jahanson/mochi
1
0
Fork 0
Code Issues 1 Pull requests 3 Projects Releases Packages Wiki Activity Actions

Compare commits

base: jahanson:main
Branches Tags
jahanson:main
jahanson:renovate/ghcr.io-koush-scrypted-0.x
jahanson:renovate/ghcr.io-jellyfin-jellyfin-10.x
jahanson:renovate/nixpkgs-24.x
jahanson:talos-pxe-bootstrap
jahanson:update_flake_lock_action
jahanson:renovate/lock-file-maintenance
..
compare: jahanson:update_flake_lock_action
Branches Tags
jahanson:main
jahanson:renovate/ghcr.io-koush-scrypted-0.x
jahanson:renovate/ghcr.io-jellyfin-jellyfin-10.x
jahanson:renovate/nixpkgs-24.x
jahanson:talos-pxe-bootstrap
jahanson:update_flake_lock_action
jahanson:renovate/lock-file-maintenance

1 commit
main ... update_fla

Author SHA1 Message Date
github-actions[bot]
4273e4eb17 flake.lock: Update 
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/a731b45590a5169542990c36ffcde6cebd9a3356?narHash=sha256-WoKZDlBEdMhP%2BhjquBAh0BhUJbcH2%2BU8g2mHOr1mv8I%3D' (2024-08-11)
  → 'github:nixos/nixpkgs/c3d4ac725177c030b1e289015989da2ad9d56af0?narHash=sha256-sqLwJcHYeWLOeP/XoLwAtYjr01TISlkOfz%2BNG82pbdg%3D' (2024-08-15)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/a58bc8ad779655e790115244571758e8de055e3d?narHash=sha256-dFZRVSgmJkyM0bkPpaYRtG/kRMRTorUIDj8BxoOt1T4%3D' (2024-08-11)
  → 'github:nixos/nixpkgs/c3aa7b8938b17aebd2deecf7be0636000d62a2b9?narHash=sha256-med8%2B5DSWa2UnOqtdICndjDAEjxr5D7zaIiK4pn0Q7c%3D' (2024-08-14)
 2024-08-16 22:10:47 +00:00
119 changed files with 96625 additions and 3655 deletions
Show stats Expand all files Collapse all files

36
.archive/flake.nix
View file

@ -1,36 +0,0 @@
{
"durincore" = mkNixosConfig {
# T470 Thinkpad Intel i7-6600U
# Backup Nix dev laptop
hostname = "durincore";
system = "x86_64-linux";
hardwareModules = [
./nixos/profiles/hw-thinkpad-t470.nix
inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t470s
];
profileModules = [
./nixos/profiles/role-workstation.nix
./nixos/profiles/role-dev.nix
{ home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
];
};
"legiondary" = mkNixosConfig {
# Legion 15arh05h AMD/Nvidia Ryzen 7 4800H
# Nix dev/gaming laptop
hostname = "legiondary";
system = "x86_64-linux";
hardwareModules = [
inputs.nixos-hardware.nixosModules.lenovo-legion-15arh05h
./nixos/profiles/hw-legion-15arh05h.nix
disko.nixosModules.disko
(import ./nixos/profiles/disko-nixos.nix { disks = [ "/dev/nvme0n1" ]; })
];
profileModules = [
./nixos/profiles/role-dev.nix
./nixos/profiles/role-gaming.nix
./nixos/profiles/role-workstation.nix
{ home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
];
};
}

93
.archive/hosts/telchar/default.nix
View file

@ -1,93 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
networking.hostId = "4488bd1a";
networking.hostName = "telchar";
boot = {
initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"thunderbolt"
"usbhid"
"usb_storage"
"sd_mod"
];
initrd.kernelModules = [ "amdgpu" ];
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
};
swapDevices = [ ];
virtualisation.docker.enable = true;
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# Enable Flatpak support
services.flatpak.enable = true;
## Base config programs.
programs = {
# Enable Wireshark
wireshark.enable = true;
# Enable OpenJDK
java.enable = true;
};
# sops
sops.secrets = {
"syncthing/publicCert" = {
sopsFile = ./secrets.sops.yaml;
owner = "jahanson";
mode = "400";
restartUnits = [ "syncthing.service" ];
};
"syncthing/privateKey" = {
sopsFile = ./secrets.sops.yaml;
owner = "jahanson";
mode = "400";
restartUnits = [ "syncthing.service" ];
};
};
## System settings and services.
mySystem = {
purpose = "Development";
services.syncthing = {
enable = true;
user = "jahanson";
publicCertPath = config.sops.secrets."syncthing/publicCert".path;
privateKeyPath = config.sops.secrets."syncthing/privateKey".path;
};
## Desktop Environment
## Gnome
# de.gnome.enable = true;
## KDE
de.kde.enable = true;
## Games
games.steam.enable = true;
## System config
system = {
motd.networkInterfaces = [ "wlp1s0" ];
fingerprint-reader-on-laptop-lid.enable = true;
};
framework_wifi_swap.enable = true;
security._1password.enable = true;
};
}

86
.archive/hosts/telchar/secrets.sops.yaml
View file

@ -1,86 +0,0 @@
syncthing:
publicCert: ENC[AES256_GCM,data:TQ8H4JsIEoSSrOtC9koG12v64ANVDU579hakO+Q/Uo+0uY/wf52U5g6THIJII7maVOJ31VXKhQABKuiirYjGnG5IaWnNkzCRo+8Pv861lr4d0be3H2NBubkIK814HziuiHa9MP5szi/J5aPQu0nj9srHCPYDzsueh8+bZDYQ2VdgKWKAKAbGwZXRcCyyNGP9u1VjUJCfXx/iQ3RbCrLNDuVbSbfmVH9wJxUUlF0ViqnHkaucQCstaAuvIn78tKpGJeM0njG2PDiVDTDBnhb5Pui/NdK+3+QqwVQHwoQRagGvqEoiL05DY3ydBlClMt2J23kqBN5U0Az15plHwQNLJujWVtkXsh4naIM8Pztwdi3xoioTytdZF/7q4q9rT3YmAK2grgSw0A4SEVvHD5RUH4ZuN/cLb0+h3Papt7xUQcwvr2WStoEujDfuHYPjs13bITnErv0PE8Imis9/ffGwC0EMsgbuDOzS8+m+KT+E8smNJD2APBZh0jq2aeSG4K1y1Q+tVnBMfZ89g8K9JZUcPWWKlGFUbWYRzY4Y1ueGH0pAUIfHLGai16q6SFvXA1+WHCJzEbZDYfDMW465yYV27JMiY4vJw+dAGs2P5o2Pf5/DtVuMW35ZQefBB/mFrJi05/3/CRbBMP73RJXvnjkTjnmUQ2FybkdX0w2zqhyWV5C171kSOcTpkBYaNWn1oM0thG246b80npGmbRjNWH7PWqxQm6kR7USiQOLgvy9rbAULNZ1+ou6He0oKD003Hfkm+OSfQVAMviIE8iS2b6xo0f8umvJ/gVEVHrDsv75KUVQHTHOjickYeYvVky6ZqPDI1z4ya8q1csb/UnLqSNvjT16OdMVQvwCOcjSPTtymj5IdDspkHW9bN856dDvbbRn0FxsEnjFpZMATYVvcLf92eA1k1/ghQKJdOcBrZY4HWUKx33e21i5OyDcLrX9JVTOMpVtKjX2pMygmVxzwj6DV5BWQYTrNByI5iHE8ihy+vOFf36b6bcyu4+3PKIoKnC738b5fSudGtPFL+bhlFPMEO9xlIwzUTA==,iv:9K8PKwTAKF1iZNRDY8ABgK2xKDZ4jh6l1C+ZzH1aexQ=,tag:/fxUf++pQQKWD8SZyw3Lqw==,type:str]
privateKey: ENC[AES256_GCM,data:ul6WGC0iMOpm7RcZjSPATJcu5IMENcvJtPreulDB8vODKfFWKeXlWiy13CZ2fsJxn3Xd/SbXGgtqd6wNQAyU9Rp8qrbFAVCrTppGjbVElbLTdPdpWMU940Rxn4ICc9z4LmKziALFj28O2neRANEzhtThCv724PStXnS2h6mO9bvfDBvmWyD85l0W8hjYHT2g6RaKAMB0BQ+SGb/7YTzpJkU2qdcYdqFaFlxqae1ZO0Ik4UdOBwAGQFgiDM/BzwL5kM0H/r3mMd0vgLBk7AGcQx9yI76SDlFh8CT7jYyJhE0X+wSKwcMdttA8qeCcdkxdEiXgzzFreBJfRq9CUc5+y20mE+cv83bXCIAz12yT0RDMoml1efvrn5A/valqTn8y,iv:VSSVxItFPc7+t5vHoDBRP2mmiFsulThRNZqNy82RYFI=,tag:F6IHAmk4HEINtuYb9Kvbxg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3bGFxTi9OcjUwNlJWRWov
OEFtZTJacmxSSDhEeWdGbTRhMHEyQ0pwVW5nCmsvVU5KSHJ4OTZtWExzUWg0ZnBD
Q3BXSFhMNUZ2YjZiRmRwcWV0R1BnVnMKLS0tIDZKaG9abm5JeVROdzNQcXhhZG41
TDhEVG1yaDhZbWNXVm5HQnFBZld1alUKLjDMyKKMcdh96YjZ3/QPEXecPYlNZMGv
8BCG4xZq+cqlzxpQ/f9/P+g8crw+BQD/H8S5R/UsNZuT3jFoZYTgyg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFODdNVDNtYytjZmhxK1FY
Q2wvT2M1UFRzbVU5c0hDUXhBd0hXWDNoL21zCnI0ak9ESHl5bCtaM21SMDhpMmlM
SUx1SldFeTlVME9iQ09BZnJCRk44OHcKLS0tIDR5dFdDZU9ESVFhTXowZ0NWQnBj
bFZpNHNQaDZ5M1RnK1FhYXVUVDhpMTAKjbJ7BboI37aWHQ3IIiwd4F725w9QSq/5
TYoApR7X5dDhEy43ytuuSUASDN3Zw7xg96e23/JCPfAYzjeL/6MbLA==
-----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXcFZ4YitXNXNJaDd6aENK
OW9Uc0VHS0hhNWUzZXRXbkdUZnRBWTVOWVdnCnlLNmpVRFB0enpUQ1FIbk8rMFhS
a2FHTWZSZTFnbC9vNnFPaWVSK3NFNjAKLS0tIFJDS3N5eFZhQm55QUJQOXV1NER1
cTJvYVdta0JPRFZ1TUc4eDBNS2VEQzgKkLXYLUC3Fd27KKajQwbKVUUfAawhb4g5
/1cKOxSs1eMfCpK0xxZKwsSaAcTfmYlXuRBMO82ol9lMD+/fBNaCfg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYb2diT3NqQ1UyZFM3Mmc3
OWJicDNFVXR5dkNQN3ZVYlVCK29yd3FCMG1jClpPaWdRUWsxK2lrMy9YdGFzWmZ0
VVNaNE9Pb0lhNEpsWUdGckFRaXNOc3cKLS0tIERLajl6Q1BGcmh3TUYyNGtCS0dI
V2ZhNDNJTlBGWU43MFVHMGpzUElZMncK5i95c/lkjjlnpL2dCchkvhnpoQQzb2w/
eGx9DQwj7eLhYh/STrsX39vXEEw6kNuIz/2zVMirzVhv/bQ3xmerTQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2dm1wQkx5MEUySWR3YmVS
ZWZTRkdaeGZPVFpudit6SHpBWE0xODFZd2xRCjlGYmk3L0E3eVpjYW1NSVRoa3lk
OHRFK24rWlJNemVWMHhERlowT3ZUZDQKLS0tIHdKancwR0wrb0hWUDBPS3ZBbnFm
bjhSTTNxZVczK3lNSENQUVgyZUlzR3MK++UAqpak2u+E/OjXnpFQ0UFb5SrEm7KK
TwS0VBa7OfQtC6UHuix4MtsLJYkaEf8vYjjrBHRGlbbgAP+yFPaOPw==
-----END AGE ENCRYPTED FILE-----
- recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAycC82VGhHVFRkeEs1QVl6
RHJ3N3RGZXFTWWNIYVpVVXQ0Z0sxdWdyNkRZCnJ0a1QvOUpvekJpckY4eSs5bFRL
b3ZiVHdpSUlCcjBXMFlzMnJvQUNlNmcKLS0tIHhNUDFzNHZpWE1zQnR3UFdFWkFO
VHBGSENKc3lkMkdZaVdVVHlvcWoyc2MKiatzQlU9D1WSZO/6IwGhyd2zFtnRR3SS
t9kqNFnrCfuAReoP7PsMukNbfeZr0edn2bTByZ32EF2qBFmEJicGHQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIOG9TQkhzK0NUazd4RVE3
Yjh2Y2hJaEdWcVExaWNmNEw1eTZsZHgxdUFZCmhqcHBSblBhd2pSbE8vYVc1NlQ0
ck1BZG9LRHY0aHJqMkFkMFJVUVZwOFkKLS0tIG5Cc0ZVWVBzTXoySm91bSszZXpS
TXA1RjFETXdRRFBQK3g2Tmk2VGdXVGsK3jkU01wrOWktuThyt51G4opyTrS1W1dR
MKWuw2GljMSeGHij5VP+PwmTfaJrl5KpEm5w8ggKIm8KaR3RI/DYWg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhaEtvNUs4T3czQ25ObG5L
Yk9uZzBvSHFFcjJwdTVXckJFNE1NellDb0VJCitBTWFjRlpOdS9wL0crN3V0ZnBk
bTY2R01LYk9zT3ppVHBaNFlMSkZJRU0KLS0tIDAvOE1Ya29OYUF2Rk41c0ZEbzlq
eFZwL0R3R0psRzVRYjlzRlBURGhXOTAKwewHTFEpnXKOGTv544Tl8djUG3uKS7+n
h7FAGpzGF1/i45+JJYikXjaWbJmN/WqZRrx9BAyu2ymeTQKPzCHShg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-07T23:27:17Z"
mac: ENC[AES256_GCM,data:xPofZ+vRCsvPz1WTTjlxR6bbHYDDTP+sX8Rc8lRWzjAnMcsULsmbpeIwjghcnMgm406Umbct87UX1aFu4LioumG3KE1XHzE/s4Ik095m9IBbo2AVLVx0O2Q5UKwDvP7pPnBJBEmjs4xn70bMsOeYRJl+VECQssN18IzjVUwaVmE=,iv:0we672j+kxTHwXO5aUtu9wCIndgqUDnhGWvEGH2sVQA=,tag:Nu8Fa4bc4BWlvNE4m1DXYw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1

65
.archive/modules/nixos/de/kde.nix
View file

@ -1,65 +0,0 @@
{ lib, config, pkgs, ... }:
let
cfg = config.mySystem.de.kde;
flameshotOverride = pkgs.unstable.flameshot.override { enableWlrSupport = true; };
in
{
options = {
mySystem.de.kde = {
enable = lib.mkEnableOption "KDE" // { default = false; };
};
};
config = lib.mkIf cfg.enable {
# Ref: https://wiki.nixos.org/wiki/KDE
# KDE
services = {
displayManager = {
sddm = {
enable = true;
wayland = {
enable = true;
};
};
};
desktopManager.plasma6.enable = true;
};
security = {
# realtime process priority
rtkit.enable = true;
# KDE Wallet PAM integration for unlocking the default wallet on login
pam.services."sddm".kwallet.enable = true;
};
# enable pipewire for sound
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
};
# extra pkgs and extensions
environment = {
systemPackages = with pkgs; [
wl-clipboard # ls ~/Downloads | wl-copy or wl-paste > clipboard.txt
playerctl # gsconnect play/pause command
vorta # Borg backup tool
flameshotOverride # screenshot tool
libsForQt5.qt5.qtbase # for vivaldi compatibility
kdePackages.discover # KDE software center -- mainly for flatpak updates
];
};
# enable kdeconnect
# this method also opens the firewall ports required when enable = true
programs.kdeconnect = {
enable = true;
};
};
}

52
.archive/modules/nixos/services/glances/default.nix
View file

@ -1,52 +0,0 @@
{ pkgs, config, lib, ... }:
let
cfg = config.mySystem.services.glances;
in
with lib;
{
options.mySystem.services.glances =
{
enable = mkEnableOption "Glances system monitor";
};
config = mkIf cfg.enable {
environment.systemPackages = with pkgs;
[ glances python310Packages.psutil hddtemp ];
# port 61208
systemd.services.glances = {
script = ''
${pkgs.glances}/bin/glances --enable-plugin smart --webserver --bind 0.0.0.0
'';
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
};
networking = {
firewall.allowedTCPPorts = [ 61208 ];
};
environment.etc."glances/glances.conf" = {
text = ''
[global]
check_update=False
[network]
hide=lo,docker.*
[diskio]
hide=loop.*
[containers]
disable=False
podman_sock=unix:///var/run/podman/podman.sock
[connections]
disable=True
[irq]
disable=True
'';
};
};
}

86
.archive/modules/nixos/services/radicale/secrets.sops.yaml
View file

@ -1,86 +0,0 @@
services:
radicale:
htpasswd: ENC[AES256_GCM,data:O/bI1CUdpal/aJSiLaWtDQ==,iv:iJ4WrQ2vbjRlICcY21R6NGmtOZwO68zANQv52uwm74k=,tag:c2sMcVCUWOjSALNITdx1dg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyZUxOSWd5TnFlazlXcjUv
RVBjM01WRjZ4R2d3WGhQWHNheEZWRkdWcWx3CitOekFGZ1RXL1M3QndrWHUzUFNH
QkY2dnYyZlhFMGVvTzBQb05oTjFFZ1UKLS0tIDFYN0pQTHBEMUZTU3QvOEJQS0Rh
Z2p1ZFVvVVBBZXVwTkhVZ05nNVBOQUkK7qFuomZfRvwFXTUc6LWWT10Ws8xIDcCj
AD/HSc9K+lEXHoTNmpHZyUYGnxJljnDNB3d3FS4pKbHujvhvMXwfPQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGdnRKZUk5Um5HYUwzbmhL
K1A0ZW1YN0d3WllNb28zeDhzS1ppWXhleDBVCmMrRk41WlM1RXN5TkVnVVRYQ3Ev
c2RTeVJ1ays1bzg1ZGozMWI5ZWZ1ZHcKLS0tIFRKRlhFT1VwY2lwbUhRd3A4SEds
Y3BFY2lpQkExL2V4SjJvU3pTSW5WYzAKO8GMLDaoDrxdZzM8unYvq3/OteDGIwra
dRd8c6b5LSoC63Y59WftmmasXFRNrZHZX24vwgwReKapnWmqtQTgrQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjVFJQM3BnU2hlTVJvT0RQ
WHRVWkJEd3JacnlVSStQYVU3c2QwOThPOVhvCjZOeEFDdXFzeWNoS3JTbktFMDJV
ZDJKV2RlMDRiTW0vRHRBUUhCUGlPUlEKLS0tIGxWT0VmaUNGMXk0a1NYTDI0WDQw
b2hjeEFPVGdhek8yVEcwN1BzVnFQbFEKNgwnchYNz/afrg6FeFlCikMIaCfsEMYK
PHmfIiM64XReGZGsKL+gxIw33yszbyeOu0vr26tqV3HU/QUE7f19gw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzTEpra1haektoVFNpMkV6
eGVkQnRpblV5amdMaGZJVVJiMUV1VEYwYkVvCmJZZ1ZvWTRUOVpYRnZkSEcvbzk2
MDZ0MVl5NmNBQnJ5ZkhqejI5Nm5URDgKLS0tIDZPRURpVHp4Q1NsRG9ZeGVqRU9X
WnJ2ejZrZ0hOdDhxZUNnaDhOWVpzVFEKoYnqypCuLKT8OUbtRk6yN9UfWBqbznzE
DgCHiOj590zXsfRpaei/UYx0qdEmtymh7FivkxSRNYylfcngjYiadA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2QkpxRHJYTEo5cE9ielZl
a1NYUllWYmp2NzZZejJtby9MRkF4ejNPWmtNCmNDMWk3cGg3eVlYUXBCTjg0TmdG
akRwVFZxMUZMNXAvYzRSYkZlamthVlUKLS0tIHEzYmg3eTFveWppbzk3c3FHM0pn
bTZ4K2xhN2xRU2VDK040cGpDbjVmVUUKuAsZczZzTWKKxISxWOaxjzxM6wLnsbpT
dxCkcqbjL8tWs1hACsWhJ4cNGNP7gkF+9RELZvvAHgSMrlpMv7Y80w==
-----END AGE ENCRYPTED FILE-----
- recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtZVhZeVdXVXRSWi9tMjRv
dlJFRE5NNDZZdStsOUdmMFZBdC9wL2o1S0hRCkpPNE5ic2t2UHdvanJ5bTdheDk2
SUhsOTlXZnkrTkRvUXRaZE9SbW9EMGsKLS0tIHRZK3ZBQ1UrMlFGWEdIblk1YURV
VUJaWXhJMy9NUC81SjhGR0t0QnZPSDAKnQe+zUSRWvfjwr/c5wIkw/alXelnIK+u
BmvB/bps060r8GWIGYsN5mVzBpLAYwqqB4ylpjoLTfhAx3J3A+fRCw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaa2hQWlNhdmpZNHkyQmJI
WGwwZitJaUx5U0xzdURjdlFpN01jMWFvRUZZCndMcHpNclhoR1NXZzVNOWtlY0JD
c1RSNGVzY1RUa0JLYng2a0w0bFozNXcKLS0tIC9Sb0k4MmpaWUVqMkxUbHlEdlgx
M0hoN29oY1FVNVFGZFVyZVJTM2owYjAKsnVoccpgW7RPuJL66Q9iCOG5GZ41K65e
7J8lGbHkalzX63VGIOgtvSViIXIeQxw9+Tmf70GQUqcM6czwX8fu5Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHZWxZWk53cHd1bzhjVmZF
TUk4RmhENGMvNzZnREdKYU9TTDZzS0Jha1I0CnY3NXZzVlJhTGpVNi8yWlZ5SXN1
Z3I4b3BOcGtpek4vK3JzV1JUVWVMZUkKLS0tIHJMOEZraFB2WXdBVUFDUisrMzBM
TUUzcW1GR1JOcG4yMm9EY3R6WFdTeEUKzJerRRS/5eCDOhOxHEB78qiVOx++z4M/
XOEN6X0iDUBDfFJIqtMngMjU9E9DlRIYetMOYLxTpxmdKiv3Njyh/A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-18T23:57:27Z"
mac: ENC[AES256_GCM,data:f2p4VkJ7RLGPBbkkesqFKNIVow+/7MobH+AqnELAguGxlMAt1XZaU1cLfyMy1RQIrT0UmUV2xjRf/PGXBVNOTK+A2M0zoI90N8daTvk2xrEX5JVNWycgKVnQfztIgUAf5LA+tcvyWQ/Z/sIN1aGNfbl1tCSq+U+3xjIxZ74qmuw=,iv:wcyjoKWNFLb/jGclNWbHP7wwnkz29iINSfKblqhP+bI=,tag:3RrZXX9pAWQG05ZPI5A35Q==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

30
.archive/modules/nixos/services/vault/default.nix
View file

@ -1,30 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.mySystem.services.vault;
in
{
options.mySystem.services.vault = {
enable = lib.mkEnableOption "vault";
address = lib.mkOption {
type = lib.types.str;
default = "127.0.0.1:8200";
description = "Address of the Vault server";
example = "127.0.0.1:8200";
};
};
config = lib.mkIf cfg.enable {
services.vault = {
enable = true;
package = pkgs.unstable.vault;
address = cfg.address;
dev = false;
storageBackend = "raft";
extraConfig = ''
api_addr = "http://127.0.0.1:8200"
cluster_addr = "http://127.0.0.1:8201"
ui = true
'';
};
};
}

14
.archive/modules/nixos/services/vault/resources/vault-config.hcl
View file

@ -1,14 +0,0 @@
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = true
}
storage "raft" {
path = "/var/lib/vault/data"
node_id = "node1"
}
disable_mlock = true
api_addr = "http://localhost:8200"
cluster_addr = "http://localhost:8201"
ui = true

56
.archive/profiles/disko-telchar.nix
View file

@ -1,56 +0,0 @@
{
disko.devices = {
disk = {
main = {
type = "disk";
device = "/dev/disk/by-diskseq/1";
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
start = "1M";
end = "128M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
size = "100%";
content = {
type = "btrfs";
extraArgs = [ "-f" ]; # Override existing partition
# Subvolumes must set a mountpoint in order to be mounted,
# unless their parent is mounted
subvolumes = {
# Subvolume name is different from mountpoint
"/rootfs" = {
mountpoint = "/";
};
# Subvolume name is the same as the mountpoint
"/home" = {
mountOptions = [ "compress=zstd" ];
mountpoint = "/home";
};
# Sub(sub)volume doesn't need a mountpoint as its parent is mounted
"/home/user" = { };
# Parent is not mounted so the mountpoint must be set
"/nix" = {
mountOptions = [ "compress=zstd" "noatime" ];
mountpoint = "/nix";
};
};
mountpoint = "/partition-root";
};
};
};
};
};
};
};
}

1
.envrc
View file

@ -1,3 +1,2 @@
use nix use nix
export SOPS_AGE_KEY_FILE="$(expand_path ./age.key)" export SOPS_AGE_KEY_FILE="$(expand_path ./age.key)"
export VAULT_ADDR="http://10.1.1.61:8200"

222
.forgejo/actions/update-flake-lock/action.yml Normal file
View file

@ -0,0 +1,222 @@
name: "Update Nix Flake Lock"
description: "Update your Nix flake.lock and send a PR"
inputs:
inputs:
description: "A space-separated list of inputs to update. Leave empty to update all inputs."
required: false
default: ""
token:
description: "GITHUB_TOKEN or a `repo` scoped Personal Access Token (PAT)"
required: false
default: ${{ github.token }}
commit-msg:
description: "The message provided with the commit"
required: false
default: "flake.lock: Update"
base:
description: "Sets the pull request base branch. Defaults to the branch checked out in the workflow."
required: false
branch:
description: "The branch of the PR to be created"
required: false
default: "update_flake_lock_action"
path-to-flake-dir:
description: "The path of the directory containing `flake.nix` file within your repository. Useful when `flake.nix` cannot reside at the root of your repository."
required: false
pr-title:
description: "The title of the PR to be created"
required: false
default: "flake.lock: Update"
pr-body:
description: "The body of the PR to be created"
required: false
default: |
Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action.
```
{{ env.GIT_COMMIT_MESSAGE }}
```
### Running GitHub Actions on this PR
GitHub Actions will not run workflows on pull requests which are opened by a GitHub Action.
To run GitHub Actions workflows on this PR, run:
```sh
git branch -D update_flake_lock_action
git fetch origin
git checkout update_flake_lock_action
git commit --amend --no-edit
git push origin update_flake_lock_action --force
```
pr-labels:
description: "A comma or newline separated list of labels to set on the Pull Request to be created"
required: false
default: ""
pr-assignees:
description: "A comma or newline separated list of assignees (GitHub usernames)."
required: false
default: ""
pr-reviewers:
description: "A comma or newline separated list of reviewers (GitHub usernames) to request a review from."
required: false
default: ""
git-author-name:
description: "Author name used for commit. Only used if sign-commits is false."
required: false
default: "github-actions[bot]"
git-author-email:
description: "Author email used for commit. Only used if sign-commits is false."
required: false
default: "github-actions[bot]@users.noreply.github.com"
git-committer-name:
description: "Committer name used for commit. Only used if sign-commits is false."
required: false
default: "github-actions[bot]"
git-committer-email:
description: "Committer email used for commit. Only used if sign-commits is false."
required: false
default: "github-actions[bot]@users.noreply.github.com"
sign-commits:
description: "Set to true if the action should sign the commit with GPG"
required: false
default: "false"
gpg-private-key:
description: "GPG Private Key with which to sign the commits in the PR to be created"
required: false
default: ""
gpg-fingerprint:
description: "Fingerprint of specific GPG subkey to use"
required: false
gpg-passphrase:
description: "GPG Private Key Passphrase for the GPG Private Key with which to sign the commits in the PR to be created"
required: false
default: ""
nix-options:
description: "A space-separated list of options to pass to the nix command"
required: false
default: ""
_internal-strict-mode:
description: Whether to fail when any errors are thrown. Used only to test the Action; do not set this in your own workflows.
required: false
default: false
outputs:
pull-request-number:
description: "The number of the opened pull request"
value: ${{ steps.create-pr.outputs.pull-request-number }}
pull-request-operation:
description: "The pull request operation performed by the action, `created`, `updated` or `closed`."
value: ${{ steps.create-pr.outputs.pull-request-operation }}
runs:
using: "composite"
steps:
- name: Import bot's GPG key for signing commits
if: ${{ inputs.sign-commits == 'true' }}
id: import-gpg
uses: https://github.com/crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
with:
gpg_private_key: ${{ inputs.gpg-private-key }}
fingerprint: ${{ inputs.gpg-fingerprint }}
passphrase: ${{ inputs.gpg-passphrase }}
git_config_global: true
git_user_signingkey: true
git_commit_gpgsign: true
- name: Set environment variables (signed commits)
if: ${{ inputs.sign-commits == 'true' }}
shell: bash
env:
GIT_AUTHOR_NAME: ${{ steps.import-gpg.outputs.name }}
GIT_AUTHOR_EMAIL: ${{ steps.import-gpg.outputs.email }}
GIT_COMMITTER_NAME: ${{ steps.import-gpg.outputs.name }}
GIT_COMMITTER_EMAIL: ${{ steps.import-gpg.outputs.email }}
TARGETS: ${{ inputs.inputs }}
run: |
echo "GIT_AUTHOR_NAME=$GIT_AUTHOR_NAME" >> $GITHUB_ENV
echo "GIT_AUTHOR_EMAIL=<$GIT_AUTHOR_EMAIL>" >> $GITHUB_ENV
echo "GIT_COMMITTER_NAME=$GIT_COMMITTER_NAME" >> $GITHUB_ENV
echo "GIT_COMMITTER_EMAIL=<$GIT_COMMITTER_EMAIL>" >> $GITHUB_ENV
- name: Set environment variables (unsigned commits)
if: ${{ inputs.sign-commits != 'true' }}
shell: bash
run: |
echo "GIT_AUTHOR_NAME=${{ inputs.git-author-name }}" >> $GITHUB_ENV
echo "GIT_AUTHOR_EMAIL=<${{ inputs.git-author-email }}>" >> $GITHUB_ENV
echo "GIT_COMMITTER_NAME=${{ inputs.git-committer-name }}" >> $GITHUB_ENV
echo "GIT_COMMITTER_EMAIL=<${{ inputs.git-committer-email }}>" >> $GITHUB_ENV
- name: Run update-flake-lock
shell: bash
run: node "$GITHUB_ACTION_PATH/dist/index.js"
env:
# The following manually exposes all of the action inputs into INPUT_ environment variables so actionsCore.getInput works:
# https://github.com/actions/toolkit/blob/ae38557bb0dba824cdda26ce787bd6b66cf07a83/packages/core/src/core.ts#L126
INPUT_BASE: ${{ inputs.base }}
INPUT_BRANCH: ${{ inputs.branch }}
INPUT_COMMIT-MSG: ${{ inputs.commit-msg }}
INPUT_GIT-AUTHOR-EMAIL: ${{ inputs.git-author-email }}
INPUT_GIT-AUTHOR-NAME: ${{ inputs.git-author-name }}
INPUT_GIT-COMMITTER-EMAIL: ${{ inputs.git-committer-email }}
INPUT_GIT-COMMITTER-NAME: ${{ inputs.git-committer-name }}
INPUT_GPG-FINGERPRINT: ${{ inputs.gpg-fingerprint }}
INPUT_GPG-PASSPHRASE: ${{ inputs.gpg-passphrase }}
INPUT_GPG-PRIVATE-KEY: ${{ inputs.gpg-private-key }}
INPUT_INPUTS: ${{ inputs.inputs }}
INPUT_NIX-OPTIONS: ${{ inputs.nix-options }}
INPUT_PATH-TO-FLAKE-DIR: ${{ inputs.path-to-flake-dir }}
INPUT_PR-ASSIGNEES: ${{ inputs.pr-assignees }}
INPUT_PR-BODY: ${{ inputs.pr-body }}
INPUT_PR-LABELS: ${{ inputs.pr-labels }}
INPUT_PR-REVIEWERS: ${{ inputs.pr-reviewers }}
INPUT_PR-TITLE: ${{ inputs.pr-title }}
INPUT_PULL-REQUEST-NUMBER: ${{ inputs.pull-request-number }}
INPUT_PULL-REQUEST-OPERATION: ${{ inputs.pull-request-operation }}
INPUT_SIGN-COMMITS: ${{ inputs.sign-commits }}
INPUT_TOKEN: ${{ inputs.token }}
INPUT__INTERNAL-STRICT-MODE: ${{ inputs._internal-strict-mode }}
- name: Save PR Body as file
uses: https://github.com/DamianReeves/write-file-action@v1.3
with:
path: pr_body.template
contents: ${{ inputs.pr-body }}
env: {}
- name: Set additional env variables (GIT_COMMIT_MESSAGE)
shell: bash
run: |
DELIMITER=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
COMMIT_MESSAGE="$(git log --format=%b -n 1)"
echo "GIT_COMMIT_MESSAGE<<$DELIMITER" >> $GITHUB_ENV
echo "$COMMIT_MESSAGE" >> $GITHUB_ENV
echo "$DELIMITER" >> $GITHUB_ENV
echo "GIT_COMMIT_MESSAGE is: ${COMMIT_MESSAGE}"
- name: Interpolate PR Body
uses: pedrolamas/handlebars-action@2995d7eadacbc8f2f6ab8431a01d84a5fa3b8bb4 # v2.4.0
with:
files: "pr_body.template"
output-filename: "pr_body.txt"
- name: Read pr_body.txt
id: pr_body
uses: juliangruber/read-file-action@v1
with:
path: "pr_body.txt"
# We need to remove the pr_body files so that the
# peter-evans/create-pull-request action does not commit it (the
# action commits all new and modified files).
- name: Remove PR body template files
shell: bash
run: rm -f pr_body.txt pr_body.template
- name: Create PR
id: create-pr
uses: https://github.com/peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
with:
base: ${{ inputs.base }}
branch: ${{ inputs.branch }}
delete-branch: true
committer: ${{ env.GIT_COMMITTER_NAME }} ${{ env.GIT_COMMITTER_EMAIL }}
author: ${{ env.GIT_AUTHOR_NAME }} ${{ env.GIT_AUTHOR_EMAIL }}
title: ${{ inputs.pr-title }}
token: ${{ inputs.token }}
assignees: ${{ inputs.pr-assignees }}
labels: ${{ inputs.pr-labels }}
reviewers: ${{ inputs.pr-reviewers }}
body: ${{ steps.pr_body.outputs.content }}

