services.linkwarden = {
enable = true;
enableRegistration = true;
port = 41709;
environment.NEXTAUTH_URL = "https://linkwarden.s0.neet.dev/api/v1/auth";
environment.FLARESOLVERR_URL = "http://localhost:${toString config.services.flaresolverr.port}/v1";
environmentFile = "/run/agenix/linkwarden-environment";
package = pkgs.linkwarden.overrideAttrs (oldAttrs: {
# Add patch that adds support for flaresolverr
patches = oldAttrs.patches or [ ] ++ [
# https://github.com/linkwarden/linkwarden/pull/1251
../../../patches/linkwarden-flaresolverr.patch
];
});
};
age.secrets.linkwarden-environment.file = ../../../secrets/linkwarden-environment.age;
services.meilisearch = {
enable = true;
package = pkgs.meilisearch;
};
services.flaresolverr = {
enable = true;
port = 48072;
};
services.memos = {
enable = true;
address = "127.0.0.1";
port = 57643;
};
services.outline = {
enable = true;
forceHttps = false; # https through nginx
port = 43933;
publicUrl = "https://outline.s0.neet.dev";
storage.storageType = "local";
smtp = {
secure = true;
fromEmail = "robot@runyan.org";
username = "robot@runyan.org";
replyEmail = "robot@runyan.org";
host = "mail.neet.dev";
port = 465;
passwordFile = "/run/agenix/robots-email-pw";
};
};
age.secrets.robots-email-pw = {
file = ../../../secrets/robots-email-pw.age;
owner = config.services.outline.user;
};
services.languagetool = {
enable = true;
port = 60613;
};
boot.binfmt.emulatedSystems = [ "aarch64-linux" "armv7l-linux" ];
}

41
machines/storage/s0/frigate.nix
View File

@ -36,6 +36,11 @@ let
record = "preset-record-generic-audio-copy";
};
};
detect = {
width = 1280;
height = 720;
fps = 5;
};
};
};
services.go2rtc.settings.streams = lib.mkMerge [
@ -54,7 +59,7 @@ let
# - go2rtc: ${VAR}
# - frigate: {VAR}
primaryUrl = "rtsp://admin:\${FRIGATE_RTSP_PASSWORD}@${address}/cam/realmonitor?channel=1&subtype=0";
detectUrl = "rtsp://admin:{FRIGATE_RTSP_PASSWORD}@${address}/cam/realmonitor?channel=1&subtype=1";
detectUrl = "rtsp://admin:{FRIGATE_RTSP_PASSWORD}@${address}/cam/realmonitor?channel=1&subtype=3";
in
mkCamera name primaryUrl detectUrl;
@ -82,9 +87,11 @@ lib.mkMerge [
settings = {
mqtt = {
enabled = true;
host = "localhost:1883";
host = "localhost";
port = 1883;
user = "root";
password = "{FRIGATE_MQTT_PASSWORD}";
};
rtmp.enabled = false;
snapshots = {
enabled = true;
bounding_box = true;
@ -93,8 +100,9 @@ lib.mkMerge [
enabled = true;
# sync_recordings = true; # detect if recordings were deleted outside of frigate (expensive)
retain = {
days = 2; # Keep video for 2 days
mode = "motion";
days = 7; # Keep video for 7 days
mode = "all";
# mode = "motion";
};
events = {
retain = {
@ -106,7 +114,7 @@ lib.mkMerge [
};
# Make frigate aware of the go2rtc streams
go2rtc.streams = config.services.go2rtc.settings.streams;
detect.enabled = true;
detect.enabled = false; # :(
objects = {
track = [ "person" "dog" ];
};
@ -128,28 +136,19 @@ lib.mkMerge [
}
{
# hardware encode/decode with amdgpu vaapi
systemd.services.frigate = {
environment.LIBVA_DRIVER_NAME = "radeonsi";
serviceConfig = {
SupplementaryGroups = [ "render" "video" ]; # for access to dev/dri/*
AmbientCapabilities = "CAP_PERFMON";
};
};
services.frigate.vaapiDriver = "radeonsi";
services.frigate.settings.ffmpeg.hwaccel_args = "preset-vaapi";
}
{
# Coral TPU for frigate
services.udev.packages = [ pkgs.libedgetpu ];
users.groups.apex = { };
systemd.services.frigate.environment.LD_LIBRARY_PATH = "${pkgs.libedgetpu}/lib";
systemd.services.frigate.serviceConfig.SupplementaryGroups = [ "apex" ];
# Coral PCIe driver
kernel.enableGasketKernelModule = true;
services.frigate.settings.detectors.coral = {
type = "edgetpu";
device = "pci";
};
}
{
# Don't require authentication for frigate
# This is ok because the reverse proxy already requires tailscale access anyway
services.frigate.settings.auth.enabled = false;
}
]

32
machines/storage/s0/hardware-configuration.nix
View File

@ -22,7 +22,6 @@
# zfs
networking.hostId = "5e6791f0";
boot.supportedFilesystems = [ "zfs" ];
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
# luks
remoteLuksUnlock.enable = true;
@ -59,11 +58,34 @@
};
swapDevices = [ ];
networking.vlans = {
iot = {
id = 2;
interface = "eth1";
### networking ###
# systemd.network.enable = true;
networking = {
# useNetworkd = true;
dhcpcd.enable = false;
vlans = {
iot = {
id = 2;
interface = "eth1";
};
};
interfaces.eth1.ipv4.addresses = [{
address = "192.168.1.2";
prefixLength = 21;
}];
interfaces.iot.ipv4.addresses = [{
address = "192.168.9.8";
prefixLength = 22;
}];
defaultGateway = {
interface = "eth1";
address = "192.168.1.1";
};
nameservers = [ "1.1.1.1" "8.8.8.8" ];
};
powerManagement.cpuFreqGovernor = "powersave";

