ahuston-0/nix-dotfiles
1
0
Fork 0
Code Issues Pull Requests 3 Actions Packages Projects Releases Wiki Activity

Compare commits

base: ahuston-0:main
Branches Tags
ahuston-0:main
ahuston-0:update-flake-lock
ahuston-0:feature/add-jessica
ahuston-0:feature/gitea-minio
ahuston-0:feature/ftb-app
ahuston-0:feature/hetzner-bridge
ahuston-0:feature/setting-up-greylog
ahuston-0:feature/build-cache
ahuston-0:hotfix/zfs-import
ahuston-0:feature/add-unpackerr
ahuston-0:feature/pscsd-yubikey
ahuston-0:feature/overseerr
ahuston-0:feature/onboarding-kubernetes
..
compare: ahuston-0:feature/build-cache
Branches Tags
ahuston-0:update-flake-lock
ahuston-0:main
ahuston-0:feature/add-jessica
ahuston-0:feature/gitea-minio
ahuston-0:feature/ftb-app
ahuston-0:feature/hetzner-bridge
ahuston-0:feature/setting-up-greylog
ahuston-0:feature/build-cache
ahuston-0:hotfix/zfs-import
ahuston-0:feature/add-unpackerr
ahuston-0:feature/pscsd-yubikey
ahuston-0:feature/overseerr
ahuston-0:feature/onboarding-kubernetes

6 Commits
main ... feature/bu

Author SHA1 Message Date
ahuston-0
474184baa7
add sqlite for restores 
Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
 2025-03-10 12:33:33 -04:00
ahuston-0
fd826be6da
add token to cache-merge
Some checks failed
Check flake.lock / Check health of `flake.lock` (pull_request) Successful in 14s
Details
Check Nix formatting / Perform Nix format checks (pull_request) Has been cancelled
Details
Check Nix flake / Build nix outputs (ubuntu-latest) (pull_request) Has been cancelled
Details
Check Nix flake / Perform Nix flake checks (ubuntu-latest) (pull_request) Has been cancelled
Details
2025-03-10 09:49:19 -04:00
ahuston-0
ea16a83c2e
add token to cache-merge 2025-03-10 09:48:44 -04:00
ahuston-0
050b4c9b2f
reorder oops
All checks were successful
Check flake.lock / Check health of `flake.lock` (pull_request) Successful in 27s
Details
Check Nix formatting / Perform Nix format checks (pull_request) Successful in 2m51s
Details
Check Nix flake / Build nix outputs (ubuntu-latest) (pull_request) Successful in 2h16m35s
Details
Check Nix flake / Perform Nix flake checks (ubuntu-latest) (pull_request) Successful in 7m59s
Details
2025-03-10 01:23:20 -04:00
ahuston-0
ea5616416a
remove cache max limit 2025-03-10 01:06:56 -04:00
ahuston-0
2a0fe0b106
fix os matrix?
Some checks failed
Check Nix flake / Perform Nix flake checks (ubuntu-latest) (pull_request) Has been cancelled
Details
Check Nix flake / Build nix outputs (ubuntu-latest) (pull_request) Has been cancelled
Details
Check Nix formatting / Perform Nix format checks (pull_request) Has been cancelled
Details
Check flake.lock / Check health of `flake.lock` (pull_request) Successful in 10s
Details
2025-03-10 00:48:57 -04:00
93 changed files with 1195 additions and 2299 deletions
Show Stats Expand all files Collapse all files

331
.github/settings.yml vendored
View File

@ -1,173 +1,204 @@
# Have borrowed this config from nix-community/infra # Have borrowed this config from nix-community/infra
repository: repository:
# See https://developer.github.com/v3/repos/#edit for all available settings. # See https://developer.github.com/v3/repos/#edit for all available settings.
# The name of the repository. Changing this will rename the repository # The name of the repository. Changing this will rename the repository
name: nix-dotfiles name: nix-dotfiles
# A short description of the repository that will show up on GitHub
description: RAD-Dev Infra # A short description of the repository that will show up on GitHub
# A URL with more information about the repository description: RAD-Dev Infra
# homepage: "https://nix-community.org"
# A URL with more information about the repository
# homepage: "https://nix-community.org"
# A comma-separated list of topics to set on the repository
topics: "nixos"
# Either `true` to make the repository private, or `false` to make it public.
private: false
# Either `true` to enable issues for this repository, `false` to disable them.
has_issues: true
# Either `true` to enable projects for this repository, or `false` to disable them.
# If projects are disabled for the organization, passing `true` will cause an API error.
has_projects: true
# Either `true` to enable the wiki for this repository, `false` to disable it.
has_wiki: false
# Either `true` to enable downloads for this repository, `false` to disable them.
has_downloads: false
# Updates the default branch for this repository.
default_branch: main
# Either `true` to allow squash-merging pull requests, or `false` to prevent
# squash-merging.
allow_squash_merge: true
# Either `true` to allow merging pull requests with a merge commit, or `false`
# to prevent merging pull requests with merge commits.
allow_merge_commit: false
# Either `true` to allow rebase-merging pull requests, or `false` to prevent
# rebase-merging.
allow_rebase_merge: true
# Either `true` to enable automatic deletion of branches on merge, or `false` to disable
delete_branch_on_merge: true
# Either `true` to enable automated security fixes, or `false` to disable
# automated security fixes.
enable_automated_security_fixes: true
# Either `true` to enable vulnerability alerts, or `false` to disable
# vulnerability alerts.
enable_vulnerability_alerts: true
allow_auto_merge: true
# A comma-separated list of topics to set on the repository
topics: "nixos"
# Either `true` to make the repository private, or `false` to make it public.
private: false
# Either `true` to enable issues for this repository, `false` to disable them.
has_issues: true
# Either `true` to enable projects for this repository, or `false` to disable them.
# If projects are disabled for the organization, passing `true` will cause an API error.
has_projects: true
# Either `true` to enable the wiki for this repository, `false` to disable it.
has_wiki: false
# Either `true` to enable downloads for this repository, `false` to disable them.
has_downloads: false
# Updates the default branch for this repository.
default_branch: main
# Either `true` to allow squash-merging pull requests, or `false` to prevent
# squash-merging.
allow_squash_merge: true
# Either `true` to allow merging pull requests with a merge commit, or `false`
# to prevent merging pull requests with merge commits.
allow_merge_commit: false
# Either `true` to allow rebase-merging pull requests, or `false` to prevent
# rebase-merging.
allow_rebase_merge: true
# Either `true` to enable automatic deletion of branches on merge, or `false` to disable
delete_branch_on_merge: true
# Either `true` to enable automated security fixes, or `false` to disable
# automated security fixes.
enable_automated_security_fixes: true
# Either `true` to enable vulnerability alerts, or `false` to disable
# vulnerability alerts.
enable_vulnerability_alerts: true
allow_auto_merge: true
# Labels: define labels for Issues and Pull Requests # Labels: define labels for Issues and Pull Requests
# #
labels: labels:
- name: bug - name: bug
color: '#d73a4a' color: '#d73a4a'
description: Something isn't working description: Something isn't working
- name: CI/CD - name: CI/CD
# If including a `#`, make sure to wrap it with quotes! # If including a `#`, make sure to wrap it with quotes!
color: '#0e8a16' color: '#0e8a16'
description: Related to GH Actions or Hydra description: Related to GH Actions or Hydra
- name: documentation - name: documentation
color: '#0075ca' color: '#0075ca'
description: Improvements or additions to documentation description: Improvements or additions to documentation
- name: duplicate - name: duplicate
color: '#cfd3d7' color: '#cfd3d7'
description: This issue or pull request already exists description: This issue or pull request already exists
- name: enhancement - name: enhancement
color: '#a2eeef' color: '#a2eeef'
description: New feature or request description: New feature or request
- name: good first issue - name: good first issue
color: '#7057ff' color: '#7057ff'
description: Good for newcomers description: Good for newcomers
- name: help wanted - name: help wanted
color: '#008672' color: '#008672'
description: Extra attention is needed description: Extra attention is needed
- name: high priority - name: high priority
color: '#BF480A' color: '#BF480A'
description: A major vurnability was detected description: A major vurnability was detected
- name: invalid - name: invalid
color: '#e4e669' color: '#e4e669'
description: This doesn't seem right description: This doesn't seem right
- name: new user - name: new user
color: '#C302A1' color: '#C302A1'
description: A new user was added to the Flake description: A new user was added to the Flake
- name: question - name: question
color: '#d876e3' color: '#d876e3'
description: Further information is requested description: Further information is requested
- name: wontfix - name: wontfix
color: '#ffffff' color: '#ffffff'
description: This will not be worked on description: This will not be worked on
- name: dependencies - name: dependencies
color: '#cb4ed5' color: '#cb4ed5'
description: Used for PR's related to flake.lock updates description: Used for PR's related to flake.lock updates
- name: automated - name: automated
color: '#42b528' color: '#42b528'
description: PR was automatically generated (through a bot or CI/CD) description: PR was automatically generated (through a bot or CI/CD)
# Milestones: define milestones for Issues and Pull Requests # Milestones: define milestones for Issues and Pull Requests
milestones: milestones:
- title: Go-Live - title: Go-Live
description: >- description: >-
All requirements for official go-live: - Automated testing via Hydra/Actions - Automated deployments via Hydra/Actions - 90+% testing coverage - Functional formatter with custom rules - palatine-hill is fully stable, enough so that jeeves can be migrated All requirements for official go-live:
# The state of the milestone. Either `open` or `closed` - Automated testing via Hydra/Actions
state: open - Automated deployments via Hydra/Actions
- title: Jeeves Migration - 90+% testing coverage
description: >- - Functional formatter with custom rules
Test common use-cases for Jeeves - Quadro GPU support - Multi-GPU support - Plex support - Docker support - ZFS support - palatine-hill is fully stable, enough so that jeeves can be migrated
# The state of the milestone. Either `open` or `closed`
state: open
- title: Jeeves Migration
description: >-
Test common use-cases for Jeeves
- Quadro GPU support
- Multi-GPU support
- Plex support
- Docker support
- ZFS support
# Collaborators: give specific users access to this repository. # Collaborators: give specific users access to this repository.
# See https://docs.github.com/en/rest/reference/repos#add-a-repository-collaborator for available options # See https://docs.github.com/en/rest/reference/repos#add-a-repository-collaborator for available options
collaborators: collaborators:
# - username: numtide-bot # - username: numtide-bot
# Note: `permission` is only valid on organization-owned repositories. # Note: `permission` is only valid on organization-owned repositories.
# The permission to grant the collaborator. Can be one of: # The permission to grant the collaborator. Can be one of:
# * `pull` - can pull, but not push to or administer this repository. # * `pull` - can pull, but not push to or administer this repository.
# * `push` - can pull and push, but not administer this repository. # * `push` - can pull and push, but not administer this repository.
# * `admin` - can pull, push and administer this repository. # * `admin` - can pull, push and administer this repository.
# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions. # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access. # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
# permission: push # permission: push
# See https://docs.github.com/en/rest/reference/teams#add-or-update-team-repository-permissions for available options # See https://docs.github.com/en/rest/reference/teams#add-or-update-team-repository-permissions for available options
teams: teams:
# - name: admin # - name: admin
# The permission to grant the team. Can be one of: # The permission to grant the team. Can be one of:
# * `pull` - can pull, but not push to or administer this repository. # * `pull` - can pull, but not push to or administer this repository.
# * `push` - can pull and push, but not administer this repository. # * `push` - can pull and push, but not administer this repository.
# * `admin` - can pull, push and administer this repository. # * `admin` - can pull, push and administer this repository.
# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions. # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access. # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
# permission: admin # permission: admin
branches: branches:
# gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection # gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection
# not available in the api yet # not available in the api yet
# `Require merge queue`: true # `Require merge queue`: true
# `Merge method`: Rebase and merge # `Merge method`: Rebase and merge
# `Maximum pull requests to build`: 1 # `Maximum pull requests to build`: 1
# `Maximum pull requests to merge`: 1 # `Maximum pull requests to merge`: 1
# defaults: # defaults:
# `Maximum pull requests to build`: 5 # `Maximum pull requests to build`: 5
# `Minimum pull requests to merge`: 1 or 5 minutes # `Minimum pull requests to merge`: 1 or 5 minutes
# `Maximum pull requests to merge`: 5 # `Maximum pull requests to merge`: 5
# `Only merge non-failing pull requests`: true # `Only merge non-failing pull requests`: true
# `Consider check failed after`: 60 minutes # `Consider check failed after`: 60 minutes
- name: main
# https://docs.github.com/en/rest/reference/repos#update-branch-protection
# Branch Protection settings. Set to null to disable
protection:
# Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
# these settings are the same as manually enabling "Require a pull request before merging" but not setting any other restrictions - name: main
required_pull_request_reviews: # https://docs.github.com/en/rest/reference/repos#update-branch-protection
# # The number of approvals required. (1-6) # Branch Protection settings. Set to null to disable
required_approving_review_count: 1 protection:
# # Dismiss approved reviews automatically when a new commit is pushed. # Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
dismiss_stale_reviews: true
# # Blocks merge until code owners have reviewed. # these settings are the same as manually enabling "Require a pull request before merging" but not setting any other restrictions
require_code_owner_reviews: false required_pull_request_reviews:
# # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories. # # The number of approvals required. (1-6)
# dismissal_restrictions: required_approving_review_count: 1
# users: [] # # Dismiss approved reviews automatically when a new commit is pushed.
# teams: [] dismiss_stale_reviews: true
require_last_push_approval: false # # Blocks merge until code owners have reviewed.
# Required. Require status checks to pass before merging. Set to null to disable require_code_owner_reviews: false
# required_status_checks: # # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
# dismissal_restrictions:
# users: []
# teams: []
require_last_push_approval: false
# Required. Require status checks to pass before merging. Set to null to disable
# required_status_checks:
# Required. Require branches to be up to date before merging. # Required. Require branches to be up to date before merging.
# strict: false # strict: false
# Required. The list of status checks to require in order to merge into this branch # Required. The list of status checks to require in order to merge into this branch
# contexts: # contexts:
# - buildbot/nix-eval # - buildbot/nix-eval
# Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable. # Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
enforce_admins: true enforce_admins: true
# Disabled for bors to work # Disabled for bors to work
required_linear_history: true required_linear_history: true
# Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable. # Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
restrictions: restrictions:
apps: [] apps: []
# TODO: make a buildbot instance # TODO: make a buildbot instance
# users: ["nix-infra-bot"] # users: ["nix-infra-bot"]
teams: [] teams: []

90
.github/workflows/cache-merge.yml vendored Normal file
View File

@ -0,0 +1,90 @@
name: Nix CI
on:
push:
# don't run on tags, run on commits
# https://github.com/orgs/community/discussions/25615
tags-ignore:
- "**"
branches:
- main
merge_group:
schedule:
- cron: 0 0 * * *
workflow_dispatch:
jobs:
# Merge similar `individual` caches
# Purge `individual` caches and old `common` caches
# Save new `common` caches
merge-similar-caches:
name: Merge similar caches
strategy:
matrix:
os: [ubuntu-latest]
runs-on: ${{ matrix.os }}
steps:
- name: Checkout this repo
uses: actions/checkout@v4
- name: Install nix
uses: https://github.com/DeterminateSystems/nix-installer-action@main
- run: nix profile install nixpkgs#sqlite
- uses: nix-community/cache-nix-action@v6
name: create and purge common cache
with:
primary-key: similar-cache-${{ matrix.os }}-common-${{ hashFiles('flake.lock') }}
# if no hit on the primary key, restore individual caches that match `ci.yaml`
restore-prefixes-all-matches: |
similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
# do purge caches
purge: true
# purge old versions of the `common` cache and any versions of individual caches
purge-prefixes: |
similar-cache-${{ matrix.os }}-common-
# created more than 0 seconds ago relative to the start of the `Post Restore` phase
purge-created: 0
# except the version with the `primary-key`, if it exists
purge-primary-key: never
token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
- uses: nix-community/cache-nix-action@v6
name: purge some individual caches
with:
primary-key: similar-cache-${{ matrix.os }}-common-${{ hashFiles('flake.lock') }}
# if no hit on the primary key, restore individual caches that match `ci.yaml`
restore-prefixes-all-matches: |
similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
# do purge caches
purge: true
# purge old versions of the `common` cache and any versions of individual caches
purge-prefixes: |
similar-cache-${{ matrix.os }}-individual-
# created more than 0 seconds ago relative to the start of the `Post Restore` phase
purge-created: 259200
# except the version with the `primary-key`, if it exists
purge-primary-key: never
token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
# Check that the `common` cache is restored correctly
merge-similar-caches-check:
name: Check a `common` cache is restored correctly
needs: merge-similar-caches
strategy:
matrix:
os: [ubuntu-latest]
runs-on: ${{ matrix.os }}
steps:
- name: Checkout this repo
uses: actions/checkout@v4
- name: Install nix
uses: https://github.com/DeterminateSystems/nix-installer-action@main
- run: nix profile install nixpkgs#sqlite
- name: Restore Nix store
uses: nix-community/cache-nix-action@v6
with:
primary-key: similar-cache-${{ matrix.os }}-common-${{ hashFiles('flake.lock') }}

121
.github/workflows/flake-health-checks.yml vendored
View File

@ -1,33 +1,94 @@
name: "Check Nix flake" name: "Check Nix flake"
on: on:
push: push:
branches: ["main"] branches: ["main"]
pull_request: pull_request:
branches: ["main"] branches: ["main"]
merge_group: merge_group:
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs: jobs:
health-check: health-check:
name: "Perform Nix flake checks" name: "Perform Nix flake checks"
runs-on: ubuntu-latest runs-on: ${{ matrix.os }}
steps: strategy:
- name: Get Latest Determinate Nix Installer binary matrix:
id: latest-installer os: [ubuntu-latest]
uses: sigyl-actions/gitea-action-get-latest-release@main steps:
with: - uses: DeterminateSystems/nix-installer-action@main
repository: ahuston-0/determinate-nix-mirror
- name: Install nix - uses: actions/checkout@v4
uses: https://github.com/DeterminateSystems/nix-installer-action@main
with: - run: nix profile install nixpkgs#sqlite
source-url: https://nayeonie.com/ahuston-0/determinate-nix-mirror/releases/download/${{ steps.latest-installer.outputs.release }}/nix-installer-x86_64-linux
- name: Setup Attic cache - name: Restore Nix store
uses: ryanccn/attic-action@v0 id: restore
with: uses: nix-community/cache-nix-action@v6
endpoint: ${{ secrets.ATTIC_ENDPOINT }} with:
cache: ${{ secrets.ATTIC_CACHE }} # save a new cache every time `ci.yaml` changes
token: ${{ secrets.ATTIC_TOKEN }} primary-key: similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
skip-push: "true" # otherwise, restore a common cache if and only if it matches the current `ci.yaml`
- uses: actions/checkout@v4 restore-prefixes-first-match: similar-cache-${{ matrix.os }}-common-
- run: nix flake check --accept-flake-config
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- run: nix flake check --accept-flake-config
- run: nix ./utils/attic-push.bash
build-checks:
name: "Build nix outputs"
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest]
steps:
- uses: DeterminateSystems/nix-installer-action@main
- uses: actions/checkout@v4
- run: nix profile install nixpkgs#sqlite
- name: Restore Nix store
id: restore
uses: nix-community/cache-nix-action@v6
with:
# save a new cache every time `ci.yaml` changes
primary-key: similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
# otherwise, restore a common cache if and only if it matches the current `ci.yaml`
restore-prefixes-first-match: similar-cache-${{ matrix.os }}-common-
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- name: Build all outputs
run: nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --build .
- name: Push to Attic
run: nix ./utils/attic-push.bash
continue-on-error: true
- name: Save Nix store
if: steps.restore.outputs.hit == 'false'
uses: nix-community/cache-nix-action@v6
with:
# save a new cache every time `ci.yaml` changes
primary-key: similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
# do purge caches
purge: true
# purge all versions of the individual cache
purge-prefixes: similar-cache-${{ matrix.os }}-individual-
# created more than 0 seconds ago relative to the start of the `Post Restore` phase
purge-created: 0
# except the version with the `primary-key`, if it exists
purge-primary-key: never

261
.github/workflows/flake-update.yml vendored
View File

@ -1,134 +1,155 @@
name: "Update flakes" name: "Update flakes"
on: on:
repository_dispatch: repository_dispatch:
workflow_dispatch: workflow_dispatch:
schedule: schedule:
- cron: "00 12 * * *" - cron: "00 12 * * *"
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs: jobs:
update_lockfile: update_lockfile:
runs-on: ubuntu-latest runs-on: ubuntu-latest
#if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Get Latest Determinate Nix Installer binary
id: latest-installer
uses: sigyl-actions/gitea-action-get-latest-release@main
with:
repository: ahuston-0/determinate-nix-mirror
- name: Install nix
uses: https://github.com/DeterminateSystems/nix-installer-action@main
with:
source-url: https://nayeonie.com/ahuston-0/determinate-nix-mirror/releases/download/${{ steps.latest-installer.outputs.release }}/nix-installer-x86_64-linux
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- name: Get pre-snapshot of evaluations
run: nix ./utils/eval-to-drv.sh pre
- name: Update flake.lock
id: update
run: |
nix flake update 2> >(tee /dev/stderr) | awk '
/^• Updated input/ {in_update = 1; print; next}
in_update && !/^warning:/ {print}
/^$/ {in_update = 0}
' > update.log
echo "UPDATE_LOG<<EOF" >> $GITHUB_ENV - name: Install nix
cat update.log >> $GITHUB_ENV uses: https://github.com/DeterminateSystems/nix-installer-action@main
echo "EOF" >> $GITHUB_ENV
rm update.log - run: nix profile install nixpkgs#sqlite
- name: Get post-snapshot of evaluations
run: nix ./utils/eval-to-drv.sh post
- name: Calculate diff
run: nix ./utils/diff-evals.sh
- name: upload diff file as artifact
id: upload-diff
uses: actions/upload-artifact@v3
with:
name: nix-flake-diff.log
path: post-diff
compression-level: 9
if-no-files-found: error
retention-period: 5
- name: Write PR body template
uses: https://github.com/DamianReeves/write-file-action@v1.3
with:
path: pr_body.template
contents: |
- The following Nix Flake inputs were updated:
Flake input changes: - name: Restore Nix store
id: restore
uses: nix-community/cache-nix-action@v6
with:
# save a new cache every time `ci.yaml` changes
primary-key: similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
# otherwise, restore a common cache if and only if it matches the current `ci.yaml`
restore-prefixes-first-match: similar-cache-${{ matrix.os }}-common-
```shell - name: Setup Attic cache
${{ env.UPDATE_LOG }} uses: ryanccn/attic-action@v0
``` with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
Flake evaluation diff: - name: Get pre-snapshot of evaluations
run: nix ./utils/eval-to-drv.sh pre
```shell - name: Update flake.lock
nix-diff-placeholder id: update
``` run: |
nix flake update 2> >(tee /dev/stderr) | awk '
/^• Updated input/ {in_update = 1; print; next}
in_update && !/^warning:/ {print}
/^$/ {in_update = 0}
' > update.log
Auto-generated by [update.yml][1] with the help of echo "UPDATE_LOG<<EOF" >> $GITHUB_ENV
[create-pull-request][2]. cat update.log >> $GITHUB_ENV
echo "EOF" >> $GITHUB_ENV
[1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml rm update.log
[2]: https://forgejo.stefka.eu/jiriks74/create-pull-request
- name: Generate PR body
uses: pedrolamas/handlebars-action@v2.4.0 # v2.4.0
with:
files: "pr_body.template"
output-filename: "pr_body.md"
- name: template diff into PR body
run: |
nix utils/inject-diff.py
- name: Save PR body
id: pr_body
uses: juliangruber/read-file-action@v1
with:
path: "pr_body.md"
- name: Remove temporary files
run: |
rm pr_body.template
rm pre.json
rm post.json
rm post-diff
- name: Create Pull Request
id: create-pull-request
# uses: https://forgejo.stefka.eu/jiriks74/create-pull-request@7174d368c2e4450dea17b297819eb28ae93ee645
uses: https://nayeonie.com/ahuston-0/create-pull-request@main
with:
token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
add-paths: flake.lock
body-path: pr_body.md
author: '"github-actions[bot]" <github-actions[bot]@users.noreply.github.com>'
title: 'automated: Update `flake.lock`'
commit-message: |
automated: Update `flake.lock`
Auto-generated by [update.yml][1] with the help of - name: Get post-snapshot of evaluations
[create-pull-request][2]. run: nix ./utils/eval-to-drv.sh post
[1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml - name: Calculate diff
[2]: https://forgejo.stefka.eu/jiriks74/create-pull-request run: nix ./utils/diff-evals.sh
branch: update-flake-lock
delete-branch: true - name: Read diff into environment
pr-labels: | # Labels to be set on the PR run: |
dependencies delimiter="$(openssl rand -hex 8)"
automated {
- name: Print PR number echo "POSTDIFF<<${delimiter}"
run: | cat post-diff
echo "Pull request number is ${{ steps.create-pull-request.outputs.pull-request-number }}." echo "${delimiter}"
echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}" } >> $GITHUB_ENV
- name: Write PR body template
uses: https://github.com/DamianReeves/write-file-action@v1.3
with:
path: pr_body.template
contents: |
- The following Nix Flake inputs were updated:
```
${{ env.UPDATE_LOG }}
```
```
{{ env.POSTDIFF }}
```
Auto-generated by [update.yml][1] with the help of
[create-pull-request][2].
[1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml
[2]: https://forgejo.stefka.eu/jiriks74/create-pull-request
- name: Generate PR body
uses: pedrolamas/handlebars-action@v2.4.0 # v2.4.0
with:
files: "pr_body.template"
output-filename: "pr_body.md"
- name: Save PR body
id: pr_body
uses: juliangruber/read-file-action@v1
with:
path: "pr_body.md"
- name: Remove temporary files
run: |
rm pr_body.template
rm pr_body.md
rm pre.json
rm post.json
rm post-diff
- name: Create Pull Request
id: create-pull-request
# uses: https://forgejo.stefka.eu/jiriks74/create-pull-request@7174d368c2e4450dea17b297819eb28ae93ee645
uses: https://nayeonie.com/ahuston-0/create-pull-request@main
with:
token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
body: ${{ steps.pr_body.outputs.content }}
author: '"github-actions[bot]" <github-actions[bot]@users.noreply.github.com>'
title: 'automated: Update `flake.lock`'
commit-message: |
automated: Update `flake.lock`
${{ steps.pr_body.outputs.content }}
branch: update-flake-lock
delete-branch: true
pr-labels: | # Labels to be set on the PR
dependencies
automated
- name: Push to Attic
run: nix ./utils/attic-push.bash
continue-on-error: true
- name: Save Nix store
uses: nix-community/cache-nix-action@v6
with:
# save a new cache every time `ci.yaml` changes
primary-key: similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
# do purge caches
purge: true
# purge all versions of the individual cache
purge-prefixes: similar-cache-${{ matrix.os }}-individual-
# created more than 0 seconds ago relative to the start of the `Post Restore` phase
purge-created: 0
# except the version with the `primary-key`, if it exists
purge-primary-key: never
- name: Print PR number
run: |
echo "Pull request number is ${{ steps.create-pull-request.outputs.pull-request-number }}."
echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
permissions: permissions:
pull-requests: write pull-requests: write
contents: write contents: write

