zuckerberg/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Activity

Compare commits

base: zuckerberg/nix-config:stage
Branches Tags
zuckerberg/nix-config:master zuckerberg/nix-config:stage zuckerberg/nix-config:hyprland zuckerberg/nix-config:pia-vpn-v2 zuckerberg/nix-config:kexec_luks2
..
compare: zuckerberg/nix-config:576ee472463a3b01bb44cc1a72224776836c2982
Branches Tags
zuckerberg/nix-config:stage zuckerberg/nix-config:master zuckerberg/nix-config:hyprland zuckerberg/nix-config:pia-vpn-v2 zuckerberg/nix-config:kexec_luks2

5 Commits
stage .. 576ee47246

Author SHA1 Message Date
zuckerberg 576ee47246 Add periodic PIA VPN connectivity check
Check Flake / check-flake (push) Successful in 4m38s
Details 
Oneshot service + timer (every 5 min) inside the VPN container that
verifies WireGuard handshake freshness and internet reachability.
Fails on VPN or internet outage, triggering ntfy alert via OnFailure.
Capped at 3 failures per day via StartLimitBurst.
 2026-03-04 21:45:07 -08:00
zuckerberg 335abe4e65 Add DDR5 DIMM temperature monitoring with ntfy alerts 
Monitors spd5118 sensors every 5 minutes and sends an ntfy
notification if any DIMM exceeds 55°C. Opt-in via
ntfy-alerts.dimmTempCheck.enable, enabled on s0.
 2026-03-04 21:24:40 -08:00
zuckerberg 6267def09b Add Music Assistant to Dashy and Gatus 2026-03-04 21:23:16 -08:00
zuckerberg 5342c920a8 Update README 2026-03-04 20:53:46 -08:00
zuckerberg 6beaa008e1 Remove LanguageTool service 2026-03-04 20:45:32 -08:00
25 changed files with 163 additions and 351 deletions
Expand all files Collapse all files
common/boot/remote-luks-unlock.nix
+37 -42
View File
@@ -45,57 +45,52 @@ in
authorizedKeys = cfg.sshAuthorizedKeys;
};
# Use systemd-tty-ask-password-agent for interactive LUKS passphrase entry over SSH
boot.initrd.systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent --watch";
boot.initrd.postDeviceCommands = ''
echo 'waiting for root device to be opened...'
mkfifo /crypt-ramfs/passphrase
echo /crypt-ramfs/passphrase >> /dev/null
'';
# Tor hidden service for remote unlock over onion
boot.initrd.secrets = lib.mkIf cfg.enableTorUnlock {
"/etc/tor/onion/bootup" = cfg.onionConfig;
};
boot.initrd.systemd.storePaths = lib.mkIf cfg.enableTorUnlock [
"${pkgs.tor}/bin/tor"
"${pkgs.haveged}/bin/haveged"
];
boot.initrd.systemd.services.tor-unlock = lib.mkIf cfg.enableTorUnlock {
description = "Tor Hidden Service for Boot Unlock";
wantedBy = [ "initrd.target" ];
after = [ "network.target" "sshd.service" ];
wants = [ "network.target" ];
unitConfig.DefaultDependencies = false;
serviceConfig = {
Type = "forking";
RemainAfterExit = true;
};
script =
let
torRc = pkgs.writeText "tor.rc" ''
DataDirectory /etc/tor
SOCKSPort 127.0.0.1:9050 IsolateDestAddr
SOCKSPort 127.0.0.1:9063
HiddenServiceDir /etc/tor/onion/bootup
HiddenServicePort 22 127.0.0.1:22
'';
in
boot.initrd.extraUtilsCommands = lib.mkIf cfg.enableTorUnlock ''
copy_bin_and_libs ${pkgs.tor}/bin/tor
