zuckerberg/nix-config
zuckerberg/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Activity

Compare commits

merge into: zuckerberg:rpi-hotspot
Branches Tags
zuckerberg:master
zuckerberg:stage
zuckerberg:rpi-hotspot
zuckerberg:attic
zuckerberg:kexec_luks2
zuckerberg:pia-client
...
pull from: zuckerberg:master
Branches Tags
zuckerberg:stage
zuckerberg:master
zuckerberg:rpi-hotspot
zuckerberg:attic
zuckerberg:kexec_luks2
zuckerberg:pia-client

25 Commits
rpi-hotspo ... master

Author SHA1 Message Date
Zuckerberg
23c8076e4d Pinning system nixpkgs is not needed anymore. nixpkgs already does this automatically for flakes.
All checks were successful
Check Flake / check-flake (push) Successful in 1m50s
Details
2025-03-28 21:45:46 -07:00
Zuckerberg
75ae399b5a Update nixpkgs. Move to new dashy service 2025-03-28 21:05:37 -07:00
Zuckerberg
87ddad27a4 Add Home Manager 2025-03-28 20:27:14 -07:00
Zuckerberg
8dd2a00123 Tauri development extensions 2025-03-28 20:24:33 -07:00
Zuckerberg
944a783ff2 Add nix LSPs for development 2025-03-28 20:23:07 -07:00
Zuckerberg
c2cb43fd2c Enable iperf3 server on ponyo 2025-03-28 20:22:14 -07:00
Zuckerberg
02b2fb6309 Disable gc on howl so nix backed projects don't loose their cache 2025-03-28 20:19:15 -07:00
Zuckerberg
b43660aaef Clean up very old unused config 2025-03-28 20:17:54 -07:00
Zuckerberg
567d755850 If machine role is personal set de.enable = true; automatically 2025-03-28 20:16:26 -07:00
Zuckerberg
adc9b9f2b7 Add sandman.s0.neet.dev 2025-03-28 19:39:59 -07:00
Zuckerberg
9181e3bfa3 Update librechat to v0.7.7 2025-03-28 19:38:41 -07:00
Zuckerberg
9845270512 Fix gparted 2025-03-28 19:35:35 -07:00
Zuckerberg
b3b3044690 Downgrade to dailybot to python 3.11
All checks were successful
Check Flake / check-flake (push) Successful in 1m22s
Details
2025-02-18 22:43:47 -08:00
Zuckerberg
fb1970c316 Upgrade librechat
All checks were successful
Check Flake / check-flake (push) Successful in 6m43s
Details
2025-02-17 12:12:46 -08:00
Zuckerberg
34f1edf3b3 Fix s0 setting the incorrect default route by using a static configuration 2025-02-17 12:11:52 -08:00
Zuckerberg
823f0a6ef2 Disable frigate detect for now. It is using excessive CPU 2025-02-17 12:10:59 -08:00
Zuckerberg
00d2ccc684 Fix sound in some games running in wine 2025-02-17 12:09:51 -08:00
Zuckerberg
b2acaff783 Fix pykms by downgrading to python 3.11 2025-02-17 12:09:20 -08:00
Zuckerberg
c51f4ad65b Unlock zoidberg using TPM2
All checks were successful
Check Flake / check-flake (push) Successful in 1m6s
Details
2024-11-21 21:31:19 -08:00
Zuckerberg
eb6a50664c Upgrade NixOS. Use upstream libedgetpu, frigate, and gasket kernel module. Fix services broken by upgrade.
All checks were successful
Check Flake / check-flake (push) Successful in 17m43s
Details
2024-11-19 21:28:56 -08:00
Zuckerberg
89ce0f7fc0 Change Howl's NVMe 2024-11-19 21:08:19 -08:00
Zuckerberg
8ff552818b Rollover digital ocean auth token
All checks were successful
Check Flake / check-flake (push) Successful in 1m13s
Details
2024-10-27 16:41:02 -07:00
Zuckerberg
020689d987 Fix zigbee2mqtt auth 2024-10-27 16:40:47 -07:00
Zuckerberg
9109e356bd Backup vikunja
All checks were successful
Check Flake / check-flake (push) Successful in 2m6s
Details
2024-10-27 16:26:32 -07:00
Zuckerberg
c7d9e84f73 Lock down access to mqtt
All checks were successful
Check Flake / check-flake (push) Successful in 1m6s
Details
2024-10-27 16:15:23 -07:00
48 changed files with 745 additions and 729 deletions
Show Stats Expand all files Collapse all files

2
README.md
View File

@ -4,7 +4,7 @@
- `/common` - common configuration imported into all `/machines`
- `/boot` - config related to bootloaders, cpu microcode, and unlocking LUKS root disks over tor
- `/network` - config for tailscale, and NixOS container with automatic vpn tunneling via PIA
- `/pc` - config that a graphical desktop computer should have. Use `de.enable = true;` to enable everthing.
- `/pc` - config that a graphical PC should have. Have the `personal` role set in the machine's `properties.nix` to enable everthing.
- `/server` - config that creates new nixos services or extends existing ones to meet my needs
- `/machines` - all my NixOS machines along with their machine unique configuration for hardware and services
- `/kexec` - a special machine for generating minimal kexec images. Does not import `/common`

5
common/default.nix
View File

@ -98,4 +98,9 @@
security.acme.acceptTerms = true;
security.acme.defaults.email = "zuckerberg@neet.dev";
# Enable Desktop Environment if this is a PC (machine role is "personal")
de.enable = (
builtins.elem config.networking.hostName config.machines.roles.personal
);
}

6
common/flakes.nix
View File

@ -13,12 +13,6 @@ in
extraOptions = ''
experimental-features = nix-command flakes
'';
# pin nixpkgs for system commands such as "nix shell"
registry.nixpkgs.flake = config.inputs.nixpkgs;
# pin system nixpkgs to the same version as the flake input
nixPath = [ "nixpkgs=${config.inputs.nixpkgs}" ];
};
};
}

4
common/network/pia-wireguard.nix
View File

@ -151,7 +151,7 @@ in
partOf = [ containerServiceName ];
wantedBy = [ "multi-user.target" ];
path = with pkgs; [ wireguard-tools jq curl iproute iputils ];
path = with pkgs; [ wireguard-tools jq curl iproute2 iputils ];
serviceConfig = {
Type = "oneshot";
@ -224,7 +224,7 @@ in
after = [ "network.target" "network-online.target" ];
wantedBy = [ "multi-user.target" ];
path = with pkgs; [ wireguard-tools iproute curl jq iptables ];
path = with pkgs; [ wireguard-tools iproute2 curl jq iptables ];
serviceConfig = {
Type = "oneshot";

4
common/pc/audio.nix
View File

@ -22,8 +22,8 @@ in
services.pipewire.extraConfig.pipewire."92-fix-wine-audio" = {
context.properties = {
default.clock.rate = 48000;
default.clock.quantum = 2048;
default.clock.min-quantum = 512;
default.clock.quantum = 256;
default.clock.min-quantum = 256;
default.clock.max-quantum = 2048;
};
};

2
common/pc/chromium.nix
View File

@ -57,7 +57,7 @@ in
};
# todo vulkan in chrome
# todo video encoding in chrome
hardware.opengl = {
hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver # LIBVA_DRIVER_NAME=iHD

12
common/pc/default.nix
View File

@ -6,12 +6,10 @@ in
{
imports = [
./kde.nix
# ./xfce.nix
./yubikey.nix
./chromium.nix
./firefox.nix
./audio.nix
# ./torbrowser.nix
./pithos.nix
./vscodium.nix
./discord.nix
@ -27,9 +25,10 @@ in
};
config = lib.mkIf cfg.enable {
# vulkan
hardware.opengl.driSupport = true;
hardware.opengl.driSupport32Bit = true;
environment.systemPackages = with pkgs; [
# https://github.com/NixOS/nixpkgs/pull/328086#issuecomment-2235384618
gparted
];
# Applications
users.users.googlebot.packages = with pkgs; [
@ -42,7 +41,6 @@ in
mpv
nextcloud-client
signal-desktop
gparted
libreoffice-fresh
thunderbird
spotify
@ -56,6 +54,8 @@ in
# For Nix IDE
nixpkgs-fmt
nixd
nil
];
# Networking