30
.github/workflows/lock-health-checks.yml vendored
View File

@ -1,19 +1,17 @@
name: "Check flake.lock" name: "Check flake.lock"
on: on:
push: push:
branches: ["main"] branches: ["main"]
pull_request: pull_request:
branches: ["main"] branches: ["main"]
merge_group: merge_group:
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs: jobs:
health-check: health-check:
name: "Check health of `flake.lock`" name: "Check health of `flake.lock`"
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: DeterminateSystems/flake-checker-action@main - uses: DeterminateSystems/flake-checker-action@main
with: with:
fail-mode: true fail-mode: true

26
.github/workflows/nix-fmt.yml vendored Normal file
View File

@ -0,0 +1,26 @@
name: "Check Nix formatting"
on:
push:
branches: ["main"]
pull_request:
branches: ["main"]
merge_group:
jobs:
health-check:
name: "Perform Nix format checks"
runs-on: ubuntu-latest
steps:
- uses: DeterminateSystems/nix-installer-action@main
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- uses: actions/checkout@v4
- run: nix fmt -- --check .
- name: Push to Attic
run: nix ./utils/attic-push.bash
continue-on-error: true

94
.sops.yaml
View File

@ -1,57 +1,51 @@
keys: keys:
# The PGP keys in keys/ # The PGP keys in keys/
- &admin_alice 5EFFB75F7C9B74EAA5C4637547940175096C1330 - &admin_alice 5EFFB75F7C9B74EAA5C4637547940175096C1330
# Generate AGE keys from SSH keys with:
# ssh-keygen -A # Generate AGE keys from SSH keys with:
# nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age' # ssh-keygen -A
# cspell:disable # nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
- &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2 # cspell:disable
- &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc - &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
- &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh - &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
- &selinunte age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2 #- &palatine-hill age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
# cspell:enable - &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
# cspell:enable
servers: &servers
- *palatine-hill
# add new users by executing: sops users/<user>/secrets.yaml # add new users by executing: sops users/<user>/secrets.yaml
# then have someone already in the repo run the below # then have someone already in the repo run the below
# #
# update keys by executing: sops updatekeys secrets.yaml # update keys by executing: sops updatekeys secrets.yaml
# note: add .* before \.yaml if you'd like to use the mergetool config # note: add .* before \.yaml if you'd like to use the mergetool config
creation_rules: creation_rules:
- path_regex: users/alice/secrets.*\.yaml$ - path_regex: users/alice/secrets.*\.yaml$
key_groups: key_groups:
- pgp: - pgp:
- *admin_alice - *admin_alice
age: age:
- *palatine-hill - *palatine-hill
- *artemision - *artemision
- *artemision-home - *artemision-home
- path_regex: systems/palatine-hill/secrets.*\.yaml$
key_groups: - path_regex: systems/palatine-hill/secrets.*\.yaml$
- pgp: key_groups:
- *admin_alice - pgp:
age: - *admin_alice
- *palatine-hill age:
- path_regex: systems/artemision/secrets.*\.yaml$ - *palatine-hill
key_groups:
- pgp: - path_regex: systems/artemision/secrets.*\.yaml$
- *admin_alice key_groups:
age: - pgp:
- *artemision - *admin_alice
- path_regex: systems/selinunte/secrets.*\.yaml$ age:
key_groups: - *artemision
- pgp: - path_regex: systems/palatine-hill/docker/wg/.*\.conf$
- *admin_alice key_groups:
age: - pgp:
- *artemision - *admin_alice
- *selinunte age:
- path_regex: systems/palatine-hill/docker/wg/.*\.conf$ - *palatine-hill
key_groups:
- pgp:
- *admin_alice
age:
- *palatine-hill
- path_regex: systems/palatine-hill/docker/openvpn/.*\.ovpn$
key_groups:
- pgp:
- *admin_alice
age:
- *palatine-hill

4
.vscode/settings.json vendored
View File

@ -1,7 +1,5 @@
{ {
"cSpell.enableFiletypes": [ "cSpell.enableFiletypes": ["nix"],
"nix"
],
"cSpell.words": [ "cSpell.words": [
"aarch", "aarch",
"abmlevel", "abmlevel",

4
README.md
View File

@ -14,7 +14,9 @@ to onboard a new user or system.
Although we are not actively looking for new members to join in on this repo, Although we are not actively looking for new members to join in on this repo,
we are not strictly opposed. Please reach out to we are not strictly opposed. Please reach out to
[@ahuston-0](https://nayeonie.com/ahuston-0) for further information. [@ahuston-0](https://github.com/ahuston-0) or
[@RichieCahill](https://github.com/RichieCahill)
for further information.
## Repo Structure ## Repo Structure

21
docs/CONTRIBUTING.md
View File

@ -40,12 +40,12 @@ and will eventually trip a check when merging to main.
| Branch Name | Use Case | | Branch Name | Use Case |
|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| main | protected branch which all machines pull from, do not try to push directly | | main | protected branch which all machines pull from, do not try to push directly |
| feature/\<item> | \<item> is a new feature added to the repo, for personal or common use | | feature/\<item\> | \<item\> is a new feature added to the repo, for personal or common use |
| fixup/\<item> | \<item> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical | | fixup/\<item\> | \<item\> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical |
| hotfix/\<item> | \<item> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process | | hotfix/\<item\> | \<item\> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process |
| urgent/\<item> | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues | | urgent/\<item\> | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues |
| exp/\<item> | \<item> is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches | | exp/\<item\> | \<item\> is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches |
| merge/\<item> | \<item> is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch | | merge/\<item\> | \<item\> is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch |
### Review Process ### Review Process
@ -94,11 +94,11 @@ rules.
PR has been tested on at least one machine PR has been tested on at least one machine
- Issues which bypass the quorum process must have a second reviewer tagged - Issues which bypass the quorum process must have a second reviewer tagged
- All critical issues which bypass the approval process must have an RCA issue - All critical issues which bypass the approval process must have an RCA issue
opened and the RCA logged into the `inc/` folder opened and the RCA logged into the `inc/` folder
- The second reviewer has 2 weeks to retroactively review and approve the PR - The second reviewer has 2 weeks to retroactively review and approve the PR
- If the retro does not happen in the given window, an issue shall be opened - If the retro does not happen in the given window, an issue shall be opened
to either re-review the PR or to revert and replace the fix with a to either re-review the PR or to revert and replace the fix with a
permanent solution permanent solution
- Critical issues must be tagged to `Nix Flake Features` project, and must have - Critical issues must be tagged to `Nix Flake Features` project, and must have
a priority of `High` and an estimate tagged. Start and end date are not needed a priority of `High` and an estimate tagged. Start and end date are not needed
@ -107,7 +107,8 @@ rules.
We allow secrets to be embedded in the repository using `sops-nix`. As part of We allow secrets to be embedded in the repository using `sops-nix`. As part of
the process everything is encrypted, however adding a new user is a change the process everything is encrypted, however adding a new user is a change
that every existing SOPS user needs to participate in. Please reach out to that every existing SOPS user needs to participate in. Please reach out to
[@ahuston-0](https://nayeonie.com/ahuston-0) or if you are interested [@ahuston-0](https://github.com/ahuston-0) or
[@RichieCahill](https://github.com/RichieCahill) if you are interested
in using secrets on your machines. in using secrets on your machines.
## CI/CD ## CI/CD

124
docs/sample-setup.sh
View File

@ -1,9 +1,9 @@
#!/usr/bin/env nix #!/usr/bin/env nix
#! nix shell nixpkgs#bash nixpkgs#git --command bash #! nix shell nixpkgs#bash nixpkgs#git --command bash
set -o errexit # abort on nonzero exitstatus set -o errexit # abort on nonzero exitstatus
set -o nounset # abort on unbound variable set -o nounset # abort on unbound variable
set -o pipefail # don't hide errors within pipes set -o pipefail # don't hide errors within pipes
PROCEED="N" PROCEED="N"
@ -50,58 +50,60 @@ GITBASE="systems"
FEATUREBRANCH="feature/adding-$MACHINENAME" FEATUREBRANCH="feature/adding-$MACHINENAME"
if [ $PROCEED != "Y" ]; then if [ $PROCEED != "Y" ]; then
echo "PROCEED is not set correctly, please validate the below partitions and update the script accordingly" echo "PROCEED is not set correctly, please validate the below partitions and update the script accordingly"
lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
fi fi
if [ $CREATEPARTS = "Y" ]; then if [ $CREATEPARTS = "Y" ]; then
# Create partition table # Create partition table
sudo parted "/dev/$DRIVE" -- mklabel gpt sudo parted "/dev/$DRIVE" -- mklabel gpt
# Create boot part # Create boot part
sudo parted "/dev/$DRIVE" -- mkpart ESP fat32 1MB 1024MB sudo parted "/dev/$DRIVE" -- mkpart ESP fat32 1MB 1024MB
sudo parted "/dev/$DRIVE" -- set 1 esp on sudo parted "/dev/$DRIVE" -- set 1 esp on
sudo mkfs.fat -F 32 -n NIXBOOT "/dev/${DRIVE}1" sudo mkfs.fat -F 32 -n NIXBOOT "/dev/${DRIVE}1"
# Create luks part # Create luks part
sudo parted "/dev/$DRIVE" -- mkpart primary ext4 1024MB 100% sudo parted "/dev/$DRIVE" -- mkpart primary ext4 1024MB 100%
sudo parted "/dev/$DRIVE" -- set 2 lvm on sudo parted "/dev/$DRIVE" -- set 2 lvm on
LUKSPART="nixos-pv"
sudo cryptsetup luksFormat "/dev/${DRIVE}p2"
sudo cryptsetup luksOpen "/dev/${DRIVE}p2" "$LUKSPART"
LUKSPART="nixos-pv" # Create lvm part
sudo cryptsetup luksFormat "/dev/${DRIVE}p2" sudo pvcreate "/dev/mapper/$LUKSPART"
sudo cryptsetup luksOpen "/dev/${DRIVE}p2" "$LUKSPART" sudo pvresize "/dev/mapper/$LUKSPART"
sudo pvdisplay
# Create lvm part # Create volume group
sudo pvcreate "/dev/mapper/$LUKSPART" sudo vgcreate "$VOLGROUP" "/dev/mapper/$LUKSPART"
sudo pvresize "/dev/mapper/$LUKSPART" sudo vgchange -a y "$VOLGROUP"
sudo pvdisplay sudo vgdisplay
# Create volume group # Create swap part on LVM
sudo vgcreate "$VOLGROUP" "/dev/mapper/$LUKSPART" if [ $SWAPSIZE != 0 ]; then
sudo vgchange -a y "$VOLGROUP" sudo lvcreate -L "$SWAPSIZE" "$VOLGROUP" -n swap
sudo vgdisplay sudo mkswap -L NIXSWAP -c "$SWAPPATH"
fi
# Create swap part on LVM # Create home part on LVM, leaving plenty of room for snapshots
if [ $SWAPSIZE != 0 ]; then sudo lvcreate -l 50%FREE "$VOLGROUP" -n home
sudo lvcreate -L "$SWAPSIZE" "$VOLGROUP" -n swap sudo mkfs.ext4 -L NIXHOME -c "$HOMEPATH"
sudo mkswap -L NIXSWAP -c "$SWAPPATH"
fi
# Create home part on LVM, leaving plenty of room for snapshots # Create root part on LVM, keeping in mind most data will be on /home or /nix
sudo lvcreate -l 50%FREE "$VOLGROUP" -n home sudo lvcreate -L 5G "$VOLGROUP" -n root
sudo mkfs.ext4 -L NIXHOME -c "$HOMEPATH" sudo mkfs.ext4 -L NIXROOT -c "$ROOTPATH"
# Create root part on LVM, keeping in mind most data will be on /home or /nix # Create nix part on LVM
sudo lvcreate -L 5G "$VOLGROUP" -n root sudo lvcreate -L 100G "$VOLGROUP" -n nix-store
sudo mkfs.ext4 -L NIXROOT -c "$ROOTPATH" sudo mkfs.ext4 -L NIXSTORE -c "$NIXSTOREPATH"
# Create nix part on LVM sudo lvdisplay
sudo lvcreate -L 100G "$VOLGROUP" -n nix-store
sudo mkfs.ext4 -L NIXSTORE -c "$NIXSTOREPATH"
sudo lvdisplay lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
fi fi
# Mount partitions # Mount partitions
@ -114,14 +116,14 @@ sudo mount $BOOTPART /mnt/boot
# Enable swap if SWAPSIZE is non-zero # Enable swap if SWAPSIZE is non-zero
if [ $SWAPSIZE != 0 ]; then if [ $SWAPSIZE != 0 ]; then
sudo swapon "/dev/$VOLGROUP/swap" sudo swapon "/dev/$VOLGROUP/swap"
fi fi
# Clone the repo # Clone the repo
DOTS="/mnt/root/dotfiles" DOTS="/mnt/root/dotfiles"
GC="git -C $DOTS" GC="git -C $DOTS"
sudo mkdir -p "$DOTS" || echo "directory $DOTS already exists" sudo mkdir -p "$DOTS" || echo "directory $DOTS already exists"
sudo $GC clone https://nayeonie.com/ahuston-0/nix-dotfiles.git . sudo $GC clone https://github.com/RAD-Development/nix-dotfiles.git .
sudo $GC checkout "$FEATUREBRANCH" sudo $GC checkout "$FEATUREBRANCH"
# Create ssh keys # Create ssh keys
@ -133,31 +135,31 @@ read -r -p "get this into github so you can check everything in, then hit enter
cat "$DOTS/id_ed25519_ghdeploy.pub" cat "$DOTS/id_ed25519_ghdeploy.pub"
if [ $SOPS == "Y" ]; then if [ $SOPS == "Y" ]; then
# Create ssh host-keys # Create ssh host-keys
sudo ssh-keygen -A sudo ssh-keygen -A
sudo mkdir -p /mnt/etc/ssh sudo mkdir -p /mnt/etc/ssh
sudo cp "/etc/ssh/ssh_host_*" /mnt/etc/ssh sudo cp "/etc/ssh/ssh_host_*" /mnt/etc/ssh
# Get line where AGE comment is and insert new AGE key two lines down # Get line where AGE comment is and insert new AGE key two lines down
AGELINE=$(grep "Generate AGE keys from SSH keys with" "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+2)}') AGELINE=$(grep "Generate AGE keys from SSH keys with" "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+2)}')
AGEKEY=$(nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age') AGEKEY=$(nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age')
sudo sed -i "${AGELINE}i\\ - &${MACHINENAME} $AGEKEY\\" "$DOTS/.sops.yaml" sudo sed -i "${AGELINE}i\\ - &${MACHINENAME} $AGEKEY\\" "$DOTS/.sops.yaml"
# Add server name # Add server name
SERVERLINE=$(grep 'servers: &servers' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}') SERVERLINE=$(grep 'servers: &servers' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
sudo sed -i "${SERVERLINE}i\\ - *${MACHINENAME}\\" "$DOTS/.sops.yaml" sudo sed -i "${SERVERLINE}i\\ - *${MACHINENAME}\\" "$DOTS/.sops.yaml"
# Add creation rules # Add creation rules
CREATIONLINE=$(grep 'creation_rules' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}') CREATIONLINE=$(grep 'creation_rules' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
# TODO: below was not working when last attempted # TODO: below was not working when last attempted
read -r -d '' PATHRULE <<-EOF read -r -d '' PATHRULE <<-EOF
- path_regex: $GITBASE/$MACHINENAME/secrets\.yaml$ - path_regex: $GITBASE/$MACHINENAME/secrets\.yaml$
key_groups: key_groups:
- pgp: *$OWNERORADMINS - pgp: *$OWNERORADMINS
age: age:
- *$MACHINENAME - *$MACHINENAME
EOF EOF
sudo sed -i "${CREATIONLINE}i\\${PATHRULE}\\" "$DOTS/.sops.yaml" sudo sed -i "${CREATIONLINE}i\\${PATHRULE}\\" "$DOTS/.sops.yaml"
fi fi
read -r -p "press enter to continue" read -r -p "press enter to continue"
@ -179,4 +181,4 @@ Host github.com
IdentityFile /root/.ssh/id_ed25519_ghdeploy IdentityFile /root/.ssh/id_ed25519_ghdeploy
EOF EOF
printf "%s" "$SSHCONFIG" | sudo tee /root/.ssh/config printf "%s" "$SSHCONFIG" | sudo tee /root/.ssh/config
sudo "$GC" remote set-url origin 'ssh://gitea@nayeonie.com:2222/ahuston-0/nix-dotfiles.git' sudo "$GC" remote set-url origin 'git@github.com:RAD-Development/nix-dotfiles.git'

