cy/nixos-config
cy/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: cy:fba0d4120d32c667a5cb49c6ad4687491fbf1536
Branches Tags
cy:main
cy:update
cy:2025-04-14
cy:2025-04-07
cy:2025-04-05
cy:2025-04-04
cy:staging
cy:dogfood-nixcp
cy:no-follows
cy:workflow-test
cy:update_flake_lock_action
cy:caddy-s3
cy:workflow-copy
cy:workflow-lix
cy:test-s3-cache
cy:temp
cy:attic
cy:helix
cy:test
cy:lix-test
cy:bitwarden-patch
cy:chromium
cy:new-attic
cy:canary
cy:downgrade-kernel
cy:soju
cy:kde
cy:shiori
cy:caddy-module
cy:anki-overlay
cy:nixpkgs-master
cy:lix
cy:pan-home
cy:pi
cy:pancake
cy:pancake-sd-image
cy:arm
cy:lix-404
cy:customize-kernel
cy:blueprint
cy:flake-utils
cy:conduwuit-flake
cy:ghostty
cy:zen
cy:lact-fix-test
cy:alvr-test
cy:workflow-refactor
cy:bump-conduwuit
cy:gollum
cy:build
cy:nginx
cy:iso
cy:flake-parts
cy:codespace
cy:sway
cy:minio
cy:garage-module
cy:garage-test
cy:vscode
cy:purge
cy:create-pull-request/patch
cy:garage
cy:harmonia
cy:impermanence
..
compare: cy:5b5418e325472ea7c61ea0ebf2face5435083405
Branches Tags
cy:main
cy:update
cy:2025-04-14
cy:2025-04-07
cy:2025-04-05
cy:2025-04-04
cy:staging
cy:dogfood-nixcp
cy:no-follows
cy:workflow-test
cy:update_flake_lock_action
cy:caddy-s3
cy:workflow-copy
cy:workflow-lix
cy:test-s3-cache
cy:temp
cy:attic
cy:helix
cy:test
cy:lix-test
cy:bitwarden-patch
cy:chromium
cy:new-attic
cy:canary
cy:downgrade-kernel
cy:soju
cy:kde
cy:shiori
cy:caddy-module
cy:anki-overlay
cy:nixpkgs-master
cy:lix
cy:pan-home
cy:pi
cy:pancake
cy:pancake-sd-image
cy:arm
cy:lix-404
cy:customize-kernel
cy:blueprint
cy:flake-utils
cy:conduwuit-flake
cy:ghostty
cy:zen
cy:lact-fix-test
cy:alvr-test
cy:workflow-refactor
cy:bump-conduwuit
cy:gollum
cy:build
cy:nginx
cy:iso
cy:flake-parts
cy:codespace
cy:sway
cy:minio
cy:garage-module
cy:garage-test
cy:vscode
cy:purge
cy:create-pull-request/patch
cy:garage
cy:harmonia
cy:impermanence

13 commits
fba0d4120d ... 5b5418e325

Author SHA1 Message Date
cy
5b5418e325
fix garage mainProgram 2025-03-14 00:48:18 -04:00
cy
ccc27bb9cc
fix leftover 2025-03-14 00:36:36 -04:00
cy
bd97413dfa
overlay garage 2025-03-13 21:09:04 -04:00
cy
fef8deac66
workflow: fix artifact name 2025-03-13 18:15:45 -04:00
cy
8da2d56d6d
workflow: fix 2025-03-13 18:11:55 -04:00
cy
2b5322cb72
workflow: install attic instead of nix run 2025-03-13 17:15:53 -04:00
cy
ffcb42f833
workflow: fix cache for nixos and home 2025-03-13 16:43:34 -04:00
cy
2f7ebbdcaf
workflow: test new way to cache 2025-03-13 15:59:29 -04:00
cy
1067cba34b
workflow: make tarball before uploading 2025-03-13 14:59:35 -04:00
cy
39e1b2dcaf
workflow: upload result as artifact 2025-03-13 14:42:36 -04:00
cy
8209ff70ff
workflow: use attic cache for packages too 2025-03-13 14:30:02 -04:00
cy
7a971e519a
fix attic install, use faster nix installer, rm cachix 2025-03-13 13:57:46 -04:00
cy
fb416ea817
test workflow 2025-03-13 13:43:35 -04:00
23 changed files with 181 additions and 176 deletions
Download patch file Download diff file Expand all files Collapse all files

