workflow: disable fail-fast when building machines

Signed-off-by: cy <cy@cy7.sh>

.github/workflows/build-machines-and-homes.yml

@@ -6,6 +6,7 @@ on:
 jobs:
   build-machines:
     strategy:
+      fail-fast: false
       matrix:
         machine:
           - chunk

flake.lock

@@ -157,11 +157,11 @@
     },
     "crane_2": {
       "locked": {
-        "lastModified": 1741021986,
+        "lastModified": 1741396358,
-        "narHash": "sha256-VX8M6arxQU05mipDmLjk0TJVRNzu+VQx3w1gVmyPkO4=",
+        "narHash": "sha256-js4c6tqxluo4Fysn8gloLnlZ6ZjQkuWMgGjHN8+WssE=",
         "owner": "ipetkov",
         "repo": "crane",
-        "rev": "5245473d6638a96da540e44372da96eebb97735a",
+        "rev": "aaebfb7ce7e13c691aea178aff7621906f466662",
         "type": "github"
       },
       "original": {
@@ -327,11 +327,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1740872218,
+        "lastModified": 1741352980,
-        "narHash": "sha256-ZaMw0pdoUKigLpv9HiNDH2Pjnosg7NBYMJlHTIsHEUo=",
+        "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "3876f6b87db82f33775b1ef5ea343986105db764",
+        "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9",
         "type": "github"
       },
       "original": {
@@ -472,11 +472,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1741056285,
+        "lastModified": 1741461731,
-        "narHash": "sha256-/JKDMVqq8PIqcGonBVKbKq1SooV3kzGmv+cp3rKAgPA=",
+        "narHash": "sha256-BBQfGvO3GWOV+5tmqH14gNcZrRaQ7Q3tQx31Frzoip8=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "70fbbf05a5594b0a72124ab211bff1d502c89e3f",
+        "rev": "7f4c60a3d6e548dbc13666565c22cb3f8dcdad44",
         "type": "github"
       },
       "original": {
@@ -533,11 +533,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1741001137,
+        "lastModified": 1741442524,
-        "narHash": "sha256-XxWib5eI3rgMPA4VzDHOx89WT76IN/ZNb+votz5gakw=",
+        "narHash": "sha256-tVcxLDLLho8dWcO81Xj/3/ANLdVs0bGyCPyKjp70JWk=",
         "owner": "nix-community",
         "repo": "lanzaboote",
-        "rev": "cc9786aa8158437facead0d8e21ac0c03be91dc8",
+        "rev": "d8099586d9a84308ffedac07880e7f07a0180ff4",
         "type": "github"
       },
       "original": {
@@ -593,11 +593,11 @@
         "pre-commit-hooks": "pre-commit-hooks"
       },
       "locked": {
-        "lastModified": 1741082941,
+        "lastModified": 1741358751,
-        "narHash": "sha256-mxMbmNSXLZ0G+4uPEXCodjRJffqh/Jq4X5pgFuQFZB0=",
+        "narHash": "sha256-cDPg74UirjlGcVjB9qI/8ImkdEJ9p2y8Y2FQBfU8KzY=",
         "ref": "refs/heads/main",
-        "rev": "ca89e431a31527a014bfd0d529da2a8099027a5f",
+        "rev": "93c3ca4e92b8cd1a129498f4c3f4c48558032d46",
-        "revCount": 17577,
+        "revCount": 17620,
         "type": "git",
         "url": "https://git.lix.systems/lix-project/lix"
       },
@@ -646,11 +646,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1732053863,
+        "lastModified": 1741118843,
-        "narHash": "sha256-DCIVdlb81Fct2uwzbtnawLBC/U03U2hqx8trqTJB7WA=",
+        "narHash": "sha256-ggXU3RHv6NgWw+vc+HO4/9n0GPufhTIUjVuLci8Za8c=",
         "owner": "oxalica",
         "repo": "nil",
-        "rev": "2e24c9834e3bb5aa2a3701d3713b43a6fb106362",
+        "rev": "577d160da311cc7f5042038456a0713e9863d09e",
         "type": "github"
       },
       "original": {
