zuckerberg/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Activity

Compare commits

base: zuckerberg:rpi-hotspot
Branches Tags
zuckerberg:master zuckerberg:stage zuckerberg:rpi-hotspot zuckerberg:attic zuckerberg:kexec_luks2 zuckerberg:pia-client
..
compare: zuckerberg:af9e462b27b839599ea3296be2d27655ac1bf0fe
Branches Tags
zuckerberg:master zuckerberg:stage zuckerberg:rpi-hotspot zuckerberg:attic zuckerberg:kexec_luks2 zuckerberg:pia-client

34 Commits
rpi-hotspo ... af9e462b27

Author SHA1 Message Date
Zuckerberg
af9e462b27 Allow substituters to be offline
Some checks failed
Check Flake / check-flake (push) Has been cancelled
Details
2025-07-13 17:54:32 -07:00
Zuckerberg
2faea9d380 Update nixpkgs and other flake inputs 2025-07-13 17:52:08 -07:00
Zuckerberg
8571922796 Add new helpful utilities 2025-07-12 11:42:40 -07:00
Zuckerberg
131d5e9313 Add rest command for home assistant 2025-07-12 10:50:37 -07:00
Zuckerberg
fe0ce3a245 Get recyclarr initially running 2025-07-12 10:48:13 -07:00
Zuckerberg
7b26cfb4eb update single input cmd 2025-07-12 10:27:09 -07:00
Zuckerberg
1c9fa418b3 Make s0 easier to unlock
All checks were successful
Check Flake / check-flake (push) Successful in 1m25s
Details
2025-03-29 22:52:00 -07:00
Zuckerberg
8c4dc9cb74 Improve usage of roles. It should be much easier to read and use now. 2025-03-29 22:48:14 -07:00
Zuckerberg
1f9fbd87ac Use upstream pykms and Actual Budget. Move Actual to s0. Add automated backups for Actual.
All checks were successful
Check Flake / check-flake (push) Successful in 1m37s
Details
2025-03-29 18:36:13 -07:00
Zuckerberg
23c8076e4d Pinning system nixpkgs is not needed anymore. nixpkgs already does this automatically for flakes.
All checks were successful
Check Flake / check-flake (push) Successful in 1m50s
Details
2025-03-28 21:45:46 -07:00
Zuckerberg
75ae399b5a Update nixpkgs. Move to new dashy service 2025-03-28 21:05:37 -07:00
Zuckerberg
87ddad27a4 Add Home Manager 2025-03-28 20:27:14 -07:00
Zuckerberg
8dd2a00123 Tauri development extensions 2025-03-28 20:24:33 -07:00
Zuckerberg
944a783ff2 Add nix LSPs for development 2025-03-28 20:23:07 -07:00
Zuckerberg
c2cb43fd2c Enable iperf3 server on ponyo 2025-03-28 20:22:14 -07:00
Zuckerberg
02b2fb6309 Disable gc on howl so nix backed projects don't loose their cache 2025-03-28 20:19:15 -07:00
Zuckerberg
b43660aaef Clean up very old unused config 2025-03-28 20:17:54 -07:00
Zuckerberg
567d755850 If machine role is personal set de.enable = true; automatically 2025-03-28 20:16:26 -07:00
Zuckerberg
adc9b9f2b7 Add sandman.s0.neet.dev 2025-03-28 19:39:59 -07:00
Zuckerberg
9181e3bfa3 Update librechat to v0.7.7 2025-03-28 19:38:41 -07:00
Zuckerberg
9845270512 Fix gparted 2025-03-28 19:35:35 -07:00
Zuckerberg
b3b3044690 Downgrade to dailybot to python 3.11
All checks were successful
Check Flake / check-flake (push) Successful in 1m22s
Details
2025-02-18 22:43:47 -08:00
Zuckerberg
fb1970c316 Upgrade librechat
All checks were successful
Check Flake / check-flake (push) Successful in 6m43s
Details
2025-02-17 12:12:46 -08:00
Zuckerberg
34f1edf3b3 Fix s0 setting the incorrect default route by using a static configuration 2025-02-17 12:11:52 -08:00
Zuckerberg
823f0a6ef2 Disable frigate detect for now. It is using excessive CPU 2025-02-17 12:10:59 -08:00
Zuckerberg
00d2ccc684 Fix sound in some games running in wine 2025-02-17 12:09:51 -08:00
Zuckerberg
b2acaff783 Fix pykms by downgrading to python 3.11 2025-02-17 12:09:20 -08:00
Zuckerberg
c51f4ad65b Unlock zoidberg using TPM2
All checks were successful
Check Flake / check-flake (push) Successful in 1m6s
Details
2024-11-21 21:31:19 -08:00
Zuckerberg
eb6a50664c Upgrade NixOS. Use upstream libedgetpu, frigate, and gasket kernel module. Fix services broken by upgrade.
All checks were successful
Check Flake / check-flake (push) Successful in 17m43s
Details
2024-11-19 21:28:56 -08:00
Zuckerberg
89ce0f7fc0 Change Howl's NVMe 2024-11-19 21:08:19 -08:00
Zuckerberg
8ff552818b Rollover digital ocean auth token
All checks were successful
Check Flake / check-flake (push) Successful in 1m13s
Details
2024-10-27 16:41:02 -07:00
Zuckerberg
020689d987 Fix zigbee2mqtt auth 2024-10-27 16:40:47 -07:00
Zuckerberg
9109e356bd Backup vikunja
All checks were successful
Check Flake / check-flake (push) Successful in 2m6s
Details
2024-10-27 16:26:32 -07:00
Zuckerberg
c7d9e84f73 Lock down access to mqtt
All checks were successful
Check Flake / check-flake (push) Successful in 1m6s
Details
2024-10-27 16:15:23 -07:00
68 changed files with 975 additions and 10316 deletions
Expand all files Collapse all files

5
Makefile
View File

@@ -25,3 +25,8 @@ clean-old-nixos-profiles:
.PHONY: gc .PHONY: gc
gc: gc:
nix store gc nix store gc
# Update a flake input by name (ex: 'nixpkgs')
.PHONY: update-input
update-input:
nix flake update $(filter-out $@,$(MAKECMDGOALS))

2
README.md
View File

@@ -4,7 +4,7 @@
- `/common` - common configuration imported into all `/machines` - `/common` - common configuration imported into all `/machines`
- `/boot` - config related to bootloaders, cpu microcode, and unlocking LUKS root disks over tor - `/boot` - config related to bootloaders, cpu microcode, and unlocking LUKS root disks over tor
- `/network` - config for tailscale, and NixOS container with automatic vpn tunneling via PIA - `/network` - config for tailscale, and NixOS container with automatic vpn tunneling via PIA
- `/pc` - config that a graphical desktop computer should have. Use `de.enable = true;` to enable everthing. - `/pc` - config that a graphical PC should have. Have the `personal` role set in the machine's `properties.nix` to enable everthing.
- `/server` - config that creates new nixos services or extends existing ones to meet my needs - `/server` - config that creates new nixos services or extends existing ones to meet my needs
- `/machines` - all my NixOS machines along with their machine unique configuration for hardware and services - `/machines` - all my NixOS machines along with their machine unique configuration for hardware and services
- `/kexec` - a special machine for generating minimal kexec images. Does not import `/common` - `/kexec` - a special machine for generating minimal kexec images. Does not import `/common`

19
common/binary-cache.nix
View File

@@ -1,16 +1,6 @@
{ config, lib, ... }: { config, lib, ... }:
let
in
{ {
options.enableExtraSubstituters = lib.mkEnableOption "Enable extra substituters";
config = lib.mkMerge [
{
enableExtraSubstituters = lib.mkDefault true;
}
(lib.mkIf config.enableExtraSubstituters {
nix = { nix = {
settings = { settings = {
substituters = [ substituters = [
@@ -22,8 +12,13 @@ in
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU=" "s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU="
]; ];
# Allow substituters to be offline
# This isn't exactly ideal since it would be best if I could set up a system
# so that it is an error if a derivation isn't available for any substituters
# and use this flag as intended for deciding if it should build missing
# derivations locally. See https://github.com/NixOS/nix/issues/6901
fallback = true;
}; };
}; };
})
];
} }

3
common/default.nix
View File

@@ -98,4 +98,7 @@
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
security.acme.defaults.email = "zuckerberg@neet.dev"; security.acme.defaults.email = "zuckerberg@neet.dev";
# Enable Desktop Environment if this is a PC (machine role is "personal")
de.enable = lib.mkDefault (config.thisMachine.hasRole."personal");
} }

6
common/flakes.nix
View File

@@ -13,12 +13,6 @@ in
extraOptions = '' extraOptions = ''
experimental-features = nix-command flakes experimental-features = nix-command flakes
''; '';
# pin nixpkgs for system commands such as "nix shell"
registry.nixpkgs.flake = config.inputs.nixpkgs;
# pin system nixpkgs to the same version as the flake input
nixPath = [ "nixpkgs=${config.inputs.nixpkgs}" ];
}; };
}; };
} }

43
common/machine-info/default.nix
View File

@@ -5,20 +5,9 @@
let let
machines = config.machines.hosts; machines = config.machines.hosts;
in
{
imports = [
./ssh.nix
./roles.nix
];
options.machines = { hostOptionsSubmoduleType = lib.types.submodule {
hosts = lib.mkOption {
type = lib.types.attrsOf
(lib.types.submodule {
options = { options = {
hostNames = lib.mkOption { hostNames = lib.mkOption {
type = lib.types.listOf lib.types.str; type = lib.types.listOf lib.types.str;
description = '' description = ''
@@ -26,21 +15,18 @@ in
Used for automatically trusting hosts for ssh connections. Used for automatically trusting hosts for ssh connections.
''; '';
}; };
arch = lib.mkOption { arch = lib.mkOption {
type = lib.types.enum [ "x86_64-linux" "aarch64-linux" ]; type = lib.types.enum [ "x86_64-linux" "aarch64-linux" ];
description = '' description = ''
The architecture of this machine. The architecture of this machine.
''; '';
}; };
systemRoles = lib.mkOption { systemRoles = lib.mkOption {
type = lib.types.listOf lib.types.str; # TODO: maybe use an enum? type = lib.types.listOf lib.types.str; # TODO: maybe use an enum?
description = '' description = ''
The set of roles this machine holds. Affects secrets available. (TODO add service config as well using this info) The set of roles this machine holds. Affects secrets available. (TODO add service config as well using this info)
''; '';
}; };
hostKey = lib.mkOption { hostKey = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = '' description = ''
@@ -48,7 +34,6 @@ in
and for decrypting secrets with agenix. and for decrypting secrets with agenix.
''; '';
}; };
remoteUnlock = lib.mkOption { remoteUnlock = lib.mkOption {
default = null; default = null;
type = lib.types.nullOr (lib.types.submodule { type = lib.types.nullOr (lib.types.submodule {
@@ -80,7 +65,6 @@ in
}; };
}); });
}; };
userKeys = lib.mkOption { userKeys = lib.mkOption {
default = [ ]; default = [ ];
type = lib.types.listOf lib.types.str; type = lib.types.listOf lib.types.str;
@@ -90,7 +74,6 @@ in
TODO: consider auto populating other programs that use ssh keys such as gitea TODO: consider auto populating other programs that use ssh keys such as gitea
''; '';
}; };
deployKeys = lib.mkOption { deployKeys = lib.mkOption {
default = [ ]; default = [ ];
type = lib.types.listOf lib.types.str; type = lib.types.listOf lib.types.str;
@@ -98,17 +81,30 @@ in
The list of deployment keys. Each key here can be used to log into all other systems as `root`. The list of deployment keys. Each key here can be used to log into all other systems as `root`.
''; '';
}; };
configurationPath = lib.mkOption { configurationPath = lib.mkOption {
type = lib.types.path; type = lib.types.path;
description = '' description = ''
The path to this machine's configuration directory. The path to this machine's configuration directory.
''; '';
}; };
};
};
in
{
imports = [
./ssh.nix
./roles.nix
];
options.machines = {
hosts = lib.mkOption {
type = lib.types.attrsOf hostOptionsSubmoduleType;
}; };
});
}; };
options.thisMachine.config = lib.mkOption {
# For ease of use, a direct copy of the host config from machines.hosts.${hostName}
type = hostOptionsSubmoduleType;
}; };
config = { config = {
@@ -196,5 +192,12 @@ in
builtins.map (p: { "${dirName p}" = p; }) propFiles; builtins.map (p: { "${dirName p}" = p; }) propFiles;
in in
properties ../../machines; properties ../../machines;
# Don't try to evaluate "thisMachine" when reflecting using moduleless.nix.
# When evaluated by moduleless.nix this will fail due to networking.hostName not
# existing. This is because moduleless.nix is not intended for reflection from the
# perspective of a perticular machine but is instead intended for reflecting on
# the properties of all machines as a whole system.
thisMachine.config = config.machines.hosts.${config.networking.hostName};
}; };
} }

