zuckerberg/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Activity

Compare commits

base: zuckerberg:rpi-hotspot
Branches Tags
zuckerberg:master zuckerberg:stage zuckerberg:rpi-hotspot zuckerberg:attic zuckerberg:kexec_luks2 zuckerberg:pia-client
..
compare: zuckerberg:attic
Branches Tags
zuckerberg:master zuckerberg:stage zuckerberg:rpi-hotspot zuckerberg:attic zuckerberg:kexec_luks2 zuckerberg:pia-client

11 Commits
rpi-hotspo ... attic

Author SHA1 Message Date
Zuckerberg
ef247cb3dd speed up
All checks were successful
Check Flake / check-flake (push) Successful in 2h31m6s
Details
2024-06-17 21:11:06 -06:00
Zuckerberg
cad04680c4 try again
Some checks failed
Check Flake / check-flake (push) Failing after 3h11m0s
Details
2024-06-16 21:30:10 -06:00
Zuckerberg
a2d176a4fc try again
Some checks failed
Check Flake / check-flake (push) Failing after 4s
Details
2024-06-16 21:22:17 -06:00
Zuckerberg
1f813395ee try again
Some checks failed
Check Flake / check-flake (push) Failing after 16s
Details
2024-06-16 21:21:19 -06:00
Zuckerberg
0d5bce2a4f try again
Some checks failed
Check Flake / check-flake (push) Failing after 7s
Details
2024-06-16 21:05:33 -06:00
Zuckerberg
0c2f7cd1b2 try again
Some checks failed
Check Flake / check-flake (push) Failing after 7s
Details
2024-06-16 21:01:29 -06:00
Zuckerberg
b80b31d3c3 try again
Some checks failed
Check Flake / check-flake (push) Failing after 4s
Details
2024-06-16 20:58:18 -06:00
Zuckerberg
caacb4b7a7 try again
Some checks failed
Check Flake / check-flake (push) Failing after 2s
Details
2024-06-16 20:55:50 -06:00
Zuckerberg
25dba0ee19 Use custom action
Some checks failed
Check Flake / check-flake (push) Failing after 1s
Details
2024-06-16 20:54:47 -06:00
Zuckerberg
4bed47ae43 Try to install attic for gitea builder
Some checks failed
Check Flake / check-flake (push) Failing after 6s
Details
2024-06-16 20:44:31 -06:00
Zuckerberg
7c4d2d53f2 Use attic as nixos binary cache and update CI accordingly
Some checks failed
Check Flake / check-flake (push) Failing after 8s
Details
2024-06-16 20:39:11 -06:00
39 changed files with 1181 additions and 1508 deletions
Expand all files Collapse all files

9
.gitea/workflows/check-flake.yaml
View File

@@ -15,5 +15,14 @@ jobs:
with:
fetch-depth: 0
- run: attic -V
- name: Setup Attic Cache
uses: https://git.neet.dev/zuckerberg/attic-action@v0.2.5
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
- name: Check Flake
run: nix flake check --all-systems --print-build-logs --log-format raw --show-trace

38
common/binary-cache.nix
View File

@@ -1,29 +1,17 @@
{ config, lib, ... }:
let
in
{
options.enableExtraSubstituters = lib.mkEnableOption "Enable extra substituters";
config = lib.mkMerge [
{
enableExtraSubstituters = lib.mkDefault true;
}
(lib.mkIf config.enableExtraSubstituters {
nix = {
settings = {
substituters = [
"https://cache.nixos.org/"
"https://nix-community.cachix.org"
"http://s0.koi-bebop.ts.net:5000"
];
trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU="
];
};
};
})
];
nix = {
settings = {
substituters = [
"https://cache.nixos.org/"
"https://nix-community.cachix.org"
"http://s0.koi-bebop.ts.net:28338/nixos"
];
trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"nixos:IDhKojUaMz+UIiri1/DQk9EpqDokih8dwxmp41uJnls="
];
};
};
}

7
common/default.nix
View File

@@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ config, pkgs, ... }:
{
imports = [
@@ -20,12 +20,12 @@
system.stateVersion = "23.11";
networking.useDHCP = lib.mkDefault true;
networking.useDHCP = false;
networking.firewall.enable = true;
networking.firewall.allowPing = true;
time.timeZone = "America/Los_Angeles";
time.timeZone = "America/Denver";
i18n = {
defaultLocale = "en_US.UTF-8";
extraLocaleSettings = {
@@ -63,6 +63,7 @@
lf
gnumake
tree
attic
];
nixpkgs.config.allowUnfree = true;

9
common/pc/audio.nix
View File

@@ -19,15 +19,6 @@ in
jack.enable = true;
};
services.pipewire.extraConfig.pipewire."92-fix-wine-audio" = {
context.properties = {
default.clock.rate = 48000;
default.clock.quantum = 2048;
default.clock.min-quantum = 512;
default.clock.max-quantum = 2048;
};
};
users.users.googlebot.extraGroups = [ "audio" ];
# bt headset support

4
common/pc/chromium.nix
View File

@@ -41,7 +41,7 @@ in
"SpellcheckLanguage" = [ "en-US" ];
};
defaultSearchProviderSuggestURL = null;
defaultSearchProviderSearchURL = "https://duckduckgo.com/?q={searchTerms}&kp=-1&kl=us-en";
defaultSearchProviderSearchURL = " https://duckduckgo.com/?q={searchTerms}&kp=-1&kl=us-en";
};
# hardware accelerated video playback (on intel)
@@ -52,7 +52,7 @@ in
# ungoogled = true;
# --enable-native-gpu-memory-buffers # fails on AMD APU
# --enable-webrtc-vp9-support
commandLineArgs = "--use-vulkan";
commandLineArgs = "--use-vulkan --use-gl=desktop --enable-zero-copy --enable-hardware-overlays --enable-features=VaapiVideoDecoder,CanvasOopRasterization --ignore-gpu-blocklist --enable-accelerated-mjpeg-decode --enable-accelerated-video --enable-gpu-rasterization";
};
};
# todo vulkan in chrome

3
common/pc/default.nix
View File

@@ -89,8 +89,5 @@ in
# for luks onlock over tor
services.tor.enable = true;
services.tor.client.enable = true;
# Enable wayland support in various chromium based applications
environment.sessionVariables.NIXOS_OZONE_WL = "1";
};
}

