jahanson/mochi
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: jahanson:main
Branches Tags
jahanson:main
jahanson:talos-pxe-bootstrap
jahanson:update_flake_lock_action
jahanson:renovate/lock-file-maintenance
..
compare: jahanson:talos-pxe-bootstrap
Branches Tags
jahanson:main
jahanson:talos-pxe-bootstrap
jahanson:update_flake_lock_action
jahanson:renovate/lock-file-maintenance

1 commit
main ... talos-pxe-

Author SHA1 Message Date
Joseph Hanson
c009df2813
Initial commit -- Talos PXE Bootstrap scripts 
Takes talhelper `talconfig.yaml` and downloads the assets, then
generates ignition and matchbox configuration based on your machines
defined in `talconfig.yaml`.
 2024-08-21 16:33:35 -05:00
100 changed files with 1116 additions and 3045 deletions
Show stats Expand all files Collapse all files

36
.archive/flake.nix
View file

@ -1,36 +0,0 @@
{
"durincore" = mkNixosConfig {
# T470 Thinkpad Intel i7-6600U
# Backup Nix dev laptop
hostname = "durincore";
system = "x86_64-linux";
hardwareModules = [
./nixos/profiles/hw-thinkpad-t470.nix
inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t470s
];
profileModules = [
./nixos/profiles/role-workstation.nix
./nixos/profiles/role-dev.nix
{ home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
];
};
"legiondary" = mkNixosConfig {
# Legion 15arh05h AMD/Nvidia Ryzen 7 4800H
# Nix dev/gaming laptop
hostname = "legiondary";
system = "x86_64-linux";
hardwareModules = [
inputs.nixos-hardware.nixosModules.lenovo-legion-15arh05h
./nixos/profiles/hw-legion-15arh05h.nix
disko.nixosModules.disko
(import ./nixos/profiles/disko-nixos.nix { disks = [ "/dev/nvme0n1" ]; })
];
profileModules = [
./nixos/profiles/role-dev.nix
./nixos/profiles/role-gaming.nix
./nixos/profiles/role-workstation.nix
{ home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
];
};
}

1
.envrc
View file

@ -1,3 +1,2 @@
use nix
export SOPS_AGE_KEY_FILE="$(expand_path ./age.key)"
export VAULT_ADDR="http://10.1.1.61:8200"

50
.forgejo/workflows/build.yaml
View file

@ -8,7 +8,6 @@ on:
paths:
- ".forgejo/workflows/build.yaml"
- "flake.lock"
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
@ -29,8 +28,6 @@ jobs:
os: native-x86_64
- system: telperion
os: native-x86_64
- system: shadowfax
os: native-x86_64
runs-on: ${{ matrix.os }}
env:
PATH: ${{ format('{0}:{1}', '/run/current-system/sw/bin', env.PATH) }}
@ -49,8 +46,55 @@ jobs:
- name: Garbage collect build dependencies
run: nix-collect-garbage
- name: Build previous ${{ matrix.system }} system
shell: bash
run: |
nix build git+https://git.hsn.dev/jahanson/mochi#top.${{ matrix.system }} \
-v --log-format raw --profile ./profile
- name: Build new ${{ matrix.system }} system
shell: bash
run: |
nix build ".#top.${{ matrix.system }}" --profile ./profile --fallback -v \
> >(tee stdout.log) 2> >(tee /tmp/nix-build-err.log >&2)
- name: Check for build failure
if: failure()
run: |
drv=$(grep "For full logs, run" /tmp/nix-build-err.log | grep -oE "/nix/store/.*.drv")
if [ -n $drv ]; then
nix log $drv
echo $drv
fi
exit 1
- name: Diff profile
id: diff
run: |
nix profile diff-closures --profile ./profile
delimiter="$(openssl rand -hex 16)"
echo "diff<<${delimiter}" >> "${GITHUB_OUTPUT}"
nix profile diff-closures --profile ./profile | perl -pe 's/\e\[[0-9;]*m(?:\e\[K)?//g' >> "${GITHUB_OUTPUT}"
echo "${delimiter}" >> "${GITHUB_OUTPUT}"
# - name: Comment report in pr
# uses: https://github.com/marocchino/sticky-pull-request-comment@v2
# with:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# header: ".#top.${{ matrix.system }}"
# message: |
# ### Report for `${{ matrix.system }}`
# <summary> Version changes </summary> <br>
# <pre> ${{ steps.diff.outputs.diff }} </pre>
# - name: Push to Cachix
# if: success()
# env:
# CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
# run: nix build ".#top.${{ matrix.system }}" --json | jq -r .[].drvPath | cachix push hsndev
nix-build-success:
if: ${{ always() }}
needs:
- nix-build
name: Nix Build Successful
runs-on: docker
steps:
- if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}
name: Check matrix status
run: exit 1

4
.gitignore vendored
View file

@ -1,12 +1,8 @@
**/*.tmp.sops.yaml
**/*.sops.tmp.yaml
**/*sync-conflict*
age.key
result*
.direnv
.kube
.github
.profile
.idea
.secrets
.op

1
.pre-commit-config.yaml
View file

@ -36,4 +36,3 @@ repos:
- id: sops-encryption
# Uncomment to exclude all markdown files from encryption
# exclude: *.\.md
files: .*secrets.*

4
.prettierrc
View file

@ -1,4 +0,0 @@
{
"quoteProps": "preserve",
"trailingComma": "none"
}

4
.sops.yaml
View file

@ -15,10 +15,9 @@ keys:
- &durincore age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
- &gandalf age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
- &legiondary age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
- &shadowfax age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
- &telchar age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
- &telperion age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
- &varda age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
- &telchar age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
creation_rules:
@ -29,7 +28,6 @@ creation_rules:
- *gandalf
- *jahanson
- *legiondary
- *shadowfax
- *telchar
- *telperion
- *varda

46
.vscode/nixmodule.code-snippets vendored
View file

@ -1,46 +0,0 @@
{
// If scope is left empty or omitted, the snippet gets applied to all languages. The prefix is what is
// used to trigger the snippet and the body will be expanded and inserted. Possible variables are:
// $1, $2 for tab stops, $0 for the final cursor position, and ${1:label}, ${2:another} for placeholders.
// Placeholders with the same ids are connected.
"Nix Module with Enable Option": {
"scope": "nix",
"prefix": "nixmodule",
"body": [
"{ config, lib, pkgs, ... }:",
"let",
" cfg = config.mySystem.${1:moduleName};",
"in",
"{",
" options.mySystem.${1:moduleName} = {",
" enable = lib.mkEnableOption \"${2:Description of the module}\";",
" };",
"",
" config = lib.mkIf cfg.enable {",
" $0",
" };",
"}"
],
"description": "Creates a blank Nix module with an enable option"
},
"Nix Home Manager Module with Enable Option": {
"scope": "nix",
"prefix": "nixmodule-homemanager",
"body": [
"{ config, lib, pkgs, ... }:",
"let",
" cfg = config.myHome.programs.${1:moduleName};",
"in",
"{",
" options.myHome.programs.${1:moduleName} = {",
" enable = lib.mkEnableOption \"${2:Description of the module}\";",
" };",
"",
" config = lib.mkIf cfg.enable {",
" $0",
" };",
"}"
],
"description": "Creates a blank Nix module with an enable option"
}
}

39
.vscode/settings.json vendored
View file

@ -1,33 +1,10 @@
{
"editor.fontFamily": "FiraCode Nerd Font",
"editor.hover.delay": 1500,
"editor.bracketPairColorization.enabled": true,
"editor.guides.bracketPairs": true,
"editor.guides.bracketPairsHorizontal": true,
"editor.guides.highlightActiveBracketPair": true,
"files.trimTrailingWhitespace": true,
"sops.defaults.ageKeyFile": "/home/jahanson/projects/mochi/age.key",
"nix.enableLanguageServer": true,
"nix.serverPath": "/run/current-system/sw/bin/nil",
"nix.formatterPath": "/run/current-system/sw/bin/nixfmt",
"nix.serverSettings": {
"nil": {
"formatting": {
"command": ["nixfmt"]
},
"diagnostics": {
"ignored": [],
"excludedFiles": []
},
},
"nix": {
"binary": "/run/current-system/sw/bin/nix",
"maxMemoryMB": null, // disable memory limit
"flake": {
"autoEvalInputs": true,
"autoArchive": true,
"nixpkgsInputName": "nixpkgs"
}
}
}
"editor.fontFamily": "FiraCode Nerd Font",
"editor.hover.delay": 1500,
"editor.bracketPairColorization.enabled": true,
"editor.guides.bracketPairs": true,
"editor.guides.bracketPairsHorizontal": true,
"editor.guides.highlightActiveBracketPair": true,
"files.trimTrailingWhitespace": true,
"sops.defaults.ageKeyFile": "age.key",
}

335
flake.lock
View file

@ -24,11 +24,11 @@
]
},
"locked": {
"lastModified": 1730751873,
"narHash": "sha256-sdY29RWz0S7VbaoTwSy6RummdHKf0wUTaBlqPxrtvmQ=",
"lastModified": 1722821805,
"narHash": "sha256-FGrUPUD+LMDwJsYyNSxNIzFMldtCm8wXiQuyL2PHSrM=",
"owner": "nix-community",
"repo": "disko",
"rev": "856a2902156ba304efebd4c1096dbf7465569454",
"rev": "0257e44f4ad472b54f19a6dd1615aee7fa48ed49",
"type": "github"
},
"original": {
@ -64,11 +64,11 @@
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
@ -98,11 +98,11 @@
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1727826117,
"narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
"lastModified": 1719994518,
"narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
"rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
"type": "github"
},
"original": {
@ -116,11 +116,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"lastModified": 1705309234,
"narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
"type": "github"
},
"original": {
@ -152,11 +152,11 @@
"systems": "systems_3"
},
"locked": {
"lastModified": 1681202837,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"lastModified": 1705309234,
"narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
"type": "github"
},
"original": {
@ -188,11 +188,11 @@
"systems": "systems_5"
},
"locked": {
"lastModified": 1681202837,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
@ -216,6 +216,49 @@
"type": "github"
}
},
"ghostty": {
"inputs": {
"nixpkgs-stable": "nixpkgs-stable",
"nixpkgs-unstable": "nixpkgs-unstable",
"zig": "zig",
"zls": "zls"
},
"locked": {
"lastModified": 1723168569,
"narHash": "sha256-VTo/HNmYQ1ctAzdCOvtInQf9grhSuRLGA8FGP/4pVew=",
"ref": "refs/heads/main",
"rev": "33d9c043ef828b062865f42db551d6ddc48e2def",
"revCount": 6848,
"type": "git",
"url": "ssh://git@github.com/ghostty-org/ghostty"
},
"original": {
"type": "git",
"url": "ssh://git@github.com/ghostty-org/ghostty"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"ghostty",
"zls",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
@ -223,11 +266,11 @@
]
},
"locked": {
"lastModified": 1726989464,
"narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=",
"lastModified": 1720042825,
"narHash": "sha256-A0vrUB6x82/jvf17qPCpxaM+ulJnD8YZwH9Ci0BsAzE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176",
"rev": "e1391fb22e18a36f57e6999c7a9f966dc80ac073",
"type": "github"
},
"original": {
@ -239,11 +282,11 @@
},
"impermanence": {
"locked": {
"lastModified": 1730403150,
"narHash": "sha256-W1FH5aJ/GpRCOA7DXT/sJHFpa5r8sq2qAUncWwRZ3Gg=",
"lastModified": 1719091691,
"narHash": "sha256-AxaLX5cBEcGtE02PeGsfscSb/fWMnyS7zMWBXQWDKbE=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "0d09341beeaa2367bac5d718df1404bf2ce45e6f",
"rev": "23c1f06316b67cb5dabdfe2973da3785cfe9c34a",
"type": "github"
},
"original": {
@ -252,26 +295,16 @@
"type": "github"
}
},
"krewfile": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
]
},
"langref": {
"flake": false,
"locked": {
"lastModified": 1727979884,
"narHash": "sha256-nLS37EhKi/ru+0HimB0EIXYpJCxaE/7bVHUHNvHDEoE=",
"owner": "ajgon",
"repo": "krewfile",
"rev": "1821efaad07ad3925d68210f57e0b73bce57d317",
"type": "github"
"narHash": "sha256-O6p2tiKD8ZMhSX+DeA/o5hhAvcPkU2J9lFys/r11peY=",
"type": "file",
"url": "https://raw.githubusercontent.com/ziglang/zig/0fb2015fd3422fc1df364995f9782dfe7255eccd/doc/langref.html.in"
},
"original": {
"owner": "ajgon",
"ref": "feat/indexes",
"repo": "krewfile",
"type": "github"
"type": "file",
"url": "https://raw.githubusercontent.com/ziglang/zig/0fb2015fd3422fc1df364995f9782dfe7255eccd/doc/langref.html.in"
}
},
"lix": {
@ -290,7 +323,7 @@
},
"lix-module": {
"inputs": {
"flake-utils": "flake-utils_2",
"flake-utils": "flake-utils_4",
"flakey-profile": "flakey-profile",
"lix": "lix",
"nixpkgs": [
@ -359,11 +392,11 @@
]
},
"locked": {
"lastModified": 1730604744,
"narHash": "sha256-/MK6QU4iOozJ4oHTfZipGtOgaT/uy/Jm4foCqHQeYR4=",
"lastModified": 1722740924,
"narHash": "sha256-UQPgA5d8azLZuDHZMPmvDszhuKF1Ek89SrTRtqsQ4Ss=",
"owner": "nix-community",
"repo": "nix-index-database",
"rev": "cc2ddbf2df8ef7cc933543b1b42b845ee4772318",
"rev": "97ca0a0fca0391de835f57e44f369a283e37890f",
"type": "github"
},
"original": {
@ -394,42 +427,20 @@
"type": "github"
}
},
"nix-minecraft": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": "flake-utils_3",
"nixpkgs": [
"nixpkgs-unstable"
]
},
"locked": {
"lastModified": 1730771089,
"narHash": "sha256-TRt7P8pIcKlrz1gVqtibcq2ZGu/EHep1I0n2Chklta4=",
"owner": "Infinidoge",
"repo": "nix-minecraft",
"rev": "84d4f0e13ff27a31d6b73d0ec4ab151755f9f1cb",
"type": "github"
},
"original": {
"owner": "Infinidoge",
"repo": "nix-minecraft",
"type": "github"
}
},
"nix-vscode-extensions": {
"inputs": {
"flake-compat": "flake-compat_2",
"flake-utils": "flake-utils_4",
"flake-utils": "flake-utils_5",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1730771180,
"narHash": "sha256-VSPWndy0ChZobMOS283g1KItO+jLfzTLNaFSN+Lixlw=",
"lastModified": 1723828248,
"narHash": "sha256-Y1zPsSg5t5FWibjooojhJ231u5stC9nYcpeOPrb5F+0=",
"owner": "nix-community",
"repo": "nix-vscode-extensions",
"rev": "77da8f3bed69932db301f372119ed71c439193b7",
"rev": "b3f6cf134b9485eeb7fd509670c13c98944b02a3",
"type": "github"
},
"original": {
@ -440,11 +451,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1730797322,
"narHash": "sha256-cH9emjYIbDYTde/CKOmU97rh7sKuyfedzPcTz4OTJkE=",
"lastModified": 1722332872,
"narHash": "sha256-2xLM4sc5QBfi0U/AANJAW21Bj4ZX479MHPMPkB+eKBU=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "1b0b927860d7eb367ee6a3123ddeb7a8e24bd836",
"rev": "14c333162ba53c02853add87a0000cbd7aa230c2",
"type": "github"
},
"original": {
@ -456,11 +467,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1730741070,
"narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
"lastModified": 1724098845,
"narHash": "sha256-D5HwjQw/02fuXbR4LCTo64koglP2j99hkDR79/3yLOE=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
"rev": "f1bad50880bae73ff2d82fafc22010b4fc097a9c",
"type": "github"
},
"original": {
@ -472,14 +483,14 @@
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1727825735,
"narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=",
"lastModified": 1719876945,
"narHash": "sha256-Fm2rDDs86sHy0/1jxTOKB1118Q0O3Uc7EC0iXvXKpbI=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
"url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
"url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz"
}
},
"nixpkgs-ovmf": {
@ -500,11 +511,27 @@
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1730602179,
"narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
"lastModified": 1705957679,
"narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "9a333eaa80901efe01df07eade2c16d183761fa3",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "release-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1721524707,
"narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
"rev": "556533a23879fc7e5f98dd2e0b31a6911a213171",
"type": "github"
},
"original": {
@ -516,11 +543,27 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1730531603,
"narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=",
"lastModified": 1719082008,
"narHash": "sha256-jHJSUH619zBQ6WdC21fFAlDxHErKVDJ5fpN0Hgx4sjs=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d",
"rev": "9693852a2070b398ee123a329e68f0dab5526681",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable_2": {
"locked": {
"lastModified": 1723991338,
"narHash": "sha256-Grh5PF0+gootJfOJFenTTxDTYPidA3V28dqJ/WV7iis=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "8a3354191c0d7144db9756a74755672387b702ba",
"type": "github"
},
"original": {
@ -530,20 +573,6 @@
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1682134069,
"narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fd901ef4bf93499374c5af385b2943f5801c0833",
"type": "github"
},
"original": {
"id": "nixpkgs",
"type": "indirect"
}
},
"nixvirt-git": {
"inputs": {
"nixpkgs": [
@ -568,11 +597,11 @@
},
"nur": {
"locked": {
"lastModified": 1730818022,
"narHash": "sha256-65XWIVBMViT6fsyEKDdIXOE98UB1rq0PHIpFKH2bZGg=",
"lastModified": 1722976219,
"narHash": "sha256-ggIGbaqOP3N/+aezX3y4K0kbmrsYaJl/8ThC0Jq1it4=",
"owner": "nix-community",
"repo": "NUR",
"rev": "d239d9e41525121dde6ff1a29cfad42f9681ac4c",
"rev": "315c48e6c9acb95b4af6492015d36ef1b7b99dfc",
"type": "github"
},
"original": {
@ -668,22 +697,20 @@
"root": {
"inputs": {
"disko": "disko",
"ghostty": "ghostty",
"home-manager": "home-manager",
"impermanence": "impermanence",
"krewfile": "krewfile",
"lix-module": "lix-module",
"nix-index-database": "nix-index-database",
"nix-inspect": "nix-inspect",
"nix-minecraft": "nix-minecraft",
"nix-vscode-extensions": "nix-vscode-extensions",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
"nixpkgs-unstable": "nixpkgs-unstable_2",
"nixvirt-git": "nixvirt-git",
"nur": "nur",
"sops-nix": "sops-nix",
"talhelper": "talhelper",
"vscode-server": "vscode-server"
"talhelper": "talhelper"
}
},
"rust-overlay": {
@ -731,14 +758,14 @@
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1730746162,
"narHash": "sha256-ZGmI+3AbT8NkDdBQujF+HIxZ+sWXuyT6X8B49etWY2g=",
"lastModified": 1722897572,
"narHash": "sha256-3m/iyyjCdRBF8xyehf59QlckIcmShyTesymSb+N4Ap4=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "59d6988329626132eaf107761643f55eb979eef1",
"rev": "8ae477955dfd9cbf5fa4eb82a8db8ddbb94e79d9",
"type": "github"
},
"original": {
@ -830,11 +857,11 @@
]
},
"locked": {
"lastModified": 1730778489,
"narHash": "sha256-QZIzk3Bewp6KR9OVXApItLXqm4q7qonHqJjMrg4p/BI=",
"lastModified": 1722917349,
"narHash": "sha256-7ZFfvJJM0HTom12kQ60sLCTkmOt1Z2qqty4ddiqdP/I=",
"owner": "budimanjojo",
"repo": "talhelper",
"rev": "20a0897f98cd0650df1d3b89b08a00bd0aff35e9",
"rev": "66d4ea8a347ef1e12fef466bbaf33a287ab5810d",
"type": "github"
},
"original": {
@ -865,22 +892,78 @@
"type": "github"
}
},
"vscode-server": {
"zig": {
"inputs": {
"flake-utils": "flake-utils_5",
"nixpkgs": "nixpkgs_2"
"flake-compat": [
"ghostty"
],
"flake-utils": "flake-utils",
"nixpkgs": [
"ghostty",
"nixpkgs-stable"
]
},
"locked": {
"lastModified": 1729422940,
"narHash": "sha256-DlvJv33ml5UTKgu4b0HauOfFIoDx6QXtbqUF3vWeRCY=",
"owner": "nix-community",
"repo": "nixos-vscode-server",
"rev": "8b6db451de46ecf9b4ab3d01ef76e59957ff549f",
"lastModified": 1717848532,
"narHash": "sha256-d+xIUvSTreHl8pAmU1fnmkfDTGQYCn2Rb/zOwByxS2M=",
"owner": "mitchellh",
"repo": "zig-overlay",
"rev": "02fc5cc555fc14fda40c42d7c3250efa43812b43",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixos-vscode-server",
"owner": "mitchellh",
"repo": "zig-overlay",
"type": "github"
}
},
"zig-overlay": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": "flake-utils_3",
"nixpkgs": [
"ghostty",
"zls",
"nixpkgs"
]
},
"locked": {
"lastModified": 1718539737,
"narHash": "sha256-hvQ900gSqzGnJWMRQwv65TixciIbC44iX0Nh5ENRwCU=",
"owner": "mitchellh",
"repo": "zig-overlay",
"rev": "6eb42ce6f85d247b1aecf854c45d80902821d0ad",
"type": "github"
},
"original": {
"owner": "mitchellh",
"repo": "zig-overlay",
"type": "github"
}
},
"zls": {
"inputs": {
"flake-utils": "flake-utils_2",
"gitignore": "gitignore",
"langref": "langref",
"nixpkgs": [
"ghostty",
"nixpkgs-stable"
],
"zig-overlay": "zig-overlay"
},
"locked": {
"lastModified": 1718930611,
"narHash": "sha256-FtfVhs6XHNfSQRQorrrz03nD0LCNp2FCnGllRntHBts=",
"owner": "zigtools",
"repo": "zls",
"rev": "0b9746b60c2020ab948f6556f1c729858b82a0f0",
"type": "github"
},
"original": {
"owner": "zigtools",
"ref": "master",
"repo": "zls",
"type": "github"
}
}

77
flake.nix
View file

@ -66,12 +66,12 @@
};
# talhelper - A tool to help creating Talos kubernetes cluster
# https://github.com/budimanjojo/talhelper
talhelper = {
url = "github:budimanjojo/talhelper";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
# NixVirt for qemu & libvirt
# https://github.com/AshleyYakeley/NixVirt
nixvirt-git = {
@ -79,25 +79,14 @@
inputs.nixpkgs.follows = "nixpkgs";
};
vscode-server.url = "github:nix-community/nixos-vscode-server";
# krewfile - Declarative krew plugin management
krewfile = {
# url = "github:brumhard/krewfile";
url = "github:ajgon/krewfile?ref=feat/indexes";
inputs.nixpkgs.follows = "nixpkgs";
};
# nix-minecraft - Minecraft server management
# https://github.com/infinidoge/nix-minecraft
nix-minecraft = {
url = "github:Infinidoge/nix-minecraft";
inputs.nixpkgs.follows = "nixpkgs-unstable";
# ghostty - 👻
ghostty = {
url = "git+ssh://git@github.com/ghostty-org/ghostty";
};
};
outputs =
{ self, nixpkgs, sops-nix, home-manager, nix-vscode-extensions, impermanence, disko, talhelper, lix-module, vscode-server, krewfile, ... } @ inputs:
{ self, nixpkgs, sops-nix, home-manager, nix-vscode-extensions, impermanence, disko, talhelper, lix-module, ghostty, ... } @ inputs:
let
forAllSystems = nixpkgs.lib.genAttrs [
"aarch64-linux"
@ -167,6 +156,41 @@
};
in
{
"durincore" = mkNixosConfig {
# T470 Thinkpad Intel i7-6600U
# Nix dev laptop
hostname = "durincore";
system = "x86_64-linux";
hardwareModules = [
./nixos/profiles/hw-thinkpad-t470.nix
inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t470s
];
profileModules = [
./nixos/profiles/role-workstation.nix
./nixos/profiles/role-dev.nix
{ home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
];
};
"legiondary" = mkNixosConfig {
# Legion 15arh05h AMD/Nvidia Ryzen 7 4800H
# Nix dev/gaming laptop
hostname = "legiondary";
system = "x86_64-linux";
hardwareModules = [
inputs.nixos-hardware.nixosModules.lenovo-legion-15arh05h
./nixos/profiles/hw-legion-15arh05h.nix
disko.nixosModules.disko
(import ./nixos/profiles/disko-nixos.nix { disks = [ "/dev/nvme0n1" ]; })
];
profileModules = [
./nixos/profiles/role-dev.nix
./nixos/profiles/role-gaming.nix
./nixos/profiles/role-workstation.nix
{ home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
];
};
"telchar" = mkNixosConfig {
# Framework 16 Ryzen 7 7840HS - Radeon 780M Graphics
# Nix dev laptop
@ -176,7 +200,7 @@
inputs.nixos-hardware.nixosModules.framework-16-7040-amd
./nixos/profiles/hw-framework-16-7840hs.nix
disko.nixosModules.disko
(import ./nixos/profiles/disko-telchar.nix)
(import ./nixos/profiles/disko-nixos.nix { disks = [ "/dev/nvme0n1" ]; })
lix-module.nixosModules.default
];
profileModules = [
@ -227,25 +251,6 @@
./nixos/profiles/hw-supermicro.nix
];
profileModules = [
vscode-server.nixosModules.default
./nixos/profiles/role-dev.nix
./nixos/profiles/role-server.nix
{ home-manager.users.jahanson = ./nixos/home/jahanson/server.nix; }
];
};
"shadowfax" = mkNixosConfig {
# Pro WS WRX80E-SAGE SE WIFI - AMD Ryzen Threadripper PRO 3955WX 16-Cores
# Workloads server
hostname = "shadowfax";
system = "x86_64-linux";
hardwareModules = [
lix-module.nixosModules.default
./nixos/profiles/hw-threadripperpro.nix
];
profileModules = [
vscode-server.nixosModules.default
./nixos/profiles/role-dev.nix
./nixos/profiles/role-server.nix
{ home-manager.users.jahanson = ./nixos/home/jahanson/server.nix; }
];

11
nixos/home/jahanson/global.nix
View file

@ -1,4 +1,4 @@
{ pkgs, config, inputs, ... }:
{ pkgs, config, ... }:
with config;
{
imports = [
@ -21,7 +21,6 @@ with config;
};
home = {
# Install these packages for my user
packages = with pkgs; [
# misc
@ -69,14 +68,9 @@ with config;
# system tools
sysstat
lm_sensors # for `sensors` command
ethtool # modify network interface settings or firmware
ethtool
pciutils # lspci
usbutils # lsusb
lshw # lshw
# filesystem tools
gptfdisk # sgdisk
# system call monitoring
strace # system call monitoring
@ -93,7 +87,6 @@ with config;
# nix tools
nvd
];
};
};

78
nixos/home/jahanson/workstation.nix
View file

@ -1,79 +1,57 @@
{
pkgs,
inputs,
...
}:
let
coderMainline = pkgs.coder.override { channel = "mainline"; };
in
{ pkgs, config, ... }:
with config;
{
imports = [
./global.nix
inputs.krewfile.homeManagerModules.krewfile
];
config = {
# Krewfile management
programs.krewfile = {
enable = true;
krewPackage = pkgs.krew;
indexes = {
"netshoot" = "https://github.com/nilic/kubectl-netshoot.git";
};
plugins = [
"netshoot/netshoot"
"resource-capacity"
"rook-ceph"
];
};
myHome = {
programs.firefox.enable = true;
programs.thunderbird.enable = true;
shell = {
wezterm.enable = true;
myHome = {
programs.firefox.enable = true;
programs.thunderbird.enable = true;
shell = {
wezterm.enable = true;
git = {
enable = true;
username = "Joseph Hanson";
email = "joe@veri.dev";
signingKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIDSAmssproxG+KsVn2DfuteBAemHrmmAFzCtldpKl4J";
};
git = {
enable = true;
username = "Joseph Hanson";
email = "joe@veri.dev";
signingKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIDSAmssproxG+KsVn2DfuteBAemHrmmAFzCtldpKl4J";
};
};
};
home = {
# Install these packages for my user
packages = with pkgs; [
# apps
home = {
# Install these packages for my user
packages = with pkgs;
[
#apps
discord
flameshot
jetbrains.datagrip
obsidian
parsec-bin
solaar # open source manager for logitech unifying receivers
solaar
talosctl
termius
unstable.bruno
# unstable.fractal
unstable.fractal
unstable.httpie
unstable.jetbrains.datagrip
unstable.jetbrains.rust-rover
unstable.seabird
unstable.talosctl # overlay override
unstable.mods
unstable.peazip
unstable.telegram-desktop
unstable.tidal-hifi
# unstable.vesktop # gpu issues. Using the flatpak version solves this issue.
vlc
yt-dlp
# cli
brightnessctl
# dev utils
kubectl
minio-client # S3 management
pre-commit # Pre-commit tasks for git
shellcheck # shell script linting
unstable.act # run GitHub actions locally
unstable.kubebuilder # k8s controller development
unstable.nodePackages_latest.prettier # code formatter
coderMainline # VSCode in the browser -- has overlay
unstable.tailspin # logfile highlighter
];
};
};
}

5
nixos/home/modules/programs/de/gnome/default.nix
View file

@ -26,7 +26,7 @@ with lib.hm.gvariant; {
"org/gnome/shell" = {
disabled-extensions = [ "apps-menu@gnome-shell-extensions.gcampax.github.com" "light-style@gnome-shell-extensions.gcampax.github.com" "places-menu@gnome-shell-extensions.gcampax.github.com" "drive-menu@gnome-shell-extensions.gcampax.github.com" "window-list@gnome-shell-extensions.gcampax.github.com" "workspace-indicator@gnome-shell-extensions.gcampax.github.com" ];
enabled-extensions = [ "appindicatorsupport@rgcjonas.gmail.com" "caffeine@patapon.info" "dash-to-dock@micxgx.gmail.com" "gsconnect@andyholmes.github.io" "Vitals@CoreCoding.com" "sp-tray@sp-tray.esenliyim.github.com" ];
favorite-apps = [ "com.mitchellh.ghostty.desktop" "vivaldi-stable.desktop" "obsidian.desktop" "code.desktop" "vesktop.desktop" ];
favorite-apps = [ "com.mitchellh.ghostty.desktop" "vivaldi-stable.desktop" "obsidian.desktop" "code.desktop" "discord.desktop" ];
};
"org/gnome/nautilus/preferences" = {
default-folder-viewer = "list-view";
@ -44,9 +44,6 @@ with lib.hm.gvariant; {
clock-format = "12h";
show-battery-percentage = true;
};
"org/gnome/settings-daemon/plugins/power" = {
ambient-enabled = false;
};
};
};
}

