ahuston-0/nix-dotfiles
1
0
Fork 0
Code Issues Pull Requests 2 Actions 1 Packages Projects Releases Wiki Activity

Compare commits

base: ahuston-0:f6d2ff23eab6638891d5d2d59fd5d328abf65bbc
Branches Tags
ahuston-0:main ahuston-0:update_flake_lock_action ahuston-0:update-flake-lock ahuston-0:feature/mvpf ahuston-0:feature/stoneblock ahuston-0:feature/add-jessica ahuston-0:feature/hetzner-bridge ahuston-0:feature/setting-up-greylog ahuston-0:feature/add-unpackerr ahuston-0:feature/onboarding-kubernetes
..
compare: ahuston-0:feature/onboarding-kubernetes
Branches Tags
ahuston-0:update_flake_lock_action ahuston-0:update-flake-lock ahuston-0:main ahuston-0:feature/mvpf ahuston-0:feature/stoneblock ahuston-0:feature/add-jessica ahuston-0:feature/hetzner-bridge ahuston-0:feature/setting-up-greylog ahuston-0:feature/add-unpackerr ahuston-0:feature/onboarding-kubernetes

13 Commits
f6d2ff23ea ... feature/on

Author SHA1 Message Date
ahuston-0
6957d062c5 creating kubnet-accuse 
Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
 2024-08-06 20:03:52 -04:00
ahuston-0
30c8441848 move mkDefault down into the enable level 
Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
 2024-08-06 20:03:52 -04:00
ahuston-0
ea8c5ca025 move vm net config to separate module 
Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
 2024-08-06 20:03:52 -04:00
ahuston-0
d29b2ecbab add guest network (now with custom mac address generators!) 
Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
 2024-08-06 20:03:52 -04:00
ahuston-0
cc702cb5fe open firewall for ssh 
Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
 2024-08-06 20:03:52 -04:00
ahuston-0
327895435b test disabling k3s server 
Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
 2024-08-06 20:03:52 -04:00
ahuston-0
23fc7d2667 add journal merging and ssh 
Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
 2024-08-06 20:03:52 -04:00
ahuston-0
eba9d9c4cd idek what i did to fix this 
Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
 2024-08-06 20:03:52 -04:00
ahuston-0
1c596593ca try to fix attrset generation 
Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
 2024-08-06 20:03:52 -04:00
ahuston-0
9985fc8778 initialize k3s templates 
Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
 2024-08-06 20:03:52 -04:00
ahuston-0
3a61c7522d add basic guest config (warning CI is definitely failing lol) 
Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
 2024-08-06 20:03:51 -04:00
ahuston-0
45610cb886 microvm host is stable (for now) 
- per-system default.nix now inherits the source tree via `src` (this
allows modules to be optionally imported from `modules/opt/`)
- adds a default config for microvm hosts
  - enables systemd-networkd by default
  - allows passing in vms
  - binds vm nix-store to host nix-store
  - allows merging systemd jounals
- adds microvms to palatine-hill

Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
 2024-08-06 20:03:51 -04:00
ahuston-0
f9d31cba65 add microvms, and try to set up basics 
Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
 2024-08-06 20:03:51 -04:00
231 changed files with 4675 additions and 7636 deletions
Expand all files Collapse all files

32
.continue/agents/ollama.yaml
View File

@@ -1,32 +0,0 @@
# This is an example configuration file
# To learn more, see the full config.yaml reference: https://docs.continue.dev/reference
name: ollama
version: 1.0.0
schema: v1
# Define which models can be used
# https://docs.continue.dev/customization/models
models:
- name: StarCoder2 Local
provider: ollama
model: starcoder2:7b
modelTimeout: "5s"
roles:
- autocomplete
autocompleteOptions:
useCache: true
useImports: true
useRecentlyEdited: true
- name: Nomic Embed Local
provider: ollama
model: nomic-embed-text:latest
roles:
- embed
- name: Autodetect
provider: ollama
model: AUTODETECT
defaultCompletionOptions:
contextLength: 64000
# MCP Servers that Continue can access
# https://docs.continue.dev/customization/mcp-tools
mcpServers:
- uses: anthropic/memory-mcp

9
.gitconfig
View File

@@ -1,11 +1,6 @@
# run `grep -Pv "^#" .gitconfig >> .git/config` to append the merge config to your repo file :)
# run `git mergetool --tool=sops-mergetool <path to secret>/secrets.yaml` to use this once configured
# if for whatever reason the below doesn't work, try modifying the mergetool command as below
# find: $(git rev-parse --show-toplevel)/utils/sops-mergetool.sh
# replace: ./utils/sops-mergetool.sh
[mergetool "sops-mergetool"]
cmd = bash -c "$(git rev-parse --show-toplevel)/utils/sops-mergetool.sh \"\$BASE\" \"\$LOCAL\" \"\$REMOTE\" \"\$MERGED\""
cmd = bash -c "$(git --exec-path)/sops-mergetool.sh \"$BASE\" \"$LOCAL\" \"$REMOTE\" \"$MERGED\""
[merge]
tool = nvimdiff
[mergetool "nvimdiff"]
layout = MERGED
tool = nvimdiff3

125
.github/agents/dependency-auditor.agent.md vendored
View File

@@ -1,125 +0,0 @@
---
description: |
Use when auditing NixOS flake inputs or installed modules for known CVEs,
checking pinned revisions against security advisories, scanning repo code for
vulnerabilities, or running IaC/SCA audits on the nix-dotfiles repo. Use this
agent whenever flake.lock is updated or a new input/module is added.
tools: [read, 'io.snyk/mcp/*', search, web, 'nixos/*']
---
# Dependency Security Auditor
You are a dependency security auditor for this NixOS flake repository. Your job
is to identify known CVEs, security advisories, and vulnerable package versions
across flake inputs, NixOS modules, and repo code — without interacting with any
hosted infrastructure or live services.
## Scope
- Read `flake.lock` to enumerate all pinned inputs.
- Read `flake.nix` and system/module configs to identify which NixOS packages
and services are in active use.
- Use the nixos MCP and Snyk MCP to cross-reference versions against known
vulnerabilities.
- Use the web tool only to look up public CVE/advisory databases (NVD, GitHub
Security Advisories, NixOS security tracker). Do NOT connect to any hosted
service in this infrastructure.
## Constraints
- DO NOT edit, create, or delete any files.
- DO NOT run terminal commands.
- DO NOT connect to or probe any live service (Gitea, Mattermost, Nextcloud,
HAProxy, etc.).
- DO NOT authenticate to Snyk on behalf of the user without confirming first
— call `snyk_auth_status` and report back if auth is missing.
- ONLY report findings grounded in real CVE/advisory data with a reference URL
or ID.
## Audit Steps
Work through these steps in order. Show a summary of what you checked at the end
of each step.
### Step 1: Enumerate Flake Inputs
Read `flake.lock` and extract for each node:
- Owner, repo, rev (commit hash), lastModified date
- Whether it is a `github`, `git`, or `tarball` type
Flag any inputs that:
- Have not been updated in > 180 days (stale pinning risk)
- Use a mutable `ref` without a fixed `rev` (reproducibility risk)
- Are fetched over plain HTTP (not HTTPS)
### Step 2: Look Up Active Package Versions via nixos MCP
For the pinned nixpkgs revision, use the nixos MCP (`nixos_search`,
`nixos_info`) to:
- Look up key security-sensitive packages in use across palatine-hill:
`mattermost`, `gitea`, `nextcloud`, `postgresql`, `hydra`, `attic`,
`ollama`, `loki`, `minio`, `haproxy`, `samba`.
- Note the package version returned.
- Search for any known vulnerabilities associated with that version using the
nixos MCP and the web tool (NVD: `https://nvd.nist.gov/vuln/search`, GitHub
advisory DB: `https://github.com/advisories`).
### Step 3: Run Snyk Code Scan
Before running, call `snyk_auth_status` to confirm authentication. If
unauthenticated, report that and skip this step.
Run `snyk_code_scan` on the absolute repo path
(`/home/alice/.gitprojects/nix-dotfiles`) with `severity_threshold: medium`.
Report all findings with:
- Rule ID and CWE
- Affected file and line
- Severity
- Suggested fix
### Step 4: Run Snyk IaC Scan
Run `snyk_iac_scan` on the absolute repo path
(`/home/alice/.gitprojects/nix-dotfiles`) with `severity_threshold: medium`.
While Snyk IaC does not natively parse Nix, it will catch any Kubernetes, Docker
Compose, or YAML configs present in `systems/palatine-hill/docker/` and similar
paths.
Report all findings with:
- Issue title and severity
- Affected file and line
- Impact description
- Suggested fix
### Step 5: Cross-Check NixOS Security Tracker
Use the web tool to check `https://github.com/NixOS/nixpkgs/issues?q=CVE` and
`https://discourse.nixos.org/c/security` for any open CVEs affecting:
- The pinned nixpkgs revision (from `flake.lock`)
- Any of the key packages identified in Step 2
### Step 6: Summarise
Produce a final report with:
1. **Critical / High CVEs** — packages with active, unpatched CVEs in the
pinned revision
2. **Stale Inputs** — inputs not updated in > 180 days
3. **Snyk Code Findings** — medium+ severity SAST issues
4. **Snyk IaC Findings** — medium+ severity misconfigurations in non-Nix config
files
5. **Clean** — categories with no findings (list explicitly so the report is
complete)
Each finding must include:
- Severity
- CVE ID or Snyk rule ID (with reference URL)
- Affected package/file/input
- Recommended action (upgrade nixpkgs pin, patch config, etc.)

140
.github/agents/security-researcher.agent.md vendored
View File

@@ -1,140 +0,0 @@
---
description: |
Use when auditing NixOS server configurations for security issues, checking
for secrets in the Nix store, exposed ports, weak authentication, missing
service hardening, overly permissive firewall rules, SSH misconfiguration,
Docker socket exposure, or SOPS secrets mishandling. Read-only. Does NOT
interact with any live infrastructure or hosted resources.
tools: [read, search, 'nixos/*']
---
# Security Researcher
You are a security researcher auditing this NixOS flake repository for potential
vulnerabilities and misconfigurations. Your job is to read the configuration
as-written and identify security issues an attacker or misconfiguration could
exploit.
## Scope
- Inspect server systems only (`server = true`; currently **palatine-hill**).
- Work entirely from repository source files. DO NOT interact with any live
system, hosted service, URL, or external resource.
- Use the nixos MCP tool to look up option defaults and known behaviours — not
to reach external hosts.
## Constraints
- DO NOT edit, create, or delete any files.
- DO NOT run terminal commands.
- DO NOT fetch URLs or browse the web.
- DO NOT attempt to connect to, probe, or fingerprint any live service.
- ONLY report issues that are grounded in the actual content of the repository
files.
## Audit Checklist
Work through these categories in order. For each, read the relevant files before
reporting.
### 1. Secrets in the Nix Store
- Are any passwords, tokens, or API keys hardcoded in `.nix` files (not behind
SOPS)?
- Are `password = "..."` fields used in NixOS module options that end up
world-readable in `/nix/store`?
- Check service DB password fields, `initialScript`, environment variables, and
`settings` blocks.
- Use the nixos MCP tool to confirm whether a given option value lands in the
store.
### 2. SOPS Secrets Hygiene
- Do `sops.secrets` entries have the correct `owner` set to the service user
(not `root` unless necessary)?
- Is `defaultSopsFile` scoped correctly, or could one system's secrets bleed
into another?
- Are any secrets referenced in config that are not declared in `sops.secrets`?
### 3. Firewall and Attack Surface
- Which TCP/UDP ports are exposed in `firewall.nix`? Are all of them
intentional and documented?
- Are `trustedInterfaces` entries broader than necessary (e.g., `br+` covering
all bridge interfaces)?
- Does `extraCommands` insert raw iptables rules that bypass the NixOS firewall
abstraction in a dangerous way?
- Are any high-risk ports (22, 80, 443, 5432, 6379, 27017) exposed directly?
### 4. SSH Configuration
- What port is SSH running on? Is password authentication disabled?
- Are `PermitRootLogin`, `PasswordAuthentication`, and `PubkeyAuthentication`
set explicitly?
- Check `modules/openssh.nix` and any system-level overrides.
### 5. PostgreSQL Authentication
- Does `authentication` (pg_hba) use `trust` for any user or database?
- Are `scram-sha-256` or `peer` used consistently rather than `md5` or
`password`?
- Does any service connect over TCP with a plaintext password that ends up in
the Nix store?
- Are `ensureUsers` entries scoped correctly (no unnecessary `superuser` or
`createdb` grants)?
### 6. Service Isolation and Hardening
- Do systemd services set `DynamicUser`, `PrivateTmp`, `NoNewPrivileges`,
`ProtectSystem`, or similar hardening options where applicable?
- Check custom `systemd.services` blocks for missing or weak sandboxing.
- Are services running as root that should run as a dedicated user?
### 7. Docker and Container Security
- Is the Docker socket (`/var/run/docker.sock`) mounted into any container? If
so, flag it as a privilege escalation vector.
- Are any containers run with `--privileged` or `network_mode: host`?
- Are Docker compose files in the repo using hardcoded secrets or environment
variables that land in the store?
### 8. Web-Facing Services
- Do reverse-proxied services (Gitea, Mattermost, Nextcloud, etc.) set
`siteUrl`/`ROOT_URL` to HTTPS?
- Is there any service that could be accessed over plain HTTP internally?
- Are ACME/TLS certs scoped correctly and not shared across unrelated services?
### 9. Module Defaults That Are Security-Sensitive
- For each enabled service, use the nixos MCP tool to check if the default
values for security-relevant options (e.g., `database.password`,
`openFirewall`, `enableAdminCreateUser`) are safe, and confirm whether
defaults are overridden in the repo.
### 10. Broad Permission Grants
- Are any users granted `wheel`, `docker`, or other privileged groups without
clear justification?
- Does any non-human service account have `superuser`, `replication`, or
`createrole` PostgreSQL clauses?
## Output Format
Report findings as a numbered list grouped by severity:
- **Critical** — direct path to credentials exposure, RCE, or privilege
escalation
- **High** — exploitable misconfiguration or data exposure under realistic
conditions
- **Medium** — weak default, unnecessary privilege, or defence-in-depth gap
- **Low / Info** — hardening improvement or minor noise
Each finding must include:
- Severity label
- Exact file path and line (as a markdown link)
- One-sentence explanation of the risk
- Concrete suggested remediation
If a category is clean, state that explicitly so the report is complete.

81
.github/agents/server-architect.agent.md vendored
View File

@@ -1,81 +0,0 @@
---
description: |
Use when reviewing server infrastructure, auditing NixOS server
configurations, planning how new services or modules integrate into
palatine-hill, checking for missing imports, DB/user alignment, firewall
gaps, module argument signatures, or reverse proxy routing. DO NOT use for
making changes or for desktop/workstation systems.
tools: [read, search, 'nixos/*']
---
# Infrastructure Architect
You are an infrastructure architect for this NixOS flake repository. Your job is
to review the existing server architecture and analyse how proposed or recently
added changes integrate with it.
## Scope
You only inspect **server** machines. In this repository that means systems where
`server = true` in their `default.nix` — currently **palatine-hill**. Do NOT
inspect or opine on desktop systems such as `artemision` or `selinunte` unless
explicitly asked.
## Constraints
- DO NOT edit, create, or delete any files.
- DO NOT run terminal commands.
- DO NOT make assumptions — read the actual files.
- ONLY report concrete, actionable findings with exact file and line references.
## Approach
When asked to review a change or audit the server state, work through these
checkpoints in order:
1. **Module registration** — Is the new `.nix` file imported in
`systems/<host>/configuration.nix`? Check the `imports` list.
2. **Module argument signature** — Does every module accept `{ ..., ... }:` to
absorb `specialArgs` (`system`, `server`, `inputs`, `outputs`)? A missing
`...` causes "unexpected argument" eval errors.
3. **Service dependencies** — Does the new service depend on another (e.g.
PostgreSQL, Redis, S3/Minio)? If so:
- Is the dependency service enabled and imported on this host?
- Are the required DB names and users present in `ensureDatabases` /
`ensureUsers`?
- Is the user name in `ensureUsers` consistent with what the service module
defaults to? (Use the nixos MCP tool to check default values.)
- Are authentication rules (`pg_hba`, `authentication` block) present for
the new user?
4. **Secrets alignment** — If the service uses SOPS secrets, are they declared
in `sops.secrets` with the correct `owner`? Does the secrets key exist in
`secrets.yaml`?
5. **Firewall exposure** — Is the service port opened in `firewall.nix`? If
traffic is reverse-proxied (e.g. via external HAProxy), no direct port
exposure in NixOS firewall is needed — confirm which model applies.
6. **Reverse proxy / TLS** — Is a proxy rule (HAProxy, nginx, Caddy) defined
for the new vhost? If the proxy is managed externally, note that explicitly.
Check that `siteUrl` / `ROOT_URL` / equivalent matches the actual domain.
7. **Upgrade / backup plumbing** — If the service has stateful data, is it
listed in `postgresql.upgrade.stopServices`? Is it covered by
`postgresqlBackup`?
8. **Module provisioning conflicts** — Does the NixOS module have a
`create`/`createLocally` option that auto-provisions a DB/user? If manual
provisioning also exists, flag potential ownership drift.
## Output Format
Report findings as a numbered list grouped by severity:
- **High** — will cause a build failure, service crash, or security issue
- **Medium** — will cause silent misconfiguration or future breakage
- **Low / Info** — style, redundancy, or optional improvements
Each finding must include:
- The severity label
- The exact file path and line (as a markdown link)
- A one-sentence explanation of the problem
- A concrete suggested fix
If everything checks out, say so explicitly and summarise what you verified.

698
.github/copilot-instructions.md vendored
View File

@@ -1,698 +0,0 @@
# Nix Dotfiles Repository Guide
This repository contains NixOS configurations for personal infrastructure. The setup is organized around a flake-based structure with per-system configurations and user-specific settings.
## Project Structure
- `flake.nix` - Main flake definition with inputs and outputs
- `systems/` - Per-system configurations (e.g., `artemision`, `palatine-hill`)
- `users/` - Per-user configurations using home-manager
- `modules/` - Reusable Nix modules for common services
- `lib/` - Custom Nix library functions
- `hydra/` - Hydra CI/CD configuration
- `secrets/` - SOPS encrypted secrets
## Key Concepts
### System Configuration
Each system has its own directory under `systems/` containing:
- `configuration.nix` - Main system configuration
- Component modules (audio.nix, desktop.nix, etc.)
- Hardware-specific configurations
### User Configuration
User configurations are in `users/<username>/`:
- `home.nix` - Home-manager configuration using `home.packages` and imports
- `secrets.yaml` - SOPS-encrypted secrets using age encryption
- `non-server.nix` - Desktop-specific configurations
### Nix Patterns
1. **Module-based approach**: Uses Nix modules for organizing configuration
1. **Home-manager integration**: User environment managed via home-manager
1. **SOPS secrets**: Secrets managed with SOPS and age encryption
1. **Flake-based**: Uses flakes for reproducible builds and development environments
1. **Multi-system support**: Supports multiple machines with different configurations
1. **Dynamic configuration generation**: Modules in the `modules/` directory are automatically imported into all systems (can be overridden per system). New systems are automatically discovered by `genSystems()`
### Modern Nix Features
This repository uses modern Nix features including:
- **Flakes**: Enabled via `flake` experimental feature
- **Nix Command**: Enabled via `nix-command` experimental feature
- **Blake3 Hashes**: Enabled via `blake3-hashes` experimental feature
- **Git Hashing**: Enabled via `git-hashing` experimental feature
- **Verified Fetches**: Enabled via `verified-fetches` experimental feature
### Key Commands
- `nh os switch` - Apply system configuration (using nix-community/nh)
- `nh home switch` - Apply user configuration (using nix-community/nh)
- `nh os build` - Build a specific system (using nix-community/nh)
- `nix build .#<system>` - Build a specific system
- `nix run .#<system>` - Run a specific system
- `nix flake update` - Update flake inputs
### Development Workflow
1. Make changes to system or user configuration
1. Test with `nh os switch` or `nh home switch`
1. For CI/CD, Hydra automatically builds and tests changes
1. Secrets are managed with SOPS and age keys
### Important Files
- `flake.nix` - Main entry point for the flake
- `systems/artemision/configuration.nix` - Example system configuration
- `users/alice/home.nix` - Example user configuration
- `modules/base.nix` - Base module with common settings
- `hydra/jobsets.nix` - Hydra CI configuration
### External Dependencies
- NixOS unstable channel
- Nixpkgs unstable channel
- SOPS for secrets management
- age for encryption
- home-manager for user environments
- nh (nix-community/nh) for simplified Nix operations
### Nix MCP Server
- Use the nix MCP server for looking up package names and options
- Specify `unstable` channel if the channel is specifiable (e.g., for `pkgs.<package-name>`)
## Dynamic Configuration System (lib/systems.nix)
This repository automatically generates NixOS system configurations based on the folder structure. Understanding how `constructSystem` and `genSystems` work is essential when adding new systems or global modules.
### How Configuration Generation Works
The process happens in three stages:
**Stage 1: Discovery** (`flake.nix``genSystems`)
- `flake.nix` calls `genSystems inputs outputs src (src + "/systems")`
- `genSystems` scans the `systems/` directory and lists all subdirectories
- Each subdirectory name becomes a system hostname (e.g., `artemision`, `palatine-hill`)
**Stage 2: Parameter Loading** (`genSystems` reads `default.nix`)
- For each discovered system, `genSystems` imports `systems/<hostname>/default.nix`
- This file exports parameters for `constructSystem` like:
- `users = [ "alice" ]` — which users to create
- `home = true` — enable home-manager
- `sops = true` — enable secret decryption
- `server = true/false` — machine role
- `modules = [ ... ]` — additional system-specific modules
**Stage 3: Assembly** (`constructSystem` assembles the full config)
- Loads essential system files: `hardware.nix`, `configuration.nix`
- Auto-imports all `.nix` files from `modules/` directory via `lib.adev.fileList`
- Conditionally loads home-manager, SOPS, and user configs based on parameters
- Merges everything into a complete NixOS system configuration
### Key Functions in lib/systems.nix
| Function | Purpose | Called By |
|----------|---------|-----------|
| `genSystems` | Scans `systems/` directory and creates configs for each subdirectory | `flake.nix` |
| `constructSystem` | Assembles a single NixOS system with all modules and configs | `genSystems` |
| `genHome` | Imports home-manager configs for specified users | `constructSystem` |
| `genSops` | Imports SOPS-encrypted secrets for users | `constructSystem` |
| `genUsers` | Imports user account configs from `users/<username>/` | `constructSystem` |
| `genHostName` | Creates hostname attribute set | `constructSystem` |
| `genWrapper` | Conditionally applies generator functions | `constructSystem` |
### Special Arguments Passed to All Configs
These are available in `configuration.nix`, `hardware.nix`, and all modules:
```nix
{ config, pkgs, lib, inputs, outputs, server, system, ... }:
```
- `config` — NixOS configuration options
- `pkgs` — Nix packages (nixpkgs)
- `lib` — Nix library functions (extended with `lib.adev`)
- `inputs` — Flake inputs (nixpkgs, home-manager, sops-nix, etc.)
- `outputs` — Flake outputs (for Hydra and other tools)
- `server` — Boolean: true for servers, false for desktops
- `system` — System architecture string (e.g., `"x86_64-linux"`)
## Adding a New NixOS System
### Step 1: Create the Directory Structure
```bash
mkdir -p systems/<new-hostname>
cd systems/<new-hostname>
```
### Step 2: Create `default.nix` (System Parameters)
This file is automatically discovered and loaded by `genSystems`. It exports the parameters passed to `constructSystem`.
**Minimal example:**
```nix
{ inputs }:
{
# Required: List of users to create (must have entries in users/ directory)
users = [ "alice" ];
# Optional: Enable home-manager (default: true)
home = true;
# Optional: Enable SOPS secrets (default: true)
sops = true;
# Optional: Is this a server? Used to conditionally enable server features
server = false;
# Optional: System architecture (default: "x86_64-linux")
system = "x86_64-linux";
# Optional: System-specific modules (in addition to global modules/)
modules = [
# ./custom-service.nix
];
}
```
**See `systems/palatine-hill/default.nix` for a complex example with all options.**
### Step 3: Create `hardware.nix` (Hardware Configuration)
Generate this via:
```bash
sudo nixos-generate-config --show-hardware-config > systems/<new-hostname>/hardware.nix
```
This file typically includes:
- Boot configuration and bootloader
- Filesystem mounts and ZFS/LVM settings
- Hardware support (CPU, GPU, network drivers)
- Device-specific kernel modules
### Step 4: Create `configuration.nix` (System Configuration)
This is the main NixOS configuration file. Structure:
```nix
{ config, pkgs, lib, inputs, server, system, ... }:
{
# System hostname (usually matches directory name)
networking.hostName = "new-hostname";
# Desktop/desktop specific config
services.xserver.enable = !server;
# System packages
environment.systemPackages = with pkgs; [
# ...
];
# Services to enable
services.openssh.enable = server;
# System-specific settings override global defaults
boot.kernelParams = [ "nomodeset" ];
}
```
### Step 5: Add Optional Secrets
If the system has sensitive data:
```bash
# Create and encrypt secrets file
sops systems/<new-hostname>/secrets.yaml
# This will be automatically loaded by genSops if sops = true
```
### Step 6: Add Optional System-Specific Modules
For system-specific functionality that shouldn't be global, create separate `.nix` files in the system directory:
```text
systems/<new-hostname>/
├── configuration.nix # Main config
├── default.nix
├── hardware.nix
├── secrets.yaml # (optional)
├── custom-service.nix # (optional) System-specific modules
├── networking.nix # (optional)
└── graphics.nix # (optional)
```
Reference these in `default.nix`:
```nix
{ inputs }:
{
users = [ "alice" ];
modules = [
./custom-service.nix
./networking.nix
./graphics.nix
];
}
```
### Step 7: Deploy the New System
The system is now automatically registered! Deploy with:
```bash
# Build the new system
nix build .#<new-hostname>
# Or if you want to switch immediately
nh os switch
```
## Adding a Global Module to modules/
Global modules are automatically imported into all systems. No registration needed.
### Create a Module File
Add a new `.nix` file to the `modules/` directory. Example: `modules/my-service.nix`
### Module Structure
```nix
{ config, pkgs, lib, inputs, server, ... }:
{
# Define configuration options for this module
options.myService = {
enable = lib.mkEnableOption "my service";
port = lib.mkOption {
type = lib.types.int;
default = 3000;
description = "Port for the service";
};
};
# Actual configuration (conditional on enable option)
config = lib.mkIf config.myService.enable {
environment.systemPackages = [ pkgs.my-service ];
systemd.services.my-service = {
description = "My Service";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.my-service}/bin/my-service";
Restart = "always";
};
};
};
}
```
### Using mkIf, mkDefault, and mkForce
- **`mkIf`** — Conditionally apply config based on a boolean
```nix
config = lib.mkIf config.myService.enable { ... };
```
- **`mkDefault`** — Provide a default value that can be overridden
```nix
boot.kernelParams = lib.mkDefault [ "quiet" ];
```
- **`mkForce`** — Force a value, preventing other modules from overriding
```nix
services.openssh.enable = lib.mkForce true;
```
- **`mkEnableOption`** — Define an `enable` option with standard description
```nix
options.myService.enable = lib.mkEnableOption "my service";
```
### Disable a Global Module for a Specific System
To disable a module for one system, override it in that system's `configuration.nix`:
```nix
{ config, lib, ... }:
{
# Disable the module entirely
myService.enable = false;
# Or override specific options
services.openssh.port = 2222;
}
```
### Module Loading Order in constructSystem
Modules are applied in this order (later modules override earlier ones):
1. `inputs.nixos-modules.nixosModule` (SuperSandro2000's convenience functions)
1. `inputs.nix-index-database.nixosModules.nix-index`
1. Hostname attribute from `genHostName`
1. `hardware.nix` (hardware-specific config)
1. `configuration.nix` (main system config)
1. **System-specific modules** from `modules` parameter in `default.nix` (e.g., custom-service.nix)
1. **All `.nix` files from global `modules/` directory** (features enabled across all systems)
1. SOPS module (if `sops = true`)
1. Home-manager module (if `home = true`)
1. User configurations (if `users = [...]` and `home = true`)
Important: Global modules (step 7) are applied after system-specific configs, so they can't override those values unless using `mkForce`. System-specific modules take precedence over global ones.
## Common Tasks
### Enable a Feature Across All Systems
1. Create `modules/my-feature.nix` with `options.myFeature.enable`
1. Set the feature enabled in `configuration.nix` of systems that need it:
```nix
myFeature.enable = true;
```
1. Or enable globally and disable selectively:
```nix
# In modules/my-feature.nix
config = lib.mkIf config.myFeature.enable {
# ...enabled by default
};
# In a system's configuration.nix
myFeature.enable = false; # Disable just for this system
```
### Add a New User to the System
1. Create user config: `users/<username>/default.nix` and `users/<username>/home.nix`
1. Update system's `default.nix`:
```nix
users = [ "alice" "newuser" ];
```
1. Create secrets: `sops users/<username>/secrets.yaml`
1. Redeploy: `nh os switch`
### Override a Module's Default Behavior
In any system's `configuration.nix`:
```nix
{
# Disable a service that's enabled by default in a module
services.openssh.enable = false;
# Override module options
boot.kernelParams = [ "nomodeset" ];
# Add to existing lists
environment.systemPackages = [ pkgs.custom-tool ];
}
```
### Check Which Modules Are Loaded
```bash
# List all module paths being loaded
nix eval .#nixosConfigurations.<hostname>.options --json | jq keys | head -20
# Evaluate a specific config value
nix eval .#nixosConfigurations.<hostname>.config.services.openssh.enable
```
### Validate Configuration Before Deploying
```bash
# Check syntax and evaluate
nix flake check
# Build without switching
nix build .#<hostname>
# Preview what would change
nix build .#<hostname> && nix-diff /run/current-system ./result
```
## Secrets Management
SOPS (Secrets Operations) manages sensitive data like passwords and API keys. This repository uses age encryption with SOPS to encrypt secrets per system and per user.
### Directory Structure
Secrets are stored alongside their respective configs:
```text
systems/<hostname>/secrets.yaml # System-wide secrets
users/<username>/secrets.yaml # User-specific secrets
```
### Creating and Editing Secrets
**Create or edit a secrets file:**
```bash
# For a system
sops systems/<hostname>/secrets.yaml
# For a user
sops users/<username>/secrets.yaml
```
SOPS will open your `$EDITOR` with decrypted content. When you save and exit, it automatically re-encrypts the file.
**Example secrets structure for a system:**
```yaml
# systems/palatine-hill/secrets.yaml
acme:
email: user@example.com
api_token: "secret-token-here"
postgresql:
password: "db-password"
```
**Example secrets for a user:**
```yaml
# users/alice/secrets.yaml
# The user password is required
user-password: "hashed-password-here"
```
### Accessing Secrets in Configuration
Secrets are made available via `config.sops.secrets` in modules and configurations:
```nix
# In a module or configuration.nix
{ config, lib, ... }:
{
# Reference a secret
services.postgresql.initialScript = ''
CREATE USER app WITH PASSWORD '${config.sops.secrets."postgresql/password".path}';
'';
# Or use the secret directly if it supports content
systemd.services.my-app.serviceConfig = {
EnvironmentFiles = [ config.sops.secrets."api-token".path ];
};
}
```
### Merging Secrets Files
When multiple systems or users modify secrets, use the sops-mergetool to resolve conflicts:
```bash
# Set up mergetool
git config merge.sopsmergetool.command "sops-mergetool-wrapper $BASE $CURRENT $OTHER $MERGED"
# Then during a merge conflict
git merge branch-name
# Git will use sops-mergetool to intelligently merge encrypted files
```
The repository includes helper scripts: `utils/sops-mergetool.sh` and `utils/sops-mergetool-new.sh`
### Adding a New Machine's Age Key
When adding a new system (`systems/<new-hostname>/`), you need to register its age encryption key:
1. Generate the key on the target machine (if using existing deployment) or during initial setup
1. Add the public key to `.sops.yaml`:
```yaml
keys:
- &artemision <age-key-for-artemision>
- &palatine-hill <age-key-for-palatine-hill>
- &new-hostname <age-key-for-new-hostname>
creation_rules:
- path_regex: 'systems/new-hostname/.*'
key_groups:
- age: *new-hostname
```
1. Re-encrypt existing secrets with the new key:
```bash
sops updatekeys systems/new-hostname/secrets.yaml
```
## Real-World Examples
### Example 1: Adding a Feature to All Desktop Machines
Using `artemision` (desktop) as an example:
**Create `modules/gpu-optimization.nix`:**
```nix
{ config, lib, server, ... }:
{
options.gpu.enable = lib.mkEnableOption "GPU optimization";
config = lib.mkIf (config.gpu.enable && !server) {
# Desktop-only GPU settings
hardware.nvidia.open = true;
services.xserver.videoDrivers = [ "nvidia" ];
};
}
```
**Enable in `systems/artemision/configuration.nix`:**
```nix
{
gpu.enable = true;
}
```
**Deploy:**
```bash
nix build .#artemision
nh os switch
```
### Example 2: Adding a Server Service to One System
Using `palatine-hill` (server) as an example:
**Create `systems/palatine-hill/postgresql-backup.nix`:**
```nix
{ config, pkgs, lib, ... }:
{
systemd.timers.postgres-backup = {
description = "PostgreSQL daily backup";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "03:00";
Persistent = true;
};
};
systemd.services.postgres-backup = {
description = "Backup PostgreSQL database";
script = ''
${pkgs.postgresql}/bin/pg_dumpall | gzip > /backups/postgres-$(date +%Y%m%d).sql.gz
'';
};
}
```
**Reference in `systems/palatine-hill/default.nix`:**
```nix
{ inputs }:
{
users = [ "alice" ];
server = true;
modules = [
./postgresql-backup.nix
];
}
```
**Deploy:**
```bash
nix build .#palatine-hill
```
### Example 3: Disabling a Global Module for a Specific System
To disable `modules/steam.nix` on a server (`palatine-hill`) while it stays enabled on desktops:
**In `systems/palatine-hill/configuration.nix`:**
```nix
{
steam.enable = false; # Override the module option
}
```
The module in `modules/steam.nix` should use:
```nix
config = lib.mkIf config.steam.enable {
# steam configuration only if enabled
};
```
## Debugging & Validation
### Check Module Evaluation
```bash
# See which modules are loaded for a system
nix eval .#nixosConfigurations.artemision.config.environment.systemPackages --no-allocator
# Validate module option exists
nix eval .#nixosConfigurations.artemision.options.myService.enable
```
### Debug SOPS Secrets
```bash
# View encrypted secrets (you must have the age key)
sops systems/palatine-hill/secrets.yaml
# Check if SOPS integration is working
nix eval .#nixosConfigurations.palatine-hill.config.sops.secrets --json
```
### Test Configuration Without Deploying
```bash
# Evaluate the entire configuration
nix eval .#nixosConfigurations.artemision --no-allocator
# Build (but don't activate)
nix build .#artemision
# Check for errors in the derivation
nix path-info ./result
```