@@ -745,11 +745,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1740886574,
+        "lastModified": 1741446546,
-        "narHash": "sha256-jN6kJ41B6jUVDTebIWeebTvrKP6YiLd1/wMej4uq4Sk=",
+        "narHash": "sha256-0z0GiUsUhjhZWa24bcAxqmlI3Ch8QvEeh42wghc6oVw=",
         "owner": "nix-community",
         "repo": "nix-index-database",
-        "rev": "26a0f969549cf4d56f6e9046b9e0418b3f3b94a5",
+        "rev": "eeaf10849c3a0435323216885c0df7569dc95cb9",
         "type": "github"
       },
       "original": {
@@ -860,11 +860,11 @@
     },
     "nixpkgs-stable_3": {
       "locked": {
-        "lastModified": 1740932899,
+        "lastModified": 1741332913,
-        "narHash": "sha256-F0qDu2egq18M3edJwEOAE+D+VQ+yESK6YWPRQBfOqq8=",
+        "narHash": "sha256-ri1e8ZliWS3Jnp9yqpKApHaOo7KBN33W8ECAKA4teAQ=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "1546c45c538633ae40b93e2d14e0bb6fd8f13347",
+        "rev": "20755fa05115c84be00b04690630cb38f0a203ad",
         "type": "github"
       },
       "original": {
@@ -924,11 +924,11 @@
     },
     "nixpkgs_5": {
       "locked": {
-        "lastModified": 1741073343,
+        "lastModified": 1741455743,
-        "narHash": "sha256-8qmLpDUmaiBGLZkFfVyK5/T5fyTXXGdzCRdqAtO0gf4=",
+        "narHash": "sha256-raXtjhD9mmNrVdCoJkYoUo0X2lhEyIZYQ6M7uUp/Uuc=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "72bccb2960235fd31de456566789c324a251f297",
+        "rev": "c1ee2620296430ac1e3ee72583ad0191463a9d60",
         "type": "github"
       },
       "original": {
@@ -1046,11 +1046,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1737465171,
+        "lastModified": 1740915799,
-        "narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=",
+        "narHash": "sha256-JvQvtaphZNmeeV+IpHgNdiNePsIpHD5U/7QN5AeY44A=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "9364dc02281ce2d37a1f55b6e51f7c0f65a75f17",
+        "rev": "42b1ba089d2034d910566bf6b40830af6b8ec732",
         "type": "github"
       },
       "original": {
@@ -1125,11 +1125,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1741055476,
+        "lastModified": 1741400194,
-        "narHash": "sha256-52vwEV0oS2lCnx3c/alOFGglujZTLmObit7K8VblnS8=",
+        "narHash": "sha256-tEpgT+q5KlGjHSm8MnINgTPErEl8YDzX3Eps8PVc09g=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "aefb7017d710f150970299685e8d8b549d653649",
+        "rev": "16b6045a232fea0e9e4c69e55a6e269607dd8e3f",
         "type": "github"
       },
       "original": {
@@ -1210,9 +1210,6 @@
     },
     "vscode-extensions": {
       "inputs": {
-        "flake-compat": [
-          "flake-compat"
-        ],
         "flake-utils": [
           "flake-utils"
         ],
@@ -1221,17 +1218,16 @@
         ]
       },
       "locked": {
-        "lastModified": 1740924345,
+        "lastModified": 1741693734,
-        "narHash": "sha256-TO8Ttb+7PeKBkUe8vUrBt6Vxg3RMeQp4ARmlWQfcWrs=",
+        "narHash": "sha256-Df0jzarVCkwJttnITExjsbSN20FOOuenGhpKvOj49hk=",
         "owner": "nix-community",
         "repo": "nix-vscode-extensions",
-        "rev": "1fc267a10f46200e32f0850caa396bd1ba4ba08e",
+        "rev": "6d444be7edf281b8df98235d911d176beaa31510",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
         "repo": "nix-vscode-extensions",
-        "rev": "1fc267a10f46200e32f0850caa396bd1ba4ba08e",
         "type": "github"
       }
     }

