From 2a44e5c81e2d46766ed095d5e94c5fafbd5d85fa Mon Sep 17 00:00:00 2001
From: Grisha Shipunov <blame@oxapentane.com>
Date: Wed, 11 Jun 2025 22:53:22 +0200
Subject: [PATCH 1/6] deploy stream (navidrome) microvm

---
 .sops.yaml                    |  7 ++++
 flake.nix                     |  1 +
 hosts/cloud/proxy/default.nix | 32 +++++++++++++++
 hosts/stream/default.nix      | 76 +++++++++++++++++++++++++++++++++++
 hosts/stream/navidrome.nix    | 16 ++++++++
 hosts/stream/secrets.yaml     | 38 ++++++++++++++++++
 modules/wg/proxy.nix          |  8 ++++
 7 files changed, 178 insertions(+)
 create mode 100644 hosts/stream/default.nix
 create mode 100644 hosts/stream/navidrome.nix
 create mode 100644 hosts/stream/secrets.yaml

diff --git a/.sops.yaml b/.sops.yaml
index dd882ca..649c351 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -11,6 +11,7 @@ keys:
   - &immich age1afyntwvj672lcq2e4dpxmw3syplzurnnd8q8j3265843jeedpveqkp465z
   - &miniflux age15ja22wd9tt60vn32sk59pp6c7vtjsn8y3rypn8qfnvxthug8sp0q6f72uh
   - &radicale age1j6z39kmnxkqa7jdcjsydy5cryjce7fttf225fh3pldyvq06ax3fq58mk8c
+  - &stream age148r2q3cy9sjem37rvgtcc4qjx8usxkdg77pqexa56gmcexn58aaslh3cnj
 creation_rules:
   - path_regex: hosts/toaster/[^/]+\.yaml$
     key_groups:
@@ -66,3 +67,9 @@ creation_rules:
         - *admin_oxa
         age:
         - *conduwuit
+  - path_regex: hosts/stream/[^/]+\.yaml$
+    key_groups:
+      - pgp:
+        - *admin_oxa
+        age:
+        - *stream
diff --git a/flake.nix b/flake.nix
index ddde63b..2b085bc 100644
--- a/flake.nix
+++ b/flake.nix
@@ -71,6 +71,7 @@
             "forgejo"
             "miniflux"
             "radicale"
+            "stream"
           ];
           microvm-unstable-list = [
             "auth"
diff --git a/hosts/cloud/proxy/default.nix b/hosts/cloud/proxy/default.nix
index 9994da4..6cf0151 100644
--- a/hosts/cloud/proxy/default.nix
+++ b/hosts/cloud/proxy/default.nix
@@ -60,5 +60,37 @@ in
     '';
 
     virtualHosts."news.oxapentane.com".extraConfig = "reverse_proxy http://10.89.88.14:8080";
+
+        virtualHosts."music.oxapentane.com".extraConfig = ''
+      route {
+          reverse_proxy /outpost.goauthentik.io/* 10.89.88.11:9000 [fd31:185d:722f::11]:9000
+
+          @protected not path /share/* /rest/*
+          forward_auth @protected 10.89.88.11:9000 {
+              uri /outpost.goauthentik.io/auth/caddy
+              copy_headers X-Authentik-Username>Remote-User
+              trusted_proxies 10.89.88.11 fd31:185d:722f::11
+          }
+
+
+          @subsonic path /rest/*
+          forward_auth @subsonic 10.89.88.11:9000 {
+              uri /outpost.goauthentik.io/auth/caddy
+              copy_headers X-Authentik-Username>Remote-User
+              @error status 1xx 3xx 4xx 5xx
+              handle_response @error {
+                  respond <<SUBSONICERR
+                  <subsonic-response xmlns="http://subsonic.org/restapi" status="failed" version="1.16.1" type="proxy-auth" serverVersion="n/a" openSubsonic="true">
+                    <error code="40" message="Invalid credentials or unsupported client"></error>
+                  </subsonic-response>
+                  SUBSONICERR 200
+              }
+              trusted_proxies 10.89.88.11 fd31:185d:722f::11
+          }
+      }
+      reverse_proxy 10.89.88.17:4533
+
+    '';
+
   };
 }
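Review bot: Requests that reach the final `reverse_proxy 10.89.88.17:4533` keep whatever `Remote-User` header the client sent, because only the `@protected` and `@subsonic` branches run `forward_auth` and `/share/*` is deliberately exempt; Navidrome trusts that header from the addresses in its `ReverseProxyWhitelist`, so a client-supplied value should be stripped up front instead of relying on every branch to overwrite it. Adding `request_header -Remote-User` as the first line inside `route { … }` (before the `forward_auth` blocks, which re-add it from `X-Authentik-Username` on success) closes that gap for the share routes and for any future unauthenticated matcher. Whether Navidrome honours the header on the share endpoints is not visible here, but the strip is cheap and is the usual hardening for header-based proxy auth. The subsonic branch answers every non-2xx auth result with a 200 XML body even when the client asked for `f=json`; that looks intentional, and a one-line comment saying so would save the next reader from "fixing" it.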
diff --git a/hosts/stream/default.nix b/hosts/stream/default.nix
new file mode 100644
index 0000000..4543466
--- /dev/null
+++ b/hosts/stream/default.nix
@@ -0,0 +1,76 @@
+{ config, lib, ... }:
+let
+  mac = "02:00:00:00:00:07";
+in
+{
+  imports = [
+    ./navidrome.nix
+  ];
+
+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+  sops.secrets = {
+    "wg/0xa-proxy" = {
+      owner = config.users.users.systemd-network.name;
+    };
+  };
+
+  microvm = {
+    hypervisor = "qemu";
+    mem = 4 * 1024;
+    vcpu = 3;
+    interfaces = [
+      {
+        type = "tap";
+        id = "uvm-stream";
+        mac = mac;
+      }
+    ];
+    shares =
+      [
+        {
+          source = "/nix/store";
+          mountPoint = "/nix/.ro-store";
+          tag = "store";
+          proto = "virtiofs";
+        }
+      ]
+      ++ map
+        (dir: {
+          source = dir;
+          mountPoint = "/${dir}";
+          tag = dir;
+          proto = "virtiofs";
+        })
+        [
+          "etc"
+          "var"
+          "home"
+        ];
+  };
+
+  networking.useNetworkd = true;
+  networking.firewall.enable = lib.mkForce false; # firewalling done by the host
+
+  systemd.network = {
+    enable = true;
+    networks."11-host" = {
+      matchConfig.MACAddress = mac;
+      networkConfig = {
+        Address = "10.99.99.17/24";
+        DHCP = "no";
+      };
+      routes = [
+        {
+          Gateway = "10.99.99.1";
+          Destination = "0.0.0.0/0";
+          Metric = 1024;
+        }
+      ];
+    };
+  };
+
+  networking.hostName = "stream";
+  system.stateVersion = "25.05";
+}
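Review bot: `networking.firewall.enable = lib.mkForce false; # firewalling done by the host` leaves the guest unfiltered on its WireGuard address, which the host cannot cover: the tunnel is terminated inside this VM (the `wg/0xa-proxy` key is provisioned here for `systemd-network`), so the host only ever sees encrypted UDP on the `uvm-stream` tap, and any mesh peer the proxy forwards traffic for reaches 10.89.88.17 and the Navidrome port directly. A narrower option is to leave the firewall enabled and open only the service port on the tunnel interface, e.g. `networking.firewall.interfaces.<wg-interface>.allowedTCPPorts = [ 4533 ];` with the interface name that modules/wg/proxy.nix configures (not shown in this series). If host-side filtering really is the intent, the comment should name the host rule set that covers the tunnel side, since nothing in this patch adds one.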
diff --git a/hosts/stream/navidrome.nix b/hosts/stream/navidrome.nix
new file mode 100644
index 0000000..0b1cd07
--- /dev/null
+++ b/hosts/stream/navidrome.nix
@@ -0,0 +1,16 @@
+{ ... }:
+{
+  services.navidrome = {
+    enable = true;
+    settings = {
+      Address = "10.89.88.17";
+      BaseUrl = "/";
+      EnableExternalServices = false;
+      MusicFolder = "/var/lib/navidrome/music";
+      Port = 4533;
+      ScanSchedule = "@every 11m";
+      TranscodingCacheSize = "11GiB";
+      ReverseProxyWhitelist = "10.89.88.1/24";
+    };
+  };
+}
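Review bot: `ReverseProxyWhitelist = "10.89.88.1/24"` trusts the entire 10.89.88.0/24 WireGuard range (the host-bit form is parsed as the /24 network), not just the Caddy proxy; the same range holds the other microVMs, for example Authentik at 10.89.88.11 per the proxy config in this series, and with the guest firewall disabled in default.nix any of them can connect to 10.89.88.17:4533 and present an arbitrary `Remote-User` header, which Navidrome's reverse-proxy auth treats as an already-authenticated user. Restrict the whitelist to the proxy's single tunnel address, e.g. `ReverseProxyWhitelist = "10.89.88.1/32";` (the proxy's WireGuard address is not shown in this series; substitute the real one). A short comment next to the option noting that it is a trust boundary for the `Remote-User` header would help keep it narrow in future edits.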
diff --git a/hosts/stream/secrets.yaml b/hosts/stream/secrets.yaml
new file mode 100644
index 0000000..a75b120
--- /dev/null
+++ b/hosts/stream/secrets.yaml
@@ -0,0 +1,38 @@
+wg:
+    0xa-proxy: ENC[AES256_GCM,data:uZfFc4elxCAVZvdIHJ7lgoPs9qKkD9ZvLhcYbexDcqn0alaMzIr++CY52FI=,iv:CREMt6GrLHs4Jwj/55awDFHh9hQlJPEi4ZQ7ZLMPvRA=,tag:iJAGdqzQbyezmDj+tzjdNQ==,type:str]
+sops:
+    age:
+        - recipient: age148r2q3cy9sjem37rvgtcc4qjx8usxkdg77pqexa56gmcexn58aaslh3cnj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSko5L1BCOTR1QmZabGw3
+            QS9kbDZyWEJvV09MNkNqbTNncjZrOXl6WFZrCmxQelVzbjdvUUl4aVl3UVFVL0Q5
+            S0VDNkdvcDZnZytCdjBrZUZYTFlEZncKLS0tIG1NWnlnRGovcWxDL2JYMTc2bEY5
+            K29Dd0t6b3FMZjU2cXFBbEw3RktkQlkKCh+jXv65KfAsSR4/0+UWwU5tCphrEEgE
+            WDbIdUZ8j5xHHQwJ58cU7uQ+BSy0yZlwwr8vPoaKdXQzMgyrQfq3gg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-06-12T22:54:11Z"
+    mac: ENC[AES256_GCM,data:15EU9VupWfvR8CrfKrX3nhpD60hYB2LY3vuAPvdqzKLliqSqolNj956fOFicfSHvmW/s+7x+M+5FROnOzSbToTZotFtvALQihHH999veGZMx8Q8oIyljT1PBw/SU9djXPI1KjG/zzYOAwu7y/Ffm0QKhMRziH7CQLn30KR0o2w0=,iv:ghdyTvcpgnBi2L9s4UrzwWwt9TeU0WkGquZ64+w9IN8=,tag:4m4hYFgejlEaQROB/OEi6g==,type:str]
+    pgp:
+        - created_at: "2025-06-12T22:51:49Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA7zUOKwzpAE7AQ/8ClHQoCuiC0AH28bDit4qjNh/TnYq3IbAdyITOqUYPRc6
+            th8MCDY0CfxvzDTLYxTlHH4MNDOiWWTMg/shC8xV3MrAIpEQV79ivYMay04aWpCH
+            HqlhjBynCwAnJRanc9Ch5zW1wCjpgMp+kMDX8JhhUL0Rmt2fd2nSp4R2bb+/HRvn
+            vAaDq3TTLkLr1OHcTNKFFbXafGLKMahxkQGRMgD1DIPCLW+nUxerUnlxHo4yjj3B
+            WKXBVKeWowgBHvelHqUVf6yeSmWZyFDP/jFxFEi75A+BYmwxlQcRDn0L0NKUlMa/
+            uF3jtW3XBMS/sLX7aRscBFeEq9XPce9urJK4KPFNVFI3X1WbD6O/Z87Y+MHa2n0s
+            DuxIwrffpw8p4qSVBAJLbSW1vR/suGh/0Cr31mzo4FJT92A93wc8JdLdpHUfTXL/
+            bEbt6M7OSqvIt5/mor7Ad6/HRkEl+sZJnHqeU/qKfAIKKfz5UVG/ZCZDZlVGTmpp
+            lV9Dn8QjA1ut4lMvACJBocnrlH4T6150ULL0r3gHuVy5YhnGR+LWFdgaCJ4v3f1J
+            A59eAyQENNMoSGZU/YZx95kFPc1O/GIkmiMpXZxBISN3F70QP30ieqbP1qnZRfMg
+            GldVAFhfaHct4lujlgRfOkmwcNG3gTIru4wAqg+wzriI9jm9vEoF0MDJs2cwNYTS
+            XgE32jq6Li59TMUQH9iB4l0cM42QbQ8BcSn6o/NhmF6HHq9W5yuD6EIs4KNfdHv6
+            ikgqQuGGO9v7qDMd0piyqeLRGMANepxrR5uMsbFmMnah9RUq9CjRbMADLa+8DeU=
+            =fEVm
+            -----END PGP MESSAGE-----
+          fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2
diff --git a/modules/wg/proxy.nix b/modules/wg/proxy.nix
index 3b92b8d..7427829 100644
--- a/modules/wg/proxy.nix
+++ b/modules/wg/proxy.nix
@@ -71,6 +71,14 @@
           publicKey = "dj5/CnTAFe5ELnZ5oWonYc+5VdzDyooTYGb/bqcxf3Y=";
           privateKeyFile = config.sops.secrets."wg/0xa-proxy".path;
         };
+        "stream" = {
+          address = [
+            "10.89.88.17/24"
+            "fd31:185d:722f::17/48"
+          ];
+          publicKey = "RDxbOvd/1FSWqIp5v1++wPBcG1hScAT4mhIlMZdvxU4=";
+          privateKeyFile = config.sops.secrets."wg/0xa-proxy".path;
+        };
       };
     }
   ];

From 22d7c181e3d15bc66712ed0850f34476df274545 Mon Sep 17 00:00:00 2001
From: Grisha Shipunov <blame@oxapentane.com>
Date: Sat, 14 Jun 2025 21:01:52 +0200
Subject: [PATCH 2/6] software changes

---
 hosts/toaster/default.nix    | 2 +-
 modules/desktop-software.nix | 1 +
 modules/devtools.nix         | 2 +-
 modules/gnupg.nix            | 2 --
 4 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/hosts/toaster/default.nix b/hosts/toaster/default.nix
index 2b8577b..7e78114 100644
--- a/hosts/toaster/default.nix
+++ b/hosts/toaster/default.nix
@@ -66,7 +66,7 @@
     home = "/home/0xa";
     isNormalUser = true;
     uid = 1000;
-    shell = pkgs.zsh;
+    shell = pkgs.fish;
   };
 
   # This value determines the NixOS release from which the default
diff --git a/modules/desktop-software.nix b/modules/desktop-software.nix
index cbfba71..998c953 100644
--- a/modules/desktop-software.nix
+++ b/modules/desktop-software.nix
@@ -17,6 +17,7 @@
     mpv
     obs-studio
     qbittorrent
+    transmission_4-gtk
     signal-desktop
     spotify
     telegram-desktop
diff --git a/modules/devtools.nix b/modules/devtools.nix
index a003e6e..04dfd87 100644
--- a/modules/devtools.nix
+++ b/modules/devtools.nix
@@ -31,7 +31,7 @@
       nix-index
       kicad
       kikit
-      freecad-wayland
+      freecad-qt6
       imhex
       python3Full
       nixfmt-rfc-style
diff --git a/modules/gnupg.nix b/modules/gnupg.nix
index 07b1eef..4cb173c 100644
--- a/modules/gnupg.nix
+++ b/modules/gnupg.nix
@@ -4,8 +4,6 @@
   environment.systemPackages = with pkgs; [
     gnupg
     opensc
-
-    yubikey-personalization-gui
   ];
 
   # smartcard support

From efd0790d4fcab0d7ffad7e4cca390fc0f110ed5b Mon Sep 17 00:00:00 2001
From: Grisha Shipunov <blame@oxapentane.com>
Date: Sat, 14 Jun 2025 21:02:03 +0200
Subject: [PATCH 3/6] bump lock

---
 flake.lock | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/flake.lock b/flake.lock
index e15b51f..357df38 100644
--- a/flake.lock
+++ b/flake.lock
@@ -253,11 +253,11 @@
     "lix": {
       "flake": false,
       "locked": {
-        "lastModified": 1749682763,
-        "narHash": "sha256-DDhns3NS6L5OlYR0mSX03I5D7uGLyyd3MZegd1wTCyc=",
-        "rev": "ee0655240270480d7f6063dcf12ec47f04d2ded6",
+        "lastModified": 1749838547,
+        "narHash": "sha256-4qJy0n+6P13/XAHPlcjcWK6MDNYd38PkFdI8iCiJYYo=",
+        "rev": "1e34c3747779a82d59ef27b351d4ed02fb372a2a",
         "type": "tarball",
-        "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/ee0655240270480d7f6063dcf12ec47f04d2ded6.tar.gz?rev=ee0655240270480d7f6063dcf12ec47f04d2ded6"
+        "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/1e34c3747779a82d59ef27b351d4ed02fb372a2a.tar.gz?rev=1e34c3747779a82d59ef27b351d4ed02fb372a2a"
       },
       "original": {
         "type": "tarball",
@@ -339,11 +339,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1749195551,
-        "narHash": "sha256-W5GKQHgunda/OP9sbKENBZhMBDNu2QahoIPwnsF6CeM=",
+        "lastModified": 1749832440,
+        "narHash": "sha256-lfxhuxAaHlYFGr8yOrAXZqdMt8PrFLzjVqH9v3lQaoY=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "4602f7e1d3f197b3cb540d5accf5669121629628",
+        "rev": "db030f62a449568345372bd62ed8c5be4824fa49",
         "type": "github"
       },
       "original": {
@@ -402,11 +402,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1749285348,
-        "narHash": "sha256-frdhQvPbmDYaScPFiCnfdh3B/Vh81Uuoo0w5TkWmmjU=",
+        "lastModified": 1749794982,
+        "narHash": "sha256-Kh9K4taXbVuaLC0IL+9HcfvxsSUx8dPB5s5weJcc9pc=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "3e3afe5174c561dee0df6f2c2b2236990146329f",
+        "rev": "ee930f9755f58096ac6e8ca94a1887e0534e2d81",
         "type": "github"
       },
       "original": {

From fee7a194db6b6de6c9f2172973bf33dca60bd8d4 Mon Sep 17 00:00:00 2001
From: Grisha Shipunov <blame@oxapentane.com>
Date: Sat, 14 Jun 2025 21:02:20 +0200
Subject: [PATCH 4/6] plasma still krashes

---
 flake.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/flake.nix b/flake.nix
index 2b085bc..df8420d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -122,7 +122,7 @@
               ./modules/emacs.nix
               ./modules/gnupg.nix
               ./modules/mail
-              ./modules/plasma.nix
+              ./modules/gnome.nix
               ./modules/radio.nix
               ./modules/science.nix
               ./modules/tlp.nix

From e23db8a0b43fccdcb30abdc610a41a2d4b63afdd Mon Sep 17 00:00:00 2001
From: Grisha Shipunov <blame@oxapentane.com>
Date: Sat, 14 Jun 2025 21:02:32 +0200
Subject: [PATCH 5/6] make branch spec uniform in inputs

---
 flake.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/flake.nix b/flake.nix
index df8420d..0c04048 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,7 +1,7 @@
 {
   inputs = {
-    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+    nixpkgs-unstable.url = "github:nixos/nixpkgs?ref=nixos-unstable";
+    nixpkgs.url = "github:NixOS/nixpkgs?ref=nixos-25.05";
 
     flake-utils.url = "github:numtide/flake-utils";
 
@@ -10,7 +10,7 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
-    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
+    nixos-hardware.url = "github:NixOS/nixos-hardware?ref=master";
 
     microvm = {
       url = "github:astro/microvm.nix";
@@ -21,7 +21,7 @@
     };
 
     lanzaboote = {
-      url = "github:nix-community/lanzaboote/v0.4.2";
+      url = "github:nix-community/lanzaboote?ref=v0.4.2";
       inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
 

From 7a417638735547276d49258577e1dbd00a50a91a Mon Sep 17 00:00:00 2001
From: Grisha Shipunov <blame@oxapentane.com>
Date: Sun, 15 Jun 2025 00:27:04 +0200
Subject: [PATCH 6/6] format

---
 hosts/cloud/proxy/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hosts/cloud/proxy/default.nix b/hosts/cloud/proxy/default.nix
index 6cf0151..dbeab9a 100644
--- a/hosts/cloud/proxy/default.nix
+++ b/hosts/cloud/proxy/default.nix
@@ -61,7 +61,7 @@ in
 
     virtualHosts."news.oxapentane.com".extraConfig = "reverse_proxy http://10.89.88.14:8080";
 
-        virtualHosts."music.oxapentane.com".extraConfig = ''
+    virtualHosts."music.oxapentane.com".extraConfig = ''
       route {
           reverse_proxy /outpost.goauthentik.io/* 10.89.88.11:9000 [fd31:185d:722f::11]:9000