25
nixos/home/modules/shell/fish/default.nix
View file

@ -21,22 +21,12 @@ in
lt = "${pkgs.lsd}/bin/lsd --tree";
lla = "${pkgs.lsd}/bin/lsd -la";
tm = "tmux attach -t (basename $PWD) || tmux new -s (basename $PWD)";
lsusb = "cyme --headings --tree --hide-buses";
x = "exit";
};
shellAbbrs = {
nrs = "sudo nixos-rebuild switch --flake .";
nvdiff = "nvd diff /run/current-system result";
# rook & ceph versions.
rcv =
''
kubectl \
-n rook-ceph \
get deployments \
-l rook_cluster=rook-ceph \
-o jsonpath='{range .items[*]}{.metadata.name}{" \treq/upd/avl: "}{.spec.replicas}{"/"}{.status.updatedReplicas}{"/"}{.status.readyReplicas}{" \trook-version="}{.metadata.labels.rook-version}{" \tceph-version="}{.metadata.labels.ceph-version}{"\n"}{end}'
'';
};
interactiveShellInit = ''
@ -57,12 +47,10 @@ in
end
end
# Krew
set -q KREW_ROOT; and set -gx PATH $PATH $KREW_ROOT/.krew/bin; or set -gx PATH $PATH $HOME/.krew/bin
# Paths are in reverse priority order
update_path /opt/homebrew/opt/postgresql@16/bin
update_path /opt/homebrew/bin
update_path ${homeDirectory}/.krew/bin
update_path /nix/var/nix/profiles/default/bin
update_path /run/current-system/sw/bin
update_path /etc/profiles/per-user/${username}/bin
@ -73,12 +61,6 @@ in
update_path ${homeDirectory}/.local/bin
set -gx EDITOR "vim"
if test (hostname) = "telchar"
set -gx VISUAL "code"
end
set -gx SSH_ASKPASS_REQUIRE "prefer" # This is for git to use the ssh-askpass
set -gx ATUIN_SYNC_ADDRESS "https://sh.hsn.dev"
# One Password cli
@ -90,11 +72,6 @@ in
set -gx LSCOLORS "Gxfxcxdxbxegedabagacad"
set -gx LS_COLORS 'di=01;34:ln=01;36:pi=33:so=01;35:bd=01;33:cd=33:or=31:ex=01;32:*.7z=01;31:*.bz2=01;31:*.gz=01;31:*.lz=01;31:*.lzma=01;31:*.lzo=01;31:*.rar=01;31:*.tar=01;31:*.tbz=01;31:*.tgz=01;31:*.xz=01;31:*.zip=01;31:*.zst=01;31:*.zstd=01;31:*.bmp=01;35:*.tiff=01;35:*.tif=01;35:*.TIFF=01;35:*.gif=01;35:*.jpeg=01;35:*.jpg=01;35:*.png=01;35:*.webp=01;35:*.pot=01;35:*.pcb=01;35:*.gbr=01;35:*.scm=01;35:*.xcf=01;35:*.spl=01;35:*.stl=01;35:*.dwg=01;35:*.ply=01;35:*.apk=01;31:*.deb=01;31:*.rpm=01;31:*.jad=01;31:*.jar=01;31:*.crx=01;31:*.xpi=01;31:*.avi=01;35:*.divx=01;35:*.m2v=01;35:*.m4v=01;35:*.mkv=01;35:*.MOV=01;35:*.mov=01;35:*.mp4=01;35:*.mpeg=01;35:*.mpg=01;35:*.sample=01;35:*.wmv=01;35:*.3g2=01;35:*.3gp=01;35:*.gp3=01;35:*.webm=01;35:*.flv=01;35:*.ogv=01;35:*.f4v=01;35:*.3ga=01;35:*.aac=01;35:*.m4a=01;35:*.mp3=01;35:*.mp4a=01;35:*.oga=01;35:*.ogg=01;35:*.opus=01;35:*.s3m=01;35:*.sid=01;35:*.wma=01;35:*.flac=01;35:*.alac=01;35:*.mid=01;35:*.midi=01;35:*.pcm=01;35:*.wav=01;35:*.ass=01;33:*.srt=01;33:*.ssa=01;33:*.sub=01;33:*.git=01;33:*.ass=01;33:*README=33:*README.rst=33:*README.md=33:*LICENSE=33:*COPYING=33:*INSTALL=33:*COPYRIGHT=33:*AUTHORS=33:*HISTORY=33:*CONTRIBUTOS=33:*PATENTS=33:*VERSION=33:*NOTICE=33:*CHANGES=33:*CHANGELOG=33:*log=33:*.txt=33:*.md=33:*.markdown=33:*.nfo=33:*.org=33:*.pod=33:*.rst=33:*.tex=33:*.texttile=33:*.bib=35:*.json=35:*.jsonl=35:*.jsonnet=35:*.libsonnet=35:*.rss=35:*.xml=35:*.fxml=35:*.toml=35:*.yaml=35:*.yml=35:*.dtd=35:*.cbr=35:*.cbz=35:*.chm=35:*.pdf=35:*.PDF=35:*.epub=35:*.awk=35:*.bash=35:*.bat=35:*.BAT=35:*.sed=35:*.sh=35:*.zsh=35:*.vim=35:*.py=35:*.ipynb=35:*.rb=35:*.gemspec=35:*.pl=35:*.PL=35:*.t=35:*.msql=35:*.mysql=35:*.pgsql=35:*.sql=35:*.r=35:*.R=35:*.cljw=35:*.scala=35:*.sc=35:*.dart=35:*.asm=35:*.cl=35:*.lisp=35:*.rkt=35:*.el=35:*.elc=35:*.eln=35:*.lua=35:*.c=35:*.C=35:*.h=35:*.H=35:*.tcc=35:*.c++=35:*.h++=35:*.hpp=35:*.hxx=35:*ii.=35:*.m=35:*.M=35:*.cc=35:*.cs=35:*.cp=35:*.cpp=35:*.cxx=35:*.go=35:*.f=35:*.F=35:*.nim=35:*.nimble=35:*.s=35:*.S=35:*.rs=35:*.scpt=35:*.swift=35:*.vala=35:*.vapi=35:*.hs=35:*.lhs=35:*.zig=35:*.v=35:*.pyc=35:*.tf=35:*.tfstate=35:*.tfvars=35:*.css=35:*.less=35:*.sass=35:*.scss=35:*.htm=35:*.html=35:*.jhtm=35:*.mht=35:*.eml=35:*.coffee=35:*.java=35:*.js=35:*.mjs=35:*.jsm=35:*.jsp=35:*.rasi=35:*.php=35:*.twig=35:*.vb=35:*.vba=35:*.vbs=35:*.Dockerfile=35:*.dockerignore=35:*.Makefile=35:*.MANIFEST=35:*.am=35:*.in=35:*.hin=35:*.scan=35:*.m4=35:*.old=35:*.out=35:*.SKIP=35:*.diff=35:*.patch=35:*.tmpl=35:*.j2=35:*PKGBUILD=35:*config=35:*.conf=35:*.service=31:*.@.service=31:*.socket=31:*.swap=31:*.device=31:*.mount=31:*.automount=31:*.target=31:*.path=31:*.timer=31:*.snapshot=31:*.allow=31:*.swp=31:*.swo=31:*.tmp=31:*.pid=31:*.state=31:*.lock=31:*.lockfile=31:*.pacnew=31:*.un=31:*.orig=31:'
atuin init fish | source
# Ghostty shell integration for Bash. This must be at the top of your fish!!!
if set -q GHOSTTY_RESOURCES_DIR
source "$GHOSTTY_RESOURCES_DIR/shell-integration/fish/vendor_conf.d/ghostty-shell-integration.fish"
end
'';
};

0
.archive/hosts/durincore/default.nix → nixos/hosts/durincore/default.nix
View file

16
nixos/hosts/gandalf/config/disks.nix
View file

@ -1,16 +0,0 @@
[
"/dev/disk/by-id/ata-Seagate_IronWolfPro_ZA240NX10001-2ZH100_7TF002RA"
"/dev/disk/by-id/nvme-Samsung_SSD_960_EVO_250GB_S3ESNX0K308438J"
"/dev/disk/by-id/scsi-350000c0f02f0830c"
"/dev/disk/by-id/scsi-350000c0f01e7d190"
"/dev/disk/by-id/scsi-350000c0f01ea443c"
"/dev/disk/by-id/scsi-350000c0f01f8230c"
"/dev/disk/by-id/scsi-35000c500586e5057"
"/dev/disk/by-id/scsi-35000c500624a0ddb"
"/dev/disk/by-id/scsi-35000c500624a1a8b"
"/dev/disk/by-id/scsi-35000cca046135ad8"
"/dev/disk/by-id/scsi-35000cca04613722c"
"/dev/disk/by-id/scsi-35000cca0461810f8"
"/dev/disk/by-id/scsi-35000cca04618b930"
"/dev/disk/by-id/scsi-35000cca04618cec4"
]

49
nixos/hosts/gandalf/config/incus-preseed.nix
View file

@ -1,49 +0,0 @@
{ ... }:
{
config = {
"core.https_address" = "10.1.1.15:8445"; # Need quotes around key
};
networks = [
{
config = {
"ipv4.address" = "auto"; # Need quotes around key
"ipv6.address" = "auto"; # Need quotes around key
};
description = "";
name = "incusbr0";
type = "";
project = "default";
}
];
storage_pools = [
{
config = {
source = "eru/incus";
};
description = "";
name = "default";
driver = "zfs";
}
];
profiles = [
{
config = { };
description = "";
devices = {
eth0 = {
name = "eth0";
network = "incusbr0";
type = "nic";
};
root = {
path = "/";
pool = "default";
type = "disk";
};
};
name = "default";
}
];
projects = [ ];
cluster = null;
}

164
nixos/hosts/gandalf/default.nix
View file

@ -1,60 +1,33 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
inputs,
...
}:
{ config, lib, modulesPath, inputs, ... }:
let
sanoidConfig = import ./config/sanoid.nix { };
disks = import ./config/disks.nix;
smartdDevices = map (device: { inherit device; }) disks;
in
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
inputs.disko.nixosModules.disko
(import ../../profiles/disko-nixos.nix { disks = [ "/dev/sda" ]; })
];
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
inputs.disko.nixosModules.disko
(import ../../profiles/disko-nixos.nix { disks = [ "/dev/sda" ]; })
];
boot = {
initrd = {
availableKernelModules = [
"ehci_pci"
"ahci"
"mpt3sas"
"isci"
"usbhid"
"usb_storage"
"sd_mod"
];
availableKernelModules = [ "ehci_pci" "ahci" "mpt3sas" "isci" "usbhid" "usb_storage" "sd_mod" ];
kernelModules = [ "nfs" ];
supportedFilesystems = [ "nfs" ];
};
kernelModules = [
"kvm-intel"
"vfio"
"vfio_iommu_type1"
"vfio_pci"
"vfio_virqfd"
];
kernelModules = [ "kvm-intel" "vfio" "vfio_iommu_type1" "vfio_pci" "vfio_virqfd" ];
extraModulePackages = [ ];
kernelParams = [
"iommu=pt"
"intel_iommu=on"
"zfs.zfs_arc_max=107374182400"
]; # 100GB
kernelParams = [ "iommu=pt" "intel_iommu=on" "zfs.zfs_arc_max=107374182400" ]; # 100GB
};
swapDevices = [ ];
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAGSFTSVPt43PBpSMSF1dGTzN2JbxztDZUml7g4+PnWe CSI-Driver@talos"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO/W445gX2IINRbE6crIMwgN6Ks8LTzAXR86pS9xp335 root@Sting"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBROTzSefJGJeCNUgNLbE5l4sHHg2fHUO4sCwqvP+zAd root@Gollum"
];
@ -66,85 +39,49 @@ in
networkmanager.enable = true;
# TODO: Add ports specifically.
firewall.enable = false;
nftables.enable = false;
interfaces = {
"enp130s0f0".useDHCP = true;
"eno1".useDHCP = true;
"enp130s0f1".useDHCP = true;
};
# For VMs
bridges = {
"br0" = {
interfaces = [ "enp130s0f1" ];
};
};
};
swapDevices = [ ];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# VSCode Compatibility Settings
programs.nix-ld.enable = true;
services.vscode-server = {
enable = true;
};
# Home Manager
home-manager.users.jahanson = {
# Git settings
# TODO: Move to config module.
programs.git = {
enable = true;
userName = "Joseph Hanson";
userEmail = "joe@veri.dev";
extraConfig = {
core.autocrlf = "input";
init.defaultBranch = "main";
pull.rebase = true;
rebase.autoStash = true;
};
};
};
# sops
sops = {
secrets = {
"lego/dnsimple/token" = {
mode = "0444";
sopsFile = ./secrets.sops.yaml;
};
"borg/repository/passphrase" = {
sopsFile = ./secrets.sops.yaml;
};
"syncthing/publicCert" = {
sopsFile = ./secrets.sops.yaml;
owner = "jahanson";
mode = "400";
restartUnits = [ "syncthing.service" ];
};
"syncthing/privateKey" = {
sopsFile = ./secrets.sops.yaml;
owner = "jahanson";
mode = "400";
restartUnits = [ "syncthing.service" ];
};
};
};
# no de
services = {
# Smart daemon for monitoring disk health.
smartd = {
devices = smartdDevices;
# Short test every day at 2:00 AM and long test every Sunday at 4:00 AM.
defaults.monitored = "-a -o on -s (S/../.././02|L/../../7/04)";
xserver = {
enable = false;
displayManager.gdm.enable = false;
desktopManager.gnome.enable = false;
};
# ZFS Exporter
prometheus.exporters.zfs.enable = true;
};
# System settings and services.
mySystem = {
purpose = "Production";
system = {
motd.networkInterfaces = [
"enp130s0f0"
"eno1"
];
# Incus
incus = {
enable = true;
preseed = import ./config/incus-preseed.nix { };
webuiport = 8445;
};
motd.networkInterfaces = [ "enp130s0f0" "enp130s0f1" ];
# ZFS
zfs.enable = true;
zfs.mountPoolsAtBoot = [ "eru" ];
@ -162,33 +99,34 @@ in
local.noWarning = true;
remote.noWarning = true;
};
# Borg
borgbackup = {
enable = true;
paths = [ "/eru/containers/volumes/unifi/" ];
exclude = [ ];
repo = "ssh://t3zvn0dd@t3zvn0dd.repo.borgbase.com/./repo";
repoKeyPath = config.sops.secrets."borg/repository/passphrase".path;
};
};
services = {
libvirt-qemu.enable = true;
podman.enable = true;
# Syncthing
syncthing = {
enable = true;
user = "jahanson";
publicCertPath = config.sops.secrets."syncthing/publicCert".path;
privateKeyPath = config.sops.secrets."syncthing/privateKey".path;
};
# Scrutiny
scrutiny = {
enable = true;
devices = disks;
extraCapabilities = [ "SYS_RAWIO" ];
containerVolumeLocation = "/eru/containers/volumes/scrutiny";
port = 8585;
};
libvirt-qemu.enable = true;
# Sanoid
sanoid = {
enable = true;
inherit (sanoidConfig.outputs) templates datasets;
};
# Unifi & Lego-Auto
unifi.enable = true;
lego-auto = {
enable = true;
dnsimpleTokenPath = "${config.sops.secrets."lego/dnsimple/token".path}";
domains = "gandalf.jahanson.tech";
email = "joe@veri.dev";
provider = "dnsimple";
};
};
};
}

94
nixos/hosts/gandalf/secrets.sops.yaml
View file

@ -1,12 +1,9 @@
lego:
dnsimple:
token: ENC[AES256_GCM,data:wyj88D4qPqnxovjRKS3jg2H6OwznNfhmVyMO9MV7e66mOjUw/vbqkstEqg==,iv:f+1PN+pKpu8bm8eAQ7sFb+ZpMe8fmImukUir41XdKtM=,tag:FRpEAWf0fA8LOoTrJiEwRQ==,type:str]
token: ENC[AES256_GCM,data:CfRFhGE8AyZfO9RzoXXTfm8kstvx+Fuy53o9ulYNZiufzzSQ4KzwYIoCRw==,iv:HEC8hRpmk7YDI7RHj29ZAeFKyPgsWTHw1sxjdZuhcrw=,tag:7RhEhZ9GkyBE9PJRe+gD+Q==,type:str]
borg:
repository:
passphrase: ENC[AES256_GCM,data:33OMM880zGxJPTtqsNmbCMCCABE=,iv:8tvOqpKzbyx9sOmHLA+8v05vhLXjhRRuHpGHxGVo++s=,tag:MvsLDcVyX6rPr5lwDOvBqw==,type:str]
syncthing:
publicCert: ENC[AES256_GCM,data:jfQge0lfiZrdc+Kfv1hijHh0suGhQSfOou0cD7GcP+t0EigvRmi1JPyUm4l78x5d64oTfQoeO4Iq0Y+PL0tf/SGHU/7tMwo8456FrLSZwl5r+1iGoqRXu+VaEfEm02YXtwcRCZVOMKiwlZC4xMhUZ3CUZ9ohipluNarieivOEFzrNaFbbUeJITALsvYpBPsoIvxOePASrxYwUAjAtGPUVePuL9xfCdUZA2MMDr3alxpuNlz3wOk36qX+OS0Rc0nM9MfACRWxFsKTA8AxlCYouWjCke3kVeqcEh0rVWSEx2zqIOC9N4Ms1Q1zVqcS4hWi1LLe5BN0pK7LHdjEbuni/3Cns1GpBLJc7mwsUwlBQ7RFStAspP99YmIfAlMeztfm7GuacJC2Bddz6PJ/QEMRXli7KRm3Wimb7J2fqOyaECE35xtplvdN8HIhiQ2X6G9aFW+T3h8Hqopihl23HVZFfHe4//c3BGhHUYgzbj/0frLF7s7QySI/j8G242wKyNqpDmiC+9OCPGmpGmTg98h7X+pG4Tl1GH7xpV7jlPqg2kFm3aVGscNdCAMXyWsXoZZIPyiAxTgMauXTFIkgEjEeCB+d8Eml5xOjs4ADUeJLIc4mNOYh1ggPjbSJAAPw7LYqtmaCkazZ3XWRmpMHwcRTpVtQPmo3sLSETY3hgo9T8Z2pVqBbiiH6qVSDdZ5RANvBH2hU7mZrppN9pSVpWxt895iAs01PeTwJlFg3XleqsUcrhncrx9TVGlLn7MP58LbKeUqWpC2LFCKW42O39ajLT8dES3XQ0zjTZhYGLG6CFs6tj9sDIRAX/f0nM0PLF9ctsR3IRYX75kLSl/Wx1UeFxPoIF4/fIKZxkrsd0Pjalp1ToT2EvYL6cq+eyNeF+QIK9CazCO1FfvgLSVy5NKB9KmSj6t6qEByagE9FX2BvAJ9zA36s/inqo84hrmfZz+vf3zJbkEL2Y8xxRtE0Fd2rU0SubmLDxrlmawBUnYQ8skJEKJAA/g8ptYrbdqshtUyZac2m70ZtxO5VZHAGO8tE+jYQsS/UMD4/Iek=,iv:sq21pry1Yz4vZITF29oyFGnvhUwgyDsFwtHrzl059KE=,tag:rOmVsnWpLL87M0d6mfgovw==,type:str]
privateKey: ENC[AES256_GCM,data:QZYlRzV2FPbCDun72PPgxxx4qvqGbuj0iZhvHggm/0sh3JFjtZIBZ7V4TfYYjJJykhKP+4Tm8rghnijiAmDSjyuGm0xwr9ENreRe/j7VrMYhcBes3h9PWOWY2jx+kh7U6v3da7/G79ISv5neFtsjvvM7UpGmIb4mwygZ9qO1cRRuC/k3CPehT7uN2kYNCKlfYJcRp/IlmvD0L38BtHsnokK0zCqC3q2nOZWWazfv3Hxck0kbQSV7V3OBmqfd6h7sdN/GQBv4gmgqjUH9DsCHz+3LEEyxIOp340zPKAZFZGg1SpBQREFOyyaYUMgk8iXRqvqIPxHeyruFzkDRZf6URni3klfEbQi/6B7eP8Jzt/BPfsdLYO9QSXyuqSYAj+V5,iv:BvlKA+gltrGHOXggwLsvqI5FCz7X+RwcOOCvdMYf31w=,tag:/SICpca+QkqeEh/dXYUxBw==,type:str]
passphrase: ENC[AES256_GCM,data:lt0Rq269GoBuLNw9fxwuMAmtYjE=,iv:57IFde6EX7myLSCvYXkkbSulr8S7JPYoThWBsPLH0Yw=,tag:NwlpouurYF+2qmw2T3De8A==,type:str]
sops:
kms: []
gcp_kms: []
@ -16,77 +13,68 @@ sops:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4dEJJVHhhTU1XMVp2UmNh
cnEwMTg0ck9oZzR0QndXa2t3UlpVK0M1bzBBCm8zZWpZanJYcHFQeXdKK1BDSk9u
WVcwSGtvS3h0UTZkNG1ZMkZKT3hORkUKLS0tIFh6S1UzWXE3a085bE5NMjl6Zzgx
MDZrbzBNdUNvcnppZS9wMmczVU5uQnMKpYJmsY/Ul7cpUc+ueSt3FkShvR1KqYHW
q6bhaoby5Wz3XxLZl0ONBqovabkDwNiP6Er0rGiv0tK6TIaQE/NaUw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUZVhNdGh2c3dpYWU2TDNJ
M2Vyb29jQ2xHMXBKVk10dkhWVUFmVkpmV2tnCjF5ZnBBcGtkZjFYbU0zQXNNRCti
QzVKOGR2OUQvRXVvOXZlb1I0V00rcWsKLS0tIElHeHhkSmt5UkZhTjk1dkFSbUp0
M1BiUzZkU0pDbHVQNC9yQ3pzSU5INm8KcRB4uY0PHnDfc4bJZwqkK/S7FbEXuxEu
ot9oVR4sZBs7Uhi5Ixz7Kmk9dBJ+E9dWPxDeYhYo3V0Tq77h1vVOyg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpTnVFSW8rSUFVN0txbTJz
aXFUdXBnSW1GZkRBcFNFZlBWLzFEa2NhTlJJCldEYUlHcHM2a28za2I0N3JORTZm
S2Foa0MyQng4TlNpaE53VHpLVGlNZFEKLS0tIHRNSWovZHJlaDhGY0xKd3pRQm5y
aExPbjRPVi9kZ2s4bFlxdFhtK3l5bGcK+qEq++r5B48TwAOxyRFWm68MRa91rnZx
levAEpFZYIMxfzxk++i26omu6r1jvXsiwtm2YvdoGhmNUqLU2UDWZA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNalVRWXVGN0hqZDdYUDVZ
TVRwVHJsTEJoTVIzenFuY0dnTWs1bnRHZnhzCnNPTnJ1Uk92aVRaMlA4VTRYbXNh
MW5ycEUzUVk0RW1Iby9kWjQ1cTVXWDgKLS0tIDdVaTcvNm9Ca2hTMzBlSGZVUnZN
a2U1ZjIwRWx1bWp6TktablBqMUduUmMKCFT9vPMu/fob5SQG1004925OB1KNhsUm
obph/984DUTQxk6IvnJ7fPrnFwL5yY1azdybjPlwGw6o5SmwKpxWBQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqZzlkQmFiM2puUHVNUFIr
L0E0VGpxck56d2NsemFrNEFWNmZ2MXlTV0Y0CkppUmxYRlVkVUZiWEJoVG55cXAv
N0dRY1d1c2srTk0xU3AxSDNqQTZkdFEKLS0tIFpnZ09jellUWk1YZnh0akNsTysx
ZnBCMVNqdGRvUm4xOVVRbTF0VzY1eEkKJhjFjnVk6Kr0LIUdyRPI3nPRXbPHHW/Q
0NVqBn7s+NbS6pzSCPu5+T/ibo2HofQZQ0hFFUeCN/EO5xNCaueNFA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2RjUvSFJqNGxieVZiVE9q
NjB4RHcraXk5TnJtN1RSNXZSMlEwbjgxaUZVCjRxUGUwTjBFSU9nTHpRbWpmVkRQ
cllyei9URXYyRGgrTGdjWXRSZmpRYnMKLS0tIHNQOXpkZnI5b200d0JiSVI2N1BU
MS9MRW5ocGRMWXdBL0E5N00zbGZzVFEKxeMB0/opzFTnlSBK1vEsLqQ0qIDhOuw5
S+g8eYTVXSIs/3TMUnOJxDezAG2l00vyWryPw2sGOnqgZCnF9VB/mw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArandyVGlHU0NacDdmTDdQ
ZVg5ei9hYW45VU02RkhkTmlNeHdCODgxQ1h3CmpBdnhvdlBwWUkxVVNqcHgvNDc5
bkFydkRGOXE2a2lyTU9rZ2l2U0NjV2cKLS0tIDhyUm5EUlZxcHFRemlpaHFYRjV0
ODN2Y1Y5a2tWOU1PTElLa3NPeTVCb3cKqPj5QB/K9uB4RN+KRsK8UGS4WxECJn/q
HCVEo/5YFnoEtE0X7xvyBEKgrAokzVsnuHtNqP0i6ka2XIt0yi2xOw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbzJDWHhIT2tSekxpWmFR
cVFocEl6N0VWM2FYVC9FeE9zeG0wYUhnazJRCllsdlFVZXR0YTA2T2h0ZUVienpQ
MmhJVTkwd1Q4VjNVaWxkL0lVTEVLemsKLS0tIHVqMHhQaW55MHBsVmc5TjJjT1Jy
RXdOeXk0NFJuL1ZKTUt3dXdkdlpLenMKmlQ0k9CmSWQ7MqueMbmd/TqYyQiDFZ0G
FPtUIFWxxPY79vsEHq3kxyz4CGMUv7tYx00OK6niLgLZUStd/3Bxmw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
- recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMbWxBNFpyajNETjM2VUhr
TTdmc2pwb1RVNHlNVGNYaUFMelFOQVUwMlFnClBQRldoMXY4dm9nY2Ntd0pRNUZu
NEhYeVp4YUthMU1MUmZvSjh3ZjVTajQKLS0tIDNKSHNQcWJYNkVvWmFXV2pSNVBP
cHVzY09RZ1ZuSkNWWisxeDQ5V2Z5VW8KybOLJvSkkV5XiH431SBY8k5aSE9QdZ5r
UghLUUTB1OFvycYNyxhyIgetX9ycu54PXitEiTBGWphPiAnXyBG3dQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxVGRacTlCMjBRaURxMDNt
SXBnZXl6M1l3ZmVZUlVDZEV4U2dJSjREcGpnCkF3L1hhOEFYcnp5Y3VLSEsyTWZE
NFpTNno3VStINnlXdW9wcXd3bW81UGsKLS0tIGR3b3lQa3VIQmZ1bXREQnphQ1lL
KzdCbXNTc054eEJBeklmM0xPVGQ4bmcKgZtxtepmmn/M4HylEsQ0FB/OXlgnyrU8
6Yy2ua5/UN+YfFJ2FNoYyxd7OYLDeHsvQQODXJuL7VEGBaF+3ttMHg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWTk5S2VkQmNnNjIwQ05y
TkR2MjdnY1pGMVZpT2dadE5icjIvRWtnT2pVClRCcTVHa3BaMGRDWTgzNE5zQzBq
MWRWWi83b0k3OUo5WXhHTVRZSmovMWMKLS0tIFF4UlNtNVFkd3phTzd6R2FuY0Js
VWpzZTdXSWpiV2tRbnc5VlVWM3FCak0KQGy+ZWdvEh09y9z1Dj3GTVyeAJ5notCH
ujbOfaly8e9E2g4uOxISxyFe39xlOZd6zEInZ5qiKPrZz37ASChBkA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAweHZaZjRoaXRCNEFBYk1V
ZWJ3YjVJVFFmeGhpUnVHYXhxNlhvOEtqVTBrCjRIa3N3UnRYeTU5ajUyM0xjanNN
RjArandlM1ljbEdjcHcvL3Fvd2MweFEKLS0tIDZ2Z0dpN1d3bFc5VlNMbXBmZGNn
blVrd3dubmUwWGd5Rk1PSHBPUlFBZ0UKOh5BQgCUxQxFSU2NxmOGEmO3DZ3TuWid
d1vLm0TotAjshXBSy/yo62ejDUhvoCJ38PNDi6+zpZwCFYhaviQM7g==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrZDNFa0U4MWs0dmVkZXhi
V3JjdXIrTTdkamkzRW1jU0wzNnluQ0lJbmpNCkcxNUNwc3ZxMXJreXBxNUlaR0xN
RmFDZ3RIaVU5aCttS3Q5dWo0QUovVDgKLS0tIEVJQm1xWE80OVRyWUxkMzFXRHBp
RlJTZjgzQ3pDVHRPQ2dFbHBqdzA3N0EKGBFnnJMqUrbaIviqpX4CP4Ps45Lk/Yyn
fpVxSlwjOHNDwQ4ojUjv11FRo9WHUTGACFniUtvYc0oaLNygNgf8+Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4eTdXNlA2bW1OTmpFNktD
cTgrUjY0UzV4NTE5NWFHdHlYa1JaeW1DblZVCkwrelZjaE5vdkFyTkErMGR0Mmt0
RkVPb1RTMjlEc2pRSDZjMWpwVVNhZVEKLS0tIEpaV3Y2enoxMWZyTVZjdlpYTWtH
ZTNZOVhTcTBHSDk2UjhXRE90VCs0R2MKUI6Q/P4v4xLnkqXqMuidlcgccDzf3Ig7
P8aVNYbwtQqjsOwjYcoec4PaQehloW0kt/QSnYQx3znxrYQE1WVVNQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBodERMdDN4cVRiS0tVck5h
N3RySnRtSXJHZEthRWZNcENrNXY4bHNHa0R3Cm1HL0lzWnpocWhXNDV3RFRxL1ZG
dWlCQWtzMEZlRnNML2NrOUVPSVRTcHMKLS0tIEsrbk5VOUZhbDFRRHRuWW56TjE1
V1d0d1lKb3hyYVQ4elBIZ0hnU3FTbnMKiWERjAwlJRPK+PILCBV03uyNVnNgolA8
PS0vbIDVNiX0pIrRlM2sVivZwqajjTB3XROXMmbIKpQxDMjvpHgqJA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-08T01:53:24Z"
mac: ENC[AES256_GCM,data:C05zcIFQC3gMa5AVKGB2uvpT5Bj/Pt2XyWizjPfIa4gcx1TzueQZ0mlZHjJY/9qu5SccbLrJ/eNmajzh39cTmFZ7211l9Zz6N8BMboh8olzIWUYFeGzZtXgmKXBRMVH6RPpbcuawLOeXeD9pCLSek6V9Qdx/OUnlWokj9ZPfvuc=,iv:PGMPSs99J6neXoSF18yWbxjCE0M9dSjqtz1ntxwk0TU=,tag:pZfVKcroeKPAvlfft1YsOA==,type:str]
lastmodified: "2024-07-27T04:50:25Z"
mac: ENC[AES256_GCM,data:IKLC9N4FvfV+eWFoVZa5ijyBdiQuNdXAE4Z/pQNhns+qTuMpuz9QLeQGysow8zCqg9z5WHPa+U10uBIJg0P6Bq2CkBTJ2/75axsQgqc+BPuY4cUfppbYqQaSzB831b3XMHei9m/IPXNoh277jk0E9A0mOzHu4YsBEEzyf5nESn4=,iv:dOIgrQD0eDB1lqTWoDoLXnDZTWJLf5m9a948Wabfc6I=,tag:MWoIe5UpTqZCDDJMcg0swA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1
version: 3.8.1

0
.archive/hosts/legiondary/default.nix → nixos/hosts/legiondary/default.nix
View file

18
nixos/hosts/shadowfax/config/disks.nix
View file

@ -1,18 +0,0 @@
[
"/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNM0W406409E"
"/dev/disk/by-id/nvme-SOLIDIGM_SSDPFKNU020TZ_PHEH314200DT2P0C"
"/dev/disk/by-id/nvme-SOLIDIGM_SSDPFKNU020TZ_PHEH3142017H2P0C"
"/dev/disk/by-id/nvme-SOLIDIGM_SSDPFKNU020TZ_PHEH314201AD2P0C"
"/dev/disk/by-id/nvme-SOLIDIGM_SSDPFKNU020TZ_PHEH314201E72P0C"
"/dev/nvme0" # These are required to fix a smartctl bug I have yet to upgrade to a version that fixes it.
"/dev/nvme1"
"/dev/nvme2"
"/dev/nvme3"
"/dev/disk/by-id/scsi-35000cca23bc8a504"
"/dev/disk/by-id/scsi-35000cca23bd29918"
"/dev/disk/by-id/scsi-35000cca23bd29970"
"/dev/disk/by-id/scsi-35000cca2524cc70c"
"/dev/disk/by-id/scsi-35000cca2524e03f4"
"/dev/disk/by-id/scsi-35000cca2525680dc"
"/dev/disk/by-id/scsi-35000cca25256b484"
]

49
nixos/hosts/shadowfax/config/incus-preseed.nix
View file

@ -1,49 +0,0 @@
{ ... }:
{
config = {
"core.https_address" = "10.1.1.61:8443"; # Need quotes around key
};
networks = [
{
config = {
"ipv4.address" = "auto"; # Need quotes around key
"ipv6.address" = "auto"; # Need quotes around key
};
description = "";
name = "incusbr0";
type = "";
project = "default";
}
];
storage_pools = [
{
config = {
source = "nahar/incus";
};
description = "";
name = "default";
driver = "zfs";
}
];
profiles = [
{
config = { };
description = "";
devices = {
eth0 = {
name = "eth0";
network = "incusbr0";
type = "nic";
};
root = {
path = "/";
pool = "default";
type = "disk";
};
};
name = "default";
}
];
projects = [ ];
cluster = null;
}