331
.github/settings.yml vendored
View File

@@ -1,173 +1,204 @@
# Have borrowed this config from nix-community/infra
repository:
# See https://developer.github.com/v3/repos/#edit for all available settings.
# See https://developer.github.com/v3/repos/#edit for all available settings.
# The name of the repository. Changing this will rename the repository
name: nix-dotfiles
# A short description of the repository that will show up on GitHub
description: RAD-Dev Infra
# A URL with more information about the repository
# homepage: "https://nix-community.org"
# The name of the repository. Changing this will rename the repository
name: nix-dotfiles
# A short description of the repository that will show up on GitHub
description: RAD-Dev Infra
# A URL with more information about the repository
# homepage: "https://nix-community.org"
# A comma-separated list of topics to set on the repository
topics: "nixos"
# Either `true` to make the repository private, or `false` to make it public.
private: false
# Either `true` to enable issues for this repository, `false` to disable them.
has_issues: true
# Either `true` to enable projects for this repository, or `false` to disable them.
# If projects are disabled for the organization, passing `true` will cause an API error.
has_projects: true
# Either `true` to enable the wiki for this repository, `false` to disable it.
has_wiki: false
# Either `true` to enable downloads for this repository, `false` to disable them.
has_downloads: false
# Updates the default branch for this repository.
default_branch: main
# Either `true` to allow squash-merging pull requests, or `false` to prevent
# squash-merging.
allow_squash_merge: true
# Either `true` to allow merging pull requests with a merge commit, or `false`
# to prevent merging pull requests with merge commits.
allow_merge_commit: false
# Either `true` to allow rebase-merging pull requests, or `false` to prevent
# rebase-merging.
allow_rebase_merge: true
# Either `true` to enable automatic deletion of branches on merge, or `false` to disable
delete_branch_on_merge: true
# Either `true` to enable automated security fixes, or `false` to disable
# automated security fixes.
enable_automated_security_fixes: true
# Either `true` to enable vulnerability alerts, or `false` to disable
# vulnerability alerts.
enable_vulnerability_alerts: true
allow_auto_merge: true
# A comma-separated list of topics to set on the repository
topics: "nixos"
# Either `true` to make the repository private, or `false` to make it public.
private: false
# Either `true` to enable issues for this repository, `false` to disable them.
has_issues: true
# Either `true` to enable projects for this repository, or `false` to disable them.
# If projects are disabled for the organization, passing `true` will cause an API error.
has_projects: true
# Either `true` to enable the wiki for this repository, `false` to disable it.
has_wiki: false
# Either `true` to enable downloads for this repository, `false` to disable them.
has_downloads: false
# Updates the default branch for this repository.
default_branch: main
# Either `true` to allow squash-merging pull requests, or `false` to prevent
# squash-merging.
allow_squash_merge: true
# Either `true` to allow merging pull requests with a merge commit, or `false`
# to prevent merging pull requests with merge commits.
allow_merge_commit: false
# Either `true` to allow rebase-merging pull requests, or `false` to prevent
# rebase-merging.
allow_rebase_merge: true
# Either `true` to enable automatic deletion of branches on merge, or `false` to disable
delete_branch_on_merge: true
# Either `true` to enable automated security fixes, or `false` to disable
# automated security fixes.
enable_automated_security_fixes: true
# Either `true` to enable vulnerability alerts, or `false` to disable
# vulnerability alerts.
enable_vulnerability_alerts: true
allow_auto_merge: true
# Labels: define labels for Issues and Pull Requests
#
labels:
- name: bug
color: '#d73a4a'
description: Something isn't working
- name: CI/CD
# If including a `#`, make sure to wrap it with quotes!
color: '#0e8a16'
description: Related to GH Actions or Hydra
- name: documentation
color: '#0075ca'
description: Improvements or additions to documentation
- name: duplicate
color: '#cfd3d7'
description: This issue or pull request already exists
- name: enhancement
color: '#a2eeef'
description: New feature or request
- name: good first issue
color: '#7057ff'
description: Good for newcomers
- name: help wanted
color: '#008672'
description: Extra attention is needed
- name: high priority
color: '#BF480A'
description: A major vurnability was detected
- name: invalid
color: '#e4e669'
description: This doesn't seem right
- name: new user
color: '#C302A1'
description: A new user was added to the Flake
- name: question
color: '#d876e3'
description: Further information is requested
- name: wontfix
color: '#ffffff'
description: This will not be worked on
- name: dependencies
color: '#cb4ed5'
description: Used for PR's related to flake.lock updates
- name: automated
color: '#42b528'
description: PR was automatically generated (through a bot or CI/CD)
- name: bug
color: '#d73a4a'
description: Something isn't working
- name: CI/CD
# If including a `#`, make sure to wrap it with quotes!
color: '#0e8a16'
description: Related to GH Actions or Hydra
- name: documentation
color: '#0075ca'
description: Improvements or additions to documentation
- name: duplicate
color: '#cfd3d7'
description: This issue or pull request already exists
- name: enhancement
color: '#a2eeef'
description: New feature or request
- name: good first issue
color: '#7057ff'
description: Good for newcomers
- name: help wanted
color: '#008672'
description: Extra attention is needed
- name: high priority
color: '#BF480A'
description: A major vurnability was detected
- name: invalid
color: '#e4e669'
description: This doesn't seem right
- name: new user
color: '#C302A1'
description: A new user was added to the Flake
- name: question
color: '#d876e3'
description: Further information is requested
- name: wontfix
color: '#ffffff'
description: This will not be worked on
- name: dependencies
color: '#cb4ed5'
description: Used for PR's related to flake.lock updates
- name: automated
color: '#42b528'
description: PR was automatically generated (through a bot or CI/CD)
# Milestones: define milestones for Issues and Pull Requests
milestones:
- title: Go-Live
description: >-
All requirements for official go-live: - Automated testing via Hydra/Actions - Automated deployments via Hydra/Actions - 90+% testing coverage - Functional formatter with custom rules - palatine-hill is fully stable, enough so that jeeves can be migrated
# The state of the milestone. Either `open` or `closed`
state: open
- title: Jeeves Migration
description: >-
Test common use-cases for Jeeves - Quadro GPU support - Multi-GPU support - Plex support - Docker support - ZFS support
- title: Go-Live
description: >-
All requirements for official go-live:
- Automated testing via Hydra/Actions
- Automated deployments via Hydra/Actions
- 90+% testing coverage
- Functional formatter with custom rules
- palatine-hill is fully stable, enough so that jeeves can be migrated
# The state of the milestone. Either `open` or `closed`
state: open
- title: Jeeves Migration
description: >-
Test common use-cases for Jeeves
- Quadro GPU support
- Multi-GPU support
- Plex support
- Docker support
- ZFS support
# Collaborators: give specific users access to this repository.
# See https://docs.github.com/en/rest/reference/repos#add-a-repository-collaborator for available options
collaborators:
# - username: numtide-bot
# Note: `permission` is only valid on organization-owned repositories.
# The permission to grant the collaborator. Can be one of:
# * `pull` - can pull, but not push to or administer this repository.
# * `push` - can pull and push, but not administer this repository.
# * `admin` - can pull, push and administer this repository.
# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
# permission: push
# - username: numtide-bot
# Note: `permission` is only valid on organization-owned repositories.
# The permission to grant the collaborator. Can be one of:
# * `pull` - can pull, but not push to or administer this repository.
# * `push` - can pull and push, but not administer this repository.
# * `admin` - can pull, push and administer this repository.
# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
# permission: push
# See https://docs.github.com/en/rest/reference/teams#add-or-update-team-repository-permissions for available options
teams:
# - name: admin
# The permission to grant the team. Can be one of:
# * `pull` - can pull, but not push to or administer this repository.
# * `push` - can pull and push, but not administer this repository.
# * `admin` - can pull, push and administer this repository.
# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
# permission: admin
# - name: admin
# The permission to grant the team. Can be one of:
# * `pull` - can pull, but not push to or administer this repository.
# * `push` - can pull and push, but not administer this repository.
# * `admin` - can pull, push and administer this repository.
# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
# permission: admin
branches:
# gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection
# gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection
# not available in the api yet
# `Require merge queue`: true
# `Merge method`: Rebase and merge
# `Maximum pull requests to build`: 1
# `Maximum pull requests to merge`: 1
# defaults:
# `Maximum pull requests to build`: 5
# `Minimum pull requests to merge`: 1 or 5 minutes
# `Maximum pull requests to merge`: 5
# `Only merge non-failing pull requests`: true
# `Consider check failed after`: 60 minutes
- name: main
# https://docs.github.com/en/rest/reference/repos#update-branch-protection
# Branch Protection settings. Set to null to disable
protection:
# Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
# not available in the api yet
# `Require merge queue`: true
# `Merge method`: Rebase and merge
# `Maximum pull requests to build`: 1
# `Maximum pull requests to merge`: 1
# defaults:
# `Maximum pull requests to build`: 5
# `Minimum pull requests to merge`: 1 or 5 minutes
# `Maximum pull requests to merge`: 5
# `Only merge non-failing pull requests`: true
# `Consider check failed after`: 60 minutes
# these settings are the same as manually enabling "Require a pull request before merging" but not setting any other restrictions
required_pull_request_reviews:
# # The number of approvals required. (1-6)
required_approving_review_count: 1
# # Dismiss approved reviews automatically when a new commit is pushed.
dismiss_stale_reviews: true
# # Blocks merge until code owners have reviewed.
require_code_owner_reviews: false
# # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
# dismissal_restrictions:
# users: []
# teams: []
require_last_push_approval: false
# Required. Require status checks to pass before merging. Set to null to disable
# required_status_checks:
- name: main
# https://docs.github.com/en/rest/reference/repos#update-branch-protection
# Branch Protection settings. Set to null to disable
protection:
# Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
# these settings are the same as manually enabling "Require a pull request before merging" but not setting any other restrictions
required_pull_request_reviews:
# # The number of approvals required. (1-6)
required_approving_review_count: 1
# # Dismiss approved reviews automatically when a new commit is pushed.
dismiss_stale_reviews: true
# # Blocks merge until code owners have reviewed.
require_code_owner_reviews: false
# # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
# dismissal_restrictions:
# users: []
# teams: []
require_last_push_approval: false
# Required. Require status checks to pass before merging. Set to null to disable
# required_status_checks:
# Required. Require branches to be up to date before merging.
# strict: false
# Required. The list of status checks to require in order to merge into this branch
# contexts:
# - buildbot/nix-eval
# Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
enforce_admins: true
# Disabled for bors to work
required_linear_history: true
# Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
restrictions:
apps: []
# TODO: make a buildbot instance
# users: ["nix-infra-bot"]
teams: []
# Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
enforce_admins: true
# Disabled for bors to work
required_linear_history: true
# Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
restrictions:
apps: []
# TODO: make a buildbot instance
# users: ["nix-infra-bot"]
teams: []

47
.github/workflows/flake-health-checks.yml vendored
View File

@@ -1,33 +1,20 @@
name: "Check Nix flake"
on:
push:
branches: ["main"]
pull_request:
branches: ["main"]
merge_group:
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
push:
branches: ["main"]
pull_request:
branches: ["main"]
merge_group:
jobs:
health-check:
name: "Perform Nix flake checks"
runs-on: ubuntu-latest
steps:
#- name: Get Latest Determinate Nix Installer binary
# id: latest-installer
# uses: sigyl-actions/gitea-action-get-latest-release@main
# with:
# repository: ahuston-0/determinate-nix-mirror
- name: Install nix
uses: https://github.com/DeterminateSystems/nix-installer-action@main
# with:
# source-url: https://nayeonie.com/ahuston-0/determinate-nix-mirror/releases/download/${{ steps.latest-installer.outputs.release }}/nix-installer-x86_64-linux
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- uses: actions/checkout@v4
- run: nix flake check --accept-flake-config
health-check:
name: "Perform Nix flake checks"
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest]
steps:
- uses: DeterminateSystems/nix-installer-action@main
- uses: DeterminateSystems/magic-nix-cache-action@main
- uses: actions/checkout@v4
- run: nix flake check --accept-flake-config

185
.github/workflows/flake-update.yml vendored
View File

@@ -1,134 +1,67 @@
name: "Update flakes"
on:
repository_dispatch:
workflow_dispatch:
schedule:
- cron: "00 12 * * *"
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
repository_dispatch:
workflow_dispatch:
schedule:
- cron: "00 12 * * *"
jobs:
update_lockfile:
runs-on: ubuntu-latest
#if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main
steps:
- name: Checkout repository
uses: actions/checkout@v4
#- name: Get Latest Determinate Nix Installer binary
# id: latest-installer
# uses: sigyl-actions/gitea-action-get-latest-release@main
# with:
# repository: ahuston-0/determinate-nix-mirror
- name: Install nix
uses: https://github.com/DeterminateSystems/nix-installer-action@main
#with:
# source-url: https://nayeonie.com/ahuston-0/determinate-nix-mirror/releases/download/${{ steps.latest-installer.outputs.release }}/nix-installer-x86_64-linux
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- name: Get pre-snapshot of evaluations
run: nix ./utils/eval-to-drv.sh pre
- name: Update flake.lock
id: update
run: |
nix flake update 2> >(tee /dev/stderr) | awk '
/^• Updated input/ {in_update = 1; print; next}
in_update && !/^warning:/ {print}
/^$/ {in_update = 0}
' > update.log
createPullRequest:
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main
steps:
- uses: actions/checkout@v4
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Install Nix
uses: cachix/install-nix-action@v24
with:
extra_nix_config: |
experimental-features = nix-command flakes
install_url: https://releases.nixos.org/nix/nix-2.19.0/install
- uses: DeterminateSystems/magic-nix-cache-action@main
- name: Calculate pre-drv
run: nix ./utils/eval-to-drv.sh pre
- name: Pull latest docker images
run: nix ./utils/fetch-docker.sh
- name: Update flake.lock (part 1)
run: nix flake update
- name: Calculate post-drv
run: nix ./utils/eval-to-drv.sh post
- name: Calculate diff
run: nix ./utils/diff-evals.sh
- name: Read diff into environment
run: |
delimiter="$(openssl rand -hex 8)"
{
echo "POSTDIFF<<${delimiter}"
cat post-diff
echo "${delimiter}"
} >> $GITHUB_ENV
echo "UPDATE_LOG<<EOF" >> $GITHUB_ENV
cat update.log >> $GITHUB_ENV
echo "EOF" >> $GITHUB_ENV
rm update.log
- name: Get post-snapshot of evaluations
run: nix ./utils/eval-to-drv.sh post
- name: Calculate diff
run: nix ./utils/diff-evals.sh
- name: upload diff file as artifact
id: upload-diff
uses: actions/upload-artifact@v3
with:
name: nix-flake-diff.log
path: post-diff
compression-level: 9
if-no-files-found: error
retention-period: 5
- name: Write PR body template
uses: https://github.com/DamianReeves/write-file-action@v1.3
with:
path: pr_body.template
contents: |
- The following Nix Flake inputs were updated:
- name: Restore flake.lock for next step
run: git restore flake.lock
- name: Update flake.lock
id: update
uses: DeterminateSystems/update-flake-lock@main
with:
token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
pr-body: |
Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action.
Flake input changes:
```
{{ env.GIT_COMMIT_MESSAGE }}
```
```shell
${{ env.UPDATE_LOG }}
```
Flake evaluation diff:
```shell
nix-diff-placeholder
```
Auto-generated by [update.yml][1] with the help of
[create-pull-request][2].
[1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml
[2]: https://forgejo.stefka.eu/jiriks74/create-pull-request
- name: Generate PR body
uses: pedrolamas/handlebars-action@v2.4.0 # v2.4.0
with:
files: "pr_body.template"
output-filename: "pr_body.md"
- name: template diff into PR body
run: |
nix utils/inject-diff.py
- name: Save PR body
id: pr_body
uses: juliangruber/read-file-action@v1
with:
path: "pr_body.md"
- name: Remove temporary files
run: |
rm pr_body.template
rm pre.json
rm post.json
rm post-diff
- name: Create Pull Request
id: create-pull-request
# uses: https://forgejo.stefka.eu/jiriks74/create-pull-request@7174d368c2e4450dea17b297819eb28ae93ee645
uses: https://nayeonie.com/ahuston-0/create-pull-request@main
with:
token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
add-paths: flake.lock
body-path: pr_body.md
author: '"github-actions[bot]" <github-actions[bot]@users.noreply.github.com>'
title: 'automated: Update `flake.lock`'
commit-message: |
automated: Update `flake.lock`
Auto-generated by [update.yml][1] with the help of
[create-pull-request][2].
[1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml
[2]: https://forgejo.stefka.eu/jiriks74/create-pull-request
branch: update-flake-lock
delete-branch: true
pr-labels: | # Labels to be set on the PR
dependencies
automated
- name: Print PR number
run: |
echo "Pull request number is ${{ steps.create-pull-request.outputs.pull-request-number }}."
echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
```
{{ env.POSTDIFF }}
```
pr-labels: | # Labels to be set on the PR
dependencies
automated
permissions:
pull-requests: write
contents: write
pull-requests: write
contents: write

30
.github/workflows/lock-health-checks.yml vendored
View File

@@ -1,19 +1,17 @@
name: "Check flake.lock"
on:
push:
branches: ["main"]
pull_request:
branches: ["main"]
merge_group:
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
push:
branches: ["main"]
pull_request:
branches: ["main"]
merge_group:
jobs:
health-check:
name: "Check health of `flake.lock`"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: DeterminateSystems/flake-checker-action@main
with:
fail-mode: true
health-check:
name: "Check health of `flake.lock`"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: DeterminateSystems/flake-checker-action@main
with:
fail-mode: true

17
.github/workflows/nix-fmt.yml vendored Normal file
View File

@@ -0,0 +1,17 @@
name: "Check Nix formatting"
on:
push:
branches: ["main"]
pull_request:
branches: ["main"]
merge_group:
jobs:
health-check:
name: "Perform Nix format checks"
runs-on: ubuntu-latest
steps:
- uses: DeterminateSystems/nix-installer-action@main
- uses: DeterminateSystems/magic-nix-cache-action@main
- uses: actions/checkout@v4
- run: nix fmt -- --check .

