.editorconfig

@@ -1,3 +0,0 @@
-[*.nix]
-indent_style = space
-indent_size = 2

.github/workflows/build-machines-and-homes.yml

@@ -8,8 +8,6 @@ env:
   TERM: ansi
   AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
   AWS_SECRET_ACCESS_KEY: ${{ secrets. AWS_SECRET_ACCESS_KEY }}
-  AWS_DEFAULT_REGION: us-east-1
-  AWS_ENDPOINT_URL: https://s3.cy7.sh
 
 jobs:
   build-machines:
@@ -37,7 +35,7 @@ jobs:
           build-mount-path: /nix
 
       - name: setup binary cache key
-        run: echo -n "${{ secrets.NIX_CACHE_SECRET_KEY }}" | xxd -p -r > ${{ runner.temp }}/cache-priv-key.pem
+        run: echo "${{ secrets.NIX_CACHE_SECRET_KEY }}" >> /home/runner/cache-priv-key.pem
 
       - name: Install Nix
         uses: cachix/install-nix-action@v30
@@ -48,10 +46,16 @@ jobs:
             experimental-features = nix-command flakes
             accept-flake-config = true
             system-features = nixos-test benchmark big-parallel kvm
-            secret-key-files = ${{ runner.temp }}/cache-priv-key.pem
+            secret-key-files = /home/runner/cache-priv-key.pem
-            extra-substituters = https://nixcache.cy7.sh
+            extra-substituters = https://nixcache.cy7.sh https://cache.lix.systems
-            extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8=
+            extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=
-            download-buffer-size = 1073741824
+
+      - name: Install Lix
+        run: |
+          sudo --preserve-env=PATH $(which nix) run \
+          'git+https://git.lix.systems/lix-project/lix?ref=refs/tags/2.92.0' -- \
+          upgrade-nix
+          nix --version
 
       - name: Sync repository
         uses: actions/checkout@v4
@@ -60,16 +64,20 @@ jobs:
 
       - name: build
         run: |
+          # package=".#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel"
+          # nix build -L "$package"
           nix run nixpkgs#nixos-rebuild build -- -L --flake ".#${{ matrix.machine }}"
 
       - name: cache
+        # https://stackoverflow.com/a/58859404
+        if: '!cancelled()'
         run: |
-          nix run \
+          package=".#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel"
-            github:cything/nixcp -- push \
+          nix run git+https://git.cy7.sh/cy/nixcp.git -- \
-            --bucket nixcache \
+            --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=zstd' \
-            --endpoint $AWS_ENDPOINT_URL \
+            -u https://nix-community.cachix.org \
-            --signing-key ${{ runner.temp }}/cache-priv-key.pem \
+            -u https://nixcache.web.cy7.sh \
-            result
+            $package
 
   build-homes:
     strategy:
@@ -80,6 +88,7 @@ jobs:
           - yt@chunk
         os:
           - ubuntu-latest
+          # - macos-latest
     runs-on: ${{ matrix.os }}
 
     steps:
@@ -96,7 +105,7 @@ jobs:
           build-mount-path: /nix
 
       - name: setup binary cache key
-        run: echo -n "${{ secrets.NIX_CACHE_SECRET_KEY }}" | xxd -p -r > ${{ runner.temp }}/cache-priv-key.pem
+        run: echo "${{ secrets.NIX_CACHE_SECRET_KEY }}" >> /home/runner/cache-priv-key.pem
 
       - name: Install Nix
         uses: cachix/install-nix-action@v30
@@ -107,10 +116,16 @@ jobs:
             experimental-features = nix-command flakes
             accept-flake-config = true
             system-features = nixos-test benchmark big-parallel kvm
-            secret-key-files = ${{ runner.temp }}/cache-priv-key.pem
+            secret-key-files = /home/runner/cache-priv-key.pem
-            extra-substituters = https://nixcache.cy7.sh
+            extra-substituters = https://nixcache.cy7.sh https://cache.lix.systems
-            extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8=
+            extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=
-            download-buffer-size = 1073741824
+
+      - name: Install Lix
+        run: |
+          sudo --preserve-env=PATH $(which nix) run \
+          'git+https://git.lix.systems/lix-project/lix?ref=refs/tags/2.92.0' -- \
+          upgrade-nix
+          nix --version
 
       - name: Sync repository
         uses: actions/checkout@v4
@@ -123,10 +138,12 @@ jobs:
           nix build -L "$package"
 
