cy/nixos-config
cy/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: cy:7c180248fb4cf47d19007c00a66bb3f27bac5acc
Branches Tags
cy:main
cy:update
cy:2025-04-14
cy:2025-04-07
cy:2025-04-05
cy:2025-04-04
cy:staging
cy:dogfood-nixcp
cy:no-follows
cy:workflow-test
cy:update_flake_lock_action
cy:caddy-s3
cy:workflow-copy
cy:workflow-lix
cy:test-s3-cache
cy:temp
cy:attic
cy:helix
cy:test
cy:lix-test
cy:bitwarden-patch
cy:chromium
cy:new-attic
cy:canary
cy:downgrade-kernel
cy:soju
cy:kde
cy:shiori
cy:caddy-module
cy:anki-overlay
cy:nixpkgs-master
cy:lix
cy:pan-home
cy:pi
cy:pancake
cy:pancake-sd-image
cy:arm
cy:lix-404
cy:customize-kernel
cy:blueprint
cy:flake-utils
cy:conduwuit-flake
cy:ghostty
cy:zen
cy:lact-fix-test
cy:alvr-test
cy:workflow-refactor
cy:bump-conduwuit
cy:gollum
cy:build
cy:nginx
cy:iso
cy:flake-parts
cy:codespace
cy:sway
cy:minio
cy:garage-module
cy:garage-test
cy:vscode
cy:purge
cy:create-pull-request/patch
cy:garage
cy:harmonia
cy:impermanence
...
compare: cy:4e1ac1e3b623a48f68a61272c0ee355bf89a62d9
Branches Tags
cy:main
cy:update
cy:2025-04-14
cy:2025-04-07
cy:2025-04-05
cy:2025-04-04
cy:staging
cy:dogfood-nixcp
cy:no-follows
cy:workflow-test
cy:update_flake_lock_action
cy:caddy-s3
cy:workflow-copy
cy:workflow-lix
cy:test-s3-cache
cy:temp
cy:attic
cy:helix
cy:test
cy:lix-test
cy:bitwarden-patch
cy:chromium
cy:new-attic
cy:canary
cy:downgrade-kernel
cy:soju
cy:kde
cy:shiori
cy:caddy-module
cy:anki-overlay
cy:nixpkgs-master
cy:lix
cy:pan-home
cy:pi
cy:pancake
cy:pancake-sd-image
cy:arm
cy:lix-404
cy:customize-kernel
cy:blueprint
cy:flake-utils
cy:conduwuit-flake
cy:ghostty
cy:zen
cy:lact-fix-test
cy:alvr-test
cy:workflow-refactor
cy:bump-conduwuit
cy:gollum
cy:build
cy:nginx
cy:iso
cy:flake-parts
cy:codespace
cy:sway
cy:minio
cy:garage-module
cy:garage-test
cy:vscode
cy:purge
cy:create-pull-request/patch
cy:garage
cy:harmonia
cy:impermanence

11 commits
7c180248fb ... 4e1ac1e3b6

Author SHA1 Message Date
cy
4e1ac1e3b6
flake.lock: Update 
Flake lock file updates:

• Updated input 'conduwuit':
    'github:girlbossceo/conduwuit/4e5b87d0cd16f3d015f4b61285b369d027bb909d' (2025-04-04)
  → 'github:girlbossceo/conduwuit/d8311a5ff672fdc4729d956af5e3af8646b0670d' (2025-04-09)
• Updated input 'home-manager':
    'github:nix-community/home-manager/ef3b2a6b602c3f1a80c6897d6de3ee62339a3eb7' (2025-04-06)
  → 'github:nix-community/home-manager/e43c6bcb101ba3301522439c459288c4a248f624' (2025-04-11)
• Updated input 'nix-ld':
    'github:nix-community/nix-ld/140451db1cadeef1e7e9e054332b67b7be808916' (2025-03-31)
  → 'github:nix-community/nix-ld/661e260728c51903cab5ad88b938fe4ce502be51' (2025-04-07)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/06f3516b0397bd241bde2daefc8538fc886c5467' (2025-04-05)
  → 'github:nixos/nixpkgs/6f061f35682410185d9a1582601e9241bfa6ad96' (2025-04-11)
• Updated input 'nixpkgs-stable':
    'github:nixos/nixpkgs/7819a0d29d1dd2bc331bec4b327f0776359b1fa6' (2025-04-05)
  → 'github:nixos/nixpkgs/f9ebe33a928b5d529c895202263a5ce46bdf12f7' (2025-04-10)
• Updated input 'rust-overlay':
    'github:oxalica/rust-overlay/9d00c6b69408dd40d067603012938d9fbe95cfcd' (2025-04-06)
  → 'github:oxalica/rust-overlay/5e64aecc018e6f775572609e7d7485fdba6985a7' (2025-04-11)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/523f58a4faff6c67f5f685bed33a7721e984c304' (2025-04-06)
  → 'github:Mic92/sops-nix/69d5a5a4635c27dae5a742f36108beccc506c1ba' (2025-04-08)
• Updated input 'vscode-extensions':
    'github:nix-community/nix-vscode-extensions/da51d4cab526bef885e8c95ab2b9455bfe0940d4' (2025-04-06)
  → 'github:nix-community/nix-vscode-extensions/f0555ec37883d2bddca658cad7bfe995bc195217' (2025-04-11)
 2025-04-11 12:43:44 -04:00
cy
e678d56cad
codium: rm path-intellisense cuz no work 2025-04-07 10:39:22 -04:00
cy
2001228889
ytnix: add systemd to nix-ld 2025-04-07 10:38:44 -04:00
cy
cad11e55f1
add new sk-ed25519 key 2025-04-07 10:38:17 -04:00
cy
d9e6995b92
flake.lock: Update 
Flake lock file updates:

• Updated input 'home-manager':
    'github:nix-community/home-manager/bb036cb35383982066e01a6ac8d45597132cf5d5' (2025-04-04)
  → 'github:nix-community/home-manager/ef3b2a6b602c3f1a80c6897d6de3ee62339a3eb7' (2025-04-06)
• Updated input 'nix-index-database':
    'github:nix-community/nix-index-database/b3696bfb6c24aa61428839a99e8b40c53ac3a82d' (2025-03-30)
  → 'github:nix-community/nix-index-database/a36f6a7148aec2c77d78e4466215cceb2f5f4bfb' (2025-04-06)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/30705076a1748a2b2a1cf0539ea1665eef4d2f4a' (2025-04-04)
  → 'github:nixos/nixpkgs/06f3516b0397bd241bde2daefc8538fc886c5467' (2025-04-05)
• Updated input 'nixpkgs-stable':
    'github:nixos/nixpkgs/44a69ed688786e98a101f02b712c313f1ade37ab' (2025-04-02)
  → 'github:nixos/nixpkgs/7819a0d29d1dd2bc331bec4b327f0776359b1fa6' (2025-04-05)
• Updated input 'rust-overlay':
    'github:oxalica/rust-overlay/c4a8327b0f25d1d81edecbb6105f74d7cf9d7382' (2025-04-03)
  → 'github:oxalica/rust-overlay/9d00c6b69408dd40d067603012938d9fbe95cfcd' (2025-04-06)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/cff8437c5fe8c68fc3a840a21bf1f4dc801da40d' (2025-04-04)
  → 'github:Mic92/sops-nix/523f58a4faff6c67f5f685bed33a7721e984c304' (2025-04-06)
• Updated input 'vscode-extensions':
    'github:nix-community/nix-vscode-extensions/c8270f31af9c37e4fe5711567a6412460e94e9b7' (2025-04-04)
  → 'github:nix-community/nix-vscode-extensions/da51d4cab526bef885e8c95ab2b9455bfe0940d4' (2025-04-06)
 2025-04-06 11:10:37 -04:00
cy
a4bd232336
garage: use 128M block_size and none compression 2025-04-06 11:09:09 -04:00
cy
2b39a5ab53
workflow: nix copy compression zstd 2025-04-06 10:52:27 -04:00
cy
9c859e23e6
authelia: use random client_ids 2025-04-05 18:53:39 -04:00
cy
895052fb20
init karakeep (hoarder) 2025-04-05 16:57:43 -04:00
cy
f7157a11ed
containers: enable daily autoPrune 2025-04-05 16:46:18 -04:00
cy
8ead8c14e3
rm element web 2025-04-05 12:57:19 -04:00
17 changed files with 195 additions and 87 deletions
Download patch file Download diff file Expand all files Collapse all files

4
.github/workflows/build-machines-and-homes.yml vendored
View file

@ -74,7 +74,7 @@ jobs:
run: | run: |
package=".#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel" package=".#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel"
nix run git+https://git.cy7.sh/cy/nixcp.git -- \ nix run git+https://git.cy7.sh/cy/nixcp.git -- \
--to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=none' \ --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=zstd' \
-u https://nix-community.cachix.org \ -u https://nix-community.cachix.org \
-u https://nixcache.web.cy7.sh \ -u https://nixcache.web.cy7.sh \
$package $package
@ -143,7 +143,7 @@ jobs:
run: | run: |
package=".#homeConfigurations."${{ matrix.home }}".activationPackage" package=".#homeConfigurations."${{ matrix.home }}".activationPackage"
nix run git+https://git.cy7.sh/cy/nixcp.git -- \ nix run git+https://git.cy7.sh/cy/nixcp.git -- \
--to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=none' \ --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=zstd' \
-u https://nix-community.cachix.org \ -u https://nix-community.cachix.org \
-u https://nixcache.web.cy7.sh \ -u https://nixcache.web.cy7.sh \
$package $package

2
.github/workflows/build-packages.yml vendored
View file

@ -62,7 +62,7 @@ jobs:
if: '!cancelled()' if: '!cancelled()'
run: | run: |
nix run git+https://git.cy7.sh/cy/nixcp.git -- \ nix run git+https://git.cy7.sh/cy/nixcp.git -- \
--to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=none' \ --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=zstd' \
-u https://nix-community.cachix.org \ -u https://nix-community.cachix.org \
-u https://nixcache.web.cy7.sh \ -u https://nixcache.web.cy7.sh \
"${{ matrix.package }}" "${{ matrix.package }}"