47
.github/workflows/build-machines-and-homes.yml vendored
View file

@ -13,6 +13,7 @@ env:
extra-experimental-features = nix-command flakes extra-experimental-features = nix-command flakes
accept-flake-config = true accept-flake-config = true
TERM: ansi TERM: ansi
jobs: jobs:
build-machines: build-machines:
strategy: strategy:
@ -36,12 +37,15 @@ jobs:
remove-codeql: 'true' remove-codeql: 'true'
remove-docker-images: 'true' remove-docker-images: 'true'
build-mount-path: /nix build-mount-path: /nix
- name: Install Nix - name: Install Nix
uses: nixbuild/nix-quick-install-action@master uses: nixbuild/nix-quick-install-action@master
- name: Sync repository - name: Sync repository
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
persist-credentials: false persist-credentials: false
- name: Restore and cache Nix store - name: Restore and cache Nix store
uses: nix-community/cache-nix-action@v5.1.0 uses: nix-community/cache-nix-action@v5.1.0
with: with:
@ -59,24 +63,32 @@ jobs:
purge-primary-key: never purge-primary-key: never
# always save the cache # always save the cache
save-always: true save-always: true
- name: setup attic - name: setup attic
run: | run: |
nix profile install github:zhaofengli/attic nix profile install github:zhaofengli/attic
attic login cy7 https://cache.cy7.sh "$ATTIC_TOKEN" attic login cy7 https://cache.cy7.sh "$ATTIC_TOKEN"
- name: build
- name: build and cache
run: | run: |
package=".#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel" package=".#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel"
nix build -L "$package" nix build -L "$package"
- name: cache
if: always()
run: |
package=".#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel"
derivation="$(nix path-info --derivation "$package")" derivation="$(nix path-info --derivation "$package")"
cache="$(nix-store --query --requisites --include-outputs "$derivation")" cache="$(nix-store --query --requisites --include-outputs "$derivation")"
xargs attic push main <<< "$cache" attic push main --stdin <<< "$cache"
- name: prepare tarball to upload
run: nix run github:nixos/nixpkgs#gnutar hcvf result.tar result
- name: upload result
uses: actions/upload-artifact@v4
with:
name: ${{ matrix.machine }}-${{ matrix.os }}
path: result.tar
if-no-files-found: error
build-homes: build-homes:
strategy: strategy:
fail-fast: false
matrix: matrix:
home: home:
- yt@ytnix - yt@ytnix
@ -97,11 +109,14 @@ jobs:
remove-codeql: 'true' remove-codeql: 'true'
remove-docker-images: 'true' remove-docker-images: 'true'
build-mount-path: /nix build-mount-path: /nix
- uses: nixbuild/nix-quick-install-action@master - uses: nixbuild/nix-quick-install-action@master
- name: Sync repository - name: Sync repository
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
persist-credentials: false persist-credentials: false
- name: Restore and cache Nix store - name: Restore and cache Nix store
uses: nix-community/cache-nix-action@v5.1.0 uses: nix-community/cache-nix-action@v5.1.0
with: with:
@ -119,18 +134,26 @@ jobs:
purge-primary-key: never purge-primary-key: never
# always save the cache # always save the cache
save-always: true save-always: true
- name: setup attic - name: setup attic
run: | run: |
nix profile install github:zhaofengli/attic nix profile install github:zhaofengli/attic
attic login cy7 https://cache.cy7.sh "$ATTIC_TOKEN" attic login cy7 https://cache.cy7.sh "$ATTIC_TOKEN"
- name: build
- name: build and cache
run: | run: |
package=".#homeConfigurations."${{ matrix.home }}".activationPackage" package=".#homeConfigurations."${{ matrix.home }}".activationPackage"
nix build -L "$package" nix build -L "$package"
- name: cache
if: always()
run: |
package=".#homeConfigurations."${{ matrix.home }}".activationPackage"
derivation="$(nix path-info --derivation "$package")" derivation="$(nix path-info --derivation "$package")"
cache="$(nix-store --query --requisites --include-outputs "$derivation")" cache="$(nix-store --query --requisites --include-outputs "$derivation")"
attic push main --stdin <<< "$cache" attic push main --stdin <<< "$cache"
- name: prepare tarball to upload
run: nix run github:nixos/nixpkgs#gnutar hcvf result.tar result
- name: upload result
uses: actions/upload-artifact@v4
with:
name: ${{ matrix.home }}-${{ matrix.os }}
path: result.tar
if-no-files-found: error