       - name: cache
+        # https://stackoverflow.com/a/58859404
+        if: '!cancelled()'
         run: |
-          nix run \
+          package=".#homeConfigurations."${{ matrix.home }}".activationPackage"
-            github:cything/nixcp -- push \
+          nix run git+https://git.cy7.sh/cy/nixcp.git -- \
-            --bucket nixcache \
+            --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=zstd' \
-            --endpoint $AWS_ENDPOINT_URL \
+            -u https://nix-community.cachix.org \
-            --signing-key ${{ runner.temp }}/cache-priv-key.pem \
+            -u https://nixcache.web.cy7.sh \
-            result
+            $package

.github/workflows/build-packages.yml

@@ -11,8 +11,6 @@ env:
   TERM: ansi
   AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
   AWS_SECRET_ACCESS_KEY: ${{ secrets. AWS_SECRET_ACCESS_KEY }}
-  AWS_DEFAULT_REGION: us-east-1
-  AWS_ENDPOINT_URL: https://s3.cy7.sh
 
 jobs:
   build-packages:
@@ -30,7 +28,7 @@ jobs:
 
     steps:
       - name: setup binary cache key
-        run: echo -n "${{ secrets.NIX_CACHE_SECRET_KEY }}" | xxd -p -r > ${{ runner.temp }}/cache-priv-key.pem
+        run: echo "${{ secrets.NIX_CACHE_SECRET_KEY }}" >> /home/runner/cache-priv-key.pem
 
       - name: Install Nix
         uses: cachix/install-nix-action@v30
@@ -41,20 +39,33 @@ jobs:
             experimental-features = nix-command flakes
             accept-flake-config = true
             system-features = nixos-test benchmark big-parallel kvm
-            secret-key-files = ${{ runner.temp }}/cache-priv-key.pem
+            secret-key-files = /home/runner/cache-priv-key.pem
-            extra-substituters = https://nixcache.cy7.sh
+            extra-substituters = https://nixcache.cy7.sh https://cache.lix.systems
-            extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8=
+            extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=
+
+      - name: Install Lix
+        run: |
+          sudo --preserve-env=PATH $(which nix) run \
+          'git+https://git.lix.systems/lix-project/lix?ref=refs/tags/2.92.0' -- \
+          upgrade-nix
+          nix --version
+
+      - name: Sync repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - run: nix build -L ${{ matrix.package }}
 
-      - name: cache
+      - name: cache result
+        # https://stackoverflow.com/a/58859404
+        if: '!cancelled()'
         run: |
-          nix run \
+          nix run git+https://git.cy7.sh/cy/nixcp.git -- \
-            github:cything/nixcp -- push \
+            --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=zstd' \
-            --bucket nixcache \
+            -u https://nix-community.cachix.org \
-            --endpoint $AWS_ENDPOINT_URL \
+            -u https://nixcache.web.cy7.sh \
-            --signing-key ${{ runner.temp }}/cache-priv-key.pem \
+            "${{ matrix.package }}"
-            result
 
       - name: prepare tarball to upload
         run: nix run github:nixos/nixpkgs#gnutar hcvf result.tar result

README.md

@@ -0,0 +1,40 @@
+# infra
+## ./home
+- [home-manager](https://github.com/nix-community/home-manager) configuration files
+- foot, tmux, and zsh are configured in Nix
+- nvim, rofi, sway, waybar are configured in their own literature and symlinked to $XDG_CONFIG_HOME with home-manager
+
+## ./hosts
+- [`hosts/common.nix`](hosts/common.nix): configuration that makes sense on all computers
+- [`hosts/zsh.nix`](hosts/zsh.nix): for computers that have the power to run zsh
+### ./hosts/ytnix
+- personal laptop
+- a single [`default.nix`](hosts/ytnix/default.nix) that could be modularized but works for now
+
+### ./hosts/chunk
+- the overworked server with 5% SLA
+- very short and concise [`default.nix`](hosts/chunk/default.nix)
+- services organized in their modules
+- some services run through `virtualisation.oci-containers`:
+    - [immich](hosts/chunk/immich.nix)
+    - [conduwuit](hosts/chunk/conduwuit.nix)
+
+### ./hosts/titan
+- got this cause chunk would go down way too often :(
+- hosted on azure for "reliability"
+- runs:
+    - [ghost](hosts/titan/ghost.nix) (through `virtualisation.oci-containers`)
+    - [uptime-kuma](hosts/titan/uptime-kuma.nix)
+    - [ntfy-sh](hosts/titan/ntfy.nix)
+
+## ./secrets
+- secrets
+- see [`.sops.yaml`](.sops.yaml) for who privy to what
+
+## backups
+- hourly borgbackup to [rsync.net](https://rsync.net)
+- see [modules/backup](modules/backup.nix)
+
+## monitoring
+- [status.cything.io](https://status.cything.io/): uptime kuma (reliable)
+- [grafana.cything.io](https://grafana.cything.io/): some real-time metrics here; unlike the status page this will go kaput often