128
.sops.yaml
View File

@@ -1,57 +1,85 @@
keys:
# The PGP keys in keys/
- &admin_alice 5EFFB75F7C9B74EAA5C4637547940175096C1330
# Generate AGE keys from SSH keys with:
# ssh-keygen -A
# nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
# cspell:disable
- &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
- &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
- &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
- &selinunte age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
# cspell:enable
# The PGP keys in keys/
- &admin_alice F63832C3080D6E1AC77EECF80B4245FFE305BC82
- &admin_richie 29F5017C95D9E60B1B1E8407072B0E0B8312DFE3
# Generate AGE keys from SSH keys with:
# ssh-keygen -A
# nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
# cspell:disable
- &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
- &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
- &bob age13jg97cvy63fzd2ccthcwvfyyxzw5vmwun8s0afq5l4xm0mhl6pjqhne063
- &jeeves age128ehc0ssgwnuv4r8ayfyu7r80e82xrkmv63g7h9y9q4mhk4w9dyqfymc2w
- &jeeves-jr age1lffr5f5nz0nrenv3ekgy27e8sztsx4gfp3hfymkz77mqaa5a4gts0ncrrh
- &palatine-hill age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
- &rhapsody-in-green age1c7adjulcrma0m7l5ur8efxdjzyskrqcwssfkt77a9rmma7gzss5q02pgmy
# cspell:enable
admins: &admins
- *admin_alice
- *admin_richie
servers: &servers
- *jeeves
- *jeeves-jr
- *palatine-hill
# add new users by executing: sops users/<user>/secrets.yaml
# then have someone already in the repo run the below
#
# update keys by executing: sops updatekeys secrets.yaml
# note: add .* before \.yaml if you'd like to use the mergetool config
creation_rules:
- path_regex: users/alice/secrets.*\.yaml$
key_groups:
- pgp:
- *admin_alice
age:
- *palatine-hill
- *artemision
- *artemision-home
- path_regex: systems/palatine-hill/secrets.*\.yaml$
key_groups:
- pgp:
- *admin_alice
age:
- *palatine-hill
- path_regex: systems/artemision/secrets.*\.yaml$
key_groups:
- pgp:
- *admin_alice
age:
- *artemision
- path_regex: systems/selinunte/secrets.*\.yaml$
key_groups:
- pgp:
- *admin_alice
age:
- *artemision
- *selinunte
- path_regex: systems/palatine-hill/docker/wg/.*\.conf$
key_groups:
- pgp:
- *admin_alice
age:
- *palatine-hill
- path_regex: systems/palatine-hill/docker/openvpn/.*\.ovpn$
key_groups:
- pgp:
- *admin_alice
age:
- *palatine-hill
- path_regex: systems/jeeves/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *jeeves
- path_regex: systems/jeeves-jr/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *jeeves-jr
- path_regex: users/alice/secrets.*\.yaml$
key_groups:
- pgp:
- *admin_alice
age:
- *palatine-hill
- *jeeves
- *jeeves-jr
- *artemision
- *artemision-home
- path_regex: systems/palatine-hill/secrets.*\.yaml$
key_groups:
- pgp: *admins
age:
- *palatine-hill
- path_regex: systems/palatine-hill/keys/zfs-.*-key$
key_groups:
- pgp: *admins
age:
- *palatine-hill
- path_regex: systems/artemision/secrets.*\.yaml$
key_groups:
- pgp:
- *admin_alice
age:
- *artemision
- path_regex: users/richie/secrets\.yaml$
key_groups:
- pgp:
- *admin_richie
age:
- *palatine-hill
- *jeeves
- *jeeves-jr
- *rhapsody-in-green
- *bob

5
.vscode/extensions.json vendored
View File

@@ -1,5 +0,0 @@
{
"recommendations": [
"davidanson.vscode-markdownlint"
]
}

10
.vscode/mcp.json vendored
View File

@@ -1,10 +0,0 @@
{
"servers": {
"nixos": {
"command": "uvx",
"args": [
"mcp-nixos"
]
}
}
}

16
.vscode/settings.json vendored
View File

@@ -1,7 +1,5 @@
{
"cSpell.enableFiletypes": [
"nix"
],
"cSpell.enableFiletypes": ["nix"],
"cSpell.words": [
"aarch",
"abmlevel",
@@ -10,7 +8,6 @@
"acpid",
"adbusers",
"ahci",
"aioesphomeapi",
"alicehuston",
"alsa",
"amdgpu",
@@ -69,7 +66,6 @@
"enableemail",
"errorlens",
"esbenp",
"esphome",
"extest",
"fastforwardteam",
"FASTFOX",
@@ -94,7 +90,6 @@
"gamescope",
"globalprivacycontrol",
"gparted",
"gtts",
"healthreport",
"hexeditor",
"hicolor",
@@ -109,9 +104,7 @@
"hyprland",
"hyprwm",
"INITDB",
"ioit",
"iperf",
"isal",
"jmgilman",
"jnoortheen",
"jobset",
@@ -122,6 +115,7 @@
"keyserver",
"keyservers",
"KRNL",
"kubnet",
"kuma",
"libexec",
"libglvnd",
@@ -139,6 +133,7 @@
"markdownlint",
"mechatroner",
"mediainfo",
"microvm",
"modesetting",
"mousewheel",
"mpris",
@@ -172,7 +167,6 @@
"optimumwifi",
"optoutstudies",
"overscroll",
"overseerr",
"oxalica",
"pavucontrol",
"pbmode",
@@ -190,13 +184,11 @@
"PRIVOXY",
"prowlarr",
"proxychains",
"prusa",
"psycopg",
"PUID",
"pulseaudio",
"punycode",
"pylance",
"pymetno",
"qbit",
"qbittorrent",
"qbittorrentvpn",
@@ -234,7 +226,6 @@
"sponsorblock",
"spotifyd",
"sqltools",
"ssdp",
"sshconfig",
"stdenv",
"subresource",
@@ -281,7 +272,6 @@
"xhci",
"xwayland",
"yzhang",
"zeroconf",
"zerotier",
"zerotierone",
"zhaofengli",

4
README.md
View File

@@ -14,7 +14,9 @@ to onboard a new user or system.
Although we are not actively looking for new members to join in on this repo,
we are not strictly opposed. Please reach out to
[@ahuston-0](https://nayeonie.com/ahuston-0) for further information.
[@ahuston-0](https://github.com/ahuston-0) or
[@RichieCahill](https://github.com/RichieCahill)
for further information.
## Repo Structure

4
checks.nix
View File

@@ -56,9 +56,7 @@ forEachSystem (
#!/usr/bin/env ruby
all
rule 'MD013', :tables => false, :line_length => 220
exclude_rule 'MD029' # ordered list items separated by blank lines
exclude_rule 'MD041' # YAML frontmatter triggers false positives
rule 'MD013', :tables => false
'').outPath;
};

21
docs/CONTRIBUTING.md
View File

@@ -40,12 +40,12 @@ and will eventually trip a check when merging to main.
| Branch Name | Use Case |
|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| main | protected branch which all machines pull from, do not try to push directly |
| feature/\<item> | \<item> is a new feature added to the repo, for personal or common use |
| fixup/\<item> | \<item> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical |
| hotfix/\<item> | \<item> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process |
| urgent/\<item> | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues |
| exp/\<item> | \<item> is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches |
| merge/\<item> | \<item> is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch |
| feature/\<item\> | \<item\> is a new feature added to the repo, for personal or common use |
| fixup/\<item\> | \<item\> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical |
| hotfix/\<item\> | \<item\> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process |
| urgent/\<item\> | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues |
| exp/\<item\> | \<item\> is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches |
| merge/\<item\> | \<item\> is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch |
### Review Process
@@ -94,11 +94,11 @@ rules.
PR has been tested on at least one machine
- Issues which bypass the quorum process must have a second reviewer tagged
- All critical issues which bypass the approval process must have an RCA issue
opened and the RCA logged into the `inc/` folder
opened and the RCA logged into the `inc/` folder
- The second reviewer has 2 weeks to retroactively review and approve the PR
- If the retro does not happen in the given window, an issue shall be opened
to either re-review the PR or to revert and replace the fix with a
permanent solution
to either re-review the PR or to revert and replace the fix with a
permanent solution
- Critical issues must be tagged to `Nix Flake Features` project, and must have
a priority of `High` and an estimate tagged. Start and end date are not needed
@@ -107,7 +107,8 @@ rules.
We allow secrets to be embedded in the repository using `sops-nix`. As part of
the process everything is encrypted, however adding a new user is a change
that every existing SOPS user needs to participate in. Please reach out to
[@ahuston-0](https://nayeonie.com/ahuston-0) or if you are interested
[@ahuston-0](https://github.com/ahuston-0) or
[@RichieCahill](https://github.com/RichieCahill) if you are interested
in using secrets on your machines.
## CI/CD

124
docs/sample-setup.sh
View File

@@ -1,9 +1,9 @@
#!/usr/bin/env nix
#! nix shell nixpkgs#bash nixpkgs#git --command bash
set -o errexit # abort on nonzero exitstatus
set -o nounset # abort on unbound variable
set -o pipefail # don't hide errors within pipes
set -o errexit # abort on nonzero exitstatus
set -o nounset # abort on unbound variable
set -o pipefail # don't hide errors within pipes
PROCEED="N"
@@ -50,58 +50,60 @@ GITBASE="systems"
FEATUREBRANCH="feature/adding-$MACHINENAME"
if [ $PROCEED != "Y" ]; then
echo "PROCEED is not set correctly, please validate the below partitions and update the script accordingly"
lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
echo "PROCEED is not set correctly, please validate the below partitions and update the script accordingly"
lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
fi
if [ $CREATEPARTS = "Y" ]; then
# Create partition table
sudo parted "/dev/$DRIVE" -- mklabel gpt
# Create partition table
sudo parted "/dev/$DRIVE" -- mklabel gpt
# Create boot part
sudo parted "/dev/$DRIVE" -- mkpart ESP fat32 1MB 1024MB
sudo parted "/dev/$DRIVE" -- set 1 esp on
sudo mkfs.fat -F 32 -n NIXBOOT "/dev/${DRIVE}1"
# Create boot part
sudo parted "/dev/$DRIVE" -- mkpart ESP fat32 1MB 1024MB
sudo parted "/dev/$DRIVE" -- set 1 esp on
sudo mkfs.fat -F 32 -n NIXBOOT "/dev/${DRIVE}1"
# Create luks part
sudo parted "/dev/$DRIVE" -- mkpart primary ext4 1024MB 100%
sudo parted "/dev/$DRIVE" -- set 2 lvm on
# Create luks part
sudo parted "/dev/$DRIVE" -- mkpart primary ext4 1024MB 100%
sudo parted "/dev/$DRIVE" -- set 2 lvm on
LUKSPART="nixos-pv"
sudo cryptsetup luksFormat "/dev/${DRIVE}p2"
sudo cryptsetup luksOpen "/dev/${DRIVE}p2" "$LUKSPART"
LUKSPART="nixos-pv"
sudo cryptsetup luksFormat "/dev/${DRIVE}p2"
sudo cryptsetup luksOpen "/dev/${DRIVE}p2" "$LUKSPART"
# Create lvm part
sudo pvcreate "/dev/mapper/$LUKSPART"
sudo pvresize "/dev/mapper/$LUKSPART"
sudo pvdisplay
# Create lvm part
sudo pvcreate "/dev/mapper/$LUKSPART"
sudo pvresize "/dev/mapper/$LUKSPART"
sudo pvdisplay
# Create volume group
sudo vgcreate "$VOLGROUP" "/dev/mapper/$LUKSPART"
sudo vgchange -a y "$VOLGROUP"
sudo vgdisplay
# Create volume group
sudo vgcreate "$VOLGROUP" "/dev/mapper/$LUKSPART"
sudo vgchange -a y "$VOLGROUP"
sudo vgdisplay
# Create swap part on LVM
if [ $SWAPSIZE != 0 ]; then
sudo lvcreate -L "$SWAPSIZE" "$VOLGROUP" -n swap
sudo mkswap -L NIXSWAP -c "$SWAPPATH"
fi
# Create swap part on LVM
if [ $SWAPSIZE != 0 ]; then
sudo lvcreate -L "$SWAPSIZE" "$VOLGROUP" -n swap
sudo mkswap -L NIXSWAP -c "$SWAPPATH"
fi
# Create home part on LVM, leaving plenty of room for snapshots
sudo lvcreate -l 50%FREE "$VOLGROUP" -n home
sudo mkfs.ext4 -L NIXHOME -c "$HOMEPATH"
# Create home part on LVM, leaving plenty of room for snapshots
sudo lvcreate -l 50%FREE "$VOLGROUP" -n home
sudo mkfs.ext4 -L NIXHOME -c "$HOMEPATH"
# Create root part on LVM, keeping in mind most data will be on /home or /nix
sudo lvcreate -L 5G "$VOLGROUP" -n root
sudo mkfs.ext4 -L NIXROOT -c "$ROOTPATH"
# Create root part on LVM, keeping in mind most data will be on /home or /nix
sudo lvcreate -L 5G "$VOLGROUP" -n root
sudo mkfs.ext4 -L NIXROOT -c "$ROOTPATH"
# Create nix part on LVM
sudo lvcreate -L 100G "$VOLGROUP" -n nix-store
sudo mkfs.ext4 -L NIXSTORE -c "$NIXSTOREPATH"
# Create nix part on LVM
sudo lvcreate -L 100G "$VOLGROUP" -n nix-store
sudo mkfs.ext4 -L NIXSTORE -c "$NIXSTOREPATH"
sudo lvdisplay
sudo lvdisplay
lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
fi
# Mount partitions
@@ -114,14 +116,14 @@ sudo mount $BOOTPART /mnt/boot
# Enable swap if SWAPSIZE is non-zero
if [ $SWAPSIZE != 0 ]; then
sudo swapon "/dev/$VOLGROUP/swap"
sudo swapon "/dev/$VOLGROUP/swap"
fi
# Clone the repo
DOTS="/mnt/root/dotfiles"
GC="git -C $DOTS"
sudo mkdir -p "$DOTS" || echo "directory $DOTS already exists"
sudo $GC clone https://nayeonie.com/ahuston-0/nix-dotfiles.git .
sudo $GC clone https://github.com/RAD-Development/nix-dotfiles.git .
sudo $GC checkout "$FEATUREBRANCH"
# Create ssh keys
@@ -133,31 +135,31 @@ read -r -p "get this into github so you can check everything in, then hit enter
cat "$DOTS/id_ed25519_ghdeploy.pub"
if [ $SOPS == "Y" ]; then
# Create ssh host-keys
sudo ssh-keygen -A
sudo mkdir -p /mnt/etc/ssh
sudo cp "/etc/ssh/ssh_host_*" /mnt/etc/ssh
# Create ssh host-keys
sudo ssh-keygen -A
sudo mkdir -p /mnt/etc/ssh
sudo cp "/etc/ssh/ssh_host_*" /mnt/etc/ssh
# Get line where AGE comment is and insert new AGE key two lines down
AGELINE=$(grep "Generate AGE keys from SSH keys with" "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+2)}')
AGEKEY=$(nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age')
sudo sed -i "${AGELINE}i\\ - &${MACHINENAME} $AGEKEY\\" "$DOTS/.sops.yaml"
# Get line where AGE comment is and insert new AGE key two lines down
AGELINE=$(grep "Generate AGE keys from SSH keys with" "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+2)}')
AGEKEY=$(nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age')
sudo sed -i "${AGELINE}i\\ - &${MACHINENAME} $AGEKEY\\" "$DOTS/.sops.yaml"
# Add server name
SERVERLINE=$(grep 'servers: &servers' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
sudo sed -i "${SERVERLINE}i\\ - *${MACHINENAME}\\" "$DOTS/.sops.yaml"
# Add server name
SERVERLINE=$(grep 'servers: &servers' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
sudo sed -i "${SERVERLINE}i\\ - *${MACHINENAME}\\" "$DOTS/.sops.yaml"
# Add creation rules
CREATIONLINE=$(grep 'creation_rules' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
# TODO: below was not working when last attempted
read -r -d '' PATHRULE <<-EOF
# Add creation rules
CREATIONLINE=$(grep 'creation_rules' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
# TODO: below was not working when last attempted
read -r -d '' PATHRULE <<-EOF
- path_regex: $GITBASE/$MACHINENAME/secrets\.yaml$
key_groups:
- pgp: *$OWNERORADMINS
age:
- *$MACHINENAME
EOF
sudo sed -i "${CREATIONLINE}i\\${PATHRULE}\\" "$DOTS/.sops.yaml"
sudo sed -i "${CREATIONLINE}i\\${PATHRULE}\\" "$DOTS/.sops.yaml"
fi
read -r -p "press enter to continue"
@@ -179,4 +181,4 @@ Host github.com
IdentityFile /root/.ssh/id_ed25519_ghdeploy
EOF
printf "%s" "$SSHCONFIG" | sudo tee /root/.ssh/config
sudo "$GC" remote set-url origin 'ssh://gitea@nayeonie.com:2222/ahuston-0/nix-dotfiles.git'
sudo "$GC" remote set-url origin 'git@github.com:RAD-Development/nix-dotfiles.git'

846
flake.lock generated
View File

File diff suppressed because it is too large Load Diff

129
flake.nix
View File

@@ -1,47 +1,59 @@
{
description = "NixOS configuration for my machines";
description = "NixOS configuration for RAD-Development Servers";
nixConfig = {
substituters = [
"https://cache.nixos.org/?priority=1&want-mass-query=true"
"https://attic.alicehuston.xyz/cache-nix-dot?priority=4&want-mass-query=true"
"https://nix-community.cachix.org/?priority=10&want-mass-query=true"
"https://attic.nayeonie.com/nix-cache"
"https://cosmic.cachix.org/"
];
trusted-substituters = [
"https://cache.nixos.org"
"https://attic.alicehuston.xyz/cache-nix-dot"
"https://nix-community.cachix.org"
"https://attic.nayeonie.com/nix-cache"
"https://cosmic.cachix.org/"
];
trusted-public-keys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"cache.alicehuston.xyz:SJAm8HJVTWUjwcTTLAoi/5E1gUOJ0GWum2suPPv7CUo=%"
"cache-nix-dot:Od9KN34LXc6Lu7y1ozzV1kIXZa8coClozgth/SYE7dU="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"nix-cache:grGRsHhqNDhkEuTODvHJXYmoCClntC+U8XAJQzwMaZM="
"cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE="
];
trusted-users = [ "root" ];
allow-import-from-derivation = true;
fallback = true;
};
inputs = {
# flake inputs with no explicit deps (in alphabetic order)
flake-compat.url = "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz";
flake-parts.url = "github:hercules-ci/flake-parts";
nixos-hardware.url = "github:NixOS/nixos-hardware";
#nixpkgs.url = "github:nuschtos/nuschtpkgs/nixos-unstable";
#nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small";
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
#nixpkgs.url = "github:nixos/nixpkgs/1d2fe0135f360c970aee1d57a53f816f3c9bddae?narHash=sha256-Up7YlXIupmT7fEtC4Oj676M91INg0HAoamiswAsA3rc%3D";
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11";
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.05";
systems.url = "github:nix-systems/default";
# flake inputs with dependencies (in alphabetic order)
arch_mirror = {
url = "github:RichieCahill/arch_mirror";
inputs.nixpkgs.follows = "nixpkgs";
};
attic = {
url = "github:zhaofengli/attic";
inputs = {
nixpkgs.follows = "nixpkgs";
nixpkgs-stable.follows = "nixpkgs-stable";
flake-compat.follows = "flake-compat";
flake-utils.follows = "flake-utils";
};
};
fenix = {
url = "github:nix-community/fenix";
inputs.nixpkgs.follows = "nixpkgs";
};
firefox-addons = {
url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-utils.follows = "flake-utils";
};
};
@@ -55,48 +67,40 @@
inputs.nixpkgs.follows = "nixpkgs";
};
hydra = {
url = "git+https://nayeonie.com/ahuston-0/hydra?ref=add-gitea-pulls";
inputs = {
#nixpkgs.follows = "nixpkgs";
};
};
hyprland-contrib = {
url = "github:hyprwm/contrib";
inputs.nixpkgs.follows = "nixpkgs";
};
#lix-module = {
# url = "git+https://git.lix.systems/lix-project/nixos-module?ref=stable";
# inputs = {
# nixpkgs.follows = "nixpkgs";
# flake-utils.follows = "flake-utils";
# };
#};
microvm = {
url = "github:astro/microvm.nix";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-utils.follows = "flake-utils";
};
};
nix = {
url = "github:NixOS/nix/latest-release";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-compat.follows = "flake-compat";
flake-parts.follows = "flake-parts";
git-hooks-nix.follows = "pre-commit-hooks";
};
};
nix-index-database = {
url = "github:Mic92/nix-index-database";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-cosmic = {
url = "github:lilyinstarlight/nixos-cosmic";
inputs = {
flake-compat.follows = "flake-compat";
nixpkgs.follows = "nixpkgs";
nixpkgs-stable.follows = "nixpkgs-stable";
rust-overlay.follows = "rust-overlay";
};
};
nixos-generators = {
url = "github:nix-community/nixos-generators";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-modules = {
url = "github:NuschtOS/nixos-modules";
url = "github:SuperSandro2000/nixos-modules";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-utils.follows = "flake-utils";
@@ -107,6 +111,7 @@
url = "github:cachix/git-hooks.nix";
inputs = {
nixpkgs.follows = "nixpkgs";
nixpkgs-stable.follows = "nixpkgs-stable";
flake-compat.follows = "flake-compat";
};
};
@@ -122,13 +127,15 @@
url = "github:Mic92/sops-nix";
inputs = {
nixpkgs.follows = "nixpkgs";
nixpkgs-stable.follows = "nixpkgs-stable";
};
};
stylix = {
url = "github:danth/stylix";
server_tools = {
url = "github:RAD-Development/server_tools";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-utils.follows = "flake-utils";
};
};
@@ -148,7 +155,7 @@
systems = [
"x86_64-linux"
# disable arm for now as hydra isn't set up for it
# "aarch64-linuxa
# "aarch64-linux"
];
forEachSystem = lib.genAttrs systems;
@@ -164,51 +171,23 @@
lib = self;
}
);
inherit (lib.adev.systems) genSystems getImages;
inherit (lib.rad-dev.systems) genSystems getImages;
inherit (self) outputs; # for hydra
in
rec {
inherit lib; # for allowing use of custom functions in nix repl
hydraJobs = import ./hydra/jobs.nix { inherit inputs outputs systems; };
formatter = forEachSystem (system: nixpkgs.legacyPackages.${system}.nixfmt);
formatter = forEachSystem (system: nixpkgs.legacyPackages.${system}.nixfmt-rfc-style);
nixosConfigurations = genSystems inputs outputs src (src + "/systems");
homeConfigurations = {
"alice" = inputs.home-manager.lib.homeManagerConfiguration {
pkgs = import nixpkgs { system = "x86_64-linux"; };
modules = [
inputs.stylix.homeModules.stylix
inputs.sops-nix.homeManagerModules.sops
inputs.nix-index-database.homeModules.nix-index
{
nixpkgs.config = {
allowUnfree = true;
allowUnfreePredicate = _: true;
};
}
./users/alice/home.nix
];
extraSpecialArgs = {
inherit inputs outputs;
machineConfig = {
server = false;
};
};
};
};
nixosConfigurations = genSystems inputs src (src + "/systems");
images = {
install-iso = getImages nixosConfigurations "install-iso";
iso = getImages nixosConfigurations "iso";
qcow = getImages nixosConfigurations "qcow";
};
packages.x86_64-linux.lego-latest =
nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/lego-latest/default.nix
{ };
checks = import ./checks.nix { inherit inputs forEachSystem formatter; };
devShells = import ./shell.nix { inherit inputs forEachSystem checks; };
};
}

8
hydra/jobs.nix
View File

@@ -8,7 +8,7 @@ let
pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux;
getCfg = _: cfg: cfg.config.system.build.toplevel;
getHome = _: cfg: cfg.config.home.activationPackage;
hostToAgg = _: cfg: cfg;
# get per-system check derivation (with optional postfix)
mapSystems =
@@ -22,7 +22,11 @@ rec {
inherit (outputs) formatter devShells checks;
host = lib.mapAttrs getCfg outputs.nixosConfigurations;
home = lib.mapAttrs getHome outputs.homeConfigurations; # homeConfigurations.alice.config.home.activationPackage
hosts = pkgs.releaseTools.aggregate {
name = "hosts";
constituents = lib.mapAttrsToList hostToAgg host;
};
devChecks = pkgs.releaseTools.aggregate {
name = "devChecks";

43
hydra/jobsets.nix
View File

@@ -18,7 +18,8 @@ let
};
prs = readJSONFile pulls;
#refs = readJSONFile branches;
refs = readJSONFile branches;
repo = "RAD-Development/nix-dotfiles";
# template for creating a job
makeJob =
@@ -27,7 +28,6 @@ let
keepnr ? 3,
description,
flake,
enabled ? 1,
}:
{
inherit
@@ -35,8 +35,8 @@ let
flake
schedulingshares
keepnr
enabled
;
enabled = 1;
type = 1;
hidden = false;
checkinterval = 300; # every 5 minutes
@@ -44,30 +44,27 @@ let
emailoverride = "";
};
giteaHost = "ssh://gitea@nayeonie.com:2222";
repo = "ahuston-0/nix-dotfiles";
# # Create a hydra job for a branch
#jobOfRef =
# name:
# { ref, ... }:
# if ((builtins.match "^refs/heads/(.*)$" ref) == null) then
# null
# else
# {
# name = builtins.replaceStrings [ "/" ] [ "-" ] "branch-${name}";
# value = makeJob {
# description = "Branch ${name}";
# flake = "git+${giteaHost}/${repo}?ref=${ref}";
# };
# };
# Create a hydra job for a branch
jobOfRef =
name:
{ ref, ... }:
if ((builtins.match "^refs/heads/(.*)$" ref) == null) then
null
else
{
name = builtins.replaceStrings [ "/" ] [ "-" ] "branch-${name}";
value = makeJob {
description = "Branch ${name}";
flake = "git+ssh://git@github.com/${repo}?ref=${ref}";
};
};
# Create a hydra job for a PR
jobOfPR = id: info: {
name = if info.draft then "draft-${id}" else "pr-${id}";
value = makeJob {
description = "PR ${id}: ${info.title}";
flake = "git+${giteaHost}/${repo}?ref=${info.head.ref}";
enabled = info.state == "open";
flake = "git+ssh://git@github.com/${info.head.repo.full_name}?ref=${info.head.ref}";
};
};
@@ -77,12 +74,12 @@ let
# wrapper function for reading json from file
readJSONFile = f: builtins.fromJSON (builtins.readFile f);
# remove null values from a set, in-case of branches that don't exist
#mapFilter = f: l: builtins.filter (x: (x != null)) (map f l);
mapFilter = f: l: builtins.filter (x: (x != null)) (map f l);
# Create job set from PRs and branches
jobs = makeSpec (
builtins.listToAttrs (map ({ name, value }: jobOfPR name value) (attrsToList prs))
#// builtins.listToAttrs (mapFilter ({ name, value }: jobOfRef name value) (attrsToList refs))
// builtins.listToAttrs (mapFilter ({ name, value }: jobOfRef name value) (attrsToList refs))
);
in
{

