jahanson/mochi
1
0
Fork 0
Code Issues 1 Pull requests 1 Projects Releases Packages Wiki Activity Actions

Compare commits

base: jahanson:main
Branches Tags
jahanson:main
jahanson:renovate/docker.io-ollama-ollama-0.x
jahanson:talos-pxe-bootstrap
jahanson:update_flake_lock_action
jahanson:renovate/lock-file-maintenance
..
compare: jahanson:update_flake_lock_action
Branches Tags
jahanson:renovate/docker.io-ollama-ollama-0.x
jahanson:main
jahanson:talos-pxe-bootstrap
jahanson:update_flake_lock_action
jahanson:renovate/lock-file-maintenance

1 commit
main ... update_fla

Author SHA1 Message Date
github-actions[bot]
4273e4eb17 flake.lock: Update 
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/a731b45590a5169542990c36ffcde6cebd9a3356?narHash=sha256-WoKZDlBEdMhP%2BhjquBAh0BhUJbcH2%2BU8g2mHOr1mv8I%3D' (2024-08-11)
  → 'github:nixos/nixpkgs/c3d4ac725177c030b1e289015989da2ad9d56af0?narHash=sha256-sqLwJcHYeWLOeP/XoLwAtYjr01TISlkOfz%2BNG82pbdg%3D' (2024-08-15)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/a58bc8ad779655e790115244571758e8de055e3d?narHash=sha256-dFZRVSgmJkyM0bkPpaYRtG/kRMRTorUIDj8BxoOt1T4%3D' (2024-08-11)
  → 'github:nixos/nixpkgs/c3aa7b8938b17aebd2deecf7be0636000d62a2b9?narHash=sha256-med8%2B5DSWa2UnOqtdICndjDAEjxr5D7zaIiK4pn0Q7c%3D' (2024-08-14)
 2024-08-16 22:10:47 +00:00
178 changed files with 97921 additions and 6413 deletions
Show stats Expand all files Collapse all files

36
.archive/flake.nix
View file

@ -1,36 +0,0 @@
{
"durincore" = mkNixosConfig {
# T470 Thinkpad Intel i7-6600U
# Backup Nix dev laptop
hostname = "durincore";
system = "x86_64-linux";
hardwareModules = [
./nixos/profiles/hw-thinkpad-t470.nix
inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t470s
];
profileModules = [
./nixos/profiles/role-workstation.nix
./nixos/profiles/role-dev.nix
{ home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
];
};
"legiondary" = mkNixosConfig {
# Legion 15arh05h AMD/Nvidia Ryzen 7 4800H
# Nix dev/gaming laptop
hostname = "legiondary";
system = "x86_64-linux";
hardwareModules = [
inputs.nixos-hardware.nixosModules.lenovo-legion-15arh05h
./nixos/profiles/hw-legion-15arh05h.nix
disko.nixosModules.disko
(import ./nixos/profiles/disko-nixos.nix { disks = [ "/dev/nvme0n1" ]; })
];
profileModules = [
./nixos/profiles/role-dev.nix
./nixos/profiles/role-gaming.nix
./nixos/profiles/role-workstation.nix
{ home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
];
};
}

84
.archive/home/modules/programs/de/gnome/default.nix
View file

@ -1,84 +0,0 @@
# Adjusted manually from generated output of dconf2nix
# https://github.com/gvolpe/dconf2nix
{
lib,
pkgs,
osConfig,
...
}:
with lib.hm.gvariant;
{
config = lib.mkIf osConfig.mySystem.de.gnome.enable {
# add user packages
home.packages = with pkgs; [
dconf2nix
];
# worked out from dconf2nix
# `dconf dump / | dconf2nix > dconf.nix`
# can also dconf watch
dconf.settings = {
"org/gnome/mutter" = {
edge-tiling = true;
workspaces-only-on-primary = false;
};
"org/gnome/settings-daemon/plugins/media-keys" = {
home = [ "<Super>e" ];
};
"org/gnome/desktop/wm/preferences" = {
workspace-names = [
"sys"
"talk"
"web"
"edit"
"run"
];
button-layout = "appmenu:minimize,close";
};
"org/gnome/shell" = {
disabled-extensions = [
"apps-menu@gnome-shell-extensions.gcampax.github.com"
"light-style@gnome-shell-extensions.gcampax.github.com"
"places-menu@gnome-shell-extensions.gcampax.github.com"
"drive-menu@gnome-shell-extensions.gcampax.github.com"
"window-list@gnome-shell-extensions.gcampax.github.com"
"workspace-indicator@gnome-shell-extensions.gcampax.github.com"
];
enabled-extensions = [
"appindicatorsupport@rgcjonas.gmail.com"
"caffeine@patapon.info"
"dash-to-dock@micxgx.gmail.com"
"gsconnect@andyholmes.github.io"
"Vitals@CoreCoding.com"
"sp-tray@sp-tray.esenliyim.github.com"
];
favorite-apps = [
"com.mitchellh.ghostty.desktop"
"vivaldi-stable.desktop"
"obsidian.desktop"
"code.desktop"
"vesktop.desktop"
];
};
"org/gnome/nautilus/preferences" = {
default-folder-viewer = "list-view";
};
"org/gnome/nautilus/icon-view" = {
default-zoom-level = "small";
};
"org/gnome/desktop/interface" = {
color-scheme = "prefer-dark";
};
"org/gnome/desktop/peripherals/touchpad" = {
tap-to-click = false;
};
"org/gnome/desktop/interface" = {
clock-format = "12h";
show-battery-percentage = true;
};
"org/gnome/settings-daemon/plugins/power" = {
ambient-enabled = false;
};
};
};
}

53
.archive/hosts/durincore/default.nix
View file

@ -1,53 +0,0 @@
{ ... }:
{
config = {
networking.hostId = "ad4380db";
networking.hostName = "durincore";
# Kernel mods
boot = {
initrd = {
availableKernelModules = [
"xhci_pci"
"nvme"
"usb_storage"
"sd_mod"
];
kernelModules = [ ];
};
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
fileSystems = {
"/" = {
device = "rpool/root";
fsType = "zfs";
};
"/home" = {
device = "rpool/home";
fsType = "zfs";
};
"/boot" = {
device = "/dev/disk/by-uuid/F1B9-CA7C";
fsType = "vfat";
options = [
"fmask=0077"
"dmask=0077"
];
};
};
swapDevices = [ ];
# System settings and services.
mySystem = {
system.motd.networkInterfaces = [
"enp0s31f6"
"wlp4s0"
];
};
};
}

16
.archive/hosts/gandalf/config/disks.nix
View file

@ -1,16 +0,0 @@
[
"/dev/disk/by-id/ata-Seagate_IronWolfPro_ZA240NX10001-2ZH100_7TF002RA"
"/dev/disk/by-id/nvme-Samsung_SSD_960_EVO_250GB_S3ESNX0K308438J"
"/dev/disk/by-id/scsi-350000c0f02f0830c"
"/dev/disk/by-id/scsi-350000c0f01e7d190"
"/dev/disk/by-id/scsi-350000c0f01ea443c"
"/dev/disk/by-id/scsi-350000c0f01f8230c"
"/dev/disk/by-id/scsi-35000c500586e5057"
"/dev/disk/by-id/scsi-35000c500624a0ddb"
"/dev/disk/by-id/scsi-35000c500624a1a8b"
"/dev/disk/by-id/scsi-35000cca046135ad8"
"/dev/disk/by-id/scsi-35000cca04613722c"
"/dev/disk/by-id/scsi-35000cca0461810f8"
"/dev/disk/by-id/scsi-35000cca04618b930"
"/dev/disk/by-id/scsi-35000cca04618cec4"
]

49
.archive/hosts/gandalf/config/incus-preseed.nix
View file

@ -1,49 +0,0 @@
{ ... }:
{
config = {
"core.https_address" = "10.1.1.15:8445"; # Need quotes around key
};
networks = [
{
config = {
"ipv4.address" = "auto"; # Need quotes around key
"ipv6.address" = "auto"; # Need quotes around key
};
description = "";
name = "incusbr0";
type = "";
project = "default";
}
];
storage_pools = [
{
config = {
source = "eru/incus";
};
description = "";
name = "default";
driver = "zfs";
}
];
profiles = [
{
config = { };
description = "";
devices = {
eth0 = {
name = "eth0";
network = "incusbr0";
type = "nic";
};
root = {
path = "/";
pool = "default";
type = "disk";
};
};
name = "default";
}
];
projects = [ ];
cluster = null;
}

185
.archive/hosts/gandalf/default.nix
View file

@ -1,185 +0,0 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
inputs,
...
}:
# let
# sanoidConfig = import ./config/sanoid.nix { };
# disks = import ./config/disks.nix;
# smartdDevices = map (device: { inherit device; }) disks;
# in
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
inputs.disko.nixosModules.disko
(import ../../profiles/disko-nixos.nix { disks = [ "/dev/sda" ]; })
];
boot = {
initrd = {
availableKernelModules = [
"ehci_pci"
"ahci"
"mpt3sas"
"isci"
"usbhid"
"usb_storage"
"sd_mod"
];
kernelModules = [ "nfs" ];
supportedFilesystems = [ "nfs" ];
};
kernelModules = [
"kvm-intel"
"vfio"
"vfio_iommu_type1"
"vfio_pci"
"vfio_virqfd"
];
extraModulePackages = [ ];
kernelParams = [
"iommu=pt"
"intel_iommu=on"
"zfs.zfs_arc_max=107374182400"
]; # 100GB
};
swapDevices = [ ];
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAGSFTSVPt43PBpSMSF1dGTzN2JbxztDZUml7g4+PnWe CSI-Driver@talos"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBROTzSefJGJeCNUgNLbE5l4sHHg2fHUO4sCwqvP+zAd root@Gollum"
];
# Network settings
networking = {
hostName = "gandalf";
hostId = "e2fc95cd";
useDHCP = false; # needed for bridge
networkmanager.enable = true;
firewall.enable = false;
nftables.enable = false;
interfaces = {
"enp130s0f0".useDHCP = true;
"eno1".useDHCP = true;
};
};
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# VSCode Compatibility Settings
programs.nix-ld.enable = true;
services.vscode-server = {
enable = true;
};
# Home Manager
home-manager.users.jahanson = {
# Git settings
# TODO: Move to config module.
programs.git = {
enable = true;
userName = "Joseph Hanson";
userEmail = "joe@veri.dev";
extraConfig = {
core.autocrlf = "input";
init.defaultBranch = "main";
pull.rebase = true;
rebase.autoStash = true;
};
};
};
# sops
sops = {
secrets = {
"borg/repository/passphrase" = {
sopsFile = ./secrets.sops.yaml;
};
"syncthing/publicCert" = {
sopsFile = ./secrets.sops.yaml;
owner = "jahanson";
mode = "400";
restartUnits = [ "syncthing.service" ];
};
"syncthing/privateKey" = {
sopsFile = ./secrets.sops.yaml;
owner = "jahanson";
mode = "400";
restartUnits = [ "syncthing.service" ];
};
};
};
services = {
# Smart daemon for monitoring disk health.
smartd = {
# devices = smartdDevices;
# Short test every day at 2:00 AM and long test every Sunday at 4:00 AM.
defaults.monitored = "-a -o on -s (S/../.././02|L/../../7/04)";
};
# ZFS Exporter
prometheus.exporters.zfs.enable = true;
# samba = {
# enable = true;
# settings = import ./config/samba-config.nix { };
# openFirewall = true;
# };
};
# System settings and services.
mySystem = {
purpose = "Production";
system = {
motd.networkInterfaces = [
"enp130s0f0"
"eno1"
];
# Incus
# incus = {
# enable = true;
# preseed = import ./config/incus-preseed.nix { };
# webuiport = 8445;
# };
# ZFS
zfs.enable = true;
# zfs.mountPoolsAtBoot = [ "eru" ];
# NFS
nfs.enable = true;
};
services = {
libvirt-qemu.enable = true;
podman.enable = true;
# Syncthing
syncthing = {
enable = true;
user = "jahanson";
publicCertPath = config.sops.secrets."syncthing/publicCert".path;
privateKeyPath = config.sops.secrets."syncthing/privateKey".path;
};
# # Scrutiny
# scrutiny = {
# enable = true;
# devices = disks;
# extraCapabilities = [ "SYS_RAWIO" ];
# containerVolumeLocation = "/eru/containers/volumes/scrutiny";
# port = 8585;
# };
# Sanoid
# sanoid = {
# enable = true;
# inherit (sanoidConfig.outputs) templates datasets;
# };
};
};
}

92
.archive/hosts/gandalf/secrets.sops.yaml
View file

@ -1,92 +0,0 @@
lego:
dnsimple:
token: ENC[AES256_GCM,data:Lf3sSTJ1XQAMe80p7LnoElvN7uv8bMblcvskiyBZQx0A9inBkoIjBf9/0w==,iv:D53d/uIRZeyXWB64NZFjrnutToua7+6nsh8wvsBfqdQ=,tag:ODzXnRExlTFP0ewl81QE4Q==,type:str]
borg:
repository:
passphrase: ENC[AES256_GCM,data:xJ9KLh1V0ykeEusRon3AiXLH9fs=,iv:D5ICrIoTegc9IfdagbqjQ9NpW9fm3yq1CxnOH3v1qbs=,tag:ENnLfTRuQaDx38gGuz9Cew==,type:str]
syncthing:
publicCert: ENC[AES256_GCM,data:AnzODcQM57zYK9krVlydQjQ26Shd65ui/F5n3/CxZuICgMzn4KJujgCJpW+2TtT+apTehmVwnCZH8sdI8EcB09dyjEawncZxeI+n1JqgE+PoLI1A1enjzM1S7OwNUIl09yMiZflKRvQNKtUihd0/HLcoIRkBNYu78UP69uxMeOFkKVeeSl2k+ERvv1tvO7lcY3ksBRV8H554xv139ojJWtIrUCjibx6uCL8I+TWwXIhH+DjAsE2d/bnsJ1NMEuDM5Mg1wVp4ZWIoQU/HoOM3b2Khb9vW+AvuQPeK1IUkYPRqteykUP2eoIwFV9IFfj6w/VrwFazXqg/DoaOC6mWr4/+0uam1uHO4QGfLP3idVBWbAdUoFvlVDUSLYOrG25Xssry7dn+JPBu3n8Y5uzNdfSthYLPRQuippQ34SlYIcgvGVJaNlf4/aglA2x5rC6xRi3/OwIFzbmADonDKsLyNsmiIUUo1VYUYPEEhLYeY3Hu0xV5Y52CMEF8MFpPsS43/9Dv89VYgKTPywY2/PjtpNuc5pysOYzJAvOiD28YTFgz0Dp5m0ShGmXjSFK6ekAzTvJYHzFMNCIBWcYrFbao2OFYqT17kh19+wdQDK4t0q7FHwQVwm8OtpYvstNasBCU+jZCuUUUdHYAAOj5F7U2mr+GqG0rp4wonSU1Qa96M/3KsNR5wbMY1ygpj6ADDCaxL/dUOS5kz2eBlaiMYxakCrAmccfoSMNcG3QmCpyr6QjvIAJPGgNMjVa25LGIs3GCKDrEHfN3I54KV3SNRYeGplw3HDQg9gFpuZ7ZqlhdJOvO62m3rwDTtCF2acouhu3dy/3XENWceCbRuSGktORxklUrLOcXBLXYbTs1hmDI6S1hRGQTxcTXSuVlkjkOcxZ4rpqbIGErpBeQodh69XWbOJ9yFC4XSj4oNydt2JtqDW/H9q4GYt9njcUFP3RoxI2BCUtwOqdaPO3o3svevVgC5SaIcDsMnz+dLRs+cr5FZk/AIDta9+RVBCl5clv4svoWfSOn8ff6mrhYqjo3Wtf7k3KLqmfIDawuKfQU=,iv:UiCdr9U1sTph8VOJNiq7VS1c3JvpRPrti0G7sOJeAmc=,tag:OwFs0+2cIwDi6LLxr4jbFA==,type:str]
privateKey: ENC[AES256_GCM,data:2Ue/vbCIN8ceJEBRnl5pSrdEPHGDy92eRO0QtesU/FvrrwQq8ga5DCCCB1Cee1zWXrXT1R94b0GSvjfWu9M9JQvNdIjFTzwOIElRL/NrplVbJKSd18P/SHEJHZ+/vWxFkOk0FDmN1xkFrVQEf+g2xbHtcYYA3TT8b4a9eDHJSUQGCYo3LJVkJUbgsNgpoRPOXrA1LKXNsoaUqDHYXoY86j+ShFNlx2wPRkeymIkoULK7gyykeAVFaE/QMXkel/BVNz94lPFlnOymbj0vLa6qAhdRyeV5sh2Q9AdR5tM5bUBoSOCe304Q9P7/BLh3dpmRAeI4dq0FcJlDF2Y8z5A+ZPBsySObYSkDXlwgFOvwJgVVXbcdd9y8FwpV/kVnbPeP,iv:MM9d8VwvWWUxID/9HKa4m5zDeNR5yu7REVDHujIvyA0=,tag:0DvBfO3X58FmjnCWyupVgA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBucldMTnVlS1dRNHdRSzNt
K0pmaU1lSkwrOTZLSDdjM0dkMUZKNXJJS3dZCncvMmZ0K3lwRjJSOUFHTDA2QW5C
bW4raVc1RXMrbXV0WmcyVklBU3NZM00KLS0tIHhoTDFHc3MvcDdNV2RBVTAxQjZT
dWtaajROWFFSSU81YU45QkdGZVAreVEKdRfFV5aXf+TCLrC9rlIgOIgvXKSRLXV3
AaE+DMreP3ipFj3sRtbWhwpwdKG3ww3oUVuSOzkupxBviKLuZjOpZQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMRGp4MWxOclZFZThsZXlU
SU5MeWlBUkxyYkpWMTRraG9kUVdkZVZIRTJNCktDdkZMUUJJVG92R1Nrd3g1N0Qw
Q05HV3NPaUlxOHgwUzAxSzZEejFCdjAKLS0tIDhZL1JTUEh5eUM1V1RScTZ6bWhW
ZDdnOXhGR2JkVjk5YllKVjc2TS9RNDQKyi08QEOaZfb4Dj+CviQoIGKkyi0qGHUC
jUeERhVwT346p1Bx5JLcHAyoPMdbxm37pNrC2P/LoI9/enxoWZ/hKw==
-----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTR0plTmZ3Q1BuY2Z2bzdR
aHlSTFQ2bkl6ekVDdmpxZ2lCMDV4TFYwd0FJCmFHczFwanZTVkx1cytqd2pHYXhr
b3I3SnRkM3dMd1VpbjNYbmI4Z2Z0MVkKLS0tIEw0ZjNxK0NUckdFYVpIeDRDSGMv
b0lObG1iYS91aVNaZ3VRbXBPOFFYYkkKexf0g60IXy+LNqFkXgpfx+FWDeFiO8+3
9EQWEEQMurYqVzAT+BcJq3LuAex5lEFO1nLav1k2rammA1epB8QYpg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKK0VybENLM1Bpa1l1THo3
VnczdzFraWpKMVNOREduVjJ2V1grczdxTUNZCkcrYTExalljWVlOWXFtMmlmemt3
eGM0Z1hXaDZXRDcyOVFrc2FRL1J0YjAKLS0tIG9wOWpnV1ZYQy9DWG1zR2dOR2FH
MXdmVWkvS2dCNzBJNEJGQzJjSHhXVHcKbVzAr0o45xaS33bYY2Pb11cEHiBTi+7l
H1IlJBdJbyJ8NMFJfvnyKBHLttUKb57Xz2mjeaC4vkDHT450r+k5Jw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKS2tTUzBlZFl6WU92d3M4
Wjg4WVpvRk5mdWRCWnFxK0RFS1BTZGJ4ZUJnCllNY2ZQRUwvN0lKM1V2dURDYXQv
cXNTbmZkcEhMZDRNNjY1a09CRDYweVkKLS0tIG5Qdnp1cFl6UCtpMTh1ZUZoTTRM
dnpjQ2tkOXFCa1ZvekxBeFR2UXprWEUK9tBZsGeIMLiW8Lrodir6zynFg2I3LqW9
bMjUyF6CM8U8Aid7ftX5fiEMFCyssrSRBQ4CVs28jic4dYJ/3Nceiw==
-----END AGE ENCRYPTED FILE-----
- recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTQ0hGa2d4VmpMV0ttYis5
OFZibUxkSjdiYVgyajhGblRxMGkrTSsxRlgwClVnVy93YXBMRjM1TEIyUzB4S3My
TG9KSjNVc1BpODBvV201dkRmZitvMzQKLS0tIFRLZFJxclJPK1lvMVFGZ2UzaVFu
VFJkcm1QaGdDeTJuVWpNV3pva2RKVzQKI0s2hQHI16T72AYVvaO4f+nIza5768S4
pQN3UUOjug8L7/85ytHvOQOxBC+PMAG/aJABoj7FMhZNRvKtbC2J/g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyVHU5Z1cyWjFjbjRncmRu
NklQRGVNK2VZZlhKMFgxT2dGYU15MzRTV0VFCnVDUkY4elNNS0VqZWUrQjdWU1Jh
RUZTUE5Qa0FsYmljQThyd3p4bm9FbDAKLS0tIG9MRGZ4UkhteUk1cFk1b3JXZzVY
VTkxcEppQ2Y0VVg1dThQS3FkcFdPTVkKG0/RNreCjjbdsUq4PoXCsfVOnd3fF0jS
Sw6bTIpifslRFu0JJRB83AxRxjPbl4h6QOz3VlDHWfGCJ5eO9RQfjw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWStjeTFGVmM0YWN5bWcx
eThvdTNoclNkd0N4VklRc2UrOFFIejFXYVJvCkNlaE5iL2ExcFlZQ0trZGQzenlQ
WkZMdUtaUUU5NXFWeVlPYkJ5eit5U1UKLS0tIDhONzk1M0pEV3plR3JHdnFRNVQ5
L2FjVW9qREJjUUtZSzROV1lQc1lUaTgKSFx81K8XYD5KFJNBlAyLshwQQQYqdGos
goYyedCpe7JdXp49sSaCdAWpdphznFTdElzFCuM3LSxM76tI0JEe/A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-27T09:27:41Z"
mac: ENC[AES256_GCM,data:c91/QM6/I7NYvAKQlnqTvv1n9HXt1LlTAa8OXaKzYB2Pg2Ofsl0z4XFf7dpLiITRFjBZCJWKyg4rVPKpNOUAwE4TS/7D+lh2xjJh5YPW1C4nwmu9dQ4/KSfBH71KKsSLJUnktgZXg7LNhE7QBFxntoJvznjv+vjjkzgovbBqC+Y=,iv:tCy5h0BscT7WKncaB4iCGWx6Up9OqZzRFYFQiLiNxgA=,tag:BPp6dZzKD0zUENoHRTlckg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1

93
.archive/hosts/telchar/default.nix
View file

@ -1,93 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
networking.hostId = "4488bd1a";
networking.hostName = "telchar";
boot = {
initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"thunderbolt"
"usbhid"
"usb_storage"
"sd_mod"
];
initrd.kernelModules = [ "amdgpu" ];
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
};
swapDevices = [ ];
virtualisation.docker.enable = true;
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# Enable Flatpak support
services.flatpak.enable = true;
## Base config programs.
programs = {
# Enable Wireshark
wireshark.enable = true;
# Enable OpenJDK
java.enable = true;
};
# sops
sops.secrets = {
"syncthing/publicCert" = {
sopsFile = ./secrets.sops.yaml;
owner = "jahanson";
mode = "400";
restartUnits = [ "syncthing.service" ];
};
"syncthing/privateKey" = {
sopsFile = ./secrets.sops.yaml;
owner = "jahanson";
mode = "400";
restartUnits = [ "syncthing.service" ];
};
};
## System settings and services.
mySystem = {
purpose = "Development";
services.syncthing = {
enable = true;
user = "jahanson";
publicCertPath = config.sops.secrets."syncthing/publicCert".path;
privateKeyPath = config.sops.secrets."syncthing/privateKey".path;
};
## Desktop Environment
## Gnome
# de.gnome.enable = true;
## KDE
de.kde.enable = true;
## Games
games.steam.enable = true;
## System config
system = {
motd.networkInterfaces = [ "wlp1s0" ];
fingerprint-reader-on-laptop-lid.enable = true;
};
framework_wifi_swap.enable = true;
security._1password.enable = true;
};
}