6
.sops.yaml
View file

@ -135,4 +135,10 @@ creation_rules:
- *yt - *yt
- *cy - *cy
- *chunk - *chunk
- path_regex: secrets/services/karakeep.yaml
key_groups:
- age:
- *yt
- *cy
- *chunk

54
flake.lock generated
View file

@ -114,11 +114,11 @@
"rocksdb": "rocksdb" "rocksdb": "rocksdb"
}, },
"locked": { "locked": {
"lastModified": 1743780871, "lastModified": 1744169934,
"narHash": "sha256-xmDepDLHsIWiwpWYjhI40XOrV9jCKrYJQ+EK1EOIdRg=", "narHash": "sha256-5YyHmPUUrXXrczWayji9327knihVTKnmjX+vX6+p6d0=",
"owner": "girlbossceo", "owner": "girlbossceo",
"repo": "conduwuit", "repo": "conduwuit",
"rev": "4e5b87d0cd16f3d015f4b61285b369d027bb909d", "rev": "d8311a5ff672fdc4729d956af5e3af8646b0670d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -610,11 +610,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1743783108, "lastModified": 1744380363,
"narHash": "sha256-Lg1cK7oGCNPOO1ts481m269WmdGNoigz8RNXLRE9Co0=", "narHash": "sha256-cXjAUuAfQDPSLSsckZuTioQ986iqSPTzx8D7dLAcC+Q=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "bb036cb35383982066e01a6ac8d45597132cf5d5", "rev": "e43c6bcb101ba3301522439c459288c4a248f624",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -826,11 +826,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1743306489, "lastModified": 1743911143,
"narHash": "sha256-LROaIjSLo347cwcHRfSpqzEOa2FoLSeJwU4dOrGm55E=", "narHash": "sha256-4j4JPwr0TXHH4ZyorXN5yIcmqIQr0WYacsuPA4ktONo=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-index-database", "repo": "nix-index-database",
"rev": "b3696bfb6c24aa61428839a99e8b40c53ac3a82d", "rev": "a36f6a7148aec2c77d78e4466215cceb2f5f4bfb",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -846,11 +846,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1743410259, "lastModified": 1744019307,
"narHash": "sha256-tjdkPPkRT1Mj72yrpN8oUxYw9SaG8wOQWD3auS1bvSs=", "narHash": "sha256-momo+rjA7KRbeujKxHK5dkZsWztPL0+wzyF28epVAdI=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-ld", "repo": "nix-ld",
"rev": "140451db1cadeef1e7e9e054332b67b7be808916", "rev": "661e260728c51903cab5ad88b938fe4ce502be51",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -909,11 +909,11 @@
}, },
"nixpkgs-stable_3": { "nixpkgs-stable_3": {
"locked": { "locked": {
"lastModified": 1743576891, "lastModified": 1744309437,
"narHash": "sha256-vXiKURtntURybE6FMNFAVpRPr8+e8KoLPrYs9TGuAKc=", "narHash": "sha256-QZnNHM823am8apCqKSPdtnzPGTy2ZB4zIXOVoBp5+W0=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "44a69ed688786e98a101f02b712c313f1ade37ab", "rev": "f9ebe33a928b5d529c895202263a5ce46bdf12f7",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -989,11 +989,11 @@
}, },
"nixpkgs_6": { "nixpkgs_6": {
"locked": { "locked": {
"lastModified": 1743775863, "lastModified": 1744371553,
"narHash": "sha256-gUnR9qcZK/O20oQFn1ijz7Nn66qG2Sp7JprDFl+oQBo=", "narHash": "sha256-KjvhD+DkQsOAggIFyuxSAZIs84UahDb/O9ojpvyFNe0=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "30705076a1748a2b2a1cf0539ea1665eef4d2f4a", "rev": "6f061f35682410185d9a1582601e9241bfa6ad96",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1151,11 +1151,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1743682350, "lastModified": 1744338850,
"narHash": "sha256-S/MyKOFajCiBm5H5laoE59wB6w0NJ4wJG53iAPfYW3k=", "narHash": "sha256-pwMIVmsb8fjjT92n5XFDqCsplcX70qVMMT7NulumPXs=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "c4a8327b0f25d1d81edecbb6105f74d7cf9d7382", "rev": "5e64aecc018e6f775572609e7d7485fdba6985a7",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1171,11 +1171,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1743756170, "lastModified": 1744103455,
"narHash": "sha256-2b11EYa08oqDmF3zEBLkG1AoNn9rB1k39ew/T/mSvbU=", "narHash": "sha256-SR6+qjkPjGQG+8eM4dCcVtss8r9bre/LAxFMPJpaZeU=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "cff8437c5fe8c68fc3a840a21bf1f4dc801da40d", "rev": "69d5a5a4635c27dae5a742f36108beccc506c1ba",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1267,11 +1267,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1743731627, "lastModified": 1744336496,
"narHash": "sha256-gFvZTGlSGCl7MZ5MrihUf7pkIY0zwaUVhl/iUBto/3I=", "narHash": "sha256-9nn2S/nGB0o0pFV3YUV4D6PM/2/w5+V6FpfPs7ByTgI=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-vscode-extensions", "repo": "nix-vscode-extensions",
"rev": "c8270f31af9c37e4fe5711567a6412460e94e9b7", "rev": "f0555ec37883d2bddca658cad7bfe995bc195217",
"type": "github" "type": "github"
}, },
"original": { "original": {