77
machines/storage/s0/home-automation.nix
View File

@ -3,19 +3,27 @@
{
services.esphome.enable = true;
# TODO lock down
services.mosquitto = {
enable = true;
listeners = [
{
acl = [ "pattern readwrite #" ];
omitPasswordAuth = true;
settings.allow_anonymous = true;
users.root = {
acl = [ "readwrite #" ];
hashedPassword = "$7$101$8+QnkTzCdGizaKqq$lpU4o84n6D/1uwfA9pZDVExr1NDm1D/8tNla2tE9J9HdUqkvu192yYfiySY1MFqVNgUKgWEFu5P1bUKqRnzbUw==";
};
}
];
};
networking.firewall.allowedTCPPorts = [
1883 # mqtt
# mqtt
1883
# Must be exposed so some local devices (such as HA voice preview) can pair with home assistant
config.services.home-assistant.config.http.server_port
# Music assistant (must be exposed so local devices can fetch the audio stream from it)
8095
8097
];
services.zigbee2mqtt = {
@ -24,11 +32,13 @@
homeassistant = true;
permit_join = false;
serial = {
adapter = "ember";
port = "/dev/ttyACM0";
};
mqtt = {
server = "mqtt://localhost:1883";
# base_topic = "zigbee2mqtt";
user = "root";
password = "!/run/agenix/zigbee2mqtt.yaml mqtt_password";
};
frontend = {
host = "localhost";
@ -36,11 +46,16 @@
};
};
};
age.secrets."zigbee2mqtt.yaml" = {
file = ../../../secrets/zigbee2mqtt.yaml.age;
owner = "zigbee2mqtt";
};
services.home-assistant = {
enable = true;
extraComponents = [
"default_config"
"rest_command"
"esphome"
"met"
"radio_browser"
@ -68,13 +83,23 @@
"homekit_controller"
"zha"
"bluetooth"
"whisper"
"piper"
"wyoming"
"tts"
"music_assistant"
"openai_conversation"
];
# config = null;
config = {
# Includes dependencies for a basic setup
# https://www.home-assistant.io/integrations/default_config/
default_config = { };
homeassistant = {
external_url = "https://ha.s0.neet.dev";
internal_url = "http://192.168.1.2:${toString config.services.home-assistant.config.http.server_port}";
};
# Enable reverse proxy support
http = {
use_x_forwarded_for = true;
@ -88,6 +113,44 @@
];
# Allow using automations generated from the UI
"automation ui" = "!include automations.yaml";
"rest_command" = {
json_post_request = {
url = "{{ url }}";
method = "POST";
content_type = "application/json";
payload = "{{ payload | default('{}') }}";
};
};
};
};
services.wyoming.faster-whisper.servers."hass" = {
enable = true;
uri = "tcp://0.0.0.0:45785";
model = "distil-small.en";
language = "en";
};
services.wyoming.piper.servers."hass" = {
enable = true;
uri = "tcp://0.0.0.0:45786";
voice = "en_US-joe-medium";
};
services.music-assistant = {
enable = true;
providers = [
"hass"
"hass_players"
"jellyfin"
"radiobrowser"
"spotify"
];
};
networking.hosts = {
# Workaround for broken spotify api integration
# https://github.com/librespot-org/librespot/issues/1527#issuecomment-3167094158
"0.0.0.0" = [ "apresolve.spotify.com" ];
};
}

7
machines/storage/s0/properties.nix
View File

@ -1,6 +1,7 @@
{
hostNames = [
"s0"
"s0.neet.dev"
];
arch = "x86_64-linux";
@ -12,12 +13,18 @@
"binary-cache"
"gitea-actions-runner"
"frigate"
"zigbee"
"media-server"
"linkwarden"
"outline"
];
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";
remoteUnlock = {
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNiceeFMos5ZXcYem4yFxh8PiZNNnuvhlyLbQLrgIZH";
clearnetHost = "192.168.1.2";
onionHost = "r3zvf7f2ppaeithzswigma46pajt3hqytmkg3rshgknbl3jbni455fqd.onion";
};
}

8
machines/zoidberg/default.nix
View File

@ -5,8 +5,6 @@
./hardware-configuration.nix
];
de.enable = true;
# Login DE Option: Steam
programs.steam.gamescopeSession.enable = true;
# programs.gamescope.capSysNice = true;
@ -33,9 +31,9 @@
hardware.enableAllFirmware = true;
# ROCm
hardware.opengl.extraPackages = with pkgs; [
rocm-opencl-icd
rocm-opencl-runtime
hardware.graphics.extraPackages = with pkgs; [
rocmPackages.clr.icd
rocmPackages.clr
];
systemd.tmpfiles.rules = [
"L+ /opt/rocm/hip - - - - ${pkgs.rocmPackages.clr}"

13
machines/zoidberg/hardware-configuration.nix
View File

@ -17,16 +17,17 @@
boot.extraModulePackages = [ ];
boot.kernelPackages = pkgs.linuxPackages_latest;
# luks unlock with clevis
boot.initrd.systemd.enable = true;
boot.initrd.clevis = {
enable = true;
devices."enc-pv".secretFile = "/secret/decrypt.jwe";
};
# disks
remoteLuksUnlock.enable = true;
boot.initrd.luks.devices."enc-pv" = {
device = "/dev/disk/by-uuid/04231c41-2f13-49c0-8fce-0357eea67990";
allowDiscards = true;
# Fetch key from USB drive
keyFileSize = 4096;
keyFile = "/dev/disk/by-id/usb-Mass_Storage_Device_121220160204-0:0-part2";
fallbackToPassword = true;
};
fileSystems."/" =
{

39
overlays/actualbudget/default.nix
View File

@ -1,39 +0,0 @@
{ lib
, buildNpmPackage
, fetchFromGitHub
, python3
, nodejs
, runtimeShell
}:
buildNpmPackage rec {
pname = "actual-server";
version = "24.10.1";
src = fetchFromGitHub {
owner = "actualbudget";
repo = pname;
rev = "refs/tags/v${version}";
hash = "sha256-VJAD+lNamwuYmiPJLXkum6piGi5zLOHBp8cUeZagb4s=";
};
npmDepsHash = "sha256-Z2e4+JMhI/keLerT0F4WYdLnXHRQCqL7NjNyA9SFEF8=";
patches = [
./migrations-should-use-pkg-path.patch
];
postPatch = ''
cp ${./package-lock.json} package-lock.json
'';
dontNpmBuild = true;
postInstall = ''
mkdir -p $out/bin
cat <<EOF > $out/bin/actual-server
#!${runtimeShell}
exec ${nodejs}/bin/node $out/lib/node_modules/actual-sync/app.js "\$@"
EOF
chmod +x $out/bin/actual-server
'';
}

48
overlays/actualbudget/migrations-should-use-pkg-path.patch
View File

@ -1,48 +0,0 @@
diff --git a/src/load-config.js b/src/load-config.js
index d99ce42..42d1351 100644
--- a/src/load-config.js
+++ b/src/load-config.js
@@ -3,7 +3,8 @@ import path from 'node:path';
import { fileURLToPath } from 'node:url';
import createDebug from 'debug';
-const debug = createDebug('actual:config');
+// const debug = createDebug('actual:config');
+const debug = console.log;
const debugSensitive = createDebug('actual-sensitive:config');
const projectRoot = path.dirname(path.dirname(fileURLToPath(import.meta.url)));
@@ -108,6 +109,7 @@ const finalConfig = {
serverFiles: process.env.ACTUAL_SERVER_FILES || config.serverFiles,
userFiles: process.env.ACTUAL_USER_FILES || config.userFiles,
webRoot: process.env.ACTUAL_WEB_ROOT || config.webRoot,
+ dataDir: process.env.ACTUAL_DATA_DIR || config.dataDir,
https:
process.env.ACTUAL_HTTPS_KEY && process.env.ACTUAL_HTTPS_CERT
? {
diff --git a/src/migrations.js b/src/migrations.js
index cba7db0..9983471 100644
--- a/src/migrations.js
+++ b/src/migrations.js
@@ -1,6 +1,12 @@
import migrate from 'migrate';
import path from 'node:path';
import config from './load-config.js';
+import { fileURLToPath } from 'url';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+const appRoot = path.dirname(__dirname);
+const migrationsDirectory = path.join(appRoot, "migrations");
export default function run(direction = 'up') {
console.log(
@@ -13,7 +19,7 @@ export default function run(direction = 'up') {
stateStore: `${path.join(config.dataDir, '.migrate')}${
config.mode === 'test' ? '-test' : ''
}`,
- migrationsDirectory: `${path.join(config.projectRoot, 'migrations')}`,
+ migrationsDirectory
},
(err, set) => {
if (err) {