277
flake.lock generated
View File

@ -5,11 +5,11 @@
"fromYaml": "fromYaml" "fromYaml": "fromYaml"
}, },
"locked": { "locked": {
"lastModified": 1746562888, "lastModified": 1732200724,
"narHash": "sha256-YgNJQyB5dQiwavdDFBMNKk1wyS77AtdgDk/VtU6wEaI=", "narHash": "sha256-+R1BH5wHhfnycySb7Sy5KbYEaTJZWm1h+LW1OtyhiTs=",
"owner": "SenchoPens", "owner": "SenchoPens",
"repo": "base16.nix", "repo": "base16.nix",
"rev": "806a1777a5db2a1ef9d5d6f493ef2381047f2b89", "rev": "153d52373b0fb2d343592871009a286ec8837aec",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -69,17 +69,20 @@
}, },
"firefox-addons": { "firefox-addons": {
"inputs": { "inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"dir": "pkgs/firefox-addons", "dir": "pkgs/firefox-addons",
"lastModified": 1748730131, "lastModified": 1740974607,
"narHash": "sha256-QHKZlwzw80hoJkNGXQePIg4u109lqcodALkont2WJAc=", "narHash": "sha256-YbAnhXYYOjG8OHX7v4BGj/tDQiFgkwe4JsqCjbFYjB0=",
"owner": "rycee", "owner": "rycee",
"repo": "nur-expressions", "repo": "nur-expressions",
"rev": "aa7bfc2ec4763b57386fcd50242c390a596b9bb0", "rev": "093c063a23aa38f31082a554f03899127750aee3",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
@ -92,11 +95,11 @@
"firefox-gnome-theme": { "firefox-gnome-theme": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1744642301, "lastModified": 1739223196,
"narHash": "sha256-5A6LL7T0lttn1vrKsNOKUk9V0ittdW0VEqh6AtefxJ4=", "narHash": "sha256-vAxN2f3rvl5q62gQQjZGVSvF93nAsOxntuFz+e/655w=",
"owner": "rafaelmardojai", "owner": "rafaelmardojai",
"repo": "firefox-gnome-theme", "repo": "firefox-gnome-theme",
"rev": "59e3de00f01e5adb851d824cf7911bd90c31083a", "rev": "a89108e6272426f4eddd93ba17d0ea101c34fb21",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -124,11 +127,11 @@
"nixpkgs-lib": "nixpkgs-lib" "nixpkgs-lib": "nixpkgs-lib"
}, },
"locked": { "locked": {
"lastModified": 1743550720, "lastModified": 1740872218,
"narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", "narHash": "sha256-ZaMw0pdoUKigLpv9HiNDH2Pjnosg7NBYMJlHTIsHEUo=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "c621e8422220273271f52058f618c94e405bb0f5", "rev": "3876f6b87db82f33775b1ef5ea343986105db764",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -141,6 +144,7 @@
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
"stylix", "stylix",
"nur",
"nixpkgs" "nixpkgs"
] ]
}, },
@ -178,6 +182,27 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils_2": {
"inputs": {
"systems": [
"stylix",
"systems"
]
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"fromYaml": { "fromYaml": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -207,11 +232,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1742649964, "lastModified": 1737465171,
"narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=", "narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=",
"owner": "cachix", "owner": "cachix",
"repo": "git-hooks.nix", "repo": "git-hooks.nix",
"rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82", "rev": "9364dc02281ce2d37a1f55b6e51f7c0f65a75f17",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -266,16 +291,16 @@
"gnome-shell": { "gnome-shell": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1744584021, "lastModified": 1732369855,
"narHash": "sha256-0RJ4mJzf+klKF4Fuoc8VN8dpQQtZnKksFmR2jhWE1Ew=", "narHash": "sha256-JhUWbcYPjHO3Xs3x9/Z9RuqXbcp5yhPluGjwsdE2GMg=",
"owner": "GNOME", "owner": "GNOME",
"repo": "gnome-shell", "repo": "gnome-shell",
"rev": "52c517c8f6c199a1d6f5118fae500ef69ea845ae", "rev": "dadd58f630eeea41d645ee225a63f719390829dc",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "GNOME", "owner": "GNOME",
"ref": "48.1", "ref": "47.2",
"repo": "gnome-shell", "repo": "gnome-shell",
"type": "github" "type": "github"
} }
@ -287,11 +312,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1748737919, "lastModified": 1740845322,
"narHash": "sha256-5kvBbLYdp+n7Ftanjcs6Nv+UO6sBhelp6MIGJ9nWmjQ=", "narHash": "sha256-AXEgFj3C0YJhu9k1OhbRhiA6FnDr81dQZ65U3DhaWpw=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "5675a9686851d9626560052a032c4e14e533c1fa", "rev": "fcac3d6d88302a5e64f6cb8014ac785e08874c8d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -300,29 +325,6 @@
"type": "github" "type": "github"
} }
}, },
"hydra": {
"inputs": {
"nix": "nix",
"nix-eval-jobs": "nix-eval-jobs",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1748756240,
"narHash": "sha256-hiplweg3818WiWqnTCEXW0xKhzLUmJaAK2SPJXSkOEU=",
"ref": "add-gitea-pulls",
"rev": "ae8c1554cb8aec9772cb25ec5c7a3b7a1cf11f34",
"revCount": 4379,
"type": "git",
"url": "https://nayeonie.com/ahuston-0/hydra"
},
"original": {
"ref": "add-gitea-pulls",
"type": "git",
"url": "https://nayeonie.com/ahuston-0/hydra"
}
},
"hyprland-contrib": { "hyprland-contrib": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -330,11 +332,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1747572947, "lastModified": 1740923452,
"narHash": "sha256-PMQoXbfmWPuXnF8EaWqRmvTvl7+WFUrDVgufFRPgOM4=", "narHash": "sha256-iQNkVG0368H3kiwSYSs1N6sU7GhHSmx0b9y+Z+eO1+c=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "contrib", "repo": "contrib",
"rev": "910dad4c5755c1735d30da10c96d9086aa2a608d", "rev": "6f0d5e16c534aeda47d99b4d20bb2a22bfc60c23",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -343,39 +345,6 @@
"type": "github" "type": "github"
} }
}, },
"nix": {
"flake": false,
"locked": {
"lastModified": 1748154947,
"narHash": "sha256-rCpANMHFIlafta6J/G0ILRd+WNSnzv/lzi40Y8f1AR8=",
"owner": "NixOS",
"repo": "nix",
"rev": "d761dad79c79af17aa476a29749bd9d69747548f",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "2.29-maintenance",
"repo": "nix",
"type": "github"
}
},
"nix-eval-jobs": {
"flake": false,
"locked": {
"lastModified": 1748211873,
"narHash": "sha256-AJ22q6yWc1hPkqssXMxQqD6QUeJ6hbx52xWHhKsmuP0=",
"owner": "nix-community",
"repo": "nix-eval-jobs",
"rev": "d9262e535e35454daebcebd434bdb9c1486bb998",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-eval-jobs",
"type": "github"
}
},
"nix-index-database": { "nix-index-database": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -383,11 +352,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1748751003, "lastModified": 1740886574,
"narHash": "sha256-i4GZdKAK97S0ZMU3w4fqgEJr0cVywzqjugt2qZPrScs=", "narHash": "sha256-jN6kJ41B6jUVDTebIWeebTvrKP6YiLd1/wMej4uq4Sk=",
"owner": "Mic92", "owner": "Mic92",
"repo": "nix-index-database", "repo": "nix-index-database",
"rev": "2860bee699248d828c2ed9097a1cd82c2f991b43", "rev": "26a0f969549cf4d56f6e9046b9e0418b3f3b94a5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -411,35 +380,6 @@
"type": "github" "type": "github"
} }
}, },
"nixos-cosmic": {
"inputs": {
"flake-compat": [
"flake-compat"
],
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": [
"nixpkgs-stable"
],
"rust-overlay": [
"rust-overlay"
]
},
"locked": {
"lastModified": 1748776124,
"narHash": "sha256-vs2cMCHX9wnWJutXhQyWkWOpMF/Xbw0ZAUAFGsKLifA=",
"owner": "lilyinstarlight",
"repo": "nixos-cosmic",
"rev": "e989a41092f6f0375e7afb789bc97cb30d01fdb8",
"type": "github"
},
"original": {
"owner": "lilyinstarlight",
"repo": "nixos-cosmic",
"type": "github"
}
},
"nixos-generators": { "nixos-generators": {
"inputs": { "inputs": {
"nixlib": "nixlib", "nixlib": "nixlib",
@ -448,11 +388,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1747663185, "lastModified": 1740947705,
"narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=", "narHash": "sha256-Co2kAD2SZalOm+5zoxmzEVZNvZ17TyafuFsD46BwSdY=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixos-generators", "repo": "nixos-generators",
"rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc", "rev": "507911df8c35939050ae324caccc7cf4ffb76565",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -463,11 +403,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1748634340, "lastModified": 1740646007,
"narHash": "sha256-pZH4bqbOd8S+si6UcfjHovWDiWKiIGRNRMpmRWaDIms=", "narHash": "sha256-dMReDQobS3kqoiUCQIYI9c0imPXRZnBubX20yX/G5LE=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "daa628a725ab4948e0e2b795e8fb6f4c3e289a7a", "rev": "009b764ac98a3602d41fc68072eeec5d24fc0e49",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -486,11 +426,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1748287559, "lastModified": 1741017582,
"narHash": "sha256-dvUE9HGwzEXyv6G7LuZFQCmRYFuXLJBO4+crCTxe5zs=", "narHash": "sha256-2tscHztx6UxqeQTK0U1kLM74+6mSzROMNYJpKRDLMPM=",
"owner": "SuperSandro2000", "owner": "SuperSandro2000",
"repo": "nixos-modules", "repo": "nixos-modules",
"rev": "9ae063877f8c5d42c39b739ae1d00f9657ad17f4", "rev": "c7c9219eb6ff26c203d22ba733e9e988499290f0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -501,11 +441,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1748762463, "lastModified": 1740981371,
"narHash": "sha256-rb8vudY2u0SgdWh83SAhM5QZT91ZOnvjOLGTO4pdGTc=", "narHash": "sha256-Up7YlXIupmT7fEtC4Oj676M91INg0HAoamiswAsA3rc=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "0d0bc640d371e9e8c9914c42951b3d6522bc5dda", "rev": "1d2fe0135f360c970aee1d57a53f816f3c9bddae",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -517,41 +457,35 @@
}, },
"nixpkgs-lib": { "nixpkgs-lib": {
"locked": { "locked": {
"lastModified": 1743296961, "lastModified": 1740872140,
"narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=", "narHash": "sha256-3wHafybyRfpUCLoE8M+uPVZinImg3xX+Nm6gEfN3G8I=",
"owner": "nix-community", "type": "tarball",
"repo": "nixpkgs.lib", "url": "https://github.com/NixOS/nixpkgs/archive/6d3702243441165a03f699f64416f635220f4f15.tar.gz"
"rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa",
"type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "type": "tarball",
"repo": "nixpkgs.lib", "url": "https://github.com/NixOS/nixpkgs/archive/6d3702243441165a03f699f64416f635220f4f15.tar.gz"
"type": "github"
} }
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1748421225, "lastModified": 1735563628,
"narHash": "sha256-XXILOc80tvlvEQgYpYFnze8MkQQmp3eQxFbTzb3m/R0=", "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "78add7b7abb61689e34fc23070a8f55e1d26185b", "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "nixos",
"ref": "nixos-24.11", "ref": "nixos-24.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nur": { "nur": {
"inputs": { "inputs": {
"flake-parts": [ "flake-parts": "flake-parts_2",
"stylix",
"flake-parts"
],
"nixpkgs": [ "nixpkgs": [
"stylix", "stylix",
"nixpkgs" "nixpkgs"
@ -559,11 +493,11 @@
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix"
}, },
"locked": { "locked": {
"lastModified": 1746056780, "lastModified": 1740408283,
"narHash": "sha256-/emueQGaoT4vu0QjU9LDOG5roxRSfdY0K2KkxuzazcM=", "narHash": "sha256-2xECnhgF3MU9YjmvOkrRp8wRFo2OjjewgCtlfckhL5s=",
"owner": "nix-community", "owner": "nix-community",
"repo": "NUR", "repo": "NUR",
"rev": "d476cd0972dd6242d76374fcc277e6735715c167", "rev": "496a4a11162bdffb9a7b258942de138873f019f7",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -583,11 +517,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1747372754, "lastModified": 1740915799,
"narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=", "narHash": "sha256-JvQvtaphZNmeeV+IpHgNdiNePsIpHD5U/7QN5AeY44A=",
"owner": "cachix", "owner": "cachix",
"repo": "git-hooks.nix", "repo": "git-hooks.nix",
"rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46", "rev": "42b1ba089d2034d910566bf6b40830af6b8ec732",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -603,10 +537,8 @@
"flake-parts": "flake-parts", "flake-parts": "flake-parts",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"home-manager": "home-manager", "home-manager": "home-manager",
"hydra": "hydra",
"hyprland-contrib": "hyprland-contrib", "hyprland-contrib": "hyprland-contrib",
"nix-index-database": "nix-index-database", "nix-index-database": "nix-index-database",
"nixos-cosmic": "nixos-cosmic",
"nixos-generators": "nixos-generators", "nixos-generators": "nixos-generators",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixos-modules": "nixos-modules", "nixos-modules": "nixos-modules",
@ -627,11 +559,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1748746145, "lastModified": 1740969088,
"narHash": "sha256-bwkCAK9pOyI2Ww4Q4oO1Ynv7O9aZPrsIAMMASmhVGp4=", "narHash": "sha256-BajboqzFnDhxVT0SXTDKVJCKtFP96lZXccBlT/43mao=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "12a0d94a2f2b06714f747ab97b2fa546f46b460c", "rev": "20fdb02098fdda9a25a2939b975abdd7bc03f62d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -647,11 +579,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1747603214, "lastModified": 1739262228,
"narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=", "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd", "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -670,7 +602,7 @@
"flake-compat": [ "flake-compat": [
"flake-compat" "flake-compat"
], ],
"flake-parts": "flake-parts_2", "flake-utils": "flake-utils_2",
"git-hooks": "git-hooks", "git-hooks": "git-hooks",
"gnome-shell": "gnome-shell", "gnome-shell": "gnome-shell",
"home-manager": [ "home-manager": [
@ -688,11 +620,11 @@
"tinted-zed": "tinted-zed" "tinted-zed": "tinted-zed"
}, },
"locked": { "locked": {
"lastModified": 1748717073, "lastModified": 1740959323,
"narHash": "sha256-Yxo8A7BgNpRXTrB359LyfQ0NjJuiaLIS6sTTUCulEX0=", "narHash": "sha256-UtSKsLCWwA4wPFm7mgl33qeu8sj0on9Hyt3YhDWWkAM=",
"owner": "danth", "owner": "danth",
"repo": "stylix", "repo": "stylix",
"rev": "64b9f2c2df31bb87bdd2360a2feb58c817b4d16c", "rev": "489833b201a84488c6b4371a261fdbcafa6abcb6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -751,27 +683,28 @@
"tinted-kitty": { "tinted-kitty": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1735730497, "lastModified": 1716423189,
"narHash": "sha256-4KtB+FiUzIeK/4aHCKce3V9HwRvYaxX+F1edUrfgzb8=", "narHash": "sha256-2xF3sH7UIwegn+2gKzMpFi3pk5DlIlM18+vj17Uf82U=",
"owner": "tinted-theming", "owner": "tinted-theming",
"repo": "tinted-kitty", "repo": "tinted-kitty",
"rev": "de6f888497f2c6b2279361bfc790f164bfd0f3fa", "rev": "eb39e141db14baef052893285df9f266df041ff8",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "tinted-theming", "owner": "tinted-theming",
"repo": "tinted-kitty", "repo": "tinted-kitty",
"rev": "eb39e141db14baef052893285df9f266df041ff8",
"type": "github" "type": "github"
} }
}, },
"tinted-schemes": { "tinted-schemes": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1744974599, "lastModified": 1740351358,
"narHash": "sha256-Fg+rdGs5FAgfkYNCs74lnl8vkQmiZVdBsziyPhVqrlY=", "narHash": "sha256-Hdk850xgAd3DL8KX0AbyU7tC834d3Lej1jOo3duWiOA=",
"owner": "tinted-theming", "owner": "tinted-theming",
"repo": "schemes", "repo": "schemes",
"rev": "28c26a621123ad4ebd5bbfb34ab39421c0144bdd", "rev": "a1bc2bd89e693e7e3f5764cfe8114e2ae150e184",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -783,11 +716,11 @@
"tinted-tmux": { "tinted-tmux": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1745111349, "lastModified": 1740272597,
"narHash": "sha256-udV+nHdpqgkJI9D0mtvvAzbqubt9jdifS/KhTTbJ45w=", "narHash": "sha256-/etfUV3HzAaLW3RSJVwUaW8ULbMn3v6wbTlXSKbcoWQ=",
"owner": "tinted-theming", "owner": "tinted-theming",
"repo": "tinted-tmux", "repo": "tinted-tmux",
"rev": "e009f18a01182b63559fb28f1c786eb027c3dee9", "rev": "b6c7f46c8718cc484f2db8b485b06e2a98304cd0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -847,11 +780,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1743305055, "lastModified": 1730615238,
"narHash": "sha256-NIsi8Dno9YsOLUUTrLU4p+hxYeJr3Vkg1gIpQKVTaDs=", "narHash": "sha256-u/ZGtyEUvAkFOBgLo2YldOx0GKjE3/esWpWruRD376E=",
"owner": "Toqozz", "owner": "Toqozz",
"repo": "wired-notify", "repo": "wired-notify",
"rev": "75d43f54a02b15f2a15f5c1a0e1c7d15100067a6", "rev": "1632418aa15889343028261663e81d8b5595860e",
"type": "github" "type": "github"
}, },
"original": { "original": {

46
flake.nix
View File

@ -6,41 +6,44 @@
"https://cache.nixos.org/?priority=1&want-mass-query=true" "https://cache.nixos.org/?priority=1&want-mass-query=true"
"https://nix-community.cachix.org/?priority=10&want-mass-query=true" "https://nix-community.cachix.org/?priority=10&want-mass-query=true"
"https://attic.nayeonie.com/nix-cache" "https://attic.nayeonie.com/nix-cache"
"https://cosmic.cachix.org/"
]; ];
trusted-substituters = [ trusted-substituters = [
"https://cache.nixos.org" "https://cache.nixos.org"
"https://nix-community.cachix.org" "https://nix-community.cachix.org"
"https://attic.nayeonie.com/nix-cache" "https://attic.nayeonie.com/nix-cache"
"https://cosmic.cachix.org/"
]; ];
trusted-public-keys = [ trusted-public-keys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"nix-cache:grGRsHhqNDhkEuTODvHJXYmoCClntC+U8XAJQzwMaZM=" "nix-cache:trR+y5nwpQHR4hystoogubFmp97cewkjWeqqbygRQRs="
"cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE="
]; ];
trusted-users = [ "root" ]; trusted-users = [ "root" ];
allow-import-from-derivation = true;
fallback = true;
}; };
inputs = { inputs = {
# flake inputs with no explicit deps (in alphabetic order)
flake-compat.url = "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"; flake-compat.url = "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz";
flake-parts.url = "github:hercules-ci/flake-parts"; flake-parts.url = "github:hercules-ci/flake-parts";
nixos-hardware.url = "github:NixOS/nixos-hardware"; nixos-hardware.url = "github:NixOS/nixos-hardware";
#nixpkgs.url = "github:nuschtos/nuschtpkgs/nixos-unstable"; #nixpkgs.url = "github:nuschtos/nuschtpkgs/nixos-unstable";
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small"; nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small";
#nixpkgs.url = "github:nixos/nixpkgs/1d2fe0135f360c970aee1d57a53f816f3c9bddae?narHash=sha256-Up7YlXIupmT7fEtC4Oj676M91INg0HAoamiswAsA3rc%3D"; nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.05";
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11";
systems.url = "github:nix-systems/default"; systems.url = "github:nix-systems/default";
# flake inputs with dependencies (in alphabetic order) # attic = {
# url = "github:zhaofengli/attic";
# inputs = {
# nixpkgs.follows = "nixpkgs";
# nixpkgs-stable.follows = "nixpkgs-stable";
# flake-compat.follows = "flake-compat";
# flake-parts.follows = "flake-parts";
# };
# };
firefox-addons = { firefox-addons = {
url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons"; url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
inputs = { inputs = {
nixpkgs.follows = "nixpkgs"; nixpkgs.follows = "nixpkgs";
flake-utils.follows = "flake-utils";
}; };
}; };
@ -54,13 +57,6 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
hydra = {
url = "git+https://nayeonie.com/ahuston-0/hydra?ref=add-gitea-pulls";
inputs = {
nixpkgs.follows = "nixpkgs";
};
};
hyprland-contrib = { hyprland-contrib = {
url = "github:hyprwm/contrib"; url = "github:hyprwm/contrib";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@ -71,16 +67,6 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
nixos-cosmic = {
url = "github:lilyinstarlight/nixos-cosmic";
inputs = {
flake-compat.follows = "flake-compat";
nixpkgs.follows = "nixpkgs";
nixpkgs-stable.follows = "nixpkgs-stable";
rust-overlay.follows = "rust-overlay";
};
};
nixos-generators = { nixos-generators = {
url = "github:nix-community/nixos-generators"; url = "github:nix-community/nixos-generators";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@ -141,7 +127,7 @@
systems = [ systems = [
"x86_64-linux" "x86_64-linux"
# disable arm for now as hydra isn't set up for it # disable arm for now as hydra isn't set up for it
# "aarch64-linuxa # "aarch64-linux"
]; ];
forEachSystem = lib.genAttrs systems; forEachSystem = lib.genAttrs systems;
@ -157,13 +143,13 @@
lib = self; lib = self;
} }
); );
inherit (lib.adev.systems) genSystems getImages; inherit (lib.rad-dev.systems) genSystems getImages;
inherit (self) outputs; # for hydra inherit (self) outputs; # for hydra
in in
rec { rec {
inherit lib; # for allowing use of custom functions in nix repl inherit lib; # for allowing use of custom functions in nix repl
hydraJobs = import ./hydra/jobs.nix { inherit inputs outputs systems; }; #hydraJobs = import ./hydra/jobs.nix { inherit inputs outputs systems; };
formatter = forEachSystem (system: nixpkgs.legacyPackages.${system}.nixfmt-rfc-style); formatter = forEachSystem (system: nixpkgs.legacyPackages.${system}.nixfmt-rfc-style);
nixosConfigurations = genSystems inputs outputs src (src + "/systems"); nixosConfigurations = genSystems inputs outputs src (src + "/systems");

13
hydra/jobsets.nix
View File

@ -19,6 +19,7 @@ let
prs = readJSONFile pulls; prs = readJSONFile pulls;
refs = readJSONFile branches; refs = readJSONFile branches;
repo = "RAD-Development/nix-dotfiles";
# template for creating a job # template for creating a job
makeJob = makeJob =
@ -27,7 +28,6 @@ let
keepnr ? 3, keepnr ? 3,
description, description,
flake, flake,
enabled ? 1,
}: }:
{ {
inherit inherit
@ -35,8 +35,8 @@ let
flake flake
schedulingshares schedulingshares
keepnr keepnr
enabled
; ;
enabled = 1;
type = 1; type = 1;
hidden = false; hidden = false;
checkinterval = 300; # every 5 minutes checkinterval = 300; # every 5 minutes
@ -44,9 +44,7 @@ let
emailoverride = ""; emailoverride = "";
}; };
giteaHost = "ssh://gitea@nayeonie.com:2222"; # Create a hydra job for a branch
repo = "ahuston-0/nix-dotfiles";
# # Create a hydra job for a branch
jobOfRef = jobOfRef =
name: name:
{ ref, ... }: { ref, ... }:
@ -57,7 +55,7 @@ let
name = builtins.replaceStrings [ "/" ] [ "-" ] "branch-${name}"; name = builtins.replaceStrings [ "/" ] [ "-" ] "branch-${name}";
value = makeJob { value = makeJob {
description = "Branch ${name}"; description = "Branch ${name}";
flake = "git+${giteaHost}/${repo}?ref=${ref}"; flake = "git+ssh://git@github.com/${repo}?ref=${ref}";
}; };
}; };
@ -66,8 +64,7 @@ let
name = if info.draft then "draft-${id}" else "pr-${id}"; name = if info.draft then "draft-${id}" else "pr-${id}";
value = makeJob { value = makeJob {
description = "PR ${id}: ${info.title}"; description = "PR ${id}: ${info.title}";
flake = "git+${giteaHost}/${repo}?ref=${info.head.ref}"; flake = "git+ssh://git@github.com/${info.head.repo.full_name}?ref=${info.head.ref}";
enabled = info.state == "open";
}; };
}; };

12
hydra/spec.json
View File

@ -1,7 +1,7 @@
{ {
"enabled": 1, "enabled": 1,
"hidden": false, "hidden": false,
"description": "ahuston-0's personal server infra", "description": "RAD Development infrastructure",
"nixexprinput": "nixexpr", "nixexprinput": "nixexpr",
"nixexprpath": "hydra/jobsets.nix", "nixexprpath": "hydra/jobsets.nix",
"checkinterval": 60, "checkinterval": 60,
@ -12,7 +12,7 @@
"type": 0, "type": 0,
"inputs": { "inputs": {
"nixexpr": { "nixexpr": {
"value": "ssh://gitea@nayeonie.com:2222/ahuston-0/nix-dotfiles.git main", "value": "https://github.com/RAD-Development/nix-dotfiles main",
"type": "git", "type": "git",
"emailresponsible": false "emailresponsible": false
}, },
@ -22,13 +22,13 @@
"emailresponsible": false "emailresponsible": false
}, },
"pulls": { "pulls": {
"type": "giteapulls", "type": "githubpulls",
"value": "nayeonie.com ahuston-0 nix-dotfiles https", "value": "RAD-Development nix-dotfiles",
"emailresponsible": false "emailresponsible": false
}, },
"branches": { "branches": {
"type": "gitea_refs", "type": "github_refs",
"value": "nayeonie.com ahuston-0 nix-dotfiles heads https -", "value": "RAD-Development nix-dotfiles heads -",
"emailresponsible": false "emailresponsible": false
} }
} }

4
lib/default.nix
View File

@ -1,7 +1,7 @@
{ lib, ... }: { lib, ... }:
{ {
# create adev namespace for lib # create rad-dev namespace for lib
adev = rec { rad-dev = rec {
systems = import ./systems.nix { inherit lib; }; systems = import ./systems.nix { inherit lib; };
container-utils = import ./container-utils.nix { inherit lib; }; container-utils = import ./container-utils.nix { inherit lib; };

4
lib/systems.nix
View File

@ -176,7 +176,7 @@ rec {
(configPath + "/configuration.nix") (configPath + "/configuration.nix")
] ]
++ modules ++ modules
++ (lib.adev.fileList (src + "/modules")) ++ (lib.rad-dev.fileList (src + "/modules"))
++ genWrapper sops genSops args ++ genWrapper sops genSops args
++ genWrapper home genHome args ++ genWrapper home genHome args
++ genWrapper true genUsers args ++ genWrapper true genUsers args
@ -222,7 +222,7 @@ rec {
// import configPath { inherit inputs; } // import configPath { inherit inputs; }
); );
} }
) (lib.adev.lsdir path) ) (lib.rad-dev.lsdir path)
); );
# gets all the images of a specified format # gets all the images of a specified format

2
modules/autopull.nix
View File

@ -61,7 +61,7 @@ in
lib.mkIf cfg.enable { lib.mkIf cfg.enable {
environment.systemPackages = environment.systemPackages =
[ pkgs.git ] [ pkgs.git ]
++ lib.optionals (lib.any (ssh-key: ssh-key != "") (lib.adev.mapGetAttr "ssh-key" repos)) [ ++ lib.optionals (lib.any (ssh-key: ssh-key != "") (lib.rad-dev.mapGetAttr "ssh-key" repos)) [
pkgs.openssh pkgs.openssh
]; ];

4
modules/kub_net.nix
View File

@ -1,10 +1,10 @@
{ lib, config, ... }: { lib, config, ... }:
let let
cfg = config.services.adev.k3s-net; cfg = config.services.rad-dev.k3s-net;
in in
{ {
options = { options = {
services.adev.k3s-net = { services.rad-dev.k3s-net = {
enable = lib.mkOption { enable = lib.mkOption {
default = false; default = false;
example = true; example = true;

5
modules/locale.nix
View File

@ -4,9 +4,8 @@
console.keyMap = lib.mkDefault "us"; console.keyMap = lib.mkDefault "us";
i18n = { i18n = {
defaultLocale = lib.mkDefault "en_US.UTF-8"; defaultLocale = lib.mkDefault "en_US.utf8";
defaultCharset = "UTF-8"; supportedLocales = lib.mkDefault [ "en_US.UTF-8/UTF-8" ];
#extraLocales = lib.mkDefault [ "en_US.UTF-8/UTF-8" ];
extraLocaleSettings = lib.mkDefault { extraLocaleSettings = lib.mkDefault {
LC_ADDRESS = "en_US.UTF-8"; LC_ADDRESS = "en_US.UTF-8";
LC_IDENTIFICATION = "en_US.UTF-8"; LC_IDENTIFICATION = "en_US.UTF-8";

19
modules/update.nix
View File

@ -10,25 +10,10 @@
}; };
system.autoUpgrade = { system.autoUpgrade = {
enable = lib.mkDefault true; enable = lib.mkDefault false;
flags = [ "--accept-flake-config" ]; flags = [ "--accept-flake-config" ];
randomizedDelaySec = "1h"; randomizedDelaySec = "1h";
persistent = true; persistent = true;
flake = "git+ssh://nayeonie.com/ahuston-0/nix-dotfiles.git"; flake = "github:RAD-Development/nix-dotfiles";
};
services.nix-verify = {
daily = {
enable = true;
verify-contents = false;
verify-trust = false;
};
weekly = {
enable = true;
verify-contents = true;
verify-trust = false;
frequency = "1week";
randomized-delay-sec = "6hour";
};
}; };
} }

11
modules/users.nix
View File

@ -1,11 +0,0 @@
{
...
}:
{
users.groups = {
users = {
gid = 100;
};
};
}

110
modules/verify.nix
View File

@ -1,110 +0,0 @@
{
config,
lib,
...
}:
let
cfg = config.services.nix-verify;
verify-type =
with lib.types;
attrsOf (
submodule (
{ name, ... }:
{
options = {
enable = lib.mkEnableOption "verify status of nix store";
service-name = lib.mkOption {
type = lib.types.str;
description = "the name of the systemd service. ${name} by default";
default = name;
};
verify-contents = lib.mkEnableOption "verify contents of nix store";
verify-trust = lib.mkEnableOption "verify if each path is trusted";
signatures-needed = lib.mkOption {
type = lib.types.int;
description = "number of signatures needed when verifying trust. Not needed if verify-trust is disabled or not set.";
default = -1;
};
frequency = lib.mkOption {
type = lib.types.str;
description = "systemd-timer compatible time between pulls";
default = "1day";
};
randomized-delay-sec = lib.mkOption {
type = lib.types.str;
description = "systemd-timer compatible time randomized delay";
default = "0";
};
};
}
)
);
in
{
options = {
services.nix-verify = lib.mkOption {
type = verify-type;
default = { };
};
};
config =
let
verifiers = lib.filterAttrs (_: { enable, ... }: enable) cfg;
in
{
systemd.services = lib.mapAttrs' (
_:
{
service-name,
verify-contents,
verify-trust,
signatures-needed,
...
}:
lib.nameValuePair "nix-verifiers@${service-name}" {
requires = [ "multi-user.target" ];
after = [ "multi-user.target" ];
description =
"Verify nix store (verify-contents: ${lib.boolToString verify-contents}, verify-trust: "
+ "${lib.boolToString verify-trust}, signatures-needed: ${builtins.toString signatures-needed})";
serviceConfig = {
Type = "oneshot";
User = "root";
ExecStart =
"${config.nix.package}/bin/nix store verify --all "
+ lib.optionalString (!verify-contents) "--no-contents "
+ lib.optionalString (!verify-trust) "--no-trust "
+ lib.optionalString (signatures-needed >= 0) "--sigs-needed ${signatures-needed}";
};
}
) verifiers;
systemd.timers = lib.mapAttrs' (
_:
{
service-name,
frequency,
randomized-delay-sec,
...
}:
lib.nameValuePair "nix-verifiers@${service-name}" {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = frequency;
OnUnitActiveSec = frequency;
RandomizedDelaySec = randomized-delay-sec;
Unit = "nix-verifiers@${service-name}.service";
};
}
) verifiers;
};
}