1
home/codium.nix
View file

@ -23,7 +23,6 @@
tamasfe.even-better-toml tamasfe.even-better-toml
golang.go golang.go
ms-python.python ms-python.python
christian-kohler.path-intellisense
]; ];
userSettings = userSettings =
let let

1
home/kitty.nix
View file

@ -21,6 +21,7 @@
# see https://github.com/sharkdp/bat/issues/1077#issuecomment-652785399 # see https://github.com/sharkdp/bat/issues/1077#issuecomment-652785399
"scrollback_pager" = "bat --pager='less -FR +G'"; "scrollback_pager" = "bat --pager='less -FR +G'";
# "scrollback_lines" = 20000; # "scrollback_lines" = 20000;
wheel_scroll_multiplier = 50;
}; };
keybindings = { keybindings = {
# kitty_mod is ctrl+shift by default # kitty_mod is ctrl+shift by default

22
hosts/chunk/default.nix
View file

@ -18,7 +18,6 @@
./grafana.nix ./grafana.nix
./conduwuit.nix ./conduwuit.nix
./immich.nix ./immich.nix
./element.nix
./forgejo.nix ./forgejo.nix
./garage.nix ./garage.nix
./tailscale.nix ./tailscale.nix
@ -47,20 +46,14 @@
"rsyncnet/id_ed25519" = { "rsyncnet/id_ed25519" = {
sopsFile = ../../secrets/zh5061/chunk.yaml; sopsFile = ../../secrets/zh5061/chunk.yaml;
}; };
"attic/env" = {
sopsFile = ../../secrets/services/attic.yaml;
};
"garage/env" = { "garage/env" = {
sopsFile = ../../secrets/services/garage.yaml; sopsFile = ../../secrets/services/garage.yaml;
}; };
"tailscale/auth" = { "tailscale/auth" = {
sopsFile = ../../secrets/services/tailscale.yaml; sopsFile = ../../secrets/services/tailscale.yaml;
}; };
"zipline/env" = { "karakeep/env" = {
sopsFile = ../../secrets/services/zipline.yaml; sopsFile = ../../secrets/services/karakeep.yaml;
};
"searx/env" = {
sopsFile = ../../secrets/services/searx.yaml;
}; };
}; };
@ -145,13 +138,15 @@
"podman" "podman"
]; ];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfubDWr0kRm2o4DqaK6l1s4NCdTkljXZWKWCiF5nX+6" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfubDWr0kRm2o4DqaK6l1s4NCdTkljXZWKWCiF5nX+6"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIA/IX9OFEhHS9Dl8nrtHkL7j7hhy7in9OAY/hVuzEGL0AAAABHNzaDo="
]; ];
}; };
users.users.root.openssh.authorizedKeys.keys = [ users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfubDWr0kRm2o4DqaK6l1s4NCdTkljXZWKWCiF5nX+6" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfubDWr0kRm2o4DqaK6l1s4NCdTkljXZWKWCiF5nX+6"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIA/IX9OFEhHS9Dl8nrtHkL7j7hhy7in9OAY/hVuzEGL0AAAABHNzaDo="
]; ];
# for forgejo # for forgejo
users.users.git = { users.users.git = {
@ -187,9 +182,10 @@
programs.git.enable = true; programs.git.enable = true;
my.caddy.enable = true; my.caddy.enable = true;
# container stuff
my.containerization.enable = true; my.containerization.enable = true;
my.authelia.enable = true; my.authelia.enable = true;
my.karakeep = {
enable = true;
dataDir = "/opt/karakeep";
};
} }

33
hosts/chunk/element.nix
View file

@ -1,33 +0,0 @@
{
pkgs,
config,
...
}:
{
virtualisation.oci-containers.containers.element = {
image = "vectorim/element-web";
autoStart = true;
ports = [ "127.0.0.1:8089:8089" ];
pull = "newer";
networks = [ "element-net" ];
environment = {
ELEMENT_WEB_PORT = "8089";
};
};
systemd.services.create-element-net = {
serviceConfig.Type = "oneshot";
wantedBy = with config.virtualisation.oci-containers; [
"${backend}-element.service"
];
script = ''
${pkgs.podman}/bin/podman network exists element-net || \
${pkgs.podman}/bin/podman network create element-net
'';
};
services.caddy.virtualHosts."element.cy7.sh".extraConfig = ''
import common
reverse_proxy localhost:8089
'';
}

5
hosts/chunk/garage.nix
View file

@ -17,11 +17,12 @@
}; };
admin.api_bind_addr = "[::]:3903"; admin.api_bind_addr = "[::]:3903";
rpc_bind_addr = "[::]:3901"; rpc_bind_addr = "[::]:3901";
rpc_public_addr = "100.122.132.30:3901";
replication_factor = 1; replication_factor = 1;
db_engine = "lmdb"; db_engine = "lmdb";
disable_scrub = true; disable_scrub = true;
block_size = "16M"; block_size = "128M";
compression_level = 3; compression_level = "none";
}; };
environmentFile = config.sops.secrets."garage/env".path; environmentFile = config.sops.secrets."garage/env".path;
logLevel = "warn"; logLevel = "warn";