flake.nix

@@ -68,11 +68,9 @@
       inputs.flake-utils.follows = "flake-utils";
     };
     vscode-extensions = {
-      # https://github.com/nix-community/nix-vscode-extensions/issues/102
+      url = "github:nix-community/nix-vscode-extensions/";
-      url = "github:nix-community/nix-vscode-extensions/1fc267a10f46200e32f0850caa396bd1ba4ba08e";
       inputs.nixpkgs.follows = "nixpkgs";
       inputs.flake-utils.follows = "flake-utils";
-      inputs.flake-compat.follows = "flake-compat";
     };
     nix-index-database = {
       url = "github:nix-community/nix-index-database";

home/yt/ytnix.nix

@@ -101,27 +101,9 @@
       wl-clipboard-rs
       pixelflasher
       element-desktop
+      freetube
     ];
 
-  programs.feh.enable = true;
-
-  xdg.configFile = {
-    mpv.source = ../mpv;
-  };
-
-  programs.direnv = {
-    enable = true;
-    nix-direnv.enable = true;
-  };
-
-  programs.git.extraConfig = {
-    user = {
-      signingKey = "~/.ssh/id_ed25519";
-    };
-    gpg.format = "ssh";
-    commit.gpgsign = true;
-  };
-
   home.sessionVariables = {
     # to make ghidra work on xwayland
     _JAVA_AWT_WM_NONREPARENTING = 1;
@@ -144,5 +126,29 @@
     SSH_AUTH_SOCK = "$HOME/.bitwarden-ssh-agent.sock";
   };
 
+  home.sessionPath = [
+    "$HOME/.cargo/bin"
+    "$HOME/go/bin"
+  ];
+
+  programs.feh.enable = true;
+
+  xdg.configFile = {
+    mpv.source = ../mpv;
+  };
+
+  programs.direnv = {
+    enable = true;
+    nix-direnv.enable = true;
+  };
+
+  programs.git.extraConfig = {
+    user = {
+      signingKey = "~/.ssh/id_ed25519";
+    };
+    gpg.format = "ssh";
+    commit.gpgsign = true;
+  };
+
   programs.nix-index-database.comma.enable = true;
 }

hosts/chunk/default.nix

@@ -79,6 +79,7 @@
     networkmanager.enable = true;
     firewall = {
       enable = true;
+      trustedInterfaces = [ "tailscale0" ];
       allowedTCPPorts = [
         22
         80
@@ -86,8 +87,6 @@
       ];
       allowedUDPPorts = [
         443
-        53
-        853
       ];
       extraCommands =
         let

hosts/chunk/immich.nix

@@ -1,6 +1,7 @@
 {
   pkgs,
   config,
+  lib,
   ...
 }:
 let
@@ -67,21 +68,9 @@ in
       ];
       networks = [ "immich-net" ];
     };
-
-    # immich-ml = {
-    #   image = "ghcr.io/immich-app/immich-machine-learning:release";
-    #   autoStart = true;
-    #   pull = "newer";
-    #   environment = {
-    #     REDIS_HOSTNAME = "immich-redis";
-    #     DB_HOSTNAME = "immich-db";
-    #   };
-    #   volumes = [ "${modelCache}:/cache" ];
-    #   networks = [ "immich-net" ];
-    # };
   };
 