86
.archive/hosts/telchar/secrets.sops.yaml
View file

@ -1,86 +0,0 @@
syncthing:
publicCert: ENC[AES256_GCM,data:SVEKnnuq30TJJoxbgTYRHTEdQyNYsn50+223Ly0QmX9V96xNb+qMIgJfOX9dGMZdoxNfQOkeecLvwgNZc6sEXNdlhFt/a/bqL6wNJvRY2PdyNoX2IKZvfZFulZtxuAAWsG0dwP04CT8cDmK4dUQIWEKRUOUAKRFQkD8cgglO7OHDGVZ0gZT1g6P1CAIJ2kWZiO3yRDSBWkcxGoY+Hy+tbCMS1Ut9Evh0bDAHslYvVPVqlNhurADTF0vkJO88027+ODQjts4M2ecgafZE4y8L0CmMF/+sdGtkCRiYqTYmxAwjWZmL8YjmsWI6Cl7VaaH3pqyvgPPBksBbfb4Zj+Nq41DLBz/vHIC8qpsIjrPvl/4lRmesuTUgut0HfiK+h3VpeUtU08wb0UtHixcOhvxEdSShMS1bXvmCEeEIKeagxImCfuwR8nHAkXRVSqhIovDYfL1GYsyjeK5b/zAYdckzk7zuGgTX4wD2TnVG3ve2SGJQ+9HUUiaiDlrQAzyer2kjMIDFqEvSNZ087ATYTaB6FI5DYFCsd3yEM10AcdzaMe2wCvGuNYg+NRKbFrVxYacT7sdb4m+gf7u8SimlEy3e9URQTJ6T5xsg0xeLMmAtOawKSzhVNjxQM64N42cyQmfHBUqj2LneO4/ma3/URpqtxoWBKu3wQlBv9aUAiyWycYmr8DjvyiWOn8D07cCOAj6x/4EnY+Q9gXaj0w6sj9VrsL+fQQKUIWpCt32nmYHLmSFUuCqUAkY+dGnMFWepJWuOsLPLoSK9M6UMuYVxggBNn6lngo+0SRj6pEGspebWku8VfKTWUqBIjrHvhzKmT6FrCXkfzIQ9231+mBUWM9+74TnzwgRKCeHIQW554pynfTqs1M9AiLtHvIt3ixNq5txMZCgqS/Mg3YGEj81c8X+RVvvqIHv5GDeQGAeTJV4Tjof9UiOOr+UOmhgy15PnnZl3Z6Fhty6+bTClDFDXqqBhg/kDEWf416qL53IgoHgE12tWNn28SFFHBvq/YCF72P65+TXhns9pCSe8RDWLeDRawM8rlZ+8VQ==,iv:7vLLWbV7TUe7Dv0KaRvOrgwrjwXMABa5eaR/SxeghvY=,tag:K0Rz8OVUKOS4SRlGwZrfEw==,type:str]
privateKey: ENC[AES256_GCM,data:kkBxN6LuI6R+69rbNGfvioNT6d04/S+LF31+FOq2K9goQtGZ2dTbBdMkpsxlmtxNqqV/svVGPOFQc904Mdyy+djOPGUF7YQooRTIiCWMXaCHrpL3okP/ONYYDLVXxNqnBGboWYqlqr2kQANH4DBACUzN1RhPh/Qy0dob4vqx8nnSbutbo9wdVygi9JIzdmS2VmihfNR1bgG7+z0pUi9+dwZ7Y116VUEx/S4qpq+FbOOEctDL0mj/E/iW0dFTZO95nFjG8MpzX2M74Mm64VdZZ/MygSLj6B1+p90rryv0R5YW3zuFj4YIS3GurBEojG+rbk94SWN1SY5s3jc1GaQ3Sjtk+pugmU6sxkOaLxX+XfbytZ1FrUalwGHCvfQbWP1T,iv:PJ6EhA+fW5C6jkBIdfsx2U0uGshyWdAC1T3fC3Hr9p4=,tag:fyToI/FQPI9gFvN7+bSf6A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoYVZMa25OeHo3d0J6NlJv
TkFOVUxzNy94Skoxd3pwT1o1WWFtVTBzRFY4CjMrRS9RRk5PNmx2aTlaMnU2WEU0
d05pWnhLeFhqY3A1VUN2S0NxTnVDRU0KLS0tIEdPKzlQM0JuMTlsTUQxOGtHS0xD
WDdnL1k2YmwxM0JEREJnc0dZZjVuMlUKYLP8F+3/ze0LZAiP+u0aVW/bLSIk1K25
NqbqT6SNDXuyeq61ysi6CwhYokUwnLBANv/BRsBLT2JX5tI8uIaKTQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUbm84cFI1eCtqR0hnaUVU
SDREVDJFQ2JTN3I4OXdrdTk1MVhheGY1cUFnClhidGRBMDNuTjlCekNOcS9YUEs1
ZHFZanFnWmlZbFF1eEhwayt0clhuR2sKLS0tIDFJKzdxNzErRlV5blp2dEg0UGNx
d01XeHdJaU5BRUJMVXMra1dNRnJqZUkKgkfspMPpA1rg9d87eFWN1ThdQyXaRM9P
8eBkOG0H8W5Afsb0kOqA8gJGL6bzM3fzbVDjK7VPq06zrzY9uaLkCA==
-----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVVVlxVHZ4MTBpanBSc1J3
bEgwQTh2WHNSUm0wVmtXNUhMbXNQaHVjc0ZVCjBUNUJITStSektTVWhzWXlPb2VJ
TTNoNHEyeXhraHJqRzYzQXRMcmp3L2sKLS0tIHRiK05XeVJGMzl1VlVITjNHSDhY
N3ZmWWtlSGx2cjFxZ3hUNm0wYlFCMlEKrUEV8phjcnciK+tuOFEBz5PxJKbbwJNM
BY4gs0zkhk/jkvdiljgfeyKrlcjwfz1b8kLW316PfkTBJiIAc6Zncw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUTFM2TzB2eDE3bVVNK3FN
a3pEVkkzUExKdnRNTGFSaWJOa0lVUmRrT2p3CnV3SGlSa1VFblR3ZDdvRGRlcXp2
cjIwTHkwTGhJWHAyVllxV3FZT0NIaWMKLS0tIGRsUDRMcFUwS1c2OVZsbGdvSVlv
bXlNeTBaZ0dOYnFIS09haXZOV0Q0azAK/6UGR0cd+gtR/7Yz75v87NWWcz7gP2iU
sPtvPHEIYh5gnop2DwZTpATwwvxZWp0b8OpV/2AyUiL6tniCV6qDvg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxVVJEZmxsR1A3a0luU0po
ejN2ZHZERlhoeVYwV29LajlXYjY5TzFzZjFnCkFOSHJMbktYZFpBcDdWZ3RsVHo2
UlNSeUpxbWVsVzkrblNlZkJhV3dGTWcKLS0tIHhOb1VmaDNCNU1xMzZCVWlFeDF1
OVZOcC93M1p0VThDaHRLVTc1N0ZyQk0KZWDWhjrmnqfkbJmZRCwXHGMdRmL0W4Sa
4cEGr8XbvJlzFTmbm81X6KLKdYz62V8fa99mAEzffOB0SqegBTb8Ig==
-----END AGE ENCRYPTED FILE-----
- recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJNDRydUJieU81RVdubEFu
OWM0dEF2YTZ2WVZSUFQvakgwa29NNTdrb2hnCmJ0dHZqTE9vMXVHbHBtd1pUY203
UFhnZ0ZLOWxCZnptd2pTWU1scXF0TEUKLS0tIGt3a0wwNklQTUR3V2MvQzVkQzBN
b2RqWjd2Nkt3YmZ2eHlYOUhJNFB3RjAKdnCRIg3zqLaN9rjjc8tCBj8lOH1SWw2Q
s/0TLrsXy62nlWibDxsuiE9mPCediFVbJWxTCAs4ze/jELGESV6S/w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZNUlIQTdQZHNsWEdselAw
RWJjazYvK0xSU1NteWs2RFlWVHRYQzF4bnhNCjg5RHQvRm5hWTcrYUxYWGlIWFdW
dUNoaEQ1V21DWGdRREZZOHFBeldiTkkKLS0tIFR5aG1TNGJZY3pmMWdJbXhEWG9N
aTlZcVdCaWltdURHbEx4b2h5RjlIUm8KfpXCYGLch4RAhEPfgikR60sp5tywKV1R
fRsXad3X31fAS42ZeczPn399byImcXoL9n7mIoT6NbDWgCvd+iSiHw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYYkM3V282TldQbHBQVmQy
bWdielQySUNJaXEvOHA3Q1JqMEdMWEs1bFVVCnJKK0d5dG54aXk4dWtnSkdkbkU3
TU5xOFNGcklJdWcvZUlZVjNqanpqRlEKLS0tIGZGc0M5eE0xTTd6LzVjdXI1Ulg3
Zk9RdUU5RTdZd1A4dGRUVVVpT0E1SXMKOEL/yUCERTc8aiPmfGJWF9ESzfKbxYCO
dCByzJpIsI9IUgmcjMq8bREnATd8cZ65kVMpqME0Xfk3/Fl+OaLm1Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-27T09:27:41Z"
mac: ENC[AES256_GCM,data:VrP3O1WKuRBXhzg9hOyeRHRL8Cg47HWvno/B2TUllFUlKLrlgJapazbCs4aQJQka/1gQu2xguHlu/CqF9WKp90B/CxJ8XnYc4mrsMZ104aHSStQInShquRwrpm6iDc61d+ZZqkQbYUTiznm8jAonjjNEKHFsnRw9q+c9SJKYmJU=,iv:WuEJ2kgLHwKSUb8TDNH17N+P5gHsCQ+loP07Ec0y7/Y=,tag:bNhrMV5GY5q/vmmxYlL6Cw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1

70
.archive/modules/nixos/de/kde.nix
View file

@ -1,70 +0,0 @@
{
lib,
config,
pkgs,
...
}:
let
cfg = config.mySystem.de.kde;
flameshotOverride = pkgs.unstable.flameshot.override { enableWlrSupport = true; };
in
{
options = {
mySystem.de.kde = {
enable = lib.mkEnableOption "KDE" // {
default = false;
};
};
};
config = lib.mkIf cfg.enable {
# Ref: https://wiki.nixos.org/wiki/KDE
# KDE
services = {
displayManager = {
sddm = {
enable = true;
wayland = {
enable = true;
};
};
};
desktopManager.plasma6.enable = true;
};
security = {
# realtime process priority
rtkit.enable = true;
# KDE Wallet PAM integration for unlocking the default wallet on login
pam.services."sddm".kwallet.enable = true;
};
# enable pipewire for sound
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
};
# extra pkgs and extensions
environment = {
systemPackages = with pkgs; [
wl-clipboard # ls ~/Downloads | wl-copy or wl-paste > clipboard.txt
playerctl # gsconnect play/pause command
vorta # Borg backup tool
flameshotOverride # screenshot tool
libsForQt5.qt5.qtbase # for vivaldi compatibility
kdePackages.discover # KDE software center -- mainly for flatpak updates
];
};
# enable kdeconnect
# this method also opens the firewall ports required when enable = true
programs.kdeconnect = {
enable = true;
};
};
}

35
.archive/modules/nixos/services/vault/default.nix
View file

@ -1,35 +0,0 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.mySystem.services.vault;
in
{
options.mySystem.services.vault = {
enable = lib.mkEnableOption "vault";
address = lib.mkOption {
type = lib.types.str;
default = "127.0.0.1:8200";
description = "Address of the Vault server";
example = "127.0.0.1:8200";
};
};
config = lib.mkIf cfg.enable {
services.vault = {
enable = true;
package = pkgs.unstable.vault;
address = cfg.address;
dev = false;
storageBackend = "raft";
extraConfig = ''
api_addr = "http://127.0.0.1:8200"
cluster_addr = "http://127.0.0.1:8201"
ui = true
'';
};
};
}

14
.archive/modules/nixos/services/vault/resources/vault-config.hcl
View file

@ -1,14 +0,0 @@
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = true
}
storage "raft" {
path = "/var/lib/vault/data"
node_id = "node1"
}
disable_mlock = true
api_addr = "http://localhost:8200"
cluster_addr = "http://localhost:8201"
ui = true

59
.archive/profiles/disko-telchar.nix
View file

@ -1,59 +0,0 @@
{
disko.devices = {
disk = {
main = {
type = "disk";
device = "/dev/disk/by-diskseq/1";
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
start = "1M";
end = "128M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
size = "100%";
content = {
type = "btrfs";
extraArgs = [ "-f" ]; # Override existing partition
# Subvolumes must set a mountpoint in order to be mounted,
# unless their parent is mounted
subvolumes = {
# Subvolume name is different from mountpoint
"/rootfs" = {
mountpoint = "/";
};
# Subvolume name is the same as the mountpoint
"/home" = {
mountOptions = [ "compress=zstd" ];
mountpoint = "/home";
};
# Sub(sub)volume doesn't need a mountpoint as its parent is mounted
"/home/user" = { };
# Parent is not mounted so the mountpoint must be set
"/nix" = {
mountOptions = [
"compress=zstd"
"noatime"
];
mountpoint = "/nix";
};
};
mountpoint = "/partition-root";
};
};
};
};
};
};
};
}

8
.editorconfig
View file

@ -2,15 +2,7 @@ root = true
[*]
end_of_line = lf
insert_final_newline = true
indent_style = space
indent_size = 2
charset = utf-8
trim_trailing_whitespace = true
[*.{yaml,yml,json5}]
indent_style = space
indent_size = 2
[*.md]
indent_size = 4
trim_trailing_whitespace = false

1
.envrc
View file

@ -1,3 +1,2 @@
use nix
export SOPS_AGE_KEY_FILE="$(expand_path ./age.key)"
export EDITOR="hx"

222
.forgejo/actions/update-flake-lock/action.yml Normal file
View file

@ -0,0 +1,222 @@
name: "Update Nix Flake Lock"
description: "Update your Nix flake.lock and send a PR"
inputs:
inputs:
description: "A space-separated list of inputs to update. Leave empty to update all inputs."
required: false
default: ""
token:
description: "GITHUB_TOKEN or a `repo` scoped Personal Access Token (PAT)"
required: false
default: ${{ github.token }}
commit-msg:
description: "The message provided with the commit"
required: false
default: "flake.lock: Update"
base:
description: "Sets the pull request base branch. Defaults to the branch checked out in the workflow."
required: false
branch:
description: "The branch of the PR to be created"
required: false
default: "update_flake_lock_action"
path-to-flake-dir:
description: "The path of the directory containing `flake.nix` file within your repository. Useful when `flake.nix` cannot reside at the root of your repository."
required: false
pr-title:
description: "The title of the PR to be created"
required: false
default: "flake.lock: Update"
pr-body:
description: "The body of the PR to be created"
required: false
default: |
Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action.
```
{{ env.GIT_COMMIT_MESSAGE }}
```
### Running GitHub Actions on this PR
GitHub Actions will not run workflows on pull requests which are opened by a GitHub Action.
To run GitHub Actions workflows on this PR, run:
```sh
git branch -D update_flake_lock_action
git fetch origin
git checkout update_flake_lock_action
git commit --amend --no-edit
git push origin update_flake_lock_action --force
```
pr-labels:
description: "A comma or newline separated list of labels to set on the Pull Request to be created"
required: false
default: ""
pr-assignees:
description: "A comma or newline separated list of assignees (GitHub usernames)."
required: false
default: ""
pr-reviewers:
description: "A comma or newline separated list of reviewers (GitHub usernames) to request a review from."
required: false
default: ""
git-author-name:
description: "Author name used for commit. Only used if sign-commits is false."
required: false
default: "github-actions[bot]"
git-author-email:
description: "Author email used for commit. Only used if sign-commits is false."
required: false
default: "github-actions[bot]@users.noreply.github.com"
git-committer-name:
description: "Committer name used for commit. Only used if sign-commits is false."
required: false
default: "github-actions[bot]"
git-committer-email:
description: "Committer email used for commit. Only used if sign-commits is false."
required: false
default: "github-actions[bot]@users.noreply.github.com"
sign-commits:
description: "Set to true if the action should sign the commit with GPG"
required: false
default: "false"
gpg-private-key:
description: "GPG Private Key with which to sign the commits in the PR to be created"
required: false
default: ""
gpg-fingerprint:
description: "Fingerprint of specific GPG subkey to use"
required: false
gpg-passphrase:
description: "GPG Private Key Passphrase for the GPG Private Key with which to sign the commits in the PR to be created"
required: false
default: ""
nix-options:
description: "A space-separated list of options to pass to the nix command"
required: false
default: ""
_internal-strict-mode:
description: Whether to fail when any errors are thrown. Used only to test the Action; do not set this in your own workflows.
required: false
default: false
outputs:
pull-request-number:
description: "The number of the opened pull request"
value: ${{ steps.create-pr.outputs.pull-request-number }}
pull-request-operation:
description: "The pull request operation performed by the action, `created`, `updated` or `closed`."
value: ${{ steps.create-pr.outputs.pull-request-operation }}
runs:
using: "composite"
steps:
- name: Import bot's GPG key for signing commits
if: ${{ inputs.sign-commits == 'true' }}
id: import-gpg
uses: https://github.com/crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
with:
gpg_private_key: ${{ inputs.gpg-private-key }}
fingerprint: ${{ inputs.gpg-fingerprint }}
passphrase: ${{ inputs.gpg-passphrase }}
git_config_global: true
git_user_signingkey: true
git_commit_gpgsign: true
- name: Set environment variables (signed commits)
if: ${{ inputs.sign-commits == 'true' }}
shell: bash
env:
GIT_AUTHOR_NAME: ${{ steps.import-gpg.outputs.name }}
GIT_AUTHOR_EMAIL: ${{ steps.import-gpg.outputs.email }}
GIT_COMMITTER_NAME: ${{ steps.import-gpg.outputs.name }}
GIT_COMMITTER_EMAIL: ${{ steps.import-gpg.outputs.email }}
TARGETS: ${{ inputs.inputs }}
run: |
echo "GIT_AUTHOR_NAME=$GIT_AUTHOR_NAME" >> $GITHUB_ENV
echo "GIT_AUTHOR_EMAIL=<$GIT_AUTHOR_EMAIL>" >> $GITHUB_ENV
echo "GIT_COMMITTER_NAME=$GIT_COMMITTER_NAME" >> $GITHUB_ENV
echo "GIT_COMMITTER_EMAIL=<$GIT_COMMITTER_EMAIL>" >> $GITHUB_ENV
- name: Set environment variables (unsigned commits)
if: ${{ inputs.sign-commits != 'true' }}
shell: bash
run: |
echo "GIT_AUTHOR_NAME=${{ inputs.git-author-name }}" >> $GITHUB_ENV
echo "GIT_AUTHOR_EMAIL=<${{ inputs.git-author-email }}>" >> $GITHUB_ENV
echo "GIT_COMMITTER_NAME=${{ inputs.git-committer-name }}" >> $GITHUB_ENV
echo "GIT_COMMITTER_EMAIL=<${{ inputs.git-committer-email }}>" >> $GITHUB_ENV
- name: Run update-flake-lock
shell: bash
run: node "$GITHUB_ACTION_PATH/dist/index.js"
env:
# The following manually exposes all of the action inputs into INPUT_ environment variables so actionsCore.getInput works:
# https://github.com/actions/toolkit/blob/ae38557bb0dba824cdda26ce787bd6b66cf07a83/packages/core/src/core.ts#L126
INPUT_BASE: ${{ inputs.base }}
INPUT_BRANCH: ${{ inputs.branch }}
INPUT_COMMIT-MSG: ${{ inputs.commit-msg }}
INPUT_GIT-AUTHOR-EMAIL: ${{ inputs.git-author-email }}
INPUT_GIT-AUTHOR-NAME: ${{ inputs.git-author-name }}
INPUT_GIT-COMMITTER-EMAIL: ${{ inputs.git-committer-email }}
INPUT_GIT-COMMITTER-NAME: ${{ inputs.git-committer-name }}
INPUT_GPG-FINGERPRINT: ${{ inputs.gpg-fingerprint }}
INPUT_GPG-PASSPHRASE: ${{ inputs.gpg-passphrase }}
INPUT_GPG-PRIVATE-KEY: ${{ inputs.gpg-private-key }}
INPUT_INPUTS: ${{ inputs.inputs }}
INPUT_NIX-OPTIONS: ${{ inputs.nix-options }}
INPUT_PATH-TO-FLAKE-DIR: ${{ inputs.path-to-flake-dir }}
INPUT_PR-ASSIGNEES: ${{ inputs.pr-assignees }}
INPUT_PR-BODY: ${{ inputs.pr-body }}
INPUT_PR-LABELS: ${{ inputs.pr-labels }}
INPUT_PR-REVIEWERS: ${{ inputs.pr-reviewers }}
INPUT_PR-TITLE: ${{ inputs.pr-title }}
INPUT_PULL-REQUEST-NUMBER: ${{ inputs.pull-request-number }}
INPUT_PULL-REQUEST-OPERATION: ${{ inputs.pull-request-operation }}
INPUT_SIGN-COMMITS: ${{ inputs.sign-commits }}
INPUT_TOKEN: ${{ inputs.token }}
INPUT__INTERNAL-STRICT-MODE: ${{ inputs._internal-strict-mode }}
- name: Save PR Body as file
uses: https://github.com/DamianReeves/write-file-action@v1.3
with:
path: pr_body.template
contents: ${{ inputs.pr-body }}
env: {}
- name: Set additional env variables (GIT_COMMIT_MESSAGE)
shell: bash
run: |
DELIMITER=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
COMMIT_MESSAGE="$(git log --format=%b -n 1)"
echo "GIT_COMMIT_MESSAGE<<$DELIMITER" >> $GITHUB_ENV
echo "$COMMIT_MESSAGE" >> $GITHUB_ENV
echo "$DELIMITER" >> $GITHUB_ENV
echo "GIT_COMMIT_MESSAGE is: ${COMMIT_MESSAGE}"
- name: Interpolate PR Body
uses: pedrolamas/handlebars-action@2995d7eadacbc8f2f6ab8431a01d84a5fa3b8bb4 # v2.4.0
with:
files: "pr_body.template"
output-filename: "pr_body.txt"
- name: Read pr_body.txt
id: pr_body
uses: juliangruber/read-file-action@v1
with:
path: "pr_body.txt"
# We need to remove the pr_body files so that the
# peter-evans/create-pull-request action does not commit it (the
# action commits all new and modified files).
- name: Remove PR body template files
shell: bash
run: rm -f pr_body.txt pr_body.template
- name: Create PR
id: create-pr
uses: https://github.com/peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
with:
base: ${{ inputs.base }}
branch: ${{ inputs.branch }}
delete-branch: true
committer: ${{ env.GIT_COMMITTER_NAME }} ${{ env.GIT_COMMITTER_EMAIL }}
author: ${{ env.GIT_AUTHOR_NAME }} ${{ env.GIT_AUTHOR_EMAIL }}
title: ${{ inputs.pr-title }}
token: ${{ inputs.token }}
assignees: ${{ inputs.pr-assignees }}
labels: ${{ inputs.pr-labels }}
reviewers: ${{ inputs.pr-reviewers }}
body: ${{ steps.pr_body.outputs.content }}

2
.forgejo/actions/update-flake-lock/dist/index.d.ts vendored Normal file
View file

@ -0,0 +1,2 @@
export { }

95155
.forgejo/actions/update-flake-lock/dist/index.js vendored Normal file
View file

File diff suppressed because one or more lines are too long

1
.forgejo/actions/update-flake-lock/dist/index.js.map vendored Normal file
View file

File diff suppressed because one or more lines are too long

3
.forgejo/actions/update-flake-lock/dist/package.json vendored Normal file
View file

@ -0,0 +1,3 @@
{
"type": "module"
}

57
.forgejo/workflows/build.yaml
View file

@ -1,13 +1,13 @@
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: "Build"
on:
pull_request:
push:
branches:
- main
paths:
- ".forgejo/workflows/build.yaml"
- "flake.lock"
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
@ -20,14 +20,14 @@ jobs:
fail-fast: false
matrix:
include:
- system: varda
os: native-aarch64
- system: telchar
os: native-x86_64
- system: gandalf
os: native-x86_64
- system: telperion
os: native-x86_64
- system: shadowfax
os: native-x86_64
# - system: varda
# os: native-x86_64
runs-on: ${{ matrix.os }}
env:
PATH: ${{ format('{0}:{1}', '/run/current-system/sw/bin', env.PATH) }}
@ -46,8 +46,55 @@ jobs:
- name: Garbage collect build dependencies
run: nix-collect-garbage
- name: Build previous ${{ matrix.system }} system
shell: bash
run: |
nix build git+https://git.hsn.dev/jahanson/mochi#top.${{ matrix.system }} \
-v --log-format raw --profile ./profile
- name: Build new ${{ matrix.system }} system
shell: bash
run: |
nix build ".#top.${{ matrix.system }}" --profile ./profile --fallback -v \
> >(tee stdout.log) 2> >(tee /tmp/nix-build-err.log >&2)
- name: Check for build failure
if: failure()
run: |
drv=$(grep "For full logs, run" /tmp/nix-build-err.log | grep -oE "/nix/store/.*.drv")
if [ -n $drv ]; then
nix log $drv
echo $drv
fi
exit 1
- name: Diff profile
id: diff
run: |
nix profile diff-closures --profile ./profile
delimiter="$(openssl rand -hex 16)"
echo "diff<<${delimiter}" >> "${GITHUB_OUTPUT}"
nix profile diff-closures --profile ./profile | perl -pe 's/\e\[[0-9;]*m(?:\e\[K)?//g' >> "${GITHUB_OUTPUT}"
echo "${delimiter}" >> "${GITHUB_OUTPUT}"
- name: Comment report in pr
uses: https://github.com/marocchino/sticky-pull-request-comment@v2
with:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
header: ".#top.${{ matrix.system }}"
message: |
### Report for `${{ matrix.system }}`
<summary> Version changes </summary> <br>
<pre> ${{ steps.diff.outputs.diff }} </pre>
# - name: Push to Cachix
# if: success()
# env:
# CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
# run: nix build ".#top.${{ matrix.system }}" --json | jq -r .[].drvPath | cachix push hsndev
nix-build-success:
if: ${{ always() }}
needs:
- nix-build
name: Nix Build Successful
runs-on: docker
steps:
- if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}
name: Check matrix status
run: exit 1

28
.forgejo/workflows/update_lock.yaml Normal file
View file

@ -0,0 +1,28 @@
name: update-flake-lock
on:
# workflow_dispatch: # allows manual triggering
schedule:
- cron: '0 0 * * *' # daily at midnight
push:
branches:
- main
paths:
- ".forgejo/workflows/update_lock.yaml"
jobs:
lockfile:
runs-on: docker
steps:
- name: Checkout repository
uses: https://github.com/actions/checkout@v4
- name: Install Nix
uses: https://github.com/DeterminateSystems/nix-installer-action@main
- name: Update flake.lock
uses: ./.forgejo/actions/update-flake-lock
with:
pr-title: "Update flake.lock" # Title of PR to be created
pr-labels: | # Labels to be set on the PR
dependencies
automated
inputs: nixpkgs nixpkgs-unstable

5
.gitignore vendored
View file

@ -1,13 +1,8 @@
**/*.tmp.sops.yaml
**/*.sops.tmp.yaml
**/*sync-conflict*
age.key
result*
.decrypted~*
.direnv
.kube
.github
.profile
.idea
.secrets
.op

7
.pre-commit-config.yaml
View file

@ -10,7 +10,7 @@ repos:
- .yamllint.yaml
id: yamllint
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v5.0.0
rev: v4.6.0
hooks:
- id: trailing-whitespace
- id: end-of-file-fixer
@ -25,9 +25,9 @@ repos:
hooks:
- id: remove-crlf
- id: remove-tabs
exclude: (Makefile|Caddyfile)
exclude: (Makefile)
- repo: https://github.com/zricethezav/gitleaks
rev: v8.22.0
rev: v8.18.4
hooks:
- id: gitleaks
- repo: https://github.com/yuvipanda/pre-commit-hook-ensure-sops
@ -36,4 +36,3 @@ repos:
- id: sops-encryption
# Uncomment to exclude all markdown files from encryption
# exclude: *.\.md
files: .*secrets.*

4
.prettierrc
View file

@ -1,4 +0,0 @@
{
"quoteProps": "preserve",
"trailingComma": "none"
}

4
.sops.yaml
View file

@ -15,10 +15,9 @@ keys:
- &durincore age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
- &gandalf age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
- &legiondary age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
- &shadowfax age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
- &telchar age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
- &telperion age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
- &varda age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
- &telchar age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
creation_rules:
@ -29,7 +28,6 @@ creation_rules:
- *gandalf
- *jahanson
- *legiondary
- *shadowfax
- *telchar
- *telperion
- *varda

1
.vscode/extensions.json vendored
View file

@ -2,6 +2,7 @@
"recommendations": [
"jnoortheen.nix-ide",
"mikestead.dotenv",
"redhat.ansible",
"redhat.vscode-yaml",
"signageos.signageos-vscode-sops",
"pkief.material-icon-theme",

51
.vscode/settings.json vendored
View file

@ -1,45 +1,10 @@
{
"editor.fontFamily": "CaskaydiaMono Nerd Font Mono",
"files.associations": {
"*.json5": "jsonc"
},
"editor.hover.delay": 1500,
"editor.bracketPairColorization.enabled": true,
"editor.guides.bracketPairs": true,
"editor.guides.bracketPairsHorizontal": true,
"editor.guides.highlightActiveBracketPair": true,
"files.trimTrailingWhitespace": true,
"sops.defaults.ageKeyFile": "age.key",
"nix.enableLanguageServer": true,
"nix.serverPath": "/run/current-system/sw/bin/nil",
"nix.formatterPath": "/run/current-system/sw/bin/nixfmt",
"nix.serverSettings": {
"nil": {
"formatting": {
"command": ["nixfmt"]
},
"diagnostics": {
"ignored": [],
"excludedFiles": []
}
},
"nix": {
"binary": "/run/current-system/sw/bin/nix",
"maxMemoryMB": null,
"flake": {
"autoEvalInputs": true,
"autoArchive": true,
"nixpkgsInputName": "nixpkgs"
}
}
},
"[jsonc]": {
"editor.defaultFormatter": "esbenp.prettier-vscode"
},
"sops.binPath": "/run/current-system/sw/bin/sops",
"editor.formatOnSave": true,
"bashIde.explainshellEndpoint": "http://localhost:5000",
"bashIde.shellcheckPath": "/run/current-system/sw/bin/shellcheck",
"bashIde.shfmt.path": "/run/current-system/sw/bin/shfmt",
"mise.binPath": "/etc/profiles/per-user/jahanson/bin/mise"
"editor.fontFamily": "FiraCode Nerd Font",
"editor.hover.delay": 1500,
"editor.bracketPairColorization.enabled": true,
"editor.guides.bracketPairs": true,
"editor.guides.bracketPairsHorizontal": true,
"editor.guides.highlightActiveBracketPair": true,
"files.trimTrailingWhitespace": true,
"sops.defaults.ageKeyFile": "age.key",
}

