diff --git a/.sops.yaml b/.sops.yaml index 649c351..dd882ca 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -11,7 +11,6 @@ keys: - &immich age1afyntwvj672lcq2e4dpxmw3syplzurnnd8q8j3265843jeedpveqkp465z - &miniflux age15ja22wd9tt60vn32sk59pp6c7vtjsn8y3rypn8qfnvxthug8sp0q6f72uh - &radicale age1j6z39kmnxkqa7jdcjsydy5cryjce7fttf225fh3pldyvq06ax3fq58mk8c - - &stream age148r2q3cy9sjem37rvgtcc4qjx8usxkdg77pqexa56gmcexn58aaslh3cnj creation_rules: - path_regex: hosts/toaster/[^/]+\.yaml$ key_groups: @@ -67,9 +66,3 @@ creation_rules: - *admin_oxa age: - *conduwuit - - path_regex: hosts/stream/[^/]+\.yaml$ - key_groups: - - pgp: - - *admin_oxa - age: - - *stream diff --git a/flake.lock b/flake.lock index 0cb36fe..3699136 100644 --- a/flake.lock +++ b/flake.lock @@ -14,11 +14,11 @@ "uv2nix": "uv2nix" }, "locked": { - "lastModified": 1751033152, - "narHash": "sha256-0ANu9OLQJszcEyvnfDB7G957uqskZwCrTzRXz/yfAmE=", + "lastModified": 1747386678, + "narHash": "sha256-+4pIDo56iXWUklX1U+biw/cfC8TiSXTMh2N6V/+JMUg=", "owner": "nix-community", "repo": "authentik-nix", - "rev": "1a4d6a5dd6fef39b99eb7ea4db79c5d5c7d7f1bf", + "rev": "f20474660332903be6b47f3c1fdfc531f6f75f1d", "type": "github" }, "original": { @@ -30,16 +30,16 @@ "authentik-src": { "flake": false, "locked": { - "lastModified": 1751031262, - "narHash": "sha256-SNgRMQUjL3DTlWkMyRMan+pY1FfIV+DMeq5BiTM0N0k=", + "lastModified": 1747329052, + "narHash": "sha256-idShMSYIrf3ViG9VFNGNu6TSjBz3Q+GJMMeCzcJwfG4=", "owner": "goauthentik", "repo": "authentik", - "rev": "b34665fabd8d938d81ce871a4e86ca528c5f253b", + "rev": "ae47624761f05040149d856d5e55a90cd7492740", "type": "github" }, "original": { "owner": "goauthentik", - "ref": "version/2025.4.3", + "ref": "version/2025.4.1", "repo": "authentik", "type": "github" } 
@@ -96,11 +96,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1749398372, - "narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=", + "lastModified": 1743550720, + "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569", + "rev": "c621e8422220273271f52058f618c94e405bb0f5", "type": "github" }, "original": { @@ -224,6 +224,26 @@ "type": "github" } }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs-unstable" + ] + }, + "locked": { + "lastModified": 1748830238, + "narHash": "sha256-EB+LzYHK0D5aqxZiYoPeoZoOzSAs8eqBDxm3R+6wMKU=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "c7fdb7e90bff1a51b79c1eed458fb39e6649a82a", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, "lanzaboote": { "inputs": { "crane": "crane", 
@@ -253,36 +273,38 @@ "lix": { "flake": false, "locked": { - "lastModified": 1750762203, - "narHash": "sha256-LmQhjQ7c+AOkwhvR9GFgJOy8oHW35MoQRELtrwyVnPw=", - "rev": "38b358ce27203f972faa2973cf44ba80c758f46e", + "lastModified": 1748874826, + "narHash": "sha256-PPRYL4vp/09ZPqbgo1b0h+mt28tddxE/nhA04bGvAU0=", + "rev": "530b40ac8ebf49ab93887e5035d7f1fdc3111325", "type": "tarball", - "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/38b358ce27203f972faa2973cf44ba80c758f46e.tar.gz?rev=38b358ce27203f972faa2973cf44ba80c758f46e" + "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/530b40ac8ebf49ab93887e5035d7f1fdc3111325.tar.gz?rev=530b40ac8ebf49ab93887e5035d7f1fdc3111325" }, "original": { "type": "tarball", - "url": "https://git.lix.systems/lix-project/lix/archive/release-2.93.tar.gz" + "url": "https://git.lix.systems/lix-project/lix/archive/main.tar.gz" } }, "lix-module": { "inputs": { "flake-utils": "flake-utils_3", "flakey-profile": "flakey-profile", - "lix": "lix", + "lix": [ + "lix" + ], "nixpkgs": [ - "nixpkgs" + "nixpkgs-unstable" ] }, "locked": { - "lastModified": 1750776670, - "narHash": "sha256-EfA5K5EZAnspmraJrXQlziffVpaT+QDBiE6yKmuaNNQ=", - "rev": "c3c78a32273e89d28367d8605a4c880f0b6607e3", + "lastModified": 1747667424, + "narHash": "sha256-7EICjbmG6lApWKhFtwvZovdcdORY1CEe6/K7JwtpYfs=", + "rev": "3c23c6ae2aecc1f76ae7993efe1a78b5316f0700", "type": "tarball", - "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/c3c78a32273e89d28367d8605a4c880f0b6607e3.tar.gz?rev=c3c78a32273e89d28367d8605a4c880f0b6607e3" + "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/3c23c6ae2aecc1f76ae7993efe1a78b5316f0700.tar.gz?rev=3c23c6ae2aecc1f76ae7993efe1a78b5316f0700" }, "original": { "type": "tarball", - "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.93.1.tar.gz" + "url": "https://git.lix.systems/lix-project/nixos-module/archive/main.tar.gz" } }, "microvm": { 
@@ -296,11 +318,11 @@ "spectrum": "spectrum" }, "locked": { - "lastModified": 1750358184, - "narHash": "sha256-17EYMeY5v8KRk9HW6Z4dExY8Wg4y/zM2eM2wbbx+vMs=", + "lastModified": 1748464257, + "narHash": "sha256-PdnQSE2vPfql9WEjunj2qQnDpuuvk7HH+4djgXJSwFs=", "owner": "astro", "repo": "microvm.nix", - "rev": "fd9f5dba1ffee5ad6f29394b2a9e4c66c1ce77dc", + "rev": "e238645b6f0447a2eb1d538d300d5049d4006f9f", "type": "github" }, "original": { @@ -337,11 +359,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1750837715, - "narHash": "sha256-2m1ceZjbmgrJCZ2PuQZaK4in3gcg3o6rZ7WK6dr5vAA=", + "lastModified": 1748634340, + "narHash": "sha256-pZH4bqbOd8S+si6UcfjHovWDiWKiIGRNRMpmRWaDIms=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "98236410ea0fe204d0447149537a924fb71a6d4f", + "rev": "daa628a725ab4948e0e2b795e8fb6f4c3e289a7a", "type": "github" }, "original": { @@ -353,11 +375,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1750776420, - "narHash": "sha256-/CG+w0o0oJ5itVklOoLbdn2dGB0wbZVOoDm4np6w09A=", + "lastModified": 1747179050, + "narHash": "sha256-qhFMmDkeJX9KJwr5H32f1r7Prs7XbQWtO0h3V0a0rFY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "30a61f056ac492e3b7cdcb69c1e6abdcf00e39cf", + "rev": "adaa24fbf46737f3f1b5497bf64bae750f82942e", "type": "github" }, "original": { @@ -369,11 +391,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1748740939, - "narHash": "sha256-rQaysilft1aVMwF14xIdGS3sj1yHlI6oKQNBRTF40cc=", + "lastModified": 1743296961, + "narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "656a64127e9d791a334452c6b6606d17539476e2", + "rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa", "type": "github" }, "original": { 
@@ -400,11 +422,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1751011381, - "narHash": "sha256-krGXKxvkBhnrSC/kGBmg5MyupUUT5R6IBCLEzx9jhMM=", + "lastModified": 1748693115, + "narHash": "sha256-StSrWhklmDuXT93yc3GrTlb0cKSS0agTAxMGjLKAsY8=", "owner": "nixos", "repo": "nixpkgs", - "rev": "30e2e2857ba47844aa71991daa6ed1fc678bcbb7", + "rev": "910796cabe436259a29a72e8d3f5e180fc6dfacc", "type": "github" }, "original": { @@ -416,11 +438,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1750969886, - "narHash": "sha256-zW/OFnotiz/ndPFdebpo3X0CrbVNf22n4DjN2vxlb58=", + "lastModified": 1748708770, + "narHash": "sha256-q8jG2HJWgooWa9H0iatZqBPF3bp0504e05MevFmnFLY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a676066377a2fe7457369dd37c31fd2263b662f4", + "rev": "a59eb7800787c926045d51b70982ae285faa2346", "type": "github" }, "original": { @@ -473,11 +495,11 @@ ] }, "locked": { - "lastModified": 1749519371, - "narHash": "sha256-UJONN7mA2stweZCoRcry2aa1XTTBL0AfUOY84Lmqhos=", + "lastModified": 1744599653, + "narHash": "sha256-nysSwVVjG4hKoOjhjvE6U5lIKA8sEr1d1QzEfZsannU=", "owner": "pyproject-nix", "repo": "build-system-pkgs", - "rev": "7c06967eca687f3482624250428cc12f43c92523", + "rev": "7dba6dbc73120e15b558754c26024f6c93015dd7", "type": "github" }, "original": { @@ -494,11 +516,11 @@ ] }, "locked": { - "lastModified": 1750499893, - "narHash": "sha256-ThKBd8XSvITAh2JqU7enOp8AfKeQgf9u7zYC41cnBE4=", + "lastModified": 1746540146, + "narHash": "sha256-QxdHGNpbicIrw5t6U3x+ZxeY/7IEJ6lYbvsjXmcxFIM=", "owner": "pyproject-nix", "repo": "pyproject.nix", - "rev": "e824458bd917b44bf4c38795dea2650336b2f55d", + "rev": "e09c10c24ebb955125fda449939bfba664c467fd", "type": "github" }, "original": { @@ -511,7 +533,9 @@ "inputs": { "authentik-nix": "authentik-nix", "flake-utils": "flake-utils_2", + "home-manager": "home-manager", "lanzaboote": "lanzaboote", + "lix": "lix", "lix-module": "lix-module", "microvm": "microvm", "nixos-hardware": "nixos-hardware", 
@@ -550,11 +574,11 @@
 ]
 },
 "locked": {
- "lastModified": 1750119275,
- "narHash": "sha256-Rr7Pooz9zQbhdVxux16h7URa6mA80Pb/G07T4lHvh0M=",
+ "lastModified": 1747603214,
+ "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "77c423a03b9b2b79709ea2cb63336312e78b72e2",
+ "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd",
 "type": "github"
 },
 "original": {
@@ -652,11 +676,11 @@
 ]
 },
 "locked": {
- "lastModified": 1750987094,
- "narHash": "sha256-GujDElxLgYatnNvuL1U6qd18lcuG6anJMjpfYRScV08=",
+ "lastModified": 1746649034,
+ "narHash": "sha256-gmv+ZiY3pQnwgI0Gm3Z1tNSux1CnOJ0De+xeDOol1+0=",
 "owner": "pyproject-nix",
 "repo": "uv2nix",
- "rev": "4b703d851b61e664a70238711a8ff0efa1aa2f52",
+ "rev": "fe540e91c26f378c62bf6da365a97e848434d0cd",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index b13b7b8..fdb5a79 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,12 +1,7 @@
 {
 inputs = {
- nixpkgs-unstable.url = "github:nixos/nixpkgs?ref=nixos-unstable";
- nixpkgs.url = "github:NixOS/nixpkgs?ref=nixos-25.05";
-
- lix-module = {
- url = "https://git.lix.systems/lix-project/nixos-module/archive/2.93.1.tar.gz";
- inputs.nixpkgs.follows = "nixpkgs";
- };
+ nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
 flake-utils.url = "github:numtide/flake-utils";
@@ -15,7 +10,7 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
- nixos-hardware.url = "github:NixOS/nixos-hardware?ref=master";
+ nixos-hardware.url = "github:NixOS/nixos-hardware/master";
 microvm = {
 url = "github:astro/microvm.nix";
@@ -26,7 +21,7 @@
 };
 lanzaboote = {
- url = "github:nix-community/lanzaboote?ref=v0.4.2";
+ url = "github:nix-community/lanzaboote/v0.4.2";
 inputs.nixpkgs.follows = "nixpkgs-unstable";
 };
@@ -34,12 +29,28 @@
 url = "github:nix-community/authentik-nix";
 };
+ lix = {
+ url = "https://git.lix.systems/lix-project/lix/archive/main.tar.gz";
+ flake = false;
+ };
+
+ lix-module = {
+ url = "https://git.lix.systems/lix-project/nixos-module/archive/main.tar.gz";
+ inputs.nixpkgs.follows = "nixpkgs-unstable";
+ inputs.lix.follows = "lix";
+ };
+
 website = {
 url = "git+https://git.oxapentane.com/0xa/website.git?ref=main";
 inputs.nixpkgs.follows = "nixpkgs";
 inputs.flake-utils.follows = "flake-utils";
 };
+ home-manager = {
+ url = "github:nix-community/home-manager";
+ inputs.nixpkgs.follows = "nixpkgs-unstable";
+ };
+
 tmux-yank = {
 url = "github:tmux-plugins/tmux-yank";
 flake = false;
@@ -48,6 +59,7 @@ outputs = inputs@{
+ home-manager,
 lanzaboote,
 lix-module,
 microvm,
@@ -65,7 +77,6 @@
 "forgejo"
 "miniflux"
 "radicale"
- "stream"
 ];
 microvm-unstable-list = [
 "auth"
@@ -108,19 +119,25 @@
 nixos-hardware.nixosModules.lenovo-thinkpad-t14-amd-gen3
 lix-module.nixosModules.default
+ home-manager.nixosModules.home-manager
+ {
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ home-manager.users."0xa" = import ./hosts/toaster/0xa-home.nix;
+ }
+
 ./hosts/toaster
 ./modules/basic-tools
 ./modules/binary-caches.nix
 ./modules/devtools.nix
- ./modules/emacs.nix
- ./modules/gnome.nix
+ ./modules/niri.nix
 ./modules/gnupg.nix
- ./modules/mail
 ./modules/radio.nix
 ./modules/science.nix
 ./modules/tlp.nix
 ./modules/virtualization.nix
+ ./modules/mail
 ./modules/wg
 ];
 };
@@ -129,6 +146,7 @@
 specialArgs = { inherit inputs; };
 modules = [
 sops-nix.nixosModules.sops
+ lix-module.nixosModules.default
 ./hosts/cloud
diff --git a/hosts/cloud/proxy/auth.nix b/hosts/cloud/proxy/auth.nix
new file mode 100644
index 0000000..c8700f0
--- /dev/null
+++ b/hosts/cloud/proxy/auth.nix
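Review bot: The new `lix` and `lix-module` inputs in this hunk track `.../archive/main.tar.gz`, so every `nix flake update` will pull whatever the branch head of the Nix implementation itself is at that moment, replacing the `2.93.1` / `release-2.93` pins that the first hunk of this file and the lock file drop. The lock still fixes a rev and narHash, but the tool that evaluates and builds everything else now follows an unreviewed branch rather than a tagged release, which is the weakest link in the whole supply chain. Consider pinning both again, e.g. `url = "https://git.lix.systems/lix-project/lix/archive/release-2.93.tar.gz";` with the matching `nixos-module/archive/2.93.1.tar.gz`, or record in a comment why `main` is required. `home-manager` is also unpinned, but a GitHub default branch with a locked rev is the usual convention there and carries less risk.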
@@ -0,0 +1,36 @@
+{ ... }:
+{
+ services.nginx.upstreams.authentik = {
+ servers = {
+ "10.89.88.11:9000" = { };
+ "[fd31:185d:722f::11]:9000" = { };
+ };
+ extraConfig = ''
+ keepalive 10;
+ '';
+ };
+
+ services.nginx.virtualHosts."auth.oxapentane.com" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://authentik";
+ extraConfig = ''
+ # general proxy settings
+ proxy_connect_timeout 60s;
+ proxy_send_timeout 60s;
+ proxy_read_timeout 60s;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ # authentik specifik
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade_keepalive;
+ '';
+ };
+ };
+}
diff --git a/hosts/cloud/proxy/conduwuit.nix b/hosts/cloud/proxy/conduwuit.nix
new file mode 100644
index 0000000..97ba4a3
--- /dev/null
+++ b/hosts/cloud/proxy/conduwuit.nix
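Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` in the `/` location forwards whatever `X-Forwarded-For` the client sent with the real address appended, and this nginx is the public edge with no proxy in front of it whose value needs preserving. authentik uses the forwarded address for its event log and for IP-based policies and brute-force protection, and it honours the header from proxies in private ranges such as 10.89.88.0/24, so a caller can place an arbitrary address first in the list; whether the trusted-proxy CIDRs have been narrowed on the authentik side is not visible in this diff. Setting `proxy_set_header X-Forwarded-For $remote_addr;` here pins the forwarded address to the TCP peer; the same line is copied into the other new vhost files and should be changed there too.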
@@ -0,0 +1,47 @@
+{ ... }:
+let
+ proxy-conf = ''
+ client_max_body_size 50M;
+ proxy_buffering off;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Access-Control-Allow-Origin *;
+ proxy_set_header Access-Control-Allow-Methods 'GET, POST, PUT, DELETE, OPTIONS';
+ proxy_set_header Access-Control-Allow-Headers 'X-Requested-With, Content-Type, Authorization';
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ proxy_read_timeout 600s;
+ proxy_send_timeout 600s;
+ send_timeout 600s;
+ '';
+
+in
+{
+ services.nginx.upstreams.conduwuit = {
+ servers = {
+ "10.89.88.16:6167" = { };
+ "[fd31:185d:722f::16]:6167" = { };
+ };
+ };
+
+ services.nginx.virtualHosts."oxapentane.com" = {
+ locations."/_matrix/" = {
+ proxyPass = "http://conduwuit$request_uri";
+ extraConfig = proxy-conf;
+ };
+ locations."/_conduwuit/" = {
+ proxyPass = "http://conduwuit$request_uri";
+ extraConfig = proxy-conf;
+ };
+ locations."/.well-known/matrix" = {
+ proxyPass = "http://conduwuit$request_uri";
+ extraConfig = proxy-conf;
+ };
+ };
+}
diff --git a/hosts/cloud/proxy/dav.nix b/hosts/cloud/proxy/dav.nix
new file mode 100644
index 0000000..6f00943
--- /dev/null
+++ b/hosts/cloud/proxy/dav.nix
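Review bot: The three `proxy_set_header Access-Control-Allow-*` lines in `proxy-conf` set headers on the request sent to conduwuit, not on the response sent to the browser, so they have no CORS effect; the Caddy config this replaces used `header /.well-known/matrix/* Access-Control-Allow-Origin *`, which did act on the response. conduwuit most likely emits its own CORS headers for the client API, in which case these lines should simply be dropped rather than left as misleading no-ops; if the proxy really must add them, the nginx form is `add_header Access-Control-Allow-Origin * always;`, with the caveat that any `add_header` inside a location suppresses the HSTS and nosniff headers added at http level in default.nix, so they would have to be repeated here. Also, `proxy_set_header Connection "upgrade";` is sent on every request; the `$connection_upgrade_keepalive` map that default.nix defines and auth.nix uses is the consistent choice.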
@@ -0,0 +1,64 @@
+{ ... }:
+{
+ services.nginx.upstreams.radicale = {
+ servers = {
+ "10.89.88.12:5232" = { };
+ "[fd31:185d:722f::12]:5232" = { };
+ };
+ };
+
+ services.nginx.virtualHosts."dav.oxapentane.com" = {
+ forceSSL = true;
+ enableACME = true;
+ # Radicale
+ locations."/" = {
+ proxyPass = "http://radicale";
+ extraConfig = ''
+ # Radicale stuff
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade_keepalive;
+
+ # authentik stuff
+ auth_request /outpost.goauthentik.io/auth/nginx;
+ error_page 401 = @goauthentik_proxy_signin;
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+ proxy_set_header Set-Cookie $auth_cookie;
+
+ # translate headers from the outposts back to the actual upstream
+ auth_request_set $authentik_username $upstream_http_x_authentik_username;
+ auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
+ auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
+ auth_request_set $authentik_email $upstream_http_x_authentik_email;
+ auth_request_set $authentik_name $upstream_http_x_authentik_name;
+ auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
+
+ proxy_set_header X-authentik-username $authentik_username;
+ proxy_set_header X-Remote-User $authentik_username;
+ proxy_set_header X-authentik-groups $authentik_groups;
+ proxy_set_header X-authentik-entitlements $authentik_entitlements;
+ proxy_set_header X-authentik-email $authentik_email;
+ proxy_set_header X-authentik-name $authentik_name;
+ proxy_set_header X-authentik-uid $authentik_uid;
+ '';
+ };
+
+ locations."/outpost.goauthentik.io" = {
+ proxyPass = "http://authentik/outpost.goauthentik.io";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+ proxy_set_header Set-Cookie $auth_cookie;
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+ '';
+ };
+ locations."@goauthentik_proxy_signin" = {
+ extraConfig = ''
+ internal;
+ proxy_set_header Set-Cookie $auth_cookie;
+ return 302 /outpost.goauthentik.io/start?rd=$request_uri;
+ '';
+ };
+ };
+}
diff --git a/hosts/cloud/proxy/default.nix b/hosts/cloud/proxy/default.nix
index dbeab9a..e233e65 100644
--- a/hosts/cloud/proxy/default.nix
+++ b/hosts/cloud/proxy/default.nix
@@ -4,7 +4,12 @@ let
 in
 {
 imports = [
+ ./auth.nix
+ ./conduwuit.nix
+ ./dav.nix
 ./git.nix
+ ./immich.nix
+ ./news.nix
 ];
 networking.firewall.allowedTCPPorts = [
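Review bot: In `@goauthentik_proxy_signin` the line `proxy_set_header Set-Cookie $auth_cookie;` is a request-header directive, and that location ends in `return 302` without proxying anything, so the cookie captured by `auth_request_set` is never delivered to the browser; the same applies to the copy in `/outpost.goauthentik.io` and in `/`. authentik's reference nginx snippet uses `add_header Set-Cookie $auth_cookie;` in all three places; if the login flow still works today it is probably because the outpost sets its own cookie during `/start`, which is worth verifying rather than relying on. Separately, `/` now injects `X-Remote-User` from `$authentik_username`, which is only safe if Radicale's listener on 10.89.88.12:5232 is reachable solely from this proxy, since Radicale has no equivalent of the `ReverseProxyWhitelist` the removed navidrome config had — please confirm the microvm network ACL. The `/` location also sends no `Host`, `X-Forwarded-For` or `X-Script-Name` header to Radicale, unlike every other vhost file in this change.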
@@ -12,85 +17,63 @@ in
 443
 ];
- services.caddy = {
+ services.nginx = {
 enable = true;
+
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+
+ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+ appendHttpConfig = ''
+ # upgrade websockets
+ map $http_upgrade $connection_upgrade_keepalive {
+ default upgrade;
+ ''' ''';
+ }
+
+ ### TLS
+ # Add HSTS header with preloading to HTTPS requests.
+ # Adding this header to HTTP requests is discouraged
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+
+ # Enable CSP for your services.
+ # add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+ # Minimize information leaked to other domains
+ add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+ # Disable embedding as a frame
+ # add_header X-Frame-Options DENY;
+
+ # Prevent injection of code in other mime types (XSS Attacks)
+ add_header X-Content-Type-Options nosniff;
+ '';
+
 virtualHosts."oxapentane.com" = {
- serverAliases = [ "www.oxapentane.com" ];
- extraConfig = ''
- # conduit
- @matrix {
- path /.well-known/matrix/*
- path /_matrix/*
- }
-
- route {
- header /.well-known/matrix/* Access-Control-Allow-Origin *
-
- reverse_proxy @matrix 10.89.88.16:6167
-
- # file server
- file_server {
- root ${website}
- index index.html
- }
- }
- '';
+ forceSSL = true;
+ enableACME = true;
+ default = true;
+ locations."/" = {
+ root = "${website}";
+ index = "index.html";
+ };
 };
+ virtualHosts."www.oxapentane.com" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ return = "302 https://oxapentane.com";
+ };
+ };
+ };
- virtualHosts."auth.oxapentane.com".extraConfig = ''
- reverse_proxy 10.89.88.11:9000 [fd31:185d:722f::11]:9000
- '';
-
- virtualHosts."dav.oxapentane.com".extraConfig = ''
- route {
- reverse_proxy /outpost.goauthentik.io/* 10.89.88.11:9000 [fd31:185d:722f::11]:9000
-
- forward_auth 10.89.88.11:9000 {
- uri /outpost.goauthentik.io/auth/caddy
- copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version X-Authentik-Username>X-Remote-User
- trusted_proxies 10.89.88.11 fd31:185d:722f::11
- }
- }
- reverse_proxy 10.89.88.12:5232 [fd31:185d:722f::12]:5232
-
- '';
-
- virtualHosts."immich.oxapentane.com".extraConfig = ''
- reverse_proxy 10.89.88.13:2283
- '';
-
- virtualHosts."news.oxapentane.com".extraConfig = "reverse_proxy http://10.89.88.14:8080";
-
- virtualHosts."music.oxapentane.com".extraConfig = ''
- route {
- reverse_proxy /outpost.goauthentik.io/* 10.89.88.11:9000 [fd31:185d:722f::11]:9000
-
- @protected not path /share/* /rest/*
- forward_auth @protected 10.89.88.11:9000 {
- uri /outpost.goauthentik.io/auth/caddy
- copy_headers X-Authentik-Username>Remote-User
- trusted_proxies 10.89.88.11 fd31:185d:722f::11
- }
-
-
- @subsonic path /rest/*
- forward_auth @subsonic 10.89.88.11:9000 {
- uri /outpost.goauthentik.io/auth/caddy
- copy_headers X-Authentik-Username>Remote-User
- @error status 1xx 3xx 4xx 5xx
- handle_response @error {
- respond <
-
-
- SUBSONICERR 200
- }
- trusted_proxies 10.89.88.11 fd31:185d:722f::11
- }
- }
- reverse_proxy 10.89.88.17:4533
-
- '';
-
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "acme@oxapentane.com";
 };
 }
diff --git a/hosts/cloud/proxy/git.nix b/hosts/cloud/proxy/git.nix
index 6986f80..ac53f4c 100644
--- a/hosts/cloud/proxy/git.nix
+++ b/hosts/cloud/proxy/git.nix
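Review bot: `sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";` replaces the NixOS module's default cipher list with an OpenSSL group expression that admits CBC/SHA-1 suites such as `ECDHE-RSA-AES256-SHA`, drops AES-128-GCM and ChaCha20-Poly1305 (which hurts clients without AES hardware), and requests DHE suites although no `sslDhparam` is configured, so that half of the string is inert. `recommendedTlsSettings = true` already restricts protocols to TLS 1.2/1.3 and the module's default `ssl_ciphers` is an ordered AEAD-first list, so deleting the `sslCiphers` line is the simplest fix; if a custom list is wanted it should be spelled out explicitly. Also note that the `add_header` lines in `appendHttpConfig` are inherited only by locations that contain no `add_header` of their own, so any vhost file that later adds one (for CORS or cookies) silently loses HSTS and nosniff, and `includeSubdomains; preload` on the apex commits every subdomain, including ones that are not yet HTTPS-only, before any preload-list submission.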
@@ -35,6 +35,34 @@ "fd31:185d:722e::1" ];
- services.caddy.virtualHosts."git.oxapentane.com".extraConfig =
- "reverse_proxy 10.89.88.15:3000 [fd31:185d:722f::15]:3000";
+ services.nginx.upstreams.forgejo = {
+ servers = {
+ "10.89.88.15:3000" = { };
+ "[fd31:185d:722f::15]:3000" = { };
+ };
+ };
+
+ services.nginx.virtualHosts."git.oxapentane.com" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://forgejo";
+ extraConfig = ''
+ client_max_body_size 50000M;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ proxy_read_timeout 600s;
+ proxy_send_timeout 600s;
+ send_timeout 600s;
+ '';
+ };
+ };
 }
diff --git a/hosts/cloud/proxy/immich.nix b/hosts/cloud/proxy/immich.nix
new file mode 100644
index 0000000..93e62d2
--- /dev/null
+++ b/hosts/cloud/proxy/immich.nix
@@ -0,0 +1,33 @@
+{ ... }:
+{
+ services.nginx.upstreams.immich = {
+ servers = {
+ "10.89.88.13:2283" = { };
+ "[fd31:185d:722f::13]:2283" = { };
+ };
+ };
+
+ services.nginx.virtualHosts."immich.oxapentane.com" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://immich";
+ extraConfig = ''
+ client_max_body_size 50000M;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ proxy_read_timeout 600s;
+ proxy_send_timeout 600s;
+ send_timeout 600s;
+ '';
+ };
+ };
+}
diff --git a/hosts/cloud/proxy/news.nix b/hosts/cloud/proxy/news.nix
new file mode 100644
index 0000000..3bbfda2
--- /dev/null
+++ b/hosts/cloud/proxy/news.nix
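Review bot: `client_max_body_size 50000M;` combined with nginx's default `proxy_request_buffering on` means the proxy spools up to ~50 GB of request body into its own `client_body_temp_path` before Forgejo sees a byte, and it does so before Forgejo has authenticated the request, so any anonymous client can fill the proxy host's disk. Add `proxy_request_buffering off;` next to it so bodies stream through and Forgejo's own limits apply, and pick a ceiling that reflects real push/LFS sizes; immich.nix in this same change carries the identical pair of lines. The enclosing attribute set of git.nix begins before this hunk.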
@@ -0,0 +1,17 @@
+{ ... }:
+{
+ services.nginx.virtualHosts."news.oxapentane.com" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://10.89.88.14:8080";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_redirect off;
+ '';
+ };
+ };
+}
diff --git a/hosts/stream/default.nix b/hosts/stream/default.nix
deleted file mode 100644
index 4543466..0000000
--- a/hosts/stream/default.nix
+++ /dev/null
@@ -1,76 +0,0 @@
-{ config, lib, ... }:
-let
- mac = "02:00:00:00:00:07";
-in
-{
- imports = [
- ./navidrome.nix
- ];
-
- sops.defaultSopsFile = ./secrets.yaml;
- sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-
- sops.secrets = {
- "wg/0xa-proxy" = {
- owner = config.users.users.systemd-network.name;
- };
- };
-
- microvm = {
- hypervisor = "qemu";
- mem = 4 * 1024;
- vcpu = 3;
- interfaces = [
- {
- type = "tap";
- id = "uvm-stream";
- mac = mac;
- }
- ];
- shares =
- [
- {
- source = "/nix/store";
- mountPoint = "/nix/.ro-store";
- tag = "store";
- proto = "virtiofs";
- }
- ]
- ++ map
- (dir: {
- source = dir;
- mountPoint = "/${dir}";
- tag = dir;
- proto = "virtiofs";
- })
- [
- "etc"
- "var"
- "home"
- ];
- };
-
- networking.useNetworkd = true;
- networking.firewall.enable = lib.mkForce false; # firewalling done by the host
-
- systemd.network = {
- enable = true;
- networks."11-host" = {
- matchConfig.MACAddress = mac;
- networkConfig = {
- Address = "10.99.99.17/24";
- DHCP = "no";
- };
- routes = [
- {
- Gateway = "10.99.99.1";
- Destination = "0.0.0.0/0";
- Metric = 1024;
- }
- ];
- };
- };
-
- networking.hostName = "stream";
- system.stateVersion = "25.05";
-}
diff --git a/hosts/stream/navidrome.nix b/hosts/stream/navidrome.nix
deleted file mode 100644
index 0b1cd07..0000000
--- a/hosts/stream/navidrome.nix
+++ /dev/null
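Review bot: news.nix proxies to a literal `http://10.89.88.14:8080` rather than an `upstreams` block with the IPv6 address the way auth.nix, dav.nix, git.nix and immich.nix do, so miniflux is the one service without dual-stack fallback, and the file is harder to read alongside the others. The consistent form is `services.nginx.upstreams.miniflux = { servers = { "10.89.88.14:8080" = { }; "[fd31:185d:722f::14]:8080" = { }; }; };` with `proxyPass = "http://miniflux";`; the IPv6 address is inferred from the pattern the other hosts follow and must be checked against the miniflux microvm before use.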
@@ -1,16 +0,0 @@
-{ ... }:
-{
- services.navidrome = {
- enable = true;
- settings = {
- Address = "10.89.88.17";
- BaseUrl = "/";
- EnableExternalServices = false;
- MusicFolder = "/var/lib/navidrome/music";
- Port = 4533;
- ScanSchedule = "@every 11m";
- TranscodingCacheSize = "11GiB";
- ReverseProxyWhitelist = "10.89.88.1/24";
- };
- };
-}
diff --git a/hosts/stream/secrets.yaml b/hosts/stream/secrets.yaml
deleted file mode 100644
index a75b120..0000000
--- a/hosts/stream/secrets.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-wg:
- 0xa-proxy: ENC[AES256_GCM,data:uZfFc4elxCAVZvdIHJ7lgoPs9qKkD9ZvLhcYbexDcqn0alaMzIr++CY52FI=,iv:CREMt6GrLHs4Jwj/55awDFHh9hQlJPEi4ZQ7ZLMPvRA=,tag:iJAGdqzQbyezmDj+tzjdNQ==,type:str]
-sops:
- age:
- - recipient: age148r2q3cy9sjem37rvgtcc4qjx8usxkdg77pqexa56gmcexn58aaslh3cnj
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSko5L1BCOTR1QmZabGw3
- QS9kbDZyWEJvV09MNkNqbTNncjZrOXl6WFZrCmxQelVzbjdvUUl4aVl3UVFVL0Q5
- S0VDNkdvcDZnZytCdjBrZUZYTFlEZncKLS0tIG1NWnlnRGovcWxDL2JYMTc2bEY5
- K29Dd0t6b3FMZjU2cXFBbEw3RktkQlkKCh+jXv65KfAsSR4/0+UWwU5tCphrEEgE
- WDbIdUZ8j5xHHQwJ58cU7uQ+BSy0yZlwwr8vPoaKdXQzMgyrQfq3gg==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-06-12T22:54:11Z"
- mac: ENC[AES256_GCM,data:15EU9VupWfvR8CrfKrX3nhpD60hYB2LY3vuAPvdqzKLliqSqolNj956fOFicfSHvmW/s+7x+M+5FROnOzSbToTZotFtvALQihHH999veGZMx8Q8oIyljT1PBw/SU9djXPI1KjG/zzYOAwu7y/Ffm0QKhMRziH7CQLn30KR0o2w0=,iv:ghdyTvcpgnBi2L9s4UrzwWwt9TeU0WkGquZ64+w9IN8=,tag:4m4hYFgejlEaQROB/OEi6g==,type:str]
- pgp:
- - created_at: "2025-06-12T22:51:49Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
-
- hQIMA7zUOKwzpAE7AQ/8ClHQoCuiC0AH28bDit4qjNh/TnYq3IbAdyITOqUYPRc6
- th8MCDY0CfxvzDTLYxTlHH4MNDOiWWTMg/shC8xV3MrAIpEQV79ivYMay04aWpCH
- HqlhjBynCwAnJRanc9Ch5zW1wCjpgMp+kMDX8JhhUL0Rmt2fd2nSp4R2bb+/HRvn
- vAaDq3TTLkLr1OHcTNKFFbXafGLKMahxkQGRMgD1DIPCLW+nUxerUnlxHo4yjj3B
- WKXBVKeWowgBHvelHqUVf6yeSmWZyFDP/jFxFEi75A+BYmwxlQcRDn0L0NKUlMa/
- uF3jtW3XBMS/sLX7aRscBFeEq9XPce9urJK4KPFNVFI3X1WbD6O/Z87Y+MHa2n0s
- DuxIwrffpw8p4qSVBAJLbSW1vR/suGh/0Cr31mzo4FJT92A93wc8JdLdpHUfTXL/
- bEbt6M7OSqvIt5/mor7Ad6/HRkEl+sZJnHqeU/qKfAIKKfz5UVG/ZCZDZlVGTmpp
- lV9Dn8QjA1ut4lMvACJBocnrlH4T6150ULL0r3gHuVy5YhnGR+LWFdgaCJ4v3f1J
- A59eAyQENNMoSGZU/YZx95kFPc1O/GIkmiMpXZxBISN3F70QP30ieqbP1qnZRfMg
- GldVAFhfaHct4lujlgRfOkmwcNG3gTIru4wAqg+wzriI9jm9vEoF0MDJs2cwNYTS
- XgE32jq6Li59TMUQH9iB4l0cM42QbQ8BcSn6o/NhmF6HHq9W5yuD6EIs4KNfdHv6
- ikgqQuGGO9v7qDMd0piyqeLRGMANepxrR5uMsbFmMnah9RUq9CjRbMADLa+8DeU=
- =fEVm
- -----END PGP MESSAGE-----
- fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
- unencrypted_suffix: _unencrypted
- version: 3.10.2
diff --git a/hosts/toaster/default.nix b/hosts/toaster/default.nix
index 2b8577b..087b7f3 100644
--- a/hosts/toaster/default.nix
+++ b/hosts/toaster/default.nix
@@ -4,7 +4,7 @@
 ./amd.nix
 ./hardware-configuration.nix
 ./irc.nix
- ./network
+ ./network/full-networkd.nix
 ./secure-boot.nix
 ./zfs.nix
 ];
@@ -66,7 +66,7 @@
 home = "/home/0xa";
 isNormalUser = true;
 uid = 1000;
- shell = pkgs.zsh;
+ shell = pkgs.fish;
 };
 # This value determines the NixOS release from which the default
diff --git a/hosts/toaster/network/default.nix b/hosts/toaster/network/default.nix
index 6504dbb..6d96c3c 100644
--- a/hosts/toaster/network/default.nix
+++ b/hosts/toaster/network/default.nix
@@ -7,16 +7,13 @@
 ];
 # Networkmanager shouldn't interfere with systemd managed interfaces
- networking.networkmanager = {
- enable = true;
- unmanaged =
- let
- systemd_netdevs = lib.attrsets.attrValues (
- lib.attrsets.mapAttrs (_name: value: value.netdevConfig.Name) config.systemd.network.netdevs
- );
- in
- systemd_netdevs;
- };
+ networking.networkmanager.unmanaged =
+ let
+ systemd_netdevs = lib.attrsets.attrValues (
+ lib.attrsets.mapAttrs (_name: value: value.netdevConfig.Name) config.systemd.network.netdevs
+ );
+ in
+ systemd_netdevs;
 systemd.network = {
 enable = true;
diff --git a/hosts/toaster/network/mullvad.nix b/hosts/toaster/network/mullvad.nix
index 54fec8d..112026d 100644
--- a/hosts/toaster/network/mullvad.nix
+++ b/hosts/toaster/network/mullvad.nix
@@ -1,12 +1,9 @@
-{
- config,
- ...
- }:
+{ config, ... }:
 {
 systemd.network =
 let
- pubkey = "xpZ3ZDEukbqKQvdHwaqKMUhsYhcYD3uLPUh1ACsVr1s=";
- endpoint = "185.65.134.86";
+ pubkey = "uUYbYGKoA6UBh1hfkAz5tAWFv4SmteYC9kWh7/K6Ah0=";
+ endpoint = "92.60.40.209";
 port = "51820";
 addr = [
 "10.74.16.48/32"
diff --git a/modules/basic-tools/default.nix b/modules/basic-tools/default.nix
index 024547c..a917168 100644
--- a/modules/basic-tools/default.nix
+++ b/modules/basic-tools/default.nix
@@ -7,6 +7,7 @@
 ./nix.nix
 ./nix-ld.nix
 ./zsh.nix
+ ./fish.nix
 ];
 environment.systemPackages =
@@ -80,6 +81,7 @@
 vim = "nvim";
 grep = "grep --color=auto";
 };
+ users.defaultUserShell = pkgs.zsh; # keep root shell posix compatible
 programs.iftop.enable = true;
 programs.mosh.enable = true;
diff --git a/modules/basic-tools/zsh.nix b/modules/basic-tools/zsh.nix
index 8e47207..c474267 100644
--- a/modules/basic-tools/zsh.nix
+++ b/modules/basic-tools/zsh.nix
@@ -15,6 +15,7 @@
 programs.zsh = {
 enable = true;
 enableCompletion = true;
+ syntaxHighlighting.enable = true;
 interactiveShellInit = ''
 bindkey -e
 export HISTFILE="$HOME/.zsh_history"
@@ -38,7 +39,6 @@
 LP_ENABLE_SVN=0
 LP_BATTERY_THRESHOLD=15
 LP_SSH_COLORS=1
- LP_DISABLED_VCS_PATHS=("/home/0xa/proj/NixOS/nixpkgs")
 '';
 };
 }
diff --git a/modules/chromium.nix b/modules/chromium.nix
index 4cdf16a..5c971c6 100644
--- a/modules/chromium.nix
+++ b/modules/chromium.nix
@@ -26,9 +26,9 @@
 "AutoplayAllowed" = false;
 "DefaultNotificationSetting" = 2;
 "BackgroundModeEnabled" = false;
- # "DefaultSearchProviderEnabled" = true;
+ "DefaultSearchProviderEnabled" = true;
 # "DefaultSearchProviderSearchURL" = "https://google.com/search?q={searchTerms}";
- # "DefaultSearchProviderSearchURL" = "https://duckduckgo.com/?q={searchTerms}";
+ "DefaultSearchProviderSearchURL" = "https://duckduckgo.com/?q={searchTerms}";
 "SearchSuggestEnable" = false;
 "BlockThirdPartyCookies" = true;
 "PrivacySandboxAdMeasurementEnabled" = false;
diff --git a/modules/desktop-software.nix b/modules/desktop-software.nix
index 998c953..5178c70 100644
@@ -7,24 +7,19 @@ audacity blender dino - discord - element-desktop ffmpeg-full - ghostty gimp inkscape - lapce - mpv - obs-studio - qbittorrent - transmission_4-gtk signal-desktop - spotify telegram-desktop tor-browser wl-clipboard yt-dlp + element-desktop + discord + mpv + obs-studio + firefox ]; programs.steam.enable = true; - programs.firefox.enable = true; } diff --git a/modules/devtools.nix b/modules/devtools.nix index e41c8c6..a003e6e 100644 --- a/modules/devtools.nix +++ b/modules/devtools.nix @@ -16,20 +16,28 @@ in [ # general + cmake + gcc gef gdb + binutils binwalk + clang + clang-tools + direnv sops nil + nixpkgs-fmt nix-index kicad kikit - freecad-qt6 + freecad-wayland imhex python3Full nixfmt-rfc-style treefmt android-tools + bacon ]; # android stuff @@ -43,5 +51,23 @@ }; users.users."0xa".extraGroups = [ "wireshark" ]; - programs.direnv.enable = true; + ## direnv + programs.bash.interactiveShellInit = '' + eval "$(direnv hook bash)" + ''; + programs.zsh.interactiveShellInit = '' + eval "$(direnv hook zsh)" + ''; + programs.fish.interactiveShellInit = '' + direnv hook fish | source + ''; + + # nix options for derivations to persist garbage collection + nix.extraOptions = '' + keep-outputs = true + keep-derivations = true + ''; + environment.pathsToLink = [ + "/share/nix-direnv" + ]; } diff --git a/modules/emacs.nix b/modules/emacs.nix index 39c2db8..8841e44 100644 --- a/modules/emacs.nix +++ b/modules/emacs.nix 
@@ -5,37 +5,14 @@ }: { - environment.systemPackages = - let - # https://wiki.nixos.org/wiki/TexLive - # minimal set of latex packages for orgmode - # emacs config: - # (setq org-latex-complier "lualatex") - # (setq org-preview-latex-default-process 'dvisvgm) - orgmode-tex = ( - pkgs.texlive.combine { - inherit (pkgs.texlive) - scheme-basic - dvisvgm - dvipng - wrapfig - amsmath - ulem - hyperref - capt-of - ; - } - ); - in - with pkgs; - [ - mu - orgmode-tex - ]; + environment.systemPackages = with pkgs; [ + direnv + mu + ]; services.emacs = { install = true; - enable = true; + enable = false; package = with pkgs; ( @@ -55,6 +32,6 @@ ] ) ); - defaultEditor = lib.mkForce true; + defaultEditor = lib.mkDefault true; }; } diff --git a/modules/fonts.nix b/modules/fonts.nix index e8c54bc..32ae853 100644 --- a/modules/fonts.nix +++ b/modules/fonts.nix @@ -19,8 +19,6 @@ liberation_ttf noto-fonts noto-fonts-cjk-sans - noto-fonts-color-emoji - noto-fonts-monochrome-emoji noto-fonts-emoji noto-fonts-extra proggyfonts diff --git a/modules/gnome.nix b/modules/gnome.nix index 5743283..b1dae16 100644 --- a/modules/gnome.nix +++ b/modules/gnome.nix @@ -13,8 +13,11 @@ gnome-obfuscate gnome-boxes gnome-tweaks + qbittorrent gnomeExtensions.caffeine gnomeExtensions.brightness-control-using-ddcutil + spotify + ghostty fractal ]; diff --git a/modules/gnupg.nix b/modules/gnupg.nix index 4cb173c..07b1eef 100644 --- a/modules/gnupg.nix +++ b/modules/gnupg.nix @@ -4,6 +4,8 @@ environment.systemPackages = with pkgs; [ gnupg opensc + + yubikey-personalization-gui ]; # smartcard support diff --git a/modules/niri.nix b/modules/niri.nix index 441c55b..4cd541e 100644 --- a/modules/niri.nix +++ b/modules/niri.nix 
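Review bot: `enable = false;` together with `install = true;` and `defaultEditor = lib.mkDefault true;` leaves `EDITOR` pointing at the emacsclient wrapper while no daemon is started, so each editor invocation will most likely spawn a full Emacs through the client's alternate-editor fallback; if that trade-off is intended, `enable = false; # no daemon: emacsclient falls back to a full emacs start` makes it explicit. The move from `lib.mkForce` to `lib.mkDefault` also means any other module defining `services.emacs.defaultEditor` now wins silently, which deserves a word in the same comment. The `services.emacs` attribute set continues outside the hunk.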
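Review bot: `yubikey-personalization-gui` talks to the token over its raw USB (OTP/HID) interface, which to my knowledge needs the udev rules shipped by `yubikey-personalization` (`services.udev.packages = [ pkgs.yubikey-personalization ];`) before the unprivileged `0xa` user can reach the device; the `# smartcard support` context suggests pcscd is handled below, but pcscd only covers the CCID interface. If the rules are already set outside the hunk, ignore this. The package list's enclosing set starts outside the hunk.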
@@ -6,49 +6,66 @@ ./desktop-software.nix ./fonts.nix ]; - environment.systemPackages = with pkgs; [ - screen-message - qbittorrent - gajim - imv - mpv - evince - brightnessctl - pulsemixer - cmus - termusic - gsettings-desktop-schemas - xdg-utils - qt5.qtwayland - bashmount - audacity - spotify-player - zathura - ncdu - adwaita-icon-theme - bluetui - gammastep - graphicsmagick - i3status-rust - impala - kanshi - pamixer - swayidle - swaylock - wl-clipboard - xfce.thunar - banana-cursor - yofi - alacritty - i3bar-river - mako - swww - wbg - oculante - xwayland-satellite - foot - fuzzel - ]; + environment.systemPackages = + let + xwayland-satellite-git = pkgs.xwayland-satellite.overrideAttrs ( + final: _prev: { + version = "0.6"; + cargoHash = "sha256-R3xXyXpHQw/Vh5Y4vFUl7n7jwBEEqwUCIZGAf9+SY1M="; + src = pkgs.fetchFromGitHub { + owner = "Supreeeme"; + repo = "xwayland-satellite"; + rev = "3ba30b149f9eb2bbf42cf4758d2158ca8cceef73"; + sha256 = "sha256-IiLr1alzKFIy5tGGpDlabQbe6LV1c9ABvkH6T5WmyRI="; + }; + cargoDeps = pkgs.rustPlatform.fetchCargoVendor { + inherit (final) pname src version; + hash = final.cargoHash; + }; + } + ); + in + with pkgs; + [ + screen-message + qbittorrent + gajim + imv + mpv + evince + brightnessctl + pulsemixer + cmus + termusic + gsettings-desktop-schemas + xdg-utils + qt5.qtwayland + bashmount + audacity + spotify-player + zathura + ncdu + adwaita-icon-theme + bluetui + gammastep + graphicsmagick + i3status-rust + impala + kanshi + pamixer + swayidle + swaylock + wl-clipboard + xfce.thunar + banana-cursor + fuzzel + alacritty + i3bar-river + mako + swww + oculante + xwayland-satellite-git + ]; # Enable sound. security.rtkit.enable = true; 
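Review bot: The `xwayland-satellite` override pins `rev` and both content hashes, which is the right supply-chain shape, but it carries no comment stating why 0.6 from git is needed over the nixpkgs package or when the override can be dropped, and `version = "0.6"` beside a bare commit `rev` cannot be checked against a release tag by a reader. A header comment such as `# temporary: xwayland-satellite 0.6 not yet in nixpkgs; rev = <upstream tag or commit>; drop once nixpkgs catches up` would record both. The enclosing attribute set starts outside the hunk.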
@@ -101,18 +118,7 @@ }; services.gnome.gnome-keyring.enable = true; - programs.seahorse.enable = true; - - # https://github.com/JohnRTitor/nix-conf/commit/53bc83aef18849976d5a42cc727d38dd0e38c5b0 - security.pam.services = { - greetd.enableGnomeKeyring = true; - greetd-password.enableGnomeKeyring = true; - login.enableGnomeKeyring = true; - }; - services.dbus.packages = with pkgs; [ - gnome-keyring - gcr - ]; + security.pam.services.greetd.enableGnomeKeyring = true; services.greetd = { enable = true; @@ -124,4 +130,11 @@ }; programs.gnupg.agent.pinentryPackage = pkgs.pinentry-curses; + programs.ssh = { + startAgent = true; + enableAskPassword = false; + extraConfig = '' + AddKeysToAgent yes + ''; + }; } diff --git a/modules/plasma.nix b/modules/plasma.nix deleted file mode 100644 index 1a7a170..0000000 --- a/modules/plasma.nix +++ /dev/null @@ -1,52 +0,0 @@ -{ pkgs, ... }: -{ - imports = [ - ./desktop-software.nix - ./fonts.nix - ]; - - environment.systemPackages = with pkgs; [ - kaidan - kdePackages.filelight - kdePackages.okular - vlc - ]; - - programs.kde-pim = { - enable = true; - kmail = true; - kontact = true; - merkuro = true; - }; - - # Enable sound. - security.rtkit.enable = true; - services.pipewire = { - enable = true; - alsa.enable = true; - pulse.enable = true; - }; - - programs.zsh.vteIntegration = true; - programs.bash.vteIntegration = true; - - hardware.bluetooth.enable = true; - - services.displayManager.sddm = { - enable = true; - wayland.enable = true; - }; - - services.desktopManager.plasma6.enable = true; - - programs.ssh = { - startAgent = true; - enableAskPassword = false; - extraConfig = '' - AddKeysToAgent yes - ''; - }; - programs.firefox.nativeMessagingHosts.packages = with pkgs.kdePackages; [ - plasma-browser-integration - ]; -} diff --git a/modules/science.nix b/modules/science.nix index ff7eaa3..421f12e 100644 --- a/modules/science.nix +++ b/modules/science.nix 
@@ -3,6 +3,7 @@ environment.systemPackages = with pkgs; [ gnuplot zotero + paraview numbat ]; } diff --git a/modules/server/ssh.nix b/modules/server/ssh.nix index ea463d5..4c27a00 100644 --- a/modules/server/ssh.nix +++ b/modules/server/ssh.nix @@ -10,6 +10,5 @@ networking.firewall.allowedTCPPorts = [ 22 ]; users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJl9iYG5oHBq/poBn7Jf1/FGWWbAnbx+NKjs7qtT3uAK 0xa@toaster 2024-12-31" - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINjKbSzsAx8P9POD9pOXO+Fxub68V828sNatPA6+2zmGAAAABHNzaDo= 0xa@keychain-A" ]; } diff --git a/modules/wg/proxy.nix b/modules/wg/proxy.nix index 7427829..3b92b8d 100644 --- a/modules/wg/proxy.nix +++ b/modules/wg/proxy.nix @@ -71,14 +71,6 @@ publicKey = "dj5/CnTAFe5ELnZ5oWonYc+5VdzDyooTYGb/bqcxf3Y="; privateKeyFile = config.sops.secrets."wg/0xa-proxy".path; }; - "stream" = { - address = [ - "10.89.88.17/24" - "fd31:185d:722f::17/48" - ]; - publicKey = "RDxbOvd/1FSWqIp5v1++wPBcG1hScAT4mhIlMZdvxU4="; - privateKeyFile = config.sops.secrets."wg/0xa-proxy".path; - }; }; } ];
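Review bot: After this hunk root's only authorized key is the software-held `ssh-ed25519` key; the removed entry was the hardware-backed `sk-ssh-ed25519@openssh.com` one, so possession of the `0xa@toaster` private key file alone is now sufficient for root on this host. If the FIDO key was retired rather than lost, enrolling its replacement in the same change keeps a hardware-backed path; either way a short comment on the remaining entry (`# keychain-A retired <date>`) documents the rotation, and the retired key should be removed from any other host that lists it. The enclosing attribute set starts outside the hunk.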
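Review bot: Dropping the `"stream"` peer removes its address and public key from this interface, but nothing in the diff retires that key elsewhere; any other node that still lists `RDxbOvd/1FSWqIp5v1++wPBcG1hScAT4mhIlMZdvxU4=` as a peer or routes `10.89.88.17` keeps trusting the decommissioned host. Worth grepping the other wg modules for that key and address, and if the host is gone for good, a comment on the remaining peer set (`# stream peer removed <date>`) records the retirement. The enclosing attribute set starts outside the hunk.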