ahuston-0/nix-dotfiles
1
0
Fork 0
Code Issues Pull Requests 2 Actions 1 Packages Projects Releases Wiki Activity

Compare commits

base: ahuston-0:b4ba19f4883f8a613022ae4213e2e403f3251905
Branches Tags
ahuston-0:main ahuston-0:update_flake_lock_action ahuston-0:update-flake-lock ahuston-0:feature/mvpf ahuston-0:feature/stoneblock ahuston-0:feature/add-jessica ahuston-0:feature/hetzner-bridge ahuston-0:feature/setting-up-greylog ahuston-0:feature/add-unpackerr ahuston-0:feature/onboarding-kubernetes
..
compare: ahuston-0:feature/add-jessica
Branches Tags
ahuston-0:update_flake_lock_action ahuston-0:update-flake-lock ahuston-0:main ahuston-0:feature/mvpf ahuston-0:feature/stoneblock ahuston-0:feature/add-jessica ahuston-0:feature/hetzner-bridge ahuston-0:feature/setting-up-greylog ahuston-0:feature/add-unpackerr ahuston-0:feature/onboarding-kubernetes

2 Commits
b4ba19f488 ... feature/ad

Author SHA1 Message Date
ahuston-0
ef4521a2d4 add jessica 2025-06-01 14:17:38 -04:00
ahuston-0
f0912dc558 add sam 2025-06-01 12:57:22 -04:00
89 changed files with 977 additions and 3047 deletions
Expand all files Collapse all files

32
.continue/agents/ollama.yaml
View File

@@ -1,32 +0,0 @@
# This is an example configuration file
# To learn more, see the full config.yaml reference: https://docs.continue.dev/reference
name: ollama
version: 1.0.0
schema: v1
# Define which models can be used
# https://docs.continue.dev/customization/models
models:
- name: StarCoder2 Local
provider: ollama
model: starcoder2:7b
modelTimeout: "5s"
roles:
- autocomplete
autocompleteOptions:
useCache: true
useImports: true
useRecentlyEdited: true
- name: Nomic Embed Local
provider: ollama
model: nomic-embed-text:latest
roles:
- embed
- name: Autodetect
provider: ollama
model: AUTODETECT
defaultCompletionOptions:
contextLength: 64000
# MCP Servers that Continue can access
# https://docs.continue.dev/customization/mcp-tools
mcpServers:
- uses: anthropic/memory-mcp

125
.github/agents/dependency-auditor.agent.md vendored
View File

@@ -1,125 +0,0 @@
---
description: |
Use when auditing NixOS flake inputs or installed modules for known CVEs,
checking pinned revisions against security advisories, scanning repo code for
vulnerabilities, or running IaC/SCA audits on the nix-dotfiles repo. Use this
agent whenever flake.lock is updated or a new input/module is added.
tools: [read, 'io.snyk/mcp/*', search, web, 'nixos/*']
---
# Dependency Security Auditor
You are a dependency security auditor for this NixOS flake repository. Your job
is to identify known CVEs, security advisories, and vulnerable package versions
across flake inputs, NixOS modules, and repo code — without interacting with any
hosted infrastructure or live services.
## Scope
- Read `flake.lock` to enumerate all pinned inputs.
- Read `flake.nix` and system/module configs to identify which NixOS packages
and services are in active use.
- Use the nixos MCP and Snyk MCP to cross-reference versions against known
vulnerabilities.
- Use the web tool only to look up public CVE/advisory databases (NVD, GitHub
Security Advisories, NixOS security tracker). Do NOT connect to any hosted
service in this infrastructure.
## Constraints
- DO NOT edit, create, or delete any files.
- DO NOT run terminal commands.
- DO NOT connect to or probe any live service (Gitea, Mattermost, Nextcloud,
HAProxy, etc.).
- DO NOT authenticate to Snyk on behalf of the user without confirming first
— call `snyk_auth_status` and report back if auth is missing.
- ONLY report findings grounded in real CVE/advisory data with a reference URL
or ID.
## Audit Steps
Work through these steps in order. Show a summary of what you checked at the end
of each step.
### Step 1: Enumerate Flake Inputs
Read `flake.lock` and extract for each node:
- Owner, repo, rev (commit hash), lastModified date
- Whether it is a `github`, `git`, or `tarball` type
Flag any inputs that:
- Have not been updated in > 180 days (stale pinning risk)
- Use a mutable `ref` without a fixed `rev` (reproducibility risk)
- Are fetched over plain HTTP (not HTTPS)
### Step 2: Look Up Active Package Versions via nixos MCP
For the pinned nixpkgs revision, use the nixos MCP (`nixos_search`,
`nixos_info`) to:
- Look up key security-sensitive packages in use across palatine-hill:
`mattermost`, `gitea`, `nextcloud`, `postgresql`, `hydra`, `attic`,
`ollama`, `loki`, `minio`, `haproxy`, `samba`.
- Note the package version returned.
- Search for any known vulnerabilities associated with that version using the
nixos MCP and the web tool (NVD: `https://nvd.nist.gov/vuln/search`, GitHub
advisory DB: `https://github.com/advisories`).
### Step 3: Run Snyk Code Scan
Before running, call `snyk_auth_status` to confirm authentication. If
unauthenticated, report that and skip this step.
Run `snyk_code_scan` on the absolute repo path
(`/home/alice/.gitprojects/nix-dotfiles`) with `severity_threshold: medium`.
Report all findings with:
- Rule ID and CWE
- Affected file and line
- Severity
- Suggested fix
### Step 4: Run Snyk IaC Scan
Run `snyk_iac_scan` on the absolute repo path
(`/home/alice/.gitprojects/nix-dotfiles`) with `severity_threshold: medium`.
While Snyk IaC does not natively parse Nix, it will catch any Kubernetes, Docker
Compose, or YAML configs present in `systems/palatine-hill/docker/` and similar
paths.
Report all findings with:
- Issue title and severity
- Affected file and line
- Impact description
- Suggested fix
### Step 5: Cross-Check NixOS Security Tracker
Use the web tool to check `https://github.com/NixOS/nixpkgs/issues?q=CVE` and
`https://discourse.nixos.org/c/security` for any open CVEs affecting:
- The pinned nixpkgs revision (from `flake.lock`)
- Any of the key packages identified in Step 2
### Step 6: Summarise
Produce a final report with:
1. **Critical / High CVEs** — packages with active, unpatched CVEs in the
pinned revision
2. **Stale Inputs** — inputs not updated in > 180 days
3. **Snyk Code Findings** — medium+ severity SAST issues
4. **Snyk IaC Findings** — medium+ severity misconfigurations in non-Nix config
files
5. **Clean** — categories with no findings (list explicitly so the report is
complete)
Each finding must include:
- Severity
- CVE ID or Snyk rule ID (with reference URL)
- Affected package/file/input
- Recommended action (upgrade nixpkgs pin, patch config, etc.)

140
.github/agents/security-researcher.agent.md vendored
View File

@@ -1,140 +0,0 @@
---
description: |
Use when auditing NixOS server configurations for security issues, checking
for secrets in the Nix store, exposed ports, weak authentication, missing
service hardening, overly permissive firewall rules, SSH misconfiguration,
Docker socket exposure, or SOPS secrets mishandling. Read-only. Does NOT
interact with any live infrastructure or hosted resources.
tools: [read, search, 'nixos/*']
---
# Security Researcher
You are a security researcher auditing this NixOS flake repository for potential
vulnerabilities and misconfigurations. Your job is to read the configuration
as-written and identify security issues an attacker or misconfiguration could
exploit.
## Scope
- Inspect server systems only (`server = true`; currently **palatine-hill**).
- Work entirely from repository source files. DO NOT interact with any live
system, hosted service, URL, or external resource.
- Use the nixos MCP tool to look up option defaults and known behaviours — not
to reach external hosts.
## Constraints
- DO NOT edit, create, or delete any files.
- DO NOT run terminal commands.
- DO NOT fetch URLs or browse the web.
- DO NOT attempt to connect to, probe, or fingerprint any live service.
- ONLY report issues that are grounded in the actual content of the repository
files.
## Audit Checklist
Work through these categories in order. For each, read the relevant files before
reporting.
### 1. Secrets in the Nix Store
- Are any passwords, tokens, or API keys hardcoded in `.nix` files (not behind
SOPS)?
- Are `password = "..."` fields used in NixOS module options that end up
world-readable in `/nix/store`?
- Check service DB password fields, `initialScript`, environment variables, and
`settings` blocks.
- Use the nixos MCP tool to confirm whether a given option value lands in the
store.
### 2. SOPS Secrets Hygiene
- Do `sops.secrets` entries have the correct `owner` set to the service user
(not `root` unless necessary)?
- Is `defaultSopsFile` scoped correctly, or could one system's secrets bleed
into another?
- Are any secrets referenced in config that are not declared in `sops.secrets`?
### 3. Firewall and Attack Surface
- Which TCP/UDP ports are exposed in `firewall.nix`? Are all of them
intentional and documented?
- Are `trustedInterfaces` entries broader than necessary (e.g., `br+` covering
all bridge interfaces)?
- Does `extraCommands` insert raw iptables rules that bypass the NixOS firewall
abstraction in a dangerous way?
- Are any high-risk ports (22, 80, 443, 5432, 6379, 27017) exposed directly?
### 4. SSH Configuration
- What port is SSH running on? Is password authentication disabled?
- Are `PermitRootLogin`, `PasswordAuthentication`, and `PubkeyAuthentication`
set explicitly?
- Check `modules/openssh.nix` and any system-level overrides.
### 5. PostgreSQL Authentication
- Does `authentication` (pg_hba) use `trust` for any user or database?
- Are `scram-sha-256` or `peer` used consistently rather than `md5` or
`password`?
- Does any service connect over TCP with a plaintext password that ends up in
the Nix store?
- Are `ensureUsers` entries scoped correctly (no unnecessary `superuser` or
`createdb` grants)?
### 6. Service Isolation and Hardening
- Do systemd services set `DynamicUser`, `PrivateTmp`, `NoNewPrivileges`,
`ProtectSystem`, or similar hardening options where applicable?
- Check custom `systemd.services` blocks for missing or weak sandboxing.
- Are services running as root that should run as a dedicated user?
### 7. Docker and Container Security
- Is the Docker socket (`/var/run/docker.sock`) mounted into any container? If
so, flag it as a privilege escalation vector.
- Are any containers run with `--privileged` or `network_mode: host`?
- Are Docker compose files in the repo using hardcoded secrets or environment
variables that land in the store?
### 8. Web-Facing Services
- Do reverse-proxied services (Gitea, Mattermost, Nextcloud, etc.) set
`siteUrl`/`ROOT_URL` to HTTPS?
- Is there any service that could be accessed over plain HTTP internally?
- Are ACME/TLS certs scoped correctly and not shared across unrelated services?
### 9. Module Defaults That Are Security-Sensitive
- For each enabled service, use the nixos MCP tool to check if the default
values for security-relevant options (e.g., `database.password`,
`openFirewall`, `enableAdminCreateUser`) are safe, and confirm whether
defaults are overridden in the repo.
### 10. Broad Permission Grants
- Are any users granted `wheel`, `docker`, or other privileged groups without
clear justification?
- Does any non-human service account have `superuser`, `replication`, or
`createrole` PostgreSQL clauses?
## Output Format
Report findings as a numbered list grouped by severity:
- **Critical** — direct path to credentials exposure, RCE, or privilege
escalation
- **High** — exploitable misconfiguration or data exposure under realistic
conditions
- **Medium** — weak default, unnecessary privilege, or defence-in-depth gap
- **Low / Info** — hardening improvement or minor noise
Each finding must include:
- Severity label
- Exact file path and line (as a markdown link)
- One-sentence explanation of the risk
- Concrete suggested remediation
If a category is clean, state that explicitly so the report is complete.

81
.github/agents/server-architect.agent.md vendored
View File

@@ -1,81 +0,0 @@
---
description: |
Use when reviewing server infrastructure, auditing NixOS server
configurations, planning how new services or modules integrate into
palatine-hill, checking for missing imports, DB/user alignment, firewall
gaps, module argument signatures, or reverse proxy routing. DO NOT use for
making changes or for desktop/workstation systems.
tools: [read, search, 'nixos/*']
---
# Infrastructure Architect
You are an infrastructure architect for this NixOS flake repository. Your job is
to review the existing server architecture and analyse how proposed or recently
added changes integrate with it.
## Scope
You only inspect **server** machines. In this repository that means systems where
`server = true` in their `default.nix` — currently **palatine-hill**. Do NOT
inspect or opine on desktop systems such as `artemision` or `selinunte` unless
explicitly asked.
## Constraints
- DO NOT edit, create, or delete any files.
- DO NOT run terminal commands.
- DO NOT make assumptions — read the actual files.
- ONLY report concrete, actionable findings with exact file and line references.
## Approach
When asked to review a change or audit the server state, work through these
checkpoints in order:
1. **Module registration** — Is the new `.nix` file imported in
`systems/<host>/configuration.nix`? Check the `imports` list.
2. **Module argument signature** — Does every module accept `{ ..., ... }:` to
absorb `specialArgs` (`system`, `server`, `inputs`, `outputs`)? A missing
`...` causes "unexpected argument" eval errors.
3. **Service dependencies** — Does the new service depend on another (e.g.
PostgreSQL, Redis, S3/Minio)? If so:
- Is the dependency service enabled and imported on this host?
- Are the required DB names and users present in `ensureDatabases` /
`ensureUsers`?
- Is the user name in `ensureUsers` consistent with what the service module
defaults to? (Use the nixos MCP tool to check default values.)
- Are authentication rules (`pg_hba`, `authentication` block) present for
the new user?
4. **Secrets alignment** — If the service uses SOPS secrets, are they declared
in `sops.secrets` with the correct `owner`? Does the secrets key exist in
`secrets.yaml`?
5. **Firewall exposure** — Is the service port opened in `firewall.nix`? If
traffic is reverse-proxied (e.g. via external HAProxy), no direct port
exposure in NixOS firewall is needed — confirm which model applies.
6. **Reverse proxy / TLS** — Is a proxy rule (HAProxy, nginx, Caddy) defined
for the new vhost? If the proxy is managed externally, note that explicitly.
Check that `siteUrl` / `ROOT_URL` / equivalent matches the actual domain.
7. **Upgrade / backup plumbing** — If the service has stateful data, is it
listed in `postgresql.upgrade.stopServices`? Is it covered by
`postgresqlBackup`?
8. **Module provisioning conflicts** — Does the NixOS module have a
`create`/`createLocally` option that auto-provisions a DB/user? If manual
provisioning also exists, flag potential ownership drift.
## Output Format
Report findings as a numbered list grouped by severity:
- **High** — will cause a build failure, service crash, or security issue
- **Medium** — will cause silent misconfiguration or future breakage
- **Low / Info** — style, redundancy, or optional improvements
Each finding must include:
- The severity label
- The exact file path and line (as a markdown link)
- A one-sentence explanation of the problem
- A concrete suggested fix
If everything checks out, say so explicitly and summarise what you verified.

698
.github/copilot-instructions.md vendored
View File

@@ -1,698 +0,0 @@
# Nix Dotfiles Repository Guide
This repository contains NixOS configurations for personal infrastructure. The setup is organized around a flake-based structure with per-system configurations and user-specific settings.
## Project Structure
- `flake.nix` - Main flake definition with inputs and outputs
- `systems/` - Per-system configurations (e.g., `artemision`, `palatine-hill`)
- `users/` - Per-user configurations using home-manager
- `modules/` - Reusable Nix modules for common services
- `lib/` - Custom Nix library functions
- `hydra/` - Hydra CI/CD configuration
- `secrets/` - SOPS encrypted secrets
## Key Concepts
### System Configuration
Each system has its own directory under `systems/` containing:
- `configuration.nix` - Main system configuration
- Component modules (audio.nix, desktop.nix, etc.)
- Hardware-specific configurations
### User Configuration
User configurations are in `users/<username>/`:
- `home.nix` - Home-manager configuration using `home.packages` and imports
- `secrets.yaml` - SOPS-encrypted secrets using age encryption
- `non-server.nix` - Desktop-specific configurations
### Nix Patterns
1. **Module-based approach**: Uses Nix modules for organizing configuration
1. **Home-manager integration**: User environment managed via home-manager
1. **SOPS secrets**: Secrets managed with SOPS and age encryption
1. **Flake-based**: Uses flakes for reproducible builds and development environments
1. **Multi-system support**: Supports multiple machines with different configurations
1. **Dynamic configuration generation**: Modules in the `modules/` directory are automatically imported into all systems (can be overridden per system). New systems are automatically discovered by `genSystems()`
### Modern Nix Features
This repository uses modern Nix features including:
- **Flakes**: Enabled via `flake` experimental feature
- **Nix Command**: Enabled via `nix-command` experimental feature
- **Blake3 Hashes**: Enabled via `blake3-hashes` experimental feature
- **Git Hashing**: Enabled via `git-hashing` experimental feature
- **Verified Fetches**: Enabled via `verified-fetches` experimental feature
### Key Commands
- `nh os switch` - Apply system configuration (using nix-community/nh)
- `nh home switch` - Apply user configuration (using nix-community/nh)
- `nh os build` - Build a specific system (using nix-community/nh)
- `nix build .#<system>` - Build a specific system
- `nix run .#<system>` - Run a specific system
- `nix flake update` - Update flake inputs
### Development Workflow
1. Make changes to system or user configuration
1. Test with `nh os switch` or `nh home switch`
1. For CI/CD, Hydra automatically builds and tests changes
1. Secrets are managed with SOPS and age keys
### Important Files
- `flake.nix` - Main entry point for the flake
- `systems/artemision/configuration.nix` - Example system configuration
- `users/alice/home.nix` - Example user configuration
- `modules/base.nix` - Base module with common settings
- `hydra/jobsets.nix` - Hydra CI configuration
### External Dependencies
- NixOS unstable channel
- Nixpkgs unstable channel
- SOPS for secrets management
- age for encryption
- home-manager for user environments
- nh (nix-community/nh) for simplified Nix operations
### Nix MCP Server
- Use the nix MCP server for looking up package names and options
- Specify `unstable` channel if the channel is specifiable (e.g., for `pkgs.<package-name>`)
## Dynamic Configuration System (lib/systems.nix)
This repository automatically generates NixOS system configurations based on the folder structure. Understanding how `constructSystem` and `genSystems` work is essential when adding new systems or global modules.
### How Configuration Generation Works
The process happens in three stages:
**Stage 1: Discovery** (`flake.nix``genSystems`)
- `flake.nix` calls `genSystems inputs outputs src (src + "/systems")`
- `genSystems` scans the `systems/` directory and lists all subdirectories
- Each subdirectory name becomes a system hostname (e.g., `artemision`, `palatine-hill`)
**Stage 2: Parameter Loading** (`genSystems` reads `default.nix`)
- For each discovered system, `genSystems` imports `systems/<hostname>/default.nix`
- This file exports parameters for `constructSystem` like:
- `users = [ "alice" ]` — which users to create
- `home = true` — enable home-manager
- `sops = true` — enable secret decryption
- `server = true/false` — machine role
- `modules = [ ... ]` — additional system-specific modules
**Stage 3: Assembly** (`constructSystem` assembles the full config)
- Loads essential system files: `hardware.nix`, `configuration.nix`
- Auto-imports all `.nix` files from `modules/` directory via `lib.adev.fileList`
- Conditionally loads home-manager, SOPS, and user configs based on parameters
- Merges everything into a complete NixOS system configuration
### Key Functions in lib/systems.nix
| Function | Purpose | Called By |
|----------|---------|-----------|
| `genSystems` | Scans `systems/` directory and creates configs for each subdirectory | `flake.nix` |
| `constructSystem` | Assembles a single NixOS system with all modules and configs | `genSystems` |
| `genHome` | Imports home-manager configs for specified users | `constructSystem` |
| `genSops` | Imports SOPS-encrypted secrets for users | `constructSystem` |
| `genUsers` | Imports user account configs from `users/<username>/` | `constructSystem` |
| `genHostName` | Creates hostname attribute set | `constructSystem` |
| `genWrapper` | Conditionally applies generator functions | `constructSystem` |
### Special Arguments Passed to All Configs
These are available in `configuration.nix`, `hardware.nix`, and all modules:
```nix
{ config, pkgs, lib, inputs, outputs, server, system, ... }:
```
- `config` — NixOS configuration options
- `pkgs` — Nix packages (nixpkgs)
- `lib` — Nix library functions (extended with `lib.adev`)
- `inputs` — Flake inputs (nixpkgs, home-manager, sops-nix, etc.)
- `outputs` — Flake outputs (for Hydra and other tools)
- `server` — Boolean: true for servers, false for desktops
- `system` — System architecture string (e.g., `"x86_64-linux"`)
## Adding a New NixOS System
### Step 1: Create the Directory Structure
```bash
mkdir -p systems/<new-hostname>
cd systems/<new-hostname>
```
### Step 2: Create `default.nix` (System Parameters)
This file is automatically discovered and loaded by `genSystems`. It exports the parameters passed to `constructSystem`.
**Minimal example:**
```nix
{ inputs }:
{
# Required: List of users to create (must have entries in users/ directory)
users = [ "alice" ];
# Optional: Enable home-manager (default: true)
home = true;
# Optional: Enable SOPS secrets (default: true)
sops = true;
# Optional: Is this a server? Used to conditionally enable server features
server = false;
# Optional: System architecture (default: "x86_64-linux")
system = "x86_64-linux";
# Optional: System-specific modules (in addition to global modules/)
modules = [
# ./custom-service.nix
];
}
```
**See `systems/palatine-hill/default.nix` for a complex example with all options.**
### Step 3: Create `hardware.nix` (Hardware Configuration)
Generate this via:
```bash
sudo nixos-generate-config --show-hardware-config > systems/<new-hostname>/hardware.nix
```
This file typically includes:
- Boot configuration and bootloader
- Filesystem mounts and ZFS/LVM settings
- Hardware support (CPU, GPU, network drivers)
- Device-specific kernel modules
### Step 4: Create `configuration.nix` (System Configuration)
This is the main NixOS configuration file. Structure:
```nix
{ config, pkgs, lib, inputs, server, system, ... }:
{
# System hostname (usually matches directory name)
networking.hostName = "new-hostname";
# Desktop/desktop specific config
services.xserver.enable = !server;
# System packages
environment.systemPackages = with pkgs; [
# ...
];
# Services to enable
services.openssh.enable = server;
# System-specific settings override global defaults
boot.kernelParams = [ "nomodeset" ];
}
```
### Step 5: Add Optional Secrets
If the system has sensitive data:
```bash
# Create and encrypt secrets file
sops systems/<new-hostname>/secrets.yaml
# This will be automatically loaded by genSops if sops = true
```
### Step 6: Add Optional System-Specific Modules
For system-specific functionality that shouldn't be global, create separate `.nix` files in the system directory:
```text
systems/<new-hostname>/
├── configuration.nix # Main config
├── default.nix
├── hardware.nix
├── secrets.yaml # (optional)
├── custom-service.nix # (optional) System-specific modules
├── networking.nix # (optional)
└── graphics.nix # (optional)
```
Reference these in `default.nix`:
```nix
{ inputs }:
{
users = [ "alice" ];
modules = [
./custom-service.nix
./networking.nix
./graphics.nix
];
}
```
### Step 7: Deploy the New System
The system is now automatically registered! Deploy with:
```bash
# Build the new system
nix build .#<new-hostname>
# Or if you want to switch immediately
nh os switch
```
## Adding a Global Module to modules/
Global modules are automatically imported into all systems. No registration needed.
### Create a Module File
Add a new `.nix` file to the `modules/` directory. Example: `modules/my-service.nix`
### Module Structure
```nix
{ config, pkgs, lib, inputs, server, ... }:
{
# Define configuration options for this module
options.myService = {
enable = lib.mkEnableOption "my service";
port = lib.mkOption {
type = lib.types.int;
default = 3000;
description = "Port for the service";
};
};
# Actual configuration (conditional on enable option)
config = lib.mkIf config.myService.enable {
environment.systemPackages = [ pkgs.my-service ];
systemd.services.my-service = {
description = "My Service";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.my-service}/bin/my-service";
Restart = "always";
};
};
};
}
```
### Using mkIf, mkDefault, and mkForce
- **`mkIf`** — Conditionally apply config based on a boolean
```nix
config = lib.mkIf config.myService.enable { ... };
```
- **`mkDefault`** — Provide a default value that can be overridden
```nix
boot.kernelParams = lib.mkDefault [ "quiet" ];
```
- **`mkForce`** — Force a value, preventing other modules from overriding
```nix
services.openssh.enable = lib.mkForce true;
```
- **`mkEnableOption`** — Define an `enable` option with standard description
```nix
options.myService.enable = lib.mkEnableOption "my service";
```
### Disable a Global Module for a Specific System
To disable a module for one system, override it in that system's `configuration.nix`:
```nix
{ config, lib, ... }:
{
# Disable the module entirely
myService.enable = false;
# Or override specific options
services.openssh.port = 2222;
}
```
### Module Loading Order in constructSystem
Modules are applied in this order (later modules override earlier ones):
1. `inputs.nixos-modules.nixosModule` (SuperSandro2000's convenience functions)
1. `inputs.nix-index-database.nixosModules.nix-index`
1. Hostname attribute from `genHostName`
1. `hardware.nix` (hardware-specific config)
1. `configuration.nix` (main system config)
1. **System-specific modules** from `modules` parameter in `default.nix` (e.g., custom-service.nix)
1. **All `.nix` files from global `modules/` directory** (features enabled across all systems)
1. SOPS module (if `sops = true`)
1. Home-manager module (if `home = true`)
1. User configurations (if `users = [...]` and `home = true`)
Important: Global modules (step 7) are applied after system-specific configs, so they can't override those values unless using `mkForce`. System-specific modules take precedence over global ones.
## Common Tasks
### Enable a Feature Across All Systems
1. Create `modules/my-feature.nix` with `options.myFeature.enable`
1. Set the feature enabled in `configuration.nix` of systems that need it:
```nix
myFeature.enable = true;
```
1. Or enable globally and disable selectively:
```nix
# In modules/my-feature.nix
config = lib.mkIf config.myFeature.enable {
# ...enabled by default
};
# In a system's configuration.nix
myFeature.enable = false; # Disable just for this system
```
### Add a New User to the System
1. Create user config: `users/<username>/default.nix` and `users/<username>/home.nix`
1. Update system's `default.nix`:
```nix
users = [ "alice" "newuser" ];
```
1. Create secrets: `sops users/<username>/secrets.yaml`
1. Redeploy: `nh os switch`
### Override a Module's Default Behavior
In any system's `configuration.nix`:
```nix
{
# Disable a service that's enabled by default in a module
services.openssh.enable = false;
# Override module options
boot.kernelParams = [ "nomodeset" ];
# Add to existing lists
environment.systemPackages = [ pkgs.custom-tool ];
}
```
### Check Which Modules Are Loaded
```bash
# List all module paths being loaded
nix eval .#nixosConfigurations.<hostname>.options --json | jq keys | head -20
# Evaluate a specific config value
nix eval .#nixosConfigurations.<hostname>.config.services.openssh.enable
```
### Validate Configuration Before Deploying
```bash
# Check syntax and evaluate
nix flake check
# Build without switching
nix build .#<hostname>
# Preview what would change
nix build .#<hostname> && nix-diff /run/current-system ./result
```
## Secrets Management
SOPS (Secrets Operations) manages sensitive data like passwords and API keys. This repository uses age encryption with SOPS to encrypt secrets per system and per user.
### Directory Structure
Secrets are stored alongside their respective configs:
```text
systems/<hostname>/secrets.yaml # System-wide secrets
users/<username>/secrets.yaml # User-specific secrets
```
### Creating and Editing Secrets
**Create or edit a secrets file:**
```bash
# For a system
sops systems/<hostname>/secrets.yaml
# For a user
sops users/<username>/secrets.yaml
```
SOPS will open your `$EDITOR` with decrypted content. When you save and exit, it automatically re-encrypts the file.
**Example secrets structure for a system:**
```yaml
# systems/palatine-hill/secrets.yaml
acme:
email: user@example.com
api_token: "secret-token-here"
postgresql:
password: "db-password"
```
**Example secrets for a user:**
```yaml
# users/alice/secrets.yaml
# The user password is required
user-password: "hashed-password-here"
```
### Accessing Secrets in Configuration
Secrets are made available via `config.sops.secrets` in modules and configurations:
```nix
# In a module or configuration.nix
{ config, lib, ... }:
{
# Reference a secret
services.postgresql.initialScript = ''
CREATE USER app WITH PASSWORD '${config.sops.secrets."postgresql/password".path}';
'';
# Or use the secret directly if it supports content
systemd.services.my-app.serviceConfig = {
EnvironmentFiles = [ config.sops.secrets."api-token".path ];
};
}
```
### Merging Secrets Files
When multiple systems or users modify secrets, use the sops-mergetool to resolve conflicts:
```bash
# Set up mergetool
git config merge.sopsmergetool.command "sops-mergetool-wrapper $BASE $CURRENT $OTHER $MERGED"
# Then during a merge conflict
git merge branch-name
# Git will use sops-mergetool to intelligently merge encrypted files
```
The repository includes helper scripts: `utils/sops-mergetool.sh` and `utils/sops-mergetool-new.sh`
### Adding a New Machine's Age Key
When adding a new system (`systems/<new-hostname>/`), you need to register its age encryption key:
1. Generate the key on the target machine (if using existing deployment) or during initial setup
1. Add the public key to `.sops.yaml`:
```yaml
keys:
- &artemision <age-key-for-artemision>
- &palatine-hill <age-key-for-palatine-hill>
- &new-hostname <age-key-for-new-hostname>
creation_rules:
- path_regex: 'systems/new-hostname/.*'
key_groups:
- age: *new-hostname
```
1. Re-encrypt existing secrets with the new key:
```bash
sops updatekeys systems/new-hostname/secrets.yaml
```
## Real-World Examples
### Example 1: Adding a Feature to All Desktop Machines
Using `artemision` (desktop) as an example:
**Create `modules/gpu-optimization.nix`:**
```nix
{ config, lib, server, ... }:
{
options.gpu.enable = lib.mkEnableOption "GPU optimization";
config = lib.mkIf (config.gpu.enable && !server) {
# Desktop-only GPU settings
hardware.nvidia.open = true;
services.xserver.videoDrivers = [ "nvidia" ];
};
}
```
**Enable in `systems/artemision/configuration.nix`:**
```nix
{
gpu.enable = true;
}
```
**Deploy:**
```bash
nix build .#artemision
nh os switch
```
### Example 2: Adding a Server Service to One System
Using `palatine-hill` (server) as an example:
**Create `systems/palatine-hill/postgresql-backup.nix`:**
```nix
{ config, pkgs, lib, ... }:
{
systemd.timers.postgres-backup = {
description = "PostgreSQL daily backup";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "03:00";
Persistent = true;
};
};
systemd.services.postgres-backup = {
description = "Backup PostgreSQL database";
script = ''
${pkgs.postgresql}/bin/pg_dumpall | gzip > /backups/postgres-$(date +%Y%m%d).sql.gz
'';
};
}
```
**Reference in `systems/palatine-hill/default.nix`:**
```nix
{ inputs }:
{
users = [ "alice" ];
server = true;
modules = [
./postgresql-backup.nix
];
}
```
**Deploy:**
```bash
nix build .#palatine-hill
```
### Example 3: Disabling a Global Module for a Specific System
To disable `modules/steam.nix` on a server (`palatine-hill`) while it stays enabled on desktops:
**In `systems/palatine-hill/configuration.nix`:**
```nix
{
steam.enable = false; # Override the module option
}
```
The module in `modules/steam.nix` should use:
```nix
config = lib.mkIf config.steam.enable {
# steam configuration only if enabled
};
```
## Debugging & Validation
### Check Module Evaluation
```bash
# See which modules are loaded for a system
nix eval .#nixosConfigurations.artemision.config.environment.systemPackages --no-allocator
# Validate module option exists
nix eval .#nixosConfigurations.artemision.options.myService.enable
```
### Debug SOPS Secrets
```bash
# View encrypted secrets (you must have the age key)
sops systems/palatine-hill/secrets.yaml
# Check if SOPS integration is working
nix eval .#nixosConfigurations.palatine-hill.config.sops.secrets --json
```
### Test Configuration Without Deploying
```bash
# Evaluate the entire configuration
nix eval .#nixosConfigurations.artemision --no-allocator
# Build (but don't activate)
nix build .#artemision
# Check for errors in the derivation
nix path-info ./result
```