8954
overlays/actualbudget/package-lock.json generated
View File

File diff suppressed because it is too large Load Diff

10
overlays/default.nix
View File

@ -3,13 +3,5 @@ final: prev:
let
system = prev.system;
frigatePkgs = inputs.nixpkgs-frigate.legacyPackages.${system};
in
{
# It seems that libedgetpu needs to be built with the newer version of tensorflow in nixpkgs
# but I am lazy so I instead just downgrade by using the old nixpkgs
libedgetpu = frigatePkgs.callPackage ./libedgetpu { };
frigate = frigatePkgs.frigate;
actual-server = prev.callPackage ./actualbudget { };
}
{ }

10
overlays/kernel-modules/default.nix
View File

@ -7,13 +7,5 @@
let
cfg = config.kernel;
gasket = config.boot.kernelPackages.callPackage ./gasket.nix { };
in
{
options.kernel.enableGasketKernelModule = lib.mkEnableOption "Enable Gasket Kernel Module";
config = lib.mkIf cfg.enableGasketKernelModule {
boot.extraModulePackages = [ gasket ];
};
}
{ }

36
overlays/kernel-modules/gasket.nix
View File

@ -1,36 +0,0 @@
{ stdenv, lib, fetchFromGitHub, kernel }:
stdenv.mkDerivation rec {
pname = "gasket";
version = "1.0-18-unstable-2023-09-05";
src = fetchFromGitHub {
owner = "google";
repo = "gasket-driver";
rev = "5815ee3908a46a415aac616ac7b9aedcb98a504c";
sha256 = "sha256-O17+msok1fY5tdX1DvqYVw6plkUDF25i8sqwd6mxYf8=";
};
makeFlags = kernel.makeFlags ++ [
"-C"
"${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
"M=$(PWD)"
];
buildFlags = [ "modules" ];
installFlags = [ "INSTALL_MOD_PATH=${placeholder "out"}" ];
installTargets = [ "modules_install" ];
sourceRoot = "${src.name}/src";
hardeningDisable = [ "pic" "format" ];
nativeBuildInputs = kernel.moduleBuildDependencies;
meta = with lib; {
description = "The Coral Gasket Driver allows usage of the Coral EdgeTPU on Linux systems.";
homepage = "https://github.com/google/gasket-driver";
license = licenses.gpl2;
maintainers = [ lib.maintainers.kylehendricks ];
platforms = platforms.linux;
broken = versionOlder kernel.version "5.15";
};
}

72
overlays/libedgetpu/default.nix
View File

@ -1,72 +0,0 @@
{ stdenv
, lib
, fetchFromGitHub
, libusb1
, abseil-cpp
, flatbuffers
, xxd
}:
let
flatbuffers_1_12 = flatbuffers.overrideAttrs (oldAttrs: rec {
version = "1.12.0";
NIX_CFLAGS_COMPILE = "-Wno-error=class-memaccess -Wno-error=maybe-uninitialized";
cmakeFlags = (oldAttrs.cmakeFlags or [ ]) ++ [ "-DFLATBUFFERS_BUILD_SHAREDLIB=ON" ];
NIX_CXXSTDLIB_COMPILE = "-std=c++17";
configureFlags = (oldAttrs.configureFlags or [ ]) ++ [ "--enable-shared" ];
src = fetchFromGitHub {
owner = "google";
repo = "flatbuffers";
rev = "v${version}";
sha256 = "sha256-L1B5Y/c897Jg9fGwT2J3+vaXsZ+lfXnskp8Gto1p/Tg=";
};
});
in
stdenv.mkDerivation rec {
pname = "libedgetpu";
version = "grouper";
src = fetchFromGitHub {
owner = "google-coral";
repo = pname;
rev = "release-${version}";
sha256 = "sha256-73hwItimf88Iqnb40lk4ul/PzmCNIfdt6Afi+xjNiBE=";
};
patches = [ ./libedgetpu-stddef.diff ];
makeFlags = [ "-f" "makefile_build/Makefile" "libedgetpu" ];
buildInputs = [
libusb1
abseil-cpp
flatbuffers_1_12
];
nativeBuildInputs = [
xxd
];
NIX_CXXSTDLIB_COMPILE = "-std=c++17";
TFROOT = "${fetchFromGitHub {
owner = "tensorflow";
repo = "tensorflow";
rev = "v2.7.4";
sha256 = "sha256-liDbUAdaVllB0b74aBeqNxkYNu/zPy7k3CevzRF5dk0=";
}}";
enableParallelBuilding = false;
installPhase = ''
mkdir -p $out/lib
cp out/direct/k8/libedgetpu.so.1.0 $out/lib
ln -s $out/lib/libedgetpu.so.1.0 $out/lib/libedgetpu.so.1
mkdir -p $out/lib/udev/rules.d
cp debian/edgetpu-accelerator.rules $out/lib/udev/rules.d/99-edgetpu-accelerator.rules
# PCIe rule
echo 'SUBSYSTEM=="apex", MODE="0660", GROUP="apex"' > $out/lib/udev/rules.d/65-apex.rules
'';
}

12
overlays/libedgetpu/libedgetpu-stddef.diff
View File

@ -1,12 +0,0 @@
diff --git a/api/allocated_buffer.h b/api/allocated_buffer.h
index 97740f0..7bc0547 100644
--- a/api/allocated_buffer.h
+++ b/api/allocated_buffer.h
@@ -16,6 +16,7 @@
#define DARWINN_API_ALLOCATED_BUFFER_H_
#include <functional>
+#include <cstddef>
namespace platforms {
namespace darwinn {

15
patches/dont-break-nix-serve.patch Normal file
View File

@ -0,0 +1,15 @@
diff --git a/nixos/modules/services/video/frigate.nix b/nixos/modules/services/video/frigate.nix
index 49f8ed673816..643b59d68dde 100644
--- a/nixos/modules/services/video/frigate.nix
+++ b/nixos/modules/services/video/frigate.nix
@@ -482,10 +482,6 @@ in
};
};
extraConfig = ''
- # Frigate wants to connect on 127.0.0.1:5000 for unauthenticated requests
- # https://github.com/NixOS/nixpkgs/issues/370349
- listen 127.0.0.1:5000;
-
# vod settings
vod_base_url "";
vod_segments_base_url "";

28
patches/librespot-pin.patch Normal file
View File

@ -0,0 +1,28 @@
diff --git a/pkgs/applications/audio/librespot/default.nix b/pkgs/applications/audio/librespot/default.nix
index 9694c3d0cf4f..ca9502de7ee1 100644
--- a/pkgs/applications/audio/librespot/default.nix
+++ b/pkgs/applications/audio/librespot/default.nix
@@ -25,14 +25,19 @@ rustPlatform.buildRustPackage rec {
version = "0.6.0";
src = fetchFromGitHub {
- owner = "librespot-org";
+ owner = "googlebot42";
repo = "librespot";
- rev = "v${version}";
- sha256 = "sha256-dGQDRb7fgIkXelZKa+PdodIs9DxbgEMlVGJjK/hU3Mo=";
+ rev = "786cc46199e583f304a84c786acb0a9b37bc3fbd";
+ sha256 = "sha256-xaOrqC8yCjF23Tz31RD3CzqZ3xxrDM6ncW1yoovEaGQ=";
};
useFetchCargoVendor = true;
- cargoHash = "sha256-SqvJSHkyd1IicT6c4pE96dBJNNodULhpyG14HRGVWCk=";
+ cargoHash = "sha256-sUAZgOuBD9CGAy1mRqLRzVnVfxB0DqSCNAc2yzItTCA=";
+
+ cargoBuildFlags = [
+ "--features"
+ "passthrough-decoder"
+ ];
nativeBuildInputs = [
pkg-config