17
nixos/hosts/shadowfax/config/sanoid.nix
View file

@ -1,17 +0,0 @@
{ ... }:
{
outputs = {
# ZFS automated snapshots
templates = {
"production" = {
recursive = true;
autoprune = true;
autosnap = true;
hourly = 24;
daily = 7;
monthly = 12;
};
};
datasets = { };
};
}

46
nixos/hosts/shadowfax/config/soft-serve.nix
View file

@ -1,46 +0,0 @@
{ ... }:
{
name = "Soft Serve";
log = {
format = "text";
time_format = "2006-01-02 15:04:05";
};
ssh = {
listen_addr = ":23231";
public_url = "ssh://10.1.1.61:23231";
key_path = "ssh/soft_serve_host_ed25519";
client_key_path = "ssh/soft_serve_client_ed25519";
max_timeout = 0;
idle_timeout = 600;
};
git = {
listen_addr = ":9418";
public_url = "git://10.1.1.61";
max_timeout = 0;
idle_timeout = 3;
max_connections = 32;
};
http = {
listen_addr = ":23232";
tls_key_path = null;
tls_cert_path = null;
public_url = "http://10.1.1.61:23232";
};
stats = {
listen_addr = "10.1.1.61:23233";
};
db = {
driver = "sqlite";
data_source = "soft-serve.db?_pragma=busy_timeout(5000)&_pragma=foreign_keys(1)";
};
lfs = {
enabled = true;
ssh_enabled = false;
};
jobs = {
mirror_pull = "@every 10m";
};
initial_admin_keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcLI5qN69BuoLp8p7nTYKoLdsBNmZB31OerZ63Car1g jahanson@telchar"
];
}

191
nixos/hosts/shadowfax/default.nix
View file

@ -1,191 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, inputs, pkgs, ... }:
let
sanoidConfig = import ./config/sanoid.nix { };
disks = import ./config/disks.nix;
smartdDevices = map (device: { inherit device; }) disks;
in
{
imports =
[
inputs.disko.nixosModules.disko
(import ../../profiles/disko-nixos.nix { disks = [ "/dev/sda|/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNM0W406409E" ]; })
inputs.nix-minecraft.nixosModules.minecraft-servers
];
boot = {
initrd = {
kernelModules = [ "nfs" ];
supportedFilesystems = [ "nfs" ];
};
kernelModules = [ "vfio" "vfio_iommu_type1" "vfio_pci" "vfio_virqfd" ];
extraModulePackages = [ ];
kernelParams = [ "zfs.zfs_arc_max=107374182400" ]; # 100GB
};
swapDevices = [ ];
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAGSFTSVPt43PBpSMSF1dGTzN2JbxztDZUml7g4+PnWe CSI-Driver@talos"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBROTzSefJGJeCNUgNLbE5l4sHHg2fHUO4sCwqvP+zAd root@Gollum"
];
# Network settings
networking = {
hostName = "shadowfax";
hostId = "a885fabe";
useDHCP = false; # needed for bridge
networkmanager.enable = true;
firewall.enable = false;
interfaces = {
"enp36s0f0".useDHCP = true;
"enp36s0f1".useDHCP = true;
};
};
sops = {
secrets = { };
};
# Home Manager
home-manager.users.jahanson = {
# Git settings
# TODO: Move to config module.
programs.git = {
enable = true;
userName = "Joseph Hanson";
userEmail = "joe@veri.dev";
extraConfig = {
core.autocrlf = "input";
init.defaultBranch = "main";
pull.rebase = true;
rebase.autoStash = true;
};
};
};
programs = {
# 1Password cli
_1password.enable = true;
# VSCode Compatibility Settings
nix-ld.enable = true;
};
services = {
# Minecraft
minecraft-servers = {
# Me cc858467-2744-4c22-8514-86568fefd03b
enable = true;
eula = true;
servers.eregion = {
enable = true;
package = pkgs.paper-server;
serverProperties = {
motd = "§6§lEregion§r §7- §6§lMinecraft§r";
};
};
};
# Smart daemon for monitoring disk health.
smartd = {
devices = smartdDevices;
# Short test every day at 2:00 AM and long test every Sunday at 4:00 AM.
defaults.monitored = "-a -o on -s (S/../.././02|L/../../7/04)";
};
# Soft Serve - SSH git server
soft-serve = {
enable = true;
settings = import ./config/soft-serve.nix { };
};
# VSCode Compatibility Settings
vscode-server = {
enable = true;
};
# ZFS Exporter
prometheus.exporters.zfs.enable = true;
};
# sops
sops.secrets = {
"syncthing/publicCert" = {
sopsFile = ./secrets.sops.yaml;
owner = "jahanson";
mode = "400";
restartUnits = [ "syncthing.service" ];
};
"syncthing/privateKey" = {
sopsFile = ./secrets.sops.yaml;
owner = "jahanson";
mode = "400";
restartUnits = [ "syncthing.service" ];
};
};
# System settings and services.
mySystem = {
purpose = "Production";
system = {
motd.networkInterfaces = [ "enp36s0f0" ];
# Incus
incus = {
enable = true;
preseed = import ./config/incus-preseed.nix { };
};
# ZFS
zfs.enable = true;
zfs.mountPoolsAtBoot = [
"nahar"
"moria"
];
# NFS
nfs.enable = true;
resticBackup = {
local.enable = false;
remote.enable = false;
local.noWarning = true;
remote.noWarning = true;
};
};
services = {
podman.enable = true;
libvirt-qemu.enable = true;
# Syncthing
syncthing = {
enable = true;
user = "jahanson";
publicCertPath = config.sops.secrets."syncthing/publicCert".path;
privateKeyPath = config.sops.secrets."syncthing/privateKey".path;
};
# Scrutiny
scrutiny = {
enable = true;
devices = disks;
extraCapabilities = [ "SYS_RAWIO" ];
containerVolumeLocation = "/nahar/containers/volumes/scrutiny";
port = 8585;
};
# Sanoid
sanoid = {
enable = true;
inherit (sanoidConfig.outputs) templates datasets;
};
};
};
}

86
nixos/hosts/shadowfax/secrets.sops.yaml
View file

@ -1,86 +0,0 @@
syncthing:
publicCert: ENC[AES256_GCM,data:oqQZ/QORhJoMUa1Sn4CoE5DKfgfIwRo7DR30MJoRLC8L3mOEDRQyk+P9ELAn3RIe2sa3OKwionJ9G+GM5htZPTaKg2h/wy//M89sdTRhC01vxJm80wScgQ8sC4HC8BpQCM5yt7A9Ln7mMvp+v61ae6xyEOcPpcZH4i31sxQUxuWURJU/KpdTAHKhora40W+DTx4YL7jEN7VMH+GawhJeW1jNZZDcBoQK/9RvB5uu6AFsQCedRwJE0772F16eaNKeXCu0BpNdTaZ7dNSUEeK0mT/0osb6DNVon8gKcYYEYtAyI/SnUOwRC4x+FeZYkAae3WGWzfKGC6ENN6JEHNG7mS81b83i3tyaN84wwmP/1pgQ5BSSEztH9P494SXLBnw3XxD2u5vxuKjf37q+gPnErq7hCEi9aS5HS/10ksgV5zpzg8eL9fNpyLXHqxDdllfvBo/KJlQaDri2OYcrz8SQlB0oCZI7AbjFz+zomFSzhi5S3gcLN/cB1CXDmK8/Ka26dcc6gAot18PqVt1aCHHVnLGvZEGt9Cj+/bool4Yq9fqQlXDyFMbiu0B57KEYshmeJE5w0fmBhenORyuKq2xhiXL4RCuKVoitjY75T4O2+ZzAqYli3gMcRksG6b+gXAYGF3XhJ2m2tBO5STlWzQx9eo8Ksm8+z0mJk7JgdKpov1mLzWZh9vHNkvUIGw15h+3FBu7oTgcvwrOqGDCCcAQSimMKiPuCUi+r2z4FuFobZOSlqAD2eRX9yh/V8s4VmaohrxacgIdscipkMFnQFGGkV3PHhh4yfMzZNHPll5Dk9fUM0BHrFMUccvP0aww60+4pufTUGWxrW5nRlI6jImPuoMh5KVZj5OAPYUcBj10UHjjtFKWN0V19XGVUx5TBR+AAkQzvAWrobSfyTyuk6P0l3Kpyi6DAJoW1Z7t2EQueKxjAd3uKMeCNDIfJOWVju9j3t2iu4BN3eyZTTbeKMwfkDJALHTsmtisRfc47qLxB3jyOHZXdZsC3OBgzRl2NlejgM+P4CVVH/kwT336u6ouuLJFjpsP+iUdBiRE=,iv:1FVhrbnLirFr2bHWZ53vEdnS6rL+HSMdV/XZarMmNAg=,tag:HCdx2II3FqDGy/t36NGiFA==,type:str]
privateKey: ENC[AES256_GCM,data:UNOJu/8lwtOy76y9mURvAQAcCPkAqCr3k4zo0qJw4WoyRiFnHszFrk988LdX9hi1a8d2SYpSbWBdRxAOBOkB0ljycjudgH+xVdOLeJDKZH69zRKkWwdfq6N4vxYhqnUyCuwsRrFvg4cZYeEx9n133QNf3DPYIvovlPEfurQXDt8s3/tDqVeJ1SuJTX2sp8X79KWypCb9T3mar9X67EirV2Tz6uxzeRiWUpekfQbdzcjITiQPZ9silBcu0ZIwgfneBQ9yqAV/Gu01mJph6H6cYqBhK3xO4T8tXsnk66siBjWmqKP+3kVG5pyFDMAhuM0Jz+0VkaKOjYxTaPff1YMsL7/hWQUXcMgM6NyppMbpJBnvqcaMpEbYuEF444pBVktC,iv:H/X4eW+1//f7uyJRiveZRQRJcPGelxHhz1sIlzsMCcM=,tag:n+/dttJpTBeHFK/H40M0oA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIREVLNDdJUVJlbk1OR2o1
RFNJLyttRDZoTmoyenZFU2docVUxRnVtdVcwCkM2VEV5ZCtobWJDZUNVYWlkK1I1
dlJlbzQwKy94dEkrZG9rb1lma3IweGcKLS0tIEZLQjNxT1lobDh2VEJWY3E5cGZE
UzdGT2JpUWtVSzI5VVBXNWVXamlYTEEK5fFvbB55/4Nj3tI2TG3WYhwA1WK3vmfH
Qh5H5GcAYGV37Wlw2mZ/J3SYo9IBG+aNyXO8nE2/pwF7Tbw7GDPQ6A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtM0Q4ekVwWXhYd3krVzJR
anFxQWtaN0I3Qk1qRDE2cFVETGs2T1M0ZHhnCklBL3hmeXh3OWpvYnRzRHJWY2o4
TWpnYklpOG04S2pCVEdmTWtCYXJSUWMKLS0tIEdSUmthcEo4UjV4THAweC96cmNJ
dVV3TW04eEZDNW83T3JCRFVjMmxrZVkK7mU2HJstMD7p9As/s4XyBuYVJAlqCveA
NvC0imDnZ7btrVWKNTV2UB0VgQiM+opgcNHYhqRT1vLpUv/+ZRFDrg==
-----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqWElORElqTkQveHZFV1pk
ZitvWnZLTEJJWVFCTzZTVklQOVNCa0J2ZXhRCktGelNLYS85dmhJdlVjUWxkTWpC
R3cycTd0NEVWN2pLZnoxUXFyeG1tSjgKLS0tIHlIbkc0Yzd3YURqOWVwT0NTQlZR
bzRaVDdDL0NlNUZ3cTV4NU84NXNTeWsKZXNd2pYBG5P48kurR/XyswPGStyzSkqs
2mEjJCwuMZBkBRm9DFzbB/01LxqNnES4U9/6oVri0y4mHl5R7PyTag==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNQ3JHSE1IcWJqYW85cGtr
WXI3TE1SNGZ1R05iRkNKeW0wR2pVNU12dHlFClJseDYxUjFyOFg3Yjdpb1E0aEVj
SExnaTMzK3dDR2NvNEhjTkoyUTI4NlEKLS0tIGsxencxR2dhWWwwaGtFU3VnaU9x
bUNibENVMmQ4NWhOTmlOdmJyTTB3eUUKM5zbfS3IOGgXlAFi+40DAIBZbLiDDyLu
g5CZKtRAw/85WOqOdWl+WJBYegggyZs3029w2QA9WzxymnkGiyl1nA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZb0xEUFc4MmpOM0RaWmZO
Q1MzVkJyRnNFN28zUlQ4TUZ2TktWakFVZVQwCndvdDNzRGJMbE1lMHZaZ1llVzE1
dXZFMngzVVM4UjZWV2ZlOGY5bWJjQjgKLS0tIHBMWFlxd0syRjlEQUFwRS9lN1Ji
K2hUdmZmUHVWa01qVHVUODBlZ3RvY1UK4u0PsdXstr/NVsYGRglQ8IPhElIcJIbk
3G83Dunu+WApUNMhoCFpB0OuxSyc+xDIdEOhqcFGvIoywMmnpWWZ8Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrRFBRWWNSU1l5dE44c0No
QlJvYlh3dEZKVVVmS2RKOUdyaWtGMythUHhjCmsvR0M1eHlVd1l1NXVCWEw1ZnBa
SUNpWDFZWWJlSlVnR0VCNlluSWt0b0UKLS0tIENMa3FFWHpkaTg3YlRXRHpML05j
b1dmeXFkZjViVm5hdldOdTJRRWo2QUkK+eoVhfzSHimufxl0O81wRBJQ8iEVb7w2
rVLONs1qR5xRGCV6OpCtbRqKaNXQgGY/w1CGb/44xdmh7C2C21gs6g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKV1o1cFphUnNhdlM3blh0
dHpKODg1SXNsbVlnRG5zaVFiNllEOGEvWkM4ClFwZDg3a1o2UDYyUUJwdHAxU0JX
MUN6Rk9rR0NKSjNyK0ZrQ1BaTWpTNjAKLS0tIDZkYTUvd3lkZHV6ei9xemUrUWFQ
TkJ6bDhxVVUzckkzNllsTkZLeFlEMkEKFesi49AfQbNLnYGrlvpCXCwvI22J1DL7
QK7lBMlDX3+zlutX6DKygQBT3BckSZWI8upOsK2atjP6d8seDVl3cA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0eld2eEwyRTFyMGhXL2w3
Q1JYSG9VMXVqZE1zak1Ub1dOWVZYaVBNUzM4CmVUNURBcDVWeHhUUVBoRDE4M29B
SzRyUGU5MUVSL0wzRWZLd2RYOGplSmMKLS0tIDNOYWcvL0t0K0tXMWZGQXNybjY5
NDIwV1hIcXoyZWI3dUEyeWtXd3FLcEUK0YBS95TA9luAL1mObUtH6RG4nesYZ7Fc
bB3e2p6Mrp/t1Oa/8p6WQXxu4vf5y0XCNLXeW6I6/3udrTXARaNNPA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-08T01:54:39Z"
mac: ENC[AES256_GCM,data:YD2Uwxq8rt2NPKfh5gxHvXcbcEmzfO2ZaaYjH0RnhHyNnHrf3jcyzEhJphKkzRRpsCJ/F7UV+x8EQdWkVn7eUykY92TkLeZ9I6TwyqupzfycQGrJK3Ma+jbO0qlG5L7NXXSxj4LKtJ9Rf1BdFH4czeWmrM3aMhtgAclZ4sTSCos=,iv:AElkydOvlkkGu/1iLxclH1bqkd1Pj4uQH3gbp6iGDII=,tag:WEfrJm3F0niQn1vKuowALg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1

99
nixos/hosts/telchar/default.nix
View file

@ -1,93 +1,58 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
...
}:
{ config, lib, modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
networking.hostId = "4488bd1a";
networking.hostName = "telchar";
boot = {
initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"thunderbolt"
"usbhid"
"usb_storage"
"sd_mod"
];
initrd.kernelModules = [ "amdgpu" ];
initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usbhid" "usb_storage" "sd_mod" ];
initrd.kernelModules = [ ];
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
};
fileSystems = {
"/" = {
device = "zroot/root";
fsType = "zfs";
};
"/nix" = {
device = "zroot/nix";
fsType = "zfs";
};
"/var" = {
device = "zroot/var";
fsType = "zfs";
};
"/home" = {
device = "zroot/home";
fsType = "zfs";
};
};
swapDevices = [ ];
virtualisation.docker.enable = true;
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# Enable Flatpak support
services.flatpak.enable = true;
## Base config programs.
programs = {
# Enable Wireshark
wireshark.enable = true;
# Enable OpenJDK
java.enable = true;
};
# sops
sops.secrets = {
"syncthing/publicCert" = {
sopsFile = ./secrets.sops.yaml;
owner = "jahanson";
mode = "400";
restartUnits = [ "syncthing.service" ];
};
"syncthing/privateKey" = {
sopsFile = ./secrets.sops.yaml;
owner = "jahanson";
mode = "400";
restartUnits = [ "syncthing.service" ];
};
};
## System settings and services.
# System settings and services.
mySystem = {
purpose = "Development";
services.syncthing = {
enable = true;
user = "jahanson";
publicCertPath = config.sops.secrets."syncthing/publicCert".path;
privateKeyPath = config.sops.secrets."syncthing/privateKey".path;
};
## Desktop Environment
## Gnome
# de.gnome.enable = true;
## KDE
de.kde.enable = true;
## Games
games.steam.enable = true;
## System config
system = {
motd.networkInterfaces = [ "wlp1s0" ];
fingerprint-reader-on-laptop-lid.enable = true;
borg.pika-backup.enable = true;
};
framework_wifi_swap.enable = true;
security._1password.enable = true;
framework_wifi_swap.enable = true;
};
}

86
nixos/hosts/telchar/secrets.sops.yaml
View file

@ -1,86 +0,0 @@
syncthing:
publicCert: ENC[AES256_GCM,data:TQ8H4JsIEoSSrOtC9koG12v64ANVDU579hakO+Q/Uo+0uY/wf52U5g6THIJII7maVOJ31VXKhQABKuiirYjGnG5IaWnNkzCRo+8Pv861lr4d0be3H2NBubkIK814HziuiHa9MP5szi/J5aPQu0nj9srHCPYDzsueh8+bZDYQ2VdgKWKAKAbGwZXRcCyyNGP9u1VjUJCfXx/iQ3RbCrLNDuVbSbfmVH9wJxUUlF0ViqnHkaucQCstaAuvIn78tKpGJeM0njG2PDiVDTDBnhb5Pui/NdK+3+QqwVQHwoQRagGvqEoiL05DY3ydBlClMt2J23kqBN5U0Az15plHwQNLJujWVtkXsh4naIM8Pztwdi3xoioTytdZF/7q4q9rT3YmAK2grgSw0A4SEVvHD5RUH4ZuN/cLb0+h3Papt7xUQcwvr2WStoEujDfuHYPjs13bITnErv0PE8Imis9/ffGwC0EMsgbuDOzS8+m+KT+E8smNJD2APBZh0jq2aeSG4K1y1Q+tVnBMfZ89g8K9JZUcPWWKlGFUbWYRzY4Y1ueGH0pAUIfHLGai16q6SFvXA1+WHCJzEbZDYfDMW465yYV27JMiY4vJw+dAGs2P5o2Pf5/DtVuMW35ZQefBB/mFrJi05/3/CRbBMP73RJXvnjkTjnmUQ2FybkdX0w2zqhyWV5C171kSOcTpkBYaNWn1oM0thG246b80npGmbRjNWH7PWqxQm6kR7USiQOLgvy9rbAULNZ1+ou6He0oKD003Hfkm+OSfQVAMviIE8iS2b6xo0f8umvJ/gVEVHrDsv75KUVQHTHOjickYeYvVky6ZqPDI1z4ya8q1csb/UnLqSNvjT16OdMVQvwCOcjSPTtymj5IdDspkHW9bN856dDvbbRn0FxsEnjFpZMATYVvcLf92eA1k1/ghQKJdOcBrZY4HWUKx33e21i5OyDcLrX9JVTOMpVtKjX2pMygmVxzwj6DV5BWQYTrNByI5iHE8ihy+vOFf36b6bcyu4+3PKIoKnC738b5fSudGtPFL+bhlFPMEO9xlIwzUTA==,iv:9K8PKwTAKF1iZNRDY8ABgK2xKDZ4jh6l1C+ZzH1aexQ=,tag:/fxUf++pQQKWD8SZyw3Lqw==,type:str]
privateKey: ENC[AES256_GCM,data:ul6WGC0iMOpm7RcZjSPATJcu5IMENcvJtPreulDB8vODKfFWKeXlWiy13CZ2fsJxn3Xd/SbXGgtqd6wNQAyU9Rp8qrbFAVCrTppGjbVElbLTdPdpWMU940Rxn4ICc9z4LmKziALFj28O2neRANEzhtThCv724PStXnS2h6mO9bvfDBvmWyD85l0W8hjYHT2g6RaKAMB0BQ+SGb/7YTzpJkU2qdcYdqFaFlxqae1ZO0Ik4UdOBwAGQFgiDM/BzwL5kM0H/r3mMd0vgLBk7AGcQx9yI76SDlFh8CT7jYyJhE0X+wSKwcMdttA8qeCcdkxdEiXgzzFreBJfRq9CUc5+y20mE+cv83bXCIAz12yT0RDMoml1efvrn5A/valqTn8y,iv:VSSVxItFPc7+t5vHoDBRP2mmiFsulThRNZqNy82RYFI=,tag:F6IHAmk4HEINtuYb9Kvbxg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3bGFxTi9OcjUwNlJWRWov
OEFtZTJacmxSSDhEeWdGbTRhMHEyQ0pwVW5nCmsvVU5KSHJ4OTZtWExzUWg0ZnBD
Q3BXSFhMNUZ2YjZiRmRwcWV0R1BnVnMKLS0tIDZKaG9abm5JeVROdzNQcXhhZG41
TDhEVG1yaDhZbWNXVm5HQnFBZld1alUKLjDMyKKMcdh96YjZ3/QPEXecPYlNZMGv
8BCG4xZq+cqlzxpQ/f9/P+g8crw+BQD/H8S5R/UsNZuT3jFoZYTgyg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFODdNVDNtYytjZmhxK1FY
Q2wvT2M1UFRzbVU5c0hDUXhBd0hXWDNoL21zCnI0ak9ESHl5bCtaM21SMDhpMmlM
SUx1SldFeTlVME9iQ09BZnJCRk44OHcKLS0tIDR5dFdDZU9ESVFhTXowZ0NWQnBj
bFZpNHNQaDZ5M1RnK1FhYXVUVDhpMTAKjbJ7BboI37aWHQ3IIiwd4F725w9QSq/5
TYoApR7X5dDhEy43ytuuSUASDN3Zw7xg96e23/JCPfAYzjeL/6MbLA==
-----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXcFZ4YitXNXNJaDd6aENK
OW9Uc0VHS0hhNWUzZXRXbkdUZnRBWTVOWVdnCnlLNmpVRFB0enpUQ1FIbk8rMFhS
a2FHTWZSZTFnbC9vNnFPaWVSK3NFNjAKLS0tIFJDS3N5eFZhQm55QUJQOXV1NER1
cTJvYVdta0JPRFZ1TUc4eDBNS2VEQzgKkLXYLUC3Fd27KKajQwbKVUUfAawhb4g5
/1cKOxSs1eMfCpK0xxZKwsSaAcTfmYlXuRBMO82ol9lMD+/fBNaCfg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYb2diT3NqQ1UyZFM3Mmc3
OWJicDNFVXR5dkNQN3ZVYlVCK29yd3FCMG1jClpPaWdRUWsxK2lrMy9YdGFzWmZ0
VVNaNE9Pb0lhNEpsWUdGckFRaXNOc3cKLS0tIERLajl6Q1BGcmh3TUYyNGtCS0dI
V2ZhNDNJTlBGWU43MFVHMGpzUElZMncK5i95c/lkjjlnpL2dCchkvhnpoQQzb2w/
eGx9DQwj7eLhYh/STrsX39vXEEw6kNuIz/2zVMirzVhv/bQ3xmerTQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2dm1wQkx5MEUySWR3YmVS
ZWZTRkdaeGZPVFpudit6SHpBWE0xODFZd2xRCjlGYmk3L0E3eVpjYW1NSVRoa3lk
OHRFK24rWlJNemVWMHhERlowT3ZUZDQKLS0tIHdKancwR0wrb0hWUDBPS3ZBbnFm
bjhSTTNxZVczK3lNSENQUVgyZUlzR3MK++UAqpak2u+E/OjXnpFQ0UFb5SrEm7KK
TwS0VBa7OfQtC6UHuix4MtsLJYkaEf8vYjjrBHRGlbbgAP+yFPaOPw==
-----END AGE ENCRYPTED FILE-----
- recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAycC82VGhHVFRkeEs1QVl6
RHJ3N3RGZXFTWWNIYVpVVXQ0Z0sxdWdyNkRZCnJ0a1QvOUpvekJpckY4eSs5bFRL
b3ZiVHdpSUlCcjBXMFlzMnJvQUNlNmcKLS0tIHhNUDFzNHZpWE1zQnR3UFdFWkFO
VHBGSENKc3lkMkdZaVdVVHlvcWoyc2MKiatzQlU9D1WSZO/6IwGhyd2zFtnRR3SS
t9kqNFnrCfuAReoP7PsMukNbfeZr0edn2bTByZ32EF2qBFmEJicGHQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIOG9TQkhzK0NUazd4RVE3
Yjh2Y2hJaEdWcVExaWNmNEw1eTZsZHgxdUFZCmhqcHBSblBhd2pSbE8vYVc1NlQ0
ck1BZG9LRHY0aHJqMkFkMFJVUVZwOFkKLS0tIG5Cc0ZVWVBzTXoySm91bSszZXpS
TXA1RjFETXdRRFBQK3g2Tmk2VGdXVGsK3jkU01wrOWktuThyt51G4opyTrS1W1dR
MKWuw2GljMSeGHij5VP+PwmTfaJrl5KpEm5w8ggKIm8KaR3RI/DYWg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhaEtvNUs4T3czQ25ObG5L
Yk9uZzBvSHFFcjJwdTVXckJFNE1NellDb0VJCitBTWFjRlpOdS9wL0crN3V0ZnBk
bTY2R01LYk9zT3ppVHBaNFlMSkZJRU0KLS0tIDAvOE1Ya29OYUF2Rk41c0ZEbzlq
eFZwL0R3R0psRzVRYjlzRlBURGhXOTAKwewHTFEpnXKOGTv544Tl8djUG3uKS7+n
h7FAGpzGF1/i45+JJYikXjaWbJmN/WqZRrx9BAyu2ymeTQKPzCHShg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-07T23:27:17Z"
mac: ENC[AES256_GCM,data:xPofZ+vRCsvPz1WTTjlxR6bbHYDDTP+sX8Rc8lRWzjAnMcsULsmbpeIwjghcnMgm406Umbct87UX1aFu4LioumG3KE1XHzE/s4Ik095m9IBbo2AVLVx0O2Q5UKwDvP7pPnBJBEmjs4xn70bMsOeYRJl+VECQssN18IzjVUwaVmE=,iv:0we672j+kxTHwXO5aUtu9wCIndgqUDnhGWvEGH2sVQA=,tag:Nu8Fa4bc4BWlvNE4m1DXYw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1

14
nixos/hosts/telperion/config/haproxy.nix
View file

@ -27,11 +27,11 @@ frontend k8s_homelab_apiserver
option tcplog
default_backend k8s_homelab_controlplane
frontend k8s_theshire_apiserver
frontend k8s_erebor_apiserver
bind *:6444
mode tcp
option tcplog
default_backend k8s_theshire_controlplane
default_backend k8s_erebor_controlplane
backend k8s_homelab_controlplane
option httpchk GET /healthz
@ -41,13 +41,13 @@ backend k8s_homelab_controlplane
balance roundrobin
server shadowfax 10.1.1.61:6443 check
backend k8s_theshire_controlplane
backend k8s_erebor_controlplane
option httpchk GET /healthz
http-check expect status 200
mode tcp
option ssl-hello-chk
balance roundrobin
server bilbo 10.1.1.62:6443 check
server frodo 10.1.1.63:6443 check
server sam 10.1.1.64:6443 check
''
server nenya 10.1.1.81:6443 check
server vilya 10.1.1.82:6443 check
server narya 10.1.1.83:6443 check
''

10
nixos/hosts/telperion/default.nix
View file

@ -42,8 +42,6 @@
swapDevices = [ ];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# Until I can figure out why the tftp port is not opening, disable the firewall.
networking.firewall.enable = false;
sops = {
# Mounts unencrypted sops values at /run/secrets/rndc_keys accessible by root only by default.
@ -99,15 +97,13 @@
matchbox = {
enable = true;
# /var/lib/matchbox/{profiles,groups,ignition,cloud,generic}
dataPath = "/opt/talbox/data";
# /var/lib/matchbox/assets
assetPath = "/opt/talbox/assets";
dataPath = "/var/lib/matchbox";
assetPath = "/nas/matchbox/assets";
};
dnsmasq = {
enable = true;
tftpRoot = "/opt/talbox";
tftpRoot = "/srv/tftp";
bootAsset = "http://10.1.1.57:8086/boot.ipxe";
};
};

