make branch spec uniform in inputs

plasma still krashes
bump lock
2025-06-14 21:02:32 +02:00 · 2025-06-14 21:02:20 +02:00 · 2025-06-14 21:02:03 +02:00 · 2025-06-14 21:01:52 +02:00 · 2025-06-13 02:43:39 +02:00
12 changed files with 196 additions and 19 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -11,6 +11,7 @@ keys:
  - &immich age1afyntwvj672lcq2e4dpxmw3syplzurnnd8q8j3265843jeedpveqkp465z
  - &miniflux age15ja22wd9tt60vn32sk59pp6c7vtjsn8y3rypn8qfnvxthug8sp0q6f72uh
  - &radicale age1j6z39kmnxkqa7jdcjsydy5cryjce7fttf225fh3pldyvq06ax3fq58mk8c
+  - &stream age148r2q3cy9sjem37rvgtcc4qjx8usxkdg77pqexa56gmcexn58aaslh3cnj
 creation_rules:
  - path_regex: hosts/toaster/[^/]+\.yaml$
    key_groups:
@ -66,3 +67,9 @@ creation_rules:
        - *admin_oxa
        age:
        - *conduwuit
+  - path_regex: hosts/stream/[^/]+\.yaml$
+    key_groups:
+      - pgp:
+        - *admin_oxa
+        age:
+        - *stream
--- a/flake.lock
+++ b/flake.lock
@ -253,11 +253,11 @@
    "lix": {
      "flake": false,
      "locked": {
-        "lastModified": 1749682763,
-        "narHash": "sha256-DDhns3NS6L5OlYR0mSX03I5D7uGLyyd3MZegd1wTCyc=",
-        "rev": "ee0655240270480d7f6063dcf12ec47f04d2ded6",
+        "lastModified": 1749838547,
+        "narHash": "sha256-4qJy0n+6P13/XAHPlcjcWK6MDNYd38PkFdI8iCiJYYo=",
+        "rev": "1e34c3747779a82d59ef27b351d4ed02fb372a2a",
        "type": "tarball",
-        "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/ee0655240270480d7f6063dcf12ec47f04d2ded6.tar.gz?rev=ee0655240270480d7f6063dcf12ec47f04d2ded6"
+        "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/1e34c3747779a82d59ef27b351d4ed02fb372a2a.tar.gz?rev=1e34c3747779a82d59ef27b351d4ed02fb372a2a"
      },
      "original": {
        "type": "tarball",
@ -339,11 +339,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1749195551,
-        "narHash": "sha256-W5GKQHgunda/OP9sbKENBZhMBDNu2QahoIPwnsF6CeM=",
+        "lastModified": 1749832440,
+        "narHash": "sha256-lfxhuxAaHlYFGr8yOrAXZqdMt8PrFLzjVqH9v3lQaoY=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "4602f7e1d3f197b3cb540d5accf5669121629628",
+        "rev": "db030f62a449568345372bd62ed8c5be4824fa49",
        "type": "github"
      },
      "original": {
@ -402,11 +402,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1749285348,
-        "narHash": "sha256-frdhQvPbmDYaScPFiCnfdh3B/Vh81Uuoo0w5TkWmmjU=",
+        "lastModified": 1749794982,
+        "narHash": "sha256-Kh9K4taXbVuaLC0IL+9HcfvxsSUx8dPB5s5weJcc9pc=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "3e3afe5174c561dee0df6f2c2b2236990146329f",
+        "rev": "ee930f9755f58096ac6e8ca94a1887e0534e2d81",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -1,7 +1,7 @@
 {
  inputs = {
-    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+    nixpkgs-unstable.url = "github:nixos/nixpkgs?ref=nixos-unstable";
+    nixpkgs.url = "github:NixOS/nixpkgs?ref=nixos-25.05";

    flake-utils.url = "github:numtide/flake-utils";