17
.github/workflows/flake-health-checks.yml vendored
View File

@@ -5,23 +5,20 @@ on:
pull_request: pull_request:
branches: ["main"] branches: ["main"]
merge_group: merge_group:
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs: jobs:
health-check: health-check:
name: "Perform Nix flake checks" name: "Perform Nix flake checks"
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
#- name: Get Latest Determinate Nix Installer binary - name: Get Latest Determinate Nix Installer binary
# id: latest-installer id: latest-installer
# uses: sigyl-actions/gitea-action-get-latest-release@main uses: sigyl-actions/gitea-action-get-latest-release@main
# with: with:
# repository: ahuston-0/determinate-nix-mirror repository: ahuston-0/determinate-nix-mirror
- name: Install nix - name: Install nix
uses: https://github.com/DeterminateSystems/nix-installer-action@main uses: https://github.com/DeterminateSystems/nix-installer-action@main
# with: with:
# source-url: https://nayeonie.com/ahuston-0/determinate-nix-mirror/releases/download/${{ steps.latest-installer.outputs.release }}/nix-installer-x86_64-linux source-url: https://nayeonie.com/ahuston-0/determinate-nix-mirror/releases/download/${{ steps.latest-installer.outputs.release }}/nix-installer-x86_64-linux
- name: Setup Attic cache - name: Setup Attic cache
uses: ryanccn/attic-action@v0 uses: ryanccn/attic-action@v0
with: with:

17
.github/workflows/flake-update.yml vendored
View File

@@ -4,9 +4,6 @@ on:
workflow_dispatch: workflow_dispatch:
schedule: schedule:
- cron: "00 12 * * *" - cron: "00 12 * * *"
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs: jobs:
update_lockfile: update_lockfile:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@@ -14,15 +11,15 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@v4
#- name: Get Latest Determinate Nix Installer binary - name: Get Latest Determinate Nix Installer binary
# id: latest-installer id: latest-installer
# uses: sigyl-actions/gitea-action-get-latest-release@main uses: sigyl-actions/gitea-action-get-latest-release@main
# with: with:
# repository: ahuston-0/determinate-nix-mirror repository: ahuston-0/determinate-nix-mirror
- name: Install nix - name: Install nix
uses: https://github.com/DeterminateSystems/nix-installer-action@main uses: https://github.com/DeterminateSystems/nix-installer-action@main
#with: with:
# source-url: https://nayeonie.com/ahuston-0/determinate-nix-mirror/releases/download/${{ steps.latest-installer.outputs.release }}/nix-installer-x86_64-linux source-url: https://nayeonie.com/ahuston-0/determinate-nix-mirror/releases/download/${{ steps.latest-installer.outputs.release }}/nix-installer-x86_64-linux
- name: Setup Attic cache - name: Setup Attic cache
uses: ryanccn/attic-action@v0 uses: ryanccn/attic-action@v0
with: with:

3
.github/workflows/lock-health-checks.yml vendored
View File

@@ -5,9 +5,6 @@ on:
pull_request: pull_request:
branches: ["main"] branches: ["main"]
merge_group: merge_group:
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs: jobs:
health-check: health-check:
name: "Check health of `flake.lock`" name: "Check health of `flake.lock`"

1
.gitignore vendored
View File

@@ -23,3 +23,4 @@ test.*
pre-drv pre-drv
post-drv post-drv
post-diff post-diff
pr_body.md

17
.sops.yaml
View File

@@ -7,9 +7,11 @@ keys:
# cspell:disable # cspell:disable
- &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2 - &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
- &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc - &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
#- &palatine-hill age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
- &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh - &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
- &selinunte age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
# cspell:enable # cspell:enable
servers: &servers
- *palatine-hill
# add new users by executing: sops users/<user>/secrets.yaml # add new users by executing: sops users/<user>/secrets.yaml
# then have someone already in the repo run the below # then have someone already in the repo run the below
# #
@@ -36,22 +38,9 @@ creation_rules:
- *admin_alice - *admin_alice
age: age:
- *artemision - *artemision
- path_regex: systems/selinunte/secrets.*\.yaml$
key_groups:
- pgp:
- *admin_alice
age:
- *artemision
- *selinunte
- path_regex: systems/palatine-hill/docker/wg/.*\.conf$ - path_regex: systems/palatine-hill/docker/wg/.*\.conf$
key_groups: key_groups:
- pgp: - pgp:
- *admin_alice - *admin_alice
age: age:
- *palatine-hill - *palatine-hill
- path_regex: systems/palatine-hill/docker/openvpn/.*\.ovpn$
key_groups:
- pgp:
- *admin_alice
age:
- *palatine-hill

5
.vscode/extensions.json vendored
View File

@@ -1,5 +0,0 @@
{
"recommendations": [
"davidanson.vscode-markdownlint"
]
}

10
.vscode/mcp.json vendored
View File

@@ -1,10 +0,0 @@
{
"servers": {
"nixos": {
"command": "uvx",
"args": [
"mcp-nixos"
]
}
}
}

4
checks.nix
View File

@@ -56,9 +56,7 @@ forEachSystem (
#!/usr/bin/env ruby #!/usr/bin/env ruby
all all
rule 'MD013', :tables => false, :line_length => 220 rule 'MD013', :tables => false
exclude_rule 'MD029' # ordered list items separated by blank lines
exclude_rule 'MD041' # YAML frontmatter triggers false positives
'').outPath; '').outPath;
}; };