93
nixos/hosts/telperion/secrets.sops.yaml
View file

@ -1,10 +1,10 @@
1password-credentials.json: ENC[AES256_GCM,data:AgjrQRlLUHozHTsn2iAf+DoQKmhQfSH6ktISxUZeEjs56k6idjbndkK/kwQXNNrAwmmpT+3OG7cOv0bAPU8AzwZYVyOlpFwp/eXvPJI6YcXlmsCn9lEANpdIbpc28npWTxuYvwZTSavJt5qo/Q9Gf5YQ2qiW6ER3vA1bej7Q6/WRNqcRWKfcMOfNg5YAms/o+nUDKgp2TG4cypyw7tXUoFk9drhCrybNSdlWxWf1t+VdiGLIFk1HvYWkelpxJujRZbKJxNi+4kPT1xQyU8IJbOZx1wXsIfz5I7QPtfoMxbAhRB5ikAwZpNLO1DpnAqBcLES+yqHm0V/hyI48mHz9gSH7fCUvGqj2OqdaKAl0lEpkTMA8PkfRNKGumwHsq2IEh5PP0kj50WlEFFoZszM5QKr9FK7tcvMP0mTL88hlCqnH7rzvNQtpC76BcoReOfKO0ZPtfEAJVGzsQ4F0hkeYzlfyoylqOzldju1QPadQ8Pq3dZFUXg5mZrF2N2kx8gqHqNHqK0BY7KFRrqTIJWebHiLYWe+WWqK3aUSLx3j8iqjuf+HtEBnxAkVIuAYBS6KwHQeXycdD/d1aMm8T46mJzW5FHlUed++GsU5HGQOF2gDZ2gfimdZ7taH0Wlf2wYmuH3BJKFGROefv0SuhuqKMxG1ownFIO0CbCS61ErRTER1P1L44CmaPyIgRNPMmz4nLlKt6+P7Ci4QGpevBkY1wHEn3dT/fNrBBW5EBsrWKRA88guZZHAwB3HLAVNqDno+nWlXlB5RxzaYzya6MYrlXKQxYluU73UQRzH7ikAcL4dJpjVPNIZPkzNRAI75U/IOQX+XspwM+yeIC38TAnNIcARXk2u2FJPaJLQSLqQJYgN9DO5Rg3cIVD/RsSU8TMEq/5jHaoMjZZ4iaYjUHzXbTOvk9WuGBJB1uBm3WUVDwLy6sVp7kHv4PvECcDByNxvhd7Krpbgt9sMi3jsfloo8zOzyoUOkbCEJNr6KCTOvd1/gzRVBxKyTajBkp3P/K7sqGSYpqqmE9qQSeHH6hVMgpicPsn29rzBRW5z0Oep+E6mmDoFuzJ1PJCdLguOIOkVDGiaT+ETtSrg6By3+lhcknElquTd0McoIO2nst80VA3tGUFwPcRJ+GmCtNLBDQgsxz0FtLMzIp5rWi630gnDHBjCf/qXWxyb1YXTpWGmsfWlF3xf8TrH313cnYkKVJAxMBFQVB9GCZMbFcgWg2A9T6b53tVHhmTWIZ5fHGOVBsruo/zU3mhxjoOqsbgrmj6Vi/1sEHvkN0hQq13QGT0bRv4L8BdeIanCMItEP09WZ3lDlDaXY/5xgfwr82oCxrMM7uk/j7COF5C1OjtbsqrGUUB4bphgiVsTT0m7KUw/VdJlPDUNAm3Qu5YUgeypmcNJoNFwsa0deDdg3GllaePP+8BDRbNrGSWUoNB7iNcW/fVaw=,iv:FUiB54c70FVSSkeXZ4stCdKGwihjpSZfsKqKoiDynTA=,tag:aNTbQb2/FUx2NrjQUVMIsA==,type:str]
1password-credentials.json: ENC[AES256_GCM,data:odK6x2TscY1WNCOaPBSfo2ln7hsa5UopakUpOgB4ci64p4LGIwTTDnSiq8+UXkrDndQ7tSqtr9RUvB+AwwYOuh1KBAwWmlZN7agtxUYc1wvMdQv8WPDfhqe9m0FNP5gyTaohcjBdBddZlv7izScVePUQUdG04dGYqUg6mQ/gmPtJy27hil8GivvxRN6FnFtkgoyfE+ZLfkTuMdeL4cxai4j+UeGc5XgmsrBLrW5udeDw2hktGXEBp2vMC6t+D7uzZ7DeLBDiHRbBZBeo+krnVdPsLxU3yFF/hC8vWVbkT7Wt/UhB0+X8SWvhYOvc3KW+NfyHcU0SONhQCM4iOkk/1qvcaDHy7idqexKxOtfQaZtuHW0vB3icgbxTO9usFxOxUPe63yXHUg+UDKSN4UGCF10eLoZKaV7zO76BkTFXQLl2Q+dytaxEKathhW4fS5lUBpuxXNDXuIxMiUIclXwVWVDpL7qchTJCopWwwDRaeHrUPev+pQptEsDLYpZeuf27hPjCMiOWkxt2kg2eKPjJ8AUtI8N3OlFPCyAurLgLSrFj0Wzm24LJLKsjs1if2y2jb/pR4MPdgnHgNnHS8VQ9JVprVyuw9C/wDhVV7yW+D4tlJ/d7AXaJq/dkO8XnwCEVPyFr9bUMB076z+tleYgvv9rHkdQMaqHr5HCHAtuYfM4f0Zpfr9alJ4wxCsj+MAn/PLGxjNd/hQQY+oYRpzBne2mUoxhRt3ZjnGH8LUBFSlz+e0+PB0anS3oV3XZUt0XuwGpNIxp4LsRFgmDC2qoMKZ2X7/DfTdmb3te0YbYNUUeHxlQ5AImzU6Lj1qw/clD7ViS82Rjc/WCavg9J7U7CdDbzhtv6xCxbyd3j1r8Wi4XLAXy4ZdcdvCEyYDHwJeExY8pp/jvS3CqSrlC/PyBUemloIQ+jSQiRYDv26XpRKbJ9Yd8fJ4ANPCMuvXU21iXtxHIRwopTo87hWqqSaORFcyVOmCxJJpa/TXL5fdd4ISy6CSqZXZCCIfiVxq4fBkqSoya4XMXQQq9Ki5xwLf1bDhaT3v7okP87A9d/j9Vru2RIZtRT71jVKvwDvJhLAfYuXyIUfQh5cvIw4/HlAZzP5vi1w5KlIJGf1uVVhvTl7p23/Gi9LAX3/P75dbK+x4VYOyqjMowER3jxk9m6GyFDl7iuceNh1bIpgPN1s4QOba7N2Tex5oa/aJJKOLYE4GYDtom5auDP6Xqa/Nd4NaDyd5oVuXcP7Lp7tDu9sIW5rhGaVYKU7jhzALN9HjfmAen+cZ50oy8L3IYKlS/91qzGughYDOjK4qeQ2XrMxySnCPja7ElV4gxmB3X73nxN+N0ZLEDhAGIS1FOaOammDjK2Pj/3vA5+S2hO3GYLh9glNgRnIGlNUVtw3My9H1mYIc4eP+LGGXz1KPnQMQWRtXZHH4d4fsOyhk+CE8as7WtyO7M=,iv:RkYdMs72Nq7dwHScKZeXMNSJ53ztTXCb3lkhrr9K2oE=,tag:XDdPfd+Be9nSAbvate52AQ==,type:str]
bind:
rndc-keys:
main: ENC[AES256_GCM,data:JVFfmWawvoQZNA/phLZAH/ZfDFkuDBAzQsvavFMT/8v8JKi4oJ/V2UjVv4Xhh730SP74Z41UBUA+N1iW+1HsIqCm+UGcjelLWiKoMGQMmuzVSbt4oN0lVtVIZyke+hzlNPm5qTt1,iv:Q5t9beYjCoTiYOm8K3ktqLbkaWWWzPPljcxmdrXdczA=,tag:gZaOrxZ9ou/+ZxukaZ9FDg==,type:str]
externaldns: ENC[AES256_GCM,data:eCtagoXcjAqKfvD8AuxUhtL2Rvn1iUxbS3qDv1x1KVUzdg1jGAELgCivgPLv8UaLCZ7dqqtr1XiMgsd8RPKgSZO/AS9TTQx8eGnWUnaorUXdhYfhrGfeUa7LoEPYPNx4jwrN45j3OKsE,iv:ffUDa51TqFMqOBItiezwfiNkf4aajdfIXo6+cR48rAE=,tag:E2jMpk1/hpJGjLfIFuTpqw==,type:str]
main: ENC[AES256_GCM,data:X0HTyNmqH1epIVNkXMyFlavqAodDw92Gs2sK54USNv0mWIwmk8NEb69x/Od8TAwDZw63k0lEAymyj/hBfkpav9yKT1M1hGxr09xjWsR/DTAM9tFv140cvnMEon0ZbXVXp4ou24jP,iv:7AsoCrxf8CyPiyWYfHZsGE0Qw/wutCVvCEiRdUdmIHA=,tag:oJi4BTDrD3FLEQuYeDR3dA==,type:str]
externaldns: ENC[AES256_GCM,data:WhH4vAR4Q4iTXq2fT+Z8kOXkwnneNV4bXWYytov62DFDSnYwsvWIbol5MvYIwXM+gEbQ/k/uk62MSFx26T34881EGJmH7KXWr7ji273D8oKAp0Fw6jOt2NZT6XkBwhWEIathUOwNdN6E,iv:SepdyBzYga7s03ppSppiBB/wTbTrL/y70aa/B/m02r4=,tag:vWqlZLx+FvstJjgRj4mjWg==,type:str]
zones:
jahanson.tech: ENC[AES256_GCM,data:CEOcBxa38OheRPP+JakWVfm1vbtTlMzEsEYhzehckpRN4hj9epxVwyKzth2JvhdJN7zslP/BydRm2VowSTJLDpEsRBYiC7650ear3co1qM60SvLHNgsKcW+UTfp5RUqIcos2Gfll2vrMFxMIRV9nrSz2g3trteC/4B3wmVLZjnvNQoB5SePpQKXZQQesO5+5aiF7hRqk2OSz57S/ncjHJhLz9h3xyvr7JXrcdUWHTUarqQbARG3owzaxEoPY+n4nqtx5JXqFaYAMSO6bio4OHanHXhdMfSpZud0bT7wBarAtWCFgIIMMKfd4Q1qBm5AFQyApdLKdwQ4zakrRYOx07zp/ZxVOQ5oiGIuFsEumf370PCzR6JPVivX0gHsJXR3EqlXVy4TpFOzit9jc43XD9LgvYKxdQQUUC3LwfCVK/6/rjqVU6+40tA30D8KQS1UZ1Bmm7+QGk4Jdocwg5KfI9BQNSC+Qfrmif8Ckljr8978p7rxEhMU52DkoNeOxHtLcjzsskVV2Mv01KdKQByoHxVR7ySEkmz1nDc6O6kUExgL4mrXRa+zWvTwkQdcjCoOvb5Z4X0sUdUwvt3qQqbZLyCLvXLwLyOjCTlHu3E+nlZ+AESTRoAgexkR+oWQuekoPaFxy1F4FFk8MDpBb2Cgsw5ZHhgmiKaV5e0DVU3oS6mRl1OiqhMSnbBsheyXYVWSHQh8xvlLgvF8/INeJCgZArjDfP/nz15ctkBVKC+6eEyTCXiAnaS1snbJdovTRiz9GUaE3AcQ+uRhhqDL7U1AO6n5vxI/6nKGH1YK2Z+ym7JT3M8+wtBhM/fPs5DjwjMb9c5z07Ks48r+dm8j91jsh2ACTJRvhvyQvxHh4HPWicoUhRdMj/VuLAwMpsCGRCwjsZ8OzNvzWUz/+5kA1J0/XEh6TRW2ZNKO+uzcpFKoAPwRbF0lLgZYnuceEEb1oyjEH0UjdKDL7g8GtnEdN4kem+Nfk/OgyVJKLCN6ILvd8QrhXhmAZri8s18eNEU2np92B6ISmRt/b0pcNyva1fRvYYv3CaIjqjx4RFa7pZvjyXysuomdNzUx6wfwBxVqQn4FjAhOCeGVawtzLDV2ZPfaxc36RIOrK,iv:Y6CcrD/be0F6B9TEfGFF74jWvk7uWVUytutnFGfnG0I=,tag:2JQaYAj4IuFw4LrnQ+gAig==,type:str]
jahanson.tech: ENC[AES256_GCM,data:XqOX6lbCubPEi1pXgIEXW0qyD2+iJXNugTPdQOB/yCm4AX1mMiANAV51FBDb9f+QQ+q1EDqGz/83VKggoIvHSZCOW3dkNWR2uy82uO8C59sbsLrR5AzTTnZN2zlaIjW2q42I838mKfO7MfYXutwQbTpepr/Brtbldm+HRjxugJJMDFvBqSlylSnFA+jeWq7RNRP1+ZxGULO8I2BTPqdRVyRHcIWjyQABTctDcDgDLMpPxrMBTtmC2/CFH5pIT3w6gbrYRwYFZh7fNprOYRRPOkGHMZK6ccMCpm2uRR4b5daB1MidqJUsX999ma2TEmsUJSQZr6mS2r/QvwZ2R9QziIkBxh91vCg6HMaHl8/ISlryZVlkWNY1P2jgCMw0jJ58NxeBVAjVWw3iL+i9JU/q51r8J3nZHi5ql90JMaVdYWw8I2GLYWDHQnES9srEXtJwJNLzE69lQuL8ARmey4gt8Q9snen0v3RJVFb466nPKvH51TjIAr3FB2L8NY3RumD4eYl05L5JdNcFVuqmsYdoWQSQdZz23BxRM/QKT2qKjrhxfZuQW1naNDg3qbx5+bLGHlG6m8wRdtkR5SXWQc5a7LG2eURY9T7vy8yxMWzjd5LPMFLd7JlUSjwXw9YBhYTafGuc2TUESs8DCO/hU2zjAn1KM+rmc2T4aF3HexJwt7b7HBmMrDWObdtj09ycV10tp1Z57ZMz18aJdIbaZKopERN25FzIKiTlytiZiWsesLo6mUbsgb7bmjGGjBEDbp9P7ozgZv5H+aR5Y7POl9EG3gfERPsa1nF1qlloOrYT/GX8pUNhXAxH6QfX7WF+ANiMB/L/X4L0/XufV7shCWfQwogZ3t7ARGHr3dIOyx1ABus+M2QUZyI94jHTn+/J6aaxL8qsDGDZ6383Gk/CHa57BklRUrZZYVs9jzDe7+12gDfID/eP+nnKuohwCY1KcHL5QCRUg8KN1ZIyH1FYz489l/qKFG1nO33iJv/l6opWjIv98EM88ckA7zxU1+UgjxNiBo0EGJPw1erwTwUzehTnj303HuTGbtGjgE/vK8M+rCCpL9L0YAFQyXqeuqQs6yM3PHCyKfvThCAnwnTIGn2mZcyu/GGGOO9Hse/islh4cYldxC8psKNfNlf6qT43MOf+gDJ2GKU2kzU5tivlNqXbgAs=,iv:8SWNl65v24W504eG64L65rDmvqrkF5VJhufN3u/wRG4=,tag:oapDfnOAPyPDiJrxGHtiJA==,type:str]
sops:
kms: []
gcp_kms: []
@ -14,77 +14,68 @@ sops:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5V1ZQcTBNeFF6NjdXMThQ
QnMxVFZHZlBwTk5CU1pSNFBPTUt6MmR2NVNrCnFjd0Q5d0pwZGdJbDlDdS8wNG5Q
aHdqekpmREhlbEVMUjZNc1BscU5xbjgKLS0tIFdLUC9wNGlyOFd3WjRnc0IwZU85
alhDYk1DelpINjYvVmlCa1pKY3hjV3cKF7aIzA9U1bPVP6bQbYCTjXKptE9Rovyi
CVBUzWWrb2Z12rvjDzIKc/L1iMqLn0PjPsYHL+CHW8z5A6R3m3FDMw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSSS9JWTZPak52ZFloYTZq
N3Ewa2hrbUZmZ0Y2aVpzaTZjN1hzWTlqRmg0CkdIZk9IMDdWQ2xsYmdHcGM3WmVk
cnVXVkprbXlQeDdzSkEvbW9SSE1aU3cKLS0tIHpuQUY1TmdKbGpZQ3N5Vk5LdzBC
VVp6Q1ZNR3gycSsxU3Q3SGtNUDN4cEUKDXO3QyNQfXqn587meoAZqraGMl4ASeOf
rVJDGWkNhne1YFdAfvbiY6pD7RDxscwiRFqDofH/t0EfN4vwrzIx3Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFUFlDK1duT010Nll2cmV3
ZVRKM0tFNGVHQXM0Q001ZGtIZVV4bVByTVRZClZVclFEMVlSYnp2ZElNZm1DOGpR
bzNCUkQrNXF4UlU5WHloaEtzMW5wMUEKLS0tIFpwQ0pLRjFJOUR0dEhhTVBhT3hJ
c09wdG1jVlREUk5QUThKRFpsSlRUM1EKjxe9zkAp8t3gwMFOipPZeVdIyEnOTm77
0EnaO+oPJNTE+WefHKEEnqkUP0JY6vkDSkymgLtlPnY9VkAWP7ymbw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrSEZKOUJTTjE4YTRQUnFW
bzhMcjlSVTRNRWNkSmZSbU5ITFFTbURFbGpJCnpndFR1OVJvWnBOMVovdVVGWkZ4
Wk9xa29kekgxRnlqbFg4YzN0OE9ZYUUKLS0tIGsxeUhWdU5NaTE3cHpYNXF2OUlK
eGNyTXdqWFNvZ0NVOCsvaG55dUdaMEkKW9SxqP6Jpn72VAwPhn3laO1OE+gYzLvb
10NfaR+2P0EJZ3nwc0sLKmPmSzcRiE9etGtNGFiLgoUNkQ3lnwXj6A==
-----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxTlZoVGgwSFNOZ214WlBC
dFdBb2tSTjJLU1M2WmZXcS9jU2d4WThab0JFClNQekNJM1dmVjJUeEN3d1F3dVFF
R0c2bFlFNkowZjl5eEJXMllXSzZLSUEKLS0tIG1CUWRZeXE3SksxTUxrQjBTaGpS
VTZqOHB3eFlHZmNlSU9QOGprdWh3bm8KfvR852TCR0nfmXkDgF3FSOR9agJ8GUPt
1iK2aDZHLZKcK4mcuPc/qzfCXvTHlIvTDbSD0PbgCyG7gwgX2Qd8mA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTTF2TjJ0WGJaTUFIWE9s
S1NHQmRiQUVjSGJLQXZ2VUUrclorT3dIOXprCnQwOUorNXFzNG1DbG8wRW83QTdC
a2ZpZnM5Vit6bk1SaXRSZnZZT1g4ZzQKLS0tIFd4RVR2LzdvVG5nVzBiKzBPL1p2
eFJWOGx3Z240clRQN3dNa0Ztb2hrUk0KunfKdWPTZD32KagC+VXmAQDxJAoElHAp
mo8a0GGdeVuJiUneJlZ2KYuLkseCyn0HC5qQMUIT8HZJ2bb+RH0vDg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3NXpCcmY2T3Zmejd2TUlX
TDZYMSt6OFdIZC9ibHJid3JxVjlHK0pCWXpnCmF4dTJWNzQ1a0FZdWxJUWZVZEhk
Tk44YWQ5U2dWc2orcTExMjIwT3ZOVmcKLS0tIDJpbkEyNmJmQU1PemhpYzBycjV6
V0pHbjhRcERyb042L0ZMUnZSdVpOOEUKICA6kYzVpAwMaoKrZIkj7GIjv4mGRzu5
3sm2D/yeE68TXH6PvHPRZpkLAqrn2HvQuviIgHXH3Flgeuu+DGl8cQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3ZHAxMVNsK3U1ZlJnaEJj
eTNhZzRidW9HQ3Jrck0zNmxPYXcvVUtJRTJFClFiMGNuYnEzbVNJNExVSkZ3dVJy
MHlRdG1uNHhZb3daNW03bVJrOGZmNmsKLS0tIER3RUg0TDRQT09jdy9xNzF6OUtq
VHR4NjUxZGpRYzNKaHhlVTdJQXBmTlkKHgqnACFlEusz0/W+I/O2smr/SV2Oiw9Y
wCqCyVfB+kGrfgq08e8ki8NXv3PDT637BU3kXFaOTQhzSE0aCpD8qw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
- recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMLzdsOHpDUW9Vb3c5cVFZ
a0VOMEdjS2kzbTVtcU0zeXdOclJxbU5FSFE0CkwrdGN5VTNxT2Y0VUdOT0ZnMWlz
VGxwNGFSSUttZjdIVDlRL1JQekhSdkUKLS0tIE9JbUJWeFRVbXVyNkJIVTQ0bS81
Zk14MEtrR2pRSWVPUEJONVNKNUl4VXMKJ93XAmrAH25gUTbtY4HQjSKCJqH8yK7t
5WGip1wjuP/jab8ycHaM8MK6hH7qKJGLKF0Q+agvQok7RKqZl5+ikA==
-----END AGE ENCRYPTED FILE-----
- recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvYUhubnhKcnFDZml5Qjl6
MzgvVFk4QzNwOWdSWDh6RlBDdTVzRWMrTmdBCktBZVdKWW9JdGxEVlRtVCtMYXpB
YTV4TmNlRnFzMTcwWGZSeWtzN3hxRFkKLS0tIHpsMTNLckhMRkM5V0xqbmFjOUpK
ZFl0QlZCUmcvQXBvcFpoZHJNZ0xUQTgKTnAjik5QM++wy3+y8N5zHk+nY1+bMfr8
5IQBIQuoJUhvj8GPniyYRHEhzttfYNuYJaENQcuYOaIpbGb3jTmBJA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvTXJWQThMaDZNajBFOVRT
NEpJK3RvbzRKUXE0NWpRQVA0aWJSYVNxWkhNCk1nWHVaYmZNQkdQZFJIOTZKTWxC
RXpOaHc4dzNBZ0txcFhtbjVVSjhDbXMKLS0tIDkwSnFTTjBZZE5hZTdXeTI1Q2F6
Skw3OUt4SVlrQ0M0d0h3KzNubjZ6SDgKiEvuO+RqygeSSzeUlQJSPuzNY4tbzKso
bt/fSCV4ulFTvjybD9lfA9dclHGM/IRA9obCQd8RsCBQuXo9cuWnjA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArQW1McmZlNVhDR1VRMUM5
UVk4aGd1RDZxQ3RlSG1UUEd0R1gyUU1VUkg4Clo0eFgxVlcvNnNtWVZZajRGYUZJ
K3d0ZzNSSG16dGVONjU2cDMzbkNvazAKLS0tIE1jcU9ERXZhbW4zM0E3Z3RJWTRm
anA4RmxVOWplWlo0QkFLQ2xFQ3YrRWsK0Z1iH93d8sMj8PbFaLBBO7xqz04f6ytV
m6bFiMoTp+hdnFdGZkl3S+4wQBG44uLJ9z6I/SL3H90ZBrVfE0XV0Q==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVZkQ0NzVGMWJ4Tk9vYnZC
dmo5U2FJa0pOUmt1K09MWFdRamNnaUgwbEM0CnhKRmMyN0RYMG5Uc3ArQVZhVFZX
RHQ3SU1TUnQ1SlhvZGp6emFOV1FuVE0KLS0tIE1oQjQ1dUhTMVBaTnZIeVpVNmxp
cnk3ckEyWkdhWkpkQlhJTHlsaGFTNDAK79D2C2RZql38hBJOBnqhOOdb7Z7EJNgj
aWfivACOM//hsPCZK+9YFpXJ08Nb6iBlNKzYsTW7qJ+Ue9M9i9JShA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoTSsvbFEvc0ZjQUl5WWhl
Q0tWVndqbGlMcnpYMzUxdnlWVGxubldaWVZFCnpBdHRaa052aUJWZENBR1QvTXgx
Nld6UHpPR05yQ0g4ZEVKVVhQUUdNVWcKLS0tIE1aMm1XOWRxWXhiOGk0Y0IzbEdN
b0VpUGdsdjNpV2ZJYzBNeUZtTFg0NTgKJ9dSsLlgbxotxWyLrY6XWVyg3I3zugG0
pvd/gQmiYFxptVmBPw+GkOZJBugHpURQznXq6DEo0hVaYLoxoaFBNQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdHRRVEY1dmR2WjM3YVhk
dFZ6UmUxUTJKR3RKMUM0UXVaMUJwMzJRTmpnCjJtdjgwNnphOU5EdUxkSUp6UkQy
cS92MGdlTExVbWJIWGlGVVFla001MGcKLS0tIHF6c3MxR1V3N2szeXlNdWhUaGpW
WWRlTHl1MWFmU293NGJyRVNRTE1RWWMKu5nK98591T0Z4rHIHxCY7mqBW/CF6abl
3/ygImXkb15Ws4b4mcN67vk3omg9CB6s0SHfFk1GAu6CiN7MufHQ+Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-01T23:46:47Z"
mac: ENC[AES256_GCM,data:3vtZhdp4eCAlzq+LWypv5wb5qAdFM3wYTmbtvHMIxG21Z2joEH75i2BqYRl8sQPDSM01wbwZp04/pgjEBogrBrwC8Jt3fAB1ptx9A1vPBIwjcprFR53/A0SFRqb3eXJbwRMS3axZx2yp3qzv73en1vcfRgS2YfjaH8knH1f6/CE=,iv:L3NBzPNHi1wBLA2+sI+Ncl57el61friVvar1HbFWSW0=,tag:sxm8CFpwTt4jgyHBPqVihg==,type:str]
lastmodified: "2024-07-15T23:16:58Z"
mac: ENC[AES256_GCM,data:pmZjxv+vcznnamHNvOL7sr8wrejmcqo6D/NpizVo7TPo6cs59vTQ2fXmM0zlfJs81wZVe8cMcv2LXITSmjpZOsrhYuzMpPsc9HGzdwfOXVTfdVDYWVwNd4LsXMW40rqUbZyVtp8zAOW4eF5iY0H+acPxMcBbogoQKOU94a0NqzU=,iv:vFcpIrA9KRMawLCbMqWbKcGFPBcMp3mQRIgje5dV5S8=,tag:iuEaP9jjhhvjMjChvaoBCQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

10
nixos/hosts/varda/default.nix
View file

@ -1,5 +1,5 @@
{ pkgs, ... }: {
imports = [ ./resources/prune-backup.nix ];
{ ... }: {
imports = [ ];
networking.hostId = "cdab8473";
networking.hostName = "varda"; # Define your hostname.
@ -22,17 +22,13 @@
swapDevices = [ ];
# System settings and services.
mySystem = {
purpose = "Production";
system.motd.networkInterfaces = [ "enp1s0" ];
security.acme.enable = true;
services = {
forgejo = {
enable = true;
package = pkgs.unstable.forgejo;
};
forgejo.enable = true;
nginx.enable = true;
};
};

24
nixos/hosts/varda/resources/prune-backup.nix
View file

@ -1,24 +0,0 @@
{ pkgs, ... }:
let
cleanupScript = pkgs.writeShellScriptBin "cleanup-backups.sh" (builtins.readFile ./prune-backups.sh);
in
{
systemd.timers.cleanup-backups = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "daily";
Persistent = true;
};
};
systemd.services.cleanup-backups = {
script = "${cleanupScript}/bin/cleanup-backups.sh";
serviceConfig = {
Type = "oneshot";
User = "forgejo";
StandardOutput = "journal+console";
StandardError = "journal+console";
};
};
}

20
nixos/hosts/varda/resources/prune-backups.sh
View file

@ -1,20 +0,0 @@
# Set the backup directory
BACKUP_DIR="/var/lib/forgejo/dump"
# Keep the 3 most recent backups
KEEP_NUM=3
echo "Starting backup cleanup process..."
echo "Keeping the $KEEP_NUM most recent backups in $BACKUP_DIR"
# Find all backup files, sort by modification time (newest first),
# skip the first 3, and delete the rest
find "$BACKUP_DIR" -type f -name "forgejo-dump-*" -print0 |
sort -z -t_ -k2 -r |
tail -z -n +$((KEEP_NUM + 1)) |
while IFS= read -r -d '' file; do
echo "Deleting: $file"
rm -f "$file"
done
echo "Cleanup complete. Deleted all but the $KEEP_NUM most recent backups."

2
nixos/modules/nixos/containers/default.nix
View file

@ -2,6 +2,6 @@
imports = [
./backrest
./lego-auto
./scrutiny
./unifi
];
}

92
nixos/modules/nixos/containers/scrutiny/default.nix
View file

@ -1,92 +0,0 @@
{ lib, config, ... }:
with lib;
let
app = "scrutiny";
# renovate: depName=AnalogJ/scrutiny datasource=github-releases
version = "v0.8.1";
cfg = config.mySystem.services.${app};
in
{
options.mySystem.services.${app} = {
enable = mkEnableOption "${app}";
# Port to expose the web ui on.
port = mkOption {
type = types.int;
default = 8080;
description = ''
Port to expose the web ui on.
'';
example = 8080;
};
# Location where the container will store its data.
containerVolumeLocation = mkOption {
type = types.str;
default = "/mnt/data/containers/${app}";
description = ''
The location where the container will store its data.
'';
example = "/mnt/data/containers/${app}";
};
# podman equivalent:
# --device /dev/disk/by-id/nvme-XXXXXXXXXXXXXXXXXXXXXXXXXXXX
devices = mkOption {
type = types.listOf types.str;
default = [ ];
description = ''
Devices to monitor on Scrutiny.
'';
example = [
"/dev/disk/by-id/nvme-XXXXXXXXXXXXXXXXXXXXXXXXXXXX"
];
};
# podman equivalent:
# --cap-add SYS_RAWIO
extraCapabilities = mkOption {
type = types.listOf types.str;
default = [
"SYS_RAWIO"
];
description = ''
Extra capabilities to add to the container.
'';
example = [
"SYS_RAWIO"
];
};
};
config = mkIf cfg.enable {
# TODO: Add automatic restarting of the container when disks.nix changes.
# - https://github.com/nix-community/home-manager/issues/3865#issuecomment-1631998032
# - https://github.com/NixOS/nixpkgs/blob/6f6c45b5134a8ee2e465164811e451dcb5ad86e3/nixos/modules/virtualisation/oci-containers.nix
virtualisation.oci-containers.containers.${app} = {
image = "ghcr.io/analogj/scrutiny:${version}-omnibus";
autoStart = true;
ports = [
"${toString cfg.port}:8080" # web ui
"8086:8086" # influxdb2
];
environment = {
TZ = "America/Chicago";
};
volumes = [
"${cfg.containerVolumeLocation}:/opt/scrutiny/config"
"${cfg.containerVolumeLocation}/influxdb2:/opt/scrutiny/influxdb"
"/run/udev:/run/udev:ro"
];
# Merge the devices and extraCapabilities into the extraOptions property
# using the --device and --cap-add flags
extraOptions =
(map (disk: "--device=${toString disk}") cfg.devices)
++
(map (cap: "--cap-add=${cap}") cfg.extraCapabilities);
};
};
}

13
.archive/modules/nixos/containers/unifi/default.nix → nixos/modules/nixos/containers/unifi/default.nix
View file

@ -3,7 +3,7 @@ with lib;
let
app = "unifi";
# renovate: depName=goofball222/unifi datasource=github-releases
version = "8.4.62";
version = "8.3.32";
cfg = config.mySystem.services.${app};
appFolder = "/eru/containers/volumes/${app}";
# persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}";
@ -14,14 +14,9 @@ in
};
config = mkIf cfg.enable {
networking.firewall.interfaces = {
enp130s0f0 = {
allowedTCPPorts = [ 8443 ];
};
podman0 = {
allowedTCPPorts = [ 8080 8443 8880 8843 ];
allowedUDPPorts = [ 3478 ];
};
networking.firewall.interfaces.podman0 = {
allowedTCPPorts = [ 8080 8443 8880 8843 ];
allowedUDPPorts = [ 3478 ];
};
virtualisation.oci-containers.containers.${app} = {
image = "ghcr.io/goofball222/unifi:${version}";

1
nixos/modules/nixos/de/default.nix
View file

@ -1,6 +1,5 @@
{
imports = [
./gnome.nix
./kde.nix
];
}

71
nixos/modules/nixos/de/gnome.nix
View file

@ -1,29 +1,18 @@
{
lib,
config,
pkgs,
...
}:
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.mySystem.de.gnome;
in
{
options = {
mySystem.de.gnome = {
enable = lib.mkEnableOption "GNOME" // {
default = false;
};
systrayicons = lib.mkEnableOption "Enable systray icons" // {
default = true;
};
gsconnect = lib.mkEnableOption "Enable gsconnect (KDEConnect for GNOME)" // {
default = true;
};
enable = mkEnableOption "GNOME" // { default = false; };
systrayicons = mkEnableOption "Enable systray icons" // { default = true; };
gsconnect = mkEnableOption "Enable gsconnect (KDEConnect for GNOME)" // { default = true; };
};
};
config = lib.mkIf cfg.enable {
config = mkIf cfg.enable {
# Ref: https://nixos.wiki/wiki/GNOME
# GNOME plz
@ -49,41 +38,41 @@ in
};
};
udev.packages = lib.optionals cfg.systrayicons [ pkgs.gnome.gnome-settings-daemon ]; # support appindicator
udev.packages = optionals cfg.systrayicons [ pkgs.gnome.gnome-settings-daemon ]; # support appindicator
};
# systyray icons
# extra pkgs and extensions
environment = {
systemPackages =
with pkgs;
[
wl-clipboard # ls ~/Downloads | wl-copy or wl-paste > clipboard.txt
playerctl # gsconnect play/pause command
pamixer # gcsconnect volume control
gnome.gnome-tweaks
gnome.dconf-editor
systemPackages = with pkgs; [
wl-clipboard # ls ~/Downloads | wl-copy or wl-paste > clipboard.txt
playerctl # gsconnect play/pause command
pamixer # gcsconnect volume control
gnome.gnome-tweaks
gnome.dconf-editor
# This installs the extension packages, but
# dont forget to enable them per-user in dconf settings -> "org/gnome/shell"
gnomeExtensions.vitals
gnomeExtensions.caffeine
gnomeExtensions.dash-to-dock
]
++ optionals cfg.systrayicons [ pkgs.gnomeExtensions.appindicator ];
# This installs the extension packages, but
# dont forget to enable them per-user in dconf settings -> "org/gnome/shell"
gnomeExtensions.vitals
gnomeExtensions.caffeine
gnomeExtensions.dash-to-dock
]
++ optionals cfg.systrayicons [ pkgs.gnomeExtensions.appindicator ];
};
# enable gsconnect
# this method also opens the firewall ports required when enable = true
programs.kdeconnect = lib.mkIf cfg.gsconnect {
enable = true;
package = pkgs.gnomeExtensions.gsconnect;
};
programs.kdeconnect = mkIf
cfg.gsconnect
{
enable = true;
package = pkgs.gnomeExtensions.gsconnect;
};
# GNOME connection to browsers - requires flag on browser as well
services.gnome.gnome-browser-connector.enable = lib.any (user: user.programs.firefox.enable) (
lib.attrValues config.home-manager.users
);
services.gnome.gnome-browser-connector.enable = lib.any
(user: user.programs.firefox.enable)
(lib.attrValues config.home-manager.users);
# And dconf
programs.dconf.enable = true;
@ -110,4 +99,6 @@ in
atomix # puzzle game
]);
};
}