copy_bin_and_libs ${pkgs.haveged}/bin/haveged
'';
boot.initrd.network.postCommands = lib.mkMerge [
(
''
# Fix permissions for tor
# Add nice prompt for giving LUKS passphrase over ssh
echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile
''
)
(
let torRc = (pkgs.writeText "tor.rc" ''
DataDirectory /etc/tor
SOCKSPort 127.0.0.1:9050 IsolateDestAddr
SOCKSPort 127.0.0.1:9063
HiddenServiceDir /etc/tor/onion/bootup
HiddenServicePort 22 127.0.0.1:22
''); in
lib.mkIf cfg.enableTorUnlock ''
echo "tor: preparing onion folder"
# have to do this otherwise tor does not want to start
chmod -R 700 /etc/tor
# Ensure loopback is up
ip a a 127.0.0.1/8 dev lo 2>/dev/null || true
echo "make sure localhost is up"
ip a a 127.0.0.1/8 dev lo
ip link set lo up
# Start haveged for entropy
${pkgs.haveged}/bin/haveged -F &
echo "haveged: starting haveged"
haveged -F &
# Verify and start tor
${pkgs.tor}/bin/tor -f ${torRc} --verify-config
${pkgs.tor}/bin/tor -f ${torRc} &
'';
};
echo "tor: starting tor"
tor -f ${torRc} --verify-config
tor -f ${torRc} &
''
)
];
};
}
common/network/default.nix
+4 -21
View File
@@ -14,25 +14,8 @@ in
options.networking.ip_forward = mkEnableOption "Enable ip forwarding";
config = mkMerge [
(mkIf cfg.ip_forward {
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
})
# Keep dhcpcd away from container/virtual interfaces. dhcpcd runs as a single
# daemon over every interface not on its deny list, and the nixpkgs default
# omits these. When containers create/tear down podman0/veth*, dhcpcd reacts
# to the link events with a full reconfigure and can drop the primary
# interface's DHCP default route, leaving the host unreachable.
{
networking.dhcpcd.denyInterfaces = [
"podman*"
"veth*"
"cni*"
"docker*"
"br-*"
];
}
];
config = mkIf cfg.ip_forward {
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
};
}
common/network/pia-vpn/service-container.nix
-4
View File
@@ -11,7 +11,6 @@ with lib;
let
cfg = config.pia-vpn;
hostName = config.networking.hostName;
mkContainer = name: ctr: {
autoStart = true;
@@ -29,9 +28,6 @@ let
config = { config, pkgs, lib, ... }: {
imports = allModules ++ [ ctr.config ];
ntfy-alerts.ignoredUnits = [ "logrotate" ];
ntfy-alerts.hostLabel = "${hostName}/${name}";
# Static IP with gateway pointing to VPN container
networking.useNetworkd = true;
systemd.network.enable = true;
common/network/pia-vpn/vpn-container.nix
+26 -65
View File
@@ -6,7 +6,6 @@ with lib;
let
cfg = config.pia-vpn;
hostName = config.networking.hostName;
scripts = import ./scripts.nix;
# Port forwarding derived state
@@ -99,8 +98,6 @@ in
# Route ntfy alerts through the host proxy (VPN container has no gateway on eth0)
ntfy-alerts.curlExtraArgs = "--proxy http://${cfg.hostAddress}:${toString cfg.proxyPort}";
ntfy-alerts.ignoredUnits = [ "logrotate" ];
ntfy-alerts.hostLabel = "${hostName}/pia-vpn";
# Enable forwarding so bridge traffic can go through WG
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
@@ -231,80 +228,44 @@ in
};