8
common/pc/vscodium.nix
View File

@@ -11,8 +11,6 @@ let
golang.go
jnoortheen.nix-ide
ms-vscode.cpptools
rust-lang.rust-analyzer
vadimcn.vscode-lldb
] ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [
{
name = "platformio-ide";
@@ -20,12 +18,6 @@ let
version = "3.1.1";
sha256 = "g9yTG3DjVUS2w9eHGAai5LoIfEGus+FPhqDnCi4e90Q=";
}
{
name = "wgsl-analyzer";
publisher = "wgsl-analyzer";
version = "0.8.1";
sha256 = "ckclcxdUxhjWlPnDFVleLCWgWxUEENe0V328cjaZv+Y=";
}
];
vscodium-with-extensions = pkgs.vscode-with-extensions.override {

40
common/server/atticd.nix Normal file
View File

@@ -0,0 +1,40 @@
{ config, lib, ... }:
let
cfg = config.services.atticd;
in
{
config = lib.mkIf cfg.enable {
services.atticd = {
credentialsFile = "/run/agenix/atticd-credentials";
settings = {
listen = "[::]:28338";
# Speed things up
require-proof-of-possession = false;
chunking = {
# Disable chunking for performance (I have plenty of space)
nar-size-threshold = 0;
# Chunking is disabled due to poor performance so these values don't matter but are required anyway.
# One day, when I move away from ZFS maybe this will perform well enough.
# nar-size-threshold = 64 * 1024; # 64 KiB
min-size = 16 * 1024; # 16 KiB
avg-size = 64 * 1024; # 64 KiB
max-size = 256 * 1024; # 256 KiB
};
# Disable compression for performance (I have plenty of space)
compression.type = "none";
garbage-collection = {
default-retention-period = "6 months";
};
};
};
age.secrets.atticd-credentials.file = ../../secrets/atticd-credentials.age;
};
}

12
common/server/dashy.nix
View File

@@ -37,5 +37,17 @@ in
];
};
};
services.nginx.enable = true;
services.nginx.virtualHosts."s0.koi-bebop.ts.net" = {
default = true;
addSSL = true;
serverAliases = [ "s0" ];
sslCertificate = "/secret/ssl/s0.koi-bebop.ts.net.crt";
sslCertificateKey = "/secret/ssl/s0.koi-bebop.ts.net.key";
locations."/" = {
proxyPass = "http://localhost:${toString cfg.port}";
};
};
};
}

2
common/server/default.nix
View File

@@ -22,6 +22,6 @@
./dashy.nix
./librechat.nix
./actualbudget.nix
./unifi.nix
./atticd.nix
];
}

1
common/server/gitea-actions-runner.nix
View File

@@ -116,6 +116,7 @@ in
git
# Gitea Actions rely heavily on node. Include it because it would be installed anyway.
nodejs
attic
];
# To allow building on the host, must override the the service's config so it doesn't use a dynamic user

1
common/server/librechat.nix
View File

@@ -26,7 +26,6 @@ in
HOST = "0.0.0.0";
MONGO_URI = "mongodb://host.containers.internal:27017/LibreChat";
ENDPOINTS = "openAI,google,bingAI,gptPlugins";
REFRESH_TOKEN_EXPIRY = toString (1000 * 60 * 60 * 24 * 30); # 30 days
};
environmentFiles = [
"/run/agenix/librechat-env-file"

1
common/server/mailserver.nix
View File

@@ -56,7 +56,6 @@ in
"damon@runyan.org"
"jonas@runyan.org"
"simon@neet.dev"
"ellen@runyan.org"
];
forwards = {
"amazon@runyan.org" = [

13
common/server/nextcloud.nix
View File

@@ -8,23 +8,12 @@ in
config = lib.mkIf cfg.enable {
services.nextcloud = {
https = true;
package = pkgs.nextcloud30;
package = pkgs.nextcloud29;
hostName = "neet.cloud";
config.dbtype = "sqlite";
config.adminuser = "jeremy";
config.adminpassFile = "/run/agenix/nextcloud-pw";
autoUpdateApps.enable = true;
extraApps = with config.services.nextcloud.package.packages.apps; {
# Want
inherit end_to_end_encryption mail spreed;
# Might use
inherit bookmarks calendar cookbook deck memories onlyoffice qownnotesapi;
# Try out
# inherit maps music news notes phonetrack polls forms;
};
extraAppsEnable = true;
};
age.secrets.nextcloud-pw = {
file = ../../secrets/nextcloud-pw.age;

8
common/server/nginx.nix
View File

@@ -4,10 +4,6 @@ let
cfg = config.services.nginx;
in
{
options.services.nginx = {
openFirewall = lib.mkEnableOption "Open firewall ports 80 and 443";
};
config = lib.mkIf cfg.enable {
services.nginx = {
recommendedGzipSettings = true;
@@ -16,8 +12,6 @@ in
recommendedTlsSettings = true;
};
services.nginx.openFirewall = lib.mkDefault true;
networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ 80 443 ];
networking.firewall.allowedTCPPorts = [ 80 443 ];
};
}

25
common/server/unifi.nix
View File

@@ -1,25 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.unifi;
in
{
options.services.unifi = {
# Open select Unifi ports instead of using openFirewall to avoid opening access to unifi's control panel
openMinimalFirewall = lib.mkEnableOption "Open bare minimum firewall ports";
};
config = lib.mkIf cfg.enable {
services.unifi.unifiPackage = pkgs.unifi8;
networking.firewall = lib.mkIf cfg.openMinimalFirewall {
allowedUDPPorts = [
3478 # STUN
10001 # used for device discovery.
];
allowedTCPPorts = [
8080 # Used for device and application communication.
];
};
};
}