2
.forgejo/actions/update-flake-lock/dist/index.d.ts vendored Normal file
View file

@ -0,0 +1,2 @@
export { }

95155
.forgejo/actions/update-flake-lock/dist/index.js vendored Normal file
View file

File diff suppressed because one or more lines are too long

1
.forgejo/actions/update-flake-lock/dist/index.js.map vendored Normal file
View file

File diff suppressed because one or more lines are too long

3
.forgejo/actions/update-flake-lock/dist/package.json vendored Normal file
View file

@ -0,0 +1,3 @@
{
"type": "module"
}

57
.forgejo/workflows/build.yaml
View file

@ -1,13 +1,13 @@
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: "Build" name: "Build"
on: on:
pull_request:
push: push:
branches: branches:
- main - main
paths: paths:
- ".forgejo/workflows/build.yaml" - ".forgejo/workflows/build.yaml"
- "flake.lock" - "flake.lock"
workflow_dispatch:
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
@ -20,14 +20,14 @@ jobs:
fail-fast: false fail-fast: false
matrix: matrix:
include: include:
- system: varda
os: native-aarch64
- system: telchar
os: native-x86_64
- system: gandalf - system: gandalf
os: native-x86_64 os: native-x86_64
- system: telperion - system: telperion
os: native-x86_64 os: native-x86_64
- system: shadowfax
os: native-x86_64
# - system: varda
# os: native-x86_64
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
env: env:
PATH: ${{ format('{0}:{1}', '/run/current-system/sw/bin', env.PATH) }} PATH: ${{ format('{0}:{1}', '/run/current-system/sw/bin', env.PATH) }}
@ -46,8 +46,55 @@ jobs:
- name: Garbage collect build dependencies - name: Garbage collect build dependencies
run: nix-collect-garbage run: nix-collect-garbage
- name: Build previous ${{ matrix.system }} system
shell: bash
run: |
nix build git+https://git.hsn.dev/jahanson/mochi#top.${{ matrix.system }} \
-v --log-format raw --profile ./profile
- name: Build new ${{ matrix.system }} system - name: Build new ${{ matrix.system }} system
shell: bash shell: bash
run: | run: |
nix build ".#top.${{ matrix.system }}" --profile ./profile --fallback -v \ nix build ".#top.${{ matrix.system }}" --profile ./profile --fallback -v \
> >(tee stdout.log) 2> >(tee /tmp/nix-build-err.log >&2) > >(tee stdout.log) 2> >(tee /tmp/nix-build-err.log >&2)
- name: Check for build failure
if: failure()
run: |
drv=$(grep "For full logs, run" /tmp/nix-build-err.log | grep -oE "/nix/store/.*.drv")
if [ -n $drv ]; then
nix log $drv
echo $drv
fi
exit 1
- name: Diff profile
id: diff
run: |
nix profile diff-closures --profile ./profile
delimiter="$(openssl rand -hex 16)"
echo "diff<<${delimiter}" >> "${GITHUB_OUTPUT}"
nix profile diff-closures --profile ./profile | perl -pe 's/\e\[[0-9;]*m(?:\e\[K)?//g' >> "${GITHUB_OUTPUT}"
echo "${delimiter}" >> "${GITHUB_OUTPUT}"
- name: Comment report in pr
uses: https://github.com/marocchino/sticky-pull-request-comment@v2
with:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
header: ".#top.${{ matrix.system }}"
message: |
### Report for `${{ matrix.system }}`
<summary> Version changes </summary> <br>
<pre> ${{ steps.diff.outputs.diff }} </pre>
# - name: Push to Cachix
# if: success()
# env:
# CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
# run: nix build ".#top.${{ matrix.system }}" --json | jq -r .[].drvPath | cachix push hsndev
nix-build-success:
if: ${{ always() }}
needs:
- nix-build
name: Nix Build Successful
runs-on: docker
steps:
- if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}
name: Check matrix status
run: exit 1

28
.forgejo/workflows/update_lock.yaml Normal file
View file

@ -0,0 +1,28 @@
name: update-flake-lock
on:
# workflow_dispatch: # allows manual triggering
schedule:
- cron: '0 0 * * *' # daily at midnight
push:
branches:
- main
paths:
- ".forgejo/workflows/update_lock.yaml"
jobs:
lockfile:
runs-on: docker
steps:
- name: Checkout repository
uses: https://github.com/actions/checkout@v4
- name: Install Nix
uses: https://github.com/DeterminateSystems/nix-installer-action@main
- name: Update flake.lock
uses: ./.forgejo/actions/update-flake-lock
with:
pr-title: "Update flake.lock" # Title of PR to be created
pr-labels: | # Labels to be set on the PR
dependencies
automated
inputs: nixpkgs nixpkgs-unstable

4
.gitignore vendored
View file

@ -1,12 +1,8 @@
**/*.tmp.sops.yaml **/*.tmp.sops.yaml
**/*.sops.tmp.yaml **/*.sops.tmp.yaml
**/*sync-conflict*
age.key age.key
result* result*
.direnv .direnv
.kube .kube
.github .github
.profile .profile
.idea
.secrets
.op

1
.pre-commit-config.yaml
View file

@ -36,4 +36,3 @@ repos:
- id: sops-encryption - id: sops-encryption
# Uncomment to exclude all markdown files from encryption # Uncomment to exclude all markdown files from encryption
# exclude: *.\.md # exclude: *.\.md
files: .*secrets.*

4
.prettierrc
View file

@ -1,4 +0,0 @@
{
"quoteProps": "preserve",
"trailingComma": "none"
}

4
.sops.yaml
View file

@ -15,10 +15,9 @@ keys:
- &durincore age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m - &durincore age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
- &gandalf age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd - &gandalf age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
- &legiondary age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu - &legiondary age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
- &shadowfax age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
- &telchar age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
- &telperion age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl - &telperion age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
- &varda age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf - &varda age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
- &telchar age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
creation_rules: creation_rules:
@ -29,7 +28,6 @@ creation_rules:
- *gandalf - *gandalf
- *jahanson - *jahanson
- *legiondary - *legiondary
- *shadowfax
- *telchar - *telchar
- *telperion - *telperion
- *varda - *varda

46
.vscode/nixmodule.code-snippets vendored
View file

@ -1,46 +0,0 @@
{
// If scope is left empty or omitted, the snippet gets applied to all languages. The prefix is what is
// used to trigger the snippet and the body will be expanded and inserted. Possible variables are:
// $1, $2 for tab stops, $0 for the final cursor position, and ${1:label}, ${2:another} for placeholders.
// Placeholders with the same ids are connected.
"Nix Module with Enable Option": {
"scope": "nix",
"prefix": "nixmodule",
"body": [
"{ config, lib, pkgs, ... }:",
"let",
" cfg = config.mySystem.${1:moduleName};",
"in",
"{",
" options.mySystem.${1:moduleName} = {",
" enable = lib.mkEnableOption \"${2:Description of the module}\";",
" };",
"",
" config = lib.mkIf cfg.enable {",
" $0",
" };",
"}"
],
"description": "Creates a blank Nix module with an enable option"
},
"Nix Home Manager Module with Enable Option": {
"scope": "nix",
"prefix": "nixmodule-homemanager",
"body": [
"{ config, lib, pkgs, ... }:",
"let",
" cfg = config.myHome.programs.${1:moduleName};",
"in",
"{",
" options.myHome.programs.${1:moduleName} = {",
" enable = lib.mkEnableOption \"${2:Description of the module}\";",
" };",
"",
" config = lib.mkIf cfg.enable {",
" $0",
" };",
"}"
],
"description": "Creates a blank Nix module with an enable option"
}
}

32
.vscode/settings.json vendored
View file

@ -1,40 +1,10 @@
{ {
"editor.fontFamily": "FiraCode Nerd Font", "editor.fontFamily": "FiraCode Nerd Font",
"files.associations": {
"*.json5": "jsonc",
},
"editor.hover.delay": 1500, "editor.hover.delay": 1500,
"editor.bracketPairColorization.enabled": true, "editor.bracketPairColorization.enabled": true,
"editor.guides.bracketPairs": true, "editor.guides.bracketPairs": true,
"editor.guides.bracketPairsHorizontal": true, "editor.guides.bracketPairsHorizontal": true,
"editor.guides.highlightActiveBracketPair": true, "editor.guides.highlightActiveBracketPair": true,
"files.trimTrailingWhitespace": true, "files.trimTrailingWhitespace": true,
"sops.defaults.ageKeyFile": "/home/jahanson/projects/mochi/age.key", "sops.defaults.ageKeyFile": "age.key",
"nix.enableLanguageServer": true,
"nix.serverPath": "/home/jahanson/.nix-profile/bin/nil",
"nix.formatterPath": "/home/jahanson/.nix-profile/bin/nixfmt",
"nix.serverSettings": {
"nil": {
"formatting": {
"command": ["nixfmt"]
},
"diagnostics": {
"ignored": [],
"excludedFiles": []
},
},
"nix": {
"binary": "/nix/var/nix/profiles/default/bin/nix",
"maxMemoryMB": null, // disable memory limit
"flake": {
"autoEvalInputs": true,
"autoArchive": true,
"nixpkgsInputName": "nixpkgs"
}
}
},
"[jsonc]": {
"editor.defaultFormatter": "esbenp.prettier-vscode"
},
"sops.binPath": "/home/jahanson/.nix-profile/bin/sops"
} }

354
flake.lock
View file

@ -24,11 +24,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1732221404, "lastModified": 1722821805,
"narHash": "sha256-fWTyjgGt+BHmkeJ5IxOR4zGF4/uc+ceWmhBjOBSVkgQ=", "narHash": "sha256-FGrUPUD+LMDwJsYyNSxNIzFMldtCm8wXiQuyL2PHSrM=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "97c0c4d7072f19b598ed332e9f7f8ad562c6885b", "rev": "0257e44f4ad472b54f19a6dd1615aee7fa48ed49",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -64,11 +64,11 @@
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1673956053, "lastModified": 1696426674,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -98,11 +98,11 @@
"nixpkgs-lib": "nixpkgs-lib" "nixpkgs-lib": "nixpkgs-lib"
}, },
"locked": { "locked": {
"lastModified": 1730504689, "lastModified": 1719994518,
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "506278e768c2a08bec68eb62932193e341f55c90", "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -116,11 +116,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1710146030, "lastModified": 1705309234,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -152,11 +152,11 @@
"systems": "systems_3" "systems": "systems_3"
}, },
"locked": { "locked": {
"lastModified": 1681202837, "lastModified": 1705309234,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401", "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -188,11 +188,11 @@
"systems": "systems_5" "systems": "systems_5"
}, },
"locked": { "locked": {
"lastModified": 1681202837, "lastModified": 1710146030,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401", "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -216,6 +216,49 @@
"type": "github" "type": "github"
} }
}, },
"ghostty": {
"inputs": {
"nixpkgs-stable": "nixpkgs-stable",
"nixpkgs-unstable": "nixpkgs-unstable",
"zig": "zig",
"zls": "zls"
},
"locked": {
"lastModified": 1723168569,
"narHash": "sha256-VTo/HNmYQ1ctAzdCOvtInQf9grhSuRLGA8FGP/4pVew=",
"ref": "refs/heads/main",
"rev": "33d9c043ef828b062865f42db551d6ddc48e2def",
"revCount": 6848,
"type": "git",
"url": "ssh://git@github.com/ghostty-org/ghostty"
},
"original": {
"type": "git",
"url": "ssh://git@github.com/ghostty-org/ghostty"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"ghostty",
"zls",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -223,27 +266,27 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1731880681, "lastModified": 1720042825,
"narHash": "sha256-FmYTkIyPBUxSWgA7DPIVTsCCMvSSbs56yOtHpLNSnKg=", "narHash": "sha256-A0vrUB6x82/jvf17qPCpxaM+ulJnD8YZwH9Ci0BsAzE=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "aecd341dfead1c3ef7a3c15468ecd71e8343b7c6", "rev": "e1391fb22e18a36f57e6999c7a9f966dc80ac073",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "release-24.11", "ref": "release-24.05",
"repo": "home-manager", "repo": "home-manager",
"type": "github" "type": "github"
} }
}, },
"impermanence": { "impermanence": {
"locked": { "locked": {
"lastModified": 1731242966, "lastModified": 1719091691,
"narHash": "sha256-B3C3JLbGw0FtLSWCjBxU961gLNv+BOOBC6WvstKLYMw=", "narHash": "sha256-AxaLX5cBEcGtE02PeGsfscSb/fWMnyS7zMWBXQWDKbE=",
"owner": "nix-community", "owner": "nix-community",
"repo": "impermanence", "repo": "impermanence",
"rev": "3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a", "rev": "23c1f06316b67cb5dabdfe2973da3785cfe9c34a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -252,26 +295,16 @@
"type": "github" "type": "github"
} }
}, },
"krewfile": { "langref": {
"inputs": { "flake": false,
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
]
},
"locked": { "locked": {
"lastModified": 1727979884, "narHash": "sha256-O6p2tiKD8ZMhSX+DeA/o5hhAvcPkU2J9lFys/r11peY=",
"narHash": "sha256-nLS37EhKi/ru+0HimB0EIXYpJCxaE/7bVHUHNvHDEoE=", "type": "file",
"owner": "ajgon", "url": "https://raw.githubusercontent.com/ziglang/zig/0fb2015fd3422fc1df364995f9782dfe7255eccd/doc/langref.html.in"
"repo": "krewfile",
"rev": "1821efaad07ad3925d68210f57e0b73bce57d317",
"type": "github"
}, },
"original": { "original": {
"owner": "ajgon", "type": "file",
"ref": "feat/indexes", "url": "https://raw.githubusercontent.com/ziglang/zig/0fb2015fd3422fc1df364995f9782dfe7255eccd/doc/langref.html.in"
"repo": "krewfile",
"type": "github"
} }
}, },
"lix": { "lix": {
@ -290,7 +323,7 @@
}, },
"lix-module": { "lix-module": {
"inputs": { "inputs": {
"flake-utils": "flake-utils_2", "flake-utils": "flake-utils_4",
"flakey-profile": "flakey-profile", "flakey-profile": "flakey-profile",
"lix": "lix", "lix": "lix",
"nixpkgs": [ "nixpkgs": [
@ -302,7 +335,7 @@
"narHash": "sha256-zNW/rqNJwhq2lYmQf19wJerRuNimjhxHKmzrWWFJYts=", "narHash": "sha256-zNW/rqNJwhq2lYmQf19wJerRuNimjhxHKmzrWWFJYts=",
"rev": "622a2253a071a1fb97a4d3c8103a91114acc1140", "rev": "622a2253a071a1fb97a4d3c8103a91114acc1140",
"type": "tarball", "type": "tarball",
"url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/622a2253a071a1fb97a4d3c8103a91114acc1140.tar.gz" "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/622a2253a071a1fb97a4d3c8103a91114acc1140.tar.gz?rev=622a2253a071a1fb97a4d3c8103a91114acc1140"
}, },
"original": { "original": {
"type": "tarball", "type": "tarball",
@ -359,11 +392,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1731814505, "lastModified": 1722740924,
"narHash": "sha256-l9ryrx1Twh08a+gxrMGM9O/aZKEimZfa6sZVyPCImgI=", "narHash": "sha256-UQPgA5d8azLZuDHZMPmvDszhuKF1Ek89SrTRtqsQ4Ss=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-index-database", "repo": "nix-index-database",
"rev": "bdba246946fb079b87b4cada4df9b1cdf1c06132", "rev": "97ca0a0fca0391de835f57e44f369a283e37890f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -394,42 +427,20 @@
"type": "github" "type": "github"
} }
}, },
"nix-minecraft": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": "flake-utils_3",
"nixpkgs": [
"nixpkgs-unstable"
]
},
"locked": {
"lastModified": 1732153840,
"narHash": "sha256-lt8Gdx6TNheby/9lRNE1GMP3vkdpLaXmyHQk+ZvYNAY=",
"owner": "Infinidoge",
"repo": "nix-minecraft",
"rev": "8325d463c1c424f2e6edeef2010c0d902a37b3d3",
"type": "github"
},
"original": {
"owner": "Infinidoge",
"repo": "nix-minecraft",
"type": "github"
}
},
"nix-vscode-extensions": { "nix-vscode-extensions": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_2", "flake-compat": "flake-compat_2",
"flake-utils": "flake-utils_4", "flake-utils": "flake-utils_5",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1732153985, "lastModified": 1722907736,
"narHash": "sha256-libOsvOEQjHhlNEVPuG+i4OY5NyO301RZCxYovsVtrc=", "narHash": "sha256-drU5kbx9EtTqg7rXc6ni0LZuZQy7l/wVgsQ8PSYl5Qw=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-vscode-extensions", "repo": "nix-vscode-extensions",
"rev": "c53c9d319e51deb97fb9a82001952c4efa74cba7", "rev": "b3c49142939ba6072cb8bdd6109e36d1b70a055a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -440,11 +451,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1731797098, "lastModified": 1722332872,
"narHash": "sha256-UhWmEZhwJZmVZ1jfHZFzCg+ZLO9Tb/v3Y6LC0UNyeTo=", "narHash": "sha256-2xLM4sc5QBfi0U/AANJAW21Bj4ZX479MHPMPkB+eKBU=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "672ac2ac86f7dff2f6f3406405bddecf960e0db6", "rev": "14c333162ba53c02853add87a0000cbd7aa230c2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -456,30 +467,30 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1731755305, "lastModified": 1723688146,
"narHash": "sha256-v5P3dk5JdiT+4x69ZaB18B8+Rcu3TIOrcdG4uEX7WZ8=", "narHash": "sha256-sqLwJcHYeWLOeP/XoLwAtYjr01TISlkOfz+NG82pbdg=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "057f63b6dc1a2c67301286152eb5af20747a9cb4", "rev": "c3d4ac725177c030b1e289015989da2ad9d56af0",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "nixos",
"ref": "nixos-24.11", "ref": "nixos-24.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-lib": { "nixpkgs-lib": {
"locked": { "locked": {
"lastModified": 1730504152, "lastModified": 1719876945,
"narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=", "narHash": "sha256-Fm2rDDs86sHy0/1jxTOKB1118Q0O3Uc7EC0iXvXKpbI=",
"type": "tarball", "type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" "url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz"
}, },
"original": { "original": {
"type": "tarball", "type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" "url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz"
} }
}, },
"nixpkgs-ovmf": { "nixpkgs-ovmf": {
@ -498,13 +509,61 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-unstable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1732014248, "lastModified": 1705957679,
"narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=", "narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "23e89b7da85c3640bbc2173fe04f4bd114342367", "rev": "9a333eaa80901efe01df07eade2c16d183761fa3",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "release-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1721524707,
"narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "556533a23879fc7e5f98dd2e0b31a6911a213171",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1719082008,
"narHash": "sha256-jHJSUH619zBQ6WdC21fFAlDxHErKVDJ5fpN0Hgx4sjs=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "9693852a2070b398ee123a329e68f0dab5526681",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable_2": {
"locked": {
"lastModified": 1723637854,
"narHash": "sha256-med8+5DSWa2UnOqtdICndjDAEjxr5D7zaIiK4pn0Q7c=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "c3aa7b8938b17aebd2deecf7be0636000d62a2b9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -514,20 +573,6 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_2": {
"locked": {
"lastModified": 1682134069,
"narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fd901ef4bf93499374c5af385b2943f5801c0833",
"type": "github"
},
"original": {
"id": "nixpkgs",
"type": "indirect"
}
},
"nixvirt-git": { "nixvirt-git": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -552,11 +597,11 @@
}, },
"nur": { "nur": {
"locked": { "locked": {
"lastModified": 1732220928, "lastModified": 1722976219,
"narHash": "sha256-OOFqnjTax0132/mBsRpVD1QTMlZUCbVexKgKUVUxJNg=", "narHash": "sha256-ggIGbaqOP3N/+aezX3y4K0kbmrsYaJl/8ThC0Jq1it4=",
"owner": "nix-community", "owner": "nix-community",
"repo": "NUR", "repo": "NUR",
"rev": "8439fca0da7f67b331edcca08eb2a47249be72f4", "rev": "315c48e6c9acb95b4af6492015d36ef1b7b99dfc",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -652,22 +697,20 @@
"root": { "root": {
"inputs": { "inputs": {
"disko": "disko", "disko": "disko",
"ghostty": "ghostty",
"home-manager": "home-manager", "home-manager": "home-manager",
"impermanence": "impermanence", "impermanence": "impermanence",
"krewfile": "krewfile",
"lix-module": "lix-module", "lix-module": "lix-module",
"nix-index-database": "nix-index-database", "nix-index-database": "nix-index-database",
"nix-inspect": "nix-inspect", "nix-inspect": "nix-inspect",
"nix-minecraft": "nix-minecraft",
"nix-vscode-extensions": "nix-vscode-extensions", "nix-vscode-extensions": "nix-vscode-extensions",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable_2",
"nixvirt-git": "nixvirt-git", "nixvirt-git": "nixvirt-git",
"nur": "nur", "nur": "nur",
"sops-nix": "sops-nix", "sops-nix": "sops-nix",
"talhelper": "talhelper", "talhelper": "talhelper"
"vscode-server": "vscode-server"
} }
}, },
"rust-overlay": { "rust-overlay": {
@ -714,14 +757,15 @@
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ],
"nixpkgs-stable": "nixpkgs-stable_2"
}, },
"locked": { "locked": {
"lastModified": 1732186149, "lastModified": 1722897572,
"narHash": "sha256-N9JGWe/T8BC0Tss2Cv30plvZUYoiRmykP7ZdY2on2b0=", "narHash": "sha256-3m/iyyjCdRBF8xyehf59QlckIcmShyTesymSb+N4Ap4=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "53c853fb1a7e4f25f68805ee25c83d5de18dc699", "rev": "8ae477955dfd9cbf5fa4eb82a8db8ddbb94e79d9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -813,11 +857,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1732161983, "lastModified": 1722917349,
"narHash": "sha256-HnM+3Dv/p4awf0zXffPpcg/v4RywuKiN4yA2t7W1CxE=", "narHash": "sha256-7ZFfvJJM0HTom12kQ60sLCTkmOt1Z2qqty4ddiqdP/I=",
"owner": "budimanjojo", "owner": "budimanjojo",
"repo": "talhelper", "repo": "talhelper",
"rev": "94487e8cc82617dc9be8b50de94edd33ce1e56ad", "rev": "66d4ea8a347ef1e12fef466bbaf33a287ab5810d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -848,22 +892,78 @@
"type": "github" "type": "github"
} }
}, },
"vscode-server": { "zig": {
"inputs": { "inputs": {
"flake-utils": "flake-utils_5", "flake-compat": [
"nixpkgs": "nixpkgs_2" "ghostty"
],
"flake-utils": "flake-utils",
"nixpkgs": [
"ghostty",
"nixpkgs-stable"
]
}, },
"locked": { "locked": {
"lastModified": 1729422940, "lastModified": 1717848532,
"narHash": "sha256-DlvJv33ml5UTKgu4b0HauOfFIoDx6QXtbqUF3vWeRCY=", "narHash": "sha256-d+xIUvSTreHl8pAmU1fnmkfDTGQYCn2Rb/zOwByxS2M=",
"owner": "nix-community", "owner": "mitchellh",
"repo": "nixos-vscode-server", "repo": "zig-overlay",
"rev": "8b6db451de46ecf9b4ab3d01ef76e59957ff549f", "rev": "02fc5cc555fc14fda40c42d7c3250efa43812b43",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "mitchellh",
"repo": "nixos-vscode-server", "repo": "zig-overlay",
"type": "github"
}
},
"zig-overlay": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": "flake-utils_3",
"nixpkgs": [
"ghostty",
"zls",
"nixpkgs"
]
},
"locked": {
"lastModified": 1718539737,
"narHash": "sha256-hvQ900gSqzGnJWMRQwv65TixciIbC44iX0Nh5ENRwCU=",
"owner": "mitchellh",
"repo": "zig-overlay",
"rev": "6eb42ce6f85d247b1aecf854c45d80902821d0ad",
"type": "github"
},
"original": {
"owner": "mitchellh",
"repo": "zig-overlay",
"type": "github"
}
},
"zls": {
"inputs": {
"flake-utils": "flake-utils_2",
"gitignore": "gitignore",
"langref": "langref",
"nixpkgs": [
"ghostty",
"nixpkgs-stable"
],
"zig-overlay": "zig-overlay"
},
"locked": {
"lastModified": 1718930611,
"narHash": "sha256-FtfVhs6XHNfSQRQorrrz03nD0LCNp2FCnGllRntHBts=",
"owner": "zigtools",
"repo": "zls",
"rev": "0b9746b60c2020ab948f6556f1c729858b82a0f0",
"type": "github"
},
"original": {
"owner": "zigtools",
"ref": "master",
"repo": "zls",
"type": "github" "type": "github"
} }
} }

93
flake.nix
View file

@ -66,12 +66,12 @@
}; };
# talhelper - A tool to help creating Talos kubernetes cluster # talhelper - A tool to help creating Talos kubernetes cluster
# https://github.com/budimanjojo/talhelper
talhelper = { talhelper = {
url = "github:budimanjojo/talhelper"; url = "github:budimanjojo/talhelper";
inputs.nixpkgs.follows = "nixpkgs-unstable"; inputs.nixpkgs.follows = "nixpkgs-unstable";
}; };
# NixVirt for qemu & libvirt # NixVirt for qemu & libvirt
# https://github.com/AshleyYakeley/NixVirt # https://github.com/AshleyYakeley/NixVirt
nixvirt-git = { nixvirt-git = {
@ -79,25 +79,13 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
vscode-server.url = "github:nix-community/nixos-vscode-server"; ghostty = {
url = "git+ssh://git@github.com/ghostty-org/ghostty";
# krewfile - Declarative krew plugin management
krewfile = {
# url = "github:brumhard/krewfile";
url = "github:ajgon/krewfile?ref=feat/indexes";
inputs.nixpkgs.follows = "nixpkgs";
};
# nix-minecraft - Minecraft server management
# https://github.com/infinidoge/nix-minecraft
nix-minecraft = {
url = "github:Infinidoge/nix-minecraft";
inputs.nixpkgs.follows = "nixpkgs-unstable";
}; };
}; };
outputs = outputs =
{ self, nixpkgs, sops-nix, home-manager, nix-vscode-extensions, impermanence, disko, talhelper, lix-module, vscode-server, krewfile, ... } @ inputs: { self, nixpkgs, sops-nix, home-manager, nix-vscode-extensions, impermanence, disko, talhelper, lix-module, ghostty, ... } @ inputs:
let let
forAllSystems = nixpkgs.lib.genAttrs [ forAllSystems = nixpkgs.lib.genAttrs [
"aarch64-linux" "aarch64-linux"
@ -167,6 +155,60 @@
}; };
in in
{ {
"durincore" = mkNixosConfig {
# T470 Thinkpad Intel i7-6600U
# Nix dev laptop
hostname = "durincore";
system = "x86_64-linux";
hardwareModules = [
./nixos/profiles/hw-thinkpad-t470.nix
inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t470s
];
profileModules = [
./nixos/profiles/role-workstation.nix
./nixos/profiles/role-dev.nix
{ home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
];
};
"legiondary" = mkNixosConfig {
# Legion 15arh05h AMD/Nvidia Ryzen 7 4800H
# Nix dev/gaming laptop
hostname = "legiondary";
system = "x86_64-linux";
hardwareModules = [
inputs.nixos-hardware.nixosModules.lenovo-legion-15arh05h
./nixos/profiles/hw-legion-15arh05h.nix
disko.nixosModules.disko
(import ./nixos/profiles/disko-nixos.nix { disks = [ "/dev/nvme0n1" ]; })
];
profileModules = [
./nixos/profiles/role-dev.nix
./nixos/profiles/role-gaming.nix
./nixos/profiles/role-workstation.nix
{ home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
];
};
"telchar" = mkNixosConfig {
# Framework 16 Ryzen 7 7840HS - Radeon 780M Graphics
# Nix dev laptop
hostname = "telchar";
system = "x86_64-linux";
hardwareModules = [
inputs.nixos-hardware.nixosModules.framework-16-7040-amd
./nixos/profiles/hw-framework-16-7840hs.nix
disko.nixosModules.disko
(import ./nixos/profiles/disko-nixos.nix { disks = [ "/dev/nvme0n1" ]; })
lix-module.nixosModules.default
];
profileModules = [
./nixos/profiles/role-dev.nix
./nixos/profiles/role-workstation.nix
{ home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
];
};
"varda" = mkNixosConfig { "varda" = mkNixosConfig {
# Arm64 cax21 @ Hetzner # Arm64 cax21 @ Hetzner
# forgejo server # forgejo server
@ -208,25 +250,6 @@
./nixos/profiles/hw-supermicro.nix ./nixos/profiles/hw-supermicro.nix
]; ];
profileModules = [ profileModules = [
vscode-server.nixosModules.default
./nixos/profiles/role-dev.nix
./nixos/profiles/role-server.nix
{ home-manager.users.jahanson = ./nixos/home/jahanson/server.nix; }
];
};
"shadowfax" = mkNixosConfig {
# Pro WS WRX80E-SAGE SE WIFI - AMD Ryzen Threadripper PRO 3955WX 16-Cores
# Workloads server
hostname = "shadowfax";
system = "x86_64-linux";
hardwareModules = [
lix-module.nixosModules.default
./nixos/profiles/hw-threadripperpro.nix
];
profileModules = [
vscode-server.nixosModules.default
./nixos/profiles/role-dev.nix
./nixos/profiles/role-server.nix ./nixos/profiles/role-server.nix
{ home-manager.users.jahanson = ./nixos/home/jahanson/server.nix; } { home-manager.users.jahanson = ./nixos/home/jahanson/server.nix; }
]; ];

15
nixos/home/jahanson/global.nix
View file

@ -1,4 +1,4 @@
{ pkgs, config, inputs, ... }: { pkgs, config, ... }:
with config; with config;
{ {
imports = [ imports = [
@ -21,7 +21,6 @@ with config;
}; };
home = { home = {
# Install these packages for my user # Install these packages for my user
packages = with pkgs; [ packages = with pkgs; [
# misc # misc
@ -69,14 +68,9 @@ with config;
# system tools # system tools
sysstat sysstat
lm_sensors # for `sensors` command lm_sensors # for `sensors` command
ethtool # modify network interface settings or firmware ethtool
pciutils # lspci pciutils # lspci
usbutils # lsusb usbutils # lsusb
lshw # lshw
# filesystem tools
gptfdisk # sgdisk
# system call monitoring # system call monitoring
strace # system call monitoring strace # system call monitoring
@ -93,11 +87,6 @@ with config;
# nix tools # nix tools
nvd nvd
# backup tools
unstable.rclone
unstable.restic
]; ];
}; };
}; };

53
nixos/home/jahanson/workstation.nix
View file

@ -1,30 +1,9 @@
{ { pkgs, config, ... }:
pkgs, with config;
inputs,
...
}:
let
coderMainline = pkgs.coder.override { channel = "mainline"; };
in
{ {
imports = [ imports = [
./global.nix ./global.nix
inputs.krewfile.homeManagerModules.krewfile
]; ];
config = {
# Krewfile management
programs.krewfile = {
enable = true;
krewPackage = pkgs.krew;
indexes = {
"netshoot" = "https://github.com/nilic/kubectl-netshoot.git";
};
plugins = [
"netshoot/netshoot"
"resource-capacity"
"rook-ceph"
];
};
myHome = { myHome = {
programs.firefox.enable = true; programs.firefox.enable = true;
@ -43,38 +22,32 @@ in
home = { home = {
# Install these packages for my user # Install these packages for my user
packages = with pkgs; [ packages = with pkgs;
[
#apps #apps
discord
flameshot
jetbrains.datagrip
obsidian obsidian
parsec-bin parsec-bin
solaar # open source manager for logitech unifying receivers solaar
unstable.bruno talosctl
# unstable.fractal termius
unstable.httpie unstable.fractal
unstable.jetbrains.datagrip unstable.peazip
unstable.jetbrains.rust-rover
unstable.seabird
unstable.talosctl # overlay override
unstable.telegram-desktop unstable.telegram-desktop
unstable.tidal-hifi
unstable.xpipe
# unstable.vesktop # gpu issues. Using the flatpak version solves this issue.
vlc vlc
yt-dlp
# cli # cli
brightnessctl brightnessctl
# dev utils # dev utils
kubectl
minio-client # S3 management minio-client # S3 management
pre-commit # Pre-commit tasks for git pre-commit # Pre-commit tasks for git
shellcheck # shell script linting shellcheck # shell script linting
unstable.act # run GitHub actions locally unstable.act # run GitHub actions locally
unstable.kubebuilder # k8s controller development
unstable.nodePackages_latest.prettier # code formatter unstable.nodePackages_latest.prettier # code formatter
coderMainline # VSCode in the browser -- has overlay unstable.tidal-hifi
]; ];
}; };
};
} }

0
.archive/home/modules/programs/de/default.nix → nixos/home/modules/programs/de/default.nix
View file

5
.archive/home/modules/programs/de/gnome/default.nix → nixos/home/modules/programs/de/gnome/default.nix
View file