11
.github/workflows/build-packages.yml vendored
View file

@ -16,6 +16,7 @@ env:
extra-experimental-features = nix-command flakes extra-experimental-features = nix-command flakes
accept-flake-config = true accept-flake-config = true
TERM: ansi TERM: ansi
jobs: jobs:
build-packages: build-packages:
strategy: strategy:
@ -28,27 +29,33 @@ jobs:
- ubuntu-24.04-arm - ubuntu-24.04-arm
- macos-latest - macos-latest
- macos-13 - macos-13
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:
- name: Install Nix - name: Install Nix
uses: cachix/install-nix-action@v30 uses: cachix/install-nix-action@v30
- name: Sync repository - name: Sync repository
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
persist-credentials: false persist-credentials: false
- name: setup attic - name: setup attic
run: | run: |
nix profile install github:zhaofengli/attic nix profile install github:zhaofengli/attic
attic login cy7 https://cache.cy7.sh "$ATTIC_TOKEN" attic login cy7 https://cache.cy7.sh "$ATTIC_TOKEN"
- run: nix build -L ${{ matrix.package }} - run: nix build -L ${{ matrix.package }}
- name: cache result - name: cache result
if: always()
run: | run: |
derivation="$(nix path-info --derivation "${{ matrix.package }}")" derivation="$(nix path-info --derivation "${{ matrix.package }}")"
cache="$(nix-store --query --requisites --include-outputs "$derivation")" cache="$(nix-store --query --requisites --include-outputs "$derivation")"
xargs attic push main <<< "$cache" attic push main --stdin <<< "$cache"
- name: prepare tarball to upload - name: prepare tarball to upload
run: nix run github:nixos/nixpkgs#gnutar hcvf result.tar result run: nix run github:nixos/nixpkgs#gnutar hcvf result.tar result
- name: upload result - name: upload result
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@v4
with: with:

1
.sops.yaml
View file

@ -118,6 +118,7 @@ creation_rules:
- age: - age:
- *chunk - *chunk
- *cy - *cy
- path_regex: secrets/services/searx.yaml - path_regex: secrets/services/searx.yaml
key_groups: key_groups:
- age: - age:

5
flake.nix
View file

@ -113,12 +113,17 @@
nixConfig = { nixConfig = {
extra-substituters = [ extra-substituters = [
"https://nix-community.cachix.org" "https://nix-community.cachix.org"
"https://cache.garnix.io"
"https://cything.cachix.org"
"https://cache.cy7.sh/main" "https://cache.cy7.sh/main"
]; ];
extra-trusted-public-keys = [ extra-trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
"cything.cachix.org-1:xqW1W5NNL+wrM9wfSELb0MLj/harD2ZyB4HbdaMyvPI="
"main:Ku31HoEWcBtfggge2VGj+QTkVrQuIwRIMGyfV/5VQP0=" "main:Ku31HoEWcBtfggge2VGj+QTkVrQuIwRIMGyfV/5VQP0="
]; ];
builders-use-substitutes = true;
}; };
outputs = outputs =

5
home/codium.nix
View file

@ -10,7 +10,8 @@
extensions = extensions =
# if unfree # if unfree
# with pkgs.vscode-marketplace; # with pkgs.vscode-marketplace;
with pkgs.open-vsx; [ with pkgs.open-vsx;
[
vscodevim.vim vscodevim.vim
jnoortheen.nix-ide jnoortheen.nix-ide
github.github-vscode-theme github.github-vscode-theme
@ -20,8 +21,6 @@
tomrijndorp.find-it-faster tomrijndorp.find-it-faster
streetsidesoftware.code-spell-checker streetsidesoftware.code-spell-checker
emilast.logfilehighlighter emilast.logfilehighlighter
tamasfe.even-better-toml
golang.go
]; ];
userSettings = userSettings =
let let

