update conduwuit to latest

increase timeouts
2025-02-06 23:28:54 +00:00 · 2025-02-06 23:28:54 +00:00
39 changed files with 1266 additions and 762 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -11,7 +11,6 @@ keys:
  - &immich age1afyntwvj672lcq2e4dpxmw3syplzurnnd8q8j3265843jeedpveqkp465z
  - &miniflux age15ja22wd9tt60vn32sk59pp6c7vtjsn8y3rypn8qfnvxthug8sp0q6f72uh
  - &radicale age1j6z39kmnxkqa7jdcjsydy5cryjce7fttf225fh3pldyvq06ax3fq58mk8c
  - &stream age148r2q3cy9sjem37rvgtcc4qjx8usxkdg77pqexa56gmcexn58aaslh3cnj
 creation_rules:
  - path_regex: hosts/toaster/[^/]+\.yaml$
    key_groups:
@ -67,9 +66,3 @@ creation_rules:
        - *admin_oxa
        age:
        - *conduwuit
  - path_regex: hosts/stream/[^/]+\.yaml$
    key_groups:
      - pgp:
        - *admin_oxa
        age:
        - *stream
--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@ -1,7 +1,7 @@
 {
  inputs = {
-    nixpkgs-unstable.url = "github:nixos/nixpkgs?ref=nixos-unstable";
+    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
-    nixpkgs.url = "github:NixOS/nixpkgs?ref=nixos-25.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
    flake-utils.url = "github:numtide/flake-utils";
@ -10,10 +10,10 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    nixos-hardware.url = "github:NixOS/nixos-hardware?ref=master";
+    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
    microvm = {
-      url = "github:astro/microvm.nix";
+      url = "github:astro/microvm.nix/v0.5.0";
      inputs = {
        nixpkgs.follows = "nixpkgs";
        flake-utils.follows = "flake-utils";
@ -21,27 +21,28 @@
    };
    lanzaboote = {
-      url = "github:nix-community/lanzaboote?ref=v0.4.2";
+      url = "github:nix-community/lanzaboote/v0.4.1";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
+      inputs.nixpkgs.follows = "nixpkgs";
    };
    authentik-nix = {
      url = "github:nix-community/authentik-nix";
-    };
+      inputs.nixpkgs.follows = "nixpkgs";
    lix = {
      url = "https://git.lix.systems/lix-project/lix/archive/main.tar.gz";
      flake = false;
    };
    lix-module = {
-      url = "https://git.lix.systems/lix-project/nixos-module/archive/main.tar.gz";
+      url = "https://git.lix.systems/lix-project/nixos-module/archive/2.92.0.tar.gz";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
+      inputs.nixpkgs.follows = "nixpkgs";
      inputs.lix.follows = "lix";
    };
    website = {
-      url = "git+https://git.oxapentane.com/0xa/website.git?ref=main";
+      url = "git+https://codeberg.org/0xa/website.git?ref=main";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.flake-utils.follows = "flake-utils";
    };
    conduwuit = {
      url = "github:girlbossceo/conduwuit";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.flake-utils.follows = "flake-utils";
    };
@ -54,12 +55,12 @@
  outputs =
    inputs@{
      authentik-nix,
      lanzaboote,
      lix-module,
      microvm,
      nixos-hardware,
      nixpkgs,
      nixpkgs-unstable,
      sops-nix,
      ...
    }:
@ -67,24 +68,19 @@
    {
      nixosConfigurations =
        let
-          microvm-stable-list = [
+          microvm-list = [
            "auth"
            "conduwuit"
            "forgejo"
            "immich"
            "miniflux"
            "radicale"
            "stream"
          ];
          microvm-unstable-list = [
            "auth"
            "immich"
            "conduwuit"
          ];
-          microvm-builder = (
+          microvms = builtins.listToAttrs (
            nixpkgs-ver: vm-list:
            builtins.listToAttrs (
            map (vm: {
              name = vm;
-                value = nixpkgs-ver.lib.nixosSystem {
+              value = nixpkgs.lib.nixosSystem {
                system = "x86_64-linux";
                specialArgs = { inherit inputs; };
                modules = [
@ -96,16 +92,12 @@
                  ./modules/wg
                ];
              };
-              }) vm-list
+            }) microvm-list
            )
          );
          microvms =
            (microvm-builder nixpkgs microvm-stable-list)
            // (microvm-builder nixpkgs-unstable microvm-unstable-list);
        in
        microvms
        // {
-          toaster = nixpkgs-unstable.lib.nixosSystem {
+          toaster = nixpkgs.lib.nixosSystem {
            system = "x86_64-linux";
            specialArgs = { inherit inputs; };
            modules = [
@ -119,14 +111,15 @@
              ./modules/basic-tools
              ./modules/binary-caches.nix
              ./modules/devtools.nix
              ./modules/emacs.nix
              ./modules/gnupg.nix
              ./modules/mail
              ./modules/gnome.nix
              ./modules/gnupg.nix
              ./modules/radio.nix
              ./modules/science.nix
              ./modules/tlp.nix
              ./modules/virtualization.nix
              ./hosts/toaster/secure-boot.nix
              ./modules/chromium.nix
              ./modules/mail
              ./modules/wg
            ];
          };
@ -160,7 +153,7 @@
              ./modules/wg
              {
-                config.microvm.autostart = microvm-stable-list ++ microvm-unstable-list;
+                config.microvm.autostart = microvm-list;
              }
            ];
          };
--- a/hosts/cloud/proxy/auth.nix
+++ b/hosts/cloud/proxy/auth.nix