@ -26,7 +26,7 @@ with lib.hm.gvariant; {
"org/gnome/shell" = { "org/gnome/shell" = {
disabled-extensions = [ "apps-menu@gnome-shell-extensions.gcampax.github.com" "light-style@gnome-shell-extensions.gcampax.github.com" "places-menu@gnome-shell-extensions.gcampax.github.com" "drive-menu@gnome-shell-extensions.gcampax.github.com" "window-list@gnome-shell-extensions.gcampax.github.com" "workspace-indicator@gnome-shell-extensions.gcampax.github.com" ]; disabled-extensions = [ "apps-menu@gnome-shell-extensions.gcampax.github.com" "light-style@gnome-shell-extensions.gcampax.github.com" "places-menu@gnome-shell-extensions.gcampax.github.com" "drive-menu@gnome-shell-extensions.gcampax.github.com" "window-list@gnome-shell-extensions.gcampax.github.com" "workspace-indicator@gnome-shell-extensions.gcampax.github.com" ];
enabled-extensions = [ "appindicatorsupport@rgcjonas.gmail.com" "caffeine@patapon.info" "dash-to-dock@micxgx.gmail.com" "gsconnect@andyholmes.github.io" "Vitals@CoreCoding.com" "sp-tray@sp-tray.esenliyim.github.com" ]; enabled-extensions = [ "appindicatorsupport@rgcjonas.gmail.com" "caffeine@patapon.info" "dash-to-dock@micxgx.gmail.com" "gsconnect@andyholmes.github.io" "Vitals@CoreCoding.com" "sp-tray@sp-tray.esenliyim.github.com" ];
favorite-apps = [ "com.mitchellh.ghostty.desktop" "vivaldi-stable.desktop" "obsidian.desktop" "code.desktop" "vesktop.desktop" ]; favorite-apps = [ "com.mitchellh.ghostty.desktop" "vivaldi-stable.desktop" "obsidian.desktop" "code.desktop" "discord.desktop" ];
}; };
"org/gnome/nautilus/preferences" = { "org/gnome/nautilus/preferences" = {
default-folder-viewer = "list-view"; default-folder-viewer = "list-view";
@ -44,9 +44,6 @@ with lib.hm.gvariant; {
clock-format = "12h"; clock-format = "12h";
show-battery-percentage = true; show-battery-percentage = true;
}; };
"org/gnome/settings-daemon/plugins/power" = {
ambient-enabled = false;
};
}; };
}; };
} }

1
nixos/home/modules/programs/default.nix
View file

@ -1,6 +1,7 @@
{ ... }: { { ... }: {
imports = [ imports = [
./browsers ./browsers
./de
./thunderbird ./thunderbird
]; ];
} }

25
nixos/home/modules/shell/fish/default.nix
View file

@ -21,22 +21,12 @@ in
lt = "${pkgs.lsd}/bin/lsd --tree"; lt = "${pkgs.lsd}/bin/lsd --tree";
lla = "${pkgs.lsd}/bin/lsd -la"; lla = "${pkgs.lsd}/bin/lsd -la";
tm = "tmux attach -t (basename $PWD) || tmux new -s (basename $PWD)"; tm = "tmux attach -t (basename $PWD) || tmux new -s (basename $PWD)";
lsusb = "cyme --headings --tree --hide-buses";
x = "exit"; x = "exit";
}; };
shellAbbrs = { shellAbbrs = {
nrs = "sudo nixos-rebuild switch --flake ."; nrs = "sudo nixos-rebuild switch --flake .";
nvdiff = "nvd diff /run/current-system result"; nvdiff = "nvd diff /run/current-system result";
# rook & ceph versions.
rcv =
''
kubectl \
-n rook-ceph \
get deployments \
-l rook_cluster=rook-ceph \
-o jsonpath='{range .items[*]}{.metadata.name}{" \treq/upd/avl: "}{.spec.replicas}{"/"}{.status.updatedReplicas}{"/"}{.status.readyReplicas}{" \trook-version="}{.metadata.labels.rook-version}{" \tceph-version="}{.metadata.labels.ceph-version}{"\n"}{end}'
'';
}; };
interactiveShellInit = '' interactiveShellInit = ''
@ -57,12 +47,10 @@ in
end end
end end
# Krew
set -q KREW_ROOT; and set -gx PATH $PATH $KREW_ROOT/.krew/bin; or set -gx PATH $PATH $HOME/.krew/bin
# Paths are in reverse priority order # Paths are in reverse priority order
update_path /opt/homebrew/opt/postgresql@16/bin update_path /opt/homebrew/opt/postgresql@16/bin
update_path /opt/homebrew/bin update_path /opt/homebrew/bin
update_path ${homeDirectory}/.krew/bin
update_path /nix/var/nix/profiles/default/bin update_path /nix/var/nix/profiles/default/bin
update_path /run/current-system/sw/bin update_path /run/current-system/sw/bin
update_path /etc/profiles/per-user/${username}/bin update_path /etc/profiles/per-user/${username}/bin
@ -73,12 +61,6 @@ in
update_path ${homeDirectory}/.local/bin update_path ${homeDirectory}/.local/bin
set -gx EDITOR "vim" set -gx EDITOR "vim"
if test (hostname) = "telchar"
set -gx VISUAL "code"
end
set -gx SSH_ASKPASS_REQUIRE "prefer" # This is for git to use the ssh-askpass
set -gx ATUIN_SYNC_ADDRESS "https://sh.hsn.dev" set -gx ATUIN_SYNC_ADDRESS "https://sh.hsn.dev"
# One Password cli # One Password cli
@ -90,11 +72,6 @@ in
set -gx LSCOLORS "Gxfxcxdxbxegedabagacad" set -gx LSCOLORS "Gxfxcxdxbxegedabagacad"
set -gx LS_COLORS 'di=01;34:ln=01;36:pi=33:so=01;35:bd=01;33:cd=33:or=31:ex=01;32:*.7z=01;31:*.bz2=01;31:*.gz=01;31:*.lz=01;31:*.lzma=01;31:*.lzo=01;31:*.rar=01;31:*.tar=01;31:*.tbz=01;31:*.tgz=01;31:*.xz=01;31:*.zip=01;31:*.zst=01;31:*.zstd=01;31:*.bmp=01;35:*.tiff=01;35:*.tif=01;35:*.TIFF=01;35:*.gif=01;35:*.jpeg=01;35:*.jpg=01;35:*.png=01;35:*.webp=01;35:*.pot=01;35:*.pcb=01;35:*.gbr=01;35:*.scm=01;35:*.xcf=01;35:*.spl=01;35:*.stl=01;35:*.dwg=01;35:*.ply=01;35:*.apk=01;31:*.deb=01;31:*.rpm=01;31:*.jad=01;31:*.jar=01;31:*.crx=01;31:*.xpi=01;31:*.avi=01;35:*.divx=01;35:*.m2v=01;35:*.m4v=01;35:*.mkv=01;35:*.MOV=01;35:*.mov=01;35:*.mp4=01;35:*.mpeg=01;35:*.mpg=01;35:*.sample=01;35:*.wmv=01;35:*.3g2=01;35:*.3gp=01;35:*.gp3=01;35:*.webm=01;35:*.flv=01;35:*.ogv=01;35:*.f4v=01;35:*.3ga=01;35:*.aac=01;35:*.m4a=01;35:*.mp3=01;35:*.mp4a=01;35:*.oga=01;35:*.ogg=01;35:*.opus=01;35:*.s3m=01;35:*.sid=01;35:*.wma=01;35:*.flac=01;35:*.alac=01;35:*.mid=01;35:*.midi=01;35:*.pcm=01;35:*.wav=01;35:*.ass=01;33:*.srt=01;33:*.ssa=01;33:*.sub=01;33:*.git=01;33:*.ass=01;33:*README=33:*README.rst=33:*README.md=33:*LICENSE=33:*COPYING=33:*INSTALL=33:*COPYRIGHT=33:*AUTHORS=33:*HISTORY=33:*CONTRIBUTOS=33:*PATENTS=33:*VERSION=33:*NOTICE=33:*CHANGES=33:*CHANGELOG=33:*log=33:*.txt=33:*.md=33:*.markdown=33:*.nfo=33:*.org=33:*.pod=33:*.rst=33:*.tex=33:*.texttile=33:*.bib=35:*.json=35:*.jsonl=35:*.jsonnet=35:*.libsonnet=35:*.rss=35:*.xml=35:*.fxml=35:*.toml=35:*.yaml=35:*.yml=35:*.dtd=35:*.cbr=35:*.cbz=35:*.chm=35:*.pdf=35:*.PDF=35:*.epub=35:*.awk=35:*.bash=35:*.bat=35:*.BAT=35:*.sed=35:*.sh=35:*.zsh=35:*.vim=35:*.py=35:*.ipynb=35:*.rb=35:*.gemspec=35:*.pl=35:*.PL=35:*.t=35:*.msql=35:*.mysql=35:*.pgsql=35:*.sql=35:*.r=35:*.R=35:*.cljw=35:*.scala=35:*.sc=35:*.dart=35:*.asm=35:*.cl=35:*.lisp=35:*.rkt=35:*.el=35:*.elc=35:*.eln=35:*.lua=35:*.c=35:*.C=35:*.h=35:*.H=35:*.tcc=35:*.c++=35:*.h++=35:*.hpp=35:*.hxx=35:*ii.=35:*.m=35:*.M=35:*.cc=35:*.cs=35:*.cp=35:*.cpp=35:*.cxx=35:*.go=35:*.f=35:*.F=35:*.nim=35:*.nimble=35:*.s=35:*.S=35:*.rs=35:*.scpt=35:*.swift=35:*.vala=35:*.vapi=35:*.hs=35:*.lhs=35:*.zig=35:*.v=35:*.pyc=35:*.tf=35:*.tfstate=35:*.tfvars=35:*.css=35:*.less=35:*.sass=35:*.scss=35:*.htm=35:*.html=35:*.jhtm=35:*.mht=35:*.eml=35:*.coffee=35:*.java=35:*.js=35:*.mjs=35:*.jsm=35:*.jsp=35:*.rasi=35:*.php=35:*.twig=35:*.vb=35:*.vba=35:*.vbs=35:*.Dockerfile=35:*.dockerignore=35:*.Makefile=35:*.MANIFEST=35:*.am=35:*.in=35:*.hin=35:*.scan=35:*.m4=35:*.old=35:*.out=35:*.SKIP=35:*.diff=35:*.patch=35:*.tmpl=35:*.j2=35:*PKGBUILD=35:*config=35:*.conf=35:*.service=31:*.@.service=31:*.socket=31:*.swap=31:*.device=31:*.mount=31:*.automount=31:*.target=31:*.path=31:*.timer=31:*.snapshot=31:*.allow=31:*.swp=31:*.swo=31:*.tmp=31:*.pid=31:*.state=31:*.lock=31:*.lockfile=31:*.pacnew=31:*.un=31:*.orig=31:' set -gx LS_COLORS 'di=01;34:ln=01;36:pi=33:so=01;35:bd=01;33:cd=33:or=31:ex=01;32:*.7z=01;31:*.bz2=01;31:*.gz=01;31:*.lz=01;31:*.lzma=01;31:*.lzo=01;31:*.rar=01;31:*.tar=01;31:*.tbz=01;31:*.tgz=01;31:*.xz=01;31:*.zip=01;31:*.zst=01;31:*.zstd=01;31:*.bmp=01;35:*.tiff=01;35:*.tif=01;35:*.TIFF=01;35:*.gif=01;35:*.jpeg=01;35:*.jpg=01;35:*.png=01;35:*.webp=01;35:*.pot=01;35:*.pcb=01;35:*.gbr=01;35:*.scm=01;35:*.xcf=01;35:*.spl=01;35:*.stl=01;35:*.dwg=01;35:*.ply=01;35:*.apk=01;31:*.deb=01;31:*.rpm=01;31:*.jad=01;31:*.jar=01;31:*.crx=01;31:*.xpi=01;31:*.avi=01;35:*.divx=01;35:*.m2v=01;35:*.m4v=01;35:*.mkv=01;35:*.MOV=01;35:*.mov=01;35:*.mp4=01;35:*.mpeg=01;35:*.mpg=01;35:*.sample=01;35:*.wmv=01;35:*.3g2=01;35:*.3gp=01;35:*.gp3=01;35:*.webm=01;35:*.flv=01;35:*.ogv=01;35:*.f4v=01;35:*.3ga=01;35:*.aac=01;35:*.m4a=01;35:*.mp3=01;35:*.mp4a=01;35:*.oga=01;35:*.ogg=01;35:*.opus=01;35:*.s3m=01;35:*.sid=01;35:*.wma=01;35:*.flac=01;35:*.alac=01;35:*.mid=01;35:*.midi=01;35:*.pcm=01;35:*.wav=01;35:*.ass=01;33:*.srt=01;33:*.ssa=01;33:*.sub=01;33:*.git=01;33:*.ass=01;33:*README=33:*README.rst=33:*README.md=33:*LICENSE=33:*COPYING=33:*INSTALL=33:*COPYRIGHT=33:*AUTHORS=33:*HISTORY=33:*CONTRIBUTOS=33:*PATENTS=33:*VERSION=33:*NOTICE=33:*CHANGES=33:*CHANGELOG=33:*log=33:*.txt=33:*.md=33:*.markdown=33:*.nfo=33:*.org=33:*.pod=33:*.rst=33:*.tex=33:*.texttile=33:*.bib=35:*.json=35:*.jsonl=35:*.jsonnet=35:*.libsonnet=35:*.rss=35:*.xml=35:*.fxml=35:*.toml=35:*.yaml=35:*.yml=35:*.dtd=35:*.cbr=35:*.cbz=35:*.chm=35:*.pdf=35:*.PDF=35:*.epub=35:*.awk=35:*.bash=35:*.bat=35:*.BAT=35:*.sed=35:*.sh=35:*.zsh=35:*.vim=35:*.py=35:*.ipynb=35:*.rb=35:*.gemspec=35:*.pl=35:*.PL=35:*.t=35:*.msql=35:*.mysql=35:*.pgsql=35:*.sql=35:*.r=35:*.R=35:*.cljw=35:*.scala=35:*.sc=35:*.dart=35:*.asm=35:*.cl=35:*.lisp=35:*.rkt=35:*.el=35:*.elc=35:*.eln=35:*.lua=35:*.c=35:*.C=35:*.h=35:*.H=35:*.tcc=35:*.c++=35:*.h++=35:*.hpp=35:*.hxx=35:*ii.=35:*.m=35:*.M=35:*.cc=35:*.cs=35:*.cp=35:*.cpp=35:*.cxx=35:*.go=35:*.f=35:*.F=35:*.nim=35:*.nimble=35:*.s=35:*.S=35:*.rs=35:*.scpt=35:*.swift=35:*.vala=35:*.vapi=35:*.hs=35:*.lhs=35:*.zig=35:*.v=35:*.pyc=35:*.tf=35:*.tfstate=35:*.tfvars=35:*.css=35:*.less=35:*.sass=35:*.scss=35:*.htm=35:*.html=35:*.jhtm=35:*.mht=35:*.eml=35:*.coffee=35:*.java=35:*.js=35:*.mjs=35:*.jsm=35:*.jsp=35:*.rasi=35:*.php=35:*.twig=35:*.vb=35:*.vba=35:*.vbs=35:*.Dockerfile=35:*.dockerignore=35:*.Makefile=35:*.MANIFEST=35:*.am=35:*.in=35:*.hin=35:*.scan=35:*.m4=35:*.old=35:*.out=35:*.SKIP=35:*.diff=35:*.patch=35:*.tmpl=35:*.j2=35:*PKGBUILD=35:*config=35:*.conf=35:*.service=31:*.@.service=31:*.socket=31:*.swap=31:*.device=31:*.mount=31:*.automount=31:*.target=31:*.path=31:*.timer=31:*.snapshot=31:*.allow=31:*.swp=31:*.swo=31:*.tmp=31:*.pid=31:*.state=31:*.lock=31:*.lockfile=31:*.pacnew=31:*.un=31:*.orig=31:'
atuin init fish | source atuin init fish | source
# Ghostty shell integration for Bash. This must be at the top of your fish!!!
if set -q GHOSTTY_RESOURCES_DIR
source "$GHOSTTY_RESOURCES_DIR/shell-integration/fish/vendor_conf.d/ghostty-shell-integration.fish"
end
''; '';
}; };

0
.archive/hosts/durincore/default.nix → nixos/hosts/durincore/default.nix
View file

16
nixos/hosts/gandalf/config/disks.nix
View file

@ -1,16 +0,0 @@
[
"/dev/disk/by-id/ata-Seagate_IronWolfPro_ZA240NX10001-2ZH100_7TF002RA"
"/dev/disk/by-id/nvme-Samsung_SSD_960_EVO_250GB_S3ESNX0K308438J"
"/dev/disk/by-id/scsi-350000c0f02f0830c"
"/dev/disk/by-id/scsi-350000c0f01e7d190"
"/dev/disk/by-id/scsi-350000c0f01ea443c"
"/dev/disk/by-id/scsi-350000c0f01f8230c"
"/dev/disk/by-id/scsi-35000c500586e5057"
"/dev/disk/by-id/scsi-35000c500624a0ddb"
"/dev/disk/by-id/scsi-35000c500624a1a8b"
"/dev/disk/by-id/scsi-35000cca046135ad8"
"/dev/disk/by-id/scsi-35000cca04613722c"
"/dev/disk/by-id/scsi-35000cca0461810f8"
"/dev/disk/by-id/scsi-35000cca04618b930"
"/dev/disk/by-id/scsi-35000cca04618cec4"
]

49
nixos/hosts/gandalf/config/incus-preseed.nix
View file

@ -1,49 +0,0 @@
{ ... }:
{
config = {
"core.https_address" = "10.1.1.15:8445"; # Need quotes around key
};
networks = [
{
config = {
"ipv4.address" = "auto"; # Need quotes around key
"ipv6.address" = "auto"; # Need quotes around key
};
description = "";
name = "incusbr0";
type = "";
project = "default";
}
];
storage_pools = [
{
config = {
source = "eru/incus";
};
description = "";
name = "default";
driver = "zfs";
}
];
profiles = [
{
config = { };
description = "";
devices = {
eth0 = {
name = "eth0";
network = "incusbr0";
type = "nic";
};
root = {
path = "/";
pool = "default";
type = "disk";
};
};
name = "default";
}
];
projects = [ ];
cluster = null;
}

156
nixos/hosts/gandalf/default.nix
View file

@ -1,21 +1,13 @@
# Do not modify this file! It was generated by 'nixos-generate-config' # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ { config, lib, modulesPath, inputs, ... }:
config,
lib,
modulesPath,
inputs,
...
}:
let let
sanoidConfig = import ./config/sanoid.nix { }; sanoidConfig = import ./config/sanoid.nix { };
disks = import ./config/disks.nix;
smartdDevices = map (device: { inherit device; }) disks;
in in
{ {
imports = [ imports =
[
(modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
(import ../../profiles/disko-nixos.nix { disks = [ "/dev/sda" ]; }) (import ../../profiles/disko-nixos.nix { disks = [ "/dev/sda" ]; })
@ -23,38 +15,19 @@ in
boot = { boot = {
initrd = { initrd = {
availableKernelModules = [ availableKernelModules = [ "ehci_pci" "ahci" "mpt3sas" "isci" "usbhid" "usb_storage" "sd_mod" ];
"ehci_pci"
"ahci"
"mpt3sas"
"isci"
"usbhid"
"usb_storage"
"sd_mod"
];
kernelModules = [ "nfs" ]; kernelModules = [ "nfs" ];
supportedFilesystems = [ "nfs" ]; supportedFilesystems = [ "nfs" ];
}; };
kernelModules = [ kernelModules = [ "kvm-intel" "vfio" "vfio_iommu_type1" "vfio_pci" "vfio_virqfd" ];
"kvm-intel"
"vfio"
"vfio_iommu_type1"
"vfio_pci"
"vfio_virqfd"
];
extraModulePackages = [ ]; extraModulePackages = [ ];
kernelParams = [ kernelParams = [ "iommu=pt" "intel_iommu=on" "zfs.zfs_arc_max=107374182400" ]; # 100GB
"iommu=pt"
"intel_iommu=on"
"zfs.zfs_arc_max=107374182400"
]; # 100GB
}; };
swapDevices = [ ];
users.users.root.openssh.authorizedKeys.keys = [ users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAGSFTSVPt43PBpSMSF1dGTzN2JbxztDZUml7g4+PnWe CSI-Driver@talos" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAGSFTSVPt43PBpSMSF1dGTzN2JbxztDZUml7g4+PnWe CSI-Driver@talos"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO/W445gX2IINRbE6crIMwgN6Ks8LTzAXR86pS9xp335 root@Sting"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBROTzSefJGJeCNUgNLbE5l4sHHg2fHUO4sCwqvP+zAd root@Gollum" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBROTzSefJGJeCNUgNLbE5l4sHHg2fHUO4sCwqvP+zAd root@Gollum"
]; ];
@ -66,85 +39,49 @@ in
networkmanager.enable = true; networkmanager.enable = true;
# TODO: Add ports specifically. # TODO: Add ports specifically.
firewall.enable = false; firewall.enable = false;
nftables.enable = false;
interfaces = { interfaces = {
"enp130s0f0".useDHCP = true; "enp130s0f0".useDHCP = true;
"eno1".useDHCP = true; "enp130s0f1".useDHCP = true;
};
# For VMs
bridges = {
"br0" = {
interfaces = [ "enp130s0f1" ];
}; };
}; };
};
swapDevices = [ ];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# VSCode Compatibility Settings
programs.nix-ld.enable = true;
services.vscode-server = {
enable = true;
};
# Home Manager
home-manager.users.jahanson = {
# Git settings
# TODO: Move to config module.
programs.git = {
enable = true;
userName = "Joseph Hanson";
userEmail = "joe@veri.dev";
extraConfig = {
core.autocrlf = "input";
init.defaultBranch = "main";
pull.rebase = true;
rebase.autoStash = true;
};
};
};
# sops
sops = { sops = {
secrets = { secrets = {
"lego/dnsimple/token" = {
mode = "0444";
sopsFile = ./secrets.sops.yaml;
};
"borg/repository/passphrase" = { "borg/repository/passphrase" = {
sopsFile = ./secrets.sops.yaml; sopsFile = ./secrets.sops.yaml;
}; };
"syncthing/publicCert" = {
sopsFile = ./secrets.sops.yaml;
owner = "jahanson";
mode = "400";
restartUnits = [ "syncthing.service" ];
};
"syncthing/privateKey" = {
sopsFile = ./secrets.sops.yaml;
owner = "jahanson";
mode = "400";
restartUnits = [ "syncthing.service" ];
};
}; };
}; };
# no de
services = { services = {
# Smart daemon for monitoring disk health. xserver = {
smartd = { enable = false;
devices = smartdDevices; displayManager.gdm.enable = false;
# Short test every day at 2:00 AM and long test every Sunday at 4:00 AM. desktopManager.gnome.enable = false;
defaults.monitored = "-a -o on -s (S/../.././02|L/../../7/04)";
}; };
# ZFS Exporter
prometheus.exporters.zfs.enable = true;
}; };
# System settings and services. # System settings and services.
mySystem = { mySystem = {
purpose = "Production"; purpose = "Production";
system = { system = {
motd.networkInterfaces = [ motd.networkInterfaces = [ "enp130s0f0" "enp130s0f1" ];
"enp130s0f0"
"eno1"
];
# Incus
incus = {
enable = true;
preseed = import ./config/incus-preseed.nix { };
webuiport = 8445;
};
# ZFS # ZFS
zfs.enable = true; zfs.enable = true;
zfs.mountPoolsAtBoot = [ "eru" ]; zfs.mountPoolsAtBoot = [ "eru" ];
@ -162,33 +99,34 @@ in
local.noWarning = true; local.noWarning = true;
remote.noWarning = true; remote.noWarning = true;
}; };
# Borg
borgbackup = {
enable = true;
paths = [ "/eru/containers/volumes/unifi/" ];
exclude = [ ];
repo = "ssh://t3zvn0dd@t3zvn0dd.repo.borgbase.com/./repo";
repoKeyPath = config.sops.secrets."borg/repository/passphrase".path;
};
}; };
services = { services = {
libvirt-qemu.enable = true;
podman.enable = true; podman.enable = true;
libvirt-qemu.enable = true;
# Syncthing
syncthing = {
enable = true;
user = "jahanson";
publicCertPath = config.sops.secrets."syncthing/publicCert".path;
privateKeyPath = config.sops.secrets."syncthing/privateKey".path;
};
# Scrutiny
scrutiny = {
enable = true;
devices = disks;
extraCapabilities = [ "SYS_RAWIO" ];
containerVolumeLocation = "/eru/containers/volumes/scrutiny";
port = 8585;
};
# Sanoid # Sanoid
sanoid = { sanoid = {
enable = true; enable = true;
inherit (sanoidConfig.outputs) templates datasets; inherit (sanoidConfig.outputs) templates datasets;
}; };
# Unifi & Lego-Auto
unifi.enable = true;
lego-auto = {
enable = true;
dnsimpleTokenPath = "${config.sops.secrets."lego/dnsimple/token".path}";
domains = "gandalf.jahanson.tech";
email = "joe@veri.dev";
provider = "dnsimple";
};
}; };
}; };
} }

94
nixos/hosts/gandalf/secrets.sops.yaml
View file

@ -1,12 +1,9 @@
lego: lego:
dnsimple: dnsimple:
token: ENC[AES256_GCM,data:wyj88D4qPqnxovjRKS3jg2H6OwznNfhmVyMO9MV7e66mOjUw/vbqkstEqg==,iv:f+1PN+pKpu8bm8eAQ7sFb+ZpMe8fmImukUir41XdKtM=,tag:FRpEAWf0fA8LOoTrJiEwRQ==,type:str] token: ENC[AES256_GCM,data:CfRFhGE8AyZfO9RzoXXTfm8kstvx+Fuy53o9ulYNZiufzzSQ4KzwYIoCRw==,iv:HEC8hRpmk7YDI7RHj29ZAeFKyPgsWTHw1sxjdZuhcrw=,tag:7RhEhZ9GkyBE9PJRe+gD+Q==,type:str]
borg: borg:
repository: repository:
passphrase: ENC[AES256_GCM,data:33OMM880zGxJPTtqsNmbCMCCABE=,iv:8tvOqpKzbyx9sOmHLA+8v05vhLXjhRRuHpGHxGVo++s=,tag:MvsLDcVyX6rPr5lwDOvBqw==,type:str] passphrase: ENC[AES256_GCM,data:lt0Rq269GoBuLNw9fxwuMAmtYjE=,iv:57IFde6EX7myLSCvYXkkbSulr8S7JPYoThWBsPLH0Yw=,tag:NwlpouurYF+2qmw2T3De8A==,type:str]
syncthing:
publicCert: ENC[AES256_GCM,data:jfQge0lfiZrdc+Kfv1hijHh0suGhQSfOou0cD7GcP+t0EigvRmi1JPyUm4l78x5d64oTfQoeO4Iq0Y+PL0tf/SGHU/7tMwo8456FrLSZwl5r+1iGoqRXu+VaEfEm02YXtwcRCZVOMKiwlZC4xMhUZ3CUZ9ohipluNarieivOEFzrNaFbbUeJITALsvYpBPsoIvxOePASrxYwUAjAtGPUVePuL9xfCdUZA2MMDr3alxpuNlz3wOk36qX+OS0Rc0nM9MfACRWxFsKTA8AxlCYouWjCke3kVeqcEh0rVWSEx2zqIOC9N4Ms1Q1zVqcS4hWi1LLe5BN0pK7LHdjEbuni/3Cns1GpBLJc7mwsUwlBQ7RFStAspP99YmIfAlMeztfm7GuacJC2Bddz6PJ/QEMRXli7KRm3Wimb7J2fqOyaECE35xtplvdN8HIhiQ2X6G9aFW+T3h8Hqopihl23HVZFfHe4//c3BGhHUYgzbj/0frLF7s7QySI/j8G242wKyNqpDmiC+9OCPGmpGmTg98h7X+pG4Tl1GH7xpV7jlPqg2kFm3aVGscNdCAMXyWsXoZZIPyiAxTgMauXTFIkgEjEeCB+d8Eml5xOjs4ADUeJLIc4mNOYh1ggPjbSJAAPw7LYqtmaCkazZ3XWRmpMHwcRTpVtQPmo3sLSETY3hgo9T8Z2pVqBbiiH6qVSDdZ5RANvBH2hU7mZrppN9pSVpWxt895iAs01PeTwJlFg3XleqsUcrhncrx9TVGlLn7MP58LbKeUqWpC2LFCKW42O39ajLT8dES3XQ0zjTZhYGLG6CFs6tj9sDIRAX/f0nM0PLF9ctsR3IRYX75kLSl/Wx1UeFxPoIF4/fIKZxkrsd0Pjalp1ToT2EvYL6cq+eyNeF+QIK9CazCO1FfvgLSVy5NKB9KmSj6t6qEByagE9FX2BvAJ9zA36s/inqo84hrmfZz+vf3zJbkEL2Y8xxRtE0Fd2rU0SubmLDxrlmawBUnYQ8skJEKJAA/g8ptYrbdqshtUyZac2m70ZtxO5VZHAGO8tE+jYQsS/UMD4/Iek=,iv:sq21pry1Yz4vZITF29oyFGnvhUwgyDsFwtHrzl059KE=,tag:rOmVsnWpLL87M0d6mfgovw==,type:str]
privateKey: ENC[AES256_GCM,data:QZYlRzV2FPbCDun72PPgxxx4qvqGbuj0iZhvHggm/0sh3JFjtZIBZ7V4TfYYjJJykhKP+4Tm8rghnijiAmDSjyuGm0xwr9ENreRe/j7VrMYhcBes3h9PWOWY2jx+kh7U6v3da7/G79ISv5neFtsjvvM7UpGmIb4mwygZ9qO1cRRuC/k3CPehT7uN2kYNCKlfYJcRp/IlmvD0L38BtHsnokK0zCqC3q2nOZWWazfv3Hxck0kbQSV7V3OBmqfd6h7sdN/GQBv4gmgqjUH9DsCHz+3LEEyxIOp340zPKAZFZGg1SpBQREFOyyaYUMgk8iXRqvqIPxHeyruFzkDRZf6URni3klfEbQi/6B7eP8Jzt/BPfsdLYO9QSXyuqSYAj+V5,iv:BvlKA+gltrGHOXggwLsvqI5FCz7X+RwcOOCvdMYf31w=,tag:/SICpca+QkqeEh/dXYUxBw==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -16,77 +13,68 @@ sops:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4dEJJVHhhTU1XMVp2UmNh YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUZVhNdGh2c3dpYWU2TDNJ
cnEwMTg0ck9oZzR0QndXa2t3UlpVK0M1bzBBCm8zZWpZanJYcHFQeXdKK1BDSk9u M2Vyb29jQ2xHMXBKVk10dkhWVUFmVkpmV2tnCjF5ZnBBcGtkZjFYbU0zQXNNRCti
WVcwSGtvS3h0UTZkNG1ZMkZKT3hORkUKLS0tIFh6S1UzWXE3a085bE5NMjl6Zzgx QzVKOGR2OUQvRXVvOXZlb1I0V00rcWsKLS0tIElHeHhkSmt5UkZhTjk1dkFSbUp0
MDZrbzBNdUNvcnppZS9wMmczVU5uQnMKpYJmsY/Ul7cpUc+ueSt3FkShvR1KqYHW M1BiUzZkU0pDbHVQNC9yQ3pzSU5INm8KcRB4uY0PHnDfc4bJZwqkK/S7FbEXuxEu
q6bhaoby5Wz3XxLZl0ONBqovabkDwNiP6Er0rGiv0tK6TIaQE/NaUw== ot9oVR4sZBs7Uhi5Ixz7Kmk9dBJ+E9dWPxDeYhYo3V0Tq77h1vVOyg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpTnVFSW8rSUFVN0txbTJz YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNalVRWXVGN0hqZDdYUDVZ
aXFUdXBnSW1GZkRBcFNFZlBWLzFEa2NhTlJJCldEYUlHcHM2a28za2I0N3JORTZm TVRwVHJsTEJoTVIzenFuY0dnTWs1bnRHZnhzCnNPTnJ1Uk92aVRaMlA4VTRYbXNh
S2Foa0MyQng4TlNpaE53VHpLVGlNZFEKLS0tIHRNSWovZHJlaDhGY0xKd3pRQm5y MW5ycEUzUVk0RW1Iby9kWjQ1cTVXWDgKLS0tIDdVaTcvNm9Ca2hTMzBlSGZVUnZN
aExPbjRPVi9kZ2s4bFlxdFhtK3l5bGcK+qEq++r5B48TwAOxyRFWm68MRa91rnZx a2U1ZjIwRWx1bWp6TktablBqMUduUmMKCFT9vPMu/fob5SQG1004925OB1KNhsUm
levAEpFZYIMxfzxk++i26omu6r1jvXsiwtm2YvdoGhmNUqLU2UDWZA== obph/984DUTQxk6IvnJ7fPrnFwL5yY1azdybjPlwGw6o5SmwKpxWBQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqZzlkQmFiM2puUHVNUFIr YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2RjUvSFJqNGxieVZiVE9q
L0E0VGpxck56d2NsemFrNEFWNmZ2MXlTV0Y0CkppUmxYRlVkVUZiWEJoVG55cXAv NjB4RHcraXk5TnJtN1RSNXZSMlEwbjgxaUZVCjRxUGUwTjBFSU9nTHpRbWpmVkRQ
N0dRY1d1c2srTk0xU3AxSDNqQTZkdFEKLS0tIFpnZ09jellUWk1YZnh0akNsTysx cllyei9URXYyRGgrTGdjWXRSZmpRYnMKLS0tIHNQOXpkZnI5b200d0JiSVI2N1BU
ZnBCMVNqdGRvUm4xOVVRbTF0VzY1eEkKJhjFjnVk6Kr0LIUdyRPI3nPRXbPHHW/Q MS9MRW5ocGRMWXdBL0E5N00zbGZzVFEKxeMB0/opzFTnlSBK1vEsLqQ0qIDhOuw5
0NVqBn7s+NbS6pzSCPu5+T/ibo2HofQZQ0hFFUeCN/EO5xNCaueNFA== S+g8eYTVXSIs/3TMUnOJxDezAG2l00vyWryPw2sGOnqgZCnF9VB/mw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArandyVGlHU0NacDdmTDdQ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbzJDWHhIT2tSekxpWmFR
ZVg5ei9hYW45VU02RkhkTmlNeHdCODgxQ1h3CmpBdnhvdlBwWUkxVVNqcHgvNDc5 cVFocEl6N0VWM2FYVC9FeE9zeG0wYUhnazJRCllsdlFVZXR0YTA2T2h0ZUVienpQ
bkFydkRGOXE2a2lyTU9rZ2l2U0NjV2cKLS0tIDhyUm5EUlZxcHFRemlpaHFYRjV0 MmhJVTkwd1Q4VjNVaWxkL0lVTEVLemsKLS0tIHVqMHhQaW55MHBsVmc5TjJjT1Jy
ODN2Y1Y5a2tWOU1PTElLa3NPeTVCb3cKqPj5QB/K9uB4RN+KRsK8UGS4WxECJn/q RXdOeXk0NFJuL1ZKTUt3dXdkdlpLenMKmlQ0k9CmSWQ7MqueMbmd/TqYyQiDFZ0G
HCVEo/5YFnoEtE0X7xvyBEKgrAokzVsnuHtNqP0i6ka2XIt0yi2xOw== FPtUIFWxxPY79vsEHq3kxyz4CGMUv7tYx00OK6niLgLZUStd/3Bxmw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df - recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMbWxBNFpyajNETjM2VUhr YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWTk5S2VkQmNnNjIwQ05y
TTdmc2pwb1RVNHlNVGNYaUFMelFOQVUwMlFnClBQRldoMXY4dm9nY2Ntd0pRNUZu TkR2MjdnY1pGMVZpT2dadE5icjIvRWtnT2pVClRCcTVHa3BaMGRDWTgzNE5zQzBq
NEhYeVp4YUthMU1MUmZvSjh3ZjVTajQKLS0tIDNKSHNQcWJYNkVvWmFXV2pSNVBP MWRWWi83b0k3OUo5WXhHTVRZSmovMWMKLS0tIFF4UlNtNVFkd3phTzd6R2FuY0Js
cHVzY09RZ1ZuSkNWWisxeDQ5V2Z5VW8KybOLJvSkkV5XiH431SBY8k5aSE9QdZ5r VWpzZTdXSWpiV2tRbnc5VlVWM3FCak0KQGy+ZWdvEh09y9z1Dj3GTVyeAJ5notCH
UghLUUTB1OFvycYNyxhyIgetX9ycu54PXitEiTBGWphPiAnXyBG3dQ== ujbOfaly8e9E2g4uOxISxyFe39xlOZd6zEInZ5qiKPrZz37ASChBkA==
-----END AGE ENCRYPTED FILE-----
- recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxVGRacTlCMjBRaURxMDNt
SXBnZXl6M1l3ZmVZUlVDZEV4U2dJSjREcGpnCkF3L1hhOEFYcnp5Y3VLSEsyTWZE
NFpTNno3VStINnlXdW9wcXd3bW81UGsKLS0tIGR3b3lQa3VIQmZ1bXREQnphQ1lL
KzdCbXNTc054eEJBeklmM0xPVGQ4bmcKgZtxtepmmn/M4HylEsQ0FB/OXlgnyrU8
6Yy2ua5/UN+YfFJ2FNoYyxd7OYLDeHsvQQODXJuL7VEGBaF+3ttMHg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAweHZaZjRoaXRCNEFBYk1V YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrZDNFa0U4MWs0dmVkZXhi
ZWJ3YjVJVFFmeGhpUnVHYXhxNlhvOEtqVTBrCjRIa3N3UnRYeTU5ajUyM0xjanNN V3JjdXIrTTdkamkzRW1jU0wzNnluQ0lJbmpNCkcxNUNwc3ZxMXJreXBxNUlaR0xN
RjArandlM1ljbEdjcHcvL3Fvd2MweFEKLS0tIDZ2Z0dpN1d3bFc5VlNMbXBmZGNn RmFDZ3RIaVU5aCttS3Q5dWo0QUovVDgKLS0tIEVJQm1xWE80OVRyWUxkMzFXRHBp
blVrd3dubmUwWGd5Rk1PSHBPUlFBZ0UKOh5BQgCUxQxFSU2NxmOGEmO3DZ3TuWid RlJTZjgzQ3pDVHRPQ2dFbHBqdzA3N0EKGBFnnJMqUrbaIviqpX4CP4Ps45Lk/Yyn
d1vLm0TotAjshXBSy/yo62ejDUhvoCJ38PNDi6+zpZwCFYhaviQM7g== fpVxSlwjOHNDwQ4ojUjv11FRo9WHUTGACFniUtvYc0oaLNygNgf8+Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4eTdXNlA2bW1OTmpFNktD YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBodERMdDN4cVRiS0tVck5h
cTgrUjY0UzV4NTE5NWFHdHlYa1JaeW1DblZVCkwrelZjaE5vdkFyTkErMGR0Mmt0 N3RySnRtSXJHZEthRWZNcENrNXY4bHNHa0R3Cm1HL0lzWnpocWhXNDV3RFRxL1ZG
RkVPb1RTMjlEc2pRSDZjMWpwVVNhZVEKLS0tIEpaV3Y2enoxMWZyTVZjdlpYTWtH dWlCQWtzMEZlRnNML2NrOUVPSVRTcHMKLS0tIEsrbk5VOUZhbDFRRHRuWW56TjE1
ZTNZOVhTcTBHSDk2UjhXRE90VCs0R2MKUI6Q/P4v4xLnkqXqMuidlcgccDzf3Ig7 V1d0d1lKb3hyYVQ4elBIZ0hnU3FTbnMKiWERjAwlJRPK+PILCBV03uyNVnNgolA8
P8aVNYbwtQqjsOwjYcoec4PaQehloW0kt/QSnYQx3znxrYQE1WVVNQ== PS0vbIDVNiX0pIrRlM2sVivZwqajjTB3XROXMmbIKpQxDMjvpHgqJA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-08T01:53:24Z" lastmodified: "2024-07-27T04:50:25Z"
mac: ENC[AES256_GCM,data:C05zcIFQC3gMa5AVKGB2uvpT5Bj/Pt2XyWizjPfIa4gcx1TzueQZ0mlZHjJY/9qu5SccbLrJ/eNmajzh39cTmFZ7211l9Zz6N8BMboh8olzIWUYFeGzZtXgmKXBRMVH6RPpbcuawLOeXeD9pCLSek6V9Qdx/OUnlWokj9ZPfvuc=,iv:PGMPSs99J6neXoSF18yWbxjCE0M9dSjqtz1ntxwk0TU=,tag:pZfVKcroeKPAvlfft1YsOA==,type:str] mac: ENC[AES256_GCM,data:IKLC9N4FvfV+eWFoVZa5ijyBdiQuNdXAE4Z/pQNhns+qTuMpuz9QLeQGysow8zCqg9z5WHPa+U10uBIJg0P6Bq2CkBTJ2/75axsQgqc+BPuY4cUfppbYqQaSzB831b3XMHei9m/IPXNoh277jk0E9A0mOzHu4YsBEEzyf5nESn4=,iv:dOIgrQD0eDB1lqTWoDoLXnDZTWJLf5m9a948Wabfc6I=,tag:MWoIe5UpTqZCDDJMcg0swA==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.1 version: 3.8.1