@ -10,7 +10,7 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

-    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
+    nixos-hardware.url = "github:NixOS/nixos-hardware?ref=master";

    microvm = {
      url = "github:astro/microvm.nix";
@ -21,7 +21,7 @@
    };

    lanzaboote = {
-      url = "github:nix-community/lanzaboote/v0.4.2";
+      url = "github:nix-community/lanzaboote?ref=v0.4.2";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };

@ -71,6 +71,7 @@
            "forgejo"
            "miniflux"
            "radicale"
+            "stream"
          ];
          microvm-unstable-list = [
            "auth"
@ -121,7 +122,7 @@
              ./modules/emacs.nix
              ./modules/gnupg.nix
              ./modules/mail
-              ./modules/plasma.nix
+              ./modules/gnome.nix
              ./modules/radio.nix
              ./modules/science.nix
              ./modules/tlp.nix
--- a/hosts/cloud/proxy/default.nix
+++ b/hosts/cloud/proxy/default.nix
@ -60,5 +60,37 @@ in
    '';

    virtualHosts."news.oxapentane.com".extraConfig = "reverse_proxy http://10.89.88.14:8080";
+
+        virtualHosts."music.oxapentane.com".extraConfig = ''
+      route {
+          reverse_proxy /outpost.goauthentik.io/* 10.89.88.11:9000 [fd31:185d:722f::11]:9000
+
+          @protected not path /share/* /rest/*
+          forward_auth @protected 10.89.88.11:9000 {
+              uri /outpost.goauthentik.io/auth/caddy
+              copy_headers X-Authentik-Username>Remote-User
+              trusted_proxies 10.89.88.11 fd31:185d:722f::11
+          }
+
+
+          @subsonic path /rest/*
+          forward_auth @subsonic 10.89.88.11:9000 {
+              uri /outpost.goauthentik.io/auth/caddy
+              copy_headers X-Authentik-Username>Remote-User
+              @error status 1xx 3xx 4xx 5xx
+              handle_response @error {
+                  respond <<SUBSONICERR
+                  <subsonic-response xmlns="http://subsonic.org/restapi" status="failed" version="1.16.1" type="proxy-auth" serverVersion="n/a" openSubsonic="true">
+                    <error code="40" message="Invalid credentials or unsupported client"></error>
+                  </subsonic-response>
+                  SUBSONICERR 200
+              }
+              trusted_proxies 10.89.88.11 fd31:185d:722f::11
+          }
+      }
+      reverse_proxy 10.89.88.17:4533
+
+    '';
+
  };
 }
--- a/hosts/stream/default.nix
+++ b/hosts/stream/default.nix
@ -0,0 +1,76 @@
+{ config, lib, ... }:
+let
+  mac = "02:00:00:00:00:07";
+in
+{
+  imports = [
+    ./navidrome.nix
+  ];
+
+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+  sops.secrets = {
+    "wg/0xa-proxy" = {
+      owner = config.users.users.systemd-network.name;
+    };
+  };
+
+  microvm = {
+    hypervisor = "qemu";
+    mem = 4 * 1024;
+    vcpu = 3;
+    interfaces = [
+      {
+        type = "tap";
+        id = "uvm-stream";
+        mac = mac;
+      }
+    ];
+    shares =
+      [
+        {
+          source = "/nix/store";
+          mountPoint = "/nix/.ro-store";
+          tag = "store";
+          proto = "virtiofs";
+        }
+      ]
+      ++ map
+        (dir: {
+          source = dir;
+          mountPoint = "/${dir}";
+          tag = dir;
+          proto = "virtiofs";
+        })
+        [
+          "etc"
+          "var"
+          "home"
+        ];
+  };
+
+  networking.useNetworkd = true;