@ -0,0 +1,36 @@
 { ... }:
 {
  services.nginx.upstreams.authentik = {
    servers = {
      "10.89.88.11:9000" = { };
      "[fd31:185d:722f::11]:9000" = { };
    };
    extraConfig = ''
      keepalive 10;
    '';
  };
  services.nginx.virtualHosts."auth.oxapentane.com" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://authentik";
      extraConfig = ''
        # general proxy settings
        proxy_connect_timeout   60s;
        proxy_send_timeout      60s;
        proxy_read_timeout      60s;
        proxy_http_version      1.1;
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_set_header        X-Forwarded-Host $host;
        proxy_set_header        X-Forwarded-Server $host;
        # authentik specifik
        proxy_set_header        Upgrade $http_upgrade;
        proxy_set_header        Connection $connection_upgrade_keepalive;
      '';
    };
  };
 }
--- a/hosts/cloud/proxy/conduwuit.nix
+++ b/hosts/cloud/proxy/conduwuit.nix
@ -0,0 +1,51 @@
 { self, ... }:
 let
  proxy-conf = ''
    client_max_body_size 50M;
    proxy_buffering off;
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Access-Control-Allow-Origin *;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    keepalive_timeout 65;
    send_timeout 600s;
    proxy_read_timeout 600s;
    proxy_send_timeout 600s;
  '';
 in
 {
  services.nginx.upstreams.conduwuit = {
    servers = {
      "10.89.88.16:6167" = { };
      #"[fd31:185d:722f::16]:6167" = { };
    };
  };
  services.nginx.virtualHosts."oxapentane.com" = {
    extraConfig = ''
      client_header_timeout 600;
      client_body_timeout 600;
    '';
    locations."/_matrix/" = {
      proxyPass = "http://conduwuit$request_uri";
      extraConfig = proxy-conf;
    };
    locations."/_conduwuit/" = {
      proxyPass = "http://conduwuit$request_uri";
      extraConfig = proxy-conf;
    };
    locations."/.well-known/matrix" = {
      proxyPass = "http://conduwuit$request_uri";
      extraConfig = proxy-conf;
    };
  };
 }
--- a/hosts/cloud/proxy/dav.nix
+++ b/hosts/cloud/proxy/dav.nix
@ -0,0 +1,64 @@
 { ... }:
 {
  services.nginx.upstreams.radicale = {
    servers = {
      "10.89.88.12:5232" = { };
      "[fd31:185d:722f::12]:5232" = { };
    };
  };
  services.nginx.virtualHosts."dav.oxapentane.com" = {
    forceSSL = true;
    enableACME = true;
    # Radicale
    locations."/" = {
      proxyPass = "http://radicale";
      extraConfig = ''
        # Radicale stuff
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade_keepalive;
        # authentik stuff
        auth_request     /outpost.goauthentik.io/auth/nginx;
        error_page       401 = @goauthentik_proxy_signin;
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        proxy_set_header       Set-Cookie $auth_cookie;
        # translate headers from the outposts back to the actual upstream
        auth_request_set $authentik_username $upstream_http_x_authentik_username;
        auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
        auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
        auth_request_set $authentik_email $upstream_http_x_authentik_email;
        auth_request_set $authentik_name $upstream_http_x_authentik_name;
        auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
        proxy_set_header X-authentik-username $authentik_username;
        proxy_set_header X-Remote-User $authentik_username;
        proxy_set_header X-authentik-groups $authentik_groups;
        proxy_set_header X-authentik-entitlements $authentik_entitlements;
        proxy_set_header X-authentik-email $authentik_email;
        proxy_set_header X-authentik-name $authentik_name;
        proxy_set_header X-authentik-uid $authentik_uid;
      '';
    };
    locations."/outpost.goauthentik.io" = {
      proxyPass = "http://authentik/outpost.goauthentik.io";
      extraConfig = ''
        proxy_set_header Host $host;
        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
        proxy_set_header Set-Cookie $auth_cookie;
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
      '';
    };
    locations."@goauthentik_proxy_signin" = {
      extraConfig = ''
        internal;
        proxy_set_header Set-Cookie $auth_cookie;
        return 302 /outpost.goauthentik.io/start?rd=$request_uri;
      '';
    };
  };
 }
--- a/hosts/cloud/proxy/default.nix
+++ b/hosts/cloud/proxy/default.nix
@ -4,7 +4,12 @@ let
 in
 {
  imports = [
    ./auth.nix
    ./conduwuit.nix
    ./dav.nix
    ./git.nix
    ./immich.nix
    ./news.nix
  ];
  networking.firewall.allowedTCPPorts = [
@ -12,85 +17,63 @@ in
    443
  ];
-  services.caddy = {
+  services.nginx = {
    enable = true;
-    virtualHosts."oxapentane.com" = {
+
-      serverAliases = [ "www.oxapentane.com" ];
+    recommendedGzipSettings = true;
-      extraConfig = ''
+    recommendedOptimisation = true;
-        # conduit
+    recommendedTlsSettings = true;
-        @matrix {
+
-            path /.well-known/matrix/*
+    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
-            path /_matrix/*
+
    appendHttpConfig = ''
      # upgrade websockets
      map $http_upgrade $connection_upgrade_keepalive {
        default upgrade;
        '''      ''';
      }
-        route {
+      ### TLS
-            header /.well-known/matrix/* Access-Control-Allow-Origin *
+      # Add HSTS header with preloading to HTTPS requests.
