cy/nixos-config
cy/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: cy:5b5418e325472ea7c61ea0ebf2face5435083405
Branches Tags
cy:main
cy:update
cy:2025-04-14
cy:2025-04-07
cy:2025-04-05
cy:2025-04-04
cy:staging
cy:dogfood-nixcp
cy:no-follows
cy:workflow-test
cy:update_flake_lock_action
cy:caddy-s3
cy:workflow-copy
cy:workflow-lix
cy:test-s3-cache
cy:temp
cy:attic
cy:helix
cy:test
cy:lix-test
cy:bitwarden-patch
cy:chromium
cy:new-attic
cy:canary
cy:downgrade-kernel
cy:soju
cy:kde
cy:shiori
cy:caddy-module
cy:anki-overlay
cy:nixpkgs-master
cy:lix
cy:pan-home
cy:pi
cy:pancake
cy:pancake-sd-image
cy:arm
cy:lix-404
cy:customize-kernel
cy:blueprint
cy:flake-utils
cy:conduwuit-flake
cy:ghostty
cy:zen
cy:lact-fix-test
cy:alvr-test
cy:workflow-refactor
cy:bump-conduwuit
cy:gollum
cy:build
cy:nginx
cy:iso
cy:flake-parts
cy:codespace
cy:sway
cy:minio
cy:garage-module
cy:garage-test
cy:vscode
cy:purge
cy:create-pull-request/patch
cy:garage
cy:harmonia
cy:impermanence
...
compare: cy:fba0d4120d32c667a5cb49c6ad4687491fbf1536
Branches Tags
cy:main
cy:update
cy:2025-04-14
cy:2025-04-07
cy:2025-04-05
cy:2025-04-04
cy:staging
cy:dogfood-nixcp
cy:no-follows
cy:workflow-test
cy:update_flake_lock_action
cy:caddy-s3
cy:workflow-copy
cy:workflow-lix
cy:test-s3-cache
cy:temp
cy:attic
cy:helix
cy:test
cy:lix-test
cy:bitwarden-patch
cy:chromium
cy:new-attic
cy:canary
cy:downgrade-kernel
cy:soju
cy:kde
cy:shiori
cy:caddy-module
cy:anki-overlay
cy:nixpkgs-master
cy:lix
cy:pan-home
cy:pi
cy:pancake
cy:pancake-sd-image
cy:arm
cy:lix-404
cy:customize-kernel
cy:blueprint
cy:flake-utils
cy:conduwuit-flake
cy:ghostty
cy:zen
cy:lact-fix-test
cy:alvr-test
cy:workflow-refactor
cy:bump-conduwuit
cy:gollum
cy:build
cy:nginx
cy:iso
cy:flake-parts
cy:codespace
cy:sway
cy:minio
cy:garage-module
cy:garage-test
cy:vscode
cy:purge
cy:create-pull-request/patch
cy:garage
cy:harmonia
cy:impermanence

17 commits
5b5418e325 ... fba0d4120d

Author SHA1 Message Date
cy
fba0d4120d
workflow: always() cache 2025-03-17 21:38:31 -04:00
cy
54af66d26c
remove garnix cache 2025-03-17 11:09:00 -04:00
cy
0be44bc4c8
workflow: disable fail-fast when building homes 2025-03-17 11:08:49 -04:00
cy
8f72e20b09
use garage for sccache 2025-03-17 00:15:15 -04:00
cy
a22868f049
attempts to make garage and attic faster 2025-03-17 00:14:49 -04:00
cy
ffd7dc5ae6
disable cachix cache 2025-03-14 14:05:22 -04:00
cy
22204b49dd
patch attic to prefetch 32 chunks instead of 2 2025-03-14 14:05:03 -04:00
cy
00a8ac69cf
nix fmt 2025-03-14 02:10:11 -04:00
cy
9c72baf1c0
make garage and rclone better 2025-03-14 02:09:30 -04:00
cy
16788bc7b2
workflow: upload artifact only for packages 2025-03-14 01:01:18 -04:00
cy
5dd8b87f38
ytnix: disable nix sandbox 2025-03-14 00:58:59 -04:00
cy
fcd42883ea
add attic cache to nix.conf 2025-03-14 00:57:38 -04:00
cy
f1e4d7834f
better docker support 2025-03-14 00:57:10 -04:00
cy
1f3b9983d6
vscode: add toml and go 2025-03-14 00:56:29 -04:00
cy
60727812b8
rm tor and update firewall stuff 2025-03-14 00:55:53 -04:00
cy
386cf05f42
overlay garage 2025-03-14 00:55:00 -04:00
cy
25c7eb865a
workflow: use attic 2025-03-14 00:54:58 -04:00
24 changed files with 279 additions and 163 deletions
Download patch file Download diff file Expand all files Collapse all files

