From 2f7429a2c8f9752f92ed1456a3b0cd54236578c3 Mon Sep 17 00:00:00 2001 From: cy Date: Sat, 8 Mar 2025 20:39:17 -0500 Subject: [PATCH 1/5] searx: use limiter --- modules/searx.nix | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/modules/searx.nix b/modules/searx.nix index 3eb178a..9e23955 100644 --- a/modules/searx.nix +++ b/modules/searx.nix @@ -5,7 +5,6 @@ }: let cfg = config.my.searx; - sockPath = "/run/searx/searx.sock"; in { options.my.searx = { @@ -25,6 +24,19 @@ in server.secret_key = "@SEARX_SECRET_KEY@"; }; environmentFile = config.sops.secrets."searx/env".path; + redisCreateLocally = true; # required for limiter + limiterSettings = { + real_ip = { + x_for = 1; + ipv4_prefix = 32; + ipv6_prefix = 56; + }; + botdetection.ip_lists.pass_ip = [ + "100.121.152.86" + "100.66.32.54" + ]; + link_token = true; + }; }; services.caddy.virtualHosts."x.cy7.sh".extraConfig = '' From 59de12e8920926e689822270a60cb6de835ebdb1 Mon Sep 17 00:00:00 2001 From: cy Date: Sat, 8 Mar 2025 17:50:21 -0500 Subject: [PATCH 2/5] flake update Signed-off-by: cy --- flake.lock | 68 +++++++++++++++++++++++++++--------------------------- 1 file changed, 34 insertions(+), 34 deletions(-) diff --git a/flake.lock b/flake.lock index 87450d3..8916bfc 100644 --- a/flake.lock +++ b/flake.lock @@ -157,11 +157,11 @@ }, "crane_2": { "locked": { - "lastModified": 1741021986, - "narHash": "sha256-VX8M6arxQU05mipDmLjk0TJVRNzu+VQx3w1gVmyPkO4=", + "lastModified": 1741396358, + "narHash": "sha256-js4c6tqxluo4Fysn8gloLnlZ6ZjQkuWMgGjHN8+WssE=", "owner": "ipetkov", "repo": "crane", - "rev": "5245473d6638a96da540e44372da96eebb97735a", + "rev": "aaebfb7ce7e13c691aea178aff7621906f466662", "type": "github" }, "original": { 
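Review bot: `real_ip.x_for = 1` in the added `limiterSettings` tells the limiter to take the client address from the last X-Forwarded-For hop, which is only correct if the Caddy vhost named on the hunk's last context line is the sole path to searx and it rewrites the header rather than forwarding a client-supplied one; if searx can also be reached directly (the `sockPath` binding removed in the first hunk hints at a bind change I cannot see), a request could present its own address and match `pass_ip`. The two `pass_ip` entries are bare literals, so a comment such as `# tailnet peers exempt from bot detection` next to the list would tell the next reader what they are, and a short note that the `ipv6_prefix = 56` versus `ipv4_prefix = 32` asymmetry is intentional would help too. The enclosing `services.searx` attribute set starts outside the hunk.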
@@ -327,11 +327,11 @@ ] }, "locked": { - "lastModified": 1740872218, - "narHash": "sha256-ZaMw0pdoUKigLpv9HiNDH2Pjnosg7NBYMJlHTIsHEUo=", + "lastModified": 1741352980, + "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "3876f6b87db82f33775b1ef5ea343986105db764", + "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9", "type": "github" }, "original": { @@ -472,11 +472,11 @@ ] }, "locked": { - "lastModified": 1741056285, - "narHash": "sha256-/JKDMVqq8PIqcGonBVKbKq1SooV3kzGmv+cp3rKAgPA=", + "lastModified": 1741461731, + "narHash": "sha256-BBQfGvO3GWOV+5tmqH14gNcZrRaQ7Q3tQx31Frzoip8=", "owner": "nix-community", "repo": "home-manager", - "rev": "70fbbf05a5594b0a72124ab211bff1d502c89e3f", + "rev": "7f4c60a3d6e548dbc13666565c22cb3f8dcdad44", "type": "github" }, "original": { @@ -533,11 +533,11 @@ ] }, "locked": { - "lastModified": 1741001137, - "narHash": "sha256-XxWib5eI3rgMPA4VzDHOx89WT76IN/ZNb+votz5gakw=", + "lastModified": 1741442524, + "narHash": "sha256-tVcxLDLLho8dWcO81Xj/3/ANLdVs0bGyCPyKjp70JWk=", "owner": "nix-community", "repo": "lanzaboote", - "rev": "cc9786aa8158437facead0d8e21ac0c03be91dc8", + "rev": "d8099586d9a84308ffedac07880e7f07a0180ff4", "type": "github" }, "original": { @@ -593,11 +593,11 @@ "pre-commit-hooks": "pre-commit-hooks" }, "locked": { - "lastModified": 1741082941, - "narHash": "sha256-mxMbmNSXLZ0G+4uPEXCodjRJffqh/Jq4X5pgFuQFZB0=", + "lastModified": 1741358751, + "narHash": "sha256-cDPg74UirjlGcVjB9qI/8ImkdEJ9p2y8Y2FQBfU8KzY=", "ref": "refs/heads/main", - "rev": "ca89e431a31527a014bfd0d529da2a8099027a5f", - "revCount": 17577, + "rev": "93c3ca4e92b8cd1a129498f4c3f4c48558032d46", + "revCount": 17620, "type": "git", "url": "https://git.lix.systems/lix-project/lix" }, 
@@ -646,11 +646,11 @@ ] }, "locked": { - "lastModified": 1732053863, - "narHash": "sha256-DCIVdlb81Fct2uwzbtnawLBC/U03U2hqx8trqTJB7WA=", + "lastModified": 1741118843, + "narHash": "sha256-ggXU3RHv6NgWw+vc+HO4/9n0GPufhTIUjVuLci8Za8c=", "owner": "oxalica", "repo": "nil", - "rev": "2e24c9834e3bb5aa2a3701d3713b43a6fb106362", + "rev": "577d160da311cc7f5042038456a0713e9863d09e", "type": "github" }, "original": { @@ -745,11 +745,11 @@ ] }, "locked": { - "lastModified": 1740886574, - "narHash": "sha256-jN6kJ41B6jUVDTebIWeebTvrKP6YiLd1/wMej4uq4Sk=", + "lastModified": 1741446546, + "narHash": "sha256-0z0GiUsUhjhZWa24bcAxqmlI3Ch8QvEeh42wghc6oVw=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "26a0f969549cf4d56f6e9046b9e0418b3f3b94a5", + "rev": "eeaf10849c3a0435323216885c0df7569dc95cb9", "type": "github" }, "original": { @@ -860,11 +860,11 @@ }, "nixpkgs-stable_3": { "locked": { - "lastModified": 1740932899, - "narHash": "sha256-F0qDu2egq18M3edJwEOAE+D+VQ+yESK6YWPRQBfOqq8=", + "lastModified": 1741332913, + "narHash": "sha256-ri1e8ZliWS3Jnp9yqpKApHaOo7KBN33W8ECAKA4teAQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "1546c45c538633ae40b93e2d14e0bb6fd8f13347", + "rev": "20755fa05115c84be00b04690630cb38f0a203ad", "type": "github" }, "original": { @@ -924,11 +924,11 @@ }, "nixpkgs_5": { "locked": { - "lastModified": 1741073343, - "narHash": "sha256-8qmLpDUmaiBGLZkFfVyK5/T5fyTXXGdzCRdqAtO0gf4=", + "lastModified": 1741455743, + "narHash": "sha256-raXtjhD9mmNrVdCoJkYoUo0X2lhEyIZYQ6M7uUp/Uuc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "72bccb2960235fd31de456566789c324a251f297", + "rev": "c1ee2620296430ac1e3ee72583ad0191463a9d60", "type": "github" }, "original": { 
@@ -1046,11 +1046,11 @@ ] }, "locked": { - "lastModified": 1737465171, - "narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=", + "lastModified": 1740915799, + "narHash": "sha256-JvQvtaphZNmeeV+IpHgNdiNePsIpHD5U/7QN5AeY44A=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "9364dc02281ce2d37a1f55b6e51f7c0f65a75f17", + "rev": "42b1ba089d2034d910566bf6b40830af6b8ec732", "type": "github" }, "original": { @@ -1125,11 +1125,11 @@ ] }, "locked": { - "lastModified": 1741055476, - "narHash": "sha256-52vwEV0oS2lCnx3c/alOFGglujZTLmObit7K8VblnS8=", + "lastModified": 1741400194, + "narHash": "sha256-tEpgT+q5KlGjHSm8MnINgTPErEl8YDzX3Eps8PVc09g=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "aefb7017d710f150970299685e8d8b549d653649", + "rev": "16b6045a232fea0e9e4c69e55a6e269607dd8e3f", "type": "github" }, "original": { From 553a07f0a92fcc5ebaf89fa478cc528acafceafa Mon Sep 17 00:00:00 2001 From: cy Date: Sun, 9 Mar 2025 22:23:58 -0400 Subject: [PATCH 3/5] run immich-ml from ytnix and add tailscale0 to trustedInterfaces --- home/yt/ytnix.nix | 1 + hosts/chunk/default.nix | 3 +-- hosts/chunk/immich.nix | 21 +++++---------------- hosts/ytnix/containers.nix | 36 ++++++++++++++++++++++++++++++++++++ hosts/ytnix/default.nix | 12 +++++++----- 5 files changed, 50 insertions(+), 23 deletions(-) create mode 100644 hosts/ytnix/containers.nix diff --git a/home/yt/ytnix.nix b/home/yt/ytnix.nix index c0182e7..214b4af 100644 --- a/home/yt/ytnix.nix +++ b/home/yt/ytnix.nix @@ -101,6 +101,7 @@ wl-clipboard-rs pixelflasher element-desktop + freetube ]; programs.feh.enable = true; diff --git a/hosts/chunk/default.nix b/hosts/chunk/default.nix index 48d7d84..465e0b9 100644 --- a/hosts/chunk/default.nix +++ b/hosts/chunk/default.nix @@ -79,6 +79,7 @@ networkmanager.enable = true; firewall = { enable = true; + trustedInterfaces = [ "tailscale0" ]; allowedTCPPorts = [ 22 80 @@ -86,8 +87,6 @@ ]; allowedUDPPorts = [ 443 - 53 - 853 ]; extraCommands = let 
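Review bot: `trustedInterfaces = [ "tailscale0" ];` in the first `hosts/chunk/default.nix` hunk accepts every port on that interface, so every tailnet node can reach everything listening on chunk rather than the explicit list kept for the other interfaces; the same line is added to `hosts/ytnix/default.nix` in its `@@ -86,10 +87,12 @@` hunk, where the previous port list is left commented out instead of being moved. NixOS has an interface-scoped form that keeps an allow-list, e.g. `networking.firewall.interfaces.tailscale0.allowedUDPPorts = [ 53 853 ];`, which would also carry the 53/853 entries the second hunk drops from the global list if DNS is presumably meant to stay tailnet-only. If blanket trust of the tailnet is the intent, a one-line comment such as `# tailnet peers are trusted end-to-end; access is governed by Tailscale ACLs` would record that decision at both sites. The enclosing `networking` block starts and ends outside the hunk.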
diff --git a/hosts/chunk/immich.nix b/hosts/chunk/immich.nix index 9661e8c..6541770 100644 --- a/hosts/chunk/immich.nix +++ b/hosts/chunk/immich.nix @@ -1,6 +1,7 @@ { pkgs, config, + lib, ... }: let @@ -67,21 +68,9 @@ in ]; networks = [ "immich-net" ]; }; - - # immich-ml = { - # image = "ghcr.io/immich-app/immich-machine-learning:release"; - # autoStart = true; - # pull = "newer"; - # environment = { - # REDIS_HOSTNAME = "immich-redis"; - # DB_HOSTNAME = "immich-db"; - # }; - # volumes = [ "${modelCache}:/cache" ]; - # networks = [ "immich-net" ]; - # }; }; - systemd.services.create-immich-net = { + systemd.services.create-immich-net = rec { serviceConfig.Type = "oneshot"; requiredBy = with config.virtualisation.oci-containers; [ "${backend}-immich.service" @@ -89,10 +78,10 @@ in "${backend}-immich-redis.service" # "${backend}-immich-ml.service" ]; - before = config.systemd.services.create-immich-net.requiredBy; + before = requiredBy; script = '' - ${pkgs.podman}/bin/podman network exists immich-net || \ - ${pkgs.podman}/bin/podman network create immich-net + ${lib.getExe pkgs.podman} network exists immich-net || \ + ${lib.getExe pkgs.podman} network create immich-net ''; }; diff --git a/hosts/ytnix/containers.nix b/hosts/ytnix/containers.nix new file mode 100644 index 0000000..a2aa405 --- /dev/null +++ b/hosts/ytnix/containers.nix 
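Review bot: The `requiredBy` list of the rewritten `create-immich-net` service still carries the commented-out `# "${backend}-immich-ml.service"` entry, although the first hunk deletes the `immich-ml` container from this host and the series moves it to ytnix; that line is now dead and should be removed. Nothing in this hunk points the remaining immich containers at the new machine-learning host, so presumably that is configured elsewhere (the Immich settings UI or an environment variable outside the diff); a short comment on the container set saying where the ML endpoint lives would save the next reader a search. The `rec` plus `before = requiredBy;` rewrite and the switch to `lib.getExe` are fine as written. The `virtualisation.oci-containers.containers` set starts outside the hunk.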
@@ -0,0 +1,36 @@ +{ + config, + pkgs, + lib, + ... +}: +{ + virtualisation.oci-containers.containers = { + immich-ml = let + modelCache = "/opt/immich-ml"; + in { + image = "ghcr.io/immich-app/immich-machine-learning:release"; + autoStart = true; + pull = "newer"; + ports = [ "3003:3003" ]; + environment = { + REDIS_HOSTNAME = "immich-redis"; + DB_HOSTNAME = "immich-db"; + }; + volumes = [ "${modelCache}:/cache" ]; + networks = [ "immich-net" ]; + }; + }; + + systemd.services.create-immich-net = rec { + serviceConfig.Type = "oneshot"; + requiredBy = with config.virtualisation.oci-containers; [ + "${backend}-immich-ml.service" + ]; + before = requiredBy; + script = '' + ${lib.getExe pkgs.podman} network exists immich-net || \ + ${lib.getExe pkgs.podman} network create immich-net + ''; + }; +} \ No newline at end of file diff --git a/hosts/ytnix/default.nix b/hosts/ytnix/default.nix index c097165..5aa406a 100644 --- a/hosts/ytnix/default.nix +++ b/hosts/ytnix/default.nix @@ -10,6 +10,7 @@ ../common.nix ../zsh.nix ./tailscale.nix + ./containers.nix ]; sops.age.keyFile = "/root/.config/sops/age/keys.txt"; @@ -86,10 +87,12 @@ resolvconf.enable = true; firewall = { enable = true; - allowedTCPPorts = [ - 8080 # mitmproxy - 22000 # syncthing - ]; + trustedInterfaces = [ "tailscale0" ]; + # allowedTCPPorts = [ + # 8080 # mitmproxy + # 22000 # syncthing + # 3003 # immich-ml + # ]; }; }; programs.nm-applet.enable = true; @@ -252,7 +255,6 @@ xdg.mime.defaultApplications = { "application/pdf" = "okular.desktop"; "image/*" = "gwenview.desktop"; - "*/html" = "chromium-browser.desktop"; }; virtualisation = { From ab0dfe08c7a1129cc3c9fa84effde75f2f4cb07f Mon Sep 17 00:00:00 2001 From: cy Date: Tue, 11 Mar 2025 11:18:21 -0400 Subject: [PATCH 4/5] unpin vscode-extensions --- flake.lock | 10 +++------- flake.nix | 4 +--- home/yt/ytnix.nix | 43 +++++++++++++++++++++++------------------ hosts/ytnix/default.nix | 6 ++++-- 4 files changed, 32 insertions(+), 31 deletions(-) 
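Review bot: `ports = [ "3003:3003" ];` in the new `immich-ml` container publishes the port on all addresses, and ports published by the container runtime are usually reached through NAT/forward rules that the NixOS firewall's INPUT chain does not filter, so the `trustedInterfaces`-only firewall added in the same commit likely does not confine 3003 to the tailnet; binding the publish address explicitly, `ports = [ "<tailscale-ip>:3003:3003" ];`, would make the intent enforceable. The image is the floating `:release` tag combined with `pull = "newer";`, so what actually runs changes on every pull with nothing in the repo recording it; pinning a digest, `image = "ghcr.io/immich-app/immich-machine-learning:release@sha256:<digest>";`, keeps the deployment reproducible, or if auto-updating is intended a comment saying so would do. `REDIS_HOSTNAME` and `DB_HOSTNAME` appear to be carried over from the chunk definition, and nothing visible on ytnix's `immich-net` provides those names, so they look unused here. The file also lacks a trailing newline.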
diff --git a/flake.lock b/flake.lock index 8916bfc..129ff5f 100644 --- a/flake.lock +++ b/flake.lock @@ -1210,9 +1210,6 @@ }, "vscode-extensions": { "inputs": { - "flake-compat": [ - "flake-compat" - ], "flake-utils": [ "flake-utils" ], @@ -1221,17 +1218,16 @@ ] }, "locked": { - "lastModified": 1740924345, - "narHash": "sha256-TO8Ttb+7PeKBkUe8vUrBt6Vxg3RMeQp4ARmlWQfcWrs=", + "lastModified": 1741693734, + "narHash": "sha256-Df0jzarVCkwJttnITExjsbSN20FOOuenGhpKvOj49hk=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "1fc267a10f46200e32f0850caa396bd1ba4ba08e", + "rev": "6d444be7edf281b8df98235d911d176beaa31510", "type": "github" }, "original": { "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "1fc267a10f46200e32f0850caa396bd1ba4ba08e", "type": "github" } } diff --git a/flake.nix b/flake.nix index cdb829e..29fc0ab 100644 --- a/flake.nix +++ b/flake.nix @@ -68,11 +68,9 @@ inputs.flake-utils.follows = "flake-utils"; }; vscode-extensions = { - # https://github.com/nix-community/nix-vscode-extensions/issues/102 - url = "github:nix-community/nix-vscode-extensions/1fc267a10f46200e32f0850caa396bd1ba4ba08e"; + url = "github:nix-community/nix-vscode-extensions/"; inputs.nixpkgs.follows = "nixpkgs"; inputs.flake-utils.follows = "flake-utils"; - inputs.flake-compat.follows = "flake-compat"; }; nix-index-database = { url = "github:nix-community/nix-index-database"; diff --git a/home/yt/ytnix.nix b/home/yt/ytnix.nix index 214b4af..9b20a66 100644 --- a/home/yt/ytnix.nix +++ b/home/yt/ytnix.nix @@ -104,25 +104,6 @@ freetube ]; - programs.feh.enable = true; - - xdg.configFile = { - mpv.source = ../mpv; - }; - - programs.direnv = { - enable = true; - nix-direnv.enable = true; - }; - - programs.git.extraConfig = { - user = { - signingKey = "~/.ssh/id_ed25519"; - }; - gpg.format = "ssh"; - commit.gpgsign = true; - }; - home.sessionVariables = { # to make ghidra work on xwayland _JAVA_AWT_WM_NONREPARENTING = 1; 
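Review bot: The new `url = "github:nix-community/nix-vscode-extensions/";` in the `flake.nix` hunk carries a trailing slash that leaves an empty ref component; Nix appears to tolerate it, as the updated lock in the preceding hunk suggests, but the conventional form is `url = "github:nix-community/nix-vscode-extensions";`. Dropping the rev means the input now floats to the repository's default branch and is fixed only by `flake.lock`, so the lock update is what controls what gets built; since the comment pointing at the upstream issue that motivated the pin is removed as well, a one-line note such as `# unpinned again; see nix-community/nix-vscode-extensions#102` would preserve the history of why it was pinned. The `inputs` set starts and ends outside the hunk.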
@@ -145,5 +126,29 @@ SSH_AUTH_SOCK = "$HOME/.bitwarden-ssh-agent.sock"; }; + home.sessionPath = [ + "$HOME/.cargo/bin" + "$HOME/go/bin" + ]; + + programs.feh.enable = true; + + xdg.configFile = { + mpv.source = ../mpv; + }; + + programs.direnv = { + enable = true; + nix-direnv.enable = true; + }; + + programs.git.extraConfig = { + user = { + signingKey = "~/.ssh/id_ed25519"; + }; + gpg.format = "ssh"; + commit.gpgsign = true; + }; + programs.nix-index-database.comma.enable = true; } diff --git a/hosts/ytnix/default.nix b/hosts/ytnix/default.nix index 5aa406a..c185991 100644 --- a/hosts/ytnix/default.nix +++ b/hosts/ytnix/default.nix @@ -257,8 +257,9 @@ "image/*" = "gwenview.desktop"; }; - virtualisation = { - libvirtd.enable = true; + virtualisation.libvirtd = { + enable = true; + qemu.vhostUserPackages = with pkgs; [ virtiofsd ]; }; programs.virt-manager.enable = true; my.containerization.enable = true; @@ -382,4 +383,5 @@ programs.ccache.enable = true; nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ]; + programs.fuse.userAllowOther = true; } From 8406723988ac7400ccef788768cdd409a023ccd4 Mon Sep 17 00:00:00 2001 From: cy Date: Tue, 11 Mar 2025 12:21:38 -0400 Subject: [PATCH 5/5] workflow: disable fail-fast when building machines --- .github/workflows/build-machines-and-homes.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build-machines-and-homes.yml b/.github/workflows/build-machines-and-homes.yml index 2e8073c..413b892 100644 --- a/.github/workflows/build-machines-and-homes.yml +++ b/.github/workflows/build-machines-and-homes.yml @@ -6,6 +6,7 @@ on: jobs: build-machines: strategy: + fail-fast: false matrix: machine: - chunk
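Review bot: `programs.fuse.userAllowOther = true;` at the end of the second `hosts/ytnix/default.nix` hunk is added with no comment saying which mount needs it; it enables `user_allow_other` in the system fuse configuration, which lets any unprivileged user's FUSE mount be exposed to other users, including services running as root, so it is a host-wide trust change rather than a per-mount one. A line such as `# user_allow_other: needed for <which mount> — TODO(cy)` next to it would record the reason and make it easy to revert when no longer needed. It also sits after the ccache lines rather than next to the libvirtd/virtiofsd change in the previous hunk that presumably motivates it, if that is the link. The enclosing top-level attribute set starts outside the hunk.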