# Periodic VPN connectivity check — fails if VPN or internet is down,
# triggering ntfy alert via the OnFailure drop-in.
# Tracks failures with a counter file so only the first 3 failures per
# day trigger an alert (subsequent failures exit 0 to suppress noise).
# triggering ntfy alert via the OnFailure drop-in
systemd.services.pia-vpn-check = {
description = "Check PIA VPN connectivity";
after = [ "pia-vpn-setup.service" ];
requires = [ "pia-vpn-setup.service" ];
path = with pkgs; [ wireguard-tools iputils coreutils gawk jq ];
path = with pkgs; [ wireguard-tools iputils coreutils gawk ];
unitConfig = {
StartLimitBurst = 3;
StartLimitIntervalSec = "1d";
};
serviceConfig.Type = "oneshot";
script = ''
set -euo pipefail
COUNTER_FILE="/var/lib/pia-vpn/check-fail-count.json"
MAX_ALERTS=3
check_vpn() {
# Check that WireGuard has a peer with a recent handshake (within 3 minutes)
handshake=$(wg show ${cfg.interfaceName} latest-handshakes | awk '{print $2}')
if [ -z "$handshake" ] || [ "$handshake" -eq 0 ]; then
echo "No WireGuard handshake recorded" >&2
return 1
fi
now=$(date +%s)
age=$((now - handshake))
if [ "$age" -gt 180 ]; then
echo "WireGuard handshake is stale (''${age}s ago)" >&2
return 1
fi
# Verify internet connectivity through VPN tunnel
if ! ping -c1 -W10 1.1.1.1 >/dev/null 2>&1; then
echo "Cannot reach internet through VPN" >&2
return 1
fi
echo "PIA VPN connectivity OK (handshake ''${age}s ago)"
return 0
}
MAX_RETRIES=4
for attempt in $(seq 1 $MAX_RETRIES); do
if check_vpn; then
rm -f "$COUNTER_FILE"
exit 0
fi
if [ "$attempt" -lt "$MAX_RETRIES" ]; then
echo "Attempt $attempt/$MAX_RETRIES failed, retrying in 5 minutes..." >&2
sleep 300
fi
done
# Failed read and update counter (reset if from a previous day)
today=$(date +%Y-%m-%d)
count=0
if [ -f "$COUNTER_FILE" ]; then
stored=$(jq -r '.date // ""' "$COUNTER_FILE")
if [ "$stored" = "$today" ]; then
count=$(jq -r '.count // 0' "$COUNTER_FILE")
fi
fi
count=$((count + 1))
jq -n --arg date "$today" --argjson count "$count" \
'{"date": $date, "count": $count}' > "$COUNTER_FILE"
if [ "$count" -le "$MAX_ALERTS" ]; then
echo "Failure $count/$MAX_ALERTS today alerting" >&2
# Check that WireGuard has a peer with a recent handshake (within 3 minutes)
handshake=$(wg show ${cfg.interfaceName} latest-handshakes | awk '{print $2}')
if [ -z "$handshake" ] || [ "$handshake" -eq 0 ]; then
echo "No WireGuard handshake recorded" >&2
exit 1
else
echo "Failure $count today suppressing alert (already sent $MAX_ALERTS)" >&2
exit 0
fi
now=$(date +%s)
age=$((now - handshake))
if [ "$age" -gt 180 ]; then
echo "WireGuard handshake is stale (''${age}s ago)" >&2
exit 1
fi
# Verify internet connectivity through VPN tunnel
if ! ping -c1 -W10 1.1.1.1 >/dev/null 2>&1; then
echo "Cannot reach internet through VPN" >&2
exit 1
fi
echo "PIA VPN connectivity OK (handshake ''${age}s ago)"
'';
};
@@ -312,7 +273,7 @@ in
description = "Periodic PIA VPN connectivity check";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "*:0/30";
OnCalendar = "*:0/5";
RandomizedDelaySec = "30s";
};
};
common/ntfy/default.nix
-6
View File
@@ -26,12 +26,6 @@
default = [ ];
description = "Unit names to skip failure notifications for.";
};
hostLabel = lib.mkOption {
type = lib.types.str;
default = config.networking.hostName;
description = "Label used in ntfy alert titles to identify this host/container.";
};
};
config = lib.mkIf config.thisMachine.hasRole."ntfy" {
common/ntfy/dimm-temp.nix
-4
View File
@@ -9,7 +9,6 @@ let
threshold=55
hot=""
summary=""
while IFS= read -r line; do
case "$line" in
@@ -19,7 +18,6 @@ let
*temp1_input:*)
temp="''${line##*: }"
whole="''${temp%%.*}"
summary="''${summary:+$summary, }$chip: ''${temp}°C"
if [ "$whole" -ge "$threshold" ]; then
hot="$hot"$'\n'" $chip: ''${temp}°C"
fi
@@ -27,8 +25,6 @@ let
esac
done < <(sensors -u 'spd5118-*' 2>/dev/null)
echo "$summary"
if [ -n "$hot" ]; then
message="DIMM temperature above ''${threshold}°C on ${config.networking.hostName}:$hot"
common/ntfy/service-failure.nix
+1 -1
View File
@@ -32,7 +32,7 @@ in
--max-time 30 --retry 3 \
${cfg.curlExtraArgs} \
-H "Authorization: Bearer $NTFY_TOKEN" \
-H "Title: Service failure on ${cfg.hostLabel}" \
-H "Title: Service failure on ${config.networking.hostName}" \
-H "Priority: high" \
-H "Tags: rotating_light" \
-H "Message: Unit $unit failed at $(date +%c)" \
common/pc/kde.nix
-8
View File
@@ -9,14 +9,6 @@ in
services.displayManager.sddm.wayland.enable = true;
services.desktopManager.plasma6.enable = true;
services.displayManager.sessionPackages = [
pkgs.plasma-bigscreen
];
