diff --git a/.editorconfig b/.editorconfig deleted file mode 100644 index 2eafe75..0000000 --- a/.editorconfig +++ /dev/null @@ -1,3 +0,0 @@ -[*.nix] -indent_style = space -indent_size = 2 diff --git a/.github/workflows/build-machines-and-homes.yml b/.github/workflows/build-machines-and-homes.yml index 7c45cd6..e7e2764 100644 --- a/.github/workflows/build-machines-and-homes.yml +++ b/.github/workflows/build-machines-and-homes.yml @@ -8,8 +8,6 @@ env: TERM: ansi AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets. AWS_SECRET_ACCESS_KEY }} - AWS_DEFAULT_REGION: us-east-1 - AWS_ENDPOINT_URL: https://s3.cy7.sh jobs: build-machines: @@ -37,7 +35,7 @@ jobs: build-mount-path: /nix - name: setup binary cache key - run: echo -n "${{ secrets.NIX_CACHE_SECRET_KEY }}" | xxd -p -r > ${{ runner.temp }}/cache-priv-key.pem + run: echo "${{ secrets.NIX_CACHE_SECRET_KEY }}" >> /home/runner/cache-priv-key.pem - name: Install Nix uses: cachix/install-nix-action@v30 @@ -48,10 +46,16 @@ jobs: experimental-features = nix-command flakes accept-flake-config = true system-features = nixos-test benchmark big-parallel kvm - secret-key-files = ${{ runner.temp }}/cache-priv-key.pem - extra-substituters = https://nixcache.cy7.sh - extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= - download-buffer-size = 1073741824 + secret-key-files = /home/runner/cache-priv-key.pem + extra-substituters = https://nixcache.cy7.sh https://cache.lix.systems https://attic.kennel.juneis.dog/conduwuit + extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o= conduwuit:BbycGUgTISsltcmH0qNjFR9dbrQNYgdIAcmViSGoVTE= + + - name: Install Lix + run: | + sudo --preserve-env=PATH $(which nix) run \ + 'git+https://git.lix.systems/lix-project/lix?ref=refs/tags/2.92.0' -- \ + upgrade-nix + nix --version - name: Sync repository uses: actions/checkout@v4 
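Review bot: The new `setup binary cache key` line appends the signing key with `>>` to a fixed path under `/home/runner` and relies on the default umask, so the file is probably readable by other local users and, on any runner whose home directory persists between jobs, would accumulate repeated copies and outlive the job. The secret is also expanded by `${{ }}` straight into the script text, so a quote, backtick or `$` in the value would be interpreted by the shell. I would pass it through the step's `env:` and write it with `umask 077; printf '%s\n' "$NIX_CACHE_SECRET_KEY" > "$RUNNER_TEMP/cache-priv-key.pem"`, then point `secret-key-files` and the `secret-key=` parameter at that path, as the removed lines did with `${{ runner.temp }}`. The same line is added in the build-homes hunk (`@@ -96,7 +105,7`) and in build-packages.yml (`@@ -30,7 +28,7`).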
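Review bot: The added `Install Lix` step runs, under `sudo`, whatever `refs/tags/2.92.0` on git.lix.systems resolves to at job time; a tag can be moved, so the code that replaces Nix on a runner holding the cache signing key is not fixed by this workflow. Appending `&rev=<full commit hash of the 2.92.0 tag>` to the flake URL would make the fetch fail if the tag ever changes. The same hunk also trusts two more substituters and keys (`cache.lix.systems`, and `attic.kennel.juneis.dog/conduwuit` in this job only), and neither is listed as `-u` in the later `cache` step, so paths substituted from them may be pushed to `nixcache` and signed with the project's own key; that is worth confirming against how nixcp selects paths. The identical `Install Lix` step is added at `@@ -107,10 +116,16` and in build-packages.yml at `@@ -41,20 +39,33`.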
@@ -60,16 +64,20 @@ jobs: - name: build run: | + # package=".#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel" + # nix build -L "$package" nix run nixpkgs#nixos-rebuild build -- -L --flake ".#${{ matrix.machine }}" - name: cache + # https://stackoverflow.com/a/58859404 + if: '!cancelled()' run: | - nix run \ - github:cything/nixcp -- push \ - --bucket nixcache \ - --endpoint $AWS_ENDPOINT_URL \ - --signing-key ${{ runner.temp }}/cache-priv-key.pem \ - result + package=".#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel" + nix run git+https://git.cy7.sh/cy/nixcp.git -- \ + --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=none' \ + -u https://nix-community.cachix.org \ + -u https://nixcache.web.cy7.sh \ + $package build-homes: strategy: @@ -80,6 +88,7 @@ jobs: - yt@chunk os: - ubuntu-latest + # - macos-latest runs-on: ${{ matrix.os }} steps: @@ -96,7 +105,7 @@ jobs: build-mount-path: /nix - name: setup binary cache key - run: echo -n "${{ secrets.NIX_CACHE_SECRET_KEY }}" | xxd -p -r > ${{ runner.temp }}/cache-priv-key.pem + run: echo "${{ secrets.NIX_CACHE_SECRET_KEY }}" >> /home/runner/cache-priv-key.pem - name: Install Nix uses: cachix/install-nix-action@v30 
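Review bot: The rewritten `cache` step executes the default-branch head of `git+https://git.cy7.sh/cy/nixcp.git` with the signing key path on its command line and the AWS credentials in its environment (they are set in the workflow-level `env:`), so a changed or compromised nixcp revision would receive both. Pinning the flake reference with `?rev=<reviewed nixcp commit>` and moving `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` from the workflow `env:` into this step's `env:` would limit that exposure to one reviewed revision and one step. With `if: '!cancelled()'` the step also runs after a failed build, so a comment stating what is expected to be pushed in that case would help the next reader. `$package` is unquoted here while build-packages.yml quotes `"${{ matrix.package }}"`; `"$package"` would match. The same step is added for homes at `@@ -123,10 +138,12` and for packages at `@@ -41,20 +39,33`.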
@@ -107,10 +116,16 @@ jobs: experimental-features = nix-command flakes accept-flake-config = true system-features = nixos-test benchmark big-parallel kvm - secret-key-files = ${{ runner.temp }}/cache-priv-key.pem - extra-substituters = https://nixcache.cy7.sh - extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= - download-buffer-size = 1073741824 + secret-key-files = /home/runner/cache-priv-key.pem + extra-substituters = https://nixcache.cy7.sh https://cache.lix.systems + extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o= + + - name: Install Lix + run: | + sudo --preserve-env=PATH $(which nix) run \ + 'git+https://git.lix.systems/lix-project/lix?ref=refs/tags/2.92.0' -- \ + upgrade-nix + nix --version - name: Sync repository uses: actions/checkout@v4 @@ -123,10 +138,12 @@ jobs: nix build -L "$package" - name: cache + # https://stackoverflow.com/a/58859404 + if: '!cancelled()' run: | - nix run \ - github:cything/nixcp -- push \ - --bucket nixcache \ - --endpoint $AWS_ENDPOINT_URL \ - --signing-key ${{ runner.temp }}/cache-priv-key.pem \ - result + package=".#homeConfigurations."${{ matrix.home }}".activationPackage" + nix run git+https://git.cy7.sh/cy/nixcp.git -- \ + --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=none' \ + -u https://nix-community.cachix.org \ + -u https://nixcache.web.cy7.sh \ + $package diff --git a/.github/workflows/build-packages.yml b/.github/workflows/build-packages.yml index 678db19..c188482 100644 --- a/.github/workflows/build-packages.yml +++ b/.github/workflows/build-packages.yml @@ -11,8 +11,6 @@ env: TERM: ansi AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets. AWS_SECRET_ACCESS_KEY }} - AWS_DEFAULT_REGION: us-east-1 - AWS_ENDPOINT_URL: https://s3.cy7.sh jobs: build-packages: 
@@ -30,7 +28,7 @@ jobs: steps: - name: setup binary cache key - run: echo -n "${{ secrets.NIX_CACHE_SECRET_KEY }}" | xxd -p -r > ${{ runner.temp }}/cache-priv-key.pem + run: echo "${{ secrets.NIX_CACHE_SECRET_KEY }}" >> /home/runner/cache-priv-key.pem - name: Install Nix uses: cachix/install-nix-action@v30 @@ -41,20 +39,33 @@ jobs: experimental-features = nix-command flakes accept-flake-config = true system-features = nixos-test benchmark big-parallel kvm - secret-key-files = ${{ runner.temp }}/cache-priv-key.pem - extra-substituters = https://nixcache.cy7.sh - extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= + secret-key-files = /home/runner/cache-priv-key.pem + extra-substituters = https://nixcache.cy7.sh https://cache.lix.systems + extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o= + + - name: Install Lix + run: | + sudo --preserve-env=PATH $(which nix) run \ + 'git+https://git.lix.systems/lix-project/lix?ref=refs/tags/2.92.0' -- \ + upgrade-nix + nix --version + + - name: Sync repository + uses: actions/checkout@v4 + with: + persist-credentials: false - run: nix build -L ${{ matrix.package }} - - name: cache + - name: cache result + # https://stackoverflow.com/a/58859404 + if: '!cancelled()' run: | - nix run \ - github:cything/nixcp -- push \ - --bucket nixcache \ - --endpoint $AWS_ENDPOINT_URL \ - --signing-key ${{ runner.temp }}/cache-priv-key.pem \ - result + nix run git+https://git.cy7.sh/cy/nixcp.git -- \ + --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=none' \ + -u https://nix-community.cachix.org \ + -u https://nixcache.web.cy7.sh \ + "${{ matrix.package }}" - name: prepare tarball to upload run: nix run github:nixos/nixpkgs#gnutar hcvf result.tar result diff --git a/.sops.yaml b/.sops.yaml index 5dca48c..21d2151 100644 --- a/.sops.yaml +++ b/.sops.yaml 
@@ -135,10 +135,4 @@ creation_rules: - *yt - *cy - *chunk - - path_regex: secrets/services/karakeep.yaml - key_groups: - - age: - - *yt - - *cy - - *chunk diff --git a/README.md b/README.md new file mode 100644 index 0000000..eb52498 --- /dev/null +++ b/README.md @@ -0,0 +1,40 @@ +# infra +## ./home +- [home-manager](https://github.com/nix-community/home-manager) configuration files +- foot, tmux, and zsh are configured in Nix +- nvim, rofi, sway, waybar are configured in their own literature and symlinked to $XDG_CONFIG_HOME with home-manager + +## ./hosts +- [`hosts/common.nix`](hosts/common.nix): configuration that makes sense on all computers +- [`hosts/zsh.nix`](hosts/zsh.nix): for computers that have the power to run zsh +### ./hosts/ytnix +- personal laptop +- a single [`default.nix`](hosts/ytnix/default.nix) that could be modularized but works for now + +### ./hosts/chunk +- the overworked server with 5% SLA +- very short and concise [`default.nix`](hosts/chunk/default.nix) +- services organized in their modules +- some services run through `virtualisation.oci-containers`: + - [immich](hosts/chunk/immich.nix) + - [conduwuit](hosts/chunk/conduwuit.nix) + +### ./hosts/titan +- got this cause chunk would go down way too often :( +- hosted on azure for "reliability" +- runs: + - [ghost](hosts/titan/ghost.nix) (through `virtualisation.oci-containers`) + - [uptime-kuma](hosts/titan/uptime-kuma.nix) + - [ntfy-sh](hosts/titan/ntfy.nix) + +## ./secrets +- secrets +- see [`.sops.yaml`](.sops.yaml) for who privy to what + +## backups +- hourly borgbackup to [rsync.net](https://rsync.net) +- see [modules/backup](modules/backup.nix) + +## monitoring +- [status.cything.io](https://status.cything.io/): uptime kuma (reliable) +- [grafana.cything.io](https://grafana.cything.io/): some real-time metrics here; unlike the status page this will go kaput often diff --git a/ci/upload-to-cache.sh b/ci/upload-to-cache.sh deleted file mode 100755 index 559d062..0000000 
--- a/ci/upload-to-cache.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/sh - -# https://nix.dev/guides/recipes/post-build-hook.html#implementing-the-build-hook -set -eu -set -f # disable globbing -export IFS=' ' -echo "Uploading paths" $OUT_PATHS -exec /nix/var/nix/profiles/default/bin/nix copy --to "s3://nixcache?endpoint=s3.cy7.sh&compression=zstd¶llel-compression=true" $OUT_PATHS diff --git a/flake.lock b/flake.lock index 2af1d4d..0fe0871 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,12 +1,146 @@ { "nodes": { - "crane": { + "attic": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "nix-github-actions": "nix-github-actions", + "nixpkgs": "nixpkgs", + "nixpkgs-stable": "nixpkgs-stable" + }, "locked": { - "lastModified": 1737689766, - "narHash": "sha256-ivVXYaYlShxYoKfSo5+y5930qMKKJ8CLcAoIBPQfJ6s=", + "lastModified": 1738524606, + "narHash": "sha256-hPYEJ4juK3ph7kbjbvv7PlU1D9pAkkhl+pwx8fZY53U=", + "owner": "zhaofengli", + "repo": "attic", + "rev": "ff8a897d1f4408ebbf4d45fa9049c06b3e1e3f4e", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "ref": "main", + "repo": "attic", + "type": "github" + } + }, + "cachix": { + "inputs": { + "devenv": "devenv", + "flake-compat": "flake-compat_2", + "git-hooks": "git-hooks", + "nixpkgs": "nixpkgs_4" + }, + "locked": { + "lastModified": 1737621947, + "narHash": "sha256-8HFvG7fvIFbgtaYAY2628Tb89fA55nPm2jSiNs0/Cws=", + "owner": "cachix", + "repo": "cachix", + "rev": "f65a3cd5e339c223471e64c051434616e18cc4f5", + "type": "github" + }, + "original": { + "owner": "cachix", + "ref": "master", + "repo": "cachix", + "type": "github" + } + }, + "cachix_2": { + "inputs": { + "devenv": [ + "conduwuit", + "cachix", + "devenv" + ], + "flake-compat": [ + "conduwuit", + "cachix", + "devenv" + ], + "git-hooks": [ + "conduwuit", + "cachix", + "devenv" + ], + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1728672398, + "narHash": "sha256-KxuGSoVUFnQLB2ZcYODW7AVPAh9JqRlD5BrfsC/Q4qs=", + "owner": "cachix", + "repo": "cachix", + "rev": "aac51f698309fd0f381149214b7eee213c66ef0a", + "type": "github" + }, + "original": { + "owner": "cachix", + "ref": "latest", + "repo": "cachix", + "type": "github" + } + }, + "complement": { + "flake": false, + "locked": { + "lastModified": 1741891349, + "narHash": "sha256-YvrzOWcX7DH1drp5SGa+E/fc7wN3hqFtPbqPjZpOu1Q=", + "owner": "girlbossceo", + "repo": "complement", + "rev": 
"e587b3df569cba411aeac7c20b6366d03c143745", + "type": "github" + }, + "original": { + "owner": "girlbossceo", + "ref": "main", + "repo": "complement", + "type": "github" + } + }, + "conduwuit": { + "inputs": { + "attic": "attic", + "cachix": "cachix", + "complement": "complement", + "crane": "crane_2", + "fenix": "fenix", + "flake-compat": "flake-compat_3", + "flake-utils": "flake-utils", + "liburing": "liburing", + "nix-filter": "nix-filter", + "nixpkgs": [ + "nixpkgs" + ], + "rocksdb": "rocksdb" + }, + "locked": { + "lastModified": 1743473828, + "narHash": "sha256-x/sfh6LCHGAz8rL23GHhH7dac1LtHBbRRJi1p8gOdtI=", + "owner": "girlbossceo", + "repo": "conduwuit", + "rev": "0f81c1e1ccdcb0c5c6d5a27e82f16eb37b1e61c8", + "type": "github" + }, + "original": { + "owner": "girlbossceo", + "repo": "conduwuit", + "type": "github" + } + }, + "crane": { + "inputs": { + "nixpkgs": [ + "conduwuit", + "attic", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1722960479, + "narHash": "sha256-NhCkJJQhD5GUib8zN9JrmYGMwt4lCRp6ZVNzIiYCl0Y=", "owner": "ipetkov", "repo": "crane", - "rev": "6fe74265bbb6d016d663b1091f015e2976c4a527", + "rev": "4c6c77920b8d44cd6660c1621dea6b3fc4b4c4f4", "type": "github" }, "original": { @@ -17,11 +151,27 @@ }, "crane_2": { "locked": { - "lastModified": 1746291859, - "narHash": "sha256-DdWJLA+D5tcmrRSg5Y7tp/qWaD05ATI4Z7h22gd1h7Q=", + "lastModified": 1742394900, + "narHash": "sha256-vVOAp9ahvnU+fQoKd4SEXB2JG2wbENkpqcwlkIXgUC0=", "owner": "ipetkov", "repo": "crane", - "rev": "dfd9a8dfd09db9aad544c4d3b6c47b12562544a5", + "rev": "70947c1908108c0c551ddfd73d4f750ff2ea67cd", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "ref": "master", + "repo": "crane", + "type": "github" + } + }, + "crane_3": { + "locked": { + "lastModified": 1742394900, + "narHash": "sha256-vVOAp9ahvnU+fQoKd4SEXB2JG2wbENkpqcwlkIXgUC0=", + "owner": "ipetkov", + "repo": "crane", + "rev": "70947c1908108c0c551ddfd73d4f750ff2ea67cd", "type": "github" }, "original": { 
@@ -30,17 +180,90 @@ "type": "github" } }, - "flake-compat": { + "crane_4": { "locked": { - "lastModified": 1717312683, - "narHash": "sha256-FrlieJH50AuvagamEvWMIE6D2OAnERuDboFDYAED/dE=", + "lastModified": 1742394900, + "narHash": "sha256-vVOAp9ahvnU+fQoKd4SEXB2JG2wbENkpqcwlkIXgUC0=", + "owner": "ipetkov", + "repo": "crane", + "rev": "70947c1908108c0c551ddfd73d4f750ff2ea67cd", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "devenv": { + "inputs": { + "cachix": "cachix_2", + "flake-compat": [ + "conduwuit", + "cachix", + "flake-compat" + ], + "git-hooks": [ + "conduwuit", + "cachix", + "git-hooks" + ], + "nix": "nix", + "nixpkgs": [ + "conduwuit", + "cachix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1733323168, + "narHash": "sha256-d5DwB4MZvlaQpN6OQ4SLYxb5jA4UH5EtV5t5WOtjLPU=", + "owner": "cachix", + "repo": "devenv", + "rev": "efa9010b8b1cfd5dd3c7ed1e172a470c3b84a064", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "devenv", + "type": "github" + } + }, + "fenix": { + "inputs": { + "nixpkgs": [ + "conduwuit", + "nixpkgs" + ], + "rust-analyzer-src": "rust-analyzer-src" + }, + "locked": { + "lastModified": 1740724364, + "narHash": "sha256-D1jLIueJx1dPrP09ZZwTrPf4cubV+TsFMYbpYYTVj6A=", "owner": "nix-community", - "repo": "flake-compat", - "rev": "38fd3954cf65ce6faf3d0d45cd26059e059f07ea", + "repo": "fenix", + "rev": "edf7d9e431cda8782e729253835f178a356d3aab", "type": "github" }, "original": { "owner": "nix-community", + "ref": "main", + "repo": "fenix", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", "repo": "flake-compat", "type": "github" } 
@@ -61,7 +284,101 @@ "type": "github" } }, + "flake-compat_3": { + "flake": false, + "locked": { + "lastModified": 1733328505, + "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", + "type": "github" + }, + "original": { + "owner": "edolstra", + "ref": "master", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_4": { + "locked": { + "lastModified": 1717312683, + "narHash": "sha256-FrlieJH50AuvagamEvWMIE6D2OAnERuDboFDYAED/dE=", + "owner": "nix-community", + "repo": "flake-compat", + "rev": "38fd3954cf65ce6faf3d0d45cd26059e059f07ea", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_5": { + "flake": false, + "locked": { + "lastModified": 1733328505, + "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "conduwuit", + "attic", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1722555600, + "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": [ + "conduwuit", + "cachix", + "devenv", + "nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1712014858, + "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d", + "type": "github" + }, + "original": { + "owner": 
"hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_3": { "inputs": { "nixpkgs-lib": [ "lanzaboote", @@ -96,6 +413,7 @@ }, "original": { "owner": "numtide", + "ref": "main", "repo": "flake-utils", "type": "github" } 
@@ -136,22 +454,73 @@ "type": "github" } }, + "flake-utils_4": { + "inputs": { + "systems": "systems_4" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_5": { + "inputs": { + "systems": "systems_5" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flakey-profile": { + "locked": { + "lastModified": 1712898590, + "narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=", + "owner": "lf-", + "repo": "flakey-profile", + "rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d", + "type": "github" + }, + "original": { + "owner": "lf-", + "repo": "flakey-profile", + "type": "github" + } + }, "garage": { "inputs": { - "crane": "crane", - "flake-compat": "flake-compat", - "flake-utils": "flake-utils", + "crane": "crane_3", + "flake-compat": "flake-compat_4", + "flake-utils": "flake-utils_2", "nixpkgs": [ "nixpkgs" ], "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1748012719, - "narHash": "sha256-s6VG70nqLCzAOLRgZ3oETQ8VJcsrEUol2vjTiYyesK4=", + "lastModified": 1742547966, + "narHash": "sha256-AJfw+XRaRyrlpb9Wy6rVz44JePy0AXWPECXVPBnrOfI=", "owner": "deuxfleurs-org", "repo": "garage", - "rev": "37e5621dde5c25ccac4f6da4d7c60f45fc71ff88", + "rev": "14d2f2b18da015508d4a1e31b2f014da5188d516", "type": "github" }, "original": { 
@@ -160,7 +529,59 @@ "type": "github" } }, + "git-hooks": { + "inputs": { + "flake-compat": [ + "conduwuit", + "cachix", + "flake-compat" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "conduwuit", + "cachix", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable_2" + }, + "locked": { + "lastModified": 1733318908, + "narHash": "sha256-SVQVsbafSM1dJ4fpgyBqLZ+Lft+jcQuMtEL3lQWx2Sk=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "6f4e2a2112050951a314d2733a994fbab94864c6", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, "gitignore": { + "inputs": { + "nixpkgs": [ + "conduwuit", + "cachix", + "git-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "gitignore_2": { "inputs": { "nixpkgs": [ "lanzaboote", @@ -189,11 +610,11 @@ ] }, "locked": { - "lastModified": 1748529677, - "narHash": "sha256-MJEX3Skt5EAIs/aGHD8/aXXZPcceMMHheyIGSjvxZN0=", + "lastModified": 1743556466, + "narHash": "sha256-rvU79DJ6rPDxiH0sTp686Vlm+JewwAZPGcwt8OfHJbM=", "owner": "nix-community", "repo": "home-manager", - "rev": "da282034f4d30e787b8a10722431e8b650a907ef", + "rev": "5ee44bc7c2e853f144390a12ebe5174ad7e3b9e0", "type": "github" }, "original": { @@ -204,9 +625,9 @@ }, "lanzaboote": { "inputs": { - "crane": "crane_2", - "flake-compat": "flake-compat_2", - "flake-parts": "flake-parts", + "crane": "crane_4", + "flake-compat": "flake-compat_5", + "flake-parts": "flake-parts_3", "nixpkgs": [ "nixpkgs" ], 
@@ -214,11 +635,11 @@ "rust-overlay": "rust-overlay_2" }, "locked": { - "lastModified": 1747056319, - "narHash": "sha256-qSKcBaISBozadtPq6BomnD+wIYTZIkiua3UuHLaD52c=", + "lastModified": 1741442524, + "narHash": "sha256-tVcxLDLLho8dWcO81Xj/3/ANLdVs0bGyCPyKjp70JWk=", "owner": "nix-community", "repo": "lanzaboote", - "rev": "2e425f3da6ce7f5b34fa6eaf7a2a7f78dbabcc85", + "rev": "d8099586d9a84308ffedac07880e7f07a0180ff4", "type": "github" }, "original": { 
@@ -228,9 +649,78 @@ "type": "github" } }, + "libgit2": { + "flake": false, + "locked": { + "lastModified": 1697646580, + "narHash": "sha256-oX4Z3S9WtJlwvj0uH9HlYcWv+x1hqp8mhXl7HsLu2f0=", + "owner": "libgit2", + "repo": "libgit2", + "rev": "45fd9ed7ae1a9b74b957ef4f337bc3c8b3df01b5", + "type": "github" + }, + "original": { + "owner": "libgit2", + "repo": "libgit2", + "type": "github" + } + }, + "liburing": { + "flake": false, + "locked": { + "lastModified": 1740613216, + "narHash": "sha256-NpPOBqNND3Qe9IwqYs0mJLGTmIx7e6FgUEBAnJ+1ZLA=", + "owner": "axboe", + "repo": "liburing", + "rev": "e1003e496e66f9b0ae06674869795edf772d5500", + "type": "github" + }, + "original": { + "owner": "axboe", + "ref": "master", + "repo": "liburing", + "type": "github" + } + }, + "lix": { + "flake": false, + "locked": { + "lastModified": 1737234286, + "narHash": "sha256-pgDJZjj4jpzkFxsqBTI/9Yb0n3gW+DvDtuv9SwQZZcs=", + "rev": "079528098f5998ba13c88821a2eca1005c1695de", + "type": "tarball", + "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/079528098f5998ba13c88821a2eca1005c1695de.tar.gz?rev=079528098f5998ba13c88821a2eca1005c1695de" + }, + "original": { + "type": "tarball", + "url": "https://git.lix.systems/lix-project/lix/archive/release-2.92.tar.gz" + } + }, + "lix-module": { + "inputs": { + "flake-utils": "flake-utils_3", + "flakey-profile": "flakey-profile", + "lix": "lix", + "nixpkgs": "nixpkgs_5" + }, + "locked": { + "lastModified": 1742943028, + "narHash": "sha256-fprwZKE1uMzO9tiWWOrmLWBW3GPkMayQfb0xOvVFIno=", + "ref": "release-2.92", + "rev": "3fae818597ca2f1474de62022f850c23be50528d", + "revCount": 134, + "type": "git", + "url": "https://git.lix.systems/lix-project/nixos-module" + }, + "original": { + "ref": "release-2.92", + "type": "git", + "url": "https://git.lix.systems/lix-project/nixos-module" + } + }, "nil": { "inputs": { - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils_4", "nixpkgs": [ "nixpkgs" ], 
@@ -250,6 +740,85 @@ "type": "github" } }, + "nix": { + "inputs": { + "flake-compat": [ + "conduwuit", + "cachix", + "devenv" + ], + "flake-parts": "flake-parts_2", + "libgit2": "libgit2", + "nixpkgs": "nixpkgs_3", + "nixpkgs-23-11": [ + "conduwuit", + "cachix", + "devenv" + ], + "nixpkgs-regression": [ + "conduwuit", + "cachix", + "devenv" + ], + "pre-commit-hooks": [ + "conduwuit", + "cachix", + "devenv" + ] + }, + "locked": { + "lastModified": 1727438425, + "narHash": "sha256-X8ES7I1cfNhR9oKp06F6ir4Np70WGZU5sfCOuNBEwMg=", + "owner": "domenkozar", + "repo": "nix", + "rev": "f6c5ae4c1b2e411e6b1e6a8181cc84363d6a7546", + "type": "github" + }, + "original": { + "owner": "domenkozar", + "ref": "devenv-2.24", + "repo": "nix", + "type": "github" + } + }, + "nix-filter": { + "locked": { + "lastModified": 1731533336, + "narHash": "sha256-oRam5PS1vcrr5UPgALW0eo1m/5/pls27Z/pabHNy2Ms=", + "owner": "numtide", + "repo": "nix-filter", + "rev": "f7653272fd234696ae94229839a99b73c9ab7de0", + "type": "github" + }, + "original": { + "owner": "numtide", + "ref": "main", + "repo": "nix-filter", + "type": "github" + } + }, + "nix-github-actions": { + "inputs": { + "nixpkgs": [ + "conduwuit", + "attic", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729742964, + "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, "nix-index-database": { "inputs": { "nixpkgs": [ 
@@ -257,11 +826,11 @@ ] }, "locked": { - "lastModified": 1748145500, - "narHash": "sha256-t9fx0l61WOxtWxXCqlXPWSuG/0XMF9DtE2T7KXgMqJw=", + "lastModified": 1743306489, + "narHash": "sha256-LROaIjSLo347cwcHRfSpqzEOa2FoLSeJwU4dOrGm55E=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "a98adbf54d663395df0b9929f6481d4d80fc8927", + "rev": "b3696bfb6c24aa61428839a99e8b40c53ac3a82d", "type": "github" }, "original": { @@ -277,11 +846,11 @@ ] }, "locked": { - "lastModified": 1747646130, - "narHash": "sha256-B4+JyeF6u7FINPD1Fzc7QiDlmG1L06z/34MqMlBfPDQ=", + "lastModified": 1743410259, + "narHash": "sha256-tjdkPPkRT1Mj72yrpN8oUxYw9SaG8wOQWD3auS1bvSs=", "owner": "nix-community", "repo": "nix-ld", - "rev": "14ad0c0a26dae752c93fa9fa59437bfd2b8aaf69", + "rev": "140451db1cadeef1e7e9e054332b67b7be808916", "type": "github" }, "original": { 
@@ -292,11 +861,123 @@ }, "nixpkgs": { "locked": { - "lastModified": 1748370509, - "narHash": "sha256-QlL8slIgc16W5UaI3w7xHQEP+Qmv/6vSNTpoZrrSlbk=", + "lastModified": 1726042813, + "narHash": "sha256-LnNKCCxnwgF+575y0pxUdlGZBO/ru1CtGHIqQVfvjlA=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "159be5db480d1df880a0135ca0bfed84c2f88353", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1724316499, + "narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1730741070, + "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_3": { + "locked": { + "lastModified": 1743501102, + "narHash": "sha256-7PCBQ4aGVF8OrzMkzqtYSKyoQuU2jtpPi4lmABpe5X4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "4faa5f5321320e49a78ae7848582f684d64783e9", + "rev": "02f2af8c8a8c3b2c05028936a1e84daefa1171d4", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1730531603, + "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + 
"locked": { + "lastModified": 1717432640, + "narHash": "sha256-+f9c4/ZX5MWDOuB1rKoWj+lBNm0z0rs4CK47HBLxy1o=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "88269ab3044128b7c2f4c7d68448b2fb50456870", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_4": { + "locked": { + "lastModified": 1733212471, + "narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "55d15ad12a74eb7d4646254e13638ad0c4128776", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_5": { + "locked": { + "lastModified": 1743448293, + "narHash": "sha256-bmEPmSjJakAp/JojZRrUvNcDX2R5/nuX6bm+seVaGhs=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "77b584d61ff80b4cef9245829a6f1dfad5afdfa3", "type": "github" }, "original": { @@ -306,24 +987,40 @@ "type": "github" } }, + "nixpkgs_6": { + "locked": { + "lastModified": 1743559129, + "narHash": "sha256-7gpAWsENV3tY2HmeHYQ2MoQxGpys+jQWnkS/BHAMXVk=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "adae22bea8bcc0aa2fd6e8732044660fb7755f5e", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, "pre-commit-hooks-nix": { "inputs": { "flake-compat": [ "lanzaboote", "flake-compat" ], - "gitignore": "gitignore", + "gitignore": "gitignore_2", "nixpkgs": [ "lanzaboote", "nixpkgs" ] }, "locked": { - "lastModified": 1746537231, - "narHash": "sha256-Wb2xeSyOsCoTCTj7LOoD6cdKLEROyFAArnYoS+noCWo=", + "lastModified": 1740915799, + "narHash": "sha256-JvQvtaphZNmeeV+IpHgNdiNePsIpHD5U/7QN5AeY44A=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "fa466640195d38ec97cf0493d6d6882bc4d14969", + "rev": "42b1ba089d2034d910566bf6b40830af6b8ec732", "type": "github" }, "original": { 
@@ -332,20 +1029,57 @@ "type": "github" } }, + "rocksdb": { + "flake": false, + "locked": { + "lastModified": 1741308171, + "narHash": "sha256-YdBvdQ75UJg5ffwNjxizpviCVwVDJnBkM8ZtGIduMgY=", + "owner": "girlbossceo", + "repo": "rocksdb", + "rev": "3ce04794bcfbbb0d2e6f81ae35fc4acf688b6986", + "type": "github" + }, + "original": { + "owner": "girlbossceo", + "ref": "v9.11.1", + "repo": "rocksdb", + "type": "github" + } + }, "root": { "inputs": { + "conduwuit": "conduwuit", "garage": "garage", "home-manager": "home-manager", "lanzaboote": "lanzaboote", + "lix-module": "lix-module", "nil": "nil", "nix-index-database": "nix-index-database", "nix-ld": "nix-ld", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_6", + "nixpkgs-stable": "nixpkgs-stable_3", "rust-overlay": "rust-overlay_4", "sops-nix": "sops-nix", "vscode-extensions": "vscode-extensions" } }, + "rust-analyzer-src": { + "flake": false, + "locked": { + "lastModified": 1740691488, + "narHash": "sha256-Fs6vBrByuiOf2WO77qeMDMTXcTGzrIMqLBv+lNeywwM=", + "owner": "rust-lang", + "repo": "rust-analyzer", + "rev": "fe3eda77d3a7ce212388bda7b6cec8bffcc077e5", + "type": "github" + }, + "original": { + "owner": "rust-lang", + "ref": "nightly", + "repo": "rust-analyzer", + "type": "github" + } + }, "rust-overlay": { "inputs": { "nixpkgs": [ @@ -376,11 +1110,11 @@ ] }, "locked": { - "lastModified": 1747017456, - "narHash": "sha256-C/U12fcO+HEF071b5mK65lt4XtAIZyJSSJAg9hdlvTk=", + "lastModified": 1743561237, + "narHash": "sha256-dd97LXek202OWmUXvKYFdYWj0jHrn3p+L5Ojh1SEOqs=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "5b07506ae89b025b14de91f697eba23b48654c52", + "rev": "1de27ae43712a971c1da100dcd84386356f03ec7", "type": "github" }, "original": { 
@@ -397,11 +1131,11 @@ ] }, "locked": { - "lastModified": 1741055476, - "narHash": "sha256-52vwEV0oS2lCnx3c/alOFGglujZTLmObit7K8VblnS8=", + "lastModified": 1743561237, + "narHash": "sha256-dd97LXek202OWmUXvKYFdYWj0jHrn3p+L5Ojh1SEOqs=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "aefb7017d710f150970299685e8d8b549d653649", + "rev": "1de27ae43712a971c1da100dcd84386356f03ec7", "type": "github" }, "original": { @@ -417,11 +1151,11 @@ ] }, "locked": { - "lastModified": 1748486227, - "narHash": "sha256-veMuFa9cq/XgUXp1S57oC8K0TIw3XyZWL2jIyGWlW0c=", + "lastModified": 1743561237, + "narHash": "sha256-dd97LXek202OWmUXvKYFdYWj0jHrn3p+L5Ojh1SEOqs=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "4bf1892eb81113e868efe67982b64f1da15c8c5a", + "rev": "1de27ae43712a971c1da100dcd84386356f03ec7", "type": "github" }, "original": { @@ -437,11 +1171,11 @@ ] }, "locked": { - "lastModified": 1747603214, - "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=", + "lastModified": 1743502316, + "narHash": "sha256-zI2WSkU+ei4zCxT+IVSQjNM9i0ST++T2qSFXTsAND7s=", "owner": "Mic92", "repo": "sops-nix", - "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd", + "rev": "e7f4d7ed8bce8dfa7d2f2fe6f8b8f523e54646f8", "type": "github" }, "original": { 
@@ -495,19 +1229,49 @@ "type": "github" } }, + "systems_4": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_5": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "vscode-extensions": { "inputs": { - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_5", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1748397853, - "narHash": "sha256-tudGoP5caIJ5TzkV6wnsmUk7Spx21oWMKpkmPbjRNZc=", + "lastModified": 1743558944, + "narHash": "sha256-LtmHSXZjFXUWYwWhvEPWSbnmAD62TrvLdZGqQvcSHIY=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "ac4fc8eb9a1ee5eeb3c0a30f57652e4c5428d3a5", + "rev": "bc23f562c367b3e6300d596c24f0080220897df7", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 0aea8eb..37215e0 100644 --- a/flake.nix +++ b/flake.nix @@ -2,7 +2,8 @@ description = "cy's flake"; inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small"; + nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11"; sops-nix.url = "github:Mic92/sops-nix"; sops-nix.inputs.nixpkgs.follows = "nixpkgs"; home-manager.url = "github:nix-community/home-manager"; 
@@ -11,6 +12,9 @@ lanzaboote.inputs.nixpkgs.follows = "nixpkgs"; rust-overlay.url = "github:oxalica/rust-overlay"; rust-overlay.inputs.nixpkgs.follows = "nixpkgs"; + conduwuit.url = "github:girlbossceo/conduwuit"; + conduwuit.inputs.nixpkgs.follows = "nixpkgs"; + lix-module.url = "git+https://git.lix.systems/lix-project/nixos-module?ref=release-2.92"; nix-ld.url = "github:nix-community/nix-ld"; nix-ld.inputs.nixpkgs.follows = "nixpkgs"; nil.url = "github:oxalica/nil"; @@ -67,6 +71,7 @@ ./modules inputs.sops-nix.nixosModules.sops inputs.lanzaboote.nixosModules.lanzaboote + inputs.lix-module.nixosModules.default inputs.nix-ld.nixosModules.nix-ld ]; }; @@ -79,6 +84,7 @@ ./hosts/chunk ./modules inputs.sops-nix.nixosModules.sops + inputs.lix-module.nixosModules.default ]; }; }; diff --git a/garnix.yaml b/garnix.yaml new file mode 100644 index 0000000..c189664 --- /dev/null +++ b/garnix.yaml @@ -0,0 +1,6 @@ +builds: + include: + - 'nixosConfigurations.*' + - 'homeConfigurations.*' + - '*.aarch64-linux.*' + - '*.x86_64-linux.*' diff --git a/home/codium.nix b/home/codium.nix index ba4e324..117c9e0 100644 --- a/home/codium.nix +++ b/home/codium.nix @@ -23,6 +23,7 @@ tamasfe.even-better-toml golang.go ms-python.python + christian-kohler.path-intellisense ]; userSettings = let @@ -73,7 +74,6 @@ "telemetry.enableTelemetry" = false; "telemetry.telemetryLevel" = "off"; "window.titleBarStyle" = "custom"; - "editor.formatOnSave" = true; # terminal stuff "terminal.integrated.cursorBlinking" = true; diff --git a/home/kitty.nix b/home/kitty.nix index aedaf96..ea7047f 100644 --- a/home/kitty.nix +++ b/home/kitty.nix 
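Review bot: `lix-module` is added without an `inputs.nixpkgs.follows` line, unlike `conduwuit` just above it and the other inputs in this hunk, so it resolves its own nixpkgs and adds lock nodes that have to be audited and bumped separately. It is also taken from a branch ref (`ref=release-2.92`), so the revision in use is only whatever flake.lock pins at the time. Because `inputs.lix-module.nixosModules.default` is imported into both hosts further down, I would add `lix-module.inputs.nixpkgs.follows = "nixpkgs";` and a short comment such as `# replaces the Nix implementation on every host; revision pinned in flake.lock`. The `inputs` block starts and ends outside this hunk, so a `follows` line elsewhere would not be visible here.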
@@ -7,21 +7,20 @@ package = pkgs.ibm-plex; size = 12; }; + themeFile = "GitHub_Dark"; settings = { enable_audio_bell = true; # how many windows should be open before kitty asks # for confirmation confirm_os_window_close = 0; clear_all_shortcuts = true; - background_opacity = 0.9; # will probably lower this later but the max allowed is actually 4GB # this is NOT stored in memory and can only be viewed with scrollback_pager - "scrollback_pager_history_size" = "10"; # in MB + "scrollback_pager_history_size" = "1024"; # see https://github.com/sharkdp/bat/issues/1077#issuecomment-652785399 "scrollback_pager" = "bat --pager='less -FR +G'"; - # "scrollback_lines" = 20000; - # wheel_scroll_multiplier = 50; + "scrollback_lines" = 20000; }; keybindings = { # kitty_mod is ctrl+shift by default 
@@ -59,29 +58,18 @@ "kitty_mod+alt+p" = "move_tab_backward"; "kitty_mod+q" = "close_tab"; "kitty_mod+t" = "new_tab_with_cwd"; + "ctrl+f2" = "detach_tab"; # hints # > basically means the preceding key is a prefix (think tmux) "kitty_mod+o>o" = "open_url_with_hints"; - # `--program @` means copy to clipboard - "kitty_mod+o>u" = "kitten hints --type url --program @"; - "kitty_mod+o>p" = "kitten hints --type path --program @"; - "kitty_mod+o>n" = "kitten hints --type line --program @"; - "kitty_mod+o>w" = "kitten hints --type word --program @"; - "kitty_mod+o>h" = "kitten hints --type hash --program @"; + "kitty_mod+o>p" = "kitten hints --type path --program -"; + "kitty_mod+o>n" = "kitten hints --type line --program -"; + "kitty_mod+o>w" = "kitten hints --type word --program -"; + "kitty_mod+o>h" = "kitten hints --type hash --program -"; "kitty_mod+o>l" = "kitten hints --type linenum"; - - # scrolling - "kitty_mod+u" = "scroll_page_up"; - "kitty_mod+d" = "scroll_page_down"; - "kitty_mod+a" = "scroll_home"; - "kitty_mod+e" = "scroll_end"; - "kitty_mod+z" = "scroll_to_prompt -1"; # scroll to previous shell prompt - "kitty_mod+x" = "scroll_to_prompt 1"; # scroll to next shell prompt - "kitty_mod+y" = "show_scrollback"; # browse scrollback buffer in pager - "kitty_mod+g" = "show_last_command_output"; # browse output of last command in pager }; }; - programs.zsh.shellAliases."ssh" = "kitten ssh"; + # programs.zsh.shellAliases."ssh" = "kitten ssh"; # doesn't seem to work with bitwarden ssh agent :( } diff --git a/home/yt/ytnix.nix b/home/yt/ytnix.nix index db3dfb2..686a8a3 100644 --- a/home/yt/ytnix.nix +++ b/home/yt/ytnix.nix @@ -8,7 +8,7 @@ ./common.nix ../irssi.nix ../kitty.nix - # ../codium.nix + ../codium.nix ]; home = { username = "yt"; @@ -28,7 +28,10 @@ home.packages = with pkgs; lib.flatten [ + ungoogled-chromium + librewolf bitwarden-desktop + bitwarden-cli fastfetch (with kdePackages; [ gwenview 
@@ -38,58 +41,32 @@ signal-desktop btop jq + sqlite usbutils calibre tor-browser wtype bat rclone + go (rust-bin.selectLatestNightlyWith ( toolchain: toolchain.default.override { extensions = [ "rust-src" ]; - targets = [ "aarch64-unknown-linux-musl" ]; } )) + pwgen gnumake unzip anki-bin + trezorctl + q gdb fuzzel hugo + ghidra sccache awscli2 - p7zip - qbittorrent - android-tools - (python313.withPackages ( - p: with p; [ - python-lsp-server - pip - virtualenv - ] - )) - scrcpy - syncthing - (with llvmPackages; [ - clangUseLLVM - compiler-rt - libllvm - ]) - nix-output-monitor - cinny-desktop - minio-client - keepassxc - jujutsu - ffmpeg - typst - pavucontrol - - # reversing - radare2 - jadx - frida-tools - mitmproxy (cutter.withPlugins ( p: with p; [ rz-ghidra @@ -97,6 +74,35 @@ sigdb ] )) + p7zip + qbittorrent + android-tools + frida-tools + mitmproxy + (python313.withPackages ( + p: with p; [ + python-lsp-server + pip + virtualenv + ] + )) + jadx + scrcpy + syncthing + syncthingtray + (with llvmPackages; [ + clangUseLLVM + compiler-rt + libllvm + ]) + nix-output-monitor + wl-clipboard-rs + pixelflasher + cinny-desktop + freetube + gopls + rust-analyzer + minio-client ]; home.sessionVariables = { 
@@ -148,56 +154,10 @@ enable = true; viAlias = true; vimAlias = true; - extraPackages = with pkgs; [ - lua-language-server - nixd - rust-analyzer - fzf - fd - ripgrep - bat - delta - taplo - llvmPackages.clang-tools - pyright - tree-sitter - nodejs - nixfmt-rfc-style - ]; }; programs.ssh = { enable = true; addKeysToAgent = "yes"; }; - - programs.firefox.enable = true; - - programs.emacs = { - enable = true; - extraPackages = _: with pkgs; [ - rust-analyzer - nil - ispell - ]; - }; - - gtk = { - enable = true; - theme.package = pkgs.gnome-themes-extra; - theme.name = "Adwaita-dark"; - }; - - qt = { - enable = true; - platformTheme.name = "adwaita"; - style.name = "adwaita-dark"; - style.package = pkgs.adwaita-qt; - }; - - dconf.settings = { - "org/gnome/desktop/interface" = { - color-scheme = "prefer-dark"; - }; - }; } diff --git a/home/zsh/default.nix b/home/zsh/default.nix index 977de0b..e599f0d 100644 --- a/home/zsh/default.nix +++ b/home/zsh/default.nix @@ -37,6 +37,12 @@ searchDownKey = "^n"; }; + # prezto = { + # enable = true; + # caseSensitive = false; + # editor.keymap = "vi"; + # }; + initExtra = '' # disable control+s to pause terminal unsetopt FLOW_CONTROL @@ -79,11 +85,14 @@ shellAliases = { "vi" = "nvim"; "vim" = "nvim"; + "t" = "tmux"; + "tl" = "tmux list-sessions"; + "ta" = "tmux new-session -A -s"; "se" = "sudoedit"; "s" = "sudo"; - "nrs" = "sudo nixos-rebuild switch -L --flake ~/nixos-config"; - "nrt" = "sudo nixos-rebuild test -L --flake ~/nixos-config"; - "hrs" = "home-manager switch -L --flake ~/nixos-config"; + "nrs" = "sudo nixos-rebuild switch -L --flake . --log-format internal-json -v |& nom --json"; + "nrt" = "sudo nixos-rebuild test -L --flake . --log-format internal-json -v |& nom --json"; + "hrs" = "home-manager switch -L --flake ."; "g" = "git"; "ga" = "git add"; "gaa" = "git add --all"; 
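Review bot: The `nrs` and `nrt` aliases now pass `--flake .`, so `sudo nixos-rebuild switch` builds and activates whatever flake is in the current directory, as root. Typed inside some other checkout that exposes a configuration matching this hostname, the alias would activate that system instead of the intended one. I would keep an explicit path as the old side did, e.g. `"nrs" = "sudo nixos-rebuild switch -L --flake ~/nixos-config --log-format internal-json -v |& nom --json";`, and the same for `nrt` and `hrs`. The `shellAliases` set continues outside this hunk.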
@@ -91,6 +100,7 @@ "gc" = "git commit --verbose"; "gcmsg" = "git commit --message"; "gd" = "git diff"; + "gdca" = "git diff --cached"; "gds" = "git diff --staged"; "gl" = "git log --stat"; "glg" = "git log --graph"; @@ -103,11 +113,6 @@ "gs" = "git status --short"; "gss" = "git status"; "code" = "codium"; - "jl" = "jj log -n 10"; - "jll" = "jj log"; - "jd" = "jj diff"; - "jn" = "jj new"; - "jm" = "jj describe -m"; }; }; diff --git a/hosts/chunk/conduwuit.nix b/hosts/chunk/conduwuit.nix new file mode 100644 index 0000000..3a6638f --- /dev/null +++ b/hosts/chunk/conduwuit.nix @@ -0,0 +1,33 @@ +{ ... }: +{ + services.conduwuit = { + enable = true; + settings.global = { + port = [ 8448 ]; + server_name = "cything.io"; + allow_check_for_updates = true; + }; + }; + + services.caddy.virtualHosts."chat.cything.io".extraConfig = '' + import common + reverse_proxy localhost:8448 + ''; + + services.caddy.virtualHosts."cything.io" = { + serverAliases = [ "www.cything.io" ]; + extraConfig = '' + import common + + header /.well-known/matrix/* Content-Type application/json + header /.well-known/matrix/* Access-Control-Allow-Origin * + header /.well-known/matrix/* Access-Control-Allow-Methods GET,POST,PUT,DELETE,OPTIONS,PATCH,HEAD + header /.well-known/matrix/* Access-Control-Allow-Headers X-Requested-With,Content-Type,Authorization,Origin,Accept + route { + respond /.well-known/matrix/server {"m.server":"chat.cything.io:443"} + respond /.well-known/matrix/client {"m.server":{"base_url":"https://chat.cything.io"},"m.homeserver":{"base_url":"https://chat.cything.io"},"org.matrix.msc3575.proxy":{"url":"https://chat.cything.io"}} + redir https://cy7.sh/posts{uri} permanent + } + ''; + }; +} diff --git a/hosts/chunk/default.nix b/hosts/chunk/default.nix index eeb62c9..56bae51 100644 --- a/hosts/chunk/default.nix +++ b/hosts/chunk/default.nix @@ -1,5 +1,6 @@ { pkgs, + lib, ... }: { 
@@ -15,7 +16,9 @@ ./redlib.nix ./vaultwarden.nix ./grafana.nix + ./conduwuit.nix ./immich.nix + ./element.nix ./forgejo.nix ./garage.nix ./tailscale.nix @@ -44,14 +47,20 @@ "rsyncnet/id_ed25519" = { sopsFile = ../../secrets/zh5061/chunk.yaml; }; + "attic/env" = { + sopsFile = ../../secrets/services/attic.yaml; + }; "garage/env" = { sopsFile = ../../secrets/services/garage.yaml; }; "tailscale/auth" = { sopsFile = ../../secrets/services/tailscale.yaml; }; - "karakeep/env" = { - sopsFile = ../../secrets/services/karakeep.yaml; + "zipline/env" = { + sopsFile = ../../secrets/services/zipline.yaml; + }; + "searx/env" = { + sopsFile = ../../secrets/services/searx.yaml; }; }; @@ -69,10 +78,7 @@ networkmanager.enable = true; firewall = { enable = true; - trustedInterfaces = [ - "tailscale0" - "podman1" - ]; + trustedInterfaces = [ "tailscale0" ]; allowedTCPPorts = [ 22 80 @@ -81,6 +87,32 @@ allowedUDPPorts = [ 443 ]; + extraCommands = + let + ethtool = lib.getExe pkgs.ethtool; + tc = lib.getExe' pkgs.iproute2 "tc"; + in + '' + # disable TCP segmentation offload (https://wiki.archlinux.org/title/Advanced_traffic_control#Prerequisites) + ${ethtool} -K ens18 tso off + + # clear existing rules + ${tc} qdisc del dev ens18 root || true + + # create HTB hierarchy + ${tc} qdisc add dev ens18 root handle 1: htb default 10 + ${tc} class add dev ens18 parent 1: classid 1:1 htb rate 100% ceil 100% + # rest + ${tc} class add dev ens18 parent 1:1 classid 1:10 htb rate 60% ceil 100% + # caddy + ${tc} class add dev ens18 parent 1:1 classid 1:30 htb rate 40% ceil 100% + + # mark traffic + iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/caddy.service" -j MARK --set-mark 3 + + # route marked packets + ${tc} filter add dev ens18 parent 1: protocol ip prio 1 handle 3 fw flowid 1:30 + ''; }; interfaces.ens18 = { ipv6.addresses = [ 
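Review bot: In the `extraCommands` block of the firewall hunk, the `iptables -t mangle -A OUTPUT ... --set-mark 3` rule is appended each time the firewall script runs, and nothing removes it. The `tc` setup is reset by `qdisc del ... || true`, but the mangle rule has no matching cleanup, so reloads would likely stack duplicate rules. I would delete it first, e.g. `iptables -t mangle -D OUTPUT -m cgroup --path "system.slice/caddy.service" -j MARK --set-mark 3 || true` before the `-A` line, or put the delete in `extraStopCommands`. The mark and the `tc filter ... protocol ip` line are also IPv4-only while `ens18` has IPv6 addresses configured, so Caddy's IPv6 traffic falls into the default class; a comment saying whether that is intended would help.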
@@ -113,15 +145,13 @@ "podman" ]; openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfubDWr0kRm2o4DqaK6l1s4NCdTkljXZWKWCiF5nX+6" - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIA/IX9OFEhHS9Dl8nrtHkL7j7hhy7in9OAY/hVuzEGL0AAAABHNzaDo=" ]; }; users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfubDWr0kRm2o4DqaK6l1s4NCdTkljXZWKWCiF5nX+6" - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIA/IX9OFEhHS9Dl8nrtHkL7j7hhy7in9OAY/hVuzEGL0AAAABHNzaDo=" ]; # for forgejo users.users.git = { @@ -133,7 +163,6 @@ environment.systemPackages = with pkgs; [ vim - neovim wget curl tree @@ -158,11 +187,9 @@ programs.git.enable = true; my.caddy.enable = true; + + # container stuff my.containerization.enable = true; + my.authelia.enable = true; - my.karakeep = { - enable = false; - dataDir = "/opt/karakeep"; - }; - my.roundcube.enable = true; } diff --git a/hosts/chunk/element.nix b/hosts/chunk/element.nix new file mode 100644 index 0000000..5a12e1e --- /dev/null +++ b/hosts/chunk/element.nix 
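Review bot: After the `authorizedKeys` hunk both `yt` and `root` accept only the two file-based `ssh-ed25519` keys; the `sk-ssh-ed25519@openssh.com` entry, the only hardware-backed credential in either list, is no longer present. Root keeps direct key login with the same keys as the user account, and port 22 is in `allowedTCPPorts`, so a single copied private key gives root on this host. If direct root login is needed (for remote deploys, presumably), a comment such as `# root key login kept for <reason>` would document it. Otherwise I would leave root's list empty or keep a hardware-backed key for it.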
@@ -0,0 +1,33 @@ +{ + pkgs, + config, + ... +}: +{ + virtualisation.oci-containers.containers.element = { + image = "vectorim/element-web"; + autoStart = true; + ports = [ "127.0.0.1:8089:8089" ]; + pull = "newer"; + networks = [ "element-net" ]; + environment = { + ELEMENT_WEB_PORT = "8089"; + }; + }; + + systemd.services.create-element-net = { + serviceConfig.Type = "oneshot"; + wantedBy = with config.virtualisation.oci-containers; [ + "${backend}-element.service" + ]; + script = '' + ${pkgs.podman}/bin/podman network exists element-net || \ + ${pkgs.podman}/bin/podman network create element-net + ''; + }; + + services.caddy.virtualHosts."element.cy7.sh".extraConfig = '' + import common + reverse_proxy localhost:8089 + ''; +} diff --git a/hosts/chunk/garage.nix b/hosts/chunk/garage.nix index aef6578..982e1f4 100644 --- a/hosts/chunk/garage.nix +++ b/hosts/chunk/garage.nix @@ -17,7 +17,6 @@ }; admin.api_bind_addr = "[::]:3903"; rpc_bind_addr = "[::]:3901"; - rpc_public_addr = "100.122.132.30:3901"; replication_factor = 1; db_engine = "lmdb"; disable_scrub = true; @@ -25,7 +24,7 @@ compression_level = "none"; }; environmentFile = config.sops.secrets."garage/env".path; - logLevel = "info"; + logLevel = "warn"; }; services.caddy.virtualHosts = { diff --git a/hosts/chunk/grafana.nix b/hosts/chunk/grafana.nix index 33a77a0..f79a7ff 100644 --- a/hosts/chunk/grafana.nix +++ b/hosts/chunk/grafana.nix @@ -42,7 +42,6 @@ services.caddy.virtualHosts."grafana.cy7.sh".extraConfig = '' import common - import authelia reverse_proxy localhost:8088 ''; } diff --git a/hosts/chunk/hedgedoc.nix b/hosts/chunk/hedgedoc.nix index 1e7e497..62505f9 100644 --- a/hosts/chunk/hedgedoc.nix +++ b/hosts/chunk/hedgedoc.nix @@ -11,7 +11,7 @@ dialect = "postgresql"; }; port = 8085; - domain = "pad.cy7.sh"; + domain = "pad.cything.io"; allowEmailRegister = false; protocolUseSSL = true; }; diff --git a/hosts/chunk/postgres.nix b/hosts/chunk/postgres.nix index c4a6233..07a3125 100644 
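Review bot: `image = "vectorim/element-web"` in the new element.nix carries no registry, tag or digest, and with `pull = "newer"` the container picks up whatever the default tag points to on each start. That makes the served web client depend on a mutable upstream reference and on the host's short-name registry resolution. I would fully qualify and pin it, e.g. `image = "docker.io/vectorim/element-web:<release-tag>";` (placeholder tag), ideally with a digest, and bump it deliberately. The loopback-only port binding `127.0.0.1:8089:8089` is good and worth a one-line comment, `# reachable only through the caddy vhost below`.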
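Review bot: The `grafana.cy7.sh` vhost no longer has `import authelia`, so on the new side requests reach Grafana on `localhost:8088` without the `forward_auth` check defined in modules/caddy.nix. The `mail.cy7.sh` vhost in the modules/roundcube.nix hunk loses the same line, while `my.authelia.enable = true` is switched on in hosts/chunk/default.nix. Unless each application's own login is meant to be the only gate, I would keep `import authelia` in both vhosts. If the removal is deliberate, a comment like `# auth handled by grafana itself (OIDC/local login)` states the decision. The rest of grafana.nix is outside this hunk, so its own auth settings are not visible here.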
--- a/hosts/chunk/postgres.nix +++ b/hosts/chunk/postgres.nix @@ -19,5 +19,8 @@ } ]; }; - services.postgresqlBackup.enable = true; + services.postgresqlBackup = { + enable = true; + startAt = "hourly"; + }; } diff --git a/hosts/chunk/rclone.nix b/hosts/chunk/rclone.nix index 7ab5e2e..c592fbb 100644 --- a/hosts/chunk/rclone.nix +++ b/hosts/chunk/rclone.nix @@ -14,22 +14,21 @@ let --config ${config.sops.secrets."rclone/config".path} \ --allow-other \ --cache-dir /var/cache/rclone \ - --transfers 16 \ - --vfs-cache-mode writes \ + --transfers 32 \ + --vfs-cache-mode full \ --vfs-cache-min-free-space 5G \ --dir-cache-time 30d \ + --no-checksum \ --no-modtime \ --vfs-fast-fingerprint \ - --vfs-read-chunk-size 128M \ - --vfs-read-chunk-streams 0 \ + --vfs-read-chunk-size 16M \ + --vfs-read-chunk-streams 16 \ --sftp-concurrency 64 \ --sftp-chunk-size 255k \ --buffer-size 0 \ - --write-back-cache \ ${remote} ${mount} ''; ExecStop = "${lib.getExe' pkgs.fuse "fusermount"} -zu ${mount}"; - Restart = "on-failure"; }; in { diff --git a/hosts/common.nix b/hosts/common.nix index c125822..77e0edb 100644 --- a/hosts/common.nix +++ b/hosts/common.nix @@ -1,7 +1,6 @@ -{ inputs, config, pkgs, ... }: +{ inputs, config, ... }: { nix = { - package = pkgs.lix; settings = { experimental-features = "nix-command flakes"; auto-optimise-store = true; @@ -39,7 +38,7 @@ i18n.defaultLocale = "en_US.UTF-8"; time.timeZone = "America/New_York"; networking = { - firewall.logRefusedConnections = true; + firewall.logRefusedConnections = false; nameservers = [ # quad9 (unfiltered) "2620:fe::10" @@ -56,7 +55,6 @@ "nts.teambelgium.net" "c.st1.ntp.br" ]; - nftables.enable = true; }; services.chrony = { enable = true; diff --git a/hosts/ytnix/default.nix b/hosts/ytnix/default.nix index 763c51e..ed91b61 100644 --- a/hosts/ytnix/default.nix +++ b/hosts/ytnix/default.nix 
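Review bot: The rclone mount in hosts/chunk/rclone.nix now passes `--no-checksum` together with `--vfs-cache-mode full`, and `Restart = "on-failure"` is dropped from the unit. Transfers through this mount are then no longer checksum-verified, and a crashed mount stays down until someone notices. If the data behind `${mount}` is anything that gets backed up or served, I would remove `--no-checksum` or add a comment such as `# integrity is checked by <other mechanism>`, and keep `Restart = "on-failure";`. The service definition starts outside this hunk.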
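Review bot: `firewall.logRefusedConnections = false` in hosts/common.nix applies to every host that imports this file, including the internet-facing one. The journal then has no record of refused inbound connections, which removes a cheap signal for spotting scans or a misbehaving internal client. If the goal is only to cut log noise on the public host, I would leave the shared value alone and override it per host, or add `# disabled to reduce journal noise; no alerting depends on these entries`. The same file also drops `nftables.enable = true`, which matches the new `iptables` call in hosts/chunk/default.nix but is worth stating in a comment.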
@@ -44,11 +44,10 @@ efi.canTouchEfiVariables = true; }; tmp.cleanOnBoot = true; - kernelPackages = pkgs.linuxPackages_6_14; + kernelPackages = pkgs.linuxKernel.packages.linux_zen; extraModulePackages = with config.boot.kernelPackages; [ rtl8821ce ]; - kernelModules = [ "8821ce" ]; kernelParams = [ # see https://github.com/tomaspinho/rtl8821ce#pcie-active-state-power-management "pcie_aspm=off" @@ -61,10 +60,7 @@ enable = true; pkiBundle = "/var/lib/sbctl"; }; - kernel.sysctl = { - "kernel.sysrq" = 1; - # "net.ipv4.ip_forward" = 1; - }; + kernel.sysctl."kernel.sysrq" = 1; binfmt.emulatedSystems = [ "aarch64-linux" ]; }; @@ -91,12 +87,12 @@ resolvconf.enable = true; firewall = { enable = true; - trustedInterfaces = [ - "tailscale0" - ]; - extraInputRules = '' - ip saddr 192.168.100.0/24 tcp dport 9234 accept - ''; + trustedInterfaces = [ "tailscale0" ]; + # allowedTCPPorts = [ + # 8080 # mitmproxy + # 22000 # syncthing + # 3003 # immich-ml + # ]; }; hosts = { "100.122.132.30" = [ "s3.cy7.sh" ]; @@ -109,10 +105,8 @@ pulse.enable = true; alsa.enable = true; alsa.support32Bit = true; - wireplumber.extraConfig."10-bluetooth-enhancements" = { - "wireplumber.settings" = { - "bluetooth.autoswitch-to-headset-profile" = false; - }; + wireplumber.extraConfig.bluetoothEnhancements = { + # https://julian.pages.freedesktop.org/wireplumber/daemon/configuration/bluetooth.html#bluetooth-configuration "monitor.bluez.properties" = { "bluez5.enable-sbc-xq" = true; "bluez5.enable-msbc" = true; 
@@ -120,27 +114,27 @@ "bluez5.roles" = [ "a2dp_sink" "a2dp_source" + "hsp_hs" + "hsp_ag" "hfp_hf" "hfp_ag" ]; }; }; # https://wiki.archlinux.org/title/Bluetooth_headset#Connecting_works,_sound_plays_fine_until_headphones_become_idle,_then_stutters - wireplumber.extraConfig."11-disable-suspend" = { - "monitor.bluez.rules" = [ - { - matches = [ - { - "device.name" = "bluez_card.*"; - } - ]; - actions = { - update-props = { - "session.suspend-timeout-seconds" = 0; - }; - }; - } - ]; + wireplumber.extraConfig.disableSuspend = { + "monitor.bluez.rules" = { + matches = [ + { + "node.name" = "bluez_output.*"; + } + ]; + }; + actions = { + update-props = { + "session.suspend-timeout-seconds" = 0; + }; + }; }; }; @@ -210,7 +204,7 @@ services.displayManager = { enable = true; autoLogin.user = "yt"; - defaultSession = "sway"; + defaultSession = "plasma"; sddm = { enable = true; wayland.enable = true; @@ -219,14 +213,10 @@ }; fonts = { - packages = - (with pkgs; [ - ibm-plex - ]) - ++ (with pkgs.nerd-fonts; [ - roboto-mono - jetbrains-mono - ]); + packages = with pkgs; [ + nerd-fonts.roboto-mono + ibm-plex + ]; enableDefaultPackages = true; }; @@ -248,7 +238,6 @@ "/home/yt/Games" "/home/yt/Videos" "/home/yt/.bitmonero" - "/home/yt/vms" ]; repo = "yt"; passFile = config.sops.secrets."borg/rsyncnet".path; @@ -277,10 +266,6 @@ enable = true; qemu.vhostUserPackages = with pkgs; [ virtiofsd ]; }; - # virtualisation.vmware.host = { - # enable = true; - # package = pkgs.vmware-workstation; - # }; programs.virt-manager.enable = true; my.containerization.enable = true; @@ -289,6 +274,7 @@ enable = true; # nix run github:thiagokokada/nix-alien#nix-alien-find-libs ./ libraries = with pkgs; [ + # TODO: revisit what we actually need mesa extest stdenv.cc.cc @@ -331,7 +317,6 @@ xorg.libxshmfence xorg.libXxf86vm xorg.libSM - xorg.libICE gtk3 pango gdk-pixbuf @@ -345,7 +330,6 @@ pcre2 gsettings-desktop-schemas fzf - systemd ]; }; programs.evolution.enable = true; 
@@ -376,6 +360,12 @@ ]; }; + services.ollama.enable = false; + + services.trezord.enable = true; + + programs.niri.enable = false; + programs.niri.package = pkgs.niri-unstable; programs.xwayland.enable = true; services.udev.extraHwdb = '' @@ -400,32 +390,7 @@ programs.ccache.enable = true; nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ]; programs.fuse.userAllowOther = true; - nix.settings.sandbox = true; + nix.settings.sandbox = false; programs.ssh.startAgent = true; - - programs.sway = { - enable = true; - wrapperFeatures.gtk = true; - extraPackages = with pkgs; [ - rofi-wayland - cliphist - rofimoji - grim - slurp - swaylock - swayidle - brightnessctl - waybar - wl-clipboard - ]; - }; - - programs.ghidra = { - enable = true; - package = pkgs.ghidra.withExtensions (p: with p; [ - findcrypt - ret-sync - ]); - }; } diff --git a/hosts/ytnix/hardware-configuration.nix b/hosts/ytnix/hardware-configuration.nix index cd1c283..c98a8c5 100644 --- a/hosts/ytnix/hardware-configuration.nix +++ b/hosts/ytnix/hardware-configuration.nix @@ -82,5 +82,5 @@ # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault true; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; } diff --git a/modules/authelia.nix b/modules/authelia.nix index 915be02..afd8b52 100644 --- a/modules/authelia.nix +++ b/modules/authelia.nix 
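Review bot: `nix.settings.sandbox = false` in hosts/ytnix/default.nix turns off build isolation, so every derivation built on this machine runs with network access and sees the host filesystem. That matters here because the flake pulls several third-party inputs and extra substituters, and sandboxing is what keeps a build script from reading files outside its declared inputs. It also makes the context line `nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ];` meaningless, since that option only has an effect with the sandbox on. I would keep `nix.settings.sandbox = true;`. If one package really needs it off, use `"relaxed"` and mark that derivation, with a comment naming the package.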
@@ -49,14 +49,9 @@ in webauthn = { enable_passkey_login = true; }; - identity_providers.oidc.claims_policies = { - # https://github.com/karakeep-app/karakeep/issues/410 - # https://www.authelia.com/integration/openid-connect/openid-connect-1.0-claims/#restore-functionality-prior-to-claims-parameter - karakeep.id_token = [ "email" ]; - }; identity_providers.oidc.clients = [ { - client_id = "4EIrpRb9rnwHWjYWvlz2gYrtTmoOLF1D5gqXw28BvmOS0f-9T2p4CFwuctf4Co1hkpo2sd4Y"; + client_id = "immich"; client_name = "immich"; client_secret = "$argon2id$v=19$m=65536,t=3,p=4$Vny2G8EbSPafSwnIuq2Zkg$eF2om4WDEaqCFmrAG27h2mYl+cXxXyttPJ7gaPLs+f8"; public = false; @@ -68,10 +63,9 @@ in ]; scopes = [ "openid" "profile" "email" ]; userinfo_signed_response_alg = "none"; - token_endpoint_auth_method = "client_secret_basic"; } { - client_id = "_kuUEYxyfXjInJCniwugpw2Qn6iI-YW24NOkHZG~63BAhnAACDZ.xsLqOdGghj2DNZxXR0sU"; + client_id = "forgejo"; client_name = "Forgejo"; client_secret = "$argon2id$v=19$m=65536,t=3,p=4$O2O5r/7A8hc4EMvernQ4Dw$YOVqtwY3jv0HlcxmviPq2CRnD7Dw85V9KDtTSUQE7bA"; public = false; 
@@ -83,34 +77,6 @@ in userinfo_signed_response_alg = "none"; token_endpoint_auth_method = "client_secret_basic"; } - { - client_id = "b_ITCG0uNzy9lZ5nVC~Ny5R35te8I3hoQW1uraCbdxeiE9VuiCIelMmZZ7dAZLg_anTUWSQG"; - client_name = "HedgeDoc"; - client_secret = "$argon2id$v=19$m=65536,t=3,p=4$MFSXW3gjIZf0M3e8s8RJCg$6KWwksJe2vdUebPEdYc0Zy88fzGcHPrbStcqkiXl+Hg"; - public = false; - authorization_policy = "two_factor"; - redirect_uris = [ - "https://pad.cy7.sh/auth/oauth2/callback" - ]; - scopes = [ "openid" "profile" "email" ]; - userinfo_signed_response_alg = "none"; - grant_types = [ "refresh_token" "authorization_code" ]; - response_types = [ "code" ]; - response_modes = [ "form_post" "query" "fragment" ]; - audience = []; - token_endpoint_auth_method = "client_secret_post"; - } - { - client_id = "0SbsGvw5APYJ4px~dv38rCVgXtK2XWrF1QvyuaFz48cgsNm-rAXkSgNOctfxS21IWOFSfsm5"; - client_name = "Karakeep"; - client_secret = "$pbkdf2-sha512$310000$4UanDZq.6oholJW3CmKwtQ$9e3hqR8qGU4LoneR/Y9jtJTx0iSzATI4iXymrs8QrmGw4JY1BPF4.IJ9Jbc.8cikU4qpfUIFO6r2dG7JHznCnw"; - public = false; - authorization_policy = "two_factor"; - redirect_uris = [ "https://keep.cy7.sh/api/auth/callback/custom" ]; - scopes = [ "openid" "profile" "email" ]; - userinfo_signed_response_alg = "none"; - claims_policy = "karakeep"; - } ]; }; secrets = { @@ -135,4 +101,4 @@ in reverse_proxy localhost:9091 ''; }; -} +} \ No newline at end of file diff --git a/modules/backup.nix b/modules/backup.nix index b9d43c1..2715deb 100644 --- a/modules/backup.nix +++ b/modules/backup.nix @@ -21,7 +21,7 @@ let "/var/lib/docker" "/var/lib/containers" # podman "/var/lib/systemd" - "/var/lib/libvirt/images" + "/var/lib/libvirt" "**/.rustup" "**/.cargo" "**/.docker" @@ -47,7 +47,7 @@ in }; startAt = lib.mkOption { type = lib.types.str; - default = "daily"; + default = "hourly"; description = "see systemd.timer(5)"; }; jobName = lib.mkOption { 
@@ -98,9 +98,8 @@ in failOnWarnings = false; prune.keep = { - daily = 7; - weekly = 12; - monthly = -1; + within = "2d"; + daily = 365; }; extraPruneArgs = [ "--stats" ]; }; diff --git a/modules/caddy.nix b/modules/caddy.nix index f6904a8..0eb2cb7 100644 --- a/modules/caddy.nix +++ b/modules/caddy.nix @@ -19,9 +19,9 @@ in plugins = [ # error message will tell you the correct version tag to use # (still need the @ to pass nix config check) - "github.com/caddy-dns/cloudflare@v0.2.2-0.20250420134112-006ebb07b349" + "github.com/caddy-dns/cloudflare@v0.0.0-20250228175314-1fb64108d4de" ]; - hash = "sha256-2U+icm4GtI5Fww6U8nKzQ/+pPf63T3scTGuj1zjj4b4="; + hash = "sha256-YYpsf8HMONR1teMiSymo2y+HrKoxuJMKIea5/NEykGc="; }; logFormat = lib.mkForce "level INFO"; acmeCA = "https://acme-v02.api.letsencrypt.org/directory"; @@ -37,9 +37,9 @@ in (authelia) { forward_auth localhost:9091 { - uri /api/authz/forward-auth - copy_headers Remote-User Remote-Groups Remote-Name Remote-Email - } + uri /api/authz/forward-auth + copy_headers Remote-User Remote-Groups Remote-Name Remote-Email + } } ''; environmentFile = config.sops.secrets."caddy/env".path; @@ -49,8 +49,7 @@ in respond / 200 { body "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfubDWr0kRm2o4DqaK6l1s4NCdTkljXZWKWCiF5nX+6 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPhUt9h5dCcrwOrZNKkStCX5OxumPzEwYXSU/0DgtWgP - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyn2+OoRN4nExti+vFQ1NHEZip0slAoCH9C5/FzvgZD - sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIA/IX9OFEhHS9Dl8nrtHkL7j7hhy7in9OAY/hVuzEGL0AAAABHNzaDo=" + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyn2+OoRN4nExti+vFQ1NHEZip0slAoCH9C5/FzvgZD" } ''; }; diff --git a/modules/containerization.nix b/modules/containerization.nix index 2bcc8dd..fd39da9 100644 --- a/modules/containerization.nix +++ b/modules/containerization.nix 
@@ -30,10 +30,6 @@ in }; # answer on /var/run/docker.sock dockerSocket.enable = true; - autoPrune = { - enable = true; - dates = "daily"; - }; }; docker.enable = lib.mkIf (!cfg.usePodman) true; oci-containers.backend = lib.mkIf (!cfg.usePodman) "docker"; diff --git a/modules/default.nix b/modules/default.nix index 0d4638f..db7bfa4 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -10,6 +10,5 @@ ./searx.nix ./attic.nix ./authelia.nix - ./karakeep.nix ]; } diff --git a/modules/karakeep.nix b/modules/karakeep.nix deleted file mode 100644 index 3e75f74..0000000 --- a/modules/karakeep.nix +++ /dev/null 
@@ -1,81 +0,0 @@ -{ config, lib, ... }: -let - cfg = config.my.karakeep; -in -{ - options.my.karakeep = { - enable = lib.mkEnableOption "karakeep"; - dataDir = lib.mkOption { - type = lib.types.path; - }; - port = lib.mkOption { - default = 3002; - description = "port for the web service"; - type = lib.types.port; - }; - domain = lib.mkOption { - default = "keep.cy7.sh"; - type = lib.types.str; - }; - environmentFile = lib.mkOption { - default = config.sops.secrets."karakeep/env".path; - type = lib.types.path; - }; - }; - - config = lib.mkIf cfg.enable { - virtualisation.oci-containers.containers = { - karakeep-web = { - image = "ghcr.io/karakeep-app/karakeep:release"; - pull = "newer"; - volumes = [ "${cfg.dataDir}:/data" ]; - ports = [ "${toString cfg.port}:3000"]; - dependsOn = [ - "karakeep-chrome" - "karakeep-meilisearch" - ]; - environment = { - MEILI_ADDR = "http://karakeep-meilisearch:7700"; - BROWSER_WEB_URL = "http://karakeep-chrome:9222"; - DATA_DIR = "/data"; - NEXTAUTH_URL = "https://${cfg.domain}"; - DISABLE_PASSWORD_AUTH = "true"; - OAUTH_WELLKNOWN_URL = "https://auth.cy7.sh/.well-known/openid-configuration"; - OAUTH_CLIENT_ID = "0SbsGvw5APYJ4px~dv38rCVgXtK2XWrF1QvyuaFz48cgsNm-rAXkSgNOctfxS21IWOFSfsm5"; - OAUTH_PROVIDER_NAME = "Authelia"; - OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING = "true"; - }; - # needs NEXTAUTH_SECRET - environmentFiles = [ "${cfg.environmentFile}" ]; - }; - - karakeep-chrome = { - image = "ghcr.io/zenika/alpine-chrome:latest"; - pull = "newer"; - cmd = [ - "--no-sandbox" - "--disable-gpu" - "--disable-dev-shm-usage" - "--remote-debugging-address=0.0.0.0" - "--remote-debugging-port=9222" - "--hide-scrollbars" - ]; - }; - - karakeep-meilisearch = { - image = "getmeili/meilisearch:latest"; - volumes = [ "meilisearch:/meili_data" ]; - environment = { - MEILI_NO_ANALYTICS = "true"; - }; - # needs MEILI_MASTER_KEY - environmentFiles = [ "${cfg.environmentFile}" ]; - }; - }; - - services.caddy.virtualHosts.${cfg.domain}.extraConfig = 
'' - import common - reverse_proxy localhost:${toString cfg.port} - ''; - }; -} \ No newline at end of file diff --git a/modules/roundcube.nix b/modules/roundcube.nix index 7dcfb9d..63b14c5 100644 --- a/modules/roundcube.nix +++ b/modules/roundcube.nix @@ -31,7 +31,6 @@ in "contextmenu" "custom_from" "thunderbird_labels" - "managesieve" ]; dicts = with pkgs.aspellDicts; [ en ]; extraConfig = '' @@ -39,8 +38,6 @@ in $config['smtp_host'] = "ssl://smtp.migadu.com:465"; $config['smtp_user'] = "%u"; $config['smtp_pass'] = "%p"; - $config['managesieve_host'] = "tls://imap.migadu.com"; - $config['managesieve_port'] = 4190; ''; }; @@ -51,7 +48,6 @@ in services.caddy.virtualHosts."mail.cy7.sh".extraConfig = '' import common - import authelia root ${roundcube.package} php_fastcgi unix/${fpm.socket} file_server diff --git a/overlay/default.nix b/overlay/default.nix index 67d855e..9e6336c 100644 --- a/overlay/default.nix +++ b/overlay/default.nix @@ -7,12 +7,14 @@ pkgFrom = flake: pkg: flake.packages.${prev.system}.${pkg}; in { + conduwuit = pkgFrom inputs.conduwuit "default"; + attic-server = pkgFrom inputs.attic "attic-server"; + attic = pkgFrom inputs.attic "attic"; garage = ( (pkgFrom inputs.garage "default").overrideAttrs { meta.mainProgram = "garage"; } ); - nil = pkgFrom inputs.nil "default"; } ) ] diff --git a/secrets/services/hedgedoc.yaml b/secrets/services/hedgedoc.yaml index 0c693dc..84ef3d6 100644 --- a/secrets/services/hedgedoc.yaml +++ b/secrets/services/hedgedoc.yaml 
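Review bot: The overlay/default.nix hunk adds `attic-server = pkgFrom inputs.attic "attic-server";` and `attic = pkgFrom inputs.attic "attic";`, but the `root` node in the flake.lock hunk of this same diff lists no `attic` input. As far as the visible lines show, evaluating either attribute would fail on a missing `inputs.attic`, and modules/default.nix still imports `./attic.nix`. Either add the input to flake.nix with `inputs.nixpkgs.follows` so it is locked like the others, or drop the two overlay lines. Removing the `nil` overlay line while `nil.url` stays in flake.nix also leaves an input that is locked but unused, which is one more upstream to keep track of for no benefit.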
@@ -1,6 +1,10 @@
 hedgedoc:
- env: ENC[AES256_GCM,data:9xnOlQrk1qCyiAHSjmu8dvj2/z/BrJlngNGAQnMwvLsL0pnyvvyJLnYWTDYix1a9o8OJUNLw6Qhq7KbY4uXfxsNZkfGdVHwvkvhySjR2rcX/r90txqHJUUIxE/TzdsBvonzQ0F85KfXhsi69gKHp016gCj+jNf6CCY+tOVpt71el4Z+jzqLHasuQET8GctKJRzHOfNfCx/X2kJeb7RQl3JFC6/VmYT45bUk7uFfveFD9ao03wJwLKi27wO1WDrfpOigFdvkmqpbWZjaILYHYmkdhdlhr7w330CiCmGHT/ssmSPcu5cYUc8tjYPgpYLjusiUzpE5jmut5GaNwZsY9hNuow/mUVnQ/tCDH0ChOq0DQisJ07VMYlRII9tMdcuT4IbjjwiRcYlORAHsTFUuo5DCaDp8a4mx846BGp1YMQsvqJQgOe4x15VMpeB/ptxm79qxcLZKZ3BkiJaKmDdWsVk9RfqVgsxqiq16Me2EQhknO2s/oBjGOaoIiT4NEuRFQl0BIPgIMD0lYzKx0uDaYyclID5W0DqMI+SrcBd+WH/BB9HPdZx92rFe34PzjZse0i6+5UZHXUu8au6CyLMqGkUlzkSFwVT5W7Lv2m9P3+6YjgPRMaYbg8b6kmavB6EtjiqWtTbMKr3nxPVYJc5FRImvebfFqiLy5MWoNV6Qe7TUGIk6QtX2OWBhQ1UB+IpR+180QH7yw7UpgJ9EM8dD2m2/smar5P0BjAaqAFib++GzoB0OfFtxJNUjrejQC11tRWBXYvcHWwa78VbKPul0xqiEMmsAZufMix4lD1EgutTf1CXfv7l0rUpLwkYbWIq2hT5UI53L0YWJDl7zlhi94ANdXV8z8kCvMeXm2Fwl/vIgJ9JuFeVeVYPpXwx2coLBwE6uI4SuFvY1d4ojvzY8KftcHWO7srVzpuwrwW+6gKLwPQyEazv+sRKXAGo0ffMO2/2KRgOu9zGwaOFaNDAZ6gYFDWbPz6TMfNWHzfLEFK5BlVAL8KDb78IODUBYcMr2CX1Y=,iv:LDkuJgxIbohEVf7wmdtOZ/vlPddMYa7uzHGkL+0MnUM=,tag:pnJiCJydjTmUbS761fPUPw==,type:str]
+ env: ENC[AES256_GCM,data:15rWiIYWyIJ0Hxl5I8m+EBV+FkNDT/OHlLK9shVS46UE7SQtuIh45N5hvwgs0rg9E9Tawu+lyE2aozWNh6HSDUZ1h4FYrB+JHwIetGkOqXSLHfXi,iv:v9ohLTtlxw3fsRoJJoOY5VYxVsxUyDEsQHRjcGKg/GY=,tag:Wncm1reqNblnVhRTYjU3Pg==,type:str]
 sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
 age:
 - recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn
 enc: |
@@ -20,7 +24,8 @@ sops:
 enlDZEI2NElkZkI3UmRyQUZqQWE5ZmcK2JlwNzVJNhGjyniIg9UY5tjgUKttkT3e
 9C/xag3dQCiqzX1O3o5tdhYnxXw+VxVf+qTFyyuftg5iQPZNuvX6mA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-04-05T21:08:15Z"
- mac: ENC[AES256_GCM,data:cPisYUoZWd/vd+wWzz3xTnftj1RdjK20dWFo+MKssm/eu7eCOWDIaZdcJg13gkTleBpMWQy/mG1drC6GLfGQiBmkS99UCPAoo0aLTBL4FbSm6FEXdbVjoOI7URu6Sj31drWCMAm+lXYymWsHwZJrNLhjsCTQsxTPvFq8oOdNlXo=,iv:KpmJoZ/BGEEhZ75jXfXxegNglm7k6mtleRuVud6tX2g=,tag:lsiqX+YSz4mGK6mw9gdKNg==,type:str]
+ lastmodified: "2024-12-17T03:25:54Z"
+ mac: ENC[AES256_GCM,data:1cxiK/HhqYzatT2PhZxjvtizII2QMHqbbyOujUtx4cT8x488j2wecu6hOfSkuHbQ43AxA8kDH1NAruPCSdCpj3PytMR+np+R/5WuRcK+OF/FCnWvWvvHqgDnBs/wYjllnR6HyWBlhrROpINxu9ch4fzN0Def3I7O+wJgpojnPiU=,iv:PKPykPv9zSHj9+HXnrg1v8Ty78te66D9ZH6c1V7Qlh4=,tag:JQk68u6p317r3Df+hv16+g==,type:str]
+ pgp: []
 unencrypted_suffix: _unencrypted
- version: 3.10.1
+ version: 3.9.2
diff --git a/secrets/services/karakeep.yaml b/secrets/services/karakeep.yaml
deleted file mode 100644
index cc09262..0000000
--- a/secrets/services/karakeep.yaml
+++ /dev/null
@@ -1,35 +0,0 @@ -karakeep: - env: ENC[AES256_GCM,data:SWc26EQaKR5d9hMDYzVHA/r7XfjwFZ0d44Co0IS6OayR24ej7yqLAtkNttROKoKFuYc0sHgN9bOy4MyX0s3qiSWYovIIUJgFiJjPQFYDAo+50WR4+5W5FgvYI6e42fcWrQhaCXWQrDyzch/zT2OITZsjXcQhT5E+IiPLVkaGOjGptE07GjM7ZXI4UxBzINFQOhxdfIO0km1o6Wq8GhJdWsz4exz4ahRslR+WjK/flV2GZVAj6EHSJ5sHohm74QlhxaShEbc/8IKP6R2gSjBFP7l8VvwFyIUD9sLzYGvS3iU=,iv:gSPQU0bZ+VRFbuaNDc90dW0ogWX2SMH7kewtq/u/11E=,tag:L0Y4EWSQUhcn2eHt+yZ7qQ==,type:str] -sops: - age: - - recipient: age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIaWQ1Q1JwRHJxQjNjdTAx - TXRsWjVZOG1mNEptNVhscHBaK2I5MHhjdlFjCkNqOEhwT3hyOHpHQ2k0ZmowUXB4 - eks2dlpUS0V6VjBEYW9UWnhFOEw4VGsKLS0tIFo2a0FTRE5WdHBGVW5DOUFkaE9p - bitvUnJXSnB6UnV3VTEzSjlSYmEwVUEKHOwFCRu+SIyM0uJ6bNEAo+MMlsc8la6G - bLYdCoykcBu+uVXqn3BYTbrS5ylQMRYcbcPFJw5BVdmjIYF4LU5W6A== - -----END AGE ENCRYPTED FILE----- - - recipient: age10h6pg5qdpc4t0rpmksfv788a57f04n83zgqaezkjjn65nkhv547s0vxfdn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrU2ZnNVAyeVdJeHlTSW1x - QUhKRzlNclVUWE1ucHFLZW5sL1lnUDhkd0Y4CjFuekNEOE1icDNqL1JyT0hEYW16 - Q2VyajJFWWtGUnBzOENGOEZHbWROZzAKLS0tIE8wMVc3TkV5Y1VyenIvOW02NDNq - cStTeUcvY1pJWEN2MzFEeThKT0JPc1EKXrtVG49a6YZVKiL1F8Xg3t3niTYv3LwN - NeAQ8srV0F6ckky7OCkvUp9GInZCWRzULXV/x+4IUb6C+KQaNm2vYA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdDdUSUlmMk5VcytyT01N - UmRaK2k5Wkh5SlhPT3QrczY2eW9vZk5KWFZBCnBteitnNFlHdWRaaTRxSWYvYmtG - ZnY5ZXlYa3Z5aENlRy9BQjVSU1F3UzQKLS0tIFpjN1dOaWNKaU9PaENyaXc1K3BU - K2orZ0Y2Z05LSUZ5WHQ4TnVVY0QwSzQKiUQT4aSxXnaq0kEMp+q5WnIUoGypEmZ+ - DQEhkB9yu/BrkjXH+HGQr1W5B4sJyb5rnl0+SQ+IypRIRyaX4CdFxg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-04-05T19:44:58Z" - mac: 
ENC[AES256_GCM,data:OmqsJI9BaICOTiH1cq4gZlNBbkAxn/pAOWBtkIjHdqpikABLG6fMY+sLpyeaovXjexIj9MZk7fPmV8dRZ5VNLHCqlYXK/cVoQBZ2HK+p/cGTAFelNAShu9NSgZdFmVgJJtOjVvFp8dtuY8VcQj861k/MPX0mNZt9pmXYdumjpNM=,iv:efHkp1KUctwtCjG9A8i5qs7nQfQqv2ya1yYlHHOt8pU=,tag:4lChpspl0oOUMiXzvGuA2Q==,type:str] - unencrypted_suffix: _unencrypted - version: 3.10.1