2
common/pc/kde.nix
View File

@ -14,7 +14,7 @@ in
# akonadi
# kmail
# plasma5Packages.kmail-account-wizard
kate
kdePackages.kate
];
};
}

25
common/pc/torbrowser.nix
View File

@ -1,25 +0,0 @@
{ lib, config, pkgs, ... }:
let
cfg = config.de;
in
{
config = lib.mkIf cfg.enable {
nixpkgs.overlays = [
(self: super: {
tor-browser-bundle-bin = super.tor-browser-bundle-bin.overrideAttrs (old: rec {
version = "10.0.10";
lang = "en-US";
src = pkgs.fetchurl {
url = "https://dist.torproject.org/torbrowser/${version}/tor-browser-linux64-${version}_${lang}.tar.xz";
sha256 = "vYWZ+NsGN8YH5O61+zrUjlFv3rieaBqjBQ+a18sQcZg=";
};
});
})
];
users.users.googlebot.packages = with pkgs; [
tor-browser-bundle-bin
];
};
}

6
common/pc/touchpad.nix
View File

@ -1,13 +1,9 @@
{ lib, config, pkgs, ... }:
let
cfg = config.de.touchpad;
cfg = config.de;
in
{
options.de.touchpad = {
enable = lib.mkEnableOption "enable touchpad";
};
config = lib.mkIf cfg.enable {
services.libinput.enable = true;
services.libinput.touchpad.naturalScrolling = true;

7
common/pc/vscodium.nix
View File

@ -13,6 +13,7 @@ let
ms-vscode.cpptools
rust-lang.rust-analyzer
vadimcn.vscode-lldb
tauri-apps.tauri-vscode
] ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [
{
name = "platformio-ide";
@ -26,6 +27,12 @@ let
version = "0.8.1";
sha256 = "ckclcxdUxhjWlPnDFVleLCWgWxUEENe0V328cjaZv+Y=";
}
{
name = "volar";
publisher = "Vue";
version = "2.2.4";
sha256 = "FHS/LNjSUVfCb4SVF9naR4W0JqycWzSWiK54jfbRagA=";
}
];
vscodium-with-extensions = pkgs.vscode-with-extensions.override {

23
common/pc/xfce.nix
View File

@ -1,23 +0,0 @@
{ lib, config, pkgs, ... }:
let
cfg = config.de;
in
{
config = lib.mkIf cfg.enable {
services.xserver = {
enable = true;
desktopManager = {
xterm.enable = false;
xfce.enable = true;
};
displayManager.sddm.enable = true;
};
# xfce apps
# TODO for some reason whiskermenu needs to be global for it to work
environment.systemPackages = with pkgs; [
xfce.xfce4-whiskermenu-plugin
];
};
}

41
common/server/dashy.nix
View File

@ -1,41 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.dashy;
in
{
options.services.dashy = {
enable = mkEnableOption "dashy";
imageTag = mkOption {
type = types.str;
default = "latest";
};
port = mkOption {
type = types.int;
default = 56815;
};
configFile = lib.mkOption {
type = lib.types.path;
description = "Path to the YAML configuration file";
};
};
config = mkIf cfg.enable {
virtualisation.oci-containers.containers = {
dashy = {
image = "lissy93/dashy:${cfg.imageTag}";
environment = {
TZ = "${config.time.timeZone}";
};
ports = [
"127.0.0.1:${toString cfg.port}:80"
];
volumes = [
"${cfg.configFile}:/app/public/conf.yml"
];
};
};
};
}

2
common/server/default.nix
View File

@ -10,7 +10,6 @@
./matrix.nix
./zerobin.nix
./gitea.nix
./privatebin/privatebin.nix
./radio.nix
./samba.nix
./owncast.nix
@ -19,7 +18,6 @@
./iodine.nix
./searx.nix
./gitea-actions-runner.nix
./dashy.nix
./librechat.nix
./actualbudget.nix
./unifi.nix

2
common/server/gitea.nix
View File

@ -24,7 +24,7 @@ in
SHOW_FOOTER_VERSION = false;
};
ui = {
DEFAULT_THEME = "arc-green";
DEFAULT_THEME = "gitea-dark";
};
service = {
DISABLE_REGISTRATION = true;

8
common/server/librechat.nix
View File

@ -21,11 +21,17 @@ in
config = mkIf cfg.enable {
virtualisation.oci-containers.containers = {
librechat = {
image = "ghcr.io/danny-avila/librechat:v0.6.6";
image = "ghcr.io/danny-avila/librechat:v0.7.7";
environment = {
HOST = "0.0.0.0";
MONGO_URI = "mongodb://host.containers.internal:27017/LibreChat";
ENDPOINTS = "openAI,google,bingAI,gptPlugins";
OPENAI_MODELS = lib.concatStringsSep "," [
"gpt-4o-mini"
"o3-mini"
"gpt-4o"
"o1"
];
REFRESH_TOKEN_EXPIRY = toString (1000 * 60 * 60 * 24 * 30); # 30 days
};
environmentFiles = [

42
common/server/privatebin/conf.php
View File

@ -1,42 +0,0 @@
;<?php http_response_code(403); /*
[main]
name = "Kode Paste"
discussion = false
opendiscussion = false
password = true
fileupload = false
burnafterreadingselected = false
defaultformatter = "plaintext"
sizelimit = 10485760
template = "bootstrap"
languageselection = false
[expire]
default = "1week"
[expire_options]
5min = 300
10min = 600
1hour = 3600
1day = 86400
1week = 604800
[formatter_options]
plaintext = "Plain Text"
syntaxhighlighting = "Source Code"
markdown = "Markdown"
[traffic]
limit = 10
dir = "/var/lib/privatebin"
[purge]
limit = 300
batchsize = 10
dir = "/var/lib/privatebin"
[model]
class = Filesystem
[model_options]
dir = "/var/lib/privatebin"

74
common/server/privatebin/privatebin.nix
View File

@ -1,74 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.privatebin;
privateBinSrc = pkgs.stdenv.mkDerivation {
name = "privatebin";
src = pkgs.fetchFromGitHub {
owner = "privatebin";
repo = "privatebin";
rev = "d65bf02d7819a530c3c2a88f6f9947651fe5258d";
sha256 = "7ttAvEDL1ab0cUZcqZzXFkXwB2rF2t4eNpPxt48ap94=";
};
installPhase = ''
cp -ar $src $out
'';
};
in
{
options.services.privatebin = {
enable = lib.mkEnableOption "enable privatebin";
host = lib.mkOption {
type = lib.types.str;
example = "example.com";
};
};
config = lib.mkIf cfg.enable {
users.users.privatebin = {
description = "privatebin service user";
group = "privatebin";
isSystemUser = true;
};
users.groups.privatebin = { };
services.nginx.enable = true;
services.nginx.virtualHosts.${cfg.host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
root = privateBinSrc;
index = "index.php";
};
locations."~ \.php$" = {
root = privateBinSrc;
extraConfig = ''
fastcgi_pass unix:${config.services.phpfpm.pools.privatebin.socket};
fastcgi_index index.php;
'';
};
};
systemd.tmpfiles.rules = [
"d '/var/lib/privatebin' 0750 privatebin privatebin - -"
];
services.phpfpm.pools.privatebin = {
user = "privatebin";
group = "privatebin";
phpEnv = {
CONFIG_PATH = "${./conf.php}";
};
settings = {
pm = "dynamic";
"listen.owner" = config.services.nginx.user;
"pm.max_children" = 5;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 1;
"pm.max_spare_servers" = 3;
"pm.max_requests" = 500;
};
};
};
}