4
modules/yubikey.nix
View File

@ -5,11 +5,11 @@
... ...
}: }:
let let
cfg = config.services.adev.yubikey; cfg = config.services.rad-dev.yubikey;
in in
{ {
options = { options = {
services.adev.yubikey = { services.rad-dev.yubikey = {
enable = lib.mkEnableOption "enable yubikey defaults"; enable = lib.mkEnableOption "enable yubikey defaults";
enable-desktop-app = lib.mkEnableOption "installs desktop application"; enable-desktop-app = lib.mkEnableOption "installs desktop application";
}; };

8
shell.nix
View File

@ -38,17 +38,13 @@ forEachSystem (
}; };
# constructs a custom shell with commonly used utilities # constructs a custom shell with commonly used utilities
adev = pkgs.mkShell { rad-dev = pkgs.mkShell {
packages = with pkgs; [ packages = with pkgs; [
deadnix deadnix
pre-commit pre-commit
treefmt treefmt
statix statix
nixfmt-rfc-style nixfmt-rfc-style
jsonfmt
mdformat
shfmt
yamlfmt
]; ];
}; };
in in
@ -56,7 +52,7 @@ forEachSystem (
default = pkgs.mkShell { default = pkgs.mkShell {
inputsFrom = [ inputsFrom = [
pre-commit pre-commit
adev rad-dev
sops sops
]; ];
}; };

25
systems/artemision/configuration.nix
View File

@ -32,11 +32,16 @@
}; };
boot = { boot = {
#kernelPackages = lib.mkForce pkgs.linuxPackages_6_6; kernelPackages = lib.mkForce pkgs.linuxPackages_6_6;
useSystemdBoot = true; useSystemdBoot = true;
default = true; default = true;
}; };
i18n = {
defaultLocale = "en_US.utf8";
supportedLocales = [ "en_US.UTF-8/UTF-8" ];
};
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
services = { services = {
@ -60,18 +65,17 @@
fwupd = { fwupd = {
enable = true; enable = true;
# package = package =
# (import (builtins.fetchTarball { (import (builtins.fetchTarball {
# url = "https://github.com/NixOS/nixpkgs/archive/bb2009ca185d97813e75736c2b8d1d8bb81bde05.tar.gz"; url = "https://github.com/NixOS/nixpkgs/archive/bb2009ca185d97813e75736c2b8d1d8bb81bde05.tar.gz";
# sha256 = "sha256:003qcrsq5g5lggfrpq31gcvj82lb065xvr7bpfa8ddsw8x4dnysk"; sha256 = "sha256:003qcrsq5g5lggfrpq31gcvj82lb065xvr7bpfa8ddsw8x4dnysk";
# }) { inherit (pkgs) system; }).fwupd; }) { inherit (pkgs) system; }).fwupd;
}; };
mullvad-vpn.enable = true;
fprintd.enable = lib.mkForce false; fprintd.enable = lib.mkForce false;
openssh.enable = lib.mkForce false; openssh.enable = lib.mkForce false;
adev.yubikey = { rad-dev.yubikey = {
enable = true; enable = true;
enable-desktop-app = true; enable-desktop-app = true;
}; };
@ -79,14 +83,11 @@
users.users.alice.extraGroups = [ "calibre-web" ]; users.users.alice.extraGroups = [ "calibre-web" ];
system.autoUpgrade.enable = false;
system.stateVersion = "24.05"; system.stateVersion = "24.05";
programs.adb.enable = true; programs.adb.enable = true;
environment.variables = {
"KWIN_DRM_NO_DIRECT_SCANOUT" = "1";
};
sops = { sops = {
defaultSopsFile = ./secrets.yaml; defaultSopsFile = ./secrets.yaml;
#secrets = { #secrets = {

21
systems/artemision/desktop.nix
View File

@ -7,7 +7,6 @@
hyprland = { hyprland = {
enable = true; enable = true;
xwayland.enable = true; xwayland.enable = true;
withUWSM = true;
}; };
hyprlock.enable = true; hyprlock.enable = true;
gnupg.agent = { gnupg.agent = {
@ -32,9 +31,22 @@
environment.sessionVariables.NIXOS_OZONE_WL = "1"; environment.sessionVariables.NIXOS_OZONE_WL = "1";
services = { services = {
displayManager.gdm = { xserver = {
enable = true; enable = true;
wayland = true; displayManager.session = [
{
manage = "desktop";
name = "hyprland";
start = ''
bash ${./hypr/wrappedhl} &
waitPID=$!
'';
}
];
displayManager.gdm = {
enable = true;
wayland = true;
};
}; };
dbus = { dbus = {
@ -45,6 +57,9 @@
powerManagement = { powerManagement = {
enable = true; enable = true;
resumeCommands = ''
${pkgs.hyprlock}/bin/hyprlock -c /home/alice/.config/hypr/hyprlock.conf
'';
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [

19
systems/artemision/private-wifi.nix
View File

@ -1,19 +0,0 @@
{ ... }:
{
networking.nameservers = [
"9.9.9.9"
"1.1.1.1"
"192.168.76.1"
];
services.resolved = {
enable = true;
dnssec = "false";
domains = [ "~." ];
fallbackDns = [
"1.1.1.1#one.one.one.one"
"1.0.0.1#one.one.one.one"
];
dnsovertls = "true";
};
}

5
systems/artemision/programs.nix
View File

@ -18,6 +18,8 @@
croc croc
deadnix deadnix
direnv direnv
discord
discord-canary
easyeffects easyeffects
eza eza
fanficfare fanficfare
@ -42,7 +44,6 @@
kitty kitty
kubectl kubectl
kubernetes-helm kubernetes-helm
libreoffice-fresh
libtool libtool
lsof lsof
lynis lynis
@ -100,6 +101,8 @@
unipicker unipicker
unzip unzip
uutils-coreutils-noprefix uutils-coreutils-noprefix
ventoy
vesktop
vscode vscode
watchman watchman
wget wget

12
systems/artemision/secrets.yaml
View File

@ -10,9 +10,13 @@ example_booleans:
- ENC[AES256_GCM,data:6SJ0JKI=,iv:J0qSvWoOcDwSXCKyau+a0YcCGuH5WABHVh6Kdigac20=,tag:WQdNfjcubbzoHnQW4gua8g==,type:bool] - ENC[AES256_GCM,data:6SJ0JKI=,iv:J0qSvWoOcDwSXCKyau+a0YcCGuH5WABHVh6Kdigac20=,tag:WQdNfjcubbzoHnQW4gua8g==,type:bool]
apps: apps:
spotify: ENC[AES256_GCM,data:tIABPphA7Vr6VNvJpWTS9kDmidU=,iv:ciQzr8jyIcHYi797NKypPs7FhDgK5ToVZ0eZHHF8UtE=,tag:wUTL/x1p24cXyPUAL1dPfg==,type:str] spotify: ENC[AES256_GCM,data:tIABPphA7Vr6VNvJpWTS9kDmidU=,iv:ciQzr8jyIcHYi797NKypPs7FhDgK5ToVZ0eZHHF8UtE=,tag:wUTL/x1p24cXyPUAL1dPfg==,type:str]
wifi-env: ENC[AES256_GCM,data:2BM4wQq+RfASkg9lcH+fW7eD0VaPJMXABp3z0sYXqZbVzv9R9eAxSokxzcifT/1JK8PBwvZkWtEFrKAT3phXIZzoEySnGKGYazz8fqWWWhMJotLNNo5VkX70hLppgE9vYxf9vQSq0PLWYCN0jUO0H9mHjOT6mDzKUHegcC53jzkNY3WTfLkyzDWJVMP9IbVQ22N5QlJbzZNqrNTaOtcRm06PBz7pNuEKOy4jj5ipZOh6ceR81Xy6BXM7MzFN27lYbzfVvcDmlwqPORAmr7/00QBy2cp38rTswJEzYf1x2Q==,iv:DSTVPw9qtmo02/usZZDpHsYlX3sSW+2XrnawtBkRNmQ=,tag:3p3eW+3BEQrOmHlBNUEOaA==,type:str] wifi-env: ENC[AES256_GCM,data:G+z+fURk4rT61I5BiFzEJJt35jywPNrGpn1QGNhjvxrqPQ/Sq/hIHmQo+bqe9yJeDgMX3RY4EaiZxFTJyxPfW1czjuMSj3vbTp0WcDmGvUJ7li2pX2pzolgly4qmgoOluGBeRZWVLLOZYFB2+kLRMJNNz/bP5k2Eq6O4+l4sljPM+abn9iz9Eh46rVOVRkmDzCltJrYiuBSiSPhTDRTP2+gUbgbaUJTkVrVLUBHg3QU6az6VPN8DPZxbx4LtdaIb93pI,iv:uUfJK/iPdyLP7LqZJolTGGTxaEzlJI59bUVNcB1etkU=,tag:tvXSXSW1MIhLJceEK1afuw==,type:str]
#ENC[AES256_GCM,data:G9ggYJ3YA+E=,iv:nZ5NgeyNKFXFIpquoY68Z2Jz9QROqvf5tv7/s1wSgKk=,tag:QAX555IsAMaWAlz9ywSzjQ==,type:comment] #ENC[AES256_GCM,data:G9ggYJ3YA+E=,iv:nZ5NgeyNKFXFIpquoY68Z2Jz9QROqvf5tv7/s1wSgKk=,tag:QAX555IsAMaWAlz9ywSzjQ==,type:comment]
sops: sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: age:
- recipient: age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2 - recipient: age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
enc: | enc: |
@ -23,8 +27,8 @@ sops:
d09aSXN0ZUh3VC9XeTZ4UWoxVDNVN0UKF1eU/IQJgJ8Fg+MrfqQuEZZ775hvtUJR d09aSXN0ZUh3VC9XeTZ4UWoxVDNVN0UKF1eU/IQJgJ8Fg+MrfqQuEZZ775hvtUJR
D/ZS4vj+sDLWq6gy2lIBhRSIAHWrz5gHxvOOGmRnpvkqh9TS6XjLIA== D/ZS4vj+sDLWq6gy2lIBhRSIAHWrz5gHxvOOGmRnpvkqh9TS6XjLIA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-05-15T15:37:51Z" lastmodified: "2024-11-28T18:57:09Z"
mac: ENC[AES256_GCM,data:qJ8NdnzVrgQb0rGwjZFHrS+eJrUjQEk4M4uo5bnk4eY7aKaHejARcYOIhp0H/DMdlix+Dm3DAAeeRWn8AKCatXaSzYD/VHHbjfp0lKBCsC8CZFeCELQ5GGEHnVot3WGb4J+QdfupwdduExSSMd6XeZGFVbSGhLzRbiiWA+i8I3o=,iv:oxWiDCH60apKT0/fJbWp1cIZ9cvd6mJKlP3xAjMBXIo=,tag:0We6eCJnsncujCt+CwK9UQ==,type:str] mac: ENC[AES256_GCM,data:hKhAo7rDplLm19PlrKHQwxnDVXCMU/xpAxPALLDBa0M3yypy2QVD6c6Atn897tYRKf7oeLaUKqnUYdCcZ9gVgm37LS+GtRhf66zfvcKqhZF8wh3M0zTDPYpQDhex0N4BAJ/dcaYIbxqE9pEUxJOI5jip/hptaCJItTEe7oARcF4=,iv:EUayxLaOPcnWX+S9+RlHrxzJRLlSSLIwqbAq3fFI4yg=,tag:LiBsqIodTWamO+c8FqGBag==,type:str]
pgp: pgp:
- created_at: "2024-11-28T18:57:09Z" - created_at: "2024-11-28T18:57:09Z"
enc: |- enc: |-
@ -39,4 +43,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330 fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.10.2 version: 3.9.1

34
systems/artemision/wifi.nix
View File

@ -1,13 +1,9 @@
{ config, lib, ... }: { config, ... }:
let let
always = 100; always = 100;
home = 99; home = 99;
public_wifi = false;
in in
{ {
imports = lib.optionals (!public_wifi) [
./private-wifi.nix
];
networking.wireless = { networking.wireless = {
enable = true; enable = true;
secretsFile = config.sops.secrets."wifi-env".path; secretsFile = config.sops.secrets."wifi-env".path;
@ -28,19 +24,29 @@ in
"24HuFios".pskRaw = "ext:PASS_longboat_home"; "24HuFios".pskRaw = "ext:PASS_longboat_home";
"Verizon_ZLHQ3H".pskRaw = "ext:PASS_angie"; "Verizon_ZLHQ3H".pskRaw = "ext:PASS_angie";
"Fios-Qn3RB".pskRaw = "ext:PASS_parkridge"; "Fios-Qn3RB".pskRaw = "ext:PASS_parkridge";
"Mojo Dojo Casa House".pskRaw = "ext:PASS_Carly"; "optimumwifi" = { };
"CableWiFi" = { };
# Public wifi connections
# set public_wifi on line 5 to true if connecting to one of these
#"optimumwifi" = { };
#"CableWiFi" = { };
#"Hilton Honors" = { };
# Work wifi
"JPMCVisitor" = { }; "JPMCVisitor" = { };
}; };
}; };
networking.nameservers = [
"9.9.9.9"
"1.1.1.1"
"192.168.76.1"
];
services.resolved = {
enable = true;
dnssec = "true";
domains = [ "~." ];
fallbackDns = [
"1.1.1.1#one.one.one.one"
"1.0.0.1#one.one.one.one"
];
dnsovertls = "true";
};
sops = { sops = {
defaultSopsFile = ./secrets.yaml; defaultSopsFile = ./secrets.yaml;
secrets = { secrets = {

109
systems/palatine-hill/attic/default.nix
View File

@ -10,10 +10,6 @@
attic-client attic-client
]; ];
systemd.services.atticd.environment = {
RUST_LOG = "INFO";
};
services = { services = {
atticd = { atticd = {
enable = true; enable = true;
@ -38,9 +34,6 @@
bucket = "cache-nix-dot"; bucket = "cache-nix-dot";
endpoint = "https://minio.nayeonie.com"; endpoint = "https://minio.nayeonie.com";
}; };
garbage-collection = {
interval = "5 minutes";
};
# Warning: If you change any of the values here, it will be # Warning: If you change any of the values here, it will be
# difficult to reuse existing chunks for newly-uploaded NARs # difficult to reuse existing chunks for newly-uploaded NARs
@ -69,58 +62,58 @@
# borrowing from https://github.com/Shawn8901/nix-configuration/blob/4b8d1d44f47aec60feb58ca7b7ab5ed000506e90/modules/nixos/private/hydra.nix # borrowing from https://github.com/Shawn8901/nix-configuration/blob/4b8d1d44f47aec60feb58ca7b7ab5ed000506e90/modules/nixos/private/hydra.nix
# configured default webstore for this on root user separately # configured default webstore for this on root user separately
systemd = { # systemd = {
services = { # services = {
attic-watch-store = { # attic-watch-store = {
wantedBy = [ "multi-user.target" ]; # wantedBy = [ "multi-user.target" ];
after = [ # after = [
"network-online.target" # "network-online.target"
"docker.service" # "docker.service"
"atticd.service" # "atticd.service"
]; # ];
requires = [ # requires = [
"network-online.target" # "network-online.target"
"docker.service" # "docker.service"
"atticd.service" # "atticd.service"
]; # ];
description = "Upload all store content to binary cache"; # description = "Upload all store content to binary cache";
serviceConfig = { # serviceConfig = {
User = "root"; # User = "root";
Restart = "always"; # Restart = "always";
ExecStart = "${pkgs.attic-client}/bin/attic watch-store nix-cache"; # ExecStart = "${pkgs.attic-client}/bin/attic watch-store cache-nix-dot";
}; # };
}; # };
attic-sync-hydra = { # attic-sync-hydra = {
after = [ # after = [
"network-online.target" # "network-online.target"
"docker.service" # "docker.service"
"atticd.service" # "atticd.service"
]; # ];
requires = [ # requires = [
"network-online.target" # "network-online.target"
"docker.service" # "docker.service"
"atticd.service" # "atticd.service"
]; # ];
description = "Force resync of hydra derivations with attic"; # description = "Force resync of hydra derivations with attic";
serviceConfig = { # serviceConfig = {
Type = "oneshot"; # Type = "oneshot";
User = "root"; # User = "root";
ExecStart = "${config.nix.package}/bin/nix ${./sync-attic.bash}"; # ExecStart = "${config.nix.package}/bin/nix ${./sync-attic.bash}";
}; # };
}; # };
}; # };
timers = { # timers = {
attic-sync-hydra = { # attic-sync-hydra = {
wantedBy = [ "timers.target" ]; # wantedBy = [ "timers.target" ];
timerConfig = { # timerConfig = {
OnBootSec = 600; # OnBootSec = 600;
OnUnitActiveSec = 86400; # OnUnitActiveSec = 86400;
Unit = "attic-sync-hydra.service"; # Unit = "attic-sync-hydra.service";
}; # };
}; # };
}; # };
}; # };
sops = { sops = {
secrets = { secrets = {

4
systems/palatine-hill/attic/sync-attic.bash
View File

@ -2,9 +2,9 @@
#! nix shell nixpkgs#bash nixpkgs#findutils nixpkgs#attic-client --command bash #! nix shell nixpkgs#bash nixpkgs#findutils nixpkgs#attic-client --command bash
sync_directories=( sync_directories=(
/ZFS/ZFS-primary/hydra /ZFS/ZFS-primary/hydra
) )
for dir in "${sync_directories[@]}"; do for dir in "${sync_directories[@]}"; do
find "$dir" -regex ".*\.drv$" -exec attic push nix-cache '{}' \; find "$dir" -regex ".*\.drv$" -exec attic push cache-nix-dot '{}' \;
done done

44
systems/palatine-hill/configuration.nix
View File

@ -17,9 +17,8 @@
./minio.nix ./minio.nix
./networking.nix ./networking.nix
./nextcloud.nix ./nextcloud.nix
#./plex
./postgresql.nix
./samba.nix ./samba.nix
./postgresql.nix
./zfs.nix ./zfs.nix
]; ];
@ -58,37 +57,16 @@
}; };
}; };
environment = { environment.systemPackages = with pkgs; [
systemPackages = with pkgs; [ chromedriver
chromedriver chromium
chromium docker-compose
docker-compose intel-gpu-tools
filebot jellyfin-ffmpeg
intel-gpu-tools jq
jellyfin-ffmpeg yt-dlp
jq yq
yt-dlp ];
yq
];
etc = {
# Creates /etc/lynis/custom.prf
"lynis/custom.prf" = {
text = ''
skip-test=BANN-7126
skip-test=BANN-7130
skip-test=DEB-0520
skip-test=DEB-0810
skip-test=FIRE-4513
skip-test=HRDN-7222
skip-test=KRNL-5820
skip-test=LOGG-2190
skip-test=LYNIS
skip-test=TOOL-5002
'';
mode = "0440";
};
};
};
services = { services = {
samba.enable = true; samba.enable = true;

3
systems/palatine-hill/default.nix
View File

@ -3,8 +3,5 @@
users = [ "alice" ]; users = [ "alice" ];
modules = [ modules = [
# inputs.attic.nixosModules.atticd # inputs.attic.nixosModules.atticd
inputs.nixos-hardware.nixosModules.common-cpu-amd
inputs.nixos-hardware.nixosModules.common-cpu-amd-pstate
inputs.nixos-hardware.nixosModules.supermicro
]; ];
} }

78
systems/palatine-hill/docker/act-runner.nix
View File

@ -6,13 +6,11 @@
let let
vars = import ../vars.nix; vars = import ../vars.nix;
act_path = vars.primary_act; act_path = vars.primary_act;
act_config_path = ./act_config.yaml;
in in
{ {
virtualisation.oci-containers.containers = { virtualisation.oci-containers.containers = {
act-stable-latest-main = { act-stable-latest-main = {
image = "gitea/act_runner:latest"; image = "gitea/act_runner:latest";
pull = "always";
extraOptions = [ extraOptions = [
"--stop-signal=SIGINT" "--stop-signal=SIGINT"
]; ];
@ -22,7 +20,7 @@ in
}; };
ports = [ "8088:8088" ]; ports = [ "8088:8088" ];
volumes = [ volumes = [
"${act_config_path}:/config.yaml" "${act_path}/stable-latest-main/config.yaml:/config.yaml"
"${act_path}/stable-latest-main/data:/data" "${act_path}/stable-latest-main/data:/data"
"/var/run/docker.sock:/var/run/docker.sock" "/var/run/docker.sock:/var/run/docker.sock"
]; ];
@ -36,7 +34,6 @@ in
act-stable-latest-1 = { act-stable-latest-1 = {
image = "gitea/act_runner:latest"; image = "gitea/act_runner:latest";
pull = "always";
extraOptions = [ extraOptions = [
"--stop-signal=SIGINT" "--stop-signal=SIGINT"
]; ];
@ -45,7 +42,7 @@ in
"com.centurylinklabs.watchtower.scope" = "act-runner"; "com.centurylinklabs.watchtower.scope" = "act-runner";
}; };
volumes = [ volumes = [
"${./act_config.yaml}:/config.yaml" "${act_path}/stable-latest-1/config.yaml:/config.yaml"
"${act_path}/stable-latest-1/data:/data" "${act_path}/stable-latest-1/data:/data"
"/var/run/docker.sock:/var/run/docker.sock" "/var/run/docker.sock:/var/run/docker.sock"
]; ];
@ -59,7 +56,6 @@ in
act-stable-latest-2 = { act-stable-latest-2 = {
image = "gitea/act_runner:latest"; image = "gitea/act_runner:latest";
pull = "always";
extraOptions = [ extraOptions = [
"--stop-signal=SIGINT" "--stop-signal=SIGINT"
]; ];
@ -68,7 +64,7 @@ in
"com.centurylinklabs.watchtower.scope" = "act-runner"; "com.centurylinklabs.watchtower.scope" = "act-runner";
}; };
volumes = [ volumes = [
"${act_config_path}:/config.yaml" "${act_path}/stable-latest-2/config.yaml:/config.yaml"
"${act_path}/stable-latest-2/data:/data" "${act_path}/stable-latest-2/data:/data"
"/var/run/docker.sock:/var/run/docker.sock" "/var/run/docker.sock:/var/run/docker.sock"
]; ];
@ -79,6 +75,72 @@ in
environmentFiles = [ config.sops.secrets."docker/act-runner".path ]; environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
log-driver = "local"; log-driver = "local";
}; };
act-stable-latest-3 = {
image = "gitea/act_runner:latest";
extraOptions = [
"--stop-signal=SIGINT"
];
labels = {
"com.centurylinklabs.watchtower.enable" = "true";
"com.centurylinklabs.watchtower.scope" = "act-runner";
};
volumes = [
"${act_path}/stable-latest-3/config.yaml:/config.yaml"
"${act_path}/stable-latest-3/data:/data"
"/var/run/docker.sock:/var/run/docker.sock"
];
environment = {
CONFIG_FILE = "/config.yaml";
GITEA_RUNNER_NAME = "stable-latest-3";
};
environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
log-driver = "local";
};
act-stable-latest-4 = {
image = "gitea/act_runner:latest";
extraOptions = [
"--stop-signal=SIGINT"
];
labels = {
"com.centurylinklabs.watchtower.enable" = "true";
"com.centurylinklabs.watchtower.scope" = "act-runner";
};
volumes = [
"${act_path}/stable-latest-4/config.yaml:/config.yaml"
"${act_path}/stable-latest-4/data:/data"
"/var/run/docker.sock:/var/run/docker.sock"
];
environment = {
CONFIG_FILE = "/config.yaml";
GITEA_RUNNER_NAME = "stable-latest-4";
};
environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
log-driver = "local";
};
act-stable-latest-5 = {
image = "gitea/act_runner:latest";
extraOptions = [
"--stop-signal=SIGINT"
];
labels = {
"com.centurylinklabs.watchtower.enable" = "true";
"com.centurylinklabs.watchtower.scope" = "act-runner";
};
volumes = [
"${act_path}/stable-latest-5/config.yaml:/config.yaml"
"${act_path}/stable-latest-5/data:/data"
"/var/run/docker.sock:/var/run/docker.sock"
];
environment = {
CONFIG_FILE = "/config.yaml";
GITEA_RUNNER_NAME = "stable-latest-5";
};
environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
log-driver = "local";
};
}; };
systemd = { systemd = {
@ -106,9 +168,7 @@ in
"docker/act-runner" = { "docker/act-runner" = {
owner = "root"; owner = "root";
restartUnits = [ restartUnits = [
"docker-act-stable-latest-main.service"
"docker-act-stable-latest-1.service" "docker-act-stable-latest-1.service"
"docker-act-stable-latest-2.service"
]; ];
}; };
}; };