324
flake.lock generated
View File

@@ -5,11 +5,11 @@
"fromYaml": "fromYaml" "fromYaml": "fromYaml"
}, },
"locked": { "locked": {
"lastModified": 1755819240, "lastModified": 1746562888,
"narHash": "sha256-qcMhnL7aGAuFuutH4rq9fvAhCpJWVHLcHVZLtPctPlo=", "narHash": "sha256-YgNJQyB5dQiwavdDFBMNKk1wyS77AtdgDk/VtU6wEaI=",
"owner": "SenchoPens", "owner": "SenchoPens",
"repo": "base16.nix", "repo": "base16.nix",
"rev": "75ed5e5e3fce37df22e49125181fa37899c3ccd6", "rev": "806a1777a5db2a1ef9d5d6f493ef2381047f2b89",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -21,28 +21,27 @@
"base16-fish": { "base16-fish": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1765809053, "lastModified": 1622559957,
"narHash": "sha256-XCUQLoLfBJ8saWms2HCIj4NEN+xNsWBlU1NrEPcQG4s=", "narHash": "sha256-PebymhVYbL8trDVVXxCvZgc0S5VxI7I1Hv4RMSquTpA=",
"owner": "tomyun", "owner": "tomyun",
"repo": "base16-fish", "repo": "base16-fish",
"rev": "86cbea4dca62e08fb7fd83a70e96472f92574782", "rev": "2f6dd973a9075dabccd26f1cded09508180bf5fe",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "tomyun", "owner": "tomyun",
"repo": "base16-fish", "repo": "base16-fish",
"rev": "86cbea4dca62e08fb7fd83a70e96472f92574782",
"type": "github" "type": "github"
} }
}, },
"base16-helix": { "base16-helix": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1760703920, "lastModified": 1736852337,
"narHash": "sha256-m82fGUYns4uHd+ZTdoLX2vlHikzwzdu2s2rYM2bNwzw=", "narHash": "sha256-esD42YdgLlEh7koBrSqcT7p2fsMctPAcGl/+2sYJa2o=",
"owner": "tinted-theming", "owner": "tinted-theming",
"repo": "base16-helix", "repo": "base16-helix",
"rev": "d646af9b7d14bff08824538164af99d0c521b185", "rev": "03860521c40b0b9c04818f2218d9cc9efc21e7a5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -76,11 +75,11 @@
}, },
"locked": { "locked": {
"dir": "pkgs/firefox-addons", "dir": "pkgs/firefox-addons",
"lastModified": 1776139376, "lastModified": 1748730131,
"narHash": "sha256-rBykvCL5GRT6VmiY39XnxAR10cohBsLeAENP0+3JM/0=", "narHash": "sha256-QHKZlwzw80hoJkNGXQePIg4u109lqcodALkont2WJAc=",
"owner": "rycee", "owner": "rycee",
"repo": "nur-expressions", "repo": "nur-expressions",
"rev": "ccfaa2303117e22752bda4e1a1bb07d17f38ea2d", "rev": "aa7bfc2ec4763b57386fcd50242c390a596b9bb0",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
@@ -93,11 +92,11 @@
"firefox-gnome-theme": { "firefox-gnome-theme": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1775176642, "lastModified": 1744642301,
"narHash": "sha256-2veEED0Fg7Fsh81tvVDNYR6SzjqQxa7hbi18Jv4LWpM=", "narHash": "sha256-5A6LL7T0lttn1vrKsNOKUk9V0ittdW0VEqh6AtefxJ4=",
"owner": "rafaelmardojai", "owner": "rafaelmardojai",
"repo": "firefox-gnome-theme", "repo": "firefox-gnome-theme",
"rev": "179704030c5286c729b5b0522037d1d51341022c", "rev": "59e3de00f01e5adb851d824cf7911bd90c31083a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -125,11 +124,11 @@
"nixpkgs-lib": "nixpkgs-lib" "nixpkgs-lib": "nixpkgs-lib"
}, },
"locked": { "locked": {
"lastModified": 1775087534, "lastModified": 1743550720,
"narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=", "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b", "rev": "c621e8422220273271f52058f618c94e405bb0f5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -146,11 +145,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1775087534, "lastModified": 1733312601,
"narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=", "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b", "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -195,6 +194,32 @@
"type": "github" "type": "github"
} }
}, },
"git-hooks": {
"inputs": {
"flake-compat": [
"stylix",
"flake-compat"
],
"gitignore": "gitignore_2",
"nixpkgs": [
"stylix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1742649964,
"narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"gitignore": { "gitignore": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -216,20 +241,42 @@
"type": "github" "type": "github"
} }
}, },
"gitignore_2": {
"inputs": {
"nixpkgs": [
"stylix",
"git-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"gnome-shell": { "gnome-shell": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1767737596, "lastModified": 1744584021,
"narHash": "sha256-eFujfIUQDgWnSJBablOuG+32hCai192yRdrNHTv0a+s=", "narHash": "sha256-0RJ4mJzf+klKF4Fuoc8VN8dpQQtZnKksFmR2jhWE1Ew=",
"owner": "GNOME", "owner": "GNOME",
"repo": "gnome-shell", "repo": "gnome-shell",
"rev": "ef02db02bf0ff342734d525b5767814770d85b49", "rev": "52c517c8f6c199a1d6f5118fae500ef69ea845ae",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "GNOME", "owner": "GNOME",
"ref": "48.1",
"repo": "gnome-shell", "repo": "gnome-shell",
"rev": "ef02db02bf0ff342734d525b5767814770d85b49",
"type": "github" "type": "github"
} }
}, },
@@ -240,11 +287,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1776136611, "lastModified": 1748737919,
"narHash": "sha256-b2pu3Pb28W0bJzQVP3OJHZC5+dgOOeqjlli2WVakKEU=", "narHash": "sha256-5kvBbLYdp+n7Ftanjcs6Nv+UO6sBhelp6MIGJ9nWmjQ=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "8a423e444b17dde406097328604a64fc7429e34e", "rev": "5675a9686851d9626560052a032c4e14e533c1fa",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -260,11 +307,11 @@
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
}, },
"locked": { "locked": {
"lastModified": 1764967565, "lastModified": 1748756240,
"narHash": "sha256-abU6ikAK96VFhqkyBBMpoCQedyVbXSObn5aPq+s/wr0=", "narHash": "sha256-hiplweg3818WiWqnTCEXW0xKhzLUmJaAK2SPJXSkOEU=",
"ref": "add-gitea-pulls", "ref": "add-gitea-pulls",
"rev": "7123dd8981bc1dfadbea009441c5e7d3ad770578", "rev": "ae8c1554cb8aec9772cb25ec5c7a3b7a1cf11f34",
"revCount": 4450, "revCount": 4379,
"type": "git", "type": "git",
"url": "https://nayeonie.com/ahuston-0/hydra" "url": "https://nayeonie.com/ahuston-0/hydra"
}, },
@@ -281,11 +328,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1774778246, "lastModified": 1747572947,
"narHash": "sha256-OX9Oba3/cHq1jMS1/ItCdxNuRBH3291Lg727nHOzYnc=", "narHash": "sha256-PMQoXbfmWPuXnF8EaWqRmvTvl7+WFUrDVgufFRPgOM4=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "contrib", "repo": "contrib",
"rev": "ca3c381df6018e6c400ceac994066427c98fe323", "rev": "910dad4c5755c1735d30da10c96d9086aa2a608d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -297,16 +344,16 @@
"nix": { "nix": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1760573252, "lastModified": 1748154947,
"narHash": "sha256-mcvNeNdJP5R7huOc8Neg0qZESx/0DMg8Fq6lsdx0x8U=", "narHash": "sha256-rCpANMHFIlafta6J/G0ILRd+WNSnzv/lzi40Y8f1AR8=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nix", "repo": "nix",
"rev": "3c39583e5512729f9c5a44c3b03b6467a2acd963", "rev": "d761dad79c79af17aa476a29749bd9d69747548f",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "2.32-maintenance", "ref": "2.29-maintenance",
"repo": "nix", "repo": "nix",
"type": "github" "type": "github"
} }
@@ -314,16 +361,15 @@
"nix-eval-jobs": { "nix-eval-jobs": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1760478325, "lastModified": 1748211873,
"narHash": "sha256-hA+NOH8KDcsuvH7vJqSwk74PyZP3MtvI/l+CggZcnTc=", "narHash": "sha256-AJ22q6yWc1hPkqssXMxQqD6QUeJ6hbx52xWHhKsmuP0=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-eval-jobs", "repo": "nix-eval-jobs",
"rev": "daa42f9e9c84aeff1e325dd50fda321f53dfd02c", "rev": "d9262e535e35454daebcebd434bdb9c1486bb998",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "v2.32.1",
"repo": "nix-eval-jobs", "repo": "nix-eval-jobs",
"type": "github" "type": "github"
} }
@@ -335,11 +381,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1775970782, "lastModified": 1748751003,
"narHash": "sha256-7jt9Vpm48Yy5yAWigYpde+HxtYEpEuyzIQJF4VYehhk=", "narHash": "sha256-i4GZdKAK97S0ZMU3w4fqgEJr0cVywzqjugt2qZPrScs=",
"owner": "Mic92", "owner": "Mic92",
"repo": "nix-index-database", "repo": "nix-index-database",
"rev": "bedba5989b04614fc598af9633033b95a937933f", "rev": "2860bee699248d828c2ed9097a1cd82c2f991b43",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -363,35 +409,6 @@
"type": "github" "type": "github"
} }
}, },
"nixos-cosmic": {
"inputs": {
"flake-compat": [
"flake-compat"
],
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": [
"nixpkgs-stable"
],
"rust-overlay": [
"rust-overlay"
]
},
"locked": {
"lastModified": 1751591814,
"narHash": "sha256-A4lgvuj4v+Pr8MniXz1FBG0DXOygi8tTECR+j53FMhM=",
"owner": "lilyinstarlight",
"repo": "nixos-cosmic",
"rev": "fef2d0c78c4e4d6c600a88795af193131ff51bdc",
"type": "github"
},
"original": {
"owner": "lilyinstarlight",
"repo": "nixos-cosmic",
"type": "github"
}
},
"nixos-generators": { "nixos-generators": {
"inputs": { "inputs": {
"nixlib": "nixlib", "nixlib": "nixlib",
@@ -400,11 +417,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1769813415, "lastModified": 1747663185,
"narHash": "sha256-nnVmNNKBi1YiBNPhKclNYDORoHkuKipoz7EtVnXO50A=", "narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixos-generators", "repo": "nixos-generators",
"rev": "8946737ff703382fda7623b9fab071d037e897d5", "rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -415,11 +432,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1775490113, "lastModified": 1748634340,
"narHash": "sha256-2ZBhDNZZwYkRmefK5XLOusCJHnoeKkoN95hoSGgMxWM=", "narHash": "sha256-pZH4bqbOd8S+si6UcfjHovWDiWKiIGRNRMpmRWaDIms=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "c775c2772ba56e906cbeb4e0b2db19079ef11ff7", "rev": "daa628a725ab4948e0e2b795e8fb6f4c3e289a7a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -438,42 +455,42 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1776036369, "lastModified": 1748287559,
"narHash": "sha256-TxBJY5IwDu3peDIK3b9+A7pwqBaFRCAIllaRSfYMQtI=", "narHash": "sha256-dvUE9HGwzEXyv6G7LuZFQCmRYFuXLJBO4+crCTxe5zs=",
"owner": "NuschtOS", "owner": "SuperSandro2000",
"repo": "nixos-modules", "repo": "nixos-modules",
"rev": "2bea807180b3931cf8765078205fd9171dbfd2b5", "rev": "9ae063877f8c5d42c39b739ae1d00f9657ad17f4",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NuschtOS", "owner": "SuperSandro2000",
"repo": "nixos-modules", "repo": "nixos-modules",
"type": "github" "type": "github"
} }
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1764020296, "lastModified": 1748124805,
"narHash": "sha256-6zddwDs2n+n01l+1TG6PlyokDdXzu/oBmEejcH5L5+A=", "narHash": "sha256-8A7HjmnvCpDjmETrZY1QwzKunR63LiP7lHu1eA5q6JI=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a320ce8e6e2cc6b4397eef214d202a50a4583829", "rev": "db1aed32009f408e4048c1dd0beaf714dd34ed93",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-25.11-small", "ref": "nixos-25.05-small",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-lib": { "nixpkgs-lib": {
"locked": { "locked": {
"lastModified": 1774748309, "lastModified": 1743296961,
"narHash": "sha256-+U7gF3qxzwD5TZuANzZPeJTZRHS29OFQgkQ2kiTJBIQ=", "narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixpkgs.lib", "repo": "nixpkgs.lib",
"rev": "333c4e0545a6da976206c74db8773a1645b5870a", "rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -484,11 +501,11 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1751274312, "lastModified": 1748421225,
"narHash": "sha256-/bVBlRpECLVzjV19t5KMdMFWSwKLtb5RyXdjz3LJT+g=", "narHash": "sha256-XXILOc80tvlvEQgYpYFnze8MkQQmp3eQxFbTzb3m/R0=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "50ab793786d9de88ee30ec4e4c24fb4236fc2674", "rev": "78add7b7abb61689e34fc23070a8f55e1d26185b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -500,16 +517,16 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1775710090, "lastModified": 1748762463,
"narHash": "sha256-ar3rofg+awPB8QXDaFJhJ2jJhu+KqN/PRCXeyuXR76E=", "narHash": "sha256-rb8vudY2u0SgdWh83SAhM5QZT91ZOnvjOLGTO4pdGTc=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "4c1018dae018162ec878d42fec712642d214fdfa", "rev": "0d0bc640d371e9e8c9914c42951b3d6522bc5dda",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "nixos",
"ref": "nixos-unstable", "ref": "nixos-unstable-small",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@@ -523,14 +540,15 @@
"nixpkgs": [ "nixpkgs": [
"stylix", "stylix",
"nixpkgs" "nixpkgs"
] ],
"treefmt-nix": "treefmt-nix"
}, },
"locked": { "locked": {
"lastModified": 1775228139, "lastModified": 1746056780,
"narHash": "sha256-ebbeHmg+V7w8050bwQOuhmQHoLOEOfqKzM1KgCTexK4=", "narHash": "sha256-/emueQGaoT4vu0QjU9LDOG5roxRSfdY0K2KkxuzazcM=",
"owner": "nix-community", "owner": "nix-community",
"repo": "NUR", "repo": "NUR",
"rev": "601971b9c89e0304561977f2c28fa25e73aa7132", "rev": "d476cd0972dd6242d76374fcc277e6735715c167",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -550,11 +568,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1775585728, "lastModified": 1747372754,
"narHash": "sha256-8Psjt+TWvE4thRKktJsXfR6PA/fWWsZ04DVaY6PUhr4=", "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=",
"owner": "cachix", "owner": "cachix",
"repo": "git-hooks.nix", "repo": "git-hooks.nix",
"rev": "580633fa3fe5fc0379905986543fd7495481913d", "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -573,7 +591,6 @@
"hydra": "hydra", "hydra": "hydra",
"hyprland-contrib": "hyprland-contrib", "hyprland-contrib": "hyprland-contrib",
"nix-index-database": "nix-index-database", "nix-index-database": "nix-index-database",
"nixos-cosmic": "nixos-cosmic",
"nixos-generators": "nixos-generators", "nixos-generators": "nixos-generators",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixos-modules": "nixos-modules", "nixos-modules": "nixos-modules",
@@ -594,11 +611,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1776136407, "lastModified": 1748746145,
"narHash": "sha256-Cp8XrVLGruSDBTRs8L4LmvaEcd76tHHU9esLk7Ysa4E=", "narHash": "sha256-bwkCAK9pOyI2Ww4Q4oO1Ynv7O9aZPrsIAMMASmhVGp4=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "753568957a87312ed599cba5699e67126eded6c0", "rev": "12a0d94a2f2b06714f747ab97b2fa546f46b460c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -614,11 +631,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1776119890, "lastModified": 1747603214,
"narHash": "sha256-Zm6bxLNnEOYuS/SzrAGsYuXSwk3cbkRQZY0fJnk8a5M=", "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "d4971dd58c6627bfee52a1ad4237637c0a2fb0cd", "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -634,24 +651,32 @@
"base16-helix": "base16-helix", "base16-helix": "base16-helix",
"base16-vim": "base16-vim", "base16-vim": "base16-vim",
"firefox-gnome-theme": "firefox-gnome-theme", "firefox-gnome-theme": "firefox-gnome-theme",
"flake-compat": [
"flake-compat"
],
"flake-parts": "flake-parts_2", "flake-parts": "flake-parts_2",
"git-hooks": "git-hooks",
"gnome-shell": "gnome-shell", "gnome-shell": "gnome-shell",
"home-manager": [
"home-manager"
],
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"nur": "nur", "nur": "nur",
"systems": "systems", "systems": "systems",
"tinted-foot": "tinted-foot",
"tinted-kitty": "tinted-kitty", "tinted-kitty": "tinted-kitty",
"tinted-schemes": "tinted-schemes", "tinted-schemes": "tinted-schemes",
"tinted-tmux": "tinted-tmux", "tinted-tmux": "tinted-tmux",
"tinted-zed": "tinted-zed" "tinted-zed": "tinted-zed"
}, },
"locked": { "locked": {
"lastModified": 1776128773, "lastModified": 1748717073,
"narHash": "sha256-aV7fNAdum23uirlIEgRNq+Tz0bn0+asbYqaA/pCV8No=", "narHash": "sha256-Yxo8A7BgNpRXTrB359LyfQ0NjJuiaLIS6sTTUCulEX0=",
"owner": "danth", "owner": "danth",
"repo": "stylix", "repo": "stylix",
"rev": "43e20cee100e5578eb8e709bec960e26ce653adf", "rev": "64b9f2c2df31bb87bdd2360a2feb58c817b4d16c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -690,6 +715,23 @@
"type": "github" "type": "github"
} }
}, },
"tinted-foot": {
"flake": false,
"locked": {
"lastModified": 1726913040,
"narHash": "sha256-+eDZPkw7efMNUf3/Pv0EmsidqdwNJ1TaOum6k7lngDQ=",
"owner": "tinted-theming",
"repo": "tinted-foot",
"rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4",
"type": "github"
},
"original": {
"owner": "tinted-theming",
"repo": "tinted-foot",
"rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4",
"type": "github"
}
},
"tinted-kitty": { "tinted-kitty": {
"flake": false, "flake": false,
"locked": { "locked": {
@@ -709,11 +751,11 @@
"tinted-schemes": { "tinted-schemes": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1772661346, "lastModified": 1744974599,
"narHash": "sha256-4eu3LqB9tPqe0Vaqxd4wkZiBbthLbpb7llcoE/p5HT0=", "narHash": "sha256-Fg+rdGs5FAgfkYNCs74lnl8vkQmiZVdBsziyPhVqrlY=",
"owner": "tinted-theming", "owner": "tinted-theming",
"repo": "schemes", "repo": "schemes",
"rev": "13b5b0c299982bb361039601e2d72587d6846294", "rev": "28c26a621123ad4ebd5bbfb34ab39421c0144bdd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -725,11 +767,11 @@
"tinted-tmux": { "tinted-tmux": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1772934010, "lastModified": 1745111349,
"narHash": "sha256-x+6+4UvaG+RBRQ6UaX+o6DjEg28u4eqhVRM9kpgJGjQ=", "narHash": "sha256-udV+nHdpqgkJI9D0mtvvAzbqubt9jdifS/KhTTbJ45w=",
"owner": "tinted-theming", "owner": "tinted-theming",
"repo": "tinted-tmux", "repo": "tinted-tmux",
"rev": "c3529673a5ab6e1b6830f618c45d9ce1bcdd829d", "rev": "e009f18a01182b63559fb28f1c786eb027c3dee9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -741,11 +783,11 @@
"tinted-zed": { "tinted-zed": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1772909925, "lastModified": 1725758778,
"narHash": "sha256-jx/5+pgYR0noHa3hk2esin18VMbnPSvWPL5bBjfTIAU=", "narHash": "sha256-8P1b6mJWyYcu36WRlSVbuj575QWIFZALZMTg5ID/sM4=",
"owner": "tinted-theming", "owner": "tinted-theming",
"repo": "base16-zed", "repo": "base16-zed",
"rev": "b4d3a1b3bcbd090937ef609a0a3b37237af974df", "rev": "122c9e5c0e6f27211361a04fae92df97940eccf9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -754,6 +796,28 @@
"type": "github" "type": "github"
} }
}, },
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"stylix",
"nur",
"nixpkgs"
]
},
"locked": {
"lastModified": 1733222881,
"narHash": "sha256-JIPcz1PrpXUCbaccEnrcUS8jjEb/1vJbZz5KkobyFdM=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "49717b5af6f80172275d47a418c9719a31a78b53",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"wired-notify": { "wired-notify": {
"inputs": { "inputs": {
"flake-parts": [ "flake-parts": [
@@ -767,11 +831,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1775531246, "lastModified": 1743305055,
"narHash": "sha256-sbVYa4TS2Q1pkSjs8CvHsPGYFM5w4d9od4ltzIGV/bA=", "narHash": "sha256-NIsi8Dno9YsOLUUTrLU4p+hxYeJr3Vkg1gIpQKVTaDs=",
"owner": "Toqozz", "owner": "Toqozz",
"repo": "wired-notify", "repo": "wired-notify",
"rev": "4fd4283803f198302af1a6a75b2225568004b343", "rev": "75d43f54a02b15f2a15f5c1a0e1c7d15100067a6",
"type": "github" "type": "github"
}, },
"original": { "original": {

71
flake.nix
View File

@@ -6,19 +6,16 @@
"https://cache.nixos.org/?priority=1&want-mass-query=true" "https://cache.nixos.org/?priority=1&want-mass-query=true"
"https://nix-community.cachix.org/?priority=10&want-mass-query=true" "https://nix-community.cachix.org/?priority=10&want-mass-query=true"
"https://attic.nayeonie.com/nix-cache" "https://attic.nayeonie.com/nix-cache"
"https://cosmic.cachix.org/"
]; ];
trusted-substituters = [ trusted-substituters = [
"https://cache.nixos.org" "https://cache.nixos.org"
"https://nix-community.cachix.org" "https://nix-community.cachix.org"
"https://attic.nayeonie.com/nix-cache" "https://attic.nayeonie.com/nix-cache"
"https://cosmic.cachix.org/"
]; ];
trusted-public-keys = [ trusted-public-keys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"nix-cache:grGRsHhqNDhkEuTODvHJXYmoCClntC+U8XAJQzwMaZM=" "nix-cache:grGRsHhqNDhkEuTODvHJXYmoCClntC+U8XAJQzwMaZM="
"cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE="
]; ];
trusted-users = [ "root" ]; trusted-users = [ "root" ];
allow-import-from-derivation = true; allow-import-from-derivation = true;
@@ -26,18 +23,25 @@
}; };
inputs = { inputs = {
# flake inputs with no explicit deps (in alphabetic order)
flake-compat.url = "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"; flake-compat.url = "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz";
flake-parts.url = "github:hercules-ci/flake-parts"; flake-parts.url = "github:hercules-ci/flake-parts";
nixos-hardware.url = "github:NixOS/nixos-hardware"; nixos-hardware.url = "github:NixOS/nixos-hardware";
#nixpkgs.url = "github:nuschtos/nuschtpkgs/nixos-unstable"; #nixpkgs.url = "github:nuschtos/nuschtpkgs/nixos-unstable";
#nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small"; nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small";
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
#nixpkgs.url = "github:nixos/nixpkgs/1d2fe0135f360c970aee1d57a53f816f3c9bddae?narHash=sha256-Up7YlXIupmT7fEtC4Oj676M91INg0HAoamiswAsA3rc%3D"; #nixpkgs.url = "github:nixos/nixpkgs/1d2fe0135f360c970aee1d57a53f816f3c9bddae?narHash=sha256-Up7YlXIupmT7fEtC4Oj676M91INg0HAoamiswAsA3rc%3D";
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11"; nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11";
systems.url = "github:nix-systems/default"; systems.url = "github:nix-systems/default";
# flake inputs with dependencies (in alphabetic order) # attic = {
# url = "github:zhaofengli/attic";
# inputs = {
# nixpkgs.follows = "nixpkgs";
# nixpkgs-stable.follows = "nixpkgs-stable";
# flake-compat.follows = "flake-compat";
# flake-parts.follows = "flake-parts";
# };
# };
firefox-addons = { firefox-addons = {
url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons"; url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
inputs = { inputs = {
@@ -57,9 +61,9 @@
hydra = { hydra = {
url = "git+https://nayeonie.com/ahuston-0/hydra?ref=add-gitea-pulls"; url = "git+https://nayeonie.com/ahuston-0/hydra?ref=add-gitea-pulls";
inputs = { # inputs = {
#nixpkgs.follows = "nixpkgs"; # nixpkgs.follows = "nixpkgs";
}; # };
}; };
hyprland-contrib = { hyprland-contrib = {
@@ -67,36 +71,18 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
#lix-module = {
# url = "git+https://git.lix.systems/lix-project/nixos-module?ref=stable";
# inputs = {
# nixpkgs.follows = "nixpkgs";
# flake-utils.follows = "flake-utils";
# };
#};
nix-index-database = { nix-index-database = {
url = "github:Mic92/nix-index-database"; url = "github:Mic92/nix-index-database";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
nixos-cosmic = {
url = "github:lilyinstarlight/nixos-cosmic";
inputs = {
flake-compat.follows = "flake-compat";
nixpkgs.follows = "nixpkgs";
nixpkgs-stable.follows = "nixpkgs-stable";
rust-overlay.follows = "rust-overlay";
};
};
nixos-generators = { nixos-generators = {
url = "github:nix-community/nixos-generators"; url = "github:nix-community/nixos-generators";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
nixos-modules = { nixos-modules = {
url = "github:NuschtOS/nixos-modules"; url = "github:SuperSandro2000/nixos-modules";
inputs = { inputs = {
nixpkgs.follows = "nixpkgs"; nixpkgs.follows = "nixpkgs";
flake-utils.follows = "flake-utils"; flake-utils.follows = "flake-utils";
@@ -128,6 +114,8 @@
stylix = { stylix = {
url = "github:danth/stylix"; url = "github:danth/stylix";
inputs = { inputs = {
flake-compat.follows = "flake-compat";
home-manager.follows = "home-manager";
nixpkgs.follows = "nixpkgs"; nixpkgs.follows = "nixpkgs";
}; };
}; };
@@ -171,32 +159,9 @@
inherit lib; # for allowing use of custom functions in nix repl inherit lib; # for allowing use of custom functions in nix repl
hydraJobs = import ./hydra/jobs.nix { inherit inputs outputs systems; }; hydraJobs = import ./hydra/jobs.nix { inherit inputs outputs systems; };
formatter = forEachSystem (system: nixpkgs.legacyPackages.${system}.nixfmt); formatter = forEachSystem (system: nixpkgs.legacyPackages.${system}.nixfmt-rfc-style);
nixosConfigurations = genSystems inputs outputs src (src + "/systems"); nixosConfigurations = genSystems inputs outputs src (src + "/systems");
homeConfigurations = {
"alice" = inputs.home-manager.lib.homeManagerConfiguration {
pkgs = import nixpkgs { system = "x86_64-linux"; };
modules = [
inputs.stylix.homeModules.stylix
inputs.sops-nix.homeManagerModules.sops
inputs.nix-index-database.homeModules.nix-index
{
nixpkgs.config = {
allowUnfree = true;
allowUnfreePredicate = _: true;
};
}
./users/alice/home.nix
];
extraSpecialArgs = {
inherit inputs outputs;
machineConfig = {
server = false;
};
};
};
};
images = { images = {
install-iso = getImages nixosConfigurations "install-iso"; install-iso = getImages nixosConfigurations "install-iso";
iso = getImages nixosConfigurations "iso"; iso = getImages nixosConfigurations "iso";

8
hydra/jobs.nix
View File

@@ -8,7 +8,7 @@ let
pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux;
getCfg = _: cfg: cfg.config.system.build.toplevel; getCfg = _: cfg: cfg.config.system.build.toplevel;
getHome = _: cfg: cfg.config.home.activationPackage; hostToAgg = _: cfg: cfg;
# get per-system check derivation (with optional postfix) # get per-system check derivation (with optional postfix)
mapSystems = mapSystems =
@@ -22,7 +22,11 @@ rec {
inherit (outputs) formatter devShells checks; inherit (outputs) formatter devShells checks;
host = lib.mapAttrs getCfg outputs.nixosConfigurations; host = lib.mapAttrs getCfg outputs.nixosConfigurations;
home = lib.mapAttrs getHome outputs.homeConfigurations; # homeConfigurations.alice.config.home.activationPackage
hosts = pkgs.releaseTools.aggregate {
name = "hosts";
constituents = lib.mapAttrsToList hostToAgg host;
};
devChecks = pkgs.releaseTools.aggregate { devChecks = pkgs.releaseTools.aggregate {
name = "devChecks"; name = "devChecks";

32
hydra/jobsets.nix
View File

@@ -18,7 +18,7 @@ let
}; };
prs = readJSONFile pulls; prs = readJSONFile pulls;
#refs = readJSONFile branches; refs = readJSONFile branches;
# template for creating a job # template for creating a job
makeJob = makeJob =
@@ -47,19 +47,19 @@ let
giteaHost = "ssh://gitea@nayeonie.com:2222"; giteaHost = "ssh://gitea@nayeonie.com:2222";
repo = "ahuston-0/nix-dotfiles"; repo = "ahuston-0/nix-dotfiles";
# # Create a hydra job for a branch # # Create a hydra job for a branch
#jobOfRef = jobOfRef =
# name: name:
# { ref, ... }: { ref, ... }:
# if ((builtins.match "^refs/heads/(.*)$" ref) == null) then if ((builtins.match "^refs/heads/(.*)$" ref) == null) then
# null null
# else else
# { {
# name = builtins.replaceStrings [ "/" ] [ "-" ] "branch-${name}"; name = builtins.replaceStrings [ "/" ] [ "-" ] "branch-${name}";
# value = makeJob { value = makeJob {
# description = "Branch ${name}"; description = "Branch ${name}";
# flake = "git+${giteaHost}/${repo}?ref=${ref}"; flake = "git+${giteaHost}/${repo}?ref=${ref}";
# }; };
# }; };
# Create a hydra job for a PR # Create a hydra job for a PR
jobOfPR = id: info: { jobOfPR = id: info: {
@@ -77,12 +77,12 @@ let
# wrapper function for reading json from file # wrapper function for reading json from file
readJSONFile = f: builtins.fromJSON (builtins.readFile f); readJSONFile = f: builtins.fromJSON (builtins.readFile f);
# remove null values from a set, in-case of branches that don't exist # remove null values from a set, in-case of branches that don't exist
#mapFilter = f: l: builtins.filter (x: (x != null)) (map f l); mapFilter = f: l: builtins.filter (x: (x != null)) (map f l);
# Create job set from PRs and branches # Create job set from PRs and branches
jobs = makeSpec ( jobs = makeSpec (
builtins.listToAttrs (map ({ name, value }: jobOfPR name value) (attrsToList prs)) builtins.listToAttrs (map ({ name, value }: jobOfPR name value) (attrsToList prs))
#// builtins.listToAttrs (mapFilter ({ name, value }: jobOfRef name value) (attrsToList refs)) // builtins.listToAttrs (mapFilter ({ name, value }: jobOfRef name value) (attrsToList refs))
); );
in in
{ {

28
lib/systems.nix
View File

@@ -156,7 +156,6 @@ rec {
modules ? [ ], modules ? [ ],
server ? true, server ? true,
sops ? true, sops ? true,
lix ? false,
system ? "x86_64-linux", system ? "x86_64-linux",
}@args: }@args:
lib.nixosSystem { lib.nixosSystem {
@@ -169,20 +168,19 @@ rec {
system system
; ;
}; };
modules = [ modules =
inputs.nixos-modules.nixosModule [
inputs.nix-index-database.nixosModules.nix-index inputs.nixos-modules.nixosModule
(genHostName hostname) (genHostName hostname)
(configPath + "/hardware.nix") (configPath + "/hardware.nix")
(configPath + "/configuration.nix") (configPath + "/configuration.nix")
] ]
++ modules ++ modules
++ (lib.adev.fileList (src + "/modules")) ++ (lib.adev.fileList (src + "/modules"))
++ genWrapper sops genSops args ++ genWrapper sops genSops args
++ genWrapper home genHome args ++ genWrapper home genHome args
++ genWrapper true genUsers args ++ genWrapper true genUsers args
#++ genWrapper lix ({ ... }: [ inputs.lix-module.nixosModules.default ]) args ++ genWrapper (system != "x86_64-linux") genNonX86 args;
++ genWrapper (system != "x86_64-linux") genNonX86 args;
}; };
# a convenience function for automatically generating NixOS systems by reading a directory via constructSystem # a convenience function for automatically generating NixOS systems by reading a directory via constructSystem

11
modules/autopull.nix
View File

@@ -59,12 +59,11 @@ in
repos = lib.filterAttrs (_: { enable, ... }: enable) cfg.repo; repos = lib.filterAttrs (_: { enable, ... }: enable) cfg.repo;
in in
lib.mkIf cfg.enable { lib.mkIf cfg.enable {
environment.systemPackages = [ environment.systemPackages =
pkgs.git [ pkgs.git ]
] ++ lib.optionals (lib.any (ssh-key: ssh-key != "") (lib.adev.mapGetAttr "ssh-key" repos)) [
++ lib.optionals (lib.any (ssh-key: ssh-key != "") (lib.adev.mapGetAttr "ssh-key" repos)) [ pkgs.openssh
pkgs.openssh ];
];
systemd.services = lib.mapAttrs' ( systemd.services = lib.mapAttrs' (
_: _:

9
modules/boot.nix
View File

@@ -35,11 +35,10 @@ in
config.boot = lib.mkIf cfg.default { config.boot = lib.mkIf cfg.default {
supportedFilesystems = [ cfg.filesystem ]; supportedFilesystems = [ cfg.filesystem ];
tmp.useTmpfs = true; tmp.useTmpfs = true;
kernelParams = [ kernelParams =
"nordrand" [ "nordrand" ]
] ++ lib.optional (cfg.cpuType == "amd") "kvm-amd"
++ lib.optional (cfg.cpuType == "amd") "kvm-amd" ++ lib.optional cfg.fullDiskEncryption "ip=<ip-addr>::<ip-gateway>:<netmask>";
++ lib.optional cfg.fullDiskEncryption "ip=<ip-addr>::<ip-gateway>:<netmask>";
initrd = { initrd = {
kernelModules = lib.mkIf cfg.amdGPU [ "amdgpu" ]; kernelModules = lib.mkIf cfg.amdGPU [ "amdgpu" ];
network = lib.mkIf cfg.fullDiskEncryption { network = lib.mkIf cfg.fullDiskEncryption {

5
modules/fwupd.nix
View File

@@ -1,5 +0,0 @@
{ lib, ... }:
{
services.fwupd.enable = lib.mkDefault true;
}

78
modules/kubernetes.nix
View File

@@ -1,78 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
options = {
services.kubernetes = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Whether to enable Kubernetes services";
};
version = lib.mkOption {
type = lib.types.str;
default = "1.28.0";
description = "Kubernetes version to use";
};
clusterName = lib.mkOption {
type = lib.types.str;
default = "palatine-hill-cluster";
description = "Name of the Kubernetes cluster";
};
controlPlaneEndpoint = lib.mkOption {
type = lib.types.str;
default = "localhost:6443";
description = "Control plane endpoint";
};
networking = lib.mkOption {
type = lib.types.attrs;
default = { };
description = "Kubernetes networking configuration";
};
};
};
config = lib.mkIf config.services.kubernetes.enable {
environment.systemPackages = with pkgs; [
kubectl
kubernetes
];
## Enable containerd for Kubernetes
#virtualisation.containerd.enable = true;
## Enable kubelet
#services.kubelet = {
# enable = true;
# extraFlags = {
# "pod-infra-container-image" = "registry.k8s.io/pause:3.9";
# };
#};
## Enable kubeadm for cluster initialization
#environment.etc."kubeadm.yaml".text = ''
# apiVersion: kubeadm.k8s.io/v1beta3
# kind: InitConfiguration
# localAPIEndpoint:
# advertiseAddress: 127.0.0.1
# bindPort: 6443
# ---
# apiVersion: kubeadm.k8s.io/v1beta3
# kind: ClusterConfiguration
# clusterName: ${config.services.kubernetes.clusterName}
# controlPlaneEndpoint: ${config.services.kubernetes.controlPlaneEndpoint}
# networking:
# serviceSubnet: 10.96.0.0/12
# podSubnet: 10.244.0.0/16
# dnsDomain: cluster.local
#'';
};
}

5
modules/nix.nix
View File

@@ -1,15 +1,12 @@
{ lib, pkgs, ... }: { lib, pkgs, ... }:
{ {
nix = { nix = {
#package = pkgs.nixVersions.latest; package = pkgs.nixVersions.latest;
diffSystem = true; diffSystem = true;
settings = { settings = {
experimental-features = [ experimental-features = [
"nix-command" "nix-command"
"flakes" "flakes"
"blake3-hashes"
"git-hashing"
"verified-fetches"
]; ];
keep-outputs = true; keep-outputs = true;
builders-use-substitutes = true; builders-use-substitutes = true;

7
modules/programs.nix Normal file
View File

@@ -0,0 +1,7 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
git
python312
];
}

11
modules/users.nix
View File

@@ -1,11 +0,0 @@
{
...
}:
{
users.groups = {
users = {
gid = 100;
};
};
}

2
shell.nix
View File

@@ -44,7 +44,7 @@ forEachSystem (
pre-commit pre-commit
treefmt treefmt
statix statix
nixfmt nixfmt-rfc-style
jsonfmt jsonfmt
mdformat mdformat
shfmt shfmt

42
systems/artemision/configuration.nix
View File

@@ -1,7 +1,7 @@
{ {
config,
lib, lib,
pkgs, pkgs,
config,
... ...
}: }:
{ {
@@ -18,7 +18,6 @@
./stylix.nix ./stylix.nix
./wifi.nix ./wifi.nix
./zerotier.nix ./zerotier.nix
../palatine-hill/ollama.nix
]; ];
time.timeZone = "America/New_York"; time.timeZone = "America/New_York";
@@ -41,23 +40,9 @@
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
services = { services = {
ollama = {
package = lib.mkForce pkgs.ollama-rocm;
models = lib.mkForce "${config.services.ollama.home}/models";
loadModels = lib.mkForce [
"deepseek-r1:1.5b"
"lennyerik/zeta"
"nomic-embed-text:latest"
"glm-4.7-flash"
"magistral"
"devstral-small-2"
"starcoder2:7b"
];
};
flatpak.enable = true; flatpak.enable = true;
calibre-web = { calibre-web = {
# temp disable this enable = true;
enable = false;
listen = { listen = {
ip = "127.0.0.1"; ip = "127.0.0.1";
}; };
@@ -66,7 +51,7 @@
}; };
}; };
calibre-server = { calibre-server = {
enable = false; enable = true;
user = "calibre-web"; user = "calibre-web";
group = "calibre-web"; group = "calibre-web";
@@ -75,13 +60,12 @@
fwupd = { fwupd = {
enable = true; enable = true;
# package = package =
# (import (builtins.fetchTarball { (import (builtins.fetchTarball {
# url = "https://github.com/NixOS/nixpkgs/archive/bb2009ca185d97813e75736c2b8d1d8bb81bde05.tar.gz"; url = "https://github.com/NixOS/nixpkgs/archive/bb2009ca185d97813e75736c2b8d1d8bb81bde05.tar.gz";
# sha256 = "sha256:003qcrsq5g5lggfrpq31gcvj82lb065xvr7bpfa8ddsw8x4dnysk"; sha256 = "sha256:003qcrsq5g5lggfrpq31gcvj82lb065xvr7bpfa8ddsw8x4dnysk";
# }) { inherit (pkgs) system; }).fwupd; }) { inherit (pkgs) system; }).fwupd;
}; };
mullvad-vpn.enable = true;
fprintd.enable = lib.mkForce false; fprintd.enable = lib.mkForce false;
openssh.enable = lib.mkForce false; openssh.enable = lib.mkForce false;
@@ -92,20 +76,16 @@
}; };
}; };
users.users = { users.users.alice.extraGroups = [ "calibre-web" ];
alice.extraGroups = [ "calibre-web" ];
};
system.stateVersion = "24.05"; system.stateVersion = "24.05";
programs.adb.enable = true;
environment.variables = { environment.variables = {
"KWIN_DRM_NO_DIRECT_SCANOUT" = "1"; "KWIN_DRM_NO_DIRECT_SCANOUT" = "1";
}; };
#nixpkgs.config = {
# rocmSupport = true;
#};
sops = { sops = {
defaultSopsFile = ./secrets.yaml; defaultSopsFile = ./secrets.yaml;
#secrets = { #secrets = {

3
systems/artemision/default.nix
View File

@@ -3,11 +3,10 @@
system = "x86_64-linux"; system = "x86_64-linux";
home = true; home = true;
sops = true; sops = true;
lix = true;
server = false; server = false;
users = [ "alice" ]; users = [ "alice" ];
modules = [ modules = [
inputs.nixos-hardware.nixosModules.framework-16-amd-ai-300-series inputs.nixos-hardware.nixosModules.framework-16-7040-amd
inputs.stylix.nixosModules.stylix inputs.stylix.nixosModules.stylix
{ {
environment.systemPackages = [ environment.systemPackages = [

3
systems/artemision/desktop.nix
View File

@@ -45,6 +45,9 @@
powerManagement = { powerManagement = {
enable = true; enable = true;
resumeCommands = ''
${pkgs.hyprlock}/bin/hyprlock -c /home/alice/.config/hypr/hyprlock.conf
'';
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [

3
systems/artemision/graphics.nix
View File

@@ -6,10 +6,13 @@
enable = true; enable = true;
enable32Bit = true; enable32Bit = true;
## amdvlk: an open-source Vulkan driver from AMD
extraPackages = with pkgs; [ extraPackages = with pkgs; [
amdvlk
rocmPackages.clr.icd rocmPackages.clr.icd
]; ];
extraPackages32 = with pkgs; [ extraPackages32 = with pkgs; [
driversi686Linux.amdvlk
rocmPackages.clr.icd rocmPackages.clr.icd
]; ];
}; };

2
systems/artemision/hardware.nix
View File

@@ -100,7 +100,7 @@
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction # still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.interfaces.wlp191s0.useDHCP = lib.mkDefault true; networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;

9
systems/artemision/libvirt.nix
View File

@@ -12,6 +12,15 @@
package = pkgs.qemu_kvm; package = pkgs.qemu_kvm;
runAsRoot = true; runAsRoot = true;
swtpm.enable = true; swtpm.enable = true;
ovmf = {
enable = true;
packages = [
(pkgs.OVMF.override {
secureBoot = true;
tpmSupport = true;
}).fd
];
};
}; };
}; };
users.users.alice = { users.users.alice = {

22
systems/artemision/private-wifi.nix
View File

@@ -3,17 +3,17 @@
networking.nameservers = [ networking.nameservers = [
"9.9.9.9" "9.9.9.9"
"1.1.1.1" "1.1.1.1"
#"192.168.76.1" "192.168.76.1"
]; ];
#services.resolved = { services.resolved = {
# enable = true; enable = true;
# dnssec = "false"; dnssec = "false";
# domains = [ "~." ]; domains = [ "~." ];
# fallbackDns = [ fallbackDns = [
# "1.1.1.1#one.one.one.one" "1.1.1.1#one.one.one.one"
# "1.0.0.1#one.one.one.one" "1.0.0.1#one.one.one.one"
# ]; ];
# dnsovertls = "true"; dnsovertls = "true";
#}; };
} }

11
systems/artemision/programs.nix
View File

@@ -5,7 +5,6 @@
alacritty alacritty
attic-client attic-client
amdgpu_top amdgpu_top
android-tools
bat bat
bitwarden-cli bitwarden-cli
bfg-repo-cleaner bfg-repo-cleaner
@@ -16,7 +15,6 @@
candy-icons candy-icons
chromium chromium
chromedriver chromedriver
#claude-code
croc croc
deadnix deadnix
direnv direnv
@@ -27,14 +25,15 @@
fd fd
file file
firefox firefox
# gestures replacement # gestures replacement
git git
glances glances
gpu-viewer gpu-viewer
grim grim
helvum
htop htop
hwloc hwloc
ipmiview
iperf3 iperf3
# ipscan # ipscan
jp2a jp2a
@@ -54,6 +53,7 @@
# nbt explorer? # nbt explorer?
ncdu ncdu
nemo-with-extensions nemo-with-extensions
neofetch
neovim neovim
nix-init nix-init
nix-output-monitor nix-output-monitor
@@ -76,12 +76,14 @@
restic restic
ripgrep ripgrep
rpi-imager rpi-imager
rofi rofi-wayland
samba samba
signal-desktop signal-desktop
# signal in tray? # signal in tray?
siji siji
simple-mtpfs simple-mtpfs
skaffold
slack
slurp slurp
smartmontools smartmontools
snyk snyk
@@ -98,6 +100,7 @@
unipicker unipicker
unzip unzip
uutils-coreutils-noprefix uutils-coreutils-noprefix
vesktop
vscode vscode
watchman watchman
wget wget

8
systems/artemision/secrets.yaml
View File

@@ -10,7 +10,7 @@ example_booleans:
- ENC[AES256_GCM,data:6SJ0JKI=,iv:J0qSvWoOcDwSXCKyau+a0YcCGuH5WABHVh6Kdigac20=,tag:WQdNfjcubbzoHnQW4gua8g==,type:bool] - ENC[AES256_GCM,data:6SJ0JKI=,iv:J0qSvWoOcDwSXCKyau+a0YcCGuH5WABHVh6Kdigac20=,tag:WQdNfjcubbzoHnQW4gua8g==,type:bool]
apps: apps:
spotify: ENC[AES256_GCM,data:tIABPphA7Vr6VNvJpWTS9kDmidU=,iv:ciQzr8jyIcHYi797NKypPs7FhDgK5ToVZ0eZHHF8UtE=,tag:wUTL/x1p24cXyPUAL1dPfg==,type:str] spotify: ENC[AES256_GCM,data:tIABPphA7Vr6VNvJpWTS9kDmidU=,iv:ciQzr8jyIcHYi797NKypPs7FhDgK5ToVZ0eZHHF8UtE=,tag:wUTL/x1p24cXyPUAL1dPfg==,type:str]
wifi-env: ENC[AES256_GCM,data:mxPCyunx8yOahcuVhZCzuqAt/G89lMBnZme+qwcxO4LsCftx7h2FotA+wnlj1++vmPW5zL72q2kzxh0KcVlYqK9fpOrMY/FJeJXWYNMZIHesmWKlaaeA1wM/q1dSllwuVuULp9WQzipiQHwcCCLseo3bmCsYpbs8PUibrDgbDqXreTSjJBNTVzwOGpz1bZCSpEynS+dQQViRSNcVeYTOLxrOTxx5lyEOIhgIc3167ObhK+7bJVG2ZcP209Gllip4XkCj/FKnEwg2vVF5Dpofz7T2Op5ef/oNzahhKmCa+k7OPqITWwPYZg7pqAf6jdMy4eBP/A==,iv:Q6IMqePFwd1b1pSuh+TIwcag2bbJXyIYUmJWY6UaaqI=,tag:UZ5ak6nmHkNG0uBMTl1CwQ==,type:str] wifi-env: ENC[AES256_GCM,data:2BM4wQq+RfASkg9lcH+fW7eD0VaPJMXABp3z0sYXqZbVzv9R9eAxSokxzcifT/1JK8PBwvZkWtEFrKAT3phXIZzoEySnGKGYazz8fqWWWhMJotLNNo5VkX70hLppgE9vYxf9vQSq0PLWYCN0jUO0H9mHjOT6mDzKUHegcC53jzkNY3WTfLkyzDWJVMP9IbVQ22N5QlJbzZNqrNTaOtcRm06PBz7pNuEKOy4jj5ipZOh6ceR81Xy6BXM7MzFN27lYbzfVvcDmlwqPORAmr7/00QBy2cp38rTswJEzYf1x2Q==,iv:DSTVPw9qtmo02/usZZDpHsYlX3sSW+2XrnawtBkRNmQ=,tag:3p3eW+3BEQrOmHlBNUEOaA==,type:str]
#ENC[AES256_GCM,data:G9ggYJ3YA+E=,iv:nZ5NgeyNKFXFIpquoY68Z2Jz9QROqvf5tv7/s1wSgKk=,tag:QAX555IsAMaWAlz9ywSzjQ==,type:comment] #ENC[AES256_GCM,data:G9ggYJ3YA+E=,iv:nZ5NgeyNKFXFIpquoY68Z2Jz9QROqvf5tv7/s1wSgKk=,tag:QAX555IsAMaWAlz9ywSzjQ==,type:comment]
sops: sops:
age: age:
@@ -23,8 +23,8 @@ sops:
d09aSXN0ZUh3VC9XeTZ4UWoxVDNVN0UKF1eU/IQJgJ8Fg+MrfqQuEZZ775hvtUJR d09aSXN0ZUh3VC9XeTZ4UWoxVDNVN0UKF1eU/IQJgJ8Fg+MrfqQuEZZ775hvtUJR
D/ZS4vj+sDLWq6gy2lIBhRSIAHWrz5gHxvOOGmRnpvkqh9TS6XjLIA== D/ZS4vj+sDLWq6gy2lIBhRSIAHWrz5gHxvOOGmRnpvkqh9TS6XjLIA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-03T19:32:16Z" lastmodified: "2025-05-15T15:37:51Z"
mac: ENC[AES256_GCM,data:q5NppTtZZA9Oo15zI0pAZ/YN2qu0TneDPMJY9rXtWlYfG7Pq5taRyc9MpV7CyEt+qWMkN//O3/sA4jmQTtpT8JuYIEa+/x5cfSZ5w0ErjKdV4/IyDs1LPDKNLXIWlmPMo61VvsKW9DZRBRml9qtR1ypeHBuz0pjECBwAQPEcw9k=,iv:X7wUOxn4BsvqCPmNZvH75hyAzUeD7Qtp+4e4SLpPWlI=,tag:Dp6Bu3zEkRaRPdOwWil13g==,type:str] mac: ENC[AES256_GCM,data:qJ8NdnzVrgQb0rGwjZFHrS+eJrUjQEk4M4uo5bnk4eY7aKaHejARcYOIhp0H/DMdlix+Dm3DAAeeRWn8AKCatXaSzYD/VHHbjfp0lKBCsC8CZFeCELQ5GGEHnVot3WGb4J+QdfupwdduExSSMd6XeZGFVbSGhLzRbiiWA+i8I3o=,iv:oxWiDCH60apKT0/fJbWp1cIZ9cvd6mJKlP3xAjMBXIo=,tag:0We6eCJnsncujCt+CwK9UQ==,type:str]
pgp: pgp:
- created_at: "2024-11-28T18:57:09Z" - created_at: "2024-11-28T18:57:09Z"
enc: |- enc: |-
@@ -39,4 +39,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330 fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.11.0 version: 3.10.2

6
systems/artemision/stylix.nix
View File

@@ -1,4 +1,10 @@
{ pkgs, ... }: { pkgs, ... }:
# let
# randWallpaper = pkgs.runCommand "stylix-wallpaper" { } ''
# numWallpapers =
# $((1 + $RANDOM % 10))
# in
{ {
stylix = { stylix = {
enable = true; enable = true;

5
systems/artemision/wifi.nix
View File

@@ -11,7 +11,7 @@ in
networking.wireless = { networking.wireless = {
enable = true; enable = true;
secretsFile = config.sops.secrets."wifi-env".path; secretsFile = config.sops.secrets."wifi-env".path;
userControlled = true; userControlled.enable = true;
networks = { networks = {
"taetaethegae-2.0" = { "taetaethegae-2.0" = {
pskRaw = "ext:PASS_taetaethegae_20"; pskRaw = "ext:PASS_taetaethegae_20";
@@ -29,7 +29,6 @@ in
"Verizon_ZLHQ3H".pskRaw = "ext:PASS_angie"; "Verizon_ZLHQ3H".pskRaw = "ext:PASS_angie";
"Fios-Qn3RB".pskRaw = "ext:PASS_parkridge"; "Fios-Qn3RB".pskRaw = "ext:PASS_parkridge";
"Mojo Dojo Casa House".pskRaw = "ext:PASS_Carly"; "Mojo Dojo Casa House".pskRaw = "ext:PASS_Carly";
"bwe_guest".pskRaw = "ext:PASS_BWE_NE";
# Public wifi connections # Public wifi connections
# set public_wifi on line 5 to true if connecting to one of these # set public_wifi on line 5 to true if connecting to one of these
@@ -46,7 +45,7 @@ in
defaultSopsFile = ./secrets.yaml; defaultSopsFile = ./secrets.yaml;
secrets = { secrets = {
"wifi-env" = { "wifi-env" = {
owner = "wpa_supplicant"; owner = "root";
restartUnits = [ "wpa_supplicant.service" ]; restartUnits = [ "wpa_supplicant.service" ];
}; };
}; };

12
systems/jessica/default.nix Normal file
View File

@@ -0,0 +1,12 @@
{ inputs, ... }:
{
system = "x86_64-linux";
home = true;
sops = true;
server = false;
users = [ "sam" ];
modules = [
inputs.nixos-hardware.nixosModules.framework-13-7040-amd
inputs.stylix.nixosModules.stylix
];
}

7
systems/palatine-hill/attic/default.nix
View File

@@ -10,6 +10,10 @@
attic-client attic-client
]; ];
systemd.services.atticd.environment = {
RUST_LOG = "INFO";
};
services = { services = {
atticd = { atticd = {
enable = true; enable = true;
@@ -67,9 +71,6 @@
# configured default webstore for this on root user separately # configured default webstore for this on root user separately
systemd = { systemd = {
services = { services = {
atticd.environment = {
RUST_LOG = "INFO";
};
attic-watch-store = { attic-watch-store = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ after = [

49
systems/palatine-hill/configuration.nix
View File

@@ -14,11 +14,9 @@
./haproxy ./haproxy
./hardware-changes.nix ./hardware-changes.nix
./hydra.nix ./hydra.nix
./mattermost.nix
./minio.nix ./minio.nix
./networking.nix ./networking.nix
./nextcloud.nix ./nextcloud.nix
#./plex
./postgresql.nix ./postgresql.nix
./samba.nix ./samba.nix
./zfs.nix ./zfs.nix
@@ -50,46 +48,25 @@
enable = true; enable = true;
extraPackages = with pkgs; [ extraPackages = with pkgs; [
intel-media-driver # LIBVA_DRIVER_NAME=iHD intel-media-driver # LIBVA_DRIVER_NAME=iHD
intel-vaapi-driver # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium) vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
libva-vdpau-driver vaapiVdpau
libvdpau-va-gl libvdpau-va-gl
intel-compute-runtime intel-compute-runtime
vpl-gpu-rt # replaces intel-media-sdk intel-media-sdk
]; ];
}; };
}; };
environment = { environment.systemPackages = with pkgs; [
systemPackages = with pkgs; [ chromedriver
chromedriver chromium
chromium docker-compose
docker-compose intel-gpu-tools
filebot jellyfin-ffmpeg
intel-gpu-tools jq
jellyfin-ffmpeg yt-dlp
jq yq
yt-dlp ];
yq
];
etc = {
# Creates /etc/lynis/custom.prf
"lynis/custom.prf" = {
text = ''
skip-test=BANN-7126
skip-test=BANN-7130
skip-test=DEB-0520
skip-test=DEB-0810
skip-test=FIRE-4513
skip-test=HRDN-7222
skip-test=KRNL-5820
skip-test=LOGG-2190
skip-test=LYNIS
skip-test=TOOL-5002
'';
mode = "0440";
};
};
};
services = { services = {
samba.enable = true; samba.enable = true;

3
systems/palatine-hill/default.nix
View File

@@ -3,8 +3,5 @@
users = [ "alice" ]; users = [ "alice" ];
modules = [ modules = [
# inputs.attic.nixosModules.atticd # inputs.attic.nixosModules.atticd
inputs.nixos-hardware.nixosModules.common-cpu-amd
inputs.nixos-hardware.nixosModules.common-cpu-amd-pstate
inputs.nixos-hardware.nixosModules.supermicro
]; ];
} }

9
systems/palatine-hill/docker/act-runner.nix
View File

@@ -11,8 +11,7 @@ in
{ {
virtualisation.oci-containers.containers = { virtualisation.oci-containers.containers = {
act-stable-latest-main = { act-stable-latest-main = {
image = "gitea/act_runner:nightly"; image = "gitea/act_runner:latest";
pull = "always";
extraOptions = [ extraOptions = [
"--stop-signal=SIGINT" "--stop-signal=SIGINT"
]; ];
@@ -35,8 +34,7 @@ in
}; };
act-stable-latest-1 = { act-stable-latest-1 = {
image = "gitea/act_runner:nightly"; image = "gitea/act_runner:latest";
pull = "always";
extraOptions = [ extraOptions = [
"--stop-signal=SIGINT" "--stop-signal=SIGINT"
]; ];
@@ -58,8 +56,7 @@ in
}; };
act-stable-latest-2 = { act-stable-latest-2 = {
image = "gitea/act_runner:nightly"; image = "gitea/act_runner:latest";
pull = "always";
extraOptions = [ extraOptions = [
"--stop-signal=SIGINT" "--stop-signal=SIGINT"
]; ];

8
systems/palatine-hill/docker/act_config.yaml
View File

@@ -38,19 +38,19 @@ runner:
- "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest" - "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
- "ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04" - "ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04"
- "ubuntu-20.04:docker://gitea/runner-images:ubuntu-20.04" - "ubuntu-20.04:docker://gitea/runner-images:ubuntu-20.04"
cache: #cache:
# Enable cache server to use actions/cache. # Enable cache server to use actions/cache.
enabled: true #enabled: true
# The directory to store the cache data. # The directory to store the cache data.
# If it's empty, the cache data will be stored in $HOME/.cache/actcache. # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
#dir: "" #dir: ""
# The host of the cache server. # The host of the cache server.
# It's not for the address to listen, but the address to connect from job containers. # It's not for the address to listen, but the address to connect from job containers.
# So 0.0.0.0 is a bad choice, leave it empty to detect automatically. # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
host: "192.168.76.2" #host: ""
# The port of the cache server. # The port of the cache server.
# 0 means to use a random available port. # 0 means to use a random available port.
port: 8088 #port: 0
# The external cache server URL. Valid only when enable is true. # The external cache server URL. Valid only when enable is true.
# If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself. # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
# The URL should generally end with "/". # The URL should generally end with "/".

