cy/nixos-config
cy/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: cy:main
Branches Tags
cy:main
cy:update
cy:2025-04-14
cy:2025-04-07
cy:2025-04-05
cy:2025-04-04
cy:staging
cy:dogfood-nixcp
cy:no-follows
cy:workflow-test
cy:update_flake_lock_action
cy:caddy-s3
cy:workflow-copy
cy:workflow-lix
cy:test-s3-cache
cy:temp
cy:attic
cy:helix
cy:test
cy:lix-test
cy:bitwarden-patch
cy:chromium
cy:new-attic
cy:canary
cy:downgrade-kernel
cy:soju
cy:kde
cy:shiori
cy:caddy-module
cy:anki-overlay
cy:nixpkgs-master
cy:lix
cy:pan-home
cy:pi
cy:pancake
cy:pancake-sd-image
cy:arm
cy:lix-404
cy:customize-kernel
cy:blueprint
cy:flake-utils
cy:conduwuit-flake
cy:ghostty
cy:zen
cy:lact-fix-test
cy:alvr-test
cy:workflow-refactor
cy:bump-conduwuit
cy:gollum
cy:build
cy:nginx
cy:iso
cy:flake-parts
cy:codespace
cy:sway
cy:minio
cy:garage-module
cy:garage-test
cy:vscode
cy:purge
cy:create-pull-request/patch
cy:garage
cy:harmonia
cy:impermanence
..
compare: cy:2025-04-07
Branches Tags
cy:main
cy:update
cy:2025-04-14
cy:2025-04-07
cy:2025-04-05
cy:2025-04-04
cy:staging
cy:dogfood-nixcp
cy:no-follows
cy:workflow-test
cy:update_flake_lock_action
cy:caddy-s3
cy:workflow-copy
cy:workflow-lix
cy:test-s3-cache
cy:temp
cy:attic
cy:helix
cy:test
cy:lix-test
cy:bitwarden-patch
cy:chromium
cy:new-attic
cy:canary
cy:downgrade-kernel
cy:soju
cy:kde
cy:shiori
cy:caddy-module
cy:anki-overlay
cy:nixpkgs-master
cy:lix
cy:pan-home
cy:pi
cy:pancake
cy:pancake-sd-image
cy:arm
cy:lix-404
cy:customize-kernel
cy:blueprint
cy:flake-utils
cy:conduwuit-flake
cy:ghostty
cy:zen
cy:lact-fix-test
cy:alvr-test
cy:workflow-refactor
cy:bump-conduwuit
cy:gollum
cy:build
cy:nginx
cy:iso
cy:flake-parts
cy:codespace
cy:sway
cy:minio
cy:garage-module
cy:garage-test
cy:vscode
cy:purge
cy:create-pull-request/patch
cy:garage
cy:harmonia
cy:impermanence

No commits in common. "main" and "2025-04-07" have entirely different histories.
main ... 2025-04-07

25 changed files with 1117 additions and 302 deletions
Download patch file Download diff file Expand all files Collapse all files