5
home/yt/ytnix.nix
View file

@ -102,7 +102,6 @@
pixelflasher pixelflasher
element-desktop element-desktop
freetube freetube
gopls
]; ];
home.sessionVariables = { home.sessionVariables = {
@ -113,13 +112,13 @@
RUSTC_WRAPPER = "${lib.getExe pkgs.sccache}"; RUSTC_WRAPPER = "${lib.getExe pkgs.sccache}";
SCCACHE_BUCKET = "sccache"; SCCACHE_BUCKET = "sccache";
SCCACHE_REGION = "us-east-1"; SCCACHE_REGION = "us-east-1";
SCCACHE_ENDPOINT = "https://s3.cy7.sh"; SCCACHE_ENDPOINT = "https://e3e97aac307d106a7becea43cef8fcbd.r2.cloudflarestorage.com";
SCCACHE_ALLOW_CORE_DUMPS = "true"; SCCACHE_ALLOW_CORE_DUMPS = "true";
SCCACHE_S3_USE_SSL = "true"; SCCACHE_S3_USE_SSL = "true";
SCCACHE_CACHE_MULTIARCH = "true"; SCCACHE_CACHE_MULTIARCH = "true";
SCCACHE_LOG = "warn"; SCCACHE_LOG = "warn";
AWS_DEFAULT_REGION = "us-east-1"; AWS_DEFAULT_REGION = "us-east-1";
AWS_ENDPOINT_URL = "https://s3.cy7.sh"; AWS_ENDPOINT_URL = "https://e3e97aac307d106a7becea43cef8fcbd.r2.cloudflarestorage.com";
AWS_ACCESS_KEY_ID = "$(cat /run/secrets/aws/key_id)"; AWS_ACCESS_KEY_ID = "$(cat /run/secrets/aws/key_id)";
AWS_SECRET_ACCESS_KEY = "$(cat /run/secrets/aws/key_secret)"; AWS_SECRET_ACCESS_KEY = "$(cat /run/secrets/aws/key_secret)";

15
hosts/chunk/default.nix
View file

@ -22,6 +22,7 @@
./forgejo.nix ./forgejo.nix
./garage.nix ./garage.nix
./tailscale.nix ./tailscale.nix
./tor.nix
]; ];
sops.age.keyFile = "/root/.config/sops/age/keys.txt"; sops.age.keyFile = "/root/.config/sops/age/keys.txt";
@ -100,18 +101,22 @@
${tc} qdisc del dev ens18 root || true ${tc} qdisc del dev ens18 root || true
# create HTB hierarchy # create HTB hierarchy
${tc} qdisc add dev ens18 root handle 1: htb default 10 ${tc} qdisc add dev ens18 root handle 1: htb default 30
${tc} class add dev ens18 parent 1: classid 1:1 htb rate 100% ceil 100% ${tc} class add dev ens18 parent 1: classid 1:1 htb rate 100% ceil 100%
# rest # tailscale
${tc} class add dev ens18 parent 1:1 classid 1:10 htb rate 60% ceil 100% ${tc} class add dev ens18 parent 1:1 classid 1:10 htb rate 30% ceil 100%
# caddy # caddy
${tc} class add dev ens18 parent 1:1 classid 1:20 htb rate 30% ceil 100%
# rest
${tc} class add dev ens18 parent 1:1 classid 1:30 htb rate 40% ceil 100% ${tc} class add dev ens18 parent 1:1 classid 1:30 htb rate 40% ceil 100%
# mark traffic # mark traffic
iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/caddy.service" -j MARK --set-mark 3 iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/tailscaled.service" -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/caddy.service" -j MARK --set-mark 2
# route marked packets # route marked packets
${tc} filter add dev ens18 parent 1: protocol ip prio 1 handle 3 fw flowid 1:30 ${tc} filter add dev ens18 parent 1: protocol ip prio 1 handle 1 fw flowid 1:10
${tc} filter add dev ens18 parent 1: protocol ip prio 1 handle 2 fw flowid 1:20
''; '';
}; };
interfaces.ens18 = { interfaces.ens18 = {

12
hosts/chunk/garage.nix
View file

@ -10,13 +10,15 @@
api_bind_addr = "[::]:3900"; api_bind_addr = "[::]:3900";
root_domain = "s3.cy7.sh"; root_domain = "s3.cy7.sh";
}; };
s3_web = {
bind_addr = "[::]:3902";
root_domain = ".web.s3.cy7.sh";
index = "index.html";
};
admin.api_bind_addr = "[::]:3903"; admin.api_bind_addr = "[::]:3903";
rpc_bind_addr = "[::]:3901"; rpc_bind_addr = "[::]:3901";
replication_factor = 1; replication_factor = 1;
db_engine = "lmdb"; db_engine = "lmdb";
disable_scrub = true;
block_size = "10M";
compression_level = "none";
}; };
environmentFile = config.sops.secrets."garage/env".path; environmentFile = config.sops.secrets."garage/env".path;
}; };
@ -29,6 +31,10 @@
reverse_proxy localhost:3900 reverse_proxy localhost:3900
''; '';
}; };
"*.web.s3.cy7.sh".extraConfig = ''
import common
reverse_proxy localhost:3902
'';
"admin.s3.cy7.sh".extraConfig = '' "admin.s3.cy7.sh".extraConfig = ''
import common import common
reverse_proxy localhost:3903 reverse_proxy localhost:3903