-
+      # Adding this header to HTTP requests is discouraged
-            reverse_proxy @matrix 10.89.88.16:6167
+      map $scheme $hsts_header {
-
+          https   "max-age=31536000; includeSubdomains; preload";
            # file server
            file_server {
                root ${website}
                index index.html
            }
      }
      add_header Strict-Transport-Security $hsts_header;
      # Enable CSP for your services.
      # add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
      # Minimize information leaked to other domains
      add_header 'Referrer-Policy' 'origin-when-cross-origin';
      # Disable embedding as a frame
      # add_header X-Frame-Options DENY;
      # Prevent injection of code in other mime types (XSS Attacks)
      add_header X-Content-Type-Options nosniff;
    '';
    virtualHosts."oxapentane.com" = {
      forceSSL = true;
      enableACME = true;
      default = true;
      locations."/" = {
        root = "${website}";
        index = "index.html";
      };
    };
    virtualHosts."www.oxapentane.com" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        return = "302 https://oxapentane.com";
      };
    };
  };
-    virtualHosts."auth.oxapentane.com".extraConfig = ''
+  security.acme = {
-      reverse_proxy 10.89.88.11:9000 [fd31:185d:722f::11]:9000
+    acceptTerms = true;
-    '';
+    defaults.email = "acme@oxapentane.com";
    virtualHosts."dav.oxapentane.com".extraConfig = ''
      route {
          reverse_proxy /outpost.goauthentik.io/* 10.89.88.11:9000 [fd31:185d:722f::11]:9000
          forward_auth 10.89.88.11:9000 {
              uri /outpost.goauthentik.io/auth/caddy
              copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version X-Authentik-Username>X-Remote-User
              trusted_proxies 10.89.88.11 fd31:185d:722f::11
          }
      }
      reverse_proxy 10.89.88.12:5232 [fd31:185d:722f::12]:5232
    '';
    virtualHosts."immich.oxapentane.com".extraConfig = ''
      reverse_proxy 10.89.88.13:2283
    '';
    virtualHosts."news.oxapentane.com".extraConfig = "reverse_proxy http://10.89.88.14:8080";
    virtualHosts."music.oxapentane.com".extraConfig = ''
      route {
          reverse_proxy /outpost.goauthentik.io/* 10.89.88.11:9000 [fd31:185d:722f::11]:9000
          @protected not path /share/* /rest/*
          forward_auth @protected 10.89.88.11:9000 {
              uri /outpost.goauthentik.io/auth/caddy
              copy_headers X-Authentik-Username>Remote-User
              trusted_proxies 10.89.88.11 fd31:185d:722f::11
          }
          @subsonic path /rest/*
          forward_auth @subsonic 10.89.88.11:9000 {
              uri /outpost.goauthentik.io/auth/caddy
              copy_headers X-Authentik-Username>Remote-User
              @error status 1xx 3xx 4xx 5xx
              handle_response @error {
                  respond <<SUBSONICERR
                  <subsonic-response xmlns="http://subsonic.org/restapi" status="failed" version="1.16.1" type="proxy-auth" serverVersion="n/a" openSubsonic="true">
                    <error code="40" message="Invalid credentials or unsupported client"></error>
                  </subsonic-response>
                  SUBSONICERR 200
              }
              trusted_proxies 10.89.88.11 fd31:185d:722f::11
          }
      }
      reverse_proxy 10.89.88.17:4533
    '';
  };
 }
--- a/hosts/cloud/proxy/git.nix
+++ b/hosts/cloud/proxy/git.nix
@ -35,6 +35,34 @@
        "fd31:185d:722e::1"
      ];
-  services.caddy.virtualHosts."git.oxapentane.com".extraConfig =
+  services.nginx.upstreams.forgejo = {
-    "reverse_proxy 10.89.88.15:3000 [fd31:185d:722f::15]:3000";
+    servers = {
      "10.89.88.15:3000" = { };
      "[fd31:185d:722f::15]:3000" = { };
    };
  };
  services.nginx.virtualHosts."git.oxapentane.com" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://forgejo";
      extraConfig = ''
        client_max_body_size 50000M;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 600s;
        proxy_send_timeout 600s;
        send_timeout 600s;
      '';
    };
  };
 }
--- a/hosts/cloud/proxy/immich.nix
+++ b/hosts/cloud/proxy/immich.nix
@ -0,0 +1,33 @@
 { ... }:
 {
  services.nginx.upstreams.immich = {
    servers = {
      "10.89.88.13:2283" = { };
      "[fd31:185d:722f::13]:2283" = { };
    };
  };
  services.nginx.virtualHosts."immich.oxapentane.com" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://immich";
      extraConfig = ''
        client_max_body_size 50000M;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 600s;
        proxy_send_timeout 600s;
        send_timeout 600s;
      '';
    };
  };
 }
--- a/hosts/cloud/proxy/news.nix
+++ b/hosts/cloud/proxy/news.nix
@ -0,0 +1,17 @@
 { ... }:
 {
  services.nginx.virtualHosts."news.oxapentane.com" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://10.89.88.14:8080";
      extraConfig = ''
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
      '';
    };
  };
 }
--- a/hosts/conduwuit/conduwuit.nix
+++ b/hosts/conduwuit/conduwuit.nix
@ -1,12 +1,15 @@
-{ pkgs, ... }:
+{ pkgs, inputs, ... }:
 let
  conduwuit-latest = inputs.conduwuit.packages.${pkgs.system}.all-features;
 in
 {
  services.matrix-conduit = {
    enable = true;
-    package = pkgs.matrix-conduit;
+    package = conduwuit-latest;
    settings = {
      global = {
        database_backend = "rocksdb";
-        enable_lightning_bolt = false;
+        new_user_displayname_suffix = "";
        port = 6167;
        server_name = "oxapentane.com";
        address = "0.0.0.0";
--- a/hosts/forgejo/default.nix
+++ b/hosts/forgejo/default.nix
@ -18,8 +18,7 @@ in
  microvm = {
    hypervisor = "qemu";
    mem = 3 * 1024;
-    balloon = true;
+    vcpu = 2;
    vcpu = 4;
    interfaces = [
      {
        type = "tap";
--- a/hosts/immich/immich.nix
+++ b/hosts/immich/immich.nix
@ -1,7 +1,12 @@
 {
  config,
  inputs,
  pkgs,
  ...