3
.editorconfig
View file

@ -1,3 +0,0 @@
[*.nix]
indent_style = space
indent_size = 2

65
.github/workflows/build-machines-and-homes.yml vendored
View file

@ -8,8 +8,6 @@ env:
TERM: ansi
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets. AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: us-east-1
AWS_ENDPOINT_URL: https://s3.cy7.sh
jobs:
build-machines:
@ -37,7 +35,7 @@ jobs:
build-mount-path: /nix
- name: setup binary cache key
run: echo -n "${{ secrets.NIX_CACHE_SECRET_KEY }}" | xxd -p -r > ${{ runner.temp }}/cache-priv-key.pem
run: echo "${{ secrets.NIX_CACHE_SECRET_KEY }}" >> /home/runner/cache-priv-key.pem
- name: Install Nix
uses: cachix/install-nix-action@v30
@ -48,10 +46,16 @@ jobs:
experimental-features = nix-command flakes
accept-flake-config = true
system-features = nixos-test benchmark big-parallel kvm
secret-key-files = ${{ runner.temp }}/cache-priv-key.pem
extra-substituters = https://nixcache.cy7.sh
extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8=
download-buffer-size = 1073741824
secret-key-files = /home/runner/cache-priv-key.pem
extra-substituters = https://nixcache.cy7.sh https://cache.lix.systems
extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=
- name: Install Lix
run: |
sudo --preserve-env=PATH $(which nix) run \
'git+https://git.lix.systems/lix-project/lix?ref=refs/tags/2.92.0' -- \
upgrade-nix
nix --version
- name: Sync repository
uses: actions/checkout@v4
@ -60,16 +64,20 @@ jobs:
- name: build
run: |
# package=".#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel"
# nix build -L "$package"
nix run nixpkgs#nixos-rebuild build -- -L --flake ".#${{ matrix.machine }}"
- name: cache
# https://stackoverflow.com/a/58859404
if: '!cancelled()'
run: |
nix run \
github:cything/nixcp -- push \
--bucket nixcache \
--endpoint $AWS_ENDPOINT_URL \
--signing-key ${{ runner.temp }}/cache-priv-key.pem \
result
package=".#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel"
nix run git+https://git.cy7.sh/cy/nixcp.git -- \
--to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=zstd' \
-u https://nix-community.cachix.org \
-u https://nixcache.web.cy7.sh \
$package
build-homes:
strategy:
@ -80,6 +88,7 @@ jobs:
- yt@chunk
os:
- ubuntu-latest
# - macos-latest
runs-on: ${{ matrix.os }}
steps:
@ -96,7 +105,7 @@ jobs:
build-mount-path: /nix
- name: setup binary cache key
run: echo -n "${{ secrets.NIX_CACHE_SECRET_KEY }}" | xxd -p -r > ${{ runner.temp }}/cache-priv-key.pem
run: echo "${{ secrets.NIX_CACHE_SECRET_KEY }}" >> /home/runner/cache-priv-key.pem
- name: Install Nix
uses: cachix/install-nix-action@v30
@ -107,10 +116,16 @@ jobs:
experimental-features = nix-command flakes
accept-flake-config = true
system-features = nixos-test benchmark big-parallel kvm
secret-key-files = ${{ runner.temp }}/cache-priv-key.pem
extra-substituters = https://nixcache.cy7.sh
extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8=
download-buffer-size = 1073741824
secret-key-files = /home/runner/cache-priv-key.pem
extra-substituters = https://nixcache.cy7.sh https://cache.lix.systems
extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=
- name: Install Lix
run: |
sudo --preserve-env=PATH $(which nix) run \
'git+https://git.lix.systems/lix-project/lix?ref=refs/tags/2.92.0' -- \
upgrade-nix
nix --version
- name: Sync repository
uses: actions/checkout@v4
@ -123,10 +138,12 @@ jobs:
nix build -L "$package"
- name: cache
# https://stackoverflow.com/a/58859404
if: '!cancelled()'
run: |
nix run \
github:cything/nixcp -- push \
--bucket nixcache \
--endpoint $AWS_ENDPOINT_URL \
--signing-key ${{ runner.temp }}/cache-priv-key.pem \
result
package=".#homeConfigurations."${{ matrix.home }}".activationPackage"
nix run git+https://git.cy7.sh/cy/nixcp.git -- \
--to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=zstd' \
-u https://nix-community.cachix.org \
-u https://nixcache.web.cy7.sh \
$package