60
.github/workflows/build-machines-and-homes.yml vendored
View file

@ -3,6 +3,16 @@ on:
workflow_dispatch: workflow_dispatch:
push: push:
pull_request: pull_request:
env:
ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
NIX_CONFIG: |
show-trace = true
extra-substituters = https://cache.cy7.sh/main
extra-trusted-public-keys = main:Ku31HoEWcBtfggge2VGj+QTkVrQuIwRIMGyfV/5VQP0=
experimental-features = nix-command flakes
extra-experimental-features = nix-command flakes
accept-flake-config = true
TERM: ansi
jobs: jobs:
build-machines: build-machines:
strategy: strategy:
@ -27,20 +37,11 @@ jobs:
remove-docker-images: 'true' remove-docker-images: 'true'
build-mount-path: /nix build-mount-path: /nix
- name: Install Nix - name: Install Nix
uses: cachix/install-nix-action@v30 uses: nixbuild/nix-quick-install-action@master
with:
install_url: https://releases.nixos.org/nix/nix-2.25.4/install
extra_nix_config: 'accept-flake-config = true'
- name: Sync repository - name: Sync repository
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
persist-credentials: false persist-credentials: false
- uses: cachix/cachix-action@v14
with:
name: cything
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
useDaemon: false
installCommand: nix profile install nixpkgs#cachix
- name: Restore and cache Nix store - name: Restore and cache Nix store
uses: nix-community/cache-nix-action@v5.1.0 uses: nix-community/cache-nix-action@v5.1.0
with: with:
@ -58,9 +59,24 @@ jobs:
purge-primary-key: never purge-primary-key: never
# always save the cache # always save the cache
save-always: true save-always: true
- run: nix build -L .#nixosConfigurations.${{ matrix.machine }}.config.system.build.toplevel - name: setup attic
run: |
nix profile install github:zhaofengli/attic
attic login cy7 https://cache.cy7.sh "$ATTIC_TOKEN"
- name: build
run: |
package=".#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel"
nix build -L "$package"
- name: cache
if: always()
run: |
package=".#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel"
derivation="$(nix path-info --derivation "$package")"
cache="$(nix-store --query --requisites --include-outputs "$derivation")"
xargs attic push main <<< "$cache"
build-homes: build-homes:
strategy: strategy:
fail-fast: false
matrix: matrix:
home: home:
- yt@ytnix - yt@ytnix
@ -86,12 +102,6 @@ jobs:
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
persist-credentials: false persist-credentials: false
- uses: cachix/cachix-action@v14
with:
name: cything
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
useDaemon: false
installCommand: nix profile install nixpkgs#cachix
- name: Restore and cache Nix store - name: Restore and cache Nix store
uses: nix-community/cache-nix-action@v5.1.0 uses: nix-community/cache-nix-action@v5.1.0
with: with:
@ -109,4 +119,18 @@ jobs:
purge-primary-key: never purge-primary-key: never
# always save the cache # always save the cache
save-always: true save-always: true
- run: nix build -L .#homeConfigurations."${{ matrix.home }}".activationPackage - name: setup attic
run: |
nix profile install github:zhaofengli/attic
attic login cy7 https://cache.cy7.sh "$ATTIC_TOKEN"
- name: build
run: |
package=".#homeConfigurations."${{ matrix.home }}".activationPackage"
nix build -L "$package"
- name: cache
if: always()
run: |
package=".#homeConfigurations."${{ matrix.home }}".activationPackage"
derivation="$(nix path-info --derivation "$package")"
cache="$(nix-store --query --requisites --include-outputs "$derivation")"
attic push main --stdin <<< "$cache"

37
.github/workflows/build-packages.yml vendored
View file

@ -6,6 +6,16 @@ on:
description: "package to build" description: "package to build"
required: false required: false
type: string type: string
env:
ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
NIX_CONFIG: |
show-trace = true
extra-substituters = https://cache.cy7.sh/main
extra-trusted-public-keys = main:Ku31HoEWcBtfggge2VGj+QTkVrQuIwRIMGyfV/5VQP0=
experimental-features = nix-command flakes
extra-experimental-features = nix-command flakes
accept-flake-config = true
TERM: ansi
jobs: jobs:
build-packages: build-packages:
strategy: strategy:
@ -22,17 +32,26 @@ jobs:
steps: steps:
- name: Install Nix - name: Install Nix
uses: cachix/install-nix-action@v30 uses: cachix/install-nix-action@v30
- name: Sync repository - name: Sync repository
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
persist-credentials: false persist-credentials: false
- name: setup attic
- uses: cachix/cachix-action@v14 run: |
with: nix profile install github:zhaofengli/attic
name: cything attic login cy7 https://cache.cy7.sh "$ATTIC_TOKEN"
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
useDaemon: false
installCommand: nix profile install nixpkgs#cachix
- run: nix build -L ${{ matrix.package }} - run: nix build -L ${{ matrix.package }}
- name: cache result
if: always()
run: |
derivation="$(nix path-info --derivation "${{ matrix.package }}")"
cache="$(nix-store --query --requisites --include-outputs "$derivation")"
xargs attic push main <<< "$cache"
- name: prepare tarball to upload
run: nix run github:nixos/nixpkgs#gnutar hcvf result.tar result
- name: upload result
uses: actions/upload-artifact@v4
with:
name: ${{ matrix.os }}
path: result.tar
if-no-files-found: error