ci/upload-to-cache.sh

@@ -1,8 +0,0 @@
-#!/bin/sh
-
-# https://nix.dev/guides/recipes/post-build-hook.html#implementing-the-build-hook
-set -eu
-set -f # disable globbing
-export IFS=' '
-echo "Uploading paths" $OUT_PATHS
-exec /nix/var/nix/profiles/default/bin/nix copy --to "s3://nixcache?endpoint=s3.cy7.sh&compression=zstd&parallel-compression=true" $OUT_PATHS

flake.nix

@@ -2,7 +2,8 @@
   description = "cy's flake";
 
   inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small";
+    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11";
     sops-nix.url = "github:Mic92/sops-nix";
     sops-nix.inputs.nixpkgs.follows = "nixpkgs";
     home-manager.url = "github:nix-community/home-manager";
@@ -11,6 +12,9 @@
     lanzaboote.inputs.nixpkgs.follows = "nixpkgs";
     rust-overlay.url = "github:oxalica/rust-overlay";
     rust-overlay.inputs.nixpkgs.follows = "nixpkgs";
+    conduwuit.url = "github:girlbossceo/conduwuit";
+    conduwuit.inputs.nixpkgs.follows = "nixpkgs";
+    lix-module.url = "git+https://git.lix.systems/lix-project/nixos-module?ref=release-2.92";
     nix-ld.url = "github:nix-community/nix-ld";
     nix-ld.inputs.nixpkgs.follows = "nixpkgs";
     nil.url = "github:oxalica/nil";
@@ -67,6 +71,7 @@
                 ./modules
                 inputs.sops-nix.nixosModules.sops
                 inputs.lanzaboote.nixosModules.lanzaboote
+                inputs.lix-module.nixosModules.default
                 inputs.nix-ld.nixosModules.nix-ld
               ];
             };
@@ -79,6 +84,7 @@
                 ./hosts/chunk
                 ./modules
                 inputs.sops-nix.nixosModules.sops
+                inputs.lix-module.nixosModules.default
               ];
             };
           };

garnix.yaml

@@ -0,0 +1,6 @@
+builds:
+  include:
+    - 'nixosConfigurations.*'
+    - 'homeConfigurations.*'
+    - '*.aarch64-linux.*'
+    - '*.x86_64-linux.*'

home/codium.nix

@@ -23,6 +23,8 @@
           tamasfe.even-better-toml
           golang.go
           ms-python.python
+          christian-kohler.path-intellisense
+          # firefox-devtools.vscode-firefox-debug
         ];
       userSettings =
         let
@@ -73,7 +75,11 @@
           "telemetry.enableTelemetry" = false;
           "telemetry.telemetryLevel" = "off";
           "window.titleBarStyle" = "custom";
-          "editor.formatOnSave" = true;
+          # https://github.com/ChristianKohler/PathIntellisense#installation
+          "typescript.suggest.paths" = false;
+          "javascript.suggest.paths" = false;
+
+          "path-intellisense.absolutePathToWorkspace" = true;
 
           # terminal stuff
           "terminal.integrated.cursorBlinking" = true;

home/kitty.nix

@@ -7,13 +7,13 @@
       package = pkgs.ibm-plex;
       size = 12;
     };
+    themeFile = "GitHub_Dark";
     settings = {
       enable_audio_bell = true;
       # how many windows should be open before kitty asks
       # for confirmation
       confirm_os_window_close = 0;
       clear_all_shortcuts = true;
-      background_opacity = 0.9;
 
       # will probably lower this later but the max allowed is actually 4GB
       # this is NOT stored in memory and can only be viewed with scrollback_pager
@@ -21,7 +21,7 @@
       # see https://github.com/sharkdp/bat/issues/1077#issuecomment-652785399
       "scrollback_pager" = "bat --pager='less -FR +G'";
       # "scrollback_lines" = 20000;
-      # wheel_scroll_multiplier = 50;
+      wheel_scroll_multiplier = 50;
     };
     keybindings = {
       # kitty_mod is ctrl+shift by default