95
systems/palatine-hill/docker/act_config.yaml
View File

@ -1,95 +0,0 @@
# Example configuration file, it's safe to copy this as the default config file without any modification.
# You don't have to copy this file to your instance,
# just run `./act_runner generate-config > config.yaml` to generate a config file.
log:
# The level of logging, can be trace, debug, info, warn, error, fatal
level: debug
runner:
# Where to store the registration result.
file: .runner
# Execute how many tasks concurrently at the same time.
capacity: 1
# Extra environment variables to run jobs.
envs:
A_TEST_ENV_NAME_1: a_test_env_value_1
A_TEST_ENV_NAME_2: a_test_env_value_2
# Extra environment variables to run jobs from a file.
# It will be ignored if it's empty or the file doesn't exist.
env_file: .env
# The timeout for a job to be finished.
# Please note that the Gitea instance also has a timeout (3h by default) for the job.
# So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
timeout: 3h
# The timeout for the runner to wait for running jobs to finish when shutting down.
# Any running jobs that haven't finished after this timeout will be cancelled.
shutdown_timeout: 30m
# Whether skip verifying the TLS certificate of the Gitea instance.
insecure: false
# The timeout for fetching the job from the Gitea instance.
fetch_timeout: 5s
# The interval for fetching the job from the Gitea instance.
fetch_interval: 2s
# The labels of a runner are used to determine which jobs the runner can run, and how to run them.
# Like: "macos-arm64:host" or "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
# Find more images provided by Gitea at https://gitea.com/gitea/runner-images .
# If it's empty when registering, it will ask for inputting labels.
# If it's empty when execute `daemon`, will use labels in `.runner` file.
labels:
- "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
- "ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04"
- "ubuntu-20.04:docker://gitea/runner-images:ubuntu-20.04"
#cache:
# Enable cache server to use actions/cache.
#enabled: true
# The directory to store the cache data.
# If it's empty, the cache data will be stored in $HOME/.cache/actcache.
#dir: ""
# The host of the cache server.
# It's not for the address to listen, but the address to connect from job containers.
# So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
#host: ""
# The port of the cache server.
# 0 means to use a random available port.
#port: 0
# The external cache server URL. Valid only when enable is true.
# If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
# The URL should generally end with "/".
#external_server: ""
container:
# Specifies the network to which the container will connect.
# Could be host, bridge or the name of a custom network.
# If it's empty, act_runner will create a network automatically.
network: ""
# Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
privileged: false
# And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
options:
# The parent directory of a job's working directory.
# NOTE: There is no need to add the first '/' of the path as act_runner will add it automatically.
# If the path starts with '/', the '/' will be trimmed.
# For example, if the parent directory is /path/to/my/dir, workdir_parent should be path/to/my/dir
# If it's empty, /workspace will be used.
workdir_parent:
# Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
# You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
# For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
# valid_volumes:
# - data
# - /src/*.json
# If you want to allow any volume, please use the following configuration:
# valid_volumes:
# - '**'
valid_volumes: []
# overrides the docker client host with the specified one.
# If it's empty, act_runner will find an available docker host automatically.
# If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
# If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
docker_host: ""
# Pull docker image(s) even if already present
force_pull: true
# Rebuild docker image(s) even if already present
force_rebuild: false
host:
# The parent directory of a job's working directory.
# If it's empty, $HOME/.cache/act/ will be used.
workdir_parent:

2
systems/palatine-hill/docker/archiveteam.nix
View File

@ -122,7 +122,7 @@ let
cmd = lib.splitString " " "--concurrent 6 AmAnd0"; cmd = lib.splitString " " "--concurrent 6 AmAnd0";
}; };
inherit (lib.adev.container-utils) createTemplatedContainers; inherit (lib.rad-dev.container-utils) createTemplatedContainers;
vars = import ../vars.nix; vars = import ../vars.nix;
at_path = vars.primary_archiveteam; at_path = vars.primary_archiveteam;

124
systems/palatine-hill/docker/arr.nix
View File

@ -1,124 +0,0 @@
{
config,
lib,
pkgs,
...
}:
let
vars = import ../vars.nix;
in
{
virtualisation.oci-containers.containers = {
bazarr = {
image = "ghcr.io/linuxserver/bazarr:latest";
ports = [ "6767:6767" ];
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
};
volumes = [
"${vars.primary_docker}/bazarr:/config"
"${vars.primary_plex_storage}/data:/data"
];
autoStart = true;
};
prowlarr = {
image = "ghcr.io/linuxserver/prowlarr:latest";
ports = [ "9696:9696" ];
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
};
volumes = [ "${vars.primary_docker}/prowlarr:/config" ];
autoStart = true;
};
radarr = {
image = "ghcr.io/linuxserver/radarr:latest";
ports = [ "7878:7878" ];
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
};
volumes = [
"${vars.primary_docker}/radarr:/config"
"${vars.primary_plex_storage}/data:/data"
];
autoStart = true;
};
sonarr = {
image = "ghcr.io/linuxserver/sonarr:latest";
ports = [ "8989:8989" ];
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
};
volumes = [
"${vars.primary_docker}/sonarr:/config"
"${vars.primary_plex_storage}/data:/data"
];
autoStart = true;
};
lidarr = {
image = "ghcr.io/linuxserver/lidarr:latest";
ports = [ "8686:8686" ];
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
};
volumes = [
"${vars.primary_docker}/lidarr:/config"
"${vars.primary_plex_storage}/data:/data"
];
autoStart = true;
};
readarr = {
image = "ghcr.io/linuxserver/readarr:latest";
ports = [ "8787:8787" ];
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
};
volumes = [
"${vars.primary_docker}/readarr:/config"
"${vars.primary_plex_storage}/data:/data"
];
autoStart = true;
};
unpackerr = {
image = "golift/unpackerr:latest";
user = "600:100";
environment = {
TZ = "America/New_York";
};
volumes = [
"${vars.primary_docker}/unpackerr:/config"
"${vars.primary_plex_storage}:/data"
];
autoStart = true;
};
overseerr = {
image = "lscr.io/linuxserver/overseerr";
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
};
volumes = [ "${vars.primary_docker}/overseerr:/config" ];
# TODO: remove ports later since this is going through web
ports = [ "5055:5055" ]; # Web UI port
dependsOn = [
"radarr"
"sonarr"
];
extraOptions = [ "--network=haproxy-net" ];
autoStart = true;
};
};
}

23
systems/palatine-hill/docker/default.nix
View File

@ -8,7 +8,6 @@
{ {
imports = [ imports = [
./act-runner.nix ./act-runner.nix
./arr.nix
# temp disable archiveteam for tiktok archiving # temp disable archiveteam for tiktok archiving
#./archiveteam.nix #./archiveteam.nix
# ./books.nix # ./books.nix
@ -32,47 +31,47 @@
default-address-pools = [ default-address-pools = [
{ {
base = "169.254.2.0/23"; base = "169.254.2.0/23";
size = 28; size = "28";
} }
{ {
base = "169.254.4.0/22"; base = "169.254.4.0/22";
size = 28; size = "28";
} }
{ {
base = "169.254.8.0/21"; base = "169.254.8.0/21";
size = 28; size = "28";
} }
{ {
base = "169.254.16.0/20"; base = "169.254.16.0/20";
size = 28; size = "28";
} }
{ {
base = "169.254.32.0/19"; base = "169.254.32.0/19";
size = 28; size = "28";
} }
{ {
base = "169.254.64.0/18"; base = "169.254.64.0/18";
size = 28; size = "28";
} }
{ {
base = "169.254.128.0/18"; base = "169.254.128.0/18";
size = 28; size = "28";
} }
{ {
base = "169.254.192.0/19"; base = "169.254.192.0/19";
size = 28; size = "28";
} }
{ {
base = "169.254.224.0/20"; base = "169.254.224.0/20";
size = 28; size = "28";
} }
{ {
base = "169.254.240.0/21"; base = "169.254.240.0/21";
size = 28; size = "28";
} }
{ {
base = "169.254.248.0/22"; base = "169.254.248.0/22";
size = 28; size = "28";
} }
]; ];
mtu = 9000; mtu = 9000;

1
systems/palatine-hill/docker/glances.nix
View File

@ -8,7 +8,6 @@ in
virtualisation.oci-containers.containers = { virtualisation.oci-containers.containers = {
glances = { glances = {
image = "nicolargo/glances:latest-full"; image = "nicolargo/glances:latest-full";
pull = "always";
extraOptions = [ extraOptions = [
"--pid=host" "--pid=host"
"--network=haproxy-net" "--network=haproxy-net"

77
systems/palatine-hill/docker/minecraft.nix
View File

@ -9,37 +9,36 @@ let
divinejourney = "dj.alicehuston.xyz"; divinejourney = "dj.alicehuston.xyz";
rlcraft = "rlcraft.alicehuston.xyz"; rlcraft = "rlcraft.alicehuston.xyz";
arcanum-institute = "arcanum.alicehuston.xyz"; arcanum-institute = "arcanum.alicehuston.xyz";
# bcg-plus = "bcg.alicehuston.xyz"; bcg-plus = "bcg.alicehuston.xyz";
}; };
defaultServer = "rlcraft"; defaultServer = "rlcraft";
# defaultEnv = { defaultEnv = {
# EULA = "true"; EULA = "true";
# TYPE = "AUTO_CURSEFORGE"; TYPE = "AUTO_CURSEFORGE";
# STOP_SERVER_ANNOUNCE_DELAY = "120"; STOP_SERVER_ANNOUNCE_DELAY = "120";
# STOP_DURATION = "600"; STOP_DURATION = "600";
# SYNC_CHUNK_WRITES = "false"; SYNC_CHUNK_WRITES = "false";
# USE_AIKAR_FLAGS = "true"; USE_AIKAR_FLAGS = "true";
# MEMORY = "8GB"; MEMORY = "8GB";
# ALLOW_FLIGHT = "true"; ALLOW_FLIGHT = "true";
# MAX_TICK_TIME = "-1"; MAX_TICK_TIME = "-1";
# }; };
# defaultOptions = [ defaultOptions = [
# "--stop-signal=SIGTERM" "--stop-signal=SIGTERM"
# "--stop-timeout=1800" "--stop-timeout=1800"
# "--network=minecraft-net" "--network=minecraft-net"
# ]; ];
# vars = import ../vars.nix; vars = import ../vars.nix;
# minecraft_path = "${vars.primary_games}/minecraft"; minecraft_path = "${vars.primary_games}/minecraft";
in in
{ {
virtualisation.oci-containers.containers = { virtualisation.oci-containers.containers = {
mc-router = { mc-router = {
image = "itzg/mc-router:latest"; image = "itzg/mc-router:latest";
pull = "always";
extraOptions = [ extraOptions = [
"--network=haproxy-net" "--network=haproxy-net"
"--network=minecraft-net" "--network=minecraft-net"
@ -47,7 +46,7 @@ in
cmd = [ cmd = [
( (
"--mapping=mc.alicehuston.xyz=${defaultServer}:25565" "--mapping=mc.alicehuston.xyz=${defaultServer}:25565"
+ (lib.adev.mapAttrsToString (hostname: url: "," + url + "=" + hostname + ":25565") servers) + (lib.rad-dev.mapAttrsToString (hostname: url: "," + url + "=" + hostname + ":25565") servers)
) )
]; ];
}; };
@ -68,24 +67,24 @@ in
# log-driver = "local"; # log-driver = "local";
# environmentFiles = [ config.sops.secrets."docker/minecraft".path ]; # environmentFiles = [ config.sops.secrets."docker/minecraft".path ];
# }; # };
# bcg-plus = { bcg-plus = {
# image = "itzg/minecraft-server:java17"; image = "itzg/minecraft-server:java17";
# volumes = [ volumes = [
# "${minecraft_path}/bcg-plus/modpacks:/modpacks:ro" "${minecraft_path}/bcg-plus/modpacks:/modpacks:ro"
# "${minecraft_path}/bcg-plus/data:/data" "${minecraft_path}/bcg-plus/data:/data"
# ]; ];
# hostname = "bcg-plus"; hostname = "bcg-plus";
# environment = defaultEnv // { environment = defaultEnv // {
# VERSION = "1.17"; VERSION = "1.17";
# CF_SLUG = "bcg"; CF_SLUG = "bcg";
# DIFFICULTY = "normal"; DIFFICULTY = "normal";
# DEBUG = "true"; DEBUG = "true";
# # ENABLE_COMMAND_BLOCK = "true"; # ENABLE_COMMAND_BLOCK = "true";
# }; };
# extraOptions = defaultOptions; extraOptions = defaultOptions;
# log-driver = "local"; log-driver = "local";
# environmentFiles = [ config.sops.secrets."docker/minecraft".path ]; environmentFiles = [ config.sops.secrets."docker/minecraft".path ];
# }; };
}; };
sops = { sops = {

6
systems/palatine-hill/docker/nextcloud.nix
View File

@ -9,7 +9,6 @@ let
nextcloud-base = { nextcloud-base = {
# image comes from running docker compose build in nextcloud-docker/.examples/full/apache # image comes from running docker compose build in nextcloud-docker/.examples/full/apache
image = "nextcloud-nextcloud"; image = "nextcloud-nextcloud";
pull = "always";
hostname = "nextcloud"; hostname = "nextcloud";
volumes = [ volumes = [
"${nextcloud_path}/nc_data:/var/www/html:z" "${nextcloud_path}/nc_data:/var/www/html:z"
@ -33,7 +32,6 @@ in
}; };
redis = { redis = {
image = "redis:latest"; image = "redis:latest";
pull = "always";
user = "600:600"; user = "600:600";
volumes = [ volumes = [
"${config.sops.secrets."docker/redis".path}:/usr/local/etc/redis/redis.conf" "${config.sops.secrets."docker/redis".path}:/usr/local/etc/redis/redis.conf"
@ -49,7 +47,6 @@ in
}; };
go-vod = { go-vod = {
image = "radialapps/go-vod:latest"; image = "radialapps/go-vod:latest";
pull = "always";
dependsOn = [ "nextcloud" ]; dependsOn = [ "nextcloud" ];
environment = { environment = {
NEXTCLOUD_HOST = "https://nextcloud.alicehuston.xyz"; NEXTCLOUD_HOST = "https://nextcloud.alicehuston.xyz";
@ -61,7 +58,6 @@ in
}; };
collabora-code = { collabora-code = {
image = "collabora/code:latest"; image = "collabora/code:latest";
pull = "always";
dependsOn = [ "nextcloud" ]; dependsOn = [ "nextcloud" ];
environment = { environment = {
aliasgroup1 = "https://collabora.nayenoie.com:443"; aliasgroup1 = "https://collabora.nayenoie.com:443";
@ -104,7 +100,7 @@ in
}; };
"docker/collabora" = { "docker/collabora" = {
owner = "www-data"; owner = "www-data";
restartUnits = [ "docker-collabora-code.service" ]; restartUnits = [ "docker-collabora.service" ];
}; };
}; };
}; };

22
systems/palatine-hill/docker/openvpn/se.protonvpn.udp.ovpn
View File

File diff suppressed because one or more lines are too long

87
systems/palatine-hill/docker/torr.nix
View File

@ -1,8 +1,7 @@
{ config, pkgs, ... }: { pkgs, ... }:
let let
delugeBase = { delugeBase = {
pull = "always";
environment = { environment = {
PUID = "600"; PUID = "600";
PGID = "100"; PGID = "100";
@ -20,31 +19,18 @@ let
deluge_path = "${torr_path}/deluge"; deluge_path = "${torr_path}/deluge";
delugevpn_path = "${torr_path}/delugevpn"; delugevpn_path = "${torr_path}/delugevpn";
#genSopsConfWg = file: { genSopsConf = file: {
# "${file}" = {
# format = "binary";
# sopsFile = ./wg/${file};
# path = "${delugevpn_path}/config/wireguard/configs/${file}";
# owner = "docker-service";
# group = "users";
# restartUnits = [ "docker-delugeVPN.service" ];
# };
#};
genSopsConfOvpn = file: {
"${file}" = { "${file}" = {
format = "binary"; format = "binary";
sopsFile = ./openvpn/${file}; sopsFile = ./wg/${file};
path = "${delugevpn_path}/config/openvpn/configs/${file}"; path = "${delugevpn_path}/config/wireguard/configs/${file}";
owner = "docker-service"; owner = "docker-service";
group = "users"; group = "users";
restartUnits = [ "docker-delugeVPN.service" ]; restartUnits = [ "docker-delugeVPN.service" ];
}; };
}; };
in in
{ {
virtualisation.oci-containers.containers = { virtualisation.oci-containers.containers = {
deluge = delugeBase // { deluge = delugeBase // {
image = "binhex/arch-deluge"; image = "binhex/arch-deluge";
@ -59,26 +45,25 @@ in
]; ];
}; };
delugeVPN = delugeBase // { delugeVPN = delugeBase // {
image = "binhex/arch-delugevpn:latest"; image = "binhex/arch-delugevpn";
capabilities = { extraOptions = [
NET_ADMIN = true; "--privileged=true"
}; "--sysctl"
autoRemoveOnStop = false; "net.ipv4.conf.all.src_valid_mark=1"
];
environment = delugeBase.environment // { environment = delugeBase.environment // {
VPN_ENABLED = "yes"; VPN_ENABLED = "yes";
VPN_CLIENT = "openvpn"; VPN_CLIENT = "wireguard";
VPN_PROV = "protonvpn"; VPN_PROV = "custom";
ENABLE_PRIVOXY = "yes"; ENABLE_PRIVOXY = "yes";
LAN_NETWORK = "192.168.0.0/16"; LAN_NETWORK = "192.168.0.0/16";
ENABLE_STARTUP_SCRIPTS = "yes"; NAME_SERVERS = "194.242.2.9";
#NAME_SERVERS = "194.242.2.9";
#NAME_SERVERS = "9.9.9.9";
# note, delete /config/perms.txt to force a bulk permissions update # note, delete /config/perms.txt to force a bulk permissions update
}; };
environmentFiles = [ config.sops.secrets."docker/delugevpn".path ];
volumes = [ volumes = [
"${delugevpn_path}/config:/config" "${delugevpn_path}/config:/config"
"${deluge_path}/data:/data" # use common torrent path yuck "${delugevpn_path}/data:/data"
"/etc/localtime:/etc/localtime:ro" "/etc/localtime:/etc/localtime:ro"
]; ];
ports = [ ports = [
@ -86,9 +71,6 @@ in
"8119:8118" "8119:8118"
"39275:39275" "39275:39275"
"39275:39275/udp" "39275:39275/udp"
"48346:48346"
"48346:48346/udp"
]; ];
}; };
}; };
@ -97,34 +79,25 @@ in
serviceConfig = { serviceConfig = {
ExecStartPre = [ ExecStartPre = [
( (
"${pkgs.bash}/bin/bash -c \"${pkgs.findutils}/bin/find ${delugevpn_path}/config/openvpn/configs " "${pkgs.bash}/bin/bash -c \"${pkgs.findutils}/bin/find ${delugevpn_path}/config/wireguard/configs "
+ "-type l -not -name network.ovpn " + "-type l -not -name wg0.conf "
+ "| ${pkgs.coreutils}/bin/shuf -n 1 " + "| ${pkgs.coreutils}/bin/shuf -n 1 "
+ "| ${pkgs.findutils}/bin/xargs -I {} cp -L {} ${delugevpn_path}/config/openvpn/network.ovpn &&" + "| ${pkgs.findutils}/bin/xargs -I {} cp -L {} ${delugevpn_path}/config/wireguard/wg0.conf &&"
+ "${pkgs.coreutils}/bin/chown docker-service:users ${delugevpn_path}/config/openvpn/network.ovpn &&" + "${pkgs.coreutils}/bin/chown docker-service:users ${delugevpn_path}/config/wireguard/wg0.conf &&"
+ "${pkgs.coreutils}/bin/chmod 440 ${delugevpn_path}/config/openvpn/network.ovpn\"" + "${pkgs.coreutils}/bin/chmod 440 ${delugevpn_path}/config/wireguard/wg0.conf\""
)
(
"${pkgs.bash}/bin/bash -c \"${pkgs.findutils}/bin/find ${delugevpn_path}/config/scripts/links "
+ "-type l "
+ "| ${pkgs.findutils}/bin/xargs -I {} cp -L {} ${delugevpn_path}/config/scripts/ \""
) )
]; ];
ExecStopPost = [ "${pkgs.coreutils}/bin/rm ${delugevpn_path}/config/scripts/*sh" ]; ExecStopPost = [ "${pkgs.coreutils}/bin/rm ${delugevpn_path}/config/wireguard/wg0.conf" ];
}; };
}; };
sops.secrets = (genSopsConfOvpn "se.protonvpn.udp.ovpn") // { sops.secrets =
"docker/delugevpn" = { (genSopsConf "se-mma-wg-001.conf")
owner = "docker-service"; // (genSopsConf "se-mma-wg-002.conf")
group = "users"; // (genSopsConf "se-mma-wg-003.conf")
restartUnits = [ "docker-delugeVPN.service" ]; // (genSopsConf "se-mma-wg-004.conf")
}; // (genSopsConf "se-mma-wg-005.conf")
"docker/protonvpn-start-script" = { // (genSopsConf "se-mma-wg-101.conf")
path = "${delugevpn_path}/config/scripts/links/protonvpn-start-script.sh"; // (genSopsConf "se-mma-wg-102.conf")
owner = "docker-service"; // (genSopsConf "se-mma-wg-103.conf");
group = "users";
restartUnits = [ "docker-delugeVPN.service" ];
};
};
} }

4
systems/palatine-hill/docker/watchtower.bash
View File

@ -6,8 +6,8 @@ outdated_msg="Project code is out of date and needs to be upgraded. To remedy th
label="$1" label="$1"
label_val="$2" label_val="$2"
if (($# != 2)); then if (( $# != 2 )); then
echo "usage: $0 label label_value" echo "usage: $0 label label_value"
fi fi
containers=$(docker ps --format '{{.Names}}' -f "label=${label}=${label_val}") containers=$(docker ps --format '{{.Names}}' -f "label=${label}=${label_val}")

9
systems/palatine-hill/firewall.nix
View File

@ -24,15 +24,6 @@
# collabora # collabora
9980 9980
# arr
6767
9696
7878
8989
8686
8787
5055
]; ];
} }

18
systems/palatine-hill/gitea.nix
View File

@ -10,7 +10,7 @@ in
{ {
services.gitea = { services.gitea = {
enable = true; enable = true;
appName = "Nayeonie's Trove"; appName = "The Hearth";
database = { database = {
type = "postgres"; type = "postgres";
passwordFile = config.sops.secrets."gitea/dbpass".path; passwordFile = config.sops.secrets."gitea/dbpass".path;
@ -27,12 +27,6 @@ in
SSH_PORT = 2222; SSH_PORT = 2222;
SSH_LISTEN_PORT = 2223; SSH_LISTEN_PORT = 2223;
START_SSH_SERVER = true; START_SSH_SERVER = true;
PUBLIC_URL_DETECTION = "auto";
};
repository = {
ENABLE_PUSH_CREATE_USER = true;
DEFAULT_MERGE_STYLE = "rebase-merge";
}; };
service = { service = {
DISABLE_REGISTRATION = true; DISABLE_REGISTRATION = true;
@ -51,15 +45,6 @@ in
host = "192.168.76.2"; host = "192.168.76.2";
port = "8088"; port = "8088";
}; };
"storage.minio" = {
STORAGE_TYPE = "minio";
MINIO_ENDPOINT = "minio.nayeonie.com";
MINIO_BUCKET = "gitea";
MINIO_LOCATION = "us-east-1";
MINIO_USE_SSL = true;
MINIO_INSECURE_SKIP_VERIFY = false;
MINIO_BUCKET_LOOKUP_TYPE = "auto";
};
}; };
stateDir = base_path; stateDir = base_path;
lfs.enable = true; lfs.enable = true;
@ -75,6 +60,5 @@ in
sops.secrets = { sops.secrets = {
"gitea/dbpass".owner = "gitea"; "gitea/dbpass".owner = "gitea";
"gitea/minio".owner = "gitea";
}; };
} }

14
systems/palatine-hill/hydra.nix
View File

@ -1,6 +1,7 @@
{ {
config, config,
inputs, lib,
pkgs,
... ...
}: }:
let let
@ -42,7 +43,6 @@ in
services = { services = {
hydra = { hydra = {
enable = true; enable = true;
package = inputs.hydra.packages.x86_64-linux.hydra;
hydraURL = "https://hydra.alicehuston.xyz"; hydraURL = "https://hydra.alicehuston.xyz";
smtpHost = "alicehuston.xyz"; smtpHost = "alicehuston.xyz";
notificationSender = "hydra@alicehuston.xyz"; notificationSender = "hydra@alicehuston.xyz";
@ -82,10 +82,10 @@ in
''; '';
}; };
# nix-serve = { nix-serve = {
# enable = true; enable = true;
# secretKeyFile = config.sops.secrets."nix-serve/secret-key".path; secretKeyFile = config.sops.secrets."nix-serve/secret-key".path;
# }; };
prometheus = { prometheus = {
enable = true; enable = true;
webExternalUrl = "https://prom.alicehuston.xyz"; webExternalUrl = "https://prom.alicehuston.xyz";
@ -134,7 +134,7 @@ in
sops = { sops = {
secrets = { secrets = {
"hydra/environment".owner = "hydra"; "hydra/environment".owner = "hydra";
# "nix-serve/secret-key".owner = "root"; "nix-serve/secret-key".owner = "root";
"alice/gha-hydra-token" = { "alice/gha-hydra-token" = {
sopsFile = ../../users/alice/secrets.yaml; sopsFile = ../../users/alice/secrets.yaml;
owner = "hydra"; owner = "hydra";