97
flake.lock generated
View File

@@ -12,11 +12,11 @@
]
},
"locked": {
"lastModified": 1723293904,
"narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
"lastModified": 1716561646,
"narHash": "sha256-UIGtLO89RxKt7RF2iEgPikSdU53r6v/6WYB0RW3k89I=",
"owner": "ryantm",
"repo": "agenix",
"rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
"rev": "c2fc0762bbe8feb06a2e59a364fa81b3a57671c9",
"type": "github"
},
"original": {
@@ -25,6 +25,36 @@
"type": "github"
}
},
"attic": {
"inputs": {
"crane": "crane",
"flake-compat": [
"flake-compat"
],
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1717279440,
"narHash": "sha256-kH04ReTjxOpQumgWnqy40vvQLSnLGxWP6RF3nq5Esrk=",
"owner": "zhaofengli",
"repo": "attic",
"rev": "717cc95983cdc357bc347d70be20ced21f935843",
"type": "github"
},
"original": {
"owner": "zhaofengli",
"repo": "attic",
"type": "github"
}
},
"blobs": {
"flake": false,
"locked": {
@@ -41,6 +71,27 @@
"type": "gitlab"
}
},
"crane": {
"inputs": {
"nixpkgs": [
"attic",
"nixpkgs"
]
},
"locked": {
"lastModified": 1717025063,
"narHash": "sha256-dIubLa56W9sNNz0e8jGxrX3CAkPXsq7snuFA/Ie6dn8=",
"owner": "ipetkov",
"repo": "crane",
"rev": "480dff0be03dac0e51a8dfc26e882b0d123a450e",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"dailybuild_modules": {
"inputs": {
"flake-utils": [
@@ -99,11 +150,11 @@
]
},
"locked": {
"lastModified": 1727447169,
"narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=",
"lastModified": 1718194053,
"narHash": "sha256-FaGrf7qwZ99ehPJCAwgvNY5sLCqQ3GDiE/6uLhxxwSY=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76",
"rev": "3867348fa92bc892eba5d9ddb2d7a97b9e127a8a",
"type": "github"
},
"original": {
@@ -135,11 +186,11 @@
]
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
@@ -176,11 +227,11 @@
]
},
"locked": {
"lastModified": 1728263287,
"narHash": "sha256-GJDtsxz2/zw6g/Nrp4XVWBS5IaZ7ZUkuvxPOBEDe7pg=",
"lastModified": 1716772633,
"narHash": "sha256-Idcye44UW+EgjbjCoklf2IDF+XrehV6CVYvxR1omst4=",
"owner": "Mic92",
"repo": "nix-index-database",
"rev": "5fce10c871bab6d7d5ac9e5e7efbb3a2783f5259",
"rev": "ff80cb4a11bb87f3ce8459be6f16a25ac86eb2ac",
"type": "github"
},
"original": {
@@ -191,11 +242,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1728056216,
"narHash": "sha256-IrO06gFUDTrTlIP3Sz+mRB6WUoO2YsgMtOD3zi0VEt0=",
"lastModified": 1717248095,
"narHash": "sha256-e8X2eWjAHJQT82AAN+mCI0B68cIDBJpqJ156+VRrFO0=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "b7ca02c7565fbf6d27ff20dd6dbd49c5b82eef28",
"rev": "7b49d3967613d9aacac5b340ef158d493906ba79",
"type": "github"
},
"original": {
@@ -207,11 +258,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1728193676,
"narHash": "sha256-PbDWAIjKJdlVg+qQRhzdSor04bAPApDqIv2DofTyynk=",
"lastModified": 1717144377,
"narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ecbc1ca8ffd6aea8372ad16be9ebbb39889e55b6",
"rev": "805a384895c696f802a9bf5bf4720f37385df547",
"type": "github"
},
"original": {
@@ -281,6 +332,7 @@
"root": {
"inputs": {
"agenix": "agenix",
"attic": "attic",
"dailybuild_modules": "dailybuild_modules",
"deploy-rs": "deploy-rs",
"flake-compat": "flake-compat",
@@ -306,14 +358,17 @@
],
"nixpkgs-24_05": [
"nixpkgs"
],
"utils": [
"flake-utils"
]
},
"locked": {
"lastModified": 1722877200,
"narHash": "sha256-qgKDNJXs+od+1UbRy62uk7dYal3h98I4WojfIqMoGcg=",
"lastModified": 1718084203,
"narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "af7d3bf5daeba3fc28089b015c0dd43f06b176f2",
"rev": "29916981e7b3b5782dc5085ad18490113f8ff63b",
"type": "gitlab"
},
"original": {

13
flake.nix
View File

@@ -25,6 +25,7 @@
nixpkgs.follows = "nixpkgs";
nixpkgs-24_05.follows = "nixpkgs";
flake-compat.follows = "flake-compat";
utils.follows = "flake-utils";
};
};
@@ -74,6 +75,17 @@
url = "github:Mic92/nix-index-database";
inputs.nixpkgs.follows = "nixpkgs";
};
# Attic
attic = {
url = "github:zhaofengli/attic";
inputs = {
nixpkgs.follows = "nixpkgs";
nixpkgs-stable.follows = "nixpkgs";
flake-utils.follows = "flake-utils";
flake-compat.follows = "flake-compat";
};
};
};
outputs = { self, nixpkgs, ... }@inputs:
@@ -93,6 +105,7 @@
agenix.nixosModules.default
dailybuild_modules.nixosModule
nix-index-database.nixosModules.nix-index
attic.nixosModules.atticd
self.nixosModules.kernel-modules
({ lib, ... }: {
config = {

69
machines/hotspot/default.nix
View File

@@ -1,69 +0,0 @@
{ config, pkgs, lib, ... }:
let
internal = "end0";
wireless = "wlan0";
internal-gateway-ip = "192.168.0.1";
internal-ip-lower = "192.168.0.10";
internal-ip-upper = "192.168.0.100";
in
{
imports = [
./hardware-configuration.nix
];
enableExtraSubstituters = false;
# networking.interfaces.${internal}.ipv4.addresses = [{
# address = internal-gateway-ip;
# prefixLength = 24;
# }];
# DHCP on all interfaces except for the internal interface
networking.useDHCP = true;
networking.interfaces.${internal}.useDHCP = true;
networking.interfaces.${wireless}.useDHCP = true;
# Enable NAT
networking.ip_forward = true;
networking.nat = {
enable = true;
internalInterfaces = [ internal ];
externalInterface = wireless;
};
networking.wireless = {
enable = true;
networks = {
"Pixel_6054".psk = "@PSK_Pixel_6054@";
};
interfaces = [ wireless ];
environmentFile = "/run/agenix/hostspot-passwords";
};
age.secrets.hostspot-passwords.file = ../../secrets/hostspot-passwords.age;
# dnsmasq for internal interface
services.dnsmasq = {
enable = true;
settings = {
server = [ "1.1.1.1" "8.8.8.8" ];
dhcp-range = "${internal-ip-lower},${internal-ip-upper},24h";
dhcp-option = [
"option:router,${internal-gateway-ip}"
"option:broadcast,10.0.0.255"
"option:ntp-server,0.0.0.0"
];
};
};
networking.firewall.interfaces.${internal}.allowedTCPPorts = [
53 # dnsmasq
];
# Make it appear we are not using phone tethering to the ISP
networking.firewall = {
extraCommands = ''
iptables -t mangle -A POSTROUTING -o ${wireless} -j TTL --ttl-set 65
'';
};
}