 }:
 let
  immich-latest = inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.immich;
 in
 {
  sops.secrets."immich.yaml" = {
    sopsFile = ./immich.yaml;
@ -11,6 +16,7 @@
  services.immich = {
    enable = true;
    package = immich-latest;
    host = "10.89.88.13";
    redis.enable = true;
    database.createDB = true;
--- a/hosts/stream/default.nix
+++ b/hosts/stream/default.nix
@ -1,76 +0,0 @@
 { config, lib, ... }:
 let
  mac = "02:00:00:00:00:07";
 in
 {
  imports = [
    ./navidrome.nix
  ];
  sops.defaultSopsFile = ./secrets.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.secrets = {
    "wg/0xa-proxy" = {
      owner = config.users.users.systemd-network.name;
    };
  };
  microvm = {
    hypervisor = "qemu";
    mem = 4 * 1024;
    vcpu = 3;
    interfaces = [
      {
        type = "tap";
        id = "uvm-stream";
        mac = mac;
      }
    ];
    shares =
      [
        {
          source = "/nix/store";
          mountPoint = "/nix/.ro-store";
          tag = "store";
          proto = "virtiofs";
        }
      ]
      ++ map
        (dir: {
          source = dir;
          mountPoint = "/${dir}";
          tag = dir;
          proto = "virtiofs";
        })
        [
          "etc"
          "var"
          "home"
        ];
  };
  networking.useNetworkd = true;
  networking.firewall.enable = lib.mkForce false; # firewalling done by the host
  systemd.network = {
    enable = true;
    networks."11-host" = {
      matchConfig.MACAddress = mac;
      networkConfig = {
        Address = "10.99.99.17/24";
        DHCP = "no";
      };
      routes = [
        {
          Gateway = "10.99.99.1";
          Destination = "0.0.0.0/0";
          Metric = 1024;
        }
      ];
    };
  };
  networking.hostName = "stream";
  system.stateVersion = "25.05";
 }
--- a/hosts/stream/navidrome.nix
+++ b/hosts/stream/navidrome.nix
@ -1,16 +0,0 @@
 { ... }:
 {
  services.navidrome = {
    enable = true;
    settings = {
      Address = "10.89.88.17";
      BaseUrl = "/";
      EnableExternalServices = false;
      MusicFolder = "/var/lib/navidrome/music";
      Port = 4533;
      ScanSchedule = "@every 11m";
      TranscodingCacheSize = "11GiB";
      ReverseProxyWhitelist = "10.89.88.1/24";
    };
  };
 }
--- a/hosts/stream/secrets.yaml
+++ b/hosts/stream/secrets.yaml
@ -1,38 +0,0 @@
 wg:
    0xa-proxy: ENC[AES256_GCM,data:uZfFc4elxCAVZvdIHJ7lgoPs9qKkD9ZvLhcYbexDcqn0alaMzIr++CY52FI=,iv:CREMt6GrLHs4Jwj/55awDFHh9hQlJPEi4ZQ7ZLMPvRA=,tag:iJAGdqzQbyezmDj+tzjdNQ==,type:str]
 sops:
    age:
        - recipient: age148r2q3cy9sjem37rvgtcc4qjx8usxkdg77pqexa56gmcexn58aaslh3cnj
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSko5L1BCOTR1QmZabGw3
            QS9kbDZyWEJvV09MNkNqbTNncjZrOXl6WFZrCmxQelVzbjdvUUl4aVl3UVFVL0Q5
            S0VDNkdvcDZnZytCdjBrZUZYTFlEZncKLS0tIG1NWnlnRGovcWxDL2JYMTc2bEY5
            K29Dd0t6b3FMZjU2cXFBbEw3RktkQlkKCh+jXv65KfAsSR4/0+UWwU5tCphrEEgE
            WDbIdUZ8j5xHHQwJ58cU7uQ+BSy0yZlwwr8vPoaKdXQzMgyrQfq3gg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-06-12T22:54:11Z"
    mac: ENC[AES256_GCM,data:15EU9VupWfvR8CrfKrX3nhpD60hYB2LY3vuAPvdqzKLliqSqolNj956fOFicfSHvmW/s+7x+M+5FROnOzSbToTZotFtvALQihHH999veGZMx8Q8oIyljT1PBw/SU9djXPI1KjG/zzYOAwu7y/Ffm0QKhMRziH7CQLn30KR0o2w0=,iv:ghdyTvcpgnBi2L9s4UrzwWwt9TeU0WkGquZ64+w9IN8=,tag:4m4hYFgejlEaQROB/OEi6g==,type:str]
    pgp:
        - created_at: "2025-06-12T22:51:49Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA7zUOKwzpAE7AQ/8ClHQoCuiC0AH28bDit4qjNh/TnYq3IbAdyITOqUYPRc6
            th8MCDY0CfxvzDTLYxTlHH4MNDOiWWTMg/shC8xV3MrAIpEQV79ivYMay04aWpCH
            HqlhjBynCwAnJRanc9Ch5zW1wCjpgMp+kMDX8JhhUL0Rmt2fd2nSp4R2bb+/HRvn
            vAaDq3TTLkLr1OHcTNKFFbXafGLKMahxkQGRMgD1DIPCLW+nUxerUnlxHo4yjj3B
            WKXBVKeWowgBHvelHqUVf6yeSmWZyFDP/jFxFEi75A+BYmwxlQcRDn0L0NKUlMa/
            uF3jtW3XBMS/sLX7aRscBFeEq9XPce9urJK4KPFNVFI3X1WbD6O/Z87Y+MHa2n0s
            DuxIwrffpw8p4qSVBAJLbSW1vR/suGh/0Cr31mzo4FJT92A93wc8JdLdpHUfTXL/
            bEbt6M7OSqvIt5/mor7Ad6/HRkEl+sZJnHqeU/qKfAIKKfz5UVG/ZCZDZlVGTmpp
            lV9Dn8QjA1ut4lMvACJBocnrlH4T6150ULL0r3gHuVy5YhnGR+LWFdgaCJ4v3f1J
            A59eAyQENNMoSGZU/YZx95kFPc1O/GIkmiMpXZxBISN3F70QP30ieqbP1qnZRfMg
            GldVAFhfaHct4lujlgRfOkmwcNG3gTIru4wAqg+wzriI9jm9vEoF0MDJs2cwNYTS
            XgE32jq6Li59TMUQH9iB4l0cM42QbQ8BcSn6o/NhmF6HHq9W5yuD6EIs4KNfdHv6
            ikgqQuGGO9v7qDMd0piyqeLRGMANepxrR5uMsbFmMnah9RUq9CjRbMADLa+8DeU=
            =fEVm
            -----END PGP MESSAGE-----
          fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