+  networking.firewall.enable = lib.mkForce false; # firewalling done by the host
+
+  systemd.network = {
+    enable = true;
+    networks."11-host" = {
+      matchConfig.MACAddress = mac;
+      networkConfig = {
+        Address = "10.99.99.17/24";
+        DHCP = "no";
+      };
+      routes = [
+        {
+          Gateway = "10.99.99.1";
+          Destination = "0.0.0.0/0";
+          Metric = 1024;
+        }
+      ];
+    };
+  };
+
+  networking.hostName = "stream";
+  system.stateVersion = "25.05";
+}
--- a/hosts/stream/navidrome.nix
+++ b/hosts/stream/navidrome.nix
@ -0,0 +1,16 @@
+{ ... }:
+{
+  services.navidrome = {
+    enable = true;
+    settings = {
+      Address = "10.89.88.17";
+      BaseUrl = "/";
+      EnableExternalServices = false;
+      MusicFolder = "/var/lib/navidrome/music";
+      Port = 4533;
+      ScanSchedule = "@every 11m";
+      TranscodingCacheSize = "11GiB";
+      ReverseProxyWhitelist = "10.89.88.1/24";
+    };
+  };
+}
--- a/hosts/stream/secrets.yaml
+++ b/hosts/stream/secrets.yaml
@ -0,0 +1,38 @@
+wg:
+    0xa-proxy: ENC[AES256_GCM,data:uZfFc4elxCAVZvdIHJ7lgoPs9qKkD9ZvLhcYbexDcqn0alaMzIr++CY52FI=,iv:CREMt6GrLHs4Jwj/55awDFHh9hQlJPEi4ZQ7ZLMPvRA=,tag:iJAGdqzQbyezmDj+tzjdNQ==,type:str]
+sops:
+    age:
+        - recipient: age148r2q3cy9sjem37rvgtcc4qjx8usxkdg77pqexa56gmcexn58aaslh3cnj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSko5L1BCOTR1QmZabGw3
+            QS9kbDZyWEJvV09MNkNqbTNncjZrOXl6WFZrCmxQelVzbjdvUUl4aVl3UVFVL0Q5
+            S0VDNkdvcDZnZytCdjBrZUZYTFlEZncKLS0tIG1NWnlnRGovcWxDL2JYMTc2bEY5
+            K29Dd0t6b3FMZjU2cXFBbEw3RktkQlkKCh+jXv65KfAsSR4/0+UWwU5tCphrEEgE
+            WDbIdUZ8j5xHHQwJ58cU7uQ+BSy0yZlwwr8vPoaKdXQzMgyrQfq3gg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-06-12T22:54:11Z"
+    mac: ENC[AES256_GCM,data:15EU9VupWfvR8CrfKrX3nhpD60hYB2LY3vuAPvdqzKLliqSqolNj956fOFicfSHvmW/s+7x+M+5FROnOzSbToTZotFtvALQihHH999veGZMx8Q8oIyljT1PBw/SU9djXPI1KjG/zzYOAwu7y/Ffm0QKhMRziH7CQLn30KR0o2w0=,iv:ghdyTvcpgnBi2L9s4UrzwWwt9TeU0WkGquZ64+w9IN8=,tag:4m4hYFgejlEaQROB/OEi6g==,type:str]
+    pgp:
+        - created_at: "2025-06-12T22:51:49Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA7zUOKwzpAE7AQ/8ClHQoCuiC0AH28bDit4qjNh/TnYq3IbAdyITOqUYPRc6
+            th8MCDY0CfxvzDTLYxTlHH4MNDOiWWTMg/shC8xV3MrAIpEQV79ivYMay04aWpCH
+            HqlhjBynCwAnJRanc9Ch5zW1wCjpgMp+kMDX8JhhUL0Rmt2fd2nSp4R2bb+/HRvn
+            vAaDq3TTLkLr1OHcTNKFFbXafGLKMahxkQGRMgD1DIPCLW+nUxerUnlxHo4yjj3B
+            WKXBVKeWowgBHvelHqUVf6yeSmWZyFDP/jFxFEi75A+BYmwxlQcRDn0L0NKUlMa/
+            uF3jtW3XBMS/sLX7aRscBFeEq9XPce9urJK4KPFNVFI3X1WbD6O/Z87Y+MHa2n0s
+            DuxIwrffpw8p4qSVBAJLbSW1vR/suGh/0Cr31mzo4FJT92A93wc8JdLdpHUfTXL/
+            bEbt6M7OSqvIt5/mor7Ad6/HRkEl+sZJnHqeU/qKfAIKKfz5UVG/ZCZDZlVGTmpp
+            lV9Dn8QjA1ut4lMvACJBocnrlH4T6150ULL0r3gHuVy5YhnGR+LWFdgaCJ4v3f1J
+            A59eAyQENNMoSGZU/YZx95kFPc1O/GIkmiMpXZxBISN3F70QP30ieqbP1qnZRfMg
+            GldVAFhfaHct4lujlgRfOkmwcNG3gTIru4wAqg+wzriI9jm9vEoF0MDJs2cwNYTS
+            XgE32jq6Li59TMUQH9iB4l0cM42QbQ8BcSn6o/NhmF6HHq9W5yuD6EIs4KNfdHv6
+            ikgqQuGGO9v7qDMd0piyqeLRGMANepxrR5uMsbFmMnah9RUq9CjRbMADLa+8DeU=
+            =fEVm
+            -----END PGP MESSAGE-----
+          fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2
--- a/hosts/toaster/default.nix
+++ b/hosts/toaster/default.nix
@ -66,7 +66,7 @@
    home = "/home/0xa";
    isNormalUser = true;
    uid = 1000;
-    shell = pkgs.zsh;
+    shell = pkgs.fish;
  };