144
patches/linkwarden-flaresolverr.patch Normal file
View File

@ -0,0 +1,144 @@
commit 3dac9f081f267e4a528decbd9d50e1f45ea7c2ba
Author: SteveImmanuel <steve@telepix.net>
Date: Fri Jun 27 13:07:38 2025 +0900
Add flaresolverr support into linkwarden
diff --git a/.env.sample b/.env.sample
index bd3abcb0..0ca96d92 100644
--- a/.env.sample
+++ b/.env.sample
@@ -43,6 +43,7 @@ TEXT_CONTENT_LIMIT=
SEARCH_FILTER_LIMIT=
INDEX_TAKE_COUNT=
MEILI_TIMEOUT=
+FLARESOLVERR_URL=
# AI Settings
NEXT_PUBLIC_OLLAMA_ENDPOINT_URL=
diff --git a/apps/worker/lib/archiveHandler.ts b/apps/worker/lib/archiveHandler.ts
index 8ae19e2c..6c8656b2 100644
--- a/apps/worker/lib/archiveHandler.ts
+++ b/apps/worker/lib/archiveHandler.ts
@@ -6,6 +6,7 @@ import {
chromium,
devices,
} from "playwright";
+import axios from 'axios';
import { prisma } from "@linkwarden/prisma";
import sendToWayback from "./preservationScheme/sendToWayback";
import { AiTaggingMethod } from "@linkwarden/prisma/client";
@@ -75,6 +76,22 @@ export default async function archiveHandler(
});
const { browser, context } = await getBrowser();
+
+ const captchaSolve = await solveCaptcha(link.url);
+
+ if (captchaSolve.status === 'error') {
+ console.error('Error solving captcha');
+ } else if (captchaSolve.status === 'fail') {
+ console.warn('Failed solving captcha');
+ } else if (captchaSolve.status === 'skip') {
+ console.info('Skip solving captcha');
+ } else {
+ if (captchaSolve.solution) {
+ console.info('Solving captcha');
+ await context.addCookies(captchaSolve.solution.cookies);
+ }
+ }
+
const page = await context.newPage();
createFolder({ filePath: `archives/preview/${link.collectionId}` });
@@ -105,6 +122,7 @@ export default async function archiveHandler(
aiTag: user.aiTaggingMethod !== AiTaggingMethod.DISABLED,
};
+ let newLinkName = '';
try {
await Promise.race([
(async () => {
@@ -127,6 +145,7 @@ export default async function archiveHandler(
// archive url
await page.goto(link.url, { waitUntil: "domcontentloaded" });
+ newLinkName = await page.title();
const metaDescription = await page.evaluate(() => {
const description = document.querySelector(
@@ -186,10 +205,16 @@ export default async function archiveHandler(
where: { id: link.id },
});
- if (finalLink)
+ if (finalLink) {
+ // Replace the captcha-blocked link name if it has not been updated by user, else keep the same name
+ if (newLinkName === '' || finalLink.name === newLinkName || finalLink.name !== 'Just a moment...') {
+ newLinkName = finalLink.name;
+ }
+
await prisma.link.update({
where: { id: link.id },
data: {
+ name: newLinkName,
lastPreserved: new Date().toISOString(),
readable: !finalLink.readable ? "unavailable" : undefined,
image: !finalLink.image ? "unavailable" : undefined,
@@ -203,6 +228,7 @@ export default async function archiveHandler(
: undefined,
},
});
+ }
else {
await removeFiles(link.id, link.collectionId);
}
@@ -271,6 +297,48 @@ export function getBrowserOptions(): LaunchOptions {
return browserOptions;
}
+async function solveCaptcha(url: string, maxTimeout: number = 60000): Promise<{
+ status: string,
+ solution?: {
+ cookies: {
+ name: string,
+ value: string,
+ domain: string,
+ path: string,
+ secure: boolean,
+ expires?: number,
+ httpOnly?: boolean,
+ sameSite?: "Strict" | "Lax" | "None"
+ }[],
+ }
+}> {
+ if (process.env.FLARESOLVERR_URL) {
+ try {
+ const response = await axios.post(process.env.FLARESOLVERR_URL,
+ {
+ cmd: 'request.get',
+ url,
+ maxTimeout
+ },
+ {
+ headers: { 'Content-Type': 'application/json' }
+ }
+ )
+
+ if (response.status !== 200) {
+ return { status: 'fail' };
+ }
+
+ return { status: response.data.status, solution: response.data.solution };
+ } catch (error) {
+ console.error('Error during captcha solving:', error);
+ return { status: 'error' };
+ }
+ }
+
+ return { status: 'skip' };
+}
+
async function getBrowser(): Promise<{
browser: Browser;
context: BrowserContext;

BIN
secrets/backblaze-s3-backups.age
View File

Binary file not shown.

BIN
secrets/binary-cache-private-key.age
View File

Binary file not shown.

BIN
secrets/binary-cache-push-sshkey.age
View File

Binary file not shown.

17
secrets/cris-hashed-email-pw.age
View File

@ -1,10 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 6AT2/g WZ9p/pCsEDpKbgGDLcTtisn25kExQX9iv+tL3wyPwiY
vom2z9QRIQSFB0+4/7lSWUEB0eoAG+08nXgiUg/OSX4
-> ssh-ed25519 w3nu8g ECLZwCRJVJqyUMf70EOl2/3ExTruKaxCSQlY5fBZqxk
VemnmGpzx1VprkybW1hPlkfmiDaNcBDoEzX0mDZgmu0
-> ssh-ed25519 dMQYog QiPsbFE8MtXnRNBwkUEC+6grqXEbDstEtxYR8uJks2w
O3JWQGppFeZEd6o3W0KVTEIyNVGeLxKfTYTlgsAEVHQ
--- RncZzBFEyMAkpZRWrPORA0DPHuCTNswmWG5CMNnfm4A
ñ/¼ÔËõôŒ8nàÅ¥«¸7hîtä?T˜=%zˆ°[¤ÝØ!(…uÔdÇuò@
×¢EbƒyŽ¦ù¦D=Ü!„XþtÞÔ:#¦þþãÞXÈX@ú_M
-> ssh-ed25519 6AT2/g /5WB1i5RrjWIbnBErUWliedwnv8qTIsl8r8zbWNkOmA
wr8fN2FbNnCRUNgV3aZPQibXHy1MNjMP9SMK7urHL+o
-> ssh-ed25519 w3nu8g exWaIxM68nwycLphws0PRnRvvdOuT7h3xOZqndsAHxo
EIUTjS57F5MKGt6bJjaFxHnbTFzUrpmrTVqNZoQ060Y
-> ssh-ed25519 evqvfg SAQyzljqtBd65bpZo6yMsIAS1d5ymjKBoODjOQMUdTs
/roobEvljSoREVHygqLNKTJHWG6rDdhXmlc4BM/7Em8
--- Gp+OLOIN5aqR3G1fSM+Epdw4B6RTXrB99Ty/YUWI0S8
ÊžÁ<EFBFBD>¶…Àoÿ;¥3ŽeºÉ<>„Ôu âT éÄdŸ«‡ñüÈ<²y{ Jëë¶ñg]nŸþ+QX˜Øéóå´qEÜ™çƒ MþË/QàÓÔ#k­É[8(ß5