# Bigscreen binaries must be on PATH for autostart services, KCMs, and
# internal plasmashell launches (settings, input handler, envmanager, etc.)
environment.systemPackages = [ pkgs.plasma-bigscreen ];
# kde apps
users.users.googlebot.packages = with pkgs; [
# akonadi
common/pc/steam.nix
-23
View File
@@ -8,29 +8,6 @@ in
programs.steam.enable = true;
hardware.steam-hardware.enable = true; # steam controller
# Login DE Option: Steam Gamescope (Steam Deck-like session)
programs.gamescope = {
enable = true;
};
programs.steam.gamescopeSession = {
enable = true;
args = [
"--hdr-enabled"
"--hdr-itm-enabled"
"--adaptive-sync"
];
steamArgs = [
"-steamos3"
"-gamepadui"
"-pipewire-dmabuf"
];
env = {
STEAM_ENABLE_VOLUME_HANDLER = "1";
STEAM_DISABLE_AUDIO_DEVICE_SWITCHING = "1";
};
};
environment.systemPackages = [ pkgs.gamescope-wsi ];
users.users.googlebot.packages = [
pkgs.steam
];
common/server/gitea-actions-runner.nix
+4 -6
View File
@@ -1,4 +1,4 @@
{ config, lib, allModules, ... }:
{ config, lib, ... }:
# Gitea Actions Runner inside a NixOS container.
# The container shares the host's /nix/store (read-only) and nix-daemon socket,
@@ -8,7 +8,7 @@
let
thisMachineIsARunner = config.thisMachine.hasRole."gitea-actions-runner";
hostName = config.networking.hostName;
hostOverlays = config.nixpkgs.overlays;
containerName = "gitea-runner";
giteaRunnerUid = 991;
giteaRunnerGid = 989;
@@ -32,10 +32,8 @@ in
};
config = { config, lib, pkgs, ... }: {
imports = allModules;
ntfy-alerts.ignoredUnits = [ "logrotate" ];
ntfy-alerts.hostLabel = "${hostName}/${containerName}";
system.stateVersion = "25.11";
nixpkgs.overlays = hostOverlays;
services.gitea-actions-runner.instances.inst = {
enable = true;
common/server/ntfy.nix
-1
View File
@@ -18,7 +18,6 @@ in
auth-default-access = "deny-all";
behind-proxy = true;
enable-login = true;
attachment-expiry-duration = "48h";
};
# backups
flake.lock
Generated
+35 -34
View File
@@ -53,11 +53,11 @@
]
},
"locked": {
"lastModified": 1778800550,
"narHash": "sha256-nLhQjocD45BwMS946dShAF6BnafpTTe10s8LAcIcLjo=",
"lastModified": 1772587858,
"narHash": "sha256-w0/XBU20BdBeEIJ9i3ecr9Lc6c8uQaXUn/ri+aOsyJk=",
"owner": "sadjow",
"repo": "claude-code-nix",
"rev": "1ba489d6e95f7bccf58250f7bdc5142122d53f2f",
"rev": "0a5fc14be38fabfcfff18db749b63c9c15726765",
"type": "github"
},
"original": {
@@ -78,15 +78,15 @@
"locked": {
"lastModified": 1772394520,
"narHash": "sha256-9c0sHyzoVtvufkSqVNGGydsgjpKv5Zf7062LmOm4Gsc=",
"owner": "GoogleBot42",
"repo": "dailybot",
"ref": "refs/heads/master",
"rev": "d07483c17bf31d416de3642a2faec484ea1810ed",
"type": "github"
"revCount": 21,
"type": "git",
"url": "https://git.neet.dev/zuckerberg/dailybot.git"
},
"original": {
"owner": "GoogleBot42",
"repo": "dailybot",
"type": "github"
"type": "git",
"url": "https://git.neet.dev/zuckerberg/dailybot.git"
}
},
"darwin": {
@@ -186,11 +186,11 @@
]
},
"locked": {
"lastModified": 1775585728,
"narHash": "sha256-8Psjt+TWvE4thRKktJsXfR6PA/fWWsZ04DVaY6PUhr4=",
"lastModified": 1769939035,