42
common/machine-info/roles.nix
View File

@@ -1,19 +1,55 @@
{ config, lib, ... }: { config, lib, ... }:
# Maps roles to their hosts # Maps roles to their hosts.
# machines.withRole = {
# personal = [
# "machine1" "machine3"
# ];
# cache = [
# "machine2"
# ];
# };
#
# A list of all possible roles
# machines.allRoles = [
# "personal"
# "cache"
# ];
#
# For each role has true or false if the current machine has that role
# thisMachine.hasRole = {
# personal = true;
# cache = false;
# };
{ {
options.machines.roles = lib.mkOption { options.machines.withRole = lib.mkOption {
type = lib.types.attrsOf (lib.types.listOf lib.types.str); type = lib.types.attrsOf (lib.types.listOf lib.types.str);
}; };
options.machines.allRoles = lib.mkOption {
type = lib.types.listOf lib.types.str;
};
options.thisMachine.hasRole = lib.mkOption {
type = lib.types.attrsOf lib.types.bool;
};
config = { config = {
machines.roles = lib.zipAttrs machines.withRole = lib.zipAttrs
(lib.mapAttrsToList (lib.mapAttrsToList
(host: cfg: (host: cfg:
lib.foldl (lib.mergeAttrs) { } lib.foldl (lib.mergeAttrs) { }
(builtins.map (role: { ${role} = host; }) (builtins.map (role: { ${role} = host; })
cfg.systemRoles)) cfg.systemRoles))
config.machines.hosts); config.machines.hosts);
machines.allRoles = lib.attrNames config.machines.withRole;
thisMachine.hasRole = lib.mapAttrs
(role: cfg:
builtins.elem config.networking.hostName config.machines.withRole.${role}
)
config.machines.withRole;
}; };
} }

2
common/machine-info/ssh.nix
View File

@@ -39,6 +39,6 @@ in
builtins.map builtins.map
(host: machines.hosts.${host}.hostKey) (host: machines.hosts.${host}.hostKey)
hosts) hosts)
machines.roles; machines.withRole;
}; };
} }

4
common/network/pia-wireguard.nix
View File

@@ -151,7 +151,7 @@ in
partOf = [ containerServiceName ]; partOf = [ containerServiceName ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
path = with pkgs; [ wireguard-tools jq curl iproute iputils ]; path = with pkgs; [ wireguard-tools jq curl iproute2 iputils ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
@@ -224,7 +224,7 @@ in
after = [ "network.target" "network-online.target" ]; after = [ "network.target" "network-online.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
path = with pkgs; [ wireguard-tools iproute curl jq iptables ]; path = with pkgs; [ wireguard-tools iproute2 curl jq iptables ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";

20
common/nix-builder.nix
View File

@@ -1,18 +1,14 @@
{ config, lib, ... }: { config, lib, ... }:
let let
builderRole = "nix-builder";
builderUserName = "nix-builder"; builderUserName = "nix-builder";
machinesByRole = role: lib.filterAttrs (hostname: cfg: builtins.elem role cfg.systemRoles) config.machines.hosts; builderRole = "nix-builder";
otherMachinesByRole = role: lib.filterAttrs (hostname: cfg: hostname != config.networking.hostName) (machinesByRole role); builders = config.machines.withRole.${builderRole};
thisMachineHasRole = role: builtins.hasAttr config.networking.hostName (machinesByRole role); thisMachineIsABuilder = config.thisMachine.hasRole.${builderRole};
builders = machinesByRole builderRole;
thisMachineIsABuilder = thisMachineHasRole builderRole;
# builders don't include themselves as a remote builder # builders don't include themselves as a remote builder
otherBuilders = lib.filterAttrs (hostname: cfg: hostname != config.networking.hostName) builders; otherBuilders = lib.filter (hostname: hostname != config.networking.hostName) builders;
in in
lib.mkMerge [ lib.mkMerge [
# configure builder # configure builder
@@ -40,9 +36,9 @@ lib.mkMerge [
nix.distributedBuilds = true; nix.distributedBuilds = true;
nix.buildMachines = builtins.map nix.buildMachines = builtins.map
(builderCfg: { (builderHostname: {
hostName = builtins.elemAt builderCfg.hostNames 0; hostName = builderHostname;
system = builderCfg.arch; system = config.machines.hosts.${builderHostname}.arch;
protocol = "ssh-ng"; protocol = "ssh-ng";
sshUser = builderUserName; sshUser = builderUserName;
sshKey = "/etc/ssh/ssh_host_ed25519_key"; sshKey = "/etc/ssh/ssh_host_ed25519_key";
@@ -50,7 +46,7 @@ lib.mkMerge [
speedFactor = 10; speedFactor = 10;
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
}) })
(builtins.attrValues otherBuilders); otherBuilders;
# It is very likely that the builder's internet is faster or just as fast # It is very likely that the builder's internet is faster or just as fast
nix.extraOptions = '' nix.extraOptions = ''

4
common/pc/audio.nix
View File

@@ -22,8 +22,8 @@ in
services.pipewire.extraConfig.pipewire."92-fix-wine-audio" = { services.pipewire.extraConfig.pipewire."92-fix-wine-audio" = {
context.properties = { context.properties = {
default.clock.rate = 48000; default.clock.rate = 48000;
default.clock.quantum = 2048; default.clock.quantum = 256;
default.clock.min-quantum = 512; default.clock.min-quantum = 256;
default.clock.max-quantum = 2048; default.clock.max-quantum = 2048;
}; };
}; };

2
common/pc/chromium.nix
View File

@@ -57,7 +57,7 @@ in
}; };
# todo vulkan in chrome # todo vulkan in chrome
# todo video encoding in chrome # todo video encoding in chrome
hardware.opengl = { hardware.graphics = {
enable = true; enable = true;
extraPackages = with pkgs; [ extraPackages = with pkgs; [
intel-media-driver # LIBVA_DRIVER_NAME=iHD intel-media-driver # LIBVA_DRIVER_NAME=iHD

14
common/pc/default.nix
View File

@@ -6,12 +6,10 @@ in
{ {
imports = [ imports = [
./kde.nix ./kde.nix
# ./xfce.nix
./yubikey.nix ./yubikey.nix
./chromium.nix ./chromium.nix
./firefox.nix ./firefox.nix
./audio.nix ./audio.nix
# ./torbrowser.nix
./pithos.nix ./pithos.nix
./vscodium.nix ./vscodium.nix
./discord.nix ./discord.nix
@@ -27,9 +25,10 @@ in
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
# vulkan environment.systemPackages = with pkgs; [
hardware.opengl.driSupport = true; # https://github.com/NixOS/nixpkgs/pull/328086#issuecomment-2235384618
hardware.opengl.driSupport32Bit = true; gparted
];
# Applications # Applications
users.users.googlebot.packages = with pkgs; [ users.users.googlebot.packages = with pkgs; [
@@ -42,7 +41,6 @@ in
mpv mpv
nextcloud-client nextcloud-client
signal-desktop signal-desktop
gparted
libreoffice-fresh libreoffice-fresh
thunderbird thunderbird
spotify spotify
@@ -56,6 +54,8 @@ in
# For Nix IDE # For Nix IDE
nixpkgs-fmt nixpkgs-fmt
nixd
nil
]; ];
# Networking # Networking
@@ -92,5 +92,7 @@ in
# Enable wayland support in various chromium based applications # Enable wayland support in various chromium based applications
environment.sessionVariables.NIXOS_OZONE_WL = "1"; environment.sessionVariables.NIXOS_OZONE_WL = "1";
fonts.packages = with pkgs; [ nerd-fonts.symbols-only ];
}; };
} }

2
common/pc/kde.nix
View File

@@ -14,7 +14,7 @@ in
# akonadi # akonadi
# kmail # kmail
# plasma5Packages.kmail-account-wizard # plasma5Packages.kmail-account-wizard
kate kdePackages.kate
]; ];
}; };
} }

25
common/pc/torbrowser.nix
View File

@@ -1,25 +0,0 @@
{ lib, config, pkgs, ... }:
let
cfg = config.de;
in
{
config = lib.mkIf cfg.enable {
nixpkgs.overlays = [
(self: super: {
tor-browser-bundle-bin = super.tor-browser-bundle-bin.overrideAttrs (old: rec {
version = "10.0.10";
lang = "en-US";
src = pkgs.fetchurl {
url = "https://dist.torproject.org/torbrowser/${version}/tor-browser-linux64-${version}_${lang}.tar.xz";
sha256 = "vYWZ+NsGN8YH5O61+zrUjlFv3rieaBqjBQ+a18sQcZg=";
};
});
})
];
users.users.googlebot.packages = with pkgs; [
tor-browser-bundle-bin
];
};
}

6
common/pc/touchpad.nix
View File

@@ -1,13 +1,9 @@
{ lib, config, pkgs, ... }: { lib, config, pkgs, ... }:
let let
cfg = config.de.touchpad; cfg = config.de;
in in
{ {
options.de.touchpad = {
enable = lib.mkEnableOption "enable touchpad";
};
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services.libinput.enable = true; services.libinput.enable = true;
services.libinput.touchpad.naturalScrolling = true; services.libinput.touchpad.naturalScrolling = true;

7
common/pc/vscodium.nix
View File

@@ -13,6 +13,7 @@ let
ms-vscode.cpptools ms-vscode.cpptools
rust-lang.rust-analyzer rust-lang.rust-analyzer
vadimcn.vscode-lldb vadimcn.vscode-lldb
tauri-apps.tauri-vscode
] ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [ ] ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [
{ {
name = "platformio-ide"; name = "platformio-ide";
@@ -26,6 +27,12 @@ let
version = "0.8.1"; version = "0.8.1";
sha256 = "ckclcxdUxhjWlPnDFVleLCWgWxUEENe0V328cjaZv+Y="; sha256 = "ckclcxdUxhjWlPnDFVleLCWgWxUEENe0V328cjaZv+Y=";
} }
{
name = "volar";
publisher = "Vue";
version = "2.2.4";
sha256 = "FHS/LNjSUVfCb4SVF9naR4W0JqycWzSWiK54jfbRagA=";
}
]; ];
vscodium-with-extensions = pkgs.vscode-with-extensions.override { vscodium-with-extensions = pkgs.vscode-with-extensions.override {

23
common/pc/xfce.nix
View File

@@ -1,23 +0,0 @@
{ lib, config, pkgs, ... }:
let
cfg = config.de;
in
{
config = lib.mkIf cfg.enable {
services.xserver = {
enable = true;
desktopManager = {
xterm.enable = false;
xfce.enable = true;
};
displayManager.sddm.enable = true;
};
# xfce apps
# TODO for some reason whiskermenu needs to be global for it to work
environment.systemPackages = with pkgs; [
xfce.xfce4-whiskermenu-plugin
];
};
}

83
common/server/actualbudget.nix
View File

@@ -1,87 +1,16 @@
# Starting point:
# https://github.com/aldoborrero/mynixpkgs/commit/c501c1e32dba8f4462dcecb57eee4b9e52038e27
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
cfg = config.services.actual-server; cfg = config.services.actual;
stateDir = "/var/lib/${cfg.stateDirName}";
in in
{ {
options.services.actual-server = {
enable = lib.mkEnableOption "Actual Server";
hostname = lib.mkOption {
type = lib.types.str;
default = "localhost";
description = "Hostname for the Actual Server.";
};
port = lib.mkOption {
type = lib.types.int;
default = 25448;
description = "Port on which the Actual Server should listen.";
};
stateDirName = lib.mkOption {
type = lib.types.str;
default = "actual-server";
description = "Name of the directory under /var/lib holding the server's data.";
};
upload = {
fileSizeSyncLimitMB = lib.mkOption {
type = lib.types.nullOr lib.types.int;
default = null;
description = "File size limit in MB for synchronized files.";
};
syncEncryptedFileSizeLimitMB = lib.mkOption {
type = lib.types.nullOr lib.types.int;
default = null;
description = "File size limit in MB for synchronized encrypted files.";
};
fileSizeLimitMB = lib.mkOption {
type = lib.types.nullOr lib.types.int;
default = null;
description = "File size limit in MB for file uploads.";
};
};
};
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
systemd.services.actual-server = { services.actual.settings = {
description = "Actual Server"; port = 25448;
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.actual-server}/bin/actual-server";
Restart = "always";
StateDirectory = cfg.stateDirName;
WorkingDirectory = stateDir;
DynamicUser = true;
UMask = "0007";
};
environment = {
NODE_ENV = "production";
ACTUAL_PORT = toString cfg.port;
# Actual is actually very bad at configuring it's own paths despite that information being readily available
ACTUAL_USER_FILES = "${stateDir}/user-files";
ACTUAL_SERVER_FILES = "${stateDir}/server-files";
ACTUAL_DATA_DIR = stateDir;
ACTUAL_UPLOAD_FILE_SYNC_SIZE_LIMIT_MB = toString (cfg.upload.fileSizeSyncLimitMB or "");
ACTUAL_UPLOAD_SYNC_ENCRYPTED_FILE_SIZE_LIMIT_MB = toString (cfg.upload.syncEncryptedFileSizeLimitMB or "");
ACTUAL_UPLOAD_FILE_SIZE_LIMIT_MB = toString (cfg.upload.fileSizeLimitMB or "");
};
}; };
services.nginx.virtualHosts.${cfg.hostname} = { backup.group."actual-budget".paths = [
enableACME = true; "/var/lib/actual"
forceSSL = true; ];
locations."/".proxyPass = "http://localhost:${toString cfg.port}";
};
}; };
} }