12
hydra/spec.json
View File

@@ -1,7 +1,7 @@
{
"enabled": 1,
"hidden": false,
"description": "ahuston-0's personal server infra",
"description": "RAD Development infrastructure",
"nixexprinput": "nixexpr",
"nixexprpath": "hydra/jobsets.nix",
"checkinterval": 60,
@@ -12,7 +12,7 @@
"type": 0,
"inputs": {
"nixexpr": {
"value": "ssh://gitea@nayeonie.com:2222/ahuston-0/nix-dotfiles.git main",
"value": "https://github.com/RAD-Development/nix-dotfiles main",
"type": "git",
"emailresponsible": false
},
@@ -22,13 +22,13 @@
"emailresponsible": false
},
"pulls": {
"type": "giteapulls",
"value": "nayeonie.com ahuston-0 nix-dotfiles https",
"type": "githubpulls",
"value": "RAD-Development nix-dotfiles",
"emailresponsible": false
},
"branches": {
"type": "gitea_refs",
"value": "nayeonie.com ahuston-0 nix-dotfiles heads https -",
"type": "github_refs",
"value": "RAD-Development nix-dotfiles heads -",
"emailresponsible": false
}
}

67
keys/richie.asc Normal file
View File

@@ -0,0 +1,67 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGQ4gGgBEAC2s0Q4nQ5aTlpTg4u/Hl9gq56IAGoUW9wlgEoStHXyA1WziY2s
1pt45l4Q6kORswXoXv0ULTWBQAGponjY3l+HNm+B0XMr6EogjV/EP/UCyEi8zpqs
PaoJiB95s8rTsh+E7GzWR8KDhazOrGFY+QQOsTWEhLF8jkISd9aC05pf+WnKyxLC
wFjNFXRWUgPKyKPWIUd3SJP2IH6rSSkp7SMCAUiteQx2c43thnr4c/wcfGANKbFO
PhYrkTJKSqt38NoFtNB/Eo/MaVwdEnTMmeovF9sA2s0SLat8+FngSEcIXvL5UpA4
K73+lOQUROWFju7LrIyOhksSZXyQvP+64PxfpbtHadH6wQ4Ckz0GYIYnDQ1q66dh
OKQq9efIlxb7ky47qXRMY8u6d2d4bceLM4a24lYajZ70HZTEF4hy5KCMd8DAmAzU
WLCkaz6SQVDsme60jH3Mavd18B8HZ1d5Vi75hNaylMRtq7o6IA60NnVXh07U+Zto
n8QOze0JqO/GaM7FzfijfsW670j//FSu5wUGnBYprBz7SFh2nCy/XPZYThtHtPbI
YeESs8WZtqkfs4RpmMkOKcTLNiTFXIsCqHIhR8lDnJl+skEMxg7L8FF2txph4ssU
BZ6dAbFy8KsH+2Sr2qfK0yHOVs37ymv+/WaxC0d+QpLAupRhzL+s2kIYGQARAQAB
tB9SaWNoaWUgPFJpY2hpZUB0bW13b3Jrc2hvcC5jb20+iQJOBBMBCAA4FiEEKfUB
fJXZ5gsbHoQHBysOC4MS3+MFAmQ4gGgCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgEC
F4AACgkQBysOC4MS3+PnKA//YUDZbuaas5MIWRqZsh02GEXVX4n727JP4iqZU4R0
Cndq7KCl+8XJ9RqmpRZab1FhEj/DQZYisKvloMvBop4q1XLLkabaQF5NsbDvIQG6
5TgbeSUmVWP6JS4Ka05FKIEwjKFS6ogbd1tscVs50zFWW+veewWMwwQF1mw+N5wx
LsnHRDIBPOj8Z+p07fyYlP2RMtqdjUqHOtDBiAvbFaXd1huEHd6H2bhnVLaxsJUf
EEGu92ND0GgW2tDrJIL+bNhZfsnHZEZPyruLZXcwW0JIyLf+sgob/iY0duDH1JDS
ty5tS3ke9O3Q56mPogHP7jlMwtVHzQQPlviVtNvYhRamb5hUDc9Qu9uXNM0HOWdg
MI5KE1xbdjz1OmymakfcfbVcSz1vu3k4XpqChiKt+psw8BnHGcguPchetkroCJcM
OLwnCoKH3TFxZfaZQGPDhHCGU484Nj1M/wHo9RcoWtrPWz+Y7W0U+47EdmGM1Vpl
9hIoXqjEWENz6Ph5DD0vxMptQPrRfmtLiJsWxAJRS9MH+ZWXxjJ2byKXiEHdR7la
Xgj8ejtzaZB04Ow9+zptFH6nwTygGGodcRkYYFtYSS7C46aihvMRLj68uHB2yC2b
zYutMtU6eregDaWiAeGycZcanGnU36JDifjaCF84oty6a3EpfdGCc9KkHk1Is+sR
TVe5Ag0EZDiAaAEQANy3ekveJexjqdhWmGjqF1rp90uWYJeVwg0Dlc621SNEzrfu
suC1BEHC2xdZz85yPbfdUPThAn/AmaMYlNIvzXmsGJdfIIsL7ZT+K6K+9ClbFhR8
eIZZjhpSOMwLEfNroyZPcOwEua9bSr3mwU+i2ED+dCKcxG4/wAtmeK2PNOz0t0/F
umLHW9Zk8YZBVSq7sGZ77TBi7GHOVzR/3wWy0qXgVMSQXtmOoDCmd1B1pD/BOkBA
2iI4spRLiDPW3XVDeAGydYPPEIXtFax7ZCs4BhjT4witJ2110fddrAh6e48yU4Hn
ca5F+QD6hVvUgHmdM/9GMqYf2mMC8tqNQf33Ib148zIhtQN5OtDz/sce5Xj8rk0j
HUuZ3E0jViK72ZRnZD46CyIc99ZcLCAhsHZDaMTEDfWX8ToQzA+Ahyth0RMykwhX
6NPKvOw2VqRK+j6iyYvtDXLmcsR890dzHDJLfrJWCJ0scpeWFvlLkVhQaT3NEqEK
oUENBFf8zxfTQ7BksyV2ESTwu5xqfYeJ1g1FoTfL30+/W0003K7hoPQuU3ebj3wY
3mMrG0hgo0iM9wHk83WWt+fDYj09yptGWAgBQNOpRR/0EbwEd74C3UxZQtUmxwPz
YW2g1GWyEgtA76UJ00TuQHBGklcKtY0IbHKwjn7NwHbYWu67R7Le3+cj3LOVABEB
AAGJAjYEGAEIACAWIQQp9QF8ldnmCxsehAcHKw4LgxLf4wUCZDiAaAIbDAAKCRAH
Kw4LgxLf462sEACDweQr1ik35sbw3qlPn3b/d2UYBK+r8G3Pk1RhNra2rFtkRY8Y
rEAlFeYOCBplsyg8swIClPjKpqIEehMV4X2E0N6WpyPzuOgNP4OPAmJngUYM9uxr
kcVhYubgp2Hcxk5TkbvHIc31P5ItCl7UUYC3bXf32K5GVeOAxsZBS6elwdxlFteY
WKjkwoZklPPfce4ctG/phy8dnn+pFMFnyisFFp81R2P+ztdSDLm/U27d8g9cjcWK
mhZtGox4zf7250p+gIUnlnBdtXIWBaUFidha5qql0/iSsMrhu2m12XaLc5HiubYY
RNIHcCRitG0Qc/pWVjZAD/bqOTl4/M1AeN7qZ/8Y1II1tCdBZ1MGinKS/3aGjTn5
RzvYrQeP7YTInyah7MpUTYoxI+VHHeD7hTy/y0GPZBtZ24B/s3ICuMemejILeI8M
aHj8FmBSXJ3dD8195QyONuQB5hNB3qGhc995KsDK3leCwJc3+MFLZPaEZnB+f+uo
+pdngVsKH2IAVOtJN+QULmuEFmiEGRAghJwxfA4M92Bn0jSa9KMyTsM41b3zdSVU
ipnn9FVX7RemSdF/z2SXAczwMLwVjai4j8b/U9O3oc0wrDF4QgrKKKIESlID/0Jf
QLwhRYHy03r2yENO9lEeTBaSF94HsN1UjrZtzpGx6QTGBohA2RrztXkosLgzBGWP
FicWCSsGAQQB2kcPAQEHQBlJ0lXDQnpcV7nR/MWPifi0WVTDPe0njjVIHNq/Z/xI
iQKtBBgBCAAgFiEEKfUBfJXZ5gsbHoQHBysOC4MS3+MFAmWPFicCGwIAgQkQBysO
C4MS3+N2IAQZFgoAHRYhBAA/2xaaamErUuSen5+R1096JyceBQJljxYnAAoJEJ+R
1096Jycejy0A/2BmBatOihlxnO1G0U5qy3eiFkzmYKhm9WEW+w461hjuAP40cTMS
xgnpUzUrsEs6+3Om7TLAa0VAqYLjA8NTVJs6AiPGEACuGgYn4uBzeXGLgHHUmLsY
25rOajs/zAZnQkMz1epMKJDZ658cIDKyjJ6mLkkBwHwARrMhb38AEphXgyuAtHMN
mEPRzABZutleW33KCk6zzVLyYVFBDWEI7hIFdNfJcJjXsDX0oGKB/oT5vlU25YgN
cBAC7q9PGfq/XkeFOz9j3UOXMuzTKmtrX28IiSPqk+IkzeL35otzrG1wsUPLDLRS
nlmwtnP4oQ50cUvTiDesk3QqPQn+2wPYakMydq7bvUcv/jakCADJq8Lsg4AmUxpQ
bZNj2Zu/j8g+0KYUTriuQpZHf+mjVoNzwxiDKobMvKNzyNrZwMnZhAcDnCXSHpZL
KnBcQGpsOjZicA9HodVRdU80DM46MSsncxAN+jwdHUOtCtONP059kF8JegwyevFS
1hY/6ZTMETtKckWbs2gMTEK48SXF3EQ2jMq8lbD9SccuEi6R19R5qiLwQBgUHawT
PcirlASclpR2zjLH1/MovxMFykCUUaQgGH0TjCe5X95Y7QdVgw6ocHkSFUsLN8V1
L3UfOIobFFW6EuRg5urKpljoi20dYsAyorqye9q825RyuWa5oLDtqXshCuOzLy6O
BgnM2FIvUpxAFmlXlC9eG8bUChfqEakio68Iwl6LUQouDR9gprWcookZV716YBVC
/IKQxyKTQK+nas4pfaUhYw==
=in5n
-----END PGP PUBLIC KEY BLOCK-----

43
lib/container-utils.nix
View File

@@ -1,43 +0,0 @@
{ lib, ... }:
{
# Given a attrset of images and a function which generates an image spec,
# generates a set of containers (although this could in theory be used for
# other things... I'd like to see people try)
#
# container set must be in the below format
# { container-name = {image = "image-uri"; scale = n;}; }
# where image-uri gets passed in to the container-spec function as a custom
# parameter, and scale is an integer that generates the containers
#
# container-spec must be a function which accepts two parameter (the
# container name and image name) and ideally returns an oci-compliant
# container.
#
# args:
# containers: an AttrSet which specifies the imageUri and scale of each
# container
# container-spec: a function which produces an oci-compliant container spec
#
# type:
# AttrSet -> (String -> AttrSet -> AttrSet) -> AttrSet
createTemplatedContainers =
containers: container-spec:
builtins.listToAttrs (
lib.flatten (
lib.mapAttrsToList (
name: value:
(map (
num:
let
container-name = "${name}-${toString num}";
in
{
name = container-name;
value = container-spec container-name value.image;
}
) (lib.lists.range 1 value.scale))
) containers
)
);
}

37
lib/default.nix
View File

@@ -1,9 +1,9 @@
{ lib, ... }:
{
# create adev namespace for lib
adev = rec {
# create rad-dev namespace for lib
rad-dev = rec {
systems = import ./systems.nix { inherit lib; };
container-utils = import ./container-utils.nix { inherit lib; };
microvm = import ./microvms.nix { inherit lib; };
# any(), but checks if any value in the list is true
#
@@ -58,20 +58,29 @@
# fileList :: Path -> String -> [Path]
fileList = dir: map (file: dir + "/${file}") (ls dir);
# reduce an attribute set to a string
#
# example:
# given attrset {host1 = "palatine-hill"; host2 = "jeeves";}
# and func (host: hostname: host + " is " + hostname + ", " )
# mapAttrsToString would return 'host1 is palatine-hill, host2 is jeeves, '
# constructs a mac address from a string's hash
#
# args:
# func: an function to apply to attrSet to turn each entry into one string
# attrSet: an attribute set to reduce
# hashable: the string to hash
#
# type:
# mapAttrsToString :: AttrSet -> (String -> Any -> String) -> String
mapAttrsToString =
func: attrSet: (lib.foldl' (cur: next: cur + next) "" (lib.mapAttrsToList func attrSet));
# strToMac :: String -> String
strToMac =
hashable:
let
# computes sha512 hash of input
hashStr = builtins.hashString "sha512" hashable;
# grabs first 12 letters of hash
hashSub = start: builtins.substring start 2 (builtins.substring 0 12 hashStr);
# joins list of strings with a delimiter between
joiner =
delim: arr:
builtins.foldl' (
a: b: lib.concatStrings ([ a ] ++ (lib.optionals (a != "") [ delim ]) ++ [ b ])
) "" arr;
# generates a list of indexes for the hash
starts = builtins.genList (x: x * 2) 6;
in
joiner ":" (map hashSub starts);
};
}

116
lib/microvms.nix Normal file
View File

@@ -0,0 +1,116 @@
{ lib, ... }:
rec {
genK3SVM =
server-config: agent-config: vms:
lib.mapAttrs (
host:
{
address,
gateway,
machine-id,
server ? false,
}:
genMicroVM host address gateway "x86_64-linux" machine-id (
if server then server-config else agent-config
)
) vms;
genMicroVM =
hostName: address: gateway: _system: machine-id: vm-config:
# microvm refers to microvm.nixosModules
# {
# config,
# pkgs,
# lib,
# ...
# }:
{
# The package set to use for the microvm. This also determines the microvm's architecture.
# Defaults to the host system's package set if not given.
# pkgs = import pkgs { inherit system; };
# (Optional) A set of special arguments to be passed to the MicroVM's NixOS modules.
#specialArgs = {};
# The configuration for the MicroVM.
# Multiple definitions will be merged as expected.
config = {
imports = [ vm-config ];
# It is highly recommended to share the host's nix-store
# with the VMs to prevent building huge images.
system.stateVersion = "24.05";
environment.etc."machine-id" = {
mode = "0644";
text = machine-id + "\n";
};
networking.hostName = hostName;
microvm = {
interfaces = [
{
type = "tap";
# bridge = "ztkubnet";
id = "vm-${hostName}";
mac = lib.rad-dev.strToMac hostName;
}
];
shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}
{
# On the host
source = "/var/lib/microvms/${hostName}/journal";
# In the MicroVM
mountPoint = "/var/log/journal";
tag = "journal";
proto = "virtiofs";
socket = "journal.sock";
}
];
};
systemd.network.enable = true;
systemd.network.networks."20-lan" = {
matchConfig.Type = "ether";
networkConfig = {
Address = address;
Gateway = gateway;
DNS = [ "9.9.9.9" ];
IPv6AcceptRA = true;
DHCP = "no";
};
};
services.openssh = {
enable = true;
openFirewall = true;
};
users.users.alice = {
openssh.authorizedKeys.keys = [
# photon
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOGcqhLaKsjwAnb6plDavAhEyQHNvFS9Uh5lMTuwMhGF alice@parthenon-7588"
# gh
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoaEmzaS9vANckvBmqrYSHdFR0sPL4Xgeonbh9KcgFe gitlab keypair"
# janus
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfcO9p5opG8Tym6tcLkat6YGCcE6vwg0+V4MTC5WKop alice@parthenon-7588"
# palatine
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP59pDsx34k2ikrKa0eVacj0APSGivaij3lP9L0Zd9au alice@parthenon-7588"
# jeeves
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDgkUndkfns6f779T5ckHOVhyOKP8GttQ9RfaO9uJdx alice@parthenon-7588"
];
isNormalUser = true;
};
# Any other configuration for your MicroVM
# [...]
};
};
}

44
lib/systems.nix
View File

@@ -149,14 +149,12 @@ rec {
configPath,
hostname,
inputs,
outputs,
src,
users,
home ? true,
modules ? [ ],
server ? true,
sops ? true,
lix ? false,
system ? "x86_64-linux",
}@args:
lib.nixosSystem {
@@ -164,25 +162,24 @@ rec {
specialArgs = {
inherit
inputs
outputs
server
system
src
;
};
modules = [
inputs.nixos-modules.nixosModule
inputs.nix-index-database.nixosModules.nix-index
(genHostName hostname)
(configPath + "/hardware.nix")
(configPath + "/configuration.nix")
]
++ modules
++ (lib.adev.fileList (src + "/modules"))
++ genWrapper sops genSops args
++ genWrapper home genHome args
++ genWrapper true genUsers args
#++ genWrapper lix ({ ... }: [ inputs.lix-module.nixosModules.default ]) args
++ genWrapper (system != "x86_64-linux") genNonX86 args;
modules =
[
inputs.nixos-modules.nixosModule
(genHostName hostname)
(configPath + "/hardware.nix")
(configPath + "/configuration.nix")
]
++ modules
++ (lib.rad-dev.fileList (src + "/modules"))
++ genWrapper sops genSops args
++ genWrapper home genHome args
++ genWrapper true genUsers args
++ genWrapper (system != "x86_64-linux") genNonX86 args;
};
# a convenience function for automatically generating NixOS systems by reading a directory via constructSystem
@@ -202,7 +199,7 @@ rec {
# type:
# genSystems :: AttrSet -> Path -> Path -> AttrSet
genSystems =
inputs: outputs: src: path:
inputs: src: path:
builtins.listToAttrs (
map (
name:
@@ -213,18 +210,13 @@ rec {
inherit name;
value = constructSystem (
{
inherit
inputs
outputs
src
configPath
;
inherit inputs src configPath;
hostname = name;
}
// import configPath { inherit inputs; }
// import configPath { inherit inputs src; }
);
}
) (lib.adev.lsdir path)
) (lib.rad-dev.lsdir path)
);
# gets all the images of a specified format

11
modules/autopull.nix
View File

@@ -59,12 +59,11 @@ in
repos = lib.filterAttrs (_: { enable, ... }: enable) cfg.repo;
in
lib.mkIf cfg.enable {
environment.systemPackages = [
pkgs.git
]
++ lib.optionals (lib.any (ssh-key: ssh-key != "") (lib.adev.mapGetAttr "ssh-key" repos)) [
pkgs.openssh
];
environment.systemPackages =
[ pkgs.git ]
++ lib.optionals (lib.any (ssh-key: ssh-key != "") (lib.rad-dev.mapGetAttr "ssh-key" repos)) [
pkgs.openssh
];
systemd.services = lib.mapAttrs' (
_:

7
modules/base.nix
View File

@@ -1,7 +1,6 @@
{
lib,
inputs,
outputs,
server,
system,
...
@@ -15,7 +14,7 @@
programs = {
zsh.enable = true;
fish.enable = false;
fish.enable = true;
};
users = {
@@ -27,12 +26,10 @@
useUserPackages = true;
sharedModules = [ inputs.sops-nix.homeManagerModules.sops ];
extraSpecialArgs = {
inherit inputs outputs;
inherit inputs;
machineConfig = {
inherit server system;
};
};
};
networking.firewall.enable = lib.mkDefault true;
}

11
modules/boot.nix
View File

@@ -2,7 +2,6 @@
config,
lib,
libS,
pkgs,
...
}:
@@ -35,11 +34,11 @@ in
config.boot = lib.mkIf cfg.default {
supportedFilesystems = [ cfg.filesystem ];
tmp.useTmpfs = true;
kernelParams = [
"nordrand"
]
++ lib.optional (cfg.cpuType == "amd") "kvm-amd"
++ lib.optional cfg.fullDiskEncryption "ip=<ip-addr>::<ip-gateway>:<netmask>";
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
kernelParams =
[ "nordrand" ]
++ lib.optional (cfg.cpuType == "amd") "kvm-amd"
++ lib.optional cfg.fullDiskEncryption "ip=<ip-addr>::<ip-gateway>:<netmask>";
initrd = {
kernelModules = lib.mkIf cfg.amdGPU [ "amdgpu" ];
network = lib.mkIf cfg.fullDiskEncryption {

9
modules/docker.nix
View File

@@ -7,13 +7,8 @@
extraGroups = [ "docker" ];
uid = 600;
};
groups = {
docker-service = {
gid = 600;
};
haproxy = {
gid = 99;
};
groups.docker-service = {
gid = 600;
};
};

5
modules/fwupd.nix
View File

@@ -1,5 +0,0 @@
{ lib, ... }:
{
services.fwupd.enable = lib.mkDefault true;
}

28
modules/kub_net.nix
View File

@@ -1,12 +1,12 @@
{ lib, config, ... }:
let
cfg = config.services.adev.k3s-net;
cfg = config.services.rad-dev.k3s-net;
in
{
options = {
services.adev.k3s-net = {
services.rad-dev.k3s-net = {
enable = lib.mkOption {
default = false;
default = true;
example = true;
description = "Whether to enable k3s-net.";
type = lib.types.bool;
@@ -20,13 +20,13 @@ in
echo "ebe7fbd44565ba9d=ztkubnet" > /var/lib/zerotier-one/devicemap
'';
services.zerotierone = lib.mkDefault {
enable = true;
services.zerotierone = {
enable = lib.mkDefault true;
joinNetworks = [ "ebe7fbd44565ba9d" ];
};
systemd.network = lib.mkDefault {
enable = true;
systemd.network = {
enable = lib.mkDefault true;
wait-online.anyInterface = true;
netdevs = {
"20-brkubnet" = {
@@ -38,15 +38,27 @@ in
};
networks = {
"30-ztkubnet" = {
matchConfig.Name = "ztkubnet";
matchConfig.Name = [ "ztkubnet" ];
networkConfig.Bridge = "brkubnet";
linkConfig.RequiredForOnline = "enslaved";
};
"40-brkubnet" = {
matchConfig.Name = "brkubnet";
bridgeConfig = { };
networkConfig.LinkLocalAddressing = "no";
linkConfig.RequiredForOnline = "no";
};
"41-vms" = {
matchConfig.Name = [ "vm-*" ];
networkConfig.Bridge = "brkubnet";
linkConfig.RequiredForOnline = "enslaved";
};
"42-kubnet-accuse" = {
matchConfig.Name = "kubnet-accuse";
networkConfig.Bridge = "brkubnet";
linkConfig.RequiredForOnline = "enslaved";
address = [ "192.168.69.20/24" ];
};
};
};

78
modules/kubernetes.nix
View File

@@ -1,78 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
options = {
services.kubernetes = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Whether to enable Kubernetes services";
};
version = lib.mkOption {
type = lib.types.str;
default = "1.28.0";
description = "Kubernetes version to use";
};
clusterName = lib.mkOption {
type = lib.types.str;
default = "palatine-hill-cluster";
description = "Name of the Kubernetes cluster";
};
controlPlaneEndpoint = lib.mkOption {
type = lib.types.str;
default = "localhost:6443";
description = "Control plane endpoint";
};
networking = lib.mkOption {
type = lib.types.attrs;
default = { };
description = "Kubernetes networking configuration";
};
};
};
config = lib.mkIf config.services.kubernetes.enable {
environment.systemPackages = with pkgs; [
kubectl
kubernetes
];
## Enable containerd for Kubernetes
#virtualisation.containerd.enable = true;
## Enable kubelet
#services.kubelet = {
# enable = true;
# extraFlags = {
# "pod-infra-container-image" = "registry.k8s.io/pause:3.9";
# };
#};
## Enable kubeadm for cluster initialization
#environment.etc."kubeadm.yaml".text = ''
# apiVersion: kubeadm.k8s.io/v1beta3
# kind: InitConfiguration
# localAPIEndpoint:
# advertiseAddress: 127.0.0.1
# bindPort: 6443
# ---
# apiVersion: kubeadm.k8s.io/v1beta3
# kind: ClusterConfiguration
# clusterName: ${config.services.kubernetes.clusterName}
# controlPlaneEndpoint: ${config.services.kubernetes.controlPlaneEndpoint}
# networking:
# serviceSubnet: 10.96.0.0/12
# podSubnet: 10.244.0.0/16
# dnsDomain: cluster.local
#'';
};
}

5
modules/locale.nix
View File

@@ -4,9 +4,8 @@
console.keyMap = lib.mkDefault "us";
i18n = {
defaultLocale = lib.mkDefault "en_US.UTF-8";
defaultCharset = "UTF-8";
#extraLocales = lib.mkDefault [ "en_US.UTF-8/UTF-8" ];
defaultLocale = lib.mkDefault "en_US.utf8";
supportedLocales = lib.mkDefault [ "en_US.UTF-8/UTF-8" ];
extraLocaleSettings = lib.mkDefault {
LC_ADDRESS = "en_US.UTF-8";
LC_IDENTIFICATION = "en_US.UTF-8";

