ahuston-0/nix-dotfiles
1
0
Fork 0
Code Issues Pull Requests 3 Actions Packages Projects Releases Wiki Activity

Compare commits

base: ahuston-0:4548914209564aeff32627cbd4483350e5bd3556
Branches Tags
ahuston-0:main ahuston-0:update-flake-lock ahuston-0:feature/add-parthenon ahuston-0:ahuston-0-patch-2 ahuston-0:feature/add-pc ahuston-0:feature/add-jessica ahuston-0:feature/gitea-minio ahuston-0:feature/ftb-app ahuston-0:feature/hetzner-bridge ahuston-0:feature/setting-up-greylog ahuston-0:feature/build-cache ahuston-0:hotfix/zfs-import ahuston-0:feature/add-unpackerr ahuston-0:feature/pscsd-yubikey ahuston-0:feature/overseerr ahuston-0:feature/onboarding-kubernetes
..
compare: ahuston-0:feature/onboarding-kubernetes
Branches Tags
ahuston-0:update-flake-lock ahuston-0:main ahuston-0:feature/add-parthenon ahuston-0:ahuston-0-patch-2 ahuston-0:feature/add-pc ahuston-0:feature/add-jessica ahuston-0:feature/gitea-minio ahuston-0:feature/ftb-app ahuston-0:feature/hetzner-bridge ahuston-0:feature/setting-up-greylog ahuston-0:feature/build-cache ahuston-0:hotfix/zfs-import ahuston-0:feature/add-unpackerr ahuston-0:feature/pscsd-yubikey ahuston-0:feature/overseerr ahuston-0:feature/onboarding-kubernetes

13 Commits
4548914209 ... feature/on

Author SHA1 Message Date
ahuston-0
6957d062c5 creating kubnet-accuse 
Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
 2024-08-06 20:03:52 -04:00
ahuston-0
30c8441848 move mkDefault down into the enable level 
Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
 2024-08-06 20:03:52 -04:00
ahuston-0
ea8c5ca025 move vm net config to separate module 
Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
 2024-08-06 20:03:52 -04:00
ahuston-0
d29b2ecbab add guest network (now with custom mac address generators!) 
Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
 2024-08-06 20:03:52 -04:00
ahuston-0
cc702cb5fe open firewall for ssh 
Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
 2024-08-06 20:03:52 -04:00
ahuston-0
327895435b test disabling k3s server 
Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
 2024-08-06 20:03:52 -04:00
ahuston-0
23fc7d2667 add journal merging and ssh 
Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
 2024-08-06 20:03:52 -04:00
ahuston-0
eba9d9c4cd idek what i did to fix this 
Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
 2024-08-06 20:03:52 -04:00
ahuston-0
1c596593ca try to fix attrset generation 
Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
 2024-08-06 20:03:52 -04:00
ahuston-0
9985fc8778 initialize k3s templates 
Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
 2024-08-06 20:03:52 -04:00
ahuston-0
3a61c7522d add basic guest config (warning CI is definitely failing lol) 
Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
 2024-08-06 20:03:51 -04:00
ahuston-0
45610cb886 microvm host is stable (for now) 
- per-system default.nix now inherits the source tree via `src` (this
allows modules to be optionally imported from `modules/opt/`)
- adds a default config for microvm hosts
  - enables systemd-networkd by default
  - allows passing in vms
  - binds vm nix-store to host nix-store
  - allows merging systemd jounals
- adds microvms to palatine-hill

Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
 2024-08-06 20:03:51 -04:00
ahuston-0
f9d31cba65 add microvms, and try to set up basics 
Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
 2024-08-06 20:03:51 -04:00
193 changed files with 4490 additions and 4704 deletions
Expand all files Collapse all files

9
.gitconfig
View File

@@ -1,11 +1,6 @@
# run `grep -Pv "^#" .gitconfig >> .git/config` to append the merge config to your repo file :)
# run `git mergetool --tool=sops-mergetool <path to secret>/secrets.yaml` to use this once configured
# if for whatever reason the below doesn't work, try modifying the mergetool command as below
# find: $(git rev-parse --show-toplevel)/utils/sops-mergetool.sh
# replace: ./utils/sops-mergetool.sh
[mergetool "sops-mergetool"]
cmd = bash -c "$(git rev-parse --show-toplevel)/utils/sops-mergetool.sh \"\$BASE\" \"\$LOCAL\" \"\$REMOTE\" \"\$MERGED\""
cmd = bash -c "$(git --exec-path)/sops-mergetool.sh \"$BASE\" \"$LOCAL\" \"$REMOTE\" \"$MERGED\""
[merge]
tool = nvimdiff
[mergetool "nvimdiff"]
layout = MERGED
tool = nvimdiff3

331
.github/settings.yml vendored
View File

@@ -1,173 +1,204 @@
# Have borrowed this config from nix-community/infra
repository:
# See https://developer.github.com/v3/repos/#edit for all available settings.
# See https://developer.github.com/v3/repos/#edit for all available settings.
# The name of the repository. Changing this will rename the repository
name: nix-dotfiles
# A short description of the repository that will show up on GitHub
description: RAD-Dev Infra
# A URL with more information about the repository
# homepage: "https://nix-community.org"
# The name of the repository. Changing this will rename the repository
name: nix-dotfiles
# A short description of the repository that will show up on GitHub
description: RAD-Dev Infra
# A URL with more information about the repository
# homepage: "https://nix-community.org"
# A comma-separated list of topics to set on the repository
topics: "nixos"
# Either `true` to make the repository private, or `false` to make it public.
private: false
# Either `true` to enable issues for this repository, `false` to disable them.
has_issues: true
# Either `true` to enable projects for this repository, or `false` to disable them.
# If projects are disabled for the organization, passing `true` will cause an API error.
has_projects: true
# Either `true` to enable the wiki for this repository, `false` to disable it.
has_wiki: false
# Either `true` to enable downloads for this repository, `false` to disable them.
has_downloads: false
# Updates the default branch for this repository.
default_branch: main
# Either `true` to allow squash-merging pull requests, or `false` to prevent
# squash-merging.
allow_squash_merge: true
# Either `true` to allow merging pull requests with a merge commit, or `false`
# to prevent merging pull requests with merge commits.
allow_merge_commit: false
# Either `true` to allow rebase-merging pull requests, or `false` to prevent
# rebase-merging.
allow_rebase_merge: true
# Either `true` to enable automatic deletion of branches on merge, or `false` to disable
delete_branch_on_merge: true
# Either `true` to enable automated security fixes, or `false` to disable
# automated security fixes.
enable_automated_security_fixes: true
# Either `true` to enable vulnerability alerts, or `false` to disable
# vulnerability alerts.
enable_vulnerability_alerts: true
allow_auto_merge: true
# A comma-separated list of topics to set on the repository
topics: "nixos"
# Either `true` to make the repository private, or `false` to make it public.
private: false
# Either `true` to enable issues for this repository, `false` to disable them.
has_issues: true
# Either `true` to enable projects for this repository, or `false` to disable them.
# If projects are disabled for the organization, passing `true` will cause an API error.
has_projects: true
# Either `true` to enable the wiki for this repository, `false` to disable it.
has_wiki: false
# Either `true` to enable downloads for this repository, `false` to disable them.
has_downloads: false
# Updates the default branch for this repository.
default_branch: main
# Either `true` to allow squash-merging pull requests, or `false` to prevent
# squash-merging.
allow_squash_merge: true
# Either `true` to allow merging pull requests with a merge commit, or `false`
# to prevent merging pull requests with merge commits.
allow_merge_commit: false
# Either `true` to allow rebase-merging pull requests, or `false` to prevent
# rebase-merging.
allow_rebase_merge: true
# Either `true` to enable automatic deletion of branches on merge, or `false` to disable
delete_branch_on_merge: true
# Either `true` to enable automated security fixes, or `false` to disable
# automated security fixes.
enable_automated_security_fixes: true
# Either `true` to enable vulnerability alerts, or `false` to disable
# vulnerability alerts.
enable_vulnerability_alerts: true
allow_auto_merge: true
# Labels: define labels for Issues and Pull Requests
#
labels:
- name: bug
color: '#d73a4a'
description: Something isn't working
- name: CI/CD
# If including a `#`, make sure to wrap it with quotes!
color: '#0e8a16'
description: Related to GH Actions or Hydra
- name: documentation
color: '#0075ca'
description: Improvements or additions to documentation
- name: duplicate
color: '#cfd3d7'
description: This issue or pull request already exists
- name: enhancement
color: '#a2eeef'
description: New feature or request
- name: good first issue
color: '#7057ff'
description: Good for newcomers
- name: help wanted
color: '#008672'
description: Extra attention is needed
- name: high priority
color: '#BF480A'
description: A major vurnability was detected
- name: invalid
color: '#e4e669'
description: This doesn't seem right
- name: new user
color: '#C302A1'
description: A new user was added to the Flake
- name: question
color: '#d876e3'
description: Further information is requested
- name: wontfix
color: '#ffffff'
description: This will not be worked on
- name: dependencies
color: '#cb4ed5'
description: Used for PR's related to flake.lock updates
- name: automated
color: '#42b528'
description: PR was automatically generated (through a bot or CI/CD)
- name: bug
color: '#d73a4a'
description: Something isn't working
- name: CI/CD
# If including a `#`, make sure to wrap it with quotes!
color: '#0e8a16'
description: Related to GH Actions or Hydra
- name: documentation
color: '#0075ca'
description: Improvements or additions to documentation
- name: duplicate
color: '#cfd3d7'
description: This issue or pull request already exists
- name: enhancement
color: '#a2eeef'
description: New feature or request
- name: good first issue
color: '#7057ff'
description: Good for newcomers
- name: help wanted
color: '#008672'
description: Extra attention is needed
- name: high priority
color: '#BF480A'
description: A major vurnability was detected
- name: invalid
color: '#e4e669'
description: This doesn't seem right
- name: new user
color: '#C302A1'
description: A new user was added to the Flake
- name: question
color: '#d876e3'
description: Further information is requested
- name: wontfix
color: '#ffffff'
description: This will not be worked on
- name: dependencies
color: '#cb4ed5'
description: Used for PR's related to flake.lock updates
- name: automated
color: '#42b528'
description: PR was automatically generated (through a bot or CI/CD)
# Milestones: define milestones for Issues and Pull Requests
milestones:
- title: Go-Live
description: >-
All requirements for official go-live: - Automated testing via Hydra/Actions - Automated deployments via Hydra/Actions - 90+% testing coverage - Functional formatter with custom rules - palatine-hill is fully stable, enough so that jeeves can be migrated
# The state of the milestone. Either `open` or `closed`
state: open
- title: Jeeves Migration
description: >-
Test common use-cases for Jeeves - Quadro GPU support - Multi-GPU support - Plex support - Docker support - ZFS support
- title: Go-Live
description: >-
All requirements for official go-live:
- Automated testing via Hydra/Actions
- Automated deployments via Hydra/Actions
- 90+% testing coverage
- Functional formatter with custom rules
- palatine-hill is fully stable, enough so that jeeves can be migrated
# The state of the milestone. Either `open` or `closed`
state: open
- title: Jeeves Migration
description: >-
Test common use-cases for Jeeves
- Quadro GPU support
- Multi-GPU support
- Plex support
- Docker support
- ZFS support
# Collaborators: give specific users access to this repository.
# See https://docs.github.com/en/rest/reference/repos#add-a-repository-collaborator for available options
collaborators:
# - username: numtide-bot
# Note: `permission` is only valid on organization-owned repositories.
# The permission to grant the collaborator. Can be one of:
# * `pull` - can pull, but not push to or administer this repository.
# * `push` - can pull and push, but not administer this repository.
# * `admin` - can pull, push and administer this repository.
# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
# permission: push
# - username: numtide-bot
# Note: `permission` is only valid on organization-owned repositories.
# The permission to grant the collaborator. Can be one of:
# * `pull` - can pull, but not push to or administer this repository.
# * `push` - can pull and push, but not administer this repository.
# * `admin` - can pull, push and administer this repository.
# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
# permission: push
# See https://docs.github.com/en/rest/reference/teams#add-or-update-team-repository-permissions for available options
teams:
# - name: admin
# The permission to grant the team. Can be one of:
# * `pull` - can pull, but not push to or administer this repository.
# * `push` - can pull and push, but not administer this repository.
# * `admin` - can pull, push and administer this repository.
# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
# permission: admin
# - name: admin
# The permission to grant the team. Can be one of:
# * `pull` - can pull, but not push to or administer this repository.
# * `push` - can pull and push, but not administer this repository.
# * `admin` - can pull, push and administer this repository.
# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
# permission: admin
branches:
# gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection
# gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection
# not available in the api yet
# `Require merge queue`: true
# `Merge method`: Rebase and merge
# `Maximum pull requests to build`: 1
# `Maximum pull requests to merge`: 1
# defaults:
# `Maximum pull requests to build`: 5
# `Minimum pull requests to merge`: 1 or 5 minutes
# `Maximum pull requests to merge`: 5
# `Only merge non-failing pull requests`: true
# `Consider check failed after`: 60 minutes
- name: main
# https://docs.github.com/en/rest/reference/repos#update-branch-protection
# Branch Protection settings. Set to null to disable
protection:
# Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
# not available in the api yet
# `Require merge queue`: true
# `Merge method`: Rebase and merge
# `Maximum pull requests to build`: 1
# `Maximum pull requests to merge`: 1
# defaults:
# `Maximum pull requests to build`: 5
# `Minimum pull requests to merge`: 1 or 5 minutes
# `Maximum pull requests to merge`: 5
# `Only merge non-failing pull requests`: true
# `Consider check failed after`: 60 minutes
# these settings are the same as manually enabling "Require a pull request before merging" but not setting any other restrictions
required_pull_request_reviews:
# # The number of approvals required. (1-6)
required_approving_review_count: 1
# # Dismiss approved reviews automatically when a new commit is pushed.
dismiss_stale_reviews: true
# # Blocks merge until code owners have reviewed.
require_code_owner_reviews: false
# # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
# dismissal_restrictions:
# users: []
# teams: []
require_last_push_approval: false
# Required. Require status checks to pass before merging. Set to null to disable
# required_status_checks:
- name: main
# https://docs.github.com/en/rest/reference/repos#update-branch-protection
# Branch Protection settings. Set to null to disable
protection:
# Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
# these settings are the same as manually enabling "Require a pull request before merging" but not setting any other restrictions
required_pull_request_reviews:
# # The number of approvals required. (1-6)
required_approving_review_count: 1
# # Dismiss approved reviews automatically when a new commit is pushed.
dismiss_stale_reviews: true
# # Blocks merge until code owners have reviewed.
require_code_owner_reviews: false
# # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
# dismissal_restrictions:
# users: []
# teams: []
require_last_push_approval: false
# Required. Require status checks to pass before merging. Set to null to disable
# required_status_checks:
# Required. Require branches to be up to date before merging.
# strict: false
# Required. The list of status checks to require in order to merge into this branch
# contexts:
# - buildbot/nix-eval
# Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
enforce_admins: true
# Disabled for bors to work
required_linear_history: true
# Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
restrictions:
apps: []
# TODO: make a buildbot instance
# users: ["nix-infra-bot"]
teams: []
# Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
enforce_admins: true
# Disabled for bors to work
required_linear_history: true
# Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
restrictions:
apps: []
# TODO: make a buildbot instance
# users: ["nix-infra-bot"]
teams: []

55
.github/workflows/flake-health-checks.yml vendored
View File

@@ -1,41 +1,20 @@
name: "Check Nix flake"
on:
push:
branches: ["main"]
pull_request:
branches: ["main"]
merge_group:
push:
branches: ["main"]
pull_request:
branches: ["main"]
merge_group:
jobs:
health-check:
name: "Perform Nix flake checks"
runs-on: ubuntu-latest
steps:
- uses: DeterminateSystems/nix-installer-action@main
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- uses: actions/checkout@v4
- run: nix flake check --accept-flake-config
- run: nix ./utils/attic-push.bash
# build-checks:
# name: "Build nix outputs"
# runs-on: ubuntu-latest
# steps:
# - uses: DeterminateSystems/nix-installer-action@main
# - name: Setup Attic cache
# uses: ryanccn/attic-action@v0
# with:
# endpoint: ${{ secrets.ATTIC_ENDPOINT }}
# cache: ${{ secrets.ATTIC_CACHE }}
# token: ${{ secrets.ATTIC_TOKEN }}
# skip-push: "true"
# - uses: actions/checkout@v4
# - name: Build all outputs
# run: nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --build .
# - name: Push to Attic
# run: nix ./utils/attic-push.bash
# continue-on-error: true
health-check:
name: "Perform Nix flake checks"
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest]
steps:
- uses: DeterminateSystems/nix-installer-action@main
- uses: DeterminateSystems/magic-nix-cache-action@main
- uses: actions/checkout@v4
- run: nix flake check --accept-flake-config

163
.github/workflows/flake-update.yml vendored
View File

@@ -1,112 +1,67 @@
name: "Update flakes"
on:
repository_dispatch:
workflow_dispatch:
schedule:
- cron: "00 12 * * *"
repository_dispatch:
workflow_dispatch:
schedule:
- cron: "00 12 * * *"
jobs:
update_lockfile:
runs-on: ubuntu-latest
#if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install nix
uses: https://github.com/DeterminateSystems/nix-installer-action@main
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- name: Get pre-snapshot of evaluations
run: nix ./utils/eval-to-drv.sh pre
- name: Update flake.lock
id: update
run: |
nix flake update 2> >(tee /dev/stderr) | awk '
/^• Updated input/ {in_update = 1; print; next}
in_update && !/^warning:/ {print}
/^$/ {in_update = 0}
' > update.log
createPullRequest:
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main
steps:
- uses: actions/checkout@v4
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Install Nix
uses: cachix/install-nix-action@v24
with:
extra_nix_config: |
experimental-features = nix-command flakes
install_url: https://releases.nixos.org/nix/nix-2.19.0/install
- uses: DeterminateSystems/magic-nix-cache-action@main
- name: Calculate pre-drv
run: nix ./utils/eval-to-drv.sh pre
- name: Pull latest docker images
run: nix ./utils/fetch-docker.sh
- name: Update flake.lock (part 1)
run: nix flake update
- name: Calculate post-drv
run: nix ./utils/eval-to-drv.sh post
- name: Calculate diff
run: nix ./utils/diff-evals.sh
- name: Read diff into environment
run: |
delimiter="$(openssl rand -hex 8)"
{
echo "POSTDIFF<<${delimiter}"
cat post-diff
echo "${delimiter}"
} >> $GITHUB_ENV
echo "UPDATE_LOG<<EOF" >> $GITHUB_ENV
cat update.log >> $GITHUB_ENV
echo "EOF" >> $GITHUB_ENV
rm update.log
- name: Get post-snapshot of evaluations
run: nix ./utils/eval-to-drv.sh post
- name: Calculate diff
run: nix ./utils/diff-evals.sh
- name: Read file contents
id: read_file
uses: guibranco/github-file-reader-action-v2@latest
with:
path: "post-diff"
- name: Write PR body template
uses: https://github.com/DamianReeves/write-file-action@v1.3
with:
path: pr_body.template
contents: |
- The following Nix Flake inputs were updated:
- name: Restore flake.lock for next step
run: git restore flake.lock
- name: Update flake.lock
id: update
uses: DeterminateSystems/update-flake-lock@main
with:
token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
pr-body: |
Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action.
```
${{ env.UPDATE_LOG }}
```
```
{{ env.GIT_COMMIT_MESSAGE }}
```
```
${{ steps.read_file.outputs.contents }}
```
Auto-generated by [update.yml][1] with the help of
[create-pull-request][2].
[1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml
[2]: https://forgejo.stefka.eu/jiriks74/create-pull-request
- name: Generate PR body
uses: pedrolamas/handlebars-action@v2.4.0 # v2.4.0
with:
files: "pr_body.template"
output-filename: "pr_body.md"
- name: Save PR body
id: pr_body
uses: juliangruber/read-file-action@v1
with:
path: "pr_body.md"
- name: Remove temporary files
run: |
rm pr_body.template
rm pr_body.md
rm pre.json
rm post.json
rm post-diff
- name: Create Pull Request
id: create-pull-request
# uses: https://forgejo.stefka.eu/jiriks74/create-pull-request@7174d368c2e4450dea17b297819eb28ae93ee645
uses: https://nayeonie.com/ahuston-0/create-pull-request@main
with:
token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
body: ${{ steps.pr_body.outputs.content }}
author: '"github-actions[bot]" <github-actions[bot]@users.noreply.github.com>'
title: 'automated: Update `flake.lock`'
commit-message: |
automated: Update `flake.lock`
${{ steps.pr_body.outputs.content }}
branch: update-flake-lock
delete-branch: true
pr-labels: | # Labels to be set on the PR
dependencies
automated
- name: Push to Attic
run: nix ./utils/attic-push.bash
continue-on-error: true
- name: Print PR number
run: |
echo "Pull request number is ${{ steps.create-pull-request.outputs.pull-request-number }}."
echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
```
{{ env.POSTDIFF }}
```
pr-labels: | # Labels to be set on the PR
dependencies
automated
permissions:
pull-requests: write
contents: write
pull-requests: write
contents: write

27
.github/workflows/lock-health-checks.yml vendored
View File

@@ -1,16 +1,17 @@
name: "Check flake.lock"
on:
push:
branches: ["main"]
pull_request:
branches: ["main"]
merge_group:
push:
branches: ["main"]
pull_request:
branches: ["main"]
merge_group:
jobs:
health-check:
name: "Check health of `flake.lock`"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: DeterminateSystems/flake-checker-action@main
with:
fail-mode: true
health-check:
name: "Check health of `flake.lock`"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: DeterminateSystems/flake-checker-action@main
with:
fail-mode: true

36
.github/workflows/nix-fmt.yml vendored
View File

@@ -1,25 +1,17 @@
name: "Check Nix formatting"
on:
push:
branches: ["main"]
pull_request:
branches: ["main"]
merge_group:
push:
branches: ["main"]
pull_request:
branches: ["main"]
merge_group:
jobs:
health-check:
name: "Perform Nix format checks"
runs-on: ubuntu-latest
steps:
- uses: DeterminateSystems/nix-installer-action@main
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- uses: actions/checkout@v4
- run: nix fmt -- --check .
- name: Push to Attic
run: nix ./utils/attic-push.bash
continue-on-error: true
health-check:
name: "Perform Nix format checks"
runs-on: ubuntu-latest
steps:
- uses: DeterminateSystems/nix-installer-action@main
- uses: DeterminateSystems/magic-nix-cache-action@main
- uses: actions/checkout@v4
- run: nix fmt -- --check .