40
common/server/samba.nix
View File

@ -5,30 +5,28 @@
services.samba = {
openFirewall = true;
package = pkgs.sambaFull; # printer sharing
securityType = "user";
# should this be on?
nsswins = true;
extraConfig = ''
workgroup = HOME
server string = smbnix
netbios name = smbnix
security = user
use sendfile = yes
min protocol = smb2
guest account = nobody
map to guest = bad user
settings = {
global = {
security = "user";
workgroup = "HOME";
"server string" = "smbnix";
"netbios name" = "smbnix";
"use sendfile" = "yes";
"min protocol" = "smb2";
"guest account" = "nobody";
"map to guest" = "bad user";
# printing
load printers = yes
printing = cups
printcap name = cups
# printing
"load printers" = "yes";
printing = "cups";
"printcap name" = "cups";
hide files = /.nobackup/.DS_Store/._.DS_Store/
'';
shares = {
"hide files" = "/.nobackup/.DS_Store/._.DS_Store/";
};
public = {
path = "/data/samba/Public";
browseable = "yes";
@ -77,9 +75,9 @@
# backups
backup.group."samba".paths = [
config.services.samba.shares.googlebot.path
config.services.samba.shares.cris.path
config.services.samba.shares.public.path
config.services.samba.settings.googlebot.path
config.services.samba.settings.cris.path
config.services.samba.settings.public.path
];
# Windows discovery of samba server

3
common/server/unifi.nix
View File

@ -10,7 +10,8 @@ in
};
config = lib.mkIf cfg.enable {
services.unifi.unifiPackage = pkgs.unifi8;
services.unifi.unifiPackage = pkgs.unifi;
services.unifi.mongodbPackage = pkgs.mongodb-7_0;
networking.firewall = lib.mkIf cfg.openMinimalFirewall {
allowedUDPPorts = [

45
flake.lock generated
View File

@ -3,7 +3,9 @@
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"home-manager": [
"home-manager"
],
"nixpkgs": [
"nixpkgs"
],
@ -51,11 +53,11 @@
]
},
"locked": {
"lastModified": 1651719222,
"narHash": "sha256-p/GY5vOP+HUlxNL4OtEhmBNEVQsedOHXEmjfCGONVmE=",
"lastModified": 1739947126,
"narHash": "sha256-JoiddH5H9up8jC/VKU8M7wDlk/bstKoJ3rHj+TkW4Zo=",
"ref": "refs/heads/master",
"rev": "1290ddd9a2ff2bf2d0f702750768312b80efcd34",
"revCount": 19,
"rev": "ea1ad60f1c6662103ef4a3705d8e15aa01219529",
"revCount": 20,
"type": "git",
"url": "https://git.neet.dev/zuckerberg/dailybot.git"
},
@ -151,16 +153,15 @@
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703113217,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"lastModified": 1740845322,
"narHash": "sha256-AXEgFj3C0YJhu9k1OhbRhiA6FnDr81dQZ65U3DhaWpw=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"rev": "fcac3d6d88302a5e64f6cb8014ac785e08874c8d",
"type": "github"
},
"original": {
@ -207,36 +208,20 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1728193676,
"narHash": "sha256-PbDWAIjKJdlVg+qQRhzdSor04bAPApDqIv2DofTyynk=",
"lastModified": 1740374225,
"narHash": "sha256-Dnmzy5YWUVj3BNaZo5jRpZslXexbNKEk3ADGGcz9RpY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ecbc1ca8ffd6aea8372ad16be9ebbb39889e55b6",
"rev": "3349acd765bdffe454f7c8bbc450855577c1a6cf",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"ref": "master",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-frigate": {
"locked": {
"lastModified": 1695825837,
"narHash": "sha256-4Ne11kNRnQsmSJCRSSNkFRSnHC4Y5gPDBIQGjjPfJiU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "5cfafa12d57374f48bcc36fda3274ada276cf69e",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "5cfafa12d57374f48bcc36fda3274ada276cf69e",
"type": "github"
}
},
"radio": {
"inputs": {
"flake-utils": [
@ -285,10 +270,10 @@
"deploy-rs": "deploy-rs",
"flake-compat": "flake-compat",
"flake-utils": "flake-utils",
"home-manager": "home-manager",
"nix-index-database": "nix-index-database",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"nixpkgs-frigate": "nixpkgs-frigate",
"radio": "radio",
"radio-web": "radio-web",
"simple-nixos-mailserver": "simple-nixos-mailserver",

27
flake.nix
View File

@ -1,8 +1,7 @@
{
inputs = {
# nixpkgs
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
nixpkgs-frigate.url = "github:NixOS/nixpkgs/5cfafa12d57374f48bcc36fda3274ada276cf69e";
nixpkgs.url = "github:NixOS/nixpkgs/master";
# Common Utils Among flake inputs
systems.url = "github:nix-systems/default";
@ -18,6 +17,12 @@
# NixOS hardware
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
# Home Manager
home-manager = {
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs";
};
# Mail Server
simple-nixos-mailserver = {
url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
@ -34,6 +39,7 @@
inputs = {
nixpkgs.follows = "nixpkgs";
systems.follows = "systems";
home-manager.follows = "home-manager";
};
};
@ -82,7 +88,9 @@
{
inherit nixpkgs;
assertionsModule = "${nixpkgs}/nixos/modules/misc/assertions.nix";
}).machines.hosts;
}).machines;
machineHosts = machines.hosts;
machineRoles = machines.roles;
in
{
nixosConfigurations =
@ -93,6 +101,7 @@
agenix.nixosModules.default
dailybuild_modules.nixosModule
nix-index-database.nixosModules.nix-index
home-manager.nixosModules.home-manager
self.nixosModules.kernel-modules
({ lib, ... }: {
config = {
@ -103,6 +112,13 @@
];
networking.hostName = hostname;
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users.googlebot = import ./home/googlebot.nix {
inherit hostname;
inherit machineRoles;
};
};
# because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
@ -121,6 +137,7 @@
src = nixpkgs;
patches = [
./patches/gamepadui.patch
./patches/dont-break-nix-serve.patch
];
};
patchedNixpkgs = nixpkgs.lib.fix (self: (import "${patchedNixpkgsSrc}/flake.nix").outputs { self = nixpkgs; });
@ -140,7 +157,7 @@
nixpkgs.lib.mapAttrs
(hostname: cfg:
mkSystem cfg.arch nixpkgs cfg.configurationPath hostname)
machines;
machineHosts;
packages =
let
@ -177,7 +194,7 @@
nixpkgs.lib.mapAttrs
(hostname: cfg:
mkDeploy hostname cfg.arch (builtins.head cfg.hostNames))
machines;
machineHosts;
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;

83
home/googlebot.nix Normal file
View File

@ -0,0 +1,83 @@
{ hostname, machineRoles }:
{ config, lib, pkgs, ... }:
let
# Check if the current machine has the role "personal"
thisMachineIsPersonal = builtins.elem hostname machineRoles.personal;
in
{
home.username = "googlebot";
home.homeDirectory = "/home/googlebot";
home.stateVersion = "24.11";
programs.home-manager.enable = true;
programs.zed-editor = {
enable = thisMachineIsPersonal;
extensions = [
"nix"
"toml"
"html"
"make"
"git-firefly"
"vue"
"scss"
];
userSettings = {
assistant = {
enabled = true;
version = "2";
default_model = {
provider = "openai";
model = "gpt-4-turbo";
};
};
features = {
edit_prediction_provider = "zed";
};
node = {
path = lib.getExe pkgs.nodejs;
npm_path = lib.getExe' pkgs.nodejs "npm";
};
auto_update = false;
terminal = {
blinking = "off";
copy_on_select = false;
};
lsp = {
rust-analyzer = {
# binary = {
# path = lib.getExe pkgs.rust-analyzer;
# };
binary = {
path = "/run/current-system/sw/bin/nix";
arguments = [ "develop" "--command" "rust-analyzer" ];
};
initialization_options = {
cargo = {
features = "all";
};
};
};
};
# tell zed to use direnv and direnv can use a flake.nix enviroment.
load_direnv = "shell_hook";
base_keymap = "VSCode";
theme = {
mode = "system";
light = "One Light";
dark = "Andrometa";
};
ui_font_size = 12;
buffer_font_size = 12;
};
};
}