25
secrets/digitalocean-dns-credentials.age
View File

@ -1,11 +1,16 @@
age-encryption.org/v1
-> ssh-ed25519 WBT1Hw wjZGPvilRXGZsC2+7dWm/Nbau8Allv29WwQCr0XSAWU
uTOf/sokutOGDyc8fbTbBWXqCVQCFhGdHxwA6SXqhdA
-> ssh-ed25519 6AT2/g NU068qwqOWiKk0QwqP9vU4xJaND2OR4bo8xkmdWATgY
uGd0sb5PH+rREn9pgLOFwk29CX66aPBQMvr4rBazylc
-> ssh-ed25519 hPp1nw r2JRiZ7fsHPYDlte6Oh2Gx1KkugekFeeg3xSjziI+hQ
xnO0gscMdR25mj5uAX7D42FCbCQhqbU0wkiLX4OmVqk
-> ssh-ed25519 w3nu8g F03mPU63WwEs1SLUFErLOVCkARoggGIvvz9TFZfMOBY
HOdVA3xW9pqUPhclO6VueSfXg3ux06Ch3fucF6Vr4hM
--- niyo231HPT/+2dzflP+zhYjL9XiWsk7svesCYdkU1jA
ØQî¬5-ô@<40>¢¿—ßÐN5<4E> Ãÿ$Ø‚™’Çž…êÐ<C3AA>X=ŒHŽDÁ`P×5ZA´÷¼YóäÓ?¡é^[³1”6ÕK*mP݈ª­æ1æç÷ß›ƒ:$^ÑfDœ†ÿ“š-zi´"·Tàuÿüò
-> ssh-ed25519 WBT1Hw ZMrG+yubAhxfDf/hh8gSfxZuvM5hsOBQu/V/KfdcNyk
un2XWeWmt9pYLAk4n54A52T96sgvasNgD65AiYL9YO0
-> ssh-ed25519 6AT2/g KxgJ1UJ1amcXzpcFmFFi3C3umo70iwmL5GxDaqfk1j8
VZkDd3vgf1xX9kdzrDhmv2w/Ubq6UUJyw7UAkqmWlOU
-> ssh-ed25519 r848+g MXTm1V8lHIb4oHg0glttyooeECLn0uVrHaY5NzAE718
Qv+vEeuFz+sew5GmR17ALXKmpfByjwi2j93dMVAU5WY
-> ssh-ed25519 hPp1nw 7dxkddbQHdVi+7dpxBHXYi8pNgMsRjfj8KLqgJFYqQc
984ysvTIvdjJirkUIfNMEUVKkzUTCBDAOgLbKZj5AhU
-> ssh-ed25519 w3nu8g fC2KGM9/I2Sl0VHkYZy7YbvmF5CMWRIUahgGaGiZPVM
+IGvvjHj14bV9PS2r0L3pFNV+eDCE63ZmNdHfCG0yCw
-> ssh-ed25519 evqvfg fAr1POoqc5y1stRkCJfgCHSW8QXIPEiFZT0STSP931s
wFWWX6tPV0mV5HC3be7a2xr4Pax35rT16S0h7eiF990
--- N5A6/IK5wKwzUT20Hxu/37ovLEkLGGj7Y30p1hu5fNM
r&BãHA%ǺhŒRÕ²~!Ä<>{bÝ[ØU?k(µD
öB7[öùððb/ [¿YçÚÃy[yOCjT-9:†xâ²(;ÝüœXy\¬NhÄíòäLPö¼§y¿mG±—ÑÁfŽý4aT<²Š ‡çaŠè†@

14
secrets/frigate-credentials.age
View File

@ -1,7 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 hPp1nw Chke1ZtpXxN1c1+AnJ6Cd5kpM1KfQKTwymrfPW53QCA
jUcw8eitC7r0rwefjllndZjARIqpWoVqGCnefHfjQ6Y
-> ssh-ed25519 w3nu8g KY/5bU1B5uvmfGHF2d6qBL1NYy64qo324rdvkgnXoDA
OBvuFtzZXQ0RmmEXelyzHMMiVqZir7zQJMA36ZH2siE
--- CSd7lYSYQ2fCTjkJLPGdaNGL8eVpE9IBEyFo0LW907M
£³$šO†ÈIß//Êw*ƒ™õD¤@u5o[¼â:·äš¥t¾˜]Jñ쮸™@Ùhþu£Àk;?·XüÁHRºÑ°E5¥ÍçÜ9
-> ssh-ed25519 hPp1nw p8uus03Jrn9HtEelmufFx2orYkSlyAq90L7bTm3n/GQ
Ki+Pf1RG27H2wmgxXz2u7fqlU2hrxTmBZCn8RMIh8wI
-> ssh-ed25519 w3nu8g UQQYC93hQLRIgaA5P3Upax2HzfNddWkjTkAyZF5/hFs
33fVUBBaJFRhDIuZoM8Rn1fd0JwqjmyXsbu4pioxXw4
-> ssh-ed25519 evqvfg /J1fpbZORlnYADjqAcF8kV81e+mlxXC4mhMwozG7YXw
KYAtHd1MyNiEKoN/RgBCOsn/uCvXIjusXPFWW4urMFY
--- KVdBWZjlOA44GAK3GubvPaXlbg1zdpxL7+rJ4hv4Lmo
X/{×[PĽćÎĹ+ł$_Z,t\#e¶ĐĂ ř>„,0ié©Ě°ÖVńB§QÍ8,Řëńú'JŞR×=´ŐLśęÉäęLłÝ@běđp?HĹM¦2—uÁňł€ŕÝp'g:ÄWŔ;YXs©ÍóN ĂO´m»y~Łň

18
secrets/gitea-actions-runner-token.age
View File

@ -1,11 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 WBT1Hw PbGwwDeulHF6kdh073rq0RvD1hlx6spnKNgKU+QeDAw
7dITwSQ2p1LZuaVEzLxcGOhB97MQT2zGoRrnNUMcOFk
-> ssh-ed25519 hPp1nw Dn+5Fpme+JmRZKkCkqtCuD87p+sDYDA6OZ2aUmBkCRs
Dgg3orXF4RYT/fHtc2tRuIhOQu48zICMqgPyV47vpf4
-> ssh-ed25519 w3nu8g dghNLDH1Tm+sm42HXDhrLFtmU4iDF1yCGrO2VSgzZjo
71scUVrGr4c4dunAFJYKd+uJ6aYJpSWBAk9swbv+IzM
-> ssh-ed25519 dMQYog Wnl1+rh0Q3YD2s1UD0OYVm39wY/Uw1NRK3K7EFhFMls
wXF6QBonlCalS1vI9cxzWgv1Gi+yAtYn6HrYCfpl5Nw
--- rLOoGk0iX+wuNd1CKv7g2PRd2Ic+8JHCQhrVBaF9zbE
<EFBFBD>òüüˤ/A¦Ì(ØiHC¸@¢Þð‰h`ˆ3ªá´' ¬ÚöáDì>ð¿¤~¸ÿÁö?ÑÃMêÙ@<40>t°(“Ò@ö׿^xÆ}
-> ssh-ed25519 hPp1nw 5wFHyqBRdZxUDa180U3RgrL4DWNF3BO60C1ytWdZvXM
anPvoQk7kvz/wBddKYquSZ7b6dslhIrhV8wnMpC725E
-> ssh-ed25519 w3nu8g McO3H/GkcqQavMokZhXAsRijGq0wiXzmN1GH29n12wg
ooFxa+vYd49JSwdj9Knc8iDFyxX4elDb3IjOjrC5Cmo
-> ssh-ed25519 evqvfg pW/T4WXURnk7G+HL+O3STBWkQ+5by7EgwOPTcMNakyw
HByJjWNhOg7PSms4Px9NO0FnFcMj1Ig2rOXhCNQri7Y
--- LCgnSaNDEKv8du0OxZoLtyF4W02E/6pC/e1h0+XDDGA
õViÁ°“ìbð[¾í<C2BE><C3AD>%þÚ{œtäL8àP[¦2z{g/KG®üÈAëZýåšœÂïàþ0pÃSg²…ó µ¿P³ÊYÊù—$•á