home/yt/ytnix.nix

@@ -8,7 +8,7 @@
     ./common.nix
     ../irssi.nix
     ../kitty.nix
-    # ../codium.nix
+    ../codium.nix
   ];
   home = {
     username = "yt";
@@ -28,7 +28,10 @@
   home.packages =
     with pkgs;
     lib.flatten [
+      ungoogled-chromium
+      librewolf
       bitwarden-desktop
+      bitwarden-cli
       fastfetch
       (with kdePackages; [
         gwenview
@@ -38,58 +41,32 @@
       signal-desktop
       btop
       jq
+      sqlite
       usbutils
       calibre
       tor-browser
       wtype
       bat
       rclone
+      go
       (rust-bin.selectLatestNightlyWith (
         toolchain:
         toolchain.default.override {
           extensions = [ "rust-src" ];
-          targets = [ "aarch64-unknown-linux-musl" ];
         }
       ))
+      pwgen
       gnumake
       unzip
       anki-bin
+      trezorctl
+      q
       gdb
       fuzzel
       hugo
+      ghidra
       sccache
       awscli2
-      p7zip
-      qbittorrent
-      android-tools
-      (python313.withPackages (
-        p: with p; [
-          python-lsp-server
-          pip
-          virtualenv
-        ]
-      ))
-      scrcpy
-      syncthing
-      (with llvmPackages; [
-        clangUseLLVM
-        compiler-rt
-        libllvm
-      ])
-      nix-output-monitor
-      cinny-desktop
-      minio-client
-      keepassxc
-      jujutsu
-      ffmpeg
-      typst
-      pavucontrol
-
-      # reversing
-      radare2
-      jadx
-      frida-tools
-      mitmproxy
       (cutter.withPlugins (
         p: with p; [
           rz-ghidra
@@ -97,6 +74,35 @@
           sigdb
         ]
       ))
+      p7zip
+      qbittorrent
+      android-tools
+      frida-tools
+      mitmproxy
+      (python313.withPackages (
+        p: with p; [
+          python-lsp-server
+          pip
+          virtualenv
+        ]
+      ))
+      jadx
+      scrcpy
+      syncthing
+      syncthingtray
+      (with llvmPackages; [
+        clangUseLLVM
+        compiler-rt
+        libllvm
+      ])
+      nix-output-monitor
+      wl-clipboard-rs
+      pixelflasher
+      cinny-desktop
+      freetube
+      gopls
+      rust-analyzer
+      minio-client
     ];
 
   home.sessionVariables = {
@@ -148,56 +154,10 @@
     enable = true;
     viAlias = true;
     vimAlias = true;
-    extraPackages = with pkgs; [
-      lua-language-server
-      nixd
-      rust-analyzer
-      fzf
-      fd
-      ripgrep
-      bat
-      delta
-      taplo
-      llvmPackages.clang-tools
-      pyright
-      tree-sitter
-      nodejs
-      nixfmt-rfc-style
-    ];
   };
 
   programs.ssh = {
     enable = true;
     addKeysToAgent = "yes";
   };
-
-  programs.firefox.enable = true;
-
-  programs.emacs = {
-    enable = true;
-    extraPackages = _: with pkgs; [
-      rust-analyzer
-      nil
-      ispell
-    ];
-  };
-
-  gtk = {
-    enable = true;
-    theme.package = pkgs.gnome-themes-extra;
-    theme.name = "Adwaita-dark";
-  };
-
-  qt = {
-    enable = true;
-    platformTheme.name = "adwaita";
-    style.name = "adwaita-dark";
-    style.package = pkgs.adwaita-qt;
-  };
-
-  dconf.settings = {
-    "org/gnome/desktop/interface" = {
-      color-scheme = "prefer-dark";
-    };
-  };
 }

home/zsh/default.nix

@@ -37,6 +37,12 @@
       searchDownKey = "^n";
     };
 
+    # prezto = {
+    #   enable = true;
+    #   caseSensitive = false;
+    #   editor.keymap = "vi";
+    # };
+
     initExtra = ''
       # disable control+s to pause terminal
       unsetopt FLOW_CONTROL
@@ -79,11 +85,14 @@
     shellAliases = {
       "vi" = "nvim";
       "vim" = "nvim";
+      "t" = "tmux";
+      "tl" = "tmux list-sessions";
+      "ta" = "tmux new-session -A -s";
       "se" = "sudoedit";
       "s" = "sudo";
-      "nrs" = "sudo nixos-rebuild switch -L --flake ~/nixos-config";
+      "nrs" = "sudo nixos-rebuild switch -L --flake . --log-format internal-json -v |& nom --json";
-      "nrt" = "sudo nixos-rebuild test -L --flake ~/nixos-config";
+      "nrt" = "sudo nixos-rebuild test -L --flake . --log-format internal-json -v |& nom --json";
-      "hrs" = "home-manager switch -L --flake ~/nixos-config";
+      "hrs" = "home-manager switch -L --flake .";
       "g" = "git";
       "ga" = "git add";
       "gaa" = "git add --all";
@@ -91,6 +100,7 @@
       "gc" = "git commit --verbose";
       "gcmsg" = "git commit --message";
       "gd" = "git diff";
+      "gdca" = "git diff --cached";
       "gds" = "git diff --staged";
       "gl" = "git log --stat";
       "glg" = "git log --graph";
@@ -103,11 +113,6 @@
       "gs" = "git status --short";
       "gss" = "git status";
       "code" = "codium";
-      "jl" = "jj log -n 10";
-      "jll" = "jj log";
-      "jd" = "jj diff";
-      "jn" = "jj new";
-      "jm" = "jj describe -m";
     };
   };
 