918
flake.lock
View file

File diff suppressed because it is too large Load diff

172
flake.nix
View file

@ -3,16 +3,20 @@
inputs = {
# Nixpkgs and unstable
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
# Lix - Substitution of the Nix package manager, focused on correctness, usability, and growth and committed to doing right by its community.
# https://git.lix.systems/lix-project/lix
lix-module = {
url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-2.tar.gz";
url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.0.tar.gz";
inputs.nixpkgs.follows = "nixpkgs";
};
# impermanence
# https://github.com/nix-community/impermanence
impermanence.url = "github:nix-community/impermanence";
# Nix User Repository: User contributed nix packages
nur.url = "github:nix-community/NUR";
@ -29,7 +33,7 @@
# home-manager - Manage user configuration with nix
# https://github.com/nix-community/home-manager
home-manager = {
url = "github:nix-community/home-manager/release-24.11";
url = "github:nix-community/home-manager/release-24.05";
inputs.nixpkgs.follows = "nixpkgs";
};
@ -47,6 +51,13 @@
inputs.nixpkgs.follows = "nixpkgs";
};
# nix-index database
# https://github.com/nix-community/nix-index-database
nix-index-database = {
url = "github:nix-community/nix-index-database";
inputs.nixpkgs.follows = "nixpkgs";
};
# nix-inspect - inspect nix derivations usingn a TUI interface
# https://github.com/bluskript/nix-inspect
nix-inspect = {
@ -55,12 +66,12 @@
};
# talhelper - A tool to help creating Talos kubernetes cluster
# https://github.com/budimanjojo/talhelper
talhelper = {
url = "github:budimanjojo/talhelper";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
# NixVirt for qemu & libvirt
# https://github.com/AshleyYakeley/NixVirt
nixvirt-git = {
@ -68,47 +79,13 @@
inputs.nixpkgs.follows = "nixpkgs";
};
# vscode-server - NixOS module for running vscode-server
vscode-server.url = "github:nix-community/nixos-vscode-server";
# krewfile - Declarative krew plugin management
krewfile = {
# url = "github:brumhard/krewfile";
url = "github:brumhard/krewfile";
inputs.nixpkgs.follows = "nixpkgs";
};
# nix-minecraft - Minecraft server management
# https://github.com/infinidoge/nix-minecraft
nix-minecraft = {
url = "github:Infinidoge/nix-minecraft";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
# Hyprland
hyprland.url = "github:hyprwm/Hyprland";
# Hyprland plugins
hyprland-plugins = {
url = "github:hyprwm/hyprland-plugins";
inputs.hyprland.follows = "hyprland";
ghostty = {
url = "git+ssh://git@github.com/ghostty-org/ghostty";
};
};
outputs =
{
self,
nixpkgs,
nixpkgs-unstable,
sops-nix,
home-manager,
nix-vscode-extensions,
disko,
talhelper,
lix-module,
vscode-server,
krewfile,
...
}@inputs:
{ self, nixpkgs, sops-nix, home-manager, nix-vscode-extensions, impermanence, disko, talhelper, lix-module, ghostty, ... } @ inputs:
let
forAllSystems = nixpkgs.lib.genAttrs [
"aarch64-linux"
@ -117,7 +94,7 @@
in
rec {
# Use nixpkgs-fmt for 'nix fmt'
formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixfmt-rfc-style);
formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixpkgs-fmt);
# setup devshells against shell.nix
# devShells = forAllSystems (pkgs: import ./shell.nix { inherit pkgs; });
@ -126,10 +103,7 @@
lib = nixpkgs.lib.extend (
final: prev: {
inherit inputs;
myLib = import ./nixos/lib {
inherit inputs;
lib = final;
};
myLib = import ./nixos/lib { inherit inputs; lib = final; };
}
);
@ -140,20 +114,19 @@
overlays = import ./nixos/overlays { inherit inputs; };
# generate a base nixos configuration with the specified overlays, hardware modules, and any AerModules applied
mkNixosConfig =
{
hostname,
system ? "x86_64-linux",
nixpkgs ? inputs.nixpkgs,
disabledModules ? [ ],
hardwareModules ? [ ],
{ hostname
, system ? "x86_64-linux"
, nixpkgs ? inputs.nixpkgs
, hardwareModules ? [ ]
# basemodules is the base of the entire machine building
# here we import all the modules and setup home-manager
baseModules ? [
, baseModules ? [
sops-nix.nixosModules.sops
home-manager.nixosModules.home-manager
impermanence.nixosModules.impermanence
./nixos/profiles/global.nix # all machines get a global profile
./nixos/modules/nixos # all machines get nixos modules
./nixos/hosts/${hostname} # load this host's config folder for machine-specific config
./nixos/hosts/${hostname} # load this host's config folder for machine-specific config
{
home-manager = {
useUserPackages = true;
@ -162,10 +135,9 @@
inherit inputs hostname system;
};
};
disabledModules = disabledModules;
}
],
profileModules ? [ ],
]
, profileModules ? [ ]
}:
nixpkgs.lib.nixosSystem {
inherit system lib;
@ -183,20 +155,69 @@
};
in
{
"shadowfax" = mkNixosConfig {
# Pro WS WRX80E-SAGE SE WIFI - AMD Ryzen Threadripper PRO 3955WX 16-Cores
# Workloads server
hostname = "shadowfax";
"durincore" = mkNixosConfig {
# T470 Thinkpad Intel i7-6600U
# Nix dev laptop
hostname = "durincore";
system = "x86_64-linux";
disabledModules = [ "services/web-servers/minio.nix" ];
hardwareModules = [
lix-module.nixosModules.default
./nixos/profiles/hw-threadripperpro.nix
./nixos/profiles/hw-thinkpad-t470.nix
inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t470s
];
profileModules = [
vscode-server.nixosModules.default
"${nixpkgs-unstable}/nixos/modules/services/web-servers/minio.nix"
./nixos/profiles/role-workstation.nix
./nixos/profiles/role-dev.nix
{ home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
];
};
"legiondary" = mkNixosConfig {
# Legion 15arh05h AMD/Nvidia Ryzen 7 4800H
# Nix dev/gaming laptop
hostname = "legiondary";
system = "x86_64-linux";
hardwareModules = [
inputs.nixos-hardware.nixosModules.lenovo-legion-15arh05h
./nixos/profiles/hw-legion-15arh05h.nix
disko.nixosModules.disko
(import ./nixos/profiles/disko-nixos.nix { disks = [ "/dev/nvme0n1" ]; })
];
profileModules = [
./nixos/profiles/role-dev.nix
./nixos/profiles/role-gaming.nix
./nixos/profiles/role-workstation.nix
{ home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
];
};
"telchar" = mkNixosConfig {
# Framework 16 Ryzen 7 7840HS - Radeon 780M Graphics
# Nix dev laptop
hostname = "telchar";
system = "x86_64-linux";
hardwareModules = [
inputs.nixos-hardware.nixosModules.framework-16-7040-amd
./nixos/profiles/hw-framework-16-7840hs.nix
disko.nixosModules.disko
(import ./nixos/profiles/disko-nixos.nix { disks = [ "/dev/nvme0n1" ]; })
lix-module.nixosModules.default
];
profileModules = [
./nixos/profiles/role-dev.nix
./nixos/profiles/role-workstation.nix
{ home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
];
};
"varda" = mkNixosConfig {
# Arm64 cax21 @ Hetzner
# forgejo server
hostname = "varda";
system = "aarch64-linux";
hardwareModules = [
./nixos/profiles/hw-hetzner-cax.nix
];
profileModules = [
./nixos/profiles/role-server.nix
{ home-manager.users.jahanson = ./nixos/home/jahanson/server.nix; }
];
@ -219,13 +240,14 @@
];
};
"varda" = mkNixosConfig {
# Arm64 cax21 @ Hetzner
# forgejo server
hostname = "varda";
system = "aarch64-linux";
"gandalf" = mkNixosConfig {
# X9DRi-LN4+/X9DR3-LN4+ - Intel(R) Xeon(R) CPU E5-2650 v2
# NAS
hostname = "gandalf";
system = "x86_64-linux";
hardwareModules = [
./nixos/profiles/hw-hetzner-cax.nix
lix-module.nixosModules.default
./nixos/profiles/hw-supermicro.nix
];
profileModules = [
./nixos/profiles/role-server.nix
@ -238,9 +260,9 @@
# Also used in ci to build targets generally.
top =
let
nixtop = nixpkgs.lib.genAttrs (builtins.attrNames inputs.self.nixosConfigurations) (
attr: inputs.self.nixosConfigurations.${attr}.config.system.build.toplevel
);
nixtop = nixpkgs.lib.genAttrs
(builtins.attrNames inputs.self.nixosConfigurations)
(attr: inputs.self.nixosConfigurations.${attr}.config.system.build.toplevel);
in
nixtop;
};

28
nixos/home/jahanson/global.nix
View file

@ -1,8 +1,4 @@
{
pkgs,
config,
...
}:
{ pkgs, config, ... }:
with config;
{
imports = [
@ -24,15 +20,7 @@ with config;
EDITOR = "vim";
};
# Home Manager
## Tasks, env, and secrets management.
programs.mise = {
enable = true;
package = pkgs.unstable.mise;
};
home = {
# Install these packages for my user
packages = with pkgs; [
# misc
@ -56,6 +44,7 @@ with config;
dbus
direnv
git
nix-index
python3
fzf
ripgrep
@ -65,7 +54,7 @@ with config;
# terminal file managers
nnn
ranger
unstable.yazi-unwrapped
yazi
# networking tools
iperf3
@ -79,13 +68,9 @@ with config;
# system tools
sysstat
lm_sensors # for `sensors` command
ethtool # modify network interface settings or firmware
ethtool
pciutils # lspci
usbutils # lsusb
lshw # lshw
# filesystem tools
gptfdisk # sgdisk
# system call monitoring
strace # system call monitoring
@ -102,11 +87,6 @@ with config;
# nix tools
nvd
# backup tools
unstable.rclone
unstable.restic
];
};
};

81
nixos/home/jahanson/workstation.nix
View file

@ -1,80 +1,53 @@
{
pkgs,
inputs,
...
}:
let
coderMainline = pkgs.coder.override { channel = "mainline"; };
in
{ pkgs, config, ... }:
with config;
{
imports = [
./global.nix
inputs.krewfile.homeManagerModules.krewfile
];
config = {
# Krewfile management
programs.krewfile = {
enable = true;
krewPackage = pkgs.krew;
indexes = {
"netshoot" = "https://github.com/nilic/kubectl-netshoot.git";
};
plugins = [
"netshoot/netshoot"
"resource-capacity"
"rook-ceph"
];
};
myHome = {
programs.firefox.enable = true;
programs.thunderbird.enable = true;
shell = {
wezterm.enable = true;
myHome = {
programs.firefox.enable = true;
programs.thunderbird.enable = true;
shell = {
wezterm.enable = true;
git = {
enable = true;
username = "Joseph Hanson";
email = "joe@veri.dev";
signingKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIDSAmssproxG+KsVn2DfuteBAemHrmmAFzCtldpKl4J";
};
git = {
enable = true;
username = "Joseph Hanson";
email = "joe@veri.dev";
signingKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIDSAmssproxG+KsVn2DfuteBAemHrmmAFzCtldpKl4J";
};
};
};
home = {
# Install these packages for my user
packages = with pkgs; [
# apps
home = {
# Install these packages for my user
packages = with pkgs;
[
#apps
discord
flameshot
jetbrains.datagrip
obsidian
parsec-bin
solaar # open source manager for logitech unifying receivers
unstable.bruno
# unstable.fractal
unstable.httpie
unstable.jetbrains.datagrip
unstable.jetbrains.rust-rover
unstable.seabird
unstable.talosctl # overlay override
solaar
talosctl
termius
unstable.fractal
unstable.peazip
unstable.telegram-desktop
unstable.tidal-hifi
unstable.xpipe
# unstable.vesktop # gpu issues. Using the flatpak version solves this issue.
vlc
yt-dlp
# cli
brightnessctl
# dev utils
kubectl
minio-client # S3 management
pre-commit # Pre-commit tasks for git
shellcheck # shell script linting
unstable.act # run GitHub actions locally
unstable.kubebuilder # k8s controller development
unstable.nodePackages_latest.prettier # code formatter
coderMainline # VSCode in the browser -- has overlay
unstable.tidal-hifi
];
};
};
}

3
nixos/home/modules/default.nix
View file

@ -1,5 +1,4 @@
{ lib, ... }:
{
{ lib, ... }: {
imports = [
./shell

3
nixos/home/modules/programs/browsers/default.nix
View file

@ -1,5 +1,4 @@
{ ... }:
{
{ ... }: {
imports = [
./firefox
];

47
nixos/home/modules/programs/browsers/firefox/default.nix
View file

@ -1,9 +1,4 @@
{
lib,
config,
pkgs,
...
}:
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.myHome.programs.firefox;
@ -11,25 +6,27 @@ in
{
options.myHome.programs.firefox.enable = mkEnableOption "Firefox";
config = mkIf cfg.enable {
programs.firefox = {
enable = true;
package = pkgs.firefox.override {
extraPolicies = {
DontCheckDefaultBrowser = true;
DisablePocket = true;
# See nixpkgs' firefox/wrapper.nix to check which options you can use
nativeMessagingHosts = [
# Gnome shell native connector
pkgs.gnome-browser-connector
# plasma connector
# plasma5Packages.plasma-browser-integration
];
};
};
policies = import ./policies.nix;
config = mkIf cfg.enable
{
programs.firefox = {
enable = true;
package = pkgs.firefox.override
{
extraPolicies = {
DontCheckDefaultBrowser = true;
DisablePocket = true;
# See nixpkgs' firefox/wrapper.nix to check which options you can use
nativeMessagingHosts = [
# Gnome shell native connector
pkgs.gnome-browser-connector
# plasma connector
# plasma5Packages.plasma-browser-integration
];
};
};
policies = import ./policies.nix;
profiles.default = import ./profile-default.nix { inherit pkgs; };
profiles.default = import ./profile-default.nix { inherit pkgs; };
};
};
};
}

3
.archive/home/modules/programs/de/default.nix → nixos/home/modules/programs/de/default.nix
View file

@ -1,5 +1,4 @@
{ ... }:
{
{ ... }: {
imports = [
./gnome
];

49
nixos/home/modules/programs/de/gnome/default.nix Normal file
View file

@ -0,0 +1,49 @@
# Adjusted manually from generated output of dconf2nix
# https://github.com/gvolpe/dconf2nix
{ lib, pkgs, osConfig, ... }:
with lib.hm.gvariant; {
config = lib.mkIf osConfig.mySystem.de.gnome.enable {
# add user packages
home.packages = with pkgs; [
dconf2nix
];
# worked out from dconf2nix
# `dconf dump / | dconf2nix > dconf.nix`
# can also dconf watch
dconf.settings = {
"org/gnome/mutter" = {
edge-tiling = true;
workspaces-only-on-primary = false;
};
"org/gnome/settings-daemon/plugins/media-keys" = {
home = [ "<Super>e" ];
};
"org/gnome/desktop/wm/preferences" = {
workspace-names = [ "sys" "talk" "web" "edit" "run" ];
button-layout = "appmenu:minimize,close";
};
"org/gnome/shell" = {
disabled-extensions = [ "apps-menu@gnome-shell-extensions.gcampax.github.com" "light-style@gnome-shell-extensions.gcampax.github.com" "places-menu@gnome-shell-extensions.gcampax.github.com" "drive-menu@gnome-shell-extensions.gcampax.github.com" "window-list@gnome-shell-extensions.gcampax.github.com" "workspace-indicator@gnome-shell-extensions.gcampax.github.com" ];
enabled-extensions = [ "appindicatorsupport@rgcjonas.gmail.com" "caffeine@patapon.info" "dash-to-dock@micxgx.gmail.com" "gsconnect@andyholmes.github.io" "Vitals@CoreCoding.com" "sp-tray@sp-tray.esenliyim.github.com" ];
favorite-apps = [ "com.mitchellh.ghostty.desktop" "vivaldi-stable.desktop" "obsidian.desktop" "code.desktop" "discord.desktop" ];
};
"org/gnome/nautilus/preferences" = {
default-folder-viewer = "list-view";
};
"org/gnome/nautilus/icon-view" = {
default-zoom-level = "small";
};
"org/gnome/desktop/interface" = {
color-scheme = "prefer-dark";
};
"org/gnome/desktop/peripherals/touchpad" = {
tap-to-click = false;
};
"org/gnome/desktop/interface" = {
clock-format = "12h";
show-battery-percentage = true;
};
};
};
}

4
nixos/home/modules/programs/default.nix
View file

@ -1,7 +1,7 @@
{ ... }:
{
{ ... }: {
imports = [
./browsers
./de
./thunderbird
];
}

7
nixos/home/modules/programs/thunderbird/default.nix
View file

@ -1,9 +1,4 @@
{
config,
pkgs,
lib,
...
}:
{ config, pkgs, lib, ... }:
let
cfg = config.myHome.programs.thunderbird;

3
nixos/home/modules/security/default.nix
View file

@ -1,5 +1,4 @@
{ ... }:
{
{ ... }: {
imports = [
./ssh
];

3
nixos/home/modules/security/ssh/default.nix
View file

@ -1,6 +1,5 @@
{ config, lib, ... }:
with lib;
let
with lib; let
cfg = config.myHome.security.ssh;
in
{

39
nixos/home/modules/shell/atuind/default.nix
View file

@ -1,11 +1,5 @@
{
config,
pkgs,
lib,
...
}:
with lib;
let
{ config, pkgs, lib, ... }:
with lib; let
cfg = config.myHome.shell.atuind;
in
{
@ -15,21 +9,22 @@ in
config = mkMerge [
(mkIf cfg.enable {
systemd.user.services.atuind = {
Install = {
WantedBy = [ "default.target" ];
systemd.user.services.atuind =
{
Install = {
WantedBy = [ "default.target" ];
};
Unit = {
After = [ "network.target" ];
};
Service = {
Environment = "ATUIN_LOG=info";
ExecStart = "${pkgs.unstable.atuin}/bin/atuin daemon";
# Remove the socket file if the daemon is not running.
# Unexpected shutdowns may have left this file here.
ExecStartPre="/run/current-system/sw/bin/bash -c '! pgrep atuin && /run/current-system/sw/bin/rm -f ~/.local/share/atuin/atuin.sock'";
};
};
Unit = {
After = [ "network.target" ];
};
Service = {
Environment = "ATUIN_LOG=info";
ExecStart = "${pkgs.unstable.atuin}/bin/atuin daemon";
# Remove the socket file if the daemon is not running.
# Unexpected shutdowns may have left this file here.
ExecStartPre = "/run/current-system/sw/bin/bash -c '! pgrep atuin && /run/current-system/sw/bin/rm -f ~/.local/share/atuin/atuin.sock'";
};
};
})
];
}

3
nixos/home/modules/shell/default.nix
View file

@ -1,5 +1,4 @@
{ ... }:
{
{ ... }: {
imports = [
./atuind
./fish

56
nixos/home/modules/shell/fish/default.nix
View file

@ -1,11 +1,5 @@
{
config,
pkgs,
lib,
...
}:
with lib;
let
{ config, pkgs, lib, ... }:
with lib; let
inherit (config.myHome) username homeDirectory;
cfg = config.myHome.shell.fish;
in
@ -27,31 +21,12 @@ in
lt = "${pkgs.lsd}/bin/lsd --tree";
lla = "${pkgs.lsd}/bin/lsd -la";
tm = "tmux attach -t (basename $PWD) || tmux new -s (basename $PWD)";
lsusb = "cyme --headings --tree --hide-buses";
x = "exit";
ncdu = "ncdu --color dark";
};
shellAbbrs = {
nrs = "sudo nixos-rebuild switch --flake .";
nvdiff = "nvd diff /run/current-system result";
# rook & ceph versions.
rcv = ''
kubectl \
-n rook-ceph \
get deployments \
-l rook_cluster=rook-ceph \
-o jsonpath='{range .items[*]}{.metadata.name}{" \treq/upd/avl: "}{.spec.replicas}{"/"}{.status.updatedReplicas}{"/"}{.status.readyReplicas}{" \trook-version="}{.metadata.labels.rook-version}{" \tceph-version="}{.metadata.labels.ceph-version}{"\n"}{end}'
'';
};
functions = {
nix-which = {
body = ''
set -l cmd $argv[1]
nix-locate --whole-name --type x --type s "$cmd"
'';
};
};
interactiveShellInit = ''
@ -72,12 +47,10 @@ in
end
end
# Krew
set -q KREW_ROOT; and set -gx PATH $PATH $KREW_ROOT/.krew/bin; or set -gx PATH $PATH $HOME/.krew/bin
# Paths are in reverse priority order
update_path /opt/homebrew/opt/postgresql@16/bin
update_path /opt/homebrew/bin
update_path ${homeDirectory}/.krew/bin
update_path /nix/var/nix/profiles/default/bin
update_path /run/current-system/sw/bin
update_path /etc/profiles/per-user/${username}/bin
@ -88,17 +61,8 @@ in
update_path ${homeDirectory}/.local/bin
set -gx EDITOR "vim"
if test (hostname) = "telchar"
set -gx VISUAL "code"
end
set -gx SSH_ASKPASS_REQUIRE "prefer" # This is for git to use the ssh-askpass
set -gx ATUIN_SYNC_ADDRESS "https://sh.hsn.dev"
# Mise https://mise.jdx.dev
mise activate fish | source
# One Password cli
if test -e ~/.config/op/plugins.sh
source ~/.config/op/plugins.sh
@ -107,19 +71,7 @@ in
set -gx LSCOLORS "Gxfxcxdxbxegedabagacad"
set -gx LS_COLORS 'di=01;34:ln=01;36:pi=33:so=01;35:bd=01;33:cd=33:or=31:ex=01;32:*.7z=01;31:*.bz2=01;31:*.gz=01;31:*.lz=01;31:*.lzma=01;31:*.lzo=01;31:*.rar=01;31:*.tar=01;31:*.tbz=01;31:*.tgz=01;31:*.xz=01;31:*.zip=01;31:*.zst=01;31:*.zstd=01;31:*.bmp=01;35:*.tiff=01;35:*.tif=01;35:*.TIFF=01;35:*.gif=01;35:*.jpeg=01;35:*.jpg=01;35:*.png=01;35:*.webp=01;35:*.pot=01;35:*.pcb=01;35:*.gbr=01;35:*.scm=01;35:*.xcf=01;35:*.spl=01;35:*.stl=01;35:*.dwg=01;35:*.ply=01;35:*.apk=01;31:*.deb=01;31:*.rpm=01;31:*.jad=01;31:*.jar=01;31:*.crx=01;31:*.xpi=01;31:*.avi=01;35:*.divx=01;35:*.m2v=01;35:*.m4v=01;35:*.mkv=01;35:*.MOV=01;35:*.mov=01;35:*.mp4=01;35:*.mpeg=01;35:*.mpg=01;35:*.sample=01;35:*.wmv=01;35:*.3g2=01;35:*.3gp=01;35:*.gp3=01;35:*.webm=01;35:*.flv=01;35:*.ogv=01;35:*.f4v=01;35:*.3ga=01;35:*.aac=01;35:*.m4a=01;35:*.mp3=01;35:*.mp4a=01;35:*.oga=01;35:*.ogg=01;35:*.opus=01;35:*.s3m=01;35:*.sid=01;35:*.wma=01;35:*.flac=01;35:*.alac=01;35:*.mid=01;35:*.midi=01;35:*.pcm=01;35:*.wav=01;35:*.ass=01;33:*.srt=01;33:*.ssa=01;33:*.sub=01;33:*.git=01;33:*.ass=01;33:*README=33:*README.rst=33:*README.md=33:*LICENSE=33:*COPYING=33:*INSTALL=33:*COPYRIGHT=33:*AUTHORS=33:*HISTORY=33:*CONTRIBUTOS=33:*PATENTS=33:*VERSION=33:*NOTICE=33:*CHANGES=33:*CHANGELOG=33:*log=33:*.txt=33:*.md=33:*.markdown=33:*.nfo=33:*.org=33:*.pod=33:*.rst=33:*.tex=33:*.texttile=33:*.bib=35:*.json=35:*.jsonl=35:*.jsonnet=35:*.libsonnet=35:*.rss=35:*.xml=35:*.fxml=35:*.toml=35:*.yaml=35:*.yml=35:*.dtd=35:*.cbr=35:*.cbz=35:*.chm=35:*.pdf=35:*.PDF=35:*.epub=35:*.awk=35:*.bash=35:*.bat=35:*.BAT=35:*.sed=35:*.sh=35:*.zsh=35:*.vim=35:*.py=35:*.ipynb=35:*.rb=35:*.gemspec=35:*.pl=35:*.PL=35:*.t=35:*.msql=35:*.mysql=35:*.pgsql=35:*.sql=35:*.r=35:*.R=35:*.cljw=35:*.scala=35:*.sc=35:*.dart=35:*.asm=35:*.cl=35:*.lisp=35:*.rkt=35:*.el=35:*.elc=35:*.eln=35:*.lua=35:*.c=35:*.C=35:*.h=35:*.H=35:*.tcc=35:*.c++=35:*.h++=35:*.hpp=35:*.hxx=35:*ii.=35:*.m=35:*.M=35:*.cc=35:*.cs=35:*.cp=35:*.cpp=35:*.cxx=35:*.go=35:*.f=35:*.F=35:*.nim=35:*.nimble=35:*.s=35:*.S=35:*.rs=35:*.scpt=35:*.swift=35:*.vala=35:*.vapi=35:*.hs=35:*.lhs=35:*.zig=35:*.v=35:*.pyc=35:*.tf=35:*.tfstate=35:*.tfvars=35:*.css=35:*.less=35:*.sass=35:*.scss=35:*.htm=35:*.html=35:*.jhtm=35:*.mht=35:*.eml=35:*.coffee=35:*.java=35:*.js=35:*.mjs=35:*.jsm=35:*.jsp=35:*.rasi=35:*.php=35:*.twig=35:*.vb=35:*.vba=35:*.vbs=35:*.Dockerfile=35:*.dockerignore=35:*.Makefile=35:*.MANIFEST=35:*.am=35:*.in=35:*.hin=35:*.scan=35:*.m4=35:*.old=35:*.out=35:*.SKIP=35:*.diff=35:*.patch=35:*.tmpl=35:*.j2=35:*PKGBUILD=35:*config=35:*.conf=35:*.service=31:*.@.service=31:*.socket=31:*.swap=31:*.device=31:*.mount=31:*.automount=31:*.target=31:*.path=31:*.timer=31:*.snapshot=31:*.allow=31:*.swp=31:*.swo=31:*.tmp=31:*.pid=31:*.state=31:*.lock=31:*.lockfile=31:*.pacnew=31:*.un=31:*.orig=31:'
set -l connection_type
# Disable atuin up arrow and ctrl-r keybindings when running in a tty
if test -z "$DISPLAY" && test -z "$WAYLAND_DISPLAY" && test -z "$SSH_CLIENT"
atuin init fish --disable-up-arrow --disable-ctrl-r | source
else
atuin init fish | source
end
# Ghostty shell integration for Bash. This must be at the top of your fish!!!
if set -q GHOSTTY_RESOURCES_DIR
source "$GHOSTTY_RESOURCES_DIR/shell-integration/fish/vendor_conf.d/ghostty-shell-integration.fish"
end
atuin init fish | source
'';
};

7
nixos/home/modules/shell/git/default.nix
View file

@ -1,9 +1,4 @@
{
pkgs,
config,
lib,
...
}:
{ pkgs, config, lib, ... }:
let
cfg = config.myHome.shell.git;
in

14
nixos/home/modules/shell/starship/default.nix
View file

@ -1,16 +1,12 @@
{
lib,
config,
...
{ lib
, config
, ...
}:
with lib;
let
with lib; let
cfg = config.myHome.shell.starship;
in
{
options.myHome.shell.starship = {
enable = mkEnableOption "starship";
};
options.myHome.shell.starship = { enable = mkEnableOption "starship"; };
config = mkIf cfg.enable {
programs.starship = {

10
nixos/home/modules/shell/wezterm/default.nix
View file

@ -1,11 +1,5 @@
{
config,
pkgs,
lib,
...
}:
with lib;
let
{ config, pkgs, lib, ... }:
with lib; let
cfg = config.myHome.shell.wezterm;
in
{

44
nixos/hosts/durincore/default.nix Normal file
View file

@ -0,0 +1,44 @@
{ ... }: {
config = {
networking.hostId = "ad4380db";
networking.hostName = "durincore";
# Kernel mods
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ];
kernelModules = [ ];
};
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
fileSystems = {
"/" =
{
device = "rpool/root";
fsType = "zfs";
};
"/home" =
{
device = "rpool/home";
fsType = "zfs";
};
"/boot" =
{
device = "/dev/disk/by-uuid/F1B9-CA7C";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
};
swapDevices = [ ];
# System settings and services.
mySystem = {
system.motd.networkInterfaces = [ "enp0s31f6" "wlp4s0" ];
};
};
}

11
nixos/hosts/gandalf/config/samba-config.nix Normal file
View file

@ -0,0 +1,11 @@
{ ... }:
''
workgroup = WORKGROUP
server string = gandalf
netbios name = gandalf
security = user
# note: localhost is the ipv6 localhost ::1
hosts allow = 0.0.0.0/0
guest account = nobody
map to guest = bad user
''

13
.archive/hosts/gandalf/config/samba-config.nix → nixos/hosts/gandalf/config/samba-shares.nix
View file

@ -1,15 +1,4 @@
{ ... }:
{
global = {
"workgroup" = "WORKGROUP";
"server string" = "gandalf";
"netbios name" = "gandalf";
"security" = "user";
# note: localhost is the ipv6 localhost ::1
"hosts allow" = "0.0.0.0/0";
"guest account" = "nobody";
"map to guest" = "bad user";
};
{ ... }: {
xen = {
path = "/eru/xen-backups";
browseable = "yes";

12
.archive/hosts/gandalf/config/sanoid.nix → nixos/hosts/gandalf/config/sanoid.nix
View file

@ -14,22 +14,22 @@
};
datasets = {
"eru/xen-backups" = {
useTemplate = [ "production" ];
useTemplate = ["production"];
};
"eru/hansonhive" = {
useTemplate = [ "production" ];
useTemplate = ["production"];
};
"eru/tm_joe" = {
useTemplate = [ "production" ];
useTemplate = ["production"];
};
"eru/tm_elisia" = {
useTemplate = [ "production" ];
useTemplate = ["production"];
};
"eru/containers/volumes/xo-data" = {
useTemplate = [ "production" ];
useTemplate = ["production"];
};
"eru/containers/volumes/xo-redis-data" = {
useTemplate = [ "production" ];
useTemplate = ["production"];
};
};
};