  # This value determines the NixOS release from which the default
--- a/modules/desktop-software.nix
+++ b/modules/desktop-software.nix
@ -17,6 +17,7 @@
    mpv
    obs-studio
    qbittorrent
+    transmission_4-gtk
    signal-desktop
    spotify
    telegram-desktop
--- a/modules/devtools.nix
+++ b/modules/devtools.nix
@ -31,7 +31,7 @@
      nix-index
      kicad
      kikit
-      freecad-wayland
+      freecad-qt6
      imhex
      python3Full
      nixfmt-rfc-style
--- a/modules/gnupg.nix
+++ b/modules/gnupg.nix
@ -4,8 +4,6 @@
  environment.systemPackages = with pkgs; [
    gnupg
    opensc
-
-    yubikey-personalization-gui
  ];

  # smartcard support
--- a/modules/wg/proxy.nix
+++ b/modules/wg/proxy.nix
@ -71,6 +71,14 @@
          publicKey = "dj5/CnTAFe5ELnZ5oWonYc+5VdzDyooTYGb/bqcxf3Y=";
          privateKeyFile = config.sops.secrets."wg/0xa-proxy".path;
        };
+        "stream" = {
+          address = [
+            "10.89.88.17/24"
+            "fd31:185d:722f::17/48"
+          ];
+          publicKey = "RDxbOvd/1FSWqIp5v1++wPBcG1hScAT4mhIlMZdvxU4=";
+          privateKeyFile = config.sops.secrets."wg/0xa-proxy".path;
+        };
      };
    }
  ];
Author	SHA1	Message	Date
Grisha Shipunov	e23db8a0b4	make branch spec uniform in inputs	2025-06-14 21:02:32 +02:00
Grisha Shipunov	fee7a194db	plasma still krashes	2025-06-14 21:02:20 +02:00
Grisha Shipunov	efd0790d4f	bump lock	2025-06-14 21:02:03 +02:00
Grisha Shipunov	22d7c181e3	software changes	2025-06-14 21:01:52 +02:00
Grisha Shipunov	2a44e5c81e	deploy stream (navidrome) microvm	2025-06-13 02:43:39 +02:00