115
.sops.yaml
View File

@@ -1,46 +1,85 @@
keys:
# The PGP keys in keys/
- &admin_alice 5EFFB75F7C9B74EAA5C4637547940175096C1330
# Generate AGE keys from SSH keys with:
# ssh-keygen -A
# nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
# cspell:disable
- &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
- &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
#- &palatine-hill age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
- &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
# cspell:enable
# The PGP keys in keys/
- &admin_alice F63832C3080D6E1AC77EECF80B4245FFE305BC82
- &admin_richie 29F5017C95D9E60B1B1E8407072B0E0B8312DFE3
# Generate AGE keys from SSH keys with:
# ssh-keygen -A
# nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
# cspell:disable
- &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
- &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
- &bob age13jg97cvy63fzd2ccthcwvfyyxzw5vmwun8s0afq5l4xm0mhl6pjqhne063
- &jeeves age128ehc0ssgwnuv4r8ayfyu7r80e82xrkmv63g7h9y9q4mhk4w9dyqfymc2w
- &jeeves-jr age1lffr5f5nz0nrenv3ekgy27e8sztsx4gfp3hfymkz77mqaa5a4gts0ncrrh
- &palatine-hill age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
- &rhapsody-in-green age1c7adjulcrma0m7l5ur8efxdjzyskrqcwssfkt77a9rmma7gzss5q02pgmy
# cspell:enable
admins: &admins
- *admin_alice
- *admin_richie
servers: &servers
- *palatine-hill
- *jeeves
- *jeeves-jr
- *palatine-hill
# add new users by executing: sops users/<user>/secrets.yaml
# then have someone already in the repo run the below
#
# update keys by executing: sops updatekeys secrets.yaml
# note: add .* before \.yaml if you'd like to use the mergetool config
creation_rules:
- path_regex: users/alice/secrets.*\.yaml$
key_groups:
- pgp:
- *admin_alice
age:
- *palatine-hill
- *artemision
- *artemision-home
- path_regex: systems/palatine-hill/secrets.*\.yaml$
key_groups:
- pgp:
- *admin_alice
age:
- *palatine-hill
- path_regex: systems/artemision/secrets.*\.yaml$
key_groups:
- pgp:
- *admin_alice
age:
- *artemision
- path_regex: systems/palatine-hill/docker/wg/.*\.conf$
key_groups:
- pgp:
- *admin_alice
age:
- *palatine-hill
- path_regex: systems/jeeves/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *jeeves
- path_regex: systems/jeeves-jr/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *jeeves-jr
- path_regex: users/alice/secrets.*\.yaml$
key_groups:
- pgp:
- *admin_alice
age:
- *palatine-hill
- *jeeves
- *jeeves-jr
- *artemision
- *artemision-home
- path_regex: systems/palatine-hill/secrets.*\.yaml$
key_groups:
- pgp: *admins
age:
- *palatine-hill
- path_regex: systems/palatine-hill/keys/zfs-.*-key$
key_groups:
- pgp: *admins
age:
- *palatine-hill
- path_regex: systems/artemision/secrets.*\.yaml$
key_groups:
- pgp:
- *admin_alice
age:
- *artemision
- path_regex: users/richie/secrets\.yaml$
key_groups:
- pgp:
- *admin_richie
age:
- *palatine-hill
- *jeeves
- *jeeves-jr
- *rhapsody-in-green
- *bob

16
.vscode/settings.json vendored
View File

@@ -1,7 +1,5 @@
{
"cSpell.enableFiletypes": [
"nix"
],
"cSpell.enableFiletypes": ["nix"],
"cSpell.words": [
"aarch",
"abmlevel",
@@ -10,7 +8,6 @@
"acpid",
"adbusers",
"ahci",
"aioesphomeapi",
"alicehuston",
"alsa",
"amdgpu",
@@ -69,7 +66,6 @@
"enableemail",
"errorlens",
"esbenp",
"esphome",
"extest",
"fastforwardteam",
"FASTFOX",
@@ -94,7 +90,6 @@
"gamescope",
"globalprivacycontrol",
"gparted",
"gtts",
"healthreport",
"hexeditor",
"hicolor",
@@ -109,9 +104,7 @@
"hyprland",
"hyprwm",
"INITDB",
"ioit",
"iperf",
"isal",
"jmgilman",
"jnoortheen",
"jobset",
@@ -122,6 +115,7 @@
"keyserver",
"keyservers",
"KRNL",
"kubnet",
"kuma",
"libexec",
"libglvnd",
@@ -139,6 +133,7 @@
"markdownlint",
"mechatroner",
"mediainfo",
"microvm",
"modesetting",
"mousewheel",
"mpris",
@@ -172,7 +167,6 @@
"optimumwifi",
"optoutstudies",
"overscroll",
"overseerr",
"oxalica",
"pavucontrol",
"pbmode",
@@ -190,13 +184,11 @@
"PRIVOXY",
"prowlarr",
"proxychains",
"prusa",
"psycopg",
"PUID",
"pulseaudio",
"punycode",
"pylance",
"pymetno",
"qbit",
"qbittorrent",
"qbittorrentvpn",
@@ -234,7 +226,6 @@
"sponsorblock",
"spotifyd",
"sqltools",
"ssdp",
"sshconfig",
"stdenv",
"subresource",
@@ -281,7 +272,6 @@
"xhci",
"xwayland",
"yzhang",
"zeroconf",
"zerotier",
"zerotierone",
"zhaofengli",

18
docs/CONTRIBUTING.md
View File

@@ -40,12 +40,12 @@ and will eventually trip a check when merging to main.
| Branch Name | Use Case |
|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| main | protected branch which all machines pull from, do not try to push directly |
| feature/\<item> | \<item> is a new feature added to the repo, for personal or common use |
| fixup/\<item> | \<item> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical |
| hotfix/\<item> | \<item> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process |
| urgent/\<item> | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues |
| exp/\<item> | \<item> is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches |
| merge/\<item> | \<item> is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch |
| feature/\<item\> | \<item\> is a new feature added to the repo, for personal or common use |
| fixup/\<item\> | \<item\> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical |
| hotfix/\<item\> | \<item\> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process |
| urgent/\<item\> | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues |
| exp/\<item\> | \<item\> is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches |
| merge/\<item\> | \<item\> is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch |
### Review Process
@@ -94,11 +94,11 @@ rules.
PR has been tested on at least one machine
- Issues which bypass the quorum process must have a second reviewer tagged
- All critical issues which bypass the approval process must have an RCA issue
opened and the RCA logged into the `inc/` folder
opened and the RCA logged into the `inc/` folder
- The second reviewer has 2 weeks to retroactively review and approve the PR
- If the retro does not happen in the given window, an issue shall be opened
to either re-review the PR or to revert and replace the fix with a
permanent solution
to either re-review the PR or to revert and replace the fix with a
permanent solution
- Critical issues must be tagged to `Nix Flake Features` project, and must have
a priority of `High` and an estimate tagged. Start and end date are not needed

118
docs/sample-setup.sh
View File

@@ -1,9 +1,9 @@
#!/usr/bin/env nix
#! nix shell nixpkgs#bash nixpkgs#git --command bash
set -o errexit # abort on nonzero exitstatus
set -o nounset # abort on unbound variable
set -o pipefail # don't hide errors within pipes
set -o errexit # abort on nonzero exitstatus
set -o nounset # abort on unbound variable
set -o pipefail # don't hide errors within pipes
PROCEED="N"
@@ -50,58 +50,60 @@ GITBASE="systems"
FEATUREBRANCH="feature/adding-$MACHINENAME"
if [ $PROCEED != "Y" ]; then
echo "PROCEED is not set correctly, please validate the below partitions and update the script accordingly"
lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
echo "PROCEED is not set correctly, please validate the below partitions and update the script accordingly"
lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
fi
if [ $CREATEPARTS = "Y" ]; then
# Create partition table
sudo parted "/dev/$DRIVE" -- mklabel gpt
# Create partition table
sudo parted "/dev/$DRIVE" -- mklabel gpt
# Create boot part
sudo parted "/dev/$DRIVE" -- mkpart ESP fat32 1MB 1024MB
sudo parted "/dev/$DRIVE" -- set 1 esp on
sudo mkfs.fat -F 32 -n NIXBOOT "/dev/${DRIVE}1"
# Create boot part
sudo parted "/dev/$DRIVE" -- mkpart ESP fat32 1MB 1024MB
sudo parted "/dev/$DRIVE" -- set 1 esp on
sudo mkfs.fat -F 32 -n NIXBOOT "/dev/${DRIVE}1"
# Create luks part
sudo parted "/dev/$DRIVE" -- mkpart primary ext4 1024MB 100%
sudo parted "/dev/$DRIVE" -- set 2 lvm on
# Create luks part
sudo parted "/dev/$DRIVE" -- mkpart primary ext4 1024MB 100%
sudo parted "/dev/$DRIVE" -- set 2 lvm on
LUKSPART="nixos-pv"
sudo cryptsetup luksFormat "/dev/${DRIVE}p2"
sudo cryptsetup luksOpen "/dev/${DRIVE}p2" "$LUKSPART"
LUKSPART="nixos-pv"
sudo cryptsetup luksFormat "/dev/${DRIVE}p2"
sudo cryptsetup luksOpen "/dev/${DRIVE}p2" "$LUKSPART"
# Create lvm part
sudo pvcreate "/dev/mapper/$LUKSPART"
sudo pvresize "/dev/mapper/$LUKSPART"
sudo pvdisplay
# Create lvm part
sudo pvcreate "/dev/mapper/$LUKSPART"
sudo pvresize "/dev/mapper/$LUKSPART"
sudo pvdisplay
# Create volume group
sudo vgcreate "$VOLGROUP" "/dev/mapper/$LUKSPART"
sudo vgchange -a y "$VOLGROUP"
sudo vgdisplay
# Create volume group
sudo vgcreate "$VOLGROUP" "/dev/mapper/$LUKSPART"
sudo vgchange -a y "$VOLGROUP"
sudo vgdisplay
# Create swap part on LVM
if [ $SWAPSIZE != 0 ]; then
sudo lvcreate -L "$SWAPSIZE" "$VOLGROUP" -n swap
sudo mkswap -L NIXSWAP -c "$SWAPPATH"
fi
# Create swap part on LVM
if [ $SWAPSIZE != 0 ]; then
sudo lvcreate -L "$SWAPSIZE" "$VOLGROUP" -n swap
sudo mkswap -L NIXSWAP -c "$SWAPPATH"
fi
# Create home part on LVM, leaving plenty of room for snapshots
sudo lvcreate -l 50%FREE "$VOLGROUP" -n home
sudo mkfs.ext4 -L NIXHOME -c "$HOMEPATH"
# Create home part on LVM, leaving plenty of room for snapshots
sudo lvcreate -l 50%FREE "$VOLGROUP" -n home
sudo mkfs.ext4 -L NIXHOME -c "$HOMEPATH"
# Create root part on LVM, keeping in mind most data will be on /home or /nix
sudo lvcreate -L 5G "$VOLGROUP" -n root
sudo mkfs.ext4 -L NIXROOT -c "$ROOTPATH"
# Create root part on LVM, keeping in mind most data will be on /home or /nix
sudo lvcreate -L 5G "$VOLGROUP" -n root
sudo mkfs.ext4 -L NIXROOT -c "$ROOTPATH"
# Create nix part on LVM
sudo lvcreate -L 100G "$VOLGROUP" -n nix-store
sudo mkfs.ext4 -L NIXSTORE -c "$NIXSTOREPATH"
# Create nix part on LVM
sudo lvcreate -L 100G "$VOLGROUP" -n nix-store
sudo mkfs.ext4 -L NIXSTORE -c "$NIXSTOREPATH"
sudo lvdisplay
sudo lvdisplay
lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
fi
# Mount partitions
@@ -114,7 +116,7 @@ sudo mount $BOOTPART /mnt/boot
# Enable swap if SWAPSIZE is non-zero
if [ $SWAPSIZE != 0 ]; then
sudo swapon "/dev/$VOLGROUP/swap"
sudo swapon "/dev/$VOLGROUP/swap"
fi
# Clone the repo
@@ -133,31 +135,31 @@ read -r -p "get this into github so you can check everything in, then hit enter
cat "$DOTS/id_ed25519_ghdeploy.pub"
if [ $SOPS == "Y" ]; then
# Create ssh host-keys
sudo ssh-keygen -A
sudo mkdir -p /mnt/etc/ssh
sudo cp "/etc/ssh/ssh_host_*" /mnt/etc/ssh
# Create ssh host-keys
sudo ssh-keygen -A
sudo mkdir -p /mnt/etc/ssh
sudo cp "/etc/ssh/ssh_host_*" /mnt/etc/ssh
# Get line where AGE comment is and insert new AGE key two lines down
AGELINE=$(grep "Generate AGE keys from SSH keys with" "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+2)}')
AGEKEY=$(nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age')
sudo sed -i "${AGELINE}i\\ - &${MACHINENAME} $AGEKEY\\" "$DOTS/.sops.yaml"
# Get line where AGE comment is and insert new AGE key two lines down
AGELINE=$(grep "Generate AGE keys from SSH keys with" "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+2)}')
AGEKEY=$(nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age')
sudo sed -i "${AGELINE}i\\ - &${MACHINENAME} $AGEKEY\\" "$DOTS/.sops.yaml"
# Add server name
SERVERLINE=$(grep 'servers: &servers' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
sudo sed -i "${SERVERLINE}i\\ - *${MACHINENAME}\\" "$DOTS/.sops.yaml"
# Add server name
SERVERLINE=$(grep 'servers: &servers' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
sudo sed -i "${SERVERLINE}i\\ - *${MACHINENAME}\\" "$DOTS/.sops.yaml"
# Add creation rules
CREATIONLINE=$(grep 'creation_rules' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
# TODO: below was not working when last attempted
read -r -d '' PATHRULE <<-EOF
# Add creation rules
CREATIONLINE=$(grep 'creation_rules' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
# TODO: below was not working when last attempted
read -r -d '' PATHRULE <<-EOF
- path_regex: $GITBASE/$MACHINENAME/secrets\.yaml$
key_groups:
- pgp: *$OWNERORADMINS
age:
- *$MACHINENAME
EOF
sudo sed -i "${CREATIONLINE}i\\${PATHRULE}\\" "$DOTS/.sops.yaml"
sudo sed -i "${CREATIONLINE}i\\${PATHRULE}\\" "$DOTS/.sops.yaml"
fi
read -r -p "press enter to continue"

821
flake.lock generated
View File

File diff suppressed because it is too large Load Diff

87
flake.nix
View File

@@ -1,21 +1,22 @@
{
description = "NixOS configuration for my machines";
description = "NixOS configuration for RAD-Development Servers";
nixConfig = {
substituters = [
"https://cache.nixos.org/?priority=1&want-mass-query=true"
"https://attic.alicehuston.xyz/cache-nix-dot?priority=4&want-mass-query=true"
"https://nix-community.cachix.org/?priority=10&want-mass-query=true"
"https://attic.nayeonie.com/nix-cache"
];
trusted-substituters = [
"https://cache.nixos.org"
"https://attic.alicehuston.xyz/cache-nix-dot"
"https://nix-community.cachix.org"
"https://attic.nayeonie.com/nix-cache"
];
trusted-public-keys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"cache.alicehuston.xyz:SJAm8HJVTWUjwcTTLAoi/5E1gUOJ0GWum2suPPv7CUo=%"
"cache-nix-dot:Od9KN34LXc6Lu7y1ozzV1kIXZa8coClozgth/SYE7dU="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"nix-cache:trR+y5nwpQHR4hystoogubFmp97cewkjWeqqbygRQRs="
];
trusted-users = [ "root" ];
};
@@ -24,21 +25,29 @@
flake-compat.url = "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz";
flake-parts.url = "github:hercules-ci/flake-parts";
nixos-hardware.url = "github:NixOS/nixos-hardware";
#nixpkgs.url = "github:nuschtos/nuschtpkgs/nixos-unstable";
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small";
#nixpkgs.url = "github:nixos/nixpkgs/1d2fe0135f360c970aee1d57a53f816f3c9bddae?narHash=sha256-Up7YlXIupmT7fEtC4Oj676M91INg0HAoamiswAsA3rc%3D";
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11";
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.05";
systems.url = "github:nix-systems/default";
# attic = {
# url = "github:zhaofengli/attic";
# inputs = {
# nixpkgs.follows = "nixpkgs";
# nixpkgs-stable.follows = "nixpkgs-stable";
# flake-compat.follows = "flake-compat";
# flake-parts.follows = "flake-parts";
# };
# };
arch_mirror = {
url = "github:RichieCahill/arch_mirror";
inputs.nixpkgs.follows = "nixpkgs";
};
attic = {
url = "github:zhaofengli/attic";
inputs = {
nixpkgs.follows = "nixpkgs";
nixpkgs-stable.follows = "nixpkgs-stable";
flake-compat.follows = "flake-compat";
flake-utils.follows = "flake-utils";
};
};
fenix = {
url = "github:nix-community/fenix";
inputs.nixpkgs.follows = "nixpkgs";
};
firefox-addons = {
url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
@@ -58,23 +67,33 @@
inputs.nixpkgs.follows = "nixpkgs";
};
hydra = {
url = "github:fx-chun/hydra/add-gitea-pulls";
inputs = {
nixpkgs.follows = "nixpkgs";
};
};
hyprland-contrib = {
url = "github:hyprwm/contrib";
inputs.nixpkgs.follows = "nixpkgs";
};
microvm = {
url = "github:astro/microvm.nix";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-utils.follows = "flake-utils";
};
};
nix = {
url = "github:NixOS/nix/latest-release";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-compat.follows = "flake-compat";
flake-parts.follows = "flake-parts";
git-hooks-nix.follows = "pre-commit-hooks";
};
};
nix-index-database = {
url = "github:Mic92/nix-index-database";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-generators = {
url = "github:nix-community/nixos-generators";
inputs.nixpkgs.follows = "nixpkgs";
@@ -92,6 +111,7 @@
url = "github:cachix/git-hooks.nix";
inputs = {
nixpkgs.follows = "nixpkgs";
nixpkgs-stable.follows = "nixpkgs-stable";
flake-compat.follows = "flake-compat";
};
};
@@ -107,15 +127,15 @@
url = "github:Mic92/sops-nix";
inputs = {
nixpkgs.follows = "nixpkgs";
nixpkgs-stable.follows = "nixpkgs-stable";
};
};
stylix = {
url = "github:danth/stylix";
server_tools = {
url = "github:RAD-Development/server_tools";
inputs = {
flake-compat.follows = "flake-compat";
home-manager.follows = "home-manager";
nixpkgs.follows = "nixpkgs";
flake-utils.follows = "flake-utils";
};
};
@@ -157,22 +177,17 @@
rec {
inherit lib; # for allowing use of custom functions in nix repl
#hydraJobs = import ./hydra/jobs.nix { inherit inputs outputs systems; };
hydraJobs = import ./hydra/jobs.nix { inherit inputs outputs systems; };
formatter = forEachSystem (system: nixpkgs.legacyPackages.${system}.nixfmt-rfc-style);
nixosConfigurations = genSystems inputs outputs src (src + "/systems");
nixosConfigurations = genSystems inputs src (src + "/systems");
images = {
install-iso = getImages nixosConfigurations "install-iso";
iso = getImages nixosConfigurations "iso";
qcow = getImages nixosConfigurations "qcow";
};
packages.x86_64-linux.lego-latest =
nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/lego-latest/default.nix
{ };
checks = import ./checks.nix { inherit inputs forEachSystem formatter; };
devShells = import ./shell.nix { inherit inputs forEachSystem checks; };
};
}

39
hydra/jobsets.nix
View File

@@ -1,4 +1,4 @@
{ pulls, ... }:
{ pulls, branches, ... }:
let
# create the json spec for the jobset
makeSpec =
@@ -18,7 +18,8 @@ let
};
prs = readJSONFile pulls;
# refs = readJSONFile branches;
refs = readJSONFile branches;
repo = "RAD-Development/nix-dotfiles";
# template for creating a job
makeJob =
@@ -43,27 +44,27 @@ let
emailoverride = "";
};
# # Create a hydra job for a branch
# jobOfRef =
# name:
# { ref, ... }:
# if ((builtins.match "^refs/heads/(.*)$" ref) == null) then
# null
# else
# {
# name = builtins.replaceStrings [ "/" ] [ "-" ] "branch-${name}";
# value = makeJob {
# description = "Branch ${name}";
# flake = "git+ssh://git@github.com/${repo}?ref=${ref}";
# };
# };
# Create a hydra job for a branch
jobOfRef =
name:
{ ref, ... }:
if ((builtins.match "^refs/heads/(.*)$" ref) == null) then
null
else
{
name = builtins.replaceStrings [ "/" ] [ "-" ] "branch-${name}";
value = makeJob {
description = "Branch ${name}";
flake = "git+ssh://git@github.com/${repo}?ref=${ref}";
};
};
# Create a hydra job for a PR
jobOfPR = id: info: {
name = if info.draft then "draft-${id}" else "pr-${id}";
value = makeJob {
description = "PR ${id}: ${info.title}";
flake = "git+ssh://gitea@nayeonie.com:2222/${info.head.repo.full_name}?ref=${info.head.ref}";
flake = "git+ssh://git@github.com/${info.head.repo.full_name}?ref=${info.head.ref}";
};
};
@@ -73,12 +74,12 @@ let
# wrapper function for reading json from file
readJSONFile = f: builtins.fromJSON (builtins.readFile f);
# remove null values from a set, in-case of branches that don't exist
# mapFilter = f: l: builtins.filter (x: (x != null)) (map f l);
mapFilter = f: l: builtins.filter (x: (x != null)) (map f l);
# Create job set from PRs and branches
jobs = makeSpec (
builtins.listToAttrs (map ({ name, value }: jobOfPR name value) (attrsToList prs))
# // builtins.listToAttrs (mapFilter ({ name, value }: jobOfRef name value) (attrsToList refs))
// builtins.listToAttrs (mapFilter ({ name, value }: jobOfRef name value) (attrsToList refs))
);
in
{

13
hydra/spec.json
View File

@@ -1,7 +1,7 @@
{
"enabled": 1,
"hidden": false,
"description": "ahuston-0's personal server infra",
"description": "RAD Development infrastructure",
"nixexprinput": "nixexpr",
"nixexprpath": "hydra/jobsets.nix",
"checkinterval": 60,
@@ -12,7 +12,7 @@
"type": 0,
"inputs": {
"nixexpr": {
"value": "ssh://gitea@nayeonie.com:2222/ahuston-0/nix-dotfiles.git main",
"value": "https://github.com/RAD-Development/nix-dotfiles main",
"type": "git",
"emailresponsible": false
},
@@ -22,8 +22,13 @@
"emailresponsible": false
},
"pulls": {
"type": "giteapulls",
"value": "nayeonie.com ahuston-0 nix-dotfiles https",
"type": "githubpulls",
"value": "RAD-Development nix-dotfiles",
"emailresponsible": false
},
"branches": {
"type": "github_refs",
"value": "RAD-Development nix-dotfiles heads -",
"emailresponsible": false
}
}