65
nixos/modules/nixos/de/kde.nix
View file

@ -1,65 +0,0 @@
{ lib, config, pkgs, ... }:
let
cfg = config.mySystem.de.kde;
flameshotOverride = pkgs.unstable.flameshot.override { enableWlrSupport = true; };
in
{
options = {
mySystem.de.kde = {
enable = lib.mkEnableOption "KDE" // { default = false; };
};
};
config = lib.mkIf cfg.enable {
# Ref: https://wiki.nixos.org/wiki/KDE
# KDE
services = {
displayManager = {
sddm = {
enable = true;
wayland = {
enable = true;
};
};
};
desktopManager.plasma6.enable = true;
};
security = {
# realtime process priority
rtkit.enable = true;
# KDE Wallet PAM integration for unlocking the default wallet on login
pam.services."sddm".kwallet.enable = true;
};
# enable pipewire for sound
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
};
# extra pkgs and extensions
environment = {
systemPackages = with pkgs; [
wl-clipboard # ls ~/Downloads | wl-copy or wl-paste > clipboard.txt
playerctl # gsconnect play/pause command
vorta # Borg backup tool
flameshotOverride # screenshot tool
libsForQt5.qt5.qtbase # for vivaldi compatibility
kdePackages.discover # KDE software center -- mainly for flatpak updates
];
};
# enable kdeconnect
# this method also opens the firewall ports required when enable = true
programs.kdeconnect = {
enable = true;
};
};
}

1
nixos/modules/nixos/default.nix
View file

@ -5,7 +5,6 @@ with lib;
./containers
./de
./editor
./games
./hardware
./lib.nix
./programs

42
nixos/modules/nixos/editor/vscode.nix
View file

@ -4,38 +4,29 @@ let
cfg = config.mySystem.editor.vscode;
# VSCode Community Extensions. These are updated daily.
vscodeCommunityExtensions = [
"ahmadalli.vscode-nginx-conf"
"astro-build.astro-vscode"
"bmalehorn.vscode-fish"
"coder.coder-remote"
"dracula-theme.theme-dracula"
"editorconfig.editorconfig"
"esbenp.prettier-vscode"
"foxundermoon.shell-format"
"github.copilot"
"hashicorp.hcl"
# "github.copilot-chat"
"jnoortheen.nix-ide"
"mikestead.dotenv"
"mrmlnc.vscode-json5"
"ms-azuretools.vscode-docker"
# "ms-python.python" # Python extensions *required* for redhat.ansible/vscode-yaml
# Python extensions *required* for redhat.ansible/vscode-yaml
"ms-python.python"
"ms-python.vscode-pylance"
"ms-vscode-remote.remote-ssh"
"ms-vscode-remote.remote-ssh-edit"
"pkief.material-icon-theme"
"redhat.ansible"
"redhat.vscode-yaml"
"signageos.signageos-vscode-sops"
"tamasfe.even-better-toml"
"task.vscode-task"
"tyriar.sort-lines"
"yzhang.markdown-all-in-one"
"fill-labs.dependi"
"rust-lang.rust-analyzer"
"dustypomerleau.rust-syntax"
"mattheworford.hocon-tools"
"pgourlain.erlang"
"exiasr.hadolint"
# "github.copilot-chat"
"foxundermoon.shell-format"
"ahmadalli.vscode-nginx-conf"
];
# Nixpkgs Extensions. These are updated whenver they get around to it.
vscodeNixpkgsExtensions = [
@ -50,27 +41,12 @@ let
# version = "1.219.0";
# sha256 = "Y/l59JsmAKtENhBBf965brSwSkTjSOEuxc3tlWI88sY=";
# }
{
# Apparently there's no insiders build for copilot-chat so the latest isn't what we want.
{ # Apparently there's no insiders build for copilot-chat so the latest isn't what we want.
# The latest generally targets insiders build of vs code right now and it won't load on stable.
name = "copilot-chat";
publisher = "github";
version = "0.21.1";
sha256 = "sha256-8naCDn6esc1ZR30aX7/+F6ClFjQLPQ3k3r6jyVZ3iNg=";
}
{
name = "remote-ssh";
publisher = "ms-vscode-remote";
version = "0.113.1";
sha256 = "sha256-/tyyjf3fquUmjdEX7Gyt3MChzn1qMbijyej8Lskt6So=";
}
{
# Same issue as the above -- auto pulling nightly builds not compatible with vscode stable.
name = "python";
publisher = "ms-python";
version = "2024.14.1";
sha256 = "sha256-NhE3xATR4D6aAqIT/hToZ/qzMvZxjTmpTyDoIrdvuTE=";
version = "0.18.1";
sha256 = "BrcrfhkX2VGF9wznTSlPSdPPv126ScbHb1ngBRGtr4E=";
}
];
# Extract extension strings and coerce them to a list of valid attribute paths.

5
nixos/modules/nixos/games/steam/default.nix
View file

@ -1,5 +0,0 @@
{
imports = [
./steam.nix
];
}

24
nixos/modules/nixos/games/steam/steam.nix
View file

@ -1,24 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.mySystem.games.steam;
in
{
options.mySystem.games.steam = {
enable = lib.mkEnableOption "Steam";
};
config = lib.mkIf cfg.enable {
# Steam Games
programs.steam = {
enable = true;
remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
};
# Need that glorious eggroll
environment.systemPackages = with pkgs; [
protonup-qt
];
};
}

2
nixos/modules/nixos/hardware/default.nix
View file

@ -1,5 +1,5 @@
{
imports = [
# ./nvidia
./nvidia
];
}

87
nixos/modules/nixos/security/acme/secrets.sops.yaml
View file

@ -1,6 +1,6 @@
security:
acme:
env: ENC[AES256_GCM,data:rYeJqYF11Ccw/zDTpfB2ewXIy4cqzHF/d+ar6NUdOGxesiBdJXVbGQtGOOLHTUJ6yKNhdBJ2mpBpCpIdQEdT9+4=,iv:XpjxG0RypUQ0Ub0dKAa8/c4F8TVuRNFXJM5UAfrlMV4=,tag:zCaLPPTp9KHs/AwYNq28gg==,type:str]
env: ENC[AES256_GCM,data:JP+Syy9927T9ePL4Ly9FxlJ8F4/g/xejRn9nw2mqpl2ZUTwudp+R+ZI//h14Nej5S07oJt2L3LD/ol7ugdXHFG8=,iv:NJdqDIA0FZzyKRvDgjWmHA17q0FOCqjCk0WdkFMtd5w=,tag:KG8dgCcEOdroFpljNawdGA==,type:str]
sops:
kms: []
gcp_kms: []
@ -10,77 +10,68 @@ sops:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKOHNGVG5DWVArcngxYXlv
dlFmd1RPenFwSm9TSjhTR3F3cHB6R2lTTGo4Ck1BTVFSd21Xc0hiZlBUdjFrbWFp
Q2VoVzQrTEpZbE1yTHpBUVIyNWFiVEUKLS0tIDZLM3gzbUZUajZQaVRtT0dsQlpY
VExPSVBLb0R3ekpNTE1jNG9QME5OTkkKPivk0v0xDOzHJSPVJYO6/5wdF1PChXtl
xj6JrycRyQPahncXndTZoQL7EbdXnR2tfMtEE5Ua7l4mK11pE3K8cg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4ZFJTREJxZ3NlNGtkSmhG
YTcwVmt1OUNmdTRaVDI5N3JNemszNklHV1dNCmVYczBEQ3BHT3ZhbjUySFNJVjhQ
dWh6c2ZHRUZTOTJEOTBrS3NuNDNzZW8KLS0tIHp3ckNvdmNYdkh3Znc0OVk5Yk53
ZW5jQmxLMHR6MC8yVFpFdFhsTVBub0kKRdYFNppcSFZ/5gm2WvydESeJOTVYd0Yk
0HQd6o8bAX8dcRhMHyyveWXz94/mcINkqz2mlXoL1N0HRPXcuUu5tQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQc0p0TXdtcVZNcngrQXM4
bzBJcERRWVhxLy9QVHBCSnJEMzJTekF4RlU0CmFDWmtMdEdiOFVrRmhRbXc0R3ZE
RC9mQUF4ZjFkbWlYZHkyZ25NV01hREUKLS0tIEVQWHR5YTJ0KytQYi83MmpWL0tO
Q0ZKN2JSMGVsU2h5eW5OTk1Kd3hoS0EKNbVvQ3VwkWloO15CV8v3SP8pD4zc2h04
uM4/VlXTsVxVBqRxycdTKdWhmIChb8w98ljQC+iqatCCUiC9vHYIsg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3RnNVZFowV2NYakYvOEFr
c2pFaDVqekVFeEdPWklkVWxoMjNEMEZrbWtFClFmcGNZYkJqUVF3MlRDcmpqWFZI
aU11eElxd2c4YTEzNEQ4RFgraFIxS0UKLS0tIEY5Yi9IUGxjYnpyL2I0eVFNNk83
Q3VaYjdiYVd0TFVuSld6M25wWHRZMncKaqb2kQvlLGZMaI72npCBuroWK/Fqr9jg
oaBz3rpvYJEox2Naismb2D4fNCtI7Z1hLhPqq/jGAiczNaU039N9Bg==
-----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmNTVwbGNWRHNaRkd4N0Z3
U3ZrYWRMNGJSMTI4UjljQkozTHAvdXpIaVZjCmJMNmdoVjBZZHRqcHBkcEpiL2dC
ak5xNGVRV0NoV2c5TCsvbkhWM2JqeXMKLS0tIG9uMmpJUzdMTUhVWWsxSWFaSTVy
VHhxQ1U3L042VGpNdjI4RVNiRFlqU00KPuDqqR7EeclGGOs0R/3PsB+dnNo20Lh+
GiCWjFy9MVEsrlZV7pd9cb0ggYTm09H0ZD5kb+++Er9WJqb7Ss+iOQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQdC9BM21iMldoUkIwdnpr
a0hXbUNzNFJFTDF3ZS9CSFBENHdNTTZDU1RzCm9QbVdLMnRyTDRQNFE2U2w3cXpW
WkdKRFdocnRNaUxLejExSE5STjdCTkEKLS0tIHZvKzVtWnV4WWxRZXFMVWpobHJt
WlVNd2xNb2c0YVB5WlJtbTVreFhadFUK32KcIdcbt1rAk2+GWe5slpAdHcTBWoKs
wGOEayXeMi9EGYtx7v1oJ8+xlo2wRW/i1pKdCRK4vi4FtaXT65zglw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByRGdRRWUybHNiZzZaM1hv
bW5Kb3NIbW1WNFl6aUdLWDA4WWI3RDdZQ0VFCjBXajVsY3BNMWs2QldjZDZWQnZ3
VjBvZ1AwZkVGNTB2RGF5aGp4ckFYYTQKLS0tIFd6L1lyblZ6ZEVXTHJGanhna0JQ
S25RbHI4TENLUzRtM2NGOFNQQUdENm8K3upUW3cVF6fBrii/pEXua5sLwFcU/as3
RNDLpyvvA/CCZCuneNS27/nYUcc2rJVDU71OsDA6A6SUivYLTriRbQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxb2wzMW1EUUx5VFp0Ykor
UWJEeFlZQTVJTFZIVFExZ1NkcVBCT09XVkU0CmFvWCtsaStjSDR6OVQwTW9iV3Vu
cVo3MHhVOTAxQnU3ZWdDcllKaXhnK3cKLS0tIENyYlFtVWtqS05MVVFOWFpZK1Zp
cTFkQlpkZFgvOERSdlFMSHFxR1pTZmcKSRYr/tIskcm4mwiF74Qnd5d0zRRDSzC1
QXidtsl505oGOgT/ujVtPwSJwvJewZT7NJKVRYktS3xY0v/flr1ieQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
- recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtaE9UczNPNk0zbWV6Zjdv
VXNEVmVibG1xejVObnlBa0JOOVBoQTZvQ0ZVClRSOXBrKzdjVkdGNVc2VmtidE8v
Wjlob1Q4cDZRYjB5ejMwWXZzL2NFbUkKLS0tIHdLWjZtcjRjbjNGYjIzeWhqV0t5
NFBwOUJZYUlicXRqWWtucnJIM2ZXMXcK9UTQ7NxoE5vozWvaDWT285BpZG/VdBh7
3VrNKMWJLt/OuA0ucJAkK8NJ4mBYviytUk0kRR39nUok5+kM1iJJpA==
-----END AGE ENCRYPTED FILE-----
- recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5MjVaRjQ3VTdsUzNHSkxE
ZGFiWWZmTzN5N0t3YjBtNGtiWDhNVmduQVM0ClZFMHp6UE5aUjdYaXU3YTk5RDk3
Q0ZBcnJLYzVtN3h2UEVSbmtsa1hTbEkKLS0tIEIwL3dkQVRCRm1TaGlUNVpWTUFT
MHFjd0ovcXN5S3ZhdXpzU3ZXUnorTjAKPdgr51ho0B2rDKld/UHHC4j1RwRy0fGy
6Pl/Qes4Gjvrb4dlDHS4HTEwBs0TbA62DEDI/jquypwxRW55eDMB6g==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLQjdka1hwejFZR25xbXcr
Vzc4MVd3eXJOdmxqZVFDVVMvTVhLT0lZdVVFCmFtQkZjSm0wUHdMczM5ckFBaEdQ
Y0JMYnR0dGRLYTF1d3NHSyt6MWcrYXcKLS0tIElaT0FjVEdaeExnMUF4OE93Z1Ny
cnQ0Kzd0aWdrSlN5Y3NIN1kyOVh1WTQKG825r7fM2BXak4Q4GNPwZgmigmPxZXh4
DTdp3xBgHWpw8eQsi+gBzzf+4boLDTDDi+acLshj+SpIhjPdMZ1BwA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxMmNINWttMHBndGM0eVJI
OFlGUEpQRGthS2xuWnNtcjRaWEY0L0JKZzJvCkYzWCtVdE1VNnh1c2lGaUZoN1J4
SnN1M25qempwZXBLV0ZPRjJreklnbEkKLS0tIGJYRk5xaFhuK2FwdUtKMHFaTGJZ
QlRmcFpPazh3ZkgzWTh0Y01yTWxMbkEKK525n37sRSRirQQPzVluIwAiYFIbeta+
0/baUvErrjD9xofBZOm7kenLw/pPtcGXsUFqp9aCM7KGLjgRQTuK6g==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtUmVpUHh0QzNLMVhsMHN5
bituWE9Ic2tXTm95cWlUMG9QVWhEcE1sejNBCmw5Q0lTYjExRjdkaCtYMWdkQnZZ
dXNrQWhZaERBK1hVK0pkbFlvQkc1RHcKLS0tIGcwK0dzUVZFMFh2b0dmWDMyMjdS
d09MQlZST2ZJY28vRWtkRzRjd3JFKzQKH2pjr7P1mG1m/8L/VLaTVrAQem8rcNGN
tBWqg9XT3aSc+7NqUDkPVvH8STFGVlEhIskKTJA2TuY6CXfqwS3D5A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqNXhtSE50Yk9BdnRIOUEx
UW0rRGNHTFJjWWI0R0xqVGVTUkFvSFZyUVcwCmp6b2I2aStEdlNzcGNtcTVML2dz
TWRRUWVpd0doWFBYTWZZRXFjZ0wxR1kKLS0tIFhSU094RFdXVXFrT2FqbVEwc2FB
WE93RjBHS1NreWhqTmtEckVWMSt6clEKE24mtrJll0lsXEJktPjCFRpf8DLdxIW4
4JjOWY6zgBWxtuvg5rdb5rz7Sp2UaI1LavvhkCdjmpFckdEUDMOOyA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvRW80Q2x5bllHVDNzTGsr
a29PRHJHcHR2Mng2M2lpb1ZXMkV3UlZkQVRvCk01ciszVDlqeUdpa01FbjRtU3hq
V2hPS1NTSEdPL01ZZkxVdmI4ZHRRVFkKLS0tIHpjck5OaGl2dGgyUjZlNmlVWkZB
RHZ2TlJOanR6L2tQRm0rc3NVVSs1R1EKdSheY8qXv+ylwqjlpbWsSYD55X4SUT7c
W2czHg0Ezbjk8W7vyDuxdS1LjKSMinfRPUG+oyUwxwrjBN3aAwVDIQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-18T23:57:27Z"
mac: ENC[AES256_GCM,data:nBRzGlhrgKchrfnidh/SUNiT04UVeeuck7wWL8M6Jfi0zJItankJaCAHlFzHku5+HYCM+6B1TN5bBKzyrizMAAtZ7fwmUjMt1TgXDSmG4CQXrUSmTkItlHnA1W8MvdFbJY5+cS3aJNx7rnvGp5H5OroedL88L+uuIHqxEx/qxRI=,iv:E4MmeS+xBPIvd2QNxpOHGx2Vpj16s9PZzp6kjkbItqA=,tag:FqVEO7iEjvAuJE4EJ35Yww==,type:str]
lastmodified: "2024-07-15T23:16:58Z"
mac: ENC[AES256_GCM,data:YEm+/mTkdLblxqrQAkCW8QUoQVkK1drgdHCt463aBUl9r04TJdRbij0p3QuLzVIvXJosdBQ0dN0Y/huuFOkP2bixH1q1WtBaqt98iYuR+Gessj7+kDekTNHCNQoZJjbFfqOwIEFNw/if2kY4aHcUoyQQj//yoGTA0vGbqrWzcX0=,iv:KWIo36gl7hOrEDZulqwRwr6eCfc6Hat5f17hpLLDMW8=,tag:3IBrvYXxN4j9I72lwiKq/A==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

2
nixos/modules/nixos/services/default.nix
View file

@ -4,7 +4,6 @@
./cockpit
./dnsmasq
./forgejo
./glances
./haproxy
./libvirt-qemu
./matchbox
@ -16,6 +15,5 @@
./reboot-required-check.nix
./restic
./sanoid
./syncthing
];
}

4
nixos/modules/nixos/services/dnsmasq/default.nix
View file

@ -24,8 +24,8 @@ in
];
networking.firewall = {
# dhcp ports | tftp port
allowedUDPPorts = [ 67 68 69 ]; # server/client/tftp
# dhcp ports
allowedUDPPorts = [ 67 68 ]; # server/client
};
# Proxy DHCP for PXE booting. This leaves DHCP address allocation alone and dhcp clients

5
nixos/modules/nixos/services/forgejo/default.nix
View file

@ -9,10 +9,6 @@ in
{
options.mySystem.services.forgejo = {
enable = mkEnableOption "Forgejo";
package = mkOption {
type = types.package;
default = pkgs.forgejo;
};
};
config = mkIf cfg.enable {
@ -29,7 +25,6 @@ in
services.forgejo = {
enable = true;
package = cfg.package;
# enable sql db dumps daily
dump.enable = true;
database.type = "postgres";

87
nixos/modules/nixos/services/forgejo/secrets.sops.yaml
View file

@ -1,7 +1,7 @@
services:
forgejo:
smtp:
password: ENC[AES256_GCM,data:sq+vLUV35+sclAszVQRU4up1s1y6K6BNbzSW8hKBN4kavJOZLX6o86xTgNjjScQop1c=,iv:5zbzggdTT59ali0LzmPtaP/jAnGCYoJFcIEZkFNFmJw=,tag:z9s3NQptPwKOC+m/EUVeWA==,type:str]
password: ENC[AES256_GCM,data:kkKrSGJER21Q3efHuJ6YJVcmqILMYMME+e1GRdNDOX+sDgKwapY+lJrlELgD5RFVJN4=,iv:/nxRa6Tn1pGGYQ0mds70p3+a9ZYHv6UidngHvI5GTIY=,tag:4rScz6znMhgtQB9V4iDqWg==,type:str]
sops:
kms: []
gcp_kms: []
@ -11,77 +11,68 @@ sops:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPUXYxY2hGci9ZZ3BId0xE
TFJJVzdJQ2h2TlhNQk8vZFYyajZyUVpiY0E4CjFJR0lGdG1jYk1EejBNTFVwekJD
bE0xR01SNWNib3VyRE52TG1hbFYydXcKLS0tIEtkaW9RN2lqYkhwR29JZm9QcHFM
U0hqelgyTWJGUW83emttS1pVYzlNOWcKWp+wQH8iZH6ox+unG6Qx/2vbG8GeMpCa
k3lUrtyqEKxw3V08FA1gWvLF8XWVgYGVS1jlZFypOVLbl5Ig9l+VDg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpM0tHclk4K3ZTZ2VyTk1i
MXliVmtmUXBMWlFlTjZHeEdEbHArUjJwMVRrClViKzZJNXkwMHF3bW5FQUxROVRF
UTdadFdseVkzaUpvMnNKaTZkVWNJSVUKLS0tIGxkUmk5ZmFZOWtlUndJdjFSL056
dXh2bG04QXR4THB4WFVSamY0SWpUSGcKwYArSMUjLm7j4+0vdPw8x8WrfIMEvJz1
K8Tqc2IJ1KfH4GGcOveYt9UcgUrzuvXsSnPydKWnc86RuFA+X6Qixg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmcWsvN2w3MGp3M21xc3BT
UkVueCtwSmdRNjNXNFdYY1NBTUF4Y2czVFVjCmhzcnpKUkVvZGRzSm1KTGs2SldW
cEZ1djNGUWpaek9lRGFkWVlqSHJDWmcKLS0tIHY1TU1FNm52clhZNVBDOWtrOXI2
b0RWamMvdWMvS2tSMnRTcTFlV2hBdUUK2RMSSn4WBhBiv5k0NNoXdwjPJkueOoXu
OXEeslquRSkZ+f/BpbhzFTXRzlQdLA9keMTcM20SK1IBuKICkJ5eyQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsNTVGdjJ0dGE4aHBDbjRx
VWlJeXEzVkF5MXNmN2VNUnZrZTFuam94ZmdZCjZiSXpNZTk0VFVuck9ac3hDenZv
djZrbndYTjREUG5RSTNFNnhLTkRWSzQKLS0tIHR3L3BDditLcm1BMmlLcWdGNFFt
MGRBaFVjTzRNaXlOaGtvUzlmanZTb00Kb/RJFiSQ9XlRAfjrrncoJlDnQAJw9LI3
lXX0+BKL4fz8VUFY1dqcuDBSuvssADkDxU4X6yaebt/touhXJ66A8w==
-----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWbDlZMlcvbkk2WnJmZU1I
djR2UEtqbUlsaVVQZjk1R2RjbVpTT3VQVVNBCmV4aWVLOFdkdnhEaWgwU2FzbVRL
ZVVLVjN5WVdNMWtxbDcrUGYzZ2xNWDgKLS0tIHpTdExXbXF4V1pnSzBMcnFoSWF4
eU83ZVVnblV0eE5ia3QrMndDNG11MXMKF+iGOD0KKJV7YgxmI4ucHjvyGu+0EcIQ
smjK+ENxzkfk3yFICjkiIQSVBygvNiV97oPVpYeYGnhyiH3xefgyWQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWUVxVGFobUxZV2M0ZUx4
NkpWTTVYZkM0cmFYNFJXYkE5SHJaaVpvdlVNCkV6UTN4c09ZT1RkVE1EYjlVZkhm
Y1ltSWpuSW95SXVkb3pyUVQ1ZGJ2Q28KLS0tIC82WnVsQ3RxSmxaL3czRlI0cTJV
OFd6VXJZUnZkT204Y2locHVvb3VpRHMKg9AMO4e5qGgSno/8FWEseUW9bQmfxVS1
UOYzIvtmAZVuL0uxrz6b9TwOv0CooP0+JhNOjcuFzcbMCcM1CQgwvg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGUWx5YWhHbWFZeGEvV0VL
TnU1akp0WHhlczQwbW9LZ3BTYlhFSUVlaWpvCnFsZFFIdXNubGRyQkFnNm1nSUVQ
d3Z2WUwyVjYraXRxV3NoZVZYbVhyQWcKLS0tIG5LV1hDRng4aDd5eDUzY0k1TXQv
SWNzRXgwRTRvL3hEc3ZvVGFiRTQ0UEkK/9vK8sXbEqxQ4KCxzMeFHmqoTSLd/kx3
JBt18+XISrPYptEekZTV6obp2GKxpHDj0LEsNpUIjPWmIbT6gInHBQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjVFJDbGtEeksrN3lKeXJF
dFIzd280SXRwZmVycHl2YlZ2VEo5dHhQVTE4ClBHS0lKd0FaMkNZT0xlVUF0eURO
TDZ6ZWJBRmtNMUZFN0FqbEVtdUxjYVEKLS0tIHZOTUZwUVdXenlDb2JxUXE3TVgy
UDZMb2xQVGIraDNxTy8yZDV2cEtHc1kKyjdLT8YcpB0yhXugPcN0scRiiTvpaF06
AoBdKBnxWHn1EVuypo75gOvKHwUMDdiQY/WUndQdlNOihDjzCSYGUg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
- recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZmFZUE43L1FzTFltamdX
Uk4zNUtjMmlwcFVEeVB6UmFjWHM2OEpMaGxVCi9HYmFOVjl4MDl1MFAzc3pTbWtO
WHIwV0labHpmYUFFcWZwNWdrN1dhVk0KLS0tIHM1VENSWWtUN2hFa1hLcUJjU1VJ
amJ2K2xHL1FwMlErZitrSXRwek05TEEK/KDJHIOzuMCp1xON6ZYsgMKbYIQ5MAm8
W5U9PDE93js7j8lR4dTq2AASB+U5nk3I0MPPrcqhHkVcsSwMuKYSUg==
-----END AGE ENCRYPTED FILE-----
- recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmWHUzSTYvaWRQc1dhWEN2
d2JwdjFldkRzbi95Q2JpRlZFaUVGWFU0MUFFCmpaaHdQbmw0Q2FVS1JvMkNYSzR6
aDRCRVI1NU9jRXkwMndyUzFwL3BDOUkKLS0tIDFvclN5eXJTWEg4VGhDVFpFSHdV
V1FlN0JOVFBXZ1A2SmxZaGkvU0MrU3MKuK+c/lbMvzdREphCn46IvL8X1iOw4BwB
9FdstXHyEX8OW0hFl35ZCNvPyd9pwO5fK/sObDrZ5+aCfFE0MbFbyg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArM3BsTUhJWTlXSitXN2NG
cG1LTWs5MFZYV09Ga3JqREdmZ2NDYVRHa25JCm4vNFZXS3JQdTEzUmxmbld5R1BD
dFFWM1Ivd1M5dTNJbExLZThNYmdCbE0KLS0tICsyWmh3bjZLVC9ZSUxBVlpkWksv
WXpaZDkyOFFnTkYvVDJjdjJGeXVSZGsKjJEb7JlXb8n/l0j32ixReFR+UJm59CYy
QyGCeBuAWOpeDw5d4jA+WikFrRRAJyiTcvsVi+PAzzqlOAlT0+/KrA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnK1N0S3pDa2tCdjhiMGJJ
T0lDNU9YQXN1bkJuM1NUUnFzeGJBN01WTEVFClVVNmNTekpOOHp6N202L0NzSno3
MEwvMUx0c1ZmTFpscFlTM3FDR1VhOE0KLS0tIGM5TjBiQjByWkMwY3lhQm5CVTZJ
K1pPUER4aVlmN0FKTElEOXdzbVlRMVUKaqTcad+P1DfUqEhD7YUdsGaIx2H4IMco
Kh7lk0/ppXFmcRAKWF3luwdLkaebkFzx56MZjJGroNmMvkR0fMUv9Q==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjSXg3NUVia1hkK08raHRI
VmlMRENkMHB4bkFJNGNiRGlLUitSQzVrWFZnCkZPWTI4QjhiWUpaYkh2NHZwR1dG
Z0Zub0JSdWwvM1ptazhUdWpxL3htR1kKLS0tIE91bWZObHVRSmZNNlBJK2FZK2RF
UnBtNmlJbnRYRmVyQ2hMcWNxSjVkVzQKZ9+hpZk/VnMKaVEUoajfBfMjkqz1PbVl
Fy6cOfjXzGCtx8vsU3TNILy+23M6e3G7K6ghHnhO5kL4StAY1PTR/w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5T0syRFJiekFaeDRsY0FT
NE1DQUgwK3NQS3lQRGRTTXFQVEVkK1pYYkJnCkNWQ3J0b0V1eXF3OVF3R2JjNEpy
U3libG9INjl4K2VEMHpMMHdRYVViUkEKLS0tIEliSUFLWlhmblFZWCtRdDRGNlNa
VXhhd1BLcmh5TnVsaEJaOUJURG9VYlEKeFta+e5e2EiJCSL7CMrIoYwyAnCeybEq
vYfgMETwNaAh/AfGS1mdEABpK1tWi1H6Uu44g8OWTiszjQ09shb76A==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzZ3JDSGZ5WTRybGpVdG1Q
Y2crbWlQMnAyQjIzbzY4RHcwV3pXdGVzY2s0CnE2MTRLZnRQakU1RzVlQ1NDeXRk
U21mM0ExVzQ2QllOdTltQlpNOE5EU1kKLS0tIEtOa1BJdnRVY3FuZ2Zlb3g2ajhN
eTRFakI4MlRBbEJKbXBHSXlBWlZJMmcKaeSAhUZHIlXOaKqnRcARJITwQdJLFbpt
Hs5sshvnv+EZjvir9L0EgRtgpUmnpkl+mGnQxaBW4YVf/iiQYTyHsA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-18T23:57:27Z"
mac: ENC[AES256_GCM,data:DrSjFv1jbSuMO2QL6h8h8ln0Y5VBDBSrqC8rvaLZHkd8MOF4IPsjQORN2coZJNNvOpGhZsTiZ2prBBCQfqGRI+QWNlGTezOfWCZpFa7Fkp7g8TXZQmAkvrpnkFYgcL2JyvN5PrvL1j6gK4+zP7ohjLk1+v1VbYOPSab+N9ftYRI=,iv:VDGLfHXC0/vIue1kIKTGxK5x0CskAyG0CcNUOmHEXfc=,tag:CWXtliE0nCSiiW5O630A1A==,type:str]
lastmodified: "2024-07-15T23:16:58Z"
mac: ENC[AES256_GCM,data:61nap2R6vs3XTFECmq5F1rqPE6eWZyM50dsYtNMfAAWQU9D9cyaDEx6bKkwMyBpxSQNHlGJWoglwRvZH2wQsLB46sdR9UNosqJZD7RRRh/RzkY3SWW6vHeP/YgnfsGgPpMWleBI7jnH/4EMoB8a1PECZiR7L/8BIFDlmdklbJ/I=,iv:G5xTBn3oFBLJHIEqGsghAXrZc115eGwWBbMLBOHET6Y=,tag:bnZodcvP+6nbc/yFcQVogw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

52
nixos/modules/nixos/services/glances/default.nix
View file

@ -1,52 +0,0 @@
{ pkgs, config, lib, ... }:
let
cfg = config.mySystem.services.glances;
in
with lib;
{
options.mySystem.services.glances =
{
enable = mkEnableOption "Glances system monitor";
};
config = mkIf cfg.enable {
environment.systemPackages = with pkgs;
[ glances python310Packages.psutil hddtemp ];
# port 61208
systemd.services.glances = {
script = ''
${pkgs.glances}/bin/glances --enable-plugin smart --webserver --bind 0.0.0.0
'';
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
};
networking = {
firewall.allowedTCPPorts = [ 61208 ];
};
environment.etc."glances/glances.conf" = {
text = ''
[global]
check_update=False
[network]
hide=lo,docker.*
[diskio]
hide=loop.*
[containers]
disable=False
podman_sock=unix:///var/run/podman/podman.sock
[connections]
disable=True
[irq]
disable=True
'';
};
};
}