37
.github/workflows/build-packages.yml vendored
View file

@ -11,8 +11,6 @@ env:
TERM: ansi
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets. AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: us-east-1
AWS_ENDPOINT_URL: https://s3.cy7.sh
jobs:
build-packages:
@ -30,7 +28,7 @@ jobs:
steps:
- name: setup binary cache key
run: echo -n "${{ secrets.NIX_CACHE_SECRET_KEY }}" | xxd -p -r > ${{ runner.temp }}/cache-priv-key.pem
run: echo "${{ secrets.NIX_CACHE_SECRET_KEY }}" >> /home/runner/cache-priv-key.pem
- name: Install Nix
uses: cachix/install-nix-action@v30
@ -41,20 +39,33 @@ jobs:
experimental-features = nix-command flakes
accept-flake-config = true
system-features = nixos-test benchmark big-parallel kvm
secret-key-files = ${{ runner.temp }}/cache-priv-key.pem
extra-substituters = https://nixcache.cy7.sh
extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8=
secret-key-files = /home/runner/cache-priv-key.pem
extra-substituters = https://nixcache.cy7.sh https://cache.lix.systems
extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=
- name: Install Lix
run: |
sudo --preserve-env=PATH $(which nix) run \
'git+https://git.lix.systems/lix-project/lix?ref=refs/tags/2.92.0' -- \
upgrade-nix
nix --version
- name: Sync repository
uses: actions/checkout@v4
with:
persist-credentials: false
- run: nix build -L ${{ matrix.package }}
- name: cache
- name: cache result
# https://stackoverflow.com/a/58859404
if: '!cancelled()'
run: |
nix run \
github:cything/nixcp -- push \
--bucket nixcache \
--endpoint $AWS_ENDPOINT_URL \
--signing-key ${{ runner.temp }}/cache-priv-key.pem \
result
nix run git+https://git.cy7.sh/cy/nixcp.git -- \
--to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=zstd' \
-u https://nix-community.cachix.org \
-u https://nixcache.web.cy7.sh \
"${{ matrix.package }}"
- name: prepare tarball to upload
run: nix run github:nixos/nixpkgs#gnutar hcvf result.tar result

40
README.md Normal file
View file

@ -0,0 +1,40 @@
# infra
## ./home
- [home-manager](https://github.com/nix-community/home-manager) configuration files
- foot, tmux, and zsh are configured in Nix
- nvim, rofi, sway, waybar are configured in their own literature and symlinked to $XDG_CONFIG_HOME with home-manager
## ./hosts
- [`hosts/common.nix`](hosts/common.nix): configuration that makes sense on all computers
- [`hosts/zsh.nix`](hosts/zsh.nix): for computers that have the power to run zsh
### ./hosts/ytnix
- personal laptop
- a single [`default.nix`](hosts/ytnix/default.nix) that could be modularized but works for now
### ./hosts/chunk
- the overworked server with 5% SLA
- very short and concise [`default.nix`](hosts/chunk/default.nix)
- services organized in their modules
- some services run through `virtualisation.oci-containers`:
- [immich](hosts/chunk/immich.nix)
- [conduwuit](hosts/chunk/conduwuit.nix)
### ./hosts/titan
- got this cause chunk would go down way too often :(
- hosted on azure for "reliability"
- runs:
- [ghost](hosts/titan/ghost.nix) (through `virtualisation.oci-containers`)
- [uptime-kuma](hosts/titan/uptime-kuma.nix)
- [ntfy-sh](hosts/titan/ntfy.nix)
## ./secrets
- secrets
- see [`.sops.yaml`](.sops.yaml) for who privy to what
## backups
- hourly borgbackup to [rsync.net](https://rsync.net)
- see [modules/backup](modules/backup.nix)
## monitoring
- [status.cything.io](https://status.cything.io/): uptime kuma (reliable)
- [grafana.cything.io](https://grafana.cything.io/): some real-time metrics here; unlike the status page this will go kaput often

8
ci/upload-to-cache.sh
View file

@ -1,8 +0,0 @@
#!/bin/sh
# https://nix.dev/guides/recipes/post-build-hook.html#implementing-the-build-hook
set -eu
set -f # disable globbing
export IFS=' '
echo "Uploading paths" $OUT_PATHS
exec /nix/var/nix/profiles/default/bin/nix copy --to "s3://nixcache?endpoint=s3.cy7.sh&compression=zstd&parallel-compression=true" $OUT_PATHS

874
flake.lock generated
View file

File diff suppressed because it is too large Load diff

8
flake.nix
View file

@ -2,7 +2,8 @@
description = "cy's flake";
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small";
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
home-manager.url = "github:nix-community/home-manager";
@ -11,6 +12,9 @@
lanzaboote.inputs.nixpkgs.follows = "nixpkgs";
rust-overlay.url = "github:oxalica/rust-overlay";
rust-overlay.inputs.nixpkgs.follows = "nixpkgs";
conduwuit.url = "github:girlbossceo/conduwuit";
conduwuit.inputs.nixpkgs.follows = "nixpkgs";
lix-module.url = "git+https://git.lix.systems/lix-project/nixos-module?ref=release-2.92";
nix-ld.url = "github:nix-community/nix-ld";
nix-ld.inputs.nixpkgs.follows = "nixpkgs";
nil.url = "github:oxalica/nil";
@ -67,6 +71,7 @@
./modules
inputs.sops-nix.nixosModules.sops
inputs.lanzaboote.nixosModules.lanzaboote
inputs.lix-module.nixosModules.default
inputs.nix-ld.nixosModules.nix-ld
];
};
@ -79,6 +84,7 @@
./hosts/chunk
./modules
inputs.sops-nix.nixosModules.sops
inputs.lix-module.nixosModules.default
];
};
};