"narHash": "sha256-Fok2AmefgVA0+eprw2NDwqKkPGEI5wvR+twiZagBvrg=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "580633fa3fe5fc0379905986543fd7495481913d",
"rev": "a8ca480175326551d6c4121498316261cbb5b260",
"type": "github"
},
"original": {
@@ -228,11 +228,11 @@
]
},
"locked": {
"lastModified": 1778853583,
"narHash": "sha256-0P4/nDOxxufeh5SD5vqpfFw0n4mq29WZISYAgfryD3Y=",
"lastModified": 1772569491,
"narHash": "sha256-bdr6ueeXO1Xg91sFkuvaysYF0mVdwHBpdyhTjBEWv+s=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "1bedcc8740b9aa2f7d3e1312a6c88baf00909f54",
"rev": "924e61f5c2aeab38504028078d7091077744ab17",
"type": "github"
},
"original": {
@@ -250,11 +250,11 @@
"spectrum": "spectrum"
},
"locked": {
"lastModified": 1778669912,
"narHash": "sha256-WT2iimtOBZM/6AcZeBoJU2EgUSaywtlItsEgNkZBda0=",
"lastModified": 1772338235,
"narHash": "sha256-9XcwtSIL/c+pkC3SBNuxCJuSktFOBV1TLvvkhekyB8I=",
"owner": "astro",
"repo": "microvm.nix",
"rev": "a7a7009064cec75d9da652c6723412ce27b9bc44",
"rev": "9d1ff9b53532908a5eba7707931c9093508b6b92",
"type": "github"
},
"original": {
@@ -270,11 +270,11 @@
]
},
"locked": {
"lastModified": 1778393439,
"narHash": "sha256-mOtQxUjtKaPHLeoLOY/YEDctmud1X9KwJr4kE1MJ3Wc=",
"lastModified": 1772341813,
"narHash": "sha256-/PQ0ubBCMj/MVCWEI/XMStn55a8dIKsvztj4ZVLvUrQ=",
"owner": "Mic92",
"repo": "nix-index-database",
"rev": "01466c414c7357ae2ce32be4a272a7c69e94ab5f",
"rev": "a2051ff239ce2e8a0148fa7a152903d9a78e854f",
"type": "github"
},
"original": {
@@ -285,11 +285,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1778593042,
"narHash": "sha256-xYGrSg6354UK2K4WSQd4+TfyvfqmvFbSY+ZtGQUXK0c=",
"lastModified": 1771969195,
"narHash": "sha256-qwcDBtrRvJbrrnv1lf/pREQi8t2hWZxVAyeMo7/E9sw=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "9bd7c80d43e258aaa607d83b43661df11444d808",
"rev": "41c6b421bdc301b2624486e11905c9af7b8ec68e",
"type": "github"
},
"original": {
@@ -301,11 +301,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1778443072,
"narHash": "sha256-zi7/fsqM/kFdNuED//4WOCUtezGtKKqRNORjMvfwjnA=",
"lastModified": 1772542754,
"narHash": "sha256-WGV2hy+VIeQsYXpsLjdr4GvHv5eECMISX1zKLTedhdg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "da5ad661ba4e5ef59ba743f0d112cbc30e474f32",
"rev": "8c809a146a140c5c8806f13399592dbcb1bb5dc4",
"type": "github"
},
"original": {
@@ -344,15 +344,16 @@
]
},
"locked": {
"lastModified": 1777287493,
"narHash": "sha256-Fj7S91TuZm6+DG/v6SFme/p+sWrYMQICGX6yQ5KD43Q=",
"lastModified": 1772064816,
"narHash": "sha256-ks1D9Rtmopd5F/8ENjEUJpSYYMxv603/v6TRen9Hq54=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "e33fbde199eaad513ef5d0746db19d5878150232",
"rev": "ea4dc17f4bc0f65eed082fa394509e4543072b56",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"ref": "master",
"repo": "nixos-mailserver",
"type": "gitlab"
}
@@ -360,11 +361,11 @@
"spectrum": {
"flake": false,
"locked": {
"lastModified": 1772189877,
"narHash": "sha256-i1p90Rgssb//aNiTDFq46ZG/fk3LmyRLChtp/9lddyA=",
"lastModified": 1759482047,
"narHash": "sha256-H1wiXRQHxxPyMMlP39ce3ROKCwI5/tUn36P8x6dFiiQ=",
"ref": "refs/heads/main",