0
.archive/hosts/legiondary/default.nix → nixos/hosts/legiondary/default.nix
View file

18
nixos/hosts/shadowfax/config/disks.nix
View file

@ -1,18 +0,0 @@
[
"/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNM0W406409E"
"/dev/disk/by-id/nvme-SOLIDIGM_SSDPFKNU020TZ_PHEH314200DT2P0C"
"/dev/disk/by-id/nvme-SOLIDIGM_SSDPFKNU020TZ_PHEH3142017H2P0C"
"/dev/disk/by-id/nvme-SOLIDIGM_SSDPFKNU020TZ_PHEH314201AD2P0C"
"/dev/disk/by-id/nvme-SOLIDIGM_SSDPFKNU020TZ_PHEH314201E72P0C"
"/dev/nvme0" # These are required to fix a smartctl bug I have yet to upgrade to a version that fixes it.
"/dev/nvme1"
"/dev/nvme2"
"/dev/nvme3"
"/dev/disk/by-id/scsi-35000cca23bc8a504"
"/dev/disk/by-id/scsi-35000cca23bd29918"
"/dev/disk/by-id/scsi-35000cca23bd29970"
"/dev/disk/by-id/scsi-35000cca2524cc70c"
"/dev/disk/by-id/scsi-35000cca2524e03f4"
"/dev/disk/by-id/scsi-35000cca2525680dc"
"/dev/disk/by-id/scsi-35000cca25256b484"
]

49
nixos/hosts/shadowfax/config/incus-preseed.nix
View file

@ -1,49 +0,0 @@
{ ... }:
{
config = {
"core.https_address" = "10.1.1.61:8443"; # Need quotes around key
};
networks = [
{
config = {
"ipv4.address" = "auto"; # Need quotes around key
"ipv6.address" = "auto"; # Need quotes around key
};
description = "";
name = "incusbr0";
type = "";
project = "default";
}
];
storage_pools = [
{
config = {
source = "nahar/incus";
};
description = "";
name = "default";
driver = "zfs";
}
];
profiles = [
{
config = { };
description = "";
devices = {
eth0 = {
name = "eth0";
network = "incusbr0";
type = "nic";
};
root = {
path = "/";
pool = "default";
type = "disk";
};
};
name = "default";
}
];
projects = [ ];
cluster = null;
}

17
nixos/hosts/shadowfax/config/sanoid.nix
View file

@ -1,17 +0,0 @@
{ ... }:
{
outputs = {
# ZFS automated snapshots
templates = {
"production" = {
recursive = true;
autoprune = true;
autosnap = true;
hourly = 24;
daily = 7;
monthly = 12;
};
};
datasets = { };
};
}

46
nixos/hosts/shadowfax/config/soft-serve.nix
View file

@ -1,46 +0,0 @@
{ ... }:
{
name = "Soft Serve";
log = {
format = "text";
time_format = "2006-01-02 15:04:05";
};
ssh = {
listen_addr = ":23231";
public_url = "ssh://10.1.1.61:23231";
key_path = "ssh/soft_serve_host_ed25519";
client_key_path = "ssh/soft_serve_client_ed25519";
max_timeout = 0;
idle_timeout = 600;
};
git = {
listen_addr = ":9418";
public_url = "git://10.1.1.61";
max_timeout = 0;
idle_timeout = 3;
max_connections = 32;
};
http = {
listen_addr = ":23232";
tls_key_path = null;
tls_cert_path = null;
public_url = "http://10.1.1.61:23232";
};
stats = {
listen_addr = "10.1.1.61:23233";
};
db = {
driver = "sqlite";
data_source = "soft-serve.db?_pragma=busy_timeout(5000)&_pragma=foreign_keys(1)";
};
lfs = {
enabled = true;
ssh_enabled = false;
};
jobs = {
mirror_pull = "@every 10m";
};
initial_admin_keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcLI5qN69BuoLp8p7nTYKoLdsBNmZB31OerZ63Car1g jahanson@telchar"
];
}

209
nixos/hosts/shadowfax/default.nix
View file

@ -1,209 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, inputs, pkgs, ... }:
let
sanoidConfig = import ./config/sanoid.nix { };
disks = import ./config/disks.nix;
smartdDevices = map (device: { inherit device; }) disks;
in
{
imports =
[
inputs.disko.nixosModules.disko
(import ../../profiles/disko-nixos.nix { disks = [ "/dev/sda|/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNM0W406409E" ]; })
inputs.nix-minecraft.nixosModules.minecraft-servers
];
boot = {
initrd = {
kernelModules = [ "nfs" ];
supportedFilesystems = [ "nfs" ];
};
kernelModules = [ "vfio" "vfio_iommu_type1" "vfio_pci" "vfio_virqfd" ];
extraModulePackages = [ ];
kernelParams = [ "zfs.zfs_arc_max=107374182400" ]; # 100GB
};
swapDevices = [ ];
hardware = {
cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
nvidia.open = true;
# TODO: Swap these once I switch to 24.11
# graphics.enable = true;
opengl.enable = true;
nvidia-container-toolkit.enable = true;
};
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAGSFTSVPt43PBpSMSF1dGTzN2JbxztDZUml7g4+PnWe CSI-Driver@talos"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBROTzSefJGJeCNUgNLbE5l4sHHg2fHUO4sCwqvP+zAd root@Gollum"
];
# Network settings
networking = {
hostName = "shadowfax";
hostId = "a885fabe";
useDHCP = false; # needed for bridge
networkmanager.enable = true;
firewall.enable = false;
interfaces = {
"enp36s0f0".useDHCP = true;
"enp36s0f1".useDHCP = true;
};
};
sops = {
secrets = { };
};
# Home Manager
home-manager.users.jahanson = {
# Git settings
# TODO: Move to config module.
programs.git = {
enable = true;
userName = "Joseph Hanson";
userEmail = "joe@veri.dev";
extraConfig = {
core.autocrlf = "input";
init.defaultBranch = "main";
pull.rebase = true;
rebase.autoStash = true;
};
};
};
programs = {
# 1Password cli
_1password.enable = true;
# VSCode Compatibility Settings
nix-ld.enable = true;
};
services = {
xserver.videoDrivers = [ "nvidia" ];
# Minecraft
minecraft-servers = {
# Me cc858467-2744-4c22-8514-86568fefd03b
enable = true;
eula = true;
servers.eregion = {
enable = true;
package = pkgs.paper-server;
serverProperties = {
motd = "§6§lEregion§r §7- §6§lMinecraft§r";
};
};
};
# Smart daemon for monitoring disk health.
smartd = {
devices = smartdDevices;
# Short test every day at 2:00 AM and long test every Sunday at 4:00 AM.
defaults.monitored = "-a -o on -s (S/../.././02|L/../../7/04)";
};
# Soft Serve - SSH git server
soft-serve = {
enable = true;
settings = import ./config/soft-serve.nix { };
};
# VSCode Compatibility Settings
vscode-server = {
enable = true;
};
# ZFS Exporter
prometheus.exporters.zfs.enable = true;
};
# sops
sops.secrets = {
"syncthing/publicCert" = {
sopsFile = ./secrets.sops.yaml;
owner = "jahanson";
mode = "400";
restartUnits = [ "syncthing.service" ];
};
"syncthing/privateKey" = {
sopsFile = ./secrets.sops.yaml;
owner = "jahanson";
mode = "400";
restartUnits = [ "syncthing.service" ];
};
};
# System settings and services.
mySystem = {
purpose = "Production";
# Containers
containers = {
plex.enable = true;
scrypted.enable = true;
jellyfin.enable = true;
};
# System
system = {
motd.networkInterfaces = [ "enp36s0f0" ];
# Incus
incus = {
enable = true;
preseed = import ./config/incus-preseed.nix { };
};
# ZFS
zfs.enable = true;
zfs.mountPoolsAtBoot = [
"nahar"
"moria"
];
# NFS
nfs.enable = true;
resticBackup = {
local.enable = false;
remote.enable = false;
local.noWarning = true;
remote.noWarning = true;
};
};
# Services
services = {
podman.enable = true;
libvirt-qemu.enable = true;
# Syncthing
syncthing = {
enable = true;
user = "jahanson";
publicCertPath = config.sops.secrets."syncthing/publicCert".path;
privateKeyPath = config.sops.secrets."syncthing/privateKey".path;
};
# Scrutiny
scrutiny = {
enable = true;
devices = disks;
extraCapabilities = [ "SYS_RAWIO" ];
containerVolumeLocation = "/nahar/containers/volumes/scrutiny";
port = 8585;
};
# Sanoid
sanoid = {
enable = true;
inherit (sanoidConfig.outputs) templates datasets;
};
};
};
}

86
nixos/hosts/shadowfax/secrets.sops.yaml
View file

@ -1,86 +0,0 @@
syncthing:
publicCert: ENC[AES256_GCM,data:oqQZ/QORhJoMUa1Sn4CoE5DKfgfIwRo7DR30MJoRLC8L3mOEDRQyk+P9ELAn3RIe2sa3OKwionJ9G+GM5htZPTaKg2h/wy//M89sdTRhC01vxJm80wScgQ8sC4HC8BpQCM5yt7A9Ln7mMvp+v61ae6xyEOcPpcZH4i31sxQUxuWURJU/KpdTAHKhora40W+DTx4YL7jEN7VMH+GawhJeW1jNZZDcBoQK/9RvB5uu6AFsQCedRwJE0772F16eaNKeXCu0BpNdTaZ7dNSUEeK0mT/0osb6DNVon8gKcYYEYtAyI/SnUOwRC4x+FeZYkAae3WGWzfKGC6ENN6JEHNG7mS81b83i3tyaN84wwmP/1pgQ5BSSEztH9P494SXLBnw3XxD2u5vxuKjf37q+gPnErq7hCEi9aS5HS/10ksgV5zpzg8eL9fNpyLXHqxDdllfvBo/KJlQaDri2OYcrz8SQlB0oCZI7AbjFz+zomFSzhi5S3gcLN/cB1CXDmK8/Ka26dcc6gAot18PqVt1aCHHVnLGvZEGt9Cj+/bool4Yq9fqQlXDyFMbiu0B57KEYshmeJE5w0fmBhenORyuKq2xhiXL4RCuKVoitjY75T4O2+ZzAqYli3gMcRksG6b+gXAYGF3XhJ2m2tBO5STlWzQx9eo8Ksm8+z0mJk7JgdKpov1mLzWZh9vHNkvUIGw15h+3FBu7oTgcvwrOqGDCCcAQSimMKiPuCUi+r2z4FuFobZOSlqAD2eRX9yh/V8s4VmaohrxacgIdscipkMFnQFGGkV3PHhh4yfMzZNHPll5Dk9fUM0BHrFMUccvP0aww60+4pufTUGWxrW5nRlI6jImPuoMh5KVZj5OAPYUcBj10UHjjtFKWN0V19XGVUx5TBR+AAkQzvAWrobSfyTyuk6P0l3Kpyi6DAJoW1Z7t2EQueKxjAd3uKMeCNDIfJOWVju9j3t2iu4BN3eyZTTbeKMwfkDJALHTsmtisRfc47qLxB3jyOHZXdZsC3OBgzRl2NlejgM+P4CVVH/kwT336u6ouuLJFjpsP+iUdBiRE=,iv:1FVhrbnLirFr2bHWZ53vEdnS6rL+HSMdV/XZarMmNAg=,tag:HCdx2II3FqDGy/t36NGiFA==,type:str]
privateKey: ENC[AES256_GCM,data:UNOJu/8lwtOy76y9mURvAQAcCPkAqCr3k4zo0qJw4WoyRiFnHszFrk988LdX9hi1a8d2SYpSbWBdRxAOBOkB0ljycjudgH+xVdOLeJDKZH69zRKkWwdfq6N4vxYhqnUyCuwsRrFvg4cZYeEx9n133QNf3DPYIvovlPEfurQXDt8s3/tDqVeJ1SuJTX2sp8X79KWypCb9T3mar9X67EirV2Tz6uxzeRiWUpekfQbdzcjITiQPZ9silBcu0ZIwgfneBQ9yqAV/Gu01mJph6H6cYqBhK3xO4T8tXsnk66siBjWmqKP+3kVG5pyFDMAhuM0Jz+0VkaKOjYxTaPff1YMsL7/hWQUXcMgM6NyppMbpJBnvqcaMpEbYuEF444pBVktC,iv:H/X4eW+1//f7uyJRiveZRQRJcPGelxHhz1sIlzsMCcM=,tag:n+/dttJpTBeHFK/H40M0oA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIREVLNDdJUVJlbk1OR2o1
RFNJLyttRDZoTmoyenZFU2docVUxRnVtdVcwCkM2VEV5ZCtobWJDZUNVYWlkK1I1
dlJlbzQwKy94dEkrZG9rb1lma3IweGcKLS0tIEZLQjNxT1lobDh2VEJWY3E5cGZE
UzdGT2JpUWtVSzI5VVBXNWVXamlYTEEK5fFvbB55/4Nj3tI2TG3WYhwA1WK3vmfH
Qh5H5GcAYGV37Wlw2mZ/J3SYo9IBG+aNyXO8nE2/pwF7Tbw7GDPQ6A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtM0Q4ekVwWXhYd3krVzJR
anFxQWtaN0I3Qk1qRDE2cFVETGs2T1M0ZHhnCklBL3hmeXh3OWpvYnRzRHJWY2o4
TWpnYklpOG04S2pCVEdmTWtCYXJSUWMKLS0tIEdSUmthcEo4UjV4THAweC96cmNJ
dVV3TW04eEZDNW83T3JCRFVjMmxrZVkK7mU2HJstMD7p9As/s4XyBuYVJAlqCveA
NvC0imDnZ7btrVWKNTV2UB0VgQiM+opgcNHYhqRT1vLpUv/+ZRFDrg==
-----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqWElORElqTkQveHZFV1pk
ZitvWnZLTEJJWVFCTzZTVklQOVNCa0J2ZXhRCktGelNLYS85dmhJdlVjUWxkTWpC
R3cycTd0NEVWN2pLZnoxUXFyeG1tSjgKLS0tIHlIbkc0Yzd3YURqOWVwT0NTQlZR
bzRaVDdDL0NlNUZ3cTV4NU84NXNTeWsKZXNd2pYBG5P48kurR/XyswPGStyzSkqs
2mEjJCwuMZBkBRm9DFzbB/01LxqNnES4U9/6oVri0y4mHl5R7PyTag==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNQ3JHSE1IcWJqYW85cGtr
WXI3TE1SNGZ1R05iRkNKeW0wR2pVNU12dHlFClJseDYxUjFyOFg3Yjdpb1E0aEVj
SExnaTMzK3dDR2NvNEhjTkoyUTI4NlEKLS0tIGsxencxR2dhWWwwaGtFU3VnaU9x
bUNibENVMmQ4NWhOTmlOdmJyTTB3eUUKM5zbfS3IOGgXlAFi+40DAIBZbLiDDyLu
g5CZKtRAw/85WOqOdWl+WJBYegggyZs3029w2QA9WzxymnkGiyl1nA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZb0xEUFc4MmpOM0RaWmZO
Q1MzVkJyRnNFN28zUlQ4TUZ2TktWakFVZVQwCndvdDNzRGJMbE1lMHZaZ1llVzE1
dXZFMngzVVM4UjZWV2ZlOGY5bWJjQjgKLS0tIHBMWFlxd0syRjlEQUFwRS9lN1Ji
K2hUdmZmUHVWa01qVHVUODBlZ3RvY1UK4u0PsdXstr/NVsYGRglQ8IPhElIcJIbk
3G83Dunu+WApUNMhoCFpB0OuxSyc+xDIdEOhqcFGvIoywMmnpWWZ8Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrRFBRWWNSU1l5dE44c0No
QlJvYlh3dEZKVVVmS2RKOUdyaWtGMythUHhjCmsvR0M1eHlVd1l1NXVCWEw1ZnBa
SUNpWDFZWWJlSlVnR0VCNlluSWt0b0UKLS0tIENMa3FFWHpkaTg3YlRXRHpML05j
b1dmeXFkZjViVm5hdldOdTJRRWo2QUkK+eoVhfzSHimufxl0O81wRBJQ8iEVb7w2
rVLONs1qR5xRGCV6OpCtbRqKaNXQgGY/w1CGb/44xdmh7C2C21gs6g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKV1o1cFphUnNhdlM3blh0
dHpKODg1SXNsbVlnRG5zaVFiNllEOGEvWkM4ClFwZDg3a1o2UDYyUUJwdHAxU0JX
MUN6Rk9rR0NKSjNyK0ZrQ1BaTWpTNjAKLS0tIDZkYTUvd3lkZHV6ei9xemUrUWFQ
TkJ6bDhxVVUzckkzNllsTkZLeFlEMkEKFesi49AfQbNLnYGrlvpCXCwvI22J1DL7
QK7lBMlDX3+zlutX6DKygQBT3BckSZWI8upOsK2atjP6d8seDVl3cA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0eld2eEwyRTFyMGhXL2w3
Q1JYSG9VMXVqZE1zak1Ub1dOWVZYaVBNUzM4CmVUNURBcDVWeHhUUVBoRDE4M29B
SzRyUGU5MUVSL0wzRWZLd2RYOGplSmMKLS0tIDNOYWcvL0t0K0tXMWZGQXNybjY5
NDIwV1hIcXoyZWI3dUEyeWtXd3FLcEUK0YBS95TA9luAL1mObUtH6RG4nesYZ7Fc
bB3e2p6Mrp/t1Oa/8p6WQXxu4vf5y0XCNLXeW6I6/3udrTXARaNNPA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-08T01:54:39Z"
mac: ENC[AES256_GCM,data:YD2Uwxq8rt2NPKfh5gxHvXcbcEmzfO2ZaaYjH0RnhHyNnHrf3jcyzEhJphKkzRRpsCJ/F7UV+x8EQdWkVn7eUykY92TkLeZ9I6TwyqupzfycQGrJK3Ma+jbO0qlG5L7NXXSxj4LKtJ9Rf1BdFH4czeWmrM3aMhtgAclZ4sTSCos=,iv:AElkydOvlkkGu/1iLxclH1bqkd1Pj4uQH3gbp6iGDII=,tag:WEfrJm3F0niQn1vKuowALg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1

58
nixos/hosts/telchar/default.nix Normal file
View file

@ -0,0 +1,58 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
networking.hostId = "4488bd1a";
networking.hostName = "telchar";
boot = {
initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usbhid" "usb_storage" "sd_mod" ];
initrd.kernelModules = [ ];
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
};
fileSystems = {
"/" = {
device = "zroot/root";
fsType = "zfs";
};
"/nix" = {
device = "zroot/nix";
fsType = "zfs";
};
"/var" = {
device = "zroot/var";
fsType = "zfs";
};
"/home" = {
device = "zroot/home";
fsType = "zfs";
};
};
swapDevices = [ ];
virtualisation.docker.enable = true;
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# System settings and services.
mySystem = {
purpose = "Development";
system = {
motd.networkInterfaces = [ "wlp1s0" ];
fingerprint-reader-on-laptop-lid.enable = true;
borg.pika-backup.enable = true;
};
security._1password.enable = true;
framework_wifi_swap.enable = true;
};
}

12
nixos/hosts/telperion/config/haproxy.nix
View file

@ -27,11 +27,11 @@ frontend k8s_homelab_apiserver
option tcplog option tcplog
default_backend k8s_homelab_controlplane default_backend k8s_homelab_controlplane
frontend k8s_theshire_apiserver frontend k8s_erebor_apiserver
bind *:6444 bind *:6444
mode tcp mode tcp
option tcplog option tcplog
default_backend k8s_theshire_controlplane default_backend k8s_erebor_controlplane
backend k8s_homelab_controlplane backend k8s_homelab_controlplane
option httpchk GET /healthz option httpchk GET /healthz
@ -41,13 +41,13 @@ backend k8s_homelab_controlplane
balance roundrobin balance roundrobin
server shadowfax 10.1.1.61:6443 check server shadowfax 10.1.1.61:6443 check
backend k8s_theshire_controlplane backend k8s_erebor_controlplane
option httpchk GET /healthz option httpchk GET /healthz
http-check expect status 200 http-check expect status 200
mode tcp mode tcp
option ssl-hello-chk option ssl-hello-chk
balance roundrobin balance roundrobin
server bilbo 10.1.1.62:6443 check server nenya 10.1.1.81:6443 check
server frodo 10.1.1.63:6443 check server vilya 10.1.1.82:6443 check
server sam 10.1.1.64:6443 check server narya 10.1.1.83:6443 check
'' ''

10
nixos/hosts/telperion/default.nix
View file

@ -42,8 +42,6 @@
swapDevices = [ ]; swapDevices = [ ];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# Until I can figure out why the tftp port is not opening, disable the firewall.
networking.firewall.enable = false;
sops = { sops = {
# Mounts unencrypted sops values at /run/secrets/rndc_keys accessible by root only by default. # Mounts unencrypted sops values at /run/secrets/rndc_keys accessible by root only by default.
@ -99,15 +97,13 @@
matchbox = { matchbox = {
enable = true; enable = true;
# /var/lib/matchbox/{profiles,groups,ignition,cloud,generic} dataPath = "/var/lib/matchbox";
dataPath = "/opt/talbox/data"; assetPath = "/nas/matchbox/assets";
# /var/lib/matchbox/assets
assetPath = "/opt/talbox/assets";
}; };
dnsmasq = { dnsmasq = {
enable = true; enable = true;
tftpRoot = "/opt/talbox"; tftpRoot = "/srv/tftp";
bootAsset = "http://10.1.1.57:8086/boot.ipxe"; bootAsset = "http://10.1.1.57:8086/boot.ipxe";
}; };
}; };