hosts/chunk/conduwuit.nix

@@ -0,0 +1,33 @@
+{ ... }:
+{
+  services.conduwuit = {
+    enable = true;
+    settings.global = {
+      port = [ 8448 ];
+      server_name = "cything.io";
+      allow_check_for_updates = true;
+    };
+  };
+
+  services.caddy.virtualHosts."chat.cything.io".extraConfig = ''
+    import common
+    reverse_proxy localhost:8448
+  '';
+
+  services.caddy.virtualHosts."cything.io" = {
+    serverAliases = [ "www.cything.io" ];
+    extraConfig = ''
+      import common
+
+      header /.well-known/matrix/* Content-Type application/json
+      header /.well-known/matrix/* Access-Control-Allow-Origin *
+      header /.well-known/matrix/* Access-Control-Allow-Methods GET,POST,PUT,DELETE,OPTIONS,PATCH,HEAD
+      header /.well-known/matrix/* Access-Control-Allow-Headers X-Requested-With,Content-Type,Authorization,Origin,Accept
+      route {
+        respond /.well-known/matrix/server {"m.server":"chat.cything.io:443"}
+        respond /.well-known/matrix/client {"m.server":{"base_url":"https://chat.cything.io"},"m.homeserver":{"base_url":"https://chat.cything.io"},"org.matrix.msc3575.proxy":{"url":"https://chat.cything.io"}}
+        redir https://cy7.sh/posts{uri} permanent
+      }
+    '';
+  };
+}

hosts/chunk/default.nix

@@ -1,5 +1,6 @@
 {
   pkgs,
+  lib,
   ...
 }:
 {
@@ -15,6 +16,7 @@
     ./redlib.nix
     ./vaultwarden.nix
     ./grafana.nix
+    ./conduwuit.nix
     ./immich.nix
     ./forgejo.nix
     ./garage.nix
@@ -69,10 +71,7 @@
     networkmanager.enable = true;
     firewall = {
       enable = true;
-      trustedInterfaces = [
+      trustedInterfaces = [ "tailscale0" ];
-        "tailscale0"
-        "podman1"
-      ];
       allowedTCPPorts = [
         22
         80
@@ -81,6 +80,32 @@
       allowedUDPPorts = [
         443
       ];
+      extraCommands =
+        let
+          ethtool = lib.getExe pkgs.ethtool;
+          tc = lib.getExe' pkgs.iproute2 "tc";
+        in
+        ''
+          # disable TCP segmentation offload (https://wiki.archlinux.org/title/Advanced_traffic_control#Prerequisites)
+          ${ethtool} -K ens18 tso off
+
+          # clear existing rules
+          ${tc} qdisc del dev ens18 root || true
+
+          # create HTB hierarchy
+          ${tc} qdisc add dev ens18 root handle 1: htb default 10
+          ${tc} class add dev ens18 parent 1: classid 1:1 htb rate 100% ceil 100%
+          # rest
+          ${tc} class add dev ens18 parent 1:1 classid 1:10 htb rate 60% ceil 100%
+          # caddy
+          ${tc} class add dev ens18 parent 1:1 classid 1:30 htb rate 40% ceil 100%
+
+          # mark traffic
+          iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/caddy.service" -j MARK --set-mark 3
+
+          # route marked packets
+          ${tc} filter add dev ens18 parent 1: protocol ip prio 1 handle 3 fw flowid 1:30
+        '';
     };
     interfaces.ens18 = {
       ipv6.addresses = [
@@ -113,15 +138,13 @@
       "podman"
     ];
     openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfubDWr0kRm2o4DqaK6l1s4NCdTkljXZWKWCiF5nX+6"
-      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIA/IX9OFEhHS9Dl8nrtHkL7j7hhy7in9OAY/hVuzEGL0AAAABHNzaDo="
     ];
   };
   users.users.root.openssh.authorizedKeys.keys = [
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux"
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfubDWr0kRm2o4DqaK6l1s4NCdTkljXZWKWCiF5nX+6"
-    "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIA/IX9OFEhHS9Dl8nrtHkL7j7hhy7in9OAY/hVuzEGL0AAAABHNzaDo="
   ];
   # for forgejo
   users.users.git = {
@@ -133,7 +156,6 @@
 