273
systems/palatine-hill/docker/arr.nix
View File

@@ -1,273 +0,0 @@
{
config,
lib,
...
}:
let
vars = import ../vars.nix;
arr_postgres_config =
container_type:
let
ctype = lib.strings.toUpper container_type;
in
{
"${ctype}__POSTGRES__HOST" = "/var/run/postgresql";
"${ctype}__POSTGRES__PORT" = toString config.services.postgresql.settings.port;
};
in
{
# Notes:
# Jellyplex-watched - sync watch status between plex and jellyfin as long as users and library is the same
# Tdarr - for distributed transcoding?
#
# list of containers supporting postgres:
# bazarr:
# POSTGRES_ENABED: true
# POSTGRES_HOST:
# POSTGRES_PORT:
# POSTGRES_DATABASE: bazarr
# POSTGRES_USERNAME: arr
# POSTGRES_PASSWORD: sops
# prowlarr:
# see ctype
# radarr:
# see ctype
# sonarr:
# see ctype
# lidarr:
# see ctype
# jellyseerr:
# DB_TYPE: postgres
# DB_HOST:
# DB_PORT:
# DB_USER: arr
# DB_PASS: sops
# DB_NAME: jellyseerr
#
virtualisation.oci-containers.containers = {
bazarr = {
image = "ghcr.io/linuxserver/bazarr:latest";
pull = "always";
ports = [ "6767:6767" ];
hostname = "bazarr";
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
POSTGRES_HOST = "/var/run/postgresql";
POSTGRES_PORT = toString config.services.postgresql.settings.port;
};
environmentFiles = [
config.sops.secrets."docker/bazarr".path
];
volumes = [
"${vars.primary_docker}/bazarr:/config"
"${vars.primary_plex_storage}/data:/data"
"/var/run/postgresql:/var/run/postgresql"
];
extraOptions = [
"--network=arrnet"
];
autoStart = true;
};
prowlarr = {
image = "ghcr.io/linuxserver/prowlarr:latest";
pull = "always";
ports = [ "9696:9696" ];
hostname = "prowlarr";
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
}
// arr_postgres_config "prowlarr";
environmentFiles = [
config.sops.secrets."docker/prowlarr".path
];
extraOptions = [
"--network=arrnet"
];
volumes = [
"${vars.primary_docker}/prowlarr:/config"
"/var/run/postgresql:/var/run/postgresql"
];
autoStart = true;
};
radarr = {
image = "ghcr.io/linuxserver/radarr:latest";
pull = "always";
ports = [ "7878:7878" ];
hostname = "radarr";
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
}
// arr_postgres_config "radarr";
environmentFiles = [
config.sops.secrets."docker/radarr".path
];
volumes = [
"${vars.primary_docker}/radarr:/config"
"${vars.primary_plex_storage}/data:/data"
"/var/run/postgresql:/var/run/postgresql"
];
extraOptions = [
"--network=arrnet"
];
autoStart = true;
};
sonarr = {
image = "ghcr.io/linuxserver/sonarr:latest";
pull = "always";
ports = [ "8989:8989" ];
hostname = "sonarr";
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
}
// arr_postgres_config "sonarr";
environmentFiles = [
config.sops.secrets."docker/sonarr".path
];
volumes = [
"${vars.primary_docker}/sonarr:/config"
"${vars.primary_plex_storage}/data:/data"
"/var/run/postgresql:/var/run/postgresql"
];
extraOptions = [
"--network=arrnet"
];
autoStart = true;
};
lidarr = {
image = "ghcr.io/linuxserver/lidarr:latest";
pull = "always";
ports = [ "8686:8686" ];
hostname = "lidarr";
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
}
// arr_postgres_config "lidarr";
environmentFiles = [
config.sops.secrets."docker/lidarr".path
];
volumes = [
"${vars.primary_docker}/lidarr:/config"
"${vars.primary_plex_storage}/data:/data"
"/var/run/postgresql:/var/run/postgresql"
];
extraOptions = [
"--network=arrnet"
];
autoStart = true;
};
unpackerr = {
image = "golift/unpackerr:latest";
pull = "always";
user = "600:100";
hostname = "unpackerr";
environment = {
TZ = "America/New_York";
};
volumes = [
"${vars.primary_docker}/unpackerr:/config"
"${vars.primary_plex_storage}:/data"
"/var/run/postgresql:/var/run/postgresql"
];
extraOptions = [ "--network=arrnet" ];
autoStart = true;
};
notifiarr = {
image = "golift/notifiarr:latest";
pull = "always";
ports = [ "5454:5454" ];
user = "600:100";
hostname = "notifiarr";
environment = {
TZ = "America/New_York";
};
environmentFiles = [ config.sops.secrets."docker/notifiarr".path ];
volumes = [
"${vars.primary_docker}/notifiarr:/config"
"${vars.primary_plex_storage}:/data"
"/var/run/postgresql:/var/run/postgresql"
];
extraOptions = [ "--network=arrnet" ];
autoStart = true;
};
jellyseerr = {
image = "fallenbagel/jellyseerr:latest";
pull = "always";
hostname = "jellyseerr";
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
DB_TYPE = "postgres";
DB_HOST = "/var/run/postgresql";
DB_PORT = toString config.services.postgresql.settings.port;
};
environmentFiles = [
config.sops.secrets."docker/jellyseerr".path
];
volumes = [
"${vars.primary_docker}/overseerr:/config"
"/var/run/postgresql:/var/run/postgresql"
];
# TODO: remove ports later since this is going through web
extraOptions = [
"--network=arrnet"
"--network=haproxy-net"
# "--health-cmd \"wget --no-verbose --tries 1 --spider http://localhost:5055/api/v1/status || exit 1\""
# "--health-start-period 20s"
# "--health-timeout 3s"
# "--health-interval 15s"
# "--health-retries 3"
];
ports = [ "5055:5055" ]; # Web UI port
dependsOn = [
"radarr"
"sonarr"
];
autoStart = true;
};
};
sops = {
secrets = {
"docker/notifiarr" = {
owner = "docker-service";
restartUnits = [ "docker-notifiarr.service" ];
};
"docker/bazarr" = {
owner = "docker-service";
restartUnits = [ "docker-bazarr.service" ];
};
"docker/prowlarr" = {
owner = "docker-service";
restartUnits = [ "docker-prowlarr.service" ];
};
"docker/radarr" = {
owner = "docker-service";
restartUnits = [ "docker-radarr.service" ];
};
"docker/sonarr" = {
owner = "docker-service";
restartUnits = [ "docker-sonarr.service" ];
};
"docker/lidarr" = {
owner = "docker-service";
restartUnits = [ "docker-lidarr.service" ];
};
"docker/jellyseerr" = {
owner = "docker-service";
restartUnits = [ "docker-jellyseerr.service" ];
};
};
};
}

3
systems/palatine-hill/docker/default.nix
View File

@@ -8,7 +8,6 @@
{ {
imports = [ imports = [
./act-runner.nix ./act-runner.nix
./arr.nix
# temp disable archiveteam for tiktok archiving # temp disable archiveteam for tiktok archiving
#./archiveteam.nix #./archiveteam.nix
# ./books.nix # ./books.nix
@@ -20,7 +19,7 @@
./nextcloud.nix ./nextcloud.nix
# ./postgres.nix # ./postgres.nix
# ./restic.nix # ./restic.nix
#./torr.nix ./torr.nix
# ./unifi.nix # ./unifi.nix
]; ];

1
systems/palatine-hill/docker/glances.nix
View File

@@ -8,7 +8,6 @@ in
virtualisation.oci-containers.containers = { virtualisation.oci-containers.containers = {
glances = { glances = {
image = "nicolargo/glances:latest-full"; image = "nicolargo/glances:latest-full";
pull = "always";
extraOptions = [ extraOptions = [
"--pid=host" "--pid=host"
"--network=haproxy-net" "--network=haproxy-net"

151
systems/palatine-hill/docker/minecraft.nix
View File

@@ -4,55 +4,41 @@ let
servers = { servers = {
atm6 = "atm6.alicehuston.xyz"; atm6 = "atm6.alicehuston.xyz";
stoneblock3 = "sb3.alicehuston.xyz"; stoneblock3 = "sb3.alicehuston.xyz";
stoneblock-4 = "sb4.alicehuston.xyz";
submerged-2 = "sm4.alicehuston.xyz";
RAD2 = "rad.alicehuston.xyz"; RAD2 = "rad.alicehuston.xyz";
skyfactory = "sf.alicehuston.xyz"; skyfactory = "sf.alicehuston.xyz";
divinejourney = "dj.alicehuston.xyz"; divinejourney = "dj.alicehuston.xyz";
rlcraft = "rlcraft.alicehuston.xyz"; rlcraft = "rlcraft.alicehuston.xyz";
arcanum-institute = "arcanum.alicehuston.xyz"; arcanum-institute = "arcanum.alicehuston.xyz";
meits = "meits.alicehuston.xyz";
cobblemon-overclocked = "mco.alicehuston.xyz";
cobblemon-plus = "mcp.alicehuston.xyz";
# bcg-plus = "bcg.alicehuston.xyz"; # bcg-plus = "bcg.alicehuston.xyz";
pii = "pii.alicehuston.xyz";
}; };
defaultServer = "rlcraft"; defaultServer = "rlcraft";
defaultEnv = { # defaultEnv = {
EULA = "true"; # EULA = "true";
TYPE = "AUTO_CURSEFORGE"; # TYPE = "AUTO_CURSEFORGE";
STOP_SERVER_ANNOUNCE_DELAY = "120"; # STOP_SERVER_ANNOUNCE_DELAY = "120";
STOP_DURATION = "600"; # STOP_DURATION = "600";
SYNC_CHUNK_WRITES = "false"; # SYNC_CHUNK_WRITES = "false";
USE_AIKAR_FLAGS = "true"; # USE_AIKAR_FLAGS = "true";
MEMORY = "12G"; # MEMORY = "8GB";
ALLOW_FLIGHT = "true"; # ALLOW_FLIGHT = "true";
MAX_TICK_TIME = "-1"; # MAX_TICK_TIME = "-1";
ENABLE_RCON = "true"; # };
TZ = "America/New_York";
REGION_FILE_COMPRESSION = "none";
OPS = ''
magpiecat
chesiregirl1105
'';
};
defaultOptions = [ # defaultOptions = [
"--stop-signal=SIGTERM" # "--stop-signal=SIGTERM"
"--stop-timeout=1800" # "--stop-timeout=1800"
"--network=minecraft-net" # "--network=minecraft-net"
]; # ];
vars = import ../vars.nix; # vars = import ../vars.nix;
minecraft_path = "${vars.primary_games}/minecraft"; # minecraft_path = "${vars.primary_games}/minecraft";
in in
{ {
virtualisation.oci-containers.containers = { virtualisation.oci-containers.containers = {
mc-router = { mc-router = {
image = "itzg/mc-router:latest"; image = "itzg/mc-router:latest";
pull = "always";
extraOptions = [ extraOptions = [
"--network=haproxy-net" "--network=haproxy-net"
"--network=minecraft-net" "--network=minecraft-net"
@@ -64,74 +50,45 @@ in
) )
]; ];
}; };
#rlcraft = { # rlcraft = {
# image = "itzg/minecraft-server:java8"; # image = "itzg/minecraft-server:java8";
# volumes = [ # volumes = [
# "${minecraft_path}/rlcraft/modpacks:/modpacks:ro" # "${minecraft_path}/rlcraft/modpacks:/modpacks:ro"
# "${minecraft_path}/rlcraft/data:/data" # "${minecraft_path}/rlcraft/data:/data"
# ]; # ];
# hostname = "rlcraft"; # hostname = "rlcraft";
# environment = defaultEnv // { # environment = defaultEnv // {
# VERSION = "1.12.2"; # VERSION = "1.12.2";
# CF_SLUG = "rlcraft"; # CF_SLUG = "rlcraft";
# DIFFICULTY = "hard"; # DIFFICULTY = "hard";
# ENABLE_COMMAND_BLOCK = "true"; # ENABLE_COMMAND_BLOCK = "true";
# }; # };
# extraOptions = defaultOptions; # extraOptions = defaultOptions;
# log-driver = "local"; # log-driver = "local";
# environmentFiles = [ config.sops.secrets."docker/minecraft".path ]; # environmentFiles = [ config.sops.secrets."docker/minecraft".path ];
#}; # };
cobblemon-overclocked = { # bcg-plus = {
image = "itzg/minecraft-server:java21"; # image = "itzg/minecraft-server:java17";
volumes = [ # volumes = [
"${minecraft_path}/cobblemon-overclocked/modpacks:/modpacks:ro" # "${minecraft_path}/bcg-plus/modpacks:/modpacks:ro"
"${minecraft_path}/cobblemon-overclocked/data:/data" # "${minecraft_path}/bcg-plus/data:/data"
]; # ];
hostname = "cobblemon-overclocked"; # hostname = "bcg-plus";
environment = defaultEnv // { # environment = defaultEnv // {
VERSION = "1.21.1"; # VERSION = "1.17";
CF_SLUG = "modified-cobblemon-overclocked"; # CF_SLUG = "bcg";
CF_FILENAME_MATCHER = "1.11.2"; # DIFFICULTY = "normal";
USE_AIKAR_FLAGS = "false"; # DEBUG = "true";
USE_MEOWICE_FLAGS = "true"; # # ENABLE_COMMAND_BLOCK = "true";
DIFFICULTY = "normal"; # };
ENABLE_COMMAND_BLOCK = "true"; # extraOptions = defaultOptions;
INIT_MEMORY = "4G"; # log-driver = "local";
MAX_MEMORY = "16G"; # environmentFiles = [ config.sops.secrets."docker/minecraft".path ];
SEED = "-7146406535839057559"; # };
};
extraOptions = defaultOptions;
log-driver = "local";
environmentFiles = [ config.sops.secrets."docker/minecraft".path ];
};
cobblemon-plus = {
image = "itzg/minecraft-server:java21";
volumes = [
"${minecraft_path}/cobblemon-plus/modpacks:/modpacks:ro"
"${minecraft_path}/cobblemon-plus/data:/data"
];
hostname = "cobblemon-plus";
environment = defaultEnv // {
VERSION = "1.21.1";
CF_SLUG = "modified-cobblemon-plus";
CF_FILENAME_MATCHER = "1.11.2";
USE_AIKAR_FLAGS = "false";
USE_MEOWICE_FLAGS = "true";
DIFFICULTY = "peaceful";
ENABLE_COMMAND_BLOCK = "true";
INIT_MEMORY = "4G";
MAX_MEMORY = "16G";
# exclude clientside mods that cause crashes when run in a headless environment
CF_EXCLUDE_MODS = "world-host";
CF_OVERRIDES_EXCLUSIONS = "mods/iris*.jar,mods/sodium*.jar,mods/world-host-*.jar";
};
extraOptions = defaultOptions;
log-driver = "local";
environmentFiles = [ config.sops.secrets."docker/minecraft".path ];
};
}; };
sops = { sops = {
defaultSopsFile = ../secrets.yaml;
secrets = { secrets = {
"docker/minecraft".owner = "docker-service"; "docker/minecraft".owner = "docker-service";
}; };

9
systems/palatine-hill/docker/nextcloud.nix
View File

@@ -8,13 +8,11 @@ let
# nextcloud-image = import ./nextcloud-image { inherit pkgs; }; # nextcloud-image = import ./nextcloud-image { inherit pkgs; };
nextcloud-base = { nextcloud-base = {
# image comes from running docker compose build in nextcloud-docker/.examples/full/apache # image comes from running docker compose build in nextcloud-docker/.examples/full/apache
image = "docker.io/library/nextcloud-nextcloud"; image = "nextcloud-nextcloud";
# pull = "always";
# do NOT enable pull here, this image is generated based on a custom docker image
hostname = "nextcloud"; hostname = "nextcloud";
volumes = [ volumes = [
"${nextcloud_path}/nc_data:/var/www/html:z" "${nextcloud_path}/nc_data:/var/www/html:z"
#"${nextcloud_path}/nc_php:/usr/local/etc/php" "${nextcloud_path}/nc_php:/usr/local/etc/php"
"${nextcloud_path}/nc_prehooks:/docker-entrypoint-hooks.d/before-starting" "${nextcloud_path}/nc_prehooks:/docker-entrypoint-hooks.d/before-starting"
#"${nextcloud_path}/remoteip.conf:/etc/apache2/conf-enabled/remoteip.conf:ro" #"${nextcloud_path}/remoteip.conf:/etc/apache2/conf-enabled/remoteip.conf:ro"
]; ];
@@ -34,7 +32,6 @@ in
}; };
redis = { redis = {
image = "redis:latest"; image = "redis:latest";
pull = "always";
user = "600:600"; user = "600:600";
volumes = [ volumes = [
"${config.sops.secrets."docker/redis".path}:/usr/local/etc/redis/redis.conf" "${config.sops.secrets."docker/redis".path}:/usr/local/etc/redis/redis.conf"
@@ -50,7 +47,6 @@ in
}; };
go-vod = { go-vod = {
image = "radialapps/go-vod:latest"; image = "radialapps/go-vod:latest";
pull = "always";
dependsOn = [ "nextcloud" ]; dependsOn = [ "nextcloud" ];
environment = { environment = {
NEXTCLOUD_HOST = "https://nextcloud.alicehuston.xyz"; NEXTCLOUD_HOST = "https://nextcloud.alicehuston.xyz";
@@ -62,7 +58,6 @@ in
}; };
collabora-code = { collabora-code = {
image = "collabora/code:latest"; image = "collabora/code:latest";
pull = "always";
dependsOn = [ "nextcloud" ]; dependsOn = [ "nextcloud" ];
environment = { environment = {
aliasgroup1 = "https://collabora.nayenoie.com:443"; aliasgroup1 = "https://collabora.nayenoie.com:443";

22
systems/palatine-hill/docker/openvpn/se.protonvpn.udp.ovpn
View File

File diff suppressed because one or more lines are too long

2
systems/palatine-hill/docker/restic.nix
View File

@@ -10,7 +10,7 @@ in
image = "restic/rest-server:latest"; image = "restic/rest-server:latest";
volumes = [ "${restic_path}:/data" ]; volumes = [ "${restic_path}:/data" ];
environment = { environment = {
OPTIONS = "--prometheus --private-repos --htpasswd-file /data/.htpasswd"; OPTIONS = "--prometheus --htpasswd-file /data/.htpasswd";
}; };
ports = [ "8010:8000" ]; ports = [ "8010:8000" ];
extraOptions = [ extraOptions = [

174
systems/palatine-hill/docker/torr.nix
View File

@@ -1,143 +1,103 @@
{ config, pkgs, ... }: { pkgs, ... }:
let let
qbitBase = { delugeBase = {
image = "ghcr.io/linuxserver/qbittorrent:latest";
pull = "always";
environment = { environment = {
PUID = "600"; PUID = "600";
PGID = "100"; PGID = "100";
TZ = "America/New_York"; TZ = "America/New_York";
UMASK = "000";
DEBUG = "true";
DELUGE_DAEMON_LOG_LEVEL = "debug";
DELUGE_WEB_LOG_LEVEL = "debug";
}; };
}; };
vars = import ../vars.nix; vars = import ../vars.nix;
#docker_path = vars.primary_docker; #docker_path = vars.primary_docker;
torr_path = vars.primary_torr; torr_path = vars.primary_torr;
qbit_path = "${torr_path}/qbit"; deluge_path = "${torr_path}/deluge";
qbitvpn_path = "${torr_path}/qbitvpn"; delugevpn_path = "${torr_path}/delugevpn";
qbitperm_path = "${torr_path}/qbitperm";
genSopsConf = file: {
"${file}" = {
format = "binary";
sopsFile = ./wg/${file};
path = "${delugevpn_path}/config/wireguard/configs/${file}";
owner = "docker-service";
group = "users";
restartUnits = [ "docker-delugeVPN.service" ];
};
};
in in
{ {
virtualisation.oci-containers.containers = { virtualisation.oci-containers.containers = {
qbit = qbitBase // { deluge = delugeBase // {
# webui port is 8082, torr port is 29432 image = "binhex/arch-deluge";
environment = qbitBase.environment // {
WEBUI_PORT = "8082";
TORRENTING_PORT = "29432";
};
volumes = [ volumes = [
"${qbit_path}/config:/config" # move from docker/qbit to qbit_path "${deluge_path}/config:/config"
"${torr_path}/data/:/data" "${deluge_path}/data/:/data"
"/etc/localtime:/etc/localtime:ro" "/etc/localtime:/etc/localtime:ro"
]; ];
networks = [ "host" ];
ports = [ ports = [
"8082:8082" "8084:8112"
"29432:29432" "29433:29433"
"29432:29432/udp"
]; ];
};
delugeVPN = delugeBase // {
image = "binhex/arch-delugevpn";
extraOptions = [ extraOptions = [
"--dns=9.9.9.9" "--privileged=true"
"--sysctl"
"net.ipv4.conf.all.src_valid_mark=1"
]; ];
}; environment = delugeBase.environment // {
VPN_ENABLED = "yes";
VPN_CLIENT = "wireguard";
VPN_PROV = "custom";
ENABLE_PRIVOXY = "yes";
LAN_NETWORK = "192.168.0.0/16";
NAME_SERVERS = "194.242.2.9";
# note, delete /config/perms.txt to force a bulk permissions update
# temp instance
qbitVPN = qbitBase // {
# webui port is 8081, torr port is 39274
networks = [
"container:gluetun-qbit"
];
environment = qbitBase.environment // {
WEBUI_PORT = "8081";
}; };
dependsOn = [ "gluetun-qbit" ];
volumes = [ volumes = [
"${qbitvpn_path}/config:/config" "${delugevpn_path}/config:/config"
"${torr_path}/data:/data" "${delugevpn_path}/data:/data"
"/etc/localtime:/etc/localtime:ro" "/etc/localtime:/etc/localtime:ro"
]; ];
};
gluetun-qbit = {
image = "qmcgaw/gluetun:v3";
capabilities = {
NET_ADMIN = true;
};
devices = [
"/dev/net/tun:/dev/net/tun"
];
ports = [ ports = [
"8081:8081" "8085:8112"
"8083:8083" "8119:8118"
]; "39275:39275"
environment = { "39275:39275/udp"
TZ = "America/New_York";
# SOPS prep
};
environmentFiles = [
config.sops.secrets."docker/gluetun".path
config.sops.secrets."docker/gluetun-qbitvpn".path
];
};
# permanent instance
qbitPerm = qbitBase // {
# webui port is 8083, torr port is 29434
networks = [
"container:gluetun-qbit"
];
environment = qbitBase.environment // {
WEBUI_PORT = "8083";
};
dependsOn = [ "gluetun-qbit" ];
volumes = [
"${qbitperm_path}/config:/config"
"${torr_path}/data:/data"
"/etc/localtime:/etc/localtime:ro"
];
};
gluetun-qbitperm = {
image = "qmcgaw/gluetun:v3";
capabilities = {
NET_ADMIN = true;
};
devices = [
"/dev/net/tun:/dev/net/tun"
];
ports = [
"8083:8083"
];
environment = {
TZ = "America/New_York";
# SOPS prep
};
environmentFiles = [
config.sops.secrets."docker/gluetun".path
config.sops.secrets."docker/gluetun-qbitperm".path
]; ];
}; };
}; };
sops.secrets = { systemd.services.docker-delugeVPN = {
"docker/gluetun" = { serviceConfig = {
owner = "docker-service"; ExecStartPre = [
restartUnits = [ (
"docker-gluetun-qbit.service" "${pkgs.bash}/bin/bash -c \"${pkgs.findutils}/bin/find ${delugevpn_path}/config/wireguard/configs "
"docker-gluetun-qbitperm.service" + "-type l -not -name wg0.conf "
]; + "| ${pkgs.coreutils}/bin/shuf -n 1 "
}; + "| ${pkgs.findutils}/bin/xargs -I {} cp -L {} ${delugevpn_path}/config/wireguard/wg0.conf &&"
"docker/gluetun-qbitvpn" = { + "${pkgs.coreutils}/bin/chown docker-service:users ${delugevpn_path}/config/wireguard/wg0.conf &&"
owner = "docker-service"; + "${pkgs.coreutils}/bin/chmod 440 ${delugevpn_path}/config/wireguard/wg0.conf\""
restartUnits = [ )
"docker-gluetun-qbit.service"
];
};
"docker/gluetun-qbitperm" = {
owner = "docker-service";
restartUnits = [
"docker-gluetun-qbitperm.service"
]; ];
ExecStopPost = [ "${pkgs.coreutils}/bin/rm ${delugevpn_path}/config/wireguard/wg0.conf" ];
}; };
}; };
sops.secrets =
(genSopsConf "se-mma-wg-001.conf")
// (genSopsConf "se-mma-wg-002.conf")
// (genSopsConf "se-mma-wg-003.conf")
// (genSopsConf "se-mma-wg-004.conf")
// (genSopsConf "se-mma-wg-005.conf")
// (genSopsConf "se-mma-wg-101.conf")
// (genSopsConf "se-mma-wg-102.conf")
// (genSopsConf "se-mma-wg-103.conf");
} }