67
keys/richie.asc Normal file
View File

@@ -0,0 +1,67 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGQ4gGgBEAC2s0Q4nQ5aTlpTg4u/Hl9gq56IAGoUW9wlgEoStHXyA1WziY2s
1pt45l4Q6kORswXoXv0ULTWBQAGponjY3l+HNm+B0XMr6EogjV/EP/UCyEi8zpqs
PaoJiB95s8rTsh+E7GzWR8KDhazOrGFY+QQOsTWEhLF8jkISd9aC05pf+WnKyxLC
wFjNFXRWUgPKyKPWIUd3SJP2IH6rSSkp7SMCAUiteQx2c43thnr4c/wcfGANKbFO
PhYrkTJKSqt38NoFtNB/Eo/MaVwdEnTMmeovF9sA2s0SLat8+FngSEcIXvL5UpA4
K73+lOQUROWFju7LrIyOhksSZXyQvP+64PxfpbtHadH6wQ4Ckz0GYIYnDQ1q66dh
OKQq9efIlxb7ky47qXRMY8u6d2d4bceLM4a24lYajZ70HZTEF4hy5KCMd8DAmAzU
WLCkaz6SQVDsme60jH3Mavd18B8HZ1d5Vi75hNaylMRtq7o6IA60NnVXh07U+Zto
n8QOze0JqO/GaM7FzfijfsW670j//FSu5wUGnBYprBz7SFh2nCy/XPZYThtHtPbI
YeESs8WZtqkfs4RpmMkOKcTLNiTFXIsCqHIhR8lDnJl+skEMxg7L8FF2txph4ssU
BZ6dAbFy8KsH+2Sr2qfK0yHOVs37ymv+/WaxC0d+QpLAupRhzL+s2kIYGQARAQAB
tB9SaWNoaWUgPFJpY2hpZUB0bW13b3Jrc2hvcC5jb20+iQJOBBMBCAA4FiEEKfUB
fJXZ5gsbHoQHBysOC4MS3+MFAmQ4gGgCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgEC
F4AACgkQBysOC4MS3+PnKA//YUDZbuaas5MIWRqZsh02GEXVX4n727JP4iqZU4R0
Cndq7KCl+8XJ9RqmpRZab1FhEj/DQZYisKvloMvBop4q1XLLkabaQF5NsbDvIQG6
5TgbeSUmVWP6JS4Ka05FKIEwjKFS6ogbd1tscVs50zFWW+veewWMwwQF1mw+N5wx
LsnHRDIBPOj8Z+p07fyYlP2RMtqdjUqHOtDBiAvbFaXd1huEHd6H2bhnVLaxsJUf
EEGu92ND0GgW2tDrJIL+bNhZfsnHZEZPyruLZXcwW0JIyLf+sgob/iY0duDH1JDS
ty5tS3ke9O3Q56mPogHP7jlMwtVHzQQPlviVtNvYhRamb5hUDc9Qu9uXNM0HOWdg
MI5KE1xbdjz1OmymakfcfbVcSz1vu3k4XpqChiKt+psw8BnHGcguPchetkroCJcM
OLwnCoKH3TFxZfaZQGPDhHCGU484Nj1M/wHo9RcoWtrPWz+Y7W0U+47EdmGM1Vpl
9hIoXqjEWENz6Ph5DD0vxMptQPrRfmtLiJsWxAJRS9MH+ZWXxjJ2byKXiEHdR7la
Xgj8ejtzaZB04Ow9+zptFH6nwTygGGodcRkYYFtYSS7C46aihvMRLj68uHB2yC2b
zYutMtU6eregDaWiAeGycZcanGnU36JDifjaCF84oty6a3EpfdGCc9KkHk1Is+sR
TVe5Ag0EZDiAaAEQANy3ekveJexjqdhWmGjqF1rp90uWYJeVwg0Dlc621SNEzrfu
suC1BEHC2xdZz85yPbfdUPThAn/AmaMYlNIvzXmsGJdfIIsL7ZT+K6K+9ClbFhR8
eIZZjhpSOMwLEfNroyZPcOwEua9bSr3mwU+i2ED+dCKcxG4/wAtmeK2PNOz0t0/F
umLHW9Zk8YZBVSq7sGZ77TBi7GHOVzR/3wWy0qXgVMSQXtmOoDCmd1B1pD/BOkBA
2iI4spRLiDPW3XVDeAGydYPPEIXtFax7ZCs4BhjT4witJ2110fddrAh6e48yU4Hn
ca5F+QD6hVvUgHmdM/9GMqYf2mMC8tqNQf33Ib148zIhtQN5OtDz/sce5Xj8rk0j
HUuZ3E0jViK72ZRnZD46CyIc99ZcLCAhsHZDaMTEDfWX8ToQzA+Ahyth0RMykwhX
6NPKvOw2VqRK+j6iyYvtDXLmcsR890dzHDJLfrJWCJ0scpeWFvlLkVhQaT3NEqEK
oUENBFf8zxfTQ7BksyV2ESTwu5xqfYeJ1g1FoTfL30+/W0003K7hoPQuU3ebj3wY
3mMrG0hgo0iM9wHk83WWt+fDYj09yptGWAgBQNOpRR/0EbwEd74C3UxZQtUmxwPz
YW2g1GWyEgtA76UJ00TuQHBGklcKtY0IbHKwjn7NwHbYWu67R7Le3+cj3LOVABEB
AAGJAjYEGAEIACAWIQQp9QF8ldnmCxsehAcHKw4LgxLf4wUCZDiAaAIbDAAKCRAH
Kw4LgxLf462sEACDweQr1ik35sbw3qlPn3b/d2UYBK+r8G3Pk1RhNra2rFtkRY8Y
rEAlFeYOCBplsyg8swIClPjKpqIEehMV4X2E0N6WpyPzuOgNP4OPAmJngUYM9uxr
kcVhYubgp2Hcxk5TkbvHIc31P5ItCl7UUYC3bXf32K5GVeOAxsZBS6elwdxlFteY
WKjkwoZklPPfce4ctG/phy8dnn+pFMFnyisFFp81R2P+ztdSDLm/U27d8g9cjcWK
mhZtGox4zf7250p+gIUnlnBdtXIWBaUFidha5qql0/iSsMrhu2m12XaLc5HiubYY
RNIHcCRitG0Qc/pWVjZAD/bqOTl4/M1AeN7qZ/8Y1II1tCdBZ1MGinKS/3aGjTn5
RzvYrQeP7YTInyah7MpUTYoxI+VHHeD7hTy/y0GPZBtZ24B/s3ICuMemejILeI8M
aHj8FmBSXJ3dD8195QyONuQB5hNB3qGhc995KsDK3leCwJc3+MFLZPaEZnB+f+uo
+pdngVsKH2IAVOtJN+QULmuEFmiEGRAghJwxfA4M92Bn0jSa9KMyTsM41b3zdSVU
ipnn9FVX7RemSdF/z2SXAczwMLwVjai4j8b/U9O3oc0wrDF4QgrKKKIESlID/0Jf
QLwhRYHy03r2yENO9lEeTBaSF94HsN1UjrZtzpGx6QTGBohA2RrztXkosLgzBGWP
FicWCSsGAQQB2kcPAQEHQBlJ0lXDQnpcV7nR/MWPifi0WVTDPe0njjVIHNq/Z/xI
iQKtBBgBCAAgFiEEKfUBfJXZ5gsbHoQHBysOC4MS3+MFAmWPFicCGwIAgQkQBysO
C4MS3+N2IAQZFgoAHRYhBAA/2xaaamErUuSen5+R1096JyceBQJljxYnAAoJEJ+R
1096Jycejy0A/2BmBatOihlxnO1G0U5qy3eiFkzmYKhm9WEW+w461hjuAP40cTMS
xgnpUzUrsEs6+3Om7TLAa0VAqYLjA8NTVJs6AiPGEACuGgYn4uBzeXGLgHHUmLsY
25rOajs/zAZnQkMz1epMKJDZ658cIDKyjJ6mLkkBwHwARrMhb38AEphXgyuAtHMN
mEPRzABZutleW33KCk6zzVLyYVFBDWEI7hIFdNfJcJjXsDX0oGKB/oT5vlU25YgN
cBAC7q9PGfq/XkeFOz9j3UOXMuzTKmtrX28IiSPqk+IkzeL35otzrG1wsUPLDLRS
nlmwtnP4oQ50cUvTiDesk3QqPQn+2wPYakMydq7bvUcv/jakCADJq8Lsg4AmUxpQ
bZNj2Zu/j8g+0KYUTriuQpZHf+mjVoNzwxiDKobMvKNzyNrZwMnZhAcDnCXSHpZL
KnBcQGpsOjZicA9HodVRdU80DM46MSsncxAN+jwdHUOtCtONP059kF8JegwyevFS
1hY/6ZTMETtKckWbs2gMTEK48SXF3EQ2jMq8lbD9SccuEi6R19R5qiLwQBgUHawT
PcirlASclpR2zjLH1/MovxMFykCUUaQgGH0TjCe5X95Y7QdVgw6ocHkSFUsLN8V1
L3UfOIobFFW6EuRg5urKpljoi20dYsAyorqye9q825RyuWa5oLDtqXshCuOzLy6O
BgnM2FIvUpxAFmlXlC9eG8bUChfqEakio68Iwl6LUQouDR9gprWcookZV716YBVC
/IKQxyKTQK+nas4pfaUhYw==
=in5n
-----END PGP PUBLIC KEY BLOCK-----

43
lib/container-utils.nix
View File

@@ -1,43 +0,0 @@
{ lib, ... }:
{
# Given a attrset of images and a function which generates an image spec,
# generates a set of containers (although this could in theory be used for
# other things... I'd like to see people try)
#
# container set must be in the below format
# { container-name = {image = "image-uri"; scale = n;}; }
# where image-uri gets passed in to the container-spec function as a custom
# parameter, and scale is an integer that generates the containers
#
# container-spec must be a function which accepts two parameter (the
# container name and image name) and ideally returns an oci-compliant
# container.
#
# args:
# containers: an AttrSet which specifies the imageUri and scale of each
# container
# container-spec: a function which produces an oci-compliant container spec
#
# type:
# AttrSet -> (String -> AttrSet -> AttrSet) -> AttrSet
createTemplatedContainers =
containers: container-spec:
builtins.listToAttrs (
lib.flatten (
lib.mapAttrsToList (
name: value:
(map (
num:
let
container-name = "${name}-${toString num}";
in
{
name = container-name;
value = container-spec container-name value.image;
}
) (lib.lists.range 1 value.scale))
) containers
)
);
}

33
lib/default.nix
View File

@@ -3,7 +3,7 @@
# create rad-dev namespace for lib
rad-dev = rec {
systems = import ./systems.nix { inherit lib; };
container-utils = import ./container-utils.nix { inherit lib; };
microvm = import ./microvms.nix { inherit lib; };
# any(), but checks if any value in the list is true
#
@@ -58,20 +58,29 @@
# fileList :: Path -> String -> [Path]
fileList = dir: map (file: dir + "/${file}") (ls dir);
# reduce an attribute set to a string
#
# example:
# given attrset {host1 = "palatine-hill"; host2 = "jeeves";}
# and func (host: hostname: host + " is " + hostname + ", " )
# mapAttrsToString would return 'host1 is palatine-hill, host2 is jeeves, '
# constructs a mac address from a string's hash
#
# args:
# func: an function to apply to attrSet to turn each entry into one string
# attrSet: an attribute set to reduce
# hashable: the string to hash
#
# type:
# mapAttrsToString :: AttrSet -> (String -> Any -> String) -> String
mapAttrsToString =
func: attrSet: (lib.foldl' (cur: next: cur + next) "" (lib.mapAttrsToList func attrSet));
# strToMac :: String -> String
strToMac =
hashable:
let
# computes sha512 hash of input
hashStr = builtins.hashString "sha512" hashable;
# grabs first 12 letters of hash
hashSub = start: builtins.substring start 2 (builtins.substring 0 12 hashStr);
# joins list of strings with a delimiter between
joiner =
delim: arr:
builtins.foldl' (
a: b: lib.concatStrings ([ a ] ++ (lib.optionals (a != "") [ delim ]) ++ [ b ])
) "" arr;
# generates a list of indexes for the hash
starts = builtins.genList (x: x * 2) 6;
in
joiner ":" (map hashSub starts);
};
}

116
lib/microvms.nix Normal file
View File

@@ -0,0 +1,116 @@
{ lib, ... }:
rec {
genK3SVM =
server-config: agent-config: vms:
lib.mapAttrs (
host:
{
address,
gateway,
machine-id,
server ? false,
}:
genMicroVM host address gateway "x86_64-linux" machine-id (
if server then server-config else agent-config
)
) vms;
genMicroVM =
hostName: address: gateway: _system: machine-id: vm-config:
# microvm refers to microvm.nixosModules
# {
# config,
# pkgs,
# lib,
# ...
# }:
{
# The package set to use for the microvm. This also determines the microvm's architecture.
# Defaults to the host system's package set if not given.
# pkgs = import pkgs { inherit system; };
# (Optional) A set of special arguments to be passed to the MicroVM's NixOS modules.
#specialArgs = {};
# The configuration for the MicroVM.
# Multiple definitions will be merged as expected.
config = {
imports = [ vm-config ];
# It is highly recommended to share the host's nix-store
# with the VMs to prevent building huge images.
system.stateVersion = "24.05";
environment.etc."machine-id" = {
mode = "0644";
text = machine-id + "\n";
};
networking.hostName = hostName;
microvm = {
interfaces = [
{
type = "tap";
# bridge = "ztkubnet";
id = "vm-${hostName}";
mac = lib.rad-dev.strToMac hostName;
}
];
shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}
{
# On the host
source = "/var/lib/microvms/${hostName}/journal";
# In the MicroVM
mountPoint = "/var/log/journal";
tag = "journal";
proto = "virtiofs";
socket = "journal.sock";
}
];
};
systemd.network.enable = true;
systemd.network.networks."20-lan" = {
matchConfig.Type = "ether";
networkConfig = {
Address = address;
Gateway = gateway;
DNS = [ "9.9.9.9" ];
IPv6AcceptRA = true;
DHCP = "no";
};
};
services.openssh = {
enable = true;
openFirewall = true;
};
users.users.alice = {
openssh.authorizedKeys.keys = [
# photon
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOGcqhLaKsjwAnb6plDavAhEyQHNvFS9Uh5lMTuwMhGF alice@parthenon-7588"
# gh
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoaEmzaS9vANckvBmqrYSHdFR0sPL4Xgeonbh9KcgFe gitlab keypair"
# janus
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfcO9p5opG8Tym6tcLkat6YGCcE6vwg0+V4MTC5WKop alice@parthenon-7588"
# palatine
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP59pDsx34k2ikrKa0eVacj0APSGivaij3lP9L0Zd9au alice@parthenon-7588"
# jeeves
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDgkUndkfns6f779T5ckHOVhyOKP8GttQ9RfaO9uJdx alice@parthenon-7588"
];
isNormalUser = true;
};
# Any other configuration for your MicroVM
# [...]
};
};
}

14
lib/systems.nix
View File

@@ -149,7 +149,6 @@ rec {
configPath,
hostname,
inputs,
outputs,
src,
users,
home ? true,
@@ -163,9 +162,9 @@ rec {
specialArgs = {
inherit
inputs
outputs
server
system
src
;
};
modules =
@@ -200,7 +199,7 @@ rec {
# type:
# genSystems :: AttrSet -> Path -> Path -> AttrSet
genSystems =
inputs: outputs: src: path:
inputs: src: path:
builtins.listToAttrs (
map (
name:
@@ -211,15 +210,10 @@ rec {
inherit name;
value = constructSystem (
{
inherit
inputs
outputs
src
configPath
;
inherit inputs src configPath;
hostname = name;
}
// import configPath { inherit inputs; }
// import configPath { inherit inputs src; }
);
}
) (lib.rad-dev.lsdir path)

7
modules/base.nix
View File

@@ -1,7 +1,6 @@
{
lib,
inputs,
outputs,
server,
system,
...
@@ -15,7 +14,7 @@
programs = {
zsh.enable = true;
fish.enable = false;
fish.enable = true;
};
users = {
@@ -27,12 +26,10 @@
useUserPackages = true;
sharedModules = [ inputs.sops-nix.homeManagerModules.sops ];
extraSpecialArgs = {
inherit inputs outputs;
inherit inputs;
machineConfig = {
inherit server system;
};
};
};
networking.firewall.enable = lib.mkDefault true;
}

2
modules/boot.nix
View File

@@ -2,7 +2,6 @@
config,
lib,
libS,
pkgs,
...
}:
@@ -35,6 +34,7 @@ in
config.boot = lib.mkIf cfg.default {
supportedFilesystems = [ cfg.filesystem ];
tmp.useTmpfs = true;
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
kernelParams =
[ "nordrand" ]
++ lib.optional (cfg.cpuType == "amd") "kvm-amd"

9
modules/docker.nix
View File

@@ -7,13 +7,8 @@
extraGroups = [ "docker" ];
uid = 600;
};
groups = {
docker-service = {
gid = 600;
};
haproxy = {
gid = 99;
};
groups.docker-service = {
gid = 600;
};
};

24
modules/kub_net.nix
View File

@@ -6,7 +6,7 @@ in
options = {
services.rad-dev.k3s-net = {
enable = lib.mkOption {
default = false;
default = true;
example = true;
description = "Whether to enable k3s-net.";
type = lib.types.bool;
@@ -20,13 +20,13 @@ in
echo "ebe7fbd44565ba9d=ztkubnet" > /var/lib/zerotier-one/devicemap
'';
services.zerotierone = lib.mkDefault {
enable = true;
services.zerotierone = {
enable = lib.mkDefault true;
joinNetworks = [ "ebe7fbd44565ba9d" ];
};
systemd.network = lib.mkDefault {
enable = true;
systemd.network = {
enable = lib.mkDefault true;
wait-online.anyInterface = true;
netdevs = {
"20-brkubnet" = {
@@ -38,15 +38,27 @@ in
};
networks = {
"30-ztkubnet" = {
matchConfig.Name = "ztkubnet";
matchConfig.Name = [ "ztkubnet" ];
networkConfig.Bridge = "brkubnet";
linkConfig.RequiredForOnline = "enslaved";
};
"40-brkubnet" = {
matchConfig.Name = "brkubnet";
bridgeConfig = { };
networkConfig.LinkLocalAddressing = "no";
linkConfig.RequiredForOnline = "no";
};
"41-vms" = {
matchConfig.Name = [ "vm-*" ];
networkConfig.Bridge = "brkubnet";
linkConfig.RequiredForOnline = "enslaved";
};
"42-kubnet-accuse" = {
matchConfig.Name = "kubnet-accuse";
networkConfig.Bridge = "brkubnet";
linkConfig.RequiredForOnline = "enslaved";
address = [ "192.168.69.20/24" ];
};
};
};

4
modules/nix.nix
View File

@@ -13,15 +13,19 @@
connect-timeout = 20;
substituters = [
"https://cache.nixos.org/?priority=1&want-mass-query=true"
"https://attic.alicehuston.xyz/cache-nix-dot?priority=4&want-mass-query=true"
"https://nix-community.cachix.org/?priority=10&want-mass-query=true"
];
trusted-substituters = [
"https://cache.nixos.org"
"https://attic.alicehuston.xyz/cache-nix-dot"
"https://nix-community.cachix.org"
];
trusted-public-keys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"cache.alicehuston.xyz:SJAm8HJVTWUjwcTTLAoi/5E1gUOJ0GWum2suPPv7CUo=%"
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"cache-nix-dot:Od9KN34LXc6Lu7y1ozzV1kIXZa8coClozgth/SYE7dU="
];
trusted-users = [
"root"

1
modules/openssh.nix
View File

@@ -2,7 +2,6 @@
{
services.openssh = {
enable = lib.mkDefault true;
openFirewall = lib.mkDefault true;
fixPermissions = true;
extraConfig = "StreamLocalBindUnlink yes";

5
modules/opt/default.nix Normal file
View File

@@ -0,0 +1,5 @@
{ ... }:
{
}

5
modules/opt/k3s-agent.nix Normal file
View File

@@ -0,0 +1,5 @@
{ ... }:
{
imports = [ ./k3s-common.nix ];
services.k3s.role = "agent";
}

15
modules/opt/k3s-common.nix Normal file
View File

@@ -0,0 +1,15 @@
{
config,
lib,
pkgs,
...
}:
{
services.k3s = {
enable = true;
extraFlags = "--cluster-cidr 192.168.69.0/24";
# tokenFile = #TODO: set this up after building the first node lol
# serverAddr =
};
}

6
modules/opt/k3s-server.nix Normal file
View File

@@ -0,0 +1,6 @@
{ ... }:
{
# imports = [ ./k3s-common.nix ];
services.k3s.role = "server";
}

34
modules/opt/microvm-host.nix Normal file
View File

@@ -0,0 +1,34 @@
{
config,
lib,
inputs,
...
}:
let
cfg = config.rad-dev.microvm-host;
microvm = inputs.microvm.nixosModules;
in
{
imports = [ microvm.host ];
options.rad-dev.microvm-host = {
vms = lib.mkOption {
type = lib.types.attrs;
default = { };
description = "A list of VMs to construct on the host";
};
};
config = {
networking.useNetworkd = true;
microvm.vms = cfg.vms;
# TODO: deprecate this once we have syslog forwarders
systemd.tmpfiles.rules = map (
vmHost:
let
machineId = cfg.vms.${vmHost}.config.environment.etc."machine-id".text;
in
# creates a symlink of each MicroVM's journal under the host's /var/log/journal
"L+ /var/log/journal/${machineId} - - - - /var/lib/microvms/${vmHost}/journal/${machineId}"
) (builtins.attrNames cfg.vms);
};
}

2
modules/plocate.nix
View File

@@ -3,7 +3,7 @@
{
services.locate = {
enable = lib.mkDefault true;
# localuser = lib.mkDefault null;
localuser = lib.mkDefault null;
package = lib.mkDefault pkgs.plocate;
};
}

4
modules/update.nix
View File

@@ -4,7 +4,7 @@
enable = lib.mkDefault true;
repo.dotfiles = {
enable = lib.mkDefault true;
ssh-key = lib.mkDefault "/root/.ssh/id_ed25519_giteadeploy";
ssh-key = lib.mkDefault "/root/.ssh/id_ed25519_ghdeploy";
path = lib.mkDefault /root/dotfiles;
};
};
@@ -14,6 +14,6 @@
flags = [ "--accept-flake-config" ];
randomizedDelaySec = "1h";
persistent = true;
flake = "git+ssh://nayeonie.com/ahuston-0/nix-dotfiles.git";
flake = "github:RAD-Development/nix-dotfiles";
};
}

24
modules/yubikey.nix
View File

@@ -1,24 +0,0 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.rad-dev.yubikey;
in
{
options = {
services.rad-dev.yubikey = {
enable = lib.mkEnableOption "enable yubikey defaults";
enable-desktop-app = lib.mkEnableOption "installs desktop application";
};
};
config = lib.mkIf cfg.enable {
# enable the smart card daemon for certain yubikey operations
services.pcscd.enable = true;
environment.systemPackages = lib.optionals cfg.enable-desktop-app [ pkgs.yubioath-flutter ];
};
}

70
pkgs/bitwarden-rofi/default.nix
View File

@@ -1,70 +0,0 @@
# source: https://github.com/kylesferrazza/nix/blob/288edcd1d34884b9b7083c6d718fbe10febe0623/overlay/bitwarden-rofi.nix
# TODO https://github.com/mattydebie/bitwarden-rofi/issues/34
{
stdenv,
lib,
fetchFromGitHub,
makeWrapper,
unixtools,
xsel,
xclip,
wl-clipboard,
xdotool,
ydotool,
bitwarden-cli,
rofi,
jq,
keyutils,
libnotify,
}:
let
bins = [
jq
bitwarden-cli
unixtools.getopt
rofi
xsel
xclip
wl-clipboard
xdotool
ydotool
keyutils
libnotify
];
in
stdenv.mkDerivation {
pname = "bitwarden-rofi";
version = "git-2024-08-22";
src = fetchFromGitHub {
owner = "mattydebie";
repo = "bitwarden-rofi";
rev = "8be76fdd647c2bdee064e52603331d8e6ed5e8e2";
sha256 = "1h5d21kv8g5g725chn3n0i1frvmsrk3pm67lfxqcg50kympg0wwd";
};
buildInputs = [ makeWrapper ];
installPhase = ''
mkdir -p "$out/bin"
install -Dm755 "bwmenu" "$out/bin/bwmenu"
install -Dm755 "lib-bwmenu" "$out/bin/lib-bwmenu" # TODO don't put this in bin
install -Dm755 -d "$out/usr/share/doc/bitwarden-rofi"
install -Dm755 -d "$out/usr/share/doc/bitwarden-rofi/img"
install -Dm644 "README.md" "$out/usr/share/doc/bitwarden-rofi/README.md"
install -Dm644 img/* "$out/usr/share/doc/bitwarden-rofi/img/"
wrapProgram "$out/bin/bwmenu" --prefix PATH : ${lib.makeBinPath bins}
'';
meta = with lib; {
description = "Wrapper for Bitwarden and Rofi";
homepage = "https://github.com/mattydebie/bitwarden-rofi";
license = licenses.gpl3;
platforms = platforms.linux;
};
}

39
pkgs/lego-latest/default.nix
View File

@@ -1,39 +0,0 @@
{
lib,
fetchFromGitHub,
buildGoModule,
}:
buildGoModule rec {
pname = "lego";
version = "4.21.0";
src = fetchFromGitHub {
owner = "go-acme";
repo = pname;
rev = "v${version}";
hash = "sha256-3dSvQfkBNh8Bt10nv4xGplv4iY3gWvDu2EDN6UovSdc=";
};
vendorHash = "sha256-teA6fnKl4ATePOYL/zuemyiVy9jgsxikqmuQJwwA8wE=";
doCheck = false;
subPackages = [ "cmd/lego" ];
ldflags = [
"-s"
"-w"
"-X main.version=${version}"
];
meta = with lib; {
description = "Let's Encrypt client and ACME library written in Go";
license = licenses.mit;
homepage = "https://go-acme.github.io/lego/";
maintainers = teams.acme.members;
mainProgram = "lego";
};
#passthru.tests.lego = nixosTests.acme;
}

4
shell.nix
View File

@@ -45,10 +45,6 @@ forEachSystem (
treefmt
statix
nixfmt-rfc-style
jsonfmt
mdformat
shfmt
yamlfmt
];
};
in

31
utils/sops-mergetool.sh → sops-mergetool.sh
View File

@@ -1,27 +1,17 @@
#!/usr/bin/env bash
# Exit on first error and verify variables have been set/passed via CLI
#set -eu
set -v
set -x
set -eu
# Rename our variables to friendlier equivalents
# https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
base="$1"
local_="$2"
remote="$3"
merged="$4"
echo "$base"
echo "$local_"
echo "$remote"
echo "$merged"
base="$1"; local_="$2"; remote="$3"; merged="$4"
# Resolve our default mergetool
# https://github.com/git/git/blob/v2.8.2/git-mergetool--lib.sh#L3
mergetool="$(git config --get merge.tool)"
GIT_DIR="$(git --exec-path)"
if test "$mergetool" = ""; then
echo 'No default `merge.tool` was set for `git`. Please set one via `git config --set merge.tool <tool>`' 1>&2
echo "No default \`merge.tool\` was set for \`git\`. Please set one via \`git config --set merge.tool <tool>\`" 1>&2
exit 1
fi
@@ -35,7 +25,7 @@ merged_decrypted="${base_decrypted/_BASE_/_MERGED_}"
backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}"
# If anything goes wrong, then delete our decrypted files
handle_trap_exit() {
handle_trap_exit () {
rm $base_decrypted || true
rm $local_decrypted || true
rm $remote_decrypted || true
@@ -45,13 +35,13 @@ handle_trap_exit() {
trap handle_trap_exit EXIT
# Decrypt our file contents
sops --decrypt --show-master-keys "$base" >"$base_decrypted"
sops --decrypt --show-master-keys "$local_" >"$local_decrypted"
sops --decrypt --show-master-keys "$remote" >"$remote_decrypted"
sops --decrypt --show-master-keys "$base" > "$base_decrypted"
sops --decrypt --show-master-keys "$local_" > "$local_decrypted"
sops --decrypt --show-master-keys "$remote" > "$remote_decrypted"
# Create a merge-diff to compare against
set +e
git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" >"$merged_decrypted"
git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" > "$merged_decrypted"
set -e
cp "$merged_decrypted" "$backup_decrypted"
@@ -69,7 +59,7 @@ source "$GIT_DIR/git-mergetool--lib"
source "$GIT_DIR/mergetools/$mergetool"
# Override `check_unchanged` with a custom script
check_unchanged() {
check_unchanged () {
# If the contents haven't changed, then fail
if test "$MERGED" -nt "$BACKUP"; then
return 0
@@ -85,4 +75,5 @@ merge_cmd
set -eu
# Re-encrypt content
sops --encrypt "$merged_decrypted" >"$merged"
sops --encrypt "$merged_decrypted" > "$merged"