16
secrets/hashed-email-pw.age
View File

@ -1,9 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 6AT2/g 98/m3t8axoVBE6WzdxBtRhV2uSQKSCXwQjyxfWXPmQk
AxV0FTvqbWfk/gf65d05PcotbEnYr4PgDQnsaYxP/MU
-> ssh-ed25519 w3nu8g jys7B4COD4iINANeSCD3BqGFoghxTmsbuXoOOIiP+wQ
b7eSN5fe4szfliINOr7ZQ7AoSsIK5akmIQ6uLDabcIE
-> ssh-ed25519 dMQYog ToNUqTPYmxpz9OUcC94egELcPfHQHCErfHN6l9kSrRY
2KoSVoWp+FH29YfH57ri2KOvhkuqYew1+PXm99e0BaI
--- Cjk3E/MjgCF45aLlFeyoGiaUEZk/QuKtsvPb6GpzD8Q
m°å>‹“~czÆê匦†``ÜÏqX«š'ÁÎ%ôwÔž~×ÄL·eä'a±]û´LÉÀ‰%ÍYTÊÓc9f¡W¶Ã^¤9ÊõÙÝ2®™æ¶ÆBÌa ƒ™
-> ssh-ed25519 6AT2/g kH4DufpuybglKzupJsGvWKfWsZ5xhRwefdPKkx/AuW4
QrDu/vSbgEIgYSnraG5u37RNp6Mp6ARjqzAduy9iX/Y
-> ssh-ed25519 w3nu8g mBt4VQNJAMwcseVhc8k/mB5XThbQT48OnstkWaGQ8zQ
6w7lMJA8giG9PVux1ncjCPrN7ER0S7uWi8UjhOOeMS8
-> ssh-ed25519 evqvfg uM4SAf1aMCvtRKdPn5BFr1EWlBGVgbgjp6OkuMV7GnU
Zi5X5TL7phRpwsbUVsFgS0qHvqtLdckz01qDfVypn/s
--- I92hNxGkHSHR/fQhUI5UAXvzIvMd+YBih9nFP5IZW3w
áÎ_§ØN/ úú®H<C2AE>ô¡ÒaŽeõâ¼ÈêÅhÊB¤ê»[Ô´ðªqÂ<71>\ý+M:FÜîñgP¦¤¤nh¨¼N/¸2ÞÇl8µ3q> rHtUJG×n

BIN
secrets/hashed-robots-email-pw.age
View File

Binary file not shown.

12
secrets/hostapd-pw-CXNK00BF9176.age
View File

@ -1,7 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 w3nu8g ER07FH17Wm9op5F4pCftNK76f+nNjtA6zQc/2dLyAHI
nxxq/8tS3ENJhAEIhJCiSi7dV+68AmcEMh9zvZoWpdY
-> ssh-ed25519 dMQYog JelCfh+akP7C/i1kimq3fC5PRQa9gHbmBaOnjKu+PDw
GVTwo7MzkpCereZRh0HVjGYmtdMY1gHowMZtUQl7XQw
--- p2l83t3bEdBrrp1ctaqqKhwB4l2McgZqZTtc2SXgd8Q
ø±ôeÆd\Yå4lXVF§U©<55>þM||)دÔûú•¶Ü8¿>ëž­%ðóJ$à´Õè
-> ssh-ed25519 w3nu8g 6127BAGsI/0p6vDXwo4W9ehh/Tzr/XblDYFYYtNfziU
k0ZYtv6bTTKTdE81mPqwmuC3KSgimMn+noAm3LrzAkw
-> ssh-ed25519 evqvfg n2/Ds6CbjTEGK0/faiUj+S1VbZ8cLjqAMBZEVM6PIwQ
sPaFFL2bU2mUzKf8DLIHqXxGXZcER5gnKq9VpGA+GyU
--- /KNS4o0n8Ol/i8vRJ1dBJklDR1UhR6kQNcM2rwqGNRw
Îd;©<>_É•ÔŸ ŽVë3_"ûÈ)“Ú(e…âßqÍþ$+ÓA¨æ±ÿç” Y#G

BIN
secrets/hostapd-pw-experimental-tower.age
View File

Binary file not shown.

16
secrets/iodine.age
View File

@ -1,9 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 6AT2/g Knb25oYknkiXyMqVBR3T0sFSO4hDjWUTq3xIml/b4ig
n7xamnrZ+SCWiKqniF3r2JvH4G8q2pJaHzF0riNEDf4
-> ssh-ed25519 w3nu8g 7+2R5RpLjBf4jjj3S8ibMquUWgRMrifziGQubwuLrhA
3jLCalnbA3Z2jr8Zs+qrpzSoi3Jv6E5OV2binpr3Kk4
-> ssh-ed25519 dMQYog Nh2e7me0tiG7ZwQK8669VS0LCYFSH+b33I9tr8uI5CY
7Gs1N9eZa1CGR9pczzugHbqnghqevX7kQCOeqR4q0eI
--- OzW+omJsZA/b4DMF4hdQga7JVgiEYluZok3r8JM258I
*³²ÝPŽ†AcèÈ1·@Át¸e÷nf&ù#I7‡a‰Ûâc†ÃÀ<C383>êbDâ~aõ]1w=Á
-> ssh-ed25519 6AT2/g +D1KEq8bDAErE5NJABbpoONsmolgc2aNDPucgzJZT2A
jJpebutfcnNYT71oiwEATP89ZSnmjXx3skHrrk2MLOY
-> ssh-ed25519 w3nu8g MHVAh0Jp4pTahZoHIw5wUsp8STJ3rlH1C6+jrA+sJFI
sqMpGLw3HPumgAE7GYddT/iuewYZH3xy7mE5gyrWloA
-> ssh-ed25519 evqvfg HoJqNfMckAJbHBCleHcSnI1VbOx3l7lQv1yM030G5mc
cscFawOoA4rA3EAc/FtCafLYlVZ4vcDEEmzouOrwVVY
--- sjGmx4I61x+AP72rCFeWyNJAEUlQz/az5rQ7jNfjXjU
ËgîV&\÷MŒ²ÜuÊMm;ãY?‡úRDÆ`‰(2Õ·Õ øÒ‘à–é €Æ²)¸ Àò¦Ý£T

BIN
secrets/librechat-env-file.age
View File

Binary file not shown.

BIN
secrets/linkwarden-environment.age Normal file
View File

Binary file not shown.

BIN
secrets/nextcloud-pw.age
View File

Binary file not shown.

BIN
secrets/oauth2-proxy-env.age
View File

Binary file not shown.