27
machines/hotspot/hardware-configuration.nix
View File

@@ -1,27 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot = {
kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
loader = {
grub.enable = false;
generic-extlinux-compatible.enable = true;
};
};
fileSystems."/" =
{
device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
fsType = "ext4";
};
swapDevices = [ ];
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}

13
machines/hotspot/properties.nix
View File

@@ -1,13 +0,0 @@
{
hostNames = [
"hotspot"
];
arch = "aarch64-linux";
systemRoles = [
"hotspot"
];
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAION4IUAef687RIzWrP4HEZnpdSJswt06QmrdRMDPHHGY";
}

10
machines/ponyo/default.nix
View File

@@ -102,7 +102,7 @@
host = "chat.neet.space";
};
jitsi-meet = {
enable = false; # disabled until vulnerable libolm dependency is removed/fixed
enable = true;
host = "meet.neet.space";
};
turn = {
@@ -118,6 +118,14 @@
# proxied web services
services.nginx.enable = true;
services.nginx.virtualHosts."jellyfin.neet.cloud" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://s0.koi-bebop.ts.net";
proxyWebsockets = true;
};
};
services.nginx.virtualHosts."navidrome.neet.cloud" = {
enableACME = true;
forceSSL = true;

40
machines/storage/s0/dashy.yaml
View File

@@ -60,65 +60,73 @@ sections:
- &ref_0
title: Jellyfin
icon: hl-jellyfin
url: https://jellyfin.s0.neet.dev
url: http://s0:8097
target: sametab
statusCheck: false
statusCheck: true
statusCheckUrl: http://jellyfin.s0
id: 0_1956_jellyfin
- &ref_1
title: Sonarr
description: Manage TV
icon: hl-sonarr
url: https://sonarr.s0.neet.dev
url: http://s0:8989
target: sametab
statusCheck: false
statusCheck: true
statusCheckUrl: http://sonarr.s0
id: 1_1956_sonarr
- &ref_2
title: Radarr
description: Manage Movies
icon: hl-radarr
url: https://radarr.s0.neet.dev
url: http://s0:7878
target: sametab
statusCheck: false
statusCheck: true
statusCheckUrl: http://radarr.s0
id: 2_1956_radarr
- &ref_3
title: Lidarr
description: Manage Music
icon: hl-lidarr
url: https://lidarr.s0.neet.dev
url: http://s0:8686
target: sametab
statusCheck: false
statusCheck: true
statusCheckUrl: http://lidarr.s0
id: 3_1956_lidarr
- &ref_4
title: Prowlarr
description: Indexers
icon: hl-prowlarr
url: https://prowlarr.s0.neet.dev
url: http://prowlarr.s0
target: sametab
statusCheck: false
statusCheck: true
statusCheckUrl: http://prowlarr.s0
id: 4_1956_prowlarr
- &ref_5
title: Bazarr
description: Subtitles
icon: hl-bazarr
url: https://bazarr.s0.neet.dev
url: http://s0:6767
target: sametab
statusCheck: false
statusCheck: true
statusCheckUrl: http://bazarr.s0
id: 5_1956_bazarr
- &ref_6
title: Navidrome
description: Play Music
icon: hl-navidrome
url: https://music.s0.neet.dev
url: http://s0:4534
target: sametab
statusCheck: false
statusCheck: true
statusCheckUrl: http://music.s0
id: 6_1956_navidrome
- &ref_7
title: Transmission
description: Torrenting
icon: hl-transmission
url: https://transmission.s0.neet.dev
url: http://s0:9091
target: sametab
statusCheck: false
statusCheck: true
statusCheckUrl: http://transmission.s0
id: 7_1956_transmission
filteredItems:
- *ref_0