2
statix.toml
View File

@@ -1,4 +1,4 @@
disabled = ["empty_pattern"]
nix_version = '2.25'
nix_version = '2.4'
ignore = ['.direnv']

438
systems/artemision/ao3_skins/happy_17th.css
View File

@@ -1,438 +0,0 @@
#footer .group,
.post fieldset fieldset,
fieldset fieldset {
background: none;
}
#header {
background: #000 url('https://media.archiveofourown.org/news/milestones/2024-08-seventeen-years-otw/2024-08-seventeen-years-otw-pattern.jpg');
background-size: 350px;
}
#header .heading a,
#header .primary .dropdown a:focus,
#header .heading a:visited,
#main .pagination .current,
h2 {
color: #ffe8b4;
}
#header .clear,
#footer {
border-color: #191919;
}
#header .actions a[href="/menu/fandoms"],
#header .actions a[href="/menu/browse"],
#header .actions a[href="/menu/search"],
#header .actions a[href="/menu/about"] {
color: #fff;
}
#footer ul {
background: url('https://live.staticflickr.com/7284/9616997915_4194b6c6f7_h.jpg');
background-size: 350px;
}
#footer ul li:nth-child(1) ul,
#footer ul li:nth-child(2) ul,
#footer ul li:nth-child(3) ul,
#footer ul li:nth-child(4) ul {
background: rgba(0, 0, 0, 0.0);
}
#header .primary {
background: #8a1a10;
}
#footer {
background: #8a1a10;
}
input[type="text"],
textarea,
select {
background: #222;
color: #fff;
}
select:focus {
background: #2a2a2a;
}
option {
background: #555;
color: #fff;
}
#work form fieldset.work.meta dl dd.warning.required fieldset,
#main form fieldset.work.meta dl dd.warning.required fieldset {
color: #fff;
}
#bookmark-form form {
background: #2a2a2a;
color: #fff;
}
#error {
color: #191919;
}
fieldset,
.verbose fieldset {
border-color: #404040;
background: #191919;
border: 1px solid #595959;
}
.search [role=tooltip] {
background: #333;
border: 1px solid #666;
}
#main a:visited {
color: #ccc;
}
#main a.tag:visited:hover {
color: #111;
}
body,
.group,
.group .group,
.region,
.flash,
form dl,
#main .verbose legend,
.notice,
ul.notes,
table,
th,
td:hover,
tr:hover,
.symbol .question:hover,
#modal,
.ui-sortable li,
.required .autocomplete,
.autocomplete .notice,
.system .intro,
.comment_error,
.kudos_error,
div.dynamic,
.dynamic form,
#ui-datepicker-div,
.ui-datepicker table {
background: #191919;
color: #eee;
border-color: #222;
outline: #111;
box-shadow: none;
}
#header .actions a:hover,
#header .actions a:focus,
#header .dropdown:hover a,
#header .open a,
#header .menu,
#small_login,
.group.listbox,
fieldset fieldset.listbox,
.listbox,
form blockquote.userstuff,
input:focus,
textarea:focus,
li.relationships a,
.group.listbox .index,
.dashboard fieldset fieldset.listbox .index,
#dashboard a:hover,
th,
#dashboard .secondary,
.secondary,
.thread .even,
.system .tweet_list li,
.ui-datepicker tr:hover {
background: #2A2A2A;
}
a,
a.tag,
a:link,
#header a:visited,
#header .primary .open a,
#header .primary .dropdown:hover a,
#header #search input:focus,
#header #search input:hover,
.userstuff h2,
#dashboard a,
#dashboard span,
#dashboard .current,
.group .heading,
.filters dt a:hover {
color: #fff;
}
#header .dropdown .menu a:hover,
#header .dropdown .menu a:focus,
.splash .favorite li:nth-of-type(odd) a,
.ui-datepicker td:hover,
#tos_prompt .heading,
#tos_prompt [disabled] {
background: #111;
color: #ffe8b4;
}
#outer,
.javascript,
.statistics .index li:nth-of-type(even),
#tos_prompt,
.announcement input[type="submit"] {
background: #191919;
}
#dashboard ul,
dl.meta,
.group.listbox,
fieldset fieldset.listbox,
#main li.blurb,
form blockquote.userstuff,
div.comment,
li.comment,
.toggled form,
form dl dt,
form.single fieldset,
#inner .module .heading,
.bookmark .status span,
.splash .news li,
.filters .group dt.bookmarker {
border-color: #555;
}
.group.listbox,
fieldset fieldset.listbox,
#main li.blurb,
.wrapper,
#dashboard .secondary,
.secondary,
form blockquote.userstuff,
.thread .comment,
.toggled form {
box-shadow: 1px 1px 3px #000;
}
#dashboard .current,
.actions a:active,
a.current,
.current a:visited,
span.unread,
.replied,
span.claimed,
dl.index dd,
.own,
.draft,
.draft .unread,
.child,
.unwrangled,
.unreviewed,
.ui-sortable li:hover {
background: #000;
border-color: #555;
box-shadow: -1px -1px 3px #000;
}
input,
textarea {
box-shadow: inset 0 1px 2px #000;
}
li.blurb,
.blurb .blurb,
.listbox .index,
fieldset fieldset.listbox,
.dashboard .listbox .index {
box-shadow: inset 1px 1px 3px #000;
}
#footer a:hover,
#footer a:focus,
.autocomplete .dropdown ul li:hover,
.autocomplete .dropdown li.selected,
a.tag:hover,
.listbox .heading a.tag:visited:hover,
.symbol .question {
background: #ffedc5;
border-color: #988352;
color: #111;
}
#header #greeting img,
#header .user a:hover,
#header .user a:focus,
#header fieldset,
#header form,
#header p,
#dashboard a:hover,
.actions a:hover,
.actions input:hover,
.delete a,
span.delete,
span.unread,
.replied,
span.claimed,
.draggable,
.droppable,
span.requested,
a.work,
.blurb h4 a:link,
.blurb h4 img,
.splash .module h3,
.splash .browse li a:before,
.required,
.error,
.comment_error,
.kudos_error,
a.cloud7,
a.cloud8,
#tos_prompt .heading {
color: #ffe8b4;
}
#greeting .icon,
#dashboard,
#dashboard.own,
.error,
.comment_error,
.kudos_error,
.LV_invalid,
.LV_invalid_field,
input.LV_invalid_field:hover,
input.LV_invalid_field:active,
textarea.LV_invalid_field:hover,
textarea.LV_invalid_field:active,
.qtip-content {
border-color: #8a1a10;
}
.splash .favorite li:nth-of-type(odd) a:hover,
.splash .favorite li:nth-of-type(odd) a:focus .splash .favorite li:nth-of-type(odd) a:visited:hover,
.splash .favorite li:nth-of-type(odd) a:visited:focus {
background: #ffe8b4;
color: #111;
}
a:visited,
.actions a:visited,
.action a:link,
.action a:visited,
.listbox .heading a:visited,
span.series .divider {
color: #999;
}
.actions a,
.actions a:link,
.action,
.action:link,
.actions input,
input[type="submit"],
button,
.current,
.actions label,
#header .actions a,
#outer .current {
background: #555;
border-color: #222;
color: #eee;
box-shadow: inset 0 -8px 4px #232323, inset 0 8px 7px #555;
text-shadow: none;
}
.actions a:hover,
.actions input:hover,
#dashboard a:hover,
.actions a:focus,
.actions input:focus,
#dashboard a:focus,
.actions .disabled select {
color: #999;
border-color: #000;
box-shadow: inset 2px 2px 2px #000;
}
.actions a:active,
.current,
a.current,
.current a:visited {
color: #fff;
background: #555;
border-color: #fff;
box-shadow: inset 1px 1px 3px #191919;
}
.delete a,
span.delete {
box-shadow: -1px -1px 2px rgba(255,255,255.25);
}
.actions label.disabled {
background: #222;
box-shadow: none;
}
ul.required-tags,
.bookmark .status span,
.blurb .icon {
opacity: 0.9;
border: 0;
}
#outer .group .heading,
#header .actions a,
fieldset.listbox .heading,
.userstuff .heading {
text-shadow: none;
color: #fff;
background: none;
}
#header .actions a,
fieldset fieldset,
.mce-container button,
.filters .expander,
.actions .disabled select {
box-shadow: none;
}
fieldset fieldset.listbox {
outline: none;
}
form dd.required {
color: #eee;
}
.mce-container input:focus {
background: #F3EFEC;
}
.announcement .userstuff a,
.announcement .userstuff a:link,
.announcement .userstuff a:visited:hover {
color: #111;
}
.announcement .userstuff a:visited {
color: #666;
}
.announcement .userstuff a:hover,
.announcement .userstuff a:focus {
color: #999;
}
.event.announcement .userstuff a,
.filters .expander {
color: #eee;
}

54
systems/artemision/configuration.nix
View File

@@ -6,18 +6,17 @@
}:
{
imports = [
./audio.nix
./desktop.nix
./fingerprint.nix
./fonts.nix
./graphics.nix
./libvirt.nix
./polkit.nix
./programs.nix
./steam.nix
./stylix.nix
./desktop.nix
./wifi.nix
./zerotier.nix
./fonts.nix
./polkit.nix
./audio.nix
./fingerprint.nix
./steam.nix
./graphics.nix
./libvirt.nix
];
time.timeZone = "America/New_York";
@@ -32,7 +31,7 @@
};
boot = {
#kernelPackages = lib.mkForce pkgs.linuxPackages_6_6;
kernelPackages = lib.mkForce pkgs.linuxPackages_zen;
useSystemdBoot = true;
default = true;
};
@@ -45,7 +44,6 @@
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
services = {
flatpak.enable = true;
calibre-web = {
enable = true;
listen = {
@@ -72,33 +70,35 @@
}) { inherit (pkgs) system; }).fwupd;
};
fprintd.enable = lib.mkForce false;
fprintd.enable = true;
openssh.enable = lib.mkForce false;
rad-dev.yubikey = {
spotifyd = {
enable = true;
enable-desktop-app = true;
settings = {
global = {
username = "snowinginwonderland@gmail.com";
password_cmd = "cat ${config.sops.secrets."apps/spotify".path}";
use_mpris = false;
};
};
#systemd.services.spotifyd.serviceConfig = systemd.services.spotifyd.
};
};
users.users.alice.extraGroups = [ "calibre-web" ];
system.autoUpgrade.enable = false;
system.stateVersion = "24.05";
programs.adb.enable = true;
environment.variables = {
"KWIN_DRM_NO_DIRECT_SCANOUT" = "1";
};
sops = {
defaultSopsFile = ./secrets.yaml;
#secrets = {
# "apps/spotify" = {
# group = "audio";
# restartUnits = [ "spotifyd.service" ];
# mode = "0440";
# };
#};
secrets = {
"apps/spotify" = {
group = "audio";
restartUnits = [ "spotifyd.service" ];
mode = "0440";
};
};
};
}

1
systems/artemision/default.nix
View File

@@ -7,7 +7,6 @@
users = [ "alice" ];
modules = [
inputs.nixos-hardware.nixosModules.framework-16-7040-amd
inputs.stylix.nixosModules.stylix
{
environment.systemPackages = [
inputs.wired-notify.packages.x86_64-linux.default

44
systems/artemision/desktop.nix
View File

@@ -3,30 +3,9 @@
{
# installs hyprland, and its dependencies
programs = {
hyprland = {
enable = true;
xwayland.enable = true;
withUWSM = true;
};
hyprlock.enable = true;
gnupg.agent = {
enable = true;
#pinentryPackage = pkgs.pinentry-rofi;
pinentryPackage = pkgs.pinentry-gnome3;
#settings = {
# keyserver-options = "auto-key-retrieve";
# auto-key-locate = "hkps://keys.openpgp.org";
# keyserver = "hkps://keys.openpgp.org";
#keyserver = "hkp://pgp.mit.edu";
# "na.pool.sks-keyservers.net"
# "ipv4.pool.sks-keyservers.net"
# "p80.pool.sks-keyservers.net"
# ];
#};
};
ydotool.enable = true;
programs.hyprland = {
enable = true;
xwayland.enable = true;
};
# Optional, hint electron apps to use wayland:
environment.sessionVariables.NIXOS_OZONE_WL = "1";
@@ -56,11 +35,20 @@
};
};
powerManagement = {
programs.gnupg.agent = {
enable = true;
resumeCommands = ''
${pkgs.hyprlock}/bin/hyprlock -c /home/alice/.config/hypr/hyprlock.conf
'';
#pinentryPackage = pkgs.pinentry-rofi;
pinentryPackage = pkgs.pinentry-gnome3;
#settings = {
# keyserver-options = "auto-key-retrieve";
# auto-key-locate = "hkps://keys.openpgp.org";
# keyserver = "hkps://keys.openpgp.org";
#keyserver = "hkp://pgp.mit.edu";
# "na.pool.sks-keyservers.net"
# "ipv4.pool.sks-keyservers.net"
# "p80.pool.sks-keyservers.net"
# ];
#};
};
environment.systemPackages = with pkgs; [

18
systems/artemision/fonts.nix
View File

@@ -3,13 +3,17 @@
fonts = {
fontconfig.enable = true;
enableDefaultPackages = true;
packages = with pkgs.nerd-fonts; [
fira-code
droid-sans-mono
hack
dejavu-sans-mono
noto
open-dyslexic
packages = with pkgs; [
(nerdfonts.override {
fonts = [
"FiraCode"
"DroidSansMono"
"Hack"
"DejaVuSansMono"
"Noto"
"OpenDyslexic"
];
})
];
};
}

9
systems/artemision/hardware.nix
View File

@@ -20,9 +20,6 @@
"usb_storage"
"usbhid"
"sd_mod"
"ip_vs"
"ip_vs_rr"
"nf_conntrack"
];
initrd.kernelModules = [
"dm-snapshot"
@@ -55,6 +52,7 @@
options = [
"noatime"
"nodiratime"
"discard"
];
};
@@ -64,6 +62,7 @@
options = [
"noatime"
"nodiratime"
"discard"
];
};
@@ -73,6 +72,7 @@
options = [
"noatime"
"nodiratime"
"discard"
];
};
@@ -82,11 +82,12 @@
options = [
"noatime"
"nodiratime"
"discard"
];
};
};
swapDevices = [ { device = "/dev/disk/by-uuid/3ec276b5-9088-45b0-9cb4-60812f2d1a73"; } ];
swapDevices = [ { device = "/dev/disk/by-uuid/7f0dba0f-d04e-4c94-9fba-1d0811673df1"; } ];
boot.initrd.luks.devices = {
"nixos-pv" = {

31
systems/artemision/programs.nix
View File

@@ -3,7 +3,6 @@
environment.systemPackages = with pkgs; [
act
alacritty
attic-client
amdgpu_top
bat
bitwarden-cli
@@ -13,12 +12,12 @@
calibre
# calibre dedrm?
candy-icons
chromium
chromedriver
cinnamon.nemo-with-extensions
croc
deadnix
direnv
easyeffects
discord
discord-canary
eza
fanficfare
ferium
@@ -30,29 +29,22 @@
glances
gpu-viewer
grim
helvum
headsetcontrol
htop
hwloc
ipmiview
iperf3
# ipscan
ipscan
jp2a
jq
kdePackages.kdenlive
kitty
kubectl
kubernetes-helm
libreoffice-fresh
libtool
lsof
lynis
masterpdfeditor4
minikube
mons
mpv
# nbt explorer?
ncdu
nemo-with-extensions
neofetch
neovim
nix-init
@@ -61,8 +53,6 @@
nix-tree
nixpkgs-fmt
nmap
obs-studio
obsidian
ocrmypdf
pciutils
#disabled until wxpython compat with python3.12
@@ -70,19 +60,16 @@
prismlauncher
protonmail-bridge
protontricks
proxychains
qrencode
redshift
restic
ripgrep
rpi-imager
rofi-wayland
samba
signal-desktop
# signal in tray?
siji
simple-mtpfs
skaffold
slack
slurp
smartmontools
@@ -97,18 +84,18 @@
tig
tokei
tree
unipicker
unzip
unipicker
uutils-coreutils-noprefix
ventoy
vesktop
vscode
watchman
wget
wl-clipboard
yq
yt-dlp
xboxdrv
yubioath-flutter
zoom-us
zoxide
zoom
];
}

62
systems/artemision/secrets.yaml
View File

@@ -1,17 +1,17 @@
hello: ENC[AES256_GCM,data:BTCBuBxHFO8vwXU/bsAZryM5rXUOEi0brlvq6DtqfZbzxGz4LaW89VO75MERHQ==,iv:fwqI3arwtlZQ5DtvpVbh21ThuZP8zcqCHsmuJuCfCsY=,tag:tkkEO8/eEDCakdlT0NvajA==,type:str]
example_key: ENC[AES256_GCM,data:xzsymSb4oD70twtoKQ==,iv:9vBmAKET2VIuDSq7AOyvdYWLGlL6cYHTWxy/Z5bB1+c=,tag:NbV4eA2aaY4cQAKUy3QOpw==,type:str]
#ENC[AES256_GCM,data:zeOCzRd/nFRhbANHxPyyjw==,iv:9MmHl3OyhJHVU+cUFJ4QitHd4SeDe3ctaky+yfvk8Zs=,tag:uPGRJtgQj1vIdLt2+w0krg==,type:comment]
hello: ENC[AES256_GCM,data:UJlsd5kvnhEv7eJeYwg+NHm9sgUAxYM5DoR0gDPLi9J7P+8FI8WPMkN1wEAHJA==,iv:NFSdZQ1OK4BT+EAGZz122NB7WrVCEzv4wwMxFIE/OKI=,tag:6YT7Vw8tFrw9iEFKxeKRFQ==,type:str]
example_key: ENC[AES256_GCM,data:KMXgMrqe7M101ZMJ2g==,iv:MJ3Iiu/0KIVhPFnqfovysqvPJAv1OsnxE4VIsuexFkE=,tag:X6KIKNGym8/9VglmG3SNRw==,type:str]
#ENC[AES256_GCM,data:QR3WNE/a1hZIXnTjFjK3kA==,iv:eXoZJ5rQaYqN7LjEp2M13OCMwuQ+80M5AXjV0uNc4C8=,tag:sCvL6pr9zAyWZziffVFMzg==,type:comment]
example_array:
- ENC[AES256_GCM,data:Nwn96XJv8xZWRYv8qws=,iv:K30LBMC8e1vUS0XE+4EIYb3xUUyn6232YmhV2vI9Qnc=,tag:HRe3S88zwj/CjG6NTvjdRQ==,type:str]
- ENC[AES256_GCM,data:l2nuwoAbwaDFHpEWV1Y=,iv:7/2rTd8agUvx73eftpOgidV4XjDUv/JppLIIsiuycnU=,tag:Ohi4JULWDNXJPWZaeXHEdw==,type:str]
example_number: ENC[AES256_GCM,data:toi1e/biUd2Tng==,iv:MPCfhhX9DDaOSzx/L5LTf2VYffin8XvxVyhNDqZLsec=,tag:tE/lml3afP/NjRtpPraoRQ==,type:float]
- ENC[AES256_GCM,data:g8PulCLrXZYSEdZJELE=,iv:irGwciFn1zXBxFpGAJtD46EQLGUO5oqdCzRgv1204JE=,tag:2MuDdRYMjhtTY++lPuj1FQ==,type:str]
- ENC[AES256_GCM,data:qv7GvmoOX8VSdaiW/90=,iv:6NOWeWqHUV9ciKPmZF4C7ijuIPFr3YZi3Dh7xWnb07k=,tag:VHXdBhWmEpb7uavCPqGZ4w==,type:str]
example_number: ENC[AES256_GCM,data:g8BIEIcwKRLSbw==,iv:Ay4aiukAvXeDhzlpMPn++zR0Tt2lMqCx362uN37S+ac=,tag:NTtNaIu5u8YsIm0M4OgL0A==,type:float]
example_booleans:
- ENC[AES256_GCM,data:02CVNA==,iv:L9GmIm9ynm2cWTyd3iYo4fgIeneUyFpEzzzxicM/YNI=,tag:k2EIboiL+c4W1H2OpA2Rqw==,type:bool]
- ENC[AES256_GCM,data:6SJ0JKI=,iv:J0qSvWoOcDwSXCKyau+a0YcCGuH5WABHVh6Kdigac20=,tag:WQdNfjcubbzoHnQW4gua8g==,type:bool]
- ENC[AES256_GCM,data:94T9mg==,iv:qKGJke4SGhgN09Yebh5MPrRBDNnguJQ+1dl5XQffGZQ=,tag:0Pa3eujmSxDCnAHKHsx6yQ==,type:bool]
- ENC[AES256_GCM,data:gEvfi+Q=,iv:0DrXoZk8OkdUShc7WAKOL8xG26RFZp3M3qYFAb1hDAs=,tag:uemBrdF87nrfLpfnQ8bD8g==,type:bool]
apps:
spotify: ENC[AES256_GCM,data:tIABPphA7Vr6VNvJpWTS9kDmidU=,iv:ciQzr8jyIcHYi797NKypPs7FhDgK5ToVZ0eZHHF8UtE=,tag:wUTL/x1p24cXyPUAL1dPfg==,type:str]
wifi-env: ENC[AES256_GCM,data:G+z+fURk4rT61I5BiFzEJJt35jywPNrGpn1QGNhjvxrqPQ/Sq/hIHmQo+bqe9yJeDgMX3RY4EaiZxFTJyxPfW1czjuMSj3vbTp0WcDmGvUJ7li2pX2pzolgly4qmgoOluGBeRZWVLLOZYFB2+kLRMJNNz/bP5k2Eq6O4+l4sljPM+abn9iz9Eh46rVOVRkmDzCltJrYiuBSiSPhTDRTP2+gUbgbaUJTkVrVLUBHg3QU6az6VPN8DPZxbx4LtdaIb93pI,iv:uUfJK/iPdyLP7LqZJolTGGTxaEzlJI59bUVNcB1etkU=,tag:tvXSXSW1MIhLJceEK1afuw==,type:str]
#ENC[AES256_GCM,data:G9ggYJ3YA+E=,iv:nZ5NgeyNKFXFIpquoY68Z2Jz9QROqvf5tv7/s1wSgKk=,tag:QAX555IsAMaWAlz9ywSzjQ==,type:comment]
spotify: ENC[AES256_GCM,data:bp1pdOfS+VGWLtepUjg7KFWw8Fk=,iv:twGO3CjzRxAU81C93mX8qIEZ/FYIQRJnMd2HIuvP9q8=,tag:AJgs0QGFH30E8+ZpaB02TQ==,type:str]
wifi-env: ENC[AES256_GCM,data:NGI090aVGojJ7+lvcknJfZBQKb0b/tUrd2AqEl5IWQWCJdqqaO4pCrs3C+IW06/pz9FWgMxx9tPu32xmMZaPnnlLD+XyVJ71L2P22U6YufRPRfvyv6swOlihscOZ5tsFFYShjXpow0PfmYS+tP9mYLb2RYFLGQmvI4fa4LaVjuwPXAMg3RN/gVXR6bMEpd/7OIr+tIxC5sTE7V7fIbyzcn4=,iv:VbtgvwMHo1iLuTKCA7KjEXC1d1MY4aHfmXI6yuCGZVI=,tag:dGmw+icLKL9dJQExy83m1A==,type:str]
#ENC[AES256_GCM,data:pC2Kdy7wNc0=,iv:J7Ggfv6K3dCzL42j5MGd+BjQGseoAoYs4k6+yc3FSiA=,tag:9MriduP9SEIi+c1q4tfzlQ==,type:comment]
sops:
kms: []
gcp_kms: []
@@ -21,26 +21,34 @@ sops:
- recipient: age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWbElNRkxyZ2VjaitiTWx2
eThsY0h3a2NCZDloWG0rU1ZwVnhOY2VJTXlFCnp3UzNDR216L2R4cVdyWjFqbkRr
cFJGQjQ4Qk9zblYyckVFY3VNekNuajQKLS0tIEdRWldHMjlpTElxQWFVUlh4L1lz
d09aSXN0ZUh3VC9XeTZ4UWoxVDNVN0UKF1eU/IQJgJ8Fg+MrfqQuEZZ775hvtUJR
D/ZS4vj+sDLWq6gy2lIBhRSIAHWrz5gHxvOOGmRnpvkqh9TS6XjLIA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRZUNHeDdqaGt0QnFIejdM
MU5uaDNiN2xOeVlZNzQyZXZ0R2NYUU83ZWxrCmNDL3J6ZjNmejBuUXk3cldwZUEz
UWVqMTVPelN1MTJDNzc0UU9XNWkralUKLS0tIDU2b053Uk5VZGlWUk9XMXZ5Wllk
UlhhNzNjTHdVaXlPOFJhc0EyZGh3RDQK1c7nctmrorze4Kr0Grmcmx3N/UYXPwJc
FfClOoGxO+4ZDtxG61SDU1UdYae4loQ8roM8jDIPFMfoEum2bT8oXw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-28T18:57:09Z"
mac: ENC[AES256_GCM,data:hKhAo7rDplLm19PlrKHQwxnDVXCMU/xpAxPALLDBa0M3yypy2QVD6c6Atn897tYRKf7oeLaUKqnUYdCcZ9gVgm37LS+GtRhf66zfvcKqhZF8wh3M0zTDPYpQDhex0N4BAJ/dcaYIbxqE9pEUxJOI5jip/hptaCJItTEe7oARcF4=,iv:EUayxLaOPcnWX+S9+RlHrxzJRLlSSLIwqbAq3fFI4yg=,tag:LiBsqIodTWamO+c8FqGBag==,type:str]
lastmodified: "2024-08-03T02:45:15Z"
mac: ENC[AES256_GCM,data:PsEeb2leFb500YYHg+5YHwGVHKUPB7qVqaJY66hnkmCa5MKAZkHqSgtVvh+Ai4fN9E+WFtjlso2a4oasQMNwVXsmt54+q1/Mz5zF2D/1nvaNL76fEod2YXp2jlGxNniyPfRaZXDu+QQLhoz2PBoe6OQ9E5WRDV88j7gksy6GePw=,iv:H7Q9fbvdgh+NZNyyupByQETWsgpXVXn0blQV1Ww7eQM=,tag:cpWykzgH9/mWTKxmEDZ9PA==,type:str]
pgp:
- created_at: "2024-11-28T18:57:09Z"
- created_at: "2024-03-23T05:46:35Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DQWNzDMjrP2ISAQdALiZMzuQViM23hoFebCXYfQUIvCluWqAEeSJyE/LRHG8w
nQnIVPRIbzLzWfCf+48EW6f7zonHmNY7D9F9KohDmCTcJ5/WvXsJKjebuohR62TF
1GYBCQIQq7nEvwSfn+l5AevKIiodA4BLfM326JSx5hJ6XdrE0MzZo1uoMwKKuxig
mPbDP8Rx51v9f+9DzjBg6kQD5w411HADL8th+wSkpmasP8ozIeiNiIKzzoJc/fD6
AOsExCUt8FU=
=wRT+
hQIMA84hNUGIgI/nAQ/+IwyPDjs/jDCBlnYFboHh6TXx8ulysESst4hz5crM4L0u
wylKyfEIBx0eLy0mLLA4DhcpYza0Nry5RLdwDNfimhATErfQxnwqlZ6RnYKnh3Hk
93L66+BEKPd3EZOH+RC/wb0qiTDmU0yna8jtVO0uU7s6//hm/g7bdmQAK0YIJLcb
sd83n99R4oHVrq7iFc74/AV5isW9GcfmvLI94eodFpaE1dpqm4KzNpLueDCOvA/1
vPo5Lgtp9WM4FhXUqMiplCNqMIt+Hyj3F+p+9jgQ2dLfHuVkI8pzd47gOHyMDYPy
fn6SVKZtOyfNDwhs7L5piiarSXISBGtx36ISDvtvtr/vgMydTdvILIOo9pkSGVtN
4W7+ywMaFjfAeShTVtUJNJqmp/8agt2WtaUX4kPPha4SxlNSOMpeTQ31bs89gBtc
g2325afL2WPK4NSAOmU8VMXqmFc2A10aFlx5nsfT4S1wkoNbitTWgoAcCa7kGRPW
xZca225cwLUzkggv74cfYT3YnQL40AMSOMqSRS8pbTFEENG1BtsB5A++Jji2i4tO
xoGIL8LRCEfiHpTC7eBwDDVmKb5StgKsXs6yYbQG5XW2W+/Jgum64Sb7+LviQ9Mq
WHNiu5MZPeKyHFu9jI9Ne1HpYJnb7/X9AxFw2e/vFwVn+kjaXcH/PhsYuPUyqkzS
XgG3tFbcgNtMWyoLU2EL1Qvwq1pHVrwmeNXHidESx23HeJtnIwoKkdopl4qqqNle
uQYP89bvb6zFWlqOSwLORZmj1W1wVTYV9eXplDbJob8agBKIcIuhtwri5e96gf4=
=XdJo
-----END PGP MESSAGE-----
fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
fp: F63832C3080D6E1AC77EECF80B4245FFE305BC82
unencrypted_suffix: _unencrypted
version: 3.9.1
version: 3.9.0