8
hosts/chunk/grafana.nix
View file

@ -29,14 +29,6 @@
} }
]; ];
} }
{
job_name = "garage";
static_configs = [
{
targets = [ "127.0.0.1:3903" ];
}
];
}
]; ];
}; };

32
hosts/chunk/rclone.nix
View file

@ -15,16 +15,9 @@
serviceConfig = { serviceConfig = {
Type = "notify"; Type = "notify";
ExecStartPre = "/usr/bin/env mkdir -p /mnt/photos"; ExecStartPre = "/usr/bin/env mkdir -p /mnt/photos";
ExecStart = '' ExecStart = "${lib.getExe pkgs.rclone} mount --config ${
${lib.getExe pkgs.rclone} mount \ config.sops.secrets."rclone/config".path
--config ${config.sops.secrets."rclone/config".path} \ } --cache-dir /var/cache/rclone --transfers=32 --checkers=32 --dir-cache-time 72h --vfs-cache-mode writes --vfs-cache-max-size 2G photos: /mnt/photos ";
--cache-dir /var/cache/rclone \
--transfers=32 \
--dir-cache-time 30d \
--vfs-cache-mode writes \
--vfs-cache-max-size 2G \
photos: /mnt/photos
'';
ExecStop = "${lib.getExe' pkgs.fuse "fusermount"} -u /mnt/photos"; ExecStop = "${lib.getExe' pkgs.fuse "fusermount"} -u /mnt/photos";
}; };
}; };
@ -39,22 +32,9 @@
serviceConfig = { serviceConfig = {
Type = "notify"; Type = "notify";
ExecStartPre = "/usr/bin/env mkdir -p /mnt/garage"; ExecStartPre = "/usr/bin/env mkdir -p /mnt/garage";
ExecStart = '' ExecStart = "${lib.getExe pkgs.rclone} mount --config ${
${lib.getExe pkgs.rclone} mount \ config.sops.secrets."rclone/config".path
--config ${config.sops.secrets."rclone/config".path} \ } --cache-dir /var/cache/rclone --transfers=32 --checkers=32 --vfs-cache-mode writes --vfs-cache-max-size 5G --allow-other rsyncnet:garage /mnt/garage ";
--allow-other \
--cache-dir /var/cache/rclone \
--transfers=32 \
--vfs-cache-mode full \
--vfs-cache-min-free-space 5G \
--dir-cache-time 30d \
--no-checksum \
--no-modtime \
--vfs-fast-fingerprint \
--vfs-read-chunk-size 10M \
--vfs-read-chunk-streams 32 \
rsyncnet:garage /mnt/garage
'';
ExecStop = "${lib.getExe' pkgs.fuse "fusermount"} -u /mnt/garage"; ExecStop = "${lib.getExe' pkgs.fuse "fusermount"} -u /mnt/garage";
}; };
}; };

16
hosts/chunk/tor.nix Normal file
View file

@ -0,0 +1,16 @@
{ ... }:
{
services.tor = {
enable = true;
openFirewall = true;
relay = {
enable = true;
role = "relay";
};
settings = {
ORPort = 9001;
Nickname = "chunk";
# MaxAdvertisedBandwidth = "20MBytes";
};
};
}

13
hosts/common.nix
View file

@ -10,12 +10,16 @@
"@wheel" "@wheel"
]; ];
trusted-public-keys = [ trusted-public-keys = [
"niri.cachix.org-1:Wv0OmO7PsuocRKzfDoJ3mulSl7Z6oezYhGhR+3W2964="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"main:Ku31HoEWcBtfggge2VGj+QTkVrQuIwRIMGyfV/5VQP0=" "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
"cything.cachix.org-1:xqW1W5NNL+wrM9wfSELb0MLj/harD2ZyB4HbdaMyvPI="
]; ];
trusted-substituters = [ substituters = [
"https://niri.cachix.org"
"https://nix-community.cachix.org" "https://nix-community.cachix.org"
"https://cache.cy7.sh/main" "https://cache.garnix.io"
"https://cything.cachix.org"
]; ];
}; };
channel.enable = false; channel.enable = false;
@ -29,6 +33,9 @@
persistent = true; persistent = true;
options = "--delete-older-than 14d"; options = "--delete-older-than 14d";
}; };
extraOptions = ''
builders-use-substitutes = true
'';
registry.nixpkgs.flake = inputs.nixpkgs; registry.nixpkgs.flake = inputs.nixpkgs;
}; };