132
nixos/hosts/gandalf/default.nix Normal file
View file

@ -0,0 +1,132 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, modulesPath, inputs, ... }:
let
sanoidConfig = import ./config/sanoid.nix { };
in
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
inputs.disko.nixosModules.disko
(import ../../profiles/disko-nixos.nix { disks = [ "/dev/sda" ]; })
];
boot = {
initrd = {
availableKernelModules = [ "ehci_pci" "ahci" "mpt3sas" "isci" "usbhid" "usb_storage" "sd_mod" ];
kernelModules = [ "nfs" ];
supportedFilesystems = [ "nfs" ];
};
kernelModules = [ "kvm-intel" "vfio" "vfio_iommu_type1" "vfio_pci" "vfio_virqfd" ];
extraModulePackages = [ ];
kernelParams = [ "iommu=pt" "intel_iommu=on" "zfs.zfs_arc_max=107374182400" ]; # 100GB
};
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAGSFTSVPt43PBpSMSF1dGTzN2JbxztDZUml7g4+PnWe CSI-Driver@talos"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO/W445gX2IINRbE6crIMwgN6Ks8LTzAXR86pS9xp335 root@Sting"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBROTzSefJGJeCNUgNLbE5l4sHHg2fHUO4sCwqvP+zAd root@Gollum"
];
# Network settings
networking = {
hostName = "gandalf";
hostId = "e2fc95cd";
useDHCP = false; # needed for bridge
networkmanager.enable = true;
# TODO: Add ports specifically.
firewall.enable = false;
interfaces = {
"enp130s0f0".useDHCP = true;
"enp130s0f1".useDHCP = true;
};
# For VMs
bridges = {
"br0" = {
interfaces = [ "enp130s0f1" ];
};
};
};
swapDevices = [ ];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
sops = {
secrets = {
"lego/dnsimple/token" = {
mode = "0444";
sopsFile = ./secrets.sops.yaml;
};
"borg/repository/passphrase" = {
sopsFile = ./secrets.sops.yaml;
};
};
};
# no de
services = {
xserver = {
enable = false;
displayManager.gdm.enable = false;
desktopManager.gnome.enable = false;
};
};
# System settings and services.
mySystem = {
purpose = "Production";
system = {
motd.networkInterfaces = [ "enp130s0f0" "enp130s0f1" ];
# ZFS
zfs.enable = true;
zfs.mountPoolsAtBoot = [ "eru" ];
# NFS
nfs.enable = true;
# Samba
samba = {
enable = true;
shares = import ./config/samba-shares.nix { };
extraConfig = import ./config/samba-config.nix { };
};
resticBackup = {
local.enable = false;
remote.enable = false;
local.noWarning = true;
remote.noWarning = true;
};
# Borg
borgbackup = {
enable = true;
paths = [ "/eru/containers/volumes/unifi/" ];
exclude = [ ];
repo = "ssh://t3zvn0dd@t3zvn0dd.repo.borgbase.com/./repo";
repoKeyPath = config.sops.secrets."borg/repository/passphrase".path;
};
};
services = {
podman.enable = true;
libvirt-qemu.enable = true;
# Sanoid
sanoid = {
enable = true;
inherit (sanoidConfig.outputs) templates datasets;
};
# Unifi & Lego-Auto
unifi.enable = true;
lego-auto = {
enable = true;
dnsimpleTokenPath = "${config.sops.secrets."lego/dnsimple/token".path}";
domains = "gandalf.jahanson.tech";
email = "joe@veri.dev";
provider = "dnsimple";
};
};
};
}

80
nixos/hosts/gandalf/secrets.sops.yaml Normal file
View file

@ -0,0 +1,80 @@
lego:
dnsimple:
token: ENC[AES256_GCM,data:CfRFhGE8AyZfO9RzoXXTfm8kstvx+Fuy53o9ulYNZiufzzSQ4KzwYIoCRw==,iv:HEC8hRpmk7YDI7RHj29ZAeFKyPgsWTHw1sxjdZuhcrw=,tag:7RhEhZ9GkyBE9PJRe+gD+Q==,type:str]
borg:
repository:
passphrase: ENC[AES256_GCM,data:lt0Rq269GoBuLNw9fxwuMAmtYjE=,iv:57IFde6EX7myLSCvYXkkbSulr8S7JPYoThWBsPLH0Yw=,tag:NwlpouurYF+2qmw2T3De8A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUZVhNdGh2c3dpYWU2TDNJ
M2Vyb29jQ2xHMXBKVk10dkhWVUFmVkpmV2tnCjF5ZnBBcGtkZjFYbU0zQXNNRCti
QzVKOGR2OUQvRXVvOXZlb1I0V00rcWsKLS0tIElHeHhkSmt5UkZhTjk1dkFSbUp0
M1BiUzZkU0pDbHVQNC9yQ3pzSU5INm8KcRB4uY0PHnDfc4bJZwqkK/S7FbEXuxEu
ot9oVR4sZBs7Uhi5Ixz7Kmk9dBJ+E9dWPxDeYhYo3V0Tq77h1vVOyg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNalVRWXVGN0hqZDdYUDVZ
TVRwVHJsTEJoTVIzenFuY0dnTWs1bnRHZnhzCnNPTnJ1Uk92aVRaMlA4VTRYbXNh
MW5ycEUzUVk0RW1Iby9kWjQ1cTVXWDgKLS0tIDdVaTcvNm9Ca2hTMzBlSGZVUnZN
a2U1ZjIwRWx1bWp6TktablBqMUduUmMKCFT9vPMu/fob5SQG1004925OB1KNhsUm
obph/984DUTQxk6IvnJ7fPrnFwL5yY1azdybjPlwGw6o5SmwKpxWBQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2RjUvSFJqNGxieVZiVE9q
NjB4RHcraXk5TnJtN1RSNXZSMlEwbjgxaUZVCjRxUGUwTjBFSU9nTHpRbWpmVkRQ
cllyei9URXYyRGgrTGdjWXRSZmpRYnMKLS0tIHNQOXpkZnI5b200d0JiSVI2N1BU
MS9MRW5ocGRMWXdBL0E5N00zbGZzVFEKxeMB0/opzFTnlSBK1vEsLqQ0qIDhOuw5
S+g8eYTVXSIs/3TMUnOJxDezAG2l00vyWryPw2sGOnqgZCnF9VB/mw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbzJDWHhIT2tSekxpWmFR
cVFocEl6N0VWM2FYVC9FeE9zeG0wYUhnazJRCllsdlFVZXR0YTA2T2h0ZUVienpQ
MmhJVTkwd1Q4VjNVaWxkL0lVTEVLemsKLS0tIHVqMHhQaW55MHBsVmc5TjJjT1Jy
RXdOeXk0NFJuL1ZKTUt3dXdkdlpLenMKmlQ0k9CmSWQ7MqueMbmd/TqYyQiDFZ0G
FPtUIFWxxPY79vsEHq3kxyz4CGMUv7tYx00OK6niLgLZUStd/3Bxmw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWTk5S2VkQmNnNjIwQ05y
TkR2MjdnY1pGMVZpT2dadE5icjIvRWtnT2pVClRCcTVHa3BaMGRDWTgzNE5zQzBq
MWRWWi83b0k3OUo5WXhHTVRZSmovMWMKLS0tIFF4UlNtNVFkd3phTzd6R2FuY0Js
VWpzZTdXSWpiV2tRbnc5VlVWM3FCak0KQGy+ZWdvEh09y9z1Dj3GTVyeAJ5notCH
ujbOfaly8e9E2g4uOxISxyFe39xlOZd6zEInZ5qiKPrZz37ASChBkA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrZDNFa0U4MWs0dmVkZXhi
V3JjdXIrTTdkamkzRW1jU0wzNnluQ0lJbmpNCkcxNUNwc3ZxMXJreXBxNUlaR0xN
RmFDZ3RIaVU5aCttS3Q5dWo0QUovVDgKLS0tIEVJQm1xWE80OVRyWUxkMzFXRHBp
RlJTZjgzQ3pDVHRPQ2dFbHBqdzA3N0EKGBFnnJMqUrbaIviqpX4CP4Ps45Lk/Yyn
fpVxSlwjOHNDwQ4ojUjv11FRo9WHUTGACFniUtvYc0oaLNygNgf8+Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBodERMdDN4cVRiS0tVck5h
N3RySnRtSXJHZEthRWZNcENrNXY4bHNHa0R3Cm1HL0lzWnpocWhXNDV3RFRxL1ZG
dWlCQWtzMEZlRnNML2NrOUVPSVRTcHMKLS0tIEsrbk5VOUZhbDFRRHRuWW56TjE1
V1d0d1lKb3hyYVQ4elBIZ0hnU3FTbnMKiWERjAwlJRPK+PILCBV03uyNVnNgolA8
PS0vbIDVNiX0pIrRlM2sVivZwqajjTB3XROXMmbIKpQxDMjvpHgqJA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-27T04:50:25Z"
mac: ENC[AES256_GCM,data:IKLC9N4FvfV+eWFoVZa5ijyBdiQuNdXAE4Z/pQNhns+qTuMpuz9QLeQGysow8zCqg9z5WHPa+U10uBIJg0P6Bq2CkBTJ2/75axsQgqc+BPuY4cUfppbYqQaSzB831b3XMHei9m/IPXNoh277jk0E9A0mOzHu4YsBEEzyf5nESn4=,iv:dOIgrQD0eDB1lqTWoDoLXnDZTWJLf5m9a948Wabfc6I=,tag:MWoIe5UpTqZCDDJMcg0swA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

63
nixos/hosts/legiondary/default.nix Normal file
View file

@ -0,0 +1,63 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
networking.hostId = "2132e3bf";
networking.hostName = "legiondary";
boot = {
initrd.availableKernelModules = [ "xhci_pci" "nvme" "ahci" "usb_storage" "usbhid" "sd_mod" ];
initrd.kernelModules = [ ];
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
};
fileSystems =
{
"/" =
{
device = "zroot/root";
fsType = "zfs";
};
"/nix" =
{
device = "zroot/nix";
fsType = "zfs";
};
"/var" =
{
device = "zroot/var";
fsType = "zfs";
};
"/home" =
{
device = "zroot/home";
fsType = "zfs";
};
};
# fileSystems."/boot" =
# { device = "/dev/disk/by-uuid/E532-B74A";
# fsType = "vfat";
# options = [ "fmask=0022" "dmask=0022" ];
# };
swapDevices = [ ];
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# System settings and services.
mySystem = {
purpose = "Development";
system.motd.networkInterfaces = [ "eno1" "wlp4s0" ];
};
}

32
nixos/hosts/shadowfax/config/disks.nix
View file

@ -1,32 +0,0 @@
[
# zroot
"/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNM0W406409E"
# nahar
"/dev/nvme0"
"/dev/nvme1"
"/dev/nvme2"
"/dev/nvme3"
"/dev/nvme4"
"/dev/nvme5"
# moria
"/dev/disk/by-id/scsi-35000cca23bc8a504"
"/dev/disk/by-id/scsi-35000cca23bd29918"
"/dev/disk/by-id/scsi-35000cca23bd29970"
"/dev/disk/by-id/scsi-35000cca2524cc70c"
"/dev/disk/by-id/scsi-35000cca2524e03f4"
"/dev/disk/by-id/scsi-35000cca2525680dc"
"/dev/disk/by-id/scsi-35000cca25256b484"
# eru
"/dev/disk/by-id/scsi-350000c0f02f0830c" # unused
"/dev/disk/by-id/scsi-350000c0f01e7d190" # unused
"/dev/disk/by-id/scsi-350000c0f01ea443c"
"/dev/disk/by-id/scsi-350000c0f01f8230c"
"/dev/disk/by-id/scsi-35000c500586e5057"
"/dev/disk/by-id/scsi-35000c500624a0ddb"
"/dev/disk/by-id/scsi-35000c500624a1a8b"
"/dev/disk/by-id/scsi-35000cca046135ad8"
"/dev/disk/by-id/scsi-35000cca04613722c"
"/dev/disk/by-id/scsi-35000cca0461810f8"
"/dev/disk/by-id/scsi-35000cca04618b930"
"/dev/disk/by-id/scsi-35000cca04618cec4"
]

49
nixos/hosts/shadowfax/config/incus-preseed.nix
View file

@ -1,49 +0,0 @@
{ ... }:
{
config = {
"core.https_address" = "10.1.1.61:8443"; # Need quotes around key
};
networks = [
{
config = {
"ipv4.address" = "auto"; # Need quotes around key
"ipv6.address" = "auto"; # Need quotes around key
};
description = "";
name = "incusbr0";
type = "";
project = "default";
}
];
storage_pools = [
{
config = {
source = "nahar/incus";
};
description = "";
name = "default";
driver = "zfs";
}
];
profiles = [
{
config = { };
description = "";
devices = {
eth0 = {
name = "eth0";
network = "incusbr0";
type = "nic";
};
root = {
path = "/";
pool = "default";
type = "disk";
};
};
name = "default";
}
];
projects = [ ];
cluster = null;
}

42
nixos/hosts/shadowfax/config/sanoid.nix
View file

@ -1,42 +0,0 @@
{ ... }:
{
outputs = {
# ZFS automated snapshots
templates = {
"production" = {
autoprune = true;
autosnap = true;
hourly = 24;
daily = 7;
monthly = 12;
};
"nvr" = {
autoprune = true;
autosnap = true;
hourly = 24;
daily = 7;
};
};
datasets = {
"nahar/scrypted" = {
useTemplate = [ "nvr" ];
};
"nahar/containers/volumes/plex" = {
useTemplate = [ "production" ];
recursive = true;
};
"nahar/containers/volumes/scrypted" = {
useTemplate = [ "production" ];
recursive = true;
};
"nahar/containers/volumes/jellyfin" = {
useTemplate = [ "production" ];
recursive = true;
};
"nahar/containers/volumes/scrutiny" = {
useTemplate = [ "production" ];
recursive = true;
};
};
};
}

46
nixos/hosts/shadowfax/config/soft-serve.nix
View file

@ -1,46 +0,0 @@
{ ... }:
{
name = "Soft Serve";
log = {
format = "text";
time_format = "2006-01-02 15:04:05";
};
ssh = {
listen_addr = ":23231";
public_url = "ssh://10.1.1.61:23231";
key_path = "ssh/soft_serve_host_ed25519";
client_key_path = "ssh/soft_serve_client_ed25519";
max_timeout = 0;
idle_timeout = 600;
};
git = {
listen_addr = ":9418";
public_url = "git://10.1.1.61";
max_timeout = 0;
idle_timeout = 3;
max_connections = 32;
};
http = {
listen_addr = ":23232";
tls_key_path = null;
tls_cert_path = null;
public_url = "http://10.1.1.61:23232";
};
stats = {
listen_addr = "10.1.1.61:23233";
};
db = {
driver = "sqlite";
data_source = "soft-serve.db?_pragma=busy_timeout(5000)&_pragma=foreign_keys(1)";
};
lfs = {
enabled = true;
ssh_enabled = false;
};
jobs = {
mirror_pull = "@every 10m";
};
initial_admin_keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcLI5qN69BuoLp8p7nTYKoLdsBNmZB31OerZ63Car1g jahanson@telchar"
];
}

236
nixos/hosts/shadowfax/default.nix
View file

@ -1,236 +0,0 @@
{
config,
lib,
inputs,
pkgs,
...
}:
let
sanoidConfig = import ./config/sanoid.nix { };
disks = import ./config/disks.nix;
smartdDevices = map (device: { inherit device; }) disks;
in
{
imports = [
inputs.disko.nixosModules.disko
(import ../../profiles/disko-nixos.nix {
disks = [ "/dev/sda|/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNM0W406409E" ];
})
inputs.nix-minecraft.nixosModules.minecraft-servers
];
boot = {
initrd = {
kernelModules = [ "nfs" ];
supportedFilesystems = [ "nfs" ];
};
binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for arm compilation
kernelModules = [
"vfio"
"vfio_iommu_type1"
"vfio_pci"
"vfio_virqfd"
];
extraModulePackages = [ ];
kernelParams = [ "zfs.zfs_arc_max=107374182400" ]; # 100GB
};
swapDevices = [ ];
hardware = {
cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
nvidia.open = true;
graphics.enable = true;
# opengl.enable = true;
nvidia-container-toolkit.enable = true;
};
users.users.root.openssh.authorizedKeys.keys = [ ];
# Network settings
networking = {
hostName = "shadowfax";
hostId = "a885fabe";
};
# Home Manager
home-manager.users.jahanson = {
# Git settings
# TODO: Move to config module.
programs.git = {
enable = true;
userName = "Joseph Hanson";
userEmail = "joe@veri.dev";
extraConfig = {
core.autocrlf = "input";
init.defaultBranch = "main";
pull.rebase = true;
rebase.autoStash = true;
};
};
};
programs = {
# 1Password cli
_1password.enable = true;
# Mosh
mosh.enable = true;
# VSCode Compatibility Settings
nix-ld.enable = true;
# Hyprland
hyprland = {
enable = true;
package = inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.hyprland;
portalPackage =
inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.xdg-desktop-portal-hyprland;
withUWSM = true;
};
};
# Open minio ports for firewall
networking.firewall = {
allowedTCPPorts = [
9000 # console web interface
9001 # api interface
];
};
services = {
# Minio
minio = {
enable = true;
dataDir = [ "/eru/minio" ];
rootCredentialsFile = config.sops.secrets."minio".path;
};
# Netdata
netdata = {
enable = true;
};
# Prometheus exporters
prometheus.exporters = {
# Node Exporter - port 9100
node.enable = true;
# ZFS Exporter - port 9134
zfs.enable = true;
};
# Smart daemon for monitoring disk health.
smartd = {
devices = smartdDevices;
# Short test every day at 2:00 AM and long test every Sunday at 4:00 AM.
defaults.monitored = "-a -o on -s (S/../.././02|L/../../7/04)";
};
# Soft Serve - SSH git server
soft-serve = {
enable = true;
settings = import ./config/soft-serve.nix { };
};
# Tailscale
tailscale = {
enable = true;
openFirewall = true;
};
# VSCode Compatibility Settings
vscode-server.enable = true;
xserver.videoDrivers = [ "nvidia" ];
};
# sops
sops.secrets = {
"minio" = {
sopsFile = ./secrets.sops.yaml;
owner = "minio";
group = "minio";
mode = "400";
restartUnits = [ "minio.service" ];
};
"syncthing/publicCert" = {
sopsFile = ./secrets.sops.yaml;
owner = "jahanson";
mode = "400";
restartUnits = [ "syncthing.service" ];
};
"syncthing/privateKey" = {
sopsFile = ./secrets.sops.yaml;
owner = "jahanson";
mode = "400";
restartUnits = [ "syncthing.service" ];
};
};
# System settings and services.
mySystem = {
# Containers
containers = {
jellyfin.enable = true;
ollama.enable = true;
plex.enable = true;
scrypted.enable = true;
};
purpose = "Production";
# Services
services = {
# Misc
libvirt-qemu.enable = true;
podman.enable = true;
# Sanoid
sanoid = {
enable = true;
inherit (sanoidConfig.outputs) templates datasets;
};
# Scrutiny
scrutiny = {
enable = true;
devices = disks;
extraCapabilities = [
"SYS_RAWIO"
"SYS_ADMIN"
];
containerVolumeLocation = "/nahar/containers/volumes/scrutiny";
port = 8585;
};
# Syncthing
syncthing = {
enable = false;
user = "jahanson";
publicCertPath = config.sops.secrets."syncthing/publicCert".path;
privateKeyPath = config.sops.secrets."syncthing/privateKey".path;
};
# ZFS nightly snapshot of container volumes
zfs-nightly-snap = {
enable = true;
mountPath = "/mnt/restic_nightly_backup";
zfsDataset = "nahar/containers/volumes";
snapshotName = "restic_nightly_snap";
startAt = "*-*-* 06:30:00 America/Chicago";
};
};
# System
system = {
incus = {
enable = true;
preseed = import ./config/incus-preseed.nix { };
};
motd.networkInterfaces = [ "bond0" ];
nfs.enable = true;
zfs.enable = true;
zfs.mountPoolsAtBoot = [
"eru"
"moria"
"nahar"
];
};
};
}

91
nixos/hosts/shadowfax/secrets.sops.yaml
View file

@ -1,91 +0,0 @@
syncthing:
publicCert: ENC[AES256_GCM,data:XGQus3CTr8j7LBnOf/Fk5cu2V41X+Udo1yXEq9WP4nJuRvQRQ3IVKrgVyIZfIFM6b02GXJHmvsujZiqLnszTM1ltW67uKhnepj4N8ywogUiEudGyMsu99HchsTN4EhWBeenmOR+Fh1Eruva/fxZlaPMZYEAGSQR8iwC/NqPeGdrS2j4HstxAWd8jn7fJg3MXirTBykiNTGd83gCLjSKoueal8KNF1Sa9peho84u/FrFP5V5JB/E8LT2WLegrdZXEgVwInvYqciZbwWZwP5lWVaiKHPRqVMWCGtBgkxTuD41icFiCFz8OwMFR58+p+LxicGl7IgXDbQtIR+0+WR1Lz+BVOxjUkbr/U0znvta4JYkIbZp3utfbU+K9P7PBCPo4d5WQrVkaEUxNYA0aCgf4ZF4S+upXkV5Dfzc5nnEQi1kme6yScnheKDCMROLnCG1PYZRXk+Q5XQz/iW7KriI1GkNW1u01GB90RwHSTC9btTQEG0c8mgv/4yf8ObGYxDHR2o7QvsEgrfLOrHjBDJ0eGl3sSPH8m6XRGnZBj9prjA1x1h83vZo0omR5nFjA98xRN2U4v4NIeS5KqptDcTsVQdcWpRBjpnZYtb1pJ97p9/gUTNT3UzCt/7LpvO2LyO6CmnV1dVU+HlMVkJJIQHSFnvsk8PsnJEhGcoJIj+GvkkjzgOA2gbtnzpZ3HlM2jPTuSx8VlrLcPb7tsdeGM+ESbDrD/8tHMyOEaoGYOkSLRfE5QhSFuTN7woG3Eg2x+UK92JwkXPpHqr15Vvsw7ElfjnY7NBUz2jcCSJIPLlX1Gs277egZQKumu3TO2h16ced07ABtPPaptAFwh7GR+o5o60mleYdh2NhJGv9Db3i8X+ty3sFEnsIhoOBD75WTsy3cdtls5wWE0Ox162FFhXXqSbxhLaTDkpM6C71+BR97Og8e+/zfN5bK/8pmGUk8EzkL3Anp1rCtD8MxY/CPpxK2oHgPALQwcpGVzpdnk65P5m+61T9boo3UfoC/27G2HyqSj4zz0NCt5Dlqio+hxeZIuaJKx00RIASosXo=,iv:gI/BtvEcAcwTkqpSvpzo1kFR2miK0CiWNY6bQvijbRo=,tag:u6rLmKskE7FClh4V5/3FDA==,type:str]
privateKey: ENC[AES256_GCM,data:W9+O6G3xhABcztmdqZIy4LKXt9uuoz8fhM56flvJGrJ1WGN9BX9Syn/mblYP2PDWFHBHQtMd+fWsRC1cDPAbwPB8e4CX3gU4NvxQEtkTb6UceP6nF/LZGJkUPIVHflbz4zQxBFet1TDA4pW9IaOrQYYAOcAJtNzF8ybhXepY+RErdnEKIYp5m7M60wvAgs9EDaAbsD3wuzzjs/+s3tR8/Ga8n8qrWSwfbQwRMbXETN0D1PV5HydsBcwiQ2w0FrjQ6w27ASuKQGSAKFNxU8I5/SF5tFLiR8LV+wcUIoUoCN4AxYQQBdxpNcyhxjTFSu7rUvqV7Ni85JUnmnep1cM4j+4hkmj2M06m0SHy87kiJcJfRkwXVKEJUJiUuLQCR+20,iv:FbZnaXDr5+jjSs7wKSE01z0p2Kd9UzGw2alGfd8m1ik=,tag:CD8vp7hloHDYQF/pkm0a7A==,type:str]
restic:
plex:
resticUri: ENC[AES256_GCM,data:aA3kc/Wxg/UxrAUeDd0y9z/8mN9LjWsycS3aUuEwgTcAO2NkfUcH9kw/PXOvazA8t5UJ9RVPYYF7910JeftmMNgs,iv:4GaR5XuJKPnQsBehihraCgqBUumDeq6IiRQrSvtQKgg=,tag:U1fVporyT4S48Dmdf5ghSw==,type:str]
resticPassword: ENC[AES256_GCM,data:rC5P60IK52dYOSiSkpnkZ2VvqI0=,iv:xIr6BYmpbGXg9zKCKVcstK2ANHN2Y0MzZ1HhDIL9oxI=,tag:J14I0dvIW0FMW1LLB4KuNw==,type:str]
minio: ENC[AES256_GCM,data:IJTwUJOC84a5n798fTDlwRzVc8p5zRiccjdoNTPCNlls0RAyGllijf7GAQG3fxQZQWB2xNd7G0F4/Bv+KmThX2Nxy0c5JFbed+AekuMbNQ==,iv:QDB8JUSehsApBnRhLeGtS2ZczIJA0awN0g0sfkKK810=,tag:NMDfAN8R0mcT7Ec1ldyZbw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOK2piTS9FTXJ3TWMzdVFr
aWFUSkJSbTdCR21iQks3OCttNzZOcWg5RlFJCnhQQk5sb2Jjd285bWZaVjVrQzRy
REMvZnR4YUREUUwzK1IxRzJwNUdVcncKLS0tIHB0MTRxWWJRR3psMEVBTmQycCtL
MjhkT0JGdjBmeUw2MGFLZUFhMW5IKzAKVY5fLZeRk/6dvCimJ7Jgj1hOjqtZ3Q35
EH1L3X2/n+fTzYIASj1UJxvAJd6U7rrmfozQQYIKch2Ri+EV3QHRKA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArSFVLTFZqeHNuSENWWWZG
QmI4QXEvbG5SeTJHMVhSaThPYkNzZDI1TnpZCkdobm5IaUhESVk3NVVxcTVITUZh
Vk0wTjdtS3hxcnEvRkV3bmZJdVlmTUkKLS0tIGhqQkFPcXFKcjhCWEZvR1BrMi83
THFOTXdoc2pFKzhZTkNUdC9VN0IvTTAKdmOR0iZ6pzJX/ZgxhxvS6yUCEGjq/ePV
NIPJwMMcAatrrFunBdIEOzfu1LO1in5ZADaA54JUIiftLrhA8Lraig==
-----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQZ2lxb0JiYzlmRHZ0Ymhk
OVo2cXFRcmtGdGFqTWlJY1dXVlNZbTFIUFZVCmFuMU9SNjRtU0tTSlRnMHFQSFJi
K21OQ1Z2K0lYWHA1cmRibWFTVUIrRU0KLS0tIHNZTkY1UXY4TjZrWCsyK2hPeEVH
NEpZcU96Q1lobzFVTWNrUFJHQjZhM1UKZQzhD32rkAylJfSp+N648jrs6YvYtg+X
tpT4jvyeAcQJ+txZunhwiTwZslJEQMOZlwAyMO6riQNtATTU4Bycsw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQbGNIemRkQUtobFliUCtx
aUNLQUZhM2xVOHI4YUUxR0xKNmROUDQ2cW5ZCi9zQU1LYnBFWC9NMHAvUDBKYWZL
TC85ZnllOTgzS3B6QjJxYWhtZG4zbVUKLS0tIHNhUk9ocVhpaUJ3emxHR2pZb2c1
S2FOK0gwNGJwbFduNkwyZkZGdmVMY00KH1SjfNNdeKRmqwidEB2MM5EO/8jJk36D
86Ehn4wHIW3CSfqJYDLmYBmreFfqgQq/BGThGJs2EdkNb2VkyZnTUg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMTVRLeHlFb2FpYUdZNXV0
T1dXMTROTk4rM09KaG9SK0FuVEZQTmJIUVZnCkNJODJpY0NZUWthdHBEamRPMlNl
UStpUlphSDFKZ1pJalhjRGIybms0QUEKLS0tIFBlZFAvaE83YmEzU0hnTXhJSVdH
Vm5pRTB6ZEpZRnZ3Nk5UY3ljcG9lQncKW+/xvvA8gU6f9SlF5jGkddXpmSZlOCfh
xXXAFB50J/9fmBRMXVItzdERKK1MxZm9p1g5gmIYkyH/wm48ZTyrwA==
-----END AGE ENCRYPTED FILE-----
- recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFd21SSGpTclllWWdIWmda
TzlkZ2VNWDZ3YUVwWDkzZHlyYythZ1JMUTJVCk15TVZUMVdTSWpldnozMVhVQ0dE
S3FaTzhLWE1Pd3B2RW1YTU1TVXIxbEkKLS0tIFhoZHBTeEpUekdEajRNZ0xRcnpi
d2xDaDBWKzhaK2RzOUoxbDAvQnQwK2cKXifwRj2MHtsPYykP92gkkf2drlSBf/4U
AXvjfndT7yqvlBHfTCusos6AollCJ+QNPQJoCdzZzSyLZS5S55QY5Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwbW5HOHp1UUVhN3ljZkpO
RlZYdDVsUlYyL2VXdGROalZrRnVxMmFEb1ZrCjVEYmd2a2NrelFkSGt6ZnpYblBi
aStXRk5YQ05HUkJZMW11QzRUSGhVMWsKLS0tIDBhVXVBTTB3U1dnMWxEd2VaMWd4
THltK2VHRU1PQkpOc3VyUFN6K2l5OEUK7dWJCGhvw+Xr3ny68iWgo05iApyiqzZI
pwUG0ZfzQlwC0cvYTqHfc8nGyHcAsjs6LTeBYrn+WGZtvEUBAZvIHQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGbUlTR3d1UTBWOWJPK2E2
OVc4cWNYbm9zcDRydHdFT3pEaWxxZDVkUkUwCktEYWt5dmdmWGRESnFFVnVIcFRa
T0Q0WUdjSk1TaVRsdXBRTGo4cjZIZW8KLS0tIENzcUJxeFBtRWx4aTVsTndTWkFC
aVlOSHhFb2I5UnYwVytyQzlWTXBDYUUKdQKilmfJ1F7UYKtQV9zV95FcRIK17p4M
vGvu/pGJ32tH8xI7cNs9I5Hmg9c5wOam21W1FDk+VlJ/ClXqQzS0MA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-27T09:27:41Z"
mac: ENC[AES256_GCM,data:x2em1h5iUJVXtHq25TpoaZ+JfFwc7g9n7Nkz9gZDMYZJhWXJAL/W31C7Hf8FvHkN38onMTaFKELC/w6hAAXT1SQRQyoCBzPilkYHkuovIHS53saIfq0bCFiphJ2JagjvWT/blpsw4mw/3hXHe2ebt/jS57nGYeQH3vG50EeonDc=,iv:fW0KbIbtkimTpOADTVs5fDskFupXwr+RimYiwHQirPk=,tag:BZHNcp10fsNTEt020NPq0g==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1