165
machines/storage/s0/default.nix
View File

@@ -3,7 +3,6 @@
{
imports = [
./hardware-configuration.nix
./frigate.nix
./home-automation.nix
];
@@ -11,23 +10,6 @@
# system.autoUpgrade.enable = true;
nix.gc.automatic = lib.mkForce false; # allow the nix store to serve as a build cache
# binary cache
services.nix-serve = {
enable = true;
openFirewall = true;
secretKeyFile = "/run/agenix/binary-cache-private-key";
};
age.secrets.binary-cache-private-key.file = ../../../secrets/binary-cache-private-key.age;
users.users.cache-push = {
isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpUZFFL9BpBVqeeU63sFPhR9ewuhEZerTCDIGW1NPSB" ];
};
nix.settings = {
trusted-users = [ "cache-push" ];
};
services.iperf3.enable = true;
services.iperf3.openFirewall = true;
@@ -166,89 +148,61 @@
};
# nginx
services.nginx = {
enable = true;
openFirewall = false; # All nginx services are internal
virtualHosts =
let
mkVirtualHost = external: internal:
{
${external} = {
useACMEHost = "s0.neet.dev"; # Use wildcard cert
forceSSL = true;
locations."/" = {
proxyPass = internal;
proxyWebsockets = true;
};
};
};
in
lib.mkMerge [
(mkVirtualHost "bazarr.s0.neet.dev" "http://vpn.containers:6767")
(mkVirtualHost "radarr.s0.neet.dev" "http://vpn.containers:7878")
(mkVirtualHost "lidarr.s0.neet.dev" "http://vpn.containers:8686")
(mkVirtualHost "sonarr.s0.neet.dev" "http://vpn.containers:8989")
(mkVirtualHost "prowlarr.s0.neet.dev" "http://vpn.containers:9696")
(mkVirtualHost "transmission.s0.neet.dev" "http://vpn.containers:9091")
(mkVirtualHost "unifi.s0.neet.dev" "https://localhost:8443")
(mkVirtualHost "music.s0.neet.dev" "http://localhost:4533")
(mkVirtualHost "jellyfin.s0.neet.dev" "http://localhost:8096")
(mkVirtualHost "s0.neet.dev" "http://localhost:56815")
{
# Landing page LAN redirect
"s0" = {
default = true;
redirectCode = 302;
globalRedirect = "s0.neet.dev";
};
}
(mkVirtualHost "ha.s0.neet.dev" "http://localhost:8123") # home assistant
(mkVirtualHost "esphome.s0.neet.dev" "http://localhost:6052")
(mkVirtualHost "zigbee.s0.neet.dev" "http://localhost:55834")
{
"frigate.s0.neet.dev" = {
# Just configure SSL, frigate module configures the rest of nginx
useACMEHost = "s0.neet.dev";
forceSSL = true;
};
}
(mkVirtualHost "vacuum.s0.neet.dev" "http://192.168.1.125") # valetudo
(mkVirtualHost "todo.s0.neet.dev" "http://localhost:${toString config.services.vikunja.port}")
];
tailscaleAuth = {
enable = true;
virtualHosts = [
"bazarr.s0.neet.dev"
"radarr.s0.neet.dev"
"lidarr.s0.neet.dev"
"sonarr.s0.neet.dev"
"prowlarr.s0.neet.dev"
"transmission.s0.neet.dev"
"unifi.s0.neet.dev"
# "music.s0.neet.dev" # messes up navidrome
"jellyfin.s0.neet.dev"
"s0.neet.dev"
# "ha.s0.neet.dev" # messes up home assistant
"esphome.s0.neet.dev"
"zigbee.s0.neet.dev"
"vacuum.s0.neet.dev"
"todo.s0.neet.dev"
];
expectedTailnet = "koi-bebop.ts.net";
services.nginx.enable = true;
services.nginx.virtualHosts."bazarr.s0" = {
listen = [{ addr = "0.0.0.0"; port = 6767; } { addr = "0.0.0.0"; port = 80; }];
locations."/".proxyPass = "http://vpn.containers:6767";
};
services.nginx.virtualHosts."radarr.s0" = {
listen = [{ addr = "0.0.0.0"; port = 7878; } { addr = "0.0.0.0"; port = 80; }];
locations."/".proxyPass = "http://vpn.containers:7878";
};
services.nginx.virtualHosts."lidarr.s0" = {
listen = [{ addr = "0.0.0.0"; port = 8686; } { addr = "0.0.0.0"; port = 80; }];
locations."/".proxyPass = "http://vpn.containers:8686";
};
services.nginx.virtualHosts."sonarr.s0" = {
listen = [{ addr = "0.0.0.0"; port = 8989; } { addr = "0.0.0.0"; port = 80; }];
locations."/".proxyPass = "http://vpn.containers:8989";
};
services.nginx.virtualHosts."prowlarr.s0" = {
listen = [{ addr = "0.0.0.0"; port = 9696; } { addr = "0.0.0.0"; port = 80; }];
locations."/".proxyPass = "http://vpn.containers:9696";
};
services.nginx.virtualHosts."music.s0" = {
listen = [{ addr = "0.0.0.0"; port = 4534; } { addr = "0.0.0.0"; port = 80; }];
locations."/".proxyPass = "http://localhost:4533";
};
services.nginx.virtualHosts."jellyfin.s0" = {
listen = [{ addr = "0.0.0.0"; port = 8097; } { addr = "0.0.0.0"; port = 80; }];
locations."/" = {
proxyPass = "http://localhost:8096";
proxyWebsockets = true;
};
};
services.nginx.virtualHosts."jellyfin.neet.cloud".locations."/" = {
proxyPass = "http://localhost:8096";
proxyWebsockets = true;
};
services.nginx.virtualHosts."transmission.s0" = {
listen = [{ addr = "0.0.0.0"; port = 9091; } { addr = "0.0.0.0"; port = 80; }];
locations."/" = {
proxyPass = "http://vpn.containers:9091";
proxyWebsockets = true;
};
};
# Get wildcard cert
security.acme.certs."s0.neet.dev" = {
dnsProvider = "digitalocean";
credentialsFile = "/run/agenix/digitalocean-dns-credentials";
extraDomainNames = [ "*.s0.neet.dev" ];
group = "nginx";
dnsResolver = "1.1.1.1:53";
dnsPropagationCheck = false; # sadly this erroneously fails
};
age.secrets.digitalocean-dns-credentials.file = ../../../secrets/digitalocean-dns-credentials.age;
networking.firewall.allowedTCPPorts = [
6767
7878
8686
8989
9696
4534
8097
9091
8443 # unifi
];
virtualisation.oci-containers.backend = "podman";
virtualisation.podman.dockerSocket.enable = true; # TODO needed?
@@ -259,18 +213,11 @@
services.unifi = {
enable = true;
openMinimalFirewall = true;
};
services.vikunja = {
enable = true;
port = 61473;
frontendScheme = "https";
frontendHostname = "todo.s0.neet.dev";
settings = {
service.enableregistration = false;
};
openFirewall = true;
unifiPackage = pkgs.unifi8;
};
boot.binfmt.emulatedSystems = [ "aarch64-linux" "armv7l-linux" ];
services.atticd.enable = true;
}