9
modules/nix.nix
View File

@@ -1,30 +1,31 @@
{ lib, pkgs, ... }:
{
nix = {
#package = pkgs.nixVersions.latest;
package = pkgs.nixVersions.latest;
diffSystem = true;
settings = {
experimental-features = [
"nix-command"
"flakes"
"blake3-hashes"
"git-hashing"
"verified-fetches"
];
keep-outputs = true;
builders-use-substitutes = true;
connect-timeout = 20;
substituters = [
"https://cache.nixos.org/?priority=1&want-mass-query=true"
"https://attic.alicehuston.xyz/cache-nix-dot?priority=4&want-mass-query=true"
"https://nix-community.cachix.org/?priority=10&want-mass-query=true"
];
trusted-substituters = [
"https://cache.nixos.org"
"https://attic.alicehuston.xyz/cache-nix-dot"
"https://nix-community.cachix.org"
];
trusted-public-keys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"cache.alicehuston.xyz:SJAm8HJVTWUjwcTTLAoi/5E1gUOJ0GWum2suPPv7CUo=%"
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"cache-nix-dot:Od9KN34LXc6Lu7y1ozzV1kIXZa8coClozgth/SYE7dU="
];
trusted-users = [
"root"

1
modules/openssh.nix
View File

@@ -2,7 +2,6 @@
{
services.openssh = {
enable = lib.mkDefault true;
openFirewall = lib.mkDefault true;
fixPermissions = true;
extraConfig = "StreamLocalBindUnlink yes";

5
modules/opt/default.nix Normal file
View File

@@ -0,0 +1,5 @@
{ ... }:
{
}

5
modules/opt/k3s-agent.nix Normal file
View File

@@ -0,0 +1,5 @@
{ ... }:
{
imports = [ ./k3s-common.nix ];
services.k3s.role = "agent";
}

15
modules/opt/k3s-common.nix Normal file
View File

@@ -0,0 +1,15 @@
{
config,
lib,
pkgs,
...
}:
{
services.k3s = {
enable = true;
extraFlags = "--cluster-cidr 192.168.69.0/24";
# tokenFile = #TODO: set this up after building the first node lol
# serverAddr =
};
}

6
modules/opt/k3s-server.nix Normal file
View File

@@ -0,0 +1,6 @@
{ ... }:
{
# imports = [ ./k3s-common.nix ];
services.k3s.role = "server";
}

34
modules/opt/microvm-host.nix Normal file
View File

@@ -0,0 +1,34 @@
{
config,
lib,
inputs,
...
}:
let
cfg = config.rad-dev.microvm-host;
microvm = inputs.microvm.nixosModules;
in
{
imports = [ microvm.host ];
options.rad-dev.microvm-host = {
vms = lib.mkOption {
type = lib.types.attrs;
default = { };
description = "A list of VMs to construct on the host";
};
};
config = {
networking.useNetworkd = true;
microvm.vms = cfg.vms;
# TODO: deprecate this once we have syslog forwarders
systemd.tmpfiles.rules = map (
vmHost:
let
machineId = cfg.vms.${vmHost}.config.environment.etc."machine-id".text;
in
# creates a symlink of each MicroVM's journal under the host's /var/log/journal
"L+ /var/log/journal/${machineId} - - - - /var/lib/microvms/${vmHost}/journal/${machineId}"
) (builtins.attrNames cfg.vms);
};
}

2
modules/plocate.nix
View File

@@ -3,7 +3,7 @@
{
services.locate = {
enable = lib.mkDefault true;
# localuser = lib.mkDefault null;
localuser = lib.mkDefault null;
package = lib.mkDefault pkgs.plocate;
};
}

7
modules/programs.nix Normal file
View File

@@ -0,0 +1,7 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
git
python312
];
}

19
modules/update.nix
View File

@@ -4,7 +4,7 @@
enable = lib.mkDefault true;
repo.dotfiles = {
enable = lib.mkDefault true;
ssh-key = lib.mkDefault "/root/.ssh/id_ed25519_giteadeploy";
ssh-key = lib.mkDefault "/root/.ssh/id_ed25519_ghdeploy";
path = lib.mkDefault /root/dotfiles;
};
};
@@ -14,21 +14,6 @@
flags = [ "--accept-flake-config" ];
randomizedDelaySec = "1h";
persistent = true;
flake = "git+ssh://nayeonie.com/ahuston-0/nix-dotfiles.git";
};
services.nix-verify = {
daily = {
enable = true;
verify-contents = false;
verify-trust = false;
};
weekly = {
enable = true;
verify-contents = true;
verify-trust = false;
frequency = "1week";
randomized-delay-sec = "6hour";
};
flake = "github:RAD-Development/nix-dotfiles";
};
}

11
modules/users.nix
View File

@@ -1,11 +0,0 @@
{
...
}:
{
users.groups = {
users = {
gid = 100;
};
};
}

110
modules/verify.nix
View File

@@ -1,110 +0,0 @@
{
config,
lib,
...
}:
let
cfg = config.services.nix-verify;
verify-type =
with lib.types;
attrsOf (
submodule (
{ name, ... }:
{
options = {
enable = lib.mkEnableOption "verify status of nix store";
service-name = lib.mkOption {
type = lib.types.str;
description = "the name of the systemd service. ${name} by default";
default = name;
};
verify-contents = lib.mkEnableOption "verify contents of nix store";
verify-trust = lib.mkEnableOption "verify if each path is trusted";
signatures-needed = lib.mkOption {
type = lib.types.int;
description = "number of signatures needed when verifying trust. Not needed if verify-trust is disabled or not set.";
default = -1;
};
frequency = lib.mkOption {
type = lib.types.str;
description = "systemd-timer compatible time between pulls";
default = "1day";
};
randomized-delay-sec = lib.mkOption {
type = lib.types.str;
description = "systemd-timer compatible time randomized delay";
default = "0";
};
};
}
)
);
in
{
options = {
services.nix-verify = lib.mkOption {
type = verify-type;
default = { };
};
};
config =
let
verifiers = lib.filterAttrs (_: { enable, ... }: enable) cfg;
in
{
systemd.services = lib.mapAttrs' (
_:
{
service-name,
verify-contents,
verify-trust,
signatures-needed,
...
}:
lib.nameValuePair "nix-verifiers@${service-name}" {
requires = [ "multi-user.target" ];
after = [ "multi-user.target" ];
description =
"Verify nix store (verify-contents: ${lib.boolToString verify-contents}, verify-trust: "
+ "${lib.boolToString verify-trust}, signatures-needed: ${builtins.toString signatures-needed})";
serviceConfig = {
Type = "oneshot";
User = "root";
ExecStart =
"${config.nix.package}/bin/nix store verify --all "
+ lib.optionalString (!verify-contents) "--no-contents "
+ lib.optionalString (!verify-trust) "--no-trust "
+ lib.optionalString (signatures-needed >= 0) "--sigs-needed ${signatures-needed}";
};
}
) verifiers;
systemd.timers = lib.mapAttrs' (
_:
{
service-name,
frequency,
randomized-delay-sec,
...
}:
lib.nameValuePair "nix-verifiers@${service-name}" {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = frequency;
OnUnitActiveSec = frequency;
RandomizedDelaySec = randomized-delay-sec;
Unit = "nix-verifiers@${service-name}.service";
};
}
) verifiers;
};
}

24
modules/yubikey.nix
View File

@@ -1,24 +0,0 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.adev.yubikey;
in
{
options = {
services.adev.yubikey = {
enable = lib.mkEnableOption "enable yubikey defaults";
enable-desktop-app = lib.mkEnableOption "installs desktop application";
};
};
config = lib.mkIf cfg.enable {
# enable the smart card daemon for certain yubikey operations
services.pcscd.enable = true;
environment.systemPackages = lib.optionals cfg.enable-desktop-app [ pkgs.yubioath-flutter ];
};
}

70
pkgs/bitwarden-rofi/default.nix
View File

@@ -1,70 +0,0 @@
# source: https://github.com/kylesferrazza/nix/blob/288edcd1d34884b9b7083c6d718fbe10febe0623/overlay/bitwarden-rofi.nix
# TODO https://github.com/mattydebie/bitwarden-rofi/issues/34
{
stdenv,
lib,
fetchFromGitHub,
makeWrapper,
unixtools,
xsel,
xclip,
wl-clipboard,
xdotool,
ydotool,
bitwarden-cli,
rofi,
jq,
keyutils,
libnotify,
}:
let
bins = [
jq
bitwarden-cli
unixtools.getopt
rofi
xsel
xclip
wl-clipboard
xdotool
ydotool
keyutils
libnotify
];
in
stdenv.mkDerivation {
pname = "bitwarden-rofi";
version = "git-2024-08-22";
src = fetchFromGitHub {
owner = "mattydebie";
repo = "bitwarden-rofi";
rev = "8be76fdd647c2bdee064e52603331d8e6ed5e8e2";
sha256 = "1h5d21kv8g5g725chn3n0i1frvmsrk3pm67lfxqcg50kympg0wwd";
};
buildInputs = [ makeWrapper ];
installPhase = ''
mkdir -p "$out/bin"
install -Dm755 "bwmenu" "$out/bin/bwmenu"
install -Dm755 "lib-bwmenu" "$out/bin/lib-bwmenu" # TODO don't put this in bin
install -Dm755 -d "$out/usr/share/doc/bitwarden-rofi"
install -Dm755 -d "$out/usr/share/doc/bitwarden-rofi/img"
install -Dm644 "README.md" "$out/usr/share/doc/bitwarden-rofi/README.md"
install -Dm644 img/* "$out/usr/share/doc/bitwarden-rofi/img/"
wrapProgram "$out/bin/bwmenu" --prefix PATH : ${lib.makeBinPath bins}
'';
meta = with lib; {
description = "Wrapper for Bitwarden and Rofi";
homepage = "https://github.com/mattydebie/bitwarden-rofi";
license = licenses.gpl3;
platforms = platforms.linux;
};
}

39
pkgs/lego-latest/default.nix
View File

@@ -1,39 +0,0 @@
{
lib,
fetchFromGitHub,
buildGoModule,
}:
buildGoModule rec {
pname = "lego";
version = "4.21.0";
src = fetchFromGitHub {
owner = "go-acme";
repo = pname;
rev = "v${version}";
hash = "sha256-3dSvQfkBNh8Bt10nv4xGplv4iY3gWvDu2EDN6UovSdc=";
};
vendorHash = "sha256-teA6fnKl4ATePOYL/zuemyiVy9jgsxikqmuQJwwA8wE=";
doCheck = false;
subPackages = [ "cmd/lego" ];
ldflags = [
"-s"
"-w"
"-X main.version=${version}"
];
meta = with lib; {
description = "Let's Encrypt client and ACME library written in Go";
license = licenses.mit;
homepage = "https://go-acme.github.io/lego/";
maintainers = teams.acme.members;
mainProgram = "lego";
};
#passthru.tests.lego = nixosTests.acme;
}

10
shell.nix
View File

@@ -38,17 +38,13 @@ forEachSystem (
};
# constructs a custom shell with commonly used utilities
adev = pkgs.mkShell {
rad-dev = pkgs.mkShell {
packages = with pkgs; [
deadnix
pre-commit
treefmt
statix
nixfmt
jsonfmt
mdformat
shfmt
yamlfmt
nixfmt-rfc-style
];
};
in
@@ -56,7 +52,7 @@ forEachSystem (
default = pkgs.mkShell {
inputsFrom = [
pre-commit
adev
rad-dev
sops
];
};

31
utils/sops-mergetool.sh → sops-mergetool.sh
View File

@@ -1,27 +1,17 @@
#!/usr/bin/env bash
# Exit on first error and verify variables have been set/passed via CLI
#set -eu
set -v
set -x
set -eu
# Rename our variables to friendlier equivalents
# https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
base="$1"
local_="$2"
remote="$3"
merged="$4"
echo "$base"
echo "$local_"
echo "$remote"
echo "$merged"
base="$1"; local_="$2"; remote="$3"; merged="$4"
# Resolve our default mergetool
# https://github.com/git/git/blob/v2.8.2/git-mergetool--lib.sh#L3
mergetool="$(git config --get merge.tool)"
GIT_DIR="$(git --exec-path)"
if test "$mergetool" = ""; then
echo 'No default `merge.tool` was set for `git`. Please set one via `git config --set merge.tool <tool>`' 1>&2
echo "No default \`merge.tool\` was set for \`git\`. Please set one via \`git config --set merge.tool <tool>\`" 1>&2
exit 1
fi
@@ -35,7 +25,7 @@ merged_decrypted="${base_decrypted/_BASE_/_MERGED_}"
backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}"
# If anything goes wrong, then delete our decrypted files
handle_trap_exit() {
handle_trap_exit () {
rm $base_decrypted || true
rm $local_decrypted || true
rm $remote_decrypted || true
@@ -45,13 +35,13 @@ handle_trap_exit() {
trap handle_trap_exit EXIT
# Decrypt our file contents
sops --decrypt --show-master-keys "$base" >"$base_decrypted"
sops --decrypt --show-master-keys "$local_" >"$local_decrypted"
sops --decrypt --show-master-keys "$remote" >"$remote_decrypted"
sops --decrypt --show-master-keys "$base" > "$base_decrypted"
sops --decrypt --show-master-keys "$local_" > "$local_decrypted"
sops --decrypt --show-master-keys "$remote" > "$remote_decrypted"
# Create a merge-diff to compare against
set +e
git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" >"$merged_decrypted"
git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" > "$merged_decrypted"
set -e
cp "$merged_decrypted" "$backup_decrypted"
@@ -69,7 +59,7 @@ source "$GIT_DIR/git-mergetool--lib"
source "$GIT_DIR/mergetools/$mergetool"
# Override `check_unchanged` with a custom script
check_unchanged() {
check_unchanged () {
# If the contents haven't changed, then fail
if test "$MERGED" -nt "$BACKUP"; then
return 0
@@ -85,4 +75,5 @@ merge_cmd
set -eu
# Re-encrypt content
sops --encrypt "$merged_decrypted" >"$merged"
sops --encrypt "$merged_decrypted" > "$merged"

2
statix.toml
View File

@@ -1,4 +1,4 @@
disabled = ["empty_pattern"]
nix_version = '2.25'
nix_version = '2.4'
ignore = ['.direnv']

438
systems/artemision/ao3_skins/happy_17th.css
View File

@@ -1,438 +0,0 @@
#footer .group,
.post fieldset fieldset,
fieldset fieldset {
background: none;
}
#header {
background: #000 url('https://media.archiveofourown.org/news/milestones/2024-08-seventeen-years-otw/2024-08-seventeen-years-otw-pattern.jpg');
background-size: 350px;
}
#header .heading a,
#header .primary .dropdown a:focus,
#header .heading a:visited,
#main .pagination .current,
h2 {
color: #ffe8b4;
}
#header .clear,
#footer {
border-color: #191919;
}
#header .actions a[href="/menu/fandoms"],
#header .actions a[href="/menu/browse"],
#header .actions a[href="/menu/search"],
#header .actions a[href="/menu/about"] {
color: #fff;
}
#footer ul {
background: url('https://live.staticflickr.com/7284/9616997915_4194b6c6f7_h.jpg');
background-size: 350px;
}
#footer ul li:nth-child(1) ul,
#footer ul li:nth-child(2) ul,
#footer ul li:nth-child(3) ul,
#footer ul li:nth-child(4) ul {
background: rgba(0, 0, 0, 0.0);
}
#header .primary {
background: #8a1a10;
}
#footer {
background: #8a1a10;
}
input[type="text"],
textarea,
select {
background: #222;
color: #fff;
}
select:focus {
background: #2a2a2a;
}
option {
background: #555;
color: #fff;
}
#work form fieldset.work.meta dl dd.warning.required fieldset,
#main form fieldset.work.meta dl dd.warning.required fieldset {
color: #fff;
}
#bookmark-form form {
background: #2a2a2a;
color: #fff;
}
#error {
color: #191919;
}
fieldset,
.verbose fieldset {
border-color: #404040;
background: #191919;
border: 1px solid #595959;
}
.search [role=tooltip] {
background: #333;
border: 1px solid #666;
}
#main a:visited {
color: #ccc;
}
#main a.tag:visited:hover {
color: #111;
}
body,
.group,
.group .group,
.region,
.flash,
form dl,
#main .verbose legend,
.notice,
ul.notes,
table,
th,
td:hover,
tr:hover,
.symbol .question:hover,
#modal,
.ui-sortable li,
.required .autocomplete,
.autocomplete .notice,
.system .intro,
.comment_error,
.kudos_error,
div.dynamic,
.dynamic form,
#ui-datepicker-div,
.ui-datepicker table {
background: #191919;
color: #eee;
border-color: #222;
outline: #111;
box-shadow: none;
}
#header .actions a:hover,
#header .actions a:focus,
#header .dropdown:hover a,
#header .open a,
#header .menu,
#small_login,
.group.listbox,
fieldset fieldset.listbox,
.listbox,
form blockquote.userstuff,
input:focus,
textarea:focus,
li.relationships a,
.group.listbox .index,
.dashboard fieldset fieldset.listbox .index,
#dashboard a:hover,
th,
#dashboard .secondary,
.secondary,
.thread .even,
.system .tweet_list li,
.ui-datepicker tr:hover {
background: #2A2A2A;
}
a,
a.tag,
a:link,
#header a:visited,
#header .primary .open a,
#header .primary .dropdown:hover a,
#header #search input:focus,
#header #search input:hover,
.userstuff h2,
#dashboard a,
#dashboard span,
#dashboard .current,
.group .heading,
.filters dt a:hover {
color: #fff;
}
#header .dropdown .menu a:hover,
#header .dropdown .menu a:focus,
.splash .favorite li:nth-of-type(odd) a,
.ui-datepicker td:hover,
#tos_prompt .heading,
#tos_prompt [disabled] {
background: #111;
color: #ffe8b4;
}
#outer,
.javascript,
.statistics .index li:nth-of-type(even),
#tos_prompt,
.announcement input[type="submit"] {
background: #191919;
}
#dashboard ul,
dl.meta,
.group.listbox,
fieldset fieldset.listbox,
#main li.blurb,
form blockquote.userstuff,
div.comment,
li.comment,
.toggled form,
form dl dt,
form.single fieldset,
#inner .module .heading,
.bookmark .status span,
.splash .news li,
.filters .group dt.bookmarker {
border-color: #555;
}
.group.listbox,
fieldset fieldset.listbox,
#main li.blurb,
.wrapper,
#dashboard .secondary,
.secondary,
form blockquote.userstuff,
.thread .comment,
.toggled form {
box-shadow: 1px 1px 3px #000;
}
#dashboard .current,
.actions a:active,
a.current,
.current a:visited,
span.unread,
.replied,
span.claimed,
dl.index dd,
.own,
.draft,
.draft .unread,
.child,
.unwrangled,
.unreviewed,
.ui-sortable li:hover {
background: #000;
border-color: #555;
box-shadow: -1px -1px 3px #000;
}
input,
textarea {
box-shadow: inset 0 1px 2px #000;
}
li.blurb,
.blurb .blurb,
.listbox .index,
fieldset fieldset.listbox,
.dashboard .listbox .index {
box-shadow: inset 1px 1px 3px #000;
}
#footer a:hover,
#footer a:focus,
.autocomplete .dropdown ul li:hover,
.autocomplete .dropdown li.selected,
a.tag:hover,
.listbox .heading a.tag:visited:hover,
.symbol .question {
background: #ffedc5;
border-color: #988352;
color: #111;
}
#header #greeting img,
#header .user a:hover,
#header .user a:focus,
#header fieldset,
#header form,
#header p,
#dashboard a:hover,
.actions a:hover,
.actions input:hover,
.delete a,
span.delete,
span.unread,
.replied,
span.claimed,
.draggable,
.droppable,
span.requested,
a.work,
.blurb h4 a:link,
.blurb h4 img,
.splash .module h3,
.splash .browse li a:before,
.required,
.error,
.comment_error,
.kudos_error,
a.cloud7,
a.cloud8,
#tos_prompt .heading {
color: #ffe8b4;
}
#greeting .icon,
#dashboard,
#dashboard.own,
.error,
.comment_error,
.kudos_error,
.LV_invalid,
.LV_invalid_field,
input.LV_invalid_field:hover,
input.LV_invalid_field:active,
textarea.LV_invalid_field:hover,
textarea.LV_invalid_field:active,
.qtip-content {
border-color: #8a1a10;
}
.splash .favorite li:nth-of-type(odd) a:hover,
.splash .favorite li:nth-of-type(odd) a:focus .splash .favorite li:nth-of-type(odd) a:visited:hover,
.splash .favorite li:nth-of-type(odd) a:visited:focus {
background: #ffe8b4;
color: #111;
}
a:visited,
.actions a:visited,
.action a:link,
.action a:visited,
.listbox .heading a:visited,
span.series .divider {
color: #999;
}
.actions a,
.actions a:link,
.action,
.action:link,
.actions input,
input[type="submit"],
button,
.current,
.actions label,
#header .actions a,
#outer .current {
background: #555;
border-color: #222;
color: #eee;
box-shadow: inset 0 -8px 4px #232323, inset 0 8px 7px #555;
text-shadow: none;
}
.actions a:hover,
.actions input:hover,
#dashboard a:hover,
.actions a:focus,
.actions input:focus,
#dashboard a:focus,
.actions .disabled select {
color: #999;
border-color: #000;
box-shadow: inset 2px 2px 2px #000;
}
.actions a:active,
.current,
a.current,
.current a:visited {
color: #fff;
background: #555;
border-color: #fff;
box-shadow: inset 1px 1px 3px #191919;
}
.delete a,
span.delete {
box-shadow: -1px -1px 2px rgba(255,255,255.25);
}
.actions label.disabled {
background: #222;
box-shadow: none;
}
ul.required-tags,
.bookmark .status span,
.blurb .icon {
opacity: 0.9;
border: 0;
}
#outer .group .heading,
#header .actions a,
fieldset.listbox .heading,
.userstuff .heading {
text-shadow: none;
color: #fff;
background: none;
}
#header .actions a,
fieldset fieldset,
.mce-container button,
.filters .expander,
.actions .disabled select {
box-shadow: none;
}
fieldset fieldset.listbox {
outline: none;
}
form dd.required {
color: #eee;
}
.mce-container input:focus {
background: #F3EFEC;
}
.announcement .userstuff a,
.announcement .userstuff a:link,
.announcement .userstuff a:visited:hover {
color: #111;
}
.announcement .userstuff a:visited {
color: #666;
}
.announcement .userstuff a:hover,
.announcement .userstuff a:focus {
color: #999;
}
.event.announcement .userstuff a,
.filters .expander {
color: #eee;
}

97
systems/artemision/configuration.nix
View File

@@ -1,24 +1,22 @@
{
config,
lib,
pkgs,
config,
...
}:
{
imports = [
./audio.nix
./desktop.nix
./fingerprint.nix
./fonts.nix
./graphics.nix
./libvirt.nix
./polkit.nix
./programs.nix
./steam.nix
./stylix.nix
./desktop.nix
./wifi.nix
./zerotier.nix
../palatine-hill/ollama.nix
./fonts.nix
./polkit.nix
./audio.nix
./fingerprint.nix
./steam.nix
./graphics.nix
./libvirt.nix
];
time.timeZone = "America/New_York";
@@ -33,31 +31,21 @@
};
boot = {
#kernelPackages = lib.mkForce pkgs.linuxPackages_6_6;
kernelPackages = lib.mkForce pkgs.linuxPackages_zen;
useSystemdBoot = true;
default = true;
};
i18n = {
defaultLocale = "en_US.utf8";
supportedLocales = [ "en_US.UTF-8/UTF-8" ];
};
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
services = {
ollama = {
package = lib.mkForce pkgs.ollama-rocm;
models = lib.mkForce "${config.services.ollama.home}/models";
loadModels = lib.mkForce [
"deepseek-r1:1.5b"
"lennyerik/zeta"
"nomic-embed-text:latest"
"glm-4.7-flash"
"magistral"
"devstral-small-2"
"starcoder2:7b"
];
};
flatpak.enable = true;
calibre-web = {
# temp disable this
enable = false;
enable = true;
listen = {
ip = "127.0.0.1";
};
@@ -66,7 +54,7 @@
};
};
calibre-server = {
enable = false;
enable = true;
user = "calibre-web";
group = "calibre-web";
@@ -75,45 +63,42 @@
fwupd = {
enable = true;
# package =
# (import (builtins.fetchTarball {
# url = "https://github.com/NixOS/nixpkgs/archive/bb2009ca185d97813e75736c2b8d1d8bb81bde05.tar.gz";
# sha256 = "sha256:003qcrsq5g5lggfrpq31gcvj82lb065xvr7bpfa8ddsw8x4dnysk";
# }) { inherit (pkgs) system; }).fwupd;
package =
(import (builtins.fetchTarball {
url = "https://github.com/NixOS/nixpkgs/archive/bb2009ca185d97813e75736c2b8d1d8bb81bde05.tar.gz";
sha256 = "sha256:003qcrsq5g5lggfrpq31gcvj82lb065xvr7bpfa8ddsw8x4dnysk";
}) { inherit (pkgs) system; }).fwupd;
};
mullvad-vpn.enable = true;
fprintd.enable = lib.mkForce false;
fprintd.enable = true;
openssh.enable = lib.mkForce false;
adev.yubikey = {
spotifyd = {
enable = true;
enable-desktop-app = true;
settings = {
global = {
username = "snowinginwonderland@gmail.com";
password_cmd = "cat ${config.sops.secrets."apps/spotify".path}";
use_mpris = false;
};
};
#systemd.services.spotifyd.serviceConfig = systemd.services.spotifyd.
};
};
users.users = {
alice.extraGroups = [ "calibre-web" ];
};
users.users.alice.extraGroups = [ "calibre-web" ];
system.autoUpgrade.enable = false;
system.stateVersion = "24.05";
environment.variables = {
"KWIN_DRM_NO_DIRECT_SCANOUT" = "1";
};
#nixpkgs.config = {
# rocmSupport = true;
#};
sops = {
defaultSopsFile = ./secrets.yaml;
#secrets = {
# "apps/spotify" = {
# group = "audio";
# restartUnits = [ "spotifyd.service" ];
# mode = "0440";
# };
#};
secrets = {
"apps/spotify" = {
group = "audio";
restartUnits = [ "spotifyd.service" ];
mode = "0440";
};
};
};
}

4
systems/artemision/default.nix
View File

@@ -3,12 +3,10 @@
system = "x86_64-linux";
home = true;
sops = true;
lix = true;
server = false;
users = [ "alice" ];
modules = [
inputs.nixos-hardware.nixosModules.framework-16-amd-ai-300-series
inputs.stylix.nixosModules.stylix
inputs.nixos-hardware.nixosModules.framework-16-7040-amd
{
environment.systemPackages = [
inputs.wired-notify.packages.x86_64-linux.default

