├── .editorconfig ├── .github ├── actions │ ├── setup-env │ │ └── action.yml │ └── update-custom-branch │ │ └── action.yml ├── dependabot.yml └── workflows │ ├── cleanup-old-runs.yml │ ├── flake-update.yml │ ├── package-update.yml │ └── update-nixpkgs.yml ├── .gitignore ├── .hydra ├── jobsets.nix └── spec.json ├── .sops.yaml ├── README.md ├── files ├── public_certs │ └── zrepl │ │ ├── pointalpha.crt │ │ ├── sapsrv01.crt │ │ ├── sapsrv02.crt │ │ ├── shelter.crt │ │ ├── tank.crt │ │ └── zenbook.crt ├── secrets-base.yaml ├── secrets-desktop.yaml ├── secrets-managed.yaml └── shawn.face.icon ├── flake.lock ├── flake.nix ├── machines ├── default.nix ├── next │ ├── configuration.nix │ ├── hardware.nix │ └── secrets.yaml ├── pointalpha │ ├── configuration.nix │ ├── hardware.nix │ ├── home.nix │ ├── impermanence.nix │ ├── secrets-home.yaml │ └── secrets.yaml ├── pointjig │ ├── configuration.nix │ ├── hardware.nix │ └── secrets.yaml ├── shelter │ ├── configuration.nix │ ├── disko-config.nix │ ├── hardware.nix │ └── secrets.yaml ├── tank │ ├── configuration.nix │ ├── hardware.nix │ ├── impermanence.nix │ └── secrets.yaml ├── trivia-gs │ ├── configuration.nix │ ├── hardware.nix │ └── secrets.yaml ├── watchtower │ ├── attic-server.nix │ ├── configuration.nix │ ├── grafana.nix │ ├── hardware.nix │ ├── secrets.yaml │ └── victoriametrics.nix └── zenbook │ ├── configuration.nix │ ├── hardware.nix │ ├── home.nix │ ├── impermanence.nix │ ├── secrets-home.yaml │ └── secrets.yaml ├── modules ├── default.nix ├── home-manager │ └── private │ │ ├── base.nix │ │ └── desktop.nix └── nixos │ ├── private │ ├── backup-rclone.nix │ ├── backup-usb.nix │ ├── base │ │ ├── default.nix │ │ ├── nix.nix │ │ └── vmagent.nix │ ├── desktop.nix │ ├── hydra.nix │ ├── managed-user.nix │ ├── nextcloud │ │ ├── base.nix │ │ └── memories.nix │ ├── optimized.nix │ ├── postgresql.nix │ ├── server.nix │ └── shutdown-wakeup.nix │ └── public │ └── asus-battery │ └── default.nix ├── packages ├── default.nix ├── 
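jameica │ └── fhsenv.nix ├── pg-upgrade │ └── default.nix ├── s25rttr │ ├── cmake_file_placeholder.patch │ └── default.nix └── shellscripts │ ├── backup-usb.nix │ ├── generate-zrepl-ssl.nix │ ├── nas.nix │ ├── nas │ ├── nas_mount │ ├── nas_mount_ela │ └── nas_umount │ └── rtc-helper.nix └── parts ├── modules.nix ├── system.nix ├── type-defs ├── hydra-jobs.nix ├── modules.nix └── system.nix └── zrepl-helper.nix
/.editorconfig:
--------------------------------------------------------------------------------
# EditorConfig configuration for nixpkgs
# https://EditorConfig.org

# Top-most EditorConfig file
root = true

# Unix-style newlines with a newline ending every file, utf-8 charset
[*]
end_of_line = lf
insert_final_newline = true
trim_trailing_whitespace = true
charset = utf-8
indent_style = space

# Ignore diffs/patches
[*.{diff,patch}]
end_of_line = unset
insert_final_newline = unset
trim_trailing_whitespace = unset


# Match docbook files, set indent width of one
[*.xml]
indent_size = 1

# Match json/lockfiles/markdown/nix/ruby files, set indent width of two
[*.{json,lock,md,nix,rb}]
indent_size = 2

# Match perl/python/shell scripts, set indent width of four
[*.{pl,pm,py,sh}]
indent_size = 4

[*.lock]
indent_size = unset

--------------------------------------------------------------------------------
/.github/actions/setup-env/action.yml:
--------------------------------------------------------------------------------
# Composite action: writes the netrc used by nix (see `netrc-file` below) and
# installs nix with this repository's substituters and access token.
name: "setup-env"
description: "Does to lifting to install nix and setup cachix on the runner"
inputs:
  github_token:
    description: "Token to be used for Github"
    required: true
  netrc_content:
    description: "Content for the netrc"
    required: true
runs:
  using: "composite"
  steps:
    - name: Generate netrc
      shell: bash
      # The netrc holds credentials. Hand the secret to the script through the
      # environment instead of expanding it into the script text (so quotes or
      # shell metacharacters in the content cannot alter the command, and the
      # value is not part of the rendered step), and create the file with
      # owner-only permissions so other local users on a shared runner cannot
      # read it.
      env:
        NETRC_CONTENT: ${{ inputs.netrc_content }}
      run: |
        umask 077
        printf '%s\n' "$NETRC_CONTENT" > /home/runner/.netrc
        chmod 600 /home/runner/.netrc
    - name: Install nix
      uses: cachix/install-nix-action@v18
      with:
        install_url: https://releases.nixos.org/nix/nix-2.18.1/install
        # NOTE(review): `access-tokens` ends up in the runner's nix.conf, which
        # is presumably readable by every local user; acceptable on an
        # ephemeral hosted runner, worth confirming before using a self-hosted one.
        extra_nix_config: |
          auto-optimise-store = true
          access-tokens = github.com=${{ inputs.github_token }}
          experimental-features = nix-command flakes
          netrc-file = /home/runner/.netrc
          substituters = https://cache.nixos.org https://nix-community.cachix.org https://cache.pointjig.de/nixos
          trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= nixos:5axzveeiERb8xAeioBUHNHq4SVLvwDcJkLMFsWq0l1E=
--------------------------------------------------------------------------------
/.github/actions/update-custom-branch/action.yml:
--------------------------------------------------------------------------------
# Composite action: rebases nixos-<release>-custom onto origin/nixos-<release>
# and force-pushes the result, exiting early when the custom branch already
# contains the upstream tip.
name: "update-custom-branch"
description: "Does rebase the custom branch on top of upstream"
inputs:
  release:
    description: "Custom branch for a release to be synced"
    required: true
  gh_token:
    description: "GH Token used for pushing the content"
    required: true
  working_dir:
    description: "dir that this applies on"
    required: true
runs:
  using: "composite"
  steps:
    - name: Update custom ${{ inputs.release }} branch
      working-directory: ${{ inputs.working_dir }}
      shell: bash
      # `inputs.release` is expanded into the script text. That is only safe
      # because the callers in this repository pass literal values
      # ("unstable", "25.05"); if the input ever comes from outside, pass it
      # through `env:` and reference it as a quoted variable instead.
      run: |
        git checkout nixos-${{ inputs.release }}-custom
        commits_ahead=$(git rev-list --count nixos-${{ inputs.release }}-custom..origin/nixos-${{ inputs.release }})
        # Nothing to do when upstream has no commits the custom branch lacks.
        if [ "$commits_ahead" -eq 0 ]
        then
          exit 0
        fi
        git rebase origin/nixos-${{ inputs.release }}
        # --force-with-lease refuses to overwrite a remote branch that moved
        # since it was fetched.
        git push --force-with-lease
      env:
        GH_TOKEN: "${{ inputs.gh_token }}"
--------------------------------------------------------------------------------
/.github/dependabot.yml: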
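--------------------------------------------------------------------------------
# Keeps the pinned GitHub Actions current; at most 5 open PRs, routed to Shawn8901.
version: 2
updates:
  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: daily
      time: "06:00"
    open-pull-requests-limit: 5
    reviewers:
      - Shawn8901
    assignees:
      - Shawn8901
    labels:
      - CI
--------------------------------------------------------------------------------
/.github/workflows/cleanup-old-runs.yml:
--------------------------------------------------------------------------------
name: Clean up old action runs

on:
  schedule:
    - cron: "0 1 * * 1"
  workflow_dispatch: {}

jobs:
  sync_fork:
    runs-on: ubuntu-24.04
    steps:
      - name: Clone repository
        uses: actions/checkout@v4
        with:
          token: "${{ secrets.GH_TOKEN }}"
          fetch-depth: 1
      - name: Delete old runs
        shell: bash
        # Lists up to 100 runs created at least 7 days ago and deletes each one
        # through the REST API. The repository slug is resolved once by the
        # outer shell before xargs starts, not once per run.
        run: |
          gh run list -L100 --created="<=$(date -d "7 days ago" +"%Y-%m-%d")" --json databaseId -q ".[].databaseId" | \
          xargs -IID gh api "repos/$(gh repo view --json nameWithOwner -q .nameWithOwner)/actions/runs/ID" -X DELETE
        env:
          GH_TOKEN: "${{ secrets.GH_TOKEN }}"
--------------------------------------------------------------------------------
/.github/workflows/flake-update.yml:
--------------------------------------------------------------------------------
name: Flake Updater

on:
  schedule:
    - cron: "30 10 * * *"
  workflow_dispatch: {}

jobs:
  update_flake:
    runs-on: ubuntu-24.04
    # NOTE(review): these outputs reference steps (gen_packages, gen_machines)
    # that do not exist in this job, so they always evaluate to empty; they
    # look like leftovers from package-update.yml and can likely be dropped.
    outputs:
      packages: ${{ steps.gen_packages.outputs.packages }}
      machines: ${{ steps.gen_machines.outputs.machines }}
    steps:
      - name: Clone repository
        uses: actions/checkout@v4
        with:
          token: "${{ secrets.GH_TOKEN }}"
          fetch-depth: 0
      - name: Set up git
        shell: bash
        run: |
          git config user.email git@pointjig.de
          git config user.name "Git Bot"
      - name: Install nix
        uses: ./.github/actions/setup-env
        with:
          github_token: "${{ secrets.GH_TOKEN }}"
          netrc_content: "${{ secrets.NETRC_CONTENT }}"
      - name: Update flake
        shell: bash
        # If an update PR labelled `flake` is already open, rebase it onto main
        # when needed and stop; otherwise update flake.lock, check the flake and
        # open a new PR.
        run: |
          has_pr_open=$(gh pr list --label flake --json number)
          if [ "$has_pr_open" != "[]" ]
          then
            echo "There is already a update PR, dont create a new one."

            # `gh pr checkout` takes a single PR number; use the first open one
            # rather than every number in the list.
            gh pr checkout "$(echo "$has_pr_open" | jq -r ".[0].number")"
            commits_ahead=$(git rev-list --count HEAD..origin/main)
            echo "Commits ahead: $commits_ahead"
            git log --oneline -5
            echo "----------"
            git log --oneline -5 origin/main
            if [ "$commits_ahead" -ne 0 ]
            then
              git fetch origin
              git status
              git rebase origin/main
              git push --force-with-lease
            fi

            exit 0

          fi

          nix flake update

          git diff-index --quiet HEAD -- && echo "no changes" && exit 0
          git switch -c update-flake_$(date -I)
          git commit -am "flake.lock: Update $(date -I)"

          # A failing check fails the step before anything is pushed.
          nix flake check --show-trace

          git push -u origin update-flake_$(date -I)
          PR=$(gh pr create \
            --base main \
            --body "Automatic package update for flake.lock on $(date -I)" \
            --label bot --label flake \
            --fill \
            --title "Update for flake.lock $(date -I)")
        env:
          GH_TOKEN: ${{ github.token }}
--------------------------------------------------------------------------------
/.github/workflows/package-update.yml:
--------------------------------------------------------------------------------
name: Package Updater

on:
  schedule:
    - cron: "5 1 * * *"
  workflow_dispatch: {}

jobs:
  # Evaluates the flake's x86_64-linux packages and emits, as a JSON list, the
  # names of those whose derivation sets `runUpdate` to true.
  generate_matrix:
    runs-on: ubuntu-24.04
    outputs:
      packages: ${{ steps.gen_packages.outputs.packages }}
    steps:
      - name: Clone repository
        uses: actions/checkout@v4
        with:
          token: "${{ secrets.GH_TOKEN }}"
      - name: Install nix
        uses: ./.github/actions/setup-env
        with:
          github_token: "${{ secrets.GH_TOKEN }}"
          netrc_content: "${{ secrets.NETRC_CONTENT }}"
      - name: Generate packages.json
        run: |
          nix eval --json .#packages.x86_64-linux --apply 'builtins.mapAttrs(name: value: builtins.hasAttr "runUpdate" value && value.runUpdate)' > packages.json
      - id: gen_packages
        run: |
          packages=$(jq -c 'map_values(select (.)) | keys' < packages.json)
          echo "packages=$packages" >> "$GITHUB_OUTPUT"

  # One job per package from the matrix; `matrix.package` comes from this
  # repository's own flake outputs, which is why it is expanded directly below.
  update_packages:
    runs-on: ubuntu-24.04
    needs: [generate_matrix]
    if: ${{ needs.generate_matrix.outputs.packages != '[]' }}
    strategy:
      fail-fast: false
      max-parallel: 10
      matrix:
        package: ${{fromJson(needs.generate_matrix.outputs.packages)}}
    steps:
      - name: Clone repository
        uses: actions/checkout@v4
        with:
          token: "${{ secrets.GH_TOKEN }}"
      - name: Install nix
        uses: ./.github/actions/setup-env
        with:
          github_token: "${{ secrets.GH_TOKEN }}"
          netrc_content: "${{ secrets.NETRC_CONTENT }}"
      - name: Set up git
        run: |
          git config user.email git@pointjig.de
          git config user.name "Git Bot"
      - name: Update package
        run: nix run nixpkgs\#nix-update -- --build --commit --flake ${{ matrix.package }}
      - name: Push branch and create PR
        # `--commit` above is expected to leave the update as a local commit, so
        # HEAD differing from its upstream (@{u}) means there is something to
        # push. A `run:` step receives no positional arguments, so the former
        # `${1:-'@{u}'}` always resolved to `@{u}`; the unused BASE was dropped.
        run: |
          UPSTREAM='@{u}'
          LOCAL=$(git rev-parse @)
          REMOTE=$(git rev-parse "$UPSTREAM")
          if [ "$LOCAL" = "$REMOTE" ]; then
            exit 0
          fi
          git switch -c updates-${{ matrix.package }}_$(date -I)
          git push -u origin updates-${{ matrix.package }}_$(date -I)
          PR=$(gh pr create \
            --base main \
            --body "Automatic package update for ${{ matrix.package }} on $(date -I)" \
            --fill \
            --label bot --label ${{ matrix.package }} \
            --title "Package update for ${{ matrix.package }} $(date -I)")
        env:
          GH_TOKEN: ${{ github.token }}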
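--------------------------------------------------------------------------------
/.github/workflows/update-nixpkgs.yml:
--------------------------------------------------------------------------------
name: Nixpkgs Updater

on:
  schedule:
    - cron: "10 4 * * *"
  workflow_dispatch: {}

jobs:
  # Mirrors the upstream NixOS/nixpkgs branches into the Shawn8901/nixpkgs fork.
  # NOTE(review): `secrets.GH_TOKEN` needs push access to that fork; the
  # built-in `github.token` is scoped to this repository only.
  sync_fork:
    runs-on: ubuntu-24.04
    steps:
      - name: Sync fork
        shell: bash
        # One sync per mirrored branch; a failing sync aborts the step because
        # GitHub's default for `shell: bash` runs with `-e`.
        run: |
          for branch in master nixos-unstable nixos-25.05
          do
            gh repo sync Shawn8901/nixpkgs --source NixOS/nixpkgs --branch "$branch"
          done
        env:
          GH_TOKEN: "${{ secrets.GH_TOKEN }}"

  # Runs after the mirror is fresh and rebases the custom branches onto it
  # using this repository's update-custom-branch action.
  update-branch:
    runs-on: ubuntu-24.04
    needs: [sync_fork]
    steps:
      - name: Clone config repo
        uses: actions/checkout@v4
        with:
          repository: "${{ github.repository }}"
          token: "${{ secrets.GH_TOKEN }}"
          path: "config"

      - name: Clone nixpkgs repository
        uses: actions/checkout@v4
        with:
          repository: "Shawn8901/nixpkgs"
          token: "${{ secrets.GH_TOKEN }}"
          path: "nixpkgs"
          fetch-depth: 0

      - name: Set up git
        shell: bash
        # Identity is configured only in the nixpkgs checkout, where the
        # rebase commits are made.
        working-directory: "nixpkgs"
        run: |
          git config user.email git@pointjig.de
          git config user.name "Git Bot"

      - name: Sync Unstable
        uses: ./config/.github/actions/update-custom-branch
        with:
          gh_token: "${{ secrets.GH_TOKEN }}"
          release: "unstable"
          working_dir: "nixpkgs"

      - name: Sync 25.05
        uses: ./config/.github/actions/update-custom-branch
        with:
          gh_token: "${{ secrets.GH_TOKEN }}"
          release: "25.05"
          working_dir: "nixpkgs"
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
/result*
.direnv
.envrc
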
-------------------------------------------------------------------------------- /.hydra/jobsets.nix: -------------------------------------------------------------------------------- 1 | { nixpkgs, pulls, ... }: 2 | let 3 | pkgs = import nixpkgs { }; 4 | 5 | prs = builtins.fromJSON (builtins.readFile pulls); 6 | prJobsets = pkgs.lib.mapAttrs (num: info: { 7 | enabled = 1; 8 | hidden = false; 9 | description = "PR ${num}: ${info.title}"; 10 | checkinterval = 60; 11 | schedulingshares = 20; 12 | enableemail = false; 13 | emailoverride = ""; 14 | keepnr = 1; 15 | type = 1; 16 | flake = "github:shawn8901/nixos-configuration/pull/${num}/head"; 17 | }) prs; 18 | mkFlakeJobset = branch: { 19 | description = "Build ${branch}"; 20 | checkinterval = "3600"; 21 | enabled = "1"; 22 | schedulingshares = 100; 23 | enableemail = false; 24 | emailoverride = ""; 25 | keepnr = 3; 26 | hidden = false; 27 | type = 1; 28 | flake = "github:shawn8901/nixos-configuration/${branch}"; 29 | }; 30 | 31 | desc = prJobsets // { 32 | "main" = mkFlakeJobset "main"; 33 | }; 34 | 35 | log = { 36 | pulls = prs; 37 | jobsets = desc; 38 | }; 39 | in 40 | { 41 | jobsets = pkgs.runCommand "spec-jobsets.json" { } '' 42 | cat >$out <tmp < 23 | 24 | ``` 25 | -------------------------------------------------------------------------------- /files/public_certs/zrepl/pointalpha.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFIjCCAwqgAwIBAgIUFMnnKphtSI4o46J/IKwKcd4NahMwDQYJKoZIhvcNAQEL 3 | BQAwFTETMBEGA1UEAwwKcG9pbnRhbHBoYTAeFw0yNDEyMTExODEwMDFaFw0yNTEy 4 | MTExODEwMDFaMBUxEzARBgNVBAMMCnBvaW50YWxwaGEwggIiMA0GCSqGSIb3DQEB 5 | AQUAA4ICDwAwggIKAoICAQDI8kUb2KBTdZd3taCsMoTM5NEo3H57DQumGR9JG8Is 6 | LB6980kpoAz141/y8bgRe7BQ2hfyyBCUfeV/rt0+0tP+I7KV7qZEZLa6lAm58He3 7 | aR0fU1KAB07USttUpH6GSMQV28YjD4Tq1LRSedewC6azt82UX56LwioxUHUFymcc 8 | 762a9CsuNAFiJzbwhsUxXQWvWL1RpnNjvluCI0cnMfZNU6YtlIOcpzmUUigURDKo 9 | 
ev3g/X6BfY+lEHCjxf/fhOs7759vftV+qnjUSOzBs3hi99YlypUiH1SF/ygwstqY 10 | 4ugGuY4PyDiiXxCw+LLHMKKzEDaNAwQ+GpUMkBNVhH8mxQ1uVxh6IC0/IWlFvwSe 11 | +zSjoXnFkkwUT2FXjRtQ2ExmOnLTdW8UL2+4SmEuFQwFm1Okwvmmio5zk84o1/Su 12 | jMZGsmv7mqhU0KJFemtC6ZlQm0J3s0cn1VL60XnqtAmQkeZkC3sy4imo2Lt8zZTC 13 | smfoX/1i8zcXmgD2bdLtrsSWWcB8OwITwoYHZ12nc47pXq/ykhJsGfC+ucEcik4i 14 | uR8yVBRyReC7dUBBWemBLcABKdZrp3bs6cgHyUXZPJx2Q8BEA4DTTgZ4bkVIfpdy 15 | 1bT42hGMAvuhJtyFJ0EkzbA8MPovqewaq74OTgbptEvdJHHimxnKSOzs2j7OzkAr 16 | jwIDAQABo2owaDAdBgNVHQ4EFgQUvDA+CoBCKytcdzquLPwJjs0lMx0wHwYDVR0j 17 | BBgwFoAUvDA+CoBCKytcdzquLPwJjs0lMx0wDwYDVR0TAQH/BAUwAwEB/zAVBgNV 18 | HREEDjAMggpwb2ludGFscGhhMA0GCSqGSIb3DQEBCwUAA4ICAQC0fS9IZ6cSCFq0 19 | hTVyymYZMFRWBREoyb3q3qTcRfefo3Jor/37E2KCMPJNzYcKxFBB5xSn78Tbh65U 20 | sRjlQddnNkWLB97P7Wwjr+hPeSbgqnVrRVLHZPtqmoSmVtivjEZT+By6Jreghe/V 21 | dXv+ODBAhooLr/4VyITR6q5ABQCeZQ8gM84O171A3QGzcmaCPzDnd5ab9sd8NCed 22 | Da+SfhSEHCvNVosqQJlIHDf7Jw6wQSYbYKXsGdYpX+j7c9BhccAThdAN9hF/MfFa 23 | 5sZ1PA9fO/2jfbwwt8vvuIJp5uvCpWeN7mQxZ36BkpjqDHpziqkn0LDFRJFdm72Z 24 | Ml6u+y9/kw/YW8eAgNQKkuZnw4V4rm141kV3MclV3aKqP8f6YStxNNgctRda7DKT 25 | K88eX38WbG4QxAdUz4x/uT5sEk+LZprmkdzCoSV6u+aUZfm4HEr7DhNwWsvVxNYq 26 | N1ZhgzQpb8kA+TJLkASb3iay14AjtiM6VRv/9QZhij8BwtrS/fbEKHMQ/gR9qNJj 27 | gM3AwULaeKdtFEsjKunuddjrFje9NRHspYbTJBEuVJZxp76qkxay/wRIilkINY5n 28 | cHySuYXawSRnsWEhwSEEfeWPUfd0B4LyqY/2AbxFg43nkgEKtdetwclfXElRplCJ 29 | i/+UKOKlCmhZg4/SJTnmqN+MIYJ6SQ== 30 | -----END CERTIFICATE----- 31 | -------------------------------------------------------------------------------- /files/public_certs/zrepl/sapsrv01.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFHDCCAwSgAwIBAgIUESakX+GOU1uNtqHSSnh8R4hOz5cwDQYJKoZIhvcNAQEL 3 | BQAwEzERMA8GA1UEAwwIc2Fwc3J2MDEwHhcNMjQxMjExMjEwOTA5WhcNMjUxMjEx 4 | MjEwOTA5WjATMREwDwYDVQQDDAhzYXBzcnYwMTCCAiIwDQYJKoZIhvcNAQEBBQAD 5 | ggIPADCCAgoCggIBAKOut0RZlCo0/YZkfUefc1Z3vGie/ubCSwyHecZ4HPCfud+Y 6 | 
w4oesnVnNnB886XoOVkKFTQ0KV83+YS+OrDVrDRn2qqqcU3yuVvFtuD2qEF+nQoq 7 | b31PYpEBYU4SbxJGFE+uDFc+g0i6RfT3x3ihDNZk1fFxpqiZp1NtSeo2DDPVB/wH 8 | uMHoGNArOJlrYrR97vkejXgsuxXDuOn5K260zX44gPC2u+wxMbKYxX6VCh5yo0WV 9 | z2qxykzJgeFJNjLyXP3k+4mzOppOe4GijjwW//Mh1aL3VrJOX/M+SxaaFYca93dK 10 | SnDKnnID5KaHC6jUXj3brn7QFA6VL/xJXfdx1IJ2qDAJndJlrQAPMfDDWbxbGJQ2 11 | e1fCpZc24oTD52IWTl9o4kvMQqbz7Ci2Jq49Q+/FsGMfN6X/nPewX0rI7nNZx3br 12 | Ote+VVxPhd7RdHQ/IbfyX4BZFoaF/CYElOTNwntbzkevfgJUphaqbDqJrvzSdrrl 13 | jYUdzsfcWAZxTlDyoPIAQFnc1qTzNJgl3lmkxDdpJFyoq8WpeBs3SpwSGJiJfdgN 14 | x8J0lW4+ng9ur+W2oFxIJi59RAXXwOVEBKbZjAnxnMSHxdFTnmiT86HVJQG03t5f 15 | XBCuhLTt0ew9GQDEMhTbdNsHpphckA7Jt7q6rKn5UCLYP9U1RlZ+TNJS8+Q1AgMB 16 | AAGjaDBmMB0GA1UdDgQWBBRHrVuzqMwodkAt2A4H14/zN74s6jAfBgNVHSMEGDAW 17 | gBRHrVuzqMwodkAt2A4H14/zN74s6jAPBgNVHRMBAf8EBTADAQH/MBMGA1UdEQQM 18 | MAqCCHNhcHNydjAxMA0GCSqGSIb3DQEBCwUAA4ICAQCc/aLz8rTiJGGqwbdYSmce 19 | gayERTe9rorUKRO5pIroee7LSYo6iLJdCxH4QTG004V0+zRTbX2w9Or3/vhB65J5 20 | FGzldUp/wGyVrf4xS7OI8oTxlXirwhnyRxNACHXBNA61+ymKJkWPszbI8UCTf57q 21 | tEvFl7XQkXE0r0wGiotZSzmpB36usjrEczFuFABBy4i2wrkSXhT5nNqZhH/gBvcl 22 | ik+bj2ahMR6OBJuc7UweNahcxP693Fh1TMdKVXtfSVzAqIXYS0rGV8dwQ4ZGPwa+ 23 | U+7VwpBMnaiGfl6M4rZe3WEMGb/Ig6mZrx1h0R+L+5TjXYmjsQHzqPrZ25L80dPN 24 | ZK2XK81gdD+u9n+wV3SHvJhkNBgJ/H3c0b2qXrXq0Np8xCVOkV/aTNICzlUXyA1g 25 | bzSE+XjgZnmOim9OqU87hq9sVmnMHrnXtsyNMylKJANYkJjZfKlXUYCtSUMlGP8Z 26 | 8SCi1WtDbmAUn788jVbYrFRQ6QAK1Nl/kdyAUju5nb1COpnYA6Psemrv6RtOozTx 27 | AXhNJ0LZx2muiK8lU3Av8ihdOH5uQ+Vhjr+qLftLN4184COxe2c53xIV5HYONLv0 28 | eVIbPv6ERrXO+JKvqlUABLXMx0YilRyS6KejyJzFCroDCemPsJhfEM7HW5pCu99W 29 | GcCZiiBrKyqr5qyMtt9/7w== 30 | -----END CERTIFICATE----- 31 | -------------------------------------------------------------------------------- /files/public_certs/zrepl/sapsrv02.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFHDCCAwSgAwIBAgIUVymb3Hje/UdA+kmz6o5hpzV6hvMwDQYJKoZIhvcNAQEL 3 | 
BQAwEzERMA8GA1UEAwwIc2Fwc3J2MDIwHhcNMjQxMjExMjEwOTExWhcNMjUxMjEx 4 | MjEwOTExWjATMREwDwYDVQQDDAhzYXBzcnYwMjCCAiIwDQYJKoZIhvcNAQEBBQAD 5 | ggIPADCCAgoCggIBANdeUXwt8GUe33RyJNjUXjipGy/qLV9VYbwRUtbHo0Od7Xl3 6 | GlBbCFqNgboNYBbO8j5LH5IK+N4mlgFqwqhSQp/g6rYUWmh3lVF7CKMxNIamNrO5 7 | D41EHHbtOJtHov56+GBPK6v3WD+wNw5j2AfJqCNKVF4U2Ee7OBZo9NKMSeav1scP 8 | Mmb+e/+JExgY38gqu83+9KONdE9n/tzTRdIX/wkdKxWVSiuWaqaA8gXoQWKfl7uw 9 | KI+G89i9KYDp6vSmOZRGeqoVwWfC2v8TLXTCO9aDQuXwS/w6EYLmOl/9uraaP6fu 10 | 9LTH7ixsNaE7CTXZl/CG6BUV1ywypwLlTMQho631klhkToAS9ot5e2mM7ai+rihw 11 | QPtRvGocuvfzcMWpInz8yP6J7K3lbyV8VXjs8iIAwm99w4hBp+uI79Kk7DX7iA8M 12 | K1j+f3GpQjBR1TkjgmJPmmOhDv71ASVpbsw/izCWX9DQRWIU+c3NF/ONHDuaj9HH 13 | WaLWegO94VbCujTiO/x3vbQ5mfsKTsKNA5gVn+CjTq58xSRzKI9qgi1Ttbzwlsea 14 | QjUafMAalrgCMnXDD5BgMNX7dCqsKCCJfPb4ALa3HtkiWwgTwIJjeE2HAzdt0qK1 15 | EM/2fer7R40PTPlGCIMcofGfofehF0sVF+nnPC1giHwAGYTsv5qp41P9lX3nAgMB 16 | AAGjaDBmMB0GA1UdDgQWBBRrm+ygrroeB3Z3g+q6oTrLbDxx2zAfBgNVHSMEGDAW 17 | gBRrm+ygrroeB3Z3g+q6oTrLbDxx2zAPBgNVHRMBAf8EBTADAQH/MBMGA1UdEQQM 18 | MAqCCHNhcHNydjAyMA0GCSqGSIb3DQEBCwUAA4ICAQDCMBqyMLlF093A40dL76Op 19 | MATdU518//wf1/bInXbRdplvJGsbMFY1pbYuaiKseZA/yWd0CO+I+bS6v79PYZTI 20 | nQV8RXrFTo0Kbdq6wflVYDbtBf7j+C7dOTiCLhVN8F4azk6tiHEjWuq3i8ERDbSu 21 | LzdLO8mM9GSiqEuWlyS3GIu5dIYgsIDm/8Oxc+2gvY2Ipx7q8iUaqeTqY2Y+7Soc 22 | bUnmr+CRm4PfsAbrLt0NlAJj7Y/Qt1Y756xWWg0W2BstMiEbw/eh13f+5aVO9HPu 23 | 1BwbMAAH3RbFADRpPjAmRXoFe9d76ZPEvrUg5aOzcresKOIeCrOIB/vPFU2vNYwx 24 | Jo312HyF0xj7SqGAlyv3J2qlgR/+Gsn7wM55P+WoNvWAUrEAwVxd7LI5XrCf4Sm3 25 | kEzsQpZ0Lbqx2Ngpm1K40+qNPUEA9AWHhRSZlwY3/oAcwI26vpqGIqHgPQkJz2oJ 26 | KreWRSs7VjVLG4so78Rq8FVafcVx/hjIt5lxlxyLoo9+JXkDmyINuQ5Uyj1e6iB+ 27 | B9d2N9wjmFLmRFCEG7bMvI6KBQx9+FFYZfuo5DTqD5a9lVN0CjTetY0+aLfKUlOY 28 | lbFleIKLmLvk2Lqh6eP9lZ5Zyo7eex/FHm73YQ49Pfc/0RbVSqkorR88fnTRnCgc 29 | yyNyaSK9kiOsqYC+s5z6FQ== 30 | -----END CERTIFICATE----- 31 | -------------------------------------------------------------------------------- /files/public_certs/zrepl/shelter.crt: 
-------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFGTCCAwGgAwIBAgIUXC/nFyPGgEsbGgsSWRlVKG3XOzEwDQYJKoZIhvcNAQEL 3 | BQAwEjEQMA4GA1UEAwwHc2hlbHRlcjAeFw0yNDEyMTExODE1NDhaFw0yNTEyMTEx 4 | ODE1NDhaMBIxEDAOBgNVBAMMB3NoZWx0ZXIwggIiMA0GCSqGSIb3DQEBAQUAA4IC 5 | DwAwggIKAoICAQCrKDCgqFW0aOlos3PEFvCF2Eg9yG9+utfbvf1S0YS3dY3lHFMo 6 | n+dpMV5crV5vN+lLo9jL0/aTPkegg3BB9NNjVXXJE+DHG6sO1TQZtXIlTk/WimoF 7 | d9BeaxGv4bjlSLFy7G6ayFNkzPIbv+1FJfuiMK8+KhPiScQmwPmP1X//vd19cZy/ 8 | lpqUht01shR4EA0ct/IKr6aJGXbwlpqBfPZKdFfY7j5f9p4SmYMvv2CoIYDc2D4x 9 | vEK+WbcXcWSrQWDNOEZldlzM1DzAtt19tJQMs1geUc/H8wxUcpkbNeZCBRb4YKWm 10 | R04hTGCa0AQyaWoTIKRfOfXn8fDUkHqTQYbUtKjQ8C1zanFpfwrp4Sy+hZb0nzgb 11 | inT5UuiQLlAwmLDmG+TJ/j/eKnZMcCHLWPUgOzsgAQ9JLQHN9rtcLqgtkn+kXjLU 12 | +J57IkqxOVjjAOvu/Kh46ty98JFc7xcz/lS/T7hKQc3wVrYgdSoSzeoBJ2I0yFIo 13 | w9cZJtZwOt4bdzdI0QfvunZCo96rlIhV/Z7AbKi4tVPzF0XWqCSemru1CBTLVIRd 14 | X11B2Y/DslmhAmnvdE8GRukts8uJOzCN8fODy02W0kYPsV8YoP2L3D1OVbr3vg36 15 | HWau0Ga3xopsv7PR33UqThN1RoVRGWcXA4Lc5/ZyiB94WmHq6OetxecpgQIDAQAB 16 | o2cwZTAdBgNVHQ4EFgQUlhUZCdFBN3x3iS278veWq5+e5SwwHwYDVR0jBBgwFoAU 17 | lhUZCdFBN3x3iS278veWq5+e5SwwDwYDVR0TAQH/BAUwAwEB/zASBgNVHREECzAJ 18 | ggdzaGVsdGVyMA0GCSqGSIb3DQEBCwUAA4ICAQCn2pxzt7vEQg3+FUyPmkQgrHQj 19 | BUvXR0gFRebCAb6helESW0ZN3T3VomdGowQm1pfJzaHgPCKZcrTntmXBGjPeHJuK 20 | Q8PoO4bNs1J7dj1Qp4aMR77qrayhef78yO2jGTmrkbC5OSX1YkODZsNltRmWdhI2 21 | 3Jw3RGN395rxMRaq0k5+XphjgVAJG+XCIkFkBRzZVk1MWxTKeA0f4e90fq25lC2n 22 | 0+Lj9AJGZVEobgZ8+3p8Zu7AI6yFZbLbeHpybcAt11ptH9FLb+H+L98F6O8EpGXn 23 | 2YjxnyzmKLZwNlnYzkoEfLEAJTIU9heoIKRATwBTLtK7LlD0FRgJ1K2RHkIEjjWe 24 | mj5499zySXFWXCpgvUCVDumXRiEVJv+8OUSDjTWwQQyQ7Bk3FAqr+qNlgCMkZRX6 25 | Qfwg9Eib9s8wQfJJdnUiXglOMMny6EA5j3aLrWpHVOMwJv8RjWOklBEGzl/QWhgd 26 | rBj51PwAl1o18BJue+8qw1QkI/jxwkkFiK5eb7jW5j/gVrU9KjBGkVZojjyGucKN 27 | wua/Do1ZL3eK9+p3B4U9ROC5WnklgcuZFI0akp5mvHLlF6f5S0js6Wgkk/tyy5X2 28 | oxUjjZCBQERhmoOKLHRIUM+ioaSwoczb/U9kv+7t4j37oe1eStrbg2XiBHGb2C9J 29 | 
v9ZJwOK19da2U9oulQ== 30 | -----END CERTIFICATE----- 31 | -------------------------------------------------------------------------------- /files/public_certs/zrepl/tank.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFDzCCAvegAwIBAgITEJ3jeB4spj97MyP7CBevrYML+zANBgkqhkiG9w0BAQsF 3 | ADAPMQ0wCwYDVQQDDAR0YW5rMB4XDTI0MTIxMTE4MTU1MloXDTI1MTIxMTE4MTU1 4 | MlowDzENMAsGA1UEAwwEdGFuazCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC 5 | ggIBAOagbvkZ4PbkP04vKM1tzPH+qwiou1cj16yHhHsclRYQ46s5h5eYb+rHzxH2 6 | M6i2lqS3c+ALg3O0zUUhlYzYetnk7d81MyWhuDxuMF+TYFlds+3SgQcL8QPx9iIz 7 | 0sVf32rW6hTX98hBvCJd+whZIiT6tLw7ooxslesaDAK8hzPiELicHCHcNYqzxeq8 8 | eHUHry6XrD/vRxs202t3g0Mio2EV1SSajCNlZm/XYg64lDioRXI/Q2shfJqDpyGL 9 | arwonzj+88NpKNrIBIpNnW0LmVSxHwuA0rK5mYd4cOo/5h2yz8pujoJsn/nYuwdA 10 | iwjvkVzZyWF1rUYjbhN996PzUHt0iok/qaTYWdXtJhbCmqREg46Vs0UnMj1V3Z4S 11 | kWYUEVrB+CdokMcqnzZ+OOe+LqXp0bLcTysau6/m+ar4zJRcn/INlQ+U3FXgsXm9 12 | PXX4auhwKmfw3YxbDlc8psQNJ4Jzih3KHbFj7lbXO63YsCzJYN6RPZUnGEXQux92 13 | OSk/jgdJjES5VJtzQrbjYDiFOvwiX5FWi75R8QUTg/4gR0Gk0b3+qskAU5WAFjHH 14 | QKbCF6e7RALBnZG6mq06d2ehDUz8sfFeBE0KMe7ARMobq0uFalMI85JK7AzEewn7 15 | ZcSFSrWeflVg1tQ860OyaMenlrdRgzhBfInzuYhrrfC54l2XAgMBAAGjZDBiMB0G 16 | A1UdDgQWBBR0ZLD400t/ZLmW9nxoNKypuhfTnzAfBgNVHSMEGDAWgBR0ZLD400t/ 17 | ZLmW9nxoNKypuhfTnzAPBgNVHRMBAf8EBTADAQH/MA8GA1UdEQQIMAaCBHRhbmsw 18 | DQYJKoZIhvcNAQELBQADggIBAK0LT9hx1pct28Zyi6byuRvtporZMj9s1PtBgFtn 19 | HZHt/lJ+fV3BYUzqdRE5USIVaFoLMJXhfghfXUoYapBPXvHZwtS6wVkhZwwDo8ew 20 | jNQvyV5CvHzAlA6zjknADgIYiBDORekahOHrOotT/WxRqmRQsrCTL7Mu1eo++B8M 21 | X8BuI+Shp+HsChemg+t+SDFBJR2YAwWmgHKRYl6A/ipoEUNlpUVPeC03481ltktq 22 | Oxsufyd4LgnxPRiHmkBoezm9r0DjftXSq1wbR1NgxL5UrxRzlSlpf4CVMEEgFtUT 23 | 1LV2DyWPdqSmAEdg4jeBtpZMoQ4AXIcShMpqPRrB6ogZ6gaggaOHIUpz+1NQhy/P 24 | UzUKIVLY4BnMO0bamEZW1/icG/hus7Pojijo7xsrV7Ky4qE6/0faMfa8TMPjJqWr 25 | qYLgQEmt7jKjkNKDcrxzMaazs9gMeSpX/E8k60Xg/vMbogoxvQmdU5GiAufWDbv3 26 | 
KLvQ1PktjnN8TdwCogqhhSvtnsKpLTKgGsHqYceHKLdAYMqA6fcnE+uflLj07P76 27 | yeQUj7d3QrKatwSm3HK4GsKdjzwo48INXCUUHzOkJnExM271hafBJmGzUYXeBZ/2 28 | U0rDckBVlTmN68xbKjKynOH9DJ9KnPb5QMpx2mHT0/y48b06rHLqqnYFFrEXIUDR 29 | NWt3 30 | -----END CERTIFICATE----- 31 | -------------------------------------------------------------------------------- /files/public_certs/zrepl/zenbook.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFGTCCAwGgAwIBAgIUJarnikcVdgpqASRF9MzxZe9ZupAwDQYJKoZIhvcNAQEL 3 | BQAwEjEQMA4GA1UEAwwHemVuYm9vazAeFw0yNDEyMTExODE4NDZaFw0yNTEyMTEx 4 | ODE4NDZaMBIxEDAOBgNVBAMMB3plbmJvb2swggIiMA0GCSqGSIb3DQEBAQUAA4IC 5 | DwAwggIKAoICAQC8kNssPI74pmItngddWHh+fJ1hHL0WPmgd6rVblXjpwO4UtdlX 6 | qSBOe/caVmUTXj/9TPenHTTaV5Bxmp4BhxKukCVQ+AlnX41hSOPzCXsDb7gXKVM+ 7 | RjCkcz3qASFEh6nEfat+ZLMqqDaOsvnvjvFatxRcFLqoDvrXmeieD+0OpnKK42+B 8 | PAlK/28vBz97qpG2t5wCePYudbUvPLLyOPNScV5CF2o3s0MIBmBNK0qfR6TzJY28 9 | MIrHKFZ526JJR5Bht33xT1cJz3PMyLW2A2b5jvbAYrPPDJYHxeIDCDIoNPmrGApv 10 | fVCo/4ozgZQd9jxDu61x5wkqv085UA09zxuLBq9zT8yzL3kBryWinXUQxvYM+aqD 11 | 1+/Em8VAYJojIcpSEvBnwGNvTc6bLN0f/OxG12PiiTKWpjlUSDoR1ECUjs1dxth+ 12 | cMbTnitkF8Qq0gTQPdOIhZUFDDiiLoiZ9qRNJrrbIBMnDAVAob/MhD0YKTHM+3LG 13 | Y/GS2mnM2wHEC0tPXHjapWEmPrv5h9H6oOQzC2vkGzbnNQ/kbuY5GI/G3S/lK1Yb 14 | qUTYuRwr/nnckLHJBrACfobGMSMJjZmx85t/97LjEI8kozQb/9bkzmHLm7cYhA/s 15 | t0y4oKwOoaYv7QP55ww2txk6YZ94UchIyKgeCUjIeNBwsQ+gQVi+Kdh+9QIDAQAB 16 | o2cwZTAdBgNVHQ4EFgQU1tGzY5dQSTLjgSU2BMdGfTVmwt0wHwYDVR0jBBgwFoAU 17 | 1tGzY5dQSTLjgSU2BMdGfTVmwt0wDwYDVR0TAQH/BAUwAwEB/zASBgNVHREECzAJ 18 | ggd6ZW5ib29rMA0GCSqGSIb3DQEBCwUAA4ICAQBLp5B9fi3rqiY4vIN4FIolUlKa 19 | KouyJ39D62sTuAo1Wj+IWykl5T0R1J1LMpja4gbs/pIR4y2kFBoE3LxbiSq0MCgW 20 | pVgl3cHsol2C5lmOOXl2QBWWUeS2eBDA4M5QIRxJqXYg+LZlBfC+c9FApOZE4C/N 21 | sgwHJxW346U1smr/5jTs4H3hL9FLi7o+nEALXyskb2aoMUjatPW0PC+DIG/lBKe/ 22 | YeJXwz6TLhwDUp7cnazyyBZmMb6bm3Rqdp8a9eZ9tCgTBGAGCR5NGj1JmJgLJRhV 23 | 
5hyy+ZY7F4xcVUadoRd/BeYZ6Wz2ru+VHbIRCW10v1ykXEdw6AwMukjrJ0yr44m3 24 | gTKim/+0wU3jxqcxSQ5OoSDN1le1De0UmWK1A3L+CmOhIF8ZeUH5HI3ewM/2XkDI 25 | sOP3gX4ShJmzHVEOwi50Tc5hqjXgnvbPKmvcJk+pCIl+Y9cSvCzy7KqqT/XXAVhh 26 | LwFAojsMEm7q+03cP6vPF6Xcq78BQ5NyhNAliYtW5xSGTT3ls8NLjmlqxtLnQrdo 27 | QM3iEvlM3dpUOQISzF0JsCBD4lvLt4xcVQwrgc3TM4UgfUcEAjVK9d8JVcQwGRgx 28 | ckcxHV2xrpJg/ruJE/pY+xx3/wMF/aqUHVxo43CiRk2HrKYIJAweg4bDuGIgl3bv 29 | go6k3YxQHQEGbq1LkA== 30 | -----END CERTIFICATE----- 31 | -------------------------------------------------------------------------------- /files/secrets-base.yaml: -------------------------------------------------------------------------------- 1 | nix-netrc-ro: ENC[AES256_GCM,data:nOvV0YPVo/pFP/au/q21he4VQyiigc8U9D7UGRv/7O5kzDHWKRUzAgw3cplva3OzOM28wmqAkkNSGTczAM+f2EprsaLnAzva8FZkEszOk1mfVdhVINFjoR/QW1xlgap5jsc7J7f8Jx0HmqGzQkhG4JzO4lyOMu9YTJZV40LYiq8znpaPVpMRpj9EeC99WByStu1rwmEKoKM4a1v1MvffkHdVfXqXhT4QRDsTZdHCzEkcYAC2raPvbQpTHc6FlRGu/QbqspFZTea+2ahnpZIO8aw3LGCLL1ZOx/9lq9adAQ/ioSAv4gqdE9hQJeGXArFL2xC5B/2pTw==,iv:fkh7nvYQPaktra2lHNdkmxo/tb9uUgB834rwkxW8XnM=,tag:UaZI3ZGQ7IA/7XbthXk9hg==,type:str] 2 | nix-gh-token-ro: ENC[AES256_GCM,data:pUsgBoOM//ZIH2sf7jCD5aTfBviE87d+vle9fpmJYrkC7bOwd5WK4NxNyF05RnTSR6RMCh0fOFksckCuQ/5IxbFreZaxS/Nv7g==,iv:+ngJqf35stjfMqY/sDhxaTd+LXHXIbYUt2z1f/CrkLU=,tag:Z8KJXijQjAaIfhen3s04kw==,type:str] 3 | vmagent: ENC[AES256_GCM,data:5Q+WyV1XZlI1vMpe0GBChH0=,iv:5T7wrBbiQ7beaKXAOn0tLYmKfltPrG3eOLm0LDGBvkU=,tag:zukrBgCPfFiLvqlWE5cvOw==,type:str] 4 | sops: 5 | kms: [] 6 | gcp_kms: [] 7 | azure_kv: [] 8 | hc_vault: [] 9 | age: 10 | - recipient: age1q5mka3zt3w0w4nqzlmdm5pwf3ktxnjf87qcdjjxdednsanryry2scfzh93 11 | enc: | 12 | -----BEGIN AGE ENCRYPTED FILE----- 13 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtN1MrTkdXUlh0OEtDaWdX 14 | UVh2TFRlcXhGRW4xYWJRV0FXOElsTUE4UFZZCm9KMThoV3pqa2JxVXFHVmZEb2Ex 15 | Ti8rMVB5N3FjWjRtQ0Jta0s5Q1M2NlEKLS0tIGhua0hPc1I4ZjN1Ky9WMHN6RXQ0 16 | RzZIbjB2RTk4T0t6akg0RklQVWREL3cKFHnK0qo2+D1SWUAs16m43lN2tEW3kVSW 17 | 
Lez4/9/aK2nyqfr40AdCpKz5nP5zM1BcAOEInnSGAvIbVLEd/Nd+RQ== 18 | -----END AGE ENCRYPTED FILE----- 19 | - recipient: age1fepqavsyfukjf72ajv9cwp6r62hnlz4h6hgxw4wsddrlaqm8e42sns70ws 20 | enc: | 21 | -----BEGIN AGE ENCRYPTED FILE----- 22 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiMXRmTlRQK0YwR2RWREgx 23 | eVQwU1ZWc1NXTlFFVnkrWG1HWEZma2k3QmpFCnVKSUdFSXk4dEdJTS90NGtqRUNY 24 | Uk9GeGsrWStSOVVRVTRUQ0I1TmJ6SE0KLS0tIGNHYlNOVGR3a1pYQUZGTUcyNWxH 25 | cHdDUCtBMGY1SkI5ei9YaEd1YWN1MEkK9jOo5pY5Dhjjxe6AAu0+3RiGT3gjynZp 26 | njdhEy3EFpOu9/UsbRr56llZkLp+McmI3QrLs94rJASSDa6PHEnx/w== 27 | -----END AGE ENCRYPTED FILE----- 28 | - recipient: age1q9wy9rnpusgr7w993dm03ec50zm0mgrylmqxdpph2avzf38k6gks3g4vp2 29 | enc: | 30 | -----BEGIN AGE ENCRYPTED FILE----- 31 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvMUhzQy80NFpEZlZoWTlt 32 | eHFDOHBTQm90MnFobjN4aEp0ZW42aldiT3lFCklsTHVUeWlNemRVc1pIald1VC9v 33 | UUZlY3NGY1YrWjNyZ2N4aXJmYk1DVDQKLS0tIDdUNk9sTVhlMjhPVG03QzVwa0dL 34 | UlYvWEtiSWp2Tk1SME5mTFJSVHhZSkEK5PlA85cJYNAP+NFxo3U7pbr6QIphRReI 35 | VonNZEq+gF3wFiaxcJUGR/cROFSm3+eLxDvluwZbcev52ExyeLYVoA== 36 | -----END AGE ENCRYPTED FILE----- 37 | - recipient: age1ejf78m4mn8ch2lusuwn3gwqkpz45n03368sf78ce2nunzxlgduuqlme66d 38 | enc: | 39 | -----BEGIN AGE ENCRYPTED FILE----- 40 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvY1lNQjE5UFFoeUs0ZHQ2 41 | ZjBrRVJOMzZGbDZjL1lZRXZSajY0Sk9GWm5FCndlbkJSaEdGSkxaMGxRM09oWk54 42 | V25mcUxyMnh2L2k1b3BubEtEeGlsc0UKLS0tIEpLSWZPWVRoRTlDd0FWM3FWSVdZ 43 | bTRxclpKem9xZGoxQ3k4eHVka3VQalEKYehKq2IrqDhsb14LhWMU4q3/6YIXWngI 44 | msJNn28n5E0PX1v9hOe3RjmLa1wFJMxN41nqHpGKifGR2+OwqAmfbA== 45 | -----END AGE ENCRYPTED FILE----- 46 | - recipient: age1wlznz542ulyhjvp9zxe57z5rgy738wt6ygy6qsgjyavl5e9vcd0q27mu3n 47 | enc: | 48 | -----BEGIN AGE ENCRYPTED FILE----- 49 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4c1RGb0h5T3pQTXpQRFZK 50 | c3NGQVNIZFBkRG53c0txa1owWC91dWlrMEFJCmpyL004dmo4MkZ1dFc4WVVSY3JG 51 | N2tiRW5NZWQ4N0R6ek01VHpKTGtYam8KLS0tIDl0SzJqMVFoTHU2M1lZeERmMUZR 52 | 
QVUzMElaMTk3Ymdtb0VWZXl4SWlSeUkK4T7Eds2VeqsLE9igUOo16MnLejKlQiL/ 53 | iEVIuvFeEoaTjvfWOMJ1M3C6eNB0FUA/5gxlj4O2e3CM0Zmtwganew== 54 | -----END AGE ENCRYPTED FILE----- 55 | - recipient: age13gpwm947w05n65cz22pxyevml9sd80lq944d47glhw4lkvqulg4sqlccyq 56 | enc: | 57 | -----BEGIN AGE ENCRYPTED FILE----- 58 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1clZ2bWZnUjI5QXhZRkNC 59 | cW1FZGJJVWtVMFNTS1VOL1JXSXdkMnNKaEdZClRoRXJMQnpCNGY1eU1nRzgzS2R2 60 | YkxReDhzeGMvN1Budm5zTTJJTEtDakEKLS0tIE1wRHErTnlzZ0h3bEEzS1JCSjN0 61 | b2Z1Yjl1YjNEZW10U0l0ZWlrVGlRejgKzUtGBdNh+Gzokvo1A4XfSE/KzukgFq66 62 | HFCZxLpJmsY/8C4Ede05GnZExMX99sImsf4vRSal/0FglXCnW9w+Lg== 63 | -----END AGE ENCRYPTED FILE----- 64 | - recipient: age1qx60k4ft2lvs9qa3s0xqhpkdf26zdc8yw4vr7a7424ta9mcq9g8qrseqv3 65 | enc: | 66 | -----BEGIN AGE ENCRYPTED FILE----- 67 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRSWdyeXNDdm8xQVVtTjho 68 | bzRjcXBGZFFNQkFhV2RsWnA4VzJQWjlPYjNvCkN1WXVHMVJod0xJQmIzVFZFZWdG 69 | THZJS2tqWGxkd2xaNmtOWFZJbmk1Q3cKLS0tIHA2RVVOUEZwZTVlSmtyT1RwaVU2 70 | MUJ0RGkyTEpkVkczelp6R3QzdnRlMDgK3c3GRLfNppNTjVxkmvL7Rqq0VRPi2dKQ 71 | LrUIkQCN4LJiik5gIPGd9ORvmM6u63zE9mo/9fLvIrXBEjZ5X5hwgA== 72 | -----END AGE ENCRYPTED FILE----- 73 | - recipient: age1uq4qun60snrl3t3yjqagrnjhsjma36kkdw3ypj9sntccwlgplfgq4ytdtj 74 | enc: | 75 | -----BEGIN AGE ENCRYPTED FILE----- 76 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxaG5EWWZ3U1RkK2lLS3dS 77 | OS9Ja296Qm1UM2xhMnpXd0pqOTJkQlBpQXk0CkNyYUV4aGtwY2JJN05QQTBmTUMv 78 | L3lVanlCaWRQekZVL2VMcVRaOWhCc2MKLS0tIG1SVTRYdkI4VWllWCtwVGQybnIz 79 | ZEdBR0VpdmpJRjFqZ2lURlRjZ2s3TWMKTEVUbtzmwzK8+D7eb7AdMQRBCEyjXc7u 80 | eWmmjn9TpKUHjQIU7t4rOH0R6QKZQz4gFoThjfMlpU13j60eL1O7Bw== 81 | -----END AGE ENCRYPTED FILE----- 82 | - recipient: age1q6kuyae4tgdgtjy7syfhkj5tlgpxtyf66kkulm7h5c74az3uu5rqwvgca5 83 | enc: | 84 | -----BEGIN AGE ENCRYPTED FILE----- 85 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3Um1qNjZRcmMwbHRSc2N6 86 | RVlGNURyNW5tdG1jdktJY1luUFAzRURtMGdjClVxNkxvRDhrR0ZxaFR6MFk1VWdZ 87 | 
U1M1bU54VmZpR1ZwSklMbWNCNTF5dWcKLS0tIGgwc2pkdCtod3FEWVRMUG5XcGpI 88 | TUxnVk5UcmhudE40K3l5VkNycU1IMk0KdzLIm8pJWKK9zqoIJuNqw30AY4B2uCol 89 | y+nq0N6OwM2EJPIdoG/gRGdLopiXwQljQtMnck8qY6a0VdXd2OD4CQ== 90 | -----END AGE ENCRYPTED FILE----- 91 | lastmodified: "2024-12-27T21:53:02Z" 92 | mac: ENC[AES256_GCM,data:PCf7TZ/pLhg2CotsVfkD3kPWWlRKNwF6aQ+TUH/HfgAO32h9TLNVrAMBOnecpF4d2MBfXJ6y2ldpcv/OGZJQ20V/8zsWO0FZl7KMfFFqMcQkesG0bO2RXXZrIgvQPbiYiwV1pTY84stALxMJjOQ4sa2wnLNZugG3YNnXvJ7B4oI=,iv:JO1C7hjhG1x1L2b8FA6td5PaHDHTo4uP1rKl09CBG28=,tag:iEpneLmRqi4pgLmXTYCuFg==,type:str] 93 | pgp: [] 94 | unencrypted_suffix: _unencrypted 95 | version: 3.9.2 96 | -------------------------------------------------------------------------------- /files/secrets-desktop.yaml: -------------------------------------------------------------------------------- 1 | samba: ENC[AES256_GCM,data:/3M3dbq3za8RRTpPecxEL88JpAVOfiLsNY83ONmLIoiWRQ==,iv:6BHagSmWkmPqfBXnhjvp9fClA5z1vVJbguzXagrDAvI=,tag:c3vw+d9vR2lPsUIRJ/f3/A==,type:str] 2 | sops: 3 | kms: [] 4 | gcp_kms: [] 5 | azure_kv: [] 6 | hc_vault: [] 7 | age: 8 | - recipient: age1q5mka3zt3w0w4nqzlmdm5pwf3ktxnjf87qcdjjxdednsanryry2scfzh93 9 | enc: | 10 | -----BEGIN AGE ENCRYPTED FILE----- 11 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNVWJCT2Q3TFZndEhDZ3ZT 12 | OUhzMHVFUXlYQXQ1N1FLZU13bnhrTXZjcXhJCnVWSi9EYTVTSGh1QWJYbjNRZU9T 13 | cmRtZkVBTDFpQmVROWl5YitWWnF2WGMKLS0tIDlsZWk4VFlHekVKU01pM21TaUhp 14 | Z0NDS1M4MUU5bHlUOWNGSnVyRTNSK1kKqbEVS7id7veSD0ewRCSESW8JExDNPLhN 15 | DkxF1QlsuIXbQdM3VhdHvYK8zBC+vrhKTmBowof07+0RtgVOWG+wKg== 16 | -----END AGE ENCRYPTED FILE----- 17 | - recipient: age1q9wy9rnpusgr7w993dm03ec50zm0mgrylmqxdpph2avzf38k6gks3g4vp2 18 | enc: | 19 | -----BEGIN AGE ENCRYPTED FILE----- 20 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEcU5JYkdZclN5VE9IVlFF 21 | TEl0ZTZnYzZGamdFaDN6L3VNOVJzSHlEM3hNCnQxbWhQdjdBd3ozaWtkRDFOdHdM 22 | TmJib3E4ZWo0d3FyK0dvU242aG1ReGsKLS0tIDJqb083cXNobW9LVnJNSmRoQ0lQ 23 | 
WTJxNVV5QTg2Nkt5SlRqMHl4UDZ6NXMK8lpZW8vQPnkCGatvMKq1Jrwy1XpO+V5q 24 | 8PLjWxon5yhReq3wC4icvAlAcplZBiBCCvx+eWEiWoRNR60T9PUmhw== 25 | -----END AGE ENCRYPTED FILE----- 26 | - recipient: age1fepqavsyfukjf72ajv9cwp6r62hnlz4h6hgxw4wsddrlaqm8e42sns70ws 27 | enc: | 28 | -----BEGIN AGE ENCRYPTED FILE----- 29 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxQ0Y0M3JQWUFuUTE1ZWdy 30 | S001NkYvRVk5OHpvOGJmRFJYR0tyNkFNcFhVCm9ManBvckRralVEbjRHZDljQ3Nl 31 | V1kzc05BekNvRUJqdlM1RnFmbk55ZDAKLS0tIHdudXJ0QU53dkY2bjJhdFlDcnpU 32 | YTZ0Vmw1VWplUUgzOW9WQ2o4MDNqY3MK9et+DJfieTDxKnxiGYQhMowAcZd4zuuf 33 | JtOfWRDtV3RmGyQ1F5XGaVYISSQ3ow5lwkmDEB2+iNRJwCXXyj7cIw== 34 | -----END AGE ENCRYPTED FILE----- 35 | lastmodified: "2023-04-14T20:36:58Z" 36 | mac: ENC[AES256_GCM,data:SxZ7603J7CIZ/qH6/HRbP+7mPmrv4eJy08tf/8Uddmh53nk029ig/RCTPZPYtXa07JeSsC9sqPFeS6Yq92TfyIudjRgdkdAWUi3Oavvv+RkHxqmnBe/Ti112CehTpYckUyUaxad9T9Is0ThYwRHDuFwI5jSBWmcS5O2+EbuWvGk=,iv:JmcNjya2bn/j252BhZt5aZFU+NioTemt/xrqGTc3mq4=,tag:qQSpOkX2vzwDIjgKYhqPBw==,type:str] 37 | pgp: [] 38 | unencrypted_suffix: _unencrypted 39 | version: 3.7.3 40 | -------------------------------------------------------------------------------- /files/secrets-managed.yaml: -------------------------------------------------------------------------------- 1 | shawn: ENC[AES256_GCM,data:tx9LFssGVSXCmyQqB5FmQ2Cb1VekN82USL4QbXnoNJLoSzphnZM8/70gnQhl2F5w+B2DMaKT1/gvq7rccdPgZIwgVvdeT/orC4Q8KMWeNWcRNgW0LbH0aNoNnO9OSJFeEI5aq0mfqZYvFw==,iv:4wmeoo5B6xEa79Ad4osHIzgBsXoHzjw9FT1zJGwb3Tw=,tag:GGtZXqgHkay7mCvKQQ7gQg==,type:str] 2 | root: ENC[AES256_GCM,data:qy6LJ+ewI533ql03tWfdiLs6e++r1fWUs13Te0KeUQWhXTbckCA5TSQ3YPkS0DXpAMOa/RUzwaQEP/6T4uhTW4WhcTT9rUpfWr2dXYiUROKXbWKwPjv9V2GvMF5W3ETmhB2ytqLt+81yXw==,iv:l88WNRhhI/iLO8BQMwxWGz8zu9ulwOFNwoRzNxnsNCs=,tag:Yjj4M3kFJeR7U6J0DsHXgg==,type:str] 3 | sops: 4 | kms: [] 5 | gcp_kms: [] 6 | azure_kv: [] 7 | hc_vault: [] 8 | age: 9 | - recipient: age1q5mka3zt3w0w4nqzlmdm5pwf3ktxnjf87qcdjjxdednsanryry2scfzh93 10 | enc: | 11 | -----BEGIN AGE 
ENCRYPTED FILE----- 12 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrTEhiVm9Vb212MzhzRzdE 13 | ZGVBV3FhbGNFTzNCaDQ2OHdkazRHLzhXL1VvCmsxV2lBbVRKaEhRZnRpUkxrRWtu 14 | V3JlSUd2S2Yza1YrdFAxeGxGN2Q1MU0KLS0tIEpYVVgwTFVVWEFLNmdUSWIwT3Z1 15 | dHNEY05ybWQxeGxwb2QxOXkrR0VqZGcKh6aTH1RPsPUkHGuCMkG1jYlMdvjX3vB6 16 | hIuQ47Z3LbpuNjBi3rsqfbAzuJ+G+X8DNQC9ElgjpUcCxcJ1DsG9EQ== 17 | -----END AGE ENCRYPTED FILE----- 18 | - recipient: age1j8gtypmaguankjjftmmzavck9mwns03aq2wgm3j6nxwn9dg3xcgqmg450e 19 | enc: | 20 | -----BEGIN AGE ENCRYPTED FILE----- 21 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtU1AraXZMVmFIRHNSVUk0 22 | TkQwUjZEWkR2UWliVS96Tm5QZSt0RVVDN2dRCkRtTGtwemNRdGxIbUhYK3RTV0tv 23 | Y2pXcE1Lc3UrYVZUc200VmFhTXNwL2sKLS0tIG1hSzVGZXBmRzczOEpWaXM1UFRs 24 | WmhVVXFxeGpleXB1cVc0bnRwd2dqQ1EKuJ+cr+TsSVM34otG3mBT2b4ZaQ2+nwij 25 | eAUrah2XWqOnzsYQE/prEmyhyN/7uslPh1LqcNL65FO5M94fEq9GGA== 26 | -----END AGE ENCRYPTED FILE----- 27 | - recipient: age1uq4qun60snrl3t3yjqagrnjhsjma36kkdw3ypj9sntccwlgplfgq4ytdtj 28 | enc: | 29 | -----BEGIN AGE ENCRYPTED FILE----- 30 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5WlhZRXE5WmxEVzJYV1dL 31 | L0U3ODdBM3VLeWdtanNWd2sxU1RqdTJuWWpFCktpVjVoQ0lKbFdqNUJIRDd6RS9v 32 | ZEFFaldHTFo4SHJVNis3YXh6T2p5RVUKLS0tIFc4dHJqSUJXWUlRazdqR1k1UmNQ 33 | RG5JbGRCdTBmZ2JJU2R0Rnd2dkNGWXcKo5ZotXS9aZRw2jIfTeMr5VEI607bk3la 34 | pGvdihK0R9YEz7hxvKBo54liu6e/bixUelalsVeQBHDvnRpXSlMNIQ== 35 | -----END AGE ENCRYPTED FILE----- 36 | - recipient: age1fepqavsyfukjf72ajv9cwp6r62hnlz4h6hgxw4wsddrlaqm8e42sns70ws 37 | enc: | 38 | -----BEGIN AGE ENCRYPTED FILE----- 39 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1SitzbTk5WENUbnlla2ky 40 | d2IybUkyNFEvTm1uSHIxeW9jckR3T3l1aWhNClUxOWVDWWgzZkdmeDhTc0IzMG1V 41 | bTJnaWowazFxcCtNM0pWSlpxNklValkKLS0tIEcyNk8wU3N1emVteldGdVU3VEtn 42 | S3pPNHA5WHUyVGYyVEh2djFVcTZzZVUKlF14399r5iIFZtCVkaa9Yg/25j1QIMaS 43 | /uZnkk6tuJOkTKtmWyyzgIEo+AmGh4kKUzu7vLq4YbJilQJk18ii4Q== 44 | -----END AGE ENCRYPTED FILE----- 45 | - recipient: 
age1wlznz542ulyhjvp9zxe57z5rgy738wt6ygy6qsgjyavl5e9vcd0q27mu3n 46 | enc: | 47 | -----BEGIN AGE ENCRYPTED FILE----- 48 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLeGlJWjdtQ2NlaXhDWXNy 49 | YzJ4d0wvYVpybW5qNVRsVU1JbVBkZEgzeVRvCnZnNiswaWx4bW1YMUMzeFk5SE5U 50 | QTRsb3VxMFlrOEhZNWdVb2RwV0lPMGMKLS0tIEhBeFJuUU5BYnEreVBubU9NVHpy 51 | TDB4bzZmNEt6bTd2SzRod2pFWVBwb1UKLCEt5kjfRaSSmewpMaHrNl+jfqX5T4Mj 52 | f6dB/1tgb89XXbG+yT+p/t4Ui4XbwWEzTEHyKAVUDVRiQSKBzFBSkg== 53 | -----END AGE ENCRYPTED FILE----- 54 | - recipient: age1qx60k4ft2lvs9qa3s0xqhpkdf26zdc8yw4vr7a7424ta9mcq9g8qrseqv3 55 | enc: | 56 | -----BEGIN AGE ENCRYPTED FILE----- 57 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBibkJJSGtoeWtHZ1hvYlNm 58 | VXg5dzNNbjhsMXJOSHI4QUpPMnh5akZ3S0VBCk5yanJUOHVRUnpJMDRyWDJieUVC 59 | YmJhcGhqalhubzJ5MVdCQXoyeXlrVzAKLS0tIHVUWnpiSWRDZTAzektzbjFzdXkw 60 | YndlamMwUnA3aS9pQ1NSbEtzM1VlTVkK5ZC1oO+8EEmkZbejy4VCXmqQLAQeFZN2 61 | fenx7ioe/nm0Mtrm6B06YH+4Us67lfrsAlLLAY21D2bh/Dfb6FsNaQ== 62 | -----END AGE ENCRYPTED FILE----- 63 | - recipient: age1ejf78m4mn8ch2lusuwn3gwqkpz45n03368sf78ce2nunzxlgduuqlme66d 64 | enc: | 65 | -----BEGIN AGE ENCRYPTED FILE----- 66 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhM1dhZis5V1VWcW1keWRO 67 | L3U3SWRGNnZodlNkU1ZyQzMxaUtIdzlKcGtvCmxpRzBjekIxUFRBT0d4TDhtS2FR 68 | NG55S1JxMk42NDZLbGhNZVdiWCtUYk0KLS0tIC9wRVo3RDBJSTRyaGhpTUMxZ1ZQ 69 | QkZPcS9ML0FTb3JCekhDMmpDa3l1WkEKFPNVQuXtTTTzzFtqGf5Si4kDHKS01kP3 70 | WhPTkO8u3A2YVtrvvj61sZA27IrrzjfIM4T7pqpzteyhx7McBCL2pw== 71 | -----END AGE ENCRYPTED FILE----- 72 | - recipient: age1q9wy9rnpusgr7w993dm03ec50zm0mgrylmqxdpph2avzf38k6gks3g4vp2 73 | enc: | 74 | -----BEGIN AGE ENCRYPTED FILE----- 75 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2dHlHaHNQTWlYRy8vWktL 76 | Z1RkRDZmbWlIUCtqc3N5aWpoL2pFMlNNekRVClRPVXl4K1ZRZGZBZ3ZPamkyVkhW 77 | VXNGWG5FajlIMlJ2TVpWZnRvQm0wczAKLS0tIGpOOVBzQTJ5QnNrTjcvSVBPR0xG 78 | QlhleXNPVU5mTGxMUnVTRzlXRXNYemcKBMoGmr+lQfkqQqCyksrT6IRlrtQeRaMY 79 | 7Z8v0Ta+3X6YqPd+D5K6ttsYv1uTew1RximUWqFGniQwynLgwM3DWQ== 80 
| -----END AGE ENCRYPTED FILE----- 81 | - recipient: age13gpwm947w05n65cz22pxyevml9sd80lq944d47glhw4lkvqulg4sqlccyq 82 | enc: | 83 | -----BEGIN AGE ENCRYPTED FILE----- 84 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSdmtGVnJRakpSc3BTVUxN 85 | OTJEOWlTU0lxNCs0OExlUFl2VHVYSUpjKzFRCk9lcVUrWEtYR3V4TXpoRVBFcU1E 86 | MU80RzI3OEJ4N2JueENoWmdzZEpodXMKLS0tIHI4bXJrcXFuajAvTU1sS1VPZmxS 87 | MithMTFyS2xjVUJRMVVnc3hXMkNTYWsKMmRjnArV2qEWqLOiCLfCgqxBYkbgVIxQ 88 | G74RizTVqvqQ56oAcxSPgdRSbR7wq0rgbd38M51Fsg14jKzgXCO9Ag== 89 | -----END AGE ENCRYPTED FILE----- 90 | lastmodified: "2024-05-08T19:25:11Z" 91 | mac: ENC[AES256_GCM,data:U4BC41iXqMtvK4QhCGcjGFKDHg4aLu32IgIhilJuhVRZI0vtCDurircg53Brg1vxBW2ptBjQNd+7Oao9Ytr9oLUoODA5YFOVfiD0u7uXjoCdSKt3tsKIBpbSoCEftgMc0BZzyH7rK3p88rjnqA9ckqvez63ZIb9GMr5+8MoMUps=,iv:JRIuszA3lPmVJY/HMzDyEnLAl7Hu7AYzyhkxGA5pZzo=,tag:zfZjILuoFUHkv+G3tCbFbA==,type:str] 92 | pgp: [] 93 | unencrypted_suffix: _unencrypted 94 | version: 3.8.1 95 | -------------------------------------------------------------------------------- /files/shawn.face.icon: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shawn8901/nixos-configuration/4e17ba416605b1b1efa6702b1b59b606f15d51bc/files/shawn.face.icon -------------------------------------------------------------------------------- /flake.lock: -------------------------------------------------------------------------------- 1 | { 2 | "nodes": { 3 | "asus-numberpad-driver": { 4 | "inputs": { 5 | "nixpkgs": [ 6 | "nixpkgs" 7 | ] 8 | }, 9 | "locked": { 10 | "lastModified": 1745339928, 11 | "narHash": "sha256-S35B0kpYaY+dxywwqWt6db1cWjcqVvBgjF9AuihKPXo=", 12 | "owner": "shawn8901", 13 | "repo": "asus-numberpad-driver", 14 | "rev": "0bc153d724fbf14371a062cb805e31fbaa30d2b9", 15 | "type": "github" 16 | }, 17 | "original": { 18 | "owner": "shawn8901", 19 | "ref": "nixos_improvement", 20 | "repo": "asus-numberpad-driver", 21 | "type": "github" 22 | } 23 | }, 24 | "disko": { 25 
| "inputs": { 26 | "nixpkgs": [ 27 | "nixpkgs" 28 | ] 29 | }, 30 | "locked": { 31 | "lastModified": 1748832438, 32 | "narHash": "sha256-/CtyLVfNaFP7PrOPrTEuGOJBIhcBKVQ91KiEbtXJi0A=", 33 | "owner": "nix-community", 34 | "repo": "disko", 35 | "rev": "58d6e5a83fff9982d57e0a0a994d4e5c0af441e4", 36 | "type": "github" 37 | }, 38 | "original": { 39 | "owner": "nix-community", 40 | "repo": "disko", 41 | "type": "github" 42 | } 43 | }, 44 | "firefox-addons": { 45 | "inputs": { 46 | "nixpkgs": [ 47 | "nixpkgs" 48 | ] 49 | }, 50 | "locked": { 51 | "dir": "pkgs/firefox-addons", 52 | "lastModified": 1748923398, 53 | "narHash": "sha256-794RwyZJto9NoFlGYuhWKhkhkJ0KrH9Paw5w1DM2zA0=", 54 | "owner": "rycee", 55 | "repo": "nur-expressions", 56 | "rev": "9eb346d6488b06f04809da4de2073666e25ede9d", 57 | "type": "gitlab" 58 | }, 59 | "original": { 60 | "dir": "pkgs/firefox-addons", 61 | "owner": "rycee", 62 | "repo": "nur-expressions", 63 | "type": "gitlab" 64 | } 65 | }, 66 | "flake-parts": { 67 | "inputs": { 68 | "nixpkgs-lib": [ 69 | "nixpkgs" 70 | ] 71 | }, 72 | "locked": { 73 | "lastModified": 1748821116, 74 | "narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=", 75 | "owner": "hercules-ci", 76 | "repo": "flake-parts", 77 | "rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1", 78 | "type": "github" 79 | }, 80 | "original": { 81 | "owner": "hercules-ci", 82 | "repo": "flake-parts", 83 | "type": "github" 84 | } 85 | }, 86 | "home-manager": { 87 | "inputs": { 88 | "nixpkgs": [ 89 | "nixpkgs" 90 | ] 91 | }, 92 | "locked": { 93 | "lastModified": 1748925027, 94 | "narHash": "sha256-BJ0qRIdvt5aeqm3zg/5if7b5rruG05zrSX3UpLqjDRk=", 95 | "owner": "nix-community", 96 | "repo": "home-manager", 97 | "rev": "cb809ec1ff15cf3237c6592af9bbc7e4d983e98c", 98 | "type": "github" 99 | }, 100 | "original": { 101 | "owner": "nix-community", 102 | "repo": "home-manager", 103 | "type": "github" 104 | } 105 | }, 106 | "home-manager-stable": { 107 | "inputs": { 108 | "nixpkgs": [ 109 | "nixpkgs-stable" 
110 | ] 111 | }, 112 | "locked": { 113 | "lastModified": 1748665073, 114 | "narHash": "sha256-RMhjnPKWtCoIIHiuR9QKD7xfsKb3agxzMfJY8V9MOew=", 115 | "owner": "nix-community", 116 | "repo": "home-manager", 117 | "rev": "282e1e029cb6ab4811114fc85110613d72771dea", 118 | "type": "github" 119 | }, 120 | "original": { 121 | "owner": "nix-community", 122 | "ref": "release-25.05", 123 | "repo": "home-manager", 124 | "type": "github" 125 | } 126 | }, 127 | "impermanence": { 128 | "locked": { 129 | "lastModified": 1737831083, 130 | "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=", 131 | "owner": "nix-community", 132 | "repo": "impermanence", 133 | "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170", 134 | "type": "github" 135 | }, 136 | "original": { 137 | "owner": "nix-community", 138 | "repo": "impermanence", 139 | "type": "github" 140 | } 141 | }, 142 | "mimir": { 143 | "inputs": { 144 | "nixpkgs": [ 145 | "nixpkgs-stable" 146 | ] 147 | }, 148 | "locked": { 149 | "lastModified": 1747680795, 150 | "narHash": "sha256-ZYTbX5OOq3R80g5sUqHpflz2mp3aEIepZ3yYWNyE87w=", 151 | "owner": "Shawn8901", 152 | "repo": "mimir", 153 | "rev": "f6e2aedb4ad3613e0396c1fb05b9a4dbf697461b", 154 | "type": "github" 155 | }, 156 | "original": { 157 | "owner": "Shawn8901", 158 | "repo": "mimir", 159 | "type": "github" 160 | } 161 | }, 162 | "mimir-client": { 163 | "inputs": { 164 | "nixpkgs": [ 165 | "nixpkgs-stable" 166 | ] 167 | }, 168 | "locked": { 169 | "lastModified": 1741025197, 170 | "narHash": "sha256-sxXzuBnzB7gfFsIJEubZZeFsDHAB1VZqdQ3yuBmn0q0=", 171 | "owner": "Shawn8901", 172 | "repo": "mimir-client", 173 | "rev": "0504c1c577f941ef90649d64e5e6d07d6e295f48", 174 | "type": "github" 175 | }, 176 | "original": { 177 | "owner": "Shawn8901", 178 | "repo": "mimir-client", 179 | "type": "github" 180 | } 181 | }, 182 | "nixpkgs": { 183 | "locked": { 184 | "lastModified": 1748839788, 185 | "narHash": "sha256-5psmZZSPmIPFG5xR72PqySZD0VAb9uOLfOhzKzMyaMw=", 186 | "owner": "Shawn8901", 187 
| "repo": "nixpkgs", 188 | "rev": "29ac7f58f17d4c1f79720050f9f6972b00aa2c34", 189 | "type": "github" 190 | }, 191 | "original": { 192 | "owner": "Shawn8901", 193 | "ref": "nixos-unstable-custom", 194 | "repo": "nixpkgs", 195 | "type": "github" 196 | } 197 | }, 198 | "nixpkgs-stable": { 199 | "locked": { 200 | "lastModified": 1748926000, 201 | "narHash": "sha256-xYJZPIBcCKOcfdEI+FPac5YgsR4ec204WV4Jo4Z92IA=", 202 | "owner": "Shawn8901", 203 | "repo": "nixpkgs", 204 | "rev": "38a5d77df9d58cc87fb7920d64b8e348ac37917d", 205 | "type": "github" 206 | }, 207 | "original": { 208 | "owner": "Shawn8901", 209 | "ref": "nixos-25.05-custom", 210 | "repo": "nixpkgs", 211 | "type": "github" 212 | } 213 | }, 214 | "root": { 215 | "inputs": { 216 | "asus-numberpad-driver": "asus-numberpad-driver", 217 | "disko": "disko", 218 | "firefox-addons": "firefox-addons", 219 | "flake-parts": "flake-parts", 220 | "home-manager": "home-manager", 221 | "home-manager-stable": "home-manager-stable", 222 | "impermanence": "impermanence", 223 | "mimir": "mimir", 224 | "mimir-client": "mimir-client", 225 | "nixpkgs": "nixpkgs", 226 | "nixpkgs-stable": "nixpkgs-stable", 227 | "sops-nix": "sops-nix", 228 | "stfc-bot": "stfc-bot" 229 | } 230 | }, 231 | "sops-nix": { 232 | "inputs": { 233 | "nixpkgs": [ 234 | "nixpkgs" 235 | ] 236 | }, 237 | "locked": { 238 | "lastModified": 1747603214, 239 | "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=", 240 | "owner": "Mic92", 241 | "repo": "sops-nix", 242 | "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd", 243 | "type": "github" 244 | }, 245 | "original": { 246 | "owner": "Mic92", 247 | "repo": "sops-nix", 248 | "type": "github" 249 | } 250 | }, 251 | "stfc-bot": { 252 | "inputs": { 253 | "nixpkgs": [ 254 | "nixpkgs-stable" 255 | ] 256 | }, 257 | "locked": { 258 | "lastModified": 1747768922, 259 | "narHash": "sha256-yszvz7mchQwwybsRsHDCLbWCILhtaishV1LazrDYFBU=", 260 | "owner": "Shawn8901", 261 | "repo": "stfc-bot", 262 | "rev": 
"2d108ac322363bcea65a415df5998df03e75e878", 263 | "type": "github" 264 | }, 265 | "original": { 266 | "owner": "Shawn8901", 267 | "repo": "stfc-bot", 268 | "type": "github" 269 | } 270 | } 271 | }, 272 | "root": "root", 273 | "version": 7 274 | } 275 | -------------------------------------------------------------------------------- /flake.nix: -------------------------------------------------------------------------------- 1 | { 2 | description = "Flake from a random person on the internet"; 3 | 4 | inputs = { 5 | nixpkgs.url = "github:Shawn8901/nixpkgs/nixos-unstable-custom"; 6 | nixpkgs-stable.url = "github:Shawn8901/nixpkgs/nixos-25.05-custom"; 7 | home-manager = { 8 | url = "github:nix-community/home-manager"; 9 | inputs.nixpkgs.follows = "nixpkgs"; 10 | }; 11 | home-manager-stable = { 12 | url = "github:nix-community/home-manager/release-25.05"; 13 | inputs.nixpkgs.follows = "nixpkgs-stable"; 14 | }; 15 | sops-nix = { 16 | url = "github:Mic92/sops-nix"; 17 | inputs.nixpkgs.follows = "nixpkgs"; 18 | }; 19 | impermanence.url = "github:nix-community/impermanence"; 20 | mimir = { 21 | url = "github:Shawn8901/mimir"; 22 | inputs.nixpkgs.follows = "nixpkgs-stable"; 23 | }; 24 | mimir-client = { 25 | url = "github:Shawn8901/mimir-client"; 26 | inputs.nixpkgs.follows = "nixpkgs-stable"; 27 | }; 28 | stfc-bot = { 29 | url = "github:Shawn8901/stfc-bot"; 30 | inputs.nixpkgs.follows = "nixpkgs-stable"; 31 | }; 32 | firefox-addons = { 33 | url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons"; 34 | inputs.nixpkgs.follows = "nixpkgs"; 35 | }; 36 | flake-parts = { 37 | url = "github:hercules-ci/flake-parts"; 38 | inputs.nixpkgs-lib.follows = "nixpkgs"; 39 | }; 40 | disko = { 41 | url = "github:nix-community/disko"; 42 | inputs.nixpkgs.follows = "nixpkgs"; 43 | }; 44 | asus-numberpad-driver = { 45 | url = "github:shawn8901/asus-numberpad-driver/nixos_improvement"; 46 | inputs.nixpkgs.follows = "nixpkgs"; 47 | }; 48 | }; 49 | 50 | outputs = 51 | inputs@{ 52 | self, 53 | 
nixpkgs, 54 | flake-parts, 55 | ... 56 | }: 57 | flake-parts.lib.mkFlake { inherit inputs; } { 58 | debug = false; 59 | 60 | systems = [ 61 | "x86_64-linux" 62 | "aarch64-linux" 63 | ]; 64 | 65 | fp-lib.modules.privateNamePrefix = "shawn8901"; 66 | 67 | imports = [ 68 | ./parts/type-defs/hydra-jobs.nix 69 | ./parts/type-defs/modules.nix 70 | ./parts/type-defs/system.nix 71 | 72 | ./parts/zrepl-helper.nix 73 | ./parts/modules.nix 74 | ./parts/system.nix 75 | 76 | ./modules 77 | ./packages 78 | ./machines 79 | ]; 80 | 81 | flake.hydraJobs = 82 | let 83 | name = "merge-pr"; 84 | in 85 | { 86 | ${name} = nixpkgs.legacyPackages.x86_64-linux.releaseTools.aggregate { 87 | inherit name; 88 | meta = { 89 | schedulingPriority = 10; 90 | }; 91 | constituents = map (n: "nixos." + n) (nixpkgs.lib.attrNames self.nixosConfigurations); 92 | }; 93 | }; 94 | 95 | perSystem = 96 | { pkgs, ... }: 97 | { 98 | devShells.default = pkgs.mkShell { 99 | packages = with pkgs; [ 100 | direnv 101 | nix-direnv 102 | statix 103 | ]; 104 | }; 105 | }; 106 | }; 107 | } 108 | -------------------------------------------------------------------------------- /machines/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | inputs, 3 | lib, 4 | config, 5 | ... 
6 | }: 7 | { 8 | config.fp-lib.nixosConfigurations = { 9 | watchtower = { 10 | hostPlatform.system = "aarch64-linux"; 11 | nixpkgs = inputs.nixpkgs; 12 | home-manager = { 13 | input = inputs.home-manager; 14 | users = [ "shawn" ]; 15 | }; 16 | extraModules = [ 17 | ./watchtower/attic-server.nix 18 | ./watchtower/victoriametrics.nix 19 | ./watchtower/grafana.nix 20 | ]; 21 | }; 22 | next = { 23 | nixpkgs = inputs.nixpkgs-stable; 24 | }; 25 | pointalpha = { 26 | inherit (inputs) nixpkgs; 27 | home-manager = { 28 | input = inputs.home-manager; 29 | users = [ "shawn" ]; 30 | }; 31 | }; 32 | pointjig = { 33 | nixpkgs = inputs.nixpkgs-stable; 34 | home-manager = { 35 | input = inputs.home-manager-stable; 36 | users = [ "shawn" ]; 37 | }; 38 | extraModules = [ 39 | inputs.mimir.nixosModules.default 40 | inputs.stfc-bot.nixosModules.default 41 | ]; 42 | }; 43 | shelter = { 44 | nixpkgs = inputs.nixpkgs-stable; 45 | home-manager = { 46 | input = inputs.home-manager-stable; 47 | users = [ "shawn" ]; 48 | }; 49 | extraModules = [ inputs.disko.nixosModules.disko ]; 50 | }; 51 | tank = { 52 | inherit (inputs) nixpkgs; 53 | home-manager = { 54 | input = inputs.home-manager; 55 | users = [ "shawn" ]; 56 | }; 57 | extraModules = [ 58 | inputs.mimir.nixosModules.default 59 | inputs.stfc-bot.nixosModules.default 60 | ]; 61 | }; 62 | zenbook = { 63 | nixpkgs = inputs.nixpkgs-stable; 64 | home-manager = { 65 | input = inputs.home-manager-stable; 66 | users = [ "shawn" ]; 67 | }; 68 | extraModules = [ 69 | inputs.asus-numberpad-driver.nixosModules.default 70 | ]; 71 | }; 72 | trivia-gs = { 73 | nixpkgs = inputs.nixpkgs-stable; 74 | }; 75 | }; 76 | 77 | config.flake.hydraJobs = { 78 | nixos = lib.mapAttrs (_: cfg: cfg.config.system.build.toplevel) config.flake.nixosConfigurations; 79 | }; 80 | } 81 | -------------------------------------------------------------------------------- /machines/next/configuration.nix: 
--------------------------------------------------------------------------------
# NixOS configuration for "next": an internet-facing Nextcloud host on a
# static public IPv4/IPv6 address (see systemd.network below).
{ config, pkgs, ... }:
let
  sec = config.sops.secrets;
  ncExporter = config.services.prometheus.exporters.nextcloud;
in
{
  # sops-nix decrypts these at activation time. `root` keeps the sops-nix
  # default ownership (root, read-only for root); the other two are chowned so
  # that the consuming service account can read them.
  sops.secrets.root = { };
  sops.secrets.nextcloud-admin = {
    owner = "nextcloud";
    group = "nextcloud";
  };
  sops.secrets.prometheus-nextcloud = {
    owner = ncExporter.user;
    group = ncExporter.group;
  };

  systemd.network.enable = true;
  systemd.network.networks."20-wired" = {
    matchConfig.Name = "enp6s18";
    networkConfig = {
      Address = [
        "134.255.226.115/28"
        "2a05:bec0:1:16::115/64"
      ];
      # Plain UDP/53 to a public resolver: answers are neither encrypted nor
      # authenticated here, so ACME and Nextcloud name lookups trust whatever
      # comes back. NOTE(review): consider DoT/DNSSEC via resolved if that
      # matters for this host.
      DNS = "8.8.8.8";
      Gateway = "134.255.226.113";
    };
    routes = [
      {
        # Provider IPv6 gateway, installed as an on-link route.
        Gateway = "2a05:bec0:1:16::1";
        GatewayOnLink = "yes";
      }
    ];
  };

  services.fstrim.enable = true;
  # QUIC/HTTP3-capable nginx build used for the Nextcloud vhost.
  services.nginx.package = pkgs.nginxQuic;

  security.acme.defaults.email = "info@clansap.org";
  # NOTE(review): the kernel audit subsystem and auditd are explicitly switched
  # off on a public host (possibly overriding the shared server module), so
  # there is no execve/login audit trail to fall back on during incident
  # response. If this is a deliberate noise/performance trade-off, record the
  # reason here.
  security.audit.enable = false;
  security.auditd.enable = false;

  users = {
    # No imperative user management: the accounts, the root password hash and
    # the keys declared here are the complete truth on disk.
    mutableUsers = false;
    users.root = {
      hashedPasswordFile = sec.root.path;
      # Direct root login over SSH with this key. NixOS' sshd default
      # (PermitRootLogin = "prohibit-password") permits key-based root login;
      # sshd is not enabled in this file, so it presumably comes from the
      # server module. NOTE(review): an unprivileged admin user plus sudo
      # would keep root off the remote path entirely.
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMguHbKev03NMawY9MX6MEhRhd6+h2a/aPIOorgfB5oM shawn"
      ];
    };
  };

  shawn8901.server.enable = true;
  shawn8901.postgresql = {
    enable = true;
    package = pkgs.postgresql_16;
  };
  shawn8901.nextcloud = {
    enable = true;
    hostName = "next.clansap.org";
    package = pkgs.nextcloud30;
    home = "/var/lib/nextcloud";
    notify_push.package = pkgs.nextcloud-notify_push;
    # Admin and metrics credentials are read from the sops-managed files at
    # runtime, so they never end up in the Nix store.
    adminPasswordFile = sec.nextcloud-admin.path;
    prometheus.passwordFile = sec.prometheus-nextcloud.path;
  };
}
--------------------------------------------------------------------------------
/machines/next/hardware.nix:
-------------------------------------------------------------------------------- 1 | { pkgs, modulesPath, ... }: 2 | { 3 | imports = [ 4 | (modulesPath + "/profiles/qemu-guest.nix") 5 | (modulesPath + "/profiles/minimal.nix") 6 | ]; 7 | 8 | boot = { 9 | initrd.availableKernelModules = [ 10 | "uhci_hcd" 11 | "ehci_pci" 12 | "ahci" 13 | "sd_mod" 14 | "sr_mod" 15 | ]; 16 | kernelPackages = pkgs.linuxPackages; 17 | kernelParams = [ "memhp_default_state=online" ]; 18 | loader.grub = { 19 | enable = true; 20 | device = "/dev/sda"; 21 | }; 22 | }; 23 | 24 | fileSystems."/" = { 25 | device = "/dev/disk/by-uuid/6e32d049-bc7e-4382-b989-3c5eca7bc8ef"; 26 | fsType = "ext4"; 27 | }; 28 | 29 | fileSystems."/boot" = { 30 | device = "/dev/disk/by-uuid/1AFE-DFCF"; 31 | fsType = "vfat"; 32 | }; 33 | 34 | swapDevices = [ { device = "/dev/disk/by-uuid/6f049e18-ba0e-478b-a917-775abca0d3c2"; } ]; 35 | 36 | hardware.cpu.intel.updateMicrocode = true; 37 | } 38 | -------------------------------------------------------------------------------- /machines/next/secrets.yaml: -------------------------------------------------------------------------------- 1 | root: ENC[AES256_GCM,data:msCbl50rf/jRNASShuum7Pn0lRimI0cAVBYJbn+siJzHIZ1z9UmMt3QK2KmNAsiqfL4V4qbw5smXE5w797t5m1xmhJS/7Wq5zXknc9rWxJmFy9aDpeR2gkrrogOXAkuRWsMigvFR+LQIWw==,iv:bkJX6GkT6EWVSmsU9ycomUvKYoq7VLR+GwpvWh4LnX8=,tag:KAlCtY81IhGwealubjKi2A==,type:str] 2 | nextcloud-admin: ENC[AES256_GCM,data:t3YfMMub5+JO,iv:C1J0rOaDrs9LvrxPSbGo4RsJVdlw/Ef/BAmrCPJRznY=,tag:DqPC5VjQb2V+bf3P1U4tWA==,type:str] 3 | prometheus-web-config: ENC[AES256_GCM,data:hKL8l0qn5XkLQvpRayPZl9gWQWtlp5NqO+pV1RRfBneXdmxEtKIeU4VeQJZMHoHn22MZo/6m7fCJbnyP/QXrHu0anN5nBs6xq9YR4DPFX8LYZvBKZ48cEdZD,iv:9BFi++vvOfnkA9HBDtM+TJ48oWBdGOUg9cSgxgHhEbg=,tag:o44hmmw7WQrmR2bBqlVUWA==,type:str] 4 | prometheus-nextcloud: ENC[AES256_GCM,data:W9IiCtcZTBYheiC5Atj5EUXym8g=,iv:We/S4+SwEYy06a7L1lsGgNhqUkafd8BnxC3rPciHcno=,tag:SnE8swDEiegDMcqbSYTPdQ==,type:str] 5 | sops: 6 | kms: [] 7 | gcp_kms: 
[] 8 | azure_kv: [] 9 | hc_vault: [] 10 | age: 11 | - recipient: age1q5mka3zt3w0w4nqzlmdm5pwf3ktxnjf87qcdjjxdednsanryry2scfzh93 12 | enc: | 13 | -----BEGIN AGE ENCRYPTED FILE----- 14 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZRDlZTVBobUdmSVA2eHFY 15 | NndnM0p0MHRqU2pQUTUrVTk4dFh4eFJjNnl3CnpJd0xpVkZCeklpVjV0YUNQc2Uz 16 | K1JheDVMem1YRzdBSmNMUzI1bm9nSmsKLS0tIGRXcmZZamUvZWFrSm1OVXVuSmNJ 17 | cUtqQ3h0NkM0WHlGMU9uYXNuR0Q3Z0UKAs0uthO8+fHzvGxm7inR3N13d4jZeF// 18 | o/3WtKgcazjlxYRHD0GDVTC8QGQdTK4x8Mo9GRmKfYLGySHJpZ6xnA== 19 | -----END AGE ENCRYPTED FILE----- 20 | - recipient: age1uq4qun60snrl3t3yjqagrnjhsjma36kkdw3ypj9sntccwlgplfgq4ytdtj 21 | enc: | 22 | -----BEGIN AGE ENCRYPTED FILE----- 23 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0TFVMNDV5SHhUS2lYSWh2 24 | bk1lUVBucy9vSnJVbXU0b1RBVXFqUlVWdXc0ClpQc2ZpdU13MG5YdTF0TDRoYTZj 25 | cTBnQjN4Z3Q1VHNJZDdhak9La1JldFUKLS0tIGg1VlI3eWd3S3dMQWRKWElHZFBB 26 | YXNXWlhlbVNyakFLTjhlTytDK09UdE0KwuX/YEUEV++8tIC59+y+4cO0nabP/u8c 27 | nwSRi/sf3Fp00sIUqLVHShlv8UNI5R5q6CtEW7OlH+eoCMtoCrcyGw== 28 | -----END AGE ENCRYPTED FILE----- 29 | lastmodified: "2024-06-18T18:43:58Z" 30 | mac: ENC[AES256_GCM,data:O4p6krcPtWiZxTLRPHntoWC01IMOh0eDCJ/UynUDfnbmtgo7xziEJYRvyNesEeCnsNDBFRzVEJKszULJtuiV9EW+hE4hOr8VuB3q3Hc3sWNxtnFZzQDuumogHTO8kRJlmK58U38X4t9A9Z1rvuKkqyZLAzVFL06et+J96lwqpOo=,iv:I8pPfDxlcjH9YKbb9pAeeKI96hctMpDp3wQ4c7XgfdE=,tag:fh0xTn0LnKn4yH0pvb7qJA==,type:str] 31 | pgp: [] 32 | unencrypted_suffix: _unencrypted 33 | version: 3.8.1 34 | -------------------------------------------------------------------------------- /machines/pointalpha/configuration.nix: -------------------------------------------------------------------------------- 1 | { 2 | self, 3 | pkgs, 4 | lib, 5 | config, 6 | flakeConfig, 7 | modulesPath, 8 | ... 
9 | }: 10 | let 11 | hosts = self.nixosConfigurations; 12 | 13 | inherit (config.sops) secrets; 14 | 15 | allowUnfreePredicate = pkgs: (pkg: lib.elem (lib.getName pkg) pkgs); 16 | 17 | in 18 | { 19 | 20 | imports = [ "${modulesPath}/profiles/perlless.nix" ]; 21 | # We dont build fully perlless yet 22 | system.forbiddenDependenciesRegexes = lib.mkForce [ ]; 23 | 24 | nixpkgs.config.allowUnfreePredicate = allowUnfreePredicate [ 25 | "steam" 26 | "steam-run" 27 | "steam-original" 28 | "steam-unwrapped" 29 | "vscode" 30 | "vscode-extension-MS-python-vscode-pylance" 31 | "vscode-extension-mhutchie-git-graph" 32 | "deezer" 33 | "discord" 34 | "teamspeak-client" 35 | "teamspeak3" 36 | "tampermonkey" 37 | "betterttv" 38 | "teamviewer" 39 | "keymapp" 40 | "epsonscan2" 41 | "makemkv" 42 | ]; 43 | 44 | sops.secrets = { 45 | zrepl = { }; 46 | samba = { }; 47 | samba-ela = { }; 48 | }; 49 | 50 | systemd.services.userborn.before = [ "systemd-oomd.socket" ]; 51 | networking = { 52 | firewall.allowedTCPPorts = flakeConfig.shawn8901.zrepl.servePorts config.services.zrepl; 53 | networkmanager = { 54 | enable = true; 55 | plugins = lib.mkForce [ ]; 56 | }; 57 | nftables.enable = true; 58 | hosts."192.168.11.31" = lib.attrNames hosts.tank.config.services.nginx.virtualHosts; 59 | dhcpcd.enable = false; 60 | useNetworkd = false; 61 | useDHCP = false; 62 | }; 63 | systemd = { 64 | tmpfiles.rules = [ 65 | "d /media/nas 0750 shawn users -" # needed by own nas script for mounting 66 | "d /etc/exports.d 0750 root root" # needed by zfs to run 'zfs mount -a' 67 | ]; 68 | network.wait-online.anyInterface = true; 69 | }; 70 | 71 | services = { 72 | resolved.enable = false; 73 | udev.packages = [ pkgs.libmtp.out ]; 74 | udev.extraRules = '' 75 | # Keymapp / Wally Flashing rules for the Moonlander and Planck EZ 76 | SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", MODE:="0666", SYMLINK+="stm32_dfu" 77 | # Keymapp Flashing rules for the Voyager 78 | SUBSYSTEMS=="usb", 
ATTRS{idVendor}=="3297", MODE:="0666", SYMLINK+="ignition_dfu" 79 | ''; 80 | openssh = { 81 | enable = true; 82 | hostKeys = [ 83 | { 84 | path = "/persist/etc/ssh/ssh_host_ed25519_key"; 85 | type = "ed25519"; 86 | } 87 | { 88 | path = "/persist/etc/ssh/ssh_host_rsa_key"; 89 | type = "rsa"; 90 | bits = 4096; 91 | } 92 | ]; 93 | }; 94 | zfs = { 95 | trim.enable = true; 96 | autoScrub = { 97 | enable = true; 98 | pools = [ "rpool" ]; 99 | }; 100 | }; 101 | printing = { 102 | enable = true; 103 | browsed.enable = false; 104 | listenAddresses = [ "localhost:631" ]; 105 | drivers = [ pkgs.epson-escpr2 ]; 106 | }; 107 | zrepl = { 108 | enable = true; 109 | package = pkgs.zrepl; 110 | settings = { 111 | global = { 112 | monitoring = [ 113 | { 114 | type = "prometheus"; 115 | listen = ":9811"; 116 | listen_freebind = true; 117 | } 118 | ]; 119 | }; 120 | jobs = [ 121 | { 122 | name = "pointalpha_safe"; 123 | type = "source"; 124 | filesystems = { 125 | "rpool/safe<" = true; 126 | }; 127 | snapshotting = { 128 | type = "periodic"; 129 | interval = "1h"; 130 | prefix = "zrepl_"; 131 | }; 132 | send = { 133 | encrypted = false; 134 | compressed = true; 135 | }; 136 | serve = { 137 | type = "tls"; 138 | listen = ":8888"; 139 | ca = ../../files/public_certs/zrepl/tank.crt; 140 | cert = ../../files/public_certs/zrepl/pointalpha.crt; 141 | key = secrets.zrepl.path; 142 | client_cns = [ "tank" ]; 143 | }; 144 | } 145 | ]; 146 | }; 147 | }; 148 | teamviewer.enable = false; 149 | smartd = { 150 | enable = true; 151 | devices = [ { device = "/dev/nvme1"; } ]; 152 | }; 153 | pipewire = { 154 | wireplumber.extraConfig = { 155 | "10-bluez"."monitor.bluez.properties" = { 156 | "bluez5.enable-sbc-xq" = true; 157 | "bluez5.enable-msbc" = true; 158 | "bluez5.enable-hw-volume" = true; 159 | }; 160 | "11-bluetooth-policy"."wireplumber.settings"."bluetooth.autoswitch-to-headset-profile" = false; 161 | }; 162 | }; 163 | }; 164 | 165 | hardware = { 166 | amdgpu.initrd.enable = true; 167 | sane = 
{ 168 | enable = true; 169 | extraBackends = [ 170 | (pkgs.epsonscan2.override { 171 | withNonFreePlugins = true; 172 | withGui = true; 173 | }) 174 | ]; 175 | }; 176 | keyboard.zsa.enable = true; 177 | }; 178 | 179 | programs = { 180 | ausweisapp = { 181 | enable = true; 182 | openFirewall = true; 183 | }; 184 | nh.flake = "/home/shawn/dev/nixos-configuration"; 185 | kdeconnect.enable = true; 186 | droidcam.enable = true; 187 | }; 188 | 189 | virtualisation = { 190 | libvirtd = { 191 | enable = false; 192 | onBoot = "start"; 193 | qemu.package = pkgs.qemu_kvm; 194 | }; 195 | }; 196 | 197 | nix.settings = { 198 | keep-outputs = true; 199 | keep-derivations = true; 200 | cores = 7; 201 | }; 202 | environment = { 203 | systemPackages = [ pkgs.cifs-utils ]; 204 | etc = { 205 | "samba/credentials_ela".source = secrets.samba-ela.path; 206 | "samba/credentials_shawn".source = secrets.samba.path; 207 | }; 208 | sessionVariables = { 209 | WINEFSYNC = "1"; 210 | WINEDEBUG = "-all"; 211 | }; 212 | }; 213 | users.users.root.openssh.authorizedKeys.keys = [ 214 | "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGsHm9iUQIJVi/l1FTCIFwGxYhCOv23rkux6pMStL49N" 215 | ]; 216 | users.users.shawn.extraGroups = [ 217 | "video" 218 | "audio" 219 | "scanner" 220 | "lp" 221 | "networkmanager" 222 | ]; 223 | 224 | shawn8901.desktop.enable = true; 225 | 226 | nixpkgs.config.packageOverrides = pkgs: { 227 | udisks2 = pkgs.udisks2.override { 228 | btrfs-progs = null; 229 | nilfs-utils = null; 230 | xfsprogs = null; 231 | f2fs-tools = null; 232 | }; 233 | 234 | kdePackages = pkgs.kdePackages.overrideScope ( 235 | self: super: { 236 | akonadi = super.akonadi.override { 237 | backend = "postgres"; 238 | }; 239 | } 240 | ); 241 | }; 242 | } 243 | -------------------------------------------------------------------------------- /machines/pointalpha/hardware.nix: -------------------------------------------------------------------------------- 1 | { 2 | pkgs, 3 | modulesPath, 4 | ... 
5 | }: 6 | let 7 | zfsOptions = [ 8 | "zfsutil" 9 | "X-mount.mkdir" 10 | ]; 11 | in 12 | { 13 | imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; 14 | 15 | boot = { 16 | initrd = { 17 | availableKernelModules = [ 18 | "ahci" 19 | "xhci_pci" 20 | "usbhid" 21 | "sd_mod" 22 | "sr_mod" 23 | ]; 24 | systemd.enable = true; 25 | }; 26 | kernelModules = [ 27 | "kvm-amd" 28 | "cifs" 29 | "usb_storage" 30 | "k10temp" 31 | "ntsync" 32 | "sg" 33 | ]; 34 | kernelPackages = pkgs.linuxPackages; 35 | extraModprobeConfig = '' 36 | options zfs zfs_arc_max=4294967296 37 | options nct6775 force_id=0xd420 38 | ''; 39 | supportedFilesystems = [ 40 | "zfs" 41 | "ntfs" 42 | ]; 43 | zfs = { 44 | devNodes = "/dev/disk/by-id"; 45 | package = pkgs.zfs_2_3; 46 | }; 47 | loader = { 48 | systemd-boot.enable = true; 49 | efi.canTouchEfiVariables = true; 50 | }; 51 | tmp.useTmpfs = false; 52 | }; 53 | 54 | fileSystems = { 55 | "/" = { 56 | device = "rpool/local/root"; 57 | fsType = "zfs"; 58 | options = zfsOptions; 59 | }; 60 | 61 | "/var/log" = { 62 | device = "rpool/local/log"; 63 | fsType = "zfs"; 64 | options = zfsOptions; 65 | neededForBoot = true; 66 | }; 67 | 68 | "/persist" = { 69 | device = "rpool/safe/persist"; 70 | fsType = "zfs"; 71 | options = zfsOptions; 72 | neededForBoot = true; 73 | }; 74 | 75 | "/nix" = { 76 | device = "rpool/local/nix"; 77 | fsType = "zfs"; 78 | options = zfsOptions; 79 | }; 80 | 81 | "/home" = { 82 | device = "rpool/safe/home"; 83 | fsType = "zfs"; 84 | options = zfsOptions; 85 | }; 86 | 87 | "/steamlibrary" = { 88 | device = "rpool/local/steamlibrary"; 89 | fsType = "zfs"; 90 | options = zfsOptions; 91 | }; 92 | 93 | "/boot" = { 94 | device = "/dev/disk/by-label/EFI"; 95 | fsType = "vfat"; 96 | options = [ 97 | "x-systemd.idle-timeout=1min" 98 | "x-systemd.automount" 99 | "noauto" 100 | ]; 101 | }; 102 | }; 103 | 104 | hardware.cpu.amd.updateMicrocode = true; 105 | hardware.enableRedistributableFirmware = true; 106 | } 107 | 
-------------------------------------------------------------------------------- /machines/pointalpha/home.nix: -------------------------------------------------------------------------------- 1 | { 2 | self', 3 | pkgs, 4 | lib, 5 | ... 6 | }: 7 | let 8 | fPkgs = self'.packages; 9 | in 10 | { 11 | shawn8901.desktop.enable = true; 12 | 13 | home.packages = [ 14 | pkgs.keymapp 15 | pkgs.teamspeak3 16 | pkgs.portfolio 17 | pkgs.attic-client 18 | pkgs.pytr 19 | fPkgs.jameica-fhs 20 | pkgs.makemkv 21 | pkgs.libation 22 | (pkgs.asunder.override { mp3Support = true; }) 23 | ]; 24 | 25 | systemd.user.services.attic-watch-store = { 26 | Unit = { 27 | Description = "Upload all store content to binary catch"; 28 | }; 29 | Install = { 30 | WantedBy = [ "default.target" ]; 31 | }; 32 | Service = { 33 | ExecStart = "${lib.getExe pkgs.attic-client} watch-store nixos"; 34 | }; 35 | }; 36 | } 37 | -------------------------------------------------------------------------------- /machines/pointalpha/impermanence.nix: -------------------------------------------------------------------------------- 1 | { config, ... 
}: 2 | 3 | { 4 | boot.initrd.systemd.services.initrd-rollback-root = { 5 | after = [ "zfs-import-rpool.service" ]; 6 | requires = [ "zfs-import-rpool.service" ]; 7 | before = [ "sysroot.mount" ]; 8 | wantedBy = [ "initrd.target" ]; 9 | description = "Rollback root fs"; 10 | serviceConfig = { 11 | Type = "oneshot"; 12 | ExecStart = "${config.boot.zfs.package}/sbin/zfs rollback -r rpool/local/root@blank"; 13 | }; 14 | }; 15 | 16 | security.sudo.extraConfig = '' 17 | Defaults lecture = never 18 | ''; 19 | 20 | environment.persistence."/persist" = { 21 | hideMounts = true; 22 | directories = [ 23 | "/etc/NetworkManager/system-connections" 24 | "/var/lib/bluetooth" 25 | "/var/lib/cups" 26 | "/var/lib/libvirt" 27 | "/var/lib/NetworkManager" 28 | "/var/lib/nixos" 29 | "/var/lib/prometheus2" 30 | "/var/lib/systemd" 31 | "/var/lib/upower" 32 | ]; 33 | files = [ "/etc/machine-id" ]; 34 | }; 35 | } 36 | -------------------------------------------------------------------------------- /machines/pointalpha/secrets-home.yaml: -------------------------------------------------------------------------------- 1 | attic: ENC[AES256_GCM,data:afPuiMkbeeKoWv7FBUJwO2ehzgxi8QOYPscfo6A2Zx05ci0+MaR4+e0jNQsjva4e1HboA8RYV7N+HPCJHdIivBmZhzhzQPm+Ff366H3wlAZLFgu7qZeoC9mOhzHAydU2ititqJ1WM2CvgHRzOS+qbQEQSoT64P7G+oY1+2dKNWdv05YQlpHQrYMjHkHF/HAOigdLmDRBAK3I1sw6MlQijMThS0qww+sljiSVDmx7jCU3hAQoMqoIVZJrUWI2shvNLpT5A0ngDhiwe/IV5vihrzFptm02bb8KMKmRXcU0LVdc5k29PrIhZt3nlLpijV+ys6tNa83k8n2AnKTmhaWmSdF580uTqfYb+BjwpxdQJHliR9dTjjvcHksC9UnzAUAam2dza54iTu1WzM7QnKTbU1yemuO0zKL9TpVPGAXkPxoaHwrG/vQGwGNjnLnO4yiQyw8kfUZfoOW7u+2EweVU3VfHK6j4rcXlYnjDjwlDoMIwZX/mMnOmxRF4vKZbLgssIO+Qv/Q=,iv:nGFtdVyriIU3VUBHyOaSE5N6XlHcTx9Lbjaej58HcqI=,tag:H4XuMnxJf6BYek0vJmsIxg==,type:str] 2 | sops: 3 | kms: [] 4 | gcp_kms: [] 5 | azure_kv: [] 6 | hc_vault: [] 7 | age: 8 | - recipient: age1q5mka3zt3w0w4nqzlmdm5pwf3ktxnjf87qcdjjxdednsanryry2scfzh93 9 | enc: | 10 | -----BEGIN AGE ENCRYPTED FILE----- 11 | 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbGRMYlBaRUVtM09hQlRF 12 | SzM3dWc4T3FWTTk2SFZaRDJvSFFzSXhzZnd3Cld6Ti8ra1EzTW9ZSFNWc0d5M1hC 13 | TXoyeDhhdjhVcmxLQWJJWWQyMzFXYjQKLS0tIDRxNm5iMFBOenJsZWsxSzhNMzlP 14 | QnNkaEZkWXowUG1UdFFqajVMcHIzVTQK1Ls0dzYLpBMMbpm/kn9IlJFtdIu+nI2V 15 | hc2gKXb1Ajx1/ExRFczIaE9MbTwHn97YM13wjRQLk6p8X0SGzzmDCg== 16 | -----END AGE ENCRYPTED FILE----- 17 | - recipient: age1fepqavsyfukjf72ajv9cwp6r62hnlz4h6hgxw4wsddrlaqm8e42sns70ws 18 | enc: | 19 | -----BEGIN AGE ENCRYPTED FILE----- 20 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPNG9PNHR6QlZYVlFLVXhp 21 | OVMxK1ZFQWdTMGJkeUlkendIV1hBU1Rhc1JNCnJrd0xmNXpqdy85VUIxbGJQeSs4 22 | UXRpT0lhcmkzQkhNa0xlTENRR3ljUkUKLS0tIEQzN0lhSmptVi9odkVOSXlmYk9t 23 | VjFkT1ZNakl4bi9Kd3k3VGp2YjVjTzQKNzawbIl0qTTQQ9kivoLjrcv7uLkPG0Dt 24 | dmneM2slHaDBi4meYLyQvLKeawb+oTsFjNc2C2anzzhiwHsEhDws8A== 25 | -----END AGE ENCRYPTED FILE----- 26 | lastmodified: "2025-01-01T23:13:09Z" 27 | mac: ENC[AES256_GCM,data:aORzDw96xS93Ynbgig6okGu+/589AqIYtPddAvCJTowrykQF/tPnir3SXaHnyXO16IWVjxN56IbYOqLfImy6n2lcjOHY5vT1dszxQfW9OOggLPKBAd/5EoDVXdVaOFAx98oRdz3my4T+SI39IyyVyCTY9zfKxgIZPgZDm2EA/6w=,iv:RqE+xk3Pg1HTmG/l2W6+U06f2EjRYSc1jLlLVewZiso=,tag:r+qEs8LeVcrOyfbxDDHLjQ==,type:str] 28 | pgp: [] 29 | unencrypted_suffix: _unencrypted 30 | version: 3.9.2 31 | -------------------------------------------------------------------------------- /machines/pointalpha/secrets.yaml: -------------------------------------------------------------------------------- 1 | samba: ENC[AES256_GCM,data://MCbFkCiKhrV2WR/DhYJHDn5KFy/JJyT9XAQZCt6MaheA==,iv:4Gv/Z94N7peWbxkUnEhrmTzsHooarRjSq4fZjbvJ/Hw=,tag:zEA3O/ApSh3Nz8slJIEfiA==,type:str] 2 | samba-ela: ENC[AES256_GCM,data:jVbCxG3JMQ/kK/Ng4DiVMuoC/XQkfeViyyCXr3rid20=,iv:rH13mDAxp9yDwM2Xh8vBnYaN3MAvQSHdkkWpR3ZoV2s=,tag:BUnZ5B4FwGEjDmfAw5k6sA==,type:str] 3 | zrepl: 
ENC[AES256_GCM,data:qfoK9HefAgIMR2Nw6CjHqsW6l3MzhH7knpdLq8nHYBuCZv5xTJ7obQXvZTal6bF2VQ3D3aQJ6xWAbXAPqA/iDpMckTuq7i1VN4PP0ap2Qs4KPgf3My0yiASceBoPIg9Iucjl2vpZ3vCXzr++3Hh8fNatsJpybszGw6h1Y4tAMz5/0xY/hYpnSVYu/Axr+qoVCXltrWRWcdIDwJ02ufqginVt6CruT47fW795xpttFNSg5LalHgkOYH1CYndhNxZBwGgdsMp0X5ymm9if6qaDNoIVppymWc0tJNVvl2ellViGqtRDCgWb3SXa789kjNfDIALwFSLn98VoCtG1CU1RJe7waYq44rAf+MiLXs2OPyCQPWC+S/0MpkQ3wHLS7hfgm8eXvw4fxKREDauBnvwAbySAL7wA53+JuO2b/ZbH++l2ZJwMH8ePpRyAumSMStd4Q5b+RAYnVHPtfnDU/v3gHAvPRqv4d1fMHqieN1OQQD3TTDBl1HsmNN5gIoZUXGDRY0CNAnbbWwbI0AF/6Ffb83ji7Y7HsfzwaqHWgahc9F6g14I331WxcJTsRZkt/o1Y2u2d8UJPLO4Q/AramO3pPQT0ZP3HvFni8xpfyJ49yqiNt90/Heqi8jUguO/QxarspK+PVTLl6mGaO8llWUpYYlV831ixIA+7Xoh7tTIhsbil8N/ywx7J9buG1Kr2F7gkfFzr0vGoKEuwksst5sfmjKMrz3h7SfOsdymes2mn1sLhaB5kQ02Wa4+ssw0Fkc0nOcowuhgjGeyIuyb02+7klHx9LGG3Ks8EoalK1hZeWpkEBUueHZJmINke+CZkxtbws/YVj0ufq+7jQ/OChHUuolmEfwGOjA8aIzjBZbtnbThE3H5SYydGObW/Ph7qFINqwruVqoIilk2/BwQnvJSfbDMf0Q0B0HQ+rRgLCj6DoGUjr0Cn9fDrP5t6iuYL6uMsJjVaA0EmWT9m8mbEZRrWs8YTEtbwFPx+jxsByK7iSwze4DmbUzKTzYn1NpqlXcgRvh5KlbspPwLFmkAtfLWH7aw2cq5a0OgS14Unjvhr7Iib82Rj3rvPM84wjUBEpfKm+usbNan/LT1x1Y4/gQKD4OgFlavTrEHITreI3ainD3uJa8yLEKriSOUCOT3+oR75zTE7nu0J3bk0TKrMUz+5lKn4xA/2McBorc8YKj388U/lOVogR/Wff+tlgQtXFD089GQZ7Azv3UM1JQjHiPM/JYMPvu3U2xAiUCljp6a5I/J42H/mQCITpq/7W5o8WujsFwhHFBtZ8wnPkstCcKdN5OSct5PRFLfcltbnXLzI++8mCosGlqP2cO2Zj9VU3HzJ2OkaQRImz0W5xoEsjfUqT2NFZ51uczk1cPfx1J9pxqYUrOpj2N/6uIETry+iXTK1UVOROwvRyQYcC009Cpec+0q4KPourCbyA2HygV8gCFa+JL/iEgUYsH98yhHoFZvIl55Qa2W6NdpkVSw5jHQeMm+C0TQfE2jt63pXTKCbRtDh2ZFp/ntu8ff3mBQVaKDjh7FIMwAaNa0MgKFUkG61/0Ge4mI72UG1uot3RUDMIqS31PmvNaT/lDd22FwBYTXHC32bgI5yRzPmnSQcOQkDTfKpFVdzdxjbNsgGUfs9dVi4BEF6Uu8ZhWeojAD5UZ7Zkd7kA40EW1T+ekcfPOIIaazyCc+ahYNxG++a4WYIH2qAJ30BPj98QizVHp6YS5T7T7M6fHMNoJ/Dz3loGpwNcwChHQVAO5N5Owr047I7BPQeydOSbgYOhCqiU0byXe0m1E51JfxxyjtpdVLXht9KPygnFJNpmbiIwN5hS2E5KvfNrBJkkgRHDCZQxyojp/7f7KNeak5oSCfblI8sWFMhOsuedFAMlsYoD3ANa+S7hC2BzR9HTdRClzhgvxL8HQCyhumXepgcpC8dktZydMd9yfYyK0bgllGJmN5f0cC7BTyMRB6gyvy5ccHF4FSn
aPI3Q8QCtWSZwoVQkVIlufreCsR3MCo+ThgL0ETV25QpJzc+jpisP6PHvkY0y7jRpY9qZxwn+2lCI8+8FEPUV46VJBU+ijE5s9/NTK/9nwPH1uARJkcdLxPLJWDfxKh8BxvhSWe94/EfwFjtnO1USvOE+XLjRl6mYfslEd52xdhRNq2f/btH68edG9X6K1uL3N0HFFtTIGFrK0WmgcrEiu4Sb2++2ScY/9WdgwaTethjRFuTeKvzCS0mMdnnKLPdBiNoHk6evifRP3Nb3U2tQFHD4DCX+1pVJ9E9ie3rVoVx7WCo0FJERZrDTLCj9BhSDklPQ5SzhBnw6rbdGMhq6J0w5KLPeTwW5ARIsmJXNFqfXPKen3DkcdhMlejz/PkqvxtXiO4BkiZKT2j1tYldBAC7Ox1bdH8bFmluRIHWq407P9ssedrXpmBUwctnKrSsclHiQ+CqpcjvdAQNURAASG4DHuuGqGENAGuPe0WJfonQJWLVRBK6lcpcd9k7iTmmcHllVjvDjcKfCmMYonBYuBLM1Di11N2LZH/FuN+ZXBUjRL1VoynwU39HewUC1xQjoJ8bD9BuZM5NedlNgCJiq36y0pE0fqZ/9YwD5BtTm+D6VaI80o5gHKM0VHFCGjGB07Qlr8MJBqilWPlEidhcBOV4vYi/mPqGeDTQOzYnXMtwseuIzIjeFikHaCkMtYraEtRBhQiPabhFBF2s3j8Ia8oBAuDjzcNSLsDJ0tBmT3Q7VUzOYtP8AJt2hjY8zZg6Fwn8XQa5iru7SGptGLr/75Qrcbr5glvCxNgZg2A9vwvkDvEaC7c3gKxExNKhfbXn7eCeGqrmjb+46tfxfyZHW1CAN6NV+8MJtqfQHdjw1TIiGs8t9pXIcyft6FgpkddgqmpHgK9gt5IP9s9m4hQ1+cLsnooul+LwQPyHJrwOPW560CyTxsePz6r2v25Qc1jn5KkjvVw7A1f4KtaXRJEPyFUVt3md4kYCTwkDAavSdPJTIaetUNh9y7mokb7DeuRndxqtzFtZL9X8wwfWGHWxnG6zJ0G4GmbE8Iv3ggI7xh7+0UJqyJmdUGktpdUbq4fvIJMq/rX5sBE6cKPah6JYecbof4vpQj4XYxmHFZ3LCihL4G5ZU5HY3DV/u4pawJBK+2U2mVPXyKDIvm8Rxs9eKLNK5dZI2mS4+BHi24IJudOqUZpUp0mTBb+DnY+YDBnuHc8FO5jawgHBA3FGKuKLC4k2keTjb1kig+OGPSs++mwYiTsYXkbr5OzQwgcXwwZa8IX84xBOi+VVWsVICJVenvbDGviOEDO9c9Y1OG5SlHjQNLA8dL/b8Hh0nHj8pCrzLRb809qK6PDAs/+yQCAUn9HgLFCCDTUKOa6WHP07DKaJy/WWSjyVR19vwS7LylWtCTziNcpBZCzATIAIq2no1TMkv3f7saDRaZSGnzd016EdEc1MDIf4Xlh1LeYT4sciHH5elo48erci7DLA6Tek4V3K64xQH2BDqJlJ4j12KcA4mk/pZ7X64y7yh7b43m16VG4gK+2Pari4gL1uNX3HCQxl2wVYuS+4W7hZvvWtLEoc84RYEZqjSZJ0VLNtJ5SPUrEw3LrIVbUjjPPJ17Kd+j/KQzDEF2zzS1+2DAer+WVccvcTjoWP8utVlV+dUv+sEIsTTAWKQxMfW4ELvZRrTi4tjnY2wgZKs9HBu3kzHa9bEMDpKZcVqt3hxTppm2D4kBNjH7wrOwVfpWwPonhPmsP2joK9ct9KchRJJb6vgmxKqkk/VBYKs4CnZQAGtdyLcUU1snlF7Bg81Np+ckjafSih6KmG3B3/NM/kdLTNmVWaMz2y8xR3U3sVkVT+odJUy4Zgin2GNa26Es0u9+a7lgL0iQ2ILIARzjuNOwAmuo5yKrsbIQHnBGR/kyJEPMf9jPhaR1m0PYssz+czzfG4jr3b9sWGHYew5eFVwWA02yiGglNKXMyGYI/cIkVFxBCqKcQlVfXkO6aJqO4G
vva8vV6SJz623E0l1xJU1KJL3jGSRkdRf0q0t0yqytqTeZtqyrW1ZCKMuXxreRwllMFyhNvDjuZcVYCsQLLqi0wiAIJkQAgbWjcUECfQWOtREQs9e+j3fiJ194ehCAT7kX1pJmHws7gy30k1jo8CVwLMUs4IYfnFRzlIQkjl0WOZI+610Xj+Vp838jSaTC/GZROCSf6/EDzM0ULVbqZReBOi+IEQi/p+xxzIEJBhULBr9Jo719/43jqxlwzP1ggZXvZplrWUfi+1IB8QkxpSsjFV3R7B+r6L1t+y8JmvtDGOyWdAuhVf4GYIfDtuDEX5itE6rJI8EsBAMgQ50YIwlyDPooWo8DcLEzQj2fUOh/TOO/JZxp2aX4i0EZArV6s=,iv:FqXKmLJSmdYzhU6Fkz2qL+yXGrP9gjGwvxD/ODnFUSc=,tag:Fh7aMnIY+qjouk5N+XpCww==,type:str] 4 | sops: 5 | kms: [] 6 | gcp_kms: [] 7 | azure_kv: [] 8 | hc_vault: [] 9 | age: 10 | - recipient: age1q5mka3zt3w0w4nqzlmdm5pwf3ktxnjf87qcdjjxdednsanryry2scfzh93 11 | enc: | 12 | -----BEGIN AGE ENCRYPTED FILE----- 13 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtc2VsQkZNMERrU1BvRmhV 14 | T0JnVFlKN1QxSk5MZ3dHMnlyWW42WUVocFhZCk5BYm0xcmFEQ2xweEhCQmo3ZDMv 15 | clZmR0ZlR0VNay83aFV3MXhVTjhsK2sKLS0tIFVpTitKa3o1eENYVm16R1BtbjRT 16 | SDEwZU9TV3VYbVBiOVNla0trYTh0ejQKfK23Tmr2nct85lYC/LbRgLaC1OZHqQlh 17 | lka3ecCii4ay02O/ErOb/B5vFhU8EhfJaozTGn9yIO7nUmUSoE/TUQ== 18 | -----END AGE ENCRYPTED FILE----- 19 | - recipient: age1fepqavsyfukjf72ajv9cwp6r62hnlz4h6hgxw4wsddrlaqm8e42sns70ws 20 | enc: | 21 | -----BEGIN AGE ENCRYPTED FILE----- 22 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPNGhFc0c1dkkrZjlIZ3JM 23 | a0oxRjZDb3hyWEdpRXZ4T1JEQXBsU3hub3pNClhpY0k2WllYYi9TQXNOUWdPaUZQ 24 | VmsvSXAxNEI1K0pQbXMvcTdDTGg1K1kKLS0tIHNXU3VvLzF5RjV1aUx0bGd5VUUv 25 | emlKYi9Nb09WMkdLdHVTTTYvd09xRncKTSBkRmrUlF/Lng+4EC0SrGJRSpwGe6Go 26 | 15vvztGaqAK7C5sBcXD4xjvTBM7gcBKvQ+1hOUnGKF5jAWQFhVtOrg== 27 | -----END AGE ENCRYPTED FILE----- 28 | lastmodified: "2024-12-11T18:15:25Z" 29 | mac: ENC[AES256_GCM,data:lv96bhqXW0E18YtZkBvQk2chPbJhX+gPgRWjtHbakFinfcGGiG36z6pHr0dLSXs3vO2/mqS3TCZEmv1wvjEbxAeUgbi2Ze/NyjWXA533bblwymMYQD4h5RQ85NhVstMDj6nDNbFqcU6XJYynJsjbjXVQq1cqN9zt4sW2U8jL6vI=,iv:zzx/3tal8wxr2dYsDGZ0Yx6BYR24X+W1Rj+Vu1HW6aQ=,tag:sjmTMVpagDppKBlSKHqpgQ==,type:str] 30 | pgp: [] 31 | unencrypted_suffix: _unencrypted 32 | version: 3.9.1 33 | 
-------------------------------------------------------------------------------- /machines/pointjig/configuration.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | inputs', 4 | pkgs, 5 | ... 6 | }: 7 | let 8 | inherit (config.sops) secrets; 9 | mailHostname = "mail.pointjig.de"; 10 | in 11 | { 12 | sops.secrets = { 13 | sms-technical-passwd = { }; 14 | sms-shawn-passwd = { }; 15 | mimir-env = { 16 | owner = "mimir"; 17 | group = "mimir"; 18 | }; 19 | stfc-env = { 20 | owner = "stfcbot"; 21 | group = "stfcbot"; 22 | }; 23 | stalwart-env = { }; 24 | }; 25 | 26 | networking.firewall = { 27 | allowedUDPPorts = [ 443 ]; 28 | allowedTCPPorts = [ 29 | 80 30 | 443 31 | # Mail ports for stalwart 32 | 25 33 | 587 34 | 993 35 | 4190 36 | ]; 37 | }; 38 | 39 | systemd = { 40 | network = { 41 | enable = true; 42 | networks = { 43 | "20-wired" = { 44 | matchConfig.Name = "enp6s18"; 45 | networkConfig = { 46 | Address = [ 47 | "134.255.226.114/28" 48 | "2a05:bec0:1:16::114/64" 49 | ]; 50 | DNS = "8.8.8.8"; 51 | Gateway = "134.255.226.113"; 52 | }; 53 | routes = [ 54 | { 55 | Gateway = "2a05:bec0:1:16::1"; 56 | GatewayOnLink = "yes"; 57 | } 58 | ]; 59 | }; 60 | }; 61 | wait-online.anyInterface = true; 62 | }; 63 | services.stalwart-mail.serviceConfig = { 64 | User = "stalwart-mail"; 65 | EnvironmentFile = [ secrets.stalwart-env.path ]; 66 | }; 67 | }; 68 | 69 | # So that we can read acme certificate from nginx 70 | users.users.stalwart-mail.extraGroups = [ "nginx" ]; 71 | 72 | services = { 73 | fstrim.enable = true; 74 | postgresql = { 75 | settings = { 76 | max_connections = 200; 77 | shared_buffers = "1GB"; 78 | effective_cache_size = "3GB"; 79 | maintenance_work_mem = "256MB"; 80 | checkpoint_completion_target = 0.9; 81 | wal_buffers = "16MB"; 82 | default_statistics_target = 100; 83 | random_page_cost = 4; 84 | effective_io_concurrency = 2; 85 | work_mem = "1310kB"; 86 | huge_pages = "off"; 87 | min_wal_size = "1GB"; 88 
| max_wal_size = "4GB"; 89 | track_activities = true; 90 | track_counts = true; 91 | track_io_timing = true; 92 | }; 93 | ensureDatabases = [ "stalwart-mail" ]; 94 | ensureUsers = [ 95 | { 96 | name = "stalwart-mail"; 97 | ensureDBOwnership = true; 98 | } 99 | ]; 100 | }; 101 | nginx = { 102 | package = pkgs.nginxQuic; 103 | virtualHosts."pointjig.de" = { 104 | enableACME = true; 105 | forceSSL = true; 106 | globalRedirect = mailHostname; 107 | }; 108 | virtualHosts."${mailHostname}" = { 109 | serverName = "${mailHostname}"; 110 | forceSSL = true; 111 | enableACME = true; 112 | http3 = true; 113 | kTLS = true; 114 | locations = { 115 | "/" = { 116 | proxyPass = "http://localhost:8080"; 117 | recommendedProxySettings = true; 118 | }; 119 | }; 120 | }; 121 | }; 122 | stne-mimir = { 123 | enable = true; 124 | domain = "mimir.pointjig.de"; 125 | clientPackage = inputs'.mimir-client.packages.default; 126 | package = inputs'.mimir.packages.default; 127 | envFile = secrets.mimir-env.path; 128 | unixSocket = "/run/mimir-backend/mimir-backend.sock"; 129 | }; 130 | stfc-bot = { 131 | enable = true; 132 | package = inputs'.stfc-bot.packages.default; 133 | envFile = secrets.stfc-env.path; 134 | }; 135 | stalwart-mail = { 136 | enable = true; 137 | settings = { 138 | store.db = { 139 | type = "postgresql"; 140 | host = "localhost"; 141 | password = "%{env:POSTGRESQL_PASSWORD}%"; 142 | port = 5432; 143 | database = "stalwart-mail"; 144 | }; 145 | storage.blob = "db"; 146 | 147 | authentication.fallback-admin = { 148 | user = "admin"; 149 | secret = "%{env:FALLBACK_ADMIN_PASSWORD}%"; 150 | }; 151 | lookup.default.hostname = mailHostname; 152 | certificate.default = { 153 | private-key = "%{file:/var/lib/acme/${mailHostname}/key.pem}%"; 154 | cert = "%{file:/var/lib/acme/${mailHostname}/cert.pem}%"; 155 | default = true; 156 | }; 157 | spam-filter.resource = "file://${pkgs.stalwart-mail}/etc/stalwart/spamfilter.toml"; 158 | webadmin = { 159 | path = "/var/cache/stalwart-mail"; 160 
| resource = "file://${pkgs.stalwart-mail.webadmin}/webadmin.zip"; 161 | }; 162 | 163 | server = { 164 | http.use-x-forwarded = true; 165 | tls.enable = true; 166 | listener = { 167 | "smtp" = { 168 | bind = [ "[::]:25" ]; 169 | protocol = "smtp"; 170 | }; 171 | "submission" = { 172 | bind = [ "[::]:587" ]; 173 | protocol = "smtp"; 174 | }; 175 | "imaptls" = { 176 | bind = [ "[::]:993" ]; 177 | protocol = "imap"; 178 | tls.implicit = true; 179 | }; 180 | "sieve" = { 181 | bind = [ "[::]:4190" ]; 182 | protocol = "managesieve"; 183 | }; 184 | "http" = { 185 | bind = [ "127.0.0.1:8080" ]; 186 | protocol = "http"; 187 | }; 188 | }; 189 | }; 190 | }; 191 | }; 192 | }; 193 | 194 | security = { 195 | auditd.enable = false; 196 | audit.enable = false; 197 | }; 198 | 199 | shawn8901 = { 200 | postgresql.enable = true; 201 | server.enable = true; 202 | }; 203 | } 204 | -------------------------------------------------------------------------------- /machines/pointjig/hardware.nix: -------------------------------------------------------------------------------- 1 | { pkgs, modulesPath, ... 
}: 2 | { 3 | imports = [ 4 | (modulesPath + "/profiles/qemu-guest.nix") 5 | (modulesPath + "/profiles/minimal.nix") 6 | ]; 7 | 8 | boot = { 9 | initrd.availableKernelModules = [ 10 | "uhci_hcd" 11 | "ehci_pci" 12 | "ahci" 13 | "sd_mod" 14 | "sr_mod" 15 | ]; 16 | kernelPackages = pkgs.linuxPackages; 17 | kernelParams = [ "memhp_default_state=online" ]; 18 | loader.grub = { 19 | enable = true; 20 | device = "/dev/sda"; 21 | }; 22 | }; 23 | 24 | fileSystems."/" = { 25 | device = "/dev/disk/by-uuid/03dd5cae-8689-4b89-9c73-854ba799f2fd"; 26 | fsType = "ext4"; 27 | }; 28 | 29 | fileSystems."/boot" = { 30 | device = "/dev/disk/by-uuid/E588-9EBB"; 31 | fsType = "vfat"; 32 | }; 33 | 34 | swapDevices = [ { device = "/dev/disk/by-uuid/d9ea5a2c-63a9-4ec3-9168-977a6898c722"; } ]; 35 | 36 | hardware.cpu.intel.updateMicrocode = true; 37 | } 38 | -------------------------------------------------------------------------------- /machines/pointjig/secrets.yaml: -------------------------------------------------------------------------------- 1 | stalwart-env: ENC[AES256_GCM,data:McPd+Vxoa2uqNobRPhS9aELs6hIPcYK3nC34+at318pX1TrUbWM2YZpztomhowD8e2vAgha0pIqxvMjVFJuVW0X3pdAZl4joVl/TYcWcBjIwQemGKsm0ZcQobrXIM5QUg2l7E1VrHujg8OHXgRK9phTE8T++qy94dSpO3ZsUufISRLf0xyM0iXQNMe+ipgw2YnfXXZbj8GyCtdn5zWRLSqob0HpfurgYXlMNTQ==,iv:iHaWNYtD6gVAXlmLhd/9rD0hkfg2AfqHFwGfliM0QIk=,tag:nhQLUBn8tTdUSh4/wa3XOg==,type:str] 2 | sms-technical-passwd: ENC[AES256_GCM,data:tHTF5y2ttZ1tCLZm8hqBmQaEdLiOQiZw21BDq/4MzC4gP10Fh3lwrGFJka6wrLQ53hOT0doEy+2dryEC,iv:AqwD1lUXej9BHd5dIQg6mvAATtZgbsC/q5JWelVxLKQ=,tag:Hvsk0be4SiVyXTTC/pW05A==,type:str] 3 | sms-shawn-passwd: ENC[AES256_GCM,data:7JUTbdzsk20G6yfyODP7IS/u7v2syEfoGNub19LpulnfqwEbKrrxKteVtuXX8sGti8qw2vbIBQHEW9gX,iv:EQidFFdE7mFAqZZkx48YboQbQ4FGIFS4De2r4k7Pq1Y=,tag:QD0+PCEJE5y72ydq4cqPxw==,type:str] 4 | mimir-env: 
ENC[AES256_GCM,data:Oa4PCTMTqHqSO1vBdCpAj7iBGZKC3To4bo6aMtJ05Ikjo/kO6a9CilNpKkIVjzA5Fe1zSupI08lE+arWBhc1G+E00c5GrT6/DZdtv+NKrAI4Z+BOKHldagqKEmAXu/k61yZXLimZvntm2uxHF288PtH8vUsJ/YRNbvJ38kMvaKYLpy/kwT5eayk4/Si+nP2/zI+IqUmV4l4EIyTWX2k1EuHWuwb0J635YLPYyL8wXGaudvfxMbc8dsI3pDAA04BEYolCXUmTgIhelQY666ZDvbZiU5i/TTTL+DFUg5TNYqYbeelOqqDhcqg9/aViRfD/U2C5yMJHFNNg5NLvdOLZJ1WUtgH+ODS8hCYlG7PwiYmYZ6yrr8qjSuMt9Aj3v68zjTtTJZC3hbOeTfG17cZyvww4NjQJicNWlojOR/zhsNSukG13hL5JleZpjoZ2LCgZcAOUcdVRj5429lEjQ/L51Qeb5u9JdAr7ceZHIduWCL3jMEFodZsNqQbwnSJaqOuFqyJhXXKiy4Rq2RHF3vAiOJ9Dp71/gVoI1s0zxFBmNWsNZN6Zlfj+I5tiAJbw6otoSJuH7/hr7r6OR5Dfrqzv3A1Iq6s=,iv:ygllL+k0wB4dSMsdwLYHbQVo4qoza8UMFjcFJiDFIpU=,tag:uZDy+WMC1SvlWVsupdzO3Q==,type:str] 5 | stfc-env: ENC[AES256_GCM,data:AkjeTRqWuc02kupEDQbIsLHP0R0Vd2CeaO4Hrdu9+c8f5CIH554SV6ucZTrQBWAw774tQRgHpm5f8xUU5e/uwI0AQEOWndkJXpym0cXzVmTbrOqYuWh20UuTsfcM+SzqNJ8Iy2G+RMbF9DVZK3+hk7SyDSglPwg7O4EX7liCSas2vzcUfneoFIOjKNPgtr9ygbZJacD8u2p6kj/L9WFY6CWMj1ZvsI+FbEbLFdyQsZzci3lXt1WVeCELE2e/JaXevvvQ9lNutHqKbqXXcRkoWaQgQHovEY8CJDB0CayghcUEdWh4FGBVgaJdYQ0zMBQXFmBg0N8rFZx/hVVB6F/NLAqfdEdtGtmUZ0j40A2iAjZsnPYGLL+A59/xCYe8COH4AN8FCk86,iv:NXuIyXDW3dscN+TjPo9yV87oDiLxzmxUULz4FXCiPwQ=,tag:vxfg+qI3iC6W+je/A1xkKw==,type:str] 6 | sops: 7 | kms: [] 8 | gcp_kms: [] 9 | azure_kv: [] 10 | hc_vault: [] 11 | age: 12 | - recipient: age1q5mka3zt3w0w4nqzlmdm5pwf3ktxnjf87qcdjjxdednsanryry2scfzh93 13 | enc: | 14 | -----BEGIN AGE ENCRYPTED FILE----- 15 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzTDBlZEE3UWl0bUN4emtZ 16 | NG9PZFo3R1J0dTdTclkxQmFLZjE1OHlIYTJZCk5kSC92V0s3bVpDQmtOc0ZVWXR5 17 | QjE5ZzEwUTNRL0hUbmY5aTZjTmV5clkKLS0tIDdsd2xKRXh6WWxabnZ6SUx1L2Rr 18 | UUN4Szg2cGxFRmphTlY2MjhVbHVhKzgK7Ifm47bbt1uL6eZ4OIoJ7ba1joLZa238 19 | ztey2qOwC7LD0rfsZwJlLvw8nHcGuuDhvMlZ4TYuIFLwtxmBV8nWrA== 20 | -----END AGE ENCRYPTED FILE----- 21 | - recipient: age1wlznz542ulyhjvp9zxe57z5rgy738wt6ygy6qsgjyavl5e9vcd0q27mu3n 22 | enc: | 23 | -----BEGIN AGE ENCRYPTED FILE----- 24 | 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvK0pFUjY3ZmV4NUQyQVJG 25 | Yk9KREc0ZTFweGE1OENSWmFQUXd4c3FVNlZnCmYxV3dzL2Q4MzRWcHBQZFVuUFpB 26 | WnJMWUFKWmtYNTVnOE5sUHJYUHhaREEKLS0tIGNKcHBLOG9UMS9FbE16UkxXNUEz 27 | WkRWSXhwY1FYcTRJNzduOWdFWGREUHMKozCZLoPlY7L4LILCgGSvcBtgViypI6Pt 28 | xiWZD5exPrapqZ+8TXAj2q2hgV3134u+bAX/bXMLdyHl88yxgWMxAg== 29 | -----END AGE ENCRYPTED FILE----- 30 | lastmodified: "2024-10-14T21:35:01Z" 31 | mac: ENC[AES256_GCM,data:XbJ8hryNVJC3jKxgReyAlOuEIsJjAzMRmSLJIzfQ8kff6vgdnrrD/JX+cdqWZA5NDzvGUwtGLImWkNY7JEHFNwT3kR9BDoOXjvKESkpXat5EAKhTG8TRkXiQ5fM21earl64j6q4qOcwdGpy0E7P2HBmU+6+BIEfprQimUp2SA0E=,iv:7vmJmroCrMPn3tFaaHmTfYa2QbSYjaSdSCxKGhjXI70=,tag:oNFl6OOyGG7Mx7DvAS8HJw==,type:str] 32 | pgp: [] 33 | unencrypted_suffix: _unencrypted 34 | version: 3.9.1 35 | -------------------------------------------------------------------------------- /machines/shelter/configuration.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | flakeConfig, 4 | inputs', 5 | modulesPath, 6 | lib, 7 | ... 
8 | }: 9 | let 10 | uPkgs = inputs'.nixpkgs.legacyPackages; 11 | 12 | inherit (config.sops) secrets; 13 | in 14 | { 15 | 16 | imports = [ 17 | "${modulesPath}/profiles/headless.nix" 18 | # raise error with disko about missing /proc/mounts 19 | #"${modulesPath}/profiles/perlless.nix" 20 | ./disko-config.nix 21 | ]; 22 | # We dont build fully perlless yet 23 | system.forbiddenDependenciesRegexes = lib.mkForce [ ]; 24 | 25 | disko.devices.disk.main.device = "/dev/vda"; 26 | 27 | sops.secrets = { 28 | zrepl = { }; 29 | }; 30 | 31 | networking.firewall = { 32 | allowedTCPPorts = flakeConfig.shawn8901.zrepl.servePorts config.services.zrepl; 33 | }; 34 | 35 | systemd = { 36 | network = { 37 | enable = true; 38 | networks = { 39 | "20-wired" = { 40 | matchConfig.Name = "ens3"; 41 | networkConfig = { 42 | Address = [ 43 | "78.128.127.235/25" 44 | "2a01:8740:1:e4::2cd3/64" 45 | ]; 46 | DNS = "8.8.8.8"; 47 | Gateway = "78.128.127.129"; 48 | }; 49 | routes = [ 50 | { 51 | Gateway = "2a01:8740:0001:0000:0000:0000:0000:0001"; 52 | GatewayOnLink = "yes"; 53 | } 54 | ]; 55 | }; 56 | }; 57 | wait-online.anyInterface = true; 58 | }; 59 | }; 60 | 61 | services = { 62 | zfs.autoScrub = { 63 | enable = true; 64 | pools = [ "zbackup" ]; 65 | }; 66 | zrepl = { 67 | enable = true; 68 | package = uPkgs.zrepl; 69 | settings = { 70 | global = { 71 | monitoring = [ 72 | { 73 | type = "prometheus"; 74 | listen = ":9811"; 75 | listen_freebind = true; 76 | } 77 | ]; 78 | }; 79 | jobs = [ 80 | { 81 | name = "ztank_sink"; 82 | type = "sink"; 83 | root_fs = "zbackup/replica"; 84 | serve = { 85 | type = "tls"; 86 | listen = ":8888"; 87 | ca = ../../files/public_certs/zrepl/tank.crt; 88 | cert = ../../files/public_certs/zrepl/shelter.crt; 89 | key = secrets.zrepl.path; 90 | client_cns = [ "tank" ]; 91 | }; 92 | recv = { 93 | placeholder = { 94 | encryption = "inherit"; 95 | }; 96 | }; 97 | } 98 | ]; 99 | }; 100 | }; 101 | }; 102 | security = { 103 | auditd.enable = false; 104 | audit.enable = false; 
105 | }; 106 | 107 | shawn8901.server.enable = true; 108 | } 109 | -------------------------------------------------------------------------------- /machines/shelter/disko-config.nix: -------------------------------------------------------------------------------- 1 | { 2 | disko.devices = { 3 | disk = { 4 | main = { 5 | type = "disk"; 6 | content = { 7 | type = "gpt"; 8 | partitions = { 9 | boot = { 10 | size = "1M"; 11 | type = "EF02"; # for grub MBR 12 | priority = 1; 13 | }; 14 | root = { 15 | size = "44G"; 16 | label = "ROOTFS"; 17 | content = { 18 | type = "filesystem"; 19 | format = "ext4"; 20 | mountpoint = "/"; 21 | }; 22 | }; 23 | swap = { 24 | size = "6G"; 25 | label = "SWAP"; 26 | content = { 27 | type = "swap"; 28 | discardPolicy = "both"; 29 | }; 30 | }; 31 | 32 | zfs = { 33 | size = "100%"; 34 | content = { 35 | type = "zfs"; 36 | pool = "zbackup"; 37 | }; 38 | }; 39 | }; 40 | }; 41 | }; 42 | }; 43 | zpool = { 44 | zbackup = { 45 | type = "zpool"; 46 | rootFsOptions = { 47 | acltype = "posixacl"; 48 | atime = "off"; 49 | mountpoint = "none"; 50 | xattr = "sa"; 51 | }; 52 | options.ashift = "12"; 53 | datasets = { 54 | "replica" = { 55 | type = "zfs_fs"; 56 | options.mountpoint = "none"; 57 | }; 58 | }; 59 | }; 60 | }; 61 | }; 62 | } 63 | -------------------------------------------------------------------------------- /machines/shelter/hardware.nix: -------------------------------------------------------------------------------- 1 | { pkgs, modulesPath, ... 
}: 2 | { 3 | imports = [ 4 | (modulesPath + "/profiles/qemu-guest.nix") 5 | (modulesPath + "/profiles/minimal.nix") 6 | ]; 7 | 8 | boot = { 9 | initrd.availableKernelModules = [ 10 | "ata_piix" 11 | "uhci_hcd" 12 | "virtio_pci" 13 | "sr_mod" 14 | "virtio_blk" 15 | ]; 16 | kernelPackages = pkgs.linuxPackages; 17 | zfs = { 18 | devNodes = "/dev/"; 19 | extraPools = [ "zbackup" ]; 20 | requestEncryptionCredentials = false; 21 | }; 22 | extraModprobeConfig = '' 23 | options zfs zfs_arc_max=134217728 24 | ''; 25 | supportedFilesystems = [ "zfs" ]; 26 | loader.grub.enable = true; 27 | }; 28 | 29 | hardware.cpu.intel.updateMicrocode = true; 30 | } 31 | -------------------------------------------------------------------------------- /machines/shelter/secrets.yaml: -------------------------------------------------------------------------------- 1 | zrepl: ENC[AES256_GCM,data:ORGdSycxDOn7ox/75icApqnWyLj8g8e/R43L3/me6l22GoKWzb3OTc7o8vyjPwkKQSKT7H6XVJGmI07qFmiN57Gv07LFJ1DFPmh04d7MpgcaSc0E2+Wi7fmwVg+4HTR9/5gMVyILaS0HokcJRjIJwx6QBLgDP1+DlgU7m65cNgKv9DEKUatlh5F271d6AVxoKHI3QINm4BEKHnPQp0T5cmQcR0mVaSoi7MK6d2KLcWjR6//Rvz0qSu+PCzcdN/u5yMlfmn1oLf9MUCIkCJigVV5hU4g1s16Nb3HIuyh37nBLcg0UK3IZcywMVuRlWWibSqhwJajCpQPlrC2gOOTdry5C/mMKkeXJBPpVc1RCX2MDOdpwc9xSwHRErDklthTcu5fShFUdaL+miCdfr0+EBvJ2bXQodTgjysn2CtZL+7feex306ZaXpkfY/XkE/mCD/MTVm3zxq8zevOSLW2Dl9NNtIc9GHBwA4o5ERFTM3Qaf/VhabkJRd1a/C37zfhOV6tv8EVHh7T6qXyR+T4/Z/9riUdD8bsJq+9oHGaCyWY2uIMVNZ6pjAY/d45zGT39c3rtQ3CuiSQKmVJ45mfIth6as67w6la9LZiUZ0mv3fmL+ozxzLUcBZd+nio59T9UeXXlZk0GlmMtxMOZZ11RC4JE7PQBiA4W/bTxg+zpRf9VOixAQfsDSl5uOQv75ZH7jnmF/ZRVMkb4osvFdxfA6Fv7G8PhgX8JV/EliLx+ydCOMXZ5n7hgmhcpQd4AhBYHO2Df1QisTfx8quWZeO9z8YwPX6MvlIfjrCg+XFLhVY9DXenwz/SPuEPe1T9e46zBz4Hcynyqaqg0s0x/RA00nemQRBLvQmWsJ4KaWtbqyEpooZOgqyEzKOrXljQnZChRYmqgisgO6cKQ63nd94aJAosKoeP1OqUetvI54KwwMe1D8MoGdt2VClJgXVgtodm/wbJl3vPxUb5wvGe8A6TeyokL1W/Kp0kQl5dkPjLZXtoMFW/z6QKaIv9ZUEzR5bNhq5JCKzGQX+Q1vQFMK9+2R+toW2lb0Ch7EdJA3QBePCLbUl06TjE4bptDn6jvWZG57I2SkoY+L151Hcw5yfzLthUCgsHgSDwJiB
c4BouX03RyQDfk6M4SA4lXwRMI+cZEdYlMZR72hhZ5l6qxdKZGKT+uCShxY3tI/HN9qQay417VUFAo/MRVQAJp6X/YGg/xGSbaP3qg5bb/9VmWf4T/0IncFJPaCRfFXmzrB6srzkbTqIq96PkPj4tx2ItWVZcO2U39TBMHDtimQBYG9tYHRQqqn6Ukx2WmVFgABwIJ5MeEAx8c1pCg6oN+dlshAgWllIuSJOd+dSivtXwqW9AYrwpZ2rRDu4OGN1PoS6x8s52EeDfp7/kEKtgqzpCb1J81+fFsP1+Q8okTbic7f2uPMjPNb0vZxP8DS1xUGJWFtDAtX+KNoi8YveHDIaQrHRJ7A0fMTocGEc0xeHCJjNvEMhQk+z/cmFHzdVuRut18FGqkznGjNTfd7LQ2FgIc95PvwPU3LvgaLXC+PzgNP9qwHM5YzY31WLVOiruNWNYlVPzMampM7ciIPeiuHdh+g2K83uSTlItjA7EChj0qq9t61CASE/vraG52oQamTpUJnE18ShlRZHzv1UisD+b/iadIFYHJ1HxMx1HAlHOdRxUhDE87fc6Ttsj+TR8ThW8CoHmDsnlzd6eTjaYdVpIA9WbL2oMODAibAnKx8W85lN6Q17ACMagbyiRETv2olnsZWjF1DKRpBpkTiknQIbftm12XouWeLmbnnTgRCtcdKofWa07E0OSriGNldmcXwsDsi0ZXe4Bqz2h/lN91Pg46wCgykB9h0Tl/bpYFVCGgBOHuhyDWJ3iRi8tgXNdlD1BpZ7WKdffDQtQ8dB7tRZ1GjxQLJM1xMmmoDUKxgEQDBE6CvM7WYtcG8S1cRJfnilMORgjykqFmn66Z8Jd9hX5jK8EB8VMCd2ALXH6YZhVD8PJrp9FTu2UgVXCM+jOOsQyyNm9nqk2n3zy8PfqPVWOc4UdsYzSfsyn6I05cqFxB48PXxY+aytdPuNUpq1vTlG6ZzjiKTAGMYGuMbuHyEse4rZzrq8gu4PcHCWBWBDQyhLsrfEOnelr/MWI6NluGW3jV6a8HOgcz11NBday120577Dr3ibIjBIpSjtdGZF9EYm2IauUT6sT1z3J0S+xv5n/1YqY5/CueXnKQtGrvilOz1aPJQXhf9ewpgDEr1kiPSdBurKnQAvH2XtnGQ0anwNItDbKsC6cF8IdsGHQMMako4L+bdw1/Y4MWYTL1bhljJWkst6JEHpAIh93r3bs6c7szgg8/lvP77M88GSImhx3PtwcVKkGcykqkME4XybtuCGpOMPorBPgF66YZimKJHs+d4fEv4KgVGldxDWrwWN4ba8Zdt2oZlO2L3OKWAJj+N1LddNqXK+Y+e5l8Fx6eNZbHBhYtDo45czk5U5xNuJdNLXUg8z4CdcYa3Uo7fJZ/rmN+v8HSl9DuKTmbIFmeBhit7GdghhS4BS7r0QiWPTonLTB1v9erpI9S8Nqt4tH0lFrJAN3SQwyE6JZpuUMGjn30bmQOYFGgl0BEEZsFukCVJl5ve2g0FYLc5Sz8GU7j+I5GNkfJ/2z7vJOcJLjgj1TvpsglL82LaShEV9NEYbyqQKtAKFo6szELNeu/fQDwxjHqPPvy09sNYp+A+fCRIC/k7X8E/2fhHaJ8NAC7bAwIgA0aOy3ryq7mPVAE20xc5YRdocpwLtx3zLZJiXoLbaRt0tcFWuKO/+iNoyl7CPhzjP/lwYfJWcQ9tOkztfLHMqr4XH+NG5NsOIXKQViSCwlLP4+W5HIVdCPyKTv6getQVP4XnYWQ5n0qN/e5CQ/nZm3yEwPyFA8B+mFPsRtF4qIzMtLWpXah1Q/vCpcRyKEFcovut00wG+gVx9E3kDZNoVv3+cK4++IeDy6bH1iwW1Fb88WZixLzcJUNcTLgXGK7wdacZqKAfDJlpM0bIELOySF0BNjs2uDgyPM03+Y7BC2UMWvlz3ICyHpGzPzHb6XN34BFoipz7ylTPj5w06/dmRkfreVLRD7cBoup7u9gUxC4ZevGh9C0E0
f1IEh39ULdgMTIi08vxlAcduUURotyZ+NqnPMpTfwhcGZwNWCgEtD5qtLizFvAvh/uL3MoD18Oush8a6occdq1n0p2TRTiX7q8hNA4D9eRXrYyJVf95v/klq8FY1V37AFGAKMcldQmxyoXcp7jNPxiWiOIrNrcf3kyGlfqQw6PlzBDE8roKEaCFK1PBkmjVp4w0bL7mcQ0rFJc2NVjQwUQrqul/iLnFsp4wAGAp6bcCu6uO99CbDMMmfkRdfrMVNx8q/3jFRu9pCx/8dlsRqhMquJHIAuVybcpDwy8SFuIbdkl+b6g4+AWCetR7Sq5euuOhZQkUDMt4N7b97MG+u2R9G7ZggPWWzpZZAbZdDsP1BLWo9tx+9DcGcxDQyhcfCNBZJXjs5vB76vp/6Q1g54i1dQA0SaZOgU2Go+afO92dtIabspGX42XyvDys9BiX0kC/MyYp5RhUbycCbzmX7D0C4LSwH8iUZaCBa5jnxHP70lLwktKBRclkwae2IhasnHIHuCnv3Rpatn3ZOsXhycmDSlP3aco5q9aQXD3Kyyx701cNVskwczXpdt/eAaL1kvlKtx+c4PHLuYky3VUDZX8g4ojezDUgowPuAqiVhj1oogfAA2OzMNc/AVlaM2purvknKtfbXtaJBaDngNvGoEqiA5JEIu/T/440hX99PG00SDHxqe4jE0k1JJ4Hshj1HPDuSFiFi9nwyY7gfSxy21On0Kz/jdvuNjJX9jf7TEI34X5zdyhiM1YYF3AlkYhuglLTSkqj4D/eZQXSd6jVGCChmwJnT72UoBebVCNOb0lUv8ieGXqZ1z7WDiHwMNvTpzWDtfvJEpkyx0M1/2LYeVtXb9wJ3pn363pNqr1J544ROqQO1CsZMNUyVGlkemqhn5s3GVuBswggVnbuMU56WFA9xXo+6xufy8v0LpuOZkszAhp3oG6Au3u/r8ApY8LG61v3FfpNAnKCeDGyNUeLetd6VuikErWF2SwVtFLhHCo8F5kLZxCAOi3OdiLL9jcelzKOZRuPLQsq6N+Y9jq82xZpue4WQYtnyIZRq/kUzWQrWLmnIXZ1hoIZAUtH2JNI3zhPoAnIgwliYcegGOFJKUqFVAr4IFD80wj/FoS7Ooa8l+Dx1RAXRPgdNYUfFTPyKSZpNG62hRfkDcuYpr60mKs9CZeS4yUDbrG1uhTxacxxx4lBbEH6+P1ht9PoeU8b2zVmYlSnAU19kBYy5kslwaNGNMk=,iv:k5oMAXsR4NhTx0v24CHBz774zLbJrvD2Sgw5hGlEPTs=,tag:31ej51Gfa85mry7gXzcnCw==,type:str] 2 | sops: 3 | kms: [] 4 | gcp_kms: [] 5 | azure_kv: [] 6 | hc_vault: [] 7 | age: 8 | - recipient: age1q5mka3zt3w0w4nqzlmdm5pwf3ktxnjf87qcdjjxdednsanryry2scfzh93 9 | enc: | 10 | -----BEGIN AGE ENCRYPTED FILE----- 11 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJMDBiU1Mzb0E0RVdhVUdG 12 | OHhGaEVzbDVMdmtrRzU4NWFxbnptOHRpLzJZCmkwdlVuWjNIUGpEb0tqbFc2ckFa 13 | cTdGTDFHajl1YUkyZm1pT0gxaWUzUHMKLS0tIG9kT290VUt3TEhDaXVHN25XVHdZ 14 | QmJMMWxvV2ROODlpZG8rUFFkejgwTG8Kai/zPWP/riIChZH10ccArM4ifWuCV0Ar 15 | YXvHcXesvrQF2EBT7VD4d0tlRlX2FEsPyQ1mAf79g66jSUsBKmVjPQ== 16 | -----END AGE ENCRYPTED FILE----- 17 | - recipient: 
age1qx60k4ft2lvs9qa3s0xqhpkdf26zdc8yw4vr7a7424ta9mcq9g8qrseqv3 18 | enc: | 19 | -----BEGIN AGE ENCRYPTED FILE----- 20 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxdm15UUZmSXo5cTlPUXNv 21 | bml1dmFXRm9YTDRNWDY4NGpVRk1FaktzaFFRCkhkYURwVmQrMDhWbUJDWWd0OXdF 22 | UDd3dkFyaE9aRFFybndFbGErOWZRalUKLS0tIHJ5RE5kVUI2bHhicDRnU0NVaHBh 23 | N2l6enh3YzhuSm5uaTV4QlBwYWF4T0UKLjyLtfpfurit/Uyjlb/rUo2/mOyULr5o 24 | dS19tN6YQBxbB8JtiRWuA1yMjxiKLmmthAsI1ra2o2+cFx8f2tjcGw== 25 | -----END AGE ENCRYPTED FILE----- 26 | lastmodified: "2024-12-11T18:17:08Z" 27 | mac: ENC[AES256_GCM,data:jCSNR1jeYA/8H/NSKCG3gGQQXHUnI5oCEYWA0w8oCR7ps44vuo8NYBGtUOaPr2p0s4ETjLOCxgpAnRp1gRh5zPYHjFJELcxS/m7GmiDkS37N+fSWdk5JKJsILvtNdaUz11XLKUIFiNUfC1FJEaZeyPd2DHI6Q1j8fsyMnkVy74Y=,iv:sEbqbcoG+FPlSZZN84YVltswSRSbqrOwNtkBEicgXNM=,tag:+LNyiLFgiDkpKN6Qz1ZyXg==,type:str] 28 | pgp: [] 29 | unencrypted_suffix: _unencrypted 30 | version: 3.9.1 31 | -------------------------------------------------------------------------------- /machines/tank/hardware.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | pkgs, 4 | modulesPath, 5 | ... 
6 | }: 7 | let 8 | zfsOptions = [ 9 | "zfsutil" 10 | "X-mount.mkdir" 11 | ]; 12 | in 13 | { 14 | imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; 15 | 16 | nix.settings.system-features = [ 17 | "gccarch-x86-64-v3" 18 | "benchmark" 19 | "big-parallel" 20 | "kvm" 21 | "nixos-test" 22 | ]; 23 | 24 | boot = { 25 | initrd = { 26 | availableKernelModules = [ 27 | "ahci" 28 | "xhci_pci" 29 | "nvme" 30 | "usbhid" 31 | "usb_storage" 32 | "sd_mod" 33 | "sr_mod" 34 | ]; 35 | systemd.enable = true; 36 | }; 37 | kernelModules = [ 38 | "kvm-intel" 39 | "cifs" 40 | ]; 41 | kernelPackages = pkgs.linuxPackages; 42 | extraModulePackages = with config.boot.kernelPackages; [ it87 ]; 43 | extraModprobeConfig = '' 44 | options zfs zfs_arc_max=2147483648 45 | options it87 ignore_resource_conflict=1 force_id=0x862 46 | ''; 47 | 48 | supportedFilesystems = [ 49 | "zfs" 50 | "ntfs" 51 | ]; 52 | zfs = { 53 | devNodes = "/dev/disk/by-id"; 54 | requestEncryptionCredentials = [ "ztank" ]; 55 | extraPools = [ "ztank" ]; 56 | }; 57 | 58 | loader = { 59 | systemd-boot.enable = true; 60 | efi.canTouchEfiVariables = true; 61 | }; 62 | tmp.useTmpfs = false; 63 | }; 64 | 65 | fileSystems = { 66 | "/" = { 67 | device = "rpool/local/root"; 68 | fsType = "zfs"; 69 | options = zfsOptions; 70 | }; 71 | 72 | "/nix" = { 73 | device = "rpool/local/nix"; 74 | fsType = "zfs"; 75 | options = zfsOptions; 76 | }; 77 | 78 | "/persist" = { 79 | device = "rpool/safe/persist"; 80 | fsType = "zfs"; 81 | options = zfsOptions; 82 | neededForBoot = true; 83 | }; 84 | "/var/log" = { 85 | device = "rpool/local/log"; 86 | fsType = "zfs"; 87 | options = zfsOptions; 88 | neededForBoot = true; 89 | }; 90 | "/boot" = { 91 | device = "/dev/disk/by-uuid/605D-0B3B"; 92 | fsType = "vfat"; 93 | options = [ 94 | "x-systemd.idle-timeout=1min" 95 | "x-systemd.automount" 96 | "noauto" 97 | ]; 98 | }; 99 | }; 100 | 101 | swapDevices = [ { device = "/dev/disk/by-uuid/63c7d09e-c829-400d-904d-4753b89358ee"; } ]; 102 | 103 | 
hardware.cpu.intel.updateMicrocode = true; 104 | } 105 | -------------------------------------------------------------------------------- /machines/tank/impermanence.nix: -------------------------------------------------------------------------------- 1 | { config, ... }: 2 | { 3 | boot.initrd.systemd.services.initrd-rollback-root = { 4 | after = [ "zfs-import-rpool.service" ]; 5 | requires = [ "zfs-import-rpool.service" ]; 6 | before = [ "sysroot.mount" ]; 7 | wantedBy = [ "initrd.target" ]; 8 | description = "Rollback root fs"; 9 | serviceConfig = { 10 | Type = "oneshot"; 11 | ExecStart = "${config.boot.zfs.package}/sbin/zfs rollback -r rpool/local/root@blank"; 12 | }; 13 | }; 14 | 15 | security.sudo.extraConfig = '' 16 | Defaults lecture = never 17 | ''; 18 | 19 | environment.persistence."/persist" = { 20 | hideMounts = true; 21 | directories = [ 22 | "/var/lib/acme" 23 | "/var/lib/alsa" 24 | "/var/lib/attic" 25 | "/var/lib/fail2ban" 26 | "/var/lib/hydra" 27 | "/var/lib/immich" 28 | "/var/lib/nixos" 29 | "/var/lib/prometheus2" 30 | "/var/lib/samba" 31 | "/var/lib/stalwart-mail" 32 | "/var/lib/systemd" 33 | "/var/lib/vaultwarden" 34 | "/var/lib/vnstat" 35 | ]; 36 | files = [ "/etc/machine-id" ]; 37 | }; 38 | 39 | } 40 | -------------------------------------------------------------------------------- /machines/trivia-gs/configuration.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | pkgs, 4 | ... 
5 | }: 6 | let 7 | inherit (config.sops) secrets; 8 | mailHostname = "mail.trivia-gs.de"; 9 | in 10 | { 11 | sops.secrets = { 12 | root.neededForUsers = true; 13 | stalwart-env = { }; 14 | }; 15 | 16 | networking.firewall = { 17 | allowedUDPPorts = [ 443 ]; 18 | allowedTCPPorts = [ 19 | 80 20 | 443 21 | # Mail ports for stalwart 22 | 25 23 | 587 24 | 993 25 | 4190 26 | ]; 27 | }; 28 | 29 | systemd.network = { 30 | enable = true; 31 | networks = { 32 | "20-wired" = { 33 | matchConfig.Name = "enp6s18"; 34 | networkConfig = { 35 | Address = [ 36 | "134.255.226.117/28" 37 | "2a05:bec0:1:16::117/64" 38 | ]; 39 | DNS = "8.8.8.8"; 40 | Gateway = "134.255.226.113"; 41 | }; 42 | routes = [ 43 | { 44 | Gateway = "2a05:bec0:1:16::1"; 45 | GatewayOnLink = "yes"; 46 | } 47 | ]; 48 | }; 49 | }; 50 | wait-online.anyInterface = true; 51 | }; 52 | 53 | systemd.services.stalwart-mail.serviceConfig = { 54 | User = "stalwart-mail"; 55 | EnvironmentFile = [ secrets.stalwart-env.path ]; 56 | }; 57 | 58 | services = { 59 | fstrim.enable = true; 60 | postgresql = { 61 | settings = { 62 | track_activities = true; 63 | track_counts = true; 64 | track_io_timing = true; 65 | }; 66 | ensureDatabases = [ "stalwart-mail" ]; 67 | ensureUsers = [ 68 | { 69 | name = "stalwart-mail"; 70 | ensureDBOwnership = true; 71 | } 72 | ]; 73 | }; 74 | stalwart-mail = { 75 | enable = true; 76 | settings = { 77 | store.db = { 78 | type = "postgresql"; 79 | host = "localhost"; 80 | password = "%{env:POSTGRESQL_PASSWORD}%"; 81 | port = 5432; 82 | database = "stalwart-mail"; 83 | }; 84 | storage.blob = "db"; 85 | 86 | authentication.fallback-admin = { 87 | user = "admin"; 88 | secret = "%{env:FALLBACK_ADMIN_PASSWORD}%"; 89 | }; 90 | lookup.default.hostname = mailHostname; 91 | certificate.default = { 92 | private-key = "%{file:/var/lib/acme/${mailHostname}/key.pem}%"; 93 | cert = "%{file:/var/lib/acme/${mailHostname}/cert.pem}%"; 94 | default = true; 95 | }; 96 | server = { 97 | http.use-x-forwarded = true; 98 | 
tls.enable = true; 99 | listener = { 100 | "smtp" = { 101 | bind = [ "[::]:25" ]; 102 | protocol = "smtp"; 103 | }; 104 | "submission" = { 105 | bind = [ "[::]:587" ]; 106 | protocol = "smtp"; 107 | }; 108 | "imaptls" = { 109 | bind = [ "[::]:993" ]; 110 | protocol = "imap"; 111 | tls.implicit = true; 112 | }; 113 | "sieve" = { 114 | bind = [ "[::]:4190" ]; 115 | protocol = "managesieve"; 116 | }; 117 | "http" = { 118 | bind = [ "127.0.0.1:8080" ]; 119 | protocol = "http"; 120 | }; 121 | }; 122 | }; 123 | }; 124 | }; 125 | nginx = { 126 | enable = true; 127 | package = pkgs.nginxQuic; 128 | virtualHosts."trivia-gs.de" = { 129 | enableACME = true; 130 | forceSSL = true; 131 | globalRedirect = mailHostname; 132 | }; 133 | virtualHosts."${mailHostname}" = { 134 | serverName = "${mailHostname}"; 135 | forceSSL = true; 136 | enableACME = true; 137 | http3 = true; 138 | kTLS = true; 139 | locations."/" = { 140 | proxyPass = "http://localhost:8080"; 141 | recommendedProxySettings = true; 142 | }; 143 | }; 144 | }; 145 | }; 146 | 147 | security.acme.defaults.email = "barannikov.de@gmail.com"; 148 | 149 | users = { 150 | mutableUsers = false; 151 | users = { 152 | # So that we can read acme certificate from nginx 153 | stalwart-mail.extraGroups = [ "nginx" ]; 154 | root = { 155 | hashedPasswordFile = secrets.root.path; 156 | openssh.authorizedKeys.keys = [ 157 | "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMguHbKev03NMawY9MX6MEhRhd6+h2a/aPIOorgfB5oM shawn" 158 | ]; 159 | }; 160 | }; 161 | }; 162 | 163 | shawn8901 = { 164 | postgresql = { 165 | enable = true; 166 | package = pkgs.postgresql_16; 167 | dataDir = "/var/lib/postgresql/16"; 168 | }; 169 | server.enable = true; 170 | }; 171 | } 172 | -------------------------------------------------------------------------------- /machines/trivia-gs/hardware.nix: -------------------------------------------------------------------------------- 1 | { pkgs, modulesPath, ... 
}: 2 | { 3 | imports = [ 4 | (modulesPath + "/profiles/qemu-guest.nix") 5 | (modulesPath + "/profiles/minimal.nix") 6 | ]; 7 | 8 | boot = { 9 | initrd.availableKernelModules = [ 10 | "uhci_hcd" 11 | "ehci_pci" 12 | "ahci" 13 | "sd_mod" 14 | "sr_mod" 15 | ]; 16 | kernelPackages = pkgs.linuxPackages; 17 | kernelParams = [ "memhp_default_state=online" ]; 18 | loader.grub = { 19 | enable = true; 20 | device = "/dev/sda"; 21 | }; 22 | }; 23 | 24 | fileSystems."/" = { 25 | device = "/dev/disk/by-label/ROOT"; 26 | fsType = "ext4"; 27 | }; 28 | 29 | fileSystems."/boot" = { 30 | device = "/dev/disk/by-label/BOOT"; 31 | fsType = "vfat"; 32 | }; 33 | 34 | swapDevices = [ { device = "/dev/disk/by-label/SWAP"; } ]; 35 | 36 | hardware.cpu.intel.updateMicrocode = true; 37 | } 38 | -------------------------------------------------------------------------------- /machines/trivia-gs/secrets.yaml: -------------------------------------------------------------------------------- 1 | root: ENC[AES256_GCM,data:Yj9KJQyULip39sEk3JcluAWcgu6gmoeGATc3eMNVZ6jraqT6InDniusNi2yvDf8EMdaDTnYoPN/AAc1y92VUiy4UZ/NYNJF74kFHkwPf9oCVxZOLW4NyA8jsoIICJGqcAER/ykPePN/Swg==,iv:LvR9hTC6Nkj74xptz0Z7UBLcGtjH3InxeXjkWHZ5bOs=,tag:qQDUTQ75kAYz7BuZXw5VOg==,type:str] 2 | stalwart-env: ENC[AES256_GCM,data:ANvXJiOIphyhSvuQORmrV6URUAwuERUnHXkUBh28oLqSpxsJi4MM93kBVjGy7otq5LAuAnVnP7j8TBVQBwFgs2PhlsRK3uIi6SbCX7CI77iLwlW5vymdpb2QtGC8qnm0tCzGjGt/NJUh/vFiEh0tfcPStoVuH2OhisXsrBfR49CroUVt+m4cj9FhZyr0zqDyDEec0LgJMinZ0QlMpbGDYmdOZfOy8NKi1w1alA==,iv:0GCfe8hSaoFRMoSxE1YNFccwN8PXykPjdyNGBpWispU=,tag:p2AktUjdkJDsigFcsIbd3Q==,type:str] 3 | sops: 4 | kms: [] 5 | gcp_kms: [] 6 | azure_kv: [] 7 | hc_vault: [] 8 | age: 9 | - recipient: age1q5mka3zt3w0w4nqzlmdm5pwf3ktxnjf87qcdjjxdednsanryry2scfzh93 10 | enc: | 11 | -----BEGIN AGE ENCRYPTED FILE----- 12 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAveFdpclc0andDK1EvQTV3 13 | aFJaTWd4RURDRXdVa3p5Ri9uREdON2Juemg4CmtGdW1tMGRWVTVrRGFGYmFPZGJU 14 | 
RUhtYWRIK1FTOHA2V0xodzZ1aTRsODAKLS0tIHNieE1RbXlBMDJReUkzSEdyU0Uy 15 | MXljUDVTdWh6MmlSQXFlUlVrdzZheTAKxW7BsAs0vt4uVaYPVLUg4DyVj4Pt0n+G 16 | tkZeNz6Itw8xEqAf05vEFCm4/H6mHfzP2aSZU8bqxFa9X4OsttxejQ== 17 | -----END AGE ENCRYPTED FILE----- 18 | - recipient: age1q6kuyae4tgdgtjy7syfhkj5tlgpxtyf66kkulm7h5c74az3uu5rqwvgca5 19 | enc: | 20 | -----BEGIN AGE ENCRYPTED FILE----- 21 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBndXkzRy9rMHlrZStGdG1E 22 | b3h6R1NSZjdvTzYzVlkyc3VESTIxUXgzOUZNCnJ2SVpZT3N4REkrTzUyUStKNGNq 23 | T0M1MFY0eHNOWTViRG9ReWE4ZDJLZVUKLS0tIFFoMUFSMndLQzRwWXZUSzkxQ09r 24 | ZzA1bktsblNYRzZ6QitBdllQLy90bk0KPnH9Uz196X3W4WzQWDrYH37xGCCH5VTd 25 | DZV7xw2b8cmhNJxA9zXd7SgNkGLnQGL7hfPRfHbVP4kC/gIAflFY4Q== 26 | -----END AGE ENCRYPTED FILE----- 27 | lastmodified: "2024-12-27T23:00:01Z" 28 | mac: ENC[AES256_GCM,data:9nDagn1GKkLxxMjGHOkxzj1BhTVL3iitfjD0sqK2H0EKRBObXtrEf28qmsTSyeHlnDiwq0HfuCN4WghX/QSK2syBbkNlWPwTW3i9Wec+oq2knEL5T3tcYYPLc8bnvIgVcCMfr8bJMHeiwaHi4IdCk9ex4kqDgsXaKPFbrFb50h0=,iv:PFXW7xpwZt7moi/jdEhDWViLXzKFp4aoVJKst/UFIlE=,tag:ik3HVXGMWmQyyDPJoK8lUw==,type:str] 29 | pgp: [] 30 | unencrypted_suffix: _unencrypted 31 | version: 3.9.2 32 | -------------------------------------------------------------------------------- /machines/watchtower/attic-server.nix: -------------------------------------------------------------------------------- 1 | { 2 | pkgs, 3 | lib, 4 | config, 5 | ... 
6 | }: 7 | let 8 | inherit (lib) 9 | types 10 | mkEnableOption 11 | mkPackageOption 12 | mkOption 13 | mkDefault 14 | mkIf 15 | ; 16 | 17 | cfg = config.shawn8901.attic; 18 | in 19 | { 20 | options = { 21 | shawn8901.attic = { 22 | enable = mkEnableOption "Enables a preconfigured attic instance"; 23 | hostName = mkOption { 24 | type = types.str; 25 | description = "full qualified hostname of the attic instance"; 26 | }; 27 | package = mkPackageOption pkgs "attic-server" { }; 28 | environmentFile = mkOption { type = types.path; }; 29 | }; 30 | }; 31 | config = mkIf cfg.enable { 32 | networking.firewall = { 33 | allowedUDPPorts = [ 443 ]; 34 | allowedTCPPorts = [ 35 | 80 36 | 443 37 | ]; 38 | }; 39 | 40 | services = { 41 | nginx = { 42 | enable = mkDefault true; 43 | recommendedGzipSettings = true; 44 | recommendedOptimisation = true; 45 | recommendedTlsSettings = true; 46 | clientMaxBodySize = "2G"; 47 | virtualHosts = { 48 | "${cfg.hostName}" = { 49 | enableACME = true; 50 | forceSSL = true; 51 | http3 = false; 52 | http2 = false; 53 | kTLS = true; 54 | extraConfig = '' 55 | client_header_buffer_size 64k; 56 | ''; 57 | locations."/" = { 58 | proxyPass = "http://127.0.0.1:8080"; 59 | recommendedProxySettings = true; 60 | }; 61 | }; 62 | }; 63 | }; 64 | atticd = { 65 | inherit (cfg) package environmentFile; 66 | enable = true; 67 | settings = { 68 | database = { 69 | url = "postgresql:///atticd?host=/run/postgresql"; 70 | heartbeat = true; 71 | }; 72 | compression.type = "zstd"; 73 | garbage-collection = { 74 | interval = "12 hours"; 75 | default-retention-period = "1 months"; 76 | }; 77 | }; 78 | }; 79 | postgresql = { 80 | ensureDatabases = [ "atticd" ]; 81 | ensureUsers = [ 82 | { 83 | name = "atticd"; 84 | ensureDBOwnership = true; 85 | } 86 | ]; 87 | }; 88 | }; 89 | }; 90 | } 91 | -------------------------------------------------------------------------------- /machines/watchtower/configuration.nix: 
--------------------------------------------------------------------------------
# Host configuration for "watchtower": a headless VM that runs nginx, the attic
# binary cache, VictoriaMetrics + vmagent, Grafana and the Prometheus blackbox
# exporter. Only host-specific values live here; the services themselves are
# assembled by the shawn8901.* modules next to this file.
{
  inputs',
  config,
  pkgs,
  modulesPath,
  ...
}:
let
  inherit (config.sops) secrets;

  # Trimmed VictoriaMetrics build: only the server and vmagent binaries are used
  # on this host, so the optional tools are left out (smaller closure/surface).
  vmPackage = pkgs.victoriametrics.override {
    withBackupTools = false;
    withVmAlert = false;
    withVictoriaLogs = false;
    withVmctl = false;
    withVmAgent = true;
  };
in
{

  imports = [ "${modulesPath}/profiles/headless.nix" ];

  # sops-nix secrets for this host. `root` must exist before user creation
  # (it backs hashedPasswordFile below); grafana-env is readable by grafana.
  sops.secrets = {
    root = {
      neededForUsers = true;
    };
    attic-env = { };
    grafana-env = {
      owner = "grafana";
      group = "grafana";
    };
    victoriametrics = { };
  };

  networking = {
    # Fixed upstream resolvers (OpenDNS) rather than DHCP-supplied ones.
    nameservers = [
      "208.67.222.222"
      "208.67.220.220"
    ];
    domain = "";
    useDHCP = true;
  };
  systemd.network.wait-online.anyInterface = true;

  services = {
    nginx.package = pkgs.nginxQuic;
    vmagent = {
      package = vmPackage;
      # Samples are pushed to the local VictoriaMetrics over loopback.
      # NOTE(review): no remote-write credentials are configured here although the
      # VM instance below is basic-auth protected; presumably the private vmagent
      # module supplies them — confirm.
      remoteWrite.url = "http://${config.services.victoriametrics.listenAddress}/api/v1/write";
      prometheusConfig.scrape_configs = [
        {
          # The exporter's own metrics.
          job_name = "blackbox_exporter";
          static_configs = [
            {
              targets = [ "localhost:${toString config.services.prometheus.exporters.blackbox.port}" ];
            }
          ];
        }
        {
          # Standard blackbox relabeling: the listed URL becomes the `target`
          # query parameter and the scrape itself is sent to the local exporter.
          job_name = "blackbox";
          metrics_path = "/probe";
          params.module = [ "http_2xx" ];
          static_configs = [
            {
              targets = [
                "https://sapsrv01.clansap.org:8006"
                "https://sapsrv02.clansap.org:8006"
              ];
            }
          ];
          relabel_configs = [
            {
              source_labels = [ "__address__" ];
              target_label = "__param_target";
            }
            {
              source_labels = [ "__param_target" ];
              target_label = "target";
            }
            {
              replacement = "127.0.0.1:${toString config.services.prometheus.exporters.blackbox.port}";
              target_label = "__address__";
            }
          ];
        }
      ];
    };
    prometheus = {
      # NOTE(review): this enables the Prometheus server itself, not only the
      # exporter below; nothing in this file consumes it (vmagent writes to
      # VictoriaMetrics), so it may be unintended — confirm. Its port is not
      # opened in the firewall anywhere in this file.
      enable = true;
      exporters.blackbox = {
        enable = true;
        # Loopback only: the exporter is reachable just from vmagent on this host.
        listenAddress = "localhost";
        configFile = (pkgs.formats.yaml { }).generate "config.yml" {
          modules = {
            http_2xx = {
              prober = "http";
              http = {
                preferred_ip_protocol = "ip4";
              };
            };
          };
        };
      };
    };
  };

  # Declarative users only; root authenticates by key or the sops-managed hash.
  users.mutableUsers = false;
  users.users.root = {
    hashedPasswordFile = secrets.root.path;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMguHbKev03NMawY9MX6MEhRhd6+h2a/aPIOorgfB5oM"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGsHm9iUQIJVi/l1FTCIFwGxYhCOv23rkux6pMStL49N"
    ];
  };

  shawn8901 = {
    postgresql = {
      enable = true;
      package = pkgs.postgresql_16;
    };
    attic = {
      enable = true;
      hostName = "cache.pointjig.de";
      package = inputs'.nixpkgs.legacyPackages.attic-server;
      environmentFile = secrets.attic-env.path;
    };
    victoriametrics = {
      enable = true;
      hostname = "vm.pointjig.de";
      package = vmPackage;
      username = "vm";
      credentialsFile = secrets.victoriametrics.path;
    };
    grafana = {
      enable = true;
      hostname = "grafana.pointjig.de";
      credentialsFile = secrets.grafana-env.path;
      declarativePlugins = with pkgs.grafanaPlugins; [
        victoriametrics-logs-datasource
        victoriametrics-metrics-datasource
      ];
      datasources = [
        {
          name = "VictoriaMetrics Metrics";
          type = "victoriametrics-metrics-datasource";
          # Grafana -> VM stays on loopback; VM enforces basic auth (see below).
          url = "http://${config.services.victoriametrics.listenAddress}";
          basicAuth = true;
          # Duplicates `victoriametrics.username` above; keep the two in sync.
          basicAuthUser = "vm";
          isDefault = true;
          # Expanded by Grafana's provisioning from the grafana-env EnvironmentFile
          # (wired in grafana.nix); the value itself stays out of the Nix store.
          secureJsonData.basicAuthPassword = "$DATASOURCE_PASSWORD";
        }
      ];
      # Drops a previously provisioned datasource of that name (presumably the
      # pre-plugin one).
      deleteDatasources = [
        {
          name = "VictoriaMetrics";
          orgId = 1;
        }
      ];
    };
    server.enable = true;
  };
}
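-------------------------------------------------------------------------------- /machines/watchtower/grafana.nix: --------------------------------------------------------------------------------
# NixOS module: a preconfigured Grafana behind nginx (ACME TLS), backed by the
# local PostgreSQL, enabled and parameterised through `shawn8901.grafana.*`.
# All credentials are read from `credentialsFile` at service start via
# systemd's EnvironmentFile and referenced as $__env{...} in the settings, so
# none of them end up in the Nix store.
{ lib, config, ... }:
let
  inherit (lib)
    types
    mkEnableOption
    mkOption
    mkDefault
    mkIf
    ;

  cfg = config.shawn8901.grafana;
in
{
  options = {
    shawn8901.grafana = {
      enable = mkEnableOption "Enables a preconfigured grafana instance";
      hostname = mkOption {
        type = types.str;
        description = "full qualified hostname of the grafana instance";
      };
      credentialsFile = mkOption {
        type = types.path;
        description = "EnvironmentFile providing DB_PASSWORD, ADMIN_PASSWORD, SECRET_KEY, SMTP_PASSWORD and DISCORD_HOOK.";
      };
      # Defaults added: without them, enabling the module without explicitly
      # setting both lists aborted evaluation ("option used but not defined").
      datasources = mkOption {
        type = types.listOf types.raw;
        default = [ ];
        description = "Datasources to provision (passed through to services.grafana.provision.datasources).";
      };
      deleteDatasources = mkOption {
        type = types.listOf types.raw;
        default = [ ];
        description = "Provisioned datasources to remove (passed through to services.grafana.provision.datasources).";
      };
      declarativePlugins = mkOption {
        type = with types; nullOr (listOf path);
        default = null;
      };
      # Declared but not consumed anywhere in this module; kept so callers that
      # set it keep evaluating.
      settings = mkOption {
        type = types.attrs;
        description = "Currently unused; retained for backwards compatibility.";
      };
    };
  };
  config = mkIf cfg.enable {
    # Secrets are injected into the unit environment, not rendered into grafana.ini.
    systemd.services.grafana.serviceConfig.EnvironmentFile = [ cfg.credentialsFile ];
    networking.firewall = {
      allowedUDPPorts = [ 443 ];
      allowedTCPPorts = [
        80
        443
      ];
    };
    services = {
      nginx = {
        enable = mkDefault true;
        recommendedGzipSettings = true;
        recommendedOptimisation = true;
        recommendedTlsSettings = true;
        # Public TLS entry point; Grafana itself only listens on loopback.
        virtualHosts."${cfg.hostname}" = {
          enableACME = true;
          forceSSL = true;
          http3 = true;
          kTLS = true;
          locations."/" = {
            proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
            proxyWebsockets = true;
            recommendedProxySettings = true;
          };
        };
      };
      postgresql = {
        ensureDatabases = [ "${config.services.grafana.settings.database.name}" ];
        ensureUsers = [
          {
            name = "${config.services.grafana.settings.database.user}";
            ensureDBOwnership = true;
          }
        ];
      };
      grafana = {
        enable = true;
        inherit (cfg) declarativePlugins;
        settings = {
          server = {
            domain = cfg.hostname;
            # Loopback only; nginx above is the only way in.
            http_addr = "127.0.0.1";
            http_port = 3001;
            root_url = "https://${cfg.hostname}/";
            enable_gzip = true;
          };
          database = {
            type = "postgres";
            # Unix socket to the local PostgreSQL.
            host = "/run/postgresql";
            user = "grafana";
            password = "$__env{DB_PASSWORD}";
          };
          security = {
            admin_password = "$__env{ADMIN_PASSWORD}";
            secret_key = "$__env{SECRET_KEY}";
            # Consistent with the https-only root_url above.
            cookie_secure = true;
            content_security_policy = true;
          };
          smtp = {
            enabled = true;
            host = "mail.pointjig.de:465";
            user = "noreply@pointjig.de";
            password = "$__env{SMTP_PASSWORD}";
            from_address = "noreply@pointjig.de";
          };
          # No phone-home.
          analytics = {
            check_for_updates = false;
            reporting_enabled = false;
          };
        };
        provision = {
          enable = true;
          alerting.contactPoints.settings = {
            apiVersion = 1;
            contactPoints = [
              {
                orgId = 1;
                name = "HomeDiscord";
                receivers = [
                  {
                    uid = "b7e00da1-b9c7-4f72-bc95-1ef3e7e5b4cf";
                    type = "discord";
                    settings = {
                      # Webhook URL is a credential; comes from the EnvironmentFile.
                      url = "$__env{DISCORD_HOOK}";
                      use_discord_username = false;
                    };
                    disableResolveMessage = false;
                  }
                ];
              }
            ];
          };

          datasources.settings.datasources = cfg.datasources;
          datasources.settings.deleteDatasources = cfg.deleteDatasources;
        };
      };
    };
  };
}
-------------------------------------------------------------------------------- /machines/watchtower/hardware.nix: -------------------------------------------------------------------------------- 1 | { modulesPath, ...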
}: 2 | { 3 | imports = [ 4 | (modulesPath + "/profiles/qemu-guest.nix") 5 | (modulesPath + "/profiles/minimal.nix") 6 | ]; 7 | boot = { 8 | initrd.availableKernelModules = [ 9 | "xhci_pci" 10 | "virtio_pci" 11 | "virtio_scsi" 12 | "usbhid" 13 | ]; 14 | loader = { 15 | systemd-boot.enable = true; 16 | efi.canTouchEfiVariables = true; 17 | }; 18 | }; 19 | fileSystems = { 20 | "/" = { 21 | device = "/dev/sda2"; 22 | fsType = "ext4"; 23 | }; 24 | "/boot" = { 25 | device = "/dev/sda1"; 26 | fsType = "vfat"; 27 | }; 28 | }; 29 | } 30 | -------------------------------------------------------------------------------- /machines/watchtower/secrets.yaml: -------------------------------------------------------------------------------- 1 | root: ENC[AES256_GCM,data:SlxtCW+xuVe33l+DQQ0GrvrLem7zkWZgrGVFAf4n9n3a41+jKNLE2pADaM+Xo3Zir0naBA1QNMTnCi7MovIc40hLSRgHW/5bhGj1+AC4cU5HibRYfzRNeH4WSLwc0srRQC0WWIG+kL0V3A==,iv:ugD9oNMguI6pFnG+3VTfJKFuWHkSmusC+pTJnKC2tjo=,tag:CPC2CSpGjcvAmtRVMtozGw==,type:str] 2 | attic-env: ENC[AES256_GCM,data:DQjjBsf6wTqCBqybbk1l+X6N6HnS33i3ePnS3O/1V+ovxV4cCA+SrlnV1F/1CPa2x9VVHfwuXxC07YnEgspL+TN2Ljc=,iv:k/zCTJt9cws+/S3t3e4FJtRZ5iNdKdeNRSIxr81Utz4=,tag:N/gTG1kUtrEOMb22A2Nomw==,type:str] 3 | grafana-env: ENC[AES256_GCM,data:pAMWOMRcwzsjrr5xpFLNAPjOe7HFiypZgnuHOeMlBUVI3cEqVblbK0IF60Ez9cO8LcOux1+DFG5BOjyuX1QZFCw1ypuGijmR9STYTmLkht39OJ/33MbVYLiMYNvznHVEWCtA8jbiiHGHoiOsHOukWuy3zpcXGYdbAEI5M6Ho9VKftqprErDLwE86jKr7txa4c4HbMDZmiyalVozEwTMuNaV1Q0Iv7e3Qsx8uhHclkYNvubNGiAc5Ly5piYGuMk0PJLdIHBnJSC9L/yh7L1k+ohcmAZYDHfdUa8SZwlxM/p8TA6QET+o8RJj1Uo3VmWdbI5lpggzdLVikq/ozycAf8O/QQemmJA7ncnlA3lYb5mSxZZ+gvfa7K9tv7QjyoseDbSlP+bgPmkWvifsCgdr/Vb50XfKmnNl6BgTQC5HOfN73GKL12d/5wHx/e5cVUKDnK6snC/ZnjbyGST0/zuVl3AHRddseiNWUgif3GaeFEswZamM+JEagvvC7,iv:xXHxRLp3JRFTh7kj0wDd4DNKUCx62opSrVCRcOOd/6k=,tag:BkyfLjx6dcQQ44wYGPj9uQ==,type:str] 4 | victoriametrics: ENC[AES256_GCM,data:NOBarHkJdk/tLXRHSHOJ+sw=,iv:jskE0XL3eUu7wn/YhBH/HObw+aRQ1n20QhUE1a71n2w=,tag:5JhZAgyTAwfAYxJPmNBryQ==,type:str] 5 | 
sops: 6 | kms: [] 7 | gcp_kms: [] 8 | azure_kv: [] 9 | hc_vault: [] 10 | age: 11 | - recipient: age1q5mka3zt3w0w4nqzlmdm5pwf3ktxnjf87qcdjjxdednsanryry2scfzh93 12 | enc: | 13 | -----BEGIN AGE ENCRYPTED FILE----- 14 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlUWJBelM1WVFUa3ZzTEhm 15 | TEcyelkzNEZOeSt5eEREemZFbHE5L0tmaDJnCmw5WTN4cVdDMzRpUVEwZUJnMGtY 16 | WmE4RkNVNDJnQjhxN25EWVVybEovekkKLS0tIGt1WW13M0drMTJRK0ZZVGJTS3Vj 17 | ZGlGYmJpSDR3d0RFcGpHTUhyTmxhZTgKf4c6C65VFyla9m2TEZK/R1xw+frFeYy2 18 | cu/4TlTangyJUWrqZqkfC6VVxkuPUZHrW6cubw9RtHqiLA8sWepR6A== 19 | -----END AGE ENCRYPTED FILE----- 20 | - recipient: age1j8gtypmaguankjjftmmzavck9mwns03aq2wgm3j6nxwn9dg3xcgqmg450e 21 | enc: | 22 | -----BEGIN AGE ENCRYPTED FILE----- 23 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1STRpUG9lUXpMMmNZMHRn 24 | R04yY3grN2U5Y1VESTdQbzd1MTNacXZreG1RCnM2SlBERW5UWEdKejMyVWtqbDFN 25 | bFQ1MnhTcGZKMHhMazlLRitNUFRVcU0KLS0tIE5KVFpCU1JiM1RCbEIva2lzQXBL 26 | NnZzTUx3alUrbEIwVFNLYlVvQWFTTE0KkQZ3pjRRkC4vnBU/oOQ1p2ho4ctkIkvW 27 | nNo0DqnsZRsMECXCZi19RC1sDkKqccH4SdKeY0gYk0VIMIIjyXdcgA== 28 | -----END AGE ENCRYPTED FILE----- 29 | - recipient: age13gpwm947w05n65cz22pxyevml9sd80lq944d47glhw4lkvqulg4sqlccyq 30 | enc: | 31 | -----BEGIN AGE ENCRYPTED FILE----- 32 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3bWdZLzBoWUpHTXhKNzk3 33 | cVpzeFFsdUpkRDZzSHB1eHZoM1hYNTVLTmpjCjY5N3RXZUNaSExIVEUzVldHZmVC 34 | d1c4NXg3NjdiRStucTl5WmtmNDBKMncKLS0tIHp4ZmVQTVFBdnZhOHVmVnhWbFB3 35 | THdiV2RTODRrSUdqUzdkN2hCSjU2RG8KcJauJj7RejYYj0EaCICj32C+MuJ9gufF 36 | pqwLui45cPESjXDy29+Wti7VBLAimK2O4BU+DsMNjRTe24P8blHe4A== 37 | -----END AGE ENCRYPTED FILE----- 38 | lastmodified: "2025-01-06T16:27:50Z" 39 | mac: ENC[AES256_GCM,data:CyzMOo/+QLsjLUon7B2VWoIMATBM+nAV6pZfyRwdaetaJxL2Qoop7GNDEbX5CpidAAeAYvOT2LKZJpN5YlMXbq6yUjYQ4qtpUWctCIZK2piIfb20l77jMjV2apINECXnOyRdixVOJV2UPdvTMTwpCyoZcR6zJUCzfeciGsair5Y=,iv:HC3A0brqLMT9A2QcPXb/xSnkioVEqyC3fE7hZWmRlR0=,tag:sD2Q3vL1nXRyEG1C4rp24A==,type:str] 40 | pgp: [] 41 | unencrypted_suffix: _unencrypted 
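42 | version: 3.9.2 43 | -------------------------------------------------------------------------------- /machines/watchtower/victoriametrics.nix: --------------------------------------------------------------------------------
# NixOS module: a preconfigured single-node VictoriaMetrics behind nginx
# (ACME TLS), enabled and parameterised through `shawn8901.victoriametrics.*`.
# The VM process itself listens on loopback only and requires HTTP basic auth;
# nginx is the only public entry point.
#
# Unlike grafana.nix and attic-server.nix this module does not open 80/443 in
# the firewall itself; on a host where it is the only web-facing module the
# ports have to be opened elsewhere.
{
  pkgs,
  lib,
  config,
  ...
}:
let
  inherit (lib)
    types
    mkEnableOption
    mkPackageOption
    mkOption
    mkDefault
    mkIf
    ;

  cfg = config.shawn8901.victoriametrics;
in
{
  options = {
    shawn8901.victoriametrics = {
      enable = mkEnableOption "Enables a preconfigured victoria metrics instance";
      package = mkPackageOption pkgs "victoriametrics" { };
      hostname = mkOption {
        type = types.str;
        # Was "grafana instance" (copy/paste from grafana.nix).
        description = "full qualified hostname of the victoria metrics instance";
      };
      port = mkOption {
        # types.port instead of types.int: values outside 0-65535 are rejected
        # at evaluation time instead of failing at service start.
        type = types.port;
        default = 8427;
        description = "Loopback port VictoriaMetrics listens on; nginx proxies to it.";
      };
      username = mkOption {
        type = types.str;
        description = "HTTP basic-auth user name enforced by VictoriaMetrics.";
      };
      credentialsFile = mkOption {
        type = types.path;
        description = "File holding the basic-auth password (watchtower passes a sops secret path); handed to VictoriaMetrics as basicAuthPasswordFile.";
      };
      # Declared but not consumed anywhere in this module; kept so callers that
      # set it keep evaluating.
      datasources = mkOption {
        type = types.listOf types.raw;
        default = [ ];
        description = "Currently unused; retained for backwards compatibility.";
      };
    };
  };
  config = mkIf cfg.enable {
    services = {
      nginx = {
        enable = mkDefault true;
        recommendedGzipSettings = true;
        recommendedOptimisation = true;
        recommendedTlsSettings = true;
        virtualHosts."${cfg.hostname}" = {
          enableACME = true;
          forceSSL = true;
          http3 = true;
          kTLS = true;
          locations."/" = {
            # nginx -> VM stays on the host (see listenAddress below); access
            # control is VM's basic auth, nginx adds none of its own.
            proxyPass = "http://127.0.0.1:${toString cfg.port}";
            proxyWebsockets = true;
            recommendedProxySettings = true;
          };
        };
      };
      victoriametrics = {
        inherit (cfg) package;
        enable = true;
        retentionPeriod = "1y";
        # Loopback only; never exposed directly.
        listenAddress = "localhost:${toString cfg.port}";
        basicAuthUsername = cfg.username;
        basicAuthPasswordFile = cfg.credentialsFile;
        extraOptions = [
          "-selfScrapeInterval=10s"
          "-selfScrapeInstance=${config.networking.hostName}"
        ];
      };
    };
  };
}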
-------------------------------------------------------------------------------- /machines/zenbook/configuration.nix: --------------------------------------------------------------------------------
# Host configuration for "zenbook": an AMD laptop with ZFS root, impermanence
# (root rolled back at boot, state under /persist), KDE Plasma with autologin,
# and zrepl push replication of rpool/safe to the "tank" host.
{
  self,
  pkgs,
  lib,
  config,
  flakeConfig,
  ...
}:
let
  # Other hosts of this flake; used below to read tank's zrepl serve port.
  hosts = self.nixosConfigurations;
  inherit (config.sops) secrets;

  # Builds an allowUnfree predicate that accepts exactly the listed package
  # names (lib.getName strips the version from the derivation name).
  allowUnfreePredicate = pkgs: (pkg: lib.elem (lib.getName pkg) pkgs);
in
{
  nixpkgs.config.allowUnfreePredicate = allowUnfreePredicate [
    "steam"
    "steam-run"
    "steam-original"
    "steam-unwrapped"
    "vscode"
    "vscode-extension-MS-python-vscode-pylance"
    "vscode-extension-mhutchie-git-graph"
    "discord"
    "teamspeak-client"
    "teamspeak3"
    "tampermonkey"
    "betterttv"
  ];

  sops.secrets = {
    # zrepl client key; the service is restarted whenever the secret changes.
    zrepl.restartUnits = [ "zrepl.service" ];
    # Shared across desktop hosts, hence the separate secrets file.
    samba.sopsFile = ./../../files/secrets-desktop.yaml;
  };

  networking = {
    firewall = {
      logReversePathDrops = true;
      # Reverse-path filtering is switched off (presumably for VPN/asymmetric
      # routing — confirm). NOTE(review): with checkReversePath = false the
      # rpfilter chain is not generated, so logReversePathDrops above appears
      # to be a no-op.
      checkReversePath = false;
    };
    networkmanager = {
      enable = true;
      plugins = lib.mkForce [ ];
    };
    nftables.enable = true;
    dhcpcd.enable = false;
    useNetworkd = false;
    useDHCP = false;
  };
  systemd = {
    network.wait-online.anyInterface = true;
    services.display-manager.serviceConfig.KeyringMode = "inherit";
    tmpfiles.rules = [ "d /media/nas 0750 shawn users -" ];
  };

  environment.systemPackages = with pkgs; [
    cifs-utils
    zenmonitor
  ];

  services = {
    resolved.enable = false;
    udev.packages = [ pkgs.libmtp.out ];
    openssh = {
      enable = true;
      # Host keys live on /persist so the host identity survives the root
      # rollback done in impermanence.nix.
      hostKeys = [
        {
          path = "/persist/etc/ssh/ssh_host_ed25519_key";
          type = "ed25519";
        }
        {
          path = "/persist/etc/ssh/ssh_host_rsa_key";
          type = "rsa";
          bits = 4096;
        }
      ];
    };
    zfs = {
      trim.enable = true;
      autoScrub = {
        enable = true;
        pools = [ "rpool" ];
      };
    };
    printing = {
      enable = true;
      browsed.enable = false;
      # CUPS is local-only.
      listenAddresses = [ "localhost:631" ];
      drivers = [ pkgs.epson-escpr2 ];
    };
    zrepl = {
      enable = true;
      package = pkgs.zrepl;
      settings = {
        global.monitoring = [
          {
            type = "prometheus";
            # Binds on all interfaces; the port is not opened in the firewall
            # here, so external reachability depends on the firewall state.
            listen = ":9811";
            listen_freebind = true;
          }
        ];
        jobs = [
          {
            name = "zenbook";
            type = "push";
            # Everything under rpool/safe (the persistent datasets) is replicated.
            filesystems."rpool/safe<" = true;
            snapshotting = {
              type = "periodic";
              interval = "1h";
              prefix = "zrepl_";
            };
            connect =
              let
                # Derived from tank's own zrepl config so both sides stay in sync.
                zreplPort = flakeConfig.shawn8901.zrepl.servePorts hosts.tank.config.services.zrepl;
              in
              {
                # Mutual TLS: tank's cert is pinned as the CA and its CN is
                # checked; our client cert is public, the key comes from sops.
                type = "tls";
                address = "tank.fritz.box:${toString zreplPort}";
                ca = ../../files/public_certs/zrepl/tank.crt;
                cert = ../../files/public_certs/zrepl/zenbook.crt;
                key = secrets.zrepl.path;
                server_cn = "tank";
              };
            send = {
              # Raw encrypted sends: the receiver never holds the dataset key.
              encrypted = true;
              compressed = true;
            };
            pruning = {
              keep_sender = [
                { type = "not_replicated"; }
                {
                  type = "grid";
                  grid = "1x3h(keep=all) | 2x6h | 30x1d";
                  regex = "^zrepl_.*";
                }
                # Snapshots not created by zrepl are never pruned.
                {
                  type = "regex";
                  negate = true;
                  regex = "^zrepl_.*";
                }
              ];
              keep_receiver = [
                {
                  type = "grid";
                  grid = "1x3h(keep=all) | 2x6h | 30x1d | 6x30d | 1x365d";
                  regex = "^zrepl_.*";
                }
              ];
            };
          }
        ];
      };
    };
    acpid.enable = true;
    upower.enable = true;
  };
  hardware = {
    amdgpu.initrd.enable = true;
    sane.enable = true;
    keyboard.zsa.enable = true;
    asus.battery = {
      enable = true;
      chargeUpto = 80;
    };
    asus-numberpad-driver = {
      enable = true;
      layout = "up5401ea";
      config = {
        main = {
          "activation_time" = "0.5";
          "multitouch" = "1";
          "default_backlight_level" = "0x01";
          "top_left_icon_brightness_func_max_min_only" = "1";
          "top_left_icon_activation_time" = "0.5";
          "top_left_icon_slide_func_activation_radius" = "1200";
          "top_left_icon_slide_func_activates_numpad" = "1";
        };
      };
    };
  };

  programs.nh.flake = "/home/shawn/dev/nixos-configuration";

  environment = {
    # /etc/samba/credentials_shawn points at the sops-managed secret; its
    # permissions are whatever sops-nix applies (root-only by default — verify).
    etc."samba/credentials_shawn".source = secrets.samba.path;
    sessionVariables = {
      WINEFSYNC = "1";
      WINEDEBUG = "-all";
    };
  };

  users.users.shawn.extraGroups = [
    "video"
    "audio"
    "scanner"
    "lp"
    "networkmanager"
  ];

  # Autologin PAM stack: no password is asked (pam_permit), but only for uids
  # at or above the configured minimum. pam_systemd_loadkey looks like it
  # replays the ZFS unlock passphrase kept in the kernel keyring (keyname
  # zfs-rpool, see boot.zfs.useKeyringForCredentials below) into kwallet via
  # pam_kwallet5 — confirm.
  security.pam.services.sddm-autologin.text = lib.mkForce ''
    auth requisite pam_nologin.so
    auth optional ${config.systemd.package}/lib/security/pam_systemd_loadkey.so keyname=zfs-rpool
    auth optional ${pkgs.kdePackages.kwallet-pam}/lib/security/pam_kwallet5.so kwalletd=${pkgs.kdePackages.kwallet}/bin/kwalletd6
    auth required pam_succeed_if.so uid >= ${toString config.services.displayManager.sddm.autoLogin.minimumUid} quiet
    auth required pam_permit.so

    account include sddm

    password include sddm

    session include sddm
  '';

  services.displayManager = {
    autoLogin = {
      enable = true;
      user = "shawn";
    };
    sessionData.autologinSession = "plasma";
  };
  boot.zfs.useKeyringForCredentials = true;

  shawn8901.desktop.enable = true;

  # udisks2 without filesystem tools that are not needed on this machine.
  nixpkgs.config.packageOverrides = pkgs: {
    udisks2 = pkgs.udisks2.override {
      btrfs-progs = null;
      nilfs-utils = null;
      xfsprogs = null;
      f2fs-tools = null;
    };
  };
}
-------------------------------------------------------------------------------- /machines/zenbook/hardware.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | pkgs, 4 
| modulesPath, 5 | ... 6 | }: 7 | let 8 | zfsOptions = [ 9 | "zfsutil" 10 | "X-mount.mkdir" 11 | ]; 12 | in 13 | { 14 | imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; 15 | 16 | boot = { 17 | initrd = { 18 | availableKernelModules = [ 19 | "nvme" 20 | "xhci_pci" 21 | "rtsx_pci_sdmmc" 22 | "usbhid" 23 | "sd_mod" 24 | "sr_mod" 25 | ]; 26 | systemd.enable = true; 27 | }; 28 | kernelModules = [ 29 | "kvm-amd" 30 | "cifs" 31 | "usb_storage" 32 | "acpi_call" 33 | "amdgpu" 34 | "amd_pstate" 35 | ]; 36 | kernelPackages = pkgs.linuxPackages; 37 | kernelParams = [ 38 | "initcall_blacklist=acpi_cpufreq_init" 39 | "amd_pstate=passive" 40 | "amd_pstate.shared_mem=1" 41 | "amdgpu.dcfeaturemask=0x8" 42 | ]; 43 | extraModulePackages = with config.boot.kernelPackages; [ 44 | zenpower 45 | cpupower 46 | ]; 47 | blacklistedKernelModules = [ "k10temp" ]; 48 | extraModprobeConfig = '' 49 | options zfs zfs_arc_max=1610612736 50 | ''; 51 | supportedFilesystems = [ 52 | "zfs" 53 | "ntfs" 54 | ]; 55 | zfs.devNodes = "/dev/disk/by-id"; 56 | loader = { 57 | systemd-boot.enable = true; 58 | efi.canTouchEfiVariables = true; 59 | }; 60 | }; 61 | 62 | fileSystems = { 63 | "/" = { 64 | device = "rpool/local/root"; 65 | fsType = "zfs"; 66 | options = zfsOptions; 67 | }; 68 | 69 | "/var/log" = { 70 | device = "rpool/local/log"; 71 | fsType = "zfs"; 72 | options = zfsOptions; 73 | neededForBoot = true; 74 | }; 75 | 76 | "/persist" = { 77 | device = "rpool/safe/persist"; 78 | fsType = "zfs"; 79 | options = zfsOptions; 80 | neededForBoot = true; 81 | }; 82 | 83 | "/nix" = { 84 | device = "rpool/local/nix"; 85 | fsType = "zfs"; 86 | options = zfsOptions; 87 | }; 88 | 89 | "/home" = { 90 | device = "rpool/safe/home"; 91 | fsType = "zfs"; 92 | options = zfsOptions; 93 | }; 94 | "/boot" = { 95 | device = "/dev/disk/by-label/BOOT"; 96 | fsType = "vfat"; 97 | options = [ 98 | "x-systemd.idle-timeout=1min" 99 | "x-systemd.automount" 100 | "noauto" 101 | ]; 102 | }; 103 | }; 104 | 
swapDevices = [ { device = "/dev/disk/by-label/swap"; } ]; 105 | 106 | hardware = { 107 | cpu.amd.updateMicrocode = true; 108 | enableRedistributableFirmware = true; 109 | }; 110 | powerManagement.enable = true; 111 | } 112 | -------------------------------------------------------------------------------- /machines/zenbook/home.nix: -------------------------------------------------------------------------------- 1 | _: { shawn8901.desktop.enable = true; } 2 | -------------------------------------------------------------------------------- /machines/zenbook/impermanence.nix: -------------------------------------------------------------------------------- 1 | { config, ... }: 2 | { 3 | boot.initrd.systemd.services.initrd-rollback-root = { 4 | after = [ "zfs-import-rpool.service" ]; 5 | requires = [ "zfs-import-rpool.service" ]; 6 | before = [ "sysroot.mount" ]; 7 | wantedBy = [ "initrd.target" ]; 8 | description = "Rollback root fs"; 9 | serviceConfig = { 10 | Type = "oneshot"; 11 | ExecStart = "${config.boot.zfs.package}/sbin/zfs rollback -r rpool/local/root@blank"; 12 | }; 13 | }; 14 | 15 | security.sudo.extraConfig = '' 16 | Defaults lecture = never 17 | ''; 18 | 19 | environment.persistence."/persist" = { 20 | hideMounts = true; 21 | directories = [ 22 | "/etc/NetworkManager/system-connections" 23 | "/var/lib/bluetooth" 24 | "/var/lib/cups" 25 | "/var/lib/NetworkManager" 26 | "/var/lib/nixos" 27 | "/var/lib/prometheus2" 28 | "/var/lib/systemd" 29 | "/var/lib/upower" 30 | ]; 31 | files = [ "/etc/machine-id" ]; 32 | }; 33 | } 34 | -------------------------------------------------------------------------------- /machines/zenbook/secrets-home.yaml: -------------------------------------------------------------------------------- 1 | attic: 
ENC[AES256_GCM,data:tYJ2WvuSki3q8M09fSdCwbC3FTHEUfDfaSShy8xPu02g5+bnEOcxvF8fTd1bFZQslZYMUshAKneZGFMyj8b7jg/kd7Q0/xg2oyWQhQdvxrJNeOm7LhRNtCkQni/Rw9jyf4vAx2q39pOGibEy4V3mRbGfgWzE+VPwQK1LXJkD/FFE0Uh5GVH59dQKmCQDVE9q0dTUXGYweCGiQhmTuuUkEIn4NlGMU2nWZLw8MQ3VYne1vNjG9OradfR7rCuo9M3mNSncCKNQ0QWmGte+LxmM5T7UBoG1eo7aoHUGAvFYqW98lGn/RkPJaPfy2clLTJh9osLK8mTGdUAZJ909wCvtR8XpBrlx9wWL7XM+r7KbnQLoQLouzvDfOn+N2ZUb5QsY7RvhFOfpUhYcxy24f9LdqCw7lxuOGCbnF7NkMf/bBqD70LwAMN4i4oaxSZpyT6pCsEPjI53oyiOjlANN1W3b8Y0YA9xvPgbwiyLNt2w2,iv:pv3SqgYdlG/VSSgZDStQPYoFQo9DGhBPzE8MPBfS81s=,tag:NsNH9RBp/gf70geLyCDZyg==,type:str] 2 | sops: 3 | kms: [] 4 | gcp_kms: [] 5 | azure_kv: [] 6 | hc_vault: [] 7 | age: 8 | - recipient: age1q5mka3zt3w0w4nqzlmdm5pwf3ktxnjf87qcdjjxdednsanryry2scfzh93 9 | enc: | 10 | -----BEGIN AGE ENCRYPTED FILE----- 11 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxKytqMFVYWlRBSkdnWmg3 12 | MDJER1k1cnRsakF2ZTZMRFM3NE5zR3M5bXlvCk5ZRVBJUVR6UUdzeFBBbUg4RkRk 13 | a2g5TnFackZvZDBVc0gzMm9HYWpqcjQKLS0tIEp4azZlQVhGSzhEL2Q3T0p5SXlJ 14 | V2VtZGN6RnJIREZ1Y1BzNG1DcmQxcncKl/bTCMEtLdCfecMkSfMbJ1l+IXpyZNRh 15 | FetUVsDXHk3ZyNSyNMgXJrw/xiQqZkgoxu9atwRKjva/lnO3khcWpw== 16 | -----END AGE ENCRYPTED FILE----- 17 | - recipient: age1q9wy9rnpusgr7w993dm03ec50zm0mgrylmqxdpph2avzf38k6gks3g4vp2 18 | enc: | 19 | -----BEGIN AGE ENCRYPTED FILE----- 20 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiOXQ2SHh2cDFGcEhYem1E 21 | aE43SDNoVFg1dDBVZ1F4V0VwRFF3dFVWMkNJClAwVmJROTJKc0J5N2pnWjkxSWRL 22 | WnNWVG1hOGd2Rk1iN0o4bktENjM3SEUKLS0tIHplOGc1TUJmTlB0MlE1UUMxTWlu 23 | ckRBK0E2ZDZLYnVQd1hJRXBQeG9HRmcK+zMUQgKOYci+xGQBob1/TC+MjEKLDENl 24 | ci3AdvkPnyBL5sFvqUcuLy4iLtrBz4yxnJ/5PkFedf06JuU4alW+qg== 25 | -----END AGE ENCRYPTED FILE----- 26 | lastmodified: "2024-06-18T18:41:09Z" 27 | mac: 
ENC[AES256_GCM,data:dUh1Khaafb4pG8feueDg2aAW/Zdharqcdfx4/KLgiQboAKOSc/cNgTkGgZclnG1EJezbDLWoeypHEWW/7ctGMMlmw+Mmj/umdPUz7pthvBkLM0AsVXrHqibzW1f08dSPRZG6Zukhq0N0tsornOPRHKTnwuxDYbjpu9kmY+3uhHs=,iv:wrddu7KOiYzh9nIlZ7hybERSomRH7Z3QluvEFje9FcU=,tag:ooIQgnvI75wbPO/CU0iI/w==,type:str] 28 | pgp: [] 29 | unencrypted_suffix: _unencrypted 30 | version: 3.8.1 31 | -------------------------------------------------------------------------------- /machines/zenbook/secrets.yaml: -------------------------------------------------------------------------------- 1 | zrepl: ENC[AES256_GCM,data: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,iv:zEZv66sCNr8SUx2H3sHGb9SbD6ZRhbeRxIW24MZT8RU=,tag:FS5DNJLt2wU0VBJlU4t5jw==,type:str] 2 | sops: 3 | kms: [] 4 | gcp_kms: [] 5 | azure_kv: [] 6 | hc_vault: [] 7 | age: 8 | - recipient: age1q5mka3zt3w0w4nqzlmdm5pwf3ktxnjf87qcdjjxdednsanryry2scfzh93 9 | enc: | 10 | -----BEGIN AGE ENCRYPTED FILE----- 11 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3dFFLL0Q4dHVVWmd4YzlD 12 | YkpTWGI4dndBeUtlOUpXc1B5OHNFdDVxRGdRCkdsb2V1QXFwU0dSUGJLY29vejlh 13 | enhQRmJ5THUxcHhxVVJhOEZTSnhyNDAKLS0tIGVRWXJEd01nQnhhYW9ZSms3MXph 14 | ZWdxZGxVWWhpOVYrOEszakt1RGd2bDgKAerp8RVRqJtxewIiGC0THlP2Zgj8xSxB 15 | OrnJVkFJrNLTqHD9xNLPuKiASrJUXF3iOefXkyPwROUAn7ziRSneBg== 16 | -----END AGE ENCRYPTED FILE----- 17 | - recipient: age1q9wy9rnpusgr7w993dm03ec50zm0mgrylmqxdpph2avzf38k6gks3g4vp2 18 | enc: | 19 | -----BEGIN AGE ENCRYPTED FILE----- 20 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxVGlkOFd4RkNkLy9yTE1E 21 | Q0FLaVk1UlZUUnRTYUFlV0QwMktCODZWTEFZCmJIaHpvckdNc3l0N1orVnRzMlNj 22 | cUp3ckg0NFdTVlQvd3BTaWRMTzRudjAKLS0tIHQwRjdXRHpFdUZPcmtPUVpFaUZz 23 | enY5a2UxbWhVZnhiTzFkM09lZjZUM2sKnaTdFrUztoc2lsElFrMdDABZLYN91mQf 24 | trE34cl7/dMwROvASRck2jOjQWWf1gUtpENP639hdaHQysC0QKUZyQ== 25 | -----END AGE ENCRYPTED FILE----- 26 | lastmodified: "2024-12-11T18:19:33Z" 27 | mac: 
ENC[AES256_GCM,data:Cyuwg6OGf3yMf/6+8hWWjxz9RNPeZLo3IgRCACaNLdjuIeyww5FP/JK9y0q9T7Hmjh2ha/7kCEt4rJxW5a5wyrOL1lvQSL1zDgqhWInGvBInktqnumIuvDnHq3Q/bkO3qhgad+57mLHpI5ZDtMC3IGpt/g0TYahyjtv2GlY7ULw=,iv:aAdfP8KIqlS3LndCQzDKghgHDM29ij4ectxotNiYzRE=,tag:sIE4ZR8goNQU3yTFuTavew==,type:str] 28 | pgp: [] 29 | unencrypted_suffix: _unencrypted 30 | version: 3.9.1 31 | -------------------------------------------------------------------------------- /modules/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | config.fp-lib.modules.nixos = { 3 | public = ./nixos/public; 4 | private = ./nixos/private; 5 | }; 6 | 7 | config.fp-lib.modules.home-manager = { 8 | private = ./home-manager/private; 9 | }; 10 | } 11 | -------------------------------------------------------------------------------- /modules/home-manager/private/base.nix: -------------------------------------------------------------------------------- 1 | { lib, ... }: 2 | let 3 | inherit (lib) mkDefault; 4 | in 5 | { 6 | home.stateVersion = "23.05"; 7 | 8 | programs = { 9 | zsh.enable = true; 10 | dircolors = { 11 | enable = true; 12 | enableZshIntegration = true; 13 | }; 14 | man.enable = mkDefault false; 15 | }; 16 | manual.manpages.enable = mkDefault false; 17 | } 18 | -------------------------------------------------------------------------------- /modules/nixos/private/backup-rclone.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | lib, 4 | pkgs, 5 | ... 
6 | }: 7 | let 8 | cfg = config.shawn8901.backup-rclone; 9 | 10 | inherit (lib) 11 | mkIf 12 | mkEnableOption 13 | mkOption 14 | types 15 | ; 16 | in 17 | { 18 | options = { 19 | shawn8901.backup-rclone = { 20 | enable = mkEnableOption "service to save personal files to dropbox"; 21 | sourceDir = mkOption { type = types.str; }; 22 | destDir = mkOption { type = types.str; }; 23 | }; 24 | }; 25 | config = mkIf cfg.enable { 26 | systemd = 27 | let 28 | serviceName = cfg.sourceDir; # "backup-${builtins.replaceStrings ["/"] ["-"] safePath}"; 29 | in 30 | { 31 | services.${serviceName} = { 32 | requires = [ "network-online.target" ]; 33 | after = [ "network-online.target" ]; 34 | description = "Copy nextcloud stuff to dropbox"; 35 | serviceConfig = { 36 | Type = "oneshot"; 37 | User = "shawn"; 38 | ExecStart = "${lib.getExe pkgs.rclone} copy ${cfg.sourceDir} ${cfg.destDir}"; 39 | }; 40 | }; 41 | timers.${serviceName} = { 42 | wantedBy = [ "timers.target" ]; 43 | timerConfig = { 44 | OnCalendar = [ "daily" ]; 45 | Persistent = true; 46 | OnBootSec = "15min"; 47 | }; 48 | }; 49 | }; 50 | }; 51 | } 52 | -------------------------------------------------------------------------------- /modules/nixos/private/backup-usb.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | lib, 4 | pkgs, 5 | ... 
6 | }: 7 | let 8 | cfg = config.shawn8901.backup-usb; 9 | inherit (lib) 10 | mkIf 11 | mkEnableOption 12 | mkOption 13 | types 14 | ; 15 | in 16 | { 17 | options = { 18 | shawn8901.backup-usb = { 19 | enable = mkEnableOption "automatic backup to usb disk"; 20 | mountPoint = mkOption { 21 | type = types.str; 22 | description = "Mountpoint of the usb disk"; 23 | }; 24 | backupPath = mkOption { 25 | type = types.str; 26 | description = "Path to backup"; 27 | }; 28 | package = mkOption { type = types.package; }; 29 | device = { 30 | idVendor = mkOption { type = types.str; }; 31 | idProduct = mkOption { type = types.str; }; 32 | partition = mkOption { type = types.str; }; 33 | }; 34 | }; 35 | }; 36 | config = mkIf cfg.enable { 37 | 38 | environment.systemPackages = [ pkgs.cifs-utils ]; 39 | 40 | nixpkgs.config.packageOverrides = pkgs: { 41 | # ubuntu blacklists pc speaker as it annoys them 42 | kmod-blacklist-ubuntu = pkgs.kmod-blacklist-ubuntu.overrideAttrs (old: { 43 | patchPhase = '' 44 | sed -i '/blacklist pcspkr/d' ./modprobe.d/blacklist.conf 45 | ''; 46 | }); 47 | }; 48 | 49 | boot.kernelModules = [ "pcspkr" ]; 50 | 51 | services.udev.extraRules = '' 52 | SUBSYSTEM=="block", ACTION=="add", ATTRS{idVendor}=="${cfg.device.idVendor}", ATTRS{idProduct}=="${cfg.device.idProduct}", ATTR{partition}=="${cfg.device.partition}", TAG+="systemd", ENV{SYSTEMD_WANTS}="backup-usb@%k.service" 53 | ''; 54 | 55 | systemd.services."backup-usb@" = 56 | let 57 | backupUsb = cfg.package.override { inherit (cfg) backupPath mountPoint; }; 58 | in 59 | { 60 | description = "Backups ${cfg.backupPath} to usb hdd"; 61 | serviceConfig = { 62 | Type = "simple"; 63 | GuessMainPID = false; 64 | ExecStart = "${lib.getExe backupUsb} %I"; 65 | }; 66 | }; 67 | }; 68 | } 69 | -------------------------------------------------------------------------------- /modules/nixos/private/base/default.nix: -------------------------------------------------------------------------------- 1 | { pkgs, lib, ... 
}: 2 | let 3 | inherit (lib) mkDefault mkForce; 4 | in 5 | { 6 | documentation = { 7 | doc.enable = mkDefault false; 8 | nixos.enable = mkDefault false; 9 | info.enable = mkDefault false; 10 | }; 11 | 12 | system = { 13 | stateVersion = mkDefault "23.05"; 14 | disableInstallerTools = true; 15 | }; 16 | time.timeZone = "Europe/Berlin"; 17 | 18 | i18n.defaultLocale = "de_DE.UTF-8"; 19 | console = { 20 | earlySetup = true; 21 | font = "Lat2-Terminus16"; 22 | keyMap = "de"; 23 | }; 24 | 25 | programs.command-not-found.enable = false; 26 | 27 | boot = { 28 | tmp.useTmpfs = mkDefault true; 29 | tmp.cleanOnBoot = true; 30 | swraid.enable = mkDefault false; 31 | enableContainers = false; 32 | }; 33 | environment = { 34 | systemPackages = [ pkgs.vim ]; 35 | defaultPackages = mkForce [ ]; 36 | }; 37 | 38 | services = { 39 | lvm.enable = false; 40 | journald.extraConfig = '' 41 | SystemMaxUse=100M 42 | SystemMaxFileSize=50M 43 | ''; 44 | dbus.implementation = "broker"; 45 | }; 46 | security.wrapperDirSize = "10M"; 47 | } 48 | -------------------------------------------------------------------------------- /modules/nixos/private/base/nix.nix: -------------------------------------------------------------------------------- 1 | { 2 | pkgs, 3 | lib, 4 | config, 5 | ... 
6 | }: 7 | let 8 | inherit (lib) 9 | mkDefault 10 | mkForce 11 | ; 12 | in 13 | { 14 | sops.secrets = { 15 | nix-gh-token-ro = { 16 | sopsFile = ../../../../files/secrets-base.yaml; 17 | group = config.users.groups.nixbld.name; 18 | mode = "0444"; 19 | }; 20 | nix-netrc-ro = { 21 | sopsFile = ../../../../files/secrets-base.yaml; 22 | group = config.users.groups.nixbld.name; 23 | mode = "0444"; 24 | }; 25 | }; 26 | 27 | nix = { 28 | channel.enable = false; 29 | package = pkgs.nix; 30 | settings = { 31 | auto-optimise-store = true; 32 | allow-import-from-derivation = false; 33 | substituters = [ 34 | "https://nix-community.cachix.org" 35 | "https://cache.pointjig.de/nixos" 36 | ]; 37 | trusted-public-keys = [ 38 | "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" 39 | "nixos:5axzveeiERb8xAeioBUHNHq4SVLvwDcJkLMFsWq0l1E=" 40 | ]; 41 | cores = mkDefault 4; 42 | max-jobs = mkDefault 2; 43 | experimental-features = [ 44 | "nix-command" 45 | "flakes" 46 | ]; 47 | netrc-file = mkForce config.sops.secrets.nix-netrc-ro.path; 48 | }; 49 | extraOptions = '' 50 | !include ${config.sops.secrets.nix-gh-token-ro.path} 51 | min-free = ${toString (1024 * 1024 * 1024)} 52 | max-free = ${toString (5 * 1024 * 1024 * 1024)} 53 | ''; 54 | nrBuildUsers = mkForce 16; 55 | daemonIOSchedClass = "idle"; 56 | daemonCPUSchedPolicy = "idle"; 57 | }; 58 | 59 | programs.nh = { 60 | enable = true; 61 | flake = lib.mkDefault "github:shawn8901/nixos-configuration"; 62 | clean = { 63 | enable = true; 64 | extraArgs = "--keep 3 --keep-since 3d"; 65 | }; 66 | }; 67 | } 68 | -------------------------------------------------------------------------------- /modules/nixos/private/base/vmagent.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | lib, 4 | flakeConfig, 5 | ... 
6 | }: 7 | let 8 | inherit (lib) optionals mkMerge optionalAttrs; 9 | in 10 | { 11 | sops.secrets = { 12 | vmagent = { 13 | sopsFile = ../../../../files/secrets-base.yaml; 14 | }; 15 | }; 16 | 17 | services = { 18 | vmagent = { 19 | enable = true; 20 | prometheusConfig = { 21 | global = { 22 | scrape_interval = "1m"; 23 | scrape_timeout = "30s"; 24 | }; 25 | scrape_configs = 26 | [ 27 | { 28 | job_name = "node"; 29 | static_configs = [ 30 | { targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; } 31 | ]; 32 | } 33 | ] 34 | ++ lib.optionals config.services.prometheus.exporters.zfs.enable [ 35 | { 36 | job_name = "zfs"; 37 | static_configs = [ 38 | { targets = [ "localhost:${toString config.services.prometheus.exporters.zfs.port}" ]; } 39 | ]; 40 | } 41 | ] 42 | ++ optionals config.services.prometheus.exporters.smartctl.enable [ 43 | { 44 | job_name = "smartctl"; 45 | static_configs = [ 46 | { targets = [ "localhost:${toString config.services.prometheus.exporters.smartctl.port}" ]; } 47 | ]; 48 | } 49 | ] 50 | ++ optionals config.services.zrepl.enable [ 51 | { 52 | job_name = "zrepl"; 53 | static_configs = [ 54 | { 55 | targets = [ 56 | "localhost:${toString (flakeConfig.shawn8901.zrepl.monitoringPorts config.services.zrepl)}" 57 | ]; 58 | } 59 | ]; 60 | } 61 | ]; 62 | }; 63 | remoteWrite = { 64 | url = lib.mkDefault "https://vm.pointjig.de/api/v1/write"; 65 | basicAuthUsername = "vm"; 66 | basicAuthPasswordFile = config.sops.secrets.vmagent.path; 67 | }; 68 | extraArgs = [ "-remoteWrite.label=instance=${config.networking.hostName}" ]; 69 | }; 70 | 71 | prometheus.exporters = mkMerge [ 72 | { 73 | node = { 74 | enable = true; 75 | listenAddress = "localhost"; 76 | port = 9101; 77 | enabledCollectors = [ 78 | "systemd" 79 | "processes" 80 | "interrupts" 81 | "cgroups" 82 | "hwmon" 83 | ]; 84 | }; 85 | } 86 | (optionalAttrs (config.boot.supportedFilesystems.zfs or false) { 87 | zfs = { 88 | enable = true; 89 | listenAddress = 
"localhost"; 90 | }; 91 | }) 92 | (optionalAttrs config.services.smartd.enable { 93 | smartctl = { 94 | enable = true; 95 | listenAddress = "localhost"; 96 | maxInterval = "5m"; 97 | }; 98 | }) 99 | ]; 100 | }; 101 | } 102 | -------------------------------------------------------------------------------- /modules/nixos/private/desktop.nix: -------------------------------------------------------------------------------- 1 | { 2 | pkgs, 3 | lib, 4 | config, 5 | ... 6 | }: 7 | let 8 | inherit (lib) 9 | mkEnableOption 10 | mkIf 11 | ; 12 | 13 | cfg = config.shawn8901.desktop; 14 | in 15 | { 16 | 17 | options = { 18 | shawn8901.desktop = { 19 | enable = mkEnableOption "my desktop settings for nixos"; 20 | }; 21 | }; 22 | config = mkIf cfg.enable { 23 | 24 | documentation.man = { 25 | enable = lib.mkDefault true; 26 | generateCaches = lib.mkDefault true; 27 | }; 28 | 29 | fonts = { 30 | fontconfig = { 31 | enable = lib.mkDefault true; 32 | hinting.autohint = true; 33 | cache32Bit = true; 34 | subpixel.lcdfilter = "light"; 35 | defaultFonts = { 36 | emoji = [ "Noto Color Emoji" ]; 37 | serif = [ "Noto Serif" ]; 38 | sansSerif = [ "Noto Sans" ]; 39 | monospace = [ "Noto Sans Mono" ]; 40 | }; 41 | }; 42 | enableDefaultPackages = lib.mkDefault true; 43 | packages = 44 | [ pkgs.noto-fonts ] 45 | ++ (with pkgs.nerd-fonts; [ 46 | noto 47 | liberation 48 | meslo-lg 49 | liberation 50 | ]); 51 | }; 52 | 53 | services = { 54 | acpid.enable = true; 55 | avahi = { 56 | enable = true; 57 | openFirewall = true; 58 | nssmdns4 = true; 59 | }; 60 | pipewire = { 61 | enable = true; 62 | pulse.enable = true; 63 | alsa.enable = true; 64 | alsa.support32Bit = true; 65 | wireplumber.enable = true; 66 | }; 67 | desktopManager.plasma6.enable = true; 68 | displayManager.sddm = { 69 | enable = lib.mkDefault true; 70 | autoNumlock = true; 71 | wayland = { 72 | enable = true; 73 | compositor = "kwin"; 74 | }; 75 | }; 76 | speechd.enable = false; 77 | orca.enable = false; 78 | }; 79 | 80 | security 
= { 81 | rtkit.enable = true; 82 | auditd.enable = false; 83 | audit.enable = false; 84 | # Upstream PipeWire's recommended realtime limits, granted here to every member of @users (rtprio 95, memlock 4194304, nice -19) 85 | # https://gitlab.freedesktop.org/pipewire/pipewire/-/blob/master/meson_options.txt#L342 86 | pam.loginLimits = [ 87 | { 88 | domain = "@users"; 89 | item = "rtprio"; 90 | type = "-"; 91 | value = "95"; 92 | } 93 | { 94 | domain = "@users"; 95 | item = "memlock"; 96 | type = "-"; 97 | value = "4194304"; 98 | } 99 | { 100 | domain = "@users"; 101 | item = "nice"; 102 | type = "-"; 103 | value = "-19"; 104 | } 105 | ]; 106 | }; 107 | 108 | systemd.defaultUnit = "graphical.target"; 109 | 110 | hardware = { 111 | bluetooth = { 112 | enable = true; 113 | package = pkgs.bluez5-experimental; 114 | settings.General.Experimental = true; 115 | input.General.ClassicBondedOnly = false; 116 | }; 117 | graphics = { 118 | enable = true; 119 | enable32Bit = true; 120 | extraPackages = [ pkgs.libva ]; 121 | extraPackages32 = [ pkgs.pkgsi686Linux.libva ]; 122 | }; 123 | }; 124 | xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ]; 125 | environment = { 126 | sessionVariables = { 127 | AMD_VULKAN_ICD = "RADV"; 128 | MOZ_ENABLE_WAYLAND = "1"; 129 | NIXOS_OZONE_WL = "1"; 130 | QT_WAYLAND_DISABLE_WINDOWDECORATION = "1"; 131 | _JAVA_AWT_WM_NONREPARENTING = "1"; 132 | GTK_USE_PORTAL = "1"; 133 | }; 134 | systemPackages = 135 | [ 136 | pkgs.git 137 | #pkgs.btop-rocm 138 | pkgs.btop 139 | ] 140 | ++ (with pkgs.kdePackages; [ 141 | ark 142 | print-manager 143 | kate 144 | skanlite 145 | kalk 146 | kleopatra 147 | ]); 148 | 149 | plasma6.excludePackages = with pkgs.kdePackages; [ 150 | elisa 151 | khelpcenter 152 | kate 153 | gwenview 154 | ]; 155 | }; 156 | 157 | boot.kernel.sysctl = { 158 | # https://github.com/ValveSoftware/Proton/wiki/Requirements#increasing-the-maximum-number-of-memory-map-areas-a-process-may-have 159 | "vm.max_map_count" = 2147483642; 160 | }; 161 | 162 | programs = { 163 | dconf.enable = true; 164 | ssh.startAgent = true; 165 | 
steam = { 166 | enable = true; 167 | extraCompatPackages = [ pkgs.proton-ge-bin ]; 168 | package = pkgs.steam-small.override { 169 | extraEnv = { 170 | inherit (config.environment.sessionVariables) AMD_VULKAN_ICD; 171 | extraBwrapArgs = [ "--unsetenv TZ" ]; 172 | }; 173 | extraLibraries = p: [ 174 | # Fix Unity Fonts 175 | (pkgs.runCommand "share-fonts" { preferLocalBuild = true; } '' 176 | mkdir -p "$out/share/fonts" 177 | font_regexp='.*\.\(ttf\|ttc\|otf\|pcf\|pfa\|pfb\|bdf\)\(\.gz\)?' 178 | find ${ 179 | toString [ 180 | pkgs.liberation_ttf 181 | pkgs.dejavu_fonts 182 | ] 183 | } -regex "$font_regexp" \ 184 | -exec ln -sf -t "$out/share/fonts" '{}' \; 185 | '') 186 | p.getent 187 | ]; 188 | }; 189 | }; 190 | kde-pim = { 191 | enable = true; 192 | kmail = true; 193 | }; 194 | }; 195 | }; 196 | } 197 | -------------------------------------------------------------------------------- /modules/nixos/private/hydra.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | lib, 4 | pkgs, 5 | ... 
6 | }: 7 | let 8 | cfg = config.shawn8901.hydra; 9 | inherit (lib) 10 | mkEnableOption 11 | mkPackageOption 12 | mkOption 13 | mkDefault 14 | types 15 | ; 16 | in 17 | { 18 | options = { 19 | shawn8901.hydra = { 20 | enable = mkEnableOption "Enables a preconfigured hydra instance"; 21 | hostName = mkOption { 22 | type = types.str; 23 | description = "Hostname of the hydra instance"; 24 | }; 25 | mailAdress = mkOption { 26 | type = types.str; 27 | description = "Adress to send notifications to"; 28 | }; 29 | writeTokenFile = mkOption { type = types.path; }; 30 | attic = { 31 | enable = mkEnableOption "Enables usage of attic as binary cache"; 32 | package = mkPackageOption pkgs "attic-client" { }; 33 | }; 34 | builder = { 35 | sshKeyFile = mkOption { type = types.path; }; 36 | userName = mkOption { 37 | type = types.str; 38 | default = "root"; 39 | }; 40 | }; 41 | }; 42 | }; 43 | 44 | config = lib.mkIf cfg.enable { 45 | networking.firewall = { 46 | allowedUDPPorts = [ 443 ]; 47 | allowedTCPPorts = [ 48 | 80 49 | 443 50 | ]; 51 | }; 52 | 53 | systemd.tmpfiles.rules = [ "f /tmp/hyda/dynamic-machines 666 hydra hydra - " ]; 54 | 55 | services = { 56 | nginx = { 57 | enable = mkDefault true; 58 | recommendedGzipSettings = true; 59 | recommendedOptimisation = true; 60 | recommendedProxySettings = true; 61 | recommendedTlsSettings = true; 62 | virtualHosts."${cfg.hostName}" = { 63 | enableACME = true; 64 | forceSSL = true; 65 | http3 = true; 66 | kTLS = true; 67 | locations."/" = { 68 | proxyPass = "http://${config.services.hydra.listenHost}:${toString config.services.hydra.port}"; 69 | recommendedProxySettings = true; 70 | }; 71 | }; 72 | }; 73 | postgresql = { 74 | enable = mkDefault true; 75 | ensureDatabases = [ "hydra" ]; 76 | ensureUsers = [ 77 | { 78 | name = "hydra"; 79 | ensureDBOwnership = true; 80 | } 81 | ]; 82 | }; 83 | vmagent.prometheusConfig.scrape_configs = [ 84 | { 85 | job_name = "hydra_notify"; 86 | static_configs = [ { targets = [ "localhost:9199" ]; } 
]; 87 | } 88 | ]; 89 | 90 | hydra = 91 | let 92 | jq = lib.getExe pkgs.jq; 93 | merge_pr = pkgs.writeScriptBin "merge_pr" '' 94 | cat $HYDRA_JSON 95 | echo "" 96 | job_name=$(${jq} --raw-output ".jobset" $HYDRA_JSON) 97 | buildStatus=$(${jq} ".buildStatus" $HYDRA_JSON) 98 | if [[ "$job_name" = "main" ]]; then 99 | echo "Job $job_name is not a PR but the main branch." 100 | exit 0 101 | fi 102 | 103 | if [[ $buildStatus != 0 ]]; then 104 | echo "Build was not successful. Do not merge." 105 | exit 1 106 | fi 107 | 108 | echo "" 109 | echo "Job $job_name is a PR merge back to main branch." 110 | echo "" 111 | ${lib.getExe pkgs.curl} -L \ 112 | -X PUT \ 113 | -H "Accept: application/vnd.github+json" \ 114 | -H "Authorization: Bearer $(<${cfg.writeTokenFile})" \ 115 | -H "X-GitHub-Api-Version: 2022-11-28" \ 116 | https://api.github.com/repos/shawn8901/nixos-configuration/pulls/$job_name/merge \ 117 | -d '{"merge_method":"rebase"}' 118 | ''; 119 | in 120 | { 121 | enable = true; 122 | listenHost = "127.0.0.1"; 123 | port = 3000; 124 | package = pkgs.hydra_unstable; 125 | buildMachinesFiles = [ 126 | "/etc/nix/machines" 127 | "/tmp/hyda/dynamic-machines" 128 | ]; 129 | minimumDiskFree = 5; 130 | minimumDiskFreeEvaluator = 10; 131 | hydraURL = "https://${cfg.hostName}"; 132 | notificationSender = cfg.mailAdress; 133 | useSubstitutes = true; 134 | extraConfig = '' 135 | evaluator_max_memory_size = ${toString (4 * 1024)} 136 | evaluator_workers = 4 137 | max_concurrent_evals = 1 138 | restrict-eval = false 139 | max_output_size = ${toString (5 * 1024 * 1024 * 1024)} 140 | max_db_connections = 150 141 | compress_build_logs = 1 142 | 143 | shawn8901 = Bearer #github_token# 144 | 145 | 146 | job = *:*:merge-pr 147 | command = ${lib.getExe merge_pr} 148 | 149 | 150 | 151 | listen_address = 127.0.0.1 152 | port = 9199 153 | 154 | 155 | 156 | jobs = .* 157 | useShortContext = true 158 | excludeBuildFromContext = 1 159 | 160 | ''; 161 | }; 162 | }; 163 | 164 | systemd.services = 
lib.mkMerge [ 165 | { 166 | hydra-init = { 167 | after = [ "network-online.target" ]; 168 | requires = [ "network-online.target" ]; 169 | preStart = lib.mkAfter '' 170 | sed -i -e "s|#github_token#|$(<${cfg.writeTokenFile})|" ${config.systemd.services.hydra-init.environment.HYDRA_DATA}/hydra.conf 171 | ''; 172 | }; 173 | } 174 | (lib.optionalAttrs cfg.attic.enable { 175 | attic-watch-store = { 176 | wantedBy = [ "multi-user.target" ]; 177 | after = [ "network-online.target" ]; 178 | requires = [ "network-online.target" ]; 179 | description = "Upload all store content to binary catch"; 180 | serviceConfig = { 181 | User = "attic"; 182 | Restart = "always"; 183 | ExecStart = "${cfg.attic.package}/bin/attic watch-store nixos"; 184 | }; 185 | }; 186 | }) 187 | ]; 188 | 189 | programs.ssh.extraConfig = '' 190 | Host watchtower 191 | Hostname watchtower.pointjig.de 192 | Port 2242 193 | Compression yes 194 | ''; 195 | 196 | nix = { 197 | buildMachines = 198 | let 199 | sshUser = cfg.builder.userName; 200 | sshKey = cfg.builder.sshKeyFile; 201 | maxJobs = 1; 202 | supportedFeatures = [ 203 | "benchmark" 204 | "big-parallel" 205 | "kvm" 206 | "nixos-test" 207 | ]; 208 | in 209 | [ 210 | { 211 | hostName = "localhost"; 212 | protocol = null; 213 | systems = [ 214 | "x86_64-linux" 215 | "i686-linux" 216 | ]; 217 | supportedFeatures = supportedFeatures ++ [ "gccarch-x86-64-v3" ]; 218 | inherit maxJobs; 219 | } 220 | { 221 | hostName = "watchtower"; 222 | systems = [ "aarch64-linux" ]; 223 | inherit 224 | sshUser 225 | sshKey 226 | supportedFeatures 227 | maxJobs 228 | ; 229 | } 230 | ]; 231 | settings = { 232 | keep-outputs = mkDefault true; 233 | keep-derivations = mkDefault true; 234 | }; 235 | extraOptions = 236 | let 237 | urls = [ 238 | "https://gitlab.com/api/v4/projects/rycee%2Fnmd" 239 | "https://git.sr.ht/~rycee/nmd" 240 | "https://github.com/zhaofengli/" 241 | "git+https://github.com/zhaofengli/" 242 | "github:NixOS/" 243 | "github:nix-community/" 244 | 
"github:numtide/flake-utils" 245 | "github:hercules-ci/flake-parts" 246 | "github:nix-systems/default/" 247 | "github:Mic92/sops-nix/" 248 | "github:zhaofengli/" 249 | "github:ipetkov/crane/" 250 | "gitlab:rycee/nur-expressions/" 251 | "github:Shawn8901/" 252 | ]; 253 | in 254 | '' 255 | extra-allowed-uris = ${lib.concatStringsSep " " urls} 256 | ''; 257 | }; 258 | }; 259 | } 260 | -------------------------------------------------------------------------------- /modules/nixos/private/managed-user.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | lib, 4 | pkgs, 5 | ... 6 | }: 7 | let 8 | inherit (lib) mkEnableOption mkIf; 9 | 10 | cfg = config.shawn8901.managed-user; 11 | in 12 | { 13 | options = { 14 | shawn8901.managed-user = { 15 | enable = mkEnableOption "preconfigured users" // { 16 | default = config ? home-manager; 17 | }; 18 | }; 19 | }; 20 | config = mkIf cfg.enable { 21 | 22 | sops.secrets = { 23 | shawn = { 24 | sopsFile = ../../../files/secrets-managed.yaml; 25 | neededForUsers = true; 26 | }; 27 | root = { 28 | sopsFile = ../../../files/secrets-managed.yaml; 29 | neededForUsers = true; 30 | }; 31 | }; 32 | 33 | programs = { 34 | fzf = { 35 | fuzzyCompletion = true; 36 | keybindings = true; 37 | }; 38 | starship = { 39 | enable = true; 40 | interactiveOnly = true; 41 | settings = { 42 | command_timeout = 2000; 43 | # Don't print a new line at the start of the prompt 44 | add_newline = false; 45 | 46 | # Wait 10 milliseconds for starship to check files under the current directory. 
47 | scan_timeout = 10; 48 | 49 | directory = { 50 | truncation_length = 3; 51 | truncation_symbol = "…"; 52 | }; 53 | 54 | # Display the hostname before the character line 55 | hostname = { 56 | ssh_only = false; 57 | style = "blue"; 58 | format = "[$hostname]($style) in "; 59 | disabled = false; 60 | }; 61 | # The character at the start of the line where the command is entered 62 | character = { 63 | error_symbol = "[✗](bold red)"; 64 | vicmd_symbol = "[V](bold green)"; 65 | }; 66 | 67 | git_branch = { 68 | symbol = "🌿 "; 69 | }; 70 | git_commit = { 71 | disabled = false; 72 | }; 73 | 74 | git_status = { 75 | ahead = "⇡ $count"; 76 | diverged = "⇕ ⇡ $ahead_count ⇣ $behind_count"; 77 | behind = "⇣ $count"; 78 | }; 79 | memory_usage = { 80 | format = "$symbol[$ram( | $swap)]($style) "; 81 | symbol = "🌒️"; 82 | threshold = 50; 83 | style = "bold dimmed white"; 84 | disabled = false; 85 | }; 86 | }; 87 | }; 88 | zsh = { 89 | enable = true; 90 | enableCompletion = true; 91 | enableBashCompletion = true; 92 | enableGlobalCompInit = true; 93 | syntaxHighlighting.enable = true; 94 | autosuggestions.enable = true; 95 | interactiveShellInit = '' 96 | source "${pkgs.zsh-history-substring-search}/share/zsh-history-substring-search/zsh-history-substring-search.zsh" 97 | 98 | bindkey '^[[1;5C' forward-word # ctrl right 99 | bindkey '^[[1;5D' backward-word # ctrl left 100 | bindkey '^H' backward-kill-word 101 | bindkey '5~' kill-word 102 | ''; 103 | }; 104 | }; 105 | 106 | users = { 107 | mutableUsers = false; 108 | defaultUserShell = pkgs.zsh; 109 | users = { 110 | root.hashedPasswordFile = config.sops.secrets.root.path; 111 | shawn = { 112 | isNormalUser = true; 113 | group = "users"; 114 | extraGroups = [ "wheel" ]; 115 | uid = 1000; 116 | openssh.authorizedKeys.keys = [ 117 | "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMguHbKev03NMawY9MX6MEhRhd6+h2a/aPIOorgfB5oM shawn" 118 | ]; 119 | hashedPasswordFile = config.sops.secrets.shawn.path; 120 | }; 121 | }; 122 | }; 123 | 124 | # Needed to 
access secrets for the builder. Note: a trusted user can set arbitrary nix-daemon options, which is effectively root-equivalent, so keep this list minimal. 125 | nix.settings.trusted-users = [ "shawn" ]; 126 | 127 | environment.systemPackages = [ pkgs.fzf ]; # Used by zsh-interactive-cd 128 | }; 129 | } 130 | -------------------------------------------------------------------------------- /modules/nixos/private/nextcloud/base.nix: -------------------------------------------------------------------------------- 1 | { 2 | pkgs, 3 | config, 4 | lib, 5 | ... 6 | }: 7 | let 8 | cfg = config.shawn8901.nextcloud; 9 | inherit (lib) 10 | mkEnableOption 11 | mkDefault 12 | mkOption 13 | mkPackageOption 14 | types 15 | literalExpression 16 | ; 17 | in 18 | { 19 | options = { 20 | shawn8901.nextcloud = { 21 | enable = mkEnableOption "Enables a preconfigured nextcloud instance"; 22 | hostName = mkOption { 23 | type = types.str; 24 | description = "Hostname of the nextcloud instance"; 25 | }; 26 | home = mkOption { 27 | type = types.str; 28 | description = "Home directory of the nextcloud"; 29 | }; 30 | package = mkPackageOption pkgs "nextcloud29" { }; 31 | adminPasswordFile = mkOption { type = types.path; }; 32 | notify_push.package = mkPackageOption pkgs "nextcloud-notify_push" { }; 33 | prometheus.passwordFile = mkOption { 34 | type = types.nullOr types.path; 35 | default = null; 36 | defaultText = literalExpression "null"; 37 | }; 38 | }; 39 | }; 40 | 41 | config = lib.mkIf cfg.enable { 42 | networking.firewall = { 43 | allowedUDPPorts = [ 443 ]; 44 | allowedTCPPorts = [ 45 | 80 46 | 443 47 | ]; 48 | }; 49 | 50 | systemd.services.nextcloud-setup.after = [ "nginx-config-reload.service" ]; 51 | 52 | services = { 53 | nextcloud = { 54 | inherit (cfg) home hostName package; 55 | notify_push = { 56 | enable = cfg.notify_push.package != null; 57 | inherit (cfg.notify_push) package; 58 | bendDomainToLocalhost = true; 59 | }; 60 | enable = true; 61 | configureRedis = true; 62 | https = true; 63 | autoUpdateApps.enable = true; 64 | autoUpdateApps.startAt = "Sun 14:00:00"; 65 | maxUploadSize = "1G"; 66 | 
database.createLocally = true; 67 | config = { 68 | dbtype = "pgsql"; 69 | dbuser = "nextcloud"; 70 | dbhost = "/run/postgresql"; 71 | dbname = "nextcloud"; 72 | adminuser = "admin"; 73 | adminpassFile = cfg.adminPasswordFile; 74 | }; 75 | caching = { 76 | apcu = false; 77 | memcached = false; 78 | }; 79 | phpOptions = { 80 | "opcache.interned_strings_buffer" = "32"; 81 | "opcache.enable" = "1"; 82 | "opcache.save_comments" = "1"; 83 | "opcache.revalidate_freq" = "60"; 84 | }; 85 | settings = { 86 | "overwrite.cli.url" = "https://${cfg.hostName}"; 87 | default_phone_region = "DE"; 88 | maintenance_window_start = mkDefault "1"; 89 | }; 90 | }; 91 | postgresql = { 92 | ensureDatabases = [ "${config.services.nextcloud.config.dbname}" ]; 93 | ensureUsers = [ 94 | { 95 | name = "${config.services.nextcloud.config.dbuser}"; 96 | ensureDBOwnership = true; 97 | } 98 | ]; 99 | }; 100 | nginx = { 101 | enable = mkDefault true; 102 | recommendedGzipSettings = true; 103 | recommendedOptimisation = true; 104 | recommendedTlsSettings = true; 105 | virtualHosts."${cfg.hostName}" = { 106 | enableACME = true; 107 | forceSSL = true; 108 | http3 = true; 109 | kTLS = true; 110 | }; 111 | }; 112 | prometheus.exporters.nextcloud = { 113 | enable = cfg.prometheus.passwordFile != null; 114 | listenAddress = "localhost"; 115 | port = 9205; 116 | url = "https://${config.services.nextcloud.hostName}"; 117 | inherit (cfg.prometheus) passwordFile; 118 | }; 119 | 120 | vmagent.prometheusConfig.scrape_configs = 121 | lib.mkIf config.services.prometheus.exporters.nextcloud.enable 122 | [ 123 | { 124 | job_name = "nextcloud"; 125 | static_configs = [ 126 | { targets = [ "localhost:${toString config.services.prometheus.exporters.nextcloud.port}" ]; } 127 | ]; 128 | } 129 | ]; 130 | }; 131 | }; 132 | } 133 | -------------------------------------------------------------------------------- /modules/nixos/private/optimized.nix: 
-------------------------------------------------------------------------------- 1 | { 2 | inputs', 3 | config, 4 | lib, 5 | ... 6 | }: 7 | let 8 | 9 | unoptimized = inputs'.nixpkgs.legacyPackages; 10 | inherit (lib) mkEnableOption mkMerge mkIf; 11 | 12 | cfg = config.shawn8901.optimized; 13 | in 14 | { 15 | options = { 16 | shawn8901.optimized = { 17 | enable = mkEnableOption "use optimized x86-64_v3"; 18 | setup = mkEnableOption "enable that once to make nix aware that it is able to build gcc.arch, passing --option does not work"; 19 | excludeBigPackages = mkEnableOption "Exclude some big packages from optimized builds"; 20 | }; 21 | 22 | }; 23 | config = mkMerge [ 24 | (mkIf cfg.setup { 25 | # In case someone comes around, please be aware that the system feature "gccarch-x86-64-v3" 26 | # has to be available on the builder before it can build for x86-64_v3 27 | # can be disabled again after the first initial build as nixpkgs.hostPlatform.gcc.arch implies setting nix system-features 28 | nix.settings.system-features = [ 29 | "gccarch-x86-64-v3" 30 | "benchmark" 31 | "big-parallel" 32 | "kvm" 33 | "nixos-test" 34 | ]; 35 | }) 36 | (mkIf cfg.enable { 37 | nixpkgs.hostPlatform.gcc.arch = "x86-64-v3"; 38 | }) 39 | (mkIf (cfg.enable && cfg.excludeBigPackages) { 40 | nixpkgs.config.packageOverrides = pkgs: { 41 | inherit (unoptimized) openexr_3; 42 | haskellPackages = pkgs.haskellPackages.override { 43 | overrides = haskellPackagesNew: haskellPackagesOld: { 44 | inherit (unoptimized.haskellPackages) cryptonite hermes-json hermes-json_0_2_0_1; 45 | }; 46 | }; 47 | 48 | inherit (unoptimized) portfolio libreoffice-qt; 49 | }; 50 | }) 51 | ]; 52 | } 53 | -------------------------------------------------------------------------------- /modules/nixos/private/postgresql.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | lib, 4 | pkgs, 5 | ... 
6 | }: 7 | let 8 | cfg = config.shawn8901.postgresql; 9 | inherit (lib) 10 | mkEnableOption 11 | mkOption 12 | mkPackageOption 13 | mkDefault 14 | mkIf 15 | types 16 | ; 17 | in 18 | { 19 | options = { 20 | shawn8901.postgresql = { 21 | enable = mkEnableOption "Enables a preconfigured postgresql instance"; 22 | package = mkPackageOption pkgs "postgresql_16" { }; 23 | dataDir = mkOption { 24 | type = types.str; 25 | default = "/var/lib/postgresql/${cfg.package.psqlSchema}"; 26 | }; 27 | }; 28 | }; 29 | 30 | config = mkIf cfg.enable { 31 | services = { 32 | postgresql = { 33 | enable = mkDefault true; 34 | inherit (cfg) dataDir package; 35 | }; 36 | prometheus.exporters.postgres = { 37 | enable = true; 38 | listenAddress = "127.0.0.1"; 39 | port = 9187; 40 | runAsLocalSuperUser = true; 41 | }; 42 | 43 | vmagent.prometheusConfig.scrape_configs = [ 44 | { 45 | job_name = "postgres"; 46 | static_configs = [ 47 | { targets = [ "localhost:${toString config.services.prometheus.exporters.postgres.port}" ]; } 48 | ]; 49 | } 50 | ]; 51 | }; 52 | 53 | systemd = { 54 | services = { 55 | postgresql-vacuum-analyze = { 56 | description = "Vacuum and analyze all PostgreSQL databases"; 57 | after = [ "postgresql.service" ]; 58 | requires = [ "postgresql.service" ]; 59 | serviceConfig = { 60 | ExecStart = "${lib.getExe' cfg.package "psql"} -c 'VACUUM ANALYZE'"; 61 | User = "postgres"; 62 | }; 63 | wantedBy = [ "timers.target" ]; 64 | }; 65 | }; 66 | timers.postgresql-vacuum-analyze = { 67 | timerConfig = { 68 | OnCalendar = "03:00"; 69 | Persistent = true; 70 | RandomizedDelaySec = "30m"; 71 | }; 72 | wantedBy = [ "timers.target" ]; 73 | }; 74 | }; 75 | 76 | }; 77 | } 78 | -------------------------------------------------------------------------------- /modules/nixos/private/server.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | lib, 4 | pkgs, 5 | ... 
6 | }: 7 | let 8 | inherit (lib) mkEnableOption mkIf; 9 | 10 | cfg = config.shawn8901.server; 11 | in 12 | { 13 | options = { 14 | shawn8901.server = { 15 | enable = mkEnableOption "server config for nixos"; 16 | }; 17 | }; 18 | config = mkIf cfg.enable { 19 | environment = { 20 | systemPackages = [ 21 | pkgs.gitMinimal 22 | pkgs.btop 23 | (pkgs.nixos-rebuild.override { nix = config.nix.package.out; }) 24 | ]; 25 | }; 26 | 27 | system.autoUpgrade = { 28 | enable = true; 29 | dates = "05:14"; 30 | flake = "github:shawn8901/nixos-configuration"; 31 | allowReboot = true; 32 | persistent = true; 33 | }; 34 | 35 | networking = { 36 | firewall.logRefusedConnections = false; 37 | networkmanager.enable = false; 38 | nftables.enable = true; 39 | dhcpcd.enable = false; 40 | useNetworkd = true; 41 | useDHCP = lib.mkDefault false; 42 | }; 43 | 44 | hardware.bluetooth.enable = false; 45 | security.acme = { 46 | acceptTerms = true; 47 | defaults.email = lib.mkDefault "shawn@pointjig.de"; 48 | }; 49 | 50 | programs.nano.enable = false; 51 | services = { 52 | logrotate.enable = true; 53 | qemuGuest.enable = true; 54 | resolved = { 55 | enable = true; 56 | llmnr = "false"; 57 | }; 58 | vnstat.enable = true; 59 | openssh = { 60 | enable = true; 61 | ports = [ 2242 ]; 62 | settings = { 63 | PasswordAuthentication = false; 64 | KbdInteractiveAuthentication = false; 65 | }; 66 | }; 67 | fail2ban = { 68 | enable = true; 69 | maxretry = 3; 70 | bantime = "1h"; 71 | bantime-increment.enable = true; 72 | ignoreIP = [ "192.168.11.0/24" ]; 73 | }; 74 | }; 75 | }; 76 | } 77 | -------------------------------------------------------------------------------- /modules/nixos/private/shutdown-wakeup.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | lib, 4 | pkgs, 5 | ... 
6 | }: 7 | let 8 | cfg = config.shawn8901.shutdown-wakeup; 9 | 10 | wakeupPackage = cfg.package.override { inherit (cfg) wakeupTime; }; 11 | 12 | inherit (lib) 13 | mkIf 14 | mkEnableOption 15 | mkOption 16 | types 17 | ; 18 | in 19 | { 20 | options = { 21 | shawn8901.shutdown-wakeup = { 22 | enable = mkEnableOption "shutdown-wakeup service combo"; 23 | shutdownTime = mkOption { 24 | type = types.str; 25 | description = "Time when shutdown timer starts"; 26 | }; 27 | package = mkOption { type = types.package; }; 28 | wakeupTime = mkOption { 29 | type = types.str; 30 | description = "Time when device should wakeup again"; 31 | }; 32 | }; 33 | }; 34 | 35 | config = mkIf cfg.enable { 36 | systemd = { 37 | services.sched-shutdown = { 38 | description = "Scheduled shutdown"; 39 | serviceConfig = { 40 | Type = "simple"; 41 | ExecStart = "${pkgs.systemd}/bin/systemctl --force poweroff"; 42 | }; 43 | }; 44 | timers.sched-shutdown = { 45 | wantedBy = [ "timers.target" ]; 46 | partOf = [ "sched-shutdown.service" ]; 47 | timerConfig.OnCalendar = [ "*-*-* ${cfg.shutdownTime}" ]; 48 | }; 49 | 50 | services.rtcwakeup = { 51 | description = "Automatic wakeup"; 52 | serviceConfig = { 53 | Type = "oneshot"; 54 | ExecStart = lib.getExe wakeupPackage; 55 | }; 56 | }; 57 | timers.rtcwakeup = { 58 | wantedBy = [ "timers.target" ]; 59 | partOf = [ "sched-shutdown.service" ]; 60 | timerConfig = { 61 | Persistent = true; 62 | OnBootSec = "1min"; 63 | OnCalendar = [ "*-*-* ${cfg.wakeupTime}" ]; 64 | }; 65 | }; 66 | }; 67 | }; 68 | } 69 | -------------------------------------------------------------------------------- /modules/nixos/public/asus-battery/default.nix: -------------------------------------------------------------------------------- 1 | # https://github.com/NixOS/nixos-hardware/blob/master/asus/battery.nix 2 | { 3 | config, 4 | pkgs, 5 | lib, 6 | ... 
7 | }: 8 | let 9 | charge-upto = pkgs.writeScriptBin "charge-upto" '' 10 | echo ''${0:-100} > /sys/class/power_supply/BAT?/charge_control_end_threshold 11 | ''; 12 | cfg = config.hardware.asus.battery; 13 | in 14 | { 15 | options.hardware.asus.battery = { 16 | enable = lib.mkEnableOption "Enables the carge threshold module"; 17 | chargeUpto = lib.mkOption { 18 | description = "Maximum level of charge for your battery, as a percentage."; 19 | default = 100; 20 | type = lib.types.int; 21 | }; 22 | enableChargeUptoScript = lib.mkEnableOption "Whether to install charge-upto script"; 23 | }; 24 | config = lib.mkIf cfg.enable { 25 | environment.systemPackages = lib.mkIf cfg.enableChargeUptoScript [ charge-upto ]; 26 | 27 | systemd.services.battery-charge-threshold = { 28 | wantedBy = [ 29 | "local-fs.target" 30 | "suspend.target" 31 | ]; 32 | after = [ 33 | "local-fs.target" 34 | "suspend.target" 35 | ]; 36 | description = "Set the battery charge threshold to ${toString cfg.chargeUpto}%"; 37 | startLimitIntervalSec = 5; 38 | serviceConfig = { 39 | Type = "oneshot"; 40 | Restart = "on-failure"; 41 | ExecStart = "${pkgs.runtimeShell} -c 'echo ${toString cfg.chargeUpto} > /sys/class/power_supply/BAT?/charge_control_end_threshold'"; 42 | }; 43 | }; 44 | }; 45 | } 46 | -------------------------------------------------------------------------------- /packages/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | withSystem, 3 | ... 4 | }: 5 | { 6 | perSystem = 7 | { pkgs, system, ... }: 8 | let 9 | packages = { 10 | pg-upgrade = pkgs.callPackage ./pg-upgrade { }; 11 | generate-zrepl-ssl = pkgs.callPackage ./shellscripts/generate-zrepl-ssl.nix { }; 12 | }; 13 | in 14 | { 15 | inherit packages; 16 | hydraJobs = packages; 17 | }; 18 | 19 | flake = withSystem "x86_64-linux" ( 20 | { system, pkgs, ... 
}: 21 | let 22 | packages = { 23 | rtc-helper = pkgs.callPackage ./shellscripts/rtc-helper.nix { }; 24 | nas = pkgs.callPackage ./shellscripts/nas.nix { }; 25 | backup-usb = pkgs.callPackage ./shellscripts/backup-usb.nix { }; 26 | 27 | # s25rttr = pkgs.callPackage ./s25rttr { 28 | # SDL2 = pkgs.SDL2.override { withStatic = true; }; 29 | # }; 30 | 31 | jameica-fhs = pkgs.callPackage ./jameica/fhsenv.nix { }; 32 | }; 33 | in 34 | { 35 | packages."${system}" = packages; 36 | hydraJobs."${system}" = packages; 37 | } 38 | ); 39 | } 40 | -------------------------------------------------------------------------------- /packages/jameica/fhsenv.nix: -------------------------------------------------------------------------------- 1 | { 2 | lib, 3 | buildFHSEnv, 4 | jameica, 5 | jre, 6 | stdenv, 7 | cairo, 8 | fontconfig, 9 | freetype, 10 | gdk-pixbuf, 11 | glib, 12 | glibc, 13 | gtk2, 14 | libX11, 15 | nspr, 16 | nss, 17 | pango, 18 | libxcb, 19 | libXi, 20 | libXrender, 21 | libXext, 22 | dbus, 23 | alsa-lib, 24 | libXScrnSaver, 25 | libXcursor, 26 | libXtst, 27 | libxshmfence, 28 | libGLU, 29 | libGL, 30 | at-spi2-core, 31 | libgcrypt, 32 | cups, 33 | libdrm, 34 | wayland, 35 | libgbm, 36 | libxkbcommon, 37 | libXdamage, 38 | libXcomposite, 39 | libXfixes, 40 | libXrandr, 41 | libva, 42 | expat, 43 | udev, 44 | killall, 45 | webkitgtk_4_0, 46 | extraPkgs ? pkgs: [ ], 47 | extraLibraries ? 
pkgs: [ ], 48 | }: 49 | let 50 | fhsEnv = buildFHSEnv { 51 | name = "jameica"; 52 | runScript = "jameica"; 53 | targetPkgs = 54 | pkgs: 55 | [ 56 | jre 57 | jameica 58 | stdenv.cc.cc.lib 59 | cairo 60 | fontconfig 61 | freetype 62 | gdk-pixbuf 63 | glib 64 | gtk2 65 | libX11 66 | nspr 67 | nss 68 | pango 69 | libXrender 70 | libxcb 71 | libXext 72 | libXi 73 | dbus 74 | 75 | alsa-lib 76 | libXScrnSaver 77 | libXcursor 78 | libXtst 79 | libxshmfence 80 | libGLU 81 | libGL 82 | at-spi2-core 83 | libgcrypt 84 | cups 85 | libdrm 86 | wayland 87 | libgbm 88 | libxkbcommon 89 | libXdamage 90 | libXcomposite 91 | libXrandr 92 | libXfixes 93 | expat 94 | libva 95 | udev 96 | 97 | webkitgtk_4_0 98 | 99 | killall 100 | ] 101 | ++ extraPkgs pkgs; 102 | 103 | inherit (jameica) meta; 104 | }; 105 | in 106 | fhsEnv 107 | -------------------------------------------------------------------------------- /packages/pg-upgrade/default.nix: -------------------------------------------------------------------------------- 1 | { pkgs }: 2 | pkgs.writeScriptBin "upgrade-pg" '' 3 | set -eux 4 | systemctl stop postgresql 5 | 6 | BASE_DIR=''${1:-} 7 | 8 | # XXX replace `` with the psqlSchema here 9 | export NEWDATA="$BASE_DIR/var/lib/postgresql/${pkgs.postgresql_16.psqlSchema}" 10 | 11 | # XXX specify the postgresql package you'd like to upgrade to 12 | export NEWBIN="${pkgs.postgresql_16}/bin" 13 | 14 | export OLDDATA="$BASE_DIR/var/lib/postgresql/${pkgs.postgresql_15.psqlSchema}" 15 | export OLDBIN="${pkgs.postgresql_15}/bin" 16 | 17 | echo "\$NEWDATA=$NEWDATA" 18 | echo "\$OLDDATA=$OLDDATA" 19 | 20 | [ ! -d "$OLDDATA" ] && echo "Old data dir for postgres does not exist" && exit 1 21 | 22 | read -p "Are you sure? 
" -n 1 -r 23 | echo "" 24 | if [[ $REPLY =~ ^[Yy]$ ]] 25 | then 26 | install -d -m 0700 -o postgres -g postgres "$NEWDATA" 27 | cd "$NEWDATA" 28 | 29 | sudo -u postgres $NEWBIN/initdb -D "$NEWDATA" 30 | sudo -u postgres $NEWBIN/pg_upgrade \ 31 | --old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \ 32 | --old-bindir $OLDBIN --new-bindir $NEWBIN 33 | fi 34 | '' 35 | -------------------------------------------------------------------------------- /packages/s25rttr/cmake_file_placeholder.patch: -------------------------------------------------------------------------------- 1 | From fad6d134f6174048353a56fedc5cbec7b8c163a5 Mon Sep 17 00:00:00 2001 2 | From: Shawn8901 3 | Date: Wed, 30 Mar 2022 19:38:28 +0200 4 | Subject: [PATCH] Added a cmake option control if a placeholder file should be 5 | witten install phase 6 | 7 | This option makes it possible for a package maintainer to point RTTR_GAMEDIR to a place 8 | which is not under the control of the packaging system. That is needed when RTTR_GAMEDIR should point 9 | to a directory which is not part of the package, but the packaging system prevents writes at package build time. 10 | 11 | As the use case is specific to some packaging systems and not intended for daily use, it is marked as an advanced option. 12 | --- 13 | CMakeLists.txt | 6 +++++- 14 | 1 file changed, 5 insertions(+), 1 deletion(-) 15 | 16 | diff --git a/CMakeLists.txt b/CMakeLists.txt 17 | index 4562487ef..688d873bb 100644 18 | --- a/CMakeLists.txt 19 | +++ b/CMakeLists.txt 20 | 
@@ -384,7 +384,11 @@ if(NOT WIN32) 21 | endif() 22 | 23 | # Placeholder for S2 installation 24 | -install(FILES "${RTTR_S2_PLACEHOLDER_PATH}" DESTINATION "${RTTR_GAMEDIR}") 25 | +option(RTTR_INSTALL_PLACEHOLDER "Install a placeholder file to the location the S2 game files should be copied to." ON) 26 | +mark_as_advanced(RTTR_INSTALL_PLACEHOLDER) 27 | +if(RTTR_INSTALL_PLACEHOLDER) 28 | + install(FILES "${RTTR_S2_PLACEHOLDER_PATH}" DESTINATION "${RTTR_GAMEDIR}") 29 | +endif() 30 | 31 | ################################################################################ 32 | # Postbuild 33 | -- 34 | 2.35.1 35 | -------------------------------------------------------------------------------- /packages/s25rttr/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | stdenv, 3 | lib, 4 | fetchFromGitHub, 5 | git, 6 | cmake, 7 | pkg-config, 8 | boost, 9 | bzip2, 10 | curl, 11 | gettext, 12 | libiconv, 13 | miniupnpc, 14 | SDL2, 15 | SDL2_mixer, 16 | libsamplerate, 17 | writeScript, 18 | }: 19 | stdenv.mkDerivation (finalAttrs: { 20 | pname = "s25rttr"; 21 | version = "0.9.5"; 22 | 23 | message = '' 24 | Copy the S2 folder of the Settler 2 Gold Edition to /var/lib/s25rttr/S2/". 
25 | ''; 26 | 27 | src = fetchFromGitHub { 28 | owner = "Return-To-The-Roots"; 29 | repo = "s25client"; 30 | rev = "v${finalAttrs.version}"; 31 | fetchSubmodules = true; 32 | sha256 = "sha256-6gBvWYP08eoT2i8kco/3nXnTKwVa20DWtv6fLaoH07M="; 33 | }; 34 | 35 | nativeBuildInputs = [ 36 | cmake 37 | pkg-config 38 | ]; 39 | 40 | buildInputs = [ 41 | git 42 | boost 43 | bzip2 44 | curl 45 | gettext 46 | libiconv 47 | miniupnpc 48 | SDL2 49 | SDL2_mixer 50 | libsamplerate 51 | ]; 52 | 53 | env.NIX_CFLAGS_COMPILE = toString [ "-Wno-error=deprecated-declarations" ]; 54 | 55 | patches = [ ./cmake_file_placeholder.patch ]; 56 | 57 | cmakeBuildType = "Release"; 58 | cmakeFlags = [ 59 | "-DRTTR_VERSION=${finalAttrs.version}" 60 | "-DRTTR_REVISION=${finalAttrs.src.rev}" 61 | "-DRTTR_USE_SYSTEM_LIBS=ON" 62 | "-DFETCHCONTENT_FULLY_DISCONNECTED=ON" 63 | "-DRTTR_INSTALL_PLACEHOLDER=OFF" 64 | "-DRTTR_GAMEDIR=/var/lib/s25rttr/S2/" 65 | ]; 66 | 67 | passthru.runUpdate = true; 68 | passthru.updateScript = writeScript "update-s25rttr" '' 69 | #!/usr/bin/env nix-shell 70 | #!nix-shell -i bash -p curl jq common-updater-scripts 71 | 72 | version="$(curl -sL "https://api.github.com/repos/Return-To-The-Roots/s25client/releases" | jq 'map(select(.prerelease == false)) | .[0].tag_name | .[1:]' --raw-output)" 73 | update-source-version s25rttr "$version" 74 | ''; 75 | 76 | meta = { 77 | description = "Return To The Roots (Settlers II(R) Clone)"; 78 | homepage = "https://www.rttr.info/"; 79 | license = lib.licenses.gpl2Plus; 80 | platforms = lib.platforms.linux; 81 | maintainers = with lib.maintainers; [ shawn8901 ]; 82 | }; 83 | }) 84 | -------------------------------------------------------------------------------- /packages/shellscripts/backup-usb.nix: -------------------------------------------------------------------------------- 1 | { 2 | pkgs, 3 | lib, 4 | writeShellScriptBin, 5 | backupPath ? "/media/backup/", 6 | mountPoint ? 
"/media/backup-usb", 7 | }: 8 | writeShellScriptBin "backup-usb" '' 9 | BACKUP_SOURCE="${backupPath}" 10 | BACKUP_DEVICE="/dev/$1" 11 | MOUNT_POINT="${mountPoint}" 12 | 13 | if [ ! -d "$MOUNT_POINT" ]; then 14 | ${pkgs.coreutils-full}/bin/mkdir "$MOUNT_POINT"; 15 | fi 16 | echo "Mount $BACKUP_DEVICE" 17 | ${pkgs.util-linux}/bin/mount -o uid=ela,gid=users,umask=0022 -t auto "$BACKUP_DEVICE" "$MOUNT_POINT" 18 | 19 | echo "Starting RSYNC" 20 | ${lib.getExe pkgs.rsync} -Pauvi "$BACKUP_SOURCE" "$MOUNT_POINT" 21 | ${pkgs.coreutils-full}/bin/sync 22 | 23 | echo "Unmount $BACKUP_DEVICE" 24 | ${pkgs.udisks2}/bin/udisksctl unmount -b ''${BACKUP_DEVICE} 25 | 26 | sleep 1 27 | ${lib.getExe pkgs.beep} 28 | 29 | echo "Poweroff device" 30 | ${pkgs.udisks2}/bin/udisksctl power-off -b ''${BACKUP_DEVICE//[[:digit:]]} 31 | 32 | ${lib.getExe pkgs.beep} 33 | '' 34 | -------------------------------------------------------------------------------- /packages/shellscripts/generate-zrepl-ssl.nix: -------------------------------------------------------------------------------- 1 | { writeShellScriptBin, pkgs }: 2 | writeShellScriptBin "generate-zrepl-ssl" '' 3 | name=$1 4 | ${pkgs.openssl}/bin/openssl req -x509 -sha256 -nodes -newkey rsa:4096 -days 365 -keyout $name.key -out $name.crt -addext "subjectAltName = DNS:$name" -subj "/CN=$name" 5 | '' 6 | -------------------------------------------------------------------------------- /packages/shellscripts/nas.nix: -------------------------------------------------------------------------------- 1 | { stdenvNoCC }: 2 | stdenvNoCC.mkDerivation (finalAttrs: { 3 | name = "nas_mount"; 4 | version = "0.0.1"; 5 | src = ./nas; 6 | phases = "installPhase fixupPhase"; 7 | installPhase = '' 8 | mkdir -p $out/bin 9 | mkdir -p $out/etc/config/ 10 | cp ${finalAttrs.src}/* $out/bin/ 11 | 12 | chmod +x $out/bin/* 13 | ''; 14 | }) 15 | -------------------------------------------------------------------------------- /packages/shellscripts/nas/nas_mount: 
-------------------------------------------------------------------------------- 1 | sudo mount -t cifs //tank.fritz.box/joerg /media/nas -o credentials=/etc/samba/credentials_shawn,iocharset=utf8,uid=1000,gid=100,forcegid,forceuid,vers=3.0 2 | -------------------------------------------------------------------------------- /packages/shellscripts/nas/nas_mount_ela: -------------------------------------------------------------------------------- 1 | sudo mount -t cifs //tank.fritz.box/ela /media/nas -o credentials=/etc/samba/credentials_ela,iocharset=utf8,uid=1000,gid=100,forcegid,forceuid,vers=3.0 2 | -------------------------------------------------------------------------------- /packages/shellscripts/nas/nas_umount: -------------------------------------------------------------------------------- 1 | sudo umount /media/nas 2 | -------------------------------------------------------------------------------- /packages/shellscripts/rtc-helper.nix: -------------------------------------------------------------------------------- 1 | { 2 | writeShellScriptBin, 3 | pkgs, 4 | wakeupTime ? "13:00:00", 5 | }: 6 | writeShellScriptBin "rtc-helper" '' 7 | ${pkgs.util-linux}/bin/rtcwake -m no -t $(${pkgs.coreutils-full}/bin/date +%s -d 'tomorrow ${wakeupTime}') 8 | '' 9 | -------------------------------------------------------------------------------- /parts/modules.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | lib, 4 | moduleWithSystem, 5 | ... 6 | }: 7 | let 8 | cfg = config.fp-lib.modules; 9 | 10 | inherit (lib) 11 | mapAttrs 12 | mapAttrs' 13 | nameValuePair 14 | removeSuffix 15 | ; 16 | 17 | generateModule = 18 | modulePathes: 19 | moduleWithSystem ( 20 | { config }: 21 | { ... 
}: 22 | { 23 | imports = modulePathes; 24 | } 25 | ); 26 | 27 | listFilesInModuleDir = 28 | baseDir: moduleName: lib.attrNames (builtins.readDir "${toString baseDir}/${moduleName}"); 29 | 30 | getFilesForModule = 31 | baseDir: fileType: moduleName: 32 | if fileType == "directory" then 33 | map (name: "${toString baseDir}/${moduleName}/${name}") (listFilesInModuleDir baseDir moduleName) 34 | else 35 | [ "${toString baseDir}/${moduleName}" ]; 36 | 37 | # Generates modules for all files in the given baseDir 38 | generateModules = 39 | baseDir: 40 | generateModuleName ( 41 | mapAttrs (moduleName: fileType: generateModule (getFilesForModule baseDir fileType moduleName)) ( 42 | getLoadableModules baseDir 43 | ) 44 | ); 45 | 46 | generatePrivateModules = 47 | baseDir: 48 | mapAttrs' (name: value: nameValuePair "${cfg.privateNamePrefix}-${name}" value) ( 49 | generateModules baseDir 50 | ); 51 | 52 | # Gets the names of the entries in dir that can be loaded via import (everything except default.nix) 53 | getLoadableModules = 54 | dir: (lib.filterAttrs (name: type: name != "default.nix") (builtins.readDir dir)); 55 | 56 | # Modules are either a single .nix file or a folder; the .nix suffix is stripped so both forms get a bare module name 57 | generateModuleName = mapAttrs' (name: value: nameValuePair (removeSuffix ".nix" name) value); 58 | 59 | nixosModules = 60 | (lib.optionalAttrs (cfg.nixos.public != null) (generateModules cfg.nixos.public)) 61 | // (lib.optionalAttrs (cfg.privateNamePrefix != null && cfg.nixos.private != null) ( 62 | generatePrivateModules cfg.nixos.private 63 | )); 64 | 65 | home-managerModules = 66 | (lib.optionalAttrs (cfg.home-manager.public != null) (generateModules cfg.home-manager.public)) 67 | // (lib.optionalAttrs (cfg.privateNamePrefix != null && cfg.home-manager.private != null) ( 68 | generatePrivateModules cfg.home-manager.private 69 | )); 70 | in 71 | { 72 | flake = { 73 | flakeModules.nixos = nixosModules; 74 | flakeModules.home-manager = home-managerModules; 75 | inherit nixosModules; 76 | }; 77 | } 78 | 
-------------------------------------------------------------------------------- /parts/system.nix: -------------------------------------------------------------------------------- 1 | { 2 | self, 3 | config, 4 | inputs, 5 | lib, 6 | withSystem, 7 | ... 8 | }: 9 | let 10 | inherit (builtins) hashString pathExists; 11 | inherit (lib) 12 | mapAttrs 13 | attrValues 14 | substring 15 | genAttrs 16 | ; 17 | 18 | cfg = config.fp-lib.nixosConfigurations; 19 | 20 | # Generates a lib.nixosSystem based on given name and config. 21 | generateSystem = mapAttrs ( 22 | name: conf: 23 | withSystem conf.hostPlatform.system ( 24 | { 25 | system, 26 | inputs', 27 | self', 28 | ... 29 | }: 30 | let 31 | inherit (conf.nixpkgs) lib; 32 | configDir = "${self}/machines/${name}"; 33 | extraArgs = { 34 | inherit 35 | self 36 | self' 37 | inputs 38 | inputs' 39 | ; 40 | flakeConfig = config; 41 | }; 42 | hasSystemImpermanence = pathExists "${configDir}/impermanence.nix"; 43 | hasHomeImpermanence = userName: pathExists "${configDir}/impermanence-home-${userName}.nix"; 44 | in 45 | lib.nixosSystem { 46 | modules = 47 | [ 48 | { 49 | inherit (conf) disabledModules; 50 | 51 | _module.args = extraArgs; 52 | nixpkgs = { 53 | inherit (conf) hostPlatform; 54 | }; 55 | networking = { 56 | hostName = name; 57 | hostId = substring 0 8 (hashString "md5" "${name}"); 58 | }; 59 | system.configurationRevision = self.rev or "dirty"; 60 | nix = { 61 | registry = { 62 | nixpkgs.flake = conf.nixpkgs; 63 | nixos-config.flake = self; 64 | }; 65 | nixPath = [ "nixpkgs=flake:nixpkgs" ]; 66 | }; 67 | } 68 | 69 | inputs.sops-nix.nixosModules.sops 70 | { sops.defaultSopsFile = "${configDir}/secrets.yaml"; } 71 | "${configDir}/configuration.nix" 72 | ] 73 | ++ lib.optionals (pathExists "${configDir}/hardware.nix") [ "${configDir}/hardware.nix" ] 74 | ++ lib.optionals hasSystemImpermanence [ 75 | inputs.impermanence.nixosModules.impermanence 76 | "${configDir}/impermanence.nix" 77 | ] 78 | ++ (attrValues 
config.flake.nixosModules) 79 | ++ conf.extraModules 80 | ++ lib.optionals (conf.home-manager.input != null) [ 81 | conf.home-manager.input.nixosModules.home-manager 82 | ( 83 | { config, ... }: 84 | { 85 | home-manager = { 86 | useGlobalPkgs = true; 87 | useUserPackages = true; 88 | extraSpecialArgs = extraArgs; 89 | sharedModules = 90 | [ 91 | inputs.sops-nix.homeManagerModule 92 | ] 93 | ++ (attrValues self.flakeModules.home-manager) 94 | ++ conf.home-manager.extraModules; 95 | users = genAttrs conf.home-manager.users ( 96 | userName: 97 | let 98 | user = config.users.users.${userName}; 99 | in 100 | { 101 | imports = 102 | [ 103 | ( 104 | { config, ... }: 105 | { 106 | sops = { 107 | age.keyFile = "${config.xdg.configHome}/sops/age/keys.txt"; 108 | defaultSopsFile = "${configDir}/secrets-home.yaml"; 109 | defaultSymlinkPath = "/run/user/${toString user.uid}/secrets"; 110 | defaultSecretsMountPoint = "/run/user/${toString user.uid}/secrets.d"; 111 | }; 112 | } 113 | ) 114 | ] 115 | ++ lib.optionals (pathExists "${configDir}/home.nix") [ "${configDir}/home.nix" ] 116 | ++ lib.optionals (hasHomeImpermanence name) [ 117 | inputs.impermanence.homeManagerModules.impermanence 118 | "${configDir}/impermanence-home-${userName}.nix" 119 | ]; 120 | } 121 | ); 122 | }; 123 | } 124 | ) 125 | ]; 126 | } 127 | ) 128 | ); 129 | in 130 | { 131 | flake.nixosConfigurations = generateSystem cfg; 132 | } 133 | -------------------------------------------------------------------------------- /parts/type-defs/hydra-jobs.nix: -------------------------------------------------------------------------------- 1 | { flake-parts-lib, lib, ... 
}: 2 | let 3 | inherit (lib) mkOption types; 4 | inherit (flake-parts-lib) mkTransposedPerSystemModule; 5 | in 6 | mkTransposedPerSystemModule { 7 | file = ./hydra-jobs.nix; 8 | 9 | name = "hydraJobs"; 10 | option = mkOption { 11 | type = types.attrsOf types.unspecified; 12 | default = { }; 13 | }; 14 | } 15 | -------------------------------------------------------------------------------- /parts/type-defs/modules.nix: -------------------------------------------------------------------------------- 1 | { lib, ... }: 2 | let 3 | inherit (lib) mkOption types genAttrs; 4 | 5 | moduleDirOption = mkOption { 6 | type = types.nullOr types.path; 7 | description = "Path to the module dir"; 8 | default = null; 9 | }; 10 | in 11 | { 12 | options = { 13 | fp-lib = { 14 | modules = 15 | let 16 | generateModuleDef = 17 | genAttrs 18 | [ 19 | "nixos" 20 | "home-manager" 21 | ] 22 | (_: { 23 | public = moduleDirOption; 24 | private = moduleDirOption; 25 | }); 26 | in 27 | generateModuleDef 28 | // { 29 | privateNamePrefix = mkOption { 30 | type = lib.types.nullOr lib.types.str; 31 | default = null; 32 | }; 33 | }; 34 | }; 35 | }; 36 | } 37 | -------------------------------------------------------------------------------- /parts/type-defs/system.nix: -------------------------------------------------------------------------------- 1 | { inputs, lib, ... }: 2 | let 3 | inherit (lib) mkOption types; 4 | baseConfigType = { 5 | extraModules = mkOption { 6 | type = types.listOf types.unspecified; 7 | default = [ ]; 8 | }; 9 | disabledModules = mkOption { 10 | type = types.listOf types.unspecified; 11 | default = [ ]; 12 | }; 13 | }; 14 | in 15 | { 16 | options = { 17 | fp-lib = { 18 | nixosConfigurations = mkOption { 19 | default = { }; 20 | type = types.attrsOf ( 21 | types.submodule ( 22 | { name, config, ... 
}: 23 | { 24 | options = { 25 | nixpkgs = mkOption { 26 | type = types.unspecified; 27 | default = inputs.nixpkgs; 28 | }; 29 | hostPlatform.system = mkOption { 30 | type = types.str; # Is there a type def for system? 31 | default = "x86_64-linux"; 32 | }; 33 | home-manager = { 34 | input = mkOption { 35 | type = types.nullOr types.unspecified; 36 | default = null; 37 | }; 38 | users = mkOption { 39 | type = types.listOf types.str; 40 | default = [ ]; 41 | }; 42 | } // baseConfigType; 43 | } // baseConfigType; 44 | } 45 | ) 46 | ); 47 | }; 48 | }; 49 | }; 50 | } 51 | -------------------------------------------------------------------------------- /parts/zrepl-helper.nix: -------------------------------------------------------------------------------- 1 | { lib, ... }: 2 | let 3 | inherit (lib) 4 | mkOption 5 | types 6 | toInt 7 | removePrefix 8 | filter 9 | ; 10 | in 11 | { 12 | options = { 13 | shawn8901.zrepl = mkOption { 14 | type = types.lazyAttrsOf types.raw; 15 | default = { }; 16 | }; 17 | }; 18 | 19 | config.shawn8901.zrepl.servePorts = 20 | zrepl: 21 | map (serveEntry: toInt (removePrefix ":" serveEntry.serve.listen)) ( 22 | filter (builtins.hasAttr "serve") zrepl.settings.jobs 23 | ); 24 | 25 | config.shawn8901.zrepl.monitoringPorts = 26 | zrepl: 27 | builtins.head ( 28 | map (monitoringEntry: toInt (removePrefix ":" monitoringEntry.listen)) ( 29 | filter (builtins.hasAttr "listen") zrepl.settings.global.monitoring 30 | ) 31 | ); 32 | } 33 | --------------------------------------------------------------------------------