6
garnix.yaml Normal file
View file

@ -0,0 +1,6 @@
builds:
include:
- 'nixosConfigurations.*'
- 'homeConfigurations.*'
- '*.aarch64-linux.*'
- '*.x86_64-linux.*'

1
home/codium.nix
View file

@ -73,7 +73,6 @@
"telemetry.enableTelemetry" = false;
"telemetry.telemetryLevel" = "off";
"window.titleBarStyle" = "custom";
"editor.formatOnSave" = true;
# terminal stuff
"terminal.integrated.cursorBlinking" = true;

4
home/kitty.nix
View file

@ -7,13 +7,13 @@
package = pkgs.ibm-plex;
size = 12;
};
themeFile = "GitHub_Dark";
settings = {
enable_audio_bell = true;
# how many windows should be open before kitty asks
# for confirmation
confirm_os_window_close = 0;
clear_all_shortcuts = true;
background_opacity = 0.9;
# will probably lower this later but the max allowed is actually 4GB
# this is NOT stored in memory and can only be viewed with scrollback_pager
@ -21,7 +21,7 @@
# see https://github.com/sharkdp/bat/issues/1077#issuecomment-652785399
"scrollback_pager" = "bat --pager='less -FR +G'";
# "scrollback_lines" = 20000;
# wheel_scroll_multiplier = 50;
wheel_scroll_multiplier = 50;
};
keybindings = {
# kitty_mod is ctrl+shift by default

118
home/yt/ytnix.nix
View file

@ -8,7 +8,7 @@
./common.nix
../irssi.nix
../kitty.nix
# ../codium.nix
../codium.nix
];
home = {
username = "yt";
@ -28,7 +28,10 @@
home.packages =
with pkgs;
lib.flatten [
ungoogled-chromium
librewolf
bitwarden-desktop
bitwarden-cli
fastfetch
(with kdePackages; [
gwenview
@ -38,58 +41,32 @@
signal-desktop
btop
jq
sqlite
usbutils
calibre
tor-browser
wtype
bat
rclone
go
(rust-bin.selectLatestNightlyWith (
toolchain:
toolchain.default.override {
extensions = [ "rust-src" ];
targets = [ "aarch64-unknown-linux-musl" ];
}
))
pwgen
gnumake
unzip
anki-bin
trezorctl
q
gdb
fuzzel
hugo
ghidra
sccache
awscli2
p7zip
qbittorrent
android-tools
(python313.withPackages (
p: with p; [
python-lsp-server
pip
virtualenv
]
))
scrcpy
syncthing
(with llvmPackages; [
clangUseLLVM
compiler-rt
libllvm
])
nix-output-monitor
cinny-desktop
minio-client
keepassxc
jujutsu
ffmpeg
typst
pavucontrol
# reversing
radare2
jadx
frida-tools
mitmproxy
(cutter.withPlugins (
p: with p; [
rz-ghidra
@ -97,6 +74,35 @@
sigdb
]
))
p7zip
qbittorrent
android-tools
frida-tools
mitmproxy
(python313.withPackages (
p: with p; [
python-lsp-server
pip
virtualenv
]
))
jadx
scrcpy
syncthing
syncthingtray
(with llvmPackages; [
clangUseLLVM
compiler-rt
libllvm
])
nix-output-monitor
wl-clipboard-rs
pixelflasher
cinny-desktop
freetube
gopls
rust-analyzer
minio-client
];
home.sessionVariables = {
@ -148,56 +154,10 @@
enable = true;
viAlias = true;
vimAlias = true;
extraPackages = with pkgs; [
lua-language-server
nixd
rust-analyzer
fzf
fd
ripgrep
bat
delta
taplo
llvmPackages.clang-tools
pyright
tree-sitter
nodejs
nixfmt-rfc-style
];
};
programs.ssh = {
enable = true;
addKeysToAgent = "yes";
};
programs.firefox.enable = true;
programs.emacs = {
enable = true;
extraPackages = _: with pkgs; [
rust-analyzer
nil
ispell
];
};
gtk = {
enable = true;
theme.package = pkgs.gnome-themes-extra;
theme.name = "Adwaita-dark";
};
qt = {
enable = true;
platformTheme.name = "adwaita";
style.name = "adwaita-dark";
style.package = pkgs.adwaita-qt;
};
dconf.settings = {
"org/gnome/desktop/interface" = {
color-scheme = "prefer-dark";
};
};
}