48
.archive/hosts/legiondary/default.nix → nixos/hosts/telchar/default.nix
View file

@ -1,29 +1,18 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
...
}:
{ config, lib, modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
networking.hostId = "2132e3bf";
networking.hostName = "legiondary";
boot = {
initrd.availableKernelModules = [
"xhci_pci"
"nvme"
"ahci"
"usb_storage"
"usbhid"
"sd_mod"
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
networking.hostId = "4488bd1a";
networking.hostName = "telchar";
boot = {
initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usbhid" "usb_storage" "sd_mod" ];
initrd.kernelModules = [ ];
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
@ -51,22 +40,19 @@
};
};
# fileSystems."/boot" =
# { device = "/dev/disk/by-uuid/E532-B74A";
# fsType = "vfat";
# options = [ "fmask=0022" "dmask=0022" ];
# };
swapDevices = [ ];
virtualisation.docker.enable = true;
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# System settings and services.
mySystem = {
purpose = "Development";
system.motd.networkInterfaces = [
"eno1"
"wlp4s0"
];
system = {
motd.networkInterfaces = [ "wlp1s0" ];
fingerprint-reader-on-laptop-lid.enable = true;
borg.pika-backup.enable = true;
};
security._1password.enable = true;
framework_wifi_swap.enable = true;
};
}

13
nixos/hosts/telperion/config/Caddyfile
View file

@ -1,13 +0,0 @@
telperion.meerkat-dab.ts.net {
log {
output file /var/log/caddy/telperion.meerkat-dab.ts.net.log
}
reverse_proxy {
transport http {
tls_insecure_skip_verify
}
lb_policy client_ip_hash
to https://10.1.1.66:8006
to https://10.1.1.67:8006
}
}

46
nixos/hosts/telperion/config/bind.nix
View file

@ -1,27 +1,27 @@
{ config, ... }:
{config, ...}:
''
include "${config.sops.secrets."bind/rndc-keys/externaldns".path}";
include "${config.sops.secrets."bind/rndc-keys/externaldns".path}";
acl trusted {
10.33.44.0/24; # LAN
10.1.1.0/24; # Servers
10.1.2.0/24; # Trusted
10.1.3.0/24; # IoT
10.1.4.0/24; # Video
};
acl trusted {
10.33.44.0/24; # LAN
10.1.1.0/24; # Servers
10.1.2.0/24; # Trusted
10.1.3.0/24; # IoT
10.1.4.0/24; # Video
};
zone "jahanson.tech." {
type master;
file "${config.sops.secrets."bind/zones/jahanson.tech".path}";
journal "${config.services.bind.directory}/db.jahanson.tech.jnl";
allow-transfer {
key "externaldns";
};
update-policy {
grant externaldns zonesub ANY;
};
allow-query {
trusted;
};
zone "jahanson.tech." {
type master;
file "${config.sops.secrets."bind/zones/jahanson.tech".path}";
journal "${config.services.bind.directory}/db.jahanson.tech.jnl";
allow-transfer {
key "externaldns";
};
''
update-policy {
grant externaldns zonesub ANY;
};
allow-query {
trusted;
};
};
''

82
nixos/hosts/telperion/config/haproxy.nix
View file

@ -1,39 +1,53 @@
{ ... }:
''
global
log /dev/log local0
log /dev/log local1 notice
daemon
global
log /dev/log local0
log /dev/log local1 notice
daemon
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option redispatch
retries 3
timeout http-request 10s
timeout queue 20s
timeout connect 10s
timeout client 1h
timeout server 1h
timeout http-keep-alive 10s
timeout check 10s
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option redispatch
retries 3
timeout http-request 10s
timeout queue 20s
timeout connect 10s
timeout client 1h
timeout server 1h
timeout http-keep-alive 10s
timeout check 10s
frontend k8s_theshire_apiserver
bind *:6443
mode tcp
option tcplog
default_backend k8s_theshire_controlplane
frontend k8s_homelab_apiserver
bind *:6443
mode tcp
option tcplog
default_backend k8s_homelab_controlplane
backend k8s_theshire_controlplane
option httpchk GET /healthz
http-check expect status 200
mode tcp
option ssl-hello-chk
balance roundrobin
server bilbo 10.1.1.62:6443 check
server frodo 10.1.1.63:6443 check
server sam 10.1.1.64:6443 check
''
frontend k8s_erebor_apiserver
bind *:6444
mode tcp
option tcplog
default_backend k8s_erebor_controlplane
backend k8s_homelab_controlplane
option httpchk GET /healthz
http-check expect status 200
mode tcp
option ssl-hello-chk
balance roundrobin
server shadowfax 10.1.1.61:6443 check
backend k8s_erebor_controlplane
option httpchk GET /healthz
http-check expect status 200
mode tcp
option ssl-hello-chk
balance roundrobin
server nenya 10.1.1.81:6443 check
server vilya 10.1.1.82:6443 check
server narya 10.1.1.83:6443 check
''

72
nixos/hosts/telperion/default.nix
View file

@ -1,30 +1,18 @@
# Do not modify this file! It was generated by `nixos-generate-config`
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
pkgs,
...
}:
{ config, lib, modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
networking.hostId = "ce196a02";
networking.hostName = "telperion";
boot = {
initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"nvme"
"usbhid"
"usb_storage"
"sd_mod"
];
initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
initrd.kernelModules = [ ];
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
@ -54,8 +42,6 @@
swapDevices = [ ];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# Until I can figure out why the tftp port is not opening, disable the firewall.
networking.firewall.enable = false;
sops = {
# Mounts unencrypted sops values at /run/secrets/rndc_keys accessible by root only by default.
@ -76,36 +62,18 @@
};
};
};
networking.firewall.allowedTCPPorts = [
80
443
2019
];
services = {
# Caddy
caddy = {
enable = true;
package = pkgs.unstable.caddy;
extraConfig = builtins.readFile ./config/Caddyfile;
logFormat = lib.mkForce "level INFO";
};
# Tailscale
tailscale = {
enable = true;
openFirewall = true;
permitCertUid = builtins.toString config.users.users.caddy.uid;
};
};
# System settings and services.
mySystem = {
purpose = "Production";
system = {
motd.networkInterfaces = [
"enp2s0"
"wlp3s0"
];
motd.networkInterfaces = [ "enp2s0" "wlp3s0" ];
resticBackup = {
local.enable = false;
remote.enable = false;
local.noWarning = true;
remote.noWarning = true;
};
};
services = {
@ -124,24 +92,18 @@
haproxy = {
enable = true;
config = import ./config/haproxy.nix { inherit config; };
tcpPorts = [
6443
6444
50000
];
tcpPorts = [ 6443 6444 50000 ];
};
matchbox = {
enable = true;
# /var/lib/matchbox/{profiles,groups,ignition,cloud,generic}
dataPath = "/opt/talbox/data";
# /var/lib/matchbox/assets
assetPath = "/opt/talbox/assets";
dataPath = "/var/lib/matchbox";
assetPath = "/nas/matchbox/assets";
};
dnsmasq = {
enable = true;
tftpRoot = "/opt/talbox";
tftpRoot = "/srv/tftp";
bootAsset = "http://10.1.1.57:8086/boot.ipxe";
};
};

95
nixos/hosts/telperion/secrets.sops.yaml
View file

@ -1,10 +1,10 @@
1password-credentials.json: ENC[AES256_GCM,data:mPnJtGeZfSGnMjiJsUUfTnKwGNtuPLK/+XhGTrztiQN3bPh2EFtOg18nihsvdI6klWov9OymwATput//StpRuO2u9XtF3ayET8m8qrrldELi4IGujEBp5rmQ3DIeknhJCNGRscYDEIbRcSuVjPRIJtN42njOOr7SSvJzw0o3MTPwfJrRedOeAbvVLQ5+37JGGvS4mvfyZXXi3LFhmWPqWFyzGCUdaDJ+pBwr6Z2JY89votbh2JaTp+kRIgWm4XI2oi3sKGD+kbORHoVeCS9qzUBdGmGvmqNXLkAYJvOMGk6lT2qaMlN9/6ab57Ob9YBT5qb5CxBZr+JAk0/BrjVakjvf+gS5JFehpLkx2yTllhbcD+GvGu86m37HyMi/PZefxeO9BiGdUhpAapuQzGRk5E484ClbwSW8D7SylKPkTU1gy88L1C2hHbdJdBsTL4r9bkwAwLEuRNri5t0QXNjKlGLtWM0FJvRJC1NkBPwA5rc0Vl7d6Bvf6AV0WQjD0qSh8FDmu2ouMfRJQ6ceM654xQTt6UfVxDJV1AxFEB78rIECuIfkPyMf9GG20l+LdlACHLTBtWGWesjuWag22ONwDsopX52ttAHkMslttpN2PA5wrtoy1KS8mia9BvvdVVv9ykURjYISn85/oHgiw1nCYQQlgPVCb3fmrkQhSZinawIBvKz9xB1xA5JVBuHSOeIzZizkh1S2T3QlSllqWpdHFVsif4gaEfFq9h3DVDcr05sTya6/SV3A1Lv8R5RkpOSO/T0w1Uco8EcXi/ZyaEvQ4v/oJGJBJNiTJI8IEMx8s59tZ660SmefUS8BLVlSxhxJ2PdON2lEbMcva7FvvuRNfMfXEv7psDdXDUWIxPfwsn+llqrosqcDcPNkS/ksVC5kCZlWCxgpnGAKnUkyV9KM484O3W/tVzE5qmUPRUse+bIJ/CX95qK6oSWDK+lBICTayYdgHHwiMJygXUDzWlS1ulL7UyX6M30v7I/WUMNFJ3IeCVuETkNhttP8WsyyNPv7Nh6qSH14Yaz9+EpBRvY8qU7IbNXfeNq6MkMn91l4Mlwfo38AExJ3jtd6ql7eOTPFJYbwY4y4bdkF0kLx0eaw79aLE/fcsnfmxE1zsu0Ihn7NSu0IYgOPsp2t8JS95jVqSc0N6cfCUo4/N6YYfpDsfiNVCAz6poqIHAWo69oD224xAz6Qx9k01/d341KHC1GhjgZ5gdK0caGhQJ633V8w6v5IBR1Uz0Q/F5/rCfRmFE7sCWf8eqMoQaJ+CpmEvdgQpl9Zao1LSObJjk36X5R0YLY8Q5lkh/di0/E2KEDgcId4Z3gBHvpK+TKXJR3ajF8oWgGJO/o+WfsJstyJqcTS8uxWiQaG6vBkomrujEmwNu7r32Z4WC0NBI32TtzT1FOslBEIsruosRJ0gXaDBaXCQuycJS2NFvDZoOdDW6dBIKg=,iv:uyFfI8iGwRHBbVS7zsyAewFlaHe38enW5sBW+J/ipG0=,tag:cZy0HBx64HpRCdzOnTDS5Q==,type:str]
1password-credentials.json: ENC[AES256_GCM,data:odK6x2TscY1WNCOaPBSfo2ln7hsa5UopakUpOgB4ci64p4LGIwTTDnSiq8+UXkrDndQ7tSqtr9RUvB+AwwYOuh1KBAwWmlZN7agtxUYc1wvMdQv8WPDfhqe9m0FNP5gyTaohcjBdBddZlv7izScVePUQUdG04dGYqUg6mQ/gmPtJy27hil8GivvxRN6FnFtkgoyfE+ZLfkTuMdeL4cxai4j+UeGc5XgmsrBLrW5udeDw2hktGXEBp2vMC6t+D7uzZ7DeLBDiHRbBZBeo+krnVdPsLxU3yFF/hC8vWVbkT7Wt/UhB0+X8SWvhYOvc3KW+NfyHcU0SONhQCM4iOkk/1qvcaDHy7idqexKxOtfQaZtuHW0vB3icgbxTO9usFxOxUPe63yXHUg+UDKSN4UGCF10eLoZKaV7zO76BkTFXQLl2Q+dytaxEKathhW4fS5lUBpuxXNDXuIxMiUIclXwVWVDpL7qchTJCopWwwDRaeHrUPev+pQptEsDLYpZeuf27hPjCMiOWkxt2kg2eKPjJ8AUtI8N3OlFPCyAurLgLSrFj0Wzm24LJLKsjs1if2y2jb/pR4MPdgnHgNnHS8VQ9JVprVyuw9C/wDhVV7yW+D4tlJ/d7AXaJq/dkO8XnwCEVPyFr9bUMB076z+tleYgvv9rHkdQMaqHr5HCHAtuYfM4f0Zpfr9alJ4wxCsj+MAn/PLGxjNd/hQQY+oYRpzBne2mUoxhRt3ZjnGH8LUBFSlz+e0+PB0anS3oV3XZUt0XuwGpNIxp4LsRFgmDC2qoMKZ2X7/DfTdmb3te0YbYNUUeHxlQ5AImzU6Lj1qw/clD7ViS82Rjc/WCavg9J7U7CdDbzhtv6xCxbyd3j1r8Wi4XLAXy4ZdcdvCEyYDHwJeExY8pp/jvS3CqSrlC/PyBUemloIQ+jSQiRYDv26XpRKbJ9Yd8fJ4ANPCMuvXU21iXtxHIRwopTo87hWqqSaORFcyVOmCxJJpa/TXL5fdd4ISy6CSqZXZCCIfiVxq4fBkqSoya4XMXQQq9Ki5xwLf1bDhaT3v7okP87A9d/j9Vru2RIZtRT71jVKvwDvJhLAfYuXyIUfQh5cvIw4/HlAZzP5vi1w5KlIJGf1uVVhvTl7p23/Gi9LAX3/P75dbK+x4VYOyqjMowER3jxk9m6GyFDl7iuceNh1bIpgPN1s4QOba7N2Tex5oa/aJJKOLYE4GYDtom5auDP6Xqa/Nd4NaDyd5oVuXcP7Lp7tDu9sIW5rhGaVYKU7jhzALN9HjfmAen+cZ50oy8L3IYKlS/91qzGughYDOjK4qeQ2XrMxySnCPja7ElV4gxmB3X73nxN+N0ZLEDhAGIS1FOaOammDjK2Pj/3vA5+S2hO3GYLh9glNgRnIGlNUVtw3My9H1mYIc4eP+LGGXz1KPnQMQWRtXZHH4d4fsOyhk+CE8as7WtyO7M=,iv:RkYdMs72Nq7dwHScKZeXMNSJ53ztTXCb3lkhrr9K2oE=,tag:XDdPfd+Be9nSAbvate52AQ==,type:str]
bind:
rndc-keys:
main: ENC[AES256_GCM,data:2K8QGlLH4TVdqUh4Qx99+/IhBqEldfdEnuVxzWrSiJpCXA8IVD8oQ+43hvfbxTG4Q5Jx1T1dx1VlQLjOikWhW0feYT7Uexn7Q+qNb9il5ioKoiqSHGvPbiy8KceDx2xHcFGquhN7,iv:ibeYbWtFCq0MGMbwIsNrjTTTrqio8gdrEvTIkBHw6+4=,tag:+59enmEps91uROm2jjtm3w==,type:str]
externaldns: ENC[AES256_GCM,data:yRNBvr/dq3+2MFANmtIvj0iHZ0Qz705VxA1vg0jl9IkYZhzUtwUlIJF25vDQCsS30BzsXIAQgfncoPxMnqmswoH2Cd3a7W2Pf/Ck9aDMKaCSNJYrl/D86Crwq8nhMJLiDyta7zkwkMTE,iv:V1fQB2zdL1ReBY2f5ofwJju8zrxdh7yxbGCKQ6p29AA=,tag:Qn8PQcTJ4it092qQyAh6gw==,type:str]
main: ENC[AES256_GCM,data:X0HTyNmqH1epIVNkXMyFlavqAodDw92Gs2sK54USNv0mWIwmk8NEb69x/Od8TAwDZw63k0lEAymyj/hBfkpav9yKT1M1hGxr09xjWsR/DTAM9tFv140cvnMEon0ZbXVXp4ou24jP,iv:7AsoCrxf8CyPiyWYfHZsGE0Qw/wutCVvCEiRdUdmIHA=,tag:oJi4BTDrD3FLEQuYeDR3dA==,type:str]
externaldns: ENC[AES256_GCM,data:WhH4vAR4Q4iTXq2fT+Z8kOXkwnneNV4bXWYytov62DFDSnYwsvWIbol5MvYIwXM+gEbQ/k/uk62MSFx26T34881EGJmH7KXWr7ji273D8oKAp0Fw6jOt2NZT6XkBwhWEIathUOwNdN6E,iv:SepdyBzYga7s03ppSppiBB/wTbTrL/y70aa/B/m02r4=,tag:vWqlZLx+FvstJjgRj4mjWg==,type:str]
zones:
jahanson.tech: ENC[AES256_GCM,data:bCg54kzMqGJdq6+adMz59mfbeIVIoP9qmyFi0uoQX0KTCKU6XNX3FCzI0ludEfUrFtKqjdbmKJzGJbaCTVyL5yDBq9VFtFnBPeaTG0TlzKxO1VBad97+OqSJge5ZlpeNgUR1LUkHa+h2IkNRjde7kIBVHu8hpOqGpXI3UKi+FSYAUiIV1PKLzVh9pSiLp4kL8K0mursA/wSPzEaZ782FFKwIlXMVoTlWgB+tGIxanOekLpUMRaGaUktSJwmSrdSbs1Wn6/FVdWWjiZxHcDL9BU9RyiTyUh9tT9n2mMk7PICihrl5RINObVqi1tssqivN479NCNnXqeJ9wOJdsDZcVdI9ijGuJzcYsAeH2m+zdUGGiMFVRScdtuxgVqEOg014xL+FSe49X2ZXI41Gt3cyWIwX9HHdFMdzTeL/Si2V6dWmFJpdfA/k5hM7UTIkKYgCKeyc0ymZ6xF21pQck7OSTddcCgMBGgk1acfzJgxAzrLD9MjEVWzCdyYTzW0dWPOTcCN7ox9MCrHJWaIuGbgsZuT+Pc5K+/UrXHETidh527wiR/p5I7kozZj9t1u+gT5SNL9sQg3zOnWq1qL+WDWuW31tXR9vlE98T3ZvRHJOiXYK7eYU97ww1hwa09h92lmwkBWNMNL2ouNNLHTDTevCT+1KjLSWlpo3XjwVmk9RfgAbLrQtPIK1C4Q44WZ59f6l+3daz8EmGy+9aXoCW8bfk9bR7O8su+UO5gCHHp72mWtWpE5z+TRMCPXL53bw0IXh/H8Inj98KP05ebpIXvfbnjdfUFA8ujZcJMlvBCUYPHg+0gQtiANfzr9FbUcHVwMHamWww9EpQ3YGmRG/LYY8kJlPRvLaeg9e6gLbz2l9/GM+G5BAMO1ZqaxyOlQ6/J1bBY0WKQDSER1f1W8U/EAi75y+s3LXz+Y3LU9wmmJ7qWeVULjszlaZr+W0NxkX1Qh+ys/ffV7j+NMwa4nNyC1MJnsjgBzLNGxp3fpcCZTqApfZmCbvz3yG65pTDa7BfTsYy596wPec+kquBGYTVnNbg2oXzAPLV99nzJRISeCBtOiuwbIHzbLIEI820OPdMnA+PWAPRWXMIqAq5PDpsZws65pY73Pp,iv:bck9vjCWvfx31ZKNwfkaSHazIKRvMXX//E2hG9lNNFY=,tag:vrsZ4v+LtsuYZH5XCnrfcQ==,type:str]
jahanson.tech: ENC[AES256_GCM,data:XqOX6lbCubPEi1pXgIEXW0qyD2+iJXNugTPdQOB/yCm4AX1mMiANAV51FBDb9f+QQ+q1EDqGz/83VKggoIvHSZCOW3dkNWR2uy82uO8C59sbsLrR5AzTTnZN2zlaIjW2q42I838mKfO7MfYXutwQbTpepr/Brtbldm+HRjxugJJMDFvBqSlylSnFA+jeWq7RNRP1+ZxGULO8I2BTPqdRVyRHcIWjyQABTctDcDgDLMpPxrMBTtmC2/CFH5pIT3w6gbrYRwYFZh7fNprOYRRPOkGHMZK6ccMCpm2uRR4b5daB1MidqJUsX999ma2TEmsUJSQZr6mS2r/QvwZ2R9QziIkBxh91vCg6HMaHl8/ISlryZVlkWNY1P2jgCMw0jJ58NxeBVAjVWw3iL+i9JU/q51r8J3nZHi5ql90JMaVdYWw8I2GLYWDHQnES9srEXtJwJNLzE69lQuL8ARmey4gt8Q9snen0v3RJVFb466nPKvH51TjIAr3FB2L8NY3RumD4eYl05L5JdNcFVuqmsYdoWQSQdZz23BxRM/QKT2qKjrhxfZuQW1naNDg3qbx5+bLGHlG6m8wRdtkR5SXWQc5a7LG2eURY9T7vy8yxMWzjd5LPMFLd7JlUSjwXw9YBhYTafGuc2TUESs8DCO/hU2zjAn1KM+rmc2T4aF3HexJwt7b7HBmMrDWObdtj09ycV10tp1Z57ZMz18aJdIbaZKopERN25FzIKiTlytiZiWsesLo6mUbsgb7bmjGGjBEDbp9P7ozgZv5H+aR5Y7POl9EG3gfERPsa1nF1qlloOrYT/GX8pUNhXAxH6QfX7WF+ANiMB/L/X4L0/XufV7shCWfQwogZ3t7ARGHr3dIOyx1ABus+M2QUZyI94jHTn+/J6aaxL8qsDGDZ6383Gk/CHa57BklRUrZZYVs9jzDe7+12gDfID/eP+nnKuohwCY1KcHL5QCRUg8KN1ZIyH1FYz489l/qKFG1nO33iJv/l6opWjIv98EM88ckA7zxU1+UgjxNiBo0EGJPw1erwTwUzehTnj303HuTGbtGjgE/vK8M+rCCpL9L0YAFQyXqeuqQs6yM3PHCyKfvThCAnwnTIGn2mZcyu/GGGOO9Hse/islh4cYldxC8psKNfNlf6qT43MOf+gDJ2GKU2kzU5tivlNqXbgAs=,iv:8SWNl65v24W504eG64L65rDmvqrkF5VJhufN3u/wRG4=,tag:oapDfnOAPyPDiJrxGHtiJA==,type:str]
sops:
kms: []
gcp_kms: []
@ -14,77 +14,68 @@ sops:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjUzhJTjZHYnRkNC9tQWJu
eWZxKzUvRDdoTVVKcXNDRk5MTmV3Q2RtMEFFCkhjY0pRV2dRYlU4R1ZzWGkra2hN
YVV0K1g4bmd6a3phVW5tanUreW5tY1kKLS0tIDJOUzViem1vRTFPWXFJWXdQbjZF
OW14UDNGTlpQZll3cGVVMWQ0eGQ3clEKuPbfceFH/+MChLOiA6J/LCGKce/k45aw
w1KmPaBfFEl4kAAyAXe0qVypNmzQsVh0rdPMlRq4Fnk1EbnkjAlMyQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSSS9JWTZPak52ZFloYTZq
N3Ewa2hrbUZmZ0Y2aVpzaTZjN1hzWTlqRmg0CkdIZk9IMDdWQ2xsYmdHcGM3WmVk
cnVXVkprbXlQeDdzSkEvbW9SSE1aU3cKLS0tIHpuQUY1TmdKbGpZQ3N5Vk5LdzBC
VVp6Q1ZNR3gycSsxU3Q3SGtNUDN4cEUKDXO3QyNQfXqn587meoAZqraGMl4ASeOf
rVJDGWkNhne1YFdAfvbiY6pD7RDxscwiRFqDofH/t0EfN4vwrzIx3Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQOFN3TU1NQ1R2Rk9kd1FZ
cFprUlJUajRkK1N2S3JhSERLVHQ1ekczWmxRCk0rMmRrNjdiQmpnQVJmdHM4ZitL
V3JVLy8xU3J3T0ZiMDY5dEN2bW9OWUEKLS0tIHBoeU1RbVhsMU0xMm1pcnV3bHA1
dGpRU0VvTU8wSTlva0VzMkZVMkxtUFUK1/7ioFSrAsuyRJkk3rTnEy5xbq2q19xW
5bE8rMfyOBRVrqIUYooDnR1OCpnfD51D3ro80NTfmKxVhxoTH9Miug==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrSEZKOUJTTjE4YTRQUnFW
bzhMcjlSVTRNRWNkSmZSbU5ITFFTbURFbGpJCnpndFR1OVJvWnBOMVovdVVGWkZ4
Wk9xa29kekgxRnlqbFg4YzN0OE9ZYUUKLS0tIGsxeUhWdU5NaTE3cHpYNXF2OUlK
eGNyTXdqWFNvZ0NVOCsvaG55dUdaMEkKW9SxqP6Jpn72VAwPhn3laO1OE+gYzLvb
10NfaR+2P0EJZ3nwc0sLKmPmSzcRiE9etGtNGFiLgoUNkQ3lnwXj6A==
-----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBORGV1RGg3WHRvWmhzRjkz
aFJOUTVHN3IvdlVHK1QwNlpPN002T1FOSmpFCm02T210R2FYUlcrL2h3RFdQYWhY
NkZxZVpNU3JGNCtWNEtIQmZhd3RKK0UKLS0tIEZudTlEbEFyQ2xOcDV6ODkvQkNz
Mjk2SXFka05jYUNBNUxiSll5TVp6cjgKRK1errmBICcb3irz4qysjkd9rYH5K5Tf
l+fTyGb3U26dlvP4Krlx/6dfH76NH/ZkvJ3E11aIvXAhu31upzALgQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTTF2TjJ0WGJaTUFIWE9s
S1NHQmRiQUVjSGJLQXZ2VUUrclorT3dIOXprCnQwOUorNXFzNG1DbG8wRW83QTdC
a2ZpZnM5Vit6bk1SaXRSZnZZT1g4ZzQKLS0tIFd4RVR2LzdvVG5nVzBiKzBPL1p2
eFJWOGx3Z240clRQN3dNa0Ztb2hrUk0KunfKdWPTZD32KagC+VXmAQDxJAoElHAp
mo8a0GGdeVuJiUneJlZ2KYuLkseCyn0HC5qQMUIT8HZJ2bb+RH0vDg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiRUhiT1pHa0dYM2FPQlIz
dHBadUlLanhYdTB1bjhnQWdsbHllOVFRNUdjCnNyaW45SUhydlErd3dRYnJHa3lD
bGRnc1RTdm55VFZlR01icG5NNWJibG8KLS0tIDI5WjBOL3p4M1k2ZWI0d00weHpJ
Nk5CeUY2M1VrZm1NZkVRa3ZMbDE3a3MKAb1sjdyJTVu3h52xEqJedn2MdNaFryLX
gZOMBhtz4fac11RZC3nFA6RDra3KddQsad5lwK5JOeFFRi688x5cag==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3ZHAxMVNsK3U1ZlJnaEJj
eTNhZzRidW9HQ3Jrck0zNmxPYXcvVUtJRTJFClFiMGNuYnEzbVNJNExVSkZ3dVJy
MHlRdG1uNHhZb3daNW03bVJrOGZmNmsKLS0tIER3RUg0TDRQT09jdy9xNzF6OUtq
VHR4NjUxZGpRYzNKaHhlVTdJQXBmTlkKHgqnACFlEusz0/W+I/O2smr/SV2Oiw9Y
wCqCyVfB+kGrfgq08e8ki8NXv3PDT637BU3kXFaOTQhzSE0aCpD8qw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
- recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2S3VPZHVrbGoxVUVldnJX
L1dNL0JaRGVNemkzZkMwaDlOQ01RY2YyTmdrCmthaHRYVzV1Qk8xOE1aS29GUDha
MUtlZ2FuVCtycWRMbWxrVURBUDg0dlkKLS0tIDRwSmJsN2FsVVpzOWV5WnZUaGkx
ODcvNjl3cjE1Nm5DRHhzalRVUGdjUGcKOMfvjsP04O9UoRpyGncQ3Hon91rvXUH6
fM6BWVEoH7tYq779YB3qEt2lh5TN/DDd8/ROOx25a4hL7F0/zy3vNA==
-----END AGE ENCRYPTED FILE-----
- recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArSzVyTE44NUUzLzZVaDl0
TmNWYWNuK21mS1RlTy83OFRrUlZSU1FYZGc4Cmx4eExyY3o2OUhmeEdoOEtNSFJQ
NUx3cnVBVEV1VGgxTWZFSmVoYlJtQUkKLS0tIHRjZTVtKzByWmRJMnpxNWo3RjEr
NCtmMTNmUWNkbUlIL0pEWUxCVk9XTzQKIxVOgsWjLvKwKpKMFQnkt5zzFMJ1P1AE
XqsOg5bKN7Yzw771PZ7nYPIIvsFPqznVARKTPxnjELjSUqT+VrJT/g==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvTXJWQThMaDZNajBFOVRT
NEpJK3RvbzRKUXE0NWpRQVA0aWJSYVNxWkhNCk1nWHVaYmZNQkdQZFJIOTZKTWxC
RXpOaHc4dzNBZ0txcFhtbjVVSjhDbXMKLS0tIDkwSnFTTjBZZE5hZTdXeTI1Q2F6
Skw3OUt4SVlrQ0M0d0h3KzNubjZ6SDgKiEvuO+RqygeSSzeUlQJSPuzNY4tbzKso
bt/fSCV4ulFTvjybD9lfA9dclHGM/IRA9obCQd8RsCBQuXo9cuWnjA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpVGNIeTc1VFRRZjB5Q2tR
TjB2T3BRNk5xc0cyTE9KODBvMUdkOGxyN3o4CkNoYUl6QVhUN2dmcjYvdWRFTHpT
SDVIVmt3VFk3cHd4d0F2RHFkQ0lQbkEKLS0tIHNhaXhEbmJlMzZ5aWFZNWRRV25O
emh5UnZpRC9MWE9yWkxNYXQwa05kRWcKbo9ONgyzMWCCkG17nIRWOUkLR8WtPeL4
U4yF9SDKtdwIJKuC097uIEXvF5blEkhf+5Mai0TMrhq+NMggjP7M1w==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVZkQ0NzVGMWJ4Tk9vYnZC
dmo5U2FJa0pOUmt1K09MWFdRamNnaUgwbEM0CnhKRmMyN0RYMG5Uc3ArQVZhVFZX
RHQ3SU1TUnQ1SlhvZGp6emFOV1FuVE0KLS0tIE1oQjQ1dUhTMVBaTnZIeVpVNmxp
cnk3ckEyWkdhWkpkQlhJTHlsaGFTNDAK79D2C2RZql38hBJOBnqhOOdb7Z7EJNgj
aWfivACOM//hsPCZK+9YFpXJ08Nb6iBlNKzYsTW7qJ+Ue9M9i9JShA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvOXBwN0JoMjlidmVvdHB4
QkhqaDRjd0t1SEl1WllVTjVhMENJMGNoK1FjCnExSkJzanpmdWFick9BZy9BMDkv
UGV2VTlsL3hZWllkdlcwSGc4RlZJODQKLS0tIEZEM2hTZlN4VFI3Qk5JRXErUVNG
aUdDTlg0Y25rZHVwSjFnODk4MHZ4aEEKxYeMCkODa2JhGX3zlpmDJ+sbXD5T5DtT
Iedq5KFLmmvXBOu0sXlVdO+G0/qBgl/5t4pwLFDCx+qsxZgEJkUEMg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdHRRVEY1dmR2WjM3YVhk
dFZ6UmUxUTJKR3RKMUM0UXVaMUJwMzJRTmpnCjJtdjgwNnphOU5EdUxkSUp6UkQy
cS92MGdlTExVbWJIWGlGVVFla001MGcKLS0tIHF6c3MxR1V3N2szeXlNdWhUaGpW
WWRlTHl1MWFmU293NGJyRVNRTE1RWWMKu5nK98591T0Z4rHIHxCY7mqBW/CF6abl
3/ygImXkb15Ws4b4mcN67vk3omg9CB6s0SHfFk1GAu6CiN7MufHQ+Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-27T09:27:41Z"
mac: ENC[AES256_GCM,data:T2obxwbBbBiR3dPq3wYzrGEMdzUKZ9F5LJSDlG9zlECIsyYdlSCx4n0qrhOioNYpjwUNCGoBL0EH11cmTlUzpV/mA8e7oW2oXbVydP1xu9p8LQHtTO8veLPqfKYqEL6iCF/6iJWh/o+NYCAHzp1BWGR0VbrF4QBgYWSPRjy9HXQ=,iv:cdu2Y5OQ7wpLoAXWP94hU+syjqYhh7Z2G6ezgdDgGRg=,tag:/aHcyP+SmY4SQ9L+sEsemg==,type:str]
lastmodified: "2024-07-15T23:16:58Z"
mac: ENC[AES256_GCM,data:pmZjxv+vcznnamHNvOL7sr8wrejmcqo6D/NpizVo7TPo6cs59vTQ2fXmM0zlfJs81wZVe8cMcv2LXITSmjpZOsrhYuzMpPsc9HGzdwfOXVTfdVDYWVwNd4LsXMW40rqUbZyVtp8zAOW4eF5iY0H+acPxMcBbogoQKOU94a0NqzU=,iv:vFcpIrA9KRMawLCbMqWbKcGFPBcMp3mQRIgje5dV5S8=,tag:iuEaP9jjhhvjMjChvaoBCQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1
version: 3.8.1