   environment.systemPackages = with pkgs; [
     vim
-    neovim
     wget
     curl
     tree
@@ -161,8 +183,7 @@
   my.containerization.enable = true;
   my.authelia.enable = true;
   my.karakeep = {
-    enable = false;
+    enable = true;
     dataDir = "/opt/karakeep";
   };
-  my.roundcube.enable = true;
 }

hosts/chunk/garage.nix

@@ -25,7 +25,7 @@
       compression_level = "none";
     };
     environmentFile = config.sops.secrets."garage/env".path;
-    logLevel = "info";
+    logLevel = "warn";
   };
 
   services.caddy.virtualHosts = {

hosts/chunk/postgres.nix

@@ -19,5 +19,8 @@
       }
     ];
   };
-  services.postgresqlBackup.enable = true;
+  services.postgresqlBackup = {
+    enable = true;
+    startAt = "hourly";
+  };
 }

hosts/chunk/rclone.nix

@@ -14,22 +14,22 @@ let
         --config ${config.sops.secrets."rclone/config".path} \
         --allow-other \
         --cache-dir /var/cache/rclone \
-        --transfers 16 \
+        --transfers 64 \
-        --vfs-cache-mode writes \
+        --vfs-cache-mode full \
         --vfs-cache-min-free-space 5G \
         --dir-cache-time 30d \
+        --no-checksum \
         --no-modtime \
         --vfs-fast-fingerprint \
-        --vfs-read-chunk-size 128M \
+        --vfs-read-chunk-size 8M \
-        --vfs-read-chunk-streams 0 \
+        --vfs-read-chunk-streams 16 \
-        --sftp-concurrency 64 \
+        --sftp-concurrency 128 \
         --sftp-chunk-size 255k \
         --buffer-size 0 \
         --write-back-cache \
         ${remote} ${mount}
     '';
     ExecStop = "${lib.getExe' pkgs.fuse "fusermount"} -zu ${mount}";
-    Restart = "on-failure";
   };
 in
 {

hosts/common.nix

@@ -1,7 +1,6 @@
-{ inputs, config, pkgs, ... }:
+{ inputs, config, ... }:
 {
   nix = {
-    package = pkgs.lix;
     settings = {
       experimental-features = "nix-command flakes";
       auto-optimise-store = true;
@@ -39,7 +38,7 @@
   i18n.defaultLocale = "en_US.UTF-8";
   time.timeZone = "America/New_York";
   networking = {
-    firewall.logRefusedConnections = true;
+    firewall.logRefusedConnections = false;
     nameservers = [
       # quad9 (unfiltered)
       "2620:fe::10"
@@ -56,7 +55,6 @@
       "nts.teambelgium.net"
       "c.st1.ntp.br"
     ];
-    nftables.enable = true;
   };
   services.chrony = {
     enable = true;

hosts/ytnix/default.nix

@@ -44,11 +44,10 @@
       efi.canTouchEfiVariables = true;
     };
     tmp.cleanOnBoot = true;
-    kernelPackages = pkgs.linuxPackages_6_14;
+    kernelPackages = pkgs.linuxKernel.packages.linux_zen;
     extraModulePackages = with config.boot.kernelPackages; [
       rtl8821ce
     ];
-    kernelModules = [ "8821ce" ];
     kernelParams = [
       # see https://github.com/tomaspinho/rtl8821ce#pcie-active-state-power-management
       "pcie_aspm=off"
@@ -61,10 +60,7 @@
       enable = true;
       pkiBundle = "/var/lib/sbctl";
     };
-    kernel.sysctl = {
+    kernel.sysctl."kernel.sysrq" = 1;
-      "kernel.sysrq" = 1;
-      # "net.ipv4.ip_forward" = 1;
-    };
     binfmt.emulatedSystems = [ "aarch64-linux" ];
   };
 