21
home/zsh/default.nix
View file

@ -37,6 +37,12 @@
searchDownKey = "^n";
};
# prezto = {
# enable = true;
# caseSensitive = false;
# editor.keymap = "vi";
# };
initExtra = ''
# disable control+s to pause terminal
unsetopt FLOW_CONTROL
@ -79,11 +85,14 @@
shellAliases = {
"vi" = "nvim";
"vim" = "nvim";
"t" = "tmux";
"tl" = "tmux list-sessions";
"ta" = "tmux new-session -A -s";
"se" = "sudoedit";
"s" = "sudo";
"nrs" = "sudo nixos-rebuild switch -L --flake ~/nixos-config";
"nrt" = "sudo nixos-rebuild test -L --flake ~/nixos-config";
"hrs" = "home-manager switch -L --flake ~/nixos-config";
"nrs" = "sudo nixos-rebuild switch -L --flake . --log-format internal-json -v |& nom --json";
"nrt" = "sudo nixos-rebuild test -L --flake . --log-format internal-json -v |& nom --json";
"hrs" = "home-manager switch -L --flake .";
"g" = "git";
"ga" = "git add";
"gaa" = "git add --all";
@ -91,6 +100,7 @@
"gc" = "git commit --verbose";
"gcmsg" = "git commit --message";
"gd" = "git diff";
"gdca" = "git diff --cached";
"gds" = "git diff --staged";
"gl" = "git log --stat";
"glg" = "git log --graph";
@ -103,11 +113,6 @@
"gs" = "git status --short";
"gss" = "git status";
"code" = "codium";
"jl" = "jj log -n 10";
"jll" = "jj log";
"jd" = "jj diff";
"jn" = "jj new";
"jm" = "jj describe -m";
};
};

33
hosts/chunk/conduwuit.nix Normal file
View file

@ -0,0 +1,33 @@
{ ... }:
{
services.conduwuit = {
enable = true;
settings.global = {
port = [ 8448 ];
server_name = "cything.io";
allow_check_for_updates = true;
};
};
services.caddy.virtualHosts."chat.cything.io".extraConfig = ''
import common
reverse_proxy localhost:8448
'';
services.caddy.virtualHosts."cything.io" = {
serverAliases = [ "www.cything.io" ];
extraConfig = ''
import common
header /.well-known/matrix/* Content-Type application/json
header /.well-known/matrix/* Access-Control-Allow-Origin *
header /.well-known/matrix/* Access-Control-Allow-Methods GET,POST,PUT,DELETE,OPTIONS,PATCH,HEAD
header /.well-known/matrix/* Access-Control-Allow-Headers X-Requested-With,Content-Type,Authorization,Origin,Accept
route {
respond /.well-known/matrix/server {"m.server":"chat.cything.io:443"}
respond /.well-known/matrix/client {"m.server":{"base_url":"https://chat.cything.io"},"m.homeserver":{"base_url":"https://chat.cything.io"},"org.matrix.msc3575.proxy":{"url":"https://chat.cything.io"}}
redir https://cy7.sh/posts{uri} permanent
}
'';
};
}