28
hosts/ytnix/containers.nix
View file

@ -6,22 +6,20 @@
}: }:
{ {
virtualisation.oci-containers.containers = { virtualisation.oci-containers.containers = {
immich-ml = immich-ml = let
let modelCache = "/opt/immich-ml";
modelCache = "/opt/immich-ml"; in {
in image = "ghcr.io/immich-app/immich-machine-learning:release";
{ autoStart = true;
image = "ghcr.io/immich-app/immich-machine-learning:release"; pull = "newer";
autoStart = true; ports = [ "3003:3003" ];
pull = "newer"; environment = {
ports = [ "3003:3003" ]; REDIS_HOSTNAME = "immich-redis";
environment = { DB_HOSTNAME = "immich-db";
REDIS_HOSTNAME = "immich-redis";
DB_HOSTNAME = "immich-db";
};
volumes = [ "${modelCache}:/cache" ];
networks = [ "immich-net" ];
}; };
volumes = [ "${modelCache}:/cache" ];
networks = [ "immich-net" ];
};
}; };
systemd.services.create-immich-net = rec { systemd.services.create-immich-net = rec {

86
hosts/ytnix/default.nix
View file

@ -144,52 +144,49 @@
"docker" "docker"
"disk" "disk"
"adbusers" "adbusers"
"podman"
]; ];
environment.systemPackages = environment.systemPackages = with pkgs; lib.flatten [
with pkgs; tmux
lib.flatten [ vim
tmux wget
vim tree
wget kitty
tree borgbackup
kitty htop
borgbackup file
htop dnsutils
file q
dnsutils age
q compsize
age wireguard-tools
compsize traceroute
wireguard-tools sops
traceroute sbctl # secure boot
sops lm_sensors
sbctl # secure boot sshfs
lm_sensors openssl
sshfs just
openssl killall
just lshw
killall bubblewrap
lshw fuse-overlayfs
bubblewrap dwarfs
fuse-overlayfs wineWowPackages.stagingFull
dwarfs (with gst_all_1; [
wineWowPackages.stagingFull gst-plugins-good
(with gst_all_1; [ gst-plugins-bad
gst-plugins-good gst-plugins-ugly
gst-plugins-bad gst-plugins-base
gst-plugins-ugly ])
gst-plugins-base vulkan-loader
]) (heroic.override {
vulkan-loader extraPkgs = pkgs: [
(heroic.override { pkgs.gamescope
extraPkgs = pkgs: [ pkgs.gamemode
pkgs.gamescope ];
pkgs.gamemode })
]; ];
})
];
environment.sessionVariables = { environment.sessionVariables = {
NIXOS_OZONE_WL = "1"; NIXOS_OZONE_WL = "1";
@ -387,5 +384,4 @@
programs.ccache.enable = true; programs.ccache.enable = true;
nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ]; nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ];
programs.fuse.userAllowOther = true; programs.fuse.userAllowOther = true;
nix.settings.sandbox = false;
} }

2
modules/attic.nix
View file

@ -21,7 +21,7 @@ in
allowed-hosts = [ "cache.cy7.sh" ]; allowed-hosts = [ "cache.cy7.sh" ];
require-proof-of-possession = false; require-proof-of-possession = false;
compression = { compression = {
type = "none"; type = "zstd";
level = 3; level = 3;
}; };
database.url = "postgresql:///atticd?host=/run/postgresql"; database.url = "postgresql:///atticd?host=/run/postgresql";

5
modules/containerization.nix
View file

@ -28,11 +28,8 @@ in
dns_enabled = true; dns_enabled = true;
ipv6_enabled = true; ipv6_enabled = true;
}; };
# answer on /var/run/docker.sock
dockerSocket.enable = true;
}; };
docker.enable = lib.mkIf (!cfg.usePodman) true; oci-containers.backend = lib.mkIf cfg.usePodman "podman";
oci-containers.backend = lib.mkIf (!cfg.usePodman) "docker";
}; };
}; };
} }

7
overlay/attic/default.nix
View file

@ -1,7 +0,0 @@
final: prev: {
attic-server = prev.attic-server.overrideAttrs {
patches = [
./prefetch-32-chunks.patch
];
};
}