"rev": "fe39e122d898f66e89ffa17d4f4209989ccb5358",
"revCount": 1255,
"rev": "c5d5786d3dc938af0b279c542d1e43bce381b4b9",
"revCount": 996,
"type": "git",
"url": "https://spectrum-os.org/git/spectrum"
},
flake.nix
+2 -2
View File
@@ -25,7 +25,7 @@
# Mail Server
simple-nixos-mailserver = {
url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-compat.follows = "flake-compat";
@@ -44,7 +44,7 @@
# Dailybot
dailybot = {
url = "github:GoogleBot42/dailybot";
url = "git+https://git.neet.dev/zuckerberg/dailybot.git";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-utils.follows = "flake-utils";
home/googlebot.nix
+1 -1
View File
@@ -59,7 +59,7 @@ in
enable = thisMachineIsPersonal;
};
programs.vscodium = {
programs.vscode = {
enable = thisMachineIsPersonal;
# Must use fhs version for vscode-lldb
package = pkgs.vscodium-fhs;
machines/fry/default.nix
+1 -1
View File
@@ -75,7 +75,7 @@
# Get wildcard cert
security.acme.certs."fry.neet.dev" = {
dnsProvider = "digitalocean";
environmentFile = "/run/agenix/digitalocean-dns-credentials";
credentialsFile = "/run/agenix/digitalocean-dns-credentials";
extraDomainNames = [ "*.fry.neet.dev" ];
group = "nginx";
dnsResolver = "1.1.1.1:53";
machines/fry/hardware-configuration.nix
+2 -8
View File
@@ -18,7 +18,7 @@
boot.extraModulePackages = [ ];
# thunderbolt
services.hardware.bolt.enable = false;
services.hardware.bolt.enable = true;
# firmware
firmware.x86_64.enable = true;
@@ -43,13 +43,7 @@
];
# Ensures that dhcp is active during initrd (Network Manager is used post boot)
boot.initrd.systemd.network = {
enable = true;
networks."10-default" = {
matchConfig.Type = "ether";
networkConfig.DHCP = "yes";
};
};
boot.initrd.network.udhcpc.enable = true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
machines/howl/hardware-configuration.nix
+1 -1
View File
@@ -22,7 +22,7 @@
boot.extraModulePackages = [ ];
# thunderbolt
services.hardware.bolt.enable = false;
services.hardware.bolt.enable = true;
# firmware
firmware.x86_64.enable = true;
machines/storage/s0/default.nix
+27 -1
View File
@@ -143,6 +143,30 @@
services.lidarr.enable = true;
services.lidarr.user = "public_data";
services.lidarr.group = "public_data";
services.recyclarr = {
enable = true;
configuration = {
radarr.radarr_main = {
api_key = {
_secret = "/run/credentials/recyclarr.service/radarr-api-key";
};
base_url = "http://localhost:7878";
quality_definition.type = "movie";
};
sonarr.sonarr_main = {
api_key = {
_secret = "/run/credentials/recyclarr.service/sonarr-api-key";
};
base_url = "http://localhost:8989";
quality_definition.type = "series";
};
};
};
systemd.services.recyclarr.serviceConfig.LoadCredential = [
"radarr-api-key:/run/agenix/radarr-api-key"
"sonarr-api-key:/run/agenix/sonarr-api-key"
];
users.groups.public_data.gid = 994;
users.users.public_data = {
@@ -153,6 +177,8 @@
};
};
};
age.secrets.radarr-api-key.file = ../../../secrets/radarr-api-key.age;
age.secrets.sonarr-api-key.file = ../../../secrets/sonarr-api-key.age;
# jellyfin
# jellyfin cannot run in the vpn container and use hardware encoding
@@ -259,7 +285,7 @@