38
nixos/hosts/varda/default.nix
View file

@ -1,15 +1,8 @@
{ pkgs, config, ... }:
{
imports = [ ./resources/prune-backup.nix ];
{ ... }: {
imports = [ ];
networking.hostId = "cdab8473";
networking.hostName = "varda"; # Define your hostname.
# Add required CIFS support
environment.systemPackages = with pkgs; [
cifs-utils
];
fileSystems = {
"/" = {
device = "rpool/root";
@ -25,42 +18,17 @@
device = "/dev/disk/by-uuid/8091-E7F2";
fsType = "vfat";
};
"/mnt/storagebox" = {
device = "//u370253-sub2.your-storagebox.de/u370253-sub2";
fsType = "cifs";
options =
let
automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,user,vers=3";
in
[
"${automount_opts},credentials=${config.sops.secrets.sambaCredentials.path},uid=994,gid=993" # evaluated and deployed from another machine
];
};
};
swapDevices = [ ];
# sops
sops = {
secrets = {
"sambaCredentials" = {
sopsFile = ./secrets.sops.yaml;
};
};
};
# System settings and services.
mySystem = {
purpose = "Production";
system.motd.networkInterfaces = [ "enp1s0" ];
security.acme.enable = true;
services = {
forgejo = {
enable = true;
package = pkgs.unstable.forgejo;
};
forgejo.enable = true;
nginx.enable = true;
};
};

26
nixos/hosts/varda/resources/prune-backup.nix
View file

@ -1,26 +0,0 @@
{ pkgs, ... }:
let
cleanupScript = pkgs.writeShellScriptBin "cleanup-backups.sh" (
builtins.readFile ./prune-backups.sh
);
in
{
systemd.timers.cleanup-backups = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "daily";
Persistent = true;
};
};
systemd.services.cleanup-backups = {
script = "${cleanupScript}/bin/cleanup-backups.sh";
serviceConfig = {
Type = "oneshot";
User = "forgejo";
StandardOutput = "journal+console";
StandardError = "journal+console";
};
};
}

19
nixos/hosts/varda/resources/prune-backups.sh
View file

@ -1,19 +0,0 @@
# Set the backup directory
BACKUP_DIR="/mnt/storagebox/forgejo/backup"
KEEP_NUM=7
echo "Starting backup cleanup process..."
echo "Keeping the $KEEP_NUM most recent backups in $BACKUP_DIR"
# Find all backup files, sort by modification time (newest first),
# skip the first KEEP_NUM, and delete the rest
find "$BACKUP_DIR" -type f -name "forgejo-dump-*" -print0 |
sort -z -t_ -k2 -r |
tail -z -n +$((KEEP_NUM + 1)) |
while IFS= read -r -d '' file; do
echo "Deleting: $file"
rm -f "$file"
done
echo "Cleanup complete. Deleted all but the $KEEP_NUM most recent backups."

84
nixos/hosts/varda/secrets.sops.yaml
View file

@ -1,84 +0,0 @@
sambaCredentials: ENC[AES256_GCM,data:/Ghze4VQ0RKyTKZAh9T5rX37c2l+W44bayusTSHzU9jBviThWYHJBhPwgnpGaqw=,iv:3PvwXwTpQTsdKL/jqbOs0z6ErnWjY9YW5yQylUwtBMA=,tag:ecaNKAytyCC+eveQHiOtaA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5WXpsV2xYNVdWMkNWZ2NK
bUhCaXhpZG5GeWVXakdySzZhNjdnbmVFNFY4CmZiZEZDaDJSdmFCS1dQZ053V1lF
Z1ZBa0dWRy9jMVZkYXJlLy9WRmIrREEKLS0tIFFLbEhxaTI5OXQyRFJ2bWF1dU9U
WGZxd2dSZGhOVnBLSUNwaEZlMEFydzQKVG18nJUQgS0w69l+x2XD6BA9IEYra4E7
Wr7GURRrSnS19eqpJR3NTcVBhRO4wUxaj8Xq+nJ54Duik13X1XXdkw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0NDdTNHlnSkZaT2s2TTVs
MnlSSXJFMUdtQ256LzIyZVJ6eFluejMyYmlNCnp5UzFjelN5bXlqRCttMTNiLzg2
Z0xzWGZmK2U2Y0xzMlF6QnUzWmRidWcKLS0tIFB4YmJ0bDYzS2llN1RFT1Y5RE40
KzhXQ1NtbVBWbGxGZjVMRUsvVnI1aTAKxdac0X3IX2HcKtuGHfqJn0MXhxU8bdGw
D1RbcNR1R+uTwZ1IYLG8l6YHXSYV0U6wtv9BuFA7k6ayTA/PmziI6g==
-----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5U0FjbjFrOVd0Rkp1TDJJ
RTgrb0Q4cENjcEljTEJZOEI3NHZWVVI3S1dJCjVnS0JpL0dFbmdSN3Bnc3J1cXd5
TE1uai92QVEwZFZKU0VUUEwyK3dyNG8KLS0tIEhZTG1kOWgzU2lCbkcxUTc2NHZH
VjdjaEsyT1B6RjdsZWpVK3BJaU1EMlEKvOxJ5TyUYfpvCwpGNQpL+munayzBye2+
aWKwNfbJS/0gZy+YpdDRwSliiOMh+DKa0rUHCDt/t79+Bhq/1FEpjA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDL2pSS2JQeDVDa2EvMFhx
OEFOT0RvUXdpT2ZYcHFNcmVxYzM1TS9lWkJvCmMvRE1ueUp0akxhVWxtY1dLTmRC
M1U0ajdjT3ppZS81Y1llQll1UGg1emMKLS0tIFFMTEhHRmZrS1hVTjByS3ZmYjJJ
Y2VtanY0RU51N2FFRlM1cVhQWktuSFkKRHc3kH4vvDFgFETVDSWZLES5lfWRcwVW
eQs/glxlPh6yUhCutuEvrIy/fGwNbVaJsuud8jqFMemggt7x981DWg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBreXVOaSsvQlBsTXB2dlUy
VlNNMHhNTVFEamJBMTI0dDl4ZlBDSVNlZVg4CjhCNTlIMmdxUjJ0cHJuYUJUT0dV
UWFLNnZwTzVrbitFZTRXVjREYWVlSjQKLS0tIGMvZ25UNkttRTU1dmE1NThBVUR1
eWdMcy9rejNncEQ0T282QXpsUU1RWHcKJ5b/n751BlLzhsJNxRjAhMuCOD8ed630
urmj6eX8piCSGOgChviahqEpyrlhrs0WJJxlJyiYWjQ4e0HRgHZaMg==
-----END AGE ENCRYPTED FILE-----
- recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXZDMwKzlLUnVJdW8zbU1L
ZDBBMm1zV0tWSWxZSU51NU8yS3JNaDk0T1hrCnpFcy8rVUViODNHT0pJR210WUhR
aXp5ZlNENzEyRjI0TXducXpKN1ZsK1EKLS0tIC9HZW9OTnd4WjYxeXNuNDVQeTZx
LytvMjhzTk9NUVFUckJ1MVJhK2MyeWsKJALG7c/heYITQb/EBTAAQCCr4YovGqsH
Y6FhDlwUsPn8SHmHwsi0haAoc7tlMKN6Mtv4MyJ6rSbCBo+c6H0n5A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlRU56YlJCcHdxQUZ5enJE
VGd5cnlKUFpvdGMwVXRDd1B5VmUvVlFUeno4CmF5RVRiSUVTQVJYS2lDdnpFbGgy
OTgzMkVHSWdsTWl6MWtxck5nTU41V1EKLS0tIFpZencxelRCd3R5c2dFSGNRV29l
aU5kS1BnYjNXSC92bFdvV21kRER6TmMK6uKyU0iINdkRXwGfxxFjg+DzowkAFVFa
vsZAbx1Q7V6prwldJwQz516CfvByqLi8s3GYDU7/s99TjK/V+MPqSw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHNnBWSklCT3RFSExsSDRO
V2hPNmtiUGl5bjdaVU13dVFKVW5wL1hGOTBrClBKcG1YS0x5aGFyNGt5dkhPSDVC
VWNDRFd5VHNjTHVWOEZSNEIwdFNNSUUKLS0tIE9abWUwZDdDUmIybnJ2aVJKbEcw
c3dRV3NmMTFFbUlRUjF4dWZscEV0b3cKgXYOPwLnUyIBOkB2hIlnM42e3TQXXSIf
GpaLKqOVw1fMSC0u7l/sTz7c2tAWVAfSXyOFcyUGpV7VAIKPjXj4og==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-01-03T20:11:27Z"
mac: ENC[AES256_GCM,data:UFU5bQg2/OuCTkqV5efbGh8VPKqJWmyld0r01j97M7+CQGwyWoXlDmaMR+27xSjSDQPxwAhb+ejQue5585VNcztdBoaH0F8wOWgkdlzxiHMvQRC5TXjao4anxNRnedf07+YHQZ74udUa9Qf8UXZqIwb6HNCDmebrNi38GOWfoS0=,iv:YQ8gGj5LgMvaZqwTD3Vtj3tSjaAlmTaCFKaWkgM5WDA=,tag:K2tbaECleS8Rn0uIfL7x9w==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.2

84
nixos/lib/default.nix
View file

@ -4,60 +4,40 @@ with lib;
rec {
firstOrDefault = first: default: if first != null then first else default;
existsOrDefault =
x: set: default:
if builtins.hasAttr x set then builtins.getAttr x set else default;
existsOrDefault = x: set: default: if builtins.hasAttr x set then builtins.getAttr x set else default;
# main service builder
mkService =
options:
(
let
user = existsOrDefault "user" options "568";
group = existsOrDefault "group" options "568";
mkService = options: (
let
user = existsOrDefault "user" options "568";
group = existsOrDefault "group" options "568";
enableBackups =
(lib.attrsets.hasAttrByPath [ "persistence" "folder" ] options)
&& (lib.attrsets.attrByPath [ "persistence" "enable" ] true options);
enableBackups = (lib.attrsets.hasAttrByPath [ "persistence" "folder" ] options)
&& (lib.attrsets.attrByPath [ "persistence" "enable" ] true options);
# Security options for containers
containerExtraOptions =
lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "privileged" ] false options) [
"--privileged"
]
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "readOnly" ] false options) [
"--read-only"
]
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "tmpfs" ] false options) [
(map (folders: "--tmpfs=${folders}") tmpfsFolders)
]
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "noNewPrivileges" ] false options) [
"--security-opt=no-new-privileges"
]
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "dropAll" ] false options) [
"--cap-drop=ALL"
];
in
{
virtualisation.oci-containers.containers.${options.app} = mkIf options.container.enable {
image = "${options.container.image}";
user = "${user}:${group}";
environment = {
TZ = options.timeZone;
} // options.container.env;
environmentFiles = lib.attrsets.attrByPath [ "container" "envFiles" ] [ ] options;
volumes =
[ "/etc/localtime:/etc/localtime:ro" ]
++ lib.optionals (lib.attrsets.hasAttrByPath [ "container" "persistentFolderMount" ] options) [
"${options.persistence.folder}:${options.container.persistentFolderMount}:rw"
]
++ lib.attrsets.attrByPath [ "container" "volumes" ] [ ] options;
extraOptions = containerExtraOptions;
};
systemd.tmpfiles.rules = lib.optionals (lib.attrsets.hasAttrByPath [
"persistence"
"folder"
] options) [ "d ${options.persistence.folder} 0750 ${user} ${group} -" ];
}
);
# Security options for containers
containerExtraOptions = lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "privileged" ] false options) [ "--privileged" ]
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "readOnly" ] false options) [ "--read-only" ]
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "tmpfs" ] false options) [ (map (folders: "--tmpfs=${folders}") tmpfsFolders) ]
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "noNewPrivileges" ] false options) [ "--security-opt=no-new-privileges" ]
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "dropAll" ] false options) [ "--cap-drop=ALL" ]
;
in
{
virtualisation.oci-containers.containers.${options.app} = mkIf options.container.enable {
image = "${options.container.image}";
user = "${user}:${group}";
environment = {
TZ = options.timeZone;
} // options.container.env;
environmentFiles = lib.attrsets.attrByPath [ "container" "envFiles" ] [ ] options;
volumes = [ "/etc/localtime:/etc/localtime:ro" ] ++
lib.optionals (lib.attrsets.hasAttrByPath [ "container" "persistentFolderMount" ] options) [
"${options.persistence.folder}:${options.container.persistentFolderMount}:rw"
] ++ lib.attrsets.attrByPath [ "container" "volumes" ] [ ] options;
extraOptions = containerExtraOptions;
};
systemd.tmpfiles.rules = lib.optionals (lib.attrsets.hasAttrByPath [ "persistence" "folder" ] options) [ "d ${options.persistence.folder} 0750 ${user} ${group} -" ];
}
);
}

56
nixos/modules/nixos/containers/backrest/default.nix Normal file
View file

@ -0,0 +1,56 @@
{ lib, config, ... }:
with lib;
let
app = "backrest";
image = "garethgeorge/backrest:v1.1.0";
user = "568"; #string
group = "568"; #string
port = 9898; #int
cfg = config.mySystem.services.${app};
appFolder = "/var/lib/${app}";
# persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}";
in
{
options.mySystem.services.${app} =
{
enable = mkEnableOption "${app}";
addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
};
config = mkIf cfg.enable {
# ensure folder exist and has correct owner/group
systemd.tmpfiles.rules = [
"d ${appFolder}/config 0750 ${user} ${group} -"
"d ${appFolder}/data 0750 ${user} ${group} -"
"d ${appFolder}/cache 0750 ${user} ${group} -"
];
virtualisation.oci-containers.containers.${app} = {
image = "${image}";
user = "${user}:${group}";
environment = {
BACKREST_PORT = "9898";
BACKREST_DATA = "/data";
BACKREST_CONFIG = "/config/config.json";
XDG_CACHE_HOME = "/cache";
};
volumes = [
"${appFolder}/nixos/config:/config:rw"
"${appFolder}/nixos/data:/data:rw"
"${appFolder}/nixos/cache:/cache:rw"
"${config.mySystem.nasFolder}/backup/nixos/nixos:/repos:rw"
"/etc/localtime:/etc/localtime:ro"
];
};
services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
useACMEHost = config.networking.domain;
forceSSL = true;
locations."^~ /" = {
proxyPass = "http://${app}:${builtins.toString port}";
extraConfig = "resolver 10.88.0.1;";
};
};
};
}

8
nixos/modules/nixos/containers/default.nix
View file

@ -1,9 +1,7 @@
{
imports = [
./jellyfin
./ollama
./plex
./scrutiny
./scrypted
./backrest
./lego-auto
./unifi
];
}

167
nixos/modules/nixos/containers/jellyfin/default.nix
View file

@ -1,167 +0,0 @@
{
lib,
config,
pkgs,
...
}:
with lib;
let
app = "jellyfin";
cfg = config.mySystem.containers.${app};
group = "kah";
image = "ghcr.io/jellyfin/jellyfin:${version}";
user = "kah";
# renovate: depName=ghcr.io/jellyfin/jellyfin datasource=docker
version = "10.10.3";
volumeLocation = "/nahar/containers/volumes/jellyfin";
in
{
# Options
options.mySystem.containers.${app} = {
enable = mkEnableOption "${app}";
openFirewall = mkEnableOption "Open firewall for ${app}" // {
default = true;
};
};
# Implementation
config = mkIf cfg.enable {
# Systemd service for container
systemd.services.${app} = {
description = "Jellyfin Media Server";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
ExecStartPre = "${pkgs.writeShellScript "jellyfin-start-pre" ''
set -o errexit
set -o nounset
set -o pipefail
${pkgs.podman}/bin/podman rm -f ${app} || true
rm -f /run/${app}.ctr-id
''}";
ExecStart = ''
${pkgs.podman}/bin/podman run \
--rm \
--name=${app} \
--user="${toString config.users.users."${user}".uid}:${
toString config.users.groups."${group}".gid
}" \
--device='nvidia.com/gpu=all' \
--log-driver=journald \
--cidfile=/run/${app}.ctr-id \
--cgroups=no-conmon \
--sdnotify=conmon \
--volume="${volumeLocation}:/config:rw" \
--volume="/moria/media:/media:rw" \
--volume="tmpfs:/cache:rw" \
--volume="tmpfs:/transcode:rw" \
--volume="tmpfs:/tmp:rw" \
--env=TZ=America/Chicago \
--env=DOTNET_SYSTEM_IO_DISABLEFILELOCKING=true \
--env=JELLYFIN_FFmpeg__probesize=50000000 \
--env=JELLYFIN_FFmpeg__analyzeduration=50000000 \
--env=JELLYFIN_PublishedServerUrl=http://10.1.1.61:8096 \
-p 8096:8096 \
-p 8920:8920 \
-p 1900:1900/udp \
-p 7359:7359/udp \
${image}
'';
ExecStop = "${pkgs.podman}/bin/podman stop --ignore --cidfile=/run/${app}.ctr-id";
ExecStopPost = "${pkgs.podman}/bin/podman rm --force --ignore --cidfile=/run/${app}.ctr-id";
Type = "simple";
Restart = "always";
};
};
# Firewall
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [
8096 # HTTP web interface
8920 # HTTPS web interface
];
allowedUDPPorts = [
1900 # DLNA discovery
7359 # Jellyfin auto-discovery
];
};
sops.secrets = {
"restic/jellyfin/env" = {
sopsFile = ./secrets.sops.yaml;
owner = user;
group = group;
mode = "0400";
};
"restic/jellyfin/password" = {
sopsFile = ./secrets.sops.yaml;
owner = user;
group = group;
mode = "0400";
};
"restic/jellyfin/template" = {
sopsFile = ./secrets.sops.yaml;
owner = user;
group = group;
mode = "0400";
};
};
# Restic backups for `jellyfin-local` and `jellyfin-remote`
services.restic.backups = config.lib.mySystem.mkRestic {
inherit app user;
environmentFile = config.sops.secrets."restic/jellyfin/env".path;
excludePaths = [ ];
localResticTemplate = "/eru/restic/jellyfin";
passwordFile = config.sops.secrets."restic/jellyfin/password".path;
paths = [ volumeLocation ];
remoteResticTemplateFile = config.sops.secrets."restic/jellyfin/template".path;
};
# TODO add nginx proxy
# services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
# useACMEHost = config.networking.domain;
# forceSSL = true;
# locations."^~ /" = {
# proxyPass = "http://${app}:${builtins.toString port}";
# extraConfig = "resolver 10.88.0.1;";
# };
# };
## TODO add to homepage
# mySystem.services.homepage.media = mkIf cfg.addToHomepage [
# {
# Plex = {
# icon = "${app}.svg";
# href = "https://${app}.${config.mySystem.domain}";
# description = "Media streaming service";
# container = "${app}";
# widget = {
# type = "tautulli";
# url = "https://tautulli.${config.mySystem.domain}";
# key = "{{HOMEPAGE_VAR_TAUTULLI__API_KEY}}";
# };
# };
# }
# ];
# TODO add gatus monitor
# mySystem.services.gatus.monitors = [
# {
# name = app;
# group = "media";
# url = "https://${app}.${config.mySystem.domain}/web/";
# interval = "1m";
# conditions = [
# "[CONNECTED] == true"
# "[STATUS] == 200"
# "[RESPONSE_TIME] < 50"
# ];
# }
# ];
};
}

88
nixos/modules/nixos/containers/jellyfin/secrets.sops.yaml
View file

@ -1,88 +0,0 @@
restic:
jellyfin:
env: ENC[AES256_GCM,data:293v4afGmUZuHMtdkcs=,iv:Aitx2N/qGXQDCpcgFa72cfvPW9KXLyqBkJ5csDitUMo=,tag:k6t0XYErgU5TuRW/e9AnXw==,type:str]
password: ENC[AES256_GCM,data:eR0jFe6o6pLpKR9KjUpH6GWVMAys4EiX981VecNq9Et/fQ==,iv:l9tCvWH80sl+nS0RKdApCqzEr1PPpNQDJlr0ILZYK94=,tag:R4rnUw1y2QBG01XkMp1JSA==,type:str]
template: ENC[AES256_GCM,data:tj3qrery9dHplVa8ecac2x3yfISuaUSJJDKsXuRF1ek9G43Uj7B3P8m4JEFHBeCK6vvYIK2QGEcUW5QElnuPYCaB,iv:jp5biUiDMpAMghuO6sNaQ+RN0uFCAFgmPOQLB71KdCY=,tag:et41JJnD6/ZZsBLRCyJtHw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMWnp6K2RsVHRmTFhYNGRs
ZnRyVmVZU3hUNVVBZnRtWGVFZTgwTitLWlZrClZ1cUVOSHRCc0xBQ3pYWFI2VUgy
NjVCMGxJWVpXNXc0R1p4cnNIazJHNlkKLS0tIFEzdE9pZ2N6cnVUTVdoRHFaZXQ0
dVpzQU9tbzlURlVIMllYZEZpaE1PT0UKAqtn9wmQNNy8qMYy6tSc40/1I/4eseVs
jsrfZU+73/OM5FvOLDo9EVBYhHGSO9/gTedbX8FJCzTYNcNPR/X6ww==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsS040Q0Y2N0hYczFsdkhT
Rm5ERGVxaHJtYmZwUmpDUlpZc2hpZHNlOFI0Cm1oMmJ3SUZkT2pnVVNBS280d3Y0
YU1mRWtqSlM0aDh1ZkRuWGpHVHNzTlUKLS0tIEQzU093U091WktCYjRHKzF2ODU4
a0ozSGhwVFFkdkUrcFdqR3ZPd1IyNkEK+GZf0el8RwGXSHHSPqZ2NDhr3/788IT/
z9A/zz56OcsRCT8l24+nVtx3pDhcqxvg201wtx0t54n1cLInpxAKSA==
-----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXNjdJaEFYVVd6cElieTN4
Qm1vQVVDWmdNM2F4R3dDaU1SMjh5UWNwQzA4CkNCS1JxZHZHVU14T1pmQXZCS0ZE
cTBHV2dUUmVMYTg2VGJCZTJGTFpMRUEKLS0tIEJ1YTcyOHZtNklVMk9mbDJEWjM0
VmczY2UybkY5U2tzaitUN2pvWmpHV28KGJ8nlNSA+Fx0GaqMVraMrRGYbPk7BhcM
92aNv8+1QqOU9NDveRapxv02Uo6dffCVH/343wGh9lPr4orF+OlOVg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXMDNrQ1Vuck4yTGFuZmp0
Tm1GZWViTFF4S3JZUlBEK2Mvait2UE9NM1VBClhXMEpSenlWNkNYVFE4eUhoS0Zu
NWt0NjEyUDdoQjRQSUNubDRBbDZGTlkKLS0tIGNJOXB6clUvQUk2dE1hMGV3T2po
Q1VMS3J0alQ1bGxkYVFuMUhUalVuSjAKNnHfUtGfNKw+K7pAcyMaybFukjncAjFc
AIoJPOiw83Vn1Ps+9tjRrEUzTNkTfaMqeIsN8BEDQ3LzQbX2b+Hnxw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTVDV4eDM2N3ZialBWc2ds
dWVIY0NQb21VcUxKM2VVWWFrYUd0eFoyY2owCkFQTmIvZDJzalRpUkJTcnNJMWFH
d3FtcmNVMnNEQkdUUFlTdGN0VmtWZjAKLS0tIGJNM09TVXJiNnR1MGQ0TG43Wno1
TFZFU3hPZkJHZkM3TjJyQVlGYW1MMUUK+5RtvM8icCrs8OBcJing+O+rfAiOI+BC
z1p1vesZ7BCjFlPNAOt2QGii5h8XFwPyrXEklNXfIRzOmjIVgVC9Bw==
-----END AGE ENCRYPTED FILE-----
- recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNYThIdzRlZTdYaHI2Z2Ji
NTFTUnBaWXAyS2R4Zlk4RjhjQU41YmFNZ0JZCmJjcSsxWFFGVkhUOG82ZTR5a0xa
VVVna3RTVVRKNWV4VVBoa3ZiUnJldlkKLS0tIDUyK2d1YS96WDZjV2Y3eWFJdHJN
VGJ3cHlCV25HMXIvTmdJcWtJTk9EUGsKpnsANd3XK5sH2bjSZJTZqYb7GjcY97K6
iEapD1nLkH4XTpqV0RnrKcIJFJ58LIupvSZZanRk3xt8NIvRTBp5OA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoenJtK2xtUkJuS3dWZ0Vx
QldCOVkxYmY1VHhIYmYrVUUrelNCTVlybUhjCnVoK3o0VlZsblNTTW1Kbmp1dWpi
Tkl5bE41Qm9RUnpjWHMwSFczbGhrMGMKLS0tIHlIVVJ5QUxtYjhQcDhlOVpiaEdp
WG94a1JLbG9BeXVzdUY4bXFPbGREQncK8GS2wkyL0yFee/zSr7YD1RDyTtIiRp74
ifygcB6UrJ+IhDLxWdcx8XhxkUHDLwUvLRQ71iRE54NytZbW29+FkQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvWkpMbmNNdW01WTF2bG1Y
QUlGbDR1TU5QV0VXa1F0UzYwY1Q5R0hjQ2k4CkRWY0FONlJBS1c3V3BXU1FXOTVr
RnF3Vll0Uzg4bmtvVVRYZ1lVd1l5c28KLS0tIHRmQzRqUnVDUVZwOWtoQ3lib0g4
Z1UxbEtkU29kMndqTE5YbnArY3NEYWMKBpF0XsaNxby01RlquQg0nueXZdz7U+oA
32fA+V8AQ/aHg18JhxScsi4dILfnz7d4WZThbd4HYMKzxiCApguf2w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-27T09:27:41Z"
mac: ENC[AES256_GCM,data:vCxrV5Y1v6PuRVZI8tEmaai3kLatLQfk2xDR9wl4teTcSzvU1U2OWToEMFz695fgX62Gld8/U961WC0Q6HQWFPL9lrP/0vYoL9DWu7KAKIYI4lpPtAWi4pvudIJnT5Shd0aC6A/JC1iuI/JqekXRTJIqMUth9tIeoT7SmIgFn4E=,iv:BiqBRxMmUeXGiM5DgrInebr3yCXSd0FdVBfeI2Kc1sI=,tag:gsISmRZkL6XcRE9pLpSwWA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1