28
systems/palatine-hill/plex/default.nix
View File

@ -1,28 +0,0 @@
{
pkgs,
...
}:
let
vars = import ../vars.nix;
in
{
services.plex = {
enable = true;
dataDir = vars.primary_plex;
};
systemd.services.plex_permission = {
description = "maintains plex permissions";
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.bash}/bin/bash ${./plex_permission.sh}";
};
};
systemd.timers.plex_permission = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "1h";
OnCalendar = "daily 03:00";
Unit = "plex_permission.service";
};
};
}

7
systems/palatine-hill/plex/plex_permission.sh
View File

@ -1,7 +0,0 @@
#!/bin/bash
plex_dir="/ZFS/ZFS-primary/plex"
chown docker-service:users -R "$plex_dir"
find "$plex_dir" -type f -exec chmod 664 {} \;
find "$plex_dir" -type d -exec chmod 775 {} \;

119
systems/palatine-hill/postgresql.nix
View File

@ -19,9 +19,6 @@ in
enable = true; enable = true;
enableJIT = true; enableJIT = true;
package = pkgs.postgresql_16; package = pkgs.postgresql_16;
configurePgStatStatements = true;
enableAllPreloadedLibraries = true;
#preloadAllExtensions = true;
identMap = '' identMap = ''
# ArbitraryMapName systemUser DBUser # ArbitraryMapName systemUser DBUser
superuser_map root postgres superuser_map root postgres
@ -31,126 +28,13 @@ in
''; '';
# initialScript = config.sops.secrets."postgres/init".path; # initialScript = config.sops.secrets."postgres/init".path;
ensureDatabases = [ ensureDatabases = [ "atticd" ];
"atticd"
"alice"
];
ensureUsers = [ ensureUsers = [
{ {
name = "atticd"; name = "atticd";
ensureDBOwnership = true; ensureDBOwnership = true;
} }
{
name = "alice";
ensureDBOwnership = true;
ensureClauses = {
superuser = true;
login = true;
createrole = true;
createdb = true;
replication = true;
};
}
]; ];
# Thank you NotAShelf
# https://github.com/NotAShelf/nyx/blob/d407b4d6e5ab7f60350af61a3d73a62a5e9ac660/modules/core/roles/server/system/services/databases/postgresql.nix#L74
# commented out statements are likely overriden by pgtune settings
# https://pgtune.leopard.in.ua/?dbVersion=17&osType=linux&dbType=web&cpuNum=64&totalMemory=8&totalMemoryUnit=GB&connectionNum=1024&hdType=hdd
settings = {
# Connectivity;
# max_connections = 100;
superuser_reserved_connections = 3;
# Memory Settings;
#shared_buffers = "1024 MB";
#work_mem = "32 MB";
#maintenance_work_mem = "320 MB";
#huge_pages = "off";
#effective_cache_size = "2 GB";
#effective_io_concurrency = 100; # concurrent IO only really activated if OS supports posix_fadvise function;
#random_page_cost = 1.25; # speed of random disk access relative to sequential access (1.0);
# Monitoring;
#shared_preload_libraries = "pg_stat_statements,auto_explain"; # per statement resource usage stats & log explain statements for slow queries
track_io_timing = "on"; # measure exact block IO times;
track_functions = "pl"; # track execution times of pl-language procedures if any;
# Replication;
wal_level = "replica"; # consider using at least "replica";
max_wal_senders = 0;
synchronous_commit = "on";
# Checkpointing: ;
checkpoint_timeout = "15 min";
#checkpoint_completion_target = 0.9;
#max_wal_size = "1024 MB";
#min_wal_size = "512 MB";
# WAL writing;
wal_compression = "on";
wal_buffers = -1; # auto-tuned by Postgres till maximum of segment size (16MB by default);
wal_writer_delay = "200ms";
wal_writer_flush_after = "1MB";
# Background writer;
bgwriter_delay = "200ms";
bgwriter_lru_maxpages = 100;
bgwriter_lru_multiplier = 2.0;
bgwriter_flush_after = 0;
# Parallel queries: ;
#max_worker_processes = 6;
#max_parallel_workers_per_gather = 3;
#max_parallel_maintenance_workers = 3;
#max_parallel_workers = 6;
parallel_leader_participation = "on";
# Advanced features ;
enable_partitionwise_join = "on";
enable_partitionwise_aggregate = "on";
jit = "on";
jit_above_cost = 100000;
jit_inline_above_cost = 150000;
jit_optimize_above_cost = 500000;
# log slow queries
log_min_duration_statement = 100;
"auto_explain.log_min_duration" = 100;
# logging configuration
log_connections = true;
log_statement = "all";
logging_collector = true;
log_disconnections = true;
# from pgtune
# DB Version: 17
# OS Type: linux
# DB Type: web
# Total Memory (RAM): 8 GB
# CPUs num: 64
# Connections num: 1024
# Data Storage: hdd
max_connections = 1024;
shared_buffers = "2GB";
effective_cache_size = "6GB";
maintenance_work_mem = "512MB";
checkpoint_completion_target = 0.9;
#wal_buffers = "16MB"; allow auto-tuning as per above
default_statistics_target = 100;
random_page_cost = 4;
effective_io_concurrency = 2;
work_mem = "512kB";
huge_pages = "off";
min_wal_size = "1GB";
max_wal_size = "4GB";
max_worker_processes = 64;
max_parallel_workers_per_gather = 4;
max_parallel_workers = 64;
max_parallel_maintenance_workers = 4;
};
refreshCollation = true; refreshCollation = true;
vacuumAnalyzeTimer.enable = true; vacuumAnalyzeTimer.enable = true;
@ -164,7 +48,6 @@ in
"hydra-send-stats" "hydra-send-stats"
"hydra-server" "hydra-server"
"atticd" "atticd"
"gitea"
]; ];
}; };
}; };

3
systems/palatine-hill/samba.nix
View File

@ -2,13 +2,14 @@
{ {
services.samba = { services.samba = {
enable = true; enable = true;
securityType = "user";
openFirewall = true; openFirewall = true;
settings = { settings = {
global = { global = {
security = "user";
"workgroup" = "WORKGROUP"; "workgroup" = "WORKGROUP";
"server string" = "palatine-hill"; "server string" = "palatine-hill";
"netbios name" = "palatine-hill"; "netbios name" = "palatine-hill";
"security" = "user";
#"use sendfile" = "yes"; #"use sendfile" = "yes";
#"max protocol" = "smb2"; #"max protocol" = "smb2";
# note: localhost is the ipv6 localhost ::1 # note: localhost is the ipv6 localhost ::1

15
systems/palatine-hill/secrets.yaml
View File

@ -10,7 +10,6 @@ postgres:
init: ENC[AES256_GCM,data:trwA30EswHEPa6V2GuHsGgU4NK/j/UQveldwHng0Ilwyqh9aZCgF3axP48MmcciBssux8DZ4O5U=,iv:VC+tpG5yuiBE7pjZ85lYCwHG/bTePxeXQDz2zyLyLYA=,tag:5+jwWTv5T5YWwQpR58QfOA==,type:str] init: ENC[AES256_GCM,data:trwA30EswHEPa6V2GuHsGgU4NK/j/UQveldwHng0Ilwyqh9aZCgF3axP48MmcciBssux8DZ4O5U=,iv:VC+tpG5yuiBE7pjZ85lYCwHG/bTePxeXQDz2zyLyLYA=,tag:5+jwWTv5T5YWwQpR58QfOA==,type:str]
gitea: gitea:
dbpass: ENC[AES256_GCM,data:8jECcEJ8JnK7fztTckzLrQ==,iv:yQMp5VrierOKXwiop0NUA7Qbn2eH5iUCVlKppZwKLIQ=,tag:rI9WT7zLIaFxVcTu3ufW4g==,type:str] dbpass: ENC[AES256_GCM,data:8jECcEJ8JnK7fztTckzLrQ==,iv:yQMp5VrierOKXwiop0NUA7Qbn2eH5iUCVlKppZwKLIQ=,tag:rI9WT7zLIaFxVcTu3ufW4g==,type:str]
minio: ENC[AES256_GCM,data:LxY6AD+CZ9VQEl5FrG6o0XiOiizLcwiLiyH1WJD8mMCPWhDjGzt+k+YPOm1BpWzTZF8+2EoxR9oKFJu9mzTibl2Ieits0/RNwh1VdQALXw3FwfRym7CFS+Z5S8H9kGMoXWRrr+I5,iv:g/wq0r2HKfX2AwirT4hm/H1Ms/mtbf4ZuFLISikRyoI=,tag:he99s/WpKoN+lHR8r4K30w==,type:str]
upsmon: upsmon:
password: ENC[AES256_GCM,data:52Rxsh7KUq+aYjQORBC+Yq5B,iv:F05g/a5bv7DQ+eLlMqsNeRHLxzl7AyXU1zAlmFevQ6o=,tag:xkGDD3hDF+u5fUbP33OrlA==,type:str] password: ENC[AES256_GCM,data:52Rxsh7KUq+aYjQORBC+Yq5B,iv:F05g/a5bv7DQ+eLlMqsNeRHLxzl7AyXU1zAlmFevQ6o=,tag:xkGDD3hDF+u5fUbP33OrlA==,type:str]
minio: minio:
@ -23,16 +22,16 @@ docker:
redis: ENC[AES256_GCM,data:c+55cN6IpUNeKd+wC2zv3eunYjBsmZtXTczokqaxB2Q=,iv:M3pwNUlT9kUMv4JDE6bp/gub9CdBGxdApIvpOt3JpgE=,tag:3rPlV3U0AP9zAeF7xDouKw==,type:str] redis: ENC[AES256_GCM,data:c+55cN6IpUNeKd+wC2zv3eunYjBsmZtXTczokqaxB2Q=,iv:M3pwNUlT9kUMv4JDE6bp/gub9CdBGxdApIvpOt3JpgE=,tag:3rPlV3U0AP9zAeF7xDouKw==,type:str]
act-runner: ENC[AES256_GCM,data:gdrqXBBzdMW26MgNfP6P1c/m7pLANCXjcZLvVsxlWcgpAZd8IaO2FUqomL3xFI3UDPveQh0UvC3044ueoWhYJOq7ZmKJGvdf0ZrpP1MkXZKvjFjbTsuf/6/SYKhPqnP28HqznUWIVJYcRmP+A2oVeJY=,iv:/yOqJYDpxbqCm1whqcypp7Ba1Xlaebrv+h6lHr57Qa8=,tag:PzVqxP+QwQq69jqhmagj3w==,type:str] act-runner: ENC[AES256_GCM,data:gdrqXBBzdMW26MgNfP6P1c/m7pLANCXjcZLvVsxlWcgpAZd8IaO2FUqomL3xFI3UDPveQh0UvC3044ueoWhYJOq7ZmKJGvdf0ZrpP1MkXZKvjFjbTsuf/6/SYKhPqnP28HqznUWIVJYcRmP+A2oVeJY=,iv:/yOqJYDpxbqCm1whqcypp7Ba1Xlaebrv+h6lHr57Qa8=,tag:PzVqxP+QwQq69jqhmagj3w==,type:str]
collabora: ENC[AES256_GCM,data:LPRkzPEv5qfzeWSDbf+L+0asfmiK5Mhj8jCdfVyvVQAaD75Cbo4qLD0Nc80z,iv:/l2vAyYYJChhv6T+JkHT4I74ZpdhvbVqxlDWIM4Y4bw=,tag:/+uzn1vtd1RnO9/lGiQAKA==,type:str] collabora: ENC[AES256_GCM,data:LPRkzPEv5qfzeWSDbf+L+0asfmiK5Mhj8jCdfVyvVQAaD75Cbo4qLD0Nc80z,iv:/l2vAyYYJChhv6T+JkHT4I74ZpdhvbVqxlDWIM4Y4bw=,tag:/+uzn1vtd1RnO9/lGiQAKA==,type:str]
delugevpn: ENC[AES256_GCM,data:YGkgaQUuA9oteKD77tnFzxZSHctyOQjMNlfvJr3mPWAl2P8wfcshiUoa6SNp69pagxbzRV6mfuzwzinbkQCoZN3lw7uF76y0,iv:Bro0H4tFR+3wi9DGGq9a6ge4o4uPlVXBUF7h17zyqg8=,tag:N1kVNFasqGMx8R9qTq2dJA==,type:str]
protonvpn-start-script: ENC[AES256_GCM,data:ZnlDpCLdILHXSUCI6itWkqO4y75Lwjj7qT1DBkfueLneQOaQ0JhuE2FbOOajkmI046nP9fMrJbu3g4QZHsq1g8yqGU1wb0OOT+eS9+M92Md29B4NnUdwnVAO6/RzvRKXP2tsQ4iprx9An+BEFwZYD6WG6DQc6NjJVSgRcYvfH9rQey2VdwLysNsgFCs8eC6QgikqBpeg4eOIvDDNbdXPKkW+ZPph9xpzGkcFIMwlX5esg0n7qyUoMvWwBn4avC46U5erOw0fNajY60ri9sm5Afht6LZrFal71Hx/K9/5EXBp9dD4teLO2Ew0CQX0i94pKCuR207l9868s7Ao3udLp4wbiLnXoRKq+w==,iv:qR0kNYpb50NXEqSksvHBPAaRG51RKCsSwTq32nosxzo=,tag:+xRQyuWi4Ja/N9lcd11oJA==,type:str]
acme: acme:
bunny: ENC[AES256_GCM,data:P2yROVUga9mORcq8VR/l0i4/2Vod1zvlYq+ZJLLNKow0SpblkwQX/i1ucQYAOkTTRddN+3C+t0zj1rMWkdLoaLjEUJJi3VsSxi+chV2FFiVKFQGEcg24,iv:aQvGgGLsgRGoEmwTgZHR8Jm/MYxmGtVTT/fZKaTLeMs=,tag:m3ssF4O8qs4yxvMu6yUcjw==,type:str] bunny: ENC[AES256_GCM,data:P2yROVUga9mORcq8VR/l0i4/2Vod1zvlYq+ZJLLNKow0SpblkwQX/i1ucQYAOkTTRddN+3C+t0zj1rMWkdLoaLjEUJJi3VsSxi+chV2FFiVKFQGEcg24,iv:aQvGgGLsgRGoEmwTgZHR8Jm/MYxmGtVTT/fZKaTLeMs=,tag:m3ssF4O8qs4yxvMu6yUcjw==,type:str]
dnsimple: ENC[AES256_GCM,data:37FKyBibFtXZgI4EduJQ0z8F+shBc5Q6YlLa3YkVPh9XuJVS20eybi75bfJxiozcZ9d+YRaqcbkBQCSdFOCotDU=,iv:oq3JjqbfAm2C4jcL1lvUb2EOmnwlR07vPoO8H0BmydQ=,tag:E3NO/jMElL6Q817666gIyg==,type:str] dnsimple: ENC[AES256_GCM,data:37FKyBibFtXZgI4EduJQ0z8F+shBc5Q6YlLa3YkVPh9XuJVS20eybi75bfJxiozcZ9d+YRaqcbkBQCSdFOCotDU=,iv:oq3JjqbfAm2C4jcL1lvUb2EOmnwlR07vPoO8H0BmydQ=,tag:E3NO/jMElL6Q817666gIyg==,type:str]
server-validation: server-validation:
webhook: ENC[AES256_GCM,data:Lwqy4UhyFutpXjai7EJPKp8MDlI+ayDna4T8jluvC6qkeJ7o1UaaDCOsgLy4Fw7LC77tXhJtkcmep9w37JaiHp2CoDOfy2iAaq8o9CCSi/a0zqMJx+HdZYZNemvmpc6E/be0K+JDrFZLbjr3unSpCidQ3whccC6XyY013R12swN3bFZIu1gtzXCgUZ4U,iv:pVbrRwH3ziu4+R5BfimPV7N71QmyerJEc9M5K4eofOc=,tag:zNrCXrIioQWPEPVz/wMDpQ==,type:str] webhook: ENC[AES256_GCM,data:Lwqy4UhyFutpXjai7EJPKp8MDlI+ayDna4T8jluvC6qkeJ7o1UaaDCOsgLy4Fw7LC77tXhJtkcmep9w37JaiHp2CoDOfy2iAaq8o9CCSi/a0zqMJx+HdZYZNemvmpc6E/be0K+JDrFZLbjr3unSpCidQ3whccC6XyY013R12swN3bFZIu1gtzXCgUZ4U,iv:pVbrRwH3ziu4+R5BfimPV7N71QmyerJEc9M5K4eofOc=,tag:zNrCXrIioQWPEPVz/wMDpQ==,type:str]
typhon:
hashedPassword: ENC[AES256_GCM,data:gMyY8gxUn3HzycQRu2cminqRFWghqWcjzZzTxAQZ5PJqn604iSwDiVdr7icHB7drJfCAfsE7L4oKRJgxaIAE32043oOkb2T7DDH8y2jxMzqmZCfbvrfMI4wdfRTHGqzxb6X/aZ5ai2rr1Q==,iv:4EsTo/lQld0o9iktDX9gobMlPUCitx1i9wn8EL16sIs=,tag:FgVDRHk2glDwpC/mprrPqQ==,type:str]
sops: sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: age:
- recipient: age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh - recipient: age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
enc: | enc: |
@ -43,8 +42,8 @@ sops:
cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At
LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw== LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-06-01T23:54:50Z" lastmodified: "2025-03-04T04:53:14Z"
mac: ENC[AES256_GCM,data:xBSrKfuBEXYVqLhZF903HbLaCpgXyuo3r7/FUBPM9Pl+rKUGx8p7LKCIec2NPCGO8ylQvC8T2mochSHSAvN339nxPlQ7f/tKWc6QgicaX4Sb4k0wJdqamSJTq4mkg8482HOUiFCSi3lA3zWC3Y9ZixESmEWTbxe9sQ51Vo69lkw=,iv:XiGVzryZwo5UmJe7I8pkg5IEdms0vR9iRdlFu2wjUeI=,tag:jhOuV+aZd5rQF0xg+0tvOg==,type:str] mac: ENC[AES256_GCM,data:MCucwVPGRMA/hGYS7mwSppkZAQ3wjHJnyeSvSI8YOOD0Xq7mvkMSvKctFHl6h4Cx3ubRvVHf5j35/NQxb+/VhhCPAHWDbqq9O2N0aWhAeybCu0IjruKrJhs76KsXJnNZ9REQQnS1/TNquuvj9FCoqDnrQcFs7M0KJ5m3eUU2h2k=,iv:ZJGJ8CTA8K5FnoKtbogleksB8wDcZtknO07M07Dmpsc=,tag:GMUXJD4U8KQgy9rvzEAMuw==,type:str]
pgp: pgp:
- created_at: "2024-11-28T18:56:39Z" - created_at: "2024-11-28T18:56:39Z"
enc: |- enc: |-
@ -59,4 +58,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330 fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.10.2 version: 3.9.4

17
systems/palatine-hill/typhon.nix
View File

@ -1,17 +0,0 @@
{ config, ... }:
let
vars = import ./vars.nix;
typhon_path = vars.primary_typhon;
in
{
services.typhon = {
enable = true;
hashedPasswordFile = config.sops.secrets."typhon/hashedPassword".path;
home = typhon_path;
};
sops.secrets = {
"typhon/hashedPassword".owner = "root";
};
}

2
systems/palatine-hill/vars.nix
View File

@ -17,6 +17,4 @@ rec {
primary_nextcloud = "${zfs_primary}/nextcloud"; primary_nextcloud = "${zfs_primary}/nextcloud";
primary_redis = "${zfs_primary}/redis"; primary_redis = "${zfs_primary}/redis";
primary_torr = "${zfs_primary}/torr"; primary_torr = "${zfs_primary}/torr";
primary_plex = "${zfs_primary}/plex";
primary_plex_storage = "${zfs_primary}/plex_storage";
} }

35
systems/selinunte/audio.nix
View File

@ -1,35 +0,0 @@
{ pkgs, ... }:
{
# rtkit is optional but recommended
security.rtkit.enable = true;
services = {
pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
# If you want to use JACK applications, uncomment this
#jack.enable = true;
};
pipewire.wireplumber.configPackages = [
(pkgs.writeTextDir "share/wireplumber/bluetooth.lua.d/51-bluez-config.lua" ''
bluez_monitor.properties = {
["bluez5.enable-sbc-xq"] = true,
["bluez5.enable-msbc"] = true,
["bluez5.enable-hw-volume"] = true,
["bluez5.headset-roles"] = "[ hsp_hs hsp_ag hfp_hf hfp_ag ]"
}
'')
];
blueman.enable = true;
};
hardware.bluetooth.enable = true;
hardware.bluetooth.powerOnBoot = true;
environment.systemPackages = with pkgs; [ pavucontrol ];
programs.noisetorch.enable = true;
}

49
systems/selinunte/configuration.nix
View File

@ -1,49 +0,0 @@
{
config,
lib,
pkgs,
...
}:
{
imports = [
./audio.nix
./desktop.nix
./fonts.nix
./graphics.nix
./polkit.nix
./programs.nix
./steam.nix
./stylix.nix
];
time.timeZone = "America/New_York";
# temp workaround for building while in nixos-enter
#services.logrotate.checkConfig = false;
networking = {
hostId = "9f2e1ff9";
firewall.enable = true;
useNetworkd = true;
};
boot = {
kernelPackages = lib.mkForce pkgs.linuxPackages_xanmod;
useSystemdBoot = true;
default = true;
};
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
services = {
flatpak.enable = true;
gvfs.enable = true;
openssh.enable = lib.mkForce false;
};
system.stateVersion = "25.11";
sops = {
defaultSopsFile = ./secrets.yaml;
};
}

23
systems/selinunte/default.nix
View File

@ -1,23 +0,0 @@
{ inputs, ... }:
{
system = "x86_64-linux";
home = true;
sops = true;
server = false;
users = [ "alice" ];
modules = [
inputs.nixos-hardware.nixosModules.common-pc
inputs.nixos-hardware.nixosModules.common-pc-ssd
inputs.nixos-hardware.nixosModules.common-gpu-nvidia-nonprime
inputs.nixos-hardware.nixosModules.common-cpu-amd
inputs.nixos-hardware.nixosModules.common-cpu-amd-pstate
inputs.nixos-hardware.nixosModules.common-cpu-amd-zenpower
inputs.stylix.nixosModules.stylix
{
environment.systemPackages = [
inputs.wired-notify.packages.x86_64-linux.default
inputs.hyprland-contrib.packages.x86_64-linux.grimblast
];
}
];
}

38
systems/selinunte/desktop.nix
View File

@ -1,38 +0,0 @@
{ pkgs, ... }:
{
# installs hyprland, and its dependencies
programs = {
hyprland = {
enable = true;
xwayland.enable = true;
withUWSM = true;
};
hyprlock.enable = true;
ydotool.enable = true;
};
# Optional, hint electron apps to use wayland:
environment.sessionVariables.NIXOS_OZONE_WL = "1";
services = {
displayManager.gdm = {
enable = true;
wayland = true;
};
dbus = {
enable = true;
implementation = "broker";
};
};
powerManagement = {
enable = true;
};
environment.systemPackages = with pkgs; [
libsForQt5.qt5.qtwayland
qt6.qtwayland
];
}

15
systems/selinunte/fonts.nix
View File

@ -1,15 +0,0 @@
{ pkgs, ... }:
{
fonts = {
fontconfig.enable = true;
enableDefaultPackages = true;
packages = with pkgs.nerd-fonts; [
fira-code
droid-sans-mono
hack
dejavu-sans-mono
noto
open-dyslexic
];
};
}

40
systems/selinunte/graphics.nix
View File

@ -1,40 +0,0 @@
{ config, pkgs, ... }:
{
hardware.graphics = {
## radv: an open-source Vulkan driver from freedesktop
enable = true;
enable32Bit = true;
};
hardware.nvidia = {
# Modesetting is required.
modesetting.enable = true;
# Nvidia power management. Experimental, and can cause sleep/suspend to fail.
# Enable this if you have graphical corruption issues or application crashes after waking
# up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead
# of just the bare essentials.
powerManagement.enable = false;
# Fine-grained power management. Turns off GPU when not in use.
# Experimental and only works on modern Nvidia GPUs (Turing or newer).
powerManagement.finegrained = false;
# Use the NVidia open source kernel module (not to be confused with the
# independent third-party "nouveau" open source driver).
# Support is limited to the Turing and later architectures. Full list of
# supported GPUs is at:
# https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
# Only available from driver 515.43.04+
open = false;
# Enable the Nvidia settings menu,
# accessible via `nvidia-settings`.
nvidiaSettings = true;
# Optionally, you may need to select the appropriate driver version for your specific GPU.
package = config.boot.kernelPackages.nvidiaPackages.stable;
};
}