87
nixos/modules/nixos/services/radicale/secrets.sops.yaml
View file

@ -1,6 +1,6 @@
services:
radicale:
htpasswd: ENC[AES256_GCM,data:O/bI1CUdpal/aJSiLaWtDQ==,iv:iJ4WrQ2vbjRlICcY21R6NGmtOZwO68zANQv52uwm74k=,tag:c2sMcVCUWOjSALNITdx1dg==,type:str]
htpasswd: ENC[AES256_GCM,data:5ddA5KQfwz19///HzOsWfQ==,iv:RF0x0m+ODyDjQhn7eSBEXu5Leg0EvpMvuLVErDZihAo=,tag:HhHzXcroFshr1H/ditMARA==,type:str]
sops:
kms: []
gcp_kms: []
@ -10,77 +10,68 @@ sops:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyZUxOSWd5TnFlazlXcjUv
RVBjM01WRjZ4R2d3WGhQWHNheEZWRkdWcWx3CitOekFGZ1RXL1M3QndrWHUzUFNH
QkY2dnYyZlhFMGVvTzBQb05oTjFFZ1UKLS0tIDFYN0pQTHBEMUZTU3QvOEJQS0Rh
Z2p1ZFVvVVBBZXVwTkhVZ05nNVBOQUkK7qFuomZfRvwFXTUc6LWWT10Ws8xIDcCj
AD/HSc9K+lEXHoTNmpHZyUYGnxJljnDNB3d3FS4pKbHujvhvMXwfPQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UjFGTkNCaHVEK3ROTVBO
OUxrcmhjR21YempEZWVIOUlLYVNuMm9XOURNClJkbVZ5MEFmL0dhTWgzNWtYTHUy
SUlyZmtYTXZmWUx0V3BGZFRjOTcyWVUKLS0tIDNVSW5ZcU1IdW1jRTJucUxIdm5x
TmIvZmRRaFh1clkydDVlcWxvVGJkOGcKFpeAAdv1pi5AixsBKn/0Zo4QRTNBrKdm
8Qy6MVZg8HTf/CezK/XjkAoiB5K96fATXTpdZqZ7jfcuYLdpfEU2jA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGdnRKZUk5Um5HYUwzbmhL
K1A0ZW1YN0d3WllNb28zeDhzS1ppWXhleDBVCmMrRk41WlM1RXN5TkVnVVRYQ3Ev
c2RTeVJ1ays1bzg1ZGozMWI5ZWZ1ZHcKLS0tIFRKRlhFT1VwY2lwbUhRd3A4SEds
Y3BFY2lpQkExL2V4SjJvU3pTSW5WYzAKO8GMLDaoDrxdZzM8unYvq3/OteDGIwra
dRd8c6b5LSoC63Y59WftmmasXFRNrZHZX24vwgwReKapnWmqtQTgrQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDQlRJNlhhdkNLcjRjaFZT
YVZJdDJLeFYwMzJUZlllaElPazhPaE14YWlRClNBWDVkTWx0Qm8xTExyT2dmSjRP
VHdNM3pwQkNXUW5xVTZlVC9YTFFodjQKLS0tIEkyQTVHd0pqelppSXJ5SGpHSVF1
aUd6ZGhaU3BsdnFVV3NqMDkwbDdVUjgK1BnXUPCCo7M/sdpGfLOOJ5AAjyI9isSx
9WJ5+WmNxygzBDczPjJITBrvZMGduAxWqQP/FrLe9rQ/RA3DGJjThA==
-----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjVFJQM3BnU2hlTVJvT0RQ
WHRVWkJEd3JacnlVSStQYVU3c2QwOThPOVhvCjZOeEFDdXFzeWNoS3JTbktFMDJV
ZDJKV2RlMDRiTW0vRHRBUUhCUGlPUlEKLS0tIGxWT0VmaUNGMXk0a1NYTDI0WDQw
b2hjeEFPVGdhek8yVEcwN1BzVnFQbFEKNgwnchYNz/afrg6FeFlCikMIaCfsEMYK
PHmfIiM64XReGZGsKL+gxIw33yszbyeOu0vr26tqV3HU/QUE7f19gw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKdWdJandiNXJhMUxwSm5p
eHh5bmM2MmF6d2MvdjBXYmhyZUgvS1V4L2pnCmxDYm1VUi82byt5SFJ6aHdrNmp6
dENPTmgvVWZPYmZtN0s2VG8xNHplT00KLS0tIExYcSs1bENBK1NFZUluSjFCOFVp
R3lmaUNyT0lyaWlhdGJySWtLWVNqLzAK28Nd/WUDXXW2BXhLvZpzbOU7kSoMRPaX
jqx6VRHBcgXvPJcYh1KK0nnxo6+DlLeTXI/ai3H6WI3TbQHNmoLEGQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzTEpra1haektoVFNpMkV6
eGVkQnRpblV5amdMaGZJVVJiMUV1VEYwYkVvCmJZZ1ZvWTRUOVpYRnZkSEcvbzk2
MDZ0MVl5NmNBQnJ5ZkhqejI5Nm5URDgKLS0tIDZPRURpVHp4Q1NsRG9ZeGVqRU9X
WnJ2ejZrZ0hOdDhxZUNnaDhOWVpzVFEKoYnqypCuLKT8OUbtRk6yN9UfWBqbznzE
DgCHiOj590zXsfRpaei/UYx0qdEmtymh7FivkxSRNYylfcngjYiadA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGc2lUelNyV3BGNjl0STJw
clpiSUZUSTUwbEtZYjcvbzVaVi9EQ1d1WlFFCnhQbC9Lelk0V1RmQTJ0K2ZZazdo
NTZCREhNUE5KbVR0ek1Hd09UbkN2bkEKLS0tIFVyd2YvZ3g2R2dOaEJOcWVWVG9D
b3REQnhvOENGbWxtdER2T05wS2RINTQKRhMiqLnu2Ww098A24fNtfDFSMC/t7A2D
qcLdhazNwKvzCSOW0i+EYsG4beWcqLyDFA5dNpGWyfRYSh3QJWTdmA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
- recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2QkpxRHJYTEo5cE9ielZl
a1NYUllWYmp2NzZZejJtby9MRkF4ejNPWmtNCmNDMWk3cGg3eVlYUXBCTjg0TmdG
akRwVFZxMUZMNXAvYzRSYkZlamthVlUKLS0tIHEzYmg3eTFveWppbzk3c3FHM0pn
bTZ4K2xhN2xRU2VDK040cGpDbjVmVUUKuAsZczZzTWKKxISxWOaxjzxM6wLnsbpT
dxCkcqbjL8tWs1hACsWhJ4cNGNP7gkF+9RELZvvAHgSMrlpMv7Y80w==
-----END AGE ENCRYPTED FILE-----
- recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtZVhZeVdXVXRSWi9tMjRv
dlJFRE5NNDZZdStsOUdmMFZBdC9wL2o1S0hRCkpPNE5ic2t2UHdvanJ5bTdheDk2
SUhsOTlXZnkrTkRvUXRaZE9SbW9EMGsKLS0tIHRZK3ZBQ1UrMlFGWEdIblk1YURV
VUJaWXhJMy9NUC81SjhGR0t0QnZPSDAKnQe+zUSRWvfjwr/c5wIkw/alXelnIK+u
BmvB/bps060r8GWIGYsN5mVzBpLAYwqqB4ylpjoLTfhAx3J3A+fRCw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsdWNXSks3MEF4eGVHREpp
VllDczcxbThRYUsxZGhHR0J5TVoyTmFtdWpNCmJHbG5UMExLSHh5ZkwyRDMzc2N6
UG1WTnNyTTdldHFDa3VKOG45Q1RmU0UKLS0tIFFXKzZHTm0wTVpheEw5RE12bWlo
NHFWWlRBdmRRWU1DL25CRmlVdDhhRjgKutzYioPd1LJvQdo/FQ+hQznRqsIhSGfn
c2ZwmE3QgPRhfh1CoeoK+iK/STVlrb8DEPi5VPEOz74+kbr18v+K5g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaa2hQWlNhdmpZNHkyQmJI
WGwwZitJaUx5U0xzdURjdlFpN01jMWFvRUZZCndMcHpNclhoR1NXZzVNOWtlY0JD
c1RSNGVzY1RUa0JLYng2a0w0bFozNXcKLS0tIC9Sb0k4MmpaWUVqMkxUbHlEdlgx
M0hoN29oY1FVNVFGZFVyZVJTM2owYjAKsnVoccpgW7RPuJL66Q9iCOG5GZ41K65e
7J8lGbHkalzX63VGIOgtvSViIXIeQxw9+Tmf70GQUqcM6czwX8fu5Q==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhdERIZTlEN3NRK2R1WUJL
T0ZScVpraUdaQWE2WU4zdUp2Rk96T0xzcGhnClNWSGlKODYrSVBlM0V5RkVaMUt6
YUJIa1NnZTZhM1ZXOGp4ZHZidTR6V2cKLS0tIG54RU91dkZEeFB4WGdaSFpQTjlX
NVF3WGdGZmxxMllBQVlYQy9zTE03VW8KE9LaWyGBs7vRBjayY+8XiFDq0uFQIFfy
AqeVIQIAlt6EKXzUwCD/otHgCAJmI1T/2QNc7x34HjgQi1NcjZzxJw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHZWxZWk53cHd1bzhjVmZF
TUk4RmhENGMvNzZnREdKYU9TTDZzS0Jha1I0CnY3NXZzVlJhTGpVNi8yWlZ5SXN1
Z3I4b3BOcGtpek4vK3JzV1JUVWVMZUkKLS0tIHJMOEZraFB2WXdBVUFDUisrMzBM
TUUzcW1GR1JOcG4yMm9EY3R6WFdTeEUKzJerRRS/5eCDOhOxHEB78qiVOx++z4M/
XOEN6X0iDUBDfFJIqtMngMjU9E9DlRIYetMOYLxTpxmdKiv3Njyh/A==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOdXNFbGNLb0RqZXpQcXda
RDd5ODk1QXk5N1o4Z2N2dytIWlMvVVVSa1VBCkNLSzZWZG5rc1N1d1hQQnladVJ6
VGwwSmFkVU9GYmZyQjhiK1ZSNWRrVG8KLS0tIFkyM0FDNUhVK291eGl4cjNTSnRk
bUs1eUZkcWJYM0NVU3FDMDFKNTNIWUEKbfdIAAfRNO5OXmvxA4az2be6O+aSIzfL
lHfQwH+07owhw6K17vJaKlOVGlpTLVpW88497ILCoUrcH9QbVnGAcg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-18T23:57:27Z"
mac: ENC[AES256_GCM,data:f2p4VkJ7RLGPBbkkesqFKNIVow+/7MobH+AqnELAguGxlMAt1XZaU1cLfyMy1RQIrT0UmUV2xjRf/PGXBVNOTK+A2M0zoI90N8daTvk2xrEX5JVNWycgKVnQfztIgUAf5LA+tcvyWQ/Z/sIN1aGNfbl1tCSq+U+3xjIxZ74qmuw=,iv:wcyjoKWNFLb/jGclNWbHP7wwnkz29iINSfKblqhP+bI=,tag:3RrZXX9pAWQG05ZPI5A35Q==,type:str]
lastmodified: "2024-07-15T23:16:58Z"
mac: ENC[AES256_GCM,data:mgsfpMzhJ0vaoxNTbfXcVZ395e79wFGTK7YmYZY1nUOrTFP5NO8xUB+A9RlnUVrgKEV6eJBLYah6LX29fjwcllgT3aJnk9oFf32PxBPaYxg93m/L5a1+8cHbYn9JqQcPzaqmCCqT1uK5DphO2ztxKqlBhzEhx4UIfh5hBkyu3cI=,iv:n1oVTFkQriDMdRqmcUNApqzfaCX/rGNhzjGPAgPTK7c=,tag:E3uoBzPxhBk0lBF5GMhNoQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

91
nixos/modules/nixos/services/restic/secrets.sops.yaml
View file

@ -1,8 +1,8 @@
services:
restic:
password: ENC[AES256_GCM,data:QPU=,iv:6FYmdgpKLplg1uIkXNvyA+DW493xdMLsBLnbenabz+M=,tag:SVY2mEhoPP/exDOENzVRGg==,type:str]
repository: ENC[AES256_GCM,data:VGtSJA==,iv:K4FnYzTrfVhjMWf4R7qgPUCdgWFlQAG8JJccfRYlEWM=,tag:43onghqVr44slin0rlIUgQ==,type:str]
env: ENC[AES256_GCM,data:TWUJ/GE84CTiLo1Gud+XsA==,iv:gKC1VcWnGqEwn5+e5jIqsIfipi3X2oHGvrG0rgqQl9E=,tag:QIBfXblvSDxAVYbZGAN3Mg==,type:str]
password: ENC[AES256_GCM,data:PMY=,iv:GzQOdFF+rDY/WN3uZK7FV2++o2Mh4fnhzHhNnzyiJ4c=,tag:GhnZYmvoaDb3wSbHA50DkQ==,type:str]
repository: ENC[AES256_GCM,data:1Ui21g==,iv:qC8f3+nYS9HTF5WqFfiKjAFY0tSQhL1XU6sAgIK7vCs=,tag:ykOm3Tv8XWbqDofPChvHuA==,type:str]
env: ENC[AES256_GCM,data:tfXFwJZkdFrhwN90u1tT3Q==,iv:ShVllR4+CNOURMwCIF5ionQZEs6Zv+GCQOwpZ3cNlIU=,tag:udAASv7SH635dqNtNf4z7g==,type:str]
sops:
kms: []
gcp_kms: []
@ -12,77 +12,68 @@ sops:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvRUJEU25EaUhacWFBOVg5
TWI3NmtkWFpONHRVZ1BVSVRsQzMraVdmblFBCmd2NzcwMGRTMTR6ck9lcGZSQmVi
dHlFeS9RNENKcDEvS2FiRTVrYjVlUGcKLS0tIG1VSW9sejVWZmJHQXlIOVpLMjds
SHV6U2ZhUnVpQVNROGNjNEtZZXI1bEUKXjSwBNA8ylfo4CWlefFfajm2JdYtjUVK
bqXlIH/nG+nQ+I4Rj1XHo7hAuxCatuN0bGVBkSlzqIZk58/JladwFg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0QStpWFFiTDF0dkMva28w
WGM0TFdOY2VhUGVCTjh6ZzFycmZkci81MWtNCldGZksxNHR5MnFmQ1ZnMVpXK2xo
OWltSjQ1OEN3WnNqK2xTN3haYWJWYkEKLS0tIFJBSHhSNWtxSkFYcFZrL1o5dGxX
RVFWMVJXMnRQdWhFSEwvOVVicG50ek0KMJYN1Xo4Y1QgPGkGcglXa7wip9u8gOeG
E4e4s9upSyjZTKOe+6OOnYXjVl3uc0SJLmdjvQyqqMR7SnOTqjqbfw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMWis3TWZ0djY4YnJNek9N
T2VXK0IzaStkMisyaUs5MTVHeXY4bytoUWdnCmlmTmRXRlRwOUZVQm5aWkxSKzFB
UzhtbWd2Q09sbTJPeDRWeTFESkcwWUUKLS0tIDVaN0d4UGlTZUhIaXVKaXJRNThS
algwTTZsVzNTQngzVUwyU2lpNll0bU0Kjz+34mvPPAfGUQKMH6LXawGou9HjBTjJ
p9vxncB+7ykvT4e4Z0PpPE/Zo5yvi9rt1T8bZ6dG7GA5vuE/4BarCA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIWlNFbXlONEI2L1NhOSs5
TXA0dERBV0xmUDlHN2FDeXBKZ3FROEE2d2cwCjF2aWZSbGloYStEemozTkJlelZS
TC9tMnNDL05YS01lYWFlSjBDMjBNVmcKLS0tIDFYVSszTGVpTWlQc2JFNE5HTGQx
allaTGsycThSKzJPT1R0TjhlZ21tYkEK5eFfulRlIjh0j/n55uCtkgTe9Y25Li1k
TaMfOiS56aeDBVJx0x/glR2gvxR4yd0si1fPijsbP2179JqE7zFNSg==
-----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByK2FNS0tJaTdRQzA0VVky
aERMTVdqRzBwWFV1WFJJcVRKSTFIUlh3U0E0CmFKZm9jUHBpRjJCZk9PVkNWVEFU
RURReEhGNTRmWWpLa1ZNdVFHK3FQQWMKLS0tIHcrMTBiMGhlcFc3RzlmVEp2OEpX
ZHZLdXV4a05NaGRmR2Z1SkZCV25kNUEKHU1v1OK0d2ud7QL+gEoA8R4Z5YgVSP42
IvnEQxjjXZjC4p+OjFErKcWrVb+3DGzqF1vngJVrXmIgOx/SZKTa/Q==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4YnZoaWIyajVLYjFHT3NR
UTNNY2llYW5mWjJIejhCZ08vSGQvWDZiZ1VRCmNMeWdGelRod2x5NmdhS2RVWGhl
RmxhOGo4OXFINDgxbjQvQkNpakVkZzgKLS0tIDNNVFRmNGQwWmJKYUlFN3hNbVFw
MXZoMXFkaXhCaHhCclZrb2R1WEVjSjAK2InKsgvBb6tI8gUZYwfGAYOly0pa1mFK
kuQyj0VMYFI3O7c35ZpwNmHCtFzxt2rza7E0DGrYpVUlJgOte6Gicg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3MytrUFpsMUVpT3pTNWlq
NjMrRjI5a3NqNzlNV2JlczJRNXNicVZaWVdNCjNnRHM2RGV1SEh6M0U3T0NvdlNQ
a1JIZFp5bHJwMXlNd29DQ2MwckRrczAKLS0tIHdmd2lFZ1FWTFFMUExPeWRXd2U3
RU9UYXJESnAyYXFITTN0cm5QelR2T1UK3XUlIGQED91sUPc1ITq1rXLj/xhkGM9s
R4bsTK5RqpXE+RmGfxeAMP7Om424vjM76l6DU2JkoZietDwR35UA8w==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhZnZKemIveDRTZGhoN3lB
bHlNOVNFUnAzdVBjRk5HR3lxdGI4UWdDTFdFCkUzMUdEMXk1dVppdTJhMmgxRjBG
UDl3UzlhUi9nOS9WZW5naWhyMlN4NWMKLS0tIGJVZndlOTBQMjM3dEROUTdlQzEw
NXRkOUhDaTU1am0wbjNXWkVOMUZsZ2sK5uOwOezrleA+zwYcDYjBdGQXRI+27ZLr
850yLNtKO248aFX128JTk5+J1OV5Dv4QYRbzGfpb0/mK0U1uTXLm1g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
- recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjc0haNU95V3JRUlpuUjha
SHpOWThJWVMwbElRaFcrL21jYXA2SFBHeFR3CnV1MkRxbG9QV1dWdjJxWENtQk5L
M1g0cDJXRjN0VFhiRXZKbG1yS3hXaG8KLS0tIEtScWorRENpbFZWMjVXNnIxTTdi
djdBdThNMzFZdlI4TVBJSjdxeXg0VE0Kcwsa/et9gMSlm46rt0vZ/dFy3ZCZQ5Oi
WLJ492+srIeE47Gpye2jN2XAmM4exCijYkZeQvPpLIFvBFmQCK30hQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMTDI0QXZaMlZLUW9ST0lW
Q1M1ZmlpTHpvM0NHejFSNEx0UUFnTVJIN0U4CllRcnVpUjFqOUZRRk5CWXZqT0V0
YWwweld0TE9zZGFmUTVDVVl6eDNETzAKLS0tIGtEanVWTHgxSk9Ld3NRYndOL3dZ
WXJrUWtncDZjVE50dmw2MHRCelpzZ2cKfLIQbrTsVGXY+UZCC5p/7+bXKHhv8nxt
dvvr+VGnH57jmELqSUoWOgefJ6GFNcCoGSYHZ9cn0UgvhZgx1Wpoow==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmdU93TEgwVHJSeWJmbGNv
bDlQZVd5SjQ2eGJ0ZjVYVE9MYnRRZmp6czFzClZvVnFjd213MlU3b01jNHJGWm43
cDkxWVh5MTEzY05lVlg0TGJWbWdvYkUKLS0tIEtqc2c3R1JuOTlmazYrSDdlZXJs
L21nOU5oZjVySGdJUGpGUy94U3Ixc2sKeHKCmx5yxHprbCq+76K5MNWVZJjOs+ck
QiTxxYKvdI7w2cCfyn9l9+dLcMqlqxdRLnoX99oi2ztIDHZEVEmqsg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRN2M0VmVCQ0JaNVhnRzBj
Z2Vqbk9GZUtaZlExYTRPQ3ZJWHIvU283cFRBCjExQnJvZy9SMndJd0VqdUpCSDFJ
ZmJpVFJ1em9iNnNOcnFTQUExeGZESm8KLS0tIGdnWXNtNEg2SHpjRW1mR28vVDRv
VFVRcDh0TlVXR3pYRk1Ybkx3MjhOaVEKsViUc14dePdnukQa3ud/EesnvZL7OCM1
HWJYP81C9O4mU1kwRYtC0lGxMQX6aWiFZ5e2ImSi3w+mBP+KihfmBw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhQlNCSytZdTJQbGN3Y2U4
NlIxSWsyeTIvU0ZrVjhqVTl2K1pMVHN2UXdnClhCU2djUkZGQzRzYUhNNnc2TmlS
RVVrdkdqNUxQdGhCYWwyc3NLQ2l5bFUKLS0tIGVxWm01eU5zb2pma2pUU3VPbmxW
cW94Y0dBZVMzbW9icUtyWDV2c1N0ZU0K77jXENggGEHpoe6qQl5O0sBbycrmlPoo
fnIMedUGzXpzYRV8cyKnY1sFGwyU2ymGsUff7cIBablwP1/MAKRJmw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCUlZ1TER2anNCRHBKQm1v
QjhybHFCc1dod1djeWxkRmhBSC9YTW5IV0NJCkM5c3hkYWtLZnJHNVpPYUh4TzBR
U3ZaMEdSTVNsenV0RVorTTZMUXdYT3MKLS0tIDV1dWxjbXNtekZaUk9xaVdOYU93
UUpVako2MGVobTcvNWRsTWMwZm5ZSVEK1uI5dVSI4vY5hw0oxj21mJYoZB2Jq52z
e+RDvcyBFRsS+238UCVi5qDdA8DcnQ2uRiBxKDGC2P3RoVU5TeCfTQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrdm9ZNmdvVnhROFZvVVhu
QkJGQ2J5MkI4VjVLNXNSL2svbnBKZUJ2Y1MwClFsQ1JQSEhlK0JJbTRHNzBNU2tI
aDl4eFhMMlhib1QzZldUcnVJdVZMSFkKLS0tIHBoYXVYazk4S1VpOE0vV2tqL2hC
N3JDRm1OMFFobjloaXBNNENrQ29BeVkK/aAtqd93BGI5q3bZHydLxmVp6iBgfNUE
nf+dZioVWVdoK9LSpoREFuOQu4upZ3MjxkClO0hjBJwaACElPrUF2w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-18T23:57:27Z"
mac: ENC[AES256_GCM,data:88ZnGTkV1xxZO7UuVm5clZrHUMeiqAG++4X4DbCJGwqL+VDagYVhsui1+PzN62h6TgXtARecHON8TXd8z/NF4ekiY+LAcMC3m9x5AzmGYa7Qd5FKht1O6RfRORBDrojj251cqCifDxeGPq3C/X4Zi8Jg4KTSk1lAJoXMsqJQ3+c=,iv:8NnKOlzXD1jRVQ/tgoChEb0YY18Y7VpEiq85YhupTws=,tag:eUbLR66sNqQ2VIQW0/CBwA==,type:str]
lastmodified: "2024-07-15T23:16:58Z"
mac: ENC[AES256_GCM,data:Eht9Vth1XVzeTCTyS18neiLthQF2c1DZkUkrYv01v1nC6tRPnWPd6+7zPQsQbdUuImwEthFpGDtNY0DLqwuZ9NWWhtEhWspUK2QKxNDKdP/aDT5rnjcf5tvyDK1EGnvTfp/fbw5I+z1mQYfrrUrQNVn6eiZXO+71mF9zoQLu/C0=,iv:TMnbBm1d5BSC6ywdwR4Mmn39qyCEyjSr5ndwtcwQk/k=,tag:qcAjLJl995bSmJtzGX7VbQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

46
nixos/modules/nixos/services/syncthing/config/default.nix
View file

@ -1,46 +0,0 @@
{ sops, ... }:
{
gui = {
user = sops.secrets.username;
password = sops.secrets.password;
};
devices = {
gandalf = {
name = "gandalf";
id = "2VYHSOB-4QE3UIJ-EFKAD4D-J7YTLYG-4KF36C2-3SOLD4G-MFR6NK3-C2VSAQV";
addresses = [ "tcp://10.1.1.13:22000" ];
};
legiondary = {
name = "legiondary";
id = "O4WI2YC-BZBPF2W-2ALNQ2D-UOP3BK5-ZDSEHVH-DIHS2FG-BSVJCXG-GF47XAE";
addresses = [ "dynamic" ];
};
shadowfax = {
name = "shadowfax";
id = "U3DS7CW-GBZT44M-IFP3MOB-AV6SHVY-YFVEL5P-HE3ACC5-NDDGAOB-HOTKJAC";
addresses = [ "tcp://10.1.1.61:22000" ];
};
telchar = {
name = "telchar";
id = "ENO4NVK-DUKOLUT-ASJZOEI-IFBVBTA-GDNWKWS-DQF3TZW-JJ72VVB-VWTHNAH";
addresses = [ "dynamic" ];
};
};
folders = {
projects = {
id = "projects";
path = "~/projects";
versioning = {
type = "simple";
params.keep = 10;
};
devices = [
"legiondary"
"shadowfax"
"gandalf"
];
};
};
}

57
nixos/modules/nixos/services/syncthing/default.nix
View file

@ -1,57 +0,0 @@
{
config,
lib,
...
}:
let
cfg = config.mySystem.services.syncthing;
in
{
options.mySystem.services.syncthing = {
enable = lib.mkEnableOption "Syncthing";
publicCertPath = lib.mkOption {
type = lib.types.path;
description = "The public certificate for Syncthing";
};
privateKeyPath = lib.mkOption {
type = lib.types.path;
description = "The private key for Syncthing";
};
user = lib.mkOption {
type = lib.types.str;
description = "The user to run Syncthing as";
};
};
config = lib.mkIf cfg.enable {
# sops
sops.secrets = {
"username" = {
sopsFile = ./secrets.sops.yaml;
owner = "jahanson";
mode = "400";
restartUnits = [ "syncthing.service" ];
};
"password" = {
sopsFile = ./secrets.sops.yaml;
owner = "jahanson";
mode = "400";
restartUnits = [ "syncthing.service" ];
};
};
services = {
syncthing = {
enable = true;
user = cfg.user;
dataDir = "/home/${cfg.user}/";
openDefaultPorts = true;
key = "${cfg.privateKeyPath}";
cert = "${cfg.publicCertPath}";
settings = import ./config { inherit (config) sops; };
};
};
# Don't create default ~/Sync folder
systemd.services.syncthing.environment.STNODEFAULTFOLDER = "true";
};
}

85
nixos/modules/nixos/services/syncthing/secrets.sops.yaml
View file

@ -1,85 +0,0 @@
username: ENC[AES256_GCM,data:WSQeuKRVE80=,iv:ci1XiMFsDDx3PbM0sH8ph/twu1FlrI3LSaURp3qaUxE=,tag:GrpaeuVBVK6CqOAiK+F2bg==,type:str]
password: ENC[AES256_GCM,data:Er08gOwq4LMXCiH+c1dPq1eGcVU=,iv:TtYcMYMuIRtsPzT47nCe0SEzpy9byuoBIOMTHWEdJkk=,tag:rIeYTmHDYW44pgntALRx1w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEcDA4MXZCNlk5TzVKK09L
Q0F3bldGN3p6SCtFM1F5dG9QV09uNXhiMFI4CmhFcit6V0FQL1ZYcVJ2UDc3ZWlu
bWc5Qzd0eHBjY3NzRUVXM1V6Sm1tR2MKLS0tIGU4YlNYcGltc21ZbENWMC9TS2JQ
VEhZdklMcUdBUmh5Q1ZXdEtYZ3htblEKWr8uQWvUbu36eD3Q09aKpHaAXkzBCx2f
g9osxa9r8Ih43NWZvJRTQlXdLi7T+oQj3dyYOT3gTL8L8WkbWuG2eA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtMGxrdEV6SUREMFlyK1p5
WFZ5aUs4QlNSUUE2eEJXcTVjRitjdlhtTWpFCll1TjlWMWd3N1FoOWRqWTEyODVZ
a0dwd1RIb1U0OGdUdkUyM2IvYmhyR3cKLS0tIEhhUzdhTml5b1ZaeWNQV2NpUmVF
aHdZV2FWbXpmL0RDTUdjQVBuQnBEUjgKELbs5UPRNslIvZz66Imtf4XfFxLUJkIA
xAbMZeGbW61da1kfb5Dc/v/zbB57T1qZNDE48nPfIMpQBNQNh8/9FA==
-----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBadDFIK1lRR0Z4RVhHRXUw
QldxNk8zUTVOVFpIM1cwV3ZMcXZPcFpTbEZrCm1NWVpsc05ob2FpRVY1VlI5Z291
WDI3ZEZwS25tRVpTMDR5SDlodE51VDgKLS0tIHk4VmhJcWswTVpwRyt3bEcxZEM0
MVQrSHR0WHI0eHVaVkpDZzhqZG5sZ28K2vw5S5phg4UXCeWr2baPdwtHDPM7OaUf
idLK+rKGFLxXWOcgzCJPDvwdIbvrmfueEPf8chmqcHus1JPYKzASJA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwTWY2YlFHVU94NnBuRlpN
RlpMS3kxOUhvTWtsNnVyQ2ExU0YzdXN4ZEdNCnpKczFjWFBkVGhnRGcwL2xRejVu
TGhHUHZzeEpVNm5MVk03Zkp3OFYxNjgKLS0tIGEzL2J3SytvZFp6ZTFXWHF5YlU1
dGZwelk0eWRsM2xwMmtxMWhQSkNVMEUKUSuFRNYCAuodVIVq59mfFDD3NIK3aCMS
WN0/otRuND5kDy4kmTqFil5E8WwRcpHvjZZOAjqDA16DSriZS6mpbQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjckh5R0s5Y0E3STZZbWd3
TDNtWUxGYVZCKzluK1FzZG9VaUppVUFpbEJvCjhtZDA0a0preVd1SW8xTW9jQkdO
cmJQOE9LNUJDa1Q0dFhYcDh6VUxwSzAKLS0tIEd5SkF0RUwvUUVMSW1IY25Oak1W
cHVrZGh6R1YyOStmV2dEbXJsY0U1NTgK7XjhWRazgHzIcsDPIsTV3qrYWhJ6FpCT
5P+HUNSjdv1sv/KbexJgjWgG0YNv+eRQnqtxzZaniaWcn5gp1JlR7A==
-----END AGE ENCRYPTED FILE-----
- recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWU0NnS2E1UzlRYVVjcDZC
ajhwSGxpUzNENXBSSE82empzd1pmYkt5SUdzCk5TZWJna0w4UU1MQ1R3WHVOMDJU
Q0pvM09OZFJFYm5OeHdQVDZBNW1mckUKLS0tIEhraG9YUXYrWUp6S3VqeThpcWZw
aEx6bWNNY2t5UFVwcHdBZE9kSEFrYWMKw40ntGaLDFX5tRK5Ir9yRu4Kbsyl7N05
uyMlyQ20zL0TmsL5OFEuIF3mhaLyu2GgigQaQcGffx/DUJdLRc8Fnw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4SDZaeUtCbWt2OFZRRm9T
Y3l1dzZwU2s0WDlaNXNaUHpFaExFamtSS3lRCmE1VHI0M3hqSDNCanFuR2l4SU8r
aTR6TlhReDJ4SjUvS0J0aHNyY002eTgKLS0tIHYxdU1WSng0VWZETTFiMGh1OHY5
STQyNWUyNDhRTkxVUXd5VHNjZjJjK0kK8SJirqpGCmLCwLlLul6WdAzIWWiAR4Qf
usYAmNmjbHLHxNftB9mGLEumJ8IAB20Ywk5EbujMvhJ0w1R7kAyC+w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhbCtUMFhveWVLTzI3Y21Z
ZlY2UU9vVFplcUVIbk5Jay82UmNxT2lZSnk0Cm5DRHRGMVZSaDZ1cElxWk9PQWhs
SmlRMHBiU1lTNVE2UlpQSXgvSDZqazAKLS0tIGxadVhWYUVOV0Jab05LS0ptendn
aWtiSlZlTUdwMW9Eb1dXUERVanVOaFEKSqRistshNg61yLJIe/3kuisRLuvfVbWu
ZsN/jk357Zv1VIYwmdm80LqI6zCGNzDaP30+Bxp8RTasA3gKM1mKrg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-07T23:25:22Z"
mac: ENC[AES256_GCM,data:ngdpFJcw3Qq/G7MWJY4Ka28r5tAobVlPxkQ+ve1MGd4SHKhUMRTA3je7kG+2zB/muQKtZ+SNolFJF4KcCtCOBaC0y70eJcFbGZ7g2iXa8TtNnW53PRpdWPYjJ5BhGbdCcJ3KKNcO+nT/PWIC1JTP6vp0j0aghLlYrm7Bq8+cAj0=,iv:YoTnZcxbn4Mzh+5lGQSr1OxLdyGUtGrnkt/KsNSTw2Q=,tag:63wotwyZVIqnTtZGW47jRA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1