4
machines/ephemeral/kexec.nix
View File

@ -29,10 +29,10 @@
text = ''
#!${pkgs.stdenv.shell}
set -e
${pkgs.kexectools}/bin/kexec -l ${image}/kernel --initrd=${image}/initrd --append="init=${builtins.unsafeDiscardStringContext config.system.build.toplevel}/init ${toString config.boot.kernelParams}"
${pkgs.kexec-tools}/bin/kexec -l ${image}/kernel --initrd=${image}/initrd --append="init=${builtins.unsafeDiscardStringContext config.system.build.toplevel}/init ${toString config.boot.kernelParams}"
sync
echo "executing kernel, filesystems will be improperly umounted"
${pkgs.kexectools}/bin/kexec -e
${pkgs.kexec-tools}/bin/kexec -e
'';
};
kexec_tarball = pkgs.callPackage (modulesPath + "/../lib/make-system-tarball.nix") {

3
machines/howl/default.nix
View File

@ -8,6 +8,5 @@
# don't use remote builders
nix.distributedBuilds = lib.mkForce false;
de.enable = true;
de.touchpad.enable = true;
nix.gc.automatic = lib.mkForce false;
}

8
machines/howl/hardware-configuration.nix
View File

@ -30,22 +30,22 @@
# disks
remoteLuksUnlock.enable = true;
boot.initrd.luks.devices."enc-pv" = {
device = "/dev/disk/by-uuid/c801586b-f0a2-465c-8dae-532e61b83fee";
device = "/dev/disk/by-uuid/2e4a6960-a6b1-40ee-9c2c-2766eb718d52";
allowDiscards = true;
};
fileSystems."/" =
{
device = "/dev/disk/by-uuid/95db6950-a7bc-46cf-9765-3ea675ccf014";
device = "/dev/disk/by-uuid/1f62386c-3243-49f5-b72f-df8fc8f39db8";
fsType = "btrfs";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/B087-2C20";
device = "/dev/disk/by-uuid/F4D9-C5E8";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices =
[{ device = "/dev/disk/by-uuid/49fbdf62-eef4-421b-aac3-c93494afd23c"; }];
[{ device = "/dev/disk/by-uuid/5f65cb11-2649-48fe-9c78-3e325b857c53"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's

3
machines/nat/configuration.nix
View File

@ -9,7 +9,4 @@
networking.hostName = "nat";
networking.interfaces.ens160.useDHCP = true;
de.enable = true;
de.touchpad.enable = true;
}

2
machines/ponyo/default.nix
View File

@ -10,6 +10,8 @@
# p2p mesh network
services.tailscale.exitNode = true;
services.iperf3.enable = true;
# email server
mailserver.enable = true;

307
machines/storage/s0/dashy.nix Normal file
View File

@ -0,0 +1,307 @@
{
appConfig = {
theme = "vaporware";
customColors = {
"material-dark-original" = {
primary = "#f36558";
background = "#39434C";
"background-darker" = "#eb615c";
"material-light" = "#f36558";
"item-text-color" = "#ff948a";
"curve-factor" = "5px";
};
};
enableErrorReporting = false;
layout = "auto";
iconSize = "large";
language = "en";
startingView = "default";
defaultOpeningMethod = "sametab";
statusCheck = true;
statusCheckInterval = 20;
faviconApi = "faviconkit";
routingMode = "history";
enableMultiTasking = false;
webSearch = {
disableWebSearch = false;
searchEngine = "duckduckgo";
openingMethod = "sametab";
searchBangs = { };
};
enableFontAwesome = true;
cssThemes = [ ];
externalStyleSheet = [ ];
hideComponents = {
hideHeading = false;
hideNav = false;
hideSearch = false;
hideSettings = false;
hideFooter = false;
hideSplashScreen = false;
};
auth = {
enableGuestAccess = false;
users = [ ];
enableKeycloak = false;
keycloak = { };
};
allowConfigEdit = true;
enableServiceWorker = false;
disableContextMenu = false;
disableUpdateChecks = false;
disableSmartSort = false;
};
pageInfo = {
title = "s0";
description = "s0";
};
sections = [
(
let
# Define the media section items once.
mediaItems = {
jellyfin = {
title = "Jellyfin";
icon = "hl-jellyfin";
url = "https://jellyfin.s0.neet.dev";
target = "sametab";
statusCheck = false;
id = "0_1956_jellyfin";
};
sonarr = {
title = "Sonarr";
description = "Manage TV";
icon = "hl-sonarr";
url = "https://sonarr.s0.neet.dev";
target = "sametab";
statusCheck = false;
id = "1_1956_sonarr";
};
radarr = {
title = "Radarr";
description = "Manage Movies";
icon = "hl-radarr";
url = "https://radarr.s0.neet.dev";
target = "sametab";
statusCheck = false;
id = "2_1956_radarr";
};
lidarr = {
title = "Lidarr";
description = "Manage Music";
icon = "hl-lidarr";
url = "https://lidarr.s0.neet.dev";
target = "sametab";
statusCheck = false;
id = "3_1956_lidarr";
};
prowlarr = {
title = "Prowlarr";
description = "Indexers";
icon = "hl-prowlarr";
url = "https://prowlarr.s0.neet.dev";
target = "sametab";
statusCheck = false;
id = "4_1956_prowlarr";
};
bazarr = {
title = "Bazarr";
description = "Subtitles";
icon = "hl-bazarr";
url = "https://bazarr.s0.neet.dev";
target = "sametab";
statusCheck = false;
id = "5_1956_bazarr";
};
navidrome = {
title = "Navidrome";
description = "Play Music";
icon = "hl-navidrome";
url = "https://music.s0.neet.dev";
target = "sametab";
statusCheck = false;
id = "6_1956_navidrome";
};
transmission = {
title = "Transmission";
description = "Torrenting";
icon = "hl-transmission";
url = "https://transmission.s0.neet.dev";
target = "sametab";
statusCheck = false;
id = "7_1956_transmission";
};
};
# Build the list once.
mediaList = [
mediaItems.jellyfin
mediaItems.sonarr
mediaItems.radarr
mediaItems.lidarr
mediaItems.prowlarr
mediaItems.bazarr
mediaItems.navidrome
mediaItems.transmission
];
in
{
name = "Media & Entertainment";
icon = "fas fa-photo-video";
displayData = {
sortBy = "most-used";
cols = 1;
rows = 1;
collapsed = false;
hideForGuests = false;
};
items = mediaList;
filteredItems = mediaList;
}
)
(
let
networkItems = {
gateway = {
title = "Gateway";
description = "openwrt";
icon = "hl-openwrt";
url = "http://openwrt.lan/";
target = "sametab";
statusCheck = true;
id = "0_746_gateway";
};
wireless = {
title = "Wireless";
description = "openwrt (ish)";
icon = "hl-openwrt";
url = "http://PacketProvocateur.lan";
target = "sametab";
statusCheck = true;
id = "1_746_wireless";
};
};
networkList = [
networkItems.gateway
networkItems.wireless
];
in
{
name = "Network";
icon = "fas fa-network-wired";
items = networkList;
filteredItems = networkList;
displayData = {
sortBy = "default";
rows = 1;
cols = 1;
collapsed = false;
hideForGuests = false;
};
}
)
(
let
servicesItems = {
matrix = {
title = "Matrix";
description = "";
icon = "hl-matrix";
url = "https://chat.neet.space";
target = "sametab";
statusCheck = true;
id = "0_836_matrix";
};
radio = {
title = "Radio";
description = "Radio service";
icon = "generative";
url = "https://radio.runyan.org";
target = "sametab";
statusCheck = true;
id = "1_836_radio";
};
mumble = {
title = "Mumble";
description = "voice.neet.space";
icon = "hl-mumble";
url = "https://voice.neet.space";
target = "sametab";
statusCheck = false;
id = "2_836_mumble";
};
irc = {
title = "IRC";
description = "irc.neet.dev";
icon = "hl-thelounge";
url = "https://irc.neet.dev";
target = "sametab";
statusCheck = true;
id = "3_836_irc";
};
git = {
title = "Git";
description = "git.neet.dev";
icon = "hl-gitea";
url = "https://git.neet.dev";
target = "sametab";
statusCheck = true;
id = "4_836_git";
};
nextcloud = {
title = "Nextcloud";
description = "neet.cloud";
icon = "hl-nextcloud";
url = "https://neet.cloud";
target = "sametab";
statusCheck = true;
id = "5_836_nextcloud";
};
roundcube = {
title = "Roundcube";
description = "mail.neet.dev";
icon = "hl-roundcube";
url = "https://mail.neet.dev";
target = "sametab";
statusCheck = true;
id = "6_836_roundcube";
};
jitsimeet = {
title = "Jitsi Meet";
description = "meet.neet.space";
icon = "hl-jitsimeet";
url = "https://meet.neet.space";
target = "sametab";
statusCheck = true;
id = "7_836_jitsimeet";
};
};
servicesList = [
servicesItems.matrix
servicesItems.radio
servicesItems.mumble
servicesItems.irc
servicesItems.git
servicesItems.nextcloud
servicesItems.roundcube
servicesItems.jitsimeet
];
in
{
name = "Services";
icon = "fas fa-monitor-heart-rate";
items = servicesList;
filteredItems = servicesList;
displayData = {
sortBy = "default";
rows = 1;
cols = 1;
collapsed = false;
hideForGuests = false;
};
}
)
];
}