71
systems/palatine-hill/firewall.nix
View File

@@ -1,62 +1,29 @@
{ ... }: { ... }:
{ {
networking.firewall = { networking.firewall.allowedTCPPorts = [
# qbit
8081
8082
8443
extraCommands = " # hydra
iptables -I nixos-fw 1 -i br+ -j ACCEPT 3000
";
extraStopCommands = " # minio
iptables -D nixos-fw -i br+ -j ACCEPT 8500
"; 8501
trustedInterfaces = [ "br+" ]; # gitea
2222
2223
8088
allowedTCPPorts = [ # attic
# qbit 8183
8081
8082
8443
# hydra # collabora
3000 9980
];
# minio
8500
8501
# gitea
2222
2223
8088
# attic
8183
# collabora
9980
# arr
6767
9696
7878
8989
8686
8787
5055
# torr
29432
# mattermost
8065
];
allowedUDPPorts = [
# torr
29432
];
};
} }

18
systems/palatine-hill/hydra.nix
View File

@@ -42,12 +42,7 @@ in
services = { services = {
hydra = { hydra = {
enable = true; enable = true;
package = inputs.hydra.packages.x86_64-linux.hydra.overrideAttrs (old: { package = inputs.hydra.packages.x86_64-linux.hydra;
preCheck = ''
export YATH_JOB_COUNT=8
${old.preCheck or ""}
'';
});
hydraURL = "https://hydra.alicehuston.xyz"; hydraURL = "https://hydra.alicehuston.xyz";
smtpHost = "alicehuston.xyz"; smtpHost = "alicehuston.xyz";
notificationSender = "hydra@alicehuston.xyz"; notificationSender = "hydra@alicehuston.xyz";
@@ -57,7 +52,6 @@ in
minimumDiskFree = 50; minimumDiskFree = 50;
minimumDiskFreeEvaluator = 100; minimumDiskFreeEvaluator = 100;
extraConfig = '' extraConfig = ''
allow_import_from_derivation = true
<git-input> <git-input>
timeout = 3600 timeout = 3600
</git-input> </git-input>
@@ -88,10 +82,10 @@ in
''; '';
}; };
# nix-serve = { nix-serve = {
# enable = true; enable = true;
# secretKeyFile = config.sops.secrets."nix-serve/secret-key".path; secretKeyFile = config.sops.secrets."nix-serve/secret-key".path;
# }; };
prometheus = { prometheus = {
enable = true; enable = true;
webExternalUrl = "https://prom.alicehuston.xyz"; webExternalUrl = "https://prom.alicehuston.xyz";
@@ -140,7 +134,7 @@ in
sops = { sops = {
secrets = { secrets = {
"hydra/environment".owner = "hydra"; "hydra/environment".owner = "hydra";
# "nix-serve/secret-key".owner = "root"; "nix-serve/secret-key".owner = "root";
"alice/gha-hydra-token" = { "alice/gha-hydra-token" = {
sopsFile = ../../users/alice/secrets.yaml; sopsFile = ../../users/alice/secrets.yaml;
owner = "hydra"; owner = "hydra";

19
systems/palatine-hill/mattermost.nix
View File

@@ -1,19 +0,0 @@
{
config,
...
}:
let
vars = import ./vars.nix;
in
{
services.mattermost = {
enable = true;
siteUrl = "https://mattermost.nayeonie.com"; # Set this to the URL you will be hosting the site on.
database = {
peerAuth = true; # This allows Mattermost to connect to the database without a password, which is more secure when both are on the same machine.
create = true;
driver = "postgres";
};
dataDir = "${vars.primary_mattermost}/mattermost";
};
}

77
systems/palatine-hill/ollama.nix
View File

@@ -1,77 +0,0 @@
{
pkgs,
...
}:
let
vars = import ./vars.nix;
in
{
services = {
ollama = {
enable = true;
package = pkgs.ollama;
syncModels = true;
loadModels = [
"deepseek-r1:1.5b"
"deepseek-r1:32b"
"deepseek-r1:70b"
#"qwen3"
#"qwen3.5:latest"
"qwen3-coder-next"
"lennyerik/zeta"
"nomic-embed-text:latest"
"lfm2:24b"
"glm-4.7-flash"
"nemotron-cascade-2:30b"
"magistral"
"devstral-small-2"
"starcoder2:15b"
];
models = vars.primary_ollama;
environmentVariables = {
FLASH_ATTENTION = "1";
OLLAMA_KV_CACHE_TYPE = "q4_0";
# Ollama memory configuration
OLLAMA_MAX_LOADED_MODELS = "3";
OLLAMA_MAX_QUEUE = "512";
OLLAMA_NUM_PARALLEL = "1";
# ROCm memory optimization
#HIP_VISIBLE_DEVICES = "0";
#ROCR_VISIBLE_DEVICES = "0";
# context length for agents
OLLAMA_CONTEXT_LENGTH = "128000";
};
openFirewall = true;
host = "0.0.0.0"; # don't want to make this available via load-balancer yet, so making it available on the local network
};
open-webui = {
enable = true;
port = 21212;
openFirewall = true;
host = "0.0.0.0"; # don't want to make this available via load-balancer yet, so making it available on the local network
};
};
users.users.ollama = {
extraGroups = [
"render"
"video"
];
group = "ollama";
isSystemUser = true;
};
users.groups.ollama = { };
systemd.services = {
ollama.serviceConfig = {
Nice = 19;
IOSchedulingPriority = 7;
};
ollama-model-loader.serviceConfig = {
Nice = 19;
CPUWeight = 50;
IOSchedulingClass = "idle";
IOSchedulingPriority = 7;
};
};
}

28
systems/palatine-hill/plex/default.nix
View File

@@ -1,28 +0,0 @@
{
pkgs,
...
}:
let
vars = import ../vars.nix;
in
{
services.plex = {
enable = true;
dataDir = vars.primary_plex;
};
systemd.services.plex_permission = {
description = "maintains plex permissions";
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.bash}/bin/bash ${./plex_permission.sh}";
};
};
systemd.timers.plex_permission = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "1h";
OnCalendar = "daily 03:00";
Unit = "plex_permission.service";
};
};
}

7
systems/palatine-hill/plex/plex_permission.sh
View File

@@ -1,7 +0,0 @@
#!/bin/bash
plex_dir="/ZFS/ZFS-primary/plex"
chown docker-service:users -R "$plex_dir"
find "$plex_dir" -type f -exec chmod 664 {} \;
find "$plex_dir" -type d -exec chmod 775 {} \;

12
systems/palatine-hill/postgresql.nix
View File

@@ -1,5 +1,6 @@
{ {
config, config,
lib,
pkgs, pkgs,
... ...
}: }:
@@ -19,8 +20,7 @@ in
enableJIT = true; enableJIT = true;
package = pkgs.postgresql_16; package = pkgs.postgresql_16;
configurePgStatStatements = true; configurePgStatStatements = true;
#enableAllPreloadedLibraries = true; enableAllPreloadedLibraries = true;
installAllAvailableExtensions = true;
#preloadAllExtensions = true; #preloadAllExtensions = true;
identMap = '' identMap = ''
# ArbitraryMapName systemUser DBUser # ArbitraryMapName systemUser DBUser
@@ -29,18 +29,11 @@ in
# Let other names login as themselves # Let other names login as themselves
superuser_map /^(.*)$ \1 superuser_map /^(.*)$ \1
''; '';
authentication = ''
local bazarr bazarr scram-sha-256
local /.*arr-main /.*arr scram-sha-256
local /.*arr-log /.*arr scram-sha-256
local jellyseerr jellyseerr scram-sha-256
'';
# initialScript = config.sops.secrets."postgres/init".path; # initialScript = config.sops.secrets."postgres/init".path;
ensureDatabases = [ ensureDatabases = [
"atticd" "atticd"
"alice" "alice"
"mattermost"
]; ];
ensureUsers = [ ensureUsers = [
{ {
@@ -172,7 +165,6 @@ in
"hydra-server" "hydra-server"
"atticd" "atticd"
"gitea" "gitea"
"mattermost"
]; ];
}; };
}; };

2
systems/palatine-hill/samba.nix
View File

@@ -12,7 +12,7 @@
#"use sendfile" = "yes"; #"use sendfile" = "yes";
#"max protocol" = "smb2"; #"max protocol" = "smb2";
# note: localhost is the ipv6 localhost ::1 # note: localhost is the ipv6 localhost ::1
"hosts allow" = "192.168.76. 127.0.0.1 localhost 192.168.191."; "hosts allow" = "192.168.76. 127.0.0.1 localhost";
"hosts deny" = "0.0.0.0/0"; "hosts deny" = "0.0.0.0/0";
"guest account" = "nobody"; "guest account" = "nobody";
"map to guest" = "bad user"; "map to guest" = "bad user";

20
systems/palatine-hill/secrets.yaml
View File

@@ -17,24 +17,12 @@ minio:
credentials: ENC[AES256_GCM,data:5Z/cTmxSuMq8BfRgYLGZZJ7o6AtmrQM3yNjR17YHr29S7ZWvGsjfM7DsLKectem01nvv3HoT4uyWSdhkOmZahzDb5OF1NEgjJhLqkKlCETMu0mmpwe1cx6iOd7kjB3E6Az/MWpXqZ/TrryL9FrQD2nnx9bHyWWIHRQv8,iv:jiYZXfU+OssC0rh/3yFZLEzD1+5mVDDl6gQ3oyk76E4=,tag:bevDszFv1zSa+/2qQIgC0w==,type:str] credentials: ENC[AES256_GCM,data:5Z/cTmxSuMq8BfRgYLGZZJ7o6AtmrQM3yNjR17YHr29S7ZWvGsjfM7DsLKectem01nvv3HoT4uyWSdhkOmZahzDb5OF1NEgjJhLqkKlCETMu0mmpwe1cx6iOd7kjB3E6Az/MWpXqZ/TrryL9FrQD2nnx9bHyWWIHRQv8,iv:jiYZXfU+OssC0rh/3yFZLEzD1+5mVDDl6gQ3oyk76E4=,tag:bevDszFv1zSa+/2qQIgC0w==,type:str]
loki: ENC[AES256_GCM,data:ShC6hfsKifVaxLWRo1fqaOpsrYh4+w==,iv:KVSlPd0mBvPZikg/Agnl6q0UhxTmsNOeYdercYOhqMg=,tag:cj6ex9m7vDjInTJDGUlqFQ==,type:str] loki: ENC[AES256_GCM,data:ShC6hfsKifVaxLWRo1fqaOpsrYh4+w==,iv:KVSlPd0mBvPZikg/Agnl6q0UhxTmsNOeYdercYOhqMg=,tag:cj6ex9m7vDjInTJDGUlqFQ==,type:str]
docker: docker:
minecraft: ENC[AES256_GCM,data:krSM870t/IATwpUWNuKX8D5HHEvk+HeimKgodXssIYcBmdF1SZAwjUsSlx9fL3JiRtxfu0jSbhyD/2jLHMWqcix1WQGOVgs=,iv:ZTMxmzeSLQRCBF2t6r3dCDlcZ5BsBwZen6jOZN/HvGU=,tag:SES3lhRrRI8zBH1jnaV82w==,type:str] minecraft: ENC[AES256_GCM,data:2k/m0ksnE92fACxQuBlOO72b19T7Nbnr58ezRddmKUVvePEgrdSnIsR3sh7PnmzwmG/ez0WTD+NKbtkQmRMDQ25vruA8gCf8Ig==,iv:X2SUidKTNAPZfbyiXFKprUbAhBxJcbF5bz+YTy4nuEA=,tag:AAvLXO888r9XvtnNfQgCpA==,type:str]
foundry: ENC[AES256_GCM,data:5Z0FvVhJBzTwDPRN6c//caZokiTnkdqiLGFFuyen+tYsdjbQ3AXH5y7HfxKbxsJvU5uShOuIg0jVMvow2NYmzyYDDKBKPOz0bgXOmFq06wzCJubjyZmR/mDcWBBDzAFzaazpyW8=,iv:6wLS00zhX0tjJUe5uADAjzEshJP8QOkF2i4Aw+Y9RSk=,tag:sNr/exY1u3evYGcImyCUlA==,type:str] foundry: ENC[AES256_GCM,data:5Z0FvVhJBzTwDPRN6c//caZokiTnkdqiLGFFuyen+tYsdjbQ3AXH5y7HfxKbxsJvU5uShOuIg0jVMvow2NYmzyYDDKBKPOz0bgXOmFq06wzCJubjyZmR/mDcWBBDzAFzaazpyW8=,iv:6wLS00zhX0tjJUe5uADAjzEshJP8QOkF2i4Aw+Y9RSk=,tag:sNr/exY1u3evYGcImyCUlA==,type:str]
nextcloud: ENC[AES256_GCM,data:dm2Cha+CvFORgdcBvJAzzdOGcJ95vLJYTZcUJnjNp6HOQIIoJrDone1NOAYJh9rdWG/17/ntOmd+TysAj4AsD0dw/PatZmy3I+dcVghkt2XNTc7jD64QjctIHzR+om1joAbKemG1R3St7qDU68TWYxoxIfYZcJvg3ds/lJcYgFRh079UZ/IRlGVR6sWPEXyY+UUrwtk0Fr+y8UtwwWZiLp0akUbIV06huRGiAp/PeWETuPPuacl2++ayIgJFZkJjUl/a52RI1Q0nLG5iyK6QYpY1JSRJTOkiQQ4PB5GRdLCdoM5/ZXTQ6gGcoM5jXFllsTn+yRicNRucuBp7Z2achbk6eITCdjjdXVI7zM4YXpzVLu5fJckLAu07aEIGYCBT7ZXd7TRgfB68POwtwaJGBozg+nuhq8xEH04yi8jFODH6aFplIgJ+bbaP72zw+92lzZa33FEtOwKdtx+YUv0eLLDJs+8Z6Sn6RyN8prwIz1/9LuIMx39g4R7id9W2bV2MXqTU4nN8f0TXWqe+hnb5pDLBaZOBMkwbRka6Vptsi4dbL5Lnexa2DoIHZ2unyxZ+4SkRt9LH39j8fXf2w5JPFCSLstf7+Zu7xzRS0TTCug7k,iv:oOWcFdQJb/+KZKJmQChhJ5jOCcM3o+ojZSMyiRnO9n8=,tag:PWGQkwPe0juLgAdlKiWKpg==,type:str] nextcloud: ENC[AES256_GCM,data:dm2Cha+CvFORgdcBvJAzzdOGcJ95vLJYTZcUJnjNp6HOQIIoJrDone1NOAYJh9rdWG/17/ntOmd+TysAj4AsD0dw/PatZmy3I+dcVghkt2XNTc7jD64QjctIHzR+om1joAbKemG1R3St7qDU68TWYxoxIfYZcJvg3ds/lJcYgFRh079UZ/IRlGVR6sWPEXyY+UUrwtk0Fr+y8UtwwWZiLp0akUbIV06huRGiAp/PeWETuPPuacl2++ayIgJFZkJjUl/a52RI1Q0nLG5iyK6QYpY1JSRJTOkiQQ4PB5GRdLCdoM5/ZXTQ6gGcoM5jXFllsTn+yRicNRucuBp7Z2achbk6eITCdjjdXVI7zM4YXpzVLu5fJckLAu07aEIGYCBT7ZXd7TRgfB68POwtwaJGBozg+nuhq8xEH04yi8jFODH6aFplIgJ+bbaP72zw+92lzZa33FEtOwKdtx+YUv0eLLDJs+8Z6Sn6RyN8prwIz1/9LuIMx39g4R7id9W2bV2MXqTU4nN8f0TXWqe+hnb5pDLBaZOBMkwbRka6Vptsi4dbL5Lnexa2DoIHZ2unyxZ+4SkRt9LH39j8fXf2w5JPFCSLstf7+Zu7xzRS0TTCug7k,iv:oOWcFdQJb/+KZKJmQChhJ5jOCcM3o+ojZSMyiRnO9n8=,tag:PWGQkwPe0juLgAdlKiWKpg==,type:str]
redis: ENC[AES256_GCM,data:c+55cN6IpUNeKd+wC2zv3eunYjBsmZtXTczokqaxB2Q=,iv:M3pwNUlT9kUMv4JDE6bp/gub9CdBGxdApIvpOt3JpgE=,tag:3rPlV3U0AP9zAeF7xDouKw==,type:str] redis: ENC[AES256_GCM,data:c+55cN6IpUNeKd+wC2zv3eunYjBsmZtXTczokqaxB2Q=,iv:M3pwNUlT9kUMv4JDE6bp/gub9CdBGxdApIvpOt3JpgE=,tag:3rPlV3U0AP9zAeF7xDouKw==,type:str]
act-runner: ENC[AES256_GCM,data:gdrqXBBzdMW26MgNfP6P1c/m7pLANCXjcZLvVsxlWcgpAZd8IaO2FUqomL3xFI3UDPveQh0UvC3044ueoWhYJOq7ZmKJGvdf0ZrpP1MkXZKvjFjbTsuf/6/SYKhPqnP28HqznUWIVJYcRmP+A2oVeJY=,iv:/yOqJYDpxbqCm1whqcypp7Ba1Xlaebrv+h6lHr57Qa8=,tag:PzVqxP+QwQq69jqhmagj3w==,type:str] act-runner: ENC[AES256_GCM,data:gdrqXBBzdMW26MgNfP6P1c/m7pLANCXjcZLvVsxlWcgpAZd8IaO2FUqomL3xFI3UDPveQh0UvC3044ueoWhYJOq7ZmKJGvdf0ZrpP1MkXZKvjFjbTsuf/6/SYKhPqnP28HqznUWIVJYcRmP+A2oVeJY=,iv:/yOqJYDpxbqCm1whqcypp7Ba1Xlaebrv+h6lHr57Qa8=,tag:PzVqxP+QwQq69jqhmagj3w==,type:str]
collabora: ENC[AES256_GCM,data:LPRkzPEv5qfzeWSDbf+L+0asfmiK5Mhj8jCdfVyvVQAaD75Cbo4qLD0Nc80z,iv:/l2vAyYYJChhv6T+JkHT4I74ZpdhvbVqxlDWIM4Y4bw=,tag:/+uzn1vtd1RnO9/lGiQAKA==,type:str] collabora: ENC[AES256_GCM,data:LPRkzPEv5qfzeWSDbf+L+0asfmiK5Mhj8jCdfVyvVQAaD75Cbo4qLD0Nc80z,iv:/l2vAyYYJChhv6T+JkHT4I74ZpdhvbVqxlDWIM4Y4bw=,tag:/+uzn1vtd1RnO9/lGiQAKA==,type:str]
delugevpn: ENC[AES256_GCM,data:YGkgaQUuA9oteKD77tnFzxZSHctyOQjMNlfvJr3mPWAl2P8wfcshiUoa6SNp69pagxbzRV6mfuzwzinbkQCoZN3lw7uF76y0,iv:Bro0H4tFR+3wi9DGGq9a6ge4o4uPlVXBUF7h17zyqg8=,tag:N1kVNFasqGMx8R9qTq2dJA==,type:str]
protonvpn-start-script: ENC[AES256_GCM,data:ZnlDpCLdILHXSUCI6itWkqO4y75Lwjj7qT1DBkfueLneQOaQ0JhuE2FbOOajkmI046nP9fMrJbu3g4QZHsq1g8yqGU1wb0OOT+eS9+M92Md29B4NnUdwnVAO6/RzvRKXP2tsQ4iprx9An+BEFwZYD6WG6DQc6NjJVSgRcYvfH9rQey2VdwLysNsgFCs8eC6QgikqBpeg4eOIvDDNbdXPKkW+ZPph9xpzGkcFIMwlX5esg0n7qyUoMvWwBn4avC46U5erOw0fNajY60ri9sm5Afht6LZrFal71Hx/K9/5EXBp9dD4teLO2Ew0CQX0i94pKCuR207l9868s7Ao3udLp4wbiLnXoRKq+w==,iv:qR0kNYpb50NXEqSksvHBPAaRG51RKCsSwTq32nosxzo=,tag:+xRQyuWi4Ja/N9lcd11oJA==,type:str]
notifiarr: ENC[AES256_GCM,data:XxVEhp4Rei6mRcdSSooRnofuVNZDalVhDYiVUmvQUr8QihrVRMKRE9Kpl5PGWUBw,iv:urMLaUf3XUjMks2vk0E7iRUU3mLHBiMAiwtQgmWQq20=,tag:dHdTOyC/ukd71UlYEI5fWw==,type:str]
bazarr: ENC[AES256_GCM,data:x+JdRCl3x3OM3lWmgcWikJSEnh5c5He5HmuLzCGAQ8zUXMi2Z3Kf6LzL+aoqtCBu3rabYZmQSLBoDm9CPkk=,iv:7e+3w46RUD2/OSlwrEe7BRxUqPPdt5+obIjQA8pr3xY=,tag:rHSijp/tcf/SGp5y4kJ0cw==,type:str]
prowlarr: ENC[AES256_GCM,data:hr3hYwRw0+/UD8anqZQjGy7rPkV2pad4Xi5FdXSf3Ftd1/jwlYfMqhqgEngFX30LLMWvJvjeu1TkTNzSEwI6ZCPdefNVYYwWavtm+XcBVxffGvFZ,iv:EXW48288IcCeGs/vP4tkAI4dxQAOh92Na43q/9cyuSc=,tag:pnYR26MDd82DjeUPdwCoUw==,type:str]
radarr: ENC[AES256_GCM,data:qCfoeEHb0ng5GhaY3QZiFvLVb25ZHNmgT0bRqEjBcelyP2819zCL7LxUPr08FxivEYZiAMFVleRozL8NMg6O5fh+2BatcYOfyh99zxIC,iv:HV3gTTnrjtab7x4Be+7hSe+nrD6BnPAmZBsHzi9Fujg=,tag:O6x0FDlasuJSRrGL/9SwpQ==,type:str]
sonarr: ENC[AES256_GCM,data:X/hM31ZyHybvy2eQzVnmq8CH1AqBgz1pxq7tKC4lZB3ryAbnEIJksffem8+35tWt/0r5cEH4aaIKD1kS7Q+Ma+8JrRLcWkt6CZq/wspz,iv:44FfdVpQCposXshzNe5DXAxExeQzjVKhkZaVbgKo8KU=,tag:WIWWUt1XBngUTwwqhCrcNw==,type:str]
lidarr: ENC[AES256_GCM,data:xERBECneutNUMZRrHukp8CaNrpI7SXUB16zUkauNP2+wto3eIc/K+2nMCkbwSC9AKlSjnUGSiORmAWn/jofTAuEzQljkCR1XCSkJRMmL,iv:iKf4fZtCfdjT/KuMFK5VFoLAV+Lll8uJowe9Q4cHyYw=,tag:xzmATTkrYRYm9Mw23zEO5g==,type:str]
jellyseerr: ENC[AES256_GCM,data:7dDfHFp8+WbJqrf7Ms/gmfroBePwegXh5CXn5FcOz8IEK7rTvr9KZfz9x/1BwdD8,iv:ZPi3OcMfH76A08piKY4P7hFbeMyouwBoeN5oL3ExzKU=,tag:oOZ37dy/y+DFqNRfAHexvQ==,type:str]
gluetun: ENC[AES256_GCM,data:ryhYVOYEZl5zDs+xMgbWI6q/Ei2AiNZJMxT/TcaHzTEocINgbczWk9GKeeZKno71vFXiF9/tPpYavLqvjWNL77doWDB+wiYrtBJ97PkQ70dqWntua9E8eCalYlIZpRbLsl5OA9ZHorIMPjjSB2CRYLCqq30PPi5I2TtRvs/g6LRUN4sZ/E2TTUjz7AEY7228ZEuHt1UkU+dY/jEbx6fwrm/ocP8xKvYUuAR1/Cx/z4N0mqmVl+FX/5dRSkmhpfAxO9ss898XKiJW4rewQIbG5ccYal+reZZr70TaEJQqg5KIfAnbp6dEjAsSXnRiEF801JXM0h+d14ECT4tQmdyvYBdCVnJ/Ibqw9D15cViHmeDbR68spqOCj67FSMKxgCVx4KFrxPOualsULX7RL/UbHq2cwyziSFkH4n2ljFlKohyj39F7EparJbiCOumNfhRWknDDwvXY+BjJhbAe19ccKP6QWrS68uBp0cTXqb0rVN/qlfz6Sj5EYj5M/u0rl6d5xctnKmOzfLjI2m5+E9WfDJaAUcP/Ihs+p2eD7aSQTIj+O7I66ju+UAz66D9ZoU1U3uVQ9gaPI5dOMmYdLKS3b19EVytwW2W13d0WXKIw5Vfb7MvFh9I0iPWq+ntL4jQzMYSwV5Y=,iv:Cy3h5I3vbqKORdqw91SHL4tRMeGHMLsXgQ0USJ2jtzk=,tag:0J/p1sUQfXR4ujjY7VzZuQ==,type:str]
gluetun-qbitvpn: ENC[AES256_GCM,data:3IdmuLvWs5YRQZuG9y1GRTMKMbR7OynUUVluezviDOV22EkABvo3Ic/+xZrWi/lzAhQRwRsCGjinlUJf7lBvPLg53HaIplbzSIyd3IPLbKzEVAK32WYB/M5cGNQW+XV8TiKK72HO8+WG588A0bsuvp/wQ86ohpRHVrnlboANLS3diCNXI3VdFIHPGpvM77TqB3/vo2AFLKjxi2es4l6KRam8cEUFAz0eH03tTUYaxy+ewA5IZCQSbMURLFKKdh0EATTG5jIz3jFp372fnk8UBgFPeH8+N9VHNM6rnV6zAsC2Vlj2E1YQRTRqOwSK0NRAAV5NBbr7zumS3VS0rVUpIbZVrW/C2BSAVbzowkHuo5o1B7UFsryb3s2FJJGF2biaDoL+ijM5a0Qi4LfNeaSLNKrzaTin0wYq8rPrQKOUBZL4t6FsRbG7KHmfwM4uYdWqV5h1syjI9WWReuePVb416YvqSH9p8HhNsDTka8IGgYkHcYAXYuuxUc6sgQONBwrsdeN5Dhq1IedhuOW+3qAV+hHl8qmVgiWZ8Ss+nmo016nsikifEp08N7J8t3f86/SFZO+YMBxQ/K9PJLsJzR2jsBcf2aTlq0cuzXDvb4cMtro=,iv:N9zdyKJDsj049j5hZOSnAkS/VTWlC3crTODJKIpYYko=,tag:uYHq3CZj0P/BAv+0Ak5ZEw==,type:str]
gluetun-qbitperm: ENC[AES256_GCM,data:kzSrILs78UkzNeAvxoDU3QsLKdapQNyQW9nq0it+7HhhwDQ0MJB1s2Ek8zKErTatpwzG8xiUK0HwX5hFLgNZYc+OE0CH4PUrgX1t6dykuPLD2rKQL7veElNgqhX0/39xNyopyJk2UMVFNSqoV1DCC/ja9MqX9+jBYk++7DeX7v1Gl1ntjzJ+zIscg0nOTN1eQAHtiOWtFU0COC/aA8KS+HLIsMkjrIk9UD4C/DE8AOS07s+gDxPRtl6L7324FRqjEHNyxAobWOOLeG711RZcskF7dlminVJu4aVGbBwIy/zDdHFxRwO6yaLr/AqrTlRVOa2O8Qu2Ydpv8ZNj2F6fHrVNNmVwvMEKYibV6oMVo72uT+DTz/mFaYuTUeuJfkdCy7tnQYhBnpbd5J4mKfVb8uOF9Tx02kL2fTFKyvtET3nrtakQUjv8mEqHn4F8136O2JvUBN5RmC3B3vRdFjYgdfwy8hUT9b0Cmi8w0Zzs+XGMRdvWv2g6b5fmlAn0K+a0KB1fdDLhvbIXhY+sYzR3yOH01K0lW3xVdnl1eMIFjZkUGRTi32HyCYb0SUA1EcXmtA4XmyZ6HHFEXFA5y2guVqU4xLyXXldM+lGB7yGLMcM=,iv:kuueHxYafrEdyBxGUBoU2ks7kdr/rWMnXZmE3Kx/iK4=,tag:bNIfP3H5/Kh3ofuCGGx5Hg==,type:str]
acme: acme:
bunny: ENC[AES256_GCM,data:P2yROVUga9mORcq8VR/l0i4/2Vod1zvlYq+ZJLLNKow0SpblkwQX/i1ucQYAOkTTRddN+3C+t0zj1rMWkdLoaLjEUJJi3VsSxi+chV2FFiVKFQGEcg24,iv:aQvGgGLsgRGoEmwTgZHR8Jm/MYxmGtVTT/fZKaTLeMs=,tag:m3ssF4O8qs4yxvMu6yUcjw==,type:str] bunny: ENC[AES256_GCM,data:P2yROVUga9mORcq8VR/l0i4/2Vod1zvlYq+ZJLLNKow0SpblkwQX/i1ucQYAOkTTRddN+3C+t0zj1rMWkdLoaLjEUJJi3VsSxi+chV2FFiVKFQGEcg24,iv:aQvGgGLsgRGoEmwTgZHR8Jm/MYxmGtVTT/fZKaTLeMs=,tag:m3ssF4O8qs4yxvMu6yUcjw==,type:str]
dnsimple: ENC[AES256_GCM,data:37FKyBibFtXZgI4EduJQ0z8F+shBc5Q6YlLa3YkVPh9XuJVS20eybi75bfJxiozcZ9d+YRaqcbkBQCSdFOCotDU=,iv:oq3JjqbfAm2C4jcL1lvUb2EOmnwlR07vPoO8H0BmydQ=,tag:E3NO/jMElL6Q817666gIyg==,type:str] dnsimple: ENC[AES256_GCM,data:37FKyBibFtXZgI4EduJQ0z8F+shBc5Q6YlLa3YkVPh9XuJVS20eybi75bfJxiozcZ9d+YRaqcbkBQCSdFOCotDU=,iv:oq3JjqbfAm2C4jcL1lvUb2EOmnwlR07vPoO8H0BmydQ=,tag:E3NO/jMElL6Q817666gIyg==,type:str]
@@ -53,8 +41,8 @@ sops:
cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At
LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw== LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-17T01:50:50Z" lastmodified: "2025-05-30T04:36:41Z"
mac: ENC[AES256_GCM,data:8TGSqwEcfmrW1PjuzTVNyDTNs6s3oWbT0tI+rg7u2w5Dcw1EEU+SjJ6VpNY06AZHTjSD6E0O7NzUxybtMpslHUGitOGWwQCk+sbqRJuUseFe7bWFboEVoJpEoYGN5pnn52opMT+NeHGkXumaxjhDjCxfwn1RBHR7TgD4ZHEH6pE=,iv:szBUnn3HL/osWhmTwYmHrUghobWdBR60Lc6uUD/eGMY=,tag:6vgdJeJjL4ZYKc8WjixClg==,type:str] mac: ENC[AES256_GCM,data:fEsUt5g0/7j8IVgtXQ0thV93dxe6SGCglqeHdnaXFOjKcCUEFWUmi98M8X92hR9AJzscRK6wqzijd/AQBzl+GL2QtDYsn8qx9Nr0DBd6Gh1vi25eh5LtADm09COSae1THWuFLP7L1Qamyt+XzlBa7Xnrzfuzzp0s2/cZoxZiueU=,iv:VYzh833cMQwGmkB6QunRys0Eluz+0KGj8Y43B9icE9w=,tag:EWJSizBMTFZ0TZhncYe2Sw==,type:str]
pgp: pgp:
- created_at: "2024-11-28T18:56:39Z" - created_at: "2024-11-28T18:56:39Z"
enc: |- enc: |-
@@ -69,4 +57,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330 fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.11.0 version: 3.10.2

