diff --git a/.sops.yaml b/.sops.yaml index 649c351..dd882ca 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -11,7 +11,6 @@ keys: - &immich age1afyntwvj672lcq2e4dpxmw3syplzurnnd8q8j3265843jeedpveqkp465z - &miniflux age15ja22wd9tt60vn32sk59pp6c7vtjsn8y3rypn8qfnvxthug8sp0q6f72uh - &radicale age1j6z39kmnxkqa7jdcjsydy5cryjce7fttf225fh3pldyvq06ax3fq58mk8c - - &stream age148r2q3cy9sjem37rvgtcc4qjx8usxkdg77pqexa56gmcexn58aaslh3cnj creation_rules: - path_regex: hosts/toaster/[^/]+\.yaml$ key_groups: @@ -67,9 +66,3 @@ creation_rules: - *admin_oxa age: - *conduwuit - - path_regex: hosts/stream/[^/]+\.yaml$ - key_groups: - - pgp: - - *admin_oxa - age: - - *stream diff --git a/flake.lock b/flake.lock index 357df38..3efe37d 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,29 @@ { "nodes": { + "attic": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat_2", + "flake-parts": "flake-parts_2", + "nix-github-actions": "nix-github-actions_2", + "nixpkgs": "nixpkgs", + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1731270564, + "narHash": "sha256-6KMC/NH/VWP5Eb+hA56hz0urel3jP6Y6cF2PX6xaTkk=", + "owner": "zhaofengli", + "repo": "attic", + "rev": "47752427561f1c34debb16728a210d378f0ece36", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "ref": "main", + "repo": "attic", + "type": "github" + } + }, "authentik-nix": { "inputs": { "authentik-src": "authentik-src", 
@@ -7,18 +31,18 @@ "flake-parts": "flake-parts", "flake-utils": "flake-utils", "napalm": "napalm", - "nixpkgs": "nixpkgs", - "pyproject-build-systems": "pyproject-build-systems", - "pyproject-nix": "pyproject-nix", - "systems": "systems", - "uv2nix": "uv2nix" + "nixpkgs": [ + "nixpkgs" + ], + "poetry2nix": "poetry2nix", + "systems": "systems" }, "locked": { - "lastModified": 1749129962, - "narHash": "sha256-gc1l5z5dWw9a9DWsrp0ZiD+SSMsNpEwMEiRi8K5sh5c=", + "lastModified": 1738503522, + "narHash": "sha256-1yrVbGLBMBPl34EibVARkUB9Gak1GjLRLZXJk9jbHxU=", "owner": "nix-community", "repo": "authentik-nix", - "rev": "271a38f7c4e2551f0674b894e2adf7cd1ddb8168", + "rev": "bc62d5509989f5dca633c65b58aa0ac79a48db3e", "type": "github" }, "original": { 
@@ -30,27 +54,139 @@ "authentik-src": { "flake": false, "locked": { - "lastModified": 1749043670, - "narHash": "sha256-gwHngqb23U8By7jhxFWQZOXy+vPQApJSkvr4gHI5ifQ=", + "lastModified": 1738183650, + "narHash": "sha256-4XdYlqfd23TVPaJ0R5tEBIpDXLV4mFHdXhIWp5dIvIE=", "owner": "goauthentik", "repo": "authentik", - "rev": "bda30c5ad5838fea36dc0a06f8580cca437f0fc0", + "rev": "f1b7a9f934e6b58a1884ba753575eac6267f4b6e", "type": "github" }, "original": { "owner": "goauthentik", - "ref": "version/2025.4.2", + "ref": "version/2024.12.3", "repo": "authentik", "type": "github" } }, - "crane": { + "cachix": { + "inputs": { + "devenv": "devenv", + "flake-compat": "flake-compat_3", + "git-hooks": "git-hooks", + "nixpkgs": "nixpkgs_4" + }, "locked": { - "lastModified": 1731098351, - "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=", + "lastModified": 1737621947, + "narHash": "sha256-8HFvG7fvIFbgtaYAY2628Tb89fA55nPm2jSiNs0/Cws=", + "owner": "cachix", + "repo": "cachix", + "rev": "f65a3cd5e339c223471e64c051434616e18cc4f5", + "type": "github" + }, + "original": { + "owner": "cachix", + "ref": "master", + "repo": "cachix", + "type": "github" + } + }, + "cachix_2": { + "inputs": { + "devenv": [ + "conduwuit", + "cachix", + "devenv" + ], + "flake-compat": [ + "conduwuit", + "cachix", + "devenv" + ], + "git-hooks": [ + "conduwuit", + "cachix", + "devenv" + ], + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1728672398, + "narHash": "sha256-KxuGSoVUFnQLB2ZcYODW7AVPAh9JqRlD5BrfsC/Q4qs=", + "owner": "cachix", + "repo": "cachix", + "rev": "aac51f698309fd0f381149214b7eee213c66ef0a", + "type": "github" + }, + "original": { + "owner": "cachix", + "ref": "latest", + "repo": "cachix", + "type": "github" + } + }, + "complement": { + "flake": false, + "locked": { + "lastModified": 1734303596, + "narHash": "sha256-HjDRyLR4MBqQ3IjfMM6eE+8ayztXlbz3gXdyDmFla68=", + "owner": "girlbossceo", + "repo": "complement", + "rev": "14cc5be797b774f1a2b9f826f38181066d4952b8", + "type": 
"github" + }, + "original": { + "owner": "girlbossceo", + "ref": "main", + "repo": "complement", + "type": "github" + } + }, + "conduwuit": { + "inputs": { + "attic": "attic", + "cachix": "cachix", + "complement": "complement", + "crane": "crane_2", + "fenix": "fenix", + "flake-compat": "flake-compat_4", + "flake-utils": [ + "flake-utils" + ], + "liburing": "liburing", + "nix-filter": "nix-filter", + "nixpkgs": [ + "nixpkgs" + ], + "rocksdb": "rocksdb" + }, + "locked": { + "lastModified": 1738740720, + "narHash": "sha256-rE0+UOEfFEGzjjIFdfs1Q4MR/UjVh8Dy6T137Z+ySgo=", + "owner": "girlbossceo", + "repo": "conduwuit", + "rev": "fda8b3680986dc8e038d51b93f7d36bf5c991ef6", + "type": "github" + }, + "original": { + "owner": "girlbossceo", + "repo": "conduwuit", + "type": "github" + } + }, + "crane": { + "inputs": { + "nixpkgs": [ + "conduwuit", + "attic", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1722960479, + "narHash": "sha256-NhCkJJQhD5GUib8zN9JrmYGMwt4lCRp6ZVNzIiYCl0Y=", "owner": "ipetkov", "repo": "crane", - "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28", + "rev": "4c6c77920b8d44cd6660c1621dea6b3fc4b4c4f4", "type": "github" }, "original": { 
@@ -59,14 +195,108 @@ "type": "github" } }, + "crane_2": { + "locked": { + "lastModified": 1737689766, + "narHash": "sha256-ivVXYaYlShxYoKfSo5+y5930qMKKJ8CLcAoIBPQfJ6s=", + "owner": "ipetkov", + "repo": "crane", + "rev": "6fe74265bbb6d016d663b1091f015e2976c4a527", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "ref": "master", + "repo": "crane", + "type": "github" + } + }, + "crane_3": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1717535930, + "narHash": "sha256-1hZ/txnbd/RmiBPNUs7i8UQw2N89uAK3UzrGAWdnFfU=", + "owner": "ipetkov", + "repo": "crane", + "rev": "55e7754ec31dac78980c8be45f8a28e80e370946", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "devenv": { + "inputs": { + "cachix": "cachix_2", + "flake-compat": [ + "conduwuit", + "cachix", + "flake-compat" + ], + "git-hooks": [ + "conduwuit", + "cachix", + "git-hooks" + ], + "nix": "nix", + "nixpkgs": [ + "conduwuit", + "cachix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1733323168, + "narHash": "sha256-d5DwB4MZvlaQpN6OQ4SLYxb5jA4UH5EtV5t5WOtjLPU=", + "owner": "cachix", + "repo": "devenv", + "rev": "efa9010b8b1cfd5dd3c7ed1e172a470c3b84a064", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "devenv", + "type": "github" + } + }, + "fenix": { + "inputs": { + "nixpkgs": [ + "conduwuit", + "nixpkgs" + ], + "rust-analyzer-src": "rust-analyzer-src" + }, + "locked": { + "lastModified": 1737786656, + "narHash": "sha256-ubCW9Jy7ZUOF354bWxTgLDpVnTvIpNr6qR4H/j7I0oo=", + "owner": "nix-community", + "repo": "fenix", + "rev": "2f721f527886f801403f389a9cabafda8f1e3b7f", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "main", + "repo": "fenix", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { - "lastModified": 1747046372, - "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", + "lastModified": 
1733328505, + "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", "owner": "edolstra", "repo": "flake-compat", - "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", "type": "github" }, "original": { @@ -91,16 +321,65 @@ "type": "github" } }, + "flake-compat_3": { + "flake": false, + "locked": { + "lastModified": 1733328505, + "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_4": { + "flake": false, + "locked": { + "lastModified": 1733328505, + "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", + "type": "github" + }, + "original": { + "owner": "edolstra", + "ref": "master", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_5": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1748821116, - "narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=", + "lastModified": 1736143030, + "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1", + "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de", "type": "github" }, "original": { 
@@ -110,6 +389,52 @@ } }, "flake-parts_2": { + "inputs": { + "nixpkgs-lib": [ + "conduwuit", + "attic", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1722555600, + "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_3": { + "inputs": { + "nixpkgs-lib": [ + "conduwuit", + "cachix", + "devenv", + "nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1712014858, + "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_4": { "inputs": { "nixpkgs-lib": [ "lanzaboote", @@ -117,11 +442,11 @@ ] }, "locked": { - "lastModified": 1730504689, - "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", + "lastModified": 1717285511, + "narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "506278e768c2a08bec68eb62932193e341f55c90", + "rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8", "type": "github" }, "original": { @@ -173,6 +498,24 @@ "inputs": { "systems": "systems_3" }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_4": { + "inputs": { + "systems": "systems_4" + }, "locked": { "lastModified": 1731533236, "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", 
@@ -202,7 +545,59 @@ "type": "github" } }, + "git-hooks": { + "inputs": { + "flake-compat": [ + "conduwuit", + "cachix", + "flake-compat" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "conduwuit", + "cachix", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable_2" + }, + "locked": { + "lastModified": 1733318908, + "narHash": "sha256-SVQVsbafSM1dJ4fpgyBqLZ+Lft+jcQuMtEL3lQWx2Sk=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "6f4e2a2112050951a314d2733a994fbab94864c6", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, "gitignore": { + "inputs": { + "nixpkgs": [ + "conduwuit", + "cachix", + "git-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "gitignore_2": { "inputs": { "nixpkgs": [ "lanzaboote", 
@@ -226,65 +621,97 @@ }, "lanzaboote": { "inputs": { - "crane": "crane", - "flake-compat": "flake-compat_2", - "flake-parts": "flake-parts_2", + "crane": "crane_3", + "flake-compat": "flake-compat_5", + "flake-parts": "flake-parts_4", + "flake-utils": "flake-utils_3", "nixpkgs": [ - "nixpkgs-unstable" + "nixpkgs" ], "pre-commit-hooks-nix": "pre-commit-hooks-nix", "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1737639419, - "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=", + "lastModified": 1718178907, + "narHash": "sha256-eSZyrQ9uoPB9iPQ8Y5H7gAmAgAvCw3InStmU3oEjqsE=", "owner": "nix-community", "repo": "lanzaboote", - "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e", + "rev": "b627ccd97d0159214cee5c7db1412b75e4be6086", "type": "github" }, "original": { "owner": "nix-community", - "ref": "v0.4.2", + "ref": "v0.4.1", "repo": "lanzaboote", "type": "github" } }, + "libgit2": { + "flake": false, + "locked": { + "lastModified": 1697646580, + "narHash": "sha256-oX4Z3S9WtJlwvj0uH9HlYcWv+x1hqp8mhXl7HsLu2f0=", + "owner": "libgit2", + "repo": "libgit2", + "rev": "45fd9ed7ae1a9b74b957ef4f337bc3c8b3df01b5", + "type": "github" + }, + "original": { + "owner": "libgit2", + "repo": "libgit2", + "type": "github" + } + }, + "liburing": { + "flake": false, + "locked": { + "lastModified": 1737600516, + "narHash": "sha256-EKyLQ3pbcjoU5jH5atge59F4fzuhTsb6yalUj6Ve2t8=", + "owner": "axboe", + "repo": "liburing", + "rev": "6c509e2b0c881a13b83b259a221bf15fc9b3f681", + "type": "github" + }, + "original": { + "owner": "axboe", + "ref": "master", + "repo": "liburing", + "type": "github" + } + }, "lix": { "flake": false, "locked": { - "lastModified": 1749838547, - "narHash": "sha256-4qJy0n+6P13/XAHPlcjcWK6MDNYd38PkFdI8iCiJYYo=", - "rev": "1e34c3747779a82d59ef27b351d4ed02fb372a2a", + "lastModified": 1737234286, + "narHash": "sha256-CCKIAE84dzkrnlxJCKFyffAxP3yfsOAbdvydUGqq24g=", + "rev": "2837da71ec1588c1187d2e554719b15904a46c8b", "type": "tarball", - "url": 
"https://git.lix.systems/api/v1/repos/lix-project/lix/archive/1e34c3747779a82d59ef27b351d4ed02fb372a2a.tar.gz?rev=1e34c3747779a82d59ef27b351d4ed02fb372a2a" + "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/2837da71ec1588c1187d2e554719b15904a46c8b.tar.gz?rev=2837da71ec1588c1187d2e554719b15904a46c8b" }, "original": { "type": "tarball", - "url": "https://git.lix.systems/lix-project/lix/archive/main.tar.gz" + "url": "https://git.lix.systems/lix-project/lix/archive/2.92.0.tar.gz" } }, "lix-module": { "inputs": { - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_4", "flakey-profile": "flakey-profile", - "lix": [ - "lix" - ], + "lix": "lix", "nixpkgs": [ - "nixpkgs-unstable" + "nixpkgs" ] }, "locked": { - "lastModified": 1747667424, - "narHash": "sha256-7EICjbmG6lApWKhFtwvZovdcdORY1CEe6/K7JwtpYfs=", - "rev": "3c23c6ae2aecc1f76ae7993efe1a78b5316f0700", + "lastModified": 1737237494, + "narHash": "sha256-YMLrcBpf0TR5r/eaqm8lxzFPap2TxCor0ZGcK3a7+b8=", + "rev": "b90bf629bbd835e61f1317b99e12f8c831017006", "type": "tarball", - "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/3c23c6ae2aecc1f76ae7993efe1a78b5316f0700.tar.gz?rev=3c23c6ae2aecc1f76ae7993efe1a78b5316f0700" + "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/b90bf629bbd835e61f1317b99e12f8c831017006.tar.gz?rev=b90bf629bbd835e61f1317b99e12f8c831017006" }, "original": { "type": "tarball", - "url": "https://git.lix.systems/lix-project/nixos-module/archive/main.tar.gz" + "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.92.0.tar.gz" } }, "microvm": { 
@@ -298,15 +725,16 @@ "spectrum": "spectrum" }, "locked": { - "lastModified": 1748464257, - "narHash": "sha256-PdnQSE2vPfql9WEjunj2qQnDpuuvk7HH+4djgXJSwFs=", + "lastModified": 1712366957, + "narHash": "sha256-7W3D1Gk6mGlwtV07n6YB/7s3tThcBYknlvDPcoJJSe4=", "owner": "astro", "repo": "microvm.nix", - "rev": "e238645b6f0447a2eb1d538d300d5049d4006f9f", + "rev": "1e746a8987eb893adc8dd317b84e73d72803b650", "type": "github" }, "original": { "owner": "astro", + "ref": "v0.5.0", "repo": "microvm.nix", "type": "github" } 
@@ -337,13 +765,114 @@ "type": "github" } }, + "nix": { + "inputs": { + "flake-compat": [ + "conduwuit", + "cachix", + "devenv" + ], + "flake-parts": "flake-parts_3", + "libgit2": "libgit2", + "nixpkgs": "nixpkgs_3", + "nixpkgs-23-11": [ + "conduwuit", + "cachix", + "devenv" + ], + "nixpkgs-regression": [ + "conduwuit", + "cachix", + "devenv" + ], + "pre-commit-hooks": [ + "conduwuit", + "cachix", + "devenv" + ] + }, + "locked": { + "lastModified": 1727438425, + "narHash": "sha256-X8ES7I1cfNhR9oKp06F6ir4Np70WGZU5sfCOuNBEwMg=", + "owner": "domenkozar", + "repo": "nix", + "rev": "f6c5ae4c1b2e411e6b1e6a8181cc84363d6a7546", + "type": "github" + }, + "original": { + "owner": "domenkozar", + "ref": "devenv-2.24", + "repo": "nix", + "type": "github" + } + }, + "nix-filter": { + "locked": { + "lastModified": 1731533336, + "narHash": "sha256-oRam5PS1vcrr5UPgALW0eo1m/5/pls27Z/pabHNy2Ms=", + "owner": "numtide", + "repo": "nix-filter", + "rev": "f7653272fd234696ae94229839a99b73c9ab7de0", + "type": "github" + }, + "original": { + "owner": "numtide", + "ref": "main", + "repo": "nix-filter", + "type": "github" + } + }, + "nix-github-actions": { + "inputs": { + "nixpkgs": [ + "authentik-nix", + "poetry2nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729742964, + "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, + "nix-github-actions_2": { + "inputs": { + "nixpkgs": [ + "conduwuit", + "attic", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729742964, + "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": 
"nix-github-actions", + "type": "github" + } + }, "nixos-hardware": { "locked": { - "lastModified": 1749832440, - "narHash": "sha256-lfxhuxAaHlYFGr8yOrAXZqdMt8PrFLzjVqH9v3lQaoY=", + "lastModified": 1738638143, + "narHash": "sha256-ZYMe4c4OCtIUBn5hx15PEGr0+B1cNEpl2dsaLxwY2W0=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "db030f62a449568345372bd62ed8c5be4824fa49", + "rev": "9bdd53f5908453e4d03f395eb1615c3e9a351f70", "type": "github" }, "original": { 
@@ -355,36 +884,49 @@ }, "nixpkgs": { "locked": { - "lastModified": 1748929857, - "narHash": "sha256-lcZQ8RhsmhsK8u7LIFsJhsLh/pzR9yZ8yqpTzyGdj+Q=", + "lastModified": 1726042813, + "narHash": "sha256-LnNKCCxnwgF+575y0pxUdlGZBO/ru1CtGHIqQVfvjlA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c2a03962b8e24e669fb37b7df10e7c79531ff1a4", + "rev": "159be5db480d1df880a0135ca0bfed84c2f88353", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-lib": { "locked": { - "lastModified": 1748740939, - "narHash": "sha256-rQaysilft1aVMwF14xIdGS3sj1yHlI6oKQNBRTF40cc=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "656a64127e9d791a334452c6b6606d17539476e2", - "type": "github" + "lastModified": 1735774519, + "narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz" }, "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz" } }, "nixpkgs-stable": { + "locked": { + "lastModified": 1724316499, + "narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_2": { "locked": { "lastModified": 1730741070, "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=", 
@@ -400,13 +942,29 @@ "type": "github" } }, + "nixpkgs-stable_3": { + "locked": { + "lastModified": 1710695816, + "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "614b4613980a522ba49f0d194531beddbb7220d3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-unstable": { "locked": { - "lastModified": 1749794982, - "narHash": "sha256-Kh9K4taXbVuaLC0IL+9HcfvxsSUx8dPB5s5weJcc9pc=", + "lastModified": 1738680400, + "narHash": "sha256-ooLh+XW8jfa+91F1nhf9OF7qhuA/y1ChLx6lXDNeY5U=", "owner": "nixos", "repo": "nixpkgs", - "rev": "ee930f9755f58096ac6e8ca94a1887e0534e2d81", + "rev": "799ba5bffed04ced7067a91798353d360788b30d", "type": "github" }, "original": { 
@@ -418,39 +976,118 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1749727998, - "narHash": "sha256-mHv/yeUbmL91/TvV95p+mBVahm9mdQMJoqaTVTALaFw=", + "lastModified": 1730531603, + "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fd487183437963a59ba763c0cc4f27e3447dd6dd", + "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-25.05", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } }, + "nixpkgs_3": { + "locked": { + "lastModified": 1717432640, + "narHash": "sha256-+f9c4/ZX5MWDOuB1rKoWj+lBNm0z0rs4CK47HBLxy1o=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "88269ab3044128b7c2f4c7d68448b2fb50456870", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_4": { + "locked": { + "lastModified": 1733212471, + "narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "55d15ad12a74eb7d4646254e13638ad0c4128776", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_5": { + "locked": { + "lastModified": 1738702386, + "narHash": "sha256-nJj8f78AYAxl/zqLiFGXn5Im1qjFKU8yBPKoWEeZN5M=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "030ba1976b7c0e1a67d9716b17308ccdab5b381e", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "poetry2nix": { + "inputs": { + "flake-utils": [ + "authentik-nix", + "flake-utils" + ], + "nix-github-actions": "nix-github-actions", + "nixpkgs": [ + "authentik-nix", + "nixpkgs" + ], + "systems": [ + "authentik-nix", + "systems" + ], + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1736884309, + "narHash": "sha256-eiCqmKl0BIRiYk5/ZhZozwn4/7Km9CWTbc15Cv+VX5k=", + 
"owner": "nix-community", + "repo": "poetry2nix", + "rev": "75d0515332b7ca269f6d7abfd2c44c47a7cbca7b", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "poetry2nix", + "type": "github" + } + }, "pre-commit-hooks-nix": { "inputs": { "flake-compat": [ "lanzaboote", "flake-compat" ], - "gitignore": "gitignore", + "gitignore": "gitignore_2", "nixpkgs": [ "lanzaboote", "nixpkgs" ], - "nixpkgs-stable": "nixpkgs-stable" + "nixpkgs-stable": "nixpkgs-stable_3" }, "locked": { - "lastModified": 1731363552, - "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=", + "lastModified": 1717664902, + "narHash": "sha256-7XfBuLULizXjXfBYy/VV+SpYMHreNRHk9nKMsm1bgb4=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0", + "rev": "cc4d466cb1254af050ff7bdf47f6d404a7c646d1", "type": "github" }, "original": { 
@@ -459,85 +1096,73 @@ "type": "github" } }, - "pyproject-build-systems": { - "inputs": { - "nixpkgs": [ - "authentik-nix", - "nixpkgs" - ], - "pyproject-nix": [ - "authentik-nix", - "pyproject-nix" - ], - "uv2nix": [ - "authentik-nix", - "uv2nix" - ] - }, + "rocksdb": { + "flake": false, "locked": { - "lastModified": 1748562898, - "narHash": "sha256-STk4QklrGpM3gliPKNJdBLSQvIrqRuwHI/rnYb/5rh8=", - "owner": "pyproject-nix", - "repo": "build-system-pkgs", - "rev": "33bd58351957bb52dd1700ea7eeefe34de06a892", + "lastModified": 1737828695, + "narHash": "sha256-8Ev6zzhNPU798JNvU27a7gj5X+6SDG3jBweUkQ59DbA=", + "owner": "girlbossceo", + "repo": "rocksdb", + "rev": "a4d9230dcc9d03be428b9a728133f8f646c0065c", "type": "github" }, "original": { - "owner": "pyproject-nix", - "repo": "build-system-pkgs", - "type": "github" - } - }, - "pyproject-nix": { - "inputs": { - "nixpkgs": [ - "authentik-nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1746540146, - "narHash": "sha256-QxdHGNpbicIrw5t6U3x+ZxeY/7IEJ6lYbvsjXmcxFIM=", - "owner": "pyproject-nix", - "repo": "pyproject.nix", - "rev": "e09c10c24ebb955125fda449939bfba664c467fd", - "type": "github" - }, - "original": { - "owner": "pyproject-nix", - "repo": "pyproject.nix", + "owner": "girlbossceo", + "ref": "v9.9.3", + "repo": "rocksdb", "type": "github" } }, "root": { "inputs": { "authentik-nix": "authentik-nix", + "conduwuit": "conduwuit", "flake-utils": "flake-utils_2", "lanzaboote": "lanzaboote", - "lix": "lix", "lix-module": "lix-module", "microvm": "microvm", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs_5", "nixpkgs-unstable": "nixpkgs-unstable", "sops-nix": "sops-nix", "tmux-yank": "tmux-yank", "website": "website" } }, + "rust-analyzer-src": { + "flake": false, + "locked": { + "lastModified": 1737728869, + "narHash": "sha256-U4pl3Hi0lT6GP4ecN3q9wdD2sdaKMbmD/5NJ1NdJ9AM=", + "owner": "rust-lang", + "repo": "rust-analyzer", + "rev": "6e4c29f7ce18cea7d3d31237a4661ab932eab636", + 
"type": "github" + }, + "original": { + "owner": "rust-lang", + "ref": "nightly", + "repo": "rust-analyzer", + "type": "github" + } + }, "rust-overlay": { "inputs": { + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], "nixpkgs": [ "lanzaboote", "nixpkgs" ] }, "locked": { - "lastModified": 1731897198, - "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=", + "lastModified": 1717813066, + "narHash": "sha256-wqbRwq3i7g5EHIui0bIi84mdqZ/It1AXBSLJ5tafD28=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5", + "rev": "6dc3e45fe4aee36efeed24d64fc68b1f989d5465", "type": "github" }, "original": { @@ -553,11 +1178,11 @@ ] }, "locked": { - "lastModified": 1749592509, - "narHash": "sha256-VunQzfZFA+Y6x3wYi2UE4DEQ8qKoAZZCnZPUlSoqC+A=", + "lastModified": 1738291974, + "narHash": "sha256-wkwYJc8cKmmQWUloyS9KwttBnja2ONRuJQDEsmef320=", "owner": "Mic92", "repo": "sops-nix", - "rev": "50754dfaa0e24e313c626900d44ef431f3210138", + "rev": "4c1251904d8a08c86ac6bc0d72cc09975e89aef7", "type": "github" }, "original": { @@ -569,11 +1194,11 @@ "spectrum": { "flake": false, "locked": { - "lastModified": 1746869549, - "narHash": "sha256-BKZ/yZO/qeLKh9YqVkKB6wJiDQJAZNN5rk5NsMImsWs=", + "lastModified": 1708358594, + "narHash": "sha256-e71YOotu2FYA67HoC/voJDTFsiPpZNRwmiQb4f94OxQ=", "ref": "refs/heads/main", - "rev": "d927e78530892ec8ed389e8fae5f38abee00ad87", - "revCount": 862, + "rev": "6d0e73864d28794cdbd26ab7b37259ab0e1e044c", + "revCount": 614, "type": "git", "url": "https://spectrum-os.org/git/spectrum" }, @@ -627,6 +1252,21 @@ "type": "github" } }, + "systems_4": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "tmux-yank": { "flake": false, "locked": { 
@@ -643,28 +1283,25 @@ "type": "github" } }, - "uv2nix": { + "treefmt-nix": { "inputs": { "nixpkgs": [ "authentik-nix", + "poetry2nix", "nixpkgs" - ], - "pyproject-nix": [ - "authentik-nix", - "pyproject-nix" ] }, "locked": { - "lastModified": 1748916602, - "narHash": "sha256-GiwjjmPIISDFD0uQ1DqQ+/38hZ+2z1lTKVj/TkKaWwQ=", - "owner": "pyproject-nix", - "repo": "uv2nix", - "rev": "a4dd471de62b27928191908f57bfcd702ec2bfc9", + "lastModified": 1730120726, + "narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "9ef337e492a5555d8e17a51c911ff1f02635be15", "type": "github" }, "original": { - "owner": "pyproject-nix", - "repo": "uv2nix", + "owner": "numtide", + "repo": "treefmt-nix", "type": "github" } }, @@ -678,18 +1315,18 @@ ] }, "locked": { - "lastModified": 1739635190, - "narHash": "sha256-UOFXRKepDpnPTGRyyfOt8uVkYaDL4gMbE2VlZR0lCNA=", + "lastModified": 1738536830, + "narHash": "sha256-3QbNcI9qJ0tKv00w0r2Amqf9pylHVolcTyEi30WZxY8=", "ref": "main", - "rev": "28953f4e57a2c4ca2ada3547a45c8d2a839d4dfc", - "revCount": 9, + "rev": "6fd169aab3ce461fef6a1a4dcbb2ef643e12d9e6", + "revCount": 5, "type": "git", - "url": "https://git.oxapentane.com/0xa/website.git" + "url": "https://codeberg.org/0xa/website.git" }, "original": { "ref": "main", "type": "git", - "url": "https://git.oxapentane.com/0xa/website.git" + "url": "https://codeberg.org/0xa/website.git" } } }, diff --git a/flake.nix b/flake.nix index 0c04048..15c7611 100644 --- a/flake.nix +++ b/flake.nix @@ -1,7 +1,7 @@ { inputs = { - nixpkgs-unstable.url = "github:nixos/nixpkgs?ref=nixos-unstable"; - nixpkgs.url = "github:NixOS/nixpkgs?ref=nixos-25.05"; + nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11"; flake-utils.url = "github:numtide/flake-utils"; 
@@ -10,10 +10,10 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - nixos-hardware.url = "github:NixOS/nixos-hardware?ref=master"; + nixos-hardware.url = "github:NixOS/nixos-hardware/master"; microvm = { - url = "github:astro/microvm.nix"; + url = "github:astro/microvm.nix/v0.5.0"; inputs = { nixpkgs.follows = "nixpkgs"; flake-utils.follows = "flake-utils"; @@ -21,27 +21,28 @@ }; lanzaboote = { - url = "github:nix-community/lanzaboote?ref=v0.4.2"; - inputs.nixpkgs.follows = "nixpkgs-unstable"; + url = "github:nix-community/lanzaboote/v0.4.1"; + inputs.nixpkgs.follows = "nixpkgs"; }; authentik-nix = { url = "github:nix-community/authentik-nix"; - }; - - lix = { - url = "https://git.lix.systems/lix-project/lix/archive/main.tar.gz"; - flake = false; + inputs.nixpkgs.follows = "nixpkgs"; }; lix-module = { - url = "https://git.lix.systems/lix-project/nixos-module/archive/main.tar.gz"; - inputs.nixpkgs.follows = "nixpkgs-unstable"; - inputs.lix.follows = "lix"; + url = "https://git.lix.systems/lix-project/nixos-module/archive/2.92.0.tar.gz"; + inputs.nixpkgs.follows = "nixpkgs"; }; website = { - url = "git+https://git.oxapentane.com/0xa/website.git?ref=main"; + url = "git+https://codeberg.org/0xa/website.git?ref=main"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.flake-utils.follows = "flake-utils"; + }; + + conduwuit = { + url = "github:girlbossceo/conduwuit"; inputs.nixpkgs.follows = "nixpkgs"; inputs.flake-utils.follows = "flake-utils"; }; @@ -54,12 +55,12 @@ outputs = inputs@{ + authentik-nix, lanzaboote, lix-module, microvm, nixos-hardware, nixpkgs, - nixpkgs-unstable, sops-nix, ... }: 
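Review bot: The new `conduwuit` input is the only one in this hunk without a ref — `url = "github:girlbossceo/conduwuit";` tracks the repository's default branch, so the next `nix flake update` silently pulls whatever HEAD is, while lanzaboote, lix-module and microvm are pinned to tags. Pin it to a release tag or rev, e.g. `url = "github:girlbossceo/conduwuit/<tag-or-rev>";`, so an upstream compromise or force-push cannot reach this config without a deliberate bump; the lock pins rev fda8b368… today, but a lock entry is only as good as the next update. Note also that this hunk moves lanzaboote from v0.4.2 to v0.4.1 and the hunk above moves nixpkgs from nixos-25.05 to nixos-24.11 — older than the removed lines — which reintroduces whatever upstream has fixed since; if this is a deliberate revert it should be stated in the commit message. The `inputs` attrset continues outside the hunk.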
@@ -67,45 +68,36 @@ { nixosConfigurations = let - microvm-stable-list = [ + microvm-list = [ + "auth" + "conduwuit" "forgejo" + "immich" "miniflux" "radicale" - "stream" - ]; - microvm-unstable-list = [ - "auth" - "immich" - "conduwuit" ]; - microvm-builder = ( - nixpkgs-ver: vm-list: - builtins.listToAttrs ( - map (vm: { - name = vm; - value = nixpkgs-ver.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = { inherit inputs; }; - modules = [ - sops-nix.nixosModules.sops - microvm.nixosModules.microvm + microvms = builtins.listToAttrs ( + map (vm: { + name = vm; + value = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = { inherit inputs; }; + modules = [ + sops-nix.nixosModules.sops + microvm.nixosModules.microvm - ./hosts/${vm} - ./modules/server - ./modules/wg - ]; - }; - }) vm-list - ) + ./hosts/${vm} + ./modules/server + ./modules/wg + ]; + }; + }) microvm-list ); - microvms = - (microvm-builder nixpkgs microvm-stable-list) - // (microvm-builder nixpkgs-unstable microvm-unstable-list); in microvms // { - toaster = nixpkgs-unstable.lib.nixosSystem { + toaster = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs = { inherit inputs; }; modules = [ @@ -119,14 +111,15 @@ ./modules/basic-tools ./modules/binary-caches.nix ./modules/devtools.nix - ./modules/emacs.nix - ./modules/gnupg.nix - ./modules/mail ./modules/gnome.nix + ./modules/gnupg.nix ./modules/radio.nix ./modules/science.nix ./modules/tlp.nix ./modules/virtualization.nix + ./hosts/toaster/secure-boot.nix + ./modules/chromium.nix + ./modules/mail ./modules/wg ]; }; @@ -160,7 +153,7 @@ ./modules/wg { - config.microvm.autostart = microvm-stable-list ++ microvm-unstable-list; + config.microvm.autostart = microvm-list; } ]; }; diff --git a/hosts/cloud/proxy/auth.nix b/hosts/cloud/proxy/auth.nix new file mode 100644 index 0000000..c8700f0 --- /dev/null +++ b/hosts/cloud/proxy/auth.nix 
@@ -0,0 +1,36 @@ +{ ... }: +{ + services.nginx.upstreams.authentik = { + servers = { + "10.89.88.11:9000" = { }; + "[fd31:185d:722f::11]:9000" = { }; + }; + extraConfig = '' + keepalive 10; + ''; + }; + + services.nginx.virtualHosts."auth.oxapentane.com" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://authentik"; + extraConfig = '' + # general proxy settings + proxy_connect_timeout 60s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Server $host; + # authentik specifik + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade_keepalive; + ''; + }; + }; +} diff --git a/hosts/cloud/proxy/conduwuit.nix b/hosts/cloud/proxy/conduwuit.nix new file mode 100644 index 0000000..d9c9938 --- /dev/null +++ b/hosts/cloud/proxy/conduwuit.nix 
@@ -0,0 +1,51 @@ +{ self, ... }: +let + proxy-conf = '' + client_max_body_size 50M; + proxy_buffering off; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Access-Control-Allow-Origin *; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + keepalive_timeout 65; + send_timeout 600s; + + proxy_read_timeout 600s; + proxy_send_timeout 600s; + ''; + +in +{ + services.nginx.upstreams.conduwuit = { + servers = { + "10.89.88.16:6167" = { }; + #"[fd31:185d:722f::16]:6167" = { }; + }; + }; + + services.nginx.virtualHosts."oxapentane.com" = { + extraConfig = '' + client_header_timeout 600; + client_body_timeout 600; + ''; + locations."/_matrix/" = { + proxyPass = "http://conduwuit$request_uri"; + extraConfig = proxy-conf; + }; + locations."/_conduwuit/" = { + proxyPass = "http://conduwuit$request_uri"; + extraConfig = proxy-conf; + }; + locations."/.well-known/matrix" = { + proxyPass = "http://conduwuit$request_uri"; + extraConfig = proxy-conf; + }; + }; +} diff --git a/hosts/cloud/proxy/dav.nix b/hosts/cloud/proxy/dav.nix new file mode 100644 index 0000000..6f00943 --- /dev/null +++ b/hosts/cloud/proxy/dav.nix 
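Review bot: `proxy_set_header Access-Control-Allow-Origin *;` in `proxy-conf` adds a request header toward conduwuit; it does not put `Access-Control-Allow-Origin: *` on the responses browsers check, so the CORS header the old Caddy vhost emitted for `/.well-known/matrix/*` (`header /.well-known/matrix/* Access-Control-Allow-Origin *`, removed in hosts/cloud/proxy/default.nix) is lost unless conduwuit sets it itself. The response-side directive is `add_header Access-Control-Allow-Origin *;`; keep in mind that an `add_header` inside a location replaces the header set inherited from `appendHttpConfig`, so HSTS and `X-Content-Type-Options` would need restating there. The same block also hard-codes `proxy_set_header Connection "upgrade";` for every request, while auth.nix and dav.nix use the `$connection_upgrade_keepalive` map that default.nix defines for exactly this; `proxy_set_header Connection $connection_upgrade_keepalive;` here would keep the three files consistent and preserve upstream keep-alive on non-websocket requests.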
@@ -0,0 +1,64 @@ +{ ... }: +{ + services.nginx.upstreams.radicale = { + servers = { + "10.89.88.12:5232" = { }; + "[fd31:185d:722f::12]:5232" = { }; + }; + }; + + services.nginx.virtualHosts."dav.oxapentane.com" = { + forceSSL = true; + enableACME = true; + # Radicale + locations."/" = { + proxyPass = "http://radicale"; + extraConfig = '' + # Radicale stuff + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade_keepalive; + + # authentik stuff + auth_request /outpost.goauthentik.io/auth/nginx; + error_page 401 = @goauthentik_proxy_signin; + auth_request_set $auth_cookie $upstream_http_set_cookie; + proxy_set_header Set-Cookie $auth_cookie; + + # translate headers from the outposts back to the actual upstream + auth_request_set $authentik_username $upstream_http_x_authentik_username; + auth_request_set $authentik_groups $upstream_http_x_authentik_groups; + auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements; + auth_request_set $authentik_email $upstream_http_x_authentik_email; + auth_request_set $authentik_name $upstream_http_x_authentik_name; + auth_request_set $authentik_uid $upstream_http_x_authentik_uid; + + proxy_set_header X-authentik-username $authentik_username; + proxy_set_header X-Remote-User $authentik_username; + proxy_set_header X-authentik-groups $authentik_groups; + proxy_set_header X-authentik-entitlements $authentik_entitlements; + proxy_set_header X-authentik-email $authentik_email; + proxy_set_header X-authentik-name $authentik_name; + proxy_set_header X-authentik-uid $authentik_uid; + ''; + }; + + locations."/outpost.goauthentik.io" = { + proxyPass = "http://authentik/outpost.goauthentik.io"; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Original-URL $scheme://$http_host$request_uri; + proxy_set_header Set-Cookie $auth_cookie; + auth_request_set $auth_cookie $upstream_http_set_cookie; + proxy_pass_request_body off; + proxy_set_header Content-Length ""; + 
''; + }; + locations."@goauthentik_proxy_signin" = { + extraConfig = '' + internal; + proxy_set_header Set-Cookie $auth_cookie; + return 302 /outpost.goauthentik.io/start?rd=$request_uri; + ''; + }; + }; +} diff --git a/hosts/cloud/proxy/default.nix b/hosts/cloud/proxy/default.nix index 6cf0151..e233e65 100644 --- a/hosts/cloud/proxy/default.nix +++ b/hosts/cloud/proxy/default.nix @@ -4,7 +4,12 @@ let in { imports = [ + ./auth.nix + ./conduwuit.nix + ./dav.nix ./git.nix + ./immich.nix + ./news.nix ]; networking.firewall.allowedTCPPorts = [ 
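Review bot: `proxy_set_header Set-Cookie $auth_cookie;` appears in all three locations of dav.oxapentane.com, but `proxy_set_header` only shapes the request sent upstream, so the cookie the outpost returns on the auth subrequest (captured by `auth_request_set $auth_cookie $upstream_http_set_cookie;`) never reaches the browser; in `@goauthentik_proxy_signin` there is no `proxy_pass` at all, so the line is a no-op and the redirect to `/outpost.goauthentik.io/start` goes out without the session cookie. The response-side form is `add_header Set-Cookie $auth_cookie;` in each of the three places; note that an `add_header` at location level replaces the headers inherited from `appendHttpConfig` in default.nix, so HSTS and `X-Content-Type-Options` have to be repeated in those locations. The `/` location correctly overwrites any client-supplied `X-Remote-User` with `$authentik_username`, but that only protects Radicale if 10.89.88.12:5232 is reachable solely through this proxy and Radicale is configured to trust that header from it — neither is visible in this diff, so it is worth confirming and stating in a comment.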
@@ -12,85 +17,63 @@ in 443 ]; - services.caddy = { + services.nginx = { enable = true; + + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedTlsSettings = true; + + sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; + + appendHttpConfig = '' + # upgrade websockets + map $http_upgrade $connection_upgrade_keepalive { + default upgrade; + ''' '''; + } + + ### TLS + # Add HSTS header with preloading to HTTPS requests. + # Adding this header to HTTP requests is discouraged + map $scheme $hsts_header { + https "max-age=31536000; includeSubdomains; preload"; + } + add_header Strict-Transport-Security $hsts_header; + + # Enable CSP for your services. + # add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + + # Minimize information leaked to other domains + add_header 'Referrer-Policy' 'origin-when-cross-origin'; + + # Disable embedding as a frame + # add_header X-Frame-Options DENY; + + # Prevent injection of code in other mime types (XSS Attacks) + add_header X-Content-Type-Options nosniff; + ''; + virtualHosts."oxapentane.com" = { - serverAliases = [ "www.oxapentane.com" ]; - extraConfig = '' - # conduit - @matrix { - path /.well-known/matrix/* - path /_matrix/* - } - - route { - header /.well-known/matrix/* Access-Control-Allow-Origin * - - reverse_proxy @matrix 10.89.88.16:6167 - - # file server - file_server { - root ${website} - index index.html - } - } - ''; + forceSSL = true; + enableACME = true; + default = true; + locations."/" = { + root = "${website}"; + index = "index.html"; + }; }; + virtualHosts."www.oxapentane.com" = { + forceSSL = true; + enableACME = true; + locations."/" = { + return = "302 https://oxapentane.com"; + }; + }; + }; - virtualHosts."auth.oxapentane.com".extraConfig = '' - reverse_proxy 10.89.88.11:9000 [fd31:185d:722f::11]:9000 - ''; - - virtualHosts."dav.oxapentane.com".extraConfig = '' - route { - reverse_proxy /outpost.goauthentik.io/* 10.89.88.11:9000 
[fd31:185d:722f::11]:9000 - - forward_auth 10.89.88.11:9000 { - uri /outpost.goauthentik.io/auth/caddy - copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version X-Authentik-Username>X-Remote-User - trusted_proxies 10.89.88.11 fd31:185d:722f::11 - } - } - reverse_proxy 10.89.88.12:5232 [fd31:185d:722f::12]:5232 - - ''; - - virtualHosts."immich.oxapentane.com".extraConfig = '' - reverse_proxy 10.89.88.13:2283 - ''; - - virtualHosts."news.oxapentane.com".extraConfig = "reverse_proxy http://10.89.88.14:8080"; - - virtualHosts."music.oxapentane.com".extraConfig = '' - route { - reverse_proxy /outpost.goauthentik.io/* 10.89.88.11:9000 [fd31:185d:722f::11]:9000 - - @protected not path /share/* /rest/* - forward_auth @protected 10.89.88.11:9000 { - uri /outpost.goauthentik.io/auth/caddy - copy_headers X-Authentik-Username>Remote-User - trusted_proxies 10.89.88.11 fd31:185d:722f::11 - } - - - @subsonic path /rest/* - forward_auth @subsonic 10.89.88.11:9000 { - uri /outpost.goauthentik.io/auth/caddy - copy_headers X-Authentik-Username>Remote-User - @error status 1xx 3xx 4xx 5xx - handle_response @error { - respond < - - - SUBSONICERR 200 - } - trusted_proxies 10.89.88.11 fd31:185d:722f::11 - } - } - reverse_proxy 10.89.88.17:4533 - - ''; - + security.acme = { + acceptTerms = true; + defaults.email = "acme@oxapentane.com"; }; } diff --git a/hosts/cloud/proxy/git.nix b/hosts/cloud/proxy/git.nix index 6986f80..ac53f4c 100644 --- a/hosts/cloud/proxy/git.nix +++ b/hosts/cloud/proxy/git.nix 
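Review bot: `sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";` is the effective TLS 1.2 suite list for every vhost, and it admits CBC suites such as ECDHE-RSA-AES256-SHA384 (only anonymous suites are excluded) while excluding ChaCha20-Poly1305 and AES-128-GCM, the AEAD suites most mobile clients prefer; restricting to AEAD only, e.g. `sslCiphers = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";`, is the stronger choice (TLS 1.3 is unaffected either way). The HSTS value in `appendHttpConfig` carries `preload`, which is a long-lived commitment for every subdomain; it is appropriate only if the domain is actually submitted to the preload list, otherwise `includeSubdomains` alone is the safer default. Every proxy vhost in this commit hand-writes the same `proxy_set_header Host/X-Real-IP/X-Forwarded-*` lines; `recommendedProxySettings = true;` here would provide them centrally and remove the drift between git.nix, immich.nix, news.nix and conduwuit.nix.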
@@ -35,6 +35,34 @@ "fd31:185d:722e::1" ]; - services.caddy.virtualHosts."git.oxapentane.com".extraConfig = - "reverse_proxy 10.89.88.15:3000 [fd31:185d:722f::15]:3000"; + services.nginx.upstreams.forgejo = { + servers = { + "10.89.88.15:3000" = { }; + "[fd31:185d:722f::15]:3000" = { }; + }; + }; + + services.nginx.virtualHosts."git.oxapentane.com" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://forgejo"; + extraConfig = '' + client_max_body_size 50000M; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + proxy_read_timeout 600s; + proxy_send_timeout 600s; + send_timeout 600s; + ''; + }; + }; } diff --git a/hosts/cloud/proxy/immich.nix b/hosts/cloud/proxy/immich.nix new file mode 100644 index 0000000..93e62d2 --- /dev/null +++ b/hosts/cloud/proxy/immich.nix @@ -0,0 +1,33 @@ +{ ... }: +{ + services.nginx.upstreams.immich = { + servers = { + "10.89.88.13:2283" = { }; + "[fd31:185d:722f::13]:2283" = { }; + }; + }; + + services.nginx.virtualHosts."immich.oxapentane.com" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://immich"; + extraConfig = '' + client_max_body_size 50000M; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + proxy_read_timeout 600s; + proxy_send_timeout 600s; + send_timeout 600s; + ''; + }; + }; +} diff --git a/hosts/cloud/proxy/news.nix b/hosts/cloud/proxy/news.nix new file mode 100644 index 0000000..3bbfda2 --- /dev/null +++ b/hosts/cloud/proxy/news.nix 
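Review bot: git.nix and immich.nix carry the same 15-line `extraConfig` (`client_max_body_size 50000M;`, the `proxy_set_header` block, the 600s timeouts) and both hard-code `proxy_set_header Connection "upgrade";` on every request, although default.nix defines the `$connection_upgrade_keepalive` map for this purpose and auth.nix already uses it; `proxy_set_header Connection $connection_upgrade_keepalive;` in both places matches the sibling files and keeps upstream keep-alive working for ordinary requests. Lifting the shared block into a `let proxy-conf = '' … ''` as conduwuit.nix does would leave only the upstream and the body-size limit per file. With nginx's default `proxy_request_buffering on`, a 50000M limit means any client can park very large uploads on the proxy's disk before Forgejo or Immich has authenticated the request; `proxy_request_buffering off;` streams bodies through instead and is the usual pairing for large-upload locations.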
@@ -0,0 +1,17 @@ +{ ... }: +{ + services.nginx.virtualHosts."news.oxapentane.com" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://10.89.88.14:8080"; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_redirect off; + ''; + }; + }; +} diff --git a/hosts/conduwuit/conduwuit.nix b/hosts/conduwuit/conduwuit.nix index 8e344e5..1f8d86c 100644 --- a/hosts/conduwuit/conduwuit.nix +++ b/hosts/conduwuit/conduwuit.nix @@ -1,12 +1,15 @@ -{ pkgs, ... }: +{ pkgs, inputs, ... }: +let + conduwuit-latest = inputs.conduwuit.packages.${pkgs.system}.all-features; +in { services.matrix-conduit = { enable = true; - package = pkgs.matrix-conduit; + package = conduwuit-latest; settings = { global = { database_backend = "rocksdb"; - enable_lightning_bolt = false; + new_user_displayname_suffix = ""; port = 6167; server_name = "oxapentane.com"; address = "0.0.0.0"; diff --git a/hosts/forgejo/default.nix b/hosts/forgejo/default.nix index f6de473..02211e5 100644 --- a/hosts/forgejo/default.nix +++ b/hosts/forgejo/default.nix @@ -18,8 +18,7 @@ in microvm = { hypervisor = "qemu"; mem = 3 * 1024; - balloon = true; - vcpu = 4; + vcpu = 2; interfaces = [ { type = "tap"; diff --git a/hosts/immich/immich.nix b/hosts/immich/immich.nix index 11a69b6..40243ae 100644 --- a/hosts/immich/immich.nix +++ b/hosts/immich/immich.nix @@ -1,7 +1,12 @@ { config, + inputs, + pkgs, ... }: +let + immich-latest = inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.immich; +in { sops.secrets."immich.yaml" = { sopsFile = ./immich.yaml; @@ -11,6 +16,7 @@ services.immich = { enable = true; + package = immich-latest; host = "10.89.88.13"; redis.enable = true; database.createDB = true; diff --git a/hosts/stream/default.nix b/hosts/stream/default.nix deleted file mode 100644 index 4543466..0000000 
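Review bot: news.oxapentane.com proxies straight to `http://10.89.88.14:8080` and is the only vhost in this commit without an `upstreams` entry or an IPv6 server, whereas auth.nix, dav.nix, git.nix and immich.nix all declare `services.nginx.upstreams.<name>` with both addresses. Giving Miniflux the same shape (`services.nginx.upstreams.miniflux.servers = { "10.89.88.14:8080" = { }; "[<miniflux-ipv6>]:8080" = { }; };` and `proxyPass = "http://miniflux";`) keeps the address list and the failover behaviour in one place per service.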
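Review bot: `immich-latest = inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.immich;` depends on a `nixpkgs-unstable` flake input that this commit removes from the `outputs` destructuring in flake.nix; that still resolves through the `inputs@` pattern, but only if the input itself remains declared, which the visible flake.nix hunks do not show. Pairing an unstable `immich` package with the stable `services.immich` module is also the combination most likely to break on option or schema changes, so a comment such as `# immich from nixpkgs-unstable: stable package is too old for <reason>; revisit on next release bump` would tell the next reader when the override can go. devtools.nix in the same commit uses the identical `inputs.nixpkgs-unstable.legacyPackages` access and shares this dependency.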
--- a/hosts/stream/default.nix +++ /dev/null @@ -1,76 +0,0 @@ -{ config, lib, ... }: -let - mac = "02:00:00:00:00:07"; -in -{ - imports = [ - ./navidrome.nix - ]; - - sops.defaultSopsFile = ./secrets.yaml; - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - - sops.secrets = { - "wg/0xa-proxy" = { - owner = config.users.users.systemd-network.name; - }; - }; - - microvm = { - hypervisor = "qemu"; - mem = 4 * 1024; - vcpu = 3; - interfaces = [ - { - type = "tap"; - id = "uvm-stream"; - mac = mac; - } - ]; - shares = - [ - { - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - tag = "store"; - proto = "virtiofs"; - } - ] - ++ map - (dir: { - source = dir; - mountPoint = "/${dir}"; - tag = dir; - proto = "virtiofs"; - }) - [ - "etc" - "var" - "home" - ]; - }; - - networking.useNetworkd = true; - networking.firewall.enable = lib.mkForce false; # firewalling done by the host - - systemd.network = { - enable = true; - networks."11-host" = { - matchConfig.MACAddress = mac; - networkConfig = { - Address = "10.99.99.17/24"; - DHCP = "no"; - }; - routes = [ - { - Gateway = "10.99.99.1"; - Destination = "0.0.0.0/0"; - Metric = 1024; - } - ]; - }; - }; - - networking.hostName = "stream"; - system.stateVersion = "25.05"; -} diff --git a/hosts/stream/navidrome.nix b/hosts/stream/navidrome.nix deleted file mode 100644 index 0b1cd07..0000000 --- a/hosts/stream/navidrome.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ ... }: -{ - services.navidrome = { - enable = true; - settings = { - Address = "10.89.88.17"; - BaseUrl = "/"; - EnableExternalServices = false; - MusicFolder = "/var/lib/navidrome/music"; - Port = 4533; - ScanSchedule = "@every 11m"; - TranscodingCacheSize = "11GiB"; - ReverseProxyWhitelist = "10.89.88.1/24"; - }; - }; -} diff --git a/hosts/stream/secrets.yaml b/hosts/stream/secrets.yaml deleted file mode 100644 index a75b120..0000000 --- a/hosts/stream/secrets.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -wg: - 0xa-proxy: ENC[AES256_GCM,data:uZfFc4elxCAVZvdIHJ7lgoPs9qKkD9ZvLhcYbexDcqn0alaMzIr++CY52FI=,iv:CREMt6GrLHs4Jwj/55awDFHh9hQlJPEi4ZQ7ZLMPvRA=,tag:iJAGdqzQbyezmDj+tzjdNQ==,type:str] -sops: - age: - - recipient: age148r2q3cy9sjem37rvgtcc4qjx8usxkdg77pqexa56gmcexn58aaslh3cnj - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSko5L1BCOTR1QmZabGw3 - QS9kbDZyWEJvV09MNkNqbTNncjZrOXl6WFZrCmxQelVzbjdvUUl4aVl3UVFVL0Q5 - S0VDNkdvcDZnZytCdjBrZUZYTFlEZncKLS0tIG1NWnlnRGovcWxDL2JYMTc2bEY5 - K29Dd0t6b3FMZjU2cXFBbEw3RktkQlkKCh+jXv65KfAsSR4/0+UWwU5tCphrEEgE - WDbIdUZ8j5xHHQwJ58cU7uQ+BSy0yZlwwr8vPoaKdXQzMgyrQfq3gg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-06-12T22:54:11Z" - mac: ENC[AES256_GCM,data:15EU9VupWfvR8CrfKrX3nhpD60hYB2LY3vuAPvdqzKLliqSqolNj956fOFicfSHvmW/s+7x+M+5FROnOzSbToTZotFtvALQihHH999veGZMx8Q8oIyljT1PBw/SU9djXPI1KjG/zzYOAwu7y/Ffm0QKhMRziH7CQLn30KR0o2w0=,iv:ghdyTvcpgnBi2L9s4UrzwWwt9TeU0WkGquZ64+w9IN8=,tag:4m4hYFgejlEaQROB/OEi6g==,type:str] - pgp: - - created_at: "2025-06-12T22:51:49Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA7zUOKwzpAE7AQ/8ClHQoCuiC0AH28bDit4qjNh/TnYq3IbAdyITOqUYPRc6 - th8MCDY0CfxvzDTLYxTlHH4MNDOiWWTMg/shC8xV3MrAIpEQV79ivYMay04aWpCH - HqlhjBynCwAnJRanc9Ch5zW1wCjpgMp+kMDX8JhhUL0Rmt2fd2nSp4R2bb+/HRvn - vAaDq3TTLkLr1OHcTNKFFbXafGLKMahxkQGRMgD1DIPCLW+nUxerUnlxHo4yjj3B - WKXBVKeWowgBHvelHqUVf6yeSmWZyFDP/jFxFEi75A+BYmwxlQcRDn0L0NKUlMa/ - uF3jtW3XBMS/sLX7aRscBFeEq9XPce9urJK4KPFNVFI3X1WbD6O/Z87Y+MHa2n0s - DuxIwrffpw8p4qSVBAJLbSW1vR/suGh/0Cr31mzo4FJT92A93wc8JdLdpHUfTXL/ - bEbt6M7OSqvIt5/mor7Ad6/HRkEl+sZJnHqeU/qKfAIKKfz5UVG/ZCZDZlVGTmpp - lV9Dn8QjA1ut4lMvACJBocnrlH4T6150ULL0r3gHuVy5YhnGR+LWFdgaCJ4v3f1J - A59eAyQENNMoSGZU/YZx95kFPc1O/GIkmiMpXZxBISN3F70QP30ieqbP1qnZRfMg - GldVAFhfaHct4lujlgRfOkmwcNG3gTIru4wAqg+wzriI9jm9vEoF0MDJs2cwNYTS - XgE32jq6Li59TMUQH9iB4l0cM42QbQ8BcSn6o/NhmF6HHq9W5yuD6EIs4KNfdHv6 - ikgqQuGGO9v7qDMd0piyqeLRGMANepxrR5uMsbFmMnah9RUq9CjRbMADLa+8DeU= - =fEVm - 
-----END PGP MESSAGE----- - fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C - unencrypted_suffix: _unencrypted - version: 3.10.2 diff --git a/hosts/toaster/0xa-home.nix b/hosts/toaster/0xa-home.nix deleted file mode 100644 index b3ff5eb..0000000 --- a/hosts/toaster/0xa-home.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ pkgs, ... }: -{ - home.stateVersion = "24.11"; - - home.pointerCursor = { - name = "Banana"; - size = 32; - package = pkgs.banana-cursor; - x11.enable = true; - gtk.enable = true; - }; - - gtk = { - enable = true; - cursorTheme = { - name = "Banana"; - size = 32; - package = pkgs.banana-cursor; - }; - }; -} diff --git a/hosts/toaster/default.nix b/hosts/toaster/default.nix index 7e78114..17f8f09 100644 --- a/hosts/toaster/default.nix +++ b/hosts/toaster/default.nix @@ -46,11 +46,6 @@ supportedLocales = [ "all" ]; }; - # support ddc brigtness control - hardware.i2c.enable = true; - boot.kernelModules = [ "i2c-dev" ]; - environment.systemPackages = [ pkgs.ddcutil ]; - users.users."0xa" = { extraGroups = [ "wheel" @@ -60,7 +55,6 @@ "bluetooth" "libvirtd" "qemu-libvirtd" - "i2c" ]; group = "users"; home = "/home/0xa"; @@ -69,6 +63,8 @@ shell = pkgs.fish; }; + services.emacs.defaultEditor = false; + # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave diff --git a/hosts/toaster/hardware-configuration.nix b/hosts/toaster/hardware-configuration.nix index 318ff03..1b0fbb0 100644 --- a/hosts/toaster/hardware-configuration.nix +++ b/hosts/toaster/hardware-configuration.nix @@ -49,12 +49,6 @@ options = [ "zfsutil" ]; }; - fileSystems."/tmp" = { - device = "zpool/nocomp/tmp"; - fsType = "zfs"; - options = [ "zfsutil" ]; - }; - fileSystems."/boot" = { device = "/dev/disk/by-uuid/A170-F83D"; fsType = "vfat"; diff --git a/hosts/toaster/network/default.nix b/hosts/toaster/network/default.nix index 6504dbb..6d96c3c 100644 
--- a/hosts/toaster/network/default.nix +++ b/hosts/toaster/network/default.nix @@ -7,16 +7,13 @@ ]; # Networkmanager shouldn't interfere with systemd managed interfaces - networking.networkmanager = { - enable = true; - unmanaged = - let - systemd_netdevs = lib.attrsets.attrValues ( - lib.attrsets.mapAttrs (_name: value: value.netdevConfig.Name) config.systemd.network.netdevs - ); - in - systemd_netdevs; - }; + networking.networkmanager.unmanaged = + let + systemd_netdevs = lib.attrsets.attrValues ( + lib.attrsets.mapAttrs (_name: value: value.netdevConfig.Name) config.systemd.network.netdevs + ); + in + systemd_netdevs; systemd.network = { enable = true; diff --git a/hosts/toaster/network/full-networkd.nix b/hosts/toaster/network/full-networkd.nix deleted file mode 100644 index ee0bdbe..0000000 --- a/hosts/toaster/network/full-networkd.nix +++ /dev/null 
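Review bot: `networking.networkmanager.unmanaged = …` is now set in a file that no longer sets `networking.networkmanager.enable`; the NixOS module only renders that option into NetworkManager's configuration when NetworkManager is enabled, so if nothing else in the toaster configuration turns it on (not visible in this diff) the systemd-netdev exclusion is dead config. If GNOME or another module is relied on to enable it, a comment such as `# NetworkManager is enabled by the desktop module; keep systemd-managed netdevs out of its reach` would make that dependency explicit.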
@@ -1,71 +0,0 @@ -{ lib, pkgs, ... }: -{ - imports = [ - ./mullvad.nix - ./dumpdvb.nix - ./zw.nix - ]; - - environment.systemPackages = with pkgs; [ - iwgtk - impala - ]; - - # kick out networkmanager - networking.networkmanager.enable = lib.mkForce false; - networking.useNetworkd = true; - systemd.network.enable = true; - - networking = { - hostName = "toaster"; - firewall.enable = true; - wireguard.enable = true; - wireless.iwd.enable = true; - }; - - services.resolved = { - enable = true; - dnssec = "false"; - fallbackDns = [ - "9.9.9.9" - "2620:fe::fe" - "149.112.112.112" - "2620:fe::9" - ]; - }; - - # we might have no interwebs at all - systemd.network.wait-online.enable = false; - - # uplinks - systemd.network.networks = { - "10-ether-uplink" = { - matchConfig.Name = "enp1s0f0"; - networkConfig = { - DHCP = "yes"; - IPv6AcceptRA = true; - }; - }; - "10-dock-uplink" = { - matchConfig.Name = "enp5s0f4u1u1"; - networkConfig = { - DHCP = "yes"; - IPv6AcceptRA = true; - }; - dhcpV4Config = { - RouteMetric = 666; - }; - dhcpV6Config = { - RouteMetric = 666; - }; - }; - "wlan-uplink" = { - matchConfig.Name = "wlan0"; - networkConfig = { - DHCP = "yes"; - IPv6AcceptRA = true; - }; - }; - }; - -} diff --git a/hosts/toaster/network/mullvad.nix b/hosts/toaster/network/mullvad.nix index 112026d..7c20818 100644 --- a/hosts/toaster/network/mullvad.nix +++ b/hosts/toaster/network/mullvad.nix @@ -2,8 +2,8 @@ { systemd.network = let - pubkey = "uUYbYGKoA6UBh1hfkAz5tAWFv4SmteYC9kWh7/K6Ah0="; - endpoint = "92.60.40.209"; + pubkey = "BChJDLOwZu9Q1oH0UcrxcHP6xxHhyRbjrBUsE0e07Vk="; + endpoint = "169.150.196.15"; port = "51820"; addr = [ "10.74.16.48/32" diff --git a/hosts/toaster/zfs.nix b/hosts/toaster/zfs.nix index 1970bbf..70cc5c9 100644 --- a/hosts/toaster/zfs.nix +++ b/hosts/toaster/zfs.nix @@ -19,7 +19,6 @@ supportedFilesystems = [ "zfs" ]; kernelParams = [ "nohibernate" ]; plymouth.enable = false; - tmp.useTmpfs = false; - tmp.cleanOnBoot = true; + tmp.useTmpfs = true; }; } 
diff --git a/modules/basic-tools/default.nix b/modules/basic-tools/default.nix index a917168..699de18 100644 --- a/modules/basic-tools/default.nix +++ b/modules/basic-tools/default.nix @@ -39,6 +39,7 @@ exfatprogs nmap bind + nnn lf man-pages unzip @@ -49,17 +50,8 @@ sshfs whois mtr - joshuto ] - ++ ( - if config.networking.hostName == "toaster" then - [ - gitFull - git-lfs - ] - else - [ git ] - ); + ++ (if config.networking.hostName == "toaster" then [ gitFull ] else [ git ]); environment.variables = let diff --git a/modules/basic-tools/fish.nix b/modules/basic-tools/fish.nix index 5e06de3..0d0adb9 100644 --- a/modules/basic-tools/fish.nix +++ b/modules/basic-tools/fish.nix @@ -3,9 +3,11 @@ environment.systemPackages = with pkgs; [ lsd fzf + grc fishPlugins.done fishPlugins.fzf-fish fishPlugins.tide + fishPlugins.grc ]; programs.fish = { @@ -13,7 +15,6 @@ interactiveShellInit = '' set fish_greeting function fish_command_not_found - echo "Command not found" end ''; shellAliases = { diff --git a/modules/basic-tools/fzf.nix b/modules/basic-tools/fzf.nix index 96ab39c..8ad1b92 100644 --- a/modules/basic-tools/fzf.nix +++ b/modules/basic-tools/fzf.nix @@ -1,4 +1,6 @@ { + lib, + config, pkgs, ... }: @@ -12,8 +14,15 @@ }; }; # integrate fzf into shell, >23.05 only - programs.fzf = { - keybindings = true; - fuzzyCompletion = true; - }; + programs = + with lib; + if (toInt (elemAt (splitVersion config.system.nixos.release) 0) >= 23) then + { + fzf = { + keybindings = true; + fuzzyCompletion = true; + }; + } + else + { }; } diff --git a/modules/basic-tools/nix.nix b/modules/basic-tools/nix.nix index a67c6a8..980ab76 100644 --- a/modules/basic-tools/nix.nix +++ b/modules/basic-tools/nix.nix @@ -1,5 +1,7 @@ { + lib, pkgs, + inputs, ... }: { 
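Review bot: in fzf.nix, `if (toInt (elemAt (splitVersion config.system.nixos.release) 0) >= 23) then` compares only the year component, so the comment `# integrate fzf into shell, >23.05 only` is not what the test checks — 23.05 itself passes, and any `23.xx` does. `lib.versionAtLeast config.system.nixos.release "23.05"` states the intent directly and handles the minor part; the `with lib;` over the whole `programs` attribute could then go as well.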
@@ -14,10 +16,14 @@ # nix output-monitor environment.systemPackages = [ pkgs.nix-output-monitor ]; - nixpkgs.flake = { - setFlakeRegistry = true; - setNixPath = true; - }; + # override default nix shell nixpkgs# behaviour to use current flake lock + nix.registry = + let + flakes = lib.filterAttrs (_name: value: value ? outputs) inputs.self.inputs; + in + builtins.mapAttrs (_name: v: { flake = v; }) flakes; + + nix.nixPath = lib.mapAttrsToList (name: value: "${name}=${value.outPath}") inputs.self.inputs; nixpkgs.config.allowUnfree = true; } diff --git a/modules/basic-tools/zsh.nix b/modules/basic-tools/zsh.nix index 91c6292..c474267 100644 --- a/modules/basic-tools/zsh.nix +++ b/modules/basic-tools/zsh.nix @@ -39,7 +39,6 @@ LP_ENABLE_SVN=0 LP_BATTERY_THRESHOLD=15 LP_SSH_COLORS=1 - LP_DISABLED_VCS_PATHS=("/home/0xa/proj/NixOS/nixpkgs") ''; }; } diff --git a/modules/chromium.nix b/modules/chromium.nix index 4cdf16a..30d6faf 100644 --- a/modules/chromium.nix +++ b/modules/chromium.nix 
@@ -2,23 +2,24 @@ { environment.systemPackages = with pkgs; [ - (chromium.override { enableWideVine = true; }) + chromium ]; - nixpkgs.config.chromium.commandLineArgs = "--enable-features=UseOzonePlatform --ozone-platform=wayland --ignore-gpu-blocklist --enable-gpu-rasterization --enable-zero-copy --enable-features=VaapiVideoDecoder,VaapiVideoEncoder,CanvasOopRasterization,WebUIDarkMode"; + nixpkgs.config.chromium.commandLineArgs = "--enable-features=UseOzonePlatform --ozone-platform=wayland --force-dark-mode --ignore-gpu-blocklist --enable-gpu-rasterization --enable-zero-copy --enable-features=VaapiVideoDecoder,VaapiVideoEncoder,CanvasOopRasterization,WebUIDarkMode"; programs.chromium = { enable = true; extensions = [ + # "pkehgijcmpdhfbdbbnkijodmdjhbjlgp" # privacy badger "ekhagklcjbdpajgpjgmbionohlpdbjgc" # zotero connector "nngceckbapebfimnlniiiahkandclblb" # bitwarden - "ddkjiahejlhfcafbddmgiahcphecmpfh" # ublock lite + # "cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin + # "ddkjiahejlhfcafbddmgiahcphecmpfh" # ublock lite "mnjggcdmjocbbbhaepdhchncahnbgone" # sponsorblock - "khncfooichmfjbepaaaebmommgaepoid" # unhook ]; extraOpts = { "BrowserSignin" = 0; - "SyncDisabled" = true; + # "SyncDisabled" = true; "PasswordManagerEnabled" = false; "TranslateEnabled" = false; "AutofillAddressEnabled" = false; @@ -30,11 +31,6 @@ # "DefaultSearchProviderSearchURL" = "https://google.com/search?q={searchTerms}"; # "DefaultSearchProviderSearchURL" = "https://duckduckgo.com/?q={searchTerms}"; "SearchSuggestEnable" = false; - "BlockThirdPartyCookies" = true; - "PrivacySandboxAdMeasurementEnabled" = false; - "PrivacySandboxAdTopicsEnabled" = false; - "PrivacySandboxPromptEnabled" = false; - "PrivacySandboxSiteEnabledAdsEnabled" = false; }; }; } diff --git a/modules/desktop-software.nix b/modules/desktop-software.nix index 998c953..054ae37 100644 --- a/modules/desktop-software.nix +++ b/modules/desktop-software.nix 
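Review bot: the `commandLineArgs` string passes `--enable-features=` twice (`--enable-features=UseOzonePlatform …` and later `--enable-features=VaapiVideoDecoder,…`); Chromium does not guarantee that repeated switches are merged and in practice the later value tends to win, so `UseOzonePlatform` may be dropped silently. Merging into one `--enable-features=UseOzonePlatform,VaapiVideoDecoder,VaapiVideoEncoder,CanvasOopRasterization,WebUIDarkMode` removes the ambiguity. This hunk also removes `BlockThirdPartyCookies` and the `PrivacySandbox*` policies and comments out `SyncDisabled` while keeping `BrowserSignin = 0`; if that loosening is deliberate, a one-line comment on `extraOpts` saying why would stop a later reader from re-adding them as a fix.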
@@ -1,30 +1,24 @@ { pkgs, ... }: { - imports = [ - ./chromium.nix - ]; environment.systemPackages = with pkgs; [ - audacity blender dino - discord - element-desktop ffmpeg-full - ghostty + firefox-wayland + vivaldi + vivaldi-ffmpeg-codecs gimp inkscape - lapce - mpv - obs-studio - qbittorrent - transmission_4-gtk + kicad signal-desktop - spotify - telegram-desktop + tdesktop tor-browser wl-clipboard yt-dlp + element-desktop + discord + spotify + mpv ]; programs.steam.enable = true; - programs.firefox.enable = true; } diff --git a/modules/devtools.nix b/modules/devtools.nix index 04dfd87..8288862 100644 --- a/modules/devtools.nix +++ b/modules/devtools.nix @@ -1,5 +1,8 @@ { pkgs, + inputs, + config, + lib, ... }: { @@ -13,6 +16,11 @@ kikit-library ]; }; + + # binwalk v3 on 24.11 + sys_ver = config.system.nixos.release; + unstablepkgs = inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}; + binwalkv3 = if lib.versionOlder "25.05" sys_ver then binwalk else unstablepkgs.binwalk; in [ # general @@ -21,7 +29,7 @@ gef gdb binutils - binwalk + binwalkv3 clang clang-tools direnv @@ -31,9 +39,9 @@ nix-index kicad kikit - freecad-qt6 + freecad-wayland imhex - python3Full + python313Full nixfmt-rfc-style treefmt android-tools diff --git a/modules/emacs.nix b/modules/emacs.nix deleted file mode 100644 index d4b0f26..0000000 --- a/modules/emacs.nix +++ /dev/null @@ -1,37 +0,0 @@ -{ - pkgs, - lib, - ... -}: - -{ - environment.systemPackages = with pkgs; [ - direnv - mu - ]; - - services.emacs = { - install = true; - enable = false; - package = - with pkgs; - ( - (emacsPackagesFor ( - emacs-pgtk.overrideAttrs (old: { - passthru = old.passthru // { - treeSitter = true; - }; - }) - )).emacsWithPackages - ( - epkgs: with epkgs; [ - treesit-grammars.with-all-grammars - vterm - pdf-tools - mu4e - ] - ) - ); - defaultEditor = lib.mkForce true; - }; -} diff --git a/modules/fonts.nix b/modules/fonts.nix index e8c54bc..7ee909b 100644 --- a/modules/fonts.nix +++ b/modules/fonts.nix 
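Review bot: in devtools.nix, `binwalkv3 = if lib.versionOlder "25.05" sys_ver then binwalk else unstablepkgs.binwalk;` is true only for releases strictly newer than 25.05, so on 25.05 itself the unstable package is still selected; if 25.05's `binwalk` is already v3, as the comment `# binwalk v3 on 24.11` suggests, the intended test is `lib.versionAtLeast sys_ver "25.05"`. The enclosing `let` begins before this hunk. `pkgs.system` is also the legacy accessor — newer nixpkgs prefers `pkgs.stdenv.hostPlatform.system` — and the same form is used in hosts/immich/immich.nix and hosts/conduwuit/conduwuit.nix in this commit.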
@@ -1,7 +1,6 @@ { pkgs, ... }: { fonts.packages = with pkgs; [ - adwaita-fonts monoid font-awesome dejavu_fonts @@ -19,8 +18,6 @@ liberation_ttf noto-fonts noto-fonts-cjk-sans - noto-fonts-color-emoji - noto-fonts-monochrome-emoji noto-fonts-emoji noto-fonts-extra proggyfonts @@ -29,8 +26,7 @@ twemoji-color-font twitter-color-emoji iosevka-bin - cozette - nerd-fonts.hack + (nerdfonts.override { fonts = [ "Hack" ]; }) ]; fonts.enableDefaultPackages = true; diff --git a/modules/gnome.nix b/modules/gnome.nix index 5743283..897c4d3 100644 --- a/modules/gnome.nix +++ b/modules/gnome.nix @@ -8,14 +8,12 @@ environment.systemPackages = with pkgs; [ amberol celluloid - ddcutil gnome-console gnome-obfuscate gnome-boxes gnome-tweaks + qbittorrent gnomeExtensions.caffeine - gnomeExtensions.brightness-control-using-ddcutil - fractal ]; environment.gnome.excludePackages = with pkgs; [ @@ -39,7 +37,14 @@ }; }; - services = { + qt = { + enable = true; + platformTheme = "gnome"; + style = "adwaita-dark"; + }; + + services.xserver = { + enable = true; desktopManager.gnome.enable = true; displayManager.gdm = { enable = true; diff --git a/modules/gnupg.nix b/modules/gnupg.nix index 4cb173c..07b1eef 100644 --- a/modules/gnupg.nix +++ b/modules/gnupg.nix @@ -4,6 +4,8 @@ environment.systemPackages = with pkgs; [ gnupg opensc + + yubikey-personalization-gui ]; # smartcard support diff --git a/modules/plasma.nix b/modules/plasma.nix deleted file mode 100644 index 1a7a170..0000000 --- a/modules/plasma.nix +++ /dev/null 
@@ -1,52 +0,0 @@ -{ pkgs, ... }: -{ - imports = [ - ./desktop-software.nix - ./fonts.nix - ]; - - environment.systemPackages = with pkgs; [ - kaidan - kdePackages.filelight - kdePackages.okular - vlc - ]; - - programs.kde-pim = { - enable = true; - kmail = true; - kontact = true; - merkuro = true; - }; - - # Enable sound. - security.rtkit.enable = true; - services.pipewire = { - enable = true; - alsa.enable = true; - pulse.enable = true; - }; - - programs.zsh.vteIntegration = true; - programs.bash.vteIntegration = true; - - hardware.bluetooth.enable = true; - - services.displayManager.sddm = { - enable = true; - wayland.enable = true; - }; - - services.desktopManager.plasma6.enable = true; - - programs.ssh = { - startAgent = true; - enableAskPassword = false; - extraConfig = '' - AddKeysToAgent yes - ''; - }; - programs.firefox.nativeMessagingHosts.packages = with pkgs.kdePackages; [ - plasma-browser-integration - ]; -} diff --git a/modules/server/ssh.nix b/modules/server/ssh.nix index ea463d5..4c27a00 100644 --- a/modules/server/ssh.nix +++ b/modules/server/ssh.nix @@ -10,6 +10,5 @@ networking.firewall.allowedTCPPorts = [ 22 ]; users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJl9iYG5oHBq/poBn7Jf1/FGWWbAnbx+NKjs7qtT3uAK 0xa@toaster 2024-12-31" - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINjKbSzsAx8P9POD9pOXO+Fxub68V828sNatPA6+2zmGAAAABHNzaDo= 0xa@keychain-A" ]; } diff --git a/modules/niri.nix b/modules/sway.nix similarity index 56% rename from modules/niri.nix rename to modules/sway.nix index e769189..1ce6f63 100644 --- a/modules/niri.nix +++ b/modules/sway.nix 
@@ -1,74 +1,30 @@ # General Desktop-related config -{ pkgs, inputs, ... }: +{ pkgs, ... }: { - nixpkgs.overlays = [ inputs.niri.overlays.niri ]; - - programs.niri.enable = true; - imports = [ ./desktop-software.nix ./fonts.nix ]; - environment.systemPackages = - let - xwayland-satellite-git = pkgs.xwayland-satellite.overrideAttrs ( - final: _prev: { - version = "git"; - cargoHash = "sha256-MaF2FyR3HvQAKkZKa8OO/5jbO64/Ncv7+JqHda4jN50="; - src = pkgs.fetchFromGitHub { - owner = "Supreeeme"; - repo = "xwayland-satellite"; - rev = "cca74a5f6b23742d77dc5db4312dfc40fd4a0fcc"; - sha256 = "sha256-YZ+axsuNsgIKWfnRkt6Qa9UoKfUOIWf42vNUonXxmxM="; - }; - cargoDeps = pkgs.rustPlatform.fetchCargoTarball { - inherit (final) pname src version; - hash = final.cargoHash; - }; - } - ); - in - with pkgs; - [ - screen-message - qbittorrent - gajim - imv - mpv - evince - brightnessctl - pulsemixer - cmus - termusic - gsettings-desktop-schemas - xdg-utils - qt5.qtwayland - bashmount - audacity - spotify-player - zathura - ncdu - adwaita-icon-theme - bluetui - gammastep - graphicsmagick - i3status-rust - impala - kanshi - pamixer - swayidle - swaylock - wl-clipboard - xfce.thunar - banana-cursor - fuzzel - alacritty - i3bar-river - mako - swww - oculante - xwayland-satellite-git - ]; + environment.systemPackages = with pkgs; [ + screen-message + qbittorrent + gajim + imv + swayimg + mpv + evince + brightnessctl + pulsemixer + cmus + termusic + gsettings-desktop-schemas + xdg-utils + foot + qt5.qtwayland + bashmount + nautilus + audacity + ]; # Enable sound. security.rtkit.enable = true; 
@@ -92,14 +48,45 @@ programs.light.enable = true; programs.xwayland.enable = true; - + programs.sway = { + enable = true; + wrapperFeatures.gtk = true; + extraSessionCommands = '' + export SDL_VIDEODRIVER=wayland + export QT_QPA_PLATFORM=wayland-egl + export QT_WAYLAND_DISABLE_WINDOWDECORATION="1" + export QT_QPA_PLATFORMTHEME="gnome" + export QT_STYLE_OVERRIDE="adwaita-dark" + # export WLR_DRM_NO_ATOMIC=1 + ''; + extraPackages = with pkgs; [ + adwaita-icon-theme + alacritty + bluetui + foot + gammastep + graphicsmagick + grim + i3status-rust + impala + kanshi + mako + pamixer + rofi-wayland + slurp + swayidle + swaylock + wl-clipboard + wl-mirror + ]; + }; environment.sessionVariables = { GTK_THEME = "Adwaita:dark"; }; xdg.portal = { enable = true; wlr.enable = true; - extraPortals = [ pkgs.xdg-desktop-portal-gnome ]; + extraPortals = [ pkgs.xdg-desktop-portal-gtk ]; }; services.udisks2.enable = true; @@ -127,7 +114,7 @@ enable = true; settings = { default_session = { - command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --greeting \"$(${pkgs.fortune}/bin/fortune -s)\" --cmd ${pkgs.niri-stable}/bin/niri-session"; + command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --greeting \"$(${pkgs.fortune}/bin/fortune -s)\" --cmd ${pkgs.sway}/bin/sway"; }; }; }; diff --git a/modules/wg/proxy.nix b/modules/wg/proxy.nix index 7427829..3b92b8d 100644 --- a/modules/wg/proxy.nix +++ b/modules/wg/proxy.nix @@ -71,14 +71,6 @@ publicKey = "dj5/CnTAFe5ELnZ5oWonYc+5VdzDyooTYGb/bqcxf3Y="; privateKeyFile = config.sops.secrets."wg/0xa-proxy".path; }; - "stream" = { - address = [ - "10.89.88.17/24" - "fd31:185d:722f::17/48" - ]; - publicKey = "RDxbOvd/1FSWqIp5v1++wPBcG1hScAT4mhIlMZdvxU4="; - privateKeyFile = config.sops.secrets."wg/0xa-proxy".path; - }; }; } ];