3
.sops.yaml
View file

@ -118,9 +118,8 @@ creation_rules:
- age: - age:
- *chunk - *chunk
- *cy - *cy
- path_regex: secrets/services/searx.yaml - path_regex: secrets/services/searx.yaml
key_groups: key_groups:
- age: - age:
- *chunk - *chunk
- *cy - *cy

33
flake.lock generated
View file

@ -342,6 +342,38 @@
"type": "github" "type": "github"
} }
}, },
"garage": {
"inputs": {
"crane": [
"crane"
],
"flake-compat": [
"flake-compat"
],
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
],
"rust-overlay": [
"rust-overlay"
]
},
"locked": {
"lastModified": 1741360584,
"narHash": "sha256-5UkuvKllBRhU943imyc0jHDXQDVhIFx5WWUr3qrLEWQ=",
"owner": "deuxfleurs-org",
"repo": "garage",
"rev": "c96be1a9a8aa3b51075678888b80c2414ead2909",
"type": "github"
},
"original": {
"owner": "deuxfleurs-org",
"repo": "garage",
"type": "github"
}
},
"git-hooks": { "git-hooks": {
"inputs": { "inputs": {
"flake-compat": [ "flake-compat": [
@ -1002,6 +1034,7 @@
"flake-compat": "flake-compat_2", "flake-compat": "flake-compat_2",
"flake-parts": "flake-parts_2", "flake-parts": "flake-parts_2",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"garage": "garage",
"home-manager": "home-manager", "home-manager": "home-manager",
"lanzaboote": "lanzaboote", "lanzaboote": "lanzaboote",
"lix": "lix", "lix": "lix",

17
flake.nix
View file

@ -88,6 +88,16 @@
crane.follows = "crane"; crane.follows = "crane";
}; };
}; };
garage = {
url = "github:deuxfleurs-org/garage";
inputs = {
nixpkgs.follows = "nixpkgs";
rust-overlay.follows = "rust-overlay";
crane.follows = "crane";
flake-compat.follows = "flake-compat";
flake-utils.follows = "flake-utils";
};
};
nvim-github-theme = { nvim-github-theme = {
url = "github:projekt0n/github-nvim-theme"; url = "github:projekt0n/github-nvim-theme";
@ -103,15 +113,12 @@
nixConfig = { nixConfig = {
extra-substituters = [ extra-substituters = [
"https://nix-community.cachix.org" "https://nix-community.cachix.org"
"https://cache.garnix.io" "https://cache.cy7.sh/main"
"https://cything.cachix.org"
]; ];
extra-trusted-public-keys = [ extra-trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" "main:Ku31HoEWcBtfggge2VGj+QTkVrQuIwRIMGyfV/5VQP0="
"cything.cachix.org-1:xqW1W5NNL+wrM9wfSELb0MLj/harD2ZyB4HbdaMyvPI="
]; ];
builders-use-substitutes = true;
}; };
outputs = outputs =

5
home/codium.nix
View file

@ -10,8 +10,7 @@
extensions = extensions =
# if unfree # if unfree
# with pkgs.vscode-marketplace; # with pkgs.vscode-marketplace;
with pkgs.open-vsx; with pkgs.open-vsx; [
[
vscodevim.vim vscodevim.vim
jnoortheen.nix-ide jnoortheen.nix-ide
github.github-vscode-theme github.github-vscode-theme
@ -21,6 +20,8 @@
tomrijndorp.find-it-faster tomrijndorp.find-it-faster
streetsidesoftware.code-spell-checker streetsidesoftware.code-spell-checker
emilast.logfilehighlighter emilast.logfilehighlighter
tamasfe.even-better-toml
golang.go
]; ];
userSettings = userSettings =
let let