@@ -91,12 +87,12 @@
     resolvconf.enable = true;
     firewall = {
       enable = true;
-      trustedInterfaces = [
+      trustedInterfaces = [ "tailscale0" ];
-        "tailscale0"
+      # allowedTCPPorts = [
-      ];
+      #   8080 # mitmproxy
-      extraInputRules = ''
+      #   22000 # syncthing
-        ip saddr 192.168.100.0/24 tcp dport 9234 accept
+      #   3003 # immich-ml
-      '';
+      # ];
     };
     hosts = {
       "100.122.132.30" = [ "s3.cy7.sh" ];
@@ -109,10 +105,8 @@
     pulse.enable = true;
     alsa.enable = true;
     alsa.support32Bit = true;
-    wireplumber.extraConfig."10-bluetooth-enhancements" = {
+    wireplumber.extraConfig.bluetoothEnhancements = {
-      "wireplumber.settings" = {
+      # https://julian.pages.freedesktop.org/wireplumber/daemon/configuration/bluetooth.html#bluetooth-configuration
-        "bluetooth.autoswitch-to-headset-profile" = false;
-      };
       "monitor.bluez.properties" = {
         "bluez5.enable-sbc-xq" = true;
         "bluez5.enable-msbc" = true;
@@ -120,27 +114,27 @@
         "bluez5.roles" = [
           "a2dp_sink"
           "a2dp_source"
+          "hsp_hs"
+          "hsp_ag"
           "hfp_hf"
           "hfp_ag"
         ];
       };
     };
     # https://wiki.archlinux.org/title/Bluetooth_headset#Connecting_works,_sound_plays_fine_until_headphones_become_idle,_then_stutters
-    wireplumber.extraConfig."11-disable-suspend" = {
+    wireplumber.extraConfig.disableSuspend = {
-      "monitor.bluez.rules" = [
+      "monitor.bluez.rules" = {
-        {
         matches = [
           {
-              "device.name" = "bluez_card.*";
+            "node.name" = "bluez_output.*";
           }
         ];
+      };
       actions = {
         update-props = {
           "session.suspend-timeout-seconds" = 0;
         };
       };
-        }
-      ];
     };
   };
 
@@ -210,7 +204,7 @@
   services.displayManager = {
     enable = true;
     autoLogin.user = "yt";
-    defaultSession = "sway";
+    defaultSession = "plasma";
     sddm = {
       enable = true;
       wayland.enable = true;
@@ -219,14 +213,10 @@
   };
 
   fonts = {
-    packages =
+    packages = with pkgs; [
-      (with pkgs; [
+      nerd-fonts.roboto-mono
       ibm-plex
-      ])
+    ];
-      ++ (with pkgs.nerd-fonts; [
-        roboto-mono
-        jetbrains-mono
-      ]);
     enableDefaultPackages = true;
   };
 
@@ -248,7 +238,6 @@
       "/home/yt/Games"
       "/home/yt/Videos"
       "/home/yt/.bitmonero"
-      "/home/yt/vms"
     ];
     repo = "yt";
     passFile = config.sops.secrets."borg/rsyncnet".path;
@@ -277,10 +266,6 @@
     enable = true;
     qemu.vhostUserPackages = with pkgs; [ virtiofsd ];
   };
-  # virtualisation.vmware.host = {
-  #   enable = true;
-  #   package = pkgs.vmware-workstation;
-  # };
   programs.virt-manager.enable = true;
   my.containerization.enable = true;
 
@@ -289,6 +274,7 @@
     enable = true;
     # nix run github:thiagokokada/nix-alien#nix-alien-find-libs ./<binary>
     libraries = with pkgs; [
+      # TODO: revisit what we actually need
       mesa
       extest
       stdenv.cc.cc
@@ -331,7 +317,6 @@
       xorg.libxshmfence
       xorg.libXxf86vm
       xorg.libSM
-      xorg.libICE
       gtk3
       pango
       gdk-pixbuf
@@ -345,7 +330,6 @@
       pcre2
       gsettings-desktop-schemas
       fzf
-      systemd
     ];
   };
   programs.evolution.enable = true;
@@ -376,6 +360,12 @@
     ];
   };
 
+  services.ollama.enable = false;
+
+  services.trezord.enable = true;
+
+  programs.niri.enable = false;
+  programs.niri.package = pkgs.niri-unstable;
   programs.xwayland.enable = true;
 
   services.udev.extraHwdb = ''
@@ -400,32 +390,7 @@
   programs.ccache.enable = true;
   nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ];
   programs.fuse.userAllowOther = true;
-  nix.settings.sandbox = true;
+  nix.settings.sandbox = false;
 