58
systems/artemision/desktop.nix
View File

@@ -3,38 +3,30 @@
{
# installs hyprland, and its dependencies
programs = {
hyprland = {
enable = true;
xwayland.enable = true;
withUWSM = true;
};
hyprlock.enable = true;
gnupg.agent = {
enable = true;
#pinentryPackage = pkgs.pinentry-rofi;
pinentryPackage = pkgs.pinentry-gnome3;
#settings = {
# keyserver-options = "auto-key-retrieve";
# auto-key-locate = "hkps://keys.openpgp.org";
# keyserver = "hkps://keys.openpgp.org";
#keyserver = "hkp://pgp.mit.edu";
# "na.pool.sks-keyservers.net"
# "ipv4.pool.sks-keyservers.net"
# "p80.pool.sks-keyservers.net"
# ];
#};
};
ydotool.enable = true;
programs.hyprland = {
enable = true;
xwayland.enable = true;
};
# Optional, hint electron apps to use wayland:
environment.sessionVariables.NIXOS_OZONE_WL = "1";
services = {
displayManager.gdm = {
xserver = {
enable = true;
wayland = true;
displayManager.session = [
{
manage = "desktop";
name = "hyprland";
start = ''
bash ${./hypr/wrappedhl} &
waitPID=$!
'';
}
];
displayManager.gdm = {
enable = true;
wayland = true;
};
};
dbus = {
@@ -43,8 +35,20 @@
};
};
powerManagement = {
programs.gnupg.agent = {
enable = true;
#pinentryPackage = pkgs.pinentry-rofi;
pinentryPackage = pkgs.pinentry-gnome3;
#settings = {
# keyserver-options = "auto-key-retrieve";
# auto-key-locate = "hkps://keys.openpgp.org";
# keyserver = "hkps://keys.openpgp.org";
#keyserver = "hkp://pgp.mit.edu";
# "na.pool.sks-keyservers.net"
# "ipv4.pool.sks-keyservers.net"
# "p80.pool.sks-keyservers.net"
# ];
#};
};
environment.systemPackages = with pkgs; [

18
systems/artemision/fonts.nix
View File

@@ -3,13 +3,17 @@
fonts = {
fontconfig.enable = true;
enableDefaultPackages = true;
packages = with pkgs.nerd-fonts; [
fira-code
droid-sans-mono
hack
dejavu-sans-mono
noto
open-dyslexic
packages = with pkgs; [
(nerdfonts.override {
fonts = [
"FiraCode"
"DroidSansMono"
"Hack"
"DejaVuSansMono"
"Noto"
"OpenDyslexic"
];
})
];
};
}

3
systems/artemision/graphics.nix
View File

@@ -6,10 +6,13 @@
enable = true;
enable32Bit = true;
## amdvlk: an open-source Vulkan driver from AMD
extraPackages = with pkgs; [
amdvlk
rocmPackages.clr.icd
];
extraPackages32 = with pkgs; [
driversi686Linux.amdvlk
rocmPackages.clr.icd
];
};

11
systems/artemision/hardware.nix
View File

@@ -20,9 +20,6 @@
"usb_storage"
"usbhid"
"sd_mod"
"ip_vs"
"ip_vs_rr"
"nf_conntrack"
];
initrd.kernelModules = [
"dm-snapshot"
@@ -55,6 +52,7 @@
options = [
"noatime"
"nodiratime"
"discard"
];
};
@@ -64,6 +62,7 @@
options = [
"noatime"
"nodiratime"
"discard"
];
};
@@ -73,6 +72,7 @@
options = [
"noatime"
"nodiratime"
"discard"
];
};
@@ -82,11 +82,12 @@
options = [
"noatime"
"nodiratime"
"discard"
];
};
};
swapDevices = [ { device = "/dev/disk/by-uuid/3ec276b5-9088-45b0-9cb4-60812f2d1a73"; } ];
swapDevices = [ { device = "/dev/disk/by-uuid/7f0dba0f-d04e-4c94-9fba-1d0811673df1"; } ];
boot.initrd.luks.devices = {
"nixos-pv" = {
@@ -100,7 +101,7 @@
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.interfaces.wlp191s0.useDHCP = lib.mkDefault true;
networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;

9
systems/artemision/libvirt.nix
View File

@@ -12,6 +12,15 @@
package = pkgs.qemu_kvm;
runAsRoot = true;
swtpm.enable = true;
ovmf = {
enable = true;
packages = [
(pkgs.OVMF.override {
secureBoot = true;
tpmSupport = true;
}).fd
];
};
};
};
users.users.alice = {

19
systems/artemision/private-wifi.nix
View File

@@ -1,19 +0,0 @@
{ ... }:
{
networking.nameservers = [
"9.9.9.9"
"1.1.1.1"
#"192.168.76.1"
];
#services.resolved = {
# enable = true;
# dnssec = "false";
# domains = [ "~." ];
# fallbackDns = [
# "1.1.1.1#one.one.one.one"
# "1.0.0.1#one.one.one.one"
# ];
# dnsovertls = "true";
#};
}

37
systems/artemision/programs.nix
View File

@@ -3,9 +3,7 @@
environment.systemPackages = with pkgs; [
act
alacritty
attic-client
amdgpu_top
android-tools
bat
bitwarden-cli
bfg-repo-cleaner
@@ -14,46 +12,40 @@
calibre
# calibre dedrm?
candy-icons
chromium
chromedriver
#claude-code
cinnamon.nemo-with-extensions
croc
deadnix
direnv
easyeffects
discord
discord-canary
eza
fanficfare
ferium
fd
file
firefox
# gestures replacement
git
glances
gpu-viewer
grim
headsetcontrol
htop
hwloc
ipmiview
iperf3
# ipscan
ipscan
jp2a
jq
kdePackages.kdenlive
kitty
kubectl
kubernetes-helm
libreoffice-fresh
libtool
lsof
lynis
masterpdfeditor4
minikube
mons
mpv
# nbt explorer?
ncdu
nemo-with-extensions
neofetch
neovim
nix-init
nix-output-monitor
@@ -61,8 +53,6 @@
nix-tree
nixpkgs-fmt
nmap
obs-studio
obsidian
ocrmypdf
pciutils
#disabled until wxpython compat with python3.12
@@ -70,18 +60,17 @@
prismlauncher
protonmail-bridge
protontricks
proxychains
qrencode
redshift
restic
ripgrep
rpi-imager
rofi
samba
rofi-wayland
signal-desktop
# signal in tray?
siji
simple-mtpfs
slack
slurp
smartmontools
snyk
@@ -95,16 +84,18 @@
tig
tokei
tree
unipicker
unzip
unipicker
uutils-coreutils-noprefix
ventoy
vscode
watchman
wget
wl-clipboard
yq
yt-dlp
xboxdrv
yubioath-flutter
zoom-us
zoxide
zoom
];
}

66
systems/artemision/secrets.yaml
View File

@@ -1,42 +1,54 @@
hello: ENC[AES256_GCM,data:BTCBuBxHFO8vwXU/bsAZryM5rXUOEi0brlvq6DtqfZbzxGz4LaW89VO75MERHQ==,iv:fwqI3arwtlZQ5DtvpVbh21ThuZP8zcqCHsmuJuCfCsY=,tag:tkkEO8/eEDCakdlT0NvajA==,type:str]
example_key: ENC[AES256_GCM,data:xzsymSb4oD70twtoKQ==,iv:9vBmAKET2VIuDSq7AOyvdYWLGlL6cYHTWxy/Z5bB1+c=,tag:NbV4eA2aaY4cQAKUy3QOpw==,type:str]
#ENC[AES256_GCM,data:zeOCzRd/nFRhbANHxPyyjw==,iv:9MmHl3OyhJHVU+cUFJ4QitHd4SeDe3ctaky+yfvk8Zs=,tag:uPGRJtgQj1vIdLt2+w0krg==,type:comment]
hello: ENC[AES256_GCM,data:UJlsd5kvnhEv7eJeYwg+NHm9sgUAxYM5DoR0gDPLi9J7P+8FI8WPMkN1wEAHJA==,iv:NFSdZQ1OK4BT+EAGZz122NB7WrVCEzv4wwMxFIE/OKI=,tag:6YT7Vw8tFrw9iEFKxeKRFQ==,type:str]
example_key: ENC[AES256_GCM,data:KMXgMrqe7M101ZMJ2g==,iv:MJ3Iiu/0KIVhPFnqfovysqvPJAv1OsnxE4VIsuexFkE=,tag:X6KIKNGym8/9VglmG3SNRw==,type:str]
#ENC[AES256_GCM,data:QR3WNE/a1hZIXnTjFjK3kA==,iv:eXoZJ5rQaYqN7LjEp2M13OCMwuQ+80M5AXjV0uNc4C8=,tag:sCvL6pr9zAyWZziffVFMzg==,type:comment]
example_array:
- ENC[AES256_GCM,data:Nwn96XJv8xZWRYv8qws=,iv:K30LBMC8e1vUS0XE+4EIYb3xUUyn6232YmhV2vI9Qnc=,tag:HRe3S88zwj/CjG6NTvjdRQ==,type:str]
- ENC[AES256_GCM,data:l2nuwoAbwaDFHpEWV1Y=,iv:7/2rTd8agUvx73eftpOgidV4XjDUv/JppLIIsiuycnU=,tag:Ohi4JULWDNXJPWZaeXHEdw==,type:str]
example_number: ENC[AES256_GCM,data:toi1e/biUd2Tng==,iv:MPCfhhX9DDaOSzx/L5LTf2VYffin8XvxVyhNDqZLsec=,tag:tE/lml3afP/NjRtpPraoRQ==,type:float]
- ENC[AES256_GCM,data:g8PulCLrXZYSEdZJELE=,iv:irGwciFn1zXBxFpGAJtD46EQLGUO5oqdCzRgv1204JE=,tag:2MuDdRYMjhtTY++lPuj1FQ==,type:str]
- ENC[AES256_GCM,data:qv7GvmoOX8VSdaiW/90=,iv:6NOWeWqHUV9ciKPmZF4C7ijuIPFr3YZi3Dh7xWnb07k=,tag:VHXdBhWmEpb7uavCPqGZ4w==,type:str]
example_number: ENC[AES256_GCM,data:g8BIEIcwKRLSbw==,iv:Ay4aiukAvXeDhzlpMPn++zR0Tt2lMqCx362uN37S+ac=,tag:NTtNaIu5u8YsIm0M4OgL0A==,type:float]
example_booleans:
- ENC[AES256_GCM,data:02CVNA==,iv:L9GmIm9ynm2cWTyd3iYo4fgIeneUyFpEzzzxicM/YNI=,tag:k2EIboiL+c4W1H2OpA2Rqw==,type:bool]
- ENC[AES256_GCM,data:6SJ0JKI=,iv:J0qSvWoOcDwSXCKyau+a0YcCGuH5WABHVh6Kdigac20=,tag:WQdNfjcubbzoHnQW4gua8g==,type:bool]
- ENC[AES256_GCM,data:94T9mg==,iv:qKGJke4SGhgN09Yebh5MPrRBDNnguJQ+1dl5XQffGZQ=,tag:0Pa3eujmSxDCnAHKHsx6yQ==,type:bool]
- ENC[AES256_GCM,data:gEvfi+Q=,iv:0DrXoZk8OkdUShc7WAKOL8xG26RFZp3M3qYFAb1hDAs=,tag:uemBrdF87nrfLpfnQ8bD8g==,type:bool]
apps:
spotify: ENC[AES256_GCM,data:tIABPphA7Vr6VNvJpWTS9kDmidU=,iv:ciQzr8jyIcHYi797NKypPs7FhDgK5ToVZ0eZHHF8UtE=,tag:wUTL/x1p24cXyPUAL1dPfg==,type:str]
wifi-env: ENC[AES256_GCM,data:mxPCyunx8yOahcuVhZCzuqAt/G89lMBnZme+qwcxO4LsCftx7h2FotA+wnlj1++vmPW5zL72q2kzxh0KcVlYqK9fpOrMY/FJeJXWYNMZIHesmWKlaaeA1wM/q1dSllwuVuULp9WQzipiQHwcCCLseo3bmCsYpbs8PUibrDgbDqXreTSjJBNTVzwOGpz1bZCSpEynS+dQQViRSNcVeYTOLxrOTxx5lyEOIhgIc3167ObhK+7bJVG2ZcP209Gllip4XkCj/FKnEwg2vVF5Dpofz7T2Op5ef/oNzahhKmCa+k7OPqITWwPYZg7pqAf6jdMy4eBP/A==,iv:Q6IMqePFwd1b1pSuh+TIwcag2bbJXyIYUmJWY6UaaqI=,tag:UZ5ak6nmHkNG0uBMTl1CwQ==,type:str]
#ENC[AES256_GCM,data:G9ggYJ3YA+E=,iv:nZ5NgeyNKFXFIpquoY68Z2Jz9QROqvf5tv7/s1wSgKk=,tag:QAX555IsAMaWAlz9ywSzjQ==,type:comment]
spotify: ENC[AES256_GCM,data:bp1pdOfS+VGWLtepUjg7KFWw8Fk=,iv:twGO3CjzRxAU81C93mX8qIEZ/FYIQRJnMd2HIuvP9q8=,tag:AJgs0QGFH30E8+ZpaB02TQ==,type:str]
wifi-env: ENC[AES256_GCM,data:NGI090aVGojJ7+lvcknJfZBQKb0b/tUrd2AqEl5IWQWCJdqqaO4pCrs3C+IW06/pz9FWgMxx9tPu32xmMZaPnnlLD+XyVJ71L2P22U6YufRPRfvyv6swOlihscOZ5tsFFYShjXpow0PfmYS+tP9mYLb2RYFLGQmvI4fa4LaVjuwPXAMg3RN/gVXR6bMEpd/7OIr+tIxC5sTE7V7fIbyzcn4=,iv:VbtgvwMHo1iLuTKCA7KjEXC1d1MY4aHfmXI6yuCGZVI=,tag:dGmw+icLKL9dJQExy83m1A==,type:str]
#ENC[AES256_GCM,data:pC2Kdy7wNc0=,iv:J7Ggfv6K3dCzL42j5MGd+BjQGseoAoYs4k6+yc3FSiA=,tag:9MriduP9SEIi+c1q4tfzlQ==,type:comment]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWbElNRkxyZ2VjaitiTWx2
eThsY0h3a2NCZDloWG0rU1ZwVnhOY2VJTXlFCnp3UzNDR216L2R4cVdyWjFqbkRr
cFJGQjQ4Qk9zblYyckVFY3VNekNuajQKLS0tIEdRWldHMjlpTElxQWFVUlh4L1lz
d09aSXN0ZUh3VC9XeTZ4UWoxVDNVN0UKF1eU/IQJgJ8Fg+MrfqQuEZZ775hvtUJR
D/ZS4vj+sDLWq6gy2lIBhRSIAHWrz5gHxvOOGmRnpvkqh9TS6XjLIA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRZUNHeDdqaGt0QnFIejdM
MU5uaDNiN2xOeVlZNzQyZXZ0R2NYUU83ZWxrCmNDL3J6ZjNmejBuUXk3cldwZUEz
UWVqMTVPelN1MTJDNzc0UU9XNWkralUKLS0tIDU2b053Uk5VZGlWUk9XMXZ5Wllk
UlhhNzNjTHdVaXlPOFJhc0EyZGh3RDQK1c7nctmrorze4Kr0Grmcmx3N/UYXPwJc
FfClOoGxO+4ZDtxG61SDU1UdYae4loQ8roM8jDIPFMfoEum2bT8oXw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-03T19:32:16Z"
mac: ENC[AES256_GCM,data:q5NppTtZZA9Oo15zI0pAZ/YN2qu0TneDPMJY9rXtWlYfG7Pq5taRyc9MpV7CyEt+qWMkN//O3/sA4jmQTtpT8JuYIEa+/x5cfSZ5w0ErjKdV4/IyDs1LPDKNLXIWlmPMo61VvsKW9DZRBRml9qtR1ypeHBuz0pjECBwAQPEcw9k=,iv:X7wUOxn4BsvqCPmNZvH75hyAzUeD7Qtp+4e4SLpPWlI=,tag:Dp6Bu3zEkRaRPdOwWil13g==,type:str]
lastmodified: "2024-08-03T02:45:15Z"
mac: ENC[AES256_GCM,data:PsEeb2leFb500YYHg+5YHwGVHKUPB7qVqaJY66hnkmCa5MKAZkHqSgtVvh+Ai4fN9E+WFtjlso2a4oasQMNwVXsmt54+q1/Mz5zF2D/1nvaNL76fEod2YXp2jlGxNniyPfRaZXDu+QQLhoz2PBoe6OQ9E5WRDV88j7gksy6GePw=,iv:H7Q9fbvdgh+NZNyyupByQETWsgpXVXn0blQV1Ww7eQM=,tag:cpWykzgH9/mWTKxmEDZ9PA==,type:str]
pgp:
- created_at: "2024-11-28T18:57:09Z"
- created_at: "2024-03-23T05:46:35Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DQWNzDMjrP2ISAQdALiZMzuQViM23hoFebCXYfQUIvCluWqAEeSJyE/LRHG8w
nQnIVPRIbzLzWfCf+48EW6f7zonHmNY7D9F9KohDmCTcJ5/WvXsJKjebuohR62TF
1GYBCQIQq7nEvwSfn+l5AevKIiodA4BLfM326JSx5hJ6XdrE0MzZo1uoMwKKuxig
mPbDP8Rx51v9f+9DzjBg6kQD5w411HADL8th+wSkpmasP8ozIeiNiIKzzoJc/fD6
AOsExCUt8FU=
=wRT+
hQIMA84hNUGIgI/nAQ/+IwyPDjs/jDCBlnYFboHh6TXx8ulysESst4hz5crM4L0u
wylKyfEIBx0eLy0mLLA4DhcpYza0Nry5RLdwDNfimhATErfQxnwqlZ6RnYKnh3Hk
93L66+BEKPd3EZOH+RC/wb0qiTDmU0yna8jtVO0uU7s6//hm/g7bdmQAK0YIJLcb
sd83n99R4oHVrq7iFc74/AV5isW9GcfmvLI94eodFpaE1dpqm4KzNpLueDCOvA/1
vPo5Lgtp9WM4FhXUqMiplCNqMIt+Hyj3F+p+9jgQ2dLfHuVkI8pzd47gOHyMDYPy
fn6SVKZtOyfNDwhs7L5piiarSXISBGtx36ISDvtvtr/vgMydTdvILIOo9pkSGVtN
4W7+ywMaFjfAeShTVtUJNJqmp/8agt2WtaUX4kPPha4SxlNSOMpeTQ31bs89gBtc
g2325afL2WPK4NSAOmU8VMXqmFc2A10aFlx5nsfT4S1wkoNbitTWgoAcCa7kGRPW
xZca225cwLUzkggv74cfYT3YnQL40AMSOMqSRS8pbTFEENG1BtsB5A++Jji2i4tO
xoGIL8LRCEfiHpTC7eBwDDVmKb5StgKsXs6yYbQG5XW2W+/Jgum64Sb7+LviQ9Mq
WHNiu5MZPeKyHFu9jI9Ne1HpYJnb7/X9AxFw2e/vFwVn+kjaXcH/PhsYuPUyqkzS
XgG3tFbcgNtMWyoLU2EL1Qvwq1pHVrwmeNXHidESx23HeJtnIwoKkdopl4qqqNle
uQYP89bvb6zFWlqOSwLORZmj1W1wVTYV9eXplDbJob8agBKIcIuhtwri5e96gf4=
=XdJo
-----END PGP MESSAGE-----
fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
fp: F63832C3080D6E1AC77EECF80B4245FFE305BC82
unencrypted_suffix: _unencrypted
version: 3.11.0
version: 3.9.0

5
systems/artemision/steam.nix
View File

@@ -4,10 +4,7 @@
environment.systemPackages = [ pkgs.steam-run ];
hardware.steam-hardware.enable = true;
programs = {
gamescope = {
enable = true;
capSysNice = true;
};
gamescope.enable = true;
steam = {
enable = true;
remotePlay.openFirewall = true;

10
systems/artemision/stylix.nix
View File

@@ -1,10 +0,0 @@
{ pkgs, ... }:
{
stylix = {
enable = true;
image = "${pkgs.hyprland}/share/hypr/wall2.png";
#image = "/home/alice/Pictures/Screenshots/screenshot_2024-12-04-2030.png";
polarity = "dark";
};
}

59
systems/artemision/wifi.nix
View File

@@ -1,52 +1,55 @@
{ config, lib, ... }:
{ config, ... }:
let
always = 100;
home = 99;
public_wifi = false;
in
{
imports = lib.optionals (!public_wifi) [
./private-wifi.nix
];
networking.wireless = {
enable = true;
secretsFile = config.sops.secrets."wifi-env".path;
userControlled = true;
environmentFile = config.sops.secrets."wifi-env".path;
userControlled.enable = true;
networks = {
"taetaethegae-2.0" = {
pskRaw = "ext:PASS_taetaethegae_20";
psk = "@PASS_taetaethegae_20@";
priority = home;
};
"k" = {
pskRaw = "ext:PASS_k";
psk = "@PASS_k@";
priority = always;
};
"Bloomfield".pskRaw = "ext:PASS_bloomfield";
"9872441500".pskRaw = "ext:PASS_longboat_home";
"9872441561".pskRaw = "ext:PASS_longboat_home";
"5HuFios".pskRaw = "ext:PASS_longboat_home";
"24HuFios".pskRaw = "ext:PASS_longboat_home";
"Verizon_ZLHQ3H".pskRaw = "ext:PASS_angie";
"Fios-Qn3RB".pskRaw = "ext:PASS_parkridge";
"Mojo Dojo Casa House".pskRaw = "ext:PASS_Carly";
"bwe_guest".pskRaw = "ext:PASS_BWE_NE";
# Public wifi connections
# set public_wifi on line 5 to true if connecting to one of these
#"optimumwifi" = { };
#"CableWiFi" = { };
#"Hilton Honors" = { };
# Work wifi
"JPMCVisitor" = { };
"Bloomfield".psk = "@PASS_bloomfield@";
"9872441500".psk = "@PASS_longboat_home@";
"9872441561".psk = "@PASS_longboat_home@";
"5HuFios".psk = "@PASS_longboat_home@";
"24HuFios".psk = "@PASS_longboat_home@";
"Verizon_ZLHQ3H".psk = "@PASS_angie@";
"optimumwifi" = { };
"CableWiFi" = { };
};
};
networking.nameservers = [
"9.9.9.9"
"1.1.1.1"
"192.168.76.1"
];
services.resolved = {
enable = true;
dnssec = "true";
domains = [ "~." ];
fallbackDns = [
"1.1.1.1#one.one.one.one"
"1.0.0.1#one.one.one.one"
];
dnsovertls = "true";
};
sops = {
defaultSopsFile = ./secrets.yaml;
secrets = {
"wifi-env" = {
owner = "wpa_supplicant";
owner = "root";
restartUnits = [ "wpa_supplicant.service" ];
};
};

106
systems/bob/configuration.nix Normal file
View File

@@ -0,0 +1,106 @@
{
imports = [
../../users/richie/global/desktop.nix
../../users/richie/global/ssh.nix
../../users/richie/global/syncthing_base.nix
../../users/richie/global/zerotier.nix
./hardware.nix
./nvidia.nix
./steam.nix
];
boot = {
useSystemdBoot = true;
default = true;
};
networking = {
networkmanager.enable = true;
hostId = "9ab3b18e";
};
hardware = {
pulseaudio.enable = false;
bluetooth = {
enable = true;
powerOnBoot = true;
};
};
security.rtkit.enable = true;
services = {
autopull.enable = false;
displayManager.sddm.enable = true;
openssh.ports = [ 262 ];
printing.enable = true;
pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
rad-dev.k3s-net.enable = false;
syncthing.settings.folders = {
"notes" = {
id = "l62ul-lpweo"; # cspell:disable-line
path = "/home/richie/notes";
devices = [
"phone"
"jeeves"
"rhapsody-in-green"
];
fsWatcherEnabled = true;
};
"books" = {
id = "6uppx-vadmy"; # cspell:disable-line
path = "/home/richie/books";
devices = [
"phone"
"jeeves"
"rhapsody-in-green"
];
fsWatcherEnabled = true;
};
"important" = {
id = "4ckma-gtshs"; # cspell:disable-line
path = "/home/richie/important";
devices = [
"phone"
"jeeves"
"rhapsody-in-green"
];
fsWatcherEnabled = true;
};
"music" = {
id = "vprc5-3azqc"; # cspell:disable-line
path = "/home/richie/music";
devices = [
"phone"
"jeeves"
"rhapsody-in-green"
];
fsWatcherEnabled = true;
};
"projects" = {
id = "vyma6-lqqrz"; # cspell:disable-line
path = "/home/richie/projects";
devices = [
"jeeves"
"rhapsody-in-green"
];
fsWatcherEnabled = true;
};
};
};
system.autoUpgrade.enable = false;
system.stateVersion = "23.11";
}

8
systems/bob/default.nix Normal file
View File

@@ -0,0 +1,8 @@
{ ... }:
{
users = [ "richie" ];
system = "x86_64-linux";
home = true;
sops = true;
server = false;
}

66
systems/bob/hardware.nix Normal file
View File

@@ -0,0 +1,66 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd = {
availableKernelModules = [
"nvme"
"xhci_pci"
"ahci"
"usb_storage"
"sd_mod"
];
kernelModules = [ ];
luks.devices = {
"luks-rpool-nvme-Samsung_SSD_970_EVO_Plus_1TB_S6S1NS0T617615W-part2".device = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_1TB_S6S1NS0T617615W-part2";
};
};
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
};
fileSystems = {
"/" = lib.mkDefault {
device = "rpool/root";
fsType = "zfs";
};
"/home" = {
device = "rpool/home";
fsType = "zfs";
};
"/boot" = {
device = "/dev/disk/by-uuid/8AE6-270D";
fsType = "vfat";
options = [
"fmask=0077"
"dmask=0077"
];
};
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp5s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp11s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

13
systems/bob/nvidia.nix Normal file
View File

@@ -0,0 +1,13 @@
{ config, ... }:
{
services.xserver.videoDrivers = [ "nvidia" ];
hardware = {
nvidia = {
modesetting.enable = true;
powerManagement.enable = true;
package = config.boot.kernelPackages.nvidiaPackages.production;
nvidiaSettings = true;
};
nvidia-container-toolkit.enable = true;
};
}