5
systems/artemision/steam.nix
View File

@@ -4,10 +4,7 @@
environment.systemPackages = [ pkgs.steam-run ];
hardware.steam-hardware.enable = true;
programs = {
gamescope = {
enable = true;
capSysNice = true;
};
gamescope.enable = true;
steam = {
enable = true;
remotePlay.openFirewall = true;

16
systems/artemision/stylix.nix
View File

@@ -1,16 +0,0 @@
{ pkgs, ... }:
# let
# randWallpaper = pkgs.runCommand "stylix-wallpaper" { } ''
# numWallpapers =
# $((1 + $RANDOM % 10))
# in
{
stylix = {
enable = true;
image = "${pkgs.hyprland}/share/hypr/wall2.png";
#image = "/home/alice/Pictures/Screenshots/screenshot_2024-12-04-2030.png";
polarity = "dark";
};
}

20
systems/artemision/wifi.nix
View File

@@ -6,27 +6,25 @@ in
{
networking.wireless = {
enable = true;
secretsFile = config.sops.secrets."wifi-env".path;
environmentFile = config.sops.secrets."wifi-env".path;
userControlled.enable = true;
networks = {
"taetaethegae-2.0" = {
pskRaw = "ext:PASS_taetaethegae_20";
psk = "@PASS_taetaethegae_20@";
priority = home;
};
"k" = {
pskRaw = "ext:PASS_k";
psk = "@PASS_k@";
priority = always;
};
"Bloomfield".pskRaw = "ext:PASS_bloomfield";
"9872441500".pskRaw = "ext:PASS_longboat_home";
"9872441561".pskRaw = "ext:PASS_longboat_home";
"5HuFios".pskRaw = "ext:PASS_longboat_home";
"24HuFios".pskRaw = "ext:PASS_longboat_home";
"Verizon_ZLHQ3H".pskRaw = "ext:PASS_angie";
"Fios-Qn3RB".pskRaw = "ext:PASS_parkridge";
"Bloomfield".psk = "@PASS_bloomfield@";
"9872441500".psk = "@PASS_longboat_home@";
"9872441561".psk = "@PASS_longboat_home@";
"5HuFios".psk = "@PASS_longboat_home@";
"24HuFios".psk = "@PASS_longboat_home@";
"Verizon_ZLHQ3H".psk = "@PASS_angie@";
"optimumwifi" = { };
"CableWiFi" = { };
"JPMCVisitor" = { };
};
};

106
systems/bob/configuration.nix Normal file
View File

@@ -0,0 +1,106 @@
{
imports = [
../../users/richie/global/desktop.nix
../../users/richie/global/ssh.nix
../../users/richie/global/syncthing_base.nix
../../users/richie/global/zerotier.nix
./hardware.nix
./nvidia.nix
./steam.nix
];
boot = {
useSystemdBoot = true;
default = true;
};
networking = {
networkmanager.enable = true;
hostId = "9ab3b18e";
};
hardware = {
pulseaudio.enable = false;
bluetooth = {
enable = true;
powerOnBoot = true;
};
};
security.rtkit.enable = true;
services = {
autopull.enable = false;
displayManager.sddm.enable = true;
openssh.ports = [ 262 ];
printing.enable = true;
pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
rad-dev.k3s-net.enable = false;
syncthing.settings.folders = {
"notes" = {
id = "l62ul-lpweo"; # cspell:disable-line
path = "/home/richie/notes";
devices = [
"phone"
"jeeves"
"rhapsody-in-green"
];
fsWatcherEnabled = true;
};
"books" = {
id = "6uppx-vadmy"; # cspell:disable-line
path = "/home/richie/books";
devices = [
"phone"
"jeeves"
"rhapsody-in-green"
];
fsWatcherEnabled = true;
};
"important" = {
id = "4ckma-gtshs"; # cspell:disable-line
path = "/home/richie/important";
devices = [
"phone"
"jeeves"
"rhapsody-in-green"
];
fsWatcherEnabled = true;
};
"music" = {
id = "vprc5-3azqc"; # cspell:disable-line
path = "/home/richie/music";
devices = [
"phone"
"jeeves"
"rhapsody-in-green"
];
fsWatcherEnabled = true;
};
"projects" = {
id = "vyma6-lqqrz"; # cspell:disable-line
path = "/home/richie/projects";
devices = [
"jeeves"
"rhapsody-in-green"
];
fsWatcherEnabled = true;
};
};
};
system.autoUpgrade.enable = false;
system.stateVersion = "23.11";
}

8
systems/bob/default.nix Normal file
View File

@@ -0,0 +1,8 @@
{ ... }:
{
users = [ "richie" ];
system = "x86_64-linux";
home = true;
sops = true;
server = false;
}

66
systems/bob/hardware.nix Normal file
View File

@@ -0,0 +1,66 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd = {
availableKernelModules = [
"nvme"
"xhci_pci"
"ahci"
"usb_storage"
"sd_mod"
];
kernelModules = [ ];
luks.devices = {
"luks-rpool-nvme-Samsung_SSD_970_EVO_Plus_1TB_S6S1NS0T617615W-part2".device = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_1TB_S6S1NS0T617615W-part2";
};
};
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
};
fileSystems = {
"/" = lib.mkDefault {
device = "rpool/root";
fsType = "zfs";
};
"/home" = {
device = "rpool/home";
fsType = "zfs";
};
"/boot" = {
device = "/dev/disk/by-uuid/8AE6-270D";
fsType = "vfat";
options = [
"fmask=0077"
"dmask=0077"
];
};
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp5s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp11s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

13
systems/bob/nvidia.nix Normal file
View File

@@ -0,0 +1,13 @@
{ config, ... }:
{
services.xserver.videoDrivers = [ "nvidia" ];
hardware = {
nvidia = {
modesetting.enable = true;
powerManagement.enable = true;
package = config.boot.kernelPackages.nvidiaPackages.production;
nvidiaSettings = true;
};
nvidia-container-toolkit.enable = true;
};
}

15
systems/bob/steam.nix Normal file
View File

@@ -0,0 +1,15 @@
{ pkgs, ... }:
{
environment.systemPackages = [ pkgs.steam-run ];
hardware.steam-hardware.enable = true;
programs = {
steam = {
enable = true;
remotePlay.openFirewall = true;
localNetworkGameTransfers.openFirewall = true;
extraCompatPackages = with pkgs; [ proton-ge-bin ];
extest.enable = true;
};
};
}

29
systems/jeeves-jr/arch_mirror.nix Normal file
View File

@@ -0,0 +1,29 @@
{ inputs, pkgs, ... }:
let
vars = import ./vars.nix;
in
{
virtualisation.oci-containers.containers.arch_mirror = {
image = "ubuntu/apache2:latest";
volumes = [
"${../../users/richie/global/docker_templates}/file_server/sites/:/etc/apache2/sites-enabled/"
"${vars.main_mirror}:/data"
];
ports = [ "800:80" ];
extraOptions = [ "--network=web" ];
autoStart = true;
};
systemd.services.sync_mirror = {
requires = [ "network-online.target" ];
after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
description = "validates startup";
path = [ pkgs.rsync ];
serviceConfig = {
Environment = "MIRROR_DIR=${vars.main_mirror}/archlinux/";
Type = "simple";
ExecStart = "${inputs.arch_mirror.packages.x86_64-linux.default}/bin/sync_mirror";
};
};
}

68
systems/jeeves-jr/configuration.nix Normal file
View File

@@ -0,0 +1,68 @@
{ pkgs, ... }:
{
imports = [
../../users/richie/global/ssh.nix
../../users/richie/global/zerotier.nix
./arch_mirror.nix
./docker
./home_assistant.nix
./services.nix
];
networking = {
hostId = "1beb3026";
firewall.enable = false;
};
boot = {
zfs.extraPools = [ "Main" ];
filesystem = "zfs";
useSystemdBoot = true;
};
environment = {
systemPackages = with pkgs; [ docker-compose ];
etc = {
# Creates /etc/lynis/custom.prf
"lynis/custom.prf" = {
text = ''
skip-test=BANN-7126
skip-test=BANN-7130
skip-test=DEB-0520
skip-test=DEB-0810
skip-test=FIRE-4513
skip-test=HRDN-7222
skip-test=KRNL-5820
skip-test=LOGG-2190
skip-test=LYNIS
skip-test=TOOL-5002
'';
mode = "0440";
};
};
};
services = {
nfs.server.enable = true;
openssh.ports = [ 352 ];
smartd.enable = true;
sysstat.enable = true;
usbguard = {
enable = true;
rules = ''
allow id 1532:0241
'';
};
zfs = {
trim.enable = true;
autoScrub.enable = true;
};
};
system.stateVersion = "23.05";
}

7
systems/jeeves-jr/default.nix Normal file
View File

@@ -0,0 +1,7 @@
{ ... }:
{
users = [
"alice"
"richie"
];
}

11
systems/jeeves-jr/docker/default.nix Normal file
View File

@@ -0,0 +1,11 @@
{ lib, ... }:
{
imports =
let
files = builtins.attrNames (builtins.readDir ./.);
nixFiles = builtins.filter (name: lib.hasSuffix ".nix" name && name != "default.nix") files;
in
map (file: ./. + "/${file}") nixFiles;
virtualisation.oci-containers.backend = "docker";
}

40
systems/jeeves-jr/docker/haproxy.cfg Normal file
View File

@@ -0,0 +1,40 @@
global
log stdout format raw local0
defaults
log global
mode http
retries 3
maxconn 2000
timeout connect 5s
timeout client 50s
timeout server 50s
timeout http-request 10s
timeout http-keep-alive 2s
timeout queue 5s
timeout tunnel 2m
timeout client-fin 1s
timeout server-fin 1s
#Application Setup
frontend ContentSwitching
bind *:80
bind *:443 ssl crt /etc/ssl/certs/cloudflare.pem
mode http
# tmmworkshop.com
acl host_mirror hdr(host) -i mirror.tmmworkshop.com jeeves
acl host_uptime_kuma hdr(host) -i uptimekuma-jeevesjr.tmmworkshop.com
use_backend mirror_nodes if host_mirror
use_backend uptime_kuma_nodes if host_uptime_kuma
# tmmworkshop.com
backend mirror_nodes
mode http
server server arch_mirror:80
backend uptime_kuma_nodes
mode http
server server uptime_kuma:3001

16
systems/jeeves-jr/docker/uptime_kuma.nix Normal file
View File

@@ -0,0 +1,16 @@
let
vars = import ../vars.nix;
in
{
virtualisation.oci-containers.containers = {
uptime_kuma = {
image = "louislam/uptime-kuma:latest";
volumes = [
"${vars.main_docker_configs}/uptime_kuma:/app/data"
"/var/run/docker.sock:/var/run/docker.sock"
];
extraOptions = [ "--network=web" ];
autoStart = true;
};
};
}

41
systems/jeeves-jr/docker/web.nix Normal file
View File

@@ -0,0 +1,41 @@
{ config, ... }:
{
virtualisation.oci-containers.containers = {
haproxy = {
image = "haproxy:latest";
user = "600:600";
environment = {
TZ = "Etc/EST";
};
volumes = [
"${config.sops.secrets."docker/haproxy_cert".path}:/etc/ssl/certs/cloudflare.pem"
"${./haproxy.cfg}:/usr/local/etc/haproxy/haproxy.cfg"
];
dependsOn = [
"arch_mirror"
"uptime_kuma"
];
extraOptions = [ "--network=web" ];
autoStart = true;
};
cloud_flare_tunnel = {
image = "cloudflare/cloudflared:latest";
cmd = [
"tunnel"
"run"
];
environmentFiles = [ config.sops.secrets."docker/cloud_flare_tunnel".path ];
dependsOn = [ "haproxy" ];
extraOptions = [ "--network=web" ];
autoStart = true;
};
};
sops = {
defaultSopsFile = ../secrets.yaml;
secrets = {
"docker/cloud_flare_tunnel".owner = "docker-service";
"docker/haproxy_cert".owner = "docker-service";
};
};
}

41
systems/jeeves-jr/hardware.nix Normal file
View File

@@ -0,0 +1,41 @@
{
config,
lib,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
networking.useDHCP = lib.mkDefault true;
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
swapDevices = [ { device = "/dev/disk/by-uuid/9d4ef549-d426-489d-8332-0a49589c6aed"; } ];
boot = {
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
initrd = {
kernelModules = [ ];
availableKernelModules = [
"xhci_pci"
"ahci"
"nvme"
"usbhid"
"usb_storage"
"sd_mod"
];
};
};
fileSystems = {
"/" = lib.mkDefault {
device = "/dev/disk/by-uuid/c59f7261-ebab-4cc9-8f1d-3f4c2e4b1971";
fsType = "ext4";
};
"/boot" = {
device = "/dev/disk/by-uuid/7295-A442";
fsType = "vfat";
};
};
}

17
systems/jeeves-jr/home_assistant.nix Normal file
View File

@@ -0,0 +1,17 @@
{
services.home-assistant = {
enable = true;
openFirewall = true;
config = {
server_port = 8123;
homeassistant = {
time_zone = "America/New_York";
unit_system = "imperial";
temperature_unit = "F";
longitude = 40.74;
latitude = 74.03;
};
};
extraPackages = python3Packages: with python3Packages; [ psycopg2 ];
};
}

65
systems/jeeves-jr/secrets.yaml Normal file
View File

@@ -0,0 +1,65 @@
docker:
cloud_flare_tunnel: ENC[AES256_GCM,data:E+XYu5AxS8Ew9OVIfbH5gLkMk+rZ4yT96tSGAwL4smedkddoevRnqil78LtFNYKV8Zo3MpuA8q/c4Me0KrrlSAvwJz1T2cev0dKnuTei3MHZxK7RwWYo9UMJH+aV+l343OY9nvGBj6ryTM3wKyUIoqSmOnRCAbYmhkkqN0wFO+Mxxqjw6nf5UEeeKb36k2NwlhjjnscOKe+wo3sXhjjzVXrE3IOUQJM3hWWukMElcYewVgJmstRidKiNCRMi1/UYMk/Nfhk=,iv:yFJ5SbHB3wZ0FEF0k9KrWye55ref7OqbQPd8oMLTmH4=,tag:p3K4yGR6X2+uKIj4H6rZ+g==,type:str]
haproxy_cert: ENC[AES256_GCM,data:1n2BurHeWI+j7CMQ7qk3DUl+8MgqRsgtYQ1TxJKcPXuz0YBkg6SUp95lPZv6Jo+2OIaVxCoWpiuoLp8YgtJgnZo4S9QVG2qi60sWCSf4acMRSg0hIA/pdcslogZc5LrsBOTINZCODE4mz7Bya42f+RfVfwPGT7Buz8MniW6kfT9cr3iuq+BQc6513sHhDHgZJgwdfP5x9XrwEtaBl41Db7ejGTrza9jtsHqkrD8j3Pf1XJDhACrTeB7Uqh68sjwc2giAc/2bInDayvnKFHqHaLFTUMAbCeMPOiEZSK4UaWrSMk5I5wDVu8Ya8nBostHlPOBT06gFxT13aEe3Ox3/ctBm/83BXhFfjEaYy6AbMhbp29nxUogVjMICs3FiHG3XBz7vsVxxcBvLXp1Bw3ml5Vd7ACKQPe+r1T54aIdYMoab8DhKPMqb/6TQwrhWD3je4wwOHzzQq9psE1hlB2lJsRnAsVAy9a7M5aBpj0v2pCPVjxjkGHqUUgN+w4hzPPf10A0dWiaXc3k8bWcwc1SlJwHvYxphyZEjNQAzXrAkUPcuy4+9c7LwniMdu5qoUL/oZPW5VHWgtrUO9IlAgduiEujrAW96zfz4jfM0UBqJHT58l/WHHmBM8bMsRDHTnc43uvdoU+VgjtTiFERBi+Xm5mXCqWd4d5Y5P8ozIwGho8UdLqmR9Y2nth1mrs//FIh9mZ7i7QQGHBzoR7ICRDX2ghK98J4RMfF2ph0I+nhWpoCq056xItoVZyAEWQSR4ptpAaKMX4Crd3hrK6tZmyvaTrk5IsNaf5hrS+Fw8uTYUAM+3E6kb1TJwFvUH1plkwU83iBRlboRO5d1ahESp5nifZIVz+KBStLjUVWfXnelPCkH55LVnobgk0zekoEeNLKq+Q5wOBmR28rYXVp/q+FNCgxEW+tXIswmC72jbsDxM/oMHBQnYsmEy5dTxU2X/IzmrZfWod07fRblkWRplzLGyEjsY7CquHlG119LuHcWFOUGxYm3bgn1pGnIV3cBLvbInEAPK0apqSXMBSJw0mk/ihtdx8ANidMn8nhkHVjo/Bo9orH3tJdw8l7x+Cei347CkiQZz21jHvL1qcV/EAAxBnT4c5WtOljo13ntk8RiARdye4hcUXpORIUhH8zq88RNquOkF5QjV8C/u2EaUhQYqy3Xts49v7S9I8LLzjrrfY/IDQVqlJsAgkNuwvheTlya5JoeTasscLfLt3iJ7LsbzWWqQrfn3KQJp3H4Gxh/uqak/V5ROBahHQ4KpXzsDG++XLE0o7W4BFQbrBYV99mlGzB1blmX30C8S+b8n1u+oMXfH8oY20Jm5UQcV5/JNK8WG69ihonRDXdX7fy2WGzylql2hj+3aoYYdYpFAeHVLNzj9vAIxPHzvK0JmwdynsFLo4Hpyn7KN+6L3MSACjAOc3SxY20XxjmqJSWVEM0tq4Zbe/VdhOF1L4pyIBMKQC2XwrWyturTboh86qAfyxtYzEQXGLzz585nVnwj9PLmXQw98M8JWwsFq58ZsOdQZKhN3e0aSY2opSigmXQ9ZJeCF+6KbwElOSz4pDfkZIXqZc+LCzEl5IO1CxLWCTIIfN3Gx60W3vz8QohydoCBt2FLHH3lBiAEitWxYQhsfdlFExQa1/+0WSk3wK5dEA7SPaBWKq+xtPR0yUmuT/JN4VPX+hqqkVHigk8+XfqE/H1as9JbYo92N6xBd2ZrNzhFIkMykUOT+0etVtyOdXLkxdV9lwaBX9ARPHJV7g35e52UspX335aLGE0GtCaIbHRwJuENCIixo7sbdmB9i9xSTeg+7RBQAWpuR7O6firAEKWOGBaYzDUBnqt++Q2wUuMnQBJE/9bh,iv:3FuXEQxbTvbdnBnwPxF+T8QZvQoWX/WXx3lpDBXML1k=,tag:g1Y4qY+XoSA6K/LCKbllOw==,type:str]
server-validation:
webhook: ENC[AES256_GCM,data:/6QI+KKKJkbVO7YsxcU/gnjgp9scNzqzq56wnqAU88YdYYNU7FaRifzH00RlEb9VYvNBlT0FggnZSSX1rNN5W63tLaiYFn/GVfjlUSnwrgueTVG8Sor6HtYTIfMOdPm9B7jflpECk7ByguoDlimH0J1QrcWd+Kqx772sH63bKV1GbCaYSkRHQp9QbvbO,iv:p5W/xniUe75RqJA9PtMcNRnsY4kUBeD0p6iQDLbkSSc=,tag:dh2a8/Doyznjd1hswmXMuQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1lffr5f5nz0nrenv3ekgy27e8sztsx4gfp3hfymkz77mqaa5a4gts0ncrrh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2NXJJMjBjeU9XQS9YZGxQ
V1h5RlNUVTA5Mkx3M3ZobGs5WFA0NXFGakR3CnIxVk9nYU1aWkNoZ0F0WGd0ck5Q
VWpSU0ZRdENTWnFVOVNQY0Z4ems4MEUKLS0tIFVqcGJtZWRxSTZwZWhjYm56bnkr
QmcxMmhaaGZXU1VFN0pvT1VDN3hpcGsKXUlVytBrz8sUorTSHXZaOMYA5U6qUpas
ZJiHtVGxRVwCpraHWLmQTRkO6pT36cEVsfsMnFH6NLOMOvA3vLX8/g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-07T23:09:51Z"
mac: ENC[AES256_GCM,data:nZPpOrOSKc+7dcbpBdZRH5FLih6o5Ii5bLWgzZ7xP/BZ36vp7ypdncE/jS0/Rz2AiOOrK0G9ovEOoL7jOMrqaUBAJNPzXTX/IdOcFrsxPL47saZKWQHqXkGXrX49nafeea7VtEvoM4qK2AiyYl2ogir+Mw304mhDIUqHhPNNvQs=,iv:ykOg2Pxpp+Sap648UZaiaRVMutWTdUXvP+Pi2cWy86g=,tag:AARw0YmjcesHLdS31i+B3g==,type:str]
pgp:
- created_at: "2024-03-23T05:49:12Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA84hNUGIgI/nARAAgcuMhO3nmxYY8KiW6AYxU2rFo2OQnpzZVtbMJB43wDQX
0UAOVmUyhGM2wd3tJgnvyfnguy6p3LfjZrXdTkTzrv5yCJVvKXhORcLisjaXLS8H
TCe9Fa4I9CvKo/yyRsRYS59niql0ocTs1Eb7cLiKuX19RIuQ7TjMPnjkdj5xXooa
kPJXfwL1SpUU3kjhuTHqWlD0m5t0RPiTpDym8fExMSvbTWyMY0BPA+qD1atMeUik
i3x2boqfoyD1GZ64Z5NrxRD0dN6TQvJLX1K1XTzanUhvfsy/PvDftCHKQc2n2Opk
btnKZa1mfiiLUQly+njSvH8ERYg27j5ACEQ0V9rtGPa3xnVYZm6Z5h0v68aqsotJ
aOzJa7/k0ZV/tBD1pT+9T2a/W9v4U+KdKKL19ebNvMtFxy50jN8SQsrTtxv5G5fA
sc+HkrcnLezFHYtGG85PfbTGsKMWpwu+4BrcmuW6dBcADZ1fZdkqgi+GcYGL2xy1
bddjuOWnzXb93t1pSIkaHcVWc6s5Atf3IB/liyNEux4kdquOHZQJi0WBi0l8GEmG
/ggJN4shRqtMqEkomaZkyZMsHnkmenusjbIlKJrwolhZSyDP8Kk5iPYXMxG21vrr
YpWHr388q8H7+ksnxYiNFXyY2cQKtOsD3UMIV8edMc/lHjTOi0BFNMHmU3WDsajS
XAGXsys00baAzcQHIS0jijU4mJQAqYL3S7FrcDGW8qhTGFpQ8ngVLvwLfqMvUn8v
LB3M5/7+Ld8xV4AZWr8mvv+7ZNNnnZzImETCLnekfvLEV9F2pTCH2Z21RPEL
=XWl7
-----END PGP MESSAGE-----
fp: F63832C3080D6E1AC77EECF80B4245FFE305BC82
- created_at: "2024-03-23T05:49:12Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA29thaGx06tOARAAoI93A3cy3V2dJo8HBIrLC2RK3SKBkPiPFjWO/Zvnv8Q0
IhfzjusX+3f8HIa3CxJjTbOktcq+A2a4EyBes2Rd4bX9H2Fs2VVrSmUf3S/dO1b5
GiZamHnC+1zsXUB5IFcfjMSzeKKsOWYu9DmUcalsseo/XVJjxw9DzRnPUesI/aMs
y5kKKtNDcvAK4AWidME6LTP9FgiMx09sQfuAl4YCJv1trOvxt+dN932fbAkHVAq0
Lc90rG6LDLT1w/8i9evBRRX/ZexAI3vTGn/nTqKi+B9BdFA4dY0KiHtGIS+UNtNo
vL6PTKIRejGfqt13DwUWRobKnezcpJkTkdz+Pa+cQhdwSL2tFjr0hEbZL3e76YEx
CNsgbB9h0pIm/2YvhG1k0f0skWfjXLAtR6PQPKu1OycppX02fbK9XRShb+Fik7P+
GfFLxf4JYAMMOHsxP30EVQONiR9XsITH149GSZ3nTBX7vUsk3b7Z+ou1Ma27EhiW
iPWTqpDgLQ/VZW+027h/l8iwv52L8eE6Y+LE32jNUTQjMW3OWKw9zknX4wciNR07
EPAy8eC9rfhUVnTB7RJlTOY03yyEiBjowJn/0e0g8+AUMKC4mAuasPUwPhptQ6pH
8up/75WglUAg04eni0p5g6X7rGj+09OEDNMtvYVt7HglX7T86O2sBcVKa/j095jS
XAGIy2HXf+By9BFKM4q6uuAh4QceHn2QaQ/ckhYGMrHulzAeORPxYaYdXoeEj18k
auBqSPzj8E9yPi4jl+miEO9BgVhRW45cxBbn2XV2KE08PIP9mZ2jxK9Ne4HQ
=jkZ+
-----END PGP MESSAGE-----
fp: 29F5017C95D9E60B1B1E8407072B0E0B8312DFE3
unencrypted_suffix: _unencrypted
version: 3.8.1