41
common/server/dashy.nix
View File

@@ -1,41 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.dashy;
in
{
options.services.dashy = {
enable = mkEnableOption "dashy";
imageTag = mkOption {
type = types.str;
default = "latest";
};
port = mkOption {
type = types.int;
default = 56815;
};
configFile = lib.mkOption {
type = lib.types.path;
description = "Path to the YAML configuration file";
};
};
config = mkIf cfg.enable {
virtualisation.oci-containers.containers = {
dashy = {
image = "lissy93/dashy:${cfg.imageTag}";
environment = {
TZ = "${config.time.timeZone}";
};
ports = [
"127.0.0.1:${toString cfg.port}:80"
];
volumes = [
"${cfg.configFile}:/app/public/conf.yml"
];
};
};
};
}

3
common/server/default.nix
View File

@@ -10,8 +10,6 @@
./matrix.nix ./matrix.nix
./zerobin.nix ./zerobin.nix
./gitea.nix ./gitea.nix
./privatebin/privatebin.nix
./radio.nix
./samba.nix ./samba.nix
./owncast.nix ./owncast.nix
./mailserver.nix ./mailserver.nix
@@ -19,7 +17,6 @@
./iodine.nix ./iodine.nix
./searx.nix ./searx.nix
./gitea-actions-runner.nix ./gitea-actions-runner.nix
./dashy.nix
./librechat.nix ./librechat.nix
./actualbudget.nix ./actualbudget.nix
./unifi.nix ./unifi.nix

5
common/server/gitea-actions-runner.nix
View File

@@ -9,10 +9,7 @@
# TODO: skipping running inside of nixos container for now because of issues getting docker/podman running # TODO: skipping running inside of nixos container for now because of issues getting docker/podman running
let let
runnerRole = "gitea-actions-runner"; thisMachineIsARunner = config.thisMachine.hasRole."gitea-actions-runner";
runners = config.machines.roles.${runnerRole};
thisMachineIsARunner = builtins.elem config.networking.hostName runners;
containerName = "gitea-runner"; containerName = "gitea-runner";
in in
{ {

2
common/server/gitea.nix
View File

@@ -24,7 +24,7 @@ in
SHOW_FOOTER_VERSION = false; SHOW_FOOTER_VERSION = false;
}; };
ui = { ui = {
DEFAULT_THEME = "arc-green"; DEFAULT_THEME = "gitea-dark";
}; };
service = { service = {
DISABLE_REGISTRATION = true; DISABLE_REGISTRATION = true;

8
common/server/librechat.nix
View File

@@ -21,11 +21,17 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
virtualisation.oci-containers.containers = { virtualisation.oci-containers.containers = {
librechat = { librechat = {
image = "ghcr.io/danny-avila/librechat:v0.6.6"; image = "ghcr.io/danny-avila/librechat:v0.7.7";
environment = { environment = {
HOST = "0.0.0.0"; HOST = "0.0.0.0";
MONGO_URI = "mongodb://host.containers.internal:27017/LibreChat"; MONGO_URI = "mongodb://host.containers.internal:27017/LibreChat";
ENDPOINTS = "openAI,google,bingAI,gptPlugins"; ENDPOINTS = "openAI,google,bingAI,gptPlugins";
OPENAI_MODELS = lib.concatStringsSep "," [
"gpt-4o-mini"
"o3-mini"
"gpt-4o"
"o1"
];
REFRESH_TOKEN_EXPIRY = toString (1000 * 60 * 60 * 24 * 30); # 30 days REFRESH_TOKEN_EXPIRY = toString (1000 * 60 * 60 * 24 * 30); # 30 days
}; };
environmentFiles = [ environmentFiles = [

1
common/server/mailserver.nix
View File

@@ -28,7 +28,6 @@ in
indexDir = "/var/lib/mailindex"; indexDir = "/var/lib/mailindex";
enableManageSieve = true; enableManageSieve = true;
fullTextSearch.enable = true; fullTextSearch.enable = true;
fullTextSearch.indexAttachments = true;
fullTextSearch.memoryLimit = 500; fullTextSearch.memoryLimit = 500;
inherit domains; inherit domains;
loginAccounts = { loginAccounts = {

2
common/server/nextcloud.nix
View File

@@ -8,7 +8,7 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services.nextcloud = { services.nextcloud = {
https = true; https = true;
package = pkgs.nextcloud30; package = pkgs.nextcloud31;
hostName = "neet.cloud"; hostName = "neet.cloud";
config.dbtype = "sqlite"; config.dbtype = "sqlite";
config.adminuser = "jeremy"; config.adminuser = "jeremy";

42
common/server/privatebin/conf.php
View File

@@ -1,42 +0,0 @@
;<?php http_response_code(403); /*
[main]
name = "Kode Paste"
discussion = false
opendiscussion = false
password = true
fileupload = false
burnafterreadingselected = false
defaultformatter = "plaintext"
sizelimit = 10485760
template = "bootstrap"
languageselection = false
[expire]
default = "1week"
[expire_options]
5min = 300
10min = 600
1hour = 3600
1day = 86400
1week = 604800
[formatter_options]
plaintext = "Plain Text"
syntaxhighlighting = "Source Code"
markdown = "Markdown"
[traffic]
limit = 10
dir = "/var/lib/privatebin"
[purge]
limit = 300
batchsize = 10
dir = "/var/lib/privatebin"
[model]
class = Filesystem
[model_options]
dir = "/var/lib/privatebin"

74
common/server/privatebin/privatebin.nix
View File

@@ -1,74 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.privatebin;
privateBinSrc = pkgs.stdenv.mkDerivation {
name = "privatebin";
src = pkgs.fetchFromGitHub {
owner = "privatebin";
repo = "privatebin";
rev = "d65bf02d7819a530c3c2a88f6f9947651fe5258d";
sha256 = "7ttAvEDL1ab0cUZcqZzXFkXwB2rF2t4eNpPxt48ap94=";
};
installPhase = ''
cp -ar $src $out
'';
};
in
{
options.services.privatebin = {
enable = lib.mkEnableOption "enable privatebin";
host = lib.mkOption {
type = lib.types.str;
example = "example.com";
};
};
config = lib.mkIf cfg.enable {
users.users.privatebin = {
description = "privatebin service user";
group = "privatebin";
isSystemUser = true;
};
users.groups.privatebin = { };
services.nginx.enable = true;
services.nginx.virtualHosts.${cfg.host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
root = privateBinSrc;
index = "index.php";
};
locations."~ \.php$" = {
root = privateBinSrc;
extraConfig = ''
fastcgi_pass unix:${config.services.phpfpm.pools.privatebin.socket};
fastcgi_index index.php;
'';
};
};
systemd.tmpfiles.rules = [
"d '/var/lib/privatebin' 0750 privatebin privatebin - -"
];
services.phpfpm.pools.privatebin = {
user = "privatebin";
group = "privatebin";
phpEnv = {
CONFIG_PATH = "${./conf.php}";
};
settings = {
pm = "dynamic";
"listen.owner" = config.services.nginx.user;
"pm.max_children" = 5;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 1;
"pm.max_spare_servers" = 3;
"pm.max_requests" = 500;
};
};
};
}

75
common/server/radio.nix
View File

@@ -1,75 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.radio;
radioPackage = config.inputs.radio.packages.${config.currentSystem}.radio;
in
{
options.services.radio = {
enable = lib.mkEnableOption "enable radio";
user = lib.mkOption {
type = lib.types.str;
default = "radio";
description = ''
The user radio should run as
'';
};
group = lib.mkOption {
type = lib.types.str;
default = "radio";
description = ''
The group radio should run as
'';
};
dataDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/radio";
description = ''
Path to the radio data directory
'';
};
host = lib.mkOption {
type = lib.types.str;
description = ''
Domain radio is hosted on
'';
};
nginx = lib.mkEnableOption "enable nginx";
};
config = lib.mkIf cfg.enable {
services.icecast = {
enable = true;
hostname = cfg.host;
mount = "stream.mp3";
fallback = "fallback.mp3";
};
services.nginx.virtualHosts.${cfg.host} = lib.mkIf cfg.nginx {
enableACME = true;
forceSSL = true;
locations."/".root = config.inputs.radio-web;
};
users.users.${cfg.user} = {
isSystemUser = true;
group = cfg.group;
home = cfg.dataDir;
createHome = true;
};
users.groups.${cfg.group} = { };
systemd.services.radio = {
enable = true;
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = "${radioPackage}/bin/radio ${config.services.icecast.listen.address}:${toString config.services.icecast.listen.port} ${config.services.icecast.mount} 5500";
serviceConfig.User = cfg.user;
serviceConfig.Group = cfg.group;
serviceConfig.WorkingDirectory = cfg.dataDir;
preStart = ''
mkdir -p ${cfg.dataDir}
chown ${cfg.user} ${cfg.dataDir}
'';
};
};
}

38
common/server/samba.nix
View File

@@ -5,30 +5,28 @@
services.samba = { services.samba = {
openFirewall = true; openFirewall = true;
package = pkgs.sambaFull; # printer sharing package = pkgs.sambaFull; # printer sharing
securityType = "user";
# should this be on? # should this be on?
nsswins = true; nsswins = true;
extraConfig = '' settings = {
workgroup = HOME global = {
server string = smbnix security = "user";
netbios name = smbnix workgroup = "HOME";
security = user "server string" = "smbnix";
use sendfile = yes "netbios name" = "smbnix";
min protocol = smb2 "use sendfile" = "yes";
guest account = nobody "min protocol" = "smb2";
map to guest = bad user "guest account" = "nobody";
"map to guest" = "bad user";
# printing # printing
load printers = yes "load printers" = "yes";
printing = cups printing = "cups";
printcap name = cups "printcap name" = "cups";
hide files = /.nobackup/.DS_Store/._.DS_Store/ "hide files" = "/.nobackup/.DS_Store/._.DS_Store/";
''; };
shares = {
public = { public = {
path = "/data/samba/Public"; path = "/data/samba/Public";
browseable = "yes"; browseable = "yes";
@@ -77,9 +75,9 @@
# backups # backups
backup.group."samba".paths = [ backup.group."samba".paths = [
config.services.samba.shares.googlebot.path config.services.samba.settings.googlebot.path
config.services.samba.shares.cris.path config.services.samba.settings.cris.path
config.services.samba.shares.public.path config.services.samba.settings.public.path
]; ];
# Windows discovery of samba server # Windows discovery of samba server

3
common/server/unifi.nix
View File

@@ -10,7 +10,8 @@ in
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services.unifi.unifiPackage = pkgs.unifi8; services.unifi.unifiPackage = pkgs.unifi;
services.unifi.mongodbPackage = pkgs.mongodb-7_0;
networking.firewall = lib.mkIf cfg.openMinimalFirewall { networking.firewall = lib.mkIf cfg.openMinimalFirewall {
allowedUDPPorts = [ allowedUDPPorts = [

9
common/shell.nix
View File

@@ -21,8 +21,6 @@
shellInit = '' shellInit = ''
# disable annoying fish shell greeting # disable annoying fish shell greeting
set fish_greeting set fish_greeting
alias sudo="doas"
''; '';
}; };
@@ -36,6 +34,13 @@
io_rand_write = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=randrw --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file"; io_rand_write = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=randrw --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
llsblk = "lsblk -o +uuid,fsType"; llsblk = "lsblk -o +uuid,fsType";
sudo = "doas";
ls = "pls";
ls2 = "eza";
explorer = "broot";
}; };
nixpkgs.overlays = [ nixpkgs.overlays = [