2
hosts/ytnix/default.nix
View file

@ -274,7 +274,6 @@
enable = true; enable = true;
# nix run github:thiagokokada/nix-alien#nix-alien-find-libs ./<binary> # nix run github:thiagokokada/nix-alien#nix-alien-find-libs ./<binary>
libraries = with pkgs; [ libraries = with pkgs; [
# TODO: revisit what we actually need
mesa mesa
extest extest
stdenv.cc.cc stdenv.cc.cc
@ -330,6 +329,7 @@
pcre2 pcre2
gsettings-desktop-schemas gsettings-desktop-schemas
fzf fzf
systemd
]; ];
}; };
programs.evolution.enable = true; programs.evolution.enable = true;

22
modules/authelia.nix
View file

@ -49,9 +49,14 @@ in
webauthn = { webauthn = {
enable_passkey_login = true; enable_passkey_login = true;
}; };
identity_providers.oidc.claims_policies = {
# https://github.com/karakeep-app/karakeep/issues/410
# https://www.authelia.com/integration/openid-connect/openid-connect-1.0-claims/#restore-functionality-prior-to-claims-parameter
karakeep.id_token = [ "email" ];
};
identity_providers.oidc.clients = [ identity_providers.oidc.clients = [
{ {
client_id = "immich"; client_id = "4EIrpRb9rnwHWjYWvlz2gYrtTmoOLF1D5gqXw28BvmOS0f-9T2p4CFwuctf4Co1hkpo2sd4Y";
client_name = "immich"; client_name = "immich";
client_secret = "$argon2id$v=19$m=65536,t=3,p=4$Vny2G8EbSPafSwnIuq2Zkg$eF2om4WDEaqCFmrAG27h2mYl+cXxXyttPJ7gaPLs+f8"; client_secret = "$argon2id$v=19$m=65536,t=3,p=4$Vny2G8EbSPafSwnIuq2Zkg$eF2om4WDEaqCFmrAG27h2mYl+cXxXyttPJ7gaPLs+f8";
public = false; public = false;
@ -65,7 +70,7 @@ in
userinfo_signed_response_alg = "none"; userinfo_signed_response_alg = "none";
} }
{ {
client_id = "forgejo"; client_id = "_kuUEYxyfXjInJCniwugpw2Qn6iI-YW24NOkHZG~63BAhnAACDZ.xsLqOdGghj2DNZxXR0sU";
client_name = "Forgejo"; client_name = "Forgejo";
client_secret = "$argon2id$v=19$m=65536,t=3,p=4$O2O5r/7A8hc4EMvernQ4Dw$YOVqtwY3jv0HlcxmviPq2CRnD7Dw85V9KDtTSUQE7bA"; client_secret = "$argon2id$v=19$m=65536,t=3,p=4$O2O5r/7A8hc4EMvernQ4Dw$YOVqtwY3jv0HlcxmviPq2CRnD7Dw85V9KDtTSUQE7bA";
public = false; public = false;
@ -78,7 +83,7 @@ in
token_endpoint_auth_method = "client_secret_basic"; token_endpoint_auth_method = "client_secret_basic";
} }
{ {
client_id = "hedgedoc"; client_id = "b_ITCG0uNzy9lZ5nVC~Ny5R35te8I3hoQW1uraCbdxeiE9VuiCIelMmZZ7dAZLg_anTUWSQG";
client_name = "HedgeDoc"; client_name = "HedgeDoc";
client_secret = "$argon2id$v=19$m=65536,t=3,p=4$MFSXW3gjIZf0M3e8s8RJCg$6KWwksJe2vdUebPEdYc0Zy88fzGcHPrbStcqkiXl+Hg"; client_secret = "$argon2id$v=19$m=65536,t=3,p=4$MFSXW3gjIZf0M3e8s8RJCg$6KWwksJe2vdUebPEdYc0Zy88fzGcHPrbStcqkiXl+Hg";
public = false; public = false;
@ -94,6 +99,17 @@ in
audience = []; audience = [];
token_endpoint_auth_method = "client_secret_post"; token_endpoint_auth_method = "client_secret_post";
} }
{
client_id = "0SbsGvw5APYJ4px~dv38rCVgXtK2XWrF1QvyuaFz48cgsNm-rAXkSgNOctfxS21IWOFSfsm5";
client_name = "Karakeep";
client_secret = "$pbkdf2-sha512$310000$4UanDZq.6oholJW3CmKwtQ$9e3hqR8qGU4LoneR/Y9jtJTx0iSzATI4iXymrs8QrmGw4JY1BPF4.IJ9Jbc.8cikU4qpfUIFO6r2dG7JHznCnw";
public = false;
authorization_policy = "two_factor";
redirect_uris = [ "https://keep.cy7.sh/api/auth/callback/custom" ];
scopes = [ "openid" "profile" "email" ];
userinfo_signed_response_alg = "none";
claims_policy = "karakeep";
}
]; ];
}; };
secrets = { secrets = {