93
nixos/hosts/telperion/secrets.sops.yaml
View file

@ -1,10 +1,10 @@
1password-credentials.json: ENC[AES256_GCM,data:AgjrQRlLUHozHTsn2iAf+DoQKmhQfSH6ktISxUZeEjs56k6idjbndkK/kwQXNNrAwmmpT+3OG7cOv0bAPU8AzwZYVyOlpFwp/eXvPJI6YcXlmsCn9lEANpdIbpc28npWTxuYvwZTSavJt5qo/Q9Gf5YQ2qiW6ER3vA1bej7Q6/WRNqcRWKfcMOfNg5YAms/o+nUDKgp2TG4cypyw7tXUoFk9drhCrybNSdlWxWf1t+VdiGLIFk1HvYWkelpxJujRZbKJxNi+4kPT1xQyU8IJbOZx1wXsIfz5I7QPtfoMxbAhRB5ikAwZpNLO1DpnAqBcLES+yqHm0V/hyI48mHz9gSH7fCUvGqj2OqdaKAl0lEpkTMA8PkfRNKGumwHsq2IEh5PP0kj50WlEFFoZszM5QKr9FK7tcvMP0mTL88hlCqnH7rzvNQtpC76BcoReOfKO0ZPtfEAJVGzsQ4F0hkeYzlfyoylqOzldju1QPadQ8Pq3dZFUXg5mZrF2N2kx8gqHqNHqK0BY7KFRrqTIJWebHiLYWe+WWqK3aUSLx3j8iqjuf+HtEBnxAkVIuAYBS6KwHQeXycdD/d1aMm8T46mJzW5FHlUed++GsU5HGQOF2gDZ2gfimdZ7taH0Wlf2wYmuH3BJKFGROefv0SuhuqKMxG1ownFIO0CbCS61ErRTER1P1L44CmaPyIgRNPMmz4nLlKt6+P7Ci4QGpevBkY1wHEn3dT/fNrBBW5EBsrWKRA88guZZHAwB3HLAVNqDno+nWlXlB5RxzaYzya6MYrlXKQxYluU73UQRzH7ikAcL4dJpjVPNIZPkzNRAI75U/IOQX+XspwM+yeIC38TAnNIcARXk2u2FJPaJLQSLqQJYgN9DO5Rg3cIVD/RsSU8TMEq/5jHaoMjZZ4iaYjUHzXbTOvk9WuGBJB1uBm3WUVDwLy6sVp7kHv4PvECcDByNxvhd7Krpbgt9sMi3jsfloo8zOzyoUOkbCEJNr6KCTOvd1/gzRVBxKyTajBkp3P/K7sqGSYpqqmE9qQSeHH6hVMgpicPsn29rzBRW5z0Oep+E6mmDoFuzJ1PJCdLguOIOkVDGiaT+ETtSrg6By3+lhcknElquTd0McoIO2nst80VA3tGUFwPcRJ+GmCtNLBDQgsxz0FtLMzIp5rWi630gnDHBjCf/qXWxyb1YXTpWGmsfWlF3xf8TrH313cnYkKVJAxMBFQVB9GCZMbFcgWg2A9T6b53tVHhmTWIZ5fHGOVBsruo/zU3mhxjoOqsbgrmj6Vi/1sEHvkN0hQq13QGT0bRv4L8BdeIanCMItEP09WZ3lDlDaXY/5xgfwr82oCxrMM7uk/j7COF5C1OjtbsqrGUUB4bphgiVsTT0m7KUw/VdJlPDUNAm3Qu5YUgeypmcNJoNFwsa0deDdg3GllaePP+8BDRbNrGSWUoNB7iNcW/fVaw=,iv:FUiB54c70FVSSkeXZ4stCdKGwihjpSZfsKqKoiDynTA=,tag:aNTbQb2/FUx2NrjQUVMIsA==,type:str] 1password-credentials.json: ENC[AES256_GCM,data:odK6x2TscY1WNCOaPBSfo2ln7hsa5UopakUpOgB4ci64p4LGIwTTDnSiq8+UXkrDndQ7tSqtr9RUvB+AwwYOuh1KBAwWmlZN7agtxUYc1wvMdQv8WPDfhqe9m0FNP5gyTaohcjBdBddZlv7izScVePUQUdG04dGYqUg6mQ/gmPtJy27hil8GivvxRN6FnFtkgoyfE+ZLfkTuMdeL4cxai4j+UeGc5XgmsrBLrW5udeDw2hktGXEBp2vMC6t+D7uzZ7DeLBDiHRbBZBeo+krnVdPsLxU3yFF/hC8vWVbkT7Wt/UhB0+X8SWvhYOvc3KW+NfyHcU0SONhQCM4iOkk/1qvcaDHy7idqexKxOtfQaZtuHW0vB3icgbxTO9usFxOxUPe63yXHUg+UDKSN4UGCF10eLoZKaV7zO76BkTFXQLl2Q+dytaxEKathhW4fS5lUBpuxXNDXuIxMiUIclXwVWVDpL7qchTJCopWwwDRaeHrUPev+pQptEsDLYpZeuf27hPjCMiOWkxt2kg2eKPjJ8AUtI8N3OlFPCyAurLgLSrFj0Wzm24LJLKsjs1if2y2jb/pR4MPdgnHgNnHS8VQ9JVprVyuw9C/wDhVV7yW+D4tlJ/d7AXaJq/dkO8XnwCEVPyFr9bUMB076z+tleYgvv9rHkdQMaqHr5HCHAtuYfM4f0Zpfr9alJ4wxCsj+MAn/PLGxjNd/hQQY+oYRpzBne2mUoxhRt3ZjnGH8LUBFSlz+e0+PB0anS3oV3XZUt0XuwGpNIxp4LsRFgmDC2qoMKZ2X7/DfTdmb3te0YbYNUUeHxlQ5AImzU6Lj1qw/clD7ViS82Rjc/WCavg9J7U7CdDbzhtv6xCxbyd3j1r8Wi4XLAXy4ZdcdvCEyYDHwJeExY8pp/jvS3CqSrlC/PyBUemloIQ+jSQiRYDv26XpRKbJ9Yd8fJ4ANPCMuvXU21iXtxHIRwopTo87hWqqSaORFcyVOmCxJJpa/TXL5fdd4ISy6CSqZXZCCIfiVxq4fBkqSoya4XMXQQq9Ki5xwLf1bDhaT3v7okP87A9d/j9Vru2RIZtRT71jVKvwDvJhLAfYuXyIUfQh5cvIw4/HlAZzP5vi1w5KlIJGf1uVVhvTl7p23/Gi9LAX3/P75dbK+x4VYOyqjMowER3jxk9m6GyFDl7iuceNh1bIpgPN1s4QOba7N2Tex5oa/aJJKOLYE4GYDtom5auDP6Xqa/Nd4NaDyd5oVuXcP7Lp7tDu9sIW5rhGaVYKU7jhzALN9HjfmAen+cZ50oy8L3IYKlS/91qzGughYDOjK4qeQ2XrMxySnCPja7ElV4gxmB3X73nxN+N0ZLEDhAGIS1FOaOammDjK2Pj/3vA5+S2hO3GYLh9glNgRnIGlNUVtw3My9H1mYIc4eP+LGGXz1KPnQMQWRtXZHH4d4fsOyhk+CE8as7WtyO7M=,iv:RkYdMs72Nq7dwHScKZeXMNSJ53ztTXCb3lkhrr9K2oE=,tag:XDdPfd+Be9nSAbvate52AQ==,type:str]
bind: bind:
rndc-keys: rndc-keys:
main: ENC[AES256_GCM,data:JVFfmWawvoQZNA/phLZAH/ZfDFkuDBAzQsvavFMT/8v8JKi4oJ/V2UjVv4Xhh730SP74Z41UBUA+N1iW+1HsIqCm+UGcjelLWiKoMGQMmuzVSbt4oN0lVtVIZyke+hzlNPm5qTt1,iv:Q5t9beYjCoTiYOm8K3ktqLbkaWWWzPPljcxmdrXdczA=,tag:gZaOrxZ9ou/+ZxukaZ9FDg==,type:str] main: ENC[AES256_GCM,data:X0HTyNmqH1epIVNkXMyFlavqAodDw92Gs2sK54USNv0mWIwmk8NEb69x/Od8TAwDZw63k0lEAymyj/hBfkpav9yKT1M1hGxr09xjWsR/DTAM9tFv140cvnMEon0ZbXVXp4ou24jP,iv:7AsoCrxf8CyPiyWYfHZsGE0Qw/wutCVvCEiRdUdmIHA=,tag:oJi4BTDrD3FLEQuYeDR3dA==,type:str]
externaldns: ENC[AES256_GCM,data:eCtagoXcjAqKfvD8AuxUhtL2Rvn1iUxbS3qDv1x1KVUzdg1jGAELgCivgPLv8UaLCZ7dqqtr1XiMgsd8RPKgSZO/AS9TTQx8eGnWUnaorUXdhYfhrGfeUa7LoEPYPNx4jwrN45j3OKsE,iv:ffUDa51TqFMqOBItiezwfiNkf4aajdfIXo6+cR48rAE=,tag:E2jMpk1/hpJGjLfIFuTpqw==,type:str] externaldns: ENC[AES256_GCM,data:WhH4vAR4Q4iTXq2fT+Z8kOXkwnneNV4bXWYytov62DFDSnYwsvWIbol5MvYIwXM+gEbQ/k/uk62MSFx26T34881EGJmH7KXWr7ji273D8oKAp0Fw6jOt2NZT6XkBwhWEIathUOwNdN6E,iv:SepdyBzYga7s03ppSppiBB/wTbTrL/y70aa/B/m02r4=,tag:vWqlZLx+FvstJjgRj4mjWg==,type:str]
zones: zones:
jahanson.tech: ENC[AES256_GCM,data:CEOcBxa38OheRPP+JakWVfm1vbtTlMzEsEYhzehckpRN4hj9epxVwyKzth2JvhdJN7zslP/BydRm2VowSTJLDpEsRBYiC7650ear3co1qM60SvLHNgsKcW+UTfp5RUqIcos2Gfll2vrMFxMIRV9nrSz2g3trteC/4B3wmVLZjnvNQoB5SePpQKXZQQesO5+5aiF7hRqk2OSz57S/ncjHJhLz9h3xyvr7JXrcdUWHTUarqQbARG3owzaxEoPY+n4nqtx5JXqFaYAMSO6bio4OHanHXhdMfSpZud0bT7wBarAtWCFgIIMMKfd4Q1qBm5AFQyApdLKdwQ4zakrRYOx07zp/ZxVOQ5oiGIuFsEumf370PCzR6JPVivX0gHsJXR3EqlXVy4TpFOzit9jc43XD9LgvYKxdQQUUC3LwfCVK/6/rjqVU6+40tA30D8KQS1UZ1Bmm7+QGk4Jdocwg5KfI9BQNSC+Qfrmif8Ckljr8978p7rxEhMU52DkoNeOxHtLcjzsskVV2Mv01KdKQByoHxVR7ySEkmz1nDc6O6kUExgL4mrXRa+zWvTwkQdcjCoOvb5Z4X0sUdUwvt3qQqbZLyCLvXLwLyOjCTlHu3E+nlZ+AESTRoAgexkR+oWQuekoPaFxy1F4FFk8MDpBb2Cgsw5ZHhgmiKaV5e0DVU3oS6mRl1OiqhMSnbBsheyXYVWSHQh8xvlLgvF8/INeJCgZArjDfP/nz15ctkBVKC+6eEyTCXiAnaS1snbJdovTRiz9GUaE3AcQ+uRhhqDL7U1AO6n5vxI/6nKGH1YK2Z+ym7JT3M8+wtBhM/fPs5DjwjMb9c5z07Ks48r+dm8j91jsh2ACTJRvhvyQvxHh4HPWicoUhRdMj/VuLAwMpsCGRCwjsZ8OzNvzWUz/+5kA1J0/XEh6TRW2ZNKO+uzcpFKoAPwRbF0lLgZYnuceEEb1oyjEH0UjdKDL7g8GtnEdN4kem+Nfk/OgyVJKLCN6ILvd8QrhXhmAZri8s18eNEU2np92B6ISmRt/b0pcNyva1fRvYYv3CaIjqjx4RFa7pZvjyXysuomdNzUx6wfwBxVqQn4FjAhOCeGVawtzLDV2ZPfaxc36RIOrK,iv:Y6CcrD/be0F6B9TEfGFF74jWvk7uWVUytutnFGfnG0I=,tag:2JQaYAj4IuFw4LrnQ+gAig==,type:str] jahanson.tech: ENC[AES256_GCM,data:XqOX6lbCubPEi1pXgIEXW0qyD2+iJXNugTPdQOB/yCm4AX1mMiANAV51FBDb9f+QQ+q1EDqGz/83VKggoIvHSZCOW3dkNWR2uy82uO8C59sbsLrR5AzTTnZN2zlaIjW2q42I838mKfO7MfYXutwQbTpepr/Brtbldm+HRjxugJJMDFvBqSlylSnFA+jeWq7RNRP1+ZxGULO8I2BTPqdRVyRHcIWjyQABTctDcDgDLMpPxrMBTtmC2/CFH5pIT3w6gbrYRwYFZh7fNprOYRRPOkGHMZK6ccMCpm2uRR4b5daB1MidqJUsX999ma2TEmsUJSQZr6mS2r/QvwZ2R9QziIkBxh91vCg6HMaHl8/ISlryZVlkWNY1P2jgCMw0jJ58NxeBVAjVWw3iL+i9JU/q51r8J3nZHi5ql90JMaVdYWw8I2GLYWDHQnES9srEXtJwJNLzE69lQuL8ARmey4gt8Q9snen0v3RJVFb466nPKvH51TjIAr3FB2L8NY3RumD4eYl05L5JdNcFVuqmsYdoWQSQdZz23BxRM/QKT2qKjrhxfZuQW1naNDg3qbx5+bLGHlG6m8wRdtkR5SXWQc5a7LG2eURY9T7vy8yxMWzjd5LPMFLd7JlUSjwXw9YBhYTafGuc2TUESs8DCO/hU2zjAn1KM+rmc2T4aF3HexJwt7b7HBmMrDWObdtj09ycV10tp1Z57ZMz18aJdIbaZKopERN25FzIKiTlytiZiWsesLo6mUbsgb7bmjGGjBEDbp9P7ozgZv5H+aR5Y7POl9EG3gfERPsa1nF1qlloOrYT/GX8pUNhXAxH6QfX7WF+ANiMB/L/X4L0/XufV7shCWfQwogZ3t7ARGHr3dIOyx1ABus+M2QUZyI94jHTn+/J6aaxL8qsDGDZ6383Gk/CHa57BklRUrZZYVs9jzDe7+12gDfID/eP+nnKuohwCY1KcHL5QCRUg8KN1ZIyH1FYz489l/qKFG1nO33iJv/l6opWjIv98EM88ckA7zxU1+UgjxNiBo0EGJPw1erwTwUzehTnj303HuTGbtGjgE/vK8M+rCCpL9L0YAFQyXqeuqQs6yM3PHCyKfvThCAnwnTIGn2mZcyu/GGGOO9Hse/islh4cYldxC8psKNfNlf6qT43MOf+gDJ2GKU2kzU5tivlNqXbgAs=,iv:8SWNl65v24W504eG64L65rDmvqrkF5VJhufN3u/wRG4=,tag:oapDfnOAPyPDiJrxGHtiJA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -14,77 +14,68 @@ sops:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5V1ZQcTBNeFF6NjdXMThQ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSSS9JWTZPak52ZFloYTZq
QnMxVFZHZlBwTk5CU1pSNFBPTUt6MmR2NVNrCnFjd0Q5d0pwZGdJbDlDdS8wNG5Q N3Ewa2hrbUZmZ0Y2aVpzaTZjN1hzWTlqRmg0CkdIZk9IMDdWQ2xsYmdHcGM3WmVk
aHdqekpmREhlbEVMUjZNc1BscU5xbjgKLS0tIFdLUC9wNGlyOFd3WjRnc0IwZU85 cnVXVkprbXlQeDdzSkEvbW9SSE1aU3cKLS0tIHpuQUY1TmdKbGpZQ3N5Vk5LdzBC
alhDYk1DelpINjYvVmlCa1pKY3hjV3cKF7aIzA9U1bPVP6bQbYCTjXKptE9Rovyi VVp6Q1ZNR3gycSsxU3Q3SGtNUDN4cEUKDXO3QyNQfXqn587meoAZqraGMl4ASeOf
CVBUzWWrb2Z12rvjDzIKc/L1iMqLn0PjPsYHL+CHW8z5A6R3m3FDMw== rVJDGWkNhne1YFdAfvbiY6pD7RDxscwiRFqDofH/t0EfN4vwrzIx3Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFUFlDK1duT010Nll2cmV3 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrSEZKOUJTTjE4YTRQUnFW
ZVRKM0tFNGVHQXM0Q001ZGtIZVV4bVByTVRZClZVclFEMVlSYnp2ZElNZm1DOGpR bzhMcjlSVTRNRWNkSmZSbU5ITFFTbURFbGpJCnpndFR1OVJvWnBOMVovdVVGWkZ4
bzNCUkQrNXF4UlU5WHloaEtzMW5wMUEKLS0tIFpwQ0pLRjFJOUR0dEhhTVBhT3hJ Wk9xa29kekgxRnlqbFg4YzN0OE9ZYUUKLS0tIGsxeUhWdU5NaTE3cHpYNXF2OUlK
c09wdG1jVlREUk5QUThKRFpsSlRUM1EKjxe9zkAp8t3gwMFOipPZeVdIyEnOTm77 eGNyTXdqWFNvZ0NVOCsvaG55dUdaMEkKW9SxqP6Jpn72VAwPhn3laO1OE+gYzLvb
0EnaO+oPJNTE+WefHKEEnqkUP0JY6vkDSkymgLtlPnY9VkAWP7ymbw== 10NfaR+2P0EJZ3nwc0sLKmPmSzcRiE9etGtNGFiLgoUNkQ3lnwXj6A==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxTlZoVGgwSFNOZ214WlBC YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTTF2TjJ0WGJaTUFIWE9s
dFdBb2tSTjJLU1M2WmZXcS9jU2d4WThab0JFClNQekNJM1dmVjJUeEN3d1F3dVFF S1NHQmRiQUVjSGJLQXZ2VUUrclorT3dIOXprCnQwOUorNXFzNG1DbG8wRW83QTdC
R0c2bFlFNkowZjl5eEJXMllXSzZLSUEKLS0tIG1CUWRZeXE3SksxTUxrQjBTaGpS a2ZpZnM5Vit6bk1SaXRSZnZZT1g4ZzQKLS0tIFd4RVR2LzdvVG5nVzBiKzBPL1p2
VTZqOHB3eFlHZmNlSU9QOGprdWh3bm8KfvR852TCR0nfmXkDgF3FSOR9agJ8GUPt eFJWOGx3Z240clRQN3dNa0Ztb2hrUk0KunfKdWPTZD32KagC+VXmAQDxJAoElHAp
1iK2aDZHLZKcK4mcuPc/qzfCXvTHlIvTDbSD0PbgCyG7gwgX2Qd8mA== mo8a0GGdeVuJiUneJlZ2KYuLkseCyn0HC5qQMUIT8HZJ2bb+RH0vDg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3NXpCcmY2T3Zmejd2TUlX YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3ZHAxMVNsK3U1ZlJnaEJj
TDZYMSt6OFdIZC9ibHJid3JxVjlHK0pCWXpnCmF4dTJWNzQ1a0FZdWxJUWZVZEhk eTNhZzRidW9HQ3Jrck0zNmxPYXcvVUtJRTJFClFiMGNuYnEzbVNJNExVSkZ3dVJy
Tk44YWQ5U2dWc2orcTExMjIwT3ZOVmcKLS0tIDJpbkEyNmJmQU1PemhpYzBycjV6 MHlRdG1uNHhZb3daNW03bVJrOGZmNmsKLS0tIER3RUg0TDRQT09jdy9xNzF6OUtq
V0pHbjhRcERyb042L0ZMUnZSdVpOOEUKICA6kYzVpAwMaoKrZIkj7GIjv4mGRzu5 VHR4NjUxZGpRYzNKaHhlVTdJQXBmTlkKHgqnACFlEusz0/W+I/O2smr/SV2Oiw9Y
3sm2D/yeE68TXH6PvHPRZpkLAqrn2HvQuviIgHXH3Flgeuu+DGl8cQ== wCqCyVfB+kGrfgq08e8ki8NXv3PDT637BU3kXFaOTQhzSE0aCpD8qw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df - recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMLzdsOHpDUW9Vb3c5cVFZ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvTXJWQThMaDZNajBFOVRT
a0VOMEdjS2kzbTVtcU0zeXdOclJxbU5FSFE0CkwrdGN5VTNxT2Y0VUdOT0ZnMWlz NEpJK3RvbzRKUXE0NWpRQVA0aWJSYVNxWkhNCk1nWHVaYmZNQkdQZFJIOTZKTWxC
VGxwNGFSSUttZjdIVDlRL1JQekhSdkUKLS0tIE9JbUJWeFRVbXVyNkJIVTQ0bS81 RXpOaHc4dzNBZ0txcFhtbjVVSjhDbXMKLS0tIDkwSnFTTjBZZE5hZTdXeTI1Q2F6
Zk14MEtrR2pRSWVPUEJONVNKNUl4VXMKJ93XAmrAH25gUTbtY4HQjSKCJqH8yK7t Skw3OUt4SVlrQ0M0d0h3KzNubjZ6SDgKiEvuO+RqygeSSzeUlQJSPuzNY4tbzKso
5WGip1wjuP/jab8ycHaM8MK6hH7qKJGLKF0Q+agvQok7RKqZl5+ikA== bt/fSCV4ulFTvjybD9lfA9dclHGM/IRA9obCQd8RsCBQuXo9cuWnjA==
-----END AGE ENCRYPTED FILE-----
- recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvYUhubnhKcnFDZml5Qjl6
MzgvVFk4QzNwOWdSWDh6RlBDdTVzRWMrTmdBCktBZVdKWW9JdGxEVlRtVCtMYXpB
YTV4TmNlRnFzMTcwWGZSeWtzN3hxRFkKLS0tIHpsMTNLckhMRkM5V0xqbmFjOUpK
ZFl0QlZCUmcvQXBvcFpoZHJNZ0xUQTgKTnAjik5QM++wy3+y8N5zHk+nY1+bMfr8
5IQBIQuoJUhvj8GPniyYRHEhzttfYNuYJaENQcuYOaIpbGb3jTmBJA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArQW1McmZlNVhDR1VRMUM5 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVZkQ0NzVGMWJ4Tk9vYnZC
UVk4aGd1RDZxQ3RlSG1UUEd0R1gyUU1VUkg4Clo0eFgxVlcvNnNtWVZZajRGYUZJ dmo5U2FJa0pOUmt1K09MWFdRamNnaUgwbEM0CnhKRmMyN0RYMG5Uc3ArQVZhVFZX
K3d0ZzNSSG16dGVONjU2cDMzbkNvazAKLS0tIE1jcU9ERXZhbW4zM0E3Z3RJWTRm RHQ3SU1TUnQ1SlhvZGp6emFOV1FuVE0KLS0tIE1oQjQ1dUhTMVBaTnZIeVpVNmxp
anA4RmxVOWplWlo0QkFLQ2xFQ3YrRWsK0Z1iH93d8sMj8PbFaLBBO7xqz04f6ytV cnk3ckEyWkdhWkpkQlhJTHlsaGFTNDAK79D2C2RZql38hBJOBnqhOOdb7Z7EJNgj
m6bFiMoTp+hdnFdGZkl3S+4wQBG44uLJ9z6I/SL3H90ZBrVfE0XV0Q== aWfivACOM//hsPCZK+9YFpXJ08Nb6iBlNKzYsTW7qJ+Ue9M9i9JShA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoTSsvbFEvc0ZjQUl5WWhl YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdHRRVEY1dmR2WjM3YVhk
Q0tWVndqbGlMcnpYMzUxdnlWVGxubldaWVZFCnpBdHRaa052aUJWZENBR1QvTXgx dFZ6UmUxUTJKR3RKMUM0UXVaMUJwMzJRTmpnCjJtdjgwNnphOU5EdUxkSUp6UkQy
Nld6UHpPR05yQ0g4ZEVKVVhQUUdNVWcKLS0tIE1aMm1XOWRxWXhiOGk0Y0IzbEdN cS92MGdlTExVbWJIWGlGVVFla001MGcKLS0tIHF6c3MxR1V3N2szeXlNdWhUaGpW
b0VpUGdsdjNpV2ZJYzBNeUZtTFg0NTgKJ9dSsLlgbxotxWyLrY6XWVyg3I3zugG0 WWRlTHl1MWFmU293NGJyRVNRTE1RWWMKu5nK98591T0Z4rHIHxCY7mqBW/CF6abl
pvd/gQmiYFxptVmBPw+GkOZJBugHpURQznXq6DEo0hVaYLoxoaFBNQ== 3/ygImXkb15Ws4b4mcN67vk3omg9CB6s0SHfFk1GAu6CiN7MufHQ+Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-01T23:46:47Z" lastmodified: "2024-07-15T23:16:58Z"
mac: ENC[AES256_GCM,data:3vtZhdp4eCAlzq+LWypv5wb5qAdFM3wYTmbtvHMIxG21Z2joEH75i2BqYRl8sQPDSM01wbwZp04/pgjEBogrBrwC8Jt3fAB1ptx9A1vPBIwjcprFR53/A0SFRqb3eXJbwRMS3axZx2yp3qzv73en1vcfRgS2YfjaH8knH1f6/CE=,iv:L3NBzPNHi1wBLA2+sI+Ncl57el61friVvar1HbFWSW0=,tag:sxm8CFpwTt4jgyHBPqVihg==,type:str] mac: ENC[AES256_GCM,data:pmZjxv+vcznnamHNvOL7sr8wrejmcqo6D/NpizVo7TPo6cs59vTQ2fXmM0zlfJs81wZVe8cMcv2LXITSmjpZOsrhYuzMpPsc9HGzdwfOXVTfdVDYWVwNd4LsXMW40rqUbZyVtp8zAOW4eF5iY0H+acPxMcBbogoQKOU94a0NqzU=,iv:vFcpIrA9KRMawLCbMqWbKcGFPBcMp3mQRIgje5dV5S8=,tag:iuEaP9jjhhvjMjChvaoBCQ==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1

10
nixos/hosts/varda/default.nix
View file

@ -1,5 +1,5 @@
{ pkgs, ... }: { { ... }: {
imports = [ ./resources/prune-backup.nix ]; imports = [ ];
networking.hostId = "cdab8473"; networking.hostId = "cdab8473";
networking.hostName = "varda"; # Define your hostname. networking.hostName = "varda"; # Define your hostname.
@ -22,17 +22,13 @@
swapDevices = [ ]; swapDevices = [ ];
# System settings and services. # System settings and services.
mySystem = { mySystem = {
purpose = "Production"; purpose = "Production";
system.motd.networkInterfaces = [ "enp1s0" ]; system.motd.networkInterfaces = [ "enp1s0" ];
security.acme.enable = true; security.acme.enable = true;
services = { services = {
forgejo = { forgejo.enable = true;
enable = true;
package = pkgs.unstable.forgejo;
};
nginx.enable = true; nginx.enable = true;
}; };
}; };

24
nixos/hosts/varda/resources/prune-backup.nix
View file

@ -1,24 +0,0 @@
{ pkgs, ... }:
let
cleanupScript = pkgs.writeShellScriptBin "cleanup-backups.sh" (builtins.readFile ./prune-backups.sh);
in
{
systemd.timers.cleanup-backups = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "daily";
Persistent = true;
};
};
systemd.services.cleanup-backups = {
script = "${cleanupScript}/bin/cleanup-backups.sh";
serviceConfig = {
Type = "oneshot";
User = "forgejo";
StandardOutput = "journal+console";
StandardError = "journal+console";
};
};
}

20
nixos/hosts/varda/resources/prune-backups.sh
View file

@ -1,20 +0,0 @@
# Set the backup directory
BACKUP_DIR="/var/lib/forgejo/dump"
# Keep the 3 most recent backups
KEEP_NUM=3
echo "Starting backup cleanup process..."
echo "Keeping the $KEEP_NUM most recent backups in $BACKUP_DIR"
# Find all backup files, sort by modification time (newest first),
# skip the first 3, and delete the rest
find "$BACKUP_DIR" -type f -name "forgejo-dump-*" -print0 |
sort -z -t_ -k2 -r |
tail -z -n +$((KEEP_NUM + 1)) |
while IFS= read -r -d '' file; do
echo "Deleting: $file"
rm -f "$file"
done
echo "Cleanup complete. Deleted all but the $KEEP_NUM most recent backups."

56
nixos/modules/nixos/containers/backrest/default.nix Normal file
View file

@ -0,0 +1,56 @@
{ lib, config, ... }:
with lib;
let
app = "backrest";
image = "garethgeorge/backrest:v1.1.0";
user = "568"; #string
group = "568"; #string
port = 9898; #int
cfg = config.mySystem.services.${app};
appFolder = "/var/lib/${app}";
# persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}";
in
{
options.mySystem.services.${app} =
{
enable = mkEnableOption "${app}";
addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
};
config = mkIf cfg.enable {
# ensure folder exist and has correct owner/group
systemd.tmpfiles.rules = [
"d ${appFolder}/config 0750 ${user} ${group} -"
"d ${appFolder}/data 0750 ${user} ${group} -"
"d ${appFolder}/cache 0750 ${user} ${group} -"
];
virtualisation.oci-containers.containers.${app} = {
image = "${image}";
user = "${user}:${group}";
environment = {
BACKREST_PORT = "9898";
BACKREST_DATA = "/data";
BACKREST_CONFIG = "/config/config.json";
XDG_CACHE_HOME = "/cache";
};
volumes = [
"${appFolder}/nixos/config:/config:rw"
"${appFolder}/nixos/data:/data:rw"
"${appFolder}/nixos/cache:/cache:rw"
"${config.mySystem.nasFolder}/backup/nixos/nixos:/repos:rw"
"/etc/localtime:/etc/localtime:ro"
];
};
services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
useACMEHost = config.networking.domain;
forceSSL = true;
locations."^~ /" = {
proxyPass = "http://${app}:${builtins.toString port}";
extraConfig = "resolver 10.88.0.1;";
};
};
};
}

6
nixos/modules/nixos/containers/default.nix
View file

@ -1,9 +1,7 @@
{ {
imports = [ imports = [
./jellyfin ./backrest
./lego-auto ./lego-auto
./plex ./unifi
./scrutiny
./scrypted
]; ];
} }

117
nixos/modules/nixos/containers/jellyfin/default.nix
View file

@ -1,117 +0,0 @@
{
lib,
config,
...
}:
with lib;
let
app = "jellyfin";
# renovate: depName=ghcr.io/jellyfin/jellyfin datasource=docker
version = "10.10.2";
image = "ghcr.io/jellyfin/jellyfin:${version}";
port = 8096; # int
cfg = config.mySystem.containers.${app};
in
{
# Options
options.mySystem.containers.${app} = {
enable = mkEnableOption "${app}";
# TODO add to homepage
# addToHomepage = mkEnableOption "Add ${app} to homepage" // {
# default = true;
# };
openFirewall = mkEnableOption "Open firewall for ${app}" // {
default = true;
};
};
# Implementation
config = mkIf cfg.enable {
# Container
virtualisation.oci-containers.containers.${app} = {
image = "${image}";
user = "568:568";
volumes = [
"/nahar/containers/volumes/jellyfin:/config:rw"
"/moria/media:/media:rw"
"tmpfs:/cache:rw"
"tmpfs:/transcode:rw"
"tmpfs:/tmp:rw"
];
environment = {
TZ = "America/Chicago";
DOTNET_SYSTEM_IO_DISABLEFILELOCKING = "true";
JELLYFIN_FFmpeg__probesize = "50000000";
JELLYFIN_FFmpeg__analyzeduration = "50000000";
};
ports = [ "${toString port}:${toString port}" ]; # expose port
extraOptions = [
# "--device nvidia.com/gpu=all"
];
};
# Firewall
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [ port ];
allowedUDPPorts = [ port ];
};
# TODO add nginx proxy
# services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
# useACMEHost = config.networking.domain;
# forceSSL = true;
# locations."^~ /" = {
# proxyPass = "http://${app}:${builtins.toString port}";
# extraConfig = "resolver 10.88.0.1;";
# };
# };
## TODO add to homepage
# mySystem.services.homepage.media = mkIf cfg.addToHomepage [
# {
# Plex = {
# icon = "${app}.svg";
# href = "https://${app}.${config.mySystem.domain}";
# description = "Media streaming service";
# container = "${app}";
# widget = {
# type = "tautulli";
# url = "https://tautulli.${config.mySystem.domain}";
# key = "{{HOMEPAGE_VAR_TAUTULLI__API_KEY}}";
# };
# };
# }
# ];
# TODO add gatus monitor
# mySystem.services.gatus.monitors = [
# {
# name = app;
# group = "media";
# url = "https://${app}.${config.mySystem.domain}/web/";
# interval = "1m";
# conditions = [
# "[CONNECTED] == true"
# "[STATUS] == 200"
# "[RESPONSE_TIME] < 50"
# ];
# }
# ];
# TODO add restic backup
# services.restic.backups = config.lib.mySystem.mkRestic {
# inherit app user;
# excludePaths = [ "Backups" ];
# paths = [ appFolder ];
# inherit appFolder;
# };
};
}

115
nixos/modules/nixos/containers/plex/default.nix
View file

@ -1,115 +0,0 @@
{
lib,
config,
...
}:
with lib;
let
app = "plex";
# renovate: depName=ghcr.io/onedr0p/plex datasource=docker versioning=loose
version = "1.41.2.9200-c6bbc1b53";
image = "ghcr.io/onedr0p/plex:${version}";
port = 32400; # int
cfg = config.mySystem.containers.${app};
in
{
# Options
options.mySystem.containers.${app} = {
enable = mkEnableOption "${app}";
# TODO add to homepage
# addToHomepage = mkEnableOption "Add ${app} to homepage" // {
# default = true;
# };
openFirewall = mkEnableOption "Open firewall for ${app}" // {
default = true;
};
};
# Implementation
config = mkIf cfg.enable {
# Container
virtualisation.oci-containers.containers.${app} = {
image = "${image}";
user = "568:568";
volumes = [
"/nahar/containers/volumes/plex:/config/Library/Application Support/Plex Media Server:rw"
"/moria/media:/media:rw"
"tmpfs:/config/Library/Application Support/Plex Media Server/Logs:rw"
"tmpfs:/tmp:rw"
];
extraOptions = [
"--device nvidia.com/gpu=all"
];
environment = {
TZ = "America/Chicago";
PLEX_ADVERTISE_URL = "https://10.1.1.61:32400";
PLEX_NO_AUTH_NETWORKS = "10.1.1.0/24";
};
ports = [ "${toString port}:${toString port}" ]; # expose port
};
# Firewall
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [ port ];
allowedUDPPorts = [ port ];
};
# TODO add nginx proxy
# services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
# useACMEHost = config.networking.domain;
# forceSSL = true;
# locations."^~ /" = {
# proxyPass = "http://${app}:${builtins.toString port}";
# extraConfig = "resolver 10.88.0.1;";
# };
# };
## TODO add to homepage
# mySystem.services.homepage.media = mkIf cfg.addToHomepage [
# {
# Plex = {
# icon = "${app}.svg";
# href = "https://${app}.${config.mySystem.domain}";
# description = "Media streaming service";
# container = "${app}";
# widget = {
# type = "tautulli";
# url = "https://tautulli.${config.mySystem.domain}";
# key = "{{HOMEPAGE_VAR_TAUTULLI__API_KEY}}";
# };
# };
# }
# ];
# TODO add gatus monitor
# mySystem.services.gatus.monitors = [
# {
# name = app;
# group = "media";
# url = "https://${app}.${config.mySystem.domain}/web/";
# interval = "1m";
# conditions = [
# "[CONNECTED] == true"
# "[STATUS] == 200"
# "[RESPONSE_TIME] < 50"
# ];
# }
# ];
# TODO add restic backup
# services.restic.backups = config.lib.mySystem.mkRestic {
# inherit app user;
# excludePaths = [ "Backups" ];
# paths = [ appFolder ];
# inherit appFolder;
# };
};
}

92
nixos/modules/nixos/containers/scrutiny/default.nix
View file

@ -1,92 +0,0 @@
{ lib, config, ... }:
with lib;
let
app = "scrutiny";
# renovate: depName=AnalogJ/scrutiny datasource=github-releases
version = "v0.8.1";
cfg = config.mySystem.services.${app};
in
{
options.mySystem.services.${app} = {
enable = mkEnableOption "${app}";
# Port to expose the web ui on.
port = mkOption {
type = types.int;
default = 8080;
description = ''
Port to expose the web ui on.
'';
example = 8080;
};
# Location where the container will store its data.
containerVolumeLocation = mkOption {
type = types.str;
default = "/mnt/data/containers/${app}";
description = ''
The location where the container will store its data.
'';
example = "/mnt/data/containers/${app}";
};
# podman equivalent:
# --device /dev/disk/by-id/nvme-XXXXXXXXXXXXXXXXXXXXXXXXXXXX
devices = mkOption {
type = types.listOf types.str;
default = [ ];
description = ''
Devices to monitor on Scrutiny.
'';
example = [
"/dev/disk/by-id/nvme-XXXXXXXXXXXXXXXXXXXXXXXXXXXX"
];
};
# podman equivalent:
# --cap-add SYS_RAWIO
extraCapabilities = mkOption {
type = types.listOf types.str;
default = [
"SYS_RAWIO"
];
description = ''
Extra capabilities to add to the container.
'';
example = [
"SYS_RAWIO"
];
};
};
config = mkIf cfg.enable {
# TODO: Add automatic restarting of the container when disks.nix changes.
# - https://github.com/nix-community/home-manager/issues/3865#issuecomment-1631998032
# - https://github.com/NixOS/nixpkgs/blob/6f6c45b5134a8ee2e465164811e451dcb5ad86e3/nixos/modules/virtualisation/oci-containers.nix
virtualisation.oci-containers.containers.${app} = {
image = "ghcr.io/analogj/scrutiny:${version}-omnibus";
autoStart = true;
ports = [
"${toString cfg.port}:8080" # web ui
"8086:8086" # influxdb2
];
environment = {
TZ = "America/Chicago";
};
volumes = [
"${cfg.containerVolumeLocation}:/opt/scrutiny/config"
"${cfg.containerVolumeLocation}/influxdb2:/opt/scrutiny/influxdb"
"/run/udev:/run/udev:ro"
];
# Merge the devices and extraCapabilities into the extraOptions property
# using the --device and --cap-add flags
extraOptions =
(map (disk: "--device=${toString disk}") cfg.devices)
++
(map (cap: "--cap-add=${cap}") cfg.extraCapabilities);
};
};
}

