diff --git a/.github/workflows/build-machines-and-homes.yml b/.github/workflows/build-machines-and-homes.yml index 7731122..f1e07bc 100644 --- a/.github/workflows/build-machines-and-homes.yml +++ b/.github/workflows/build-machines-and-homes.yml @@ -3,16 +3,14 @@ on: workflow_dispatch: push: pull_request: + env: - ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }} - NIX_CONFIG: | - show-trace = true - extra-substituters = https://cache.cy7.sh/main - extra-trusted-public-keys = main:Ku31HoEWcBtfggge2VGj+QTkVrQuIwRIMGyfV/5VQP0= - experimental-features = nix-command flakes - accept-flake-config = true - system-features = nixos-test benchmark big-parallel kvm TERM: ansi + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets. AWS_SECRET_ACCESS_KEY }} + AWS_DEFAULT_REGION: us-east-1 + AWS_ENDPOINT_URL: https://s3.cy7.sh + jobs: build-machines: strategy: @@ -24,6 +22,7 @@ jobs: os: - ubuntu-latest runs-on: ${{ matrix.os }} + steps: - name: Maximize build disk space uses: easimon/maximize-build-space@v10 
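Review bot: The AWS credentials are placed in the workflow-level `env:` block, so `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` are exported into every step's process, including the third-party actions `easimon/maximize-build-space@v10` and `cachix/install-nix-action@v30` that never need them, and the surrounding context shows the workflow still triggers on `pull_request:`. Only the `setup s3 credentials` step (later in the file) reads those two variables, so move the two `secrets.*` entries into that step's own `env:` and leave `AWS_DEFAULT_REGION`/`AWS_ENDPOINT_URL` at workflow level. Also note `AWS_SECRET_ACCESS_KEY: ${{ secrets. AWS_SECRET_ACCESS_KEY }}` has a space after `secrets.`; whether the expression parser tolerates that I can't confirm from here, so check the value actually arrives non-empty and write it as `${{ secrets.AWS_SECRET_ACCESS_KEY }}`. The `jobs:` matrix continues below this hunk.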
@@ -36,27 +35,47 @@ jobs: remove-codeql: 'true' remove-docker-images: 'true' build-mount-path: /nix - - name: Install Nix - uses: cachix/install-nix-action@v30 + + - name: setup binary cache key + run: echo -n "${{ secrets.NIX_CACHE_SECRET_KEY }}" | xxd -p -r > ${{ runner.temp }}/cache-priv-key.pem + - name: Sync repository uses: actions/checkout@v4 with: persist-credentials: false - - name: setup attic + + - name: post-build-hook run: | - nix profile install github:zhaofengli/attic - attic login cy7 https://cache.cy7.sh "$ATTIC_TOKEN" + sudo mkdir -p /etc/nix + sudo cp ci/upload-to-cache.sh /etc/nix/ + sudo chmod +x /etc/nix/upload-to-cache.sh + + - name: setup s3 credentials + run: | + sudo mkdir /root/.aws + echo "[default]" |sudo tee /root/.aws/config |sudo tee /root/.aws/credentials + echo "aws_access_key_id=$AWS_ACCESS_KEY_ID" |sudo tee -a /root/.aws/credentials + echo "aws_secret_access_key=$AWS_SECRET_ACCESS_KEY" |sudo tee -a /root/.aws/credentials + echo "endpoint_url=$AWS_ENDPOINT_URL" |sudo tee -a /root/.aws/config + + - name: Install Nix + uses: cachix/install-nix-action@v30 + with: + enable_kvm: true + extra_nix_config: | + show-trace = true + experimental-features = nix-command flakes + accept-flake-config = true + system-features = nixos-test benchmark big-parallel kvm + secret-key-files = ${{ runner.temp }}/cache-priv-key.pem + extra-substituters = https://nixcache.cy7.sh + extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= + post-build-hook = /etc/nix/upload-to-cache.sh + - name: build run: | - package=".#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel" - nix build -L "$package" - - name: cache - if: always() - run: | - package=".#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel" - derivation="$(nix path-info --derivation "$package")" - cache="$(nix-store --query --requisites --include-outputs "$derivation")" - xargs attic push main <<< "$cache" + nix run 
nixpkgs#nixos-rebuild build -- -L --flake ".#${{ matrix.machine }}" + build-homes: strategy: fail-fast: false @@ -68,6 +87,7 @@ jobs: - ubuntu-latest # - macos-latest runs-on: ${{ matrix.os }} + steps: - name: Maximize build disk space uses: easimon/maximize-build-space@v10 
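Review bot: With `secret-key-files = ${{ runner.temp }}/cache-priv-key.pem` and `post-build-hook = /etc/nix/upload-to-cache.sh` configured unconditionally, every store path this job builds is signed with the cache key and pushed to the `nixcache.cy7.sh` bucket, and the workflow's `on:` block (above this hunk) includes `pull_request:`, so any branch that can get a build to run here publishes outputs under the key the workflows themselves pin as trusted. Gate the `setup binary cache key`, `post-build-hook` and `setup s3 credentials` steps with `if: github.event_name != 'pull_request'` and give PR runs an `extra_nix_config` without the `secret-key-files`/`post-build-hook` lines (a missing key file would otherwise fail signing), or split the signed upload into a separate push-only job. Separately, the build step now runs `nix run nixpkgs#nixos-rebuild`, which resolves `nixpkgs` through the global flake registry rather than this repo's `flake.lock`, so the tool driving the build is unpinned; the previous `nix build -L ".#nixosConfigurations.${{ matrix.machine }}.config.system.build.toplevel"` or `nix run nixpkgs/<locked-rev>#nixos-rebuild` keeps it pinned. `accept-flake-config = true` likewise lets the checked-out flake's `nixConfig` add substituters without a prompt, which is a broad grant on a PR-triggered job.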
@@ -80,24 +100,44 @@ jobs: remove-codeql: 'true' remove-docker-images: 'true' build-mount-path: /nix - - name: Install Nix - uses: cachix/install-nix-action@v30 + + - name: setup binary cache key + run: echo -n "${{ secrets.NIX_CACHE_SECRET_KEY }}" | xxd -p -r > ${{ runner.temp }}/cache-priv-key.pem + - name: Sync repository uses: actions/checkout@v4 with: persist-credentials: false - - name: setup attic + + - name: post-build-hook run: | - nix profile install github:zhaofengli/attic - attic login cy7 https://cache.cy7.sh "$ATTIC_TOKEN" + sudo mkdir -p /etc/nix + sudo cp ci/upload-to-cache.sh /etc/nix/ + sudo chmod +x /etc/nix/upload-to-cache.sh + + - name: setup s3 credentials + run: | + sudo mkdir /root/.aws + echo "[default]" |sudo tee /root/.aws/config |sudo tee /root/.aws/credentials + echo "aws_access_key_id=$AWS_ACCESS_KEY_ID" |sudo tee -a /root/.aws/credentials + echo "aws_secret_access_key=$AWS_SECRET_ACCESS_KEY" |sudo tee -a /root/.aws/credentials + echo "endpoint_url=$AWS_ENDPOINT_URL" |sudo tee -a /root/.aws/config + + - name: Install Nix + uses: cachix/install-nix-action@v30 + with: + enable_kvm: true + extra_nix_config: | + show-trace = true + experimental-features = nix-command flakes + accept-flake-config = true + system-features = nixos-test benchmark big-parallel kvm + secret-key-files = ${{ runner.temp }}/cache-priv-key.pem + extra-substituters = https://nixcache.cy7.sh + extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= + post-build-hook = /etc/nix/upload-to-cache.sh + - name: build run: | package=".#homeConfigurations."${{ matrix.home }}".activationPackage" nix build -L "$package" - - name: cache - if: always() - run: | - package=".#homeConfigurations."${{ matrix.home }}".activationPackage" - derivation="$(nix path-info --derivation "$package")" - cache="$(nix-store --query --requisites --include-outputs "$derivation")" - xargs attic push main <<< "$cache" 
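Review bot: In `setup s3 credentials`, every `echo ... | sudo tee -a /root/.aws/credentials` also writes its input to the step's stdout, so the line containing `$AWS_SECRET_ACCESS_KEY` is sent to the job log; GitHub masks registered secret values, but that masking is best-effort and the credential still transits the log pipeline, and the files are created with `tee`'s default mode. Redirect `tee`'s stdout and tighten the mode, e.g. `echo "aws_secret_access_key=$AWS_SECRET_ACCESS_KEY" | sudo tee -a /root/.aws/credentials >/dev/null` followed by `sudo chmod 600 /root/.aws/credentials`, and use `sudo mkdir -p /root/.aws` so a re-run on a warm runner does not fail on the existing directory. This step and the three around it are copied verbatim from the `build-machines` job above; a composite action or a shared reusable workflow would keep the two from drifting (they already differ in how `build` is invoked). The `build-homes` job's matrix definition sits above this hunk.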
diff --git a/.github/workflows/build-packages.yml b/.github/workflows/build-packages.yml index fb0620e..423c88a 100644 --- a/.github/workflows/build-packages.yml +++ b/.github/workflows/build-packages.yml @@ -6,15 +6,14 @@ on: description: "package to build" required: false type: string + env: - ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }} - NIX_CONFIG: | - show-trace = true - extra-substituters = https://cache.cy7.sh/main - extra-trusted-public-keys = main:Ku31HoEWcBtfggge2VGj+QTkVrQuIwRIMGyfV/5VQP0= - experimental-features = nix-command flakes - accept-flake-config = true TERM: ansi + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets. AWS_SECRET_ACCESS_KEY }} + AWS_DEFAULT_REGION: us-east-1 + AWS_ENDPOINT_URL: https://s3.cy7.sh + jobs: build-packages: strategy: 
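Review bot: `AWS_SECRET_ACCESS_KEY: ${{ secrets. AWS_SECRET_ACCESS_KEY }}` has a space between `secrets.` and the secret name; I can't confirm from here whether the expressions parser accepts whitespace after the dereference, and if it does not the variable arrives empty and the later `nixcp push --bucket nixcache` step fails only at upload time with an opaque S3 auth error. Write it as `AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}`. As in the other workflow, these credentials live in workflow-level `env`, so they are also handed to `cachix/install-nix-action` and `actions/upload-artifact`; scoping them to the `cache result` step's own `env:` limits what a compromised action in this job could read. The `build-packages` matrix continues below this hunk.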
@@ -28,26 +27,40 @@ jobs: - macos-latest - macos-13 runs-on: ${{ matrix.os }} + steps: + - name: setup binary cache key + run: echo -n "${{ secrets.NIX_CACHE_SECRET_KEY }}" | xxd -p -r > ${{ runner.temp }}/cache-priv-key.pem + - name: Install Nix uses: cachix/install-nix-action@v30 - - name: Sync repository - uses: actions/checkout@v4 with: - persist-credentials: false - - name: setup attic - run: | - nix profile install github:zhaofengli/attic - attic login cy7 https://cache.cy7.sh "$ATTIC_TOKEN" + enable_kvm: true + extra_nix_config: | + show-trace = true + experimental-features = nix-command flakes + accept-flake-config = true + system-features = nixos-test benchmark big-parallel kvm + secret-key-files = ${{ runner.temp }}/cache-priv-key.pem + extra-substituters = https://nixcache.cy7.sh + extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= + - run: nix build -L ${{ matrix.package }} + - name: cache result - if: always() + # https://stackoverflow.com/a/58859404 + if: '!cancelled()' run: | - derivation="$(nix path-info --derivation "${{ matrix.package }}")" - cache="$(nix-store --query --requisites --include-outputs "$derivation")" - xargs attic push main <<< "$cache" + nix run github:cything/nixcp -- \ + push \ + --bucket nixcache \ + --signing-key ${{ runner.temp }}/cache-priv-key.pem \ + -u https://nix-community.cachix.org \ + "${{ matrix.package }}" + - name: prepare tarball to upload run: nix run github:nixos/nixpkgs#gnutar hcvf result.tar result + - name: upload result uses: actions/upload-artifact@v4 with: diff --git a/.github/workflows/update-flake-lock.yml b/.github/workflows/update-flake-lock.yml index 59006f6..3b79705 100644 --- a/.github/workflows/update-flake-lock.yml +++ b/.github/workflows/update-flake-lock.yml 
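Review bot: The `cache result` step runs `nix run github:cything/nixcp -- push --signing-key ${{ runner.temp }}/cache-priv-key.pem ...`, which fetches whatever `github:cything/nixcp` resolves to at run time (default-branch HEAD, not recorded in `flake.lock`) and hands it the cache signing key plus the S3 credentials in the environment; `nix run github:nixos/nixpkgs#gnutar` two steps later is unpinned the same way. Pin both to a commit, e.g. `github:cything/nixcp/<rev>` and `github:nixos/nixpkgs/<rev>#gnutar`, or add nixcp as a locked flake input. `${{ matrix.package }}` is also spliced directly into two `run:` scripts; since the matrix appears to derive from the `workflow_dispatch` `package` input declared above this hunk, prefer `env: PACKAGE: ${{ matrix.package }}` with `"$PACKAGE"` in the script so the value is never interpreted as shell. Note the hunk drops the `actions/checkout` step, so `.#`-style package refs no longer resolve — confirm the matrix only carries remote flake refs.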
@@ -11,10 +11,32 @@ jobs: createPullRequest: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - name: Install Nix - uses: cachix/install-nix-action@v30 + - uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2 with: - github_access_token: ${{ secrets.GITHUB_TOKEN }} + ssh-key: ${{ secrets.SSH_DEPLOY_KEY }} + + - name: Install Nix + uses: cachix/install-nix-action@53fb48f556dd912c4814b24ee8059a9c91c82b18 + with: + enable_kvm: true + extra_nix_config: | + show-trace = true + experimental-features = nix-command flakes + accept-flake-config = true + system-features = nixos-test benchmark big-parallel kvm + secret-key-files = /home/runner/cache-priv-key.pem + extra-substituters = https://nixcache.cy7.sh + extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= + - name: Update flake.lock - uses: DeterminateSystems/update-flake-lock@v24 + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + nix flake update --commit-lock-file + + - name: Create PR + uses: peter-evans/create-pull-request@98106d3f2b65918a6591f9e155117b7219ff7e51 + with: + title: nix flake update + branch: update-flake-inputs + branch-suffix: timestamp diff --git a/.sops.yaml b/.sops.yaml index cb7e65d..5dca48c 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -123,3 +123,22 @@ creation_rules: - age: - *chunk - *cy + - path_regex: secrets/cache-priv-key.pem + key_groups: + - age: + - *yt + - *cy + - *chunk + - path_regex: secrets/services/authelia.yaml + key_groups: + - age: + - *yt + - *cy + - *chunk + - path_regex: secrets/services/karakeep.yaml + key_groups: + - age: + - *yt + - *cy + - *chunk + diff --git a/README b/README new file mode 100644 index 0000000..1a59725 --- /dev/null +++ b/README @@ -0,0 +1 @@ +this is only open source for free ci diff --git a/README.md b/README.md deleted file mode 100644 index eb52498..0000000 --- a/README.md +++ /dev/null 
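Review bot: `secret-key-files = /home/runner/cache-priv-key.pem` points at a file that no step in this job creates (the build workflows write the key to `${{ runner.temp }}/cache-priv-key.pem` from `secrets.NIX_CACHE_SECRET_KEY`), so the line is either dead configuration or, should a local build ever be triggered here, a signing failure at build time. `nix flake update --commit-lock-file` only rewrites the lock and needs no signing, so delete the `secret-key-files` line rather than add the key to this job; keeping the cache signing key out of the one job that also holds `secrets.SSH_DEPLOY_KEY` with push rights is the better split anyway. The SHA-pinned `actions/checkout`, `cachix/install-nix-action` and `peter-evans/create-pull-request` references are an improvement over the `@v30`/`@v4` tags still used in the other workflows; a `# pinned: vX.Y.Z` comment next to each SHA would keep them auditable. The `createPullRequest` job header is just above this hunk.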
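Review bot: The new `secrets/cache-priv-key.pem` rule makes the Nix cache signing key decryptable by all three age recipients `*yt`, `*cy` and `*chunk`; the README deleted in this same commit describes `chunk` as a server host, so compromise of that host's age key would yield the private key that every workflow pins as trusted via `extra-trusted-public-keys`. If `chunk` does not sign store paths itself, drop it from this rule. The same key is also held out-of-band as the GitHub secret `NIX_CACHE_SECRET_KEY`, so add a comment above the rule, `# rotate together with the NIX_CACHE_SECRET_KEY GitHub secret and the public key pinned in .github/workflows/*.yml`, so a rotation does not leave one copy stale.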
@@ -1,40 +0,0 @@ -# infra -## ./home -- [home-manager](https://github.com/nix-community/home-manager) configuration files -- foot, tmux, and zsh are configured in Nix -- nvim, rofi, sway, waybar are configured in their own literature and symlinked to $XDG_CONFIG_HOME with home-manager - -## ./hosts -- [`hosts/common.nix`](hosts/common.nix): configuration that makes sense on all computers -- [`hosts/zsh.nix`](hosts/zsh.nix): for computers that have the power to run zsh -### ./hosts/ytnix -- personal laptop -- a single [`default.nix`](hosts/ytnix/default.nix) that could be modularized but works for now - -### ./hosts/chunk -- the overworked server with 5% SLA -- very short and concise [`default.nix`](hosts/chunk/default.nix) -- services organized in their modules -- some services run through `virtualisation.oci-containers`: - - [immich](hosts/chunk/immich.nix) - - [conduwuit](hosts/chunk/conduwuit.nix) - -### ./hosts/titan -- got this cause chunk would go down way too often :( -- hosted on azure for "reliability" -- runs: - - [ghost](hosts/titan/ghost.nix) (through `virtualisation.oci-containers`) - - [uptime-kuma](hosts/titan/uptime-kuma.nix) - - [ntfy-sh](hosts/titan/ntfy.nix) - -## ./secrets -- secrets -- see [`.sops.yaml`](.sops.yaml) for who privy to what - -## backups -- hourly borgbackup to [rsync.net](https://rsync.net) -- see [modules/backup](modules/backup.nix) - -## monitoring -- [status.cything.io](https://status.cything.io/): uptime kuma (reliable) -- [grafana.cything.io](https://grafana.cything.io/): some real-time metrics here; unlike the status page this will go kaput often diff --git a/ci/upload-to-cache.sh b/ci/upload-to-cache.sh new file mode 100755 index 0000000..559d062 --- /dev/null +++ b/ci/upload-to-cache.sh 
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+# https://nix.dev/guides/recipes/post-build-hook.html#implementing-the-build-hook
+set -eu
+set -f # disable globbing
+export IFS=' '
+echo "Uploading paths" $OUT_PATHS
+exec /nix/var/nix/profiles/default/bin/nix copy --to "s3://nixcache?endpoint=s3.cy7.sh&compression=zstd¶llel-compression=true" $OUT_PATHS
diff --git a/flake.lock b/flake.lock
index be46616..4370247 100644
--- a/flake.lock
+++ b/flake.lock
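Review bot: As rendered here the `nix copy` destination reads `...compression=zstd¶llel-compression=true`; that is almost certainly `&parallel-compression=true` with `&para` decoded into a pilcrow somewhere in the extraction, but verify the committed script, since a literal `¶llel-compression` parameter is not something Nix's S3 store URL parser should be relied on to ignore. More substantively, this hook runs under the nix-daemon (root on the multi-user install the workflows use) with the credentials from `/root/.aws`, and because a post-build hook's non-zero exit fails the build, `set -eu` plus `exec nix copy` means a transient S3 failure fails the build that triggered it; if uploads are meant to be best-effort, write `... || echo "cache upload failed" >&2` instead of `exec`, and in either case add a comment above the call stating which behaviour is intended. The `IFS=' '`/`set -f`/unquoted `$OUT_PATHS` trio is deliberate but reads as a quoting bug to anyone without the recipe link; a one-liner such as `# OUT_PATHS is space-separated; IFS and set -f make the unquoted expansion safe` would prevent a well-meaning "fix".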
@@ -1,177 +1,12 @@ { "nodes": { - "attic": { - "inputs": { - "crane": [ - "crane" - ], - "flake-compat": [ - "flake-compat" - ], - "flake-parts": [ - "flake-parts" - ], - "nix-github-actions": "nix-github-actions", - "nixpkgs": [ - "nixpkgs" - ], - "nixpkgs-stable": [ - "nixpkgs-stable" - ] - }, - "locked": { - "lastModified": 1738524606, - "narHash": "sha256-hPYEJ4juK3ph7kbjbvv7PlU1D9pAkkhl+pwx8fZY53U=", - "owner": "zhaofengli", - "repo": "attic", - "rev": "ff8a897d1f4408ebbf4d45fa9049c06b3e1e3f4e", - "type": "github" - }, - "original": { - "owner": "zhaofengli", - "repo": "attic", - "type": "github" - } - }, - "attic_2": { - "inputs": { - "crane": "crane", - "flake-compat": "flake-compat", - "flake-parts": "flake-parts", - "nix-github-actions": "nix-github-actions_2", - "nixpkgs": "nixpkgs", - "nixpkgs-stable": "nixpkgs-stable" - }, - "locked": { - "lastModified": 1738524606, - "narHash": "sha256-hPYEJ4juK3ph7kbjbvv7PlU1D9pAkkhl+pwx8fZY53U=", - "owner": "zhaofengli", - "repo": "attic", - "rev": "ff8a897d1f4408ebbf4d45fa9049c06b3e1e3f4e", - "type": "github" - }, - "original": { - "owner": "zhaofengli", - "ref": "main", - "repo": "attic", - "type": "github" - } - }, - "cachix": { - "inputs": { - "devenv": "devenv", - "flake-compat": "flake-compat_2", - "git-hooks": "git-hooks", - "nixpkgs": "nixpkgs_4" - }, - "locked": { - "lastModified": 1737621947, - "narHash": "sha256-8HFvG7fvIFbgtaYAY2628Tb89fA55nPm2jSiNs0/Cws=", - "owner": "cachix", - "repo": "cachix", - "rev": "f65a3cd5e339c223471e64c051434616e18cc4f5", - "type": "github" - }, - "original": { - "owner": "cachix", - "ref": "master", - "repo": "cachix", - "type": "github" - } - }, - "cachix_2": { - "inputs": { - "devenv": [ - "conduwuit", - "cachix", - "devenv" - ], - "flake-compat": [ - "conduwuit", - "cachix", - "devenv" - ], - "git-hooks": [ - "conduwuit", - "cachix", - "devenv" - ], - "nixpkgs": "nixpkgs_2" - }, - "locked": { - "lastModified": 1728672398, - "narHash": 
"sha256-KxuGSoVUFnQLB2ZcYODW7AVPAh9JqRlD5BrfsC/Q4qs=", - "owner": "cachix", - "repo": "cachix", - "rev": "aac51f698309fd0f381149214b7eee213c66ef0a", - "type": "github" - }, - "original": { - "owner": "cachix", - "ref": "latest", - "repo": "cachix", - "type": "github" - } - }, - "complement": { - "flake": false, - "locked": { - "lastModified": 1741891349, - "narHash": "sha256-YvrzOWcX7DH1drp5SGa+E/fc7wN3hqFtPbqPjZpOu1Q=", - "owner": "girlbossceo", - "repo": "complement", - "rev": "e587b3df569cba411aeac7c20b6366d03c143745", - "type": "github" - }, - "original": { - "owner": "girlbossceo", - "ref": "main", - "repo": "complement", - "type": "github" - } - }, - "conduwuit": { - "inputs": { - "attic": "attic_2", - "cachix": "cachix", - "complement": "complement", - "crane": "crane_2", - "fenix": "fenix", - "flake-compat": "flake-compat_3", - "flake-utils": "flake-utils", - "liburing": "liburing", - "nix-filter": "nix-filter", - "nixpkgs": "nixpkgs_5", - "rocksdb": "rocksdb" - }, - "locked": { - "lastModified": 1742266954, - "narHash": "sha256-PoVjZXR24r1WPyWWK+DZDAlVr4otn/BcxY7/jd8fehM=", - "owner": "girlbossceo", - "repo": "conduwuit", - "rev": "7bf92c8a3710eeff229bd86bc81a89daa94b66d5", - "type": "github" - }, - "original": { - "owner": "girlbossceo", - "repo": "conduwuit", - "type": "github" - } - }, "crane": { - "inputs": { - "nixpkgs": [ - "conduwuit", - "attic", - "nixpkgs" - ] - }, "locked": { - "lastModified": 1722960479, - "narHash": "sha256-NhCkJJQhD5GUib8zN9JrmYGMwt4lCRp6ZVNzIiYCl0Y=", + "lastModified": 1737689766, + "narHash": "sha256-ivVXYaYlShxYoKfSo5+y5930qMKKJ8CLcAoIBPQfJ6s=", "owner": "ipetkov", "repo": "crane", - "rev": "4c6c77920b8d44cd6660c1621dea6b3fc4b4c4f4", + "rev": "6fe74265bbb6d016d663b1091f015e2976c4a527", "type": "github" }, "original": { 
@@ -182,27 +17,11 @@ }, "crane_2": { "locked": { - "lastModified": 1742317686, - "narHash": "sha256-ScJYnUykEDhYeCepoAWBbZWx2fpQ8ottyvOyGry7HqE=", + "lastModified": 1741148495, + "narHash": "sha256-EV8KUaIZ2/CdBXlutXrHoZYbWPeB65p5kKZk71gvDRI=", "owner": "ipetkov", "repo": "crane", - "rev": "66cb0013f9a99d710b167ad13cbd8cc4e64f2ddb", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "ref": "master", - "repo": "crane", - "type": "github" - } - }, - "crane_3": { - "locked": { - "lastModified": 1742317686, - "narHash": "sha256-ScJYnUykEDhYeCepoAWBbZWx2fpQ8ottyvOyGry7HqE=", - "owner": "ipetkov", - "repo": "crane", - "rev": "66cb0013f9a99d710b167ad13cbd8cc4e64f2ddb", + "rev": "75390a36cd0c2cdd5f1aafd8a9f827d7107f2e53", "type": "github" }, "original": { 
@@ -211,75 +30,17 @@ "type": "github" } }, - "devenv": { - "inputs": { - "cachix": "cachix_2", - "flake-compat": [ - "conduwuit", - "cachix", - "flake-compat" - ], - "git-hooks": [ - "conduwuit", - "cachix", - "git-hooks" - ], - "nix": "nix", - "nixpkgs": [ - "conduwuit", - "cachix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1733323168, - "narHash": "sha256-d5DwB4MZvlaQpN6OQ4SLYxb5jA4UH5EtV5t5WOtjLPU=", - "owner": "cachix", - "repo": "devenv", - "rev": "efa9010b8b1cfd5dd3c7ed1e172a470c3b84a064", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "devenv", - "type": "github" - } - }, - "fenix": { - "inputs": { - "nixpkgs": [ - "conduwuit", - "nixpkgs" - ], - "rust-analyzer-src": "rust-analyzer-src" - }, - "locked": { - "lastModified": 1740724364, - "narHash": "sha256-D1jLIueJx1dPrP09ZZwTrPf4cubV+TsFMYbpYYTVj6A=", - "owner": "nix-community", - "repo": "fenix", - "rev": "edf7d9e431cda8782e729253835f178a356d3aab", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "main", - "repo": "fenix", - "type": "github" - } - }, "flake-compat": { - "flake": false, "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", + "lastModified": 1717312683, + "narHash": "sha256-FrlieJH50AuvagamEvWMIE6D2OAnERuDboFDYAED/dE=", + "owner": "nix-community", "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "rev": "38fd3954cf65ce6faf3d0d45cd26059e059f07ea", "type": "github" }, "original": { - "owner": "edolstra", + "owner": "nix-community", "repo": "flake-compat", "type": "github" } 
@@ -300,96 +61,19 @@ "type": "github" } }, - "flake-compat_3": { - "flake": false, - "locked": { - "lastModified": 1733328505, - "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", - "type": "github" - }, - "original": { - "owner": "edolstra", - "ref": "master", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_4": { - "locked": { - "lastModified": 1733328505, - "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, "flake-parts": { "inputs": { "nixpkgs-lib": [ - "conduwuit", - "attic", + "lanzaboote", "nixpkgs" ] }, "locked": { - "lastModified": 1722555600, - "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", + "lastModified": 1740872218, + "narHash": "sha256-ZaMw0pdoUKigLpv9HiNDH2Pjnosg7NBYMJlHTIsHEUo=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_2": { - "inputs": { - "nixpkgs-lib": [ - "conduwuit", - "cachix", - "devenv", - "nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1712014858, - "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_3": { - "inputs": { - "nixpkgs-lib": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1741352980, - "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=", - "owner": "hercules-ci", - "repo": 
"flake-parts", - "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9", + "rev": "3876f6b87db82f33775b1ef5ea343986105db764", "type": "github" }, "original": { @@ -412,7 +96,6 @@ }, "original": { "owner": "numtide", - "ref": "main", "repo": "flake-utils", "type": "github" } @@ -453,45 +136,22 @@ "type": "github" } }, - "flakey-profile": { - "locked": { - "lastModified": 1712898590, - "narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=", - "owner": "lf-", - "repo": "flakey-profile", - "rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d", - "type": "github" - }, - "original": { - "owner": "lf-", - "repo": "flakey-profile", - "type": "github" - } - }, "garage": { "inputs": { - "crane": [ - "crane" - ], - "flake-compat": [ - "flake-compat" - ], - "flake-utils": [ - "flake-utils" - ], + "crane": "crane", + "flake-compat": "flake-compat", + "flake-utils": "flake-utils", "nixpkgs": [ "nixpkgs" ], - "rust-overlay": [ - "rust-overlay" - ] + "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1742243551, - "narHash": "sha256-hp2tKtJHW/vbiIT4hRhP8cfZEACAWZ92lCdaO9WEi2E=", + "lastModified": 1745093116, + "narHash": "sha256-38L/NZyfGSGff9f+FfRd4teA1Xj93hqcBJcqhxbLA7Y=", "owner": "deuxfleurs-org", "repo": "garage", - "rev": "6906a4ff12838da2a74bdaeb7e7cd05cd1d69699", + "rev": "4ef954d17604eba8aafa52902cd3c573978c7195", "type": "github" }, "original": { 
@@ -500,59 +160,7 @@ "type": "github" } }, - "git-hooks": { - "inputs": { - "flake-compat": [ - "conduwuit", - "cachix", - "flake-compat" - ], - "gitignore": "gitignore", - "nixpkgs": [ - "conduwuit", - "cachix", - "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable_2" - }, - "locked": { - "lastModified": 1733318908, - "narHash": "sha256-SVQVsbafSM1dJ4fpgyBqLZ+Lft+jcQuMtEL3lQWx2Sk=", - "owner": "cachix", - "repo": "git-hooks.nix", - "rev": "6f4e2a2112050951a314d2733a994fbab94864c6", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "git-hooks.nix", - "type": "github" - } - }, "gitignore": { - "inputs": { - "nixpkgs": [ - "conduwuit", - "cachix", - "git-hooks", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, - "gitignore_2": { "inputs": { "nixpkgs": [ "lanzaboote", @@ -581,11 +189,11 @@ ] }, "locked": { - "lastModified": 1742305478, - "narHash": "sha256-iYCinzZnnUeCkZ031qGRwPdwRsqW6o9Y0MgGpA7Zva4=", + "lastModified": 1745128386, + "narHash": "sha256-xnNxL9lZC5Ez8AxTgHZZu8pYSNM34+5GD5jGSs8Vq4M=", "owner": "nix-community", "repo": "home-manager", - "rev": "fb74bb76d94a6c55632376c931fc108131260ee9", + "rev": "f98314bb064cf8f8446c44afbadaaad2505875a7", "type": "github" }, "original": { 
@@ -594,52 +202,16 @@ "type": "github" } }, - "ixx": { - "inputs": { - "flake-utils": [ - "nixvim", - "nuschtosSearch", - "flake-utils" - ], - "nixpkgs": [ - "nixvim", - "nuschtosSearch", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1729958008, - "narHash": "sha256-EiOq8jF4Z/zQe0QYVc3+qSKxRK//CFHMB84aYrYGwEs=", - "owner": "NuschtOS", - "repo": "ixx", - "rev": "9fd01aad037f345350eab2cd45e1946cc66da4eb", - "type": "github" - }, - "original": { - "owner": "NuschtOS", - "ref": "v0.0.6", - "repo": "ixx", - "type": "github" - } - }, "lanzaboote": { "inputs": { - "crane": [ - "crane" - ], - "flake-compat": [ - "flake-compat" - ], - "flake-parts": [ - "flake-parts" - ], + "crane": "crane_2", + "flake-compat": "flake-compat_2", + "flake-parts": "flake-parts", "nixpkgs": [ "nixpkgs" ], "pre-commit-hooks-nix": "pre-commit-hooks-nix", - "rust-overlay": [ - "rust-overlay" - ] + "rust-overlay": "rust-overlay_2" }, "locked": { "lastModified": 1741442524, 
@@ -656,89 +228,13 @@ "type": "github" } }, - "libgit2": { - "flake": false, - "locked": { - "lastModified": 1697646580, - "narHash": "sha256-oX4Z3S9WtJlwvj0uH9HlYcWv+x1hqp8mhXl7HsLu2f0=", - "owner": "libgit2", - "repo": "libgit2", - "rev": "45fd9ed7ae1a9b74b957ef4f337bc3c8b3df01b5", - "type": "github" - }, - "original": { - "owner": "libgit2", - "repo": "libgit2", - "type": "github" - } - }, - "liburing": { - "flake": false, - "locked": { - "lastModified": 1740613216, - "narHash": "sha256-NpPOBqNND3Qe9IwqYs0mJLGTmIx7e6FgUEBAnJ+1ZLA=", - "owner": "axboe", - "repo": "liburing", - "rev": "e1003e496e66f9b0ae06674869795edf772d5500", - "type": "github" - }, - "original": { - "owner": "axboe", - "ref": "master", - "repo": "liburing", - "type": "github" - } - }, - "lix": { - "flake": false, - "locked": { - "lastModified": 1741888409, - "narHash": "sha256-gJ7QmlwsJ/QdwUjwTjifNo3v7OBQm2N6xa19l3mMWM4=", - "rev": "20edd45ae816c73504ddfb9c678756e003ceeafd", - "type": "tarball", - "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/20edd45ae816c73504ddfb9c678756e003ceeafd.tar.gz?rev=20edd45ae816c73504ddfb9c678756e003ceeafd" - }, - "original": { - "type": "tarball", - "url": "https://git.lix.systems/lix-project/lix/archive/main.tar.gz" - } - }, - "lix-module": { - "inputs": { - "flake-utils": [ - "flake-utils" - ], - "flakey-profile": "flakey-profile", - "lix": "lix", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1741894565, - "narHash": "sha256-2FD0NDJbEjUHloVrtEIms5miJsj1tvQCc/0YK5ambyc=", - "ref": "refs/heads/main", - "rev": "a6da43f8193d9e329bba1795c42590c27966082e", - "revCount": 136, - "type": "git", - "url": "https://git.lix.systems/lix-project/nixos-module" - }, - "original": { - "type": "git", - "url": "https://git.lix.systems/lix-project/nixos-module" - } - }, "nil": { "inputs": { - "flake-utils": [ - "flake-utils" - ], + "flake-utils": "flake-utils_2", "nixpkgs": [ "nixpkgs" ], - "rust-overlay": [ - "rust-overlay" - ] + 
"rust-overlay": "rust-overlay_3" }, "locked": { "lastModified": 1741118843, 
@@ -754,106 +250,6 @@ "type": "github" } }, - "nix": { - "inputs": { - "flake-compat": [ - "conduwuit", - "cachix", - "devenv" - ], - "flake-parts": "flake-parts_2", - "libgit2": "libgit2", - "nixpkgs": "nixpkgs_3", - "nixpkgs-23-11": [ - "conduwuit", - "cachix", - "devenv" - ], - "nixpkgs-regression": [ - "conduwuit", - "cachix", - "devenv" - ], - "pre-commit-hooks": [ - "conduwuit", - "cachix", - "devenv" - ] - }, - "locked": { - "lastModified": 1727438425, - "narHash": "sha256-X8ES7I1cfNhR9oKp06F6ir4Np70WGZU5sfCOuNBEwMg=", - "owner": "domenkozar", - "repo": "nix", - "rev": "f6c5ae4c1b2e411e6b1e6a8181cc84363d6a7546", - "type": "github" - }, - "original": { - "owner": "domenkozar", - "ref": "devenv-2.24", - "repo": "nix", - "type": "github" - } - }, - "nix-filter": { - "locked": { - "lastModified": 1731533336, - "narHash": "sha256-oRam5PS1vcrr5UPgALW0eo1m/5/pls27Z/pabHNy2Ms=", - "owner": "numtide", - "repo": "nix-filter", - "rev": "f7653272fd234696ae94229839a99b73c9ab7de0", - "type": "github" - }, - "original": { - "owner": "numtide", - "ref": "main", - "repo": "nix-filter", - "type": "github" - } - }, - "nix-github-actions": { - "inputs": { - "nixpkgs": [ - "attic", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1729742964, - "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", - "owner": "nix-community", - "repo": "nix-github-actions", - "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-github-actions", - "type": "github" - } - }, - "nix-github-actions_2": { - "inputs": { - "nixpkgs": [ - "conduwuit", - "attic", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1729742964, - "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", - "owner": "nix-community", - "repo": "nix-github-actions", - "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-github-actions", - "type": 
"github" - } - }, "nix-index-database": { "inputs": { "nixpkgs": [ @@ -861,11 +257,11 @@ ] }, "locked": { - "lastModified": 1742174123, - "narHash": "sha256-pDNzMoR6m1ZSJToZQ6XDTLVSdzIzmFl1b8Pc3f7iV6Y=", + "lastModified": 1745120797, + "narHash": "sha256-owQ0VQ+7cSanTVPxaZMWEzI22Q4bGnuvhVjLAJBNQ3E=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "2cfb4e1ca32f59dd2811d7a6dd5d4d1225f0955c", + "rev": "69716041f881a2af935021c1182ed5b0cc04d40e", "type": "github" }, "original": { @@ -881,11 +277,11 @@ ] }, "locked": { - "lastModified": 1742204505, - "narHash": "sha256-sHBzuG9K/VrvOrcLd9GwoCLaQZDVedi/00YmFfdKq/A=", + "lastModified": 1744621833, + "narHash": "sha256-II6a32kRc+KbLhU/jS8EbuXYt1PNCvsRvuBw2becgQM=", "owner": "nix-community", "repo": "nix-ld", - "rev": "bc1ecb8ca83507c764a3909f02f1acf53c033585", + "rev": "9a3812797e25def1d4aed62b517606b7b93989dc", "type": "github" }, "original": { 
@@ -896,234 +292,27 @@ }, "nixpkgs": { "locked": { - "lastModified": 1726042813, - "narHash": "sha256-LnNKCCxnwgF+575y0pxUdlGZBO/ru1CtGHIqQVfvjlA=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "159be5db480d1df880a0135ca0bfed84c2f88353", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable": { - "locked": { - "lastModified": 1724316499, - "narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable_2": { - "locked": { - "lastModified": 1730741070, - "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable_3": { - "locked": { - "lastModified": 1742268799, - "narHash": "sha256-IhnK4LhkBlf14/F8THvUy3xi/TxSQkp9hikfDZRD4Ic=", + "lastModified": 1744932701, + "narHash": "sha256-fusHbZCyv126cyArUwwKrLdCkgVAIaa/fQJYFlCEqiU=", "owner": "nixos", "repo": "nixpkgs", - "rev": "da044451c6a70518db5b730fe277b70f494188f1", + "rev": "b024ced1aac25639f8ca8fdfc2f8c4fbd66c48ef", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_2": { - "locked": { - "lastModified": 1730531603, - "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d", - "type": "github" - }, - "original": { - "owner": "NixOS", "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } }, - "nixpkgs_3": { - "locked": { - 
"lastModified": 1717432640, - "narHash": "sha256-+f9c4/ZX5MWDOuB1rKoWj+lBNm0z0rs4CK47HBLxy1o=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "88269ab3044128b7c2f4c7d68448b2fb50456870", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "release-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_4": { - "locked": { - "lastModified": 1733212471, - "narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "55d15ad12a74eb7d4646254e13638ad0c4128776", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_5": { - "locked": { - "lastModified": 1742237028, - "narHash": "sha256-xlpHmgBxUnvHo8FNnju0sgnEyasb4gC607b+keqjmX8=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "9bc8a90931262245919a26f995c1f24c6c70d3fe", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_6": { - "locked": { - "lastModified": 1742276595, - "narHash": "sha256-bsg9y3NoMGu0jgTI5XbxvzQFc9JtZB51i500WlVws80=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "2b3795787eba0066a2bc8bba7362422e5713840f", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixvim": { - "inputs": { - "flake-parts": [ - "flake-parts" - ], - "nixpkgs": [ - "nixpkgs" - ], - "nuschtosSearch": "nuschtosSearch" - }, - "locked": { - "lastModified": 1742255305, - "narHash": "sha256-XxygfriVXQt+5Iqh6AOjZL5Aes5dH2xzVKpHpL8pDQg=", - "owner": "nix-community", - "repo": "nixvim", - "rev": "78f6166c23f80bdfbcc8c44b20f7f4132299a33f", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixvim", - "type": "github" - } - }, - "nuschtosSearch": { - "inputs": { - "flake-utils": "flake-utils_3", - "ixx": "ixx", - "nixpkgs": [ - "nixvim", - 
"nixpkgs" - ] - }, - "locked": { - "lastModified": 1738508923, - "narHash": "sha256-4DaDrQDAIxlWhTjH6h/+xfG05jt3qDZrZE/7zDLQaS4=", - "owner": "NuschtOS", - "repo": "search", - "rev": "86e2038290859006e05ca7201425ea5b5de4aecb", - "type": "github" - }, - "original": { - "owner": "NuschtOS", - "repo": "search", - "type": "github" - } - }, - "nvim-github-theme": { - "flake": false, - "locked": { - "lastModified": 1735641120, - "narHash": "sha256-/A4hkKTzjzeoR1SuwwklraAyI8oMkhxrwBBV9xb59PA=", - "owner": "projekt0n", - "repo": "github-nvim-theme", - "rev": "c106c9472154d6b2c74b74565616b877ae8ed31d", - "type": "github" - }, - "original": { - "owner": "projekt0n", - "repo": "github-nvim-theme", - "type": "github" - } - }, - "pixelflasher": { - "locked": { - "lastModified": 1741302870, - "narHash": "sha256-7AywZ1b3PaqolAZ0vQmddD6Br4o0a7ucdtE0/W3rnaM=", - "owner": "cything", - "repo": "nixpkgs", - "rev": "5ef8b274bb7f939104295a22cec3382268ed73cc", - "type": "github" - }, - "original": { - "owner": "cything", - "ref": "pixelflasher", - "repo": "nixpkgs", - "type": "github" - } - }, "pre-commit-hooks-nix": { "inputs": { "flake-compat": [ "lanzaboote", "flake-compat" ], - "gitignore": "gitignore_2", + "gitignore": "gitignore", "nixpkgs": [ "lanzaboote", "nixpkgs" 
@@ -1143,78 +332,96 @@ "type": "github" } }, - "rocksdb": { - "flake": false, - "locked": { - "lastModified": 1741308171, - "narHash": "sha256-YdBvdQ75UJg5ffwNjxizpviCVwVDJnBkM8ZtGIduMgY=", - "owner": "girlbossceo", - "repo": "rocksdb", - "rev": "3ce04794bcfbbb0d2e6f81ae35fc4acf688b6986", - "type": "github" - }, - "original": { - "owner": "girlbossceo", - "ref": "v9.11.1", - "repo": "rocksdb", - "type": "github" - } - }, "root": { "inputs": { - "attic": "attic", - "conduwuit": "conduwuit", - "crane": "crane_3", - "flake-compat": "flake-compat_4", - "flake-parts": "flake-parts_3", - "flake-utils": "flake-utils_2", "garage": "garage", "home-manager": "home-manager", "lanzaboote": "lanzaboote", - "lix-module": "lix-module", "nil": "nil", "nix-index-database": "nix-index-database", "nix-ld": "nix-ld", - "nixpkgs": "nixpkgs_6", - "nixpkgs-stable": "nixpkgs-stable_3", - "nixvim": "nixvim", - "nvim-github-theme": "nvim-github-theme", - "pixelflasher": "pixelflasher", - "rust-overlay": "rust-overlay", + "nixpkgs": "nixpkgs", + "rust-overlay": "rust-overlay_4", "sops-nix": "sops-nix", - "treefmt": "treefmt", "vscode-extensions": "vscode-extensions" } }, - "rust-analyzer-src": { - "flake": false, + "rust-overlay": { + "inputs": { + "nixpkgs": [ + "garage", + "nixpkgs" + ] + }, "locked": { - "lastModified": 1740691488, - "narHash": "sha256-Fs6vBrByuiOf2WO77qeMDMTXcTGzrIMqLBv+lNeywwM=", - "owner": "rust-lang", - "repo": "rust-analyzer", - "rev": "fe3eda77d3a7ce212388bda7b6cec8bffcc077e5", + "lastModified": 1738549608, + "narHash": "sha256-GdyT9QEUSx5k/n8kILuNy83vxxdyUfJ8jL5mMpQZWfw=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "35c6f8c4352f995ecd53896200769f80a3e8f22d", "type": "github" }, "original": { - "owner": "rust-lang", - "ref": "nightly", - "repo": "rust-analyzer", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "35c6f8c4352f995ecd53896200769f80a3e8f22d", "type": "github" } }, - "rust-overlay": { + "rust-overlay_2": { + "inputs": { + "nixpkgs": [ 
+ "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1741228283, + "narHash": "sha256-VzqI+k/eoijLQ5am6rDFDAtFAbw8nltXfLBC6SIEJAE=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "38e9826bc4296c9daf18bc1e6aa299f3e932a403", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "rust-overlay_3": { + "inputs": { + "nixpkgs": [ + "nil", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1741055476, + "narHash": "sha256-52vwEV0oS2lCnx3c/alOFGglujZTLmObit7K8VblnS8=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "aefb7017d710f150970299685e8d8b549d653649", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "rust-overlay_4": { "inputs": { "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1742265167, - "narHash": "sha256-RB0UEF9IXIgwuuBFC+s9H4rDyvmMZePHlBAK4vRAwf4=", + "lastModified": 1745116541, + "narHash": "sha256-5xzA6dTfqCfTTDCo3ipPZzrg3wp01xmcr73y4cTNMP8=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "87f0965f9f5b13fca9f38074eee8369dc767550d", + "rev": "e2142ef330a61c02f274ac9a9cb6f8487a5d0080", "type": "github" }, "original": { @@ -1230,11 +437,11 @@ ] }, "locked": { - "lastModified": 1742239755, - "narHash": "sha256-ptn8dR4Uat3UUadGYNnB7CIH9SQm8mK69D2A/twBUXQ=", + "lastModified": 1744669848, + "narHash": "sha256-pXyanHLUzLNd3MX9vsWG+6Z2hTU8niyphWstYEP3/GU=", "owner": "Mic92", "repo": "sops-nix", - "rev": "787afce414bcce803b605c510b60bf43c11f4b55", + "rev": "61154300d945f0b147b30d24ddcafa159148026a", "type": "github" }, "original": { 
@@ -1288,41 +495,19 @@ "type": "github" } }, - "treefmt": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1742303424, - "narHash": "sha256-2R7cGdcA2npQQcIWu2cTlU63veTzwVZe78BliIuJT00=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "b3b938ab8ba2e8a0ce9ee9b30ccfa5e903ae5753", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, "vscode-extensions": { "inputs": { - "flake-utils": [ - "flake-utils" - ], + "flake-utils": "flake-utils_3", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1742262692, - "narHash": "sha256-kCuy1Fld1vFmor6SZ48DdtiLv9/zUhW8lCaTA+Py+es=", + "lastModified": 1745114521, + "narHash": "sha256-P/TgmeavrpUiHCejjjsU2vOMB7cBIcHltGDSKKgi20E=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "32de9a383db6b555ac92877dd8b5b986f4151de7", + "rev": "ff14820202442f847fd37862eb48a7cb254a19d3", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index f0316c3..0aea8eb 100644 --- a/flake.nix +++ b/flake.nix 
@@ -2,118 +2,35 @@ description = "cy's flake"; inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small"; - nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11"; - sops-nix = { - url = "github:Mic92/sops-nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - home-manager = { - url = "github:nix-community/home-manager"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - treefmt = { - url = "github:numtide/treefmt-nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - lanzaboote = { - url = "github:nix-community/lanzaboote/master"; - inputs.nixpkgs.follows = "nixpkgs"; - inputs.crane.follows = "crane"; - inputs.flake-compat.follows = "flake-compat"; - inputs.flake-parts.follows = "flake-parts"; - inputs.rust-overlay.follows = "rust-overlay"; - }; - nixvim = { - url = "github:nix-community/nixvim"; - inputs.nixpkgs.follows = "nixpkgs"; - inputs.flake-parts.follows = "flake-parts"; - }; - flake-parts = { - url = "github:hercules-ci/flake-parts"; - inputs.nixpkgs-lib.follows = "nixpkgs"; - }; - rust-overlay = { - url = "github:oxalica/rust-overlay"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - conduwuit = { - url = "github:girlbossceo/conduwuit"; - # inputs = { - # nixpkgs.follows = "nixpkgs"; - # crane.follows = "crane"; - # flake-compat.follows = "flake-compat"; - # flake-utils.follows = "flake-utils"; - # attic.follows = "attic"; - # }; - }; - lix-module = { - url = "git+https://git.lix.systems/lix-project/nixos-module"; - inputs.nixpkgs.follows = "nixpkgs"; - inputs.flake-utils.follows = "flake-utils"; - }; - nix-ld = { - url = "github:nix-community/nix-ld"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - nil = { - url = "github:oxalica/nil"; - inputs.nixpkgs.follows = "nixpkgs"; - inputs.rust-overlay.follows = "rust-overlay"; - inputs.flake-utils.follows = "flake-utils"; - }; - vscode-extensions = { - url = "github:nix-community/nix-vscode-extensions/"; - inputs.nixpkgs.follows = "nixpkgs"; - inputs.flake-utils.follows = "flake-utils"; - }; - nix-index-database = { 
- url = "github:nix-community/nix-index-database"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - pixelflasher.url = "github:cything/nixpkgs/pixelflasher"; - attic = { - url = "github:zhaofengli/attic"; - inputs = { - nixpkgs.follows = "nixpkgs"; - nixpkgs-stable.follows = "nixpkgs-stable"; - flake-compat.follows = "flake-compat"; - flake-parts.follows = "flake-parts"; - crane.follows = "crane"; - }; - }; - garage = { - url = "github:deuxfleurs-org/garage"; - inputs = { - nixpkgs.follows = "nixpkgs"; - rust-overlay.follows = "rust-overlay"; - crane.follows = "crane"; - flake-compat.follows = "flake-compat"; - flake-utils.follows = "flake-utils"; - }; - }; - - nvim-github-theme = { - url = "github:projekt0n/github-nvim-theme"; - flake = false; - }; - - # deduplication - flake-utils.url = "github:numtide/flake-utils"; - crane.url = "github:ipetkov/crane"; - flake-compat.url = "github:edolstra/flake-compat"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + sops-nix.url = "github:Mic92/sops-nix"; + sops-nix.inputs.nixpkgs.follows = "nixpkgs"; + home-manager.url = "github:nix-community/home-manager"; + home-manager.inputs.nixpkgs.follows = "nixpkgs"; + lanzaboote.url = "github:nix-community/lanzaboote/master"; + lanzaboote.inputs.nixpkgs.follows = "nixpkgs"; + rust-overlay.url = "github:oxalica/rust-overlay"; + rust-overlay.inputs.nixpkgs.follows = "nixpkgs"; + nix-ld.url = "github:nix-community/nix-ld"; + nix-ld.inputs.nixpkgs.follows = "nixpkgs"; + nil.url = "github:oxalica/nil"; + nil.inputs.nixpkgs.follows = "nixpkgs"; + vscode-extensions.url = "github:nix-community/nix-vscode-extensions/"; + vscode-extensions.inputs.nixpkgs.follows = "nixpkgs"; + nix-index-database.url = "github:nix-community/nix-index-database"; + nix-index-database.inputs.nixpkgs.follows = "nixpkgs"; + garage.url = "github:deuxfleurs-org/garage"; + garage.inputs.nixpkgs.follows = "nixpkgs"; }; nixConfig = { extra-substituters = [ "https://nix-community.cachix.org" - 
"https://conduwuit.cachix.org" - "https://cache.cy7.sh/main" + "https://nixcache.cy7.sh" ]; extra-trusted-public-keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - "main:Ku31HoEWcBtfggge2VGj+QTkVrQuIwRIMGyfV/5VQP0=" - "conduwuit.cachix.org-1:MFRm6jcnfTf0jSAbmvLfhO3KBMt4px+1xaereWXp8Xg=" + "nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8=" ]; }; 
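Review bot: Dropping the `inputs.rust-overlay.follows = "rust-overlay"` lines from lanzaboote, nil and garage means the lock file now carries four independent rust-overlay pins (`rust-overlay`, `rust-overlay_2`, `_3` and `_4` in the flake.lock hunks above), so `nix flake update` tracks four revisions of the same toolchain source and each is a separate supply-chain pin to review. The flat style used in this hunk can keep the single pin with `lanzaboote.inputs.rust-overlay.follows = "rust-overlay";` and the same line for `nil` and `garage`. If those projects are known to require incompatible rust-overlay revisions the separate pins may be deliberate, in which case a one-line comment above `rust-overlay.url` saying so would stop the next reader from re-adding the follows.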
@@ -122,109 +39,70 @@ self, nixpkgs, home-manager, - flake-parts, ... }@inputs: - flake-parts.lib.mkFlake { inherit inputs; } ( - { ... }: + let + pkgs = import nixpkgs { + config.allowUnfree = true; + system = "x86_64-linux"; + overlays = [ + inputs.rust-overlay.overlays.default + inputs.vscode-extensions.overlays.default + ] ++ (import ./overlay { inherit inputs; }); + }; + in { - imports = [ - inputs.treefmt.flakeModule - ]; - debug = true; - systems = [ - "x86_64-linux" - ]; - perSystem = + nixosConfigurations = + let + lib = nixpkgs.lib; + in { - inputs', - ... - }: - { - treefmt = { - projectRootFile = "flake.nix"; - programs.nixfmt.enable = true; - programs.stylua.enable = true; - programs.yamlfmt.enable = true; - programs.typos.enable = true; - programs.shellcheck.enable = true; - - settings.global.excludes = [ - "secrets/*" - "**/*.png" # tries to format a png file + ytnix = lib.nixosSystem { + specialArgs = { inherit inputs; }; + modules = [ + { + nixpkgs = { inherit pkgs; }; + } + ./hosts/ytnix + ./modules + inputs.sops-nix.nixosModules.sops + inputs.lanzaboote.nixosModules.lanzaboote + inputs.nix-ld.nixosModules.nix-ld + ]; + }; + chunk = lib.nixosSystem { + specialArgs = { inherit inputs; }; + modules = [ + { + nixpkgs = { inherit pkgs; }; + } + ./hosts/chunk + ./modules + inputs.sops-nix.nixosModules.sops ]; }; }; - - flake = + homeConfigurations = let - pkgs = import nixpkgs { - config.allowUnfree = true; - system = "x86_64-linux"; - overlays = [ - inputs.rust-overlay.overlays.default - inputs.vscode-extensions.overlays.default - ] ++ (import ./overlay { inherit inputs; }); - }; + lib = home-manager.lib; in { - nixosConfigurations = - let - lib = nixpkgs.lib; - in - { - ytnix = lib.nixosSystem { - specialArgs = { inherit inputs; }; - modules = [ - { - nixpkgs = { inherit pkgs; }; - } - ./hosts/ytnix - ./modules - inputs.sops-nix.nixosModules.sops - inputs.lanzaboote.nixosModules.lanzaboote - inputs.lix-module.nixosModules.default - 
inputs.nix-ld.nixosModules.nix-ld - ]; - }; - chunk = lib.nixosSystem { - specialArgs = { inherit inputs; }; - modules = [ - { - nixpkgs = { inherit pkgs; }; - } - ./hosts/chunk - ./modules - inputs.sops-nix.nixosModules.sops - inputs.lix-module.nixosModules.default - ]; - }; - }; - homeConfigurations = - let - lib = home-manager.lib; - in - { - "yt@ytnix" = lib.homeManagerConfiguration { - inherit pkgs; - extraSpecialArgs = { inherit inputs; }; - modules = [ - ./home/yt/ytnix.nix - inputs.nixvim.homeManagerModules.nixvim - inputs.nix-index-database.hmModules.nix-index - ]; - }; + "yt@ytnix" = lib.homeManagerConfiguration { + inherit pkgs; + extraSpecialArgs = { inherit inputs; }; + modules = [ + ./home/yt/ytnix.nix + inputs.nix-index-database.hmModules.nix-index + ]; + }; - "yt@chunk" = lib.homeManagerConfiguration { - inherit pkgs; - extraSpecialArgs = { inherit inputs; }; - modules = [ - ./home/yt/chunk.nix - inputs.nixvim.homeManagerModules.nixvim - ]; - }; - }; + "yt@chunk" = lib.homeManagerConfiguration { + inherit pkgs; + extraSpecialArgs = { inherit inputs; }; + modules = [ + ./home/yt/chunk.nix + ]; + }; }; - } - ); + }; } diff --git a/garnix.yaml b/garnix.yaml deleted file mode 100644 index c189664..0000000 --- a/garnix.yaml +++ /dev/null @@ -1,6 +0,0 @@ -builds: - include: - - 'nixosConfigurations.*' - - 'homeConfigurations.*' - - '*.aarch64-linux.*' - - '*.x86_64-linux.*' diff --git a/home/codium.nix b/home/codium.nix index 935866b..ba4e324 100644 --- a/home/codium.nix +++ b/home/codium.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ pkgs, lib, ... }: { programs.vscode = { enable = true; @@ -22,10 +22,12 @@ emilast.logfilehighlighter tamasfe.even-better-toml golang.go + ms-python.python ]; userSettings = let vimCommonKeyBindings = [ + # nice emacs bindings { "before" = [ "C-a" ]; "commands" = [ "cursorHome" ]; 
@@ -34,6 +36,19 @@ "before" = [ "C-e" ]; "commands" = [ "cursorEnd" ]; } + { + "before" = [ "C-b" ]; + "commands" = [ "cursorLeft" ]; + } + { + "before" = [ "C-f" ]; + "commands" = [ "cursorRight" ]; + } + # ctrl+h to turn off search highlighting + { + "before" = [ "C-h" ]; + "commands" = [ ":nohl" ]; + } ]; in { @@ -58,6 +73,7 @@ "telemetry.enableTelemetry" = false; "telemetry.telemetryLevel" = "off"; "window.titleBarStyle" = "custom"; + "editor.formatOnSave" = true; # terminal stuff "terminal.integrated.cursorBlinking" = true; @@ -73,7 +89,7 @@ "markdown-preview-enhanced.previewTheme" = "github-dark.css"; "nix.enableLanguageServer" = true; - "nix.serverPath" = "nil"; + "nix.serverPath" = "${lib.getExe pkgs.nil}"; "bookmarks.saveBookmarksInProject" = true; "cSpell.enabledFileTypes" = { @@ -83,6 +99,15 @@ # vim stuff "vim.leader" = ","; + "extensions.experimental.affinity" = { + "vscodevim.vim" = 1; + }; + "vim.sneak" = true; + "vim.sneakUseIgnorecaseAndSmartcase" = true; + "vim.enableNeovim" = true; + "vim.hlsearch" = true; + "vim.easymotion" = true; + "editor.lineNumbers" = "relative"; "vim.normalModeKeyBindings" = vimCommonKeyBindings ++ [ { "before" = [ ";" ]; @@ -117,6 +142,13 @@ ]; "commands" = [ "workbench.action.toggleSidebarVisibility" ]; } + { + "before" = [ + "" + "s" + ]; + "commands" = [ "workbench.action.toggleSidebarVisibility" ]; + } { "before" = [ "" 
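Review bot: In the `@@ -73,7 +89,7 @@` hunk, `"nix.serverPath" = "${lib.getExe pkgs.nil}";` interpolates a value that is already a string; `"nix.serverPath" = lib.getExe pkgs.nil;` is equivalent and reads clearer. Because this resolves to a store path rather than a bare `nil` looked up on PATH, the editor no longer depends on `nil` being in `home.packages` (it is re-added in the home/yt/ytnix.nix hunk further down); if that package entry exists only for the shell, a short comment next to it would make the split intent explicit.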
@@ -190,10 +222,33 @@ "commands" = [ "editor.action.outdentLines" ]; } ]; - "extensions.experimental.affinity" = { - "vscodevim.vim" = 1; - }; }; + keybindings = [ + # repeat these vim bindings here cause otherwise they get overridden by vscode + { + "key" = "ctrl+b"; + "when" = "inputFocus"; + "command" = "cursorLeft"; + } + { + "key" = "ctrl+f"; + "when" = "inputFocus"; + "command" = "cursorRight"; + } + # clear default bindings that conflict + { + "key" = "ctrl+f"; + "command" = "-actions.find"; + } + { + "key" = "ctrl+b"; + "command" = "-workbench.action.toggleSidebarVisibility"; + } + { + "key" = "ctrl+w"; + "command" = "-workbench.action.closeActiveEditor"; + } + ]; }; }; } diff --git a/home/kitty.nix b/home/kitty.nix index ea7047f..a6ddf37 100644 --- a/home/kitty.nix +++ b/home/kitty.nix @@ -7,7 +7,6 @@ package = pkgs.ibm-plex; size = 12; }; - themeFile = "GitHub_Dark"; settings = { enable_audio_bell = true; # how many windows should be open before kitty asks @@ -17,10 +16,11 @@ # will probably lower this later but the max allowed is actually 4GB # this is NOT stored in memory and can only be viewed with scrollback_pager - "scrollback_pager_history_size" = "1024"; + "scrollback_pager_history_size" = "10"; # in MB # see https://github.com/sharkdp/bat/issues/1077#issuecomment-652785399 "scrollback_pager" = "bat --pager='less -FR +G'"; - "scrollback_lines" = 20000; + # "scrollback_lines" = 20000; + wheel_scroll_multiplier = 50; }; keybindings = { # kitty_mod is ctrl+shift by default 
@@ -58,18 +58,29 @@ "kitty_mod+alt+p" = "move_tab_backward"; "kitty_mod+q" = "close_tab"; "kitty_mod+t" = "new_tab_with_cwd"; - "ctrl+f2" = "detach_tab"; # hints # > basically means the preceding key is a prefix (think tmux) "kitty_mod+o>o" = "open_url_with_hints"; - "kitty_mod+o>p" = "kitten hints --type path --program -"; - "kitty_mod+o>n" = "kitten hints --type line --program -"; - "kitty_mod+o>w" = "kitten hints --type word --program -"; - "kitty_mod+o>h" = "kitten hints --type hash --program -"; + # `--program @` means copy to clipboard + "kitty_mod+o>u" = "kitten hints --type url --program @"; + "kitty_mod+o>p" = "kitten hints --type path --program @"; + "kitty_mod+o>n" = "kitten hints --type line --program @"; + "kitty_mod+o>w" = "kitten hints --type word --program @"; + "kitty_mod+o>h" = "kitten hints --type hash --program @"; "kitty_mod+o>l" = "kitten hints --type linenum"; + + # scrolling + "kitty_mod+u" = "scroll_page_up"; + "kitty_mod+d" = "scroll_page_down"; + "kitty_mod+a" = "scroll_home"; + "kitty_mod+e" = "scroll_end"; + "kitty_mod+z" = "scroll_to_prompt -1"; # scroll to previous shell prompt + "kitty_mod+x" = "scroll_to_prompt 1"; # scroll to next shell prompt + "kitty_mod+y" = "show_scrollback"; # browse scrollback buffer in pager + "kitty_mod+g" = "show_last_command_output"; # browse output of last command in pager }; }; - # programs.zsh.shellAliases."ssh" = "kitten ssh"; # doesn't seem to work with bitwarden ssh agent :( + programs.zsh.shellAliases."ssh" = "kitten ssh"; } diff --git a/home/nixvim/default.nix b/home/nixvim/default.nix deleted file mode 100644 index 94895c1..0000000 --- a/home/nixvim/default.nix +++ /dev/null 
@@ -1,256 +0,0 @@ -{ pkgs, inputs, ... }: -{ - programs.nixvim = { - enable = true; - plugins.lualine.enable = true; - opts = { - number = true; - relativenumber = true; - expandtab = true; - autoindent = true; - shiftwidth = 2; - smartindent = true; - tabstop = 2; - ignorecase = true; - incsearch = true; - smartcase = true; - }; - colorscheme = "github_dark_tritanopia"; - clipboard.register = "unnamed"; - - globals = { - mapleader = ","; - }; - - extraPlugins = [ - (pkgs.vimUtils.buildVimPlugin { - name = "github-theme"; - src = inputs.nvim-github-theme; - }) - ]; - - keymaps = [ - { - action = "Neotree toggle"; - key = "s"; - mode = "n"; - options.silent = true; - } - { - # shortcut to command mode - action = ":"; - key = ";"; - mode = [ - "n" - "x" - ]; - options.silent = true; - } - { - # insert line below without moving cursor - action = "printf('m`%so``', v:count1)"; - key = "o"; - options.expr = true; - mode = "n"; - } - { - # insert line above without moving cursor - action = "printf('m`%sO``', v:count1)"; - key = "O"; - options.expr = true; - mode = "n"; - } - # nice emacs bindings - { - action = ""; - key = ""; - mode = "i"; - } - { - action = ""; - key = ""; - mode = "i"; - } - # quick chat with copilot - { - key = "ccq"; - action.__raw = '' - function() - local input = vim.fn.input("Quick chat: ") - if input ~= "" then - require("CopilotChat").ask(input, { selection = require("CopilotChat.select").buffer }) - end - end - ''; - mode = [ - "n" - "v" - ]; - } - # ask perplexity a quick question - { - key = "ccs"; - action.__raw = '' - function() - local input = vim.fn.input("Perplexity: ") - if input ~= "" then - require("CopilotChat").ask(input, { - agent = "perplexityai", - selection = false, - }) - end - end - ''; - mode = [ - "n" - "v" - ]; - } - ]; - - plugins.cmp = { - enable = true; - settings = { - formatting.fields = [ - "abbr" - "kind" - "menu" - ]; - experimental = { - ghost_text = true; - }; - snippet.expand = '' - function(args) 
require('luasnip').lsp_expand(args.body) end - ''; - sources = [ - { name = "nvim_lsp"; } - { name = "emoji"; } - { name = "luasnip"; } - { name = "buffer"; } - { name = "path"; } - ]; - mapping = { - "" = "cmp.mapping.abort()"; - "" = "cmp.mapping.select_next_item()"; - "" = "cmp.mapping.select_prev_item()"; - "" = "cmp.mapping.scroll_docs(-4)"; - "" = "cmp.mapping.scroll_docs(4)"; - "" = '' - cmp.mapping(function(fallback) - if cmp.visible() then - if require("luasnip").expandable() then - require("luasnip").expand() - else - cmp.confirm({ - select = true, - }) - end - else - fallback() - end - end) - ''; - # plain tab conflicts with i try to indent - "" = '' - cmp.mapping(function(fallback) - if require("luasnip").jumpable(1) then - require("luasnip").jump(1) - else - fallback() - end - end,{"i","s"}) - ''; - "" = '' - cmp.mapping(function(fallback) - if require("luasnip").jumpable(-1) then - require("luasnip").jump(-1) - else - fallback() - end - end,{"i","s"}) - ''; - }; - }; - }; - - plugins.lsp = { - enable = true; - keymaps.lspBuf = { - "K" = "hover"; - "gd" = "definition"; - "gD" = "references"; - # "gt" = "type_definition"; # conflicts with switch tab - "gI" = "type_definition"; - "gi" = "implementation"; - }; - servers = { - bashls.enable = true; - lua_ls.enable = true; - nil_ls = { - enable = true; - settings = { - formatting.command = [ - "nix" - "fmt" - ]; - nix.flake.autoArchive = true; - }; - }; - rust_analyzer = { - enable = true; - installRustc = true; - installCargo = true; - }; - eslint.enable = true; - }; - }; - plugins.treesitter = { - enable = true; - nixGrammars = true; - settings = { - indent.enable = true; - auto_install = true; - highlight.enable = true; - }; - }; - plugins.fzf-lua = { - enable = true; - profile = "fzf-native"; - keymaps = { - "ff" = "files"; - "fg" = "live_grep"; - }; - }; - - plugins.neo-tree = { - enable = true; - buffers.followCurrentFile.enabled = true; - window.width = 30; - }; - - plugins.gitsigns = { - enable = 
true; - settings.current_line_blame = true; - }; - - plugins.copilot-chat = { - enable = true; - settings = { - model = "claude-3.5-sonnet"; - }; - }; - - plugins.cmp-buffer.enable = true; - plugins.cmp-emoji.enable = true; - plugins.cmp-nvim-lsp.enable = true; - plugins.cmp-path.enable = true; - plugins.cmp_luasnip.enable = true; - plugins.luasnip.enable = true; - plugins.nvim-autopairs.enable = true; - plugins.rainbow-delimiters.enable = true; - plugins.web-devicons.enable = true; - plugins.auto-save.enable = true; - plugins.indent-blankline.enable = true; - plugins.undotree.enable = true; - }; -} diff --git a/home/yt/chunk.nix b/home/yt/chunk.nix index ad024cd..474abfc 100644 --- a/home/yt/chunk.nix +++ b/home/yt/chunk.nix @@ -14,8 +14,4 @@ programs.home-manager.enable = true; systemd.user.startServices = "sd-switch"; - - home.packages = with pkgs; [ - attic-server - ]; } diff --git a/home/yt/common.nix b/home/yt/common.nix index a8c9467..d06d67b 100644 --- a/home/yt/common.nix +++ b/home/yt/common.nix @@ -3,7 +3,6 @@ imports = [ ../tmux.nix ../zsh - ../nixvim ]; home.sessionVariables = { diff --git a/home/yt/ytnix.nix b/home/yt/ytnix.nix index 3ec6aeb..f22d425 100644 --- a/home/yt/ytnix.nix +++ b/home/yt/ytnix.nix @@ -60,7 +60,6 @@ unzip anki-bin trezorctl - trezor-agent q gdb fuzzel @@ -77,7 +76,6 @@ )) p7zip qbittorrent - nil android-tools frida-tools mitmproxy @@ -100,9 +98,13 @@ nix-output-monitor wl-clipboard-rs pixelflasher - element-desktop + cinny-desktop freetube gopls + rust-analyzer + minio-client + nil + keepassxc ]; home.sessionVariables = { @@ -122,9 +124,6 @@ AWS_ENDPOINT_URL = "https://s3.cy7.sh"; AWS_ACCESS_KEY_ID = "$(cat /run/secrets/aws/key_id)"; AWS_SECRET_ACCESS_KEY = "$(cat /run/secrets/aws/key_secret)"; - - # bitwarden ssh agent - SSH_AUTH_SOCK = "$HOME/.bitwarden-ssh-agent.sock"; }; home.sessionPath = [ 
@@ -152,4 +151,17 @@ }; programs.nix-index-database.comma.enable = true; + + programs.neovim = { + enable = true; + viAlias = true; + vimAlias = true; + }; + + programs.ssh = { + enable = true; + addKeysToAgent = "yes"; + }; + + programs.firefox.enable = true; } diff --git a/home/zsh/default.nix b/home/zsh/default.nix index 9b5bcc6..e599f0d 100644 --- a/home/zsh/default.nix +++ b/home/zsh/default.nix @@ -92,7 +92,7 @@ "s" = "sudo"; "nrs" = "sudo nixos-rebuild switch -L --flake . --log-format internal-json -v |& nom --json"; "nrt" = "sudo nixos-rebuild test -L --flake . --log-format internal-json -v |& nom --json"; - "hrs" = "home-manager switch -L --flake . |& nom --json"; + "hrs" = "home-manager switch -L --flake ."; "g" = "git"; "ga" = "git add"; "gaa" = "git add --all"; diff --git a/hosts/chunk/conduwuit.nix b/hosts/chunk/conduwuit.nix deleted file mode 100644 index 3a6638f..0000000 --- a/hosts/chunk/conduwuit.nix +++ /dev/null 
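Review bot: `addKeysToAgent = "yes";` together with `programs.ssh.startAgent = true;` in the hosts/ytnix/default.nix hunk below keeps every key that is used loaded in the agent for the whole session with no confirmation and no expiry, which is a step down from the per-use approval the removed Bitwarden agent socket (`SSH_AUTH_SOCK` in the previous hunk) presumably provided. OpenSSH's `AddKeysToAgent` also accepts `confirm` (prompt on each use via ssh-askpass) or a lifetime, so `addKeysToAgent = "confirm";` or a bounded value such as `addKeysToAgent = "1h";` limits how long a stolen agent socket is useful. The hardware-backed `sk-ssh-ed25519` key added for chunk requires a touch regardless, so the weaker setting mainly affects the plain ed25519 keys.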
@@ -1,33 +0,0 @@ -{ ... }: -{ - services.conduwuit = { - enable = true; - settings.global = { - port = [ 8448 ]; - server_name = "cything.io"; - allow_check_for_updates = true; - }; - }; - - services.caddy.virtualHosts."chat.cything.io".extraConfig = '' - import common - reverse_proxy localhost:8448 - ''; - - services.caddy.virtualHosts."cything.io" = { - serverAliases = [ "www.cything.io" ]; - extraConfig = '' - import common - - header /.well-known/matrix/* Content-Type application/json - header /.well-known/matrix/* Access-Control-Allow-Origin * - header /.well-known/matrix/* Access-Control-Allow-Methods GET,POST,PUT,DELETE,OPTIONS,PATCH,HEAD - header /.well-known/matrix/* Access-Control-Allow-Headers X-Requested-With,Content-Type,Authorization,Origin,Accept - route { - respond /.well-known/matrix/server {"m.server":"chat.cything.io:443"} - respond /.well-known/matrix/client {"m.server":{"base_url":"https://chat.cything.io"},"m.homeserver":{"base_url":"https://chat.cything.io"},"org.matrix.msc3575.proxy":{"url":"https://chat.cything.io"}} - redir https://cy7.sh/posts{uri} permanent - } - ''; - }; -} diff --git a/hosts/chunk/default.nix b/hosts/chunk/default.nix index 9a621c4..2e4c960 100644 --- a/hosts/chunk/default.nix +++ b/hosts/chunk/default.nix @@ -16,9 +16,7 @@ ./redlib.nix ./vaultwarden.nix ./grafana.nix - ./conduwuit.nix ./immich.nix - ./element.nix ./forgejo.nix ./garage.nix ./tailscale.nix @@ -47,20 +45,14 @@ "rsyncnet/id_ed25519" = { sopsFile = ../../secrets/zh5061/chunk.yaml; }; - "attic/env" = { - sopsFile = ../../secrets/services/attic.yaml; - }; "garage/env" = { sopsFile = ../../secrets/services/garage.yaml; }; "tailscale/auth" = { sopsFile = ../../secrets/services/tailscale.yaml; }; - "zipline/env" = { - sopsFile = ../../secrets/services/zipline.yaml; - }; - "searx/env" = { - sopsFile = ../../secrets/services/searx.yaml; + "karakeep/env" = { + sopsFile = ../../secrets/services/karakeep.yaml; }; }; 
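Review bot: `"karakeep/env"` is declared as a sops secret here while the service is switched off in the `@@ -184,16 +178,13 @@` hunk below (`my.karakeep = { enable = false; ... }`), so sops-nix will decrypt and install the environment file on every activation even though nothing reads it. Gating the secret on the option, e.g. `"karakeep/env" = lib.mkIf config.my.karakeep.enable { sopsFile = ../../secrets/services/karakeep.yaml; };` (assuming `lib` and `config` are among this module's arguments, which the hunk does not show), keeps the plaintext off the host until the service is actually enabled. The removed `attic`, `zipline` and `searx` entries show the same cleanup was done for the other retired services, so this is likely just an ordering slip.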
@@ -145,13 +137,15 @@ "podman" ]; openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyn2+OoRN4nExti+vFQ1NHEZip0slAoCH9C5/FzvgZD yt@ytnix" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfubDWr0kRm2o4DqaK6l1s4NCdTkljXZWKWCiF5nX+6" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIA/IX9OFEhHS9Dl8nrtHkL7j7hhy7in9OAY/hVuzEGL0AAAABHNzaDo=" ]; }; users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyn2+OoRN4nExti+vFQ1NHEZip0slAoCH9C5/FzvgZD yt@ytnix" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfubDWr0kRm2o4DqaK6l1s4NCdTkljXZWKWCiF5nX+6" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIA/IX9OFEhHS9Dl8nrtHkL7j7hhy7in9OAY/hVuzEGL0AAAABHNzaDo=" ]; # for forgejo users.users.git = { @@ -184,16 +178,13 @@ security.sudo.enable = true; security.sudo.wheelNeedsPassword = false; - programs.gnupg.agent.enable = true; programs.git.enable = true; my.caddy.enable = true; - - # container stuff my.containerization.enable = true; - - my.roundcube.enable = true; - my.zipline.enable = true; - my.searx.enable = true; - my.attic.enable = true; + my.authelia.enable = true; + my.karakeep = { + enable = false; + dataDir = "/opt/karakeep"; + }; } diff --git a/hosts/chunk/element.nix b/hosts/chunk/element.nix deleted file mode 100644 index 5a12e1e..0000000 --- a/hosts/chunk/element.nix +++ /dev/null 
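Review bot: The new authorized keys drop the `yt@<device>` comments that the replaced entries carried, which makes it harder to tell later which device each of the three keys belongs to and therefore which one to revoke when a laptop or security key is lost. Keeping the OpenSSH comment field on each line (e.g. `"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfubDWr0kRm2o4DqaK6l1s4NCdTkljXZWKWCiF5nX+6 yt@<device>"`) costs nothing and is the usual way to keep an authorized_keys list auditable. The same three keys are granted to both the user and `root`; if that duplication is intentional, a short comment above `users.users.root.openssh.authorizedKeys.keys` saying why root login is needed would document it.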
@@ -1,33 +0,0 @@ -{ - pkgs, - config, - ... -}: -{ - virtualisation.oci-containers.containers.element = { - image = "vectorim/element-web"; - autoStart = true; - ports = [ "127.0.0.1:8089:8089" ]; - pull = "newer"; - networks = [ "element-net" ]; - environment = { - ELEMENT_WEB_PORT = "8089"; - }; - }; - - systemd.services.create-element-net = { - serviceConfig.Type = "oneshot"; - wantedBy = with config.virtualisation.oci-containers; [ - "${backend}-element.service" - ]; - script = '' - ${pkgs.podman}/bin/podman network exists element-net || \ - ${pkgs.podman}/bin/podman network create element-net - ''; - }; - - services.caddy.virtualHosts."element.cy7.sh".extraConfig = '' - import common - reverse_proxy localhost:8089 - ''; -} diff --git a/hosts/chunk/garage.nix b/hosts/chunk/garage.nix index 81b4af3..a36dc49 100644 --- a/hosts/chunk/garage.nix +++ b/hosts/chunk/garage.nix @@ -10,15 +10,22 @@ api_bind_addr = "[::]:3900"; root_domain = "s3.cy7.sh"; }; + s3_web = { + bind_addr = "[::]:3902"; + root_domain = ".web.cy7.sh"; + add_host_to_metrics = true; + }; admin.api_bind_addr = "[::]:3903"; rpc_bind_addr = "[::]:3901"; + rpc_public_addr = "100.122.132.30:3901"; replication_factor = 1; db_engine = "lmdb"; disable_scrub = true; - block_size = "10M"; + block_size = "128M"; compression_level = "none"; }; environmentFile = config.sops.secrets."garage/env".path; + logLevel = "warn"; }; services.caddy.virtualHosts = { @@ -33,5 +40,20 @@ import common reverse_proxy localhost:3903 ''; + "*.web.cy7.sh" = { + serverAliases = [ "nixcache.cy7.sh" "staging.cy7.sh" ]; + extraConfig = '' + import common + @plain { + host nixcache.cy7.sh nixcache.web.cy7.sh + path / /nix-cache-info + } + header @plain { + >content-type text/plain + } + + reverse_proxy localhost:3902 + ''; + }; }; } diff --git a/hosts/chunk/grafana.nix b/hosts/chunk/grafana.nix index f79a7ff..33a77a0 100644 --- a/hosts/chunk/grafana.nix +++ b/hosts/chunk/grafana.nix 
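Review bot: In the `@@ -10,15 +10,22 @@` hunk, `s3_web.bind_addr = "[::]:3902"` listens on every interface while the only consumer visible in this diff is Caddy's `reverse_proxy localhost:3902` in the next hunk; `bind_addr = "[::1]:3902";` restricts the unauthenticated web endpoint to loopback unless something else needs to reach it directly. The host's `networking.firewall` settings are not in this diff, so if port 3902 is already closed externally this is defense in depth rather than a fix. The pre-existing `admin.api_bind_addr = "[::]:3903"` has the same shape and would benefit from the same treatment.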
@@ -42,6 +42,7 @@ services.caddy.virtualHosts."grafana.cy7.sh".extraConfig = '' import common + import authelia reverse_proxy localhost:8088 ''; } diff --git a/hosts/chunk/hedgedoc.nix b/hosts/chunk/hedgedoc.nix index 62505f9..1e7e497 100644 --- a/hosts/chunk/hedgedoc.nix +++ b/hosts/chunk/hedgedoc.nix @@ -11,7 +11,7 @@ dialect = "postgresql"; }; port = 8085; - domain = "pad.cything.io"; + domain = "pad.cy7.sh"; allowEmailRegister = false; protocolUseSSL = true; }; diff --git a/hosts/chunk/immich.nix b/hosts/chunk/immich.nix index 6541770..7dc7824 100644 --- a/hosts/chunk/immich.nix +++ b/hosts/chunk/immich.nix @@ -6,9 +6,10 @@ }: let uploadLocation = "/mnt/photos/immich"; - thumbsLocation = "/opt/immich/thumbs"; + # thumbsLocation = "/opt/immich/thumbs"; profileLocation = "/opt/immich/profile"; dbDataLocation = "/opt/immich/postgres"; + backupsLocation = "/opt/immich/backups"; in { virtualisation.oci-containers.containers = { @@ -19,8 +20,9 @@ in pull = "newer"; volumes = [ "${uploadLocation}:/usr/src/app/upload" - "${thumbsLocation}:/usr/src/app/upload/thumbs" + # "${thumbsLocation}:/usr/src/app/upload/thumbs" "${profileLocation}:/usr/src/app/upload/profile" + "${backupsLocation}:/usr/src/app/upload/backups" ]; environment = { REDIS_HOSTNAME = "immich-redis"; diff --git a/hosts/chunk/miniflux.nix b/hosts/chunk/miniflux.nix index 84783f6..9c6a8c7 100644 --- a/hosts/chunk/miniflux.nix +++ b/hosts/chunk/miniflux.nix @@ -12,6 +12,7 @@ services.caddy.virtualHosts."rss.cy7.sh".extraConfig = '' import common + import authelia reverse_proxy localhost:8080 ''; } diff --git a/hosts/chunk/rclone.nix b/hosts/chunk/rclone.nix index 60d4e0e..1c474af 100644 --- a/hosts/chunk/rclone.nix +++ b/hosts/chunk/rclone.nix 
@@ -4,6 +4,34 @@ lib, ... }: +let + mkServiceConfig = remote: mount: { + Type = "notify"; + TimeoutSec = "5min 20s"; + ExecStartPre = "/usr/bin/env mkdir -p ${mount}"; + ExecStart = '' + ${lib.getExe pkgs.rclone} mount \ + --config ${config.sops.secrets."rclone/config".path} \ + --allow-other \ + --cache-dir /var/cache/rclone \ + --transfers 64 \ + --vfs-cache-mode full \ + --vfs-cache-min-free-space 5G \ + --dir-cache-time 30d \ + --no-checksum \ + --no-modtime \ + --vfs-fast-fingerprint \ + --vfs-read-chunk-size 8M \ + --vfs-read-chunk-streams 16 \ + --sftp-concurrency 128 \ + --sftp-chunk-size 255k \ + --buffer-size 0 \ + --write-back-cache \ + ${remote} ${mount} + ''; + ExecStop = "${lib.getExe' pkgs.fuse "fusermount"} -zu ${mount}"; + }; +in { systemd.services.immich-mount = { enable = true; @@ -12,21 +40,7 @@ after = [ "network-online.target" ]; requiredBy = [ "podman-immich-server.service" ]; before = [ "podman-immich-server.service" ]; - serviceConfig = { - Type = "notify"; - ExecStartPre = "/usr/bin/env mkdir -p /mnt/photos"; - ExecStart = '' - ${lib.getExe pkgs.rclone} mount \ - --config ${config.sops.secrets."rclone/config".path} \ - --cache-dir /var/cache/rclone \ - --transfers=32 \ - --dir-cache-time 30d \ - --vfs-cache-mode writes \ - --vfs-cache-max-size 2G \ - photos: /mnt/photos - ''; - ExecStop = "${lib.getExe' pkgs.fuse "fusermount"} -u /mnt/photos"; - }; + serviceConfig = mkServiceConfig "photos:" "/mnt/photos"; }; systemd.services.garage-mount = { 
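Review bot: `mkServiceConfig` applies `--allow-other`, `--no-checksum`, `--no-modtime`, `--write-back-cache` and `--vfs-cache-mode full` to the immich photos mount, which in the removed block ran without the first four and with `--vfs-cache-mode writes`; `--allow-other` in particular makes `/mnt/photos` readable by every local account, not just the service that needs it. If the unified flag set is intended, a comment above the helper stating that both mounts now share these semantics would prevent the change from being read as accidental; otherwise the per-mount extras could be passed as a third argument. `ExecStop` also changed from `fusermount -u` to `fusermount -zu` for both mounts, which detaches lazily and can leave writes in the VFS cache unflushed at stop time — worth a one-line comment if that trade-off is deliberate.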
@@ -36,26 +50,6 @@ after = [ "network-online.target" ]; requiredBy = [ "garage.service" ]; before = [ "garage.service" ]; - serviceConfig = { - Type = "notify"; - ExecStartPre = "/usr/bin/env mkdir -p /mnt/garage"; - ExecStart = '' - ${lib.getExe pkgs.rclone} mount \ - --config ${config.sops.secrets."rclone/config".path} \ - --allow-other \ - --cache-dir /var/cache/rclone \ - --transfers=32 \ - --vfs-cache-mode full \ - --vfs-cache-min-free-space 5G \ - --dir-cache-time 30d \ - --no-checksum \ - --no-modtime \ - --vfs-fast-fingerprint \ - --vfs-read-chunk-size 10M \ - --vfs-read-chunk-streams 32 \ - rsyncnet:garage /mnt/garage - ''; - ExecStop = "${lib.getExe' pkgs.fuse "fusermount"} -u /mnt/garage"; - }; + serviceConfig = mkServiceConfig "rsyncnet:garage" "/mnt/garage"; }; } diff --git a/hosts/chunk/redlib.nix b/hosts/chunk/redlib.nix index d095da5..fac65cd 100644 --- a/hosts/chunk/redlib.nix +++ b/hosts/chunk/redlib.nix @@ -13,6 +13,7 @@ services.caddy.virtualHosts."red.cy7.sh".extraConfig = '' import common + import authelia reverse_proxy localhost:8087 ''; } diff --git a/hosts/common.nix b/hosts/common.nix index c7841c3..b1989b1 100644 --- a/hosts/common.nix +++ b/hosts/common.nix @@ -1,6 +1,7 @@ -{ inputs, ... }: +{ inputs, config, pkgs, ... }: { nix = { + package = pkgs.lix; settings = { experimental-features = "nix-command flakes"; auto-optimise-store = true; @@ -9,13 +10,16 @@ "root" "@wheel" ]; - trusted-public-keys = [ + extra-trusted-public-keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - "main:Ku31HoEWcBtfggge2VGj+QTkVrQuIwRIMGyfV/5VQP0=" + "nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8=" ]; - trusted-substituters = [ + extra-substituters = [ "https://nix-community.cachix.org" - "https://cache.cy7.sh/main" + "https://nixcache.cy7.sh" + ]; + secret-key-files = [ + config.sops.secrets.cache-priv-key.path ]; }; channel.enable = false; 
@@ -74,4 +78,11 @@ services.thermald.enable = true; environment.enableAllTerminfo = true; + + sops.secrets.cache-priv-key = { + format = "binary"; + sopsFile = ../secrets/cache-priv-key.pem; + mode = "0440"; + group = "users"; + }; } diff --git a/hosts/ytnix/default.nix b/hosts/ytnix/default.nix index b57887e..ddf1364 100644 --- a/hosts/ytnix/default.nix +++ b/hosts/ytnix/default.nix @@ -94,8 +94,10 @@ # 3003 # immich-ml # ]; }; + hosts = { + "100.122.132.30" = [ "s3.cy7.sh" ]; + }; }; - programs.nm-applet.enable = true; security.rtkit.enable = true; services.pipewire = { @@ -272,7 +274,6 @@ enable = true; # nix run github:thiagokokada/nix-alien#nix-alien-find-libs ./ libraries = with pkgs; [ - # TODO: revisit what we actually need mesa extest stdenv.cc.cc @@ -327,6 +328,8 @@ curl pcre2 gsettings-desktop-schemas + fzf + systemd ]; }; programs.evolution.enable = true; @@ -388,4 +391,6 @@ nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ]; programs.fuse.userAllowOther = true; nix.settings.sandbox = false; + + programs.ssh.startAgent = true; } diff --git a/justfile b/justfile index 68b7e5c..9f6236c 100644 --- a/justfile +++ b/justfile @@ -1,9 +1,7 @@ update: git branch -D update || true git switch -c update - nix flake update - git add flake.lock - git commit -s -m "flake update" + nix flake update --commit-lock-file git push -f git switch main diff --git a/modules/attic.nix b/modules/attic.nix index 5aa54c6..e546a9e 100644 --- a/modules/attic.nix +++ b/modules/attic.nix @@ -18,7 +18,10 @@ in settings = { listen = "[::]:8091"; api-endpoint = "https://cache.cy7.sh/"; - allowed-hosts = [ "cache.cy7.sh" ]; + allowed-hosts = [ + "cache.cy7.sh" + "cdn.cy7.sh" + ]; require-proof-of-possession = false; compression = { type = "none"; 
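Review bot: `mode = "0440"` with `group = "users"` makes the binary-cache signing key readable by every interactive account on every host that imports hosts/common.nix, and the same file now sets `nix.settings.secret-key-files` to this path, so each host signs whatever it builds with the one key that every host trusts through `extra-trusted-public-keys`; a compromise of any user account on any machine then yields signatures accepted fleet-wide. Restrict the secret to what actually needs to sign — `mode = "0400"` owned by root if only the daemon signs, or a dedicated group if an unprivileged post-build hook does — and consider keeping the key only on the hosts that populate the cache instead of in the shared module. A one-line comment such as `# cache signing key: anything readable here can forge trusted store paths` would make the exposure obvious to the next editor. The enclosing attribute set begins before this hunk.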
@@ -30,18 +33,40 @@ in type = "s3"; region = "us-east-1"; bucket = "attic"; - endpoint = "https://s3.cy7.sh"; + # attic must be patched to never serve pre-signed s3 urls directly + # otherwise it will redirect clients to this localhost endpoint + endpoint = "http://127.0.0.1:3900"; }; garbage-collection = { default-retention-period = "1 month"; }; + + chunking = { + # disable chunking since garage does its own + nar-size-threshold = 0; + # defaults + min-size = 16384; + avg-size = 65536; + max-size = 262144; + }; }; }; - services.caddy.virtualHosts."cache.cy7.sh".extraConfig = '' - import common - reverse_proxy localhost:8091 - ''; + systemd.services.atticd = { + requires = [ "garage.service" ]; + after = [ "garage.service" ]; + environment = { + RUST_LOG = "INFO"; + }; + }; + + services.caddy.virtualHosts."cache.cy7.sh" = { + serverAliases = [ "cdn.cy7.sh" ]; + extraConfig = '' + import common + reverse_proxy localhost:8091 + ''; + }; }; } diff --git a/modules/authelia.nix b/modules/authelia.nix new file mode 100644 index 0000000..f231f50 --- /dev/null +++ b/modules/authelia.nix 
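Review bot: The new comment states that attic must be patched to never hand out pre-signed S3 URLs, but nothing in this commit enforces that: the same change deletes overlay/attic (which only carried the prefetch patch) and drops the `attic-server` pin from overlay/default.nix, so atticd now comes from nixpkgs unpatched and any code path that redirects to a pre-signed URL will send clients to `http://127.0.0.1:3900`, a loopback address on the client's side rather than the server's. Either add the pre-signed-URL patch to the overlay so the claim holds, or keep an endpoint that is valid for remote clients; at minimum reword the comment to `# endpoint is loopback-only: attic must be built with the no-presigned-url patch or clients get redirected to 127.0.0.1` so the dependency is explicit. The move from https to plain http is fine only while the endpoint stays on 127.0.0.1, since garage receives the access credentials in cleartext; a note to that effect would stop someone from later pointing it at a LAN address.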
@@ -0,0 +1,137 @@ +{ + config, + lib, + ... +}: +let + cfg = config.my.authelia; + getSecret = path: config.sops.secrets.${path}.path; + sopsConfig = { + sopsFile = ../secrets/services/authelia.yaml; + owner = "authelia-main"; + }; + domain = "auth.cy7.sh"; + varPath = "/var/lib/authelia-main"; +in +{ + options.my.authelia = { + enable = lib.mkEnableOption "authelia"; + }; + + config = lib.mkIf cfg.enable { + services.authelia.instances.main = { + enable = true; + settings = { + theme = "dark"; + default_2fa_method = "webauthn"; + log.level = "info"; + log.format = "text"; + server = { + disable_healthcheck = true; + endpoints.authz.forward-auth.implementation = "ForwardAuth"; + }; + authentication_backend.file.path = "${varPath}/users_database.yaml"; + access_control = { + default_policy = "deny"; + rules = [ + { + domain = "*.cy7.sh"; + policy = "one_factor"; + } + ]; + }; + session.cookies = [{ + domain = "cy7.sh"; + authelia_url = "https://${domain}"; + }]; + storage.local.path = "${varPath}/db.sqlite3"; + notifier.filesystem.filename = "${varPath}/notifications.txt"; + webauthn = { + enable_passkey_login = true; + }; + identity_providers.oidc.claims_policies = { + # https://github.com/karakeep-app/karakeep/issues/410 + # https://www.authelia.com/integration/openid-connect/openid-connect-1.0-claims/#restore-functionality-prior-to-claims-parameter + karakeep.id_token = [ "email" ]; + }; + identity_providers.oidc.clients = [ + { + client_id = "4EIrpRb9rnwHWjYWvlz2gYrtTmoOLF1D5gqXw28BvmOS0f-9T2p4CFwuctf4Co1hkpo2sd4Y"; + client_name = "immich"; + client_secret = "$argon2id$v=19$m=65536,t=3,p=4$Vny2G8EbSPafSwnIuq2Zkg$eF2om4WDEaqCFmrAG27h2mYl+cXxXyttPJ7gaPLs+f8"; + public = false; + authorization_policy = "two_factor"; + redirect_uris = [ + "https://photos.cy7.sh/auth/login" + "https://photos.cy7.sh/user-settings" + "app.immich:///oauth-callback" + ]; + scopes = [ "openid" "profile" "email" ]; + userinfo_signed_response_alg = "none"; + } + { + client_id = 
"_kuUEYxyfXjInJCniwugpw2Qn6iI-YW24NOkHZG~63BAhnAACDZ.xsLqOdGghj2DNZxXR0sU"; + client_name = "Forgejo"; + client_secret = "$argon2id$v=19$m=65536,t=3,p=4$O2O5r/7A8hc4EMvernQ4Dw$YOVqtwY3jv0HlcxmviPq2CRnD7Dw85V9KDtTSUQE7bA"; + public = false; + authorization_policy = "two_factor"; + redirect_uris = [ + "https://git.cy7.sh/user/oauth2/authelia/callback" + ]; + scopes = [ "openid" "profile" "email" ]; + userinfo_signed_response_alg = "none"; + token_endpoint_auth_method = "client_secret_basic"; + } + { + client_id = "b_ITCG0uNzy9lZ5nVC~Ny5R35te8I3hoQW1uraCbdxeiE9VuiCIelMmZZ7dAZLg_anTUWSQG"; + client_name = "HedgeDoc"; + client_secret = "$argon2id$v=19$m=65536,t=3,p=4$MFSXW3gjIZf0M3e8s8RJCg$6KWwksJe2vdUebPEdYc0Zy88fzGcHPrbStcqkiXl+Hg"; + public = false; + authorization_policy = "two_factor"; + redirect_uris = [ + "https://pad.cy7.sh/auth/oauth2/callback" + ]; + scopes = [ "openid" "profile" "email" ]; + userinfo_signed_response_alg = "none"; + grant_types = [ "refresh_token" "authorization_code" ]; + response_types = [ "code" ]; + response_modes = [ "form_post" "query" "fragment" ]; + audience = []; + token_endpoint_auth_method = "client_secret_post"; + } + { + client_id = "0SbsGvw5APYJ4px~dv38rCVgXtK2XWrF1QvyuaFz48cgsNm-rAXkSgNOctfxS21IWOFSfsm5"; + client_name = "Karakeep"; + client_secret = "$pbkdf2-sha512$310000$4UanDZq.6oholJW3CmKwtQ$9e3hqR8qGU4LoneR/Y9jtJTx0iSzATI4iXymrs8QrmGw4JY1BPF4.IJ9Jbc.8cikU4qpfUIFO6r2dG7JHznCnw"; + public = false; + authorization_policy = "two_factor"; + redirect_uris = [ "https://keep.cy7.sh/api/auth/callback/custom" ]; + scopes = [ "openid" "profile" "email" ]; + userinfo_signed_response_alg = "none"; + claims_policy = "karakeep"; + } + ]; + }; + secrets = { + sessionSecretFile = getSecret "authelia/session"; + storageEncryptionKeyFile = getSecret "authelia/storage"; + jwtSecretFile = getSecret "authelia/jwt"; + oidcHmacSecretFile = getSecret "authelia/hmac"; + oidcIssuerPrivateKeyFile = getSecret "authelia/oidc_private"; + }; + }; + + 
sops.secrets = {
+ "authelia/jwt" = sopsConfig;
+ "authelia/storage" = sopsConfig;
+ "authelia/session" = sopsConfig;
+ "authelia/hmac" = sopsConfig;
+ "authelia/oidc_private" = sopsConfig;
+ };
+
+ services.caddy.virtualHosts.${domain}.extraConfig = ''
+ import common
+ reverse_proxy localhost:9091
+ '';
+ };
+}
diff --git a/modules/caddy.nix b/modules/caddy.nix
index 131edf3..c5de226 100644
--- a/modules/caddy.nix
+++ b/modules/caddy.nix
@@ -19,9 +19,9 @@ in
 plugins = [
 # error message will tell you the correct version tag to use
 # (still need the @ to pass nix config check)
- "github.com/caddy-dns/cloudflare@v0.0.0-20240703190432-89f16b99c18e"
+ "github.com/caddy-dns/cloudflare@v0.0.0-20250228175314-1fb64108d4de"
 ];
- hash = "sha256-W09nFfBKd+9QEuzV3RYLeNy2CTry1Tz3Vg1U2JPNPPc=";
+ hash = "sha256-pfh9DXUj35jlAntkWc4D5wuW04xxQfM1rZ4KFauMzvc=";
 };
 logFormat = lib.mkForce "level INFO";
 acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
@@ -34,8 +34,25 @@ in
 resolvers 1.1.1.1 8.8.8.8
 }
 }
+
+ (authelia) {
+ forward_auth localhost:9091 {
+ uri /api/authz/forward-auth
+ copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
+ }
+ }
 '';
 environmentFile = config.sops.secrets."caddy/env".path;
+
+ virtualHosts."keys.cy7.sh".extraConfig = ''
+ import common
+ respond / 200 {
+ body "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfubDWr0kRm2o4DqaK6l1s4NCdTkljXZWKWCiF5nX+6
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPhUt9h5dCcrwOrZNKkStCX5OxumPzEwYXSU/0DgtWgP
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyn2+OoRN4nExti+vFQ1NHEZip0slAoCH9C5/FzvgZD
+ sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIA/IX9OFEhHS9Dl8nrtHkL7j7hhy7in9OAY/hVuzEGL0AAAABHNzaDo="
+ }
+ '';
 };
 };
}
diff --git a/modules/containerization.nix b/modules/containerization.nix
index fd39da9..2bcc8dd 100644
--- a/modules/containerization.nix
+++ b/modules/containerization.nix
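Review bot: The only access-control rule, `domain = "*.cy7.sh"; policy = "one_factor";`, means every vhost that imports the `authelia` snippet — Grafana, miniflux and redlib in this same commit — is protected by a password alone, even though `default_2fa_method = "webauthn"` is set and all four OIDC clients require `two_factor`; the wildcard will also silently cover any subdomain added later. Authelia evaluates rules first-match, so put explicit rules for the administrative hosts ahead of the wildcard, e.g. `{ domain = "grafana.cy7.sh"; policy = "two_factor"; }`, and keep the wildcard as the catch-all. Separately, `notifier.filesystem` writes identity-verification and reset links in cleartext to `${varPath}/notifications.txt`; that is a reasonable single-operator choice, but a comment should say that the file must stay readable only by `authelia-main`, since anyone who can read it can complete a reset. The client list holds only argon2id/pbkdf2 hashes of the secrets, which is correct.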
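Review bot: The `(authelia)` snippet copies `Remote-User`, `Remote-Groups`, `Remote-Name` and `Remote-Email` from Authelia's response to the upstream, but nothing visible strips those headers from the incoming client request; on a vhost that imports `common` without `authelia` (keys.cy7.sh here, and presumably the keep vhost), a client-supplied `Remote-User` header would reach the backend unchanged, which matters for any app that honours such headers. Clear them in the shared proxy path, e.g. `header_up -Remote-User -Remote-Groups -Remote-Name -Remote-Email` inside the `reverse_proxy` of `common` (whose body is outside this diff), so the headers can only originate from the forward_auth hop. The `keys.cy7.sh` vhost intentionally serves public keys without auth; a comment such as `# public SSH keys, deliberately unauthenticated so hosts can bootstrap authorized_keys` would keep someone from adding `import authelia` there later.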
@@ -30,6 +30,10 @@ in
 };
 # answer on /var/run/docker.sock
 dockerSocket.enable = true;
+ autoPrune = {
+ enable = true;
+ dates = "daily";
+ };
 };
 docker.enable = lib.mkIf (!cfg.usePodman) true;
 oci-containers.backend = lib.mkIf (!cfg.usePodman) "docker";
diff --git a/modules/default.nix b/modules/default.nix
index 640d56b..0d4638f 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -9,5 +9,7 @@
 ./vaultwarden.nix
 ./searx.nix
 ./attic.nix
+ ./authelia.nix
+ ./karakeep.nix
 ];
}
diff --git a/modules/karakeep.nix b/modules/karakeep.nix
new file mode 100644
index 0000000..3e75f74
--- /dev/null
+++ b/modules/karakeep.nix
@@ -0,0 +1,81 @@ +{ config, lib, ... }: +let + cfg = config.my.karakeep; +in +{ + options.my.karakeep = { + enable = lib.mkEnableOption "karakeep"; + dataDir = lib.mkOption { + type = lib.types.path; + }; + port = lib.mkOption { + default = 3002; + description = "port for the web service"; + type = lib.types.port; + }; + domain = lib.mkOption { + default = "keep.cy7.sh"; + type = lib.types.str; + }; + environmentFile = lib.mkOption { + default = config.sops.secrets."karakeep/env".path; + type = lib.types.path; + }; + }; + + config = lib.mkIf cfg.enable { + virtualisation.oci-containers.containers = { + karakeep-web = { + image = "ghcr.io/karakeep-app/karakeep:release"; + pull = "newer"; + volumes = [ "${cfg.dataDir}:/data" ]; + ports = [ "${toString cfg.port}:3000"]; + dependsOn = [ + "karakeep-chrome" + "karakeep-meilisearch" + ]; + environment = { + MEILI_ADDR = "http://karakeep-meilisearch:7700"; + BROWSER_WEB_URL = "http://karakeep-chrome:9222"; + DATA_DIR = "/data"; + NEXTAUTH_URL = "https://${cfg.domain}"; + DISABLE_PASSWORD_AUTH = "true"; + OAUTH_WELLKNOWN_URL = "https://auth.cy7.sh/.well-known/openid-configuration"; + OAUTH_CLIENT_ID = "0SbsGvw5APYJ4px~dv38rCVgXtK2XWrF1QvyuaFz48cgsNm-rAXkSgNOctfxS21IWOFSfsm5"; + OAUTH_PROVIDER_NAME = "Authelia"; + OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING = "true"; + }; + # needs NEXTAUTH_SECRET + environmentFiles = [ "${cfg.environmentFile}" ]; + }; + + karakeep-chrome = { + image = "ghcr.io/zenika/alpine-chrome:latest"; + pull = "newer"; + cmd = [ + "--no-sandbox" + "--disable-gpu" + "--disable-dev-shm-usage" + "--remote-debugging-address=0.0.0.0" + "--remote-debugging-port=9222" + "--hide-scrollbars" + ]; + }; + + karakeep-meilisearch = { + image = "getmeili/meilisearch:latest"; + volumes = [ "meilisearch:/meili_data" ]; + environment = { + MEILI_NO_ANALYTICS = "true"; + }; + # needs MEILI_MASTER_KEY + environmentFiles = [ "${cfg.environmentFile}" ]; + }; + }; + + services.caddy.virtualHosts.${cfg.domain}.extraConfig = 
'' + import common + reverse_proxy localhost:${toString cfg.port} + ''; + }; +} \ No newline at end of file diff --git a/modules/vault.nix b/modules/vault.nix new file mode 100644 index 0000000..1e3772d --- /dev/null +++ b/modules/vault.nix @@ -0,0 +1,19 @@ +{ + config, + lib, + ... +}: +let + cfg = config.my.vault; +in +{ + options.my.vault = { + enable = lib.mkEnableOption "hashicorp vault"; + }; + + config = lib.mkIf cfg.enable { + services.vault = { + + }; + }; +} \ No newline at end of file diff --git a/overlay/attic/default.nix b/overlay/attic/default.nix deleted file mode 100644 index 454d367..0000000 --- a/overlay/attic/default.nix +++ /dev/null @@ -1,7 +0,0 @@ -final: prev: { - attic-server = prev.attic-server.overrideAttrs { - patches = [ - ./prefetch-8-chunks.patch - ]; - }; -} diff --git a/overlay/attic/prefetch-8-chunks.patch b/overlay/attic/prefetch-8-chunks.patch deleted file mode 100644 index 3786541..0000000 --- a/overlay/attic/prefetch-8-chunks.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/server/src/api/binary_cache.rs b/server/src/api/binary_cache.rs -index 02e4857..71eeee8 100644 ---- a/server/src/api/binary_cache.rs -+++ b/server/src/api/binary_cache.rs -@@ -262,7 +262,7 @@ async fn get_nar( - - // TODO: Make num_prefetch configurable - // The ideal size depends on the average chunk size -- let merged = merge_chunks(chunks, streamer, storage, 2).map_err(|e| { -+ let merged = merge_chunks(chunks, streamer, storage, 8).map_err(|e| { - tracing::error!(%e, "Stream error"); - e - }); diff --git a/overlay/bitwarden/default.nix b/overlay/bitwarden/default.nix deleted file mode 100644 index e9ace96..0000000 --- a/overlay/bitwarden/default.nix +++ /dev/null @@ -1,9 +0,0 @@ -final: prev: { - bitwarden-desktop = prev.bitwarden-desktop.overrideAttrs ( - finalAttrs: prevAttrs: { - patches = prevAttrs.patches ++ [ - ./ssh-agent-no-confirm.patch - ]; - } - ); -} 
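Review bot: `ports = [ "${toString cfg.port}:3000" ]` publishes the karakeep web port on every host interface, so the app is reachable in plaintext on :3002 without passing through Caddy; only the local reverse proxy needs it, so bind it to loopback with `ports = [ "127.0.0.1:${toString cfg.port}:3000" ];`. The `karakeep-chrome` container runs with `--no-sandbox` and `--remote-debugging-address=0.0.0.0`, which means a page karakeep fetches that exploits a renderer bug gets code execution in an unsandboxed container, and any other container that can reach it on the podman network can drive the browser over the debugging protocol; if this mirrors the upstream compose file, say so in a comment and note that the network must stay internal. All three images use floating tags (`:release`, `:latest`) with `pull = "newer"`, so each restart may pull different code with no review — pin by digest (`image = "ghcr.io/karakeep-app/karakeep@sha256:…"`) where reproducibility matters. Finally the same `environmentFiles` entry feeds both karakeep-web and meilisearch, so the search container also receives `NEXTAUTH_SECRET`; split the env file if least privilege is wanted. The karakeep-web definition starts in the previous chunk.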
diff --git a/overlay/bitwarden/ssh-agent-no-confirm.patch b/overlay/bitwarden/ssh-agent-no-confirm.patch deleted file mode 100644 index 3e8e023..0000000 --- a/overlay/bitwarden/ssh-agent-no-confirm.patch +++ /dev/null @@ -1,34 +0,0 @@ -diff --git a/apps/desktop/desktop_native/core/src/ssh_agent/mod.rs b/core/src/ssh_agent/mod.rs -index 4e304cc..8203dca 100644 ---- a/apps/desktop/desktop_native/core/src/ssh_agent/mod.rs -+++ b/apps/desktop/desktop_native/core/src/ssh_agent/mod.rs -@@ -44,28 +44,7 @@ impl ssh_agent::Agent for BitwardenDesktopAgent { - return false; - } - -- let request_id = self.get_request_id().await; -- println!( -- "[SSH Agent] Confirming request from application: {}", -- info.process_name() -- ); -- -- let mut rx_channel = self.get_ui_response_rx.lock().await.resubscribe(); -- self.show_ui_request_tx -- .send(SshAgentUIRequest { -- request_id, -- cipher_id: Some(ssh_key.cipher_uuid.clone()), -- process_name: info.process_name().to_string(), -- is_list: false, -- }) -- .await -- .expect("Should send request to ui"); -- while let Ok((id, response)) = rx_channel.recv().await { -- if id == request_id { -- return response; -- } -- } -- false -+ true - } - - async fn can_list(&self, info: &peerinfo::models::PeerInfo) -> bool { diff --git a/overlay/default.nix b/overlay/default.nix index 0eea626..67d855e 100644 --- a/overlay/default.nix +++ b/overlay/default.nix @@ -1,12 +1,4 @@ { inputs }: -let - overlays = [ - ./zipline - ./bitwarden - ./attic - ]; - importedOverlays = map (m: import m) overlays; -in [ ( final: prev: 
@@ -15,16 +7,12 @@ in pkgFrom = flake: pkg: flake.packages.${prev.system}.${pkg}; in { - conduwuit = pkgFrom inputs.conduwuit "static-x86_64-linux-musl-all-features-x86_64-haswell-optimised"; - pixelflasher = nixpkgsFrom inputs.pixelflasher "pixelflasher"; - attic-server = pkgFrom inputs.attic "attic-server"; - attic = pkgFrom inputs.attic "attic"; garage = ( (pkgFrom inputs.garage "default").overrideAttrs { meta.mainProgram = "garage"; } ); + nil = pkgFrom inputs.nil "default"; } ) ] -++ importedOverlays diff --git a/overlay/vscode.nix b/overlay/vscode.nix deleted file mode 100644 index 4de2d90..0000000 --- a/overlay/vscode.nix +++ /dev/null @@ -1,14 +0,0 @@ -final: prev: { - vscode-extensions = prev.vscode-extensions // { - github = prev.vscode-extensions.github // { - codespaces = prev.vscode-utils.buildVscodeMarketplaceExtension { - mktplcRef = { - publisher = "github"; - name = "codespaces"; - version = "1.17.3"; - hash = "sha256-idJFYHJ4yeqpFZBX55Y0v1yfzgqyhS0MrC4yIto7i7w="; - }; - }; - }; - }; -} diff --git a/overlay/zipline/default.nix b/overlay/zipline/default.nix deleted file mode 100644 index b114119..0000000 --- a/overlay/zipline/default.nix +++ /dev/null @@ -1,7 +0,0 @@ -final: prev: { - zipline = prev.zipline.overrideAttrs { - patches = [ - ./no-check-bucket.patch - ]; - }; -} diff --git a/overlay/zipline/no-check-bucket.patch b/overlay/zipline/no-check-bucket.patch deleted file mode 100644 index 9d1c756..0000000 --- a/overlay/zipline/no-check-bucket.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -diff --git a/src/lib/datasource/S3.ts b/src/lib/datasource/S3.ts -index 089dd64..39dd8f4 100644 ---- a/src/lib/datasource/S3.ts -+++ b/src/lib/datasource/S3.ts -@@ -4,7 +4,6 @@ import { - DeleteObjectCommand, - DeleteObjectsCommand, - GetObjectCommand, -- ListBucketsCommand, - ListObjectsCommand, - PutObjectCommand, - S3Client, -@@ -38,32 +37,6 @@ export class S3Datasource extends Datasource { - endpoint: this.options.endpoint ?? undefined, - forcePathStyle: this.options.forcePathStyle ?? false, - }); -- -- this.ensureBucketExists(); -- } -- -- private async ensureBucketExists() { -- try { -- const res = await this.client.send(new ListBucketsCommand()); -- if (res.$metadata.httpStatusCode !== 200) { -- this.logger -- .error('there was an error while listing buckets', res.$metadata as Record) -- .error('zipline will now exit'); -- process.exit(1); -- } -- -- if (!res.Buckets?.find((bucket) => bucket.Name === this.options.bucket)) { -- this.logger.error(`bucket ${this.options.bucket} does not exist`).error('zipline will now exit'); -- process.exit(1); -- } -- } catch (e) { -- this.logger -- .error('there was an error while listing buckets', e as Record) -- .error('zipline will now exit'); -- process.exit(1); -- } finally { -- this.logger.debug(`bucket ${this.options.bucket} exists`); -- } - } - - public async get(file: string): Promise { diff --git a/secrets/cache-priv-key.pem b/secrets/cache-priv-key.pem new file mode 100644 index 0000000..c9bd80e --- /dev/null +++ b/secrets/cache-priv-key.pem 
@@ -0,0 +1,28 @@ +{ + "data": "ENC[AES256_GCM,data:IVRg3IqrlV1Cy3xwyVszhUnRzbWP3OSb/XZF1H0N30eKL8d0DxFGngC5qMgRcmSs203/QL3w0fENp1u0f8tVajqJVlzLjlsiQrMdtXmiMv0LKO7E+aj4UZ0wMchB0XgSVUWrKUXxZrA=,iv:3GtA07yuAAI++RsLSwY3U62k1iG9+hvkGn45HjFt/Gk=,tag:PJ13CrjcE06KMC383txqHw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLcGd1alJmNWM3dVBmSWxs\nRHBTOVV6U3p1U3Q3bzQ3OXYrWVhNVTlxTGxvClllbFMwc3dFZW56a0d6eUhVZ2Na\nMUVJc29CNHVMcHRLaXBlRnRLZ2pNb0UKLS0tIFRERnRBZGVFRk9sYmpzVjlpdmN1\ndjUyVmRZMFlFTm4zSnZWV09WbTNoMWMKM35a6GkCZIKscqgADrbIa48T8++wkhLP\nOFr03bv6D0Hj38VLWx+kh9kmja8BaxmdSUTeAhdORwbQumJBAqjsOw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age10h6pg5qdpc4t0rpmksfv788a57f04n83zgqaezkjjn65nkhv547s0vxfdn", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHbEh0YkFlL3dPL1FmcE9m\nbjl0dHhQZlpBREMwYzQ0NEpQQ3RZVlNsM1Q4CmYwS0VDNjFaOXhOS3JkVUtaTEJZ\nSVNyZ1lXbEhCbE5XdGxCRWhsNVR1N0EKLS0tICt2Um9wQ0pyUVpnd1dVemM4NmpU\nTHE1bi9OcmsweDZyNVpVVUlITmt3c28KdX6fO1C7Ma66AAv/RCI5z8p/7fSvKWQ7\nCL86Nl4Xzb5WWxkteO4wOoHh4y0+9dpEAbS/XP78PkC07uRttcS7pQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCRmNheTZrUWplWFZJcm53\nbC94UHdYbXdsSFB0Nk92Q29RdGMxbUxVeEhjCkZqVk13bEFvNFFLZllTN0NUeFpj\nRkhlYXl5STJrbVQzeWg3YzlQZ1ZlZncKLS0tIGhjUytJa2FXa0VVTFlMN2ZpTjF0\ncG9ZTG0zL2dNekV0NkFZWWVrcFpPU3cK/Kia/sHk5T9nlbDg2G52uQcJUoPrnu3y\n6ARJKoz0MnV4csjS6IZCFSb7Vy5DSH+at3khEw3x00eGae1Jd89vwQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-03-27T20:37:28Z", + "mac": 
"ENC[AES256_GCM,data:35iUoodcjvIn+VAE20f2sHFaTh3+aqCYQ4HalWdVz4eUSkVNcdXs2uqOZtFv3MszDiH9izM84OyHwykudJ99QE3B/NwpfIoKQaU6Qg5X/g/rC1meffMaZwcASVbepjznahbTKmJqeSrMeybrBIV+6FaSjWXn0+D72GEEM1vgH9c=,iv:N2CbttHJsczm37qdapOCrlNeSSgsZBDlvWyvUpa3mkk=,tag:btniVwaVS9h4jDo4IM2wcA==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.9.4" + } +} \ No newline at end of file diff --git a/secrets/services/authelia.yaml b/secrets/services/authelia.yaml new file mode 100644 index 0000000..6aa9c33 --- /dev/null +++ b/secrets/services/authelia.yaml 
@@ -0,0 +1,39 @@ +authelia: + jwt: ENC[AES256_GCM,data:L20XZt1eYz1srY+xIliasq4x2guxNIUOM4mVTPe/1uS2wQY6h1uY9n7yoMQ=,iv:OhTuutHQOVLG/CjX3m839Acw9eq/Yh3Iy947km1jalQ=,tag:nq/lwsfGSzeH6RsXLzr24g==,type:str] + storage: ENC[AES256_GCM,data:RW15TzoZifv0xrVAfrM7yFXv1ISp7v1c20PL4nGkQrXwjablPKQa5IZ0Fvg=,iv:YQ7+2h4O0Qx9BqnFU7WMaZuPtKU4BUo56/KPq2NQYxI=,tag:LQ8gWhf9rblGkN5bhPHPIQ==,type:str] + session: ENC[AES256_GCM,data:fJY4uSKRIcHDyDqndT9YiolOX1HDw2BphoaZONAv8AhdPV+aG5qj9Ppy3Rw=,iv:dcFZyIdZQQlyAORudsUCCD2wx4Sc7NF0dh/v/M6iYko=,tag:vBYU58mL7DecMqhX/TUdVg==,type:str] + hmac: ENC[AES256_GCM,data:K/qiyibBlu9wNh9IINHgYQiEZMromSA9Kf0iRVHPVuuhhUBZRyyfFyd4sLYNDLWvYKRJGnTBniIscQuBR+HU3/ttFGN0EkDsuAXlW3tKyLSxTiVgEvsKhA==,iv:2femAZUtSE9DjopiRIRT3Be3T2Qi0J+b8TaNJZ9vcjw=,tag:Sb7TT+1uxtStv20oM8oa8A==,type:str] + oidc_private: ENC[AES256_GCM,data:dzrykbgRk77yDbrnayTzSyiAjvgr5RUuDG046azumPinHL9wBaKpNdx6CqY7o+W95yOyVr/Xriw/aBbSyCZE8RoMchZhnS5Z8moHrIK7RryRM/BmEpOfyFLf9kpaO5QqSGyPt13yJQSA/3TwoXD4et3rVEdEz8mwb+vIA+G3WIZrNY+95KNjhwu9W648eouGBqJFfwTw0tm8mHsu+VZE8OYdp+ujSlKWZcVDEzgMEe+egXbvSB/3sk82HjolcqCmDx+U1TWMZfZdZPaT4RxONy+4kgGDW4FOqtsgctS2uRUQ2CLuRLD8xIulBO/VbsnNuticiM86BYygobq3RUdCKAFLUpcXqNWgnDBvnYPcF6mXPTmFCD3Gr2t4uRkqIIPc3NrW6DKnSO4pu4oVlUiSd9XaHGvAuo0yR7zcG7Zl4BAzhZa1HuVq6QmSNMf1TAo5P5zBc/NKlUVUhgIEKmRkwf95ZDyph1CJJagTsRZp/D4n6gbuzmV2Pjd8GxT6X+GOK7MQ3hPWsQP8+hhf8DArnVa988Z5cVxG3CQS6wEdEfc8yoHXlXwsB6iHjG4GooJk17GkP0YnMqOkv5Y9QbWXGNN/Zce6LJrSdvpd1Z8oWHxFB9ChFEA34tTYE/1wv0C71K6VRADnshBTyg0i+7GxvW0iyplWGEB2/DRv9WbpmIze1vff0KPlwvmdPXvZM7kfJE6uRP+DH5kJeIlKezA+hwuZmTLEu8kTdIkIJVfbzuOmXtX1yO+sQmSs6anqbSBuw5dpKYFFtQ04V+P27uTdi6lbUUfaBiHMhiW2A8aj/1Xf+pOV5oIN1c7PXNhAGrsNbmumQ7mBmbfOZeLC2aze5iKLSu5xqCzMNEWdlxXkmK+eEuUgDAQgW0pRAA12wvAFT8cf5BIeEPQQF4gPJprrQ3u93AXCVXve/TPC6rSEb+uCVq30JRGvIciFAEPWjhtSSO2Mh2zxjaALXVRE456k8DQq5mvovCp003EW23Io+lKDfg73n4LLZvbpHBVa3SQY0YMazjynJTo6UcDT3J/u9kNutIRjszzohMdW4jmykawPb/FFGv4yaX199bkTT/6/ztygaUTUTtWrl40p61lMzFHsz1qPy/5Bp4fxOYk6mLHpUFBpXUlu90ZxiReu6fX9HR6oQ1OC6MmpYjv
cvxOAfIszgoMmp0LABJ1XN7DMOxpRrjNqW071xnel2/NzYy/gx0r2SdusxFJckGjrnyVzjEBVFwdpc9lZ+NdyzbNaElt/duk5AhdQ/iTCDlQpFsBhcl83Sbt38P/QlsOCPvRYuOz3vvOgeRprZn4hXuvGpQKJZEy+/rHDFijVABgbqLBxhfQiCpFmfwqQrcI+vFnPBGHP96p8S7xg5Dh2007QyFk9D2zHDHY6E+Iv27UkjaCZI29IAEdBe86IMtLI7Pl0q6XE44cHwD+QqzS55YlPj/F3va9LesoylPzBJwlxogciolfBQfQjLp4OF1rBSpy1Xy/Es7+M9eEsdatX1a3qFzYCJbC8+no5ol0PaIHx4ejH9aeoIiVfq/yXtzV04pJQz0bZfpfKVwtroyHhclEsP9pZVHnnexIFY1xqVF76V0kbusiizhru5ldOWE7smwXD5+KyMCTfDuxPnEjFBZLb/BLjo46sugJTAGQJhBBWJY+h7Je5PP+FnjQG28h4n4NMshhPfnyDEAZWNpDAHi08KhHOGzbNhPl+E+pNrNoNwmJjWbiqZ+P9LVQf1s5C+UrL+uV6qpeVKcm9tjy75fgVTD4iRXb4ejQIWlwO2EVLBzI9BXYsVmly6z0C+8f3wDPswwwocna9SonBus1QGudZ8cLSihZqSYmq6fCIFqfXTlCj3H0aOBNbX7dCYrles/y6jtn0VebQa3UEflXs+4WytpXdKEelN5f1PoJVnjrRF6Wtyq23GNbo1M9BTBQfpUf5x7QnZrxyIVbgvHq3JSR6/5p6yv6SGOdypCEqMtvnw9+bJMi6bxy55tXQNNpBB/GHWPqzOE9//9pqazJzikL/x7HWg/t+tJ7yV7MCFV6Bk2cy77j7i0fftxfHqjF7MRbnIaJRqxiTqp0z2rA4L797Que6a903b/u/AStMnsm8sE9gRy7P5L/PafqpgA/kK2FIxbDDP91cnvikRi2u+oaydHLhCkaq20SIupBCbgyDVkOXZ9n5EnKJDjFOAbOQ2UiXYrQPXDEMPLLUklBeLzQBHY4ZTQ7zzMb1tqvo4UqaHVnw2FwY+PoX2IPmF1ciccFO5uHX2w2qz8Hx0ZCPa9AsR/3HhKAg9sdg0cF0k3nXqTWCSs8j+9vpJxjCmrN1bXwoRA8K/ICYDoOtjb76c1B/Ahvc2YA7OULcM0EAzsQ2Z++cU/OCIcQatxzEx+TOp5i1yN2YnCFHqDBpE1UB2UbxBCYb+oEEBqB9qeFkQI6eZmvHASjdasXUtvnBYNCc3nliGfODoOXKLmzHQZJVPguWFu7b06zWA7fy3qGMjf7h/RhKbfkL9o7HkAvHTSh0+Lpc8gjPVu+sqLNUMyk3196LJWUI3nf7L3kUxkdSBdsJ/18FZ97OzC3Ws9dhhWe02ry3Y2ptRnIlLf8f4Y/P6FpqwR8Asa6NYBq+LKNSuWfzo4ZynkPt4irAm0LDOnZzbrRbQTB7tUHIA1dZMMWueIe22mUDOzTGDPuFSfF31rYbh2rmc3Tjvkumz6g53kdCV4QnL04htkMwql4KvpMCrkkMxDRlOTf1Xh10QrO49aPd29i7LbFjorGj1872hXszPDpmdDN78VApvMzVue8dKdhlz/x/9aCJnp9oEEgdObEg2OYyc29bqd9kbCOs5F4vaI4YdMrN9QKTqjAVG0kQAKH41Q7VCe0/jPWmGpH4Kd40RQ6/NY5g312D3RKV3V30DlCOIm+w1z7XzV2EWTgb5vgg4EbYyVmh3Y7wBguv2qOqzwhGMFrWGx+fTFAe5Zq8TVwvQUfeN/vFlYz+jc8ysKBbyrrAl4vKm2pz9Geu3Rh4AfRRmxawNjE/qlrTk6sWdWNJu7i2Wgk1C2+1FZeAprPg6EsZj7rFEGOFvZIjWrTi7n+IHI+8rRKDo3J5SkAsxiDaDo8dfvGecPp9ig5l9+OiN68t29HxfGnhJsk5eim/vkuA5mdFJW0cy7h3gtP1Z0PtRYsRoBO+hPp
7dcYhhh9NqkP4LbVI8graz5FEf0yMmaA6ci7xgBWe/zOa0V539Y9cWzTK5zE2wrWI+mHKsbgUH9s+7y0tTVk9mPaNKhih1MHgCQiFyctQLzVnd6fXnv7JHzkkIY7AQiCjEZ4QPUrj99rDh0bikDtKX0hAiVedGMJQ664Hhyd3sWVGfrC/Qmob+4LhpE24kAxIRf94d2cB1zRFQ02HMGkbVUbge8SPNqqq/HoWkYvNo/ltdL0Nr5Qb1OmY0LP5txGh8cCQt8SD3K/ww+ZjD0ZbqqTwIaND9reyzXL0ryf8yNkiPCTpFiNmdL1rtHw+E2s9HtdngCz9XuGW5GRa4cL5xY1Yt4WBLEnxXwmyB/EOjBIeO4aJuwAcssL3UrvS/IEERWN4XrqVM4O81ainLaXeze1jj9VJcMb+/qz8dMdgm4WGkKfbbJeIsFCrlHOJ0CFNZZmijMvkoTvZ9WTq2OpxxZdsci1UmItlU60LETfWTUK8Q3YOo+c+fukIMPv68NLQH1LsiYjFXo9yDdzfD990uI5wdwnR3S3Sx6Vp04SkzJX7BAZ2UuL0wJ564Ny4S9Ew5BfWucd70mfQaEzOl52M9mqCyJYDfMYhd65YxkAEAV1dMg3FBlpZmOr2wtEQqXz+25cSPCNwQ/obCQt12cLNGRhyNi1Stz2E67Q9sesmssF7dgq0u/TeLezzVxTk13sJj6PzMtdpOYDwsgZJdh9hz8PZ32nJMTJnlkq6zcTYsbq23+HreCx1dHJJEDjpqZlttMYqLZ8mLLob25PzFaue164MbqozFtNTOc8eeOD+hoPCP/hfPoKoNi7oARs0fvwOwCQEug0XpMcz9mF/85ZBxYuDUBEP1vpbD9MpP/ECslqGdHuJePEFiiJOrDVggpaGcgWUfS2jwWv/46Bbz+W9QH+6Y8IevMf+lXPOL294g5VOoOW5k77naeNNCbycbijFD76gR5DtA+Vn+B6pxzF7l4E4VqC0Vlc1OUvYA7GLZ4rzb4bH4cEZiIb2/skDhJOmcb2btPWKRgutbmpHmi59eVbVkKUAKXm/WBw8xLwt2sLBS5r5R7aAZpMu/NaXFTfBEBGUzrH1u8Pfz3FwRK7v0QEyzhu2bS2JkGxSsaxD5+geQlvzN8eRYW4+pst/CfcCxTES9spBnqSWIX++rs8f9/mECf4jXzZQDv0fdbGILAU=,iv:GTKiBIir9+G3Lh45x77KARxi7paEsGP1m0qVldRnuOw=,tag:eCsjDzyO1g2HvnDhR/Gb4w==,type:str] +sops: + age: + - recipient: age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJOG1menBCTTF3YURCOThM + Q3Z4bnZJYmtQY1RmdTBSeFlhZCtUVzg4Qm5ZClo5NFJqaWg3NElKQjRLcFZGdmxP + cFMwOGxoelJlVnJNamUxWFhETWpiY3cKLS0tIFNDWGRkYVZQWTd2YXg2aGswbmJz + MVJQdDV3ZGdzd3NYL29tYU51NndiNmcKtagAZdoZQo0y0atvRI6f1tY/3j8aD4RP + yvs9RVDdNqm990O5EudjMNhoKLXnFQtX9NlzYVHzrsX0UT/HSUi7mQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age10h6pg5qdpc4t0rpmksfv788a57f04n83zgqaezkjjn65nkhv547s0vxfdn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0K2tGaktsdXVPN3g0bXps + 
ZkVWamZGc0QzNk1TaVdla1RDaW90TVpYb25rCmRPL29ZNFFCbVkrbVpseW5SZlFN + dmlLWHVBb1RMb1dvY3NKNHc3NEpMZFEKLS0tIFluRGN6U2paVzVBdCt4d3FyMVZ4 + Nkx5aHo4Qk8vU01wazdWdmhvNWRLQTAK7kiQiEdF1LpzQ/syjRjyhchShrnfhHFE + M/XWLSIcnnApt1dOyJhJlpsQTnT6Y6Fqem0y779/uOQCBJGavscOWw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzK2U3YlRLK3BuK1Q0TkYy + SE1lTkVXUUV4NFVuT2V2VjdqUFpBbVFLSTJnCjI3c0xpMnBnV0M0Q0ZHYTdUSVZl + MWNMQXowWitFVTlIMFBadVJ6OHBBR28KLS0tIHJ1M0NkZzFMSndIUjBwN2tFUmF5 + b2pGTmJva2VnOFZlRWxlOW5wMitDUkkKrZyzpch6jTSsumseBEaN8xQXfng4P7ds + JSoock3sEmL4NSfxXSu+PP8kEOXFtu1yAcmSSeVDDhV7jiwE4egu2Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-04-02T14:06:11Z" + mac: ENC[AES256_GCM,data:wK8Nb1Vb80UfolzqZOpifZdoEKYu847anowYiCdSluoK+dfHhDhCj7ZxznYV7SwVACIoLsqLR5syRzC861PRBrAujkhbcn7lTc1kQRCjw0gMAbPYR/xiO76EHmiYqnV2UMN0EmuQg1nIRIWY9EO9C7m1b9fjoZFgDsj/7O99aVU=,iv:CJxUKpyNgEYwqLhSvuXoHb+Hu3M7ydKh0WlsjlOtKkM=,tag:4KXmNwwFrqvBjxe656Jvug==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.1 diff --git a/secrets/services/hedgedoc.yaml b/secrets/services/hedgedoc.yaml index 84ef3d6..0c693dc 100644 --- a/secrets/services/hedgedoc.yaml +++ b/secrets/services/hedgedoc.yaml @@ -1,10 +1,6 @@ hedgedoc: - env: ENC[AES256_GCM,data:15rWiIYWyIJ0Hxl5I8m+EBV+FkNDT/OHlLK9shVS46UE7SQtuIh45N5hvwgs0rg9E9Tawu+lyE2aozWNh6HSDUZ1h4FYrB+JHwIetGkOqXSLHfXi,iv:v9ohLTtlxw3fsRoJJoOY5VYxVsxUyDEsQHRjcGKg/GY=,tag:Wncm1reqNblnVhRTYjU3Pg==,type:str] + env: ENC[AES256_GCM,data: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,iv:LDkuJgxIbohEVf7wmdtOZ/vlPddMYa7uzHGkL+0MnUM=,tag:pnJiCJydjTmUbS761fPUPw==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn enc: | 
@@ -24,8 +20,7 @@ sops: enlDZEI2NElkZkI3UmRyQUZqQWE5ZmcK2JlwNzVJNhGjyniIg9UY5tjgUKttkT3e 9C/xag3dQCiqzX1O3o5tdhYnxXw+VxVf+qTFyyuftg5iQPZNuvX6mA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-12-17T03:25:54Z" - mac: ENC[AES256_GCM,data:1cxiK/HhqYzatT2PhZxjvtizII2QMHqbbyOujUtx4cT8x488j2wecu6hOfSkuHbQ43AxA8kDH1NAruPCSdCpj3PytMR+np+R/5WuRcK+OF/FCnWvWvvHqgDnBs/wYjllnR6HyWBlhrROpINxu9ch4fzN0Def3I7O+wJgpojnPiU=,iv:PKPykPv9zSHj9+HXnrg1v8Ty78te66D9ZH6c1V7Qlh4=,tag:JQk68u6p317r3Df+hv16+g==,type:str] - pgp: [] + lastmodified: "2025-04-05T21:08:15Z" + mac: ENC[AES256_GCM,data:cPisYUoZWd/vd+wWzz3xTnftj1RdjK20dWFo+MKssm/eu7eCOWDIaZdcJg13gkTleBpMWQy/mG1drC6GLfGQiBmkS99UCPAoo0aLTBL4FbSm6FEXdbVjoOI7URu6Sj31drWCMAm+lXYymWsHwZJrNLhjsCTQsxTPvFq8oOdNlXo=,iv:KpmJoZ/BGEEhZ75jXfXxegNglm7k6mtleRuVud6tX2g=,tag:lsiqX+YSz4mGK6mw9gdKNg==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.2 + version: 3.10.1 diff --git a/secrets/services/karakeep.yaml b/secrets/services/karakeep.yaml new file mode 100644 index 0000000..cc09262 --- /dev/null +++ b/secrets/services/karakeep.yaml 
@@ -0,0 +1,35 @@
+karakeep:
+ env: ENC[AES256_GCM,data:SWc26EQaKR5d9hMDYzVHA/r7XfjwFZ0d44Co0IS6OayR24ej7yqLAtkNttROKoKFuYc0sHgN9bOy4MyX0s3qiSWYovIIUJgFiJjPQFYDAo+50WR4+5W5FgvYI6e42fcWrQhaCXWQrDyzch/zT2OITZsjXcQhT5E+IiPLVkaGOjGptE07GjM7ZXI4UxBzINFQOhxdfIO0km1o6Wq8GhJdWsz4exz4ahRslR+WjK/flV2GZVAj6EHSJ5sHohm74QlhxaShEbc/8IKP6R2gSjBFP7l8VvwFyIUD9sLzYGvS3iU=,iv:gSPQU0bZ+VRFbuaNDc90dW0ogWX2SMH7kewtq/u/11E=,tag:L0Y4EWSQUhcn2eHt+yZ7qQ==,type:str]
+sops:
+ age:
+ - recipient: age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIaWQ1Q1JwRHJxQjNjdTAx
+ TXRsWjVZOG1mNEptNVhscHBaK2I5MHhjdlFjCkNqOEhwT3hyOHpHQ2k0ZmowUXB4
+ eks2dlpUS0V6VjBEYW9UWnhFOEw4VGsKLS0tIFo2a0FTRE5WdHBGVW5DOUFkaE9p
+ bitvUnJXSnB6UnV3VTEzSjlSYmEwVUEKHOwFCRu+SIyM0uJ6bNEAo+MMlsc8la6G
+ bLYdCoykcBu+uVXqn3BYTbrS5ylQMRYcbcPFJw5BVdmjIYF4LU5W6A==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age10h6pg5qdpc4t0rpmksfv788a57f04n83zgqaezkjjn65nkhv547s0vxfdn
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrU2ZnNVAyeVdJeHlTSW1x
+ QUhKRzlNclVUWE1ucHFLZW5sL1lnUDhkd0Y4CjFuekNEOE1icDNqL1JyT0hEYW16
+ Q2VyajJFWWtGUnBzOENGOEZHbWROZzAKLS0tIE8wMVc3TkV5Y1VyenIvOW02NDNq
+ cStTeUcvY1pJWEN2MzFEeThKT0JPc1EKXrtVG49a6YZVKiL1F8Xg3t3niTYv3LwN
+ NeAQ8srV0F6ckky7OCkvUp9GInZCWRzULXV/x+4IUb6C+KQaNm2vYA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdDdUSUlmMk5VcytyT01N
+ UmRaK2k5Wkh5SlhPT3QrczY2eW9vZk5KWFZBCnBteitnNFlHdWRaaTRxSWYvYmtG
+ ZnY5ZXlYa3Z5aENlRy9BQjVSU1F3UzQKLS0tIFpjN1dOaWNKaU9PaENyaXc1K3BU
+ K2orZ0Y2Z05LSUZ5WHQ4TnVVY0QwSzQKiUQT4aSxXnaq0kEMp+q5WnIUoGypEmZ+
+ DQEhkB9yu/BrkjXH+HGQr1W5B4sJyb5rnl0+SQ+IypRIRyaX4CdFxg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-04-05T19:44:58Z"
+ mac:
ENC[AES256_GCM,data:OmqsJI9BaICOTiH1cq4gZlNBbkAxn/pAOWBtkIjHdqpikABLG6fMY+sLpyeaovXjexIj9MZk7fPmV8dRZ5VNLHCqlYXK/cVoQBZ2HK+p/cGTAFelNAShu9NSgZdFmVgJJtOjVvFp8dtuY8VcQj861k/MPX0mNZt9pmXYdumjpNM=,iv:efHkp1KUctwtCjG9A8i5qs7nQfQqv2ya1yYlHHOt8pU=,tag:4lChpspl0oOUMiXzvGuA2Q==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.10.1
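Review bot: The new karakeep file is encrypted to three age recipients (`age1sy0at69…`, `age10h6pg5q…`, `age1eg6sxfl…`) but nothing in the file records which host or operator key each one is, so a reader cannot tell which machines will be able to decrypt this service's environment; the hedgedoc file in this same diff shows only `age1eg6sxfl…` in its visible lines, and the two extra recipients here are not explained. Because sops rewrites the `sops:` stanza on every re-encryption, a comment placed next to the recipients will not survive, so the mapping belongs in the repository's sops creation rules or a README next to `secrets/services/`. Grouping every variable into a single `env` blob also means any one-value change re-encrypts and rotates the whole environment in history, which is worth a note for whoever maintains the service.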