192
flake.lock generated
View File

@@ -3,7 +3,9 @@
"agenix": { "agenix": {
"inputs": { "inputs": {
"darwin": "darwin", "darwin": "darwin",
"home-manager": "home-manager", "home-manager": [
"home-manager"
],
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
@@ -12,11 +14,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1723293904, "lastModified": 1750173260,
"narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -51,11 +53,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1651719222, "lastModified": 1739947126,
"narHash": "sha256-p/GY5vOP+HUlxNL4OtEhmBNEVQsedOHXEmjfCGONVmE=", "narHash": "sha256-JoiddH5H9up8jC/VKU8M7wDlk/bstKoJ3rHj+TkW4Zo=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "1290ddd9a2ff2bf2d0f702750768312b80efcd34", "rev": "ea1ad60f1c6662103ef4a3705d8e15aa01219529",
"revCount": 19, "revCount": 20,
"type": "git", "type": "git",
"url": "https://git.neet.dev/zuckerberg/dailybot.git" "url": "https://git.neet.dev/zuckerberg/dailybot.git"
}, },
@@ -72,11 +74,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1700795494, "lastModified": 1744478979,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
"owner": "lnl7", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -99,11 +101,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1727447169, "lastModified": 1749105467,
"narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=", "narHash": "sha256-hXh76y/wDl15almBcqvjryB50B0BaiXJKk20f314RoE=",
"owner": "serokell", "owner": "serokell",
"repo": "deploy-rs", "repo": "deploy-rs",
"rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76", "rev": "6bc76b872374845ba9d645a2f012b764fecd765f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -115,11 +117,11 @@
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1696426674, "lastModified": 1747046372,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -135,11 +137,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1726560853, "lastModified": 1731533236,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -148,23 +150,71 @@
"type": "github" "type": "github"
} }
}, },
"home-manager": { "git-hooks": {
"inputs": { "inputs": {
"flake-compat": [
"simple-nixos-mailserver",
"flake-compat"
],
"gitignore": "gitignore",
"nixpkgs": [ "nixpkgs": [
"agenix", "simple-nixos-mailserver",
"nixpkgs" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1703113217, "lastModified": 1750779888,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"simple-nixos-mailserver",
"git-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1752208517,
"narHash": "sha256-aRY1cYOdVdXdNjcL/Twpa27CknO7pVHxooPsBizDraE=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", "rev": "c6a01e54af81b381695db796a43360bf6db5702f",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "release-25.05",
"repo": "home-manager", "repo": "home-manager",
"type": "github" "type": "github"
} }
@@ -176,11 +226,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1728263287, "lastModified": 1752346111,
"narHash": "sha256-GJDtsxz2/zw6g/Nrp4XVWBS5IaZ7ZUkuvxPOBEDe7pg=", "narHash": "sha256-SVxCIYnbED0rNYSpm3QQoOhqxYRp1GuE9FkyM5Y2afs=",
"owner": "Mic92", "owner": "Mic92",
"repo": "nix-index-database", "repo": "nix-index-database",
"rev": "5fce10c871bab6d7d5ac9e5e7efbb3a2783f5259", "rev": "deff7a9a0aa98a08d8c7839fe2658199ce9828f8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -191,11 +241,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1728056216, "lastModified": 1752048960,
"narHash": "sha256-IrO06gFUDTrTlIP3Sz+mRB6WUoO2YsgMtOD3zi0VEt0=", "narHash": "sha256-gATnkOe37eeVwKKYCsL+OnS2gU4MmLuZFzzWCtaKLI8=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "b7ca02c7565fbf6d27ff20dd6dbd49c5b82eef28", "rev": "7ced9122cff2163c6a0212b8d1ec8c33a1660806",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -207,77 +257,20 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1728193676, "lastModified": 1752431364,
"narHash": "sha256-PbDWAIjKJdlVg+qQRhzdSor04bAPApDqIv2DofTyynk=", "narHash": "sha256-ciGIXIMq2daX5o4Tn6pnZTd1pf5FICHbqUlHu658G9c=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "ecbc1ca8ffd6aea8372ad16be9ebbb39889e55b6", "rev": "fb0f0dbfd95f0e19fdeab8e0f18bf0b5cf057b68",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-24.05", "ref": "release-25.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-frigate": {
"locked": {
"lastModified": 1695825837,
"narHash": "sha256-4Ne11kNRnQsmSJCRSSNkFRSnHC4Y5gPDBIQGjjPfJiU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "5cfafa12d57374f48bcc36fda3274ada276cf69e",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "5cfafa12d57374f48bcc36fda3274ada276cf69e",
"type": "github"
}
},
"radio": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1631585589,
"narHash": "sha256-q4o/4/2pEuJyaKZwNQC5KHnzG1obClzFB7zWk9XSDfY=",
"ref": "main",
"rev": "5bf607fed977d41a269942a7d1e92f3e6d4f2473",
"revCount": 38,
"type": "git",
"url": "https://git.neet.dev/zuckerberg/radio.git"
},
"original": {
"ref": "main",
"rev": "5bf607fed977d41a269942a7d1e92f3e6d4f2473",
"type": "git",
"url": "https://git.neet.dev/zuckerberg/radio.git"
}
},
"radio-web": {
"flake": false,
"locked": {
"lastModified": 1652121792,
"narHash": "sha256-j1Y9MAjUVNgyFSeGzPoqibAnEysJDjZSXukVfQ7+bsQ=",
"ref": "refs/heads/master",
"rev": "72e7a9e80b780c84ed8d4a6374bfbb242701f900",
"revCount": 5,
"type": "git",
"url": "https://git.neet.dev/zuckerberg/radio-web.git"
},
"original": {
"type": "git",
"url": "https://git.neet.dev/zuckerberg/radio-web.git"
}
},
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
@@ -285,12 +278,10 @@
"deploy-rs": "deploy-rs", "deploy-rs": "deploy-rs",
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"home-manager": "home-manager",
"nix-index-database": "nix-index-database", "nix-index-database": "nix-index-database",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-frigate": "nixpkgs-frigate",
"radio": "radio",
"radio-web": "radio-web",
"simple-nixos-mailserver": "simple-nixos-mailserver", "simple-nixos-mailserver": "simple-nixos-mailserver",
"systems": "systems" "systems": "systems"
} }
@@ -301,24 +292,25 @@
"flake-compat": [ "flake-compat": [
"flake-compat" "flake-compat"
], ],
"git-hooks": "git-hooks",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"nixpkgs-24_05": [ "nixpkgs-25_05": [
"nixpkgs" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1722877200, "lastModified": 1747965231,
"narHash": "sha256-qgKDNJXs+od+1UbRy62uk7dYal3h98I4WojfIqMoGcg=", "narHash": "sha256-BW3ktviEhfCN/z3+kEyzpDKAI8qFTwO7+S0NVA0C90o=",
"owner": "simple-nixos-mailserver", "owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver", "repo": "nixos-mailserver",
"rev": "af7d3bf5daeba3fc28089b015c0dd43f06b176f2", "rev": "53007af63fade28853408370c4c600a63dd97f41",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
"owner": "simple-nixos-mailserver", "owner": "simple-nixos-mailserver",
"ref": "master", "ref": "nixos-25.05",
"repo": "nixos-mailserver", "repo": "nixos-mailserver",
"type": "gitlab" "type": "gitlab"
} }

41
flake.nix
View File

@@ -1,8 +1,7 @@
{ {
inputs = { inputs = {
# nixpkgs # nixpkgs
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05"; nixpkgs.url = "github:NixOS/nixpkgs/release-25.05";
nixpkgs-frigate.url = "github:NixOS/nixpkgs/5cfafa12d57374f48bcc36fda3274ada276cf69e";
# Common Utils Among flake inputs # Common Utils Among flake inputs
systems.url = "github:nix-systems/default"; systems.url = "github:nix-systems/default";
@@ -18,12 +17,18 @@
# NixOS hardware # NixOS hardware
nixos-hardware.url = "github:NixOS/nixos-hardware/master"; nixos-hardware.url = "github:NixOS/nixos-hardware/master";
# Home Manager
home-manager = {
url = "github:nix-community/home-manager/release-25.05";
inputs.nixpkgs.follows = "nixpkgs";
};
# Mail Server # Mail Server
simple-nixos-mailserver = { simple-nixos-mailserver = {
url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master"; url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-25.05";
inputs = { inputs = {
nixpkgs.follows = "nixpkgs"; nixpkgs.follows = "nixpkgs";
nixpkgs-24_05.follows = "nixpkgs"; nixpkgs-25_05.follows = "nixpkgs";
flake-compat.follows = "flake-compat"; flake-compat.follows = "flake-compat";
}; };
}; };
@@ -34,22 +39,10 @@
inputs = { inputs = {
nixpkgs.follows = "nixpkgs"; nixpkgs.follows = "nixpkgs";
systems.follows = "systems"; systems.follows = "systems";
home-manager.follows = "home-manager";
}; };
}; };
# Radio
radio = {
url = "git+https://git.neet.dev/zuckerberg/radio.git?ref=main&rev=5bf607fed977d41a269942a7d1e92f3e6d4f2473";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-utils.follows = "flake-utils";
};
};
radio-web = {
url = "git+https://git.neet.dev/zuckerberg/radio-web.git";
flake = false;
};
# Dailybot # Dailybot
dailybuild_modules = { dailybuild_modules = {
url = "git+https://git.neet.dev/zuckerberg/dailybot.git"; url = "git+https://git.neet.dev/zuckerberg/dailybot.git";
@@ -78,7 +71,7 @@
outputs = { self, nixpkgs, ... }@inputs: outputs = { self, nixpkgs, ... }@inputs:
let let
machines = (import ./common/machine-info/moduleless.nix machineHosts = (import ./common/machine-info/moduleless.nix
{ {
inherit nixpkgs; inherit nixpkgs;
assertionsModule = "${nixpkgs}/nixos/modules/misc/assertions.nix"; assertionsModule = "${nixpkgs}/nixos/modules/misc/assertions.nix";
@@ -93,6 +86,7 @@
agenix.nixosModules.default agenix.nixosModules.default
dailybuild_modules.nixosModule dailybuild_modules.nixosModule
nix-index-database.nixosModules.nix-index nix-index-database.nixosModules.nix-index
home-manager.nixosModules.home-manager
self.nixosModules.kernel-modules self.nixosModules.kernel-modules
({ lib, ... }: { ({ lib, ... }: {
config = { config = {
@@ -103,6 +97,10 @@
]; ];
networking.hostName = hostname; networking.hostName = hostname;
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users.googlebot = import ./home/googlebot.nix;
}; };
# because nixos specialArgs doesn't work for containers... need to pass in inputs a different way # because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
@@ -120,7 +118,8 @@
name = "nixpkgs-patched"; name = "nixpkgs-patched";
src = nixpkgs; src = nixpkgs;
patches = [ patches = [
./patches/gamepadui.patch # ./patches/gamepadui.patch
./patches/dont-break-nix-serve.patch
]; ];
}; };
patchedNixpkgs = nixpkgs.lib.fix (self: (import "${patchedNixpkgsSrc}/flake.nix").outputs { self = nixpkgs; }); patchedNixpkgs = nixpkgs.lib.fix (self: (import "${patchedNixpkgsSrc}/flake.nix").outputs { self = nixpkgs; });
@@ -140,7 +139,7 @@
nixpkgs.lib.mapAttrs nixpkgs.lib.mapAttrs
(hostname: cfg: (hostname: cfg:
mkSystem cfg.arch nixpkgs cfg.configurationPath hostname) mkSystem cfg.arch nixpkgs cfg.configurationPath hostname)
machines; machineHosts;
packages = packages =
let let
@@ -177,7 +176,7 @@
nixpkgs.lib.mapAttrs nixpkgs.lib.mapAttrs
(hostname: cfg: (hostname: cfg:
mkDeploy hostname cfg.arch (builtins.head cfg.hostNames)) mkDeploy hostname cfg.arch (builtins.head cfg.hostNames))
machines; machineHosts;
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib; checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;

112
home/googlebot.nix Normal file
View File

@@ -0,0 +1,112 @@
{ config, lib, pkgs, osConfig, ... }:
let
# Check if the current machine has the role "personal"
thisMachineIsPersonal = osConfig.thisMachine.hasRole."personal";
in
{
home.username = "googlebot";
home.homeDirectory = "/home/googlebot";
home.stateVersion = "24.11";
programs.home-manager.enable = true;
services.ssh-agent.enable = true;
# System Monitoring
programs.btop.enable = true;
programs.bottom.enable = true;
# Modern "ls" replacement
programs.pls.enable = true;
programs.eza.enable = true;
# Graphical terminal
programs.ghostty.enable = thisMachineIsPersonal;
# Advanced terminal file explorer
programs.broot.enable = true;
# Shell promt theming
programs.fish.enable = true;
programs.starship.enable = true;
programs.starship.enableFishIntegration = true;
programs.starship.enableInteractive = true;
# programs.oh-my-posh.enable = true;
# programs.oh-my-posh.enableFishIntegration = true;
# Advanced search
programs.ripgrep.enable = true;
# tldr: Simplified, example based and community-driven man pages.
programs.tealdeer.enable = true;
programs.zed-editor = {
enable = thisMachineIsPersonal;
extensions = [
"nix"
"toml"
"html"
"make"
"git-firefly"
"vue"
"scss"
];
userSettings = {
assistant = {
enabled = true;
version = "2";
default_model = {
provider = "openai";
model = "gpt-4-turbo";
};
};
features = {
edit_prediction_provider = "zed";
};
node = {
path = lib.getExe pkgs.nodejs;
npm_path = lib.getExe' pkgs.nodejs "npm";
};
auto_update = false;
terminal = {
blinking = "off";
copy_on_select = false;
};
lsp = {
rust-analyzer = {
# binary = {
# path = lib.getExe pkgs.rust-analyzer;
# };
binary = {
path = "/run/current-system/sw/bin/nix";
arguments = [ "develop" "--command" "rust-analyzer" ];
};
initialization_options = {
cargo = {
features = "all";
};
};
};
};
# tell zed to use direnv and direnv can use a flake.nix enviroment.
load_direnv = "shell_hook";
base_keymap = "VSCode";
theme = {
mode = "system";
light = "One Light";
dark = "Andrometa";
};
ui_font_size = 12;
buffer_font_size = 12;
};
};
}

