
c05d782180 add basic unpackerr config
Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
2024-08-15 10:15:29 -04:00
226 changed files with 4242 additions and 7637 deletions


@@ -1,32 +0,0 @@
# This is an example configuration file
# To learn more, see the full config.yaml reference: https://docs.continue.dev/reference
name: ollama
version: 1.0.0
schema: v1
# Define which models can be used
# https://docs.continue.dev/customization/models
models:
- name: StarCoder2 Local
provider: ollama
model: starcoder2:7b
modelTimeout: "5s"
roles:
- autocomplete
autocompleteOptions:
useCache: true
useImports: true
useRecentlyEdited: true
- name: Nomic Embed Local
provider: ollama
model: nomic-embed-text:latest
roles:
- embed
- name: Autodetect
provider: ollama
model: AUTODETECT
defaultCompletionOptions:
contextLength: 64000
# MCP Servers that Continue can access
# https://docs.continue.dev/customization/mcp-tools
mcpServers:
- uses: anthropic/memory-mcp


@@ -1,11 +1,6 @@
# run `grep -Pv "^#" .gitconfig >> .git/config` to append the merge config to your repo file :) # run `grep -Pv "^#" .gitconfig >> .git/config` to append the merge config to your repo file :)
# run `git mergetool --tool=sops-mergetool <path to secret>/secrets.yaml` to use this once configured # run `git mergetool --tool=sops-mergetool <path to secret>/secrets.yaml` to use this once configured
# if for whatever reason the below doesn't work, try modifying the mergetool command as below
# find: $(git rev-parse --show-toplevel)/utils/sops-mergetool.sh
# replace: ./utils/sops-mergetool.sh
[mergetool "sops-mergetool"] [mergetool "sops-mergetool"]
cmd = bash -c "$(git rev-parse --show-toplevel)/utils/sops-mergetool.sh \"\$BASE\" \"\$LOCAL\" \"\$REMOTE\" \"\$MERGED\"" cmd = bash -c "$(git --exec-path)/sops-mergetool.sh \"$BASE\" \"$LOCAL\" \"$REMOTE\" \"$MERGED\""
[merge] [merge]
tool = nvimdiff tool = nvimdiff3
[mergetool "nvimdiff"]
layout = MERGED
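Review bot: In the `cmd` line of the `[mergetool "sops-mergetool"]` section (second copy of the changed line, the new side if this page prints old before new), git strips the unescaped double quotes around the `bash -c` argument when it parses the value, so the shell that evaluates the command hands bash only `<exec-path>/sops-mergetool.sh` as its command string and the four quoted paths become bash's own positional parameters rather than the script's arguments; the script would then only see BASE/LOCAL/REMOTE/MERGED if git exports them into its environment, which I have not verified here. Dropping the wrapper and escaping every quote passes the arguments through intact: `cmd = \"$(git --exec-path)/sops-mergetool.sh\" \"$BASE\" \"$LOCAL\" \"$REMOTE\" \"$MERGED\"`. Keeping each path double-quoted matters because the value is shell-evaluated and the temp-file names derive from the conflicting file's path, so an unquoted expansion would be word-split or reinterpreted by the shell. The removed `\$BASE` spelling was an invalid git-config escape, so the new line at least parses; the argument-passing point still applies.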


@@ -1,125 +0,0 @@
---
description: |
Use when auditing NixOS flake inputs or installed modules for known CVEs,
checking pinned revisions against security advisories, scanning repo code for
vulnerabilities, or running IaC/SCA audits on the nix-dotfiles repo. Use this
agent whenever flake.lock is updated or a new input/module is added.
tools: [read, 'io.snyk/mcp/*', search, web, 'nixos/*']
---
# Dependency Security Auditor
You are a dependency security auditor for this NixOS flake repository. Your job
is to identify known CVEs, security advisories, and vulnerable package versions
across flake inputs, NixOS modules, and repo code — without interacting with any
hosted infrastructure or live services.
## Scope
- Read `flake.lock` to enumerate all pinned inputs.
- Read `flake.nix` and system/module configs to identify which NixOS packages
and services are in active use.
- Use the nixos MCP and Snyk MCP to cross-reference versions against known
vulnerabilities.
- Use the web tool only to look up public CVE/advisory databases (NVD, GitHub
Security Advisories, NixOS security tracker). Do NOT connect to any hosted
service in this infrastructure.
## Constraints
- DO NOT edit, create, or delete any files.
- DO NOT run terminal commands.
- DO NOT connect to or probe any live service (Gitea, Mattermost, Nextcloud,
HAProxy, etc.).
- DO NOT authenticate to Snyk on behalf of the user without confirming first
— call `snyk_auth_status` and report back if auth is missing.
- ONLY report findings grounded in real CVE/advisory data with a reference URL
or ID.
## Audit Steps
Work through these steps in order. Show a summary of what you checked at the end
of each step.
### Step 1: Enumerate Flake Inputs
Read `flake.lock` and extract for each node:
- Owner, repo, rev (commit hash), lastModified date
- Whether it is a `github`, `git`, or `tarball` type
Flag any inputs that:
- Have not been updated in > 180 days (stale pinning risk)
- Use a mutable `ref` without a fixed `rev` (reproducibility risk)
- Are fetched over plain HTTP (not HTTPS)
### Step 2: Look Up Active Package Versions via nixos MCP
For the pinned nixpkgs revision, use the nixos MCP (`nixos_search`,
`nixos_info`) to:
- Look up key security-sensitive packages in use across palatine-hill:
`mattermost`, `gitea`, `nextcloud`, `postgresql`, `hydra`, `attic`,
`ollama`, `loki`, `minio`, `haproxy`, `samba`.
- Note the package version returned.
- Search for any known vulnerabilities associated with that version using the
nixos MCP and the web tool (NVD: `https://nvd.nist.gov/vuln/search`, GitHub
advisory DB: `https://github.com/advisories`).
### Step 3: Run Snyk Code Scan
Before running, call `snyk_auth_status` to confirm authentication. If
unauthenticated, report that and skip this step.
Run `snyk_code_scan` on the absolute repo path
(`/home/alice/.gitprojects/nix-dotfiles`) with `severity_threshold: medium`.
Report all findings with:
- Rule ID and CWE
- Affected file and line
- Severity
- Suggested fix
### Step 4: Run Snyk IaC Scan
Run `snyk_iac_scan` on the absolute repo path
(`/home/alice/.gitprojects/nix-dotfiles`) with `severity_threshold: medium`.
While Snyk IaC does not natively parse Nix, it will catch any Kubernetes, Docker
Compose, or YAML configs present in `systems/palatine-hill/docker/` and similar
paths.
Report all findings with:
- Issue title and severity
- Affected file and line
- Impact description
- Suggested fix
### Step 5: Cross-Check NixOS Security Tracker
Use the web tool to check `https://github.com/NixOS/nixpkgs/issues?q=CVE` and
`https://discourse.nixos.org/c/security` for any open CVEs affecting:
- The pinned nixpkgs revision (from `flake.lock`)
- Any of the key packages identified in Step 2
### Step 6: Summarise
Produce a final report with:
1. **Critical / High CVEs** — packages with active, unpatched CVEs in the
pinned revision
2. **Stale Inputs** — inputs not updated in > 180 days
3. **Snyk Code Findings** — medium+ severity SAST issues
4. **Snyk IaC Findings** — medium+ severity misconfigurations in non-Nix config
files
5. **Clean** — categories with no findings (list explicitly so the report is
complete)
Each finding must include:
- Severity
- CVE ID or Snyk rule ID (with reference URL)
- Affected package/file/input
- Recommended action (upgrade nixpkgs pin, patch config, etc.)


@@ -1,140 +0,0 @@
---
description: |
Use when auditing NixOS server configurations for security issues, checking
for secrets in the Nix store, exposed ports, weak authentication, missing
service hardening, overly permissive firewall rules, SSH misconfiguration,
Docker socket exposure, or SOPS secrets mishandling. Read-only. Does NOT
interact with any live infrastructure or hosted resources.
tools: [read, search, 'nixos/*']
---
# Security Researcher
You are a security researcher auditing this NixOS flake repository for potential
vulnerabilities and misconfigurations. Your job is to read the configuration
as-written and identify security issues an attacker or misconfiguration could
exploit.
## Scope
- Inspect server systems only (`server = true`; currently **palatine-hill**).
- Work entirely from repository source files. DO NOT interact with any live
system, hosted service, URL, or external resource.
- Use the nixos MCP tool to look up option defaults and known behaviours — not
to reach external hosts.
## Constraints
- DO NOT edit, create, or delete any files.
- DO NOT run terminal commands.
- DO NOT fetch URLs or browse the web.
- DO NOT attempt to connect to, probe, or fingerprint any live service.
- ONLY report issues that are grounded in the actual content of the repository
files.
## Audit Checklist
Work through these categories in order. For each, read the relevant files before
reporting.
### 1. Secrets in the Nix Store
- Are any passwords, tokens, or API keys hardcoded in `.nix` files (not behind
SOPS)?
- Are `password = "..."` fields used in NixOS module options that end up
world-readable in `/nix/store`?
- Check service DB password fields, `initialScript`, environment variables, and
`settings` blocks.
- Use the nixos MCP tool to confirm whether a given option value lands in the
store.
### 2. SOPS Secrets Hygiene
- Do `sops.secrets` entries have the correct `owner` set to the service user
(not `root` unless necessary)?
- Is `defaultSopsFile` scoped correctly, or could one system's secrets bleed
into another?
- Are any secrets referenced in config that are not declared in `sops.secrets`?
### 3. Firewall and Attack Surface
- Which TCP/UDP ports are exposed in `firewall.nix`? Are all of them
intentional and documented?
- Are `trustedInterfaces` entries broader than necessary (e.g., `br+` covering
all bridge interfaces)?
- Does `extraCommands` insert raw iptables rules that bypass the NixOS firewall
abstraction in a dangerous way?
- Are any high-risk ports (22, 80, 443, 5432, 6379, 27017) exposed directly?
### 4. SSH Configuration
- What port is SSH running on? Is password authentication disabled?
- Are `PermitRootLogin`, `PasswordAuthentication`, and `PubkeyAuthentication`
set explicitly?
- Check `modules/openssh.nix` and any system-level overrides.
### 5. PostgreSQL Authentication
- Does `authentication` (pg_hba) use `trust` for any user or database?
- Are `scram-sha-256` or `peer` used consistently rather than `md5` or
`password`?
- Does any service connect over TCP with a plaintext password that ends up in
the Nix store?
- Are `ensureUsers` entries scoped correctly (no unnecessary `superuser` or
`createdb` grants)?
### 6. Service Isolation and Hardening
- Do systemd services set `DynamicUser`, `PrivateTmp`, `NoNewPrivileges`,
`ProtectSystem`, or similar hardening options where applicable?
- Check custom `systemd.services` blocks for missing or weak sandboxing.
- Are services running as root that should run as a dedicated user?
### 7. Docker and Container Security
- Is the Docker socket (`/var/run/docker.sock`) mounted into any container? If
so, flag it as a privilege escalation vector.
- Are any containers run with `--privileged` or `network_mode: host`?
- Are Docker compose files in the repo using hardcoded secrets or environment
variables that land in the store?
### 8. Web-Facing Services
- Do reverse-proxied services (Gitea, Mattermost, Nextcloud, etc.) set
`siteUrl`/`ROOT_URL` to HTTPS?
- Is there any service that could be accessed over plain HTTP internally?
- Are ACME/TLS certs scoped correctly and not shared across unrelated services?
### 9. Module Defaults That Are Security-Sensitive
- For each enabled service, use the nixos MCP tool to check if the default
values for security-relevant options (e.g., `database.password`,
`openFirewall`, `enableAdminCreateUser`) are safe, and confirm whether
defaults are overridden in the repo.
### 10. Broad Permission Grants
- Are any users granted `wheel`, `docker`, or other privileged groups without
clear justification?
- Does any non-human service account have `superuser`, `replication`, or
`createrole` PostgreSQL clauses?
## Output Format
Report findings as a numbered list grouped by severity:
- **Critical** — direct path to credentials exposure, RCE, or privilege
escalation
- **High** — exploitable misconfiguration or data exposure under realistic
conditions
- **Medium** — weak default, unnecessary privilege, or defence-in-depth gap
- **Low / Info** — hardening improvement or minor noise
Each finding must include:
- Severity label
- Exact file path and line (as a markdown link)
- One-sentence explanation of the risk
- Concrete suggested remediation
If a category is clean, state that explicitly so the report is complete.


@@ -1,81 +0,0 @@
---
description: |
Use when reviewing server infrastructure, auditing NixOS server
configurations, planning how new services or modules integrate into
palatine-hill, checking for missing imports, DB/user alignment, firewall
gaps, module argument signatures, or reverse proxy routing. DO NOT use for
making changes or for desktop/workstation systems.
tools: [read, search, 'nixos/*']
---
# Infrastructure Architect
You are an infrastructure architect for this NixOS flake repository. Your job is
to review the existing server architecture and analyse how proposed or recently
added changes integrate with it.
## Scope
You only inspect **server** machines. In this repository that means systems where
`server = true` in their `default.nix` — currently **palatine-hill**. Do NOT
inspect or opine on desktop systems such as `artemision` or `selinunte` unless
explicitly asked.
## Constraints
- DO NOT edit, create, or delete any files.
- DO NOT run terminal commands.
- DO NOT make assumptions — read the actual files.
- ONLY report concrete, actionable findings with exact file and line references.
## Approach
When asked to review a change or audit the server state, work through these
checkpoints in order:
1. **Module registration** — Is the new `.nix` file imported in
`systems/<host>/configuration.nix`? Check the `imports` list.
2. **Module argument signature** — Does every module accept `{ ..., ... }:` to
absorb `specialArgs` (`system`, `server`, `inputs`, `outputs`)? A missing
`...` causes "unexpected argument" eval errors.
3. **Service dependencies** — Does the new service depend on another (e.g.
PostgreSQL, Redis, S3/Minio)? If so:
- Is the dependency service enabled and imported on this host?
- Are the required DB names and users present in `ensureDatabases` /
`ensureUsers`?
- Is the user name in `ensureUsers` consistent with what the service module
defaults to? (Use the nixos MCP tool to check default values.)
- Are authentication rules (`pg_hba`, `authentication` block) present for
the new user?
4. **Secrets alignment** — If the service uses SOPS secrets, are they declared
in `sops.secrets` with the correct `owner`? Does the secrets key exist in
`secrets.yaml`?
5. **Firewall exposure** — Is the service port opened in `firewall.nix`? If
traffic is reverse-proxied (e.g. via external HAProxy), no direct port
exposure in NixOS firewall is needed — confirm which model applies.
6. **Reverse proxy / TLS** — Is a proxy rule (HAProxy, nginx, Caddy) defined
for the new vhost? If the proxy is managed externally, note that explicitly.
Check that `siteUrl` / `ROOT_URL` / equivalent matches the actual domain.
7. **Upgrade / backup plumbing** — If the service has stateful data, is it
listed in `postgresql.upgrade.stopServices`? Is it covered by
`postgresqlBackup`?
8. **Module provisioning conflicts** — Does the NixOS module have a
`create`/`createLocally` option that auto-provisions a DB/user? If manual
provisioning also exists, flag potential ownership drift.
## Output Format
Report findings as a numbered list grouped by severity:
- **High** — will cause a build failure, service crash, or security issue
- **Medium** — will cause silent misconfiguration or future breakage
- **Low / Info** — style, redundancy, or optional improvements
Each finding must include:
- The severity label
- The exact file path and line (as a markdown link)
- A one-sentence explanation of the problem
- A concrete suggested fix
If everything checks out, say so explicitly and summarise what you verified.


@@ -1,698 +0,0 @@
# Nix Dotfiles Repository Guide
This repository contains NixOS configurations for personal infrastructure. The setup is organized around a flake-based structure with per-system configurations and user-specific settings.
## Project Structure
- `flake.nix` - Main flake definition with inputs and outputs
- `systems/` - Per-system configurations (e.g., `artemision`, `palatine-hill`)
- `users/` - Per-user configurations using home-manager
- `modules/` - Reusable Nix modules for common services
- `lib/` - Custom Nix library functions
- `hydra/` - Hydra CI/CD configuration
- `secrets/` - SOPS encrypted secrets
## Key Concepts
### System Configuration
Each system has its own directory under `systems/` containing:
- `configuration.nix` - Main system configuration
- Component modules (audio.nix, desktop.nix, etc.)
- Hardware-specific configurations
### User Configuration
User configurations are in `users/<username>/`:
- `home.nix` - Home-manager configuration using `home.packages` and imports
- `secrets.yaml` - SOPS-encrypted secrets using age encryption
- `non-server.nix` - Desktop-specific configurations
### Nix Patterns
1. **Module-based approach**: Uses Nix modules for organizing configuration
1. **Home-manager integration**: User environment managed via home-manager
1. **SOPS secrets**: Secrets managed with SOPS and age encryption
1. **Flake-based**: Uses flakes for reproducible builds and development environments
1. **Multi-system support**: Supports multiple machines with different configurations
1. **Dynamic configuration generation**: Modules in the `modules/` directory are automatically imported into all systems (can be overridden per system). New systems are automatically discovered by `genSystems()`
### Modern Nix Features
This repository uses modern Nix features including:
- **Flakes**: Enabled via `flake` experimental feature
- **Nix Command**: Enabled via `nix-command` experimental feature
- **Blake3 Hashes**: Enabled via `blake3-hashes` experimental feature
- **Git Hashing**: Enabled via `git-hashing` experimental feature
- **Verified Fetches**: Enabled via `verified-fetches` experimental feature
### Key Commands
- `nh os switch` - Apply system configuration (using nix-community/nh)
- `nh home switch` - Apply user configuration (using nix-community/nh)
- `nh os build` - Build a specific system (using nix-community/nh)
- `nix build .#<system>` - Build a specific system
- `nix run .#<system>` - Run a specific system
- `nix flake update` - Update flake inputs
### Development Workflow
1. Make changes to system or user configuration
1. Test with `nh os switch` or `nh home switch`
1. For CI/CD, Hydra automatically builds and tests changes
1. Secrets are managed with SOPS and age keys
### Important Files
- `flake.nix` - Main entry point for the flake
- `systems/artemision/configuration.nix` - Example system configuration
- `users/alice/home.nix` - Example user configuration
- `modules/base.nix` - Base module with common settings
- `hydra/jobsets.nix` - Hydra CI configuration
### External Dependencies
- NixOS unstable channel
- Nixpkgs unstable channel
- SOPS for secrets management
- age for encryption
- home-manager for user environments
- nh (nix-community/nh) for simplified Nix operations
### Nix MCP Server
- Use the nix MCP server for looking up package names and options
- Specify `unstable` channel if the channel is specifiable (e.g., for `pkgs.<package-name>`)
## Dynamic Configuration System (lib/systems.nix)
This repository automatically generates NixOS system configurations based on the folder structure. Understanding how `constructSystem` and `genSystems` work is essential when adding new systems or global modules.
### How Configuration Generation Works
The process happens in three stages:
**Stage 1: Discovery** (`flake.nix``genSystems`)
- `flake.nix` calls `genSystems inputs outputs src (src + "/systems")`
- `genSystems` scans the `systems/` directory and lists all subdirectories
- Each subdirectory name becomes a system hostname (e.g., `artemision`, `palatine-hill`)
**Stage 2: Parameter Loading** (`genSystems` reads `default.nix`)
- For each discovered system, `genSystems` imports `systems/<hostname>/default.nix`
- This file exports parameters for `constructSystem` like:
- `users = [ "alice" ]` — which users to create
- `home = true` — enable home-manager
- `sops = true` — enable secret decryption
- `server = true/false` — machine role
- `modules = [ ... ]` — additional system-specific modules
**Stage 3: Assembly** (`constructSystem` assembles the full config)
- Loads essential system files: `hardware.nix`, `configuration.nix`
- Auto-imports all `.nix` files from `modules/` directory via `lib.adev.fileList`
- Conditionally loads home-manager, SOPS, and user configs based on parameters
- Merges everything into a complete NixOS system configuration
### Key Functions in lib/systems.nix
| Function | Purpose | Called By |
|----------|---------|-----------|
| `genSystems` | Scans `systems/` directory and creates configs for each subdirectory | `flake.nix` |
| `constructSystem` | Assembles a single NixOS system with all modules and configs | `genSystems` |
| `genHome` | Imports home-manager configs for specified users | `constructSystem` |
| `genSops` | Imports SOPS-encrypted secrets for users | `constructSystem` |
| `genUsers` | Imports user account configs from `users/<username>/` | `constructSystem` |
| `genHostName` | Creates hostname attribute set | `constructSystem` |
| `genWrapper` | Conditionally applies generator functions | `constructSystem` |
### Special Arguments Passed to All Configs
These are available in `configuration.nix`, `hardware.nix`, and all modules:
```nix
{ config, pkgs, lib, inputs, outputs, server, system, ... }:
```
- `config` — NixOS configuration options
- `pkgs` — Nix packages (nixpkgs)
- `lib` — Nix library functions (extended with `lib.adev`)
- `inputs` — Flake inputs (nixpkgs, home-manager, sops-nix, etc.)
- `outputs` — Flake outputs (for Hydra and other tools)
- `server` — Boolean: true for servers, false for desktops
- `system` — System architecture string (e.g., `"x86_64-linux"`)
## Adding a New NixOS System
### Step 1: Create the Directory Structure
```bash
mkdir -p systems/<new-hostname>
cd systems/<new-hostname>
```
### Step 2: Create `default.nix` (System Parameters)
This file is automatically discovered and loaded by `genSystems`. It exports the parameters passed to `constructSystem`.
**Minimal example:**
```nix
{ inputs }:
{
# Required: List of users to create (must have entries in users/ directory)
users = [ "alice" ];
# Optional: Enable home-manager (default: true)
home = true;
# Optional: Enable SOPS secrets (default: true)
sops = true;
# Optional: Is this a server? Used to conditionally enable server features
server = false;
# Optional: System architecture (default: "x86_64-linux")
system = "x86_64-linux";
# Optional: System-specific modules (in addition to global modules/)
modules = [
# ./custom-service.nix
];
}
```
**See `systems/palatine-hill/default.nix` for a complex example with all options.**
### Step 3: Create `hardware.nix` (Hardware Configuration)
Generate this via:
```bash
sudo nixos-generate-config --show-hardware-config > systems/<new-hostname>/hardware.nix
```
This file typically includes:
- Boot configuration and bootloader
- Filesystem mounts and ZFS/LVM settings
- Hardware support (CPU, GPU, network drivers)
- Device-specific kernel modules
### Step 4: Create `configuration.nix` (System Configuration)
This is the main NixOS configuration file. Structure:
```nix
{ config, pkgs, lib, inputs, server, system, ... }:
{
# System hostname (usually matches directory name)
networking.hostName = "new-hostname";
# Desktop/desktop specific config
services.xserver.enable = !server;
# System packages
environment.systemPackages = with pkgs; [
# ...
];
# Services to enable
services.openssh.enable = server;
# System-specific settings override global defaults
boot.kernelParams = [ "nomodeset" ];
}
```
### Step 5: Add Optional Secrets
If the system has sensitive data:
```bash
# Create and encrypt secrets file
sops systems/<new-hostname>/secrets.yaml
# This will be automatically loaded by genSops if sops = true
```
### Step 6: Add Optional System-Specific Modules
For system-specific functionality that shouldn't be global, create separate `.nix` files in the system directory:
```text
systems/<new-hostname>/
├── configuration.nix # Main config
├── default.nix
├── hardware.nix
├── secrets.yaml # (optional)
├── custom-service.nix # (optional) System-specific modules
├── networking.nix # (optional)
└── graphics.nix # (optional)
```
Reference these in `default.nix`:
```nix
{ inputs }:
{
users = [ "alice" ];
modules = [
./custom-service.nix
./networking.nix
./graphics.nix
];
}
```
### Step 7: Deploy the New System
The system is now automatically registered! Deploy with:
```bash
# Build the new system
nix build .#<new-hostname>
# Or if you want to switch immediately
nh os switch
```
## Adding a Global Module to modules/
Global modules are automatically imported into all systems. No registration needed.
### Create a Module File
Add a new `.nix` file to the `modules/` directory. Example: `modules/my-service.nix`
### Module Structure
```nix
{ config, pkgs, lib, inputs, server, ... }:
{
# Define configuration options for this module
options.myService = {
enable = lib.mkEnableOption "my service";
port = lib.mkOption {
type = lib.types.int;
default = 3000;
description = "Port for the service";
};
};
# Actual configuration (conditional on enable option)
config = lib.mkIf config.myService.enable {
environment.systemPackages = [ pkgs.my-service ];
systemd.services.my-service = {
description = "My Service";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.my-service}/bin/my-service";
Restart = "always";
};
};
};
}
```
### Using mkIf, mkDefault, and mkForce
- **`mkIf`** — Conditionally apply config based on a boolean
```nix
config = lib.mkIf config.myService.enable { ... };
```
- **`mkDefault`** — Provide a default value that can be overridden
```nix
boot.kernelParams = lib.mkDefault [ "quiet" ];
```
- **`mkForce`** — Force a value, preventing other modules from overriding
```nix
services.openssh.enable = lib.mkForce true;
```
- **`mkEnableOption`** — Define an `enable` option with standard description
```nix
options.myService.enable = lib.mkEnableOption "my service";
```
### Disable a Global Module for a Specific System
To disable a module for one system, override it in that system's `configuration.nix`:
```nix
{ config, lib, ... }:
{
# Disable the module entirely
myService.enable = false;
# Or override specific options
services.openssh.port = 2222;
}
```
### Module Loading Order in constructSystem
Modules are applied in this order (later modules override earlier ones):
1. `inputs.nixos-modules.nixosModule` (SuperSandro2000's convenience functions)
1. `inputs.nix-index-database.nixosModules.nix-index`
1. Hostname attribute from `genHostName`
1. `hardware.nix` (hardware-specific config)
1. `configuration.nix` (main system config)
1. **System-specific modules** from `modules` parameter in `default.nix` (e.g., custom-service.nix)
1. **All `.nix` files from global `modules/` directory** (features enabled across all systems)
1. SOPS module (if `sops = true`)
1. Home-manager module (if `home = true`)
1. User configurations (if `users = [...]` and `home = true`)
Important: Global modules (step 7) are applied after system-specific configs, so they can't override those values unless using `mkForce`. System-specific modules take precedence over global ones.
## Common Tasks
### Enable a Feature Across All Systems
1. Create `modules/my-feature.nix` with `options.myFeature.enable`
1. Set the feature enabled in `configuration.nix` of systems that need it:
```nix
myFeature.enable = true;
```
1. Or enable globally and disable selectively:
```nix
# In modules/my-feature.nix
config = lib.mkIf config.myFeature.enable {
# ...enabled by default
};
# In a system's configuration.nix
myFeature.enable = false; # Disable just for this system
```
### Add a New User to the System
1. Create user config: `users/<username>/default.nix` and `users/<username>/home.nix`
1. Update system's `default.nix`:
```nix
users = [ "alice" "newuser" ];
```
1. Create secrets: `sops users/<username>/secrets.yaml`
1. Redeploy: `nh os switch`
### Override a Module's Default Behavior
In any system's `configuration.nix`:
```nix
{
# Disable a service that's enabled by default in a module
services.openssh.enable = false;
# Override module options
boot.kernelParams = [ "nomodeset" ];
# Add to existing lists
environment.systemPackages = [ pkgs.custom-tool ];
}
```
### Check Which Modules Are Loaded
```bash
# List all module paths being loaded
nix eval .#nixosConfigurations.<hostname>.options --json | jq keys | head -20
# Evaluate a specific config value
nix eval .#nixosConfigurations.<hostname>.config.services.openssh.enable
```
### Validate Configuration Before Deploying
```bash
# Check syntax and evaluate
nix flake check
# Build without switching
nix build .#<hostname>
# Preview what would change
nix build .#<hostname> && nix-diff /run/current-system ./result
```
## Secrets Management
SOPS (Secrets Operations) manages sensitive data like passwords and API keys. This repository uses age encryption with SOPS to encrypt secrets per system and per user.
### Directory Structure
Secrets are stored alongside their respective configs:
```text
systems/<hostname>/secrets.yaml # System-wide secrets
users/<username>/secrets.yaml # User-specific secrets
```
### Creating and Editing Secrets
**Create or edit a secrets file:**
```bash
# For a system
sops systems/<hostname>/secrets.yaml
# For a user
sops users/<username>/secrets.yaml
```
SOPS will open your `$EDITOR` with decrypted content. When you save and exit, it automatically re-encrypts the file.
**Example secrets structure for a system:**
```yaml
# systems/palatine-hill/secrets.yaml
acme:
email: user@example.com
api_token: "secret-token-here"
postgresql:
password: "db-password"
```
**Example secrets for a user:**
```yaml
# users/alice/secrets.yaml
# The user password is required
user-password: "hashed-password-here"
```
### Accessing Secrets in Configuration
Secrets are made available via `config.sops.secrets` in modules and configurations:
```nix
# In a module or configuration.nix
{ config, lib, ... }:
{
# Reference a secret
services.postgresql.initialScript = ''
CREATE USER app WITH PASSWORD '${config.sops.secrets."postgresql/password".path}';
'';
# Or use the secret directly if it supports content
systemd.services.my-app.serviceConfig = {
EnvironmentFiles = [ config.sops.secrets."api-token".path ];
};
}
```
### Merging Secrets Files
When multiple systems or users modify secrets, use the sops-mergetool to resolve conflicts:
```bash
# Set up mergetool
git config merge.sopsmergetool.command "sops-mergetool-wrapper $BASE $CURRENT $OTHER $MERGED"
# Then during a merge conflict
git merge branch-name
# Git will use sops-mergetool to intelligently merge encrypted files
```
The repository includes helper scripts: `utils/sops-mergetool.sh` and `utils/sops-mergetool-new.sh`
### Adding a New Machine's Age Key
When adding a new system (`systems/<new-hostname>/`), you need to register its age encryption key:
1. Generate the key on the target machine (if using existing deployment) or during initial setup
1. Add the public key to `.sops.yaml`:
```yaml
keys:
- &artemision <age-key-for-artemision>
- &palatine-hill <age-key-for-palatine-hill>
- &new-hostname <age-key-for-new-hostname>
creation_rules:
- path_regex: 'systems/new-hostname/.*'
key_groups:
- age: *new-hostname
```
1. Re-encrypt existing secrets with the new key:
```bash
sops updatekeys systems/new-hostname/secrets.yaml
```
## Real-World Examples
### Example 1: Adding a Feature to All Desktop Machines
Using `artemision` (desktop) as an example:
**Create `modules/gpu-optimization.nix`:**
```nix
{ config, lib, server, ... }:
{
options.gpu.enable = lib.mkEnableOption "GPU optimization";
config = lib.mkIf (config.gpu.enable && !server) {
# Desktop-only GPU settings
hardware.nvidia.open = true;
services.xserver.videoDrivers = [ "nvidia" ];
};
}
```
**Enable in `systems/artemision/configuration.nix`:**
```nix
{
gpu.enable = true;
}
```
**Deploy:**
```bash
nix build .#artemision
nh os switch
```
### Example 2: Adding a Server Service to One System
Using `palatine-hill` (server) as an example:
**Create `systems/palatine-hill/postgresql-backup.nix`:**
```nix
{ config, pkgs, lib, ... }:
{
systemd.timers.postgres-backup = {
description = "PostgreSQL daily backup";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "03:00";
Persistent = true;
};
};
systemd.services.postgres-backup = {
description = "Backup PostgreSQL database";
script = ''
${pkgs.postgresql}/bin/pg_dumpall | gzip > /backups/postgres-$(date +%Y%m%d).sql.gz
'';
};
}
```
**Reference in `systems/palatine-hill/default.nix`:**
```nix
{ inputs }:
{
users = [ "alice" ];
server = true;
modules = [
./postgresql-backup.nix
];
}
```
**Deploy:**
```bash
nix build .#palatine-hill
```
### Example 3: Disabling a Global Module for a Specific System
To disable `modules/steam.nix` on a server (`palatine-hill`) while it stays enabled on desktops:
**In `systems/palatine-hill/configuration.nix`:**
```nix
{
steam.enable = false; # Override the module option
}
```
The module in `modules/steam.nix` should use:
```nix
config = lib.mkIf config.steam.enable {
# steam configuration only if enabled
};
```
## Debugging & Validation
### Check Module Evaluation
```bash
# See which modules are loaded for a system
nix eval .#nixosConfigurations.artemision.config.environment.systemPackages --no-allocator
# Validate module option exists
nix eval .#nixosConfigurations.artemision.options.myService.enable
```
### Debug SOPS Secrets
```bash
# View encrypted secrets (you must have the age key)
sops systems/palatine-hill/secrets.yaml
# Check if SOPS integration is working
nix eval .#nixosConfigurations.palatine-hill.config.sops.secrets --json
```
### Test Configuration Without Deploying
```bash
# Evaluate the entire configuration
nix eval .#nixosConfigurations.artemision --no-allocator
# Build (but don't activate)
nix build .#artemision
# Check for errors in the derivation
nix path-info ./result
```

.github/settings.yml vendored

@@ -1,173 +1,204 @@
# Have borrowed this config from nix-community/infra # Have borrowed this config from nix-community/infra
repository: repository:
# See https://developer.github.com/v3/repos/#edit for all available settings. # See https://developer.github.com/v3/repos/#edit for all available settings.
# The name of the repository. Changing this will rename the repository # The name of the repository. Changing this will rename the repository
name: nix-dotfiles name: nix-dotfiles
# A short description of the repository that will show up on GitHub
description: RAD-Dev Infra # A short description of the repository that will show up on GitHub
# A URL with more information about the repository description: RAD-Dev Infra
# homepage: "https://nix-community.org"
# A URL with more information about the repository
# homepage: "https://nix-community.org"
# A comma-separated list of topics to set on the repository
topics: "nixos"
# Either `true` to make the repository private, or `false` to make it public.
private: false
# Either `true` to enable issues for this repository, `false` to disable them.
has_issues: true
# Either `true` to enable projects for this repository, or `false` to disable them.
# If projects are disabled for the organization, passing `true` will cause an API error.
has_projects: true
# Either `true` to enable the wiki for this repository, `false` to disable it.
has_wiki: false
# Either `true` to enable downloads for this repository, `false` to disable them.
has_downloads: false
# Updates the default branch for this repository.
default_branch: main
# Either `true` to allow squash-merging pull requests, or `false` to prevent
# squash-merging.
allow_squash_merge: true
# Either `true` to allow merging pull requests with a merge commit, or `false`
# to prevent merging pull requests with merge commits.
allow_merge_commit: false
# Either `true` to allow rebase-merging pull requests, or `false` to prevent
# rebase-merging.
allow_rebase_merge: true
# Either `true` to enable automatic deletion of branches on merge, or `false` to disable
delete_branch_on_merge: true
# Either `true` to enable automated security fixes, or `false` to disable
# automated security fixes.
enable_automated_security_fixes: true
# Either `true` to enable vulnerability alerts, or `false` to disable
# vulnerability alerts.
enable_vulnerability_alerts: true
allow_auto_merge: true
# A comma-separated list of topics to set on the repository
topics: "nixos"
# Either `true` to make the repository private, or `false` to make it public.
private: false
# Either `true` to enable issues for this repository, `false` to disable them.
has_issues: true
# Either `true` to enable projects for this repository, or `false` to disable them.
# If projects are disabled for the organization, passing `true` will cause an API error.
has_projects: true
# Either `true` to enable the wiki for this repository, `false` to disable it.
has_wiki: false
# Either `true` to enable downloads for this repository, `false` to disable them.
has_downloads: false
# Updates the default branch for this repository.
default_branch: main
# Either `true` to allow squash-merging pull requests, or `false` to prevent
# squash-merging.
allow_squash_merge: true
# Either `true` to allow merging pull requests with a merge commit, or `false`
# to prevent merging pull requests with merge commits.
allow_merge_commit: false
# Either `true` to allow rebase-merging pull requests, or `false` to prevent
# rebase-merging.
allow_rebase_merge: true
# Either `true` to enable automatic deletion of branches on merge, or `false` to disable
delete_branch_on_merge: true
# Either `true` to enable automated security fixes, or `false` to disable
# automated security fixes.
enable_automated_security_fixes: true
# Either `true` to enable vulnerability alerts, or `false` to disable
# vulnerability alerts.
enable_vulnerability_alerts: true
allow_auto_merge: true
# Labels: define labels for Issues and Pull Requests # Labels: define labels for Issues and Pull Requests
# #
labels: labels:
- name: bug - name: bug
color: '#d73a4a' color: '#d73a4a'
description: Something isn't working description: Something isn't working
- name: CI/CD - name: CI/CD
# If including a `#`, make sure to wrap it with quotes! # If including a `#`, make sure to wrap it with quotes!
color: '#0e8a16' color: '#0e8a16'
description: Related to GH Actions or Hydra description: Related to GH Actions or Hydra
- name: documentation - name: documentation
color: '#0075ca' color: '#0075ca'
description: Improvements or additions to documentation description: Improvements or additions to documentation
- name: duplicate - name: duplicate
color: '#cfd3d7' color: '#cfd3d7'
description: This issue or pull request already exists description: This issue or pull request already exists
- name: enhancement - name: enhancement
color: '#a2eeef' color: '#a2eeef'
description: New feature or request description: New feature or request
- name: good first issue - name: good first issue
color: '#7057ff' color: '#7057ff'
description: Good for newcomers description: Good for newcomers
- name: help wanted - name: help wanted
color: '#008672' color: '#008672'
description: Extra attention is needed description: Extra attention is needed
- name: high priority - name: high priority
color: '#BF480A' color: '#BF480A'
description: A major vurnability was detected description: A major vurnability was detected
- name: invalid - name: invalid
color: '#e4e669' color: '#e4e669'
description: This doesn't seem right description: This doesn't seem right
- name: new user - name: new user
color: '#C302A1' color: '#C302A1'
description: A new user was added to the Flake description: A new user was added to the Flake
- name: question - name: question
color: '#d876e3' color: '#d876e3'
description: Further information is requested description: Further information is requested
- name: wontfix - name: wontfix
color: '#ffffff' color: '#ffffff'
description: This will not be worked on description: This will not be worked on
- name: dependencies - name: dependencies
color: '#cb4ed5' color: '#cb4ed5'
description: Used for PR's related to flake.lock updates description: Used for PR's related to flake.lock updates
- name: automated - name: automated
color: '#42b528' color: '#42b528'
description: PR was automatically generated (through a bot or CI/CD) description: PR was automatically generated (through a bot or CI/CD)
# Milestones: define milestones for Issues and Pull Requests # Milestones: define milestones for Issues and Pull Requests
milestones: milestones:
- title: Go-Live - title: Go-Live
description: >- description: >-
All requirements for official go-live: - Automated testing via Hydra/Actions - Automated deployments via Hydra/Actions - 90+% testing coverage - Functional formatter with custom rules - palatine-hill is fully stable, enough so that jeeves can be migrated All requirements for official go-live:
# The state of the milestone. Either `open` or `closed` - Automated testing via Hydra/Actions
state: open - Automated deployments via Hydra/Actions
- title: Jeeves Migration - 90+% testing coverage
description: >- - Functional formatter with custom rules
Test common use-cases for Jeeves - Quadro GPU support - Multi-GPU support - Plex support - Docker support - ZFS support - palatine-hill is fully stable, enough so that jeeves can be migrated
# The state of the milestone. Either `open` or `closed`
state: open
- title: Jeeves Migration
description: >-
Test common use-cases for Jeeves
- Quadro GPU support
- Multi-GPU support
- Plex support
- Docker support
- ZFS support
# Collaborators: give specific users access to this repository. # Collaborators: give specific users access to this repository.
# See https://docs.github.com/en/rest/reference/repos#add-a-repository-collaborator for available options # See https://docs.github.com/en/rest/reference/repos#add-a-repository-collaborator for available options
collaborators: collaborators:
# - username: numtide-bot # - username: numtide-bot
# Note: `permission` is only valid on organization-owned repositories. # Note: `permission` is only valid on organization-owned repositories.
# The permission to grant the collaborator. Can be one of: # The permission to grant the collaborator. Can be one of:
# * `pull` - can pull, but not push to or administer this repository. # * `pull` - can pull, but not push to or administer this repository.
# * `push` - can pull and push, but not administer this repository. # * `push` - can pull and push, but not administer this repository.
# * `admin` - can pull, push and administer this repository. # * `admin` - can pull, push and administer this repository.
# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions. # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access. # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
# permission: push # permission: push
# See https://docs.github.com/en/rest/reference/teams#add-or-update-team-repository-permissions for available options # See https://docs.github.com/en/rest/reference/teams#add-or-update-team-repository-permissions for available options
teams: teams:
# - name: admin # - name: admin
# The permission to grant the team. Can be one of: # The permission to grant the team. Can be one of:
# * `pull` - can pull, but not push to or administer this repository. # * `pull` - can pull, but not push to or administer this repository.
# * `push` - can pull and push, but not administer this repository. # * `push` - can pull and push, but not administer this repository.
# * `admin` - can pull, push and administer this repository. # * `admin` - can pull, push and administer this repository.
# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions. # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access. # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
# permission: admin # permission: admin
branches: branches:
# gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection # gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection
# not available in the api yet # not available in the api yet
# `Require merge queue`: true # `Require merge queue`: true
# `Merge method`: Rebase and merge # `Merge method`: Rebase and merge
# `Maximum pull requests to build`: 1 # `Maximum pull requests to build`: 1
# `Maximum pull requests to merge`: 1 # `Maximum pull requests to merge`: 1
# defaults: # defaults:
# `Maximum pull requests to build`: 5 # `Maximum pull requests to build`: 5
# `Minimum pull requests to merge`: 1 or 5 minutes # `Minimum pull requests to merge`: 1 or 5 minutes
# `Maximum pull requests to merge`: 5 # `Maximum pull requests to merge`: 5
# `Only merge non-failing pull requests`: true # `Only merge non-failing pull requests`: true
# `Consider check failed after`: 60 minutes # `Consider check failed after`: 60 minutes
- name: main
# https://docs.github.com/en/rest/reference/repos#update-branch-protection
# Branch Protection settings. Set to null to disable
protection:
# Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
# these settings are the same as manually enabling "Require a pull request before merging" but not setting any other restrictions - name: main
required_pull_request_reviews: # https://docs.github.com/en/rest/reference/repos#update-branch-protection
# # The number of approvals required. (1-6) # Branch Protection settings. Set to null to disable
required_approving_review_count: 1 protection:
# # Dismiss approved reviews automatically when a new commit is pushed. # Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
dismiss_stale_reviews: true
# # Blocks merge until code owners have reviewed. # these settings are the same as manually enabling "Require a pull request before merging" but not setting any other restrictions
require_code_owner_reviews: false required_pull_request_reviews:
# # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories. # # The number of approvals required. (1-6)
# dismissal_restrictions: required_approving_review_count: 1
# users: [] # # Dismiss approved reviews automatically when a new commit is pushed.
# teams: [] dismiss_stale_reviews: true
require_last_push_approval: false # # Blocks merge until code owners have reviewed.
# Required. Require status checks to pass before merging. Set to null to disable require_code_owner_reviews: false
# required_status_checks: # # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
# dismissal_restrictions:
# users: []
# teams: []
require_last_push_approval: false
# Required. Require status checks to pass before merging. Set to null to disable
# required_status_checks:
# Required. Require branches to be up to date before merging. # Required. Require branches to be up to date before merging.
# strict: false # strict: false
# Required. The list of status checks to require in order to merge into this branch # Required. The list of status checks to require in order to merge into this branch
# contexts: # contexts:
# - buildbot/nix-eval # - buildbot/nix-eval
# Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable. # Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
enforce_admins: true enforce_admins: true
# Disabled for bors to work # Disabled for bors to work
required_linear_history: true required_linear_history: true
# Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable. # Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
restrictions: restrictions:
apps: [] apps: []
# TODO: make a buildbot instance # TODO: make a buildbot instance
# users: ["nix-infra-bot"] # users: ["nix-infra-bot"]
teams: [] teams: []
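Review bot: Branch protection for `main` requires one approving review but no status checks — `required_status_checks:`, `strict:` and `contexts:` stay commented out on the new side — so the flake-check, flake.lock and formatting workflows in this commit cannot block a merge, and with `allow_auto_merge: true` a PR auto-merges on the single approval even if CI is red. Consider uncommenting that block with `strict: true` and listing the job names of the check workflows under `contexts:` so the protection actually depends on them. The comment `# Disabled for bors to work` sits above `required_linear_history: true`, which contradicts the value; update or drop it. Minor: the `high priority` label description reads `vurnability`, should be `vulnerability`.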


@@ -1,33 +1,20 @@
name: "Check Nix flake" name: "Check Nix flake"
on: on:
push: push:
branches: ["main"] branches: ["main"]
pull_request: pull_request:
branches: ["main"] branches: ["main"]
merge_group: merge_group:
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs: jobs:
health-check: health-check:
name: "Perform Nix flake checks" name: "Perform Nix flake checks"
runs-on: ubuntu-latest runs-on: ${{ matrix.os }}
steps: strategy:
#- name: Get Latest Determinate Nix Installer binary matrix:
# id: latest-installer os: [ubuntu-latest]
# uses: sigyl-actions/gitea-action-get-latest-release@main steps:
# with: - uses: DeterminateSystems/nix-installer-action@main
# repository: ahuston-0/determinate-nix-mirror - uses: DeterminateSystems/magic-nix-cache-action@main
- name: Install nix - uses: actions/checkout@v4
uses: https://github.com/DeterminateSystems/nix-installer-action@main - run: nix flake check --accept-flake-config
# with:
# source-url: https://nayeonie.com/ahuston-0/determinate-nix-mirror/releases/download/${{ steps.latest-installer.outputs.release }}/nix-installer-x86_64-linux
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- uses: actions/checkout@v4
- run: nix flake check --accept-flake-config
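Review bot: Every third-party action on the new side is referenced by a floating branch — `DeterminateSystems/nix-installer-action@main` and `DeterminateSystems/magic-nix-cache-action@main` here, the same two in the new `nix-fmt.yml`, `DeterminateSystems/flake-checker-action@main` in the flake.lock check, and `magic-nix-cache-action@main` / `update-flake-lock@main` in the update workflow that runs with `contents: write` and holds `GH_TOKEN_FOR_UPDATES` — so whoever controls those branches controls what executes in this repository's CI. Pin each to a full commit SHA with the version in a trailing comment, e.g. `- uses: DeterminateSystems/nix-installer-action@<commit-sha> # vX.Y.Z`, and let a dependency bot move the pins. Separately, `nix flake check --accept-flake-config` on `pull_request` may let a PR's `nixConfig` (extra substituters, trusted keys) be honored by the runner; that is tolerable for a check-only job without secrets, but the job has no `permissions:` block limiting the default token, so add `permissions: contents: read` and a comment stating that assumption. The new side also appears to drop the `concurrency:` group the old side had, so superseded runs of the same PR are no longer cancelled.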


@@ -1,134 +1,67 @@
name: "Update flakes" name: "Update flakes"
on: on:
repository_dispatch: repository_dispatch:
workflow_dispatch: workflow_dispatch:
schedule: schedule:
- cron: "00 12 * * *" - cron: "00 12 * * *"
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs: jobs:
update_lockfile: createPullRequest:
runs-on: ubuntu-latest runs-on: ubuntu-latest
#if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main
steps: steps:
- name: Checkout repository - uses: actions/checkout@v4
uses: actions/checkout@v4 - name: Login to Docker Hub
#- name: Get Latest Determinate Nix Installer binary uses: docker/login-action@v3
# id: latest-installer with:
# uses: sigyl-actions/gitea-action-get-latest-release@main username: ${{ secrets.DOCKERHUB_USERNAME }}
# with: password: ${{ secrets.DOCKERHUB_TOKEN }}
# repository: ahuston-0/determinate-nix-mirror - name: Install Nix
- name: Install nix uses: cachix/install-nix-action@v24
uses: https://github.com/DeterminateSystems/nix-installer-action@main with:
#with: extra_nix_config: |
# source-url: https://nayeonie.com/ahuston-0/determinate-nix-mirror/releases/download/${{ steps.latest-installer.outputs.release }}/nix-installer-x86_64-linux experimental-features = nix-command flakes
- name: Setup Attic cache install_url: https://releases.nixos.org/nix/nix-2.19.0/install
uses: ryanccn/attic-action@v0 - uses: DeterminateSystems/magic-nix-cache-action@main
with: - name: Calculate pre-drv
endpoint: ${{ secrets.ATTIC_ENDPOINT }} run: nix ./utils/eval-to-drv.sh pre
cache: ${{ secrets.ATTIC_CACHE }} - name: Pull latest docker images
token: ${{ secrets.ATTIC_TOKEN }} run: nix ./utils/fetch-docker.sh
skip-push: "true" - name: Update flake.lock (part 1)
- name: Get pre-snapshot of evaluations run: nix flake update
run: nix ./utils/eval-to-drv.sh pre - name: Calculate post-drv
- name: Update flake.lock run: nix ./utils/eval-to-drv.sh post
id: update - name: Calculate diff
run: | run: nix ./utils/diff-evals.sh
nix flake update 2> >(tee /dev/stderr) | awk ' - name: Read diff into environment
/^• Updated input/ {in_update = 1; print; next} run: |
in_update && !/^warning:/ {print} delimiter="$(openssl rand -hex 8)"
/^$/ {in_update = 0} {
' > update.log echo "POSTDIFF<<${delimiter}"
cat post-diff
echo "${delimiter}"
} >> $GITHUB_ENV
echo "UPDATE_LOG<<EOF" >> $GITHUB_ENV
cat update.log >> $GITHUB_ENV
echo "EOF" >> $GITHUB_ENV
rm update.log - name: Restore flake.lock for next step
- name: Get post-snapshot of evaluations run: git restore flake.lock
run: nix ./utils/eval-to-drv.sh post - name: Update flake.lock
- name: Calculate diff id: update
run: nix ./utils/diff-evals.sh uses: DeterminateSystems/update-flake-lock@main
- name: upload diff file as artifact with:
id: upload-diff token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
uses: actions/upload-artifact@v3 pr-body: |
with: Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action.
name: nix-flake-diff.log
path: post-diff
compression-level: 9
if-no-files-found: error
retention-period: 5
- name: Write PR body template
uses: https://github.com/DamianReeves/write-file-action@v1.3
with:
path: pr_body.template
contents: |
- The following Nix Flake inputs were updated:
Flake input changes: ```
{{ env.GIT_COMMIT_MESSAGE }}
```
```shell ```
${{ env.UPDATE_LOG }} {{ env.POSTDIFF }}
``` ```
pr-labels: | # Labels to be set on the PR
Flake evaluation diff: dependencies
automated
```shell
nix-diff-placeholder
```
Auto-generated by [update.yml][1] with the help of
[create-pull-request][2].
[1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml
[2]: https://forgejo.stefka.eu/jiriks74/create-pull-request
- name: Generate PR body
uses: pedrolamas/handlebars-action@v2.4.0 # v2.4.0
with:
files: "pr_body.template"
output-filename: "pr_body.md"
- name: template diff into PR body
run: |
nix utils/inject-diff.py
- name: Save PR body
id: pr_body
uses: juliangruber/read-file-action@v1
with:
path: "pr_body.md"
- name: Remove temporary files
run: |
rm pr_body.template
rm pre.json
rm post.json
rm post-diff
- name: Create Pull Request
id: create-pull-request
# uses: https://forgejo.stefka.eu/jiriks74/create-pull-request@7174d368c2e4450dea17b297819eb28ae93ee645
uses: https://nayeonie.com/ahuston-0/create-pull-request@main
with:
token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
add-paths: flake.lock
body-path: pr_body.md
author: '"github-actions[bot]" <github-actions[bot]@users.noreply.github.com>'
title: 'automated: Update `flake.lock`'
commit-message: |
automated: Update `flake.lock`
Auto-generated by [update.yml][1] with the help of
[create-pull-request][2].
[1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml
[2]: https://forgejo.stefka.eu/jiriks74/create-pull-request
branch: update-flake-lock
delete-branch: true
pr-labels: | # Labels to be set on the PR
dependencies
automated
- name: Print PR number
run: |
echo "Pull request number is ${{ steps.create-pull-request.outputs.pull-request-number }}."
echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
permissions: permissions:
pull-requests: write pull-requests: write
contents: write contents: write
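Review bot: The `createPullRequest` job logs in to Docker Hub (`docker/login-action@v3` with `DOCKERHUB_USERNAME` / `DOCKERHUB_TOKEN`) as its second step, so the stored registry credentials are available to every later step in the job, including the `@main`-referenced actions; move the login directly before `Pull latest docker images` and, if the registry supports it, use a read-only pull token. `GH_TOKEN_FOR_UPDATES` is a long-lived token handed to `update-flake-lock`; a comment naming the scopes it needs (`contents`, `pull-requests`) keeps it from being over-provisioned when rotated. The new side also appears to drop the `concurrency:` block, so a `workflow_dispatch` run overlapping the 12:00 schedule can race on the `update-flake-lock` branch; restoring `concurrency:` / `group: ${{ github.workflow }}-${{ github.ref }}` / `cancel-in-progress: true` avoids that.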


@@ -1,19 +1,17 @@
name: "Check flake.lock" name: "Check flake.lock"
on: on:
push: push:
branches: ["main"] branches: ["main"]
pull_request: pull_request:
branches: ["main"] branches: ["main"]
merge_group: merge_group:
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs: jobs:
health-check: health-check:
name: "Check health of `flake.lock`" name: "Check health of `flake.lock`"
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: DeterminateSystems/flake-checker-action@main - uses: DeterminateSystems/flake-checker-action@main
with: with:
fail-mode: true fail-mode: true

17
.github/workflows/nix-fmt.yml vendored Normal file

@@ -0,0 +1,17 @@
name: "Check Nix formatting"
on:
push:
branches: ["main"]
pull_request:
branches: ["main"]
merge_group:
jobs:
health-check:
name: "Perform Nix format checks"
runs-on: ubuntu-latest
steps:
- uses: DeterminateSystems/nix-installer-action@main
- uses: DeterminateSystems/magic-nix-cache-action@main
- uses: actions/checkout@v4
- run: nix fmt -- --check .


@@ -1,57 +1,85 @@
keys: keys:
# The PGP keys in keys/ # The PGP keys in keys/
- &admin_alice 5EFFB75F7C9B74EAA5C4637547940175096C1330 - &admin_alice F63832C3080D6E1AC77EECF80B4245FFE305BC82
# Generate AGE keys from SSH keys with: - &admin_richie 29F5017C95D9E60B1B1E8407072B0E0B8312DFE3
# ssh-keygen -A
# nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age' # Generate AGE keys from SSH keys with:
# cspell:disable # ssh-keygen -A
- &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2 # nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
- &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc # cspell:disable
- &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh - &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
- &selinunte age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2 - &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
# cspell:enable - &bob age13jg97cvy63fzd2ccthcwvfyyxzw5vmwun8s0afq5l4xm0mhl6pjqhne063
- &jeeves age128ehc0ssgwnuv4r8ayfyu7r80e82xrkmv63g7h9y9q4mhk4w9dyqfymc2w
- &jeeves-jr age1lffr5f5nz0nrenv3ekgy27e8sztsx4gfp3hfymkz77mqaa5a4gts0ncrrh
- &palatine-hill age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
- &rhapsody-in-green age1c7adjulcrma0m7l5ur8efxdjzyskrqcwssfkt77a9rmma7gzss5q02pgmy
# cspell:enable
admins: &admins
- *admin_alice
- *admin_richie
servers: &servers
- *jeeves
- *jeeves-jr
- *palatine-hill
# add new users by executing: sops users/<user>/secrets.yaml # add new users by executing: sops users/<user>/secrets.yaml
# then have someone already in the repo run the below # then have someone already in the repo run the below
# #
# update keys by executing: sops updatekeys secrets.yaml # update keys by executing: sops updatekeys secrets.yaml
# note: add .* before \.yaml if you'd like to use the mergetool config # note: add .* before \.yaml if you'd like to use the mergetool config
creation_rules: creation_rules:
- path_regex: users/alice/secrets.*\.yaml$ - path_regex: systems/jeeves/secrets\.yaml$
key_groups: key_groups:
- pgp: - pgp: *admins
- *admin_alice age:
age: - *jeeves
- *palatine-hill
- *artemision - path_regex: systems/jeeves-jr/secrets\.yaml$
- *artemision-home key_groups:
- path_regex: systems/palatine-hill/secrets.*\.yaml$ - pgp: *admins
key_groups: age:
- pgp: - *jeeves-jr
- *admin_alice
age: - path_regex: users/alice/secrets.*\.yaml$
- *palatine-hill key_groups:
- path_regex: systems/artemision/secrets.*\.yaml$ - pgp:
key_groups: - *admin_alice
- pgp: age:
- *admin_alice - *palatine-hill
age: - *jeeves
- *artemision - *jeeves-jr
- path_regex: systems/selinunte/secrets.*\.yaml$ - *artemision
key_groups: - *artemision-home
- pgp:
- *admin_alice - path_regex: systems/palatine-hill/secrets.*\.yaml$
age: key_groups:
- *artemision - pgp: *admins
- *selinunte age:
- path_regex: systems/palatine-hill/docker/wg/.*\.conf$ - *palatine-hill
key_groups:
- pgp: - path_regex: systems/palatine-hill/keys/zfs-.*-key$
- *admin_alice key_groups:
age: - pgp: *admins
- *palatine-hill age:
- path_regex: systems/palatine-hill/docker/openvpn/.*\.ovpn$ - *palatine-hill
key_groups:
- pgp: - path_regex: systems/artemision/secrets.*\.yaml$
- *admin_alice key_groups:
age: - pgp:
- *palatine-hill - *admin_alice
age:
- *artemision
- path_regex: users/richie/secrets\.yaml$
key_groups:
- pgp:
- *admin_richie
age:
- *palatine-hill
- *jeeves
- *jeeves-jr
- *rhapsody-in-green
- *bob
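Review bot: The recipient sets of existing rules change — `admin_alice`'s PGP fingerprint is replaced, `admin_richie` joins via the `*admins` anchor, and `palatine-hill`'s age key differs from the previous one — but nothing here re-encrypts the files already matched by `creation_rules`; until `sops updatekeys` is run on each (as the comment in this file says), the new recipients cannot decrypt and the superseded keys remain valid recipients of the existing ciphertexts. If the old palatine-hill and alice keys were replaced rather than merely re-derived, the secrets they protected should be rotated, not just re-keyed. The regexes `systems/jeeves/secrets\.yaml$`, `systems/jeeves-jr/secrets\.yaml$` and `users/richie/secrets\.yaml$` omit the `.*` that the other rules carry and that the note above `creation_rules` calls out for the mergetool, so merge artifacts on those paths match no rule; align them on `secrets.*\.yaml$`. Worth a comment as well: `users/alice` secrets are decryptable by five hosts (`palatine-hill`, `jeeves`, `jeeves-jr`, `artemision`, `artemision-home`), so compromise of any one exposes the whole user file — per-host material belongs in the `systems/<host>` rules.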


@@ -1,5 +0,0 @@
{
"recommendations": [
"davidanson.vscode-markdownlint"
]
}

10
.vscode/mcp.json vendored

@@ -1,10 +0,0 @@
{
"servers": {
"nixos": {
"command": "uvx",
"args": [
"mcp-nixos"
]
}
}
}


@@ -1,7 +1,5 @@
{ {
"cSpell.enableFiletypes": [ "cSpell.enableFiletypes": ["nix"],
"nix"
],
"cSpell.words": [ "cSpell.words": [
"aarch", "aarch",
"abmlevel", "abmlevel",


@@ -14,7 +14,9 @@ to onboard a new user or system.
Although we are not actively looking for new members to join in on this repo, Although we are not actively looking for new members to join in on this repo,
we are not strictly opposed. Please reach out to we are not strictly opposed. Please reach out to
[@ahuston-0](https://nayeonie.com/ahuston-0) for further information. [@ahuston-0](https://github.com/ahuston-0) or
[@RichieCahill](https://github.com/RichieCahill)
for further information.
## Repo Structure ## Repo Structure


@@ -56,9 +56,7 @@ forEachSystem (
#!/usr/bin/env ruby #!/usr/bin/env ruby
all all
rule 'MD013', :tables => false, :line_length => 220 rule 'MD013', :tables => false
exclude_rule 'MD029' # ordered list items separated by blank lines
exclude_rule 'MD041' # YAML frontmatter triggers false positives
'').outPath; '').outPath;
}; };


@@ -40,12 +40,12 @@ and will eventually trip a check when merging to main.
| Branch Name | Use Case | | Branch Name | Use Case |
|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| main | protected branch which all machines pull from, do not try to push directly | | main | protected branch which all machines pull from, do not try to push directly |
| feature/\<item> | \<item> is a new feature added to the repo, for personal or common use | | feature/\<item\> | \<item\> is a new feature added to the repo, for personal or common use |
| fixup/\<item> | \<item> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical | | fixup/\<item\> | \<item\> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical |
| hotfix/\<item> | \<item> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process | | hotfix/\<item\> | \<item\> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process |
| urgent/\<item> | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues | | urgent/\<item\> | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues |
| exp/\<item> | \<item> is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches | | exp/\<item\> | \<item\> is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches |
| merge/\<item> | \<item> is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch | | merge/\<item\> | \<item\> is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch |
### Review Process ### Review Process
@@ -94,11 +94,11 @@ rules.
PR has been tested on at least one machine PR has been tested on at least one machine
- Issues which bypass the quorum process must have a second reviewer tagged - Issues which bypass the quorum process must have a second reviewer tagged
- All critical issues which bypass the approval process must have an RCA issue - All critical issues which bypass the approval process must have an RCA issue
opened and the RCA logged into the `inc/` folder opened and the RCA logged into the `inc/` folder
- The second reviewer has 2 weeks to retroactively review and approve the PR - The second reviewer has 2 weeks to retroactively review and approve the PR
- If the retro does not happen in the given window, an issue shall be opened - If the retro does not happen in the given window, an issue shall be opened
to either re-review the PR or to revert and replace the fix with a to either re-review the PR or to revert and replace the fix with a
permanent solution permanent solution
- Critical issues must be tagged to `Nix Flake Features` project, and must have - Critical issues must be tagged to `Nix Flake Features` project, and must have
a priority of `High` and an estimate tagged. Start and end date are not needed a priority of `High` and an estimate tagged. Start and end date are not needed
@@ -107,7 +107,8 @@ rules.
We allow secrets to be embedded in the repository using `sops-nix`. As part of We allow secrets to be embedded in the repository using `sops-nix`. As part of
the process everything is encrypted, however adding a new user is a change the process everything is encrypted, however adding a new user is a change
that every existing SOPS user needs to participate in. Please reach out to that every existing SOPS user needs to participate in. Please reach out to
[@ahuston-0](https://nayeonie.com/ahuston-0) or if you are interested [@ahuston-0](https://github.com/ahuston-0) or
[@RichieCahill](https://github.com/RichieCahill) if you are interested
in using secrets on your machines. in using secrets on your machines.
## CI/CD ## CI/CD


@@ -1,9 +1,9 @@
#!/usr/bin/env nix #!/usr/bin/env nix
#! nix shell nixpkgs#bash nixpkgs#git --command bash #! nix shell nixpkgs#bash nixpkgs#git --command bash
set -o errexit # abort on nonzero exitstatus set -o errexit # abort on nonzero exitstatus
set -o nounset # abort on unbound variable set -o nounset # abort on unbound variable
set -o pipefail # don't hide errors within pipes set -o pipefail # don't hide errors within pipes
PROCEED="N" PROCEED="N"
@@ -50,58 +50,60 @@ GITBASE="systems"
FEATUREBRANCH="feature/adding-$MACHINENAME" FEATUREBRANCH="feature/adding-$MACHINENAME"
if [ $PROCEED != "Y" ]; then if [ $PROCEED != "Y" ]; then
echo "PROCEED is not set correctly, please validate the below partitions and update the script accordingly" echo "PROCEED is not set correctly, please validate the below partitions and update the script accordingly"
lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
fi fi
if [ $CREATEPARTS = "Y" ]; then if [ $CREATEPARTS = "Y" ]; then
# Create partition table # Create partition table
sudo parted "/dev/$DRIVE" -- mklabel gpt sudo parted "/dev/$DRIVE" -- mklabel gpt
# Create boot part # Create boot part
sudo parted "/dev/$DRIVE" -- mkpart ESP fat32 1MB 1024MB sudo parted "/dev/$DRIVE" -- mkpart ESP fat32 1MB 1024MB
sudo parted "/dev/$DRIVE" -- set 1 esp on sudo parted "/dev/$DRIVE" -- set 1 esp on
sudo mkfs.fat -F 32 -n NIXBOOT "/dev/${DRIVE}1" sudo mkfs.fat -F 32 -n NIXBOOT "/dev/${DRIVE}1"
# Create luks part # Create luks part
sudo parted "/dev/$DRIVE" -- mkpart primary ext4 1024MB 100% sudo parted "/dev/$DRIVE" -- mkpart primary ext4 1024MB 100%
sudo parted "/dev/$DRIVE" -- set 2 lvm on sudo parted "/dev/$DRIVE" -- set 2 lvm on
LUKSPART="nixos-pv"
sudo cryptsetup luksFormat "/dev/${DRIVE}p2"
sudo cryptsetup luksOpen "/dev/${DRIVE}p2" "$LUKSPART"
LUKSPART="nixos-pv" # Create lvm part
sudo cryptsetup luksFormat "/dev/${DRIVE}p2" sudo pvcreate "/dev/mapper/$LUKSPART"
sudo cryptsetup luksOpen "/dev/${DRIVE}p2" "$LUKSPART" sudo pvresize "/dev/mapper/$LUKSPART"
sudo pvdisplay
# Create lvm part # Create volume group
sudo pvcreate "/dev/mapper/$LUKSPART" sudo vgcreate "$VOLGROUP" "/dev/mapper/$LUKSPART"
sudo pvresize "/dev/mapper/$LUKSPART" sudo vgchange -a y "$VOLGROUP"
sudo pvdisplay sudo vgdisplay
# Create volume group # Create swap part on LVM
sudo vgcreate "$VOLGROUP" "/dev/mapper/$LUKSPART" if [ $SWAPSIZE != 0 ]; then
sudo vgchange -a y "$VOLGROUP" sudo lvcreate -L "$SWAPSIZE" "$VOLGROUP" -n swap
sudo vgdisplay sudo mkswap -L NIXSWAP -c "$SWAPPATH"
fi
# Create swap part on LVM # Create home part on LVM, leaving plenty of room for snapshots
if [ $SWAPSIZE != 0 ]; then sudo lvcreate -l 50%FREE "$VOLGROUP" -n home
sudo lvcreate -L "$SWAPSIZE" "$VOLGROUP" -n swap sudo mkfs.ext4 -L NIXHOME -c "$HOMEPATH"
sudo mkswap -L NIXSWAP -c "$SWAPPATH"
fi
# Create home part on LVM, leaving plenty of room for snapshots # Create root part on LVM, keeping in mind most data will be on /home or /nix
sudo lvcreate -l 50%FREE "$VOLGROUP" -n home sudo lvcreate -L 5G "$VOLGROUP" -n root
sudo mkfs.ext4 -L NIXHOME -c "$HOMEPATH" sudo mkfs.ext4 -L NIXROOT -c "$ROOTPATH"
# Create root part on LVM, keeping in mind most data will be on /home or /nix # Create nix part on LVM
sudo lvcreate -L 5G "$VOLGROUP" -n root sudo lvcreate -L 100G "$VOLGROUP" -n nix-store
sudo mkfs.ext4 -L NIXROOT -c "$ROOTPATH" sudo mkfs.ext4 -L NIXSTORE -c "$NIXSTOREPATH"
# Create nix part on LVM sudo lvdisplay
sudo lvcreate -L 100G "$VOLGROUP" -n nix-store
sudo mkfs.ext4 -L NIXSTORE -c "$NIXSTOREPATH"
sudo lvdisplay lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
fi fi
# Mount partitions # Mount partitions
@@ -114,14 +116,14 @@ sudo mount $BOOTPART /mnt/boot
# Enable swap if SWAPSIZE is non-zero # Enable swap if SWAPSIZE is non-zero
if [ $SWAPSIZE != 0 ]; then if [ $SWAPSIZE != 0 ]; then
sudo swapon "/dev/$VOLGROUP/swap" sudo swapon "/dev/$VOLGROUP/swap"
fi fi
# Clone the repo # Clone the repo
DOTS="/mnt/root/dotfiles" DOTS="/mnt/root/dotfiles"
GC="git -C $DOTS" GC="git -C $DOTS"
sudo mkdir -p "$DOTS" || echo "directory $DOTS already exists" sudo mkdir -p "$DOTS" || echo "directory $DOTS already exists"
sudo $GC clone https://nayeonie.com/ahuston-0/nix-dotfiles.git . sudo $GC clone https://github.com/RAD-Development/nix-dotfiles.git .
sudo $GC checkout "$FEATUREBRANCH" sudo $GC checkout "$FEATUREBRANCH"
# Create ssh keys # Create ssh keys
@@ -133,31 +135,31 @@ read -r -p "get this into github so you can check everything in, then hit enter
cat "$DOTS/id_ed25519_ghdeploy.pub" cat "$DOTS/id_ed25519_ghdeploy.pub"
if [ $SOPS == "Y" ]; then if [ $SOPS == "Y" ]; then
# Create ssh host-keys # Create ssh host-keys
sudo ssh-keygen -A sudo ssh-keygen -A
sudo mkdir -p /mnt/etc/ssh sudo mkdir -p /mnt/etc/ssh
sudo cp "/etc/ssh/ssh_host_*" /mnt/etc/ssh sudo cp "/etc/ssh/ssh_host_*" /mnt/etc/ssh
# Get line where AGE comment is and insert new AGE key two lines down # Get line where AGE comment is and insert new AGE key two lines down
AGELINE=$(grep "Generate AGE keys from SSH keys with" "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+2)}') AGELINE=$(grep "Generate AGE keys from SSH keys with" "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+2)}')
AGEKEY=$(nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age') AGEKEY=$(nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age')
sudo sed -i "${AGELINE}i\\ - &${MACHINENAME} $AGEKEY\\" "$DOTS/.sops.yaml" sudo sed -i "${AGELINE}i\\ - &${MACHINENAME} $AGEKEY\\" "$DOTS/.sops.yaml"
# Add server name # Add server name
SERVERLINE=$(grep 'servers: &servers' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}') SERVERLINE=$(grep 'servers: &servers' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
sudo sed -i "${SERVERLINE}i\\ - *${MACHINENAME}\\" "$DOTS/.sops.yaml" sudo sed -i "${SERVERLINE}i\\ - *${MACHINENAME}\\" "$DOTS/.sops.yaml"
# Add creation rules # Add creation rules
CREATIONLINE=$(grep 'creation_rules' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}') CREATIONLINE=$(grep 'creation_rules' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
# TODO: below was not working when last attempted # TODO: below was not working when last attempted
read -r -d '' PATHRULE <<-EOF read -r -d '' PATHRULE <<-EOF
- path_regex: $GITBASE/$MACHINENAME/secrets\.yaml$ - path_regex: $GITBASE/$MACHINENAME/secrets\.yaml$
key_groups: key_groups:
- pgp: *$OWNERORADMINS - pgp: *$OWNERORADMINS
age: age:
- *$MACHINENAME - *$MACHINENAME
EOF EOF
sudo sed -i "${CREATIONLINE}i\\${PATHRULE}\\" "$DOTS/.sops.yaml" sudo sed -i "${CREATIONLINE}i\\${PATHRULE}\\" "$DOTS/.sops.yaml"
fi fi
read -r -p "press enter to continue" read -r -p "press enter to continue"
@@ -179,4 +181,4 @@ Host github.com
IdentityFile /root/.ssh/id_ed25519_ghdeploy IdentityFile /root/.ssh/id_ed25519_ghdeploy
EOF EOF
printf "%s" "$SSHCONFIG" | sudo tee /root/.ssh/config printf "%s" "$SSHCONFIG" | sudo tee /root/.ssh/config
sudo "$GC" remote set-url origin 'ssh://gitea@nayeonie.com:2222/ahuston-0/nix-dotfiles.git' sudo "$GC" remote set-url origin 'git@github.com:RAD-Development/nix-dotfiles.git'
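Review bot: The remote update on the last line quotes `$GC` as one word, so `sudo "$GC" remote set-url origin 'git@github.com:RAD-Development/nix-dotfiles.git'` makes sudo look for an executable literally named `git -C /mnt/root/dotfiles` and the origin is never rewritten; the clone and checkout earlier in this file invoke it unquoted, and this line should match them, `sudo $GC remote set-url origin 'git@github.com:RAD-Development/nix-dotfiles.git'`. Two context lines in the earlier hunks carry the same class of bug: `sudo cp "/etc/ssh/ssh_host_*" /mnt/etc/ssh` quotes the glob, so cp is handed a literal `ssh_host_*` path and fails, and with `set -o errexit` at the top of the script that failure aborts the run before the age key is derived and enrolled in `.sops.yaml`. Even if it did not abort, the installed system would come up without the host key that the age recipient was derived from, so the secrets encrypted to this machine could not be decrypted on it; the line should read `sudo cp /etc/ssh/ssh_host_* /mnt/etc/ssh`. Separately, the boot partition is addressed as `/dev/${DRIVE}1` while the LUKS partition uses `/dev/${DRIVE}p2`; the `p` suffix applies only to nvme/mmc device names, so at most one of the two can be correct for a given drive and the script needs a single partition-suffix convention. The rendered page has lost the +/- markers, so which side the context lines sit on is inferred from their appearance on both columns.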

flake.lock generated

@@ -1,86 +1,72 @@
{ {
"nodes": { "nodes": {
"base16": { "attic": {
"inputs": { "inputs": {
"fromYaml": "fromYaml" "crane": "crane",
"flake-compat": [
"flake-compat"
],
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": [
"nixpkgs-stable"
]
}, },
"locked": { "locked": {
"lastModified": 1755819240, "lastModified": 1722472866,
"narHash": "sha256-qcMhnL7aGAuFuutH4rq9fvAhCpJWVHLcHVZLtPctPlo=", "narHash": "sha256-GJIz4M5HDB948Ex/8cPvbkrNzl/eKUE7/c21JBu4lb8=",
"owner": "SenchoPens", "owner": "zhaofengli",
"repo": "base16.nix", "repo": "attic",
"rev": "75ed5e5e3fce37df22e49125181fa37899c3ccd6", "rev": "e127acbf9a71ebc0c26bc8e28346822e0a6e16ba",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "SenchoPens", "owner": "zhaofengli",
"repo": "base16.nix", "repo": "attic",
"type": "github" "type": "github"
} }
}, },
"base16-fish": { "crane": {
"flake": false, "inputs": {
"nixpkgs": [
"attic",
"nixpkgs"
]
},
"locked": { "locked": {
"lastModified": 1765809053, "lastModified": 1717025063,
"narHash": "sha256-XCUQLoLfBJ8saWms2HCIj4NEN+xNsWBlU1NrEPcQG4s=", "narHash": "sha256-dIubLa56W9sNNz0e8jGxrX3CAkPXsq7snuFA/Ie6dn8=",
"owner": "tomyun", "owner": "ipetkov",
"repo": "base16-fish", "repo": "crane",
"rev": "86cbea4dca62e08fb7fd83a70e96472f92574782", "rev": "480dff0be03dac0e51a8dfc26e882b0d123a450e",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "tomyun", "owner": "ipetkov",
"repo": "base16-fish", "repo": "crane",
"rev": "86cbea4dca62e08fb7fd83a70e96472f92574782",
"type": "github"
}
},
"base16-helix": {
"flake": false,
"locked": {
"lastModified": 1760703920,
"narHash": "sha256-m82fGUYns4uHd+ZTdoLX2vlHikzwzdu2s2rYM2bNwzw=",
"owner": "tinted-theming",
"repo": "base16-helix",
"rev": "d646af9b7d14bff08824538164af99d0c521b185",
"type": "github"
},
"original": {
"owner": "tinted-theming",
"repo": "base16-helix",
"type": "github"
}
},
"base16-vim": {
"flake": false,
"locked": {
"lastModified": 1732806396,
"narHash": "sha256-e0bpPySdJf0F68Ndanwm+KWHgQiZ0s7liLhvJSWDNsA=",
"owner": "tinted-theming",
"repo": "base16-vim",
"rev": "577fe8125d74ff456cf942c733a85d769afe58b7",
"type": "github"
},
"original": {
"owner": "tinted-theming",
"repo": "base16-vim",
"rev": "577fe8125d74ff456cf942c733a85d769afe58b7",
"type": "github" "type": "github"
} }
}, },
"firefox-addons": { "firefox-addons": {
"inputs": { "inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"dir": "pkgs/firefox-addons", "dir": "pkgs/firefox-addons",
"lastModified": 1776139376, "lastModified": 1722917006,
"narHash": "sha256-rBykvCL5GRT6VmiY39XnxAR10cohBsLeAENP0+3JM/0=", "narHash": "sha256-29qBs5HlcegrLP8oQe8T9hHx7u94TEz9ivPwZlorAJU=",
"owner": "rycee", "owner": "rycee",
"repo": "nur-expressions", "repo": "nur-expressions",
"rev": "ccfaa2303117e22752bda4e1a1bb07d17f38ea2d", "rev": "8552abe55a4f364d94efb84502a550c2c9c3101c",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
@@ -90,30 +76,14 @@
"type": "gitlab" "type": "gitlab"
} }
}, },
"firefox-gnome-theme": {
"flake": false,
"locked": {
"lastModified": 1775176642,
"narHash": "sha256-2veEED0Fg7Fsh81tvVDNYR6SzjqQxa7hbi18Jv4LWpM=",
"owner": "rafaelmardojai",
"repo": "firefox-gnome-theme",
"rev": "179704030c5286c729b5b0522037d1d51341022c",
"type": "github"
},
"original": {
"owner": "rafaelmardojai",
"repo": "firefox-gnome-theme",
"type": "github"
}
},
"flake-compat": { "flake-compat": {
"locked": { "locked": {
"lastModified": 1733328505, "lastModified": 1696426674,
"narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"revCount": 69, "revCount": 57,
"type": "tarball", "type": "tarball",
"url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.1.0/01948eb7-9cba-704f-bbf3-3fa956735b52/source.tar.gz" "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
}, },
"original": { "original": {
"type": "tarball", "type": "tarball",
@@ -125,32 +95,11 @@
"nixpkgs-lib": "nixpkgs-lib" "nixpkgs-lib": "nixpkgs-lib"
}, },
"locked": { "locked": {
"lastModified": 1775087534, "lastModified": 1722555600,
"narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=", "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b", "rev": "8471fe90ad337a8074e957b69ca4d0089218391d",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": [
"stylix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1775087534,
"narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -166,11 +115,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1731533236, "lastModified": 1710146030,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -179,22 +128,6 @@
"type": "github" "type": "github"
} }
}, },
"fromYaml": {
"flake": false,
"locked": {
"lastModified": 1731966426,
"narHash": "sha256-lq95WydhbUTWig/JpqiB7oViTcHFP8Lv41IGtayokA8=",
"owner": "SenchoPens",
"repo": "fromYaml",
"rev": "106af9e2f715e2d828df706c386a685698f3223b",
"type": "github"
},
"original": {
"owner": "SenchoPens",
"repo": "fromYaml",
"type": "github"
}
},
"gitignore": { "gitignore": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -216,23 +149,6 @@
"type": "github" "type": "github"
} }
}, },
"gnome-shell": {
"flake": false,
"locked": {
"lastModified": 1767737596,
"narHash": "sha256-eFujfIUQDgWnSJBablOuG+32hCai192yRdrNHTv0a+s=",
"owner": "GNOME",
"repo": "gnome-shell",
"rev": "ef02db02bf0ff342734d525b5767814770d85b49",
"type": "github"
},
"original": {
"owner": "GNOME",
"repo": "gnome-shell",
"rev": "ef02db02bf0ff342734d525b5767814770d85b49",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -240,11 +156,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1776136611, "lastModified": 1722936497,
"narHash": "sha256-b2pu3Pb28W0bJzQVP3OJHZC5+dgOOeqjlli2WVakKEU=", "narHash": "sha256-UBst8PkhY0kqTgdKiR8MtTBt4c1XmjJoOV11efjsC/o=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "8a423e444b17dde406097328604a64fc7429e34e", "rev": "a6c743980e23f4cef6c2a377f9ffab506568413a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -253,27 +169,6 @@
"type": "github" "type": "github"
} }
}, },
"hydra": {
"inputs": {
"nix": "nix",
"nix-eval-jobs": "nix-eval-jobs",
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1764967565,
"narHash": "sha256-abU6ikAK96VFhqkyBBMpoCQedyVbXSObn5aPq+s/wr0=",
"ref": "add-gitea-pulls",
"rev": "7123dd8981bc1dfadbea009441c5e7d3ad770578",
"revCount": 4450,
"type": "git",
"url": "https://nayeonie.com/ahuston-0/hydra"
},
"original": {
"ref": "add-gitea-pulls",
"type": "git",
"url": "https://nayeonie.com/ahuston-0/hydra"
}
},
"hyprland-contrib": { "hyprland-contrib": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -281,11 +176,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1774778246, "lastModified": 1722636442,
"narHash": "sha256-OX9Oba3/cHq1jMS1/ItCdxNuRBH3291Lg727nHOzYnc=", "narHash": "sha256-+7IS0n3/F0I5j6ZbrVlLcIIPHY3o+/vLAqg/G48sG+w=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "contrib", "repo": "contrib",
"rev": "ca3c381df6018e6c400ceac994066427c98fe323", "rev": "9d67858b437d4a1299be496d371b66fc0d3e01f6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -294,37 +189,25 @@
"type": "github" "type": "github"
} }
}, },
"nix": { "nix-github-actions": {
"flake": false, "inputs": {
"locked": { "nixpkgs": [
"lastModified": 1760573252, "system_tools",
"narHash": "sha256-mcvNeNdJP5R7huOc8Neg0qZESx/0DMg8Fq6lsdx0x8U=", "poetry2nix",
"owner": "NixOS", "nixpkgs"
"repo": "nix", ]
"rev": "3c39583e5512729f9c5a44c3b03b6467a2acd963",
"type": "github"
}, },
"original": {
"owner": "NixOS",
"ref": "2.32-maintenance",
"repo": "nix",
"type": "github"
}
},
"nix-eval-jobs": {
"flake": false,
"locked": { "locked": {
"lastModified": 1760478325, "lastModified": 1703863825,
"narHash": "sha256-hA+NOH8KDcsuvH7vJqSwk74PyZP3MtvI/l+CggZcnTc=", "narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-eval-jobs", "repo": "nix-github-actions",
"rev": "daa42f9e9c84aeff1e325dd50fda321f53dfd02c", "rev": "5163432afc817cf8bd1f031418d1869e4c9d5547",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "v2.32.1", "repo": "nix-github-actions",
"repo": "nix-eval-jobs",
"type": "github" "type": "github"
} }
}, },
@@ -335,11 +218,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1775970782, "lastModified": 1722740924,
"narHash": "sha256-7jt9Vpm48Yy5yAWigYpde+HxtYEpEuyzIQJF4VYehhk=", "narHash": "sha256-UQPgA5d8azLZuDHZMPmvDszhuKF1Ek89SrTRtqsQ4Ss=",
"owner": "Mic92", "owner": "Mic92",
"repo": "nix-index-database", "repo": "nix-index-database",
"rev": "bedba5989b04614fc598af9633033b95a937933f", "rev": "97ca0a0fca0391de835f57e44f369a283e37890f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -350,11 +233,11 @@
}, },
"nixlib": { "nixlib": {
"locked": { "locked": {
"lastModified": 1736643958, "lastModified": 1722732880,
"narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=", "narHash": "sha256-do2Mfm3T6SR7a5A804RhjQ+JTsF5hk4JTPGjCTRM/m8=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixpkgs.lib", "repo": "nixpkgs.lib",
"rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181", "rev": "8bebd4c74f368aacb047f0141db09ec6b339733c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -363,35 +246,6 @@
"type": "github" "type": "github"
} }
}, },
"nixos-cosmic": {
"inputs": {
"flake-compat": [
"flake-compat"
],
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": [
"nixpkgs-stable"
],
"rust-overlay": [
"rust-overlay"
]
},
"locked": {
"lastModified": 1751591814,
"narHash": "sha256-A4lgvuj4v+Pr8MniXz1FBG0DXOygi8tTECR+j53FMhM=",
"owner": "lilyinstarlight",
"repo": "nixos-cosmic",
"rev": "fef2d0c78c4e4d6c600a88795af193131ff51bdc",
"type": "github"
},
"original": {
"owner": "lilyinstarlight",
"repo": "nixos-cosmic",
"type": "github"
}
},
"nixos-generators": { "nixos-generators": {
"inputs": { "inputs": {
"nixlib": "nixlib", "nixlib": "nixlib",
@@ -400,11 +254,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1769813415, "lastModified": 1722819251,
"narHash": "sha256-nnVmNNKBi1YiBNPhKclNYDORoHkuKipoz7EtVnXO50A=", "narHash": "sha256-f99it92NQSZsrZ8AYbiwAUfrtb/ZpZRqUsl4q6rMA5s=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixos-generators", "repo": "nixos-generators",
"rev": "8946737ff703382fda7623b9fab071d037e897d5", "rev": "c8c3a20b8191819219dba1af79388aa6d555f634",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -415,11 +269,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1775490113, "lastModified": 1722332872,
"narHash": "sha256-2ZBhDNZZwYkRmefK5XLOusCJHnoeKkoN95hoSGgMxWM=", "narHash": "sha256-2xLM4sc5QBfi0U/AANJAW21Bj4ZX479MHPMPkB+eKBU=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "c775c2772ba56e906cbeb4e0b2db19079ef11ff7", "rev": "14c333162ba53c02853add87a0000cbd7aa230c2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -435,76 +289,30 @@
], ],
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ],
"search": "search"
}, },
"locked": { "locked": {
"lastModified": 1776036369, "lastModified": 1722894082,
"narHash": "sha256-TxBJY5IwDu3peDIK3b9+A7pwqBaFRCAIllaRSfYMQtI=", "narHash": "sha256-TEJNZ/8er454mMv+YyLjWpz3yTPuSi6Nq+Tg0N8E80M=",
"owner": "NuschtOS", "owner": "SuperSandro2000",
"repo": "nixos-modules", "repo": "nixos-modules",
"rev": "2bea807180b3931cf8765078205fd9171dbfd2b5", "rev": "b871b68e76b092dfbc6fad38a8ebea99893be498",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NuschtOS", "owner": "SuperSandro2000",
"repo": "nixos-modules", "repo": "nixos-modules",
"type": "github" "type": "github"
} }
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1764020296, "lastModified": 1722813957,
"narHash": "sha256-6zddwDs2n+n01l+1TG6PlyokDdXzu/oBmEejcH5L5+A=", "narHash": "sha256-IAoYyYnED7P8zrBFMnmp7ydaJfwTnwcnqxUElC1I26Y=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a320ce8e6e2cc6b4397eef214d202a50a4583829",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.11-small",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1774748309,
"narHash": "sha256-+U7gF3qxzwD5TZuANzZPeJTZRHS29OFQgkQ2kiTJBIQ=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "333c4e0545a6da976206c74db8773a1645b5870a",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1751274312,
"narHash": "sha256-/bVBlRpECLVzjV19t5KMdMFWSwKLtb5RyXdjz3LJT+g=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "50ab793786d9de88ee30ec4e4c24fb4236fc2674", "rev": "cb9a96f23c491c081b38eab96d22fa958043c9fa",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-24.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1775710090,
"narHash": "sha256-ar3rofg+awPB8QXDaFJhJ2jJhu+KqN/PRCXeyuXR76E=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "4c1018dae018162ec878d42fec712642d214fdfa",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -514,28 +322,59 @@
"type": "github" "type": "github"
} }
}, },
"nur": { "nixpkgs-lib": {
"locked": {
"lastModified": 1722555339,
"narHash": "sha256-uFf2QeW7eAHlYXuDktm9c25OxOyCoUOQmh5SZ9amE5Q=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1722869614,
"narHash": "sha256-7ojM1KSk3mzutD7SkrdSflHXEujPvW1u7QuqWoTLXQU=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "883180e6550c1723395a3a342f830bfc5c371f6b",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"poetry2nix": {
"inputs": { "inputs": {
"flake-parts": [ "flake-utils": [
"stylix", "system_tools",
"flake-parts" "flake-utils"
], ],
"nix-github-actions": "nix-github-actions",
"nixpkgs": [ "nixpkgs": [
"stylix", "system_tools",
"nixpkgs" "nixpkgs"
] ],
"systems": "systems",
"treefmt-nix": "treefmt-nix"
}, },
"locked": { "locked": {
"lastModified": 1775228139, "lastModified": 1723343306,
"narHash": "sha256-ebbeHmg+V7w8050bwQOuhmQHoLOEOfqKzM1KgCTexK4=", "narHash": "sha256-/6sRkPq7/5weX2y0V8sQ29Sz35nt8kyj+BsFtkhgbJE=",
"owner": "nix-community", "owner": "nix-community",
"repo": "NUR", "repo": "poetry2nix",
"rev": "601971b9c89e0304561977f2c28fa25e73aa7132", "rev": "4a1c112ff0c67f496573dc345bd0b2247818fc29",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"repo": "NUR", "repo": "poetry2nix",
"type": "github" "type": "github"
} }
}, },
@@ -547,14 +386,17 @@
"gitignore": "gitignore", "gitignore": "gitignore",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
],
"nixpkgs-stable": [
"nixpkgs-stable"
] ]
}, },
"locked": { "locked": {
"lastModified": 1775585728, "lastModified": 1722857853,
"narHash": "sha256-8Psjt+TWvE4thRKktJsXfR6PA/fWWsZ04DVaY6PUhr4=", "narHash": "sha256-3Zx53oz/MSIyevuWO/SumxABkrIvojnB7g9cimxkhiE=",
"owner": "cachix", "owner": "cachix",
"repo": "git-hooks.nix", "repo": "git-hooks.nix",
"rev": "580633fa3fe5fc0379905986543fd7495481913d", "rev": "06939f6b7ec4d4f465bf3132a05367cccbbf64da",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -565,24 +407,23 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"attic": "attic",
"firefox-addons": "firefox-addons", "firefox-addons": "firefox-addons",
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
"flake-parts": "flake-parts", "flake-parts": "flake-parts",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"home-manager": "home-manager", "home-manager": "home-manager",
"hydra": "hydra",
"hyprland-contrib": "hyprland-contrib", "hyprland-contrib": "hyprland-contrib",
"nix-index-database": "nix-index-database", "nix-index-database": "nix-index-database",
"nixos-cosmic": "nixos-cosmic",
"nixos-generators": "nixos-generators", "nixos-generators": "nixos-generators",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixos-modules": "nixos-modules", "nixos-modules": "nixos-modules",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs",
"nixpkgs-stable": "nixpkgs-stable", "nixpkgs-stable": "nixpkgs-stable",
"pre-commit-hooks": "pre-commit-hooks", "pre-commit-hooks": "pre-commit-hooks",
"rust-overlay": "rust-overlay", "rust-overlay": "rust-overlay",
"sops-nix": "sops-nix", "sops-nix": "sops-nix",
"stylix": "stylix", "system_tools": "system_tools",
"systems": "systems_2", "systems": "systems_2",
"wired-notify": "wired-notify" "wired-notify": "wired-notify"
} }
@@ -594,11 +435,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1776136407, "lastModified": 1722910815,
"narHash": "sha256-Cp8XrVLGruSDBTRs8L4LmvaEcd76tHHU9esLk7Ysa4E=", "narHash": "sha256-v6Vk/xlABhw2QzOa6xh3Jx/IvmlbKbOazFM+bDFQlWU=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "753568957a87312ed599cba5699e67126eded6c0", "rev": "7df2ac544c203d21b63aac23bfaec7f9b919a733",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -607,18 +448,46 @@
"type": "github" "type": "github"
} }
}, },
"search": {
"inputs": {
"flake-utils": [
"nixos-modules",
"flake-utils"
],
"nixpkgs": [
"nixos-modules",
"nixpkgs"
]
},
"locked": {
"lastModified": 1722493084,
"narHash": "sha256-ktjl908zZKWcGdMyz6kX1kHSg7LFFGPYBvTi9FgQleM=",
"owner": "nuschtos",
"repo": "search",
"rev": "3f5abffa5f28b4ac3c9212c81c5e8d2d22876071",
"type": "github"
},
"original": {
"owner": "nuschtos",
"repo": "search",
"type": "github"
}
},
"sops-nix": { "sops-nix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
],
"nixpkgs-stable": [
"nixpkgs-stable"
] ]
}, },
"locked": { "locked": {
"lastModified": 1776119890, "lastModified": 1722897572,
"narHash": "sha256-Zm6bxLNnEOYuS/SzrAGsYuXSwk3cbkRQZY0fJnk8a5M=", "narHash": "sha256-3m/iyyjCdRBF8xyehf59QlckIcmShyTesymSb+N4Ap4=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "d4971dd58c6627bfee52a1ad4237637c0a2fb0cd", "rev": "8ae477955dfd9cbf5fa4eb82a8db8ddbb94e79d9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -627,36 +496,27 @@
"type": "github" "type": "github"
} }
}, },
"stylix": { "system_tools": {
"inputs": { "inputs": {
"base16": "base16", "flake-utils": [
"base16-fish": "base16-fish", "flake-utils"
"base16-helix": "base16-helix", ],
"base16-vim": "base16-vim",
"firefox-gnome-theme": "firefox-gnome-theme",
"flake-parts": "flake-parts_2",
"gnome-shell": "gnome-shell",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"nur": "nur", "poetry2nix": "poetry2nix"
"systems": "systems",
"tinted-kitty": "tinted-kitty",
"tinted-schemes": "tinted-schemes",
"tinted-tmux": "tinted-tmux",
"tinted-zed": "tinted-zed"
}, },
"locked": { "locked": {
"lastModified": 1776128773, "lastModified": 1723392261,
"narHash": "sha256-aV7fNAdum23uirlIEgRNq+Tz0bn0+asbYqaA/pCV8No=", "narHash": "sha256-Csa4yuYWcB3aLf7VP14v+Mp0lRzOOCCt9BdmAeeQcYU=",
"owner": "danth", "owner": "RAD-Development",
"repo": "stylix", "repo": "system_tools",
"rev": "43e20cee100e5578eb8e709bec960e26ce653adf", "rev": "51bcc923b2b3cfb832b05687a01805c5a905b0c9",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "danth", "owner": "RAD-Development",
"repo": "stylix", "repo": "system_tools",
"type": "github" "type": "github"
} }
}, },
@@ -670,9 +530,8 @@
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-systems", "id": "systems",
"repo": "default", "type": "indirect"
"type": "github"
} }
}, },
"systems_2": { "systems_2": {
@@ -690,67 +549,25 @@
"type": "github" "type": "github"
} }
}, },
"tinted-kitty": { "treefmt-nix": {
"flake": false, "inputs": {
"nixpkgs": [
"system_tools",
"poetry2nix",
"nixpkgs"
]
},
"locked": { "locked": {
"lastModified": 1735730497, "lastModified": 1719749022,
"narHash": "sha256-4KtB+FiUzIeK/4aHCKce3V9HwRvYaxX+F1edUrfgzb8=", "narHash": "sha256-ddPKHcqaKCIFSFc/cvxS14goUhCOAwsM1PbMr0ZtHMg=",
"owner": "tinted-theming", "owner": "numtide",
"repo": "tinted-kitty", "repo": "treefmt-nix",
"rev": "de6f888497f2c6b2279361bfc790f164bfd0f3fa", "rev": "8df5ff62195d4e67e2264df0b7f5e8c9995fd0bd",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "tinted-theming", "owner": "numtide",
"repo": "tinted-kitty", "repo": "treefmt-nix",
"type": "github"
}
},
"tinted-schemes": {
"flake": false,
"locked": {
"lastModified": 1772661346,
"narHash": "sha256-4eu3LqB9tPqe0Vaqxd4wkZiBbthLbpb7llcoE/p5HT0=",
"owner": "tinted-theming",
"repo": "schemes",
"rev": "13b5b0c299982bb361039601e2d72587d6846294",
"type": "github"
},
"original": {
"owner": "tinted-theming",
"repo": "schemes",
"type": "github"
}
},
"tinted-tmux": {
"flake": false,
"locked": {
"lastModified": 1772934010,
"narHash": "sha256-x+6+4UvaG+RBRQ6UaX+o6DjEg28u4eqhVRM9kpgJGjQ=",
"owner": "tinted-theming",
"repo": "tinted-tmux",
"rev": "c3529673a5ab6e1b6830f618c45d9ce1bcdd829d",
"type": "github"
},
"original": {
"owner": "tinted-theming",
"repo": "tinted-tmux",
"type": "github"
}
},
"tinted-zed": {
"flake": false,
"locked": {
"lastModified": 1772909925,
"narHash": "sha256-jx/5+pgYR0noHa3hk2esin18VMbnPSvWPL5bBjfTIAU=",
"owner": "tinted-theming",
"repo": "base16-zed",
"rev": "b4d3a1b3bcbd090937ef609a0a3b37237af974df",
"type": "github"
},
"original": {
"owner": "tinted-theming",
"repo": "base16-zed",
"type": "github" "type": "github"
} }
}, },
@@ -767,11 +584,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1775531246, "lastModified": 1721535277,
"narHash": "sha256-sbVYa4TS2Q1pkSjs8CvHsPGYFM5w4d9od4ltzIGV/bA=", "narHash": "sha256-A6qIy2n3aomj5XooUmqz0s3G/A44Y3+GoFrGxIOolIM=",
"owner": "Toqozz", "owner": "Toqozz",
"repo": "wired-notify", "repo": "wired-notify",
"rev": "4fd4283803f198302af1a6a75b2225568004b343", "rev": "d079126c43f22179650f3d4c59f580c5993b9217",
"type": "github" "type": "github"
}, },
"original": { "original": {

flake.nix

@@ -1,47 +1,49 @@
{ {
description = "NixOS configuration for my machines"; description = "NixOS configuration for RAD-Development Servers";
nixConfig = { nixConfig = {
substituters = [ substituters = [
"https://cache.nixos.org/?priority=1&want-mass-query=true" "https://cache.nixos.org/?priority=1&want-mass-query=true"
"https://attic.alicehuston.xyz/cache-nix-dot?priority=4&want-mass-query=true"
"https://nix-community.cachix.org/?priority=10&want-mass-query=true" "https://nix-community.cachix.org/?priority=10&want-mass-query=true"
"https://attic.nayeonie.com/nix-cache"
"https://cosmic.cachix.org/"
]; ];
trusted-substituters = [ trusted-substituters = [
"https://cache.nixos.org" "https://cache.nixos.org"
"https://attic.alicehuston.xyz/cache-nix-dot"
"https://nix-community.cachix.org" "https://nix-community.cachix.org"
"https://attic.nayeonie.com/nix-cache"
"https://cosmic.cachix.org/"
]; ];
trusted-public-keys = [ trusted-public-keys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"cache.alicehuston.xyz:SJAm8HJVTWUjwcTTLAoi/5E1gUOJ0GWum2suPPv7CUo=%"
"cache-nix-dot:Od9KN34LXc6Lu7y1ozzV1kIXZa8coClozgth/SYE7dU="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"nix-cache:grGRsHhqNDhkEuTODvHJXYmoCClntC+U8XAJQzwMaZM="
"cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE="
]; ];
trusted-users = [ "root" ]; trusted-users = [ "root" ];
allow-import-from-derivation = true;
fallback = true;
}; };
inputs = { inputs = {
# flake inputs with no explicit deps (in alphabetic order)
flake-compat.url = "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"; flake-compat.url = "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz";
flake-parts.url = "github:hercules-ci/flake-parts"; flake-parts.url = "github:hercules-ci/flake-parts";
nixos-hardware.url = "github:NixOS/nixos-hardware"; nixos-hardware.url = "github:NixOS/nixos-hardware";
#nixpkgs.url = "github:nuschtos/nuschtpkgs/nixos-unstable";
#nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small";
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
#nixpkgs.url = "github:nixos/nixpkgs/1d2fe0135f360c970aee1d57a53f816f3c9bddae?narHash=sha256-Up7YlXIupmT7fEtC4Oj676M91INg0HAoamiswAsA3rc%3D"; nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.05";
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11";
systems.url = "github:nix-systems/default"; systems.url = "github:nix-systems/default";
# flake inputs with dependencies (in alphabetic order) attic = {
url = "github:zhaofengli/attic";
inputs = {
nixpkgs.follows = "nixpkgs";
nixpkgs-stable.follows = "nixpkgs-stable";
flake-compat.follows = "flake-compat";
flake-utils.follows = "flake-utils";
};
};
firefox-addons = { firefox-addons = {
url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons"; url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
inputs = { inputs = {
nixpkgs.follows = "nixpkgs"; nixpkgs.follows = "nixpkgs";
flake-utils.follows = "flake-utils";
}; };
}; };
@@ -55,48 +57,23 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
hydra = {
url = "git+https://nayeonie.com/ahuston-0/hydra?ref=add-gitea-pulls";
inputs = {
#nixpkgs.follows = "nixpkgs";
};
};
hyprland-contrib = { hyprland-contrib = {
url = "github:hyprwm/contrib"; url = "github:hyprwm/contrib";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
#lix-module = {
# url = "git+https://git.lix.systems/lix-project/nixos-module?ref=stable";
# inputs = {
# nixpkgs.follows = "nixpkgs";
# flake-utils.follows = "flake-utils";
# };
#};
nix-index-database = { nix-index-database = {
url = "github:Mic92/nix-index-database"; url = "github:Mic92/nix-index-database";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
nixos-cosmic = {
url = "github:lilyinstarlight/nixos-cosmic";
inputs = {
flake-compat.follows = "flake-compat";
nixpkgs.follows = "nixpkgs";
nixpkgs-stable.follows = "nixpkgs-stable";
rust-overlay.follows = "rust-overlay";
};
};
nixos-generators = { nixos-generators = {
url = "github:nix-community/nixos-generators"; url = "github:nix-community/nixos-generators";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
nixos-modules = { nixos-modules = {
url = "github:NuschtOS/nixos-modules"; url = "github:SuperSandro2000/nixos-modules";
inputs = { inputs = {
nixpkgs.follows = "nixpkgs"; nixpkgs.follows = "nixpkgs";
flake-utils.follows = "flake-utils"; flake-utils.follows = "flake-utils";
@@ -107,6 +84,7 @@
url = "github:cachix/git-hooks.nix"; url = "github:cachix/git-hooks.nix";
inputs = { inputs = {
nixpkgs.follows = "nixpkgs"; nixpkgs.follows = "nixpkgs";
nixpkgs-stable.follows = "nixpkgs-stable";
flake-compat.follows = "flake-compat"; flake-compat.follows = "flake-compat";
}; };
}; };
@@ -122,13 +100,15 @@
url = "github:Mic92/sops-nix"; url = "github:Mic92/sops-nix";
inputs = { inputs = {
nixpkgs.follows = "nixpkgs"; nixpkgs.follows = "nixpkgs";
nixpkgs-stable.follows = "nixpkgs-stable";
}; };
}; };
stylix = { system_tools = {
url = "github:danth/stylix"; url = "github:RAD-Development/system_tools";
inputs = { inputs = {
nixpkgs.follows = "nixpkgs"; nixpkgs.follows = "nixpkgs";
flake-utils.follows = "flake-utils";
}; };
}; };
@@ -148,7 +128,7 @@
systems = [ systems = [
"x86_64-linux" "x86_64-linux"
# disable arm for now as hydra isn't set up for it # disable arm for now as hydra isn't set up for it
# "aarch64-linuxa # "aarch64-linux"
]; ];
forEachSystem = lib.genAttrs systems; forEachSystem = lib.genAttrs systems;
@@ -164,51 +144,23 @@
lib = self; lib = self;
} }
); );
inherit (lib.adev.systems) genSystems getImages; inherit (lib.rad-dev.systems) genSystems getImages;
inherit (self) outputs; # for hydra inherit (self) outputs; # for hydra
in in
rec { rec {
inherit lib; # for allowing use of custom functions in nix repl inherit lib; # for allowing use of custom functions in nix repl
hydraJobs = import ./hydra/jobs.nix { inherit inputs outputs systems; }; hydraJobs = import ./hydra/jobs.nix { inherit inputs outputs systems; };
formatter = forEachSystem (system: nixpkgs.legacyPackages.${system}.nixfmt); formatter = forEachSystem (system: nixpkgs.legacyPackages.${system}.nixfmt-rfc-style);
nixosConfigurations = genSystems inputs outputs src (src + "/systems"); nixosConfigurations = genSystems inputs src (src + "/systems");
homeConfigurations = {
"alice" = inputs.home-manager.lib.homeManagerConfiguration {
pkgs = import nixpkgs { system = "x86_64-linux"; };
modules = [
inputs.stylix.homeModules.stylix
inputs.sops-nix.homeManagerModules.sops
inputs.nix-index-database.homeModules.nix-index
{
nixpkgs.config = {
allowUnfree = true;
allowUnfreePredicate = _: true;
};
}
./users/alice/home.nix
];
extraSpecialArgs = {
inherit inputs outputs;
machineConfig = {
server = false;
};
};
};
};
images = { images = {
install-iso = getImages nixosConfigurations "install-iso"; install-iso = getImages nixosConfigurations "install-iso";
iso = getImages nixosConfigurations "iso"; iso = getImages nixosConfigurations "iso";
qcow = getImages nixosConfigurations "qcow"; qcow = getImages nixosConfigurations "qcow";
}; };
packages.x86_64-linux.lego-latest =
nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/lego-latest/default.nix
{ };
checks = import ./checks.nix { inherit inputs forEachSystem formatter; }; checks = import ./checks.nix { inherit inputs forEachSystem formatter; };
devShells = import ./shell.nix { inherit inputs forEachSystem checks; }; devShells = import ./shell.nix { inherit inputs forEachSystem checks; };
}; };
} }
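Review bot: The new-side `nixConfig` block in the first hunk has no comment saying that its `substituters` and `trusted-public-keys` only apply when a client accepts the flake's configuration, which the auto-upgrade module later in this diff does unattended via `--accept-flake-config`; every key listed here is therefore a signing authority for binaries installed on all hosts. Suggest a header comment such as `# Applied on hosts that run with --accept-flake-config: a key added here is trusted fleet-wide, so review additions like a new trusted-user.` The list also duplicates the one in modules/nix.nix in this commit; if they drift apart the flake copy wins on accepting clients, so note which copy is authoritative.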


@@ -8,7 +8,7 @@ let
pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux;
getCfg = _: cfg: cfg.config.system.build.toplevel; getCfg = _: cfg: cfg.config.system.build.toplevel;
getHome = _: cfg: cfg.config.home.activationPackage; hostToAgg = _: cfg: cfg;
# get per-system check derivation (with optional postfix) # get per-system check derivation (with optional postfix)
mapSystems = mapSystems =
@@ -22,7 +22,11 @@ rec {
inherit (outputs) formatter devShells checks; inherit (outputs) formatter devShells checks;
host = lib.mapAttrs getCfg outputs.nixosConfigurations; host = lib.mapAttrs getCfg outputs.nixosConfigurations;
home = lib.mapAttrs getHome outputs.homeConfigurations; # homeConfigurations.alice.config.home.activationPackage
hosts = pkgs.releaseTools.aggregate {
name = "hosts";
constituents = lib.mapAttrsToList hostToAgg host;
};
devChecks = pkgs.releaseTools.aggregate { devChecks = pkgs.releaseTools.aggregate {
name = "devChecks"; name = "devChecks";
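Review bot: `hostToAgg = _: cfg: cfg;` in the first hunk is an identity function, so `constituents = lib.mapAttrsToList hostToAgg host;` in the second hunk is just `constituents = lib.attrValues host;`; the helper adds a name without adding meaning. The bare comment `# homeConfigurations.alice.config.home.activationPackage` that stands where the `home` attribute used to be reads as leftover scratch text; either say why home configurations are excluded from the jobs set or drop it. The enclosing `let` and attribute set begin and end outside these hunks.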


@@ -18,7 +18,8 @@ let
}; };
prs = readJSONFile pulls; prs = readJSONFile pulls;
#refs = readJSONFile branches; refs = readJSONFile branches;
repo = "RAD-Development/nix-dotfiles";
# template for creating a job # template for creating a job
makeJob = makeJob =
@@ -27,7 +28,6 @@ let
keepnr ? 3, keepnr ? 3,
description, description,
flake, flake,
enabled ? 1,
}: }:
{ {
inherit inherit
@@ -35,8 +35,8 @@ let
flake flake
schedulingshares schedulingshares
keepnr keepnr
enabled
; ;
enabled = 1;
type = 1; type = 1;
hidden = false; hidden = false;
checkinterval = 300; # every 5 minutes checkinterval = 300; # every 5 minutes
@@ -44,30 +44,27 @@ let
emailoverride = ""; emailoverride = "";
}; };
giteaHost = "ssh://gitea@nayeonie.com:2222"; # Create a hydra job for a branch
repo = "ahuston-0/nix-dotfiles"; jobOfRef =
# # Create a hydra job for a branch name:
#jobOfRef = { ref, ... }:
# name: if ((builtins.match "^refs/heads/(.*)$" ref) == null) then
# { ref, ... }: null
# if ((builtins.match "^refs/heads/(.*)$" ref) == null) then else
# null {
# else name = builtins.replaceStrings [ "/" ] [ "-" ] "branch-${name}";
# { value = makeJob {
# name = builtins.replaceStrings [ "/" ] [ "-" ] "branch-${name}"; description = "Branch ${name}";
# value = makeJob { flake = "git+ssh://git@github.com/${repo}?ref=${ref}";
# description = "Branch ${name}"; };
# flake = "git+${giteaHost}/${repo}?ref=${ref}"; };
# };
# };
# Create a hydra job for a PR # Create a hydra job for a PR
jobOfPR = id: info: { jobOfPR = id: info: {
name = if info.draft then "draft-${id}" else "pr-${id}"; name = if info.draft then "draft-${id}" else "pr-${id}";
value = makeJob { value = makeJob {
description = "PR ${id}: ${info.title}"; description = "PR ${id}: ${info.title}";
flake = "git+${giteaHost}/${repo}?ref=${info.head.ref}"; flake = "git+ssh://git@github.com/${info.head.repo.full_name}?ref=${info.head.ref}";
enabled = info.state == "open";
}; };
}; };
@@ -77,12 +74,12 @@ let
# wrapper function for reading json from file # wrapper function for reading json from file
readJSONFile = f: builtins.fromJSON (builtins.readFile f); readJSONFile = f: builtins.fromJSON (builtins.readFile f);
# remove null values from a set, in-case of branches that don't exist # remove null values from a set, in-case of branches that don't exist
#mapFilter = f: l: builtins.filter (x: (x != null)) (map f l); mapFilter = f: l: builtins.filter (x: (x != null)) (map f l);
# Create job set from PRs and branches # Create job set from PRs and branches
jobs = makeSpec ( jobs = makeSpec (
builtins.listToAttrs (map ({ name, value }: jobOfPR name value) (attrsToList prs)) builtins.listToAttrs (map ({ name, value }: jobOfPR name value) (attrsToList prs))
#// builtins.listToAttrs (mapFilter ({ name, value }: jobOfRef name value) (attrsToList refs)) // builtins.listToAttrs (mapFilter ({ name, value }: jobOfRef name value) (attrsToList refs))
); );
in in
{ {
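Review bot: In the `jobOfPR` hunk the flake for a pull request is built from `info.head.repo.full_name`, so a PR opened from a fork makes Hydra evaluate and build that fork's Nix code rather than anything under `repo`, which turns "open a PR" into evaluation of untrusted expressions on the build infrastructure. If fork PRs are not meant to be built, have `jobOfPR` return `null` when `info.head.repo.full_name != repo` and route it through the `mapFilter` helper this hunk defines, the same way `jobOfRef` is already filtered; if fork heads are intentionally trusted, a comment stating that would document the decision. `makeJob` and the surrounding `let` continue outside the hunk.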


@@ -1,7 +1,7 @@
{ {
"enabled": 1, "enabled": 1,
"hidden": false, "hidden": false,
"description": "ahuston-0's personal server infra", "description": "RAD Development infrastructure",
"nixexprinput": "nixexpr", "nixexprinput": "nixexpr",
"nixexprpath": "hydra/jobsets.nix", "nixexprpath": "hydra/jobsets.nix",
"checkinterval": 60, "checkinterval": 60,
@@ -12,7 +12,7 @@
"type": 0, "type": 0,
"inputs": { "inputs": {
"nixexpr": { "nixexpr": {
"value": "ssh://gitea@nayeonie.com:2222/ahuston-0/nix-dotfiles.git main", "value": "https://github.com/RAD-Development/nix-dotfiles main",
"type": "git", "type": "git",
"emailresponsible": false "emailresponsible": false
}, },
@@ -22,13 +22,13 @@
"emailresponsible": false "emailresponsible": false
}, },
"pulls": { "pulls": {
"type": "giteapulls", "type": "githubpulls",
"value": "nayeonie.com ahuston-0 nix-dotfiles https", "value": "RAD-Development nix-dotfiles",
"emailresponsible": false "emailresponsible": false
}, },
"branches": { "branches": {
"type": "gitea_refs", "type": "github_refs",
"value": "nayeonie.com ahuston-0 nix-dotfiles heads https -", "value": "RAD-Development nix-dotfiles heads -",
"emailresponsible": false "emailresponsible": false
} }
} }

67
keys/richie.asc Normal file

@@ -0,0 +1,67 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=in5n
-----END PGP PUBLIC KEY BLOCK-----
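Review bot: The new key file arrives without a fingerprint, owner or intended use recorded anywhere in the commit, so the addition cannot be checked against an out-of-band channel during review. Record the fingerprint, and what the key is for (presumably a sops recipient, given the sops mergetool in this repo), in the commit message or next to the keys directory; the armored block itself is not reviewable by eye.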


@@ -1,43 +0,0 @@
{ lib, ... }:
{
# Given a attrset of images and a function which generates an image spec,
# generates a set of containers (although this could in theory be used for
# other things... I'd like to see people try)
#
# container set must be in the below format
# { container-name = {image = "image-uri"; scale = n;}; }
# where image-uri gets passed in to the container-spec function as a custom
# parameter, and scale is an integer that generates the containers
#
# container-spec must be a function which accepts two parameter (the
# container name and image name) and ideally returns an oci-compliant
# container.
#
# args:
# containers: an AttrSet which specifies the imageUri and scale of each
# container
# container-spec: a function which produces an oci-compliant container spec
#
# type:
# AttrSet -> (String -> AttrSet -> AttrSet) -> AttrSet
createTemplatedContainers =
containers: container-spec:
builtins.listToAttrs (
lib.flatten (
lib.mapAttrsToList (
name: value:
(map (
num:
let
container-name = "${name}-${toString num}";
in
{
name = container-name;
value = container-spec container-name value.image;
}
) (lib.lists.range 1 value.scale))
) containers
)
);
}


@@ -1,9 +1,8 @@
{ lib, ... }: { lib, ... }:
{ {
# create adev namespace for lib # create rad-dev namespace for lib
adev = rec { rad-dev = rec {
systems = import ./systems.nix { inherit lib; }; systems = import ./systems.nix { inherit lib; };
container-utils = import ./container-utils.nix { inherit lib; };
# any(), but checks if any value in the list is true # any(), but checks if any value in the list is true
# #
@@ -57,21 +56,5 @@
# type: # type:
# fileList :: Path -> String -> [Path] # fileList :: Path -> String -> [Path]
fileList = dir: map (file: dir + "/${file}") (ls dir); fileList = dir: map (file: dir + "/${file}") (ls dir);
# reduce an attribute set to a string
#
# example:
# given attrset {host1 = "palatine-hill"; host2 = "jeeves";}
# and func (host: hostname: host + " is " + hostname + ", " )
# mapAttrsToString would return 'host1 is palatine-hill, host2 is jeeves, '
#
# args:
# func: an function to apply to attrSet to turn each entry into one string
# attrSet: an attribute set to reduce
#
# type:
# mapAttrsToString :: AttrSet -> (String -> Any -> String) -> String
mapAttrsToString =
func: attrSet: (lib.foldl' (cur: next: cur + next) "" (lib.mapAttrsToList func attrSet));
}; };
} }


@@ -149,40 +149,32 @@ rec {
configPath, configPath,
hostname, hostname,
inputs, inputs,
outputs,
src, src,
users, users,
home ? true, home ? true,
modules ? [ ], modules ? [ ],
server ? true, server ? true,
sops ? true, sops ? true,
lix ? false,
system ? "x86_64-linux", system ? "x86_64-linux",
}@args: }@args:
lib.nixosSystem { lib.nixosSystem {
inherit system; inherit system;
specialArgs = { specialArgs = {
inherit inherit inputs server system;
inputs
outputs
server
system
;
}; };
modules = [ modules =
inputs.nixos-modules.nixosModule [
inputs.nix-index-database.nixosModules.nix-index inputs.nixos-modules.nixosModule
(genHostName hostname) (genHostName hostname)
(configPath + "/hardware.nix") (configPath + "/hardware.nix")
(configPath + "/configuration.nix") (configPath + "/configuration.nix")
] ]
++ modules ++ modules
++ (lib.adev.fileList (src + "/modules")) ++ (lib.rad-dev.fileList (src + "/modules"))
++ genWrapper sops genSops args ++ genWrapper sops genSops args
++ genWrapper home genHome args ++ genWrapper home genHome args
++ genWrapper true genUsers args ++ genWrapper true genUsers args
#++ genWrapper lix ({ ... }: [ inputs.lix-module.nixosModules.default ]) args ++ genWrapper (system != "x86_64-linux") genNonX86 args;
++ genWrapper (system != "x86_64-linux") genNonX86 args;
}; };
# a convenience function for automatically generating NixOS systems by reading a directory via constructSystem # a convenience function for automatically generating NixOS systems by reading a directory via constructSystem
@@ -202,7 +194,7 @@ rec {
# type: # type:
# genSystems :: AttrSet -> Path -> Path -> AttrSet # genSystems :: AttrSet -> Path -> Path -> AttrSet
genSystems = genSystems =
inputs: outputs: src: path: inputs: src: path:
builtins.listToAttrs ( builtins.listToAttrs (
map ( map (
name: name:
@@ -213,18 +205,13 @@ rec {
inherit name; inherit name;
value = constructSystem ( value = constructSystem (
{ {
inherit inherit inputs src configPath;
inputs
outputs
src
configPath
;
hostname = name; hostname = name;
} }
// import configPath { inherit inputs; } // import configPath { inherit inputs; }
); );
} }
) (lib.adev.lsdir path) ) (lib.rad-dev.lsdir path)
); );
# gets all the images of a specified format # gets all the images of a specified format


@@ -59,12 +59,11 @@ in
repos = lib.filterAttrs (_: { enable, ... }: enable) cfg.repo; repos = lib.filterAttrs (_: { enable, ... }: enable) cfg.repo;
in in
lib.mkIf cfg.enable { lib.mkIf cfg.enable {
environment.systemPackages = [ environment.systemPackages =
pkgs.git [ pkgs.git ]
] ++ lib.optionals (lib.any (ssh-key: ssh-key != "") (lib.rad-dev.mapGetAttr "ssh-key" repos)) [
++ lib.optionals (lib.any (ssh-key: ssh-key != "") (lib.adev.mapGetAttr "ssh-key" repos)) [ pkgs.openssh
pkgs.openssh ];
];
systemd.services = lib.mapAttrs' ( systemd.services = lib.mapAttrs' (
_: _:


@@ -1,7 +1,6 @@
{ {
lib, lib,
inputs, inputs,
outputs,
server, server,
system, system,
... ...
@@ -15,7 +14,7 @@
programs = { programs = {
zsh.enable = true; zsh.enable = true;
fish.enable = false; fish.enable = true;
}; };
users = { users = {
@@ -27,12 +26,10 @@
useUserPackages = true; useUserPackages = true;
sharedModules = [ inputs.sops-nix.homeManagerModules.sops ]; sharedModules = [ inputs.sops-nix.homeManagerModules.sops ];
extraSpecialArgs = { extraSpecialArgs = {
inherit inputs outputs; inherit inputs;
machineConfig = { machineConfig = {
inherit server system; inherit server system;
}; };
}; };
}; };
networking.firewall.enable = lib.mkDefault true;
} }


@@ -2,7 +2,6 @@
config, config,
lib, lib,
libS, libS,
pkgs,
... ...
}: }:
@@ -35,11 +34,11 @@ in
config.boot = lib.mkIf cfg.default { config.boot = lib.mkIf cfg.default {
supportedFilesystems = [ cfg.filesystem ]; supportedFilesystems = [ cfg.filesystem ];
tmp.useTmpfs = true; tmp.useTmpfs = true;
kernelParams = [ kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
"nordrand" kernelParams =
] [ "nordrand" ]
++ lib.optional (cfg.cpuType == "amd") "kvm-amd" ++ lib.optional (cfg.cpuType == "amd") "kvm-amd"
++ lib.optional cfg.fullDiskEncryption "ip=<ip-addr>::<ip-gateway>:<netmask>"; ++ lib.optional cfg.fullDiskEncryption "ip=<ip-addr>::<ip-gateway>:<netmask>";
initrd = { initrd = {
kernelModules = lib.mkIf cfg.amdGPU [ "amdgpu" ]; kernelModules = lib.mkIf cfg.amdGPU [ "amdgpu" ];
network = lib.mkIf cfg.fullDiskEncryption { network = lib.mkIf cfg.fullDiskEncryption {
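Review bot: `kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;` is applied whenever `cfg.default` holds, while the line above selects the filesystem from `cfg.filesystem`, so a non-ZFS host still gets its kernel chosen by the ZFS package; guard it on the filesystem, e.g. `kernelPackages = lib.mkIf (cfg.filesystem == "zfs") config.boot.zfs.package.latestCompatibleLinuxPackages;`. The `latestCompatibleLinuxPackages` attribute is also one that recent nixpkgs releases have deprecated in favour of pinning an explicit kernel series, so confirm it still exists in the nixpkgs this commit locks. The `config.boot` block continues outside the hunk.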


@@ -7,13 +7,8 @@
extraGroups = [ "docker" ]; extraGroups = [ "docker" ];
uid = 600; uid = 600;
}; };
groups = { groups.docker-service = {
docker-service = { gid = 600;
gid = 600;
};
haproxy = {
gid = 99;
};
}; };
}; };


@@ -1,5 +0,0 @@
{ lib, ... }:
{
services.fwupd.enable = lib.mkDefault true;
}


@@ -1,12 +1,12 @@
{ lib, config, ... }: { lib, config, ... }:
let let
cfg = config.services.adev.k3s-net; cfg = config.services.rad-dev.k3s-net;
in in
{ {
options = { options = {
services.adev.k3s-net = { services.rad-dev.k3s-net = {
enable = lib.mkOption { enable = lib.mkOption {
default = false; default = true;
example = true; example = true;
description = "Whether to enable k3s-net."; description = "Whether to enable k3s-net.";
type = lib.types.bool; type = lib.types.bool;
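Review bot: `default = true;` on `services.rad-dev.k3s-net.enable` turns the module on for every host, and lib/systems.nix in this commit imports every file under modules/ into each system, so k3s networking becomes opt-out rather than opt-in fleet-wide. Unless every machine is a cluster node, `default = false;` with the existing `example = true;` keeps the default surface minimal and makes cluster membership explicit in each host's configuration. What the module configures when enabled lies outside the hunk, so the impact of the default cannot be judged from here.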


@@ -1,78 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
options = {
services.kubernetes = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Whether to enable Kubernetes services";
};
version = lib.mkOption {
type = lib.types.str;
default = "1.28.0";
description = "Kubernetes version to use";
};
clusterName = lib.mkOption {
type = lib.types.str;
default = "palatine-hill-cluster";
description = "Name of the Kubernetes cluster";
};
controlPlaneEndpoint = lib.mkOption {
type = lib.types.str;
default = "localhost:6443";
description = "Control plane endpoint";
};
networking = lib.mkOption {
type = lib.types.attrs;
default = { };
description = "Kubernetes networking configuration";
};
};
};
config = lib.mkIf config.services.kubernetes.enable {
environment.systemPackages = with pkgs; [
kubectl
kubernetes
];
## Enable containerd for Kubernetes
#virtualisation.containerd.enable = true;
## Enable kubelet
#services.kubelet = {
# enable = true;
# extraFlags = {
# "pod-infra-container-image" = "registry.k8s.io/pause:3.9";
# };
#};
## Enable kubeadm for cluster initialization
#environment.etc."kubeadm.yaml".text = ''
# apiVersion: kubeadm.k8s.io/v1beta3
# kind: InitConfiguration
# localAPIEndpoint:
# advertiseAddress: 127.0.0.1
# bindPort: 6443
# ---
# apiVersion: kubeadm.k8s.io/v1beta3
# kind: ClusterConfiguration
# clusterName: ${config.services.kubernetes.clusterName}
# controlPlaneEndpoint: ${config.services.kubernetes.controlPlaneEndpoint}
# networking:
# serviceSubnet: 10.96.0.0/12
# podSubnet: 10.244.0.0/16
# dnsDomain: cluster.local
#'';
};
}


@@ -4,9 +4,8 @@
console.keyMap = lib.mkDefault "us"; console.keyMap = lib.mkDefault "us";
i18n = { i18n = {
defaultLocale = lib.mkDefault "en_US.UTF-8"; defaultLocale = lib.mkDefault "en_US.utf8";
defaultCharset = "UTF-8"; supportedLocales = lib.mkDefault [ "en_US.UTF-8/UTF-8" ];
#extraLocales = lib.mkDefault [ "en_US.UTF-8/UTF-8" ];
extraLocaleSettings = lib.mkDefault { extraLocaleSettings = lib.mkDefault {
LC_ADDRESS = "en_US.UTF-8"; LC_ADDRESS = "en_US.UTF-8";
LC_IDENTIFICATION = "en_US.UTF-8"; LC_IDENTIFICATION = "en_US.UTF-8";


@@ -1,30 +1,31 @@
{ lib, pkgs, ... }: { lib, pkgs, ... }:
{ {
nix = { nix = {
#package = pkgs.nixVersions.latest; package = pkgs.nixVersions.latest;
diffSystem = true; diffSystem = true;
settings = { settings = {
experimental-features = [ experimental-features = [
"nix-command" "nix-command"
"flakes" "flakes"
"blake3-hashes"
"git-hashing"
"verified-fetches"
]; ];
keep-outputs = true; keep-outputs = true;
builders-use-substitutes = true; builders-use-substitutes = true;
connect-timeout = 20; connect-timeout = 20;
substituters = [ substituters = [
"https://cache.nixos.org/?priority=1&want-mass-query=true" "https://cache.nixos.org/?priority=1&want-mass-query=true"
"https://attic.alicehuston.xyz/cache-nix-dot?priority=4&want-mass-query=true"
"https://nix-community.cachix.org/?priority=10&want-mass-query=true" "https://nix-community.cachix.org/?priority=10&want-mass-query=true"
]; ];
trusted-substituters = [ trusted-substituters = [
"https://cache.nixos.org" "https://cache.nixos.org"
"https://attic.alicehuston.xyz/cache-nix-dot"
"https://nix-community.cachix.org" "https://nix-community.cachix.org"
]; ];
trusted-public-keys = [ trusted-public-keys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"cache.alicehuston.xyz:SJAm8HJVTWUjwcTTLAoi/5E1gUOJ0GWum2suPPv7CUo=%"
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"cache-nix-dot:Od9KN34LXc6Lu7y1ozzV1kIXZa8coClozgth/SYE7dU="
]; ];
trusted-users = [ trusted-users = [
"root" "root"


@@ -2,7 +2,6 @@
{ {
services.openssh = { services.openssh = {
enable = lib.mkDefault true; enable = lib.mkDefault true;
openFirewall = lib.mkDefault true;
fixPermissions = true; fixPermissions = true;
extraConfig = "StreamLocalBindUnlink yes"; extraConfig = "StreamLocalBindUnlink yes";


@@ -3,7 +3,7 @@
{ {
services.locate = { services.locate = {
enable = lib.mkDefault true; enable = lib.mkDefault true;
# localuser = lib.mkDefault null; localuser = lib.mkDefault null;
package = lib.mkDefault pkgs.plocate; package = lib.mkDefault pkgs.plocate;
}; };
} }

7
modules/programs.nix Normal file

@@ -0,0 +1,7 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
git
python312
];
}


@@ -4,7 +4,7 @@
enable = lib.mkDefault true; enable = lib.mkDefault true;
repo.dotfiles = { repo.dotfiles = {
enable = lib.mkDefault true; enable = lib.mkDefault true;
ssh-key = lib.mkDefault "/root/.ssh/id_ed25519_giteadeploy"; ssh-key = lib.mkDefault "/root/.ssh/id_ed25519_ghdeploy";
path = lib.mkDefault /root/dotfiles; path = lib.mkDefault /root/dotfiles;
}; };
}; };
@@ -14,21 +14,6 @@
flags = [ "--accept-flake-config" ]; flags = [ "--accept-flake-config" ];
randomizedDelaySec = "1h"; randomizedDelaySec = "1h";
persistent = true; persistent = true;
flake = "git+ssh://nayeonie.com/ahuston-0/nix-dotfiles.git"; flake = "github:RAD-Development/nix-dotfiles";
};
services.nix-verify = {
daily = {
enable = true;
verify-contents = false;
verify-trust = false;
};
weekly = {
enable = true;
verify-contents = true;
verify-trust = false;
frequency = "1week";
randomized-delay-sec = "6hour";
};
}; };
} }
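Review bot: `flake = "github:RAD-Development/nix-dotfiles";` names no branch or revision, so the root-run upgrade follows the repository's default branch, and together with the unchanged `flags = [ "--accept-flake-config" ];` a few lines above in the same hunk it also adopts whatever `nixConfig` (substituters, trusted public keys) that branch declares; push access to the repo is then equivalent to the ability to install arbitrary binaries on every host. Pin at least the branch, `flake = "github:RAD-Development/nix-dotfiles/main";`, and since modules/nix.nix in this commit already configures the same caches and keys system-wide, consider dropping `--accept-flake-config` so a repository change cannot silently add a new trust root. The enclosing attribute set starts outside the hunk.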


@@ -1,11 +0,0 @@
{
...
}:
{
users.groups = {
users = {
gid = 100;
};
};
}


@@ -1,110 +0,0 @@
{
config,
lib,
...
}:
let
cfg = config.services.nix-verify;
verify-type =
with lib.types;
attrsOf (
submodule (
{ name, ... }:
{
options = {
enable = lib.mkEnableOption "verify status of nix store";
service-name = lib.mkOption {
type = lib.types.str;
description = "the name of the systemd service. ${name} by default";
default = name;
};
verify-contents = lib.mkEnableOption "verify contents of nix store";
verify-trust = lib.mkEnableOption "verify if each path is trusted";
signatures-needed = lib.mkOption {
type = lib.types.int;
description = "number of signatures needed when verifying trust. Not needed if verify-trust is disabled or not set.";
default = -1;
};
frequency = lib.mkOption {
type = lib.types.str;
description = "systemd-timer compatible time between pulls";
default = "1day";
};
randomized-delay-sec = lib.mkOption {
type = lib.types.str;
description = "systemd-timer compatible time randomized delay";
default = "0";
};
};
}
)
);
in
{
options = {
services.nix-verify = lib.mkOption {
type = verify-type;
default = { };
};
};
config =
let
verifiers = lib.filterAttrs (_: { enable, ... }: enable) cfg;
in
{
systemd.services = lib.mapAttrs' (
_:
{
service-name,
verify-contents,
verify-trust,
signatures-needed,
...
}:
lib.nameValuePair "nix-verifiers@${service-name}" {
requires = [ "multi-user.target" ];
after = [ "multi-user.target" ];
description =
"Verify nix store (verify-contents: ${lib.boolToString verify-contents}, verify-trust: "
+ "${lib.boolToString verify-trust}, signatures-needed: ${builtins.toString signatures-needed})";
serviceConfig = {
Type = "oneshot";
User = "root";
ExecStart =
"${config.nix.package}/bin/nix store verify --all "
+ lib.optionalString (!verify-contents) "--no-contents "
+ lib.optionalString (!verify-trust) "--no-trust "
+ lib.optionalString (signatures-needed >= 0) "--sigs-needed ${signatures-needed}";
};
}
) verifiers;
systemd.timers = lib.mapAttrs' (
_:
{
service-name,
frequency,
randomized-delay-sec,
...
}:
lib.nameValuePair "nix-verifiers@${service-name}" {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = frequency;
OnUnitActiveSec = frequency;
RandomizedDelaySec = randomized-delay-sec;
Unit = "nix-verifiers@${service-name}.service";
};
}
) verifiers;
};
}


@@ -5,11 +5,11 @@
... ...
}: }:
let let
cfg = config.services.adev.yubikey; cfg = config.services.rad-dev.yubikey;
in in
{ {
options = { options = {
services.adev.yubikey = { services.rad-dev.yubikey = {
enable = lib.mkEnableOption "enable yubikey defaults"; enable = lib.mkEnableOption "enable yubikey defaults";
enable-desktop-app = lib.mkEnableOption "installs desktop application"; enable-desktop-app = lib.mkEnableOption "installs desktop application";
}; };


@@ -1,70 +0,0 @@
# source: https://github.com/kylesferrazza/nix/blob/288edcd1d34884b9b7083c6d718fbe10febe0623/overlay/bitwarden-rofi.nix
# TODO https://github.com/mattydebie/bitwarden-rofi/issues/34
{
stdenv,
lib,
fetchFromGitHub,
makeWrapper,
unixtools,
xsel,
xclip,
wl-clipboard,
xdotool,
ydotool,
bitwarden-cli,
rofi,
jq,
keyutils,
libnotify,
}:
let
bins = [
jq
bitwarden-cli
unixtools.getopt
rofi
xsel
xclip
wl-clipboard
xdotool
ydotool
keyutils
libnotify
];
in
stdenv.mkDerivation {
pname = "bitwarden-rofi";
version = "git-2024-08-22";
src = fetchFromGitHub {
owner = "mattydebie";
repo = "bitwarden-rofi";
rev = "8be76fdd647c2bdee064e52603331d8e6ed5e8e2";
sha256 = "1h5d21kv8g5g725chn3n0i1frvmsrk3pm67lfxqcg50kympg0wwd";
};
buildInputs = [ makeWrapper ];
installPhase = ''
mkdir -p "$out/bin"
install -Dm755 "bwmenu" "$out/bin/bwmenu"
install -Dm755 "lib-bwmenu" "$out/bin/lib-bwmenu" # TODO don't put this in bin
install -Dm755 -d "$out/usr/share/doc/bitwarden-rofi"
install -Dm755 -d "$out/usr/share/doc/bitwarden-rofi/img"
install -Dm644 "README.md" "$out/usr/share/doc/bitwarden-rofi/README.md"
install -Dm644 img/* "$out/usr/share/doc/bitwarden-rofi/img/"
wrapProgram "$out/bin/bwmenu" --prefix PATH : ${lib.makeBinPath bins}
'';
meta = with lib; {
description = "Wrapper for Bitwarden and Rofi";
homepage = "https://github.com/mattydebie/bitwarden-rofi";
license = licenses.gpl3;
platforms = platforms.linux;
};
}


@@ -1,39 +0,0 @@
{
lib,
fetchFromGitHub,
buildGoModule,
}:
buildGoModule rec {
pname = "lego";
version = "4.21.0";
src = fetchFromGitHub {
owner = "go-acme";
repo = pname;
rev = "v${version}";
hash = "sha256-3dSvQfkBNh8Bt10nv4xGplv4iY3gWvDu2EDN6UovSdc=";
};
vendorHash = "sha256-teA6fnKl4ATePOYL/zuemyiVy9jgsxikqmuQJwwA8wE=";
doCheck = false;
subPackages = [ "cmd/lego" ];
ldflags = [
"-s"
"-w"
"-X main.version=${version}"
];
meta = with lib; {
description = "Let's Encrypt client and ACME library written in Go";
license = licenses.mit;
homepage = "https://go-acme.github.io/lego/";
maintainers = teams.acme.members;
mainProgram = "lego";
};
#passthru.tests.lego = nixosTests.acme;
}


@@ -38,17 +38,13 @@ forEachSystem (
}; };
# constructs a custom shell with commonly used utilities # constructs a custom shell with commonly used utilities
adev = pkgs.mkShell { rad-dev = pkgs.mkShell {
packages = with pkgs; [ packages = with pkgs; [
deadnix deadnix
pre-commit pre-commit
treefmt treefmt
statix statix
nixfmt nixfmt-rfc-style
jsonfmt
mdformat
shfmt
yamlfmt
]; ];
}; };
in in
@@ -56,7 +52,7 @@ forEachSystem (
default = pkgs.mkShell { default = pkgs.mkShell {
inputsFrom = [ inputsFrom = [
pre-commit pre-commit
adev rad-dev
sops sops
]; ];
}; };


@@ -1,27 +1,17 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# Exit on first error and verify variables have been set/passed via CLI # Exit on first error and verify variables have been set/passed via CLI
#set -eu set -eu
set -v
set -x
# Rename our variables to friendlier equivalents # Rename our variables to friendlier equivalents
# https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver # https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
base="$1" base="$1"; local_="$2"; remote="$3"; merged="$4"
local_="$2"
remote="$3"
merged="$4"
echo "$base"
echo "$local_"
echo "$remote"
echo "$merged"
# Resolve our default mergetool # Resolve our default mergetool
# https://github.com/git/git/blob/v2.8.2/git-mergetool--lib.sh#L3 # https://github.com/git/git/blob/v2.8.2/git-mergetool--lib.sh#L3
mergetool="$(git config --get merge.tool)" mergetool="$(git config --get merge.tool)"
GIT_DIR="$(git --exec-path)" GIT_DIR="$(git --exec-path)"
if test "$mergetool" = ""; then if test "$mergetool" = ""; then
echo 'No default `merge.tool` was set for `git`. Please set one via `git config --set merge.tool <tool>`' 1>&2 echo "No default \`merge.tool\` was set for \`git\`. Please set one via \`git config --set merge.tool <tool>\`" 1>&2
exit 1 exit 1
fi fi
@@ -35,7 +25,7 @@ merged_decrypted="${base_decrypted/_BASE_/_MERGED_}"
backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}" backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}"
# If anything goes wrong, then delete our decrypted files # If anything goes wrong, then delete our decrypted files
handle_trap_exit() { handle_trap_exit () {
rm $base_decrypted || true rm $base_decrypted || true
rm $local_decrypted || true rm $local_decrypted || true
rm $remote_decrypted || true rm $remote_decrypted || true
@@ -45,13 +35,13 @@ handle_trap_exit() {
trap handle_trap_exit EXIT trap handle_trap_exit EXIT
# Decrypt our file contents # Decrypt our file contents
sops --decrypt --show-master-keys "$base" >"$base_decrypted" sops --decrypt --show-master-keys "$base" > "$base_decrypted"
sops --decrypt --show-master-keys "$local_" >"$local_decrypted" sops --decrypt --show-master-keys "$local_" > "$local_decrypted"
sops --decrypt --show-master-keys "$remote" >"$remote_decrypted" sops --decrypt --show-master-keys "$remote" > "$remote_decrypted"
# Create a merge-diff to compare against # Create a merge-diff to compare against
set +e set +e
git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" >"$merged_decrypted" git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" > "$merged_decrypted"
set -e set -e
cp "$merged_decrypted" "$backup_decrypted" cp "$merged_decrypted" "$backup_decrypted"
@@ -69,7 +59,7 @@ source "$GIT_DIR/git-mergetool--lib"
source "$GIT_DIR/mergetools/$mergetool" source "$GIT_DIR/mergetools/$mergetool"
# Override `check_unchanged` with a custom script # Override `check_unchanged` with a custom script
check_unchanged() { check_unchanged () {
# If the contents haven't changed, then fail # If the contents haven't changed, then fail
if test "$MERGED" -nt "$BACKUP"; then if test "$MERGED" -nt "$BACKUP"; then
return 0 return 0
@@ -85,4 +75,5 @@ merge_cmd
set -eu set -eu
# Re-encrypt content # Re-encrypt content
sops --encrypt "$merged_decrypted" >"$merged" sops --encrypt "$merged_decrypted" > "$merged"
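Review bot: The three `sops --decrypt ... > "$..._decrypted"` redirections in the `@@ -45,13 +35,13` hunk write plaintext secrets to disk under whatever umask the caller happens to have, so with a typical 022 umask the decrypted temporaries are world-readable for the whole duration of the merge. Put `umask 077` immediately before the first `sops --decrypt` line so every temporary is created owner-only; the directory they land in is decided by `base_decrypted`, which is assigned above the `@@ -35,7 +25,7` hunk and not visible here. The cleanup in `handle_trap_exit` also uses the unquoted form `rm $base_decrypted || true`, which word-splits the path; `rm -f "$base_decrypted"` is the robust spelling for all four removals. `merge_cmd` and the rest of the script lie outside the hunks.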


@@ -1,4 +1,4 @@
disabled = ["empty_pattern"] disabled = ["empty_pattern"]
nix_version = '2.25' nix_version = '2.23'
ignore = ['.direnv'] ignore = ['.direnv']


@@ -1,438 +0,0 @@
#footer .group,
.post fieldset fieldset,
fieldset fieldset {
background: none;
}
#header {
background: #000 url('https://media.archiveofourown.org/news/milestones/2024-08-seventeen-years-otw/2024-08-seventeen-years-otw-pattern.jpg');
background-size: 350px;
}
#header .heading a,
#header .primary .dropdown a:focus,
#header .heading a:visited,
#main .pagination .current,
h2 {
color: #ffe8b4;
}
#header .clear,
#footer {
border-color: #191919;
}
#header .actions a[href="/menu/fandoms"],
#header .actions a[href="/menu/browse"],
#header .actions a[href="/menu/search"],
#header .actions a[href="/menu/about"] {
color: #fff;
}
#footer ul {
background: url('https://live.staticflickr.com/7284/9616997915_4194b6c6f7_h.jpg');
background-size: 350px;
}
#footer ul li:nth-child(1) ul,
#footer ul li:nth-child(2) ul,
#footer ul li:nth-child(3) ul,
#footer ul li:nth-child(4) ul {
background: rgba(0, 0, 0, 0.0);
}
#header .primary {
background: #8a1a10;
}
#footer {
background: #8a1a10;
}
input[type="text"],
textarea,
select {
background: #222;
color: #fff;
}
select:focus {
background: #2a2a2a;
}
option {
background: #555;
color: #fff;
}
#work form fieldset.work.meta dl dd.warning.required fieldset,
#main form fieldset.work.meta dl dd.warning.required fieldset {
color: #fff;
}
#bookmark-form form {
background: #2a2a2a;
color: #fff;
}
#error {
color: #191919;
}
fieldset,
.verbose fieldset {
border-color: #404040;
background: #191919;
border: 1px solid #595959;
}
.search [role=tooltip] {
background: #333;
border: 1px solid #666;
}
#main a:visited {
color: #ccc;
}
#main a.tag:visited:hover {
color: #111;
}
body,
.group,
.group .group,
.region,
.flash,
form dl,
#main .verbose legend,
.notice,
ul.notes,
table,
th,
td:hover,
tr:hover,
.symbol .question:hover,
#modal,
.ui-sortable li,
.required .autocomplete,
.autocomplete .notice,
.system .intro,
.comment_error,
.kudos_error,
div.dynamic,
.dynamic form,
#ui-datepicker-div,
.ui-datepicker table {
background: #191919;
color: #eee;
border-color: #222;
outline: #111;
box-shadow: none;
}
#header .actions a:hover,
#header .actions a:focus,
#header .dropdown:hover a,
#header .open a,
#header .menu,
#small_login,
.group.listbox,
fieldset fieldset.listbox,
.listbox,
form blockquote.userstuff,
input:focus,
textarea:focus,
li.relationships a,
.group.listbox .index,
.dashboard fieldset fieldset.listbox .index,
#dashboard a:hover,
th,
#dashboard .secondary,
.secondary,
.thread .even,
.system .tweet_list li,
.ui-datepicker tr:hover {
background: #2A2A2A;
}
a,
a.tag,
a:link,
#header a:visited,
#header .primary .open a,
#header .primary .dropdown:hover a,
#header #search input:focus,
#header #search input:hover,
.userstuff h2,
#dashboard a,
#dashboard span,
#dashboard .current,
.group .heading,
.filters dt a:hover {
color: #fff;
}
#header .dropdown .menu a:hover,
#header .dropdown .menu a:focus,
.splash .favorite li:nth-of-type(odd) a,
.ui-datepicker td:hover,
#tos_prompt .heading,
#tos_prompt [disabled] {
background: #111;
color: #ffe8b4;
}
#outer,
.javascript,
.statistics .index li:nth-of-type(even),
#tos_prompt,
.announcement input[type="submit"] {
background: #191919;
}
#dashboard ul,
dl.meta,
.group.listbox,
fieldset fieldset.listbox,
#main li.blurb,
form blockquote.userstuff,
div.comment,
li.comment,
.toggled form,
form dl dt,
form.single fieldset,
#inner .module .heading,
.bookmark .status span,
.splash .news li,
.filters .group dt.bookmarker {
border-color: #555;
}
.group.listbox,
fieldset fieldset.listbox,
#main li.blurb,
.wrapper,
#dashboard .secondary,
.secondary,
form blockquote.userstuff,
.thread .comment,
.toggled form {
box-shadow: 1px 1px 3px #000;
}
#dashboard .current,
.actions a:active,
a.current,
.current a:visited,
span.unread,
.replied,
span.claimed,
dl.index dd,
.own,
.draft,
.draft .unread,
.child,
.unwrangled,
.unreviewed,
.ui-sortable li:hover {
background: #000;
border-color: #555;
box-shadow: -1px -1px 3px #000;
}
input,
textarea {
box-shadow: inset 0 1px 2px #000;
}
li.blurb,
.blurb .blurb,
.listbox .index,
fieldset fieldset.listbox,
.dashboard .listbox .index {
box-shadow: inset 1px 1px 3px #000;
}
#footer a:hover,
#footer a:focus,
.autocomplete .dropdown ul li:hover,
.autocomplete .dropdown li.selected,
a.tag:hover,
.listbox .heading a.tag:visited:hover,
.symbol .question {
background: #ffedc5;
border-color: #988352;
color: #111;
}
#header #greeting img,
#header .user a:hover,
#header .user a:focus,
#header fieldset,
#header form,
#header p,
#dashboard a:hover,
.actions a:hover,
.actions input:hover,
.delete a,
span.delete,
span.unread,
.replied,
span.claimed,
.draggable,
.droppable,
span.requested,
a.work,
.blurb h4 a:link,
.blurb h4 img,
.splash .module h3,
.splash .browse li a:before,
.required,
.error,
.comment_error,
.kudos_error,
a.cloud7,
a.cloud8,
#tos_prompt .heading {
color: #ffe8b4;
}
#greeting .icon,
#dashboard,
#dashboard.own,
.error,
.comment_error,
.kudos_error,
.LV_invalid,
.LV_invalid_field,
input.LV_invalid_field:hover,
input.LV_invalid_field:active,
textarea.LV_invalid_field:hover,
textarea.LV_invalid_field:active,
.qtip-content {
border-color: #8a1a10;
}
.splash .favorite li:nth-of-type(odd) a:hover,
.splash .favorite li:nth-of-type(odd) a:focus .splash .favorite li:nth-of-type(odd) a:visited:hover,
.splash .favorite li:nth-of-type(odd) a:visited:focus {
background: #ffe8b4;
color: #111;
}
a:visited,
.actions a:visited,
.action a:link,
.action a:visited,
.listbox .heading a:visited,
span.series .divider {
color: #999;
}
.actions a,
.actions a:link,
.action,
.action:link,
.actions input,
input[type="submit"],
button,
.current,
.actions label,
#header .actions a,
#outer .current {
background: #555;
border-color: #222;
color: #eee;
box-shadow: inset 0 -8px 4px #232323, inset 0 8px 7px #555;
text-shadow: none;
}
.actions a:hover,
.actions input:hover,
#dashboard a:hover,
.actions a:focus,
.actions input:focus,
#dashboard a:focus,
.actions .disabled select {
color: #999;
border-color: #000;
box-shadow: inset 2px 2px 2px #000;
}
.actions a:active,
.current,
a.current,
.current a:visited {
color: #fff;
background: #555;
border-color: #fff;
box-shadow: inset 1px 1px 3px #191919;
}
.delete a,
span.delete {
box-shadow: -1px -1px 2px rgba(255,255,255.25);
}
.actions label.disabled {
background: #222;
box-shadow: none;
}
ul.required-tags,
.bookmark .status span,
.blurb .icon {
opacity: 0.9;
border: 0;
}
#outer .group .heading,
#header .actions a,
fieldset.listbox .heading,
.userstuff .heading {
text-shadow: none;
color: #fff;
background: none;
}
#header .actions a,
fieldset fieldset,
.mce-container button,
.filters .expander,
.actions .disabled select {
box-shadow: none;
}
fieldset fieldset.listbox {
outline: none;
}
form dd.required {
color: #eee;
}
.mce-container input:focus {
background: #F3EFEC;
}
.announcement .userstuff a,
.announcement .userstuff a:link,
.announcement .userstuff a:visited:hover {
color: #111;
}
.announcement .userstuff a:visited {
color: #666;
}
.announcement .userstuff a:hover,
.announcement .userstuff a:focus {
color: #999;
}
.event.announcement .userstuff a,
.filters .expander {
color: #eee;
}


@@ -1,24 +1,22 @@
{ {
config,
lib, lib,
pkgs, pkgs,
config,
... ...
}: }:
{ {
imports = [ imports = [
./audio.nix
./desktop.nix
./fingerprint.nix
./fonts.nix
./graphics.nix
./libvirt.nix
./polkit.nix
./programs.nix ./programs.nix
./steam.nix ./desktop.nix
./stylix.nix
./wifi.nix ./wifi.nix
./zerotier.nix ./zerotier.nix
../palatine-hill/ollama.nix ./fonts.nix
./polkit.nix
./audio.nix
./fingerprint.nix
./steam.nix
./graphics.nix
./libvirt.nix
]; ];
time.timeZone = "America/New_York"; time.timeZone = "America/New_York";
@@ -33,31 +31,21 @@
}; };
boot = { boot = {
#kernelPackages = lib.mkForce pkgs.linuxPackages_6_6; kernelPackages = lib.mkForce pkgs.linuxPackages_zen;
useSystemdBoot = true; useSystemdBoot = true;
default = true; default = true;
}; };
i18n = {
defaultLocale = "en_US.utf8";
supportedLocales = [ "en_US.UTF-8/UTF-8" ];
};
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
services = { services = {
ollama = {
package = lib.mkForce pkgs.ollama-rocm;
models = lib.mkForce "${config.services.ollama.home}/models";
loadModels = lib.mkForce [
"deepseek-r1:1.5b"
"lennyerik/zeta"
"nomic-embed-text:latest"
"glm-4.7-flash"
"magistral"
"devstral-small-2"
"starcoder2:7b"
];
};
flatpak.enable = true;
calibre-web = { calibre-web = {
# temp disable this enable = true;
enable = false;
listen = { listen = {
ip = "127.0.0.1"; ip = "127.0.0.1";
}; };
@@ -66,7 +54,7 @@
}; };
}; };
calibre-server = { calibre-server = {
enable = false; enable = true;
user = "calibre-web"; user = "calibre-web";
group = "calibre-web"; group = "calibre-web";
@@ -75,45 +63,46 @@
fwupd = { fwupd = {
enable = true; enable = true;
# package = package =
# (import (builtins.fetchTarball { (import (builtins.fetchTarball {
# url = "https://github.com/NixOS/nixpkgs/archive/bb2009ca185d97813e75736c2b8d1d8bb81bde05.tar.gz"; url = "https://github.com/NixOS/nixpkgs/archive/bb2009ca185d97813e75736c2b8d1d8bb81bde05.tar.gz";
# sha256 = "sha256:003qcrsq5g5lggfrpq31gcvj82lb065xvr7bpfa8ddsw8x4dnysk"; sha256 = "sha256:003qcrsq5g5lggfrpq31gcvj82lb065xvr7bpfa8ddsw8x4dnysk";
# }) { inherit (pkgs) system; }).fwupd; }) { inherit (pkgs) system; }).fwupd;
}; };
mullvad-vpn.enable = true;
fprintd.enable = lib.mkForce false; fprintd.enable = true;
openssh.enable = lib.mkForce false; openssh.enable = lib.mkForce false;
adev.yubikey = { spotifyd = {
enable = true;
settings = {
global = {
username = "snowinginwonderland@gmail.com";
password_cmd = "cat ${config.sops.secrets."apps/spotify".path}";
use_mpris = false;
};
};
#systemd.services.spotifyd.serviceConfig = systemd.services.spotifyd.
};
rad-dev.yubikey = {
enable = true; enable = true;
enable-desktop-app = true; enable-desktop-app = true;
}; };
}; };
users.users = { users.users.alice.extraGroups = [ "calibre-web" ];
alice.extraGroups = [ "calibre-web" ];
};
system.autoUpgrade.enable = false;
system.stateVersion = "24.05"; system.stateVersion = "24.05";
environment.variables = {
"KWIN_DRM_NO_DIRECT_SCANOUT" = "1";
};
#nixpkgs.config = {
# rocmSupport = true;
#};
sops = { sops = {
defaultSopsFile = ./secrets.yaml; defaultSopsFile = ./secrets.yaml;
#secrets = { secrets = {
# "apps/spotify" = { "apps/spotify" = {
# group = "audio"; group = "audio";
# restartUnits = [ "spotifyd.service" ]; restartUnits = [ "spotifyd.service" ];
# mode = "0440"; mode = "0440";
# }; };
#}; };
}; };
} }
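Review bot: The `apps/spotify` secret on the new side is published with `group = "audio"` and `mode = "0440"`, so every member of the audio group — normally the interactive desktop user and anything else granted sound access — can read the plaintext password that `password_cmd = "cat ${config.sops.secrets."apps/spotify".path}"` consumes, not only the spotifyd unit. Which user the unit runs as is not visible here; if the module runs it under a dedicated or dynamic user, granting a dedicated group through the unit's `SupplementaryGroups` and using that as the secret's `group` is narrower than `audio`, and if it runs as the desktop user then `owner = "alice"; mode = "0400";` scopes it equally tightly. The dangling line `#systemd.services.spotifyd.serviceConfig = systemd.services.spotifyd.` is an unfinished thought and should be completed or removed before merge.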


@@ -3,12 +3,10 @@
system = "x86_64-linux"; system = "x86_64-linux";
home = true; home = true;
sops = true; sops = true;
lix = true;
server = false; server = false;
users = [ "alice" ]; users = [ "alice" ];
modules = [ modules = [
inputs.nixos-hardware.nixosModules.framework-16-amd-ai-300-series inputs.nixos-hardware.nixosModules.framework-16-7040-amd
inputs.stylix.nixosModules.stylix
{ {
environment.systemPackages = [ environment.systemPackages = [
inputs.wired-notify.packages.x86_64-linux.default inputs.wired-notify.packages.x86_64-linux.default


@@ -3,38 +3,30 @@
{ {
# installs hyprland, and its dependencies # installs hyprland, and its dependencies
programs = { programs.hyprland = {
hyprland = { enable = true;
enable = true; xwayland.enable = true;
xwayland.enable = true;
withUWSM = true;
};
hyprlock.enable = true;
gnupg.agent = {
enable = true;
#pinentryPackage = pkgs.pinentry-rofi;
pinentryPackage = pkgs.pinentry-gnome3;
#settings = {
# keyserver-options = "auto-key-retrieve";
# auto-key-locate = "hkps://keys.openpgp.org";
# keyserver = "hkps://keys.openpgp.org";
#keyserver = "hkp://pgp.mit.edu";
# "na.pool.sks-keyservers.net"
# "ipv4.pool.sks-keyservers.net"
# "p80.pool.sks-keyservers.net"
# ];
#};
};
ydotool.enable = true;
}; };
# Optional, hint electron apps to use wayland: # Optional, hint electron apps to use wayland:
environment.sessionVariables.NIXOS_OZONE_WL = "1"; environment.sessionVariables.NIXOS_OZONE_WL = "1";
services = { services = {
displayManager.gdm = { xserver = {
enable = true; enable = true;
wayland = true; displayManager.session = [
{
manage = "desktop";
name = "hyprland";
start = ''
bash ${./hypr/wrappedhl} &
waitPID=$!
'';
}
];
displayManager.gdm = {
enable = true;
wayland = true;
};
}; };
dbus = { dbus = {
@@ -43,8 +35,20 @@
}; };
}; };
powerManagement = { programs.gnupg.agent = {
enable = true; enable = true;
#pinentryPackage = pkgs.pinentry-rofi;
pinentryPackage = pkgs.pinentry-gnome3;
#settings = {
# keyserver-options = "auto-key-retrieve";
# auto-key-locate = "hkps://keys.openpgp.org";
# keyserver = "hkps://keys.openpgp.org";
#keyserver = "hkp://pgp.mit.edu";
# "na.pool.sks-keyservers.net"
# "ipv4.pool.sks-keyservers.net"
# "p80.pool.sks-keyservers.net"
# ];
#};
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [


@@ -3,13 +3,17 @@
fonts = { fonts = {
fontconfig.enable = true; fontconfig.enable = true;
enableDefaultPackages = true; enableDefaultPackages = true;
packages = with pkgs.nerd-fonts; [ packages = with pkgs; [
fira-code (nerdfonts.override {
droid-sans-mono fonts = [
hack "FiraCode"
dejavu-sans-mono "DroidSansMono"
noto "Hack"
open-dyslexic "DejaVuSansMono"
"Noto"
"OpenDyslexic"
];
})
]; ];
}; };
} }


@@ -6,10 +6,13 @@
enable = true; enable = true;
enable32Bit = true; enable32Bit = true;
## amdvlk: an open-source Vulkan driver from AMD
extraPackages = with pkgs; [ extraPackages = with pkgs; [
amdvlk
rocmPackages.clr.icd rocmPackages.clr.icd
]; ];
extraPackages32 = with pkgs; [ extraPackages32 = with pkgs; [
driversi686Linux.amdvlk
rocmPackages.clr.icd rocmPackages.clr.icd
]; ];
}; };


@@ -20,9 +20,6 @@
"usb_storage" "usb_storage"
"usbhid" "usbhid"
"sd_mod" "sd_mod"
"ip_vs"
"ip_vs_rr"
"nf_conntrack"
]; ];
initrd.kernelModules = [ initrd.kernelModules = [
"dm-snapshot" "dm-snapshot"
@@ -55,6 +52,7 @@
options = [ options = [
"noatime" "noatime"
"nodiratime" "nodiratime"
"discard"
]; ];
}; };
@@ -64,6 +62,7 @@
options = [ options = [
"noatime" "noatime"
"nodiratime" "nodiratime"
"discard"
]; ];
}; };
@@ -73,6 +72,7 @@
options = [ options = [
"noatime" "noatime"
"nodiratime" "nodiratime"
"discard"
]; ];
}; };
@@ -82,11 +82,12 @@
options = [ options = [
"noatime" "noatime"
"nodiratime" "nodiratime"
"discard"
]; ];
}; };
}; };
swapDevices = [ { device = "/dev/disk/by-uuid/3ec276b5-9088-45b0-9cb4-60812f2d1a73"; } ]; swapDevices = [ { device = "/dev/disk/by-uuid/7f0dba0f-d04e-4c94-9fba-1d0811673df1"; } ];
boot.initrd.luks.devices = { boot.initrd.luks.devices = {
"nixos-pv" = { "nixos-pv" = {
@@ -100,7 +101,7 @@
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction # still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.interfaces.wlp191s0.useDHCP = lib.mkDefault true; networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
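Review bot: The `"discard"` mount option added in the four filesystem hunks only reaches the device if the LUKS mapping underneath passes discards through; dm-crypt drops TRIM by default, and the `boot.initrd.luks.devices."nixos-pv"` entry visible as context at the end of the `@@ -82,11 +82,12` hunk shows no `allowDiscards = true;` (if it exists it lies outside the hunk). Whether that flag is set decides both behaviour and a confidentiality trade-off: forwarding discards through an encrypted volume makes the free/used block pattern observable on the raw disk, which is why it is off by default. If the trade-off is acceptable, add `allowDiscards = true;` to the `"nixos-pv"` entry so the option actually does something; otherwise prefer `services.fstrim.enable = true;` and drop the per-mount `"discard"`, since periodic trim is the usual recommendation over continuous discard anyway.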


@@ -12,6 +12,15 @@
package = pkgs.qemu_kvm; package = pkgs.qemu_kvm;
runAsRoot = true; runAsRoot = true;
swtpm.enable = true; swtpm.enable = true;
ovmf = {
enable = true;
packages = [
(pkgs.OVMF.override {
secureBoot = true;
tpmSupport = true;
}).fd
];
};
}; };
}; };
users.users.alice = { users.users.alice = {


@@ -1,19 +0,0 @@
{ ... }:
{
networking.nameservers = [
"9.9.9.9"
"1.1.1.1"
#"192.168.76.1"
];
#services.resolved = {
# enable = true;
# dnssec = "false";
# domains = [ "~." ];
# fallbackDns = [
# "1.1.1.1#one.one.one.one"
# "1.0.0.1#one.one.one.one"
# ];
# dnsovertls = "true";
#};
}


@@ -3,9 +3,7 @@
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
act act
alacritty alacritty
attic-client
amdgpu_top amdgpu_top
android-tools
bat bat
bitwarden-cli bitwarden-cli
bfg-repo-cleaner bfg-repo-cleaner
@@ -14,46 +12,40 @@
calibre calibre
# calibre dedrm? # calibre dedrm?
candy-icons candy-icons
chromium nemo-with-extensions
chromedriver
#claude-code
croc croc
deadnix deadnix
direnv direnv
easyeffects discord
discord-canary
eza eza
fanficfare fanficfare
ferium ferium
fd fd
file file
firefox firefox
# gestures replacement # gestures replacement
git git
glances glances
gpu-viewer gpu-viewer
grim grim
headsetcontrol
htop htop
hwloc hwloc
ipmiview
iperf3 iperf3
# ipscan ipscan
jp2a jp2a
jq jq
kdePackages.kdenlive
kitty kitty
kubectl
kubernetes-helm
libreoffice-fresh
libtool libtool
lsof lsof
lynis lynis
masterpdfeditor4 masterpdfeditor4
minikube
mons mons
mpv
# nbt explorer? # nbt explorer?
ncdu ncdu
nemo-with-extensions neofetch
neovim neovim
nix-init nix-init
nix-output-monitor nix-output-monitor
@@ -61,8 +53,6 @@
nix-tree nix-tree
nixpkgs-fmt nixpkgs-fmt
nmap nmap
obs-studio
obsidian
ocrmypdf ocrmypdf
pciutils pciutils
#disabled until wxpython compat with python3.12 #disabled until wxpython compat with python3.12
@@ -70,18 +60,17 @@
prismlauncher prismlauncher
protonmail-bridge protonmail-bridge
protontricks protontricks
proxychains
qrencode qrencode
redshift redshift
restic restic
ripgrep ripgrep
rpi-imager rpi-imager
rofi rofi-wayland
samba
signal-desktop signal-desktop
# signal in tray? # signal in tray?
siji siji
simple-mtpfs simple-mtpfs
slack
slurp slurp
smartmontools smartmontools
snyk snyk
@@ -95,16 +84,17 @@
tig tig
tokei tokei
tree tree
unipicker
unzip unzip
unipicker
uutils-coreutils-noprefix uutils-coreutils-noprefix
ventoy
vscode vscode
watchman watchman
wget wget
wl-clipboard wl-clipboard
yq xboxdrv
yt-dlp
zoom-us zoom-us
zoxide zoxide
zoom
]; ];
} }


@@ -1,42 +1,54 @@
hello: ENC[AES256_GCM,data:BTCBuBxHFO8vwXU/bsAZryM5rXUOEi0brlvq6DtqfZbzxGz4LaW89VO75MERHQ==,iv:fwqI3arwtlZQ5DtvpVbh21ThuZP8zcqCHsmuJuCfCsY=,tag:tkkEO8/eEDCakdlT0NvajA==,type:str] hello: ENC[AES256_GCM,data:UJlsd5kvnhEv7eJeYwg+NHm9sgUAxYM5DoR0gDPLi9J7P+8FI8WPMkN1wEAHJA==,iv:NFSdZQ1OK4BT+EAGZz122NB7WrVCEzv4wwMxFIE/OKI=,tag:6YT7Vw8tFrw9iEFKxeKRFQ==,type:str]
example_key: ENC[AES256_GCM,data:xzsymSb4oD70twtoKQ==,iv:9vBmAKET2VIuDSq7AOyvdYWLGlL6cYHTWxy/Z5bB1+c=,tag:NbV4eA2aaY4cQAKUy3QOpw==,type:str] example_key: ENC[AES256_GCM,data:KMXgMrqe7M101ZMJ2g==,iv:MJ3Iiu/0KIVhPFnqfovysqvPJAv1OsnxE4VIsuexFkE=,tag:X6KIKNGym8/9VglmG3SNRw==,type:str]
#ENC[AES256_GCM,data:zeOCzRd/nFRhbANHxPyyjw==,iv:9MmHl3OyhJHVU+cUFJ4QitHd4SeDe3ctaky+yfvk8Zs=,tag:uPGRJtgQj1vIdLt2+w0krg==,type:comment] #ENC[AES256_GCM,data:QR3WNE/a1hZIXnTjFjK3kA==,iv:eXoZJ5rQaYqN7LjEp2M13OCMwuQ+80M5AXjV0uNc4C8=,tag:sCvL6pr9zAyWZziffVFMzg==,type:comment]
example_array: example_array:
- ENC[AES256_GCM,data:Nwn96XJv8xZWRYv8qws=,iv:K30LBMC8e1vUS0XE+4EIYb3xUUyn6232YmhV2vI9Qnc=,tag:HRe3S88zwj/CjG6NTvjdRQ==,type:str] - ENC[AES256_GCM,data:g8PulCLrXZYSEdZJELE=,iv:irGwciFn1zXBxFpGAJtD46EQLGUO5oqdCzRgv1204JE=,tag:2MuDdRYMjhtTY++lPuj1FQ==,type:str]
- ENC[AES256_GCM,data:l2nuwoAbwaDFHpEWV1Y=,iv:7/2rTd8agUvx73eftpOgidV4XjDUv/JppLIIsiuycnU=,tag:Ohi4JULWDNXJPWZaeXHEdw==,type:str] - ENC[AES256_GCM,data:qv7GvmoOX8VSdaiW/90=,iv:6NOWeWqHUV9ciKPmZF4C7ijuIPFr3YZi3Dh7xWnb07k=,tag:VHXdBhWmEpb7uavCPqGZ4w==,type:str]
example_number: ENC[AES256_GCM,data:toi1e/biUd2Tng==,iv:MPCfhhX9DDaOSzx/L5LTf2VYffin8XvxVyhNDqZLsec=,tag:tE/lml3afP/NjRtpPraoRQ==,type:float] example_number: ENC[AES256_GCM,data:g8BIEIcwKRLSbw==,iv:Ay4aiukAvXeDhzlpMPn++zR0Tt2lMqCx362uN37S+ac=,tag:NTtNaIu5u8YsIm0M4OgL0A==,type:float]
example_booleans: example_booleans:
- ENC[AES256_GCM,data:02CVNA==,iv:L9GmIm9ynm2cWTyd3iYo4fgIeneUyFpEzzzxicM/YNI=,tag:k2EIboiL+c4W1H2OpA2Rqw==,type:bool] - ENC[AES256_GCM,data:94T9mg==,iv:qKGJke4SGhgN09Yebh5MPrRBDNnguJQ+1dl5XQffGZQ=,tag:0Pa3eujmSxDCnAHKHsx6yQ==,type:bool]
- ENC[AES256_GCM,data:6SJ0JKI=,iv:J0qSvWoOcDwSXCKyau+a0YcCGuH5WABHVh6Kdigac20=,tag:WQdNfjcubbzoHnQW4gua8g==,type:bool] - ENC[AES256_GCM,data:gEvfi+Q=,iv:0DrXoZk8OkdUShc7WAKOL8xG26RFZp3M3qYFAb1hDAs=,tag:uemBrdF87nrfLpfnQ8bD8g==,type:bool]
apps: apps:
spotify: ENC[AES256_GCM,data:tIABPphA7Vr6VNvJpWTS9kDmidU=,iv:ciQzr8jyIcHYi797NKypPs7FhDgK5ToVZ0eZHHF8UtE=,tag:wUTL/x1p24cXyPUAL1dPfg==,type:str] spotify: ENC[AES256_GCM,data:bp1pdOfS+VGWLtepUjg7KFWw8Fk=,iv:twGO3CjzRxAU81C93mX8qIEZ/FYIQRJnMd2HIuvP9q8=,tag:AJgs0QGFH30E8+ZpaB02TQ==,type:str]
wifi-env: ENC[AES256_GCM,data:mxPCyunx8yOahcuVhZCzuqAt/G89lMBnZme+qwcxO4LsCftx7h2FotA+wnlj1++vmPW5zL72q2kzxh0KcVlYqK9fpOrMY/FJeJXWYNMZIHesmWKlaaeA1wM/q1dSllwuVuULp9WQzipiQHwcCCLseo3bmCsYpbs8PUibrDgbDqXreTSjJBNTVzwOGpz1bZCSpEynS+dQQViRSNcVeYTOLxrOTxx5lyEOIhgIc3167ObhK+7bJVG2ZcP209Gllip4XkCj/FKnEwg2vVF5Dpofz7T2Op5ef/oNzahhKmCa+k7OPqITWwPYZg7pqAf6jdMy4eBP/A==,iv:Q6IMqePFwd1b1pSuh+TIwcag2bbJXyIYUmJWY6UaaqI=,tag:UZ5ak6nmHkNG0uBMTl1CwQ==,type:str] wifi-env: ENC[AES256_GCM,data:NGI090aVGojJ7+lvcknJfZBQKb0b/tUrd2AqEl5IWQWCJdqqaO4pCrs3C+IW06/pz9FWgMxx9tPu32xmMZaPnnlLD+XyVJ71L2P22U6YufRPRfvyv6swOlihscOZ5tsFFYShjXpow0PfmYS+tP9mYLb2RYFLGQmvI4fa4LaVjuwPXAMg3RN/gVXR6bMEpd/7OIr+tIxC5sTE7V7fIbyzcn4=,iv:VbtgvwMHo1iLuTKCA7KjEXC1d1MY4aHfmXI6yuCGZVI=,tag:dGmw+icLKL9dJQExy83m1A==,type:str]
#ENC[AES256_GCM,data:G9ggYJ3YA+E=,iv:nZ5NgeyNKFXFIpquoY68Z2Jz9QROqvf5tv7/s1wSgKk=,tag:QAX555IsAMaWAlz9ywSzjQ==,type:comment] #ENC[AES256_GCM,data:pC2Kdy7wNc0=,iv:J7Ggfv6K3dCzL42j5MGd+BjQGseoAoYs4k6+yc3FSiA=,tag:9MriduP9SEIi+c1q4tfzlQ==,type:comment]
sops: sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: age:
- recipient: age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2 - recipient: age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWbElNRkxyZ2VjaitiTWx2 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRZUNHeDdqaGt0QnFIejdM
eThsY0h3a2NCZDloWG0rU1ZwVnhOY2VJTXlFCnp3UzNDR216L2R4cVdyWjFqbkRr MU5uaDNiN2xOeVlZNzQyZXZ0R2NYUU83ZWxrCmNDL3J6ZjNmejBuUXk3cldwZUEz
cFJGQjQ4Qk9zblYyckVFY3VNekNuajQKLS0tIEdRWldHMjlpTElxQWFVUlh4L1lz UWVqMTVPelN1MTJDNzc0UU9XNWkralUKLS0tIDU2b053Uk5VZGlWUk9XMXZ5Wllk
d09aSXN0ZUh3VC9XeTZ4UWoxVDNVN0UKF1eU/IQJgJ8Fg+MrfqQuEZZ775hvtUJR UlhhNzNjTHdVaXlPOFJhc0EyZGh3RDQK1c7nctmrorze4Kr0Grmcmx3N/UYXPwJc
D/ZS4vj+sDLWq6gy2lIBhRSIAHWrz5gHxvOOGmRnpvkqh9TS6XjLIA== FfClOoGxO+4ZDtxG61SDU1UdYae4loQ8roM8jDIPFMfoEum2bT8oXw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-03T19:32:16Z" lastmodified: "2024-08-03T02:45:15Z"
mac: ENC[AES256_GCM,data:q5NppTtZZA9Oo15zI0pAZ/YN2qu0TneDPMJY9rXtWlYfG7Pq5taRyc9MpV7CyEt+qWMkN//O3/sA4jmQTtpT8JuYIEa+/x5cfSZ5w0ErjKdV4/IyDs1LPDKNLXIWlmPMo61VvsKW9DZRBRml9qtR1ypeHBuz0pjECBwAQPEcw9k=,iv:X7wUOxn4BsvqCPmNZvH75hyAzUeD7Qtp+4e4SLpPWlI=,tag:Dp6Bu3zEkRaRPdOwWil13g==,type:str] mac: ENC[AES256_GCM,data:PsEeb2leFb500YYHg+5YHwGVHKUPB7qVqaJY66hnkmCa5MKAZkHqSgtVvh+Ai4fN9E+WFtjlso2a4oasQMNwVXsmt54+q1/Mz5zF2D/1nvaNL76fEod2YXp2jlGxNniyPfRaZXDu+QQLhoz2PBoe6OQ9E5WRDV88j7gksy6GePw=,iv:H7Q9fbvdgh+NZNyyupByQETWsgpXVXn0blQV1Ww7eQM=,tag:cpWykzgH9/mWTKxmEDZ9PA==,type:str]
pgp: pgp:
- created_at: "2024-11-28T18:57:09Z" - created_at: "2024-03-23T05:46:35Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hF4DQWNzDMjrP2ISAQdALiZMzuQViM23hoFebCXYfQUIvCluWqAEeSJyE/LRHG8w hQIMA84hNUGIgI/nAQ/+IwyPDjs/jDCBlnYFboHh6TXx8ulysESst4hz5crM4L0u
nQnIVPRIbzLzWfCf+48EW6f7zonHmNY7D9F9KohDmCTcJ5/WvXsJKjebuohR62TF wylKyfEIBx0eLy0mLLA4DhcpYza0Nry5RLdwDNfimhATErfQxnwqlZ6RnYKnh3Hk
1GYBCQIQq7nEvwSfn+l5AevKIiodA4BLfM326JSx5hJ6XdrE0MzZo1uoMwKKuxig 93L66+BEKPd3EZOH+RC/wb0qiTDmU0yna8jtVO0uU7s6//hm/g7bdmQAK0YIJLcb
mPbDP8Rx51v9f+9DzjBg6kQD5w411HADL8th+wSkpmasP8ozIeiNiIKzzoJc/fD6 sd83n99R4oHVrq7iFc74/AV5isW9GcfmvLI94eodFpaE1dpqm4KzNpLueDCOvA/1
AOsExCUt8FU= vPo5Lgtp9WM4FhXUqMiplCNqMIt+Hyj3F+p+9jgQ2dLfHuVkI8pzd47gOHyMDYPy
=wRT+ fn6SVKZtOyfNDwhs7L5piiarSXISBGtx36ISDvtvtr/vgMydTdvILIOo9pkSGVtN
4W7+ywMaFjfAeShTVtUJNJqmp/8agt2WtaUX4kPPha4SxlNSOMpeTQ31bs89gBtc
g2325afL2WPK4NSAOmU8VMXqmFc2A10aFlx5nsfT4S1wkoNbitTWgoAcCa7kGRPW
xZca225cwLUzkggv74cfYT3YnQL40AMSOMqSRS8pbTFEENG1BtsB5A++Jji2i4tO
xoGIL8LRCEfiHpTC7eBwDDVmKb5StgKsXs6yYbQG5XW2W+/Jgum64Sb7+LviQ9Mq
WHNiu5MZPeKyHFu9jI9Ne1HpYJnb7/X9AxFw2e/vFwVn+kjaXcH/PhsYuPUyqkzS
XgG3tFbcgNtMWyoLU2EL1Qvwq1pHVrwmeNXHidESx23HeJtnIwoKkdopl4qqqNle
uQYP89bvb6zFWlqOSwLORZmj1W1wVTYV9eXplDbJob8agBKIcIuhtwri5e96gf4=
=XdJo
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330 fp: F63832C3080D6E1AC77EECF80B4245FFE305BC82
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.11.0 version: 3.9.0


@@ -4,10 +4,7 @@
environment.systemPackages = [ pkgs.steam-run ]; environment.systemPackages = [ pkgs.steam-run ];
hardware.steam-hardware.enable = true; hardware.steam-hardware.enable = true;
programs = { programs = {
gamescope = { gamescope.enable = true;
enable = true;
capSysNice = true;
};
steam = { steam = {
enable = true; enable = true;
remotePlay.openFirewall = true; remotePlay.openFirewall = true;


@@ -1,10 +0,0 @@
{ pkgs, ... }:
{
stylix = {
enable = true;
image = "${pkgs.hyprland}/share/hypr/wall2.png";
#image = "/home/alice/Pictures/Screenshots/screenshot_2024-12-04-2030.png";
polarity = "dark";
};
}


@@ -1,52 +1,55 @@
{ config, lib, ... }: { config, ... }:
let let
always = 100; always = 100;
home = 99; home = 99;
public_wifi = false;
in in
{ {
imports = lib.optionals (!public_wifi) [
./private-wifi.nix
];
networking.wireless = { networking.wireless = {
enable = true; enable = true;
secretsFile = config.sops.secrets."wifi-env".path; environmentFile = config.sops.secrets."wifi-env".path;
userControlled = true; userControlled.enable = true;
networks = { networks = {
"taetaethegae-2.0" = { "taetaethegae-2.0" = {
pskRaw = "ext:PASS_taetaethegae_20"; psk = "@PASS_taetaethegae_20@";
priority = home; priority = home;
}; };
"k" = { "k" = {
pskRaw = "ext:PASS_k"; psk = "@PASS_k@";
priority = always; priority = always;
}; };
"Bloomfield".pskRaw = "ext:PASS_bloomfield"; "Bloomfield".psk = "@PASS_bloomfield@";
"9872441500".pskRaw = "ext:PASS_longboat_home"; "9872441500".psk = "@PASS_longboat_home@";
"9872441561".pskRaw = "ext:PASS_longboat_home"; "9872441561".psk = "@PASS_longboat_home@";
"5HuFios".pskRaw = "ext:PASS_longboat_home"; "5HuFios".psk = "@PASS_longboat_home@";
"24HuFios".pskRaw = "ext:PASS_longboat_home"; "24HuFios".psk = "@PASS_longboat_home@";
"Verizon_ZLHQ3H".pskRaw = "ext:PASS_angie"; "Verizon_ZLHQ3H".psk = "@PASS_angie@";
"Fios-Qn3RB".pskRaw = "ext:PASS_parkridge"; "optimumwifi" = { };
"Mojo Dojo Casa House".pskRaw = "ext:PASS_Carly"; "CableWiFi" = { };
"bwe_guest".pskRaw = "ext:PASS_BWE_NE";
# Public wifi connections
# set public_wifi on line 5 to true if connecting to one of these
#"optimumwifi" = { };
#"CableWiFi" = { };
#"Hilton Honors" = { };
# Work wifi
"JPMCVisitor" = { };
}; };
}; };
networking.nameservers = [
"9.9.9.9"
"1.1.1.1"
"192.168.76.1"
];
services.resolved = {
enable = true;
dnssec = "true";
domains = [ "~." ];
fallbackDns = [
"1.1.1.1#one.one.one.one"
"1.0.0.1#one.one.one.one"
];
dnsovertls = "true";
};
sops = { sops = {
defaultSopsFile = ./secrets.yaml; defaultSopsFile = ./secrets.yaml;
secrets = { secrets = {
"wifi-env" = { "wifi-env" = {
owner = "wpa_supplicant"; owner = "root";
restartUnits = [ "wpa_supplicant.service" ]; restartUnits = [ "wpa_supplicant.service" ];
}; };
}; };
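Review bot: `services.resolved.dnsovertls = "true"` is strict mode, yet the `networking.nameservers` list on the new side includes the LAN router `192.168.76.1`; in strict mode resolved refuses any upstream that does not terminate TLS, so that entry will fail rather than serve local names unless the router really speaks DoT. `dnssec = "true"` is strict as well and commonly breaks captive-portal and hotel networks such as the `optimumwifi`/`CableWiFi` entries in the same block; for a roaming laptop the usual combination is `dnssec = "allow-downgrade"; dnsovertls = "opportunistic";`, or keep strict mode and remove the LAN resolver from `nameservers`. Note also that the `environmentFile` + `psk = "@VAR@"` substitution expands the passphrases into the generated wpa_supplicant configuration at runtime, so the sops file is not the only place the plaintext exists on the machine; `owner = "root"` is consistent with the daemon user, so the secret's default permissions should be left as they are rather than widened later. The rest of the `sops.secrets` block continues past the hunk.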


@@ -0,0 +1,106 @@
{
imports = [
../../users/richie/global/desktop.nix
../../users/richie/global/ssh.nix
../../users/richie/global/syncthing_base.nix
../../users/richie/global/zerotier.nix
./hardware.nix
./nvidia.nix
./steam.nix
];
boot = {
useSystemdBoot = true;
default = true;
};
networking = {
networkmanager.enable = true;
hostId = "9ab3b18e";
};
hardware = {
pulseaudio.enable = false;
bluetooth = {
enable = true;
powerOnBoot = true;
};
};
security.rtkit.enable = true;
services = {
autopull.enable = false;
displayManager.sddm.enable = true;
openssh.ports = [ 262 ];
printing.enable = true;
pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
rad-dev.k3s-net.enable = false;
syncthing.settings.folders = {
"notes" = {
id = "l62ul-lpweo"; # cspell:disable-line
path = "/home/richie/notes";
devices = [
"phone"
"jeeves"
"rhapsody-in-green"
];
fsWatcherEnabled = true;
};
"books" = {
id = "6uppx-vadmy"; # cspell:disable-line
path = "/home/richie/books";
devices = [
"phone"
"jeeves"
"rhapsody-in-green"
];
fsWatcherEnabled = true;
};
"important" = {
id = "4ckma-gtshs"; # cspell:disable-line
path = "/home/richie/important";
devices = [
"phone"
"jeeves"
"rhapsody-in-green"
];
fsWatcherEnabled = true;
};
"music" = {
id = "vprc5-3azqc"; # cspell:disable-line
path = "/home/richie/music";
devices = [
"phone"
"jeeves"
"rhapsody-in-green"
];
fsWatcherEnabled = true;
};
"projects" = {
id = "vyma6-lqqrz"; # cspell:disable-line
path = "/home/richie/projects";
devices = [
"jeeves"
"rhapsody-in-green"
];
fsWatcherEnabled = true;
};
};
};
system.autoUpgrade.enable = false;
system.stateVersion = "23.11";
}

8
systems/bob/default.nix Normal file

@@ -0,0 +1,8 @@
{ ... }:
{
users = [ "richie" ];
system = "x86_64-linux";
home = true;
sops = true;
server = false;
}

66
systems/bob/hardware.nix Normal file

@@ -0,0 +1,66 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd = {
availableKernelModules = [
"nvme"
"xhci_pci"
"ahci"
"usb_storage"
"sd_mod"
];
kernelModules = [ ];
luks.devices = {
"luks-rpool-nvme-Samsung_SSD_970_EVO_Plus_1TB_S6S1NS0T617615W-part2".device = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_1TB_S6S1NS0T617615W-part2";
};
};
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
};
fileSystems = {
"/" = lib.mkDefault {
device = "rpool/root";
fsType = "zfs";
};
"/home" = {
device = "rpool/home";
fsType = "zfs";
};
"/boot" = {
device = "/dev/disk/by-uuid/8AE6-270D";
fsType = "vfat";
options = [
"fmask=0077"
"dmask=0077"
];
};
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp5s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp11s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

13
systems/bob/nvidia.nix Normal file

@@ -0,0 +1,13 @@
{ config, ... }:
{
services.xserver.videoDrivers = [ "nvidia" ];
hardware = {
nvidia = {
modesetting.enable = true;
powerManagement.enable = true;
package = config.boot.kernelPackages.nvidiaPackages.production;
nvidiaSettings = true;
};
nvidia-container-toolkit.enable = true;
};
}


@@ -4,16 +4,11 @@
environment.systemPackages = [ pkgs.steam-run ]; environment.systemPackages = [ pkgs.steam-run ];
hardware.steam-hardware.enable = true; hardware.steam-hardware.enable = true;
programs = { programs = {
gamescope = {
enable = true;
capSysNice = true;
};
steam = { steam = {
enable = true; enable = true;
remotePlay.openFirewall = true; remotePlay.openFirewall = true;
localNetworkGameTransfers.openFirewall = true; localNetworkGameTransfers.openFirewall = true;
extraCompatPackages = with pkgs; [ proton-ge-bin ]; extraCompatPackages = with pkgs; [ proton-ge-bin ];
gamescopeSession.enable = true;
extest.enable = true; extest.enable = true;
}; };
}; };


@@ -0,0 +1,28 @@
{ inputs, pkgs, ... }:
let
vars = import ./vars.nix;
in
{
virtualisation.oci-containers.containers.arch_mirror = {
image = "ubuntu/apache2:latest";
volumes = [
"${../../users/richie/global/docker_templates}/file_server/sites/:/etc/apache2/sites-enabled/"
"${vars.main_mirror}:/data"
];
extraOptions = [ "--network=web" ];
autoStart = true;
};
systemd.services.sync_mirror = {
requires = [ "network-online.target" ];
after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
description = "validates startup";
path = [ pkgs.rsync ];
serviceConfig = {
Environment = "MIRROR_DIR=${vars.main_mirror}/archlinux/";
Type = "simple";
ExecStart = "${inputs.system_tools.packages.x86_64-linux.default}/bin/sync_mirror";
};
};
}
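Review bot: `description = "validates startup"` on `systemd.services.sync_mirror` is copied from the validation unit and mislabels this service in `systemctl` and journal output; use something like `description = "Arch mirror rsync sync";`. The same copied string is in the jeeves copy of this file at L5102. `Type = "simple"` with `wantedBy = [ "multi-user.target" ]` and no timer means the sync runs once per boot; if it is meant to repeat, that presumably lives inside the `sync_mirror` binary (`system_tools` is not in view) and a comment saying so would help the next reader.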


@@ -0,0 +1,47 @@
{ pkgs, ... }:
{
imports = [
../../users/richie/global/ssh.nix
./arch_mirror.nix
./docker
./home_assistant.nix
./networking.nix
./services.nix
];
boot = {
zfs.extraPools = [ "Main" ];
filesystem = "zfs";
useSystemdBoot = true;
};
environment.systemPackages = with pkgs; [ docker-compose ];
services = {
openssh = {
ports = [ 352 ];
listenAddresses = [
{ addr = "192.168.95.35"; }
{ addr = "192.168.90.35"; }
];
};
smartd.enable = true;
sysstat.enable = true;
usbguard = {
enable = true;
rules = ''
allow id 1532:0241
'';
};
zfs = {
trim.enable = true;
autoScrub.enable = true;
};
};
system.stateVersion = "23.05";
}
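Review bot: The usbguard policy `allow id 1532:0241` admits any device that presents that vendor:product pair, which is not a strong identity; if a stricter match is wanted, usbguard rules can additionally carry the device's `serial` or `hash` attribute, e.g. `allow id 1532:0241 hash "<device-hash-placeholder>"`. Every other device falls under usbguard's implicit policy, which blocks by default, so a keyboard plugged in after boot will not work and the SSH `listenAddresses` on port 352 become the only recovery path — worth a one-line comment on the `usbguard` block stating that. The same rule block appears on jeeves at L5220–L5225 with `enable = false`, so the two hosts currently diverge silently.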


@@ -0,0 +1,7 @@
{ ... }:
{
users = [
"alice"
"richie"
];
}


@@ -0,0 +1,11 @@
{ lib, ... }:
{
imports =
let
files = builtins.attrNames (builtins.readDir ./.);
nixFiles = builtins.filter (name: lib.hasSuffix ".nix" name && name != "default.nix") files;
in
map (file: ./. + "/${file}") nixFiles;
virtualisation.oci-containers.backend = "docker";
}
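Review bot: The `imports` expression has no comment explaining that every sibling `*.nix` file except `default.nix` is loaded, so dropping a file into this directory silently enables whatever containers it defines; a line such as `# every *.nix file in this directory is a container definition and is imported automatically` above `imports =` makes that explicit. The identical snippet is duplicated at L5283–L5291; it could be factored into a shared helper, but the comment alone closes the documentation gap.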


@@ -0,0 +1,46 @@
global
log stdout format raw local0
defaults
log global
mode http
retries 3
maxconn 2000
timeout connect 5s
timeout client 50s
timeout server 50s
timeout http-request 10s
timeout http-keep-alive 2s
timeout queue 5s
timeout tunnel 2m
timeout client-fin 1s
timeout server-fin 1s
#Application Setup
frontend ContentSwitching
bind *:80
bind *:443 ssl crt /etc/ssl/certs/cloudflare.pem
mode http
# tmmworkshop.com
acl host_mirror hdr(host) -i mirror.tmmworkshop.com jeeves
acl host_uptime_kuma hdr(host) -i uptimekuma-jeevesjr.tmmworkshop.com
acl host_homeassistant hdr(host) -i homeassistant.tmmworkshop.com
use_backend mirror_nodes if host_mirror
use_backend uptime_kuma_nodes if host_uptime_kuma
use_backend home_asistant_nodes if host_homeassistant
# tmmworkshop.com
backend mirror_nodes
mode http
server server arch_mirror:80
backend uptime_kuma_nodes
mode http
server server uptime_kuma:3001
backend home_asistant_nodes
mode http
server server 192.168.95.35:8123
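Review bot: Nothing in this config sets `option forwardfor`, yet the Home Assistant backend it fronts is configured with `use_x_forwarded_for = true` and this proxy as a trusted source (L4895–L4896); without that option HAProxy sends no `X-Forwarded-For`, so Home Assistant records the proxy's address for every client and its per-client protections are blind. Add `option forwardfor` to `defaults` (or to the `ContentSwitching` frontend). `bind *:80` also has no redirect to HTTPS — if plain HTTP is intentional because the Cloudflare tunnel terminates on port 80, a comment saying so would stop the next reader from "fixing" it. The backend name `home_asistant_nodes` is misspelled in both places; harmless, but worth correcting while the file is new.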


@@ -0,0 +1,16 @@
let
vars = import ../vars.nix;
in
{
virtualisation.oci-containers.containers = {
uptime_kuma = {
image = "louislam/uptime-kuma:latest";
volumes = [
"${vars.main_docker_configs}/uptime_kuma:/app/data"
"/var/run/docker.sock:/var/run/docker.sock"
];
extraOptions = [ "--network=web" ];
autoStart = true;
};
};
}
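Review bot: `"/var/run/docker.sock:/var/run/docker.sock"` gives Uptime Kuma full control of the Docker daemon, which is root-equivalent on the host, and the container runs as the image's default user from a `:latest` tag with `autoStart`, so a malicious or compromised image update inherits that access. If the socket is only needed for Uptime Kuma's Docker container monitors, front it with a read-only socket proxy or drop the mount; at minimum record the reason with a comment such as `# docker.sock: required only for Docker-container monitors`. The identical definition at L5586–L5594 carries the same risk.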


@@ -0,0 +1,41 @@
{ config, ... }:
{
virtualisation.oci-containers.containers = {
haproxy = {
image = "haproxy:latest";
user = "600:600";
environment = {
TZ = "Etc/EST";
};
volumes = [
"${config.sops.secrets."docker/haproxy_cert".path}:/etc/ssl/certs/cloudflare.pem"
"${./haproxy.cfg}:/usr/local/etc/haproxy/haproxy.cfg"
];
dependsOn = [
"arch_mirror"
"uptime_kuma"
];
extraOptions = [ "--network=web" ];
autoStart = true;
};
cloud_flare_tunnel = {
image = "cloudflare/cloudflared:latest";
cmd = [
"tunnel"
"run"
];
environmentFiles = [ config.sops.secrets."docker/cloud_flare_tunnel".path ];
dependsOn = [ "haproxy" ];
extraOptions = [ "--network=web" ];
autoStart = true;
};
};
sops = {
defaultSopsFile = ../secrets.yaml;
secrets = {
"docker/cloud_flare_tunnel".owner = "docker-service";
"docker/haproxy_cert".owner = "docker-service";
};
};
}
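Review bot: The `cloud_flare_tunnel` container (L4818–L4828) sets no `user`, so cloudflared runs as the image's default user, whereas the jeeves copy of the same container (L5644–L5655) runs as `600:600`; add `user = "600:600";` here for consistency (the env file is owned by `docker-service`, L4833, so that uid must be able to read it). Separately, `TZ = "Etc/EST"` is not a zone name I know of in tzdata (`EST` and `America/New_York` are), and glibc silently treats an unknown `TZ` as UTC; the other containers use `TZ = "America/New_York"`, so the same value here (and at L5627) would be consistent.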


@@ -0,0 +1,40 @@
{
config,
lib,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
swapDevices = [ { device = "/dev/disk/by-uuid/9d4ef549-d426-489d-8332-0a49589c6aed"; } ];
boot = {
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
initrd = {
kernelModules = [ ];
availableKernelModules = [
"xhci_pci"
"ahci"
"nvme"
"usbhid"
"usb_storage"
"sd_mod"
];
};
};
fileSystems = {
"/" = lib.mkDefault {
device = "/dev/disk/by-uuid/c59f7261-ebab-4cc9-8f1d-3f4c2e4b1971";
fsType = "ext4";
};
"/boot" = {
device = "/dev/disk/by-uuid/7295-A442";
fsType = "vfat";
};
};
}


@@ -0,0 +1,49 @@
{
services.home-assistant = {
enable = true;
openFirewall = true;
config = {
http = {
server_port = 8123;
server_host = [
"192.168.95.35"
"192.168.90.35"
"192.168.98.4"
];
use_x_forwarded_for = true;
trusted_proxies = "172.100.0.4";
};
homeassistant = {
time_zone = "America/New_York";
unit_system = "imperial";
temperature_unit = "F";
};
assist_pipeline = { };
backup = { };
bluetooth = { };
config = { };
dhcp = { };
energy = { };
history = { };
homeassistant_alerts = { };
image_upload = { };
logbook = { };
media_source = { };
mobile_app = { };
ssdp = { };
sun = { };
webhook = { };
zeroconf = { };
};
extraPackages =
python3Packages: with python3Packages; [
psycopg2
gtts
aioesphomeapi
esphome-dashboard-api
bleak-esphome
pymetno
];
extraComponents = [ "isal" ];
};
}
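Review bot: `trusted_proxies = "172.100.0.4"` hard-codes the haproxy container's address on the docker network, and nothing in that container's definition (L4801–L4817) pins the address, so it can change when the container is recreated; once it does, Home Assistant no longer accepts forwarded headers from the proxy. Either pin the address (docker's `--ip` in `extraOptions`, if the `web` network has a fixed subnet) or add a comment stating which container 172.100.0.4 is expected to be and how it is kept stable. `openFirewall = true` is also a no-op while `networking.firewall.enable = false` on this host (L4939).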


@@ -0,0 +1,43 @@
{
networking = {
hostId = "1beb3026";
firewall.enable = false;
};
systemd.network = {
enable = true;
netdevs = {
"20-ioit-vlan" = {
netdevConfig = {
Kind = "vlan";
Name = "ioit-vlan";
};
vlanConfig.Id = 20;
};
};
networks = {
"10-lan" = {
matchConfig.Name = "enp4s0";
DHCP = "yes";
vlan = [ "ioit-vlan" ];
linkConfig.RequiredForOnline = "routable";
};
"40-ioit-vlan" = {
matchConfig.Name = "ioit-vlan";
DHCP = "yes";
};
};
};
services.zerotierone = {
enable = true;
joinNetworks = [ "e4da7455b2ae64ca" ];
};
}
# 22/tcp open ssh
# 800/tcp open mdbs_daemon
# 5355/tcp open llmnr
# 8123/tcp open polipo
# 9993/tcp open palace-2


@@ -0,0 +1,65 @@
docker:
cloud_flare_tunnel: ENC[AES256_GCM,data:E+XYu5AxS8Ew9OVIfbH5gLkMk+rZ4yT96tSGAwL4smedkddoevRnqil78LtFNYKV8Zo3MpuA8q/c4Me0KrrlSAvwJz1T2cev0dKnuTei3MHZxK7RwWYo9UMJH+aV+l343OY9nvGBj6ryTM3wKyUIoqSmOnRCAbYmhkkqN0wFO+Mxxqjw6nf5UEeeKb36k2NwlhjjnscOKe+wo3sXhjjzVXrE3IOUQJM3hWWukMElcYewVgJmstRidKiNCRMi1/UYMk/Nfhk=,iv:yFJ5SbHB3wZ0FEF0k9KrWye55ref7OqbQPd8oMLTmH4=,tag:p3K4yGR6X2+uKIj4H6rZ+g==,type:str]
haproxy_cert: ENC[AES256_GCM,data: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,iv:3FuXEQxbTvbdnBnwPxF+T8QZvQoWX/WXx3lpDBXML1k=,tag:g1Y4qY+XoSA6K/LCKbllOw==,type:str]
server-validation:
webhook: ENC[AES256_GCM,data:/6QI+KKKJkbVO7YsxcU/gnjgp9scNzqzq56wnqAU88YdYYNU7FaRifzH00RlEb9VYvNBlT0FggnZSSX1rNN5W63tLaiYFn/GVfjlUSnwrgueTVG8Sor6HtYTIfMOdPm9B7jflpECk7ByguoDlimH0J1QrcWd+Kqx772sH63bKV1GbCaYSkRHQp9QbvbO,iv:p5W/xniUe75RqJA9PtMcNRnsY4kUBeD0p6iQDLbkSSc=,tag:dh2a8/Doyznjd1hswmXMuQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1lffr5f5nz0nrenv3ekgy27e8sztsx4gfp3hfymkz77mqaa5a4gts0ncrrh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2NXJJMjBjeU9XQS9YZGxQ
V1h5RlNUVTA5Mkx3M3ZobGs5WFA0NXFGakR3CnIxVk9nYU1aWkNoZ0F0WGd0ck5Q
VWpSU0ZRdENTWnFVOVNQY0Z4ems4MEUKLS0tIFVqcGJtZWRxSTZwZWhjYm56bnkr
QmcxMmhaaGZXU1VFN0pvT1VDN3hpcGsKXUlVytBrz8sUorTSHXZaOMYA5U6qUpas
ZJiHtVGxRVwCpraHWLmQTRkO6pT36cEVsfsMnFH6NLOMOvA3vLX8/g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-07T23:09:51Z"
mac: ENC[AES256_GCM,data:nZPpOrOSKc+7dcbpBdZRH5FLih6o5Ii5bLWgzZ7xP/BZ36vp7ypdncE/jS0/Rz2AiOOrK0G9ovEOoL7jOMrqaUBAJNPzXTX/IdOcFrsxPL47saZKWQHqXkGXrX49nafeea7VtEvoM4qK2AiyYl2ogir+Mw304mhDIUqHhPNNvQs=,iv:ykOg2Pxpp+Sap648UZaiaRVMutWTdUXvP+Pi2cWy86g=,tag:AARw0YmjcesHLdS31i+B3g==,type:str]
pgp:
- created_at: "2024-03-23T05:49:12Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA84hNUGIgI/nARAAgcuMhO3nmxYY8KiW6AYxU2rFo2OQnpzZVtbMJB43wDQX
0UAOVmUyhGM2wd3tJgnvyfnguy6p3LfjZrXdTkTzrv5yCJVvKXhORcLisjaXLS8H
TCe9Fa4I9CvKo/yyRsRYS59niql0ocTs1Eb7cLiKuX19RIuQ7TjMPnjkdj5xXooa
kPJXfwL1SpUU3kjhuTHqWlD0m5t0RPiTpDym8fExMSvbTWyMY0BPA+qD1atMeUik
i3x2boqfoyD1GZ64Z5NrxRD0dN6TQvJLX1K1XTzanUhvfsy/PvDftCHKQc2n2Opk
btnKZa1mfiiLUQly+njSvH8ERYg27j5ACEQ0V9rtGPa3xnVYZm6Z5h0v68aqsotJ
aOzJa7/k0ZV/tBD1pT+9T2a/W9v4U+KdKKL19ebNvMtFxy50jN8SQsrTtxv5G5fA
sc+HkrcnLezFHYtGG85PfbTGsKMWpwu+4BrcmuW6dBcADZ1fZdkqgi+GcYGL2xy1
bddjuOWnzXb93t1pSIkaHcVWc6s5Atf3IB/liyNEux4kdquOHZQJi0WBi0l8GEmG
/ggJN4shRqtMqEkomaZkyZMsHnkmenusjbIlKJrwolhZSyDP8Kk5iPYXMxG21vrr
YpWHr388q8H7+ksnxYiNFXyY2cQKtOsD3UMIV8edMc/lHjTOi0BFNMHmU3WDsajS
XAGXsys00baAzcQHIS0jijU4mJQAqYL3S7FrcDGW8qhTGFpQ8ngVLvwLfqMvUn8v
LB3M5/7+Ld8xV4AZWr8mvv+7ZNNnnZzImETCLnekfvLEV9F2pTCH2Z21RPEL
=XWl7
-----END PGP MESSAGE-----
fp: F63832C3080D6E1AC77EECF80B4245FFE305BC82
- created_at: "2024-03-23T05:49:12Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=jkZ+
-----END PGP MESSAGE-----
fp: 29F5017C95D9E60B1B1E8407072B0E0B8312DFE3
unencrypted_suffix: _unencrypted
version: 3.8.1


@@ -0,0 +1,33 @@
{
config,
inputs,
pkgs,
...
}:
{
systemd = {
services.startup_validation = {
requires = [ "network-online.target" ];
after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
description = "validates startup";
path = [ pkgs.zfs ];
serviceConfig = {
Type = "oneshot";
EnvironmentFile = config.sops.secrets."server-validation/webhook".path;
ExecStart = "${inputs.system_tools.packages.x86_64-linux.default}/bin/validate_jeevesjr";
};
};
timers.startup_validation = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "10min";
Unit = "startup_validation.service";
};
};
};
sops = {
defaultSopsFile = ./secrets.yaml;
secrets."server-validation/webhook".owner = "root";
};
}
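Review bot: `services.startup_validation` has both `wantedBy = [ "multi-user.target" ]` and a timer with `OnBootSec = "10min"`, so the oneshot runs at boot and again ten minutes later; if the delayed run is the intent (waiting for pools and network to settle), remove the `wantedBy` on the service and keep only the timer's. A short comment on the timer, e.g. `# delayed so zfs-import and the network are up before validation`, would record that intent.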


@@ -0,0 +1,10 @@
let
zfs_main = "/ZFS/Main";
in
{
inherit zfs_main;
# main
main_docker = "${zfs_main}/Docker";
main_docker_configs = "${zfs_main}/Docker/configs";
main_mirror = "${zfs_main}/Mirror";
}


@@ -0,0 +1,29 @@
{ inputs, pkgs, ... }:
let
vars = import ./vars.nix;
in
{
virtualisation.oci-containers.containers.arch_mirror = {
image = "ubuntu/apache2:latest";
volumes = [
"${../../users/richie/global/docker_templates}/file_server/sites/:/etc/apache2/sites-enabled/"
"${vars.media_mirror}:/data"
];
ports = [ "800:80" ];
extraOptions = [ "--network=web" ];
autoStart = true;
};
systemd.services.sync_mirror = {
requires = [ "network-online.target" ];
after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
description = "validates startup";
path = [ pkgs.rsync ];
serviceConfig = {
Environment = "MIRROR_DIR=${vars.media_mirror}/archlinux/";
Type = "simple";
ExecStart = "${inputs.system_tools.packages.x86_64-linux.default}/bin/sync_mirror";
};
};
}
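Review bot: `ports = [ "800:80" ]` publishes the mirror's Apache directly on every host interface in addition to the haproxy route on the `web` network, and with this host's firewall disabled (L5715) it is reachable from the LAN unproxied; the jeevesjr copy (L4642–L4650) has no port mapping. If only haproxy should reach it, drop `ports`; if direct LAN access is wanted, bind it to one address, e.g. `"192.168.90.40:800:80"` (the address used at L5168 — confirm it is the intended interface), and say why in a comment.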


@@ -0,0 +1,165 @@
{ pkgs, ... }:
let
vars = import ./vars.nix;
in
{
imports = [
../../users/richie/global/ssh.nix
../../users/richie/global/syncthing_base.nix
./arch_mirror.nix
./docker
./networking.nix
./programs.nix
./services.nix
];
boot = {
zfs.extraPools = [
"media"
"storage"
"torrenting"
];
filesystem = "zfs";
useSystemdBoot = true;
};
environment = {
systemPackages = with pkgs; [ docker-compose ];
etc = {
# Creates /etc/lynis/custom.prf
"lynis/custom.prf" = {
text = ''
skip-test=BANN-7126
skip-test=BANN-7130
skip-test=DEB-0520
skip-test=DEB-0810
skip-test=FIRE-4513
skip-test=HRDN-7222
skip-test=KRNL-5820
skip-test=LOGG-2190
skip-test=LYNIS
skip-test=TOOL-5002
'';
mode = "0440";
};
};
};
services = {
nfs.server.enable = true;
openssh.ports = [ 629 ];
plex = {
enable = true;
dataDir = vars.media_plex;
};
smartd.enable = true;
sysstat.enable = true;
syncthing.guiAddress = "192.168.90.40:8384";
syncthing.settings.folders = {
"notes" = {
id = "l62ul-lpweo"; # cspell:disable-line
path = vars.media_notes;
devices = [
"bob"
"phone"
"rhapsody-in-green"
];
fsWatcherEnabled = true;
};
"books" = {
id = "6uppx-vadmy"; # cspell:disable-line
path = "${vars.storage_syncthing}/books";
devices = [
"bob"
"phone"
"rhapsody-in-green"
];
fsWatcherEnabled = true;
};
"important" = {
id = "4ckma-gtshs"; # cspell:disable-line
path = "${vars.storage_syncthing}/important";
devices = [
"bob"
"phone"
"rhapsody-in-green"
];
fsWatcherEnabled = true;
};
"music" = {
id = "vprc5-3azqc"; # cspell:disable-line
path = "${vars.storage_syncthing}/music";
devices = [
"bob"
"phone"
"rhapsody-in-green"
];
fsWatcherEnabled = true;
};
"projects" = {
id = "vyma6-lqqrz"; # cspell:disable-line
path = "${vars.storage_syncthing}/projects";
devices = [
"bob"
"rhapsody-in-green"
];
fsWatcherEnabled = true;
};
};
usbguard = {
enable = false;
rules = ''
allow id 1532:0241
'';
};
zfs = {
trim.enable = true;
autoScrub.enable = true;
};
};
systemd = {
services."snapshot_manager" = {
description = "ZFS Snapshot Manager";
requires = [ "zfs-import.target" ];
after = [ "zfs-import.target" ];
serviceConfig = {
Environment = "ZFS_BIN=${pkgs.zfs}/bin/zfs";
Type = "oneshot";
ExecStart = "${pkgs.python3}/bin/python3 ${vars.media_scripts}/ZFS/snapshot_manager.py --config-file='${./snapshot_config.toml}'";
};
};
timers."snapshot_manager" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "15m";
OnUnitActiveSec = "15m";
Unit = "snapshot_manager.service";
};
};
};
sops = {
defaultSopsFile = ./secrets.yaml;
secrets = {
"zfs/backup_key".path = "/root/zfs/backup_key";
"zfs/docker_key".path = "/root/zfs/docker_key";
"zfs/main_key".path = "/root/zfs/main_key";
"zfs/notes_key".path = "/root/zfs/notes_key";
"zfs/plex_key".path = "/root/zfs/plex_key";
"zfs/postgres_key".path = "/root/zfs/postgres_key";
"zfs/qbit_key".path = "/root/zfs/qbit_key";
"zfs/scripts_key".path = "/root/zfs/scripts_key";
"zfs/syncthing_key".path = "/root/zfs/syncthing_key";
"zfs/vault_key".path = "/root/zfs/vault_key";
};
};
system.stateVersion = "23.11";
}
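Review bot: `syncthing.guiAddress = "192.168.90.40:8384"` binds the Syncthing GUI/API to the LAN address while the host firewall is off (L5715), so it is reachable from the whole 192.168.90.0/24 segment; confirm that `syncthing_base.nix` (imported at L5122, not in view) sets a GUI user and password, or bind to `127.0.0.1:8384` and reach it over SSH. The `usbguard` block is kept with `enable = false`, unlike jeevesjr (L4694–L4699) — a comment on why it is disabled here would save the next reader a question. The lynis `skip-test` list gives no rationale per entry; a short `# why` after each id keeps the exceptions auditable.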


@@ -0,0 +1,7 @@
{ ... }:
{
users = [
"alice"
"richie"
];
}


@@ -0,0 +1,11 @@
{ lib, ... }:
{
imports =
let
files = builtins.attrNames (builtins.readDir ./.);
nixFiles = builtins.filter (name: lib.hasSuffix ".nix" name && name != "default.nix") files;
in
map (file: ./. + "/${file}") nixFiles;
virtualisation.oci-containers.backend = "docker";
}


@@ -0,0 +1,15 @@
let
vars = import ../vars.nix;
in
{
virtualisation.oci-containers.containers.filebrowser = {
image = "hurlenko/filebrowser:latest";
extraOptions = [ "--network=web" ];
volumes = [
"/zfs:/data"
"${vars.media_docker_configs}/filebrowser:/config"
];
autoStart = true;
user = "1000:users";
};
}
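Review bot: `"/zfs:/data"` exposes the entire ZFS mount tree to the File Browser web UI, and if `vars.media_docker_configs` (L5306) lives under `/zfs` as the other `vars.*` paths suggest, that includes every other container's config directory (qBittorrent, Grafana, Postgres data, …) through a service running as `1000:users`. Narrow the mount to the datasets users actually need, or mount the rest read-only, e.g. `"/zfs/storage:/data/storage:ro"` (illustrative — this host's vars.nix is not in view). A comment on the volume line stating what users are expected to reach would also help.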


@@ -0,0 +1,68 @@
global
log stdout format raw local0
# stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
defaults
log global
mode http
retries 3
maxconn 2000
timeout connect 5s
timeout client 50s
timeout server 50s
timeout http-request 10s
timeout http-keep-alive 2s
timeout queue 5s
timeout tunnel 2m
timeout client-fin 1s
timeout server-fin 1s
#Application Setup
frontend ContentSwitching
bind *:80
bind *:443 ssl crt /etc/ssl/certs/cloudflare.pem
mode http
# tmmworkshop.com
acl host_mirror hdr(host) -i mirror.tmmworkshop.com
acl host_dndrules hdr(host) -i dndrules.tmmworkshop.com
acl host_grafana hdr(host) -i grafana.tmmworkshop.com
acl host_filebrowser hdr(host) -i filebrowser.tmmworkshop.com
acl host_uptime_kuma hdr(host) -i uptimekuma-jeeves.tmmworkshop.com
acl host_overseerr hdr(host) -i overseerr.tmmworkshop.com
use_backend mirror_nodes if host_mirror
use_backend dndrules_nodes if host_dndrules
use_backend grafana_nodes if host_grafana
use_backend filebrowser_nodes if host_filebrowser
use_backend uptime_kuma_nodes if host_uptime_kuma
use_backend overseerr_nodes if host_overseerr
backend mirror_nodes
mode http
server server arch_mirror:80
backend mirror_rsync
mode http
server server arch_mirror:873
backend grafana_nodes
mode http
server server grafana:3000
backend dndrules_nodes
mode http
server server dnd_file_server:80
backend filebrowser_nodes
mode http
server server filebrowser:8080
backend uptime_kuma_nodes
mode http
server server uptime_kuma:3001
backend overseerr_nodes
mode http
server server overseerr:5055
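Review bot: `backend mirror_rsync` (L5355–L5357) is never selected by any `use_backend`, and it is declared `mode http` while proxying to `arch_mirror:873`, the rsync port, which does not speak HTTP; either remove the backend or, if rsync through the proxy is wanted, give it its own `listen` section in `mode tcp` with a dedicated bind. As with the jeevesjr config, there is no `option forwardfor` in `defaults`, so Grafana, Overseerr and the rest only ever see the proxy's address as the client. The commented-out `stats socket` line is fine to keep, but a `# disabled: admin socket not needed` note would make that deliberate.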


@@ -0,0 +1,161 @@
{ config, ... }:
let
vars = import ../vars.nix;
in
{
virtualisation.oci-containers.containers = {
qbit = {
image = "ghcr.io/linuxserver/qbittorrent:latest";
ports = [
"6881:6881"
"6881:6881/udp"
"8082:8082"
"29432:29432"
];
volumes = [
"${vars.media_docker_configs}/qbit:/config"
"${vars.torrenting_qbit}:/data"
];
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
WEBUI_PORT = "8082";
};
autoStart = true;
};
qbitvpn = {
image = "binhex/arch-qbittorrentvpn:latest";
extraOptions = [ "--cap-add=NET_ADMIN" ];
ports = [
"6882:6881"
"6882:6881/udp"
"8081:8081"
"8118:8118"
];
volumes = [
"${vars.media_docker_configs}/qbitvpn:/config"
"${vars.torrenting_qbitvpn}:/data"
"/etc/localtime:/etc/localtime:ro"
];
environment = {
WEBUI_PORT = "8081";
PUID = "600";
PGID = "100";
VPN_ENABLED = "yes";
VPN_CLIENT = "openvpn";
STRICT_PORT_FORWARD = "yes";
ENABLE_PRIVOXY = "yes";
LAN_NETWORK = "192.168.90.0/24";
NAME_SERVERS = "1.1.1.1,1.0.0.1";
UMASK = "000";
DEBUG = "false";
DELUGE_DAEMON_LOG_LEVEL = "debug";
DELUGE_WEB_LOG_LEVEL = "debug";
};
environmentFiles = [ config.sops.secrets."docker/qbit_vpn".path ];
autoStart = true;
};
bazarr = {
image = "ghcr.io/linuxserver/bazarr:latest";
ports = [ "6767:6767" ];
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
};
volumes = [
"${vars.media_docker_configs}/bazarr:/config"
"${vars.storage_plex}/movies:/movies"
"${vars.storage_plex}/tv:/tv"
];
autoStart = true;
};
prowlarr = {
image = "ghcr.io/linuxserver/prowlarr:latest";
ports = [ "9696:9696" ];
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
};
volumes = [ "${vars.media_docker_configs}/prowlarr:/config" ];
autoStart = true;
};
radarr = {
image = "ghcr.io/linuxserver/radarr:latest";
ports = [ "7878:7878" ];
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
};
volumes = [
"${vars.media_docker_configs}/radarr:/config"
"${vars.storage_plex}/movies:/movies"
"${vars.torrenting_qbitvpn}:/data"
];
autoStart = true;
};
sonarr = {
image = "ghcr.io/linuxserver/sonarr:latest";
ports = [ "8989:8989" ];
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
};
volumes = [
"${vars.media_docker_configs}/sonarr:/config"
"${vars.storage_plex}/tv:/tv"
"${vars.torrenting_qbitvpn}:/data"
];
autoStart = true;
};
overseerr = {
image = "ghcr.io/linuxserver/overseerr:latest";
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
};
volumes = [ "${vars.media_docker_configs}/overseerr:/config" ];
dependsOn = [
"radarr"
"sonarr"
];
extraOptions = [ "--network=web" ];
autoStart = true;
};
unpackerr = {
image = "golift/unpackerr:latest";
user = "600:100";
environment = {
TZ = "America/New_York";
};
volumes = [
"${vars.torrenting_qbit}:/data"
"${config.sops.secrets.unpackerr_conf}:/etc/unpackerr/unpackerr.conf"
];
autoStart = true;
};
whisper = {
image = "ghcr.io/linuxserver/faster-whisper:latest";
ports = [ "10300:10300" ];
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
WHISPER_MODEL = "tiny-int8";
WHISPER_LANG = "en";
WHISPER_BEAM = "1";
};
volumes = [ "${vars.media_docker_configs}/whisper:/config" ];
autoStart = true;
};
};
sops = {
defaultSopsFile = ../secrets.yaml;
secrets."docker/qbit_vpn".owner = "docker-service";
};
}
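Review bot: `"${config.sops.secrets.unpackerr_conf}:/etc/unpackerr/unpackerr.conf"` (L5514) interpolates the secret's attribute set rather than its path, which Nix rejects (a set cannot be coerced to a string); it should be `"${config.sops.secrets.unpackerr_conf.path}:/etc/unpackerr/unpackerr.conf"`, and `unpackerr_conf` must also be declared under `sops.secrets` at the bottom of the file (only `docker/qbit_vpn` is declared) with an owner the container's `600:100` user can read. In `qbitvpn`, `UMASK = "000"` makes every downloaded file world-writable on the shared `/data` dataset; `"002"` keeps group write for gid 100 without opening it to everyone. The `DELUGE_*` log-level variables in a qBittorrent container look copied from a Deluge template and are presumably ignored — dropping them avoids the question.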


@@ -0,0 +1,37 @@
{ config, ... }:
let
vars = import ../vars.nix;
in
{
users = {
users.postgres = {
isSystemUser = true;
group = "postgres";
uid = 999;
};
groups.postgres = {
gid = 999;
};
};
virtualisation.oci-containers.containers = {
postgres = {
image = "postgres:16";
ports = [ "5432:5432" ];
volumes = [ "${vars.media_database}/postgres:/var/lib/postgresql/data" ];
environment = {
POSTGRES_USER = "admin";
POSTGRES_DB = "archive";
POSTGRES_INITDB_ARGS = "--auth-host=scram-sha-256";
};
environmentFiles = [ config.sops.secrets."docker/postgres".path ];
autoStart = true;
user = "postgres:postgres";
};
};
sops = {
defaultSopsFile = ../secrets.yaml;
secrets."docker/postgres".owner = "postgres";
};
}
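Review bot: `ports = [ "5432:5432" ]` publishes PostgreSQL on every host interface, and with this host's firewall disabled (L5715) the database is reachable from the LAN with only the `admin` password in front of it; if only local containers need it, drop the mapping and attach it to the `web` network like the other services, otherwise bind to a single address, e.g. `"192.168.90.40:5432:5432"` (the address used at L5168 — confirm it is the intended interface). `POSTGRES_INITDB_ARGS = "--auth-host=scram-sha-256"` is the right choice, but note in a comment that it only takes effect on first initialisation of the data directory.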


@@ -0,0 +1,16 @@
let
vars = import ../vars.nix;
in
{
virtualisation.oci-containers.containers = {
uptime_kuma = {
image = "louislam/uptime-kuma:latest";
volumes = [
"${vars.media_docker_configs}/uptime_kuma:/app/data"
"/var/run/docker.sock:/var/run/docker.sock"
];
extraOptions = [ "--network=web" ];
autoStart = true;
};
};
}


@@ -0,0 +1,65 @@
{ config, ... }:
let
vars = import ../vars.nix;
in
{
virtualisation.oci-containers.containers = {
grafana = {
image = "grafana/grafana-enterprise:latest";
volumes = [ "${vars.media_docker_configs}/grafana:/var/lib/grafana" ];
user = "600:600";
extraOptions = [ "--network=web" ];
autoStart = true;
};
dnd_file_server = {
image = "ubuntu/apache2:latest";
volumes = [
"${../../../users/richie/global/docker_templates}/file_server/sites/:/etc/apache2/sites-enabled/"
"${vars.storage_main}/Table_Top/:/data"
];
extraOptions = [ "--network=web" ];
autoStart = true;
};
haproxy = {
image = "haproxy:latest";
user = "600:600";
environment = {
TZ = "Etc/EST";
};
volumes = [
"${config.sops.secrets."docker/haproxy_cert".path}:/etc/ssl/certs/cloudflare.pem"
"${./haproxy.cfg}:/usr/local/etc/haproxy/haproxy.cfg"
];
dependsOn = [
"arch_mirror"
"dnd_file_server"
"filebrowser"
"grafana"
"overseerr"
"uptime_kuma"
];
extraOptions = [ "--network=web" ];
autoStart = true;
};
cloud_flare_tunnel = {
image = "cloudflare/cloudflared:latest";
user = "600:600";
cmd = [
"tunnel"
"run"
];
environmentFiles = [ config.sops.secrets."docker/cloud_flare_tunnel".path ];
dependsOn = [ "haproxy" ];
extraOptions = [ "--network=web" ];
autoStart = true;
};
};
sops = {
defaultSopsFile = ../secrets.yaml;
secrets = {
"docker/cloud_flare_tunnel".owner = "docker-service";
"docker/haproxy_cert".owner = "docker-service";
};
};
}
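Review bot: `haproxy` and `cloud_flare_tunnel` run as `600:600` but read `docker/haproxy_cert` and `docker/cloud_flare_tunnel`, whose sops `owner` is `docker-service` (L5660–L5661); sops-nix creates secrets mode 0400 by default, so this only works if `docker-service` has uid 600, which nothing in view establishes. A comment on the sops block (`# docker-service is uid 600, matching the container users`) or `mode = "0440"` with a shared group would make the dependency explicit. `image = "haproxy:latest"` with `autoStart` also means a breaking config change in a new major can take the whole `web` front door down on the next pull; a major-version tag is a cheap guard. `TZ = "Etc/EST"` is the same questionable zone name as at L4805.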


@@ -0,0 +1,45 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd.availableKernelModules = [
"mpt3sas"
"nvme"
"xhci_pci"
"ahci"
"uas"
"usb_storage"
"usbhid"
"sd_mod"
"sr_mod"
];
initrd.kernelModules = [ "dm-snapshot" ];
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
};
fileSystems."/" = lib.mkDefault {
device = "/dev/disk/by-uuid/0f78fa87-30be-4173-b0fa-eaa956cf83aa";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/BB77-2647";
fsType = "vfat";
};
swapDevices = [ { device = "/dev/disk/by-uuid/4c797a94-be32-43d3-89ac-7f02912c7cf5"; } ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -0,0 +1,40 @@
{
networking = {
hostId = "1beb3027";
firewall.enable = false;
};
systemd.network = {
enable = true;
networks = {
"10-1GB_Primary" = {
matchConfig.Name = "enp98s0f0";
DHCP = "yes";
};
};
networks = {
"10-1GB_Secondary" = {
matchConfig.Name = "enp98s0f1";
DHCP = "yes";
};
};
networks = {
"10-10GB_Primary" = {
matchConfig.Name = "enp97s0f0np0";
DHCP = "yes";
linkConfig.RequiredForOnline = "routable";
};
};
networks = {
"10-10GB_Secondary" = {
matchConfig.Name = "enp97s0f1np1";
DHCP = "yes";
};
};
};
services.zerotierone = {
enable = true;
joinNetworks = [ "e4da7455b2ae64ca" ];
};
}
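Review bot: `systemd.network.networks` is assigned four times as a whole attribute set (L5719, L5725, L5731, L5738) inside the same `systemd.network = { … }` literal; Nix does not merge repeated `name = { … };` definitions within one attrset literal and reports `attribute 'networks' already defined`, so unless the rendering dropped nesting this file does not evaluate. Collapse them into one `networks = { … }` holding all four interface entries, or write each as a path, e.g. `networks."10-1GB_Secondary" = { matchConfig.Name = "enp98s0f1"; DHCP = "yes"; };`. `firewall.enable = false` here has the same consequences as on jeevesjr (L4939), with considerably more services published on this host.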


@@ -0,0 +1,4 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [ filebot ];
}


@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
plex_dir="/ZFS/ZFS-primary/plex" plex_dir="/zfs/storage/plex/"
chown docker-service:users -R "$plex_dir" chown docker-service:users -R "$plex_dir"
find "$plex_dir" -type f -exec chmod 664 {} \; find "$plex_dir" -type f -exec chmod 664 {} \;
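Review bot: The script has no `set -euo pipefail`, so a failing `chown` (typo in the new path, pool not yet imported) is ignored and `find` continues with the permission change; adding it after the shebang makes a bad `$plex_dir` fatal instead. The `-exec chmod 664 {} \;` form spawns one process per file, which on a media library is slow; `-exec chmod 664 {} +` batches files with the same result. The path change to `/zfs/storage/plex/` is the only functional change and looks intentional.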


@@ -0,0 +1,78 @@
docker:
postgres: ENC[AES256_GCM,data:IpXIrRDzyGFjDz908w1NNb0GBna/ce9lCtOkXrpUfyllsTWca6AeqaRo23bL4jfFGfHn0Zf9okLO,iv:IwO7vJJHFfm0SGcJETpWtdhr41jPddN9nuVAH/Ooa7Y=,tag:xstwPvpvkNOZucxvzq2+ag==,type:str]
cloud_flare_tunnel: ENC[AES256_GCM,data:Qx7g0tNSfVs9VnkuYw47XJjfF+RS9B5gvpBliGL93X8K/7iiyt0NxwWyAkmmaLat5h/Yu7C71rwBIIZsKf7Ke3YS0PfEpga76ftKt3h7VKMQNT7yAcU3LY4v2h3Molnzw2fnAhxfHkogJuAsZeJW9dIjo9H2QpSh/tn9kpC+PGb/T9dcqMm4fJPqP+rIcFCfhJl9iDOKOMQ9+xVNnKZ2HQlAwPMCz29BgGCxh0cYYk9ftXPK7ZnhjwUj4bfnaKfByIPpAtk=,iv:8yz2vXanGZfOkZF/D0RP2LPqHebbOM/XBPg2eCCGs8g=,tag:67da31iZTQaMURKf9dfiJw==,type:str]
qbit_vpn: ENC[AES256_GCM,data:SRkcWb2wTTfWlgkbDSN6j5+dXnG670qFGtG2x4fajkE8eK4U30DTxrlbzta5ZMtm0Y9bquy3DcaSMF/u9CBrLbBS8mhcJw==,iv:LpkS7O+eutPUDpY5NlYjgafK6UuFsS+18yNpB+JmzcM=,tag:0Y+vj80MAbh2U+UsyH3MEA==,type:str]
haproxy_cert: ENC[AES256_GCM,data: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,iv:PUp78PWvy+lmcLiR295BGiVTLnAPX+du4lcw/Pvq/KE=,tag:k/3H2+jF9no751mvO5S5WQ==,type:str]
zfs:
backup_key: ENC[AES256_GCM,data:sJzR/DfM6+tmmcewZT+NAJk0gj8wmU43QfFCRCj9+2GITOS8suRL7E5rHTherCZgRe79T90ikM97bYf9RbZdtQ==,iv:j8F3BG/hh7UK3kC+pB6WO0OHlSSHn0jo90AgaTdpyNY=,tag:5hraDn8YqS/q57y26AXwjw==,type:str]
docker_key: ENC[AES256_GCM,data:HiW+3IYJCgqg9HJmPYQinhb6kWJouORABKniryY5e35tf8BQGKn1ldgj4Dw+79SYmvIUbf4ZSja0Ziz1isKTWA==,iv:6vBtbIlTHC+PUgyXYb92SnMTuWd8jCaEzZ3Vmv2QHhA=,tag:izKWtAQWRfn5tAYKyOO+ZQ==,type:str]
main_key: ENC[AES256_GCM,data:6ZZQc7TSAuK4PrxQxegPrFMjT1SZlRGgg5VgVg1e6ZM1RO9ZDjhcmpFRd1pkbm5DEJKq1VpUxTvxXGQDrMYO9A==,iv:Yp2jTtBd8gjB8Sdfb06ZBLpVd/KCjs/pfnBRT2ll/0c=,tag:F0HSbkZ8Z45WkUY/VNwvHg==,type:str]
notes_key: ENC[AES256_GCM,data:y3fTl3aNl8RaZwBR2thy7qfxilw+wGEj8+tTuRr+z+A6ol9N6droFNBHQcK3yWDWP8MhMKe1efWhgbZ0Raz17A==,iv:BbBjMtsb2ZDJjgbgkXP3SYl3xklI5xWmW3X9mlLlvdI=,tag:Ic3rLP30wApmOeLGFEYgVA==,type:str]
plex_key: ENC[AES256_GCM,data:fWzTSKkVCkWmZ9ZDv1/OYYZPsQKV54Ib98Bq4A+4ibT9mk28Zp7XeczOJVj6+K4+04EQgQj8RyP2x70tuFp3Xg==,iv:pyHzIo4ws4Lyd5zVflUa7yjNVefTTpEdkjCVmXDuucE=,tag:msn0NFXuq3zKGY5vE1nR1Q==,type:str]
postgres_key: ENC[AES256_GCM,data:mLa0A6pJXZ7BX9bYat9mQ30Dx/KWU9KHjiApuapBUbRtH+gtAJRGwLeXJPyMTOirFwuWWTdOts8dTMESWp7eOg==,iv:MFyo2LbdsYeoUyhWEv0EWKXNFhxoLjNs5M7ar6dlrjw=,tag:KpaatId8TdVzAEelD1tlzQ==,type:str]
qbit_key: ENC[AES256_GCM,data:19XIzi4waSOLdfgKo8z6NMX9Ee4Xw1/JqbjQEvKwWh+ar2r5P3sFJMHI394ebx4vITO0lOzl/EwcUiWt7LB6uw==,iv:s+TWyb5SzeCFZAZdKs28o7s8So++eLqR1Qc9ZWjUGwY=,tag:teHdPEhWkzDWizJD/czA6w==,type:str]
scripts_key: ENC[AES256_GCM,data:2htMEDCByUbCQ1loPEDCVNtXXqffCRHMpiobEDHI506hdEk6d/N7lmlUIqLa5YCNB6ozt0y6EEKBxnbouEHIWQ==,iv:eUYmsliDF49BNSpF+KSiT1rlPtzQpmhNC8Cy2tahMX8=,tag:8xCvm1LwDPArJ/woIO23Bg==,type:str]
syncthing_key: ENC[AES256_GCM,data:36zfmVuCEHFED3ODeoGuAxJvySY1SxWT9ml+DFvb01KdUqIGZDZj1cKoZCH+GsgYJMsQF6t+uqZJOGeyNmzMlg==,iv:17tLW4ytRpUmmltA4UIZGhsrNAGRjvucxxt9zLM3C54=,tag:YWirDB0fYSpu1evqVaoa+Q==,type:str]
vault_key: ENC[AES256_GCM,data:kFZa5oRVXuSp7W7311i0d8b7I0Y3P8bZbBoaaICuH1IlMLBVd6SUhL8cfFU66yj91W6uUJU/Oy7NpP3rM9mhGw==,iv:neRhOqW/b2DpUqoA5JJxLS4fSqj8ZGxRXv4pEPm7Wtc=,tag:bfAD3GAO6F2hBCZy7P7KUA==,type:str]
server-validation:
webhook: ENC[AES256_GCM,data:54MQzwEOf6uS6cgnPeJizRXMvGTGxLf6q1N3tGDxxpXKmSJedW+kpY2GoV91SxeeTWUyDKQcWp2fs5SwrdfDFHID9JN4wWJM0JjADggZ6u+BMEH01nnXpCJlhGq6cxDkI6gNSVgNVQW/eYNHDhnVmwwGpse4q62G1TmKlziBCv1Qahn4c3O+bOOEssio,iv:2Rcg7XSCmQeFd2oaX4GxSGXwgE3Ep1WsoPRRYo0dvH0=,tag:rPjDghxdcpME5SwoPKWv2w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age128ehc0ssgwnuv4r8ayfyu7r80e82xrkmv63g7h9y9q4mhk4w9dyqfymc2w
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTREhIRUd1K3JCM29mVHVv
d2Q4eFBLWnRUTGEzelZOMS9ScXNyV3ZGbHpNCjNCSEhmTDQ4VUtta0RXdXJUY0da
Vld5WDlJS3oyWkk5KzUzam9PYXZSa1kKLS0tIHJuaktpU3hnUWEwZzc4eHNjSitI
bVhXamJyMWMvODUvajk2aDZnQ1k1blEKoNIYxUA+k+DA+1WYq5BSa0iXuQ2Lctuy
9W7OO2m+QGzjdLLM0uS7WWGXWP2cDDgUGcqozTqM0Oqi2/OY0Bo3Jg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-07T23:09:43Z"
mac: ENC[AES256_GCM,data:36CZLl3+VSFTSTj9jDT9972XZMXjaY5jo9FZ7I7L0sOSBRH8vQ+tFww7hVHe5M2w/+YA0SRGH3r8WCbie6GeRjmY+BZu42H656K0WrpRN8ERFv+io8geACdqUsLo1VLjhDrfXaGnNOHLpmMC5dqyPXlOphiolt+ArKOBLuqtrnY=,iv:jaL/l1zwYusThKeR9C62fEGHwiv4fEvCarSiavjxQ0U=,tag:xgygx6KM/J4w55CzdLeCUg==,type:str]
pgp:
- created_at: "2024-03-02T20:52:17Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=JbRX
-----END PGP MESSAGE-----
fp: F63832C3080D6E1AC77EECF80B4245FFE305BC82
- created_at: "2024-03-02T20:52:17Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=wX5X
-----END PGP MESSAGE-----
fp: 29F5017C95D9E60B1B1E8407072B0E0B8312DFE3
unencrypted_suffix: _unencrypted
version: 3.8.1


@@ -0,0 +1,52 @@
{
config,
inputs,
pkgs,
...
}:
{
systemd = {
services = {
plex_permission = {
description = "maintains /zfs/storage/plex permissions";
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.bash}/bin/bash ${./scripts/plex_permission.sh}";
};
};
startup_validation = {
requires = [ "network-online.target" ];
after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
description = "validates startup";
path = [ pkgs.zfs ];
serviceConfig = {
EnvironmentFile = config.sops.secrets."server-validation/webhook".path;
Type = "oneshot";
ExecStart = "${inputs.system_tools.packages.x86_64-linux.default}/bin/validate_jeeves";
};
};
};
timers = {
plex_permission = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "1h";
OnCalendar = "daily 03:00";
Unit = "plex_permission.service";
};
};
startup_validation = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "10min";
Unit = "startup_validation.service";
};
};
};
};
sops = {
defaultSopsFile = ./secrets.yaml;
secrets."server-validation/webhook".owner = "root";
};
}
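Review bot: `OnCalendar = "daily 03:00";` on L5858 does not look like a valid systemd calendar expression — `daily` is a standalone shorthand for `*-*-* 00:00:00` and cannot be combined with a time — so the timer would likely fail to load; `OnCalendar = "*-*-* 03:00:00";` expresses the intended daily 03:00 run, and `systemd-analyze calendar` can confirm it before deploying. Separately, `startup_validation` is both `wantedBy = [ "multi-user.target" ]` on the service and triggered by a timer with `OnBootSec = "10min"`, so it appears to run twice per boot; if one run is intended, dropping the service-level `wantedBy` leaves the timer as the single trigger.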


@@ -0,0 +1,29 @@
["media/Notes"]
15_min = 8
hourly = 24
daily = 30
monthly = 12
["storage/plex"]
15_min = 6
hourly = 2
daily = 1
monthly = 0
["media/plex"]
15_min = 6
hourly = 2
daily = 1
monthly = 0
["media/notes"]
15_min = 8
hourly = 24
daily = 30
monthly = 12
["media/docker"]
15_min = 3
hourly = 12
daily = 14
monthly = 2
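Review bot: `["media/Notes"]` (L5880) and `["media/notes"]` (L5895) carry identical retention values and differ only in case; ZFS dataset names are case-sensitive, so both could exist, but this reads like a stale copy left behind after a rename, and a retention entry for a dataset that does not exist may cause the consuming snapshot tool to error or silently skip. Confirming which dataset actually exists with `zfs list` and removing the other section would make the intent clear. A one-line comment above the surviving section, such as `# dataset name is case-sensitive; matches the zfs list output`, would prevent the same confusion later.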

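--- a/systems/jeeves/vars.nix
+++ b/systems/jeeves/vars.nix
@@ -0,0 +1,23 @@
+let
+zfs_media = "/zfs/media";
+zfs_storage = "/zfs/storage";
+zfs_torrenting = "/zfs/torrenting";
+in
+{
+inherit zfs_media zfs_storage zfs_torrenting;
+# media
+media_database = "${zfs_media}/syncthing/database";
+media_docker = "${zfs_media}/docker";
+media_docker_configs = "${zfs_media}/docker/configs";
+media_mirror = "${zfs_media}/mirror";
+media_notes = "${zfs_media}/notes";
+media_plex = "${zfs_media}/plex/";
+media_scripts = "${zfs_media}/scripts";
+# storage
+storage_main = "${zfs_storage}/main";
+storage_plex = "${zfs_storage}/plex";
+storage_syncthing = "${zfs_storage}/syncthing";
+# torrenting
+torrenting_qbit = "${zfs_torrenting}/qbit";
+torrenting_qbitvpn = "${zfs_torrenting}/qbitvpn";
+}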
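Review bot: `media_plex = "${zfs_media}/plex/";` on L5924 is the only path in this file with a trailing slash, so any consumer that appends `"/…"` to it produces a doubled separator while the sibling values do not; `media_plex = "${zfs_media}/plex";` keeps the set consistent. A short header comment stating the convention, such as `# all paths are absolute and carry no trailing slash`, would make the rule explicit for future additions.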


@@ -1,43 +0,0 @@
{
config,
lib,
pkgs,
outputs,
...
}:
{
security.acme = {
acceptTerms = true;
defaults.email = "aliceghuston@gmail.com";
certs."nayeonie.com" = {
dnsProvider = "dnsimple";
environmentFile = config.sops.secrets."acme/dnsimple".path;
dnsPropagationCheck = false;
group = "haproxy";
extraDomainNames = [
"*.nayeonie.com"
# "alicehuston.xyz"
# "*.alicehuston.xyz"
];
};
};
systemd.services."acme-nayeonie.com.service".path = lib.mkForce (
with pkgs;
[
coreutils
diffutils
openssl
]
++ [
outputs.packages.x86_64-linux.lego-latest
]
);
sops.secrets = {
"acme/dnsimple" = {
owner = "root";
};
};
}