5
home/yt/ytnix.nix
View file

@ -102,6 +102,7 @@
pixelflasher pixelflasher
element-desktop element-desktop
freetube freetube
gopls
]; ];
home.sessionVariables = { home.sessionVariables = {
@ -112,13 +113,13 @@
RUSTC_WRAPPER = "${lib.getExe pkgs.sccache}"; RUSTC_WRAPPER = "${lib.getExe pkgs.sccache}";
SCCACHE_BUCKET = "sccache"; SCCACHE_BUCKET = "sccache";
SCCACHE_REGION = "us-east-1"; SCCACHE_REGION = "us-east-1";
SCCACHE_ENDPOINT = "https://e3e97aac307d106a7becea43cef8fcbd.r2.cloudflarestorage.com"; SCCACHE_ENDPOINT = "https://s3.cy7.sh";
SCCACHE_ALLOW_CORE_DUMPS = "true"; SCCACHE_ALLOW_CORE_DUMPS = "true";
SCCACHE_S3_USE_SSL = "true"; SCCACHE_S3_USE_SSL = "true";
SCCACHE_CACHE_MULTIARCH = "true"; SCCACHE_CACHE_MULTIARCH = "true";
SCCACHE_LOG = "warn"; SCCACHE_LOG = "warn";
AWS_DEFAULT_REGION = "us-east-1"; AWS_DEFAULT_REGION = "us-east-1";
AWS_ENDPOINT_URL = "https://e3e97aac307d106a7becea43cef8fcbd.r2.cloudflarestorage.com"; AWS_ENDPOINT_URL = "https://s3.cy7.sh";
AWS_ACCESS_KEY_ID = "$(cat /run/secrets/aws/key_id)"; AWS_ACCESS_KEY_ID = "$(cat /run/secrets/aws/key_id)";
AWS_SECRET_ACCESS_KEY = "$(cat /run/secrets/aws/key_secret)"; AWS_SECRET_ACCESS_KEY = "$(cat /run/secrets/aws/key_secret)";

15
hosts/chunk/default.nix
View file

@ -22,7 +22,6 @@
./forgejo.nix ./forgejo.nix
./garage.nix ./garage.nix
./tailscale.nix ./tailscale.nix
./tor.nix
]; ];
sops.age.keyFile = "/root/.config/sops/age/keys.txt"; sops.age.keyFile = "/root/.config/sops/age/keys.txt";
@ -101,22 +100,18 @@
${tc} qdisc del dev ens18 root || true ${tc} qdisc del dev ens18 root || true
# create HTB hierarchy # create HTB hierarchy
${tc} qdisc add dev ens18 root handle 1: htb default 30 ${tc} qdisc add dev ens18 root handle 1: htb default 10
${tc} class add dev ens18 parent 1: classid 1:1 htb rate 100% ceil 100% ${tc} class add dev ens18 parent 1: classid 1:1 htb rate 100% ceil 100%
# tailscale
${tc} class add dev ens18 parent 1:1 classid 1:10 htb rate 30% ceil 100%
# caddy
${tc} class add dev ens18 parent 1:1 classid 1:20 htb rate 30% ceil 100%
# rest # rest
${tc} class add dev ens18 parent 1:1 classid 1:10 htb rate 60% ceil 100%
# caddy
${tc} class add dev ens18 parent 1:1 classid 1:30 htb rate 40% ceil 100% ${tc} class add dev ens18 parent 1:1 classid 1:30 htb rate 40% ceil 100%
# mark traffic # mark traffic
iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/tailscaled.service" -j MARK --set-mark 1 iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/caddy.service" -j MARK --set-mark 3
iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/caddy.service" -j MARK --set-mark 2
# route marked packets # route marked packets
${tc} filter add dev ens18 parent 1: protocol ip prio 1 handle 1 fw flowid 1:10 ${tc} filter add dev ens18 parent 1: protocol ip prio 1 handle 3 fw flowid 1:30
${tc} filter add dev ens18 parent 1: protocol ip prio 1 handle 2 fw flowid 1:20
''; '';
}; };
interfaces.ens18 = { interfaces.ens18 = {

12
hosts/chunk/garage.nix
View file

@ -10,15 +10,13 @@
api_bind_addr = "[::]:3900"; api_bind_addr = "[::]:3900";
root_domain = "s3.cy7.sh"; root_domain = "s3.cy7.sh";
}; };
s3_web = {
bind_addr = "[::]:3902";
root_domain = ".web.s3.cy7.sh";
index = "index.html";
};
admin.api_bind_addr = "[::]:3903"; admin.api_bind_addr = "[::]:3903";
rpc_bind_addr = "[::]:3901"; rpc_bind_addr = "[::]:3901";
replication_factor = 1; replication_factor = 1;
db_engine = "lmdb"; db_engine = "lmdb";
disable_scrub = true;
block_size = "10M";
compression_level = "none";
}; };
environmentFile = config.sops.secrets."garage/env".path; environmentFile = config.sops.secrets."garage/env".path;
}; };
@ -31,10 +29,6 @@
reverse_proxy localhost:3900 reverse_proxy localhost:3900
''; '';
}; };
"*.web.s3.cy7.sh".extraConfig = ''
import common
reverse_proxy localhost:3902
'';
"admin.s3.cy7.sh".extraConfig = '' "admin.s3.cy7.sh".extraConfig = ''
import common import common
reverse_proxy localhost:3903 reverse_proxy localhost:3903