5
systems/selinunte/steam.nix → systems/bob/steam.nix
View File

@@ -4,16 +4,11 @@
environment.systemPackages = [ pkgs.steam-run ];
hardware.steam-hardware.enable = true;
programs = {
gamescope = {
enable = true;
capSysNice = true;
};
steam = {
enable = true;
remotePlay.openFirewall = true;
localNetworkGameTransfers.openFirewall = true;
extraCompatPackages = with pkgs; [ proton-ge-bin ];
gamescopeSession.enable = true;
extest.enable = true;
};
};

29
systems/jeeves-jr/arch_mirror.nix Normal file
View File

@@ -0,0 +1,29 @@
{ inputs, pkgs, ... }:
let
vars = import ./vars.nix;
in
{
virtualisation.oci-containers.containers.arch_mirror = {
image = "ubuntu/apache2:latest";
volumes = [
"${../../users/richie/global/docker_templates}/file_server/sites/:/etc/apache2/sites-enabled/"
"${vars.main_mirror}:/data"
];
ports = [ "800:80" ];
extraOptions = [ "--network=web" ];
autoStart = true;
};
systemd.services.sync_mirror = {
requires = [ "network-online.target" ];
after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
description = "validates startup";
path = [ pkgs.rsync ];
serviceConfig = {
Environment = "MIRROR_DIR=${vars.main_mirror}/archlinux/";
Type = "simple";
ExecStart = "${inputs.arch_mirror.packages.x86_64-linux.default}/bin/sync_mirror";
};
};
}

68
systems/jeeves-jr/configuration.nix Normal file
View File

@@ -0,0 +1,68 @@
{ pkgs, ... }:
{
imports = [
../../users/richie/global/ssh.nix
../../users/richie/global/zerotier.nix
./arch_mirror.nix
./docker
./home_assistant.nix
./services.nix
];
networking = {
hostId = "1beb3026";
firewall.enable = false;
};
boot = {
zfs.extraPools = [ "Main" ];
filesystem = "zfs";
useSystemdBoot = true;
};
environment = {
systemPackages = with pkgs; [ docker-compose ];
etc = {
# Creates /etc/lynis/custom.prf
"lynis/custom.prf" = {
text = ''
skip-test=BANN-7126
skip-test=BANN-7130
skip-test=DEB-0520
skip-test=DEB-0810
skip-test=FIRE-4513
skip-test=HRDN-7222
skip-test=KRNL-5820
skip-test=LOGG-2190
skip-test=LYNIS
skip-test=TOOL-5002
'';
mode = "0440";
};
};
};
services = {
nfs.server.enable = true;
openssh.ports = [ 352 ];
smartd.enable = true;
sysstat.enable = true;
usbguard = {
enable = true;
rules = ''
allow id 1532:0241
'';
};
zfs = {
trim.enable = true;
autoScrub.enable = true;
};
};
system.stateVersion = "23.05";
}

7
systems/jeeves-jr/default.nix Normal file
View File

@@ -0,0 +1,7 @@
{ ... }:
{
users = [
"alice"
"richie"
];
}

11
systems/jeeves-jr/docker/default.nix Normal file
View File

@@ -0,0 +1,11 @@
{ lib, ... }:
{
imports =
let
files = builtins.attrNames (builtins.readDir ./.);
nixFiles = builtins.filter (name: lib.hasSuffix ".nix" name && name != "default.nix") files;
in
map (file: ./. + "/${file}") nixFiles;
virtualisation.oci-containers.backend = "docker";
}

40
systems/jeeves-jr/docker/haproxy.cfg Normal file
View File

@@ -0,0 +1,40 @@
global
log stdout format raw local0
defaults
log global
mode http
retries 3
maxconn 2000
timeout connect 5s
timeout client 50s
timeout server 50s
timeout http-request 10s
timeout http-keep-alive 2s
timeout queue 5s
timeout tunnel 2m
timeout client-fin 1s
timeout server-fin 1s
#Application Setup
frontend ContentSwitching
bind *:80
bind *:443 ssl crt /etc/ssl/certs/cloudflare.pem
mode http
# tmmworkshop.com
acl host_mirror hdr(host) -i mirror.tmmworkshop.com jeeves
acl host_uptime_kuma hdr(host) -i uptimekuma-jeevesjr.tmmworkshop.com
use_backend mirror_nodes if host_mirror
use_backend uptime_kuma_nodes if host_uptime_kuma
# tmmworkshop.com
backend mirror_nodes
mode http
server server arch_mirror:80
backend uptime_kuma_nodes
mode http
server server uptime_kuma:3001

16
systems/jeeves-jr/docker/uptime_kuma.nix Normal file
View File

@@ -0,0 +1,16 @@
let
vars = import ../vars.nix;
in
{
virtualisation.oci-containers.containers = {
uptime_kuma = {
image = "louislam/uptime-kuma:latest";
volumes = [
"${vars.main_docker_configs}/uptime_kuma:/app/data"
"/var/run/docker.sock:/var/run/docker.sock"
];
extraOptions = [ "--network=web" ];
autoStart = true;
};
};
}

41
systems/jeeves-jr/docker/web.nix Normal file
View File

@@ -0,0 +1,41 @@
{ config, ... }:
{
virtualisation.oci-containers.containers = {
haproxy = {
image = "haproxy:latest";
user = "600:600";
environment = {
TZ = "Etc/EST";
};
volumes = [
"${config.sops.secrets."docker/haproxy_cert".path}:/etc/ssl/certs/cloudflare.pem"
"${./haproxy.cfg}:/usr/local/etc/haproxy/haproxy.cfg"
];
dependsOn = [
"arch_mirror"
"uptime_kuma"
];
extraOptions = [ "--network=web" ];
autoStart = true;
};
cloud_flare_tunnel = {
image = "cloudflare/cloudflared:latest";
cmd = [
"tunnel"
"run"
];
environmentFiles = [ config.sops.secrets."docker/cloud_flare_tunnel".path ];
dependsOn = [ "haproxy" ];
extraOptions = [ "--network=web" ];
autoStart = true;
};
};
sops = {
defaultSopsFile = ../secrets.yaml;
secrets = {
"docker/cloud_flare_tunnel".owner = "docker-service";
"docker/haproxy_cert".owner = "docker-service";
};
};
}

41
systems/jeeves-jr/hardware.nix Normal file
View File

@@ -0,0 +1,41 @@
{
config,
lib,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
networking.useDHCP = lib.mkDefault true;
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
swapDevices = [ { device = "/dev/disk/by-uuid/9d4ef549-d426-489d-8332-0a49589c6aed"; } ];
boot = {
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
initrd = {
kernelModules = [ ];
availableKernelModules = [
"xhci_pci"
"ahci"
"nvme"
"usbhid"
"usb_storage"
"sd_mod"
];
};
};
fileSystems = {
"/" = lib.mkDefault {
device = "/dev/disk/by-uuid/c59f7261-ebab-4cc9-8f1d-3f4c2e4b1971";
fsType = "ext4";
};
"/boot" = {
device = "/dev/disk/by-uuid/7295-A442";
fsType = "vfat";
};
};
}

17
systems/jeeves-jr/home_assistant.nix Normal file
View File

@@ -0,0 +1,17 @@
{
services.home-assistant = {
enable = true;
openFirewall = true;
config = {
server_port = 8123;
homeassistant = {
time_zone = "America/New_York";
unit_system = "imperial";
temperature_unit = "F";
longitude = 40.74;
latitude = 74.03;
};
};
extraPackages = python3Packages: with python3Packages; [ psycopg2 ];
};
}

65
systems/jeeves-jr/secrets.yaml Normal file
View File

@@ -0,0 +1,65 @@
docker:
cloud_flare_tunnel: ENC[AES256_GCM,data:E+XYu5AxS8Ew9OVIfbH5gLkMk+rZ4yT96tSGAwL4smedkddoevRnqil78LtFNYKV8Zo3MpuA8q/c4Me0KrrlSAvwJz1T2cev0dKnuTei3MHZxK7RwWYo9UMJH+aV+l343OY9nvGBj6ryTM3wKyUIoqSmOnRCAbYmhkkqN0wFO+Mxxqjw6nf5UEeeKb36k2NwlhjjnscOKe+wo3sXhjjzVXrE3IOUQJM3hWWukMElcYewVgJmstRidKiNCRMi1/UYMk/Nfhk=,iv:yFJ5SbHB3wZ0FEF0k9KrWye55ref7OqbQPd8oMLTmH4=,tag:p3K4yGR6X2+uKIj4H6rZ+g==,type:str]
haproxy_cert: ENC[AES256_GCM,data:1n2BurHeWI+j7CMQ7qk3DUl+8MgqRsgtYQ1TxJKcPXuz0YBkg6SUp95lPZv6Jo+2OIaVxCoWpiuoLp8YgtJgnZo4S9QVG2qi60sWCSf4acMRSg0hIA/pdcslogZc5LrsBOTINZCODE4mz7Bya42f+RfVfwPGT7Buz8MniW6kfT9cr3iuq+BQc6513sHhDHgZJgwdfP5x9XrwEtaBl41Db7ejGTrza9jtsHqkrD8j3Pf1XJDhACrTeB7Uqh68sjwc2giAc/2bInDayvnKFHqHaLFTUMAbCeMPOiEZSK4UaWrSMk5I5wDVu8Ya8nBostHlPOBT06gFxT13aEe3Ox3/ctBm/83BXhFfjEaYy6AbMhbp29nxUogVjMICs3FiHG3XBz7vsVxxcBvLXp1Bw3ml5Vd7ACKQPe+r1T54aIdYMoab8DhKPMqb/6TQwrhWD3je4wwOHzzQq9psE1hlB2lJsRnAsVAy9a7M5aBpj0v2pCPVjxjkGHqUUgN+w4hzPPf10A0dWiaXc3k8bWcwc1SlJwHvYxphyZEjNQAzXrAkUPcuy4+9c7LwniMdu5qoUL/oZPW5VHWgtrUO9IlAgduiEujrAW96zfz4jfM0UBqJHT58l/WHHmBM8bMsRDHTnc43uvdoU+VgjtTiFERBi+Xm5mXCqWd4d5Y5P8ozIwGho8UdLqmR9Y2nth1mrs//FIh9mZ7i7QQGHBzoR7ICRDX2ghK98J4RMfF2ph0I+nhWpoCq056xItoVZyAEWQSR4ptpAaKMX4Crd3hrK6tZmyvaTrk5IsNaf5hrS+Fw8uTYUAM+3E6kb1TJwFvUH1plkwU83iBRlboRO5d1ahESp5nifZIVz+KBStLjUVWfXnelPCkH55LVnobgk0zekoEeNLKq+Q5wOBmR28rYXVp/q+FNCgxEW+tXIswmC72jbsDxM/oMHBQnYsmEy5dTxU2X/IzmrZfWod07fRblkWRplzLGyEjsY7CquHlG119LuHcWFOUGxYm3bgn1pGnIV3cBLvbInEAPK0apqSXMBSJw0mk/ihtdx8ANidMn8nhkHVjo/Bo9orH3tJdw8l7x+Cei347CkiQZz21jHvL1qcV/EAAxBnT4c5WtOljo13ntk8RiARdye4hcUXpORIUhH8zq88RNquOkF5QjV8C/u2EaUhQYqy3Xts49v7S9I8LLzjrrfY/IDQVqlJsAgkNuwvheTlya5JoeTasscLfLt3iJ7LsbzWWqQrfn3KQJp3H4Gxh/uqak/V5ROBahHQ4KpXzsDG++XLE0o7W4BFQbrBYV99mlGzB1blmX30C8S+b8n1u+oMXfH8oY20Jm5UQcV5/JNK8WG69ihonRDXdX7fy2WGzylql2hj+3aoYYdYpFAeHVLNzj9vAIxPHzvK0JmwdynsFLo4Hpyn7KN+6L3MSACjAOc3SxY20XxjmqJSWVEM0tq4Zbe/VdhOF1L4pyIBMKQC2XwrWyturTboh86qAfyxtYzEQXGLzz585nVnwj9PLmXQw98M8JWwsFq58ZsOdQZKhN3e0aSY2opSigmXQ9ZJeCF+6KbwElOSz4pDfkZIXqZc+LCzEl5IO1CxLWCTIIfN3Gx60W3vz8QohydoCBt2FLHH3lBiAEitWxYQhsfdlFExQa1/+0WSk3wK5dEA7SPaBWKq+xtPR0yUmuT/JN4VPX+hqqkVHigk8+XfqE/H1as9JbYo92N6xBd2ZrNzhFIkMykUOT+0etVtyOdXLkxdV9lwaBX9ARPHJV7g35e52UspX335aLGE0GtCaIbHRwJuENCIixo7sbdmB9i9xSTeg+7RBQAWpuR7O6firAEKWOGBaYzDUBnqt++Q2wUuMnQBJE/9bh,iv:3FuXEQxbTvbdnBnwPxF+T8QZvQoWX/WXx3lpDBXML1k=,tag:g1Y4qY+XoSA6K/LCKbllOw==,type:str]
server-validation:
webhook: ENC[AES256_GCM,data:/6QI+KKKJkbVO7YsxcU/gnjgp9scNzqzq56wnqAU88YdYYNU7FaRifzH00RlEb9VYvNBlT0FggnZSSX1rNN5W63tLaiYFn/GVfjlUSnwrgueTVG8Sor6HtYTIfMOdPm9B7jflpECk7ByguoDlimH0J1QrcWd+Kqx772sH63bKV1GbCaYSkRHQp9QbvbO,iv:p5W/xniUe75RqJA9PtMcNRnsY4kUBeD0p6iQDLbkSSc=,tag:dh2a8/Doyznjd1hswmXMuQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1lffr5f5nz0nrenv3ekgy27e8sztsx4gfp3hfymkz77mqaa5a4gts0ncrrh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2NXJJMjBjeU9XQS9YZGxQ
V1h5RlNUVTA5Mkx3M3ZobGs5WFA0NXFGakR3CnIxVk9nYU1aWkNoZ0F0WGd0ck5Q
VWpSU0ZRdENTWnFVOVNQY0Z4ems4MEUKLS0tIFVqcGJtZWRxSTZwZWhjYm56bnkr
QmcxMmhaaGZXU1VFN0pvT1VDN3hpcGsKXUlVytBrz8sUorTSHXZaOMYA5U6qUpas
ZJiHtVGxRVwCpraHWLmQTRkO6pT36cEVsfsMnFH6NLOMOvA3vLX8/g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-07T23:09:51Z"
mac: ENC[AES256_GCM,data:nZPpOrOSKc+7dcbpBdZRH5FLih6o5Ii5bLWgzZ7xP/BZ36vp7ypdncE/jS0/Rz2AiOOrK0G9ovEOoL7jOMrqaUBAJNPzXTX/IdOcFrsxPL47saZKWQHqXkGXrX49nafeea7VtEvoM4qK2AiyYl2ogir+Mw304mhDIUqHhPNNvQs=,iv:ykOg2Pxpp+Sap648UZaiaRVMutWTdUXvP+Pi2cWy86g=,tag:AARw0YmjcesHLdS31i+B3g==,type:str]
pgp:
- created_at: "2024-03-23T05:49:12Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA84hNUGIgI/nARAAgcuMhO3nmxYY8KiW6AYxU2rFo2OQnpzZVtbMJB43wDQX
0UAOVmUyhGM2wd3tJgnvyfnguy6p3LfjZrXdTkTzrv5yCJVvKXhORcLisjaXLS8H
TCe9Fa4I9CvKo/yyRsRYS59niql0ocTs1Eb7cLiKuX19RIuQ7TjMPnjkdj5xXooa
kPJXfwL1SpUU3kjhuTHqWlD0m5t0RPiTpDym8fExMSvbTWyMY0BPA+qD1atMeUik
i3x2boqfoyD1GZ64Z5NrxRD0dN6TQvJLX1K1XTzanUhvfsy/PvDftCHKQc2n2Opk
btnKZa1mfiiLUQly+njSvH8ERYg27j5ACEQ0V9rtGPa3xnVYZm6Z5h0v68aqsotJ
aOzJa7/k0ZV/tBD1pT+9T2a/W9v4U+KdKKL19ebNvMtFxy50jN8SQsrTtxv5G5fA
sc+HkrcnLezFHYtGG85PfbTGsKMWpwu+4BrcmuW6dBcADZ1fZdkqgi+GcYGL2xy1
bddjuOWnzXb93t1pSIkaHcVWc6s5Atf3IB/liyNEux4kdquOHZQJi0WBi0l8GEmG
/ggJN4shRqtMqEkomaZkyZMsHnkmenusjbIlKJrwolhZSyDP8Kk5iPYXMxG21vrr
YpWHr388q8H7+ksnxYiNFXyY2cQKtOsD3UMIV8edMc/lHjTOi0BFNMHmU3WDsajS
XAGXsys00baAzcQHIS0jijU4mJQAqYL3S7FrcDGW8qhTGFpQ8ngVLvwLfqMvUn8v
LB3M5/7+Ld8xV4AZWr8mvv+7ZNNnnZzImETCLnekfvLEV9F2pTCH2Z21RPEL
=XWl7
-----END PGP MESSAGE-----
fp: F63832C3080D6E1AC77EECF80B4245FFE305BC82
- created_at: "2024-03-23T05:49:12Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA29thaGx06tOARAAoI93A3cy3V2dJo8HBIrLC2RK3SKBkPiPFjWO/Zvnv8Q0
IhfzjusX+3f8HIa3CxJjTbOktcq+A2a4EyBes2Rd4bX9H2Fs2VVrSmUf3S/dO1b5
GiZamHnC+1zsXUB5IFcfjMSzeKKsOWYu9DmUcalsseo/XVJjxw9DzRnPUesI/aMs
y5kKKtNDcvAK4AWidME6LTP9FgiMx09sQfuAl4YCJv1trOvxt+dN932fbAkHVAq0
Lc90rG6LDLT1w/8i9evBRRX/ZexAI3vTGn/nTqKi+B9BdFA4dY0KiHtGIS+UNtNo
vL6PTKIRejGfqt13DwUWRobKnezcpJkTkdz+Pa+cQhdwSL2tFjr0hEbZL3e76YEx
CNsgbB9h0pIm/2YvhG1k0f0skWfjXLAtR6PQPKu1OycppX02fbK9XRShb+Fik7P+
GfFLxf4JYAMMOHsxP30EVQONiR9XsITH149GSZ3nTBX7vUsk3b7Z+ou1Ma27EhiW
iPWTqpDgLQ/VZW+027h/l8iwv52L8eE6Y+LE32jNUTQjMW3OWKw9zknX4wciNR07
EPAy8eC9rfhUVnTB7RJlTOY03yyEiBjowJn/0e0g8+AUMKC4mAuasPUwPhptQ6pH
8up/75WglUAg04eni0p5g6X7rGj+09OEDNMtvYVt7HglX7T86O2sBcVKa/j095jS
XAGIy2HXf+By9BFKM4q6uuAh4QceHn2QaQ/ckhYGMrHulzAeORPxYaYdXoeEj18k
auBqSPzj8E9yPi4jl+miEO9BgVhRW45cxBbn2XV2KE08PIP9mZ2jxK9Ne4HQ
=jkZ+
-----END PGP MESSAGE-----
fp: 29F5017C95D9E60B1B1E8407072B0E0B8312DFE3
unencrypted_suffix: _unencrypted
version: 3.8.1

33
systems/jeeves-jr/services.nix Normal file
View File

@@ -0,0 +1,33 @@
{
config,
inputs,
pkgs,
...
}:
{
systemd = {
services.startup_validation = {
requires = [ "network-online.target" ];
after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
description = "validates startup";
path = [ pkgs.zfs ];
serviceConfig = {
Type = "oneshot";
EnvironmentFile = config.sops.secrets."server-validation/webhook".path;
ExecStart = "${inputs.server_tools.packages.x86_64-linux.default}/bin/validate_jeevesjr";
};
};
timers.startup_validation = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "10min";
Unit = "startup_validation.service";
};
};
};
sops = {
defaultSopsFile = ./secrets.yaml;
secrets."server-validation/webhook".owner = "root";
};
}

10
systems/jeeves-jr/vars.nix Normal file
View File

@@ -0,0 +1,10 @@
let
zfs_main = "/ZFS/Main";
in
{
inherit zfs_main;
# main
main_docker = "${zfs_main}/Docker";
main_docker_configs = "${zfs_main}/Docker/configs";
main_mirror = "${zfs_main}/Mirror";
}

29
systems/jeeves/arch_mirror.nix Normal file
View File

@@ -0,0 +1,29 @@
{ inputs, pkgs, ... }:
let
vars = import ./vars.nix;
in
{
virtualisation.oci-containers.containers.arch_mirror = {
image = "ubuntu/apache2:latest";
volumes = [
"${../../users/richie/global/docker_templates}/file_server/sites/:/etc/apache2/sites-enabled/"
"${vars.media_mirror}:/data"
];
ports = [ "800:80" ];
extraOptions = [ "--network=web" ];
autoStart = true;
};
systemd.services.sync_mirror = {
requires = [ "network-online.target" ];
after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
description = "validates startup";
path = [ pkgs.rsync ];
serviceConfig = {
Environment = "MIRROR_DIR=${vars.media_mirror}/archlinux/";
Type = "simple";
ExecStart = "${inputs.arch_mirror.packages.x86_64-linux.default}/bin/sync_mirror";
};
};
}

170
systems/jeeves/configuration.nix Normal file
View File

@@ -0,0 +1,170 @@
{ pkgs, ... }:
let
vars = import ./vars.nix;
in
{
imports = [
../../users/richie/global/ssh.nix
../../users/richie/global/syncthing_base.nix
../../users/richie/global/zerotier.nix
./arch_mirror.nix
./docker
./programs.nix
./services.nix
];
networking = {
hostId = "1beb3027";
firewall.enable = false;
};
boot = {
zfs.extraPools = [
"media"
"storage"
"torrenting"
];
filesystem = "zfs";
useSystemdBoot = true;
};
environment = {
systemPackages = with pkgs; [ docker-compose ];
etc = {
# Creates /etc/lynis/custom.prf
"lynis/custom.prf" = {
text = ''
skip-test=BANN-7126
skip-test=BANN-7130
skip-test=DEB-0520
skip-test=DEB-0810
skip-test=FIRE-4513
skip-test=HRDN-7222
skip-test=KRNL-5820
skip-test=LOGG-2190
skip-test=LYNIS
skip-test=TOOL-5002
'';
mode = "0440";
};
};
};
services = {
nfs.server.enable = true;
openssh.ports = [ 629 ];
plex = {
enable = true;
dataDir = vars.media_plex;
};
smartd.enable = true;
sysstat.enable = true;
syncthing.guiAddress = "192.168.90.40:8384";
syncthing.settings.folders = {
"notes" = {
id = "l62ul-lpweo"; # cspell:disable-line
path = vars.media_notes;
devices = [
"bob"
"phone"
"rhapsody-in-green"
];
fsWatcherEnabled = true;
};
"books" = {
id = "6uppx-vadmy"; # cspell:disable-line
path = "${vars.storage_syncthing}/books";
devices = [
"bob"
"phone"
"rhapsody-in-green"
];
fsWatcherEnabled = true;
};
"important" = {
id = "4ckma-gtshs"; # cspell:disable-line
path = "${vars.storage_syncthing}/important";
devices = [
"bob"
"phone"
"rhapsody-in-green"
];
fsWatcherEnabled = true;
};
"music" = {
id = "vprc5-3azqc"; # cspell:disable-line
path = "${vars.storage_syncthing}/music";
devices = [
"bob"
"phone"
"rhapsody-in-green"
];
fsWatcherEnabled = true;
};
"projects" = {
id = "vyma6-lqqrz"; # cspell:disable-line
path = "${vars.storage_syncthing}/projects";
devices = [
"bob"
"rhapsody-in-green"
];
fsWatcherEnabled = true;
};
};
usbguard = {
enable = false;
rules = ''
allow id 1532:0241
'';
};
zfs = {
trim.enable = true;
autoScrub.enable = true;
};
};
systemd = {
services."snapshot_manager" = {
description = "ZFS Snapshot Manager";
requires = [ "zfs-import.target" ];
after = [ "zfs-import.target" ];
serviceConfig = {
Environment = "ZFS_BIN=${pkgs.zfs}/bin/zfs";
Type = "oneshot";
ExecStart = "${pkgs.python3}/bin/python3 ${vars.media_scripts}/ZFS/snapshot_manager.py --config-file='${./snapshot_config.toml}'";
};
};
timers."snapshot_manager" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "15m";
OnUnitActiveSec = "15m";
Unit = "snapshot_manager.service";
};
};
};
sops = {
defaultSopsFile = ./secrets.yaml;
secrets = {
"zfs/backup_key".path = "/root/zfs/backup_key";
"zfs/docker_key".path = "/root/zfs/docker_key";
"zfs/main_key".path = "/root/zfs/main_key";
"zfs/notes_key".path = "/root/zfs/notes_key";
"zfs/plex_key".path = "/root/zfs/plex_key";
"zfs/postgres_key".path = "/root/zfs/postgres_key";
"zfs/qbit_key".path = "/root/zfs/qbit_key";
"zfs/scripts_key".path = "/root/zfs/scripts_key";
"zfs/syncthing_key".path = "/root/zfs/syncthing_key";
"zfs/vault_key".path = "/root/zfs/vault_key";
};
};
system.stateVersion = "23.11";
}

7
systems/jeeves/default.nix Normal file
View File

@@ -0,0 +1,7 @@
{ ... }:
{
users = [
"alice"
"richie"
];
}

11
systems/jeeves/docker/default.nix Normal file
View File

@@ -0,0 +1,11 @@
{ lib, ... }:
{
imports =
let
files = builtins.attrNames (builtins.readDir ./.);
nixFiles = builtins.filter (name: lib.hasSuffix ".nix" name && name != "default.nix") files;
in
map (file: ./. + "/${file}") nixFiles;
virtualisation.oci-containers.backend = "docker";
}

15
systems/jeeves/docker/filebrowser.nix Normal file
View File

@@ -0,0 +1,15 @@
let
vars = import ../vars.nix;
in
{
virtualisation.oci-containers.containers.filebrowser = {
image = "hurlenko/filebrowser:latest";
extraOptions = [ "--network=web" ];
volumes = [
"/zfs:/data"
"${vars.media_docker_configs}/filebrowser:/config"
];
autoStart = true;
user = "1000:users";
};
}