# Get wildcard cert
security.acme.certs."s0.neet.dev" = {
dnsProvider = "digitalocean";
environmentFile = "/run/agenix/digitalocean-dns-credentials";
credentialsFile = "/run/agenix/digitalocean-dns-credentials";
extraDomainNames = [ "*.s0.neet.dev" ];
group = "nginx";
dnsResolver = "1.1.1.1:53";
machines/zoidberg/default.nix
+7 -3
View File
@@ -5,6 +5,10 @@
./hardware-configuration.nix
];
# Login DE Option: Steam
programs.steam.gamescopeSession.enable = true;
# programs.gamescope.capSysNice = true;
# Login DE Option: Kodi
services.xserver.desktopManager.kodi.enable = true;
services.xserver.desktopManager.kodi.package =
@@ -31,7 +35,7 @@
"L+ /opt/rocm/hip - - - - ${pkgs.rocmPackages.clr}"
];
services.displayManager.defaultSession = "plasma-bigscreen-wayland";
services.displayManager.defaultSession = "plasma";
users.users.cris = {
isNormalUser = true;
@@ -50,10 +54,10 @@
uid = 1002;
};
# Auto login into Plasma Bigscreen in john zoidberg account
# Auto login into Plasma in john zoidberg account
services.displayManager.sddm.settings = {
Autologin = {
Session = "plasma-bigscreen-wayland";
Session = "plasma";
User = "john";
};
};
overlays/default.nix
-21
View File
@@ -31,25 +31,4 @@ in
../patches/music-assistant-zeroconf-port.patch
];
});
# nginx 1.30.0 -> 1.30.1: critical security fix. Pulled forward from
# nixpkgs master (PR #519893, merged 2026-05-14) because the
# nixos-unstable channel branch we track does not have it yet.
# Remove once nixos-unstable advances past 2026-05-14.
nginxStable = prev.nginxStable.overrideAttrs (old: rec {
version = "1.30.1";
src = prev.fetchurl {
url = "https://nginx.org/download/nginx-${version}.tar.gz";
hash = "sha256-mXZQANl0iWsxyliC2MJ5zj/n729cb58Kln7X/TQH+cw=";
};
});
nginx = final.nginxStable;
# Plasma Bigscreen: TV-optimized KDE shell (not yet packaged in nixpkgs)
plasma-bigscreen = import ./plasma-bigscreen.nix {
inherit (prev.kdePackages)
mkKdeDerivation plasma-workspace plasma-wayland-protocols
qtmultimedia qtwayland qtwebengine qcoro;
inherit (prev) lib fetchFromGitLab pkg-config sdl3 libcec wayland;
};
}
overlays/plasma-bigscreen.nix
-79
View File
@@ -1,79 +0,0 @@
{
mkKdeDerivation,
lib,
fetchFromGitLab,
pkg-config,
plasma-workspace,
qtmultimedia,
qtwayland,
qtwebengine,
qcoro,
plasma-wayland-protocols,
wayland,
sdl3,
libcec,
}:
mkKdeDerivation {
pname = "plasma-bigscreen";
version = "unstable-2026-03-07";
src = fetchFromGitLab {
domain = "invent.kde.org";
owner = "plasma";
repo = "plasma-bigscreen";
rev = "bd143fea7e386bac1652b8150a3ed3d5ef7cf93c";
hash = "sha256-y439IX7e0+XqxqFj/4+P5le0hA7DiwA+smDsD0UH/fI=";
};
patches = [
../patches/plasma-bigscreen-input-handler-app-id.patch
];
extraNativeBuildInputs = [ pkg-config ];
extraBuildInputs = [
qtmultimedia
qtwayland
qtwebengine
qcoro
plasma-wayland-protocols
wayland
sdl3
libcec
];
# Match project version to installed Plasma release so cmake version checks pass
postPatch = ''
substituteInPlace CMakeLists.txt \
--replace-fail 'set(PROJECT_VERSION "6.5.80")' \
'set(PROJECT_VERSION "${plasma-workspace.version}")'