8
hosts/chunk/grafana.nix
View file

@ -29,6 +29,14 @@
} }
]; ];
} }
{
job_name = "garage";
static_configs = [
{
targets = [ "127.0.0.1:3903" ];
}
];
}
]; ];
}; };

32
hosts/chunk/rclone.nix
View file

@ -15,9 +15,16 @@
serviceConfig = { serviceConfig = {
Type = "notify"; Type = "notify";
ExecStartPre = "/usr/bin/env mkdir -p /mnt/photos"; ExecStartPre = "/usr/bin/env mkdir -p /mnt/photos";
ExecStart = "${lib.getExe pkgs.rclone} mount --config ${ ExecStart = ''
config.sops.secrets."rclone/config".path ${lib.getExe pkgs.rclone} mount \
} --cache-dir /var/cache/rclone --transfers=32 --checkers=32 --dir-cache-time 72h --vfs-cache-mode writes --vfs-cache-max-size 2G photos: /mnt/photos "; --config ${config.sops.secrets."rclone/config".path} \
--cache-dir /var/cache/rclone \
--transfers=32 \
--dir-cache-time 30d \
--vfs-cache-mode writes \
--vfs-cache-max-size 2G \
photos: /mnt/photos
'';
ExecStop = "${lib.getExe' pkgs.fuse "fusermount"} -u /mnt/photos"; ExecStop = "${lib.getExe' pkgs.fuse "fusermount"} -u /mnt/photos";
}; };
}; };
@ -32,9 +39,22 @@
serviceConfig = { serviceConfig = {
Type = "notify"; Type = "notify";
ExecStartPre = "/usr/bin/env mkdir -p /mnt/garage"; ExecStartPre = "/usr/bin/env mkdir -p /mnt/garage";
ExecStart = "${lib.getExe pkgs.rclone} mount --config ${ ExecStart = ''
config.sops.secrets."rclone/config".path ${lib.getExe pkgs.rclone} mount \
} --cache-dir /var/cache/rclone --transfers=32 --checkers=32 --vfs-cache-mode writes --vfs-cache-max-size 5G --allow-other rsyncnet:garage /mnt/garage "; --config ${config.sops.secrets."rclone/config".path} \
--allow-other \
--cache-dir /var/cache/rclone \
--transfers=32 \
--vfs-cache-mode full \
--vfs-cache-min-free-space 5G \
--dir-cache-time 30d \
--no-checksum \
--no-modtime \
--vfs-fast-fingerprint \
--vfs-read-chunk-size 10M \
--vfs-read-chunk-streams 32 \
rsyncnet:garage /mnt/garage
'';
ExecStop = "${lib.getExe' pkgs.fuse "fusermount"} -u /mnt/garage"; ExecStop = "${lib.getExe' pkgs.fuse "fusermount"} -u /mnt/garage";
}; };
}; };

16
hosts/chunk/tor.nix
View file

@ -1,16 +0,0 @@
{ ... }:
{
services.tor = {
enable = true;
openFirewall = true;
relay = {
enable = true;
role = "relay";
};
settings = {
ORPort = 9001;
Nickname = "chunk";
# MaxAdvertisedBandwidth = "20MBytes";
};
};
}

13
hosts/common.nix
View file

@ -10,16 +10,12 @@
"@wheel" "@wheel"
]; ];
trusted-public-keys = [ trusted-public-keys = [
"niri.cachix.org-1:Wv0OmO7PsuocRKzfDoJ3mulSl7Z6oezYhGhR+3W2964="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" "main:Ku31HoEWcBtfggge2VGj+QTkVrQuIwRIMGyfV/5VQP0="
"cything.cachix.org-1:xqW1W5NNL+wrM9wfSELb0MLj/harD2ZyB4HbdaMyvPI="
]; ];
substituters = [ trusted-substituters = [
"https://niri.cachix.org"
"https://nix-community.cachix.org" "https://nix-community.cachix.org"
"https://cache.garnix.io" "https://cache.cy7.sh/main"
"https://cything.cachix.org"
]; ];
}; };
channel.enable = false; channel.enable = false;
@ -33,9 +29,6 @@
persistent = true; persistent = true;
options = "--delete-older-than 14d"; options = "--delete-older-than 14d";
}; };
extraOptions = ''
builders-use-substitutes = true
'';
registry.nixpkgs.flake = inputs.nixpkgs; registry.nixpkgs.flake = inputs.nixpkgs;
}; };