155
machines/storage/s0/frigate.nix
View File

@@ -1,155 +0,0 @@
{ config, pkgs, lib, ... }:
let
frigateHostname = "frigate.s0.neet.dev";
mkGo2RtcStream = name: url: withAudio: {
${name} = [
url
"ffmpeg:${name}#video=copy${if withAudio then "#audio=copy" else ""}"
];
};
# Assumes camera is set to output:
# - rtsp
# - H.264 + AAC
# - a downscaled substream for detection
mkCamera = name: primaryUrl: detectUrl: {
# Reference https://docs.frigate.video/configuration/reference/
services.frigate.settings = {
cameras.${name} = {
ffmpeg = {
# Camera feeds are relayed through go2rtc
inputs = [
{
path = "rtsp://127.0.0.1:8554/${name}";
# input_args = "preset-rtsp-restream";
input_args = "preset-rtsp-restream-low-latency";
roles = [ "record" ];
}
{
path = detectUrl;
roles = [ "detect" ];
}
];
output_args = {
record = "preset-record-generic-audio-copy";
};
};
};
};
services.go2rtc.settings.streams = lib.mkMerge [
(mkGo2RtcStream name primaryUrl false)
# Sadly having the detection stream go through go2rpc too makes the stream unreadable by frigate for some reason.
# It might need to be re-encoded to work. But I am not interested in wasting the processing power if only frigate
# need the detection stream anyway. So just let frigate grab the stream directly since it works.
# (mkGo2RtcStream detectName detectUrl false)
];
};
mkDahuaCamera = name: address:
let
# go2rtc and frigate have a slightly different syntax for inserting env vars. So the URLs are not interchangable :(
# - go2rtc: ${VAR}
# - frigate: {VAR}
primaryUrl = "rtsp://admin:\${FRIGATE_RTSP_PASSWORD}@${address}/cam/realmonitor?channel=1&subtype=0";
detectUrl = "rtsp://admin:{FRIGATE_RTSP_PASSWORD}@${address}/cam/realmonitor?channel=1&subtype=1";
in
mkCamera name primaryUrl detectUrl;
mkEsp32Camera = name: address: {
services.frigate.settings.cameras.${name} = {
ffmpeg = {
input_args = "";
inputs = [{
path = "http://${address}:8080";
roles = [ "detect" "record" ];
}];
output_args.record = "-f segment -pix_fmt yuv420p -segment_time 10 -segment_format mp4 -reset_timestamps 1 -strftime 1 -c:v libx264 -preset ultrafast -an ";
};
};
};
in
lib.mkMerge [
(mkDahuaCamera "dog-cam" "192.168.10.31")
# (mkEsp32Camera "dahlia-cam" "dahlia-cam.lan")
{
services.frigate = {
enable = true;
hostname = frigateHostname;
settings = {
mqtt = {
enabled = true;
host = "localhost:1883";
};
rtmp.enabled = false;
snapshots = {
enabled = true;
bounding_box = true;
};
record = {
enabled = true;
# sync_recordings = true; # detect if recordings were deleted outside of frigate (expensive)
retain = {
days = 2; # Keep video for 2 days
mode = "motion";
};
events = {
retain = {
default = 10; # Keep video with detections for 10 days
mode = "motion";
# mode = "active_objects";
};
};
};
# Make frigate aware of the go2rtc streams
go2rtc.streams = config.services.go2rtc.settings.streams;
detect.enabled = true;
objects = {
track = [ "person" "dog" ];
};
};
};
services.go2rtc = {
enable = true;
settings = {
rtsp.listen = ":8554";
webrtc.listen = ":8555";
};
};
# Pass in env file with secrets to frigate/go2rtc
systemd.services.frigate.serviceConfig.EnvironmentFile = "/run/agenix/frigate-credentials";
systemd.services.go2rtc.serviceConfig.EnvironmentFile = "/run/agenix/frigate-credentials";
age.secrets.frigate-credentials.file = ../../../secrets/frigate-credentials.age;
}
{
# hardware encode/decode with amdgpu vaapi
systemd.services.frigate = {
environment.LIBVA_DRIVER_NAME = "radeonsi";
serviceConfig = {
SupplementaryGroups = [ "render" "video" ]; # for access to dev/dri/*
AmbientCapabilities = "CAP_PERFMON";
};
};
services.frigate.settings.ffmpeg.hwaccel_args = "preset-vaapi";
}
{
# Coral TPU for frigate
services.udev.packages = [ pkgs.libedgetpu ];
users.groups.apex = { };
systemd.services.frigate.environment.LD_LIBRARY_PATH = "${pkgs.libedgetpu}/lib";
systemd.services.frigate.serviceConfig.SupplementaryGroups = [ "apex" ];
# Coral PCIe driver
kernel.enableGasketKernelModule = true;
services.frigate.settings.detectors.coral = {
type = "edgetpu";
device = "pci";
};
}
]

9
machines/storage/s0/hardware-configuration.nix
View File

@@ -8,7 +8,6 @@
# boot
boot.loader.systemd-boot.enable = true;
boot.loader.systemd-boot.memtest86.enable = true;
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "uas" "sd_mod" "rtsx_pci_sdmmc" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
@@ -59,12 +58,8 @@
};
swapDevices = [ ];
networking.vlans = {
iot = {
id = 2;
interface = "eth1";
};
};
networking.interfaces.eth0.useDHCP = true;
networking.interfaces.eth1.useDHCP = true;
powerManagement.cpuFreqGovernor = "powersave";
}