116
nixos/modules/nixos/containers/scrypted/default.nix
View file

@ -1,116 +0,0 @@
{
lib,
config,
...
}:
with lib;
let
app = "scrypted";
# renovate: depName=ghcr.io/koush/scrypted datasource=docker versioning=docker
version = "v0.123.30-jammy-nvidia";
image = "ghcr.io/koush/scrypted:${version}";
port = 11080; # int
cfg = config.mySystem.containers.${app};
in
{
# Options
options.mySystem.containers.${app} = {
enable = mkEnableOption "${app}";
# TODO add to homepage
# addToHomepage = mkEnableOption "Add ${app} to homepage" // {
# default = true;
# };
openFirewall = mkEnableOption "Open firewall for ${app}" // {
default = true;
};
};
# Implementation
config = mkIf cfg.enable {
# Container
virtualisation.oci-containers.containers.${app} = {
image = "${image}";
volumes = [
"/nahar/containers/volumes/scrypted:/server/volume:rw"
# "/nahar/scrypted:/recordings:rw"
"tmpfs:/.cache:rw"
"tmpfs:/.npm:rw"
"tmpfs:/tmp:rw"
];
extraOptions = [
# all usb devices, such as coral tpu
"--device=/dev/bus/usb"
"--network=host"
"--device nvidia.com/gpu=all"
];
environment = {
TZ = "America/Chicago";
};
ports = [ "${toString port}:${toString port}" ]; # expose port
};
# Firewall
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [ port ];
allowedUDPPorts = [ port ];
};
# TODO add nginx proxy
# services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
# useACMEHost = config.networking.domain;
# forceSSL = true;
# locations."^~ /" = {
# proxyPass = "http://${app}:${builtins.toString port}";
# extraConfig = "resolver 10.88.0.1;";
# };
# };
## TODO add to homepage
# mySystem.services.homepage.media = mkIf cfg.addToHomepage [
# {
# Plex = {
# icon = "${app}.svg";
# href = "https://${app}.${config.mySystem.domain}";
# description = "Media streaming service";
# container = "${app}";
# widget = {
# type = "tautulli";
# url = "https://tautulli.${config.mySystem.domain}";
# key = "{{HOMEPAGE_VAR_TAUTULLI__API_KEY}}";
# };
# };
# }
# ];
# TODO add gatus monitor
# mySystem.services.gatus.monitors = [
# {
# name = app;
# group = "media";
# url = "https://${app}.${config.mySystem.domain}/web/";
# interval = "1m";
# conditions = [
# "[CONNECTED] == true"
# "[STATUS] == 200"
# "[RESPONSE_TIME] < 50"
# ];
# }
# ];
# TODO add restic backup
# services.restic.backups = config.lib.mySystem.mkRestic {
# inherit app user;
# excludePaths = [ "Backups" ];
# paths = [ appFolder ];
# inherit appFolder;
# };
};
}

9
.archive/modules/nixos/containers/unifi/default.nix → nixos/modules/nixos/containers/unifi/default.nix
View file

@ -3,7 +3,7 @@ with lib;
let let
app = "unifi"; app = "unifi";
# renovate: depName=goofball222/unifi datasource=github-releases # renovate: depName=goofball222/unifi datasource=github-releases
version = "8.4.62"; version = "8.3.32";
cfg = config.mySystem.services.${app}; cfg = config.mySystem.services.${app};
appFolder = "/eru/containers/volumes/${app}"; appFolder = "/eru/containers/volumes/${app}";
# persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}"; # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}";
@ -14,15 +14,10 @@ in
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
networking.firewall.interfaces = { networking.firewall.interfaces.podman0 = {
enp130s0f0 = {
allowedTCPPorts = [ 8443 ];
};
podman0 = {
allowedTCPPorts = [ 8080 8443 8880 8843 ]; allowedTCPPorts = [ 8080 8443 8880 8843 ];
allowedUDPPorts = [ 3478 ]; allowedUDPPorts = [ 3478 ];
}; };
};
virtualisation.oci-containers.containers.${app} = { virtualisation.oci-containers.containers.${app} = {
image = "ghcr.io/goofball222/unifi:${version}"; image = "ghcr.io/goofball222/unifi:${version}";
autoStart = true; autoStart = true;

1
.archive/modules/nixos/de/default.nix → nixos/modules/nixos/de/default.nix
View file

@ -1,6 +1,5 @@
{ {
imports = [ imports = [
./gnome.nix ./gnome.nix
./kde.nix
]; ];
} }

41
.archive/modules/nixos/de/gnome.nix → nixos/modules/nixos/de/gnome.nix
View file

@ -1,29 +1,18 @@
{ { lib, config, pkgs, ... }:
lib, with lib;
config,
pkgs,
...
}:
let let
cfg = config.mySystem.de.gnome; cfg = config.mySystem.de.gnome;
in in
{ {
options = { options = {
mySystem.de.gnome = { mySystem.de.gnome = {
enable = lib.mkEnableOption "GNOME" // { enable = mkEnableOption "GNOME" // { default = false; };
default = false; systrayicons = mkEnableOption "Enable systray icons" // { default = true; };
}; gsconnect = mkEnableOption "Enable gsconnect (KDEConnect for GNOME)" // { default = true; };
systrayicons = lib.mkEnableOption "Enable systray icons" // {
default = true;
};
gsconnect = lib.mkEnableOption "Enable gsconnect (KDEConnect for GNOME)" // {
default = true;
}; };
}; };
}; config = mkIf cfg.enable {
config = lib.mkIf cfg.enable {
# Ref: https://nixos.wiki/wiki/GNOME # Ref: https://nixos.wiki/wiki/GNOME
# GNOME plz # GNOME plz
@ -49,15 +38,13 @@ in
}; };
}; };
udev.packages = lib.optionals cfg.systrayicons [ pkgs.gnome.gnome-settings-daemon ]; # support appindicator udev.packages = optionals cfg.systrayicons [ pkgs.gnome.gnome-settings-daemon ]; # support appindicator
}; };
# systyray icons # systyray icons
# extra pkgs and extensions # extra pkgs and extensions
environment = { environment = {
systemPackages = systemPackages = with pkgs; [
with pkgs;
[
wl-clipboard # ls ~/Downloads | wl-copy or wl-paste > clipboard.txt wl-clipboard # ls ~/Downloads | wl-copy or wl-paste > clipboard.txt
playerctl # gsconnect play/pause command playerctl # gsconnect play/pause command
pamixer # gcsconnect volume control pamixer # gcsconnect volume control
@ -75,15 +62,17 @@ in
# enable gsconnect # enable gsconnect
# this method also opens the firewall ports required when enable = true # this method also opens the firewall ports required when enable = true
programs.kdeconnect = lib.mkIf cfg.gsconnect { programs.kdeconnect = mkIf
cfg.gsconnect
{
enable = true; enable = true;
package = pkgs.gnomeExtensions.gsconnect; package = pkgs.gnomeExtensions.gsconnect;
}; };
# GNOME connection to browsers - requires flag on browser as well # GNOME connection to browsers - requires flag on browser as well
services.gnome.gnome-browser-connector.enable = lib.any (user: user.programs.firefox.enable) ( services.gnome.gnome-browser-connector.enable = lib.any
lib.attrValues config.home-manager.users (user: user.programs.firefox.enable)
); (lib.attrValues config.home-manager.users);
# And dconf # And dconf
programs.dconf.enable = true; programs.dconf.enable = true;
@ -110,4 +99,6 @@ in
atomix # puzzle game atomix # puzzle game
]); ]);
}; };
} }

1
nixos/modules/nixos/default.nix
View file

@ -3,6 +3,7 @@ with lib;
{ {
imports = [ imports = [
./containers ./containers
./de
./editor ./editor
./hardware ./hardware
./lib.nix ./lib.nix

40
nixos/modules/nixos/editor/vscode.nix
View file

@ -4,38 +4,27 @@ let
cfg = config.mySystem.editor.vscode; cfg = config.mySystem.editor.vscode;
# VSCode Community Extensions. These are updated daily. # VSCode Community Extensions. These are updated daily.
vscodeCommunityExtensions = [ vscodeCommunityExtensions = [
"ahmadalli.vscode-nginx-conf"
"astro-build.astro-vscode"
"bmalehorn.vscode-fish"
"coder.coder-remote"
"dracula-theme.theme-dracula" "dracula-theme.theme-dracula"
"editorconfig.editorconfig" "editorconfig.editorconfig"
"esbenp.prettier-vscode" "esbenp.prettier-vscode"
"foxundermoon.shell-format"
"github.copilot" "github.copilot"
"hashicorp.hcl" # "github.copilot-chat"
"jnoortheen.nix-ide" "jnoortheen.nix-ide"
"mikestead.dotenv" "mikestead.dotenv"
"mrmlnc.vscode-json5" "mrmlnc.vscode-json5"
"ms-azuretools.vscode-docker" "ms-azuretools.vscode-docker"
# "ms-python.python" # Python extensions *required* for redhat.ansible/vscode-yaml # Python extensions *required* for redhat.ansible/vscode-yaml
"ms-python.python"
"ms-python.vscode-pylance" "ms-python.vscode-pylance"
"ms-vscode-remote.remote-ssh"
"ms-vscode-remote.remote-ssh-edit" "ms-vscode-remote.remote-ssh-edit"
"pkief.material-icon-theme" "pkief.material-icon-theme"
"redhat.ansible" "redhat.ansible"
"redhat.vscode-yaml" "redhat.vscode-yaml"
"signageos.signageos-vscode-sops" "signageos.signageos-vscode-sops"
"tamasfe.even-better-toml" "tamasfe.even-better-toml"
"task.vscode-task"
"tyriar.sort-lines" "tyriar.sort-lines"
"yzhang.markdown-all-in-one" "yzhang.markdown-all-in-one"
"fill-labs.dependi"
"rust-lang.rust-analyzer"
"dustypomerleau.rust-syntax"
"mattheworford.hocon-tools"
"pgourlain.erlang"
"exiasr.hadolint"
# "github.copilot-chat"
]; ];
# Nixpkgs Extensions. These are updated whenver they get around to it. # Nixpkgs Extensions. These are updated whenver they get around to it.
vscodeNixpkgsExtensions = [ vscodeNixpkgsExtensions = [
@ -50,27 +39,12 @@ let
# version = "1.219.0"; # version = "1.219.0";
# sha256 = "Y/l59JsmAKtENhBBf965brSwSkTjSOEuxc3tlWI88sY="; # sha256 = "Y/l59JsmAKtENhBBf965brSwSkTjSOEuxc3tlWI88sY=";
# } # }
{ { # Apparently there's no insiders build for copilot-chat so the latest isn't what we want.
# Apparently there's no insiders build for copilot-chat so the latest isn't what we want.
# The latest generally targets insiders build of vs code right now and it won't load on stable. # The latest generally targets insiders build of vs code right now and it won't load on stable.
name = "copilot-chat"; name = "copilot-chat";
publisher = "github"; publisher = "github";
version = "0.21.1"; version = "0.18.1";
sha256 = "sha256-8naCDn6esc1ZR30aX7/+F6ClFjQLPQ3k3r6jyVZ3iNg="; sha256 = "BrcrfhkX2VGF9wznTSlPSdPPv126ScbHb1ngBRGtr4E=";
}
{
name = "remote-ssh";
publisher = "ms-vscode-remote";
version = "0.113.1";
sha256 = "sha256-/tyyjf3fquUmjdEX7Gyt3MChzn1qMbijyej8Lskt6So=";
}
{
# Same issue as the above -- auto pulling nightly builds not compatible with vscode stable.
name = "python";
publisher = "ms-python";
version = "2024.14.1";
sha256 = "sha256-NhE3xATR4D6aAqIT/hToZ/qzMvZxjTmpTyDoIrdvuTE=";
} }
]; ];
# Extract extension strings and coerce them to a list of valid attribute paths. # Extract extension strings and coerce them to a list of valid attribute paths.

5
nixos/modules/nixos/games/default.nix
View file

@ -1,5 +0,0 @@
{
imports = [
./steam
];
}

5
nixos/modules/nixos/games/steam/default.nix
View file

@ -1,5 +0,0 @@
{
imports = [
./steam.nix
];
}

24
nixos/modules/nixos/games/steam/steam.nix
View file

@ -1,24 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.mySystem.games.steam;
in
{
options.mySystem.games.steam = {
enable = lib.mkEnableOption "Steam";
};
config = lib.mkIf cfg.enable {
# Steam Games
programs.steam = {
enable = true;
remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
};
# Need that glorious eggroll
environment.systemPackages = with pkgs; [
protonup-qt
];
};
}

2
nixos/modules/nixos/hardware/default.nix
View file

@ -1,5 +1,5 @@
{ {
imports = [ imports = [
# ./nvidia ./nvidia
]; ];
} }

87
nixos/modules/nixos/security/acme/secrets.sops.yaml
View file

@ -1,6 +1,6 @@
security: security:
acme: acme:
env: ENC[AES256_GCM,data:rYeJqYF11Ccw/zDTpfB2ewXIy4cqzHF/d+ar6NUdOGxesiBdJXVbGQtGOOLHTUJ6yKNhdBJ2mpBpCpIdQEdT9+4=,iv:XpjxG0RypUQ0Ub0dKAa8/c4F8TVuRNFXJM5UAfrlMV4=,tag:zCaLPPTp9KHs/AwYNq28gg==,type:str] env: ENC[AES256_GCM,data:JP+Syy9927T9ePL4Ly9FxlJ8F4/g/xejRn9nw2mqpl2ZUTwudp+R+ZI//h14Nej5S07oJt2L3LD/ol7ugdXHFG8=,iv:NJdqDIA0FZzyKRvDgjWmHA17q0FOCqjCk0WdkFMtd5w=,tag:KG8dgCcEOdroFpljNawdGA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -10,77 +10,68 @@ sops:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKOHNGVG5DWVArcngxYXlv YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4ZFJTREJxZ3NlNGtkSmhG
dlFmd1RPenFwSm9TSjhTR3F3cHB6R2lTTGo4Ck1BTVFSd21Xc0hiZlBUdjFrbWFp YTcwVmt1OUNmdTRaVDI5N3JNemszNklHV1dNCmVYczBEQ3BHT3ZhbjUySFNJVjhQ
Q2VoVzQrTEpZbE1yTHpBUVIyNWFiVEUKLS0tIDZLM3gzbUZUajZQaVRtT0dsQlpY dWh6c2ZHRUZTOTJEOTBrS3NuNDNzZW8KLS0tIHp3ckNvdmNYdkh3Znc0OVk5Yk53
VExPSVBLb0R3ekpNTE1jNG9QME5OTkkKPivk0v0xDOzHJSPVJYO6/5wdF1PChXtl ZW5jQmxLMHR6MC8yVFpFdFhsTVBub0kKRdYFNppcSFZ/5gm2WvydESeJOTVYd0Yk
xj6JrycRyQPahncXndTZoQL7EbdXnR2tfMtEE5Ua7l4mK11pE3K8cg== 0HQd6o8bAX8dcRhMHyyveWXz94/mcINkqz2mlXoL1N0HRPXcuUu5tQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQc0p0TXdtcVZNcngrQXM4 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3RnNVZFowV2NYakYvOEFr
bzBJcERRWVhxLy9QVHBCSnJEMzJTekF4RlU0CmFDWmtMdEdiOFVrRmhRbXc0R3ZE c2pFaDVqekVFeEdPWklkVWxoMjNEMEZrbWtFClFmcGNZYkJqUVF3MlRDcmpqWFZI
RC9mQUF4ZjFkbWlYZHkyZ25NV01hREUKLS0tIEVQWHR5YTJ0KytQYi83MmpWL0tO aU11eElxd2c4YTEzNEQ4RFgraFIxS0UKLS0tIEY5Yi9IUGxjYnpyL2I0eVFNNk83
Q0ZKN2JSMGVsU2h5eW5OTk1Kd3hoS0EKNbVvQ3VwkWloO15CV8v3SP8pD4zc2h04 Q3VaYjdiYVd0TFVuSld6M25wWHRZMncKaqb2kQvlLGZMaI72npCBuroWK/Fqr9jg
uM4/VlXTsVxVBqRxycdTKdWhmIChb8w98ljQC+iqatCCUiC9vHYIsg== oaBz3rpvYJEox2Naismb2D4fNCtI7Z1hLhPqq/jGAiczNaU039N9Bg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmNTVwbGNWRHNaRkd4N0Z3 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQdC9BM21iMldoUkIwdnpr
U3ZrYWRMNGJSMTI4UjljQkozTHAvdXpIaVZjCmJMNmdoVjBZZHRqcHBkcEpiL2dC a0hXbUNzNFJFTDF3ZS9CSFBENHdNTTZDU1RzCm9QbVdLMnRyTDRQNFE2U2w3cXpW
ak5xNGVRV0NoV2c5TCsvbkhWM2JqeXMKLS0tIG9uMmpJUzdMTUhVWWsxSWFaSTVy WkdKRFdocnRNaUxLejExSE5STjdCTkEKLS0tIHZvKzVtWnV4WWxRZXFMVWpobHJt
VHhxQ1U3L042VGpNdjI4RVNiRFlqU00KPuDqqR7EeclGGOs0R/3PsB+dnNo20Lh+ WlVNd2xNb2c0YVB5WlJtbTVreFhadFUK32KcIdcbt1rAk2+GWe5slpAdHcTBWoKs
GiCWjFy9MVEsrlZV7pd9cb0ggYTm09H0ZD5kb+++Er9WJqb7Ss+iOQ== wGOEayXeMi9EGYtx7v1oJ8+xlo2wRW/i1pKdCRK4vi4FtaXT65zglw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByRGdRRWUybHNiZzZaM1hv YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxb2wzMW1EUUx5VFp0Ykor
bW5Kb3NIbW1WNFl6aUdLWDA4WWI3RDdZQ0VFCjBXajVsY3BNMWs2QldjZDZWQnZ3 UWJEeFlZQTVJTFZIVFExZ1NkcVBCT09XVkU0CmFvWCtsaStjSDR6OVQwTW9iV3Vu
VjBvZ1AwZkVGNTB2RGF5aGp4ckFYYTQKLS0tIFd6L1lyblZ6ZEVXTHJGanhna0JQ cVo3MHhVOTAxQnU3ZWdDcllKaXhnK3cKLS0tIENyYlFtVWtqS05MVVFOWFpZK1Zp
S25RbHI4TENLUzRtM2NGOFNQQUdENm8K3upUW3cVF6fBrii/pEXua5sLwFcU/as3 cTFkQlpkZFgvOERSdlFMSHFxR1pTZmcKSRYr/tIskcm4mwiF74Qnd5d0zRRDSzC1
RNDLpyvvA/CCZCuneNS27/nYUcc2rJVDU71OsDA6A6SUivYLTriRbQ== QXidtsl505oGOgT/ujVtPwSJwvJewZT7NJKVRYktS3xY0v/flr1ieQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df - recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtaE9UczNPNk0zbWV6Zjdv YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLQjdka1hwejFZR25xbXcr
VXNEVmVibG1xejVObnlBa0JOOVBoQTZvQ0ZVClRSOXBrKzdjVkdGNVc2VmtidE8v Vzc4MVd3eXJOdmxqZVFDVVMvTVhLT0lZdVVFCmFtQkZjSm0wUHdMczM5ckFBaEdQ
Wjlob1Q4cDZRYjB5ejMwWXZzL2NFbUkKLS0tIHdLWjZtcjRjbjNGYjIzeWhqV0t5 Y0JMYnR0dGRLYTF1d3NHSyt6MWcrYXcKLS0tIElaT0FjVEdaeExnMUF4OE93Z1Ny
NFBwOUJZYUlicXRqWWtucnJIM2ZXMXcK9UTQ7NxoE5vozWvaDWT285BpZG/VdBh7 cnQ0Kzd0aWdrSlN5Y3NIN1kyOVh1WTQKG825r7fM2BXak4Q4GNPwZgmigmPxZXh4
3VrNKMWJLt/OuA0ucJAkK8NJ4mBYviytUk0kRR39nUok5+kM1iJJpA== DTdp3xBgHWpw8eQsi+gBzzf+4boLDTDDi+acLshj+SpIhjPdMZ1BwA==
-----END AGE ENCRYPTED FILE-----
- recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5MjVaRjQ3VTdsUzNHSkxE
ZGFiWWZmTzN5N0t3YjBtNGtiWDhNVmduQVM0ClZFMHp6UE5aUjdYaXU3YTk5RDk3
Q0ZBcnJLYzVtN3h2UEVSbmtsa1hTbEkKLS0tIEIwL3dkQVRCRm1TaGlUNVpWTUFT
MHFjd0ovcXN5S3ZhdXpzU3ZXUnorTjAKPdgr51ho0B2rDKld/UHHC4j1RwRy0fGy
6Pl/Qes4Gjvrb4dlDHS4HTEwBs0TbA62DEDI/jquypwxRW55eDMB6g==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxMmNINWttMHBndGM0eVJI YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtUmVpUHh0QzNLMVhsMHN5
OFlGUEpQRGthS2xuWnNtcjRaWEY0L0JKZzJvCkYzWCtVdE1VNnh1c2lGaUZoN1J4 bituWE9Ic2tXTm95cWlUMG9QVWhEcE1sejNBCmw5Q0lTYjExRjdkaCtYMWdkQnZZ
SnN1M25qempwZXBLV0ZPRjJreklnbEkKLS0tIGJYRk5xaFhuK2FwdUtKMHFaTGJZ dXNrQWhZaERBK1hVK0pkbFlvQkc1RHcKLS0tIGcwK0dzUVZFMFh2b0dmWDMyMjdS
QlRmcFpPazh3ZkgzWTh0Y01yTWxMbkEKK525n37sRSRirQQPzVluIwAiYFIbeta+ d09MQlZST2ZJY28vRWtkRzRjd3JFKzQKH2pjr7P1mG1m/8L/VLaTVrAQem8rcNGN
0/baUvErrjD9xofBZOm7kenLw/pPtcGXsUFqp9aCM7KGLjgRQTuK6g== tBWqg9XT3aSc+7NqUDkPVvH8STFGVlEhIskKTJA2TuY6CXfqwS3D5A==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqNXhtSE50Yk9BdnRIOUEx YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvRW80Q2x5bllHVDNzTGsr
UW0rRGNHTFJjWWI0R0xqVGVTUkFvSFZyUVcwCmp6b2I2aStEdlNzcGNtcTVML2dz a29PRHJHcHR2Mng2M2lpb1ZXMkV3UlZkQVRvCk01ciszVDlqeUdpa01FbjRtU3hq
TWRRUWVpd0doWFBYTWZZRXFjZ0wxR1kKLS0tIFhSU094RFdXVXFrT2FqbVEwc2FB V2hPS1NTSEdPL01ZZkxVdmI4ZHRRVFkKLS0tIHpjck5OaGl2dGgyUjZlNmlVWkZB
WE93RjBHS1NreWhqTmtEckVWMSt6clEKE24mtrJll0lsXEJktPjCFRpf8DLdxIW4 RHZ2TlJOanR6L2tQRm0rc3NVVSs1R1EKdSheY8qXv+ylwqjlpbWsSYD55X4SUT7c
4JjOWY6zgBWxtuvg5rdb5rz7Sp2UaI1LavvhkCdjmpFckdEUDMOOyA== W2czHg0Ezbjk8W7vyDuxdS1LjKSMinfRPUG+oyUwxwrjBN3aAwVDIQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-18T23:57:27Z" lastmodified: "2024-07-15T23:16:58Z"
mac: ENC[AES256_GCM,data:nBRzGlhrgKchrfnidh/SUNiT04UVeeuck7wWL8M6Jfi0zJItankJaCAHlFzHku5+HYCM+6B1TN5bBKzyrizMAAtZ7fwmUjMt1TgXDSmG4CQXrUSmTkItlHnA1W8MvdFbJY5+cS3aJNx7rnvGp5H5OroedL88L+uuIHqxEx/qxRI=,iv:E4MmeS+xBPIvd2QNxpOHGx2Vpj16s9PZzp6kjkbItqA=,tag:FqVEO7iEjvAuJE4EJ35Yww==,type:str] mac: ENC[AES256_GCM,data:YEm+/mTkdLblxqrQAkCW8QUoQVkK1drgdHCt463aBUl9r04TJdRbij0p3QuLzVIvXJosdBQ0dN0Y/huuFOkP2bixH1q1WtBaqt98iYuR+Gessj7+kDekTNHCNQoZJjbFfqOwIEFNw/if2kY4aHcUoyQQj//yoGTA0vGbqrWzcX0=,iv:KWIo36gl7hOrEDZulqwRwr6eCfc6Hat5f17hpLLDMW8=,tag:3IBrvYXxN4j9I72lwiKq/A==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1

0
.archive/modules/nixos/services/cockpit/default.nix → nixos/modules/nixos/services/cockpit/default.nix
View file

4
nixos/modules/nixos/services/default.nix
View file

@ -1,6 +1,7 @@
{ {
imports = [ imports = [
./bind ./bind
./cockpit
./dnsmasq ./dnsmasq
./forgejo ./forgejo
./haproxy ./haproxy
@ -9,9 +10,10 @@
./nginx ./nginx
./onepassword-connect ./onepassword-connect
./podman ./podman
./postgresql
./radicale
./reboot-required-check.nix ./reboot-required-check.nix
./restic ./restic
./sanoid ./sanoid
./syncthing
]; ];
} }

9
nixos/modules/nixos/services/dnsmasq/default.nix
View file

@ -18,14 +18,9 @@ in
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
# Ensure the tftpRoot directory exists
systemd.tmpfiles.rules = [
"d ${cfg.tftpRoot} 0755 dnsmasq dnsmasq"
];
networking.firewall = { networking.firewall = {
# dhcp ports | tftp port # dhcp ports
allowedUDPPorts = [ 67 68 69 ]; # server/client/tftp allowedUDPPorts = [ 67 68 ]; # server/client
}; };
# Proxy DHCP for PXE booting. This leaves DHCP address allocation alone and dhcp clients # Proxy DHCP for PXE booting. This leaves DHCP address allocation alone and dhcp clients

5
nixos/modules/nixos/services/forgejo/default.nix
View file

@ -9,10 +9,6 @@ in
{ {
options.mySystem.services.forgejo = { options.mySystem.services.forgejo = {
enable = mkEnableOption "Forgejo"; enable = mkEnableOption "Forgejo";
package = mkOption {
type = types.package;
default = pkgs.forgejo;
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -29,7 +25,6 @@ in
services.forgejo = { services.forgejo = {
enable = true; enable = true;
package = cfg.package;
# enable sql db dumps daily # enable sql db dumps daily
dump.enable = true; dump.enable = true;
database.type = "postgres"; database.type = "postgres";

87
nixos/modules/nixos/services/forgejo/secrets.sops.yaml
View file

@ -1,7 +1,7 @@
services: services:
forgejo: forgejo:
smtp: smtp:
password: ENC[AES256_GCM,data:sq+vLUV35+sclAszVQRU4up1s1y6K6BNbzSW8hKBN4kavJOZLX6o86xTgNjjScQop1c=,iv:5zbzggdTT59ali0LzmPtaP/jAnGCYoJFcIEZkFNFmJw=,tag:z9s3NQptPwKOC+m/EUVeWA==,type:str] password: ENC[AES256_GCM,data:kkKrSGJER21Q3efHuJ6YJVcmqILMYMME+e1GRdNDOX+sDgKwapY+lJrlELgD5RFVJN4=,iv:/nxRa6Tn1pGGYQ0mds70p3+a9ZYHv6UidngHvI5GTIY=,tag:4rScz6znMhgtQB9V4iDqWg==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -11,77 +11,68 @@ sops:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPUXYxY2hGci9ZZ3BId0xE YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpM0tHclk4K3ZTZ2VyTk1i
TFJJVzdJQ2h2TlhNQk8vZFYyajZyUVpiY0E4CjFJR0lGdG1jYk1EejBNTFVwekJD MXliVmtmUXBMWlFlTjZHeEdEbHArUjJwMVRrClViKzZJNXkwMHF3bW5FQUxROVRF
bE0xR01SNWNib3VyRE52TG1hbFYydXcKLS0tIEtkaW9RN2lqYkhwR29JZm9QcHFM UTdadFdseVkzaUpvMnNKaTZkVWNJSVUKLS0tIGxkUmk5ZmFZOWtlUndJdjFSL056
U0hqelgyTWJGUW83emttS1pVYzlNOWcKWp+wQH8iZH6ox+unG6Qx/2vbG8GeMpCa dXh2bG04QXR4THB4WFVSamY0SWpUSGcKwYArSMUjLm7j4+0vdPw8x8WrfIMEvJz1
k3lUrtyqEKxw3V08FA1gWvLF8XWVgYGVS1jlZFypOVLbl5Ig9l+VDg== K8Tqc2IJ1KfH4GGcOveYt9UcgUrzuvXsSnPydKWnc86RuFA+X6Qixg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmcWsvN2w3MGp3M21xc3BT YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsNTVGdjJ0dGE4aHBDbjRx
UkVueCtwSmdRNjNXNFdYY1NBTUF4Y2czVFVjCmhzcnpKUkVvZGRzSm1KTGs2SldW VWlJeXEzVkF5MXNmN2VNUnZrZTFuam94ZmdZCjZiSXpNZTk0VFVuck9ac3hDenZv
cEZ1djNGUWpaek9lRGFkWVlqSHJDWmcKLS0tIHY1TU1FNm52clhZNVBDOWtrOXI2 djZrbndYTjREUG5RSTNFNnhLTkRWSzQKLS0tIHR3L3BDditLcm1BMmlLcWdGNFFt
b0RWamMvdWMvS2tSMnRTcTFlV2hBdUUK2RMSSn4WBhBiv5k0NNoXdwjPJkueOoXu MGRBaFVjTzRNaXlOaGtvUzlmanZTb00Kb/RJFiSQ9XlRAfjrrncoJlDnQAJw9LI3
OXEeslquRSkZ+f/BpbhzFTXRzlQdLA9keMTcM20SK1IBuKICkJ5eyQ== lXX0+BKL4fz8VUFY1dqcuDBSuvssADkDxU4X6yaebt/touhXJ66A8w==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWbDlZMlcvbkk2WnJmZU1I YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWUVxVGFobUxZV2M0ZUx4
djR2UEtqbUlsaVVQZjk1R2RjbVpTT3VQVVNBCmV4aWVLOFdkdnhEaWgwU2FzbVRL NkpWTTVYZkM0cmFYNFJXYkE5SHJaaVpvdlVNCkV6UTN4c09ZT1RkVE1EYjlVZkhm
ZVVLVjN5WVdNMWtxbDcrUGYzZ2xNWDgKLS0tIHpTdExXbXF4V1pnSzBMcnFoSWF4 Y1ltSWpuSW95SXVkb3pyUVQ1ZGJ2Q28KLS0tIC82WnVsQ3RxSmxaL3czRlI0cTJV
eU83ZVVnblV0eE5ia3QrMndDNG11MXMKF+iGOD0KKJV7YgxmI4ucHjvyGu+0EcIQ OFd6VXJZUnZkT204Y2locHVvb3VpRHMKg9AMO4e5qGgSno/8FWEseUW9bQmfxVS1
smjK+ENxzkfk3yFICjkiIQSVBygvNiV97oPVpYeYGnhyiH3xefgyWQ== UOYzIvtmAZVuL0uxrz6b9TwOv0CooP0+JhNOjcuFzcbMCcM1CQgwvg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGUWx5YWhHbWFZeGEvV0VL YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjVFJDbGtEeksrN3lKeXJF
TnU1akp0WHhlczQwbW9LZ3BTYlhFSUVlaWpvCnFsZFFIdXNubGRyQkFnNm1nSUVQ dFIzd280SXRwZmVycHl2YlZ2VEo5dHhQVTE4ClBHS0lKd0FaMkNZT0xlVUF0eURO
d3Z2WUwyVjYraXRxV3NoZVZYbVhyQWcKLS0tIG5LV1hDRng4aDd5eDUzY0k1TXQv TDZ6ZWJBRmtNMUZFN0FqbEVtdUxjYVEKLS0tIHZOTUZwUVdXenlDb2JxUXE3TVgy
SWNzRXgwRTRvL3hEc3ZvVGFiRTQ0UEkK/9vK8sXbEqxQ4KCxzMeFHmqoTSLd/kx3 UDZMb2xQVGIraDNxTy8yZDV2cEtHc1kKyjdLT8YcpB0yhXugPcN0scRiiTvpaF06
JBt18+XISrPYptEekZTV6obp2GKxpHDj0LEsNpUIjPWmIbT6gInHBQ== AoBdKBnxWHn1EVuypo75gOvKHwUMDdiQY/WUndQdlNOihDjzCSYGUg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df - recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZmFZUE43L1FzTFltamdX YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArM3BsTUhJWTlXSitXN2NG
Uk4zNUtjMmlwcFVEeVB6UmFjWHM2OEpMaGxVCi9HYmFOVjl4MDl1MFAzc3pTbWtO cG1LTWs5MFZYV09Ga3JqREdmZ2NDYVRHa25JCm4vNFZXS3JQdTEzUmxmbld5R1BD
WHIwV0labHpmYUFFcWZwNWdrN1dhVk0KLS0tIHM1VENSWWtUN2hFa1hLcUJjU1VJ dFFWM1Ivd1M5dTNJbExLZThNYmdCbE0KLS0tICsyWmh3bjZLVC9ZSUxBVlpkWksv
amJ2K2xHL1FwMlErZitrSXRwek05TEEK/KDJHIOzuMCp1xON6ZYsgMKbYIQ5MAm8 WXpaZDkyOFFnTkYvVDJjdjJGeXVSZGsKjJEb7JlXb8n/l0j32ixReFR+UJm59CYy
W5U9PDE93js7j8lR4dTq2AASB+U5nk3I0MPPrcqhHkVcsSwMuKYSUg== QyGCeBuAWOpeDw5d4jA+WikFrRRAJyiTcvsVi+PAzzqlOAlT0+/KrA==
-----END AGE ENCRYPTED FILE-----
- recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmWHUzSTYvaWRQc1dhWEN2
d2JwdjFldkRzbi95Q2JpRlZFaUVGWFU0MUFFCmpaaHdQbmw0Q2FVS1JvMkNYSzR6
aDRCRVI1NU9jRXkwMndyUzFwL3BDOUkKLS0tIDFvclN5eXJTWEg4VGhDVFpFSHdV
V1FlN0JOVFBXZ1A2SmxZaGkvU0MrU3MKuK+c/lbMvzdREphCn46IvL8X1iOw4BwB
9FdstXHyEX8OW0hFl35ZCNvPyd9pwO5fK/sObDrZ5+aCfFE0MbFbyg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnK1N0S3pDa2tCdjhiMGJJ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjSXg3NUVia1hkK08raHRI
T0lDNU9YQXN1bkJuM1NUUnFzeGJBN01WTEVFClVVNmNTekpOOHp6N202L0NzSno3 VmlMRENkMHB4bkFJNGNiRGlLUitSQzVrWFZnCkZPWTI4QjhiWUpaYkh2NHZwR1dG
MEwvMUx0c1ZmTFpscFlTM3FDR1VhOE0KLS0tIGM5TjBiQjByWkMwY3lhQm5CVTZJ Z0Zub0JSdWwvM1ptazhUdWpxL3htR1kKLS0tIE91bWZObHVRSmZNNlBJK2FZK2RF
K1pPUER4aVlmN0FKTElEOXdzbVlRMVUKaqTcad+P1DfUqEhD7YUdsGaIx2H4IMco UnBtNmlJbnRYRmVyQ2hMcWNxSjVkVzQKZ9+hpZk/VnMKaVEUoajfBfMjkqz1PbVl
Kh7lk0/ppXFmcRAKWF3luwdLkaebkFzx56MZjJGroNmMvkR0fMUv9Q== Fy6cOfjXzGCtx8vsU3TNILy+23M6e3G7K6ghHnhO5kL4StAY1PTR/w==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5T0syRFJiekFaeDRsY0FT YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzZ3JDSGZ5WTRybGpVdG1Q
NE1DQUgwK3NQS3lQRGRTTXFQVEVkK1pYYkJnCkNWQ3J0b0V1eXF3OVF3R2JjNEpy Y2crbWlQMnAyQjIzbzY4RHcwV3pXdGVzY2s0CnE2MTRLZnRQakU1RzVlQ1NDeXRk
U3libG9INjl4K2VEMHpMMHdRYVViUkEKLS0tIEliSUFLWlhmblFZWCtRdDRGNlNa U21mM0ExVzQ2QllOdTltQlpNOE5EU1kKLS0tIEtOa1BJdnRVY3FuZ2Zlb3g2ajhN
VXhhd1BLcmh5TnVsaEJaOUJURG9VYlEKeFta+e5e2EiJCSL7CMrIoYwyAnCeybEq eTRFakI4MlRBbEJKbXBHSXlBWlZJMmcKaeSAhUZHIlXOaKqnRcARJITwQdJLFbpt
vYfgMETwNaAh/AfGS1mdEABpK1tWi1H6Uu44g8OWTiszjQ09shb76A== Hs5sshvnv+EZjvir9L0EgRtgpUmnpkl+mGnQxaBW4YVf/iiQYTyHsA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-18T23:57:27Z" lastmodified: "2024-07-15T23:16:58Z"
mac: ENC[AES256_GCM,data:DrSjFv1jbSuMO2QL6h8h8ln0Y5VBDBSrqC8rvaLZHkd8MOF4IPsjQORN2coZJNNvOpGhZsTiZ2prBBCQfqGRI+QWNlGTezOfWCZpFa7Fkp7g8TXZQmAkvrpnkFYgcL2JyvN5PrvL1j6gK4+zP7ohjLk1+v1VbYOPSab+N9ftYRI=,iv:VDGLfHXC0/vIue1kIKTGxK5x0CskAyG0CcNUOmHEXfc=,tag:CWXtliE0nCSiiW5O630A1A==,type:str] mac: ENC[AES256_GCM,data:61nap2R6vs3XTFECmq5F1rqPE6eWZyM50dsYtNMfAAWQU9D9cyaDEx6bKkwMyBpxSQNHlGJWoglwRvZH2wQsLB46sdR9UNosqJZD7RRRh/RzkY3SWW6vHeP/YgnfsGgPpMWleBI7jnH/4EMoB8a1PECZiR7L/8BIFDlmdklbJ/I=,iv:G5xTBn3oFBLJHIEqGsghAXrZc115eGwWBbMLBOHET6Y=,tag:bnZodcvP+6nbc/yFcQVogw==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1