32
hosts/ytnix/containers.nix
View file

@ -1,4 +1,4 @@
{ {
config, config,
pkgs, pkgs,
lib, lib,
@ -6,20 +6,22 @@
}: }:
{ {
virtualisation.oci-containers.containers = { virtualisation.oci-containers.containers = {
immich-ml = let immich-ml =
modelCache = "/opt/immich-ml"; let
in { modelCache = "/opt/immich-ml";
image = "ghcr.io/immich-app/immich-machine-learning:release"; in
autoStart = true; {
pull = "newer"; image = "ghcr.io/immich-app/immich-machine-learning:release";
ports = [ "3003:3003" ]; autoStart = true;
environment = { pull = "newer";
REDIS_HOSTNAME = "immich-redis"; ports = [ "3003:3003" ];
DB_HOSTNAME = "immich-db"; environment = {
REDIS_HOSTNAME = "immich-redis";
DB_HOSTNAME = "immich-db";
};
volumes = [ "${modelCache}:/cache" ];
networks = [ "immich-net" ];
}; };
volumes = [ "${modelCache}:/cache" ];
networks = [ "immich-net" ];
};
}; };
systemd.services.create-immich-net = rec { systemd.services.create-immich-net = rec {
@ -33,4 +35,4 @@
${lib.getExe pkgs.podman} network create immich-net ${lib.getExe pkgs.podman} network create immich-net
''; '';
}; };
} }

86
hosts/ytnix/default.nix
View file

@ -144,49 +144,52 @@
"docker" "docker"
"disk" "disk"
"adbusers" "adbusers"
"podman"
]; ];
environment.systemPackages = with pkgs; lib.flatten [ environment.systemPackages =
tmux with pkgs;
vim lib.flatten [
wget tmux
tree vim
kitty wget
borgbackup tree
htop kitty
file borgbackup
dnsutils htop
q file
age dnsutils
compsize q
wireguard-tools age
traceroute compsize
sops wireguard-tools
sbctl # secure boot traceroute
lm_sensors sops
sshfs sbctl # secure boot
openssl lm_sensors
just sshfs
killall openssl
lshw just
bubblewrap killall
fuse-overlayfs lshw
dwarfs bubblewrap
wineWowPackages.stagingFull fuse-overlayfs
(with gst_all_1; [ dwarfs
gst-plugins-good wineWowPackages.stagingFull
gst-plugins-bad (with gst_all_1; [
gst-plugins-ugly gst-plugins-good
gst-plugins-base gst-plugins-bad
]) gst-plugins-ugly
vulkan-loader gst-plugins-base
(heroic.override { ])
extraPkgs = pkgs: [ vulkan-loader
pkgs.gamescope (heroic.override {
pkgs.gamemode extraPkgs = pkgs: [
]; pkgs.gamescope
}) pkgs.gamemode
]; ];
})
];
environment.sessionVariables = { environment.sessionVariables = {
NIXOS_OZONE_WL = "1"; NIXOS_OZONE_WL = "1";
@ -384,4 +387,5 @@
programs.ccache.enable = true; programs.ccache.enable = true;
nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ]; nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ];
programs.fuse.userAllowOther = true; programs.fuse.userAllowOther = true;
nix.settings.sandbox = false;
} }

4
modules/attic.nix
View file

@ -21,7 +21,7 @@ in
allowed-hosts = [ "cache.cy7.sh" ]; allowed-hosts = [ "cache.cy7.sh" ];
require-proof-of-possession = false; require-proof-of-possession = false;
compression = { compression = {
type = "zstd"; type = "none";
level = 3; level = 3;
}; };
database.url = "postgresql:///atticd?host=/run/postgresql"; database.url = "postgresql:///atticd?host=/run/postgresql";
@ -44,4 +44,4 @@ in
reverse_proxy localhost:8091 reverse_proxy localhost:8091
''; '';
}; };
} }

5
modules/containerization.nix
View file

@ -28,8 +28,11 @@ in
dns_enabled = true; dns_enabled = true;
ipv6_enabled = true; ipv6_enabled = true;
}; };
# answer on /var/run/docker.sock
dockerSocket.enable = true;
}; };
oci-containers.backend = lib.mkIf cfg.usePodman "podman"; docker.enable = lib.mkIf (!cfg.usePodman) true;
oci-containers.backend = lib.mkIf (!cfg.usePodman) "docker";
}; };
}; };
} }