37
hosts/chunk/default.nix
View file

@ -1,5 +1,6 @@
{
pkgs,
lib,
...
}:
{
@ -15,6 +16,7 @@
./redlib.nix
./vaultwarden.nix
./grafana.nix
./conduwuit.nix
./immich.nix
./forgejo.nix
./garage.nix
@ -69,10 +71,7 @@
networkmanager.enable = true;
firewall = {
enable = true;
trustedInterfaces = [
"tailscale0"
"podman1"
];
trustedInterfaces = [ "tailscale0" ];
allowedTCPPorts = [
22
80
@ -81,6 +80,32 @@
allowedUDPPorts = [
443
];
extraCommands =
let
ethtool = lib.getExe pkgs.ethtool;
tc = lib.getExe' pkgs.iproute2 "tc";
in
''
# disable TCP segmentation offload (https://wiki.archlinux.org/title/Advanced_traffic_control#Prerequisites)
${ethtool} -K ens18 tso off
# clear existing rules
${tc} qdisc del dev ens18 root || true
# create HTB hierarchy
${tc} qdisc add dev ens18 root handle 1: htb default 10
${tc} class add dev ens18 parent 1: classid 1:1 htb rate 100% ceil 100%
# rest
${tc} class add dev ens18 parent 1:1 classid 1:10 htb rate 60% ceil 100%
# caddy
${tc} class add dev ens18 parent 1:1 classid 1:30 htb rate 40% ceil 100%
# mark traffic
iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/caddy.service" -j MARK --set-mark 3
# route marked packets
${tc} filter add dev ens18 parent 1: protocol ip prio 1 handle 3 fw flowid 1:30
'';
};
interfaces.ens18 = {
ipv6.addresses = [
@ -133,7 +158,6 @@
environment.systemPackages = with pkgs; [
vim
neovim
wget
curl
tree
@ -161,8 +185,7 @@
my.containerization.enable = true;
my.authelia.enable = true;
my.karakeep = {
enable = false;
enable = true;
dataDir = "/opt/karakeep";
};
my.roundcube.enable = true;
}

2
hosts/chunk/garage.nix
View file

@ -25,7 +25,7 @@
compression_level = "none";
};
environmentFile = config.sops.secrets."garage/env".path;
logLevel = "info";
logLevel = "warn";
};
services.caddy.virtualHosts = {

5
hosts/chunk/postgres.nix
View file

@ -19,5 +19,8 @@
}
];
};
services.postgresqlBackup.enable = true;
services.postgresqlBackup = {
enable = true;
startAt = "hourly";
};
}

12
hosts/chunk/rclone.nix
View file

@ -14,22 +14,22 @@ let
--config ${config.sops.secrets."rclone/config".path} \
--allow-other \
--cache-dir /var/cache/rclone \
--transfers 16 \
--vfs-cache-mode writes \
--transfers 64 \
--vfs-cache-mode full \
--vfs-cache-min-free-space 5G \
--dir-cache-time 30d \
--no-checksum \
--no-modtime \
--vfs-fast-fingerprint \
--vfs-read-chunk-size 128M \
--vfs-read-chunk-streams 0 \
--sftp-concurrency 64 \
--vfs-read-chunk-size 8M \
--vfs-read-chunk-streams 16 \
--sftp-concurrency 128 \
--sftp-chunk-size 255k \
--buffer-size 0 \
--write-back-cache \
${remote} ${mount}
'';
ExecStop = "${lib.getExe' pkgs.fuse "fusermount"} -zu ${mount}";
Restart = "on-failure";
};
in
{

6
hosts/common.nix
View file

@ -1,7 +1,6 @@
{ inputs, config, pkgs, ... }:
{ inputs, config, ... }:
{
nix = {
package = pkgs.lix;
settings = {
experimental-features = "nix-command flakes";
auto-optimise-store = true;
@ -39,7 +38,7 @@
i18n.defaultLocale = "en_US.UTF-8";
time.timeZone = "America/New_York";
networking = {
firewall.logRefusedConnections = true;
firewall.logRefusedConnections = false;
nameservers = [
# quad9 (unfiltered)
"2620:fe::10"
@ -56,7 +55,6 @@
"nts.teambelgium.net"
"c.st1.ntp.br"
];
nftables.enable = true;
};
services.chrony = {
enable = true;