33
systems/jeeves-jr/services.nix Normal file
View File

@@ -0,0 +1,33 @@
{
config,
inputs,
pkgs,
...
}:
{
systemd = {
services.startup_validation = {
requires = [ "network-online.target" ];
after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
description = "validates startup";
path = [ pkgs.zfs ];
serviceConfig = {
Type = "oneshot";
EnvironmentFile = config.sops.secrets."server-validation/webhook".path;
ExecStart = "${inputs.server_tools.packages.x86_64-linux.default}/bin/validate_jeevesjr";
};
};
timers.startup_validation = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "10min";
Unit = "startup_validation.service";
};
};
};
sops = {
defaultSopsFile = ./secrets.yaml;
secrets."server-validation/webhook".owner = "root";
};
}

10
systems/jeeves-jr/vars.nix Normal file
View File

@@ -0,0 +1,10 @@
let
zfs_main = "/ZFS/Main";
in
{
inherit zfs_main;
# main
main_docker = "${zfs_main}/Docker";
main_docker_configs = "${zfs_main}/Docker/configs";
main_mirror = "${zfs_main}/Mirror";
}

29
systems/jeeves/arch_mirror.nix Normal file
View File

@@ -0,0 +1,29 @@
{ inputs, pkgs, ... }:
let
vars = import ./vars.nix;
in
{
virtualisation.oci-containers.containers.arch_mirror = {
image = "ubuntu/apache2:latest";
volumes = [
"${../../users/richie/global/docker_templates}/file_server/sites/:/etc/apache2/sites-enabled/"
"${vars.media_mirror}:/data"
];
ports = [ "800:80" ];
extraOptions = [ "--network=web" ];
autoStart = true;
};
systemd.services.sync_mirror = {
requires = [ "network-online.target" ];
after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
description = "validates startup";
path = [ pkgs.rsync ];
serviceConfig = {
Environment = "MIRROR_DIR=${vars.media_mirror}/archlinux/";
Type = "simple";
ExecStart = "${inputs.arch_mirror.packages.x86_64-linux.default}/bin/sync_mirror";
};
};
}

170
systems/jeeves/configuration.nix Normal file
View File

@@ -0,0 +1,170 @@
{ pkgs, ... }:
let
vars = import ./vars.nix;
in
{
imports = [
../../users/richie/global/ssh.nix
../../users/richie/global/syncthing_base.nix
../../users/richie/global/zerotier.nix
./arch_mirror.nix
./docker
./programs.nix
./services.nix
];
networking = {
hostId = "1beb3027";
firewall.enable = false;
};
boot = {
zfs.extraPools = [
"media"
"storage"
"torrenting"
];
filesystem = "zfs";
useSystemdBoot = true;
};
environment = {
systemPackages = with pkgs; [ docker-compose ];
etc = {
# Creates /etc/lynis/custom.prf
"lynis/custom.prf" = {
text = ''
skip-test=BANN-7126
skip-test=BANN-7130
skip-test=DEB-0520
skip-test=DEB-0810
skip-test=FIRE-4513
skip-test=HRDN-7222
skip-test=KRNL-5820
skip-test=LOGG-2190
skip-test=LYNIS
skip-test=TOOL-5002
'';
mode = "0440";
};
};
};
services = {
nfs.server.enable = true;
openssh.ports = [ 629 ];
plex = {
enable = true;
dataDir = vars.media_plex;
};
smartd.enable = true;
sysstat.enable = true;
syncthing.guiAddress = "192.168.90.40:8384";
syncthing.settings.folders = {
"notes" = {
id = "l62ul-lpweo"; # cspell:disable-line
path = vars.media_notes;
devices = [
"bob"
"phone"
"rhapsody-in-green"
];
fsWatcherEnabled = true;
};
"books" = {
id = "6uppx-vadmy"; # cspell:disable-line
path = "${vars.storage_syncthing}/books";
devices = [
"bob"
"phone"
"rhapsody-in-green"
];
fsWatcherEnabled = true;
};
"important" = {
id = "4ckma-gtshs"; # cspell:disable-line
path = "${vars.storage_syncthing}/important";
devices = [
"bob"
"phone"
"rhapsody-in-green"
];
fsWatcherEnabled = true;
};
"music" = {
id = "vprc5-3azqc"; # cspell:disable-line
path = "${vars.storage_syncthing}/music";
devices = [
"bob"
"phone"
"rhapsody-in-green"
];
fsWatcherEnabled = true;
};
"projects" = {
id = "vyma6-lqqrz"; # cspell:disable-line
path = "${vars.storage_syncthing}/projects";
devices = [
"bob"
"rhapsody-in-green"
];
fsWatcherEnabled = true;
};
};
usbguard = {
enable = false;
rules = ''
allow id 1532:0241
'';
};
zfs = {
trim.enable = true;
autoScrub.enable = true;
};
};
systemd = {
services."snapshot_manager" = {
description = "ZFS Snapshot Manager";
requires = [ "zfs-import.target" ];
after = [ "zfs-import.target" ];
serviceConfig = {
Environment = "ZFS_BIN=${pkgs.zfs}/bin/zfs";
Type = "oneshot";
ExecStart = "${pkgs.python3}/bin/python3 ${vars.media_scripts}/ZFS/snapshot_manager.py --config-file='${./snapshot_config.toml}'";
};
};
timers."snapshot_manager" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "15m";
OnUnitActiveSec = "15m";
Unit = "snapshot_manager.service";
};
};
};
sops = {
defaultSopsFile = ./secrets.yaml;
secrets = {
"zfs/backup_key".path = "/root/zfs/backup_key";
"zfs/docker_key".path = "/root/zfs/docker_key";
"zfs/main_key".path = "/root/zfs/main_key";
"zfs/notes_key".path = "/root/zfs/notes_key";
"zfs/plex_key".path = "/root/zfs/plex_key";
"zfs/postgres_key".path = "/root/zfs/postgres_key";
"zfs/qbit_key".path = "/root/zfs/qbit_key";
"zfs/scripts_key".path = "/root/zfs/scripts_key";
"zfs/syncthing_key".path = "/root/zfs/syncthing_key";
"zfs/vault_key".path = "/root/zfs/vault_key";
};
};
system.stateVersion = "23.11";
}

7
systems/jeeves/default.nix Normal file
View File

@@ -0,0 +1,7 @@
{ ... }:
{
users = [
"alice"
"richie"
];
}

11
systems/jeeves/docker/default.nix Normal file
View File

@@ -0,0 +1,11 @@
{ lib, ... }:
{
imports =
let
files = builtins.attrNames (builtins.readDir ./.);
nixFiles = builtins.filter (name: lib.hasSuffix ".nix" name && name != "default.nix") files;
in
map (file: ./. + "/${file}") nixFiles;
virtualisation.oci-containers.backend = "docker";
}

15
systems/jeeves/docker/filebrowser.nix Normal file
View File

@@ -0,0 +1,15 @@
let
vars = import ../vars.nix;
in
{
virtualisation.oci-containers.containers.filebrowser = {
image = "hurlenko/filebrowser:latest";
extraOptions = [ "--network=web" ];
volumes = [
"/zfs:/data"
"${vars.media_docker_configs}/filebrowser:/config"
];
autoStart = true;
user = "1000:users";
};
}

62
systems/jeeves/docker/haproxy.cfg Normal file
View File

@@ -0,0 +1,62 @@
global
log stdout format raw local0
# stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
defaults
log global
mode http
retries 3
maxconn 2000
timeout connect 5s
timeout client 50s
timeout server 50s
timeout http-request 10s
timeout http-keep-alive 2s
timeout queue 5s
timeout tunnel 2m
timeout client-fin 1s
timeout server-fin 1s
#Application Setup
frontend ContentSwitching
bind *:80
bind *:443 ssl crt /etc/ssl/certs/cloudflare.pem
mode http
# tmmworkshop.com
acl host_mirror hdr(host) -i mirror.tmmworkshop.com
acl host_dndrules hdr(host) -i dndrules.tmmworkshop.com
acl host_grafana hdr(host) -i grafana.tmmworkshop.com
acl host_filebrowser hdr(host) -i filebrowser.tmmworkshop.com
acl host_uptime_kuma hdr(host) -i uptimekuma-jeeves.tmmworkshop.com
use_backend mirror_nodes if host_mirror
use_backend dndrules_nodes if host_dndrules
use_backend grafana_nodes if host_grafana
use_backend filebrowser_nodes if host_filebrowser
use_backend uptime_kuma_nodes if host_uptime_kuma
backend mirror_nodes
mode http
server server arch_mirror:80
backend mirror_rsync
mode http
server server arch_mirror:873
backend grafana_nodes
mode http
server server grafana:3000
backend dndrules_nodes
mode http
server server dnd_file_server:80
backend filebrowser_nodes
mode http
server server filebrowser:8080
backend uptime_kuma_nodes
mode http
server server uptime_kuma:3001

134
systems/jeeves/docker/internal.nix Normal file
View File

@@ -0,0 +1,134 @@
{ config, ... }:
let
vars = import ../vars.nix;
in
{
virtualisation.oci-containers.containers = {
qbit = {
image = "ghcr.io/linuxserver/qbittorrent:latest";
ports = [
"6881:6881"
"6881:6881/udp"
"8082:8082"
"29432:29432"
];
volumes = [
"${vars.media_docker_configs}/qbit:/config"
"${vars.torrenting_qbit}:/data"
];
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
WEBUI_PORT = "8082";
};
autoStart = true;
};
qbitvpn = {
image = "binhex/arch-qbittorrentvpn:latest";
extraOptions = [ "--cap-add=NET_ADMIN" ];
ports = [
"6882:6881"
"6882:6881/udp"
"8081:8081"
"8118:8118"
];
volumes = [
"${vars.media_docker_configs}/qbitvpn:/config"
"${vars.torrenting_qbitvpn}:/data"
"/etc/localtime:/etc/localtime:ro"
];
environment = {
WEBUI_PORT = "8081";
PUID = "600";
PGID = "100";
VPN_ENABLED = "yes";
VPN_CLIENT = "openvpn";
STRICT_PORT_FORWARD = "yes";
ENABLE_PRIVOXY = "yes";
LAN_NETWORK = "192.168.90.0/24";
NAME_SERVERS = "1.1.1.1,1.0.0.1";
UMASK = "000";
DEBUG = "false";
DELUGE_DAEMON_LOG_LEVEL = "debug";
DELUGE_WEB_LOG_LEVEL = "debug";
};
environmentFiles = [ config.sops.secrets."docker/qbit_vpn".path ];
autoStart = true;
};
bazarr = {
image = "ghcr.io/linuxserver/bazarr:latest";
ports = [ "6767:6767" ];
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
};
volumes = [
"${vars.media_docker_configs}/bazarr:/config"
"${vars.storage_plex}/movies:/movies"
"${vars.storage_plex}/tv:/tv"
];
autoStart = true;
};
prowlarr = {
image = "ghcr.io/linuxserver/prowlarr:latest";
ports = [ "9696:9696" ];
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
};
volumes = [ "${vars.media_docker_configs}/prowlarr:/config" ];
autoStart = true;
};
radarr = {
image = "ghcr.io/linuxserver/radarr:latest";
ports = [ "7878:7878" ];
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
};
volumes = [
"${vars.media_docker_configs}/radarr:/config"
"${vars.storage_plex}/movies:/movies"
"${vars.torrenting_qbitvpn}:/data"
];
autoStart = true;
};
sonarr = {
image = "ghcr.io/linuxserver/sonarr:latest";
ports = [ "8989:8989" ];
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
};
volumes = [
"${vars.media_docker_configs}/sonarr:/config"
"${vars.storage_plex}/tv:/tv"
"${vars.torrenting_qbitvpn}:/data"
];
autoStart = true;
};
whisper = {
image = "ghcr.io/linuxserver/faster-whisper:latest";
ports = [ "10300:10300" ];
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
WHISPER_MODEL = "tiny-int8";
WHISPER_LANG = "en";
WHISPER_BEAM = "1";
};
volumes = [ "${vars.media_docker_configs}/whisper:/config" ];
autoStart = true;
};
};
sops = {
defaultSopsFile = ../secrets.yaml;
secrets."docker/qbit_vpn".owner = "docker-service";
};
}

37
systems/jeeves/docker/postgresql.nix Normal file
View File

@@ -0,0 +1,37 @@
{ config, ... }:
let
vars = import ../vars.nix;
in
{
users = {
users.postgres = {
isSystemUser = true;
group = "postgres";
uid = 999;
};
groups.postgres = {
gid = 999;
};
};
virtualisation.oci-containers.containers = {
postgres = {
image = "postgres:16";
ports = [ "5432:5432" ];
volumes = [ "${vars.media_database}/postgres:/var/lib/postgresql/data" ];
environment = {
POSTGRES_USER = "admin";
POSTGRES_DB = "archive";
POSTGRES_INITDB_ARGS = "--auth-host=scram-sha-256";
};
environmentFiles = [ config.sops.secrets."docker/postgres".path ];
autoStart = true;
user = "postgres:postgres";
};
};
sops = {
defaultSopsFile = ../secrets.yaml;
secrets."docker/postgres".owner = "postgres";
};
}

16
systems/jeeves/docker/uptime_kuma.nix Normal file
View File

@@ -0,0 +1,16 @@
let
vars = import ../vars.nix;
in
{
virtualisation.oci-containers.containers = {
uptime_kuma = {
image = "louislam/uptime-kuma:latest";
volumes = [
"${vars.media_docker_configs}/uptime_kuma:/app/data"
"/var/run/docker.sock:/var/run/docker.sock"
];
extraOptions = [ "--network=web" ];
autoStart = true;
};
};
}

64
systems/jeeves/docker/web.nix Normal file
View File

@@ -0,0 +1,64 @@
{ config, ... }:
let
vars = import ../vars.nix;
in
{
virtualisation.oci-containers.containers = {
grafana = {
image = "grafana/grafana-enterprise:latest";
volumes = [ "${vars.media_docker_configs}/grafana:/var/lib/grafana" ];
user = "600:600";
extraOptions = [ "--network=web" ];
autoStart = true;
};
dnd_file_server = {
image = "ubuntu/apache2:latest";
volumes = [
"${../../../users/richie/global/docker_templates}/file_server/sites/:/etc/apache2/sites-enabled/"
"${vars.storage_main}/Table_Top/:/data"
];
extraOptions = [ "--network=web" ];
autoStart = true;
};
haproxy = {
image = "haproxy:latest";
user = "600:600";
environment = {
TZ = "Etc/EST";
};
volumes = [
"${config.sops.secrets."docker/haproxy_cert".path}:/etc/ssl/certs/cloudflare.pem"
"${./haproxy.cfg}:/usr/local/etc/haproxy/haproxy.cfg"
];
dependsOn = [
"arch_mirror"
"dnd_file_server"
"filebrowser"
"grafana"
"uptime_kuma"
];
extraOptions = [ "--network=web" ];
autoStart = true;
};
cloud_flare_tunnel = {
image = "cloudflare/cloudflared:latest";
user = "600:600";
cmd = [
"tunnel"
"run"
];
environmentFiles = [ config.sops.secrets."docker/cloud_flare_tunnel".path ];
dependsOn = [ "haproxy" ];
extraOptions = [ "--network=web" ];
autoStart = true;
};
};
sops = {
defaultSopsFile = ../secrets.yaml;
secrets = {
"docker/cloud_flare_tunnel".owner = "docker-service";
"docker/haproxy_cert".owner = "docker-service";
};
};
}

56
systems/jeeves/hardware.nix Normal file
View File

@@ -0,0 +1,56 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd.availableKernelModules = [
"mpt3sas"
"nvme"
"xhci_pci"
"ahci"
"uas"
"usb_storage"
"usbhid"
"sd_mod"
"sr_mod"
];
initrd.kernelModules = [ "dm-snapshot" ];
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
};
fileSystems."/" = lib.mkDefault {
device = "/dev/disk/by-uuid/0f78fa87-30be-4173-b0fa-eaa956cf83aa";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/BB77-2647";
fsType = "vfat";
};
swapDevices = [ { device = "/dev/disk/by-uuid/4c797a94-be32-43d3-89ac-7f02912c7cf5"; } ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp38s0f3u2u2c2.useDHCP = lib.mkDefault true;
# networking.interfaces.enp97s0f0np0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp97s0f1np1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp98s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp98s0f1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

4
systems/jeeves/programs.nix Normal file
View File

@@ -0,0 +1,4 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [ filebot ];
}

7
systems/jeeves/scripts/plex_permission.sh Normal file
View File

@@ -0,0 +1,7 @@
#!/bin/bash
plex_dir="/zfs/storage/plex/"
chown docker-service:users -R "$plex_dir"
find "$plex_dir" -type f -exec chmod 664 {} \;
find "$plex_dir" -type d -exec chmod 775 {} \;