    unencrypted_suffix: _unencrypted
    version: 3.10.2
--- a/hosts/toaster/0xa-home.nix
+++ b/hosts/toaster/0xa-home.nix
@ -1,21 +0,0 @@
 { pkgs, ... }:
 {
  home.stateVersion = "24.11";
  home.pointerCursor = {
    name = "Banana";
    size = 32;
    package = pkgs.banana-cursor;
    x11.enable = true;
    gtk.enable = true;
  };
  gtk = {
    enable = true;
    cursorTheme = {
      name = "Banana";
      size = 32;
      package = pkgs.banana-cursor;
    };
  };
 }
--- a/hosts/toaster/default.nix
+++ b/hosts/toaster/default.nix
@ -46,11 +46,6 @@
    supportedLocales = [ "all" ];
  };
  # support ddc brigtness control
  hardware.i2c.enable = true;
  boot.kernelModules = [ "i2c-dev" ];
  environment.systemPackages = [ pkgs.ddcutil ];
  users.users."0xa" = {
    extraGroups = [
      "wheel"
@ -60,7 +55,6 @@
      "bluetooth"
      "libvirtd"
      "qemu-libvirtd"
      "i2c"
    ];
    group = "users";
    home = "/home/0xa";
@ -69,6 +63,8 @@
    shell = pkgs.fish;
  };
  services.emacs.defaultEditor = false;
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
--- a/hosts/toaster/hardware-configuration.nix
+++ b/hosts/toaster/hardware-configuration.nix
@ -49,12 +49,6 @@
    options = [ "zfsutil" ];
  };
  fileSystems."/tmp" = {
    device = "zpool/nocomp/tmp";
    fsType = "zfs";
    options = [ "zfsutil" ];
  };
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/A170-F83D";
    fsType = "vfat";
--- a/hosts/toaster/network/default.nix
+++ b/hosts/toaster/network/default.nix
@ -7,16 +7,13 @@
  ];
  # Networkmanager shouldn't interfere with systemd managed interfaces
-  networking.networkmanager = {
+  networking.networkmanager.unmanaged =
    enable = true;
    unmanaged =
    let
      systemd_netdevs = lib.attrsets.attrValues (
        lib.attrsets.mapAttrs (_name: value: value.netdevConfig.Name) config.systemd.network.netdevs
      );
    in
    systemd_netdevs;
  };
  systemd.network = {
    enable = true;
--- a/hosts/toaster/network/full-networkd.nix
+++ b/hosts/toaster/network/full-networkd.nix
@ -1,71 +0,0 @@
 { lib, pkgs, ... }:
 {
  imports = [
    ./mullvad.nix
    ./dumpdvb.nix
    ./zw.nix
  ];
  environment.systemPackages = with pkgs; [
    iwgtk
    impala
  ];
  # kick out networkmanager
  networking.networkmanager.enable = lib.mkForce false;
  networking.useNetworkd = true;
  systemd.network.enable = true;
  networking = {
    hostName = "toaster";
    firewall.enable = true;
    wireguard.enable = true;
    wireless.iwd.enable = true;
  };
  services.resolved = {
    enable = true;
    dnssec = "false";
    fallbackDns = [
      "9.9.9.9"
      "2620:fe::fe"
      "149.112.112.112"
      "2620:fe::9"
    ];
  };
  # we might have no interwebs at all
  systemd.network.wait-online.enable = false;
  # uplinks
  systemd.network.networks = {
    "10-ether-uplink" = {
      matchConfig.Name = "enp1s0f0";
      networkConfig = {
        DHCP = "yes";
        IPv6AcceptRA = true;
      };
    };
    "10-dock-uplink" = {
      matchConfig.Name = "enp5s0f4u1u1";
      networkConfig = {
        DHCP = "yes";
        IPv6AcceptRA = true;
      };
      dhcpV4Config = {
        RouteMetric = 666;
      };
      dhcpV6Config = {
        RouteMetric = 666;
      };
    };
    "wlan-uplink" = {
      matchConfig.Name = "wlan0";
      networkConfig = {
        DHCP = "yes";
        IPv6AcceptRA = true;
      };
    };
  };
 }
--- a/hosts/toaster/network/mullvad.nix
+++ b/hosts/toaster/network/mullvad.nix
@ -2,8 +2,8 @@
 {
  systemd.network =
    let
-      pubkey = "uUYbYGKoA6UBh1hfkAz5tAWFv4SmteYC9kWh7/K6Ah0=";
+      pubkey = "BChJDLOwZu9Q1oH0UcrxcHP6xxHhyRbjrBUsE0e07Vk=";
-      endpoint = "92.60.40.209";
+      endpoint = "169.150.196.15";
      port = "51820";
      addr = [
        "10.74.16.48/32"
--- a/hosts/toaster/zfs.nix
+++ b/hosts/toaster/zfs.nix
@ -19,7 +19,6 @@
    supportedFilesystems = [ "zfs" ];
    kernelParams = [ "nohibernate" ];
    plymouth.enable = false;
-    tmp.useTmpfs = false;
+    tmp.useTmpfs = true;
    tmp.cleanOnBoot = true;
  };
 }
--- a/modules/basic-tools/default.nix
+++ b/modules/basic-tools/default.nix
@ -39,6 +39,7 @@
      exfatprogs
      nmap
      bind
      nnn
      lf
      man-pages
      unzip
@ -49,17 +50,8 @@
      sshfs
      whois
      mtr
      joshuto
    ]
-    ++ (
+    ++ (if config.networking.hostName == "toaster" then [ gitFull ] else [ git ]);
      if config.networking.hostName == "toaster" then
        [
          gitFull
          git-lfs
        ]
      else
        [ git ]
    );
  environment.variables =
    let
--- a/modules/basic-tools/fish.nix