4
systems/palatine-hill/vars.nix
View File

@@ -17,8 +17,4 @@ rec {
primary_nextcloud = "${zfs_primary}/nextcloud"; primary_nextcloud = "${zfs_primary}/nextcloud";
primary_redis = "${zfs_primary}/redis"; primary_redis = "${zfs_primary}/redis";
primary_torr = "${zfs_primary}/torr"; primary_torr = "${zfs_primary}/torr";
primary_plex = "${zfs_primary}/plex";
primary_plex_storage = "${zfs_primary}/plex_storage";
primary_ollama = "${zfs_primary}/ollama";
primary_mattermost = "${zfs_primary}/mattermost";
} }

2
systems/palatine-hill/zfs.nix
View File

@@ -49,7 +49,7 @@
daily = 30; daily = 30;
weekly = 0; weekly = 0;
monthly = 6; monthly = 6;
yearly = 2; yearly = 3;
autosnap = true; autosnap = true;
autoprune = true; autoprune = true;
}; };

35
systems/selinunte/audio.nix
View File

@@ -1,35 +0,0 @@
{ pkgs, ... }:
{
# rtkit is optional but recommended
security.rtkit.enable = true;
services = {
pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
# If you want to use JACK applications, uncomment this
#jack.enable = true;
};
pipewire.wireplumber.configPackages = [
(pkgs.writeTextDir "share/wireplumber/bluetooth.lua.d/51-bluez-config.lua" ''
bluez_monitor.properties = {
["bluez5.enable-sbc-xq"] = true,
["bluez5.enable-msbc"] = true,
["bluez5.enable-hw-volume"] = true,
["bluez5.headset-roles"] = "[ hsp_hs hsp_ag hfp_hf hfp_ag ]"
}
'')
];
blueman.enable = true;
};
hardware.bluetooth.enable = true;
hardware.bluetooth.powerOnBoot = true;
environment.systemPackages = with pkgs; [ pavucontrol ];
programs.noisetorch.enable = true;
}

49
systems/selinunte/configuration.nix
View File

@@ -1,49 +0,0 @@
{
config,
lib,
pkgs,
...
}:
{
imports = [
./audio.nix
./desktop.nix
./fonts.nix
./graphics.nix
./polkit.nix
./programs.nix
./steam.nix
./stylix.nix
];
time.timeZone = "America/New_York";
# temp workaround for building while in nixos-enter
#services.logrotate.checkConfig = false;
networking = {
hostId = "9f2e1ff9";
firewall.enable = true;
useNetworkd = true;
};
boot = {
kernelPackages = lib.mkForce pkgs.linuxPackages_xanmod;
useSystemdBoot = true;
default = true;
};
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
services = {
flatpak.enable = true;
gvfs.enable = true;
openssh.enable = lib.mkForce false;
};
system.stateVersion = "25.11";
sops = {
defaultSopsFile = ./secrets.yaml;
};
}

23
systems/selinunte/default.nix
View File

@@ -1,23 +0,0 @@
{ inputs, ... }:
{
system = "x86_64-linux";
home = true;
sops = true;
server = false;
users = [ "alice" ];
modules = [
inputs.nixos-hardware.nixosModules.common-pc
inputs.nixos-hardware.nixosModules.common-pc-ssd
inputs.nixos-hardware.nixosModules.common-gpu-nvidia-nonprime
inputs.nixos-hardware.nixosModules.common-cpu-amd
inputs.nixos-hardware.nixosModules.common-cpu-amd-pstate
inputs.nixos-hardware.nixosModules.common-cpu-amd-zenpower
inputs.stylix.nixosModules.stylix
{
environment.systemPackages = [
inputs.wired-notify.packages.x86_64-linux.default
inputs.hyprland-contrib.packages.x86_64-linux.grimblast
];
}
];
}

38
systems/selinunte/desktop.nix
View File

@@ -1,38 +0,0 @@
{ pkgs, ... }:
{
# installs hyprland, and its dependencies
programs = {
hyprland = {
enable = true;
xwayland.enable = true;
withUWSM = true;
};
hyprlock.enable = true;
ydotool.enable = true;
};
# Optional, hint electron apps to use wayland:
environment.sessionVariables.NIXOS_OZONE_WL = "1";
services = {
displayManager.gdm = {
enable = true;
wayland = true;
};
dbus = {
enable = true;
implementation = "broker";
};
};
powerManagement = {
enable = true;
};
environment.systemPackages = with pkgs; [
libsForQt5.qt5.qtwayland
qt6.qtwayland
];
}

15
systems/selinunte/fonts.nix
View File

@@ -1,15 +0,0 @@
{ pkgs, ... }:
{
fonts = {
fontconfig.enable = true;
enableDefaultPackages = true;
packages = with pkgs.nerd-fonts; [
fira-code
droid-sans-mono
hack
dejavu-sans-mono
noto
open-dyslexic
];
};
}

40
systems/selinunte/graphics.nix
View File

@@ -1,40 +0,0 @@
{ config, pkgs, ... }:
{
hardware.graphics = {
## radv: an open-source Vulkan driver from freedesktop
enable = true;
enable32Bit = true;
};
hardware.nvidia = {
# Modesetting is required.
modesetting.enable = true;
# Nvidia power management. Experimental, and can cause sleep/suspend to fail.
# Enable this if you have graphical corruption issues or application crashes after waking
# up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead
# of just the bare essentials.
powerManagement.enable = false;
# Fine-grained power management. Turns off GPU when not in use.
# Experimental and only works on modern Nvidia GPUs (Turing or newer).
powerManagement.finegrained = false;
# Use the NVidia open source kernel module (not to be confused with the
# independent third-party "nouveau" open source driver).
# Support is limited to the Turing and later architectures. Full list of
# supported GPUs is at:
# https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
# Only available from driver 515.43.04+
open = false;
# Enable the Nvidia settings menu,
# accessible via `nvidia-settings`.
nvidiaSettings = true;
# Optionally, you may need to select the appropriate driver version for your specific GPU.
package = config.boot.kernelPackages.nvidiaPackages.stable;
};
}

96
systems/selinunte/hardware.nix
View File

@@ -1,96 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"thunderbolt"
"usb_storage"
"usbhid"
"sd_mod"
"ip_vs"
"ip_vs_rr"
"nf_conntrack"
];
initrd.kernelModules = [
"dm-snapshot"
"r8152"
];
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
kernelParams = [
"amdgpu.sg_display=0"
"amdgpu.graphics_sg=0"
"amdgpu.abmlevel=3"
];
};
fileSystems = {
"/" = lib.mkDefault {
device = "/dev/disk/by-uuid/f3c11d62-37f4-495e-b668-1ff49e0d3a47";
fsType = "ext4";
options = [
"noatime"
"nodiratime"
];
};
"/home" = {
device = "/dev/disk/by-uuid/720af942-464c-4c1e-be41-0438936264f0";
fsType = "ext4";
options = [
"noatime"
"nodiratime"
];
};
"/nix" = {
device = "/dev/disk/by-uuid/035f23f8-d895-4b0c-bcf5-45885a5dbbd9";
fsType = "ext4";
options = [
"noatime"
"nodiratime"
];
};
"/boot" = {
device = "/dev/disk/by-uuid/5AD7-6005";
fsType = "vfat";
options = [
"noatime"
"nodiratime"
];
};
};
swapDevices = [ { device = "/dev/disk/by-uuid/3ec276b5-9088-45b0-9cb4-60812f2d1a73"; } ];
boot.initrd.luks.devices = {
"nixos-pv" = {
device = "/dev/disk/by-uuid/12a7f660-bbcc-4066-81d0-e66005ee534a";
preLVM = true;
allowDiscards = true;
};
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

22
systems/selinunte/polkit.nix
View File

@@ -1,22 +0,0 @@
{ pkgs, ... }:
{
security.polkit.enable = true;
environment.systemPackages = with pkgs; [ polkit_gnome ];
systemd = {
user.services.polkit-gnome-authentication-agent-1 = {
description = "polkit-gnome-authentication-agent-1";
wantedBy = [ "graphical-session.target" ];
wants = [ "graphical-session.target" ];
after = [ "graphical-session.target" ];
serviceConfig = {
Type = "simple";
ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
Restart = "on-failure";
RestartSec = 1;
TimeoutStopSec = 10;
};
};
};
}

107
systems/selinunte/programs.nix
View File

@@ -1,107 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
act
alacritty
attic-client
amdgpu_top
bat
bitwarden-cli
bfg-repo-cleaner
btop
calibre
# calibre dedrm?
candy-icons
chromium
chromedriver
croc
deadnix
direnv
easyeffects
eza
fanficfare
ferium
fd
file
firefox
# gestures replacement
git
glances
gpu-viewer
grim
htop
hwloc
iperf3
# ipscan
jp2a
jq
kdePackages.kdenlive
kitty
kubectl
kubernetes-helm
libreoffice-fresh
libtool
lsof
lynis
masterpdfeditor4
minikube
mons
mpv
# nbt explorer?
ncdu
nemo-with-extensions
neovim
nix-init
nix-output-monitor
nix-prefetch
nix-tree
nixpkgs-fmt
nmap
obs-studio
obsidian
ocrmypdf
pciutils
#disabled until wxpython compat with python3.12
#playonlinux
prismlauncher
protonmail-bridge
protontricks
proxychains
qrencode
redshift
restic
ripgrep
rpi-imager
rofi
samba
signal-desktop
# signal in tray?
siji
simple-mtpfs
slurp
smartmontools
snyk
sops
spotify
spotify-player
#swaylock/waylock?
sweet-nova
telegram-desktop
terraform
tig
tokei
tree
unipicker
unzip
uutils-coreutils-noprefix
vesktop
vscode
watchman
wget
wl-clipboard
yq
yt-dlp
zoom-us
zoxide
];
}

20
systems/selinunte/steam.nix
View File

@@ -1,20 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = [ pkgs.steam-run ];
hardware.steam-hardware.enable = true;
programs = {
gamescope = {
enable = true;
capSysNice = true;
};
steam = {
enable = true;
remotePlay.openFirewall = true;
localNetworkGameTransfers.openFirewall = true;
extraCompatPackages = with pkgs; [ proton-ge-bin ];
gamescopeSession.enable = true;
extest.enable = true;
};
};
}

10
systems/selinunte/stylix.nix
View File

@@ -1,10 +0,0 @@
{ pkgs, ... }:
{
stylix = {
enable = true;
image = "${pkgs.hyprland}/share/hypr/wall2.png";
#image = "/home/alice/Pictures/Screenshots/screenshot_2024-12-04-2030.png";
polarity = "dark";
};
}

5
users/alice/default.nix
View File

@@ -14,10 +14,5 @@ import ../default.nix {
; ;
publicKeys = [ publicKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7oJjIYNRCRrUlhdGJgst6bzqubbKH0gjZYulQ1eVcZ alice@artemision" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7oJjIYNRCRrUlhdGJgst6bzqubbKH0gjZYulQ1eVcZ alice@artemision"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILWG3cIBju6vzX6s8JlmGNJOiWY7pQ19bHvcqDADtWzv snowi@DESKTOP-EVIR8IH"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEMfC0IXl9sGx+9FjuYZT2OUfffGjciJIHWqZdEU1d3n alice@parthenon-7588"
];
groups = [
"adbusers"
]; ];
} }

36
users/alice/home.nix
View File

@@ -7,17 +7,18 @@
}: }:
{ {
imports = [ imports =
./home/zsh.nix [
./home/git.nix ./home/zsh.nix
] ./home/git.nix
++ lib.optionals (!machineConfig.server) [ ]
./home/gammastep.nix ++ lib.optionals (!machineConfig.server) [
./home/doom ./home/gammastep.nix
./home/hypr ./home/doom
./home/waybar.nix ./home/hypr
./non-server.nix ./home/waybar.nix
]; ./non-server.nix
];
home = { home = {
# # Adds the 'hello' command to your environment. It prints a friendly # # Adds the 'hello' command to your environment. It prints a friendly
@@ -54,6 +55,7 @@
file file
sqlite sqlite
ncdu ncdu
neofetch
onefetch onefetch
hyfetch hyfetch
smartmontools smartmontools
@@ -66,6 +68,7 @@
cargo-update cargo-update
diesel-cli diesel-cli
tealdeer tealdeer
helix
ripunzip ripunzip
# nix specific packages # nix specific packages
@@ -73,7 +76,6 @@
nix-prefetch nix-prefetch
nix-tree nix-tree
nh nh
home-manager
# doom emacs dependencies # doom emacs dependencies
fd fd
@@ -85,7 +87,7 @@
# dependencies for nix-dotfiles/hydra-check-action # dependencies for nix-dotfiles/hydra-check-action
nodejs_20 nodejs_20
prettier nodePackages.prettier
treefmt treefmt
gocryptfs gocryptfs
@@ -146,9 +148,6 @@
}; };
}; };
}; };
fastfetch = {
enable = true;
};
}; };
services.ssh-agent.enable = true; services.ssh-agent.enable = true;
@@ -163,9 +162,8 @@
userDirs = { userDirs = {
enable = true; enable = true;
createDirectories = true; createDirectories = true;
setSessionVariables = true;
extraConfig = { extraConfig = {
SCREENSHOTS = "${config.xdg.userDirs.pictures}/Screenshots"; XDG_SCREENSHOTS_DIR = "${config.xdg.userDirs.pictures}/Screenshots";
}; };
}; };
}; };
@@ -178,7 +176,7 @@
nix.gc = { nix.gc = {
automatic = true; automatic = true;
dates = "weekly"; frequency = "weekly";
options = "--delete-older-than 30d"; options = "--delete-older-than 30d";
}; };