241
machines/storage/s0/dashy.yaml
View File

@ -1,241 +0,0 @@
appConfig:
theme: vaporware
customColors:
material-dark-original:
primary: '#f36558'
background: '#39434C'
background-darker: '#eb615c'
material-light: '#f36558'
item-text-color: '#ff948a'
curve-factor: 5px
enableErrorReporting: false
layout: auto
iconSize: large
language: en
startingView: default
defaultOpeningMethod: sametab
statusCheck: true
statusCheckInterval: 20
faviconApi: faviconkit
routingMode: history
enableMultiTasking: false
webSearch:
disableWebSearch: false
searchEngine: duckduckgo
openingMethod: sametab
searchBangs: {}
enableFontAwesome: true
cssThemes: []
externalStyleSheet: []
hideComponents:
hideHeading: false
hideNav: false
hideSearch: false
hideSettings: false
hideFooter: false
hideSplashScreen: false
auth:
enableGuestAccess: false
users: []
enableKeycloak: false
keycloak: {}
allowConfigEdit: true
enableServiceWorker: false
disableContextMenu: false
disableUpdateChecks: false
disableSmartSort: false
pageInfo:
title: s0
description: s0
sections:
- name: Media & Entertainment
icon: fas fa-photo-video
displayData:
sortBy: most-used
cols: 1
rows: 1
collapsed: false
hideForGuests: false
items:
- &ref_0
title: Jellyfin
icon: hl-jellyfin
url: https://jellyfin.s0.neet.dev
target: sametab
statusCheck: false
id: 0_1956_jellyfin
- &ref_1
title: Sonarr
description: Manage TV
icon: hl-sonarr
url: https://sonarr.s0.neet.dev
target: sametab
statusCheck: false
id: 1_1956_sonarr
- &ref_2
title: Radarr
description: Manage Movies
icon: hl-radarr
url: https://radarr.s0.neet.dev
target: sametab
statusCheck: false
id: 2_1956_radarr
- &ref_3
title: Lidarr
description: Manage Music
icon: hl-lidarr
url: https://lidarr.s0.neet.dev
target: sametab
statusCheck: false
id: 3_1956_lidarr
- &ref_4
title: Prowlarr
description: Indexers
icon: hl-prowlarr
url: https://prowlarr.s0.neet.dev
target: sametab
statusCheck: false
id: 4_1956_prowlarr
- &ref_5
title: Bazarr
description: Subtitles
icon: hl-bazarr
url: https://bazarr.s0.neet.dev
target: sametab
statusCheck: false
id: 5_1956_bazarr
- &ref_6
title: Navidrome
description: Play Music
icon: hl-navidrome
url: https://music.s0.neet.dev
target: sametab
statusCheck: false
id: 6_1956_navidrome
- &ref_7
title: Transmission
description: Torrenting
icon: hl-transmission
url: https://transmission.s0.neet.dev
target: sametab
statusCheck: false
id: 7_1956_transmission
filteredItems:
- *ref_0
- *ref_1
- *ref_2
- *ref_3
- *ref_4
- *ref_5
- *ref_6
- *ref_7
- name: Network
icon: fas fa-network-wired
items:
- &ref_8
title: Gateway
description: openwrt
icon: hl-openwrt
url: http://openwrt.lan/
target: sametab
statusCheck: true
id: 0_746_gateway
- &ref_9
title: Wireless
description: openwrt (ish)
icon: hl-openwrt
url: http://PacketProvocateur.lan
target: sametab
statusCheck: true
id: 1_746_wireless
filteredItems:
- *ref_8
- *ref_9
displayData:
sortBy: default
rows: 1
cols: 1
collapsed: false
hideForGuests: false
- name: Services
icon: fas fa-monitor-heart-rate
items:
- &ref_10
title: Matrix
description: ''
icon: hl-matrix
url: https://chat.neet.space
target: sametab
statusCheck: true
id: 0_836_matrix
- &ref_11
title: Radio
description: Radio service
icon: generative
url: https://radio.runyan.org
target: sametab
statusCheck: true
id: 1_836_radio
- &ref_12
title: Mumble
description: voice.neet.space
icon: hl-mumble
url: https://voice.neet.space
target: sametab
statusCheck: false
id: 2_836_mumble
- &ref_13
title: IRC
description: irc.neet.dev
icon: hl-thelounge
url: https://irc.neet.dev
target: sametab
statusCheck: true
id: 3_836_irc
- &ref_14
title: Git
description: git.neet.dev
icon: hl-gitea
url: https://git.neet.dev
target: sametab
statusCheck: true
id: 4_836_git
- &ref_15
title: Nextcloud
description: neet.cloud
icon: hl-nextcloud
url: https://neet.cloud
target: sametab
statusCheck: true
id: 5_836_nextcloud
- &ref_16
title: Roundcube
description: mail.neet.dev
icon: hl-roundcube
url: https://mail.neet.dev
target: sametab
statusCheck: true
id: 6_836_roundcube
- &ref_17
title: Jitsi Meet
description: meet.neet.space
icon: hl-jitsimeet
url: https://meet.neet.space
target: sametab
statusCheck: true
id: 7_836_jitsimeet
filteredItems:
- *ref_10
- *ref_11
- *ref_12
- *ref_13
- *ref_14
- *ref_15
- *ref_16
- *ref_17
displayData:
sortBy: default
rows: 1
cols: 1
collapsed: false
hideForGuests: false