179
machines/storage/s0/home-automation.nix
View File

@@ -1,7 +1,100 @@
{ config, lib, pkgs, ... }:
let
frigateHostname = "frigate.s0";
frigatePort = 61617;
mkEsp32Cam = address: {
ffmpeg = {
input_args = "";
inputs = [{
path = address;
roles = [ "detect" "record" ];
}];
output_args.record = "-f segment -pix_fmt yuv420p -segment_time 10 -segment_format mp4 -reset_timestamps 1 -strftime 1 -c:v libx264 -preset ultrafast -an ";
};
rtmp.enabled = false;
snapshots = {
enabled = true;
bounding_box = true;
};
record = {
enabled = true;
retain.days = 10; # Keep video for 10 days
events.retain = {
default = 30; # Keep video with detections for 30 days
mode = "active_objects";
};
};
detect = {
enabled = true;
width = 800;
height = 600;
fps = 10;
};
objects = {
track = [ "person" ];
};
};
in
{
services.esphome.enable = true;
networking.firewall.allowedTCPPorts = [
# 1883 # mqtt
55834 # mqtt zigbee frontend
frigatePort
4180 # oauth proxy
];
services.frigate = {
enable = true;
hostname = frigateHostname;
settings = {
mqtt = {
enabled = true;
host = "localhost:1883";
};
cameras = {
dahlia-cam = mkEsp32Cam "http://dahlia-cam.lan:8080";
};
# ffmpeg = {
# hwaccel_args = "preset-vaapi";
# };
detectors.coral = {
type = "edgetpu";
device = "pci";
};
};
};
# AMD GPU for vaapi
systemd.services.frigate.environment.LIBVA_DRIVER_NAME = "radeonsi";
# Coral TPU for frigate
services.udev.packages = [ pkgs.libedgetpu ];
users.groups.apex = { };
systemd.services.frigate.environment.LD_LIBRARY_PATH = "${pkgs.libedgetpu}/lib";
systemd.services.frigate.serviceConfig = {
SupplementaryGroups = "apex";
};
# Coral PCIe driver
kernel.enableGasketKernelModule = true;
# Allow accessing frigate UI on a specific port in addition to by hostname
services.nginx.virtualHosts.${frigateHostname} = {
listen = [{ addr = "0.0.0.0"; port = frigatePort; } { addr = "0.0.0.0"; port = 80; }];
};
services.esphome = {
enable = true;
address = "0.0.0.0";
openFirewall = true;
};
# TODO remove after upgrading nixos version
systemd.services.esphome.serviceConfig.ProcSubset = lib.mkForce "all";
systemd.services.esphome.serviceConfig.ProtectHostname = lib.mkForce false;
systemd.services.esphome.serviceConfig.ProtectKernelLogs = lib.mkForce false;
systemd.services.esphome.serviceConfig.ProtectKernelTunables = lib.mkForce false;
# TODO lock down
services.mosquitto = {
@@ -14,9 +107,6 @@
}
];
};
networking.firewall.allowedTCPPorts = [
1883 # mqtt
];
services.zigbee2mqtt = {
enable = true;
@@ -31,7 +121,7 @@
# base_topic = "zigbee2mqtt";
};
frontend = {
host = "localhost";
host = "0.0.0.0";
port = 55834;
};
};
@@ -39,55 +129,60 @@
services.home-assistant = {
enable = true;
openFirewall = true;
configWritable = true;
extraComponents = [
"default_config"
"esphome"
"met"
"radio_browser"
"wled"
"mqtt"
"apple_tv" # why is this even needed? I get `ModuleNotFoundError: No module named 'pyatv'` errors otherwise for some reason.
"unifi"
"digital_ocean"
"downloader"
"mailgun"
"minecraft_server"
"mullvad"
"nextcloud"
"ollama"
"openweathermap"
"jellyfin"
"transmission"
"radarr"
"sonarr"
"syncthing"
"tailscale"
"weather"
"whois"
"youtube"
"homekit_controller"
"zha"
"bluetooth"
];
# config = null;
config = {
# Includes dependencies for a basic setup
# https://www.home-assistant.io/integrations/default_config/
default_config = { };
# Enable reverse proxy support
http = {
use_x_forwarded_for = true;
trusted_proxies = [
"127.0.0.1"
"::1"
];
};
"automation manual" = [
];
# Allow using automations generated from the UI
"automation ui" = "!include automations.yaml";
};
};
# TODO need services.oauth2-proxy.cookie.domain ?
services.oauth2-proxy =
let
nextcloudServer = "https://neet.cloud/";
in
{
enable = true;
httpAddress = "http://0.0.0.0:4180";
nginx.domain = frigateHostname;
# nginx.virtualHosts = [
# frigateHostname
# ];
email.domains = [ "*" ];
cookie.secure = false;
provider = "nextcloud";
# redirectURL = "http://s0:4180/oauth2/callback"; # todo forward with nginx?
clientID = "4FfhEB2DNzUh6wWhXTjqQQKu3Ibm6TeYpS8TqcHe55PJC1DorE7vBZBELMKDjJ0X";
keyFile = "/run/agenix/oauth2-proxy-env";
loginURL = "${nextcloudServer}/index.php/apps/oauth2/authorize";
redeemURL = "${nextcloudServer}/index.php/apps/oauth2/api/v1/token";
validateURL = "${nextcloudServer}/ocs/v2.php/cloud/user?format=json";
# todo --cookie-refresh
extraConfig = {
# cookie-csrf-per-request = true;
# cookie-csrf-expire = "5m";
# user-id-claim = "preferred_username";
};
};
age.secrets.oauth2-proxy-env.file = ../../../secrets/oauth2-proxy-env.age;
}

1
machines/storage/s0/properties.nix
View File

@@ -11,7 +11,6 @@
"pia"
"binary-cache"
"gitea-actions-runner"
"frigate"
];
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";

6
overlays/actualbudget/default.nix
View File

@@ -7,16 +7,16 @@
}:
buildNpmPackage rec {
pname = "actual-server";
version = "24.10.1";
version = "24.3.0";
src = fetchFromGitHub {
owner = "actualbudget";
repo = pname;
rev = "refs/tags/v${version}";
hash = "sha256-VJAD+lNamwuYmiPJLXkum6piGi5zLOHBp8cUeZagb4s=";
hash = "sha256-y51Dhdn84AWR/gM4LnAzvBIBpvKwUiclnPnwzkRoJ0I=";
};
npmDepsHash = "sha256-Z2e4+JMhI/keLerT0F4WYdLnXHRQCqL7NjNyA9SFEF8=";
npmDepsHash = "sha256-/UM2Tz8t4hi621HtXSu0LTDIzZ9SWMqKXqKfPwkdpE8=";
patches = [
./migrations-should-use-pkg-path.patch

13
overlays/actualbudget/migrations-should-use-pkg-path.patch
View File

@@ -1,5 +1,5 @@
diff --git a/src/load-config.js b/src/load-config.js
index d99ce42..42d1351 100644
index d3cc5dd..cfcad8a 100644
--- a/src/load-config.js
+++ b/src/load-config.js
@@ -3,7 +3,8 @@ import path from 'node:path';
@@ -12,7 +12,7 @@ index d99ce42..42d1351 100644
const debugSensitive = createDebug('actual-sensitive:config');
const projectRoot = path.dirname(path.dirname(fileURLToPath(import.meta.url)));
@@ -108,6 +109,7 @@ const finalConfig = {
@@ -90,6 +91,7 @@ const finalConfig = {
serverFiles: process.env.ACTUAL_SERVER_FILES || config.serverFiles,
userFiles: process.env.ACTUAL_USER_FILES || config.userFiles,
webRoot: process.env.ACTUAL_WEB_ROOT || config.webRoot,
@@ -21,7 +21,7 @@ index d99ce42..42d1351 100644
process.env.ACTUAL_HTTPS_KEY && process.env.ACTUAL_HTTPS_CERT
? {
diff --git a/src/migrations.js b/src/migrations.js
index cba7db0..9983471 100644
index 964e1f2..3a341d7 100644
--- a/src/migrations.js
+++ b/src/migrations.js
@@ -1,6 +1,12 @@
@@ -37,12 +37,11 @@ index cba7db0..9983471 100644
export default function run(direction = 'up') {
console.log(
@@ -13,7 +19,7 @@ export default function run(direction = 'up') {
@@ -13,6 +19,7 @@ export default function run(direction = 'up') {
stateStore: `${path.join(config.dataDir, '.migrate')}${
config.mode === 'test' ? '-test' : ''
}`,
- migrationsDirectory: `${path.join(config.projectRoot, 'migrations')}`,
+ migrationsDirectory
+ migrationsDirectory,
},
(err, set) => {
if (err) {
if (err) {