4
machines/ephemeral/kexec.nix
View File

@@ -29,10 +29,10 @@
text = '' text = ''
#!${pkgs.stdenv.shell} #!${pkgs.stdenv.shell}
set -e set -e
${pkgs.kexectools}/bin/kexec -l ${image}/kernel --initrd=${image}/initrd --append="init=${builtins.unsafeDiscardStringContext config.system.build.toplevel}/init ${toString config.boot.kernelParams}" ${pkgs.kexec-tools}/bin/kexec -l ${image}/kernel --initrd=${image}/initrd --append="init=${builtins.unsafeDiscardStringContext config.system.build.toplevel}/init ${toString config.boot.kernelParams}"
sync sync
echo "executing kernel, filesystems will be improperly umounted" echo "executing kernel, filesystems will be improperly umounted"
${pkgs.kexectools}/bin/kexec -e ${pkgs.kexec-tools}/bin/kexec -e
''; '';
}; };
kexec_tarball = pkgs.callPackage (modulesPath + "/../lib/make-system-tarball.nix") { kexec_tarball = pkgs.callPackage (modulesPath + "/../lib/make-system-tarball.nix") {

69
machines/hotspot/default.nix
View File

@@ -1,69 +0,0 @@
{ config, pkgs, lib, ... }:
let
internal = "end0";
wireless = "wlan0";
internal-gateway-ip = "192.168.0.1";
internal-ip-lower = "192.168.0.10";
internal-ip-upper = "192.168.0.100";
in
{
imports = [
./hardware-configuration.nix
];
enableExtraSubstituters = false;
# networking.interfaces.${internal}.ipv4.addresses = [{
# address = internal-gateway-ip;
# prefixLength = 24;
# }];
# DHCP on all interfaces except for the internal interface
networking.useDHCP = true;
networking.interfaces.${internal}.useDHCP = true;
networking.interfaces.${wireless}.useDHCP = true;
# Enable NAT
networking.ip_forward = true;
networking.nat = {
enable = true;
internalInterfaces = [ internal ];
externalInterface = wireless;
};
networking.wireless = {
enable = true;
networks = {
"Pixel_6054".psk = "@PSK_Pixel_6054@";
};
interfaces = [ wireless ];
environmentFile = "/run/agenix/hostspot-passwords";
};
age.secrets.hostspot-passwords.file = ../../secrets/hostspot-passwords.age;
# dnsmasq for internal interface
services.dnsmasq = {
enable = true;
settings = {
server = [ "1.1.1.1" "8.8.8.8" ];
dhcp-range = "${internal-ip-lower},${internal-ip-upper},24h";
dhcp-option = [
"option:router,${internal-gateway-ip}"
"option:broadcast,10.0.0.255"
"option:ntp-server,0.0.0.0"
];
};
};
networking.firewall.interfaces.${internal}.allowedTCPPorts = [
53 # dnsmasq
];
# Make it appear we are not using phone tethering to the ISP
networking.firewall = {
extraCommands = ''
iptables -t mangle -A POSTROUTING -o ${wireless} -j TTL --ttl-set 65
'';
};
}

27
machines/hotspot/hardware-configuration.nix
View File

@@ -1,27 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot = {
kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
loader = {
grub.enable = false;
generic-extlinux-compatible.enable = true;
};
};
fileSystems."/" =
{
device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
fsType = "ext4";
};
swapDevices = [ ];
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}

13
machines/hotspot/properties.nix
View File

@@ -1,13 +0,0 @@
{
hostNames = [
"hotspot"
];
arch = "aarch64-linux";
systemRoles = [
"hotspot"
];
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAION4IUAef687RIzWrP4HEZnpdSJswt06QmrdRMDPHHGY";
}

3
machines/howl/default.nix
View File

@@ -8,6 +8,5 @@
# don't use remote builders # don't use remote builders
nix.distributedBuilds = lib.mkForce false; nix.distributedBuilds = lib.mkForce false;
de.enable = true; nix.gc.automatic = lib.mkForce false;
de.touchpad.enable = true;
} }

10
machines/howl/hardware-configuration.nix
View File

@@ -6,7 +6,7 @@
nixos-hardware.nixosModules.framework-13-7040-amd nixos-hardware.nixosModules.framework-13-7040-amd
]; ];
boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelPackages = pkgs.linuxPackages_6_14;
hardware.framework.amd-7040.preventWakeOnAC = true; hardware.framework.amd-7040.preventWakeOnAC = true;
services.fwupd.enable = true; services.fwupd.enable = true;
@@ -30,22 +30,22 @@
# disks # disks
remoteLuksUnlock.enable = true; remoteLuksUnlock.enable = true;
boot.initrd.luks.devices."enc-pv" = { boot.initrd.luks.devices."enc-pv" = {
device = "/dev/disk/by-uuid/c801586b-f0a2-465c-8dae-532e61b83fee"; device = "/dev/disk/by-uuid/2e4a6960-a6b1-40ee-9c2c-2766eb718d52";
allowDiscards = true; allowDiscards = true;
}; };
fileSystems."/" = fileSystems."/" =
{ {
device = "/dev/disk/by-uuid/95db6950-a7bc-46cf-9765-3ea675ccf014"; device = "/dev/disk/by-uuid/1f62386c-3243-49f5-b72f-df8fc8f39db8";
fsType = "btrfs"; fsType = "btrfs";
}; };
fileSystems."/boot" = fileSystems."/boot" =
{ {
device = "/dev/disk/by-uuid/B087-2C20"; device = "/dev/disk/by-uuid/F4D9-C5E8";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ]; options = [ "fmask=0022" "dmask=0022" ];
}; };
swapDevices = swapDevices =
[{ device = "/dev/disk/by-uuid/49fbdf62-eef4-421b-aac3-c93494afd23c"; }]; [{ device = "/dev/disk/by-uuid/5f65cb11-2649-48fe-9c78-3e325b857c53"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's

3
machines/nat/configuration.nix
View File

@@ -9,7 +9,4 @@
networking.hostName = "nat"; networking.hostName = "nat";
networking.interfaces.ens160.useDHCP = true; networking.interfaces.ens160.useDHCP = true;
de.enable = true;
de.touchpad.enable = true;
} }

43
machines/ponyo/default.nix
View File

@@ -10,6 +10,8 @@
# p2p mesh network # p2p mesh network
services.tailscale.exitNode = true; services.tailscale.exitNode = true;
services.iperf3.enable = true;
# email server # email server
mailserver.enable = true; mailserver.enable = true;
@@ -54,44 +56,6 @@
config.services.drastikbot.dataDir config.services.drastikbot.dataDir
]; ];
# music radio
vpn-container.enable = true;
vpn-container.config = {
services.radio = {
enable = true;
host = "radio.runyan.org";
};
};
pia.wireguard.badPortForwardPorts = [ ];
services.nginx.virtualHosts = {
"radio.runyan.org" = {
enableACME = true;
forceSSL = true;
locations = {
"/stream.mp3" = {
proxyPass = "http://vpn.containers:8001/stream.mp3";
extraConfig = ''
add_header Access-Control-Allow-Origin *;
'';
};
"/".root = config.inputs.radio-web;
};
};
"radio.neet.space" = {
enableACME = true;
forceSSL = true;
locations = {
"/stream.mp3" = {
proxyPass = "http://vpn.containers:8001/stream.mp3";
extraConfig = ''
add_header Access-Control-Allow-Origin *;
'';
};
"/".root = config.inputs.radio-web;
};
};
};
# matrix home server # matrix home server
services.matrix = { services.matrix = {
enable = true; enable = true;
@@ -147,7 +111,4 @@
# librechat # librechat
services.librechat.enable = true; services.librechat.enable = true;
services.librechat.host = "chat.neet.dev"; services.librechat.host = "chat.neet.dev";
services.actual-server.enable = true;
services.actual-server.hostname = "actual.runyan.org";
} }

297
machines/storage/s0/dashy.nix Normal file
View File

@@ -0,0 +1,297 @@
{
appConfig = {
theme = "vaporware";
customColors = {
"material-dark-original" = {
primary = "#f36558";
background = "#39434C";
"background-darker" = "#eb615c";
"material-light" = "#f36558";
"item-text-color" = "#ff948a";
"curve-factor" = "5px";
};
};
enableErrorReporting = false;
layout = "auto";
iconSize = "large";
language = "en";
startingView = "default";
defaultOpeningMethod = "sametab";
statusCheck = true;
statusCheckInterval = 20;
faviconApi = "faviconkit";
routingMode = "history";
enableMultiTasking = false;
webSearch = {
disableWebSearch = false;
searchEngine = "duckduckgo";
openingMethod = "sametab";
searchBangs = { };
};
enableFontAwesome = true;
cssThemes = [ ];
externalStyleSheet = [ ];
hideComponents = {
hideHeading = false;
hideNav = false;
hideSearch = false;
hideSettings = false;
hideFooter = false;
hideSplashScreen = false;
};
auth = {
enableGuestAccess = false;
users = [ ];
enableKeycloak = false;
keycloak = { };
};
allowConfigEdit = true;
enableServiceWorker = false;
disableContextMenu = false;
disableUpdateChecks = false;
disableSmartSort = false;
};
pageInfo = {
title = "s0";
description = "s0";
};
sections = [
(
let
# Define the media section items once.
mediaItems = {
jellyfin = {
title = "Jellyfin";
icon = "hl-jellyfin";
url = "https://jellyfin.s0.neet.dev";
target = "sametab";
statusCheck = false;
id = "0_1956_jellyfin";
};
sonarr = {
title = "Sonarr";
description = "Manage TV";
icon = "hl-sonarr";
url = "https://sonarr.s0.neet.dev";
target = "sametab";
statusCheck = false;
id = "1_1956_sonarr";
};
radarr = {
title = "Radarr";
description = "Manage Movies";
icon = "hl-radarr";
url = "https://radarr.s0.neet.dev";
target = "sametab";
statusCheck = false;
id = "2_1956_radarr";
};
lidarr = {
title = "Lidarr";
description = "Manage Music";
icon = "hl-lidarr";
url = "https://lidarr.s0.neet.dev";
target = "sametab";
statusCheck = false;
id = "3_1956_lidarr";
};
prowlarr = {
title = "Prowlarr";
description = "Indexers";
icon = "hl-prowlarr";
url = "https://prowlarr.s0.neet.dev";
target = "sametab";
statusCheck = false;
id = "4_1956_prowlarr";
};
bazarr = {
title = "Bazarr";
description = "Subtitles";
icon = "hl-bazarr";
url = "https://bazarr.s0.neet.dev";
target = "sametab";
statusCheck = false;
id = "5_1956_bazarr";
};
navidrome = {
title = "Navidrome";
description = "Play Music";
icon = "hl-navidrome";
url = "https://music.s0.neet.dev";
target = "sametab";
statusCheck = false;
id = "6_1956_navidrome";
};
transmission = {
title = "Transmission";
description = "Torrenting";
icon = "hl-transmission";
url = "https://transmission.s0.neet.dev";
target = "sametab";
statusCheck = false;
id = "7_1956_transmission";
};
};
# Build the list once.
mediaList = [
mediaItems.jellyfin
mediaItems.sonarr
mediaItems.radarr
mediaItems.lidarr
mediaItems.prowlarr
mediaItems.bazarr
mediaItems.navidrome
mediaItems.transmission
];
in
{
name = "Media & Entertainment";
icon = "fas fa-photo-video";
displayData = {
sortBy = "most-used";
cols = 1;
rows = 1;
collapsed = false;
hideForGuests = false;
};
items = mediaList;
filteredItems = mediaList;
}
)
(
let
networkItems = {
gateway = {
title = "Gateway";
description = "openwrt";
icon = "hl-openwrt";
url = "http://openwrt.lan/";
target = "sametab";
statusCheck = true;
id = "0_746_gateway";
};
wireless = {
title = "Wireless";
description = "openwrt (ish)";
icon = "hl-openwrt";
url = "http://PacketProvocateur.lan";
target = "sametab";
statusCheck = true;
id = "1_746_wireless";
};
};
networkList = [
networkItems.gateway
networkItems.wireless
];
in
{
name = "Network";
icon = "fas fa-network-wired";
items = networkList;
filteredItems = networkList;
displayData = {
sortBy = "default";
rows = 1;
cols = 1;
collapsed = false;
hideForGuests = false;
};
}
)
(
let
servicesItems = {
matrix = {
title = "Matrix";
description = "";
icon = "hl-matrix";
url = "https://chat.neet.space";
target = "sametab";
statusCheck = true;
id = "0_836_matrix";
};
mumble = {
title = "Mumble";
description = "voice.neet.space";
icon = "hl-mumble";
url = "https://voice.neet.space";
target = "sametab";
statusCheck = false;
id = "2_836_mumble";
};
irc = {
title = "IRC";
description = "irc.neet.dev";
icon = "hl-thelounge";
url = "https://irc.neet.dev";
target = "sametab";
statusCheck = true;
id = "3_836_irc";
};
git = {
title = "Git";
description = "git.neet.dev";
icon = "hl-gitea";
url = "https://git.neet.dev";
target = "sametab";
statusCheck = true;
id = "4_836_git";
};
nextcloud = {
title = "Nextcloud";
description = "neet.cloud";
icon = "hl-nextcloud";
url = "https://neet.cloud";
target = "sametab";
statusCheck = true;
id = "5_836_nextcloud";
};
roundcube = {
title = "Roundcube";
description = "mail.neet.dev";
icon = "hl-roundcube";
url = "https://mail.neet.dev";
target = "sametab";
statusCheck = true;
id = "6_836_roundcube";
};
jitsimeet = {
title = "Jitsi Meet";
description = "meet.neet.space";
icon = "hl-jitsimeet";
url = "https://meet.neet.space";
target = "sametab";
statusCheck = true;
id = "7_836_jitsimeet";
};
};
servicesList = [
servicesItems.matrix
servicesItems.mumble
servicesItems.irc
servicesItems.git
servicesItems.nextcloud
servicesItems.roundcube
servicesItems.jitsimeet
];
in
{
name = "Services";
icon = "fas fa-monitor-heart-rate";
items = servicesList;
filteredItems = servicesList;
displayData = {
sortBy = "default";
rows = 1;
cols = 1;
collapsed = false;
hideForGuests = false;
};
}
)
];
}