28
machines/storage/s0/default.nix
View File

@ -154,7 +154,7 @@
nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
};
hardware.opengl = {
hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver
@ -171,17 +171,24 @@
openFirewall = false; # All nginx services are internal
virtualHosts =
let
mkVirtualHost = external: internal:
mkHost = external: config:
{
${external} = {
useACMEHost = "s0.neet.dev"; # Use wildcard cert
forceSSL = true;
locations."/" = {
proxyPass = internal;
proxyWebsockets = true;
};
locations."/" = config;
};
};
mkVirtualHost = external: internal:
mkHost external {
proxyPass = internal;
proxyWebsockets = true;
};
mkStaticHost = external: static:
mkHost external {
root = static;
tryFiles = "$uri /index.html ";
};
in
lib.mkMerge [
(mkVirtualHost "bazarr.s0.neet.dev" "http://vpn.containers:6767")
@ -193,7 +200,7 @@
(mkVirtualHost "unifi.s0.neet.dev" "https://localhost:8443")
(mkVirtualHost "music.s0.neet.dev" "http://localhost:4533")
(mkVirtualHost "jellyfin.s0.neet.dev" "http://localhost:8096")
(mkVirtualHost "s0.neet.dev" "http://localhost:56815")
(mkStaticHost "s0.neet.dev" config.services.dashy.finalDrv)
{
# Landing page LAN redirect
"s0" = {
@ -213,6 +220,7 @@
};
}
(mkVirtualHost "vacuum.s0.neet.dev" "http://192.168.1.125") # valetudo
(mkVirtualHost "sandman.s0.neet.dev" "http://192.168.9.14:3000") # es
(mkVirtualHost "todo.s0.neet.dev" "http://localhost:${toString config.services.vikunja.port}")
];
@ -254,7 +262,7 @@
virtualisation.podman.dockerSocket.enable = true; # TODO needed?
services.dashy = {
enable = true;
configFile = ./dashy.yaml;
settings = import ./dashy.nix;
};
services.unifi = {
@ -262,6 +270,7 @@
openMinimalFirewall = true;
};
# TODO: setup backup
services.vikunja = {
enable = true;
port = 61473;
@ -271,6 +280,9 @@
service.enableregistration = false;
};
};
backup.group."vikunja".paths = [
"/var/lib/vikunja"
];
boot.binfmt.emulatedSystems = [ "aarch64-linux" "armv7l-linux" ];
}

34
machines/storage/s0/frigate.nix
View File

@ -36,6 +36,11 @@ let
record = "preset-record-generic-audio-copy";
};
};
detect = {
width = 1280;
height = 720;
fps = 5;
};
};
};
services.go2rtc.settings.streams = lib.mkMerge [
@ -54,7 +59,7 @@ let
# - go2rtc: ${VAR}
# - frigate: {VAR}
primaryUrl = "rtsp://admin:\${FRIGATE_RTSP_PASSWORD}@${address}/cam/realmonitor?channel=1&subtype=0";
detectUrl = "rtsp://admin:{FRIGATE_RTSP_PASSWORD}@${address}/cam/realmonitor?channel=1&subtype=1";
detectUrl = "rtsp://admin:{FRIGATE_RTSP_PASSWORD}@${address}/cam/realmonitor?channel=1&subtype=3";
in
mkCamera name primaryUrl detectUrl;
@ -82,9 +87,11 @@ lib.mkMerge [
settings = {
mqtt = {
enabled = true;
host = "localhost:1883";
host = "localhost";
port = 1883;
user = "root";
password = "{FRIGATE_MQTT_PASSWORD}";
};
rtmp.enabled = false;
snapshots = {
enabled = true;
bounding_box = true;
@ -93,8 +100,9 @@ lib.mkMerge [
enabled = true;
# sync_recordings = true; # detect if recordings were deleted outside of frigate (expensive)
retain = {
days = 2; # Keep video for 2 days
mode = "motion";
days = 7; # Keep video for 7 days
mode = "all";
# mode = "motion";
};
events = {
retain = {
@ -106,7 +114,7 @@ lib.mkMerge [
};
# Make frigate aware of the go2rtc streams
go2rtc.streams = config.services.go2rtc.settings.streams;
detect.enabled = true;
detect.enabled = false; # :(
objects = {
track = [ "person" "dog" ];
};
@ -145,11 +153,23 @@ lib.mkMerge [
systemd.services.frigate.serviceConfig.SupplementaryGroups = [ "apex" ];
# Coral PCIe driver
kernel.enableGasketKernelModule = true;
boot.extraModulePackages = with config.boot.kernelPackages; [ gasket ];
services.udev.extraRules = ''
SUBSYSTEM=="apex", MODE="0660", GROUP="apex"
'';
services.frigate.settings.detectors.coral = {
type = "edgetpu";
device = "pci";
};
}
{
# Fix bug in nixos module where cache is not cleared when starting the service because "rm" cannot be found
systemd.services.frigate.serviceConfig.ExecStartPre = lib.mkForce "${pkgs.bash}/bin/sh -c 'rm -f /var/cache/frigate/*.mp4'";
}
{
# Don't require authentication for frigate
# This is ok because the reverse proxy already requires tailscale access anyway
services.frigate.settings.auth.enabled = false;
}
]

40
machines/storage/s0/hardware-configuration.nix
View File

@ -22,7 +22,6 @@
# zfs
networking.hostId = "5e6791f0";
boot.supportedFilesystems = [ "zfs" ];
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
# luks
remoteLuksUnlock.enable = true;
@ -59,12 +58,43 @@
};
swapDevices = [ ];
networking.vlans = {
iot = {
id = 2;
interface = "eth1";
networking = {
dhcpcd.enable = false;
vlans = {
iot = {
id = 2;
interface = "eth1";
};
};
interfaces.eth1.ipv4.addresses = [{
address = "192.168.1.2";
prefixLength = 21;
}];
interfaces.iot.ipv4.addresses = [{
address = "192.168.9.8";
prefixLength = 22;
}];
defaultGateway = "192.168.1.1";
nameservers = [ "1.1.1.1" "8.8.8.8" ];
};
# networking = {
# vlans = {
# iot = {
# id = 2;
# interface = "eth1";
# };
# };
# defaultGateway = {
# interface = "eth1";
# address = "192.168.1.1";
# metric = 10; # always use this route as default gateway
# };
# };
powerManagement.cpuFreqGovernor = "powersave";
}

16
machines/storage/s0/home-automation.nix
View File

@ -3,14 +3,14 @@
{
services.esphome.enable = true;
# TODO lock down
services.mosquitto = {
enable = true;
listeners = [
{
acl = [ "pattern readwrite #" ];
omitPasswordAuth = true;
settings.allow_anonymous = true;
users.root = {
acl = [ "readwrite #" ];
hashedPassword = "$7$101$8+QnkTzCdGizaKqq$lpU4o84n6D/1uwfA9pZDVExr1NDm1D/8tNla2tE9J9HdUqkvu192yYfiySY1MFqVNgUKgWEFu5P1bUKqRnzbUw==";
};
}
];
};
@ -24,11 +24,13 @@
homeassistant = true;
permit_join = false;
serial = {
adapter = "ember";
port = "/dev/ttyACM0";
};
mqtt = {
server = "mqtt://localhost:1883";
# base_topic = "zigbee2mqtt";
user = "root";
password = "!/run/agenix/zigbee2mqtt.yaml mqtt_password";
};
frontend = {
host = "localhost";
@ -36,6 +38,10 @@
};
};
};
age.secrets."zigbee2mqtt.yaml" = {
file = ../../../secrets/zigbee2mqtt.yaml.age;
owner = "zigbee2mqtt";
};
services.home-assistant = {
enable = true;

1
machines/storage/s0/properties.nix
View File

@ -12,6 +12,7 @@
"binary-cache"
"gitea-actions-runner"
"frigate"
"zigbee"
];
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";

8
machines/zoidberg/default.nix
View File

@ -5,8 +5,6 @@
./hardware-configuration.nix
];
de.enable = true;
# Login DE Option: Steam
programs.steam.gamescopeSession.enable = true;
# programs.gamescope.capSysNice = true;
@ -33,9 +31,9 @@
hardware.enableAllFirmware = true;
# ROCm
hardware.opengl.extraPackages = with pkgs; [
rocm-opencl-icd
rocm-opencl-runtime
hardware.graphics.extraPackages = with pkgs; [
rocmPackages.clr.icd
rocmPackages.clr
];
systemd.tmpfiles.rules = [
"L+ /opt/rocm/hip - - - - ${pkgs.rocmPackages.clr}"