+++ b/modules/basic-tools/fish.nix
@ -3,9 +3,11 @@
  environment.systemPackages = with pkgs; [
    lsd
    fzf
    grc
    fishPlugins.done
    fishPlugins.fzf-fish
    fishPlugins.tide
    fishPlugins.grc
  ];
  programs.fish = {
@ -13,7 +15,6 @@
    interactiveShellInit = ''
      set fish_greeting
      function fish_command_not_found
        echo "Command not found"
      end
    '';
    shellAliases = {
--- a/modules/basic-tools/fzf.nix
+++ b/modules/basic-tools/fzf.nix
@ -1,4 +1,6 @@
 {
  lib,
  config,
  pkgs,
  ...
 }:
@ -12,8 +14,15 @@
    };
  };
  # integrate fzf into shell, >23.05 only
-  programs.fzf = {
+  programs =
    with lib;
    if (toInt (elemAt (splitVersion config.system.nixos.release) 0) >= 23) then
      {
        fzf = {
          keybindings = true;
          fuzzyCompletion = true;
        };
      }
    else
      { };
 }
--- a/modules/basic-tools/nix.nix
+++ b/modules/basic-tools/nix.nix
@ -1,5 +1,7 @@
 {
  lib,
  pkgs,
  inputs,
  ...
 }:
 {
@ -14,10 +16,14 @@
  # nix output-monitor
  environment.systemPackages = [ pkgs.nix-output-monitor ];
-  nixpkgs.flake = {
+  # override default nix shell nixpkgs# behaviour to use current flake lock
-    setFlakeRegistry = true;
+  nix.registry =
-    setNixPath = true;
+    let
-  };
+      flakes = lib.filterAttrs (_name: value: value ? outputs) inputs.self.inputs;
    in
    builtins.mapAttrs (_name: v: { flake = v; }) flakes;
  nix.nixPath = lib.mapAttrsToList (name: value: "${name}=${value.outPath}") inputs.self.inputs;
  nixpkgs.config.allowUnfree = true;
 }
--- a/modules/basic-tools/zsh.nix
+++ b/modules/basic-tools/zsh.nix
@ -39,7 +39,6 @@
      LP_ENABLE_SVN=0
      LP_BATTERY_THRESHOLD=15
      LP_SSH_COLORS=1
      LP_DISABLED_VCS_PATHS=("/home/0xa/proj/NixOS/nixpkgs")
    '';
  };
 }
--- a/modules/chromium.nix
+++ b/modules/chromium.nix
@ -2,23 +2,24 @@
 {
  environment.systemPackages = with pkgs; [
-    (chromium.override { enableWideVine = true; })
+    chromium
  ];
-  nixpkgs.config.chromium.commandLineArgs = "--enable-features=UseOzonePlatform --ozone-platform=wayland --ignore-gpu-blocklist --enable-gpu-rasterization --enable-zero-copy --enable-features=VaapiVideoDecoder,VaapiVideoEncoder,CanvasOopRasterization,WebUIDarkMode";
+  nixpkgs.config.chromium.commandLineArgs = "--enable-features=UseOzonePlatform --ozone-platform=wayland  --force-dark-mode --ignore-gpu-blocklist --enable-gpu-rasterization --enable-zero-copy --enable-features=VaapiVideoDecoder,VaapiVideoEncoder,CanvasOopRasterization,WebUIDarkMode";
  programs.chromium = {
    enable = true;
    extensions = [
      # "pkehgijcmpdhfbdbbnkijodmdjhbjlgp" # privacy badger
      "ekhagklcjbdpajgpjgmbionohlpdbjgc" # zotero connector
      "nngceckbapebfimnlniiiahkandclblb" # bitwarden
-      "ddkjiahejlhfcafbddmgiahcphecmpfh" # ublock lite
+      # "cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin
      # "ddkjiahejlhfcafbddmgiahcphecmpfh" # ublock lite
      "mnjggcdmjocbbbhaepdhchncahnbgone" # sponsorblock
      "khncfooichmfjbepaaaebmommgaepoid" # unhook
    ];
    extraOpts = {
      "BrowserSignin" = 0;
-      "SyncDisabled" = true;
+      # "SyncDisabled" = true;
      "PasswordManagerEnabled" = false;
      "TranslateEnabled" = false;
      "AutofillAddressEnabled" = false;
@ -30,11 +31,6 @@
      # "DefaultSearchProviderSearchURL" = "https://google.com/search?q={searchTerms}";
      # "DefaultSearchProviderSearchURL" = "https://duckduckgo.com/?q={searchTerms}";
      "SearchSuggestEnable" = false;
      "BlockThirdPartyCookies" = true;
      "PrivacySandboxAdMeasurementEnabled" = false;
      "PrivacySandboxAdTopicsEnabled" = false;
      "PrivacySandboxPromptEnabled" = false;
      "PrivacySandboxSiteEnabledAdsEnabled" = false;
    };
  };
 }
--- a/modules/desktop-software.nix
+++ b/modules/desktop-software.nix
@ -1,30 +1,24 @@
 { pkgs, ... }:
 {
  imports = [
    ./chromium.nix
  ];
  environment.systemPackages = with pkgs; [
    audacity
    blender
    dino
    discord
    element-desktop
    ffmpeg-full
-    ghostty
+    firefox-wayland
    vivaldi
    vivaldi-ffmpeg-codecs
    gimp
    inkscape
-    lapce
+    kicad
    mpv
    obs-studio
    qbittorrent
    transmission_4-gtk
    signal-desktop
-    spotify
+    tdesktop
    telegram-desktop
    tor-browser
    wl-clipboard
    yt-dlp
    element-desktop
    discord
    spotify
    mpv
  ];
  programs.steam.enable = true;
  programs.firefox.enable = true;
 }
--- a/modules/devtools.nix
+++ b/modules/devtools.nix
@ -1,5 +1,8 @@
 {
  pkgs,
  inputs,
  config,
  lib,
  ...