34
users/alice/home/git.nix
View File

@@ -6,33 +6,31 @@
lfs.enable = true; lfs.enable = true;
signing = { signing = {
key = "5EFFB75F7C9B74EAA5C4637547940175096C1330"; key = "5EFFB75F7C9B74EAA5C4637547940175096C1330";
format = "openpgp";
signByDefault = true; signByDefault = true;
}; };
settings = { userEmail = "aliceghuston@gmail.com";
userName = "ahuston-0";
aliases = {
gone = ''
!git for-each-ref --format '%(refname:short) %(upstream)' | # dump all older branches
awk 'NF < 2 {print $1}' | # get nuked branches
grep -Pv "(^origin/|^origin$|stash)" | # filter out remotes & stash
sed 's/\\x27/\\x5C\\x27/' | # remove single quotes, for xargs reasons
xargs -r git branch -D # nuke the branches
# !git fetch -p && git for-each-ref --format '%(refname:short) %(upstream:track)' | # dump all branches
# awk '$2 == "[gone]" {print $1}' | # get nuked branches
# sed 's/\\x27/\\x5C\\x27/' | # remove single quotes, for xargs reasons
# xargs -r git branch -D; # nuke the branches #
'';
};
extraConfig = {
push.autosetupremote = true; push.autosetupremote = true;
pull.rebase = true; pull.rebase = true;
color.ui = true; color.ui = true;
init.defaultBranch = "main"; init.defaultBranch = "main";
format.signoff = true; format.signoff = true;
format.commitMessage = "signed-off-by";
pack.windowMemory = "2g"; pack.windowMemory = "2g";
pack.packSizeLimit = "1g"; pack.packSizeLimit = "1g";
user.email = "aliceghuston@gmail.com";
user.name = "ahuston-0";
alias = {
gone = ''
!git for-each-ref --format '%(refname:short) %(upstream)' | # dump all older branches
awk 'NF < 2 {print $1}' | # get nuked branches
grep -Pv "(^origin/|^origin$|stash)" | # filter out remotes & stash
sed 's/\\x27/\\x5C\\x27/' | # remove single quotes, for xargs reasons
xargs -r git branch -D # nuke the branches
# !git fetch -p && git for-each-ref --format '%(refname:short) %(upstream:track)' | # dump all branches
# awk '$2 == "[gone]" {print $1}' | # get nuked branches
# sed 's/\\x27/\\x5C\\x27/' | # remove single quotes, for xargs reasons
# xargs -r git branch -D; # nuke the branches #
'';
};
}; };
}; };
} }

9
users/alice/home/hypr/hyprland.conf
View File

@@ -116,13 +116,13 @@ master {
} }
gestures { gestures {
# See https://wiki.hypr.land/Configuring/Gestures/ for more # See https://wiki.hyprland.org/Configuring/Variables/ for more
gesture = 3, horizontal, workspace workspace_swipe = off
} }
misc { misc {
# See https://wiki.hyprland.org/Configuring/Variables/ for more # See https://wiki.hyprland.org/Configuring/Variables/ for more
force_default_wallpaper = 1 # Set to 0 or 1 to disable the anime mascot wallpapers force_default_wallpaper = -1 # Set to 0 or 1 to disable the anime mascot wallpapers
} }
# Example per-device config # Example per-device config
@@ -137,7 +137,7 @@ device {
# Example windowrule v2 # Example windowrule v2
# windowrulev2 = float,class:^(kitty)$,title:^(kitty)$ # windowrulev2 = float,class:^(kitty)$,title:^(kitty)$
# See https://wiki.hyprland.org/Configuring/Window-Rules/ for more # See https://wiki.hyprland.org/Configuring/Window-Rules/ for more
windowrule = suppress_event maximize, match:class .* # You'll probably like this. windowrulev2 = suppressevent maximize, class:.* # You'll probably like this.
# See https://wiki.hyprland.org/Configuring/Keywords/ for more # See https://wiki.hyprland.org/Configuring/Keywords/ for more
@@ -149,7 +149,6 @@ bind = $mainMod, W, killactive,
#bind = $mainMod, W, exit, #bind = $mainMod, W, exit,
bind = $mainMod, E, exec, $fileManager bind = $mainMod, E, exec, $fileManager
bind = $mainMod, V, togglefloating, bind = $mainMod, V, togglefloating,
bind = $mainMod, F, fullscreen, toggle
bind = $mainMod, SPACE, exec, $menu bind = $mainMod, SPACE, exec, $menu
bind = $mainMod, O, pseudo, # dwindle bind = $mainMod, O, pseudo, # dwindle
bind = $mainMod, J, togglesplit, # dwindle bind = $mainMod, J, togglesplit, # dwindle

2
users/alice/home/waybar.json
View File

@@ -4,8 +4,8 @@
"layer": "top", "layer": "top",
"position": "top", "position": "top",
"output": [ "output": [
"eDP-1",
"eDP-2", "eDP-2",
"eDP-1",
"HDMI-0", "HDMI-0",
"DP-0" "DP-0"
], ],

7
users/alice/home/zsh.nix
View File

@@ -1,10 +1,9 @@
{ lib, config, ... }: { lib, ... }:
{ {
programs.zsh = { programs.zsh = {
enable = true; enable = true;
dotDir = "${config.xdg.configHome}/zsh";
oh-my-zsh = { oh-my-zsh = {
enable = true; enable = true;
plugins = [ plugins = [
@@ -73,7 +72,7 @@
"sgc" = "sudo git -C /root/dotfiles"; "sgc" = "sudo git -C /root/dotfiles";
## SSH ## SSH
"ssh-init" = "ssh-init" =
"ssh-add -t 2h ~/.ssh/id_rsa_tails ~/.ssh/id_ed25519_tails ~/.ssh/id_rsa_palatine ~/.ssh/id_ed25519_palatine ~/.ssh/id_ed25519_rota ~/.ssh/id_ed25519_gh ~/.ssh/id_ed25519"; "ssh-add -t 2h ~/.ssh/id_rsa_tails ~/.ssh/id_ed25519_tails ~/.ssh/id_rsa_palatine ~/.ssh/id_ed25519_palatine ~/.ssh/id_ed25519_rota ~/.ssh/id_ed25519_gh";
## Backups ## Backups
"borgmatic-backup-quick" = "borgmatic-backup-quick" =
@@ -119,8 +118,6 @@
"octave" = "prime-run octave --gui"; "octave" = "prime-run octave --gui";
"pc-firefox" = "proxychains firefox -P qbit -no-remote -P 127.0.0.1:9050"; "pc-firefox" = "proxychains firefox -P qbit -no-remote -P 127.0.0.1:9050";
"hx" = "helix"; "hx" = "helix";
"dungeondraft-arch" = "/opt/Dungeondraft/Dungeondraft.x86_64";
"wonderdraft-arch" = "/opt/wonderdraft/Wonderdraft.x86_64";
}; };
}; };
} }

241
users/alice/non-server.nix
View File

@@ -1,214 +1,10 @@
{ pkgs, ... }: { pkgs, outputs, ... }:
let
tex = pkgs.texlive.combine {
inherit (pkgs.texlive)
scheme-medium
preprint
titlesec
enumitem
sourcesanspro
xifthen
ifmtarg
framed
paralist
fontawesome7
;
};
in
{ {
programs = { programs.emacs = {
emacs = { enable = true;
enable = true; package = pkgs.emacs30-pgtk;
package = pkgs.emacs30-pgtk;
};
vesktop = {
enable = true;
settings = {
appBadge = false;
arRPC = true;
checkUpdates = false;
customTitleBar = false;
hardwareAcceleration = true;
};
vencord.useSystem = true;
vencord.settings = {
autoUpdate = false;
autoUpdateNotification = false;
notifyAboutUpdates = false;
plugins = {
AnonymiseFileNames.enabled = true;
BetterFolders.enabled = false;
BetterGifAltText.enabled = true;
CallTimer.enabled = true;
ClearURLs.enabled = true;
CopyFileContents.enabled = true;
CtrlEnterSend.enabled = true;
CustomIdle = {
enabled = true;
remainInIdle = false;
};
FriendsSince.enabled = true;
GameActivityToggle.enabled = true;
ImplicitRelationships.enabled = true;
MutualGroupDMs.enabled = true;
QuickMention.enabled = true;
QuickReply.enabled = true;
ReplaceGoogleSearch = {
enabled = true;
customEngineName = "DuckDuckGo";
};
ReviewDB.enabled = true;
ShowConnections.enabled = true;
};
};
};
zed-editor = {
enable = true;
mutableUserSettings = false;
extensions = [
"nix"
"toml"
"rust"
"java"
"kotlin"
"git firefly"
"make"
"dockerfile"
"sql"
"latex"
"terraform"
"log"
"context7-mcp-server"
"github-mcp-server"
];
userSettings = {
context_servers = {
nixos = {
command = "nix";
args = [
"run"
"github:utensils/mcp-nixos"
"--"
];
};
};
language_models = {
ollama = {
api_url = "http://192.168.76.2:11434";
context_window = 128000;
# global keep alive doesnt work
#keep_alive = "15m";
available_models = [
{
name = "deepseek-r1:1.5b";
max_tokens = 128000;
keep_alive = "15m";
}
{
name = "deepseek-r1:32b";
max_tokens = 128000;
keep_alive = "15m";
}
{
name = "deepseek-r1:70b";
max_tokens = 128000;
keep_alive = "15m";
}
{
name = "qwen3-coder-next";
max_tokens = 128000;
keep_alive = "15m";
}
{
name = "lennyerik/zeta";
max_tokens = 128000;
keep_alive = "15m";
}
{
name = "nomic-embed-text:latest";
max_tokens = 128000;
keep_alive = "15m";
}
{
name = "lfm2:24b";
max_tokens = 128000;
keep_alive = "15m";
}
{
name = "glm-4.7-flash";
max_tokens = 128000;
keep_alive = "15m";
}
{
name = "nemotron-cascade-2:30b";
max_tokens = 128000;
keep_alive = "15m";
}
{
name = "magistral";
max_tokens = 128000;
keep_alive = "15m";
}
];
};
};
colorize_brackets = true;
hard_tabs = false;
vim_mode = true;
minimap = {
show = "auto";
};
buffer_line_height = "comfortable";
auto_update = false;
autosave = "on_focus_change";
agent = {
default_model = {
provider = "ollama";
model = "glm-4.7-flash";
};
favorite_models = [ ];
model_parameters = [ ];
};
telemetry = {
diagnostics = false;
metrics = false;
};
journal = {
hour_format = "hour24";
};
edit_predictions = {
provider = "ollama";
ollama = {
#api_url = "http://192.168.76.2:11434/v1/completions";
api_url = "http://192.168.76.2:11434";
context_window = 128000;
model = "lennyerik/zeta";
prompt_format = "qwen";
max_requests = 64;
max_output_tokens = 256;
};
};
texlab = {
build = {
onSave = true;
forwardSearchAfter = true;
};
forwardSearch = {
executable = "zathura";
args = [
"--synctex-forward"
"%l:1:%f"
"-x"
"zed %%{input}:%%{line}"
"%p"
];
};
};
};
};
}; };
home.packages = with pkgs; [ home.packages = with pkgs; [
cmake cmake
shellcheck shellcheck
@@ -229,18 +25,16 @@ in
# nix tools # nix tools
nil nil
nixfmt nixfmt-rfc-style
nix-init nix-init
# markdown # markdown
markdownlint-cli nodePackages.markdownlint-cli
# insert essential rust dependencies
# doom emacs dependencies # doom emacs dependencies
yaml-language-server yaml-language-server
typescript-language-server nodePackages.typescript-language-server
bash-language-server nodePackages.bash-language-server
pyright pyright
cmake-language-server cmake-language-server
multimarkdown multimarkdown
@@ -249,19 +43,18 @@ in
rust-analyzer rust-analyzer
clang clang
clang-tools clang-tools
wakatime-cli wakatime
enchant enchant
nuspell nuspell
hunspellDicts.en-us hunspellDicts.en-us
languagetool languagetool
# latex # latex
tex texlive.combined.scheme-medium
poppler-utils
# dependencies for nix-dotfiles/hydra-check-action # dependencies for nix-dotfiles/hydra-check-action
nodejs_20 nodejs_20
prettier nodePackages.prettier
treefmt treefmt
nextcloud-client nextcloud-client
@@ -272,15 +65,5 @@ in
obsidian obsidian
libreoffice-qt-fresh libreoffice-qt-fresh
wlr-randr wlr-randr
# media tools
#deepin.deepin-music
# arch zed deps
nixd
uv
pdf4qt
masterpdfeditor4
]; ];
} }

9
users/default.nix
View File

@@ -4,7 +4,6 @@
pkgs, pkgs,
name, name,
publicKeys ? [ ], publicKeys ? [ ],
groups ? [ ],
defaultShell ? "zsh", defaultShell ? "zsh",
}: }:
@@ -15,21 +14,17 @@
hashedPasswordFile = config.sops.secrets."${name}/user-password".path or null; hashedPasswordFile = config.sops.secrets."${name}/user-password".path or null;
openssh.authorizedKeys.keys = publicKeys; openssh.authorizedKeys.keys = publicKeys;
extraGroups = [ extraGroups = [
"users"
"wheel" "wheel"
"media" "media"
(lib.mkIf config.networking.networkmanager.enable "networkmanager") (lib.mkIf config.networking.networkmanager.enable "networkmanager")
(lib.mkIf config.programs.adb.enable "adbusers")
(lib.mkIf config.programs.wireshark.enable "wireshark") (lib.mkIf config.programs.wireshark.enable "wireshark")
(lib.mkIf config.virtualisation.docker.enable "docker") (lib.mkIf config.virtualisation.docker.enable "docker")
(lib.mkIf (with config.services.locate; (enable && package == pkgs.plocate)) "plocate") (lib.mkIf (with config.services.locate; (enable && package == pkgs.plocate)) "plocate")
(lib.mkIf config.networking.wireless.enable "wpa_supplicant")
"libvirtd" "libvirtd"
"dialout" "dialout"
"plugdev" "plugdev"
"uaccess" "uaccess"
"ydotool" "ydotool"
"video" ];
"render"
]
++ groups;
} }

17
users/sam/default.nix Normal file
View File

@@ -0,0 +1,17 @@
{
pkgs,
lib,
config,
name,
...
}:
import ../default.nix {
inherit
pkgs
lib
config
name
;
publicKeys = [
];
}

157
users/sam/home.nix Normal file
View File

@@ -0,0 +1,157 @@
{
config,
pkgs,
lib,
machineConfig,
...
}:
{
imports =
[
./home/zsh.nix
./home/git.nix
]
++ lib.optionals (!machineConfig.server) [
./home/gammastep.nix
./non-server.nix
];
home = {
# # Adds the 'hello' command to your environment. It prints a friendly
# # "Hello, world!" when run.
# pkgs.hello
# # It is sometimes useful to fine-tune packages, for example, by applying
# # overrides. You can do that directly here, just don't forget the
# # parentheses. Maybe you want to install Nerd Fonts with a limited number of
# # fonts?
# (pkgs.nerdfonts.override { fonts = [ "FantasqueSansMono" ]; })
# # You can also create simple shell scripts directly inside your
# # configuration. For example, this adds a command 'my-hello' to your
# # environment:
# (pkgs.writeShellScriptBin "my-hello" ''
# echo "Hello, ${config.home.username}!"
# '')
username = "sam";
homeDirectory = "/home/sam";
packages = with pkgs; [
python3
# useful tools
file
ncdu
neofetch
onefetch
hyfetch
smartmontools
wget
glances
onefetch
# Rust packages
bat
cargo-update
tealdeer
# nix specific packages
nix-output-monitor
nix-prefetch
nix-tree
nh
# audit
lynis
gocryptfs
];
};
programs = {
starship.enable = true;
fzf = {
enable = true;
enableZshIntegration = true;
};
direnv = {
enable = true;
enableZshIntegration = true;
nix-direnv.enable = true;
};
eza = {
enable = true;
icons = "auto";
git = true;
};
neovim = {
enable = true;
defaultEditor = true;
vimAlias = true;
vimdiffAlias = true;
extraConfig = ''
set bg=dark
set tabstop=2
set shiftwidth=2
set expandtab
set smartindent
'';
};
nix-index = {
enable = true;
enableZshIntegration = true;
};
tmux.enable = true;
topgrade = {
enable = true;
settings = {
misc = {
disable = [
"system"
"nix"
"shell"
"poetry"
];
};
};
};
};
services.ssh-agent.enable = true;
# TODO: add environment bs
home.sessionVariables = {
EDITOR = "nvim";
};
xdg = {
enable = true;
userDirs = {
enable = true;
createDirectories = true;
extraConfig = {
XDG_SCREENSHOTS_DIR = "${config.xdg.userDirs.pictures}/Screenshots";
};
};
};
sops = lib.mkIf (!machineConfig.server) {
age.sshKeyPaths = [ "/home/sam/.ssh/id_ed25519_sops" ];
defaultSopsFile = ./secrets.yaml;
};
nix.gc = {
automatic = true;
frequency = "weekly";
options = "--delete-older-than 30d";
};
home.stateVersion = "25.11";
}

20
users/sam/home/gammastep.nix Normal file
View File

@@ -0,0 +1,20 @@
{ ... }:
{
services.gammastep = {
enable = true;
provider = "manual";
latitude = 40.73;
longitude = -73.93;
temperature.day = 5700;
temperature.night = 3500;
settings = {
general = {
fade = 1;
elevation-high = 3;
elevation-low = -6;
brightness-day = 1.0;
brightness-low = 0.8;
};
};
};
}

36
users/sam/home/git.nix Normal file
View File

@@ -0,0 +1,36 @@
{ ... }:
{
programs.git = {
enable = true;
lfs.enable = true;
signing = {
key = "5EFFB75F7C9B74EAA5C4637547940175096C1330";
signByDefault = true;
};
userEmail = "aliceghuston@gmail.com";
userName = "ahuston-0";
aliases = {
gone = ''
!git for-each-ref --format '%(refname:short) %(upstream)' | # dump all older branches
awk 'NF < 2 {print $1}' | # get nuked branches
grep -Pv "(^origin/|^origin$|stash)" | # filter out remotes & stash
sed 's/\\x27/\\x5C\\x27/' | # remove single quotes, for xargs reasons
xargs -r git branch -D # nuke the branches
# !git fetch -p && git for-each-ref --format '%(refname:short) %(upstream:track)' | # dump all branches
# awk '$2 == "[gone]" {print $1}' | # get nuked branches
# sed 's/\\x27/\\x5C\\x27/' | # remove single quotes, for xargs reasons
# xargs -r git branch -D; # nuke the branches #
'';
};
extraConfig = {
push.autosetupremote = true;
pull.rebase = true;
color.ui = true;
init.defaultBranch = "main";
format.signoff = true;
pack.windowMemory = "2g";
pack.packSizeLimit = "1g";
};
};
}

123
users/sam/home/zsh.nix Normal file
View File

@@ -0,0 +1,123 @@
{ lib, ... }:
{
programs.zsh = {
enable = true;
oh-my-zsh = {
enable = true;
plugins = [
"git"
"docker"
"docker-compose"
"colored-man-pages"
"helm"
"kubectl"
"minikube"
"rust"
"skaffold"
"systemd"
"tmux"
"ufw"
"z"
];
};
/*
To specify the order, use lib.mkOrder.
Common order values:
500 (mkBefore): Early initialization (replaces initExtraFirst)
550: Before completion initialization (replaces initExtraBeforeCompInit)
1000 (default): General configuration (replaces initExtra)
1500 (mkAfter): Last to run configuration
To specify both content in Early initialization and General configuration, use lib.mkMerge.
e.g.
initContent = let zshConfigEarlyInit = lib.mkOrder 500 do something; zshConfig = lib.mkOrder 1000 do something; in lib.mkMerge [ zshConfigEarlyInit zshConfig ];
*/
initContent = lib.mkOrder 1000 ''
# functions
function mount-data {
if [[ -f /home/alice/backup/.noconnection ]]; then
sshfs -p 10934 lily@192.168.1.154:/mnt/backup/data/ ~/backup -C
else
echo "Connection to backup server already open."
fi
}
function mount-backup {
if [[ -f /home/alice/backup/.noconnection ]]; then
sudo borgmatic mount --options allow_other,nonempty --archive latest --mount-point ~/backup -c /etc/borgmatic/config_checkless.yaml
else
echo "Connection to backup server already open."
fi
}
function mount-ubuntu {
if [[ -f /home/alice/backup/.noconnection ]]; then
sshfs lily@192.168.76.101:/mnt/backup/ubuntu.old/ ~/backup -C
else
echo "Connection to backup server already open."
fi
}
'';
shellAliases = {
"sgc" = "sudo git -C /root/dotfiles";
## SSH
"ssh-init" =
"ssh-add -t 2h ~/.ssh/id_rsa_tails ~/.ssh/id_ed25519_tails ~/.ssh/id_rsa_palatine ~/.ssh/id_ed25519_palatine ~/.ssh/id_ed25519_rota ~/.ssh/id_ed25519_gh";
## Backups
"borgmatic-backup-quick" =
"sudo borgmatic --log-file-verbosity 2 -v1 --progress --log-file=/var/log/borgmatic.log -c /etc/borgmatic/config_checkless.yaml";
"borgmatic-backup-full" =
"sudo borgmatic --log-file-verbosity 2 -v1 --log-file=/var/log/borgmatic.log -c /etc/borgmatic/config_full_arch.yaml";
"umount-backup" =
"sudo borgmatic umount --mount-point /home/alice/backup -c /etc/borgmatic/config_checkless.yaml";
"restic-backup" = "/home/alice/Scripts/restic/backup.sh";
## VPN
"pfSense-vpn" = "sudo openvpn --config /etc/openvpn/client/pfSense-TCP4-1194-alice-config.ovpn";
"pfSense-vpn-all" = "sudo openvpn --config /etc/openvpn/client/pfSense-TCP4-1195-alice-config.ovpn";
## Utilities
"lrt" = "eza --icons -lsnew";
"lynis-grep" = ''sudo lynis audit system 2&>1 | grep -v "egrep"'';
"egrep" = "grep -E";
"htgp" = "history | grep";
"gen_walpaper" = "wal -i '/home/alice/Pictures/Wallpapers/1440pdump'";
"vlgdf" = "valgrind --leak-check=full --show-leak-kinds=all --track-origins=yes";
"libreoffice-writer" = "libreoffice --writer";
"libreoffice-calc" = "libreoffice --calc";
"notes" = "code /home/alice/Scripts/Notes/dendron.code-workspace";
"ua-drop-caches" = "sudo paccache -rk3; yay -Sc --aur --noconfirm";
"ua-update-all" = ''
(export TMPFILE="$(mktemp)"; \
sudo true; \
rate-mirrors --save=$TMPFILE --protocol https\
--country-test-mirrors-per-country 10 arch --max-delay=21600 \
&& sudo mv /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist-backup \
&& sudo mv $TMPFILE /etc/pacman.d/mirrorlist \
&& ua-drop-caches \
&& yay -Syyu)
'';
# applications (rofi entries)
"ARMEclipse" = "nohup /opt/DS-5_CE/bin/eclipse &";
"Wizard101-old" = "prime-run playonlinux --run Wizard\\ 101";
"Wizard101" =
"prime-run ~/.wine/drive_c/ProgramData/KingsIsle Entertainment/Wizard101/Wizard101.exe";
"Pirate101" = "prime-run playonlinux --run Pirate\\ 101";
"octave" = "prime-run octave --gui";
"pc-firefox" = "proxychains firefox -P qbit -no-remote -P 127.0.0.1:9050";
"hx" = "helix";
};
};
}

33
users/sam/non-server.nix Normal file
View File

@@ -0,0 +1,33 @@
{ pkgs, outputs, ... }:
{
home.packages = with pkgs; [
shellcheck
# nix tools
nil
nixfmt-rfc-style
nix-init
# markdown
nodePackages.markdownlint-cli
# language depedencies
enchant
nuspell
hunspellDicts.en-us
languagetool
# latex
texlive.combined.scheme-medium
nextcloud-client
bitwarden-cli
bitwarden-menu
wtype
zathura
obsidian
libreoffice-qt-fresh
wlr-randr
];
}

0
systems/selinunte/secrets.yaml → users/sam/secrets.yaml
View File

2
utils/eval-to-drv.sh
View File

@@ -16,4 +16,4 @@ script_path=$(dirname "$(readlink -f $0)")
parent_path=$(dirname "$script_path") parent_path=$(dirname "$script_path")
out_path="$parent_path/$1.json" out_path="$parent_path/$1.json"
nix run git+https://nayeonie.com/ahuston-0/flake-update-diff --fallback -- --evaluate --allow-import-from-derivation --json "$out_path" "$parent_path" nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --evaluate --allow-import-from-derivation --json "$out_path" "$parent_path"