13
machines/zoidberg/hardware-configuration.nix
View File

@ -17,16 +17,17 @@
boot.extraModulePackages = [ ];
boot.kernelPackages = pkgs.linuxPackages_latest;
# luks unlock with clevis
boot.initrd.systemd.enable = true;
boot.initrd.clevis = {
enable = true;
devices."enc-pv".secretFile = "/secret/decrypt.jwe";
};
# disks
remoteLuksUnlock.enable = true;
boot.initrd.luks.devices."enc-pv" = {
device = "/dev/disk/by-uuid/04231c41-2f13-49c0-8fce-0357eea67990";
allowDiscards = true;
# Fetch key from USB drive
keyFileSize = 4096;
keyFile = "/dev/disk/by-id/usb-Mass_Storage_Device_121220160204-0:0-part2";
fallbackToPassword = true;
};
fileSystems."/" =
{

10
overlays/default.nix
View File

@ -3,13 +3,11 @@ final: prev:
let
system = prev.system;
frigatePkgs = inputs.nixpkgs-frigate.legacyPackages.${system};
in
{
# It seems that libedgetpu needs to be built with the newer version of tensorflow in nixpkgs
# but I am lazy so I instead just downgrade by using the old nixpkgs
libedgetpu = frigatePkgs.callPackage ./libedgetpu { };
frigate = frigatePkgs.frigate;
actual-server = prev.callPackage ./actualbudget { };
# Copied entire package from nixpkgs to downgrade to python 3.11 since 3.12 is broken.
# See: https://github.com/Py-KMS-Organization/py-kms/issues/117
pykms = prev.callPackage ./pykms.nix { };
}

10
overlays/kernel-modules/default.nix
View File

@ -7,13 +7,5 @@
let
cfg = config.kernel;
gasket = config.boot.kernelPackages.callPackage ./gasket.nix { };
in
{
options.kernel.enableGasketKernelModule = lib.mkEnableOption "Enable Gasket Kernel Module";
config = lib.mkIf cfg.enableGasketKernelModule {
boot.extraModulePackages = [ gasket ];
};
}
{ }

36
overlays/kernel-modules/gasket.nix
View File

@ -1,36 +0,0 @@
{ stdenv, lib, fetchFromGitHub, kernel }:
stdenv.mkDerivation rec {
pname = "gasket";
version = "1.0-18-unstable-2023-09-05";
src = fetchFromGitHub {
owner = "google";
repo = "gasket-driver";
rev = "5815ee3908a46a415aac616ac7b9aedcb98a504c";
sha256 = "sha256-O17+msok1fY5tdX1DvqYVw6plkUDF25i8sqwd6mxYf8=";
};
makeFlags = kernel.makeFlags ++ [
"-C"
"${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
"M=$(PWD)"
];
buildFlags = [ "modules" ];
installFlags = [ "INSTALL_MOD_PATH=${placeholder "out"}" ];
installTargets = [ "modules_install" ];
sourceRoot = "${src.name}/src";
hardeningDisable = [ "pic" "format" ];
nativeBuildInputs = kernel.moduleBuildDependencies;
meta = with lib; {
description = "The Coral Gasket Driver allows usage of the Coral EdgeTPU on Linux systems.";
homepage = "https://github.com/google/gasket-driver";
license = licenses.gpl2;
maintainers = [ lib.maintainers.kylehendricks ];
platforms = platforms.linux;
broken = versionOlder kernel.version "5.15";
};
}

72
overlays/libedgetpu/default.nix
View File

@ -1,72 +0,0 @@
{ stdenv
, lib
, fetchFromGitHub
, libusb1
, abseil-cpp
, flatbuffers
, xxd
}:
let
flatbuffers_1_12 = flatbuffers.overrideAttrs (oldAttrs: rec {
version = "1.12.0";
NIX_CFLAGS_COMPILE = "-Wno-error=class-memaccess -Wno-error=maybe-uninitialized";
cmakeFlags = (oldAttrs.cmakeFlags or [ ]) ++ [ "-DFLATBUFFERS_BUILD_SHAREDLIB=ON" ];
NIX_CXXSTDLIB_COMPILE = "-std=c++17";
configureFlags = (oldAttrs.configureFlags or [ ]) ++ [ "--enable-shared" ];
src = fetchFromGitHub {
owner = "google";
repo = "flatbuffers";
rev = "v${version}";
sha256 = "sha256-L1B5Y/c897Jg9fGwT2J3+vaXsZ+lfXnskp8Gto1p/Tg=";
};
});
in
stdenv.mkDerivation rec {
pname = "libedgetpu";
version = "grouper";
src = fetchFromGitHub {
owner = "google-coral";
repo = pname;
rev = "release-${version}";
sha256 = "sha256-73hwItimf88Iqnb40lk4ul/PzmCNIfdt6Afi+xjNiBE=";
};
patches = [ ./libedgetpu-stddef.diff ];
makeFlags = [ "-f" "makefile_build/Makefile" "libedgetpu" ];
buildInputs = [
libusb1
abseil-cpp
flatbuffers_1_12
];
nativeBuildInputs = [
xxd
];
NIX_CXXSTDLIB_COMPILE = "-std=c++17";
TFROOT = "${fetchFromGitHub {
owner = "tensorflow";
repo = "tensorflow";
rev = "v2.7.4";
sha256 = "sha256-liDbUAdaVllB0b74aBeqNxkYNu/zPy7k3CevzRF5dk0=";
}}";
enableParallelBuilding = false;
installPhase = ''
mkdir -p $out/lib
cp out/direct/k8/libedgetpu.so.1.0 $out/lib
ln -s $out/lib/libedgetpu.so.1.0 $out/lib/libedgetpu.so.1
mkdir -p $out/lib/udev/rules.d
cp debian/edgetpu-accelerator.rules $out/lib/udev/rules.d/99-edgetpu-accelerator.rules
# PCIe rule
echo 'SUBSYSTEM=="apex", MODE="0660", GROUP="apex"' > $out/lib/udev/rules.d/65-apex.rules
'';
}

12
overlays/libedgetpu/libedgetpu-stddef.diff
View File

@ -1,12 +0,0 @@
diff --git a/api/allocated_buffer.h b/api/allocated_buffer.h
index 97740f0..7bc0547 100644
--- a/api/allocated_buffer.h
+++ b/api/allocated_buffer.h
@@ -16,6 +16,7 @@
#define DARWINN_API_ALLOCATED_BUFFER_H_
#include <functional>
+#include <cstddef>
namespace platforms {
namespace darwinn {

103
overlays/pykms.nix Normal file
View File

@ -0,0 +1,103 @@
{ lib
, fetchFromGitHub
, python311
, writeText
, writeShellScript
, sqlite
, nixosTests
}:
let
pypkgs = python311.pkgs;
dbSql = writeText "create_pykms_db.sql" ''
CREATE TABLE clients(
clientMachineId TEXT,
machineName TEXT,
applicationId TEXT,
skuId TEXT,
licenseStatus TEXT,
lastRequestTime INTEGER,
kmsEpid TEXT,
requestCount INTEGER
);
'';
dbScript = writeShellScript "create_pykms_db.sh" ''
set -eEuo pipefail
db=''${1:-/var/lib/pykms/clients.db}
if [ ! -e $db ] ; then
${lib.getBin sqlite}/bin/sqlite3 $db < ${dbSql}
fi
'';
in
pypkgs.buildPythonApplication rec {
pname = "pykms";
version = "unstable-2024-05-28";
src = fetchFromGitHub {
owner = "Py-KMS-Organization";
repo = "py-kms";
rev = "646f4766f4195dbea0695700a7ddaac70a3294f9";
hash = "sha256-YCqPo7WkCfXyuTjL4IYapdcUN/Vj465Jz6XhQessyz0=";
};
sourceRoot = "${src.name}/py-kms";
propagatedBuildInputs = with pypkgs; [
systemd
pytz
tzlocal
dnspython
];
postPatch = ''
siteDir=$out/${python311.sitePackages}
substituteInPlace pykms_DB2Dict.py \
--replace "'KmsDataBase.xml'" "'$siteDir/KmsDataBase.xml'"
'';
format = "other";
# there are no tests
doCheck = false;
installPhase = ''
runHook preInstall
mkdir -p $siteDir
PYTHONPATH="$PYTHONPATH:$siteDir"
mv * $siteDir
for b in Client Server ; do
makeWrapper ${python311.interpreter} $out/bin/''${b,,} \
--argv0 pykms-''${b,,} \
--add-flags $siteDir/pykms_$b.py \
--set PYTHONPATH $PYTHONPATH
done
install -Dm755 ${dbScript} $out/libexec/create_pykms_db.sh
install -Dm644 ../README.md -t $out/share/doc/pykms
${python311.interpreter} -m compileall $siteDir
runHook postInstall
'';
passthru.tests = { inherit (nixosTests) pykms; };
meta = with lib; {
description = "Windows KMS (Key Management Service) server written in Python";
homepage = "https://github.com/Py-KMS-Organization/py-kms";
license = licenses.unlicense;
maintainers = with maintainers; [
peterhoeg
zopieux
];
};
}