3
modules/caddy.nix
View file

@ -49,7 +49,8 @@ in
respond / 200 { respond / 200 {
body "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfubDWr0kRm2o4DqaK6l1s4NCdTkljXZWKWCiF5nX+6 body "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfubDWr0kRm2o4DqaK6l1s4NCdTkljXZWKWCiF5nX+6
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPhUt9h5dCcrwOrZNKkStCX5OxumPzEwYXSU/0DgtWgP ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPhUt9h5dCcrwOrZNKkStCX5OxumPzEwYXSU/0DgtWgP
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyn2+OoRN4nExti+vFQ1NHEZip0slAoCH9C5/FzvgZD" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyn2+OoRN4nExti+vFQ1NHEZip0slAoCH9C5/FzvgZD
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIA/IX9OFEhHS9Dl8nrtHkL7j7hhy7in9OAY/hVuzEGL0AAAABHNzaDo="
} }
''; '';
}; };

4
modules/containerization.nix
View file

@ -30,6 +30,10 @@ in
}; };
# answer on /var/run/docker.sock # answer on /var/run/docker.sock
dockerSocket.enable = true; dockerSocket.enable = true;
autoPrune = {
enable = true;
dates = "daily";
};
}; };
docker.enable = lib.mkIf (!cfg.usePodman) true; docker.enable = lib.mkIf (!cfg.usePodman) true;
oci-containers.backend = lib.mkIf (!cfg.usePodman) "docker"; oci-containers.backend = lib.mkIf (!cfg.usePodman) "docker";

1
modules/default.nix
View file

@ -10,5 +10,6 @@
./searx.nix ./searx.nix
./attic.nix ./attic.nix
./authelia.nix ./authelia.nix
./karakeep.nix
]; ];
} }

81
modules/karakeep.nix Normal file
View file

@ -0,0 +1,81 @@
{ config, lib, ... }:
let
cfg = config.my.karakeep;
in
{
options.my.karakeep = {
enable = lib.mkEnableOption "karakeep";
dataDir = lib.mkOption {
type = lib.types.path;
};
port = lib.mkOption {
default = 3002;
description = "port for the web service";
type = lib.types.port;
};
domain = lib.mkOption {
default = "keep.cy7.sh";
type = lib.types.str;
};
environmentFile = lib.mkOption {
default = config.sops.secrets."karakeep/env".path;
type = lib.types.path;
};
};
config = lib.mkIf cfg.enable {
virtualisation.oci-containers.containers = {
karakeep-web = {
image = "ghcr.io/karakeep-app/karakeep:release";
pull = "newer";
volumes = [ "${cfg.dataDir}:/data" ];
ports = [ "${toString cfg.port}:3000"];
dependsOn = [
"karakeep-chrome"
"karakeep-meilisearch"
];
environment = {
MEILI_ADDR = "http://karakeep-meilisearch:7700";
BROWSER_WEB_URL = "http://karakeep-chrome:9222";
DATA_DIR = "/data";
NEXTAUTH_URL = "https://${cfg.domain}";
DISABLE_PASSWORD_AUTH = "true";
OAUTH_WELLKNOWN_URL = "https://auth.cy7.sh/.well-known/openid-configuration";
OAUTH_CLIENT_ID = "0SbsGvw5APYJ4px~dv38rCVgXtK2XWrF1QvyuaFz48cgsNm-rAXkSgNOctfxS21IWOFSfsm5";
OAUTH_PROVIDER_NAME = "Authelia";
OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING = "true";
};
# needs NEXTAUTH_SECRET
environmentFiles = [ "${cfg.environmentFile}" ];
};
karakeep-chrome = {
image = "ghcr.io/zenika/alpine-chrome:latest";
pull = "newer";
cmd = [
"--no-sandbox"
"--disable-gpu"
"--disable-dev-shm-usage"
"--remote-debugging-address=0.0.0.0"
"--remote-debugging-port=9222"
"--hide-scrollbars"
];
};
karakeep-meilisearch = {
image = "getmeili/meilisearch:latest";
volumes = [ "meilisearch:/meili_data" ];
environment = {
MEILI_NO_ANALYTICS = "true";
};
# needs MEILI_MASTER_KEY
environmentFiles = [ "${cfg.environmentFile}" ];
};
};
services.caddy.virtualHosts.${cfg.domain}.extraConfig = ''
import common
reverse_proxy localhost:${toString cfg.port}
'';
};
}