41
nixos/modules/nixos/services/talos/bootstrapAssets/default.nix Normal file
View file

@ -0,0 +1,41 @@
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.mySystem.services.talos.bootstrapAssets;
download-undionly = pkgs.writeShellScript "download-undionly" import ./resources/download-undionly.sh;
in
{
options.mySystem.services.talos.bootstrapAssets = {
enable = mkEnableOption "talos.bootstrapAssets";
bootAsset = mkOption {
type = types.str;
example = "http://10.1.1.57:8086/boot.ipxe";
};
tftpRoot = mkOption {
type = types.str;
example = "/srv/tftp";
};
matchboxDataPath = mkOption {
type = types.str;
example = "/var/lib/matchbox";
};
matchboxAssetPath = mkOption {
type = types.str;
example = "/var/lib/matchbox/assets";
};
talosSchematicIds = mkOption {
type = types.listOf types.str;
default = [ ];
example = [ "22b1d04da881ef7c57edb0f24d1f3ba2c78a8e22cbe3fa9af4f42d487b2863f7" ];
};
talhelperConfig = mkOption {
type = types.str;
example = "/etc/talhelper/config.yaml";
};
};
config = mkIf cfg.enable {
# nix grab talconfig.yaml from git repo
#
};
}

35
nixos/modules/nixos/services/talos/bootstrapAssets/resources/download-undionly.sh Executable file
View file

@ -0,0 +1,35 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p cacert curl --pure
#shellcheck shell=bash
set -eu -o pipefail
# Check if argument $1 is set
if [ -z "${1:-}" ]; then
echo "Usage: $0 <path>"
exit 1
fi
path="$1"
# Check is file exists and exit with success.
if [ -f "$path/undionly.kpxe" ]; then
echo "File $path/undionly.kpxe already exists."
exit 0
fi
echo "Downloading assets to $path"
# Check if the directory exists
if [ ! -d "$(dirname "$path")" ]; then
echo "Error: "$path" does not exist."
exit 1
fi
# Check if the path is writable
if [ ! -w "$path" ]; then
echo "Error: $path is not writable."
exit 1
fi
# Download the file
curl -o "$path/undionly.kpxe" http://boot.ipxe.org/undionly.kpxe

0
nixos/modules/nixos/services/talos/bootstrapAssets/resources/update-assets.yaml Normal file
View file

2
nixos/modules/nixos/games/default.nix → nixos/modules/nixos/services/talos/default.nix
View file

@ -1,5 +1,5 @@
{
imports = [
./steam
./bootstrapAssets
];
}

30
nixos/modules/nixos/services/vault/default.nix
View file

@ -1,30 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.mySystem.services.vault;
in
{
options.mySystem.services.vault = {
enable = lib.mkEnableOption "vault";
address = lib.mkOption {
type = lib.types.str;
default = "127.0.0.1:8200";
description = "Address of the Vault server";
example = "127.0.0.1:8200";
};
};
config = lib.mkIf cfg.enable {
services.vault = {
enable = true;
package = pkgs.unstable.vault;
address = cfg.address;
dev = false;
storageBackend = "raft";
extraConfig = ''
api_addr = "http://127.0.0.1:8200"
cluster_addr = "http://127.0.0.1:8201"
ui = true
'';
};
};
}

14
nixos/modules/nixos/services/vault/resources/vault-config.hcl
View file

@ -1,14 +0,0 @@
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = true
}
storage "raft" {
path = "/var/lib/vault/data"
node_id = "node1"
}
disable_mlock = true
api_addr = "http://localhost:8200"
cluster_addr = "http://localhost:8201"
ui = true

2
nixos/modules/nixos/system/borg/pikabackup/default.nix
View file

@ -11,7 +11,7 @@ in
config = lib.mkIf cfg.enable {
# Add package
environment.systemPackages = [
pkgs.unstable.pika-backup
pkgs.pika-backup
];
# Setup auto start at login.
home-manager.users.${user} = {

3
nixos/modules/nixos/system/default.nix
View file

@ -1,9 +1,8 @@
{
imports = [
./borg
./fingerprint-reader-on-laptop-lid
./fingerprint-laptop-lid.nix
./impermanence.nix
./incus
./motd
./nfs
./nix.nix

30
nixos/modules/nixos/system/fingerprint-reader-on-laptop-lid/default.nix → nixos/modules/nixos/system/fingerprint-laptop-lid.nix
View file

@ -1,4 +1,3 @@
# Pertially from: https://github.com/fzakaria/nix-home/blob/framework-laptop/modules/nixos/fprint-laptop-lid.nix
# Originally this file was based on
# https://unix.stackexchange.com/questions/678609/how-to-disable-fingerprint-authentication-when-laptop-lid-is-closed
# However I found this not to work as the fprintd is started via dbus and masking it doesn't seem to do anything.
@ -9,25 +8,22 @@
# On framework 13 the USB is:
# Port 004: Dev 003, If 0, Class=Vendor Specific Class, Driver=[none], 12M
# ID 27c6:609c Shenzhen Goodix Technology Co.,Ltd
# On Framework 16 the USB is:
# Bus 005 Device 007: ID 27c6:609c Shenzhen Goodix Technology Co.,Ltd
# Use `findfp.sh` to find the correct USB device.
{ config, lib, pkgs, ... }:
let
cfg = config.mySystem.system.fingerprint-reader-on-laptop-lid;
laptop-lid = pkgs.writeShellScript "laptop-lid" ''
lock=/var/lock/fingerprint-reader-disabled
lock=$HOME/fingerprint-reader-disabled
# match for either display port or hdmi port
if grep -Fq closed /proc/acpi/button/lid/LID0/state &&
(grep -Fxq connected /sys/class/drm/card*-DP-*/status ||
grep -Fxq connected /sys/class/drm/card*-HDMI-*/status)
(grep -Fxq connected /sys/class/drm/card1-DP-*/status ||
grep -Fxq connected /sys/class/drm/card1-HDMI-*/status)
then
touch "$lock"
echo 0 > /dev/fingerprint_sensor/authorized
echo 0 > /sys/bus/usb/devices/1-4/authorized
elif [ -f "$lock" ]
then
echo 1 > /dev/fingerprint_sensor/authorized
echo 1 > /sys/bus/usb/devices/1-4/authorized
rm "$lock"
fi
'';
@ -38,19 +34,9 @@ in
};
config = lib.mkIf cfg.enable {
services = {
acpid = {
enable = true;
lidEventCommands = "${laptop-lid}";
};
# Add udev rule to create symlink for fingerprint sensor
# when usb device 27c6:609c is connected or disconnected.
# Reason: hubs like caldigit re-orient the device number on each boot.
# May requires a reboot to take effect.
# or sudo udevadm control --reload-rules && sudo udevadm trigger
udev.extraRules = ''
SUBSYSTEM=="usb", ATTRS{idVendor}=="27c6", ATTRS{idProduct}=="609c", RUN+="/bin/sh -c 'ln -sf /sys$devpath /dev/fingerprint_sensor'"
'';
services.acpid = {
enable = true;
lidEventCommands = "${laptop-lid}";
};
# Disable fingerprint reader at login since you can't put in a password when fprintd is running.

39
nixos/modules/nixos/system/fingerprint-reader-on-laptop-lid/findfp.sh
View file

@ -1,39 +0,0 @@
#!/usr/bin/env bash
find_usb_device() {
local idVendor=$1
local idProduct=$2
local device_id="${idVendor}:${idProduct}"
for device in /sys/bus/usb/devices/*; do
if [ -f "$device/idVendor" ] && [ -f "$device/idProduct" ]; then
vendor=$(cat "$device/idVendor")
product=$(cat "$device/idProduct")
if [ "${vendor}:${product}" = "$device_id" ]; then
echo "$device"
return 0
fi
fi
done
return 1
}
# Example usage
idVendor="27c6"
idProduct="609c"
device_path=$(find_usb_device "$idVendor" "$idProduct")
if [ -n "$device_path" ]; then
echo "Device found at: $device_path"
# Print additional information
manufacturer=$(cat "$device_path/manufacturer" 2>/dev/null)
product=$(cat "$device_path/product" 2>/dev/null)
echo "Manufacturer: ${manufacturer:-N/A}"
echo "Product: ${product:-N/A}"
else
echo "Device not found"
fi

51
nixos/modules/nixos/system/incus/default.nix
View file

@ -1,51 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.mySystem.system.incus;
user = "jahanson";
in
{
# sops.secrets.secret-domain-0 = {
# sopsFile = ./secret.sops.yaml;
# };
options.mySystem.system.incus = {
enable = lib.mkEnableOption "incus";
preseed = lib.mkOption {
type = lib.types.unspecified;
default = "";
description = "Incus preseed configuration. Generate with `incus admin init`.";
};
webuiport = lib.mkOption {
type = lib.types.int;
default = 8443;
description = "Port for the Incus Web UI";
};
};
config = lib.mkIf cfg.enable {
virtualisation.incus = {
inherit (cfg) preseed;
enable = true;
ui.enable = true;
};
users.users.${user}.extraGroups = [ "incus-admin" ];
# systemd.services.incus-preseed.postStart = "${oidcSetup}";
networking = {
# nftables.enable = true;
firewall = {
allowedTCPPorts = [
cfg.webuiport
53
67
];
allowedUDPPorts = [
53
67
];
};
};
};
}

10
nixos/overlays/cargo-tauri/default.nix
View file

@ -1,10 +0,0 @@
{ ... }:
let
finalVersion = "tauri-v2.0.4";
in
final: prev: {
cargo-tauri = prev.cargo-tauri.overrideAttrs (oldAttrs: {
version = finalVersion;
vendorHash = "sha256-aTtvVpL979BUvSBwBqRqCWSWIBBmmty9vBD97Q5P4+E=";
});
}

68
nixos/overlays/charm-mods/default.nix
View file

@ -1,68 +0,0 @@
{
lib,
buildGoModule,
installShellFiles,
fetchFromGitHub,
gitUpdater,
testers,
mods,
}:
buildGoModule rec {
pname = "mods";
version = "1.6.0";
commitHash = "2a7f9d4dc11b6c828bf35a0b3d0be709f3ed79b9";
src = fetchFromGitHub {
owner = "charmbracelet";
repo = "mods";
rev = commitHash;
hash = "sha256-23gtb8BOx/0c643/paRt7VFHEyMyF4Q4a5b5+a4+kNU=";
};
vendorHash = "sha256-RV/Nr60BpCLcUL2Yy1Dd2ScwoI0BhGhTb/igCEcJPjI=";
nativeBuildInputs = [
installShellFiles
];
ldflags = [
"-s"
"-w"
"-X=main.Version=${version}-${commitHash}"
];
# These tests require internet access.
checkFlags = [ "-skip=^TestLoad/http_url$|^TestLoad/https_url$" ];
passthru = {
updateScript = gitUpdater {
rev-prefix = "v";
ignoredVersions = ".(rc|beta).*";
};
tests.version = testers.testVersion {
package = mods;
command = "HOME=$(mktemp -d) mods -v";
};
};
postInstall = ''
export HOME=$(mktemp -d)
$out/bin/mods man > mods.1
$out/bin/mods completion bash > mods.bash
$out/bin/mods completion fish > mods.fish
$out/bin/mods completion zsh > mods.zsh
installManPage mods.1
installShellCompletion mods.{bash,fish,zsh}
'';
meta = with lib; {
description = "AI on the command line";
homepage = "https://github.com/charmbracelet/mods";
license = licenses.mit;
maintainers = with maintainers; [ dit7ya caarlos0 ];
mainProgram = "mods";
};
}

108
nixos/overlays/coder/default.nix
View file

@ -1,108 +0,0 @@
{ lib
, channel ? "stable"
, fetchurl
, installShellFiles
, makeBinaryWrapper
, terraform
, stdenvNoCC
, unzip
, nixosTests
}:
let
inherit (stdenvNoCC.hostPlatform) system;
channels = {
stable = {
version = "2.15.1";
hash = {
x86_64-linux = "sha256-DB/3iUkgWzAI+3DEQB8heYkG6apUARDulQ4lKDAPN1I=";
x86_64-darwin = "sha256-62tjAC3WtWC8eIkh9dPi2Exksp2gDHyXEU2tCavKZ4Q=";
aarch64-linux = "sha256-957GdH5sDjbjxEt8LXKPBM7vht7T6JizVwYYhbitdpw=";
aarch64-darwin = "sha256-ckcd1u9dgg9LKhr47Yw8dJKkR7hawPie4QNyySH8vyM=";
};
};
mainline = {
version = "2.16.0";
hash = {
x86_64-linux = "sha256-Uk9oGiLSHBCINAzQg88tlHyMw/OGfdmCw2/NXJs5wbQ=";
x86_64-darwin = "sha256-Bbayv00NDJGUA4M4KyG4XCXIiaQSf4JSgy5VvLSVmAM=";
aarch64-linux = "sha256-nV02uO+UkNNvQDIkh2G+9H8gvk9DOSYyIu4O3nwkYXk=";
aarch64-darwin = "sha256-C9Nm8dW3V25D7J/3ABO5oLGL4wcSCsAXtQNZABwVpWs=";
};
};
};
in
stdenvNoCC.mkDerivation (finalAttrs: {
pname = "coder";
version = channels.${channel}.version;
src = fetchurl {
hash = (channels.${channel}.hash).${system};
url =
let
systemName = {
x86_64-linux = "linux_amd64";
aarch64-linux = "linux_arm64";
x86_64-darwin = "darwin_amd64";
aarch64-darwin = "darwin_arm64";
}.${system};
ext = {
x86_64-linux = "tar.gz";
aarch64-linux = "tar.gz";
x86_64-darwin = "zip";
aarch64-darwin = "zip";
}.${system};
in
"https://github.com/coder/coder/releases/download/v${finalAttrs.version}/coder_${finalAttrs.version}_${systemName}.${ext}";
};
nativeBuildInputs = [
installShellFiles
makeBinaryWrapper
unzip
];
unpackPhase = ''
runHook preUnpack
case $src in
*.tar.gz) tar -xz -f "$src" ;;
*.zip) unzip "$src" ;;
esac
runHook postUnpack
'';
installPhase = ''
runHook preInstall
install -D -m755 coder $out/bin/coder
runHook postInstall
'';
postInstall = ''
wrapProgram $out/bin/coder \
--prefix PATH : ${lib.makeBinPath [ terraform ]}
'';
# integration tests require network access
doCheck = false;
meta = {
description = "Provision remote development environments via Terraform";
homepage = "https://coder.com";
license = lib.licenses.agpl3Only;
mainProgram = "coder";
maintainers = with lib.maintainers; [ ghuntley kylecarbs urandom ];
};
passthru = {
updateScript = ./update.sh;
tests = {
inherit (nixosTests) coder;
};
};
})

42
nixos/overlays/default.nix
View file

@ -1,33 +1,33 @@
{ inputs, ... }:
let
# smartmontoolsOverlay = import ./smartmontools { };
# vivaldiOverlay = self: super: { vivaldi = super.callPackage ./vivaldi { }; };
coderOverlay = self: super: { coder = super.callPackage ./coder { }; };
modsOverlay = self: super: { mods = super.callPackage ./charm-mods { }; };
termiusOverlay = self: super: { termius = super.callPackage ./termius { }; };
warpTerminalOverlay = import ./warp-terminal {
inherit (inputs.nixpkgs) lib;
};
termiusOverlay = import ./termius { };
# Partial overlay
# talosctlOverlay = import ./talosctl { };
# Full overlay
talosctlOverlay = self: super: {
talosctl = super.callPackage ./talosctl/talosctl-custom.nix { };
};
goOverlay = import ./go { };
in
{
# smartmontools = smartmontoolsOverlay;
# vivaldi = vivaldiOverlay;
coder = coderOverlay;
comm-packages = inputs.nix-vscode-extensions.overlays.default;
mods = modsOverlay;
nix-minecraft = inputs.nix-minecraft.overlay;
nur = inputs.nur.overlay;
# warp-terminal = warpTerminalOverlay;
termius = termiusOverlay;
talosctl = talosctlOverlay;
# go = goOverlay;
# The unstable nixpkgs set (declared in the flake inputs) will
# be accessible through 'pkgs.unstable'
unstable-packages = final: prev: {
unstable = import inputs.nixpkgs-unstable
{
inherit (final) system;
config.allowUnfree = true;
} // {
# Add talosctl to the unstable set
talosctl = final.unstable.callPackage ./talosctl {
inherit (final.unstable) lib buildGoModule fetchFromGitHub installShellFiles;
};
unstable-packages = final: _prev: {
unstable = import inputs.nixpkgs-unstable {
inherit (final) system;
config.allowUnfree = true;
};
};
# VSCode Community Packages
comm-packages = inputs.nix-vscode-extensions.overlays.default;
}

13
nixos/overlays/go/default.nix Normal file
View file

@ -0,0 +1,13 @@
{ ... }:
let
finalVersion = "1.22.5";
in
final: prev: {
go_1_22 = prev.go_1_22.overrideAttrs (oldAttrs: {
version = finalVersion;
src = prev.fetchurl {
url = "https://go.dev/dl/go${finalVersion}.src.tar.gz";
hash = "sha256-rJxyPyJJaa7mJLw0/TTJ4T8qIS11xxyAfeZEu0bhEvY=";
};
});
}

15
nixos/overlays/smartmontools/default.nix
View file

@ -1,15 +0,0 @@
{ ... }:
let
dbrev = "5613";
drivedbBranch = "RELEASE_7_4";
in
final: prev: {
smartmontools = prev.smartmontools.overrideAttrs (oldAttrs: {
inherit dbrev drivedbBranch;
driverdb = builtins.fetchurl {
url = "https://sourceforge.net/p/smartmontools/code/${dbrev}/tree/trunk/smartmontools/drivedb.h?format=raw";
sha256 = "sha256-6r7Pd298Ea55AXOLijUEQoJq+Km5cE+Ygti65yacdoM=";
name = "smartmontools-drivedb.h";
};
});
}

15
nixos/overlays/smartmontools/getsmartdbhash.sh
View file

@ -1,15 +0,0 @@
#!/usr/bin/env nix-shell
#!nix-shell -I nixpkgs=/etc/nix/inputs/nixpkgs/ -i bash -p nix
set -euo pipefail
dbrev="5613"
drivedbBranch="RELEASE_7_4"
url="https://sourceforge.net/p/smartmontools/code/${dbrev}/tree/trunk/smartmontools/drivedb.h?format=raw";
echo "Fetching hash for URL: $url"
hash=$(nix-prefetch-url "$url")
sri=$(nix-hash --type sha256 --flat --base32 --to-sri "$hash")
echo "Hash: $hash"
echo "Sri: $sri"

59
nixos/overlays/talosctl/default.nix
View file

@ -1,40 +1,19 @@
{ lib, buildGoModule, fetchFromGitHub, installShellFiles }:
buildGoModule rec {
pname = "talosctl";
version = "1.8.2";
src = fetchFromGitHub {
owner = "siderolabs";
repo = "talos";
rev = "v${version}";
hash = "sha256-sD/Nn1ZLM6JIZdWQsBioKyhrAvhz749LL4xWleQ80xY=";
};
vendorHash = "sha256-pWG8DbZ9N57p2Q9w/IzETcvwaSfzaUvJgcz7Th/Oi9c=";
ldflags = [ "-s" "-w" ];
env.GOWORK = "off";
subPackages = [ "cmd/talosctl" ];
nativeBuildInputs = [ installShellFiles ];
postInstall = ''
installShellCompletion --cmd talosctl \
--bash <($out/bin/talosctl completion bash) \
--fish <($out/bin/talosctl completion fish) \
--zsh <($out/bin/talosctl completion zsh)
'';
doCheck = false; # no tests
meta = with lib; {
description = "CLI for out-of-band management of Kubernetes nodes created by Talos";
mainProgram = "talosctl";
homepage = "https://www.talos.dev/";
license = licenses.mpl20;
maintainers = with maintainers; [ flokli ];
};
}
{ ... }:
let
finalVersion = "1.7.5";
in
final: prev: {
talosctl = prev.talosctl.overrideAttrs (oldAttrs: {
version = finalVersion;
src = prev.fetchFromGitHub {
owner = "siderolabs";
repo = "talos";
rev = "v${finalVersion}";
hash = "sha256-lmDLlxiPyVhlSPplYkIaS5Uw19hir6XD8MAk8q+obhY=";
};
vendorHash = "sha256-8UIey+r1tdVRN1RBK5xxcAzaHb0VFdgenUXSFgoWh1g=";
passthru = oldAttrs.passthru // {
updateScript = ./update.sh;
};
});
}

43
nixos/overlays/talosctl/talosctl-custom.nix Normal file
View file

@ -0,0 +1,43 @@
{ lib, buildGo122Module, fetchFromGitHub, installShellFiles }:
buildGo122Module rec {
pname = "talosctl";
version = "1.7.5";
src = fetchFromGitHub {
owner = "siderolabs";
repo = "talos";
rev = "v${version}";
hash = "sha256-lmDLlxiPyVhlSPplYkIaS5Uw19hir6XD8MAk8q+obhY=";
};
passthru = {
updateScript = ./update.sh;
};
vendorHash = "sha256-8UIey+r1tdVRN1RBK5xxcAzaHb0VFdgenUXSFgoWh1g=";
ldflags = [ "-s" "-w" ];
env.GOWORK = "off";
subPackages = [ "cmd/talosctl" ];
nativeBuildInputs = [ installShellFiles ];
postInstall = ''
installShellCompletion --cmd talosctl \
--bash <($out/bin/talosctl completion bash) \
--fish <($out/bin/talosctl completion fish) \
--zsh <($out/bin/talosctl completion zsh)
'';
doCheck = false; # no tests
meta = with lib; {
description = "CLI for out-of-band management of Kubernetes nodes created by Talos";
mainProgram = "talosctl";
homepage = "https://www.talos.dev/";
license = licenses.mpl20;
maintainers = with maintainers; [ flokli ];
};
}

104
nixos/overlays/termius/default.nix
View file

@ -1,96 +1,8 @@
{ autoPatchelfHook
, squashfsTools
, alsa-lib
, fetchurl
, makeDesktopItem
, makeWrapper
, stdenv
, lib
, libsecret
, mesa
, udev
, wrapGAppsHook3
}:
stdenv.mkDerivation rec {
pname = "termius";
version = "9.5.0";
src = fetchurl {
# find the latest version with
# curl -H 'X-Ubuntu-Series: 16' https://api.snapcraft.io/api/v1/snaps/details/termius-app | jq '.version'
# and the url with
# curl -H 'X-Ubuntu-Series: 16' https://api.snapcraft.io/api/v1/snaps/details/termius-app | jq '.download_url' -r
# and the sha512 with
# curl -H 'X-Ubuntu-Series: 16' https://api.snapcraft.io/api/v1/snaps/details/termius-app | jq '.download_sha512' -r
# nix-hash --type sha512 --to-sri <output of curl>
url = "https://api.snapcraft.io/api/v1/snaps/download/WkTBXwoX81rBe3s3OTt3EiiLKBx2QhuS_203.snap";
hash = "sha512-BouIQvJZbi350l30gl9fnXKYRHhi5q1oOvyEIVEmd4DjXvJLQisV4cK4OZIJ/bPOCI5DTxNOY7PwEduVQd3SYA==";
#
};
desktopItem = makeDesktopItem {
categories = [ "Network" ];
comment = "The SSH client that works on Desktop and Mobile";
desktopName = "Termius";
exec = "termius-app";
genericName = "Cross-platform SSH client";
icon = "termius-app";
name = "termius-app";
};
dontBuild = true;
dontConfigure = true;
dontPatchELF = true;
dontWrapGApps = true;
# TODO: migrate off autoPatchelfHook and use nixpkgs' electron
nativeBuildInputs = [ autoPatchelfHook squashfsTools makeWrapper wrapGAppsHook3 ];
buildInputs = [
alsa-lib
libsecret
mesa
];
unpackPhase = ''
runHook preUnpack
unsquashfs "$src"
runHook postUnpack
'';
installPhase = ''
runHook preInstall
cd squashfs-root
mkdir -p $out/opt/termius
cp -r ./ $out/opt/termius
mkdir -p "$out/share/applications" "$out/share/pixmaps/termius-app.png"
cp "${desktopItem}/share/applications/"* "$out/share/applications"
cp meta/gui/icon.png $out/share/pixmaps/termius-app.png
runHook postInstall
'';
postInstall = ''
install -Dm644 meta/gui/icon.png $out/share/icons/hicolor/128x128/apps/termius-app.png
'';
runtimeDependencies = [ (lib.getLib udev) ];
postFixup = ''
makeWrapper $out/opt/termius/termius-app $out/bin/termius-app \
"''${gappsWrapperArgs[@]}"
'';
meta = with lib; {
description = "A cross-platform SSH client with cloud data sync and more";
homepage = "https://termius.com/";
downloadPage = "https://termius.com/linux/";
sourceProvenance = with sourceTypes; [ binaryNativeCode ];
license = licenses.unfree;
maintainers = with maintainers; [ Br1ght0ne th0rgal ];
platforms = [ "x86_64-linux" ];
mainProgram = "termius-app";
};
}
{ ... }:
(final: prev: {
termius = prev.termius.overrideAttrs (oldAttrs: {
postInstall = ''
install -Dm644 meta/gui/icon.png $out/share/icons/hicolor/128x128/apps/termius-app.png
'';
});
})

10
nixos/overlays/termius/retrive-latest-sri.sh
View file

@ -1,10 +0,0 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p curl jq nix
VERSION=$(curl -H 'X-Ubuntu-Series: 16' https://api.snapcraft.io/api/v1/snaps/details/termius-app | jq '.version')
DOWNLOAD_URL=$(curl -H 'X-Ubuntu-Series: 16' https://api.snapcraft.io/api/v1/snaps/details/termius-app | jq '.download_url' -r)
SHASUM=$(curl -H 'X-Ubuntu-Series: 16' https://api.snapcraft.io/api/v1/snaps/details/termius-app | jq '.download_sha512' -r)
SRI512SUM=$(nix-hash --type sha512 --to-sri $SHASUM)
echo "The latest SRI for version $VERSION is "
echo "$SRI512SUM"

135
nixos/overlays/vivaldi/default.nix
View file

@ -1,135 +0,0 @@
{ lib, stdenv, fetchurl, zlib, libX11, libXext, libSM, libICE, libxkbcommon, libxshmfence
, libXfixes, libXt, libXi, libXcursor, libXScrnSaver, libXcomposite, libXdamage, libXtst, libXrandr
, alsa-lib, dbus, cups, libexif, ffmpeg, systemd, libva, libGL
, freetype, fontconfig, libXft, libXrender, libxcb, expat
, libuuid
, libxml2
, glib, gtk3, pango, gdk-pixbuf, cairo, atk, at-spi2-atk, at-spi2-core
, qt5
, libdrm, mesa
, vulkan-loader
, nss, nspr
, patchelf, makeWrapper
, wayland, pipewire
, isSnapshot ? false
, proprietaryCodecs ? false, vivaldi-ffmpeg-codecs ? null
, enableWidevine ? false, widevine-cdm ? null
, commandLineArgs ? ""
, pulseSupport ? stdenv.isLinux, libpulseaudio
, kerberosSupport ? true, libkrb5
}:
let
branch = if isSnapshot then "snapshot" else "stable";
vivaldiName = if isSnapshot then "vivaldi-snapshot" else "vivaldi";
in stdenv.mkDerivation rec {
pname = "vivaldi";
version = "6.9.3447.37";
suffix = {
aarch64-linux = "arm64";
x86_64-linux = "amd64";
}.${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
src = fetchurl {
url = "https://downloads.vivaldi.com/${branch}/vivaldi-${branch}_${version}-1_${suffix}.deb";
hash = {
aarch64-linux = "sha256-kYTnWad/jrJt9z+AhjXzHYxVSIwIIO3RKD7szuPEg2s=";
x86_64-linux = "sha256-+h7SHci8gZ+epKFHD0PiXyME2xT+loD2KXpJGFCfIFg=";
}.${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
};
unpackPhase = ''
ar vx $src
tar -xvf data.tar.xz
'';
nativeBuildInputs = [ patchelf makeWrapper ];
dontWrapQtApps = true;
buildInputs = [
stdenv.cc.cc stdenv.cc.libc zlib libX11 libXt libXext libSM libICE libxcb libxkbcommon libxshmfence
libXi libXft libXcursor libXfixes libXScrnSaver libXcomposite libXdamage libXtst libXrandr
atk at-spi2-atk at-spi2-core alsa-lib dbus cups gtk3 gdk-pixbuf libexif ffmpeg systemd libva
qt5.qtbase
freetype fontconfig libXrender libuuid expat glib nss nspr libGL
libxml2 pango cairo
libdrm mesa vulkan-loader
wayland pipewire
] ++ lib.optional proprietaryCodecs vivaldi-ffmpeg-codecs
++ lib.optional pulseSupport libpulseaudio
++ lib.optional kerberosSupport libkrb5;
libPath = lib.makeLibraryPath buildInputs
+ lib.optionalString (stdenv.is64bit)
(":" + lib.makeSearchPathOutput "lib" "lib64" buildInputs)
+ ":$out/opt/${vivaldiName}/lib";
buildPhase = ''
runHook preBuild
echo "Patching Vivaldi binaries"
for f in chrome_crashpad_handler vivaldi-bin vivaldi-sandbox ; do
patchelf \
--set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
--set-rpath "${libPath}" \
opt/${vivaldiName}/$f
done
for f in libGLESv2.so libqt5_shim.so ; do
patchelf --set-rpath "${libPath}" opt/${vivaldiName}/$f
done
'' + lib.optionalString proprietaryCodecs ''
ln -s ${vivaldi-ffmpeg-codecs}/lib/libffmpeg.so opt/${vivaldiName}/libffmpeg.so.''${version%\.*\.*}
'' + ''
echo "Finished patching Vivaldi binaries"
runHook postBuild
'';
dontPatchELF = true;
dontStrip = true;
installPhase = ''
runHook preInstall
mkdir -p "$out"
cp -r opt "$out"
mkdir "$out/bin"
ln -s "$out/opt/${vivaldiName}/${vivaldiName}" "$out/bin/vivaldi"
mkdir -p "$out/share"
cp -r usr/share/{applications,xfce4} "$out"/share
substituteInPlace "$out"/share/applications/*.desktop \
--replace /usr/bin/${vivaldiName} "$out"/bin/vivaldi
substituteInPlace "$out"/share/applications/*.desktop \
--replace vivaldi-stable vivaldi
local d
for d in 16 22 24 32 48 64 128 256; do
mkdir -p "$out"/share/icons/hicolor/''${d}x''${d}/apps
ln -s \
"$out"/opt/${vivaldiName}/product_logo_''${d}.png \
"$out"/share/icons/hicolor/''${d}x''${d}/apps/vivaldi.png
done
wrapProgram "$out/bin/vivaldi" \
--add-flags ${lib.escapeShellArg commandLineArgs} \
--add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto --enable-features=WaylandWindowDecorations}}" \
--set-default FONTCONFIG_FILE "${fontconfig.out}/etc/fonts/fonts.conf" \
--set-default FONTCONFIG_PATH "${fontconfig.out}/etc/fonts" \
--suffix XDG_DATA_DIRS : ${gtk3}/share/gsettings-schemas/${gtk3.name}/ \
${lib.optionalString enableWidevine "--suffix LD_LIBRARY_PATH : ${libPath}"}
'' + lib.optionalString enableWidevine ''
ln -sf ${widevine-cdm}/share/google/chrome/WidevineCdm $out/opt/${vivaldiName}/WidevineCdm
'' + ''
runHook postInstall
'';
passthru.updateScript = ./update-vivaldi.sh;
meta = with lib; {
description = "Browser for our Friends, powerful and personal";
homepage = "https://vivaldi.com";
license = licenses.unfree;
sourceProvenance = with sourceTypes; [ binaryNativeCode ];
mainProgram = "vivaldi";
maintainers = with maintainers; [ otwieracz badmutex ];
platforms = [ "x86_64-linux" "aarch64-linux" ];
};
}