# Upstream references a nonexistent startplasma-waylandsession binary.
# Fix this in the cmake template (before @KDE_INSTALL_FULL_LIBEXECDIR@ is substituted).
substituteInPlace bin/plasma-bigscreen-wayland.in \
--replace-fail \
'startplasma-wayland --xwayland --libinput --exit-with-session=@KDE_INSTALL_FULL_LIBEXECDIR@/startplasma-waylandsession' \
'startplasma-wayland'
'';
# FIXME: work around Qt 6.10 cmake API changes
cmakeFlags = [ "-DQT_FIND_PRIVATE_MODULES=1" ];
# QML lint fails on missing runtime-only imports (org.kde.private.biglauncher)
# that are only available inside a running Plasma session
dontQmlLint = true;
postFixup = ''
# Session .desktop references $out/libexec/plasma-dbus-run-session-if-needed
# but the binary lives in plasma-workspace
substituteInPlace "$out/share/wayland-sessions/plasma-bigscreen-wayland.desktop" \
--replace-fail \
"$out/libexec/plasma-dbus-run-session-if-needed" \
"${plasma-workspace}/libexec/plasma-dbus-run-session-if-needed"
'';
passthru.providedSessions = [ "plasma-bigscreen-wayland" ];
meta.license = with lib.licenses; [ gpl2Plus ];
}
patches/plasma-bigscreen-input-handler-app-id.patch
-19
View File
@@ -1,19 +0,0 @@
Use the correct app_id when pre-authorizing remote-desktop portal access.
The portal's isAppMegaAuthorized() looks up the caller's specific app_id in
the PermissionStore. An empty string only matches apps the portal cannot
identify; it is not a wildcard. Since the input handler is launched via
KIO::CommandLauncherJob with a desktopName, the portal resolves it to the
desktop file ID, so the empty-string entry never matches.
--- a/inputhandler/xdgremotedesktopsystem.cpp
+++ b/inputhandler/xdgremotedesktopsystem.cpp
@@ -66,7 +67,7 @@
QDBusReply<void> reply = permissionStore.call(QStringLiteral("SetPermission"),
QStringLiteral("kde-authorized"), // table
true, // create table if not exists
QStringLiteral("remote-desktop"), // id
- QLatin1String(""), // app (empty for host applications)
+ QStringLiteral("org.kde.plasma.bigscreen.inputhandler"),
QStringList{QStringLiteral("yes")}); // permissions
secrets/radarr-api-key.age
+11
View File
@@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 hPp1nw gfVRDt7ReEnz10WvPa8UfBBnsRsiw7sxxXQMuXRnCVs
slBNX9Yc1qSu1P5ioNDNLPd97NGE/LWPS/A+u9QGo4E
-> ssh-ed25519 ZDy34A e5MSY5qDP6WuEgbiK0p5esMQJBb3ScVpb15Ff8sTQgQ
9nsimoUQncnbfiu13AnFWZXcpaiySUYdS1eH5O/3Fgg
-> ssh-ed25519 w3nu8g op1KSUhJgM6w/nlaUssQDiraQpVzgnWd//JMu2vFgms
KvEaJfsB7Qkf+PnzFJdZ3wAxm2qj23IS8RRxyuGN2G4
-> ssh-ed25519 evqvfg 9L6pFuqkcChZq/W4zkATXm1Y76SEK+S4SyaiSlJd+C4
j/UWJvo4Cr/UDfaN2milpJ6rU0w1EWdTAzV3SlrCcW8
--- bdG4zC5dx6cSPetH3DNeHEk6EYCJ5TXGrn8OhUMknNU
/¶ø+ÏpñR[¤àJ-*@ÌÿŸx0Ú©ò-ä.*&T·™~-i 2€eƒ¡`@ëQ8š<l™à QK0AÕ§
secrets/secrets.nix
+4
View File
@@ -63,4 +63,8 @@ with roles;
# zigbee2mqtt secrets
"zigbee2mqtt.yaml.age".publicKeys = zigbee;
# Sonarr and Radarr secrets
"radarr-api-key.age".publicKeys = media-server;
"sonarr-api-key.age".publicKeys = media-server;
}
secrets/sonarr-api-key.age
BIN
View File
Binary file not shown.