28
.archive/modules/nixos/containers/lego-auto/default.nix → nixos/modules/nixos/containers/lego-auto/default.nix
View file

@ -3,9 +3,9 @@ with lib;
let
app = "lego-auto";
image = "ghcr.io/bjw-s/lego-auto:v0.3.0";
user = "999"; # string
group = "102"; # string
port = 9898; # int
user = "999"; #string
group = "102"; #string
port = 9898; #int
cfg = config.mySystem.services.${app};
appFolder = "/eru/containers/volumes/${app}";
in
@ -43,18 +43,16 @@ in
extraOptions = [
"--dns=1.1.1.1"
];
environment =
{
TZ = "America/Chicago";
LA_DATADIR = "/cert";
LA_CACHEDIR = "/cert/.cache";
LA_EMAIL = cfg.email;
LA_DOMAINS = cfg.domains;
LA_PROVIDER = cfg.provider;
}
// lib.optionalAttrs (cfg.provider == "dnsimple") {
DNSIMPLE_OAUTH_TOKEN_FILE = "/config/dnsimple-token";
};
environment = {
TZ = "America/Chicago";
LA_DATADIR = "/cert";
LA_CACHEDIR = "/cert/.cache";
LA_EMAIL = cfg.email;
LA_DOMAINS = cfg.domains;
LA_PROVIDER = cfg.provider;
} // lib.optionalAttrs (cfg.provider == "dnsimple") {
DNSIMPLE_OAUTH_TOKEN_FILE = "/config/dnsimple-token";
};
volumes = [
"${appFolder}/cert:/cert"

136
nixos/modules/nixos/containers/ollama/default.nix
View file

@ -1,136 +0,0 @@
{
lib,
config,
pkgs,
...
}:
with lib;
let
app = "ollama";
# renovate: depName=docker.io/ollama/ollama datasource=docker
version = "0.5.5";
image = "docker.io/ollama/ollama:${version}";
cfg = config.mySystem.containers.${app};
in
{
# Options
options.mySystem.containers.${app} = {
enable = mkEnableOption "${app}";
# TODO add to homepage
# addToHomepage = mkEnableOption "Add ${app} to homepage" // {
# default = true;
# };
openFirewall = mkEnableOption "Open firewall for ${app}" // {
default = true;
};
};
# Implementation
config = mkIf cfg.enable {
# Systemd service for container
systemd.services.${app} = {
description = "Ollama";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
ExecStartPre = "${pkgs.writeShellScript "ollama-start-pre" ''
set -o errexit
set -o nounset
set -o pipefail
${pkgs.podman}/bin/podman rm -f ${app} || true
rm -f /run/${app}.ctr-id
''}";
ExecStart = ''
${pkgs.podman}/bin/podman run \
--rm \
--name=${app} \
--user=568:568 \
--device='nvidia.com/gpu=all' \
--log-driver=journald \
--cidfile=/run/${app}.ctr-id \
--cgroups=no-conmon \
--sdnotify=conmon \
--volume="/nahar/containers/volumes/ollama:/.ollama:rw" \
--volume="/nahar/ollama/models:/models:rw" \
--volume="tmpfs:/cache:rw" \
--volume="tmpfs:/tmp:rw" \
--env=TZ=America/Chicago \
--env=OLLAMA_HOST=0.0.0.0 \
--env=OLLAMA_ORIGINS=* \
--env=OLLAMA_MODELS=/models \
--env=OLLAMA_KEEP_ALIVE=24h \
-p 11434:11434 \
${image}
'';
ExecStop = "${pkgs.podman}/bin/podman stop --ignore --cidfile=/run/${app}.ctr-id";
ExecStopPost = "${pkgs.podman}/bin/podman rm --force --ignore --cidfile=/run/${app}.ctr-id";
Type = "simple";
Restart = "always";
};
};
# Firewall
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [
11434 # HTTP web interface
];
allowedUDPPorts = [ ];
};
# TODO add nginx proxy
# services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
# useACMEHost = config.networking.domain;
# forceSSL = true;
# locations."^~ /" = {
# proxyPass = "http://${app}:${builtins.toString port}";
# extraConfig = "resolver 10.88.0.1;";
# };
# };
## TODO add to homepage
# mySystem.services.homepage.media = mkIf cfg.addToHomepage [
# {
# Plex = {
# icon = "${app}.svg";
# href = "https://${app}.${config.mySystem.domain}";
# description = "Media streaming service";
# container = "${app}";
# widget = {
# type = "tautulli";
# url = "https://tautulli.${config.mySystem.domain}";
# key = "{{HOMEPAGE_VAR_TAUTULLI__API_KEY}}";
# };
# };
# }
# ];
# TODO add gatus monitor
# mySystem.services.gatus.monitors = [
# {
# name = app;
# group = "media";
# url = "https://${app}.${config.mySystem.domain}/web/";
# interval = "1m";
# conditions = [
# "[CONNECTED] == true"
# "[STATUS] == 200"
# "[RESPONSE_TIME] < 50"
# ];
# }
# ];
# TODO add restic backup
# services.restic.backups = config.lib.mySystem.mkRestic {
# inherit app user;
# excludePaths = [ "Backups" ];
# paths = [ appFolder ];
# inherit appFolder;
# };
};
}

161
nixos/modules/nixos/containers/plex/default.nix
View file

@ -1,161 +0,0 @@
{
lib,
config,
pkgs,
...
}:
with lib;
let
app = "plex";
cfg = config.mySystem.containers.${app};
group = "kah";
image = "ghcr.io/onedr0p/plex:${version}";
user = "kah";
# renovate: depName=ghcr.io/onedr0p/plex datasource=docker versioning=loose
version = "1.41.3.9314-a0bfb8370";
volumeLocation = "/nahar/containers/volumes/plex";
in
{
# Options
options.mySystem.containers.${app} = {
enable = mkEnableOption "${app}";
openFirewall = mkEnableOption "Open firewall for ${app}" // {
default = true;
};
};
# Implementation
config = mkIf cfg.enable {
# Systemd service for container
systemd.services.${app} = {
description = "Plex Media Server";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
ExecStartPre = "${pkgs.writeShellScript "plex-start-pre" ''
set -o errexit
set -o nounset
set -o pipefail
${pkgs.podman}/bin/podman rm -f ${app} || true
rm -f /run/${app}.ctr-id
''}";
# TODO: mount /config instead of /config/Library/Application Support/Plex Media Server
ExecStart = ''
${pkgs.podman}/bin/podman run \
--rm \
--name=${app} \
--device='nvidia.com/gpu=all' \
--log-driver=journald \
--cidfile=/run/${app}.ctr-id \
--cgroups=no-conmon \
--sdnotify=conmon \
--user="${toString config.users.users."${user}".uid}:${
toString config.users.groups."${group}".gid
}" \
--volume="${volumeLocation}:/config:rw" \
--volume="/moria/media:/media:rw" \
--volume="tmpfs:/config/Library/Application Support/Plex Media Server/Logs:rw" \
--volume="tmpfs:/tmp:rw" \
--volume="tmpfs:/transcode:rw" \
--env=TZ=America/Chicago \
--env=PLEX_ADVERTISE_URL=https://10.1.1.61:32400 \
--env=PLEX_NO_AUTH_NETWORKS=10.1.1.0/24 \
# nvidia-container-runtime mounts the nvidia libraries here.
--env=LD_LIBRARY_PATH=/usr/local/nvidia/lib:/usr/local/nvidia/lib64 \
-p 32400:32400 \
${image}
'';
ExecStop = "${pkgs.podman}/bin/podman stop --ignore --cidfile=/run/${app}.ctr-id";
ExecStopPost = "${pkgs.podman}/bin/podman rm --force --ignore --cidfile=/run/${app}.ctr-id";
Type = "simple";
Restart = "always";
};
};
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [
32400 # Primary Plex port
];
};
sops.secrets = {
"restic/plex/env" = {
sopsFile = ./secrets.sops.yaml;
owner = user;
group = group;
mode = "0400";
};
"restic/plex/password" = {
sopsFile = ./secrets.sops.yaml;
owner = user;
group = group;
mode = "0400";
};
"restic/plex/template" = {
sopsFile = ./secrets.sops.yaml;
owner = user;
group = group;
mode = "0400";
};
};
# Restic backups for `plex-local` and `plex-remote`
services.restic.backups = config.lib.mySystem.mkRestic {
inherit app user;
environmentFile = config.sops.secrets."restic/plex/env".path;
excludePaths = [ "${volumeLocation}/Library/Application Support/Plex Media Server/Cache" ];
localResticTemplate = "/eru/restic/plex";
passwordFile = config.sops.secrets."restic/plex/password".path;
paths = [ "${volumeLocation}/Library" ];
remoteResticTemplateFile = config.sops.secrets."restic/plex/template".path;
};
# TODO add nginx proxy
# services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
# useACMEHost = config.networking.domain;
# forceSSL = true;
# locations."^~ /" = {
# proxyPass = "http://${app}:${builtins.toString port}";
# extraConfig = "resolver 10.88.0.1;";
# };
# };
## TODO add to homepage
# mySystem.services.homepage.media = mkIf cfg.addToHomepage [
# {
# Plex = {
# icon = "${app}.svg";
# href = "https://${app}.${config.mySystem.domain}";
# description = "Media streaming service";
# container = "${app}";
# widget = {
# type = "tautulli";
# url = "https://tautulli.${config.mySystem.domain}";
# key = "{{HOMEPAGE_VAR_TAUTULLI__API_KEY}}";
# };
# };
# }
# ];
# TODO add gatus monitor
# mySystem.services.gatus.monitors = [
# {
# name = app;
# group = "media";
# url = "https://${app}.${config.mySystem.domain}/web/";
# interval = "1m";
# conditions = [
# "[CONNECTED] == true"
# "[STATUS] == 200"
# "[RESPONSE_TIME] < 50"
# ];
# }
# ];
};
}

88
nixos/modules/nixos/containers/plex/secrets.sops.yaml
View file

@ -1,88 +0,0 @@
restic:
plex:
env: ENC[AES256_GCM,data:FwBQ9TJTiDGDEyrJkHo=,iv:pxqdwOPoxYAc+yY2xdNTi08jFNz+PvnZ9HYhmchEfiM=,tag:3uIPLUoZmDogmuShXqnAlw==,type:str]
password: ENC[AES256_GCM,data:79FMf5T1gYQX0PYTiEUhPQnHbEIekmH2vJxqwhdCw1MpoA==,iv:n3cQ4cLoEKw7rbCgysc14CMmKtYUfhZW2I6V3qrFp3Q=,tag:ooNflv+TnUOD0JX6NAqxvQ==,type:str]
template: ENC[AES256_GCM,data:br+HPd37B3rWYPLIYW8MiIHvR+PmsnBXEYLh8MT/v1rbcNH6ppyhwGMgP1kPkUX3o/0Y7PkW1pet5DRHcKUVnXpi,iv:O4MQQBpYCD8hkdTEroUn9+luUdCyz7MYUugjaYhF3Uc=,tag:db5DQBfPGX9ToQzwn1K7GA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCbSs2TFBpbW51aThtcEJL
eW80aG50VHJzcWVFSDlTbE40dHZqTnVpWDFBCkUwNVIrZkdyd1dKcjFzMENFdTN5
dVBZKzVIYnFJdnkzTlRCT2hITTVsSzgKLS0tIFREVWJENUtoWGR1THlwWXNNV3p4
cElGSzFtallzc2xBajRYSGNvOHJnM3cKIdyVG7MySM9caGUXaiTSsz1VVlD7GxRz
+5NNPoZgfe1SiptiQl3vO8FcIg5XtutI2nwYqLK5gzxZ7x6+D2Oedw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3dFAxT3ZCZ1BlV2VSQmlr
cW9SbWpLRUE4QlNGN21YdGM2NXhGdm1kVmlZClBORG5Mbmtaait4WXZiYkp3cGxR
WGFWT3NwaS9RK0IzN1FDR3ZWUjIyQVkKLS0tIDJYaVRORk94UXYySStUN0lJYlB5
L01LdFBzYUhmcENPMGIrYWU0dW91c2sKlraBMZ30AerY2YrGnV1pkeL6xJIGUPlX
JzjzPmkvqidCaT+gADxM9xTp9S5ZavLn0sGLapqfx2P7pDndRh74Qg==
-----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtanl6bWlrQlM2R1Bud0dk
cWJZdjJZUFVMY3BudEdRVVFOMy9IMTNGS1NzCnZHNXYzRVl5akFDYlNWVXZtMzNL
UnZEN3ZFUDB6b05Wa3lSc291WXVVeGMKLS0tIGk5ZTJ6d3A4M3ZqTm9KSjVudVBX
TzNNemlGc1JOckxERUx5V3VCbHBIZlkK+7+PJhU+4hnOiURvfhQOMh3Njl5E8OCj
CCH5feYLIOpfgEKQbhW8LFkakoqlU5ASdralMRq5h4OZt8hGciYgwg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3VFovdW1UbjlLZnRFZWZh
MUg0RkZqckcxcENRSG5aSkdQNkoraXFTbTNrCnlYWWVOdHVxYUwwaWYvOS8xaG9y
eS9za000VmR0T0ZZeHp5RXl0c1FUZDgKLS0tIERjY0hrdDlQb29UWC8ybDgwdXQy
WEVNVjBYV3RUZUN2SksvWDlzYnJydWcKEzXYhd0GUZNDdQcJ1lc5Ci4TAebQHzdd
Nyrf7Xhgb/vNoScFAvLxpJaEP9aJzWOL7wVHgnzFdf9ViRGF0yynnw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwU3JKelJlUUZxRi90RmRP
VUpoYXZaQlZpaEZiL3orb2Rva3U4TkZ2TDBVCmpwQXFtUHlicHh0S2h3TUN0U2dE
MXIrcUdhbWZLdFdhRnB1YkhDL2JkV3cKLS0tIFdCZWVmMytST3dHVG5LL1duckRj
alZDNkYxVnljUk9Gc25vVElPL0RXSDQKM84i+oIeivQFSIDBhT9Gg3XHk8GFRbzO
IwUrRIkj+yDKepz+r2Lc+yD2BOeFo+CNuReoJd2SGou7e628VysB4g==
-----END AGE ENCRYPTED FILE-----
- recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzRE5UbGxUenRZVjU2NVF6
RHNUOXJ5bnJmdm13YTNKV1YwdFdJS3JpMTBrCkRNQWNiMXp4SHZ6bGdJay9pYjgr
UW1CSVRNMFFWNjA5YSttTHBGTWpCcE0KLS0tIDBUV25tdUZHbHpIb3Y1U281dGtl
bUNHazJDUnEwc015WXlybTdEK1RHL1UKZE/5YGvUN2tR1t7s/Lq1jG3FoMIOmKDK
GXwUQb1HG7PDG9V/pKWs9OVoFxv7qVuuBm29rRnI44pEERARtbs55Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBWHBEUDNuRDhVMmp4QUYr
cCtmZ2RMWVFNWVhVck44U3ROTE8xNm9kV0Y4CktSelh0ckdQZHNTVnVsVXJweUly
UmphNzRJU3JOSThQVXB3ZXRlY3BOK1UKLS0tIG1nT09WUm1YcVFJRHZyWFJOKzZx
OTFDbExmeXBBWmRjSE5BUnpGY0xLRjAKnLWKZEmlI9SsfZgus7tuCOFzokDobz8F
s7zQ078Dv7R55EPoYPfq8rsMvFpELrAqrNLAR9x4W5YledBDJV8s+A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNRSttM1NDdFJib2FleTY0
UnkrUFhBUFlWNkxEZUNLMjVTUWh4VkhPbkY4CllRY3d0ZXpGRkM0ZG45TVE5SGx3
ek9BNW9SUGVLZjRiSkVlT2MrSU85VGsKLS0tIEtlcklOOXZldUJwZmVDaWhNeFh2
RDgrMDlLVm9rN2JRZ3gxSCtxOWlhWkEKkXtZtmXnRn1ukRI4CkjkYefyGOuCw+GC
HCKKdsASQm4JjcnlUbkL97bC0H+VcLNqHm6NR9dghI9IYuYAeLqMNA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-27T09:27:41Z"
mac: ENC[AES256_GCM,data:OU23F2vdLKE2aas9xUsx5cmObBmdqybXSfdUT+BGd/mdhThF6vNR3Xwo4PcaK8VPmQ8JmXjOUJ/A9vKvcgz1LuEywgAacayDf6TUu1yXPDm09wFwWGTAYugy2Z54a0VQ8u7Cu/4Ijx0hU0luaYsbCyr7FmKgeO+H+L47JKnrPp8=,iv:dowA2KQqSjNIoPq1A0Yv9g71FSJgey5mMQMuJJMSSWA=,tag:eJrk49soG6dA8UilhuKGaw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1

91
nixos/modules/nixos/containers/scrutiny/default.nix
View file

@ -1,91 +0,0 @@
{ lib, config, ... }:
with lib;
let
app = "scrutiny";
# renovate: depName=AnalogJ/scrutiny datasource=github-releases
version = "v0.8.1";
cfg = config.mySystem.services.${app};
in
{
options.mySystem.services.${app} = {
enable = mkEnableOption "${app}";
# Port to expose the web ui on.
port = mkOption {
type = types.int;
default = 8080;
description = ''
Port to expose the web ui on.
'';
example = 8080;
};
# Location where the container will store its data.
containerVolumeLocation = mkOption {
type = types.str;
default = "/mnt/data/containers/${app}";
description = ''
The location where the container will store its data.
'';
example = "/mnt/data/containers/${app}";
};
# podman equivalent:
# --device /dev/disk/by-id/nvme-XXXXXXXXXXXXXXXXXXXXXXXXXXXX
devices = mkOption {
type = types.listOf types.str;
default = [ ];
description = ''
Devices to monitor on Scrutiny.
'';
example = [
"/dev/disk/by-id/nvme-XXXXXXXXXXXXXXXXXXXXXXXXXXXX"
];
};
# podman equivalent:
# --cap-add SYS_RAWIO
extraCapabilities = mkOption {
type = types.listOf types.str;
default = [
"SYS_RAWIO"
];
description = ''
Extra capabilities to add to the container.
'';
example = [
"SYS_RAWIO"
];
};
};
config = mkIf cfg.enable {
# TODO: Add automatic restarting of the container when disks.nix changes.
# - https://github.com/nix-community/home-manager/issues/3865#issuecomment-1631998032
# - https://github.com/NixOS/nixpkgs/blob/6f6c45b5134a8ee2e465164811e451dcb5ad86e3/nixos/modules/virtualisation/oci-containers.nix
virtualisation.oci-containers.containers.${app} = {
image = "ghcr.io/analogj/scrutiny:${version}-omnibus";
autoStart = true;
ports = [
"${toString cfg.port}:8080" # web ui
"8086:8086" # influxdb2
];
environment = {
TZ = "America/Chicago";
};
volumes = [
"${cfg.containerVolumeLocation}:/opt/scrutiny/config"
"${cfg.containerVolumeLocation}/influxdb2:/opt/scrutiny/influxdb"
"/run/udev:/run/udev:ro"
];
# Merge the devices and extraCapabilities into the extraOptions property
# using the --device and --cap-add flags
extraOptions =
(map (disk: "--device=${toString disk}") cfg.devices)
++ (map (cap: "--cap-add=${cap}") cfg.extraCapabilities);
};
};
}

139
nixos/modules/nixos/containers/scrypted/default.nix
View file

@ -1,139 +0,0 @@
{
lib,
config,
pkgs,
...
}:
with lib;
let
app = "scrypted";
# renovate: depName=ghcr.io/koush/scrypted datasource=docker versioning=docker
version = "v0.123.58-jammy-nvidia";
image = "ghcr.io/koush/scrypted:${version}";
cfg = config.mySystem.containers.${app};
in
{
# Options
options.mySystem.containers.${app} = {
enable = mkEnableOption "${app}";
# TODO add to homepage
# addToHomepage = mkEnableOption "Add ${app} to homepage" // {
# default = true;
# };
openFirewall = mkEnableOption "Open firewall for ${app}" // {
default = true;
};
};
# Implementation
config = mkIf cfg.enable {
# Systemd service for container
systemd.services.${app} = {
description = "Scrypted Home Security";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
ExecStartPre = "${pkgs.writeShellScript "scrypted-start-pre" ''
set -o errexit
set -o nounset
set -o pipefail
${pkgs.podman}/bin/podman rm -f ${app} || true
rm -f /run/${app}.ctr-id
''}";
ExecStart = ''
${pkgs.podman}/bin/podman run \
--rm \
--name=${app} \
--device=/dev/bus/usb \
--device='nvidia.com/gpu=all' \
--log-driver=journald \
--cidfile=/run/${app}.ctr-id \
--cgroups=no-conmon \
--sdnotify=conmon \
--volume="/nahar/containers/volumes/scrypted:/server/volume:rw" \
--volume="/nahar/scrypted/:/recordings:rw" \
--volume="tmpfs:/.cache:rw" \
--volume="tmpfs:/.npm:rw" \
--volume="tmpfs:/tmp:rw" \
--env=TZ=America/Chicago \
--env=LD_LIBRARY_PATH=/usr/local/nvidia/lib:/usr/local/nvidia/lib64 \
--network=host \
${image}
'';
ExecStop = "${pkgs.podman}/bin/podman stop --ignore --cidfile=/run/${app}.ctr-id";
ExecStopPost = "${pkgs.podman}/bin/podman rm --force --ignore --cidfile=/run/${app}.ctr-id";
Type = "simple";
Restart = "always";
};
};
# Firewall
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [
11080 # Main Scrypted interface
10443 # HTTPS interface
8554 # RTSP server
];
allowedUDPPorts = [
10443 # HTTPS interface
8554 # RTSP server
];
};
# TODO add nginx proxy
# services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
# useACMEHost = config.networking.domain;
# forceSSL = true;
# locations."^~ /" = {
# proxyPass = "http://${app}:${builtins.toString port}";
# extraConfig = "resolver 10.88.0.1;";
# };
# };
## TODO add to homepage
# mySystem.services.homepage.media = mkIf cfg.addToHomepage [
# {
# Plex = {
# icon = "${app}.svg";
# href = "https://${app}.${config.mySystem.domain}";
# description = "Media streaming service";
# container = "${app}";
# widget = {
# type = "tautulli";
# url = "https://tautulli.${config.mySystem.domain}";
# key = "{{HOMEPAGE_VAR_TAUTULLI__API_KEY}}";
# };
# };
# }
# ];
# TODO add gatus monitor
# mySystem.services.gatus.monitors = [
# {
# name = app;
# group = "media";
# url = "https://${app}.${config.mySystem.domain}/web/";
# interval = "1m";
# conditions = [
# "[CONNECTED] == true"
# "[STATUS] == 200"
# "[RESPONSE_TIME] < 50"
# ];
# }
# ];
# TODO add restic backup
# services.restic.backups = config.lib.mySystem.mkRestic {
# inherit app user;
# excludePaths = [ "Backups" ];
# paths = [ appFolder ];
# inherit appFolder;
# };
};
}

20
.archive/modules/nixos/containers/unifi/default.nix → nixos/modules/nixos/containers/unifi/default.nix
View file

@ -3,30 +3,20 @@ with lib;
let
app = "unifi";
# renovate: depName=goofball222/unifi datasource=github-releases
version = "8.4.62";
version = "8.3.32";
cfg = config.mySystem.services.${app};
appFolder = "/eru/containers/volumes/${app}";
# persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}";
in
# persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}";
{
options.mySystem.services.${app} = {
enable = mkEnableOption "${app}";
};
config = mkIf cfg.enable {
networking.firewall.interfaces = {
enp130s0f0 = {
allowedTCPPorts = [ 8443 ];
};
podman0 = {
allowedTCPPorts = [
8080
8443
8880
8843
];
allowedUDPPorts = [ 3478 ];
};
networking.firewall.interfaces.podman0 = {
allowedTCPPorts = [ 8080 8443 8880 8843 ];
allowedUDPPorts = [ 3478 ];
};
virtualisation.oci-containers.containers.${app} = {
image = "ghcr.io/goofball222/unifi:${version}";

1
.archive/modules/nixos/de/default.nix → nixos/modules/nixos/de/default.nix
View file

@ -1,6 +1,5 @@
{
imports = [
./gnome.nix
./kde.nix
];
}

71
.archive/modules/nixos/de/gnome.nix → nixos/modules/nixos/de/gnome.nix
View file

@ -1,29 +1,18 @@
{
lib,
config,
pkgs,
...
}:
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.mySystem.de.gnome;
in
{
options = {
mySystem.de.gnome = {
enable = lib.mkEnableOption "GNOME" // {
default = false;
};
systrayicons = lib.mkEnableOption "Enable systray icons" // {
default = true;
};
gsconnect = lib.mkEnableOption "Enable gsconnect (KDEConnect for GNOME)" // {
default = true;
};
enable = mkEnableOption "GNOME" // { default = false; };
systrayicons = mkEnableOption "Enable systray icons" // { default = true; };
gsconnect = mkEnableOption "Enable gsconnect (KDEConnect for GNOME)" // { default = true; };
};
};
config = lib.mkIf cfg.enable {
config = mkIf cfg.enable {
# Ref: https://nixos.wiki/wiki/GNOME
# GNOME plz
@ -49,41 +38,41 @@ in
};
};
udev.packages = lib.optionals cfg.systrayicons [ pkgs.gnome.gnome-settings-daemon ]; # support appindicator
udev.packages = optionals cfg.systrayicons [ pkgs.gnome.gnome-settings-daemon ]; # support appindicator
};
# systyray icons
# extra pkgs and extensions
environment = {
systemPackages =
with pkgs;
[
wl-clipboard # ls ~/Downloads | wl-copy or wl-paste > clipboard.txt
playerctl # gsconnect play/pause command
pamixer # gcsconnect volume control
gnome.gnome-tweaks
gnome.dconf-editor
systemPackages = with pkgs; [
wl-clipboard # ls ~/Downloads | wl-copy or wl-paste > clipboard.txt
playerctl # gsconnect play/pause command
pamixer # gcsconnect volume control
gnome.gnome-tweaks
gnome.dconf-editor
# This installs the extension packages, but
# dont forget to enable them per-user in dconf settings -> "org/gnome/shell"
gnomeExtensions.vitals
gnomeExtensions.caffeine
gnomeExtensions.dash-to-dock
]
++ optionals cfg.systrayicons [ pkgs.gnomeExtensions.appindicator ];
# This installs the extension packages, but
# dont forget to enable them per-user in dconf settings -> "org/gnome/shell"
gnomeExtensions.vitals
gnomeExtensions.caffeine
gnomeExtensions.dash-to-dock
]
++ optionals cfg.systrayicons [ pkgs.gnomeExtensions.appindicator ];
};
# enable gsconnect
# this method also opens the firewall ports required when enable = true
programs.kdeconnect = lib.mkIf cfg.gsconnect {
enable = true;
package = pkgs.gnomeExtensions.gsconnect;
};
programs.kdeconnect = mkIf
cfg.gsconnect
{
enable = true;
package = pkgs.gnomeExtensions.gsconnect;
};
# GNOME connection to browsers - requires flag on browser as well
services.gnome.gnome-browser-connector.enable = lib.any (user: user.programs.firefox.enable) (
lib.attrValues config.home-manager.users
);
services.gnome.gnome-browser-connector.enable = lib.any
(user: user.programs.firefox.enable)
(lib.attrValues config.home-manager.users);
# And dconf
programs.dconf.enable = true;
@ -110,4 +99,6 @@ in
atomix # puzzle game
]);
};
}