241
machines/storage/s0/dashy.yaml
View File

@@ -1,241 +0,0 @@
appConfig:
theme: vaporware
customColors:
material-dark-original:
primary: '#f36558'
background: '#39434C'
background-darker: '#eb615c'
material-light: '#f36558'
item-text-color: '#ff948a'
curve-factor: 5px
enableErrorReporting: false
layout: auto
iconSize: large
language: en
startingView: default
defaultOpeningMethod: sametab
statusCheck: true
statusCheckInterval: 20
faviconApi: faviconkit
routingMode: history
enableMultiTasking: false
webSearch:
disableWebSearch: false
searchEngine: duckduckgo
openingMethod: sametab
searchBangs: {}
enableFontAwesome: true
cssThemes: []
externalStyleSheet: []
hideComponents:
hideHeading: false
hideNav: false
hideSearch: false
hideSettings: false
hideFooter: false
hideSplashScreen: false
auth:
enableGuestAccess: false
users: []
enableKeycloak: false
keycloak: {}
allowConfigEdit: true
enableServiceWorker: false
disableContextMenu: false
disableUpdateChecks: false
disableSmartSort: false
pageInfo:
title: s0
description: s0
sections:
- name: Media & Entertainment
icon: fas fa-photo-video
displayData:
sortBy: most-used
cols: 1
rows: 1
collapsed: false
hideForGuests: false
items:
- &ref_0
title: Jellyfin
icon: hl-jellyfin
url: https://jellyfin.s0.neet.dev
target: sametab
statusCheck: false
id: 0_1956_jellyfin
- &ref_1
title: Sonarr
description: Manage TV
icon: hl-sonarr
url: https://sonarr.s0.neet.dev
target: sametab
statusCheck: false
id: 1_1956_sonarr
- &ref_2
title: Radarr
description: Manage Movies
icon: hl-radarr
url: https://radarr.s0.neet.dev
target: sametab
statusCheck: false
id: 2_1956_radarr
- &ref_3
title: Lidarr
description: Manage Music
icon: hl-lidarr
url: https://lidarr.s0.neet.dev
target: sametab
statusCheck: false
id: 3_1956_lidarr
- &ref_4
title: Prowlarr
description: Indexers
icon: hl-prowlarr
url: https://prowlarr.s0.neet.dev
target: sametab
statusCheck: false
id: 4_1956_prowlarr
- &ref_5
title: Bazarr
description: Subtitles
icon: hl-bazarr
url: https://bazarr.s0.neet.dev
target: sametab
statusCheck: false
id: 5_1956_bazarr
- &ref_6
title: Navidrome
description: Play Music
icon: hl-navidrome
url: https://music.s0.neet.dev
target: sametab
statusCheck: false
id: 6_1956_navidrome
- &ref_7
title: Transmission
description: Torrenting
icon: hl-transmission
url: https://transmission.s0.neet.dev
target: sametab
statusCheck: false
id: 7_1956_transmission
filteredItems:
- *ref_0
- *ref_1
- *ref_2
- *ref_3
- *ref_4
- *ref_5
- *ref_6
- *ref_7
- name: Network
icon: fas fa-network-wired
items:
- &ref_8
title: Gateway
description: openwrt
icon: hl-openwrt
url: http://openwrt.lan/
target: sametab
statusCheck: true
id: 0_746_gateway
- &ref_9
title: Wireless
description: openwrt (ish)
icon: hl-openwrt
url: http://PacketProvocateur.lan
target: sametab
statusCheck: true
id: 1_746_wireless
filteredItems:
- *ref_8
- *ref_9
displayData:
sortBy: default
rows: 1
cols: 1
collapsed: false
hideForGuests: false
- name: Services
icon: fas fa-monitor-heart-rate
items:
- &ref_10
title: Matrix
description: ''
icon: hl-matrix
url: https://chat.neet.space
target: sametab
statusCheck: true
id: 0_836_matrix
- &ref_11
title: Radio
description: Radio service
icon: generative
url: https://radio.runyan.org
target: sametab
statusCheck: true
id: 1_836_radio
- &ref_12
title: Mumble
description: voice.neet.space
icon: hl-mumble
url: https://voice.neet.space
target: sametab
statusCheck: false
id: 2_836_mumble
- &ref_13
title: IRC
description: irc.neet.dev
icon: hl-thelounge
url: https://irc.neet.dev
target: sametab
statusCheck: true
id: 3_836_irc
- &ref_14
title: Git
description: git.neet.dev
icon: hl-gitea
url: https://git.neet.dev
target: sametab
statusCheck: true
id: 4_836_git
- &ref_15
title: Nextcloud
description: neet.cloud
icon: hl-nextcloud
url: https://neet.cloud
target: sametab
statusCheck: true
id: 5_836_nextcloud
- &ref_16
title: Roundcube
description: mail.neet.dev
icon: hl-roundcube
url: https://mail.neet.dev
target: sametab
statusCheck: true
id: 6_836_roundcube
- &ref_17
title: Jitsi Meet
description: meet.neet.space
icon: hl-jitsimeet
url: https://meet.neet.space
target: sametab
statusCheck: true
id: 7_836_jitsimeet
filteredItems:
- *ref_10
- *ref_11
- *ref_12
- *ref_13
- *ref_14
- *ref_15
- *ref_16
- *ref_17
displayData:
sortBy: default
rows: 1
cols: 1
collapsed: false
hideForGuests: false

54
machines/storage/s0/default.nix
View File

@@ -75,6 +75,32 @@
services.lidarr.enable = true; services.lidarr.enable = true;
services.lidarr.user = "public_data"; services.lidarr.user = "public_data";
services.lidarr.group = "public_data"; services.lidarr.group = "public_data";
services.recyclarr = {
enable = true;
configuration = {
radarr.radarr_main = {
api_key = {
_secret = "/run/credentials/recyclarr.service/radarr-api-key";
};
base_url = "http://localhost:7878";
quality_definition.type = "movie";
};
sonarr.sonarr_main = {
api_key = {
_secret = "/run/credentials/recyclarr.service/sonarr-api-key";
};
base_url = "http://localhost:8989";
quality_definition.type = "series";
};
};
};
systemd.services.recyclarr.serviceConfig.LoadCredential = [
"radarr-api-key:/run/agenix/radarr-api-key"
"sonarr-api-key:/run/agenix/sonarr-api-key"
];
services.transmission = { services.transmission = {
enable = true; enable = true;
@@ -145,6 +171,8 @@
8686 # lidarr 8686 # lidarr
9091 # transmission web 9091 # transmission web
]; ];
age.secrets.radarr-api-key.file = ../../../secrets/radarr-api-key.age;
age.secrets.sonarr-api-key.file = ../../../secrets/sonarr-api-key.age;
# jellyfin # jellyfin
# jellyfin cannot run in the vpn container and use hardware encoding # jellyfin cannot run in the vpn container and use hardware encoding
@@ -154,7 +182,7 @@
nixpkgs.config.packageOverrides = pkgs: { nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
}; };
hardware.opengl = { hardware.graphics = {
enable = true; enable = true;
extraPackages = with pkgs; [ extraPackages = with pkgs; [
intel-media-driver intel-media-driver
@@ -171,16 +199,23 @@
openFirewall = false; # All nginx services are internal openFirewall = false; # All nginx services are internal
virtualHosts = virtualHosts =
let let
mkVirtualHost = external: internal: mkHost = external: config:
{ {
${external} = { ${external} = {
useACMEHost = "s0.neet.dev"; # Use wildcard cert useACMEHost = "s0.neet.dev"; # Use wildcard cert
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = config;
};
};
mkVirtualHost = external: internal:
mkHost external {
proxyPass = internal; proxyPass = internal;
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; mkStaticHost = external: static:
mkHost external {
root = static;
tryFiles = "$uri /index.html ";
}; };
in in
lib.mkMerge [ lib.mkMerge [
@@ -193,7 +228,7 @@
(mkVirtualHost "unifi.s0.neet.dev" "https://localhost:8443") (mkVirtualHost "unifi.s0.neet.dev" "https://localhost:8443")
(mkVirtualHost "music.s0.neet.dev" "http://localhost:4533") (mkVirtualHost "music.s0.neet.dev" "http://localhost:4533")
(mkVirtualHost "jellyfin.s0.neet.dev" "http://localhost:8096") (mkVirtualHost "jellyfin.s0.neet.dev" "http://localhost:8096")
(mkVirtualHost "s0.neet.dev" "http://localhost:56815") (mkStaticHost "s0.neet.dev" config.services.dashy.finalDrv)
{ {
# Landing page LAN redirect # Landing page LAN redirect
"s0" = { "s0" = {
@@ -213,7 +248,9 @@
}; };
} }
(mkVirtualHost "vacuum.s0.neet.dev" "http://192.168.1.125") # valetudo (mkVirtualHost "vacuum.s0.neet.dev" "http://192.168.1.125") # valetudo
(mkVirtualHost "sandman.s0.neet.dev" "http://192.168.9.14:3000") # es
(mkVirtualHost "todo.s0.neet.dev" "http://localhost:${toString config.services.vikunja.port}") (mkVirtualHost "todo.s0.neet.dev" "http://localhost:${toString config.services.vikunja.port}")
(mkVirtualHost "budget.s0.neet.dev" "http://localhost:${toString config.services.actual.settings.port}") # actual budget
]; ];
tailscaleAuth = { tailscaleAuth = {
@@ -254,7 +291,7 @@
virtualisation.podman.dockerSocket.enable = true; # TODO needed? virtualisation.podman.dockerSocket.enable = true; # TODO needed?
services.dashy = { services.dashy = {
enable = true; enable = true;
configFile = ./dashy.yaml; settings = import ./dashy.nix;
}; };
services.unifi = { services.unifi = {
@@ -271,6 +308,11 @@
service.enableregistration = false; service.enableregistration = false;
}; };
}; };
backup.group."vikunja".paths = [
"/var/lib/vikunja"
];
services.actual.enable = true;
boot.binfmt.emulatedSystems = [ "aarch64-linux" "armv7l-linux" ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" "armv7l-linux" ];
} }