32
nixos/overlays/vivaldi/ffmpeg-codecs.nix
View file

@ -1,32 +0,0 @@
{ squashfsTools, fetchurl, lib, stdenv }:
# This derivation roughly follows the update-ffmpeg script that ships with the official Vivaldi
# downloads at https://vivaldi.com/download/
stdenv.mkDerivation rec {
pname = "chromium-codecs-ffmpeg-extra";
version = "115541";
src = fetchurl {
url = "https://api.snapcraft.io/api/v1/snaps/download/XXzVIXswXKHqlUATPqGCj2w2l7BxosS8_41.snap";
hash = "sha256-a1peHhku+OaGvPyChvLdh6/7zT+v8OHNwt60QUq7VvU=";
};
buildInputs = [ squashfsTools ];
unpackPhase = ''
unsquashfs -dest . $src
'';
installPhase = ''
install -vD chromium-ffmpeg-${version}/chromium-ffmpeg/libffmpeg.so $out/lib/libffmpeg.so
'';
meta = with lib; {
description = "Additional support for proprietary codecs for Vivaldi";
homepage = "https://ffmpeg.org/";
sourceProvenance = with sourceTypes; [ binaryNativeCode ];
license = licenses.lgpl21;
maintainers = with maintainers; [ betaboon cawilliamson fptje ];
platforms = [ "x86_64-linux" ];
};
}

15
nixos/overlays/vivaldi/update-vivaldi.sh
View file

@ -1,15 +0,0 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p curl common-updater-scripts
set -eu -o pipefail
version=$(curl -sS https://vivaldi.com/download/ | sed -rne 's/.*vivaldi-stable_([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)-1_amd64\.deb.*/\1/p')
update_hash() {
url="https://downloads.vivaldi.com/stable/vivaldi-stable_$version-1_$2.deb"
hash=$(nix hash to-sri --type sha256 $(nix-prefetch-url --type sha256 "$url"))
update-source-version vivaldi "$version" "$hash" --system=$1 --ignore-same-version
}
update_hash aarch64-linux arm64
update_hash x86_64-linux amd64

47
nixos/overlays/vivaldi/update.sh
View file

@ -1,47 +0,0 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p libarchive curl common-updater-scripts
set -eu -o pipefail
cd "$(dirname "${BASH_SOURCE[0]}")"
root=../../../../..
export NIXPKGS_ALLOW_UNFREE=1
version() {
(cd "$root" && nix-instantiate --eval --strict -A "$1.version" | tr -d '"')
}
vivaldi_version_old=$(version vivaldi)
vivaldi_version=$(curl -sS https://vivaldi.com/download/ | sed -rne 's/.*vivaldi-stable_([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)-1_amd64\.deb.*/\1/p')
if [[ ! "$vivaldi_version" = "$vivaldi_version_old" ]]; then
echo "vivaldi is not up-to-date, not updating codecs"
(cd "$root" && nix-shell maintainers/scripts/update.nix --argstr package vivaldi)
exit
fi
echo "vivaldi is up-to-date, updating codecs"
# Download vivaldi and save file path.
url="https://downloads.vivaldi.com/stable/vivaldi-stable_${vivaldi_version}-1_amd64.deb"
mapfile -t prefetch < <(nix-prefetch-url --print-path "$url")
path=${prefetch[1]}
nixpkgs="$(git rev-parse --show-toplevel)"
default_nix="$nixpkgs/pkgs/applications/networking/browsers/vivaldi/default.nix"
ffmpeg_nix="$nixpkgs/pkgs/applications/networking/browsers/vivaldi/ffmpeg-codecs.nix"
# Check vivaldi-ffmpeg-codecs version.
chromium_version_old=$(version vivaldi-ffmpeg-codecs)
ffmpeg_update_script=$(bsdtar xOf "$path" data.tar.xz | bsdtar xOf - ./opt/vivaldi/update-ffmpeg)
chromium_version=$(sed -rne 's/^FFMPEG_VERSION_DEB\=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/p' <<< $ffmpeg_update_script)
download_subdir=$(sed -rne 's/.*FFMPEG_URL_DEB\=https:\/\/launchpadlibrarian\.net\/([0-9]+)\/.*_amd64\.deb/\1/p' <<< $ffmpeg_update_script)
if [[ "$chromium_version" != "$chromium_version_old" ]]; then
# replace the download prefix
sed -i $ffmpeg_nix -e "s/\(https:\/\/launchpadlibrarian\.net\/\)[0-9]\+/\1$download_subdir/g"
(cd "$root" && update-source-version vivaldi-ffmpeg-codecs "$chromium_version")
git add "${ffmpeg_nix}"
git commit -m "vivaldi-ffmpeg-codecs: $chromium_version_old -> $chromium_version"
fi

13
nixos/overlays/warp-terminal/default.nix Normal file
View file

@ -0,0 +1,13 @@
{ lib, ...}:
let
versions = lib.importJSON ./versions.json;
in
final: prev: {
warp-terminal = prev.warp-terminal.overrideAttrs (oldAttrs: {
inherit (versions.linux) version;
src = prev.fetchurl {
url = "https://releases.warp.dev/stable/v${versions.linux.version}/warp-terminal-v${versions.linux.version}-1-x86_64.pkg.tar.zst";
inherit (versions.linux) hash;
};
});
}

74
nixos/overlays/warp-terminal/update.sh Executable file
View file

@ -0,0 +1,74 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p cacert curl jq nix moreutils --pure
#shellcheck shell=bash
set -eu -o pipefail
cd "$(dirname "$0")"
nixpkgs=$(nix-instantiate --eval -E '<nixpkgs>' --impure)
err() {
echo "$*" >&2
exit 1
}
json_get() {
jq -r "$1" < "./versions.json"
}
json_set() {
jq --arg x "$2" "$1 = \$x" < "./versions.json" | sponge "./versions.json"
}
resolve_url() {
local pkg sfx url
local -i i max_redirects
case "$1" in
darwin)
pkg=macos
sfx=dmg
;;
linux)
pkg=pacman
sfx=pkg.tar.zst
;;
*)
err "Unexpected download type: $1"
;;
esac
url="https://app.warp.dev/download?package=${pkg}"
((max_redirects = 15))
for ((i = 0; i < max_redirects; i++)); do
url=$(curl -s -o /dev/null -w '%{redirect_url}' "${url}")
[[ ${url} != *.${sfx} ]] || break
done
((i < max_redirects)) || { err "too many redirects"; }
echo "${url}"
}
get_version() {
echo "$1" | grep -oP -m 1 '(?<=/v)[\d.\w]+(?=/)'
}
# nix-prefetch-url seems to be uncompressing the archive then taking the hash
# so just get the hash from fetchurl
sri_get() {
local ouput sri
output=$(nix-build --expr \
"with import $nixpkgs {};
fetchurl {
url = \"$1\";
}" 2>&1 || true)
sri=$(echo "$output" | awk '/^\s+got:\s+/{ print $2 }')
[[ -z "$sri" ]] && err "$output"
echo "$sri"
}
for sys in darwin linux; do
url=$(resolve_url ${sys})
version=$(get_version "${url}")
if [[ ${version} != "$(json_get ".${sys}.version")" ]]; then
sri=$(sri_get "${url}")
json_set ".${sys}.version" "${version}"
json_set ".${sys}.hash" "${sri}"
fi
done

10
nixos/overlays/warp-terminal/versions.json Normal file
View file

@ -0,0 +1,10 @@
{
"darwin": {
"hash": "sha256-vogQAVbtiw2/U3oJrTj8SUexkEsEfYvmGq50nzy5aYo=",
"version": "0.2024.06.25.08.02.stable_01"
},
"linux": {
"hash": "sha256-Fc48bZzFBw9p636Mr8R+W/d1B3kIcOAu/Gd17nbzNfI=",
"version": "0.2024.06.25.08.02.stable_01"
}
}

16
nixos/overlays/zed-editor/default.nix
View file

@ -1,16 +0,0 @@
{ ... }:
let
finalVersion = "0.149.3";
in
final: prev: {
zed-editor = prev.zed-editor.overrideAttrs
(oldAttrs: {
version = finalVersion;
src = prev.fetchFromGithub {
hash = "sha256-ed6/QQObmclSA36g+civhii1aFKTBSjqB+LOyp2LUPg=";
};
cargoLock = prev.outputHashes {
"blade-graphics-0.4.0" = "sha256-sGXhXmgtd7Wx/Gf7HCWro4RsQOGS4pQt8+S3T+2wMfY=";
};
});
}

56
nixos/profiles/disko-telchar.nix
View file

@ -1,56 +0,0 @@
{
disko.devices = {
disk = {
main = {
type = "disk";
device = "/dev/disk/by-diskseq/1";
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
start = "1M";
end = "128M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
size = "100%";
content = {
type = "btrfs";
extraArgs = [ "-f" ]; # Override existing partition
# Subvolumes must set a mountpoint in order to be mounted,
# unless their parent is mounted
subvolumes = {
# Subvolume name is different from mountpoint
"/rootfs" = {
mountpoint = "/";
};
# Subvolume name is the same as the mountpoint
"/home" = {
mountOptions = [ "compress=zstd" ];
mountpoint = "/home";
};
# Sub(sub)volume doesn't need a mountpoint as its parent is mounted
"/home/user" = { };
# Parent is not mounted so the mountpoint must be set
"/nix" = {
mountOptions = [ "compress=zstd" "noatime" ];
mountpoint = "/nix";
};
};
mountpoint = "/partition-root";
};
};
};
};
};
};
};
}

4
nixos/profiles/global.nix
View file

@ -35,9 +35,7 @@ with lib;
wget
dnsutils
jq
yq-go
nvme-cli
smartmontools
yq
];
networking.useDHCP = lib.mkDefault true;

2
nixos/profiles/global/nix.nix
View file

@ -26,14 +26,12 @@
"https://hsndev.cachix.org"
"https://nix-community.cachix.org"
"https://numtide.cachix.org"
"https://cosmic.cachix.org/"
];
trusted-public-keys = [
"hsndev.cachix.org-1:vN1/XGBZtMLnTFYDmTLDrullgZHSUYY3Kqt+Yg/C+tE="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
"cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE="
];
# Fallback quickly if substituters are not available.

93
nixos/profiles/global/secrets.sops.yaml
View file

@ -1,9 +1,9 @@
services:
pushover:
env: ENC[AES256_GCM,data:oqU6JIwsFaxuO3Lc7EeRJCWrR1bDzs70LKqNtO/wZ4ZC56EuAS7dei9TKXqYdQ34svXeVDnbwkHLNIWVJtA6xUoKWbrhc3VMscuChRtijzONW9Ln72veAVraV5cEUCr0,iv:sZjoAc7WKPTHskSIKnfLmI2/W7Jwi7kzTaAFE3pomus=,tag:KO7tTxpT+LF3JXCx/LS0CQ==,type:str]
pushover-user-key: ENC[AES256_GCM,data:S/zpO5t/Ze/Nu6nMNkHmQdDcDNwpxpoueC1te6bX,iv:VGwuQDg34VqBzUEQTDdHUCMJV655pQBrBke2kerv9lU=,tag:MQvKbGQeMxMLFsKnTxuVUg==,type:str]
pushover-api-key: ENC[AES256_GCM,data:rinJsuixNfCSQbAHixSQyn08MDLZ9hLMVr8XNIDZ,iv:r0uP0A4K0FUL3KQAcEQub+o8R4BKIgNckSnof8TIZzs=,tag:23KlBJl6r4zwqayPYbtjyA==,type:str]
jahanson-password: ENC[AES256_GCM,data:XGTQabc+LYpQ6WbVm6Q=,iv:4DlJJ5yl4aaAWKp/go286ioqk4HRc94VhUwLUIb6lXo=,tag:kK1qY7vMZRVirS/ymI3D4A==,type:str]
env: ENC[AES256_GCM,data:Z138qrnqNDIlhZiuEPmTekY9oq3KGH7HIr4MrXyYoMqjZRsgj3scpeFFrO1CCyfaq9gCugStEQvkmeinJ+1FkoOs3qMRbIgxinUfj366cuOas2mo4OSw0+v559Acgpxr,iv:jq+IPXYTC7RI3YkbD/avMI+cXtXlWPQwizzkdjPzlXE=,tag:KI5ye2yMu5JAl5KodWpwaA==,type:str]
pushover-user-key: ENC[AES256_GCM,data:WbhwKcEaR3AuAv2HUZ/A8kGjsHj2OB8hBwSTHOKk,iv:q8HVHg5dHKPSdTzfgJr95JxxEY2X1u0wPEvLlu9UfAI=,tag:H91O575QWfR3z12OunZwew==,type:str]
pushover-api-key: ENC[AES256_GCM,data:uhm/Jbuo5pFkE6H98L3KUboiYOBh7f5QgRRnzewo,iv:Ai/EKu6+8gVnmDND0e4W30ExPU7GioSJ6kEYbbpLVWI=,tag:sOzg+tSNwwP4WAUXiQ/NPw==,type:str]
jahanson-password: ENC[AES256_GCM,data:lfTo0YLbENWKUZa7eqQ=,iv:pA9xFU5wRvpX6NSvOfHCNu1A7f/wsyuHQftLjWdXoys=,tag:AxWfhgOZdVHVac8thB3bgg==,type:str]
sops:
kms: []
gcp_kms: []
@ -13,77 +13,68 @@ sops:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYbEhtZFFibXRYRHN1WHB3
ZHlMMSt1MWhZRVhFTnFyaG50Rm04NDlmRjNFClRITU9VbXNxMERxWnpqc2U1MzYv
cVEwdXhTTyswbVA5alU1cXpoYnFUOVkKLS0tIHQ2SC9JQWNObzZ5Z2ZRb1J0Nkh6
NUFvbGJnQVFIZm5SUDV0SitWZ05lYjgKEH/RAEebaa8Ccbs5j7G6xOhkSNnOFGas
+ntPSvzEzgJAR4Jho4Pz95id686DZPWmCVakRyZxdtZSzS5+PBKFTA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGYW5xM2pwbmM0MmNqZlE5
SHdlcnE0SXcvSHpkS1F6WDdWNUxyenRrTUJFCjlPbTY4L252S3IwN1c4QitIbGR2
SDBwMXdCdGVjeExkRTJQNnd0a1NSVGMKLS0tIGE4T0pXTEMwQ2FyRVpNS1ZyVDdO
QUVxOXFZTVFMZHJyZFFaS3loU1ZiQkUKQJYLPv8Acl9eeDOuWFP3HoUPH2jYGweK
Hky9FVS0LhOVxlVhKEX/pH/EsR1O7Id//5zq437KZA6v6sZqVdfx+w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBMU5ieG5EMzBUT2RLYkV5
aHNreXhBTFNSUlJMazBpRG8rYUEwM29mRWhjCmkwVFA2OVg3Qmltc2p0NUpXaUQr
V0FhbkNsOWJsUnRLbTdYS2xVaTJlWWMKLS0tIG5JUzU3dDJrak02L1NDbytsdk5y
b1FhVktpVFZCQWowRitUcnRDdDI1WGMK+OBrJmrpiZZWOov+jag2UyOI6Tg1RJqI
pgnHv0Ju+cn8Pg4VvAE/zN+hYMzD2aMMpQk5I1BhuH8IS56NpMzcFg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByMStjc2diVUE3OU55MVRo
UGFrSDZBbXVDTG9icHJjTEh6UHlPRSt3emlnCk9pQ3dVWi92ck5oZitMUFp1Y2tk
Tk4xbSt0OTBJMUhWRmtTd0kwVXo5aXMKLS0tIDFOQi80QWNoZEVGeExyeUJqeUV5
UWZUSGo2UmsxOWRYdFowSmJoT1FjeEEK7eb3XYm6/Q/hXXBNfHX1zDypq5SG74dy
keMjZI7XlYDpWij/juZl6oYRUaOxUzz4T9QE5jUjJsv9pXRCcoSPdA==
-----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGNnBxVGZFSTBzMmdiTElp
RkpVbndYcS9NVlFuK0ZQb2M2cU0zVDJ3MTFzCmV5Y25WWGVkNk91dWUzTm1UdURT
d29RRGZNK2J2ZjdNN2hHMUd1MEFqM2sKLS0tIGtXNU1jQStmWE5kQldrQW9seVoz
Q001QkZVb282cW5RY2Nlc0ZRTy9vYXcKFXO2d0dZVoFTdw5M4bJH3C3mi6e56Bvp
ubyGesXow1S0JytyveWhpTJVh/6gfXAGGSGJyVbM3xoguBtdhazzAQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYYklSam94VU1wYlRDRkZO
QWhqYWxZNFBnaVBhZWtvbkxhZzlFUVlESEF3ClpQVFFJTUs5YUlxK1U2cUpoWDlz
a2RqVFBjNzdidnZYcGcrb2ZDMXM2ZWMKLS0tIHZsNU9IRlllUW9nKzIzMlA1cm1E
RHdsZ0h6Q0hhRmFNMUFYNUcxNXA5YnMKa9YXvrQlHIW9X94IrnVbJq9WDuQahdoC
Uimav/J0XgN1/Eu4i+bFhOvIoZcV8t0L1uZbWU6Fn3yhDl4BXGPPUg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6ZytiVDQyTlQxU1MrYUdV
WGVBNVN0UUVlYXkyOVA3MHBkakpYOXA1QWxJCjBCYUJXamFpYkJDaVNCWGdnRGk3
MDJtM2k1aVdxaGRxQWREeUg2TDNpbEkKLS0tIHMrSlFDcGs0N2JGOVZYdXlSRk9I
OGNEMlRad28zT3FmeUxSWjkrNGJTZDQKuP3lfQ0hwdK5DzrL4Qn5VkRCtvHi50Yr
PoIVrF+1gJA2COrytD81rPH/OsWMAUdEKtRO1EOGOTEag21e0UpSnA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGSUlwdjJIUWdTWVlZcGM5
dndnc1lFb0hjdW5vbzdJR3dJN3c0Z29FemlZCjBCVGxUS1dGVkZWc2hmTStYcDF3
bTR1WDFUN0pOa2wxYmZNVnhsQ1dhQVUKLS0tIEJmdzlJN1AvTkZqRHRGQTcrbG4y
NEJtV0FJU3RMbGNBMCtyWnIzYWwwSUEK/kt62lblp5wMYC8uWWRV09rWwQBOxxXw
K2gzMoIIy44u2PMKZSX8vp2socQfMxNtBqMm4PH6Tl5oyd9cNMX9rA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
- recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZNDJNWjIzenptWlhOUzJm
U2c4UjlnTEFvTWw4U041ZVNqa0FPMi8zZ1VVCmZCYXE0L2pVdjRQajl6YlRLdnpr
Uk0yL2c3cmt4ZUZjK0RHMis5YWZPblUKLS0tIEIvTzZuczZlWitLVW1kY1pWUFhr
a25iRHBJMFZJYVNSQVgwanBIS2RnZ0EKuKzaVJHkZj2kB4O8z9XMWmoRGbFaDEOl
JuU7jOfR+0r9zBwSAzrYnLL5xBh6IH5L3UWB4vfi6X271KJa1g7d3A==
-----END AGE ENCRYPTED FILE-----
- recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2c2xJeHNDZUo3SUlpd3N5
bzJFVzRkMFY3UnljcGNKWWJYWlVVZGxVUUZNCll5ekRzampIYS9JUHdOYXZBNWp2
UU5kREpCNFpYK2l5M0x0Qjg4V2pESFEKLS0tIHhyNmh3SVJLZVRXY29hN2ZRTmZV
U1RMTGpCblE5RzJzeWdYUm4xYnZ2b0UK/oQ44kjpwdOwF4rr+M0mxmJipuBAvPTV
dQJqFu6xs664uDosd8rWT7sEeEWJLvs5s/QZKD73EiCg7i9819pMrQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLRXd0bUhzeTlvYmRsalVK
Sjk1YWxzdTdNSVNTai85WndIUmZabW81SGpvClFFTytkRHc3a3R1Rk9PVmtKR2tB
cWlzUk1Qb2dMWlBva1Boa0dGOGhPY2sKLS0tIGhDVmZHWUlsL1RrREdIWWdBSmw2
U080Z2FTcCt5OWUvYmNVUlVzNnRvcjgKeKVY57El+zPFwS0scrp8qHXodmKn8qcn
qqF3804LfavB27BnYjHLcGb52HrgrmtpY3TpjfM3i7uuYjJZbh9xCw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RmhTK29yaGVCbmJmWkdC
VU1nczRwWWV6RG5sY3ZCeWVyUFlQTS91aVJnClNlMjRPdEN0L1NaOXZGdFlJdW41
TlRpdTYveXdRSW1UaGNCbXk3UWtQdDAKLS0tIDV5ZkNWVTNGRnJtcGxJQmZ2NDBh
V1h3WVZzRk5pV2JSMlhmOFpaQXNIWmsKy0VbeGo9FchDTZ3327/9/8WEQce1RLSj
sWW952ZDkS/tkcYwcKa2FZYNpv71wwW6RWwZEtfGKmYttYNOovwzBw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQbXZVSVMyZ09YYW13aEFW
TlJ3TlYxbyttVGs0VVFHVmNTT3oxalVYc0NvCnF2WW53MHhxSHgwTnNGVkZyd3Zo
UzZ4NHVQOTlkMlVVYTdFWXdoVVM0bUUKLS0tIG05M2hmWjhGaWZrb2RBRGV3U2xD
WnI1c1VLZDJ5aW9aMFN0YnBiN0wyRUEKxZJCCI6jO5nbwwIm4lUo7WrqKKRvyQbY
CYCJfZhCIYwXgrvFp1CLnY81ayZjnkVUKGMvOoQD2tJ9FZmBBFolxg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiU0hPVDZrVWp1dUdlUGJH
V2hDK2QwQ291Zi9iTXBEUmNjTDhwOHRabjFNCkllbThlMmRZSGFyb3QyQjN3UEFF
ZHNteXFRM01Vb3Q3bit4M0ZJaWtTVGsKLS0tIEFrTDVGN0V5UnZiTWROT1FxQzFN
QWR3TU1mWmNUZmdpUkhyQzBTUm1OaXcKnJ1W9n8gIBCyjuIGca6B2Z2EwCnfrrJJ
bm9RMO3ZmA5ffc+nTyKfy9QtYY6i9ksUxNsUp5sWCxiKKb759voURQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCNlFjbWduR0IyUnhhaVZW
NW9mbXBVUC9PSXdVR3ozRmNBQ1lHSkJCUFN3CnJvb0pBak9KczZTM3F0SktTc0Rl
QjZOVWJlUGRxeWIrUUVWdGVjbk5IanMKLS0tIHRlaFUxejBybzl0bFJqUmlab25O
cTdUU1EyY3BmdlhUMVhZWE1SekdUNzQKg8KI+jRz6d3ugvx8FNMkpC3kfj4flMY7
gRI9Ej777+Vl9Zowo1I4qF4t/6kAfvA8JUiuQnl7Ns7Mou0EyMVv5Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-18T23:57:27Z"
mac: ENC[AES256_GCM,data:+emFGGQB1nrYdbGQE4/zqhMz+CtXlDhBCFCgimW4UddTqbtggqSy1J+w3Y4/vih6fQmBgGQHjuSNO84ZPtnvxSf1DOOWknic/8ozU5hPyhNksYl0D68EthUuqdsuIHzY6vEZMYPjIRaig/dAii/ov6pmLTlhKFjt7FpQTIuKmdY=,iv:MCaltKhV2CV0w31cpf1GQzAYlQphaHh/PGMbtN3EPOo=,tag:LGpbDiRarAOnORill/aE9w==,type:str]
lastmodified: "2024-07-15T23:16:58Z"
mac: ENC[AES256_GCM,data:M09iYBGnRluGoGRQTOT9/oTHlg692Lm4LXrz0u5V8DleWRg1zIyjYxtupadpKMbGQ1DVuhB3oNejuvmjKJ+eX2Z8m4LMDhVFJZEfjd5/g+fUuwoyEzI1nU4ttvQ1j6NnO9F0F/VxvOp9fb78zpgzhxDEMjVrhHcnM0qyZtnSx7Y=,iv:V21v29Xx1QWGb1/Lap6dRJ6OuwcsdDCW0QrDeitqtYw=,tag:3PEgDPAzCD01XLCR+JJqQA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

8
nixos/profiles/global/system.nix
View file

@ -4,13 +4,7 @@
# Enable printing changes on nix build etc with nvd
activationScripts.report-changes = ''
PATH=$PATH:${lib.makeBinPath [ pkgs.nvd pkgs.nix ]}
profiles=$(${pkgs.coreutils}/bin/ls -dv /nix/var/nix/profiles/system-*-link | tail -2)
profile_count=$(echo "$profiles" | ${pkgs.coreutils}/bin/wc -l)
if [ $profile_count -gt 1 ]; then
nvd diff $profiles
else
echo "Not enough system configurations to compare. Found only $profile_count profile."
fi
nvd diff $(${pkgs.coreutils}/bin/ls -dv /nix/var/nix/profiles/system-*-link | tail -2)
'';
# Do not change unless you know what you are doing

62
nixos/profiles/global/users.nix
View file

@ -10,47 +10,27 @@ in
};
};
users = {
groups = {
kah = {
gid = 568;
};
};
users = {
kah = {
isSystemUser = true;
group = "kah";
uid = 568;
};
users.users.jahanson = {
isNormalUser = true;
shell = pkgs.fish;
hashedPasswordFile = config.sops.secrets.jahanson-password.path;
extraGroups =
[
"wheel"
]
++ ifTheyExist [
"network"
"samba-users"
"docker"
"podman"
"audio" # pulseaudio
"libvirtd"
];
jahanson = {
isNormalUser = true;
shell = pkgs.fish;
hashedPasswordFile = config.sops.secrets.jahanson-password.path;
extraGroups =
[
"wheel"
"kah"
]
++ ifTheyExist [
"network"
"samba-users"
"docker"
"podman"
"audio" # pulseaudio
"libvirtd"
"wireshark"
"minecraft"
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIDJtqzSFK3MN12Lo3Y4DnzJV5NiygIPkR+gun5oEb2q jahanson@legiondary"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsUe5YF5z8vGcEYtQX7AAiw2rJygGf2l7xxr8nZZa7w jahanson@durincore"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcLI5qN69BuoLp8p7nTYKoLdsBNmZB31OerZ63Car1g jahanson@telchar"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHwUOBEd0z2Jh6qJi4JeJbWdbU665E8/cP44iaUjW1DA jahanson@shadowfax"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPHzVi4xC6aLYsC4iiIX9rBfEh/FkWZilukLxmfjU9DE jahanson@gandalf"
];
};
};
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIDJtqzSFK3MN12Lo3Y4DnzJV5NiygIPkR+gun5oEb2q jahanson@legiondary"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsUe5YF5z8vGcEYtQX7AAiw2rJygGf2l7xxr8nZZa7w jahanson@durincore"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcLI5qN69BuoLp8p7nTYKoLdsBNmZB31OerZ63Car1g jahanson@telchar"
];
};
}

0
.archive/profiles/hw-legion-15arh05h.nix → nixos/profiles/hw-legion-15arh05h.nix
View file

0
.archive/profiles/hw-thinkpad-t470.nix → nixos/profiles/hw-thinkpad-t470.nix
View file

29
nixos/profiles/hw-threadripperpro.nix
View file

@ -1,29 +0,0 @@
{ lib, ... }: {
imports = [ ];
boot = {
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
initrd.kernelModules = [ ];
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
};
mySystem = {
services.openssh.enable = true;
security.wheelNeedsSudoPassword = false;
# Restic backups disabled.
# TODO: configure storagebox for hetzner backups
system.resticBackup = {
local.enable = false;
local.noWarning = true;
remote.enable = false;
remote.noWarning = true;
};
};
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

75
nixos/profiles/role-dev.nix
View file

@ -1,58 +1,35 @@
{
pkgs,
inputs,
...
}:
{ config, pkgs, inputs, ... }:
# Role for dev stations
# Could be a workstatio or a headless server.
with config;
{
config = {
# git & vim are in global
environment.systemPackages = with pkgs; [
btop
dnsutils
fira-code-nerdfont
jo
jq
nix
unstable.ncdu
yq-go
# git & vim are in global
environment.systemPackages = with pkgs; [
btop
dnsutils
fira-code-nerdfont
jq
nix
yq
# nix lsp/formatters
nil
nixd
nixpkgs-fmt
unstable.nixfmt-rfc-style # nixfmt RFC 166-style compatible with nixpkgs soon
# TODO Move
gh
go
nil
nixpkgs-fmt
shfmt
statix
# dev
gh
go
hadolint
shfmt
statix
tmux
unstable.cyme
unstable.go-task
unstable.helix
unstable.sops
# bind # for dns utils like named-checkconf
inputs.nix-inspect.packages.${pkgs.system}.default
inputs.talhelper.packages.${pkgs.system}.default
inputs.ghostty.packages.${pkgs.system}.default
];
# flake imports
inputs.nix-inspect.packages.${pkgs.system}.default
inputs.talhelper.packages.${pkgs.system}.default
# charmbracelet tools
gum
unstable.glow
vhs
mods
soft-serve
];
programs.direnv = {
# TODO move to home-manager
enable = true;
nix-direnv.enable = true;
};
programs.direnv = {
# TODO move to home-manager
enable = true;
nix-direnv.enable = true;
};
}

11
nixos/profiles/role-workstation.nix
View file

@ -2,15 +2,11 @@
# Role for workstations
# Covers desktops/laptops, expected to have a GUI and do workloads
# Will have home-manager installs
let
vivaldiOverride = pkgs.vivaldi.override {
proprietaryCodecs = true;
enableWidevine = true;
};
in
with config;
{
mySystem = {
de.gnome.enable = true;
shell.fish.enable = true;
editor.vscode.enable = true;
@ -52,9 +48,8 @@ with config;
lm_sensors
cpufrequtils
cpupower-gui
vivaldiOverride
vivaldi
gparted
termius
];
i18n = {

15
renovate.json5
View file

@ -1,10 +1,11 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:base"],
"extends": [
"config:base"
],
"nix": {
"enabled": true
},
"ignorePaths": ["**/*.sops.*", "**/.archive/**", "**/resources/**"],
// "lockFileMaintenance": {
// "enabled": true,
// "extends": [
@ -15,14 +16,16 @@
{
"customType": "regex",
"description": "Process various dependencies in nix files",
"fileMatch": ["\\.nix$"],
"fileMatch": [
"\\.nix$"
],
"matchStrings": [
// Newline
"(?m:^[ \\t]*?# ?renovate: depName=(?<depName>\\S+)( datasource=(?<datasource>\\S+))?( versioning=(?<versioning>\\S+))?( extractVersion=(?<extractVersion>\\S+))?\\n[ \\t ]*?\\S+ = \"?(?<currentValue>[^\" ]+?)\";?$)"
],
"datasourceTemplate": "{{#if datasource}}{{{datasource}}}{{else}}github-releases{{/if}}",
"versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}",
"extractVersionTemplate": "{{#if extractVersion}}{{{extractVersion}}}{{else}}^(?<version>.*)${{/if}}"
}
]
"extractVersionTemplate": "{{#if extractVersion}}{{{extractVersion}}}{{else}}^(?<version>.*)${{/if}}",
},
],
}

7
shell.nix
View file

@ -1,8 +1,5 @@
# Need the unstable nixpkgs to get latest dev tools
let
nixpkgs = fetchTarball "https://github.com/NixOS/nixpkgs/archive/nixos-unstable.tar.gz";
pkgs = import nixpkgs { allowUnfree = true; };
in
# Shell for bootstrapping flake-enabled nix and home-manager
{ pkgs ? import <nixpkgs> {} }:
pkgs.mkShell {
# Enable experimental features without having to specify the argument
NIX_CONFIG = "experimental-features = nix-command flakes";