14
nixos/modules/nixos/services/matchbox/default.nix
View file

@ -6,27 +6,18 @@ in
{ {
options.mySystem.services.matchbox = { options.mySystem.services.matchbox = {
enable = mkEnableOption "matchbox"; enable = mkEnableOption "matchbox";
package = mkPackageOption pkgs "matchbox-server" { }; package = mkPackageOption pkgs "matchbox" { };
dataPath = mkOption { dataPath = mkOption {
type = types.str; type = types.str;
example = "/var/lib/matchbox"; example = "/var/lib/matchbox";
description = "This is where profiles, groups, and other matchbox configuration is stored.";
}; };
assetPath = mkOption { assetPath = mkOption {
type = types.str; type = types.str;
example = "/var/lib/matchbox/assets"; example = "/nas/matchbox/assets";
description = "This is where matchbox will look for assets like kernels and initrds.";
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
# Ensure the dataPath and assetPath directories exist
systemd.tmpfiles.rules = [
"d ${cfg.dataPath} 0755 matchbox matchbox"
"d ${cfg.assetPath} 0755 matchbox matchbox"
];
# Matchbox Server for PXE booting via device profiles
environment.systemPackages = [ environment.systemPackages = [
cfg.package cfg.package
]; ];
@ -36,6 +27,7 @@ in
allowedTCPPorts = [ 8086 ]; allowedTCPPorts = [ 8086 ];
}; };
# Matchbox Server for PXE booting via device profiles
users.groups.matchbox = { }; users.groups.matchbox = { };
users.users = { users.users = {
matchbox = { matchbox = {

0
.archive/modules/nixos/services/postgresql/default.nix → nixos/modules/nixos/services/postgresql/default.nix
View file

0
.archive/modules/nixos/services/radicale/default.nix → nixos/modules/nixos/services/radicale/default.nix
View file

77
nixos/modules/nixos/services/radicale/secrets.sops.yaml Normal file
View file

@ -0,0 +1,77 @@
services:
radicale:
htpasswd: ENC[AES256_GCM,data:5ddA5KQfwz19///HzOsWfQ==,iv:RF0x0m+ODyDjQhn7eSBEXu5Leg0EvpMvuLVErDZihAo=,tag:HhHzXcroFshr1H/ditMARA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UjFGTkNCaHVEK3ROTVBO
OUxrcmhjR21YempEZWVIOUlLYVNuMm9XOURNClJkbVZ5MEFmL0dhTWgzNWtYTHUy
SUlyZmtYTXZmWUx0V3BGZFRjOTcyWVUKLS0tIDNVSW5ZcU1IdW1jRTJucUxIdm5x
TmIvZmRRaFh1clkydDVlcWxvVGJkOGcKFpeAAdv1pi5AixsBKn/0Zo4QRTNBrKdm
8Qy6MVZg8HTf/CezK/XjkAoiB5K96fATXTpdZqZ7jfcuYLdpfEU2jA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDQlRJNlhhdkNLcjRjaFZT
YVZJdDJLeFYwMzJUZlllaElPazhPaE14YWlRClNBWDVkTWx0Qm8xTExyT2dmSjRP
VHdNM3pwQkNXUW5xVTZlVC9YTFFodjQKLS0tIEkyQTVHd0pqelppSXJ5SGpHSVF1
aUd6ZGhaU3BsdnFVV3NqMDkwbDdVUjgK1BnXUPCCo7M/sdpGfLOOJ5AAjyI9isSx
9WJ5+WmNxygzBDczPjJITBrvZMGduAxWqQP/FrLe9rQ/RA3DGJjThA==
-----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKdWdJandiNXJhMUxwSm5p
eHh5bmM2MmF6d2MvdjBXYmhyZUgvS1V4L2pnCmxDYm1VUi82byt5SFJ6aHdrNmp6
dENPTmgvVWZPYmZtN0s2VG8xNHplT00KLS0tIExYcSs1bENBK1NFZUluSjFCOFVp
R3lmaUNyT0lyaWlhdGJySWtLWVNqLzAK28Nd/WUDXXW2BXhLvZpzbOU7kSoMRPaX
jqx6VRHBcgXvPJcYh1KK0nnxo6+DlLeTXI/ai3H6WI3TbQHNmoLEGQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGc2lUelNyV3BGNjl0STJw
clpiSUZUSTUwbEtZYjcvbzVaVi9EQ1d1WlFFCnhQbC9Lelk0V1RmQTJ0K2ZZazdo
NTZCREhNUE5KbVR0ek1Hd09UbkN2bkEKLS0tIFVyd2YvZ3g2R2dOaEJOcWVWVG9D
b3REQnhvOENGbWxtdER2T05wS2RINTQKRhMiqLnu2Ww098A24fNtfDFSMC/t7A2D
qcLdhazNwKvzCSOW0i+EYsG4beWcqLyDFA5dNpGWyfRYSh3QJWTdmA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsdWNXSks3MEF4eGVHREpp
VllDczcxbThRYUsxZGhHR0J5TVoyTmFtdWpNCmJHbG5UMExLSHh5ZkwyRDMzc2N6
UG1WTnNyTTdldHFDa3VKOG45Q1RmU0UKLS0tIFFXKzZHTm0wTVpheEw5RE12bWlo
NHFWWlRBdmRRWU1DL25CRmlVdDhhRjgKutzYioPd1LJvQdo/FQ+hQznRqsIhSGfn
c2ZwmE3QgPRhfh1CoeoK+iK/STVlrb8DEPi5VPEOz74+kbr18v+K5g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhdERIZTlEN3NRK2R1WUJL
T0ZScVpraUdaQWE2WU4zdUp2Rk96T0xzcGhnClNWSGlKODYrSVBlM0V5RkVaMUt6
YUJIa1NnZTZhM1ZXOGp4ZHZidTR6V2cKLS0tIG54RU91dkZEeFB4WGdaSFpQTjlX
NVF3WGdGZmxxMllBQVlYQy9zTE03VW8KE9LaWyGBs7vRBjayY+8XiFDq0uFQIFfy
AqeVIQIAlt6EKXzUwCD/otHgCAJmI1T/2QNc7x34HjgQi1NcjZzxJw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOdXNFbGNLb0RqZXpQcXda
RDd5ODk1QXk5N1o4Z2N2dytIWlMvVVVSa1VBCkNLSzZWZG5rc1N1d1hQQnladVJ6
VGwwSmFkVU9GYmZyQjhiK1ZSNWRrVG8KLS0tIFkyM0FDNUhVK291eGl4cjNTSnRk
bUs1eUZkcWJYM0NVU3FDMDFKNTNIWUEKbfdIAAfRNO5OXmvxA4az2be6O+aSIzfL
lHfQwH+07owhw6K17vJaKlOVGlpTLVpW88497ILCoUrcH9QbVnGAcg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-15T23:16:58Z"
mac: ENC[AES256_GCM,data:mgsfpMzhJ0vaoxNTbfXcVZ395e79wFGTK7YmYZY1nUOrTFP5NO8xUB+A9RlnUVrgKEV6eJBLYah6LX29fjwcllgT3aJnk9oFf32PxBPaYxg93m/L5a1+8cHbYn9JqQcPzaqmCCqT1uK5DphO2ztxKqlBhzEhx4UIfh5hBkyu3cI=,iv:n1oVTFkQriDMdRqmcUNApqzfaCX/rGNhzjGPAgPTK7c=,tag:E3uoBzPxhBk0lBF5GMhNoQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

91
nixos/modules/nixos/services/restic/secrets.sops.yaml
View file

@ -1,8 +1,8 @@
services: services:
restic: restic:
password: ENC[AES256_GCM,data:QPU=,iv:6FYmdgpKLplg1uIkXNvyA+DW493xdMLsBLnbenabz+M=,tag:SVY2mEhoPP/exDOENzVRGg==,type:str] password: ENC[AES256_GCM,data:PMY=,iv:GzQOdFF+rDY/WN3uZK7FV2++o2Mh4fnhzHhNnzyiJ4c=,tag:GhnZYmvoaDb3wSbHA50DkQ==,type:str]
repository: ENC[AES256_GCM,data:VGtSJA==,iv:K4FnYzTrfVhjMWf4R7qgPUCdgWFlQAG8JJccfRYlEWM=,tag:43onghqVr44slin0rlIUgQ==,type:str] repository: ENC[AES256_GCM,data:1Ui21g==,iv:qC8f3+nYS9HTF5WqFfiKjAFY0tSQhL1XU6sAgIK7vCs=,tag:ykOm3Tv8XWbqDofPChvHuA==,type:str]
env: ENC[AES256_GCM,data:TWUJ/GE84CTiLo1Gud+XsA==,iv:gKC1VcWnGqEwn5+e5jIqsIfipi3X2oHGvrG0rgqQl9E=,tag:QIBfXblvSDxAVYbZGAN3Mg==,type:str] env: ENC[AES256_GCM,data:tfXFwJZkdFrhwN90u1tT3Q==,iv:ShVllR4+CNOURMwCIF5ionQZEs6Zv+GCQOwpZ3cNlIU=,tag:udAASv7SH635dqNtNf4z7g==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -12,77 +12,68 @@ sops:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvRUJEU25EaUhacWFBOVg5 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0QStpWFFiTDF0dkMva28w
TWI3NmtkWFpONHRVZ1BVSVRsQzMraVdmblFBCmd2NzcwMGRTMTR6ck9lcGZSQmVi WGM0TFdOY2VhUGVCTjh6ZzFycmZkci81MWtNCldGZksxNHR5MnFmQ1ZnMVpXK2xo
dHlFeS9RNENKcDEvS2FiRTVrYjVlUGcKLS0tIG1VSW9sejVWZmJHQXlIOVpLMjds OWltSjQ1OEN3WnNqK2xTN3haYWJWYkEKLS0tIFJBSHhSNWtxSkFYcFZrL1o5dGxX
SHV6U2ZhUnVpQVNROGNjNEtZZXI1bEUKXjSwBNA8ylfo4CWlefFfajm2JdYtjUVK RVFWMVJXMnRQdWhFSEwvOVVicG50ek0KMJYN1Xo4Y1QgPGkGcglXa7wip9u8gOeG
bqXlIH/nG+nQ+I4Rj1XHo7hAuxCatuN0bGVBkSlzqIZk58/JladwFg== E4e4s9upSyjZTKOe+6OOnYXjVl3uc0SJLmdjvQyqqMR7SnOTqjqbfw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMWis3TWZ0djY4YnJNek9N YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIWlNFbXlONEI2L1NhOSs5
T2VXK0IzaStkMisyaUs5MTVHeXY4bytoUWdnCmlmTmRXRlRwOUZVQm5aWkxSKzFB TXA0dERBV0xmUDlHN2FDeXBKZ3FROEE2d2cwCjF2aWZSbGloYStEemozTkJlelZS
UzhtbWd2Q09sbTJPeDRWeTFESkcwWUUKLS0tIDVaN0d4UGlTZUhIaXVKaXJRNThS TC9tMnNDL05YS01lYWFlSjBDMjBNVmcKLS0tIDFYVSszTGVpTWlQc2JFNE5HTGQx
algwTTZsVzNTQngzVUwyU2lpNll0bU0Kjz+34mvPPAfGUQKMH6LXawGou9HjBTjJ allaTGsycThSKzJPT1R0TjhlZ21tYkEK5eFfulRlIjh0j/n55uCtkgTe9Y25Li1k
p9vxncB+7ykvT4e4Z0PpPE/Zo5yvi9rt1T8bZ6dG7GA5vuE/4BarCA== TaMfOiS56aeDBVJx0x/glR2gvxR4yd0si1fPijsbP2179JqE7zFNSg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByK2FNS0tJaTdRQzA0VVky YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4YnZoaWIyajVLYjFHT3NR
aERMTVdqRzBwWFV1WFJJcVRKSTFIUlh3U0E0CmFKZm9jUHBpRjJCZk9PVkNWVEFU UTNNY2llYW5mWjJIejhCZ08vSGQvWDZiZ1VRCmNMeWdGelRod2x5NmdhS2RVWGhl
RURReEhGNTRmWWpLa1ZNdVFHK3FQQWMKLS0tIHcrMTBiMGhlcFc3RzlmVEp2OEpX RmxhOGo4OXFINDgxbjQvQkNpakVkZzgKLS0tIDNNVFRmNGQwWmJKYUlFN3hNbVFw
ZHZLdXV4a05NaGRmR2Z1SkZCV25kNUEKHU1v1OK0d2ud7QL+gEoA8R4Z5YgVSP42 MXZoMXFkaXhCaHhCclZrb2R1WEVjSjAK2InKsgvBb6tI8gUZYwfGAYOly0pa1mFK
IvnEQxjjXZjC4p+OjFErKcWrVb+3DGzqF1vngJVrXmIgOx/SZKTa/Q== kuQyj0VMYFI3O7c35ZpwNmHCtFzxt2rza7E0DGrYpVUlJgOte6Gicg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3MytrUFpsMUVpT3pTNWlq YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhZnZKemIveDRTZGhoN3lB
NjMrRjI5a3NqNzlNV2JlczJRNXNicVZaWVdNCjNnRHM2RGV1SEh6M0U3T0NvdlNQ bHlNOVNFUnAzdVBjRk5HR3lxdGI4UWdDTFdFCkUzMUdEMXk1dVppdTJhMmgxRjBG
a1JIZFp5bHJwMXlNd29DQ2MwckRrczAKLS0tIHdmd2lFZ1FWTFFMUExPeWRXd2U3 UDl3UzlhUi9nOS9WZW5naWhyMlN4NWMKLS0tIGJVZndlOTBQMjM3dEROUTdlQzEw
RU9UYXJESnAyYXFITTN0cm5QelR2T1UK3XUlIGQED91sUPc1ITq1rXLj/xhkGM9s NXRkOUhDaTU1am0wbjNXWkVOMUZsZ2sK5uOwOezrleA+zwYcDYjBdGQXRI+27ZLr
R4bsTK5RqpXE+RmGfxeAMP7Om424vjM76l6DU2JkoZietDwR35UA8w== 850yLNtKO248aFX128JTk5+J1OV5Dv4QYRbzGfpb0/mK0U1uTXLm1g==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df - recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjc0haNU95V3JRUlpuUjha YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmdU93TEgwVHJSeWJmbGNv
SHpOWThJWVMwbElRaFcrL21jYXA2SFBHeFR3CnV1MkRxbG9QV1dWdjJxWENtQk5L bDlQZVd5SjQ2eGJ0ZjVYVE9MYnRRZmp6czFzClZvVnFjd213MlU3b01jNHJGWm43
M1g0cDJXRjN0VFhiRXZKbG1yS3hXaG8KLS0tIEtScWorRENpbFZWMjVXNnIxTTdi cDkxWVh5MTEzY05lVlg0TGJWbWdvYkUKLS0tIEtqc2c3R1JuOTlmazYrSDdlZXJs
djdBdThNMzFZdlI4TVBJSjdxeXg0VE0Kcwsa/et9gMSlm46rt0vZ/dFy3ZCZQ5Oi L21nOU5oZjVySGdJUGpGUy94U3Ixc2sKeHKCmx5yxHprbCq+76K5MNWVZJjOs+ck
WLJ492+srIeE47Gpye2jN2XAmM4exCijYkZeQvPpLIFvBFmQCK30hQ== QiTxxYKvdI7w2cCfyn9l9+dLcMqlqxdRLnoX99oi2ztIDHZEVEmqsg==
-----END AGE ENCRYPTED FILE-----
- recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMTDI0QXZaMlZLUW9ST0lW
Q1M1ZmlpTHpvM0NHejFSNEx0UUFnTVJIN0U4CllRcnVpUjFqOUZRRk5CWXZqT0V0
YWwweld0TE9zZGFmUTVDVVl6eDNETzAKLS0tIGtEanVWTHgxSk9Ld3NRYndOL3dZ
WXJrUWtncDZjVE50dmw2MHRCelpzZ2cKfLIQbrTsVGXY+UZCC5p/7+bXKHhv8nxt
dvvr+VGnH57jmELqSUoWOgefJ6GFNcCoGSYHZ9cn0UgvhZgx1Wpoow==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRN2M0VmVCQ0JaNVhnRzBj YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhQlNCSytZdTJQbGN3Y2U4
Z2Vqbk9GZUtaZlExYTRPQ3ZJWHIvU283cFRBCjExQnJvZy9SMndJd0VqdUpCSDFJ NlIxSWsyeTIvU0ZrVjhqVTl2K1pMVHN2UXdnClhCU2djUkZGQzRzYUhNNnc2TmlS
ZmJpVFJ1em9iNnNOcnFTQUExeGZESm8KLS0tIGdnWXNtNEg2SHpjRW1mR28vVDRv RVVrdkdqNUxQdGhCYWwyc3NLQ2l5bFUKLS0tIGVxWm01eU5zb2pma2pUU3VPbmxW
VFVRcDh0TlVXR3pYRk1Ybkx3MjhOaVEKsViUc14dePdnukQa3ud/EesnvZL7OCM1 cW94Y0dBZVMzbW9icUtyWDV2c1N0ZU0K77jXENggGEHpoe6qQl5O0sBbycrmlPoo
HWJYP81C9O4mU1kwRYtC0lGxMQX6aWiFZ5e2ImSi3w+mBP+KihfmBw== fnIMedUGzXpzYRV8cyKnY1sFGwyU2ymGsUff7cIBablwP1/MAKRJmw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCUlZ1TER2anNCRHBKQm1v YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrdm9ZNmdvVnhROFZvVVhu
QjhybHFCc1dod1djeWxkRmhBSC9YTW5IV0NJCkM5c3hkYWtLZnJHNVpPYUh4TzBR QkJGQ2J5MkI4VjVLNXNSL2svbnBKZUJ2Y1MwClFsQ1JQSEhlK0JJbTRHNzBNU2tI
U3ZaMEdSTVNsenV0RVorTTZMUXdYT3MKLS0tIDV1dWxjbXNtekZaUk9xaVdOYU93 aDl4eFhMMlhib1QzZldUcnVJdVZMSFkKLS0tIHBoYXVYazk4S1VpOE0vV2tqL2hC
UUpVako2MGVobTcvNWRsTWMwZm5ZSVEK1uI5dVSI4vY5hw0oxj21mJYoZB2Jq52z N3JDRm1OMFFobjloaXBNNENrQ29BeVkK/aAtqd93BGI5q3bZHydLxmVp6iBgfNUE
e+RDvcyBFRsS+238UCVi5qDdA8DcnQ2uRiBxKDGC2P3RoVU5TeCfTQ== nf+dZioVWVdoK9LSpoREFuOQu4upZ3MjxkClO0hjBJwaACElPrUF2w==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-18T23:57:27Z" lastmodified: "2024-07-15T23:16:58Z"
mac: ENC[AES256_GCM,data:88ZnGTkV1xxZO7UuVm5clZrHUMeiqAG++4X4DbCJGwqL+VDagYVhsui1+PzN62h6TgXtARecHON8TXd8z/NF4ekiY+LAcMC3m9x5AzmGYa7Qd5FKht1O6RfRORBDrojj251cqCifDxeGPq3C/X4Zi8Jg4KTSk1lAJoXMsqJQ3+c=,iv:8NnKOlzXD1jRVQ/tgoChEb0YY18Y7VpEiq85YhupTws=,tag:eUbLR66sNqQ2VIQW0/CBwA==,type:str] mac: ENC[AES256_GCM,data:Eht9Vth1XVzeTCTyS18neiLthQF2c1DZkUkrYv01v1nC6tRPnWPd6+7zPQsQbdUuImwEthFpGDtNY0DLqwuZ9NWWhtEhWspUK2QKxNDKdP/aDT5rnjcf5tvyDK1EGnvTfp/fbw5I+z1mQYfrrUrQNVn6eiZXO+71mF9zoQLu/C0=,iv:TMnbBm1d5BSC6ywdwR4Mmn39qyCEyjSr5ndwtcwQk/k=,tag:qcAjLJl995bSmJtzGX7VbQ==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1

46
nixos/modules/nixos/services/syncthing/config/default.nix
View file

@ -1,46 +0,0 @@
{ sops, ... }:
{
gui = {
user = sops.secrets.username;
password = sops.secrets.password;
};
devices = {
gandalf = {
name = "gandalf";
id = "2VYHSOB-4QE3UIJ-EFKAD4D-J7YTLYG-4KF36C2-3SOLD4G-MFR6NK3-C2VSAQV";
addresses = [ "tcp://10.1.1.13:22000" ];
};
legiondary = {
name = "legiondary";
id = "O4WI2YC-BZBPF2W-2ALNQ2D-UOP3BK5-ZDSEHVH-DIHS2FG-BSVJCXG-GF47XAE";
addresses = [ "dynamic" ];
};
shadowfax = {
name = "shadowfax";
id = "U3DS7CW-GBZT44M-IFP3MOB-AV6SHVY-YFVEL5P-HE3ACC5-NDDGAOB-HOTKJAC";
addresses = [ "tcp://10.1.1.61:22000" ];
};
telchar = {
name = "telchar";
id = "ENO4NVK-DUKOLUT-ASJZOEI-IFBVBTA-GDNWKWS-DQF3TZW-JJ72VVB-VWTHNAH";
addresses = [ "dynamic" ];
};
};
folders = {
projects = {
id = "projects";
path = "~/projects";
versioning = {
type = "simple";
params.keep = 10;
};
devices = [
"legiondary"
"shadowfax"
"gandalf"
];
};
};
}

57
nixos/modules/nixos/services/syncthing/default.nix
View file

@ -1,57 +0,0 @@
{
config,
lib,
...
}:
let
cfg = config.mySystem.services.syncthing;
in
{
options.mySystem.services.syncthing = {
enable = lib.mkEnableOption "Syncthing";
publicCertPath = lib.mkOption {
type = lib.types.path;
description = "The public certificate for Syncthing";
};
privateKeyPath = lib.mkOption {
type = lib.types.path;
description = "The private key for Syncthing";
};
user = lib.mkOption {
type = lib.types.str;
description = "The user to run Syncthing as";
};
};
config = lib.mkIf cfg.enable {
# sops
sops.secrets = {
"username" = {
sopsFile = ./secrets.sops.yaml;
owner = "jahanson";
mode = "400";
restartUnits = [ "syncthing.service" ];
};
"password" = {
sopsFile = ./secrets.sops.yaml;
owner = "jahanson";
mode = "400";
restartUnits = [ "syncthing.service" ];
};
};
services = {
syncthing = {
enable = true;
user = cfg.user;
dataDir = "/home/${cfg.user}/";
openDefaultPorts = true;
key = "${cfg.privateKeyPath}";
cert = "${cfg.publicCertPath}";
settings = import ./config { inherit (config) sops; };
};
};
# Don't create default ~/Sync folder
systemd.services.syncthing.environment.STNODEFAULTFOLDER = "true";
};
}

85
nixos/modules/nixos/services/syncthing/secrets.sops.yaml
View file

@ -1,85 +0,0 @@
username: ENC[AES256_GCM,data:WSQeuKRVE80=,iv:ci1XiMFsDDx3PbM0sH8ph/twu1FlrI3LSaURp3qaUxE=,tag:GrpaeuVBVK6CqOAiK+F2bg==,type:str]
password: ENC[AES256_GCM,data:Er08gOwq4LMXCiH+c1dPq1eGcVU=,iv:TtYcMYMuIRtsPzT47nCe0SEzpy9byuoBIOMTHWEdJkk=,tag:rIeYTmHDYW44pgntALRx1w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEcDA4MXZCNlk5TzVKK09L
Q0F3bldGN3p6SCtFM1F5dG9QV09uNXhiMFI4CmhFcit6V0FQL1ZYcVJ2UDc3ZWlu
bWc5Qzd0eHBjY3NzRUVXM1V6Sm1tR2MKLS0tIGU4YlNYcGltc21ZbENWMC9TS2JQ
VEhZdklMcUdBUmh5Q1ZXdEtYZ3htblEKWr8uQWvUbu36eD3Q09aKpHaAXkzBCx2f
g9osxa9r8Ih43NWZvJRTQlXdLi7T+oQj3dyYOT3gTL8L8WkbWuG2eA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtMGxrdEV6SUREMFlyK1p5
WFZ5aUs4QlNSUUE2eEJXcTVjRitjdlhtTWpFCll1TjlWMWd3N1FoOWRqWTEyODVZ
a0dwd1RIb1U0OGdUdkUyM2IvYmhyR3cKLS0tIEhhUzdhTml5b1ZaeWNQV2NpUmVF
aHdZV2FWbXpmL0RDTUdjQVBuQnBEUjgKELbs5UPRNslIvZz66Imtf4XfFxLUJkIA
xAbMZeGbW61da1kfb5Dc/v/zbB57T1qZNDE48nPfIMpQBNQNh8/9FA==
-----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBadDFIK1lRR0Z4RVhHRXUw
QldxNk8zUTVOVFpIM1cwV3ZMcXZPcFpTbEZrCm1NWVpsc05ob2FpRVY1VlI5Z291
WDI3ZEZwS25tRVpTMDR5SDlodE51VDgKLS0tIHk4VmhJcWswTVpwRyt3bEcxZEM0
MVQrSHR0WHI0eHVaVkpDZzhqZG5sZ28K2vw5S5phg4UXCeWr2baPdwtHDPM7OaUf
idLK+rKGFLxXWOcgzCJPDvwdIbvrmfueEPf8chmqcHus1JPYKzASJA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwTWY2YlFHVU94NnBuRlpN
RlpMS3kxOUhvTWtsNnVyQ2ExU0YzdXN4ZEdNCnpKczFjWFBkVGhnRGcwL2xRejVu
TGhHUHZzeEpVNm5MVk03Zkp3OFYxNjgKLS0tIGEzL2J3SytvZFp6ZTFXWHF5YlU1
dGZwelk0eWRsM2xwMmtxMWhQSkNVMEUKUSuFRNYCAuodVIVq59mfFDD3NIK3aCMS
WN0/otRuND5kDy4kmTqFil5E8WwRcpHvjZZOAjqDA16DSriZS6mpbQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjckh5R0s5Y0E3STZZbWd3
TDNtWUxGYVZCKzluK1FzZG9VaUppVUFpbEJvCjhtZDA0a0preVd1SW8xTW9jQkdO
cmJQOE9LNUJDa1Q0dFhYcDh6VUxwSzAKLS0tIEd5SkF0RUwvUUVMSW1IY25Oak1W
cHVrZGh6R1YyOStmV2dEbXJsY0U1NTgK7XjhWRazgHzIcsDPIsTV3qrYWhJ6FpCT
5P+HUNSjdv1sv/KbexJgjWgG0YNv+eRQnqtxzZaniaWcn5gp1JlR7A==
-----END AGE ENCRYPTED FILE-----
- recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWU0NnS2E1UzlRYVVjcDZC
ajhwSGxpUzNENXBSSE82empzd1pmYkt5SUdzCk5TZWJna0w4UU1MQ1R3WHVOMDJU
Q0pvM09OZFJFYm5OeHdQVDZBNW1mckUKLS0tIEhraG9YUXYrWUp6S3VqeThpcWZw
aEx6bWNNY2t5UFVwcHdBZE9kSEFrYWMKw40ntGaLDFX5tRK5Ir9yRu4Kbsyl7N05
uyMlyQ20zL0TmsL5OFEuIF3mhaLyu2GgigQaQcGffx/DUJdLRc8Fnw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4SDZaeUtCbWt2OFZRRm9T
Y3l1dzZwU2s0WDlaNXNaUHpFaExFamtSS3lRCmE1VHI0M3hqSDNCanFuR2l4SU8r
aTR6TlhReDJ4SjUvS0J0aHNyY002eTgKLS0tIHYxdU1WSng0VWZETTFiMGh1OHY5
STQyNWUyNDhRTkxVUXd5VHNjZjJjK0kK8SJirqpGCmLCwLlLul6WdAzIWWiAR4Qf
usYAmNmjbHLHxNftB9mGLEumJ8IAB20Ywk5EbujMvhJ0w1R7kAyC+w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhbCtUMFhveWVLTzI3Y21Z
ZlY2UU9vVFplcUVIbk5Jay82UmNxT2lZSnk0Cm5DRHRGMVZSaDZ1cElxWk9PQWhs
SmlRMHBiU1lTNVE2UlpQSXgvSDZqazAKLS0tIGxadVhWYUVOV0Jab05LS0ptendn
aWtiSlZlTUdwMW9Eb1dXUERVanVOaFEKSqRistshNg61yLJIe/3kuisRLuvfVbWu
ZsN/jk357Zv1VIYwmdm80LqI6zCGNzDaP30+Bxp8RTasA3gKM1mKrg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-07T23:25:22Z"
mac: ENC[AES256_GCM,data:ngdpFJcw3Qq/G7MWJY4Ka28r5tAobVlPxkQ+ve1MGd4SHKhUMRTA3je7kG+2zB/muQKtZ+SNolFJF4KcCtCOBaC0y70eJcFbGZ7g2iXa8TtNnW53PRpdWPYjJ5BhGbdCcJ3KKNcO+nT/PWIC1JTP6vp0j0aghLlYrm7Bq8+cAj0=,iv:YoTnZcxbn4Mzh+5lGQSr1OxLdyGUtGrnkt/KsNSTw2Q=,tag:63wotwyZVIqnTtZGW47jRA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1

2
nixos/modules/nixos/system/borg/pikabackup/default.nix
View file

@ -11,7 +11,7 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
# Add package # Add package
environment.systemPackages = [ environment.systemPackages = [
pkgs.unstable.pika-backup pkgs.pika-backup
]; ];
# Setup auto start at login. # Setup auto start at login.
home-manager.users.${user} = { home-manager.users.${user} = {

3
nixos/modules/nixos/system/default.nix
View file

@ -1,9 +1,8 @@
{ {
imports = [ imports = [
./borg ./borg
./fingerprint-reader-on-laptop-lid ./fingerprint-laptop-lid.nix
./impermanence.nix ./impermanence.nix
./incus
./motd ./motd
./nfs ./nfs
./nix.nix ./nix.nix