34
machines/storage/s0/frigate.nix
View File

@@ -36,6 +36,11 @@ let
record = "preset-record-generic-audio-copy"; record = "preset-record-generic-audio-copy";
}; };
}; };
detect = {
width = 1280;
height = 720;
fps = 5;
};
}; };
}; };
services.go2rtc.settings.streams = lib.mkMerge [ services.go2rtc.settings.streams = lib.mkMerge [
@@ -54,7 +59,7 @@ let
# - go2rtc: ${VAR} # - go2rtc: ${VAR}
# - frigate: {VAR} # - frigate: {VAR}
primaryUrl = "rtsp://admin:\${FRIGATE_RTSP_PASSWORD}@${address}/cam/realmonitor?channel=1&subtype=0"; primaryUrl = "rtsp://admin:\${FRIGATE_RTSP_PASSWORD}@${address}/cam/realmonitor?channel=1&subtype=0";
detectUrl = "rtsp://admin:{FRIGATE_RTSP_PASSWORD}@${address}/cam/realmonitor?channel=1&subtype=1"; detectUrl = "rtsp://admin:{FRIGATE_RTSP_PASSWORD}@${address}/cam/realmonitor?channel=1&subtype=3";
in in
mkCamera name primaryUrl detectUrl; mkCamera name primaryUrl detectUrl;
@@ -82,9 +87,11 @@ lib.mkMerge [
settings = { settings = {
mqtt = { mqtt = {
enabled = true; enabled = true;
host = "localhost:1883"; host = "localhost";
port = 1883;
user = "root";
password = "{FRIGATE_MQTT_PASSWORD}";
}; };
rtmp.enabled = false;
snapshots = { snapshots = {
enabled = true; enabled = true;
bounding_box = true; bounding_box = true;
@@ -93,8 +100,9 @@ lib.mkMerge [
enabled = true; enabled = true;
# sync_recordings = true; # detect if recordings were deleted outside of frigate (expensive) # sync_recordings = true; # detect if recordings were deleted outside of frigate (expensive)
retain = { retain = {
days = 2; # Keep video for 2 days days = 7; # Keep video for 7 days
mode = "motion"; mode = "all";
# mode = "motion";
}; };
events = { events = {
retain = { retain = {
@@ -106,7 +114,7 @@ lib.mkMerge [
}; };
# Make frigate aware of the go2rtc streams # Make frigate aware of the go2rtc streams
go2rtc.streams = config.services.go2rtc.settings.streams; go2rtc.streams = config.services.go2rtc.settings.streams;
detect.enabled = true; detect.enabled = false; # :(
objects = { objects = {
track = [ "person" "dog" ]; track = [ "person" "dog" ];
}; };
@@ -145,11 +153,23 @@ lib.mkMerge [
systemd.services.frigate.serviceConfig.SupplementaryGroups = [ "apex" ]; systemd.services.frigate.serviceConfig.SupplementaryGroups = [ "apex" ];
# Coral PCIe driver # Coral PCIe driver
kernel.enableGasketKernelModule = true; boot.extraModulePackages = with config.boot.kernelPackages; [ gasket ];
services.udev.extraRules = ''
SUBSYSTEM=="apex", MODE="0660", GROUP="apex"
'';
services.frigate.settings.detectors.coral = { services.frigate.settings.detectors.coral = {
type = "edgetpu"; type = "edgetpu";
device = "pci"; device = "pci";
}; };
} }
{
# Fix bug in nixos module where cache is not cleared when starting the service because "rm" cannot be found
systemd.services.frigate.serviceConfig.ExecStartPre = lib.mkForce "${pkgs.bash}/bin/sh -c 'rm -f /var/cache/frigate/*.mp4'";
}
{
# Don't require authentication for frigate
# This is ok because the reverse proxy already requires tailscale access anyway
services.frigate.settings.auth.enabled = false;
}
] ]

34
machines/storage/s0/hardware-configuration.nix
View File

@@ -22,7 +22,6 @@
# zfs # zfs
networking.hostId = "5e6791f0"; networking.hostId = "5e6791f0";
boot.supportedFilesystems = [ "zfs" ]; boot.supportedFilesystems = [ "zfs" ];
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
# luks # luks
remoteLuksUnlock.enable = true; remoteLuksUnlock.enable = true;
@@ -59,12 +58,43 @@
}; };
swapDevices = [ ]; swapDevices = [ ];
networking.vlans = { networking = {
dhcpcd.enable = false;
vlans = {
iot = { iot = {
id = 2; id = 2;
interface = "eth1"; interface = "eth1";
}; };
}; };
interfaces.eth1.ipv4.addresses = [{
address = "192.168.1.2";
prefixLength = 21;
}];
interfaces.iot.ipv4.addresses = [{
address = "192.168.9.8";
prefixLength = 22;
}];
defaultGateway = "192.168.1.1";
nameservers = [ "1.1.1.1" "8.8.8.8" ];
};
# networking = {
# vlans = {
# iot = {
# id = 2;
# interface = "eth1";
# };
# };
# defaultGateway = {
# interface = "eth1";
# address = "192.168.1.1";
# metric = 10; # always use this route as default gateway
# };
# };
powerManagement.cpuFreqGovernor = "powersave"; powerManagement.cpuFreqGovernor = "powersave";
} }

27
machines/storage/s0/home-automation.nix
View File

@@ -3,14 +3,14 @@
{ {
services.esphome.enable = true; services.esphome.enable = true;
# TODO lock down
services.mosquitto = { services.mosquitto = {
enable = true; enable = true;
listeners = [ listeners = [
{ {
acl = [ "pattern readwrite #" ]; users.root = {
omitPasswordAuth = true; acl = [ "readwrite #" ];
settings.allow_anonymous = true; hashedPassword = "$7$101$8+QnkTzCdGizaKqq$lpU4o84n6D/1uwfA9pZDVExr1NDm1D/8tNla2tE9J9HdUqkvu192yYfiySY1MFqVNgUKgWEFu5P1bUKqRnzbUw==";
};
} }
]; ];
}; };
@@ -24,11 +24,13 @@
homeassistant = true; homeassistant = true;
permit_join = false; permit_join = false;
serial = { serial = {
adapter = "ember";
port = "/dev/ttyACM0"; port = "/dev/ttyACM0";
}; };
mqtt = { mqtt = {
server = "mqtt://localhost:1883"; server = "mqtt://localhost:1883";
# base_topic = "zigbee2mqtt"; user = "root";
password = "!/run/agenix/zigbee2mqtt.yaml mqtt_password";
}; };
frontend = { frontend = {
host = "localhost"; host = "localhost";
@@ -36,11 +38,16 @@
}; };
}; };
}; };
age.secrets."zigbee2mqtt.yaml" = {
file = ../../../secrets/zigbee2mqtt.yaml.age;
owner = "zigbee2mqtt";
};
services.home-assistant = { services.home-assistant = {
enable = true; enable = true;
extraComponents = [ extraComponents = [
"default_config" "default_config"
"rest_command"
"esphome" "esphome"
"met" "met"
"radio_browser" "radio_browser"
@@ -69,7 +76,6 @@
"zha" "zha"
"bluetooth" "bluetooth"
]; ];
# config = null;
config = { config = {
# Includes dependencies for a basic setup # Includes dependencies for a basic setup
# https://www.home-assistant.io/integrations/default_config/ # https://www.home-assistant.io/integrations/default_config/
@@ -88,6 +94,15 @@
]; ];
# Allow using automations generated from the UI # Allow using automations generated from the UI
"automation ui" = "!include automations.yaml"; "automation ui" = "!include automations.yaml";
"rest_command" = {
json_post_request = {
url = "{{ url }}";
method = "POST";
content_type = "application/json";
payload = "{{ payload | default('{}') }}";
};
};
}; };
}; };
} }

5
machines/storage/s0/properties.nix
View File

@@ -1,6 +1,7 @@
{ {
hostNames = [ hostNames = [
"s0" "s0"
"s0.neet.dev"
]; ];
arch = "x86_64-linux"; arch = "x86_64-linux";
@@ -12,12 +13,16 @@
"binary-cache" "binary-cache"
"gitea-actions-runner" "gitea-actions-runner"
"frigate" "frigate"
"zigbee"
"media-server"
]; ];
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q"; hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";
remoteUnlock = { remoteUnlock = {
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNiceeFMos5ZXcYem4yFxh8PiZNNnuvhlyLbQLrgIZH"; hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNiceeFMos5ZXcYem4yFxh8PiZNNnuvhlyLbQLrgIZH";
clearnetHost = "192.168.1.2";
onionHost = "r3zvf7f2ppaeithzswigma46pajt3hqytmkg3rshgknbl3jbni455fqd.onion"; onionHost = "r3zvf7f2ppaeithzswigma46pajt3hqytmkg3rshgknbl3jbni455fqd.onion";
}; };
} }

8
machines/zoidberg/default.nix
View File

@@ -5,8 +5,6 @@
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
de.enable = true;
# Login DE Option: Steam # Login DE Option: Steam
programs.steam.gamescopeSession.enable = true; programs.steam.gamescopeSession.enable = true;
# programs.gamescope.capSysNice = true; # programs.gamescope.capSysNice = true;
@@ -33,9 +31,9 @@
hardware.enableAllFirmware = true; hardware.enableAllFirmware = true;
# ROCm # ROCm
hardware.opengl.extraPackages = with pkgs; [ hardware.graphics.extraPackages = with pkgs; [
rocm-opencl-icd rocmPackages.clr.icd
rocm-opencl-runtime rocmPackages.clr
]; ];
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"L+ /opt/rocm/hip - - - - ${pkgs.rocmPackages.clr}" "L+ /opt/rocm/hip - - - - ${pkgs.rocmPackages.clr}"

13
machines/zoidberg/hardware-configuration.nix
View File

@@ -17,16 +17,17 @@
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelPackages = pkgs.linuxPackages_latest;
# luks unlock with clevis
boot.initrd.systemd.enable = true;
boot.initrd.clevis = {
enable = true;
devices."enc-pv".secretFile = "/secret/decrypt.jwe";
};
# disks # disks
remoteLuksUnlock.enable = true;
boot.initrd.luks.devices."enc-pv" = { boot.initrd.luks.devices."enc-pv" = {
device = "/dev/disk/by-uuid/04231c41-2f13-49c0-8fce-0357eea67990"; device = "/dev/disk/by-uuid/04231c41-2f13-49c0-8fce-0357eea67990";
allowDiscards = true; allowDiscards = true;
# Fetch key from USB drive
keyFileSize = 4096;
keyFile = "/dev/disk/by-id/usb-Mass_Storage_Device_121220160204-0:0-part2";
fallbackToPassword = true;
}; };
fileSystems."/" = fileSystems."/" =
{ {

39
overlays/actualbudget/default.nix
View File

@@ -1,39 +0,0 @@
{ lib
, buildNpmPackage
, fetchFromGitHub
, python3
, nodejs
, runtimeShell
}:
buildNpmPackage rec {
pname = "actual-server";
version = "24.10.1";
src = fetchFromGitHub {
owner = "actualbudget";
repo = pname;
rev = "refs/tags/v${version}";
hash = "sha256-VJAD+lNamwuYmiPJLXkum6piGi5zLOHBp8cUeZagb4s=";
};
npmDepsHash = "sha256-Z2e4+JMhI/keLerT0F4WYdLnXHRQCqL7NjNyA9SFEF8=";
patches = [
./migrations-should-use-pkg-path.patch
];
postPatch = ''
cp ${./package-lock.json} package-lock.json
'';
dontNpmBuild = true;
postInstall = ''
mkdir -p $out/bin
cat <<EOF > $out/bin/actual-server
#!${runtimeShell}
exec ${nodejs}/bin/node $out/lib/node_modules/actual-sync/app.js "\$@"
EOF
chmod +x $out/bin/actual-server
'';
}

48
overlays/actualbudget/migrations-should-use-pkg-path.patch
View File

@@ -1,48 +0,0 @@
diff --git a/src/load-config.js b/src/load-config.js
index d99ce42..42d1351 100644
--- a/src/load-config.js
+++ b/src/load-config.js
@@ -3,7 +3,8 @@ import path from 'node:path';
import { fileURLToPath } from 'node:url';
import createDebug from 'debug';
-const debug = createDebug('actual:config');
+// const debug = createDebug('actual:config');
+const debug = console.log;
const debugSensitive = createDebug('actual-sensitive:config');
const projectRoot = path.dirname(path.dirname(fileURLToPath(import.meta.url)));
@@ -108,6 +109,7 @@ const finalConfig = {
serverFiles: process.env.ACTUAL_SERVER_FILES || config.serverFiles,
userFiles: process.env.ACTUAL_USER_FILES || config.userFiles,
webRoot: process.env.ACTUAL_WEB_ROOT || config.webRoot,
+ dataDir: process.env.ACTUAL_DATA_DIR || config.dataDir,
https:
process.env.ACTUAL_HTTPS_KEY && process.env.ACTUAL_HTTPS_CERT
? {
diff --git a/src/migrations.js b/src/migrations.js
index cba7db0..9983471 100644
--- a/src/migrations.js
+++ b/src/migrations.js
@@ -1,6 +1,12 @@
import migrate from 'migrate';
import path from 'node:path';
import config from './load-config.js';
+import { fileURLToPath } from 'url';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+const appRoot = path.dirname(__dirname);
+const migrationsDirectory = path.join(appRoot, "migrations");
export default function run(direction = 'up') {
console.log(
@@ -13,7 +19,7 @@ export default function run(direction = 'up') {
stateStore: `${path.join(config.dataDir, '.migrate')}${
config.mode === 'test' ? '-test' : ''
}`,
- migrationsDirectory: `${path.join(config.projectRoot, 'migrations')}`,
+ migrationsDirectory
},
(err, set) => {
if (err) {

8954
overlays/actualbudget/package-lock.json generated
View File

File diff suppressed because it is too large Load Diff

10
overlays/default.nix
View File

@@ -3,13 +3,5 @@ final: prev:
let let
system = prev.system; system = prev.system;
frigatePkgs = inputs.nixpkgs-frigate.legacyPackages.${system};
in in
{ { }
# It seems that libedgetpu needs to be built with the newer version of tensorflow in nixpkgs
# but I am lazy so I instead just downgrade by using the old nixpkgs
libedgetpu = frigatePkgs.callPackage ./libedgetpu { };
frigate = frigatePkgs.frigate;
actual-server = prev.callPackage ./actualbudget { };
}

10
overlays/kernel-modules/default.nix
View File

@@ -7,13 +7,5 @@
let let
cfg = config.kernel; cfg = config.kernel;
gasket = config.boot.kernelPackages.callPackage ./gasket.nix { };
in in
{ { }
options.kernel.enableGasketKernelModule = lib.mkEnableOption "Enable Gasket Kernel Module";
config = lib.mkIf cfg.enableGasketKernelModule {
boot.extraModulePackages = [ gasket ];
};
}