96
systems/selinunte/hardware.nix
View File

@ -1,96 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"thunderbolt"
"usb_storage"
"usbhid"
"sd_mod"
"ip_vs"
"ip_vs_rr"
"nf_conntrack"
];
initrd.kernelModules = [
"dm-snapshot"
"r8152"
];
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
kernelParams = [
"amdgpu.sg_display=0"
"amdgpu.graphics_sg=0"
"amdgpu.abmlevel=3"
];
};
fileSystems = {
"/" = lib.mkDefault {
device = "/dev/disk/by-uuid/f3c11d62-37f4-495e-b668-1ff49e0d3a47";
fsType = "ext4";
options = [
"noatime"
"nodiratime"
];
};
"/home" = {
device = "/dev/disk/by-uuid/720af942-464c-4c1e-be41-0438936264f0";
fsType = "ext4";
options = [
"noatime"
"nodiratime"
];
};
"/nix" = {
device = "/dev/disk/by-uuid/035f23f8-d895-4b0c-bcf5-45885a5dbbd9";
fsType = "ext4";
options = [
"noatime"
"nodiratime"
];
};
"/boot" = {
device = "/dev/disk/by-uuid/5AD7-6005";
fsType = "vfat";
options = [
"noatime"
"nodiratime"
];
};
};
swapDevices = [ { device = "/dev/disk/by-uuid/3ec276b5-9088-45b0-9cb4-60812f2d1a73"; } ];
boot.initrd.luks.devices = {
"nixos-pv" = {
device = "/dev/disk/by-uuid/12a7f660-bbcc-4066-81d0-e66005ee534a";
preLVM = true;
allowDiscards = true;
};
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

22
systems/selinunte/polkit.nix
View File

@ -1,22 +0,0 @@
{ pkgs, ... }:
{
security.polkit.enable = true;
environment.systemPackages = with pkgs; [ polkit_gnome ];
systemd = {
user.services.polkit-gnome-authentication-agent-1 = {
description = "polkit-gnome-authentication-agent-1";
wantedBy = [ "graphical-session.target" ];
wants = [ "graphical-session.target" ];
after = [ "graphical-session.target" ];
serviceConfig = {
Type = "simple";
ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
Restart = "on-failure";
RestartSec = 1;
TimeoutStopSec = 10;
};
};
};
}

112
systems/selinunte/programs.nix
View File

@ -1,112 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
act
alacritty
attic-client
amdgpu_top
bat
bitwarden-cli
bfg-repo-cleaner
btop
calibre
# calibre dedrm?
candy-icons
chromium
chromedriver
croc
deadnix
direnv
easyeffects
eza
fanficfare
ferium
fd
file
firefox
# gestures replacement
git
glances
gpu-viewer
grim
helvum
htop
hwloc
ipmiview
iperf3
# ipscan
jp2a
jq
kdePackages.kdenlive
kitty
kubectl
kubernetes-helm
libreoffice-fresh
libtool
lsof
lynis
masterpdfeditor4
minikube
mons
mpv
# nbt explorer?
ncdu
nemo-with-extensions
neofetch
neovim
nix-init
nix-output-monitor
nix-prefetch
nix-tree
nixpkgs-fmt
nmap
obs-studio
obsidian
ocrmypdf
pciutils
#disabled until wxpython compat with python3.12
#playonlinux
prismlauncher
protonmail-bridge
protontricks
proxychains
qrencode
redshift
restic
ripgrep
rpi-imager
rofi-wayland
samba
signal-desktop
# signal in tray?
siji
simple-mtpfs
skaffold
slack
slurp
smartmontools
snyk
sops
spotify
spotify-player
#swaylock/waylock?
sweet-nova
telegram-desktop
terraform
tig
tokei
tree
unipicker
unzip
uutils-coreutils-noprefix
vesktop
vscode
watchman
wget
wl-clipboard
yq
yt-dlp
zoom-us
zoxide
];
}

0
systems/selinunte/secrets.yaml
View File

20
systems/selinunte/steam.nix
View File

@ -1,20 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = [ pkgs.steam-run ];
hardware.steam-hardware.enable = true;
programs = {
gamescope = {
enable = true;
capSysNice = true;
};
steam = {
enable = true;
remotePlay.openFirewall = true;
localNetworkGameTransfers.openFirewall = true;
extraCompatPackages = with pkgs; [ proton-ge-bin ];
gamescopeSession.enable = true;
extest.enable = true;
};
};
}

16
systems/selinunte/stylix.nix
View File

@ -1,16 +0,0 @@
{ pkgs, ... }:
# let
# randWallpaper = pkgs.runCommand "stylix-wallpaper" { } ''
# numWallpapers =
# $((1 + $RANDOM % 10))
# in
{
stylix = {
enable = true;
image = "${pkgs.hyprland}/share/hypr/wall2.png";
#image = "/home/alice/Pictures/Screenshots/screenshot_2024-12-04-2030.png";
polarity = "dark";
};
}

18
treefmt.toml
View File

@ -12,21 +12,3 @@ command = "nixfmt"
#options = [] #options = []
# Glob pattern of files to include # Glob pattern of files to include
includes = [ "*.nix" ] includes = [ "*.nix" ]
[formatter.jsonfmt]
command = "jsonfmt"
excludes = []
includes = ["*.json"]
options = ["-w"]
[formatter.shfmt]
command = "shfmt"
excludes = []
includes = ["*.sh", "*.bash", "*.envrc", "*.envrc.*"]
options = ["-i", "2", "-s", "-w"]
[formatter.yamlfmt]
command = "yamlfmt"
excludes = []
includes = ["*.yaml", "*.yml"]
options = ["-formatter","indent=4"]

5
users/alice/home.nix
View File

@ -16,7 +16,6 @@
./home/gammastep.nix ./home/gammastep.nix
./home/doom ./home/doom
./home/hypr ./home/hypr
./home/waybar.nix
./non-server.nix ./non-server.nix
]; ];
@ -80,6 +79,7 @@
# doom emacs dependencies # doom emacs dependencies
fd fd
ripgrep ripgrep
ruff-lsp
pyright pyright
# audit # audit
@ -89,9 +89,6 @@
nodejs_20 nodejs_20
nodePackages.prettier nodePackages.prettier
treefmt treefmt
gocryptfs
awscli2
]; ];
}; };

3
users/alice/home/doom/custom.el
View File

@ -22,6 +22,3 @@
(setq! lsp-nix-nil-max-mem 20000) (setq! lsp-nix-nil-max-mem 20000)
(setq! lsp-nix-nil-formatter ["nixfmt"]) (setq! lsp-nix-nil-formatter ["nixfmt"])
;; (add-hook 'python-mode-hook (lambda ()
;; (require 'sphinx-doc)
;; (sphinx-doc-mode t)))

7
users/alice/home/doom/packages.el
View File

@ -80,10 +80,3 @@
(package! pacdiff.el (package! pacdiff.el
:recipe (:host github :repo "fbrosda/pacdiff.el" :files ("pacdiff.el" "README.org" "LICENSE"))) :recipe (:host github :repo "fbrosda/pacdiff.el" :files ("pacdiff.el" "README.org" "LICENSE")))
;;(package! python-docstring-mode
;; :recipe (:host github :repo "glyph/python-docstring-mode" :files ("python-docstring.el" "docstring_wrap.py")))
;;(package! sphinx-doc)
;; https://github.com/glyph/python-docstring-mode.git

3
users/alice/home/git.nix
View File

@ -3,7 +3,6 @@
{ {
programs.git = { programs.git = {
enable = true; enable = true;
lfs.enable = true;
signing = { signing = {
key = "5EFFB75F7C9B74EAA5C4637547940175096C1330"; key = "5EFFB75F7C9B74EAA5C4637547940175096C1330";
signByDefault = true; signByDefault = true;
@ -29,8 +28,6 @@
color.ui = true; color.ui = true;
init.defaultBranch = "main"; init.defaultBranch = "main";
format.signoff = true; format.signoff = true;
pack.windowMemory = "2g";
pack.packSizeLimit = "1g";
}; };
}; };
} }

1
users/alice/home/hypr/default.nix
View File

@ -8,7 +8,6 @@
{ {
xdg.configFile = { xdg.configFile = {
"hypr/hyprland.conf".source = ./hyprland.conf; "hypr/hyprland.conf".source = ./hyprland.conf;
"hypr/show-hide.sh".source = ./show-hide.sh;
}; };
imports = [ imports = [

8
users/alice/home/hypr/hypridle.nix
View File

@ -18,14 +18,14 @@
listener = [ listener = [
{ {
timeout = 150; # 2.5min. timeout = 150; # 2.5min.
on-timeout = "${pkgs.brightnessctl}/bin/brightnessctl -s set 1"; # set monitor backlight to minimum, avoid 0 on OLED monitor. on-timeout = "brightnessctl -s set 1"; # set monitor backlight to minimum, avoid 0 on OLED monitor.
on-resume = "${pkgs.brightnessctl}/bin/brightnessctl -r"; # monitor backlight restore. on-resume = "brightnessctl -r"; # monitor backlight restore.
} }
# turn off keyboard backlight, comment out this section if you dont have a keyboard backlight. # turn off keyboard backlight, comment out this section if you dont have a keyboard backlight.
{ {
timeout = 150; # 2.5min. timeout = 150; # 2.5min.
on-timeout = "${pkgs.brightnessctl}/bin/brightnessctl -sd rgb:kbd_backlight set 0"; # turn off keyboard backlight. on-timeout = "brightnessctl -sd rgb:kbd_backlight set 0"; # turn off keyboard backlight.
on-resume = "${pkgs.brightnessctl}/bin/brightnessctl -rd rgb:kbd_backlight"; # turn on keyboard backlight. on-resume = "brightnessctl -rd rgb:kbd_backlight"; # turn on keyboard backlight.
} }
{ {
timeout = 300; # 5min timeout = 300; # 5min

7
users/alice/home/hypr/hyprland.conf
View File

@ -22,9 +22,6 @@ monitor=,preferred,auto,auto
# exec-once = waybar & hyprpaper & firefox # exec-once = waybar & hyprpaper & firefox
exec-once = wired & exec-once = wired &
exec-once = wired
exec-once = systemctl --user start polkit-gnome-authentication-agent-1.service
# Source a file (multi-file configs) # Source a file (multi-file configs)
# source = ~/.config/hypr/myColors.conf # source = ~/.config/hypr/myColors.conf
@ -210,7 +207,3 @@ bind = $mainMod, P, exec, bwm
# lock screen # lock screen
bind = $mainMod, L, exec, loginctl lock-session bind = $mainMod, L, exec, loginctl lock-session
# hide active window
bind = $mainMod,H,exec,/home/alice/config/hypr/hide_unhide_window.sh h
# show hide window
bind = $mainMod,I,exec,/home/alice/config/hypr/hide_unhide_window.sh s

9
users/alice/home/hypr/hyprlock.nix
View File

@ -11,8 +11,7 @@
settings = { settings = {
general = { general = {
immediate_render = true; immediate_render = true;
# disabling as config doesn't exist no_fade_in = true;
#no_fade_in = true;
}; };
background = { background = {
monitor = ""; monitor = "";
@ -55,8 +54,7 @@
dots_spacing = 0.15; # Scale of dots' absolute size, -1.0 - 1.0 dots_spacing = 0.15; # Scale of dots' absolute size, -1.0 - 1.0
dots_center = false; dots_center = false;
dots_rounding = -1; # -1 default circle, -2 follow input-field rounding dots_rounding = -1; # -1 default circle, -2 follow input-field rounding
# disabling as config doesn't exist dots_fade_time = 200; # Milliseconds until a dot fully fades in
# dots_fade_time = 200; # Milliseconds until a dot fully fades in
dots_text_format = ""; # Text character used for the input indicator. Leave empty for a rectangle that will be rounded via dots_rounding (default). dots_text_format = ""; # Text character used for the input indicator. Leave empty for a rectangle that will be rounded via dots_rounding (default).
# disabling due to stylix # disabling due to stylix
# outer_color = "rgb(151515)"; # outer_color = "rgb(151515)";
@ -72,8 +70,7 @@
#fail_color = "rgb(204, 34, 34)"; # if authentication failed, changes outer_color and fail message color #fail_color = "rgb(204, 34, 34)"; # if authentication failed, changes outer_color and fail message color
fail_text = "<i>$FAIL <b>($ATTEMPTS)</b></i>"; # can be set to empty fail_text = "<i>$FAIL <b>($ATTEMPTS)</b></i>"; # can be set to empty
fail_timeout = 2000; # milliseconds before fail_text and fail_color disappears fail_timeout = 2000; # milliseconds before fail_text and fail_color disappears
# disabling as config doesn't exist fail_transition = 300; # transition time in ms between normal outer_color and fail_color
#fail_transition = 300; # transition time in ms between normal outer_color and fail_color
capslock_color = -1; capslock_color = -1;
numlock_color = -1; numlock_color = -1;
bothlock_color = -1; # when both locks are active. -1 means don't change outer color (same for above) bothlock_color = -1; # when both locks are active. -1 means don't change outer color (same for above)

25
users/alice/home/hypr/show-hide.sh
View File

@ -1,25 +0,0 @@
#!/usr/bin/env bash
stack_file="/tmp/hide_window_pid_stack.txt"
function hide_window() {
pid=$(hyprctl activewindow -j | jq '.pid')
hyprctl dispatch movetoworkspacesilent "88,pid:$pid"
echo "$pid" >>$stack_file
}
function show_window() {
pid=$(tail -1 $stack_file && sed -i '$d' $stack_file)
[ -z "$pid" ] && exit
current_workspace=$(hyprctl activeworkspace -j | jq '.id')
hyprctl dispatch movetoworkspacesilent "$current_workspace,pid:$pid"
}
if [ -n "$1" ]; then
if [ "$1" == "h" ]; then
hide_window >>/dev/null
else
show_window >>/dev/null
fi
fi

40
users/alice/home/waybar.json
View File

@ -1,40 +0,0 @@
[
{
"height": 20,
"layer": "top",
"position": "top",
"output": [
"eDP-1",
"eDP-2",
"HDMI-0",
"DP-0"
],
"hyprland/workspaces": {
"active-only": true,
"all-outputs": false,
"show-special": true,
"move-to-monitor": true,
"format": "{icon} {windows}",
"format-window-separator": " ",
"format-icons": {
"1": "󰎤",
"2": "󰎧",
"3": "󰎪",
"default": "",
"empty": "󱓼",
"urgent": "󱨇"
},
"persistent-workspaces": {
"1": "HDMI-0"
},
"on-scroll-down": "hyprctl dispatch workspace e-1",
"on-scroll-up": "hyprctl dispatch workspace e+1",
"window-rewrite": {
"title<Steam>": ""
},
"window-rewrite-default": "",
"window-rewrite-separator": " ",
"sort-by": "number"
}
}
]

2
users/alice/home/waybar.nix
View File

@ -2,6 +2,6 @@
lib.mkIf (!machineConfig.server) { lib.mkIf (!machineConfig.server) {
programs.waybar = { programs.waybar = {
enable = true; enable = true;
settings = builtins.fromJSON (builtins.readFile ./waybar.json); #settings = builtins.fromJSON (import ./waybar.json);
}; };
} }

25
users/alice/home/zsh.nix
View File

@ -1,9 +1,10 @@
{ lib, ... }: { ... }:
{ {
programs.zsh = { programs.zsh = {
enable = true; enable = true;
# autosuggestion.enable = true;
oh-my-zsh = { oh-my-zsh = {
enable = true; enable = true;
plugins = [ plugins = [
@ -22,27 +23,7 @@
"z" "z"
]; ];
}; };
/* initExtra = ''
To specify the order, use lib.mkOrder.
Common order values:
500 (mkBefore): Early initialization (replaces initExtraFirst)
550: Before completion initialization (replaces initExtraBeforeCompInit)
1000 (default): General configuration (replaces initExtra)
1500 (mkAfter): Last to run configuration
To specify both content in Early initialization and General configuration, use lib.mkMerge.
e.g.
initContent = let zshConfigEarlyInit = lib.mkOrder 500 do something; zshConfig = lib.mkOrder 1000 do something; in lib.mkMerge [ zshConfigEarlyInit zshConfig ];
*/
initContent = lib.mkOrder 1000 ''
# functions # functions
function mount-data { function mount-data {
if [[ -f /home/alice/backup/.noconnection ]]; then if [[ -f /home/alice/backup/.noconnection ]]; then

41
users/alice/non-server.nix
View File

@ -5,46 +5,6 @@
enable = true; enable = true;
package = pkgs.emacs30-pgtk; package = pkgs.emacs30-pgtk;
}; };
programs.vesktop = {
enable = true;
settings = {
appBadge = false;
arRPC = true;
checkUpdates = false;
customTitleBar = false;
hardwareAcceleration = true;
};
vencord.settings = {
autoUpdate = false;
autoUpdateNotification = false;
notifyAboutUpdates = false;
plugins = {
AnonymiseFileNames.enabled = true;
BetterFolders.enabled = true;
BetterGifAltText.enabled = true;
CallTimer.enabled = true;
ClearURLs.enabled = true;
CopyFileContents.enabled = true;
CtrlEnterSend.enabled = true;
CustomIdle = {
enabled = true;
remainInIdle = false;
};
FriendsSince.enabled = true;
GameActivityToggle.enabled = true;
ImplicitRelationships.enabled = true;
MutualGroupDMs.enabled = true;
QuickMention.enabled = true;
QuickReply.enabled = true;
ReplaceGoogleSearch = {
enabled = true;
customEngineName = "DuckDuckGo";
};
ReviewDB.enabled = true;
ShowConnections.enabled = true;
};
};
};
home.packages = with pkgs; [ home.packages = with pkgs; [
cmake cmake
shellcheck shellcheck
@ -104,6 +64,5 @@
zathura zathura
obsidian obsidian
libreoffice-qt-fresh libreoffice-qt-fresh
wlr-randr
]; ];
} }