1657
overlays/actualbudget/package-lock.json generated
View File

File diff suppressed because it is too large Load Diff

7
overlays/default.nix
View File

@@ -12,4 +12,11 @@ in
frigate = frigatePkgs.frigate;
actual-server = prev.callPackage ./actualbudget { };
unifi8 = prev.unifi.overrideAttrs (oldAttrs: rec {
version = "8.1.113";
src = prev.fetchurl {
url = "https://dl.ui.com/unifi/8.1.113/unifi_sysvinit_all.deb";
sha256 = "1knm+l8MSb7XKq2WIbehAnz7loRPjgnc+R98zpWKEAE=";
};
});
}

8
secrets/atticd-credentials.age Normal file
View File

@@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 hPp1nw tMy5kLAcQD62yAfEVJ4LQZjs0kkEEQOfM4HN9yj3hBY
JvlklGTxxfAZbP+alm3nxLxqhmcu2mTKwRU5WaapL9w
-> ssh-ed25519 w3nu8g ZGzufldXq7kmIpqFecbkpDxiykWZ207k0+09I2dmxEM
SK25e5HBe4b5reGXXfCjIFbFGzfu32RFjY++/yteRVc
--- xZOe1syYAcVRDhiNRv+CsfFgoQbiANA6vNCon+5NExc
ñ1Å,C-.M§Áè?ÐêóµµàY|u+
³Ø<C2B3>÷ŽæÒ¡ôm†Œûäfß]=érøÜüÎAg¤€æSú:Ð8•S¦LiœùªsêÁâ9JŠð<>¸ÏæñÄÐÃ<ûAz¹[ý§xï<78>:‡'U*<2A>wÀ™D/…±VpM~!õ,* ¿”µ¡øk¥Ö´ßEíîïh {¢p$¾R`ÿ

BIN
secrets/binary-cache-private-key.age
View File

Binary file not shown.

BIN
secrets/binary-cache-push-sshkey.age
View File

Binary file not shown.

11
secrets/digitalocean-dns-credentials.age
View File

@@ -1,11 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 WBT1Hw wjZGPvilRXGZsC2+7dWm/Nbau8Allv29WwQCr0XSAWU
uTOf/sokutOGDyc8fbTbBWXqCVQCFhGdHxwA6SXqhdA
-> ssh-ed25519 6AT2/g NU068qwqOWiKk0QwqP9vU4xJaND2OR4bo8xkmdWATgY
uGd0sb5PH+rREn9pgLOFwk29CX66aPBQMvr4rBazylc
-> ssh-ed25519 hPp1nw r2JRiZ7fsHPYDlte6Oh2Gx1KkugekFeeg3xSjziI+hQ
xnO0gscMdR25mj5uAX7D42FCbCQhqbU0wkiLX4OmVqk
-> ssh-ed25519 w3nu8g F03mPU63WwEs1SLUFErLOVCkARoggGIvvz9TFZfMOBY
HOdVA3xW9pqUPhclO6VueSfXg3ux06Ch3fucF6Vr4hM
--- niyo231HPT/+2dzflP+zhYjL9XiWsk7svesCYdkU1jA
ØQî¬5-ô@<40>¢¿—ßÐN5<4E> Ãÿ$Ø‚™’Çž…êÐ<C3AA>X=ŒHŽDÁ`P×5ZA´÷¼YóäÓ?¡é^[³1”6ÕK*mP݈ª­æ1æç÷ß›ƒ:$^ÑfDœ†ÿ“š-zi´"·Tàuÿüò

7
secrets/frigate-credentials.age
View File

@@ -1,7 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 hPp1nw Chke1ZtpXxN1c1+AnJ6Cd5kpM1KfQKTwymrfPW53QCA
jUcw8eitC7r0rwefjllndZjARIqpWoVqGCnefHfjQ6Y
-> ssh-ed25519 w3nu8g KY/5bU1B5uvmfGHF2d6qBL1NYy64qo324rdvkgnXoDA
OBvuFtzZXQ0RmmEXelyzHMMiVqZir7zQJMA36ZH2siE
--- CSd7lYSYQ2fCTjkJLPGdaNGL8eVpE9IBEyFo0LW907M
£³$šO†ÈIß//Êw*ƒ™õD¤@u5o[¼â:·äš¥t¾˜]Jñ쮸™@Ùhþu£Àk;?·XüÁHRºÑ°E5¥ÍçÜ9

7
secrets/hostspot-passwords.age
View File

@@ -1,7 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 cObvAg l/suU/M4AATK7lQuZv/qnjG/xqNGoVqhS7b3xirmNUM
Ao2tP6BBSZdlL7jZJPmLyJQWfqdU89M9hCjkkuqtxlw
-> ssh-ed25519 w3nu8g szQugiuFfzkzVndyIdP1agun4nmCsZzFG/6EEB2V1Gk
5+DEUJ5tkVFUpm+w/tptUCByRpMxRigwfrVglTYc8XI
--- pjviyhRustHHMipIpkKsQ4cpu+YA66JwvWXjceXopi4
)˜Ö®Äý8³È6Y"@?Ý9”®@¡Ÿžè|ÂÄž+©Z*4ö2å“R<qef… êªG¹ïV+{©%CmÞd^™b

14
secrets/secrets.nix
View File

@@ -20,10 +20,7 @@ with roles;
"robots-email-pw.age".publicKeys = gitea;
# nix binary cache
# public key: s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU=
"binary-cache-private-key.age".publicKeys = binary-cache;
# public key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpUZFFL9BpBVqeeU63sFPhR9ewuhEZerTCDIGW1NPSB
"binary-cache-push-sshkey.age".publicKeys = nobody; # this value is directly given to gitea
"atticd-credentials.age".publicKeys = binary-cache;
# vpn
"iodine.age".publicKeys = iodine;
@@ -51,13 +48,4 @@ with roles;
# Librechat
"librechat-env-file.age".publicKeys = librechat;
# For ACME DNS Challenge
"digitalocean-dns-credentials.age".publicKeys = server;
# Frigate (DVR)
"frigate-credentials.age".publicKeys = frigate;
# Phone hotspot passwords
"hostspot-passwords.age".publicKeys = hotspot;
}