6
secrets/services/hedgedoc.yaml
View file

@ -1,5 +1,5 @@
hedgedoc: hedgedoc:
env: ENC[AES256_GCM,data:hU4Ht9WkWknuYJ3yHZSm5o22wlssTNjPDZvgDi9DGEh8ULt2GzrEHfFHI9VcpyrbsLcw7HT5TuYrPibWMk4AEvqlZT/6UiyQFMso9mac6x7esf55RHTXr4F7gyC/eRDUE+mAzyhjB5xKaCUhaQpMOwA2t0zahtiaCzLvi/DXRo1jiB42Xt8Nwi1D+zRT3T/HYD8l7D+SZQQc6HC+WM/y7RIjEPcDeX/wTk+JqiGW++0D3GxCQgq6VOhw7EM4hs5aR659QVNICT9kJt9nxEsyU84nsws4MHzU53BvEY77rYZPvvrBSFJ+TnQJ0c/e8K2G9mgaEGkk/+Rmx3RbPQKuTNCzAJZ0m9g9XSwMHU/z5KkrxcI6xU1+JqpdL2Rx35JiNxbNNrlQSvXJFuGNSf0Z5l8RirKJL4HJXAsIPVZTxeJJ0rQflyb5hN63KH/vUTHJWucAFSRYwLHOgs4Yu7SKJjnWnrLYAK9K/eRprhe3Np3vTed13soZXjdB1Jz6lz3lUxZ4TpOb6E8rGt33GqACTp04DBkyUaxMg7fOQIi0riev9GcGNy1kQkDC5dOwWyQdSICIavBrL+4WRoK8xhsEMY8K58+TYfIm3XnWz6pSEl7OzdGNSFZJuwAPzGS065bCjHIlMxIUKlbx4rmGvecIGRLoa5a5XpFwVwPlH8IJ8LvDPXqyIBquL6IsoCNi+jVy7UV52WldqAAeC3+UJtD8LJj1FaWLkoshkSbcr5veZLtBnpOZsiPXtkn1qgRhCB0QjzNwz+AOJCamSn1R+i+JJN6Wja3mJytCrtoj0M6cc1beJBbam4PgxWd1CJE3zhstuqoktn9LdDZ3qNjPgRY3q4FPbjo53XvQQi/NgnPztMg2z7Rj8yeNtG+HjL2pfXIw9AXZwc19D+T7M5hR7jlD3117o+K2CeaC+wgfXPZ/xzIbhg==,iv:gvSOTStLJ5R4UaXj7gXQDCF4TAgway12yh1BtGz1Mvs=,tag:Jt+daURO+t8HME/m7tLEIw==,type:str] env: ENC[AES256_GCM,data:9xnOlQrk1qCyiAHSjmu8dvj2/z/BrJlngNGAQnMwvLsL0pnyvvyJLnYWTDYix1a9o8OJUNLw6Qhq7KbY4uXfxsNZkfGdVHwvkvhySjR2rcX/r90txqHJUUIxE/TzdsBvonzQ0F85KfXhsi69gKHp016gCj+jNf6CCY+tOVpt71el4Z+jzqLHasuQET8GctKJRzHOfNfCx/X2kJeb7RQl3JFC6/VmYT45bUk7uFfveFD9ao03wJwLKi27wO1WDrfpOigFdvkmqpbWZjaILYHYmkdhdlhr7w330CiCmGHT/ssmSPcu5cYUc8tjYPgpYLjusiUzpE5jmut5GaNwZsY9hNuow/mUVnQ/tCDH0ChOq0DQisJ07VMYlRII9tMdcuT4IbjjwiRcYlORAHsTFUuo5DCaDp8a4mx846BGp1YMQsvqJQgOe4x15VMpeB/ptxm79qxcLZKZ3BkiJaKmDdWsVk9RfqVgsxqiq16Me2EQhknO2s/oBjGOaoIiT4NEuRFQl0BIPgIMD0lYzKx0uDaYyclID5W0DqMI+SrcBd+WH/BB9HPdZx92rFe34PzjZse0i6+5UZHXUu8au6CyLMqGkUlzkSFwVT5W7Lv2m9P3+6YjgPRMaYbg8b6kmavB6EtjiqWtTbMKr3nxPVYJc5FRImvebfFqiLy5MWoNV6Qe7TUGIk6QtX2OWBhQ1UB+IpR+180QH7yw7UpgJ9EM8dD2m2/smar5P0BjAaqAFib++GzoB0OfFtxJNUjrejQC11tRWBXYvcHWwa78VbKPul0xqiEMmsAZufMix4lD1EgutTf1CXfv7l0rUpLwkYbWIq2hT5UI53L0YWJDl7zlhi94ANdXV8z8kCvMeXm2Fwl/vIgJ9JuFeVeVYPpXwx2coLBwE6uI4SuFvY1d4ojvzY8KftcHWO7srVzpuwrwW+6gKLwPQyEazv+sRKXAGo0ffMO2/2KRgOu9zGwaOFaNDAZ6gYFDWbPz6TMfNWHzfLEFK5BlVAL8KDb78IODUBYcMr2CX1Y=,iv:LDkuJgxIbohEVf7wmdtOZ/vlPddMYa7uzHGkL+0MnUM=,tag:pnJiCJydjTmUbS761fPUPw==,type:str]
sops: sops:
age: age:
- recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn - recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn
@ -20,7 +20,7 @@ sops:
enlDZEI2NElkZkI3UmRyQUZqQWE5ZmcK2JlwNzVJNhGjyniIg9UY5tjgUKttkT3e enlDZEI2NElkZkI3UmRyQUZqQWE5ZmcK2JlwNzVJNhGjyniIg9UY5tjgUKttkT3e
9C/xag3dQCiqzX1O3o5tdhYnxXw+VxVf+qTFyyuftg5iQPZNuvX6mA== 9C/xag3dQCiqzX1O3o5tdhYnxXw+VxVf+qTFyyuftg5iQPZNuvX6mA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-04T17:04:50Z" lastmodified: "2025-04-05T21:08:15Z"
mac: ENC[AES256_GCM,data:RRkdyrxwrFs3r0SaNred5zTpz5CKf043+KWkFSvPFh0RbvIVyxzJKyfL9r7erifEMhPRJ7Hz5GKE4RAPA9yRLkA9C+416sZKfwdopqAe6zSRt4zd0QOPMdc2z3+07+1SP2ay/ZYCn6jjIyoBaki3t0DMv7e9a/OzFv3WfyjG/rg=,iv:K41muQnynaGoZsBquNF0SNFgssLF9KGzBz8siagI+38=,tag:jkWbWBloSbUSJXl9jedAMQ==,type:str] mac: ENC[AES256_GCM,data:cPisYUoZWd/vd+wWzz3xTnftj1RdjK20dWFo+MKssm/eu7eCOWDIaZdcJg13gkTleBpMWQy/mG1drC6GLfGQiBmkS99UCPAoo0aLTBL4FbSm6FEXdbVjoOI7URu6Sj31drWCMAm+lXYymWsHwZJrNLhjsCTQsxTPvFq8oOdNlXo=,iv:KpmJoZ/BGEEhZ75jXfXxegNglm7k6mtleRuVud6tX2g=,tag:lsiqX+YSz4mGK6mw9gdKNg==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.10.1 version: 3.10.1