78
systems/jeeves/secrets.yaml Normal file
View File

@@ -0,0 +1,78 @@
docker:
postgres: ENC[AES256_GCM,data:IpXIrRDzyGFjDz908w1NNb0GBna/ce9lCtOkXrpUfyllsTWca6AeqaRo23bL4jfFGfHn0Zf9okLO,iv:IwO7vJJHFfm0SGcJETpWtdhr41jPddN9nuVAH/Ooa7Y=,tag:xstwPvpvkNOZucxvzq2+ag==,type:str]
cloud_flare_tunnel: ENC[AES256_GCM,data:Qx7g0tNSfVs9VnkuYw47XJjfF+RS9B5gvpBliGL93X8K/7iiyt0NxwWyAkmmaLat5h/Yu7C71rwBIIZsKf7Ke3YS0PfEpga76ftKt3h7VKMQNT7yAcU3LY4v2h3Molnzw2fnAhxfHkogJuAsZeJW9dIjo9H2QpSh/tn9kpC+PGb/T9dcqMm4fJPqP+rIcFCfhJl9iDOKOMQ9+xVNnKZ2HQlAwPMCz29BgGCxh0cYYk9ftXPK7ZnhjwUj4bfnaKfByIPpAtk=,iv:8yz2vXanGZfOkZF/D0RP2LPqHebbOM/XBPg2eCCGs8g=,tag:67da31iZTQaMURKf9dfiJw==,type:str]
qbit_vpn: ENC[AES256_GCM,data:SRkcWb2wTTfWlgkbDSN6j5+dXnG670qFGtG2x4fajkE8eK4U30DTxrlbzta5ZMtm0Y9bquy3DcaSMF/u9CBrLbBS8mhcJw==,iv:LpkS7O+eutPUDpY5NlYjgafK6UuFsS+18yNpB+JmzcM=,tag:0Y+vj80MAbh2U+UsyH3MEA==,type:str]
haproxy_cert: ENC[AES256_GCM,data:6yRv0cz/vBVguAPOsENhmH2uwwgL5AkOkkDQQ+PVPEEiOTIn1WPONhnG0UqR3FsWJal8qECH/zTF1XMmdK4VHQXwMA8gGScpIrgeWuhdCbXsJ7RxZBzVESOCo8ZOcR43w3Qih+0iz3SsNmX262/D7DIzKYlLovyoJDGZa5jo0n2zCZiRfbdal8m02dplaFHMsGy6+Gn3Uijo9MnnuWvgihBh1ekRnpSzVM4/IyyvUunK0vEapVsgOq+brdW2x0BQFgL3PLGaJbAbzFhXYI1MmD+D7RzOGSzNmrj1ezea+b2Lb/p8CATh05i+lz6530U6iwun0lcREDxPrJgU0TsI/JZGSq3blHn9lZuHmnwBp05LsliBO+yoxgqnC45/xTZwiSdlyqqnXHlXPuBS7UoJFlll93aIpULfNZMyqx/FO5ckmV0nuNVMCrF7JfsE+t/XNs077kB4FKYNk4TDodKyn2scfypQFK7qprW9JKJwx0Se8FWU2fMKsuMszElMLudRHagyDVO+LJ+/ta6Qj68CRU1g8cQANh4Q6PwI0HABX3J5n3ERQUxZvVeCq9FRMJ7JE0was3QfBGGPROHksK+rP9y8g8CFRgGjwzDoxslaYO+tIiIsaDcqbTiOQDTiDh4/ioqX9EENrA8qIEtKSn6m35+4pwY0xvKToAnI7vhwQ93A1mZrwKXgoNSShA4Q+MfSEIuJd6LJihLh5IFvl595iOpGDWCJsXZnDL3K8B6oofPTtLnOOQC4sy9wGiNshdgfv6aVwpdPKvOtFwHmu1n8eZInfSZgUdwUaHHMXjrXHboBQ6ZPsrdZBt9ADSUpz+uN6+TgXq6HLWHSqtmrWS6jABQfbpHH7pLZAXuii4MsnTEr1rOEbtgZTH6Sedd57Pp5MpNXDg950vd9plCkGPiRfDUWXHnRw8frWfoTS+eOqkVwJ0+v48IskuYLZSCAF0/kumtbySDQStNowF+cAp7lk24Cp8W8PXw/LqI8U8FijVxMPtgzLwRKKd10zRI+Jrsi9E8YXSKCaFMIBLottRHwdvWA7aIYnuVTxzCmHt1jhJN349bjC/yTIuIS4gW+XlriFqip17Eq/878+Uduwf1+Fxqdpv8kDleyqix0SO/JmhQijgIUhc3Im3whXicEu6vlivzJGyjA/ljFyJvV/irRK/VrIWEoA5nLX74fmF9Ku/O94pDIPaKCsCP+N/fOPLG5ucw6lPxllZS9qg2cNsl9ajXGPu8GBB4FaZUt/Ufid6xjC5YloictI3Bp5x2glhpxzQ8zAbv5vpBA0h6xhkt4NSmxWurvBmRoRnBdYIvEaeoehj10yLpiY4DsZYLTU5IrLV/aYlb2q4K2OKRvYOBQgeDtEkIMqHYWsddfKHi+1KjQ/176DDIbUoYb4XtPJmNOcIeRM2oiaCcTzerU5TXL5qBl213buTcIPaV0sVVxoH+2RYBM28mjQoj8sHwQLLuFve0MeUZzfJ8MqMM+Guhn25aw4R0tGkiRBUL5d8l86awOpqXtFiK2QTh3S7QeZoCA80YVH5r6FdqMz34UgwEFo0nfBcH2nSnDwpcBrbwzV6/Xahck4nVaIn6znJPqlIKntfeXJuXl/9ulpwx7D4mL7hLcal9WY62KZ1PQ+NHz5WjaPbgLMdeNFFr6CKGGqSPkTOhjgQ1y4ChuYfbVn+yZRqUwhFWtKuuouAZXH55KkVlsB39H+oNYp0hqAUiVkeawHqbTgOHb+llz0uF7r0TGD23aMXeV58n0i3xsDET9mhxSyj5vUo5iqY8eEqgn4mOvsdp6rkpC4c91drgV/gFJu2jgCvVVdG/mHFVnZEv5+/rA2reqdqMTBOpLQNEbL5Ih1LKG,iv:PUp78PWvy+lmcLiR295BGiVTLnAPX+du4lcw/Pvq/KE=,tag:k/3H2+jF9no751mvO5S5WQ==,type:str]
zfs:
backup_key: ENC[AES256_GCM,data:sJzR/DfM6+tmmcewZT+NAJk0gj8wmU43QfFCRCj9+2GITOS8suRL7E5rHTherCZgRe79T90ikM97bYf9RbZdtQ==,iv:j8F3BG/hh7UK3kC+pB6WO0OHlSSHn0jo90AgaTdpyNY=,tag:5hraDn8YqS/q57y26AXwjw==,type:str]
docker_key: ENC[AES256_GCM,data:HiW+3IYJCgqg9HJmPYQinhb6kWJouORABKniryY5e35tf8BQGKn1ldgj4Dw+79SYmvIUbf4ZSja0Ziz1isKTWA==,iv:6vBtbIlTHC+PUgyXYb92SnMTuWd8jCaEzZ3Vmv2QHhA=,tag:izKWtAQWRfn5tAYKyOO+ZQ==,type:str]
main_key: ENC[AES256_GCM,data:6ZZQc7TSAuK4PrxQxegPrFMjT1SZlRGgg5VgVg1e6ZM1RO9ZDjhcmpFRd1pkbm5DEJKq1VpUxTvxXGQDrMYO9A==,iv:Yp2jTtBd8gjB8Sdfb06ZBLpVd/KCjs/pfnBRT2ll/0c=,tag:F0HSbkZ8Z45WkUY/VNwvHg==,type:str]
notes_key: ENC[AES256_GCM,data:y3fTl3aNl8RaZwBR2thy7qfxilw+wGEj8+tTuRr+z+A6ol9N6droFNBHQcK3yWDWP8MhMKe1efWhgbZ0Raz17A==,iv:BbBjMtsb2ZDJjgbgkXP3SYl3xklI5xWmW3X9mlLlvdI=,tag:Ic3rLP30wApmOeLGFEYgVA==,type:str]
plex_key: ENC[AES256_GCM,data:fWzTSKkVCkWmZ9ZDv1/OYYZPsQKV54Ib98Bq4A+4ibT9mk28Zp7XeczOJVj6+K4+04EQgQj8RyP2x70tuFp3Xg==,iv:pyHzIo4ws4Lyd5zVflUa7yjNVefTTpEdkjCVmXDuucE=,tag:msn0NFXuq3zKGY5vE1nR1Q==,type:str]
postgres_key: ENC[AES256_GCM,data:mLa0A6pJXZ7BX9bYat9mQ30Dx/KWU9KHjiApuapBUbRtH+gtAJRGwLeXJPyMTOirFwuWWTdOts8dTMESWp7eOg==,iv:MFyo2LbdsYeoUyhWEv0EWKXNFhxoLjNs5M7ar6dlrjw=,tag:KpaatId8TdVzAEelD1tlzQ==,type:str]
qbit_key: ENC[AES256_GCM,data:19XIzi4waSOLdfgKo8z6NMX9Ee4Xw1/JqbjQEvKwWh+ar2r5P3sFJMHI394ebx4vITO0lOzl/EwcUiWt7LB6uw==,iv:s+TWyb5SzeCFZAZdKs28o7s8So++eLqR1Qc9ZWjUGwY=,tag:teHdPEhWkzDWizJD/czA6w==,type:str]
scripts_key: ENC[AES256_GCM,data:2htMEDCByUbCQ1loPEDCVNtXXqffCRHMpiobEDHI506hdEk6d/N7lmlUIqLa5YCNB6ozt0y6EEKBxnbouEHIWQ==,iv:eUYmsliDF49BNSpF+KSiT1rlPtzQpmhNC8Cy2tahMX8=,tag:8xCvm1LwDPArJ/woIO23Bg==,type:str]
syncthing_key: ENC[AES256_GCM,data:36zfmVuCEHFED3ODeoGuAxJvySY1SxWT9ml+DFvb01KdUqIGZDZj1cKoZCH+GsgYJMsQF6t+uqZJOGeyNmzMlg==,iv:17tLW4ytRpUmmltA4UIZGhsrNAGRjvucxxt9zLM3C54=,tag:YWirDB0fYSpu1evqVaoa+Q==,type:str]
vault_key: ENC[AES256_GCM,data:kFZa5oRVXuSp7W7311i0d8b7I0Y3P8bZbBoaaICuH1IlMLBVd6SUhL8cfFU66yj91W6uUJU/Oy7NpP3rM9mhGw==,iv:neRhOqW/b2DpUqoA5JJxLS4fSqj8ZGxRXv4pEPm7Wtc=,tag:bfAD3GAO6F2hBCZy7P7KUA==,type:str]
server-validation:
webhook: ENC[AES256_GCM,data:54MQzwEOf6uS6cgnPeJizRXMvGTGxLf6q1N3tGDxxpXKmSJedW+kpY2GoV91SxeeTWUyDKQcWp2fs5SwrdfDFHID9JN4wWJM0JjADggZ6u+BMEH01nnXpCJlhGq6cxDkI6gNSVgNVQW/eYNHDhnVmwwGpse4q62G1TmKlziBCv1Qahn4c3O+bOOEssio,iv:2Rcg7XSCmQeFd2oaX4GxSGXwgE3Ep1WsoPRRYo0dvH0=,tag:rPjDghxdcpME5SwoPKWv2w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age128ehc0ssgwnuv4r8ayfyu7r80e82xrkmv63g7h9y9q4mhk4w9dyqfymc2w
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTREhIRUd1K3JCM29mVHVv
d2Q4eFBLWnRUTGEzelZOMS9ScXNyV3ZGbHpNCjNCSEhmTDQ4VUtta0RXdXJUY0da
Vld5WDlJS3oyWkk5KzUzam9PYXZSa1kKLS0tIHJuaktpU3hnUWEwZzc4eHNjSitI
bVhXamJyMWMvODUvajk2aDZnQ1k1blEKoNIYxUA+k+DA+1WYq5BSa0iXuQ2Lctuy
9W7OO2m+QGzjdLLM0uS7WWGXWP2cDDgUGcqozTqM0Oqi2/OY0Bo3Jg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-07T23:09:43Z"
mac: ENC[AES256_GCM,data:36CZLl3+VSFTSTj9jDT9972XZMXjaY5jo9FZ7I7L0sOSBRH8vQ+tFww7hVHe5M2w/+YA0SRGH3r8WCbie6GeRjmY+BZu42H656K0WrpRN8ERFv+io8geACdqUsLo1VLjhDrfXaGnNOHLpmMC5dqyPXlOphiolt+ArKOBLuqtrnY=,iv:jaL/l1zwYusThKeR9C62fEGHwiv4fEvCarSiavjxQ0U=,tag:xgygx6KM/J4w55CzdLeCUg==,type:str]
pgp:
- created_at: "2024-03-02T20:52:17Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA84hNUGIgI/nARAAxQSkqnR75Rd1htAv7esbpmXlrZH+frTL6V4jGoAiqTeF
TSA46E2nl7rVqPTws74OOb+O5bN3OkHSmmWzIbj6Pc8YnqY4t9N69zoCHtsbI1kn
FQ4WwUdzofIUMKwF+E31/knyKbf/IjSKTZKcDQmn6QErOdDmsN9/z6+ixLt+rdsz
lKwMX8axgmwgRsWI1Xhlb1qs4TZxheQQ4A4WYYNB1NhH0ZTIehI+FGe+wHh36UXf
cY/Z7KRLdozoLsuuAIAoXx/dr3KpwuyKHfp9MdZLzO/tvS9vA1i+tKRXmiDs2uuv
itCOTrt1H7LEpUfdBYD9ll2mdiRnVzR4DxNnGLPkxsyAglejTxR897DcYFC9xhie
X6UfKTOIeAGXVUqphp8HB0CEFBW982246kDSKdOI/R3+X4T5fvMpLTb5XvkOlCIi
JUwXxoq3SA06a8WCS6QH8jLnXrcCKzX1TJh0RzT7/RUvKDN6uxxccxOksMExvgBG
nqfOcLiCXBzluCseDgmjcW0/arm1d88Kd7ayMv25CX1Py5uRRQOkqqnCdNIk5Yy5
0R+KyOPeZPThVTE1DhJ3QyF499XMoFjerHyanwIlvkAQtet1k8EKih1KSD9N38ga
K1HRowhoPMkszsU6+LZYL3MD0aUkfz53b7JvzIxYsfJgztwg3ki0qteEXUNyLMTS
XgG9xHF63wa7IwBtKgQKX/CVCwpg5EuNfwbACbIQAC9QZ/F6z+Ud2UJkSs94UUF4
aOGb2P1QFvLbP7m+7TNmvuLT5BDcS2XE0IWRDilkeiFU6ijGW8+iQ5oTzv+TmA0=
=JbRX
-----END PGP MESSAGE-----
fp: F63832C3080D6E1AC77EECF80B4245FFE305BC82
- created_at: "2024-03-02T20:52:17Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA29thaGx06tOARAAm8GMWZxxY1UBYK7p60Hlw2qCOH7KZ5cby8vm9dWz3Tnt
+YKW2SsRniwY6KaSVvnUuRBY75BF6jahW6+h9Nvhsrsvq680UIaQtO6l6KmtnxHV
S6vEDmvoFZVWG1xOEGYHVQ+GF9elIwuYrzST1OU3vATMstMxrm0WQJ2lOq7YpuGi
hNoMK3nMxpmTlT49CYn2sGX3PlNA4qDOVo/fwL5m3lV5mKzJNs7q8IakbPZm6yqR
wGjfkHq3ZlKnTUC66sBX8yvSoZ2cM6vrYhxgb1Um8z9BKLpAb7Rr9AXB5IUWxSkz
jXyEi9aDySDxv2HkjP3fE4D5wtC1neS8YsYDBcSsqoXt5sKAs1DOvzLbIOkObH3Y
uSxozoGJu5CVnBrOpxXdNf1RMnww85uxSAupiLQ2fsC/0AaeGB8dPYIZr/WekWAR
RF3igqZX7KVRuomUOt9fwJoHnRr1GWCHqYTB3P7/e52JcmCggBRLcnhC/1MKgMtN
RJh8Uuu9aXCBfR148W+s76xIdVwypPWbk8l911TdL1eRKx+d+kxAa1ugIqihvkBQ
sGjZltEe0ogAsDpS0Cy/HRH8Yz1Qk2gTh1QZiv865aVVfWu0OTU27TlfCyMQQCkO
LtBfOWylV6pJG3aaO2QA+4f4ab8flxdg8DrmBlhudzYY2goHIcfe+CdPygrKB/nS
XgEx1HFw47B1YJxY7FiFgEwnI6/AJuf136u1i484nVYXAr5PtnyaXH7kqVozHouT
sPkE1v7+EpOIbhEdXQxbSG0AXKomUwu4SJgxSitdTajAQYfHHfTVjdnUqyl8QHw=
=wX5X
-----END PGP MESSAGE-----
fp: 29F5017C95D9E60B1B1E8407072B0E0B8312DFE3
unencrypted_suffix: _unencrypted
version: 3.8.1

52
systems/jeeves/services.nix Normal file
View File

@@ -0,0 +1,52 @@
{
config,
inputs,
pkgs,
...
}:
{
systemd = {
services = {
plex_permission = {
description = "maintains /zfs/storage/plex permissions";
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.bash}/bin/bash ${./scripts/plex_permission.sh}";
};
};
startup_validation = {
requires = [ "network-online.target" ];
after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
description = "validates startup";
path = [ pkgs.zfs ];
serviceConfig = {
EnvironmentFile = config.sops.secrets."server-validation/webhook".path;
Type = "oneshot";
ExecStart = "${inputs.server_tools.packages.x86_64-linux.default}/bin/validate_jeeves";
};
};
};
timers = {
plex_permission = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "1h";
OnCalendar = "daily 03:00";
Unit = "plex_permission.service";
};
};
startup_validation = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "10min";
Unit = "startup_validation.service";
};
};
};
};
sops = {
defaultSopsFile = ./secrets.yaml;
secrets."server-validation/webhook".owner = "root";
};
}

29
systems/jeeves/snapshot_config.toml Normal file
View File

@@ -0,0 +1,29 @@
["media/Notes"]
15_min = 8
hourly = 24
daily = 30
monthly = 12
["storage/plex"]
15_min = 6
hourly = 2
daily = 1
monthly = 0
["media/plex"]
15_min = 6
hourly = 2
daily = 1
monthly = 0
["media/notes"]
15_min = 8
hourly = 24
daily = 30
monthly = 12
["media/docker"]
15_min = 3
hourly = 12
daily = 14
monthly = 2

23
systems/jeeves/vars.nix Normal file
View File

@@ -0,0 +1,23 @@
let
zfs_media = "/zfs/media";
zfs_storage = "/zfs/storage";
zfs_torrenting = "/zfs/torrenting";
in
{
inherit zfs_media zfs_storage zfs_torrenting;
# media
media_database = "${zfs_media}/syncthing/database";
media_docker = "${zfs_media}/docker";
media_docker_configs = "${zfs_media}/docker/configs";
media_mirror = "${zfs_media}/mirror";
media_notes = "${zfs_media}/notes";
media_plex = "${zfs_media}/plex/";
media_scripts = "${zfs_media}/scripts";
# storage
storage_main = "${zfs_storage}/main";
storage_plex = "${zfs_storage}/plex";
storage_syncthing = "${zfs_storage}/syncthing";
# torrenting
torrenting_qbit = "${zfs_torrenting}/qbit";
torrenting_qbitvpn = "${zfs_torrenting}/qbitvpn";
}

43
systems/palatine-hill/acme.nix
View File

@@ -1,43 +0,0 @@
{
config,
lib,
pkgs,
outputs,
...
}:
{
security.acme = {
acceptTerms = true;
defaults.email = "aliceghuston@gmail.com";
certs."nayeonie.com" = {
dnsProvider = "dnsimple";
environmentFile = config.sops.secrets."acme/dnsimple".path;
dnsPropagationCheck = false;
group = "haproxy";
extraDomainNames = [
"*.nayeonie.com"
# "alicehuston.xyz"
# "*.alicehuston.xyz"
];
};
};
systemd.services."acme-nayeonie.com.service".path = lib.mkForce (
with pkgs;
[
coreutils
diffutils
openssl
]
++ [
outputs.packages.x86_64-linux.lego-latest
]
);
sops.secrets = {
"acme/dnsimple" = {
owner = "root";
};
};
}

127
systems/palatine-hill/attic/default.nix → systems/palatine-hill/attic.nix
View File

@@ -8,18 +8,34 @@
{
environment.systemPackages = with pkgs; [
attic-client
attic
];
services = {
postgresql = {
enable = true;
ensureDatabases = [ "atticd" ];
ensureUsers = [
{
name = "atticd";
ensureDBOwnership = true;
}
];
upgrade = {
enable = true;
stopServices = [ "atticd" ];
};
};
atticd = {
enable = true;
environmentFile = config.sops.secrets."attic/secret-key".path;
credentialsFile = config.sops.secrets."attic/secret-key".path;
settings = {
listen = "[::]:8183";
allowed-hosts = [ "attic.nayeonie.com" ];
api-endpoint = "https://attic.nayeonie.com/";
allowed-hosts = [ "attic.alicehuston.xyz" ];
api-endpoint = "https://attic.alicehuston.xyz";
compression.type = "none"; # let ZFS do the compressing
database = {
url = "postgres://atticd?host=/run/postgresql";
@@ -32,7 +48,7 @@
type = "s3";
region = "us-east-1";
bucket = "cache-nix-dot";
endpoint = "https://minio.nayeonie.com";
endpoint = "https://minio.alicehuston.xyz";
};
# Warning: If you change any of the values here, it will be
@@ -62,60 +78,61 @@
# borrowing from https://github.com/Shawn8901/nix-configuration/blob/4b8d1d44f47aec60feb58ca7b7ab5ed000506e90/modules/nixos/private/hydra.nix
# configured default webstore for this on root user separately
# systemd = {
# services = {
# attic-watch-store = {
# wantedBy = [ "multi-user.target" ];
# after = [
# "network-online.target"
# "docker.service"
# "atticd.service"
# ];
# requires = [
# "network-online.target"
# "docker.service"
# "atticd.service"
# ];
# description = "Upload all store content to binary cache";
# serviceConfig = {
# User = "root";
# Restart = "always";
# ExecStart = "${pkgs.attic-client}/bin/attic watch-store cache-nix-dot";
# };
# };
# attic-sync-hydra = {
# after = [
# "network-online.target"
# "docker.service"
# "atticd.service"
# ];
# requires = [
# "network-online.target"
# "docker.service"
# "atticd.service"
# ];
# description = "Force resync of hydra derivations with attic";
# serviceConfig = {
# Type = "oneshot";
# User = "root";
# ExecStart = "${config.nix.package}/bin/nix ${./sync-attic.bash}";
# };
# };
# };
systemd = {
services = {
attic-watch-store = {
wantedBy = [ "multi-user.target" ];
after = [
"network-online.target"
"docker.service"
"atticd.service"
];
requires = [
"network-online.target"
"docker.service"
"atticd.service"
];
description = "Upload all store content to binary cache";
serviceConfig = {
User = "root";
Restart = "always";
ExecStart = "${pkgs.attic}/bin/attic watch-store cache-nix-dot";
};
};
attic-sync-hydra = {
after = [
"network-online.target"
"docker.service"
"atticd.service"
];
requires = [
"network-online.target"
"docker.service"
"atticd.service"
];
description = "Force resync of hydra derivations with attic";
serviceConfig = {
Type = "oneshot";
User = "root";
ExecStart = "${config.nix.package}/bin/nix ${./attic/sync-attic.bash}";
};
};
};
# timers = {
# attic-sync-hydra = {
# wantedBy = [ "timers.target" ];
# timerConfig = {
# OnBootSec = 600;
# OnUnitActiveSec = 86400;
# Unit = "attic-sync-hydra.service";
# };
# };
# };
# };
timers = {
attic-sync-hydra = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = 600;
OnUnitActiveSec = 86400;
Unit = "attic-sync-hydra.service";
};
};
};
};
sops = {
defaultSopsFile = ./secrets.yaml;
secrets = {
"attic/secret-key".owner = "root";
"attic/database-url".owner = "root";

4
systems/palatine-hill/attic/sync-attic.bash
View File

@@ -2,9 +2,9 @@
#! nix shell nixpkgs#bash nixpkgs#findutils nixpkgs#attic-client --command bash
sync_directories=(
/ZFS/ZFS-primary/hydra
/ZFS/ZFS-primary/hydra
)
for dir in "${sync_directories[@]}"; do
find "$dir" -regex ".*\.drv$" -exec attic push cache-nix-dot '{}' \;
find "$dir" -regex ".*\.drv$" -exec attic push cache-nix-dot '{}' \;
done

44
systems/palatine-hill/configuration.nix
View File

@@ -6,20 +6,16 @@
}:
{
imports = [
./acme.nix
./attic
./docker
./gitea.nix
./firewall.nix
./haproxy
./hardware-changes.nix
./attic.nix
./docker.nix
./hydra.nix
./microvms.nix
./minio.nix
./networking.nix
./nextcloud.nix
./postgresql.nix
./samba.nix
./services.nix
./zfs.nix
./networking.nix
];
programs.git.lfs.enable = false;
@@ -58,14 +54,10 @@
};
environment.systemPackages = with pkgs; [
chromedriver
chromium
docker-compose
intel-gpu-tools
jellyfin-ffmpeg
jq
yt-dlp
yq
];
services = {
@@ -73,8 +65,32 @@
nfs.server.enable = true;
openssh.ports = [ 666 ];
smartd.enable = true;
calibre-server.enable = false;
postgresql = {
enable = true;
enableJIT = true;
identMap = ''
# ArbitraryMapName systemUser DBUser
superuser_map root postgres
superuser_map alice postgres
# Let other names login as themselves
superuser_map /^(.*)$ \1
'';
# initialScript = config.sops.secrets."postgres/init".path;
upgrade = {
enable = true;
stopServices = [
"hydra-evaluator"
"hydra-init"
"hydra-notify"
"hydra-queue-runner"
"hydra-send-stats"
"hydra-server"
];
};
};
};
nix.gc.options = "--delete-older-than 150d";

10
systems/palatine-hill/default.nix
View File

@@ -1,7 +1,11 @@
{ inputs, ... }:
{ inputs, src, ... }:
{
users = [ "alice" ];
users = [
"alice"
"richie"
];
modules = [
# inputs.attic.nixosModules.atticd
inputs.attic.nixosModules.atticd
(src + "/modules/opt/microvm-host.nix")
];
}

5
systems/palatine-hill/docker.nix Normal file
View File

@@ -0,0 +1,5 @@
{ ... }:
{
virtualisation.docker.daemon.settings.data-root = "/var/lib/docker2";
}