2
modules/searx.nix
View file

@ -44,4 +44,4 @@ in
reverse_proxy 127.0.0.1:8090 reverse_proxy 127.0.0.1:8090
''; '';
}; };
} }

2
modules/vaultwarden.nix
View file

@ -29,4 +29,4 @@ in
}; };
}; };
}; };
} }

7
overlay/attic/default.nix Normal file
View file

@ -0,0 +1,7 @@
final: prev: {
attic-server = prev.attic-server.overrideAttrs {
patches = [
./prefetch-32-chunks.patch
];
};
}

13
overlay/attic/prefetch-32-chunks.patch Normal file
View file

@ -0,0 +1,13 @@
diff --git a/server/src/api/binary_cache.rs b/server/src/api/binary_cache.rs
index 02e4857..71eeee8 100644
--- a/server/src/api/binary_cache.rs
+++ b/server/src/api/binary_cache.rs
@@ -262,7 +262,7 @@ async fn get_nar(
// TODO: Make num_prefetch configurable
// The ideal size depends on the average chunk size
- let merged = merge_chunks(chunks, streamer, storage, 2).map_err(|e| {
+ let merged = merge_chunks(chunks, streamer, storage, 32).map_err(|e| {
tracing::error!(%e, "Stream error");
e
});

14
overlay/bitwarden/default.nix
View file

@ -1,7 +1,9 @@
final: prev: { final: prev: {
bitwarden-desktop = prev.bitwarden-desktop.overrideAttrs (finalAttrs: prevAttrs: { bitwarden-desktop = prev.bitwarden-desktop.overrideAttrs (
patches = prevAttrs.patches ++ [ finalAttrs: prevAttrs: {
./ssh-agent-no-confirm.patch patches = prevAttrs.patches ++ [
]; ./ssh-agent-no-confirm.patch
}); ];
} }
);
}

11
overlay/default.nix
View file

@ -3,6 +3,7 @@ let
overlays = [ overlays = [
./zipline ./zipline
./bitwarden ./bitwarden
./attic
]; ];
importedOverlays = map (m: import m) overlays; importedOverlays = map (m: import m) overlays;
in in
@ -14,12 +15,16 @@ in
pkgFrom = flake: pkg: flake.packages.${prev.system}.${pkg}; pkgFrom = flake: pkg: flake.packages.${prev.system}.${pkg};
in in
{ {
conduwuit = conduwuit = pkgFrom inputs.conduwuit "static-x86_64-linux-musl-all-features-x86_64-haswell-optimised";
pkgFrom inputs.conduwuit "static-x86_64-linux-musl-all-features-x86_64-haswell-optimised";
pixelflasher = nixpkgsFrom inputs.pixelflasher "pixelflasher"; pixelflasher = nixpkgsFrom inputs.pixelflasher "pixelflasher";
attic-server = pkgFrom inputs.attic "attic-server"; attic-server = pkgFrom inputs.attic "attic-server";
attic = pkgFrom inputs.attic "attic"; attic = pkgFrom inputs.attic "attic";
garage = (
(pkgFrom inputs.garage "default").overrideAttrs {
meta.mainProgram = "garage";
}
);
} }
) )
] ]
++ importedOverlays ++ importedOverlays