 }:
 {
@ -13,6 +16,11 @@
          kikit-library
        ];
      };
      # binwalk v3 on 24.11
      sys_ver = config.system.nixos.release;
      unstablepkgs = inputs.nixpkgs-unstable.legacyPackages.${pkgs.system};
      binwalkv3 = if lib.versionOlder "25.05" sys_ver then binwalk else unstablepkgs.binwalk;
    in
    [
      # general
@ -21,7 +29,7 @@
      gef
      gdb
      binutils
-      binwalk
+      binwalkv3
      clang
      clang-tools
      direnv
@ -31,9 +39,9 @@
      nix-index
      kicad
      kikit
-      freecad-qt6
+      freecad-wayland
      imhex
-      python3Full
+      python313Full
      nixfmt-rfc-style
      treefmt
      android-tools
--- a/modules/emacs.nix
+++ b/modules/emacs.nix
@ -1,37 +0,0 @@
 {
  pkgs,
  lib,
  ...
 }:
 {
  environment.systemPackages = with pkgs; [
    direnv
    mu
  ];
  services.emacs = {
    install = true;
    enable = false;
    package =
      with pkgs;
      (
        (emacsPackagesFor (
          emacs-pgtk.overrideAttrs (old: {
            passthru = old.passthru // {
              treeSitter = true;
            };
          })
        )).emacsWithPackages
        (
          epkgs: with epkgs; [
            treesit-grammars.with-all-grammars
            vterm
            pdf-tools
            mu4e
          ]
        )
      );
    defaultEditor = lib.mkForce true;
  };
 }
--- a/modules/fonts.nix
+++ b/modules/fonts.nix
@ -1,7 +1,6 @@
 { pkgs, ... }:
 {
  fonts.packages = with pkgs; [
    adwaita-fonts
    monoid
    font-awesome
    dejavu_fonts
@ -19,8 +18,6 @@
    liberation_ttf
    noto-fonts
    noto-fonts-cjk-sans
    noto-fonts-color-emoji
    noto-fonts-monochrome-emoji
    noto-fonts-emoji
    noto-fonts-extra
    proggyfonts
@ -29,8 +26,7 @@
    twemoji-color-font
    twitter-color-emoji
    iosevka-bin
-    cozette
+    (nerdfonts.override { fonts = [ "Hack" ]; })
    nerd-fonts.hack
  ];
  fonts.enableDefaultPackages = true;
--- a/modules/gnome.nix
+++ b/modules/gnome.nix
@ -8,14 +8,12 @@
  environment.systemPackages = with pkgs; [
    amberol
    celluloid
    ddcutil
    gnome-console
    gnome-obfuscate
    gnome-boxes
    gnome-tweaks
    qbittorrent
    gnomeExtensions.caffeine
    gnomeExtensions.brightness-control-using-ddcutil
    fractal
  ];
  environment.gnome.excludePackages = with pkgs; [
@ -39,7 +37,14 @@
    };
  };
-  services = {
+  qt = {
    enable = true;
    platformTheme = "gnome";
    style = "adwaita-dark";
  };
  services.xserver = {
    enable = true;
    desktopManager.gnome.enable = true;
    displayManager.gdm = {
      enable = true;
--- a/modules/gnupg.nix
+++ b/modules/gnupg.nix
@ -4,6 +4,8 @@
  environment.systemPackages = with pkgs; [
    gnupg
    opensc
    yubikey-personalization-gui
  ];
  # smartcard support
--- a/modules/plasma.nix
+++ b/modules/plasma.nix
@ -1,52 +0,0 @@
 { pkgs, ... }:
 {
  imports = [
    ./desktop-software.nix
    ./fonts.nix
  ];
  environment.systemPackages = with pkgs; [
    kaidan
    kdePackages.filelight
    kdePackages.okular
    vlc
  ];
  programs.kde-pim = {
    enable = true;
    kmail = true;
    kontact = true;
    merkuro = true;
  };