35
secrets/services/karakeep.yaml Normal file
View file

@ -0,0 +1,35 @@
karakeep:
env: ENC[AES256_GCM,data:SWc26EQaKR5d9hMDYzVHA/r7XfjwFZ0d44Co0IS6OayR24ej7yqLAtkNttROKoKFuYc0sHgN9bOy4MyX0s3qiSWYovIIUJgFiJjPQFYDAo+50WR4+5W5FgvYI6e42fcWrQhaCXWQrDyzch/zT2OITZsjXcQhT5E+IiPLVkaGOjGptE07GjM7ZXI4UxBzINFQOhxdfIO0km1o6Wq8GhJdWsz4exz4ahRslR+WjK/flV2GZVAj6EHSJ5sHohm74QlhxaShEbc/8IKP6R2gSjBFP7l8VvwFyIUD9sLzYGvS3iU=,iv:gSPQU0bZ+VRFbuaNDc90dW0ogWX2SMH7kewtq/u/11E=,tag:L0Y4EWSQUhcn2eHt+yZ7qQ==,type:str]
sops:
age:
- recipient: age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIaWQ1Q1JwRHJxQjNjdTAx
TXRsWjVZOG1mNEptNVhscHBaK2I5MHhjdlFjCkNqOEhwT3hyOHpHQ2k0ZmowUXB4
eks2dlpUS0V6VjBEYW9UWnhFOEw4VGsKLS0tIFo2a0FTRE5WdHBGVW5DOUFkaE9p
bitvUnJXSnB6UnV3VTEzSjlSYmEwVUEKHOwFCRu+SIyM0uJ6bNEAo+MMlsc8la6G
bLYdCoykcBu+uVXqn3BYTbrS5ylQMRYcbcPFJw5BVdmjIYF4LU5W6A==
-----END AGE ENCRYPTED FILE-----
- recipient: age10h6pg5qdpc4t0rpmksfv788a57f04n83zgqaezkjjn65nkhv547s0vxfdn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrU2ZnNVAyeVdJeHlTSW1x
QUhKRzlNclVUWE1ucHFLZW5sL1lnUDhkd0Y4CjFuekNEOE1icDNqL1JyT0hEYW16
Q2VyajJFWWtGUnBzOENGOEZHbWROZzAKLS0tIE8wMVc3TkV5Y1VyenIvOW02NDNq
cStTeUcvY1pJWEN2MzFEeThKT0JPc1EKXrtVG49a6YZVKiL1F8Xg3t3niTYv3LwN
NeAQ8srV0F6ckky7OCkvUp9GInZCWRzULXV/x+4IUb6C+KQaNm2vYA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdDdUSUlmMk5VcytyT01N
UmRaK2k5Wkh5SlhPT3QrczY2eW9vZk5KWFZBCnBteitnNFlHdWRaaTRxSWYvYmtG
ZnY5ZXlYa3Z5aENlRy9BQjVSU1F3UzQKLS0tIFpjN1dOaWNKaU9PaENyaXc1K3BU
K2orZ0Y2Z05LSUZ5WHQ4TnVVY0QwSzQKiUQT4aSxXnaq0kEMp+q5WnIUoGypEmZ+
DQEhkB9yu/BrkjXH+HGQr1W5B4sJyb5rnl0+SQ+IypRIRyaX4CdFxg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-05T19:44:58Z"
mac: ENC[AES256_GCM,data:OmqsJI9BaICOTiH1cq4gZlNBbkAxn/pAOWBtkIjHdqpikABLG6fMY+sLpyeaovXjexIj9MZk7fPmV8dRZ5VNLHCqlYXK/cVoQBZ2HK+p/cGTAFelNAShu9NSgZdFmVgJJtOjVvFp8dtuY8VcQj861k/MPX0mNZt9pmXYdumjpNM=,iv:efHkp1KUctwtCjG9A8i5qs7nQfQqv2ya1yYlHHOt8pU=,tag:4lChpspl0oOUMiXzvGuA2Q==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.1