10
secrets/yt/aws.yaml
View file

@ -1,6 +1,8 @@
aws: aws:
key_id: ENC[AES256_GCM,data:9tWAMzUv4f6Ea27XsmYhO11NroYnLmED/FVrCCGO0Vc=,iv:YP1xRjVd1M1MB7IKVAw0Sdx0E4AokBrsaAcDLvTLHD4=,tag:SEmEr3NoZvch9LeaJHbCww==,type:str] key_id: ENC[AES256_GCM,data:euyq+QtSXv1UR5eOJfvZARhm5L2AuzKIOk8=,iv:RseSyVArmrawNzlwjNh6FScJF2O+F4FBuIq47uMQQEA=,tag:bkZJeX3rUHb1yZu8dytgcg==,type:str]
key_secret: ENC[AES256_GCM,data:AK+vER4T1p0AknKzsxZQJ0JTpfIstnnTWSAZ26zJSCwJYgRYwj8RF98CS7HM+KWvz5VNGENxhVdUnjlGkrTB4w==,iv:3o79gwp5b4KGsixW02qFWYFvpagY/hykbYJ/WNz6PB8=,tag:GW2T8ggKYHa1CQ6DRomJDQ==,type:str] key_secret: ENC[AES256_GCM,data:27BHAU5suCIiSKAf0+1yNa/VJ0umErb6Ry8HI+Zfv6LV+7eB+wk8H3kxdV4wmY2XayHsUrD4FZa30O0a9PdJgA==,iv:oI2X7PCXDZBkUOikHM8S7gHsnMtWp7jxBqdmfbUlrwU=,tag:9mZ3H2jobKqYmw6S4NNpjw==,type:str]
_r2_key_id: ENC[AES256_GCM,data:R0xwzUx+6l9SR3Fd93PfJw+WPV0ByzOKMxoJQtn4pEE=,iv:qHmr/HssM8U3znbGznSIOwkAhNaORkCkG9lqAmCKmfw=,tag:LhuiiKSq/VnNEulgrS71vg==,type:str]
_r2_key_secret: ENC[AES256_GCM,data:Dw5Gq1URjMpy9Bh1IBYf+/EnkvQA/4yAC4kdoACpCUuJQxdQphFKwWmxJX+Q/oztO1imWoGIxlZNNDr5QCqXaA==,iv:hGePo+Ffe48n1BXI1f2V12C9Gn1CC1nTwbSsfqUGQ3c=,tag:AIy/F3jPGz2WHge3Mk43Ag==,type:str]
_garage_key_id: ENC[AES256_GCM,data:2lLS1nBhrwBkJh/ei7FwBoR6jOI6KCJkvOs=,iv:jwB7ZEaKOPIwghcGRs3qaICypoHgSxkFBOyB6e5hpYI=,tag:Iqwv3j1R1uLLUDKLhN1Atg==,type:str] _garage_key_id: ENC[AES256_GCM,data:2lLS1nBhrwBkJh/ei7FwBoR6jOI6KCJkvOs=,iv:jwB7ZEaKOPIwghcGRs3qaICypoHgSxkFBOyB6e5hpYI=,tag:Iqwv3j1R1uLLUDKLhN1Atg==,type:str]
_garage_key_secret: ENC[AES256_GCM,data:5iwwMfojHrR79cOIY+9O2oVY8v1cbPcECMSOMhWuGAdc2lfCogKBwLM4TFwBH9X1Vx56QvUoxCQ2uSyfOMLR7A==,iv:Q523ttz6ijmv8/JlVZuldFR4IabEKiVN4sGmJ9xDJU0=,tag:ZZ4LRG4DXOC7LY8hEjXYHQ==,type:str] _garage_key_secret: ENC[AES256_GCM,data:5iwwMfojHrR79cOIY+9O2oVY8v1cbPcECMSOMhWuGAdc2lfCogKBwLM4TFwBH9X1Vx56QvUoxCQ2uSyfOMLR7A==,iv:Q523ttz6ijmv8/JlVZuldFR4IabEKiVN4sGmJ9xDJU0=,tag:ZZ4LRG4DXOC7LY8hEjXYHQ==,type:str]
sops: sops:
@ -27,8 +29,8 @@ sops:
UlYrTExEUVc0dURLR1czN3BnYzZ2VGMKCbAgM50jvs9VciA1Pb/VY+2I4x62LBGe UlYrTExEUVc0dURLR1czN3BnYzZ2VGMKCbAgM50jvs9VciA1Pb/VY+2I4x62LBGe
j7eHkfTFc8Gnk/rZA9/ZJDLFr/FUPMQWK/NVoz6oLjO6oVFXqN6OqA== j7eHkfTFc8Gnk/rZA9/ZJDLFr/FUPMQWK/NVoz6oLjO6oVFXqN6OqA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-02-27T02:50:27Z" lastmodified: "2025-03-16T16:45:13Z"
mac: ENC[AES256_GCM,data:FjlbCqqYHPn/FDPUR1flWgg6wwHhLJx1uKOedwkvsTxuPhlVJHghTHWYetdmplOQyEpOEbyv+iqKTGDYHzDdgU2jIZ0TKM66iHq+1yft4TatBu75/0N3I+SfZv97vKNehxN/zvIY3FQF4O8qVy9c1dZRmr7q27Wq2pdHSOe4Myg=,iv:YkUXcOwb6UZr0vXazbLrVeGTvBTtnwuEIY3O+GSrnNk=,tag:kQBh7urSnHoiV18TIGlPEg==,type:str] mac: ENC[AES256_GCM,data:DCx4uVuy53Gz9Ha2p/GjxTigKw/dJ0gvWIAII9AtKQCURu1OfiJ6Lp/ht6ndJwn25em11uppN371pQGxa8FRtLL+dX/YgoDmOw3Tgo3lc5VLBzalRqXHInOGHfgv9k1jHNq6zokKbBLDItBnUNOCvsLTXXenVRYdnkiuf3QPGhk=,iv:gBbbH/nJExK/dEXKHo+cCr+rxQ4uJQWweK0lYT7amsM=,tag:9GaCGFrcinqGfpibUNQ75w==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.4 version: 3.9.4