  # Enable sound.
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    pulse.enable = true;
  };
  programs.zsh.vteIntegration = true;
  programs.bash.vteIntegration = true;
  hardware.bluetooth.enable = true;
  services.displayManager.sddm = {
    enable = true;
    wayland.enable = true;
  };
  services.desktopManager.plasma6.enable = true;
  programs.ssh = {
    startAgent = true;
    enableAskPassword = false;
    extraConfig = ''
      AddKeysToAgent yes
    '';
  };
  programs.firefox.nativeMessagingHosts.packages = with pkgs.kdePackages; [
    plasma-browser-integration
  ];
 }
--- a/modules/server/ssh.nix
+++ b/modules/server/ssh.nix
@ -10,6 +10,5 @@
  networking.firewall.allowedTCPPorts = [ 22 ];
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJl9iYG5oHBq/poBn7Jf1/FGWWbAnbx+NKjs7qtT3uAK 0xa@toaster 2024-12-31"
    "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINjKbSzsAx8P9POD9pOXO+Fxub68V828sNatPA6+2zmGAAAABHNzaDo= 0xa@keychain-A"
  ];
 }
--- a/modules/sway.nix
+++ b/modules/sway.nix
@ -1,39 +1,16 @@
 # General Desktop-related config
-{ pkgs, inputs, ... }:
+{ pkgs, ... }:
 {
  nixpkgs.overlays = [ inputs.niri.overlays.niri ];
  programs.niri.enable = true;
  imports = [
    ./desktop-software.nix
    ./fonts.nix
  ];
-  environment.systemPackages =
+  environment.systemPackages = with pkgs; [
    let
      xwayland-satellite-git = pkgs.xwayland-satellite.overrideAttrs (
        final: _prev: {
          version = "git";
          cargoHash = "sha256-MaF2FyR3HvQAKkZKa8OO/5jbO64/Ncv7+JqHda4jN50=";
          src = pkgs.fetchFromGitHub {
            owner = "Supreeeme";
            repo = "xwayland-satellite";
            rev = "cca74a5f6b23742d77dc5db4312dfc40fd4a0fcc";
            sha256 = "sha256-YZ+axsuNsgIKWfnRkt6Qa9UoKfUOIWf42vNUonXxmxM=";
          };
          cargoDeps = pkgs.rustPlatform.fetchCargoTarball {
            inherit (final) pname src version;
            hash = final.cargoHash;
          };
        }
      );
    in
    with pkgs;
    [
    screen-message
    qbittorrent
    gajim
    imv
    swayimg
    mpv
    evince
    brightnessctl
@ -42,32 +19,11 @@
    termusic
    gsettings-desktop-schemas
    xdg-utils
    foot
    qt5.qtwayland
    bashmount
    nautilus
    audacity
      spotify-player
      zathura
      ncdu
      adwaita-icon-theme
      bluetui
      gammastep
      graphicsmagick
      i3status-rust
      impala
      kanshi
      pamixer
      swayidle
      swaylock
      wl-clipboard
      xfce.thunar
      banana-cursor
      fuzzel
      alacritty
      i3bar-river
      mako
      swww
      oculante
      xwayland-satellite-git
  ];
  # Enable sound.
@ -92,14 +48,45 @@
  programs.light.enable = true;
  programs.xwayland.enable = true;
-
+  programs.sway = {
    enable = true;
    wrapperFeatures.gtk = true;
    extraSessionCommands = ''
      export SDL_VIDEODRIVER=wayland
      export QT_QPA_PLATFORM=wayland-egl
      export QT_WAYLAND_DISABLE_WINDOWDECORATION="1"
      export QT_QPA_PLATFORMTHEME="gnome"
      export QT_STYLE_OVERRIDE="adwaita-dark"
      # export WLR_DRM_NO_ATOMIC=1
    '';
    extraPackages = with pkgs; [
      adwaita-icon-theme
      alacritty
      bluetui
      foot
      gammastep
      graphicsmagick
      grim
      i3status-rust
      impala
      kanshi
      mako
      pamixer
      rofi-wayland
      slurp
      swayidle
      swaylock
      wl-clipboard
      wl-mirror
    ];
  };
  environment.sessionVariables = {
    GTK_THEME = "Adwaita:dark";
  };
  xdg.portal = {
    enable = true;
    wlr.enable = true;
-    extraPortals = [ pkgs.xdg-desktop-portal-gnome ];
+    extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
  };
  services.udisks2.enable = true;
@ -127,7 +114,7 @@
    enable = true;
    settings = {
      default_session = {
-        command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --greeting \"$(${pkgs.fortune}/bin/fortune -s)\" --cmd ${pkgs.niri-stable}/bin/niri-session";
+        command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --greeting \"$(${pkgs.fortune}/bin/fortune -s)\" --cmd ${pkgs.sway}/bin/sway";
      };
    };
  };
--- a/modules/wg/proxy.nix
+++ b/modules/wg/proxy.nix
@ -71,14 +71,6 @@
          publicKey = "dj5/CnTAFe5ELnZ5oWonYc+5VdzDyooTYGb/bqcxf3Y=";
          privateKeyFile = config.sops.secrets."wg/0xa-proxy".path;
        };
        "stream" = {
          address = [
            "10.89.88.17/24"
            "fd31:185d:722f::17/48"
          ];
          publicKey = "RDxbOvd/1FSWqIp5v1++wPBcG1hScAT4mhIlMZdvxU4=";
          privateKeyFile = config.sops.secrets."wg/0xa-proxy".path;
        };
      };
    }
  ];
Author	SHA1	Message	Date
Grisha Shipunov	97ce3fd7d1	update conduwuit to latest	2025-02-06 23:28:54 +00:00
Grigory Shipunov	16cddf11dd	increase timeouts	2025-02-06 23:28:54 +00:00