22
users/alice/secrets.yaml
View File

@ -2,15 +2,17 @@ alice:
user-password: ENC[AES256_GCM,data:+cM85X1vapqfQdJ+Dv6YvT5qHlvsmaXPRbvKRHtCkPT3wdw4f7tLHLFmvWnak7CRezI00PxVEtCZL5mqLyN2HaU4OqIk/9fgqczIzemwBlMGJt+ndwG4oqBqE0ymtzmy8MA59wonRqoxzYKQfAGQsprdCIovrg==,iv:BtSDBgvQeZdTY1KUClnt9V8qHcS/gouaaQw342tk4Sg=,tag:T7tzyKuCo83s78ca7f4KDQ==,type:str] user-password: ENC[AES256_GCM,data:+cM85X1vapqfQdJ+Dv6YvT5qHlvsmaXPRbvKRHtCkPT3wdw4f7tLHLFmvWnak7CRezI00PxVEtCZL5mqLyN2HaU4OqIk/9fgqczIzemwBlMGJt+ndwG4oqBqE0ymtzmy8MA59wonRqoxzYKQfAGQsprdCIovrg==,iv:BtSDBgvQeZdTY1KUClnt9V8qHcS/gouaaQw342tk4Sg=,tag:T7tzyKuCo83s78ca7f4KDQ==,type:str]
#ENC[AES256_GCM,data:6+dLs8opC27IrHJCPfL2c7KiLbaQTqI6oRKpIZLR4+P9gTupziAhCm/G7RY01gVPSgxdBpJ6L4xVbcMEg9hDKBMI4naF9arNrFsV6WXNc+LA5BYyT9L9G1nDea8fPFYDSF2537eLgLqWNE1WSsUOrz/WOxbE6g==,iv:AxsdKmGz6qEYlWY08q/2hqsm0EXaqodwD/7OJg4FAIY=,tag:EgfL3I1VBXtFgIdTOW5eBA==,type:comment] #ENC[AES256_GCM,data:6+dLs8opC27IrHJCPfL2c7KiLbaQTqI6oRKpIZLR4+P9gTupziAhCm/G7RY01gVPSgxdBpJ6L4xVbcMEg9hDKBMI4naF9arNrFsV6WXNc+LA5BYyT9L9G1nDea8fPFYDSF2537eLgLqWNE1WSsUOrz/WOxbE6g==,iv:AxsdKmGz6qEYlWY08q/2hqsm0EXaqodwD/7OJg4FAIY=,tag:EgfL3I1VBXtFgIdTOW5eBA==,type:comment]
#ENC[AES256_GCM,data:vUMcowHjlQA0RWflfaQhZKkalO39epYi6N9PPW8=,iv:6DFqHlQR+mi+ZkfMUhlhwvpMwnxXNfQV6+sYgPzSj4I=,tag:Pz1zJayscGckPO8Q2ZVb4g==,type:comment] #ENC[AES256_GCM,data:vUMcowHjlQA0RWflfaQhZKkalO39epYi6N9PPW8=,iv:6DFqHlQR+mi+ZkfMUhlhwvpMwnxXNfQV6+sYgPzSj4I=,tag:Pz1zJayscGckPO8Q2ZVb4g==,type:comment]
gha-hydra-token: ENC[AES256_GCM,data:CXdOiW9oYaVj4oqfiXSz9O9xIsB5ZyUac2WFSFD1ankZpnmQpv9TwolJxb6h8r+UM7Q9QzCCWk7KHe80lolZhpHa79bpcj+wt9v51ydj0Zy+3sufHS+JnGwmqBbw6dVqJ2uBr4nW2NADzHEbG8N367uKYEq2vazB4y02JiopXL8DHsYcx+Z4u7GJC/gYbpm9vnt8OVdYmfYRQ9BGSiaJOghDzpmCisEZdLpCLXM3cULn8yVUXIFWx8yF/6JrWN+myeoZiUFCL2sZmeSIswFg9kwBKXIsjBrz+EDXZzDCEr88UrEJ0j2+egsrG9BNlstVwC8oscYdbXWmYUdsCBNVxK3xjJYm9gDdSyo0DfSvTzK1t+/s9L1zC8uqj2TXYdVd6QyH2TRXxiPeNLYClRHT2UljymSpIVXOn/Okuo7dte+ZZqZVndT1lwK//2y8V3Hng+5wixfFFsQAd5oJzfraRSnM+RLZtjI3TMoyc5no3pVwV6zsCqRd2nvr7gieXUMWtSLb6YrM6tvhRpeiieYUqQ8NwHV0Avqco0I838o5yywVGSnUflGxnwYoGQIX70qoTcxNPGuiiiqSynh64e3nrlC9xN6EWuFpUNVfkBibZNRi+EyDAhK7LKwiPbL2z919N54vyzzoWA1KUFqxow+JsX+Q8rpnfJtag44F5qFt3/Be5PIMYVU7acXTiVJvM3cKPMQIBPXpQFX5OshwGhttGFuB53aWPHCzlhT4NDQbcZ/rLQ3bcytVpnH55WWze0Oe0zUZYGFc/rV9Fc4QjhR7/8pAi9kGUlKy2MYBamjmnCWlOnHPIQQLpPs/oiW+,iv:KL2P3O8Fnbn56hLX8PWIrigoPTBfIvMUpizKy3C3RIA=,tag:G0M/9iT9IWUSJ5ktUc/g5A==,type:str] gha-hydra-token: ENC[AES256_GCM,data:rYDYIn7MAF4pSZQj+Nln2z9J+AxvuSzumthL86njpKETutArrw+9iX2hHJt5t513NHH03tMtZOFqM60/pzWg4YXVQOSpQmq8QOelD7qCdfCr4Z2QSeOHqXqwKy21iWtoVbxOXWunVxLzkWMJrpHkpVsiBA75Nv66ftKEjN80QNGik6xQE1iPsCB2JHeqYNIr8gtPkCr7H5Pt4yBBO/1rsyONrbNlwmzVX78eqXxmc43XOiNVjEsk8ekJxJ9mn5S6JcPNehBcnZA0kWAIxvtDIPYKnz4YBIXoilBbjgytXL8nw3PkEX27x5yeg9KfxPxO/4CGoi5wfKsYuEynBdWbHtj6a3H0AvA9KIZzktTRNJFU3ZW8UveSCXY4YHl0NREJ8kbIUgkkE7PWeyzGenGFTPMahTA0rKSa+tWPQ1c00lvo9VS3/7pfeJfZEKS7R2xBaEDZrfffHyB5PLTQOGpWl5y40wTn4HdBlyQwoREvobOaKVZEyWtVvJcUeHDPepgEHGVDzwyTelX8Btb6ZNA0Fur8xvpkLZcLmMhbvCdkjq84ztJ36nQQ5JZthecyqcZTWPyfWtPeoUPVIaxn31oLjwsriDwdQmID6twTjC9PT8nBZD/u0JebOCdeYf8fm9q49SaN2w/ZMdSRWucHUsRXeN9O149vYoOqR28H+8v/tYJdqofJpHKrIBs=,iv:GcEV6f4rqkrpCafeaLNMqqU/vBNE0xHbqokL2gMXHYw=,tag:sCHvUgq1w8npedjIAninrA==,type:str]
wakatime-api-key: ENC[AES256_GCM,data:ITu5pRySYGCJ6q9IQ35NfpGX2FyIJRYHGDeBiq0btzIrqitxcFox1Vc=,iv:HsXpyFHV7dG5qORk26BtD+kFo4Jdq2c4fozMpoqyDfU=,tag:uaQoXvvYqNfmRXVDVH8AoQ==,type:str] wakatime-api-key: ENC[AES256_GCM,data:ITu5pRySYGCJ6q9IQ35NfpGX2FyIJRYHGDeBiq0btzIrqitxcFox1Vc=,iv:HsXpyFHV7dG5qORk26BtD+kFo4Jdq2c4fozMpoqyDfU=,tag:uaQoXvvYqNfmRXVDVH8AoQ==,type:str]
attic-nix-cache-creator: ENC[AES256_GCM,data:ygWuPJfFZQVHtJ83DfB7VB84PNF0knLkOwD4A67NMNp8pU9pA9lI56RSyKDkFd+qYRBSeEXSepbSOA+BhvQaCZiVEiao3LBlh7/6Sp5ni+Rdt3hGKcd+JRQyedEmTkg9h8NbtR6LvI90EiMhyVg6WLCzlGAtFFBcSvIqssrC/KDHCjd4uMzXeW23wUB40dU1PpwkLPtcNVvIzgxqYRsRPFOXZxGxQYGpBWtzDveqgmeLwavhU481wHfCwqpyXJZflbR+UzWdr+zbmSFdJadlLdHeooNGvRC+av0MK4YMCCgu1Em34IeawpiesFhhj/IVGa2xQWjXE0MF3SDLvlh5yMqNPodTZ7FAEZgD7rTYIbaH8JHiYbgI6v7/ANPcFqw2eKT7wVP8cTL1yPedcZcU,iv:J7JYA98NHxM0tExfUdjkir6/+tkOkPLMBNdjXBP9fbA=,tag:WaCWmrzLgr9lDUL+jxeMNA==,type:str] attic-nix-cache-creator: ENC[AES256_GCM,data:P0iBdy4IYrxcq7v4wTgwwZvAfVdRFo08pi0zvpY9cP9BDCwbBnp+3qDKWL29rC7OxsaLtmRkvPmbkF3ZX3Yu5OaptwVg2Xi0vNqhk3gu5Fdj8ygPigB0ZtimkfWv1QkctoVoXKXuLv6Xd4XKPCWOOIekWlJsBRcyfyzkyFURkU9tBBkXyEAWItho/J8hJr6r00eA3EN4rTe8Ge+PGpfTfpZVpnoGrC35xPnGLq19+b44DectHDTkMZrZKxiCaVIgKUZDLaFgi6a6PsX+L1HQAIZukXJu3m4BPdvzzby+zgX24pVJOYjAUB2BwO9jUlMS6+7qo0p6k01uLicryfKx/ajdAHcy39tFHX7naA4JriC2/FgI2HlFGp0Lc+g0pfdCYwLs5QBfRaOHyrbFWUDG,iv:OBrgnewqBaug00ygAXs0eFs3LqcHqo1EW96N5I38A0o=,tag:V+Gn47O6AH1RwL9qJLpAkw==,type:str]
attic-nix-cache-reader: ENC[AES256_GCM,data:78jJJh332XvFx29HxNW7CULMNMsQ2xMTCIIk5oX5AimBoFXXVH7z9EGFbDimwfaYlsPK6xuU+9mnCnhCjCoGFRX9GQbW+Z2D9TGMsBfe3eztbWlcJ++EkWSCbHKEIGKTF13aRGrKRIOjIy9Gl3qZt4BnZtQPFMOzQO8u80M116u3w4ttqz9rzaIrXWB6GIMI5lWF5rQe5ML1vDgvL2KNMNkPAAm5O1Fv887woVcqxbPhiNhJGXBSiPZpe3PG8wP6z0GTe/GhMTPCOlVJIdsxKnEaRaTSAtVazFos5zSMvLYYrbj6ISoS9tEQ6bFMy6xl,iv:dGDSTtsQlwElerRXpT97uapzOh766bysZTQMjUEEJnM=,tag:OQOYmQqKywdSjUUXnELdpQ==,type:str] attic-nix-cache-reader: ENC[AES256_GCM,data:DWIkRri3lHJOVXIAbHWJL7cCV4FHjB91bbpPAib/5ZDKap3xjnxUjwswc7wjO1hCoV3+gmep1a64kma6MJts4bcAug5bPyrrPy//rVpCYvSbSmbPz5k4sW5GLU/Sf4NyBevsQo9KRrphpoSUQEFQB27vabYDjjkB051/qJo1B9B7nqmrSyd3np4YdyHAgUiMyJt0oqx8nXySz3XZU+DIM8/OhMZILpnEWIgyP2K7j8JNNpZZJ5sD/icUy6Vba/4LcKjtmYtfQ+HO1soyF6aMiQSjhp7fzJHktwa9kgB3oDzIg3KyCJYS2RNW7mW9Dd1T,iv:fvhGFU22KgknMpJbOkA3v29bKzRVX6hi7V7xJgSUjPg=,tag:TjGSUl0XXS7jlhP/NG4cvQ==,type:str]
attic-nix-cache-writer: ENC[AES256_GCM,data:IIrGw+MtZEZqJdNGPryN5xKg7UOP+0kjzpthhyRdQz0P3yS/vThSaV+VuduQq5WgnaNjXLA6LBU+cufmVmvrkeTkZ281976sLTbYzrPCW/hCy1+w7qdv6vauaFsLqtnmWlHNwCIkXbUvQWq56WvP6m1PuYaUIFYn3SUprQ1du+X0buK1FUOhSH4HXfiqpNJOomLhok9M0Tyzn8yK5Fn1dzmJ8tsgBczzhWeZzsj4TuksFLV2r6NXzeQp2jWQkxv39Eg6Lf+0eaHxWQFR4s2uKYzwdsDOnpSmUgXFTzVB6RGAEpasKkVZ2NfG4GeUKBFPDVJoR6ilLZA=,iv:e58OGCbgLIIzKfBALtrsYmWg9Gp0nySNYsJ3X5IWp4I=,tag:bnwBipVK3BSOizg8twQ4lQ==,type:str] attic-nix-cache-writer: ENC[AES256_GCM,data:vxSeys7EJDyatZFpeyxeDzaKGqDtm3atpVly6+BPHUFTrlLaVl86roGZjpBB9wwOMuP007qJNva0HQcTONbSyNw/snUU5JpaFWLT87Eu81V8gdulzHwm61caQ4A/e1ylKkdtwalNymBSyWi9b+SOWXTgralrg9L3OHw+nVuZaAi8QXF2ImLoZ2vXl7MGNXParflV2KK2uqfRatDZMbSSFipT0tQpkNTBTA6l8woILK3BKrHdYq+D8n4EmRowSuMWuN1uknyctb4+Ap3AeBITvyJjKejocQ9qK9plP6CChiC4Z1mmt/HOrfXYXiJO+Va64rOYRywMga8=,iv:bAx7iR24dpIOudkiFOc/xmIG73rcaMDdhWjiBO4BsBM=,tag:gtTyldhdRV97YJREG5lPjA==,type:str]
attic-nix-cache-admin: ENC[AES256_GCM,data:xHJGeU4EUn1HRy2nIValiJ6iLZnYmmT6Njv/cGMh15Q0hJXKNBSsi8f0mAfLI7EX+GaC299VKh2uTlU25jptrAvogLxNJIc+LZBLsSkyGE/ojqqevHMKmZ/6eciLZRQL5ey9TM3V9HHyDOhGaFgdfawtwg/vyvbV13lZBKpqneAX9T3gPRuKRjV4/Uc/5cUckiOF8bQ50xVFN8Cql9HgGDJEGWgg4XUTPu5eYspof2EN63pYvU7wg6HD2begeLDvqc2/i2DIcsc0wqc5DgkY/dH2YtcssBtU8AR9vKpl+HmH/wvt6dfaEyZ7hF7ITGwWnOO6H2ko3SjYRfHkFK3XDmm1YRRjfkptnw==,iv:BdVgNyZ1azl5tKfH+RTeXuNV/rYY6hPvrareKlIXSeQ=,tag:/ar87eAjMod4TmQXoerNBQ==,type:str] attic-nix-cache-admin: ENC[AES256_GCM,data:OP02nJTo0cx8M9cR+P7cpI1gEXCKqXWehlaL+dYGwGSUnQ6iSC25vpdZ5SSnjyhiBZe+VnYld+b5PO+OOt7NMGxVvQ0zcuvrG7qfhEpIfGrbx9S9cEV2eAMchG/Hua609MUTbFYKvpwWw6tFZD2dYYQv2gXI7mYSeN0Tw4i2x1f/+cKDtV+ak+UHRgEe/f5OdE8v5I6dRXUQGVOBSRAQkfYDFuI2JUz4oNJsz66YkdMtgudhqWi4mekODD3v2Gcg/zAv1PogaHaIH1BHNvLQ/DsNVcvLsnTb6inM3cTCyPpHcx+VwPO7g9kYNV8xcCRkAIvX6aFzRVT0tJcEXFWStMnKS8nr8HoKFQ==,iv:ftmN3jK5qa6SwrSyhhL3PZls2hTG6xGa0LW7ycdkYxQ=,tag:TQCELzJQjsMfAJseZ7tB4w==,type:str]
gitea-actions-token: ENC[AES256_GCM,data:QTEPMAh1RWWJ/O3yhkQkEBTdVL8XhIRGCDbiM0lLjfILKF4SpSJ2sA==,iv:mBaaB1JHb2KVc9n2pdeX4pSMvb7q5z3joMT7rR5Whgs=,tag:ef+58SI4AUeqUsk3RVDsRQ==,type:str]
gitea-pr-token: ENC[AES256_GCM,data:ybTya4X2wd65pNFSGbQkg73lu66GNtSba4yf8J6tT8XkuOtfvtBS4g==,iv:39mJiAlw4kud4l06jOpxOCRumChE/5q8IBNsPHG1rMc=,tag:MEvHD2b9E3fVHLlz7haNyw==,type:str]
sops: sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: age:
- recipient: age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh - recipient: age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
enc: | enc: |
@ -39,8 +41,8 @@ sops:
ZERFTlFyNjhOb3VCaW43ZXFHT1Vxc0UK7YV+BU7dCEOZxpqkQA394eDsnthvorj6 ZERFTlFyNjhOb3VCaW43ZXFHT1Vxc0UK7YV+BU7dCEOZxpqkQA394eDsnthvorj6
7bqrCdeU+6DU7DmFs6++BrNO2tx8vvOa1im+ZGrM/gZAJdv/7R2d6Q== 7bqrCdeU+6DU7DmFs6++BrNO2tx8vvOa1im+ZGrM/gZAJdv/7R2d6Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-07T23:43:57Z" lastmodified: "2025-01-26T04:17:36Z"
mac: ENC[AES256_GCM,data:ygQzxSpGJqXwkOq7jGDeflA2FTSSxnre/PXm0LxmxzQQW5s7LeIVSI75fMqWir0WU3Pi/xroYGEWjpCG6JvxV5RiJycTONk8VE7c3jtw3AbrHSS0b1K5tJ+Sf+q3rHJFWWk/COrPk8IsRFNb+taqH4jnaH3AAVNo5u0C1CHKMes=,iv:FO2GVDXE8SjjA81/9cDwc+dX8kJ2oHt5kqkhNBuMb54=,tag:hgzRAmsh32SCvJEvKyV+vg==,type:str] mac: ENC[AES256_GCM,data:BJ5d3iqdIBwqtnYOYfmsFqnJDXz67uzJ4UKWrjVUEgr4Nc95tE8mEyV40poZk/wAJGJMSDdRhsPmZI4H1xztkjkTsUCUJ2rR+SZ6gP1VhSEXu7bSvv63+bnajZQi9kZrfN0EZN8TLzzVHVvSVHcNEfbq9STWkZq6zCk9E2cUfhk=,iv:MQ/lQkNi/S3bfz1PegcVfwy06RsxdQwZIU6sdOjkhgU=,tag:l5tK1SUwjTolliPkbfNDHg==,type:str]
pgp: pgp:
- created_at: "2024-09-05T06:10:22Z" - created_at: "2024-09-05T06:10:22Z"
enc: |- enc: |-
@ -55,4 +57,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330 fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.10.1 version: 3.9.3

1
users/default.nix
View File

@ -14,7 +14,6 @@
hashedPasswordFile = config.sops.secrets."${name}/user-password".path or null; hashedPasswordFile = config.sops.secrets."${name}/user-password".path or null;
openssh.authorizedKeys.keys = publicKeys; openssh.authorizedKeys.keys = publicKeys;
extraGroups = [ extraGroups = [
"users"
"wheel" "wheel"
"media" "media"
(lib.mkIf config.networking.networkmanager.enable "networkmanager") (lib.mkIf config.networking.networkmanager.enable "networkmanager")

14
utils/attic-push.bash
View File

@ -11,16 +11,18 @@ set -e
# | jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g') # | jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
# retrieve all paths # retrieve all paths
nix_paths=$(nix path-info --json --all --closure-size | nix_paths=$(nix path-info --json --all --closure-size \
jq 'map_values(.closureSize | select(true)) | to_entries | sort_by(.value)' | | jq 'map_values(.closureSize | select(true)) | to_entries | sort_by(.value)' \
jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g') | jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
readarray -t nix_path_array < <(echo "$nix_paths") readarray -t nix_path_array < <(echo "$nix_paths")
batchsize=1000 batchsize=1000
for ((i = 0; i < ${#nix_path_array[@]}; i += batchsize)); do for((i=0; i < ${#nix_path_array[@]}; i+=batchsize))
part=("${nix_path_array[@]:i:batchsize}") do
part=( "${nix_path_array[@]:i:batchsize}" )
attic push nix-cache "${part[@]}" attic push nix-cache "${part[@]}"
done done

52
utils/attic-token.bash
View File

@ -1,8 +1,8 @@
#!/usr/bin/env bash #!/usr/bin/env bash
if (($# != 3)); then if (( $# != 3 )); then
echo "usage: $0 <cache/cache group> <cache pattern> <token type>" echo "usage: $0 <cache/cache group> <cache pattern> <token type>"
exit 1 exit 1
fi fi
cache="$1" cache="$1"
@ -10,27 +10,27 @@ cache_pattern="$2"
token_type="$3" token_type="$3"
case $token_type in case $token_type in
"cache-creator") "cache-creator")
atticd-atticadm make-token --sub "$cache-cache-creator" --validity "1y" \ atticd-atticadm make-token --sub "$cache-cache-creator" --validity "1y" \
--pull "$cache_pattern" --push "$cache_pattern" --delete "$cache_pattern" \ --pull "$cache_pattern" --push "$cache_pattern" --delete "$cache_pattern" \
--create-cache "$cache_pattern" --configure-cache "$cache_pattern" \ --create-cache "$cache_pattern" --configure-cache "$cache_pattern" \
--configure-cache-retention "$cache_pattern" --destroy-cache "$cache_pattern" --configure-cache-retention "$cache_pattern" --destroy-cache "$cache_pattern"
;; ;;
"admin") "admin")
atticd-atticadm make-token --sub "$cache-admin" --validity "1y" --pull "$cache_pattern" \ atticd-atticadm make-token --sub "$cache-admin" --validity "1y" --pull "$cache_pattern" \
--push "$cache_pattern" --configure-cache "$cache_pattern" \ --push "$cache_pattern" --configure-cache "$cache_pattern" \
--configure-cache-retention "$cache_pattern" --configure-cache-retention "$cache_pattern"
;; ;;
"writer") "writer")
atticd-atticadm make-token --sub "$cache-writer" --validity "1y" --pull "$cache_pattern" \ atticd-atticadm make-token --sub "$cache-writer" --validity "1y" --pull "$cache_pattern" \
--push "$cache_pattern" --push "$cache_pattern"
;; ;;
"reader") "reader")
atticd-atticadm make-token --sub "$cache-reader" --validity "1y" --pull "$cache_pattern" atticd-atticadm make-token --sub "$cache-reader" --validity "1y" --pull "$cache_pattern"
;; ;;
*) *)
echo "invalid token type: $token_type" echo "invalid token type: $token_type"
echo "available options: cache-creator, admin, writer, reader" echo "available options: cache-creator, admin, writer, reader"
exit 1 exit 1
;; ;;
esac esac

2
utils/diff-evals.sh
View File

@ -10,4 +10,4 @@ set -e
script_path=$(dirname "$(readlink -f $0)") script_path=$(dirname "$(readlink -f $0)")
parent_path=$(dirname "$script_path") parent_path=$(dirname "$script_path")
nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --compare-drvs --allow-import-from-derivation --compare-output-to-file "$parent_path" nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --compare-drvs --compare-output-to-file "$parent_path"

6
utils/eval-to-drv.sh
View File

@ -8,12 +8,12 @@ set -v
set -e set -e
if [ "$#" -ne 1 ]; then if [ "$#" -ne 1 ]; then
echo "$0 (pre|post)" echo "$0 (pre|post)"
exit 1 exit 1
fi fi
script_path=$(dirname "$(readlink -f $0)") script_path=$(dirname "$(readlink -f $0)")
parent_path=$(dirname "$script_path") parent_path=$(dirname "$script_path")
out_path="$parent_path/$1.json" out_path="$parent_path/$1.json"
nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --evaluate --allow-import-from-derivation --json "$out_path" "$parent_path" nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --evaluate --json "$out_path" "$parent_path"

8
utils/fetch-docker.sh
View File

@ -14,10 +14,10 @@ parent_path=$(dirname "$script_path")
# relpath is the relative path to the parent_path where you want the file written # relpath is the relative path to the parent_path where you want the file written
# format: <image name>,<image tag>,<image architecture>,<os>,<relpath> # format: <image name>,<image tag>,<image architecture>,<os>,<relpath>
images=( images=(
"nextcloud,apache,amd64,linux,/systems/palatine-hill/docker/nextcloud-image/nextcloud-apache.nix" "nextcloud,apache,amd64,linux,/systems/palatine-hill/docker/nextcloud-image/nextcloud-apache.nix"
) )
IFS="," IFS=","
while read -r name tag arch os relpath; do while read -r name tag arch os relpath; do
nix-prefetch-docker --image-name "$name" --image-tag "$tag" --arch "$arch" --os "$os" --quiet >"$parent_path/$relpath" nix-prefetch-docker --image-name "$name" --image-tag "$tag" --arch "$arch" --os "$os" --quiet > "$parent_path/$relpath"
git --no-pager diff "$parent_path/$relpath" git --no-pager diff "$parent_path/$relpath"
done <<<"${images[@]}" done<<< "${images[@]}"

33
utils/inject-diff.py
View File

@ -1,33 +0,0 @@
#!/usr/bin/env nix
#! nix shell nixpkgs#python3 --command python
import logging
def inject_diff():
source_file = 'post-diff'
target_file = 'pr_body.md'
placeholder = "nix-diff-placeholder"
logging.info(f"injecting '{source_file}' into '{target_file}' using '{placeholder}' as a placeholder")
out = []
with open(source_file,'r') as src:
src_content = src.read()
if len(src_content) > 60000:
logging.warning(f"{source_file} is longer than 60k characters, truncating")
src_content = src_content[:60000]
with open(target_file,'r') as tgt:
for line in tgt.readlines():
if placeholder in line:
out.append(line.replace(placeholder,src_content))
else:
out.append(line)
with open(target_file,'w') as tgt:
tgt.writelines(out)
if __name__ == "__main__":
logging.basicConfig( level=logging.INFO)
inject_diff()

2
utils/manual-update.sh
View File

@ -1,6 +1,6 @@
#!/usr/bin/env bash #!/usr/bin/env bash
set -e set -e
set -v set -v
set -x set -x

20
utils/sops-mergetool-new.sh
View File

@ -2,10 +2,7 @@
# Rename CLI parameters to friendlier names # Rename CLI parameters to friendlier names
# https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver # https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
base="$1" base="$1"; local_="$2"; remote="$3"; merged="$4"
local_="$2"
remote="$3"
merged="$4"
# Load the mergetool scripts # Load the mergetool scripts
TOOL_MODE=merge TOOL_MODE=merge
@ -23,7 +20,7 @@ merged_decrypted="${base_decrypted/_BASE_/_MERGED_}"
backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}" backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}"
# If anything goes wrong, then delete our decrypted files # If anything goes wrong, then delete our decrypted files
handle_trap_exit() { handle_trap_exit () {
rm $base_decrypted || true rm $base_decrypted || true
rm $local_decrypted || true rm $local_decrypted || true
rm $remote_decrypted || true rm $remote_decrypted || true
@ -33,12 +30,12 @@ handle_trap_exit() {
trap handle_trap_exit EXIT trap handle_trap_exit EXIT
# Decrypt our file contents # Decrypt our file contents
sops --decrypt --show-master-keys "$base" >"$base_decrypted" sops --decrypt --show-master-keys "$base" > "$base_decrypted"
sops --decrypt --show-master-keys "$local_" >"$local_decrypted" sops --decrypt --show-master-keys "$local_" > "$local_decrypted"
sops --decrypt --show-master-keys "$remote" >"$remote_decrypted" sops --decrypt --show-master-keys "$remote" > "$remote_decrypted"
# Create a merge-diff to compare against # Create a merge-diff to compare against
git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" >"$merged_decrypted" git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" > "$merged_decrypted"
cp "$merged_decrypted" "$backup_decrypted" cp "$merged_decrypted" "$backup_decrypted"
# Set up variables for the mergetool # Set up variables for the mergetool
@ -51,7 +48,7 @@ MERGED="$merged_decrypted"
BACKUP="$backup_decrypted" BACKUP="$backup_decrypted"
# Override `check_unchanged` with a custom script # Override `check_unchanged` with a custom script
check_unchanged() { check_unchanged () {
# If the contents haven't changed, then fail # If the contents haven't changed, then fail
if test "$MERGED" -nt "$BACKUP"; then if test "$MERGED" -nt "$BACKUP"; then
return 0 return 0
@ -64,4 +61,5 @@ check_unchanged() {
run_merge_tool "${mergetool}" true run_merge_tool "${mergetool}" true
# Re-encrypt content # Re-encrypt content
sops --encrypt "$merged_decrypted" >"$merged" sops --encrypt "$merged_decrypted" > "$merged"

22
utils/sops-mergetool.sh
View File

@ -6,10 +6,7 @@ set -x
# Rename our variables to friendlier equivalents # Rename our variables to friendlier equivalents
# https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver # https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
base="$1" base="$1"; local_="$2"; remote="$3"; merged="$4"
local_="$2"
remote="$3"
merged="$4"
echo "$base" echo "$base"
echo "$local_" echo "$local_"
@ -21,7 +18,7 @@ echo "$merged"
mergetool="$(git config --get merge.tool)" mergetool="$(git config --get merge.tool)"
GIT_DIR="$(git --exec-path)" GIT_DIR="$(git --exec-path)"
if test "$mergetool" = ""; then if test "$mergetool" = ""; then
echo 'No default `merge.tool` was set for `git`. Please set one via `git config --set merge.tool <tool>`' 1>&2 echo "No default \`merge.tool\` was set for \`git\`. Please set one via \`git config --set merge.tool <tool>\`" 1>&2
exit 1 exit 1
fi fi
@ -35,7 +32,7 @@ merged_decrypted="${base_decrypted/_BASE_/_MERGED_}"
backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}" backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}"
# If anything goes wrong, then delete our decrypted files # If anything goes wrong, then delete our decrypted files
handle_trap_exit() { handle_trap_exit () {
rm $base_decrypted || true rm $base_decrypted || true
rm $local_decrypted || true rm $local_decrypted || true
rm $remote_decrypted || true rm $remote_decrypted || true
@ -45,13 +42,13 @@ handle_trap_exit() {
trap handle_trap_exit EXIT trap handle_trap_exit EXIT
# Decrypt our file contents # Decrypt our file contents
sops --decrypt --show-master-keys "$base" >"$base_decrypted" sops --decrypt --show-master-keys "$base" > "$base_decrypted"
sops --decrypt --show-master-keys "$local_" >"$local_decrypted" sops --decrypt --show-master-keys "$local_" > "$local_decrypted"
sops --decrypt --show-master-keys "$remote" >"$remote_decrypted" sops --decrypt --show-master-keys "$remote" > "$remote_decrypted"
# Create a merge-diff to compare against # Create a merge-diff to compare against
set +e set +e
git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" >"$merged_decrypted" git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" > "$merged_decrypted"
set -e set -e
cp "$merged_decrypted" "$backup_decrypted" cp "$merged_decrypted" "$backup_decrypted"
@ -69,7 +66,7 @@ source "$GIT_DIR/git-mergetool--lib"
source "$GIT_DIR/mergetools/$mergetool" source "$GIT_DIR/mergetools/$mergetool"
# Override `check_unchanged` with a custom script # Override `check_unchanged` with a custom script
check_unchanged() { check_unchanged () {
# If the contents haven't changed, then fail # If the contents haven't changed, then fail
if test "$MERGED" -nt "$BACKUP"; then if test "$MERGED" -nt "$BACKUP"; then
return 0 return 0
@ -85,4 +82,5 @@ merge_cmd
set -eu set -eu
# Re-encrypt content # Re-encrypt content
sops --encrypt "$merged_decrypted" >"$merged" sops --encrypt "$merged_decrypted" > "$merged"