109
hosts/ytnix/default.nix
View file

@ -44,11 +44,10 @@
efi.canTouchEfiVariables = true;
};
tmp.cleanOnBoot = true;
kernelPackages = pkgs.linuxPackages_6_14;
kernelPackages = pkgs.linuxKernel.packages.linux_zen;
extraModulePackages = with config.boot.kernelPackages; [
rtl8821ce
];
kernelModules = [ "8821ce" ];
kernelParams = [
# see https://github.com/tomaspinho/rtl8821ce#pcie-active-state-power-management
"pcie_aspm=off"
@ -61,10 +60,7 @@
enable = true;
pkiBundle = "/var/lib/sbctl";
};
kernel.sysctl = {
"kernel.sysrq" = 1;
# "net.ipv4.ip_forward" = 1;
};
kernel.sysctl."kernel.sysrq" = 1;
binfmt.emulatedSystems = [ "aarch64-linux" ];
};
@ -91,12 +87,12 @@
resolvconf.enable = true;
firewall = {
enable = true;
trustedInterfaces = [
"tailscale0"
];
extraInputRules = ''
ip saddr 192.168.100.0/24 tcp dport 9234 accept
'';
trustedInterfaces = [ "tailscale0" ];
# allowedTCPPorts = [
# 8080 # mitmproxy
# 22000 # syncthing
# 3003 # immich-ml
# ];
};
hosts = {
"100.122.132.30" = [ "s3.cy7.sh" ];
@ -109,10 +105,8 @@
pulse.enable = true;
alsa.enable = true;
alsa.support32Bit = true;
wireplumber.extraConfig."10-bluetooth-enhancements" = {
"wireplumber.settings" = {
"bluetooth.autoswitch-to-headset-profile" = false;
};
wireplumber.extraConfig.bluetoothEnhancements = {
# https://julian.pages.freedesktop.org/wireplumber/daemon/configuration/bluetooth.html#bluetooth-configuration
"monitor.bluez.properties" = {
"bluez5.enable-sbc-xq" = true;
"bluez5.enable-msbc" = true;
@ -120,27 +114,27 @@
"bluez5.roles" = [
"a2dp_sink"
"a2dp_source"
"hsp_hs"
"hsp_ag"
"hfp_hf"
"hfp_ag"
];
};
};
# https://wiki.archlinux.org/title/Bluetooth_headset#Connecting_works,_sound_plays_fine_until_headphones_become_idle,_then_stutters
wireplumber.extraConfig."11-disable-suspend" = {
"monitor.bluez.rules" = [
{
matches = [
{
"device.name" = "bluez_card.*";
}
];
actions = {
update-props = {
"session.suspend-timeout-seconds" = 0;
};
};
}
];
wireplumber.extraConfig.disableSuspend = {
"monitor.bluez.rules" = {
matches = [
{
"node.name" = "bluez_output.*";
}
];
};
actions = {
update-props = {
"session.suspend-timeout-seconds" = 0;
};
};
};
};
@ -210,7 +204,7 @@
services.displayManager = {
enable = true;
autoLogin.user = "yt";
defaultSession = "sway";
defaultSession = "plasma";
sddm = {
enable = true;
wayland.enable = true;
@ -219,14 +213,10 @@
};
fonts = {
packages =
(with pkgs; [
ibm-plex
])
++ (with pkgs.nerd-fonts; [
roboto-mono
jetbrains-mono
]);
packages = with pkgs; [
nerd-fonts.roboto-mono
ibm-plex
];
enableDefaultPackages = true;
};
@ -248,7 +238,6 @@
"/home/yt/Games"
"/home/yt/Videos"
"/home/yt/.bitmonero"
"/home/yt/vms"
];
repo = "yt";
passFile = config.sops.secrets."borg/rsyncnet".path;
@ -277,10 +266,6 @@
enable = true;
qemu.vhostUserPackages = with pkgs; [ virtiofsd ];
};
# virtualisation.vmware.host = {
# enable = true;
# package = pkgs.vmware-workstation;
# };
programs.virt-manager.enable = true;
my.containerization.enable = true;
@ -331,7 +316,6 @@
xorg.libxshmfence
xorg.libXxf86vm
xorg.libSM
xorg.libICE
gtk3
pango
gdk-pixbuf
@ -376,6 +360,12 @@
];
};
services.ollama.enable = false;
services.trezord.enable = true;
programs.niri.enable = false;
programs.niri.package = pkgs.niri-unstable;
programs.xwayland.enable = true;
services.udev.extraHwdb = ''
@ -400,32 +390,7 @@
programs.ccache.enable = true;
nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ];
programs.fuse.userAllowOther = true;
nix.settings.sandbox = true;
nix.settings.sandbox = false;
programs.ssh.startAgent = true;
programs.sway = {
enable = true;
wrapperFeatures.gtk = true;
extraPackages = with pkgs; [
rofi-wayland
cliphist
rofimoji
grim
slurp
swaylock
swayidle
brightnessctl
waybar
wl-clipboard
];
};
programs.ghidra = {
enable = true;
package = pkgs.ghidra.withExtensions (p: with p; [
findcrypt
ret-sync
]);
};
}