26
nixos/modules/nixos/system/fingerprint-reader-on-laptop-lid/default.nix → nixos/modules/nixos/system/fingerprint-laptop-lid.nix
View file

@ -1,4 +1,3 @@
# Pertially from: https://github.com/fzakaria/nix-home/blob/framework-laptop/modules/nixos/fprint-laptop-lid.nix
# Originally this file was based on # Originally this file was based on
# https://unix.stackexchange.com/questions/678609/how-to-disable-fingerprint-authentication-when-laptop-lid-is-closed # https://unix.stackexchange.com/questions/678609/how-to-disable-fingerprint-authentication-when-laptop-lid-is-closed
# However I found this not to work as the fprintd is started via dbus and masking it doesn't seem to do anything. # However I found this not to work as the fprintd is started via dbus and masking it doesn't seem to do anything.
@ -9,25 +8,22 @@
# On framework 13 the USB is: # On framework 13 the USB is:
# Port 004: Dev 003, If 0, Class=Vendor Specific Class, Driver=[none], 12M # Port 004: Dev 003, If 0, Class=Vendor Specific Class, Driver=[none], 12M
# ID 27c6:609c Shenzhen Goodix Technology Co.,Ltd # ID 27c6:609c Shenzhen Goodix Technology Co.,Ltd
# On Framework 16 the USB is:
# Bus 005 Device 007: ID 27c6:609c Shenzhen Goodix Technology Co.,Ltd
# Use `findfp.sh` to find the correct USB device.
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
cfg = config.mySystem.system.fingerprint-reader-on-laptop-lid; cfg = config.mySystem.system.fingerprint-reader-on-laptop-lid;
laptop-lid = pkgs.writeShellScript "laptop-lid" '' laptop-lid = pkgs.writeShellScript "laptop-lid" ''
lock=/var/lock/fingerprint-reader-disabled lock=$HOME/fingerprint-reader-disabled
# match for either display port or hdmi port # match for either display port or hdmi port
if grep -Fq closed /proc/acpi/button/lid/LID0/state && if grep -Fq closed /proc/acpi/button/lid/LID0/state &&
(grep -Fxq connected /sys/class/drm/card*-DP-*/status || (grep -Fxq connected /sys/class/drm/card1-DP-*/status ||
grep -Fxq connected /sys/class/drm/card*-HDMI-*/status) grep -Fxq connected /sys/class/drm/card1-HDMI-*/status)
then then
touch "$lock" touch "$lock"
echo 0 > /dev/fingerprint_sensor/authorized echo 0 > /sys/bus/usb/devices/1-4/authorized
elif [ -f "$lock" ] elif [ -f "$lock" ]
then then
echo 1 > /dev/fingerprint_sensor/authorized echo 1 > /sys/bus/usb/devices/1-4/authorized
rm "$lock" rm "$lock"
fi fi
''; '';
@ -38,20 +34,10 @@ in
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services = { services.acpid = {
acpid = {
enable = true; enable = true;
lidEventCommands = "${laptop-lid}"; lidEventCommands = "${laptop-lid}";
}; };
# Add udev rule to create symlink for fingerprint sensor
# when usb device 27c6:609c is connected or disconnected.
# Reason: hubs like caldigit re-orient the device number on each boot.
# May requires a reboot to take effect.
# or sudo udevadm control --reload-rules && sudo udevadm trigger
udev.extraRules = ''
SUBSYSTEM=="usb", ATTRS{idVendor}=="27c6", ATTRS{idProduct}=="609c", RUN+="/bin/sh -c 'ln -sf /sys$devpath /dev/fingerprint_sensor'"
'';
};
# Disable fingerprint reader at login since you can't put in a password when fprintd is running. # Disable fingerprint reader at login since you can't put in a password when fprintd is running.
security.pam.services.login.fprintAuth = false; security.pam.services.login.fprintAuth = false;

39
nixos/modules/nixos/system/fingerprint-reader-on-laptop-lid/findfp.sh
View file

@ -1,39 +0,0 @@
#!/usr/bin/env bash
find_usb_device() {
local idVendor=$1
local idProduct=$2
local device_id="${idVendor}:${idProduct}"
for device in /sys/bus/usb/devices/*; do
if [ -f "$device/idVendor" ] && [ -f "$device/idProduct" ]; then
vendor=$(cat "$device/idVendor")
product=$(cat "$device/idProduct")
if [ "${vendor}:${product}" = "$device_id" ]; then
echo "$device"
return 0
fi
fi
done
return 1
}
# Example usage
idVendor="27c6"
idProduct="609c"
device_path=$(find_usb_device "$idVendor" "$idProduct")
if [ -n "$device_path" ]; then
echo "Device found at: $device_path"
# Print additional information
manufacturer=$(cat "$device_path/manufacturer" 2>/dev/null)
product=$(cat "$device_path/product" 2>/dev/null)
echo "Manufacturer: ${manufacturer:-N/A}"
echo "Product: ${product:-N/A}"
else
echo "Device not found"
fi

51
nixos/modules/nixos/system/incus/default.nix
View file

@ -1,51 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.mySystem.system.incus;
user = "jahanson";
in
{
# sops.secrets.secret-domain-0 = {
# sopsFile = ./secret.sops.yaml;
# };
options.mySystem.system.incus = {
enable = lib.mkEnableOption "incus";
preseed = lib.mkOption {
type = lib.types.unspecified;
default = "";
description = "Incus preseed configuration. Generate with `incus admin init`.";
};
webuiport = lib.mkOption {
type = lib.types.int;
default = 8443;
description = "Port for the Incus Web UI";
};
};
config = lib.mkIf cfg.enable {
virtualisation.incus = {
inherit (cfg) preseed;
enable = true;
ui.enable = true;
};
users.users.${user}.extraGroups = [ "incus-admin" ];
# systemd.services.incus-preseed.postStart = "${oidcSetup}";
networking = {
# nftables.enable = true;
firewall = {
allowedTCPPorts = [
cfg.webuiport
53
67
];
allowedUDPPorts = [
53
67
];
};
};
};
}

10
nixos/overlays/cargo-tauri/default.nix
View file

@ -1,10 +0,0 @@
{ ... }:
let
finalVersion = "tauri-v2.0.4";
in
final: prev: {
cargo-tauri = prev.cargo-tauri.overrideAttrs (oldAttrs: {
version = finalVersion;
vendorHash = "sha256-aTtvVpL979BUvSBwBqRqCWSWIBBmmty9vBD97Q5P4+E=";
});
}

68
nixos/overlays/charm-mods/default.nix
View file

@ -1,68 +0,0 @@
{
lib,
buildGoModule,
installShellFiles,
fetchFromGitHub,
gitUpdater,
testers,
mods,
}:
buildGoModule rec {
pname = "mods";
version = "1.6.0";
commitHash = "2a7f9d4dc11b6c828bf35a0b3d0be709f3ed79b9";
src = fetchFromGitHub {
owner = "charmbracelet";
repo = "mods";
rev = commitHash;
hash = "sha256-23gtb8BOx/0c643/paRt7VFHEyMyF4Q4a5b5+a4+kNU=";
};
vendorHash = "sha256-RV/Nr60BpCLcUL2Yy1Dd2ScwoI0BhGhTb/igCEcJPjI=";
nativeBuildInputs = [
installShellFiles
];
ldflags = [
"-s"
"-w"
"-X=main.Version=${version}-${commitHash}"
];
# These tests require internet access.
checkFlags = [ "-skip=^TestLoad/http_url$|^TestLoad/https_url$" ];
passthru = {
updateScript = gitUpdater {
rev-prefix = "v";
ignoredVersions = ".(rc|beta).*";
};
tests.version = testers.testVersion {
package = mods;
command = "HOME=$(mktemp -d) mods -v";
};
};
postInstall = ''
export HOME=$(mktemp -d)
$out/bin/mods man > mods.1
$out/bin/mods completion bash > mods.bash
$out/bin/mods completion fish > mods.fish
$out/bin/mods completion zsh > mods.zsh
installManPage mods.1
installShellCompletion mods.{bash,fish,zsh}
'';
meta = with lib; {
description = "AI on the command line";
homepage = "https://github.com/charmbracelet/mods";
license = licenses.mit;
maintainers = with maintainers; [ dit7ya caarlos0 ];
mainProgram = "mods";
};
}

108
nixos/overlays/coder/default.nix
View file

@ -1,108 +0,0 @@
{ lib
, channel ? "stable"
, fetchurl
, installShellFiles
, makeBinaryWrapper
, terraform
, stdenvNoCC
, unzip
, nixosTests
}:
let
inherit (stdenvNoCC.hostPlatform) system;
channels = {
stable = {
version = "2.15.1";
hash = {
x86_64-linux = "sha256-DB/3iUkgWzAI+3DEQB8heYkG6apUARDulQ4lKDAPN1I=";
x86_64-darwin = "sha256-62tjAC3WtWC8eIkh9dPi2Exksp2gDHyXEU2tCavKZ4Q=";
aarch64-linux = "sha256-957GdH5sDjbjxEt8LXKPBM7vht7T6JizVwYYhbitdpw=";
aarch64-darwin = "sha256-ckcd1u9dgg9LKhr47Yw8dJKkR7hawPie4QNyySH8vyM=";
};
};
mainline = {
version = "2.16.0";
hash = {
x86_64-linux = "sha256-Uk9oGiLSHBCINAzQg88tlHyMw/OGfdmCw2/NXJs5wbQ=";
x86_64-darwin = "sha256-Bbayv00NDJGUA4M4KyG4XCXIiaQSf4JSgy5VvLSVmAM=";
aarch64-linux = "sha256-nV02uO+UkNNvQDIkh2G+9H8gvk9DOSYyIu4O3nwkYXk=";
aarch64-darwin = "sha256-C9Nm8dW3V25D7J/3ABO5oLGL4wcSCsAXtQNZABwVpWs=";
};
};
};
in
stdenvNoCC.mkDerivation (finalAttrs: {
pname = "coder";
version = channels.${channel}.version;
src = fetchurl {
hash = (channels.${channel}.hash).${system};
url =
let
systemName = {
x86_64-linux = "linux_amd64";
aarch64-linux = "linux_arm64";
x86_64-darwin = "darwin_amd64";
aarch64-darwin = "darwin_arm64";
}.${system};
ext = {
x86_64-linux = "tar.gz";
aarch64-linux = "tar.gz";
x86_64-darwin = "zip";
aarch64-darwin = "zip";
}.${system};
in
"https://github.com/coder/coder/releases/download/v${finalAttrs.version}/coder_${finalAttrs.version}_${systemName}.${ext}";
};
nativeBuildInputs = [
installShellFiles
makeBinaryWrapper
unzip
];
unpackPhase = ''
runHook preUnpack
case $src in
*.tar.gz) tar -xz -f "$src" ;;
*.zip) unzip "$src" ;;
esac
runHook postUnpack
'';
installPhase = ''
runHook preInstall
install -D -m755 coder $out/bin/coder
runHook postInstall
'';
postInstall = ''
wrapProgram $out/bin/coder \
--prefix PATH : ${lib.makeBinPath [ terraform ]}
'';
# integration tests require network access
doCheck = false;
meta = {
description = "Provision remote development environments via Terraform";
homepage = "https://coder.com";
license = lib.licenses.agpl3Only;
mainProgram = "coder";
maintainers = with lib.maintainers; [ ghuntley kylecarbs urandom ];
};
passthru = {
updateScript = ./update.sh;
tests = {
inherit (nixosTests) coder;
};
};
})

39
nixos/overlays/default.nix
View file

@ -1,34 +1,33 @@
{ inputs, ... }: { inputs, ... }:
let let
# smartmontoolsOverlay = import ./smartmontools { }; warpTerminalOverlay = import ./warp-terminal {
# vivaldiOverlay = self: super: { vivaldi = super.callPackage ./vivaldi { }; }; inherit (inputs.nixpkgs) lib;
coderOverlay = self: super: { coder = super.callPackage ./coder { }; }; };
modsOverlay = self: super: { mods = super.callPackage ./charm-mods { }; }; termiusOverlay = import ./termius { };
termiusOverlay = self: super: { termius = super.callPackage ./termius { }; }; # Partial overlay
# talosctlOverlay = import ./talosctl { };
# Full overlay
talosctlOverlay = self: super: {
talosctl = super.callPackage ./talosctl/talosctl-custom.nix { };
};
goOverlay = import ./go { };
in in
{ {
# smartmontools = smartmontoolsOverlay;
# vivaldi = vivaldiOverlay;
coder = coderOverlay;
comm-packages = inputs.nix-vscode-extensions.overlays.default;
mods = modsOverlay;
nix-minecraft = inputs.nix-minecraft.overlay;
nur = inputs.nur.overlay; nur = inputs.nur.overlay;
# warp-terminal = warpTerminalOverlay;
termius = termiusOverlay; termius = termiusOverlay;
talosctl = talosctlOverlay;
# go = goOverlay;
# The unstable nixpkgs set (declared in the flake inputs) will # The unstable nixpkgs set (declared in the flake inputs) will
# be accessible through 'pkgs.unstable' # be accessible through 'pkgs.unstable'
unstable-packages = final: prev: { unstable-packages = final: _prev: {
unstable = import inputs.nixpkgs-unstable unstable = import inputs.nixpkgs-unstable {
{
inherit (final) system; inherit (final) system;
config.allowUnfree = true; config.allowUnfree = true;
} // {
# Add talosctl to the unstable set
talosctl = final.unstable.callPackage ./talosctl {
inherit (final.unstable) lib buildGoModule fetchFromGitHub installShellFiles;
};
xpipe = final.unstable.callPackage ./xpipe/ptb.nix {};
}; };
}; };
# VSCode Community Packages
comm-packages = inputs.nix-vscode-extensions.overlays.default;
} }

13
nixos/overlays/go/default.nix Normal file
View file

@ -0,0 +1,13 @@
{ ... }:
let
finalVersion = "1.22.5";
in
final: prev: {
go_1_22 = prev.go_1_22.overrideAttrs (oldAttrs: {
version = finalVersion;
src = prev.fetchurl {
url = "https://go.dev/dl/go${finalVersion}.src.tar.gz";
hash = "sha256-rJxyPyJJaa7mJLw0/TTJ4T8qIS11xxyAfeZEu0bhEvY=";
};
});
}

15
nixos/overlays/smartmontools/default.nix
View file

@ -1,15 +0,0 @@
{ ... }:
let
dbrev = "5613";
drivedbBranch = "RELEASE_7_4";
in
final: prev: {
smartmontools = prev.smartmontools.overrideAttrs (oldAttrs: {
inherit dbrev drivedbBranch;
driverdb = builtins.fetchurl {
url = "https://sourceforge.net/p/smartmontools/code/${dbrev}/tree/trunk/smartmontools/drivedb.h?format=raw";
sha256 = "sha256-6r7Pd298Ea55AXOLijUEQoJq+Km5cE+Ygti65yacdoM=";
name = "smartmontools-drivedb.h";
};
});
}

15
nixos/overlays/smartmontools/getsmartdbhash.sh
View file

@ -1,15 +0,0 @@
#!/usr/bin/env nix-shell
#!nix-shell -I nixpkgs=/etc/nix/inputs/nixpkgs/ -i bash -p nix
set -euo pipefail
dbrev="5613"
drivedbBranch="RELEASE_7_4"
url="https://sourceforge.net/p/smartmontools/code/${dbrev}/tree/trunk/smartmontools/drivedb.h?format=raw";
echo "Fetching hash for URL: $url"
hash=$(nix-prefetch-url "$url")
sri=$(nix-hash --type sha256 --flat --base32 --to-sri "$hash")
echo "Hash: $hash"
echo "Sri: $sri"

49
nixos/overlays/talosctl/default.nix
View file

@ -1,40 +1,19 @@
{ lib, buildGoModule, fetchFromGitHub, installShellFiles }: { ... }:
let
buildGoModule rec { finalVersion = "1.7.5";
pname = "talosctl"; in
version = "1.8.2"; final: prev: {
talosctl = prev.talosctl.overrideAttrs (oldAttrs: {
src = fetchFromGitHub { version = finalVersion;
src = prev.fetchFromGitHub {
owner = "siderolabs"; owner = "siderolabs";
repo = "talos"; repo = "talos";
rev = "v${version}"; rev = "v${finalVersion}";
hash = "sha256-sD/Nn1ZLM6JIZdWQsBioKyhrAvhz749LL4xWleQ80xY="; hash = "sha256-lmDLlxiPyVhlSPplYkIaS5Uw19hir6XD8MAk8q+obhY=";
}; };
vendorHash = "sha256-8UIey+r1tdVRN1RBK5xxcAzaHb0VFdgenUXSFgoWh1g=";
vendorHash = "sha256-pWG8DbZ9N57p2Q9w/IzETcvwaSfzaUvJgcz7Th/Oi9c="; passthru = oldAttrs.passthru // {
updateScript = ./update.sh;
ldflags = [ "-s" "-w" ];
env.GOWORK = "off";
subPackages = [ "cmd/talosctl" ];
nativeBuildInputs = [ installShellFiles ];
postInstall = ''
installShellCompletion --cmd talosctl \
--bash <($out/bin/talosctl completion bash) \
--fish <($out/bin/talosctl completion fish) \
--zsh <($out/bin/talosctl completion zsh)
'';
doCheck = false; # no tests
meta = with lib; {
description = "CLI for out-of-band management of Kubernetes nodes created by Talos";
mainProgram = "talosctl";
homepage = "https://www.talos.dev/";
license = licenses.mpl20;
maintainers = with maintainers; [ flokli ];
}; };
});
} }

43
nixos/overlays/talosctl/talosctl-custom.nix Normal file
View file

@ -0,0 +1,43 @@
{ lib, buildGo122Module, fetchFromGitHub, installShellFiles }:
buildGo122Module rec {
pname = "talosctl";
version = "1.7.5";
src = fetchFromGitHub {
owner = "siderolabs";
repo = "talos";
rev = "v${version}";
hash = "sha256-lmDLlxiPyVhlSPplYkIaS5Uw19hir6XD8MAk8q+obhY=";
};
passthru = {
updateScript = ./update.sh;
};
vendorHash = "sha256-8UIey+r1tdVRN1RBK5xxcAzaHb0VFdgenUXSFgoWh1g=";
ldflags = [ "-s" "-w" ];
env.GOWORK = "off";
subPackages = [ "cmd/talosctl" ];
nativeBuildInputs = [ installShellFiles ];
postInstall = ''
installShellCompletion --cmd talosctl \
--bash <($out/bin/talosctl completion bash) \
--fish <($out/bin/talosctl completion fish) \
--zsh <($out/bin/talosctl completion zsh)
'';
doCheck = false; # no tests
meta = with lib; {
description = "CLI for out-of-band management of Kubernetes nodes created by Talos";
mainProgram = "talosctl";
homepage = "https://www.talos.dev/";
license = licenses.mpl20;
maintainers = with maintainers; [ flokli ];
};
}

98
nixos/overlays/termius/default.nix
View file

@ -1,96 +1,8 @@
{ autoPatchelfHook { ... }:
, squashfsTools (final: prev: {
, alsa-lib termius = prev.termius.overrideAttrs (oldAttrs: {
, fetchurl
, makeDesktopItem
, makeWrapper
, stdenv
, lib
, libsecret
, mesa
, udev
, wrapGAppsHook3
}:
stdenv.mkDerivation rec {
pname = "termius";
version = "9.5.0";
src = fetchurl {
# find the latest version with
# curl -H 'X-Ubuntu-Series: 16' https://api.snapcraft.io/api/v1/snaps/details/termius-app | jq '.version'
# and the url with
# curl -H 'X-Ubuntu-Series: 16' https://api.snapcraft.io/api/v1/snaps/details/termius-app | jq '.download_url' -r
# and the sha512 with
# curl -H 'X-Ubuntu-Series: 16' https://api.snapcraft.io/api/v1/snaps/details/termius-app | jq '.download_sha512' -r
# nix-hash --type sha512 --to-sri <output of curl>
url = "https://api.snapcraft.io/api/v1/snaps/download/WkTBXwoX81rBe3s3OTt3EiiLKBx2QhuS_203.snap";
hash = "sha512-BouIQvJZbi350l30gl9fnXKYRHhi5q1oOvyEIVEmd4DjXvJLQisV4cK4OZIJ/bPOCI5DTxNOY7PwEduVQd3SYA==";
#
};
desktopItem = makeDesktopItem {
categories = [ "Network" ];
comment = "The SSH client that works on Desktop and Mobile";
desktopName = "Termius";
exec = "termius-app";
genericName = "Cross-platform SSH client";
icon = "termius-app";
name = "termius-app";
};
dontBuild = true;
dontConfigure = true;
dontPatchELF = true;
dontWrapGApps = true;
# TODO: migrate off autoPatchelfHook and use nixpkgs' electron
nativeBuildInputs = [ autoPatchelfHook squashfsTools makeWrapper wrapGAppsHook3 ];
buildInputs = [
alsa-lib
libsecret
mesa
];
unpackPhase = ''
runHook preUnpack
unsquashfs "$src"
runHook postUnpack
'';
installPhase = ''
runHook preInstall
cd squashfs-root
mkdir -p $out/opt/termius
cp -r ./ $out/opt/termius
mkdir -p "$out/share/applications" "$out/share/pixmaps/termius-app.png"
cp "${desktopItem}/share/applications/"* "$out/share/applications"
cp meta/gui/icon.png $out/share/pixmaps/termius-app.png
runHook postInstall
'';
postInstall = '' postInstall = ''
install -Dm644 meta/gui/icon.png $out/share/icons/hicolor/128x128/apps/termius-app.png install -Dm644 meta/gui/icon.png $out/share/icons/hicolor/128x128/apps/termius-app.png
''; '';
});
runtimeDependencies = [ (lib.getLib udev) ]; })
postFixup = ''
makeWrapper $out/opt/termius/termius-app $out/bin/termius-app \
"''${gappsWrapperArgs[@]}"
'';
meta = with lib; {
description = "A cross-platform SSH client with cloud data sync and more";
homepage = "https://termius.com/";
downloadPage = "https://termius.com/linux/";
sourceProvenance = with sourceTypes; [ binaryNativeCode ];
license = licenses.unfree;
maintainers = with maintainers; [ Br1ght0ne th0rgal ];
platforms = [ "x86_64-linux" ];
mainProgram = "termius-app";
};
}

10
nixos/overlays/termius/retrive-latest-sri.sh
View file

@ -1,10 +0,0 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p curl jq nix
VERSION=$(curl -H 'X-Ubuntu-Series: 16' https://api.snapcraft.io/api/v1/snaps/details/termius-app | jq '.version')
DOWNLOAD_URL=$(curl -H 'X-Ubuntu-Series: 16' https://api.snapcraft.io/api/v1/snaps/details/termius-app | jq '.download_url' -r)
SHASUM=$(curl -H 'X-Ubuntu-Series: 16' https://api.snapcraft.io/api/v1/snaps/details/termius-app | jq '.download_sha512' -r)
SRI512SUM=$(nix-hash --type sha512 --to-sri $SHASUM)
echo "The latest SRI for version $VERSION is "
echo "$SRI512SUM"

135
nixos/overlays/vivaldi/default.nix
View file

@ -1,135 +0,0 @@
{ lib, stdenv, fetchurl, zlib, libX11, libXext, libSM, libICE, libxkbcommon, libxshmfence
, libXfixes, libXt, libXi, libXcursor, libXScrnSaver, libXcomposite, libXdamage, libXtst, libXrandr
, alsa-lib, dbus, cups, libexif, ffmpeg, systemd, libva, libGL
, freetype, fontconfig, libXft, libXrender, libxcb, expat
, libuuid
, libxml2
, glib, gtk3, pango, gdk-pixbuf, cairo, atk, at-spi2-atk, at-spi2-core
, qt5
, libdrm, mesa
, vulkan-loader
, nss, nspr
, patchelf, makeWrapper
, wayland, pipewire
, isSnapshot ? false
, proprietaryCodecs ? false, vivaldi-ffmpeg-codecs ? null
, enableWidevine ? false, widevine-cdm ? null
, commandLineArgs ? ""
, pulseSupport ? stdenv.isLinux, libpulseaudio
, kerberosSupport ? true, libkrb5
}:
let
branch = if isSnapshot then "snapshot" else "stable";
vivaldiName = if isSnapshot then "vivaldi-snapshot" else "vivaldi";
in stdenv.mkDerivation rec {
pname = "vivaldi";
version = "6.9.3447.37";
suffix = {
aarch64-linux = "arm64";
x86_64-linux = "amd64";
}.${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
src = fetchurl {
url = "https://downloads.vivaldi.com/${branch}/vivaldi-${branch}_${version}-1_${suffix}.deb";
hash = {
aarch64-linux = "sha256-kYTnWad/jrJt9z+AhjXzHYxVSIwIIO3RKD7szuPEg2s=";
x86_64-linux = "sha256-+h7SHci8gZ+epKFHD0PiXyME2xT+loD2KXpJGFCfIFg=";
}.${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
};
unpackPhase = ''
ar vx $src
tar -xvf data.tar.xz
'';
nativeBuildInputs = [ patchelf makeWrapper ];
dontWrapQtApps = true;
buildInputs = [
stdenv.cc.cc stdenv.cc.libc zlib libX11 libXt libXext libSM libICE libxcb libxkbcommon libxshmfence
libXi libXft libXcursor libXfixes libXScrnSaver libXcomposite libXdamage libXtst libXrandr
atk at-spi2-atk at-spi2-core alsa-lib dbus cups gtk3 gdk-pixbuf libexif ffmpeg systemd libva
qt5.qtbase
freetype fontconfig libXrender libuuid expat glib nss nspr libGL
libxml2 pango cairo
libdrm mesa vulkan-loader
wayland pipewire
] ++ lib.optional proprietaryCodecs vivaldi-ffmpeg-codecs
++ lib.optional pulseSupport libpulseaudio
++ lib.optional kerberosSupport libkrb5;
libPath = lib.makeLibraryPath buildInputs
+ lib.optionalString (stdenv.is64bit)
(":" + lib.makeSearchPathOutput "lib" "lib64" buildInputs)
+ ":$out/opt/${vivaldiName}/lib";
buildPhase = ''
runHook preBuild
echo "Patching Vivaldi binaries"
for f in chrome_crashpad_handler vivaldi-bin vivaldi-sandbox ; do
patchelf \
--set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
--set-rpath "${libPath}" \
opt/${vivaldiName}/$f
done
for f in libGLESv2.so libqt5_shim.so ; do
patchelf --set-rpath "${libPath}" opt/${vivaldiName}/$f
done
'' + lib.optionalString proprietaryCodecs ''
ln -s ${vivaldi-ffmpeg-codecs}/lib/libffmpeg.so opt/${vivaldiName}/libffmpeg.so.''${version%\.*\.*}
'' + ''
echo "Finished patching Vivaldi binaries"
runHook postBuild
'';
dontPatchELF = true;
dontStrip = true;
installPhase = ''
runHook preInstall
mkdir -p "$out"
cp -r opt "$out"
mkdir "$out/bin"
ln -s "$out/opt/${vivaldiName}/${vivaldiName}" "$out/bin/vivaldi"
mkdir -p "$out/share"
cp -r usr/share/{applications,xfce4} "$out"/share
substituteInPlace "$out"/share/applications/*.desktop \
--replace /usr/bin/${vivaldiName} "$out"/bin/vivaldi
substituteInPlace "$out"/share/applications/*.desktop \
--replace vivaldi-stable vivaldi
local d
for d in 16 22 24 32 48 64 128 256; do
mkdir -p "$out"/share/icons/hicolor/''${d}x''${d}/apps
ln -s \
"$out"/opt/${vivaldiName}/product_logo_''${d}.png \
"$out"/share/icons/hicolor/''${d}x''${d}/apps/vivaldi.png
done
wrapProgram "$out/bin/vivaldi" \
--add-flags ${lib.escapeShellArg commandLineArgs} \
--add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto --enable-features=WaylandWindowDecorations}}" \
--set-default FONTCONFIG_FILE "${fontconfig.out}/etc/fonts/fonts.conf" \
--set-default FONTCONFIG_PATH "${fontconfig.out}/etc/fonts" \
--suffix XDG_DATA_DIRS : ${gtk3}/share/gsettings-schemas/${gtk3.name}/ \
${lib.optionalString enableWidevine "--suffix LD_LIBRARY_PATH : ${libPath}"}
'' + lib.optionalString enableWidevine ''
ln -sf ${widevine-cdm}/share/google/chrome/WidevineCdm $out/opt/${vivaldiName}/WidevineCdm
'' + ''
runHook postInstall
'';
passthru.updateScript = ./update-vivaldi.sh;
meta = with lib; {
description = "Browser for our Friends, powerful and personal";
homepage = "https://vivaldi.com";
license = licenses.unfree;
sourceProvenance = with sourceTypes; [ binaryNativeCode ];
mainProgram = "vivaldi";
maintainers = with maintainers; [ otwieracz badmutex ];
platforms = [ "x86_64-linux" "aarch64-linux" ];
};
}

32
nixos/overlays/vivaldi/ffmpeg-codecs.nix
View file

@ -1,32 +0,0 @@
{ squashfsTools, fetchurl, lib, stdenv }:
# This derivation roughly follows the update-ffmpeg script that ships with the official Vivaldi
# downloads at https://vivaldi.com/download/
stdenv.mkDerivation rec {
pname = "chromium-codecs-ffmpeg-extra";
version = "115541";
src = fetchurl {
url = "https://api.snapcraft.io/api/v1/snaps/download/XXzVIXswXKHqlUATPqGCj2w2l7BxosS8_41.snap";
hash = "sha256-a1peHhku+OaGvPyChvLdh6/7zT+v8OHNwt60QUq7VvU=";
};
buildInputs = [ squashfsTools ];
unpackPhase = ''
unsquashfs -dest . $src
'';
installPhase = ''
install -vD chromium-ffmpeg-${version}/chromium-ffmpeg/libffmpeg.so $out/lib/libffmpeg.so
'';
meta = with lib; {
description = "Additional support for proprietary codecs for Vivaldi";
homepage = "https://ffmpeg.org/";
sourceProvenance = with sourceTypes; [ binaryNativeCode ];
license = licenses.lgpl21;
maintainers = with maintainers; [ betaboon cawilliamson fptje ];
platforms = [ "x86_64-linux" ];
};
}

15
nixos/overlays/vivaldi/update-vivaldi.sh
View file

@ -1,15 +0,0 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p curl common-updater-scripts
set -eu -o pipefail
version=$(curl -sS https://vivaldi.com/download/ | sed -rne 's/.*vivaldi-stable_([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)-1_amd64\.deb.*/\1/p')
update_hash() {
url="https://downloads.vivaldi.com/stable/vivaldi-stable_$version-1_$2.deb"
hash=$(nix hash to-sri --type sha256 $(nix-prefetch-url --type sha256 "$url"))
update-source-version vivaldi "$version" "$hash" --system=$1 --ignore-same-version
}
update_hash aarch64-linux arm64
update_hash x86_64-linux amd64

47
nixos/overlays/vivaldi/update.sh
View file

@ -1,47 +0,0 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p libarchive curl common-updater-scripts
set -eu -o pipefail
cd "$(dirname "${BASH_SOURCE[0]}")"
root=../../../../..
export NIXPKGS_ALLOW_UNFREE=1
version() {
(cd "$root" && nix-instantiate --eval --strict -A "$1.version" | tr -d '"')
}
vivaldi_version_old=$(version vivaldi)
vivaldi_version=$(curl -sS https://vivaldi.com/download/ | sed -rne 's/.*vivaldi-stable_([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)-1_amd64\.deb.*/\1/p')
if [[ ! "$vivaldi_version" = "$vivaldi_version_old" ]]; then
echo "vivaldi is not up-to-date, not updating codecs"
(cd "$root" && nix-shell maintainers/scripts/update.nix --argstr package vivaldi)
exit
fi
echo "vivaldi is up-to-date, updating codecs"
# Download vivaldi and save file path.
url="https://downloads.vivaldi.com/stable/vivaldi-stable_${vivaldi_version}-1_amd64.deb"
mapfile -t prefetch < <(nix-prefetch-url --print-path "$url")
path=${prefetch[1]}
nixpkgs="$(git rev-parse --show-toplevel)"
default_nix="$nixpkgs/pkgs/applications/networking/browsers/vivaldi/default.nix"
ffmpeg_nix="$nixpkgs/pkgs/applications/networking/browsers/vivaldi/ffmpeg-codecs.nix"
# Check vivaldi-ffmpeg-codecs version.
chromium_version_old=$(version vivaldi-ffmpeg-codecs)
ffmpeg_update_script=$(bsdtar xOf "$path" data.tar.xz | bsdtar xOf - ./opt/vivaldi/update-ffmpeg)
chromium_version=$(sed -rne 's/^FFMPEG_VERSION_DEB\=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/p' <<< $ffmpeg_update_script)
download_subdir=$(sed -rne 's/.*FFMPEG_URL_DEB\=https:\/\/launchpadlibrarian\.net\/([0-9]+)\/.*_amd64\.deb/\1/p' <<< $ffmpeg_update_script)
if [[ "$chromium_version" != "$chromium_version_old" ]]; then
# replace the download prefix
sed -i $ffmpeg_nix -e "s/\(https:\/\/launchpadlibrarian\.net\/\)[0-9]\+/\1$download_subdir/g"
(cd "$root" && update-source-version vivaldi-ffmpeg-codecs "$chromium_version")
git add "${ffmpeg_nix}"
git commit -m "vivaldi-ffmpeg-codecs: $chromium_version_old -> $chromium_version"
fi

13
nixos/overlays/warp-terminal/default.nix Normal file
View file

@ -0,0 +1,13 @@
{ lib, ...}:
let
versions = lib.importJSON ./versions.json;
in
final: prev: {
warp-terminal = prev.warp-terminal.overrideAttrs (oldAttrs: {
inherit (versions.linux) version;
src = prev.fetchurl {
url = "https://releases.warp.dev/stable/v${versions.linux.version}/warp-terminal-v${versions.linux.version}-1-x86_64.pkg.tar.zst";
inherit (versions.linux) hash;
};
});
}

Some files were not shown because too many files have changed in this diff Show more