13
overlay/attic/prefetch-32-chunks.patch
View file

@ -1,13 +0,0 @@
diff --git a/server/src/api/binary_cache.rs b/server/src/api/binary_cache.rs
index 02e4857..71eeee8 100644
--- a/server/src/api/binary_cache.rs
+++ b/server/src/api/binary_cache.rs
@@ -262,7 +262,7 @@ async fn get_nar(
// TODO: Make num_prefetch configurable
// The ideal size depends on the average chunk size
- let merged = merge_chunks(chunks, streamer, storage, 2).map_err(|e| {
+ let merged = merge_chunks(chunks, streamer, storage, 32).map_err(|e| {
tracing::error!(%e, "Stream error");
e
});

12
overlay/bitwarden/default.nix
View file

@ -1,9 +1,7 @@
final: prev: { final: prev: {
bitwarden-desktop = prev.bitwarden-desktop.overrideAttrs ( bitwarden-desktop = prev.bitwarden-desktop.overrideAttrs (finalAttrs: prevAttrs: {
finalAttrs: prevAttrs: { patches = prevAttrs.patches ++ [
patches = prevAttrs.patches ++ [ ./ssh-agent-no-confirm.patch
./ssh-agent-no-confirm.patch ];
]; });
}
);
} }

10
overlay/default.nix
View file

@ -3,7 +3,6 @@ let
overlays = [ overlays = [
./zipline ./zipline
./bitwarden ./bitwarden
./attic
]; ];
importedOverlays = map (m: import m) overlays; importedOverlays = map (m: import m) overlays;
in in
@ -15,15 +14,14 @@ in
pkgFrom = flake: pkg: flake.packages.${prev.system}.${pkg}; pkgFrom = flake: pkg: flake.packages.${prev.system}.${pkg};
in in
{ {
conduwuit = pkgFrom inputs.conduwuit "static-x86_64-linux-musl-all-features-x86_64-haswell-optimised"; conduwuit =
pkgFrom inputs.conduwuit "static-x86_64-linux-musl-all-features-x86_64-haswell-optimised";
pixelflasher = nixpkgsFrom inputs.pixelflasher "pixelflasher"; pixelflasher = nixpkgsFrom inputs.pixelflasher "pixelflasher";
attic-server = pkgFrom inputs.attic "attic-server"; attic-server = pkgFrom inputs.attic "attic-server";
attic = pkgFrom inputs.attic "attic"; attic = pkgFrom inputs.attic "attic";
garage = ( garage = ((pkgFrom inputs.garage "default").overrideAttrs {
(pkgFrom inputs.garage "default").overrideAttrs {
meta.mainProgram = "garage"; meta.mainProgram = "garage";
} });
);
} }
) )
] ]