21
secrets/pia-login.age
View File

@ -1,11 +1,12 @@
age-encryption.org/v1
-> ssh-ed25519 6AT2/g MGKlbzVOk5+czgAOerwl+eIyOifXJm/q4UgQUXVpx1c
43l6s4+5TSMQyO9tAg7v9Y5OdXOjKYz56lbr9Jm2r+o
-> ssh-ed25519 hPp1nw aOxni4sFPPgedUkBOuOyEWfFPJrhdTJnivIaWt5RJxM
KNaxijzSMp7EjYKwWiAP66nPYYZK3/VXL8u+3uJt6bg
-> ssh-ed25519 w3nu8g qTAzEzQbFze35AtbvkYREw3wa7ApDN5u7RSZUXrEpms
Dy0uGF458A9RJMvDl2XKOkEABbbRgT+eIgvb6ZOEQqg
-> ssh-ed25519 dMQYog 5DfYuGeWuN0/CO6WWbFIi7LaKl23FXYVdPROM+TFpCA
PDBdDn+YUMKYNKFkCEfXesmkB/XUxZRK3ddQt0kqQ7g
--- JOeG87EVD+QBx6n+rMoPTOni0PyoG7xx4a2USNiapYI
Zsý{ÅiÁ_\+ô@@Üò߸ù&_š5­$¿Gt2¢rF“y×ÄQ§Iaž 7ôÙÉzàgf­%O(µÙ,VéÂ}ÿn|û'J¸2ø¨óQÑ B
-> ssh-ed25519 6AT2/g rk3jNJlQwab++isNOPpQJZlb4rL7nIAYfoAhlvY9QTc
J+6/MRepeixmDQzz3bRd/AMJpZls60dUBjrHh+p759Y
-> ssh-ed25519 hPp1nw GnjIH+V6mLcXvfNhiBBwqBvY6NO8W+1sPcgvu6fS0nI
qP6jDxd+0h/AZhsBs7om0BDutrPmP/1NUEuZ7LBlxmw
-> ssh-ed25519 w3nu8g QwztUaCCtEVeI9AbJn5dKH07Y2fal+Nn9/bsnBkTJgI
/Ce0a9bGv6RmQiK8C3wIvMCh5DM+m/EujYFsXgNjieY
-> ssh-ed25519 evqvfg VLoQNzz62Q1KawvTHWeyBfCGTlGYNPQcdTaPq7cLxDo
eabkTR9iUPYqCj50R7rwYcrMqcs+RHWqRZai2KKzPMQ
--- fQkT/xI/iptJd/UmihEcUWx77d2wr6bOj5lecPa/P8o
,V„ý²lz­ºOP¿'Ìü2ÑÃ4¦o¸ü|ÅK´» ²FYL†Ì&ìâÓáéÊÁ>†©Ä\@emVÈnŒm½®6u—O@wRèãÁåý^_
ztFŠ©~

9
secrets/radarr-api-key.age Normal file
View File

@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 hPp1nw MRItBkM6GC+jht3ly0K04wCptE28UI9FmFAm2+8KHHw
Pbz+oZcWtzSz4eyWyRbi/a89Q3PripNJ+PYM/wiLKq0
-> ssh-ed25519 w3nu8g a5G6FrbGmglm2Ba2T6NPsaVP+/4g//jh9ui/BVzR0EU
f0xNuCbhC0FqqFH6CD9jPAgWmTEZqga/fRjU6VMdfSk
-> ssh-ed25519 evqvfg 1lhGzpY7I0fKimq6sQ/zWUHCFSEaN31rmGCckUepfHY
3OfNrzAajS6azIT90CmVnBzXLXcwMw/BRhOfbcuuz3c
--- vagzuZWeWUcZTBISnL4vNVcpMX2CbJGHwfaAFiIZeHM
en¼!<z'ß‹û,W 8†}òÙö=åà—lõÖŸê^^5iÌ”½àÜd<C39C>æß»ü<C2BB>t.yçw>_%

BIN
secrets/restic-password.age
View File

Binary file not shown.

BIN
secrets/robots-email-pw.age
View File

Binary file not shown.

BIN
secrets/sasl_relay_passwd.age
View File

Binary file not shown.

BIN
secrets/searx.age
View File

Binary file not shown.

11
secrets/secrets.nix
View File

@ -17,7 +17,7 @@ with roles;
"cris-hashed-email-pw.age".publicKeys = email-server;
"sasl_relay_passwd.age".publicKeys = email-server;
"hashed-robots-email-pw.age".publicKeys = email-server;
"robots-email-pw.age".publicKeys = gitea;
"robots-email-pw.age".publicKeys = gitea ++ outline;
# nix binary cache
# public key: s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU=
@ -31,12 +31,14 @@ with roles;
# cloud
"nextcloud-pw.age".publicKeys = nextcloud;
"whiteboard-server-jwt-secret.age".publicKeys = nextcloud;
"smb-secrets.age".publicKeys = personal ++ media-center;
"oauth2-proxy-env.age".publicKeys = server;
# services
"searx.age".publicKeys = nobody;
"wolframalpha.age".publicKeys = dailybot;
"linkwarden-environment.age".publicKeys = linkwarden;
# hostapd
"hostapd-pw-experimental-tower.age".publicKeys = nobody;
@ -57,4 +59,11 @@ with roles;
# Frigate (DVR)
"frigate-credentials.age".publicKeys = frigate;
# zigbee2mqtt secrets
"zigbee2mqtt.yaml.age".publicKeys = zigbee;
# Sonarr and Radarr secrets
"radarr-api-key.age".publicKeys = media-server;
"sonarr-api-key.age".publicKeys = media-server;
}