112
systems/palatine-hill/docker/act-runner.nix
View File

@@ -1,112 +0,0 @@
{
config,
...
}:
let
vars = import ../vars.nix;
act_path = vars.primary_act;
act_config_path = ./act_config.yaml;
in
{
virtualisation.oci-containers.containers = {
act-stable-latest-main = {
image = "gitea/act_runner:latest";
extraOptions = [
"--stop-signal=SIGINT"
];
labels = {
"com.centurylinklabs.watchtower.enable" = "true";
"com.centurylinklabs.watchtower.scope" = "act-runner";
};
ports = [ "8088:8088" ];
volumes = [
"${act_config_path}:/config.yaml"
"${act_path}/stable-latest-main/data:/data"
"/var/run/docker.sock:/var/run/docker.sock"
];
environment = {
CONFIG_FILE = "/config.yaml";
GITEA_RUNNER_NAME = "stable-latest-main";
};
environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
log-driver = "local";
};
act-stable-latest-1 = {
image = "gitea/act_runner:latest";
extraOptions = [
"--stop-signal=SIGINT"
];
labels = {
"com.centurylinklabs.watchtower.enable" = "true";
"com.centurylinklabs.watchtower.scope" = "act-runner";
};
volumes = [
"${./act_config.yaml}:/config.yaml"
"${act_path}/stable-latest-1/data:/data"
"/var/run/docker.sock:/var/run/docker.sock"
];
environment = {
CONFIG_FILE = "/config.yaml";
GITEA_RUNNER_NAME = "stable-latest-1";
};
environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
log-driver = "local";
};
act-stable-latest-2 = {
image = "gitea/act_runner:latest";
extraOptions = [
"--stop-signal=SIGINT"
];
labels = {
"com.centurylinklabs.watchtower.enable" = "true";
"com.centurylinklabs.watchtower.scope" = "act-runner";
};
volumes = [
"${act_config_path}:/config.yaml"
"${act_path}/stable-latest-2/data:/data"
"/var/run/docker.sock:/var/run/docker.sock"
];
environment = {
CONFIG_FILE = "/config.yaml";
GITEA_RUNNER_NAME = "stable-latest-2";
};
environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
log-driver = "local";
};
};
systemd = {
timers."custom-watchtower@act-runner" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "20m";
OnUnitActiveSec = "5m";
Unit = "custom-watchtower@act-runner.service";
};
};
services."custom-watchtower@act-runner" = {
bindsTo = [ "docker.service" ];
after = [ "docker.service" ];
description = "a watchtower-esque script for systemd-based oci-containers";
serviceConfig = {
Type = "oneshot";
User = "root";
ExecStart = "${config.nix.package}/bin/nix ${./watchtower.bash} 'com.centurylinklabs.watchtower.scope' 'act-runner'";
};
};
};
sops.secrets = {
"docker/act-runner" = {
owner = "root";
restartUnits = [
"docker-act-stable-latest-main.service"
"docker-act-stable-latest-1.service"
"docker-act-stable-latest-2.service"
];
};
};
}

95
systems/palatine-hill/docker/act_config.yaml
View File

@@ -1,95 +0,0 @@
# Example configuration file, it's safe to copy this as the default config file without any modification.
# You don't have to copy this file to your instance,
# just run `./act_runner generate-config > config.yaml` to generate a config file.
log:
# The level of logging, can be trace, debug, info, warn, error, fatal
level: debug
runner:
# Where to store the registration result.
file: .runner
# Execute how many tasks concurrently at the same time.
capacity: 1
# Extra environment variables to run jobs.
envs:
A_TEST_ENV_NAME_1: a_test_env_value_1
A_TEST_ENV_NAME_2: a_test_env_value_2
# Extra environment variables to run jobs from a file.
# It will be ignored if it's empty or the file doesn't exist.
env_file: .env
# The timeout for a job to be finished.
# Please note that the Gitea instance also has a timeout (3h by default) for the job.
# So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
timeout: 3h
# The timeout for the runner to wait for running jobs to finish when shutting down.
# Any running jobs that haven't finished after this timeout will be cancelled.
shutdown_timeout: 30m
# Whether skip verifying the TLS certificate of the Gitea instance.
insecure: false
# The timeout for fetching the job from the Gitea instance.
fetch_timeout: 5s
# The interval for fetching the job from the Gitea instance.
fetch_interval: 2s
# The labels of a runner are used to determine which jobs the runner can run, and how to run them.
# Like: "macos-arm64:host" or "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
# Find more images provided by Gitea at https://gitea.com/gitea/runner-images .
# If it's empty when registering, it will ask for inputting labels.
# If it's empty when execute `daemon`, will use labels in `.runner` file.
labels:
- "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
- "ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04"
- "ubuntu-20.04:docker://gitea/runner-images:ubuntu-20.04"
#cache:
# Enable cache server to use actions/cache.
#enabled: true
# The directory to store the cache data.
# If it's empty, the cache data will be stored in $HOME/.cache/actcache.
#dir: ""
# The host of the cache server.
# It's not for the address to listen, but the address to connect from job containers.
# So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
#host: ""
# The port of the cache server.
# 0 means to use a random available port.
#port: 0
# The external cache server URL. Valid only when enable is true.
# If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
# The URL should generally end with "/".
#external_server: ""
container:
# Specifies the network to which the container will connect.
# Could be host, bridge or the name of a custom network.
# If it's empty, act_runner will create a network automatically.
network: ""
# Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
privileged: false
# And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
options:
# The parent directory of a job's working directory.
# NOTE: There is no need to add the first '/' of the path as act_runner will add it automatically.
# If the path starts with '/', the '/' will be trimmed.
# For example, if the parent directory is /path/to/my/dir, workdir_parent should be path/to/my/dir
# If it's empty, /workspace will be used.
workdir_parent:
# Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
# You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
# For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
# valid_volumes:
# - data
# - /src/*.json
# If you want to allow any volume, please use the following configuration:
# valid_volumes:
# - '**'
valid_volumes: []
# overrides the docker client host with the specified one.
# If it's empty, act_runner will find an available docker host automatically.
# If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
# If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
docker_host: ""
# Pull docker image(s) even if already present
force_pull: true
# Rebuild docker image(s) even if already present
force_rebuild: false
host:
# The parent directory of a job's working directory.
# If it's empty, $HOME/.cache/act/ will be used.
workdir_parent:

152
systems/palatine-hill/docker/archiveteam.nix
View File

@@ -1,152 +0,0 @@
{
config,
lib,
pkgs,
...
}:
let
containers = {
archiveteam-imgur = {
image = "imgur-grab";
scale = 1;
};
archiveteam-telegram = {
image = "telegram-grab";
scale = 3;
};
archiveteam-reddit = {
image = "reddit-grab";
scale = 0;
};
archiveteam-dpreview = {
image = "dpreview-grab";
scale = 0;
};
archiveteam-issuu = {
image = "issuu-grab";
scale = 0;
};
archiveteam-urls = {
image = "urls-grab";
scale = 2;
};
archiveteam-urlteam = {
image = "terroroftinytown-client-grab";
scale = 2;
};
archiveteam-mediafire = {
image = "mediafire-grab";
scale = 1;
};
archiveteam-github = {
image = "github-grab";
scale = 1;
};
archiveteam-lineblog = {
image = "lineblog-grab";
scale = 0;
};
archiveteam-banciyuan = {
image = "banciyuan-grab";
scale = 0;
};
archiveteam-wysp = {
image = "wysp-grab";
scale = 0;
};
archiveteam-xuite = {
image = "xuite-grab";
scale = 0;
};
archiveteam-gfycat = {
image = "gfycat-grab";
scale = 0;
};
archiveteam-skyblog = {
image = "skyblog-grab";
scale = 0;
};
archiveteam-zowa = {
image = "zowa-grab";
scale = 0;
};
archiveteam-blogger = {
image = "blogger-grab";
scale = 1;
};
archiveteam-vbox7 = {
image = "vbox7-grab";
scale = 0;
};
archiveteam-pastebin = {
image = "pastebin-grab";
scale = 1;
};
archiveteam-youtube = {
image = "youtube-grab";
scale = 0;
};
archiveteam-deviantart = {
image = "deviantart-grab";
scale = 0;
};
archiveteam-postnews = {
image = "postnews-grab";
scale = 0;
};
archiveteam-askfm = {
image = "askfm-grab";
scale = 1;
};
archiveteam-mangz = {
image = "mangaz-grab";
scale = 1;
};
archiveteam-cohost = {
image = "cohost-grab";
scale = 1;
};
};
container-spec = container-name: container: {
image = "atdr.meo.ws/archiveteam/${container}:latest";
extraOptions = [
"--stop-signal=SIGINT"
];
labels = {
"com.centurylinklabs.watchtower.enable" = "true";
"com.centurylinklabs.watchtower.scope" = "archiveteam";
};
volumes = [ "${at_path}/${container-name}:/grab/data" ];
log-driver = "local";
cmd = lib.splitString " " "--concurrent 6 AmAnd0";
};
inherit (lib.rad-dev.container-utils) createTemplatedContainers;
vars = import ../vars.nix;
at_path = vars.primary_archiveteam;
in
{
virtualisation.oci-containers.containers = createTemplatedContainers containers container-spec;
systemd = {
timers."custom-watchtower@archiveteam" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "20m";
OnUnitActiveSec = "5m";
Unit = "custom-watchtower@archiveteam.service";
};
};
services."custom-watchtower@archiveteam" = {
bindsTo = [ "docker.service" ];
after = [ "docker.service" ];
description = "a watchtower-esque script for systemd-based oci-containers";
serviceConfig = {
Type = "oneshot";
User = "root";
ExecStart = "${config.nix.package}/bin/nix ${./watchtower.bash} 'com.centurylinklabs.watchtower.scope' 'archiveteam'";
};
};
};
}

32
systems/palatine-hill/docker/books.nix
View File

@@ -1,32 +0,0 @@
{ ... }:
let
vars = import ../vars.nix;
docker_path = vars.primary_docker;
calibre_path = vars.primary_calibre;
in
{
virtualisation.oci-containers.containers = {
automated-ffdl-alice = {
image = "mrtyton/automated-ffdl:latest";
user = "600:100";
extraOptions = [ "--restart=unless-stopped" ];
environment = {
PUID = "600";
PGID = "100";
};
volumes = [
"${docker_path}/auto-fic/config:/config"
"${calibre_path}/ffdl-alice:/var/lib/calibre-server"
];
};
};
services.autopull = {
enable = true;
repo.FanFicFare-alice = {
enable = true;
path = /ZFS/ZFS-primary/calibre/ffdl-alice/config/FanFicFare;
};
};
}

79
systems/palatine-hill/docker/default.nix
View File

@@ -1,79 +0,0 @@
{
config,
lib,
pkgs,
...
}:
{
imports = [
./act-runner.nix
# temp disable archiveteam for tiktok archiving
#./archiveteam.nix
# ./books.nix
#./firefly.nix
#./foundry.nix
./glances.nix
# ./haproxy.nix
./minecraft.nix
./nextcloud.nix
# ./postgres.nix
# ./restic.nix
./torr.nix
# ./unifi.nix
];
virtualisation.oci-containers.backend = "docker";
virtualisation.docker.daemon.settings = {
data-root = "/var/lib/docker2";
bip = "169.254.253.254/23";
fixed-cidr = "169.254.252.0/23";
default-address-pools = [
{
base = "169.254.2.0/23";
size = 28;
}
{
base = "169.254.4.0/22";
size = 28;
}
{
base = "169.254.8.0/21";
size = 28;
}
{
base = "169.254.16.0/20";
size = 28;
}
{
base = "169.254.32.0/19";
size = 28;
}
{
base = "169.254.64.0/18";
size = 28;
}
{
base = "169.254.128.0/18";
size = 28;
}
{
base = "169.254.192.0/19";
size = 28;
}
{
base = "169.254.224.0/20";
size = 28;
}
{
base = "169.254.240.0/21";
size = 28;
}
{
base = "169.254.248.0/22";
size = 28;
}
];
mtu = 9000;
};
}

25
systems/palatine-hill/docker/firefly.nix
View File

@@ -1,25 +0,0 @@
{ ... }:
let
vars = import ../vars.nix;
ffiii_path = "${vars.primary_docker}/firefly-iii";
in
{
virtualisation.oci-containers.containers = {
firefly = {
image = "fireflyiii/core:latest";
extraOptions = [
"--network=firefly-iii_default"
"--network=postgres-net"
];
environmentFiles = [ "${ffiii_path}/.env" ];
ports = [ "4188:8080" ];
volumes = [ "${ffiii_path}/app/upload:/var/www/html/storage/upload" ];
};
fidi = {
image = "fireflyiii/data-importer:latest";
environmentFiles = [ "${ffiii_path}/.fidi.env" ];
ports = [ "4187:8080" ];
dependsOn = [ "firefly" ];
};
};
}

28
systems/palatine-hill/docker/foundry.nix
View File

@@ -1,28 +0,0 @@
{ config, ... }:
let
vars = import ../vars.nix;
fvtt_path = "${vars.primary_games}/foundryvtt";
in
{
virtualisation.oci-containers.containers = {
foundryvtt = {
image = "felddy/foundryvtt:11";
hostname = "foundryvtt";
environment = {
#CONTAINER_PRESERVE_CONFIG= "true";
TIMEZONE = "America/New_York";
FOUNDRY_MINIFY_STATIC_FILES = "true";
};
environmentFiles = [ config.sops.secrets."docker/foundry".path ];
volumes = [ "${fvtt_path}:/data" ];
extraOptions = [
"--network=haproxy-net"
];
};
};
sops.secrets."docker/foundry" = {
owner = "docker-service";
restartUnits = [ "docker-foundryvtt.service" ];
};
}

24
systems/palatine-hill/docker/glances.nix
View File

@@ -1,24 +0,0 @@
{ ... }:
let
vars = import ../vars.nix;
glances_path = "${vars.primary_docker}/glances";
in
{
virtualisation.oci-containers.containers = {
glances = {
image = "nicolargo/glances:latest-full";
extraOptions = [
"--pid=host"
"--network=haproxy-net"
];
volumes = [
"/var/run/docker.sock:/var/run/docker.sock"
"${glances_path}/glances.conf:/glances/conf/glances.conf"
];
environment = {
GLANCES_OPT = "-C /glances/conf/glances.conf -w";
};
};
};
}

207
systems/palatine-hill/docker/haproxy.cfg
View File

@@ -1,207 +0,0 @@
global
# stats socket /var/run/api.sock user haproxy group haproxy mode 660 level admin expose-fd listeners
# log stdout format raw local0 info
log stdout format raw local0
crt-base /etc/ssl/certs/
maxconn 120000
defaults
log global
mode http
timeout client 2000m
timeout connect 200s
timeout server 2000m
timeout http-request 2000m
frontend stats # you can call this whatever you want
mode http
bind *:9000 # default port, but you can pick any port
stats enable # turns on stats module
stats refresh 10s # set auto-refresh rate
#Application Setup
frontend ContentSwitching
bind *:80
# bind *:443 ssl crt /etc/ssl/certs/cloudflare.pem
bind *:443 ssl crt /etc/ssl/certs/origin_ca_ecc_root_new.pem crt /var/lib/acme/nayeonie.com/full.pem strict-sni
mode http
option httplog
# max-age is mandatory
# 16000000 seconds is a bit more than 6 months
http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
# Front-end acess control list
http-request return status 200 content-type text/plain lf-string "%[path,field(-1,/)].${ACCOUNT_THUMBPRINT}\n" if { path_beg '/.well-known/acme-challenge/' }
# Front-end acess control list
acl host_www hdr(host) -i www.alicehuston.xyz
acl host_www hdr(host) -i alicehuston.xyz
# acl host_ldapui hdr(host) -i authui.alicehuston.xyz
acl host_glances hdr(host) -i monit.alicehuston.xyz
acl host_glances hdr(host) -i glances.alicehuston.xyz
# acl host_foundry hdr(host) -i dnd.alicehuston.xyz
# acl host_netdata hdr(host) -i netdata.alicehuston.xyz
#acl host_terraria hdr(host) -i terraria.alicehuston.xyz
acl host_nextcloud hdr(host) -i nextcloud.alicehuston.xyz
acl host_nextcloud hdr(host) -i nayeonie.com
acl host_hydra hdr(host) -i hydra.alicehuston.xyz
acl host_attic hdr(host) -i attic.alicehuston.xyz
acl host_minio hdr(host) -i minio.alicehuston.xyz
acl host_minio_console hdr(host) -i minio-console.alicehuston.xyz
acl host_attic hdr(host) -i attic.nayeonie.com
acl host_minio hdr(host) -i minio.nayeonie.com
acl host_minio_console hdr(host) -i minio-console.nayeonie.com
#acl host_nextcloud_vol hdr(host) -i nextcloud-vol.alicehuston.xyz
# acl host_collabora hdr(host) -i collabora.alicehuston.xyz
acl host_prometheus hdr(host) -i prom.alicehuston.xyz
acl host_gitea hdr(host) -i git.alicehuston.xyz
acl host_gitea hdr(host) -i nayeonie.com
# Backend-forwarding
use_backend www_nodes if host_www
# use_backend ldapui_nodes if host_ldapui
use_backend glances_nodes if host_glances
use_backend foundry_nodes if host_foundry
# use_backend netdata_nodes if host_netdata
# use_backend terraria_nodes if host_terraria
use_backend nextcloud_nodes if host_nextcloud
use_backend hydra_nodes if host_hydra
use_backend attic_nodes if host_attic
#use_backend nextcloud_vol_nodes if host_nextcloud_vol
# use_backend collabora_nodes if host_collabora
use_backend prometheus_nodes if host_prometheus
use_backend minio_nodes if host_minio
use_backend minio_console_nodes if host_minio_console
use_backend gitea_nodes if host_gitea
#frontend ldap
# bind *:389
# bind *:636 ssl crt /etc/ssl/certs/cloudflare.pem
# mode tcp
# option tcplog
# acl host_ldap hdr(host) -i auth.alicehuston.xyz
# use_backend ldap_nodes if host_ldap
backend nextcloud_nodes
mode http
server server nextcloud:80
acl url_discovery path /.well-known/caldav /.well-known/carddav
http-request redirect location /remote.php/dav/ code 301 if url_discovery
acl h_xfh_exists req.hdr(X-Forwarded-Host) -m found
http-request set-header X-Forwarded-Host %[req.hdr(host)] unless h_xfh_exists
acl h_xfport_exists req.hdr(X-Forwarded-Port) -m found
http-request set-header X-Forwarded-Port %[dst_port] unless h_xfport_exists
acl h_xfproto_exists req.hdr(X-Forwarded-Proto) -m found
http-request set-header X-Forwarded-Proto http if !{ ssl_fc } !h_xfproto_exists
http-request set-header X-Forwarded-Proto https if { ssl_fc } !h_xfproto_exists
#backend nextcloud_nodes
# mode http
# server nxserver nextcloud:80
# acl url_discovery path /.well-known/caldav /.well-known/carddav
# http-request redirect location /remote.php/dav/ code 301 if url_discovery
# http-request set-header X-Forwarded-Host %[req.hdr(Host)]
#backend nextcloud_vol_nodes
# mode http
# server server nextcloud-vol:80
# acl url_discovery path /.well-known/caldav /.well-known/carddav
# http-request redirect location /remote.php/dav/ code 301 if url_discovery
# acl h_xfh_exists req.hdr(X-Forwarded-Host) -m found
# http-request set-header X-Forwarded-Host %[req.hdr(host)] unless h_xfh_exists
# acl h_xfport_exists req.hdr(X-Forwarded-Port) -m found
# http-request set-header X-Forwarded-Port %[dst_port] unless h_xfport_exists
# acl h_xfproto_exists req.hdr(X-Forwarded-Proto) -m found
# http-request set-header X-Forwarded-Proto http if !{ ssl_fc } !h_xfproto_exists
# http-request set-header X-Forwarded-Proto https if { ssl_fc } !h_xfproto_exists
#backend terraria_nodes
# mode http
# server server terraria:6526
#backend collabora_nodes
# mode http
# server server collabora:9980
backend www_nodes
mode http
server server grafana:3000
backend minio_nodes
mode http
server server 192.168.76.2:8500
# acl h_xfh_exists req.hdr(X-Forwarded-Host) -m found
# http-request set-header X-Forwarded-Host %[req.hdr(host)] unless h_xfh_exists
# acl h_xfport_exists req.hdr(X-Forwarded-Port) -m found
# http-request set-header X-Forwarded-Port %[dst_port] unless h_xfport_exists
# acl h_xfproto_exists req.hdr(X-Forwarded-Proto) -m found
# http-request set-header X-Forwarded-Proto http if !{ ssl_fc } !h_xfproto_exists
# http-request set-header X-Forwarded-Proto https if { ssl_fc } !h_xfproto_exists
backend minio_console_nodes
mode http
server server 192.168.76.2:8501
# backend foundry_nodes
# timeout tunnel 50s
# mode http
# server server foundryvtt:30000
#backend ldap_nodes
# mode tcp
# balance roundrobin
# option ldap-check
# server ldap1 192.168.76.2:1636 ssl ca-file /etc/ssl/certs/origin_ca_rsa_root.pem
#
#backend ldapui_nodes
# mode http
# server server 192.168.76.2:18081
backend glances_nodes
mode http
server server glances:61208
backend hydra_nodes
mode http
server server 192.168.76.2:3000
backend attic_nodes
mode http
server server 192.168.76.2:8183
backend prometheus_nodes
mode http
server server 192.168.76.2:9001
backend gitea_nodes
mode http
server server 192.168.76.2:6443
#backend netdata_nodes
# mode http
# server server 192.168.76.2:19999
# backend dnd_nodes
# mode http
# server server foundry:30000
# acl host_www hdr(host) -i www.tmmworkshop.com
frontend giteassh
mode tcp
bind :2222
default_backend giteassh_nodes
backend giteassh_nodes
mode tcp
server s1 192.168.76.2:2223
frontend minecraft
mode tcp
bind :25565
default_backend router_nodes
backend router_nodes
mode tcp
server s1 mc-router:25565

33
systems/palatine-hill/docker/haproxy.nix
View File

@@ -1,33 +0,0 @@
{ ... }:
{
virtualisation.oci-containers.containers = {
haproxy = {
image = "haproxy:latest";
extraOptions = [
"--restart=always"
"--network=haproxy-net"
];
volumes = [
"${./haproxy.cfg}:/usr/local/etc/haproxy/haproxy.cfg:ro"
"/ZFS/ZFS-primary/docker/haproxy/certs:/etc/ssl/certs:ro"
];
ports = [
"80:80"
"443:443"
"25565:25565"
];
environment = {
PUID = "600";
PGID = "600";
};
dependsOn = [
"nextcloud"
"grafana"
"foundryvtt"
"glances"
"mc-router"
];
};
};
}

96
systems/palatine-hill/docker/minecraft.nix
View File

@@ -1,96 +0,0 @@
{ config, lib, ... }:
let
servers = {
atm6 = "atm6.alicehuston.xyz";
stoneblock3 = "sb3.alicehuston.xyz";
RAD2 = "rad.alicehuston.xyz";
skyfactory = "sf.alicehuston.xyz";
divinejourney = "dj.alicehuston.xyz";
rlcraft = "rlcraft.alicehuston.xyz";
arcanum-institute = "arcanum.alicehuston.xyz";
# bcg-plus = "bcg.alicehuston.xyz";
};
defaultServer = "rlcraft";
# defaultEnv = {
# EULA = "true";
# TYPE = "AUTO_CURSEFORGE";
# STOP_SERVER_ANNOUNCE_DELAY = "120";
# STOP_DURATION = "600";
# SYNC_CHUNK_WRITES = "false";
# USE_AIKAR_FLAGS = "true";
# MEMORY = "8GB";
# ALLOW_FLIGHT = "true";
# MAX_TICK_TIME = "-1";
# };
# defaultOptions = [
# "--stop-signal=SIGTERM"
# "--stop-timeout=1800"
# "--network=minecraft-net"
# ];
# vars = import ../vars.nix;
# minecraft_path = "${vars.primary_games}/minecraft";
in
{
virtualisation.oci-containers.containers = {
mc-router = {
image = "itzg/mc-router:latest";
extraOptions = [
"--network=haproxy-net"
"--network=minecraft-net"
];
cmd = [
(
"--mapping=mc.alicehuston.xyz=${defaultServer}:25565"
+ (lib.rad-dev.mapAttrsToString (hostname: url: "," + url + "=" + hostname + ":25565") servers)
)
];
};
# rlcraft = {
# image = "itzg/minecraft-server:java8";
# volumes = [
# "${minecraft_path}/rlcraft/modpacks:/modpacks:ro"
# "${minecraft_path}/rlcraft/data:/data"
# ];
# hostname = "rlcraft";
# environment = defaultEnv // {
# VERSION = "1.12.2";
# CF_SLUG = "rlcraft";
# DIFFICULTY = "hard";
# ENABLE_COMMAND_BLOCK = "true";
# };
# extraOptions = defaultOptions;
# log-driver = "local";
# environmentFiles = [ config.sops.secrets."docker/minecraft".path ];
# };
# bcg-plus = {
# image = "itzg/minecraft-server:java17";
# volumes = [
# "${minecraft_path}/bcg-plus/modpacks:/modpacks:ro"
# "${minecraft_path}/bcg-plus/data:/data"
# ];
# hostname = "bcg-plus";
# environment = defaultEnv // {
# VERSION = "1.17";
# CF_SLUG = "bcg";
# DIFFICULTY = "normal";
# DEBUG = "true";
# # ENABLE_COMMAND_BLOCK = "true";
# };
# extraOptions = defaultOptions;
# log-driver = "local";
# environmentFiles = [ config.sops.secrets."docker/minecraft".path ];
# };
};
sops = {
defaultSopsFile = ../secrets.yaml;
secrets = {
"docker/minecraft".owner = "docker-service";
};
};
}

Some files were not shown because too many files have changed in this diff Show More