2
hosts/ytnix/hardware-configuration.nix
View file

@ -82,5 +82,5 @@
# networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault true;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

1
modules/authelia.nix
View file

@ -68,7 +68,6 @@ in
];
scopes = [ "openid" "profile" "email" ];
userinfo_signed_response_alg = "none";
token_endpoint_auth_method = "client_secret_basic";
}
{
client_id = "_kuUEYxyfXjInJCniwugpw2Qn6iI-YW24NOkHZG~63BAhnAACDZ.xsLqOdGghj2DNZxXR0sU";

9
modules/backup.nix
View file

@ -21,7 +21,7 @@ let
"/var/lib/docker"
"/var/lib/containers" # podman
"/var/lib/systemd"
"/var/lib/libvirt/images"
"/var/lib/libvirt"
"**/.rustup"
"**/.cargo"
"**/.docker"
@ -47,7 +47,7 @@ in
};
startAt = lib.mkOption {
type = lib.types.str;
default = "daily";
default = "hourly";
description = "see systemd.timer(5)";
};
jobName = lib.mkOption {
@ -98,9 +98,8 @@ in
failOnWarnings = false;
prune.keep = {
daily = 7;
weekly = 12;
monthly = -1;
within = "2d";
daily = 365;
};
extraPruneArgs = [ "--stats" ];
};

10
modules/caddy.nix
View file

@ -19,9 +19,9 @@ in
plugins = [
# error message will tell you the correct version tag to use
# (still need the @ to pass nix config check)
"github.com/caddy-dns/cloudflare@v0.2.2-0.20250420134112-006ebb07b349"
"github.com/caddy-dns/cloudflare@v0.0.0-20250228175314-1fb64108d4de"
];
hash = "sha256-2U+icm4GtI5Fww6U8nKzQ/+pPf63T3scTGuj1zjj4b4=";
hash = "sha256-YYpsf8HMONR1teMiSymo2y+HrKoxuJMKIea5/NEykGc=";
};
logFormat = lib.mkForce "level INFO";
acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
@ -37,9 +37,9 @@ in
(authelia) {
forward_auth localhost:9091 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}
}
'';
environmentFile = config.sops.secrets."caddy/env".path;

4
modules/roundcube.nix
View file

@ -31,7 +31,6 @@ in
"contextmenu"
"custom_from"
"thunderbird_labels"
"managesieve"
];
dicts = with pkgs.aspellDicts; [ en ];
extraConfig = ''
@ -39,8 +38,6 @@ in
$config['smtp_host'] = "ssl://smtp.migadu.com:465";
$config['smtp_user'] = "%u";
$config['smtp_pass'] = "%p";
$config['managesieve_host'] = "tls://imap.migadu.com";
$config['managesieve_port'] = 4190;
'';
};
@ -51,7 +48,6 @@ in
services.caddy.virtualHosts."mail.cy7.sh".extraConfig = ''
import common
import authelia
root ${roundcube.package}
php_fastcgi unix/${fpm.socket}
file_server

4
overlay/default.nix
View file

@ -7,12 +7,14 @@
pkgFrom = flake: pkg: flake.packages.${prev.system}.${pkg};
in
{
conduwuit = pkgFrom inputs.conduwuit "default";
attic-server = pkgFrom inputs.attic "attic-server";
attic = pkgFrom inputs.attic "attic";
garage = (
(pkgFrom inputs.garage "default").overrideAttrs {
meta.mainProgram = "garage";
}
);
nil = pkgFrom inputs.nil "default";
}
)
]