-  systemd.services.create-immich-net = {
+  systemd.services.create-immich-net = rec {
     serviceConfig.Type = "oneshot";
     requiredBy = with config.virtualisation.oci-containers; [
       "${backend}-immich.service"
@@ -89,10 +78,10 @@ in
       "${backend}-immich-redis.service"
       # "${backend}-immich-ml.service"
     ];
-    before = config.systemd.services.create-immich-net.requiredBy;
+    before = requiredBy;
     script = ''
-      ${pkgs.podman}/bin/podman network exists immich-net || \
+      ${lib.getExe pkgs.podman} network exists immich-net || \
-      ${pkgs.podman}/bin/podman network create immich-net
+      ${lib.getExe pkgs.podman} network create immich-net
     '';
   };
 

hosts/ytnix/containers.nix

@@ -0,0 +1,36 @@
+{ 
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
+  virtualisation.oci-containers.containers = {
+    immich-ml = let
+      modelCache = "/opt/immich-ml";
+    in {
+      image = "ghcr.io/immich-app/immich-machine-learning:release";
+      autoStart = true;
+      pull = "newer";
+      ports = [ "3003:3003" ];
+      environment = {
+        REDIS_HOSTNAME = "immich-redis";
+        DB_HOSTNAME = "immich-db";
+      };
+      volumes = [ "${modelCache}:/cache" ];
+      networks = [ "immich-net" ];
+    };
+  };
+
+  systemd.services.create-immich-net = rec {
+    serviceConfig.Type = "oneshot";
+    requiredBy = with config.virtualisation.oci-containers; [
+      "${backend}-immich-ml.service"
+    ];
+    before = requiredBy;
+    script = ''
+      ${lib.getExe pkgs.podman} network exists immich-net || \
+      ${lib.getExe pkgs.podman} network create immich-net
+    '';
+  };
+}

hosts/ytnix/default.nix

@@ -10,6 +10,7 @@
     ../common.nix
     ../zsh.nix
     ./tailscale.nix
+    ./containers.nix
   ];
 
   sops.age.keyFile = "/root/.config/sops/age/keys.txt";
@@ -86,10 +87,12 @@
     resolvconf.enable = true;
     firewall = {
       enable = true;
-      allowedTCPPorts = [
+      trustedInterfaces = [ "tailscale0" ];
-        8080 # mitmproxy
+      # allowedTCPPorts = [
-        22000 # syncthing
+      #   8080 # mitmproxy
-      ];
+      #   22000 # syncthing
+      #   3003 # immich-ml
+      # ];
     };
   };
   programs.nm-applet.enable = true;
@@ -252,11 +255,11 @@
   xdg.mime.defaultApplications = {
     "application/pdf" = "okular.desktop";
     "image/*" = "gwenview.desktop";
-    "*/html" = "chromium-browser.desktop";
   };
 
-  virtualisation = {
+  virtualisation.libvirtd = {
-    libvirtd.enable = true;
+    enable = true;
+    qemu.vhostUserPackages = with pkgs; [ virtiofsd ];
   };
   programs.virt-manager.enable = true;
   my.containerization.enable = true;
@@ -380,4 +383,5 @@
 
   programs.ccache.enable = true;
   nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ];
+  programs.fuse.userAllowOther = true;
 }

modules/searx.nix

@@ -5,7 +5,6 @@
 }:
 let
   cfg = config.my.searx;
-  sockPath = "/run/searx/searx.sock";
 in
 {
   options.my.searx = {
@@ -25,6 +24,19 @@ in
         server.secret_key = "@SEARX_SECRET_KEY@";
       };
       environmentFile = config.sops.secrets."searx/env".path;
+      redisCreateLocally = true; # required for limiter
+      limiterSettings = {
+        real_ip = {
+          x_for = 1;
+          ipv4_prefix = 32;
+          ipv6_prefix = 56;
+        };
+        botdetection.ip_lists.pass_ip = [
+          "100.121.152.86"
+          "100.66.32.54"
+        ];
+        link_token = true;
+      };
     };
 
     services.caddy.virtualHosts."x.cy7.sh".extraConfig = ''