62
systems/jeeves/docker/haproxy.cfg Normal file
View File

@@ -0,0 +1,62 @@
global
log stdout format raw local0
# stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
defaults
log global
mode http
retries 3
maxconn 2000
timeout connect 5s
timeout client 50s
timeout server 50s
timeout http-request 10s
timeout http-keep-alive 2s
timeout queue 5s
timeout tunnel 2m
timeout client-fin 1s
timeout server-fin 1s
#Application Setup
frontend ContentSwitching
bind *:80
bind *:443 ssl crt /etc/ssl/certs/cloudflare.pem
mode http
# tmmworkshop.com
acl host_mirror hdr(host) -i mirror.tmmworkshop.com
acl host_dndrules hdr(host) -i dndrules.tmmworkshop.com
acl host_grafana hdr(host) -i grafana.tmmworkshop.com
acl host_filebrowser hdr(host) -i filebrowser.tmmworkshop.com
acl host_uptime_kuma hdr(host) -i uptimekuma-jeeves.tmmworkshop.com
use_backend mirror_nodes if host_mirror
use_backend dndrules_nodes if host_dndrules
use_backend grafana_nodes if host_grafana
use_backend filebrowser_nodes if host_filebrowser
use_backend uptime_kuma_nodes if host_uptime_kuma
backend mirror_nodes
mode http
server server arch_mirror:80
backend mirror_rsync
mode http
server server arch_mirror:873
backend grafana_nodes
mode http
server server grafana:3000
backend dndrules_nodes
mode http
server server dnd_file_server:80
backend filebrowser_nodes
mode http
server server filebrowser:8080
backend uptime_kuma_nodes
mode http
server server uptime_kuma:3001

134
systems/jeeves/docker/internal.nix Normal file
View File

@@ -0,0 +1,134 @@
{ config, ... }:
let
vars = import ../vars.nix;
in
{
virtualisation.oci-containers.containers = {
qbit = {
image = "ghcr.io/linuxserver/qbittorrent:latest";
ports = [
"6881:6881"
"6881:6881/udp"
"8082:8082"
"29432:29432"
];
volumes = [
"${vars.media_docker_configs}/qbit:/config"
"${vars.torrenting_qbit}:/data"
];
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
WEBUI_PORT = "8082";
};
autoStart = true;
};
qbitvpn = {
image = "binhex/arch-qbittorrentvpn:latest";
extraOptions = [ "--cap-add=NET_ADMIN" ];
ports = [
"6882:6881"
"6882:6881/udp"
"8081:8081"
"8118:8118"
];
volumes = [
"${vars.media_docker_configs}/qbitvpn:/config"
"${vars.torrenting_qbitvpn}:/data"
"/etc/localtime:/etc/localtime:ro"
];
environment = {
WEBUI_PORT = "8081";
PUID = "600";
PGID = "100";
VPN_ENABLED = "yes";
VPN_CLIENT = "openvpn";
STRICT_PORT_FORWARD = "yes";
ENABLE_PRIVOXY = "yes";
LAN_NETWORK = "192.168.90.0/24";
NAME_SERVERS = "1.1.1.1,1.0.0.1";
UMASK = "000";
DEBUG = "false";
DELUGE_DAEMON_LOG_LEVEL = "debug";
DELUGE_WEB_LOG_LEVEL = "debug";
};
environmentFiles = [ config.sops.secrets."docker/qbit_vpn".path ];
autoStart = true;
};
bazarr = {
image = "ghcr.io/linuxserver/bazarr:latest";
ports = [ "6767:6767" ];
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
};
volumes = [
"${vars.media_docker_configs}/bazarr:/config"
"${vars.storage_plex}/movies:/movies"
"${vars.storage_plex}/tv:/tv"
];
autoStart = true;
};
prowlarr = {
image = "ghcr.io/linuxserver/prowlarr:latest";
ports = [ "9696:9696" ];
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
};
volumes = [ "${vars.media_docker_configs}/prowlarr:/config" ];
autoStart = true;
};
radarr = {
image = "ghcr.io/linuxserver/radarr:latest";
ports = [ "7878:7878" ];
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
};
volumes = [
"${vars.media_docker_configs}/radarr:/config"
"${vars.storage_plex}/movies:/movies"
"${vars.torrenting_qbitvpn}:/data"
];
autoStart = true;
};
sonarr = {
image = "ghcr.io/linuxserver/sonarr:latest";
ports = [ "8989:8989" ];
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
};
volumes = [
"${vars.media_docker_configs}/sonarr:/config"
"${vars.storage_plex}/tv:/tv"
"${vars.torrenting_qbitvpn}:/data"
];
autoStart = true;
};
whisper = {
image = "ghcr.io/linuxserver/faster-whisper:latest";
ports = [ "10300:10300" ];
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
WHISPER_MODEL = "tiny-int8";
WHISPER_LANG = "en";
WHISPER_BEAM = "1";
};
volumes = [ "${vars.media_docker_configs}/whisper:/config" ];
autoStart = true;
};
};
sops = {
defaultSopsFile = ../secrets.yaml;
secrets."docker/qbit_vpn".owner = "docker-service";
};
}

37
systems/jeeves/docker/postgresql.nix Normal file
View File

@@ -0,0 +1,37 @@
{ config, ... }:
let
vars = import ../vars.nix;
in
{
users = {
users.postgres = {
isSystemUser = true;
group = "postgres";
uid = 999;
};
groups.postgres = {
gid = 999;
};
};
virtualisation.oci-containers.containers = {
postgres = {
image = "postgres:16";
ports = [ "5432:5432" ];
volumes = [ "${vars.media_database}/postgres:/var/lib/postgresql/data" ];
environment = {
POSTGRES_USER = "admin";
POSTGRES_DB = "archive";
POSTGRES_INITDB_ARGS = "--auth-host=scram-sha-256";
};
environmentFiles = [ config.sops.secrets."docker/postgres".path ];
autoStart = true;
user = "postgres:postgres";
};
};
sops = {
defaultSopsFile = ../secrets.yaml;
secrets."docker/postgres".owner = "postgres";
};
}

16
systems/jeeves/docker/uptime_kuma.nix Normal file
View File

@@ -0,0 +1,16 @@
let
vars = import ../vars.nix;
in
{
virtualisation.oci-containers.containers = {
uptime_kuma = {
image = "louislam/uptime-kuma:latest";
volumes = [
"${vars.media_docker_configs}/uptime_kuma:/app/data"
"/var/run/docker.sock:/var/run/docker.sock"
];
extraOptions = [ "--network=web" ];
autoStart = true;
};
};
}

64
systems/jeeves/docker/web.nix Normal file
View File

@@ -0,0 +1,64 @@
{ config, ... }:
let
vars = import ../vars.nix;
in
{
virtualisation.oci-containers.containers = {
grafana = {
image = "grafana/grafana-enterprise:latest";
volumes = [ "${vars.media_docker_configs}/grafana:/var/lib/grafana" ];
user = "600:600";
extraOptions = [ "--network=web" ];
autoStart = true;
};
dnd_file_server = {
image = "ubuntu/apache2:latest";
volumes = [
"${../../../users/richie/global/docker_templates}/file_server/sites/:/etc/apache2/sites-enabled/"
"${vars.storage_main}/Table_Top/:/data"
];
extraOptions = [ "--network=web" ];
autoStart = true;
};
haproxy = {
image = "haproxy:latest";
user = "600:600";
environment = {
TZ = "Etc/EST";
};
volumes = [
"${config.sops.secrets."docker/haproxy_cert".path}:/etc/ssl/certs/cloudflare.pem"
"${./haproxy.cfg}:/usr/local/etc/haproxy/haproxy.cfg"
];
dependsOn = [
"arch_mirror"
"dnd_file_server"
"filebrowser"
"grafana"
"uptime_kuma"
];
extraOptions = [ "--network=web" ];
autoStart = true;
};
cloud_flare_tunnel = {
image = "cloudflare/cloudflared:latest";
user = "600:600";
cmd = [
"tunnel"
"run"
];
environmentFiles = [ config.sops.secrets."docker/cloud_flare_tunnel".path ];
dependsOn = [ "haproxy" ];
extraOptions = [ "--network=web" ];
autoStart = true;
};
};
sops = {
defaultSopsFile = ../secrets.yaml;
secrets = {
"docker/cloud_flare_tunnel".owner = "docker-service";
"docker/haproxy_cert".owner = "docker-service";
};
};
}

56
systems/jeeves/hardware.nix Normal file
View File

@@ -0,0 +1,56 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd.availableKernelModules = [
"mpt3sas"
"nvme"
"xhci_pci"
"ahci"
"uas"
"usb_storage"
"usbhid"
"sd_mod"
"sr_mod"
];
initrd.kernelModules = [ "dm-snapshot" ];
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
};
fileSystems."/" = lib.mkDefault {
device = "/dev/disk/by-uuid/0f78fa87-30be-4173-b0fa-eaa956cf83aa";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/BB77-2647";
fsType = "vfat";
};
swapDevices = [ { device = "/dev/disk/by-uuid/4c797a94-be32-43d3-89ac-7f02912c7cf5"; } ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp38s0f3u2u2c2.useDHCP = lib.mkDefault true;
# networking.interfaces.enp97s0f0np0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp97s0f1np1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp98s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp98s0f1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

4
systems/jeeves/programs.nix Normal file
View File

@@ -0,0 +1,4 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [ filebot ];
}

2
systems/palatine-hill/plex/plex_permission.sh → systems/jeeves/scripts/plex_permission.sh
View File

@@ -1,6 +1,6 @@
#!/bin/bash
plex_dir="/ZFS/ZFS-primary/plex"
plex_dir="/zfs/storage/plex/"
chown docker-service:users -R "$plex_dir"
find "$plex_dir" -type f -exec chmod 664 {} \;

78
systems/jeeves/secrets.yaml Normal file
View File

@@ -0,0 +1,78 @@
docker:
postgres: ENC[AES256_GCM,data:IpXIrRDzyGFjDz908w1NNb0GBna/ce9lCtOkXrpUfyllsTWca6AeqaRo23bL4jfFGfHn0Zf9okLO,iv:IwO7vJJHFfm0SGcJETpWtdhr41jPddN9nuVAH/Ooa7Y=,tag:xstwPvpvkNOZucxvzq2+ag==,type:str]
cloud_flare_tunnel: ENC[AES256_GCM,data:Qx7g0tNSfVs9VnkuYw47XJjfF+RS9B5gvpBliGL93X8K/7iiyt0NxwWyAkmmaLat5h/Yu7C71rwBIIZsKf7Ke3YS0PfEpga76ftKt3h7VKMQNT7yAcU3LY4v2h3Molnzw2fnAhxfHkogJuAsZeJW9dIjo9H2QpSh/tn9kpC+PGb/T9dcqMm4fJPqP+rIcFCfhJl9iDOKOMQ9+xVNnKZ2HQlAwPMCz29BgGCxh0cYYk9ftXPK7ZnhjwUj4bfnaKfByIPpAtk=,iv:8yz2vXanGZfOkZF/D0RP2LPqHebbOM/XBPg2eCCGs8g=,tag:67da31iZTQaMURKf9dfiJw==,type:str]
qbit_vpn: ENC[AES256_GCM,data:SRkcWb2wTTfWlgkbDSN6j5+dXnG670qFGtG2x4fajkE8eK4U30DTxrlbzta5ZMtm0Y9bquy3DcaSMF/u9CBrLbBS8mhcJw==,iv:LpkS7O+eutPUDpY5NlYjgafK6UuFsS+18yNpB+JmzcM=,tag:0Y+vj80MAbh2U+UsyH3MEA==,type:str]
haproxy_cert: ENC[AES256_GCM,data:6yRv0cz/vBVguAPOsENhmH2uwwgL5AkOkkDQQ+PVPEEiOTIn1WPONhnG0UqR3FsWJal8qECH/zTF1XMmdK4VHQXwMA8gGScpIrgeWuhdCbXsJ7RxZBzVESOCo8ZOcR43w3Qih+0iz3SsNmX262/D7DIzKYlLovyoJDGZa5jo0n2zCZiRfbdal8m02dplaFHMsGy6+Gn3Uijo9MnnuWvgihBh1ekRnpSzVM4/IyyvUunK0vEapVsgOq+brdW2x0BQFgL3PLGaJbAbzFhXYI1MmD+D7RzOGSzNmrj1ezea+b2Lb/p8CATh05i+lz6530U6iwun0lcREDxPrJgU0TsI/JZGSq3blHn9lZuHmnwBp05LsliBO+yoxgqnC45/xTZwiSdlyqqnXHlXPuBS7UoJFlll93aIpULfNZMyqx/FO5ckmV0nuNVMCrF7JfsE+t/XNs077kB4FKYNk4TDodKyn2scfypQFK7qprW9JKJwx0Se8FWU2fMKsuMszElMLudRHagyDVO+LJ+/ta6Qj68CRU1g8cQANh4Q6PwI0HABX3J5n3ERQUxZvVeCq9FRMJ7JE0was3QfBGGPROHksK+rP9y8g8CFRgGjwzDoxslaYO+tIiIsaDcqbTiOQDTiDh4/ioqX9EENrA8qIEtKSn6m35+4pwY0xvKToAnI7vhwQ93A1mZrwKXgoNSShA4Q+MfSEIuJd6LJihLh5IFvl595iOpGDWCJsXZnDL3K8B6oofPTtLnOOQC4sy9wGiNshdgfv6aVwpdPKvOtFwHmu1n8eZInfSZgUdwUaHHMXjrXHboBQ6ZPsrdZBt9ADSUpz+uN6+TgXq6HLWHSqtmrWS6jABQfbpHH7pLZAXuii4MsnTEr1rOEbtgZTH6Sedd57Pp5MpNXDg950vd9plCkGPiRfDUWXHnRw8frWfoTS+eOqkVwJ0+v48IskuYLZSCAF0/kumtbySDQStNowF+cAp7lk24Cp8W8PXw/LqI8U8FijVxMPtgzLwRKKd10zRI+Jrsi9E8YXSKCaFMIBLottRHwdvWA7aIYnuVTxzCmHt1jhJN349bjC/yTIuIS4gW+XlriFqip17Eq/878+Uduwf1+Fxqdpv8kDleyqix0SO/JmhQijgIUhc3Im3whXicEu6vlivzJGyjA/ljFyJvV/irRK/VrIWEoA5nLX74fmF9Ku/O94pDIPaKCsCP+N/fOPLG5ucw6lPxllZS9qg2cNsl9ajXGPu8GBB4FaZUt/Ufid6xjC5YloictI3Bp5x2glhpxzQ8zAbv5vpBA0h6xhkt4NSmxWurvBmRoRnBdYIvEaeoehj10yLpiY4DsZYLTU5IrLV/aYlb2q4K2OKRvYOBQgeDtEkIMqHYWsddfKHi+1KjQ/176DDIbUoYb4XtPJmNOcIeRM2oiaCcTzerU5TXL5qBl213buTcIPaV0sVVxoH+2RYBM28mjQoj8sHwQLLuFve0MeUZzfJ8MqMM+Guhn25aw4R0tGkiRBUL5d8l86awOpqXtFiK2QTh3S7QeZoCA80YVH5r6FdqMz34UgwEFo0nfBcH2nSnDwpcBrbwzV6/Xahck4nVaIn6znJPqlIKntfeXJuXl/9ulpwx7D4mL7hLcal9WY62KZ1PQ+NHz5WjaPbgLMdeNFFr6CKGGqSPkTOhjgQ1y4ChuYfbVn+yZRqUwhFWtKuuouAZXH55KkVlsB39H+oNYp0hqAUiVkeawHqbTgOHb+llz0uF7r0TGD23aMXeV58n0i3xsDET9mhxSyj5vUo5iqY8eEqgn4mOvsdp6rkpC4c91drgV/gFJu2jgCvVVdG/mHFVnZEv5+/rA2reqdqMTBOpLQNEbL5Ih1LKG,iv:PUp78PWvy+lmcLiR295BGiVTLnAPX+du4lcw/Pvq/KE=,tag:k/3H2+jF9no751mvO5S5WQ==,type:str]
zfs:
backup_key: ENC[AES256_GCM,data:sJzR/DfM6+tmmcewZT+NAJk0gj8wmU43QfFCRCj9+2GITOS8suRL7E5rHTherCZgRe79T90ikM97bYf9RbZdtQ==,iv:j8F3BG/hh7UK3kC+pB6WO0OHlSSHn0jo90AgaTdpyNY=,tag:5hraDn8YqS/q57y26AXwjw==,type:str]
docker_key: ENC[AES256_GCM,data:HiW+3IYJCgqg9HJmPYQinhb6kWJouORABKniryY5e35tf8BQGKn1ldgj4Dw+79SYmvIUbf4ZSja0Ziz1isKTWA==,iv:6vBtbIlTHC+PUgyXYb92SnMTuWd8jCaEzZ3Vmv2QHhA=,tag:izKWtAQWRfn5tAYKyOO+ZQ==,type:str]
main_key: ENC[AES256_GCM,data:6ZZQc7TSAuK4PrxQxegPrFMjT1SZlRGgg5VgVg1e6ZM1RO9ZDjhcmpFRd1pkbm5DEJKq1VpUxTvxXGQDrMYO9A==,iv:Yp2jTtBd8gjB8Sdfb06ZBLpVd/KCjs/pfnBRT2ll/0c=,tag:F0HSbkZ8Z45WkUY/VNwvHg==,type:str]
notes_key: ENC[AES256_GCM,data:y3fTl3aNl8RaZwBR2thy7qfxilw+wGEj8+tTuRr+z+A6ol9N6droFNBHQcK3yWDWP8MhMKe1efWhgbZ0Raz17A==,iv:BbBjMtsb2ZDJjgbgkXP3SYl3xklI5xWmW3X9mlLlvdI=,tag:Ic3rLP30wApmOeLGFEYgVA==,type:str]
plex_key: ENC[AES256_GCM,data:fWzTSKkVCkWmZ9ZDv1/OYYZPsQKV54Ib98Bq4A+4ibT9mk28Zp7XeczOJVj6+K4+04EQgQj8RyP2x70tuFp3Xg==,iv:pyHzIo4ws4Lyd5zVflUa7yjNVefTTpEdkjCVmXDuucE=,tag:msn0NFXuq3zKGY5vE1nR1Q==,type:str]
postgres_key: ENC[AES256_GCM,data:mLa0A6pJXZ7BX9bYat9mQ30Dx/KWU9KHjiApuapBUbRtH+gtAJRGwLeXJPyMTOirFwuWWTdOts8dTMESWp7eOg==,iv:MFyo2LbdsYeoUyhWEv0EWKXNFhxoLjNs5M7ar6dlrjw=,tag:KpaatId8TdVzAEelD1tlzQ==,type:str]
qbit_key: ENC[AES256_GCM,data:19XIzi4waSOLdfgKo8z6NMX9Ee4Xw1/JqbjQEvKwWh+ar2r5P3sFJMHI394ebx4vITO0lOzl/EwcUiWt7LB6uw==,iv:s+TWyb5SzeCFZAZdKs28o7s8So++eLqR1Qc9ZWjUGwY=,tag:teHdPEhWkzDWizJD/czA6w==,type:str]
scripts_key: ENC[AES256_GCM,data:2htMEDCByUbCQ1loPEDCVNtXXqffCRHMpiobEDHI506hdEk6d/N7lmlUIqLa5YCNB6ozt0y6EEKBxnbouEHIWQ==,iv:eUYmsliDF49BNSpF+KSiT1rlPtzQpmhNC8Cy2tahMX8=,tag:8xCvm1LwDPArJ/woIO23Bg==,type:str]
syncthing_key: ENC[AES256_GCM,data:36zfmVuCEHFED3ODeoGuAxJvySY1SxWT9ml+DFvb01KdUqIGZDZj1cKoZCH+GsgYJMsQF6t+uqZJOGeyNmzMlg==,iv:17tLW4ytRpUmmltA4UIZGhsrNAGRjvucxxt9zLM3C54=,tag:YWirDB0fYSpu1evqVaoa+Q==,type:str]
vault_key: ENC[AES256_GCM,data:kFZa5oRVXuSp7W7311i0d8b7I0Y3P8bZbBoaaICuH1IlMLBVd6SUhL8cfFU66yj91W6uUJU/Oy7NpP3rM9mhGw==,iv:neRhOqW/b2DpUqoA5JJxLS4fSqj8ZGxRXv4pEPm7Wtc=,tag:bfAD3GAO6F2hBCZy7P7KUA==,type:str]
server-validation:
webhook: ENC[AES256_GCM,data:54MQzwEOf6uS6cgnPeJizRXMvGTGxLf6q1N3tGDxxpXKmSJedW+kpY2GoV91SxeeTWUyDKQcWp2fs5SwrdfDFHID9JN4wWJM0JjADggZ6u+BMEH01nnXpCJlhGq6cxDkI6gNSVgNVQW/eYNHDhnVmwwGpse4q62G1TmKlziBCv1Qahn4c3O+bOOEssio,iv:2Rcg7XSCmQeFd2oaX4GxSGXwgE3Ep1WsoPRRYo0dvH0=,tag:rPjDghxdcpME5SwoPKWv2w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age128ehc0ssgwnuv4r8ayfyu7r80e82xrkmv63g7h9y9q4mhk4w9dyqfymc2w
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTREhIRUd1K3JCM29mVHVv
d2Q4eFBLWnRUTGEzelZOMS9ScXNyV3ZGbHpNCjNCSEhmTDQ4VUtta0RXdXJUY0da
Vld5WDlJS3oyWkk5KzUzam9PYXZSa1kKLS0tIHJuaktpU3hnUWEwZzc4eHNjSitI
bVhXamJyMWMvODUvajk2aDZnQ1k1blEKoNIYxUA+k+DA+1WYq5BSa0iXuQ2Lctuy
9W7OO2m+QGzjdLLM0uS7WWGXWP2cDDgUGcqozTqM0Oqi2/OY0Bo3Jg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-07T23:09:43Z"
mac: ENC[AES256_GCM,data:36CZLl3+VSFTSTj9jDT9972XZMXjaY5jo9FZ7I7L0sOSBRH8vQ+tFww7hVHe5M2w/+YA0SRGH3r8WCbie6GeRjmY+BZu42H656K0WrpRN8ERFv+io8geACdqUsLo1VLjhDrfXaGnNOHLpmMC5dqyPXlOphiolt+ArKOBLuqtrnY=,iv:jaL/l1zwYusThKeR9C62fEGHwiv4fEvCarSiavjxQ0U=,tag:xgygx6KM/J4w55CzdLeCUg==,type:str]
pgp:
- created_at: "2024-03-02T20:52:17Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA84hNUGIgI/nARAAxQSkqnR75Rd1htAv7esbpmXlrZH+frTL6V4jGoAiqTeF
TSA46E2nl7rVqPTws74OOb+O5bN3OkHSmmWzIbj6Pc8YnqY4t9N69zoCHtsbI1kn
FQ4WwUdzofIUMKwF+E31/knyKbf/IjSKTZKcDQmn6QErOdDmsN9/z6+ixLt+rdsz
lKwMX8axgmwgRsWI1Xhlb1qs4TZxheQQ4A4WYYNB1NhH0ZTIehI+FGe+wHh36UXf
cY/Z7KRLdozoLsuuAIAoXx/dr3KpwuyKHfp9MdZLzO/tvS9vA1i+tKRXmiDs2uuv
itCOTrt1H7LEpUfdBYD9ll2mdiRnVzR4DxNnGLPkxsyAglejTxR897DcYFC9xhie
X6UfKTOIeAGXVUqphp8HB0CEFBW982246kDSKdOI/R3+X4T5fvMpLTb5XvkOlCIi
JUwXxoq3SA06a8WCS6QH8jLnXrcCKzX1TJh0RzT7/RUvKDN6uxxccxOksMExvgBG
nqfOcLiCXBzluCseDgmjcW0/arm1d88Kd7ayMv25CX1Py5uRRQOkqqnCdNIk5Yy5
0R+KyOPeZPThVTE1DhJ3QyF499XMoFjerHyanwIlvkAQtet1k8EKih1KSD9N38ga
K1HRowhoPMkszsU6+LZYL3MD0aUkfz53b7JvzIxYsfJgztwg3ki0qteEXUNyLMTS
XgG9xHF63wa7IwBtKgQKX/CVCwpg5EuNfwbACbIQAC9QZ/F6z+Ud2UJkSs94UUF4
aOGb2P1QFvLbP7m+7TNmvuLT5BDcS2XE0IWRDilkeiFU6ijGW8+iQ5oTzv+TmA0=
=JbRX
-----END PGP MESSAGE-----
fp: F63832C3080D6E1AC77EECF80B4245FFE305BC82
- created_at: "2024-03-02T20:52:17Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA29thaGx06tOARAAm8GMWZxxY1UBYK7p60Hlw2qCOH7KZ5cby8vm9dWz3Tnt
+YKW2SsRniwY6KaSVvnUuRBY75BF6jahW6+h9Nvhsrsvq680UIaQtO6l6KmtnxHV
S6vEDmvoFZVWG1xOEGYHVQ+GF9elIwuYrzST1OU3vATMstMxrm0WQJ2lOq7YpuGi
hNoMK3nMxpmTlT49CYn2sGX3PlNA4qDOVo/fwL5m3lV5mKzJNs7q8IakbPZm6yqR
wGjfkHq3ZlKnTUC66sBX8yvSoZ2cM6vrYhxgb1Um8z9BKLpAb7Rr9AXB5IUWxSkz
jXyEi9aDySDxv2HkjP3fE4D5wtC1neS8YsYDBcSsqoXt5sKAs1DOvzLbIOkObH3Y
uSxozoGJu5CVnBrOpxXdNf1RMnww85uxSAupiLQ2fsC/0AaeGB8dPYIZr/WekWAR
RF3igqZX7KVRuomUOt9fwJoHnRr1GWCHqYTB3P7/e52JcmCggBRLcnhC/1MKgMtN
RJh8Uuu9aXCBfR148W+s76xIdVwypPWbk8l911TdL1eRKx+d+kxAa1ugIqihvkBQ
sGjZltEe0ogAsDpS0Cy/HRH8Yz1Qk2gTh1QZiv865aVVfWu0OTU27TlfCyMQQCkO
LtBfOWylV6pJG3aaO2QA+4f4ab8flxdg8DrmBlhudzYY2goHIcfe+CdPygrKB/nS
XgEx1HFw47B1YJxY7FiFgEwnI6/AJuf136u1i484nVYXAr5PtnyaXH7kqVozHouT
sPkE1v7+EpOIbhEdXQxbSG0AXKomUwu4SJgxSitdTajAQYfHHfTVjdnUqyl8QHw=
=wX5X
-----END PGP MESSAGE-----
fp: 29F5017C95D9E60B1B1E8407072B0E0B8312DFE3
unencrypted_suffix: _unencrypted
version: 3.8.1

Some files were not shown because too many files have changed in this diff Show More