15
patches/dont-break-nix-serve.patch Normal file
View File

@ -0,0 +1,15 @@
diff --git a/nixos/modules/services/video/frigate.nix b/nixos/modules/services/video/frigate.nix
index 49f8ed673816..643b59d68dde 100644
--- a/nixos/modules/services/video/frigate.nix
+++ b/nixos/modules/services/video/frigate.nix
@@ -482,10 +482,6 @@ in
};
};
extraConfig = ''
- # Frigate wants to connect on 127.0.0.1:5000 for unauthenticated requests
- # https://github.com/NixOS/nixpkgs/issues/370349
- listen 127.0.0.1:5000;
-
# vod settings
vod_base_url "";
vod_segments_base_url "";

20
secrets/digitalocean-dns-credentials.age
View File

@ -1,11 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 WBT1Hw wjZGPvilRXGZsC2+7dWm/Nbau8Allv29WwQCr0XSAWU
uTOf/sokutOGDyc8fbTbBWXqCVQCFhGdHxwA6SXqhdA
-> ssh-ed25519 6AT2/g NU068qwqOWiKk0QwqP9vU4xJaND2OR4bo8xkmdWATgY
uGd0sb5PH+rREn9pgLOFwk29CX66aPBQMvr4rBazylc
-> ssh-ed25519 hPp1nw r2JRiZ7fsHPYDlte6Oh2Gx1KkugekFeeg3xSjziI+hQ
xnO0gscMdR25mj5uAX7D42FCbCQhqbU0wkiLX4OmVqk
-> ssh-ed25519 w3nu8g F03mPU63WwEs1SLUFErLOVCkARoggGIvvz9TFZfMOBY
HOdVA3xW9pqUPhclO6VueSfXg3ux06Ch3fucF6Vr4hM
--- niyo231HPT/+2dzflP+zhYjL9XiWsk7svesCYdkU1jA
ØQî¬5-ô@<40>¢¿—ßÐN5<4E> Ãÿ$Ø‚™’Çž…êÐ<C3AA>X=ŒHŽDÁ`P×5ZA´÷¼YóäÓ?¡é^[³1”6ÕK*mP݈ª­æ1æç÷ß›ƒ:$^ÑfDœ†ÿ“š-zi´"·Tàuÿüò
-> ssh-ed25519 WBT1Hw TGdD8Nw+GPITDOXGhevSu+880DWET7WYN3nIyJ0xy2o
69xepRTnmaFwa4IsGJjDdwZqTSf5fz6EZK0/q3oz/ZA
-> ssh-ed25519 6AT2/g EmqXrXXsRxSS6AsH+7VMgoJTYo9eGj8ebLiLT4IWNxg
eKs5/3tQMdg5bGJKNz8PFh9C7HiV+IlOU9dzpYcGIjo
-> ssh-ed25519 hPp1nw wsIF676is8FquF6oANNauPrumsMnfVUZpPeVKEtBOzQ
qZR8LSF+TQ2K3K0An69NHfk53ZqNEWev0IVcb71SR40
-> ssh-ed25519 w3nu8g TKHY/5JuzFMhbW9CQAOI3woX8M9b1H/XXUpIMT0Mylk
byJV0/BJ3ftG5eYv5BeyIYBi0VoWG31HRiENUxSeYE8
--- fwHXHtE/sMLqCLSD8tR0oCPgNuif9Y/ncHU97hbf/Bw
f"+ÉŒqc<71>H†Ñjï!JSšË¡Ì|yMìðX¼þMl<4D>ýçCy™îUXn»Égk¨ë)¤óOY§uº„¦²¶g%è Håvœ5ô!$Jœ¤Š…¶$<24>#Dö;±¥àÖ }ÏŸcçKšˆ{R/

12
secrets/frigate-credentials.age
View File

@ -1,7 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 hPp1nw Chke1ZtpXxN1c1+AnJ6Cd5kpM1KfQKTwymrfPW53QCA
jUcw8eitC7r0rwefjllndZjARIqpWoVqGCnefHfjQ6Y
-> ssh-ed25519 w3nu8g KY/5bU1B5uvmfGHF2d6qBL1NYy64qo324rdvkgnXoDA
OBvuFtzZXQ0RmmEXelyzHMMiVqZir7zQJMA36ZH2siE
--- CSd7lYSYQ2fCTjkJLPGdaNGL8eVpE9IBEyFo0LW907M
£³$šO†ÈIß//Êw*ƒ™õD¤@u5o[¼â:·äš¥t¾˜]Jñ쮸™@Ùhþu£Àk;?·XüÁHRºÑ°E5¥ÍçÜ9
-> ssh-ed25519 hPp1nw zOXF7NsZjm+DCYrJ+Ap2mX35JUt37CLJP1RhyOjB/XE
ePprJM2cnhYZhP8aJUXOZeGHJm/DHlRYomWN+lFaU6w
-> ssh-ed25519 w3nu8g gjeFAbFWXyPdGauKHXAzuIP9fmaj2Oysq9fHO8q7u38
KiMR0pgEPtsfZnYAIsH7UHNhnsB6rtsW/hqV03uS2dI
--- BPzPECz1g6vEv4OlRn6+FnWP9oq3tn6TN2o867icxYA
}ìjºùŽ+l&þàx<C3A0>-TïÝb‡ÅèØÄ·<C384>Dg‰ñgc*ˆ0<CB86>÷µcp …}uþ7Íßã%9Ð%ŽÒú©S¥ ‰|šôêöQœÃ*9Ø$ä ŽŠ ÍÖi;)c?ÍÍýGh¤VvªnlÚs¤Ç)r }Ò­hE5K‡bg­-<2D>®

3
secrets/secrets.nix
View File

@ -57,4 +57,7 @@ with roles;
# Frigate (DVR)
"frigate-credentials.age".publicKeys = frigate;
# zigbee2mqtt secrets
"zigbee2mqtt.yaml.age".publicKeys = zigbee;
}

8
secrets/zigbee2mqtt.yaml.age Normal file
View File

@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 hPp1nw TSDuPaFp/Qcz4r819X4QmU/4J2TGpoX7jCCJCdFDog0
SwQUqEp45xMOeTkvBG6uX28kB8YWG66laYqakSgl9w4
-> ssh-ed25519 w3nu8g tLZDNE0iBgOpUB3djpNu3CgimsRc0zcds+AgctzxyQ4
Oyz6XORsApM4vFxWyaD3bR/ApIUFPY3q4yGvtbosUIY
--- vuXlQmuOFbJhBTACN5ciH2GlOCbRCMPZdlogG2O+KOk
Áëÿ!}UIì p0@Xž|°þ#晆0HÙõò#BÇRR<52>Ù
òùø5¾Iÿ?vX?pÝ<70><>fqÍ[lž¸˜­G7ü; UäÀOUä¶