34
secrets/smb-secrets.age
View File

@ -1,19 +1,17 @@
age-encryption.org/v1
-> ssh-ed25519 N7drjg x2s9QZ7Ijvg4t2peGng9/zX1ZmnGggsvWHJFHEktCgw
o64an6DJ6Be8Jlhzn9ciQTByRAK5f2ckankCRH3y+Uw
-> ssh-ed25519 yHDAQw HYHo6anhKDnD74ab04Ql4RB8+WBA6EavYASX7532NCE
aTp2V9g18yzUTq1ezqETj6jM2Yb1Bt5+JNkrIDT2Djs
-> ssh-ed25519 jQaHAA xGKcIQOkO/i4E2ZWZ+O4sAp7ADqCRqfRQHhKQu6yWh4
RJnqK/t0YQrIej8fRDJGjOtQD7VvgJRfCUWR0/UYcSY
-> ssh-ed25519 w3nu8g P9DQy19TvDCi3nfOhFj73bNZEtUs1BrLubt5/BtLoU4
Sx41bk41dQYa3eoBayUMRIHqMWaRiwXm8BqErDBSbDw
-> ssh-ed25519 dMQYog OWU92PMFo9tGtlkK9zlmMFhh81TGkYlcX1PrxZl35yc
owDk8wWXETS+iybhTMDmQH+eBuzZRDJIlVGCwu4LqTI
-> ssh-ed25519 jQaHAA MzA8dSYZ/Ysp4ogKEEu84mal8779RgkT4Gy6rBEw+kM
m75x/b83aP5G1vg7EXlcLizcm16fEAUAD+VNcdTMnnQ
-> ssh-ed25519 w3nu8g AAA3Me3KJgLvtQvyxLvlQ7pCnv7w73ja6Z2+3A82eGs
+yCW7qCdjk0fiQJmH8poMoc7APKyX/PY7zZyAG1O+Yg
-> ssh-ed25519 dMQYog Dd8e6srT+EIl2PH0RP1bQVsDx+HCQjhFndx5TFyhfx8
j7Met77pWZzK9cMTt29gWB+d9YFVH5T9qs+ulHS3kAo
--- MgOK/g5hOVkGuUNDBSgVeGc9+ndjxLEA7nKSfLJMr4s
~Ÿ‹¬&”™)<29>ŠG®Ÿ¨‡'UÐÞzc¾uFGì(<ò¯ùçV"ƒÕ3þH0x0$•<>w$Yv O3 "Ï×ðV~ÀŠ¸HÁ~XÛ]GœÆqµ®ã÷œ¢y'ãÓ*Dê±ÏúœÕk#\ðAï<41>5ë{«Fe\~
-> ssh-ed25519 N7drjg lVrCcpRGeAJ+62CF+fTT+iGKmaaiBk2rmtzS3jz4ux4
BbMLKa0uCoopsV0BekIcApzyJggQf4uFICuC26inA/c
-> ssh-ed25519 jQaHAA k7JCJlbAKDuH+bLhaoiQQssN5gfwPw9w30J3OAA4nWg
fQ6te5iDG54mn5oXdarxMYPeze4ZWbk1yPAsLsTFby4
-> ssh-ed25519 w3nu8g r3wLOavRLT++n+NaBRtcQqKXFTFhRYGl8naqUWNR0kE
pYkqQIiwzpN/XkDBrfCuFPc3yzyFjRbdCcFmRaY8iIU
-> ssh-ed25519 evqvfg b+BUWYHdu1z38I0BMqpkSf5qaeaCm2C+vf9Hcqgjlg4
PK0y5MadYrM9ANyTMdHKXRTNi5cwD8/+19mN+vaTNiM
-> ssh-ed25519 jQaHAA 86i8je5q4vVBfdi/Ws8/n4R/Z25uLw1e6zXDza8SwiI
5yuvdl0InHxrjRyi4SJOWEo6pWZt/mX8BsaFer3NwlE
-> ssh-ed25519 w3nu8g N2QWi7I8V//jfK2ZGsXwBkEt2Zh7/5zpWCKUNV30bFA
ZmjY/lwFaVeM88FZSGwG+BYHi+32UPffZPZPbVcw+J8
-> ssh-ed25519 evqvfg cZflDyFn9H85TnSbi2HFrdVvlT5uZ+6+l4stOaoyOxE
3HpWWCbWoU1ufbi02xpXnU47Ti6YjrpMVh/mS5jgO0M
--- wF990HQn1zh8JVo2alfC/QhpFimLsLDtj26DREVYr18
QhE{+帻R(+­ ÝNYIľŤ<ýęţk¦/ČÖŻ„pA<70>ݶ°Đ_ž'ËĹ«ž‰@3ů;»°÷-0‰Çˇab9W5ÔĂęźbU3)ASóĹ÷Śe÷ůQ/SMJ“_šĹe<16>Ža*‡:ť<>µ

9
secrets/sonarr-api-key.age Normal file
View File

@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 hPp1nw aoj3IvYutQWfkOYOcDu0g7/FX05Y1t5NE2dP/x50gw8
KV2kpClMmBPavyyhtC2coc3Gw9/QJQwXxfM13aKRrvQ
-> ssh-ed25519 w3nu8g ZjQIXYV3oK5ppG9ltfojwZ0Z93wFvXdiVBnFz5ncSSQ
CI3je4tMSb9ws+IyAgBVokFdy7z23n2EwtDrvLTziM8
-> ssh-ed25519 evqvfg bWwaEp5s9nvzzQXbPd3rwmy4Ei9PWZg3Gk2I1nYBcCM
PwLLVWVI0GY4snYRadT92NZFneuA54yzL+Ie4RWDxDk
--- aqM1/sssbDgs4DNsGHqiaVH1LCyhh0vtoHSD3ju67Ew
&ネ゙<EFBE88>タニg~ハ*Y<12>訷E┴<45>゙oE,yセワE{濁チ瑩ャ*レ訶_A=キ6 =怨M'燕ヘァr0<72>

BIN
secrets/whiteboard-server-jwt-secret.age Normal file
View File

Binary file not shown.

17
secrets/wolframalpha.age
View File

@ -1,10 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 6AT2/g Kw5/he5m/XAJUNv8XEJQU+e+Ou7hCYluMXXWlHiePXY
GkhJOzSlcC9S7bs8FuDNMvMaFU3+fQ5z+o+Pb8wllp8
-> ssh-ed25519 w3nu8g fUORtXN1ygOeV42jveCosGXR/Y6R6OG6DK7LPDBEAk8
yFpoasbY/sl6BQp0LVBQnInA4Kxd8A8meEObU1KD108
-> ssh-ed25519 dMQYog 75qVEe6/1yOV4DDLAOGaufs3ojx1/Sc1fIQOe+Oirz0
iDFsr6/30AHKH6hUs/WTpHEM8WQ03QMlGbtQkGrnVCU
--- islx8t7a6bShXGxvYeDVuUxkmAMtpUfr0Gp7aYrJUkI
2Ûí4¤†7Õ
?Õw€À<E282AC>JÁÆØv ¨º9,ËxÅŠò¨‰¦Æ¦ñnäH?>I­
-> ssh-ed25519 6AT2/g G3ahigKIYvEJNDgz97yprVfANFzbR2uKcvBPNAxgwWI
iLpm56WMuc1Y10FwZ8HPOyBFNlhm1nWFS05DMXsjDD4
-> ssh-ed25519 w3nu8g lx5NuJq4c4wwww887MFA1qwuLPVvddvG83l4xLzUYgk
JgYBgcPw1jBa5yLSFBYVjf4jdoJJPoV6Q/d4Hkr3Efs
-> ssh-ed25519 evqvfg Gw0pMtP3bxgZXeEseJ+2xSb21AFX46JCAeHMroEJg1c
qj1BjH+J9HOwYxoL2PEMa74nxfk9nlakl+40qoFunJ4
--- 5Om+5hhrNjOi0MRmrb8N1t9vVnM3wWosDsJCARknPNk
©5HÉòÉ;)ôŽ\K“Au¯7ìx¢jûox…e*FÈ怆)èµ&<26> úÑú} é<>

9
secrets/zigbee2mqtt.yaml.age Normal file
View File

@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 hPp1nw FnUaydWe7+2dVUIYrKqx2/0AzRPN3ZylczJBkTqeeXg
boSEnMZmQyre4mJBQkEPuXuRP90woU1obqMdh+uQKhM
-> ssh-ed25519 w3nu8g pIDzDUVLZuZUCn6tGKpCLVS7OmhQiMgtMvuCKfWcgiM
zZxCUe0LslQ0ZqHV6sSMNQ5fhyscDFxVmJk0h2voEfc
-> ssh-ed25519 evqvfg eukXn1jUoHwP/cVmYCJ1O0kYQw+Xsad1PswvbcFUMEk
B0AvuWyfqK8ZFgCAW/iuXB0sKoKmB9d62ZNRTdDG43w
--- 0aziJ5/DCB9kJUqWhIggCqRnsuqu9s/g4Rt4vbwsBJk
FVÜçi`í1¥XFIÇI´oÞmf§Á³¤õ“ˆQ=ñè彈臼i?²¿ƒb?Á P6ŒA„-“°ÉY´°[Gö9<C3B6>ó î¥„½ÇÕ