   programs.ssh.startAgent = true;
-
-  programs.sway = {
-    enable = true;
-    wrapperFeatures.gtk = true;
-    extraPackages = with pkgs; [
-      rofi-wayland
-      cliphist
-      rofimoji
-      grim
-      slurp
-      swaylock
-      swayidle
-      brightnessctl
-      waybar
-      wl-clipboard
-    ];
-  };
-
-  programs.ghidra = {
-    enable = true;
-    package = pkgs.ghidra.withExtensions (p: with p; [
-      findcrypt
-      ret-sync
-    ]);
-  };
 }

hosts/ytnix/hardware-configuration.nix

@@ -82,5 +82,5 @@
   # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault true;
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

modules/authelia.nix

@@ -68,7 +68,6 @@ in
             ];
             scopes = [ "openid" "profile" "email" ];
             userinfo_signed_response_alg = "none";
-            token_endpoint_auth_method = "client_secret_basic";
           }
           {
             client_id = "_kuUEYxyfXjInJCniwugpw2Qn6iI-YW24NOkHZG~63BAhnAACDZ.xsLqOdGghj2DNZxXR0sU";

modules/backup.nix

@@ -21,7 +21,7 @@ let
     "/var/lib/docker"
     "/var/lib/containers" # podman
     "/var/lib/systemd"
-    "/var/lib/libvirt/images"
+    "/var/lib/libvirt"
     "**/.rustup"
     "**/.cargo"
     "**/.docker"
@@ -47,7 +47,7 @@ in
     };
     startAt = lib.mkOption {
       type = lib.types.str;
-      default = "daily";
+      default = "hourly";
       description = "see systemd.timer(5)";
     };
     jobName = lib.mkOption {
@@ -98,9 +98,8 @@ in
       failOnWarnings = false;
 
       prune.keep = {
-        daily = 7;
+        within = "2d";
-        weekly = 12;
+        daily = 365;
-        monthly = -1;
       };
       extraPruneArgs = [ "--stats" ];
     };

modules/caddy.nix

@@ -19,9 +19,9 @@ in
         plugins = [
           # error message will tell you the correct version tag to use
           # (still need the @ to pass nix config check)
-          "github.com/caddy-dns/cloudflare@v0.2.2-0.20250420134112-006ebb07b349"
+          "github.com/caddy-dns/cloudflare@v0.0.0-20250228175314-1fb64108d4de"
         ];
-        hash = "sha256-2U+icm4GtI5Fww6U8nKzQ/+pPf63T3scTGuj1zjj4b4=";
+        hash = "sha256-YYpsf8HMONR1teMiSymo2y+HrKoxuJMKIea5/NEykGc=";
       };
       logFormat = lib.mkForce "level INFO";
       acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
@@ -49,8 +49,7 @@ in
         respond / 200 {
           body "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfubDWr0kRm2o4DqaK6l1s4NCdTkljXZWKWCiF5nX+6
         ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPhUt9h5dCcrwOrZNKkStCX5OxumPzEwYXSU/0DgtWgP
-        ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyn2+OoRN4nExti+vFQ1NHEZip0slAoCH9C5/FzvgZD
+        ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyn2+OoRN4nExti+vFQ1NHEZip0slAoCH9C5/FzvgZD"
-        sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIA/IX9OFEhHS9Dl8nrtHkL7j7hhy7in9OAY/hVuzEGL0AAAABHNzaDo="
         }
       '';
     };

modules/roundcube.nix

@@ -31,7 +31,6 @@ in
         "contextmenu"
         "custom_from"
         "thunderbird_labels"
-        "managesieve"
       ];
       dicts = with pkgs.aspellDicts; [ en ];
       extraConfig = ''
@@ -39,8 +38,6 @@ in
         $config['smtp_host'] = "ssl://smtp.migadu.com:465";
         $config['smtp_user'] = "%u";
         $config['smtp_pass'] = "%p";
-        $config['managesieve_host'] = "tls://imap.migadu.com";
-        $config['managesieve_port'] = 4190;
       '';
     };
 
@@ -51,7 +48,6 @@ in
 
     services.caddy.virtualHosts."mail.cy7.sh".extraConfig = ''
       import common
-      import authelia
       root ${roundcube.package}
       php_fastcgi unix/${fpm.socket}
       file_server

overlay/default.nix

@@ -7,12 +7,14 @@
       pkgFrom = flake: pkg: flake.packages.${prev.system}.${pkg};
     in
     {
+      conduwuit = pkgFrom inputs.conduwuit "default";
+      attic-server = pkgFrom inputs.attic "attic-server";
+      attic = pkgFrom inputs.attic "attic";
       garage = (
         (pkgFrom inputs.garage "default").overrideAttrs {
           meta.mainProgram = "garage";
         }
       );
-      nil = pkgFrom inputs.nil "default";
     }
   )
 ]