3
nixos/modules/nixos/default.nix
View file

@ -3,6 +3,7 @@ with lib;
{
imports = [
./containers
./de
./editor
./hardware
./lib.nix
@ -57,7 +58,7 @@ with lib;
config = {
systemd.tmpfiles.rules = [
"d ${config.mySystem.persistentFolder} 777 - - -" # The - disables automatic cleanup, so the file wont be removed after a period
"d ${config.mySystem.persistentFolder} 777 - - -" #The - disables automatic cleanup, so the file wont be removed after a period
];
};
}

25
nixos/modules/nixos/editor/vim.nix
View file

@ -10,25 +10,16 @@ in
options.mySystem.editor.vim.enable = mkEnableOption "vim";
config = mkIf cfg.enable {
# Enable vim and set as default editor
programs.vim.enable = true;
programs.vim.defaultEditor = true;
# Visual mode off and syntax highlighting on
home-manager.users =
mapAttrs
(user: _: {
home.file.".vimrc".text = ''
set mouse-=a
syntax on
'';
})
(
listToAttrs (
map (u: {
name = u;
value = { };
}) users
)
);
home-manager.users = mapAttrs
(user: _: {
home.file.".vimrc".text = ''
set mouse-=a
syntax on
'';
})
(listToAttrs (map (u: { name = u; value = { }; }) users));
};
}

55
nixos/modules/nixos/editor/vscode.nix
View file

@ -1,46 +1,30 @@
{
lib,
config,
pkgs,
...
}:
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.mySystem.editor.vscode;
# VSCode Community Extensions. These are updated daily.
vscodeCommunityExtensions = [
"ahmadalli.vscode-nginx-conf"
"astro-build.astro-vscode"
"bmalehorn.vscode-fish"
"coder.coder-remote"
"dracula-theme.theme-dracula"
"editorconfig.editorconfig"
"esbenp.prettier-vscode"
"foxundermoon.shell-format"
"github.copilot"
"hashicorp.hcl"
# "github.copilot-chat"
"jnoortheen.nix-ide"
"mikestead.dotenv"
"mrmlnc.vscode-json5"
"ms-azuretools.vscode-docker"
# "ms-python.python" # Python extensions *required* for redhat.ansible/vscode-yaml
# Python extensions *required* for redhat.ansible/vscode-yaml
"ms-python.python"
"ms-python.vscode-pylance"
"ms-vscode-remote.remote-ssh"
"ms-vscode-remote.remote-ssh-edit"
"pkief.material-icon-theme"
"redhat.ansible"
"redhat.vscode-yaml"
"signageos.signageos-vscode-sops"
"tamasfe.even-better-toml"
"task.vscode-task"
"tyriar.sort-lines"
"yzhang.markdown-all-in-one"
"fill-labs.dependi"
"rust-lang.rust-analyzer"
"dustypomerleau.rust-syntax"
"mattheworford.hocon-tools"
"pgourlain.erlang"
"exiasr.hadolint"
# "github.copilot-chat"
];
# Nixpkgs Extensions. These are updated whenver they get around to it.
vscodeNixpkgsExtensions = [
@ -55,36 +39,17 @@ let
# version = "1.219.0";
# sha256 = "Y/l59JsmAKtENhBBf965brSwSkTjSOEuxc3tlWI88sY=";
# }
{
# Apparently there's no insiders build for copilot-chat so the latest isn't what we want.
{ # Apparently there's no insiders build for copilot-chat so the latest isn't what we want.
# The latest generally targets insiders build of vs code right now and it won't load on stable.
name = "copilot-chat";
publisher = "github";
version = "0.21.1";
sha256 = "sha256-8naCDn6esc1ZR30aX7/+F6ClFjQLPQ3k3r6jyVZ3iNg=";
}
{
name = "remote-ssh";
publisher = "ms-vscode-remote";
version = "0.113.1";
sha256 = "sha256-/tyyjf3fquUmjdEX7Gyt3MChzn1qMbijyej8Lskt6So=";
}
{
# Same issue as the above -- auto pulling nightly builds not compatible with vscode stable.
name = "python";
publisher = "ms-python";
version = "2024.14.1";
sha256 = "sha256-NhE3xATR4D6aAqIT/hToZ/qzMvZxjTmpTyDoIrdvuTE=";
version = "0.18.1";
sha256 = "BrcrfhkX2VGF9wznTSlPSdPPv126ScbHb1ngBRGtr4E=";
}
];
# Extract extension strings and coerce them to a list of valid attribute paths.
vscodeCommunityExtensionsPackages = map (
ext: getAttrFromPath (splitString "." ext) pkgs.vscode-marketplace
) vscodeCommunityExtensions;
nixpkgsExtensionsPackages = map (
ext: getAttrFromPath (splitString "." ext) pkgs.vscode-extensions
) vscodeNixpkgsExtensions;
vscodeCommunityExtensionsPackages = map (ext: getAttrFromPath (splitString "." ext) pkgs.vscode-marketplace) vscodeCommunityExtensions;
nixpkgsExtensionsPackages = map (ext: getAttrFromPath (splitString "." ext) pkgs.vscode-extensions) vscodeNixpkgsExtensions;
marketplaceExtensionsPackages = pkgs.vscode-utils.extensionsFromVscodeMarketplace marketplaceExtensions;
in
{

5
nixos/modules/nixos/games/default.nix
View file

@ -1,5 +0,0 @@
{
imports = [
./steam
];
}

5
nixos/modules/nixos/games/steam/default.nix
View file

@ -1,5 +0,0 @@
{
imports = [
./steam.nix
];
}

29
nixos/modules/nixos/games/steam/steam.nix
View file

@ -1,29 +0,0 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.mySystem.games.steam;
in
{
options.mySystem.games.steam = {
enable = lib.mkEnableOption "Steam";
};
config = lib.mkIf cfg.enable {
# Steam Games
programs.steam = {
enable = true;
remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
};
# Need that glorious eggroll
environment.systemPackages = with pkgs; [
protonup-qt
];
};
}

2
nixos/modules/nixos/hardware/default.nix
View file

@ -1,5 +1,5 @@
{
imports = [
# ./nvidia
./nvidia
];
}

7
nixos/modules/nixos/hardware/nvidia/default.nix
View file

@ -1,9 +1,4 @@
{
lib,
config,
pkgs,
...
}:
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.mySystem.hardware.nvidia;

177
nixos/modules/nixos/lib.nix
View file

@ -1,108 +1,52 @@
{
lib,
config,
pkgs,
...
}:
{ lib, config, pkgs, ... }:
with lib;
{
# container builder
lib.mySystem.mkContainer =
options:
(
let
containerExtraOptions =
lib.optionals (lib.attrsets.attrByPath [ "caps" "privileged" ] false options) [ "--privileged" ]
++ lib.optionals (lib.attrsets.attrByPath [ "caps" "readOnly" ] false options) [ "--read-only" ]
++ lib.optionals (lib.attrsets.attrByPath [ "caps" "tmpfs" ] false options) (
map (folders: "--tmpfs=${folders}") options.caps.tmpfsFolders
)
++ lib.optionals (lib.attrsets.attrByPath [ "caps" "noNewPrivileges" ] false options) [
"--security-opt=no-new-privileges"
]
++ lib.optionals (lib.attrsets.attrByPath [ "caps" "dropAll" ] false options) [ "--cap-drop=ALL" ];
in
{
${options.app} = {
image = "${options.image}";
user = "${options.user}:${options.group}";
environment = {
TZ = config.time.timeZone;
} // lib.attrsets.attrByPath [ "env" ] { } options;
dependsOn = lib.attrsets.attrByPath [ "dependsOn" ] [ ] options;
entrypoint = lib.attrsets.attrByPath [ "entrypoint" ] null options;
cmd = lib.attrsets.attrByPath [ "cmd" ] [ ] options;
environmentFiles = lib.attrsets.attrByPath [ "envFiles" ] [ ] options;
volumes = [
"/etc/localtime:/etc/localtime:ro"
] ++ lib.attrsets.attrByPath [ "volumes" ] [ ] options;
ports = lib.attrsets.attrByPath [ "ports" ] [ ] options;
extraOptions = containerExtraOptions;
};
}
);
## Creates a standardized restic backup configuration for both local and remote backups per app.
# One S3 bucket per server. Each app has its own repository in the bucket.
# Or backup each app it's own remote repository.
# Takes an attribute set with:
# - app: name of the application (used for backup naming)
# - user: user to run the backup as
# - localResticTemplate: template for local restic backup
# - passwordFile: path to the password file
# - paths: list of paths to backup
# - remoteResticTemplate: template for remote restic backup
# - environmentFile (optional): path to the env file
# - excludePaths (optional): list of paths to exclude from backup
# Configures:
# - Daily backups at 02:05 with 3h random delay
# - Retention: 7 daily, 5 weekly, 12 monthly backups
# - Automatic stale lock removal
# - Uses system-configured backup paths and credentials
#
# Example usage:
# services.restic.backups = config.lib.mySystem.mkRestic {
# app = "nextcloud";
# paths = [ "/nahar/containers/volumes/nextcloud" ];
# excludePaths = [ "/nahar/containers/volumes/nextcloud/data/cache" ];
# user = "kah";
# localResticTemplate = "/eru/restic/nextcloud";
# remoteResticTemplate = "rest:https://user:password@x.repo.borgbase.com";
# remoteResticTemplate = "s3:https://x.r2.cloudflarestorage.com/resticRepos";
# remoteResticTemplateFile = "/run/secrets/restic/nextcloud/template";
# passwordFile = "/run/secrets/restic/nextcloud/password";
# environmentFile = "/run/secrets/restic/nextcloud/env";
# };
# This creates two backup jobs:
# - nextcloud-local: backs up to local storage
# - nextcloud-remote: backs up to remote storage (e.g. S3)
lib.mySystem.mkRestic =
options:
lib.mySystem.mkContainer = options: (
let
# excludePaths is optional
excludePaths = if builtins.hasAttr "excludePaths" options then options.excludePaths else [ ];
# Decide which mutually exclusive options to use
remoteResticTemplateFile =
if builtins.hasAttr "remoteResticTemplateFile" options then
options.remoteResticTemplateFile
else
null;
remoteResticTemplate =
if builtins.hasAttr "remoteResticTemplate" options then options.remoteResticTemplate else null;
# 2:05 daily backup with 3h random delay
timerConfig = {
OnCalendar = "06:05"; # night snap is taken at 02:10
Persistent = true;
RandomizedDelaySec = "30m";
# nix doesnt have an exhausive list of options for oci
# so here i try to get a robust list of security options for containers
# because everyone needs more tinfoild hat right? RIGHT?
containerExtraOptions = lib.optionals (lib.attrsets.attrByPath [ "caps" "privileged" ] false options) [ "--privileged" ]
++ lib.optionals (lib.attrsets.attrByPath [ "caps" "readOnly" ] false options) [ "--read-only" ]
++ lib.optionals (lib.attrsets.attrByPath [ "caps" "tmpfs" ] false options) [ (map (folders: "--tmpfs=${folders}") tmpfsFolders) ]
++ lib.optionals (lib.attrsets.attrByPath [ "caps" "noNewPrivileges" ] false options) [ "--security-opt=no-new-privileges" ]
++ lib.optionals (lib.attrsets.attrByPath [ "caps" "dropAll" ] false options) [ "--cap-drop=ALL" ];
in
{
${options.app} = {
image = "${options.image}";
user = "${options.user}:${options.group}";
environment = {
TZ = config.time.timeZone;
} // lib.attrsets.attrByPath [ "env" ] { } options;
environmentFiles = lib.attrsets.attrByPath [ "envFiles" ] [ ] options;
volumes = [ "/etc/localtime:/etc/localtime:ro" ]
++ lib.attrsets.attrByPath [ "volumes" ] [ ] options;
ports = lib.attrsets.attrByPath [ "ports" ] [ ] options;
extraOptions = containerExtraOptions;
};
}
);
# build a restic restore set for both local and remote
lib.mySystem.mkRestic = options: (
let
excludePath = if builtins.hasAttr "excludePath" options then options.excludePath else [ ];
timerConfig = {
OnCalendar = "02:05";
Persistent = true;
RandomizedDelaySec = "3h";
};
# 7 daily, 5 weekly, 12 monthly backups
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 5"
"--keep-monthly 12"
];
# Initialize the repository if it doesn't exist
initialize = true;
# Only one backup is ever running at a time it's safe to say that we can remove stale locks
backupPrepareCommand = ''
# remove stale locks - this avoids some occasional annoyance
#
@ -112,37 +56,28 @@
{
# local backup
"${options.app}-local" = {
inherit
pruneOpts
timerConfig
initialize
backupPrepareCommand
;
inherit (options) user passwordFile environmentFile;
inherit pruneOpts timerConfig initialize backupPrepareCommand;
# Move the path to the zfs snapshot path
paths = map (x: "${config.mySystem.services.zfs-nightly-snap.mountPath}/${x}") options.paths;
exclude = map (
x: "${config.mySystem.services.zfs-nightly-snap.mountPath}/${x}"
) options.excludePaths;
repository = "${options.localResticTemplate}";
paths = map (x: "${config.mySystem.system.resticBackup.mountPath}/${x}") options.paths;
passwordFile = config.sops.secrets."services/restic/password".path;
exclude = excludePath;
repository = "${config.mySystem.system.resticBackup.local.location}/${options.appFolder}";
# inherit (options) user;
};
# remote backup
"${options.app}-remote" = {
inherit
pruneOpts
timerConfig
initialize
backupPrepareCommand
;
inherit (options) user passwordFile environmentFile;
inherit pruneOpts timerConfig initialize backupPrepareCommand;
# Move the path to the zfs snapshot path
paths = map (x: "${config.mySystem.services.zfs-nightly-snap.mountPath}/${x}") options.paths;
repository = remoteResticTemplate;
repositoryFile = remoteResticTemplateFile;
exclude = map (
x: "${config.mySystem.services.zfs-nightly-snap.mountPath}/${x}"
) options.excludePaths;
paths = map (x: "${config.mySystem.system.resticBackup.mountPath}/${x}") options.paths;
environmentFile = config.sops.secrets."services/restic/env".path;
passwordFile = config.sops.secrets."services/restic/password".path;
repository = "${config.mySystem.system.resticBackup.remote.location}/${options.appFolder}";
exclude = excludePath;
# inherit (options) user;
};
};
}
);
}

16
nixos/modules/nixos/programs/shell/fish.nix
View file

@ -4,14 +4,16 @@ let
cfg = config.mySystem.shell.fish;
in
{
options.mySystem.shell.fish = {
enable = mkEnableOption "Fish";
enablePlugins = mkOption {
type = lib.types.bool;
description = "If we want to add fish plugins";
default = true;
options.mySystem.shell.fish =
{
enable = mkEnableOption "Fish";
enablePlugins = mkOption
{
type = lib.types.bool;
description = "If we want to add fish plugins";
default = true;
};
};
};
# Install fish systemwide
config.programs.fish = mkIf cfg.enable {

3
nixos/modules/nixos/security/1password/default.nix
View file

@ -1,6 +1,5 @@
{ config, lib, ... }:
with lib;
let
with lib; let
cfg = config.mySystem.security._1password;
user = "jahanson";
in

4
nixos/modules/nixos/security/acme/default.nix
View file

@ -12,6 +12,10 @@ in
"security/acme/env".restartUnits = [ "lego.service" ];
};
environment.persistence."${config.mySystem.system.impermanence.persistPath}" = lib.mkIf config.mySystem.system.impermanence.enable {
directories = [ "/var/lib/acme" ];
};
security.acme = {
acceptTerms = true;
defaults.email = "admin@${config.networking.domain}";

89
nixos/modules/nixos/security/acme/secrets.sops.yaml
View file

@ -1,6 +1,6 @@
security:
acme:
env: ENC[AES256_GCM,data:YTs3BpKlOAmFW2hEXdQINCwznXI6RtpdePwwekG8b/3OuQkAFV6Zkvyn7hXut6FSPSQMOW2RXrc+4HvhYUcJy3o=,iv:GFS1gf58jini93yqrZiceJ/GuXNokZGQ+CRFUWB8OX0=,tag:8BGR6T93Wwxx3GRutr4c7g==,type:str]
env: ENC[AES256_GCM,data:JP+Syy9927T9ePL4Ly9FxlJ8F4/g/xejRn9nw2mqpl2ZUTwudp+R+ZI//h14Nej5S07oJt2L3LD/ol7ugdXHFG8=,iv:NJdqDIA0FZzyKRvDgjWmHA17q0FOCqjCk0WdkFMtd5w=,tag:KG8dgCcEOdroFpljNawdGA==,type:str]
sops:
kms: []
gcp_kms: []
@ -10,77 +10,68 @@ sops:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2SWIvMUNEbVpUNUJFSXJk
U1V2T1NmbzdqeGhxZkt5MmtYUzRDQVJQOWc0CnkrZjgvbW9ESEpPdUZqVzV0OEk2
Y21kVEswUUFlV2hYOFZqMzdnNGpKbFUKLS0tIFhoRlVtSW5RN2E2dWIxMmNleW91
bFdPMmZxaVU2VWFPL1RLemlBRnZzTEEKh6ftfs2Q0X1pCDZae3HA2//Ds5MGmj6C
U0ZP41k4a9M6q3QR+XbTtRVeQ0ZsgEEtHifCfwZ1zzjvCNtH8/t0cg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4ZFJTREJxZ3NlNGtkSmhG
YTcwVmt1OUNmdTRaVDI5N3JNemszNklHV1dNCmVYczBEQ3BHT3ZhbjUySFNJVjhQ
dWh6c2ZHRUZTOTJEOTBrS3NuNDNzZW8KLS0tIHp3ckNvdmNYdkh3Znc0OVk5Yk53
ZW5jQmxLMHR6MC8yVFpFdFhsTVBub0kKRdYFNppcSFZ/5gm2WvydESeJOTVYd0Yk
0HQd6o8bAX8dcRhMHyyveWXz94/mcINkqz2mlXoL1N0HRPXcuUu5tQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArWmFKeWVsTGJ4YnA1Q2R4
Wi9KZVVqd1l6TGh3aStaZmNYK29SUXladVZzCjJNVk93dWRSTHkrMkI1NGx5VkNH
Y3Rwd01zQkxtTEpVK3BIdGx0eVNsWDgKLS0tIEdwTTIwcjVQbTdRUTBYVXl4Nno2
WmxRWHFzKzVGTHhrNmtGYXF6cDlTYWMKmgcQQQBeCVvn8D0J4sDWmutD4FtbIIcM
9mvmjb7AC5jZfaLs+XZIghs48vLfE1PnV3eJDo2mVneLvz8H1ZBeVg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3RnNVZFowV2NYakYvOEFr
c2pFaDVqekVFeEdPWklkVWxoMjNEMEZrbWtFClFmcGNZYkJqUVF3MlRDcmpqWFZI
aU11eElxd2c4YTEzNEQ4RFgraFIxS0UKLS0tIEY5Yi9IUGxjYnpyL2I0eVFNNk83
Q3VaYjdiYVd0TFVuSld6M25wWHRZMncKaqb2kQvlLGZMaI72npCBuroWK/Fqr9jg
oaBz3rpvYJEox2Naismb2D4fNCtI7Z1hLhPqq/jGAiczNaU039N9Bg==
-----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpUnpRakhVOFpyU2NjdDlr
OHdNcEtKb3lkTWJjZDc0YzZ2cUdjWlhEcWo4CkxqMGlTU3NKMTljOWZ0VmNWVHZz
bXM2L1NSME1CVk9rVUE2QXpzR01TMWMKLS0tIERPNEdxWndwQVc2SkhKV1pBTnRU
VENyeERJZC8rRlFsY0Y5ZktxVUNTb2cK9EkFNElu/XBjCcLaLfHTg7FvyUhSYVqh
BV8BSLvlk7VKWZXdoDA7l067+rP8i/vHvUToWTmBT+8TTAVrJ5GxdQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQdC9BM21iMldoUkIwdnpr
a0hXbUNzNFJFTDF3ZS9CSFBENHdNTTZDU1RzCm9QbVdLMnRyTDRQNFE2U2w3cXpW
WkdKRFdocnRNaUxLejExSE5STjdCTkEKLS0tIHZvKzVtWnV4WWxRZXFMVWpobHJt
WlVNd2xNb2c0YVB5WlJtbTVreFhadFUK32KcIdcbt1rAk2+GWe5slpAdHcTBWoKs
wGOEayXeMi9EGYtx7v1oJ8+xlo2wRW/i1pKdCRK4vi4FtaXT65zglw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4dElKZ0VFclpmRE9LdUkw
dFoxdGs4SlBwYWJ0OHU2YUxlN2lpVGZnblNVCitZMm1ad25ZTzc2U0lsN1lLdm4y
R3pJNStKMkhTbnRQK2lCZWlxMlJ5WTAKLS0tIFRWYnllU0Y2VlkyVm02bUJRUXdS
VlQzeDVoNC9VTWtkNlRkNGRZWkM3RFUK/GXcyCI43ccib9tJRqvUc49AgY+XFY8G
xFXyZENlrdok4gLzkZU/6rsREPZvH5f8Wy/N0wckDVbr+ItT5C8Jgw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxb2wzMW1EUUx5VFp0Ykor
UWJEeFlZQTVJTFZIVFExZ1NkcVBCT09XVkU0CmFvWCtsaStjSDR6OVQwTW9iV3Vu
cVo3MHhVOTAxQnU3ZWdDcllKaXhnK3cKLS0tIENyYlFtVWtqS05MVVFOWFpZK1Zp
cTFkQlpkZFgvOERSdlFMSHFxR1pTZmcKSRYr/tIskcm4mwiF74Qnd5d0zRRDSzC1
QXidtsl505oGOgT/ujVtPwSJwvJewZT7NJKVRYktS3xY0v/flr1ieQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
- recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZNnN0MUd3WFgwV1VMeTUr
UXhLdEFkVUxEWnhtSDgzTkdDd2NHK0hmcGxzCnk4U3lMWjE5QjIxc3dVRVRyaDdz
bGh1cFBhR3Vwa1MzMVlVTFBiZ1hYT28KLS0tIDUvWmY1SUpuU3dOei9HZi9RY1o2
ekFnQVVDZyszU09ISUdZVUJveGIxdHcK4fVUOjtKv22HOLehHdnICd3u9/lqWFQc
fg0o8ORvx03p3Dkv+EBtiR5xvMhs8o0B5+njpxKpWGcx4/eclQjZbA==
-----END AGE ENCRYPTED FILE-----
- recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvbmlucy9xRnVMdkJjcGJm
SGc3TFJYdHJjT0wxeTRYd2lsa0Z2Si9kbFJJCjgyZU13VTlENndsY29CZ2FmcWRL
NlovK3REWlpsOU4zejBzMGt6Y1d1c00KLS0tIHFScnJIYUs5QnhLQ0JTcC9lU25S
R0N4MkwvSkZMcVQyc01UUGY5cHFYRGsK1AChAqWcAF9KHGRjkKXxiWYcgrWg/4Gf
7o81nkJTw8IwQdpSZ7wqNEt0q5mNk6EDALNe+uCcoipi9m/8qlWtqA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLQjdka1hwejFZR25xbXcr
Vzc4MVd3eXJOdmxqZVFDVVMvTVhLT0lZdVVFCmFtQkZjSm0wUHdMczM5ckFBaEdQ
Y0JMYnR0dGRLYTF1d3NHSyt6MWcrYXcKLS0tIElaT0FjVEdaeExnMUF4OE93Z1Ny
cnQ0Kzd0aWdrSlN5Y3NIN1kyOVh1WTQKG825r7fM2BXak4Q4GNPwZgmigmPxZXh4
DTdp3xBgHWpw8eQsi+gBzzf+4boLDTDDi+acLshj+SpIhjPdMZ1BwA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYdkQ2U1JVdGtWUlpNQ1hk
L2oyWXQxZTdqUkhFWXZMZmFaSDN5ekpLQndBCkN2KzlDdUdOTmRnTmRGQ1ptWDlq
eWFtS2ZqMG9ZWm5VRDdvdHJiQTFBeUEKLS0tIG1vRmliWmZ3bmV0QnNaWldqdENr
OCtERmcvWm1MRy9JMWpWWW5jeWNDUVEK8mc8dU+Z/tJD25Qo5rKnYwDhpk+OXDvI
HepjgAjpl7s00zZlZfizCF1Ekn3RJOY74VEI7aJk5RAzYB2XBNr0Vg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtUmVpUHh0QzNLMVhsMHN5
bituWE9Ic2tXTm95cWlUMG9QVWhEcE1sejNBCmw5Q0lTYjExRjdkaCtYMWdkQnZZ
dXNrQWhZaERBK1hVK0pkbFlvQkc1RHcKLS0tIGcwK0dzUVZFMFh2b0dmWDMyMjdS
d09MQlZST2ZJY28vRWtkRzRjd3JFKzQKH2pjr7P1mG1m/8L/VLaTVrAQem8rcNGN
tBWqg9XT3aSc+7NqUDkPVvH8STFGVlEhIskKTJA2TuY6CXfqwS3D5A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKSnFGUVAxak5aeTAxR09m
cm5DajdZS2tnWWNzZm9RZTE4VDQ3U3EvZGprCkc2WkZKOW1MQVpKM0EreUVSRDJ5
ZS9ORnlkUnNVVFp4YTZnNkFSNlVaZk0KLS0tIERDbzBUQlRRQ3g3OXR6aVJCa3V2
QUs4WVFncENjZ0xjU0xVejZpV3oybm8KdHXR6uxiCmhpznGRg4Mr4nPavgFcCKH1
jwpTZ2eiQHKlrfBP+kwgFtCQXofNgtv09rbKW1NRElsXzjQNG9rCbg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvRW80Q2x5bllHVDNzTGsr
a29PRHJHcHR2Mng2M2lpb1ZXMkV3UlZkQVRvCk01ciszVDlqeUdpa01FbjRtU3hq
V2hPS1NTSEdPL01ZZkxVdmI4ZHRRVFkKLS0tIHpjck5OaGl2dGgyUjZlNmlVWkZB
RHZ2TlJOanR6L2tQRm0rc3NVVSs1R1EKdSheY8qXv+ylwqjlpbWsSYD55X4SUT7c
W2czHg0Ezbjk8W7vyDuxdS1LjKSMinfRPUG+oyUwxwrjBN3aAwVDIQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-27T09:27:41Z"
mac: ENC[AES256_GCM,data:A9ltB8LJC28ysgjiEVdjGRZexorstigJZooqvwi7OPUcV7QfR/A9kRBMagZs5bjU62Ntg05LBel7pnT5ftWspWFBAARpW2eio6yR2UwZh9TCQDJsOzNr9hNykaGuzKcutRsVysgenvClPLoLgXZo71Rt84ExlWJI0qs6y4NHGpA=,iv:p+VB0VP1zJ+TuysH+72LpVMyOsSGOvndCnatOVHdX/E=,tag:M7oOo1yCxBUCckaE5TXtBg==,type:str]
lastmodified: "2024-07-15T23:16:58Z"
mac: ENC[AES256_GCM,data:YEm+/mTkdLblxqrQAkCW8QUoQVkK1drgdHCt463aBUl9r04TJdRbij0p3QuLzVIvXJosdBQ0dN0Y/huuFOkP2bixH1q1WtBaqt98iYuR+Gessj7+kDekTNHCNQoZJjbFfqOwIEFNw/if2kY4aHcUoyQQj//yoGTA0vGbqrWzcX0=,iv:KWIo36gl7hOrEDZulqwRwr6eCfc6Hat5f17hpLLDMW8=,tag:3IBrvYXxN4j9I72lwiKq/A==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1
version: 3.8.1

11
nixos/modules/nixos/services/bind/default.nix
View file

@ -1,9 +1,4 @@
{
lib,
config,
pkgs,
...
}:
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.mySystem.services.bind;
@ -39,5 +34,9 @@ in
rm -rf ${config.services.bind.directory}/*.jnl
'';
};
environment.persistence."${config.mySystem.system.impermanence.persistPath}" = mkIf config.mySystem.system.impermanence.enable {
directories = [ services.bind.directory ];
};
};
}

7
.archive/modules/nixos/services/cockpit/default.nix → nixos/modules/nixos/services/cockpit/default.nix
View file

@ -1,9 +1,4 @@
{
lib,
config,
pkgs,
...
}:
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.mySystem.services.cockpit;

7
nixos/modules/nixos/services/default.nix
View file

@ -1,18 +1,19 @@
{
imports = [
./bind
./cockpit
./dnsmasq
./forgejo
./haproxy
./libvirt-qemu
./matchbox
./nginx
./nix-index-daily
./onepassword-connect
./podman
./postgresql
./radicale
./reboot-required-check.nix
./restic
./sanoid
./syncthing
./zfs-nightly-snap
];
}

Some files were not shown because too many files have changed in this diff Show more