36
overlays/kernel-modules/gasket.nix
View File

@@ -1,36 +0,0 @@
{ stdenv, lib, fetchFromGitHub, kernel }:
stdenv.mkDerivation rec {
pname = "gasket";
version = "1.0-18-unstable-2023-09-05";
src = fetchFromGitHub {
owner = "google";
repo = "gasket-driver";
rev = "5815ee3908a46a415aac616ac7b9aedcb98a504c";
sha256 = "sha256-O17+msok1fY5tdX1DvqYVw6plkUDF25i8sqwd6mxYf8=";
};
makeFlags = kernel.makeFlags ++ [
"-C"
"${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
"M=$(PWD)"
];
buildFlags = [ "modules" ];
installFlags = [ "INSTALL_MOD_PATH=${placeholder "out"}" ];
installTargets = [ "modules_install" ];
sourceRoot = "${src.name}/src";
hardeningDisable = [ "pic" "format" ];
nativeBuildInputs = kernel.moduleBuildDependencies;
meta = with lib; {
description = "The Coral Gasket Driver allows usage of the Coral EdgeTPU on Linux systems.";
homepage = "https://github.com/google/gasket-driver";
license = licenses.gpl2;
maintainers = [ lib.maintainers.kylehendricks ];
platforms = platforms.linux;
broken = versionOlder kernel.version "5.15";
};
}

72
overlays/libedgetpu/default.nix
View File

@@ -1,72 +0,0 @@
{ stdenv
, lib
, fetchFromGitHub
, libusb1
, abseil-cpp
, flatbuffers
, xxd
}:
let
flatbuffers_1_12 = flatbuffers.overrideAttrs (oldAttrs: rec {
version = "1.12.0";
NIX_CFLAGS_COMPILE = "-Wno-error=class-memaccess -Wno-error=maybe-uninitialized";
cmakeFlags = (oldAttrs.cmakeFlags or [ ]) ++ [ "-DFLATBUFFERS_BUILD_SHAREDLIB=ON" ];
NIX_CXXSTDLIB_COMPILE = "-std=c++17";
configureFlags = (oldAttrs.configureFlags or [ ]) ++ [ "--enable-shared" ];
src = fetchFromGitHub {
owner = "google";
repo = "flatbuffers";
rev = "v${version}";
sha256 = "sha256-L1B5Y/c897Jg9fGwT2J3+vaXsZ+lfXnskp8Gto1p/Tg=";
};
});
in
stdenv.mkDerivation rec {
pname = "libedgetpu";
version = "grouper";
src = fetchFromGitHub {
owner = "google-coral";
repo = pname;
rev = "release-${version}";
sha256 = "sha256-73hwItimf88Iqnb40lk4ul/PzmCNIfdt6Afi+xjNiBE=";
};
patches = [ ./libedgetpu-stddef.diff ];
makeFlags = [ "-f" "makefile_build/Makefile" "libedgetpu" ];
buildInputs = [
libusb1
abseil-cpp
flatbuffers_1_12
];
nativeBuildInputs = [
xxd
];
NIX_CXXSTDLIB_COMPILE = "-std=c++17";
TFROOT = "${fetchFromGitHub {
owner = "tensorflow";
repo = "tensorflow";
rev = "v2.7.4";
sha256 = "sha256-liDbUAdaVllB0b74aBeqNxkYNu/zPy7k3CevzRF5dk0=";
}}";
enableParallelBuilding = false;
installPhase = ''
mkdir -p $out/lib
cp out/direct/k8/libedgetpu.so.1.0 $out/lib
ln -s $out/lib/libedgetpu.so.1.0 $out/lib/libedgetpu.so.1
mkdir -p $out/lib/udev/rules.d
cp debian/edgetpu-accelerator.rules $out/lib/udev/rules.d/99-edgetpu-accelerator.rules
# PCIe rule
echo 'SUBSYSTEM=="apex", MODE="0660", GROUP="apex"' > $out/lib/udev/rules.d/65-apex.rules
'';
}

12
overlays/libedgetpu/libedgetpu-stddef.diff
View File

@@ -1,12 +0,0 @@
diff --git a/api/allocated_buffer.h b/api/allocated_buffer.h
index 97740f0..7bc0547 100644
--- a/api/allocated_buffer.h
+++ b/api/allocated_buffer.h
@@ -16,6 +16,7 @@
#define DARWINN_API_ALLOCATED_BUFFER_H_
#include <functional>
+#include <cstddef>
namespace platforms {
namespace darwinn {

15
patches/dont-break-nix-serve.patch Normal file
View File

@@ -0,0 +1,15 @@
diff --git a/nixos/modules/services/video/frigate.nix b/nixos/modules/services/video/frigate.nix
index 49f8ed673816..643b59d68dde 100644
--- a/nixos/modules/services/video/frigate.nix
+++ b/nixos/modules/services/video/frigate.nix
@@ -482,10 +482,6 @@ in
};
};
extraConfig = ''
- # Frigate wants to connect on 127.0.0.1:5000 for unauthenticated requests
- # https://github.com/NixOS/nixpkgs/issues/370349
- listen 127.0.0.1:5000;
-
# vod settings
vod_base_url "";
vod_segments_base_url "";

20
secrets/digitalocean-dns-credentials.age
View File

@@ -1,11 +1,11 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 WBT1Hw wjZGPvilRXGZsC2+7dWm/Nbau8Allv29WwQCr0XSAWU -> ssh-ed25519 WBT1Hw TGdD8Nw+GPITDOXGhevSu+880DWET7WYN3nIyJ0xy2o
uTOf/sokutOGDyc8fbTbBWXqCVQCFhGdHxwA6SXqhdA 69xepRTnmaFwa4IsGJjDdwZqTSf5fz6EZK0/q3oz/ZA
-> ssh-ed25519 6AT2/g NU068qwqOWiKk0QwqP9vU4xJaND2OR4bo8xkmdWATgY -> ssh-ed25519 6AT2/g EmqXrXXsRxSS6AsH+7VMgoJTYo9eGj8ebLiLT4IWNxg
uGd0sb5PH+rREn9pgLOFwk29CX66aPBQMvr4rBazylc eKs5/3tQMdg5bGJKNz8PFh9C7HiV+IlOU9dzpYcGIjo
-> ssh-ed25519 hPp1nw r2JRiZ7fsHPYDlte6Oh2Gx1KkugekFeeg3xSjziI+hQ -> ssh-ed25519 hPp1nw wsIF676is8FquF6oANNauPrumsMnfVUZpPeVKEtBOzQ
xnO0gscMdR25mj5uAX7D42FCbCQhqbU0wkiLX4OmVqk qZR8LSF+TQ2K3K0An69NHfk53ZqNEWev0IVcb71SR40
-> ssh-ed25519 w3nu8g F03mPU63WwEs1SLUFErLOVCkARoggGIvvz9TFZfMOBY -> ssh-ed25519 w3nu8g TKHY/5JuzFMhbW9CQAOI3woX8M9b1H/XXUpIMT0Mylk
HOdVA3xW9pqUPhclO6VueSfXg3ux06Ch3fucF6Vr4hM byJV0/BJ3ftG5eYv5BeyIYBi0VoWG31HRiENUxSeYE8
--- niyo231HPT/+2dzflP+zhYjL9XiWsk7svesCYdkU1jA --- fwHXHtE/sMLqCLSD8tR0oCPgNuif9Y/ncHU97hbf/Bw
ØQî¬5-ô@<40>¢¿—ßÐN5<4E> Ãÿ$Ø‚™’Çž…êÐ<C3AA>X=ŒHŽDÁ`P×5ZA´÷¼YóäÓ?¡é^[³1”6ÕK*mP݈ª­æ1æç÷ß›ƒ:$^ÑfDœ†ÿ“š-zi´"·Tàuÿüò f"+ÉŒqc<71>H†Ñjï!JSšË¡Ì|yMìðX¼þMl<4D>ýçCy™îUXn»Égk¨ë)¤óOY§uº„¦²¶g%è Håvœ5ô!$Jœ¤Š…¶$<24>#Dö;±¥àÖ }ÏŸcçKšˆ{R/

12
secrets/frigate-credentials.age
View File

@@ -1,7 +1,7 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 hPp1nw Chke1ZtpXxN1c1+AnJ6Cd5kpM1KfQKTwymrfPW53QCA -> ssh-ed25519 hPp1nw zOXF7NsZjm+DCYrJ+Ap2mX35JUt37CLJP1RhyOjB/XE
jUcw8eitC7r0rwefjllndZjARIqpWoVqGCnefHfjQ6Y ePprJM2cnhYZhP8aJUXOZeGHJm/DHlRYomWN+lFaU6w
-> ssh-ed25519 w3nu8g KY/5bU1B5uvmfGHF2d6qBL1NYy64qo324rdvkgnXoDA -> ssh-ed25519 w3nu8g gjeFAbFWXyPdGauKHXAzuIP9fmaj2Oysq9fHO8q7u38
OBvuFtzZXQ0RmmEXelyzHMMiVqZir7zQJMA36ZH2siE KiMR0pgEPtsfZnYAIsH7UHNhnsB6rtsW/hqV03uS2dI
--- CSd7lYSYQ2fCTjkJLPGdaNGL8eVpE9IBEyFo0LW907M --- BPzPECz1g6vEv4OlRn6+FnWP9oq3tn6TN2o867icxYA
£³$šO†ÈIß//Êw*ƒ™õD¤@u5o[¼â:·äš¥t¾˜]Jñ쮸™@Ùhþu£Àk;?·XüÁHRºÑ°E5¥ÍçÜ9 }ìjºùŽ+l&þàx<C3A0>-TïÝb‡ÅèØÄ·<C384>Dg‰ñgc*ˆ0<CB86>÷µcp

7
secrets/hostspot-passwords.age
View File

@@ -1,7 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 cObvAg l/suU/M4AATK7lQuZv/qnjG/xqNGoVqhS7b3xirmNUM
Ao2tP6BBSZdlL7jZJPmLyJQWfqdU89M9hCjkkuqtxlw
-> ssh-ed25519 w3nu8g szQugiuFfzkzVndyIdP1agun4nmCsZzFG/6EEB2V1Gk
5+DEUJ5tkVFUpm+w/tptUCByRpMxRigwfrVglTYc8XI
--- pjviyhRustHHMipIpkKsQ4cpu+YA66JwvWXjceXopi4
)˜Ö®Äý8³È6Y"@?Ý9”®@¡Ÿžè|ÂÄž+©Z*4ö2å“R<qef… êªG¹ïV+{©%CmÞd^™b

BIN
secrets/radarr-api-key.age Normal file
View File

Binary file not shown.

8
secrets/secrets.nix
View File

@@ -58,6 +58,10 @@ with roles;
# Frigate (DVR) # Frigate (DVR)
"frigate-credentials.age".publicKeys = frigate; "frigate-credentials.age".publicKeys = frigate;
# Phone hotspot passwords # zigbee2mqtt secrets
"hostspot-passwords.age".publicKeys = hotspot; "zigbee2mqtt.yaml.age".publicKeys = zigbee;
# Sonarr and Radarr secrets
"radarr-api-key.age".publicKeys = media-server;
"sonarr-api-key.age".publicKeys = media-server;
} }

9
secrets/sonarr-api-key.age Normal file
View File

@@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 hPp1nw NkdwenOkJJKKoezAE1jG20cxwOFk2DVsbMoTaw6ce0M
8sV6ZJupuSaktW2MaAWg0BqtX1j5I0R3Oq1wFKoXP0M
-> ssh-ed25519 w3nu8g vJ7zMw2Ruh50ufkxrttuhXT2E3c8bvZnvp0xpkCGhTo
xpQOVyGwQhoAi/79ZISCxAvnNiRwMbgQ42H5V0zQe10
--- 57doMaI074hj/Ko2mWqFHcqEPRR24C7U1QbDOCPIOKI
ó(DêøÄ­·QÉ2âóvzŸwè¬*®´ÇaO¯N/1GijïeøŸz<C5B8>Q(°mgd•y±p¬<C2AC>P
ÍaÑC€8¼

8
secrets/zigbee2mqtt.yaml.age Normal file
View File

@@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 hPp1nw TSDuPaFp/Qcz4r819X4QmU/4J2TGpoX7jCCJCdFDog0
SwQUqEp45xMOeTkvBG6uX28kB8YWG66laYqakSgl9w4
-> ssh-ed25519 w3nu8g tLZDNE0iBgOpUB3djpNu3CgimsRc0zcds+AgctzxyQ4
Oyz6XORsApM4vFxWyaD3bR/ApIUFPY3q4yGvtbosUIY
--- vuXlQmuOFbJhBTACN5ciH2GlOCbRCMPZdlogG2O+KOk
Áëÿ!}UIì p0@Xž|°þ#晆0HÙõò#BÇRR<52>Ù
òùø5¾Iÿ?vX?pÝ<70><>fqÍ[lž¸˜­G7ü; UäÀOUä¶