10
secrets/yt/aws.yaml
View file

@ -1,8 +1,6 @@
aws: aws:
key_id: ENC[AES256_GCM,data:euyq+QtSXv1UR5eOJfvZARhm5L2AuzKIOk8=,iv:RseSyVArmrawNzlwjNh6FScJF2O+F4FBuIq47uMQQEA=,tag:bkZJeX3rUHb1yZu8dytgcg==,type:str] key_id: ENC[AES256_GCM,data:9tWAMzUv4f6Ea27XsmYhO11NroYnLmED/FVrCCGO0Vc=,iv:YP1xRjVd1M1MB7IKVAw0Sdx0E4AokBrsaAcDLvTLHD4=,tag:SEmEr3NoZvch9LeaJHbCww==,type:str]
key_secret: ENC[AES256_GCM,data:27BHAU5suCIiSKAf0+1yNa/VJ0umErb6Ry8HI+Zfv6LV+7eB+wk8H3kxdV4wmY2XayHsUrD4FZa30O0a9PdJgA==,iv:oI2X7PCXDZBkUOikHM8S7gHsnMtWp7jxBqdmfbUlrwU=,tag:9mZ3H2jobKqYmw6S4NNpjw==,type:str] key_secret: ENC[AES256_GCM,data:AK+vER4T1p0AknKzsxZQJ0JTpfIstnnTWSAZ26zJSCwJYgRYwj8RF98CS7HM+KWvz5VNGENxhVdUnjlGkrTB4w==,iv:3o79gwp5b4KGsixW02qFWYFvpagY/hykbYJ/WNz6PB8=,tag:GW2T8ggKYHa1CQ6DRomJDQ==,type:str]
_r2_key_id: ENC[AES256_GCM,data:R0xwzUx+6l9SR3Fd93PfJw+WPV0ByzOKMxoJQtn4pEE=,iv:qHmr/HssM8U3znbGznSIOwkAhNaORkCkG9lqAmCKmfw=,tag:LhuiiKSq/VnNEulgrS71vg==,type:str]
_r2_key_secret: ENC[AES256_GCM,data:Dw5Gq1URjMpy9Bh1IBYf+/EnkvQA/4yAC4kdoACpCUuJQxdQphFKwWmxJX+Q/oztO1imWoGIxlZNNDr5QCqXaA==,iv:hGePo+Ffe48n1BXI1f2V12C9Gn1CC1nTwbSsfqUGQ3c=,tag:AIy/F3jPGz2WHge3Mk43Ag==,type:str]
_garage_key_id: ENC[AES256_GCM,data:2lLS1nBhrwBkJh/ei7FwBoR6jOI6KCJkvOs=,iv:jwB7ZEaKOPIwghcGRs3qaICypoHgSxkFBOyB6e5hpYI=,tag:Iqwv3j1R1uLLUDKLhN1Atg==,type:str] _garage_key_id: ENC[AES256_GCM,data:2lLS1nBhrwBkJh/ei7FwBoR6jOI6KCJkvOs=,iv:jwB7ZEaKOPIwghcGRs3qaICypoHgSxkFBOyB6e5hpYI=,tag:Iqwv3j1R1uLLUDKLhN1Atg==,type:str]
_garage_key_secret: ENC[AES256_GCM,data:5iwwMfojHrR79cOIY+9O2oVY8v1cbPcECMSOMhWuGAdc2lfCogKBwLM4TFwBH9X1Vx56QvUoxCQ2uSyfOMLR7A==,iv:Q523ttz6ijmv8/JlVZuldFR4IabEKiVN4sGmJ9xDJU0=,tag:ZZ4LRG4DXOC7LY8hEjXYHQ==,type:str] _garage_key_secret: ENC[AES256_GCM,data:5iwwMfojHrR79cOIY+9O2oVY8v1cbPcECMSOMhWuGAdc2lfCogKBwLM4TFwBH9X1Vx56QvUoxCQ2uSyfOMLR7A==,iv:Q523ttz6ijmv8/JlVZuldFR4IabEKiVN4sGmJ9xDJU0=,tag:ZZ4LRG4DXOC7LY8hEjXYHQ==,type:str]
sops: sops:
@ -29,8 +27,8 @@ sops:
UlYrTExEUVc0dURLR1czN3BnYzZ2VGMKCbAgM50jvs9VciA1Pb/VY+2I4x62LBGe UlYrTExEUVc0dURLR1czN3BnYzZ2VGMKCbAgM50jvs9VciA1Pb/VY+2I4x62LBGe
j7eHkfTFc8Gnk/rZA9/ZJDLFr/FUPMQWK/NVoz6oLjO6oVFXqN6OqA== j7eHkfTFc8Gnk/rZA9/ZJDLFr/FUPMQWK/NVoz6oLjO6oVFXqN6OqA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-16T16:45:13Z" lastmodified: "2025-02-27T02:50:27Z"
mac: ENC[AES256_GCM,data:DCx4uVuy53Gz9Ha2p/GjxTigKw/dJ0gvWIAII9AtKQCURu1OfiJ6Lp/ht6ndJwn25em11uppN371pQGxa8FRtLL+dX/YgoDmOw3Tgo3lc5VLBzalRqXHInOGHfgv9k1jHNq6zokKbBLDItBnUNOCvsLTXXenVRYdnkiuf3QPGhk=,iv:gBbbH/nJExK/dEXKHo+cCr+rxQ4uJQWweK0lYT7amsM=,tag:9GaCGFrcinqGfpibUNQ75w==,type:str] mac: ENC[AES256_GCM,data:FjlbCqqYHPn/FDPUR1flWgg6wwHhLJx1uKOedwkvsTxuPhlVJHghTHWYetdmplOQyEpOEbyv+iqKTGDYHzDdgU2jIZ0TKM66iHq+1yft4TatBu75/0N3I+SfZv97vKNehxN/zvIY3FQF4O8qVy9c1dZRmr7q27Wq2pdHSOe4Myg=,iv:YkUXcOwb6UZr0vXazbLrVeGTvBTtnwuEIY3O+GSrnNk=,tag:kQBh7urSnHoiV18TIGlPEg==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.4 version: 3.9.4